From sdw at lig.net Tue Oct 1 03:41:07 2013 From: sdw at lig.net (Stephen D. Williams) Date: Tue, 01 Oct 2013 03:41:07 -0700 Subject: D-Central In-Reply-To: <20131001102537.GG10405@leitl.org> References: <20131001102537.GG10405@leitl.org> Message-ID: <524AA6C3.2000909@lig.net> On 10/1/13 3:25 AM, Eugen Leitl wrote: > Probably vaporware/hoaxware > > http://news.cnet.com/8301-1009_3-57605233-83/john-mcafees-$100-d-central-aims-to-outsmart-the-nsa/ This could be as simple as a wifi router that runs independent DHCP/XMPP/BitTorrent/etc., coordinated direct connections for file sharing/serving (SparkleShare, i.e. git over SSH), etc. Or it could include peer-to-peer client wifi connections. Or the router devices and/or portable devices could form meshes to get extended range and more of an internet/Internet. The simple case isn't hard. I've been thinking of doing the same thing for Burning Man: Resilient, mesh, usually disconnected, store and forward when disconnected, secure + public, fair, prioritized traffic, opportunistic but bulk Internet capable networking in harsh environments and random usage patterns. Add store and forward to an XMPP server, plus email, some file transfer and usenet like flood propagation (using bittorrent protocols/methods), and you'd have a nice independent communication network. Layer authentication / crypto, features, and applications as desired. Stephen -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1756 bytes Desc: not available URL: From jya at pipeline.com Tue Oct 1 04:09:00 2013 From: jya at pipeline.com (John Young) Date: Tue, 01 Oct 2013 07:09:00 -0400 Subject: Surveillance In-Reply-To: <20131001102811.GA7173@netbook.cypherspace.org> References: <20131001102811.GA7173@netbook.cypherspace.org> Message-ID: The most common for of spying for all countries is that for assuring payment of taxes. These agencies have dossiers, agents, informants and contractors (tax lawyers) which put the other spies to shame (and put as much fear in the oft-blamed spies as in citizens). In the US the main function of early spies was to catch tax evaders. Not to overlook that the birth of the US was about who got the bloodily-extorted taxes. No greater cooperation among world governments exceeds that for catching tax evaders. The few refuges stings. Tax laws allow far greater intrusion than those for national security. And terrified citizens are obligated to spy and rat themselves, family, neighbors, bosses, co-revolutionaries in particular. Taxpayers are paid bonuses for spying on and ratting each other, and jump to obey tax obligations, albeit with an acceptable amount of shaving the truth. Bribes are endemic, whistleblowers deputies of the state. Presumably the fashionista excitement of bitching about the rest of the spies is aimed at curring favor with the most persistenlty threatening of the TLAs which will swoop in like the angel of death to remind of the inescapable collusion of both death and taxes to meticulously spy on futile efforts to wiggle out of what is due. Discussing this topic can get a citizen is more trouble than viewing kiddie porn or whatever is the country's favorite fashionista criminalization Fortuitiously, terror was invented to payback tyrants for their overdue abuse of taxation; today, shilled as sequestration. Before being forfeited into submission Let us now honor the two brave and revolutionary cypherpunks sent to prison for defying the top spies of the way over-taxed earth. Hail Jim, hail CJ, fuck you Agent Gordon. From dan at geer.org Tue Oct 1 06:10:27 2013 From: dan at geer.org (dan at geer.org) Date: Tue, 01 Oct 2013 09:10:27 -0400 Subject: Surveillance In-Reply-To: Your message of "Tue, 01 Oct 2013 00:37:03 -0300." <6F56E84703ED3E8D5F7F7933@F74D39FA044AA309EAEA14B9> Message-ID: <20131001131027.96DB62281A4@palinka.tinho.net> excerpting/compressing: > So, the question should be : apart from the anglo-americans, and > perhaps the chinese, is there any other cyber police state out there? > > > russia, of course. and ... > > perhaps the question you need to ask is who isn't a cyber police state? > > even the third world is buying tools from the first for this purpose... In a socialist nation, the government will own the critical infrastructure, and that is that. In a state capitalist nation, the government will own the critical infrastructure through straws. In a capitalist nation, the private sector will own the critical infrastructure. Therefore, the government of same will simply and quietly deputize the private sector against its will. Above some threshold level of deputization plus regulation, free-enterprise capitalist and state capitalist are operationally indistinguishable. By that analysis, the U.S. and China are destined to look more alike day by day. --dan From shap at eros-os.org Tue Oct 1 09:28:07 2013 From: shap at eros-os.org (Jonathan S. Shapiro) Date: October 1, 2013 9:28:07 AM PDT Subject: Cost and Responsibility for Snowden's Breaches Message-ID: [Via Dave Farber's IP] The press has lately been recirculating stories about the dollar damages of the Snowden disclosures. The repudiation of key cryptography standards - the ones that underly our electronic currency exchanges and clearinghouses, and are present in an overwhelming number of products - may in the end cost billions of dollars of damage. Some of the press would have us believe that all of this is Snowden's fault. Better, some feel, to focus attention on the messenger and protect the perpetrator. Or even if not better, easier. It sells more papers to focus on a "David vs. Goliath" story than to examine whether Goliath was actually a Philistine. In compromising these cryptography standards, NSA's alleged goal was to read the electronic communications of terrorists, arms dealers, and other savory characters. In a world of open cryptography standards, the only way to do that was to compromise *everybody*. That includes ordinary citizens, businesses, governments (ours and others), armed forces command and control, domestic and global financial systems, and so on. This goes beyond privacy. Cryptography sits under all of our most essential electronic communications. Focusing on Snowden has people asking "How safe are my secrets from the NSA?" when a more pertinent question might be "Is my bank still safe from the eastern block mafia and the terrorist of the month?" Banks for the most part don't operate by storing dollar bills; they operate electronically. Then there is the power delivery infrastructure, or... the list goes on. *That* is what NSA compromised. And when you understand that, it becomes clear that the damage to *us* was far worse than any cost to the terrorists. In fact, the damage is proportional to your dependence on electronic infrastructure. That's bad. Because it means that people inside our government, at the direction of government officials, sworn to protect and defend the constitution and the country, actively conspired to undermine every segment of the United States along with our key allies. While the run-of-the-mill staff may not have understood this, the more senior people at NSA knew what they were doing. They were certainly told by people on the outside often enough. Frankly, I think some of them should hang. And I mean that literally. These decisions by NSA weren't made by extremist muslims. They were made by people from Harvard, Yale, and Princeton (and elsewhere) right here in America. But there is something worse. In a certain sense, the NSA's primary mission is the discovery of secrets. Being in the secret breaking business, one of the things they know very well is that the best way to break a secret is to get someone to tell you what it is. And there is *always* someone who will tell you, either out of conviction or out of fear of compromise. There was never a question whether the fact that NSA compromised every first world and second world country would leak. The only questions were *who* would leak it and *how soon*. It happened to be Snowden, but if not for Snowden it would have been somebody else. So setting aside the technical damage, there is the fact that the U.S. Government is now known - and more importantly, believed - to have compromised ourselves and our allies. We need to ask what the consequences are of that. Here are some questions that suggest themselves: 1. Cryptography is clearly too important to entrust to the government. Who can we trust? 2. Fragmentation seems likely. Does that help or hinder us? 3. Do the issues differ for communications cryptography vs. long-term storage cryptography? Given that communications is recorded and stored forever, I suspect not. 4. Can our allies ever again trust an American-originated crypto system? Software system? Can we trust one from them? 5. Can our allies ever again afford to trust an American manufacturer of communications equipment, given that every one of the major players seems to have gotten in bed with NSA when pressured to do so by the U.S. Government? 6. What *other* compromised technologies have been promulgated through government-influenced standards and/or back room strong arm tactics? One thing seems clear: we must now choose between the credibility of American technology businesses and the continuation of export controls on cryptography and computer security technology. The controls are ineffective for their alleged purpose; there are too many ways to circumvent them. The main use of these laws has been to allow government pressure to be brought to bear on vendors who won't "play ball" with U.S. Government objectives. As long as the big players in the U.S. computing and networking industries can be be backdoored by their government (take that either way), only a fool would buy from them. If the goal is to destroy the American technology industry, this strategy is even better than software patents. As long as those laws remain on the books, the American tech sector has a credibility problem. A second thing seems clear: we need to move to openly *developed* standards for critical systems, not just open *standards*. And not just openly developed standards, but standards whose "theory of operation" is explained and critically examined by the public. No more unexplained magic tables of numbers. We need fully open public review, and public reference implementations as part of the standardization process. A third thing seems clear: fixing the cryptography doesn't solve the problem. Even with back doors, the best place to break crypto is at the insecure end points. We need to develop information management methods (e.g. "zero knowledge" methods, but also others) and software architectures that let us limit the scope of damage when it occurs. The operating systems - and consequently the applications - that we are using today simply weren't designed for this. Fortunately, the hardware environment has converged enough that we can do a lot better than we have in the past. There will never be perfect security, but we can largely eliminate the exponential advantage that is currently enjoyed by the attacker. Jonathan S. Shapiro .... From shap Tue Oct 1 09:28:07 2013 From: shap (Jonathan S. Shapiro) Date: October 1, 2013 9:28:07 AM PDT Subject: Cost and Responsibility for Snowden's Breaches Message-ID: Excerpts: "It becomes clear that the damage to *us* was far worse than any cost to the terrorists. In fact, the damage is proportional to your dependence on electronic infrastructure. That's bad. Because it means that people inside our government, at the direction of government officials, sworn to protect and defend the constitution and the country, actively conspired to undermine every segment of the United States along with our key allies. While the run-of-the-mill staff may not have understood this, the more senior people at NSA knew what they were doing. They were certainly told by people on the outside often enough. Frankly, I think some of them should hang. And I mean that literally. These decisions by NSA weren't made by extremist muslims. They were made by people from Harvard, Yale, and Princeton (and elsewhere) right here in America." ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From collin at sibilance.org Tue Oct 1 06:42:45 2013 From: collin at sibilance.org (Collin RM Stocks) Date: Tue, 01 Oct 2013 09:42:45 -0400 Subject: [cryptography] three crypto lists - why and which In-Reply-To: <20130930102743.GA10002@netbook.cypherspace.org> References: <20130930102743.GA10002@netbook.cypherspace.org> Message-ID: <524AD155.5090200@sibilance.org> On 09/30/2013 06:27 AM, Adam Back wrote: > I am not sure if everyone is aware that there is also an unmoderated crypto > list, because I see old familiar names posting on the moderated crypto list > that I do not see posting on the unmoderated list. The unmoderated list > has > been running continuously (new posts in every day with no gaps) since mar > 2010, with an interesting relatively low noise, and not firehose volume. > > http://lists.randombit.net/mailman/listinfo/cryptography > > The actual reason for the creation of that list was Perry's list went > through a hiatus when Perry stopped approving/forward posts eg > > http://www.mail-archive.com/cryptography at metzdowd.com/ > > originally Nov 2009 - Mar 2010 (I presume the mar 2010 restart was > motivated > by the creation of randombit list starting in the same month) but more > recently sep 2010 to may 2013 gap (minus traffic in aug 2011). > > http://www.metzdowd.com/pipermail/cryptography/ > > I have no desire to pry into Perry's personal circumstances as to why this > huge gap happened, and he should be thanked for the significant moderation > effort he has put into create this low noise environment, but despite that > it is bad for cryptography if people's means of technical interaction > spuriously stops. Perry mentioned recently that he has now backup > moderators, OK so good. > > There is now also the cypherpunks list which has picked up, and covers a > wider mix of topics, censorship resistant technology ideas, forays into > ideology etc. Moderation is even lower than randombit but no spam, noise > slightly higher but quite reasonable so far. And there is now a domain > name > that is not al-quaeda.net (seriously? is that even funny?): cpunks.org. > https://cpunks.org/pipermail/cypherpunks/ > At least I enjoy it and see some familiar names posting last seen decade+ > ago. > > Anyway my reason for posting was threefold: a) make people aware of > randombit crypto list, b) rebooted cypherpunks list (*), but c) about > how to > use randombit (unmoderated) and metzdowd. > For my tastes sometimes Perry will cut off a discussion that I thought was > just warming up because I wanted to get into the detail, so I tend more > prefer the unmoderated list. But its kind of a weird situaton because > there > are people I want views and comments from who are on the metzdowd list who > as far as I know are not on the crypto list, and there's no convenient way > to migrate a conversation other than everyone subscribing to both. Cc to > both perhaps works somewhat, I do that sometimes though as a general > principle it can be annoying when people Cc to too many lists. > > Anyway thanks for your attention, back to the unmoderated (or moderated) > discussion! > > Adam > _______________________________________________ > cryptography mailing list > cryptography at randombit.net > http://lists.randombit.net/mailman/listinfo/cryptography It's probably not worth mentioning the sci.crypt newsgroup, is it? There is *occasionally* some intelligent discussion there. -- 2C+CMQjIjaCehU0V2o3RDf0rk+jaijnRuQ3QhUj/vRtGGYTwncLy7AQU3Dap Hg10jLJ+tw8QBkqk1wfpeg/Z1eiT4Lbo13RB1kCKBI6AtBN1DJTDtENTeaAz XE9gTWVfi/Zpa4RPynL4zXTTDrRo4OWU5pUTOhqKU+GcHj85/SsjG4iV2AY5 AhuYwP42EuJ1aPq4JPVSJ6j/UX+jNM0wyUPbBx0Z0T8Jk3BuJ/xoHjwGdVxR FlKlcwtE3P5ocGXk90Pl25sZDqTqT08vXpOvSw1rMULG3xSkznJTM5KmQmSY /Pyr9uKqhryeJ2b+oX1iis7KcVwY5Q7RGJuR9p8uUg== From collin at sibilance.org Tue Oct 1 06:54:55 2013 From: collin at sibilance.org (Collin RM Stocks) Date: Tue, 01 Oct 2013 09:54:55 -0400 Subject: [cryptography] The Unbreakable Cipher In-Reply-To: References: Message-ID: <524AD42F.3060903@sibilance.org> On 09/25/2013 03:51 PM, Jonathan Katz wrote: > On Wed, Sep 25, 2013 at 1:30 PM, Greg Rose > wrote: > > > On Sep 25, 2013, at 9:40 , Jonathan Katz > wrote: > > "Every cipher is breakable, given enough traffic": in principle, > yes, as long as the traffic (formally, the entropy of the traffic) > is larger than the key length. > > You misstated this. It's breakable if the *redundancy* of the > traffic is larger than the key length. > > > Not so; this is most easily seen by taking the uniform distribution over > n-bit messages, in which case the entropy is n and the redundancy is 0. > > regards, > Greg. > > > > > _______________________________________________ > cryptography mailing list > cryptography at randombit.net > http://lists.randombit.net/mailman/listinfo/cryptography > If the message is chosen from a uniform distribution over n bits (and assuming that the message is not used for something else after it is deciphered), the adversary will not be able to distinguish a correctly deciphered message from an incorrectly deciphered message, no matter how short the key is in comparison to the data. Now, you could easily argue that there is absolutely no reason to send a message with those properties, but that isn't really the point. -- KmNJcjeUDRXMu6riH0KAK9Og8WAaAT8oXcbnFIij5djCP4v+6GTFxnHoHzvW NTL+4ZPiGUqerypkfsDfEOcO+i6ZlY59G79tEMwR0fsKO9w9MLbv6Odz5RxY JZgUsZJ8lZWx/zBsL4oqU60k+EFbV14fSUVoaRpazy1ozgQFdi2SdfHTB41y 7SsMX/JlevnnBj/GhUyFlXPr2kwechOSy5W74iVbUaOpeYMqNIx3jCmZfjez Gi+sS8ghQB8y5b9NgYTlR7HBh+leObqQX/R5bAkyPyh2oDOlFbD2HQiCsiB9 Uj/qLtG3CaZQVtkCSC1s3NschLBgWHfQ9xkb3Peqzg== From jya at pipeline.com Tue Oct 1 08:02:51 2013 From: jya at pipeline.com (John Young) Date: Tue, 01 Oct 2013 11:02:51 -0400 Subject: [Cryptography] Why is emailing me my password? In-Reply-To: References: Message-ID: The several crypto lists run by mailman email passwords monthly. Open crypto lists are not meant to be more trustworthy than open crypto. At 10:28 AM 10/1/2013, you wrote: >This falls somewhere in the land of beyond-the-absurd. > >Just got this message from your robot: > >On Oct 1, 2013, at 5:00 AM, mailman-owner at metzdowd.com wrote: > > > If you have questions, problems, comments, etc, send them to > > mailman-owner at metzdowd.com. Thanks! > > > > Passwords for greg at kinostudios.com: > > > > List Password // URL > > ---- -------- > > cryptography at metzdowd.com iPoopInYourHat > > http://www.metzdowd.com/mailman/options/cryptography/greg%40kinostudios.com > >So, my password, iPoopInYourHat, is being sent to me in the clear by >your servers. > >Of all the places on the internet, this would be on the last places >I would expect this to happen. > >- Greg > >-- >Please do not email me anything that you are not comfortable also >sharing with the NSA. > > > >_______________________________________________ >The cryptography mailing list >cryptography at metzdowd.com >http://www.metzdowd.com/mailman/listinfo/cryptography From eugen at leitl.org Tue Oct 1 03:25:37 2013 From: eugen at leitl.org (Eugen Leitl) Date: Tue, 1 Oct 2013 12:25:37 +0200 Subject: D-Central Message-ID: <20131001102537.GG10405@leitl.org> Probably vaporware/hoaxware http://news.cnet.com/8301-1009_3-57605233-83/john-mcafees-$100-d-central-aims-to-outsmart-the-nsa/ From adam at cypherspace.org Tue Oct 1 03:28:11 2013 From: adam at cypherspace.org (Adam Back) Date: Tue, 1 Oct 2013 12:28:11 +0200 Subject: Surveillance In-Reply-To: References: Message-ID: <20131001102811.GA7173@netbook.cypherspace.org> Apparently the UK is worse than the US even - less pretense about not spying on their own subjects, less legal restrictions (to the extent the NSA and their nominal oversight even respected the restrictions, which clearly they did not much respect and subverted with clear internal complaints of the oversight to the extent that the info was disclosed to them.). You are her majesty's subject not a citizen, and the royal family hasnt exercised their powers nor even expressed displeasure such is the etiquette in a century. The best you've got is the house of lords, however even their powers have been weakened and dilluted by politically appointed peers by parliament, which in my view was two steps backwards; at least the hereditary peers were a break on change, are typically wealthy people who dont want the politicians to screw up the country and to some extent have more aligned interests with the people than policitians who typically have no actual views, just play to opinion with no regard for the direction their actions push civil society and democracy. It may well be that for most westerners the best you could do is use a russian or chinese internet proxy for internet, voice SIP, video chat/IM etc. The chinese are interesting in having their own source of backdoors (electronics manufacturing) possibly rivaling the US software and key backdoors. They may have a state level interest and competence to find and eliminate US originated backdoors. Similarly for russia. Adam On Mon, Sep 30, 2013 at 10:08:35PM -0400, Tom Ritter wrote: >On 30 September 2013 21:45, Juan Garofalo wrote: >> Am I right in assuming that the US is the only country who has its >> own subjects PLUS a good deal of the world under close surveillance? > >I would say you are incorrect. The UK and the US cooperate very, very >closely. Likewise, the Echelon/Five Eyes program is a publicly >documented SIGINT sharing program >(https://en.wikipedia.org/wiki/ECHELON). > >-tom From joss-cypherpunks at pseudonymity.net Tue Oct 1 04:30:29 2013 From: joss-cypherpunks at pseudonymity.net (Joss Wright) Date: Tue, 1 Oct 2013 12:30:29 +0100 Subject: Surveillance In-Reply-To: <20131001102811.GA7173@netbook.cypherspace.org> References: <20131001102811.GA7173@netbook.cypherspace.org> Message-ID: <20131001113029.GA1326@kafka.pseudonymity.local> On Tue, Oct 01, 2013 at 12:28:11PM +0200, Adam Back wrote: > Apparently the UK is worse than the US even - less pretense about not spying > on their own subjects, This, depressingly, does seem to be true in just about every sense. To make matters worse, there are far more open debates at the political level about increasing the ongoing level of surveillance, even in response to what has become known recently. At least the US has the decency to be ever-so-slightly ashamed in public. > less legal restrictions (to the extent the NSA and their nominal > oversight even respected the restrictions, which clearly they did not > much respect and subverted with clear internal complaints of the > oversight to the extent that the info was disclosed to them.). The advantage that the UK, or at least its population, has over the US comes mainly from European law and the protections afforded there. (Of course, this is all predicated on the fact that most laws seem to be largely ignored behind the scenes, but let's work with that while we're talking legal restrictions.) There was an interesting discussion of this recently on the ietf-privacy mailing list, based on Caspar Bowden's research note for the European Parliament. The whole thread, and the note, are worth a read for people who haven't seen them: http://www.ietf.org/mail-archive/web/ietf-privacy/current/msg00326.html > You are her majesty's subject not a citizen This, at least, is just incorrect. Since the British Nationality Act of 1981 came into force in 1983, only a small (and diminishing) set of people are British Subjects, and as far as I understand it it is no longer possible to become a British Subject. The overwhelmingly vast majority of the British population are, in fact, British Citizens. See, for example: http://www.ukba.homeoffice.gov.uk/britishcitizenship/ and, specifically, http://www.ukba.homeoffice.gov.uk/britishcitizenship/othernationality/britishsubjects/ (The term 'subject' does still occur in old laws and traditions for historical reasons.) Joss -- Joss Wright | @JossWright http://www.pseudonymity.net From eugen at leitl.org Tue Oct 1 04:30:25 2013 From: eugen at leitl.org (Eugen Leitl) Date: Tue, 1 Oct 2013 13:30:25 +0200 Subject: Surveillance In-Reply-To: References: Message-ID: <20131001113025.GK10405@leitl.org> On Mon, Sep 30, 2013 at 10:08:35PM -0400, Tom Ritter wrote: > On 30 September 2013 21:45, Juan Garofalo wrote: > > Am I right in assuming that the US is the only country who has its > > own subjects PLUS a good deal of the world under close surveillance? > > I would say you are incorrect. The UK and the US cooperate very, very > closely. Likewise, the Echelon/Five Eyes program is a publicly It's Six Eyes, as Sweden is also part of the big vacuum, due to special geography. > documented SIGINT sharing program > (https://en.wikipedia.org/wiki/ECHELON). From eugen at leitl.org Tue Oct 1 04:32:46 2013 From: eugen at leitl.org (Eugen Leitl) Date: Tue, 1 Oct 2013 13:32:46 +0200 Subject: [tor-relays] Relay security, re: local network Message-ID: <20131001113246.GL10405@leitl.org> ----- Forwarded message from The Doctor ----- From eugen at leitl.org Tue Oct 1 04:45:57 2013 From: eugen at leitl.org (Eugen Leitl) Date: Tue, 1 Oct 2013 13:45:57 +0200 Subject: [Cryptography] RSA equivalent key length/strength Message-ID: <20131001114557.GP10405@leitl.org> ----- Forwarded message from "James A. Donald" ----- From eugen at leitl.org Tue Oct 1 05:47:42 2013 From: eugen at leitl.org (Eugen Leitl) Date: Tue, 1 Oct 2013 14:47:42 +0200 Subject: [Cryptography] RSA equivalent key length/strength Message-ID: <20131001124742.GV10405@leitl.org> ----- Forwarded message from Viktor Dukhovni ----- From juan.g71 at gmail.com Tue Oct 1 11:41:23 2013 From: juan.g71 at gmail.com (Juan Garofalo) Date: Tue, 01 Oct 2013 15:41:23 -0300 Subject: Surveillance In-Reply-To: <20131001113029.GA1326@kafka.pseudonymity.local> References: <20131001102811.GA7173@netbook.cypherspace.org> <20131001113029.GA1326@kafka.pseudonymity.local> Message-ID: <5473FE41D0DE1DC30996A8DC@F74D39FA044AA309EAEA14B9> --On Tuesday, October 01, 2013 12:30 PM +0100 Joss Wright wrote: >> You are her majesty's subject not a citizen > > This, at least, is just incorrect. "Citizen" is a meaningless term. Politically there two kinds of people. State agents (who are above the law) and their subjects. > Since the British Nationality Act of > 1981 came into force in 1983, only a small (and diminishing) set of > people are British Subjects, and as far as I understand it it is no > longer possible to become a British Subject. The overwhelmingly vast > majority of the British population are, in fact, British Citizens. See, > for example: > > http://www.ukba.homeoffice.gov.uk/britishcitizenship/ > > and, specifically, > http://www.ukba.homeoffice.gov.uk/britishcitizenship/othernationality/bri > tishsubjects/ > > (The term 'subject' does still occur in old laws and traditions for > historical reasons.) > > Joss > -- > Joss Wright | @JossWright > http://www.pseudonymity.net > From zooko at zooko.com Tue Oct 1 12:45:27 2013 From: zooko at zooko.com (zooko) Date: Tue, 1 Oct 2013 15:45:27 -0400 Subject: On 128-bit security Message-ID: Folks: Here are my personal opinions about these issues. I'm not expert at cryptanalysis. Disclosure: I'm one of the authors of BLAKE2 (but not one of the authors of BLAKE). I personally do not believe that there is any secret agenda behind this proposal, even though I believe that there was a secret agenda behind Dual EC DRBG. One reason that I believe that the motivation behind this proposal is the stated motivation of improving performance, is that Joan Daemen told me in person in January of 2013 that the Keccak team had considered defining a reduced Keccak to compete with BLAKE2, but had decided against it because they didn't want to disrupt the SHA-3 standardization process. Apparently they changed their minds, and apparently their fears of disruption turned out to be prescient! I also do not think that a "security level" of 2^256 is necessarily better than a "security level" of 2^128. *Maybe* it is better, but I'm not aware of any examples where that sort of distinction has turned out to matter in practice, and I can't really judge if it is likely to matter in the future (except, of course, if you forget to take into account multi-target issues…). I suspect nobody else can, either. However, even though I *personally* would have confidence that a Keccak with a 256-bit capacity would be safe and would be free of maliciously induced weakness, I want a standard to be widely accepted in addition to being safe. This is the "Caesar's wife must be above suspicion" argument. It isn't enough to make a secure standard, but also we need other people to have confidence in it. And, I don't know if we can persuade people that "no it isn't actually backdoored/weakened". It may be the kind of thing where if that's the conversation we're having then we've already lost. Would it make sense to go ahead and standardize SHA3-as-a-replacement-for-SHA2 by standardizing the form of Keccak which is most widely accepted by cryptographers and which is closest to what was studied during the contest, and then separately offer SHAKE and reduced-for-speed-Keccak as additional new things? A lot of uses of secure hash functions don't need to be particularly efficient. In my slides about BLAKE2 (https://blake2.net/acns/slides.html) I argue that there are use-cases where efficiency is critical, but it is equally true that there are common and important use cases where a 576-bit capacity Keccak would be fine, e.g. public key certificates. ------- Joan Daemen, one of inventors of AES and one of the inventors of Keccak (SHA-3), replied to my mailing list post as follows: From coderman at gmail.com Tue Oct 1 15:59:55 2013 From: coderman at gmail.com (coderman) Date: Tue, 1 Oct 2013 15:59:55 -0700 Subject: Fwd: [RISKS] Risks Digest 27.50 In-Reply-To: References: Message-ID: here here! "That's bad. Because it means that people inside our government, at the direction of government officials, sworn to protect and defend the constitution and the country, actively conspired to undermine every segment of the United States along with our key allies... ... the more senior people at NSA knew what they were doing. They were certainly told by people on the outside often enough. Frankly, I think some of them should hang. And I mean that literally." short walk and sudden stop for Alexander, now that'd be a sight! ( we can dream ... ) ---------- Forwarded [ED: and abridged] message ---------- From: RISKS List Owner Subject: [RISKS] Risks Digest 27.50 ... ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy ... From adam at cypherspace.org Tue Oct 1 07:26:03 2013 From: adam at cypherspace.org (Adam Back) Date: Tue, 1 Oct 2013 16:26:03 +0200 Subject: [Bitcoin-development] homomorphic coin value (validatable but encrypted) (Re: smart contracts -- possible use case? yes or no?) Message-ID: On Sun, Sep 29, 2013 at 10:49:00AM -0700, Mark Friedenbach wrote: >This kind of thing - providing external audits of customer accounts >without revealing private data - would be generally useful beyond >taxation. If you have any solutions, I'd be interested to hear them >(although bitcoin-dev is probably not the right place yet). Thanks for providing the impetus to write down the current state, the efficient version of which I only figured out a few days ago :) I have been researching this for a few months on and off, because it seems like an interesting construct in its own right, a different aspect of payment privacy (eg for auditable but commercial sensistive information) but also that other than its direct use it may enable some features that we have not thought of yet. I moved it to bitcointalk: https://bitcointalk.org/index.php?topic=305791.new#new Its efficient finally (after many dead ends): approximately 2x cost of current in terms of coin size and coin verification cost, however it also gives some perf advantages back in a different way - necessary changes to schnorr (EC version of Schnorr based proofs) allow n of n multiparty sigs, or k of n multiparty sigs for the verification cost and signature size of one pair of ECS signatures, for n > 2 its a space and efficiency improvement over current bitcoin. Adam ------------------------------------------------------------------------------ October Webinars: Code for Performance Free Intel webinars can help you accelerate application performance. Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from the latest Intel processors and coprocessors. See abstracts and register > http://pubads.g.doubleclick.net/gampad/clk?id=60134791&iu=/4140/ostg.clktrk _______________________________________________ Bitcoin-development mailing list Bitcoin-development at lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/bitcoin-development ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From eugen at leitl.org Tue Oct 1 07:27:33 2013 From: eugen at leitl.org (Eugen Leitl) Date: Tue, 1 Oct 2013 16:27:33 +0200 Subject: [Bitcoin-development] homomorphic coin value (validatable but encrypted) (Re: smart contracts -- possible use case? yes or no?) Message-ID: <20131001142732.GB10405@leitl.org> ----- Forwarded message from Adam Back ----- From eugen at leitl.org Tue Oct 1 07:58:00 2013 From: eugen at leitl.org (Eugen Leitl) Date: Tue, 1 Oct 2013 16:58:00 +0200 Subject: [cryptography] The Compromised Internet Message-ID: <20131001145759.GD10405@leitl.org> ----- Forwarded message from The Doctor ----- Date: Mon, 30 Sep 2013 14:14:54 -0400 From: The Doctor To: cryptography at randombit.net Subject: Re: [cryptography] The Compromised Internet Organization: Virtual Adept Networks, Unlimited User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130514 Thunderbird/17.0.6 Reply-To: drwho at virtadpt.net -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 09/27/2013 09:35 AM, Eugen Leitl wrote: > I don't see how a ham running a repeater backbone can prevent end > to end encryption other than sniffing for traffic and actively > disrupting it. I'm not sure tampering If enough hams (or one sufficiently angry lone ham operator) decide that this is a problem they'll organize a turkey hunt to triangulate the operator(s) and politely ask them to stop before the feds get called in. The thinking behind this seems to be that the amateur community has been graciously granted a small portion of the RF spectrum to experiment with. People (licensed hams or otherwise) who do specifically prohibited things within the amateur bands (like transmitting encrypted traffic or undocumented digital protocols (which may be indistinguishable from encrypted traffic)) can get some or all of the amateur band taken away. A lot of time and effort are spent every year by ham operators who don't want this, that, or the other sliver of the amateur band reassigned away from amateur use, and someone doing something dodgy within those spectra could have disasterous consequences. When Project Byzantium was adding amateur radio support for ISC milestone #3, these regulations were noted and discussed at length during initial reasearch. We also spoke with the ARRL during development, which expressed similar sentiments about crypto in the amateur bands (and passing traffic from unlicensed network users over the amateur band, incidentally). > with transport is within ham ethics, though they definitely That would probably fall under jamming, which is definitely against ham ethics. > don't understand the actual uses for encryption, at The hams I've spoken to seem to, but they also seem to fall into the camp of "It's on the amateur bands, so if it's something I'd want to encrypt I'm not going to talk about it while chewing the rag anyway." > least the old hands (are there even new hands?). Hello. - -- The Doctor [412/724/301/703] [ZS] Developer, Project Byzantium: http://project-byzantium.org/ PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1 WWW: https://drwho.virtadpt.net/ "Be the strange that you want to see in the world." --Gareth Branwyn -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.20 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlJJv54ACgkQO9j/K4B7F8GO0wCeMVOKo1YmC+/8VqUcm4+CGBek fk4AnjiH3UGQ/kqSzmSatwKFpSceISBq =n2mL -----END PGP SIGNATURE----- _______________________________________________ cryptography mailing list cryptography at randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: Digital signature URL: From tpetru at gmail.com Tue Oct 1 08:44:07 2013 From: tpetru at gmail.com (Tomas Overdrive Petru) Date: Tue, 01 Oct 2013 17:44:07 +0200 Subject: Bitmessage? In-Reply-To: <52491072.1080407@comcast.net> References: <52491072.1080407@comcast.net> Message-ID: <524AEDC7.2070105@gmail.com> Hoy, I have found some relatively long thread https://bitmessage.org/forum/index.php?topic=1666.0 with security analysis and it does not seems like really rock solid protocol. My personal experience is that most of the people I have tried BitMessage with where not able to tolerate really long and unpredictable latency of messages. During first week of tests we have tried to send like 150 messages with friends and only circa half of them where delivered, even none of us turned off client. If you are not activist with month of time, to deliver all of your followers invitation to prepared demonstration against spying on emails, there is no use for this in the way, how it is implemented. Another problem was -+2days of time, before client was fully synced with network. In case, I'm not connected few weeks and than I need to wait 2 days again to fully sync... no use. But it was just first impression, client deleted from hdd. ~ Tomas Dne 30.9.2013 7:47, d.nix napsal(a): > > I've seen little or no discussion of Bitmessage, and was wondering > what thoughts - pro or con - people have of it: > > https://bitmessage.org/wiki/Main_Page > > I've got it up and running and have exchanged messages with a friend > and well as a few other folks testing the waters. One thing I like > about it, is that it seems at first glance to not suffer from the same > sort of traffic analysis issues that plague regular email; to me, the > traffic analysis problems are a bigger issue than message encryption. > One could also paste PGP/GPG or other encrypted content into > Bitmessage for your super duper secret stuff where you are concerned > the recipients machine is compromised. > > There's apparently a standard email gateway for it also: > > https://bitmessage.ch/ > > Tho, that may bring you back to the problems of traffic analysis. > > I'd also love to see more mix network stuff getting developed so we > could help secure against traffic analysis of existing systems. Tom > Ritter's talk on analyzing mix network traffic was quite cool: > > http://ritter.vg/blog-deanonymizing_amm.html > http://ritter.vg/blog-deanonymizing_amm_followup1.html > > But anyhow, Bitmessage; yay or nay? > > Dave > > BM-2D9fgf9MeGhq9Fxcwg1k2W1C179KJuUEFg > -- “Borders I have never seen one. But I have heard they exist in the minds of some people.” ― Thor Heyerdahl www...................http://overdrive.a-nihil.net CellPhone.............00420-721-007-507 twitter...............https://twitter.com/#!/idoru23 GoogleTalk/Jabber.....tpetru at gmail.com blog..................http://d8ofh8.blogspot.com last.fm...............http://www.last.fm/user/overdrive23 GnuPG public key......http://overdrive.a-nihil.net/overdrive.txt GnuPG key FingerPrint.072C C0AD 88EF F681 5E52 5329 8483 4860 6E19 949D -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 553 bytes Desc: OpenPGP digital signature URL: From juan.g71 at gmail.com Tue Oct 1 16:54:53 2013 From: juan.g71 at gmail.com (Juan Garofalo) Date: Tue, 01 Oct 2013 20:54:53 -0300 Subject: Surveillance In-Reply-To: References: <20131001102811.GA7173@netbook.cypherspace.org> Message-ID: --On Tuesday, October 01, 2013 7:09 AM -0400 John Young wrote: > Discussing this topic can get a citizen is more trouble than > viewing kiddie porn or whatever is the country's favorite > fashionista criminalization You think so? Seems to me that so called tax evasion is rampant, especially among people who can hire lawyers and other lawyer-like creatures. 'kiddie porn' on the other hand will get any 'pervert' lynched in no time in, say, a western cesspool like the US. > > Fortuitiously, terror was invented to payback tyrants for their > overdue abuse of taxation; today, shilled as sequestration. > > Before being forfeited into submission Let us now honor the > two brave and revolutionary cypherpunks sent to prison for > defying the top spies of the way over-taxed earth. > > Hail Jim, hail CJ, fuck you Agent Gordon. > > > From jya at pipeline.com Wed Oct 2 05:21:31 2013 From: jya at pipeline.com (John Young) Date: Wed, 02 Oct 2013 08:21:31 -0400 Subject: [cryptome] Cost and Responsibility for Snowden's Breaches Message-ID: http://cryptome.org/2013/10/snowden-cost.htm From dan at geer.org Wed Oct 2 06:24:48 2013 From: dan at geer.org (dan at geer.org) Date: Wed, 02 Oct 2013 09:24:48 -0400 Subject: Studies on user behaviour In-Reply-To: Your message of "Wed, 02 Oct 2013 14:37:43 +0200." <20131002123743.GA14320@vic20.blipp.com> Message-ID: <20131002132448.4F383228144@palinka.tinho.net> > But there must be much more out there. [ Shoshana Zuboff, now Emeritus, was first woman tenured at HBS ] http://www.oldthinkernews.com/2007/12/anticipatory-conformity-will-the-growing-surveillance-panopticon-cause-us-to-self-censor/ Duke is referring to a term coined in 1988 by Harvard psychologist Shoshana Zuboff called "anticipatory conformity." Duke quotes Zuboff in her explanation of the term, "I think the first level of that is we anticipate surveillance and we conform, and we do that with awareness," she says. "We know, for example, when we're going through the security line at the airport not to make jokes about terrorists or we'll get nailed, and nobody wants to get nailed for cracking a joke. It's within our awareness to self-censor. And that self-censorship represents a diminution of our freedom." Applying that concept to the post-9/11 era, Zuboff says she sees anticipatory conformity all around and expects it to grow even more intense. From njloof at gmail.com Wed Oct 2 10:19:43 2013 From: njloof at gmail.com (Nathan Loofbourrow) Date: Wed, 2 Oct 2013 10:19:43 -0700 Subject: Silk Road founder arrested ... In-Reply-To: References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> Message-ID: ...assuming it has not already been replaced by its former competitors. On Wednesday, October 2, 2013, Lodewijk andré de la porte wrote: > Good. That'll remove one mayor anti-bitcoin argument. Plus it shows that > even with anonymous transactions people can still be caught doing illegal > things, making it less important to have exclusively publicly knowable > transactions. > > Huzzah. > > > 2013/10/2 Trigger Happy 'cvml', 'triggerhappy at openmail.cc');>> > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA512 >> >> >> http://www.maxkeiser.com/2013/10/silk-road-founder-arrested/ >> >> - -- >> Trigger Happy >> jabber: triggerhappy at jabber.ccc.de > 'triggerhappy at jabber.ccc.de');> >> >> >> -----BEGIN PGP SIGNATURE----- >> >> iQIcBAEBCgAGBQJSTEH1AAoJEEtm9wC9fGLFLSMQAL3+e2tChE1Z3zAf2lRadpPX >> rVz6MbiZsXismiOXPwOFZGjXBAD0GnbM6ZwlBtvHLvDnnsxd+N6kwKpvaXv2S/sS >> UOZeFl7m2G1BfhxYIN+GxemYho7TnmwoEQp8e4cdoXF9PqYQylcxg7Q4e5HHXhDm >> 92Nsj8EbRscAsK+ibQslmXKCqgwsQYEElgx1Va+C/KU/rvzIcv9MC1g8Jaq2TTND >> 0Taz0M9e9s8S9hHAnbUU9dIQKSGB43iegY8UD/E6Q/vyS+qKgs6sKySkKfKw5MLN >> eOPuCOGw9btm/Qvh4ckAAztefzovEEsPKIEQo502WyeaOvSMot/RqlwEwK4LREOL >> IXKk2m3AOMwnMpeW8FQo4mb9XNV6HKZFSK//P3hQE3ao6PpyY2Nm6m68CSaDpsDB >> 2XjKs0xZyplit85BEsz496yNe5UTM2eUQTDoorCj6RHl7Y2lm44R3eW1/BcvMKO4 >> JyEo9PbYs57NRQLoyBaWU0NJFm9GlxrtqsnazOgX/i2ugqoy9f+qArOhRS7dEPvk >> PlJxKeAIe/qb7P+jOLHYKnl1gxa+2kP59XJ2VlOAmqrdIIvAeaGSK4tqFTi6ziD4 >> AV0WguqN7q9OXTrN0ybKOfjlsLdjCBchvmpOnDC/T3yMZOEktZM/Mih8N8YV6OJb >> fwGhM48wWoNaJlNck5ej >> =t7fB >> -----END PGP SIGNATURE----- >> > > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2212 bytes Desc: not available URL: From albill at openbuddha.com Wed Oct 2 10:28:57 2013 From: albill at openbuddha.com (Al Billings) Date: Wed, 2 Oct 2013 10:28:57 -0700 Subject: Silk Road founder arrested ... In-Reply-To: <1380734343.30026.10.camel@anglachel> References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> Message-ID: You mean like the guy he paid someone $150,000 to murder? -- Al Billings http://makehacklearn.org On Wednesday, October 2, 2013 at 10:19 AM, Ted Smith wrote: > I know on the Internet people aren't terribly good at being people, but > where I'm from it's considered bad form to celebrate anyone being > imprisoned. Let's try not to celebrate someone's life being ruined. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2249 bytes Desc: not available URL: From njloof at gmail.com Wed Oct 2 10:49:22 2013 From: njloof at gmail.com (Nathan Loofbourrow) Date: Wed, 2 Oct 2013 10:49:22 -0700 Subject: Silk Road founder arrested ... In-Reply-To: References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> Message-ID: To be fair, he was being blackmailed. That's self defense, right? On Wednesday, October 2, 2013, Al Billings wrote: > You mean like the guy he paid someone $150,000 to murder? > > -- > Al Billings > http://makehacklearn.org > > On Wednesday, October 2, 2013 at 10:19 AM, Ted Smith wrote: > > I know on the Internet people aren't terribly good at being people, but > where I'm from it's considered bad form to celebrate anyone being > imprisoned. Let's try not to celebrate someone's life being ruined. > > > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2051 bytes Desc: not available URL: From albill at openbuddha.com Wed Oct 2 10:50:24 2013 From: albill at openbuddha.com (Al Billings) Date: Wed, 2 Oct 2013 10:50:24 -0700 Subject: Silk Road founder arrested ... In-Reply-To: References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> Message-ID: <40F6437F0E924260B71B76F8F5CA8E46@openbuddha.com> If your name is Walter White. -- Al Billings http://makehacklearn.org On Wednesday, October 2, 2013 at 10:49 AM, Nathan Loofbourrow wrote: > To be fair, he was being blackmailed. That's self defense, right? -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1272 bytes Desc: not available URL: From bill.stewart at pobox.com Wed Oct 2 11:34:55 2013 From: bill.stewart at pobox.com (Bill Stewart) Date: Wed, 02 Oct 2013 11:34:55 -0700 Subject: Silk Road founder arrested ... In-Reply-To: <1380734343.30026.10.camel@anglachel> References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> Message-ID: <20131002183504.F40ECCA45@a-pb-sasl-quonix.pobox.com> If he were the REAL Dread Pirate Roberts, this would be his method for selling his ship to the next holder of the Dread Pirate Roberts franchise. (Ok, probably not.) At 10:19 AM 10/2/2013, Ted Smith wrote: >Well, he was caught because early on, he advertised for developers using >his real-name email address. Dumb. >On Wed, 2013-10-02 at 18:42 +0200, Lodewijk andré de la porte wrote: > > Good. That'll remove one mayor anti-bitcoin argument. Plus it shows > > that even with anonymous transactions people can still be caught doing > > illegal things, making it less important to have exclusively publicly > > knowable transactions. I thought Silk Road was one of the major pro-bitcoin arguments. But there are competing services as well, according to some news article I saw that tried three of them (but since they were a Reputable Journalism Channel, the reporter didn't get to actually smoke the dope he bought.) From albill at openbuddha.com Wed Oct 2 11:47:51 2013 From: albill at openbuddha.com (Al Billings) Date: Wed, 2 Oct 2013 11:47:51 -0700 Subject: Silk Road founder arrested ... In-Reply-To: References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> Message-ID: <24ADD652FCEC47EE83047F8F55AE1100@openbuddha.com> Paying someone $150,000 to kill someone isn't a crime in your country? -- Al Billings http://makehacklearn.org On Wednesday, October 2, 2013 at 11:36 AM, Bill St. Clair wrote: > The FBI agents involved should be taken before a Grand Jury seeking an indictment for kidnapping. If indicted, and found guilty by a jury of their peers, they should be hanged. There was no crime here, other than the kidnapping. The man sold vegetables to people who wanted them. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1544 bytes Desc: not available URL: From coderman at gmail.com Wed Oct 2 11:56:27 2013 From: coderman at gmail.com (coderman) Date: Wed, 2 Oct 2013 11:56:27 -0700 Subject: Silk Road founder arrested ... In-Reply-To: <524C41F5.5020105@openmail.cc> References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> Message-ID: On Wed, Oct 2, 2013 at 8:55 AM, Trigger Happy wrote: > ... > http://www.maxkeiser.com/2013/10/silk-road-founder-arrested/ also, http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/02/feds-arrest-the-alleged-founder-of-bitcoins-largest-drug-market/ "The government shuttered the site and seized approximately 26,000 Bitcoins worth approximately $3.6 million..." i would be interested to know what coin addresses were seized, and how they are used going forward (if it all?). _that_ would be an interesting taint analysis... *grin* From harmony01 at riseup.net Wed Oct 2 05:00:09 2013 From: harmony01 at riseup.net (harmony) Date: Wed, 02 Oct 2013 12:00:09 +0000 Subject: [tor-talk] Tor Weekly News — October 2nd, 2013 Message-ID: ======================================================================== Tor Weekly News October 2nd, 2013 ======================================================================== Welcome to the fourteenth issue of Tor Weekly News, the weekly newsletter that covers what’s happening in the much-discussed Tor community. Tor Browser Bundle 3.0alpha4 released ------------------------------------- On September 28th, Mike Perry released the fourth alpha of the new Tor Browser Bundle 3.0 series [1]. The main highlights of this series are the important usability improvements that integrate Tor configuration and control into the browser itself, rather than relying on the unmaintained Vidalia interface. The latest iteration is based on Firefox 10.0.9esr, which brings with it a lot of important security fixes. It also fixes a fingerprinting issue by randomizing the timestamp sent when establishing an HTTPS connection. Two small but important usability improvements in the new Tor Launcher component were made: users can now directly copy and paste “bridge” lines from the bridge database [2], while clock-skews that would prevent Tor from functioning properly are now reported to users. Download your copy, test it, and report any problems you find. If you're feeling adventurous, you can also try out the crucial new security process by independently reproducing the binaries from the publicly-reviewable source code [3]. [1] https://blog.torproject.org/blog/tor-browser-bundle-30alpha4-released [2] https://bridges.torproject.org/ [3] https://gitweb.torproject.org/builders/tor-browser-bundle.git/blob/HEAD:/gitian/README.build Tor mini-hackathon at GNU 30th anniversary ------------------------------------------ The Tor mini-hackathon at the GNU 30th anniversary event [4] took place over the weekend, and Nick Mathewson sent out a brief report [5] on how things went. As well as working on proposal 220, which involves improvements to Tor server identity keys, Nick merged some small patches into the Tor mainline branch, and collected promises of several more to come. He also directed a few enquiring minds towards Tor's online community, saying “I hope we’ll be seeing more of some of the folks I talked to on our mailing lists and IRC channels soon”. [4] https://lists.torproject.org/pipermail/tor-talk/2013-September/030238.html [5] https://www.gnu.org/gnu30/ Tor Stack Exchange page in private beta --------------------------------------- The Tor Stack Exchange page [6], which reached 100% commitment last week [7], has now been moved into the ‘private beta’ stage. Runa Sandvik clarified that “the purpose behind it is to ensure that users who committed to the site’s proposal have a chance to start asking and answering questions, as well as help with the initial community building activities that will define and shape the site” [8]. She added that “the more experts who participate in the private beta, the more certain it is that our page will move on to the next stage (i.e. the public beta).” Fruitful discussions are already taking place: Karsten Loesing wrote to the wider community on the question of what to do about contact information for bridge operators after it was posed on Stack Exchange. [9] Roger Dingledine put out a call [10] for Tor developers and anonymity researchers to participate in answering questions on the site, adding “Steven, Philipp, Jens, and I can't do it by ourselves.” If you have expert knowledge to contribute, please send an email to help at rt.torproject.org to get an invitation! [6] http://tor.stackexchange.com [7] http://area51.stackexchange.com/proposals/56447/tor-online-anonymity-privacy-and-security [8] https://lists.torproject.org/pipermail/tor-talk/2013-September/030187.html [9] https://lists.torproject.org/pipermail/tor-relays/2013-September/002936.html [10] https://lists.torproject.org/pipermail/tor-dev/2013-September/005519.html liballium: Pluggable Transports utility library in C ---------------------------------------------------- Yawning Angel announced a new library to ease the task of writing pluggable transports [11]. liballium is a “simple library that handles the Tor Pluggable Transport Configuration protocol. The idea is for this library to be the C/C++ equivalent to pyptlib [12] (and maybe more, depending on how much time I have to work on it).” The code is available for review [13] featuring “a reasonably well commented example.” Feel free to follow up with “questions, comments, feedback”! [11] https://www.torproject.org/docs/pluggable-transports.html [12] https://gitweb.torproject.org/pluggable-transports/pyptlib.git [13] https://github.com/Yawning/liballium Tor Help Desk Roundup --------------------- Multiple users wrote to the help desk asking for guidance setting up hidden service sites. The most straightforward documentation for hidden services is in the torrc file itself [14]. A more in-depth guide can be found on the Tor Project website [15]. The website also documents how hidden services work [16]. Technical details can be found in the Rendezvous Specification document [17]. [14] https://www.torproject.org/docs/faq.html.en#torrc [15] https://www.torproject.org/docs/tor-hidden-service.html.en [16] https://www.torproject.org/docs/hidden-services.html.en [17] https://gitweb.torproject.org/torspec.git?a=blob_plain;hb=HEAD;f=rend-spec.txt Monthly status reports for September 2013 ----------------------------------------- The wave of regular monthly reports from Tor project members for the month of September has begun. Runa Sandvik released her report first [18], followed by reports from Damian Johnson [19], Philipp Winter [20], Sherief Alaa [21], and Noel David Torres Taño [22]. [18] https://lists.torproject.org/pipermail/tor-reports/2013-September/000341.html [19] https://lists.torproject.org/pipermail/tor-reports/2013-September/000342.html [20] https://lists.torproject.org/pipermail/tor-reports/2013-October/000343.html [21] https://lists.torproject.org/pipermail/tor-reports/2013-October/000344.html [22] https://lists.torproject.org/pipermail/tor-reports/2013-October/000345.html Miscellaneous news ------------------ Mike Perry published his new GPG public key, adding: “this new key will be used to sign email from me going forward, and will be used to sign software releases until such time as I get around to creating a second set of keys on a hardware token for that purpose” [23]. [23] https://lists.torproject.org/pipermail/tor-dev/2013-September/005518.html David Fifield updated the Pluggable Transports bundles using the latest Tor Browser Bundle [24]. In order to benefit from the improvements and security fixes, please update! [24] https://blog.torproject.org/blog/pluggable-transports-bundles-2417-beta-2-pt3-firefox-1709esr intrigeri sent a release schedule for Tails 0.21 [25]. The first release candidate should be out on October 20th. [25] https://mailman.boum.org/pipermail/tails-dev/2013-September/003719.html Roger Dingledine sent out “a list of criteria to consider when evaluating pluggable transports for readiness of deployment to users”, asking for comments on his initial draft [26]. [26] https://lists.torproject.org/pipermail/tor-dev/2013-September/005528.html If you have the necessary hardware and want to help Tails out, please test two upcoming features: persistent printer settings [27] and support for more SD card readers (the “sdio” type) [28]. [27] https://mailman.boum.org/pipermail/tails-dev/2013-September/003744.html [28] https://mailman.boum.org/pipermail/tails-dev/2013-September/003757.html Upcoming events --------------- Oct 09-10 | Andrew speaking at Secure Poland 2013 | Warszawa, Poland | http://www.secure.edu.pl/ | Nov 04-05 | 20th ACM Conference on Computer and Communications Security, | Berlin, Germany | http://www.sigsac.org/ccs/CCS2013/ This issue of Tor Weekly News has been assembled by harmony, Lunar, dope457, and Matt Pagan. Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page [29], write down your name and subscribe to the team mailing list [30] if you want to get involved! [29] https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews [30] https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team -- tor-talk mailing list - tor-talk at lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From jamesdbell8 at yahoo.com Wed Oct 2 12:23:06 2013 From: jamesdbell8 at yahoo.com (Jim Bell) Date: Wed, 2 Oct 2013 12:23:06 -0700 (PDT) Subject: Silk Road founder arrested ... In-Reply-To: References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> Message-ID: <1380741786.15249.YahooMailNeo@web141201.mail.bf1.yahoo.com> On Oct 2, 2013 7:19 PM, "Ted Smith" wrote: >> I know on the Internet people aren't terribly good at being people, but >> where I'm from it's considered bad form to celebrate anyone being >> imprisoned. Let's try not to celebrate someone's life being ruined. >I think this is an interesting notion. Yet you misunderstand my apathy for dislike. I simply don't care for this man. Not at all. I think law is served the way it should be, although later than it should be. This law the >citizens of America mostly agree with (hard to believe but true nonetheless) and he will likely be prosecuted fairly.  >It's miraculous that this man didn't decide to build up an existence in Russia or somesuch country, where he'd be safe from such prosecution. Why he didn't do the ultimate best he could to simply disappear. >Additionally Silk Road has been the one example of "bad things with Bitcoin" so as a news message this is good news for those that own Bitcoin, and Bitcoins image of legitimacy. This is the fact I am celibrating. The >actual arrest and takedown are sad results of society and the fact that the owner wasn't hardcore paranoid enough, and I see no reason to celebrate that. I can think of another "bad thing with Bitcoin" that hasn't yet been implemented.  So, I don't think this is "good news for those that own Bitcoin", quite the opposite.  If this prosecution is considered legitimate, could the next step be the prosecution of any persons who have anything to do with Bitcoin?  Buy it, go to jail.  Mine it, go to jail.  Keep it, go to jail. Offer it, go to jail.  Spend it, go to jail. Receive it, go to jail.  If this guy is being prosecuted, even in part, because others are using Bitcoin for illegal purposes, why aren't 'you' (term used generically) who own even one BTC, guilty of the same 'conspiracy'?  What is needed here is a mechanism to very strongly deter any such anti-bitcoin prosecutions.  (You can imagine what I'm thinking of...).  Separately, and somewhat less controversially, would be a mechanism to implement a 'denial of service attack' on court systems.   What if, for example, the Feds were no longer able to prosecute 70,000 people per year (the current figure, approximately), but instead were limited to, say, 5,000 per year?        Jim Bell -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 3535 bytes Desc: not available URL: From tedks at riseup.net Wed Oct 2 10:19:03 2013 From: tedks at riseup.net (Ted Smith) Date: Wed, 02 Oct 2013 13:19:03 -0400 Subject: Silk Road founder arrested ... In-Reply-To: References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> Message-ID: <1380734343.30026.10.camel@anglachel> Well, he was caught because early on, he advertised for developers using his real-name email address. I know on the Internet people aren't terribly good at being people, but where I'm from it's considered bad form to celebrate anyone being imprisoned. Let's try not to celebrate someone's life being ruined. On Wed, 2013-10-02 at 18:42 +0200, Lodewijk andré de la porte wrote: > Good. That'll remove one mayor anti-bitcoin argument. Plus it shows > that even with anonymous transactions people can still be caught doing > illegal things, making it less important to have exclusively publicly > knowable transactions. > > > Huzzah. > > > 2013/10/2 Trigger Happy > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > > http://www.maxkeiser.com/2013/10/silk-road-founder-arrested/ > > - -- > Trigger Happy > jabber: triggerhappy at jabber.ccc.de > > > -----BEGIN PGP SIGNATURE----- > > iQIcBAEBCgAGBQJSTEH1AAoJEEtm9wC9fGLFLSMQAL3 > +e2tChE1Z3zAf2lRadpPX > rVz6MbiZsXismiOXPwOFZGjXBAD0GnbM6ZwlBtvHLvDnnsxd > +N6kwKpvaXv2S/sS > UOZeFl7m2G1BfhxYIN > +GxemYho7TnmwoEQp8e4cdoXF9PqYQylcxg7Q4e5HHXhDm > 92Nsj8EbRscAsK+ibQslmXKCqgwsQYEElgx1Va > +C/KU/rvzIcv9MC1g8Jaq2TTND > 0Taz0M9e9s8S9hHAnbUU9dIQKSGB43iegY8UD/E6Q/vyS > +qKgs6sKySkKfKw5MLN > eOPuCOGw9btm/Qvh4ckAAztefzovEEsPKIEQo502WyeaOvSMot/RqlwEwK4LREOL > IXKk2m3AOMwnMpeW8FQo4mb9XNV6HKZFSK//P3hQE3ao6PpyY2Nm6m68CSaDpsDB > 2XjKs0xZyplit85BEsz496yNe5UTM2eUQTDoorCj6RHl7Y2lm44R3eW1/BcvMKO4 > JyEo9PbYs57NRQLoyBaWU0NJFm9GlxrtqsnazOgX/i2ugqoy9f > +qArOhRS7dEPvk > PlJxKeAIe/qb7P+jOLHYKnl1gxa > +2kP59XJ2VlOAmqrdIIvAeaGSK4tqFTi6ziD4 > AV0WguqN7q9OXTrN0ybKOfjlsLdjCBchvmpOnDC/T3yMZOEktZM/Mih8N8YV6OJb > fwGhM48wWoNaJlNck5ej > =t7fB > -----END PGP SIGNATURE----- > > -- Sent from Ubuntu -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part URL: From albill at openbuddha.com Wed Oct 2 13:41:57 2013 From: albill at openbuddha.com (Al Billings) Date: Wed, 2 Oct 2013 13:41:57 -0700 Subject: Silk Road founder arrested ... In-Reply-To: References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> <1380740444.30026.18.camel@anglachel> <20131002193108.GA11783@netbook.cypherspace.org> <1380742664.5216.3.camel@anglachel> Message-ID: <59F41267AF424E199E63D0001C6F68C4@openbuddha.com> Your lack of proof or basic evidence. -- Al Billings http://makehacklearn.org On Wednesday, October 2, 2013 at 1:32 PM, Juan Garofalo wrote: > > The "slip" in this case is that the services were hacked. Tor (neither > > TOR, nor ToR) wasn't compromised. > > > > > And the source for that claim is...? -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 3592 bytes Desc: not available URL: From eugen at leitl.org Wed Oct 2 05:33:05 2013 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 2 Oct 2013 14:33:05 +0200 Subject: [tor-talk] Tor Weekly News =?utf-8?B?4oCU?= =?utf-8?Q?_October?= 2nd, 2013 Message-ID: <20131002123305.GR10405@leitl.org> ----- Forwarded message from harmony ----- From eugen at leitl.org Wed Oct 2 05:34:15 2013 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 2 Oct 2013 14:34:15 +0200 Subject: [cryptome] Cost and Responsibility for Snowden's Breaches Message-ID: <20131002123415.GS10405@leitl.org> ----- Forwarded message from John Young ----- From billstclair at gmail.com Wed Oct 2 11:36:34 2013 From: billstclair at gmail.com (Bill St. Clair) Date: Wed, 2 Oct 2013 14:36:34 -0400 Subject: Silk Road founder arrested ... In-Reply-To: References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> Message-ID: On Wed, Oct 2, 2013 at 2:21 PM, Lodewijk andré de la porte wrote: > Additionally Silk Road has been *the one *example of "bad things with > Bitcoin" so as a news message this is good news for those that own Bitcoin, > and Bitcoins image of legitimacy. This is the fact I am celibrating. The > actual arrest and takedown are sad results of society and the fact that the > owner wasn't hardcore paranoid enough, and I see no reason to celebrate > that. > The FBI agents involved should be taken before a Grand Jury seeking an indictment for kidnapping. If indicted, and found guilty by a jury of their peers, they should be hanged. There was no crime here, other than the kidnapping. The man sold vegetables to people who wanted them. -Bill -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1265 bytes Desc: not available URL: From pawal at blipp.com Wed Oct 2 05:37:43 2013 From: pawal at blipp.com (Patrik Wallstrom) Date: Wed, 2 Oct 2013 14:37:43 +0200 Subject: Studies on user behaviour Message-ID: <20131002123743.GA14320@vic20.blipp.com> Hi list, I am looking for studies on how user behaviour changes under surveillance. I have no insights at all in the social studies academic space, so I am very curious if there is any serious work being done. Older studies, say from Stasi times and until now are very welcome. A quick search on the net gives me the following, http://bits.blogs.nytimes.com/2013/08/26/how-surveillance-changes-behavior-a-restaurant-workers-case-study/ "How Surveillance Changes Behavior: A Restaurant Workers Case Study" But there must be much more out there. From demonfighter at gmail.com Wed Oct 2 11:55:21 2013 From: demonfighter at gmail.com (Steve Furlong) Date: Wed, 2 Oct 2013 14:55:21 -0400 Subject: Silk Road founder arrested ... In-Reply-To: References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> Message-ID: On Wed, Oct 2, 2013 at 2:36 PM, Bill St. Clair wrote: > There was no crime here, other than the kidnapping. The man sold vegetables to people who wanted them. See, there's your mistake right there. You think you're talking about government and a system of laws which values personal freedom and free trade. In the US since Wickard v Filburn if not before, the federal government has had the power to tell you what commercial activities you may not participate in. -- Neca eos omnes. Deus suos agnoscet. -- Arnaud-Amaury, 1209 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 821 bytes Desc: not available URL: From tedks at riseup.net Wed Oct 2 11:56:56 2013 From: tedks at riseup.net (Ted Smith) Date: Wed, 02 Oct 2013 14:56:56 -0400 Subject: Silk Road founder arrested ... In-Reply-To: <40F6437F0E924260B71B76F8F5CA8E46@openbuddha.com> References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> <40F6437F0E924260B71B76F8F5CA8E46@openbuddha.com> Message-ID: <1380740216.30026.14.camel@anglachel> I'm subscribed to the cpunks list, there's no need to CC me. Lots of people do bad things, but especially if those bad things have already happened and there's nothing we can do about them, it makes more sense to try to build a better world where people don't do bad things, than it does to be very angry at the people who do bad things, and to be happy when other people do bad things to them. I suppose if you very strongly believe that drugs are bad, you can point to any drug-related prosecution and say that it functions as an incentive. But there are people on this list who have been the targets of federal investigations, and I feel it's bad taste and contrary to cypherpunk culture to be celebratory of them. On Wed, 2013-10-02 at 10:50 -0700, Al Billings wrote: > If your name is Walter White. > > > -- > Al Billings > http://makehacklearn.org > > > On Wednesday, October 2, 2013 at 10:49 AM, Nathan Loofbourrow wrote: > > > To be fair, he was being blackmailed. That's self defense, right? > > -- Sent from Ubuntu -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part URL: From tedks at riseup.net Wed Oct 2 12:00:44 2013 From: tedks at riseup.net (Ted Smith) Date: Wed, 02 Oct 2013 15:00:44 -0400 Subject: Silk Road founder arrested ... In-Reply-To: References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> Message-ID: <1380740444.30026.18.camel@anglachel> On Wed, 2013-10-02 at 20:21 +0200, Lodewijk andré de la porte wrote: > On Oct 2, 2013 7:19 PM, "Ted Smith" wrote: > > I know on the Internet people aren't terribly good at being people, > but > > where I'm from it's considered bad form to celebrate anyone being > > imprisoned. Let's try not to celebrate someone's life being ruined. > > > I think this is an interesting notion. Yet you misunderstand my apathy > for dislike. I simply don't care for this man. Not at all. I think law > is served the way it should be, although later than it should be. This > law the citizens of America mostly agree with (hard to believe but > true nonetheless) and he will likely be prosecuted fairly. > > It's miraculous that this man didn't decide to build up an existence > in Russia or somesuch country, where he'd be safe from such > prosecution. Why he didn't do the ultimate best he could to simply > disappear. > > Additionally Silk Road has been the one example of "bad things with > Bitcoin" so as a news message this is good news for those that own > Bitcoin, and Bitcoins image of legitimacy. This is the fact I am > celibrating. The actual arrest and takedown are sad results of society > and the fact that the owner wasn't hardcore paranoid enough, and I see > no reason to celebrate that. I hear there are non-profits that work to advance the "legitimacy" of bitcoin. There are plenty of companies that are trying to do the same, so they can make money. But we're neither bitcoin-related nonprofits, or bitcoin-related startups. This is the cypherpunks list. Legitimacy shouldn't be our concern. I think it's sad that so many people had no better option (indeed, the Silk Road was usually the best option for finding substances that weren't dangerously adulterated) than to send their money to a man who did violent things, and supported other people that did violent and utterly reprehensible things. I also think it's sad that this particular man is almost certainly going to have a shit life from now on. I also think this adds nothing to any argument over Bitcoin, because again, he got caught by being dumb. Bitcoin+Tor still seems pretty ironclad as a hosting platform for illegal activities. -- Sent from Ubuntu -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part URL: From billstclair at gmail.com Wed Oct 2 12:08:49 2013 From: billstclair at gmail.com (Bill St. Clair) Date: Wed, 2 Oct 2013 15:08:49 -0400 Subject: Silk Road founder arrested ... In-Reply-To: <24ADD652FCEC47EE83047F8F55AE1100@openbuddha.com> References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> <24ADD652FCEC47EE83047F8F55AE1100@openbuddha.com> Message-ID: On Wed, Oct 2, 2013 at 2:47 PM, Al Billings wrote: > Paying someone $150,000 to kill someone isn't a crime in your country? That's the single charge on the complaint that might have some merit, but apparently they have no body, nor any evidence that the victim even exists, other than electronic messages. And, he was being blackmailed, in an environment where he couldn't go to the authorities, since they would arrest HIM, not the blackmailer. Another situation in which the drug war causes unintended (or maybe not) consequences. -Bill -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1232 bytes Desc: not available URL: From billstclair at gmail.com Wed Oct 2 12:10:15 2013 From: billstclair at gmail.com (Bill St. Clair) Date: Wed, 2 Oct 2013 15:10:15 -0400 Subject: Silk Road founder arrested ... In-Reply-To: References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> Message-ID: On Wed, Oct 2, 2013 at 2:55 PM, Steve Furlong wrote: > On Wed, Oct 2, 2013 at 2:36 PM, Bill St. Clair > wrote: > > There was no crime here, other than the kidnapping. The man sold > vegetables to people who wanted them. > > See, there's your mistake right there. You think you're talking about > government and a system of laws which values personal freedom and free > trade. In the US since Wickard v Filburn if not before, the federal > government has had the power to tell you what commercial activities you may > not participate in. > Oh, I now very well how the world's biggest extortion racket functions. I'm merely stating what SHOULD happen were the rules what they're advertised to be. -Bill -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1638 bytes Desc: not available URL: From tedks at riseup.net Wed Oct 2 12:37:44 2013 From: tedks at riseup.net (Ted Smith) Date: Wed, 02 Oct 2013 15:37:44 -0400 Subject: Silk Road founder arrested ... In-Reply-To: <20131002193108.GA11783@netbook.cypherspace.org> References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> <1380740444.30026.18.camel@anglachel> <20131002193108.GA11783@netbook.cypherspace.org> Message-ID: <1380742664.5216.3.camel@anglachel> On Wed, 2013-10-02 at 21:31 +0200, Adam Back wrote: > >I also think this adds nothing to any argument over Bitcoin, because > >again, he got caught by being dumb. Bitcoin+Tor still seems pretty > >ironclad as a hosting platform for illegal activities. > > Well not so fast there, without slip by operator being reported, that guy in > Ireland operating a ToR focussed mini-ISP got identified, and/or his clients > did and it spilled over on to him, or whatever happened. (That one based on > some browser bug and jscript attack inserted by law enforcement somehow). > High grade security is not for the careless - need to follow advise, eg ToR > browser bundle and scripts off or such? The "slip" in this case is that the services were hacked. Tor (neither TOR, nor ToR) wasn't compromised. Notice that without tools like Tor, organized cybercriminals have been doing things like hosting child pornography for decades now. They do it with tradecraft and occasionally botnets. What does that say about this thread of argument (predicating the "legitimacy" of bitcoin on its ability to be compromised)? -- Sent from Ubuntu -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part URL: From triggerhappy at openmail.cc Wed Oct 2 08:55:33 2013 From: triggerhappy at openmail.cc (Trigger Happy) Date: Wed, 02 Oct 2013 15:55:33 +0000 Subject: Silk Road founder arrested ... In-Reply-To: <20131002123743.GA14320@vic20.blipp.com> References: <20131002123743.GA14320@vic20.blipp.com> Message-ID: <524C41F5.5020105@openmail.cc> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 http://www.maxkeiser.com/2013/10/silk-road-founder-arrested/ - -- Trigger Happy jabber: triggerhappy at jabber.ccc.de -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJSTEH1AAoJEEtm9wC9fGLFLSMQAL3+e2tChE1Z3zAf2lRadpPX rVz6MbiZsXismiOXPwOFZGjXBAD0GnbM6ZwlBtvHLvDnnsxd+N6kwKpvaXv2S/sS UOZeFl7m2G1BfhxYIN+GxemYho7TnmwoEQp8e4cdoXF9PqYQylcxg7Q4e5HHXhDm 92Nsj8EbRscAsK+ibQslmXKCqgwsQYEElgx1Va+C/KU/rvzIcv9MC1g8Jaq2TTND 0Taz0M9e9s8S9hHAnbUU9dIQKSGB43iegY8UD/E6Q/vyS+qKgs6sKySkKfKw5MLN eOPuCOGw9btm/Qvh4ckAAztefzovEEsPKIEQo502WyeaOvSMot/RqlwEwK4LREOL IXKk2m3AOMwnMpeW8FQo4mb9XNV6HKZFSK//P3hQE3ao6PpyY2Nm6m68CSaDpsDB 2XjKs0xZyplit85BEsz496yNe5UTM2eUQTDoorCj6RHl7Y2lm44R3eW1/BcvMKO4 JyEo9PbYs57NRQLoyBaWU0NJFm9GlxrtqsnazOgX/i2ugqoy9f+qArOhRS7dEPvk PlJxKeAIe/qb7P+jOLHYKnl1gxa+2kP59XJ2VlOAmqrdIIvAeaGSK4tqFTi6ziD4 AV0WguqN7q9OXTrN0ybKOfjlsLdjCBchvmpOnDC/T3yMZOEktZM/Mih8N8YV6OJb fwGhM48wWoNaJlNck5ej =t7fB -----END PGP SIGNATURE----- From juan.g71 at gmail.com Wed Oct 2 12:03:41 2013 From: juan.g71 at gmail.com (Juan Garofalo) Date: Wed, 02 Oct 2013 16:03:41 -0300 Subject: Silk Road founder arrested ... In-Reply-To: References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> Message-ID: <0157E85736995F9423DFC324@F74D39FA044AA309EAEA14B9> --On Wednesday, October 02, 2013 8:21 PM +0200 Lodewijk andré de la porte wrote: > I think this is an interesting notion. Yet you misunderstand my apathy > for dislike. I simply don't care for this man. Not at all. I think law is > served the way it should be, although later than it should be. This law > the citizens of America mostly agree with I didn't realize I was subscribed to the DEA mailing list... From patrickbwells at gmail.com Wed Oct 2 16:16:11 2013 From: patrickbwells at gmail.com (Patrick Wells) Date: Wed, 2 Oct 2013 16:16:11 -0700 Subject: remove from list Message-ID: -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 26 bytes Desc: not available URL: From mail at larsluthman.net Wed Oct 2 07:35:09 2013 From: mail at larsluthman.net (Lars Luthman) Date: Wed, 02 Oct 2013 16:35:09 +0200 Subject: Studies on user behaviour In-Reply-To: <20131002123743.GA14320@vic20.blipp.com> References: <20131002123743.GA14320@vic20.blipp.com> Message-ID: <1380724509.22469.84.camel@miskatonic> On Wed, 2013-10-02 at 14:37 +0200, Patrik Wallstrom wrote: > Hi list, > > I am looking for studies on how user behaviour changes under > surveillance. I have no insights at all in the social studies academic > space, so I am very curious if there is any serious work being > done. Older studies, say from Stasi times and until now are very > welcome. Here's a small survey that was done in Germany during their (happily short) implementation of the data retention directive: https://www.vorratsdatenspeicherung.de/images/forsa_2008-06-03.pdf Short English description: http://www.kreativrauschen.com/blog/2008/06/04/data-retention-effectively-changes-the-behavior-of-citizens-in-germany/ --ll -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part URL: From tedks at riseup.net Wed Oct 2 13:40:06 2013 From: tedks at riseup.net (Ted Smith) Date: Wed, 02 Oct 2013 16:40:06 -0400 Subject: Silk Road founder arrested ... In-Reply-To: References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> <1380740444.30026.18.camel@anglachel> <20131002193108.GA11783@netbook.cypherspace.org> <1380742664.5216.3.camel@anglachel> Message-ID: <1380746406.5216.12.camel@anglachel> On Wed, 2013-10-02 at 17:32 -0300, Juan Garofalo wrote: > > The "slip" in this case is that the services were hacked. Tor > (neither > > TOR, nor ToR) wasn't compromised. > > > > And the source for that claim is...? http://www.wired.com/threatlevel/2013/09/freedom-hosting-fbi/ -- Sent from Ubuntu -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part URL: From tedks at riseup.net Wed Oct 2 13:42:04 2013 From: tedks at riseup.net (Ted Smith) Date: Wed, 02 Oct 2013 16:42:04 -0400 Subject: Silk Road founder arrested ... In-Reply-To: References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> <40F6437F0E924260B71B76F8F5CA8E46@openbuddha.com> <1380740216.30026.14.camel@anglachel> Message-ID: <1380746524.5216.14.camel@anglachel> On Wed, 2013-10-02 at 22:31 +0200, Lodewijk andré de la porte wrote: > If you say anarchy is part of cypherpunkism (if that's a thing) I > simply disagree with you. You're wrong as a matter of historic fact. Are you one of the people that was too afraid to be on the al-qaeda list or something? > And you tell me it is unethical to celebrate? > Want to ask Jim Bell how he feels about it? -- Sent from Ubuntu -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part URL: From juan.g71 at gmail.com Wed Oct 2 13:32:23 2013 From: juan.g71 at gmail.com (Juan Garofalo) Date: Wed, 02 Oct 2013 17:32:23 -0300 Subject: Silk Road founder arrested ... In-Reply-To: <1380742664.5216.3.camel@anglachel> References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> <1380740444.30026.18.camel@anglachel> <20131002193108.GA11783@netbook.cypherspace.org> <1380742664.5216.3.camel@anglachel> Message-ID: --On Wednesday, October 02, 2013 3:37 PM -0400 Ted Smith wrote: >> Well not so fast there, without slip by operator being reported, that >> guy in Ireland operating a ToR focussed mini-ISP got identified, and/or >> his clients did and it spilled over on to him, or whatever happened. >> (That one based on some browser bug and jscript attack inserted by law >> enforcement somehow). High grade security is not for the careless - >> need to follow advise, eg ToR browser bundle and scripts off or such? > > The "slip" in this case is that the services were hacked. Tor (neither > TOR, nor ToR) wasn't compromised. > And the source for that claim is...? > Notice that without tools like Tor, organized cybercriminals have been > doing things like hosting child pornography for decades now. They do it > with tradecraft and occasionally botnets. What does that say about this > thread of argument (predicating the "legitimacy" of bitcoin on its > ability to be compromised)? > > -- > Sent from Ubuntu > From bill.stewart at pobox.com Wed Oct 2 17:38:36 2013 From: bill.stewart at pobox.com (Bill Stewart) Date: Wed, 02 Oct 2013 17:38:36 -0700 Subject: Silk Road founder arrested ... In-Reply-To: <1380742664.5216.3.camel@anglachel> References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> <1380740444.30026.18.camel@anglachel> <20131002193108.GA11783@netbook.cypherspace.org> <1380742664.5216.3.camel@anglachel> Message-ID: <20131004002225.AB0F4DFB9@a-pb-sasl-quonix.pobox.com> At 12:37 PM 10/2/2013, Ted Smith wrote: >The "slip" in this case is that the services were hacked. >Tor (neither TOR, nor ToR) wasn't compromised. A surprising number of things *were* compromised, not even counting the known FBI malware attacks on the Tor network. If you read the indictment, there are a lot of email messages between DPR and various other people, implying either that DPR's mailbox has been seized (and that he saved a lot of messages that would be really dumb to save) or that many of the participants were actually Feds or informants (boy, would that be a surprise :-) or that the Feds have been monitoring communications on Silk Road's email for a while that I'd expect to have been private, in addition to monitoring open communications (drug ads, etc.), which says they've either compromised Silk Road or Tor. Also, somebody had said that the alleged hit on the extortionist competitor wasn't in the indictment, just the press release; that's incorrect. It's described in a fair bit of detail (including the Somewhere, BC police saying that there weren't actually any dead bodies lying around), in ways that sound almost like the extortionist and hit men were really cops; it wouldn't be a bad strategy for finding DPR if they'd wanted to do it, but you'd think they'd need to report that in the indictment if they had. Alternatively, the email systems were hopelessly compromised, to an extent that I'm glad I didn't try to buy any "research chemicals" in Silk Road. ------------- Events have superseded my travel to a working Wifi hotspot :-) http://www.popehat.com/2013/10/02/the-silk-road-to-federal-prosecution-the-charges-against-ross-ulbricht/ Ken at Popehat explains that there are two indictments, one in NY and one in MD, and at least the MD one indicates that the alleged hit was against a Federal witness, so it's possible that they've got some of the data directly from a participant; there's also speculation that the whole "witness" thing may have been a scam by an ex-employee. -------------- (On a side note, it's kind of frustrating that the correct capitalization of Tor is "Tor"; makes it hard to distinguish cypherpunks mail from mail about Tor Books, the science fiction oriented publishing company :-) From eugen at leitl.org Wed Oct 2 08:56:22 2013 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 2 Oct 2013 17:56:22 +0200 Subject: [cryptography] the spell is broken Message-ID: <20131002155622.GY10405@leitl.org> ----- Forwarded message from ianG ----- From juan.g71 at gmail.com Wed Oct 2 14:31:12 2013 From: juan.g71 at gmail.com (Juan Garofalo) Date: Wed, 02 Oct 2013 18:31:12 -0300 Subject: Silk Road founder arrested ... In-Reply-To: References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> <40F6437F0E924260B71B76F8F5CA8E46@openbuddha.com> <1380740216.30026.14.camel@anglachel> Message-ID: --On Wednesday, October 02, 2013 10:31 PM +0200 Lodewijk andré de la porte wrote: > Proclaiming not to support straight anarchy then what do you support? The > United States of America has, in its founding documents, a guarantee that > the people agree it functions as it should, or rebel to correct it. The US was founded as a fucking slave society. It had apartheid until ~1970. Today it's the biggest fascist society on the planet. Their babbling about natural 'god given' rights means nothing. I think you need to research the ABC of political theory before saying anything about anarchy. Your belief that anarchy is chaos is as unfounded as it is laughable. As it > should is also recorded, including a means of agreeing as a people. > > > This agreement has led to laws. These laws are executed by a blind > organization. This is as the people have wanted it, and even now permit > it to operate. > > > Now, I do not want to be part of the USA. This is exceedingly difficult, > as the peoples of the world have allowed it to grow to undeniable and > typically irresistible power. > > > Now you are saying that those who are willing parts of the USA, have > supported it and not changed it, have failed to adhere to it's laws and > receive the (according to the people of the USA) appropriate treatment. > And you tell me it is unethical to celebrate? > > > Getting off the high-and-mighty-seat I'd say the guy was a nutcase for > being in America. Completely unnecessary leaking of information about > himself while becoming high profile enough to get scrutiny of the highest > quality. I just can't imagine how he imagined he'd get out underneath it. > He even had the DHS on his footstep and, like everyone else who gets > caught, decided that it was probably no problem (it was just for the > ID's! Right?). > > > I will not repeat myself upon what I am celebrating. > > > Juan Garofalo > > I didn't realize I was subscribed to the DEA mailing list... > > > > > You can deny as much as you want that most Americans like the DEA's > function, but that won't save you. The masses are against you because > they're stupid. Realize it, asshole. You should understand what's going > on and what is always going on. Either you stay on its good side, or you > better be damn sure you know what it's thinking. That's more than a full > time job. Waiver a moment and you will fail. > > > Two things are infinite. The universe and the dumb masses. Both might > kill you on a whim, without the ears to hear your reasons nor the will > needed to grow those ears. > > > Good luck. If they're not after you, you're probably one of them. From iang at iang.org Wed Oct 2 08:41:21 2013 From: iang at iang.org (ianG) Date: Wed, 02 Oct 2013 18:41:21 +0300 Subject: [cryptography] the spell is broken Message-ID: http://www.infoworld.com/print/228000 October 02, 2013 Silent Circle moves away from NIST cryptographic standards, cites NSA concerns The company plans to replace AES and SHA-2 with Twofish and Skein in its encrypted communication services By Lucian Constantin | IDG News Service Silent Circle, a provider of encrypted mobile Voice over Internet Protocol (VoIP) and text messaging apps and services, will stop using the Advanced Encryption Standard (AES) cipher and Secure Hash Algorithm 2 (SHA-2) hash functions as default cryptographic algorithms in its products. [ Build and deploy an effective line of defense against corporate intruders with InfoWorld's Encryption Deep Dive PDF expert guide. Download it today! | Stay up to date on the latest security developments with InfoWorld's Security Central newsletter. ] "We are going to replace our use of the AES cipher with the Twofish cipher, as it is a drop-in replacement," Silent Circle CTO Jon Callas said Monday in a blog post. "We are going to replace our use of the SHA-2 hash functions with the Skein hash function. We are also examining using the Threefish cipher where that makes sense." The company also plans to stop using P-384, one of the elliptic curves recommended by the NIST for use in elliptic curve cryptography (ECC). ... Silent Circle plans to replace the P-384 elliptic curve with one or more curves that are being designed by cryptographers Daniel Bernstein and Tanja Lange, who have argued in the past that Suite B elliptic curves are weak. "If the Suite B curves are intentionally bad, this would be a major breach of trust and credibility," Callas said. "Even in a passive case -- where the curves were thought to be good, but NSA cryptanalysts found weaknesses they have since exploited -- it would create a credibility gap of the highest order, and would be the smoking gun that confirms the Guardian articles." ... Silent Circle's new decision to move away from AES, SHA-2 and the P-384 curve doesn't mean that these standards are insecure, Callas said in the blog post. "It doesn't mean we think less of our friends at NIST, whom we have the utmost respect for; they are victims of the NSA's perfidy, along with the rest of the free world. For us, the spell is broken. We're just moving on." ... Asked why Twofish and Skein in particular were chosen to be the new default choices for Silent Circle's products, Callas said via email that both algorithms come from trusted sources, including himself in the case of Skein. Twofish was a finalist in the NIST's selection of the AES cipher, and the team that developed it included people that Silent Circle's co-founders personally know and trust, he said. "A number of the same people produced Skein -- which was a SHA-3 finalist -- and I am a member of the Skein team." For Silent Circle this was a "decision of conscience," Callas said. "Our primary responsibility is to protect our customers, especially in the face of uncertainty." _______________________________________________ cryptography mailing list cryptography at randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From l at odewijk.nl Wed Oct 2 09:42:49 2013 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Wed, 2 Oct 2013 18:42:49 +0200 Subject: Silk Road founder arrested ... In-Reply-To: <524C41F5.5020105@openmail.cc> References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> Message-ID: Good. That'll remove one mayor anti-bitcoin argument. Plus it shows that even with anonymous transactions people can still be caught doing illegal things, making it less important to have exclusively publicly knowable transactions. Huzzah. 2013/10/2 Trigger Happy > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > > http://www.maxkeiser.com/2013/10/silk-road-founder-arrested/ > > - -- > Trigger Happy > jabber: triggerhappy at jabber.ccc.de > > > -----BEGIN PGP SIGNATURE----- > > iQIcBAEBCgAGBQJSTEH1AAoJEEtm9wC9fGLFLSMQAL3+e2tChE1Z3zAf2lRadpPX > rVz6MbiZsXismiOXPwOFZGjXBAD0GnbM6ZwlBtvHLvDnnsxd+N6kwKpvaXv2S/sS > UOZeFl7m2G1BfhxYIN+GxemYho7TnmwoEQp8e4cdoXF9PqYQylcxg7Q4e5HHXhDm > 92Nsj8EbRscAsK+ibQslmXKCqgwsQYEElgx1Va+C/KU/rvzIcv9MC1g8Jaq2TTND > 0Taz0M9e9s8S9hHAnbUU9dIQKSGB43iegY8UD/E6Q/vyS+qKgs6sKySkKfKw5MLN > eOPuCOGw9btm/Qvh4ckAAztefzovEEsPKIEQo502WyeaOvSMot/RqlwEwK4LREOL > IXKk2m3AOMwnMpeW8FQo4mb9XNV6HKZFSK//P3hQE3ao6PpyY2Nm6m68CSaDpsDB > 2XjKs0xZyplit85BEsz496yNe5UTM2eUQTDoorCj6RHl7Y2lm44R3eW1/BcvMKO4 > JyEo9PbYs57NRQLoyBaWU0NJFm9GlxrtqsnazOgX/i2ugqoy9f+qArOhRS7dEPvk > PlJxKeAIe/qb7P+jOLHYKnl1gxa+2kP59XJ2VlOAmqrdIIvAeaGSK4tqFTi6ziD4 > AV0WguqN7q9OXTrN0ybKOfjlsLdjCBchvmpOnDC/T3yMZOEktZM/Mih8N8YV6OJb > fwGhM48wWoNaJlNck5ej > =t7fB > -----END PGP SIGNATURE----- > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1844 bytes Desc: not available URL: From tedks at riseup.net Wed Oct 2 16:34:14 2013 From: tedks at riseup.net (Ted Smith) Date: Wed, 02 Oct 2013 19:34:14 -0400 Subject: Silk Road founder arrested ... In-Reply-To: References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> <40F6437F0E924260B71B76F8F5CA8E46@openbuddha.com> <1380740216.30026.14.camel@anglachel> Message-ID: <1380756854.21755.4.camel@anglachel> On Thu, 2013-10-03 at 01:12 +0200, Lodewijk andré de la porte wrote: > Ted > On Wed, 2013-10-02 at 22:31 +0200, Lodewijk andré de la porte > wrote: > > If you say anarchy is part of cypherpunkism (if that's a > thing) I > > simply disagree with you. > You're wrong as a matter of historic fact. > Are you one of the people that was too afraid to be on the > al-qaeda list > or something? > > > At first I frowned and wondered why. Then I thought it was likely a > joke and if it wasn't then what's the problem with al-qaeda? Also a > distinct lack of right-to-left garbage spewing at me. (to clarify, this list used to have the address cyperpunks at al-qaeda.net, until liberals afraid of their own shadow forced it into more neutral territory. Many people joined at that point, somewhat diluting the existing radicalism.) > Of course putting things into the people's hands (truly and > irrevocably) is something that's very cypherpunk. In that sense it's > also very anarchist, as permission from anyone is not required to take > that power. https://en.wikipedia.org/wiki/Cryptoanarchism https://en.wikipedia.org/wiki/Cypherpunk This isn't a hard concept to grasp. -- Sent from Ubuntu -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part URL: From l at odewijk.nl Wed Oct 2 11:21:39 2013 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Wed, 2 Oct 2013 20:21:39 +0200 Subject: Silk Road founder arrested ... In-Reply-To: <1380734343.30026.10.camel@anglachel> References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> Message-ID: On Oct 2, 2013 7:19 PM, "Ted Smith" wrote: > I know on the Internet people aren't terribly good at being people, but > where I'm from it's considered bad form to celebrate anyone being > imprisoned. Let's try not to celebrate someone's life being ruined. I think this is an interesting notion. Yet you misunderstand my apathy for dislike. I simply don't care for this man. Not at all. I think law is served the way it should be, although later than it should be. This law the citizens of America mostly agree with (hard to believe but true nonetheless) and he will likely be prosecuted fairly. It's miraculous that this man didn't decide to build up an existence in Russia or somesuch country, where he'd be safe from such prosecution. Why he didn't do the ultimate best he could to simply disappear. Additionally Silk Road has been *the one *example of "bad things with Bitcoin" so as a news message this is good news for those that own Bitcoin, and Bitcoins image of legitimacy. This is the fact I am celibrating. The actual arrest and takedown are sad results of society and the fact that the owner wasn't hardcore paranoid enough, and I see no reason to celebrate that. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1448 bytes Desc: not available URL: From jamesdbell8 at yahoo.com Wed Oct 2 21:02:25 2013 From: jamesdbell8 at yahoo.com (Jim Bell) Date: Wed, 2 Oct 2013 21:02:25 -0700 (PDT) Subject: Injustice: Denial of Disservice Attack Message-ID: <1380772945.89717.YahooMailNeo@web141202.mail.bf1.yahoo.com>     "INJUSTICE: DENIAL of DISSERVICE ATTACK" or, "How to really mess up the opponent, and to do so legally"           By Jim Bell, Author of 'Assassination Politics'.      I spent well over 13 years in prison, and not only was I not guilty of nearly all of the crimes of which I was charged, I was actually a victim of crimes committed by various Federal government employees.  Not only was I assaulted on November 25, 1997 by a government stooge and informant, Ryan Thomas Lund, in order to force me to accept a plea agreement in case 97-5270, Tacoma Federal Court, I was also the victim of an amazing forged (falsified; fictitious; fake) appeal case (Ninth Circuit Court of Appeals, case 99-30210) that was initiated by corrupt government and court employees, and whose pre-April-2000 existence was concealed from me until about June 2003.  Naturally, I concluded that something must be done about this.      The current population of United States Federal prisons is approximately 220,000 inmates.  (In 1980, that population was about 20,000).  Each year, somewhat more than 70,000 new defendants are charged, and the large majority (perhaps 95%) are convicted.  Yet, you might be surprised:  There are only about 3,500 Federal criminal jury trials in America each year.  The reason for the apparent difference is that in the vast majority of such cases, the defendant or defendants accept a plea agreement, which the news media wrongly refers to as a 'plea bargain':  In reality, it's not a 'bargain' for the criminal defendant, and it certainly isn't a 'bargain' for the American taxpayer.  See the "Prisoner's Dilemma".   It's actually a financial disaster of the first magnitude, one which the majority of the American population doesn't know about, and certainly doesn't understand.  But the reason the defendants are motivated to accept those deals is simple:  The Feds threaten them with time far greater than what they'll get if they deal.  So, the very large majority of them deal.  And so, all of us are poorer as a consequence.  The average sentence, we can calculate, is 220,000/70,000, or a bit over 3 years per sentence.  (This is one way to calculate an 'average sentence', there may be others.)     It costs approximately $35,000 to keep a prisoner in Federal prison for one year.  So, for the 220,000 current prisoners, that's a total cost of about $7.7 billion dollars.  If that population could be brought down to the level it was in 1980, or 20,000 prisoners, about $7 billion dollars would be saved.   Even better, it would be far harder to extort people, people such as Barrett Brown (journalist), Kim Dotcom (Megaupload),  Bradley Manning (Cablegate), Ladar Levinson (operator of Lavabit), Edward Snowden (NSA leaker), Ty Warner (Beanie Babies, just convicted of tax evasion) or (now) Ross William Ulbricht, alleged operator of 'Silk Road'.   And, of course, thousands more that are less well-known.   Many of these people have either not committed any crime at all, or even if guilty of something, they shouldn't be punished to the extent the system would want to do.  Or punished at all.     I was pondering this problem in my prison cell one day, and I got yet one more of my 'awfully wonderful, wonderfully awful' ideas.  (Quote from:  "How the Grinch Stole Christmas")  I was almost as energized, and as enthusiastic, as I was in early 1995, when I got the idea that I later turned into my "Assassination Politics" essay.   I thought, what if every Federal defendant could be motivated to refuse to deal, to refuse to accept the deal that's usuallyoffered.  The figure of$5,000 popped into my head.  What if every Federal felony criminal defendant were offered money, let's say $5,000, if they would plead not-guilty (which is their Constitutional right) and to demand a jury trial (which is also their Constitutional right).  The current system has trouble putting on 3,500 Federal felony criminal jury trials per year.  How would that system increase that number significantly?  The number of Federal courtrooms is somewhat fixed, the number of U.S. Attorneys is rather limited as well.  And, Federal court time has to be shared with civil cases, too.  So, it would be hard to imagine a great increase in the number of Federal criminal jury trials held.  If the number of persons convicted could be dropped from 70,000 per year to 4,000 per year, that should save the American taxpayers well over $7 billion per year in prison and jail costs.  Well over 90% of Federal prisons would have to shut within 5 years.     How much would this cost?  Well, assuming a cost-per-offer of $5,000, and perhaps 4,000 trials per year, the cost would be $20 million per year.  For an individual, that's a lot of money.  But for an entire country, that's peanuts.   Yet, it would save the nation $7 billion.  In other words, for every dollar offered to a criminal defendant, the savings to the public would be:    $7 billion/$20 million = $350.     These estimates are not set in stone.  Of course, under this kind of pressure 'the system' would tend to allocate its resources, the limited number of courtroom-days available, and would probably select only the most serious cases for prosecution.  So, while it's possible that some residual amount of plea-bargaining would remain, this same pressure would tend to force officials to accept that defendants serve smaller average sentences than they've been getting, which of course are already much lower than they'd probably like to get.  Even if the resulting average sentence rose to 4 years, the overall population of Federal prisons would drop from 220,000 to about 16,000.  (4 years x 4,000 trials/year).  This would be a great improvement.         The big question is, "Who would pay for this?".  "Therein lies the rub", to quote Hamlet.  Don't expect bigtime drug-dealers to donate:  Their ability to make money would be thwarted if their products were rendered de-facto legal.   However, illegal-drug users would be greatly benefited.  The price of their favorite pastime might very well drop by a factor of 5-10, if the likelihood of getting arrested and charged with providing it was drastically lowered.  That would surely occur if this system was expanded to include state jurisdiction, which is about 10x larger than the Federal system, and thus a cost 10x higher:  $200 million per year..  Another group of people who would benefit would be tax-evaders.  The Wikipedia article on "Tax Evasion in the United States" indicates that the approximate money 'lost' (and thereby gained by non-payers) is $305 billion in 2010.  If only 1/100 of a penny foreach dollar thus saved was paid into a fund, that would be $30.5 million, which would be plenty to make sure that Federal tax evasion would be extremely difficult to prosecute.  As well as every other Federal crime.  Most accountants would see that as a good investment, and should advise their clients accordingly.               Jim Bell -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 11558 bytes Desc: not available URL: From wilder at trip.sk Wed Oct 2 12:13:18 2013 From: wilder at trip.sk (Pavol Luptak) Date: Wed, 2 Oct 2013 21:13:18 +0200 Subject: Silk Road founder arrested ... In-Reply-To: References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> Message-ID: <20131002191318.GB7253@core.nethemba.com> On Wed, Oct 02, 2013 at 08:21:39PM +0200, Lodewijk andré de la porte wrote: > Additionally Silk Road has been the one example of "bad things with > Bitcoin" so as a news message this is good news for those that own > Bitcoin, and Bitcoins image of legitimacy. This is the fact I am > celibrating. The actual arrest and takedown are sad results of society and > the fact that the owner wasn't hardcore paranoid enough, and I see no > reason to celebrate that. There are many alternative tor hidden drug-free markets portals that work well and use bitcoins/litecoins, Silk Road Market was just the biggest one. Regarding "Bitcoin image" vs. Silk Road, BTC is falling down significantly because of Silk Road market shutdown. From this point of view as a bitcoin owner, I am just loosing a lot of money :( (and this is the second time why I am loosing my money because of FBI/CIA actions, the first time it was because of megaupload.com shutdown, of course I had paid my megaupload lifetime subscription). -- _______________________________________________________________ [wilder at trip.sk] [http://trip.sk/wilder/] [talker: ttt.sk 5678] -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 230 bytes Desc: Digital signature URL: From jya at pipeline.com Wed Oct 2 18:13:42 2013 From: jya at pipeline.com (John Young) Date: Wed, 02 Oct 2013 21:13:42 -0400 Subject: Silk Road founder arrested ... In-Reply-To: <1380756854.21755.4.camel@anglachel> References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> <40F6437F0E924260B71B76F8F5CA8E46@openbuddha.com> <1380740216.30026.14.camel@anglachel> <1380756854.21755.4.camel@anglachel> Message-ID: Al-qaeda.net still works. May want to use ALQ comsec for surefire inescapable gravity of the galaxy's ravenous spy black dwarves. Ref: Inspire magazine 2010: http://cryptome.org/2013/09/al-qaeda-comsec.htm > At first I frowned and wondered why. Then I thought it was likely a > > joke and if it wasn't then what's the problem with al-qaeda? Also a > > distinct lack of right-to-left garbage spewing at me. > >(to clarify, this list used to have the address cyperpunks at al-qaeda.net, >until liberals afraid of their own shadow forced it into more neutral >territory. Many people joined at that point, somewhat diluting the >existing radicalism.) > > > Of course putting things into the people's hands (truly and > > irrevocably) is something that's very cypherpunk. In that sense it's > > also very anarchist, as permission from anyone is not required to take > > that power. > >https://en.wikipedia.org/wiki/Cryptoanarchism > >https://en.wikipedia.org/wiki/Cypherpunk > >This isn't a hard concept to grasp. > >-- >Sent from Ubuntu > From wilder at trip.sk Wed Oct 2 12:16:18 2013 From: wilder at trip.sk (Pavol Luptak) Date: Wed, 2 Oct 2013 21:16:18 +0200 Subject: Silk Road founder arrested ... In-Reply-To: <24ADD652FCEC47EE83047F8F55AE1100@openbuddha.com> References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> <24ADD652FCEC47EE83047F8F55AE1100@openbuddha.com> Message-ID: <20131002191617.GC7253@core.nethemba.com> How can you be sure that this is a true information? Do you really trust FBI? There are hundreds cases they did really nasty things. On Wed, Oct 02, 2013 at 11:47:51AM -0700, Al Billings wrote: > Paying someone $150,000 to kill someone isn't a crime in your country? > -- > Al Billings > http://makehacklearn.org > > On Wednesday, October 2, 2013 at 11:36 AM, Bill St. Clair wrote: > > The FBI agents involved should be taken before a Grand Jury seeking an > indictment for kidnapping. If indicted, and found guilty by a jury of > their peers, they should be hanged. There was no crime here, other than > the kidnapping. The man sold vegetables to people who wanted them. _______________________________________________________________ [wilder at trip.sk] [http://trip.sk/wilder/] [talker: ttt.sk 5678] -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/x-pkcs7-signature Size: 4792 bytes Desc: not available URL: From adam at cypherspace.org Wed Oct 2 12:31:08 2013 From: adam at cypherspace.org (Adam Back) Date: Wed, 2 Oct 2013 21:31:08 +0200 Subject: Silk Road founder arrested ... In-Reply-To: <1380740444.30026.18.camel@anglachel> References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> <1380740444.30026.18.camel@anglachel> Message-ID: <20131002193108.GA11783@netbook.cypherspace.org> Without getting into the rights and wrongs of drugs policy, and the case, I suspect the silk road shutdown is good for bitcoin because it shows that even if bitcoin were very anonymous (which its not due to being a public ledger system), people are not completely immune from tracing even aside from that if they become a big enough target, and it is easy enough to slip up on security in operating a service. (Surely the NSA could've figured it out anyway with their Utah datacenter full of global internet traffic tracking info if anyone cared enough to get the clout to demand it from them, and from recent news its stated they will give evidence of crime to law enforcement if they find it as part of foreign national security activities. Whether they take requests to go trace things from law enforcement is a different question - seemingly not hinted at yet in the Snowden revelations. But apparently they're not beyond covering up the source with fake cover stories of how they found the info even to judges.) Also I read somewhere that silk road was using an offchain payment (not strictly bitcoin but bitcoin converted into some silk road operated server. maybe its described somewhere for people who dont have ToR running, perhaps it was a chaumian token server?). >I also think this adds nothing to any argument over Bitcoin, because >again, he got caught by being dumb. Bitcoin+Tor still seems pretty >ironclad as a hosting platform for illegal activities. Well not so fast there, without slip by operator being reported, that guy in Ireland operating a ToR focussed mini-ISP got identified, and/or his clients did and it spilled over on to him, or whatever happened. (That one based on some browser bug and jscript attack inserted by law enforcement somehow). High grade security is not for the careless - need to follow advise, eg ToR browser bundle and scripts off or such? Adam From albill at openbuddha.com Wed Oct 2 22:22:38 2013 From: albill at openbuddha.com (Al Billings) Date: Wed, 2 Oct 2013 22:22:38 -0700 Subject: Injustice: Denial of Disservice Attack In-Reply-To: <1380772945.89717.YahooMailNeo@web141202.mail.bf1.yahoo.com> References: <1380772945.89717.YahooMailNeo@web141202.mail.bf1.yahoo.com> Message-ID: What does this have to do with cryptography? -- Al Billings http://makehacklearn.org On Wednesday, October 2, 2013 at 9:02 PM, Jim Bell wrote: > "INJUSTICE: DENIAL of DISSERVICE ATTACK" > > or, "How to really mess up the opponent, and to do so legally" By Jim Bell, Author of 'Assassination Politics'. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2385 bytes Desc: not available URL: From jamesdbell8 at yahoo.com Wed Oct 2 22:22:55 2013 From: jamesdbell8 at yahoo.com (Jim Bell) Date: Wed, 2 Oct 2013 22:22:55 -0700 (PDT) Subject: Metadata-killer Message-ID: <1380777775.74676.YahooMailNeo@web141205.mail.bf1.yahoo.com> From  http://www.wired.com/threatlevel/2013/10/lavabit_unsealed/     "In an interesting work-around, Levison complied the next day by turning over the private SSL keys as an 11 page printout in 4-point type. The government, not unreasonably, called the printout “illegible.” “To make use of these keys, the FBI would have to manually input all 2,560 characters, and one incorrect keystroke in this laborious process would render the FBI collection system incapable of collecting decrypted data,” prosecutors wrote. The court ordered Levison to provide a more useful electronic copy. By August 5, Lavabit was still resisting the order, and the judge ordered that Levison would be fined $5,000 a day beginning August 6 until he handed over electronic copies of the keys."     Companies like Verizon who are ordered to hand over "electronic copies" of metadata, passwords, and other material the government shouldn't get, should be convinced that they need to hand over that material in "electronic form":  In the form of PDF files, of text that has been randomly ordered by line, and 'printed out' in a 'cursive' font, but not one in which each character always appears to be the same.  Rather, each character will be pseudorandomly modified in order to simulate the variability of any person's written cursive, with overlapping characters.  This will be analogous to the "Captcha" systemhttp://en.wikipedia.org/wiki/Captcha    , which is designed to be very difficult for a computer to convert back to ASCII or HTML text.  The text will therefore be eminently readable to humans (at least if you're old enough to have been taught cursive in school!), yet virtually impossible to return to the form they'd like to see.  (Alternatively, a similarly-variable Gothic script could be used, to add spice to the whole process.)            Jim Bell -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 3182 bytes Desc: not available URL: From l at odewijk.nl Wed Oct 2 13:31:47 2013 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Wed, 2 Oct 2013 22:31:47 +0200 Subject: Silk Road founder arrested ... In-Reply-To: <1380740216.30026.14.camel@anglachel> References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> <40F6437F0E924260B71B76F8F5CA8E46@openbuddha.com> <1380740216.30026.14.camel@anglachel> Message-ID: 2013/10/2 Ted Smith > But there are people on this list who have been the targets of federal > investigations, and I feel it's bad taste and contrary to cypherpunk > culture to be celebratory of them. > If you say anarchy is part of cypherpunkism (if that's a thing) I simply disagree with you. Truly that idea is shortsighted. Anarchy knows no peace or focus. There is chaos until there is again order. And chaos, however pleasing in it's unlimited shape, knows not mercy. Mercy it is that the masses wish for, usually however it is mercy for their ignorance. You too, need mercy for you ignorance. As do I. Proclaiming not to support straight anarchy then what do you support? The United States of America has, in its founding documents, a guarantee that the people agree it functions as it should, or rebel to correct it. As it should is also recorded, including a means of agreeing as a people. This agreement has led to laws. These laws are executed by a blind organization. This is as the people have wanted it, and even now permit it to operate. Now, I do not want to be part of the USA. This is exceedingly difficult, as the peoples of the world have allowed it to grow to undeniable and typically irresistible power. Now you are saying that those who are willing parts of the USA, have supported it and not changed it, have failed to adhere to it's laws and receive the (according to the people of the USA) appropriate treatment. And you tell me it is unethical to celebrate? Getting off the high-and-mighty-seat I'd say the guy was a nutcase for being in America. Completely unnecessary leaking of information about himself while becoming high profile enough to get scrutiny of the highest quality. I just can't imagine how he imagined he'd get out underneath it. He even had the DHS on his footstep and, like everyone else who gets caught, decided that it was probably no problem (it was just for the ID's! Right?). I will not repeat myself upon what I am celebrating. Juan Garofalo > I didn't realize I was subscribed to the DEA mailing list... You can deny as much as you want that most Americans like the DEA's function, but that won't save you. The masses are against you because they're stupid. Realize it, asshole. You should understand what's going on and what is always going on. Either you stay on its good side, or you better be damn sure you know what it's thinking. That's more than a full time job. Waiver a moment and you will fail. Two things are infinite. The universe and the dumb masses. Both might kill you on a whim, without the ears to hear your reasons nor the will needed to grow those ears. Good luck. If they're not after you, you're probably one of them. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 4025 bytes Desc: not available URL: From guido at witmond.nl Wed Oct 2 13:51:46 2013 From: guido at witmond.nl (Guido Witmond) Date: Wed, 02 Oct 2013 22:51:46 +0200 Subject: Silk Road founder arrested ... In-Reply-To: <1380741786.15249.YahooMailNeo@web141201.mail.bf1.yahoo.com> References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> <1380741786.15249.YahooMailNeo@web141201.mail.bf1.yahoo.com> Message-ID: <524C8762.4030405@witmond.nl> On 10/02/13 21:23, Jim Bell wrote: > > I can think of another "bad thing with Bitcoin" that hasn't yet been > implemented. So, I don't think this is "good news for those that own > Bitcoin", quite the opposite. If this prosecution is considered > legitimate, could the next step be the prosecution of any persons who > have anything to do with Bitcoin? Buy it, go to jail. Mine it, go to > jail. Keep it, go to jail. Offer it, go to jail. Spend it, go to jail. > Receive it, go to jail. If this guy is being prosecuted, even in part, > because others are using Bitcoin for illegal purposes, why aren't 'you' > (term used generically) who own even one BTC, guilty of the same > 'conspiracy'? > What is needed here is a mechanism to very strongly deter any such > anti-bitcoin prosecutions. (You can imagine what I'm thinking of...). > Separately, and somewhat less controversially, would be a mechanism to > implement a 'denial of service attack' on court systems. What if, for > example, the Feds were no longer able to prosecute 70,000 people per > year (the current figure, approximately), but instead were limited to, > say, 5,000 per year? > Jim Bell > > > I'm not so worried. From the Criminal Complaint PDF I get the feeling that the charges are on the narcotics, and the running of the shop where others can sell those narcotics. ie. the normal witch hunt on drugs. I get the impression that the use of bitcoin to hide identities is the problem. Not the bitcoin itself. There are references at paragraph 12b: use of a Bitcoin "tumbler" to hide origins of individual transactions. In paragraph 15: "Ulbricht has required ... Bitcoins, an electronic currency designed to be as anonymous as cash". The good news: The FBI-author even states that "Bitcoins are not illegal in and of themselves and have known legitimate uses. (Para 21.v) In fact, they have been declared legal in Germany. You need to pay tax on them, over there.... So, the biggest challenge is to make sure the general public gets to know this fact. Regards, Guido. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 897 bytes Desc: OpenPGP digital signature URL: From jamesdbell8 at yahoo.com Wed Oct 2 23:49:08 2013 From: jamesdbell8 at yahoo.com (Jim Bell) Date: Wed, 2 Oct 2013 23:49:08 -0700 (PDT) Subject: Injustice: Denial of Disservice Attack In-Reply-To: References: <1380772945.89717.YahooMailNeo@web141202.mail.bf1.yahoo.com> Message-ID: <1380782948.97062.YahooMailNeo@web141203.mail.bf1.yahoo.com> First, I am not aware that the CP list has ever been limited solely to something that can be strictly labelled as "cryptography".  Second: Fortunately, I just uploaded an item about Lavabit and its operator Levison.  Those of us who are truly interested in security (as opposed to those who merely pretend to be, and are actually shills of government) understand that his crypto strength is rather pointless if the operator of a trusted service can be strong-armed by a government.  What I've just invented is a method to make it about 18 times harder for the government to threaten somebody with prosecution for anything he might choose to do.  (Conviction rate going from 70,000 to 4,000 per year.)  But that should have been obvious to anybody.  Why wasn't it obvious to you?         Jim Bell ________________________________ From: Al Billings To: "cypherpunks at cpunks.org" Sent: Wednesday, October 2, 2013 10:22 PM Subject: Re: Injustice: Denial of Disservice Attack >What does this have to do with cryptography? --  >Al Billings http://makehacklearn.org On Wednesday, October 2, 2013 at 9:02 PM, Jim Bell wrote:     "INJUSTICE: DENIAL of DISSERVICE ATTACK" > > >or, "How to really mess up the opponent, and to do so legally"           By Jim Bell, Author of 'Assassination Politics'. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 4289 bytes Desc: not available URL: From juan.g71 at gmail.com Wed Oct 2 19:56:34 2013 From: juan.g71 at gmail.com (Juan Garofalo) Date: Wed, 02 Oct 2013 23:56:34 -0300 Subject: anarchy was : Silk Road founder arrested ... Message-ID: <63D2D2A962F8C4AD35FA425F@F74D39FA044AA309EAEA14B9> --On Thursday, October 03, 2013 1:12 AM +0200 Lodewijk andré de la porte wrote: > 2013/10/2 Juan Garofalo > > > I think you need to research the ABC of political theory before saying > anything about anarchy. Your belief that anarchy is chaos is as unfounded > as it is laughable. > > > Anarchy as a word does not mean a thing. Right, it doesn't mean one thing, it means *two* different and mutually exclusive things. It is vulgarly used to mean 'chaos', and it's used by advocates of voluntary interactions to describe a social system based on voluntary interactions. You know, voluntary interactions : The opposite of cheering the drug laws of the american state. > It's the people in it that shape > it. This is as much as risk as it is a feature. From chaos men makes > shapes, structures. These structures must, by the very absence of it, > reimplement what otherwise a government does. Of course the extends and > all will depend upon the people.  A government is a criminal organization that violates rights to life liberty and property. Those criminal 'functions' of government can't exist in a voluntary society. If 'people' 'reimplement' what government does, then we are not talking about anarchy. > > > Economically I can fairly say that every function will be taken over by > the group that can do the task as financially efficient as possible. > Combining that with the historic fact that kingdoms and empires, due to > people's ignorance, are the easiest structures to conjure. And that ease > makes it have a good return. Not sure what you're getting at... > > So. My thinking is that anarchy that remains anarchy is in fact quite > chaotic, > as no rel leaders are permitted to arise. I don't see the connection between leaders and their sheep on one hand and 'chaos' on the other. It's quite possible to have 'order' without 'leaders'. It's called self-government. Or doing what you like and leaving your neighbor alone. >Of course it's > possible to have discussions together, to rule as a non-forcible > collective. That's a very unstable situation however. Just like chaos. > Individuals can interact as individuals, voluntary and with no 'chaos' in sight. I don't see why it should be 'unstable'. > Now if you'd be so kind to tell me why your tone was so insulting and the > reasons for thinking the way you do, then perhaps this can become an > interesting conversation. From electromagnetize at gmail.com Wed Oct 2 22:20:22 2013 From: electromagnetize at gmail.com (brian carroll) Date: Thu, 3 Oct 2013 00:20:22 -0500 Subject: [=] boundaries and thresholds Message-ID: --- intro --- cryptography in a computer context, tied down into particular mindsets and frameworks, limited and private approaches to programming, addressing issue of secrecy and security, as if it is all inside the existing observation, contained within a particular viewpoint and set of variables as interpreted. and then, how to convey another parallel world that also involves itself in the same conceptual structure, though differently... and even precedent to what is rigidly occurring inside the electronic boxes and technologies, yet in comparison appearing only low-tech if no-tech, even while precedent if not philosophically more pure. grounded by default of its physicality as it relates to ideas placed into action. how to make the case 'this happened before that' and yet to address a default detestation or conceit that may also exist, culturally, via a detachment between ideas, how things work, their relevance and trajectory and importance as knowledge, while inside an illiterate world. a question of meaning, though also inherent bias, presumption of 'knowing' and having answers instead of not knowing and asking questions, learning from other realms of inquiry. thus are minds and mentalities closed or are they capable of seeing beyond themselves and their finite assumptions, especially if shared, solidified into the dogma of ideology. "science" without art is no longer science. it is technique removed of its human purpose and capacity and becomes and functions for another antihuman agenda. it can become a distortion or false viewpoint to develop hostile policies within. the *insight* of art, of inquiry, of questioning, of the realm of risk and of peak functioning and imagination, of optimization within a limited context and challenging constraints - of knowing, of being, of choices and actions - creates or opens or allows access, willing or not, into another realm beyond the normal and everyday, new territory or old territory reconsidered and reconceived. turning answers into questions again and presenting new views into existing questions and ideas. so for instance, 'the context' for crypto could be assumed to be computers by default of this being the present situation, in a confined digital, binary technological development. for some the relevance or questions of crypto may be bounded within assumptions of this context, perhaps never having been experienced or considered beyond this computer model and its particular emphasis on certain algorithmic approaches, as if previous questions have been answered correctly and now it is just an issue of extending the model indefinitely, tweaking it within the given parameters and upgrading the model into newer technologies. in this sense a certain 'faith in technology' could even exist, where blind faith replaces the role of questioning fundamental truth, which has already been decided upon, and is assumed "known" and therefore someone can just pick up the or join in the parade and security and secrecy are effectively deemed guaranteed as long as staying within the ideological lines. and yet an entire world of experience exists outside of this view and some if it can have profound relation both to the ideas of crypto and the falsification of existing models that seek to bound and limit its interpretation, thereby to control it within a given domain, while actual crypto could be occurring outside this, without realization by some "experts" who wholly believe in a limited finite hardware/software model as the limit of questioning or the basis for relations in a realm of intelligence or human communications of ideas in a realm of secrecy, privacy, and security, including issues of the state as decentralized. as if "where there is no computer encryption- there is no cryptography". in the realm of ideas this view is beyond laughable and truly ignorant of the domain cryptology operates within. for instance, the role of crossword puzzles or suduko as it relates to puzzle solving, as these skills may be applied outside a realm of computer encryption yet decipher meaning. not necessarily within those puzzles though others. and that this is basic and should be assumed relevant to ideas of cryptography and not seen as separate in terms of what it involves. an algorithm is only a minor part of a much larger realm of questioning that may involve other multiple approaches brought into a shared evaluation. it is not just a technical response that can be easily resolved in software/hardware models if it exists beyond their boundary. and thus how a situation is modeled or observed would influence what can be evaluated, and thus if there is no consideration of crypto outside of computation, none seeming exists. and yet this could be entirely false, an illusion or delusion of those so trapped in their POVs. and to some degree or other everyone is trapped within individual frameworks in some way, it is an issue of how it is dealt with, must everything occur within that limit in interactions and thus a bubble reality and bubble-relations are required, or can a person transcend their own limits through realizing and acknowledging truth beyond themselves and their limits and humble themselves before the larger world of ideas and other people, to learn and interact with others and ideas, and develop shared frameworks that are self-correcting, including requiring a person to correct their flawed assumptions as part of this empirical condition. in a sense, being freed of the burdens of upholding a false private finite view, letting go of the need to rationalize everything in a single correct view that is theirs (onesided) and see what is beyond the limit of a particular person, via shared identity that maps into a larger realm of the many, via the shared set of human awareness. where /perspective/ itself changes, transforms, becoming multiple while resolving itself in a single modeling of truth. so a situation exists, a condition begging the question: can you freely observe, can you freely think about what cryptography is, or are you bound to certain interpretations that restrict and limit because those frameworks are required for degrees or careers or papers for conferences, even if or while they may be inaccurate or limiting the examination and exploration of the issues involved. and so in some sense this seeks to present a realm that is closely paralleled with crypto in the abstract, yet also thoroughly material, tangible, in a way that this information in software or encoded into electrons may not readily be. and thus the purpose here is not to break the model of crypto considerations for its own sake, it is to break it open so that it can relate to other events and be reconsidered within the larger context it exists within, so that it can breathe again as an idea. and be removed of the carapace of ideological and its sterilization of the questions so important to the discipline, whose purposes ultimately involves protecting and securing truth, not lies. --- cultural precedent --- for a moment assume we are considering the multimedia networked computers of today including cellphones in this domain, as a platform in which 'ideas' and relations occur. that it is a technological environment we partly inhabit to establish and maintain relations, with other people and with institutions and with news and information; education, entertainment, the weather report and so on. and in this inquiry, how someone defines [multimedia] could be important to where the boundaries or limits are for how the shared situation is interpreted, including in what categories and what variables or dimensions it will be mapped out within. and thus if someone considers that 'multimedia' began with the Macintosh computer in the 1980s that would be one context for evaluating the situation and making assumptions. Yet another may believe it was established with Macromedia Shockwave software that allowed interactive cd-roms and eventually websites to be developed as a platform. And at some point these views may be resolved into one or another framework that may bias the interpretation and also the possibilities when asking questions and developing viable or usable solutions. i once had the pleasure of taking courses at SF Multimedia Studies Program in San Francisco in the mid-90s in the early multimedia boom when there was still a cultural dimension to the questions of internet development, before it become a de facto technical framework related to issues of canned software systems, data mechanics and constant upgrades and repair versus about ideas, organization of information, knowledge, education, models of truth, culture. the issues of its commercialization -- like a Tsunami -- basically destroyed the internet as a cultural platform, and this went hand-in-hand with greed, the desire for money and profit, and not valuing the traditional goals of society because it could be edited out of equations in self-serving ideologies of exploitation, as a standardized institutionalized practice. sound familiar to anyone? in any case in an overview class prior to this cultural meltdown, Randall Packer taught a class entitled From Wagner to Virtual Reality that set the stage for considering what the potential could be for multimedia computers within the larger society, and this from a view of the arts, what it offers as a context for technological development, its larger purpose. and so with that experience in mind, back to questioning [multimedia] then could feasibly lead, in the just stated framework, back to the Lascaux cave paintings, with realistic depictions of animals estimated to have been created approximately 17,000 years ago. thus the question of multimedia could be an issue of first markings in a next realm of communication, contrasting a pre-multimedia realm of newspapers with an interactive realm, or assumably hand signaling with diagrammatic animated-like depictions via cave artists. formal systems of written language begin over 5,000 years ago by comparison. moving from much earlier abstract marks, firstly, to eventual representation by alphabets, allowing for shared communications in an archival format, as this also relates to number, counting. and managing both information and ideas (grain deposits, governance, stories, law, culture). so if a person questions [multimedia] in that context, of first marks and new formal systems of communication and relation, yet still other dimensionality and frameworks could exist that help define and consider how, say, new markup languages or codes function in this realm compared to those previous, or how it may evolve over time in a systematic way, given what has happened many many many times before, over a period of millennia. absent this, it is reinventing the wheel though perhaps with less knowledge, repeatedly, and thus devolving the cultural standard to less than what preceded it, due to ignorance, ignoring lessons learned. so the internet ends up absent coherent knowledge at a larger scale, absent education or ideas beyond the limited framework, and entirely within a big-box highway advertising model of commercialization, as if an exercise in ancient roman road building to every end of the empire with direct connections back to the bank vaults at the core of the entire enterprise. culture here being money. commodification of information, exchange, data, the status quo. financialization perhaps high theology in its speculative sense, escape velocity beliefs. and yet another person may observe (and these latter two examples are from Randall Packers scholarship) that like with Lascaux, that [multimedia] was developed within art and that the work and ideas of electronic sculptor Nam June Paik created frameworks for its evaluation and relation that essentially are part of an overall empirical review, and it is important both to consider and retain truth of these observations in newer frameworks as applicable, because that is the source of knowledge in terms of innovation and imagination, that it can and does function across shared frameworks, scaffolding, between various structural systems. you could just evaluate birds without considering anything else, yet without trees, wind, leaves, sky, clouds, song, the fullness and wholeness of the bird is missing. so too, the issues and ideas of code, encryption, or in this case networked [multimedia]. and so the issue becomes one of including context, the foreground and the background events in an ecological and ecosystem-like review or survey, and i think diagramming and mapping and other 'first marks' are closer at accessing these connections than written alphabetic sentences that must R A T I O N A L I Z E them within a pre-existing viewpoint in order for the views to make sense or be valid, given existing interpretations, versus exploring questions and ideas at a conceptual level of ideation (fancy word). thus, instead of staying within the existing limited views of ideas, breaking them open again to question and test assumptions- that ideas are hypotheses that can and need to be challenged to retain their integrity, otherwise they can become ungrounded and detached from actual reality and substitute for it, as a lesser version of events and experience- as agreed to exist. thus, just like not being able to modify the segments within letters which become inviolable by the limits of their modeling, so too ideas become rigid by boundaries which protect them yet which could be based on errored assumptions or viewpoints. /history/ is effectively this. it could be a warped skewed series of shared observations that becomes the platform to develop future actions and ideas, and if unchallenged or not corrected, can function against the very goals and ideas sought, due to this internal corruption or internal rotting that is deemed off-limits from further consideration, especially in terms of structure, foundation. so too, systems of language, code, programming as this effects hardware, software, technical and cultural development. what can and cannot happen as a result of established framework and their normalization, standing-in for truth, yet potentially not accurately representing it and instead this can become religion, following certain beliefs beyond the evidence, and especially when in denial of external truth, via disregard or denial of its falsification. which then establishes an inside and outside condition, which is an ideological compound that can occupy communities, governments, education institutions, and bureaucracies. and software and hardware tools, entire technological platforms that support this ~behavior. so then devolution is in full swing, and it becomes a Planet of the Apes scenario. caged humans treated as if apes, needing to conform to the false worldview, poisoned out of existence. so there are these strange dynamics in the everyday that must be encountered and dealt with and they involve pressures that like force fields align with ideological frameworks that are mediated in certain ways, in particular realms, and they can be known and identified yet may also be unspoken or not talked about due to limits in communications with other people, in regard to what can be said versus what it is known. and the political danger in speaking, such that you may be attacked or killed for speaking 'wrongly' or 'falsely' in that context, of the ideological. next thing you know- no school for you, no career, no friends, etc. thus following the ideological lead, the party line is important when truth is managed by power and the facts can be chosen and edited to fit the finite shared viewpoint, whereby broken society and broken equipment and tools and broken relations are really all about evolution, and not driving civilization into the ground, and making people dig their own graves. this is the result of bad ideas. those that go uncorrected in their errors and assumptions. the consequences are very real and add up. each lapse or reinforcement of error promoting and extending an inhuman agenda, and this can be codified and solidified within processes, within tools, within relations, within language itself which functions against greater truth and relies upon this fallen state of mediocrity in some faith-based sense- that simply going along with the flow and following is going to lead to emancipation and not extinction. as if the automated technocratic system - driven by antihuman values - has our best interests at heart, when the heart -- its virtues and its truth -- is not modeled within the machinery. it is viewed as non-existant, a falsehood, sentiment by those detached from its grounding. and so crypto, likewise, may be perceived only as a manly man's sport- no girly stuff here. no warm fuzzy relations or questioning. nothing soft. all bits and sharp edges and speed, equations! algos! macho macho stuff. mathematics as rigid thought system, non-metaphysical. and yet that is not where its creativity arises from, in many instances. it is within ideas firstly, ingenuity, not canned approaches. not answered questions repeatedly incrementally upgraded. it does not glorify or harbor partial truths as if good enough. weak ideas have no place in crypto, they are more than a security risk. they are an unacceptable unallowable weakness and should not retain employment, and those who serve them should be isolated. here is why... how do you discuss the direct relevance of fiber and textile arts with cryptographers? what if this consideration involves a vital realm of questioning and reconsidering the existing interpretation of cryptology yet it is deemed off-limits by existing ideology? what if the too-simple binary approach seeks to govern or determine what can be true or included within its controlled framework- and in doing so ignores evidence and itself is the security risk? what if there are cryptographers whose principles are not aligned with serving truth and instead mimic this, and yet the illusion of this imitation is broken by wrong choices, in that a lesser approach is believed superior, ignoring or disregarded its falsification. and what if to get into a larger framework, of [crypto] beyond its existing ideological limits, involves cracking open the concept and seeing it in the larger cultural context it exists within yet also has become detached from, potentially, thus to consider it anew and test and challenge and extend its modeling beyond existing limits and boundaries, thresholds and frameworks, to see what crypto really involves as an idea, versus a given implementation in a particular medium at a place in time, such as within networked [multimedia] computers. my first instinct is to not heed preconceived ideological limits of those who simply think it is ~profane (to their crypto-religion) to break "their rules" for crypto corruption, as they need the existing model to retain coherence and governance of its next self-same iteration, that the sign of crypto equals itself and not something beyond their control (that is: crypto=crypto, versus its truth beyond the signage as packaged, commoditized). so if people are trying to limit evaluation of an idea, core to a discipline, it is fairly easy to see the political dimension and lines of force that need certain questioning to remain *answered* and out-of-bounds, to limit interpretation, keep it within a given perspective so to control what can happen, and to protect a border between what is inside and outside, or what if valid and invalidated by default of enforced convention, if not standardization. thus it is not only to forget them, it is to not include or allow them in considerations if truth is and has been secondary to their inquiries, for bad faith is their foundation for relations and interactions result in automatic exploits via onesided agendas. keep out. they are bad for crypto and these relations should be short-circuited, not allowed to continue. especially as to influencing what can or cannot happen in their limited, finite viewpoints. the exploring and questioning of ideas requires thinkers and should not defer to ideologues. so if suddenly it is proposed that yarn and thread and fabric have a lot to do with crypto and computers and someone from a networked multimedia computer context cries that it is off limits and wrong, perhaps they are unable to consider such things or consider cryptological considerations beyond a binary technical enterprise, and therefore are stuck and will remain stuck in that given framework while other things happen around them, eventually surpassing the broken model and its adherents who remain stuck if not captured inside a sinking ship. woe are they, unknowing of their descent into the unfathomable, the pressures that await. and so at this juncture the connection with the Jacquard loom can be introduced, of new technical automation within textile manufacture (c.1801) involving a mechanical process of weaving guided or programmed by coded punch cards instructions, resulting in the creation of woven patterns. abstract input related to machine functionality, holes in the card mapped to and representing hooks, leading to output in another medium. perhaps similar to metal tines protruding from a wind-up music box, as to what notes are played, though involving a more complex instrument and its orchestrated movement of warp and weft. http://en.wikipedia.org/wiki/Jacquard_loom note that also around this time, Ada Lovelace composed the first algorithm for the Analytical Engine computer of Charles Babbage, thus recognized as the first computer programmer. These observations originating from a course taught by Mr. Packer on 'multimedia history'. http://en.wikipedia.org/wiki/Ada_Lovelace what is important to consider is that the platforms for crypto systems in use today were experimented with and explored across a wider range of consideration in terms of mechanical systems and how code and programming developed into a single monocultural binarist system. and at some point the relation between thinking of some task and putting it into a set of instructions to be parsed by machinery retained coherence that may have been lost today, where writing such code appears even lost to its own interpretation or unknown effects within the automated machinery. and at some point choices could have become limited, from the control over this interaction and the dimensions it is mapped and proceeds within, to those that are not related to experienced or actions that need or should be dealt with. and this could be an issue of programming models, though also of ideas; especially "economics" as a discipline, where equations do not adequately map to the reality they seek to describe in order to determine profit-loss and gears by which civilization grinds into existence. so i am one of the weirdos who appreciates sewing, due to an artistic background, and this is a skill that is nearly wholly of a female domain today, at least in the US, in that to seek classes a male will be faced with class exercises for making dress patterns, etc. it is an interesting conundrum or limit that certainly reflects what females must face in most every context in terms of the dimensions allowed due to constricting bias of interpretation. awhile ago i went to a sewing expo at the nearby convention center to look at equipment and was completely surprised at the level of correspondence between advanced tools today and the earliest programmable equipment 200+ years ago. whether an individual sewing machine that can be programmed via bitmap graphic files or via stitch patterns or larger equipment, the role of embroidery done automatically by sewing machine (in that it is itself a computer) is the extension of this earliest programmatic development, a merging of Lovelace and loom. yet perhaps a step or more removed from ready or immediate analysis, and more of a plug-and-play scriptability of equipment. it remains unknown to what degree it is possible, though mirrors similarly the issues of scale, from very large industrial color printing into the desktop context of inkjet and laser home printers, whereby something occurring at one scale is suddenly available in another and what does it mean or indicate. and thus, in seeing the larger machinery, not factory-level though home-factory level, say 8' x 4' dimensions for equipment, including LASERS, these advanced sewing machine-computers can basically map out anything in thread as if a painting on a canvas and this has been automated, expertised, such that what may once have been zoned in a particular area of town, requiring certain square footage, could instead occupy the basement of a house in a newly zoned live-work neighborhood that involves both e-commerce and retail dimensions, thus potentially like with 3D printing alongside paper/data copy services, could bring the village and its [signage] back into a realm of city planning, where such districts foster these services both locally and for remote online or business orders, via courier and bulk shipments. in other words, the nature of industry, craft, trade, skill, is changing alongside the development of computation and this changes and challenges the context of these tools and the relations they involve. and in this approach, a certain segment of the population could develop their work or business within their home, especially if it is symbolic processing, which is the basis for telework and telecommunications today, reliant upon infrastructure. this is not the idea that will be explored here. it involves something else, something more fundamental and basic and vital and of a seemingly entirely other approach and application. the difficulty is that for me it exists beyond words, and thus like a programmer trying to find a way to convey the necessary instructions to allow particular computation to occur, it is to try to access a realm that already exists and to not limit it by my own incapacity, yet to bring it into question as a framework for considering the ideas of cryptography. today, yesterday and tomorrow. --- deep culture --- to precede this investigation, it was to recontextualize the idea of code and programming outside the limits of the electronic box of the digital computer, and consider that it may have some connection to the surrounding background of other existing or previous events and their structures and frameworks. as with cryptology and cryptography in general, as further relations within this domain, reliant upon it though also seemingly limited, constrained if modeling does not or cannot take into account information existing beyond its threshold. and so it gets into a realm of observation and action, open minds that are aware and questioning and those that may be closed and reliant upon rigid structures for security and secrecy that in a larger consideration are invalid, yet not accounted for or accountable in this realm. so perhaps this is an ideological audit of sorts, a litmus test, of crypto & intelligence... the importance and value of art within development and sustenance of culture can at times be hard to decipher, especially when retrograde or functioning against the necessary direction. while some appreciation may be given or afforded, it may also appear as a luxury, and a vast quantity of its production may be ungrounded and not offer greater insight beyond extremely limited or copyist approaches, yet which represent it and "culture" likewise, via artifacts and trends and social hierarchy that both validates and is validated by this relationship. and then there are the exceptions- where the *insight* occurs. not just the production. and this is a rare and ephemeral thing, and appears to occupy its own zone, where its truth is transmitted and received within dimensions similar and-or different and challenge or call into question or further expand upon observations and discoveries, shared or unshared, in such a way as ideas in a particle collider, or raindrops from a storm becoming rivers that return to oceans and return to the sky. that a transformational event or relation happens and alignment occurs within a range of experience, that provides grounding, heightened or new awareness, and essentially helps establish and defined an empirical model of relation held outside or alongside the current technological construct as an ideological framework, art and artistry active both in its preparation, continuing development, and dismantling. in this sense, technologists may be artists, as with others, yet unrecognized this way, or if so equated, likely corrupting its validity due to the role of commerce, exploiting or marketing this when subverted by other agendas. which is perhaps covered by the fake money that artworks can represent, symbolic commerce, the realm of celebrity now mass culture, everyone having a potentially valuable signature, everyone a Warhol Portrait in waiting. and so it is to say again that this inquiry is not about that, in itself, and yet about its substance, the truth it involves yet is caught within, via collapse of culture, illiteracy and evaluating things only in their most immediate limited sense via particularized views, which the binary mindset provides as a basis for relation. in this way, the contributions of artists Christo and Jeanne-Claude could be evaluated in terms of artistic opinion in some canon of art history- yea or nea? like or no-like in terms of an artistic project or experiential relation-- especially in terms of aesthetics. and as this relates to ideas, how the various artwork is interpreted. http://en.wikipedia.org/wiki/Christo_and_Jeanne-Claude http://www.christojeanneclaude.net/artworks/realized-projects i am no expert and art scholars have vast amounts of knowledge and insight to share on these questions, though offered here is a potential way of considering such artistic works in the larger context they inhabit- which remains open to interpretation. in the realm of fabric, Running Fence at least in part could involve seeing what otherwise is unseen as a boundary or limit, a line on a map that otherwise goes unnoticed, yet may establish an inside and outside. today, GPS maps may be correlated with this, as a rode that is driven on is a line, while others may appear, like that for a state park whose trees can only be viewed in the distance from the freeway, that establish various boundaries, inside and outside relations as it is mapped or correlated via direction observation. informational structure that is represented and then its representation encounters what it is mapped onto. metaphysics is a difficult word and easily diluted in its placeholder meaning, yet what it attempts to define is something that is difficult otherwise to capture in ordinary terms, as if it operates at another level than that of mundane, dull, and disconnected experience. as if suddenly everything makes sense and has inherent alignment, yet which can be unrecognized or hard to grasp because it is beyond a threshold of awareness or understanding, unless it is encountered, experienced, and can be revealed. thus there is an *invisibleness* to it. so the thing about ideas that relates to this, perhaps especially as linguistic constructs or models that take on the form of an idea as a sign, symbol, or word, is that it is linked to CATEGORY and categorization, that the meaning of words and concepts map into frameworks, structures, that each upon another build upon themselves the larger language development. foundation of this would seemingly be truth, yet not inherently so. and thus [category] could be related to truth yet not equated with it. it is as if an idea in superposition that has the potential to tend towards truth, or towards greater falsity, given its accounting. and so if there are two concepts, [concept1] and [concept2], they could be of different categories that challenge or extend one another or be based on different truths altogether or one could be largely inaccurate as an idea whereas another more accurate, in a particular context. in other words there are limits to meaning, it has boundaries, and concepts relate to one another as with people, within certain dimensions and not others. and connections are reliant upon structures or scaffolding between them, to establish or allow their relation in whatever truth may exist, or falsity may be allowed if this connection relies upon errors. if really cutting to the chase, this issue of language could be an issue of "original sin" as it relates to the SIGN and its misconception of equating with truth itself, versus as a reference to it. thus the [sign] could refer only to itself, within a corruption of language or outside or beyond itself to truth that validates it beyond a programmatic assumption. so when a [building] is covered entirely in fabric, what was once a building that is seen within its surrounding context is suddenly transformed, "disappeaered" or made invisible by its being covered and in doing so, its surface is removed from the common visual realm and hidden within an opaque interiority that can only be accessed by observational imagination, as if virtual. in that, if remaining on the outside of this boundary, it is discontinuous to all previous experience, where a building is removed or masked out of the framework, placed into some liminal realm, betwixt and between, neither here nor there. and in this abstract condition, the form of the building represents the building itself in its greater detail, yet lacks the 1:1 recognition that was known relation before this. in this way a given observation of a particular building could then have a limit or barrier created that limits or changes this observation, and provides a more abstract view in place of what was presumably of greater fidelity to the thing-in-itself. the volumetric massing of the building may instead become prominent, and in this, the covered building could exist as if a wrapped present even, its unveiling and return to itself part of the great delight. and yet beyond this, what could be involved is informational, related to the SIGN itself, as if the cover is what written or representational language functions as, when referring to something else it seeks to contain within its meaning. such that to cover something in this way is to contain it likewise, potentially, as a category. in other words, the fabric could demarcate the boundary between concepts, as with between different words and their meaning, and challenge the notion of this capacity to do so. when the building is covered or limited by this fabric veil, how has its existence changed and the relation of observers to it. it is tremendously difficult to write of, it is many layered and my approach inadequate to seek to convey that this directly involves the issues of data modeling within computers. that when seeking to map a SIGN onto something else, it presumes certain boundaries or limits yet may remain only partial to a given observation-- abstracting the very thing that is to be modeled, instead of allowing it to exist in its totality, and thus could involve an issue of removal of reality or reductionist "development" by default of this presumption that the sign represents the thing in itself, versus references and gains its value from it. in other words, you could take the fabric off the wrapped building and claim it is actually the building in itself-- which is what those invested in binary language do with signs, they believe the truth is within being able to put brackets and limits on perception and control and categorize things, as if doing so makes it true. such that there is only one version of an [event] and it is theirs and it is correct. and computers and institutions and minds are programmed this way ~likewise. and in essence this could be the empty set [ ] [ ] [ ], whereby truth is arbitrary insofar as it exists to serve a given ruling perspective. because the way things are covering it can be manipulated, and hide other details, or make limits appear that are not really there, and thus guide in the wrong direction. and perhaps there really is no building under the fabric- perhaps it is hollow inside, and who would know if no one is allowed to check inside anymore. the very idea of questioning theories- heresy. when Christo and Jeanne-Claude covered a stretch of coastline, the issue of scale again is relevant and involves what level of detail is possible to achieve, and thus a rough sketch like covering of the form occurs yet only to the most general aspects of given landscape and its geologic features. 'measuring the coastline' is a famous example of fractal mathematics whereby the rule for measurement changes the length of the coastline. if you map things at one-inch scale a different coastline will result than at one-foot scale, as features and micro-features are accounted for. and so too with fabric coverings, and so too, computer modeling and data representations of objects and ideas and events in the 'external world'. this is to suggest that the generality of the covered stretch of coastline is somewhat of a proof of the limits of representation to potentially accurately or entirely 'categorize' or cover or stand-for something else, and yet the very power of language and SIGNs to do so, to be able to map some event onto another, via a word or symbol or phrase. and that, like a primal marking or delineation of territory, this artistic intervention is establishing a boundary condition, in some cases an inside-outside correlation, though also of thresholds of observation and awareness and relation, that allows it to be considered anew-- yet also, the draping of the event may be low-resolution to the event itself, in certain dimensions. the ability of a computer to take the language of economics and automate it into software systems for diagnosing ills and benefits of society within its computational framework may pale in comparison to the coastline it seeks to measure and its covering via its SIGNAGE. it may not only be limited or reliant upon boundaries, it may be inaccurate and false in its assumptions that become solidified and related to as if by default true, as concepts. as if data that correlates to the conception validates the conception itself; covering = truth. it is the very problem of binary pattern recognition, its ideology and the corruption of ideas at the core of civilization and wrong-minded and -guided technological development today: take half of everything or anything including errors and wrong assumptions call it truth, ignore everything else so what if in the data modeling of the world, various data tarps are being placed over all that exists, yet this is an ideological mapping that is not serving human interests in the way the data is being processed and used, in terms of automated reasoning and decision making that seeks to benefit its modus operandi and not have this serve human values or needs anymore, especially in terms of representational governance. what does it mean that the Whitehouse or various seats of government may be data modeled likewise, "mediated" in this same abstract modeling that tends to exploit falsity to move in a particular direction and in doing so, plays the SIGNS and shuffles the limits and categories [ [ ] [ ] ] and creates a viewpoint that is supposedly shared, yet does not map into truth accurately and has no legal obligation to do so, while humans and their society collapse into nothingness. moving the abstraction (goalposts of meaning) around, the signage to create false perspective stagesets for oratory and political theatre, as if truth itself -- this gaming of language and perception -- versus the requirement and obligation to address [ideas] in their truth, within the world that exists, not only that which can be allowed to exist within the computerized worldview. (signs do not need to be accounted for in their whole truth, only partial truth. the category or sign is detached from truth, becomes its own truth via relativization) maybe this question of abstraction, naming, categorization, and language are inherent in the human condition, yet it is also possible some may exploit these dynamics, through dishonesty and seek to misalign and misdirect development via the /appearances/ of things, versus to account for things in themselves. and thus again [signage] can replace truth, stand-in for it and mediate existence yet it is entirely shallow and self-contained, systematic, as if an issue of sustaining an illusion within the given boundary, of an inside and outside, such that some may be kept on the outside, and not understand the threshold that is engineered, and thus be disenfranchised by watching and following the stage play, to their own demise. how do you know that GPS misdirection is only an error and not seeking to cause an accident, is this an issue of faith in the goodness of technocratic, biased political technology? what if the demarcation of events in history are warped to a biased viewpoint and thus staying within those lines serves a certain agenda set against your own existence- is observance of that boundary by default validated via its institutionalization, and what if educational systems no longer allow questioning of these views within their walls- what does it mean? what is versus what is represented. what exists versus what is represented, modeled, and believed to exist. authenticity versus the requirement of masquerade. people hiding views beyond certain limits or boundaries. "reason" contained within binary parameters, etc. then Plan B, psychiatric 'medicine' for those who do not comply with the insane master narrative. they refer to the [model] and not to the reality they defer to inaccurate and false modeling and not to more accurate truth and reality they do not question their secured model and instead question the very sanity of the perceiver of more accurate reality (goto: psychiatric routine; loop) // sidenote: in this way, those observers who can ignore larger reality for a partial viewpoint stand against natural observational powers and the need to correlate their understanding with it, for survival. this could indicate either a simulation exists, thereby explaining how some people seem to treat life as a game without consequence; else also an invading or occupying population that aligns its reality at a distance and must correspond views via a centralizing query and response, say via cellphones. both scenarios could also exist simultaneously, existing beside the human population. i think in some way, some artwork of Christo and Jeanne-Claude opens up questioning of the categorization of elements of existence in a linguistic if not geometric framework, as this relates to form and topology, and boundaries. pattern yet at a holistic level or totality, in terms of creating an inside/outside with a wrapped building. versus Running Fence that may involve other conceptions of boundaries and limits via scale, distance, and other geographic and geologic considerations, including accessible temporal and spatial experience of observers. in some sense the various events seem to question 'the fabric of space-time' via relation. as if made out of whole cloth. the enigma of information in this realm of category, where does the wrapped entity reside in its truth- its it contained only within the boundary or does it exist beyond this, outside of it, uncontainable in its conceptualization within finite dimension. is it instead of a realm of typology, tending toward the iconic, of stereotype and the archetype, the symbol that is temporarily accessed, made visible, tangible, this gift. the terror of this covering process would be that what becomes covered is removed and replaced by a false framework, literally dismantling what once appeared and could be assumed still present (and represented) by the sign-based covering. in this way the exterior could be presented and presumed as if an integrated whole while subverted in this same dimensions internally, and thus while appearing as an icon or representative concept, such as [economy], could replace the very meaning of this with its anti-thesis in terms of reliance on falsehood or other exploitations that are ungrounded yet also unchecked, allowed to be this way due to language -- its signage if not CODE -- being equated with truth itself. in this way the cover of a concept or ideas by SIGNS that inaccurately represent or subvert its connection with truth can be camouflage that enables truth to be hidden, kept away due to such boundaries and observational limits. { a note here on the iconic, regarding large scale sculptures of Claes Oldenburg and Coosje van Bruggen, also encountered locally at the once great Walker Art Center prior to its ideological fall and reconstruction. while the wrapped building if not [SIGN] could be evaluated in terms of its boundaries or limits, and in this difference between normal perception and its altered condition may appear abstractly singular in some new or different way, and perhaps iconic, as if a more pure manifestation or realization of what is observed in this abstraction-- and thus clarity by simplicity perhaps- this would seem different than an item changed and seen anew via a different technique, say a change in scale and materials, such as the soft sculptures or various juxtaposed objects, such as giant binoculars or paperclip or gigantic power outlet. that would seem to be an issue more of A1=A2 and challenging the parameters of what makes something what it is as an entity, such that if you change this and that element will the original entity remain the same, how does its essence change when its model of itself is modified, and to evaluate this surreal process. http://wpmedia.life.nationalpost.com/2013/08/philly-pics-4.jpg?w=940 http://www.artsconnected.org/media/c0/43/957633fca0a87cc093ab78addbeb/1024/768/22589.jpg it is thus to distinguish between the iconic aspects of wrapped works by Christo and Jeanne-Claude in their potentially iconic aspects with those of Claes Oldenburg and Coosje van Bruggen, yet both could be considered to function in a similar linguistic and conceptual realm involving sculpture, geometries, limits, and observation. } there are millions of people who have more accurate language for these events and more effective analysis to consider as it relates to these issues, scholarship of everyday observation as well as scholarly investigations and contemplations of aesthetics via appreciation of such ideas. so this is meant to offer connection between these realms and provide example, should, say, code and programming function similarly, yet also involve security issues that exploit similar parameters. alot can be learned from the structural frameworks of information that correlate across and between disciplines and thus the interdisciplinary is that integrative perspective of shared empirical truth. it is the natural tendency of truth to be correlated with itself in the terms it exists and not to falsely limit this, which unfortunately appears to be the default state in ways large and small, between people to between nations, unless it is not allowed. and thus illiteracy mapped onto these coverings, inaccurate data models and representations that ignore and do not acknowledge truth beyond an interior condition, can function both to protect whatever is going on inside, outside of observational view, protected or guarded by this condition, and keep those on the outside bounded and limited and reliant upon it, if everything is similarly designed, into a giant false perspective. whereas literacy would enable to coverings or [signs] to be tested, evaluated, error-corrected, and to verify what is on the inside corresponds with what is on the outside and not base this in blind faith and religious adherence to private inhuman ideology, as a means for survival or profit, a society of insiders the slaves outside sustain. and yet there is no way to get past this without requiring this [signage] be validated in truth, firstly, via logic. not binary "true belief" reliant on falsity and opinion. --- code and programming --- and then there is Olek... the category-defying space goddess time traveler whose artwork i fear to write about due to its magical dimensions which for me function beyond words, yet accesses a vital and core truth via aesthetic activity that my words can only fail to describe or capture. http://en.wikipedia.org/wiki/Olek http://oleknyc.com/ http://instagram.com/oleknyc# and in some way, if sheets of fabric pieced together correlate with the wrappings and coverings of Christo and Jeanne-Claude, as if perhaps a data representation, category or [sign] as variable (x), or data object of an event, then it is with the crochet artworks of Olek that the yarn itself enters into a code-like situation, via different structural stitches and patterns, that can overtake another [sign] as if a program that seeks to replace it via another version, a secondary layer of colored patterned yarn. in terms of code, it is known there are routines and ways of establishing structure and as with stitches, they have different purposes and qualities. an edge stitch versus an interior stitch that covers distance. as the beginning and end of a program may have different functional requirements in terms of code, than then interior. the work of Olek is vast. awe-inspiring. like i said, i am scared to write about it because my broken language cannot approximate its dimensions, it is beyond this and my capacity to convey and yet for me singularly stands out as important work in its depth of imagination and creative purpose, its tapping into and revealing hidden truth, and its performative social aspect that everyday people can relate to, via changing what is 'known' if not unseen, subconscious, or forgotten and looking and considering it anew. and yet to look at a finished or completed piece or 'yarn-complete' artwork is almost not the event in itself, as if time-lapse somehow is required to comprehend an aspect of it that is beyond a finished iconic relation. instead it is the insane challenges that Olek and her knitting crew taken on that genuinely defy belief -- in that it was never before imagined in my finite awareness that somehow could do what Olek does with yarn -- because it is beyond the ordinary limit yet also part of its unique capacity. yarn sculpture, yarn muralist, yet more than this- yarn topologist, yarn symbologist. and still it does not access the totality, which others have much more competence at defining in terms of the conceptualization and practices involved, and precedents. http://according2g.com/wp-content/uploads/2011/08/Olek-Levine.jpg http://happyfamousartists.com/wordpress/wp-content/uploads/2012/04/olek01.jpg http://happyfamousartists.com/wordpress/wp-content/uploads/2012/04/olek07.jpg http://365artists.files.wordpress.com/2011/07/newinterests_olek_01of24.jpg http://gjprojectdotcom.files.wordpress.com/2012/06/oleknc_gjproject.jpg http://www.huffingtonpost.com/2013/08/05/olek-crocheted-locomotive_n_3708469.html http://cdn01.boweryboogie.com/content/uploads/2012/06/olek-samsung-2-560x317.jpg http://instagram.com/p/Y9tcJIBR79/# who would figure you could cover an entire locomotive train in yarn and that doing so is not just an issue of getting it covered, thought also of additional aesthetic detail and meaning in the patterning. and this is what sets artists apart from others, in that they can see beyond and somehow ground such events in a realm of greater insight and awareness. and what is it? why is it fascinating or for others potentially without the requirement to be a legitimate investigation. what truth is being revealed and how.' and i do not know myself, though i can sense it. it is as if the inaccessible is made accessible yet per-language or pre-definition or something that exists in language and functions as a symbol or a sign is dematerialized yet held together by crocheted yarn and somehow a childlike fascination and pure joy overwhelms at the excitement it brings into the world, like light breaking through decades of dreary clouds and seeing a smile radiate outward or a strange glance that then winks, securing a shared known relation. and its also sexy. wild. libidinal. its potent if illicit energies flowing throughout. and perhaps this relates to its tangibleness, of knit fabrics that have textures that can be soothing to the touch, comforting and familiar. they also have information, in terms of touch, very much like the second skin of clothing. something very close to the realm of everyday feeling and issues of relation, in particular self-with-self as a person is clothed, and as others are likewise clothed or covered. and thus, what if suddenly the [sign] you walk by everyday is covered in yarn and becomes [sign2], and in its difference and similarities a world of consideration and insight is made available. i tend to believe the artists and artworks mentioned are involved in recontextualizing a situation and thus allow it to be perceived anew, within these different dimensions, to question frameworks of knowledge, relation, and issues of observation via aesthetic interventions. and the wrappings and presumably the crochet works are seemingly also temporary conditions, at least in the sense of outdoor installations. it would seem yarn would quickly deteriorate (though that may be very interesting as well to learn from, going from vibrant color to twine-like monotone decay and how meaning shifts). while for Christo and Jeanne-Claude the artworks likely involve massive planning and preparation of fabric, its manufacture, Olek and team do this crocheting onsite, as a collaborative endeavor, involving a social aspect that occurs outside the gallery or museum and instead on the street itself, where the artwork is mediated, as it is made. in other words, Olek and her team presumably have algorithms, code, programs and routines they use, the various kinds of stitches and patterns, guided by planning, by which they approach their challenge and transform it via aesthetic intervention of crochet. it is as if knitting is an intuitive approach to mathematical, geometrical situations that may function similarly in approximating certain parameters, as encountered, versus being able to know ahead how many stitches will be required, in that specificity. or so it is imagined. and perhaps like computer programming, creating software for a task that is encompassed within a set of concepts and refined in its functionality though perhaps this remains in a realm of code, another layer over what it seeks to describe and thus various threads and stitching of information and relations may occur in order to define such a territory and establish such functioning, albeit in a realm of signs that may never be grounded within linear language beyond this representational issue, and thus approximation could be part of this process. knowing it versus being unaware. writing of crochet artworks that cover or create other symbols or signs, including people turned into yarn people, has a close connection to data representation and the modeling of existence via CAD-like parameters that seek to define real life objects as data entities, if not substitute for them in computational models, simulations, and in algorithms used for processing (or "machine reasoning") that can become deterministic worldviews and rationalizations, to which people must align in their local relations, at their jobs, and in schools- a basis for a binary ideology that overtakes everything. there is one instance more than any other i could find that captures this process of data that overtakes the reality, on the instagram site of Olek there is a short video of a small vodka bottle that is slowly captured the code of yarn or ribbon that envelopes it, and yet with a string attached, as if likewise it could be unraveled. Olek has mentioned elsewhere (if memory serves) that cutting one string of a crocheted work can cause the entire piece to fall apart. http://instagram.com/p/d21b1rBR54/# [so too i propose a similar condition exists for 'reason' when based on a faulty and inaccurate modeling of representational data, [signs] that when evaluated via logical reasoning fall apart due to errors involved, relied on. and in this way, data that is insecure could jeopardize a much larger connected framework and cause it to fail, just as "concepts" wrongly modeled or evaluated could unravel an entire security approach. and perhaps this is age-old military knowledge, where a strength becomes a weakness, a place of refuge and hiding once revealed can become a trap that cannot be escaped from. when the cover is blown, the camouflage ineffective, the stealth lose their advantage. the situation changes, and its their turn to adjust to a reality that is beyond them. their code no longer will work. their security made insecure. unwanted transparency.] when watching rain fall on a section of concrete sidewalk, going to a dry condition to a series of raindrops dotting its surface, and then eventually filling in entirely with water saturating its surface, it is to see a progression take place bit by bit that then overwhelms a previous condition, as if a phase-change. dry to wet. and in this same way the small bottle that is encompassed by this yarn of code is like that of data that is taking over the actual bottle as a digital representation, bit by bit of code, until the program works its way to completion: this is the yarn bottle. this is the data model of the bottle, written in code, used and reference in other programs as its sign, as if [yarn-bottle minus bottle] = [bottle] in the everyday binary analysis. in that the data representation of the bottle is equated with the bottle itself. as if the data statistic is the more real reality than anything existing beyond its onesided and biased framework of evaluation, because that is what binary relativism requires and allows as a privileged viewpoint. inside the covering, versus being on the outside. seemingly. the data burka as it were, of civilization as represented digitally. in taking a series of threads and uniting them in a larger chain of connective stitches and relations, and establishing surfaces and mapping out complex topologies with these, various edge and surface and pattern and structural conditions are encountered and dealt with, and so too, likely various limits and thresholds and boundaries as it exists within particular approaches and circumstance. real-time calculation that mediates these conditions, thinks-through and works-through these conditions and gains knowledge by encounters with repeated features, whether flat or round or spherical or edges, and increases knowledge via new challenges not encountered the same before. and so what if code and programming and crypto were similarly involved in a situation involving such boundaries, limits, and assumptions mapped onto an underlying structure. in some sense, it could be assumed the structure itself is true, and that everything in its being able to cover and represent this situation is accurate, in and of itself, for being able to assign functions and define parameters and assign variables in a given situation, and have a seemingly accurate outcome based on some predictable input. and yet what if the very situation that is covered, and the [signs] that reference and rely upon it are themselves held beyond a security audit, for their own integrity as ideas. such that what is covered may not actually be there, in the way it is believed to be, or assumed to be, or said to be, even though it appears this way as an IMAGE. what if it is only on the surface, a threshold condition, and is instead hollow on the inside and has been replaced by a subverted model of events, which instead hide within and behind this technical development, via the very code meant to prevent and protect against such subversion. or has that never been the idea within the programming itself as idea- and instead of protecting and securing truth- protecting secrecy and privacy and security which could instead be a realm of harboring lies and grand deceptions. it is to wonder if the collective programming of technological civilization actually audits truth at the level of the [signs] themselves used as ideas and for shared awareness or if this is simply believed because it has been institutionalized and validated within an ideological framework and thus is assumed and presumed 'true' by default of its existence in and as code, as programming, as software and hardware, and as cryptographic communications that serve- what, exactly? if they are not grounded in truth in the ideas that establish the code, how can the program function towards this or serve it. if the concepts are ungrounded, how is this loose yarn or security flaw not able to be thoroughly exploited and unravel all security by design of such flaws into every last dual-use item and object. so what if it is the world that has been so covered in yarn or wrapped and covered in code, and people have put their lives into this, and yet it is not actually serving them or the human population in its actions and instead defaults to a realm of exploitation and subversion via its known errors that cannot be corrected, and instead it is defended against any such correction. artistic investigations can offer a glimpse into situations that otherwise may not be readily accessible or realizable within existing limits of particular observation. what Olek and her team function as, at least in this tentative estimation, is somewhere between the analytical programming of Ada Lovelace and the capacity of a customizable crotchet-loom consisting of a human knitting crew (compiler or not, unknown), and that in this personal relation with what is to become covered, it is seemingly similar in challenge to the daunting and original challenges a programmer can face when taking on a new area or developing new skills or approaching new problems beyond previous limit, and thus building a vocabulary and skills and competence via further such development. and that, over time, massive time and effort is put into a project or goals that can transform a situation and model it within certain parameters, and provide functionality that is new or optimized, and that such efforts and accomplishments cover a wide range of activity, including from creating basic computing utilities or programming languages to internet and telecom software, to content management systems (CMS) and other social and retail software, to explorations of data organization and computer modeling, and into financial and e-commerce and banking software, to include the role of cryptography software and hardware both online and offline in a similar context. and perhaps many people have dealt with endless thread or lines of code that are woven into complicated structures or must investigate convoluted software to figure out how something is fit together, and all such investigations occur in a given domain or in a given limit or parameters where the code and programming and computation reside, as it aligns with textbooks and classes and conversations and conferences about what exists and what is going on. that it is occurring within certain frameworks and dimensions. and yet in the same way, as a shared model of computation and data representation, it is proposed that what is underneath this has not been accounted for accurately and is not lining up with these efforts in a way that works, especially in terms of security issues and the state, as this becomes detached from truth and in doing so can allow a dictatorship to be hidden within a democracy yet beyond any outside accounting. as it is protected by ideological code, beliefs, political agendas, thugs and activists who in turn have control of the surveillance state via this interior difference, à la coup. and thus it is to review the assumption of this data modeling, the way the language and perception and observation works, pre-computer, to more accurately account for what is going on within the secrete and hidden technological enterprise of the rogue state. and what it indicates is that the [signs] are not mapped accurately or checked against truth beyond a given boundary or limit, which is based nearly entirely on the IMAGE of a thing replacing the thing itself; the image of a bottle replacing the bottle. though the 'data image' even moreso. and this in terms of boundary and threshold observation yet also its iconic aspect, that like modular programming, it can be assumed to exist as itself by default of its being perceived this way, inside the limited framework, and no external reference is needed, nor is it even allowed if contradicting the viewpoint. and that is the ideological environment that software and hardware are being developed within today in terms of economic, social, political tools that result in devolved and antihuman culture which seeks to stop external feedback from having a voice anymore. and there are loose strings everywhere. pull one and the false frameworks collapse, when evaluated in terms of paradoxical logic, actual reasoning of events instead of simply real-time processing them, via binary assessments that can self-contain truth yet only within an increasingly disconnected bubble, relativism unto itself, falsity. how can something that brings so much joy and beauty find itself compared in relation to such a dismal situation. i think it is through seeing the situation through other eyes that perhaps HOPE exists in recognizing what is true about this condition and then reorganizing and redeveloping code within that shared framework, and that taking into example the transformative power of, instead of functioning from within "the inside" of the situation, whether museum or standards institution, it could instead involve the gathering of individuals of shared purpose, to accomplish something larger that none by themselves could do alone, and taking on the bigger challenges and projects likewise, with the combined skillsets as part of this customizable equipment to call upon. so for instance, if new approaches to crypto were considered- it would not be to gather a group of algorithm-centric thinkers within a confined set of parameters to question what incremental technique may further the existing broken model and its assumptions, including hardware and software platforms-- instead, the beginning question could and likely should exist beyond this limit, beyond this threshold of ideological viewpoint, and gather together linguists, artists, thinkers, and those involved in patterns and structure and logic, physicists and others in addition to cryptologists, to consider the core ideas of security and secrecy and privacy in the terms they actually exist, before their institutionalization and normalization in the existing corrupt scenario. a computational linguist could have 1,000 approaches to encryption schemes by how they model language in terms of various relations, as might a graphic designer, and these could then be related to establishing algorithms, not just mathematic structures. an innovative technologist may understand infrastructures better than others and may know of new techniques or possibilities that may others be unconsidered. say electromagnets in a shoe that allows a drop or pickup of electronic data, or leaving a data print as a sign. and certainly this type of prototypical engineering of intelligence apparatus exists in the deep state, yet what about its application towards everyday scenarios such as house keys or e-commerce portals on home dwellings, synced with courier services for data updates and threshold access. infrastructures, zoned crypto, etc. and the question here attempts to ask: what if the form that has been covered is not the form that exists anymore. and what if what is actually required is to locate the ideas that need to be accurately modeled in data, and that this data representation needs to be secured, as an issue of integrity for systems built upon it, including most vitally, cryptography. and thus the issue is securing truth within a realm of lies and unaccountable deceit, and active hostilities against citizens trying to exist within a constitutional framework, yet aggressively denied their rights, via abuse and torture and retaliation for the attempts to recover what has been lost. and that many people exist in this condition, and yet 'reason' itself is broken within the state, feedback in terms of citizen representation and control over governance of the shared state, which is out-of-control and functioning against the population by default. and until this is accounted for, every further action within the false framework further allows its legitimation to continue in this criminal offensive, against the greater truth. in this way, securing this truth, aligning with it, relying upon it, requiring it to be addressed by relativistic viewpoints and ideology, within a shared logical framework- it then becomes a showdown of truth against power: whether law will be observed or if power will seek to destroy it, as with most recent dictatorship that have fallen. the data model is wrong, based on lies. a false perspective. the role of leaks, threads that when cut break the support structure needed to sustain the illusion. yet, when will documents provide direct evidence of crimes against citizens, mass surveillance of daily activities, ubiquitous paid informants of a private police state monitoring other citizens, covert programs to control what occurs in institutions, organizations and schools that aligns only with certain beliefs and demographics. will anyone even dare do anything if the documents are revealed. or is even that too much to expect, that someone may risk their life for the larger issues involved and take a stand against tyranny. never before has a nation been more full of hypocrites than the USA today. when are people going to take on the fight and take the necessary risks to change the underlying dynamics and shift the situation to a more realistic framework that piece by piece can be configured and established in a common model, and programmed likewise, to an agenda which serves people and traps the traitors within their deception, isolating and separating and constricting their actions until there are no longer any moves left. it saddens my heart because the artwork here is tremendous and full of life, yet exists in contrast to the world as if aberration, a beautiful exotic flower in a civilization brought to ruin, a reminder of what living is about, its potential, the true potential of the artist, of individuals with insight who strive to use their talents to shared their observations, and improve awareness of what exists as it exists, and beyond, into what could be, as a basis for consciousness, relation, value. grounding of belief. of action. the role of inspiration and play, the fantastical, of boundary breaking and paradigm shifting realization and revelations. even through something so humble and seemingly so commonplace as yarn, to see through the imagination of other its potential and perhaps consider other observations anew, based on the truth it helps reveal. in itself this is insufficient for evaluating the depth of any of the artworks above. especially so for the magic that is Olek, because interpretation of her work as code or programming or involving boundaries may not be accurate other than a correlation with the dynamics involved... another interpretation of which there are many, likely many more suitable to this consideration than my limited awareness allows. yet consider the power of artwork that can bring into consideration these questions and that aligns in such a way to offer a conceptualization of the existing situation within computational modeling of civilization in accurate and inaccurate terms. it does not exist the same within textbooks of the involved disciplines-- though it does exists outside them in the realm of the interdisciplinary. the real grounded value of critical theory and literature of the Two Cultures, the electromagnetic reconnection across the short-circuited institutional and ideological divide, to balance knowledge via the empirical modeling of truth (1:1) and shared observation around common, structurally related events. addressing this situation is entirely possible, if dealing with it head-on. --- last notes --- artwork of Olek extends into ballooning, where relations also exist with weaving and patterns... http://oleknyc.com/gallery/inflatables/9 http://oleknyc.com/gallery/inflatables/25 http://3.bp.blogspot.com/-9WEtVeZyuy4/T2TiJQs33qI/AAAAAAAABvE/SBo4Qmb7T-Q/s1600/Tetzloff_Olek+%2811%29.JPG http://1.bp.blogspot.com/-BKMa8l4EXQE/T2TiNn_hseI/AAAAAAAABvk/fgsLb-bRQrU/s1600/Tetzloff_Olek+%2815%29.JPG http://2.bp.blogspot.com/-8GGiGr-cOQQ/T2TiUGmkMYI/AAAAAAAABwU/xALX6-c2_LI/s1600/Tetzloff_Olek+%2821%29.JPG balloon sculptures of Jason Hackenwerth: http://iay.org.uk/files/blog/image/pisces.jpg http://fc02.deviantart.net/fs70/i/2013/089/0/c/pisces_by_jason_hackenwerth_by_kharashov-d5zto43.jpg also, 'mathematical knitting' is another realm of inquiry into mathematical concepts and topological forms via fiber arts and textiles: http://www.toroidalsnark.net/mathknit.html http://www.yasminnair.net/content/looking-math-and-science-everything-and-failing-see-arts the purpose of such examples being- what if security and cryptographic concepts and ideas were brought outside of the existing framework and explored in other mediums, involving issues of language and code and programming outside the electronic context. perhaps there is something still valuable and unknown in that ancient pottery or in that abstract marking no one notices, or the missed stitch or oddly arranged pattern. in this way, so too, why not origami crypto for self-folding or collapsing patterns or creating code that can reconfigure or rearrange itself, as the basis for algorithms. ᴍ ᴎ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 78656 bytes Desc: not available URL: From skquinn at rushpost.com Wed Oct 2 22:29:39 2013 From: skquinn at rushpost.com (Shawn K. Quinn) Date: Thu, 03 Oct 2013 00:29:39 -0500 Subject: Injustice: Denial of Disservice Attack In-Reply-To: References: <1380772945.89717.YahooMailNeo@web141202.mail.bf1.yahoo.com> Message-ID: <1380778179.28618.29406477.347426EA@webmail.messagingengine.com> On Thu, Oct 3, 2013, at 12:22 AM, Al Billings wrote: > What does this have to do with cryptography? If nothing else, it's related to "rubber hose cryptanalysis" by the government if I read it correctly. -- Shawn K. Quinn skquinn at rushpost.com From sebastian at rolux.org Wed Oct 2 15:29:41 2013 From: sebastian at rolux.org (pirate cinema berlin) Date: Thu, 3 Oct 2013 00:29:41 +0200 Subject: The Collected Quotations of the Dread Pirate Robert, According to Forbes.com Message-ID: (aus gegebenem Anlass) SECURITY 4/29/2013 @ 9:28AM Collected Quotations Of The Dread Pirate Roberts, Founder Of Underground Drug Site Silk Road And Radical Libertarian In public, the pseudonymous Internet drug czar known as the Dread Pirate Roberts doesn't say much. Roberts' website, the illegal, anonymous drug-selling black market known as the Silk Road, has survived only because of its creator's discretion. On the rare occasions when DPR speaks to the press, he (or she) does so in short messages, and–at least in my case–only through the anonymizing service Tor, the same cryptographic tool used to prevent the Feds from tracking down the Silk Road's servers or its users. Thanks to that discretion, the Silk Road's Bitcoin-driven narcotics trade has thrived for more than two years without being shut down by law enforcement, and its founder hasn't been identified. But within the community that the Dread Pirate Roberts has created, Silk Road's founder is hardly so shy. On the Tor-hidden online forums associated with Silk Road, Roberts posts long manifestos, philosophical and political musings, love letters to Silk Road's users, and even hosts the Dread Pirate Roberts Book Club, a reading and discussion group devoted to "agorism, counter-economics, anarcho-capitalism, Austrian economics, political philosophy, freedom issues and related topics." The character that emerges from those writings is no run-of-the-mill cybercriminal. (Though Silk Road site was moving $22 million worth of illicit pharmaceuticals a year at last check.) Roberts instead comes across as a principled libertarian and cypherpunk in the same vein as WikiLeaks founder Julian Assange and Bitcoin creator Satoshi Nakamoto. Below, I've assembled DPR's writings from Silk Road's forum on every topic from the War on Drugs to Ron Paul to his own motives and ideology. Since most readers don't use Tor, I've copied some entire long passages here. But for those who do use Tor, I've added links at the end of each subject back to Silk Road's Tor-hidden community forum, where you can read all of Roberts' words in context. On the Silk Road as a practical libertarian system: "Silk Road was founded on libertarian principles and continues to be operated on them. It is a great idea and a great practical system…It is not a utopia. It is regulated by market forces, not a central power (even I am subject to market forces by my competition. No one is forced to be here). The same principles that have allowed Silk Road to flourish can and do work anywhere human beings come together. The only difference is that the State is unable to get its thieving murderous mitts on it." [10/1/2012] On the War on Drugs: (In response to criticisms from another user who said that Silk Road hasn't affected the War on Drugs) "Silk Road has already made an impact on the war on drugs. The effect of the war is to limit people's access to controlled substances. Silk Road has expanded people's access. The great thing about agorism is that it is a victory from a thousand battles. Every single transaction that takes place outside the nexus of state control is a victory for those individuals taking part in the transaction. So there are thousands of victories here each week and each one makes a difference, strengthens the agora, and weakens the state." [9/23/2012] On the potential for drug cartels to form on Silk Road: "Cartels are nearly impossible to maintain without the use of violence, especially in an environment as competitive as Silk Road. There is also nothing morally wrong with them. If a cartel were to form, I would not attempt to break it up unless its members were breaking other rules. If you want an explanation for why cartels are nearly impossible to maintain in a free market environment, please read "Man, Economy and State" chapter 10, part 2, section D." [3/21/2013] On maintaining the trust of Silk Road's users: (after a Silk Road outage raised concerns among users that the site's administrators might have run off with the funds stored on the site) "I know this whole market is based on the trust you put in me and I don't take that lightly. It's an honor to serve you and though you don't know who I am, and have no recourse if I were to betray you, I hope that as time goes on I will have more opportunities to demonstrate that my intentions are genuine and no amount of money could buy my integrity. Especially you old hats that have been around since the beginning, but this goes for everyone, you all are like family to me. Sure we have some crazy cousins floating around, but they just add character, right? Doesn't matter though, I love you all. Of all the people in the world, you are the ones who are here, in the early stages of this revolution. You are the ones getting this thing off the ground and driving it forward. It is a privilege to have you by my side. Thank you for your trust, faith, camaraderie and love." [11/17/2012] On the "heroes" who sell drugs on Silk Road: "There are heroes among us here at Silk Road. Every day they risk their lives, fortunes, and precious liberty for us. They are on the front lines making tough decisions and working their asses off to make this market what it is. Of course I am talking about our vendors. I won't try to acknowledge them individually because we are blessed with so many extraordinary people who have stepped up to the task and taken it upon themselves to find a way to stock the shelves at Silk Road. They labor tirelessly to balance the heavy responsibilities they've taken on. From customer support, to supply chain and inventory management, to promotion, to quality control, to risk management and mitigation, to IT, to Bitcoin finance, to order fulfillment, and on and on, these guys and gals are professionals that are rising to the top of their game."[2/27/2012] On financial motivations, and whether DPR founded Silk Road "for the money," as another user claims: "Money is one motivating factor for me. If it wasn't I wouldn't impose a commission on trades, or require vendors to use the Silk Road payment processor. Money motivates me for two reasons. For one, I have basic human needs that money allows me to meet so that I may devote my time to our cause. I also enjoy a few first-world pleasures that I feel I have earned, but nothing extravagant. In fact, compared to most I know, I still live quite frugally. I buy better food at the grocery store now, and got some new clothes, and am more generous with my friends and loved ones, but I've always been a cheap ass, and still kinda am out of habit. Besides that, I don't want the attention that buying big toys brings for security reasons. More importantly, money is powerful, and it's going to take power to affect the kinds of changes I want to see. Money allows us to expand our infrastructure and manpower to accommodate the growing demands of our market and to pursue paths that will compliment and strengthen what's already been created here. All that being said, my primary motivation is not personal wealth, but making a difference. As corny as it sounds, I just want to look back on my life and know that I did something worthwhile that helped people. It's fulfilling to me. If you don't know this joy, you may hear my words as insincere and as a way to manipulate, but I know they are true and resonate with some of you. There is nothing wrong with living your life to maximize your own pleasure, so long as you aren't hurting anyone in the process, but you will miss out on higher levels of happiness if your focus is always on yourself. It's paradoxical, but the less you focus on your own happiness and focus on others', the happier you'll be. Try it out, you can always go back to being selfish. :)" [9/23/2012] On Silk Road's sustainability and complaints about the site's commission on sales: "Silk Road is an ENTERPRISE that is just getting started. It could literally change the world as we know it. It is bigger than any one of us, and it is going to take the dedication and will of MANY talented people, a lot of luck, and RESOURCES to get from here to there. Do you want to see this thing go all the way and take the absolute piss out of the power mongers of this world? Do you want to give it every chance it needs to succeed? Why aren't you telling me to raise the commission even further then? I don't hear anyone refusing the commission break on high priced goods. I don't hear anyone saying "don't do that, you need it, you keep this whole thing going, we're happy to do our part." As a community, if we are going to survive, we need to adopt a LONG TERM vision. Getting the most out of this thing before it gets taken down is NOT going to bring us success. In that world, Silk Road will be a shooting star that burns out quickly and dies as little more than a dream, swallowed by the nightmare reality of an ever-expanding, all-powerful global oligarchy. Planning ahead and doing everything we can NOW to prepare for the war to come is the only way we are going to have a shot at this. We are still mostly ignored by our true enemies, but this incubation WILL NOT last forever. I don't like writing this kind of stuff publicly because it taunts our enemies and might spur them into action, but I risk it because the context for what we are doing is too often lost in the day to day stuff that happens here and it needs to be put in from time to time. Silk Road NEEDS our support. It needs everything we have. The return on what we put into it will be immeasurable if we can get through the months and years ahead and gain a real foothold on the global stage. HELP ME GET US THERE!!! Do it for me, do it for yourself, do it for your families and friends, and do it for mankind." [1/11/2012] On whether the government could ban Tor or Bitcoin, the tools Silk Road uses to provide anonymity: "The state may try to ban our tools, but if we never use them for fear of them being banned, then we have already lost, no? Personally, I don't think they can be effectively banned at this point. Iran and China, for example, are actively trying and failing." [9/23/2012] On the decision to create the Armory, a Silk-Road-like site for selling weapons, in February of 2012: "We at Silk Road have no moral objection to the sale of small-arm weaponry. We believe that an individual's ability to defend themselves is a cornerstone of a civil society. Without this, those with weapons with eventually walk all over defenseless individuals. It could be criminals who prey on others, knowing they are helpless. It could be police brutalizing people with no fear of immediate reprisal. And as was seen too many times in the last century, it could be an organized government body committing genocide on an entire unarmed populace. Without the ability to defend them, the rest of your human rights will be eroded and stripped away as well. That being said, there is no reason we have to force everyone into a one-size-fits-all market where one group has to compromise their beliefs for the benefit of another. That's the kind of narrow thinking currently used by governments around the world. It's why we are in this mess in the first place. The majority in many countries feel that drugs and guns should be illegal or heavily regulated, so the minority suffers. Here at Silk Road, we recognize the smallest minority of all, YOU! Every person is unique, and their human rights are more important than any lofty goal, any mission, or any program. An individual's rights ARE the goal, ARE the mission, ARE the program. If the majority wants to ban the sale of guns on Silk Road, there is no way we are going to turn our backs on the minority who needs weaponry for self defense." [2/26/2012] On closing "the Armory" six months later: "As most of you have figured out, we are closing the Armory. Your first question is probably "why?" Well, it just wasn't getting used enough. Spinning it off originally was done somewhat abruptly and while we supported it, it was a kind of "sink or swim" experiment. The volume hasn't even been enough to cover server costs and is actually waning at this point. I had high hopes for it, but if we are going to serve an anonymous weapons market, I think it will require more careful thought and planning." On DPR's excitement at Silk Road's success: "You'll have to wait for my memoirs for the juicy details, lol. I've got some stories though, I'll tell ya. One weird thing that goes through my head when Silk Road goes through a growth spurt, like after the first Gawker article is that sound effect from Inception, or the intense music from the new Tron movie. It gives me the sensation of ‘holy shit, this is EPIC!'" [8/2/2012] On the users' power to control Silk Road: "The way I see it, we are all players in something that has grown way beyond any one of us. Granted I play a unique role, but part of that role is continually earning the trust of the community to make the right choices going forward, and to serve each of you as best I can. Silk Road was built to serve you, your needs and desires are the wind that fills its sails. Without you, we are dead in the water. So sure, it's my job to steer and chart the course, and I am ultimately responsible for the outcome of this experiment, but never forget where the real power lies. It's where it always has been, in your hands." [7/31/2012] On starting the Dread Pirate Roberts Book Club, an online book club devoted to Austrian economics and libertarianism: "I started this club because I think the pursuit of truth is one of the most noble human endeavors. Debating these issues is critical for us to construct a world-view that is grounded in reason and can guide us forward. Assuming great success for Silk Road, how easily could it become another blood thirsty cartel seeking profit at all costs? We must maintain our integrity and be true to our principles, the opportunity to make a lasting difference is too great not to." [10/3/2012] On the Federal Reserve: "The Federal Reserve system relies on the force of government to maintain its monopoly power on the issuance of money. This is how all central banks maintain their control. Without the state's involvement, people would be free to use whatever currency they like. Historically this was gold. If the founders of the fed tried to do what they did w/o the Federal Reserve Act legislation, and later the Brenton Woods agreement, they would have failed miserably. No one would have bought into their system. In fact, this is the beauty of libertarianism. The people are free to choose what system they want. No need for one size fits all government solutions. If you want to use a debt based inflationary monetary system, go right ahead, doesn't affect me so long as you don't try to force me to use it as well." [1/30/2013] On the movie V for Vendetta, which was suggested watching material for a Dread Pirate Roberts "movie night": "What a flick! I got so engrossed I forgot to chat with you guys while I was watching. Loved the part where the talk-show host guy made fun of the chancellor. Loved the moment the crowd passed the front line of the guards. Many inspiring moments reminding me how powerful we are." [11/17/2012] On the framers of the Constitution: "I have a pet theory about where the framers went wrong. First off, I can't applaud them enough for what they accomplished given the circumstances. It's easy to critique centuries later, supported by the wealth their system allowed to emerge. But I wonder how things would have happened differently had the constitution been 100% voluntary. As in, here are the rules our members live by and how those rules are amended. If you want to be in the club, you must pay your dues and follow the rules, but if you want to go it alone, or join a different club, we won't bother you unless you bother us, and you are free to go at any time." [10/16/2012] On Ron Paul: "A mighty hero in my book." [11/15/2012] On whether Silk Road's users are really free market believers or only serving their own needs: "Anything you do that is outside the control of the state is agorist, so in some sense we are all agorists whether we know it or not. Some people just take those actions because of the personal gain they can obtain, which is perfectly fine, but some do it as a conscientious objection and act of rebellion against the state as well. I'm out to turn unconscious agorists into conscious active ones. :)" [10/04/2012] On war: (in response to another commenter who argues for the economic benefits of the military) "There is an important point you are overlooking in your assessment of the positive benefits of warfare, and that is the costs, both seen and unseen. The seen costs are obvious: death and destruction. However, the unseen costs alone make the benefits you mentioned not worthwhile. That unseen cost is lost demand in the private sector. It's simple: the resources used in warfare are unavailable to private individuals. We have no idea what people would've done with the trillions of dollars worth of resources that have gone into blowing people and things up, not to mention the resources that were directly destroyed. Considering the efficiency with which people competing in the market operate, and the inefficiency of the military bureaucracy, I suspect that the innovation and wealth produced by a world without war would make any advances the military has made look negligible." [10/11/2012] On the TSA and airline security: "Here's a market solution for ya: hold airlines accountable for any destruction that comes about as a result of misuse of their planes or other property. They would then insure against it and actuaries would be able to put a price on this potential cost and the risk reduction of security measures in airports so airlines could make economic decisions about what measures to take. Customers would also get a say as they choose their airlines based on cost vs. security measures taken." [10/11/2012] On child labor and labor conditions: "If the options available to a person are work or starve, why would you take away the work option? If people are voluntarily choosing to work in a factory under terrible conditions, it means the alternatives available to them are even worse. That work is an opportunity for them to better themselves. Child labour regulations only hampered the development and expansion of the industries that were providing these opportunities. Had they been allowed to develop freely, only under the constraints of supply, demand and property rights, they would have had to provide a safe work environment for their employees, if that's what the employees wanted. Let me give you a quick example. Nike and Reebok both have shoe factories in the same city. All of their resources and external conditions are effectively identical. The only thing they can vary is the quality of the work environment for their employees. Nike chooses to spend $1 per man-hour maintaining an improved work environment for its employees, while Reebok keeps that dollar as profit. Reebok will quickly find itself unable to attract the employee base it needs to produce its shoes as Nike takes its employees and market share. So, Reebok, instead of improving the work conditions, simply passes the extra $1 per hour on to their employees. Now we are seeing the market at work. Employees are now faced with the option of a safe work environment, or an extra dollar per hour. Some will choose safety while others will choose the extra pay. And this is exactly what has happened eventually, where now employers do all they can to attract good employees away from their competitors." [10/3/2012] On the power held by large corporations: "The people who run corporations, heads of state, the person selling you food, you, me and every human being are all fallible and capable of using power to dominate other people. Liberty is not a pill that makes men angels. What it does do is limit the extent to which evil can be expressed in the world. Right now, in any given geographic area, we have a monopoly on many of the most vital social institutions that is maintained through violence. If voluntary organizations consolidate their power and turn on their customers and start stealing from them, putting them in cages, killing them, spying on them and telling them what they can and can't do, well then we're back to where we started, the present day state. But, if I am correct, and the pressure for those firms to compete with one another for our favor leads them to serve us, then we can have freedom and prosperity the likes of which the world has never known." [10/3/2012] On environmentalism and sustainable economic growth: "This is where the institution of private property and markets really shine. Markets curb unsustainable growth through the price mechanism. As a needed resource is depleted, its supply drops and, assuming constant or rising demand, its price will rise. Rising prices force people to consume LESS of the resource and save more of it. Private property also incentivizes people to maximize the value of it. People tend to preserve and improve their land and capital. Free enterprise and private property, when honored, are an environmentalist's dream." [10/3/2012] On the minimum wage: "How about someone whose labor is worth less than minimum wage? These people are not allowed to work even if they are willing and able. They wind up homeless or in government programs where they get no productive skills. They don't benefit, and the rest of us don't benefit. If they were allowed to work, they could gain productive skills and work their way up above the "poverty line", enriching themselves and others. Give them a chance." [10/1/2012] On the idea of privatized instead of state-run police: "State police scare the hell out of me. Who would you trust more, someone who you paid to protect you and who's livelihood depends on your continuing to pay them, or someone who steals from you (taxes), buys guns with the money (FBI, DEA, ATF, Military, local and state police, etc.), and then forces you to do things against your will when you are not hurting anyone else? …Bullies are bad and should be spanked." [10/1/2012] On the need for government: "This may shock some of you to hear coming from me, but we absolutely NEED government, and good government at that. In fact, the services the current governments of the world monopolize or regulate are some of the most demanded and needed: security/defense, law, dispute resolution, education, healthcare, transportation, utilities, quality control etc. The question I present to you is, do we want a single entity monopolizing the provision of all of these critical goods and services, or do we want a choice?" [9/29/2012] On DPR's love for the Silk Road community: "It's a privilege to have a stage to speak from here. It doesn't get said enough, and it is hard to get across in this medium, but… I love you. Who knew that a softy could lead an international narcotics organization? Behind my wall of anonymity, I don't have to intimidate, thankfully. But yea, I love you guys. Thank you for being here. Thank you for being my comrades. Thank you for being yourselves and bringing your unique perspectives and energy. And on a personal note, thank you for giving me the best job in the world. I've never had so much fun! I know we've been at it for over a year now, but really, we are JUST getting started. I'm so excited and anxious for our future I could burst." [9/22/2012] On legalizing and taxing drugs: "I keep hearing this argument come up when people talk about drug prohibition: legalize, regulate and tax it. On the surface it sounds like a good idea. No more drug war, more tax revenue, government regulators can make sure it is safe. Makes sense, right? I can't help but think something is wrong though. Feels like the bastards that have been screwing everyone over all this time still win in this scenario. Now all that money can go to the state and to their cronies, right? Here's the rub: the drug war is an acute symptom of a deeper problem, and that problem is the state. If they "legalize, regulate and tax" it, it's just one more part of society under their thumb, another productive sector that they can leech off of. If prohibition is lifted, most people here will go away. You'll go back to your lives and get your drugs from whatever state certified dispensaries are properly licensed to sell to you. Drug use will be as interesting as smoking and drinking. Here's my point: Silk Road is about something much bigger than thumbing your nose at the man and getting your drugs anyway. It's about taking back our liberty and our dignity and demanding justice. If prohibition is lifted, and the drug industry is placed under the yoke of the state, then we won in a small way, but lost in a big way. Right now, drugs are ours. They aren't tainted by the government. We the people control their manufacture, distribution and consumption. We should be looking to expand that control, taking back our power, no giving what is ours to the very people that have been our enemies all along. It's easy to justify though. Think of all the horrors the war on drugs has caused that will be gone, almost instantly. That pain could stop! Don't be tempted by this short-term easy fix of "let the government handle it." Their time is coming to an end. The future is OUR time. Let us take this opportunity they've given us to gain a foothold from which we can throw that yoke off completely. We are NOT beasts of burden to be taxed and controlled and regulated. WE are free spirits! We DEMAND respect! The future can be a time where the human spirit flourishes, unbridled, wild and free! Don't be so quick to put on that harness and pull for the parasites. If prohibition is lifted, where will you be? Will you forget about all this revolution stuff? Will you go back to ignoring that itching feeling that something isn't right, that men in uniforms and behind desks have just a bit too much control over your life, and are taking more and more of your sovereignty every day? Will you go back to thinking that taxes are as inevitable as death and the best you can do is to pull as hard as you can for them until you mind, body and spirit are all used up? Or will you feel the loss, as one more wild west frontier comes under the dominion of the enemy, and redouble your efforts to stop it? I know where I'll be. I won't rest until children are born into a world where oppression, institutional violence and control, world war, and all the other hallmarks of the state are as ancient history as pharaohs commanding armies of slaves. The drug war merely brings to light their nature and shows us who they really are. Legalizing it won't change that and will only make them stronger. Hold on to what you DO have, and stand for the freedom you deserve!" [4/29/2012] In response to a user who asked to give DPR a hug: "*hug* Hugs not drugs... no wait, hugs AND drugs!" [4/20/2012] And finally, on what inspires him: "Hey gang, I read more than I post in the forum, and my posts are rarely of a personal nature. For some reason the mood struck me just now to put the revolution down for a minute and just express a few things. There is a curtain of anonymity and secrecy that covers everything that goes on behind the scenes here. It is often fast paced and stressful behind this curtain and I rarely lift my head long enough to take in just how amazing all of this is. But when I do I am filled with inspiration and hope for the future. Here's a little story about what inspires me: For years I was frustrated and defeated by what seemed to be insurmountable barriers between the world today and the world I wanted. I searched long and hard for the truth about what is right and wrong and good for humanity. I argued with, learned from, and read the works of brilliant people in search of the truth. It's a damn hard thing to do too with all of the misinformation and distractions in the sea of opinion we live in. But eventually I found something I could agree with whole heartedly. Something that made sense, was simple, elegant and consistent in all cases. I'm talking about the Austrian Economic theory, voluntaryism, anarcho-capitalism, agorism etc. espoused by the likes of Mises and Rothbard before their deaths, and Salerno and Rockwell today. >From their works, I understood the mechanics of liberty, and the effects of tyranny. But such vision was a curse. Everywhere I looked I saw the State, and the horrible withering effects it had on the human spirit. It was horribly depressing. Like waking from a restless dream to find yourself in a cage with no way out. But I also saw free spirits trying to break free of their chains, doing everything they could to serve their fellow man and provide for themselves and their loved ones. I saw the magical and powerful wealth creating effect of the market, the way it fostered cooperation, civility and tolerance. How it made trading partners out of strangers or even enemies. How it coordinates the actions of every person on the planet in ways too complex for any one mind to fathom to produce an overflowing abundance of wealth, where nothing is wasted and where power and responsibility are directed to those most deserving and able. I saw a better way, but knew of no way to get there. I read everything I could to deepen my understanding of economics and liberty, but it was all intellectual, there was no call to action except to tell the people around me what I had learned and hopefully get them to see the light. That was until I read "Alongside night" and the works of Samuel Edward Konkin III. At last the missing puzzle piece! All of the sudden it was so clear: every action you take outside the scope of government control strengthens the market and weakens the state. I saw how the state lives parasitically off the productive people of the world, and how quickly it would crumble if it didn't have it's tax revenues. No soldiers if you can't pay them. No drug war without billions of dollars being siphoned off the very people you are oppressing. For the first time I saw the drug cartels and the dealers, and every person in the whole damn supply chain in a different light. Some, especially the cartels, are basically a defacto violent power hungry state, and surely would love nothing more than to take control of a national government, but you average joe pot dealer, who wouldn't hurt a fly, that guy became my hero. By making his living outside the purview of the state, he was depriving it of his precious life force, the product of his efforts. He was free. People like him, little by little, weakened the state and strengthened the market. It wasn't long, maybe a year or two after this realization that the pieces started coming together for the Silk Road, and what a ride it has been. No longer do I feel ANY frustration. In fact I am at peace in the knowledge that every day I have more I can do to breath life into a truly revolutionary and free market than I have hours in the day. I walk tall, proud and free, knowing that the actions I take eat away at the infrastructure that keeps oppression alive. We are like a little seed in a big jungle that has just broken the surface of the forest floor. It's a big scary jungle with lots of dangerous creatures, each honed by evolution to survive in the hostile environment known as human society. All manner of corporation, government agency, small family businesses, anything that can gain a foothold and survive. But the environment is rapidly changing and the jungle has never seen a species quite like the Silk Road. You can see it, but you can't touch it. It is elusive, yet powerful, and we are evolving at a rapid clip, experimenting, trying to find sturdy ground we can put roots down in. Will we and others like us someday grow to be tall hardwoods? Will we reshape the landscape of society as we know it? What if one day we had enough power to maintain a physical presence on the globe, where we shunned the parasites and upheld the rule of law, where the right to privacy and property was unquestioned and enshrined in the very structure of society. Where police are our servants and protectors beholden to their customers, the people. Where pace our leaders earn their power and responsibility in the harsh and unforgiving furnace of the free market and not from behind a gun, where the opportunities to create and enjoy wealth are as boundless as one's imagination. Some day, we could be a shining beacon of hope for the oppressed people of the world just as so many oppressed and violated souls have found refuge here already. Will it happen overnight? No. Will it happen in a lifetime? I don't know. Is it worth fighting for until my last breath. Of course. Once you've seen what's possible, how can you do otherwise? How can you plug yourself into the tax eating, life sucking, violent, sadistic, war mongering, oppressive machine ever again? How can you kneel when you've felt the power of your own legs? Felt them stretch and flex as you learn to walk and think as a free person? I would rather live my life in rags now than in golden chains. And now we can have both! Now it is profitable to throw off one's chains, with amazing crypto technology reducing the risk of doing so dramatically. How many niches have yet to be filled in the world of anonymous online markets? The opportunity to prosper and take part in a revolution of epic proportions is at our fingertips! I have no one to share my thoughts with in physical space. Security does not permit it, so thanks for listening. I hope my words can be an inspiration just as I am given so much by everyone here. Dread Pirate Roberts" [3/20/2012] http://www.forbes.com/sites/andygreenberg/2013/08/14/an-interview-with-a-digital -drug-lord-the-silk-roads-dread-pirate-roberts-qa/ () >< pirate cinema berlin www.piratecinema.org # distributed via : no commercial use without permission # is a moderated mailing list for net criticism, # collaborative text filtering and cultural politics of the nets # more info: http://mx.kein.org/mailman/listinfo/nettime-l # archive: http://www.nettime.org contact: nettime at kein.org ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From l at odewijk.nl Wed Oct 2 16:12:55 2013 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Thu, 3 Oct 2013 01:12:55 +0200 Subject: Silk Road founder arrested ... In-Reply-To: References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> <40F6437F0E924260B71B76F8F5CA8E46@openbuddha.com> <1380740216.30026.14.camel@anglachel> Message-ID: Ted > On Wed, 2013-10-02 at 22:31 +0200, Lodewijk andré de la porte wrote: > > If you say anarchy is part of cypherpunkism (if that's a thing) I > > simply disagree with you. > You're wrong as a matter of historic fact. > Are you one of the people that was too afraid to be on the al-qaeda list > or something? At first I frowned and wondered why. Then I thought it was likely a joke and if it wasn't then what's the problem with al-qaeda? Also a distinct lack of right-to-left garbage spewing at me. Of course putting things into the people's hands (truly and irrevocably) is something that's very cypherpunk. In that sense it's also very anarchist, as permission from anyone is not required to take that power. Yet I'd maintain that laws a very much part of every *software *ever written. Bitcoin is a system mired in laws really, the amount of restriction on what you can and what you can't is precise and unforgiving. There's no space for seperatists as the blockchain forces the richest (iow: the biggest miner) to win any contest of what set of rules is *the* set of rules. As it has been stated "The code is the law". Yet the code is to be agreed upon, lest splintering of code recreates law differences as it does in nations. 2013/10/2 Juan Garofalo > I think you need to research the ABC of political theory before saying > anything about anarchy. Your belief that anarchy is chaos is as unfounded > as it is laughable. Anarchy as a word does not mean a thing. It's the people in it that shape it. This is as much as risk as it is a feature. From chaos men makes shapes, structures. These structures must, by the very absence of it, reimplement what otherwise a government does. Of course the extends and all will depend upon the people. Economically I can fairly say that every function will be taken over by the group that can do the task as financially efficient as possible. Combining that with the historic fact that kingdoms and empires, due to people's ignorance, are the easiest structures to conjure. And that ease makes it have a good return. So. My thinking is that anarchy that remains anarchy is in fact quite chaotic, as no real leaders are permitted to arise. Of course it's possible to have discussions together, to rule as a non-forcible collective. That's a very unstable situation however. Just like chaos. Now if you'd be so kind to tell me why your tone was so insulting and the reasons for thinking the way you do, then perhaps this can become an interesting conversation. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 4005 bytes Desc: not available URL: From coderman at gmail.com Thu Oct 3 02:32:37 2013 From: coderman at gmail.com (coderman) Date: Thu, 3 Oct 2013 02:32:37 -0700 Subject: Injustice: Denial of Disservice Attack - ACCEPT NO BARGAINS! Message-ID: On Wed, Oct 2, 2013 at 9:02 PM, Jim Bell wrote: > ... I thought, what if every > Federal defendant could be motivated to refuse to deal, to refuse to accept > the deal that's usually offered. a great idea, and like jury nullification, sure to be treated harshly. case in point: how much pressure was brought to bear in the Aaron Swartz prosecution to force a plea, and how the mere "disrespect" of taking notes during a proceeding and blogging about them drove a DA to absurd abuses of power in retaliation. From d.nix at comcast.net Thu Oct 3 02:43:46 2013 From: d.nix at comcast.net (d.nix) Date: Thu, 03 Oct 2013 02:43:46 -0700 Subject: USB Block Erupters as RNG sources? Message-ID: <524D3C52.5070409@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Curious; anyone know much about what these inexpensive (comparatively, price seems steadily falling) ASIC Block Erupter USB Bitcoin miners can be adapted to doing? Could they be repurposed as RNG sources? I know they are designed / programmed for running the SHA256 hashing employed in mining Bitcoin, but as the difficulty rate goes up, their value in that arena becomes less and less... Just wondering if they might find new life as inexpensive RNGs. Any pointers to the circuit or the code they run? Disclaimer: I have no idea if this is even remotely a valid or good idea... But a cheap hardware thumb drive RNG might be useful, no? DN - -- -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.20 (MingW32) iQEcBAEBAgAGBQJSTTxSAAoJEDMbeBxcUNAeS6cH/2byF7EcXWk6/wFrAzTkNuWE AuL8VEdgPuhZwkN10JCrFcpk7AwwIWZfZq7gUkFaaWS/Zc/X3Fiwj6no/Sr+76ak ste9aIZJ7ZGA6Hkni7JXdvEZi/xyq40UyVl0RGJHCTOrtNirSwgGF5uE8h0WYgom LwrulVWE+QpblBgVWJ/vR8i18kWnK1skrOGwDBg9weqW3nmBRtye3bOcJipiYHXm qdkxrzAYCY6Odr2pI7Fiv1lM4lH9ryZyDbJ6VW3jmsq2sXBMZ/TfZugscjx78m39 AbIk87ubwNUj30B/36pIvQyA9ePX43JZ9Ojpy+y3McbHI0Zg65A+MNpLnLCenCc= =7P4e -----END PGP SIGNATURE----- From coderman at gmail.com Thu Oct 3 03:04:52 2013 From: coderman at gmail.com (coderman) Date: Thu, 3 Oct 2013 03:04:52 -0700 Subject: Pen register request used to force disclosure of SSL private keys - LavaBit hearings Message-ID: this is perhaps the most interesting aspect of the LavaBit proceedings. See: http://cryptome.org/2013/10/lavabit-orders.pdf in short if you have not designed your system to be amenable to metadata tapping, particularly all the rich metadata requested by a "pen register", they're going to demand the encryption keys to access this metadata. said again for emphasis: SSL private keys are demanded under the smallest of justifications, which need not even show probable cause nor reasonable suspicion!! (they did later go back with an actual warrant for the keys, but only after this initial gambit, made repeatedly, failed.) """ July 16, 2013 TRANSCRIPT OF HEARING BEFORE THE HONORABLE CLAUDE M. HILTON ... [ED: James Trump is the fed lawyer, Ladar Levinson the LavaBit operator.] ... THE COURT: So as I understand it, my initial order ordered nothing but that the pen register be put in place. MR . TRUMP : And all technical assistance, information, and facilities necessary to implement the pen register. And it's our position t hat without the encryption keys, the data from the pen register will be meaningless. So to facilitate the actual monitoring required by the pen register, the FBI also requires the encryption keys . THE COURT: Well, that could be, but I don't know that I need - - I don ' t know that I need to reach that because I've issued a search warrant for that . MR. TRUMP : Correct, Your Honor. That the -- to avoid litigating this issue, we asked the Court to enter the seizure warrant. THE COURT : Well, what I ' m saying is if he agrees that the pen register be established, and that the only thing he doesn't want to do in connection with the pen register is to give up the encryption device or code MR. LEVISON : I've always maintained that . THE COURT : -- so we ' ve got no issue here . You're ready to do that? MR. LEVISON : I ' ve been ready to do that since Agent Howard spoke to me the first time . THE COURT: All right . So that ends our -- MR . TRUMP : Well, then we have to inquire of Mr, Levison whether he ... Jill produce the encryption keys pursuant to the search warrant that Your Honor just signed. THE COURT : But I can't deal with that this morning, can I? MR . TRUMP : Well , it ' s the same issue . You could ask him, Your Honor . We can serve him with the warrant and ask him if he' 5 going to comply rather than - - MR. LEVISON : Your Honor I've also been issued a subpoena demanding those same keys, which I brought with me in the event that we would have to address that subpoena . THE COURT : I don't know, Mr . Trump . I don't think I want to get involved in asking him . You can talk with him and see whether he ' s going to produce them or not and let him tell you . But I don ' t think I ought to go asking what he's going to do and what he's not going to do because I can ' t take any action about it anyway . If he does not comply with the subpoena, there are remedies for that one way or another . MR . TRUMP: Well, the original pen register order was followed by a compulsion order from Judge Buchanan . The compulsion order required the encr yption keys to be produced . So , yes, part of the show cause order is to require compliance both with the pen register order and the compulsion order issued by Judge Buchanan . And that order, which was attached to the show cause order, states, "To the extent any information, facilities, or technical assistance are under the control of Lavabit are needed to provide the FBI with the encrypted data, Lavabit shall provide such information, facilities, or technical assistance forthwith ." MR. LEVISON : I would object to that statement . I don't know if I'm wording this correctly, but what was in that order to compel was a statement that was incorrect . Agent Howard seemed to believe that I had the ability to encrypt the e-mail content stored on our servers, which is not the case . I only have the keys that govern communications into and out of the network , and those keys are used to secure the traffic for all users, not just the user in question . So the statement in that order compelling me to decrypt stuff and Agent Howard stating that I have the ability to do that is technically false or incorrect. There was never an explicit demand that I turn over these keys . THE COURT : I don't know what bearing that would have, would it? I mean, I don't have a problem -- Judge Buchanan issued an order in addition to mine, and I'm not sure I ought to be enforcing Judge Buchanan's order . July order, if he says that he will produce or allow the installation of the pen register, and in addition I have issued a search warrant for the codes that you want, which I did this morning, that's been entered, it seems that this issue is over as far as I'm concerned except I need to see that he allows the pen register and complies with the subpoena . MR . TRUMP : Correct . THE COURT: If he doesn't comply -- if he doesn't comply with the subpoena, then that has -- I have to address that. MR . TRUMP : Right . THE COURT: But right now there's nothing for me to address here unless he is not telling me correctly about the pen register . MR. TRUMP: Well , we can -- Your Honor, if we can talk to Mr . Levison for five minutes, we can ask him whether he will honor the warrant that you just issued . MR. LEVISON : Before we do that , can I - - THE COURT : Well, what can I do about it if he doesn't, if he tells you he's not going to? You've got the right to go out and search and get it . MR . TRUMP: Well, we can't get the information without his assistance . He's the only who knows and has possession of it . We can't take it from him involuntarily . MR . LEVISON : If I may, sir, my other THE COURT : Wait just a second . You're trying to get me ahead . You're trying to get me to deal with a contempt before there's any contempt , and I have a problem with that. MR . TRUMP: I'm trying to avoid contempt altogether, Your Honor . THE COURT: I know you are . And I'd love for you-all to get together and do that. I don't want to deal with it either. But I don't think we can sit around and agree that there's going to be a default and I will address it before it occurs. MR . TRUMP: I'm just trying to figure out whether there's going to be a default . We'll take care of that, Judge . THE COURT : You can . I think the way we've got to do this - - and I'll listen to you . I'm cutting you off, I know, but I'll listen to you in a minute. The way we have to do this, the hearing that's before me this morning on this issue of the pen register, that's been resolved, or so he's told me . I don't know whether you want to continue this one week and see if he complies with that, which I guess would be prudent to do, or a few days for him to comply with the pen register. Then we Hill wait and see what happens with the SUbpoena . Because as far as my pen register order is concerned, he says he's going to comply with it . So that issue's over and done with . The next issue will be ... whether or not he complies with the subpoena . And I don't know and I don't want to presume, and I don't want him to represent to me what he intends to do when he can very well go home and decide he's going to do something different. When that warrant is served, we'll know what he's going to do . I think we've got - - I don't see another way to do it . MR . TRUMP : That's fine, Your Honor. We will serve the warrant on him as soon as we conclude this hearing, and we'll find out whether he will provide the keys or not . From coderman at gmail.com Thu Oct 3 03:08:18 2013 From: coderman at gmail.com (coderman) Date: Thu, 3 Oct 2013 03:08:18 -0700 Subject: [liberationtech] USB Block Erupters as RNG sources? In-Reply-To: <524D3C52.5070409@comcast.net> References: <524D3C52.5070409@comcast.net> Message-ID: On Thu, Oct 3, 2013 at 2:43 AM, d.nix wrote: > ... > Curious; anyone know much about what these inexpensive (comparatively, > price seems steadily falling) ASIC Block Erupter USB Bitcoin miners > can be adapted to doing? Could they be repurposed as RNG sources? at best you *might* be able twist it into a DRBG that would still need to be seeded (and regularly reseeded) with robust entropy. these ASICs really are single purpose; they're useless for anything else. From coderman at gmail.com Thu Oct 3 05:30:08 2013 From: coderman at gmail.com (coderman) Date: Thu, 3 Oct 2013 05:30:08 -0700 Subject: Silk Road founder arrested ... In-Reply-To: <24ADD652FCEC47EE83047F8F55AE1100@openbuddha.com> References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> <24ADD652FCEC47EE83047F8F55AE1100@openbuddha.com> Message-ID: On Wed, Oct 2, 2013 at 11:47 AM, Al Billings wrote: > Paying someone $150,000 to kill someone isn't a crime in your country? in the United States this is on par for the targeted assassination program, which we should be learning more about soon. consider a presidential authorization made with unitary executive privilege: - 1 x $25,000 for the hellfire missile - 1-4 x $8,600 to $25,000 per drone flight hour == $33,600 to $125,000 per extra-judicial assassination, as expense to you the taxpayer benefiting the profits of the death merchants. currently this is considered "not a crime"... From coderman at gmail.com Thu Oct 3 06:10:47 2013 From: coderman at gmail.com (coderman) Date: Thu, 3 Oct 2013 06:10:47 -0700 Subject: Silk Road founder arrested ... In-Reply-To: References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> <24ADD652FCEC47EE83047F8F55AE1100@openbuddha.com> Message-ID: On Thu, Oct 3, 2013 at 5:59 AM, Lodewijk andré de la porte wrote: > ... > Of course it's not "extra-judicial" either. we can debate the ethics of remote drone kills separately, though clearly i'm not an unbiased party. however, this program fits the definition of "extrajudicial killing" perfectly. having a secret judge issue a secret ruling that "you can kill in secret without a trial, without due process, as long as criteria X is met" does not change the nature of the act. "An extrajudicial killing is the killing of a person by governmental authorities without the sanction of any judicial proceeding or legal process. Extrajudicial punishments are by their nature unlawful, since they bypass the due process of the legal jurisdiction in which they occur. Extrajudicial killings often target leading political, trade union, dissident, religious, and social figures and may be carried out by the state government or other state authorities like the armed forces and police." > Anyone think this is annoying? Me too. it was tedious before the first reply; perhaps we can agree that laws are poor substitute for ethical reasoning and depart this thread on common ground... From iam at kjro.se Thu Oct 3 08:10:23 2013 From: iam at kjro.se (Kelly John Rose) Date: Thu, 03 Oct 2013 09:10:23 -0600 Subject: Pen register request used to force disclosure of SSL private keys - LavaBit hearings In-Reply-To: References: Message-ID: <524D88DF.4080509@kjro.se> If anyone reads this and doesn't think they haven't pulled the same gambit with every US cloud service provider, they are kidding themselves. This, in my opinion, can make all US encryption, even US-based certificate authorities really untrustworthy. What is to stop them from getting GoDaddy to give up their root certificates with a NSL and a small legal justification? Once they have it, they could, in theory, MitM attack a ton of servers, and I don't think the judges even realize that. On 03/10/2013 4:04 AM, coderman wrote: > this is perhaps the most interesting aspect of the LavaBit proceedings. See: > http://cryptome.org/2013/10/lavabit-orders.pdf > > in short if you have not designed your system to be amenable to > metadata tapping, particularly all the rich metadata requested by a > "pen register", they're going to demand the encryption keys to access > this metadata. > > said again for emphasis: > > SSL private keys are demanded under the smallest of justifications, > which need not even show probable cause nor reasonable suspicion!! > > (they did later go back with an actual warrant for the keys, but only > after this initial gambit, made repeatedly, failed.) > > > """ > July 16, 2013 > TRANSCRIPT OF HEARING > BEFORE THE HONORABLE CLAUDE M. HILTON > ... > [ED: James Trump is the fed lawyer, Ladar Levinson the LavaBit operator.] > ... > THE COURT: So as I understand it, my initial order ordered > nothing but that the pen register be put in place. > > MR . TRUMP : And all technical assistance, information, and > facilities necessary to implement the pen register. And > it's our position t hat without the encryption keys, the data > from the pen register will be meaningless. So to facilitate > the actual monitoring required by the pen register, the FBI > also requires the encryption keys . > > THE COURT: Well, that could be, but I don't know that I > need - - I don ' t know that I need to reach that because > I've issued a search warrant for that . > > MR. TRUMP : Correct, Your Honor. That the -- to avoid > litigating this issue, we asked the Court to enter the > seizure warrant. > > THE COURT : Well, what I ' m saying is if he agrees that the > pen register be established, and that the only thing he > doesn't want to do in connection with the pen register is > to give up the encryption device or code > > MR. LEVISON : I've always maintained that . > > THE COURT : -- so we ' ve got no issue here . You're ready to > do that? > > MR. LEVISON : I ' ve been ready to do that since Agent Howard > spoke to me the first time . > > THE COURT: All right . So that ends our -- > > MR . TRUMP : Well, then we have to inquire of Mr, Levison > whether he ... Jill produce the encryption keys pursuant to > the search warrant that Your Honor just signed. > > THE COURT : But I can't deal with that this morning, can I? > > MR . TRUMP : Well , it ' s the same issue . You could ask > him, Your Honor . We can serve him with the warrant and ask > him if he' 5 going to comply rather than - - > > MR. LEVISON : Your Honor I've also been issued a subpoena > demanding those same keys, which I brought with me in the > event that we would have to address that subpoena . > > THE COURT : I don't know, Mr . Trump . I don't think I want > to get involved in asking him . You can talk with him and > see whether he ' s going to produce them or not and let him > tell you . But I don ' t think I ought to go asking what > he's going to do and what he's not going to do because I > can ' t take any action about it anyway . If he does not > comply with the subpoena, there are remedies for that one way > or another . > > MR . TRUMP: Well, the original pen register order was followed > by a compulsion order from Judge Buchanan . The compulsion > order required the encr yption keys to be produced . So , yes, > part of the show cause order is to require compliance both > with the pen register order and the compulsion order issued > by Judge Buchanan . And that order, which was attached to the > show cause order, states, "To the extent any information, > facilities, or technical assistance are under the control of > Lavabit are needed to provide the FBI with the encrypted > data, Lavabit shall provide such information, facilities, or > technical assistance forthwith ." > > MR. LEVISON : I would object to that statement . I don't know > if I'm wording this correctly, but what was in that order to > compel was a statement that was incorrect . Agent Howard > seemed to believe that I had the ability to encrypt the > e-mail content stored on our servers, which is not the case . > I only have the keys that govern communications into and out > of the network , and those keys are used to secure the > traffic for all users, not just the user in question . So > the statement in that order compelling me to decrypt stuff > and Agent Howard stating that I have the ability to do that > is technically false or incorrect. There was never an explicit > demand that I turn over these keys . > > THE COURT : I don't know what bearing that would have, would > it? I mean, I don't have a problem -- Judge Buchanan issued > an order in addition to mine, and I'm not sure I ought to > be enforcing Judge Buchanan's order . July order, if he says > that he will produce or allow the installation of the pen > register, and in addition I have issued a search warrant for > the codes that you want, which I did this morning, that's > been entered, it seems that this issue is over as far as > I'm concerned except I need to see that he allows the pen > register and complies with the subpoena . > > MR . TRUMP : Correct . > > THE COURT: If he doesn't comply -- if he doesn't comply with > the subpoena, then that has -- I have to address that. > > MR . TRUMP : Right . > > THE COURT: But right now there's nothing for me to address > here unless he is not telling me correctly about the pen > register . > > MR. TRUMP: Well , we can -- Your Honor, if we can talk to Mr > . Levison for five minutes, we can ask him whether he will > honor the warrant that you just issued . > > MR. LEVISON : Before we do that , can I - - > > THE COURT : Well, what can I do about it if he doesn't, if > he tells you he's not going to? You've got the right to go > out and search and get it . > > MR . TRUMP: Well, we can't get the information without his > assistance . He's the only who knows and has possession of it > . We can't take it from him involuntarily . > > MR . LEVISON : If I may, sir, my other > > THE COURT : Wait just a second . You're trying to get me > ahead . You're trying to get me to deal with a contempt > before there's any contempt , and I have a problem with that. > > MR . TRUMP: I'm trying to avoid contempt altogether, Your Honor . > > THE COURT: I know you are . And I'd love for you-all to get > together and do that. I don't want to deal with it either. > But I don't think we can sit around and agree that there's > going to be a default and I will address it before it > occurs. > > MR . TRUMP: I'm just trying to figure out whether there's > going to be a default . We'll take care of that, Judge . > > THE COURT : You can . I think the way we've got to do this > - - and I'll listen to you . I'm cutting you off, I know, but > I'll listen to you in a minute. The way we have to do > this, the hearing that's before me this morning on this issue > of the pen register, that's been resolved, or so he's told > me . I don't know whether you want to continue this one week > and see if he complies with that, which I guess would be > prudent to do, or a few days for him to comply with the > pen register. Then we Hill wait and see what happens with > the SUbpoena . Because as far as my pen register order is > concerned, he says he's going to comply with it . So that > issue's over and done with . The next issue will be ... > whether or not he complies with the subpoena . And I don't > know and I don't want to presume, and I don't want him to > represent to me what he intends to do when he can very well > go home and decide he's going to do something different. When > that warrant is served, we'll know what he's going to do . > I think we've got - - I don't see another way to do it . > > MR . TRUMP : That's fine, Your Honor. We will serve the > warrant on him as soon as we conclude this hearing, and > we'll find out whether he will provide the keys or not . > -- Kelly John Rose Mississauga, ON Phone: +1 647 638-4104 Twitter: @kjrose Document contents are confidential between original recipients and sender. From d.nix at comcast.net Thu Oct 3 09:11:43 2013 From: d.nix at comcast.net (d.nix) Date: Thu, 03 Oct 2013 09:11:43 -0700 Subject: USB Block Erupters as RNG sources? In-Reply-To: References: Message-ID: <524D973F.2030204@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > "Very little", and "no". They're basically custom Bitcoin-mining > ASICs, I looked at one a while back for use in password-cracking > and they're really not suited for it at all, you load a vector in > and say "go" but since they're quite I/O-limited you can't easily > adapt them for hash-breaking. As for RNG use, they're entirely > deterministic, how would you use them as an RNG source? > > > at best you *might* be able twist it into a DRBG that would still > need to be seeded (and regularly reseeded) with robust entropy. > > these ASICs really are single purpose; they're useless for anything > else. Thanks Peter, Coderman- Kinda what I suspected seeing as they are *Application Specific* IC's after all... Wishful thinking more than anything knowing that they are now saturating their market and loosing value rapidly. Cheers! DN - -- -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.20 (MingW32) iQEcBAEBAgAGBQJSTZc/AAoJEDMbeBxcUNAen9AH/3e6uZXS0ot0k8OgSfhVnPQ/ kNhhkgS+xZEx3w7k5pBnw5SXxz4wnZ4pWi9+/16FLoryy5Jtped9GA8J/5iyU/84 RU8m1Uskb0fwqMX1U67EiV7jOhJnzCRpCc/0Vy7JwF1q06VRRgFHLOLVq9MEJuqc k7XyeCZRlvXflMjN9tB40xwq7hntBt+CqSdja9wAdzEIfRffiqkuNO02nSYVrtkC BV/UomkBtBed4lxXp/EmEA1WPt7hmsX6o+dJYDgvRi61RslADdy0Ye++A4iJRbYM qo2MS0PhvnZb7Tu59GjwlGT2GxFEXOADaK6Atq6zI6S33pb1OwuuFlxdhmjPEFU= =WXON -----END PGP SIGNATURE----- From jeffrey at goldmark.org Thu Oct 3 07:13:59 2013 From: jeffrey at goldmark.org (Jeffrey Goldberg) Date: Thu, 3 Oct 2013 09:13:59 -0500 Subject: [cryptography] the spell is broken Message-ID: On 2013-10-02, at 5:23 PM, Jon Callas wrote: > A friend of mine offered this analogy -- what if it was leaked that the government replaced all of a vaccine with salt water because some nasty jihadis get vaccinated. This is serious and pretty horrifying. If you're a responsible doctor, and source your vaccines from the same place, even if you test them yourself you're stuck proving a negative and in a place where stating the negative can look like you're part of the conspiracy. I have been like that doctor, trying to explain to people why I remain confident in AES and SHA-2. Most who have asked have been understanding, but there have been a few “if you still use NIST/NSA algorithms, it’s because you are being told to.” Now some of us do have a (non-evil) financial incentive not to switch. We are encrypting data in files that a user synchronizes among multiple platforms. Even if we built in alternative ciphersuites today, it would probably be a year before we could create data using the new ones. So unless you and Silent Circle have information that the rest of us don’t about AES and SHA-2, I’m actually pissed off at this action. It puts more pressure on us to follow suit, even though such a move would be pure security theater. > Let me also add that I wouldn't fault anyone for deciding differently. We, the crypto community, need to work together with security and respecting each other's decisions even if we make different decisions and do different things. I respect the alternate decision, to stay the course. Would you fault people for engaging in security theater? And how is moving away from AES anything other than security theater? Traditionally we’ve used the term “security theater” to refer to things instigated by politicians and large entities. But the term applies just as well when it is motivated by demand from semi-sophistical users. Some instances of security theater of that sort are relatively harmless (256 bit symmetric keys, etc), but switching to an AES alternative carries real risks. I have nothing against Skein and Twofish (simply because I’m not familiar with the research on these and other SHA-3 and AES alternatives), but that choice only helps confirm the charge of security theater. I also think that the choice of Twofish and Skein reeks of security theater as well. It’s based on the public image of a high-profile contributor instead of on security considerations. Other things being equal, going with ciphers that are popular is wise. But are “other things” equal here? (genuine question. I don’t know how well Twofish and Skein hold up in comparison to other AES or SHA-3 finalists.) I’m not unsympathetic to you and Silent Circle. I can foresee engaging in the same sorts of security theater due to user demand. We’ve done it ourselves in a move from 128 bit AES to 256 bits despite the problems with the 256 bit key schedule. I’m also sympathetic to showing the world that we consider NIST tainted in general. NIST may never regain credibility even if Dual_EC_DRGG was the only case. But that loss of credibility should come (as it has) in renewed scrutiny of NIST behavior; it shouldn’t be throwing out the baby with the bath water just to make people feel more secure. Although I’m angry, I do recognize that Silent Circle’s actions are legitimate. But I do wish you would acknowledge that wrt AES and SHA-2 it is security theater instead of security. Cheers, -j _______________________________________________ cryptography mailing list cryptography at randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From loki at obscura.com Thu Oct 3 09:30:35 2013 From: loki at obscura.com (Lance Cottrell) Date: Thu, 3 Oct 2013 09:30:35 -0700 Subject: Pen register request used to force disclosure of SSL private keys - LavaBit hearings In-Reply-To: References: Message-ID: <78F290E1-A5ED-4B63-A089-D22FD9E78576@obscura.com> When architecting a system, it is critical that the operator of the system should not have access to the keys at all. You can't be compelled to produce something that you don't have. It is not hard to do if it is part of your initial design. Backup providers like SpiderOak seem to be doing this right. I have designed a number of systems with this type of security design. Rule #1 don't store clear text. Rule #2 don't store decryption keys Rule #3 don't do decryption on the server Rule #4 treat all communications with people not implementing security on THEIR computers as insecure Email security for systems designed to work with outsiders who don't use the tool are particularly problematic. The operator can use public keys to encrypt traffic as it arrives, but can easily be compelled to reveal the arriving clear text messages before encryption. Is it the SSL certificate for the SMTP TLS that was being requested? It appears so from the transcripts. If that is the case, they are asking to access content that was stored in the clear on the previous mail server(s). This is hardly highly secured content. The HTTPS sessions might reasonably be considered more sensitive and secure. -Lance -- Lance Cottrell loki at obscura.com On Oct 3, 2013, at 3:04 AM, coderman wrote: > this is perhaps the most interesting aspect of the LavaBit proceedings. See: > http://cryptome.org/2013/10/lavabit-orders.pdf > > in short if you have not designed your system to be amenable to > metadata tapping, particularly all the rich metadata requested by a > "pen register", they're going to demand the encryption keys to access > this metadata. > > said again for emphasis: > > SSL private keys are demanded under the smallest of justifications, > which need not even show probable cause nor reasonable suspicion!! > > (they did later go back with an actual warrant for the keys, but only > after this initial gambit, made repeatedly, failed.) > > > """ > July 16, 2013 > TRANSCRIPT OF HEARING > BEFORE THE HONORABLE CLAUDE M. HILTON > ... > [ED: James Trump is the fed lawyer, Ladar Levinson the LavaBit operator.] > ... > THE COURT: So as I understand it, my initial order ordered > nothing but that the pen register be put in place. > > MR . TRUMP : And all technical assistance, information, and > facilities necessary to implement the pen register. And > it's our position t hat without the encryption keys, the data > from the pen register will be meaningless. So to facilitate > the actual monitoring required by the pen register, the FBI > also requires the encryption keys . > > THE COURT: Well, that could be, but I don't know that I > need - - I don ' t know that I need to reach that because > I've issued a search warrant for that . > > MR. TRUMP : Correct, Your Honor. That the -- to avoid > litigating this issue, we asked the Court to enter the > seizure warrant. > > THE COURT : Well, what I ' m saying is if he agrees that the > pen register be established, and that the only thing he > doesn't want to do in connection with the pen register is > to give up the encryption device or code > > MR. LEVISON : I've always maintained that . > > THE COURT : -- so we ' ve got no issue here . You're ready to > do that? > > MR. LEVISON : I ' ve been ready to do that since Agent Howard > spoke to me the first time . > > THE COURT: All right . So that ends our -- > > MR . TRUMP : Well, then we have to inquire of Mr, Levison > whether he ... Jill produce the encryption keys pursuant to > the search warrant that Your Honor just signed. > > THE COURT : But I can't deal with that this morning, can I? > > MR . TRUMP : Well , it ' s the same issue . You could ask > him, Your Honor . We can serve him with the warrant and ask > him if he' 5 going to comply rather than - - > > MR. LEVISON : Your Honor I've also been issued a subpoena > demanding those same keys, which I brought with me in the > event that we would have to address that subpoena . > > THE COURT : I don't know, Mr . Trump . I don't think I want > to get involved in asking him . You can talk with him and > see whether he ' s going to produce them or not and let him > tell you . But I don ' t think I ought to go asking what > he's going to do and what he's not going to do because I > can ' t take any action about it anyway . If he does not > comply with the subpoena, there are remedies for that one way > or another . > > MR . TRUMP: Well, the original pen register order was followed > by a compulsion order from Judge Buchanan . The compulsion > order required the encr yption keys to be produced . So , yes, > part of the show cause order is to require compliance both > with the pen register order and the compulsion order issued > by Judge Buchanan . And that order, which was attached to the > show cause order, states, "To the extent any information, > facilities, or technical assistance are under the control of > Lavabit are needed to provide the FBI with the encrypted > data, Lavabit shall provide such information, facilities, or > technical assistance forthwith ." > > MR. LEVISON : I would object to that statement . I don't know > if I'm wording this correctly, but what was in that order to > compel was a statement that was incorrect . Agent Howard > seemed to believe that I had the ability to encrypt the > e-mail content stored on our servers, which is not the case . > I only have the keys that govern communications into and out > of the network , and those keys are used to secure the > traffic for all users, not just the user in question . So > the statement in that order compelling me to decrypt stuff > and Agent Howard stating that I have the ability to do that > is technically false or incorrect. There was never an explicit > demand that I turn over these keys . > > THE COURT : I don't know what bearing that would have, would > it? I mean, I don't have a problem -- Judge Buchanan issued > an order in addition to mine, and I'm not sure I ought to > be enforcing Judge Buchanan's order . July order, if he says > that he will produce or allow the installation of the pen > register, and in addition I have issued a search warrant for > the codes that you want, which I did this morning, that's > been entered, it seems that this issue is over as far as > I'm concerned except I need to see that he allows the pen > register and complies with the subpoena . > > MR . TRUMP : Correct . > > THE COURT: If he doesn't comply -- if he doesn't comply with > the subpoena, then that has -- I have to address that. > > MR . TRUMP : Right . > > THE COURT: But right now there's nothing for me to address > here unless he is not telling me correctly about the pen > register . > > MR. TRUMP: Well , we can -- Your Honor, if we can talk to Mr > . Levison for five minutes, we can ask him whether he will > honor the warrant that you just issued . > > MR. LEVISON : Before we do that , can I - - > > THE COURT : Well, what can I do about it if he doesn't, if > he tells you he's not going to? You've got the right to go > out and search and get it . > > MR . TRUMP: Well, we can't get the information without his > assistance . He's the only who knows and has possession of it > . We can't take it from him involuntarily . > > MR . LEVISON : If I may, sir, my other > > THE COURT : Wait just a second . You're trying to get me > ahead . You're trying to get me to deal with a contempt > before there's any contempt , and I have a problem with that. > > MR . TRUMP: I'm trying to avoid contempt altogether, Your Honor . > > THE COURT: I know you are . And I'd love for you-all to get > together and do that. I don't want to deal with it either. > But I don't think we can sit around and agree that there's > going to be a default and I will address it before it > occurs. > > MR . TRUMP: I'm just trying to figure out whether there's > going to be a default . We'll take care of that, Judge . > > THE COURT : You can . I think the way we've got to do this > - - and I'll listen to you . I'm cutting you off, I know, but > I'll listen to you in a minute. The way we have to do > this, the hearing that's before me this morning on this issue > of the pen register, that's been resolved, or so he's told > me . I don't know whether you want to continue this one week > and see if he complies with that, which I guess would be > prudent to do, or a few days for him to comply with the > pen register. Then we Hill wait and see what happens with > the SUbpoena . Because as far as my pen register order is > concerned, he says he's going to comply with it . So that > issue's over and done with . The next issue will be ... > whether or not he complies with the subpoena . And I don't > know and I don't want to presume, and I don't want him to > represent to me what he intends to do when he can very well > go home and decide he's going to do something different. When > that warrant is served, we'll know what he's going to do . > I think we've got - - I don't see another way to do it . > > MR . TRUMP : That's fine, Your Honor. We will serve the > warrant on him as soon as we conclude this hearing, and > we'll find out whether he will provide the keys or not . -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 16951 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: smime.p7s Type: application/pkcs7-signature Size: 4877 bytes Desc: not available URL: From softservant at gmail.com Thu Oct 3 08:53:54 2013 From: softservant at gmail.com (Softy) Date: Thu, 3 Oct 2013 11:53:54 -0400 Subject: cypherpunks Digest, Vol 4, Issue 9 In-Reply-To: References: Message-ID: was that eight pages of fun reading rambling just to end with ... "because crypto is in too many mathematical dimensions to model in origami, or any other Earthly physical medium" ... or did I miss a crucial middle paragraph? ​ ​oh please oh please I hope people replying to this thread don't re-send the original in full.​ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 571 bytes Desc: not available URL: From coderman at gmail.com Thu Oct 3 11:57:22 2013 From: coderman at gmail.com (coderman) Date: Thu, 3 Oct 2013 11:57:22 -0700 Subject: Pen register request used to force disclosure of SSL private keys - LavaBit hearings In-Reply-To: <78F290E1-A5ED-4B63-A089-D22FD9E78576@obscura.com> References: <78F290E1-A5ED-4B63-A089-D22FD9E78576@obscura.com> Message-ID: On Thu, Oct 3, 2013 at 9:30 AM, Lance Cottrell wrote: > When architecting a system, it is critical that the operator of the system > should not have access to the keys at all... > ... > Rule #1 don't store clear text. > Rule #2 don't store decryption keys > Rule #3 don't do decryption on the server > Rule #4 treat all communications with people not implementing security on > THEIR computers as insecure some have suggested a rule #5: don't distribute updates automatically to your users and don't implement security critical functions in code that is delivered to the client via the server. i have yet to see a definitive case of a US company forced to include a backdoor in their software or forced to use their software update channel to deliver a CALEA/intercept friendly version of code to the targeted customer. to date all of these requests appear to be off the record rather than enforced via judicial motion. this is a shame, since out of date software itself poses significant risk, and is best resolved via automatic updates from the vendor. > Email security for systems designed to work with outsiders who don't use the > tool are particularly problematic. The operator can use public keys to > encrypt traffic as it arrives, but can easily be compelled to reveal the > arriving clear text messages before encryption. i'll avoid repeating my "email is for public communication" rant ;) > Is it the SSL certificate for the SMTP TLS that was being requested?... > This is hardly highly secured content. The HTTPS sessions might reasonably > be considered more sensitive and secure. my reading of this sequence of motions is that at least five different keys were requested, which seems to imply _all_ SSL/TLS keys, including those for HTTPS sessions. e.g. they can request "pen register" information for web traffic! (we're a long way from just the dialed digits days...) From coderman at gmail.com Thu Oct 3 12:55:07 2013 From: coderman at gmail.com (coderman) Date: Thu, 3 Oct 2013 12:55:07 -0700 Subject: Pen register request used to force disclosure of SSL private keys - LavaBit hearings In-Reply-To: References: <78F290E1-A5ED-4B63-A089-D22FD9E78576@obscura.com> Message-ID: On Thu, Oct 3, 2013 at 12:24 PM, CodesInChaos wrote: > ... > I don't think disabling auto-update is a good idea. What we need is secure > auto update. agreed. > This involves: > 1) requiring multiple signatures on the update by people in different > jurisdictions > 2) Reproducible builds > 3) A Certificate Transparency like log of all updates. > > I believe TOR is doing some work on points 1) and 2). there are additional concerns regarding the implementation of updates and key management for the updates as well. see: http://www.cs.arizona.edu/stork/ http://www.cs.arizona.edu/stork/packagemanagersecurity/papers.html https://trac.torproject.org/projects/tor/wiki/org/roadmaps/Thandy From jamesdbell8 at yahoo.com Thu Oct 3 13:03:18 2013 From: jamesdbell8 at yahoo.com (Jim Bell) Date: Thu, 3 Oct 2013 13:03:18 -0700 (PDT) Subject: Injustice: Denial of Disservice Attack - ACCEPT NO BARGAINS! In-Reply-To: References: Message-ID: <1380830598.10748.YahooMailNeo@web141205.mail.bf1.yahoo.com> From: coderman To: Jim Bell Cc: "cypherpunks at cpunks.org" Sent: Thursday, October 3, 2013 2:32 AM Subject: Re: Injustice: Denial of Disservice Attack - ACCEPT NO BARGAINS! On Wed, Oct 2, 2013 at 9:02 PM, Jim Bell wrote: >> ... I thought, what if every >> Federal defendant could be motivated to refuse to deal, to refuse to accept >> the deal that's usually offered. >a great idea, and like jury nullification, sure to be treated harshly. >case in point: how much pressure was brought to bear in the Aaron >Swartz prosecution to force a plea, and how the mere "disrespect" of >taking notes during a proceeding and blogging about them drove a DA to >absurd abuses of power in retaliation. Which is why this kind of thing must be done.  Drop the number of people who can be prosecuted Federally by a factor of 10-20, and these kinds of cases generally will not be brought, or in far smaller number.         Jim Bell -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1920 bytes Desc: not available URL: From eugen at leitl.org Thu Oct 3 05:06:06 2013 From: eugen at leitl.org (Eugen Leitl) Date: Thu, 3 Oct 2013 14:06:06 +0200 Subject: Silk Road founder arrested ... In-Reply-To: <24ADD652FCEC47EE83047F8F55AE1100@openbuddha.com> References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> <24ADD652FCEC47EE83047F8F55AE1100@openbuddha.com> Message-ID: <20131003120606.GD10405@leitl.org> On Wed, Oct 02, 2013 at 11:47:51AM -0700, Al Billings wrote: > Paying someone $150,000 to kill someone isn't a crime in your country? All assuming it's not all lies. From jon at callas.org Thu Oct 3 14:31:12 2013 From: jon at callas.org (Jon Callas) Date: Thu, 3 Oct 2013 14:31:12 -0700 Subject: [cryptography] the spell is broken Message-ID: <18F6696D-4D3B-4DC8-8CD4-82CE5D8DAAD3@callas.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Oct 3, 2013, at 7:13 AM, Jeffrey Goldberg wrote: Jeff, You might call it "security theatre," but I call it (among other things) "protest." I have also called it "trust," "conscience," and other things including "emotional." I'm willing to call it "marketing" in the sense that marketing often means non-technical. I disagree with "security theatre" because in my opinion security theatre is *empty* or *mere* trust-building, but I don't fault you for being upset. I don't blame you for venting in my direction, either. I will, however, repeat that I believe this is something gentlepersons can disagree on. A decision that's right for me might not be right for you and vice-versa. Since the AES competition, NIST has been taking a world-wide role in crypto standards leadership. Overall, it's been a good thing, but one could have one's disagreements with a number of things (and I do), but it's been a good *standards* process. A good standard, however, is not necessarily the *best*, it's merely agreed upon. A standard that is everyone's second choice is better than a standard that is anyone's first choice. I don't think there are any problems with AES, but I think Twofish is a better choice. During the AES competition, the OpenPGP community as a whole, and I and my PGP colleagues put Twofish into OpenPGP *independently* of the then-unselected AES. It was thus our vote for it. When Phil, Alan, and I were putting ZRTP together, we put in Twofish as an option (RFC 6189, section 5.1.3). Thus in my opinion, if you know my long-standing opinions on ciphers, this shouldn't be a surprise. I think Twofish is a better algorithm than Rijndael. ZRTP also has in it an option for using Skein's one-pass MAC instead of HMAC-SHA1. Why? Because we think it's more secure in addition to being a lot faster, which is important in an isochronous protocol. Silent Phone already has Twofish in it, and is already using Skein-MAC. In Silent Text, we went far more to the "one true ciphersuite" philosophy. I think that Iang's writings on that are brilliant. As a cryptographer, I agree, but as an engineer, I want options. I view those options as a form of preparedness. One True Suite works until that suite is no longer true, and then you're left hanging. To be fair, there are few options in ZRTP -- it's only AES or Twofish and SHA1-HMAC or Skein-MAC, so the selection matrix is small when compared to OpenPGP. We have One True Elliptic Curve -- P-384, and options for AES-CCM in either 128 or 256 bits and paired with SHA-256 or SHA-512 as hash and HMAC as appropriate. There's a third option, AES-256 paired with Skein/Skein-MAC, which I don't think is in the code, merely defined as a cipher suite. I can't remember. So we have to add Twofish there, but it's in Silent Phone now. Now let me go back to my comment about standards. Standards are not about what's *best*, they're about what's *agreed*, and part of what's agreed on is that they're good enough. When one is part of a standards regime, one sublimates one's personal opinions to the collective good of the standard. That collective good of the standard is also "security theatre" in the sense that one uses it because it's the thing uses to be part of the community. I think Twofish is better than AES. I believe that Skein is better than SHA-2. I also believe in the value of standards. The problem one faces with the BULLRUN documents gives a decision tree. The first question is whether you think they're credible. If you don't think BULLRUN is credible, then there's an easy conclusion -- stay the course. If you think it is credible, then the next decision is whether you think that the NIST standards are flawed, either intentionally or unintentionally; in short, was BULLRUN *successful*. If you think they're flawed, it's easy; you move away from them. The hard decision is the one that comes next -- I can state it dramatically as "Do you stand with the NSA or not?" which is an obnoxious way to put it, as there are few of us who would say, "Yes, I stand with the NSA." You can phrase less dramatically it as standing with NIST, or even less dramatically as standing with "the standard." You can even state it as whether you believe BULLRUN was successful, or lots of other ways. Moreover, it's not all-or-nothing. Bernstein and Lange have been arguing that the NIST curves are flawed since before Snowden. Lots of people have been advocating moving to curve 25519. I want a 384-or-better curve because my One True Curve has been P-384. If I'm going to move away from the NIST/NSA curve (which seems wise), what about everything else? Conveniently, I happen to have alternates for AES and SHA-2 in my back pocket, where they've been *alternates* in my crypto going back years. They're even in part of the software, sublimated to the goodness of the standard. The work is merely pulling them to the forefront and tying a bow around it. And absolutely, this is an emotional response. It's protest. Intellectually, I believe that AES and SHA2 are not compromised. Emotionally, I am angry and I want to distance myself from even the suggestion that I am standing with the NSA. As Coderman and Iang put it, I want to *signal* my fury. I am so pissed off about this stuff that I don't *care* about baby and bathwater, wheat and chaff, or whatever else. I also want to signal reassurance to the people who use my system that yes, I actually give a damn about this issue. I am fortunate enough to have a completely good cipher and completely good hash function in my back pocket. So I'm going to use them. If it turns out that there's a good explanation, that BULLRUN is wrong, it's just software. Your situation is different, as is everyone else's. I admire your cool head, but I have to stand over there. I apologize for angering you, but I'm not sorry. If I'm wrong, I'll have to eat my words. I would rather eat my words in this direction -- moving away -- than the other direction -- standing pat. Jon -----BEGIN PGP SIGNATURE----- Version: PGP Universal 3.2.0 (Build 1672) Charset: windows-1252 wj8DBQFSTeImsTedWZOD3gYRAkIRAJ9cDK8o+NF+L6j7B8tQyP/8oIV7rgCgzGpf ns15Wi+7A3OtBclHULxxBtM= =/bzs -----END PGP SIGNATURE----- _______________________________________________ cryptography mailing list cryptography at randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From l at odewijk.nl Thu Oct 3 05:48:30 2013 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Thu, 3 Oct 2013 14:48:30 +0200 Subject: anarchy was : Silk Road founder arrested ... In-Reply-To: <63D2D2A962F8C4AD35FA425F@F74D39FA044AA309EAEA14B9> References: <63D2D2A962F8C4AD35FA425F@F74D39FA044AA309EAEA14B9> Message-ID: 2013/10/3 Juan Garofalo > --On Thursday, October 03, 2013 1:12 AM +0200 Lodewijk andré de la porte < > l at odewijk.nl> wrote: > >> 2013/10/2 Juan Garofalo >> I think you need to research the ABC of political theory before saying >> anything about anarchy. Your belief that anarchy is chaos is as unfounded >> as it is laughable. >> >> Anarchy as a word does not mean a thing. >> > > Right, it doesn't mean one thing, it means *two* different and mutually > exclusive things. It is vulgarly used to mean 'chaos', and it's used by > advocates of voluntary interactions to describe a social system based on > voluntary interactions. > This system fails in the sight of coercion by force. In fact coercion of any kind reduces the ideals *i think *you hold it to have. The other way around is not true, a system of force is not destroyed by acting in only voluntary means. Merely by there being no opponents to those that act forcefully. An essential proposal of government is monopoly on violence. For if there is none able to combat a singular forceful actor force is no longer a viable means of coercion. And other means must be used to coerce. These means are defined in that same government. In the simplest case an oracle is used to provide right from wrong, the king or emperor. Nowadays we see faux-democratic organizations that, ideally, enforce the tyranny of the masses. There's a contest between tyranny of the masses and exploitation/corruption by those with financial incentives or a desire for power. The idea that coercion can be communicated about fairly I support strongly, it guarantees a minimum amount of power one can have. > You know, voluntary interactions : The opposite of cheering the drug laws > of the american state. > I'm not cheering the US (drug) laws. Please try to understand. I simply recognize the arrested man continued to live in an area where people comply fully to US laws. And I recognize that Americans consider their government to have the intended functionality for else they would be compelled to revolt against it. An exercise also guaranteed by their constitution. Part of it should feel quite provoking to Americans themselves. I hope it is. If I were American I would be beyond disgusted by my governing and it's systems. And I would be patriotic, defending the original values by which the US were founded. This all is quite unrelated to cryptography or cypherpunkism, which is not in question for the law instances have not shown the ability to break the hiding methods used. They might have applied "intelligence laundering" but it seems they did so effectively, and thus we cannot extrapolate from anything. > It's the people in it that shape it. This is as much as risk as it is a >> feature. From chaos men makes shapes, structures. These structures must, by >> the very absence of it, reimplement what otherwise a government does. Of >> course the extends and all will depend upon the people. >> > > A government is a criminal organization that violates rights to > life liberty and property. Those criminal 'functions' of government can't > exist in a voluntary society. > Non sequitur. Criminal is defined precisely by government. If you intend to use it any other way you should define it. You're trying to transfer the emotional experience of "crime" towards "government". Rights are the very same. If you want to say something, say it clearly. These statements are of exclusively emotional value, and they contain no reasons. If you wish to express your anger you may, but do not confuse it with logic. I would also propose that in fact most governments now are voluntary societies. However they exert force on those who choose to participate partially, and choose for some unable to choose. These things I consider despicable but also to some extend necessary and unavoidable. As to this man, he was capable to halt his participation in the Union but he was not willing. This argument does not apply to him. If 'people' 'reimplement' what government does, then we are not talking > about anarchy. > So in anarchy there is no maintenance of dykes, no roads, no legal tender or banks, no armies, no system of justice and no encouragement of certain economic operations? Reimplement, in anarchy, just means do it. For a profit or charity in all likelihood. I don't really see why you'd be better off with a "private cooperation" fighting a war over a government fighting a war. You also recreate the problems of governance in those "private co-operations". Note that any union of people for a purpose constitutes a cooperation or business. Economically I can fairly say that every function will be taken over by >> the group that can do the task as financially efficient as possible. >> Combining that with the historic fact that kingdoms and empires, due to >> people's ignorance, are the easiest structures to conjure. And that ease >> makes it have a good return. >> > > Not sure what you're getting at... > Anarchy turns into monarchies for economic and humanitarian reasons. > So. My thinking is that anarchy that remains anarchy is in fact quite >> chaotic, >> as no rel leaders are permitted to arise. >> > > I don't see the connection between leaders and their sheep on one > hand and 'chaos' on the other. > As soon as structures arise, be it following those that sound right, be it financial returns, be it newspapers. Influence and ability to decide move towards individuals. Without control not to quorums but to actual individuals. If you prevent these structures from arising at all there is not even the ability for two person interaction. If you permit these structures to a certain level you have (a political problem with no means to deal with it and) leaders, to the extend you permit. You are making a very binary distinction between a leader and the followers, but you must understand that one must always follow an idea. Whatever presents the idea becomes the leader. That leader may be fair, however, and this is what governments nowadays pretend to be. In fact, most people do agree that the way it is done now is the best way we can. * * "Many forms of Government have been tried and will be tried in this world of sin and woe. No one pretends that democracy is perfect or all-wise. Indeed, it has been said that democracy is the worst form of government except all those other forms that have been tried from time to time." and Churchill was certainly a leader. > It's quite possible to have 'order' without 'leaders'. It's called > self-government. Or doing what you like and leaving your neighbor alone. > You will find that everyone becoming his own country is not a more pleasant form of governance. Especially not when you will form unions. I have speculated about that extremism. Of course it is possible to have a "United Peoples" instead of "United Nations", where every person is required to contributed the way the UN requires it, and every person must enter into treaties of his/her liking. Sadly it fails due to the people's ignorance. The likelihood you will have a fruitful life, lived pleasantly, becomes lower. > Of course it's >> possible to have discussions together, to rule as a non-forcible >> collective. That's a very unstable situation however. Just like chaos. >> > Individuals can interact as individuals, voluntary and with no 'chaos' in > sight. I don't see why it should be 'unstable'. > Taking what I said above as the starting point, doesn't it seem likely a large group of people will enter into a "Trade Union of Amsterdam Constitutional Treaty" where those people may exclusively trade with each other, lest explicitly mentioned in the treaty, and there is a committee assigned for the justitional needs of the union, etc, etc ,etc. You recreate government with peculiar overhead. The step towards warring between people is oh so very small. It will be legal, certainly, but some treaties may demand retribution or punishment of the war starter. Not unlike a murdered would now be judged and charged and punished. Freedom is not served by this system. Neither is wealth or comfort. Now, you can say of course that that's not supposed to happen. Or that that would make it "not anarchy" anymore. But the truth is then that it is easy to become "not anarchy" and hard to stay anarchy. That's what I mean with "That's a very unstable situation". -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 12567 bytes Desc: not available URL: From l at odewijk.nl Thu Oct 3 05:59:06 2013 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Thu, 3 Oct 2013 14:59:06 +0200 Subject: Silk Road founder arrested ... In-Reply-To: References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> <24ADD652FCEC47EE83047F8F55AE1100@openbuddha.com> Message-ID: 2013/10/3 coderman > currently this is considered "not a crime"... I don't believe there's been a public ruling of a judge, which would make you think makes it unclear. There's however provisions for secret rulings that are still in effect. This law was passed legally and in accordance with earlier safeguards and with no revolt from the people. I'd say that if there's agreement on these things being okay, then it must be "not a crime". Of course it's not "extra-judicial" either. What we think about it personally, well, that's just not the same question, is it? Although it's a good answer. Maybe "sometimes it's legal" would be more direct. "someone" isn't a specific enough target. "Paying someone $150,000 for an illlegal murder isn't a crime in your country?" would be a better question, but you can see how it answers itself. "Is paying $150,00 ever legal in your country?" -"Yes" would be the perfect question. Anyone think this is annoying? Me too. Use clear language and answer people's actual goddamn questions. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1773 bytes Desc: not available URL: From nettime at kein.org Thu Oct 3 06:22:04 2013 From: nettime at kein.org (nettime's avid reader) Date: Thu, 03 Oct 2013 15:22:04 +0200 Subject: Two million 'internet opinion analysts' Message-ID: Two million 'internet opinion analysts' employed to monitor China's vast online population. Government employees trawl through blogs and social media to dissect public opinion Thursday, 03 October, 2013, 6:04pm Patrick Boehler patrick.boehler at scmp.com http://www.scmp.com/news/china-insider/article/1323529/two-million-employed-monitor-chinese-public-opinion Some two million people are employed by the Chinese government at all levels, as well as businesses, to monitor public opinion on Chinese social media, according to a report in Thursday’s Beijing News. By trawling through blogs, microblog posts and social networks, these "Internet opinion analysts," most of them government employees, dissect public opinion on local issues and try to identify accusations of corruption and poor governance. They keep local leadership, from county to province, informed on a daily basis via text messages and written reports. The Beijing-based newspaper took advantage of a seminar for these monitors, held in the capital in mid-October by the People’s Daily Online Public Opinion Monitoring Centre, a think tank-like unit of the Communist Party’s official mouthpiece, to meet these usually anonymous local government staffers known as “online public opinion analysts”. Even though the industry has been around for at least six years, the Ministry of Human Resources only listed their duties earlier this month as an official profession certified by the ministry’s China Employment Training Technical Instruction Centre. They use taxpayers’ money to suppress taxpayers’ voices Online commentator Since 2008, the People’s Daily’s think tank has advised local governments to quicken the pace of issuing public statements and reacting to online debate and viral political statements. In 2011, it called on officials to react within the “four golden hours” after an incident, such a train crash or a riot, to provide information and prevent allegations of cover-ups. One such analyst the Beijing News interviewed heads the public opinion monitoring office of a county in Henan province. Every day, the man with the pseudonym Yuan Ming would search his county’s name on Google and Baidu, the Chinese equivalent of the international search engine. Special software bought by the county at a cost of three million yuan alerts his office to trending topics on social media, according to the report. Local Communist Party propaganda departments have for years employed contractors, known as wumao at a reported rate of 0.5 yuan paid for every online post, so they can monitor public opinion and counterbalance negative voices with positive ones, as well as slander those critical of the local or central government officials. The certification of “public opinion monitors” has led many people online to quip that wumao have been given proper and government jobs, coveted by many for their job security. “Who pays their salaries?” one person asked. “They use taxpayers’ money to suppress taxpayers’ voices,” wrote another # distributed via : no commercial use without permission # is a moderated mailing list for net criticism, # collaborative text filtering and cultural politics of the nets # more info: http://mx.kein.org/mailman/listinfo/nettime-l # archive: http://www.nettime.org contact: nettime at kein.org ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From wilfred at vt.edu Thu Oct 3 20:23:52 2013 From: wilfred at vt.edu (Wilfred Guerin) Date: Thu, 3 Oct 2013 17:23:52 -1000 Subject: Fwd: USDOJ: Kelley Case Significant Oversight In-Reply-To: References: Message-ID: ---------- Forwarded message ---------- From: Wilfred Guerin Date: Wed, Sep 25, 2013 at 12:19 PM Subject: USDOJ: Kelley Case Significant Oversight To: peter.phipps at usdoj.gov CIV # 13-cv-825 Jill Kelley, FBI, DOD Jill Kelley's (in-law) father is Gen David Kelley (NCS, DISA) Jill Kelley's uncle is FBI Director of OIC Patrick W. Kelley Jill Kelley's uncle is Gen Zbiginew US Army Poland, responsible for CIA Rendition Torture Base Jill Kelley's cousin is FBI Deputy Director Sean Joyce (nephew of Patrick Kelley) Jill Kelley's cousin is DNI Lawyer Alex Joel (nephew of Patrick Kelley) Alex Joel's grandfather is Clarence M. Kelley, FBI Director 1970s Jill Kelley's uncle is DIA Counter-Intelligence Commander Jill Kelley's uncles [are] military [counter] intelligence training and command Jill Kelley's cousins [are] USDOJ covert intelligence and counter-intelligence Jill Kelley's cousin is DOJ/DOD Counter-Intelligence responsible for designing 9/11 (2001) Jill Kelley's cousin Logan provided aircraft flight control systems used 9/11 Gen John Allen's nephew worked on the WTC insurance policy 2001 Jill Kelley's cousin managed WTC insurance policy unit 2001 Jill Kelley's uncle is military propaganda specialist Deforest Kelley Patrick W. Kelley, FBI OIC, is responsible for protocol and compliance for FBI and all 1811s Sean Joyce brought David Petraeus issue to ODNI Clapper with first cousin Alex Joel as advised by mutual uncle Patrick W. Kelley re his niece Jill Kelley. The information you have cited in your filing is erroneous. This is indication of systemic treasonous influence. This is a short list of the 75+ identified parties involved. From wilfred at vt.edu Thu Oct 3 20:23:53 2013 From: wilfred at vt.edu (Wilfred Guerin) Date: Thu, 3 Oct 2013 17:23:53 -1000 Subject: Fwd: USDOJ: Kelley Case Significant Oversight In-Reply-To: References: Message-ID: ---------- Forwarded message ---------- From: Wilfred Guerin Date: Wed, Sep 25, 2013 at 12:19 PM Subject: USDOJ: Kelley Case Significant Oversight To: peter.phipps at usdoj.gov CIV # 13-cv-825 Jill Kelley, FBI, DOD Jill Kelley's (in-law) father is Gen David Kelley (NCS, DISA) Jill Kelley's uncle is FBI Director of OIC Patrick W. Kelley Jill Kelley's uncle is Gen Zbiginew US Army Poland, responsible for CIA Rendition Torture Base Jill Kelley's cousin is FBI Deputy Director Sean Joyce (nephew of Patrick Kelley) Jill Kelley's cousin is DNI Lawyer Alex Joel (nephew of Patrick Kelley) Alex Joel's grandfather is Clarence M. Kelley, FBI Director 1970s Jill Kelley's uncle is DIA Counter-Intelligence Commander Jill Kelley's uncles [are] military [counter] intelligence training and command Jill Kelley's cousins [are] USDOJ covert intelligence and counter-intelligence Jill Kelley's cousin is DOJ/DOD Counter-Intelligence responsible for designing 9/11 (2001) Jill Kelley's cousin Logan provided aircraft flight control systems used 9/11 Gen John Allen's nephew worked on the WTC insurance policy 2001 Jill Kelley's cousin managed WTC insurance policy unit 2001 Jill Kelley's uncle is military propaganda specialist Deforest Kelley Patrick W. Kelley, FBI OIC, is responsible for protocol and compliance for FBI and all 1811s Sean Joyce brought David Petraeus issue to ODNI Clapper with first cousin Alex Joel as advised by mutual uncle Patrick W. Kelley re his niece Jill Kelley. The information you have cited in your filing is erroneous. This is indication of systemic treasonous influence. This is a short list of the 75+ identified parties involved. From mike at zelea.com Thu Oct 3 14:25:51 2013 From: mike at zelea.com (Michael Allan) Date: Thu, 3 Oct 2013 17:25:51 -0400 Subject: [liberationtech] As F.B.I. Pursued Snowden, an E-Mail Service Stood Firm Message-ID: <1380835388.ACD53ff0.17857@out.zelea.com> DALLAS — One day last May, Ladar Levison returned home to find an F.B.I. agent’s business card on his Dallas doorstep. So began a four-month tangle with law enforcement officials that would end with Mr. Levison’s shutting the business he had spent a decade building and becoming an unlikely hero of privacy advocates in their escalating battle with the government over Internet security. http://www.nytimes.com/2013/10/03/us/snowdens-e-mail-provider-discusses-pressure-from-fbi-to-disclose-data.html?pagewanted=all -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu. ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From albill at openbuddha.com Thu Oct 3 17:32:31 2013 From: albill at openbuddha.com (Al Billings) Date: Thu, 3 Oct 2013 17:32:31 -0700 Subject: Silk Road founder arrested ... In-Reply-To: <20131004002225.AB0F4DFB9@a-pb-sasl-quonix.pobox.com> References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> <1380740444.30026.18.camel@anglachel> <20131002193108.GA11783@netbook.cypherspace.org> <1380742664.5216.3.camel@anglachel> <20131004002225.AB0F4DFB9@a-pb-sasl-quonix.pobox.com> Message-ID: There is another affidavit involving informants and another murder for hire allegation that surfaced today as well. https://ia601904.us.archive.org/1/items/gov.uscourts.mdd.238311/gov.uscourts.mdd.238311.4.0.pdf -- Al Billings http://makehacklearn.org On Wednesday, October 2, 2013 at 5:38 PM, Bill Stewart wrote: > Also, somebody had said that the alleged hit on the extortionist competitor > wasn't in the indictment, just the press release; that's incorrect. > It's described in a fair bit of detail (including the Somewhere, BC police > saying that there weren't actually any dead bodies lying around), > in ways that sound almost like the extortionist and hit men were really cops; -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 3433 bytes Desc: not available URL: From mirimir at riseup.net Thu Oct 3 13:58:57 2013 From: mirimir at riseup.net (mirimir) Date: Thu, 03 Oct 2013 20:58:57 +0000 Subject: [tor-talk] Silk Road taken down by FBI Message-ID: <524DDA91.30008@riseup.net> On 10/03/2013 05:49 PM, Ahmed Hassan wrote: > One question is still remain unanswered. How did they locate > Silkroad server before locating him? > > They had full image of the server before his arrest. >From we know: > According to the court complaint document, it was the discovery of > the rossulbricht at gmail.com email address that gave investigators a > major boost in their search. > > Through records "obtained from Google", details of IP addresses - and > therefore locations - used to log into Mr Ulbricht's account focused > the search on San Francisco, specifically an internet cafe on Laguna > Street. > > Furthermore, detailed analysis of Silk Road's source code highlighted > a function that restricted who was able to log in to control the > site, locking it down to just one IP address. > > As would be expected, Dread Pirate Roberts was using a VPN - virtual > private network - to generate a "false" IP address, designed to cover > his tracks. > > However, the provider of the VPN was subpoenaed by the FBI. > > While efforts had been made by DPR to delete data, the VPN server's > records showed a user logged in from an internet cafe just 500 yards > from an address on Hickory Street, known to be the home of a close > friend of Mr Ulbricht's, and a location that had also been used to > log in to the Gmail account. > > At this point in the investigation, these clues, investigators > concluded, were enough to suggest that Mr Ulbricht and DPR - if not > the same person - were at the very least in the same location at the > same time. So they did have the server before they knew who he was. We also knew that he was sold out by his VPN provider. Hopefully, the identity of that VPN provider will come out soon. Given what I see in the complaints, I suspect that he was sold out by one of his administrators, perhaps the one (with a huge drug debt) that he tried to have killed. This is rather like Snowden, isn't it? More fundamentally, a business built around selling drugs by mail to customers' actual physical addresses was doomed. Anonymity in the physical world is much^N harder than on the Internet. > On Thu, Oct 3, 2013 at 1:26 PM, shadowOps07 > wrote: > >> No, it was a rookie fuck-up that enabled old-fashioned detective >> work. if it wasn't a fookie fuck-up, then none of this would have >> happened. >> >> >> On Thu, Oct 3, 2013 at 11:15 AM, Gordon Morehouse >> >> wrote: >> > Jonathan D. Proulx: >>>>> 2) Traditional police work still works - this should be good >>>>> news to the law and order folks that traditional methods >>>>> still work and no extensive digital survailance state is >>>>> needed. >>>>> >>>>> Note I'm only anecdotally familiar with Silk Road so no >>>>> personal opinion on wether he should be praised or flogged, I >>>>> do think in a "dear legislator please don't ban privacy" >>>>> kindof way point 2 is important. > > A trillion times, this. > > I knew Silk Road would very likely get busted by good old fashioned > police work. It was too big to not leave trails that smart, > patient, Bill-of-Rights-respecting (though that remains to be seen) > cops can pick up. > > Best, -Gordon M. > >>> -- tor-talk mailing list - tor-talk at lists.torproject.org To >>> unsusbscribe or change other settings go to >>> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk >>> >> -- tor-talk mailing list - tor-talk at lists.torproject.org To >> unsusbscribe or change other settings go to >> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk >> -- tor-talk mailing list - tor-talk at lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From juan.g71 at gmail.com Thu Oct 3 17:21:33 2013 From: juan.g71 at gmail.com (Juan Garofalo) Date: Thu, 03 Oct 2013 21:21:33 -0300 Subject: anarchy was : Silk Road founder arrested ... In-Reply-To: References: <63D2D2A962F8C4AD35FA425F@F74D39FA044AA309EAEA14B9> Message-ID: > > > > This system[voluntarism] fails in the sight of coercion by force. In fact coercion of any kind reduces the ideals i think you hold it to have. Well, of course. And your point is? > > > The other way around is not true, a system of force is not destroyed by > acting in only voluntary means. Not sure what you mean? Actually I think your sentence doesn't make any sense. > Merely by there being no opponents to > those that act forcefully. An essential proposal of government is > monopoly on violence. What governments propose is to define 'right' and 'wrong' (an absurd proposal, of course) Governments do not have the monopoly on violence. They *pretend* to have the monopoly of what they call 'legitimate' violence, according to their own baseless definition of 'legitimate' > For if there is none able to combat a singular > forceful actor force is no longer a viable means of coercion.  What? > > And other means must be used to coerce. These means are defined in that > same government. In the simplest case an oracle is used to provide right > from wrong, the king or emperor. Nowadays we see faux-democratic > organizations that, ideally, enforce the tyranny of the masses. Isn't that what your precious democracy is all about? > There's a > contest between tyranny of the masses and exploitation/corruption by > those with financial incentives or a desire for power. OK. > > > The idea that coercion can be communicated about fairly I support > strongly, it guarantees a minimum amount of power one can have. >   Again, I don't understand what you say. "coercion can be communicated"? What does that mean? > > > You know, voluntary interactions : The opposite of cheering the drug laws > of the american state. > > > > > I'm not cheering the US (drug) laws. Please try to understand. I simply > recognize the arrested man continued to live in an area where people > comply fully to US laws. What? People in the US (or in any other country) do not 'fully comply' with the dictates of 'their' governments at all. It's actually impossible to do so (there are virtually tens of thousands of 'laws' and regulations in the books). Furthermore, lots of people don't agree with, or explicitly disobey lots of state 'laws'. And some end up in jail because of doing so. > And I recognize that Americans consider their > government to have the intended functionality for else they would be > compelled to revolt against it. An exercise also guaranteed by their > constitution. Hand waving. Like I said, (and you ignored) the US was founded as a slave society. Tell me about the constitutional right of slaves to revolt? > > Part of it should feel quite provoking to Americans themselves. I hope it > is. If I were American I would be beyond disgusted by my governing and > it's systems. And I would be patriotic, defending the original values by > which the US were founded. SLAVERY. That was the original value. And it still is. > > > This all is quite unrelated to cryptography or cypherpunkism, It is obviously unrelated to cryptography. It is obviously related to anarchist political theory. Considering that 'cypherpunkism' is kinda related to anarchy, I see how the discussion might be relevant. > hich is > not in question for the law instances have not shown the ability to break > the hiding methods used. They might have applied "intelligence > laundering" but it seems they did so effectively, and thus we cannot > extrapolate from anything. >   > > > > It's the people in it that shape it. This is as much as risk as it is a > feature. From chaos men makes shapes, structures. These structures must, > by the very absence of it, reimplement what otherwise a government does. > Of course the extends and all will depend upon the people.  > > >         A government is a criminal organization that violates rights > to life liberty and property. Those criminal 'functions' of government > can't exist in  a voluntary society. > > > > > Non sequitur. > Criminal is defined precisely by government. Ah yes. And that is so, because...you asserted it? Here's news for you. "Crime" is defined by common moral sense. Government has nothing to do with the origin of concepts like "natural law" "rights to life, liberty and property" and the like. This is of course the core of the disagreement here. You're assuming that legal positivism is a valid doctrine. Too bad it isn't. > If you intend > to use it any other way you should define it. You're trying to transfer > the emotional experience of "crime" towards "government". Rights are the > very same.  Only for legal positivists. Government is the biggest violator of natural rights, thus the biggest criminal. That's a fact. Of course, if you don't care about justice, you may not feel anything about that fact, but your lack of feelings is not really the point here... And no, 'natural rights' are not the creation of government. "We hold these truths to be self-evident, that all men are created equal, that they are endowed by their Creator with certain unalienable Rights" <--- natural rights, regardless of the 'god' nonsense. "That to secure these rights, Governments are instituted among Men, deriving their just powers from the consent of the governed," See? Governments do NOT create any right. And, they are supposed to protect them, and FURTHERMORE, governments are supposed to be 'consensual'. > > > If you want to say something, say it clearly. These statements are of > exclusively emotional value, and they contain no reasons. If you wish to > express your anger you may, but do not confuse it with logic. ... Right back at you? > > > I would also propose that in fact most governments now are voluntary > societies. I would propose that you are completely out of touch with reality? Plus, notice that you are thoroughly confusing 'government' with 'society'... > However they exert force on those who choose to participate > partially, and choose for some unable to choose. These things I consider > despicable but also to some extend necessary and unavoidable. > > > As to this man, he was capable to halt his participation in the Union but > he was not willing. This argument does not apply to him.   DPR didn't sign the constitution nor the 'social contract'... > > > > If 'people' 'reimplement' what government does, then we are not talking > about anarchy. > > > > > So in anarchy there is no maintenance of dykes, no roads, no legal tender > or banks, no armies, no system of justice and no encouragement of certain > economic operations? I suggest you research the topic yourself. Are you criticizing a system which you seem pretty ignorant of? > > > Reimplement, in anarchy, just means do it. For a profit or charity in all > likelihood. I don't really see why you'd be better off with a "private > cooperation" fighting a war over a government fighting a war. You also > recreate the problems of governance in those "private co-operations". > .... > Note that any union of people for a purpose constitutes a cooperation or > business. Note that I'm talking about voluntary cooperation and respect for the natural rights of third parties. But feel free to come up with a caricature of what you think libertarian anarchy is, and 'debunk' it... > > > > > Economically I can fairly say that every function will be taken over by > the group that can do the task as financially efficient as possible. > Combining that with the historic fact that kingdoms and empires, due to > people's ignorance, are the easiest structures to conjure. And that ease > makes it have a good return. > > > Not sure what you're getting at... > > > > > Anarchy turns into monarchies for economic and humanitarian reasons. Yeah well. If you say so.... >   > > > > So. My thinking is that anarchy that remains anarchy is in fact quite > chaotic, > as no rel leaders are permitted to arise. > > >         I don't see the connection between leaders and their sheep on > one hand and 'chaos' on the other. > > > > > As soon as structures arise, be it following those that sound right, be > it financial returns, be it newspapers. Influence and ability to decide > move towards individuals. Without control not to quorums but to actual > individuals. Hard to know what you're saying... > > > If you prevent these structures from arising at all there is not even the > ability for two person interaction. If you permit these structures to a > certain level you have (a political problem with no means to deal with it > and) leaders, to the extend you permit. > > > You are making a very binary distinction between a leader and the > followers, but you must understand that one must always follow an idea. > Whatever presents the idea becomes the leader. That leader may be fair, > however, and this is what governments nowadays pretend to be. In fact, > most people do agree that the way it is done now is the best way we can. > And your "argumentum ad populum" matters, why, exactly? > "Many forms of Government have been tried and will be tried in this world > of sin and woe. No one pretends that democracy is perfect or all-wise. > Indeed, it has been said that democracy is the worst form of government > except all those other forms that have been tried from time to time." and > Churchill was certainly a leader. Okay. Now you're quoting a bit of meaningless garbage from one of the worst fascists of the 20th century. That's too much for me =P I suggest you research all the subjects that you are clearly ignorant of (like the nature of government and rights). Them you'll realize that all your criticisms so far are baseless. If you feel like re-stating your position in a short and clear paragraph or two, go ahead and I might reply. Otherwise, I see no point in further communication. >   > > > It's quite possible to have 'order' without 'leaders'. It's called > self-government. Or doing what you like and leaving your neighbor alone. > > > > > You will find that everyone becoming his own country is not a more > pleasant form of governance. Especially not when you will form unions. > > > I have speculated about that extremism. Of course it is possible to have > a "United Peoples" instead of "United Nations", where every person is > required to contributed the way the UN requires it, and every person must > enter into treaties of his/her liking. > > > Sadly it fails due to the people's ignorance. The likelihood you will > have a fruitful life, lived pleasantly, becomes lower. >   > > > > Of course it's > possible to have discussions together, to rule as a non-forcible > collective. That's a very unstable situation however. Just like chaos. > > Individuals can interact as individuals, voluntary and with no 'chaos' in > sight. I don't see why it should be 'unstable'. > > > > > Taking what I said above as the starting point, doesn't it seem likely a > large group of people will enter into a "Trade Union of Amsterdam > Constitutional Treaty" where those people may exclusively trade with each > other, lest explicitly mentioned in the treaty, and there is a committee > assigned for the justitional needs of the union, etc, etc ,etc. You > recreate government with peculiar overhead. > > > The step towards warring between people is oh so very small. It will be > legal, certainly, but some treaties may demand retribution or punishment > of the war starter. Not unlike a murdered would now be judged and charged > and punished. > > > Freedom is not served by this system. Neither is wealth or comfort. > > > Now, you can say of course that that's not supposed to happen. Or that > that would make it "not anarchy" anymore. But the truth is then that it > is easy to become "not anarchy" and hard to stay anarchy. > > > That's what I mean with "That's a very unstable situation". > From codesinchaos at gmail.com Thu Oct 3 12:24:09 2013 From: codesinchaos at gmail.com (CodesInChaos) Date: Thu, 3 Oct 2013 21:24:09 +0200 Subject: Pen register request used to force disclosure of SSL private keys - LavaBit hearings In-Reply-To: References: <78F290E1-A5ED-4B63-A089-D22FD9E78576@obscura.com> Message-ID: > This, in my opinion, can make all US encryption, even US-based > certificate authorities really untrustworthy. What is to stop them from > getting GoDaddy to give up their root certificates with a NSL and a > small legal justification? We need to catch a CA which does this, for example using Certificate Transparency. Then handing over the CA private key is equivalent to committing company suicide. This means that 1. CAs will fight with all they've got 2. If corruption is successful, eliminates US CAs one by one until there are none left to compel. > some have suggested a rule #5: don't distribute updates automatically > to your users and don't implement security critical functions in code > that is delivered to the client via the server. I don't think disabling auto-update is a good idea. What we need is secure auto update. This involves: 1) requiring multiple signatures on the update by people in different jurisdictions 2) Reproducible builds 3) A Certificate Transparency like log of all updates. I believe TOR is doing some work on points 1) and 2). -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1749 bytes Desc: not available URL: From tedks at riseup.net Thu Oct 3 18:53:48 2013 From: tedks at riseup.net (Ted Smith) Date: Thu, 03 Oct 2013 21:53:48 -0400 Subject: Silk Road founder arrested ... In-Reply-To: <20131004002225.AB0F4DFB9@a-pb-sasl-quonix.pobox.com> References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> <1380740444.30026.18.camel@anglachel> <20131002193108.GA11783@netbook.cypherspace.org> <1380742664.5216.3.camel@anglachel> <20131004002225.AB0F4DFB9@a-pb-sasl-quonix.pobox.com> Message-ID: <1380851628.31392.18.camel@anglachel> On Wed, 2013-10-02 at 17:38 -0700, Bill Stewart wrote: > It's described in a fair bit of detail (including the Somewhere, BC > police > saying that there weren't actually any dead bodies lying around), > in ways that sound almost like the extortionist and hit men were > really cops; The hitmen were the extortionists. This is roughly how the exchange went according to the FBI complaint out of NY: * extortionist: Give me 500k. * DPR: Why? * E: I owe people money. * DPR: Put them on the line. * People to whom the extortionist owes money (TOTALLY NOT THE EXTORTIONIST'S OTHER EMAIL ADDRESS NO WAY THATS CRAZY TALK): Hello. * DPR: Kill the extortionist. * D: That'll be 150k. * DPR: I've had people killed for 80k. But sure. * D: Okay, transfer bitcoins to this address. * DPR: Here you are. * D: Have a nice day! The point of the "murder solicitation" is for DPR to indicate that he's willing and able to have people whacked if they piss him off too much. Then the extortionist and DPR both get to solve their mutual problems without losing face. -- Sent from Ubuntu -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part URL: From adam at cypherspace.org Thu Oct 3 12:57:47 2013 From: adam at cypherspace.org (Adam Back) Date: Thu, 3 Oct 2013 21:57:47 +0200 Subject: Pen register request used to force disclosure of SSL private keys - LavaBit hearings In-Reply-To: References: <78F290E1-A5ED-4B63-A089-D22FD9E78576@obscura.com> Message-ID: <20131003195747.GA16123@netbook.cypherspace.org> [Man there's a lot of names from the old days on this list. Good to hear from you Lance :-] I think the take-away from this issue is CAs should issue certifictes on keys used for signing only. Say its a DSA, or ECDSA which is a damn good choice because it is not even directly possible to encrypt with it (*), and the key usage will be marked sign only, so there is no argument about its purpose. Then we disable any non-forward-secret ciphersuites (and forward secret ciphersuites are not coincidentally the only ciphersuites that work with a signing only server key). Then the only plausible reason to demand the signing key is to perform a MITM not to access "encrypted data". Firstly MITM is more work, and secondly theyd at that point just as well play nicely and ask the operator with a subpoena to hand over some info inside the SSL stream if there's anything useful in there. In some countries there are explicit legal protections for signature only keys. At best they subpoena could ask the operator to record the session keys via the SSL web server, however that feature is not present as far as I know. I also think the weak point with lavabit was probably the in-mail and out-mail, as with silentcircle, and I presume the reason silent circle disabled email (though they could have secured internal sc-sc mail using eg the same end2end secure messaging architcture they use for messaging). A further weak point of lavabit as I understand it is it was actually taking the password to the server!! So the user private key was in the server ram temporarily. Which is complete misdesign and makes you start to question Snowden's crypto tradecraft which up to that point was looking pretty damn strong from the news reports. Anyway signature only keys and forward-secrecy FTW already. About software updates, I think we've reached the point of multiple independent public interest code review bodies with signing authority together with the software vendor. The other thing with opensource it can be forked if the main vendor goes wrong or is coerced. You see this kind of reasoning with bitcoin foundation etc as its probably the highest open software assurance level on the planet protecting > $1bn in bearer bitcoin value :) The only possible exception to the coerced code change might be the hushmail thing thogh I am kind of fuzzy about what exactly did happen. There were two versions, one like lavabit (server has key temporarily) and one real end2end as I recall and one version of the story is it was the non-end2end one that got the user info info subpoenaed. Adam (*) Yes yes I know you could abuse DSA public key for another discrete encryption log algorithm, however such practice is considered risky to reuse an asymmetric key for two different algorithms in case there is a way to use one as an oracle to attack the other. On Thu, Oct 03, 2013 at 11:57:22AM -0700, coderman wrote: >On Thu, Oct 3, 2013 at 9:30 AM, Lance Cottrell wrote: >> When architecting a system, it is critical that the operator of the system >> should not have access to the keys at all... >> ... >> Rule #1 don't store clear text. >> Rule #2 don't store decryption keys >> Rule #3 don't do decryption on the server >> Rule #4 treat all communications with people not implementing security on >> THEIR computers as insecure > >some have suggested a rule #5: don't distribute updates automatically >to your users and don't implement security critical functions in code >that is delivered to the client via the server. > >i have yet to see a definitive case of a US company forced to include >a backdoor in their software or forced to use their software update >channel to deliver a CALEA/intercept friendly version of code to the >targeted customer. to date all of these requests appear to be off the >record rather than enforced via judicial motion. > >this is a shame, since out of date software itself poses significant >risk, and is best resolved via automatic updates from the vendor. From electromagnetize at gmail.com Thu Oct 3 20:06:55 2013 From: electromagnetize at gmail.com (brian carroll) Date: Thu, 3 Oct 2013 22:06:55 -0500 Subject: cypherpunks Digest, Vol 4, Issue 9 In-Reply-To: References: Message-ID: Softy wrote: was that eight pages of fun reading rambling just to end with ... "because > crypto is in too many mathematical dimensions to model in origami, or any > other Earthly physical medium" ... or did I miss a crucial middle paragraph? > // i forgot the disclaimer again, that my role here is that of the fool... i do not understand how the crypto algorithms such as AES actually encrypt information- to what degree 'too many mathematical dimensions to model' indicates that there is some elaborate movement of data in intricate ways inside some computational matrix, perhaps like a menger sponge, though involving multiple approaches to placing data within some structure that is established and created, managed and then stores and accesses the data again via decryption a visualization of various crypto approaches to the degree they exist as a series of computational moves, for encrypting and decrypting data, would be helpful to understand beyond 2D linear graphs and data sets for instance, is everything occurring in a 2D data space or 3D, of x,y,z coordinates such as the sponge above, and would multiple algorithms be involved in establishing an occupiable realm for the data, or is it all put into one equation what the SRF (strange read/reply function) introduces is the possibility that such non-computational approaches such as origami, may not be available or accessible if solely generating encryption approaches based on mathematical structures themselves, such that a rationalization for intricate folding may have no inherent purpose or may appear arbitrary unless it was a strategic decision... it would seem unlikely to be developed into crypto equations within a math-only framework in that it would need to be rationalized without understanding its value- like doing something for no reason in other words how could origami crypto 'evolve' out of a mathematical approach that is contained with a computer firstly, and friction-free in terms of the mathematics that could be applied within that domain, primarily and so taking the assumption further, the fractal menger sponge in an origami approach, it could potentially be folded dozens of times in various ways and effect various scales and structural connections, as a way of coordinating data placement via algorithms, seemingly yet the limit would seem to be perspective of the situation, because origami could be N-dimensional, folded into non-existent space and doing this across a class of nested multidimensional objects, including potentially a form of computation or calculation based on overlapping structures, symbols, whatnot, as a way of reading or deciphering or aligning data events here is what i do not get: why focus entirely upon known mathematical constructs from within a mathematical boundary that are standardized into a cryptographic approach. is this not somewhat like doing the expected, in terms of 'how things work'. whereas if modeling and questioning crypto ideas outside the limits of the computer as medium (determiner of approach and its rationalization even), what if approaches exist which have no known mathematical category they operate within and thus remain a mystery, and there are dozens or thousands of such approaches like each become equivalent to crypto characters and character sets, that like an alphabet can be arranged infinitely into different "equations", so you could use [ciphers] & [origami] & [bit sets] & [fractals] & [n-dimensions] & [symbols] & [mathesis] together, each having potentially thousands of unique approaches, and that together this establishes an "encryption algorithm", perhaps one-time or changes with hashes and thus 3,020 folds, 20 character bit set, double-inverted mirrored fractals, one-time symbol array data placement, and key-accessible decryption via mathesis. what if such /computation/ is not even modeled within a computer to /analyse/ such a situation and instead it begins outside-the-lines by default, in the realm of infinitely possible structuring rather than knowing elliptical curves are used, therefore... i tend to think that the data space for crypto algorithms is rigidly defined within known mathematical constructs by default of standardized approaches. yet what about equations that do not exist or map to any known preexisting order, potentially it is the larger trouble with signs and variables, which the post you refer to inadequately attempted to address, in that the image of a thing becomes confused with what it references, in terms of language (and mathematical variables). subjective A=B situations whereby a variable {x} no longer refers to another event (over here...) and instead 'the image of the sign' replaces it, via substitution, in certain ungrounded conditions when truth is mediated in the signs and not beyond them what this suggests is that the crypto algorithms inside the electronic box or computer may be deterministic, a rationalization whereby the equations themselves function as if the larger truth instead of referencing something beyond the variables used, which can be assumed 'true' by default of their being used (the sign or image of their use, equals the thing referenced which is then detached from the evaluation). in other words the [sign] of crypto stands in for [crypto] itself, as if the same thing, and then the [sign] begins to determine the parameters for its development, and not a larger truth, which instead is limited by this narrowing and bounded interpretation-- such that origami may only be considered from an applied mathematical framework within an already existing encryption approach, versus independent and prior to this, outside of it, with vastly more to offer than a limited placement in a linear equationspace, if conceived or limited that way, as if only about compression, say, and not data nesting in n-dimensional arrays as if interdimensional conduit that could provide egress, circulation for code, and doorways and portals for keys and zoned relations and yet there could be tens of thousands of such innovations, if considered outside the computer framework-- it is an issue of imagination and probabilities and then, like making an ancient necklace out of stone beads, lining up a sequence or a matrix that becomes the basis for computation, perhaps some of it blackbox, some of it not, yet [infinity] x [infinity] ... [k] by default. it sounds like there is no way that n-dimensional origami crypto is going to naturally develop within an RSA or AES context just given the way these are discussed, the parameters, unless there are internal mysteries that involve such dimensions that go undocumented and so perhaps it is just not understanding the technical language that keeps a barrier between such lay observation and understanding of what is actually going on- as the cryptography being the fool, i admit i have not done my homework as conceptually it is unclear to me upon multiple attempts and views, that it is so technically laden an approach, or what is evaluated is so constrained to certain parameters, that it appears to perhaps involve a single equation that handles multiple functions, as if a Google Search algorithm, versus say dozens of algorithms chained together that may do more as described in the alternate version proposed above yet sharing that model does not necessarily compromise anything because it is variable, whereas it is unknown if sharing the inner workings of various standards would make them less secure, to evaluate the algorithms, which seems again a bounded process of 'review' over years, where inputs and outputs are correlated in terms of crackable structures-- yet what creates these numbers and schemes appears off-limits itself, behind a shroud of not mistaken, as part of the technical approach, and so apparently mystery is built-into the process, if not "unknowing" or trust and faith the standard, which to me is bizarre this because mathematics can be subjective, the variables as computational entities (x->x') can themselves be manipulated as signs, such that an ungrounded variable (x) can in its inaccuracy actually be another variable (y) and thus if this is not checked and error corrected, can lead elsewhere (y->y'), such that the sign of x leads to y'. because [x] becomes iconic, an image assumed true by its existing as a variable, not auditing the data model to whatever it being input or related to as x. this is why a discipline like economics is so backwards, taking concepts like [work] and [income] and [profit] and [society] and making them fuzzy, attaching numbers to them, and making computations as if A=A objecting, when instead subverted and moving this from A=>B', via the illusion that [B] is actually [A], due to its relation as an identified pattern match, (yet pT.) aesthetics are a huge part of mathematics and 'natural number' in nature, especially as it relates to geometry and symbolism. to omit this knowledge within crypto is to have a too narrow or bounded interpretation that determines false-limits and bases computation upon already-existing knowable structures, perhaps as if the very purpose if for binary network supercomputers to automatically break the codes. at least it would explain the existing approach in terms of who it actually benefits most. correction on post referenced: did not realize Olek and knitting crew create panels of works or sections prior to visiting sites, which is the only sane explanation for how large scale works are possible, so parallels installation of Christo et Jeanne-Claude; also, artwork Running Fence was mistakenly mentioned as inside/outside boundary, versus here/there or others Emergen-C, Açaí-Berry, Super Orange -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 10762 bytes Desc: not available URL: From pgut001 at cs.auckland.ac.nz Thu Oct 3 03:18:37 2013 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Thu, 03 Oct 2013 23:18:37 +1300 Subject: USB Block Erupters as RNG sources? In-Reply-To: <524D3C52.5070409@comcast.net> Message-ID: d.nix writes: >Curious; anyone know much about what these inexpensive (comparatively, price >seems steadily falling) ASIC Block Erupter USB Bitcoin miners can be adapted >to doing? Could they be repurposed as RNG sources? "Very little", and "no". They're basically custom Bitcoin-mining ASICs, I looked at one a while back for use in password-cracking and they're really not suited for it at all, you load a vector in and say "go" but since they're quite I/O-limited you can't easily adapt them for hash-breaking. As for RNG use, they're entirely deterministic, how would you use them as an RNG source? Peter. From a at AaronLux.com Thu Oct 3 21:50:40 2013 From: a at AaronLux.com (Aaron Lux) Date: Thu, 03 Oct 2013 23:50:40 -0500 Subject: [guardian-dev] How To Generate SSL keys without Backdoor Message-ID: <524E4920.7040007@AaronLux.com> How to generate SSL keys which cannot be compromised. (Courtesy of FBI): > ATTACHMENT B > Lavabit uses 2048?bit Secure Socket Layer (SSL) certificates purchased from GoDaddy to > encrypt communication bet".Veen users and its server. SSL encryption employs public-key > cryptography, in which both the sender and receiver each have two mathematically linked keys: a > "public" key and a "private" key. "Public" keys arc published, but "private" keys are not. In this > circumstance, a Lavabit customer uses Lavabit's published public key to initiate an encrypted > email session with Lavabit over the internet. Lavabit's servers then decrypt this traffic using their > private key. The only way to decrypt this traffic is through the usage of this private key. A SSL > certificate is another name for a published public key. > To obtain a SSL certificate from GoOaddy, a user needs to firs! generate a 2048-bil > private key on hislher computer. Depending on the operating system and web server used, there > are mUltiple ways to generate a private key. One of the more popular methods is to use a freely > available command-line tool called OpenSSL. This generation also creates a certificate signing > request file. The user sends this file to the SSL generation authority (e.g. GoOaddy) and > OoOaddy then sends back the SSL certifi cate. The private key is not sent to GoDaddy and > should be retained by the user. This private key is sto red on the user's web server to permit > decryption of internet traffic, as described above. The FBI's collection system that will be > installed to implement the PRiTT also requires the private key to be stored to decrypt Lavabit > email and internet traffic. This decrypted traffic will then be filtered for the target email address > specified in the PRlTI order. > Depending on how exactly the private key was first generated by the user, it itself may be > encrypted and protected by a password supplied by the user. This additional level of security is > useful if, for example, a backup copy of the private key is stored on a CD. Ifthal CD v.'8S lost or > stolen, the private key would not be compromised because a password would be required to > access it. However, the user that generated the private key would have supplied it at generation > time and would thus have knowledge of it. The OpenSSL tool described above is capable of > decrypting encrypted private keys and converting the keys to a non-encrypted format with a > simple, well -documented command. The FBI's collection system and most web servcrs requ ires > the key to be stored in a non-encrypted format. > > A 2048-bit key is composed of 512 characters. The standard practice of exchanging > private SSL keys between entities is to use some electronic medium (e.g., CD or secure internet > exchange). SSL keys are rarely, if ever, exchanged verbally or through print medium due to their > long length and possibil ity of human error. Mr. Levison has previously stated that Lavabit > actually uses five separate public/private key pairs, one for each type of mail protocol used by > Lavabit. > PEM format is an industry-standard file format for digitally representing SSL keys. PEM > files can easily be created using the OpenSSL tool described above. The preferred medium for > receiving these keys would be on a CO. _______________________________________________ Guardian-dev mailing list Post: Guardian-dev at lists.mayfirst.org List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev To Unsubscribe Send email to: Guardian-dev-unsubscribe at lists.mayfirst.org Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/eugen%40leitl.org You are subscribed as: eugen at leitl.org ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From adi at hexapodia.org Fri Oct 4 01:16:52 2013 From: adi at hexapodia.org (Andy Isaacson) Date: Fri, 4 Oct 2013 01:16:52 -0700 Subject: Silk Road founder arrested ... In-Reply-To: <20131004002225.AB0F4DFB9@a-pb-sasl-quonix.pobox.com> References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> <1380740444.30026.18.camel@anglachel> <20131002193108.GA11783@netbook.cypherspace.org> <1380742664.5216.3.camel@anglachel> <20131004002225.AB0F4DFB9@a-pb-sasl-quonix.pobox.com> Message-ID: <20131004081652.GK15039@hexapodia.org> On Wed, Oct 02, 2013 at 05:38:36PM -0700, Bill Stewart wrote: > At 12:37 PM 10/2/2013, Ted Smith wrote: > >The "slip" in this case is that the services were hacked. > >Tor (neither TOR, nor ToR) wasn't compromised. > > A surprising number of things *were* compromised, > not even counting the known FBI malware attacks on the Tor network. The FBI malware didn't attack the Tor network, it just caused vulnerable endpoints to connect (outside of Tor) to a tattle-tale network server. > If you read the indictment, there are a lot of email messages Not email, but rather, private messages on the Silk Road platform. Which apparently stored more or less all messages, forever. -andy From joan.daemen at st.com Fri Oct 4 02:08:07 2013 From: joan.daemen at st.com (Joan DAEMEN) Date: Fri, 4 Oct 2013 05:08:07 -0400 Subject: On 128-bit security Message-ID: Hello all, Zooko wrote: > I personally do not believe that there is any secret > agenda behind this proposal, even though I believe that > there was a secret agenda behind Dual EC DRBG. > > One reason that I believe that the motivation behind > this proposal is the stated motivation of improving > performance, is that Joan Daemen told me in person in > January of 2013 that the Keccak team had considered > defining a reduced Keccak to compete with BLAKE2, but > had decided against it because they didn't want to > disrupt the SHA-3 standardization process. > > Apparently they changed their minds, and apparently > their fears of disruption turned out to be prescient! Yes, Zooko and I met at the end-of-Ecrypt II event on Tenerife early 2013 (24° C in January!). I don't remember our conversation in detail, but I I'm sure Zooko is citing me correctly because that is what we were thinking about at the time. Actually, what we had in mind was to propose something like "Keccak2" to compete with BLAKE2 by drastically cutting the number of rounds, e.g., down to 12 rounds for Keccak-f[1600], but otherwise keeping the algorithm as it is. That might have sent the wrong message indeed, but we just didn't do it. In contrast, the capacity is an integral parameter of the Keccak family that we even proposed as user-tunable in our SHA-3 submission. Matching the capacity to the security strength levels of [NIST SP 800-57] is simply exploiting that flexibility. Kind regards, Joan, also on behalf of my Keccak companions ------- Regards, Zooko Wilcox-O'Hearn Founder, CEO, and Customer Support Rep https://LeastAuthority.com Freedom matters. _______________________________________________ The cryptography mailing list cryptography at metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From coderman at gmail.com Fri Oct 4 06:15:30 2013 From: coderman at gmail.com (coderman) Date: Fri, 4 Oct 2013 06:15:30 -0700 Subject: how to use Tor securely (Re: Silk Road founder arrested ...) In-Reply-To: <20131004090126.GA2045@netbook.cypherspace.org> References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> <1380740444.30026.18.camel@anglachel> <20131002193108.GA11783@netbook.cypherspace.org> <1380742664.5216.3.camel@anglachel> <20131004002225.AB0F4DFB9@a-pb-sasl-quonix.pobox.com> <20131004081652.GK15039@hexapodia.org> <20131004090126.GA2045@netbook.cypherspace.org> Message-ID: On Fri, Oct 4, 2013 at 2:01 AM, Adam Back wrote: >... For my taste the Tor connection > and code and physical device identifiers (physical MAC addr, HD serial etc) > should be OUTSIDE of a VM and all client software should be inside the VM. a better approach is putting them all in constrained guest virtual machine instances. i'm fond of Qubes for this purpose, although there is much ongoing discussion around the best configuration. even better make your Anonymous Tor Browser VM disposable, and frequently re-instantiated. then when your rich attack surface browser gets pwned you've significantly limited the duration and scope of impact. check out: http://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html https://www.whonix.org/wiki/Comparison_with_Others https://groups.google.com/forum/#!forum/qubes-devel From sandyinchina at gmail.com Fri Oct 4 03:33:03 2013 From: sandyinchina at gmail.com (Sandy Harris) Date: Fri, 4 Oct 2013 06:33:03 -0400 Subject: [Freedombox-discuss] Indie web Message-ID: On Fri, Aug 16, 2013 at 3:37 AM, Rob van der Hoeven wrote: >> I've been looking for projects comparable to freedombox .... > > Another FreedomBox-like project is arkOS > > https://arkos.io/ > > Runs on the Raspberry Pi, looks very promising! > Here are some remarks the author of arkOS made about the differences > between his project and the FreedomBox: > > https://arkos.io/2013/04/differences-between-arkos-and-freedombox/ Discussed on Slashdot today: http://www.techworld.com.au/article/528273/arkos_building_anti-cloud_raspberry_pi_/ _______________________________________________ Freedombox-discuss mailing list Freedombox-discuss at lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From gwen at cypherpunks.to Fri Oct 4 08:36:47 2013 From: gwen at cypherpunks.to (gwen hastings) Date: Fri, 04 Oct 2013 08:36:47 -0700 Subject: Use a low cost or free SSL provider(read no legal warchest) VIOLATED! Message-ID: <524EE08F.7000009@cypherpunks.to> So for those of us using the Lower cost tier of SSL cert provider(s) are definitely hosed at this point(but I figured the NSA had an intermediate CA in the browser chain someplace,and this is getting to be an old story and with that Intermediate CA allowed to sign wildcard and same name certs(in fact with the intermediate CA cert in possession this can be done on the fly with certain equipment) even private keys correctly handled(locally generated) fall in the face of this kind of attack. Now of course I am wondering for folks who knew this and then used the onsite generator for private key gen as opposed to locally generated keya via openssl simply had the private key copied off to NSA under the authority of an NSL.(and given the above scenarios of a MITM cert generating Intermediate CA does it even matter which way you get fucked?). startssl and cheapssl both being US based means a LOT of folks and FUCKED.. firefox has a browser plugin to detect changes in the server cert BUT if all looks plausible MOST of us will click right on through(the SSL infrastructure and governance being hopelessly broken from any rational point of view...) gwen -- Governments are instituted among men, deriving their just powers from the consent of the governed, that whenever any form of government becomes destructive of these ends, it is the right of the people to alter or abolish it, and to institute new government, laying its foundation on such principles, and organizing its powers in such form, as to them shall seem most likely to effect their safety and happiness.’ From jamesd at echeque.com Thu Oct 3 15:39:08 2013 From: jamesd at echeque.com (James A. Donald) Date: Fri, 04 Oct 2013 08:39:08 +1000 Subject: [cryptography] A question about public keys Message-ID: <524DF20C.7090809@echeque.com> On 2013-10-04 03:45, Adam Back wrote: > Is it just me or could we better replace NIST by DJB ? ;) He can > do that EC > crypto, and do constant time coding (nacl), and non-hackable mail servers > (qmail), and worst-time databases (cdb). Most people in the world > look like > rank amateurs or no-real-programming understanding niche-bound math geeks > compared to DJB! Committees are at best inherently more stupid than their most stupid member, and are at worst also inclined to evil and madness. Linux was success because Linus is unelected president for life. Let us have Jon Callas as unelected president for life of symmetric cryptography, Bernstein as God King of public key cryptography. Recall the long succession of Wifi debacles. Has any committee ever done anything good in cryptography? IEEE 802.11 was stupid. If NIST was not stupid, it was because evil was calling the shots behind the scenes, overruling the stupid. _______________________________________________ cryptography mailing list cryptography at randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From jamesd at echeque.com Thu Oct 3 17:30:11 2013 From: jamesd at echeque.com (James A. Donald) Date: Fri, 04 Oct 2013 10:30:11 +1000 Subject: anarchy was : Silk Road founder arrested ... In-Reply-To: References: <63D2D2A962F8C4AD35FA425F@F74D39FA044AA309EAEA14B9> Message-ID: <524E0C13.2000702@echeque.com> On 2013-10-03 22:48, Lodewijk andré de la porte wrote: > 2013/10/3 Juan Garofalo > > > --On Thursday, October 03, 2013 1:12 AM +0200 Lodewijk andré de la > porte > wrote: > > 2013/10/2 Juan Garofalo > > I think you need to research the ABC of political theory > before saying > anything about anarchy. Your belief that anarchy is chaos is > as unfounded > as it is laughable. > > Anarchy as a word does not mean a thing. > > > Right, it doesn't mean one thing, it means *two* different and > mutually exclusive things. It is vulgarly used to mean 'chaos', > and it's used by advocates of voluntary interactions to describe a > social system based on voluntary interactions. > > > This system fails in the sight of coercion by force. In fact coercion > of any kind reduces the ideals /i think /you hold it to have. Anarcho capitalism, anarcho piratism, and feudalism are related systems. Any actually existent system tends to have elements of all three. Saga period iceland was primarily anarcho capitalist in icelanders relationships with each other, and primarily anarcho piratist in their relations with distant peoples. They abducted a whole lot of women from Ireland. Feudalism with a King who is merely first among equals is anarcho capitalism in which those privileged to use force have established a cartel and local monopolies, but not a general monopoly. Anarcho piratism is anarcho capitalism where the number of people who are out of law with each other is alarmingly large. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 3139 bytes Desc: not available URL: From tedks at riseup.net Fri Oct 4 07:51:59 2013 From: tedks at riseup.net (Ted Smith) Date: Fri, 04 Oct 2013 10:51:59 -0400 Subject: cypherpunks Digest, Vol 4, Issue 9 In-Reply-To: References: Message-ID: <1380898319.17441.0.camel@anglachel> I now believe this is a programmatically constructed text. ...which is pretty cypherpunk, have to say. Big up. On Thu, 2013-10-03 at 22:06 -0500, brian carroll wrote: > correction on post referenced: did not realize Olek and knitting crew > create panels of works or sections prior to visiting sites, which is > the only sane explanation for how large scale works are possible, so > parallels installation of Christo et Jeanne-Claude; also, artwork > Running Fence was mistakenly mentioned as inside/outside boundary, > versus here/there or others -- Sent from Ubuntu -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part URL: From adam at cypherspace.org Fri Oct 4 02:01:27 2013 From: adam at cypherspace.org (Adam Back) Date: Fri, 4 Oct 2013 11:01:27 +0200 Subject: how to use Tor securely (Re: Silk Road founder arrested ...) In-Reply-To: <20131004081652.GK15039@hexapodia.org> References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> <1380740444.30026.18.camel@anglachel> <20131002193108.GA11783@netbook.cypherspace.org> <1380742664.5216.3.camel@anglachel> <20131004002225.AB0F4DFB9@a-pb-sasl-quonix.pobox.com> <20131004081652.GK15039@hexapodia.org> Message-ID: <20131004090126.GA2045@netbook.cypherspace.org> But the jscript malware was installed via remote compromise onto the Tor hidden web server. Being behind Tor does not particularly add any protection to your server, in terms of remote hacking. Probably static content is safer in general even if it doesnt make flashy cursor hover boxes and client-side form pre-validation. Ie instal and turn on noscript - 99% of jscript is of no particular use other than making your browser blink and show animated ads ;) Ideally you need Tor to be in a routing box, not your computer so that there is no way for your computer to connect to the non Tor network, so your computer doesnt even know its physical IP and has no power to disclose it. Or simulate that setup in software you need Tor on the main machine, and a VM that has access to and knowledge only of Tor network for connectivity. Do not put ANY identifying information inside the vm. That rules out vmware because they leak in your disk serial number as a result of a microsoft law suit. (Microsoft accused them of making it easy for people to share windows serial numbers, because the "is this the same machine" calculation based on various HW serial numbers always comes up with the same answer in a virtual machine at that level.) Similarly the VM must not know your physical network card MAC addresses etc. Thats the way to do it properly on the client side. There are Tor focused distros that let you boot into Tor only OS. For my taste the Tor connection and code and physical device identifiers (physical MAC addr, HD serial etc) should be OUTSIDE of a VM and all client software should be inside the VM. The VM should be open so you know they are not leaking physical MAC addr/serial into the the client in the name of copy-protection. (It was microsoft's fault, not vmware). Adam On Fri, Oct 04, 2013 at 01:16:52AM -0700, Andy Isaacson wrote: >On Wed, Oct 02, 2013 at 05:38:36PM -0700, Bill Stewart wrote: >> At 12:37 PM 10/2/2013, Ted Smith wrote: >> >The "slip" in this case is that the services were hacked. >> >Tor (neither TOR, nor ToR) wasn't compromised. >> >> A surprising number of things *were* compromised, >> not even counting the known FBI malware attacks on the Tor network. > >The FBI malware didn't attack the Tor network, it just caused vulnerable >endpoints to connect (outside of Tor) to a tattle-tale network server. > >> If you read the indictment, there are a lot of email messages > >Not email, but rather, private messages on the Silk Road platform. >Which apparently stored more or less all messages, forever. > >-andy From lee at guardianproject.info Fri Oct 4 08:12:55 2013 From: lee at guardianproject.info (Lee Azzarello) Date: Fri, 4 Oct 2013 11:12:55 -0400 Subject: cypherpunks Digest, Vol 4, Issue 9 In-Reply-To: <1380898319.17441.0.camel@anglachel> References: <1380898319.17441.0.camel@anglachel> Message-ID: +1. Mr. Carroll's nonsensical wordsmithing has been awesome from day one. Big ups indeed. Reminds me of the good old days of the complaint letter generator. For those who don't know: http://www.pakin.org/complaint?title=Pres.&firstname=Barack&middlename=H&lastname=Obama&suffix=&gender=m&shorttype=t&pgraphs=5 -lee On Fri, Oct 4, 2013 at 10:51 AM, Ted Smith wrote: > I now believe this is a programmatically constructed text. > > ...which is pretty cypherpunk, have to say. Big up. > > On Thu, 2013-10-03 at 22:06 -0500, brian carroll wrote: >> correction on post referenced: did not realize Olek and knitting crew >> create panels of works or sections prior to visiting sites, which is >> the only sane explanation for how large scale works are possible, so >> parallels installation of Christo et Jeanne-Claude; also, artwork >> Running Fence was mistakenly mentioned as inside/outside boundary, >> versus here/there or others > > -- > Sent from Ubuntu From patrice at xs4all.nl Fri Oct 4 02:19:11 2013 From: patrice at xs4all.nl (Patrice Riemens) Date: Fri, 4 Oct 2013 11:19:11 +0200 Subject: John Lanchester on the Snowden files (Guardian) Message-ID: original to: http://www.theguardian.com/world/2013/oct/03/edward-snowden-files-john-lanchester The Snowden files: why the British public should be worried about GCHQ When the Guardian offered John Lanchester access to the GCHQ files, the journalist and novelist was initially unconvinced. But what the papers told him was alarming: that Britain is sliding towards an entirely new kind of surveillance society John Lanchester The Guardian, Thursday 3 October 2013 In August, the editor of the Guardian rang me up and asked if I would spend a week in New York, reading the GCHQ files whose UK copy the Guardian was forced to destroy. His suggestion was that it might be worthwhile to look at the material not from a perspective of making news but from that of a novelist with an interest in the way we live now. I took Alan Rusbridger up on his invitation, after an initial reluctance that was based on two main reasons. The first of them was that I don't share the instinctive sense felt by many on the left that it is always wrong for states to have secrets. I'd put it more strongly than that: democratic states need spies. (...) (Read on on the Guardian site, as the illustrations are essential for comprehension) # distributed via : no commercial use without permission # is a moderated mailing list for net criticism, # collaborative text filtering and cultural politics of the nets # more info: http://mx.kein.org/mailman/listinfo/nettime-l # archive: http://www.nettime.org contact: nettime at kein.org ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From arma at mit.edu Fri Oct 4 08:38:10 2013 From: arma at mit.edu (Roger Dingledine) Date: Fri, 4 Oct 2013 11:38:10 -0400 Subject: [tor-talk] Guardian Tor article Message-ID: <20131004153810.GR31806@moria.seul.org> Just to start off the new media frenzy thread. http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity http://www.theguardian.com/world/interactive/2013/oct/04/tor-high-secure-internet-anonymity http://www.theguardian.com/world/interactive/2013/oct/04/egotistical-giraffe-nsa-tor-document http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document (Did I miss any good links?) Enjoy, --Roger -- tor-talk mailing list - tor-talk at lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From eugen at leitl.org Fri Oct 4 02:46:27 2013 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 4 Oct 2013 11:46:27 +0200 Subject: A CEO who resisted NSA spying is out of prison. Message-ID: <20131004094627.GF10405@leitl.org> ----- Forwarded message from nettime's avid reader ----- Date: Fri, 4 Oct 2013 10:58:36 +0200 From: nettime's avid reader To: nettime-l at kein.org Subject: A CEO who resisted NSA spying is out of prison. Reply-To: a moderated mailing list for net criticism A CEO who resisted NSA spying is out of prison. And he feels ‘vindicated’ by Snowden leaks. http://www.washingtonpost.com/blogs/the-switch/wp/2013/09/30/a-ceo-who-resisted-nsa-spying-is-out-of-prison-and-he-feels-vindicated-by-snowden-leaks/ By Andrea Peterson, Published: September 30 at 12:07 pmE-mail the writer Both Edward Snowden and Joseph Nacchio revealed details about some of the things that go on at NSA headquarters in Fort Meade. (REUTERS/NSA/Handout) Both Edward Snowden and Joseph Nacchio revealed details about some of the things that go on at NSA headquarters in Fort Meade. (NSA/Reuters) Just one major telecommunications company refused to participate in a legally dubious NSA surveillance program in 2001. A few years later, its CEO was indicted by federal prosecutors. He was convicted, served four and a half years of his sentence and was released this month. Prosecutors claim Qwest CEO Joseph Nacchio was guilty of insider trading, and that his prosecution had nothing to do with his refusal to allow spying on his customers without the permission of the Foreign Intelligence Surveillance Court. But to this day, Nacchio insists that his prosecution was retaliation for refusing to break the law on the NSA's behalf. After his release from custody Sept. 20, Nacchio told the Wall Street Journal that he feels "vindicated" by the content of the leaks that show that the agency was collecting American's phone records. Nacchio was convicted of selling of Qwest stock in early 2001, not long before the company hit financial troubles. However, he claimed in court documents that he was optimistic about the firm's ability to win classified government contracts — something they'd succeeded at in the past. And according to his timeline, in February 2001 — some six months before the Sept. 11 terrorist attacks — he was approached by the NSA and asked to spy on customers during a meeting he thought was about a different contract. He reportedly refused because his lawyers believed such an action would be illegal and the NSA wouldn't go through the FISA Court. And then, he says, unrelated government contracts started to disappear. His narrative matches with the warrantless surveillance program reported by USA Today in 2006 which noted Qwest as the lone holdout from the program, hounded by the agency with hints that their refusal "might affect its ability to get future classified work with the government." But Nacchio was prevented from bringing up any of this defense during his jury trial — the evidence needed to support it was deemed classified and the judge in his case refused his requests to use it. And he still believes his prosecution was retaliatory for refusing the NSA requests for bulk access to customers' phone records. Some other observers share that opinion, and it seems consistent with evidence that has been made public, including some of the redacted court filings unsealed after his conviction. The NSA declined to comment on Nacchio, referring inquiries to the Department of Justice. The Department of Justice did not respond to The Post's request for comment. Snowden leaked documents about NSA spying programs to the public and arguably broke the law in doing so. In contrast, Nacchio seems to have done what was in his power to limit an illegal government data collection program. Even during his own defense, he went through the legal channels he could to make relevant information available for his defense — albeit unsuccessfully. The programs that were revealed are also substantially different in nature, if not in content. The Bush-era warrantless surveillance programs and data collection programs were on shaky legal ground, based on little more than the president's say-so. That's why telecom companies sought and received legal immunity from Congress for their participation in 2008. But that same update also expanded government surveillance powers. Some observers argue that some of the NSA's spying programs are still unconstitutional. But at a minimum, these programs were authorized by the FISC and disclosed to congressional intelligence committees. Nacchio told the Wall Street Journal, "I never broke the law, and I never will." But he never got a chance to present to the jury his theory that his prosecution was politically motivated. # distributed via : no commercial use without permission # is a moderated mailing list for net criticism, # collaborative text filtering and cultural politics of the nets # more info: http://mx.kein.org/mailman/listinfo/nettime-l # archive: http://www.nettime.org contact: nettime at kein.org ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: Digital signature URL: From adi at hexapodia.org Fri Oct 4 11:49:52 2013 From: adi at hexapodia.org (Andy Isaacson) Date: Fri, 4 Oct 2013 11:49:52 -0700 Subject: how to use Tor securely (Re: Silk Road founder arrested ...) In-Reply-To: <524E9590.702@echeque.com> References: <1380734343.30026.10.camel@anglachel> <1380740444.30026.18.camel@anglachel> <20131002193108.GA11783@netbook.cypherspace.org> <1380742664.5216.3.camel@anglachel> <20131004002225.AB0F4DFB9@a-pb-sasl-quonix.pobox.com> <20131004081652.GK15039@hexapodia.org> <20131004090126.GA2045@netbook.cypherspace.org> <524E9590.702@echeque.com> Message-ID: <20131004184952.GL15039@hexapodia.org> On Fri, Oct 04, 2013 at 08:16:48PM +1000, James A. Donald wrote: > Two security failures: The feds were able to find the Tor hidden > web server, and, having found it, there was information on the web > server that should not have been there. Note that this thread has meandered around, discussed several different security failures, and you seem to be returning to the Silk Road one. > My understanding is that they found a bunch of Tor machines, I don't see any evidence or claim that the investigation touched, investigated, or influenced any Tor relays in the published documents about the Silk Road arrest. Do you have any basis for this understanding? (BTW, it's *very* easy to "find a bunch of Tor machines", most of the Tor relays' IPs are listed in the public "consensus".) > installed malware by means of rubber hoses, Again, I see no published claim that any malware was used in this investigation, nor that the investigators had to lean on anyone (much less torture them, as the phrase "rubber hose" indicates) to install malware. > and thus located the > Silk Road hidden web server. The complaint and the indictment are stunningly silent on that part of the investigation, and the press coverage I've seen also doesn't shed much light on exactly how the machine in "a certain foreign country" was located. A few possibilities have been raised: - an investigator exploited the Silk Road software stack via its public web UI and caused the server to disclose its IP by connecting to a service outside of Tor. This seems quite plausible, to me. - the investigation already had Ulbricht targeted, but without a smoking gun, and watched his SSH traffic using a standard wiretapping warrant. This should have shown up in the arrest complaint if so. - a NSA/GCHQ capture was used to locate the server, and the public disclosure so far is an example of "parallel construction". - a vulnerability in the Tor network let the investigators find the server, possibly assisted by the investigators running some number of Tor relays. - the IP was known to any of the several criminal elements known to be interested in Silk Road, and the investigators got it as part of a deal (to drop another investigation, or harass someone's enemy, or similar). Given the shoddy quality of the rest of Ulbricht's security posture, I strongly suspect that a "phone home" vuln in the SR server was the trigger. "Never trust anyone who's programming language of choice is PHP." -andy From arma at mit.edu Fri Oct 4 08:50:09 2013 From: arma at mit.edu (Roger Dingledine) Date: Fri, 4 Oct 2013 11:50:09 -0400 Subject: [tor-talk] Guardian Tor article Message-ID: <20131004155009.GT31806@moria.seul.org> On Fri, Oct 04, 2013 at 11:38:10AM -0400, Roger Dingledine wrote: > (Did I miss any good links?) Ah, yes I did: http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack-tor-network-encryption --Roger -- tor-talk mailing list - tor-talk at lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From jamesdbell8 at yahoo.com Fri Oct 4 11:59:38 2013 From: jamesdbell8 at yahoo.com (Jim Bell) Date: Fri, 4 Oct 2013 11:59:38 -0700 (PDT) Subject: A CEO who resisted NSA spying is out of prison. In-Reply-To: <524EA5B7.5040609@echeque.com> References: <20131004094627.GF10405@leitl.org> <20131004100232.GA3061@netbook.cypherspace.org> <524EA5B7.5040609@echeque.com> Message-ID: <1380913178.94018.YahooMailNeo@web141201.mail.bf1.yahoo.com> From: James A. Donald To: cypherpunks at cpunks.org Sent: Friday, October 4, 2013 4:25 AM Subject: Re: A CEO who resisted NSA spying is out of prison. On 2013-10-04 20:02, Adam Back wrote: ... >>> A CEO who resisted NSA spying is out of prison. And he feels >>> ‘vindicated’ >>> by Snowden leaks. >>> http://www.washingtonpost.com/blogs/the-switch/wp/2013/09/30/a-ceo-who-resisted-nsa-spying-is-out-of-prison-and-he-feels-vindicated-by-snowden-leaks/ >>> By Andrea Peterson, Published: September 30 at 12:07 pmE-mail the writer >>> Both Edward Snowden and Joseph Nacchio revealed details about some of >>> the >>> things that go on at NSA headquarters in Fort Meade. >>> (REUTERS/NSA/Handout) >>> >>> Both Edward Snowden and Joseph Nacchio revealed details about some of >>> the >>> things that go on at NSA headquarters in Fort Meade. (NSA/Reuters) >>> >>> Just one major telecommunications company refused to participate in a >>> legally dubious NSA surveillance program in 2001. A few years later, its >>> CEO was indicted by federal prosecutors. He was convicted, served >>> four and >>> a half years of his sentence and was released this month. >Insider trading laws are so vague and all encompassing that it is >entirely impossible to be innocent of insider trading, unless you pick >your stocks by throwing darts >Almost every investor is guilty of insider trading.  Prosecutions are >selective and arbitrary. This is why that a system such as my "Denial of Disservice Attack" idea could be so attractive to corporate America and its high-level (and not so high level) employees.    If it were explained to them that it is in their interest to lower the Federal prison population from 220,000 to 15,000, and that it could be done for perhaps only $20 million per year,  they should flock to contribute.  It could be arranged as a charitable contribution ('to encourage employment of the jury system',) and thus be tax-deductible.           Jim Bell -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 3669 bytes Desc: not available URL: From adam at cypherspace.org Fri Oct 4 03:02:32 2013 From: adam at cypherspace.org (Adam Back) Date: Fri, 4 Oct 2013 12:02:32 +0200 Subject: A CEO who resisted NSA spying is out of prison. In-Reply-To: <20131004094627.GF10405@leitl.org> References: <20131004094627.GF10405@leitl.org> Message-ID: <20131004100232.GA3061@netbook.cypherspace.org> People frown at Russian suspected political prosecution (eg oligarchs falling with someone politically powerful and then with coincidental timing finding themselves incarcerated for probably trumped up financial irregularity or other charges.) Here we see it US style. A judicial inquiry should be heard, he should receive a pardon and compensation. This is a horrendous judicial fraud sanctioned at high levels and carried out by a complicit justice system. The perpetrators in NSA, government and justice system should receive long prison sentences. Otherwise the rule of law in the US has received a big credibility hit, the only fig leaf is the shaky plausibility of the trumped up charges. Unfortunately its not completely impluasible in isolation because wealthy business people from time to time have committed these exact crimes in showing poor judgement by backdating options, and insider trading and such shenanigans despite already being wealthy enough to not have their grand children work a day in their lives. But it sure looks suspicious and the political cover story has been blown. At minimum he should get a judicial review or inquiry and probable vindication. Adam On Fri, Oct 04, 2013 at 11:46:27AM +0200, Eugen Leitl wrote: >----- Forwarded message from nettime's avid reader ----- > >Date: Fri, 4 Oct 2013 10:58:36 +0200 >From: nettime's avid reader >To: nettime-l at kein.org >Subject: A CEO who resisted NSA spying is out of prison. >Reply-To: a moderated mailing list for net criticism > > >A CEO who resisted NSA spying is out of prison. And he feels ‘vindicated’ >by Snowden leaks. >http://www.washingtonpost.com/blogs/the-switch/wp/2013/09/30/a-ceo-who-resisted-nsa-spying-is-out-of-prison-and-he-feels-vindicated-by-snowden-leaks/ > >By Andrea Peterson, Published: September 30 at 12:07 pmE-mail the writer >Both Edward Snowden and Joseph Nacchio revealed details about some of the >things that go on at NSA headquarters in Fort Meade. (REUTERS/NSA/Handout) > >Both Edward Snowden and Joseph Nacchio revealed details about some of the >things that go on at NSA headquarters in Fort Meade. (NSA/Reuters) > >Just one major telecommunications company refused to participate in a >legally dubious NSA surveillance program in 2001. A few years later, its >CEO was indicted by federal prosecutors. He was convicted, served four and >a half years of his sentence and was released this month. > >Prosecutors claim Qwest CEO Joseph Nacchio was guilty of insider trading, >and that his prosecution had nothing to do with his refusal to allow spying >on his customers without the permission of the Foreign Intelligence >Surveillance Court. But to this day, Nacchio insists that his prosecution >was retaliation for refusing to break the law on the NSA's behalf. > >After his release from custody Sept. 20, Nacchio told the Wall Street >Journal that he feels "vindicated" by the content of the leaks that show >that the agency was collecting American's phone records. > >Nacchio was convicted of selling of Qwest stock in early 2001, not long >before the company hit financial troubles. However, he claimed in court >documents that he was optimistic about the firm's ability to win classified >government contracts — something they'd succeeded at in the past. And >according to his timeline, in February 2001 — some six months before the >Sept. 11 terrorist attacks — he was approached by the NSA and asked to spy >on customers during a meeting he thought was about a different contract. He >reportedly refused because his lawyers believed such an action would be >illegal and the NSA wouldn't go through the FISA Court. And then, he says, >unrelated government contracts started to disappear. > >His narrative matches with the warrantless surveillance program reported by >USA Today in 2006 which noted Qwest as the lone holdout from the program, >hounded by the agency with hints that their refusal "might affect its >ability to get future classified work with the government." But Nacchio was >prevented from bringing up any of this defense during his jury trial — the >evidence needed to support it was deemed classified and the judge in his >case refused his requests to use it. And he still believes his prosecution >was retaliatory for refusing the NSA requests for bulk access to customers' >phone records. Some other observers share that opinion, and it seems >consistent with evidence that has been made public, including some of the >redacted court filings unsealed after his conviction. > >The NSA declined to comment on Nacchio, referring inquiries to the >Department of Justice. The Department of Justice did not respond to The >Post's request for comment. > >Snowden leaked documents about NSA spying programs to the public and >arguably broke the law in doing so. In contrast, Nacchio seems to have done >what was in his power to limit an illegal government data collection >program. Even during his own defense, he went through the legal channels he >could to make relevant information available for his defense — albeit >unsuccessfully. > >The programs that were revealed are also substantially different in nature, >if not in content. The Bush-era warrantless surveillance programs and data >collection programs were on shaky legal ground, based on little more than >the president's say-so. That's why telecom companies sought and received >legal immunity from Congress for their participation in 2008. But that same >update also expanded government surveillance powers. Some observers argue >that some of the NSA's spying programs are still unconstitutional. But at a >minimum, these programs were authorized by the FISC and disclosed to >congressional intelligence committees. > >Nacchio told the Wall Street Journal, "I never broke the law, and I never >will." But he never got a chance to present to the jury his theory that his >prosecution was politically motivated. > > > ># distributed via : no commercial use without permission ># is a moderated mailing list for net criticism, ># collaborative text filtering and cultural politics of the nets ># more info: http://mx.kein.org/mailman/listinfo/nettime-l ># archive: http://www.nettime.org contact: nettime at kein.org > >----- End forwarded message ----- >-- >Eugen* Leitl leitl http://leitl.org >______________________________________________________________ >ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org >AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From pgut001 at cs.auckland.ac.nz Thu Oct 3 17:15:48 2013 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Fri, 04 Oct 2013 13:15:48 +1300 Subject: [cryptography] the spell is broken Message-ID: "James A. Donald" writes: >By moving away from anything NIST has touched he deprives the NSA of leverage >to insert backdoors, Just as a bit of a counterpoint here, how far do you want to go down this rathole? Someone recently pointed me to the latest CERT vuln. summary (because of a few interesting entries there): https://www.us-cert.gov/ncas/bulletins/SB13-273 Now this is just a single weeks' worth, and yet look at all the remote-code- execution and seize-control-of-device issues in just that seven-day stretch. The NSA doesn't really need to backdoor crypto when the barn door isn't just propped wide open, it's entirely missing in some cases. (I completely support Jon's position in terms of being seen to do the right thing, but there are more things to worry about than just backdoored crypto). Peter. _______________________________________________ cryptography mailing list cryptography at randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From d.nix at comcast.net Fri Oct 4 14:05:23 2013 From: d.nix at comcast.net (d.nix) Date: Fri, 04 Oct 2013 14:05:23 -0700 Subject: 49 Page NSA analysis of Tor Message-ID: <524F2D93.1010605@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Just published by Bart Gellman (Thanks Bart!): http://apps.washingtonpost.com/g/page/world/nsa-research-report-on-the-tor-encryption-program/501/ - -- -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.20 (MingW32) iQEcBAEBAgAGBQJSTy2TAAoJEDMbeBxcUNAePB0H/0MxORH4Gs7zIpIojhzKS9pE YPQ0SmbXqLRhPKjllSAi+e24gIDzaj8yBDF9GQwv68u5lNSca/PFK2TVugx7mG/9 chQkmQCvBVbrtQ1mhCReLWxh6NCpUgEvvCRi5ZtvqfqBzxE22exb7tsTetDDezLh jVmq9CFCXdkDN6yNuHZ/5lC17feMBPj6nNEAuCX99V1236N3dbe52/ZpSb8uzC/b bGBmiGecc71wM4dMhjRMBJjxz1dMmKW1cImIj5StPJkDOD3beDX6EP7XE94b0Ts2 JVRi+NFPCRKqMpLhwlvmx0WtH5pLbcoxUmBGP3/Q8r+dgWUXdv+8Z8FFpMaJPFQ= =LDCN -----END PGP SIGNATURE----- From d.nix at comcast.net Fri Oct 4 14:14:05 2013 From: d.nix at comcast.net (d.nix) Date: Fri, 04 Oct 2013 14:14:05 -0700 Subject: GCHQ report on 'MULLENIZE' program to 'stain' anonymous electronic traffic - The Washington Post Message-ID: <524F2F9D.2020009@comcast.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 GCHQ report on tainting Tor traffic: http://apps.washingtonpost.com/g/page/world/gchq-report-on-mullenize-program-to-stain-anonymous-electronic-traffic/502/ - -- -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.20 (MingW32) iQEcBAEBAgAGBQJSTy+dAAoJEDMbeBxcUNAer08H/2NRjQx8k/Wj/juvWKLoV1Q8 57VSYlUYpjDT6Ut7MoMPPDy2qhjPoFgUnJhvDMLgOrpGBXrjuO/6PgBLkPASRZUU /qQRsaGmiAmn8Inw2V097ISnoTBQlnjxjBIyPCKUh4mg0kRfZGcuTNWGlgTmL0hr b11+Th23afjpK9Ip+y9OvJykfdcOjoX11JQge9J4JmVwaNWmmFBj/u3DsgiCk6b7 U5F5Q5yIeQ8MhsucsOuvNbK7QQEZHdRbx7IqgHWxxu1JOTLLClOIkILoHbGUBOxj QMPw1EZAcBNx7Gmb8m4UU7DuPkAEXAcT/8ABd53MXE80rM6nqWgODC49rKa3Mvc= =8lpg -----END PGP SIGNATURE----- From eugen at leitl.org Fri Oct 4 05:18:29 2013 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 4 Oct 2013 14:18:29 +0200 Subject: [Freedombox-discuss] Indie web Message-ID: <20131004121829.GH10405@leitl.org> ----- Forwarded message from Sandy Harris ----- From eugen at leitl.org Fri Oct 4 05:38:34 2013 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 4 Oct 2013 14:38:34 +0200 Subject: [guardian-dev] How To Generate SSL keys without Backdoor Message-ID: <20131004123834.GN10405@leitl.org> ----- Forwarded message from Aaron Lux ----- From eugen at leitl.org Fri Oct 4 05:55:20 2013 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 4 Oct 2013 14:55:20 +0200 Subject: The Collected Quotations of the Dread Pirate Robert, According to Forbes.com Message-ID: <20131004125520.GS10405@leitl.org> ----- Forwarded message from pirate cinema berlin ----- From grarpamp at gmail.com Fri Oct 4 12:56:52 2013 From: grarpamp at gmail.com (grarpamp) Date: Fri, 4 Oct 2013 15:56:52 -0400 Subject: [tor-talk] Guardian Tor article In-Reply-To: <1380905326.19886.6.camel@anglachel> References: <20131004153810.GR31806@moria.seul.org> <1380905326.19886.6.camel@anglachel> Message-ID: Some have said... > this [Snowden meta arena] has been a subject of discussion on > the [various] lists as well > Congrats, torproject :-D > "Tor Stinks" means you're doing it right; good job Tor devs :) > good news everybody; defense in depth is effective and practical! Yes, fine work all hands, everyone have a round at their favorite pub/equivalent tonight. > Of course, this is also from 2007. It's been a long time since then. Yet whether from 2007 or last week... when Monday rolls around, we must channel all this joy and get back to work. For the risks and attackers that we all face are real, motivated, well funded, and do not play fair by any set of rules. They do not stop and neither can we. Wins that do not result in elimination from the game are but temporary gains. We must always be better... train, practice, discipline, and enter ourselves into every race... leaving only a continuous cloud of dust behind for our adversaries to choke on. Till Monday, I got this round :) From wb8foz at nrk.com Fri Oct 4 13:04:47 2013 From: wb8foz at nrk.com (David) Date: Fri, 04 Oct 2013 16:04:47 -0400 Subject: [tor-talk] Guardian Tor article In-Reply-To: <20131004155009.GW10405@leitl.org> References: <20131004155009.GW10405@leitl.org> Message-ID: <524F1F5F.2070808@nrk.com> Kudos to Bruce on a great article...... From juan.g71 at gmail.com Fri Oct 4 12:12:42 2013 From: juan.g71 at gmail.com (Juan Garofalo) Date: Fri, 04 Oct 2013 16:12:42 -0300 Subject: cypherpunks Digest, Vol 4, Issue 9 In-Reply-To: <1380898319.17441.0.camel@anglachel> References: <1380898319.17441.0.camel@anglachel> Message-ID: --On Friday, October 04, 2013 10:51 AM -0400 Ted Smith wrote: > I now believe this is a programmatically constructed text. Well, the messages are rather long, so I wonder if a person is actually taking the time to write them, but on the other hand, they don't sound machine-generated to me. The style is recursive and convoluted, but they seem to make sense. Or perhaps I'm slightly crazy =P Then again, english is not my native language, so fooling me is probably not that hard. > > ...which is pretty cypherpunk, have to say. Big up. > > On Thu, 2013-10-03 at 22:06 -0500, brian carroll wrote: >> correction on post referenced: did not realize Olek and knitting crew >> create panels of works or sections prior to visiting sites, which is >> the only sane explanation for how large scale works are possible, so >> parallels installation of Christo et Jeanne-Claude; also, artwork >> Running Fence was mistakenly mentioned as inside/outside boundary, >> versus here/there or others > > -- > Sent from Ubuntu > From jamesdbell8 at yahoo.com Fri Oct 4 16:21:56 2013 From: jamesdbell8 at yahoo.com (Jim Bell) Date: Fri, 4 Oct 2013 16:21:56 -0700 (PDT) Subject: USB Block Erupters as RNG sources? In-Reply-To: <1380864916.19870.YahooMailNeo@web141204.mail.bf1.yahoo.com> References: <524D973F.2030204@comcast.net> <1380864916.19870.YahooMailNeo@web141204.mail.bf1.yahoo.com> Message-ID: <1380928916.86741.YahooMailNeo@web141203.mail.bf1.yahoo.com> From: d.nix To: cypherpunks at cpunks.org; liberationtech at mailman.stanford.edu Sent: Thursday, October 3, 2013 9:11 AM Subject: Re: USB Block Erupters as RNG sources? > "Very little", and "no".  They're basically custom Bitcoin-mining > ASICs, I looked at one a while back for use in password-cracking >> and they're really not suited for it at all, you load a vector in >> and say "go" but since they're quite I/O-limited you can't easily >> adapt them for hash-breaking.  As for RNG use, they're entirely >> deterministic, how would you use them as an RNG source? >> at best you *might* be able twist it into a DRBG that would still >> need to be seeded (and regularly reseeded) with robust entropy. >> >> these ASICs really are single purpose; they're useless for anything >> else. >Thanks Peter, Coderman- >Kinda what I suspected seeing as they are *Application Specific* IC's >after all... Wishful thinking more than anything knowing that they are >now saturating their market and loosing value rapidly. >Cheers! >DN This looks like a decent idea for a RNG.          http://www.sciencedirect.com/science/article/pii/S1434841111001713       Another is:   http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=847868&url=http%3A%2F%2Fieeexplore.ieee.org%2Fiel5%2F81%2F18417%2F00847868 Yet another:   http://www.fdk.co.jp/cyber-e/pi_ic_rpg100.html       Jim Bell -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 3805 bytes Desc: not available URL: From mlp at upstandinghackers.com Fri Oct 4 07:22:02 2013 From: mlp at upstandinghackers.com (Meredith L. Patterson) Date: Fri, 4 Oct 2013 16:22:02 +0200 Subject: how to use Tor securely (Re: Silk Road founder arrested ...) In-Reply-To: <524E9590.702@echeque.com> References: <1380734343.30026.10.camel@anglachel> <1380740444.30026.18.camel@anglachel> <20131002193108.GA11783@netbook.cypherspace.org> <1380742664.5216.3.camel@anglachel> <20131004002225.AB0F4DFB9@a-pb-sasl-quonix.pobox.com> <20131004081652.GK15039@hexapodia.org> <20131004090126.GA2045@netbook.cypherspace.org> <524E9590.702@echeque.com> Message-ID: <20131004142202.GA19027@nestor.local> On Fri, Oct 04, 2013 at 08:16:48PM +1000, James A. Donald wrote: > My understanding is that they found a bunch of Tor machines, > installed malware by means of rubber hoses, and thus located the > Silk Road hidden web server. Why would they even need to use rubber hoses? They could just compel Amazon. How many Tor nodes are on EC2 these days, again? --mlp From coderman at gmail.com Fri Oct 4 16:33:09 2013 From: coderman at gmail.com (coderman) Date: Fri, 4 Oct 2013 16:33:09 -0700 Subject: Deterministic Builds Part Two: Technical Details Message-ID: Mike Perry has just posted the second half of his reproducible builds effort: "Deterministic Builds Part Two: Technical Details - This is the second post in a two-part series on the build security improvements in the Tor Browser Bundle 3.0 release cycle." https://blog.torproject.org/blog/deterministic-builds-part-two-technical-details From adam at cypherspace.org Fri Oct 4 07:40:38 2013 From: adam at cypherspace.org (Adam Back) Date: Fri, 4 Oct 2013 16:40:38 +0200 Subject: how to use Tor securely (Re: Silk Road founder arrested ...) In-Reply-To: <20131004142202.GA19027@nestor.local> References: <1380734343.30026.10.camel@anglachel> <1380740444.30026.18.camel@anglachel> <20131002193108.GA11783@netbook.cypherspace.org> <1380742664.5216.3.camel@anglachel> <20131004002225.AB0F4DFB9@a-pb-sasl-quonix.pobox.com> <20131004081652.GK15039@hexapodia.org> <20131004090126.GA2045@netbook.cypherspace.org> <524E9590.702@echeque.com> <20131004142202.GA19027@nestor.local> Message-ID: <20131004144038.GA9295@netbook.cypherspace.org> Seems to me if people care about anonymous publication security and robustness they need static content, distributed, encrypted and integrity protected. eg like say tahoeLAFS over Tor or something like that. Of course not as jscript, form, click etc but thats just asking to be hacked anyway. As I recall Zooko mentioned you can actually do that - back a web server in LAFS, then the webserver is nothing but a read-only consumer of LAFS data. Presumably someone can figure out how to route encrypted, authenticated change sets or form submussions back to the underlying LAFS over Tor. Adam On Fri, Oct 04, 2013 at 04:22:02PM +0200, Meredith L. Patterson wrote: >On Fri, Oct 04, 2013 at 08:16:48PM +1000, James A. Donald wrote: >> My understanding is that they found a bunch of Tor machines, >> installed malware by means of rubber hoses, and thus located the >> Silk Road hidden web server. > >Why would they even need to use rubber hoses? They could just compel > Amazon. How many Tor nodes are on EC2 these days, again? > >--mlp From jamesdbell8 at yahoo.com Fri Oct 4 16:49:29 2013 From: jamesdbell8 at yahoo.com (Jim Bell) Date: Fri, 4 Oct 2013 16:49:29 -0700 (PDT) Subject: Injustice: Denial of Disservice Attack In-Reply-To: <1380772945.89717.YahooMailNeo@web141202.mail.bf1.yahoo.com> References: <1380772945.89717.YahooMailNeo@web141202.mail.bf1.yahoo.com> Message-ID: <1380930569.19836.YahooMailNeo@web141206.mail.bf1.yahoo.com> To:  Andy Greenberg, Forbes Magazine,  agreenberg at forbes.com  and copied to the cypherpunks list.     A few days ago, I floated this idea on the Cypherpunks email list.  (cypherpunks at cpunks.org).  I think many of the readers of Forbes magazine would be interested in this service.  Look up the name, Joseph Nacchio, http://www.washingtonpost.com/blogs/the-switch/wp/2013/09/30/a-ceo-who-resisted-nsa-spying-is-out-of-prison-and-he-feels-vindicated-by-snowden-leaks/, a CEO who was a victim of the NSA demands on his company (QWEST) 12 years prior to Edward Snowden's recent leaks on the subject.  Below, I suggest that for an approximate $20 million investment per year, the number of federal criminal convictions the government can get can be forced down from 70,000 to about 16,000 per year.   Think of the benefits for insider-traders, tax-evaders and such.  What about Ladar Levison, operator of 'Lavabit', who the government tried to force to reveal encryption keys? Your magazine, Forbes, could greatly assist if it ran, gratis, ads soliciting donations for a project leading from this idea.  Could companies like Google, Microsoft, Yahoo, Comcast, and many others be induced to donate a total of $20 million per year for this worthy concept?     You may recall that in mid-2011, you contacted me and I informed you of that forged, fake, fraudulent appeal case, 99-30210, out of the Ninth Circuit Court of Appeals.  I wondered whether you would bother to do anything about that, and on cue, you did not.  I thought journalists considered it one of their jobs to reveal government corruption?       Jim Bell ----- Forwarded Message ----- From: Jim Bell To: "cypherpunks at cpunks.org" Sent: Wednesday, October 2, 2013 9:02 PM Subject: Injustice: Denial of Disservice Attack     "INJUSTICE: DENIAL of DISSERVICE ATTACK" or, "How to really mess up the opponent, and to do so legally"           By Jim Bell, Author of 'Assassination Politics'.      I spent well over 13 years in prison, and not only was I not guilty of nearly all of the crimes of which I was charged, I was actually a victim of crimes committed by various Federal government employees.  Not only was I assaulted on November 25, 1997 by a government stooge and informant, Ryan Thomas Lund, in order to force me to accept a plea agreement in case 97-5270, Tacoma Federal Court, I was also the victim of an amazing forged (falsified; fictitious; fake) appeal case (Ninth Circuit Court of Appeals, case 99-30210) that was initiated by corrupt government and court employees, and whose pre-April-2000 existence was concealed from me until about June 2003.  Naturally, I concluded that something must be done about this.      The current population of United States Federal prisons is approximately 220,000 inmates.  (In 1980, that population was about 20,000).  Each year, somewhat more than 70,000 new defendants are charged, and the large majority (perhaps 95%) are convicted.  Yet, you might be surprised:  There are only about 3,500 Federal criminal jury trials in America each year.  The reason for the apparent difference is that in the vast majority of such cases, the defendant or defendants accept a plea agreement, which the news media wrongly refers to as a 'plea bargain':  In reality, it's not a 'bargain' for the criminal defendant, and it certainly isn't a 'bargain' for the American taxpayer.  See the "Prisoner's Dilemma".   It's actually a financial disaster of the first magnitude, one which the majority of the American population doesn't know about, and certainly doesn't understand.  But the reason the defendants are motivated to accept those deals is simple:  The Feds threaten them with time far greater than what they'll get if they deal.  So, the very large majority of them deal.  And so, all of us are poorer as a consequence.  The average sentence, we can calculate, is 220,000/70,000, or a bit over 3 years per sentence.  (This is one way to calculate an 'average sentence', there may be others.)     It costs approximately $35,000 to keep a prisoner in Federal prison for one year.  So, for the 220,000 current prisoners, that's a total cost of about $7.7 billion dollars.  If that population could be brought down to the level it was in 1980, or 20,000 prisoners, about $7 billion dollars would be saved.   Even better, it would be far harder to extort people, people such as Barrett Brown (journalist), Kim Dotcom (Megaupload),  Bradley Manning (Cablegate), Ladar Levinson (operator of Lavabit), Edward Snowden (NSA leaker), Ty Warner (Beanie Babies, just convicted of tax evasion) or (now) Ross William Ulbricht, alleged operator of 'Silk Road'.   And, of course, thousands more that are less well-known.   Many of these people have either not committed any crime at all, or even if guilty of something, they shouldn't be punished to the extent the system would want to do.  Or punished at all.     I was pondering this problem in my prison cell one day, and I got yet one more of my 'awfully wonderful, wonderfully awful' ideas.  (Quote from:  "How the Grinch Stole Christmas")  I was almost as energized, and as enthusiastic, as I was in early 1995, when I got the idea that I later turned into my "Assassination Politics" essay.   I thought, what if every Federal defendant could be motivated to refuse to deal, to refuse to accept the deal that's usually offered.  The figure of $5,000 popped into my head.  What if every Federal felony criminal defendant were offered money, let's say $5,000, if they would plead not-guilty (which is their Constitutional right) and to demand a jury trial (which is also their Constitutional right).  The current system has trouble putting on 3,500 Federal felony criminal jury trials per year.  How would that system increase that number significantly?  The number of Federal courtrooms is somewhat fixed, the number of U.S. Attorneys is rather limited as well.  And, Federal court time has to be shared with civil cases, too.  So, it would be hard to imagine a great increase in the number of Federal criminal jury trials held.  If the number of persons convicted could be dropped from 70,000 per year to 4,000 per year, that should save the American taxpayers well over $7 billion per year in prison and jail costs.  Well over 90% of Federal prisons would have to shut within 5 years.     How much would this cost?  Well, assuming a cost-per-offer of $5,000, and perhaps 4,000 trials per year, the cost would be $20 million per year.  For an individual, that's a lot of money.  But for an entire country, that's peanuts.   Yet, it would save the nation $7 billion.  In other words, for every dollar offered to a criminal defendant, the savings to the public would be:    $7 billion/$20 million = $350.     These estimates are not set in stone.  Of course, under this kind of pressure 'the system' would tend to allocate its resources, the limited number of courtroom-days available, and would probably select only the most serious cases for prosecution.  So, while it's possible that some residual amount of plea-bargaining would remain, this same pressure would tend to force officials to accept that defendants serve smaller average sentences than they've been getting, which of course are already much lower than they'd probably like to get.  Even if the resulting average sentence rose to 4 years, the overall population of Federal prisons would drop from 220,000 to about 16,000.  (4 years x 4,000 trials/year).  This would be a great improvement.         The big question is, "Who would pay for this?".  "Therein lies the rub", to quote Hamlet.  Don't expect bigtime drug-dealers to donate:  Their ability to make money would be thwarted if their products were rendered de-facto legal.   However, illegal-drug users would be greatly benefited.  The price of their favorite pastime might very well drop by a factor of 5-10, if the likelihood of getting arrested and charged with providing it was drastically lowered.  That would surely occur if this system was expanded to include state jurisdiction, which is about 10x larger than the Federal system, and thus a cost 10x higher:  $200 million per year..  Another group of people who would benefit would be tax-evaders.  The Wikipedia article on "Tax Evasion in the United States" indicates that the approximate money 'lost' (and thereby gained by non-payers) is $305 billion in 2010.  If only 1/100 of a penny for each dollar thus saved was paid into a fund, that would be $30.5 million, which would be plenty to make sure that Federal tax evasion would be extremely difficult to prosecute.  As well as every other Federal crime.  Most accountants would see that as a good investment, and should advise their clients accordingly.               Jim Bell -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 15228 bytes Desc: not available URL: From eugen at leitl.org Fri Oct 4 08:50:09 2013 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 4 Oct 2013 17:50:09 +0200 Subject: [tor-talk] Guardian Tor article Message-ID: <20131004155009.GW10405@leitl.org> ----- Forwarded message from Roger Dingledine ----- From eugen at leitl.org Fri Oct 4 08:52:23 2013 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 4 Oct 2013 17:52:23 +0200 Subject: [tor-talk] Guardian Tor article Message-ID: <20131004155223.GX10405@leitl.org> ----- Forwarded message from Roger Dingledine ----- From rysiek at hackerspace.pl Fri Oct 4 09:57:34 2013 From: rysiek at hackerspace.pl (rysiek) Date: Fri, 04 Oct 2013 18:57:34 +0200 Subject: [tor-talk] Guardian Tor article In-Reply-To: <20131004155223.GX10405@leitl.org> References: <20131004155223.GX10405@leitl.org> Message-ID: <11717172.0fRRU8D7uM@lap> Okay, The question that I have now is: if this system exploits Firefox to gain root access to the target machine, as I understand, does it target any specific operating systems (nudge-nudge-wink- wink), or does it have the capability to target all OSes? The second seems unlikely, the first would actually be a boon to the FLOSS community. -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From eugen at leitl.org Fri Oct 4 10:01:04 2013 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 4 Oct 2013 19:01:04 +0200 Subject: [tor-talk] Guardian Tor article - better endpoint and application security Message-ID: <20131004170104.GE10405@leitl.org> ----- Forwarded message from coderman ----- Date: Fri, 4 Oct 2013 09:50:14 -0700 From: coderman To: tor-talk at lists.torproject.org Subject: Re: [tor-talk] Guardian Tor article - better endpoint and application security Message-ID: Reply-To: tor-talk at lists.torproject.org On Fri, Oct 4, 2013 at 8:44 AM, defcon wrote: > ... We need to focus more on secure browsers and tools that work over TOR > since they are relying on browser exploits and hacking services on TOR. "p7 Tor Project and friends Recent Activity" http://www.theguardian.com/world/interactive/2013/oct/04/tor-high-secure-internet-anonymity """ Tails: ... Adds Severe CNE misery to the equation ... """ good news everybody; defense is depth is effective and practical! this has been a subject of discussion on the Qubes devel list as well, in the content of Whonix, Tails and other Tor packagings. http://theinvisiblethings.blogspot.com/2011/09/playing-with-qubes-networking-for-fun.html https://www.whonix.org/wiki/Comparison_with_Others qubes devel threads of interest: "Qubes + Whonix" https://groups.google.com/forum/#!topic/qubes-devel/2vnGqsoM9p0 "QuebesOS - Secure Against Spying?" https://groups.google.com/forum/#!topic/qubes-devel/UfmWWiq9-_U "Disposable VM versus local forensics?" https://groups.google.com/forum/#!topic/qubes-devel/QwL5PjqPs-4 best regards, -- tor-talk mailing list - tor-talk at lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: Digital signature URL: From jamesd at echeque.com Fri Oct 4 03:16:48 2013 From: jamesd at echeque.com (James A. Donald) Date: Fri, 04 Oct 2013 20:16:48 +1000 Subject: how to use Tor securely (Re: Silk Road founder arrested ...) In-Reply-To: <20131004090126.GA2045@netbook.cypherspace.org> References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> <1380740444.30026.18.camel@anglachel> <20131002193108.GA11783@netbook.cypherspace.org> <1380742664.5216.3.camel@anglachel> <20131004002225.AB0F4DFB9@a-pb-sasl-quonix.pobox.com> <20131004081652.GK15039@hexapodia.org> <20131004090126.GA2045@netbook.cypherspace.org> Message-ID: <524E9590.702@echeque.com> On 2013-10-04 19:01, Adam Back wrote: > But the jscript malware was installed via remote compromise onto the Tor > hidden web server. Being behind Tor does not particularly add any > protection to your server, in terms of remote hacking. Probably static > content is safer in general even if it doesnt make flashy cursor hover > boxes > and client-side form pre-validation. Ie instal and turn on noscript - > 99% > of jscript is of no particular use other than making your browser > blink and > show animated ads ;) Noscript prevents the client from being hacked. You seem to be telling us that the Tor hidden web server was hacked by one of its clients, for which problem noscript is irrelevant. Two security failures: The feds were able to find the Tor hidden web server, and, having found it, there was information on the web server that should not have been there. My understanding is that they found a bunch of Tor machines, installed malware by means of rubber hoses, and thus located the Silk Road hidden web server. From dan at geer.org Fri Oct 4 17:46:09 2013 From: dan at geer.org (dan at geer.org) Date: Fri, 04 Oct 2013 20:46:09 -0400 Subject: A CEO who resisted NSA spying is out of prison. In-Reply-To: Your message of "Fri, 04 Oct 2013 11:59:38 PDT." <1380913178.94018.YahooMailNeo@web141201.mail.bf1.yahoo.com> Message-ID: <20131005004609.7A4A322811F@palinka.tinho.net> I find the constant appearance of HTML e-mail here to be surprising. HTML improves nothing and adds risk. Why not have the mailing list censored down to ASCII? Opponents are listening to be sure, but why give them injection points? Or does the libertarian ideal extend to dangerous encodings as a form of free speech? --dan From albill at openbuddha.com Fri Oct 4 21:17:42 2013 From: albill at openbuddha.com (Al Billings) Date: Fri, 04 Oct 2013 21:17:42 -0700 (PDT) Subject: [tor-talk] Guardian Tor article In-Reply-To: References: Message-ID: <1380946661231.bda30bb5@Nodemailer> What makes you think that Chromium would be more secure? — http://makehacklearn.org On Fri, Oct 4, 2013 at 7:11 PM, Moses > wrote: NSA mainly attack TOR user (not TOR itself) by exploiting vulnerabilities in Firefox. Should devs consider to replace the browser in TOR bundle with other browsers (such as chromium)? -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 817 bytes Desc: not available URL: From jamesd at echeque.com Fri Oct 4 04:25:43 2013 From: jamesd at echeque.com (James A. Donald) Date: Fri, 04 Oct 2013 21:25:43 +1000 Subject: A CEO who resisted NSA spying is out of prison. In-Reply-To: <20131004100232.GA3061@netbook.cypherspace.org> References: <20131004094627.GF10405@leitl.org> <20131004100232.GA3061@netbook.cypherspace.org> Message-ID: <524EA5B7.5040609@echeque.com> On 2013-10-04 20:02, Adam Back wrote: > People frown at Russian suspected political prosecution (eg oligarchs > falling with someone politically powerful and then with coincidental > timing > finding themselves incarcerated for probably trumped up financial > irregularity or other charges.) > > Here we see it US style. A judicial inquiry should be heard, he should > receive a pardon and compensation. This is a horrendous judicial fraud > sanctioned at high levels and carried out by a complicit justice > system. The perpetrators in NSA, government and justice system should > receive long > prison sentences. Otherwise the rule of law in the US has received a big > credibility hit, the only fig leaf is the shaky plausibility of the > trumped > up charges. > > Unfortunately its not completely impluasible in isolation because wealthy > business people from time to time have committed these exact crimes in > showing poor judgement by backdating options, and insider trading and > such > shenanigans despite already being wealthy enough to not have their grand > children work a day in their lives. > > But it sure looks suspicious and the political cover story has been > blown. At minimum he should get a judicial review or inquiry and probable > vindication. > > Adam > > On Fri, Oct 04, 2013 at 11:46:27AM +0200, Eugen Leitl wrote: >> ----- Forwarded message from nettime's avid reader >> ----- >> >> Date: Fri, 4 Oct 2013 10:58:36 +0200 >> From: nettime's avid reader >> To: nettime-l at kein.org >> Subject: A CEO who resisted NSA spying is out of prison. >> Reply-To: a moderated mailing list for net criticism >> >> >> >> A CEO who resisted NSA spying is out of prison. And he feels >> ‘vindicated’ >> by Snowden leaks. >> http://www.washingtonpost.com/blogs/the-switch/wp/2013/09/30/a-ceo-who-resisted-nsa-spying-is-out-of-prison-and-he-feels-vindicated-by-snowden-leaks/ >> >> >> By Andrea Peterson, Published: September 30 at 12:07 pmE-mail the writer >> Both Edward Snowden and Joseph Nacchio revealed details about some of >> the >> things that go on at NSA headquarters in Fort Meade. >> (REUTERS/NSA/Handout) >> >> Both Edward Snowden and Joseph Nacchio revealed details about some of >> the >> things that go on at NSA headquarters in Fort Meade. (NSA/Reuters) >> >> Just one major telecommunications company refused to participate in a >> legally dubious NSA surveillance program in 2001. A few years later, its >> CEO was indicted by federal prosecutors. He was convicted, served >> four and >> a half years of his sentence and was released this month. Insider trading laws are so vague and all encompassing that it is entirely impossible to be innocent of insider trading, unless you pick your stocks by throwing darts Almost every investor is guilty of insider trading. Prosecutions are selective and arbitrary. From zooko at zooko.com Fri Oct 4 10:44:23 2013 From: zooko at zooko.com (zooko) Date: Fri, 4 Oct 2013 21:44:23 +0400 Subject: how to use Tor securely (Re: Silk Road founder arrested ...) In-Reply-To: <20131004144038.GA9295@netbook.cypherspace.org> References: <1380740444.30026.18.camel@anglachel> <20131002193108.GA11783@netbook.cypherspace.org> <1380742664.5216.3.camel@anglachel> <20131004002225.AB0F4DFB9@a-pb-sasl-quonix.pobox.com> <20131004081652.GK15039@hexapodia.org> <20131004090126.GA2045@netbook.cypherspace.org> <524E9590.702@echeque.com> <20131004142202.GA19027@nestor.local> <20131004144038.GA9295@netbook.cypherspace.org> Message-ID: <20131004174422.GB21808@zooko.com> On Fri, Oct 04, 2013 at 04:40:38PM +0200, Adam Back wrote: > Seems to me if people care about anonymous publication security and > robustness they need static content, distributed, encrypted and integrity > protected. eg like say tahoeLAFS over Tor or something like that. Thanks for mentioning Tahoe-LAFS, Adam. I think combining Tahoe-LAFS with Tor is a good idea. It is already almost there. It is usable, but it doesn't yet protect your anonymity correctly. There is a recent burst of work to improve usability, security, and performance, and we need help. Also, below, I'll talk about the different, but complementary idea of "decentralized web apps" (i.e. Javascript apps hosted on Tahoe-LAFS). But before we get into decentralized web apps, here's the status of Tahoe-LAFS+Tor: it is currently working, by using a socks proxy that routes through Tor and configuring your Tahoe-LAFS instance to use it. Here are some open issue tickets about tweaks to the Tahoe-LAFS software or documentation which are needed: https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1010# use only 127.0.0.1 as local address https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1349# Improve docs about Tahoe-LAFS+Tor https://tahoe-lafs.org/trac/tahoe-lafs/ticket/517# make tahoe Tor- and I2P-friendly Note that some of these tickets refer to I2P, which is another re-routing network sort of like Tor, but the ones I mentioned above are just as applicable to Tor as to I2P. The tickets mention I2P because I2P developers, in addition to Tor developers, are contributing bug reports and patches. There is a recent move to a better approach which doesn't require the user to configure a socks proxy. That approach is to switch Tahoe-LAFS to using a new network abstraction provided by the "Twisted" library which Tahoe-LAFS uses. That abstraction is named "Endpoints". The idea is to switch Tahoe-LAFS from IPv4 to "Endpoints", and then implement Tor and I2P routing as implementations of the "Endpoints" abstraction. This approach would also probably work with a cjdns transport, too. (Also it would help Tahoe-LAFS work over IPv6.) This approach would also allow other Twisted-based applications (besides Tahoe-LAFS) to use those interesting new transport layers. We could use help! If you know Python, please do code-review of these patches: http://foolscap.lothar.com/trac/ticket/203# switch to using Endpoints How to review patches: https://tahoe-lafs.org/trac/tahoe-lafs/wiki/PatchReviewProcess By the way, we LAFS hackers are well aware that anonymity is very hard. In fact, low-latency anonymity against a modern "global surveillance" threat model may be impossible. But even the anonymity properties that *are* possible, and the ones that are currently provided by Tor, might get ruined by some mistake that Tahoe-LAFS makes, so I wouldn't rely on the Tahoe-LAFS+Tor for anonymity until it has had a lot more study and testing. (Which we need help with!) > Of course not as jscript, form, click etc but thats just asking to be hacked > anyway. I don't quite follow this sentence. You can write code that uses Tahoe-LAFS from Javascript if you want. I think that is a *great* idea, and I think that it is inevitable that in the future "decentralized web apps" will be written in either Javascript + LAFS, or else Javascript + some-other-decentralized- storage-system. However, if you are not ready to accept the inevitable and start running Javascript in your web browser, you can also poke at Tahoe-LAFS from plain old HTML forms, or use Tahoe-LAFS from code (written in any programming language) running on your local machine. > As I recall Zooko mentioned you can actually do that - back a web server in > LAFS, then the webserver is nothing but a read-only consumer of LAFS data. > Presumably someone can figure out how to route encrypted, authenticated > change sets or form submussions back to the underlying LAFS over Tor. Here's a live demo of a "decentralized web app" in which all storage in an encrypted, decentralized, fault-tolerant storage network, and all computation is in the client -- in fact in the web browser. The demo is my blog: https://zooko.com/uri/URI:DIR2-MDMF-RO:jf3sqg535zufb43iafx7fpmszq:7icvjsf6ltqr47jdaejvhpguqcfv53k5hqo5hwylquejqf5zkgba/blog.html That link gives you read-only access to my blog. If you interact with it, for example by clicking on "Tags" or using the search box, then you're interacting with Javascript running in your web browser. When *I* interact with it (I have read-write access to my blog), for example by creating new entries or editing existing entries, then I too am interacting Javascript running in my browser. There is no server anywhere that has code for the functionality of my blog. All code that implements functionalit is in the client. The storage server does nothing but store ciphertext to which it doesn't have the decryption key. Now, there's a subtlety here that will probably confuse some people. To be truly *decentralized*, the URL you put into your browser has to start with "http://localhost/", rather than with "http://someone-elses-domain.com/", right? So when you look at the URL above, you aren't actually *using* a decentralized web app, you're looking at a demo of a decentralized web app. To put it another way, when *I* use https://zooko.com, I'm using a decentralized web app, because I control my own node in the network. When I allow *you* to use https://zooko.com, then you are not controlling your own node in the network -- you are relying on me and on my node. But if you install Tahoe-LAFS yourself and connect to the Public Test Grid, then you can join us in playing with true decentralized web apps. :-) Start with the newest version of TiddlyWiki, which comes with a Tahoe-LAFS plugin: https://github.com/Jermolene/TiddlyWiki5/blob/master/plugins/tiddlywiki/tahoelafs/saver.js (The demo above -- my blog -- is a much older and more kludgey combination of TiddlyWiki and Tahoe-LAFS.) Regards, Zooko From adi at hexapodia.org Sat Oct 5 00:17:11 2013 From: adi at hexapodia.org (Andy Isaacson) Date: Sat, 5 Oct 2013 00:17:11 -0700 Subject: [liberationtech] 49 Page NSA analysis of Tor In-Reply-To: <524F2D93.1010605@comcast.net> References: <524F2D93.1010605@comcast.net> Message-ID: <20131005071711.GN15039@hexapodia.org> On Fri, Oct 04, 2013 at 02:05:23PM -0700, d.nix wrote: > Just published by Bart Gellman (Thanks Bart!): > > http://apps.washingtonpost.com/g/page/world/nsa-research-report-on-the-tor-encryption-program/501/ This is the output of a student Summer Program project, as advertised here: http://www.nsa.gov/careers/opportunities_4_u/students/undergraduate/msep.shtml Cryptanalysis and Exploitation Services Summer Program (CES SP) (formerly MSEP) The Cryptanalysis and Exploitation Services Summer Program (CES SP) is open to undergraduate students majoring in mathematics, computer science, or a major with a strong background in math and computer science. Here's one interesting story about a summer program invitation: http://mathbabe.org/2012/08/25/nsa-mathematicians/ The 2006 CES SP Tor paper is pretty superficial; they make several claims that don't bear up under the slightest analysis ("we might be able to MITM a Tor node because the certificates are self-signed") and don't seem to have developed any significant analysis or attacks on the system. This document doesn't give much insight into capabilities the IC has developed against Tor. It's apparently quite common to run multiple research teams (either known or unknown to each other) against a single target, and a few summer students with a dozen lab machines is a pretty small investment. I'd expect there are other programs with more sophisticated attacks, especially now 7 years later. In fact the most enlightening fact about this paper might be that the NSA thought Tor was worth attacking *at all* in 2006. I wonder if tor.eff.org has any referer logs from 2006 showing inbound traffic from http://wiki.gchq/ or similar. -andy From adi at hexapodia.org Sat Oct 5 13:25:20 2013 From: adi at hexapodia.org (Andy Isaacson) Date: Sat, 5 Oct 2013 13:25:20 -0700 Subject: [liberationtech] 49 Page NSA analysis of Tor In-Reply-To: <525031FB.4090304@gmx.com> References: <524F2D93.1010605@comcast.net> <20131005071711.GN15039@hexapodia.org> <9DB4FA45-E882-48DB-9602-30AEBBD9106D@retina.net> <525031FB.4090304@gmx.com> Message-ID: <20131005202520.GP15039@hexapodia.org> On Sat, Oct 05, 2013 at 04:36:27PM +0100, Ximin Luo wrote: > On 05/10/13 16:31, John Adams wrote: > > On Oct 5, 2013, at 12:17 AM, Andy Isaacson wrote: > >> I wonder if tor.eff.org has any referer logs from 2006 showing inbound > >> traffic from http://wiki.gchq/ or similar. > > > > .gchq isn't an Internet TLD, so > > That's doubtful. > > Intranet DNS. If they've been sloppy in blanking their referrers, then > yes this would show up. Yep, I was specifically referring to Referer: headers. I know I've worked at places with an internal wiki, with revealing page titles, with outbound links to our competitor's webpages. *Hopefully* NSA/GCHQ are more clueful than that, but I wouldn't put anything past them at this point. -andy From electromagnetize at gmail.com Sat Oct 5 12:46:27 2013 From: electromagnetize at gmail.com (brian carroll) Date: Sat, 5 Oct 2013 14:46:27 -0500 Subject: =?UTF-8?Q?=5B16=5D_technical_footnote=3A_m=C3=B6bius_code?= Message-ID: // disclaimer: all my posts on cypherpunks are copyright-free... i just watched a video from the Numberphile on youtube and it perfectly captures a conundrum at the intersection of mathematics and language, in a context of communication and interpretation, as this involves read/write processing and potential errors or different pathways to grounding supposedly common [variables], as this also involves boundaries and limits and thresholds that influence it please watch the video before reading the analysis below, so as to consider the information prior to a particular evaluation of it: Politics and Numbers - Numberphile // 7:31 m http://www.youtube.com/watch?v=CfoKor05k1I ---- in the way that [categories] can move from one context of interpretation [A=A] into another [A->B'], so too it is possible that the relation to the data or variables in a given framework could exist in another framework, beyond a given boundary of presupposed interpretation. therefore, hypothetical issues of [skin cream] and [gun control] could be remapped into another context, via ambiguity and relations of observers, that is the dimensionality that potentially could be connected to the concepts in their {superposition}, and thereby euphemism could also exist as a subtext or subconscious or alternately referenced domain that is outside the "normal" interpretation yet still existent in terms of mapping into a shared meaning structure. in this way, responses equated with "correct answers" imply correctness in this secondary realm, as if grounded by the equations and their conclusions. in this way, referencing [cream] and [guns] could relate to sexual politics and their interpretation as well, as if part of the larger inherent dynamics of language as this influences and effects "variables" of math. that is, such parallel processing could be occurring beyond a given boundary, and be camouflaged or hidden by variables as a means of -secret communication- thus: the clear-answering via such quasi-computation that "skin cream is worse" and "ban on guns is better" has different political meaning when evaluated and recontextualized in this hidden framework, which may be the default situation for observer-observer communications, in shared unspoken frameworks. implicit yet operating beyond the given boundary, unlike, or stealth, though of a realm of shared consciousness in some domains and not others. this is indicated in an instance of double-talk (or perhaps there is a more effective word for this) when the narrator confirms YES-YES that his colleague is "good at math" when looking into the camera and then doing a second take- indicating "no", as if there is a parallel realm or juxtaposition in double- or triple-layers of meaning, that instance perhaps mathematic specific (e.g. good at math meaning can deduction of simple analysis (yes) versus literacy of mathematician (no) as a result of arriving at the correct answers, or interpretation). the inflexion then, when the narrator sums up that "there are people who do understand science perfectly well, who still let beliefs CLOUD their judgement", could be grounded in this 'other context' via its use as an analogy or metaphor, shifting or confirming a certain secondary or tertiary meaning that co-exists alongside or embedded or nested within the 'mathematical framework' that undergoes reasoning clash "processing" as if entirely 1:1 by default, even though having these paradoxical aspects of language that it is mediating, that are unstable, and 'multiple' in interpretation, which ground to different circuits or could be _ungrounded yet validated by this transference of 'proof' or 'correctness' via pseudo-mathematical analysis, a secondary reading inferred and -believed- as if primary, yet unchecked in its own framework of assumptions yet by default held as valid, due to its coherence as language via shared awareness, meaning, and thus TRUE by default of its being reasoned in these terms. a context of an educational classroom with a field of lavender chairs perhaps implying a royal instructional dimension, even, as part of an ideological predisposition to how information is transferred on several channels simultaneously, yet also secretly. in this way, so too, programming in relation to the [ideas] thus categorized and used for computation. the inherent potential for möbius code that turns a given interpretation inside-out or is transformed in some elusive way, where a boundary is surpassed yet there is no seeming accounting for its different from the inside. this is how observer-observer relations could occur, where there is discrimination occurring in a given context yet afforded plausible deniability as these issues can simply be denied or disallowed as part of the 'shared awareness'. it is also seemingly how code or programs could exist at other levels or have other unaccounted for functionality, given how they are interpreted and in what dimensions- based on what is shared awareness and shared as boundaries and consciousness. perhaps much goes unnoticed and much is allowed in this same way, as to social dynamics yet also brought into computational contexts, of reasoning and 'seeing' and observing and communication itself. so what if there are hidden rules traveling alongside a given communication exchange, and that these are oftentimes the primary language that is mediated by "equations" as it were, discourse or formulas- and yet it exists beyond an accounting in truth, of the actual issues mediated in this hidden way. to me that is the very basis for tyranny of A=B governing the ability to consider A=A relations, because it is the boundary that limits that consideration, and is ideological and beyond error-correction, functioning as dogma yet also, potentially, shared governing falsity that itself becomes infallible due to its existing in language, as code, or especially as a mathematical construct which actually is subjective and ungrounded. in this way the tyranny of mathematics and linguistics and their hidden service to political agendas, as programmed and codified and parsed, becoming platforms for the false-perspective, while the real reality is muted, unable to speak, deemed crazy to try to account for what is going on that is officially "missing", the hidden data and hidden viewpoints that corrupt and conspire towards certain opaque functioning, given perspective, literacy, boundaries. in other words, [ideas] that become programs and exist in computers are not error-checked or error-corrected at this level of accounting for their functioning, and this could be a realm of the security exploit or 'other coding' by default of the A=B difference in interpretation and this may be inherent and inescapable yet also could be designed for or around, yet requires modeling of paradox to do so, to address the contingencies of variables in their multiplicity. perhaps it is a cognitive exploit, the human processor and human computation that is the issue as it then may read/write or interact with, interpret, and parse other code, whether computer programs or others ideas-- yet the assumption should be this is an ungrounded observational position from the start, that so much is unaccounted for in basic relations, and so much is "believed" even in common terms without the ability to question conclusions or observations, which can skew to only certain predisposed beliefs- very likely due to limits and boundaries allowing for this. and thus the issue of infallible observers who by default may base relations and evaluations upon their unchecked through always already "true" viewpoints, itself is the basis for decentralized tyranny of 'shared beliefs' that by their being shared or confirmed, are equated with truth itself. illiteracy in this context not only involves bounded or limited analysis, it is also dangerous for others who may be silenced from this same activity, where the common false perspective rules and everyone must conform to unspoken yet actively communicated hidden agendas. thus, the mathematics can by default of their being related to and through, as interpreted language, be subjective and provide cover or a mask for other language, as a sign system that provides for such calculations to be confirmed, yet only in pseudo-truth. this is the essential corruption. and it appears to reside in individuals themselves as thinking and non-thinking beings, such that the integrity of an observation may not be required to exist within the observational self, instead it could be assumed a function of language and its external mediation even, 'over there'. in other words, 'errors in truth' may not be recognized or accounted for within the observer themselves, yet form the basis for shared observations with others in these secret or hidden channels in that their being shared is used to confirm their truth, via their usefulness. and yet the self is held beyond account for this, and can continue in error or unchecked in limited or warped or skewed interpretation, and this may be parallel to other observations or coincide with them, beyond a given boundary, where it is shared by some and unnoticed by others. yet this establishes the observer in this realm as an infallible viewpoint, which can then interpret or use structures parasitically while assuming equivalent deduction by inference, yet which would be ungrounded and pseudo-truth by default of its skewed accounting and not being testable or error-corrected in the terms it exists, and instead offer a one-way communication of "belief system" that is not held to any account, yet may govern over what equations can be utilized within what limits, while secretly exploiting them at the same time in this way. thus to propose this is the default situation, until made transparent, and ideas grounded otherwise- and all of this accounted for in modeling of language and mathematics, which until that point would be more false than true, given the probabilities involving continual use of shared frameworks of pseudo-truth that are detached from empirical accounting in the wider context of truth, thus tending toward zero and total falsity by these very same covert means. ad nihilism. 16 -> ig-noble From bascule at gmail.com Sat Oct 5 14:52:33 2013 From: bascule at gmail.com (Tony Arcieri) Date: Sat, 5 Oct 2013 14:52:33 -0700 Subject: [zs-p2p] how to use Tor securely (Re: Silk Road founder arrested ...) Message-ID: On Fri, Oct 4, 2013 at 2:35 PM, Eugen Leitl wrote: > I think that it is inevitable that in the future "decentralized web apps" > will be written in > either Javascript + LAFS, or else Javascript + some-other-decentralized- > storage-system. The Cryptosphere is a heavily Tahoe-LAFS inspired decentralized storage system which is specifically focusing on decentralized HTML+JS apps, FYI: http://cryptosphere.org/ -- Tony Arcieri _______________________________________________ zs-p2p mailing list zs-p2p at zerostate.is https://lists.zerostate.is/mailman/listinfo/zs-p2p ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From jamesd at echeque.com Fri Oct 4 23:03:11 2013 From: jamesd at echeque.com (James A. Donald) Date: Sat, 05 Oct 2013 16:03:11 +1000 Subject: how to use Tor securely (Re: Silk Road founder arrested ...) In-Reply-To: <20131004184952.GL15039@hexapodia.org> References: <1380734343.30026.10.camel@anglachel> <1380740444.30026.18.camel@anglachel> <20131002193108.GA11783@netbook.cypherspace.org> <1380742664.5216.3.camel@anglachel> <20131004002225.AB0F4DFB9@a-pb-sasl-quonix.pobox.com> <20131004081652.GK15039@hexapodia.org> <20131004090126.GA2045@netbook.cypherspace.org> <524E9590.702@echeque.com> <20131004184952.GL15039@hexapodia.org> Message-ID: <524FAB9F.7050106@echeque.com> On 2013-10-05 04:49, Andy Isaacson wrote: > On Fri, Oct 04, 2013 at 08:16:48PM +1000, James A. Donald wrote: >> Two security failures: The feds were able to find the Tor hidden >> web server, and, having found it, there was information on the web >> server that should not have been there. > > Note that this thread has meandered around, discussed several different > security failures, and you seem to be returning to the Silk Road one. > >> My understanding is that they found a bunch of Tor machines, > > I don't see any evidence or claim that the investigation touched, > investigated, or influenced any Tor relays in the published documents > about the Silk Road arrest. Do you have any basis for this > understanding? > > (BTW, it's *very* easy to "find a bunch of Tor machines", most of the > Tor relays' IPs are listed in the public "consensus".) > >> installed malware by means of rubber hoses, > > Again, I see no published claim that any malware was used in this > investigation, nor that the investigators had to lean on anyone (much > less torture them, as the phrase "rubber hose" indicates) to install > malware. Freedom hosting was forced to install malware on servers, which attacked the browsers used by tor clients. This attack did not itself directly expose Silk Road, but Silk Road was successfully attacked at about the same time, so, possibly part of the same operation. Silk Road was directly attacked by malware - they issued numerous complaints about this, and were repeatedly taken down by malware. This happened at about the same time as the Freedom Hosting malware, though there is no direct evidence of a direct connection, other than timing and modus operandi. Simply generating huge amounts of spam and firing it off at Silk Road from time to time would enable a correlation attack. We know, however, that Silk Road was attacked both by huge amounts of spam, and malware. From electromagnetize at gmail.com Sat Oct 5 21:26:52 2013 From: electromagnetize at gmail.com (brian carroll) Date: Sat, 5 Oct 2013 23:26:52 -0500 Subject: [14] random non-random Message-ID: --- general observations --- my snark regarding algorithms was misplaced and also wrongly conveyed, due to both ignorance and error, if not trying to even-out the ability of some to be able to mediate issues in this technically computable approach while others are stuck inside equations that do not work for their basic reality, and then operating within said limits that can align with the ideology of quantification. in some sense, having more defining power than language alone, because of its connection to number and to other connected programs and models and frameworks that are operational, within the shared concepts. and that the gap between these and the world can be immense, yet likewise unaccounted for- and thus being able to place ideas into algorithms, inside of scientific and technological and cultural systems, has within it, this motivational aspect that correlates with power, and in that, determinism, that being able to interact in this realm is closer to the reality, versus to creating the substitute reality of the model. and in this, a coldness or hardness in thinking that may presume existence on these terms, for self or others, when it is not actually this simple or easy to obtain- accurately, yet being able to believe it is so, when reduced into a private viewpoint, especially when shared and protected within a technocratic environment. also wrong, speaking of algorithms without differentiating between those that exist inside computers and electronic circuits of machinery, and the rules and routines outside of this context, in the human step-by-step processing of awareness and interactions. in that they are inherent as an approach, involving first questions and trial and error and building up of empirical heuristic responses, strategies. (perhaps Marvin Minsky here). in this way, the zeitgeist of algos (~pain) could split between thinking and reasoning of humans, and that of machinery, and perhaps of a natural algorithmic computation that occurs within life, as different from that which needs to be programmed to 'think' - and then questioning the rules for approaching this, especially in a relativistic mindset that never can escape from pseudo-truth while also not acknowledging its existence due to the 'impossibility' of absolute truth, which instead replaces it as belief. in that, a truistic substitution occurs in 'knowing' truth cannot be known, which instead becomes this unknowable truth. in the same way 'you cannot prove something true, you can only falsify' is self-contradictory, as it relies on this unprovable truth to validate falsification as this truth. a limit to allowable perception and understanding then frames thinking, etc. (so, this to acknowledge i have the jerk gene, yet overall it hopefully balances out with the benny hill gene also present in better moments.) i think there are assumptions that have been made prematurely about the nature of language, also in terms of its linguistics, and also mathematics that has established a too small boundary around consideration of these situations that then become the realm of code, programs, and computers. and it is connected to the way people think, before the machines are developed, that can also involve errors and bugs in consciousness, reasoning, thinking and relations that formats the technical approach in a given worldview. i do not believe there is an accurate "model" of code (language/mathematic) to develop from within. i believe there is a tremendous gap in approach that is based on flawed and unchecked ideological assumptions about how people actually think, know, and believe that is not accurately translated into technical systems of computation and that the ambiguities these allow and introduce and sustain are today the realm of exploits against humans. this is to propose that both language and mathematics are ungrounded by default of their not being removed of falsity or error in their modeling, and that this relates to normalization of linear sign and symbol systems that can be recombined endlessly yet not error corrected in any instance regarding actual grounded truth from all perspectives, (even scientific data when limits are placed on its evaluation, and thusly made political). it is proposed that this involves the issue of space-time and movement within it, as language goes from point X to point Y and that in this, somehow time makes evaluation of its content a temporary evaluation that is lost to an endless repetition and recreation of observation and perspective such that 'truth' is repeatedly being recreated over and over again, and being copied again and again, copies of copies, without regard to what is the original situation referenced, which has become detached from this and replaced by this very signage. and thus the signs become the false reality and processing can be removed of its earthly connection, disembodied, and made into a pure abstraction, where the binary 'sense' is freed of limits that tie it to shared perception of truth, yet it represents this as the ideal. and the partially shared view becomes warped, onesided, and does not accurately connect to the world, and instead replaces it and enforces this view as a situation of power that can determine what is true, real, 'good'. and there are people programming this, writing code for it, online and off, including in their brains and beliefs that totally rely on this framework to evaluate their self and others, though in an ungrounded condition that must limit the proof and make it unfalsifiable, themselves god, infallible. and thus some people should have no healthcare, no food, the system itself is perfect and there are only immoral people who should suffer for failing in these terms to sustain themselves against natural instinct and basic thinking skills, and instead conform and comply as if animals, else be trained or used as natural resources as part of a slave-based ecosystem. inaccurate modeling of truth in language, to the depth of linguistics, and mathematics allows this condition to be normalized and made real within the 'empire of signs' that have become operational in this way. it is as if to presuppose the SIGN was the first truth, versus what it is referencing and in this gap the distortions and false views take hold of consciousness, as 'nothingness' becomes the cosmic centre of existence, and not shared being. the earthly meridians then are aligned with structures of falsity, and as with institutions and individuals so connected, correspond to its movement and orientations as part of the motor, the mechanism of civilization as a machine, as peoples work together combines into a larger series of forces and it is this momentum captured and extrapolated and extended into the automated machinery working against populations likewise. at its core, once partial truth that has become detached from its external accounting and is essentially a protected realm of lies at the core of false civilization. so there are Supermen at the helm of this global ship of fools who truly believe in an egotistical way, the mandate of such a corrupt enterprise as if born of natural moral virtue and their superior station over others, at the cost of humanity, life, nature, principled development. and that is where the critique arrives from, the illusion of this condition in its higher moral plane versus of a lower, debased existence which is ignored because it is not accounted for, and even more- it is relied upon to keep the system functioning in these, again, protected parameters. as a boundary and limit to manage and maintain-- of *territory* aligned with ideology. and how this relates to maps and mapping, what can be allowed to exist and what cannot, so as to retain control over the illusion and its 'processing' in the given terms, else, gears move slightly out of alignment and noises appear and soon enough, pressures build and the mechanism begins to break apart, and the more this loss of alignment occurs, the less the larger mechanism can function in its totality, gears even working against one another or grinding into the shared structure needed for their support. in this way, the threshold condition and the risk of not being able to contain truth within the designed and relied upon parameters. margins of error in a context where errors are structuralized- thus, margins of truth, narrowed and needed to be limited to allow the false construct is operability and governance. the role of the censor or directive signaling in this regard. and this is sustained by sign-based communications in time, it is proposed and that the space it establishes is a vacuum environment that fills in with this dynamic, due to a natural ungroundedness of observation within these parameters. what if- in contrast- the SIGNs were only best used for twitter-like short statements and not vastly long accounts, if only due to the impossibility of sustaining accurate truth from a single perspective of all that arose before or must be recreated from that view, as 'new code'? what if the very issue is not attaining panoptic accountability of POVs in serial, linear language, and thus there is no error-correction via shared empirical evaluation of all aspects of a situation from N-observers, past, present, and future, to correct the modeling. what if the very conception of this situation of reality is trapped within a false concept of language from the start, and self-limiting observation that seek to determine what can be true given its usefulness in the present and yet over time this has led to a false view evermore far from the truth. what if 'code' and 'programming' are not inherently nor need be linear or serial, in terms of computation and reasoning and instead could be parallel as models of circuitry, where signs are a subsystem of concepts and a way of referencing categories, such as metadata yet could autoconfigure into a map or pathway to convey meaning. thus to tell a story with detail XYZ, instead of needing to recreate the context for this, the detail instead can be situated within the relevant model in the dimensions it exists and thus evaluated that way without recreating the data, and it could be viewed to whatever degree of fidelity with truth as an observer is capable of. a child may observe to a limited level, while a historian or anthropologist or psychologist another. why must the world and its truth be recreated in every instance of communication to say something 'minor' that is embedded within the shared framework, when this very framework is not yet secured? and in this way, from the 1 and 0 of [truth], into [logic], then [concepts] and [patterns] that are then grounded in this sequence, that build up and out from this stable foundation based on N-observers and *hypotheses* that can be viewed from every angle and tested against reality and refined, as part of a shared process of awareness and learning and transferring insight instead of seeking to cordon it off, privatize and limit it, including all human knowledge, making it dependent on money and shared sets (class) in order to allow it to exist, and by default this whole viewpoint cannot be allowed to exist by fiat of dogma, because it would break the ideology that such truth is even possible-- because it is *truly believed* not to exist! in this way, instead of the sign, the circuit. the circuit is what connects the sign to its accounting in truth, via logic. it maps from a realm of communication back to what is referred to, which can be a [model] that is a conceptualization of an idea, including in its weighted probability given all various dimensional factors, and these in a timeless static mode unless put into motion. thus a common referent that sinks from information back to originating truth and its accounting and this for each and every single viewpoint as it relates to reality in all that is known, considered, and unknowable. that would indicate the actual limits and boundaries of perception as combined, especially if AI computers were of this same approach, complementing and working-with and for human awareness, versus against in a onesided gameover scenario today. code itself, in this modular construct, could involve patterns and how they are established, yet inherently the variables would ground towards the most accurate understanding of truth given the combined human awareness, as with adjunct computational resources to sustain and extend this further via its processing and reasoning and insight. the concepts of code and programs then would inherently require grounding for their operation and this as it relates to security - securing of truth, though in a contingent realm of paradox where minor truth may exist in a larger falsity and thus also must be accounted for as truth, recovered. the process this involves in terms of thresholds for data or observations, underlying methodology and barriers to exploiting this system via lesser truth or lies. in this sense a protected domain could exist at a certain level or as a subsystem that would allow only certain access to sensitive data, based on limited access, which is another realm that future crypto could apply, in addition to those who are outside this model or stand against humanity, in terms of their agenda. a liar or mimic would get nowhere. childlike awareness the first defense, in that disregarding truth would no longer be a viable tactic for deceivers. in this way, point line plane and constellations and circuitry, prior to the naming of the concepts as SIGNs, and then the combination or sequence of signs to occur in a pure realm, where a small assortment together in their absolute purity could replace volumes of books in perspective, in that the viewpoint could be explored as an open perspective from any angle to the connected data, moved through and around, questioned and tested, with a fractal read/write capacity inherent in this approach. to escape the page and enter the dimensional screen in depth, endless, as the model may link to others in a larger context, and that this is room needed to begin to explore ideas, not single letters formed into words that each follow another to try to say something that remains beyond the truth it references and relies upon yet cannot call upon or stop this movement to process (T). in this way, 'logical reasoning' stops the sentence and word and requires computation outside this framework, to break back words into concepts and beliefs and map these back into models of truth, and test them against the observational data, and judge their merit, as they tend towards greater truth or rely upon great falsity as perspectives. and that the truth is what must be the guide and compass, and this falsity not allowed nor given the same weight or capacity as a choice that allows desired movements and the moral treason of this, especially as normalized, made routine, etc. for instance, consider [drugs] in the non-pharmaceutical context that can range from positive to very negative effects, as this could be mediated as a shared situation and perhaps involve a ritualistic, responsible access that could be part of cultural learning and connected to self development while removed of exploitation or human suffering and violence brought about by these same dynamics in the existing system. within given parameters it would be possible to take what is true about them and deal with it, and to allow access to this truth while not denying other truth, and if that were possible and could be resolved, could exist in balance for humans so that it could be managed in a healthy and responsible way. again, as ritual or some cultural structure that could allow exploration mind-altering drugs as a particular aspect of development, for some people, if viable for them while for others they may not want it yet would not be negatively effected if it were balanced, respectful, and within certain limits or parameters. say a highly conceptual person who wants to further explore their mind and is guided on this path via established structures, and supported in this, yet also connected to the ground and a world of others, as this may then lead to new insights or discoveries or understanding or awareness, yet in a context that also involves addition, danger, mental health, issues such as abuse that may fracture the psyche of a fragile person, etc. so to account for all these dimensions in an individual circuit and evaluate and in such a way, over repeated instances of this throughout society perhaps it can be an optional path for some and yet not others, yet retain overall cohesion versus setting society to function against itself, and losing the greater purpose and forgetting the obligation involved in shared earthly existence. thus if there were [models] of situations, whatever they may be, over time and repeated iterations, these models would be refined and tested against and made increasingly accurate and grounded in truth, removed of error. and thus differing perspectives could be evaluated in terms of this modeling and 'truth' referenced with regard to all facts and 'theories' (hypotheses) such that what is true in each view is validated in its truth, as part of this process, versus discarded by a winning perspective, as it is today. and thus everything that is true, in its truth, maps back to 1, and all that is false, in its falsity, maps back to 0. though this is contingent and all that is hypothetical or theoretical could also be maintained and accessed again should its previous interpretation have been limited, thus scaffolding of unsupported views could emerge out of a realm of unknowns or the falsified from a given perspective, yet in being reframed or having new evidence, could challenge the existing models once again, perhaps to change or reconfigure or partially dismantle them in whatever inaccuracy exists. in this way, the use of SIGNs to communicate one SIGN after ANOTHER, and needing to rationalize these as a perspective in a long-running framework that is like a unique number sequence or super-long prime number, instead: [concept] [concept] [concept] [concept] as these may be nested or connected together in various _non-linear and-or parallel bit set configurations. the above sequence in its 'content' could hold the information of an entire book, for instance. [internet] [cyberspace] [infrastructure] and these concepts could go back to the quasi-algorithms that model them as ideas, their conceptualization in depth and breadth- as molecules, yet also with nested sets of shared structures and scaffolding... [electromagnetism] [processing] [data] and thus different frameworks could develop or be referenced in a context and perspective could move into and out of these frameworks as structural description where the /concept/ itself is modeled in its truth, there is no warping or distortion or error-involved in its mapping or accounting and if there is it can be observed and error-corrected via debate and panoptic review that defers to truth, firstly. [code] [programming] [crypto] and thus you could go further into a given context or start in one context and move into another, or someone could evaluation particular dimensions of an event or idea, thus inspect and analyze various facets of the whole from any angle, including establishing new perspectives if valid, thus the issue of boundaries or limits or thresholds of ideas, and the conceptualization and conveyance of ideas could remain open to interpretation, given facts and reasoning for a viewpoint. and this would be a right and an obligation. and thus if someone says there is no inherent limit on considering crypto only in a machine context, say involving human perception and relations and communication in an ordinary day-to-day context, this could be referenced in the shared model and allowed to exist as a hypothesis, a potential in whatever truth it may exist, and could be explored versus censored as an idea within an educational context that involves these aspects, versus to fit the exploration only into a finite, limited approach, sans people in their inherent crypto-capacity. in other words, if a person has code and programs (algos) as part of their daily existence, perhaps some of that also involves a cryptographic aspect as it may relate to anthropological and sociological or other issues such as heritage or demographics, that has value in this same context and could and should be explored in its truth. yet in universities today it would likely be disembodied and held outside 'computer science' cryptography when that domain could likely benefit most from challenging ideological conceptions of what crypto is, how it readily functions in the day to day, and what is possible, given shared awareness. and thus the requirement of accountable empirical truth to enable this interdisciplinary transfer and support of knowledge across 'boundaries'. it likely cannot exist as an approach until truth is actually secured and a new approach to language (and mathematics) developed as circuitry, without falling to the weaknesses of existing language to overpower involved truth. --- random re/writes --- i missed it, should have written about stitches and code yet did not enter into sewing itself yet hand sewing seems most closely connected to coding or at least in some aspects. someone did the detail work at some point that may or may not be autogenerated into other patterning, via computation or algorithms, yet like patchwork quilts, taking sections of patterns and placing them and stitching them together in a larger whole, that could in some sense correlate with a program or development approach. programmatic patchwork or quilting of data. there is potentially much more to this yet my limited knowledge prevents exploration. "stitches in time" as code may go through routines or be processed, programs nesting various data modeling and how it is woven together or involves many broken stitches as processed and likewise its relation to the network or webwork in terms of weaving, and then of spiderwoman and such symbolism, or the three sisters. so too, the idea of a discontinuous cipher that is pieced together like a quilt. also, the conceptual aspect of QR-code, perhaps datagram-like characteristic, embedded in its aesthetic, as this could relate to abstract if not asymmetrical quilts that can highly advanced aesthetics likewise, as futuristic as technology and potentially in a realm of electronic fabrics could carry diagnostic or data functions as platform and infrastructure. so again a question of boundaries for interpretation of where ideas function and their potential migration across boundaries or within territories. zero-knowledge crypto in terms of proof and puzzle pieces; may it involve in some sense having a puzzle minus one missing matching piece, or else a single puzzle piece minus the puzzle. (puzzle minus single piece; single piece - puzzle) then, also another tangent though of 'binary truth' that is only partial, perhaps minor, that when its larger condition is falsified, could undergo the equivalent of magnetic reversal (of earth magnetic poles directions) such that the context for observation flips to the view opposite those who are onesided and warped in their observations and self-serving belief- if corollary, then the very foundation of their entirety of observation would vanish, and the truth they are left with would rely upon a structure they have opposed, in a worldview they cannot 'reasonably' function within. in this way, as with technology where a pole reversal could change compass directions overnight and confuse and disorient wildlife, so too binarists .T/ ..4\ =q.. ||9: --- ungrounded numbers --- ...more on the issue of quantification and SIGNs as variables. what seems to be involved is the unaddressed issue of /superposition/ that influences how an observation is grounded or ungrounded, given its interpretation and accounting or lack thereof. and thus, suddenly equating [sign] = 40,020 is also a question of its variability as a sign, its accuracy, for if it has multiple interpretations, this numbering also is fuzzy or ambiguous while presupposedly defined and concrete as a number, as if the calculation or the number is mapped to a solid error-checked reality, when instead the number itself could *symbolize* or emblemize this, yet only as a mirage or belief and not as an actual grounded condition - thus it could be virtual or a false perspective, that the sign of the number then represents. in other words mathematics as it involves number can also be ungrounded and involve error-reliant calculations where assumptions as to shared view or referencing shared facts or conditions may be reliant on limits or partial truth that does not account for other aspect beyond or within a boundary, yet seeks to and defines a territory by this "objective" numbering that actually may exist in subjective and ungrounded terms (A=B) by default, whereby the language of mathematics is itself not empirically situated else could function in some ways as literature, perhaps as ~theorized physics. writing code and programs in terms of number does not make them inherently "objective" (A=A) or more accurate in terms of accounting for reality, yet it may involve inherent rationalization and reductionism and deterministic frameworks that could naively assume so, or involve ideological conceit that equates this with a condition of actively mediating grounded truth. the difference is that this is sign-based interaction, at the level of and within the context of signage and its calculations that have become and are removed from a larger accounting for truth, which is outside its boundary and territory- sort of like a Java sandox situation that replaces the world with a representational version that no longer references truth beyond its borders and thus becomes this truth itself, albeit ungrounded, in error. all language is proposed to share in this conundrum of its serialization an linearization, everything moving in a direction yet never converging into a single central point, every observation moves away from every other even when referencing another, it is bounded within particular and unique frameworks that recreate the world again and again and again, yet adding errors and relying upon distortions and lesser and lesser views to maintain given beliefs, against the surrounding evidence, and thus the primacy of uncritical belief and the utility of mind- and brain-washing and pills and drugs for making populations compliant, malleable to the false-viewpoints. here is the issue with coding and programing and mathematics, numbers, in that the limit or boundary of consideration can add up differently yet this may also be hidden from the computation at another level of processing... 5 + 2 = 7 consider the above calculation of two numbers that equal a third. each as a number could be considered 'finite' and unambiguous as a number, 5=5 &c. no here is where it gets weird, strange. consider that each number could be evaluated as a [sign] that is exists as a variable in an equation... [x] + [y] = [z] for mathematics to be subjective, there needs to be a difference between this sign as it is believed to exist and as it actually exists. and thus a /word/ or /concept/ could be input, such as /work/ and that could have an inherent ambiguity involved and involve estimation and approximately by default of its superposition of meaning, the potential paths of grounding now imagine that /number/ also could have ambiguity, where A=A could move towards A=B even though the SIGN could appear the same, within a certain context or limits or parameters or a boundary or threshold condition... [5] + [2] = [7] what is trying to be established is that each [variable] has a potential for ~fuzziness, in terms of calculation or processing, depending on rules for how it is evaluated. that is, a de facto limit or boundary or parameter that may be assumed to exist may be a faulty assumption that is in error, and that the resulting computation that occurs be ~variable... [5.1] + [2.8] = [7.9] if the above parameters were operational yet hidden, the [variables] could all appear the same (5 + 2 = 7) when removing the decimal placeholder and extra numerical detail, and thus the computation could equate with the initial example even though having this extra data that is invisible or left unconsidered in a given model- due to limits or boundaries and the ability of an observer to account for that level of detail. in this way, if the resulting calculation is concurrently rounded-off in parallel, the same calculation would be as follows: [5.1] + [2.8] = [8] further, if the initial variables were slightly different still, yet another result could occur in this seemingly contained ~"objective" framework... [5.7] + [2.9] = [8.6] or: [5.7] + [2.9] = [9] what this seeks to convey is that if a boundary were to exist within the structural analysis of the code that allowed a floating decimal yet this was hidden, that extra data could be carried in parallel with an equation that could be calculated across a range of outputs due to its variability as evaluated, via limits or boundaries or threshold conditions. not only as a calculation of number, though, as a likely basis for security exploits in that this is how estimation and approximation of variables in pseudo-truth inherently function, that extra-missing part is never accounting for, and it can be the majority of a viewpoint when dealing with words themselves. in this way, the output could vary, given boundaries: [5] + [2] = [7|8|9] that is, if there is some approximation going on, that could be hidden or unaccounted for in each [variable] that is still used for computation or hidden analysis. such that only 5 is accounted for (not 5.2), due to a limit or ambiguous framework, yet could enable other computations to occur. in this way: [~x] + [~y] = [~z] insofar as boundaries may be exploited, in terms of number, which can thus transform the assumption of A=A mathematics into A=B mathematics by default of this missing detail or its shifting, especially if due to confusion or the incapacity to account for what is occurring (perhaps chaos, even, if designed this way). thus ~complexity, paradox, ambiguity as these relate to and potentially exploit conditions of partial truth. this and, in all ways, the use of named variables as SIGNs to denote or connect these to numeral values, as if grounded by default. yet it is not simply to start with A=A correspondence yet is ideologically believed to. instead it is fallacy yet used to govern the world via false perspective --- other --- regarding the HIOX signaling display for bit sets, it would be possible to also connect such display signage with a sensor that could effect and-or influence the sign, updating it via a stream of variability, perhaps much like airport or train station or stock market signage that tallies data anew, or towards a weather station diagnostic recording various parameters though it could be abstracted, and thus sensor data could push through the data matrices and potentially influence or function as an random number generator or, if signs are somehow linked together, a random even generator that could have implicit nervous system connections between chaotic data structures in remote locations, as if entangled, changing, shifting, yet in some dynamics or dimensions stable or able to queue in and out of this state so that the signage itself could remain [variable] as a meta bit set and thus perhaps like rolling code or some waterfall, going through this into another hidden realm, thus needing to get past it to gain access, or that it such randomness or variability functions as a boundary or refresh state that can recombine or alter its structure given input or keys, etc. in this way, tallying chaos. providing context for other crypto structure. --- note on list culture --- (who knew cypherpunks was an underground comedy venue...) Häxan, The Seventh Seal, Mars ⚖ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 33153 bytes Desc: not available URL: From coderman at gmail.com Sat Oct 5 23:43:05 2013 From: coderman at gmail.com (coderman) Date: Sat, 5 Oct 2013 23:43:05 -0700 Subject: [14] random non-random In-Reply-To: References: Message-ID: On Sat, Oct 5, 2013 at 9:26 PM, brian carroll wrote: >... > --- note on list culture --- > > (who knew cypherpunks was an underground comedy venue...) only the singularity would find humor in this list and convey the observation with an n-gram model of such impressive Jaccard distance! ... (o_Ô) From grarpamp at gmail.com Sat Oct 5 23:25:57 2013 From: grarpamp at gmail.com (grarpamp) Date: Sun, 6 Oct 2013 02:25:57 -0400 Subject: A CEO who resisted NSA spying is out of prison. In-Reply-To: <1380913178.94018.YahooMailNeo@web141201.mail.bf1.yahoo.com> References: <20131004094627.GF10405@leitl.org> <20131004100232.GA3061@netbook.cypherspace.org> <524EA5B7.5040609@echeque.com> <1380913178.94018.YahooMailNeo@web141201.mail.bf1.yahoo.com> Message-ID: $5000 to just enter not guilty and likely pay an attorney to defend it / accept dismissal may seem realistic. Thing is, that doesn't leave much payout to defendant. And a fair number of those pleas will be going to trial. That entails conviction risk, and regardless of time dealt, that risk will carry a higher price. > It could be arranged as a charitable contribution ('to encourage > employment of the jury system',) and thus be tax-deductible. Nonprofits, NGO's and crowdfunding appear to be a hot ticket these days. Set one up, pick some jurisdiction somewhere, camp out on the courthouse steps with your cash and attorneys in hand and see what works. Also, no figures were presented regarding cost per case in court system. That matters too. You might be initially faster to jam it, but don't be too sure they won't deputize and set up courts on the front lawn in response. You might have better success paying that $5k to vote however you want them to for the next decade (say defunding things) after their case/time as it might currently go is up. Or as someone said, run nullification TV ads and mailing campaigns. Etc. Not sure what this has to do with cypherpunks, unless you count anonymous bitcoin donations from these CEO's, etc to your project. Last, Joe crack dealer isn't newsworthy or profitable and will be let go to make a docket slot for Joe CEO. So you might have trouble getting funded from that sector without some rethink. From coderman at gmail.com Sun Oct 6 06:19:53 2013 From: coderman at gmail.com (coderman) Date: Sun, 6 Oct 2013 06:19:53 -0700 Subject: SilkRoad coins Message-ID: On Wed, Oct 2, 2013 at 11:56 AM, coderman wrote: > ... > i would be interested to know what coin addresses were seized, and how > they are used going forward (if it all?). they moved the coins to new wallet(s) and who knows what happens to them next... http://blockchain.info/address/1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX?sort=1 http://blockchain.info/unspent?active=1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX&format=html From jya at pipeline.com Sun Oct 6 06:51:29 2013 From: jya at pipeline.com (John Young) Date: Sun, 06 Oct 2013 09:51:29 -0400 Subject: [tor-talk] Silk Road taken down by FBI In-Reply-To: <20131006122841.GZ10405@leitl.org> References: <20131006122841.GZ10405@leitl.org> Message-ID: This October 2, 2013, complaint describes US officials tracking a Silk Road narcotics vendor on- and off-line: http://cryptome.org/2013/10/sadler-white-complaint.pdf From dmarti at zgp.org Sun Oct 6 11:11:46 2013 From: dmarti at zgp.org (Don Marti) Date: Sun, 6 Oct 2013 11:11:46 -0700 Subject: [linux-elitists] Browser fingerprinting Message-ID: <20131006181146.GA21225@zea.gateway.2wire.net> Corporate speak: "Tawakol and Ingis both said the new technology, which is still under development, would allow companies to use alternative approaches that are sometimes called statistical or probabilistic tracking, while remaining in compliance with industry privacy standards." Translation: "Fine, you smug cookie-blocking nerds. We're going to go all browser fingerprinting on you." http://blog.sfgate.com/techchron/2013/10/04/ad-groups-prepare-for-cookieless-future-develop-opt-out-tool-for-alternative-tracking/ Mozilla has been working on cleaning up the third-party cookie problem, and making a dent in it, as you can tell by the complaints from the creepy adtech business. Unfortunately, Firefox appears to be highly fingerprintable. https://panopticlick.eff.org/ says "Your browser fingerprint appears to be unique among the 3,458,043 tested so far." Ouch. Got to get my act together here. But of course the more that I customize, the more unique my browser looks. Who's got a browser that comes up reasonably generic on Panopticlick, and what did you do? -- Don Marti +1-510-332-1587 (mobile) http://zgp.org/~dmarti/ Alameda, California, USA dmarti at zgp.org _______________________________________________ Do not Cc: anyone else on mail sent to this list. The list server is set for maximum one recipient. linux-elitists mailing list linux-elitists at zgp.org http://zgp.org/cgi-bin/mailman/listinfo/linux-elitists ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From eugen at leitl.org Sun Oct 6 03:02:24 2013 From: eugen at leitl.org (Eugen Leitl) Date: Sun, 6 Oct 2013 12:02:24 +0200 Subject: John Lanchester on the Snowden files (Guardian) Message-ID: <20131006100224.GR10405@leitl.org> ----- Forwarded message from Patrice Riemens ----- From eugen at leitl.org Sun Oct 6 03:03:49 2013 From: eugen at leitl.org (Eugen Leitl) Date: Sun, 6 Oct 2013 12:03:49 +0200 Subject: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3? Message-ID: <20131006100348.GS10405@leitl.org> ----- Forwarded message from Phillip Hallam-Baker ----- Date: Fri, 4 Oct 2013 09:57:39 -0400 From: Phillip Hallam-Baker To: Alan Braggins Cc: "cryptography at metzdowd.com" Subject: Re: [Cryptography] Crypto Standards v.s. Engineering habits - Was: NIST about to weaken SHA3? Message-ID: On Thu, Oct 3, 2013 at 5:38 AM, Alan Braggins wrote: > On 02/10/13 18:42, Arnold Reinhold wrote: > >> On 1 Oct 2013 23:48 Jerry Leichter wrote: >> >> The larger the construction project, the tighter the limits on this >>> stuff. I used to work with a former structural engineer, and he repeated >>> some of the "bad example" stories they are taught. A famous case a number >>> of years back involved a hotel in, I believe, Kansas City. The hotel had a >>> large, open atrium, with two levels of concrete "skyways" for walking >>> above. The "skyways" were hung from the roof. As the structural engineer >>> specified their attachment, a long threaded steel rod ran from the roof, >>> through one skyway - with the skyway held on by a nut - and then down to >>> the second skyway, also held on by a nut. The builder, realizing that he >>> would have to thread the nut for the upper skyway up many feet of rod, made >>> a "minor" change: He instead used two threaded rods, one from roof to >>> upper skyway, one from upper skyway to lower skyway. It's all the same, >>> right? Well, no: In the original design, the upper nut holds the weight >>> of just the upper skyway. In the m >>> >> o > >> di >> >>> fied version, it holds the weight of *both* skyways. The upper >>> fastening failed, the structure collapsed, and as I recall several people >>> on the skyways at the time were killed. So ... not even a factor of two >>> safety margin there. (The take-away from the story as delivered to future >>> structural engineers was *not* that there wasn't a large enough safety >>> margin - the calculations were accurate and well within the margins used in >>> building such structures. The issue was that no one checked that the >>> structure was actually built as designed.) >>> >> >> This would be the 1981 Kansas City Hyatt Regency walkway collapse ( >> http://en.wikipedia.org/wiki/**Hyatt_Regency_walkway_collapse >> **) >> > > Which says of the original design: "Investigators determined eventually > that this design supported only 60 percent of the minimum load required by > Kansas City building codes.[19]", though the reference seems to be a dead > link. (And as built it supported 30% or the required minimum.) > > So even if it had been built as designed, the safety margin would not > have been "well within the margins used in building such structures". The case is described in Why Buildings Fall Down. The original design was sound structurally but could not be built as it would have required the entire length of the connection rod to be threaded. There was no way to connect one structure to the other. The modified design could be built but had a subtle flaw: the upper skyway was now holding the entire weight of both The strength of the joint was unaffected by the change but the load on the joint doubled. We see very similar effects in cryptographic systems. But the main problem is that our analysis apparatus focuses on the part of the problem we know how to analyze rather than the part of the problem that fails most often. Compare the treatment of coding errors in cryptographic software and the treatment of CA mis-issue. Coding errors are much more likely to impact the end user and much more likely to occur. But those get a free pass. Nobody has ever suggested that the bugs in Sendmail in the early 1990s should have stopped people using the product (OK apart from me). But seven mis-issued certificates and there is a pitchfork wielding mob outside my house. The fact that the Iranian Revolutionary Guard has a web site filled with hijacked software that is larded up with backdoors completely missed the attention of most of the people worrying about the seven certificates, all of which were revoked within minutes and would be rejected by any browser that implemented revocation checking like they should. But much easier to flame on about the evils of CAs than ask why the browser providers prefer shaving a few milliseconds off the latency of their browser response than making their customers secure. Oh and it seems that someone has murdered the head of the IRG cyber effort. I condemn it without qualification. There are many people who have a vested interest in keeping wars and confrontations going. There are many beltway contractors who stand to make a lot of money if they can persuade the US people to fund a fourth branch of the military to fight cyber wars and fund it as lavishly as they have foolishly funded the existing three. A trillion dollars a year spent on bombs bullets and death is no cause for pride. Nobody should ever carry a gun or wear a military uniform with anything other than shame for the fact that our inability to solve our political issues without threat of violence makes it necessary. We do not need to spend hundreds of billions more on a new form of warfare. But there are many who would get a lot richer if we did. As Eisenhower observed, spending too much on the military makes the country less safe. If politicians believe their war machine is invincible, some stupid fool is going to use it just because they can. Just like the last President did. At the end of the cold war when the Soviet Union was on its knees, so was Margaret Thatcher, begging Gorbachev to send the tanks into East Berlin and stop the collapse of the enemy that her world was built in opposition to. And Thatcher claimed to be speaking for the other Western leaders as well. I have the transcript of the meeting if anyone is interested. While most of the information on the Comodo attack is in the public domain there is some that was with-held. The reason was not to protect Comodo but to protect the attacker in the unlikely event that they were actually telling the truth and they were acting outside government direction. The chance is very small but if they were acting on their own initiative and had diverted the entire Iranian Internet they would risk a long prison sentence, possibly a capital sentence if they were caught. I am not going to provide the Iranian authorities with information that could assist them in that even if the guy had attacked us. One of the more ridiculous spectacles resulting from PRISM is the parade of establishment worthies telling us that we don't need to be worried about the government intercepts and we should not worry our silly heads about matters that are too complex to understand. Well I knew quite a few members of the British cabinet when they were up at Oxford, I have known politicians all my life, my cousin was a cabinet member, I have met world leaders and acknowledged leading foreign policy experts. That experience gives me absolutely no confidence in the establishment worthies. -- Website: http://hallambaker.com/ _______________________________________________ The cryptography mailing list cryptography at metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: Digital signature URL: From eugen at leitl.org Sun Oct 6 05:03:54 2013 From: eugen at leitl.org (Eugen Leitl) Date: Sun, 6 Oct 2013 14:03:54 +0200 Subject: Two million 'internet opinion analysts' Message-ID: <20131006120354.GT10405@leitl.org> ----- Forwarded message from nettime's avid reader ----- From eugen at leitl.org Sun Oct 6 05:06:17 2013 From: eugen at leitl.org (Eugen Leitl) Date: Sun, 6 Oct 2013 14:06:17 +0200 Subject: [cryptography] the spell is broken Message-ID: <20131006120616.GV10405@leitl.org> ----- Forwarded message from Jeffrey Goldberg ----- From eugen at leitl.org Sun Oct 6 05:28:41 2013 From: eugen at leitl.org (Eugen Leitl) Date: Sun, 6 Oct 2013 14:28:41 +0200 Subject: [tor-talk] Silk Road taken down by FBI Message-ID: <20131006122841.GZ10405@leitl.org> ----- Forwarded message from mirimir ----- From eugen at leitl.org Sun Oct 6 05:44:14 2013 From: eugen at leitl.org (Eugen Leitl) Date: Sun, 6 Oct 2013 14:44:14 +0200 Subject: [tor-talk] Tips for configuring and using Tor for anonymous Bitcoin usage? Message-ID: <20131006124414.GA10405@leitl.org> ----- Forwarded message from mirimir ----- Date: Thu, 03 Oct 2013 21:12:42 +0000 From: mirimir To: tor-talk at lists.torproject.org Subject: Re: [tor-talk] Tips for configuring and using Tor for anonymous Bitcoin usage? Message-ID: <524DDDCA.3050900 at riseup.net> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0 Reply-To: tor-talk at lists.torproject.org On 10/03/2013 05:45 PM, author at anonymousbitcoinbook.com wrote: > Hey all, > > I'm writing a book about the use of Bitcoin and anonymity. A fair > portion of the book will be dedicated to teaching people how to most > safely use Tor to facilitate anonymity with Bitcoin. Are there any > special tips that people have for configuring Tor or using Tor when > it comes to Bitcoin? I'll have tutorials online "soon" (not in my hands) that cover this in great detail. I recommend mixing through at least three different mixing services, using independent anonymous wallets. > Right now, I'm recommending the use of a LiveCD Linux distro > (Ubuntu) with TorBundle for Linux and the vanilla Bitcoin client for > Linux. A couple tips I'm already aware of are to disable JavaScript > before using (since NoScript currently defaults to being on :() and > to avoid downloading files through the web browser such as PDF > documents. I recommend using Whonix with the Multibit client. The vanilla Bitcoin client downloads the full blockchain, which is far too much for Tor. It's comparable to torrenting an 8 GB video. Multibit is a local client, under user control, but doesn't download the blockchain. It's the recommended default now. > In particular, I'm curious 1) if there needs to be special > configuration to ensure that all DNS request go through Tor, and 2) > whether I can configure the system not to send any internet message > except through the Tor proxy. As I understand Whonix, it's designed not to leak. But I defer to adrelanos for specifics. > Regards, Kristov -- tor-talk mailing list - tor-talk at lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: Digital signature URL: From eugen at leitl.org Sun Oct 6 05:45:19 2013 From: eugen at leitl.org (Eugen Leitl) Date: Sun, 6 Oct 2013 14:45:19 +0200 Subject: [liberationtech] As F.B.I. Pursued Snowden, an E-Mail Service Stood Firm Message-ID: <20131006124519.GB10405@leitl.org> ----- Forwarded message from Michael Allan ----- From eugen at leitl.org Sun Oct 6 05:46:20 2013 From: eugen at leitl.org (Eugen Leitl) Date: Sun, 6 Oct 2013 14:46:20 +0200 Subject: [cryptography] the spell is broken Message-ID: <20131006124620.GC10405@leitl.org> ----- Forwarded message from Jon Callas ----- From eugen at leitl.org Sun Oct 6 05:59:13 2013 From: eugen at leitl.org (Eugen Leitl) Date: Sun, 6 Oct 2013 14:59:13 +0200 Subject: [cryptography] A question about public keys Message-ID: <20131006125913.GH10405@leitl.org> ----- Forwarded message from "James A. Donald" ----- From eugen at leitl.org Sun Oct 6 06:03:05 2013 From: eugen at leitl.org (Eugen Leitl) Date: Sun, 6 Oct 2013 15:03:05 +0200 Subject: [cryptography] the spell is broken Message-ID: <20131006130305.GI10405@leitl.org> ----- Forwarded message from Peter Gutmann ----- From eugen at leitl.org Sun Oct 6 06:07:07 2013 From: eugen at leitl.org (Eugen Leitl) Date: Sun, 6 Oct 2013 15:07:07 +0200 Subject: [cryptography] the spell is broken Message-ID: <20131006130707.GJ10405@leitl.org> ----- Forwarded message from Jeffrey Goldberg ----- Date: Thu, 3 Oct 2013 20:26:00 -0500 From: Jeffrey Goldberg To: Jon Callas Cc: "cryptography at randombit.net" Subject: Re: [cryptography] the spell is broken Message-Id: <601145B1-5C4B-4E27-AD30-6445B8436DE0 at goldmark.org> X-Mailer: Apple Mail (2.1811) Jon, first of all thank you for your extremely thoughtful note. I suspect that we will find that we don’t actually disagree about much, and also my previous rant was driven by the general anger and frustration that all of us are experiencing. That is, I amy have been misdirecting my anger at the whole situation at you, a fellow victim. On 2013-10-03, at 4:31 PM, Jon Callas wrote: > You might call it "security theatre," but I call it (among other things) "protest.” I would put it more strongly than that. I think that NIST needs to be punished. Even if Dual_EC_DRBG were their only lapse, any entity that has allowed themselves to be used that way should be forced to exit the business of being involved in making recommendations on cryptography. I don’t have to think that they are bad people or even that they could have prevented what happened. But I think there needs to be an unambiguous signal to every other (potential) standards body about what happens if you even think of allowing for the sabotage of crypto. I imagine that everyone is looking at public protocols for picking curves now. Everyone is looking at how every step in the establishment of a recommendation can be made provably transparent. That is all a good thing, and it does require that NIST pay dearly. But it isn’t a trust issue. I don’t “trust” the NIST less than I trust any other standard’s body. The need to be put out of the crypto business as a signal and deterrent to others, but not because they are inherently less trustworthy. But not using AES is a protest that hurts only ourselves. It doesn’t punish where punishment is needed. > I have also called it "trust," "conscience," and other things including "emotional." I'm willing to call it "marketing" in the sense that marketing often means non-technical. Agreed. > I disagree with "security theatre" because in my opinion security theatre is *empty* or *mere* trust-building, I still think the term is appropriate, and indeed I think that your sentence about conscience and emotions actually reinforces my claim that it is theater. But I think that it is largely a definitional question which isn’t worth pursuing. I’m using the term in a slightly different way than you are. > but I don't fault you for being upset. I don't blame you for venting in my direction, either. I will, however, repeat that I believe this is something gentlepersons can disagree on. A decision that's right for me might not be right for you and vice-versa. Absolutely! Although I still stand by my “security theater” statement, I think I also mean it less pejoratively than it came across. Anyone (including me and the company that I work for) who has moved to 256 bit symmetric keys is engaging in “security theater” in my sense of the word. It’s nothing to be particularly proud of, but it doesn’t make us the TSA either. > > Since the AES competition, NIST has been taking a world-wide role in crypto standards leadership. Yep. And (sadly) that has go. As I said, they need to pay a heavy price so that it is absolutely clear that some behaviors are beyond the pale. > A good standard, however, is not necessarily the *best*, it's merely agreed upon. That’s true. > I think Twofish is a better algorithm than Rijndael. OK. I was flat out wrong. I was ignorant of your longstanding view of ciphers. I’m not competent to really have an opinion about whether your judgement is correct there, but that isn’t relevant. I thought Twofish was pulled out of a hat. I was wrong. And I also apologize for accusing you of pulling Twofish out of hat. > ZRTP also has in it an option for using Skein's one-pass MAC instead of HMAC-SHA1. Why? Because we think it's more secure in addition to being a lot faster, which is important in an isochronous protocol. I agree that if you are changing ciphersuites, it’s as good a time as any to move to a SHA-3 candidate. And as there some questions that need to be answered about official SHA-3, I’m happy with Skein. Again, I’m not competent to judge the relative merits of SHA-3 candidates. > Silent Phone already has Twofish in it, and is already using Skein-MAC. Ah. So yes, we are in very different starting places. Your choice seems very reasonable. > In Silent Text, we went far more to the "one true ciphersuite" philosophy. I think that Iang's writings on that are brilliant. > > As a cryptographer, I agree, but as an engineer, I want options. I think I am in a different position. I’m neither an engineer nor a cryptographer. I’m the guy who can kinda sorta read bits of the cryptography literature and advise the engineers on what to do with respect to using these tools. And what we decide affects the security of a very large number of users. So for me, the “one true ciphersuite” notion was ideal. I could pay attention and follow the consensus advice. You may be competent to, say, pick Skein over Blake for some particular purpose, but I’m not. And I don’t want to have to make those choices. Not only is it that I don’t want to make such choices, but you shouldn’t want me to either. You don’t want me and zillions of application developers to be making such choices. So the loss of “one true ciphersuite”. Think about it, it’s taken a decade to get typical application developers to understand that for many purposes you can’t just use SHA1, but you need to contain it in HMAC. Now they are going to have to unlearn that for the new class of hash algorithms. If we are forced from the Eden of one true ciphersuite, we may end up with people who really aren’t competent to judge picking algorithms out of a hat. So, I guess that some of my frustration that I’m taking out in various directions is rooted in that. Expelled from the paradise of one true ciphersuit, I have the responsibility to choose between the good and the bad didn’t get enough to eat from the tree of knowledge. > One True Suite works until that suite is no longer true, and then you're left hanging. Yep. I was certainly aware of the risks, but I guess I took a bit of a CYA approach. If people spent enormous amounts of money building certain things into chips, they surely would have investigated very carefully before making such a commitment. (I should say that it really isn't CYA; I want to make the best choices for our customers. I also am intensely curious about this stuff, even if I’m not a cryptographer by any means.) > Now let me go back to my comment about standards. Standards are not about what's *best*, they're about what's *agreed*, and part of what's agreed on is that they're good enough. When one is part of a standards regime, one sublimates one's personal opinions to the collective good of the standard. Yes. I fully agree. And I agree that there were things that went into the selection of Rijndael that may not be what I would chose. I fully get that. But having been selected more than a decade ago, AES has been subject to far far more scrutiny than anything else. As a consequence, I think that the gap between our understanding of AES and the NSA’s is smaller than the gap for lesser studied ciphers. So I’m not talking about following the standard as soon as the winner is declared, but the benefits of it having been the standard for so long decrease my uncertainty about it. > That collective good of the standard is also "security theatre" in the sense that one uses it because it's the thing uses to be part of the community. I can see how that might be the case under an even looser definition than I was using, but I’m not really buying it in this case. > I think Twofish is better than AES. I believe that Skein is better than SHA-2. I also believe in the value of standards. Acknowledged. I had misjudged your motivations, and in a fairly insulting way. I appreciate the grace in your response. > The problem one faces with the BULLRUN documents gives a decision tree. The first question is whether you think they're credible. If you don't think BULLRUN is credible, then there's an easy conclusion -- stay the course. If you think it is credible, then the next decision is whether you think that the NIST standards are flawed, either intentionally or unintentionally; in short, was BULLRUN *successful*. If you think they're flawed, it's easy; you move away from them. My take is that BULLRUN was successful in parts. I’m not sure whether the count Dual_EC_DRBG as a success or not, as problems with it were discovered early. It stank from the outset and BULLRUN just confirmed that the stink had a nasty source. Leaving RSA Inc aside, no one really needed to change ciphersuites. Yet it was that revelation that sent me reeling. So the question which other standards *could* they have gotten away with subverting. Quite simply not everything has the kind of math that Dual_EC_DRBG has and not everything has the same “gaps” in the history of where certain things come from. You seem to be suggesting that if BULLRUN was successful anywhere, then it was successful everywhere (and they tried it with everything). Furthermore, at least with AES, you seem to be assuming that if BULLRUN was successful in a case in 2006, then it was also done successfully before 2001. And so when looking at which things I need to move away from, I have to judge the risks that they’ve been compromised in light of all of the information that we have. The new information was confirmation that at least after 2001, the NSA was willing and able to subvert at least one NIST cryptographic standard. I have to integrate that piece of exceedingly distressing news in light of everything else we know about the things I rely on. And so this is what we rely on: AES, SHA-2, and the (alleged) CSPRNGs in commercial operating systems. Looking at those realistically, my energies haven’t been focused on looking for replacements for AES and SHA2, but how to deal with potentially malicious CSPRNGs from Apple and Microsoft. So my focus on improving key generation against undetectably malicious CSPRNGs. > The hard decision is the one that comes next -- I can state it dramatically as "Do you stand with the NSA or not?" which is an obnoxious way to put it, as there are few of us who would say, "Yes, I stand with the NSA." You can phrase less dramatically it as standing with NIST, or even less dramatically as standing with "the standard." You can even state it as whether you believe BULLRUN was successful, or lots of other ways. I’m sorry, but that I have to reject. That is an all or nothing absolutism that I not only think is wrong, but is pernicious. “If you don’t take my position on all things that have come out of NIST you are a stooge for the NSA”. I really don’t think that is something you want to be saying. > Moreover, it's not all-or-nothing. Bernstein and Lange have been arguing that the NIST curves are flawed since before Snowden. Lots of people have been advocating moving to curve 25519. I want a 384-or-better curve because my One True Curve has been P-384. Ah. Good. You are not taking an all-or-nothing position. I seem to have misread something then. I concur about P-384. Were we using elliptic curves, I would be advocating the same move. > If I'm going to move away from the NIST/NSA curve (which seems wise), what about everything else? This isn’t a philosophical or judgement difference between us. It’s just a technical starting place, but > Conveniently, I happen to have alternates for AES and SHA-2 in my back pocket, where they've been *alternates* in my crypto going back years. They're even in part of the software, sublimated to the goodness of the standard. The work is merely pulling them to the forefront and tying a bow around it. OK. You have persuaded me that you are making the right choice for your situation. > And absolutely, this is an emotional response. It's protest. Intellectually, I believe that AES and SHA2 are not compromised. Emotionally, I am angry and I want to distance myself from even the suggestion that I am standing with the NSA. As Coderman and Iang put it, I want to *signal* my fury. I am so pissed off about this stuff that I don't *care* about baby and bathwater, wheat and chaff, or whatever else. I also want to signal reassurance to the people who use my system that yes, I actually give a damn about this issue. So do I. So do I. I am furious. And I want to let the world know. And most importantly, I want to do what I can to make sure that nothing like this happens again. I wrote at top what kind of signal I think is needed for that. > I admire your cool head, Don’t mistake it for lack of anger. > but I have to stand over there. I apologize for angering you, but I'm not sorry. No apology needed. And I once again apologize for thinking and saying that you made your ciphersuite choices naively. And again, thank you for this discussion. Cheers, -j _______________________________________________ cryptography mailing list cryptography at randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: Digital signature URL: From wb8foz at nrk.com Sun Oct 6 16:56:12 2013 From: wb8foz at nrk.com (David) Date: Sun, 06 Oct 2013 19:56:12 -0400 Subject: trusted computing? In-Reply-To: References: Message-ID: <5251F89C.2090601@nrk.com> On 10/6/13 7:37 PM, Juan Garofalo wrote: > > > What about implementing aes or similar in something like a stm32 arm? > > The micro is interfaced to a keyboard and a lcd text display. Then you > can type your emails or chat messages, have them encrypted in the arm > micro, and sent through usb to a non-trusted host pc(or whatever) for > delivery. I have sometimes fed by paranoia cells by imagining such a separate secure machine interconnected via a rather hard-to-hack link: Taylor UUCP. I guess that reveals my age, and the fact most of my ideas are, well... not always practical. From juan.g71 at gmail.com Sun Oct 6 16:37:04 2013 From: juan.g71 at gmail.com (Juan Garofalo) Date: Sun, 06 Oct 2013 20:37:04 -0300 Subject: trusted computing? Message-ID: What about implementing aes or similar in something like a stm32 arm? The micro is interfaced to a keyboard and a lcd text display. Then you can type your emails or chat messages, have them encrypted in the arm micro, and sent through usb to a non-trusted host pc(or whatever) for delivery. From l at odewijk.nl Sun Oct 6 11:42:00 2013 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Sun, 6 Oct 2013 20:42:00 +0200 Subject: SilkRoad coins In-Reply-To: References: Message-ID: Imagine the dollar falls completely and the US economy switches to BTC. Even then the US still has a huge amount of "money". Haha. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 162 bytes Desc: not available URL: From jamesdbell8 at yahoo.com Sun Oct 6 21:57:57 2013 From: jamesdbell8 at yahoo.com (Jim Bell) Date: Sun, 6 Oct 2013 21:57:57 -0700 (PDT) Subject: A CEO who resisted NSA spying is out of prison. In-Reply-To: References: <20131004094627.GF10405@leitl.org> <20131004100232.GA3061@netbook.cypherspace.org> <524EA5B7.5040609@echeque.com> <1380913178.94018.YahooMailNeo@web141201.mail.bf1.yahoo.com> Message-ID: <1381121877.79525.YahooMailNeo@web141202.mail.bf1.yahoo.com> From: grarpamp Subject: Re: A CEO who resisted NSA spying is out of prison. >$5000 to just enter not guilty and likely pay an attorney to defend >it / accept dismissal may seem realistic. Thing is, that doesn't >leave much payout to defendant. And a fair number of those pleas >will be going to trial. That entails conviction risk, and regardless >of time dealt, that risk will carry a higher price. You are looking at this idea from the standpoint of a single defendant.  I am looking at this from the standpoint of the entire (U.S. federal) court system.  I am aware that most defendants will, in fact, be guilty of the crime charged.  Ordinarily, what happens is that the prosecution offers a plea deal that they consider realistic, and the defendant eventually agrees to some deal, with no trial involved.  That is why about 70,000 new defendants get convicted in the Federal system each year:   As I recall reading, about 3,500 demand, and receive, jury trials.  The remainder, 66,500, are convicted through plea deals.  Currently, many and in fact most of these defendants consider themselves fated to be convicted, and they see no 'upside' to pleading not-guilty and receiving a trial.  But I propose that an amount, for purposes of argument $5,000, be offered.  It will be paid after the defendant enters a not-guilty plea to a Federal felony,  and is sentenced (if he is convicted) or after he is acquitted.  Further, the defendant may direct that the money be paid to a third party, but NOT any government agency, court, or otherwise.     Many defendants who are already resigned to being convicted may have little or no money:  To them, an offer of $5,000 is an amazing windfall.  A person who is facing a (current average) sentence of 3 years (36 months) would get $5000/36 months, or $139 dollars per month, which buys a substantial amount of commissary.  (In prison, they have a store called a 'commissary', where they sell food, clothing, shoes, electronics, OTC medicine, etc.  Prisoners who have this much money live much happier lives in prison, compared to those who don't.)  He has a powerful motivation to accept the money.  Moreover, he knows that every other defendant is being offered the same deal.  He knows that if he pleads not guilty and demands and receives a jury trial, which is his right, he will receive the money.    He will get the money...AFTER he receives the trial.   He will, if necessary, be defended by a 'Federal Public Defender', who is paid by the government.  >> It could be arranged as a charitable contribution ('to encourage >> employment of the jury system',) and thus be tax-deductible. >Nonprofits, NGO's and crowdfunding appear to be a hot ticket these >days. Set one up, pick some jurisdiction somewhere, camp out on the >courthouse steps with your cash and attorneys in hand and see what >works. Well, that's the general idea.  But most of the work will be done by mail:  New cases can be discovered using a system called PACER  (www.pacer.gov) which allows anyone to identify new criminal (or civil, which is irrelevant here) cases.  Form-letters can be sent to defendants, and their attorneys.  >Also, no figures were presented regarding cost per case in court >system. That matters too. You might be initially faster to jam it, >but don't be too sure they won't deputize and set up courts on the >front lawn in response.     Cost-per-case won't be especially relevant.  While the number of physical courtrooms is one limitation, more important is the fact that it is very hard to put on a jury trial.  There is a lot of paperwork, witnesses must be corralled, jurors must be selected.  It ties up a lot of people for days.  Further, the Federal courts are already clogged with civil cases:  There simply is not a lot of 'give' in the current Federal Court system to add a flood of new cases.  Even if, hypothetically, the number of trials could be doubled, from 3,500 to 7,000, that would still be a reduction of a factor of 10 from today's 70,000 defendants.   While it is still conceivable that some defendants will take deals anyway, those deals will probably have to be much better than would have previously been given.     There is also an addition 'attack' that can be added, if it turns out to be desirable.  Regrettably, there are many homeless people who, for one reason or another, would actually be better off if they got sentenced to a few months or years in prison.  "Three hots and a cot", so the saying goes.  Doubtless some substantial proportion of prisoners are exactly such people.  But what if it were publicized that a person could do a 'note-robbery' of a bank, collect the money, and either flee or stay right there, in the bank.  They will get $5,000 after a Federal felony trial.  For some of these people (tens of thousands?) this would amount to a very attractive offer.  It would even more thoroughly flood the Federal 'justice' system. >You might have better success paying that $5k to vote however you >want them to for the next decade (say defunding things) after their >case/time as it might currently go is up. Or as someone said, run >nullification TV ads and mailing campaigns. Etc. >Not sure what this has to do with cypherpunks, unless you count >anonymous bitcoin donations from these CEO's, etc to your project.     If you had made this claim 8 months ago, you would have been widely seen as having a valid point.  The problem is, a lot has happened since then, primarily flowing from Snowden's leaks.  Storage of most/all emails, backdoors in encryption systems, cell-phone metadata collection and (possibly) cell-site location monitoring, as well.  Ultimately, most of the stories contain a 'then X was served with a subpoena', or 'somebody was leaned on by the Feds', or 'the ISP was convinced to turn over secret information'.   These events had their negative consequences because some government had the power to extort cooperation.   Even if the public doesn't hear about these details, they exist.  The power of government is the ability to threaten people or companies with compliance, sometimes (but not always) because they did something illegal, even if they did nothing wrong.  See, for example, Joseph Nacchio, Quest CEO who was victimized apparently for refusal to turn over phone data.      We don't advocate encryption simply because it's fun:  We advocate encryption because it has a tendency to either defeat, or make it harder for, the enemy.  And 'the enemy', more times than not, is a government.  And if that 'enemy' has the ability to threaten, to strongarm, to 'rubber-hose' either our allies or the people we turn to for services, our positions are vastly more tenuous.  >Last, Joe crack dealer isn't newsworthy or profitable and will be >let go to make a docket slot for Joe CEO. So you might have trouble >getting funded from that sector without some rethink. There is no doubt that ultimately, there WILL be some prosecutions, some of which are high-level prosecutions.  Keep in mind that as a libertarian, I would be ecstatic if the Federal government totally lost the ability to enforce anti-drug laws.  But I think that it would be possible to do more than that:  To disable governments' ability to act in any and all ways that violate libertarian principle.  And,  I would rather take my chances if 93% of the prosecutions are disabled, than if 0% are disabled.  I think you need to consider this matter quantitatively, not merely qualitatively.           Jim Bell -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 10936 bytes Desc: not available URL: From coderman at gmail.com Mon Oct 7 00:09:04 2013 From: coderman at gmail.com (coderman) Date: Mon, 7 Oct 2013 00:09:04 -0700 Subject: [linux-elitists] Browser fingerprinting In-Reply-To: <20131007060756.GX10405@leitl.org> References: <20131007060756.GX10405@leitl.org> Message-ID: On Sun, Oct 6, 2013 at 11:07 PM, Eugen Leitl wrote: > ... > Who's got a browser that comes up reasonably generic > on Panopticlick, and what did you do? Tor Browser... just use it in an isolated environment like Qubes, Whonix, Tails, etc. From coderman at gmail.com Mon Oct 7 01:16:54 2013 From: coderman at gmail.com (coderman) Date: Mon, 7 Oct 2013 01:16:54 -0700 Subject: [linux-elitists] Browser fingerprinting In-Reply-To: References: <20131007060756.GX10405@leitl.org> Message-ID: On Mon, Oct 7, 2013 at 12:09 AM, coderman wrote: > [... re: panopticlick ... ] > Tor Browser... just use it in an isolated environment like Qubes, > Whonix, Tails, etc. to be clear, this is true when running Tor and the browser on the same computer, or having a Tor router / proxy appliance that you connect to as transparent proxy. in the latter case, you would still be best served by running a copy of the Tor Browser in "Transparent Tor" mode[0], which delegates routing through Tor to another service, while providing a browser environment with all of the useful protections[1] to avoid this very problem and many others. 0. "Tor Browser - Whonix" transparent proxy mode https://www.whonix.org/wiki/Tor_Browser NOTE: even in this mode, you may want to have the Tor router provide local access to the SOCKS port directly. 1. "The Design and Implementation of the Tor Browser" https://www.torproject.org/projects/torbrowser/design/ From electromagnetize at gmail.com Sun Oct 6 23:22:47 2013 From: electromagnetize at gmail.com (brian carroll) Date: Mon, 7 Oct 2013 01:22:47 -0500 Subject: [21] crypto and surveillance Message-ID: // disclaimer: all my posts and diagrams copyright free... a few ideas related to the context for crypto today. there is certain irony in crypto that can be subverted and used to attack or surveil via stealth. reminds of the basic situation with most home electronics, blackboxed. such as IPcams that remain on 24/7/365 and have microphones accessible over the network, compromises built-in. thus to seek security is to extend the hidden security state and its illegal home invasion. solution: five dollar on/off switch, activate security device only when away, and upon return turn it off again, limiting the designed for boundlessness of political technology. 2-Port RJ45 Manual Network Switch https://www.dropbox.com/s/lk7gg8zgf7wxjjj/RJ45switch.JPG the diagrams here reference the following NSA document... The Borders of Cryptology - NSA & Electronic Warfare* http://cryptome.org/2013/09/nsa-cryptology-borders.pdf diagrams created with the excellent software tool yEd... yEd - Graph Editor - yWorks (freeware) http://www.yworks.com/en/products_yed_about.html the question of crypto in a complex environment where it has both offensive and defensive functioning, relating to weak and strong crypto and security ratings crypto (protection & exploitation) https://www.dropbox.com/s/d7jrpilz35dvk4k/graph1v1.gif the paradoxical utility and purpose of compromised crypto that has both strong and weak, secure and insecure characteristics in a complex environment dual-use multilevel crypto https://www.dropbox.com/s/ndwlu9lqf4yvhy9/graph2v1.gif the role of installation and usage errors as related to security and exploits, inherent in complicated or high-literacy approaches crypto implementation flaw https://www.dropbox.com/s/bjofccwrun7lok1/graph3v1.gif this is the direct reference and extension of the NSA diagram above. cryptanalysis was included, Technical Surveillance Countermeasures (TSCM), though likely other domains are missing or perhaps in relational error. improvements or corrections appreciated... Electromagnetic Borders of Cryptology https://www.dropbox.com/s/tp7dbqjbmpscv0h/diagram4v1.gif this is my estimation of the situation today, based on the above technosocial structure. it does not include many aspects and is limited by my lack of awareness and understanding, though makes an attempt at an integrated view of the larger dynamics involved... Context for computer Crypto today https://www.dropbox.com/s/jn73d4d9b5ksz8u/context5v1.gif additional diagrams will follow, surveying aspects of this same territory... --- Grant Hart - You're the Reflection of the Moon On the Water http://www.youtube.com/watch?v=NTH4Zu8gleA ☾ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 3714 bytes Desc: not available URL: From coderman at gmail.com Mon Oct 7 02:57:56 2013 From: coderman at gmail.com (coderman) Date: Mon, 7 Oct 2013 02:57:56 -0700 Subject: [liberationtech] The missing component: Mobile to Web interoperability (in Internet Freedom Technologies) In-Reply-To: References: <52343467.4050701@infosecurity.ch> <52349795.80502@yahoo.com> <5235D710.2090701@yahoo.com> <5235FD26.6060302@briarproject.org> <52369DB1.1020707@yahoo.com> <5238BFA3.6010302@briarproject.org> <523F4A4C.6060909@yahoo.com> <52405C47.1080807@briarproject.org> <5241133B.9000606@yahoo.com> <52419A20.60902@briarproject.org> <524348C2.1070101@yahoo.com> Message-ID: On Wed, Sep 25, 2013 at 9:32 PM, coderman wrote: > [... re: NSA has found a way to break Tor... ] > i suspect it is the latter that is more concerning. of course NSA has > the ability; but do they share it? the recent releases[0] have shown this to be more complicated than expected. in terms of sharing: other domestic agencies and some of the FVEY partners appear to be partially looped in? likely to find out more over the years,... in terms of breaking Tor: the core Tor protocol and network is described repeatedly as difficult to compromise. attacking the client, opportunistic de-anonymization, selective denial of service, and mallory-in-the-middle attacks, all appear extremely effective when they are pointed at Tor users of interest. Tor's dependencies are failing in practice, rather than the network or protocol itself. Roger says the limited number of users targeted is reassuring, “If those documents actually represent what they can do, they are not as big an adversary as I thought,”[1] the lack of widespread de-anonymization of Tor users is an interesting situation. i do not agree that they don't have the ability. other sources clearly show their privileged positioning in the IP core for active attacks as well as the global passive DPI tapping infrastructure technically capable of linking large numbers of Tor users.[2] instead this implies that the other routes to identifying users, particularly taking advantage of the endpoint and operational risks above, are cheaper and more effective. for less effort and resources locate them via side channel tricks, infect them with spyware, and observe what they do pre-encryption-and-pre-proxy directly. it's clear to see why they've been using this approach. [here is where i plug Qubes Tor VM, Tails, Whonix] so after addressing the client side weaknesses, perhaps the elligator datagram based effort[3] will be making progress in time to thwart this new adversary model as the low hanging fruit of Tor client cracking dries up... ;) best regards, 0. NSA Tor dox: http://www.washingtonpost.com/world/national-security/secret-nsa-documents-show-campaign-against-tor-encrypted-network/2013/10/04/610f08b6-2d05-11e3-8ade-a1f23cda135e_print.html http://cryptome.org/2013/10/nsa-iat-tor.pdf http://cryptome.org/2013/10/nsa-tor.pdf http://cryptome.org/2013/10/gchq-mullenize.pdf http://cryptome.org/2013/10/nsa-egotisticalgiraffe.pdf http://cryptome.org/2013/10/nsa-tor-stinks.pdf http://cryptome.org/2013/10/packet-stain/packet-staining.htm 1. "Secret NSA documents show campaign against Tor encrypted network" http://www.washingtonpost.com/world/national-security/secret-nsa-documents-show-campaign-against-tor-encrypted-network/2013/10/04/610f08b6-2d05-11e3-8ade-a1f23cda135e_print.html 2. passing the buck on the math; the details you need: https://metrics.torproject.org/index.html / https://trac.torproject.org/projects/tor/ticket/6443 , answer for the question: what is the probability of picking a guard and exit relay using any of five-eyes-and-their-friendlies AS'es, or that travels transoceanic cables at these points, or uses guard and exit relays hosted at an IX under legally compelled (FVEY) or unaware collaboration (e.g. Belgacom)? 3. sorry, no; there is no Tor datagram protocol in the works yet, however initial considerations are in progress: "Implement and experiment with one or more datagram-based designs" https://trac.torproject.org/projects/tor/ticket/4684 http://www.cl.cam.ac.uk/~sjm217/papers/tor11datagramcomparison.pdf this is summarized as picking from multiple hard to very hard options. i'm fond of even more difficulty, and combining these techniques and others (multi-path SCTP in userspace, client-side traffic shaping/prioritization, stochastic fair queuing and packet reordering, etc) for better protection against traffic analysis and active attacks.... might take a while to code up *grin* From jamesd at echeque.com Sun Oct 6 12:55:02 2013 From: jamesd at echeque.com (James A. Donald) Date: Mon, 07 Oct 2013 05:55:02 +1000 Subject: [tor-talk] Silk Road taken down by FBI In-Reply-To: <20131006122841.GZ10405@leitl.org> References: <20131006122841.GZ10405@leitl.org> Message-ID: <5251C016.2020809@echeque.com> On 2013-10-06 22:28, Eugen Leitl wrote: > ----- Forwarded message from mirimir ----- > > Date: Thu, 03 Oct 2013 20:58:57 +0000 > From: mirimir > To: tor-talk at lists.torproject.org > Subject: Re: [tor-talk] Silk Road taken down by FBI > Message-ID: <524DDA91.30008 at riseup.net> > User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0 > Reply-To: tor-talk at lists.torproject.org > > On 10/03/2013 05:49 PM, Ahmed Hassan wrote: > >> One question is still remain unanswered. How did they locate >> Silkroad server before locating him? >> >> They had full image of the server before his arrest. Suppose someone is operating a big server that handles lots of traffic. From time to time, you storm that server with spam. NSA observes the corresponding traffic surges. Statistical correlation between spam attacks and data flow eventually reveals the server. We know silk road was attacked with spam and malware. That it was attacked with spam, suggests that malware did not suffice. From juan.g71 at gmail.com Mon Oct 7 02:01:00 2013 From: juan.g71 at gmail.com (Juan Garofalo) Date: Mon, 07 Oct 2013 06:01:00 -0300 Subject: [tor-talk] Silk Road taken down by FBI In-Reply-To: <20131007080201.GF10405@leitl.org> References: <20131006122841.GZ10405@leitl.org> <5251C016.2020809@echeque.com> <20131007080201.GF10405@leitl.org> Message-ID: <7B9754FC91BBB496637FBC92@F74D39FA044AA309EAEA14B9> --On Monday, October 07, 2013 10:02 AM +0200 Eugen Leitl wrote: > On Mon, Oct 07, 2013 at 05:55:02AM +1000, James A. Donald wrote: > >> We know silk road was attacked with spam and malware. That it was > > We know that Freedom Hosting platform was compromised, and > dropped malware via a known vulnerability in the TBB. But that doesn't explain how freedom hosting itself was found in the first place, does it? > > We do not know how exactly TSR was taken down. > There are reasons to suspect that the official story > might be a parallel construct. > >> attacked with spam, suggests that malware did not suffice. > > The rise in Tor traffic well predates the events, and seems > to be entirely attributable to C&C traffic of a botnet. > From eugen at leitl.org Sun Oct 6 23:05:36 2013 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 7 Oct 2013 08:05:36 +0200 Subject: [zfs] [Review] 4185 New hash algorithm support Message-ID: <20131007060536.GW10405@leitl.org> ----- Forwarded message from Saso Kiselkov ----- Date: Mon, 07 Oct 2013 00:47:52 +0100 From: Saso Kiselkov To: illumos-zfs Subject: [zfs] [Review] 4185 New hash algorithm support Message-ID: <5251F6A8.2040305 at gmail.com> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:17.0) Gecko/20130801 Thunderbird/17.0.8 Reply-To: zfs at lists.illumos.org Please review what frankly has become a bit of a large-ish feature: http://cr.illumos.org/~webrev/skiselkov/new_hashes/ This webrev implements new hash algorithms for ZFS with much improved performance. There are three algorithms included: * SHA-512/256: truncated version of SHA-512 per FIPS 180-4. Uses all existing code from the sha2 module (with new H(0) consts), but the native 64-bit arithmetic used in SHA-512 provides a ~50% performance boost relative to SHA-256 on 64-bit hardware. * Skein-512: 80% faster than SHA-256 in optimized C implementation, and a very high security margin (Skein was a finalist in SHA-3). Also includes a KCF SW provider. * Edon-R-512: 350% faster than SHA-256 in optimized C implementation. Security margin lower than Skein. To address any security concerns associated with using new algorithms this patch also implements salted checksum support. We store a random 256-bit secret key (the salt) in the MOS and use it to pre-seed the hash algorithms (Skein and Edon-R use this, SHA-512/256 is just a straight hash). Any attacker thus cannot simply mount a collision attack on the algorithm, since they can't completely control the input. ATM I didn't implement support for booting off of pools with salted checksums, thus root pools are limited to sha256 and the new sha512 (new GRUB stage2 needed for sha512 support, obviously). It's possible, but I see fairly little reason in doing so (is anybody running dedup on their rpool and running into hash performance limitations?). For performance and correctness testing I've included a set of tiny test suites in usr/src/common/crypto/{edonr/skein/sha2}/test. Simply cd into the test subdirectory in a shell with your build environment set up and type 'make'. See attached file for an example of the output. To those who will inevitably ask about Keccak/SHA-3, here are my reasons why I didn't integrate it (in decreasing order of significance): * Keccak's software performance is worse than SHA-2. * There's no hardware support for Keccak and there likely never will be, as SHA-3 != Keccak. * SHA-3 has yet to be standardized, and there are even some questions around that, be they tinfoil hat material or otherwise: http://tiny.cc/schneier_sha-3 * To be sure, at some point in the future there will be HW support for SHA-3 (which may or may not be faster than Edon-R in SW), but seeing as how HW vendors are easily backdoored, I'm not convinced we should put a lot of trust in their work: http://tiny.cc/hw_trojans_becker13 Cheers, -- Saso root at illumos-build:...gate.git/usr/src/common/crypto# for TEST in edonr skein sha2; do ( cd $TEST/test ; make ); done Building 32-bit test... Running 32-bit test... Running algorithm correctness tests: Edon-R-224 Message: test_msg0 Result: OK Edon-R-224 Message: test_msg1 Result: OK Edon-R-256 Message: test_msg0 Result: OK Edon-R-256 Message: test_msg1 Result: OK Edon-R-384 Message: test_msg0 Result: OK Edon-R-384 Message: test_msg2 Result: OK Edon-R-512 Message: test_msg0 Result: OK Edon-R-512 Message: test_msg2 Result: OK Running performance tests (hashing 1024 MiB of data): Edon-R-256 2604591 us (6.05 CPB) Edon-R-512 4227055 us (9.81 CPB) Building 64-bit test... Running 64-bit test... Running algorithm correctness tests: Edon-R-224 Message: test_msg0 Result: OK Edon-R-224 Message: test_msg1 Result: OK Edon-R-256 Message: test_msg0 Result: OK Edon-R-256 Message: test_msg1 Result: OK Edon-R-384 Message: test_msg0 Result: OK Edon-R-384 Message: test_msg2 Result: OK Edon-R-512 Message: test_msg0 Result: OK Edon-R-512 Message: test_msg2 Result: OK Running performance tests (hashing 1024 MiB of data): Edon-R-256 2002762 us (4.65 CPB) Edon-R-512 1006284 us (2.34 CPB) Building 32-bit test... Running 32-bit test... Running algorithm correctness tests: Skein_256/256 Message: test_msg0 Result: OK Skein_256/256 Message: test_msg1 Result: OK Skein_256/256 Message: test_msg2 Result: OK Skein_512/512 Message: test_msg0 Result: OK Skein_512/512 Message: test_msg2 Result: OK Skein_512/512 Message: test_msg3 Result: OK Skein1024/1024 Message: test_msg0 Result: OK Skein1024/1024 Message: test_msg3 Result: OK Skein1024/1024 Message: test_msg4 Result: OK Running performance tests (hashing 1024 MiB of data): Skein_256/256 14110264 us (32.76 CPB) Skein_512/512 12465191 us (28.94 CPB) Skein1024/1024 16864123 us (39.15 CPB) Building 64-bit test... Running 64-bit test... Running algorithm correctness tests: Skein_256/256 Message: test_msg0 Result: OK Skein_256/256 Message: test_msg1 Result: OK Skein_256/256 Message: test_msg2 Result: OK Skein_512/512 Message: test_msg0 Result: OK Skein_512/512 Message: test_msg2 Result: OK Skein_512/512 Message: test_msg3 Result: OK Skein1024/1024 Message: test_msg0 Result: OK Skein1024/1024 Message: test_msg3 Result: OK Skein1024/1024 Message: test_msg4 Result: OK Running performance tests (hashing 1024 MiB of data): Skein_256/256 3328342 us (7.73 CPB) Skein_512/512 2549537 us (5.92 CPB) Skein1024/1024 3547695 us (8.24 CPB) Building 32-bit test... Running 32-bit test... Running algorithm correctness tests: SHA256 Message: test_msg0 Result: OK SHA256 Message: test_msg1 Result: OK SHA384 Message: test_msg0 Result: OK SHA384 Message: test_msg2 Result: OK SHA512 Message: test_msg0 Result: OK SHA512 Message: test_msg2 Result: OK SHA512_224 Message: test_msg0 Result: OK SHA512_224 Message: test_msg2 Result: OK SHA512_256 Message: test_msg0 Result: OK SHA512_256 Message: test_msg2 Result: OK Running performance tests (hashing 1024 MiB of data): SHA256 6745601 us (15.66 CPB) SHA512 19033518 us (44.19 CPB) Building 64-bit test... Running 64-bit test... Running algorithm correctness tests: SHA256 Message: test_msg0 Result: OK SHA256 Message: test_msg1 Result: OK SHA384 Message: test_msg0 Result: OK SHA384 Message: test_msg2 Result: OK SHA512 Message: test_msg0 Result: OK SHA512 Message: test_msg2 Result: OK SHA512_224 Message: test_msg0 Result: OK SHA512_224 Message: test_msg2 Result: OK SHA512_256 Message: test_msg0 Result: OK SHA512_256 Message: test_msg2 Result: OK Running performance tests (hashing 1024 MiB of data): SHA256 4551774 us (10.57 CPB) SHA512 3029591 us (7.03 CPB) ------------------------------------------- illumos-zfs Archives: https://www.listbox.com/member/archive/182191/=now RSS Feed: https://www.listbox.com/member/archive/rss/182191/22842876-6fe17e6f Modify Your Subscription: https://www.listbox.com/member/?member_id=22842876&id_secret=22842876-a25d3366 Powered by Listbox: http://www.listbox.com ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: Digital signature URL: From eugen at leitl.org Sun Oct 6 23:07:56 2013 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 7 Oct 2013 08:07:56 +0200 Subject: [linux-elitists] Browser fingerprinting Message-ID: <20131007060756.GX10405@leitl.org> ----- Forwarded message from Don Marti ----- From wb8foz at nrk.com Mon Oct 7 06:24:46 2013 From: wb8foz at nrk.com (David) Date: Mon, 07 Oct 2013 09:24:46 -0400 Subject: HTML'ed mail In-Reply-To: <20131005004609.7A4A322811F@palinka.tinho.net> References: <20131005004609.7A4A322811F@palinka.tinho.net> Message-ID: <5252B61E.2060303@nrk.com> On 10/4/13 8:46 PM, dan at geer.org wrote: > I find the constant appearance of HTML e-mail here to > be surprising. HTML improves nothing and adds risk. > Why not have the mailing list censored down to ASCII? Agreed. Although I would use the work "refined" not censored. Interestingly, Yahoo lists did an excellent job of stripping out such crapola and serving up useful ASCII. The other commercial mailing list services [Google, etc] don't offer it at all AFAIK. But Yahoo has been "improving" things... they call it NEO. As part of a larger disaster, they have removed that feature. From eugen at leitl.org Mon Oct 7 01:02:01 2013 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 7 Oct 2013 10:02:01 +0200 Subject: [tor-talk] Silk Road taken down by FBI In-Reply-To: <5251C016.2020809@echeque.com> References: <20131006122841.GZ10405@leitl.org> <5251C016.2020809@echeque.com> Message-ID: <20131007080201.GF10405@leitl.org> On Mon, Oct 07, 2013 at 05:55:02AM +1000, James A. Donald wrote: > We know silk road was attacked with spam and malware. That it was We know that Freedom Hosting platform was compromised, and dropped malware via a known vulnerability in the TBB. We do not know how exactly TSR was taken down. There are reasons to suspect that the official story might be a parallel construct. > attacked with spam, suggests that malware did not suffice. The rise in Tor traffic well predates the events, and seems to be entirely attributable to C&C traffic of a botnet. From cane at jondos.de Mon Oct 7 03:45:17 2013 From: cane at jondos.de (Carsten N.) Date: Mon, 07 Oct 2013 10:45:17 +0000 Subject: [linux-elitists] Browser fingerprinting In-Reply-To: <20131007060756.GX10405@leitl.org> References: <20131007060756.GX10405@leitl.org> Message-ID: <525290BD.1040600@jondos.de> On 07.10.2013 06:07, Eugen Leitl wrote: > Who's got a browser that comes up reasonably generic > on Panopticlick, and what did you do? Hello, Panopticlick is a demonstration project, how browser fingerprinting works and not a scientific up2date database for actual used browsers. - The database is not a representative database, because most users, who know something about the project and visit it, use a privacy-friendly browser configuration. - Old entries in the database were not deleted. Firefox 3.5.3 has one of the best ratings in this database. But nobody uses this old browser version any more. You will be unique with this user agent in real life. - It is easy to manipulate the database. You can call the page with your preferred browser multiple times and your preferred browser will be higher rated. Best regards Carsten From str4d at i2pmail.org Mon Oct 7 03:58:41 2013 From: str4d at i2pmail.org (str4d) Date: Mon, 7 Oct 2013 10:58:41 +0000 (UTC) Subject: [tor-talk] Freenet and hidden services Message-ID: <20131007105841.28054AE2B3@smtp.postman.i2p> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 I consider Tahoe-LAFS to be the (current) best solution for this. It provides a distributed data store, which can be used for hosting (with a Javascript "web server"). I know Tahoe works with Tor via SOCKS but I don't personally know of any active networks. Tahoe has been used in I2P as a distributed data store for a long time, and there are several "deepsites" hosted in it. We are actively working to make Tahoe integrate better with Tor/I2P. Zooko recently posted a *much* better summary of this: https://cpunks.org//pipermail/cypherpunks/2013-October/001242.html str4d On 10/07/2013 08:11 PM, Jerzy Łogiewa wrote: > Do you mean if Tor wold have distributed data store like freenet? > > Nice idea, please implement this. :~ > > -- Jerzy Łogiewa -- jerzyma at interia.eu > > On Oct 6, 2013, at 3:26 AM, It's Good to be Alive wrote: > >> Hi, I'm fairly new at Tor, and this is my first time on a mailing >> list, so if there's a better place to ask, let me know. Are >> there any plans, long-term or short, for augmenting Tor with >> Freenet-style resilient, distributed, encrypted hosting in place >> of the current hidden-service model? I understand that they are >> different projects with different goals, but in the wake of the >> Freedom Hosting fiasco it seems that the idea has merit. >> Certainly both sides would benefit? Freenet is not always >> anonymous, and hidden services are not always resilient, but >> together... What are the pros and cons of this idea, and what >> stands in the way of implementing it? Just curious. Cheers! >> Thanks for your time. > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) iQEcBAEBCgAGBQJSUpPHAAoJENXeOJaUpGWyy/4H/36aYQmjKCPYxT8SdYEL2vOV IJ/vhIhWFeSkS/VKXtMHyP272HR+J+oTQ+IqeFYVD+MZFXWB3+lpoqkvsG8YhCDY yq2k7M8y37vnxwt+KhrEL4Ql6tcwHuA4LcePw9mT1EiPhDFrUKCa2HBIz6SZ7IDz NNN9ISBkt4eslF9k3vUnqWUA4S/Wd4geTtKMJBxgIfXzt0p/ppSm5LR8tSwo/Yxc QMB4SL0toj1srv/fjFKR/Gy4TU3rww9sCr0rDlTtlOx8JVjc9imEynq00WIlQwi1 x1jDLvKvqg2hricJjVMHXRwhERadQjgg2FHxyaE2fpfhOZ6uHjZ7U9XLZTpEFnM= =gliq -----END PGP SIGNATURE----- -- tor-talk mailing list - tor-talk at lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From eugen at leitl.org Mon Oct 7 02:25:43 2013 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 7 Oct 2013 11:25:43 +0200 Subject: [tor-talk] Silk Road taken down by FBI In-Reply-To: <7B9754FC91BBB496637FBC92@F74D39FA044AA309EAEA14B9> References: <20131006122841.GZ10405@leitl.org> <5251C016.2020809@echeque.com> <20131007080201.GF10405@leitl.org> <7B9754FC91BBB496637FBC92@F74D39FA044AA309EAEA14B9> Message-ID: <20131007092543.GM10405@leitl.org> On Mon, Oct 07, 2013 at 06:01:00AM -0300, Juan Garofalo wrote: > But that doesn't explain how freedom hosting itself was found in > the first place, does it? Let's say you run a piece of buggy PHP code as a hidden service, on a mass hoster allowing easy signups and installation of own code, with no hard separation of service hosted, and possibly not even firewall the VM traffic, forcing it through Tor. While it's possible they knew the physical host already, there are certainly far easier ways to nail your ass, given the above. It would be interesting to post a hidden service with actionable content as a honeypot with everything done right, to see what the parallel construct story would emerge. No, I'm not volunteering. From eugen at leitl.org Mon Oct 7 02:37:56 2013 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 7 Oct 2013 11:37:56 +0200 Subject: Analysis of Silk =?utf-8?B?Um9hZOKAmQ==?= =?utf-8?Q?s?= Historical Impact on Bitcoin Message-ID: <20131007093755.GN10405@leitl.org> http://thegenesisblock.com/analysis-silk-roads-historical-impact-bitcoin/ Analysis of Silk Road’s Historical Impact on Bitcoin Oct 3, 2013 Posted By Jonathan Stacke In Featured, News Tagged Bitcoin, Price, Silk Road, Volume Comments 11 Silk Road, the online drug bazaar that has eluded authorities and been ingrained in the bitcoin narrative for years, was shut down yesterday. Ross Ulbricht was named in the court documents outlining Silk Road’s activities, as were a number of key data points that offer insights into the impact the world’s most infamous retail website has had on bitcoin. Ulbricht was caught as a result of human error and excessive risks related to physical delivery of false identification being delivered to his home address in San Francisco from Canada. After tracking the package, authorities found their way to Ulbricht and were able to compile a significant case against him (more details in the official complaint embedded below). Notably, it does not appear he was tracked as the result of any underlying flaws with tor, used for anonymous web browsing, or bitcoin, the only currency accepted on Silk Road. For years the cloaked narcotics website has found its way into bitcoin-oriented conversations, but only now are the qualitative and quantitative data points available to asses Silk Road’s true impact on the fledgling digital currency. A History of Influence Facts offered by federal prosecutors overlayed onto bitcoin trading data tells a convincing story about the intertwined histories of bitcoin and Silk Road. It appears that a significant portion of bitcoin’s early traction and price gains can be traced directly to Silk Road, with that impact waning over time, most dramatically in the past six months. On December 30, 2010, bitcoin was traded at $0.30/BTC. The court documents filed yesterday point to Silk Road’s first known publicity occurring via posts from Ulbricht on internet forums and an explanatory WordPress page beginning on January 27, 2011. Bitcoin tripled in value, reaching parity with USD, just two weeks later on February 8. early 2011 Bitcoin then traded between between $0.65 and $0.80 for the next two months until interest was reignited by coverage in major publications, including TIME Magazine and The New York Times. In the weeks following the NYC piece, bitcoin prices and volume exploded, drawing significant attention from the media. Notably, Gawker broke a story about the Silk Road itself, pushing up the last gain of one of bitcoin’s early bubbles. As bitcoin reached a remarkable 100x year-to-date growth at $30/BTC on June 7, the relationship between Silk Road and bitcoin would see its first true test. On June 8, 2011, Senators Charles Shumer and Joe Manchin wrote a letter to Attorney General Eric Holder, urging him to investigate bitcoin for its relationship to online narcotics purchases, as well as “urge [Holder] to take immediate action and shut down the Silk Road network.” Bitcoin plunged 66% to $10 over the next three days, trending downward to $2 by November 2011. It would seem that in 2011, direct use of bitcoin on Silk Road or speculators on its adoption comprised between 66% and 93% of the currency’s value. 2011 bubble Over the next few months as the calendar rolled over into 2012, once again coverage from a number of important press outlets like TIME and Wired rallied enthusiasm for bitcoin, pushing prices up to a stabilized $5 by February. According to the complaint released yesterday, that is also around the time Ulbricht began to add features to Silk Road, including the establishment of a forum and “stealth mode” for top vendors. In June of 2012, bitcoin began another rally. By this time, infrastructure in the bitcoin world had begun to increase dramatically, including the first bitcoin ASIC companies to begin advertising products and new exchanges being formed. Gawker ran another story about Silk Road in July 2012, which appears to have had positive impact on bitcoin prices, though not nearly to the extent it did previously. The months following proved to be highly transitional, with Bitcoin Foundation putting a public face on the new industry and early 2013 seeing the European financial troubles that led to the climb to $260 in April of this year and unprecedented global attention. Just a few weeks later the markets would see another test of the relationship between Bitcoin and Silk Road. Between April 24 and May 1, Silk Road suffered a series of DDoS attacks that sent bitcoin prices sliding downwards. The negative price action was timed perfectly with the attacks, indicating a strong relationship. While the drop was significant at 35% initially before leveling off around a 25% loss – it was notably lighter than the impact of negative Silk Road news previously. april 2013 ddos Looking at the impact from the most recent news, we see a similar pattern emerging. Despite being the definitive end of Silk Road, with its founder detained and the logos of federal agencies plastered across the site, the impact on bitcoin prices was relatively muted. On the initial news break USD/BTC rates fell 20-35%, depending on the exchange, before settling around 10-15% lower than before the news shortly thereafter. October 2013 Quantifiable Impact Also contained within the filings were a number of aggregate statistics about Silk Road’s transactional volume that shed significant light on how much of the bitcoin market was built around the company’s narcotics trade. Specifically, the complaint states that site’s total revenue between February 2011 and July 2013 was 9.5 million bitcoin. Over that same period approximately 225 million bitcoin were transacted over the block chain, of which the 9.5 million in Silk Road sales accounted for just 4%. Similarly, total exchange volume over the same period was roughly 75 million bitcoin, making Silk Road approximately 12% of total volume. This, of course, assumes all bitcoins used for purchases on the site were purchased on exchanges rather than obtained from in person transactions, mining, earnings, gifts or reused by sellers to purchase from others on the site. Important to remember is that these figures are aggregate stats over two years of revenue. Unless fiat-equivalent sales on Silk Road were growing exponentially alongside bitcoin exchange rates over the past two years, this also means the bitcoin volume listed in the filing is front loaded into the periods when more bitcoins were required for the same fiat equivalent purchasing power. This coincides with the market reactions that also indicates a significantly reduced importance of Silk Road on the bitcoin economy. Looking Forward The bitcoin markets as a whole seem well poised to move forward. An unknown has been removed from the ecosystem, but a number of concerns remain. While bitoin will likely recover, there are probably more than a few concerned bitcoin users right now. The contents of the filing pertained almost exclusively to the charges against Ulbricht, but give little insight into what other information was obtained. Whether or not home addresses or bitcoin addresses of Silk Road users were retained in some way is still unclear and the extent to which such matters are prosecutable has yet to be determined. There is also a strong likelihood of copycat sites arising. While the recent action may deter US citizens, Silk Road was known for its global reach, meaning an aspiring entrepreneur could run a similar company from anywhere in the world. The business model is proven and the technology still apparently sound and repeatable. The downfall was related to human error, which was clearly outlined in the filing, creating an advanced watchlist for the next person to avoid. The barriers to entry are remarkably low and now paired with a known surplus of both demand and supply in the marketplace. While Silk Road’s early impact on digital currency appears to have been quite significant, any new participant at this stage will likely encounter the same decreasing importance to the broader bitcoin ecosystem. From adam at cypherspace.org Mon Oct 7 02:48:18 2013 From: adam at cypherspace.org (Adam Back) Date: Mon, 7 Oct 2013 11:48:18 +0200 Subject: legal game-theory, case for smart-contracts & snow crash (Re: A CEO who resisted NSA spying is out of prison.) In-Reply-To: <1381121877.79525.YahooMailNeo@web141202.mail.bf1.yahoo.com> References: <20131004094627.GF10405@leitl.org> <20131004100232.GA3061@netbook.cypherspace.org> <524EA5B7.5040609@echeque.com> <1380913178.94018.YahooMailNeo@web141201.mail.bf1.yahoo.com> <1381121877.79525.YahooMailNeo@web141202.mail.bf1.yahoo.com> Message-ID: <20131007094818.GA2671@netbook.cypherspace.org> I think maybe you are neglecting game theory for the accused, its hard to incentivize people to act in their collective interests, when they are thinking of their own future freedom and lost earning capacity. I imagine you even have researched the statistics for this, but to summarise the game theory scenario: plea bargaining clearly results in less accurate justice (more innocent people do jail time), but has the real-politic benefit of reducing the cost of implementing justice. The usual pattern (made up average numbers) is accept the plea do a discounted (lower than sentencing guideline) 3 years, reject the plea, the prosecution will make less reasonable/inflated charges (higher than sentencing guidelines, based on more tenuous/unlikey to be provable charges) threatening a scary 30 years, which in reality will be moderated down by a judge if the accused has the money for a decent lawyer to 5 years, if they lose, or 0 years if they win; if they are relying on an overworked, less capable public defender because they dont have the money to buy proper representation, their chances of winning are lower, and if they lose their post-trial sentencing will be higher at 10 years. Now law is a remarkably imprecise subject, especially when muddied with some not-so-scrupulous and politically motivated prosecutors, police entrapment, police bias (push for conviction based on opinion/bias, but statements given disproportionate weight by a system that believes it's officers over the public). (Prosecutors and police are politically motivated because their career depends on conviction rates, headlines). The system seems to largely ignore or not give adequate weight to investigating significant prosecutorial abuse or police bias. Prosecutorial abuse has to be strongly proven, and the perpetrators are career ambitiuous, and legally qualified so know the grey areas they can exploit where the abuse will be unprovable even when it is very rarely alleged, or actually prosecuted. Like police they have the benefit of the doubt, in a judicial system that favors its own officers, and so they are defacto largely immune from sanction from even significant systemic abuse, unless stupid enough to be caught red handed with with a smoking gun. Which is to say even if you have millions to your name for the most capable legal defense, and completely innocent with reasonable but not iron clad alibi, its still subject to a high degree of randomness depending on political motivations surrounding. So therefore people will not fully follow game theory of going for the lowest expected sentencing. Ie if p is probabity of winning, and the numbers above: then its 3 vs expected (p*0+(1-p)*5) so even p=2.5 its 2.5 expected vs 3, so if that was an investment you'd say good lets do it. But if its choice between 3years and no more stress, vs legal defense cost and years of stress followed by 5 years if you're unlucky. The dillema still holds if the odds p=0.75 and you have lots of money I suspect sadly that thats about as high as p gets for many areas of law. You also have to factor in the loss of income (at the average income for prisoners) into the equation, and a premium because people would sooner earn less and have their freedom. You cant reform the system via kickstart fund and incentivize people to not accept pleas, well not at $5k anyway, because they'd need compensation for lost earnings and a huge loss of liberty premium if they lose, a stress premium for going to trial, and expenses for high quality legal defense. Those figures may no longer make game theory economic sense for society, though I do think the centuries old principle that its more important for one innocent party to go free than 100 guilty to be imprisoned is not properly incorporated into the current system as plea bargaining removes most of that intended objective. Even with best attempts at fairness and balance from police, prosecutor and judge (and there are genuine public spirited ethical people in some of those roles, who would ignore the perverse career motivations on principle, so it probably happens some of the time), the outcome STILL has an unfair plea imbalance and STILL high randomness. Its an imperfect system even under the most favorable conditions. I think the solution is to politically vote to arbitrarily cap the incarceration rate to 10,000/annum; the justice system is not allowed to go over that limit by law. They will then focus on cases where they think the incarceration is of most value to society (eg of making the public safer by taking a violent criminal off the streets). Maybe the cap should be adjusted based on false conviction rates, if the false conviction rate increases, the cap decreases. Independent review of potential prosecutor abuses should be increased. Also the system should be restructured to remove the career/political motivation for prosecutors to achieve high conviction rates. Their conviction rate should include a heavy mallus for a false conviction, so they strive to avoid convicting innocent people, and the system should somehow be adjusted to be less adversarial and to remove sentencing penalties for going to trial. eg Maybe the trial sentencing level and charges should be set by an independent neutral body, not the prosecutor, with the objective of keeping the trial and plea sentencing the same. Maybe simpler bargaining should be made illegal. Another specific problem in the US is its a one dollar one vote system, and operating privatized prisons is a high profit business. The prison operators votes therefore likely outweigh the proportion of the public that is aware of the system problems or care enough to vote about it. I believe other eg european justice systems are in fact less prone to these issues. So another solution is to vote with your feet. Basically in such a system you want to avoid even interacting with the legal system or justice system, period. Even volutarily interacting as a random by-stander is unfortunately likely to be net loss to your finances or even freedoms. Even to complain publicly about the defects of the system is probably risky once you have interacted with them. Which is ridiculous but thats the reality. And finally some of the laws on the books are ridiculous on their face in the opinions of the accused's peers. eg computer abuse act which sees Weev in jail and such like stories, and the sentencing guidelines are also often ridiculous and non-proportional eg the sentencing threats to Swartz for what was probably not even a copyright crime (going on the theory from his previous activism pattern that he was aiming to republish the subset of articles that were public domain). His trial sentencing threat was above a 1st degree homicide with iron clad evidence, something's got to be wrong with that. The sentencing board are failing in their task. Something should also be done to restrict scope for judicial vengence also - Swartz made a mockery of a stupid law, with his previous popularly supported activism stunt, and so prosecutors were out to get him. Also legal systems generally seem to lag 50-200 years behind the opinions of the public Some jurisdictions are better than others, but the system of case law mixed with precedent creates a built in brake on legal theory evolution. Out of touch with reality and public opinion prosecutors, judges and sentencing another issue. Probably law should be restricted to 1MByte of ascii text and any law not approved by 90% referendum (1 person one vote, not 1 dollar one vote) struck off automatically every year. This state of significantly imperfect, and hard to reform, high cost legal system issue is why smart-contracts look so attractive. Its not even obvious how to improve the legal systems and they evolve slowly and resist experimental change. Mathematical aprior enforcement, deference to mutually agreed competing impartial arbitrators for dispute. Pseudonymous smart-contracting parties FTW. Of course it doesnt work for in-person crimes, except in a "Snow Crash" sense (cometing legal systems/governments in the same physical space) but a justice system that leant heavily on smart-contracts and refused as a principle to revise contracts where both parties received competent legal advice, nor overturn arbitrator decisions, would be a step forward for society. Adam On Sun, Oct 06, 2013 at 09:57:57PM -0700, Jim Bell wrote: > Subject: Re: A CEO who resisted NSA spying is out of prison. > >$5000 to just enter not guilty and likely pay an attorney to defend > >it / accept dismissal may seem realistic. Thing is, that doesn't > >leave much payout to defendant. And a fair number of those pleas > >will be going to trial. That entails conviction risk, and regardless > >of time dealt, that risk will carry a higher price. From adam at cypherspace.org Mon Oct 7 02:57:44 2013 From: adam at cypherspace.org (Adam Back) Date: Mon, 7 Oct 2013 11:57:44 +0200 Subject: [linux-elitists] Browser fingerprinting In-Reply-To: <20131007060756.GX10405@leitl.org> References: <20131007060756.GX10405@leitl.org> Message-ID: <20131007095744.GB2671@netbook.cypherspace.org> Scary numbers. Even with chrome incognito unique to 1 in 1.7 m on linux. Maybe better on windows. I wonder if no-script would help or is this passive headers only? Seems like the leak was fonts, plugins and user agent in that order at 1 in 128k, 266k, and 1.7m respectivey. Need less chatty browsers. Adam On Mon, Oct 07, 2013 at 08:07:56AM +0200, Eugen Leitl wrote: >----- Forwarded message from Don Marti ----- > >Date: Sun, 6 Oct 2013 11:11:46 -0700 >From: Don Marti >To: linux-elitists at zgp.org >Subject: [linux-elitists] Browser fingerprinting >Message-ID: <20131006181146.GA21225 at zea.gateway.2wire.net> >User-Agent: Mutt/1.5.21 (2010-09-15) > >Corporate speak: "Tawakol and Ingis both said the >new technology, which is still under development, >would allow companies to use alternative approaches >that are sometimes called statistical or probabilistic >tracking, while remaining in compliance with industry >privacy standards." > >Translation: "Fine, you smug cookie-blocking nerds. >We're going to go all browser fingerprinting on you." > > http://blog.sfgate.com/techchron/2013/10/04/ad-groups-prepare-for-cookieless-future-develop-opt-out-tool-for-alternative-tracking/ > >Mozilla has been working on cleaning up the >third-party cookie problem, and making a dent in it, >as you can tell by the complaints from the creepy >adtech business. > >Unfortunately, Firefox appears to be highly >fingerprintable. > >https://panopticlick.eff.org/ says "Your browser >fingerprint appears to be unique among the 3,458,043 >tested so far." > >Ouch. Got to get my act together here. But of >course the more that I customize, the more unique my >browser looks. > >Who's got a browser that comes up reasonably generic >on Panopticlick, and what did you do? > >-- >Don Marti +1-510-332-1587 (mobile) >http://zgp.org/~dmarti/ Alameda, California, USA >dmarti at zgp.org >_______________________________________________ >Do not Cc: anyone else on mail sent to this list. The list server is set for maximum one recipient. >linux-elitists mailing list >linux-elitists at zgp.org >http://zgp.org/cgi-bin/mailman/listinfo/linux-elitists > >----- End forwarded message ----- >-- >Eugen* Leitl leitl http://leitl.org >______________________________________________________________ >ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org >AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From eugen at leitl.org Mon Oct 7 03:43:36 2013 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 7 Oct 2013 12:43:36 +0200 Subject: Russia to monitor 'all communications' at Winter Olympics in Sochi Message-ID: <20131007104336.GU10405@leitl.org> http://www.theguardian.com/world/2013/oct/06/russia-monitor-communications-sochi-winter-olympics Russia to monitor 'all communications' at Winter Olympics in Sochi Exclusive: Investigation uncovers FSB surveillance system – branded 'Prism on steroids' – to listen to all athletes and visitors Shaun Walker in Moscow The Guardian, Sunday 6 October 2013 15.31 BST Sochi, venue for 2014 Winter Olympics The Black Sea resort of Sochi has apparently been wired so that the FSB can log all visitor communications. Photograph: Ignat Kozlov/AP Athletes and spectators attending the Winter Olympics in Sochi in February will face some of the most invasive and systematic spying and surveillance in the history of the Games, documents shared with the Guardian show. Russia's powerful FSB security service plans to ensure that no communication by competitors or spectators goes unmonitored during the event, according to a dossier compiled by a team of Russian investigative journalists looking into preparations for the 2014 Games. In a ceremony on Red Square on Sunday afternoon, the president, Vladimir Putin, held the Olympic flame aloft and sent it on its epic journey around the country, saying Russia and its people had always been imbued with the qualities of "openness and friendship", making Sochi the perfect destination for the Olympics. But government procurement documents and tenders from Russian communication companies indicate that newly installed telephone and internet spying capabilities will give the FSB free rein to intercept any telephony or data traffic and even track the use of sensitive words or phrases mentioned in emails, webchats and on social media. The journalists, Andrei Soldatov and Irina Borogan, who are experts on the Russian security services, collated dozens of open source technical documents published on the Zakupki government procurement agency website, as well as public records of government oversight agencies. They found that major amendments have been made to telephone and Wi-Fi networks in the Black Sea resort to ensure extensive and all-permeating monitoring and filtering of all traffic, using Sorm, Russia's system for intercepting phone and internet communications. Putin at a Sochi Olympic flame ceremony in Moscow on Sunday. Photograph: Ivan Sekretarev/AP The Sorm system is being modernised across Russia, but particular attention has been paid to Sochi given the large number of foreign visitors expected next year. Technical specifications set out by the Russian state telecoms agency also show that a controversial technology known as deep packet inspection, which allows intelligence agencies to filter users by particular keywords, is being installed across Russia's networks, and is required to be compatible with the Sorm system. "For example you can use the keyword Navalny, and work out which people in a particular region are using the word Navalny," says Soldatov, referring to Alexei Navalny, Russia's best-known opposition politician. "Then, those people can be tracked further." Ron Deibert, a professor at the University of Toronto and director of Citizen Lab, which co-operated with the Sochi research, describes the Sorm amendments as "Prism on steroids", referring to the programme used by the NSA in the US and revealed to the Guardian by the whistleblower Edward Snowden. "The scope and scale of Russian surveillance are similar to the disclosures about the US programme but there are subtle differences to the regulations," says Deibert. "We know from Snowden's disclosures that many of the checks were weak or sidestepped in the US, but in the Russian system permanent access for Sorm is a requirement of building the infrastructure." "Even as recently as the Beijing Olympics, the sophistication of surveillance and tracking capabilities were nowhere near where they are today." Gus Hosein, executive director of Privacy International, which also co-operated with the research, said: "Since 2008, more people are travelling with smartphones with far more data than back then, so there is more to spy on." Wary of Sorm's capabilities, earlier this year a leaflet from the US state department's bureau of diplomatic security warned anyone travelling to the Games to be extremely cautious with communications. "Business travellers should be particularly aware that trade secrets, negotiating positions, and other sensitive information may be taken and shared with competitors, counterparts, and/or Russian regulatory and legal entities," the document reads. The advice contains an extraordinary list of precautions for visitors who wish to ensure safe communications, such as removing batteries from phones when not in use and only travelling with "clean" devices. Soldatov and Borogan have discovered that the FSB has been working since 2010 to upgrade the Sorm system to ensure it can cope with the extra traffic during the Games. All telephone and ISP providers have to install Sorm boxes in their technology by law, and once installed, the FSB can access data without the provider ever knowing, meaning every phone call or internet communication can be logged. Although the FSB technically requires a warrant to intercept a communication, it is not obliged to show it to anyone. Tellingly, the FSB has appointed one of its top counterintelligence chiefs, Oleg Syromolotov, to be in charge at Sochi: security will thus be overseen by someone who has spent his career chasing foreign spies rather than terrorists. Another target may well be gay rights, likely to be one of the biggest issues of the Games. Putin has said that competitors who wear rainbow pins, for example, will not be arrested under the country's controversial new law that bans "homosexual propaganda". However, it is likely that any attempts to stage any kind of rally or gathering to support gay rights will be ruthlessly broken up by police, as has been the case on numerous occasions in Russian cities in the past. Using DPI, Russian authorities will be able to identify, tag and follow all visitors to the Olympics, both Russian and foreign, who are discussing gay issues, and possibly planning to organise protests. "Athletes may have particular political views, or they may be openly gay," says Deibert. "I think given recent developments in Russia, we have to be worried about these issues." At a rare FSB press conference this week, an official, Alexei Lavrishchev, denied security and surveillance at the Games would be excessive, and said that the London Olympics featured far more intrusive measures. "There, they even put CCTV cameras in, excuse me for saying it, the toilets," said Lavrishchev. "We are not taking this kind of measure." The FSB did not respond to a request for comment from the Guardian, while a spokesperson for the Sochi Olympics referred all requests to the security services. But Russian authorities often express a belief that NGOs working on human rights and other issues have subversive agendas dictated from abroad, and the FSB apparently feels that with so many potentially dangerous foreigners descending on the Black Sea resort for the Olympics, it has a duty to keep an eye on them. In the end, the goal is overarching, but simple, says Soldatov: "Russian authorities want to make sure that every connection and every move made online in Sochi during the Olympics will be absolutely transparent to the secret services of the country." -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: Digital signature URL: From adam at cypherspace.org Mon Oct 7 03:46:27 2013 From: adam at cypherspace.org (Adam Back) Date: Mon, 7 Oct 2013 12:46:27 +0200 Subject: Analysis of Silk =?utf-8?Q?Road?= =?utf-8?B?4oCZcw==?= Historical Impact on Bitcoin In-Reply-To: <20131007093755.GN10405@leitl.org> References: <20131007093755.GN10405@leitl.org> Message-ID: <20131007104627.GC2671@netbook.cypherspace.org> Great article, good to see bitcoin is at this stage less influenced by news flow and transaction volume of silk road like activities. (Silk Road while interesting to proponents of agoric defacto legal reform by weakening enforceability of drug laws, which it seems was DPR/Ulbricht was a proponent of, the strong short-term success might have been hazardous to bitcoin itself. And I think doesnt really rely on bitcoin anyway as there are in many countries cash pre-paid credit-cards and similar types of systems.) Its a curious effect that part of bitcoins bootstrap to non-toy price, may have been accelerated by silk road itself historically. I suppose its not a unique situation that criminal privacy or non-criminal but privacy sensitive business areas (eg online porn) are innovators in adopting new technolgy with some media reputation for privacy. I am not sure bitcoin is particularly anonymous given the fact exchange interactions are covered by AML/KYC and all payments publicly logged in the clear for anyone to see, and that mixing attempts have been shown to be weak and of questionable effectiveness by statisticians and data analysts (complete with pretty graphs), and that most clients have no automated coin control or sub-wallet feature. There maybe more conventional higher anonymity systems like perhaps pre-paid credit cards, phone cards and such things which can actualy be bought for paper cash, and sometimes deposited electronically (I'm sure criminals and money laundering experts have a better understanding of which systems provide anonymity, those were just off the top of head non-bitcoin, non-cash, payment anonymity examples. An envelope of cash in the mail probably works too though I think that is technical illegal to do even with nominal amounts in some countries). I'm quite sure the criminal options at all levels of scale for payment remote and local involve many more options than bitcoin. At the higher end it blends with and solicits and obtains likely knowing service from established but greedy market players. You can see the odd dataset, eg HSBC being caught laundering $880m of drug cartel and even dirtier money. At least to say its clearly quite dangerous to rely strongly on bitcoin anonymity for non-technical people, or even technical people without serious operational attention and careful tool analysis and selection. A few trivia items from the Silk Road story that seem ambiguous - they opened a package coming from canada to him with fake ids. Seemingly he wanted fake ids for some reason relating to operating the servers (more on that next). But why did they open his package? Bad luck random spot check? Or (more plausible) he bought the fake ids from an ongoing fake-id sting operation in Canada? Or alternatively evidence of parallel constructon disguising NSA Tor backtrace? About why did he even think he needed fake ids. Surely you only need a physical fake id if you are renting servers in person. But why would you do that - physical servers you interact with physically are a needless risk no - if backtraced to IP by Tor attack, the physical connection is made? (Why not rent cloud servers? If renting cloud servers why not pay with prepaid credit cards bought for cash (or bitcoin)? If need to send fake ID to rent cloud servers, surely its lower risk to photoshop them than accept physical delivery of illegal forged ID to your own address, from a criminal or sting fake-id service with a copy of your photo! I dont really get it. Adam On Mon, Oct 07, 2013 at 11:37:56AM +0200, Eugen Leitl wrote: > >http://thegenesisblock.com/analysis-silk-roads-historical-impact-bitcoin/ > >Analysis of Silk Road’s Historical Impact on Bitcoin From eugen at leitl.org Mon Oct 7 04:18:17 2013 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 7 Oct 2013 13:18:17 +0200 Subject: [tor-talk] Freenet and hidden services Message-ID: <20131007111817.GW10405@leitl.org> ----- Forwarded message from str4d ----- From stephan.neuhaus at tik.ee.ethz.ch Mon Oct 7 04:20:09 2013 From: stephan.neuhaus at tik.ee.ethz.ch (Stephan Neuhaus) Date: Mon, 07 Oct 2013 13:20:09 +0200 Subject: [linux-elitists] Browser fingerprinting In-Reply-To: References: <20131007060756.GX10405@leitl.org> Message-ID: <525298E9.3070209@tik.ee.ethz.ch> On 10/07/2013 09:09 AM, coderman wrote: > On Sun, Oct 6, 2013 at 11:07 PM, Eugen Leitl wrote: >> ... >> Who's got a browser that comes up reasonably generic >> on Panopticlick, and what did you do? Firefox with NoScript and Ghostery. About 10 bits of entropy. Not perfect, but not bad either. Stephan From njloof at gmail.com Mon Oct 7 13:29:43 2013 From: njloof at gmail.com (Nathan Loofbourrow) Date: Mon, 7 Oct 2013 13:29:43 -0700 Subject: Bruce Schneier on the good, old air gap In-Reply-To: References: <20131007151629.GI10405@leitl.org> Message-ID: <9BDB2013-E4A9-44EC-9657-318910757532@gmail.com> Perhaps not every device, but maybe just one device you use for reading encrypted mail and the like. It could be a Raspberry Pi you carry in a knapsack, or something. n > On Oct 7, 2013, at 12:14, yersinia wrote: > >> On Mon, Oct 7, 2013 at 5:16 PM, Eugen Leitl wrote: >> >> http://www.wired.com/opinion/2013/10/149481/ >> >> Want to Evade NSA Spying? Don’t Connect to the Internet >> >> BY BRUCE SCHNEIER 10.07.13 6:30 AM >> >> Photo: Ariel Zambelich / WIRED; Illustration: Ross Patton / WIRED >> >> Since I started working with Snowden’s documents, I have been using a number >> of tools to try to stay secure from the NSA. The advice I shared included >> using Tor, preferring certain cryptography over others, and using >> public-domain encryption wherever possible. >> >> I also recommended using an air gap, which physically isolates a computer or >> local network of computers from the internet. (The name comes from the >> literal gap of air between the computer and the internet; the word predates >> wireless networks.) >> >> But this is more complicated than it sounds, and requires explanation. >> >> Since we know that computers connected to the internet are vulnerable to >> outside hacking, an air gap should protect against those attacks. There are a >> lot of systems that use — or should use — air gaps: classified military >> networks, nuclear power plant controls, medical equipment, avionics, and so >> on. >> >> Osama Bin Laden used one. I hope human rights organizations in repressive >> countries are doing the same. >> >> Air gaps might be conceptually simple, but they’re hard to maintain in >> practice. The truth is that nobody wants a computer that never receives files >> from the internet and never sends files out into the internet. What they want >> is a computer that’s not directly connected to the internet, albeit with some >> secure way of moving files on and off. >> >> But every time a file moves back or forth, there’s the potential for attack. >> >> And air gaps have been breached. Stuxnet was a U.S. and Israeli >> military-grade piece of malware that attacked the Natanz nuclear plant in >> Iran. It successfully jumped the air gap and penetrated the Natanz network. >> Another piece of malware named agent.btz, probably Chinese in origin, >> successfully jumped the air gap protecting U.S. military networks. >> >> These attacks work by exploiting security vulnerabilities in the removable >> media used to transfer files on and off the air gapped computers. >> >> Bruce Schneier is a security technologist and author. His latest book is >> Liars and Outliers: Enabling the Trust Society Needs to Survive. >> >> Since working with Snowden’s NSA files, I have tried to maintain a single >> air-gapped computer. It turned out to be harder than I expected, and I have >> ten rules for anyone trying to do the same: >> >> 1. When you set up your computer, connect it to the internet as little as >> possible. It’s impossible to completely avoid connecting the computer to the >> internet, but try to configure it all at once and as anonymously as possible. >> I purchased my computer off-the-shelf in a big box store, then went to a >> friend’s network and downloaded everything I needed in a single session. (The >> ultra-paranoid way to do this is to buy two identical computers, configure >> one using the above method, upload the results to a cloud-based anti-virus >> checker, and transfer the results of that to the air gap machine using a >> one-way process.) >> >> 2. Install the minimum software set you need to do your job, and disable all >> operating system services that you won’t need. The less software you install, >> the less an attacker has available to exploit. I downloaded and installed >> OpenOffice, a PDF reader, a text editor, TrueCrypt, and BleachBit. That’s >> all. (No, I don’t have any inside knowledge about TrueCrypt, and there’s a >> lot about it that makes me suspicious. But for Windows full-disk encryption >> it’s that, Microsoft’s BitLocker, or Symantec’s PGPDisk — and I am more >> worried about large U.S. corporations being pressured by the NSA than I am >> about TrueCrypt.) >> >> 3. Once you have your computer configured, never directly connect it to the >> internet again. Consider physically disabling the wireless capability, so it >> doesn’t get turned on by accident. >> >> 4. If you need to install new software, download it anonymously from a random >> network, put it on some removable media, and then manually transfer it to the >> air gapped computer. This is by no means perfect, but it’s an attempt to make >> it harder for the attacker to target your computer. >> >> 5. Turn off all auto-run features. This should be standard practice for all >> the computers you own, but it’s especially important for an air-gapped >> computer. Agent.btz used autorun to infect U.S. military computers. >> >> 6. Minimize the amount of executable code you move onto the air-gapped >> computer. Text files are best. Microsoft Office files and PDFs are more >> dangerous, since they might have embedded macros. Turn off all macro >> capabilities you can on the air-gapped computer. Don’t worry too much about >> patching your system; in general, the risk of the executable code is worse >> than the risk of not having your patches up to date. You’re not on the >> internet, after all. >> >> 7. Only use trusted media to move files on and off air-gapped computers. A >> USB stick you purchase from a store is safer than one given to you by someone >> you don’t know — or one you find in a parking lot. >> >> 8. For file transfer, a writable optical disk (CD or DVD) is safer than a USB >> stick. Malware can silently write data to a USB stick, but it can’t spin the >> CD-R up to 1000 rpm without your noticing. This means that the malware can >> only write to the disk when you write to the disk. You can also verify how >> much data has been written to the CD by physically checking the back of it. >> If you’ve only written one file, but it looks like three-quarters of the CD >> was burned, you have a problem. Note: the first company to market a USB stick >> with a light that indicates a write operation — not read or write; I’ve got >> one of those — wins a prize. >> >> 9. When moving files on and off your air-gapped computer, use the absolute >> smallest storage device you can. And fill up the entire device with random >> files. If an air-gapped computer is compromised, the malware is going to try >> to sneak data off it using that media. While malware can easily hide stolen >> files from you, it can’t break the laws of physics. So if you use a tiny >> transfer device, it can only steal a very small amount of data at a time. If >> you use a large device, it can take that much more. Business-card-sized >> mini-CDs can have capacity as low as 30 MB. I still see 1-GB USB sticks for >> sale. >> >> 10. Consider encrypting everything you move on and off the air-gapped >> computer. Sometimes you’ll be moving public files and it won’t matter, but >> sometimes you won’t be, and it will. And if you’re using optical media, those >> disks will be impossible to erase. Strong encryption solves these problems. >> And don’t forget to encrypt the computer as well; whole-disk encryption is >> the best. >> >> One thing I didn’t do, although it’s worth considering, is use a stateless >> operating system like Tails. You can configure Tails with a persistent volume >> to save your data, but no operating system changes are ever saved. Booting >> Tails from a read-only DVD — you can keep your data on an encrypted USB stick >> — is even more secure. Of course, this is not foolproof, but it greatly >> reduces the potential avenues for attack. >> >> Yes, all this is advice for the paranoid. And it’s probably impossible to >> enforce for any network more complicated than a single computer with a single >> user. But if you’re thinking about setting up an air-gapped computer, you >> already believe that some very powerful attackers are after you personally. >> If you’re going to use an air gap, use it properly. >> >> Of course you can take things further. I have met people who have physically >> removed the camera, microphone, and wireless capability altogether. But >> that’s too much paranoia for me right now. > > I like Bruce much, i have read all of him, every book, mostly article, from years. But no normal person would follow these advice, all smartphones should be turned off, each tablet, and every pc should be turned in a anonyomous client of an anonymous network. Sure, who believe in the paranoia model definitely find comfort in these indications, for example i am one. But those who follow this model, really, are following it also not in only the cyberspace, but also in the real life, every day ? Really? Internet is perhaps evil but perhaps also our world is not so a sane and secure place, sometime (or every time, depend). > > Best -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 10504 bytes Desc: not available URL: From eugen at leitl.org Mon Oct 7 04:55:36 2013 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 7 Oct 2013 13:55:36 +0200 Subject: A CEO who resisted NSA spying is out of prison. In-Reply-To: <20131005004609.7A4A322811F@palinka.tinho.net> References: <1380913178.94018.YahooMailNeo@web141201.mail.bf1.yahoo.com> <20131005004609.7A4A322811F@palinka.tinho.net> Message-ID: <20131007115536.GY10405@leitl.org> On Fri, Oct 04, 2013 at 08:46:09PM -0400, dan at geer.org wrote: > > I find the constant appearance of HTML e-mail here to > be surprising. HTML improves nothing and adds risk. A good point. I deal with that by alternative_order text/plain text/html text/enrichened auto_view text/html which calls links via /etc/mailcap text/plain; less '%s'; needsterminal text/html; /usr/bin/sensible-browser '%s'; description=HTML Text; nametemplate=%s.html ... How exploitable is /usr/bin/links? > Why not have the mailing list censored down to ASCII? > Opponents are listening to be sure, but why give them > injection points? Or does the libertarian ideal extend > to dangerous encodings as a form of free speech? From eugen at leitl.org Mon Oct 7 07:50:38 2013 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 7 Oct 2013 16:50:38 +0200 Subject: interesting commercial cjdns project: Enigmabox Message-ID: <20131007145038.GH10405@leitl.org> Just came across http://enigmabox.net/ which is a commercial project using cjdns/Hyperboria for transport and offers end to end encrypted VoIP and operates http (and more?) exits. The hardware seems to be PCEngines ALIX. It doesn't ship with Tor, but Tor can be used with it. Don't see any open source, but users are getting root access on the system. From grarpamp at gmail.com Mon Oct 7 14:10:14 2013 From: grarpamp at gmail.com (grarpamp) Date: Mon, 7 Oct 2013 17:10:14 -0400 Subject: [Cryptography] Universal security measures for crypto primitives In-Reply-To: <1C105E86-11D2-49E0-ACB8-FCBCB98AA168@lrw.com> References: <1C105E86-11D2-49E0-ACB8-FCBCB98AA168@lrw.com> Message-ID: On Oct 7, 2013, at 1:43 AM, Peter Gutmann wrote: > Given the recent debate about security levels for different key sizes, the > following paper by Lenstra, Kleinjung, and Thome may be of interest: > > "Universal security from bits and mips to pools, lakes and beyond" > http://eprint.iacr.org/2013/635.pdf On Mon, Oct 7, 2013 at 10:46 AM, Jerry Leichter wrote: > Then: "...fundamental limits will let you make about 3*10^94 ~ 2^315 [bit] flips > and store about 2^315 bits Then perhaps by the time that engine gets near 256 bits done crunching you, any given secret holder will be either dead, too old / pardonable, or society will have moved on, thereby placing the secret into one of historical value only. It would probably also cost about 2^315 bits to build and operate. Not many 100yr secrets out there besides grand conspiracies and whodunit's, and those don't really need crypto. Might as well bump everything to 512 just to be safe from physics ;) From eugen at leitl.org Mon Oct 7 08:16:29 2013 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 7 Oct 2013 17:16:29 +0200 Subject: Bruce Schneier on the good, old air gap Message-ID: <20131007151629.GI10405@leitl.org> http://www.wired.com/opinion/2013/10/149481/ Want to Evade NSA Spying? Don’t Connect to the Internet BY BRUCE SCHNEIER 10.07.13 6:30 AM Photo: Ariel Zambelich / WIRED; Illustration: Ross Patton / WIRED Since I started working with Snowden’s documents, I have been using a number of tools to try to stay secure from the NSA. The advice I shared included using Tor, preferring certain cryptography over others, and using public-domain encryption wherever possible. I also recommended using an air gap, which physically isolates a computer or local network of computers from the internet. (The name comes from the literal gap of air between the computer and the internet; the word predates wireless networks.) But this is more complicated than it sounds, and requires explanation. Since we know that computers connected to the internet are vulnerable to outside hacking, an air gap should protect against those attacks. There are a lot of systems that use — or should use — air gaps: classified military networks, nuclear power plant controls, medical equipment, avionics, and so on. Osama Bin Laden used one. I hope human rights organizations in repressive countries are doing the same. Air gaps might be conceptually simple, but they’re hard to maintain in practice. The truth is that nobody wants a computer that never receives files from the internet and never sends files out into the internet. What they want is a computer that’s not directly connected to the internet, albeit with some secure way of moving files on and off. But every time a file moves back or forth, there’s the potential for attack. And air gaps have been breached. Stuxnet was a U.S. and Israeli military-grade piece of malware that attacked the Natanz nuclear plant in Iran. It successfully jumped the air gap and penetrated the Natanz network. Another piece of malware named agent.btz, probably Chinese in origin, successfully jumped the air gap protecting U.S. military networks. These attacks work by exploiting security vulnerabilities in the removable media used to transfer files on and off the air gapped computers. Bruce Schneier is a security technologist and author. His latest book is Liars and Outliers: Enabling the Trust Society Needs to Survive. Since working with Snowden’s NSA files, I have tried to maintain a single air-gapped computer. It turned out to be harder than I expected, and I have ten rules for anyone trying to do the same: 1. When you set up your computer, connect it to the internet as little as possible. It’s impossible to completely avoid connecting the computer to the internet, but try to configure it all at once and as anonymously as possible. I purchased my computer off-the-shelf in a big box store, then went to a friend’s network and downloaded everything I needed in a single session. (The ultra-paranoid way to do this is to buy two identical computers, configure one using the above method, upload the results to a cloud-based anti-virus checker, and transfer the results of that to the air gap machine using a one-way process.) 2. Install the minimum software set you need to do your job, and disable all operating system services that you won’t need. The less software you install, the less an attacker has available to exploit. I downloaded and installed OpenOffice, a PDF reader, a text editor, TrueCrypt, and BleachBit. That’s all. (No, I don’t have any inside knowledge about TrueCrypt, and there’s a lot about it that makes me suspicious. But for Windows full-disk encryption it’s that, Microsoft’s BitLocker, or Symantec’s PGPDisk — and I am more worried about large U.S. corporations being pressured by the NSA than I am about TrueCrypt.) 3. Once you have your computer configured, never directly connect it to the internet again. Consider physically disabling the wireless capability, so it doesn’t get turned on by accident. 4. If you need to install new software, download it anonymously from a random network, put it on some removable media, and then manually transfer it to the air gapped computer. This is by no means perfect, but it’s an attempt to make it harder for the attacker to target your computer. 5. Turn off all auto-run features. This should be standard practice for all the computers you own, but it’s especially important for an air-gapped computer. Agent.btz used autorun to infect U.S. military computers. 6. Minimize the amount of executable code you move onto the air-gapped computer. Text files are best. Microsoft Office files and PDFs are more dangerous, since they might have embedded macros. Turn off all macro capabilities you can on the air-gapped computer. Don’t worry too much about patching your system; in general, the risk of the executable code is worse than the risk of not having your patches up to date. You’re not on the internet, after all. 7. Only use trusted media to move files on and off air-gapped computers. A USB stick you purchase from a store is safer than one given to you by someone you don’t know — or one you find in a parking lot. 8. For file transfer, a writable optical disk (CD or DVD) is safer than a USB stick. Malware can silently write data to a USB stick, but it can’t spin the CD-R up to 1000 rpm without your noticing. This means that the malware can only write to the disk when you write to the disk. You can also verify how much data has been written to the CD by physically checking the back of it. If you’ve only written one file, but it looks like three-quarters of the CD was burned, you have a problem. Note: the first company to market a USB stick with a light that indicates a write operation — not read or write; I’ve got one of those — wins a prize. 9. When moving files on and off your air-gapped computer, use the absolute smallest storage device you can. And fill up the entire device with random files. If an air-gapped computer is compromised, the malware is going to try to sneak data off it using that media. While malware can easily hide stolen files from you, it can’t break the laws of physics. So if you use a tiny transfer device, it can only steal a very small amount of data at a time. If you use a large device, it can take that much more. Business-card-sized mini-CDs can have capacity as low as 30 MB. I still see 1-GB USB sticks for sale. 10. Consider encrypting everything you move on and off the air-gapped computer. Sometimes you’ll be moving public files and it won’t matter, but sometimes you won’t be, and it will. And if you’re using optical media, those disks will be impossible to erase. Strong encryption solves these problems. And don’t forget to encrypt the computer as well; whole-disk encryption is the best. One thing I didn’t do, although it’s worth considering, is use a stateless operating system like Tails. You can configure Tails with a persistent volume to save your data, but no operating system changes are ever saved. Booting Tails from a read-only DVD — you can keep your data on an encrypted USB stick — is even more secure. Of course, this is not foolproof, but it greatly reduces the potential avenues for attack. Yes, all this is advice for the paranoid. And it’s probably impossible to enforce for any network more complicated than a single computer with a single user. But if you’re thinking about setting up an air-gapped computer, you already believe that some very powerful attackers are after you personally. If you’re going to use an air gap, use it properly. Of course you can take things further. I have met people who have physically removed the camera, microphone, and wireless capability altogether. But that’s too much paranoia for me right now. From albill at openbuddha.com Mon Oct 7 17:54:37 2013 From: albill at openbuddha.com (Al Billings) Date: Mon, 7 Oct 2013 17:54:37 -0700 Subject: HTML'ed mail In-Reply-To: References: <20131005004609.7A4A322811F@palinka.tinho.net> <5252B61E.2060303@nrk.com> Message-ID: <5B58D96D3436449395FBB04F526B3EDE@openbuddha.com> Get off my lawn! (top posted, of course!) -- Al Billings http://makehacklearn.org On Monday, October 7, 2013 at 5:39 PM, Sandy Harris wrote: > It is the sender's job. No-one should be sending such stuff > to a public list since it serves no useful purpose. If your > client won't send clean ASCII-only email, then switch to > a client that will. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2668 bytes Desc: not available URL: From tbiehn at gmail.com Mon Oct 7 14:56:06 2013 From: tbiehn at gmail.com (Travis Biehn) Date: Mon, 7 Oct 2013 17:56:06 -0400 Subject: HTML'ed mail In-Reply-To: <5252B61E.2060303@nrk.com> References: <20131005004609.7A4A322811F@palinka.tinho.net> <5252B61E.2060303@nrk.com> Message-ID: On Oct 7, 2013 9:28 AM, "David" wrote: > > On 10/4/13 8:46 PM, dan at geer.org wrote: > >> I find the constant appearance of HTML e-mail here to >> be surprising. HTML improves nothing and adds risk. >> Why not have the mailing list censored down to ASCII? > > > Agreed. Although I would use the work "refined" not censored. > > Interestingly, Yahoo lists did an excellent job of stripping out such crapola and serving up useful ASCII. The other commercial mailing list services [Google, etc] don't offer it at all AFAIK. > > But Yahoo has been "improving" things... they call it NEO. As part of a larger disaster, they have removed that feature. > > Thanks for creating a new thread. This isn't the mailing lists job; it is your clients job. If you don't want to see HTML email then use a client that can't / won't interpret it. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1245 bytes Desc: not available URL: From watsonbladd at gmail.com Mon Oct 7 19:13:26 2013 From: watsonbladd at gmail.com (Watson Ladd) Date: Mon, 7 Oct 2013 19:13:26 -0700 Subject: [tor-talk] What the NSA cares about getting and defenses Message-ID: Prompted by the Ars Technica reporting on QUANTUM, I took a look at the slide and read the text, as well as compared to the MULLINIZE document describing NAT breaking. My conclusion is that the NSA obtains significant amounts of information from user activity in between closing browsers, and that current Tor Browser Bundle remains vulnerable to this attack. QUANTUM appears to rely on inserting fake references to third party assets and manipulating cookies in the requests made by the browser in response. I propose that we block third party cookies unless over HTTPS to mitigate this problem, and try to encourage users to use more frequent new identities. MULLINIZE achieves the reliable tracking of individual users behind a NAT through similar tricks. It is clear that the NSA views this information as valuable, even without real-world addresses to tie to it. Linkability across pages is difficult: breaking sessions is a major cost of the obvious no cookies approach to preventing this sort of attack. Sincerely, Watson -- tor-talk mailing list - tor-talk at lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From skquinn at rushpost.com Mon Oct 7 17:51:33 2013 From: skquinn at rushpost.com (Shawn K. Quinn) Date: Mon, 07 Oct 2013 19:51:33 -0500 Subject: HTML'ed mail In-Reply-To: References: <20131005004609.7A4A322811F@palinka.tinho.net> <5252B61E.2060303@nrk.com> Message-ID: <1381193493.12780.31220357.4FD9529D@webmail.messagingengine.com> On Mon, Oct 7, 2013, at 07:39 PM, Sandy Harris wrote: > On Mon, Oct 7, 2013 at 5:56 PM, Travis Biehn wrote: > > This isn't the mailing lists job; it is your clients job. > > If you don't want to see HTML email then use a client that can't / won't > > interpret it. > > It is the sender's job. No-one should be sending such stuff > to a public list since it serves no useful purpose. If your > client won't send clean ASCII-only email, then switch to > a client that will. > > If senders do not do that, there are four options: flame > them to a crisp (off-list, please!), let every reader handle > it, remove the HTML at the server, or set the server to > drop such messages entirely. I'd prefer the last, with > an appropriate bounce message, I think the third option is a reasonable compromise. I have reluctantly began to tolerate some HTML mail since I am doing some marketing research and consulting. But on a list like this, I agree, cute pink bunny backgrounds, funny fonts, and a number of other silly things that HTML mail allows don't belong. For that matter I can't think of one good reason to allow HTML mail. I can think of plenty of bad reasons though... -- Shawn K. Quinn skquinn at rushpost.com From sandyinchina at gmail.com Mon Oct 7 17:39:14 2013 From: sandyinchina at gmail.com (Sandy Harris) Date: Mon, 7 Oct 2013 20:39:14 -0400 Subject: HTML'ed mail In-Reply-To: References: <20131005004609.7A4A322811F@palinka.tinho.net> <5252B61E.2060303@nrk.com> Message-ID: On Mon, Oct 7, 2013 at 5:56 PM, Travis Biehn wrote: >>> I find the constant appearance of HTML e-mail here to >>> be surprising. ... > This isn't the mailing lists job; it is your clients job. > If you don't want to see HTML email then use a client that can't / won't > interpret it. It is the sender's job. No-one should be sending such stuff to a public list since it serves no useful purpose. If your client won't send clean ASCII-only email, then switch to a client that will. If senders do not do that, there are four options: flame them to a crisp (off-list, please!), let every reader handle it, remove the HTML at the server, or set the server to drop such messages entirely. I'd prefer the last, with an appropriate bounce message, From yersinia.spiros at gmail.com Mon Oct 7 12:14:35 2013 From: yersinia.spiros at gmail.com (yersinia) Date: Mon, 7 Oct 2013 21:14:35 +0200 Subject: Bruce Schneier on the good, old air gap In-Reply-To: <20131007151629.GI10405@leitl.org> References: <20131007151629.GI10405@leitl.org> Message-ID: On Mon, Oct 7, 2013 at 5:16 PM, Eugen Leitl wrote: > > http://www.wired.com/opinion/2013/10/149481/ > > Want to Evade NSA Spying? Don’t Connect to the Internet > > BY BRUCE SCHNEIER 10.07.13 6:30 AM > > Photo: Ariel Zambelich / WIRED; Illustration: Ross Patton / WIRED > > Since I started working with Snowden’s documents, I have been using a > number > of tools to try to stay secure from the NSA. The advice I shared included > using Tor, preferring certain cryptography over others, and using > public-domain encryption wherever possible. > > I also recommended using an air gap, which physically isolates a computer > or > local network of computers from the internet. (The name comes from the > literal gap of air between the computer and the internet; the word predates > wireless networks.) > > But this is more complicated than it sounds, and requires explanation. > > Since we know that computers connected to the internet are vulnerable to > outside hacking, an air gap should protect against those attacks. There > are a > lot of systems that use — or should use — air gaps: classified military > networks, nuclear power plant controls, medical equipment, avionics, and so > on. > > Osama Bin Laden used one. I hope human rights organizations in repressive > countries are doing the same. > > Air gaps might be conceptually simple, but they’re hard to maintain in > practice. The truth is that nobody wants a computer that never receives > files > from the internet and never sends files out into the internet. What they > want > is a computer that’s not directly connected to the internet, albeit with > some > secure way of moving files on and off. > > But every time a file moves back or forth, there’s the potential for > attack. > > And air gaps have been breached. Stuxnet was a U.S. and Israeli > military-grade piece of malware that attacked the Natanz nuclear plant in > Iran. It successfully jumped the air gap and penetrated the Natanz network. > Another piece of malware named agent.btz, probably Chinese in origin, > successfully jumped the air gap protecting U.S. military networks. > > These attacks work by exploiting security vulnerabilities in the removable > media used to transfer files on and off the air gapped computers. > > Bruce Schneier is a security technologist and author. His latest book is > Liars and Outliers: Enabling the Trust Society Needs to Survive. > > Since working with Snowden’s NSA files, I have tried to maintain a single > air-gapped computer. It turned out to be harder than I expected, and I have > ten rules for anyone trying to do the same: > > 1. When you set up your computer, connect it to the internet as little as > possible. It’s impossible to completely avoid connecting the computer to > the > internet, but try to configure it all at once and as anonymously as > possible. > I purchased my computer off-the-shelf in a big box store, then went to a > friend’s network and downloaded everything I needed in a single session. > (The > ultra-paranoid way to do this is to buy two identical computers, configure > one using the above method, upload the results to a cloud-based anti-virus > checker, and transfer the results of that to the air gap machine using a > one-way process.) > > 2. Install the minimum software set you need to do your job, and disable > all > operating system services that you won’t need. The less software you > install, > the less an attacker has available to exploit. I downloaded and installed > OpenOffice, a PDF reader, a text editor, TrueCrypt, and BleachBit. That’s > all. (No, I don’t have any inside knowledge about TrueCrypt, and there’s a > lot about it that makes me suspicious. But for Windows full-disk encryption > it’s that, Microsoft’s BitLocker, or Symantec’s PGPDisk — and I am more > worried about large U.S. corporations being pressured by the NSA than I am > about TrueCrypt.) > > 3. Once you have your computer configured, never directly connect it to the > internet again. Consider physically disabling the wireless capability, so > it > doesn’t get turned on by accident. > > 4. If you need to install new software, download it anonymously from a > random > network, put it on some removable media, and then manually transfer it to > the > air gapped computer. This is by no means perfect, but it’s an attempt to > make > it harder for the attacker to target your computer. > > 5. Turn off all auto-run features. This should be standard practice for all > the computers you own, but it’s especially important for an air-gapped > computer. Agent.btz used autorun to infect U.S. military computers. > > 6. Minimize the amount of executable code you move onto the air-gapped > computer. Text files are best. Microsoft Office files and PDFs are more > dangerous, since they might have embedded macros. Turn off all macro > capabilities you can on the air-gapped computer. Don’t worry too much about > patching your system; in general, the risk of the executable code is worse > than the risk of not having your patches up to date. You’re not on the > internet, after all. > > 7. Only use trusted media to move files on and off air-gapped computers. A > USB stick you purchase from a store is safer than one given to you by > someone > you don’t know — or one you find in a parking lot. > > 8. For file transfer, a writable optical disk (CD or DVD) is safer than a > USB > stick. Malware can silently write data to a USB stick, but it can’t spin > the > CD-R up to 1000 rpm without your noticing. This means that the malware can > only write to the disk when you write to the disk. You can also verify how > much data has been written to the CD by physically checking the back of it. > If you’ve only written one file, but it looks like three-quarters of the CD > was burned, you have a problem. Note: the first company to market a USB > stick > with a light that indicates a write operation — not read or write; I’ve got > one of those — wins a prize. > > 9. When moving files on and off your air-gapped computer, use the absolute > smallest storage device you can. And fill up the entire device with random > files. If an air-gapped computer is compromised, the malware is going to > try > to sneak data off it using that media. While malware can easily hide stolen > files from you, it can’t break the laws of physics. So if you use a tiny > transfer device, it can only steal a very small amount of data at a time. > If > you use a large device, it can take that much more. Business-card-sized > mini-CDs can have capacity as low as 30 MB. I still see 1-GB USB sticks for > sale. > > 10. Consider encrypting everything you move on and off the air-gapped > computer. Sometimes you’ll be moving public files and it won’t matter, but > sometimes you won’t be, and it will. And if you’re using optical media, > those > disks will be impossible to erase. Strong encryption solves these problems. > And don’t forget to encrypt the computer as well; whole-disk encryption is > the best. > > One thing I didn’t do, although it’s worth considering, is use a stateless > operating system like Tails. You can configure Tails with a persistent > volume > to save your data, but no operating system changes are ever saved. Booting > Tails from a read-only DVD — you can keep your data on an encrypted USB > stick > — is even more secure. Of course, this is not foolproof, but it greatly > reduces the potential avenues for attack. > > Yes, all this is advice for the paranoid. And it’s probably impossible to > enforce for any network more complicated than a single computer with a > single > user. But if you’re thinking about setting up an air-gapped computer, you > already believe that some very powerful attackers are after you personally. > If you’re going to use an air gap, use it properly. > > Of course you can take things further. I have met people who have > physically > removed the camera, microphone, and wireless capability altogether. But > that’s too much paranoia for me right now. > I like Bruce much, i have read all of him, every book, mostly article, from years. But no normal person would follow these advice, all smartphones should be turned off, each tablet, and every pc should be turned in a anonyomous client of an anonymous network. Sure, who believe in the paranoiamodel definitely find comfort in these indications, for example i am one. But those who follow this model, really, are following it also not in only the cyberspace, but also in the real life, every day ? Really? Internet is perhaps evil but perhaps also our world is not so a sane and secure place, sometime (or every time, depend). Best -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 9887 bytes Desc: not available URL: From zooko at leastauthority.com Mon Oct 7 14:17:14 2013 From: zooko at leastauthority.com (Zooko Wilcox-OHearn) Date: Mon, 7 Oct 2013 21:17:14 +0000 Subject: [zfs] [Review] 4185 New hash algorithm support Message-ID: Hi folks: I just joined this list because I saw this thread. I'm one of the architects of a distributed storage system named Tahoe-LAFS (https://Tahoe-LAFS.org). It has quite a few things in common with ZFS, architecturally, but it is also very different from ZFS, because it's not so much a real *filesystem* as it is like a BitTorrent that has an upload button as well as a download button. But it is like ZFS inasmuch as they both involve a heck of a lot of hashing for error-detection. I'm also an author of a secure hash function which has been designed for this kind of usage and which you should consider as an alternative to SHA-256, Edon-R, or Skein for use in ZFS. It is named BLAKE2. Here are the slides I presented about BLAKE2 at a recent academic crypto conference: ¹. ¹ https://blake2.net/acns/slides.html The slides mention ZFS. ZFS is mentioned on a slide with a list of tools that use secure hash functions for data-intensive purposes. Out of the list there, Tahoe-LAFS and ZFS are the only ones that use a hash function which is actually secure — SHA-256. The others all use hash functions that are known to be more or less unsafe — MD5 and SHA-1. So, before I go on with my pitch for why you should consider BLAKE2, first please clarify for me whether ZFS really needs a collision-resistant hash function, or whether it needs only a MAC. I had thought until now that ZFS doesn't need a collision-resistant hash unless dedup is turned on, and that if dedup is turned on it needs a collision-resistant hash. But this thread seems to indicate that even when dedup is turned on, it might be possible to use a MAC, by having a pool-wide secret to use for the MAC key… If I understand correctly (which I probably don't), that would make it impossible for anyone who doesn't know the secret to cause collisions during dedup, but still possible for someone who knows the secret (presumably root on that system, or someone who stole the secret) to generate blocks that would collide during dedup. If you used a collision-resistant hash for that purpose, then nobody would be able to cause collisions. If you need a MAC, I suggest Poly1305-AES. It is very efficient, has a nice proof that it is as secure as AES is, and it is part of a new proposed cipher suite for TLS ². ² http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-01 If you need a collision-resistant hash function, I suggest BLAKE2. It is more efficient than SHA-256, Skein, or Keccak (see ³), and it has a better reputation among cryptographers than Edon-R has. In fact, BLAKE2's parent, BLAKE, was rated by NIST as being even more well-studied than Keccak was — see my slides, linked above, for quotes from NIST's final report on the SHA-3 contest. ³ http://bench.cr.yp.to/results-hash.html#amd64-hydra8 I get the impression that BLAKE2 has gotten a certain "mind-share" among cryptographers, because after this article ⁴ from the Center for Democracy and Technology came out, questioning NIST's plans to modify SHA-3 to improve its performance, there has been a heated discussion on the SHA-3 mailing list, and several of the cryptographers in that discussion (including the inventors of Keccak) have mentioned BLAKE2 as an example of a high-performance hash function. There has been one academic research paper analyzing BLAKE2 so far: ⁵ (in addition to a ton of them analyzing its predecessor, BLAKE, during the SHA-3 contest). ⁴ https://www.cdt.org/blogs/joseph-lorenzo-hall/2409-nist-sha-3 ⁵ http://eprint.iacr.org/2013/467 In addition to being high-performance in normal single-stream mode, BLAKE2 comes with parallelized modes, so that you can use 4 or 8 CPU cores to compute a hash up to 4- or 8- times as fast. You can get the academic papers, source code (both simple reference implementations and optimized implementations in various languages), test vectors, and so on: https://blake2.net Regards, Zooko Wilcox-O'Hearn Founder, CEO, and Customer Support Rep https://LeastAuthority.com Freedom matters. ------------------------------------------- illumos-zfs Archives: https://www.listbox.com/member/archive/182191/=now RSS Feed: https://www.listbox.com/member/archive/rss/182191/22842876-6fe17e6f Modify Your Subscription: https://www.listbox.com/member/?member_id=22842876&id_secret=22842876-a25d3366 Powered by Listbox: http://www.listbox.com ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From gfoster at entersection.org Mon Oct 7 19:34:52 2013 From: gfoster at entersection.org (Gregory Foster) Date: Mon, 07 Oct 2013 21:34:52 -0500 Subject: HTML'ed mail In-Reply-To: <5B58D96D3436449395FBB04F526B3EDE@openbuddha.com> References: <20131005004609.7A4A322811F@palinka.tinho.net> <5252B61E.2060303@nrk.com> <5B58D96D3436449395FBB04F526B3EDE@openbuddha.com> Message-ID: <52536F4C.6000006@entersection.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 10/7/13 7:54 PM, Al Billings wrote: > Get off my lawn! > > (top posted, of course!) > > -- Al Billings http://makehacklearn.org > > On Monday, October 7, 2013 at 5:39 PM, Sandy Harris wrote: > >> It is the sender's job. No-one should be sending such stuff to a >> public list since it serves no useful purpose. If your client >> won't send clean ASCII-only email, then switch to a client that >> will. May I propose an inductive hypothesis, akin to Godwin's Law[1]: As time passes on any email list configured to accept HTML email, the probability of the occurrence of the[2] HTML/ASCII email conversation approaches 1. gf [1] Wikipedia - "Godwin's Law" http://en.wikipedia.org/wiki/Godwin's_law [2] Note the intentional use of "the" to signify a singular conversation, as the substance of this conversation is always the same, though the outcome depends wholly on the constitution of any particular list's constituents. - -- Gregory Foster || gfoster at entersection.org @gregoryfoster <> http://entersection.com/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.19 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBCgAGBQJSU29GAAoJEMaAACmjGtgj3vcP+QGZkKHKxPwL4YIyyVscZYJ/ yLjG4NOSu7aR/s0I/WN+ambq0PHWMH7tbWtwFtcdsyrmKofJ3g5x5jlFdFtcdTHs sWrbJS0+jQtf/lv0009BHeTxlO92v0FNjfORLHITpKzuEAm4t5Yl0B9XJ3ZfE6ot aovuA/cp+nTWXm6fE09OBWVwG9GHneb8HZFozWDeqfIwrEi5jSl4vW3q/88CpYUX +Hzb+RuLlVDoWZ0MmQasjMCW8t3Cwn9NH0TFIViFRjTa1x36TmFb7ePdOeDWImBD NyDl/K4HqiE7NLNJUzRiArwaOMrFaQl7klxURlxmNc0jmRdEHeSSZe9EorcT4S9F ET977y8I4Bi0o8LxMhQbI7tCvpbGT6GC60XhtBD2uu4HkAmrRJSKz5UCfoNXjGnM v4ql15TTDangWbKAfxrSWkBRpUiSttx5xRkXtS4kXFBLP9KelzbQ614gThogzDmm l9Z5+ewAhdl25z+S+IVZTKJqAER6jAiLeDEDLD9CJ4pnUovNkd9loj8ZLuljA0xm JaP6514aXJ7UFcmPHbPlkvczuaV/En6HihRgk4P9M+srscuEIKKRvtgsptmRnwrn DDVjzjGwHh/LkfCaKJ+0/Rp88fbn6DO53XrgcgzZpKSV3ACW1rxA3wFIdWW/578y n6yj9CdenXBK5x8Hzc8+ =MdLK -----END PGP SIGNATURE----- From eugen at leitl.org Mon Oct 7 13:54:35 2013 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 7 Oct 2013 22:54:35 +0200 Subject: [Cryptography] Iran and murder Message-ID: <20131007205435.GN10405@leitl.org> ----- Forwarded message from John Kelsey ----- Date: Mon, 7 Oct 2013 12:03:20 -0400 From: John Kelsey To: Phillip Hallam-Baker Cc: "cryptography at metzdowd.com" , "James A. Donald" Subject: [Cryptography] Iran and murder Message-Id: <81634C0C-DC57-4AED-80B3-74FEDBC859B9 at gmail.com> X-Mailer: iPad Mail (10B329) Alongside Phillip's comments, I'll just point out that assassination of key people is a tactic that the US and Israel probably don't have any particular advantages in. It isn't in our interests to encourage a worldwide tacit acceptance of that stuff. I suspect a lot of the broad principles we have been pushing (assassinations and drone bombings can be done anywhere, cyber attacks against foreign countries are okay when you're not at war, spying on everyone everywhere is perfectly acceptable policy) are in the short-term interests of various powerful people and factions in the US, but are absolutely horrible ideas when you consider the long-term interests of the US. We are a big, rich, relatively free country with lots of government scientists and engineers (especially when you consider funding) and tons of our economy and our society moving online. We are more vulnerable to widespread acceptance of these bad principles than almost anyone, ultimately, But doing all these things has won larger budgets and temporary successes for specific people and agencies today, whereas the costs of all this will land on us all in the future. --John _______________________________________________ The cryptography mailing list cryptography at metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: Digital signature URL: From eugen at leitl.org Mon Oct 7 14:27:29 2013 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 7 Oct 2013 23:27:29 +0200 Subject: [zfs] [Review] 4185 New hash algorithm support Message-ID: <20131007212729.GT10405@leitl.org> ----- Forwarded message from Zooko Wilcox-OHearn ----- From eugen at leitl.org Mon Oct 7 14:55:49 2013 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 7 Oct 2013 23:55:49 +0200 Subject: Bruce Schneier on the good, old air gap In-Reply-To: References: <20131007151629.GI10405@leitl.org> Message-ID: <20131007215549.GY10405@leitl.org> On Mon, Oct 07, 2013 at 09:14:35PM +0200, yersinia wrote: > I like Bruce much, i have read all of him, every book, mostly article, > from years. But no normal person would follow these advice, all smartphones That advice is not exactly targeted towards Jane Doe. > should be turned off, each tablet, and every pc should be turned in a Some people don't have mobile phones. Others leave them at home, or remove the power pack when it matters. > anonyomous client of an anonymous network. Sure, who believe in the No. You just need to buy an offline machine, e.g. a used notebook. Separation by air gap was SOP in the intelligence community before virtualization allowed to separate trust compartments in one machine. I trust air gap much more than hypervisors. > paranoiamodel > definitely find comfort in these indications, for example i am one. But those > who follow this model, really, are following it also not in only the > cyberspace, but also in the real life, every day ? Really? Internet is I don't understand the problem. Bruce gave good basic opsec advice, what's the problem with following it up in practice but to tamper-proof against evil maid attacks? > perhaps evil but perhaps also our world is not so a sane and secure place, > sometime (or every time, depend). From joseph at josephholsten.com Mon Oct 7 21:55:09 2013 From: joseph at josephholsten.com (Joseph Holsten) Date: Tue, 8 Oct 2013 04:55:09 +0000 Subject: who are the service operators here? Message-ID: I'm currently working on both chef cookbooks and dockerfiles for a bunch of old services I used to run in the good old days (pre 2000) of cypherpunks. Boring stuff like qmail, tinydns, pgp keyserver. But I'm dying to know what fancy new services people are operating these days. Any distributed chat ops? Blob/file storage? Remailers? Bitcoin pools? In another vein, what ops do you think a self-sufficient punk ought to be running? I'm thinking I absolutely need: - Tor endpoint - vpn endpoint (openvpn?) - smtp/imap sever (what's modern?{ - file/blob server (tahoe-lafs, camlistore?) - jabber server (ejabberd?) (Yes, my homepage is showing a ruby script. No, I don't have time to fix it in situ. Thus setting up my own servers) -- ~j -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 496 bytes Desc: Message signed with OpenPGP using GPGMail URL: From kb at karelbilek.com Mon Oct 7 19:57:02 2013 From: kb at karelbilek.com (=?ISO-8859-1?Q?Karel_B=EDlek?=) Date: Tue, 8 Oct 2013 04:57:02 +0200 Subject: HTML'ed mail In-Reply-To: <52536F4C.6000006@entersection.org> References: <20131005004609.7A4A322811F@palinka.tinho.net> <5252B61E.2060303@nrk.com> <5B58D96D3436449395FBB04F526B3EDE@openbuddha.com> <52536F4C.6000006@entersection.org> Message-ID: [image: Inline image 1] On Tue, Oct 8, 2013 at 4:34 AM, Gregory Foster wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > On 10/7/13 7:54 PM, Al Billings wrote: > > Get off my lawn! > > > > (top posted, of course!) > > > > -- Al Billings http://makehacklearn.org > > > > On Monday, October 7, 2013 at 5:39 PM, Sandy Harris wrote: > > > >> It is the sender's job. No-one should be sending such stuff to a > >> public list since it serves no useful purpose. If your client > >> won't send clean ASCII-only email, then switch to a client that > >> will. > > > May I propose an inductive hypothesis, akin to Godwin's Law[1]: > > As time passes on any email list configured to accept HTML email, the > probability of the occurrence of the[2] HTML/ASCII email conversation > approaches 1. > > gf > > [1] Wikipedia - "Godwin's Law" > http://en.wikipedia.org/wiki/Godwin's_law > > [2] Note the intentional use of "the" to signify a singular > conversation, as the substance of this conversation is always the > same, though the outcome depends wholly on the constitution of any > particular list's constituents. > > - -- > Gregory Foster || gfoster at entersection.org > @gregoryfoster <> http://entersection.com/ > -----BEGIN PGP SIGNATURE----- > Version: GnuPG/MacGPG2 v2.0.19 (Darwin) > Comment: GPGTools - http://gpgtools.org > > iQIcBAEBCgAGBQJSU29GAAoJEMaAACmjGtgj3vcP+QGZkKHKxPwL4YIyyVscZYJ/ > yLjG4NOSu7aR/s0I/WN+ambq0PHWMH7tbWtwFtcdsyrmKofJ3g5x5jlFdFtcdTHs > sWrbJS0+jQtf/lv0009BHeTxlO92v0FNjfORLHITpKzuEAm4t5Yl0B9XJ3ZfE6ot > aovuA/cp+nTWXm6fE09OBWVwG9GHneb8HZFozWDeqfIwrEi5jSl4vW3q/88CpYUX > +Hzb+RuLlVDoWZ0MmQasjMCW8t3Cwn9NH0TFIViFRjTa1x36TmFb7ePdOeDWImBD > NyDl/K4HqiE7NLNJUzRiArwaOMrFaQl7klxURlxmNc0jmRdEHeSSZe9EorcT4S9F > ET977y8I4Bi0o8LxMhQbI7tCvpbGT6GC60XhtBD2uu4HkAmrRJSKz5UCfoNXjGnM > v4ql15TTDangWbKAfxrSWkBRpUiSttx5xRkXtS4kXFBLP9KelzbQ614gThogzDmm > l9Z5+ewAhdl25z+S+IVZTKJqAER6jAiLeDEDLD9CJ4pnUovNkd9loj8ZLuljA0xm > JaP6514aXJ7UFcmPHbPlkvczuaV/En6HihRgk4P9M+srscuEIKKRvtgsptmRnwrn > DDVjzjGwHh/LkfCaKJ+0/Rp88fbn6DO53XrgcgzZpKSV3ACW1rxA3wFIdWW/578y > n6yj9CdenXBK5x8Hzc8+ > =MdLK > -----END PGP SIGNATURE----- > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 3063 bytes Desc: not available URL: From joseph at josephholsten.com Mon Oct 7 22:10:27 2013 From: joseph at josephholsten.com (Joseph Holsten) Date: Tue, 8 Oct 2013 05:10:27 +0000 Subject: HTML'ed mail In-Reply-To: <1381193493.12780.31220357.4FD9529D@webmail.messagingengine.com> References: <20131005004609.7A4A322811F@palinka.tinho.net> <5252B61E.2060303@nrk.com> <1381193493.12780.31220357.4FD9529D@webmail.messagingengine.com> Message-ID: <5D70941A-2823-4140-835E-7CCC6CD9588F@josephholsten.com> On 2013-10-08, at 00:51, "Shawn K. Quinn" wrote: > On Mon, Oct 7, 2013, at 07:39 PM, Sandy Harris wrote: >> On Mon, Oct 7, 2013 at 5:56 PM, Travis Biehn wrote: >>> This isn't the mailing lists job; it is your clients job. >>> If you don't want to see HTML email then use a client that can't / won't >>> interpret it. >> >> It is the sender's job. No-one should be sending such stuff >> to a public list since it serves no useful purpose. If your >> client won't send clean ASCII-only email, then switch to >> a client that will. >> >> If senders do not do that, there are four options: flame >> them to a crisp (off-list, please!), let every reader handle >> it, remove the HTML at the server, or set the server to >> drop such messages entirely. I'd prefer the last, with >> an appropriate bounce message, > > I think the third option is a reasonable compromise. I have reluctantly > began to tolerate some HTML mail since I am doing some marketing > research and consulting. But on a list like this, I agree, cute pink > bunny backgrounds, funny fonts, and a number of other silly things that > HTML mail allows don't belong. For that matter I can't think of one good > reason to allow HTML mail. I can think of plenty of bad reasons > though... It is the user/client's responsibility. Otherwise, you are susceptible to tracking pixels. Which I include in most of my emails these days. I say as I send from my work machine, with a client that is entirely vulnerable to the things I argue are terrible. -- ~j -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 496 bytes Desc: Message signed with OpenPGP using GPGMail URL: From joseph at josephholsten.com Mon Oct 7 22:10:54 2013 From: joseph at josephholsten.com (Joseph Holsten) Date: Tue, 8 Oct 2013 05:10:54 +0000 Subject: HTML'ed mail In-Reply-To: References: <20131005004609.7A4A322811F@palinka.tinho.net> <5252B61E.2060303@nrk.com> <5B58D96D3436449395FBB04F526B3EDE@openbuddha.com> <52536F4C.6000006@entersection.org> Message-ID: <519A338D-FE7C-46B0-BEBF-5795F750909C@josephholsten.com> [shed: bike] On 2013-10-08, at 02:57, Karel Bílek wrote: > [image: Inline image 1] > > > On Tue, Oct 8, 2013 at 4:34 AM, Gregory Foster wrote: > >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA512 >> >> On 10/7/13 7:54 PM, Al Billings wrote: >>> Get off my lawn! >>> >>> (top posted, of course!) >>> >>> -- Al Billings http://makehacklearn.org >>> >>> On Monday, October 7, 2013 at 5:39 PM, Sandy Harris wrote: >>> >>>> It is the sender's job. No-one should be sending such stuff to a >>>> public list since it serves no useful purpose. If your client >>>> won't send clean ASCII-only email, then switch to a client that >>>> will. >> >> >> May I propose an inductive hypothesis, akin to Godwin's Law[1]: >> >> As time passes on any email list configured to accept HTML email, the >> probability of the occurrence of the[2] HTML/ASCII email conversation >> approaches 1. >> >> gf >> >> [1] Wikipedia - "Godwin's Law" >> http://en.wikipedia.org/wiki/Godwin's_law >> >> [2] Note the intentional use of "the" to signify a singular >> conversation, as the substance of this conversation is always the >> same, though the outcome depends wholly on the constitution of any >> particular list's constituents. >> >> - -- >> Gregory Foster || gfoster at entersection.org >> @gregoryfoster <> http://entersection.com/ >> -----BEGIN PGP SIGNATURE----- >> Version: GnuPG/MacGPG2 v2.0.19 (Darwin) >> Comment: GPGTools - http://gpgtools.org >> >> iQIcBAEBCgAGBQJSU29GAAoJEMaAACmjGtgj3vcP+QGZkKHKxPwL4YIyyVscZYJ/ >> yLjG4NOSu7aR/s0I/WN+ambq0PHWMH7tbWtwFtcdsyrmKofJ3g5x5jlFdFtcdTHs >> sWrbJS0+jQtf/lv0009BHeTxlO92v0FNjfORLHITpKzuEAm4t5Yl0B9XJ3ZfE6ot >> aovuA/cp+nTWXm6fE09OBWVwG9GHneb8HZFozWDeqfIwrEi5jSl4vW3q/88CpYUX >> +Hzb+RuLlVDoWZ0MmQasjMCW8t3Cwn9NH0TFIViFRjTa1x36TmFb7ePdOeDWImBD >> NyDl/K4HqiE7NLNJUzRiArwaOMrFaQl7klxURlxmNc0jmRdEHeSSZe9EorcT4S9F >> ET977y8I4Bi0o8LxMhQbI7tCvpbGT6GC60XhtBD2uu4HkAmrRJSKz5UCfoNXjGnM >> v4ql15TTDangWbKAfxrSWkBRpUiSttx5xRkXtS4kXFBLP9KelzbQ614gThogzDmm >> l9Z5+ewAhdl25z+S+IVZTKJqAER6jAiLeDEDLD9CJ4pnUovNkd9loj8ZLuljA0xm >> JaP6514aXJ7UFcmPHbPlkvczuaV/En6HihRgk4P9M+srscuEIKKRvtgsptmRnwrn >> DDVjzjGwHh/LkfCaKJ+0/Rp88fbn6DO53XrgcgzZpKSV3ACW1rxA3wFIdWW/578y >> n6yj9CdenXBK5x8Hzc8+ >> =MdLK >> -----END PGP SIGNATURE----- >> -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 496 bytes Desc: Message signed with OpenPGP using GPGMail URL: From juan.g71 at gmail.com Tue Oct 8 01:22:41 2013 From: juan.g71 at gmail.com (Juan Garofalo) Date: Tue, 08 Oct 2013 05:22:41 -0300 Subject: [tor-talk] Silk Road taken down by FBI In-Reply-To: <20131007092543.GM10405@leitl.org> References: <20131006122841.GZ10405@leitl.org> <5251C016.2020809@echeque.com> <20131007080201.GF10405@leitl.org> <7B9754FC91BBB496637FBC92@F74D39FA044AA309EAEA14B9> <20131007092543.GM10405@leitl.org> Message-ID: <9D855188DAB27EE582B3132C@F74D39FA044AA309EAEA14B9> --On Monday, October 07, 2013 11:25 AM +0200 Eugen Leitl wrote: > On Mon, Oct 07, 2013 at 06:01:00AM -0300, Juan Garofalo wrote: > >> But that doesn't explain how freedom hosting itself was found in >> the first place, does it? > > Let's say you run a piece of buggy PHP code as a hidden > service, on a mass hoster allowing easy signups and installation > of own code, with no hard separation of service hosted, and possibly > not even firewall the VM traffic, forcing it through Tor. That is possible, but is there evidence of that actually happening, in the case of freedom hosting? Hadn't fh been running for a couple of years, like silk road? (or more?) - If fh's security was so lousy the so called authorities should have got him (way) sooner? > > While it's possible they knew the physical host already, > there are certainly far easier ways to nail your ass, given > the above. Yes, I realize that pwning the server through a PHP exploit or the like is far easier - The main reason I see that explanation as not fully satisfactory is that the attack (if it was possible) was not tried sooner. > > It would be interesting to post a hidden service with actionable > content as a honeypot with everything done right, to see what the > parallel construct story would emerge. Indeed. >No, I'm not volunteering. hehe =) From electromagnetize at gmail.com Tue Oct 8 05:01:43 2013 From: electromagnetize at gmail.com (brian carroll) Date: Tue, 8 Oct 2013 07:01:43 -0500 Subject: NSA UTAH data center Message-ID: Power surges 'cripple NSA data centre' http://www.bbc.co.uk/news/technology-24443266 "It said civil contractors were confident the problem had been solved but a special US Army engineer investigation team had said the cause was "not yet sufficiently understood" to be sure that it would not happen again." From saftergood at fas.org Tue Oct 8 08:59:10 2013 From: saftergood at fas.org (Steven Aftergood) Date: Tue, 08 Oct 2013 08:59:10 -0700 Subject: Secrecy News -- 10/08/13 Message-ID: <181be29e41961c44cc8cf25aaf148cf5@lists.fas.org> Format Note: If you cannot easily read the text below, or you prefer to receive Secrecy News in another format, please reply to this email to let us know. SECRECY NEWS from the FAS Project on Government Secrecy Volume 2013, Issue No. 87 October 8, 2013 Secrecy News Blog: http://blogs.fas.org/secrecy/ ** CIA HALTS PUBLIC ACCESS TO OPEN SOURCE SERVICE CIA HALTS PUBLIC ACCESS TO OPEN SOURCE SERVICE For more than half a century, the public has been able to access a wealth of information collected by U.S. intelligence from unclassified, open sources around the world. At the end of this year, the Central Intelligence Agency will terminate that access. The U.S. intelligence community's Open Source Center (OSC), which is managed by the CIA, will cease to provide its information feed to the publicly accessible World News Connection as of December 31, 2013, according to an announcement from the National Technical Information Service (NTIS), which operates the World News Connection (WNC). The WNC "is an online news service, only accessible via the World Wide Web, that offers an extensive array of translated and English-language news and information," an NTIS brochure explains. "Particularly effective in its coverage of local media sources, WNC provides you with the power to identify what really is happening in a specific country or region. Compiled from thousands of non-U.S. media sources, the information in WNC covers significant socioeconomic, political, scientific, technical, and environmental issues and events." "The information is obtained from full text and summaries of newspaper articles, conference proceedings, television and radio broadcasts, periodicals, and non-classified technical reports. New information is entered into WNC every government business day. Generally, new information is available within 48-72 hours from the time of original publication or broadcast." "For over 60 years, analysts from OSC's domestic and overseas bureaus have monitored timely and pertinent open-source materials, including grey literature. Uniquely, WNC allows you to take advantage of the intelligence gathering experience of OSC," the NTIS brochure says. Soon, that will no longer be true. http://www.ntis.gov/products/wnc.aspx The WNC public feed from the Open Source Center is a highly attenuated version of what is available to official government users. Within government, copyright considerations are ignored, but for public distribution they must be respected, and so (with some exceptions) only information products whose creators have signed a royalty agreement with NTIS are publicly released. Even with that significant limitation and the attendant public subscription fees, the NTIS World News Connection has remained a highly prized resource for news reporters, foreign policy analysts, students and interested members of the public. I check it almost every day. Recently, for example, I have been following official statements from Russian officials who allege that the U.S. is covertly developing biological weapons for use against Russia in a military laboratory in the Republic of Georgia. The claim seems bizarre, but may nevertheless be politically significant. Detailed English-language coverage of the matter, or of many other stories of regional interest and importance, is not readily available elsewhere. (Moreso than in the past, however, portions of the material that is publicly accessible through WNC can be obtained elsewhere, through other news services or foreign websites.) The reasons for the decision to terminate the World News Connection are a bit obscure. Producing it is not a drain on U.S. intelligence-- the marginal costs of providing the additional feed to NTIS are close to zero. (The total budget for open source intelligence was about $384 million in FY2012, according to classified budget records obtained by the Washington Post from Edward Snowden.) However, the program is a headache for NTIS to manage, particularly since NTIS officials had to negotiate numerous contracts with media source providers to offer their products to the public. But the large majority of that work has already been accomplished, and now it will be rendered useless. Mary Webster of the Open Source Center had initially proposed to cancel the public information feed as of September 30, according to an NTIS official. Then she was persuaded to grant a six month reprieve. But in the end, a cut-off date of December 31, 2013 was set. If that comes to pass, it will be a blow to researchers and proponents of public intelligence. The Federation of American Scientists had previously argued that the U.S. government should actually expand public access to open source intelligence by publishing all unclassified, uncopyrighted Open Source Center products. ("Open Up Open Source Intelligence," Secrecy News, August 24, 2011.) Instead, even the current range of publications will no longer be systematically released. (Only a small fraction of publicly unreleased OSC records ever seem to leak.) http://blogs.fas.org/secrecy/2011/08/open_up_osint/ Although the Open Source Center is managed by the Central Intelligence Agency, it is formally a component of the Office of the Director of National Intelligence. Yet the move the terminate public access to OSC products seemed to catch the ODNI unawares. "Obviously our attention is on a possible lapse in appropriations, but we are looking into this," said an ODNI spokesman on September 30, just before the government shutdown. "The information provided through NTIS makes an irreplaceable contribution to U.S. national security," wrote Prof. Gary G. Sick of Columbia University in an October 1999 letter, in response to a previous proposal to curtail coverage in the World News Connection. The World News Connection "informs us about other countries in ways that otherwise would be nearly impossible," Dr. Sick wrote. "It costs virtually nothing in comparison with almost any other national security system. It is not as sexy as a bomber or a missile, but its contributions to national security can be attested to by generations of policy-makers. I was in the White House during the Iranian revolution and the hostage crisis, and my respect for the power of this information was born at that time. I often found it more helpful than the reams of classified material that came across my desk at the NSC." http://www.fas.org/irp/fbis/sicklet.html _______________________________________________ Secrecy News is written by Steven Aftergood and published by the Federation of American Scientists. The Secrecy News Blog is at: http://www.fas.org/blog/secrecy/ To SUBSCRIBE to Secrecy News, go to: http://blogs.fas.org/secrecy/subscribe/ To UNSUBSCRIBE, go to http://blogs.fas.org/secrecy/unsubscribe/ OR email your request to saftergood at fas.org Secrecy News is archived at: http://www.fas.org/sgp/news/secrecy/index.html Support the FAS Project on Government Secrecy with a donation: https://members.fas.org/donate _______________________ Steven Aftergood Project on Government Secrecy Federation of American Scientists web: www.fas.org/sgp/index.html email: saftergood at fas.org voice: (202) 454-4691 twitter: @saftergood ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From eugen at leitl.org Tue Oct 8 01:52:49 2013 From: eugen at leitl.org (Eugen Leitl) Date: Tue, 8 Oct 2013 10:52:49 +0200 Subject: [tor-talk] Convergence and Exit Nodes Message-ID: <20131008085249.GF10405@leitl.org> ----- Forwarded message from Sean Alexandre ----- Date: Mon, 7 Oct 2013 21:21:49 -0400 From: Sean Alexandre To: tor-talk at lists.torproject.org Subject: [tor-talk] Convergence and Exit Nodes Message-ID: <20131008012149.GA17533 at tuzo> User-Agent: Mutt/1.5.21 (2010-09-15) Reply-To: tor-talk at lists.torproject.org In light of FoxAcid and the NSA hijacking traffic coming out of exit nodes [1], I'm wondering about the possibilities for building counter measures into exit nodes. To start it might be something as simple as bundling some type alternate CA system such Convergence into exit nodes [2]. Have exit nodes compare what they're seeing, and raise a flag if they see anything suspicious. Over time this could be built out into a fuller set of tools: honey pot HTTP requests to get more info on odd certs and DNS responses, etc. Run responses through automated Tor Browser Bundles on VMs that do system monitoring to watch for exploits, etc, etc. It seems this is an area with a lot of potential for increasing the safety of Tor users. The main goal would be to more quickly expose 0days being used to compromise users, and get them fixed. Also, to flag suspicious IP addresses. Thoughts? [1] http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity [2] https://en.wikipedia.org/wiki/Convergence_%28SSL%29 -- tor-talk mailing list - tor-talk at lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: Digital signature URL: From eugen at leitl.org Tue Oct 8 02:09:52 2013 From: eugen at leitl.org (Eugen Leitl) Date: Tue, 8 Oct 2013 11:09:52 +0200 Subject: [tor-talk] What the NSA cares about getting and defenses Message-ID: <20131008090952.GG10405@leitl.org> ----- Forwarded message from Watson Ladd ----- From tedks at riseup.net Tue Oct 8 09:02:50 2013 From: tedks at riseup.net (Ted Smith) Date: Tue, 08 Oct 2013 12:02:50 -0400 Subject: [tor-talk] Silk Road taken down by FBI In-Reply-To: <9D855188DAB27EE582B3132C@F74D39FA044AA309EAEA14B9> References: <20131006122841.GZ10405@leitl.org> <5251C016.2020809@echeque.com> <20131007080201.GF10405@leitl.org> <7B9754FC91BBB496637FBC92@F74D39FA044AA309EAEA14B9> <20131007092543.GM10405@leitl.org> <9D855188DAB27EE582B3132C@F74D39FA044AA309EAEA14B9> Message-ID: <1381248170.20637.3.camel@anglachel> On Tue, 2013-10-08 at 05:22 -0300, Juan Garofalo wrote: > That is possible, but is there evidence of that actually > happening, in the > case of freedom hosting? > > Hadn't fh been running for a couple of years, like silk road? > (or more?) - > If fh's security was so lousy the so called authorities should have > got him > (way) sooner? The Wired articles mention that the FBI and the operator "struggled for control of the servers" by changing passwords on each other. You're ignoring the fact that once a server is exploited, it's an unbounded road from there to actionable, convictable evidence. Suppose the Freedom Hosting operator only ever logged in via SSH over another hidden service endpoint. How would the FBI find him? What if the servers they compromised were VMs with traffic forced through Tor? What if they were some other crazy configuration dreamed up by someone hosting a hidden service hosting service? For DPR, we know he got lazy, and more than that, that he was extremely sloppy. I'd bet that the Freedom Hosting guy was a similar situation. There are plenty of illegal *websites* that haven't been busted yet. -- Sent from Ubuntu -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part URL: From wb8foz at nrk.com Tue Oct 8 09:42:55 2013 From: wb8foz at nrk.com (David) Date: Tue, 08 Oct 2013 12:42:55 -0400 Subject: Feds Arrest Alleged Top Silk Road Drug Seller In-Reply-To: <20131008151550.GW10405@leitl.org> References: <20131008151550.GW10405@leitl.org> Message-ID: <5254360F.7060507@nrk.com> So the obvious question not getting much coverage in the mainstream press: How much domestic work is the Fort doing to carry the FBI's baggage in these recent cases? Is it legal? Separately: I seem to recall a story a few years back about the Fort helping the Feebees on a crypto ops, but not the details. Does that trigger any neurons here? From jamesdbell8 at yahoo.com Tue Oct 8 13:10:49 2013 From: jamesdbell8 at yahoo.com (Jim Bell) Date: Tue, 8 Oct 2013 13:10:49 -0700 (PDT) Subject: Feds Arrest Alleged Top Silk Road Drug Seller In-Reply-To: <5254360F.7060507@nrk.com> References: <20131008151550.GW10405@leitl.org> <5254360F.7060507@nrk.com> Message-ID: <1381263049.86292.YahooMailNeo@web141204.mail.bf1.yahoo.com>     You asked, "is it legal?".  Well, I (happily) no longer have access to the Lexis Law Library computers in prison, so I can't easily look up legal precedent.  However, I don't think that much precedent will exist on this issue:  It is 'cutting edge' law.  Chances are good that it isn't legal, in the sense that it hasn't been declared legal.  From what I read on recent CP messages, it sounds like the Feds are engaging in what would be, if done by non-government types, illegal 'cracking'.  Flooding a server in a denial of service attack is presumably illegal today, if done in America, and also if done in America directed against foreign hardware/software.  Placing malware is probably also illegal in such situations.  And since one of the servers in question is in France, French law would presumably apply as well.  (It is possible those government-types who engaged in these actions are now criminals, from the standpoint of French law, or even American law, although perhaps nothing will be done about that.)    The next question is, "Can the fruits of these activities be used in court against [fill in the blanks]?".  There is a doctrine in American law called "Fruit of the poisonous tree" see   http://en.wikipedia.org/wiki/Fruit_of_the_poisonous_tree  , which generally prohibits the use of evidence obtained by the commission of a crime.  But since this doctrine was initiated many decades ago, long before the Internet era, it cannot be certain  how this principle will be applied to computer communications.   http://www.law.cornell.edu/wex/fruit_of_the_poisonous_tree     Actually, I was on numerous occasions the victim precisely this kind of activity:  The car I drove (in June 1998 and April 2000-October 2000) had a GPS tracking transmitter placed on it, without a warrant.  (the then-current legal thinking was that no such warrant was required; in 1999 there was a Ninth Circuit Court of Appeals case, US v. McIver, that upheld this idea, although that case was quite distinguishable from mine because in the McIver case, there was 1.  A real crime.   2.  That the vehicle and the defendant were connected to.  (Neither of which existed in my case June 1998 or April 2000-October 2000.)  Curiously, despite the presence of the tracking device probably as early as April 2000, the Feds went through the motions of getting a (secret, of course) warrant for a DIFFERENT tracking device in late October, 2000, omitting any mention of the fact that they had such a tracker already placed for many months.  A lawyer would use this as evidence of deception by the Feds, and of admission that they knew that the previously-placed tracker was illegal:  Otherwise, why bother obtaining that October 2000 warrant, if they could have used the information from the previous device at any trial?    In January 2012, in a case U.S. v. Jones, the Supreme Court decided that placing such transmitters (even if the car in question is on publicly-accessible property) required a warrant:  In other words, to do so without a warrant is illegal and a violation of the 4th Amendment to the U.S. Constitution.      Don't think I was unaware of the (likely) placement of that 2000 tracking device.  I virtually assumed such a thing was there.  But, try as I might, I couldn't get my crooked, colluding attorney (Robert Leen, appointed about November 21, 2000) to demand the fruit of that previous (2000, and 1998) tracking devices for trial.  It isn't that the information thus collected was important in itself:  Rather, the mere fact that a tracking device was placed (without probable cause, or reasonable suspicion that any crime had been, was being, or would be committed, would have exposed a lot of the criminality committed by the Feds.  They would have had to answer the question, "Why did you place those tracking devices on Mr. Bell's car, if you had no reason to believe there was a legitimate law-enforcement reason to do so?".    I attempted to fire attorney Leen about December 8, 2000, when he refused to actually defend me by looking for and asking for such evidence.  (The evidence I already knew existed.)     Curiously, Andy Greenberg (author of "This Machine Kills Secrets") falsely claimed in his book that I had fired every lawyer I was given.  The truth is more enlightening:  In fact, I didn't fire (or even attempt to fire) my first lawyer, Peter Avenia:  He resigned, against my opposition to that, in early-mid-1999.  Every subsequent lawyer I had I ATTEMPTED to fire, yet in each case I was unsuccessful at accomplishing that.  I attempted to fire them when I verified that they were intending to betray me; but I was in all cases entirely unsuccessful at firing them.  They were allowed to stay by the judge, purporting to 'represent' me for many months or even years, until they were successful at doing the damage to me that they intended to do.  At that point, and ONLY at that point, did they leave, usually by requesting the judge to allow them to resign.  So it is accurate to claim that I never 'fired' any lawyer:  I was never allowed to do so.     Note:  Andy Greenberg could have avoided a great deal of error in his writing if he had merely sent to me a copy of what he intended to write, to give me the opportunity to correct it.  He didn't.      Jim Bell ________________________________ From: David To: cypherpunks at cpunks.org Sent: Tuesday, October 8, 2013 9:42 AM Subject: Re: Feds Arrest Alleged Top Silk Road Drug Seller So the obvious question not getting much coverage in the mainstream press:     How much domestic work is the Fort doing to     carry the FBI's baggage in these recent cases?     Is it legal? Separately: I seem to recall a story a few years back about the Fort helping the Feebees on a crypto ops, but not the details. Does that trigger any neurons here? -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 7256 bytes Desc: not available URL: From jvictors at jessevictors.com Tue Oct 8 12:23:48 2013 From: jvictors at jessevictors.com (Jesse Victors) Date: Tue, 08 Oct 2013 13:23:48 -0600 Subject: [tor-relays] NSA's "Tor Stinks" Message-ID: <52545BC4.3020106@jessevictors.com> I recently ran across several articles related to the NSA's attempts at cracking Tor and de-anonymizing its users. They are after terrorists and other individuals who seek to do harm of course, but their work obviously has implications into other Tor users, the vast majority of whom use Tor for legal and proper activities. So far, it appears that the cryptographic standards and protocols implemented by the Tor devs appear to be holding, which I find interesting. The NSA has been trying other methods to figure out Tor, including identifying and then infecting user machines, trying to control/hijack the Tor network, or by influencing the network as a whole, and they've had a very small amount of success, but not much. One thing that was especially interesting to me (and I expect to everyone on this mailing list) is that they are trying to control more relays via cooperation or direct access, which can then be used for timing attacks or disruptions to the users. They are also trying to shape traffic to friendly exits. For anyone interested, I would highly recommend these links: http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document http://www.bbc.co.uk/news/technology-24429332 http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack-tor-network-encryption Also, from http://www.theguardian.com/world/interactive/2013/oct/04/tor-high-secure-internet-anonymity it appears that their opinion of Tails is that it "adds severe CNE misery to [the] equation". These are all highly informative articles, and it appears that Tor is remaining resilient to their efforts, as long as people (including relay/exit operators) use the latest software, remain aware that Tor doesn't protect them in all aspects, and as long as there are enough non-NSA relays and exits (we need more!) such that everything they see still remains encrypted and anonymous. Interesting I say. Jesse V. _______________________________________________ tor-relays mailing list tor-relays at lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From lee at guardianproject.info Tue Oct 8 13:39:08 2013 From: lee at guardianproject.info (Lee Azzarello) Date: Tue, 8 Oct 2013 16:39:08 -0400 Subject: NSA UTAH data center In-Reply-To: References: Message-ID: I guess inventing new math to break crypto has some physics problems. -lee On Tue, Oct 8, 2013 at 3:28 PM, Lodewijk andré de la porte wrote: > The massive quantum computer has unpredictable power consumption. > > > 2013/10/8 brian carroll >> >> Power surges 'cripple NSA data centre' >> http://www.bbc.co.uk/news/technology-24443266 >> >> "It said civil contractors were confident the problem had been >> solved but a special US Army engineer investigation team had said the >> cause was "not yet sufficiently understood" to be sure that it would >> not happen again." > > From eugen at leitl.org Tue Oct 8 08:15:50 2013 From: eugen at leitl.org (Eugen Leitl) Date: Tue, 8 Oct 2013 17:15:50 +0200 Subject: Feds Arrest Alleged Top Silk Road Drug Seller Message-ID: <20131008151550.GW10405@leitl.org> https://krebsonsecurity.com/2013/10/feds-arrest-alleged-top-silk-road-drug-seller/ Feds Arrest Alleged Top Silk Road Drug Seller Federal authorities last week arrested a Washington state man accused of being one of the most active and sought-after drug dealers on the online black market known as the “Silk Road.” Meanwhile, new details about the recent coordinated takedown of the Silk Road became public, as other former buyers and sellers on the fraud bazaar pondered who might be next and whether competing online drug markets will move in to fill the void. NOD's feedback from Silk Road buyers, according to the government. A complaint unsealed Oct. 2 by the U.S. District Court for the Western District of Washington at Seattle alleges that Steven Lloyd Sadler, 40, of Bellevue, Wash., used the nickname “NOD” on the Silk Road, and was among the “top one percent of sellers” on the Silk Road, selling high-quality cocaine, heroin and methamphetamine in small, individual-use amounts to hundreds of buyers around the world. Investigators with the FBI and U.S. Post Office inspectors say they tracked dozens of packages containing drugs allegedly shipped by Sadler and a woman who was living with him at the time of his arrest. Authorities tied Sadler to the Silk Road after intercepting a package of cocaine and heroin destined for an Alaskan resident. That resident agreed to cooperate with authorities in the hopes of reducing his own sentence, and said he’d purchased the drugs from NOD via the Silk Road. Agents in Seattle sought and were granted permission to place GPS tracking devices on Sadler’s car and that of his roommate, Jenna White, also charged in this case. Investigators allege that the tracking showed the two traveled to at least 38 post offices in the Seattle area during the surveillance period. Interestingly, the investigators used the feedback on NOD’s Silk Road seller profile to get a sense of the volume of drugs he sold. Much like eBay sellers, merchants on the Silk Road are evaluated by previous buyers, who are encouraged to leave feedback about the quality of the seller’s goods and services. According to the government, NOD had 1,400 reviews for individual sales/purchases of small amounts of drugs, including: 2,269.5 grams of cocaine, 593 grams of heroin and 105 grams of meth. The complaint notes that these amounts don’t count sales going back more than five months prior to the investigation, when NOD first created his Silk Road vendor account. Cryptome has published a copy of the complaint (PDF) against Sadler. A copy of Sadler’s case docket is here. NOD’s reputation on the Silk Road also was discussed for several months on this Reddit thread. Many readers of last week’s story on the Silk Road takedown have been asking what is known about the locations of the Silk Road servers that were copied by the FBI. It’s still unclear how agents gained access to those servers, but a civil forfeiture complaint released by the Justice Department shows that they were aware of five, geographically dispersed servers that were supporting the Silk Road, either by directly hosting the site and/or hosting the Bitcoin wallets that the Silk Road maintains for buyers and sellers. Two of those servers were located in Iceland, one in Latvia, another in Switzerland, and apparently one in the United States. See the map above. As if the subset of Bitcoin users who frequented the Silk Road already didn’t have enough to worry about, there are indications that the individual(s) responsible for creating a competing Tor-based drug market — SheepMarketplace — may have made some missteps that could make it easier for authorities to discover the true location of that fraud bazaar as well. Check out this Reddit thread for more on that. Also, there are some indications that a Silk Road 2.0 is in the works, at least according to DailyGadgetry.com. If that doesn’t work out, perhaps would-be future Dread Pirate Robertses will turn to Bitwasp, a budding Github project which aims to provide open source code for setting up standalone markets using Bitcoin. “I think what you’re going to see is that a lot of me-too communities spring up and get squished pretty quickly,” said Nicholas Weaver, a researcher at the International Computer Science Institute (ICSI) and at University of California San Diego. “Part of the reason why the Silk Road was so useful was that it was so popular, and a half dozen smaller markets could be far less efficient than these larger markets. But personally, I’m betting we’ll soon see a fair number of them.” Finally, it seems a large number of Bitcoin users have been spending tiny fractions of their coinage to send messages to the FBI’s Bitcoin address on Blockchain. Some of the love letters to the FBI are amusing, such as, “All your Bitcoins are belong to us,” while others sound a defiant tone, including this one: ”One star is born as another fades away. Which one will come next? is my favorite riddle.” Said a girl puffing rings in a dot, dot, dash haze. “No worry, No hurry. They can’t stop the signal.” Update, Oct. 8, 2013: The BBC is reporting that four men have been arrested in the U.K. for alleged drug offenses on the Silk Road, and that more arrests are expected in the coming weeks. The BBC quotes the U.K. National Crime Agency as saying such sites would are a “key priority.” From eugen at leitl.org Tue Oct 8 08:35:45 2013 From: eugen at leitl.org (Eugen Leitl) Date: Tue, 8 Oct 2013 17:35:45 +0200 Subject: [zs-p2p] how to use Tor securely (Re: Silk Road founder arrested ...) Message-ID: <20131008153545.GX10405@leitl.org> ----- Forwarded message from Tony Arcieri ----- From jamesdbell8 at yahoo.com Tue Oct 8 20:00:04 2013 From: jamesdbell8 at yahoo.com (Jim Bell) Date: Tue, 8 Oct 2013 20:00:04 -0700 (PDT) Subject: legal game-theory, case for smart-contracts & snow crash (Re: A CEO who resisted NSA spying is out of prison.) In-Reply-To: <20131007094818.GA2671@netbook.cypherspace.org> References: <20131004094627.GF10405@leitl.org> <20131004100232.GA3061@netbook.cypherspace.org> <524EA5B7.5040609@echeque.com> <1380913178.94018.YahooMailNeo@web141201.mail.bf1.yahoo.com> <1381121877.79525.YahooMailNeo@web141202.mail.bf1.yahoo.com> <20131007094818.GA2671@netbook.cypherspace.org> Message-ID: <1381287604.40903.YahooMailNeo@web141206.mail.bf1.yahoo.com>     I don't think I'm ignoring game-theory as much as you may think I am.  Obviously, people who are independently wealthy (and particularly if they have high incomes) are powerfully motivated to challenge any charges.  To them that $5,000 reward will have little effect at all.  The reason I think 'denial-of-disservice' will work is that a very large fraction of (current) Federal criminal defendants are not well financed, and in some cases many will view a few months (or years) in the pen as being tolerable.  There are probably 40,000 illegal-aliens, mostly drug smugglers.  A whole slew of bank-robbers.  A large fraction of the rest are there due to drug cases.  Only a very small proportion of those prisoners are the kind of wealthy, savvy people that you are describing.  Now, understand that one reason I believe what I do is because of a great deal of experience in observing the system first-hand, and it would take a long time to expose you to enough facts to demonstrate why I believe the things I do.  Your analysis is seemingly plausible if every defendant in question is independently rich, white-collar, and intelligent, but most prisoners don't have those advantages.      I understand why (in theory) plea-bargaining is done.  The problem, it's been horribly misused:  It was, no doubt, used in 1980 when there were about 20,000 Federal prisoners.  But rather than keeping the total prisoner population down and within reasonable limits, they decided to 'blow up the balloon' as far as they could, and thus the current figure is 220,000 prisoners.  'Plea bargaining' is precisely what made this abuse possible.   It WASN'T because people suddenly (or even gradually, over time) decided to commit 11 times as much crime as before!  This is a clue (!) that this increase in prisoner population isn't an unavoidable outcome, but in fact is entirely artificial and certainly avoidable endpoint.  http://www.forbes.com/sites/walterpavlo/2013/08/12/no-matter-the-dojs-announcement-the-federal-prison-population-will-grow/       I don't disagree with your idea of capping convictions (by law) at, say, 10,000 per year, at least as a concept: In fact, I can see that it would be a great step forward.  But the difficulty is, how can that be done?  Is it possible to force it on 'the system'?  And given America's corrupt/incompetent/malicious Congress, would they have a reason to vote in such a limitation?   They voted for the legislation that brought us to where we are now, and have tolerated it for 30+ years.   What I am proposing ought to work with that effect, even better, but without any need to convince these guys that it's a good outcome.   (Even better:  My idea amounts to a system to cap convictions at perhaps 5,000 per year, limited not by 'law' but instead to clog the system with its own detritus.)      Another solution I'd implement ("if I were King...") would be to prohibit sentencing convicted defendants at more than 10% greater than the time offered in the plea agreement (If the plea agreement offered 36 months, the ending sentence if convicted would be no greater than 39.6 months):  The current system only tries 5% of the defendants by jury; if sentences were limited to that 10% upgrade, far more defendants would demand a jury trial, and that would 'automatically' limit the number of defendants who could be convicted.  So, that would be a solution.  But getting Congress to approve such a change in law would be difficult or impossible.  (At least without AP-type convincing.)   I think America's Founding Fathers would have been astonished to learn that the jury system has been so obviously subverted as it is today.  But I am not in any way confident that such a solution could, in fact, be implemented, particularly against the will (and, thus, the influence) of the hundreds of thousands of people (cops, lawyers, judges, prison guards) who profit from the current system.      Also, I should mention that there have been and are a lot of illegal (not legal) activities in regards to Federal criminal sentencing over the last 13 years.  In 2000 there was a case called 'Apprendi v. New Jersey', which started out on the right track but all Federal appeals courts rejected the application of its principle to Federal criminal cases.  Then there was Blakely v. Washington (2004) which further expanded the thrust of the principle.  Unfortunately, an evil bitch named Ginsburg screwed up things in a truly wacky Supreme Court case called U.S. v. Booker (2005)  http://en.wikipedia.org/wiki/United_States_v._Booker    , completely backsliding in this line of cases.  Probably none of you reading the CP list have any idea what an atrocious history these cases had, especially Booker, but they are in large part why I have absolutely no confidence at all that the Federal 'criminal justice' system has any hope of being repaired, except perhaps by AP or 'denial of disservice attack' methods.             Jim Bell ________________________________ From: Adam Back To: Jim Bell Cc: grarpamp ; "cypherpunks at cpunks.org" ; Adam Back Sent: Monday, October 7, 2013 2:48 AM Subject: legal game-theory, case for smart-contracts & snow crash (Re: A CEO who resisted NSA spying is out of prison.) I think maybe you are neglecting game theory for the accused, its hard to incentivize people to act in their collective interests, when they are thinking of their own future freedom and lost earning capacity.  I imagine you even have researched the statistics for this, but to summarise the game theory scenario: plea bargaining clearly results in less accurate justice (more innocent people do jail time), but has the real-politic benefit of reducing the cost of implementing justice.  The usual pattern (made up average numbers) is accept the plea do a discounted (lower than sentencing guideline) 3 years, reject the plea, the prosecution will make less reasonable/inflated charges (higher than sentencing guidelines, based on more tenuous/unlikey to be provable charges) threatening a scary 30 years, which in reality will be moderated down by a judge if the accused has the money for a decent lawyer to 5 years, if they lose, or 0 years if they win; if they are relying on an overworked, less capable public defender because they dont have the money to buy proper representation, their chances of winning are lower, and if they lose their post-trial sentencing will be higher at 10 years. Now law is a remarkably imprecise subject, especially when muddied with some not-so-scrupulous and politically motivated prosecutors, police entrapment, police bias (push for conviction based on opinion/bias, but statements given disproportionate weight by a system that believes it's officers over the public).  (Prosecutors and police are politically motivated because their career depends on conviction rates, headlines).  The system seems to largely ignore or not give adequate weight to investigating significant prosecutorial abuse or police bias.  Prosecutorial abuse has to be strongly proven, and the perpetrators are career ambitiuous, and legally qualified so know the grey areas they can exploit where the abuse will be unprovable even when it is very rarely alleged, or actually prosecuted.  Like police they have the benefit of the doubt, in a judicial system that favors its own officers, and so they are defacto largely immune from sanction from even significant systemic abuse, unless stupid enough to be caught red handed with with a smoking gun.  Which is to say even if you have millions to your name for the most capable legal defense, and completely innocent with reasonable but not iron clad alibi, its still subject to a high degree of randomness depending on political motivations surrounding. So therefore people will not fully follow game theory of going for the lowest expected sentencing.  Ie if p is probabity of winning, and the numbers above: then its 3 vs expected (p*0+(1-p)*5) so even p=2.5 its 2.5 expected vs 3, so if that was an investment you'd say good lets do it.  But if its choice between 3years and no more stress, vs legal defense cost and years of stress followed by 5 years if you're unlucky.  The dillema still holds if the odds p=0.75 and you have lots of money I suspect sadly that thats about as high as p gets for many areas of law.  You also have to factor in the loss of income (at the average income for prisoners) into the equation, and a premium because people would sooner earn less and have their freedom. You cant reform the system via kickstart fund and incentivize people to not accept pleas, well not at $5k anyway, because they'd need compensation for lost earnings and a huge loss of liberty premium if they lose, a stress premium for going to trial, and expenses for high quality legal defense. Those figures may no longer make game theory economic sense for society, though I do think the centuries old principle that its more important for one innocent party to go free than 100 guilty to be imprisoned is not properly incorporated into the current system as plea bargaining removes most of that intended objective. Even with best attempts at fairness and balance from police, prosecutor and judge (and there are genuine public spirited ethical people in some of those roles, who would ignore the perverse career motivations on principle, so it probably happens some of the time), the outcome STILL has an unfair plea imbalance and STILL high randomness.  Its an imperfect system even under the most favorable conditions. I think the solution is to politically vote to arbitrarily cap the incarceration rate to 10,000/annum; the justice system is not allowed to go over that limit by law.  They will then focus on cases where they think the incarceration is of most value to society (eg of making the public safer by taking a violent criminal off the streets).  Maybe the cap should be adjusted based on false conviction rates, if the false conviction rate increases, the cap decreases.  Independent review of potential prosecutor abuses should be increased.  Also the system should be restructured to remove the career/political motivation for prosecutors to achieve high conviction rates.  Their conviction rate should include a heavy mallus for a false conviction, so they strive to avoid convicting innocent people, and the system should somehow be adjusted to be less adversarial and to remove sentencing penalties for going to trial.  eg Maybe the trial sentencing level and charges should be set by an independent neutral body, not the prosecutor, with the objective of keeping the trial and plea sentencing the same.  Maybe simpler bargaining should be made illegal. Another specific problem in the US is its a one dollar one vote system, and operating privatized prisons is a high profit business.  The prison operators votes therefore likely outweigh the proportion of the public that is aware of the system problems or care enough to vote about it.  I believe other eg european justice systems are in fact less prone to these issues. So another solution is to vote with your feet. Basically in such a system you want to avoid even interacting with the legal system or justice system, period.  Even volutarily interacting as a random by-stander is unfortunately likely to be net loss to your finances or even freedoms.  Even to complain publicly about the defects of the system is probably risky once you have interacted with them.  Which is ridiculous but thats the reality. And finally some of the laws on the books are ridiculous on their face in the opinions of the accused's peers.  eg computer abuse act which sees Weev in jail and such like stories, and the sentencing guidelines are also often ridiculous and non-proportional eg the sentencing threats to Swartz for what was probably not even a copyright crime (going on the theory from his previous activism pattern that he was aiming to republish the subset of articles that were public domain).  His trial sentencing threat was above a 1st degree homicide with iron clad evidence, something's got to be wrong with that.  The sentencing board are failing in their task.  Something should also be done to restrict scope for judicial vengence also - Swartz made a mockery of a stupid law, with his previous popularly supported activism stunt, and so prosecutors were out to get him. Also legal systems generally seem to lag 50-200 years behind the opinions of the public Some jurisdictions are better than others, but the system of case law mixed with precedent creates a built in brake on legal theory evolution. Out of touch with reality and public opinion prosecutors, judges and sentencing another issue.  Probably law should be restricted to 1MByte of ascii text and any law not approved by 90% referendum (1 person one vote, not 1 dollar one vote) struck off automatically every year. This state of significantly imperfect, and hard to reform, high cost legal system issue is why smart-contracts look so attractive.  Its not even obvious how to improve the legal systems and they evolve slowly and resist experimental change.  Mathematical aprior enforcement, deference to mutually agreed competing impartial arbitrators for dispute.  Pseudonymous smart-contracting parties FTW.  Of course it doesnt work for in-person crimes, except in a "Snow Crash" sense (cometing legal systems/governments in the same physical space) but a justice system that leant heavily on smart-contracts and refused as a principle to revise contracts where both parties received competent legal advice, nor overturn arbitrator decisions, would be a step forward for society. Adam On Sun, Oct 06, 2013 at 09:57:57PM -0700, Jim Bell wrote: >  Subject: Re: A CEO who resisted NSA spying is out of prison. >  >$5000 to just enter not guilty and likely pay an attorney to defend >  >it / accept dismissal may seem realistic. Thing is, that doesn't >  >leave much payout to defendant. And a fair number of those pleas >  >will be going to trial. That entails conviction risk, and regardless >  >of time dealt, that risk will carry a higher price. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 20461 bytes Desc: not available URL: From coderman at gmail.com Tue Oct 8 20:20:31 2013 From: coderman at gmail.com (coderman) Date: Tue, 8 Oct 2013 20:20:31 -0700 Subject: legal game-theory, case for smart-contracts & snow crash (Re: A CEO who resisted NSA spying is out of prison.) In-Reply-To: <1381287604.40903.YahooMailNeo@web141206.mail.bf1.yahoo.com> References: <20131004094627.GF10405@leitl.org> <20131004100232.GA3061@netbook.cypherspace.org> <524EA5B7.5040609@echeque.com> <1380913178.94018.YahooMailNeo@web141201.mail.bf1.yahoo.com> <1381121877.79525.YahooMailNeo@web141202.mail.bf1.yahoo.com> <20131007094818.GA2671@netbook.cypherspace.org> <1381287604.40903.YahooMailNeo@web141206.mail.bf1.yahoo.com> Message-ID: On Tue, Oct 8, 2013 at 8:00 PM, Jim Bell wrote: > ... Probably none of you reading the CP list > have any idea what an atrocious history these cases had, especially Booker, > but they are in large part why I have absolutely no confidence at all that > the Federal 'criminal justice' system has any hope of being repaired, except > perhaps by AP or 'denial of disservice attack' methods. Jim, you're preaching to the choir. i am certain that one day, on our present course, Booker reasoning will be applied to CFAA conspiracy resulting in a grey hat hacker convicted and sentenced under the most extreme interpretation of potential harm for un-utilized 0day(s). scores of lifetimes penance compelled for considering the possibilities of the "weird machine"... a brave new world indeed! From l at odewijk.nl Tue Oct 8 12:28:39 2013 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Tue, 8 Oct 2013 21:28:39 +0200 Subject: NSA UTAH data center In-Reply-To: References: Message-ID: The massive quantum computer has unpredictable power consumption. 2013/10/8 brian carroll > Power surges 'cripple NSA data centre' > http://www.bbc.co.uk/news/technology-24443266 > > "It said civil contractors were confident the problem had been > solved but a special US Army engineer investigation team had said the > cause was "not yet sufficiently understood" to be sure that it would > not happen again." > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 874 bytes Desc: not available URL: From ali at packetknife.com Tue Oct 8 19:38:41 2013 From: ali at packetknife.com (Ali-Reza Anghaie) Date: Tue, 8 Oct 2013 22:38:41 -0400 Subject: [drone-list] Joshua Foust on LARs Message-ID: On Tue, Oct 8, 2013 at 10:34 PM, Gregory Foster wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > National Journal (Oct 8) - "Soon, Drones May Be Able to Make Lethal > Decisions on Their Own" by @JoshuaFoust: > http://www.nationaljournal.com/national-security/soon-drones-may-be-able-to-make-lethal-decisions-on-their-own-20131008 > > This unusual article is belied by its title, as it seems to marshal > evidence against the likelihood of military usage of lethal autonomous > robots (LARs) citing the very real fear of political consequences. > But freelance journalist Joshua Foust is a hawk and military realist, > so here's his hidden suggestion offered after illustrating how command > and control is a weak link in the global drone war machine: > >> It may be that the only way to make a drone truly secure is to >> allow it to make its own decisions without a human controller: if >> it receives no outside commands, then it cannot be hacked (at least >> as easily). And that's where LARs, might be the most attractive. > > gf I find his tone here curious since he is also quite insistent that NSA abuse is fairly mundane and - while agreeing with calls for more technical controls - seems perfectly happy to consider the existing ones good enough to agree with the NSA's assertions "no harm, no foul".. I also think that assertion of human control is glib-ludicrous, especially after calling out (rightfully) Greenwald's sudden "expertise" on all matters technical. I like Foust generally but he keeps getting the idea of controls balanced against human activity wrong IMO. -Ali -- Want to unsubscribe? Want to receive a weekly digest instead of daily emails? Change your preferences: https://mailman.stanford.edu/mailman/listinfo/drone-list or email companys at stanford.edu ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From g13005 at gmail.com Tue Oct 8 22:57:12 2013 From: g13005 at gmail.com (Chris Olesch) Date: Wed, 9 Oct 2013 00:57:12 -0500 Subject: NSA UTAH data center In-Reply-To: References: Message-ID: That datacenter has been open 8 days and already a crisis. I find it hard to believe they can compare themselves against facilities like Equinix. Especially if the NSA needs more than 10Mega Watts of power all to themselves. :) “Building C7 in Utah provides our customers with data center designs and operational mantras that address many concerns the IT buyer has today; such as low disaster risk, abundant low latency connectivity options, future proofing power and cooling, and a footprint they can grow in — all at a lower cost. C7 in Utah offers a cost-effective alternative to the Las Vegas, Phoenix, and Denver markets and is well on par with data centers from Equinix (EQIX), CyrusOne (CONE), and Digital Realty Trust (DRT). The customer experience is our focus, and our designs to provide uninterruptible power and cooling are paramount.” http://www.c7dc.com/company/newsroom/c7-data-centers-launches-new-95000-foot-data-center-and-office-complex-in-utah/ -- -- -Christopher Olesch *"Affordable IT Services for Non-Profit & Small Business"* || http://www.ngotechnology.org/ || http://www.linkedin.com/in/chrisoleschjr *Masonic Affiliations:* || http://www.scottishritechicago.org || http://www.supremecouncil.org/ || http://www.ilmason.org/ *Online Artistic Portfolio* || http://cjolesch.deviantart.com/ On Tue, Oct 8, 2013 at 3:39 PM, Lee Azzarello wrote: > I guess inventing new math to break crypto has some physics problems. > > -lee > > On Tue, Oct 8, 2013 at 3:28 PM, Lodewijk andré de la porte > wrote: > > The massive quantum computer has unpredictable power consumption. > > > > > > 2013/10/8 brian carroll > >> > >> Power surges 'cripple NSA data centre' > >> http://www.bbc.co.uk/news/technology-24443266 > >> > >> "It said civil contractors were confident the problem had been > >> solved but a special US Army engineer investigation team had said the > >> cause was "not yet sufficiently understood" to be sure that it would > >> not happen again." > > > > > > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 3422 bytes Desc: not available URL: From grarpamp at gmail.com Wed Oct 9 00:54:39 2013 From: grarpamp at gmail.com (grarpamp) Date: Wed, 9 Oct 2013 03:54:39 -0400 Subject: legal game-theory, case for smart-contracts & snow crash (Re: A CEO who resisted NSA spying is out of prison.) In-Reply-To: References: <20131004094627.GF10405@leitl.org> <20131004100232.GA3061@netbook.cypherspace.org> <524EA5B7.5040609@echeque.com> <1380913178.94018.YahooMailNeo@web141201.mail.bf1.yahoo.com> <1381121877.79525.YahooMailNeo@web141202.mail.bf1.yahoo.com> <20131007094818.GA2671@netbook.cypherspace.org> <1381287604.40903.YahooMailNeo@web141206.mail.bf1.yahoo.com> Message-ID: On Tue, Oct 8, 2013 at 11:20 PM, coderman wrote: > On Tue, Oct 8, 2013 at 8:00 PM, Jim Bell wrote: >> ... they are in large part why I have absolutely no confidence at all that >> the ... system has any hope of being repaired, except >> perhaps by AP or 'denial of disservice attack' methods. > > Jim, you're preaching to the choir. Aye, lest any be unfamiliar with history... once systems begin engaging in self protection, there is little hope in repair, ever. At that point, only the fight has meaning, and keeps the fighters going, until, one day, they tear down that wall and step through to start anew, that noble cause which compelled them to fight. No one's words here, but those of history. Perhaps one day history will break from its well worn pattern of renewal and begin to record a novel continuum. An interesting day that will be. From nathan at guardianproject.info Wed Oct 9 02:53:49 2013 From: nathan at guardianproject.info (Nathan of Guardian) Date: Wed, 09 Oct 2013 05:53:49 -0400 Subject: [guardian-dev] Gibberbot: add strong encryption level Message-ID: <525527AD.9060905@guardianproject.info> On 10/09/2013 01:28 AM, Satz Klauer wrote: > Sorry, I don't agree with you. Servers are "secured" by self-signed > certificates mainly. If not the whole certificate thingy itself is not > secure (as we have seen last years where certificate authorities have > been hacked and crackers have created their own, fully valid but wrong > certificates). Gibberbot v12 (aka "ChatSecure") does not use any Certificate Authority root trust anymore. We either use certificate pinning for known services like Google, Dukgo, Facebook, etc, or we present a dialog with the certificate information for manual verification. That said, as others have pointed out, the *entire* point of OTR is that you are not trusting the transport encryption or chat server with your message encryption. Even if the server is 100% compromised, you have a means to know that your session is being MITM'd as well, if you perform the verify stap. More on that below... > So key exchange is done via an insecure channel, a person does not > know who gets the key or if there is a man in the middle. So this > mechanism provides some elusory security. OTR provides two mechanisms for verification of a key, and we have worked to make it very easy in Gibberbot/CS to perform this operation, through a few actions. Once you start an OTR session up, you are prompted to "Tap to verify". This brings up the profile dialog box with three options 1) Manually verify fingerprint of the person you are chatting with by visually comparing your fingerprints (over the phone, etc) 2) Scan the fingerprint of the person using a QR code / barcode scanner, if you are standing near them 3) Use a Question+Answer or Shared Secret method to authenticate session (based on the OTR "Socialist Millionaire" protocol) from inside the OTR chat itself Once you've done this, you can trust that your session is private and not being intercepted. Otherwise, your concept about generating static keys outside of the session, and pre-sharing and verifying them directly with your contact is great... it's called OpenPGP! Many people have been asking to add some form of PGP support into Gibberbot/CS, and we are considering it. +n _______________________________________________ Guardian-dev mailing list Post: Guardian-dev at lists.mayfirst.org List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev To Unsubscribe Send email to: Guardian-dev-unsubscribe at lists.mayfirst.org Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/eugen%40leitl.org You are subscribed as: eugen at leitl.org ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From jya at pipeline.com Wed Oct 9 04:55:39 2013 From: jya at pipeline.com (John Young) Date: Wed, 09 Oct 2013 07:55:39 -0400 Subject: NSA UTAH data center In-Reply-To: References: Message-ID: The NSA Data Center is bit more complicated than the usual commercial hotel or center, and perhaps is unprecedented, thus haunted by errata. It is composed of two apparently identical facilities, mirror images of one another, connected by an administrative block. Each facility has a data unit, a pair of 16-generator units, a bank of cooling towers, fuel tanks and appurtances. There is a single conventional electrical sub-station for the complex. It is it not known if both facilities were affected or only one of them. Nor is not known whether the power surges came from the conventional electrical power system or the generators, or from testing the emergency shutdown of the conventional and the kick-in of the back-up gen sets. Perhaps both powered up briefly simultaneously, overloaded surge protectors failed, excessive juice blasted the cables, panels, processors. The relatively small dollar amounts indicate that only some parts were affected. An odd feature is the banana shape, with non-parallel units, whether for aesthetics or to avoid some unknown richochet of parallelism so common in DoD and most other facilities. Imagine that the lack of parallelism, surely due to the conceit of crazed design architects eager to be different from insanely rational engineers, caused bizarre effects, or the engineers fought back with the customary make-work sabotage. This theory is most pleasing to this nuthouse designer. It fits the welter of new USG facilities worldwide which appear to have been designed by and for the bureaucratcially insane, aptly, expense not even considered, exemplary bloat essential, security bollixed to the max, national debt boosting cost over-runs and late completion obligatory for congressional inspection junkets, followed quickly by applaudable manifold jobs making repair of faults, corrections of errant design, IG investigations squelched and bigger appropriations next time. For evidence peruse the the bloated list of USG and commercial work by the data center architects, KlingStubbins. This is USACE and GSA heaven-sent pork unbridled by modesty of pre-911 war-winding-down pecuniousness. http://www.klingstubbins.com/clientlist/clientlist_alphabetical.html Then see the twisted edifice psycholpathology spread: the mirror-funhouse new headquarters for Canadian Communications Security Establishment in which the architects have been Boozed-Allened to barbarize disorienting havoc in concert with the agency's mission to cackle and banshee at the humongous wastage: http://www.hdrinc.com/portfolio/communications-security-establishment-canada-csec-long-term-accommodation-project This is what has come from the massively copulating Internet, data, metadata, teradata, supercalifornication data. Imaginary only to be sure, processors idled, generators asleep, power errantly dribbling like release of Snowden's imaginary booze distillery. From hallam at gmail.com Wed Oct 9 05:44:05 2013 From: hallam at gmail.com (Phillip Hallam-Baker) Date: Wed, 9 Oct 2013 08:44:05 -0400 Subject: [Cryptography] Iran and murder Message-ID: On Wed, Oct 9, 2013 at 12:44 AM, Tim Newsham wrote: > > We are more vulnerable to widespread acceptance of these bad principles > than > > almost anyone, ultimately, But doing all these things has won larger > budgets > > and temporary successes for specific people and agencies today, whereas > > the costs of all this will land on us all in the future. > > The same could be (and has been) said about offensive cyber warfare. > I said the same thing in the launch issue of cyber-defense. Unfortunately the editor took it into his head to conflate inventing the HTTP referer field etc. with rather more and so I can't point people at the article as they refuse to correct it. I see cyber-sabotage as being similar to use of chemical or biological weapons: It is going to be banned because the military consequences fall far short of being decisive, are unpredictable and the barriers to entry are low. STUXNET has been relaunched with different payloads countless times. So we are throwing stones the other side can throw back with greater force. We have a big problem in crypto because we cannot now be sure that the help received from the US government in the past has been well intentioned or not. And so a great deal of time is being wasted right now (though we will waste orders of magnitude more of their time). At the moment we have a bunch of generals and contractors telling us that we must spend billions on the ability to attack China's power system in case they attack ours. If we accept that project then we can't share technology that might help them defend their power system which cripples our ability to defend our own. So a purely hypothetical attack promoted for the personal enrichment of a few makes us less secure, not safer. And the power systems are open to attack by sufficiently motivated individuals. The sophistication of STUXNET lay in its ability to discriminate the intended target from others. The opponents we face simply don't care about collateral damage. So I am not impressed by people boasting about the ability of some country (not an ally of my country BTW) to perform targeted murder overlooks the fact that they can and likely will retaliate with indiscriminate murder in return. I bet people are less fond of drones when they start to realize other countries have them as well. Lets just stick to defense and make the NATO civilian infrastructure secure against cyber attack regardless of what making that technology public might do for what some people insist we should consider enemies. -- Website: http://hallambaker.com/ _______________________________________________ The cryptography mailing list cryptography at metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From moritz at headstrong.de Tue Oct 8 23:57:32 2013 From: moritz at headstrong.de (Moritz) Date: Wed, 09 Oct 2013 08:57:32 +0200 Subject: NSA UTAH data center Power Consumption FOIA Message-ID: <5254FE5C.3040000@headstrong.de> https://www.muckrock.com/foi/united-states-of-america-10/nsas-utah-data-center-tax-communications-5715/#724978-payment-required "This is a request under the Freedom of Information Act. I hereby request the following records: A copy of any letters, emails, or other communications sent or received by the NSA to any representatives of Utah government agencies or policy makers regarding utility rates and taxes in connection with the NSA's Utah Data Center and/or Utah HB325." "As stated in our previous letter dated 14 June 2013, and based on the information you provided in your letter, you are considered an "all other" requester. You must pay for search time in excess of 2 hours and duplication in excess of 100 pages. We have expended your two free hours of search and some responsive records were located within that timeframe. A detailed review to determine the releasability of this information is required. We estimate that the costs involved to further search for material responsive to your request will be approximately $264.00. " From eugen at leitl.org Wed Oct 9 00:58:18 2013 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 9 Oct 2013 09:58:18 +0200 Subject: [drone-list] Joshua Foust on LARs Message-ID: <20131009075818.GK10405@leitl.org> ----- Forwarded message from Ali-Reza Anghaie ----- From companys at stanford.edu Wed Oct 9 10:01:52 2013 From: companys at stanford.edu (Yosem Companys) Date: Wed, 09 Oct 2013 10:01:52 -0700 (PDT) Subject: [liberationtech] The Unintended Consequences of Internet Diffusion: Evidence from Malaysia - CDDRL Message-ID: <20130929032139.14625.98397@domU-12-31-39-0A-A0-4F> http://cddrl.stanford.edu/events/7900 The Unintended Consequences of Internet Diffusion: Evidence from Malaysia Program on Liberation Technology Seminar Series DATE AND TIME October 10, 2013 4:30 PM - 6:00 PM AVAILABILITY Open to the public No RSVP required SPEAKER Luke Miner - Data Scientist at Stanford University Abstract: Can the introduction of the Internet undermine incumbent power in a semi-authoritarian regime? I examine this question using evidence from Malaysia, where the incumbent coalition lost its 40-year monopoly on power in 2008. I develop a novel methodology for measuring Internet penetration, matching IP addresses with physical locations, and apply it to the 2004 to 2008 period in Malaysia. Using distance to the backbone to instrument for endogenous Internet penetration, I find that areas with higher Internet penetration experience higher voter turnout and higher candidate turnover, with the Internet accounting for one-third of the 11% swing against the incumbent party in 2008. The results suggest that, in the absence of the Internet, the opposition would not have achieved its historic upset in the 2008 elections. Luke Miner is a recent Ph.D. in Economics from the London School of Economics. He was also a postdoctoral fellowship at the Center on Democracy, Development and the Rule of Law (CDDRL) in the Liberation Technology program. He is currently working as a data scientist in the tech sector. Miner’s research interests are political economy and development economics. In particular, he aims to quantitatively assess the effect of the Internet and new media on political accountability, development, and election outcomes. His past research finds a strong effect of Internet diffusion on results of Malaysia's 2008 elections, where it contributed to the ruling coalition's largest electoral setback in thirty years. His current research looks at the effect of the Internet on the 2008 US presidential elections, in particular as a means of promoting campaign contributions. LOCATION Wallenberg Theater Wallenberg Hall 450 Serra Mall, Building 160 Stanford, Ca 94305-2055 -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu. ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From joseph at josephholsten.com Wed Oct 9 03:24:13 2013 From: joseph at josephholsten.com (Joseph Holsten) Date: Wed, 9 Oct 2013 10:24:13 +0000 Subject: NSA UTAH data center In-Reply-To: References: Message-ID: Due diligence for datacenters is hard. Power and network claims are easy to make on paper. It's easy to just pay for equinix or supernap, but how do you prove you can actually handle their reqs when competitive bidding doesn't involve setting up a proof of concept install and load test? Much less prove QoS or response time or other things that you can't possibly compare on paper. Though I imagine the fort's ability to vet SLAs in contracts and enforce those clauses is way beyond most legal entities. On 2013-10-09, at 05:57, Chris Olesch wrote: > That datacenter has been open 8 days and already a crisis. I find it hard to believe they can compare themselves against facilities like Equinix. Especially if the NSA needs more than 10Mega Watts of power all to themselves. :) > > “Building C7 in Utah provides our customers with data center designs and operational mantras that address many concerns the IT buyer has today; such as low disaster risk, abundant low latency connectivity options, future proofing power and cooling, and a footprint they can grow in — all at a lower cost. C7 in Utah offers a cost-effective alternative to the Las Vegas, Phoenix, and Denver markets and is well on par with data centers from Equinix (EQIX), CyrusOne (CONE), and Digital Realty Trust (DRT). The customer experience is our focus, and our designs to provide uninterruptible power and cooling are paramount.” > > http://www.c7dc.com/company/newsroom/c7-data-centers-launches-new-95000-foot-data-center-and-office-complex-in-utah/ > > -- > -- > -Christopher Olesch > > "Affordable IT Services for Non-Profit & Small Business" > || http://www.ngotechnology.org/ > || http://www.linkedin.com/in/chrisoleschjr > > Masonic Affiliations: > || http://www.scottishritechicago.org > || http://www.supremecouncil.org/ > || http://www.ilmason.org/ > > Online Artistic Portfolio > || http://cjolesch.deviantart.com/ > > > On Tue, Oct 8, 2013 at 3:39 PM, Lee Azzarello wrote: > I guess inventing new math to break crypto has some physics problems. > > -lee > > On Tue, Oct 8, 2013 at 3:28 PM, Lodewijk andré de la porte wrote: > > The massive quantum computer has unpredictable power consumption. > > > > > > 2013/10/8 brian carroll > >> > >> Power surges 'cripple NSA data centre' > >> http://www.bbc.co.uk/news/technology-24443266 > >> > >> "It said civil contractors were confident the problem had been > >> solved but a special US Army engineer investigation team had said the > >> cause was "not yet sufficiently understood" to be sure that it would > >> not happen again." > > > > > > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 496 bytes Desc: Message signed with OpenPGP using GPGMail URL: From joseph at josephholsten.com Wed Oct 9 03:37:24 2013 From: joseph at josephholsten.com (Joseph Holsten) Date: Wed, 9 Oct 2013 10:37:24 +0000 Subject: legal game-theory, case for smart-contracts & snow crash (Re: A CEO who resisted NSA spying is out of prison.) In-Reply-To: <1381287604.40903.YahooMailNeo@web141206.mail.bf1.yahoo.com> References: <20131004094627.GF10405@leitl.org> <20131004100232.GA3061@netbook.cypherspace.org> <524EA5B7.5040609@echeque.com> <1380913178.94018.YahooMailNeo@web141201.mail.bf1.yahoo.com> <1381121877.79525.YahooMailNeo@web141202.mail.bf1.yahoo.com> <20131007094818.GA2671@netbook.cypherspace.org> <1381287604.40903.YahooMailNeo@web141206.mail.bf1.yahoo.com> Message-ID: <5A939395-DDAB-45E2-95FC-D44365B98BDC@josephholsten.com> On 2013-10-09, at 03:00, Jim Bell wrote: > [...] I have absolutely no confidence at all that the Federal 'criminal justice' system has any hope of being repaired, except perhaps by AP or 'denial of disservice attack' methods. To sidetrack entirely, what would you consider a reasonable system? -- ~j -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 496 bytes Desc: Message signed with OpenPGP using GPGMail URL: From eugen at leitl.org Wed Oct 9 02:37:07 2013 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 9 Oct 2013 11:37:07 +0200 Subject: Attacking Tor: how the NSA targets users' online anonymity Message-ID: <20131009093707.GQ10405@leitl.org> (Use VM jails with amnesiac distros like Tails for daily browsing, separate security compartments using CubeOS and related, use air gap with USB sneakernet (using *nix with no USB autorun) to encrypt/decrypt and maintain sensitive information in general). http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity Attacking Tor: how the NSA targets users' online anonymity Secret servers and a privileged position on the internet's backbone used to identify users and attack target computers Bruce Schneier theguardian.com, Friday 4 October 2013 15.50 BST Tor is a well-designed and robust anonymity tool, and successfully attacking it is difficult. Photograph: Magdalena Rehova/Alamy The online anonymity network Tor is a high-priority target for the National Security Agency. The work of attacking Tor is done by the NSA's application vulnerabilities branch, which is part of the systems intelligence directorate, or SID. The majority of NSA employees work in SID, which is tasked with collecting data from communications systems around the world. According to a top-secret NSA presentation provided by the whistleblower Edward Snowden, one successful technique the NSA has developed involves exploiting the Tor browser bundle, a collection of programs designed to make it easy for people to install and use the software. The trick identified Tor users on the internet and then executes an attack against their Firefox web browser. The NSA refers to these capabilities as CNE, or computer network exploitation. The first step of this process is finding Tor users. To accomplish this, the NSA relies on its vast capability to monitor large parts of the internet. This is done via the agency's partnership with US telecoms firms under programs codenamed Stormbrew, Fairview, Oakstar and Blarney. The NSA creates "fingerprints" that detect http requests from the Tor network to particular servers. These fingerprints are loaded into NSA database systems like XKeyscore, a bespoke collection and analysis tool which NSA boasts allows its analysts to see "almost everything" a target does on the internet. Using powerful data analysis tools with codenames such as Turbulence, Turmoil and Tumult, the NSA automatically sifts through the enormous amount of internet traffic that it sees, looking for Tor connections. Last month, Brazilian TV news show Fantastico showed screenshots of an NSA tool that had the ability to identify Tor users by monitoring internet traffic. The very feature that makes Tor a powerful anonymity service, and the fact that all Tor users look alike on the internet, makes it easy to differentiate Tor users from other web users. On the other hand, the anonymity provided by Tor makes it impossible for the NSA to know who the user is, or whether or not the user is in the US. After identifying an individual Tor user on the internet, the NSA uses its network of secret internet servers to redirect those users to another set of secret internet servers, with the codename FoxAcid, to infect the user's computer. FoxAcid is an NSA system designed to act as a matchmaker between potential targets and attacks developed by the NSA, giving the agency opportunity to launch prepared attacks against their systems. Once the computer is successfully attacked, it secretly calls back to a FoxAcid server, which then performs additional attacks on the target computer to ensure that it remains compromised long-term, and continues to provide eavesdropping information back to the NSA. Exploiting the Tor browser bundle Tor is a well-designed and robust anonymity tool, and successfully attacking it is difficult. The NSA attacks we found individually target Tor users by exploiting vulnerabilities in their Firefox browsers, and not the Tor application directly. This, too, is difficult. Tor users often turn off vulnerable services like scripts and Flash when using Tor, making it difficult to target those services. Even so, the NSA uses a series of native Firefox vulnerabilities to attack users of the Tor browser bundle. According to the training presentation provided by Snowden, EgotisticalGiraffe exploits a type confusion vulnerability in E4X, which is an XML extension for Javascript. This vulnerability exists in Firefox 11.0 – 16.0.2, as well as Firefox 10.0 ESR – the Firefox version used until recently in the Tor browser bundle. According to another document, the vulnerability exploited by EgotisticalGiraffe was inadvertently fixed when Mozilla removed the E4X library with the vulnerability, and when Tor added that Firefox version into the Tor browser bundle, but NSA were confident that they would be able to find a replacement Firefox exploit that worked against version 17.0 ESR. The Quantum system To trick targets into visiting a FoxAcid server, the NSA relies on its secret partnerships with US telecoms companies. As part of the Turmoil system, the NSA places secret servers, codenamed Quantum, at key places on the internet backbone. This placement ensures that they can react faster than other websites can. By exploiting that speed difference, these servers can impersonate a visited website to the target before the legitimate website can respond, thereby tricking the target's browser to visit a Foxacid server. In the academic literature, these are called "man-in-the-middle" attacks, and have been known to the commercial and academic security communities. More specifically, they are examples of "man-on-the-side" attacks. They are hard for any organization other than the NSA to reliably execute, because they require the attacker to have a privileged position on the internet backbone, and exploit a "race condition" between the NSA server and the legitimate website. This top-secret NSA diagram, made public last month, shows a Quantum server impersonating Google in this type of attack. The NSA uses these fast Quantum servers to execute a packet injection attack, which surreptitiously redirects the target to the FoxAcid server. An article in the German magazine Spiegel, based on additional top secret Snowden documents, mentions an NSA developed attack technology with the name of QuantumInsert that performs redirection attacks. Another top-secret Tor presentation provided by Snowden mentions QuantumCookie to force cookies onto target browsers, and another Quantum program to "degrade/deny/disrupt Tor access". This same technique is used by the Chinese government to block its citizens from reading censored internet content, and has been hypothesized as a probable NSA attack technique. The FoxAcid system According to various top-secret documents provided by Snowden, FoxAcid is the NSA codename for what the NSA calls an "exploit orchestrator," an internet-enabled system capable of attacking target computers in a variety of different ways. It is a Windows 2003 computer configured with custom software and a series of Perl scripts. These servers are run by the NSA's tailored access operations, or TAO, group. TAO is another subgroup of the systems intelligence directorate. The servers are on the public internet. They have normal-looking domain names, and can be visited by any browser from anywhere; ownership of those domains cannot be traced back to the NSA. However, if a browser tries to visit a FoxAcid server with a special URL, called a FoxAcid tag, the server attempts to infect that browser, and then the computer, in an effort to take control of it. The NSA can trick browsers into using that URL using a variety of methods, including the race-condition attack mentioned above and frame injection attacks. FoxAcid tags are designed to look innocuous, so that anyone who sees them would not be suspicious. An example of one such tag [LINK REMOVED] is given in another top-secret training presentation provided by Snowden. There is no currently registered domain name by that name; it is just an example for internal NSA training purposes. The training material states that merely trying to visit the homepage of a real FoxAcid server will not result in any attack, and that a specialized URL is required. This URL would be created by TAO for a specific NSA operation, and unique to that operation and target. This allows the FoxAcid server to know exactly who the target is when his computer contacts it. According to Snowden, FoxAcid is a general CNE system, used for many types of attacks other than the Tor attacks described here. It is designed to be modular, with flexibility that allows TAO to swap and replace exploits if they are discovered, and only run certain exploits against certain types of targets. The most valuable exploits are saved for the most important targets. Low-value exploits are run against technically sophisticated targets where the chance of detection is high. TAO maintains a library of exploits, each based on a different vulnerability in a system. Different exploits are authorized against different targets, depending on the value of the target, the target's technical sophistication, the value of the exploit, and other considerations. In the case of Tor users, FoxAcid might use EgotisticalGiraffe against their Firefox browsers. FoxAcid servers also have sophisticated capabilities to avoid detection and to ensure successful infection of its targets. One of the top-secret documents provided by Snowden demonstrates how FoxAcid can circumvent commercial products that prevent malicious software from making changes to a system that survive a reboot process. According to a top-secret operational management procedures manual provided by Snowden, once a target is successfully exploited it is infected with one of several payloads. Two basic payloads mentioned in the manual, are designed to collect configuration and location information from the target computer so an analyst can determine how to further infect the computer. These decisions are made in part by the technical sophistication of the target and the security software installed on the target computer; called Personal Security Products or PSP, in the manual. FoxAcid payloads are updated regularly by TAO. For example, the manual refers to version 8.2.1.1 of one of them. FoxAcid servers also have sophisticated capabilities to avoid detection and to ensure successful infection of its targets. The operations manual states that a FoxAcid payload with the codename DireScallop can circumvent commercial products that prevent malicious software from making changes to a system that survive a reboot process. The NSA also uses phishing attacks to induce users to click on FoxAcid tags. TAO additionally uses FoxAcid to exploit callbacks – which is the general term for a computer infected by some automatic means – calling back to the NSA for more instructions and possibly to upload data from the target computer. According to a top-secret operational management procedures manual, FoxAcid servers configured to receive callbacks are codenamed FrugalShot. After a callback, the FoxAcid server may run more exploits to ensure that the target computer remains compromised long term, as well as install "implants" designed to exfiltrate data. By 2008, the NSA was getting so much FoxAcid callback data that they needed to build a special system to manage it all. From lists at pingle.org Wed Oct 9 08:59:51 2013 From: lists at pingle.org (Jim Pingle) Date: Wed, 09 Oct 2013 11:59:51 -0400 Subject: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others? Message-ID: <52557D77.6000504@pingle.org> On 10/9/2013 11:20 AM, Paul Kunicki wrote: > I think that in light of the recent news of the NSA coercing various > organizations to provide them with means to eavesdrop this message has > merit and deserves response although I doubt the NSA really needs > cooperation from these guys. Does anyone else care to comment ? As far as I'm aware, nobody has contacted us, but if they did I may not know. They aren't really interested in end-user firewalls, they want infrastructure routers. We had a discussion on this already a month ago. http://lists.pfsense.org/pipermail/list/2013-September/004543.html Our code is all open source. In addition to our own code, code is also pulled from places such as FreeBSD, OpenSSL, and so on. So while our code is clean, it might be possible that if something we depend on has a flaw (perhaps by design in an encryption algorithm...) then it might be carried over. Nothing intentional on our part, and if such a thing is discovered and the offending code is fixed, we'd pull it in ASAP. So it would be more interesting to focus on FreeBSD, OpenSSL, OpenVPN, racoon, and other similar projects upon which we depend. Jim _______________________________________________ List mailing list List at lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From eugen at leitl.org Wed Oct 9 03:02:20 2013 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 9 Oct 2013 12:02:20 +0200 Subject: [guardian-dev] Gibberbot: add strong encryption level Message-ID: <20131009100220.GR10405@leitl.org> ----- Forwarded message from Nathan of Guardian ----- From joebtfsplk at gmx.com Wed Oct 9 10:41:04 2013 From: joebtfsplk at gmx.com (Joe Btfsplk) Date: Wed, 09 Oct 2013 12:41:04 -0500 Subject: [tor-talk] Tor Weekly News — October 9th, 2013 Message-ID: <52559530.1060502@gmx.com> On 10/9/2013 10:27 AM, Lunar wrote: > ======================================================================== > Tor Weekly News October 9th, 2013 > ======================================================================== > > Welcome to the fifteenth issue of Tor Weekly News, the weekly newsletter > that covers what's happening in the world of Tor — “king of high-secure, > low-latency anonymity” [1]. > > [1] http://www.theguardian.com/world/interactive/2013/oct/04/tor-high-secure-internet-anonymity > > New tranche of NSA/GCHQ Tor documents released > ---------------------------------------------- > > ... a series of stories were published > in the Guardian and the Washington Post that detailed alleged attempts > by NSA, GCHQ, and their allies to defeat or circumvent the protection > that Tor offers its users. ... > > The documents in question [3] offer,... a summary of > attacks against Tor users and the network as a whole that they have > considered or carried out. > I'm sure Tor developers have considered the real possibility that some or all of what different agencies release, about their capabilities & successes (or lack of) against Tor - or anything else, is misinformation, designed to make the Tor Project AND users more comfortable in continuing to use TBB. Logically, if any agency or adversary divulged they can somewhat successfully track users or "infiltrate the system," then most would stop using it and a valuable method to gather information or catch "criminals" would cease to exist. Good poker players and gov'ts NEVER reveal their hands. I wouldn't take seriously anything that ANY gov't publicly reveals about their technology or intelligence capability (or lack there or). Over a long history, it's been repeatedly shown that advanced gov'ts always know more & have more technology capability, than is revealed. That is, often until decades later, when the real truth comes out. It's no different now. -- tor-talk mailing list - tor-talk at lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From gurstein at gmail.com Wed Oct 9 15:12:22 2013 From: gurstein at gmail.com (michael gurstein) Date: Wed, 9 Oct 2013 15:12:22 -0700 Subject: [liberationtech] FW: [bestbits] Rousseff & Chehade: Brazil will host world event on Internet governance in 2014 Message-ID: <0f4501cec53c$a90304a0$fb090de0$@gmail.com> A very very important post-Snowden development. Bravo to Brazil (and Chehade)! M Bestbits.net [mailto:bestbits-request at lists.bestbits.net] On Behalf Of Carlos A. Afonso Sent: Wednesday, October 09, 2013 2:46 PM To: Civil Society Internet Governance Caucus - IGC; NCSG List; BestBits List Subject: [bestbits] Rousseff & Chehade: Brazil will host world event on Internet governance in 2014 [sorry for possible duplicate posts] Dear people Here is the Google Translate English version (I did some editing) of the official report on the meeting between President Rousseff and ICANN's President and CEO Fadi Chehadé, which just happened. The original version in Brazilian Portuguese is at the end. fraternal regards --c.a. http://convergenciadigital.uol.com.br/cgi/cgilua.exe/sys/start.htm?infoid=35 107&sid=4&utm_source=twitterfeed&utm_medium=twitter#.UlXEbbOm1q8 Brazil will host world event on Internet governance >From the editor :: Convergência Digital :: 09/10/2013 Brazil will host the meeting in 2014 to discuss the necessary changes to Internet governance. After meeting with the president of the Internet Corporation for Assigned Names and Numbers (Icann, its acronym in English), Fadi Chehadé, President Dilma Rousseff agreed to meet global leaders from different sectors interested in the topic. According to Chehadé, the world counts on Brazil's leadership on this issue, after President Dilma Rousseff spoke at the opening of the 68th UN General Assembly, held in September in the United States. "The world heard the Brazilian president, who spoke with deep conviction, with great courage, and expressed the frustration that many people around the world feel about the fact that the trust relationship we have with the Internet had been broken,"said, revealing that the speech by Dilma was the motivation of his proposal for their meeting. Chehadé cited allegations of espionage involving the communication of Brazilian authorities and citizens, among them the very president, Petrobras and the Ministry of Mines and Energy. "I came to ask the president to elevate her leadership to a new level, to ensure that we can all get together around a new model of governance in which all are equal," he said. The president of Icann said that future decisions on how leaders can manage the internet should be based on the principles of the Civil Rights Framework for the Internet in Brazil which is going through the National Congress. Fadi Chehadé was yesterday (Oct.7th) with Communications Minister Paulo Bernardo, to ask for help from Brazil to start discussions about changes in the governance of the Internet, and said that the arrangements should begin this year. According to him, the need for a new governing body of the Internet requires the involvement of multiple actors, not just the government. "I understand that the internet has a new feature that requires active participation by governments, their respective agencies within the United Nations, but also in the context of users, civil society, the technicians, who after all make the Internet work," Chehadé defended. For the president of the corporation, academics and industrialists need to participate in the debate, as they reflect on rights and carry out the management of the Internet infrastructure. The president of Icann said telecommunications companies must also attend the conference."They are integral part of the family with which we must work," he said. According to Paulo Bernardo, President Dilma agreed that changes in network governance must occur multilaterally and with the participation of all actors who engage the internet, and said that "we must not allow economic, political and religious interests to interfere in the free circulation of ideas." The minister said that the suggestion of the president is that the event be held in April 2014 in Rio de Janeiro. Source : Agência Brazil -------- original in pt-br ------------- O Brasil vai sediar em 2014 o encontro para discutir as mudanças necessárias para a governança da internet. Após se encontrar com o presidente da Corporação da Internet para Atribuição de Nomes e Números (Icann, na sigla em inglês), Fadi Chehadé, a presidenta Dilma Rousseff concordou em reunir líderes globais de diferentes setores interessados no tema. De acordo com Chehadé, o mundo conta com a liderança brasileira nesta questão, depois que a Presidenta Dilma Rousseff discursou na abertura da 68ª Assembleia Geral da ONU, ocorrida em setembro nos Estados Unidos. “O mundo ouviu a Presidenta brasileira, que falou com profunda convicção, com muita coragem, e externou a frustração que muitas pessoas, em todo mundo, sentiam com o fato de que a confiança havia sido quebrada que temos com relação à internet”, disse, revelando que o discurso de Dilma foi a motivação da sua proposta para o encontro. Chehadé citou as denúncias de espionagem envolvendo a comunicação de autoridades e cidadãos brasileiros, dentre eles a própria presidenta, a Petrobras e o Ministério de Minas e Energia. “Vim solicitar à presidenta que elevasse sua liderança a um novo nível, de modo a assegurar que todos possamos nos reunir em torno de um novo modelo de governança, em que todos sejamos iguais”, afirmou. O presidente da Icann disse que as futuras decisões sobre como os líderes poderão gerir a internet devem ter como base os princípios do marco civil brasileiro, que tramita no Congresso Nacional. Fadi Chehadé esteve anteontem (7) com o ministro das Comunicações, Paulo Bernardo, a fim de pedir ajuda do Brasil para iniciar os debates sobre mudanças na governança da internet, e disse que as articulações devem começar este ano. Segundo ele, a necessidade de um novo órgão gestor da internet passa pela participação de múltiplos atores, não só do governo. “Entendo que a internet tem um novo recurso, que exige participação ativa por parte dos governos, dos seus respectivos órgãos no âmbito das Nações Unidas, mas também no âmbito dos usuários, da sociedade civil, dos técnicos, que afinal de contas fazem a internet funcionar”, defendeu Chehadé. Para o presidente da corporação, os acadêmicos e industriais precisam participar do debate, pois refletem sobre o direito e fazem a gestão da infraestrutura da internet. O presidente da Icann disse que as empresas de telecomunicações devem também participar da conferência. “Elas são parte integrante da família com a qual precisamos trabalhar”, afirmou. Segundo Paulo Bernardo, a presidenta Dilma concordou que as mudanças na governança da rede devem ocorrer de forma multilateral e com a participação de todos os atores que se envolvem a internet, e disse que não se pode “permitir que interesses econômicos, políticos e religiosos interfiram na livre circulação das ideias”. O ministro informou que a sugestão da presidenta é que o evento ocorra em abril de 2014 no Rio de Janeiro. fonte: Agência Brasil -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu. ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From taxakis at gmail.com Wed Oct 9 06:31:24 2013 From: taxakis at gmail.com (taxakis) Date: Wed, 9 Oct 2013 15:31:24 +0200 Subject: [cryptome] snaps Message-ID: <019501cec4f3$da288a30$8e799e90$@com> Backdoors revisited by Ed Felten: https://freedom-to-tinker.com/blog/felten/the-linux-backdoor-attempt-of-2003 / with a referral to: https://lwn.net/Articles/57135/ Blackhole malware exploit kit suspect arrested: http://www.bbc.co.uk/news/technology-24456988 How Lavabit Melted Down: http://www.newyorker.com/online/blogs/elements/2013/10/how-lavabit-edward-sn owden-email-service-melted-down.html ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From eugen at leitl.org Wed Oct 9 06:57:46 2013 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 9 Oct 2013 15:57:46 +0200 Subject: [cryptome] snaps Message-ID: <20131009135746.GX10405@leitl.org> ----- Forwarded message from taxakis ----- From eugen at leitl.org Wed Oct 9 06:57:54 2013 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 9 Oct 2013 15:57:54 +0200 Subject: [cryptome] snaps Message-ID: <20131009135754.GY10405@leitl.org> ----- Forwarded message from taxakis ----- Date: Wed, 9 Oct 2013 15:42:26 +0200 From: taxakis To: cryptome at freelists.org Subject: [cryptome] snaps Message-ID: <019601cec4f5$64723140$2d5693c0$@com> X-Mailer: Microsoft Office Outlook 12.0 Reply-To: cryptome at freelists.org The NSA's New Risk Analysis (Bruce Schneier): https://www.schneier.com/blog/archives/2013/10/the_nsas_new_ri.html EFF Submits Comments to 'Independent' Office of the Director of National Intelligence's Review Group: https://www.eff.org/deeplinks/2013/10/eff-submits-comments-independent-offic e-director-national-intellgences-review David Cameron endorses MI5 chief's condemnation of Snowden leaks: http://www.theguardian.com/uk-news/2013/oct/09/david-cameron-mi5-chief-edwar d-snowden-gchq-leaks UK Police Orders Registrars to Suspend Domains of Major Torrent Sites: http://torrentfreak.com/uk-police-orders-registrars-to-suspend-domains-of-ma jor-torrent-sites-131009/ Did The NSA Help With The Silk Road Investigation? http://www.forbes.com/fdc/welcome_mjx.shtml Fact: the NSA gets negligible intel from Americans' metadata. So end collection: http://www.theguardian.com/commentisfree/2013/oct/08/nsa-bulk-metadata-surve illance-intelligence ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: Digital signature URL: From measl at mfn.org Wed Oct 9 13:58:26 2013 From: measl at mfn.org (J.A. Terranson) Date: Wed, 9 Oct 2013 15:58:26 -0500 (CDT) Subject: who are the service operators here? In-Reply-To: References: Message-ID: > In another vein, what ops do you think a self-sufficient punk ought to be running? I'm thinking I absolutely need: > - Tor endpoint A word of caution: I have run both a high throughput remailer, and a low-bandwidth (3mb) TOR exit node, both in the early through mid aughts. If you are serious, you need to get you legal house in order, as you will be spending a fair bit of your time with the feebies. Make sure you have an attorney who reallyunderstands what you are doing, and make sure s/he's got a hefty retainer ($5,000.00 seemed to be about right). Also, and most importantly, make sure this legal beagle is willing to both give you their direct cellphone/pager #, but that they are willing to actually drop everything and go get your ass out of the pokey at 03:00! And yes, 03:00-06:00 really is the favorite "raid time" for a certain testosterone addled federal police agency. Don't get me wrong, I'm not saying don't do it: I think *everyone* should, at least for a years or so, for a variety of technical, political, and other reasons. But you *cannot* go in unprepared! //Alif -- Those who make peaceful change impossible, make violent revolution inevitable. An American Spring is coming: one way or another. From lunar at torproject.org Wed Oct 9 08:27:02 2013 From: lunar at torproject.org (Lunar) Date: Wed, 9 Oct 2013 17:27:02 +0200 Subject: [tor-talk] Tor Weekly News — October 9th, 2013 Message-ID: <20131009152702.GA17748@loar> ======================================================================== Tor Weekly News October 9th, 2013 ======================================================================== Welcome to the fifteenth issue of Tor Weekly News, the weekly newsletter that covers what's happening in the world of Tor — “king of high-secure, low-latency anonymity” [1]. [1] http://www.theguardian.com/world/interactive/2013/oct/04/tor-high-secure-internet-anonymity New tranche of NSA/GCHQ Tor documents released ---------------------------------------------- After a cameo appearance in previous leaked intelligence documents [2], Tor found itself at the center of attention in the latest installment of the ongoing Snowden disclosures after a series of stories were published in the Guardian and the Washington Post that detailed alleged attempts by NSA, GCHQ, and their allies to defeat or circumvent the protection that Tor offers its users. A number of source materials, redacted by the newspapers, were published to accompany the articles. The documents in question [3] offer, alongside characteristically entertaining illustrations [4], an overview of the Tor network from the point of view of the intelligence agencies, as well as a summary of attacks against Tor users and the network as a whole that they have considered or carried out. Despite the understandable concern provoked among users by these disclosures, Tor developers themselves were encouraged by the often relatively basic or out-of-date nature of the attacks described. In response to one journalist's request for comment, Roger Dingledine wrote that “we still have a lot of work to do to make Tor both safe and usable, but we don't have any new work based on these slides” [5]. Have a look at the documents yourself, and feel free to raise any questions with the community on the mailing lists or IRC channels. [2] https://blog.torproject.org/blog/tor-nsa-gchq-and-quick-ant-speculation [3] http://media.encrypted.cc/files/nsa [4] https://twitter.com/EFF/status/386291345301581825 [5] https://blog.torproject.org/blog/yes-we-know-about-guardian-article#comment-35793 tor 0.2.5.1-alpha is out ------------------------ Roger Dingledine announced [6] the first alpha release in the tor 0.2.5.x series, which among many other improvements introduces experimental support for syscall sandboxing on Linux, as well as statistics reporting for pluggable transports usage on compatible bridges. Roger warned that “this is the first alpha release in a new series, so expect there to be bugs. Users who would rather test out a more stable branch should stay with 0.2.4.x for now.” 0.2.5.1-alpha will not immediately appear on the main download pages, in order to avoid having too many versions listed at once. Please feel free to test the new release [7], and report any bugs you find! [6] https://lists.torproject.org/pipermail/tor-talk/2013-October/030269.html [7] https://www.torproject.org/dist/ How did Tor achieve reproducible builds? ---------------------------------------- At the end of June, Mike Perry announced [8] the first release of the Tor Browser Bundle 3.0 alpha series, featuring release binaries “exactly reproducible from the source code by anyone”. In a subsequent blog post [9] published in August, he explained why it mattered. Mike has just published the promised follow-up piece [10] describing how this feat was achieved in the new Tor Browser Bundle build process. He explains how Gitian [11] is used to create a reproducible build environment, the tools used to produce cross-platform binaries for Windows and OS X from a Linux environment, and several issues that prevented the builds from being entirely deterministic. The latter range from timestamps to file ordering differences when looking up a directory, with an added 3 bytes of pure mystery. There is more work to be done to “prevent the adversary from compromising the (substantially weaker) Ubuntu build and packaging processes” currently used for the toolchain. Mike also wrote about making the build of the compiler and toolchain part of the build process, cross-compilation between multiple architectures, and the work being done by Linux distributions to produce deterministic builds from their packages. If you are interested in helping, or working on your own software project, there is a lot to be learned by reading the blog post in full. [8] https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released [9] https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise [10] https://blog.torproject.org/blog/deterministic-builds-part-two-technical-details [11] http://gitian.org/howto.html Toward a new Tor Instant Messaging Bundle ----------------------------------------- A first meeting last week kicked-off the “Attentive Otter project” [12] which aims to come up with a new bundle for instant messaging. The first meeting mainly consisted in trying to enumerate the various options. In the end, people volunteered to research three different implementation ideas. Thijs Alkemade and Jurre van Bergen explored the possibilty of using Pidgin/libpurple [13] as the core component. Jurre also prepared an analysis of xmpp-client [14], together with David Goulet, Nick Mathewson, Arlo Breault, and George Kadianakis. As a third option, Mike Perry took a closer look at Instantbird/Thunderbird [15] with Sukhbir Singh. All the options have their pros and cons, and they will probably be discussed on the tor-dev mailing list and at the next “Attentive Otter” meeting. [12] https://trac.torproject.org/projects/tor/wiki/org/sponsors/Otter/Attentive [13] https://lists.torproject.org/pipermail/tor-dev/2013-October/005544.html [14] https://lists.torproject.org/pipermail/tor-dev/2013-October/005546.html [15] https://lists.torproject.org/pipermail/tor-dev/2013-October/005555.html More monthly status reports for September 2013 ---------------------------------------------- The wave of regular monthly reports from Tor project members continued this week with submissions from George Kadianakis [16], Lunar [17], Sathyanarayanan Gunasekaran [18], Ximin Luo [19], Matt Pagan [20], Pearl Crescent [21], Colin C. [22], Arlo Breault [23], Karsten Loesing [24], Jason Tsai [25], the Tor help desk [26], Sukhbir Singh [27], Nick Mathewson [28], Mike Perry [29], Andrew Lewman [30], Aaron G [31], and the Tails folks [32]. [16] https://lists.torproject.org/pipermail/tor-reports/2013-October/000346.html [17] https://lists.torproject.org/pipermail/tor-reports/2013-October/000347.html [18] https://lists.torproject.org/pipermail/tor-reports/2013-October/000348.html [19] https://lists.torproject.org/pipermail/tor-reports/2013-October/000349.html [20] https://lists.torproject.org/pipermail/tor-reports/2013-October/000350.html [21] https://lists.torproject.org/pipermail/tor-reports/2013-October/000351.html [22] https://lists.torproject.org/pipermail/tor-reports/2013-October/000352.html [23] https://lists.torproject.org/pipermail/tor-reports/2013-October/000353.html [24] https://lists.torproject.org/pipermail/tor-reports/2013-October/000354.html [25] https://lists.torproject.org/pipermail/tor-reports/2013-October/000355.html [26] https://lists.torproject.org/pipermail/tor-reports/2013-October/000356.html [27] https://lists.torproject.org/pipermail/tor-reports/2013-October/000357.html [28] https://lists.torproject.org/pipermail/tor-reports/2013-October/000358.html [29] https://lists.torproject.org/pipermail/tor-reports/2013-October/000359.html [30] https://lists.torproject.org/pipermail/tor-reports/2013-October/000360.html [31] https://lists.torproject.org/pipermail/tor-reports/2013-October/000361.html [32] https://lists.torproject.org/pipermail/tor-reports/2013-October/000362.html Tor Help Desk Roundup --------------------- A number of users wanted to know if Tor was still safe to use given the recent news that Tor users have been targeted by the NSA. We directed these users to the Tor Project's official statement on the subject [33]. One of the most popular questions the help desk receives continues to be whether or not Tor is available on iOS devices. Currently there is no officially supported solution, although more than one project has been presented [34, 35]. The United Kingdom is now one of the countries where citizens request assistance circumventing a national firewall [36]. [33] https://blog.torproject.org/blog/yes-we-know-about-guardian-article [34] https://lists.torproject.org/pipermail/tor-dev/2013-October/005542.html [35] https://trac.torproject.org/projects/tor/ticket/8933 [36] https://lists.torproject.org/pipermail/tor-talk/2013-July/029054.html Miscellaneous news ------------------ Thanks to Grozdan [37], Simon Gattner from Netzkonstrukt Berlin [38], Wollomatic [39], and Haskell [40] for setting up new mirrors of the Tor project website. [37] https://lists.torproject.org/pipermail/tor-mirrors/2013-September/000366.html [38] https://lists.torproject.org/pipermail/tor-mirrors/2013-September/000370.html [39] https://lists.torproject.org/pipermail/tor-mirrors/2013-October/000374.html [40] https://lists.torproject.org/pipermail/tor-mirrors/2013-October/000375.html Arlo Breault sent out a request for comments on a possible new version of the check.torproject.org page [41]. [41] https://lists.torproject.org/pipermail/tor-talk/2013-October/030253.html Runa Sandvik announced [42] that the Tor Stack Exchange page has moved from private beta to public beta. If you'd like to help answer Tor-related questions (or ask them), get involved now! [43] [42] https://lists.torproject.org/pipermail/tor-talk/2013-October/030269.html [43] http://tor.stackexchange.com/ Philipp Winter sent out a call for testing (and installation instructions) for the ScrambleSuit pluggable transports protocol [44]. [44] https://lists.torproject.org/pipermail/tor-talk/2013-October/030252.html Not strictly Tor-related, but Mike Perry started an interesting discussion [45] about the “web of trust” system, as found in OpenPGP. The discussion was also held on the MonkeySphere mailing list, which prompted Daniel Kahn Gilmor to reply with many clarifications regarding the various properties and processes of the current implementation. To sum it up, Ximin Luo started [46] a new documentation project [47] “to describe and explain security issues relating to identity, in (hopefully) simple and non-implementation-specific language”. [45] https://lists.torproject.org/pipermail/tor-talk/2013-September/030235.html [46] https://lists.riseup.net/www/arc/monkeysphere/2013-10/msg00000.html [47] https://github.com/infinity0/idsec/ The listmaster role has been better defined [48] and is now performed by a team consisting of Andrew Lewman, Damian Johnson, and Karsten Loesing. Thanks to them! [48] https://trac.torproject.org/projects/tor/wiki/org/operations/Infrastructure/lists.torproject.org Roger Dingledine released an official statement on the Tor project blog [49] regarding the takedown of the Silk Road hidden service and the arrest of its alleged operator. [49] https://blog.torproject.org/blog/tor-and-silk-road-takedown Fabio Pietrosanti asked [50] for reviews of “experimental Tor performance tuning for a Tor2web node.” Feel free to have a look [51] and provide feedback. [50] https://lists.torproject.org/pipermail/tor-talk/2013-October/030405.html [51] https://github.com/globaleaks/Tor2web-3.0/wiki/Performance-tuning Claudiu-Vlad Ursache announced [52] the initial release of CPAProxy [53], “a thin Objective-C wrapper around Tor”. This is the first component of a project to “release a free open-source browser on the App Store that uses this wrapper and Tor to anonymize requests.” Claudiu-Vlad left several questions open, and solicited opinions on the larger goal. [52] https://lists.torproject.org/pipermail/tor-dev/2013-October/005545.html [53] https://github.com/ursachec/CPAProxy Upcoming events --------------- Oct 09-10 | Andrew speaking at Secure Poland 2013 | Warszawa, Poland | http://www.secure.edu.pl/ | Oct 11 | Kelley @ Journalist Training Event | Helsiniki, Finland | http://www.journalistiliitto.fi/jp13/ | Nov 04-05 | 20th ACM Conference on Computer and Communications Security | Berlin, Germany | http://www.sigsac.org/ccs/CCS2013/ This issue of Tor Weekly News has been assembled by Lunar, harmony, dope457 and Matt Pagan. Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page [54], write down your name and subscribe to the team mailing list [55] if you want to get involved! [54] https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews [55] https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team -- tor-talk mailing list - tor-talk at lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From eugen at leitl.org Wed Oct 9 08:30:43 2013 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 9 Oct 2013 17:30:43 +0200 Subject: [tor-talk] Tor Weekly News =?utf-8?B?4oCU?= =?utf-8?Q?_October?= 9th, 2013 Message-ID: <20131009153043.GF10405@leitl.org> ----- Forwarded message from Lunar ----- From eugen at leitl.org Wed Oct 9 09:14:22 2013 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 9 Oct 2013 18:14:22 +0200 Subject: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others? Message-ID: <20131009161422.GL10405@leitl.org> ----- Forwarded message from Jim Pingle ----- From jim at netgate.com Wed Oct 9 09:38:50 2013 From: jim at netgate.com (Jim Thompson) Date: Wed, 9 Oct 2013 18:38:50 +0200 Subject: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others? Message-ID: Exactly, although this rule doesn’t just apply to “small companies”. Big companies have shown to just roll over and give up the customer’s data. So asking the question is stupid(*), because a lie is indistinguishable from the truth. No, the NSA hasn’t approached us about pfSense, or adding a “back door”, or anything similar. Nor has anyone else. The next step is yours. I am told that the NSA did review a version of pfSense that was made for a customer which would filter SCADA protocols. I can’t verify that or not. Note also that someone DID once accuse OpenBSD of having a problem with it’s IPSEC processing, which Theo *vehemently* denied. http://www.informationweek.com/security/vulnerabilities/openbsd-founder-believes-fbi-built-ipsec/228900037 http://marc.info/?l=openbsd-tech&m=129236621626462&w=2 Sam Leffler, about four years earlier, found a bug in the AH processing, which he fixed (in FreeBSD) and handed back to the OpenBSD. They patched same, but never gave any acknowledgement to Sam. So, maybe you should run OpenBSD. Jim * as it turns our, yes, Samantha, there is a Santa Clause^W^W^W^Ware stupid questions. On Oct 9, 2013, at 6:22 PM, Walter Parker wrote: > The big problem with asking the question "Has the NSA required you to add a back door?" is that no small company that wants to say in business can or will say yes (If they do, no one will trust/use the product unless forced themselves). The company will agree/be forced to say no. How does one tell that no from an authentic no? > > Therefore, once trust is question, the only way to be sure is to do the self review suggested earlier... > > However, from my perspective, the code in pfSense is more like to be secure than any commercial, closed source solution. See prior threads about FreeBSD security. > > > Walter > > > On Wed, Oct 9, 2013 at 9:10 AM, Thinker Rix wrote: > On 2013-10-09 19:03, Jim Thompson wrote: > (TIC mode: on) > Sorry, but I guess the whole matter - not only concerning pfSense, but the current threat to our civilization by our criminal governments as a whole - is much too serious for any "TIC-modes".. > > _______________________________________________ > List mailing list > List at lists.pfsense.org > http://lists.pfsense.org/mailman/listinfo/list > > > > -- > The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis > _______________________________________________ > List mailing list > List at lists.pfsense.org > http://lists.pfsense.org/mailman/listinfo/list _______________________________________________ List mailing list List at lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From eugen at leitl.org Wed Oct 9 09:43:18 2013 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 9 Oct 2013 18:43:18 +0200 Subject: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others? Message-ID: <20131009164318.GN10405@leitl.org> ----- Forwarded message from Jim Thompson ----- From joebtfsplk at gmx.com Wed Oct 9 16:43:56 2013 From: joebtfsplk at gmx.com (Joe Btfsplk) Date: Wed, 09 Oct 2013 18:43:56 -0500 Subject: [tor-talk] Tor Weekly News — October 9th, 2013 Message-ID: <5255EA3C.8030809@gmx.com> On 10/9/2013 5:32 PM, Juan Garofalo wrote: > > > Why hasn't Snowden published all the stuff he got from the NSA > nazis? Why hasn't he uploaded it to wikileaks for instance? Or > torrented it? > > Top 10 Reasons Snowden hasn't published his documents: 10. Wiki what? 9. Unaware of statute of limitations on publishing stolen government documents. 8. Can't find a ghost writer. 7. Been too busy traveling. 6. Worried it might hurt his chances for public office. 5. Waiting for The Presidential Medal of Freedom, for exposing violation of the Constitution. 4. Has grown fond of eating & breathing. 3. Hoping for Ambassadorship of Syria. 2. Holding them as "Get Out of Jail" card. 1. Waiting for ABC to offer movie of the week deal. -- tor-talk mailing list - tor-talk at lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From eugen at leitl.org Wed Oct 9 11:27:26 2013 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 9 Oct 2013 20:27:26 +0200 Subject: [liberationtech] The Unintended Consequences of Internet Diffusion: Evidence from Malaysia - CDDRL Message-ID: <20131009182726.GQ10405@leitl.org> ----- Forwarded message from Yosem Companys ----- From eugen at leitl.org Wed Oct 9 11:57:11 2013 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 9 Oct 2013 20:57:11 +0200 Subject: [tor-talk] Tor Weekly =?utf-8?Q?News_?= =?utf-8?B?4oCU?= October 9th, 2013 Message-ID: <20131009185711.GT10405@leitl.org> ----- Forwarded message from Joe Btfsplk ----- From electromagnetize at gmail.com Wed Oct 9 19:11:57 2013 From: electromagnetize at gmail.com (brian carroll) Date: Wed, 9 Oct 2013 21:11:57 -0500 Subject: NSA data centre power surges & unknowns... Message-ID: Lodewijk andré de la porte wrote: > The massive quantum computer has unpredictable power consumption. Lee Azzarello wrote: > I guess inventing new math to break crypto has some physics problems. these comments has me contemplating what a large-scale networked quantum computer installation would involve.. and to what extent the image of racks of servers may note correlate with the computing technology inside the boxes, or in some percentage of the data centre. in other words- how would a quantum installation differ from the classical computer systems of the last many decades- would they be of yet another smaller scale or would an installation inherently be enormous. what if the data centre was all quantum computing in terms of the data throughput - do these numbers correlate or are different approaches to security calculations required is it possible that a 'computer within a computer' could exist, such that a quantum chip could be embedded and use a classical electronic based system, that is, some form of stealth or hidden computing that occurs in a parallel hidden framework, including for networking data. could ethernet or fibre channel be used or would it need to be different, say tuned resonant circuits computing in other dimensionality. would such an installation be possible and be manageable via secondary, zoned interface, and not noticeable, especially if sealed into processors or chips and thus tamper- and inspection-proof. to what extent may the data centre be a Spruce Goose or Glomar Explorer, providing conventional 'economies-of-scale' development for computing that is beyond this present-day technological situation. the idea that the NSA would field an early quantum computer in such a situation seems unlikely. especially if considering the scale issue whereby early computing starts large and shrinks down, thus ENIAC or other room or warehouse sized earlier computer installations of newly developing technology eventually moving into transistor and integrated circuit (IC) fabrications, personal computing, server boxes instead of tape-storage mainframes, and now cellphones compared to peak computing power thirty or more years earlier. would quantum computers require different storage technology, for instance, or could they rely on today's storage- or would it need to be formatted differently. and given massive parallelism and the nature of supercomputers to be custom programmed and time-shared by various projects, could such a quantum device exist nested in another system yet be linked in parallel to make a massive installation, and then be called upon for particular vexing tasks versus number crunching or data processing that can effectively be managed via existing tech, such as voice recognition or text analysis in particular modeling approaches. i wonder if - and perhaps it is entirely wrong-minded - in some way -- besides the issue of batteries as a limit upon scale and usability of computing resources, that if the electron itself is a false-limit and there could be smaller particle flows harnessed via destabilizing the natural equilibrium and thus the imbalance forces movement of charge at a smaller scale or within a different kind of circuitry that could be nested inside a larger electronic installation. what if a quantum computer would be equivalent to a tiny unmarked IC on a circuitboard and yet would it require access to the same components of existing computer architectures today or could it operate beyond or outside this, say as a connectable linked quantum processor networked into parallelism, for calculations alone. would a quantum computer installation be humongous or could a sufficiently developed (say, over the last 50 years) quantum computer be the size of a PC today yet wield teraflop or beyond capacity. what would be a telltale sign of such computing. could it involve strange or aberrant electronic or electrical interference or events, is it possible that the flow of electrons may interfere with such computation or that such a computer may need to be isolated else it could force strange current backwards, beyond diode barricades even, given weirdness of the physics. would the power draw be the same or more or less. would existing parallel software approaches even be viable within such a context or is it reliant upon assumptions that no longer apply if one or more foundations of existing computer architectures are changed or made unnecessary. is a quantum computer only quantum in some senses, such as processing, and this stops at I/O or other supposed 'motherboard' interactions, or would the entire circuit be changed. could there be hybrids where both co-exist, or like questioned, if one computing system could be embedded within another, via protected boundary? (this is already assumed for tech today, though seemingly in the same realm of technology in the mundane sense, like masquerade processing or other mystery functionality) the assumption i think is most likely if such a scenario existed would be that any such quantum technology would be highly advanced from the rudimentary first stages it exists today in the commercial realm, and would be possible to deploy and crack crypto en masse and that there is not symmetry between AES256 and this giant installation- built just for that- and instead whatever capacity were to exist it would be so far beyond the requirements of existing crypto as to provide decades of headroom for more data crunching atop what exists to be parsed and analyzed, catalogued, and stored in terms of record keeping. that it would involve 'big picture' data modeling of the state itself in its many and various dimensions as they are correlated- or perhaps that is only the domain of the underground data centres, who knows. in other words: can the assumption be made that the image of rows upon rows of computing servers equal 'traditional computing power' or might they function as the signage for conventional technology when stealth computing infrastructure could be within the mystery boxes networked and sparking. is it conventional for such feedback upon large scale installations or could such aberrations or anomalies indicate other possibilities, as commented. is there some truth to the irreverence, in that would anyone in the public know or be able to know, or even in government or private service - unless vetted and kept out of the mainstream, and its venue of conventional technological development. could quantum computing exist over the existing internet and be unrecognized or would it require its own parallel infrastructure. would the equivalent of a non-stealth advanced quantum computer installation be at the same scale or, if unhidden, potentially much smaller, else indicate anything if the existing installation was entirely or a large percentage of quantum computers. what would it mean for crypto, for instance. would emissions or anything else provide indication of quantum versus traditional computing architectures, via escaped signature forms of data structuring tuned into remotely. what would it mean, otherwise. (i put these things here at the bottom to make space for the post, there is no extra line break at the end, so the list footer often crunches the last line of text. even if fixed/added i may include an ASCII character anyway, for issues of symbolism as it relates to code and processing) xp -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 7792 bytes Desc: not available URL: From bill.stewart at pobox.com Wed Oct 9 21:59:36 2013 From: bill.stewart at pobox.com (Bill Stewart) Date: Wed, 09 Oct 2013 21:59:36 -0700 Subject: NSA data centre power surges & unknowns... In-Reply-To: References: Message-ID: <20131010052119.046BDD2AA@a-pb-sasl-quonix.pobox.com> Current quantum computers aren't that big, but they're only good for multiplying numbers up to 15 (I've heard rumors of 21!) As with the early Cray supercomputers, where the size of the air conditioners and power systems were much larger than the round wirey bits, a quantum computer is likely to be pretty small but may have some bigger helium coolers on-site. Remember that you're trying to entangle subatomic particles, and maybe have some magnetic detector things that still aren't all that big. If quantum computers became practical, they'd be using them to crack codes, factoring 1024-bit numbers or whatever. What's really big are the NON-quantum computers they'd be using to attack those problems now. The reason they need all that space is almost certainly for conventional data storage and processing. They want to be able to collect and store everybody's phone calls, locations, credit card purchases, and internet traffic, so they're handling multiple petabytes of data a day, finding the interesting bits, correlating the interesting people with other people who might have been in the same place at the same time, saving the parts that might be useful later. Maybe doing some voice recognition on all their phone calls. It takes a lot of basic horsepower and storage, and the correlation takes a lot of memory. I think they've bought themselves a lot of cheap-ass electrical work, done by people who assume that scaling up power requirements for a conventional data center by a factor of 10-100 doesn't change the principles. At 07:11 PM 10/9/2013, brian carroll wrote: >Lodewijk andré de la porte <l at odewijk.nl> wrote: > > > The massive quantum computer has unpredictable power consumption. > >Lee Azzarello ><lee at guardianproject.info> wrote: > > > I guess inventing new math to break crypto has some physics problems. > > >these comments has me contemplating what a >large-scale networked quantum computer >installation would involve.. and to what extent >the image of racks of servers may note correlate >with the computing technology inside the boxes, >or in some percentage of the data centre. > >in other words- how would a quantum installation >differ from the classical computer systems of >the last many decades- would they be of yet >another smaller scale or would an installation >inherently be enormous. what if the data centre >was all quantum computing in terms of the data >throughput - do these numbers correlate or are >different approaches to security calculations required > >is it possible that a 'computer within a >computer' could exist, such that a quantum chip >could be embedded and use a classical electronic >based system, that is, some form of stealth or >hidden computing that occurs in a parallel >hidden framework, including for networking data. >could ethernet or fibre channel be used or would >it need to be different, say tuned resonant >circuits computing in other dimensionality. From eugen at leitl.org Wed Oct 9 13:37:25 2013 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 9 Oct 2013 22:37:25 +0200 Subject: Secrecy News -- 10/08/13 Message-ID: <20131009203725.GB10405@leitl.org> ----- Forwarded message from Steven Aftergood ----- From eugen at leitl.org Wed Oct 9 13:40:23 2013 From: eugen at leitl.org (Eugen Leitl) Date: Wed, 9 Oct 2013 22:40:23 +0200 Subject: [Cryptography] Iran and murder Message-ID: <20131009204023.GD10405@leitl.org> ----- Forwarded message from Phillip Hallam-Baker ----- From pgut001 at cs.auckland.ac.nz Wed Oct 9 05:22:45 2013 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Thu, 10 Oct 2013 01:22:45 +1300 Subject: NSA UTAH data center In-Reply-To: Message-ID: John Young writes: >The NSA Data Center is bit more complicated than the usual commercial hotel >or center, and perhaps is unprecedented, thus haunted by errata. For people wanting more information, the Domestic Surveillance Directorate web site ("The men and women who work for the Domestic Surveillance Directorate are Americans first, last, and always. Each employee is required to take a solemn oath to support and defend the United States against all enemies, especially domestic") has the details: http://nsa.gov1.info/utah-data-center/index.html Peter :-). From dan at geer.org Thu Oct 10 04:47:17 2013 From: dan at geer.org (dan at geer.org) Date: Thu, 10 Oct 2013 07:47:17 -0400 Subject: NSA data centre power surges & unknowns... In-Reply-To: Your message of "Wed, 09 Oct 2013 21:59:36 PDT." <20131010052119.046BDD2AA@a-pb-sasl-quonix.pobox.com> Message-ID: <20131010114717.D7F3D228F16@palinka.tinho.net> In the design envelope for the data center, perhaps there is a nugget of insight in this thread and the topic it entails. http://www.pupman.com/listarchives/2003/November/msg00428.html Not a physicist, --dan From lists at pingle.org Thu Oct 10 05:19:40 2013 From: lists at pingle.org (Jim Pingle) Date: Thu, 10 Oct 2013 08:19:40 -0400 Subject: [pfSense] Crypto/RNG Suggestions Message-ID: <52569B5C.5030804@pingle.org> I'm moving this to a fresh thread so that it will be unencumbered by the other discussion that has strayed a bit. Even if one were to ignore government agency interference, finding the best crypto choices is a good topic, but it can easily get lost in the other discussion when some people have written off the other topic. So lets try to keep this thread solely on the technical topic of cryptographic quality. On 10/10/2013 5:39 AM, Giles Coochey wrote: > 1. Which Ciphers & Transforms should we now consider secure (pfsense > provides quite a few cipher choices over some other off the shelf hardware. I haven't yet seen anything conclusive. People have called into question some or all of ECC, NSA's suggested Suite B, and so on. I put some links in a previous message[1]. If anyone knows of some solid research showing specific ciphers have been compromised, I'd love to see it so we can inform users. > 2. What hardware / software & configuration changes can we consider to > improve RNG and ensure that should we increase the bit size of our > encryption, reduce lifetimes of our SAs that we can still ensure we have > enough entropy in the RNG on a device that is typically starved of > traditional entropy sources. We use the RNG from FreeBSD so that may be a better question for a FreeBSD-specific forum or list. There may be people here that know, however, you're more likely to get better feedback from FreeBSD directly. Jim 1: http://lists.pfsense.org/pipermail/list/2013-October/004773.html _______________________________________________ List mailing list List at lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From eugen at leitl.org Thu Oct 10 01:06:10 2013 From: eugen at leitl.org (Eugen Leitl) Date: Thu, 10 Oct 2013 10:06:10 +0200 Subject: [liberationtech] FW: [bestbits] Rousseff & Chehade: Brazil will host world event on Internet governance in 2014 Message-ID: <20131010080610.GJ10405@leitl.org> ----- Forwarded message from michael gurstein ----- From iggdawg at gmail.com Thu Oct 10 07:13:51 2013 From: iggdawg at gmail.com (Ian Bowers) Date: Thu, 10 Oct 2013 10:13:51 -0400 Subject: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted? Message-ID: On Thu, Oct 10, 2013 at 9:50 AM, Giles Coochey wrote: > Trying to get this back on-topic, I will change the subject however, to > alleviate the issues the anti-tin-foil-hat-brigade have. (ps I am also > top-posting on purpose as I believe the conversation below has near to no > relevance to my questions, but simply is an argument as to whether these > questions should be asked, to which I believe in the affirmative). > > I have various questions to offer for discussion which have been > bothering me since various security related issues that have appeared in > the media recently: (see: https://www.schneier.com/crypto-gram-1309.html) > > Clearly, at the moment, open source security tools ought to have an > advantage over closed-source tools. However, peer review of open-source > code is not always complete, and there have been questions whether even > algorithms have been subverted. > > 1. The random number generator - As pfSense uses FreeBSD this may well be > a FreeBSD specific question, however, are there any ways within pfsense > that we can improve the entropy pool that the random number gets its > randomness from? Has anyone had any experience of implementing an external > entropy source (e.g. http://www.entropykey.co.uk/) in pfsense? > 2. Cipher Selection - we're not all cryptoanalysts, so statements like > 'trust the math' don't always mean much to us, given the reports in the > media, what is considered a safe cypher? I recently switched from AES-256 > to Blowfish-256, hashing from SHA-1 to SHA-512 and pfs group 2 to pfs group > 5, and I reduced my SA lifetimes from 28800 to 1800. Could that be > considered overkill? What Cipher's are others using? Have any of you, who > have been made recently aware of the media coverage recently, also changed > your cipher selection? What kind of changes did you make? > 3. pfSense - In general do you consider pfsense secure?? As we are > apparently told, asking whether the NSA has inserted or influenced the code > in any way either in the pfsense code, or the upstream base (FreeBSD) is a > question that we can't ask, as if it were the case then the NSA would have > instructed someone in the know, to answer in the no. > > > > 1) I don't have the expertise to talk about RNGs in such a way that I feel confident that my response is something other people should actually listen to. The good ones are based on thermal noise or some other sort of "truly" random source. but flaws in the software that processes this can make it less random. This is a rabbit hole I've chosen not to dive down yet, but made it a point to be aware of and follow along with as things unfold. So I'll defer to others here. 2) Apologies for answering out of order, but it's early and my brain is working that way. PFS group 5 is typically a good functional minimum, I bump it up where appropriate, but I find in the higher PFS group I run into interop issues when connecting to different vendors. Most everything supports groups 1, 2, and 5, but 5 is my minimum unless someone has a good reason. Cisco has a reputation for support of legacy protocols and configurations (which is a double edged sword for sure), and even they are saying groups 1 and 2 should not be used. For SA lifetimes I'm ok with 28800 for phase 1, and 3600 for phase 2. Phase 2 is really where you need to mix it up frequently. it's less important with phase 1. Opinions on this differ, but if you have PFS in play on phase 2, the lifetime of phase 1 becomes much less important. But play it how you like it, modern CPUs have the horsepower to renegotiate frequently. For encryption ciphers I rock AES-256 all day every day when I can. I've done my homework on the AES development and selection process, and I'm satisfied (for now) with how open it was and how it was critiqued. It's also the strongest encryption cipher that with widespread support, and even on my home network I have LAN-2-LAN tunnels to multiple vendors' gear. roll that into how primitive many remote access clients can be, and AES-256 typically comes out on top as the best you can get and still have a good chance of your peer supporting it. As far as hashing, I'm still rocking SHA-1 for now because I see abuse of the hashing algorithm for a functional attack as something that would only realistically be used in a real-time man in the middle type attack. A lot of other cards have to have fallen down for this to become a problem. I'm under that kind of attack, I've got bigger problems. That being said, I can't think of a good reason NOT to bump up hashing either. so play it as you like it. 3) FreeBSD is very mature, and very well reviewed. I've looked into FreeBSD to my personal satisfaction. OpenBSD may be abrasive as a community at times, but their work product is pretty impressive in terms of being clean and funcitonal. I was very happy with how they handled that whole IPSec fiasco in 2011. I've been following pfSense for a while now, and I've used it off and on for years. I'm very satisfied by the quality and oversight of the coding. But by all means dig as long as your curiosity holds out. you can never be "100% sure" of the security of any software, but "sufficiently sure" is absolutely worth looking into. Ian _______________________________________________ List mailing list List at lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From l at odewijk.nl Thu Oct 10 01:24:36 2013 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Thu, 10 Oct 2013 10:24:36 +0200 Subject: NSA data centre power surges & unknowns... In-Reply-To: <20131010052119.046BDD2AA@a-pb-sasl-quonix.pobox.com> References: <20131010052119.046BDD2AA@a-pb-sasl-quonix.pobox.com> Message-ID: 2013/10/10 Bill Stewart > I think they've bought themselves a lot of cheap-ass electrical work, done > by people who assume that > scaling up power requirements for a conventional data center by a factor > of 10-100 doesn't change the principles. Most reasonable explanation yet. More reasonable than a secret large-enough quantum computer. But I continue to suspect they have one more well hidden. This has the level of "secret that people that "know a lot" know". It kind of satisfies our need to know about secret stuff the government does. The actually secret stuff, well, don't you wish we knew. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 952 bytes Desc: not available URL: From eugen at leitl.org Thu Oct 10 01:36:44 2013 From: eugen at leitl.org (Eugen Leitl) Date: Thu, 10 Oct 2013 10:36:44 +0200 Subject: NSA data centre power surges & unknowns... In-Reply-To: References: <20131010052119.046BDD2AA@a-pb-sasl-quonix.pobox.com> Message-ID: <20131010083644.GN10405@leitl.org> On Thu, Oct 10, 2013 at 10:24:36AM +0200, Lodewijk andré de la porte wrote: > Most reasonable explanation yet. More reasonable than a secret large-enough > quantum computer. But I continue to suspect they have one more well hidden. > This has the level of "secret that people that "know a lot" know". It kind > of satisfies our need to know about secret stuff the government does. The > actually secret stuff, well, don't you wish we knew. You obviously have to consider not just the known unknowns, but also unknown unknowns. FWIW, I much doubt they can factor large numbers with QC (if you want to make sure, do a lit review on QC, pull up the list of names, and see whether some of them suddenly stopped publishing, or greatly reduced their publishing rate), but public key cryptosystems do have a slight smell about them lately. We definitely need more diversity in cryptosystems, and should revert to systems which are more well-understood, and focus on future systems that are simple to analyze. From taxakis at gmail.com Thu Oct 10 01:37:08 2013 From: taxakis at gmail.com (taxakis) Date: Thu, 10 Oct 2013 10:37:08 +0200 Subject: Audit of TrueCrypt Message-ID: <000c01cec593$e83d29f0$b8b77dd0$@com> http://www.fundfill.com/fund/4-spzFJdDQk211KJDAUfcOw==# If sharing this link, please use http://fundfill.com/fund/TrueCryptAudited A working draft of our rules is at http://istruecryptauditedyet.com. Stay tuned, and follow #istruecryptauditedyet on twitter. ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From eugen at leitl.org Thu Oct 10 01:37:36 2013 From: eugen at leitl.org (Eugen Leitl) Date: Thu, 10 Oct 2013 10:37:36 +0200 Subject: Audit of TrueCrypt Message-ID: <20131010083736.GP10405@leitl.org> ----- Forwarded message from taxakis ----- From giles at coochey.net Thu Oct 10 02:39:46 2013 From: giles at coochey.net (Giles Coochey) Date: Thu, 10 Oct 2013 10:39:46 +0100 Subject: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others? Message-ID: <525675E2.4090707@coochey.net> On 10/10/2013 09:38, Thinker Rix wrote: > On 2013-10-10 01:13, Przemysław Pawełczyk wrote: >> On Thu, 10 Oct 2013 00:05:22 +0300 >> Thinker Rix wrote: >> >>> Well, actually I started this thread with a pretty frank, >>> straight-forward and very simple question. >> That's right and they were justified. > > Thank you! > >> BTW, you pushed to the corner the (un)famous American hubris (Obama: US >> is exceptional.), that's the nasty answers from some. > > Yes, I guess I have hit a whole bunch of different nerves with my > question, and I find it to be highly interesting to observe some of > the awkward reactions, socioscientificly and psychologically. > > I have been insulted, I have been bullied, I have been called to > self-censor myself and at the end some users "virtually joined" to > give the illusion of a majority an muzzle me, stating, that my > question has no place at this pfSense mailing list. Really amazing, > partly hilarious reactions, I think. > These reactions say so much about how far the whole surveillance > and mind-suppression has proceeded already and how much it has > influenced the thoughts and behavior of formerly free people by > now. Frightening. > >> Thinker Rix, you are not alone at your unease pressing you to ask >> those questions about pfSense and NSA. > > Thank you for showing your support openly! I too was surprised to see some activity on the pfsense list, after seeing only a few posts per week I checked today to find several dozen messages talking about a topic I have been concerned with myself - as a network security specialist, how much can I trust the firewalls I use, be they embedded devices, software packages, or 'hardware' from manufacturers. There are many on-topic things to discuss here: 1. Which Ciphers & Transforms should we now consider secure (pfsense provides quite a few cipher choices over some other off the shelf hardware. 2. What hardware / software & configuration changes can we consider to improve RNG and ensure that should we increase the bit size of our encryption, reduce lifetimes of our SAs that we can still ensure we have enough entropy in the RNG on a device that is typically starved of traditional entropy sources. This is so much on-topic, I am surprised that there has been a movement to call this thread to stop, granted - it may seem that the conversation may drift into a political one, with regard to privacy law etc... however, that is a valid sub-topic for a discussion list that addresses devices that are designed and implemented to safe-guard privacy. -- Regards, Giles Coochey, CCNP, CCNA, CCNAS NetSecSpec Ltd +44 (0) 8444 780677 +44 (0) 7983 877438 http://www.coochey.net http://www.netsecspec.co.uk giles at coochey.net _______________________________________________ List mailing list List at lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From eugen at leitl.org Thu Oct 10 01:44:44 2013 From: eugen at leitl.org (Eugen Leitl) Date: Thu, 10 Oct 2013 10:44:44 +0200 Subject: [tor-talk] Tor Weekly =?utf-8?Q?News_?= =?utf-8?B?4oCU?= October 9th, 2013 Message-ID: <20131010084444.GR10405@leitl.org> ----- Forwarded message from Joe Btfsplk ----- From taxakis at gmail.com Thu Oct 10 02:21:52 2013 From: taxakis at gmail.com (taxakis) Date: Thu, 10 Oct 2013 11:21:52 +0200 Subject: snaps Message-ID: <006301cec59a$291b6620$7b523260$@com> >From Ietf: https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-01 (pdf available) >From Tor-talk: "Why the web of trust sucks" by Mike Perry https://lists.torproject.org/pipermail/tor-talk/2013-September/030235.html Mail cient: http://flowingmail.com/ On encrypted video and the open web by W3C: http://www.w3.org/blog/2013/10/on-encrypted-video-and-the-open-web/ The following is not for the technically challenged. It does not directly deal with crypto, but the new set does include over 100 new instructions. And the latter will undoubtedly contain several 'interesting' vectors. Future instruction set AVX-512: http://agner.org/optimize/blog/read.php?i=288 ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From eugen at leitl.org Thu Oct 10 03:50:23 2013 From: eugen at leitl.org (Eugen Leitl) Date: Thu, 10 Oct 2013 12:50:23 +0200 Subject: snaps Message-ID: <20131010105023.GW10405@leitl.org> ----- Forwarded message from taxakis ----- From frank at journalistsecurity.net Thu Oct 10 13:00:00 2013 From: frank at journalistsecurity.net (frank at journalistsecurity.net) Date: Thu, 10 Oct 2013 13:00:00 -0700 Subject: [liberationtech] CPJ: Obama and the Press Message-ID: <20131010130000.1dfe975c9695ebf5a1af6ff0ac4840df.42412b554a.wbe@email15.secureserver.net> The piece below may be of even more interest to many here. It goes through case by case of Obama administration investigations, subpoenas and surveillance of US journalists. And it may well be the longest report CPJ has ever produced. Significant in that over 90 percent of CPJ's work is focused on press freedom and related issues in less developed nations. http://www.cpj.org/reports/2013/10/obama-and-the-press-us-leaks-surveillance-post-911.php The Obama Administration and the Press Leak investigations and surveillance in post-9/11 America U.S. President Barack Obama came into office pledging open government, but he has fallen short of his promise. Journalists and transparency advocates say the White House curbs routine disclosure of information and deploys its own media to evade scrutiny by the press. Aggressive prosecution of leakers of classified information and broad electronic surveillance programs deter government sources from speaking to journalists. A CPJ special report by Leonard Downie Jr. with reporting by Sara Rafsky Barack Obama leaves a press conference in the East Room of the White House August 9. (AFP/Saul Loeb) Barack Obama leaves a press conference in the East Room of the White House August 9. (AFP/Saul Loeb) Published October 10, 2013 WASHINGTON, D.C. In the Obama administration’s Washington, government officials are increasingly afraid to talk to the press. Those suspected of discussing with reporters anything that the government has classified as secret are subject to investigation, including lie-detector tests and scrutiny of their telephone and e-mail records. An “Insider Threat Program” being implemented in every government department requires all federal employees to help prevent unauthorized disclosures of information by monitoring the behavior of their colleagues. Six government employees, plus two contractors including Edward Snowden, have been subjects of felony criminal prosecutions since 2009 under the 1917 Espionage Act, accused of leaking classified information to the press—compared with a total of three such prosecutions in all previous U.S. administrations. Still more criminal investigations into leaks are under way. Reporters’ phone logs and e-mails were secretly subpoenaed and seized by the Justice Department in two of the investigations, and a Fox News reporter was accused in an affidavit for one of those subpoenas of being “an aider, abettor and/or conspirator” of an indicted leak defendant, exposing him to possible prosecution for doing his job as a journalist. In another leak case, a New York Times reporter has been ordered to testify against a defendant or go to jail. More in this report • CPJ’s Recommendations On the blog • The US press is our press In print • Download the pdf In other languages • Español • Português Compounding the concerns of journalists and the government officials they contact, news stories based on classified documents obtained from Snowden have revealed extensive surveillance of Americans’ telephone and e-mail traffic by the National Security Agency. Numerous Washington-based journalists told me that officials are reluctant to discuss even unclassified information with them because they fear that leak investigations and government surveillance make it more difficult for reporters to protect them as sources. “I worry now about calling somebody because the contact can be found out through a check of phone records or e-mails,” said veteran national security journalist R. Jeffrey Smith of the Center for Public Integrity, an influential nonprofit government accountability news organization in Washington. “It leaves a digital trail that makes it easier for the government to monitor those contacts,” he said. “I think we have a real problem,” said New York Times national security reporter Scott Shane. “Most people are deterred by those leaks prosecutions. They’re scared to death. There’s a gray zone between classified and unclassified information, and most sources were in that gray zone. Sources are now afraid to enter that gray zone. It’s having a deterrent effect. If we consider aggressive press coverage of government activities being at the core of American democracy, this tips the balance heavily in favor of the government.” At the same time, the journalists told me, designated administration spokesmen are often unresponsive or hostile to press inquiries, even when reporters have been sent to them by officials who won’t talk on their own. Despite President Barack Obama’s repeated promise that his administration would be the most open and transparent in American history, reporters and government transparency advocates said they are disappointed by its performance in improving access to the information they need. “This is the most closed, control freak administration I’ve ever covered,” said David E. Sanger, veteran chief Washington correspondent of The New York Times. Obama and host Jay Leno tape 'The Tonight Show with Jay Leno' at NBC Studios on August 6 in Burbank, California. (AFP/Mandel Ngan) Obama and host Jay Leno tape 'The Tonight Show with Jay Leno' at NBC Studios on August 6 in Burbank, California. (AFP/Mandel Ngan) The Obama administration has notably used social media, videos, and its own sophisticated websites to provide the public with administration-generated information about its activities, along with considerable government data useful for consumers and businesses. However, with some exceptions, such as putting the White House visitors’ logs on the whitehouse.gov website and selected declassified documents on the new U.S. Intelligence Community website, it discloses too little of the information most needed by the press and public to hold the administration accountable for its policies and actions. “Government should be transparent,” Obama stated on the White House website, as he has repeatedly in presidential directives. “Transparency promotes accountability and provides information for citizens about what their government is doing.” But his administration’s actions have too often contradicted Obama’s stated intentions. “Instead,” New York Times public editor Margaret Sullivan wrote earlier this year, “it’s turning out to be the administration of unprecedented secrecy and unprecedented attacks on a free press.” “President Obama had said that default should be disclosure,” Times reporter Shane told me. “The culture they’ve created is not one that favors disclosure.” White House officials, in discussions with me, strongly objected to such characterizations. They cited statistics showing that Obama gave more interviews to news, entertainment, and digital media in his first four-plus years in office than Presidents George W. Bush and Bill Clinton did in their respective first terms, combined. They pointed to presidential directives to put more government data online, to speed up processing of Freedom of Information Act requests, and to limit the amount of government information classified as secret. And they noted the declassification and public release of information about NSA communications surveillance programs in the wake of Snowden’s leak of voluminous secret documents to The Washington Post and the Guardian. “The idea that people are shutting up and not leaking to reporters is belied by the facts,” Obama’s press secretary, Jay Carney, told me, pointing in frustration to anonymously sourced media reports that same day about planning for military action against the government of President Bashar al-Assad in Syria. “We make an effort to communicate about national security issues in on-the-record and background briefings by sanctioned sources,” said deputy White House national security adviser Ben Rhodes. “And we still see investigative reporting from nonsanctioned sources with lots of unclassified information and some sensitive information.” He cited as an example the administration’s growing, if belated, official openness about its use of drone aircraft to attack suspected terrorists, including declassification of information about strikes in Yemen and Somalia, following revelations about drone attacks in the news media. “If you can be transparent, you can defend the policy,” Rhodes told me. “But then you’re accused of jeopardizing national security. You’re damned if you do and damned if you don’t. There is so much political controversy over everything in Washington. It can be a disincentive.” The administration’s war on leaks and other efforts to control information are the most aggressive I’ve seen since the Nixon administration, when I was one of the editors involved in The Washington Post’s investigation of Watergate. The 30 experienced Washington journalists at a variety of news organizations whom I interviewed for this report could not remember any precedent. “There’s no question that sources are looking over their shoulders,” Michael Oreskes, a senior managing editor of The Associated Press, told me months after the government, in an extensive leak investigation, secretly subpoenaed and seized records for telephone lines and switchboards used by more than 100 AP reporters in its Washington bureau and elsewhere. “Sources are more jittery and more standoffish, not just in national security reporting. A lot of skittishness is at the more routine level. The Obama administration has been extremely controlling and extremely resistant to journalistic intervention. There’s a mind-set and approach that holds journalists at a greater distance.” Washington Post national security reporter Rajiv Chandrasekaran, a member of CPJ’s board of directors, told me that “one of the most pernicious effects is the chilling effect created across government on matters that are less sensitive but certainly in the public interest as a check on government and elected officials. It serves to shield and obscure the business of government from necessary accountability.” Obama answers questions from the media in the Brady press briefing room at the White House, April 30. (Reuters/Jason Reed) Obama answers questions from the media in the Brady press briefing room at the White House, April 30. (Reuters/Jason Reed) Frank Sesno, a former CNN Washington bureau chief who is now director of the School of Media and Public Affairs at George Washington University, said he thought the combined efforts of the administration were “squeezing the flow of information at several pressure points.” He cited investigations of “leakers and journalists doing business with them” and limitations on “everyday access necessary for the administration to explain itself and be held accountable.” The Insider Threat Program being implemented throughout the Obama administration to stop leaks—first detailed by the McClatchy newspapers’ Washington bureau in late June—has already “created internal surveillance, heightened a degree of paranoia in government and made people conscious of contacts with the public, advocates, and the press,” said a prominent transparency advocate, Steven Aftergood, director of the Government Secrecy Project at the Federation of American Scientists in Washington. None of these measures is anything like the government controls, censorship, repression, physical danger, and even death that journalists and their sources face daily in many countries throughout the world—from Asia, the Middle East and Africa to Russia, parts of Europe and Latin America, and including nations that have offered asylum from U.S. prosecution to Snowden. But the United States, with its unique constitutional guarantees of free speech and a free press—essential to its tradition of government accountability—is not any other country. “The investigation and potential indictment of investigative journalists for the crime of doing their jobs well enough to make the government squirm is nothing new,” Suzanne Nossel, executive director of PEN American Center, wrote earlier this year. “It happens all over the world, and is part of what the Obama administration has fought against in championing press and Internet freedom globally. By allowing its own campaign against national security leaks to become grounds for trampling free expression, the administration has put a significant piece of its very own foreign policy and human rights legacy at risk.” Financial Times correspondent Richard McGregor told me that, after coming to Washington several years ago from a posting in China, he was surprised to find that “covering this White House is pretty miserable in terms of getting anything of substance to report on in what should be a much more open system. If the U.S. starts backsliding, it is not only a bad example for more closed states, but also for other democracies that have been influenced by the U.S.” to make their governments more transparent. This report will examine all these issues: legal policies of the Obama administration that disrupt relationships between journalists and government sources; the surveillance programs that cast doubt on journalists’ ability to protect those sources; restrictive practices for disclosing information that make it more difficult to hold the government accountable for its actions and decision-making; and manipulative use of administration-controlled media to circumvent scrutiny by the press. September 11, 2001, is a watershed Of course, every U.S. administration in modern times has tried, with varying degrees of success, to control its message and manage contacts with the media and the public. “When I’m asked what is the most manipulative and secretive administration I’ve covered, I always say it’s the one in office now,” Bob Schieffer, the veteran CBS television news anchor and chief Washington correspondent, told me. “Every administration learns from the previous administration. They become more secretive and put tighter clamps on information. This administration exercises more control than George W. Bush’s did, and his before that.” The terrorist attacks on the United States on September 11, 2001, were a watershed. They led to a rapid buildup of what The Washington Post later characterized as a sprawling “Top Secret America” of intelligence and other government agencies, special military forces, and private contractors to combat terrorism. The “black budget” for the 16 U.S. intelligence agencies alone was more than $50 billion for the fiscal year 2013, according to an NSA document Edward Snowden gave to The Post. Since the 9/11 attacks, “the national security role of the government has increased hugely,” said Harvard Law School professor Jack Goldsmith, a senior national security lawyer in the Pentagon and the Justice Department during the Bush administration. It has amounted to a “gigantic expansion of the secrecy system,” he told me, “both the number of secrets and the numbers of people with access to secrets.” By 2011, more than 4 million Americans had security clearances for access to classified information of one kind or another, according to a U. S. Intelligence Community report to Congress required by the 2010 Intelligence Authorization Act, and more and more information was being classified as secret. In that year alone, government employees made 92 million decisions to classify information—one measure of what Goldsmith called “massive, massive over-classification.” For example, the 250,000 U.S. State Department cables that Army Pvt. Chelsea Manning (then known as Pvt. Bradley Manning) downloaded and gave to the Wikileaks website included countless previously published newspaper articles that were classified as secret in diplomatic dispatches to Washington. President George W. Bush is applauded after signing the FISA Amendments Act of 2008 in the White House Rose Garden. (AP/Ron Edmonds) President George W. Bush is applauded after signing the FISA Amendments Act of 2008 in the White House Rose Garden. (AP/Ron Edmonds) The Patriot Act, passed by Congress after the 9/11 attacks and since amended and extended in duration, gave the government increased powers to protect national security, including secret investigations of suspected terrorist activity. During the Bush administration, the NSA, working with the Federal Bureau of Investigation, secretly monitored large amounts of telephone calls that flowed through U.S. telecommunications companies and facilities. This electronic surveillance to detect terrorism threats was eventually authorized and expanded by the closed FISA court created by the 1978 Foreign Intelligence Surveillance Act, enabling the NSA to secretly collect, store, and access records of most telephone and Internet traffic in and passing through the United States. Initially, the American press did not discover these or other secret counterterrorism activities. It also did not appear to be aggressive in challenging President George W. Bush’s rationale for going to war in Iraq, in addition to the continuing military activity in Afghanistan. “The Bush administration was working to sell the wars and covert programs to journalists,” syndicated foreign affairs columnist David Ignatius told me. “Access was a routine matter.” But the press coverage gradually changed. In 2003, reporter Barton Gellman detailed in The Washington Post how an American task force had been unable to find any evidence of weapons of mass destruction in Iraq after the American invasion. In 2004, CBS television news and New Yorker magazine writer Seymour Hersh separately reported that U.S. soldiers and intelligence agency interrogators had abused and tortured wartime prisoners in Iraq’s Abu Ghraib prison. In 2005, Washington Post reporter Dana Priest revealed that the Central Intelligence Agency had detained and aggressively interrogated terrorism suspects in extralegal “black site” secret prisons outside the U.S. Later that year, New York Times reporters James Risen and Eric Lichtblau first reported about the warrantless intercepts of Americans’ telephone calls in the NSA’s secret electronic surveillance program. In 2006, Risen published a book in which he revealed a failed CIA covert operation to sabotage Iran’s nuclear program. These kinds of revelations enabled Americans to learn about questionable actions by their government and judge for themselves. But they infuriated Bush administration officials, who tried to persuade news executives to stop or delay such stories, which depended, in part, on confidential government sources of classified information. The Bush administration started intensive investigations to identify the sources for the stories on CIA secret prisons and NSA electronic surveillance and for Risen’s book. By the time Bush left office, no one had been prosecuted, although a CIA officer was fired for unreported contacts with Priest, and several Justice Department investigations were continuing. The Bush White House and Vice President Dick Cheney did not hesitate to take issue with an increasingly adversarial press publicly and privately, especially as the wars in Iraq and Afghanistan—and the Bush administration itself—became more unpopular. But journalists and news executives, including myself, were still able to engage knowledgeable officials at the highest levels of the administration in productive dialogue, including discussions of sensitive stories about classified national security activities. “The Bush administration had a worse reputation,” Marcus Brauchli, my immediate successor as executive editor of The Washington Post, told me, “but, in practice, it was much more accepting of the role of journalism in national security.” And not just in national security. Ellen Weiss, Washington bureau chief for E.W. Scripps newspapers and stations, said “the Obama administration is far worse than the Bush administration” in trying to thwart accountability reporting about government agencies. Among several examples she cited, the Environmental Protection Agency “just wouldn’t talk to us” or release records about environmental policy review panels “filled by people with ties to target companies.” Obama promises transparency Obama, who during the 2008 campaign had criticized the “excessive secrecy” of the Bush administration, came into the Oval Office promising an unprecedentedly open government. By the end of his first full day there on January 21, 2009, he had issued directives to government agencies to speed up their responses to Freedom of Information Act requests and to establish “Open Government Initiative” websites with information about their activities and the data they collect. Obama’s ‘Open Government Initiative’ websites turned out to be part of a strategy to minimize the administration’s exposure to the press. (CPJ) Obama’s ‘Open Government Initiative’ websites turned out to be part of a strategy to minimize the administration’s exposure to the press. (CPJ) The government websites turned out to be part of a strategy, honed during Obama’s presidential campaign, to use the Internet to dispense to the public large amounts of favorable information and images generated by his administration, while limiting its exposure to probing by the press. Veteran political journalists Jim VandeHei and Mike Allen described the administration’s message machine this way on the news website Politico: “One authentically new technique pioneered by the Obama White House is government creation of content—photos of the president, videos of White House officials, blog posts written by Obama aides—which can then be instantly released to the masses through social media. And they are obsessed with taking advantage of Twitter, Facebook, YouTube and every other social media forum, not just for campaigning, but governing. They are more disciplined about cracking down on staff that leak, or reporters who write things they don’t like.” A senior White House official told me, “There are new means available to us because of changes in the media, and we’d be guilty of malpractice if we didn’t use them.” The official said that, for example, the White House often communicated brief news announcements on Twitter to the more than 4 million followers of @whitehouse. “Some of you have said that I’m ignoring the Washington press corps—that we’re too controlling,” Obama jokingly told assembled journalists at the annual Gridiron Dinner in Washington in March. “Well, you know what? You were right. I was wrong, and I want to apologize in a video you can watch exclusively at whitehouse.gov,” one of the administration’s websites. “There is no access to the daily business in the Oval Office, who the president meets with, who he gets advice from,” said ABC News White House correspondent Ann Compton, who has been covering presidents since Gerald Ford. She said many of Obama’s important meetings with major figures from outside the administration on issues like health care, immigration, or the economy are not even listed on Obama’s public schedule. This makes it more difficult for the news media to inform citizens about how the president makes decisions and who is influencing them. “In the past,” Compton told me, “we would often be called into the Roosevelt Room at the beginning of meetings to hear the president’s opening remarks and see who’s in the meeting, and then we could talk to some of them outside on the driveway afterward. This president has wiped all that coverage off the map. He’s the least transparent of the seven presidents I’ve covered in terms of how he does his daily business.” The White House produces its own short newscast, ‘West Wing Week,’ on events which journalists may not have known about. (CPJ) The White House produces its own short newscast, ‘West Wing Week,’ on events which journalists may not have known about. (CPJ) Instead of providing greater access for reporting by knowledgeable members of the press, Compton noted, the Obama White House produces its own short newscast, “West Wing Week,” which it posts on the White House website. “It’s five minutes of their own video and sound from events the press didn’t even know about,” she said. “When you call the White House press office to ask a question or seek information, they refer us to White House websites,” said Chris Schlemon, Washington producer for Britain’s Channel 4 television news network. “We have to use White House website content, White House videos of the president’s interviews with local television stations and White House photographs of the president.” The Obama administration is using social media “to end run the news media completely,” Sesno at George Washington University told me. “Open dialogue with the public without filters is good, but if used for propaganda and to avoid contact with journalists, it’s a slippery slope.” Brushing off such concerns as special pleading from the news media, a senior administration official told me that White House videos of otherwise closed meetings, for example, provide the public with “a net increase in the visibility of these meetings.” Several reporters told me that the White House press office and public affairs officials in many government agencies often don’t respond to their questions and interview requests or are bullying when they do. “In the Obama administration, there is across-the-board hostility to the media,” said veteran Washington correspondent and author Josh Meyer, who reports for the Atlantic Media national news website Quartz. “They don’t return repeated phone calls and e-mails. They feel entitled to and expect supportive media coverage.” Reporters and editors said they often get calls from the White House complaining about news content about the administration. “Sometimes their levels of sensitivity amaze me—about something on Twitter or a headline on our website,” said Washington Post Managing Editor Kevin Merida. Obama press secretary Carney, who had covered the White House for Time magazine, minimized such complaints as being part of a “natural tension” in any administration’s relationship with the press. “That’s not new. I was yelled at by people during the Clinton and Bush administrations,” he told me. White House Press Secretary Jay Carney, a former journalist, says media complaints are part of a 'natural tension' in any administration’s relationship with the press. (Reuters/Kevin Lamarque) White House Press Secretary Jay Carney, a former journalist, says media complaints are part of a 'natural tension' in any administration’s relationship with the press. (Reuters/Kevin Lamarque) “The Obama people will spend an hour with you, off the record, arguing about the premise of the story,” said Josh Gerstein, who covers the White House and its information policies for Politico. “If the story is basically one that they don’t want to come out, they won’t even give you the basic facts.” Eric Schmitt, national security correspondent of The New York Times, told me: “There’s almost an obligation to control the message the way they did during the campaign. More insidious than the chilling effect of the leaks investigations is the slow roll or stall. People say, ‘I have to get back to you. I have to clear it with public affairs.’” “They’re so on message,” said Channel 4’s Schlemon. “I thought Bush was on message, but they’ve taken it to a whole new level.” White House under pressure to stop leaks As this information-control culture took root after Obama entered the White House in January 2009, his administration also came under growing pressure from U.S. intelligence agencies and congressional intelligence committees to stem what they considered an alarming accumulation of leaks of national security information. According to a New York Times story this summer, Obama’s first director of national intelligence, Dennis C. Blair, noted that during the previous four years 153 national security leaks had been referred by the intelligence agencies in “crime reports” to the Justice Department, but that only 24 had been investigated by the FBI, and no leaker had yet been prosecuted in those investigations. “According to Mr. Blair,” The Times reported, “the effort got under way after Fox News reported in June 2009 that American intelligence had gleaned word from within North Korea of plans for an imminent nuclear test.” Blair told The Times that he and Attorney General Eric H. Holder Jr. then coordinated a more aggressive approach aimed at producing speedy prosecutions. “We were hoping to get somebody and make people realize that there are consequences to this and it needed to stop,” Blair told The Times. “It was never a conscious decision to bring more of these cases than we ever had,” Matthew Miller, Holder’s spokesman at the time, told me this summer. “It was a combination of things. There were more crime reports from the intelligence agencies than in previous years. There was pressure” from Capitol Hill, where Holder, Blair and other administration officials “were being harangued by both sides: ‘Why aren’t leakers being prosecuted? Why aren’t they being disciplined?’” “Some strong cases,” inherited from the Bush administration, “were already in process,” Miller said. “And a number of cases popped up that were easier to prosecute” with “electronic evidence,” including telephone and e-mail records of government officials and journalists. “Before, you needed to have the leaker admit it, which doesn’t happen,” he added, “or the reporter to testify about it, which doesn’t happen.” Leak prosecutions under Obama have been “a kind of slap in the face,” said Smith of the Center for Public Integrity. “It means you have to use extraordinary measures for contacts with officials speaking without authorization.” Use of Espionage Act gathers steam The first Obama administration prosecution for leaking information popped up quickly in April 2009, when a Hebrew linguist under contract with the FBI, Shamai K. Leibowitz, gave a blogger classified information about Israel. The administration has never disclosed the nature of the information, the identity of the blogger, or the government’s evidence in the relatively little-noticed case. Leibowitz pleaded guilty in May 2010, and was sentenced to 20 months in prison for a violation of the 1917 Espionage Act. It was the Obama administration’s initial use of a law passed during World War I to prevent spying for foreign enemies. The campaign against leaks then gathered steam with Espionage Act prosecutions in two of the investigations inherited from the Bush administration. In the first, NSA employee Thomas Drake was indicted on April 14, 2010, on charges of providing information to The Baltimore Sun in 2006 and 2007 about spending and management issues at the NSA, including disagreements about competing secret communications surveillance programs. Drake gave information to Siobhan Gorman, then a Sun reporter, including copies of documents that, in his view, showed the NSA had wrongly shelved a cheaper surveillance program with privacy safeguards for Americans in favor of a much more costly program without such safeguards. Drake and two of his NSA colleagues believed they were whistle-blowers who had first voiced their concerns within the NSA and to a sympathetic congressional investigator, to no avail. Gorman’s stories in the Sun angered government officials, including Gen. Michael Hayden, who was the NSA director when Drake objected to Hayden’s decision to switch the communications surveillance programs. At the time when the Sun was publishing Gorman’s stories, the Bush administration’s investigation of the 2005 New York Times story about NSA warrantless communications surveillance had not found any leakers to prosecute. Apparently Drake, his NSA colleagues, and the congressional investigator to whom Drake had turned then became the focus of that investigation, even though they were never identified as sources for The Times. The homes of the other three—former NSA officials William Binney and J. Kirk Weibe and House Intelligence Committee staff member Diane Roark—were raided by armed federal agents on July 26, 2007. The raids frightened and angered them, but they were not prosecuted. However, when Drake’s home was searched four months later, federal agents found copies of documents about the NSA programs that were the subjects of The Baltimore Sun stories. Drake volunteered to investigators that, acting as a whistle-blower, he had sent copies of documents and hundreds of e-mails to Sun reporter Gorman. Only after the Obama administration took office more than a year later, and the Justice Department became more aggressive in prosecuting leakers, was Drake indicted on 10 felony counts, including violations of the Espionage Act, for “willful retention of national defense information” and “making false statements” when he insisted to federal agents that the documents he had copies of were not secret. Eventually, Drake’s lawyers and supporters showed that most of the information at issue was not classified or, as former Justice spokesman Miller told me, “other officials had been talking about the same things.” In June, as the government’s case “fell apart,” in Miller’s words, the federal prosecutor agreed not to seek a prison sentence for Drake in return for his guilty plea to the misdemeanor crime of misusing the NSA’s computer system. When Judge Richard D. Bennett sentenced Drake in Federal District Court to a year’s probation and 240 hours of community service, he said it was “unconscionable” that Drake and his family had endured “four years of hell” before the government dismissed its 10-count felony indictment. Drake, who was forced to resign from the NSA, now works in an Apple computer store. Former NSA director Hayden told me that, despite his differences with Drake, the employee should never have been prosecuted under the Espionage Act. “He should have been fired for unauthorized meetings with the press,” Hayden said. “Prosecutorial overreach was so great that it collapsed under its own weight.” Whatever his role in the NSA’s internal rivalries at the time, Drake appears to be a whistle-blower whose information about the secretive agency’s telecommunications surveillance methods should have resulted in greater government accountability at the time, rather than a criminal prosecution for spying. Who is a whistle-blower? In the second investigation inherited from the Bush administration, former CIA officer Jeffrey Sterling was indicted on Dec. 22, 2010, and arrested on Jan. 6, 2011, on charges of providing New York Times reporter James Risen with extensive information about a failed CIA effort to sabotage Iran’s nuclear program. The Times never published a story about it, but the information appeared to be the basis for a chapter in Risen’s 2006 book, State of War. Sterling, who is black, had unsuccessfully sued the CIA for discrimination after he lost his job there. New York Times reporter James Risen has vowed to go to jail rather than identify a source in court. (AP/The New York Times) New York Times reporter James Risen has vowed to go to jail rather than identify a source in court. (AP/The New York Times) Years of communications records for the two men were subpoenaed and seized during the government’s investigation—and itemized in Sterling’s indictment. They showed dozens of telephone calls and e-mails between Sterling and Risen, beginning in 2002, when Risen wrote in The Times about Sterling’s allegations of racial discrimination when he worked on the CIA’s Iran task force. In hindsight, it was the first clear evidence that the Justice Department was digging into the phone and e-mail records of both government officials and journalists while investigating leaks. “Jeffrey Sterling is not a whistle-blower,” Miller, the former Justice Department spokesman, insisted to me, even though Sterling, whatever his motive, apparently was knowledgeable about significant problems plaguing the CIA at the time. “He was fired for cause. He went to court and the case was thrown out. No waste, fraud, or abuse was involved.” This is a disturbing distinction that the Obama administration has made repeatedly. Exposing “waste, fraud and abuse” is considered to be whistle-blowing. But exposing questionable government policies and actions, even if they could be illegal or unconstitutional, is often considered to be leaking that must be stopped and punished. This greatly reduces the potential for the press to help hold the government accountable to citizens. Beginning in early 2008, the Justice Department repeatedly tried to subpoena Risen to testify against Sterling in what has become a long-running legal battle closely watched by journalists and media lawyers. In support of the latest subpoena, filed in April 2010, Justice argued that “James Risen is an eyewitness to the serious crimes with which the grand jury charged Sterling.” In July 2011, Judge Leonie Brinkema ruled in Federal District Court that, while Risen must testify to the accuracy of his reporting, he could not be compelled by the government to reveal his source. She concluded that courts, dating back to the U.S. Supreme Court’s divided ruling in Branzburg v. Hayes in 1972, had, in effect, established a qualified privilege under the First Amendment that protects reporters against identifying their sources if their need to protect their sources’ identities to do their reporting outweighs the government’s need for the reporters’ testimony to establish its case. It was the first time a reporter had successfully invoked such a privilege at the grand jury and trial stages of a federal prosecution. The Obama administration appealed Brinkema’s decision, leaving the Sterling trial in limbo. A coalition of 29 news organizations and related groups came forward to support Risen, a two-time winner of the Pulitzer Prize for journalism. In an appellate brief, they pointed to the many significant national security and government accountability news stories over the years that could not have been reported by the press without confidential sources. However, in July this year, a three-judge panel of the U.S. Court of Appeals for the Fourth Circuit in Richmond, Va., reversed Brinkema’s decision from two years earlier. A 2-to-1 majority ruled that the First Amendment did not protect Risen from being forced to testify against his source. Also citing Branzburg, Chief Judge William Byrd Traxler wrote: “Clearly, Risen’s direct, firsthand account of the criminal conduct indicted by the grand jury cannot be obtained by alternative means, as Risen is without dispute the only witness who can offer this testimony.” Ominously, perhaps, Traxler added that Risen “is inextricably involved in it. Without him, the alleged crime would not have occurred, since he was the recipient of illegally-disclosed, classified information.” Dissenting, Judge Roger Gregory argued that the decision could be a serious blow to investigative journalism. “The majority exalts the interests of the government while unduly trampling those of the press,” he wrote, “and, in doing so, severely impinges on the press and the free flow of information in our society.” Risen asked the full 15-judge appellate court to review the case, and he vowed to go to jail rather than identify his source. Backed once again by many press organizations, he also formally asked the Justice Department to withdraw the subpoena. The Justice Department has continued to press for enforcement of the subpoena by asking the full appellate court not to hear further arguments in the case. Manning case is a turning point The Obama administration’s next prosecution originated with a June 11, 2009, story on the Fox News network’s website. Fox News’s chief Washington correspondent, James Rosen, reported that U.S. Intelligence had discovered that North Korea was planning, in defiance of the United Nations, to escalate its nuclear program and conduct another nuclear weapons test. The Justice Department soon began a secret investigation, which produced an August 19, 2010, felony indictment of Stephen Jin-Woo Kim, a State Department contract analyst. He was charged with violating the Espionage Act by giving classified intelligence information about North Korea to Rosen, who was not named in the indictment. The indictment of Kim contained just two bare-bones paragraphs—the tip of an iceberg of secret investigations on which the Obama administration and the press would collide resoundingly nearly three years later. Overshadowing the Kim case at the time was the arrest in May 2010 of Manning, the Army private, in the most voluminous leak of classified documents in U.S. history. Manning was an emotionally troubled young soldier concerned about U.S. conduct in the wars in Iraq and Afghanistan. Manning used computer access as an Army intelligence analyst in Baghdad to download an enormous amount of classified information and give it to the anti-secrecy group Wikileaks. The data included more than 250,000 U.S. State Department diplomatic cables, 500,000 U.S. Army incident reports from the two wars, dossiers on terrorist suspects detained at Guantánamo Bay, and videos of two American airstrikes that killed civilians in Iraq and Afghanistan. Army Pvt. Chelsea Manning (then known as Pvt. Bradley Manning) was arrested for the most voluminous leak of classified documents in U.S. history. (AP/Patrick Semansky) Army Pvt. Chelsea Manning (then known as Pvt. Bradley Manning) was arrested for the most voluminous leak of classified documents in U.S. history. (AP/Patrick Semansky) News media throughout the world published scores of stories based on the documents obtained through Wikileaks during 2010 and 2011. The State Department cables contained American diplomats’ unvarnished views of numerous countries’ government and diplomatic activities. The military logs detailed troubling issues, including civilian deaths, in waging the wars in Iraq and Afghanistan. While news organizations did further reporting for what they published, and decided to leave out some names and other details after talking to government officials, Wikileaks posted unredacted documents on its own website, exposing, among other things, the identities of foreign nationals in contact with U.S. embassies around the world. Manning was eventually charged in a military court with 22 offenses, including violations of the Espionage Act, and pleaded guilty in February 2013 to 10 of the lesser charges of accessing and communicating classified information. The government nevertheless continued to pursue the prosecution, and Manning was convicted by a military judge in July of the rest of the charges, except the most serious offense under the Uniform Code of Military Justice—aiding the enemy. In August, the court-martial judge, Col. Denise R. Lind, sentenced Manning to 35 years in prison. With credit for time served awaiting the trial and verdict, she could be eligible for parole in seven years. It was a long sentence for leaking classified information, as extensive as it was, to news media, rather than spying for a foreign government. The Manning case appears to have been another turning point. “After Wikileaks, the administration got together and decided we’re not going to let this happen again,” said Lucy Dalglish, who monitored developments closely while director of the Reporters Committee for the Freedom of the Press. “Prosecution under the 1917 Espionage Act is almost their only tool,” she told me. “They’re sending a message. It’s a strategy.” Dalglish, now dean of the Philip Merrill College of Journalism at the University of Maryland, along with Danielle Brian of the Project on Government Oversight (POGO) and other longtime government transparency advocates, met with President Obama in the Oval Office on March 28, 2011, to thank him for his frequent promises about transparency and early actions on open government. They used the opportunity to explain why they thought much more needed to be done. According to Brian’s written account in the POGO blog the next day, the president seemed sympathetic to the issues they raised, including the over-classification of government information as secret. But when Brian brought up “the current aggressive prosecution of national security whistle-blowers” and the “need to create safe channels for disclosure of wrongdoing in national security agencies,” she wrote, “The president shifted in his seat and learned forward. He said he wanted to engage on this topic because that may be where we have some differences. He said he doesn’t want to protect the people who leak to the media war plans that could impact the troops. He differentiated these leaks from those whistle-blowers exposing a contractor getting paid for work they are not performing.” Dalglish told me there was a follow-up meeting at the White House in June 2011, with national security journalists and lawyers from the director of national intelligence, CIA, FBI and the Pentagon. But they made little progress. “When the journalists said that in the past you could negotiate with agencies” about national security information, “there was no real response,” Dalglish recalled. When they asked, with the Risen subpoena in mind, about a proposed federal shield law that could protect reporters from being forced to identify their sources, Dalglish said, the lawyers told them, “You can get a shield law, but you’ve probably seen your last subpoena. We don’t need you anymore.” Another leaker’s motives in question On October 7, 2011, the Obama White House launched an ambitious new effort to curb leaks. “Following the unlawful disclosure of classified information by Wikileaks,” it announced, “the National Security Staff formed an interagency committee to review the policies and practices surrounding the handling of classified information, and to recommend government-wide actions to reduce the risk of a future breach.” An accompanying executive order from the president established an Insider Threat Task Force to develop within a year “a government-wide program for insider threat detection and prevention to improve protection and reduce potential vulnerabilities of classified information from exploitation, compromise, or other unauthorized disclosure.” Meanwhile, the administration launched another Espionage Act prosecution. Former CIA officer John Kiriakou was indicted on April 5, 2012, on five felony counts accusing him of disclosing classified information, including the names of two CIA agents, to freelance journalist Matthew Cole and to New York Times reporter Scott Shane. Kiriakou, who retired from the CIA in 2004, had led the team that located and captured senior Al Qaeda operative Abu Zubaydah in 2002 in Pakistan. He became a sought-after news source—and a bête noire for the CIA—after a 2007 ABC News television interview in which he confirmed that Zubaydah had been water-boarded during his interrogation. Kiriakou said he believed the measure was necessary, legal, and effective, but probably constituted torture that should not be used again. Amid his many subsequent media appearances and contacts with journalists, Kiriakou discussed a covert CIA agent with Cole, who, in turn, discussed the agent with a researcher for defense lawyers for Al Qaeda suspects detained at Guantánamo Bay. Later, Kiriakou confirmed to Shane the identity of a former CIA officer, Deuce Martinez, who was involved in the Zubaydah interrogation. Shane told me that Kiriakou had showed him a non-CIA private business card for Martinez, whom Shane was trying to locate. “Martinez had been undercover, but he had asked that he no longer be, and he wasn’t,” said Shane, who wrote a detailed Times story about “enhanced interrogations” of terrorist suspects, which stated that Martinez had declined to be interviewed. Former CIA officer John Kiriakou walks to U.S. District Court in Alexandria, Virginia, October 23, 2012. (AP/Cliff Owen) Former CIA officer John Kiriakou walks to U.S. District Court in Alexandria, Virginia, October 23, 2012. (AP/Cliff Owen) When government officials discovered that the Guantánamo defense lawyers were identifying CIA witnesses to their clients’ interrogation, the agency filed a crime report that prompted a Justice Department investigation. A defense lawyer and a researcher, who had been targets of the inquiry, were eventually cleared of any illegality. Instead, the investigation turned into a criminal leaks case after investigators seized scores of e-mails between Kiriakou and journalists. They revealed Kiriakou as both Cole’s source of the identity of the covert CIA agent and a frequent contact of Times reporter Shane. In a plea bargain, Kiriakou admitted guilt on October 22, 2012, to a single count of violating the Intelligence Identities Protection Act for giving the covert CIA agent’s name to Cole. In return, the other charges, including three counts of violating the Espionage Act, were dropped. Kiriakou was sentenced to 30 months in prison. Once again, there was disagreement about the leaker’s motivation in a questionable espionage case. Kiriakou and his supporters characterized him as a patriotic, if self-promoting, whistle-blower who exposed abusive interrogation methods later condemned as torture, while none of the government officials responsible for them had been punished. However, Judge Brinkema said in sentencing Kiriakou, “this is not a case of a whistle-blower” because of the seriousness of revealing the identity of a covert intelligence officer. In a statement to CIA employees the day after Kiriakou’s sentencing, David H. Petraeus, then the CIA director, made clear the administration’s intentions. “The case yielded the first successful prosecution”—under the Intelligence Identities Protection Act—“in 27 years, and it marks an important victory for our agency, for our intelligence community, and for the country,” Petraeus told them. “Oaths do matter, and there are indeed consequences for those who believe they are above the laws that protect our fellow officers and enable American intelligence agencies to operate with the requisite degree of secrecy.” The chilling lesson for reporters and sources, The Times’s Shane told me, contrary to Petraeus, “is that seemingly innocuous e-mails not containing classified information can be construed as a crime.” Journalist and author Steve Coll, now dean of the Columbia School of Journalism, raised questions about the case in a New Yorker magazine article last April. “Which matters more: Kiriakou’s motives or his reliability, or the fact that, however inelegantly, he helped to reveal that a sitting president”—George W. Bush—“had ordered international crimes?” Coll asked. “Does the emphasis on the messenger obscure the message?” There is no “perfect solution to this problem” of how to protect necessary secrets while informing citizens about their government, Jack Goldsmith, the Harvard Law professor and former Bush administration lawyer, told me. “Too much secrecy and too much leaking are both bad.” he said. “A leaker has to be prepared to subject himself to the penalties of law, but leaks can serve a really important role in helping to correct government malfeasance, to encourage government to be careful about what it does in secret and to preserve democratic processes.” Climate of fear sets in The next escalation in the Obama administration’s war on leaks had already been prompted by a May 7, 2012, Associated Press story revealing the CIA’s success in penetrating a Yemen-based group, Al-Qaeda in the Arabian Peninsula, that had developed an improved “underwear bomb” improvised explosive device (IED) for a suicide bomber to detonate aboard U.S.-bound aircraft. At the request of the White House and the CIA, the AP had held the story for five days to protect continuing aspects of the covert operation. The AP’s discussions with government officials were similar to many I had participated in with several administrations during my years as executive editor of The Washington Post, when I was deciding how to publish significant stories about national security without causing unnecessary harm. After the AP story first appeared on its wire service, the White House spoke freely about it on the record, publicly congratulating the CIA. Intelligence officials, however, were angry that the AP story and subsequent reporting had revealed their covert operation in Yemen. “The irresponsible and damaging leak of information was made,” CIA Director John Brennan later told Congress, “when someone informed The Associated Press that the U.S. had intercepted an IED that was supposed to be used in an attack and that the U.S. government currently had the IED in its possession and was studying it.” Brennan said that he had himself been questioned by the FBI in the investigation of the leak. Then, on June 1, 2012, The New York Times published a story by David E. Sanger describing a covert operation code-named Olympic Games, in which a computer worm called Stuxnet, developed by the U.S. and Israel, had been used in cyberattacks on the computer systems running Iran’s main nuclear enrichment facilities. Sanger also detailed the operation in his book, Confront and Conceal, published at the same time. Even though the existence of the worm was already known because a computer error had sent it around the world two years earlier, the details in Sanger’s story and book helped cause political trouble for Obama. Republicans in Congress and conservative pundits loudly accused the administration of purposely leaking classified information used in the AP and New York Times stories to embellish Obama’s counterterrorism credentials in an election year. The Justice Department responded by opening aggressive investigations to find and prosecute the unnamed sources of both stories. Rejecting Republican calls for special prosecutors, Attorney General Holder assigned two senior U.S. attorneys to run the investigations. The New York Times reported that federal prosecutors and the FBI questioned scores of officials throughout the government who had knowledge of either covert operation or who were identified in computer analyses of phone, text, and e-mail records as having any contact with the journalists involved. “A memo went out from the chief of staff a year ago to White House employees and the intelligence agencies that told people to freeze and retain any e-mail, and presumably phone logs, of communications with me,” Sanger told me. As a result, he said, longtime sources would no longer talk to him. “They tell me, ‘David, I love you, but don’t e-mail me. Let’s don’t chat until this blows over.’” Director of National Intelligence James Clapper testifies at a Senate Intelligence Committee hearing on FISA legislation on September 26. (Reuters/Jason Reed) Director of National Intelligence James Clapper testifies at a Senate Intelligence Committee hearing on FISA legislation on September 26. (Reuters/Jason Reed) The director of national intelligence, James Clapper, announced on June 25, 2012, his own internal steps to stem leaks. Employees of all 16 U.S. intelligence agencies—including the CIA, NSA, FBI and Defense Intelligence Agency—would be asked during routine polygraph examinations whether they had disclosed any classified information to anyone. And the new inspector general for the Intelligence Community, with jurisdiction over all its agencies, would investigate leak cases that had not produced prosecutions by the Justice Department to determine what alternative action should be taken. A classified report from the inspector general to Clapper, obtained about the same time by the Federation of American Scientists’ Project on Government Secrecy, showed that the inspector general was already reviewing 375 unresolved investigations of intelligence agency employees. Five months later, on November 21, 2012, after a year’s planning by its Insider Threat Task Force, the White House issued a presidential memorandum instructing all federal government departments and agencies to set up Insider Threat Programs to monitor employees with access to classified information and prevent “unauthorized disclosure.” According to the National Insider Threat Policy, each agency must, among other things, develop procedures “ensuring employee awareness of their responsibility to report, as well as how and to whom to report, suspected insider threat activity.” Officials cited the Manning case as the kind of threat the program was intended to prevent. A survey of government department and agencies this summer by the Washington bureau of the McClatchy newspapers found that they had wide latitude in defining what kinds of behavior constituted a threat. “Government documents reviewed by McClatchy illustrate how some agencies are using that latitude to pursue unauthorized disclosures of any information, not just classified material,” it reported in June. “They also show how millions of federal employees and contractors must watch for ‘high-risk persons or behaviors’ among co-workers and could face penalties, including criminal charges, for failing to report them. Leaks to media are equated with espionage.” Michael Hayden, who was director of the NSA and then the CIA during the Bush administration, told me that, in his view, the unfolding Insider Threat Program “is designed to chill any conversation whatsoever.” “The simplest thing to do is to avoid contacts with the press,” the government transparency advocate Steven Aftergood said about the program. “It discourages even casual contacts with the press and members of the public,” he said. “Reporters are interviewing sources through intermediaries now,” Washington Post national news editor Cameron Barr told me, “so the sources can truthfully answer on polygraphs that they didn’t talk to reporters.” Media outraged over AP secret subpoena In May of this year, two revelations of Justice Department tactics in the war on leaks caused already roiling tensions between news media and the Obama administration to boil over. On May 13, the Justice Department informed the Associated Press—three months after the fact—that as part of its investigation of the AP story a year earlier about the CIA’s covert operation in Yemen, it had secretly subpoenaed and seized all records for 20 AP telephone lines and switchboards for April and May of 2012. The records included outgoing calls for the work and personal phone lines of individual reporters, for AP news bureau lines in New York, Washington, and Hartford, Conn., and for the main AP phone number in the press gallery of the U.S. House of Representatives. Although only five AP reporters and an editor were involved in the May 12, 2012, Yemen story, “thousands upon thousands of newsgathering calls” by more than 100 AP journalists using newsroom, home, and mobile phones were included in the seized records, AP President Gary Pruitt said in an interview with CBS News’ “Face the Nation” television program. “There can be no possible justification for such an overbroad collection of the telephone communications of The Associated Press and its reporters,” Pruitt wrote in a letter of protest to Attorney General Holder. “These records potentially reveal communications with confidential sources across all of the newsgathering activities undertaken by the AP during a two-month period, provide a road map to AP’s newsgathering operations and disclose information about AP’s activities and operation that the government has no conceivable right to know.” “I don’t know what their motive is,” Pruitt said on “Face the Nation.” But, he added, “I know what the message being sent is: If you talk to the press, we’re going after you.” There was an immediate outcry from the rest of the press. The next day, a coalition of more than 50 American news media organizations—including the Newspaper Association of America, National Association of Broadcasters, American Society of News Editors, Society of Professional Journalists, ABC, NBC, CNN, NPR, Gannett, McClatchy, Tribune, The New York Times, and The Washington Post—joined the Reporters Committee for the Freedom of the Press in a strong protest letter to Holder. The secret subpoena and seizure of AP phone records, the letter stated, call “into question the very integrity of Department of Justice policies toward the press and its ability to balance, on its own, its police powers against the First Amendment rights of the news media and the public’s interest in reporting all manner of government conduct, including matters touching on national security which lie at the heart of this case.” CPJ’s board of directors also sent an unprecedented letter of protest to Holder. News organizations accuse Attorney General Eric Holder of ignoring Justice Department guidelines governing subpoenas of journalists. (AP/J. Scott Applewhite) News organizations accuse Attorney General Eric Holder of ignoring Justice Department guidelines governing subpoenas of journalists. (AP/J. Scott Applewhite) Substantively, the news organizations charged in their letter that the Justice Department “appears to have ignored or brushed aside almost every aspect” of its own four-decade-old guidelines governing subpoenas of journalists and news organizations. The Justice guidelines prescribed that such a subpoena should be used only a last resort in a federal investigation. They stated that “the subpoena should be as narrowly drawn as possible,” that the targeted news organization “shall be given reasonable and timely notice” to negotiate the subpoena with Justice or to fight it in court, and that “the approach in every case must be to strike the proper balance between the public’s interest in the free dissemination of ideas and information and the public’s interest in effective law enforcement and the fair administration of justice.” By secretly serving the subpoena for the records directly on telephone companies without notifying the AP, the Justice Department avoided negotiations with the news agency or a court challenge over its broad scope. That would be permitted as an exception to the Justice guidelines if prosecutors believed prior notification and negotiations would “pose a substantial threat to the integrity of the investigation.” But there was never an explanation of what threat might have been posed in this case, since preservation of the records by the phone companies was never in question and the news leak under investigation had occurred long before. I can remember only one similar event during my 17 years as executive editor of The Washington Post. In 2008, the FBI director at the time, Robert S. Mueller III, formally apologized to me and to the executive editor of The New York Times for the unexplained secret seizure four years earlier of the phone records of our foreign correspondents working in Jakarta, Indonesia—because the Justice guidelines had been violated and no subpoena had been issued. But I recall a number of instances during several U.S. administrations in which other federal investigative requests, for which the newspaper had prior notification, were successfully negotiated in ways that protected our newsgathering independence in accordance with the Justice guidelines. A week after the revelation of the secret seizure of AP telephone records, The Washington Post reported that the Justice Department had also secretly subpoenaed and seized telephone and e-mail records of the Fox News chief Washington correspondent, James Rosen, in the Espionage Act prosecution of Stephen Jin-Woo Kim. Federal investigators used the records to trace phone conversations and e-mail exchanges between Rosen and Kim in June, 2009, at the time of Rosen’s story about U.S. intelligence monitoring of North Korea’s nuclear program. Although investigators had already gathered evidence from Kim’s phone records and computer at the State Department, where he worked as a contract analyst with access to classified information, they used the secret subpoena to seize Rosen’s phone records and personal e-mails. They also used electronic security badge records to track the comings and goings of Rosen and Kim at the State Department. Most disturbing for journalists and news organizations, the FBI affidavit filed in support of the successful federal court application for the secret subpoena declared that “there is probable cause to believe that the reporter has committed or is committing a violation” of the Espionage Act—“at the very least, either as an aider, abettor and/or co-conspirator” —in seeking and accepting information from Kim while doing his job as a journalist. “The reporter did so by employing flattery and playing to Mr. Kim’s vanity and ego,” the affidavit said, potentially—if not laughably—criminalizing a routine interview tip taught to every cub reporter. Although the secret subpoena was approved by Holder in May 2010, it and the records seizure did not become known until court records were unsealed three years later. Those records showed that the Justice Department went back to court repeatedly during that time for approval to avoid notifying Rosen and Fox News about the subpoena, in an apparent effort to continue to monitor Rosen’s e-mail for other contacts with government officials. It amounted to open-ended government surveillance of a reporter’s communications. “As with the AP subpoenas, this search is overbroad and has a chilling effect on reporters,” stated a Wall Street Journal editorial that expressed a view widespread among journalists. “The chilling is even worse in this case because Mr. Rosen’s personal communications were subject to search for what appears to be an extended period of time. With the Fox News search following the AP subpoenas, we now have evidence of a pattern of anti-media behavior. … The suspicion has to be that maybe these ‘leak’ investigations are less about deterring leakers and more about intimidating the press.” In the midst of the controversy, Obama said in a major speech on national security at the National Defense University on May 23 that he was “troubled by the possibility that leak investigations may chill the investigative journalism that holds government accountable.” He said, “Journalists should not be at legal risk for doing their jobs,” even though his administration would still aggressively investigate government officials “who break the law” by leaking classified information. The president asked Holder “to review existing Department of Justice guidelines governing investigations that involve reporters.” And Obama called on Congress to revive and pass a federal “shield law”—similar to those in 40 states and the District of Columbia—that would spell out defenses for journalists facing legal efforts to uncover their confidential sources and reporting contacts. Two months later, after a series of Justice Department meetings with news executives, reporters, and media lawyers, Holder announced Obama-approved revisions to the Justice guidelines that somewhat narrowed the circumstances under which federal investigators could subpoena and seize communications records of news organizations or reporters. News organizations would be given advance notice of such subpoenas unless the attorney general personally determined “for compelling reasons” that it would pose a clear and substantial threat to an investigation. Search warrants could be issued for a reporter’s phone and e-mail records only if the journalist was the focus of a criminal investigation for conduct not connected to ordinary newsgathering. “Members of the news media will not be subject to prosecution based solely on newsgathering activities,” the Justice Department said. It also would explore “ways in which intelligence agencies themselves, in the first instance, can address information leaks internally through administrative means, such as the withdrawal of security clearances and imposition of other sanctions,” rather than criminal prosecutions. Media lawyers who negotiated with Justice welcomed the revisions to the guidelines as significant progress, despite remaining exceptions. The reactions of journalists were mixed. Times reporter Sanger told me that the revisions were “just formalizing what was observed in past administrations. The guidelines worked pretty well until the Obama administration came in.” Even as the Justice Department was working with the news media on revising the guidelines, it was using the Associated Press reporters’ phone records it had secretly seized to identify and convict a former FBI agent for the leak about the covert CIA operation in Yemen. On September 23, Justice announced that Donald J. Sachtleben, a former FBI bomb technician working as a contractor for the bureau, had agreed to plead guilty to “unlawfully disclosing national defense information relating to a disrupted terrorist plot” in Yemen. “Sachtleben was identified as a suspect in the case of this unauthorized disclosure” to a reporter, according to the announcement, “only after toll records for phone numbers related to the reporter were obtained through a subpoena and compared to other evidence collected during the leak investigation.” Sachtleben agreed to a 43-month prison sentence in the leak case, in addition to a 97-month sentence for his guilty plea in an unrelated child pornography case. U.S. Senators South Carolina Republican Lindsey Graham, right, and Charles Schumer, a New York Democrat, proposed a new shield law to protect journalists from having to identify their sources. (Reuters/Claro Cortes IV) U.S. Senators South Carolina Republican Lindsey Graham, right, and Charles Schumer, a New York Democrat, proposed a new shield law to protect journalists from having to identify their sources. (Reuters/Claro Cortes IV) Focusing on what it called the defendant’s “egregious betrayal of our national security” in the AP case, the Justice announcement contained another strong warning to potential leakers of classified information to the news media. “This prosecution demonstrates our deep resolve to hold accountable anyone who would violate their solemn duty to protect our nation’s secrets and to prevent future, potentially devastating leaks by those who would wantonly ignore their obligations to safeguard classified information,” it stated. “With these charges, a message has been sent that this type of behavior is completely unacceptable and no person is above the law.” After reiterating that the seized phone records of AP reporters had enabled the FBI to identify Sachtleben, the statement added, “The FBI will continue to take all necessary steps to pursue such individuals who put the security of our nation and the lives of others at risk by their disclosure of sensitive information.” While it didn’t address the breadth and secrecy of the AP subpoena, Justice appeared to be vowing that it would, when it deemed necessary, make aggressive use of the national security exceptions in both its revised guidelines and a proposed federal shield law for reporters. Weeks before this announcement, a supporter of a federal shield law, Sen. Ron Wyden, the Oregon Democrat, expressed his concerns about targeting reporters’ phone records to discover their sources. “As a member of the Senate Intelligence Committee for a decade now, I won’t take a back seat to anybody in protecting genuine national security information, but that doesn’t mean that everything done in the name of stopping leaks is a good public policy,” Wyden told me. “Some of the tactics the Justice Department has used in recent leaks investigations have been overly broad. Seizing phone records of journalists is in effect treating journalists as accomplices in committing crimes.” Obama and Holder have both expressed support for congressional passage of a federal reporter shield law. A compromise bill approved by the Senate Judiciary Committee on September 12 would make it more difficult for the government in federal investigations to compel reporters to reveal their sources except in “classified leak cases when information would prevent or mitigate an act of terrorism or harm to national security.” It would require a judge, not the attorney general, to approve subpoenas for reporters’ records or sources. A potential sticking point for the shield law had been how Congress should define who is a journalist in this participatory digital media era. The compromise language in the Senate bill would cover anyone who had an “employment relationship” with a news organization for at least one year in the past 20 years, or three months in the previous five years; student journalists; anyone with a “substantial track record” of freelance journalism in the previous five years; and anyone else “whom a federal judge has decided should be able to avail him or herself of the protections of the privilege, consistent with the interests of justice and the protection of lawful and legitimate newsgathering activities.” Journalists and press freedom advocates are divided over whether the federal government should define who is a journalist at all, even though many state shield laws already do. They are concerned about any restrictions on whose journalism would be protected. “You give us a definition of what a journalist is, you define exemptions, you’re painting us into a corner,” Scott Armstrong, an independent investigative journalist and the executive director of the government transparency advocate Information Trust, said of the reporter shield legislation at a Newseum Institute panel discussion in Washington in September. Armstrong said that, as a First Amendment absolutist, he opposes any congressional legislation governing the press. He added that the national security exemption means that the legislation “won’t protect national security reporters. Federal agencies can still investigate us.” But others on the panel argued that a shield law would provide some needed protection from federal government interference for countless journalists covering other subjects across the country. “This shield law could keep a lot of reporters out of court,” said Kevin Goldberg, legal counsel for the American Society of News Editors. Congressional passage of a federal shield law in some form would “not be a cure-all, but helpful,” Michael Oreskes of the AP told me, if it is “a statement that the act of reporting and finding sources is as important as the constitutional right to publish.” Surveillance revelations deepen the chill While the fate of the shield legislation remained uncertain, the Obama administration, Congress, and the American people reacted to Snowden’s revelations about the NSA’s extensive secret collection and surveillance of American and foreign telephone and e-mail traffic. On June 5, the Guardian and The Washington Post began publishing what became a steady stream of stories, documents, and exhibits from the large amount of highly classified information Snowden had given separately to Post reporter Barton Gellman and Guardian reporter Glenn Greenwald. Snowden was connected to them by documentary filmmaker Laura Poitras, who was developing a documentary about U.S. electronic surveillance, and who shared some reporting with the two journalists. A monitor in a Hong Kong shopping mall broadcasts news on the charges against Edward Snowden on June 22, 2013. (Reuters/Bobby Yip) A monitor in a Hong Kong shopping mall broadcasts news on the charges against Edward Snowden on June 22, 2013. (Reuters/Bobby Yip) Snowden, while working as a Booz Allen Hamilton consultant for the NSA in Hawaii in the spring of 2013, downloaded a still-unknown amount of information about the NSA’s secret surveillance programs. He communicated with Gellman by encrypted e-mail and met secretly with Greenwald and Poitras in Hong Kong. Their stories revealed details of secret NSA operations that acquire, store, and search huge amounts of telephone call, text, and e-mail data from American telephone and Internet companies, under secret FISA court authorization, to find and track communications that might be tied to terrorist activity. The published documents also included the “black budget” for U.S. intelligence agencies, classified government charts illustrating how the NSA surveillance programs operate, and legal memos and FISA court decisions underpinning the programs. Not long after publication began in The Post and the Guardian, Snowden publicly identified himself as the source of their information. When Gellman asked him at the time about his motive, Snowden said he had discovered an immense expansion of government electronic surveillance, which is “such a direct threat to democratic government that I have risked my life and family for it.” On June 21, the Justice Department unsealed a criminal complaint, filed a week earlier, charging Snowden with several violations of the Espionage Act. The U.S. government began a wide-ranging effort to have him extradited to the United States, including revoking his passport. But Snowden eventually made his way from Hong Kong to Russia, where he was granted temporary asylum on August 1. Greenwald and Poitras worked on his stories and her documentary in Brazil, expressing concern about the U.S. and allied governments’ using border security powers to harass and hamper them. Poitras, whose previous films were critical of U.S. anti-terrorism policies, had already been stopped and questioned and had her computers searched several times by the U.S. Customs and Border Patrol when re-entering the country in recent years. Greenwald’s partner, David Miranda, serving as a courier for him and the Guardian, was similarly detained and his equipment confiscated at Heathrow airport in London on his way back to Rio de Janeiro from Europe in mid-August. That appeared to be part of an effort by British officials to stop or limit the Guardian’s publication of material from Snowden, which included U.S. government documents describing the NSA’s collaboration on electronic surveillance with its secretive British counterpart, Government Communications Headquarters (GCHQ). After threatening the use of Britain’s draconian Official Secrets Act, officials supervised destruction in the Guardian offices of computer hard drives containing some of the secret files obtained by Snowden, even though other copies remained in the U.S. and Brazil. Like The Washington Post, the Guardian continued to publish stories based on Snowden’s documents, and it began sharing some of them with The New York Times and the nonprofit investigative reporting group ProPublica, based in New York. At this writing, no connection has been established between the NSA surveillance programs and the many leak investigations being conducted by the Obama administration—but the surveillance has added to the fearful atmosphere surrounding contacts between American journalists and government sources. “There is greater concern that their communications are being monitored—office phones, e-mail systems,” Post reporter Chandrasekaran said. “I have to resort to personal e-mail or face to face, even for things I would consider routine.” Journalists who aren’t worried about their communications being monitored should be; if not, they could be putting their sources at risk, said Oktavía Jónsdóttir, program director of the S.A.F.E. Initiative of the Washington-based nonprofit IREX, which advocates for independent media and civil society internationally. “The key I think is whether journalists today can guarantee their sources anonymity, and at this point that is very difficult, but I will say, not impossible,” Jónsdóttir said. “Sources need to understand the risks they take, agree with the journalists how far they will go and then put ultimate trust in that individual’s ability to protect that information and ensure that even though the information may be compromised, the source is not.” Washington Post national security reporter Dana Priest told me: “People think they’re looking at reporters’ records. I’m writing fewer things in e-mail. I’m even afraid to tell officials what I want to talk about because it’s all going into one giant computer.” The work of foreign journalists could be especially vulnerable to surveillance by the NSA or other U.S. intelligence agencies, because they are legally authorized to monitor telephone and Internet communications of non-U.S. nationals. The German magazine Der Spiegel, citing documents from Snowden, reported in August that the NSA had hacked into internal communications of the international news organization Al-Jazeera. The Qatar-based broadcaster and the U.S. government have often been at odds since it broadcast videotaped statements by Osama bin Laden after the 9/11 attacks. Peter Horrocks, director of global news at the BBC, said all journalists at the British broadcaster must now take training in information security. “The nature of their work means journalists are often in touch with organizations representing extremist viewpoints and sources whose identities must be protected, and the BBC is particularly concerned with protecting those journalists who are travelling and working in sensitive locations,” he said. Germans protest the U.S. National Security Agency's monitoring of international Internet traffic in Frankfurt on July 27, 2013. (Reuters/Kai Pfaffenbach) Germans protest the U.S. National Security Agency's monitoring of international Internet traffic in Frankfurt on July 27, 2013. (Reuters/Kai Pfaffenbach) The European Union opened an investigation in September “to determine the impact of [U.S.] surveillance activities on EU citizens,” including journalists. In teleconferenced testimony to the European Parliament’s Civil Liberties Committee, Guardian editor Alan Rusbridger said that Miranda’s airport detention and the destruction of NSA materials at the Guardian could be “chilling and obstructive to journalism.” He called for EU oversight of such actions by member governments, adding, “Please find ways to protect journalism.” Five days after Snowden was charged, Barton Gellman was asked in a panel discussion at the Center for Strategic and International Studies in Washington why he and The Post had published stories based on classified documents from Snowden. “Congress passes a vague law and a secret court makes secret rulings,” Gellman said. “Where should the line be between intelligence gathering and privacy? We haven’t had that discussion.” The discussion started by Snowden’s revelations quickly grew into a national debate. Members of Congress complained publicly that they had been kept in the dark or misled about the nature and dimensions of the NSA programs. Clapper, the director of national intelligence, was forced to apologize for falsely denying in earlier testimony to Congress that the NSA had secretly collected data about the telephone calls of millions of Americans. A bipartisan group of 26 senators wrote to Clapper to demand more information about the NSA surveillance, which they said “raises serious civil liberties concerns and all but removes the public from an informed national security and civil liberties debate.” Two judges of the secret FISA court gave unprecedented, if brief, statements about how it worked to The Washington Post. Senate Intelligence Committee chairwoman Dianne Feinstein wrote an opinion article in The Post defending the NSA surveillance as a necessary counterterrorism tool, while promising to work in Congress to make changes “to increase transparency and improve privacy protections.” In July, as more members of Congress expressed skepticism about the NSA programs and what they knew about them, several of them introduced bills to rein in the programs. On July 24, a bipartisan plan to defund the NSA’s telephone data collection program was defeated by just seven votes in the House of Representatives. The Obama administration responded by explaining for the first time the legal rationale, execution and oversight of the secret NSA surveillance programs. The president declassified and ordered the release of many previously secret government reports, court decisions, and other documents, including the total number of surveillance orders issued each year to telecommunications companies. At a news conference on August 9, the president said he would ask Congress to tighten privacy protections in the Patriot Act authorization of the NSA programs and add an advocate for privacy rights to the secret FISA court proceedings that govern the NSA programs, in which only the government has been represented. He also created a panel to assess the phone records collection programs and suggest changes by the end of the year. Adding to his administration’s roster of government-run information sites, Obama announced that the 16-agency U.S. Intelligence Community was launching its own website, “IC on the Record.” The website posts statements from intelligence agencies, responses to what they characterize as erroneous press reports, and copies of declassified documents, which were dramatically labeled on the website with illustrations of opened locks. Though the White House is taking credit for this welcome new openness about the NSA’s activities, the fact is that the Obama administration—and the Bush administration before it—should have been more open and accountable for the NSA’s surveillance activities in the first place. It seems highly unlikely this new transparency would have begun without Snowden’s disclosures. That would appear to make him a whistle-blower, although he obviously broke laws governing access to highly classified information and his own security clearance, and the full extent, distribution and potential national security impact of the information he obtained is still not known. In November, the president signed the congressionally passed Whistle-Blower Act of 2012, along with a presidential policy directive aimed at protecting from retaliation all government whistle-blowers, including employees—but not contractors—in intelligence agencies. However, the administration won an appellate court decision in August that takes away from the many federal employees in designated “national security sensitive” positions the right to appeal personnel actions by their agencies, which could include retaliation for whistle-blowing. And the administration has insisted that government whistle-blowers first raise their issues internally, rather than to outsiders, including the press. Senator Wyden told me that he has studied the intelligence agencies’ personnel rules and found that whistle-blowers “have to go first to the people perpetrating the problems they want to expose, before they can come to Congress, for example. There are a mountain of barriers and hurdles for intelligence agency whistle-blowers,” he said. “We have a president with two minds in regard to whistle-blowing,” said Angela Canterbury, director of public policy for the Project on Government Oversight. “He deserves credit for doing more than any other president, but there’s a different policy for classified information whistle-blowers.” The 16-agency U.S. Intelligence Community launched a new website following criticism that surveillance policies were not transparent. (CPJ) The 16-agency U.S. Intelligence Community launched a new website following criticism that surveillance policies were not transparent. (CPJ) When I asked deputy national security adviser Ben Rhodes about this, he said, “The president doesn’t like leaks of unauthorized information that can harm national security.” But not nearly all “unauthorized” or classified government information presents that danger. The Obama administration could do much more to reduce unnecessary classification. “The system is bent deeply in the direction of over-classification of information,” Senator Wyden said. “If done properly to protect only genuine national security information, it would be easier to protect government secrets.” He said it seemed as if classification were being used more to protect people from political embarrassment. “Even when acting in good faith, officials are liable to over-classify,” said open government advocate Steven Aftergood. “There is no review of classification decisions.” Obama directed government officials in a December 2009 executive order not to classify information if they had significant doubts about whether it needed to be secret. The number of newly classified documents has declined somewhat since then, according to the White House, and declassification of older documents has accelerated. But the administration has yet to take action on more far-reaching recommendations to reduce over-classification made to the president in a December 6, 2012, report by the congressionally authorized Public Interest Declassification Board (PIDB). It concluded that “present practices for classification and declassification of national security information are outmoded, unsustainable and keep too much information from the public.” The administration’s accelerated cyberwarfare activities, revealed in news reports of documents provided by Snowden, were cited by The Times’sSanger as an example of information the government should have declassified in some form before it was leaked. “I think there is a public interest in revealing things like that to alert the American people that an entirely new class of weapons to which the U.S. would be vulnerable were being deployed by the U.S.—to start public debate, even if the details of it are classified.” In an April 23, 2013, open letter, 30 government transparency organizations called on the president “to promptly establish and provide active White House leadership for a Security Classification Reform Steering Committee” to push government agencies to implement the PIDB recommendations “to help correct what you have called ‘the problem of over-classification.’” The groups urged that the White House “take ownership of the reform effort.” The White House and the Justice Department should also vigorously enforce the directive they issued on the president’s first full day in office, ordering government agencies to respond to Freedom of Information Act requests “promptly and in a spirit of cooperation.” It directed that information should not be withheld merely because “public officials might be embarrassed by disclosure, because errors and failures might be revealed, or because of speculative or abstract fears.” The default response to information inquiries, with or without formal FOIA requests, was supposed to be disclosure. Instead, reporters and open government advocates told me that their FOIA requests too often faced denials, delays, unresponsiveness or demands for exorbitant fees, with cooperation or obstruction varying widely from agency to agency. Government transparency advocate Danielle Brian of POGO told me that, while “non-intelligence parts” of the Pentagon were responsive to information requests, many other parts of the Obama administration—especially the State Department, Agency for International Development, and the Environmental Protection Agency—were “off the charts bad on FOIA.” An Associated Press analysis, published in March, found that “more often than it ever has,” the Obama administration “cited legal exceptions to censor or withhold the material” and “frequently cited the need to protect national security and internal deliberations.” Some of the administration’s new government information policies also contain vague privacy exceptions that could be used to hide records crucial to accountability reporting about such subjects as health care payments, government subsidies, workplace accidents, or detentions of terrorism suspects. A Washington-based consortium of more than 80 open government advocacy organizations called OpenTheGovernment.org is working on recommendations to the Obama administration to make the FOIA work better for the press and the public. They include reducing the number and breadth of exemptions used to withhold requested information, creating an effective process for appealing and overturning denials of information, reforming fee systems in federal agencies, and streamlining and centralizing the federal FOIA system, as some other countries have done. When I asked Lucy Dalglish what she thought the Obama administration should do to fulfill the president’s promises of transparency and open government, her list included: Keep fewer secrets, improve the FOIA process, be open and honest about government surveillance, and build better bridges with the press, rather than trying to control or shut it out. With so much government information digitally accessible in so many places to so many people, there are likely to be more Mannings and Snowdens among those who grew up in a digital world with blurred boundaries between public and private, shared and secret information. That makes access by the press to a range of government sources of information and guidance more important than ever. “Closing doors to reporters is hurting themselves,” Washington Post journalist and author Bob Woodward told me, “because less responsible news organizations will publish or broadcast whatever they want. In the end, it does not hurt the press; it can damage national security.” Journalists from other countries pointed out that hostility by the U.S. government to the news media can be damaging to press freedom elsewhere, contrary to the openness the Obama administration has been advocating internationally. Mohamed Elmenshawy, the widely published Egyptian columnist and director of regional studies at the Middle Eastern Institute in Washington, said, “As journalists from Third World countries, we look at the U.S. as a model for the very things we want: more freedom of expression and professionalism. We are fighting for free news and not to be threatened, and when we see some issues here regarding regulating news and reporting, it is bad news for us because usually our governments, especially undemocratic ones, use this as an example in a very negative way.” President Obama is faced with many challenges during his remaining years in office, the outcome of which will help shape his legacy. Among them is fulfilling his very first promise—to make his administration the most transparent in American history amid national security concerns, economic uncertainty, political polarization, and rapid technological change. Whether he succeeds could have a lasting impact on U.S. government accountability and on the standing of America as an international example of press freedom. Leonard Downie Jr., vice president at large and former executive editor of The Washington Post, is the Weil Family Professor of Journalism at Arizona State University’s Walter Cronkite School of Journalism and Mass Communication. He is a founder and a current director of Investigative Reporters and Editors and the author of five books. Sara Rafsky, Americas research associate for the Committee to Protect Journalists in New York, contributed to this report. October 10, 2013 10:00 AM ET Frank SmythExecutive DirectorGlobal Journalist Securityfrank at journalistsecurity.netTel. + 1 202 244 0717Cell + 1 202 352 1736Twitter: @JournoSecurityWebsite: www.journalistsecurity.netPGP Public Key 92861E6B -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu. ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From eugen at leitl.org Thu Oct 10 04:01:34 2013 From: eugen at leitl.org (Eugen Leitl) Date: Thu, 10 Oct 2013 13:01:34 +0200 Subject: [pfSense] NSA: Is pfSense infiltrated by "big brother" NSA or others? Message-ID: <20131010110134.GZ10405@leitl.org> ----- Forwarded message from Giles Coochey ----- From michael at briarproject.org Thu Oct 10 05:03:58 2013 From: michael at briarproject.org (Michael Rogers) Date: Thu, 10 Oct 2013 13:03:58 +0100 Subject: [guardian-dev] ADTN: Anonymous Delay-Tolerant Network Message-ID: <525697AE.7010807@briarproject.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi all, Ana Barroso gave an exciting presentation at CTS IV about a new idea for anonymous communication. Briefly, the idea is to use short-range communication between mobile devices to create a delay-tolerant network. Any member of the network can send messages anonymously to the whole network, and members who know each other can use the network to exchange end-to-end encrypted private messages. An adversary who can observe the whole network and participate in it can't tell: * Which users are sending messages, as opposed to just forwarding them * Which user is the source of an anonymous message * Which users are the source and destination of a private message * Which users know each other These are strong anonymity properties that are clearly applicable to activist use cases, so I'd like to see this thing built. It does't, unfortunately, follow that I can build it on my own, but with our collective skills, experience and fragments of reusable code I think we can put together a proof-of-concept Android app with minimal risk of karoshi. I've set up a Github project and a couple of mailing lists. Please join the adtn-devel list if you'd like to discuss or contribute to the project, or the adtn-announce list for occasional updates. Ana's working on a tech report that will describe how her idea works. Looking forward to your comments, suggestions and pull requests. https://github.com/akwizgran/adtn http://sourceforge.net/p/adtn/mailman Cheers, Michael -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJSVpetAAoJEBEET9GfxSfMaJEH/iMdicp88t1+euSXpDW8FAEn py+0ZjxPL2haJN4BKKY17qzP8hA9Qk07RSzex22PFzastczcfGTRHen7R5VWCckd Ti0QuDaJCtGXrl3JGeKhsPwDYh7UR4/pe3n0GwJz5zemwMsIQNRYAMLrJJmwlU7M 4C+zd9x9j+jXtJvOpoGzfEcnNUfBq0I/NfQZ+hVDHBuu351R0nzskswj6NvgPFT4 4a0QRQ9Oljv7Fca9j/HG1RPMatMYl/qGOR0UrlJoE/x8VM1NEHoZbzP75ldm3dom mrbRc+LMCIaSJ4cK2SShIVSb/GDG+M/rYZj6T79+KsfjFJAXcG7VuXatZy3Nr1A= =vK8q -----END PGP SIGNATURE----- _______________________________________________ Guardian-dev mailing list Post: Guardian-dev at lists.mayfirst.org List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev To Unsubscribe Send email to: Guardian-dev-unsubscribe at lists.mayfirst.org Or visit: https://lists.mayfirst.org/mailman/options/guardian-dev/eugen%40leitl.org You are subscribed as: eugen at leitl.org ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From eugen at leitl.org Thu Oct 10 05:13:36 2013 From: eugen at leitl.org (Eugen Leitl) Date: Thu, 10 Oct 2013 14:13:36 +0200 Subject: Cryptographers condemn US =?utf-8?Q?Nation?= =?utf-8?Q?al_Security_Agency=E2=80=99?= =?utf-8?Q?s?= tapping and tampering, but mathematicians shrug. Message-ID: <20131010121336.GC10405@leitl.org> http://www.nature.com/news/researchers-split-over-nsa-hacking-1.13911 Researchers split over NSA hacking Cryptographers condemn US National Security Agency’s tapping and tampering, but mathematicians shrug. Ann Finkbeiner 08 October 2013 The National Security Agency is the largest employer of mathematicians in the United States. PATRICK SEMANSKY/ASSOCIATED PRESS The US National Security Agency (NSA) has upset a great many people this year. Since June, newspapers have been using documents leaked by former intelligence worker Edward Snowden to show how the secretive but powerful agency has spied on the communications of US citizens and foreign governments. Last month, the media reported that the NSA, which is based in Fort Meade, Maryland, had undermined Internet security standards. The revelations have sparked international outrage at the highest levels — even the president of Brazil cancelled a visit to the United States because of the spying. Yet amid the uproar, NSA-supported mathematicians and computer scientists have remained mostly quiet, to the growing frustration of others in similar fields. “Most have never met a funding source they do not like,” says Phillip Rogaway, a computer scientist at the University of California, Davis, who has sworn not to accept NSA funding and is critical of other researchers’ silence. “And most of us have little sense of social responsibility.” Mathematicians and the NSA are certainly interdependent. The agency declares that it is the United States’ largest maths employer, and Samuel Rankin, director of the Washington DC office of the American Mathematical Society, estimates that the agency hires 30–40 mathematicians every year. The NSA routinely holds job fairs on university campuses, and academic researchers can work at the agency on sabbaticals. In 2013, the agency’s mathematical sciences programme offered more than US$3.3 million in research grants. Furthermore, the NSA has designated more than 150 colleges and universities as centres of excellence, which qualifies students and faculty members for extra support. It can also fund research indirectly through other agencies, and so the total amount of support may be much higher. A leaked budget document says that the NSA spends more than $400 million a year on research and technology — although only a fraction of this money might go to research outside the agency itself. “I understand what’s in the newspapers, but the NSA is funding serious long-term fundamental research and I’m happy they’re doing it.” Many US researchers, especially those towards the basic-research end of the spectrum, are comfortable with the NSA’s need for their expertise. Christopher Monroe, a physicist at the University of Maryland in College Park, is among them. He previously had an NSA grant for basic research on controlling cold atoms, which can form the basis of the qubits of information in quantum computers. He notes that he is free to publish in the open literature, and he has no problems with the NSA research facilities in physical sciences, telecommunications and languages that sit on his campus. Monroe is sympathetic to the NSA’s need to track the develop­ment of quantum computers that could one day be used to crack codes beyond the ability of conventional machines. “I understand what’s in the newspapers,” he says, “but the NSA is funding serious long-term fundamental research and I’m happy they’re doing it.” Dena Tsamitis, director of education, outreach and training at Carnegie Mellon University’s cybersecurity research centre in Pittsburgh, Pennsylvania, also wants to maintain the relationship. She oversees visitors and recruiters from the NSA but her centre gets no direct funding. She says that her graduate students understand the NSA’s public surveillance to be “a policy decision, not a technology decision. Our students are most interested in the technology.” And the NSA, she says — echoing many other researchers — “has very interesting technology problems”. The academics who are professionally uneasy with the NSA tend to lie on the applied end of the spectrum: they work on computer security and cryptography rather than pure mathematics and basic physics. Matthew Green, a cryptographer at Johns Hopkins University in Baltimore, Maryland, says that these researchers are unsettled in part because they are dependent on protocols developed by the US National Institute of Standards and Technology (NIST) to govern most encrypted web traffic. When it was revealed that the NSA had inserted a ‘back door’ into the NIST standards to allow snooping, some of them felt betrayed. “We certainly had no idea that they were tampering with products or standards,” says Green. He is one of 47 technologists who on 4 October sent a letter to the director of a group created last month by US President Barack Obama to review NSA practices, protesting because the group does not include any independent technologists. Edward Felten, who studies computer security at Princeton University in New Jersey, says that the NSA’s breach of security standards means that cryptographers will need to change what they call their threat model — the set of assumptions about possible attacks to guard against. Now the attacks might come from the home team. “There was a sense of certain lines that NSA wouldn’t cross,” says Felten, “and now we’re not so sure about that.” Nature 502, 152 (10 October 2013) doi:10.1038/502152a From elijah at riseup.net Thu Oct 10 14:17:01 2013 From: elijah at riseup.net (elijah) Date: Thu, 10 Oct 2013 14:17:01 -0700 Subject: [liberationtech] 10 reasons not to start using PGP Message-ID: <5257194D.1050202@riseup.net> On 10/10/2013 12:23 PM, carlo von lynX wrote: > 1. Downgrade Attack: The risk of using it wrong. Fixed in the new generation of clients (mailpile, LEAP, etc). > 2. The OpenPGP Format: You might aswell run around the city naked. Fixed by using StartTLS with DANE (supported in the new version of postfix). Admittedly, this makes sysadmin's job more challenging, but LEAP is working to automate the hard stuff (https://leap.se/platform). > 3. Transaction Data: He knows who you are talking to. Fixed in the short term by using StartTLS with DANE. Fixed in the long term by adopting one of these approaches: https://leap.se/en/routing > 4. No Forward Secrecy: It makes sense to collect it all. Imperfectly fixed in the short term using StartTLS with only PFS ciphers enabled. This could be fixed in the long term by using Trevor Perrin's scheme for triple EC Diffie-Hellman exchange. This has been implemented by moxie for SMS, and could be for SMTP (https://whispersystems.org/blog/simplifying-otr-deniability/). > 5. Cryptogeddon: Time to upgrade cryptography itself? New version of GPG supports ECC, but of course nothing in the snowden leaks suggest we need to abandon RSA of sufficient key length (just the ECC curves that have *always* been suspicious). > 6. Federation: Get off the inter-server super-highway. Federated transport with spool-then-forward time delay is likely a much more feasible way to thwart traffic analysis than attempting to lay down a high degree of cover traffic for direct peer to peer transport. This is, of course, an area of active academic research and it would be irresponsible to say that we definitively know how to prevent traffic analysis, either with p2p or federation. > 7. Statistical Analysis: Guessing on the size of messages. Easily fixed. > 8. Workflow: Group messaging with PGP is impractical. No one anywhere has solved the problem of asynchronous, forward-secret group cryptography. There are, however, working models of group cryptography using OpenPGP, such as SELS (http://sels.ncsa.illinois.edu/). This approach makes key management more difficult, but we need to automate key management anyway for OpenPGP to be usable enough for wider adoption. > 9. TL;DR: I don't care. I've got nothing to hide. This critique rests on the assumption that the problems with email are unfixable. > 10. The Bootstrap Fallacy: But my friends already have e-mail! Email remains one of the two killer apps of the internet, and is unlikely to vanish any time soon. Simple steps we can take to make it much better seem like a wise investment in energy. There are two approaches to addressing the problems with email: (1) assert that email is hopeless and must be killed off. (2) identify areas where we can fix email to bring it into the 21st century. I think that approach #1 is irresponsible: regardless of one's personal feelings about email, it is certainly not a lost cause, and asserting that it is will make it more difficult to build support for fixing it. Approach #2 is certainly an uphill battle, but there are a growing number of organizations working on it. LEAP's (free software) efforts are outlined here: https://leap.se/email. We have it working, we just need to get it mature enough for production use. -elijah -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu. ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From eugen at leitl.org Thu Oct 10 05:21:32 2013 From: eugen at leitl.org (Eugen Leitl) Date: Thu, 10 Oct 2013 14:21:32 +0200 Subject: [pfSense] Crypto/RNG Suggestions Message-ID: <20131010122132.GE10405@leitl.org> ----- Forwarded message from Jim Pingle ----- From eugen at leitl.org Thu Oct 10 05:22:18 2013 From: eugen at leitl.org (Eugen Leitl) Date: Thu, 10 Oct 2013 14:22:18 +0200 Subject: [guardian-dev] ADTN: Anonymous Delay-Tolerant Network Message-ID: <20131010122218.GF10405@leitl.org> ----- Forwarded message from Michael Rogers ----- From giles at coochey.net Thu Oct 10 06:50:41 2013 From: giles at coochey.net (Giles Coochey) Date: Thu, 10 Oct 2013 14:50:41 +0100 Subject: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted? Message-ID: <5256B0B1.2050501@coochey.net> Trying to get this back on-topic, I will change the subject however, to alleviate the issues the anti-tin-foil-hat-brigade have. (ps I am also top-posting on purpose as I believe the conversation below has near to no relevance to my questions, but simply is an argument as to whether these questions should be asked, to which I believe in the affirmative). I have various questions to offer for discussion which have been bothering me since various security related issues that have appeared in the media recently: (see: https://www.schneier.com/crypto-gram-1309.html) Clearly, at the moment, open source security tools ought to have an advantage over closed-source tools. However, peer review of open-source code is not always complete, and there have been questions whether even algorithms have been subverted. 1. The random number generator - As pfSense uses FreeBSD this may well be a FreeBSD specific question, however, are there any ways within pfsense that we can improve the entropy pool that the random number gets its randomness from? Has anyone had any experience of implementing an external entropy source (e.g. http://www.entropykey.co.uk/) in pfsense? 2. Cipher Selection - we're not all cryptoanalysts, so statements like 'trust the math' don't always mean much to us, given the reports in the media, what is considered a safe cypher? I recently switched from AES-256 to Blowfish-256, hashing from SHA-1 to SHA-512 and pfs group 2 to pfs group 5, and I reduced my SA lifetimes from 28800 to 1800. Could that be considered overkill? What Cipher's are others using? Have any of you, who have been made recently aware of the media coverage recently, also changed your cipher selection? What kind of changes did you make? 3. pfSense - In general do you consider pfsense secure?? As we are apparently told, asking whether the NSA has inserted or influenced the code in any way either in the pfsense code, or the upstream base (FreeBSD) is a question that we can't ask, as if it were the case then the NSA would have instructed someone in the know, to answer in the no. On 10/10/2013 12:33, Rüdiger G. Biernat wrote: > This discussion about security/NSA/encryption IS important. Please go on. > > > Von Samsung Mobile gesendet > > > -------- Ursprüngliche Nachricht -------- > Von: Giles Coochey > Datum:10.10.2013 11:39 (GMT+01:00) > An: list at lists.pfsense.org > Betreff: Re: [pfSense] NSA: Is pfSense infiltrated by "big brother" > NSA or others? > > On 10/10/2013 09:38, Thinker Rix wrote: > > On 2013-10-10 01:13, Przemys?aw Pawe?czyk wrote: > >> On Thu, 10 Oct 2013 00:05:22 +0300 > >> Thinker Rix wrote: > >> > >>> Well, actually I started this thread with a pretty frank, > >>> straight-forward and very simple question. > >> That's right and they were justified. > > > > Thank you! > > > >> BTW, you pushed to the corner the (un)famous American hubris (Obama: US > >> is exceptional.), that's the nasty answers from some. > > > > Yes, I guess I have hit a whole bunch of different nerves with my > > question, and I find it to be highly interesting to observe some of > > the awkward reactions, socioscientificly and psychologically. > > > > I have been insulted, I have been bullied, I have been called to > > self-censor myself and at the end some users "virtually joined" to > > give the illusion of a majority an muzzle me, stating, that my > > question has no place at this pfSense mailing list. Really amazing, > > partly hilarious reactions, I think. > > These reactions say so much about how far the whole surveillance and > > mind-suppression has proceeded already and how much it has influenced > > the thoughts and behavior of formerly free people by now. Frightening. > > > >> Thinker Rix, you are not alone at your unease pressing you to ask > >> those questions about pfSense and NSA. > > > > Thank you for showing your support openly! > > I too was surprised to see some activity on the pfsense list, after > seeing only a few posts per week I checked today to find several dozen > messages talking about a topic I have been concerned with myself - as a > network security specialist, how much can I trust the firewalls I use, > be they embedded devices, software packages, or 'hardware' from > manufacturers. > There are many on-topic things to discuss here: > 1. Which Ciphers & Transforms should we now consider secure (pfsense > provides quite a few cipher choices over some other off the shelf > hardware. > 2. What hardware / software & configuration changes can we consider to > improve RNG and ensure that should we increase the bit size of our > encryption, reduce lifetimes of our SAs that we can still ensure we have > enough entropy in the RNG on a device that is typically starved of > traditional entropy sources. > > This is so much on-topic, I am surprised that there has been a movement > to call this thread to stop, granted - it may seem that the conversation > may drift into a political one, with regard to privacy law etc... > however, that is a valid sub-topic for a discussion list that addresses > devices that are designed and implemented to safe-guard privacy. > > -- > Regards, > > Giles Coochey, CCNP, CCNA, CCNAS > NetSecSpec Ltd > +44 (0) 8444 780677 > +44 (0) 7983 877438 > http://www.coochey.net > http://www.netsecspec.co.uk > giles at coochey.net > > > > _______________________________________________ > List mailing list > List at lists.pfsense.org > http://lists.pfsense.org/mailman/listinfo/list > > > _______________________________________________ > List mailing list > List at lists.pfsense.org > http://lists.pfsense.org/mailman/listinfo/list -- Regards, Giles Coochey, CCNP, CCNA, CCNAS NetSecSpec Ltd +44 (0) 8444 780677 +44 (0) 7983 877438 http://www.coochey.net http://www.netsecspec.co.uk giles at coochey.net _______________________________________________ List mailing list List at lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From vivek at khera.org Thu Oct 10 12:23:06 2013 From: vivek at khera.org (Vick Khera) Date: Thu, 10 Oct 2013 15:23:06 -0400 Subject: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted? Message-ID: On Thu, Oct 10, 2013 at 1:19 PM, Jim Thompson wrote: > > Is there any mechanism to insert ciphers into Pfsense that are not > currently supported? > > You have the source code. > > I, for one, am uninterested in non standards-compliant (and thus > interoperable) implementations. > I personally choose the ciphers that are "hardware" optimized, since my low-end home router (ALIX) gets me faster vpn performance when I do, and I transfer files to/from office all the time. So if the GUI recommends XYZ because it is hardware accelerated, I choose it. That said, a lot of the panic-driven-secure-your-web-sites-against-the-NSA instructions recommend enabling ciphers that use ephemeral session keys. The OpenSSL included in pfSense 2.1 supports many of these. Type this "/usr/local/bin/openssl ciphers" to see them all. The ones that end with "E" in the first component are the ones with the ephemeral key-. Now, how to convince the GUI to make use of these for IPsec or OpenVPN I do not know. I'm sure you can do it via direct config file tweakage, though. I think IPsec renegotiates keys every 60 minutes anyway, so they'd have to do a lot of key breaking to snoop your data, unless they could predict your keys or sneak a MitM attack on you. To list the "strong" ciphers only, use this: /usr/local/bin/openssl ciphers "TLSv1.2:-MD5:-RC4:-aNULL:-MED:-LOW:-EXP:-NULL" _______________________________________________ List mailing list List at lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From eugen at leitl.org Thu Oct 10 07:39:35 2013 From: eugen at leitl.org (Eugen Leitl) Date: Thu, 10 Oct 2013 16:39:35 +0200 Subject: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted? Message-ID: <20131010143935.GL10405@leitl.org> ----- Forwarded message from Giles Coochey ----- From cathalgarvey at cathalgarvey.me Thu Oct 10 09:01:18 2013 From: cathalgarvey at cathalgarvey.me (Cathal Garvey) Date: Thu, 10 Oct 2013 17:01:18 +0100 Subject: [GnuPG] : Question - collective entity key management In-Reply-To: <5256C9D8.1060709@gmail.com> References: <5256C9D8.1060709@gmail.com> Message-ID: <20131010170118.03d5ae29@Neptune> Have a server with a master key that decrypts incoming mail, re-encrypts with board members' individual subkeys? If it *has* to be the same email account, does it support IMAP? If so, IMAP behaves like a folder; you can take stuff out, and put it back in again. A Python script could be written to scan over new mail, remove "master key" mail and deposit "subkey-re-encrypted" mail. When members access the mail, it will usually have been accessed, re-encrypted and replaced with one they can decrypt. If not, they'll have to wait a few minutes and try again. On Thu, 10 Oct 2013 17:38:00 +0200 Tomas Overdrive Petru wrote: > Hi all, > > may I have a question? > > I need to manage key for encrypt/sign of [not-only] e-mail > communication for group of peoplewhich is partially dynamic. > Basically it is some elected administrative board. > > My ideawas to create some master key than subkeys and in case subkeys > are revoced [member of admin-board was not elected,whole admin-board > is re-elected etc.]. > > Problem is, that all of the members are using same email e.g. > member at board.eg > > As soon as member should not be able to read this email, his key > should be disallowed to decrypt messages on this email. > > Can I ask for some HowTo or just correct my point of view, because it > seems definitely wrong. > > Thx, > ~ Over > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: not available URL: From tpetru at gmail.com Thu Oct 10 08:38:00 2013 From: tpetru at gmail.com (Tomas Overdrive Petru) Date: Thu, 10 Oct 2013 17:38:00 +0200 Subject: [GnuPG] : Question - collective entity key management Message-ID: <5256C9D8.1060709@gmail.com> Hi all, may I have a question? I need to manage key for encrypt/sign of [not-only] e-mail communication for group of peoplewhich is partially dynamic. Basically it is some elected administrative board. My ideawas to create some master key than subkeys and in case subkeys are revoced [member of admin-board was not elected,whole admin-board is re-elected etc.]. Problem is, that all of the members are using same email e.g. member at board.eg As soon as member should not be able to read this email, his key should be disallowed to decrypt messages on this email. Can I ask for some HowTo or just correct my point of view, because it seems definitely wrong. Thx, ~ Over -- “Borders I have never seen one. But I have heard they exist in the minds of some people.” ― Thor Heyerdahl www...................http://overdrive.a-nihil.net twitter...............https://twitter.com/#!/idoru23 blog..................http://d8ofh8.blogspot.com GnuPG public key......http://overdrive.a-nihil.net/overdrive.txt GnuPG key FingerPrint.072C C0AD 88EF F681 5E52 5329 8483 4860 6E19 949D -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 4616 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 553 bytes Desc: OpenPGP digital signature URL: From eugen at leitl.org Thu Oct 10 08:41:58 2013 From: eugen at leitl.org (Eugen Leitl) Date: Thu, 10 Oct 2013 17:41:58 +0200 Subject: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted? Message-ID: <20131010154158.GQ10405@leitl.org> ----- Forwarded message from Ian Bowers ----- From patrice at xs4all.nl Thu Oct 10 11:41:55 2013 From: patrice at xs4all.nl (Patrice Riemens) Date: Thu, 10 Oct 2013 20:41:55 +0200 Subject: Pascal Zachary: Rules for the Digital Panopticon (IEEE) Message-ID: <0adf8f7abff38f778a06f8b776729759.squirrel@webmail.xs4all.nl> original to: http://spectrum.ieee.org/computing/software/rules-for-the-digital-panopticon Rules for the Digital Panopticon The technologies of persistent surveillance can protect us only if certain boundaries are respected By G. Pascal Zachary (Posted 20 Sep 2013) For centuries, we humans have lacked the all-knowing, all-seeing mechanisms to credibly predict and prevent bad actions by others. Now these very powers of preemption are perhaps within our grasp, thanks to a confluence of technologies. In the foreseeable future, governments, and perhaps some for-profit corporations and civil-society groups, will design, construct, and deploy surveillance systems that aim to predict and prevent bad actions—and to identify, track, and neutralize people who commit them. And when contemplating these systems, let’s broadly agree that we should prevent the slaughter of children at school and the abduction, rape, and ­imprisonment of women. And let’s also agree that we should thwart lethal attacks against lawful government. Of late, the U. S. government gets most of the attention in this arena, and for good reason. The National Security Agency, through its vast capacity to track virtually every phone call, e-mail, and text message, promises new forms of preemption through a system security experts call persistent surveillance. The Boston Marathon bombing, in April, reinforced the impression that guaranteed prevention against unwanted harm is elusive, if not impossible. Yet the mere chance of stopping the next mass shooting or terror attack persuades many people of the benefits of creating a high-tech version of the ­omniscient surveillance construct that, in 1787, the British philosopher Jeremy Bentham conceived as a panopticon: a prison with a central viewing station for watching all the inmates at once. Some activists complain about the potential of such a system to violate basic freedoms, including the right to privacy. But others will be seduced by the lure of techno fixes. For example, how could anyone object to a digital net that protects a school from abusive predators? Ad hoc surveillance will inevitably proliferate. Dropcam and other cheap surveillance programs, already popular among the tech-savvy, will spread widely. DIY and vigilante panopticons will complicate matters. Imagine someone like George ­Zimmerman, the Florida neighborhood watchman, equipped not with a gun but with a digital surveillance net, allowing him to track pretty much anything—on his smartphone. With data multiplying exponentially and technology inexorably advancing, the question is not whether an all-encompassing surveillance systems will be deployed. The question is how, when, and how many. In the absence of settled laws and norms, the role of engineers looms large. They will shoulder much of the burden of designing systems in ways that limit the damage to innocents while maximizing the pressures brought to bear on bad guys. But where do the responsibilities of ­engineers begin and end? It is too early to answer conclusively, but engineers would do well to keep a few fundamental principles in mind: Keep humans in the loop, but insist they follow the “rules of the road.” Compiling and analyzing data can be done by machines. But it would be best to design these surveillance systems so that a human reviews and ponders the data before any irreversible actions are taken. If citizens want to spy on one another, as they inevitably will, impose binding rules on how they do so. Design self-correcting systems that eject tainted or wrong information fast and inexpensively. Create a professional ethos and explicit standards of behavior for engineers, code writers, and designers who contribute significantly to the creation of panopticon-like systems. Delete the old stuff routinely. Systems should mainly contain real-time data. They should not become archives tracing the lives of innocents. Engineers acting responsibly are no guarantee that panopticons will not come to control us. But they can be part of getting this brave new world right. About the Author G. Pascal Zachary is the author of Endless Frontier: Vannevar Bush, Engineer of the American Century (Free Press, 1997). He teaches at Arizona State University. # distributed via : no commercial use without permission # is a moderated mailing list for net criticism, # collaborative text filtering and cultural politics of the nets # more info: http://mx.kein.org/mailman/listinfo/nettime-l # archive: http://www.nettime.org contact: nettime at kein.org ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From moritz at headstrong.de Thu Oct 10 11:51:57 2013 From: moritz at headstrong.de (Moritz) Date: Thu, 10 Oct 2013 20:51:57 +0200 Subject: [GnuPG] : Question - collective entity key management In-Reply-To: <5256C9D8.1060709@gmail.com> References: <5256C9D8.1060709@gmail.com> Message-ID: <5256F74D.2000305@headstrong.de> Hi, Group key management is a PITA. http://schleuder2.nadir.org/ is about the best you can do: A server receives and decrypts the messages, then re-encrypts and forwards them towards the (current) group of recipients. --Mo From mail at makk.es Thu Oct 10 12:19:33 2013 From: mail at makk.es (Max Jonas Werner) Date: Thu, 10 Oct 2013 21:19:33 +0200 Subject: [webp2p] Demo of a WebRTC P2P network Message-ID: <5256FDC5.9090906@makk.es> (this is an x-post from discuss-webrtc) Hi, for all those interested in WebRTC DataChannel development: We've released a prototype implementation of an in-browser P2P network this week. You can find the library and demos at https://github.com/boplish/ This is actually part of a bigger project the details of which you'll find in our papers (http://inet.cpt.haw-hamburg.de/publications/vws-lwpcd-13.html and http://inet.cpt.haw-hamburg.de/publications/vws-cunwp-13.html) so we'll be working constantly on extending the codebase and appreciate any feedback. Cheers! Max ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From lynX at time.to.get.psyced.org Thu Oct 10 12:23:28 2013 From: lynX at time.to.get.psyced.org (carlo von lynX) Date: Thu, 10 Oct 2013 21:23:28 +0200 Subject: [liberationtech] 10 reasons not to start using PGP Message-ID: <20131010192328.GA18814@lo.psyced.org> We had some debate on this topic at the Circumvention Tech Summit and I got some requests to publish my six reasons not to use PGP. Well, I spent a bit more time on it and now they turned into 10 reasons not to. Some may appear similar or identical, but actually they are on top of each other. Corrections and religious flame wars are welcome. YMMV. ---------------------------------- TEN REASONS NOT TO START USING PGP ---------------------------------- Coloured version at http://secushare.org/PGP [01]Pretty Good Privacy is better than no encryption at all, and being [02]end-to-end it is also better than relying on [03]SMTP over [04]TLS (that is, point-to-point between the mail servers while the message is unencrypted in-between), but is it still a good choice for the future? Is it something we should recommend to people who are asking for better privacy today? 1. Downgrade Attack: The risk of using it wrong. Modern cryptographic communication tools simply do not provide means to exchange messages without encryption. With e-mail the risk always remains that somebody will send you sensitive information in cleartext - simply because they can, because it is easier, because they don't have your public key yet and don't bother to find out about it, or just by mistake. Maybe even because they know they can make you angry that way - and excuse themselves pretending incompetence. Some people even manage to reply unencrypted to an encrypted message, although PGP software should keep them from doing so. The way you can simply not use encryption is also the number one problem with [05]OTR, the off-the-record cryptography method for instant messaging. 2. The OpenPGP Format: You might aswell run around the city naked. As Stf pointed out at CTS, thanks to its easily detectable [06]OpenPGP Message Format it is an easy exercise for any manufacturer of [07]Deep Packet Inspection hardware to offer a detection capability for PGP-encrypted messages anywhere in the flow of Internet communications, not only within SMTP. So by using PGP you are making yourself visible. Stf has been suggesting to use a non-detectable wrapping format. That's something, but it doesn't handle all the other problems with PGP. 3. Transaction Data: He knows who you are talking to. Should Mallory not [08]possess the private keys to your mail provider's TLS connection yet, he can simply intercept the communication by means of a [11]man-in-the-middle attack, using a valid fake certificate that he can make for himself on the fly. It's a bull run, you know? Even if you employ PGP, Mallory can trace who you are talking to, when and how long. He can guess at what you are talking about, especially since some of you will put something meaningful in the unencrypted Subject header. Should Mallory have been distracted, he can still recover your mails by visiting your provider's server. Something to do with a PRISM, I heard. On top of that, TLS itself is being recklessly deployed without forward secrecy most of the time. 4. No Forward Secrecy: It makes sense to collect it all. As Eddie has told us, Mallory is keeping a complete collection of all PGP mails being sent over the Internet, just in case the necessary private keys may one day fall into his hands. This makes sense because PGP lacks [12]forward secrecy. The characteristic by which encryption keys are frequently refreshed, thus the private key matching the message is soon destroyed. Technically PGP is capable of refreshing subkeys, but it is so tedious, it is not being practiced - let alone being practiced the way it should be: at least daily. 5. Cryptogeddon: Time to upgrade cryptography itself? Mallory may also be awaiting the day when RSA cryptography will be cracked and all encrypted messages will be retroactively readable. Anyone who recorded as much PGP traffic as possible will one day gain strategic advantages out of that. According to Mr Alex Stamos that day may be closer than PGP advocates think as [13]RSA cryptography may soon be cracked. This might be true, or it may be counter-intelligence to scare people away from RSA into the arms of [14]elleptic curve cryptography (ECC). A motivation to do so would have been to get people to use the curves recommended by the NIST, as they were created using magic numbers chosen without explanation by the NSA. No surprise they are suspected [15]to be corrupted. With both of these developments in mind, the alert cryptography activist scene seems now to converge on [16]Curve25519, a variant of ECC whose parameters where elaborated mathematically (they are the smallest numbers that satisfy all mathematical criteria that were set forth). ECC also happens to be a faster and more compact encryption technique, which you should take as an incentive to increase the size of your encryption keys. It is up to you to worry if it's more likely that RSA or ECC will be cracked in future, or you may want to ask a mathematician. 6. Federation: Get off the inter-server super-highway. NSA officials have been reported saying that NSA does not keep track of all the peer-to-peer traffic as it is just large amounts of mostly irrelevant copyright infringement. It is thus a very good idea to develop a communications tool that embeds its ECC- encrypted information into plenty of P2P cover traffic. Although this information is only given by hearsay, it is a reasonable consideration to make. By travelling the well-established and surveilled paths of e-mail, PGP is unnecessarily superexposed. Would be much better, if the same PGP was being handed from computer to computer directly. Maybe even embedded into a picture, movie or piece of music using [17]steganography. 7. Statistical Analysis: Guessing on the size of messages. Especially for chats and remote computer administration it is known that the size and frequency of small encrypted snippets can be observed long enough to guess the contents. This is a problem with SSH and OTR more than with PGP, but also PGP would be smarter if the messages were padded to certain standard sizes, making them look all uniform. 8. Workflow: Group messaging with PGP is impractical. Have you tried making a mailing list with people sharing private messages? It's a cumbersome configuration procedure and inefficient since each copy is re-encrypted. You can alternatively all share the same key, but that's a different cumbersome configuration procedure. Modern communication tools automate the generation and distribution of group session keys so you don't need to worry. You just open up a working group and invite the people to work with. 9. TL;DR: I don't care. I've got nothing to hide. So you think PGP is enough for you since you aren't saying anything reaaally confidential? Nobody actually cares how much you want to lie yourself stating you have nothing to hide. If that was the case, why don't you do it on the street, as John Lennon used to ask? It's not about you, it's about your civic duty not to be a member of a predictable populace. If somebody is able to know all your preferences, habits and political views, you are causing severe damage to democratic society. That's why it is not enough that you are covering naughty parts of yourself with a bit of PGP, if all the rest of it is still in the nude. Start feeling guilty. Now. 10. The Bootstrap Fallacy: But my friends already have e-mail! But everyone I know already has e-mail, so it is much easier to teach them to use PGP. Why would I want to teach them a new software!? That's a fallacy. Truth is, all people that want to start improving their privacy have to install new software. Be it on top of super-surveilled e-mail or safely independent from it. In any case you will have to make a [18]safe exchange of the public keys, and e-mail won't be very helpful at that. In fact you make it easy for Mallory to connect your identity to your public key for all future times. If you really think your e-mail consumption set-up is so amazing and you absolutely don't want to start all over with a completely different kind of software, look out for upcoming tools that let you use mail clients on top. Not the other way around. But what should I do then!?? So that now we know 10 reasons not to use PGP over e-mail, let's first acknowledge that there is no easy answer. Electronic privacy is a crime zone with blood freshly spilled all over. None of the existing tools are fully good enough. We have to get used to the fact that new tools will come out twice a year. Mallory has an interest in making us believe encryption isn't going to work anyway - but internal data leaked by Mr Snowden shows that encryption actually works. We should just care to use it the best way. That means, not with PGP. There is no one magic bullet you can learn about. You have to get used to learning new software frequently. You have to teach the basics of encryption independently from any software, especially from the one that does it wrong the most. In the [09]comparison we have listed a few currently existing technologies, that provide a safer messaging experience than PGP. The problem with those frequently is, that they haven't been peer reviewed. You may want to invest time or money in having projects peer reviewed for safety. Pond is currently among the most interesting projects for mail privacy, hiding its padded undetectable crypto in the general noise of Tor. Tor is a good place to hide private communication since the bulk of Tor traffic seems to be anonymized transactions with Facebook and the like. Even better source of cover traffic is file sharing, that's why RetroShare and GNUnet both have solid file sharing functionality to let you hide your communications in. Mallory will try to adapt and keep track of our communications as we dive into cover traffic, but it will be a very hard challenge for him, also because all of these technologies are working to switch to Curve25519. Secushare intends to only support Curve25519 to impede [10]downgrade attacks. Until the next best practice comes out. It's an arms race. Time to lay down your old bayonet while Mallory is pointing a nuclear missile at you. Thank you, PGP. Thank you Mr Zimmermann for bringing encryption technology to the simple people, back in 1991. It has been an invaluable tool for twenty years, we will never forget. But it is overdue to move on. References 01. https://en.wikipedia.org/wiki/Pretty%20Good%20Privacy 02. http://secushare.org/end2end 03. https://en.wikipedia.org/wiki/SMTP 04. https://en.wikipedia.org/wiki/TLS 05. https://en.wikipedia.org/wiki/Off-the-Record_Messaging 06. http://tools.ietf.org/html/rfc4880 07. https://en.wikipedia.org/wiki/Deep_packet_inspection 08. http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security 09. http://secushare.org/comparison 10. http://crypto.stackexchange.com/questions/10493/why-is-tls-susceptible-to-protocol-downgrade-attacks 11. http://en.wikipedia.org/wiki/man-in-the-middle%20attack 12. https://en.wikipedia.org/wiki/Forward_secrecy 13. http://www.heise.de/tr/artikel/Die-Krypto-Apokalypse-droht-1942212.html 14. https://en.wikipedia.org/wiki/Elliptic_curve_cryptography 15. http://www.wired.com/threatlevel/2013/09/rsa-advisory-nsa-algorithm/ 16. https://gnunet.org/curve25519 17. https://en.wikipedia.org/wiki/steganography 18. http://secushare.org/rendezvous P.S. Thanks for feedback to tg, duy and especially Mr Grothoff. -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu. ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From diocles at debian.org Thu Oct 10 15:25:18 2013 From: diocles at debian.org (Tim Retout) Date: Thu, 10 Oct 2013 23:25:18 +0100 Subject: [Freedombox-discuss] Tor Message-ID: <1381443918.9831.69.camel@air> On Tue, 2013-10-08 at 11:04 +0200, Petter Reinholdtsen wrote: > So to me, it seem like routing all traffic through Tor bring the > advantage of making it harder to track your location while changing > the set of people that can perform MITM attack on you. It is not like > using Tor for everything is introducing some new threat. It is > already known that NSA and China rutinely perform MITM attach on > non-Tor traffic, and I assume others do as well. So we are left with > probability calculations instead to evaluate the threat. I agree to some extent, but my assessment of the probabilities is still that using Tor unencrypted is going to cause you new and interesting security problems. Privacy and anonymity are different things, and actually I am more worried about privacy first. There's no point using Tor to access a cloud-based email service. I want to focus on getting everyone's data decentralized, and their communications encrypted. > While talking about these topics with a friend, I just got a tip > about PORTALofPi, which is a ARch based Raspberry Pi setup to force > all traffic over Tor. See > for that recipe. Grugq's writing is very interesting: http://grugq.github.io/ He recommends using a VPN over Tor to avoid monitoring by malicious exit nodes (which of course won't avoid monitoring by the VPN provider): http://grugq.github.io/blog/2013/06/14/you-cant-get-there-from-here/ http://www.slideshare.net/grugq/opsec-for-hackers (NSFW, slide 137 onwards) -- Tim Retout _______________________________________________ Freedombox-discuss mailing list Freedombox-discuss at lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From lynX at time.to.get.psyced.org Thu Oct 10 15:08:47 2013 From: lynX at time.to.get.psyced.org (carlo von lynX) Date: Fri, 11 Oct 2013 00:08:47 +0200 Subject: [liberationtech] 10 reasons not to start using PGP Message-ID: <20131010220847.GH22105@lo.psyced.org> Hello again. I will answer to most comments all in a single mail to avoid clogging libtech. While I wrote this another ten mails have slipped in, so expect another large reply to those. :-) On 10/10/2013 10:00 PM, Richard Brooks wrote: > 10 reasons to give up, stop trying, hide in a corner, and die. Sorry if I start talking about the alternatives only at the very end of the document. This is about becoming aware of how serious the problem is and to start directing some energy into fueling the alternatives which are popping up like mushrooms just recently. For the obvious reasons. And I specifically mention peer reviewing them. So the message is: go get yourself new tools and teach your peers to use the new tool of the day. On 10/10/2013 10:11 PM, Pranesh Prakash wrote: > Interesting. But someone should also write a piece called "1 reason not > to criticise security tech without clearly stating threat model which > serves as basis for that criticism". What if Mallory isn't a > well-funded governmental organization but is the admin who runs your > employer's email servers? That's a good point. The reason why I don't pay attention to lesser threat models is that the loss in quality of democracy we are currently experiencing is large enough that I don't see much use for a distinction of threat models - especially since alternatives that work better than PGP exist, so they are obviously also better for lesser threat models. For example, I don't think that a dissident in Irya (ficticious country) is better off if no-one but Google Mail knows that he is a dissident. Should at any later time in his life someone with access to that data find it useful to use it against the dissident, he can still do it. And who knows what the world looks like in twenty years from now? Not saying give up and die. Saying if you can opt for better security, don't postpone learning about it. If you can invest money in making it a safe option, don't waste time with yet another PGP GUI project. > This should actually be two lists: reasons not to use e-mail, and > reasons not to use OpenPGP over e-mail. Fine with me. I don't think it makes much difference for the end user whether SMTP federation or actual PGP is failing her. > Only reasons 2, 3, 4, 5, 7, 8 are really about OpenPGP (you should've > stuck to "6 reasons not to use PGP"), and at least three of them are > really good reasons to look for alternatives. There are no good > alternatives over e-mail: S/MIME unfortunately suffers from many of the > same issues as OpenPGP, and then some more. I don't find S/MIME worth mentioning anymore. It has so failed us. But maybe I should for completeness? > And reason #1 is something that the client should take care of (ideally > with default settings), and not the encryption protocol. Why are you > attacking OpenPGP and OTR for this? Because it's not true that the client can handle it. The fact that an email address exists implies that some folks will send unencrypted stuff to it. I experienced this. Just yesterday a friend changed his life plans because of an unencrypted message. Yes, you could enforce PGP once it's configured - but you can't opt out from e-mail. That is evil. Look at any of the alternatives instead. None of them allow you to transmit an unencrypted message. In fact all the modern systems use the public key for addressing, so you can't do it wrong. > And thank you so much for the comparative chart. It is *very* useful. My pleasure. I felt the need to do this since I get asked for recommendations frequently - and I don't like to say.. wait until secushare is ready. I don't want to wait for it myself. > Why doesn't telephony have SIP? It should. What would the icons be that you would put there? I'm not familiar with end-to-end encryption over SIP for instance. On 10/10/2013 10:33 PM, Marcin de Kaminski wrote: > Agreed. The threat model discussion clearly is too often lost in all > the current post-Snowden debates. We need to remember that a lot if > solutions might not be enough to protect anyone against NSAish > authorities but more than enough against other, most real, threats > to peoples personal safety. Regular employers, schools, parents, skiddies, whatever. I think if employers, schools, parents, skiddies can find out who you are exchanging encrypted messages with, that can be a very real threat to you. Using a tool that looks like it does something totally different.. on your screen, over the network and even on your hard disk.. can save your physical integrity. On 10/10/2013 09:55 PM, adrelanos wrote: > Thank you for doing this work! > The world needs someone facing the truth, explaining why gpg isn't the > solution, advocating positive change. It's a communicative task, a very > difficult one. As long there is gpg, most geeks don't see need to create > better alternatives. Glad someone is understanding the positivity in awareness and will to move forward. Ignoring threats just because they are depressing is a bit like sticking your head in the ground. > I'd say, gpg's development slowed down. They're qualified but standing > in their own way. They should break compatibility with commercial PGP > (not because thats good, just because it's easier to implement better > solutions), also break compatibility with RFCs, implement better > solutions and standardize later. The current "first standardize, then > maybe implement, and don't implement if it's not standardized" approach > is much too slow, can't keep up with real developments in real word. The whole architecture is wrong. There is hardly anything worth keeping in the old PGP approach except for the cryptographic basics. All the modern alternatives use a completely different approach. > (Still don't even have mail subject encryption.) If Bitmessage succeeds > (I haven't learned much about it yet), and actually provides better > protection than gpg, I am happy with that also if there isn't a RFC. If > Bitmessage gets really popular, I am sure they'll somehow work things > out and happen to standardize it later. Thanks for reminding me to look at Bitmessage. I was postponing that unnecessarily. I read the whitepaper and have added it to the comparison table according to the claims in it. The architecture sounds a bit like the one of IRC, but without multicast routing - so I expect it to run into serious scalability issues. It will probably have to split into several incompatible networks as it grows. It will also probably keep your computer a lot more busy than you expect from a communication tool. But for the time being it is a crypto-strategically much safer approach than PGP. Concerning standardization: It is a VERY BAD development that it has become en vogue to require standardization from projects that haven't even started functioning. It has been detrimental to the social tool scene: None of them work well enough to actually scale and replace Facebook, but the scalability problems are already being cemented into "open standards," ensuring that they never will. You must ALWAYS have a working pioneer tool FIRST, then dissect the way it works and derive a standard out of it. Bittorrent is a good example for that. It's one of the few things that actually works. Imagine if Napster and Soulseek had developed an open standard. It would only have delayed the introduction of Bittorrent, promoting an inferior technology by standardization. Open standards are part of the problem, not the solution. > Sometimes I even think, if there wasn't gpg, new approaches had better > chances reaching critical mass. Good point. libtech is the place where people put time and money into these things. Figuring out the ultimate UX fix for PGP won't solve the underlying problems. The number of PGP critics is growing. On Thu, Oct 10, 2013 at 12:40:55PM -0700, Jillian C. York wrote: > In my opinion, this makes about as much sense as telling people who are > already having sex not to use condoms. I am saying to use condoms that don't slip off during intercourse and explaining why the old condom technology has a tendency to break. > Consider mine a critique of why this post makes almost no sense to and > won't convince any member of the public. I'm sure some of the geeks here > will have a field day with it, but some of it is barely in my realm of > understanding (and while I'm admittedly not a 'geek', I've been working in > this field for a long time, which puts me at the top rung of your 'average > user' base). Well, maybe we can find wordings that make it more understandable. Of course the links are meant for being clicked upon when necessary. > TL;DR: This may well be a solid argument for convincing developers to > implement better UIs, etc, but it doesn't work for its intended purpose, > which seems to be convincing n00bs not to use PGP. No, it is exactly about not trying to fix on the UI level what is fundamentally beyond repair. > > 2. The OpenPGP Format: You might aswell run around the city naked. > > > > As Stf pointed out at CTS, thanks to its easily detectable [06]OpenPGP > > Message Format it is an easy exercise for any manufacturer of [07]Deep > > Packet Inspection hardware to offer a detection capability for > > PGP-encrypted messages anywhere in the flow of Internet communications, > > not only within SMTP. So by using PGP you are making yourself visible. > > > > Stf has been suggesting to use a non-detectable wrapping format. That's > > something, but it doesn't handle all the other problems with PGP. > > Okay, this part requires more explanation for the layman, methinks. It's > not intuitive for a non-tech to understand. Didn't feel like including an explanation of Deep Packet Inspection and elaborate on the recognizable characteristics of the OpenPGP format as it would explode the paragraph a bit, but maybe that's wrong. Depends on who my target audience is. Somebody like you could be. Does it work by following the links or does it get too abstract from there .. in the sense that you can read the Wikipedia pages but fail to connect the dots? > > 3. Transaction Data: He knows who you are talking to. > > > > Should Mallory not [08]possess the private keys to your mail provider's > > TLS connection yet, he can simply intercept the communication by means > > of a [11]man-in-the-middle attack, using a valid fake certificate that > > he can make for himself on the fly. It's a bull run, you know? > > You're not going to convince anyone with jargony talk. If this is still jargony to you, hmmm... you are unlikely to understand the risks you are exposed to by using the Internet from day to day. These are concepts that anyone in the circumvention business must be aware of. You can choose to not read the Guardian article and not try to understand what's going on, but then you should better just trust that the conclusion is not made up: > > Even if you employ PGP, Mallory can trace who you are talking to, when > > and how long. He can guess at what you are talking about, especially > > since some of you will put something meaningful in the unencrypted > > Subject header. > > Again, this is a call for better education around email practices, not for > people to stop using PGP. There is nothing you can do with email that saves you from this happening. Thus, it's not a problem of practices. It's a question of throwing away the broken condom and learn about new contraceptive technology. > > Should Mallory have been distracted, he can still recover your mails by > > visiting your provider's server. Something to do with a PRISM, I heard. > > On top of that, TLS itself is being recklessly deployed without forward > > secrecy most of the time. > > > > 4. No Forward Secrecy: It makes sense to collect it all. > > > > As Eddie has told us, Mallory is keeping a complete collection of all > > PGP mails being sent over the Internet, just in case the necessary > > private keys may one day fall into his hands. This makes sense because > > PGP lacks [12]forward secrecy. The characteristic by which encryption > > keys are frequently refreshed, thus the private key matching the > > message is soon destroyed. Technically PGP is capable of refreshing > > subkeys, but it is so tedious, it is not being practiced - let alone > > being practiced the way it should be: at least daily. > > Again: Fair criticism, but unclear why this should convince one NOT to use > PGP. Rather, it should convince us to improve mechanisms and add forward > secrecy. You mean I should explain why it is impossible to add forward secrecy to PGP over e-mail by design? I thought that was going to be clear. > > 6. Federation: Get off the inter-server super-highway. > > > > NSA officials have been reported saying that NSA does not keep track of > > all the peer-to-peer traffic as it is just large amounts of mostly > > irrelevant copyright infringement. It is thus a very good idea to > > develop a communications tool that embeds its ECC- encrypted > > information into plenty of P2P cover traffic. > > > > Although this information is only given by hearsay, it is a reasonable > > consideration to make. By travelling the well-established and > > surveilled paths of e-mail, PGP is unnecessarily superexposed. Would be > > much better, if the same PGP was being handed from computer to computer > > directly. Maybe even embedded into a picture, movie or piece of music > > using [17]steganography. > > Steganography, really? Sigh. One of the options that are safer than PGP is steganography, yes. > > 7. Statistical Analysis: Guessing on the size of messages. > > > > Especially for chats and remote computer administration it is known > > that the size and frequency of small encrypted snippets can be observed > > long enough to guess the contents. This is a problem with SSH and OTR > > more than with PGP, but also PGP would be smarter if the messages were > > padded to certain standard sizes, making them look all uniform. > > It would be great, yes. Still doesn't convince me that using PGP isn't > worthwhile. This one alone not necessarily, it's the least bad one of all. > > 8. Workflow: Group messaging with PGP is impractical. > > > > Have you tried making a mailing list with people sharing private > > messages? It's a cumbersome configuration procedure and inefficient > > since each copy is re-encrypted. You can alternatively all share the > > same key, but that's a different cumbersome configuration procedure. > > > > Modern communication tools automate the generation and distribution of > > group session keys so you don't need to worry. You just open up a > > working group and invite the people to work with. > > Okay, yes, you've got me here. PGP sucks for group discussion, although I > fail to see why group discussion is an imperative. But what, do you > suggest, is an immediate alternative? Nothing? Right, okay...still using > PGP. The article is not meant to be an advertisement for the alternatives. With my working group we are currently exchanging materials by means of RetroShare. It takes a bit getting used to as you would not expect that a file sharing app should be used for by-the-way features like its built-in homebrewn mail system and forum messaging - and to expect it to be safer than regular e-mail. But RetroShare does indeed solve some of the things listed in this long list (see the comparison for details). The downside is, nobody is willing to put her hands in the fire to guarantee it is a safe choice of software and the source code, as frequently with file sharing tools, is too complex to be an easy read. So it is an amazing feature beast pending peer review. Briar is expected to be a better solution, but it is in alpha stage. Both should probably be used over Tor for obfuscation, as they don't provide for that themselves. And then there is Pond, which is technologically a work of art, but it doesn't facilitate group communication (yet). > > 9. TL;DR: I don't care. I've got nothing to hide. > > > > So you think PGP is enough for you since you aren't saying anything > > reaaally confidential? Nobody actually cares how much you want to lie > > yourself stating you have nothing to hide. If that was the case, why > > don't you do it on the street, as John Lennon used to ask? > > > > It's not about you, it's about your civic duty not to be a member of a > > predictable populace. If somebody is able to know all your preferences, > > habits and political views, you are causing severe damage to democratic > > society. That's why it is not enough that you are covering naughty > > parts of yourself with a bit of PGP, if all the rest of it is still in > > the nude. Start feeling guilty. Now. > > Again: This is merely a reason to convince people to use encryption MORE > OFTEN (which EFF does and which I fully support). I agree that you should use encryption MORE.. but use it BETTER! > > 10. The Bootstrap Fallacy: But my friends already have e-mail! > > > > But everyone I know already has e-mail, so it is much easier to teach > > them to use PGP. Why would I want to teach them a new software!? > > > > That's a fallacy. Truth is, all people that want to start improving > > their privacy have to install new software. Be it on top of > > super-surveilled e-mail or safely independent from it. In any case you > > will have to make a [18]safe exchange of the public keys, and e-mail > > won't be very helpful at that. In fact you make it easy for Mallory to > > connect your identity to your public key for all future times. > > > > If you really think your e-mail consumption set-up is so amazing and > > you absolutely don't want to start all over with a completely different > > kind of software, look out for upcoming tools that let you use mail > > clients on top. Not the other way around. > > I don't even get what you're saying here. What, do you suggest, is the new > software to teach people if not PGP? I am saying that teaching people PGP is MORE work than getting them to installed any of - Pond - Briar - RetroShare - Bitmessage And that I hope that we will have more projects to list and that we will not feel guilty for doing so. RetroShare has a terribly confusing UI (but the developers are just waiting for some UX designer to tell them what to do) and I bet the others need a hand on that front, too. > > But what should I do then!?? > > > > So that now we know 10 reasons not to use PGP over e-mail, let's first > > acknowledge that there is no easy answer. Electronic privacy is a crime > > zone with blood freshly spilled all over. None of the existing tools > > are fully good enough. We have to get used to the fact that new tools > > will come out twice a year. > > Cop-out. "Don't use PGP but I can't suggest anything for you." Silly. Where does it say that? Here comes the part that you were missing: > > In the [09]comparison we have listed a few currently existing > > technologies, that provide a safer messaging experience than PGP. The > > problem with those frequently is, that they haven't been peer reviewed. > > You may want to invest time or money in having projects peer reviewed > > for safety. > > > > Pond is currently among the most interesting projects for mail privacy, > > hiding its padded undetectable crypto in the general noise of Tor. Tor > > is a good place to hide private communication since the bulk of Tor > > traffic seems to be anonymized transactions with Facebook and the like. > > Even better source of cover traffic is file sharing, that's why > > RetroShare and GNUnet both have solid file sharing functionality to let > > you hide your communications in. You gave up reading just a few paragraphs too early.... -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu. ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From lynX at time.to.get.psyced.org Thu Oct 10 17:14:29 2013 From: lynX at time.to.get.psyced.org (carlo von lynX) Date: Fri, 11 Oct 2013 02:14:29 +0200 Subject: [liberationtech] 10 reasons not to start using PGP Message-ID: <20131011001429.GI22105@lo.psyced.org> Next collection of answers to replies. Expect yours to be somewhere in here. Thanks for all the feedback! I actually expected harsher religious replies! :) On 10/10/2013 10:55 PM, Enrique Piracés wrote: > I think this is a good topic for debate among those who can or are > currently developing security tools/protocols, and it is one way to > further discuss usability as a security feature in communities like > this one. That said, I think it is really bad advice and I encourage > you to refrain from providing this as a suggestion for users who may > put themselves or others at risk as a result of it. The opening sentence says "Pretty Good Privacy is better than no encryption at all ..." > Also, I think the title is misleading, as most of the article is about > why PGP is not an ideal solution for the future (a point where I think > you would find significant agreement). Again, suggesting not to use > PGP without providing a functional alternative is irresponsible. I am suggesting four alternatives and indicating to work harder to make them viable tools for everyone as we should no longer postpone replacing PGP and e-mail. Of course I would also appreciate attention regarding the fifth, secushare. On 10/10/2013 10:57 PM, Jonathan Wilkes wrote: > Bitmessage doesn't have forward secrecy, and AFAICT there's no > way to easily add it later on. If I understood the principle correctly it allows you to generate new "accounts" freely, so you can put your *next* account name into a message. If both sides do this, they can obfuscate their identities a bit. And you can automate it. You could also re-key at each message with PGP, but I presume it would make your implementation incompatible with everybody else's. On 10/10/2013 11:08 PM, Gregory Maxwell wrote: > I'm surprised to see this list has missed the thing that bugs me most > about PGP: It conflates non-repudiation and authentication. > > I send Bob an encrypted message that we should meet to discuss the > suppression of free speech in our country. Bob obviously wants to be > sure that the message is coming from me, but maybe Bob is a spy ... > and with PGP the only way the message can easily be authenticated as > being from me is if I cryptographically sign the message, creating > persistent evidence of my words not just to Bob but to Everyone! I kind-of lumped it mentally together with forward secrecy, because for both problems the answer is Diffie-Hellman. But you are right, it is the eleventh reason. > My other big technical complaint about PGP is (3) in the post, that > every encrypted message discloses what key you're communicating with. > PGP easily _undoes_ the privacy that an anonymity network like tor can > provide. It's possible to use --hidden-recipient but almost no one > does. Guess what, none of the alternative messaging tools would dream of putting the recipient address close to the message. They just make sure that it somehow gets there. > Its also easy to produce a litany of non-technical complaints: PGP is > almost universally misused (even by people whos lives may depend on > its correct use), the WOT leaks tons of data, etc. Oh yes, I completely forgot to link that long article that recently came out criticizing the PGP web of trust. > In my view the use of PGP is more appropriately seen as a statement > about the kind of world we want to have— one where encryption is > lawful, widely used, and uncontroversial— and less of a practical way > to achieve security against many threats that exist today. It is not enough for the purpose of protecting democracy, therefore it's one of those statements that backfire: The adversary doesn't care about you making that statement and can use it against you. On 10/11/2013 12:17 AM, Jillian C. York wrote: > Just replying to this bit of your reply to me; the rest made sense Grrreat. > On Thu, Oct 10, 2013 at 3:08 PM, carlo von lynX > > wrote: > > > If this is still jargony to you, hmmm... you are unlikely to understand > > the risks you are exposed to by using the Internet from day to day. > > These are concepts that anyone in the circumvention business must > > be aware of. You can choose to not read the Guardian article and not > > try to understand what's going on, but then you should better just > > trust that the conclusion is not made up: > > No, see that's the thing: /I /get it, but I don't think I'm totally your > target audience (I've been using PGP for years, you're talking to people > who haven't started yet, right?) No, not really. It is for the multipliers and activists. The ones that carry the torch to the people. The Luciphers. You have been carrying PGP to the people and I am suggesting you should consider giving them other tools, and educating them to question those tools and look out for even newer tools. And help make these tools safe, reviewed and usable. Then again I wouldn't mind if normal people /get/ it, too, but I wouldn't want them to opt out the easy way by stopping to use cryptography. > You want criticism? There it is. Your writing does not work for the > general public. You write in a way that feels condescending and assumes > that the reader already has a full grasp of why those things are issues. I tried to hide the depth in the links so that it's still readable for someone who already knows all that stuff. > On the one hand, you're telling people that PGP is too hard/broken, > while with the other you're expecting them to already understand it/the > threat model. > > Also, I have no idea what is meant by the "bull run" comment in that > sentence. If you want your piece to have any reach beyond the English > language, consider tightening up your writing. It is mentioned in the article. It's the NSA program that enables them to hijack any TLS connection on the fly. It was mentioned in television news some weeks ago, too. The way I put it in that text is a hint saying "if you don't understand this, you should seriousy consider reading the linked articles..." ;-) On Thu, Oct 10, 2013 at 02:17:01PM -0700, elijah wrote: > On 10/10/2013 12:23 PM, carlo von lynX wrote: > > > 1. Downgrade Attack: The risk of using it wrong. > > Fixed in the new generation of clients (mailpile, LEAP, etc). Except for the fact that you are still using a mail address, thus it can ALWAYS be used without encryption -> FAIL. > > 2. The OpenPGP Format: You might aswell run around the city naked. > > Fixed by using StartTLS with DANE (supported in the new version of > postfix). Admittedly, this makes sysadmin's job more challenging, but > LEAP is working to automate the hard stuff (https://leap.se/platform). Are you alluding to https://datatracker.ietf.org/doc/draft-ietf-dane-smtp-with-dane/ ? > > 3. Transaction Data: He knows who you are talking to. > > Fixed in the short term by using StartTLS with DANE. Fixed in the long > term by adopting one of these approaches: https://leap.se/en/routing Hm, all of the approaches presume that there is something like a server that a dissident can trust. > > 4. No Forward Secrecy: It makes sense to collect it all. > > Imperfectly fixed in the short term using StartTLS with only PFS ciphers > enabled. This could be fixed in the long term by using Trevor Perrin's > scheme for triple EC Diffie-Hellman exchange. This has been implemented > by moxie for SMS, and could be for SMTP > (https://whispersystems.org/blog/simplifying-otr-deniability/). You are slowly turning the email network in some sort of a Tor. Hehe. > > 5. Cryptogeddon: Time to upgrade cryptography itself? > > New version of GPG supports ECC, but of course nothing in the snowden > leaks suggest we need to abandon RSA of sufficient key length (just the > ECC curves that have *always* been suspicious). Ok, how does it figure out the recipient can handle ECC? > > 6. Federation: Get off the inter-server super-highway. > > Federated transport with spool-then-forward time delay is likely a much > more feasible way to thwart traffic analysis than attempting to lay down > a high degree of cover traffic for direct peer to peer transport. This Feasible? Such tools already exist. File sharing happens. Tor, too. Whereas obfuscation over mail servers needs to be deployed first. > is, of course, an area of active academic research and it would be > irresponsible to say that we definitively know how to prevent traffic > analysis, either with p2p or federation. I think tools should do both spool-then-forward and play with cover traffic. If GNUnet as an academic project is working so much on the cover traffic bit, some academic results maybe exist. The terms P2P and federation are starting to get confusing. So-called P2P tools are sometimes actually employing dumb relay servers, which kind of defeats the original definition of P2P. And you are talking of federation servers that, although they are using plaintext email addresses, are actually not knowing where they are sending things to. That kind of goes beyond the traditional notion of federation. So in a way both are converging to a similar strategy. The difference that remains is that P2P uses DHT-resolution strategies like GNS to address any node, be it at home or in a server rack, while federation sticks to domain names and therefore cannot easily include user endpoints. Also, as you pointed out, it needs a whole lot of administration work. A DHT just works out of the box by using it. And then there are also social approaches to discovery... Still I have a feeling the DHT approach, especially with built-in lookup privacy like GNS/GADS has it, is superior. On the other hand, maintaining the domain name hell is backwards compatible to current e-mail. The question is if that is actually doing anyone any good. Maybe if you can convince spammers to use LEAP they will provide not only for nuisance but also for cover traffic. :) > > 7. Statistical Analysis: Guessing on the size of messages. > > Easily fixed. > > > 8. Workflow: Group messaging with PGP is impractical. > > No one anywhere has solved the problem of asynchronous, forward-secret I think you have to be a bit opportunistic about it. Briar does it somehow, if I understood correctly. > group cryptography. There are, however, working models of group > cryptography using OpenPGP, such as SELS > (http://sels.ncsa.illinois.edu/). This approach makes key management > more difficult, but we need to automate key management anyway for > OpenPGP to be usable enough for wider adoption. Yes. Key management is an API, not a user interface. Automatic import of embedded secret keys sounds like a major cultural revolution for good ole PGP. No surprise none of the list clients supports that yet. Interesting developments. Not enough to consider this path worth pursueing but in the category of better-than-nothing. > > 9. TL;DR: I don't care. I've got nothing to hide. > > This critique rests on the assumption that the problems with email are > unfixable. Yes. That even if all the effort is done you will still be receiving unencrypted mail because you have a mail address. You will still have a multitude of hosts that are still "unfixed." That you will still carry a dependency on DNS and X.509 around your neck just to be able to be backwards compatible to an e-mail system of which you hope you won't have to send or receive any messages since they will damage your privacy. So what is this terrific effort to stay backward compatible good for? I don't see it being a worthwhile goal. There is so much broken about it while a fresh start, where every participant is safe by definition, is so much more useful. Especially you don't have that usability challenge of having to explain to your users that some addresses are superduper safe while other addresses are lacking solid degree of privacy. And I still haven't understood where I get my trustworthy server from. I know I can rent one, but even if I have a root shell on it, it doesn't mean it is safe. So yes, I can't find a way to believe that those fixes actually can fix the entire architecture. > > 10. The Bootstrap Fallacy: But my friends already have e-mail! > > Email remains one of the two killer apps of the internet, and is > unlikely to vanish any time soon. Simple steps we can take to make it > much better seem like a wise investment in energy. I've read that claim before and I am sure Facebook has already proven us wrong. Wasn't it in the news a year ago that e-mail was losing users to Facebook messaging? And I don't see a use in maintaining e-mail if I have to rebuild my trust network, anyway. > There are two approaches to addressing the problems with email: > > (1) assert that email is hopeless and must be killed off. > (2) identify areas where we can fix email to bring it into the 21st century. > > I think that approach #1 is irresponsible: regardless of one's personal > feelings about email, it is certainly not a lost cause, and asserting > that it is will make it more difficult to build support for fixing it. I think I have laid out why it is indeed a lost cause. > Approach #2 is certainly an uphill battle, but there are a growing > number of organizations working on it. LEAP's (free software) efforts > are outlined here: https://leap.se/email. We have it working, we just > need to get it mature enough for production use. You didn't actually address the "bootstrap fallacy" that I pointed out. -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu. ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From jamesd at echeque.com Thu Oct 10 14:41:56 2013 From: jamesd at echeque.com (James A. Donald) Date: Fri, 11 Oct 2013 07:41:56 +1000 Subject: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted? In-Reply-To: <20131010143935.GL10405@leitl.org> References: <20131010143935.GL10405@leitl.org> Message-ID: <52571F24.4030105@echeque.com> On 2013-10-11 00:39, Eugen Leitl wrote: > ----- Forwarded message from Giles Coochey ----- > 2. Cipher Selection - we're not all cryptoanalysts, so statements like > 'trust the math' don't always mean much to us, given the reports in > the media, what is considered a safe cypher? I recently switched from > AES-256 to Blowfish-256, hashing from SHA-1 to SHA-512 and pfs group 2 > to pfs group 5, and I reduced my SA lifetimes from 28800 to 1800. > Could that be considered overkill? What Cipher's are others using? > Have any of you, who have been made recently aware of the media > coverage recently, also changed your cipher selection? What kind of > changes did you make? Overkill is a rational and appropriate response to recent revelations. NIST is actually out to get you, so you might as well put on a tinfoil hat to be on the safe side. Yes, there really is a gigantic government conspiracy, no kidding. While I am pretty sure AES and SHA 256 is perfectly safe, in view of recent events, I would follow the lead of the highly competent cryptographer Jon Callas, http://www.mail-archive.com/infowarrior at attrition.org/msg10926.html and use non NIST algorithms: Use Twofish in place of AES if convenient to do so, and Skein hash in place of SHA hash. From jamesd at echeque.com Thu Oct 10 14:53:02 2013 From: jamesd at echeque.com (James A. Donald) Date: Fri, 11 Oct 2013 07:53:02 +1000 Subject: [pfSense] Crypto/RNG Suggestions In-Reply-To: <20131010122132.GE10405@leitl.org> References: <20131010122132.GE10405@leitl.org> Message-ID: <525721BE.3050704@echeque.com> On 2013-10-10 22:21, Eugen Leitl wrote: > ----- Forwarded message from Jim Pingle ----- > > I haven't yet seen anything conclusive. People have called into question > some or all of ECC, NSA's suggested Suite B, and so on. I put some links > in a previous message[1]. If anyone knows of some solid research showing > specific ciphers have been compromised, I'd love to see it so we can > inform users. There is a smoking gun on one of random number generators. There is strong circumstantial evidence, reason for suspicion, on suggested Suite B. AES and SHA look to be fine, but using them gives the appearance to end users that you might be playing footsie with NIST. Jon Callas has therefore made Twofish and Skein the default for silent circle. From dan at geer.org Fri Oct 11 05:12:01 2013 From: dan at geer.org (dan at geer.org) Date: Fri, 11 Oct 2013 08:12:01 -0400 Subject: HTML'ed mail In-Reply-To: Your message of "Mon, 07 Oct 2013 17:56:06 EDT." Message-ID: <20131011121201.CE3E0228348@palinka.tinho.net> | This isn't the mailing lists job; it is your clients job. | If you don't want to see HTML email then use a client that can't / won't | interpret it. I do. And it spits out statistics on to whom/what the mail that won't be shown was addressed. I started this as cpunks kept showing up. The irony of that was compelling. Onward, --dan From adi at hexapodia.org Fri Oct 11 09:35:42 2013 From: adi at hexapodia.org (Andy Isaacson) Date: Fri, 11 Oct 2013 09:35:42 -0700 Subject: who are the service operators here? In-Reply-To: <20131011114213.GY10405@leitl.org> References: <20131011114213.GY10405@leitl.org> Message-ID: <20131011163542.GL27838@hexapodia.org> On Fri, Oct 11, 2013 at 01:42:13PM +0200, Eugen Leitl wrote: > I think we need more hidden services to make the darknet more attractive, > less exits. The open Internet has been dead for a while, time to accept it. > > Running a non-exit relay from home is still worthwhile, since it raises the > bar for physical access, and also increases the traffic background. > > Decentral search is pretty important, we could really use lots of > YaCy nodes as hidden services -- indexing not just the hidden web, of > course. Hmmm, I hadn't heard of YaCy before, thanks for the mention! > I wish there was a library of different privacy-based appliances in > virtual formats (.ovf) which are kept up to date for easy deployment > (even though running it on bare iron would be preferable). That would > seem to be a lot of work, though, and run into trust issues. OVF is a dead end AFAICS. It's not perfect, but the combination of Chef/Puppet (to specify + install + configure the software stack) plus Vagrant (to specify + install + configure the base VM) seems like a more fruitful path forward. There are some missing pieces; for example, it's regrettably common in current Cookbooks and Vagrantfiles to download unsigned-and-unhashed code from the network and trust it. But that's fixable with more hashing and content addressed storage. -andy From jamesdbell8 at yahoo.com Fri Oct 11 09:46:42 2013 From: jamesdbell8 at yahoo.com (Jim Bell) Date: Fri, 11 Oct 2013 09:46:42 -0700 (PDT) Subject: Pascal Zachary: Rules for the Digital Panopticon (IEEE) In-Reply-To: <20131011081049.GU10405@leitl.org> References: <20131011081049.GU10405@leitl.org> Message-ID: <1381510002.69373.YahooMailNeo@web141206.mail.bf1.yahoo.com> ----- Forwarded message from Patrice Riemens ----- Date: Thu, 10 Oct 2013 20:41:55 +0200 From: Patrice Riemens To: nettime-l at kein.org Subject: Pascal Zachary: Rules for the Digital Panopticon (IEEE) Message-ID: <0adf8f7abff38f778a06f8b776729759.squirrel at webmail.xs4all.nl> User-Agent: SquirrelMail/1.4.18 Reply-To: a moderated mailing list for net criticism original to: http://spectrum.ieee.org/computing/software/rules-for-the-digital-panopticon Rules for the Digital Panopticon The technologies of persistent surveillance can protect us only if certain boundaries are respected By G. Pascal Zachary (Posted 20 Sep 2013) >For centuries, we humans have lacked the all-knowing, all-seeing >mechanisms to credibly predict and prevent bad actions by others. Now >these very powers of preemption are perhaps within our grasp, thanks >to a confluence of technologies. >In the foreseeable future, governments, and perhaps some for-profit >corporations and civil-society groups, will design, construct, and >deploy surveillance systems that aim to predict and prevent bad >actions and to identify, track, and neutralize people who commit them. >And when contemplating these systems, lets broadly agree that we >should prevent the slaughter of children at school and the abduction, >rape, and ­imprisonment of women. And lets also agree that we should >thwart lethal attacks against lawful government. Sorry, but I can't agree with that last statement.  "Lawful government"?  Which government would be willing to admit that it isn't 'lawful'?  The only government I would consider 'lawful' is one which complies with libertarianism's 'Non initiation of force/fraud principle', but since I am aware of no such government, I cannot agree that this statement has any practical purpose.  And while I might wryly agree with it, it would only be on the condition that all employees and officeholders of real (non-compliant with NIOFFP) government surrender, resign, and return every penny of money paid their for their 'services', back to 'day 1' of their employment.  And, of course, compensating all victims of that government for their damages and suffering.  Indoctrinated with the idea that they had the right to do what they did, I doubt that any of them would comply. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 3659 bytes Desc: not available URL: From eugen at leitl.org Fri Oct 11 01:10:49 2013 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 11 Oct 2013 10:10:49 +0200 Subject: Pascal Zachary: Rules for the Digital Panopticon (IEEE) Message-ID: <20131011081049.GU10405@leitl.org> ----- Forwarded message from Patrice Riemens ----- From eugen at leitl.org Fri Oct 11 01:13:02 2013 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 11 Oct 2013 10:13:02 +0200 Subject: [webp2p] Demo of a WebRTC P2P network Message-ID: <20131011081302.GV10405@leitl.org> ----- Forwarded message from Max Jonas Werner ----- From eugen at leitl.org Fri Oct 11 01:13:45 2013 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 11 Oct 2013 10:13:45 +0200 Subject: [pfSense] Can pfSense be considered trusted? What implementations of VPNs can now be trusted? Message-ID: <20131011081345.GW10405@leitl.org> ----- Forwarded message from Vick Khera ----- From eugen at leitl.org Fri Oct 11 01:14:17 2013 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 11 Oct 2013 10:14:17 +0200 Subject: [liberationtech] 10 reasons not to start using PGP Message-ID: <20131011081417.GX10405@leitl.org> ----- Forwarded message from carlo von lynX ----- From felix at openflows.com Fri Oct 11 01:19:31 2013 From: felix at openflows.com (Felix Stalder) Date: Fri, 11 Oct 2013 10:19:31 +0200 Subject: Pascal Zachary: Rules for the Digital Panopticon (IEEE) Message-ID: <5257B493.1010201@openflows.com> The concept of the panopticon has been very popular ever since Foucault elevated it to the rank of a central metaphor for modernity in "Discipline and Punishment" (1975). And the NSA revelations seem to confirm its usefulness once again. But I think this is mistaken. We are not living in a panoptic world at all, at least not in the Bentham/Foucault sense of the term (is there any other?). I follow here largely Zygmunt Bauman, one of the last negative thinkers in the European tradition. He makes two arguments against in this regard: First: "Today's Big Brother is not about keeping people in and making them stick to the line, but about kicking people out and making sure that when they are kicked out that they will duly go and won't come back." And, more importantly, Bauman argues, power hates the responsibility/costs that comes with being a prison guard / running a prison (assuming they have not been turned into a source of profit). They don't want to be tied down, together with the inmates. They want to be mobile, weightless and separate. So surveillance has been decentralized and turned into task performed by the prison inmates themselves, and make into a precondition for staying inside: think credit ratings, facebook friends, google ranks etc. You have to make yourself continuously and actively available for surveillance, provide your own data, in your own time and at your own costs, in order to avoid big brother to jump into action and kick you out. Some people are using the concept of "ban-opticon" to express this. On 10/10/2013 08:41 PM, Patrice Riemens wrote: > > original to: > http://spectrum.ieee.org/computing/software/rules-for-the-digital-panopticon <...> -- ||||||||||||||||||||||||||||||||| http://felix.openflows.com |OPEN PGP: 056C E7D3 9B25 CAE1 336D 6D2F 0BBB 5B95 0C9F F2AC # distributed via : no commercial use without permission # is a moderated mailing list for net criticism, # collaborative text filtering and cultural politics of the nets # more info: http://mx.kein.org/mailman/listinfo/nettime-l # archive: http://www.nettime.org contact: nettime at kein.org ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From morlockelloi at yahoo.com Fri Oct 11 10:27:50 2013 From: morlockelloi at yahoo.com (morlockelloi at yahoo.com) Date: Fri, 11 Oct 2013 10:27:50 -0700 Subject: Pascal Zachary: Rules for the Digital Panopticon (IEEE) Message-ID: This realization per se is pretty much useless, as are endless ruminations regarding how free we were, once upon time. The old Marxist postulate that awareness will save the species is blatantly false - look around you. These technologies came to rule the world because their proponents made coherent efforts to make it so. The only way to do something about it is to actively develop other technologies which tilt the balance in the direction you like better. Countering technology with words, laws and general awareness will get you nowhere. See 'bronze age'. The corollary is that the future belongs to the few, not to the masses, because high tech is centralized by nature, as it requires understanding, and those capabilities are scarce. The rest are fucked ... I mean 'users'. There are only competing elites. > NSA at all. It is about the dawning realization that we all now live > inside a "virtual" system that compels us to *control* ourselves, > since all the details of our lives are being "remembered," in a way > that no *human* civilization has EVER even imagined it could do! # distributed via : no commercial use without permission # is a moderated mailing list for net criticism, # collaborative text filtering and cultural politics of the nets # more info: http://mx.kein.org/mailman/listinfo/nettime-l # archive: http://www.nettime.org contact: nettime at kein.org ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From nico at cryptonector.com Fri Oct 11 08:53:03 2013 From: nico at cryptonector.com (Nico Williams) Date: Fri, 11 Oct 2013 10:53:03 -0500 Subject: [Cryptography] prism-proof email in the degenerate case Message-ID: <20131011155302.GA8170@gmail.com> On Thu, Oct 10, 2013 at 04:22:50PM -0400, Jerry Leichter wrote: > On Oct 10, 2013, at 11:58 AM, "R. Hirschfeld" wrote: > > Very silly but trivial to "implement" so I went ahead and did so: > > > > To send a prism-proof email, encrypt it for your recipient and send it > > to irrefrangible at mail.unipay.nl.... > Nice! I like it. Me too. I've been telling people that all PRISM will accomplish regarding the bad guys is to get them to use dead drops, such as comment posting on any of millions of blogs -- low bandwidth, undetectable. The technique in this thread makes the use of a dead drop obvious, and adds significantly to the recipient's work load, but in exchange brings the bandwidth up to more usable levels. Either way the communicating peers must pre-agree a number of things -- a traffic analysis achilles point, but it's one-time vulnerability, and chances are people who would communicate this way already have such meetings. > A couple of comments: > > 1. Obviously, this has scaling problems. The interesting question is > how to extend it while retaining the good properties. If participants > are willing to be identified to within 1/k of all the users of the > system (a set which will itself remain hidden by the system), choosing > one of k servers based on a hash of the recipient would work. (A > concerned recipient could, of course, check servers that he knows > can't possibly have his mail.) Can one do better? Each server/list is a channel. Pre-agree on channels or use hashes. If the latter then the hashes have to be of {sender, recipient}, else one party has a lot of work to do, but then again, using just the sender or just the recipient helps protect the other party against traffic analysis. Assuming there are millions of "channels" then maybe something like H({sender, truncate(H(recipient), log2(number-of-channels-to check))}) will do just fine. And truncate(H(recipient, log2(num-channels))) can be used for introduction purposes. The number of servers/lists divides the total work to do to receive a message. > 2. The system provides complete security for recipients (all you can > tell about a recipient is that he can potentially receive messages - > though the design has to be careful so that a recipient doesn't, for > example, release timing information depending on whether his > decryption succeeded or not). However, the protection is more limited > for senders. A sender can hide its activity by simply sending random > "messages", which of course no one will ever be able to decrypt. Of > course, that adds yet more load to the entire system. But then the sender can't quite prove that they didn't send anything. In a rubber hose attack this could be a problem. This also applies to recipients: they can be observed fetching messages, and they can be observed expending power trying to find ones addressed to them. Also, there's no DoS protection: flooding the lists with bogus messages is a DoS on recipients. Nico -- _______________________________________________ The cryptography mailing list cryptography at metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From eugen at leitl.org Fri Oct 11 02:48:16 2013 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 11 Oct 2013 11:48:16 +0200 Subject: [liberationtech] CPJ: Obama and the Press Message-ID: <20131011094816.GF10405@leitl.org> ----- Forwarded message from frank at journalistsecurity.net ----- From eugen at leitl.org Fri Oct 11 03:59:16 2013 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 11 Oct 2013 12:59:16 +0200 Subject: [liberationtech] 10 reasons not to start using PGP Message-ID: <20131011105916.GH10405@leitl.org> ----- Forwarded message from elijah ----- From eugen at leitl.org Fri Oct 11 04:12:18 2013 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 11 Oct 2013 13:12:18 +0200 Subject: [liberationtech] 10 reasons not to start using PGP Message-ID: <20131011111218.GO10405@leitl.org> ----- Forwarded message from carlo von lynX ----- From eugen at leitl.org Fri Oct 11 04:13:44 2013 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 11 Oct 2013 13:13:44 +0200 Subject: [Freedombox-discuss] Tor Message-ID: <20131011111344.GP10405@leitl.org> ----- Forwarded message from Tim Retout ----- From eugen at leitl.org Fri Oct 11 04:29:31 2013 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 11 Oct 2013 13:29:31 +0200 Subject: [liberationtech] 10 reasons not to start using PGP Message-ID: <20131011112931.GW10405@leitl.org> ----- Forwarded message from carlo von lynX ----- From eugen at leitl.org Fri Oct 11 04:42:13 2013 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 11 Oct 2013 13:42:13 +0200 Subject: who are the service operators here? In-Reply-To: References: Message-ID: <20131011114213.GY10405@leitl.org> On Wed, Oct 09, 2013 at 03:58:26PM -0500, J.A. Terranson wrote: > Don't get me wrong, I'm not saying don't do it: I think *everyone* should, > at least for a years or so, for a variety of technical, political, and > other reasons. But you *cannot* go in unprepared! I think we need more hidden services to make the darknet more attractive, less exits. The open Internet has been dead for a while, time to accept it. Running a non-exit relay from home is still worthwhile, since it raises the bar for physical access, and also increases the traffic background. Decentral search is pretty important, we could really use lots of YaCy nodes as hidden services -- indexing not just the hidden web, of course. I wish there was a library of different privacy-based appliances in virtual formats (.ovf) which are kept up to date for easy deployment (even though running it on bare iron would be preferable). That would seem to be a lot of work, though, and run into trust issues. From tedks at riseup.net Fri Oct 11 10:59:54 2013 From: tedks at riseup.net (Ted Smith) Date: Fri, 11 Oct 2013 13:59:54 -0400 Subject: [liberationtech] 10 reasons not to start using PGP In-Reply-To: <20131011105916.GH10405@leitl.org> References: <20131011105916.GH10405@leitl.org> Message-ID: <1381514394.19757.0.camel@anglachel> One reason to start using PGP: 1. Worse is better. Something is better than nothing. On Fri, 2013-10-11 at 12:59 +0200, Eugen Leitl wrote: > ----- Forwarded message from elijah ----- > > Date: Thu, 10 Oct 2013 14:17:01 -0700 > From: elijah > To: liberationtech at lists.stanford.edu > Subject: Re: [liberationtech] 10 reasons not to start using PGP > Message-ID: <5257194D.1050202 at riseup.net> > User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0 > Reply-To: liberationtech > > On 10/10/2013 12:23 PM, carlo von lynX wrote: > > > 1. Downgrade Attack: The risk of using it wrong. > > Fixed in the new generation of clients (mailpile, LEAP, etc). > > > 2. The OpenPGP Format: You might aswell run around the city naked. > > Fixed by using StartTLS with DANE (supported in the new version of > postfix). Admittedly, this makes sysadmin's job more challenging, but > LEAP is working to automate the hard stuff (https://leap.se/platform). > > > 3. Transaction Data: He knows who you are talking to. > > Fixed in the short term by using StartTLS with DANE. Fixed in the long > term by adopting one of these approaches: https://leap.se/en/routing > > > 4. No Forward Secrecy: It makes sense to collect it all. > > Imperfectly fixed in the short term using StartTLS with only PFS ciphers > enabled. This could be fixed in the long term by using Trevor Perrin's > scheme for triple EC Diffie-Hellman exchange. This has been implemented > by moxie for SMS, and could be for SMTP > (https://whispersystems.org/blog/simplifying-otr-deniability/). > > > 5. Cryptogeddon: Time to upgrade cryptography itself? > > New version of GPG supports ECC, but of course nothing in the snowden > leaks suggest we need to abandon RSA of sufficient key length (just the > ECC curves that have *always* been suspicious). > > > 6. Federation: Get off the inter-server super-highway. > > Federated transport with spool-then-forward time delay is likely a much > more feasible way to thwart traffic analysis than attempting to lay down > a high degree of cover traffic for direct peer to peer transport. This > is, of course, an area of active academic research and it would be > irresponsible to say that we definitively know how to prevent traffic > analysis, either with p2p or federation. > > > 7. Statistical Analysis: Guessing on the size of messages. > > Easily fixed. > > > 8. Workflow: Group messaging with PGP is impractical. > > No one anywhere has solved the problem of asynchronous, forward-secret > group cryptography. There are, however, working models of group > cryptography using OpenPGP, such as SELS > (http://sels.ncsa.illinois.edu/). This approach makes key management > more difficult, but we need to automate key management anyway for > OpenPGP to be usable enough for wider adoption. > > > 9. TL;DR: I don't care. I've got nothing to hide. > > This critique rests on the assumption that the problems with email are > unfixable. > > > 10. The Bootstrap Fallacy: But my friends already have e-mail! > > Email remains one of the two killer apps of the internet, and is > unlikely to vanish any time soon. Simple steps we can take to make it > much better seem like a wise investment in energy. > > There are two approaches to addressing the problems with email: > > (1) assert that email is hopeless and must be killed off. > (2) identify areas where we can fix email to bring it into the 21st century. > > I think that approach #1 is irresponsible: regardless of one's personal > feelings about email, it is certainly not a lost cause, and asserting > that it is will make it more difficult to build support for fixing it. > > Approach #2 is certainly an uphill battle, but there are a growing > number of organizations working on it. LEAP's (free software) efforts > are outlined here: https://leap.se/email. We have it working, we just > need to get it mature enough for production use. > > -elijah > -- > Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu. > > ----- End forwarded message ----- -- Sent from Ubuntu -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part URL: From tpetru at gmail.com Fri Oct 11 08:31:31 2013 From: tpetru at gmail.com (Tomas Overdrive Petru) Date: Fri, 11 Oct 2013 17:31:31 +0200 Subject: who are the service operators here? In-Reply-To: <20131011114213.GY10405@leitl.org> References: <20131011114213.GY10405@leitl.org> Message-ID: <525819D3.9070800@gmail.com> Joseph's question is really important not even for me, as for person, who just want to try to run multi-purpose "home server". I think it is good idea for some bigger Documentation and HowTo project, too. Eugen's idea to have .ovf packages for different purposes is relevant too. Both ideas still need to be answered, and seems to me even propagated, so let me add one more question: Is there some Propaganda/Documentation Project/HowTo Wiki for this purpose? One of interesting .ovf I have found is *Liberté Linux*: http://dee.su/liberte [seems to be kind of out-dated] One of interesting "multi purpose, out of the box, home server" seems to be this: *arkOS: Building the anti-cloud (on a Raspberry Pi) - open source, Raspberry Pi - Development - Techworld* http://www.techworld.com.au/article/528273/arkos_building_anti-cloud_raspberry_pi_/ Both projects seems to be worth to add human power to and more propaganda. *Tails* https://tails.boum.org/ seems to be paranoid enough to not to support .ovf, or em'I wrong? BTW all of mentioned projects are good hint, what is trend on side of services but list of services and tools is still more than welcome. Btw2: On this wiki, I'm tiring to complete list of user side apps for different platforms, so it could be helpful too: https://brmlab.cz/project/crypto-anonymity_knowbase Regards, ~ Over Dne 11.10.2013 13:42, Eugen Leitl napsal(a): > On Wed, Oct 09, 2013 at 03:58:26PM -0500, J.A. Terranson wrote: > >> Don't get me wrong, I'm not saying don't do it: I think *everyone* should, >> at least for a years or so, for a variety of technical, political, and >> other reasons. But you *cannot* go in unprepared! > I think we need more hidden services to make the darknet more attractive, > less exits. The open Internet has been dead for a while, time to accept it. > > Running a non-exit relay from home is still worthwhile, since it raises the > bar for physical access, and also increases the traffic background. > > Decentral search is pretty important, we could really use lots of > YaCy nodes as hidden services -- indexing not just the hidden web, of > course. > > I wish there was a library of different privacy-based appliances in > virtual formats (.ovf) which are kept up to date for easy deployment > (even though running it on bare iron would be preferable). That would > seem to be a lot of work, though, and run into trust issues. -- “Borders I have never seen one. But I have heard they exist in the minds of some people.” ― Thor Heyerdahl www...................http://overdrive.a-nihil.net twitter...............https://twitter.com/#!/idoru23 GoogleTalk/Jabber.....tpetru at gmail.com blog..................http://d8ofh8.blogspot.com last.fm...............http://www.last.fm/user/overdrive23 GnuPG public key......http://overdrive.a-nihil.net/overdrive.txt GnuPG key FingerPrint.072C C0AD 88EF F681 5E52 5329 8483 4860 6E19 949D -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 4316 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 553 bytes Desc: OpenPGP digital signature URL: From eugen at leitl.org Fri Oct 11 08:53:25 2013 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 11 Oct 2013 17:53:25 +0200 Subject: who are the service operators here? In-Reply-To: <525819D3.9070800@gmail.com> References: <20131011114213.GY10405@leitl.org> <525819D3.9070800@gmail.com> Message-ID: <20131011155325.GJ10405@leitl.org> On Fri, Oct 11, 2013 at 05:31:31PM +0200, Tomas Overdrive Petru wrote: > *Tails* https://tails.boum.org/ seems to be paranoid enough to not to > support .ovf, or em'I wrong? Their official position IIRC is that they discourage VM use, so they might not want to offer a virtual appliance. While they're technically correct, there's value in virtual network plumbing, so you can build up separated compartments, and routers which force everything through Tor. It would reduce the threshold of entry, even though there are ways of detecting that you're running in a hypervisor jail, and break out of it. From tpetru at gmail.com Fri Oct 11 09:33:08 2013 From: tpetru at gmail.com (Tomas Overdrive Petru) Date: Fri, 11 Oct 2013 18:33:08 +0200 Subject: [cPUNK-BOX] : Re: who are the service operators here? In-Reply-To: <20131011155325.GJ10405@leitl.org> References: <20131011114213.GY10405@leitl.org> <525819D3.9070800@gmail.com> <20131011155325.GJ10405@leitl.org> Message-ID: <52582844.7060608@gmail.com> I'm using Tails inside virtual boxes only, because there is almost zero possibility of local data theft or local attack in my case, much more problematic is "Open Internet". So I think they are too much paranoid for my purpose and could be good idea to try to discuss it with them. Even I like design of Liberte Linux more [smaller, faster, same amount of tools, encrypted filestystem usable even under Windows...]. But we seems to be little bit OT, better to return back to question: what server application to run these days for self-suficient-anarcho-cPUNK-box. I think people from FreedomBox thread & Tor thread should be able to answer us best. Btw I see FreedomBox as unusable overkill, but it is just my IMHO. Too much crypto* == no usability for everyday purposes [which is basically exactly, why I'm reading this mailing list and doing wiki]. We must count with users as my mother is. She is able to encrypt/sign e-mail with Enigmail and use OTR and TrueCrypt... that is good example, where all of this should lead on user level. e.g. Pidgin + OTR plugin, Thunderbird + Enigmail, Ubuntu -- good user experience, not really much ponts, where even my Mother "can do it completely wrong" ... it is Facebook century, even most stupid or non-techie from primary school are on netz. Nobody cares about mailing lists and bbses anymore. Time to do it completely transparent [really gr8 job Enigmail !!!] --> Tails is killing itself because crypto* overkill even on web now [even I understand it could be good to have complex, it should not be default... propaganda and education should not kill usability, even it IS fu*ng important] Smart aPUNK study and is able to configure server, but does not understand elliptic curves on math level. Still MUCH better to understand concepts and be able to run it relatively fast and secure, than undrstand math and not 2 be able to do revolution, eh? have an ice day, ~ Over Dne 11.10.2013 17:53, Eugen Leitl napsal(a): > On Fri, Oct 11, 2013 at 05:31:31PM +0200, Tomas Overdrive Petru wrote: > >> *Tails* https://tails.boum.org/ seems to be paranoid enough to not to >> support .ovf, or em'I wrong? > Their official position IIRC is that they discourage VM use, > so they might not want to offer a virtual appliance. > > While they're technically correct, there's value in virtual > network plumbing, so you can build up separated compartments, and > routers which force everything through Tor. > > It would reduce the threshold of entry, even though there > are ways of detecting that you're running in a hypervisor > jail, and break out of it. > > -- “Borders I have never seen one. But I have heard they exist in the minds of some people.” ― Thor Heyerdahl www...................http://overdrive.a-nihil.net CellPhone.............00420-721-007-507 twitter...............https://twitter.com/#!/idoru23 GoogleTalk/Jabber.....tpetru at gmail.com blog..................http://d8ofh8.blogspot.com last.fm...............http://www.last.fm/user/overdrive23 GnuPG public key......http://overdrive.a-nihil.net/overdrive.txt GnuPG key FingerPrint.072C C0AD 88EF F681 5E52 5329 8483 4860 6E19 949D -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 553 bytes Desc: OpenPGP digital signature URL: From laurens at daemon.be Fri Oct 11 13:11:35 2013 From: laurens at daemon.be (Laurens Vets) Date: Fri, 11 Oct 2013 22:11:35 +0200 Subject: The Great Firewall of Belgium Message-ID: <2616223add8c39ca68bc9e0b4cb4014e@daemon.be> Hello, The major ISPs of Belgium were forced to block certain sites starting in 2009. The list of blocked websites is secret (except for the gambling sites blocked due to regulatory issues with the Belgian gaming commission). The blocked sites can be categorized as: - websits containing child porn - child porn whistleblowing sites (long story) - Regulatory issues with the gaming commission (this list is public) - Piracy related (The Pirate Bay amongst others) - Webshops selling illegal medicine and other forbidden products I've been trying to uncover this list here: http://www.randomstuff.be/your-government-is-lying-to-you-and-something-about-censorship/ Basically, DNS requests for those websites are redirected to a government controlled webserver. What other techniques are there (besides checking every site on the internet) to try and uncover whether sites are blocked in Belgium? -Laurens From eugen at leitl.org Fri Oct 11 13:40:35 2013 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 11 Oct 2013 22:40:35 +0200 Subject: Pascal Zachary: Rules for the Digital Panopticon (IEEE) Message-ID: <20131011204035.GO10405@leitl.org> ----- Forwarded message from morlockelloi at yahoo.com ----- From electromagnetize at gmail.com Fri Oct 11 22:02:42 2013 From: electromagnetize at gmail.com (brian carroll) Date: Sat, 12 Oct 2013 00:02:42 -0500 Subject: NSA data centre power surges & unknowns... Message-ID: thanks to everyone for sharing their views regarding my forward-leaning speculation about the NSA facility... two additional observations: 1) if the NSA Utah data centre is not involved in quantum computing in any way, as per the larger society and its synchronization with existing tools and technologies manufactured and standardized likewise in the mainstream- it is curious to what extent non-quantum computing technologies could potentially exist in such a scenario, yet remain secret and off-limits. this is to consider the basic technology research and scientific advances that are oftentimes in the news on physics sites, such that university or corporate RD&D labs have achieved a latest milestone, and that a given improvement may make it to market in the next 10-20 years, and then from this frontier of development, a gap with the present in what appears to be an 80s computing paradigm largely seemingly unchanged, perhaps mostly in terms of the OS itself and how data is managed on these electronic filing cabinet devices that collectively become the worldwide junk drawer (aka Internet and WWW), the epitome of "bureaucracy" as networked furniture. for instance, what if the facade of a computing server has hidden or advanced technology within it, in such an installation, that may change the equations for how data is being processed. 'spintronics' is one such area, various approaches to memory are others, that could potentially have larger combined effects if built-out at scale, perhaps the equations would differ or the methodology or techniques employed to discern and sift thru data. and thus, it is still wondered if in the gap between where research is and is essentially "bounded" both within a secret government context and also outside of a public, commercial mainstream domain, what may actually be going on in the inner workings as it relates to what is going on within the surveillance society itself and its capacity to process vast amounts of data that seemingly would require more 'organizational capacity' than just brute force computing alone-- meaning: the capacity to compute "unknowns" in a running, looping equation... which to me appears to be what serial processors are not good at, and instead seemingly must arrive at an answer; and even parallelism within serial processing (non-quantum), from my truly naive and completely limited understanding and perhaps errored viewpoint, would only best be served by quantum nonlinear or multilinear processing across vast amounts of data sets that may not have known correlations to start and instead to build these up and test against models. can equations or algorithms do what the hardware cannot do, in its logic-based biased processing via digitalism, or might other transistors and other ways of balancing these computations more towards weighted analog looping means exist by which to 'naturally approach' this situation, from big picture to local instances, versus localized modeling outward, via rationalization. that is, in conceptual terms, what if the likelihood that coherence could be decided upon or determined by a software framework alone, versus having additional capacity both in advanced hardware components, to both assist and allow for such nonlinear massively dynamic (ecological) capacity for global computation across all interconnected sets-- perhaps such data sets could even would shrink the example of weather modeling for supercomputing to a minor issue by comparison, given a potentially wider range of knowns that are relationally unknown in their effects, given empirical evaluation, and the massive floating unknown that may never be computed for beyond a vague nebulous threat-condition, some threshold that suddenly grounds in the modeling and triggers alerts or forecasts based on statistics as this relates to recorded data, live surveillance, the entirety of this, in situ. i think what would be impossible about a traditional computing paradigm for this situation would be the incapacity of 'knowing' what to model given the vast amounts of data and their instability in terms of limits to what can be known and understood, versus what is probabilistic and reevaluated again and again and again, and perhaps tens of thousands of such equations that may exist in various computations, and then the 'meta-algorithm' that may govern over this situation-- is it a man's judgement for how this data is interpreted and thus the situation is managed as if an office computer that is queried- or may 'computational reasoning' exist in the form of AI that is running models, both theories and competing hypotheses - in parallel - and that these are built of past events and future statistical graphs, and potentially reveal *constellations* or patterns that begin to match what was a previous condition or sequence, and thus the computer is determining the direction of what is tapped based on its inferences and its deductive and inductive, ~intuitive reasoning. now, i totally believe it is technologically possible to do this-- just not with today's limited equipment and software paradigm-- not a chance. it is too heavily biased in both processing and computer architecture to allow for open-ended questioning. everything must be rationalized in advance, it is the way the logic-gates work on the PNP and NPN transistors. there is no 'unknown' state within the circuitry, and whatever may be achieved via software would be unnatural to the hardware and bounded in its capacity and functioning against the direction of current, as if an aberration. or thus is the foolish explanation i conjure from the abstract. that it is going against the grain of electrical current, essentially. it is like telling someone who is entirely vested in a binary mindset to consider a paradoxical situation, and how for its resolution it must be bounded within that worldview and made to fit within its sampling (1/0) else the model or worldview fails. the paradox would need to fit within the bit and not exist beyond or outside it else it would not exist or be real. so how can an entire paradoxical situation that is actively parsed exist in a running model of 'rationalization' in terms of computation, if the charge itself is biased to an on/off state for any given consideration when the majority likely remain gray-area computations and empirically unknown, except within a sliding scale analog-like weighting that shifts modeling. perhaps parallel software could "model" this, yet how effectively if such data can only be run one-way and must be restarted and recalculated versus allowing the data to live in ambiguity and continuously compute itself, in a realm that is too highly constrained by binary modeling, determined by it, and thus would bound any such computation to only what the technology allows in its bias, and thus limits how much can be questioned, asked, and allowed to be unknown, ambiguous, and computed this way. is it not possible that stuxnet-like influences could exist if making a continuous brute-force calculation upon a massively changing real-time model that it could essentially burn-out the serial processes linked in parallel via networking, such that they would be performing at peak rates and potentially overheat or have a limit to what kinds of data could be processed and in what fidelity-- and could such fidelity with the world of real-time surveillance and state threat modeling exist in its vastness and nth-degree unknowns and run that within the parameters of petaflops and not consider all the other issues that may limit such computations, such as how the processing itself disallows certain considerations that appear solved or actively processed -somehow- and to me that explanation is that there is a highly advanced system that is naturally capable, not by brute-force or by chess-computer linear one-point perspective, and instead by utilizing knowledge of nature and how quantum mechanics relates directly with paradox and in this context- it is probable a quantum computer could only do this level of computation that is integrative and a basis for threat analysis, albeit perhaps guided by a too-simple binary interface or outlook or way of managing a situation due to lack of previous experience for guidance. that is: it is likely impossible that existing technology could carry the computational and data load in terms of its organization and coherence as a computing model of N-dimensions or interrelated degrees. it likely does not involve a simple script or algorithm that rationalizes the entirety of what is going on, and instead it likely would emerge as a pattern from within the churning cauldron of data, well beyond meta-data, only an ingredient amongst vast many others that span any relevant archivable referenceable 'known' form that could establish a model, from any given perspective. and thus be evaluated in terms of computer reasoning versus human reasoning, and gauge insight upon what correlations may be beyond the human limit of considering as shared sets, versus what such computing power could compare and consider (and thus, perhaps the AI develops its own algorithms and has its own working hypotheses- yet this would inherent require grounding with the hardware, that allows this and does not involve translating or other lossy middle-management or mediation that skews or warps or limits the running iterative computation or nonlinear computational analysis). so while a step can be taken back from the assumption of a fielded quantum computer in a seemingly mundane gargantuan data centre/warehouse, what is occurring within the existing surveillance regime does not realistically appear to be grounded in such a facility, either. it does not add up, the capacity of storing records versus making judgments based on such data, yet not only that data, everything that is known and modeled in terms of the issues and the society and economic, social, political dimensions, locally and globally, as it fits into a whole model and local instances- where might that computation occur and it is my view that it is impossible for this to be occurring outside a quantum context, in terms of efficiency. lacking this capacity would involve constantly fighting the equipment and being limited in approaching 'questioning itself', though this is also the majority situation. it is an entirely different approach than the internet and desktop and workstations equipment of today. it is beyond the binary. there is nothing to bet on it either. either the government has a viable working model of the state in all of its dimensions or it does not have this capacity. and there is every indication it does have this today and yet meta-data is like a binary worldview of the existing situation, and too limited to get at what boundaries are involved in terms of citizens and law and representation and rules, including for those in government. if it does involve a realm of meta-computing and yet computing is the limit to what can be reasoned, then as with physics and metaphysics- it is in that gap that the reality is lost and another world exists outside the other and could even be beyond accountability as a result of plausible deniability. it is implausible a non-quantum computer could be modeling state data in its ubiquity in a running simulation given existing binary technology. 2) Google and Nasa just announced a video of their quantum computer that is actually an installation of a quantum processor whose 'number crunching' will apparently help optimize algorithms for the Google Glass blink apps. and a question encountered in this application of D-Wave quantum chip is what to do with this technology- effectively a new kind of calculator it seems, given the approach. A first look inside Google's futuristic quantum lab // video http://www.theverge.com/2013/10/10/4824026/a-first-look-inside-googles-secretive-quantum-lab in other words, it is not a 'quantum computer' that is installed and thus there are no other quantum-specific devices connected to it, such that it seems the pins in the chip lead directly to software to run queries, and this sustained within a sealed supercold environment, to allow it to occur. so it is more like a micro-controller or integrated circuit than a multi-use processor in the sense it is outside of a motherboard context or larger connected circuitry, or so it appears by my naive account. and so there is this disjunction between what data processing today must be capable of, in terms of processing, and then this 'first steps' approach that is fielded in the commercial and scientific realm of Google and NASA. like the computation of the 'state mind' and the situation in the body of the state are mismatched and there is dissonance between what is said and what is being done- which begs for mistrust if not fear, deity state, etc. so the question asked in the video is what can a quantum processor do. what is it capable of. and i tend to imagine it is precisely this realm of the paradoxical and the N-dimensional that begins in the gray-area with very limited models and AI, and cosmic-soup-like, allows this data situation to computationally bubble bubble while on the lookout for toil and trouble. the random number generator (RNG) itself seems most closely aligned with the paradigm of quantum mechanics - as a field of superposition and of potentiality -- and this is where paradoxical unknowns would emerge from as contingent patterns in terms of their grounded interconnectivity within the ecologically and dynamically linked empirical models. even more the case, or so it is proposed, are random event generators in relation to spooky action at a distance. if these purposeful RNGs are somehow linked and-or _grounded, as if quantum-tuned sensor-boxes even, that extrasensory aspect of birds knowing navigation or animals knowing of earthquakes via uncanny abilities could also exist naturally within the computer hardware model at the physical level, if sensitive to various indicators and 'aware' or capable of making-sense of the chaotic input. humans on the internet who may gauge a larger situation via interactions without this being voiced, is similar to a distributed sensor network in its parallel computation, grounded locally, and its predictive capacity in that something may not feel right or a particular momentum may be sensed and thus serve as a meridian or guideline or boundary via lines of force like intuitive calculation. so too, computer processing whereby the logic is capable of assessing existing and potential N-dimensional connections and boundaries and considering the dynamics involved, hunches, intuitions. for instance, a software program could be written to look at bird call data as it relates to air quality as this relates to news reports and events. if you know what you are looking for, it could be rationalized-- find these criteria and in matching those patterns x=y. yet what if the computer was able to take any data, and consider any event from a largely unbounded context, and thus it could begin to process the migration of birds in realm time with pollution levels as it relates to, say, periods of heavy traffic due to sporting events in a given sector. and the algorithm would find such correlations, yet not stop at this, and keep looking and evaluating. and perhaps there are 'infinitely more variables than equations', and thus quadratic approaches are beyond the bounds of a limited viewpoint or rationalization, where kind of perspective that seeks to view a situation that is too small to accurately model it then becomes the sign of the thing it seeks to understand, where the model replaces the entity itself. (note: this as it relates to conservation issues, politics, saving one species to jeopardize another; else, technology and wildlife and ecosystems, wind turbines and bird and bat and eagle deaths, etc) in a binary approach, the 'good enough' model allows the extraneous data to be ignored or kept out of the analysis -- yet this does not work at scale, because the bias and warping and skew and distortion only increases with each further reliance upon inaccuracies in the false framework. you could not have accuracy at the level of the state via such an approach when in a context of ubiquitous information, there would be a total onesided madness. and it does not appear this is actually the case. again, beyond binarism. thus highly-dimensional modeling may begin as inaccurate models and require constant analysis and refinement that only a computer could be in the vast data relations required. for instance, taking all sensor data from street infrastructure regarding pollution and toxins, all weather, traffic, news, academic research, epistemological models, social, economic, anything of any import that can exist in an equation, -- essentially a noise field -- and then allow whatever potential interconnection exists to be modeled as a possibility, whether activated as a structural scaffold of a hypothesis or not, and that through educational, career, taxes, health records, and other indicators - across all known statistics viewed as an empirical framework for pattern matching past, present, and future events -- to then see what stands-out in a given moment or in a particular context or perspective, and that like the extrasensory 'knowing' or intuitive understanding, somehow the model could suddenly achieve a strange coherence in the data modeled, and this could occur from the ground-up from the particulate to the whole and entirely or mostly in a referenced-based AI computational approach, yet requiring a capacity of parallel linked quantum supercomputers to achieve. there is no time-sharing on a system like this, it would always be on and running and like the birth of a universe, would grow and grow and grow, and while accessed, ultimately it would be best at modeling these chaotic and unknown dynamics itself -- allowed to run and compute, reason autonomously so as to consider these dynamics, while humans could input models and help evaluate models and assumptions. yet ultimately its accuracy is not within the 1 and 0 of binary digits as representations of on/off switches, instead it would be this 1 and 0 mapping directly to truth, the basis for grounding the software model in the hardware physical world as it relates to matter, energy, and information. it would not inherently involve an extra layer or distancing from this, seemingly, an additional language and translation. if allowed, the paradoxical processing of gray-area conditions by a quantum computer installation could - in accordance with AI and 3-value and N-value logical reasoning - achieve this 'holistic' approach yet with attributes of analog characteristic of shifting parameters and sliding scale analyses. in this way the rigidity of binary 2-value computation that does not allow the truth to exist would instead not allow the assumption of truth within the modeling of representational signs (programming, models themselves, beliefs) to become the truth by default of this interaction (true belief) and instead, this truth would need to be earned by massive reasoning that is tied into facts and physics and human knowledge, from the beginning, and not some ideological bubble-universe that has control over the equipment. grounded sensing, in other words. if a linear supercomputer can take input from every weather station and model weather systems worldwide, given what is known about cloud system formation, wind and temperature and humidity, and various weather systems and events- what can it do beyond this same seemingly *fixed* boundary that could involve birds or wildlife or sounds or resonance or people who have broken bones that ache before a storm or who immediately know tornado weather minutes far ahead of warning sirens. if they are outside the model, that is not computed. yet what if that data somehow could be connected to, yet the software and hardware model do not allow it, because it is a deterministic approach, rationalized within a given set of parameters where it controls the knowns via leaving out the unknowns. what if the unknowns are where the discovery is for new knowledge. what if the gathered flight of seagulls indicates a thunderstorm two days out with a degree of certainty before computer models or at least could be correlated with such observations, tested as empirical evidence as part of a larger hypothesis of integrated systems. and what if this was only one aspect of one question of a given scenario in a given discipline of which there are trillions to consider. the boundaries kill off the ideas, certainties replace and stand-in for uncertainty, controlling what is interpreted and allowed to be considered within modeling that then limits and bounds knowledge to only what can be known from a given view, and that its inaccuracies become structural, beyond questioning, dogma. say, a non-electromagnetic view of the universe as this relates to weather and cloud systems as giant charge-based entities (electric weather). The Electric Universe / Electrical Weather http://www.holoscience.com/wp/synopsis/synopsis-9-electrical-weather/ what seems most likely in my naive estimation is that the quantum computer in its capacity for paradoxical computation and looping heuristic methods for meta-modeling across multiple interrelated scales simultaneously, is that this ecological condition of reality and this dimensional capacity of massive quantum installations linked together in parallel would allow for this evaluation by default of a natural affinity for the physics involved, and this goes beyond just the processor itself and into its grounding at the macro-level with material entanglement, whereby sensor networks that count microns of chemicals could potentially be remotely entangled in their data sets this way, so that a trigger upon one variable may effect others at a distance likewise, in terms of latent superposition potentialities. in this way, the grounded antenna or the ground wire, as with the sensor connected to a proposed LED signaling display influencing or becoming an RNG input, could have a autonomic nervous system alongside the brain-based computational reasoning, whereby ~sensing may remain ambiguous yet also be highly connected in other hidden or missing or gray area dimensionality that could like junk DNA recombine in a given instance as a pattern or allow other frameworks to exist and this seems inherent or unique to the quantum situation, in that the grounding of the computer also would be a grounding of the data model in terms of its realism, that the information modeled accurately maps into the world and is harmonized with it, and that this diagnostic evaluation occurs if not also in terms of error-correction or tabulation or computational processing. perhaps there is intelligence within the current itself, in terms of entanglement, and so perhaps the entangling of computers in a monitoring sense of environment or various "dimensions" would also be involved in how data is effectively processed. this versus having society serve a flawed computer model, subservient to it, versus the ability to question the model and test it against the truth of all combined data within the given hypotheses, and the issue of going against nature. the microns of chemicals cannot simply be ignored. the poison in the air, toxins everywhere, sick and inhuman approaches as this relates to ethics and morality. essentially-- the society is schizophrenic and allowed to be this way in the binary ideology and its computer model, required even, enforced, yet denied by those who benefit via onesideness, the inequality, exploitativeness, the epic swindle for fake immortal gain. thus it is proposed that the quantum computer as a device would have this RNG/REG aspect that relates to grounding data, and this could connect with sensors or various other inputs (as if peripherals perhaps). in this way, a quantum computer installation at massive scale could parse all traffic cams, all weather info, all news and knowledge and reference all books and texts in all languages, and build up models within these as frameworks for evaluating issues of concern as tools for state management and governance - or tyranny. and thus the short-circuit if this were amiss or something was off about it, sparking loose-ends that need to be pulled to find out there is binarism at the helm of such computational power and that its output is skewed towards the ideological, due to boundaries that are retained from a given mindset or too narrow belief system, etc. and that this could likely be expected as a result of not know the questions to ask when faced with the physics involved, in their metaphysical dimensions. forcing the data versus listening to it. forcing answers via biased views versus allowing questions to exist, coherence discerned logical reasoning. this as it relates to private mankind and public humanity, as referenced to the US Constitution or ignoring and replacing it via its substitution as a hollowed-out digital sign. the state as empty set. any tyranny is possible. ♬ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 25986 bytes Desc: not available URL: From electromagnetize at gmail.com Sat Oct 12 00:33:52 2013 From: electromagnetize at gmail.com (brian carroll) Date: Sat, 12 Oct 2013 02:33:52 -0500 Subject: Computer H14 Message-ID: // absolutely wild Jim Henson AT&T technology parables, via digg... Tech Time Warp of the Week: Jim Henson’s Muppet Computer, 1963 By Daniela Hernandez http://www.wired.com/wiredenterprise/2013/10/tech-time-warp-of-the-week-jim-henson-builds-snarky-robot-for-att/ From grarpamp at gmail.com Sat Oct 12 01:54:30 2013 From: grarpamp at gmail.com (grarpamp) Date: Sat, 12 Oct 2013 04:54:30 -0400 Subject: who are the service operators here? In-Reply-To: <20131011114213.GY10405@leitl.org> References: <20131011114213.GY10405@leitl.org> Message-ID: On Fri, Oct 11, 2013 at 7:42 AM, Eugen Leitl wrote: > I think we need more hidden services to make the darknet more attractive, > less exits. The open Internet has been dead for a while, time to accept it. If you are referring to Tor, there are at least 700 such services that you could find rather easily right now. That's ~75% more since two months. From xlene at 404ed.org Fri Oct 11 16:31:55 2013 From: xlene at 404ed.org (xlene) Date: Sat, 12 Oct 2013 10:31:55 +1100 Subject: who are the service operators here? In-Reply-To: <20131011163542.GL27838@hexapodia.org> References: <20131011114213.GY10405@leitl.org> <20131011163542.GL27838@hexapodia.org> Message-ID: <52588A6B.6060307@404ed.org> On 12/10/13 03:35, Andy Isaacson wrote: > On Fri, Oct 11, 2013 at 01:42:13PM +0200, Eugen Leitl wrote: >> I think we need more hidden services to make the darknet more attractive, >> less exits. The open Internet has been dead for a while, time to accept it. >> >> Running a non-exit relay from home is still worthwhile, since it raises the >> bar for physical access, and also increases the traffic background. >> >> Decentral search is pretty important, we could really use lots of >> YaCy nodes as hidden services -- indexing not just the hidden web, of >> course. > Hmmm, I hadn't heard of YaCy before, thanks for the mention! > >> I wish there was a library of different privacy-based appliances in >> virtual formats (.ovf) which are kept up to date for easy deployment >> (even though running it on bare iron would be preferable). That would >> seem to be a lot of work, though, and run into trust issues. > OVF is a dead end AFAICS. > > It's not perfect, but the combination of Chef/Puppet (to specify + > install + configure the software stack) plus Vagrant (to specify + > install + configure the base VM) seems like a more fruitful path > forward. There are some missing pieces; for example, it's regrettably > common in current Cookbooks and Vagrantfiles to download > unsigned-and-unhashed code from the network and trust it. But that's > fixable with more hashing and content addressed storage. > > -andy coreOS also has potential still has some bugs but looks promising. From eugen at leitl.org Sat Oct 12 02:28:36 2013 From: eugen at leitl.org (Eugen Leitl) Date: Sat, 12 Oct 2013 11:28:36 +0200 Subject: who are the service operators here? In-Reply-To: References: <20131011114213.GY10405@leitl.org> Message-ID: <20131012092836.GP10405@leitl.org> On Sat, Oct 12, 2013 at 04:54:30AM -0400, grarpamp wrote: > On Fri, Oct 11, 2013 at 7:42 AM, Eugen Leitl wrote: > > I think we need more hidden services to make the darknet more attractive, > > less exits. The open Internet has been dead for a while, time to accept it. > > If you are referring to Tor, there are at least 700 such services that you > could find rather easily right now. That's ~75% more since two months. Certainly nice growth, but realistically won't be sustained post-Snowden. Most-used services on the Internet is search, and there's just one useful search engine in onionland: 3g2upl4pq6kufc4m.onion and it's not operated by multiple, independent, noncommercial parties. From jim at netgate.com Sat Oct 12 09:59:33 2013 From: jim at netgate.com (Jim Thompson) Date: Sat, 12 Oct 2013 11:59:33 -0500 Subject: [pfSense] naive suggestion: conform to US laws Message-ID: <9D8BFE6E-48A9-42E2-A494-99892FA27C90@netgate.com> On Oct 12, 2013, at 7:20 AM, Thinker Rix wrote: > On 2013-10-11 22:33, Walter Parker wrote: >> Yes, you have been informed correctly. There are more than 2. According the World Atlas (http://www.worldatlas.com/nations.htm#.UlhOHVFDsnY) the number is someone between 189 and 196. > > No kidding! ;-) > >> But you did not answer the question asked: Name the country that you would move the project to and why you believe that country would do a better job? > > Why should *I* name it and why should I present ready solutions for an idea another community member brought up? Why should anybody be in a position to present ready solutions at this point? How about having a fruitful discussion and find solutions together? There is no reason to build a house on sand. There is no fruitful discussion to be had when the premise is patently false. >> Then because the USA can't be trusted, who is going to replace the Americans on the project? > > You are mixing things up here. Just because the USA invented their tyrannous "Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act", for which they perversely coined the euphemistic term "Patriot Act" and there fore can not be trusted anymore for hosting anything there, why should the Americans be replaced?!?!? > >> The name and logo are owned by an American company. > > I guess, that is true, i.e. that ESF registered pfSense and it's log as a brand name. You seem upset at this. Why? Instead of some kooky conspiracy theory that ESF could be tortured or pressured to weaken pfSense, is this the *real* issue you have? >> I doubt they want to give them up to a foreign company owned by non-Americans > > Nobody suggested that. Try thinking a bit more outside the box! > For instance: A non-profit foundation could be founded in a country outside the USA, and the brand, hosting of the project, etc. be transferred to that company. A board would be elected for this foundation who just a few basic things annually to keep the foundation running. > ESF on the other side would be released of a great threat! They could continue offering their pfSense services to their customers as usual, but from now on nobody could come and force them to do things to pfSense since "they have nothing to do with it”. You seem upset that ESF controls the project. Why? >> just to make it harder for the American government to pressure the project. > > Incorporating pfSense and bringing it out of the reach of US-domestic jurisdiction would not "make it harder" but "impossible" to pressure the project. You have provided no explanation (other than “rubber hoses”) for what form that “pressure” would take. >> If the rest of world wants to fork the project because of concerns about the US government, fine, but I don't think you will get buy in from ESF [the American company that owns the rights to the name pfSense]. > > Why to fork the code base?! No one suggested that - and no one suggested to do things without - or even against - the key people of the ESF. Right the opposite. It would even protect the ESF! > >> Once again, name some names. Who do you consider more trustworthy? > > I am not Jesus to hand solutions to the community on a silver platter though point in fact, Jesus didn’t hand anyone a solution. > (but surely would be available for a *constructive* and *well-disposed*, *amicable* discussion to find solutions together!). I know of quite a lot of countries that seem interesting for a closer analysis for this cause and surely would propose one or another in such a constructive discussion. > > Generally, what Adrian proposed makes only sense, if the community - including ESF - understands the threat and decides to act proactively to fight this threat. “The community” doesn’t own the copyright on the code, nor the trademarks to the names used. Those belong to ESF. Further, you’ve hypothesized about a ‘threat’ without providing any factual basis for same. The term for this form of argument is “conspiracy theory”. Since pfSense is open source (specifically, the BSD license), “the community” (or rather “a community”) could take the decision to fork the code and create their own solution. It’s been attempted a couple times, but none of these have flourished. While I don’t encourage forks (it’s typically not good for either project), occasionally they work out (at least for a while), I don’t go out of my way to inhibit those who wish to fork. However, in any case, such a community would be prohibited from naming the result “pfSense”. > But since 33% of the ESF - namely Jim Thompson You greatly inflate my ownership interest here. > - prefers bullying, insulting, frightening and muzzling anybody who brings up the threat that we are facing, trying to strike dead any thought as soon as it comes up (strange, isn't it?), Not as strange as someone randomly showing up one day, hiding under a pseudonym, having never posted to a pfSense list before, making accusations. You started throwing accusations, and yes, I got hostile. Mostly I got hostile because your accusations are baseless, and despite my challenge, you refuse to drop it. Since your activities are not furthering the project (find bugs, or at least make proposals), you’re wasting everyone’s time. (I’d quote Spock here, but…) Goodness man, you don’t even understand what happened with Lavabit, or why the situation would be different if a three letter agency were to show up on the doorstep one morning and demand that we weaken the project. Despite my challenges (“name the law that they would use”), you refuse to respond, instead ducking for cover in your empty, baseless accusations that “it might happen”. Specifically, Lavabit ran afoul of the Stored Communications Act (http://en.wikipedia.org/wiki/Stored_Communications_Act), "a law that addresses voluntary and compelled disclosure of "stored wire and electronic communications and transactional records" held by third-party internet service providers (ISPs)." ESF is not an ISP. The SCA does not apply. CALEA (http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act) obliges telecommunications companies to make it possible for law enforcement agencies to tap any phone conversations carried out over its networks, as well as making call detail records available. Common carriers, facilities-based broadband Internet access providers, and providers of interconnected Voice over Internet Protocol (VoIP) service – all three types of entities are defined to be “telecommunications carriers” and must meet the requirements of CALEA. Since ESF is not a “telecommunications carrier”, CALEA does not apply to your proposed “FBI/NSA on the doorstep” scenario. Even the various provisions of the PATRIOT act of 2001 (and it’s follow-ons) do not apply. The most abusive of these, the so called “NSLs” are really a demand letter issued to a particular entity or organization to turn over various records and data pertaining to individuals, and an accompanying "gag order". Since pfSense has no reason to store any records, there is nothing to hand over. You could *perhaps* make the case that the config backup service could be attacked this way, but it was specifically designed such that ESF (or before January, BSDP) doesn’t have access to the plaintext configuration. It is encrypted by the remote user, and we store the result. We don’t know the keys. Thus, my challenge stands. You have yet to offer ANY legal authority under which the NSA (or any other agency of the US government) could demand that ESF make changes to pfSense. Some here in the “community” seem upset that I’ve been so abrasive with you. If you had an actual argument that made sense, you and they would see a different side (“Oh, you’re right. We should find a way to close that loophole.”) Instead, you stood on your accusations, despite any factual basis. Your "Culture of fear” argument was roughly equivalent to the meme of a couple years ago: "Did Glenn Beck Rape And Murder A Young Girl In 1990?” This hoax began as a parody of public perception of Glenn Beck’s over-the-top interview antics on his self-titled television show Glenn Beck, wherein he frequently asks his guests to disprove highly speculative and often outrageous assertions. (Just like you did.) About.com published an article titled “Internet Hoax Says Glenn Beck Raped, Murdered Young Girl in 1990”, which called the hoax a textbook example of “…how to construct Internet smear campaigns…” (http://urbanlegends.about.com/b/2009/09/03/internet-hoax-says-glenn-beck-raped-murdered-young-girl-in-1990.htm) So yes, I went after you, because the correct response here is to not let the attempt at a smear campaign stand. People love to take silence as assent. Placating you would have been a mistake of the first order. In the past, I’ve stood up to AT&T. It took a decade, and was both expensive and exhausting. I won. Fnord. You and those in the community who are upset with my behavior (whilst I was defending ESF and pfSense from your smear tactics) can bet their last Euro/Dollar/Yen that I’ll be 10X more abrasive with the US Government if they attempted what you accuse. Were I to seek a country that was at least outwardly opposed to the behavior of the US security apparatus (and its related apparatus in other countries), I might consider Brazil. That time is not now. What you probably don’t appreciate is that the actual “we write code before breakfast” people employed by ESF to work on pfSense are already outside the US(*). One of them lives in Brazil, another in Albania. Perhaps of interest. Perhaps not. At the very least, they’re not subject to US law, so it would be difficult to get them to “go quiet” about any attempt to weaken the codebase of pfSense. Jim (*) Jim Pingle does some, but not as much as the others. He does, however, carry most of the support load. _______________________________________________ List mailing list List at lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From jim at netgate.com Sat Oct 12 14:36:47 2013 From: jim at netgate.com (Jim Thompson) Date: Sat, 12 Oct 2013 16:36:47 -0500 Subject: [pfSense] naive suggestion: conform to US laws Message-ID: <9BD42070-7086-41C6-8E52-C5DB49C500ED@netgate.com> On Oct 12, 2013, at 1:35 PM, Chris L wrote: > >> On 2013-10-12 01:40, Jim Thompson wrote: >>> >>> I'm not willing to endure this uninformed Alex Jonesian crapfest. > > Nice position to take, except Alex Jones was right. Sigh. As much as this doesn’t belong on the pfsense list… I actually know Alex, or did, 13 year ago. I got friendly enough with him back in the mid-late 90s that we had each other’s cell phone numbers. Back then Jamie and I were involved with Fringeware. http://en.wikipedia.org/wiki/FringeWare_Review http://www.austinchronicle.com/issues/vol16/issue26/screens.fringeware.html Fringeware became an advertiser on Alex Jones' radio show (on KLBJ, before he got booted). On the front-end, I was a respected advertiser. Meanwhile, others associated with Fringeware were culture-jamming him on the back-end. the result: #discordia Oh, the memories this brings back. (As you’ll see, the FBI showed up to demand something, didn’t have a warrant, and was shown the sidewalk.) http://www.wingtv.net/thorn2006/jarhead.html http://www.austinchronicle.com/news/2000-07-14/77932/ Clayton, btw is a dear friend. Easily one of the most brilliant people I’ve ever known. I hope he speaks at my funeral. Other fun was had at Fringeware. We supported the Yes Men (http://en.wikipedia.org/wiki/The_Yes_Men) We actually hosted their website, as well as that of RTmark for a period in the late 90s on the same machine used for smallworks.com (which was originally the corporation behind the firewall named “Netgate”), fringeware.com, etc. One of their pranks was that they setup a website named www.gwbush.com. (http://en.wikipedia.org/wiki/The_Yes_Men#George_W._Bush http://theyesmen.org/hijinks/gwbush http://www.rtmark.com/bush.html) which resulted in Bush’s famous "There ought to be limits to freedom,” quote. http://www.rtmark.com/bushpr2.html The great untold story on this is that all these websites were hosted in a shitty office building on Shoal Creek Blvd, one floor up from the then offices of "Karl Rove & Associates” even as they fought to shutdown gwbush.com. The #irony was delicious, and they never succeeded. :-) Anyway, you might want to study up on STRATFOR, or Mary Maroney, who was the editor and chief of Infowars magazine until earlier this year. Maroney formerly worked for Stratfor and Parker Media here in Austin. If you don’t know who they are, then I suggest more research on your part. Have fun, but be careful when you enter the rabbit hole. Snowden and Manning are both late-comers to the party: http://www.newyorker.com/reporting/2011/05/23/110523fa_fact_mayer?currentPage=all http://www.technologyreview.com/news/519661/nsas-own-hardware-backdoors-may-still-be-a-problem-from-hell/ http://cryptome.org/nsa-ssl-email.htm http://news.cnet.com/8301-31921_3-20017671-281.html http://www.wired.com/images_blogs/threatlevel/2013/09/15-shumow.pdf (see also: http://www.wired.com/threatlevel/?p=85661) http://arstechnica.com/security/2013/01/secret-backdoors-found-in-firewall-vpn-gear-from-barracuda-networks/ http://dl.packetstormsecurity.net/papers/general/my_research1.pdf http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.154.825 / http://www.cs.ucf.edu/~czou/research/Chipset%20Backdoor-AsiaCCS09.pdf (now consider all the cheerleading for Intel Ethernet chips on the various pfSense lists…) Jim _______________________________________________ List mailing list List at lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From dan at geer.org Sat Oct 12 15:02:03 2013 From: dan at geer.org (dan at geer.org) Date: Sat, 12 Oct 2013 18:02:03 -0400 Subject: how to use Tor securely (Re: Silk Road founder arrested ...) In-Reply-To: Your message of "Fri, 04 Oct 2013 06:15:30 PDT." Message-ID: <20131012220203.47B2D22814C@palinka.tinho.net> [forwarded for the 5th paragraph] http://www.bbc.co.uk/news/technology-24495029 The "dark web" services used by criminals will continue to evolve in an attempt to evade authorities, the UK's cybercrime boss has warned. Last week, notorious drugs market place the Silk Road was shut down after a lengthy investigation. Andy Archibald, interim head of the National Cyber Crime Unit (NCCU), said officers identified individuals who were using the site. But he said new methods were needed to keep up with the threat. "[Online anonymity service] Tor evolves, and will resecure itself," Mr Archibald told the BBC's technology correspondent Rory Cellan-Jones. "The success we've had may not necessarily mean that by the same routes and same approaches we can get into other criminal forums. "We have to continually probe and identify those forums and then seek to infiltrate them and use other tools. "It's not simply a case of because we were able to infiltrate Tor on this occasion that we'll be able to do it next time around as well." Mr Archibald's comments came as the NCCU announced its first conviction. Twenty-seven-year-old Olukunle Babatunde received a five years and six month prison sentence. The man, from Croydon, south London, pleaded guilty to using "phishing" scams in an attempt to defraud banks, financial institutions and their customers. From adrelanos at riseup.net Sat Oct 12 11:53:38 2013 From: adrelanos at riseup.net (adrelanos) Date: Sat, 12 Oct 2013 18:53:38 +0000 Subject: [liberationtech] Whonix Anonymous Operating System Version 7 Released! Message-ID: <52599AB2.5070305@riseup.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Whonix is an operating system focused on anonymity, privacy and security. It's based on the Tor anonymity network, Debian GNU/Linux and the principle of security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out the user's real IP. Whonix consists of two parts: One solely runs Tor and acts as a gateway, which we call Whonix-Gateway. The other, which we call Whonix-Workstation, is on a completely isolated network. Only connections through Tor are possible. Download: https://www.whonix.org/wiki/Download Users of Whonix 0.5.6 and below: There is no upgrade path from Whonix 0.5.6 to Whonix 7. You have to manually download new Whonix images. Call for Help: If you know shell scripting (/bin/bash) and linux sysadmin, please join us! There are plenty of ways to make Whonix safer. We are also looking for an https direct download mirror. Whonix 7 Changelog: * Updated Tor to 0.2.4. * Installed obfs3 by default. (for obfsproxy bridges) * New Identity button on Tor Browser is now functional thanks to the Control Port Filter Proxy (#3). * Tor Browser is now the system default browser (#86). In addition, when opening a link or an html file it will ask for confirmation to avoid accidental linking. (configurable) * Graphical Whonix-Gateway (#26). Optionally, if you reduce Whonix-Gateway RAM to below 500 MB, let's say to 128 MB, you automagically end up with the usual non-graphical Whonix-Gateway. (configurable) * Whonix now includes an updater. It can not be promised that you will never have to download a new image for next stable releases, but we are on that way. Interested testers may have to download images of testing releases from time to time. * Tor networking is disabled for the first start of Whonix-Gateway. The connection wizard (whonixsetup) will automatically start to help enabling Tor or setting up bridges. This is useful for people using bridges to connect to the Tor network to hide the fact that they are using Tor. * The current Tor Browser Bundle (TBB) Alpha, which will soon become the new TBB stable, will work out of the box in Whonix, even if you download and install it manually from torproject.org. This is useful for the case that the Whonix Tor Browser updater breaks due to changes on torproject.org. Tor over Tor situation will be automatically prevented on manual installs. * Boot Clock Randomization. * Time Sanity Check. * Higher console resolution: 1024x768 (without X). * Disabled the throw-keyids option on gpg.conf due to usability issues. Enable it manually if you need it. * Fixed uwt. To do certain tasks such as installing the Adobe Flash plugin or running update-command-not-found you no longer need to "chmod -x /usr/local/bin/curl". * Deactivated the kgpg tray icon by default (#10), not perfect, but less confusing, since it will now start in foreground by default and no longer as tray icon (which was automatically and confusingly hidden by default). * Downloading Tor Browser and signature from idnxcnkne4qt76tg.onion instead of torproject.org for better security when run inside Whonix. * Time Privacy wrapper (optional). * Enable "apparmor=1 security=apparmor" by default (didn't enable enforce mode or add any useful profiles yet). * Manpages for scripts which come with Whonix. * Flexible modular .d style configuration folders: /etc/whonix.d/, /etc/whonix_firewall.d/, /etc/controlportfilt.d/. * Moved blog to wordpress.com, better than sourceforge, because wordpress.com supports SSL, closed #23. * Lots of other improvements and bug fixes which can be found under the git log. -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJSWZqwAAoJEJwTGtNxOq7vH9YP/jwBuyMyFZ4hP9AMgPHjMTHG uxYRy7mHzJIum9goghWrAgYTys3oGyHDSMTuhErcJ+bEV4jb2WAqifUa+iId8rs/ 6HeHfssctY7fHoxbaKbapMlCJ6JN0pU23RtsWsZcn5jXaldmtVHMlS4PWMuU56Mh oSuH2cw6KvsKo/QO3F7xVnYy4VNX28oEeF3dWf4keZN8Sr+Nezlci0nPYYuHCNv/ DUwv1kpSW5B5+Ki5xJW9CgiGeOtw7kwL2w4gbcI7yAywEWytCkVeDHCF/sHdqYf/ PcCpQ23FQmRBB3MKLNF1qr47uj1ninbM+EPLtZQV9vVx3Qpgcv9mnMEV2zu1/geu ydjXMZv+v3UmFvG//Uttciga7Dk4XXpY8HKglS0YkRY0E7KLOkdRvO2Y2G57EQMC Pp2UoSWv43gBtoeKNIJXwjrm7UDPvhB6UHavORIB7feeBI4ke0FN6vJ81jpwUvIm PV2yBXfBguByZvG2oRUbQbgKFcg/OfD+ydOG+SJwcqNops28VjJ7qcgsUFb4vk/m v83DzogQOB0Wz0iWBlZkBTH8OI7+HebX+ocrLuGQif9z2OHGQ2UzeKgFlg97gj6N l2rD0JWHbqPhXvLKJIzNZAWN9QAuIo0QCPPcpBWKvlaQTKalxnFsm7Gz4Pg5eSdZ cgSrquvrMEOLlNGRagZ9 =nyvS -----END PGP SIGNATURE----- -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu. ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From daw at cs.berkeley.edu Sat Oct 12 19:35:04 2013 From: daw at cs.berkeley.edu (David Wagner) Date: Sat, 12 Oct 2013 19:35:04 -0700 Subject: [Cryptography] Plug for crypto.stackexchange.com Message-ID: <1381631704.24985.33312825.0DBEAC1B@webmail.messagingengine.com> I've noticed quite a few questions on this list recently of the form "How do I do X?" "What is the right cryptographic primitive for goal X?" etc. I'd like to plug the following site: http://crypto.stackexchange.com/ Cryptography Stack Exchange It is an excellent place to post questions like that and get helpful answers. I encourage folks to give it a try, if they have questions like the ones I listed above. By posting there, you will not only get good answers, but those answers will also be documented in a form that's well-suited for others with the same problem to find and benefit from. I'm not trying to drive people away from this mailing list, just pointing out an additional resource that may be helpful. Or, if you're feeling helpful and community-minded, you can subscribe and help answer other people's questions there. (That site is like Stack Overflow, for those familiar with Stack Overflow, except that it is focused on cryptography. There is also a site on information security: http://security.stackexchange.com/ ) _______________________________________________ The cryptography mailing list cryptography at metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From eugen at leitl.org Sat Oct 12 10:38:52 2013 From: eugen at leitl.org (Eugen Leitl) Date: Sat, 12 Oct 2013 19:38:52 +0200 Subject: [pfSense] naive suggestion: conform to US laws Message-ID: <20131012173852.GU10405@leitl.org> ----- Forwarded message from Jim Thompson ----- From eugen at leitl.org Sat Oct 12 10:40:57 2013 From: eugen at leitl.org (Eugen Leitl) Date: Sat, 12 Oct 2013 19:40:57 +0200 Subject: [Freedombox-discuss] Which mesh system should be included in the Freedombox? Message-ID: <20131012174057.GW10405@leitl.org> ----- Forwarded message from Paul Gardner-Stephen ----- From tpetru at gmail.com Sat Oct 12 11:16:08 2013 From: tpetru at gmail.com (Tomas Overdrive Spider Petru) Date: Sat, 12 Oct 2013 20:16:08 +0200 Subject: who are the service operators here? In-Reply-To: References: Message-ID: <525991E8.8060000@gmail.com> I have started BRMLAB Prague Hackerspace project related to this mailing-list thread and opened wiki : https://www.brmlab.cz/project/cpunk_box It is not public writable [will follow probably], but usable as propaganda/information page. So if this thread survive and will lead to something interesting, it will be linked there, same as everything we will find altogether with people from HS and so on. Regards, ~ Over On 10/08/2013 06:55 AM, Joseph Holsten wrote: > I'm currently working on both chef cookbooks and dockerfiles for a bunch of old services I used to run in the good old days (pre 2000) of cypherpunks. Boring stuff like qmail, tinydns, pgp keyserver. But I'm dying to know what fancy new services people are operating these days. Any distributed chat ops? Blob/file storage? Remailers? Bitcoin pools? > > In another vein, what ops do you think a self-sufficient punk ought to be running? I'm thinking I absolutely need: > - Tor endpoint > - vpn endpoint (openvpn?) > - smtp/imap sever (what's modern?{ > - file/blob server (tahoe-lafs, camlistore?) > - jabber server (ejabberd?) > > (Yes, my homepage is showing a ruby script. No, I don't have time to fix it in situ. Thus setting up my own servers) > -- > ~j -- “Borders I have never seen one. But I have heard they exist in the minds of some people.” ― Thor Heyerdahl www...................http://overdrive.a-nihil.net twitter...............https://twitter.com/#!/idoru23 GoogleTalk/Jabber.....tpetru at gmail.com blog..................http://d8ofh8.blogspot.com last.fm...............http://www.last.fm/user/overdrive23 GnuPG public key......http://overdrive.a-nihil.net/overdrive.txt GnuPG key FingerPrint.072C C0AD 88EF F681 5E52 5329 8483 4860 6E19 949D -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 551 bytes Desc: OpenPGP digital signature URL: From paul at servalproject.org Sat Oct 12 02:53:27 2013 From: paul at servalproject.org (Paul Gardner-Stephen) Date: Sat, 12 Oct 2013 20:23:27 +1030 Subject: [Freedombox-discuss] Which mesh system should be included in the Freedombox? Message-ID: Hello all, On Sat, Oct 12, 2013 at 6:06 PM, Petter Reinholdtsen wrote: > > [Sandy Harris] > > As I see it, security has to be the first consideration for any Box > > component, including a mesh system. Given the stated project goals we > > should not even consider anything unless we have good reason to > > consider it secure. > > Well, I believe that is putting the cart in front of the horse, given > the current amount of people involved. I believe we first need to get > something useful that can be located in the privacy of the users homes > to get that legal protection, and then we can continue improving that to > make it more and more "secure", which is a word that mean different > things to different people and thus hard to have as a fuzzy goal. > > This mean to me that we pick solutions already in common use and > integrate it into the Freedombox, and depend on the rest of the free > software community to audit it (with our help, if someone in the > Freedombox want to spend time on it). > > > If something looks desirable but has not had an audit for security, > > then auditing it and contributing fixes if needed is more important > > for the Box than things like getting it into Debian or making it run > > on a Dreamplug. > > I am happy to hear that you want to focus on that area, and suggest you > have a look at the batman-adv mesh routing system when you find time to > audit mesh systems. > > I've concluded I will focus on batman-adv for now, as it provide layer 2 > mesh networking (as in both IPv4 and IPv6 will work) and is used by the > Serval project that provide a peer-to-peer phone system that allow phone > calls and "SMS" messaging without central infrastucture. If the > freedombox provide mesh nodes compatible with the Serval project, we get > free software phone support for free. :) > So some clarification here: Serval used to use the original layer-3 batman, and can still coexist with batman, batman-adv, babel, olsrd etc. But Serval now includes its own mesh routing protocol, for many of the reasons that are stimulating discussion here. Some of those reasons include the difficulty of making a secure fully distributed network, especially a mesh network. Indeed, this was a major reason for us side-stepping IP, and creating our own mesh-oriented network layer. We started from the ground-up by using public cryptography keys as network addresses. This means that we promiscuously share and exchange public keys on the network as part of its inherent operation. It also means that end-to-end encryption is trivial, requires no key exchange, centralised authority or other complication. Indeed, encryption is so simple in the Serval network layer that we enable it by default: you need to set flags on a packet if you don't want it signed and encrypted. Careful choice of crypto system means that it is still fast, and doesn't need huge keys. We also added an address abbreviation scheme that means that we typically have smaller network headers than IPv4, let alone IPv6. That leaves only key verification to ensure private man-in-the-middle-free communications with any party on the network -- a problem that the open-source community has largely solved with web of trust. This security platform was recently recognised at the Global Security Challenge grand-final in London where we received an Honourable Mention, coming a close second in the entire competition -- against entrants from the USA, UK, Israel and other major players in the security space. We do not rest on our laurels, nor do we take the praise of men as meaning that we have a perfect or vulnerability-free system. But we do believe that we have created something that has great potential in the open-source world, and especially for projects like Freedom Box where private correspondence (text, voice and data) on a fully-distributed self-organising network is a major objective. As mentioned, because all Serval services operate in parallel to IP, this means you can mix and match Serval service with your favourite traditional mesh routing protocols should you wish to use them. It also means that we can use interesting radio platforms that are too slow to be useful on IP, e.g., ~100kbit/sec ISM band radios that have ranges 10x to 100x that of Wi-Fi. We already have a working example of this in our Serval Mesh Extender hardware device, which also shares many common objectives with the Freedom Box. We think that we have some interesting technologies that are of use to this community, and of course since we develop them as free and open-source software, we encourage this community to take whatever they find useful, and perhaps even open a conversation for us to work out what activities and efforts are in the intersection of our needs and objectives, and apply some combined energy that will accelerate our mutual progress towards our goals. Paul. > See my blog post from yesterday, > http://people.skolelinux.org/pere/blog/Oslo_community_mesh_network___with_NUUG_and_Hackeriet_at_Hausmania.html > >, > for more details of what I have found out so far. > > -- > Happy hacking > Petter Reinholdtsen > > _______________________________________________ > Freedombox-discuss mailing list > Freedombox-discuss at lists.alioth.debian.org > http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss > _______________________________________________ Freedombox-discuss mailing list Freedombox-discuss at lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From eugen at leitl.org Sat Oct 12 12:16:51 2013 From: eugen at leitl.org (Eugen Leitl) Date: Sat, 12 Oct 2013 21:16:51 +0200 Subject: [liberationtech] Whonix Anonymous Operating System Version 7 Released! Message-ID: <20131012191651.GY10405@leitl.org> ----- Forwarded message from adrelanos ----- From nettime at kein.org Sat Oct 12 17:53:37 2013 From: nettime at kein.org (nettime's_roving_reporter) Date: Sat, 12 Oct 2013 23:53:37 -0100 Subject: Milton Mueller: Core Internet institutions abandon the US Government Message-ID: < http://www.internetgovernance.org/2013/10/11/the-core-internet-institutions-abandon-the-us-government/ > The core Internet institutions abandon the US Government [Milton Mueller] October 11, 2013 In Montevideo, Uruguay this week, the Directors of all the major Internet organizations - ICANN, the Internet Engineering Task Force, the Internet Architecture Board, the World Wide Web Consortium, the Internet Society, all five of the regional Internet address registries - turned their back on the US government. With striking unanimity, the organizations that actually develop and administer Internet standards and resources initiated a break with 3 decades of U.S. dominance of Internet governance. [15]A statement released by this group called for "accelerating the globalization of ICANN and IANA functions, towards an environment in which all stakeholders, including all governments, participate on an equal footing." That part of the statement constituted an explicit rejection of the US Commerce Department's unilateral oversight of ICANN through the IANA contract. It also indirectly attacks the US unilateral approach to the Affirmation of Commitments, the pact between the US and ICANN which provides for periodic reviews of its activities by the GAC and other members of the ICANN community. (The Affirmation was conceived as an agreement between ICANN and the US exclusively - it would not have been difficult to allow other states to sign on as well.) 15. http://www.icann.org/en/news/announcements/announcement-07oct13-en.htm Underscoring the global significance and the determination of the group to have a global impact, the Montevideo statement was released in English, Spanish, French, Arabic, Russian and Chinese. In conversations with some of the participants of the Montevideo meeting, it became clear that they were thinking of new forms of multistakeholder oversight as a substitute for US oversight, although no detailed blueprint exists. But that was only the beginning. A day after the Montevideo declaration, the President and CEO of ICANN, Fadi Chehadi - the man vetted by the US government to lead its keystone Internet governance institution - met with Brazilian President Dilma Rousseff. And at this meeting, Chehade engaged in some audacious private Internet diplomacy. He asked "the president [of Brazil] to elevate her leadership to a new level, to ensure that we can all get together around a new model of governance in which all are equal." A press release from the Brazilian government said that President Rousseff [16]wanted the event to be held in April 2014 in Rio de Janeiro. The President of ICANN thus not only allied himself with a political figure who has been intensely critical of the US government and the NSA spying program, he conspired with her to convene a global meeting to begin forging a new system of Internet governance that would move beyond the old world of US hegemony. 16. http://www.news24.com/Technology/News/Brazil-to-host-internet-governance-summit-20131010 Make no mistake about it: this is important. It is the latest, and one of the most significant manifestations of the fallout from the Snowden revelations about NSA spying on the global Internet. It's one thing when the government of Brazil, a longtime antagonist regarding the US role in Internet governance, gets indignant and makes threats because of the revelations. And of course, the gloating of representatives of the International Telecommunication Union could be expected. But this is different. Brazil's state is now allied with the spokespersons for all of the organically evolved Internet institutions, the representatives of the very "multi-stakeholder model" the US purports to defend. You know you've made a big mistake, a life-changing mistake, when even your own children abandon you en masse. Here at the Internet Governance Project we take only a grim satisfaction in this latest turn of events. We have been urging the USG to end its privileged role and complete the privatization of the DNS management for nearly ten years. The proper substitute for unilateral Commerce Department oversight, we argued, was not multilateral "political oversight" but[17] an international agreement articulating clear rules regarding what ICANN can and cannot do, an agreement that explicitly protects freedom of expression and other individual rights and liberal Internet governance principles. We have heard every argument imaginable about why this did not have to happen: no one really cared about the governance of the DNS root; there was no better alternative; the rest of the world secretly wanted the US to do this; etc., etc. A combination of arrogance, complacency and domestic political pressure prevented any action. 17. http://www.internetgovernance.org/2009/06/08/igp-calls-for-us-led-international-agreement-on-icann/ Had that advice been heeded, had the US sought to divest itself of its unilateral oversight on its own initiative, it could have exercised some control over the transition and advanced its cherished values of freedom and democracy. It could have ensured, for example, that an independent ICANN was subject to clear limits on its authority and to new forms of accountability, which it badly needs. Now the U.S. has lost the initiative, irretrievably. The future evolution of Internet # distributed via : no commercial use without permission # is a moderated mailing list for net criticism, # collaborative text filtering and cultural politics of the nets # more info: http://mx.kein.org/mailman/listinfo/nettime-l # archive: http://www.nettime.org contact: nettime at kein.org ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From eugen at leitl.org Sat Oct 12 15:07:46 2013 From: eugen at leitl.org (Eugen Leitl) Date: Sun, 13 Oct 2013 00:07:46 +0200 Subject: [pfSense] naive suggestion: conform to US laws Message-ID: <20131012220746.GA10405@leitl.org> ----- Forwarded message from Jim Thompson ----- From eugen at leitl.org Sat Oct 12 15:10:34 2013 From: eugen at leitl.org (Eugen Leitl) Date: Sun, 13 Oct 2013 00:10:34 +0200 Subject: Milton Mueller: Core Internet institutions abandon the US Government Message-ID: <20131012221034.GD10405@leitl.org> ----- Forwarded message from nettime's_roving_reporter ----- From l at odewijk.nl Sat Oct 12 15:45:36 2013 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Sun, 13 Oct 2013 00:45:36 +0200 Subject: The Great Firewall of Belgium In-Reply-To: <2616223add8c39ca68bc9e0b4cb4014e@daemon.be> References: <2616223add8c39ca68bc9e0b4cb4014e@daemon.be> Message-ID: 2013/10/11 Laurens Vets > I've been trying to uncover this list here: http://www.randomstuff.be/** > your-government-is-lying-to-**you-and-something-about-**censorship/ > > Basically, DNS requests for those websites are redirected to a government > controlled webserver. > > What other techniques are there (besides checking every site on the > internet) to try and uncover whether sites are blocked in Belgium? > 1. Legal (most ineffective) 2. Pursuade an employee of a Belgian ISP (they must have the list) 3. Brute forcing the "government controlled" webserver and seeing what it responds to (might respond to everything equally though) 4. Crack into Belgian ISP or government anywhere where the list is compiled or actually applied. (Not recommended) Up to about 8 characters a full brute-force is kinda feasible. I suspect that some blocked websites might very well have more than 8 characters, so it truly doesn't work. Using this index (highly questionable) it claims 40billion pages, which is actually kind of doable. Problem is obtaining that list, which is not quite doable. (And maybe your ISP claiming you're operating outside normal parameters) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1873 bytes Desc: not available URL: From electromagnetize at gmail.com Sat Oct 12 23:00:05 2013 From: electromagnetize at gmail.com (brian carroll) Date: Sun, 13 Oct 2013 01:00:05 -0500 Subject: [15] perimeter observat!ons Message-ID: --- code characteristics --- i was going to attempt a real-world example though it is too complicated without computer tools and lack of mathematical skills to provide a deep enough reference for real world crypto requirements. there are several ideas for using HIOX as calculus and set theory permutations that could have direct relevance yet to actually get into it this functionality is more than email provides as a communications medium. thus, in considering this possibility a generic example was considered in the typical approach, to introduce a programming language. yet even this is limited and tends to the computational enigma or knotted condition inherent in the dynamics it involves. and thus, instead of providing one of likely thousands of approaches, it was instead decided that a limit of trying to approach this situation would be provided, to get at the unique existing conditions of considering the mathematic of language and vice versa. HELLO WORLD if considering the above statement, what is interesting to me about their combined signage is that 7 of the 10 letters can be resolved in within the numeral '8' which also is the seven-segment LED display. thus the letters (H, E, L, L, O, O, L) can all be compressed into a single symbol and in its partial capacity to represent specific alphabetic patterns -not all- the domain for potentially mapped letters into a mystery word has less than 26 options of the alphabet itself: 88888 W8R8D this assumes the rectilinear seven-segment LED display or other rectilinear alphanumeric character is the basis for a common typographic standard. it has a Wheel of Fortune gameshow aspect to it, certainly. consider then a general wildcard condition, any letter number or symbol, in comparison: ***** W*R*D what does it mean. well, if it was known that there are two words, and the number count of a shared symbol containing the necessary letter is 7, then it narrows down this potential for 26+ letters +10 numbers +other symbols into a realm tending towards a limited alphabet, focused on letters alone. and if this was a known structure, then evaluation could proceed based on what is most likely within these given parameters. 88888 W8R8D for the second word ('WORLD') the more intense HIOX or Union Jack 16 segment LED display symbol would be necessary to map the remaining letters (W, R, D). thus consider that two different patterns potentially exist that could map the two words in a permutive range, such that: 88888 *8*8* in this example the asterisk would actually be the Union Jack or 16 segment display, while the '8' would be equivalent to a 7 segment display. a number sign is going to be substituted instead, to not mistake it for a general wildcard existing beyond the alphanumeric framework... 88888 #8#8# so imagine that the number sign above equates with the HIOX symbol for the remaining letters W, R, D. while the first word and several letters of the second are contained in the generic 7 segment display and its alphabet, it begins in a minimal condition already compared to the more elaborate 16 segment display. yet if considering the letters W, R, D within that context those letters when overlaid in its structure do not require the full symbol for their combined representation, that can be compressed in a shared state of superposition. please look at the following mapping of the 'segments' as annoted at from the website of a 16 segment display manufacturer... APPLICATION NOTE 1131 http://www.maximintegrated.com/app-notes/index.mvp/id/1131 each of the sixteeen segments has its own specific letter or letter-number combination to help describe what parts of the LED are turned on and off, to help map this to pin-out diagrams and programming instructions for an IC display driver else microcontroller. considering that the remaining letters in the second word (W, R, D) do not require all sixteen segments to be illuminated at once to contain all of these three letters as a potential query reply, a specific symbol could be mapped out of this 16 segment display that is closer to a 7 segment LED display ('8') with some extra detailing, equivalent to a connection from the upper left to lower right, and from lower left to middle center. yet as the 16 segment display is wider and bifurcated down the centerline (to allow letters such as W to exist, as a mirroring of two letters V|V), this comparison is only descriptive and would require the 16 segment display to start with, as the 7 segment has no diagonals or centerline to reference. alot of description that evaporates into abstraction, potentially- yet the specific idea of this is that a minimal number of segments can establish a referenceable symbol for the remaining letters W,R,D and that this is essentially a symbol 8' with a diagonal from top left to lower right, and from lower left to the middle, approximately. in the technical terms as it relates to the annotated segments from the url above: a1, a2, b, c, d1, d2, e, f, g1, g2, (which creates the equivalent to an 8 or letter B) -and- h, k, (first diagonal), m (second diagonal). this mapping of letters onto a minimized common symbol demonstates that the 16 segment display can be minimized to a smaller format 13 segments, that then limits the potential letters that could exist and be autogenerated via bit set evaluation of the placeholder symbol (#) so in other words, HELLO WORLD could be reduced to two symbols: 8,#, whereby the first contains 7 letters and the second, which is a stand-in for a 13 active segments of a sixteen segment LED display, is a custom symbol for the remaining three letters. it is important to make clear that a single symbol (HIOX, or Union Jack, equivalent to the 16 segment LED display) could render the entire statement HELLO WORLD via one symbol and yet that would look like this, to start: ##### ##### and thus the odds are much better with the following, where only a limited amount of letters are possible for a majority of the unknown characters... 88888 #8#8# the issue of structure is what is involved in this evaluation, as a hint or clue or patterning that can help consider ways that alphanumerics already relate in terms of their own internal structuring, as a display format. in case it is not readily evident what this implies, it is that those letters represented by the stand-in symbol '8' can only render a limited amount of letters, given specific rules. thus a 'W' cannot be rendered within that form, nor a letter 'V', etc. so it narrows down what letters could exist there. and likewise for the 13 segment custom symbol, an 'X' could not be rendered nor a 'T' or other letters. and thus while the probabilities for letter combinations are probably enormous (and this is provided as a test case for computer experiment, to gauge the numbers involved in a most simple display of words) there are many fewer options that exist between a combined 7-segment and 13-segment symbol permutation than a 7-segment and 16-segment display combined, given dictionaries that could find words that may fit the given criteria. so a kind of compression or packing and unpacking could exist in relation to words and symbols, and it is a question of how this is approach and how it is dealt with. if you have one symbol for both words the approach is moot, the patterns are structureless. whereas if a sequence occurs whereby an evaluation of text considers the structure of a statement, and then explores how this may be minimized into a smaller format, given rules, it would be possible to reduce the quantity of letters via such compression, into particular or peculiar symbols, that are mapped into or back onto sentences, that may have additional numeric or other instructions as a guide for this (perhaps a shared key even). in this way, the symbol 8# with 2,5 could carry the compressed statement though lacks arrangement or sequence information to where the 7-segment letters and 13-segment letters would be placed, such that various combinations could exist in two words of five letters each... 88888 #8888 8###8 88888 these are essentially impossible computations in terms of hundreds and thousands if not many more combinations of potential words and meanings, it could easily involve tens of thousands of [word1] [word2] sequences. instruction for two words, five letters each (2,5) requires an additional set of arrangement data, such that there are seven places for '8' and three for '#'... in other words, 7('8') and 3('#') 8888# ##888 #88#8 8888# the arbitrary examples shown demonstrate the variability for this mapping and thus the original words would not be possible given the sequence if it is not capable of regenerating the correct origional pattern (HELLO WORLD) so now this is getting complicated for a simple statement, such that 7('8'), 3('#') and (2,5) remain wihtin a realm of untethered abstraction. a further structure for symbol placement within words is required, to make sure that they are correctly placed or mapped into the linear arrangement. one way of doing this would be '8'{1-5,7,9} and '#'{6-10}, whereby: 2,5 ('8'{1-5,7,9}; '#'{6-10} ) the instructions: two words, five letters each, symbol '8' for letters 1-5 (first word), 7 and 9; symbol '#' for letters 6-10 (second word) 88888 #8#8# given these dynamics, and the geometrical structure inherent in letters and numbers, it would be possible to de|con-struct words and sentences into a more abstracted format that would not be readily decipherable, if the key to unpacking the data was not shared or available. this could be as simple as a minimal superposition of letters, say a J or L that are mirror-images in a given display font that could equate with a capital letter U. and thus the placement of the 'U' could stand for both of these letters. in this way it is a question of what structures are referenced and under what specific conditions, and this need not be limited by a particular display and could instead become an issue of dots and diagonals and vertical and horizontal bars that are detached from alphanumeric signs, if an algorithm exists to process statement into this abstraction and back out again. there are several ways to approach the original situation and this is only one partial approach. another would be to take the common letters of HELLO WORLD, and address the three common letters L and two letters O, such that: L,O (HE WRD) and then perhaps again the 'H' and 'E' could easily fit into a 7-segement LED display format ('8') and the WRD as before into the 13 segments ('#') of a Union Jack LED display... L,O ('8,#') and so it goes, such that the L,O, could be L,7 and yet combine into letter O, and whatever rules may exist or be applied in a given ruleset approach. the point is about existing patterns within language as a common structure or scaffolding that has geometrical attributes that can be harnessed and that has inherent meaning in the interrelational meanings between SIGNs, in that signs can exist within other signs, embedded and-or in superposition, and that these typographic or display characteristics can be harnessed, used, adapted, in terms of their transformative ability and capacity. perhaps the above example indicates that the algorithms would be larger than the statements, yet what if the distribution was offset somehow such that data could be compressed within a Menger sponge via superset(set(subset)) nesting via Fibonacci series, or some other approach. it may involve another consideration yet somewhere they could also be connected if a means of placing data was mapped similar to rules of a chess board and the arrangement of its pieces, yet with letters and numbers and symbols. the aspect of the puzzle, such that it there is a limit to its brute-force computation yet with the correct key can be deciphered or decrypted via computation, eventually to make its way into clear text. this could be an issue of manual analysis or involve many sequenced steps, where brute-force could never break the patterns down from their abstract condition because the particular perspective for the given instance is beyond the threshold needed to allow viable computational decypting- it is basically infinite. this generic abstraction is not particularly helpful yet it provides basic context for evaluation of beginning considerations, as simple as it gets in a larger realm of computers and algorithms. and perhaps this is nothing yet though if it is not an existing approach, it potentially offers something beyond the existing interpretation or limits for how data is considered in terms of its inherent signage, and whether this is hollow represetnation or filled with symbolism and meaning by default- and thus grounded in a deeper way in terms of its actual truth or floating in a subjective confined limit that contains interpretation and allows codes to be easily conceptualized within particular parameters and conventions that are already established. the short way of conveying the same idea is that the role of TYPOGRAPHY in relation to cryptography is vital in this approach, whereas its absence in crypto calculations would also signify a lack of depth in the language and calculations used, to those of iconic signs, not within their structures. in this way the calculative aspects of mathesis, of math-language dynamics within geometrical interrelation, via trans-formational and -mutational patterning, could within its abstraction, allow estoteric computations to occur beyond the known or perceivable or modeled boundary of cryptography, for those with the keys. and perhaps this is entirely of the traditional approach, the issues of compressing statements into another secret format, yet has this occured 'infra-letter' and 'infra-number' or has it remained bounded by letters and numbers, and thus not dealing with the structural segments that de|con-struct the entirety of language into smaller bits. and so that is the question and challenge and the insanity of the probabilities in computing what an ordinary sentence could be, even having the code and potentially even the key, and yet not the perspective to view it within. in other words, how is it known what plain text viewpoint is the correct one. and thus the crucial role of aesthetics and thresholds of shared literacy. (note: the above example does not consider what would be assumed involved missing steps, such as substitutions, mirroring, and other transformative approaches implicit in this calculability and hiding information within other information or altering its signage and default interpretation. it may not require computation for SMS conveyances though for twitter-level likely would involve significant processing, though potentially massive processing if trying to brute-force crack messages and it is proposed and hypothesized this could be made impossible, quite easily (via bit sets)) (one way to conceptualize it is expansion of a bit set in a bounded range, say uncompressing a bit.set string for between 3-10 letter words, and then the key would be an algorithm that hunts and pecks data out of the expanded field via particular algorithm, in this way gathering puzzle pieces within the noise field and reassembling them locally, else locating and mapping relations within the expanded interiority as a constellation or given viewpoint which could potentially shift given what key is activated, say for instance a superposition condition of mirroring, where meaning shifts given directionality and thus ambiguity is retained by default even if an observer has some of the puzzle, they may not have the right interpretation and thus multiple boundaries or mazes within labyrinths within funhouses with trapdoors leading to dungeons within castles, false perspectives, etc. the voyeur observer or surveiller not realizing they are trapped, if ever, until it is too late and their actions are bounded, further limited, led into closed rooms that get smaller and smaller with no escape possible. the danger here for the uninitiated and opponents would be following and trying to decipher the situation. this is bamboo spear jungle trap cryptography. once they think or believe they understand- it is over. as if a reverse-form of nihilism even. the transformation of one-point perspective that is ungrounded, focused on falsity and nothingness, as everything splays out the further it is approached, nothing relates to anything, everything relates with everything. madness. loss of coherence. pure paranoia. and then the clanking and sharpening of metal, ever louder, evermore near...) --- anomaly --- for sake of completeness in the previous HELLO WORLD example, it was also discovered that it is possible to compact everything into the 7-segment LED display or rectilinear number '8', if the ruleset and instructions allow for the rotation and upper- and lower-case variability. in this way... H E L L O 3 O r L d the number 3 stands-in for the letter W rotated sideways. and thus the way that this statement could be evaluated differs from the previous approach and involves different specific instructions, as would other methods. not mentioned in this approach would be the breakdown of letters into the corresponding segments and mapping these to particular letters in their various states of potential, whether mutation or transformed. and this could even be numerical, so that no words are visible in the messaging. --- note on equality --- all observations are not equal. nor are all observers equal in their POVs. the vavlue of the observations must be grounded within truth and related within an empirical structuring to evaluate views of a given perspective. and the views that are functioning in a minor truth or pseudo-truth or partial-truth are not -equal- to those that have removed falsity from the frameworks used to model and mediate and communicate this shared truth. it may not be a possible condition today, given tools and issues of literacy, and yet, those who defer to truth are not the same as those who deny it and use it to their onesided advantage to exploit reasoning via power politics. it is an important distinction that truth does not equal pseudo-truth, it does not equate with 'allowable falsity' as part of the shared relation. that is heresy as far as ideas go. errors should not be normalized yet those relying on errors could tend to believe they are equals with those who do not. the difference is that the people whose ideas are based within truth, built upon its foundation, are capable of debating the ideas and having them challenged - for the strength of the ideas is their truth, and thus the logical reasoning of hypotheses and conceptualization of reality in this condition -- removed of known warping, skew, distortion -- is the way of strengthening the ideas, which become robust through their fitness for accurately modeling a situation, and they can withstand critique and can be altered and improved, which is the obligation. whereas those who do not allow 'their ideas' to be evaluated are weak-minded and have weak-ideas that cannot withstand critique and falsification is disallowed, and thus the viewpoint is made infallible-- and yet this ungrounded relativism may still assume an equality with truth that is vetted beyond its boundary. this is an act of egotism and a conceit and form of narcissism. such views can be entirely defeated, the minor truth salvaged, yet the false worldview itself collapsed and utterly abolished for the false perspective it is. and thus "debate" within a non-binary logical framework is the threshold for the accountability and testing of the limits of a given pseudo-truth POV. in that, when reasoned outside the binary viewpoint and not allowed to rely on ideological opinions and 'true beliefs', the ones and zeros of the ideas themselves and the arguments can be dismantled and the minor truth (1) can be separated from the majority falsity (0) including lies, deception, and bad faith of intellectual posturing, and thus what is shared is truth (1) yet what is unshared and differentiated is the opponents reliance on lies and falsehoods and manipulating this truth to a onesided agenda, and that cannot simply be erased or equated with a more pure and honest pursuit in service to truth and its vital role in developing civilization, including morally and ethically. versus its corruption, bringing about its demise. these are not equal agendas or equal goals- they are antagonistic relations and thus those who serve falsity are not the same as those who serve truth. those who surveill and oppress those in service to truth, however relative their viewpoint is legitimized, are essentially enemies and opponents of this truth and are not equals are observers, thinkers, or doers. if someone does not recognize truth beyond their limited viewpoint they cannot be reasoned with, the only reasoning they recognize is power itself as truth, in that power determines what is real, what is true, what is good, etc. so this is to make a distinction between those who 'believe' things without the need for external verification of these same beliefs, as different from those who require this as a necessary process of self-auditing and accounting. in this way, when someone is pointing a cellphone to monitor you on the street, and tallying such data, they operate in a particular framework that is oppressive to others in the society, and their actions are not invisible nor without consequence. it is not simply a mistake or misinterpretation, yet this would be the relativists argument, trying to retain a shared set evaluation as if in-group when actively and parasitically hostile. (whats next- electroshock dog collars and invisible fencing for bad citizens?)these people are scum. there are leagues of citizen surveillers sustaining the embubbled false reality that cellphones and monitoring apps allow, as if subconscious to the surveillers even, as if a dream-state, as if no one notices them pointing their cellphone at people walking by, data paparazzi for the evil dictatorial takeover, these cyborg and mindless zombie the latest ground troops of successive invasions, large populations of drones that are pointing and clicking their binary ideology into existence, they are not 'traditional' citizens nor constitutionally constrained in their activities. nor should they be defended by these parameters either, for involvement in illegal offensive operations and cattle chute coordination of citizenry mapped to the warped and SUPERSECRET "encrypted" masterplan. T =/= pT empirical truth =/= relativistic pseudo-truth grounded observation =/= ungrounded observation truth =/= partial truth + massive falsehood honesty =/= lies, distortions, onesidedness MEDIOCRITY IS TYRANNY ---- Scholars in Bondage Dogma dominates studies of kink http://chronicle.com/article/Scholars-in-Bondage/139251/ Paprika, Babette's Feast, Koyaanisqatsi ¿ ç ñ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 24100 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: superposition.gif Type: image/gif Size: 1568 bytes Desc: not available URL: From BM-2cWsmYXZ1wDRbXAriL1tFwmsm4mbCAqD9Q at bitmessage.ch Sat Oct 12 18:30:39 2013 From: BM-2cWsmYXZ1wDRbXAriL1tFwmsm4mbCAqD9Q at bitmessage.ch (Johnny Carson) Date: Sun, 13 Oct 2013 01:30:39 +0000 Subject: [tor-talk] What are some free and private email providers? Message-ID: <5259F7BF.8060703@bitmessage.ch> Joe Btfsplk: > On 10/12/2013 3:52 PM, Edgar S wrote: >> I was also left hanging when tormail shut down. I've found one that >> meets my needs. Based in Switzerland. It is Tor-friendly for both >> signups and webmail. Has both an onion hidden address, >> http://bitmailendavkbec.onion, and an open address, bitmessage.ch. Free. >> The only drawback is that you have to accept an assigned username that >> is a long string of random characters. >> >> Another possibility is URSSMail http://urssmail.org/ >> http://f3ljvgyyujmnfhvi.onion. Based in Russia and Brazil. Neither are >> very friendly to the NSA. It seems to have some problems currently. I >> thought I had created an account, but then I couldn't log into it. But >> it lets you assign your own username, and is free, although BTC >> donations are requested. As I write, the hidden service is down. > I guess you went thru part of the signup process to see it assigns a > random string as your acct username / email address? > It told me the registration was "having problems." How long was the > random assigned name? > > That'd be a bit tough sending mail to general people. But, if you want > privacy... > I wonder if there's an option to enter a name that goes in front of the > email user name, like most clients or even ISPs allow? > > I guess it'd be fine for typical mail, but the entire size per message > limit is 2 MB. I too use Bitmessage.ch by their hidden service address (SSL). I use Torbirdy with Thunderbird. When I send emails to people I just enter a name into Thunderbird and that's the name a recipient sees. The email address of course is long, but I haven't found anyone that seemed to care. I dont send big files though, the 2 mb limit is low. A trace of an email sent through Tor and then Bitmessage and then to the recipient shows Tor exit node IP address, without usable metadata AFAIU what Bitmessage.ch does for metadata. There's a new Tor Mail Gateway coming online and it sounds bad ass: https://www.whonix.org/wiki/Special:AWCforum/sp/id429 https://lists.torproject.org/pipermail/tor-talk/2013-August/thread.html#29464 https://github.com/moba/tor2mail -- tor-talk mailing list - tor-talk at lists.torproject.org To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From eugen at leitl.org Sun Oct 13 01:36:23 2013 From: eugen at leitl.org (Eugen Leitl) Date: Sun, 13 Oct 2013 10:36:23 +0200 Subject: [tor-talk] What are some free and private email providers? Message-ID: <20131013083623.GL10405@leitl.org> ----- Forwarded message from Johnny Carson ----- From eugen at leitl.org Sun Oct 13 01:37:45 2013 From: eugen at leitl.org (Eugen Leitl) Date: Sun, 13 Oct 2013 10:37:45 +0200 Subject: [Cryptography] Plug for crypto.stackexchange.com Message-ID: <20131013083745.GM10405@leitl.org> ----- Forwarded message from David Wagner ----- From gfoster at entersection.org Sun Oct 13 09:20:00 2013 From: gfoster at entersection.org (Gregory Foster) Date: Sun, 13 Oct 2013 11:20:00 -0500 Subject: SafeSlinger Message-ID: <525AC830.70908@entersection.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 YouTube (Oct 11) - "SafeSlinger for Secure Communications" http://www.youtube.com/watch?v=IFXL8fUqNKY > [Carnegie Mellon University] CyLab researchers have developed and > released a new smartphone app to provide users with a free and easy > to use means for secure messaging and file transfer. With > SafeSlinger, a user can establish secure communications directly > with trusted individuals and groups in ten seconds, with nothing > more than the smartphone in their hand. > > Learn more: http://www.cylab.cmu.edu/safeslinger Mobile: > http://www.cylab.cmu.edu/safeslinger/m.html ymmv, gf - -- Gregory Foster || gfoster at entersection.org @gregoryfoster <> http://entersection.com/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.19 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBCgAGBQJSWsguAAoJEMaAACmjGtgjQzoP/RNpnrU02UmIYd1Ac+VhOEa1 bedKKGpORAOu0FTFZTXEyRHgkA3Te5smB1kC1TEVtLWf/uyUT0EGUTrKjORZ71cL n09fVTkiYYeDIWB4h0Y9j/9y2gggRqZI78mTTAtb/3M5APcQAzc0CLYhKwD2l+Oj Ko1/bI6Y92I/TuHPKqruzcCFQuhyhdu4b8+79fsu8bBUhjVmPlk0oJrSWN6of6GO 9c/K+tu1Hr374Qyibcd1ZyYqAmrkVaWTQ1GRiA7Ek5Z8G1uipdRneCCMbW0jUIPI wZ8q0bIVibwkPhMLWvgo5VY6YBCr6dwves6Ec9N7h/Q+vg5yLJTytH5vBhX6oIub hFCt1ZzbwY2dTzQPxE5xvFSTCd7lKHoi13IsD1mfs//NsexktFxCJvHw9rEYB2HB 0wQx5hiSMfbIvsYBaxEW6b1a2pyF2dPEim5rBpkZudfRm+NG3SfIWHjRn82+gwVx dRV+i/e6RuphtO7sDn7wIKIQTJmbS3MQWNX99lKZvoDonpnxmgprsidRztEFcX7s eCUEYsrdlpl/b1Qu4LCbMD5daXX6CZ1i7UQ4U5EZT7cXo12Ear2f/pbwafAgNL03 Mr6joxd6sNnX8sN+kHJ/5C2693P5XCTMfhdmIVY6OW7H/pRA/vj9dyLwLtZJdY4+ 8QkOqbCGYQjul1wGld3I =0ho5 -----END PGP SIGNATURE----- From jim at netgate.com Sun Oct 13 10:03:24 2013 From: jim at netgate.com (Jim Thompson) Date: Sun, 13 Oct 2013 12:03:24 -0500 Subject: [pfSense] not all backdoors are NSA backdoors Message-ID: <8A9B7EB1-2D12-49EE-8FE9-70D2FF25BB0A@netgate.com> It occurs to me that being more ‘conversational’ with the community might be a good thing. Describing what is happening with pfSense, and why, and engaging the pfsense community in the process could be a good thing. My first attempt is included herein. But first, on the tail of the recent thread that erupted here, consider this backdoor that someone (?) recently (?) discovered (?) in the firmware for certain D-link routers: http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/ If you read the article, the user agent string that bypasses authentication (according to the post) can be read backwards as "Edit by 04882 Joel Backdoor”. One possible Joel is Joel Liu, Senior Director-Chief Technology Office Alpha Networks: http://www.joesdata.com/executive/Joel_Liu_421313008.html Alpha Networks being a spin-off of D-Link. http://www.alphanetworks.com/_english/06_about/01_detail.php?appid=143&pid=12 They have a GPL compliance office: http://www.alphanetworks.com/_english/10_gpl/gpl.php, but you can bet they won’t ship you >that< source code. [Normally, if one is going to hide secret strings inside the binary, one also obfuscates them. An example: http://www.codeproject.com/Articles/502283/Strings-Obfuscation-System] ... In some respects, the recent thread was about fear of asymmetric information, that those inside ESF have information and access that the community does not. In contract theory and economics, information asymmetry deals with the study of decisions in transactions where one party has more or better information than the other. In contrast to neo-classical economics which assumes perfect information, this is about "What We Don't Know". This creates an imbalance of power in transactions which can sometimes cause the transactions to go awry, in the worst case a kind of market failure. Specific to the subject, the information asymmetry here is the community’s supposed inability to observe and/or verify ESF's actions. To the best of our ability so far, pfSense is both observable and verifiable. The source code is on github (https://github.com/pfsense/), and the build process is quasi-documented. Getting something like the ‘backdoor by Joel’ above into the codebase without detection would be difficult if not impossible. (There are more subversive means, which I touched on mid-thread, but they still fail in the presence of a public development process.) Frankly, (between you and I), the pfSense build process could be better documented. Truth be told: the build system for pfSense is archaic. Nobody associated with it (at this point) likes it. Simultaneously, everyone is afraid to replace it. “There be dragons…” An action-item post 2.2 (and it’s move to FreeBSD 10) is to clean-up the build system, possibly making it more like that which builds FreeBSD, rather than the mess of shell (and PHP) scripts that exists now. Having a cleaner build system could lead to better verification of the resultant bits. Another issue is the proliferation of pfSense mirrors. How do we (all) trust the bits on these mirrors, given that they’re run by parties entirely independent and remotely located from ESF? One possible solution: signed packages, and there was a bit of infrastructure put in-place just prior to the 2.1 release. We’ve yet to accomplish the rest of this, but.. it’s coming. As always, if you have ideas(*), bring them forward. Jim (*) that don’t involve re-incorporating as a non-US, non-profit company… _______________________________________________ List mailing list List at lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From bill.stewart at pobox.com Sun Oct 13 17:06:22 2013 From: bill.stewart at pobox.com (Bill Stewart) Date: Sun, 13 Oct 2013 17:06:22 -0700 Subject: [linux-elitists] Browser fingerprinting In-Reply-To: <20131007060756.GX10405@leitl.org> References: <20131007060756.GX10405@leitl.org> Message-ID: <20131014000636.44F74DD8F@a-pb-sasl-quonix.pobox.com> >Date: Sun, 6 Oct 2013 11:11:46 -0700 >From: Don Marti > >Translation: "Fine, you smug cookie-blocking nerds. >We're going to go all browser fingerprinting on you." >... >Unfortunately, Firefox appears to be highly fingerprintable. One reason Firefox is highly fingerprintable is that it sends a list of your available fonts to the web server so the server can format its pages with cool fonts instead of boring fonts if you're able to read them. That often turns out to be surprisingly unique, at least if you like fonts, and AFAIK it's not just the fonts you've configured into your browser, it's the fonts configured into your computer. For instance, my work PC has a font for the $DAYJOB corporate logo, and has since acquired a couple more fonts so I can display their newer marketing presentations correctly in Powerpoint, plus it's got the dozen or two different monospace console fonts I was trying out to find a good one for programming use, and the usual collection of Bocklin and Dwarvish and Tibetan that old hippies usually have on our computers, just in case we might need to count to nine billion or have an appropriate password entry form. When I first tested it with the panopticlick tool, it was unique; there are now a couple other similar machines (but that's "my machine's IE", "my machine's Firefox", and "my machine running Win7 with the Long Term Support version of Firefox that Corporate IT department makes us use", so it's still unique in reality.) Sure would be nice if Mozilla had an option for "only announce the standard vanilla web fonts". From bill.stewart at pobox.com Sun Oct 13 17:27:44 2013 From: bill.stewart at pobox.com (Bill Stewart) Date: Sun, 13 Oct 2013 17:27:44 -0700 Subject: A CEO who resisted NSA spying is out of prison. In-Reply-To: <20131004094627.GF10405@leitl.org> References: <20131004094627.GF10405@leitl.org> Message-ID: <20131014003459.E37CADE94@a-pb-sasl-quonix.pobox.com> At 02:46 AM 10/4/2013, Eugen Leitl wrote: >Just one major telecommunications company refused to participate in a >legally dubious NSA surveillance program in 2001. A few years later, its >CEO was indicted by federal prosecutors. He was convicted, served four and >a half years of his sentence and was released this month. >... >Nacchio was convicted of selling of Qwest stock in early 2001, not long >before the company hit financial troubles. I never liked Joe Nacchio, back when he and I used to work for the same company. I didn't know him personally (he was probably a VP by then, in a different organization); he was an aggressive sales guy who liked to brag about his Porsche. But he was also insightful about the state of the business even in the mid-80s, and anybody in 2000-2001 who didn't have a clue that the telcos were in for a world of trouble had no business running one. He might have had more specific knowledge about the specific troubles Qwest was having, but besides the overall crash that the DotCom boom was going through, the telcos had just done a huge round of overbuilding on fiber, there was a glut of the stuff because everybody was doing it, and DWDM (dense wavelength division multiplexing) meant that you had to pour a huge amount of new capital into optical hardware on the endpoints just to keep up with the Joneses, because the price per bit-mile of the actual fiber you had in the ground was dropping rapidly. From eugen at leitl.org Sun Oct 13 11:07:21 2013 From: eugen at leitl.org (Eugen Leitl) Date: Sun, 13 Oct 2013 20:07:21 +0200 Subject: [pfSense] not all backdoors are NSA backdoors Message-ID: <20131013180721.GT10405@leitl.org> ----- Forwarded message from Jim Thompson ----- From arlolra at gmail.com Sun Oct 13 21:28:09 2013 From: arlolra at gmail.com (Arlo Breault) Date: Sun, 13 Oct 2013 21:28:09 -0700 Subject: [tor-dev] Attention Otters Message-ID: <5C68F77BAD8D432BB29EC4EBEE0432B6@gmail.com> Not sure the following is entirely clear or complete, but I tried to capture the concerns from the meeting and the ensuing discussion. Hope it helps. Arlo Attentive Otter Plan ==================== Goal ---- Add instant-messaging to the Tor browser bundle in order to provide a secure communication tool which supports the free flow of information online. Overview -------- Instantbird [1] is a cross-platform IM client based on Mozilla's XULRunner. The following presents the necessary steps to turn Instantbird into the future Tor Messenger. A Way Forward ------------- 1. Remove libpurple dependence This is a trivial amount of work and changes to the build to support it would be accepted upstream. They are already considering moving libpurple, and the added protocols it supports, to an add-on for reasons of licensing/code quality. JS implementations of the following protocols exist: XMPP, Google Talk, Facebook, IRC, Twitter, with Yahoo landing soon and AIM/ICQ started but further away. 2. OTR support Instantbird currently lacks support for OTR. Two pieces are needed here: a suitable OTR implementation, and an interface between the client and that library (essentially, the role that pidgin-otr plays). To get started, for the OTR library, a js-ctypes wrapper of libotr should be used in conjunction with the message observer API. Code [2] from a few years ago towards this end has been written but probably needs to be dusted off and extended. An effort is underway at Mozilla to implement OTR in JS using NSS, which could be dropped in as a replacement. A patch has been submitted [3] but it looks far from complete, so I wouldn't expect it anytime soon. When asked, they said it won't be ready for *a while*. Should the NSS implementation fail to materialize entirely, they would still be willing to take the ctypes wrapper and libotr, as it doesn't present any licensing issues. In his analysis, Mike suggested converting the ctypes wrapper to an XPCOM wrapper but it's unclear why that's preferable. The front-end side seems like a larger undertaking. This involves not only the interaction with the message observer API but handling the quirks in the various protocols (think /me in IRC), authentication including SMP, and importing and storing long-term keys. Sukhe estimated at least a month of development time and expressed an interest in being the one to undertake it. On the bright side, the Instantbird team seems eager for OTR support and this work will most likely be upstreamed. 3. Disable logging An add-on may be required to ensure certain desirable configurations, like logging disable by default. A difference in goals between UX for the average user and the TIMBB user may force us to maintain these changes. 4. Tor controller Tor Launcher will be used as the controller. Sukhe has already reported having this working. Using only JS protocol implementations means all traffic goes through nsIChannels, making proxy support fairly easy to verify. For DNS, network.proxy.socks_remote_dns should be set. DNS SRV should not be an issue seeing as how it isn't supported by Mozilla [4]. Should test for other UDP traffic leaks. 5. Messaging window Jail it to type=content. Preferably everything is displayed in plaintext, with HTML disabled or at least sanitized with an XSS filter [5]. Disable JS and other features. Make use of all the preferences from TorBirdy. 6. Installer and updates Leverage the work that's already being done on Mozilla's updater for the TBB. 7. Deterministic builds Deterministic builds for the TBB was a major undertaking. I can't imagine this case being any different, less the experience and groundwork already laid. 8. Sandboxing Come up with a practical, cross-platform way to sandbox the application. I don't have an answer here. Maybe you do. 9. Audit - Instantbird's render attack surface (content window, XSS filter, etc.) - Crypto in NSS and how JS uses it - Interface between the UI and OTR - Proxy by-pass - And more ... 10. Translations Instantbird is available in 14 languages, including French and Spanish. However, none are RTL and we want to support Arabic and Farsi. Messaging should already work for RTL languagues though, they've fixed a few bugs to ensure it, and reflecting the UI is reported to not be a ton of work. They are definitely willing to accept patches here. 11. Other considerations - Disable Instantbird's built-in auto-updater and crash reporter - For sure OTR on by default, but maybe disallow any non-OTR comm. entirely - CA verification: TOFU mode? Pin popular domains? - Disable older TLS/SSL suites - Consider the interaction between all three Tor bundles (FF, TB, IM). Tor Launcher could attempt to authenticate and read settings from an already running control port. - Choose a different default profile folder (to avoid picking up plugins and other unsafe settings) References ---------- [1] http://instantbird.com/ [2] https://gitorious.org/fireotr/fireotr [3] https://bugzilla.mozilla.org/show_bug.cgi?id=779052#c20 [4] https://bugzilla.mozilla.org/show_bug.cgi?id=14328 [5] https://mxr.mozilla.org/comm-beta/source/chat/modules/imContentSink.jsm _______________________________________________ tor-dev mailing list tor-dev at lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From electromagnetize at gmail.com Sun Oct 13 21:50:43 2013 From: electromagnetize at gmail.com (brian carroll) Date: Sun, 13 Oct 2013 23:50:43 -0500 Subject: [22] parameters Message-ID: --- overview --- a previous example of subjective mathematics was given related to how the calculation 5 x 2 could occur across a range of 7 through 9, if the decimal place was unaccounted for yet still existed in a hidden computation. using exponentials this range can be further demonstrated, and with enough mathematical know-how potentially any whole number sum could be produced 5^.1 + 2^.1 = 2 5^2 + 2^2 = 29 5^3 + 2^3 = 133 this indicates that what is outside the boundary of consideration could also have some effect on what is occurring inside of it, depending upon how it is modeled and how the data is accounted for or may exist without such evaluation or could have ambiguities or anomalies built-into it, which can be exploited to produce alternative results in another hidden framework [5] + [2] = [2|29|133] in other words, this 'extra information' exists beyond the boundary of the numbers 5 and 2, such that for example... [5]^2 + [2]^2 = 29 if only accounting for what is inside the boundary, the result is obvious: [5] + [2] = 7 and thus the sum could actually be variable, even while 'limited', which could be an issue of ~appearance or a facade calculation that obscures other processing that could be occurring simultaneously. [5] + [2] = [sum] in other words, depending upon how the calculation is observed, reviewed, and evaluated, extra information or details could exist beyond a threshold that hides relevant data about the calculation taking place, allowing two or more calculations to occur simultaneously. thus if only whole numbers are accounted for and yet there are floating decimal point operations and fractions involved or rounding, these could be areas for exploits or holes. the skewed ideological nature of relativism is such, that 2+2 could be said to sum up to 2.3, given an authority based viewpoint... [2]^.1 + [2]^.3= [2.3] and therefore if a student were to say 2+2=4, this could be denied because it is not the same framework a given privileged perspective uses, which then all must use to pass their 'subjective mathematics' course, a great many ~theory-based University professors relying on these tactics. therefore 2 + 2 = 2.3 could be standardized as a viewpoint and function outside of other checks and balances and simply be declared true, because the calculation can be made, even while its 'extra information' may not be accounted for within the shared situation itself, and instead become the dogmatic assumption required so as to obtain the only correct answer. [2] + [2] = 2.3 // CORRECT [2] + [2] = 4 // INCORRECT addressing the extra information could be made off-limits yet still be used and required to obtain the given result, and thus by default the actual non-tainted calculation can be ruled 'out of bounds' for not acknowledging or ceding to the default biased assumption, which skews the calculation. [pT] + [pT] = [range of pT] [T] + [T] = [empirical truth] it really matters where the boundaries are drawn and how they are accounted for, because it would be wrong to assume 2 + 2 = 2.3 without recognizing the role of exponential power in altering the whole number values. in this way, what is false can be equated with what is true, yet only because it is not resolving anomalies into a truth-only framework, and it is this leeway or skew, warping, distortion, and bias that can force false perspectives in this same way, computer modeling of society and issues of surveillance, where 'terror' may be mapped onto citizens en masse, via criteria that are beyond actual accounting or oversight -- if not due to issues of language and psychology that are allowed given a privatized corrupted worldview via the broken US Constitution, allowing private man to manipulate events in that finite, limited framework so it firstly benefits male-male historical relations. what if, for instance, a cabal developed whereby by privilege of this viewpoint, e.g. a hostile homosexual male point of view was the grounding of the surveillance state, and its associated politics as this relates to harassment of citizens or being blacklisted or even denied healthcare. that is the same issue of accountability and boundaries and how moving goalposts allows these types of abuses to exist within the system and systematically become the basis for oppressive institutionalized behavior. and thus, in the above example, what if sexual harassment were to occur via surveillance in that peculiar context- that the private male-gaze of the state is trying to out a citizen, and that type of extra data involved in calculations. it is perhaps absurd, though perhaps not, if unregulated and unaccounted for. the larger issue being that computer models can likewise be bounded and allow ~privileged ("royal") interpretations that are ungrounded or skewed by default of not accounting for binary biasing, subjective (A=B) evalautions, and relativistic framework that operate only or primarily in pseudo-truth and its evershifty onesided "reasoning" er ~processing, which can brute force a resulting false perspective that is presupposed to be shared by all because it can be thought and believed to exist, by fiat of everyday SIGN-BASED "computation" that is essentially saying: i see, i say, i believe myself. and this extends into: we agree, we believe, this is shared reality. the problem with this situation is life and reality are more complicated than this simplistic framework and yet if error-correction is not allowed or views outside the particular boundary or that question it are silenced, then it is a self-sustaining bubble environment of close-minded believers in a particular finite view of partial truth that is equated with universal truth, such that pT=T. yet also, a particular individual viewpoint takes precedent over all the others that have better information or do not rely on errors, which instead can just be ignored and denied as 'less than'. individual.pT > group.T the way this should ideally work is that the empirical truth of humanity would error-check and correct the individual partial truth, yet if the individual POV is ruling over humans, then it becomes 'the law' by way of power, 'the truth', albeit virtual, ungrounded, disconnected from reality. individual.T > group.pT the way democracy should work is that this feedback of individual viewpoint into the larger empirical framework should be embraced, welcomed and not shutdown by censorship or other means, yet this is instead what occurs in educational institutions and society at large via conformist 'true belief'. dictator.pT > citizens.T in this way, state cyberattacks against citizens could break equipment to force silence and enforce ideological boundaries, to make sure feedback cannot occur which challenges the ruling viewpoint, even though warped and reliant upon errors, false beliefs and incorrect assumptions dictator.power > citizens.truth (empirical) the idea then of accountability is that this process is reversed and held to account in a legal framework of constitutional law, else it is denied and the functioning state is illegal, beyond law, exploiting its citizens dictator.power < citizens.truth private.POV.pT < public.TRUTH relativistic.pT < empirical.TRUTH so a situation in a failed state could devolve to the point that a private police state is on the offensive against the public human state... private.police-state > public.human.state and this very situation can likewise be reversed... private.police-state < public.human.state thus, in terms of mass surveillance these various categories and boundaries can help shape the policies or lack of oversight or incapacity to reason about what is occurring in the terms it occurring within, due to illiteracy which may be inherent though also enforced, via silencing, censorship, and blacklisting and destruction of other viewpoints that challenge and seek to change the false perspective to a more accurate, accountable shared view private.mass.surveillance > human citizenry private.warped.politics.pT > human.TRUTH relativistic.power.pT > empirical.TRUTH evil.rogue.state.pT > human.state.TRUTH in this condition there is code, signage, language and algoritms, numbers flowing through equations said or believed to /represent/ the situation and peoples interests, yet what [people], how is this defined and accounted for and to what degree is this false, based on the surrounding evidence of a despoiled environment and broken civilization, from minds to products to institutions to ideas, a total and complete manufacturing of failure, and thus the centrality of the role of ILLITERACY in allowing and enabling this status quo, basically by going along with the existing outdated paradigm, incrementally improving upon ungrounded and biased assumptions, and so-on the big picture idea is that you would not want to limit or censor or skew or force a perspective upon reality that is inaccurate or limiting or false as that would bound what can be known and interpreted, yet this subversion could occur in a state computing or other scenario, such as with quantum all-seeing distributed networked supercomputing whereby 'the ambiguity' is forced into a narrow ideological framework and cherry-picked to get results or supporting data that allows actions to be justified via these corrupted models-- corrupted in their relation with ideas, the observation of signs as if 'the reality' versus referencing it elsewhere, conduits not things-in-themselves. such a confusion or idiocy could lead to citizens being perceived and treated as if potential terrorists, by default of a too limited onesided evaluation of the data, and its forced binarization into the same old relativistic private gaming that constitution 'history' allows the danger is that this is the *default* condition, the rules organizing and quasi-governing systems, the capacity to legitimize this activity via 'biased processing' of binary ideologues which force privatized reasoning into these false and error-ridden frameworks as if 'universal truth' by the very declaration of a shared perspective and denial of any other evidence that does not fit the model or challenges it or inconveniences that view, and this situation has been normalized, equated with 'public agenda' even and therefore the oppression exist within minds, and interpretations and this involves illiteracy if not malice and mendacity to the human project and its existing outside-the-lines is how it is allowed to continue, for the parallel activity is not being accounted for in the calculations, it can be sidestepped, and in doing so, takes on all the force of law-- as language, ungrounded sign-based communication substituted for truth itself. this then enshrined in technology, the operating system of the rogue state, and in individuals and society via institutional and mass media programming such that behavioral compliance is the first and ultimately the only choice (this possible because "logic" has been removed from calculations and thus the biased subjectivity of A=B observations the basis for such politics, uncorrected and uncorrectable relativism is the carte blanche powerplay) --- literacy and observation --- so rationalization can be in error and this is proposed the default situation with the flawed frameworks that exist that society malfunctions within, most especially issues of money and [economics], which relies so extremely on privately skewed pseudo-truth that it is the antithesis of the principle of economy, and yet unaccountable to this empirical reasoning. the rationalization of a finite viewpoint, a partial infinitesimal slice of larger situation by a particular observer/s and framework, then can reduce via CENSORSHIP what data is inside the model and held outside its boundary while also including other hidden data that remains unaccounted for, as bias and skew and warping and distortion, that is unable to be calculated in terms outside the perspective. it is disallowed, becomes faith-based, and an answered question- institutionalized. "this is true because it is good for us, etc. "if you do not accept our truth you are bad for us, etc. this reductionism is tied to a limited rationalization, which is based on observations by people who agree or share a particular framework or view, yet this is not inherently grounded and removed of falsity- instead it is inherently pseudo-truth and reliant on errors biasing and warped beliefs until corrected, removed of these-- which is where the societal short-circuiting occurs, the lack of any need or requirement to do this outside of a private framework and belief system or private POV or ID. say sex or gender or demographics or political party. there is no requirement to acknowledge 'truth' existing outside this private boundary, as per the US Constitution (!) and therefore, this choosing-truth becomes a RIGHT of private citizens, and this collapses a larger shared public framework by dividing and subdividing again and again across every issue and viewpoint until there is no shared perspective for issues -- only infantile babbling (this in a context of the internet as global adolescent playpen, likewise) so in this devolved condition, an unnatural state of illiteracy exists where the 'common framework' cannot be allowed or established, either by hostilities of others, including the state, manifested by private attacks via representatives of its ideology or by official state action itself, else the incapacity of people to communicate in empirical terms about the situation that exists, removed of biasing or boundaries and thresholds that create exceptions to everything outside a given viewpoint, which can either be incapable of acknowledging what exists to retain equilibrium in existing conditions, or also has no shared framework to communicate within, for the perspectives beyond a given specific limit. in that, the common structure is absent from social relations, the education system built around this division of thought and action, whereas what is needed is a generic or generalist viewpoint that transcends the finite specialist awareness and its limits to shared considerations within a given boundary. in other words, the ability to communicate and understand -across boundaries- has been lost in the very era when humanity is most connected by technological tools and yet there is SILENCE about the issues that exist in the terms they exist within, when instead the 'representative media estate' and its failed role as representers of public will themselves have collapsed, having no backbone for real questions, perhaps due to hidden dictatorship and real-world consequences of going against the prevailing private agenda. if people were able to logically reason beyond binary viewpoints the issues that exist could be dealt with forthrightly in a constitutional context, yet the very absence of this, due to forced illiteracy, prevents it. the very educational system that is supposed to uphold ideals of such feedback itself destroyed and disallowing viewpoints beyond the correct perspective within classes and thus formatting minds and manners and relations this way that results in total incapacitation of the population to deal with its own situation in the state, which leaves corporate citizens the only competent selfish actors ('virtual citizens'), legal entities which now basically are representers of a portion of a privatized public viewpoint, those whose careers align with the given agendas, whether health-care or high-tech or privatized state and federal bureaucracy itself -- against the citizenry. a cannibalistic exploitative self-defeating, oppressive ideological policy that stands-in for polity in a mass mediated internet-is-TV surrealism, everything moving lock-step in the same direction of a global wind-up watch, whether it is realized or not- it is a gigantic automated machine, and people are effectively and essentially enslaved, imprisoned within it and by default function against one another via these insane dynamics, unless accurately accounting for the situation beyond enronomic beliefs "truth itself" is not being accessed simply by communicating viewpoints within language, and yet this is the assumption that allows all this to occur without correction. instead, truth must be secured. and thus if it is trapped within ideology, that must be addressed, evaluated, transformed so that it is not a hidden limit and that such warped dynamics are neutralized and what is true can be freed from a constraining falsity. and to do this requires logic that goes beyond the prevailing binary ideology that is at this moment celebrated as a triumphant revelation of a friction-free life in a future-world, a religious-like transcendent experience -- "if only you fully and truly believe, then you can code your own reality, our reality" -- and this is outright fucking false. idiotic. it is an absolute scam. massive INSTITUTIONALIZED BULLSHIT. this is private religion that has taken over the educational system in the form of underachieving technology and associated 'agendas' that further inculcate the mindless drone roles for populations, outlawing questions beyond the given limits and boundaries. it is essentially an antihuman policy, removing human values, replacing these with machine values for a class that exploits and benefits most from this approach, yet remains hidden as a middle-managing elite. going along with this situation, you survive. questioning it, you are removed from the society, become a commodity, a natural resource, guinea pig, lab rat, etc. relativistic 'literacy' allows this, as long as you share the POV you can ignore the negatives and proceed and succeed within society, even though it is costing you your humanity as well as the humanity of others, who likely are heavily oppressed by the same activities some people need to survive, while others deal with the ecological or social or economic impacts of the few or some who survive at the expense of the many, including nature itself in that greed has destroyed the environment and living systems to the point that natural wealth has be obliterated via this same systematic processing beyond the boundary, then. the price of clean air or water that is not filled with chemicals. a world where breast milk is not laced with fire retardant or psychiatric drugs. these issues do not get accounted for nor are they corrected in the 'data processing' of civilization. it is instead allowed to continue as a ~normalized situation, ad absurdum ad infiniti so the issue of observation is directly tied to that of perspective, the framework that defines the viewpoint, what the parameters are for the observer and observation, and this conceptualization is critical yet also is lacking as an awareness. society while highly visual still consists of citizens without rudimentary skills for communicating ideas, especially in terms of diagramming at the level of cave people about what is going on. instead it is pushed into sign-based linear communication, versus a more pure and basic evaluation of hypotheses and recurring models of questions and situations that can be referenced again and again, versus writing a new viewpoint over and over, rewriting, resaying, trillions of times over the point being, the observer as an entity, a person or surveillance cam, is not conceptualized in an accurate grounded way by default, and instead relies upon a 'partial literacy' that is established in pseudo-truth, and this ungrounded condition itself involves boundaries related to viewpoint and ~perspective, limits to what is seen and unseen, what is allowed to exist as parameters or not allowed, and this [variables] of observation then are also involved in the issues they connect to and are reliant upon thus, the surveillance camera that peers into the world is not by default in a state of 'empirical truth' in terms of its operation, it is probable it exists in a partial-truth (pT) that involves skew and distortion and binary bias that influences its interpretation, and that this exists in a private framework via constitutional law, that can allow boundaries to be edited and crossed by its corrupted, relativistic (A=B) subjectivist POV, whereby some private citizens may surveil others for political advantage and there is nothing to stop this from proceeding in these same terms, if there is a breakdown in the language itself needed to correct the errors, because these issues are not calculated inside the box, instead they are hidden, parallel computations that involve psychologies and agendas, the realities of bullying behaviors of oppressors, the traits of domination needing display by those believing themselves more powerful, to prove to the oppressed their superiority via such aggression. it is an issue of limits, just as with people who may 'keep out' views or beliefs or truth they do not want to acknowledge because it negatively effects their own version of events which best suits their particular private conditions in other words, limits and boundaries and parameters are involved also in 'not seeing' and thus censoring what is seen or observed or related to, via how this is calculated, processed, considered, and in what logical terms thus, the surveillance camera can have a warped POV as it looks into the surrounding world, it can be interpreting situations in skewed frameworks that rely on errors or ignore facts and data and omit vital dynamics from the models used to evaluate situations. and yet they stand in judgement as do people, as if the action of observation is itself directly connected with -absolute truth- by default, which allows lies to be structuralized, beliefs to take over as understanding and shared awareness, the partialness the realm of exploit, the area of failure in approach and understanding, such that the ideology appears to be that "truth can be engineered", if not via simply forcing a perspective that is shared by the masses as if reality local and global, relative and empirical, many individual views of a larger shared truth - yet what if it is only partial, and censored, or limited or not calculated accurately and thus it does it not add, realistically, in that what is said and is believed to represent the situation actually is not capable of this, and in some sense, this representation is corrupted. what if these limits and shared frameworks are based in errors if not lies that are unaccountable to correction, even by ego-based beliefs such that an observer views themselves as infallible, this narcissism, and that the condition of relation is stuck in this broken dynamic and thus perspective cannot get beyond it or outside the skew and instead relies upon it, this to include organizations and ideological and individual belief systems, as if the global population is to some extent viable, certifiably crazy. then what? how do you get to shared observations in truth if the processing of events is skewed and strange calculations are normalized and shared as the collective abstraction, and yet this is inaccurate, untrue, false, bad even what if this condition of partial literacy of specialists is nested within a larger illiteracy of the shared condition, via set(subset) relations: society (individual) illiteracy (partial-literacy) if people were to try to communicate, most likely it would need to occur beyond their private boundary to get at what is going on -at scale- within the larger society, yet these views could likewise be contained within a warped, skewed relativistic framework of each person if ungrounded in their views, such that their right is to censor or limit external truth, even if partial, which then bounds this larger social connection to only subset relations in a shared language or viewpoint. thus, "classes" or shared sets of parameters that limit the macro-organism and prevent a supraorganism from ever existing at the level of the state, everything divided this way --- what is literacy --- vital basic knowledge and skills are missing from society today and this limits what connections people can have and in what terms, and this is the result of the way people are educated, in what frameworks and beliefs and via what methods and curricula, skillsets and pedagogy, and relationships literacy involves a human component and is assumed based within nature, though exists in a context of technology that "interprets" environments. most simply literacy seems to correspond with accurate observation and awareness, such that what is perceived corresponds to what actually exists, to some degree of fidelity, from partial to a more complete understanding as this involves limits and boundaries of perception, modeling of ideas thus if a person is near a bridge and they view a streetlamp, they may recognize a streetlamp and correctly observe it, via pattern matching based on previous experience. and perhaps they notice certain variables- that it is a particular type of streetlamp, its color, height, material, and then they are on to the next observation and so there may be some inherence in the groundedness of such observations in that, within particular limits- there could be empirical truth that is relativistically evaluated and this could be accurate and thus a basis for general observations could be considered 'literate' to some bounded extent another person could see the same streetlight in the context of a bridge and notice the wildgrass and embankment it is situated within, could notice the bugs and spiderwebs inside the glass case, know a little history of the infrastructure, consider the aesthetics of the concrete bridge versus steel or aluminum armature for the light, its brown color as camouflage to blend into environments as this relates to infrastructure (green transformers as if bushes, grey telephone switches as if rocks) and consider the poetry it may involve under the existing cloud cover and melancholy mood, whereby in its detached condition it is as if a statue watching over passersby, and perhaps is imagined as silent witness to the same day in the same moment a third person could exist who has access to all empirical knowledge of a common data model, and thus when observing this same streetlight scene they could access the history of the lighting type, the type of bridge span, the name of the bolts visible, and reference the street lighting system to then consider the name of the particular color of paint used on its surface, the composition of the particular metal, what the names of nearby plants are, the sound of a bird catalogued and identified to its specificity, and then to review the history of concrete- that any such observation would map to what is known about what is observed- whether by natural instance of the distributed yet entangled empirical mind or via technological apparatus that queries a database and then pattern matches against such parameters- and in this example it would be proposed unlimited, to a certain boundary that then is unknown or not yet modeled this way-- thus a threshold area where questions exist and hypotheses are actively interpreting the data the omniscient-like awareness of the third example is not different in its truth from the first, which is proposed to correlate with A=A awareness. though it may be more involved or function well beyond the particular limits of observation of a given observer, based on what parameters can be evaluated. someone who sees the paint and notices its color may do so to some degree, yet another observer may match this to an actual color sample and name via data query, or know of the molecular composition of the paint and consider this in relation to that of the metal used in the streetlight armature. so a limited view could become more comprehensive and yet there could be instances of literacy in all these cases, though some observation may be more knowledgeable or access more detail or contextual data or understanding and more accurately model the situation in the totality of the dimensions it exists, which could be a vast many, given what is being observed. and it is that question of the potential observation, what is the potential knowledge that could be yielded from a situation, as if via a live archaeological dig (yet interdisciplinary, across all disciplines in all their dimensions as a shared empirical framework)... such that a given plot of space-time could be accounted for in its entirety, conceptualized and empirically modeled... and what if such modeling could one day be remotely accessed via tools, to allow extended literacy of the group into individual situations, and what if technology helped this to occur versus became a limit for any such interactions with nature and ourselves beyond a warped configuration hell-bent on keeping this capacity away from humans you would need to have a common model for observations that society would be developed around, both in the way people think and consider ideas and communicate and in how tools allow access to this knowledge, which then becomes a basis for shared governance. what is a critical difference between the most basic pattern recognition (streetlamp = streetlamp) versus its N-dimensional consideration, is that limits may exist that bound a given observation to particular views or a particular interpretative framework, and thus the sliding scale of literacy as it relates to people seeing what they are able to see based on what they know and what they think about. thus an unthinking person may not see what is directly in front of them because they are not aware or are 'elsewhere' in their relation, whereas a person who observes what is in front of them in terms of physical artifacts may not have words or language to describe or define what they are seeing in the terms it exists, or it may be crude by comparison to someone with expert or specialist knowledge who knows the particular details a situation involves - thus the information of the utility person and gardener and structural engineers and maintenance crew and this could be an issue of parameters- what experience does a person have who is observing, as to what can be accounted for in the observation and thus, a person who knows chemistry or biology or particular ecosystems or city history would have a further expanded understanding of the context for what is observed in its given dimensions, as they may or may not apply directly to the streetlamp, in situ, as it is evaluated in given terms. literacy could be unbounded, or bounded and infinite, and could involve a *potential* such that observations of an event could cross various limits or categories of consideration, based upon the parameters of evaluation accessible and used by the observer. relational navigation of structural frameworks of the empirical model, as signs and systems interrelate and interconnect across various dimensions, this the ecology of nested sets dynamics, the interdisciplinary yet integrated empirical perspective. now an individual may have a limit upon what can be observed and known in their particular experience, yet questioning could exist beyond this limit and thus face that threshold condition of 'not knowing' and yet not having data to learn from either, perhaps comparable to a wall of illiteracy. and this could be rather immediate for most everyone to some degree or other. yet a transformed relation could exist, whether natural or augmented that allows such data to be queried and thus each person could reference such a shared empirical model and surpass these limits, answer and consider these questions, and build up a higher resolution model and understanding that is removed of errors or wrong assumptions, and thus operate in A=A fidelity, evaluated in terms of an error-corrected contingent modeling of truth, versus relying on a local particular view based in pseudotruth by default what is more, someone could have access to omniscient technological tools and yet have faulty modeling, ungrounded and skewed observations based on wrong assumptions that rely upon limits and false frameworks, and thus while they could access 'greater knowledge' they may be censoring or editing out data and only seeing certain views yet also biased, warped, distorted observations that are shared in this shared computational state; and thus to some extent in their inaccurate observations (A=B), even while having advanced technology, could be less literate than those without the same tools, because their modeling is wrong and limited and bounded by a certain ideological interpretation, thus preventing accurate observation to some limit or degree or within certain dimensions; pattern matching could for instance be crude in such an approach, yet not be accounted for in its error-reliance nor in its deviation from lawful existence with others who are in the same environment, yet may not be evaluated in these terms thus, a class or group of people could have such technology akin to highly advanced Google Glass that functions as technological eyeballs connected to databases, and they could be surveilling others via this covert capacity, yet the pattern-matching could itself be off, inaccurate, flawed, and thus false positives could exist, or 'truth' that may be inside that viewpoint may only be partial, yet believed absolute truth, for lack of any outside accountability for the error-rate it involves. and that could then lead to a false perspective for the surveillance cameras, who peer outward, in that what they are seeing may not be 'reality itself' and instead could involve and does involve warping, skew, and distortion by default of ideological biasing and relativistic frameworks, in the context of absolute truth, beyond that given boundary, to include all truth of the shared situation. such a technological viewpoint could be self-sustaining, not requiring an outside validation because it is 'above' or governing over the destruction of civilization- yet its presumption of superiority and correctness, as with assumptions that signs wrongly equal what they signify, could ignore external truth and operate within that threshold and limit and parameters that allow a onesided viewpoint to persist unchallenged and without regard to truth beyond that contained and managed boundary. say, all truth that exists that is not contained within the model, yet viewed subservient to it, such as the cosmos itself in its entirety and all that it involves. and thus to take a finite limited perspective and privilege it over all other truth, by denying or ignoring or oppressing and silencing it, then can also establish certain dynamics that are mediated in terms of relations, this is to include those that are perceived 'lower' when they are in fact 'higher' in the realm of knowledge and awareness and understanding of what is, yet the power relations in a corrupted society may exploit this and allow the partial view to manage and rule over the human viewpoint, instead, which replaces truth with its substitute, aka the global false perspective. in that corruption, technological tools for those in societal systems then seem to encourage incapacity to change these parameters and limits, and school systems actively censor and punish independent thought and ideas that do not conform to the limits and enforced boundaries, and it is these vary constraints that the machinery requires people to submit to in order to function as it does today. else everyone is a potential wrench thrown into the ideological works, and thus must be discarded as a threat to the maintenance and smooth operation of the warped wheelwork, biased gearing. a savagery and violence exists in the realm of stopping thought and ideas and human actions via these same viewpoints, stopping communications and basic relations, reference to the dimensions that exist via accurate modeling and portrayals, instead this brings on punishment, retaliation, aggressions those who defer to truth are connected with humans, yet though those who require truth to defer to their private viewpoints are not the same, they have given up something essential to get where they are, and they require the limits to be what they are, in order to succeed in that given approach, yet this is the same requirement of the broken tools and broken society, that it remains broken and this be normalized, for some to succeed within the system while all other humans fail and are subjugated by this agenda the binary computer is the artifact that maps directly to this same flawed modeling and the oppressive political ideology that rules over civilization as a state of disease, focused upon death and money and SHIT, to be honest, as its ethics and morality, as if fucking people over is a virtue somehow, and then this encoded into peoples minds, relations, activities, and into the code and software and hardware that subverts the tools and allows them to be exploited, broken, and crippled if their use is beyond the boundary or jeopardizes the feelings of the ideologues who just want to feel safe, and so activities and thoughts that they are threatened by become limits, as it does not serve their governing agenda, and so on, as this involves what is not accounted for in the given calculations in surveillance society the thing is, you could have the most advanced technology in the world, say a distributed network of quantum supercomputers -- yet if the modeling and viewpoint and interpretation inside the device is flawed and biased, in can instead serve tyranny and become the foundation for lawless oppression over a captive population. the way people think, their psychology and the limits and frameworks they rely upon matter, it influences and effects how the tools develop and who they serve -- some private subset or the human public and thus the minds that are managing the technological works cannot by default be assumed to have access to unfettered truth, nor should they be allowed to operate under the assumption of infallible decision-making that is reliant on binary views, a too simple simplicity for issues at stake, and instead accountability _must occur at this interior level in terms of A=A accuracy in a model of empirical truth, and not A=B or B=B inaccuracy that is normalized via biased relativism of a privatized hidden mindset that is assumed 'true' by default of being able to communicate via signs as if the signage itself is self-validating. that is madness, diagnostically. there is no reason to believe the interior perspective is actually either grounded or sane, given the standardization of mediocrity. it is far more likely it is corrupted like every other institutional system and operates in parameters that are inaccurately mapped to reality and decision-making occurs within those warped and skewed frameworks by default. it is highly probable and extremely unlikely spontaneous empirical truth is generated within existing binary, relativistic contexts, now matter how subtle. in this way, the same flaws inherent in the desktop and networked computer systems of today, yet at the core of the state, and likewise equally able to be fully exploited for a private onesided agenda unless brought under control and audited and answerable to the human public it supposedly serves in its mission. that is a notion that cannot be based on hidden trust and requires accountability and oversight and understanding of the processes and models by which these perspective-machines are tabulating citizens into state modeling and how private corporations are likewise exploiting these dynamics for profit, both political and monetary. the tools are inherently flawed unless removed of error. they do not start clean, especially if protected in their error-reliant processing. they must be held to a higher standard than personal evaluation and 'true belief'. such religious faith in technocracy has no place as a ruling ideology because its values - the parameters of its perspective - are machine-based and thus it is trivial to edit out human details and awareness and provide a false viewpoint by which to observe, peer into peoples lives and oppress them via this same infrastructure. the core problem is thinking, belief that is detached from its accountability to and service to greater truth. a subverted state that is attacking its own citizens via cyberwarfare is a state that is attacking itself, except the equation can be flipped... private.state > public.state private.state < public.state accountability can occur in reverse, the panoptic lens can force review of situations beyond account due to limits used to hide political agendas. the evidence of an offensive against citizens indicates corruption at the core and that these same tools are being exploited for private political gain and should not be allowed to continue under the existing management, as the continued operation of the surveillance infrastructure under the existing terms is a threat to citizen and the larger society for lack of accounting for a larger truth than what exists on the inside within a finite worldview the only basis for accountability will be empirical truth removed of lies and falsehoods and too highly constricted limits to what can be discussed about what the issue are and how they are modeled via code, programming, software and hardware tools. people have a right to know how they are being modeled and if these models are accurate. it is certain they are skewed and biased, given institutional and societal adherence to binary ideology, the lingua franca of today. something vital has been lost and needs to be recovered. truth needs to be secured, in peoples minds and within the core of the calculations in technological society. anything less is tyranny, and the basis for its legitimation, sustenance, and further antihuman extension (if the state is operating within a false perspective it is a threat to everybody and must be corrected. there is every indication this is the situation. if this false perspective is used to interpret surveillance, then the models themselves must be reviewed for their accuracy, it cannot be assumed as a preexisting condition simply due to sign-based beliefs.) icepick, sawmill, electric winch ☎ <---> ☎ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 43915 bytes Desc: not available URL: From cathalgarvey at cathalgarvey.me Sun Oct 13 17:28:11 2013 From: cathalgarvey at cathalgarvey.me (Cathal Garvey) Date: Mon, 14 Oct 2013 01:28:11 +0100 Subject: [linux-elitists] Browser fingerprinting In-Reply-To: <20131014000636.44F74DD8F@a-pb-sasl-quonix.pobox.com> References: <20131007060756.GX10405@leitl.org> <20131014000636.44F74DD8F@a-pb-sasl-quonix.pobox.com> Message-ID: <20131014012811.6d6463f5@Neptune> > Sure would be nice if Mozilla had an option for "only announce the > standard vanilla web fonts". Check out firegloves. It's outdated, and I'd love to see it getting some love, but it's a great POC for anti-fingerprinting in Firefox. Still works with Iceweasel 20, so it's aged well for an apparently unmaintained academic project. Among the key features; a restricted set of fonts sent to sites, possibly including cycling the fonts randomly to confuse fingerprinting by recurrent font-lists. Note though, it breaks some websites in a manner akin to fascist-maxima-noscript. So you'll sometimes need to disable it; Paypal is a good example. User-agents are the devil, though, because whatever about other sources of browser entropy, the User Agent is a big honking bonus score every site gets for zero effort. Worse, most efforts to minimise User-Agents can end up maximising them instead, and there don't seem to be any *current* lists of "most common user-agent string" to work from to reduce entropy. I've set mine to a super-generic-looking Windows/Firefox setting, but as other people upgrade their browsers and OSes and as architectures get more diverse, browser UAs are getting more and more diverse, too.. I vote we ditch them entirely and just assume that all browsers to HTML5 or GTFO. On Sun, 13 Oct 2013 17:06:22 -0700 Bill Stewart wrote: > > >Date: Sun, 6 Oct 2013 11:11:46 -0700 > >From: Don Marti > > > >Translation: "Fine, you smug cookie-blocking nerds. > >We're going to go all browser fingerprinting on you." > >... > >Unfortunately, Firefox appears to be highly fingerprintable. > > One reason Firefox is highly fingerprintable is that it sends a list > of your available fonts to the web server so the server can format > its pages with cool fonts instead of boring fonts if you're able to > read them. That often turns out to be surprisingly unique, at least > if you like fonts, and AFAIK it's not just the fonts you've > configured into your browser, it's the fonts configured into your > computer. > > For instance, my work PC has a font for the $DAYJOB corporate logo, > and has since acquired a couple more fonts so I can display their > newer marketing presentations correctly in Powerpoint, plus it's got > the dozen or two different monospace console fonts I was trying out > to find a good one for programming use, and the usual collection of > Bocklin and Dwarvish and Tibetan that old hippies usually have on our > computers, just in case we might need to count to nine billion or > have an appropriate password entry form. When I first tested it with > the panopticlick tool, it was unique; there are now a couple other > similar machines (but that's "my machine's IE", "my machine's > Firefox", and "my machine running Win7 with the Long Term Support > version of Firefox that Corporate IT department makes us use", so > it's still unique in reality.) > > Sure would be nice if Mozilla had an option for "only announce the > standard vanilla web fonts". > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: not available URL: From eugen at leitl.org Sun Oct 13 23:24:35 2013 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 14 Oct 2013 08:24:35 +0200 Subject: [tor-dev] Attention Otters Message-ID: <20131014062435.GF10405@leitl.org> ----- Forwarded message from Arlo Breault ----- From katana at riseup.net Mon Oct 14 00:27:41 2013 From: katana at riseup.net (katana) Date: Mon, 14 Oct 2013 09:27:41 +0200 Subject: [linux-elitists] Browser fingerprinting In-Reply-To: <20131014012811.6d6463f5@Neptune> References: <20131007060756.GX10405@leitl.org> <20131014000636.44F74DD8F@a-pb-sasl-quonix.pobox.com> <20131014012811.6d6463f5@Neptune> Message-ID: <525B9CED.20907@riseup.net> Hi, > Check out firegloves. It's outdated, and I'd love to see it getting > some love, but it's a great POC for anti-fingerprinting in Firefox. In about their FPDetective Framework , the authors wrote about Firegloves: "Additionally, Firegloves limits the number of fonts that a single browser tab can load and reports false dimension values for the offsetWidth and offsetHeight properties of HTML elements to evade JavaScript-based font detection. We evaluated the effectiveness of Firegloves’ as a countermeasure to fingerprinting, and discovered several shortcomings. For instance, instead of relying on offsetWidth and offsetHeight values, we could easily use the width and the height of the rectangle object returned by getBoundingClientRect method, which returns the text’s dimensions, even more precisely than the original methods. This enabled us to detect the same list of fonts as we would without the Firegloves extension installed. Surprisingly, our probe for fonts was not limited by the claimed cap on the number of fonts per tab. This might be due to a bug, or to changes in the Firefox extension system that have been introduced after FireGloves, which is not currently being maintained, was first developed. Although Firegloves spoofs the browser’s user-agent and platform to pretend to be a Mozilla Firefox version 6 running on a Windows operating system, the navigator.oscpu is left unmodified, revealing the true platform. Moreover, Firegloves did not remove any of the new methods intro- duced in later versions of Mozilla Firefox and available in the navigator object, such as navigator.mozCameras and navigator.doNotTrack." I add: OK, the naviagtor.oscpu issue can be fixed easily, but the timezone feature doesnt't work too with enabled JavaScript. --- Katana From albill at openbuddha.com Mon Oct 14 09:54:24 2013 From: albill at openbuddha.com (Al Billings) Date: Mon, 14 Oct 2013 09:54:24 -0700 Subject: [linux-elitists] Browser fingerprinting In-Reply-To: <20131014131033.0ee9af12@Neptune> References: <20131007060756.GX10405@leitl.org> <20131014000636.44F74DD8F@a-pb-sasl-quonix.pobox.com> <20131014012811.6d6463f5@Neptune> <525B9CED.20907@riseup.net> <20131014131033.0ee9af12@Neptune> Message-ID: About 19 years ago, it was. The rest of the world (and web developers) moved on since then. From: Cathal Garvey Cathal Garvey Wasn't the whole idea of  browser rendering that the server would send one canonical page to the  client, and the client is responsible for rendering?  --  Al Billings http://makehacklearn.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 3348 bytes Desc: not available URL: From jya at pipeline.com Mon Oct 14 07:12:13 2013 From: jya at pipeline.com (John Young) Date: Mon, 14 Oct 2013 10:12:13 -0400 Subject: Assassination Politics on Ycombinator In-Reply-To: <20131014100204.GA28712@netbook.cypherspace.org> References: <20131014091833.GV10405@leitl.org> <20131014100204.GA28712@netbook.cypherspace.org> Message-ID: Snapshot this morning: http://cryptome.org/2013/10/ap-ycombinator-13-1014-0944.htm From tpetru at gmail.com Mon Oct 14 01:43:10 2013 From: tpetru at gmail.com (Tomas Overdrive Petru) Date: Mon, 14 Oct 2013 10:43:10 +0200 Subject: Silk Road founder arrested ... In-Reply-To: <1380741786.15249.YahooMailNeo@web141201.mail.bf1.yahoo.com> References: <20131002123743.GA14320@vic20.blipp.com> <524C41F5.5020105@openmail.cc> <1380734343.30026.10.camel@anglachel> <1380741786.15249.YahooMailNeo@web141201.mail.bf1.yahoo.com> Message-ID: <525BAE9E.7040901@gmail.com> On 2.10.2013 21:23, Jim Bell wrote: > What if, for example, the Feds were no longer able to prosecute > 70,000 people per year (the current figure, approximately), but > instead were limited to, say, 5,000 per year? > Jim Bell > > > Jim, this argument does not work and it is really dangerous because : - if there is some totalistic system/strong law enforcing, than atmosphere of terror could destroy whatever people try during time - there where already "electronic terrorism" raids and prosecutions in cases like 4chan/anonymous when LOIC was used - a lot of people just joined DDoSing of some servers and they where thinking "we are many, no problem" and it was So I find this argument serously dangerous, because "System" is just gristmill and relatively a lot of time, to finish its job. Basically LAW against BC should not be approved by society. ~ Over -- “Borders I have never seen one. But I have heard they exist in the minds of some people.” ― Thor Heyerdahl www...................http://overdrive.a-nihil.net twitter...............https://twitter.com/#!/idoru23 GoogleTalk/Jabber.....tpetru at gmail.com last.fm...............http://www.last.fm/user/overdrive23 GnuPG public key......http://overdrive.a-nihil.net/overdrive.txt GnuPG key FingerPrint.072C C0AD 88EF F681 5E52 5329 8483 4860 6E19 949D -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2793 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 553 bytes Desc: OpenPGP digital signature URL: From griffin at cryptolab.net Mon Oct 14 07:55:56 2013 From: griffin at cryptolab.net (Griffin Boyce) Date: Mon, 14 Oct 2013 10:55:56 -0400 Subject: Browser fingerprinting In-Reply-To: <4444FC40-50C3-4AAD-A53C-920E45B0810F@kuketz.de> References: <20131007060756.GX10405@leitl.org> <20131014000636.44F74DD8F@a-pb-sasl-quonix.pobox.com> <20131014012811.6d6463f5@Neptune> <525B9CED.20907@riseup.net> <20131014131033.0ee9af12@Neptune> <525BF5A7.1080801@appelbaum.net> <4444FC40-50C3-4AAD-A53C-920E45B0810F@kuketz.de> Message-ID: <525C05FC.3000702@cryptolab.net> Mike Kuketz wrote: > > As an alternative to the Tor Browser i suggest the following: > On this site you can check your browser > "visibility": http://ip-check.info/?lang=en Yeah, if you don't need or want location anonymity, there are a lot of really good options out there. RequestPolicy takes a lot of tinkering (which can be *really* aggravating), but it's incredibly useful for blocking tracking scripts. Modifying one's user-agent string was found to be a CFAA violation during Weev's trial. Who knew? Ashkan Soltani wrote a really great opinion piece on this [1]. In addition to the other great recommendations, I'd highly recommend blocking Flash if you're concerned about privacy. Not only do flash cookies persist longer / are hard to block / are harder to remove, but it's easy to fingerprint someone via a tiny bit of flash. Flash is also enabled by default on Google Chrome, so check out FlashBlock [2]. It also offers more granularity in case you like gaming :D best, Griffin [1] http://www.wired.com/opinion/2013/07/the-catch-22-of-internet-commerce-and-privacy-could-mean-youre-the-bad-guy/ [2] https://chrome.google.com/webstore/detail/flashblock/gofhjkjmkpinhpoiabjplobcaignabnl?hl=en -- "Cypherpunks write code not flame wars." --Jurre van Bergen #Foucault / PGP: 0xAE792C97 / OTR: saint at jabber.ccc.de My posts are my own, not my employer's. From eugen at leitl.org Mon Oct 14 02:03:52 2013 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 14 Oct 2013 11:03:52 +0200 Subject: Pascal Zachary: Rules for the Digital Panopticon (IEEE) Message-ID: <20131014090352.GS10405@leitl.org> ----- Forwarded message from Felix Stalder ----- From eugen at leitl.org Mon Oct 14 02:04:42 2013 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 14 Oct 2013 11:04:42 +0200 Subject: [Cryptography] prism-proof email in the degenerate case Message-ID: <20131014090442.GT10405@leitl.org> ----- Forwarded message from Nico Williams ----- From eugen at leitl.org Mon Oct 14 02:18:33 2013 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 14 Oct 2013 11:18:33 +0200 Subject: [tor-relays] NSA's "Tor Stinks" Message-ID: <20131014091833.GV10405@leitl.org> ----- Forwarded message from Jesse Victors ----- From alfiej at fastmail.fm Sun Oct 13 17:45:02 2013 From: alfiej at fastmail.fm (Alfie John) Date: Mon, 14 Oct 2013 11:45:02 +1100 Subject: [linux-elitists] Browser fingerprinting In-Reply-To: <20131014012811.6d6463f5@Neptune> References: <20131007060756.GX10405@leitl.org> <20131014000636.44F74DD8F@a-pb-sasl-quonix.pobox.com> <20131014012811.6d6463f5@Neptune> Message-ID: <1381711502.26005.33570853.18DA6075@webmail.messagingengine.com> On Mon, Oct 14, 2013, at 11:28 AM, Cathal Garvey wrote: > > Sure would be nice if Mozilla had an option for "only announce the > > standard vanilla web fonts". That would be great, along with: - "only use mandatory required headers" (e.g. Host, eTags*) - "use custom request headers" (without resorting to Live HTTP Headers for each request) *thinking about this more, eTags could also be used to track users if MITMed. > User-agents are the devil, though, because whatever about other sources > of browser entropy, the User Agent is a big honking bonus score every > site gets for zero effort. Worse, most efforts to minimise User-Agents > can end up maximising them instead, and there don't seem to be any > *current* lists of "most common user-agent string" to work from to > reduce entropy. I've set mine to a super-generic-looking > Windows/Firefox setting, but as other people upgrade their browsers and > OSes and as architectures get more diverse, browser UAs are getting > more and more diverse, too.. Speaking of User-Agents being evil: http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/ Alfie -- Alfie John alfiej at fastmail.fm From adam at cypherspace.org Mon Oct 14 03:02:04 2013 From: adam at cypherspace.org (Adam Back) Date: Mon, 14 Oct 2013 12:02:04 +0200 Subject: [tor-relays] NSA's "Tor Stinks" In-Reply-To: <20131014091833.GV10405@leitl.org> References: <20131014091833.GV10405@leitl.org> Message-ID: <20131014100204.GA28712@netbook.cypherspace.org> Btw speaking of GCHQ or NSA operating Tor nodes, of course that is inevitable; and to the extent that they are not perfectly policy aligned a good thing, and they'll try to do a professional job of securing their own tor nodes :) eg if you are a chinese dissident maybe you want to use them as one hop. You just dont want them controlling to many nodes. And probably the Russians, French, Israelis, Chinese etc are all running Tor nodes and even less mutually cooperative. What we could really do with is North Korea, and Iran intelligence services running some also. I suspect to the extent that they are experiencing limited success you could imagine its because not ony are some nodes controlled by users, but more that some are operated by mutually distrustful competing intelligence agencies. The intelligence agency nodes are probably better secured than user nodes, though some user nodes maybe run by security capable and conscious users. The intelligence agencies however have a budget for and hoard of unpublished 0-days on PC & router operating systems so they have a slight edge. Also the intelligence agency is not going to cave under legal pressure when someone from law enforcement comes with threats and demands relating to exit traffic so they have that advantage too. It would be better to my mind if they just came out and said yes this is our node and ran it from their own domain tor.gchq.gov.uk or tor.nsa.gov; then users could opt to use it. However I suspect they think no one would use it, or the people they actively want to use it (who they are trying to trace) would avoid it. Could be useful if they used an identified one and a plausibly hidden one. Speaking of plausibly hidden I notice there is mention of code word 'NEWTONS CRADLE' in one of the docs for a GCHQ tor node operation, speculating could that be some MoD funded student at cambridge in their dorm? (Quite commnon in the UK for students to be sponsored by a company they will work for afterwards or a government career they took a break from. A couple of my classmates at BSc, University of Exeter (UK) comp sci BSc were openly MoD sponsored.) No matter, its trivial for establishment to provide perfect cover for node operation, just run from home address, or persuade ISP/telco to route traffic via DSL lines identifying IP address range as a IP forwarding proxy. They can do whatever they want, you'd think that more likely, however a university dorm IP address range would look nice and plausible/credible also, maybe more so than a DSL address. Probably a university upstream or the university IT itself (universities often take defense contracts) could fake it or operate it under contract with intelligence cleared dual-hat admin if they cared enough. I do think it would be very useful if the intelligence agencies running tor nodes also ran one on their own domain. Then you could route via one who's government is overtly supportive of your political cause. (Doesnt protect you from backroom information exchange deals and horse trading, which I'm sure happens even with sworn enemies, but its a start if you are unintersting enough!) However I expect another reason they dont want to do that is they dont want to enable people to get stronger privacy period. They have a dual hat, they want internet privacy for their own open source research, but they selfishly dont want other users to have privacy or gain any privacy as a side-effect from their own. Adam On Mon, Oct 14, 2013 at 11:18:33AM +0200, Eugen Leitl wrote: >----- Forwarded message from Jesse Victors ----- > >Date: Tue, 08 Oct 2013 13:23:48 -0600 >From: Jesse Victors >To: tor-relays at lists.torproject.org >Subject: [tor-relays] NSA's "Tor Stinks" >Message-ID: <52545BC4.3020106 at jessevictors.com> >User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0 >Reply-To: tor-relays at lists.torproject.org > > >I recently ran across several articles related to the NSA's attempts at >cracking Tor and de-anonymizing its users. They are after terrorists and >other individuals who seek to do harm of course, but their work >obviously has implications into other Tor users, the vast majority of >whom use Tor for legal and proper activities. So far, it appears that >the cryptographic standards and protocols implemented by the Tor devs >appear to be holding, which I find interesting. The NSA has been trying >other methods to figure out Tor, including identifying and then >infecting user machines, trying to control/hijack the Tor network, or by >influencing the network as a whole, and they've had a very small amount >of success, but not much. One thing that was especially interesting to >me (and I expect to everyone on this mailing list) is that they are >trying to control more relays via cooperation or direct access, which >can then be used for timing attacks or disruptions to the users. They >are also trying to shape traffic to friendly exits. For anyone >interested, I would highly recommend these links: >http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document >http://www.bbc.co.uk/news/technology-24429332 >http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack-tor-network-encryption > >Also, from >http://www.theguardian.com/world/interactive/2013/oct/04/tor-high-secure-internet-anonymity >it appears that their opinion of Tails is that it "adds severe CNE >misery to [the] equation". These are all highly informative articles, >and it appears that Tor is remaining resilient to their efforts, as long >as people (including relay/exit operators) use the latest software, >remain aware that Tor doesn't protect them in all aspects, and as long >as there are enough non-NSA relays and exits (we need more!) such that >everything they see still remains encrypted and anonymous. Interesting I >say. > >Jesse V. > > > > >_______________________________________________ >tor-relays mailing list >tor-relays at lists.torproject.org >https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays > > >----- End forwarded message ----- >-- >Eugen* Leitl leitl http://leitl.org >______________________________________________________________ >ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org >AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From cathalgarvey at cathalgarvey.me Mon Oct 14 05:10:33 2013 From: cathalgarvey at cathalgarvey.me (Cathal Garvey) Date: Mon, 14 Oct 2013 13:10:33 +0100 Subject: [linux-elitists] Browser fingerprinting In-Reply-To: <525B9CED.20907@riseup.net> References: <20131007060756.GX10405@leitl.org> <20131014000636.44F74DD8F@a-pb-sasl-quonix.pobox.com> <20131014012811.6d6463f5@Neptune> <525B9CED.20907@riseup.net> Message-ID: <20131014131033.0ee9af12@Neptune> Well, crap. Thanks for that! Anyone with FF-plugin chops care to make a better version? This all seems a bit backwards, though. Wasn't the whole idea of browser rendering that the server would send one canonical page to the client, and the client is responsible for rendering? Our browsers shouldn't even be telling the server their dimensions, CPUs and OSes; if we can't render the page sent by the site, either we or the site are at fault but not our architectures and OSes. This internet is broken, make me a new one. On Mon, 14 Oct 2013 09:27:41 +0200 katana wrote: > Hi, > > > Check out firegloves. It's outdated, and I'd love to see it getting > > some love, but it's a great POC for anti-fingerprinting in Firefox. > > In > about their FPDetective Framework > , the authors wrote > about Firegloves: > > "Additionally, Firegloves limits the number of fonts that a single > browser tab can load and reports false dimension values for the > offsetWidth and offsetHeight properties of HTML elements to evade > JavaScript-based font detection. We evaluated the effectiveness of > Firegloves’ as a countermeasure to fingerprinting, and discovered > several shortcomings. For instance, instead of relying on offsetWidth > and offsetHeight values, we could easily use the width and the height > of the rectangle object returned by getBoundingClientRect method, > which returns the text’s dimensions, even more precisely than the > original methods. This enabled us to detect the same list of fonts as > we would without the Firegloves extension installed. Surprisingly, > our probe for fonts was not limited by the claimed cap on the number > of fonts per tab. This might be due to a bug, or to changes in the > Firefox extension system that have been introduced after FireGloves, > which is not currently being maintained, was first developed. > Although Firegloves spoofs the browser’s user-agent and platform to > pretend to be a Mozilla Firefox version 6 running on a Windows > operating system, the navigator.oscpu is left unmodified, revealing > the true platform. Moreover, Firegloves did not remove any of the new > methods intro- duced in later versions of Mozilla Firefox and > available in the navigator object, such as navigator.mozCameras and > navigator.doNotTrack." > > I add: OK, the naviagtor.oscpu issue can be fixed easily, but the > timezone feature doesnt't work too with enabled JavaScript. > > --- > Katana -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: not available URL: From eugen at leitl.org Mon Oct 14 04:25:54 2013 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 14 Oct 2013 13:25:54 +0200 Subject: [serval-project-dev] Roaming between mesh extenders Message-ID: <20131014112554.GE10405@leitl.org> ----- Forwarded message from Paul Gardner-Stephen ----- From rich at openwatch.net Mon Oct 14 13:26:15 2013 From: rich at openwatch.net (Rich Jones) Date: Mon, 14 Oct 2013 13:26:15 -0700 Subject: Why Android SSL was downgraded from AES256-SHA to RC4-MD5 in late 2010 Message-ID: Nasty: http://op-co.de/blog/posts/android_ssl_downgrade/ Looks like ignorance rather than malice, but that's a pretty fucking bone-headed maneuver. Normally the Android guys are quite sharp, so a mistake like this actually strikes me as a little bit fishy. Here's the guy responsible for the commit: http://carlstrom.com/ http://www.linkedin.com/in/carlstrom Worth a follow-up? R -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 663 bytes Desc: not available URL: From jacob at appelbaum.net Mon Oct 14 06:46:15 2013 From: jacob at appelbaum.net (Jacob Appelbaum) Date: Mon, 14 Oct 2013 13:46:15 +0000 Subject: [linux-elitists] Browser fingerprinting In-Reply-To: <20131014131033.0ee9af12@Neptune> References: <20131007060756.GX10405@leitl.org> <20131014000636.44F74DD8F@a-pb-sasl-quonix.pobox.com> <20131014012811.6d6463f5@Neptune> <525B9CED.20907@riseup.net> <20131014131033.0ee9af12@Neptune> Message-ID: <525BF5A7.1080801@appelbaum.net> Cathal Garvey: > Well, crap. Thanks for that! > > Anyone with FF-plugin chops care to make a better version? The Tor Browser, of course! https://www.torproject.org/torbrowser/design These may be interesting to you: https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise https://blog.torproject.org/blog/deterministic-builds-part-two-technical-details Source and binary releases are available - I suggest using the 3.0 alphas to help us improve them for general use: https://blog.torproject.org/category/tags/tbb-30 All the best, Jacob From cathalgarvey at cathalgarvey.me Mon Oct 14 07:33:41 2013 From: cathalgarvey at cathalgarvey.me (Cathal Garvey) Date: Mon, 14 Oct 2013 15:33:41 +0100 Subject: [linux-elitists] Browser fingerprinting In-Reply-To: <525BF5A7.1080801@appelbaum.net> References: <20131007060756.GX10405@leitl.org> <20131014000636.44F74DD8F@a-pb-sasl-quonix.pobox.com> <20131014012811.6d6463f5@Neptune> <525B9CED.20907@riseup.net> <20131014131033.0ee9af12@Neptune> <525BF5A7.1080801@appelbaum.net> Message-ID: <20131014153341.5af687a3@Neptune> > The Tor Browser, of course! > > https://www.torproject.org/torbrowser/design :) Fair point! I guess if I want a common user-agent from a browser that minimises fingerprinting generally, I couldn't get any better than Tor Browser with the Tor bits turned off. Come to think of it, I may just do that now for my routine-daily-browser and replace Iceweasel with a gutted version of Tor BB's Aurora build. Thanks! On Mon, 14 Oct 2013 13:46:15 +0000 Jacob Appelbaum wrote: > Cathal Garvey: > > Well, crap. Thanks for that! > > > > Anyone with FF-plugin chops care to make a better version? > > The Tor Browser, of course! > > https://www.torproject.org/torbrowser/design > > These may be interesting to you: > > > https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise > > > https://blog.torproject.org/blog/deterministic-builds-part-two-technical-details > > Source and binary releases are available - I suggest using the 3.0 > alphas to help us improve them for general use: > > https://blog.torproject.org/category/tags/tbb-30 > > All the best, > Jacob > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: not available URL: From eugen at leitl.org Mon Oct 14 06:36:14 2013 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 14 Oct 2013 15:36:14 +0200 Subject: funding Tor development Message-ID: <20131014133614.GA30003@leitl.org> Guys, in order to minimize Tor Project's dependance on federal funding and/or increase what they can do it would be great to have some additional funding ~10 kUSD/month. If anyone is aware of anyone who can provide funding at that level or higher, please contact execdir at torproject.org From electromagnetize at gmail.com Mon Oct 14 13:52:54 2013 From: electromagnetize at gmail.com (brian carroll) Date: Mon, 14 Oct 2013 15:52:54 -0500 Subject: [20] surveying the minefield Message-ID: the idea may at first seem strange or improbable, though machines can effectively 'lie' by sustaining and enforcing a false perspective where errors and deception are normalized into shared structuring. the exchange of data -in its skew or misrepresentation- can become foundational to a given reality that has an implicit if covert agenda connected to it, which can range across cultural domains, including politics, economics, social and demographic aims, pitting some against others, yet unaccounted for. [machine1] <--- lies ---> [machine2] such a false perspective then depends upon how ideas are modeled, (thus also situations they seek to encompass, via automated surveying via the surveillance infrastructure monitoring citizens from various angles) [binary1] <--- lies ---> [binary2] these views can be 'shared' and thus presumed legitimate by default of this sharing of a common framework, even if private and only partially true, yet also carrying the mantle of 'public observation' within a default context. what is important to note is that the much can be ignored from this POV and yet can be equated with representing a total situation, likewise. in that the edited parameters of perception, even if technical, in their onesided evaluation, still carry a presumption of accuracy within the shared frame. and this can be standardized, institutionalized, yet remain ~ungrounded, and thus, the error-rate instead of being dealt with and removed becomes structural and of a protected, insulated domain instead, a leverage point that can be used to gain advantage via exploiting the uneven relations between what is inside the boundary and what it observes onesidedly by not accounting for truth at the level of machines and representation, we have given machines the ability to lie to us. faulty modeling enshrined in the silicon and circuitboards provides the structure to sustain and further extend the faulty views of people, extended within the technological tools that then are subverted by this fundamental impurity, where, specifically- the 1's and 0's of binary ideology are equated as if absolute truths while not connected to its logical accounting beyond an ideology of 'true belief' and thus these ones and zeros are emblematic or 'symbols' of a truth that is actually absent within the technology-- it is nowhere represented in the modeling of data itself, which instead occurs only within language and its conventions and does not require accordance with grounded nature outside this view, such that reality is replaced by its system of signification, the 'representation' replaces the reality, and narrows down the dimensions to only what can be allowed to exist as it benefits a particular viewpoint that no longer has human values as its purpose continual decision-making technology has become disconnected from humanity and thus society this way and the digital equipment stands in for 'accountable truth' as if devices themselves are this higher realm of understanding and awareness, vs. lower and so people begin to serve machines and the nothingness (absent of truth) at their centre as if the higher calling, when instead their representation of reality is highly limited, finite, and warped, constrained and censoring what exists to only a particular flawed relativistic model that is biased to serve only some people, at the cost and labor of the many it exploits life, nature, love, are nowhere present except as they can be represented as commodified SIGNs to be exploited, systematically, via state machinery. in that, in the internal 'digital universe' established, these unmapped relations are anomalies that get described away in other limiting terms and thus are established in warped structural frameworks that become normalized as the basis for shared awareness - love equated with a brain state or with chemical processes that can be artificially induced or engineered, versus a different approach regarding its mystery and boundary where reductionism is incapable of accounting for its greater truth, due to ideology and dogma. this is how scientific methodology becomes deterministic as a worldview that supposes itself capable of rationalizing the world in its actuality without accounting for the actual dimensions which must be edited to fit the worldview and its agenda, thus the parameters of observation and also the establishment of a constrained evaluation that becomes structural and in this way- the world of life and its situations are modeled within lesser views than what actually exists, protected by this binarist representation that replaces the world with a substitute model said and believed to be the defining truth, which becomes the foundation for 'machine' relations and observations between humans, and between humans and machinery. as if the use of programming code written in C++ is by default grounded in the world an accessing external truth by using SIGNs to represent external events; versus having these assumptions actually tested as hypotheses, and held to account for errors, which has been removed from the process of ideas not just any errors, technical, ideological errors, errors of observation that go beyond the institutionalized dogma, into the code of the perceivers and deciders and hold those relations and observations to account for how situations are modeled and in what terms, because this can be exploited, the world can be misrepresented in its entirety and if not held to account can become normalized and the basis for day-to-day existence, a corruption that is sustained and extended by technology that extends this ~processing so how do you get to the errored code if it exists prior to its input into the machines and the creation of machine-based frameworks and modeling. what if people today are not required to be honest or truthful (as their *private right*, no less) thus grounding is not required via relativist and subjective agendas that exploit the A=B mismatch, as if A=A activity how to get to the code within a person who parses situations inaccurately and seek its correction, especially with a breakdown in communications such that language cannot sustain such in-depth considerations between peoples, is everything reliant on peoples conscience then, to do the right thing, or on the ability of sociopaths to lie and feel no remorse or obligation for truth beyond their self-interested boundary? how did error and lies become acceptable as a basis for relations, unless to exploit eachother and divide citizens into smaller and smaller enclaves of un/shared awareness. is not the ability to rationalize inaccurate worldviews as personal operating systems somehow involved in the deeper corruption as it relates to ideas, how they are detached from reality and accounting beyond a given boundary which then becomes the self and its ego, personal or shared beliefs about how individuals and groups exist, compete or cooperate, yet beyond further accounting in actual truth, beyond some shared level of communication this is insane, in terms of logic and empirical truth, because language-relations can be largely ungrounded, superficial, manipulating frameworks to force and warp perspectives to fit agendas and some of these views are larger than others, controlling them within skewed ideological ecosystems and thus a gigantic warped mechanism can exist that presumes shared truth as shared belief that remains unchecked beyond the enforced boundaries, and this goes into peoples nervous systems, their brains and how they think, prior to this communication with others - their own self-conception and self-accounting as a being in relation to all that is, and the presumption of knowing or not knowing and choosing or finding a path to function within that syncronizes with the larger momentum and allows survival, and yet this very path of least resistance is likely by default antihuman and against humans and civilization itself, as miswired and misdirected and the individual is not held to account for their internal errors in terms of themselves, necessarily, and can go about being inaccurate in observations or bias toward partial-truths while ignoring others, then assuming this condition translates into a pure truth of machinery via outward action, that provides a platform for this same way of being that can and does exist in a bubble or virtual condition in terms of its truth, in that it is by default a detached condition from the actual nature of things as they exist, beyond the given warped model representing them this is why the outward survey requires first an inward survey of the self prior to seeking to determine external changes - and is a major failure of activists who require moral compliance from another while not necessarily having the same integrity in their own lives, in terms of grounded truth- instead it can become another exploit in a competitive scheme, worthwhile perhaps though unsound in terms of shared reasoning, tit-for-tat scenarios that are the very basis for their destruction as ungrounded approaches, an issue of dealing in language and systems of representation versus truth as the mediator, thus signs of things and their interactions in competition versus alignment via shared truth and common agenda, which then places those who serve truth on the same side, and those who share lies as the enemy. if caught in relativism and protected boundaries, that next step can never be achieved, and thus the dance can legitimize the false perspective and provides needed symbolic checks and balances for status quo relations, versus a deeper interrogation of culture beyond the superficial, whereby advertising of non-profits or other organizations eventually replaces the issue with their own cause, a hollowed-out exercise of self-sameness of the shared underlying ideology, no matter what is said, via such 'grounding' if everything was as easy to determine was simply writing about it and-or having observations and communicating -- people would probably think they are REALLY SMART and could self-righteously go about justifying any action that they deem correct as being correct, as long as no feedback exists that counters this belief. therefore people could think or believe what they are doing is really radical or politically challenging powers that be because they are functioning in a particular domain in those terms -- yet to what effect is this stageplay, a song and dance routine, versus getting to the core condition that could actually change what is going on-- and what will it take to get there if a boundary exists within the minds of people who may think 'conventional approaches' are adequate to the existential task even while insurmountable in these same mindsets and ways of relating what if the biggest impediment to change is the individual observer, the self who is set in their views and is not requiring of a higher degree of fidelity with the external world, given private predisposition to what can be a selfish or self-serving protected viewpoint-- what if individualism has been corrupted to the point that individuals are recoded in group-think and behave like a herd even while having all the choices in the world to pursue their own interests (while ignoring most everyone elses likewise) what if the code of self is in error, the psychological, emotional, mental way of being, and that interactions between a self and itself is in error? what if people are fucked up in their views by default- what then... and what if this is allowed by ungrounded, unaccountable beliefs that are detached from empirical truth beyond a protected private boundary- and that no obligation exists to humility or to 'reason' beyond this limited narrow framework, as is peoples *privatized* rights, via the corrupt constitution, which becomes a document allowing and enforcing COLLECTIVE IDIOCY instead how to deal with that situation, the encoding of an ideological default state within people, straight of the womb or test-tube that then can be fast tracked into the automated machinery and exploited over a lifetime for profit, while surviving or struggling to, to greater or lesser degrees and what if the obligation of the education system to deal with this as a condition has been obliterated, such that truth is absent from schools and instead everything is mediated in terms of appropriate language (SIGNS) that involves standardized tests that validate correct pattern matching, even while it is to institutionalize B=A and B=B dynamics, yet questioning this condition is not allowed and the boundaries are enforced, especially via psychiatric feedback for challengers, misfits, strugglers, the abused so dealing with truth is basically ILLEGAL within society, and the last place you will have it dealt with is within the court system because the law is based within accounting for events within ungrounded LANGUAGE, the sign of what occurs, versus in its truth as tallies to ones or zeros. that is unless you get access to the supreme court and constitutional review to test the source code itself as a framework for this 'shared truth' that is not actually this, yet functionally and legally represents it, including the above actions that set people against one another in exploitative terms in this way, people and the machinery that extends the faulty actions that are believed good, true, correct, right, and yet are oftentimes opposite of this if accurately accounted for beyond the given limits of interpretation and via censoring or limiting outside observation, this can be disallowed and thus the false perspective, whether in peoples shared ideas or within the technologies developed and used for daily exchange can exist in the same rotten and corrupted frameworks and be required as a basis for shared exchange when it is this very process which relies upon unchecked falsehood and thus automatically extends it via its continued use, as a methodology in contrast, if each individual was assisted from birth to old age in developing self awareness, and given the basic skills and tools to map their own consciousness and understanding in a personal circuit of the self, a diagram of all their attributes and goals and combined health and education records and skills and career data, that this self-diagnostic capacity then would be the most accurate model of the self that could be referenced for a person as they relate to others within the larger state, and data that is external would be matched against the personal model, such that if points of view conflict, it can be mediated in the given frameworks versus having one biased viewpoint have authority over another even though it may not be accurate or could rely on structural falsehoods. thus, if a student questions something in class, it could be reviewed by others in the objective terms it exists within (A=A) instead of misrepresented by those who ideologically subvert this process (A=B and-or B=B), and therefore an obligation would exist to mediate this condition of shared truth and the lies would have no place as situations are accurately accounted for, given the data that is continually checked by outsider observers as people are interacting with others and other systems in the shared environment [A=A] <---> [A=B] the difficulty is that there is no obligation of citizens to operate within an A=A framework due to relativism which negates the possibility of shared truth, while at the same time exploiting this as a universal perspective, which establishes a boundary for what can and cannot be a shared viewpoint and thus a 'subjective objectivism' is universalized that only allows its limited parameters to be allowed for relations, even while flawed and reliant upon errors, which enable further exploitations to take place against any truth that exists, via arbitrary onesided evaluations that are effectively the politicization of the entire infrastructure of society, most especially via academics where the threat of 'new ideas' is largest new ideas meaning empirical truth, accounting with western philosophy and cultural traditions, that kind of thing that is disregarded as out of date or fanciful, censoring the very structure of logical reasoning, and in doing so allowing the false perspective to rule over all interpretation. thus to succeed in this system requires belief, to belief what is said, as it is said as a sign or correct pattern that can be matched to the self and adhered to, versus questioned or considered or thought about beyond the particular enforced boundary -- or else! you can lose your ability to live in the society, be sent all the way to the bottom to be ground up by the base functioning of the automated machinery, as systems exploit people as cattle, guided into appropriate processing, all eventually slaughterhoused 'trust the machine' is like 'trust the liar', it just does not work that way in terms of the greater truth involved. yet doing so can bring benefits within those parameters, yet the price is truth itself, a disconnection from the larger issues involved. the representation does not match the reality, and in that gap, the exploit. and it begins in the person, within the individual mindset and its enculturation, whereby false frameworks are normalized and the basis for relations and exchange, including in the tools themselves, digital technology- the networked media jukeboxes that people carry around, represented by candy-store icons, mapping only to certain highly constrained dimensions that keep everything in the ideological box yet may allow the perception that activity actually exists beyond this limit, and that would be illusory, the entire system is engineered from the ground up, as if the context is a wild frontier and not disneyland from the start, the groundplane not full of wires and automated sensing mechanism, a managed stage and scenery and actors everyone playing their unique parts so what if individuals start with an A=B worldview, and this limits their larger interactions in the world beyond a given limit or private boundary. what if the code they think in their brains is even B=B as if A=A, and yet it is unaccounted for in this inaccuracy. say- having no relation to the context in which events occur and only viewing things in their immediacy and locally, say no technological history or understanding taught in school so it seems that issues of today are those of the 18th and 19th century instead, and so an immediate [sign] can be evaluated outside a realistic context and oversimplified and analysed in inaccurate terms which are those of entire political platforms and agendas even, missing information never accounted for in scratch-my-back exchanges that serve the 'common good' which is the past and present evil in its inadequacy and deep mendacity people with partial views could assume 'total literacy' in a binary mindset even while reliant upon falsity, and this can manage over others, including other truth, which is ignored or falsified by its ability to be limited or stopped entirely, via hostilities or censorship or containment, etc. and thus in the realm of the ungrounded empire of signage, an egotist could easily believe they 'know everything' in their particular warped framework and function within the system in these partial terms, for self-interested goals that serve a like population that benefits from this, while ignoring and oppressing those who do not and are not served by the corruption of pseudo-truth universalized and made authoritarian, people submitting to lies and deceptions and frameworks of falsehood and basing relations on these simply to survive, to have a chance at continuing to breathe instead of fighting an "irrational" enigma that forces people straight into madness due to its insane dimensions, which do not add up to a sane worldview and instead it is antihuman, it is oppressive, it is illegal, unconstitutional yet none of this is of significant if truth is not logically accounted for the winners are the schemers and scammers and liars and cheats and now the entire state system and world system is based upon this 'shared principle' as a basis for governing power, the constitution ~interpreted this way thus allows its justification, so long as truth is allowed to be misrepresented and there is no way to sanely prove, given the evidence, what is going on unless of course the source code is everywhere around us and it is a limit of our own inaccuracies to not be able to read it and communicate our ideas about the shared situation. to do so requires getting truth grounded in a shared framework of logic, beyond the binary, getting clear about what the issues are, understanding and comprehending the modeling of empirical truth (A=A) in a relativistic framework (A=B), and then taking on situations via public debate of ideas -- contests of worldviews where LANGUAGE would no longer be used to 'hide truth' via powerplays of ungrounded subjective rhetoric and instead would be brought down to ones and zeros of truth and falsity, accuracy of beliefs and ideas structurally accounted for in terms of their allegiance or ignoring of the involved parameters, beyond just the limited boundaries of a given perspective, to include the larger situation that is ignored because it can be removed from the shared equations, as is the privilege of the dishonest and corrupt who exploit these dynamics, (and this can include anyone determined to 'choose their own reality') how can accurate code be written if it is not firstly based in truth that is beyond the bias or error-rate of the coder. it takes other people and observations to check against, other modeling beyond finite limits and boundaries, the threshold of self as detached versus connected with others and of dimensionality that extends into ecosystems and is not containable only within an enforced narrow worldview -- truth is held captive inside of pseudo-truth and falsity, and this can be within a person themselves thus, firstly, how to free the person from the inherited, surrounding, and absorbed falsity of environment and others that formats the self- how to get that distance and recognize that fallibility of the self, that it is the very imperfection of an individual that leads to their perfection as an optimizing being, by accounting for errors allows these to no longer limit or constrain functioning within lesser circuitry and adaptation and growth and development can occur beyond the false boundaries - once released from the inaccuracy as a malfunctional framework. and what if this is the goal of society, to help people develop into who they most actually are, and to support this self-development because it is the long-term best approach to improving society via high functioning citizenry, versus today which seeks to constrain and disallow this develop, keeping most everyone stupid and limiting only 10% of the brain to be used in the education system (or else- the psychiatrist and psychiatric pills for you!) what if society was not an antihuman environment, and what if to get there requires a new relation between people, and what if the way people are now formatted prevents this, due to constrained private boundaries that limit and protect awareness, yet this is also the essential self-corruption, that it can protect inaccurate views and beliefs sheltered within false models and beliefs that remain unchecked and uncorrected and are even the basis for shared relations, in that careers or marriages or other relations may be developed in that inaccurate context. thus what if any acknowledgment of error or inaccuracy could lead to negative repercussions and jeopardize the fragile sandcastles of peoples lives, where such revelations could become weaknesses, and set a person up against themselves in their functioning, when their brain and its beliefs are in opposition to what the body does and the conflicts that can arise in realizing a schizophrenic, fragmented condition required and normalized within society, as the status quo itself maybe it is the system that is actually crazy - and following along is the crazy thing, and waking up to this is actually about BECOMING SANE and not about losing your mind, and instead about finding it, grounding it in the more realistic situation, just as 9/11 did for a great many here, because finally some of the dimensions that exist beyond a given boundary were brought back into the world and could begin to be discussed in potentially more realistic terms, yet this itself was détourned, again via language so what if everyone exists in 'some truth' or partial truth, and this is a pseudo- condition, in that it is ambiguous and variant in terms of how it can be and is accounted for. [truth] is not 100% absolute, instead it is embedded in frameworks and contexts that carry it and these can be in error in terms of viewpoint or beliefs or perspective or facts and even subverted or twisted, such that truth is aligned within a warped worldview that then becomes normalized and the basis for relations and exchange, as with today so what if this toxic situation is the default condition for observation, such that the individual observer exists in a condition of 'some truth' and the goal is to remove the errors, simplify the situation by getting rid of the false beliefs in the modeling of events, and in doing so, while perhaps a less elaborate construct, a more accurate belief that tends towards A=A awareness, than relies upon A=B assumptions, including falsehoods needed to sustain the view. the ability to error-correct, fallibility, is the key to the cybernetic circuitry of self, allowing improvement. it is not an issue of weakness to be able to accurately account for the nature of the self to enable better self governance, management, and interactions with others. it is necessary and vital to unlocking the self beyond limiting constraints and false boundaries that contain the self within institutionalized views and inaccuracies that forbid development beyond the given belief system it is liberation, this accurate accounting of the self and freedom from the structuring of lies and deceptions, shared and unshared. it is the ability to 'know' what is known, and be able to defend this in terms of its truth, in a larger empirical framework of truth beyond the self alone, as this relates to humanity, the interconnectedness of shared human perspective thus to get the ones and zeros of truth and falsity accounted for within the self then enables relations with others that are not reliant upon the frameworks of 'shared lies', by default. and such true is only devalued when it is downgraded into a pseudo-truth evaluation and forced to be limited by a false worldview for what greater truth involves. it is a litmus test for ideology, where peoples boundaries are, who can and cannot be reasoned with and within or beyond protected or chosen boundaries. thus a closeminded biased programmer who codes this way likely has their own biased OS of self that is the basis for this imbalance externalized. so too, a person who has internal equilibrium with greater truth may balance external dynamics in an alignment more conducive to exchange in this way. the free flow of information and ideas requires free minds, in other words and the censorship or limiting of ideas and actions, in their truth, is an indication also of an inner disposition of those with such decision-making, that it is a tell basically about the logical reasoning running the works. this too can be exploited. the programming of self, not the automatic NLP brute-force of another and instead, 'processing' or logical reasoning, how a system works, within what dimensions, by what routines and flows, can then establish a way of coding based on a way of being, its foundation in truth, and built up from that awareness, reliant upon it and tested against it in terms of self-accountability, versus missing this vital step and running 'beliefs' without necessary grounding, as these become systems and technologies and administration and ruling agendas perhaps in this way social engineering has within its domain the issues of the programmer as a model of the computing paradigm they in turn develop, such that their modeling and thinking and motivations extend outward into systems yet relate back to the self as observer and decider, including in moral or ethical or ideological dimensions. and thus flaws in personality or flaws in beliefs or manipulations in these realms could be a continuum, and allowing insight into the nature of the exploit by those who exploit, as they think this way or rely on such deceptions, yet may also not be able to accurately account for themselves in these terms- seeing or evaluating the self accurately- looking into the mirror and see who is actually there versus who is believed there ("who is the fairest of them all", etc.) the signs can lie, can be hollowed-out, shallow, detached from truth yet *appear* to equate with an idea, to represent a truth, stand-in for it, and as long as no one is the wiser, this could be a successful approach though it remains virtual, the bubble can always be popped by outside accounting, and thus the way things are calculated and in what parameters does matter for how events are considered, communicated about, what is allowed reality and in this way, the masquerade of self as people may be externalized and held beyond this internal accounting for beliefs and actions, such that pseudo-truth is all that is required to sustained warped true belief' that is self-serving and dishonest, such that the person or IMAGE in the mirror is a fake, ungrounded in relation to actual existence, a conceit or ego that is daydreaming in terms of the chosen ideological terms of existence, and all that exists beyond this self interest remains unaccounted for and the external pressures involved, kept away from influencing these beliefs because it can be kept outside or protected against, via private enclaves; though at some point this could fail, and another world could take over and then this same person would have to come to terms with external accounting beyond the limited view, and for this their worldview would be effectively crushed, their ability to reason in these same terms and carry such beliefs would no longer be allowable, given the larger situation that now must be confronted and dealt with-- especially on terms other than self-beneficial. how well can liars do when the lies are no longer allowable as a practice. what happens when the accounting involves them losing jobs, careers, their houses, as others have due to the treachery of their antihuman ideology the danger is the encryption of the self that may not allow a self to be decrypted, if the key of truth is ignored. and thus those who can unlock themselves from the falsity have a different capacity for functioning than those who cannot audit themselves, take account of their actual condition versus a sign-based self-belief that wills itself into shallow existence, despite the facts and evidence. a volatile combination for instant madness, this. the self inaccessible, running hostile code, no way to masquerade, then stuck in a reframed reconstituted operating system of the state that seeks out the errors for removal. those humans aligned with truth on the one side, antihumans on the other. it is not appearance that is the issue, it is actuality, grounded beliefs as this relates to actions and integrity again in terms of security, the falsity of self and its ability to be exploited by self or others, or produce continual errors in processing then is a critical failure that must be remedied. the self needs to establish a 1=1 relation with truth and get beyond the reliance on manipulations that allow subjectivity to overrule evidence and disregard empirical modeling; that is, the conceit and narcissism of 'thinking' as binary onesideness that prevents thought via certainty of knowing a pseudo-truth viewpoint in terms of 'true belief' as if absolute and verified universally while false. those who do not do this perhaps are limited by parameters or boundaries that must be protected or confused and knotted and short-circuiting, yet also can rely upon this as a devious tactic that prolongs and extends the techniques of exploitation reliant on false frameworks and mimicry, saying one thing and doing another, as if it is beyond external calculation even. this situation and these interactions becomes transparent, freudian slips or tells or evidence of warped beliefs and limiting worldviews that seek to control and determine 'external events' in a bounded self-serving biased rationalization, that safely operates within a shared zone of ideology needless to say, this is also an operating system, these peoples mindsets are running routines in their brain-based platforms, programs and scripts and parsing data in certain parameters that exploit data and force it into particular skewed, self-serving views -- and thus, 3-value and N-value interactions can probe these situations and gain awareness of what these parameters are, what the limits are, how decision-making is justified and validated, what functions as proof (pattern matching, sign/image-based) and it is this same approach that extends into distributed technology systems, as the all-seeing eye of surveillance, the hidden identity that observes wrongly and seeks advantage through these same means, though here wetware where does the secure code begin and end. where does the insecure code begin and end. where does the corruption exist and extend from. it is thus the idea that truth is the basis for this evaluation of security, and lies are what allow insecurity in this context. if you run secure code on your machinery, if that is the goal, so too the self, or it could be in error sanaam, galangal, staranise ✉ -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 34739 bytes Desc: not available URL: From taxakis at gmail.com Mon Oct 14 07:12:50 2013 From: taxakis at gmail.com (taxakis) Date: Mon, 14 Oct 2013 16:12:50 +0200 Subject: [cryptome] snaps Message-ID: <00ad01cec8e7$77bd5360$6737fa20$@com> http://www.theguardian.com/uk-news/2013/oct/13/gchq-accused-monitoring-privileged-emails-lawyer-client-libya?CMP=twt_gu http://venturebeat.com/2013/10/08/ibm-researcher-can-decipher-your-personality-in-200-tweets/ http://wikileaks.org/Video-Edward-Snowden-wins-Sam.html? http://wikileaks.org/WikiLeaks-Releases-Fifth-Estate.html http://www.johndcook.com/blog/2013/10/12/prime-generating-fractions/ http://www.livescience.com/39821-mathematics-links-quantum-encryption-black-holes.html http://www.feld.com/wp/archives/2013/03/why-am-i-forbidden-from-using-my-iphone-in-us-immigration-areas.html https://blog.thijsalkema.de/blog/2013/10/08/piercing-through-whatsapps-encryption-2/ http://www.gwern.net/Terrorism%20is%20not%20about%20Terror http://www.internetgovernance.org/2013/10/11/the-core-internet-institutions-abandon-the-us-government/ ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From eugen at leitl.org Mon Oct 14 07:14:51 2013 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 14 Oct 2013 16:14:51 +0200 Subject: [cryptome] snaps Message-ID: <20131014141451.GM10405@leitl.org> ----- Forwarded message from taxakis ----- From data at kuketz.de Mon Oct 14 07:30:18 2013 From: data at kuketz.de (Mike Kuketz) Date: Mon, 14 Oct 2013 16:30:18 +0200 Subject: [linux-elitists] Browser fingerprinting In-Reply-To: <525BF5A7.1080801@appelbaum.net> References: <20131007060756.GX10405@leitl.org> <20131014000636.44F74DD8F@a-pb-sasl-quonix.pobox.com> <20131014012811.6d6463f5@Neptune> <525B9CED.20907@riseup.net> <20131014131033.0ee9af12@Neptune> <525BF5A7.1080801@appelbaum.net> Message-ID: <4444FC40-50C3-4AAD-A53C-920E45B0810F@kuketz.de> > Cathal Garvey: >> Well, crap. Thanks for that! >> >> Anyone with FF-plugin chops care to make a better version? > > The Tor Browser, of course! > > https://www.torproject.org/torbrowser/design > > These may be interesting to you: > > > https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise > > > https://blog.torproject.org/blog/deterministic-builds-part-two-technical-details > > Source and binary releases are available - I suggest using the 3.0 > alphas to help us improve them for general use: > > https://blog.torproject.org/category/tags/tbb-30 > > All the best, > Jacob > As an alternative to the Tor Browser i suggest the following: On this site you can check your browser "visibility": http://ip-check.info/?lang=en I think with the JonDo Firefox profile (https://anonymous-proxy-servers.net/en/jondofox.html) and these addons it's not easy to fingerprint you: - Adblock Edge - BetterPrivacy - CookieMonster - Disconnect - NoScript - RequestPolicy About a week i published an article about RequestPolicy on my IT security blog: RequestPolicy – Mehr Kontrolle beim Surfen It explains some tracking and why RequestPolicy is a fine Firefox addon. It's in german, but you can use Google Translate. Best regards, Mike Kuketz -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2475 bytes Desc: not available URL: From bill.stewart at pobox.com Mon Oct 14 17:24:18 2013 From: bill.stewart at pobox.com (Bill Stewart) Date: Mon, 14 Oct 2013 17:24:18 -0700 Subject: [linux-elitists] Browser fingerprinting In-Reply-To: <20131014181542.GY10405@leitl.org> References: <20131007060756.GX10405@leitl.org> <20131014000636.44F74DD8F@a-pb-sasl-quonix.pobox.com> <20131014012811.6d6463f5@Neptune> <525B9CED.20907@riseup.net> <20131014131033.0ee9af12@Neptune> <20131014173022.GA32033@netbook.cypherspace.org> <20131014181542.GY10405@leitl.org> Message-ID: <20131015002423.DACBDE31E@a-pb-sasl-quonix.pobox.com> At 11:15 AM 10/14/2013, Eugen Leitl wrote: >On Mon, Oct 14, 2013 at 07:30:22PM +0200, Adam Back wrote: > > > Well you should say the web developers regressed since then. > >The worst is that the entire trainwreck has been so >predictable, right from the start. If by "right from the start" you're including "back in ~1987, when I was on standards committees that were specifying SGML for their applications", then yes, the trainwreck was around then, even before HTML or the web. "Computer-Aided Logistics Support", aka CALS, was trying to address standards for handling documentation, mainly for the aircraft business and military contractors; you couldn't fit the design and maintenance documentation for a typical cargo airplane into the airplane itself. The people who got the concept wanted to be able to do things like have maintenance manuals that you could read on whatever display you had, whether it's a high-res computer terminal or a monospaced wrist-mounted screen when you were standing on a ladder working on an engine, and you'd have objects like "a 2nd-level header". The people who didn't get it wanted to be able to have data formats that could keep track of page numbers (so you could replicate taking the old page 1435.2 out of a 3-ring binder and replace it with an updated version), and objects like "a line of 14-point bold-faced text." We ended up with some botched DTD that sort of let you do both, badly. Graphics were supposed to be in a portable vector-based format, but they didn't have that finished while I was still working on that committee. And eventually Sir Tim came up with HTML, which was sort of like a simplified DTD that did basic markup mostly correctly (plus hypertext and forms entry!), though with bitmapped pictures, and later people started to botch it up by letting you specify specific fonts and layouts (even if the reader's display didn't look like the author's), and Javascript to try to plaster over the botches, and it's been unsafely downhill from there. From tom at ritter.vg Mon Oct 14 14:30:09 2013 From: tom at ritter.vg (Tom Ritter) Date: Mon, 14 Oct 2013 17:30:09 -0400 Subject: An Interview with Simon Persson of CounterMail In-Reply-To: <09cebb934a7f5049e5888a339eda559d.cm1@countermail.com> References: <09cebb934a7f5049e5888a339eda559d.cm1@countermail.com> Message-ID: "You can delete the private key from our server (but we recommend this only for advanced users, your private key is always encrypted on our server anyway" This sounds pretty similar to Lavabit. The server stores your emails encrypted, but they're decrypted for you when you login, using your password as the key to decrypt your private key. The difference (I think, I never used Lavabit) is that you can retrieve the private key from Countermail and then ask them to delete it. It would be even nicer if they let you upload your public key so they never see the private key. You'd still have to trust them not to copy plaintext as it's coming in, which depending on how you think about it might be equivalent to them having a private key to your mail in the first place. In all these 'secure email' providers, they all have the same problem: they see incoming plaintext, and could be compelled to store it/record it. It's not their fault, they do the best they can, it's just how email works. -tom From bill.stewart at pobox.com Mon Oct 14 17:45:26 2013 From: bill.stewart at pobox.com (Bill Stewart) Date: Mon, 14 Oct 2013 17:45:26 -0700 Subject: Bitcoin mining efficiency and Botnets Message-ID: <20131015004529.5D989E413@a-pb-sasl-quonix.pobox.com> http://www.techweekeurope.co.uk/news/zeroaccess-bitcoin-botnet-sinkholed-128331?ModPagespeed=noscript Zeroaccess was a botnet that did a bunch of things, such as fake ad clicks and Bitcoin mining. A DNS sinkhole was created to attack its DNS-based communications, which took out about 1/3 of the botnet. One side issue that I found interesting, besides the usual security stuff, was the assertion that "The botnet's Bitcoin operation was only profitable because it used stolen electricity: it used about $561,000 of electricity a day on its victims' machines, while only generating $2,165 a day." What does this say about the future of Bitcoin mining? I'm guessing that the botnet only mined on CPUs, not on GPUs, because doing GPU calculations requires adapting code to different kinds of hardware and is likely to have visible effects on the screen if you're not careful, but even so, does this mean that Bitcoin miners who want to make a profit are going to need to dump general-purpose machines in favor of specialized hardware such as FPGAs or ASICs? Or is buying a high-end GPU still good enough? From coderman at gmail.com Mon Oct 14 18:01:59 2013 From: coderman at gmail.com (coderman) Date: Mon, 14 Oct 2013 18:01:59 -0700 Subject: Bitcoin mining efficiency and Botnets In-Reply-To: <20131015004529.5D989E413@a-pb-sasl-quonix.pobox.com> References: <20131015004529.5D989E413@a-pb-sasl-quonix.pobox.com> Message-ID: On Mon, Oct 14, 2013 at 5:45 PM, Bill Stewart wrote: > ... > "The botnet's Bitcoin operation was only profitable because it used > stolen electricity: > it used about $561,000 of electricity a day on its victims' > machines, while only generating $2,165 a day." > What does this say about the future of Bitcoin mining? that it is getting harder ;) > I'm guessing that the botnet only mined on CPUs, not on GPUs, > because doing GPU calculations requires adapting code to different kinds of > hardware > and is likely to have visible effects on the screen if you're not careful, it used both, and yes, you need to tune the kernels and work load conservatively to not cause performance degradation visible to the user. this is entirely doable and i've seen it done. > but even so, does this mean that Bitcoin miners who want to make a profit > are going to need to dump general-purpose machines in favor of specialized > hardware > such as FPGAs or ASICs? Or is buying a high-end GPU still good enough? GPU miners are the new CPU miners. it's an all ASIC game now... best regards, From coderman at gmail.com Mon Oct 14 18:07:57 2013 From: coderman at gmail.com (coderman) Date: Mon, 14 Oct 2013 18:07:57 -0700 Subject: [cryptography] /dev/random is not robust Message-ID: On Mon, Oct 14, 2013 at 5:35 PM, wrote: > http://eprint.iacr.org/2013/338.pdf "...it remains unclear if these attacks lead to actual exploitable vulnerabilities in practice." in my mtrngd for XSTORE i not only fed /dev/random when it became write-able (entropy less than full) but also fed it at regular intervals, specifically to keep the pool fresh. in the standard rng-tools rngd, you specify this parameter with the timeout parameter, "Interval written to random-device when the entropy pool is full, in seconds (default: 60)" i am pleased to see this made it into the stock rngd source! best regards, _______________________________________________ cryptography mailing list cryptography at randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From gnu at toad.com Mon Oct 14 18:53:58 2013 From: gnu at toad.com (John Gilmore) Date: Mon, 14 Oct 2013 18:53:58 -0700 Subject: [Cryptography] "/dev/random is not robust" Message-ID: <201310150153.r9F1rwqQ011302@new.toad.com> > http://eprint.iacr.org/2013/338.pdf I'll be the first to admit that I don't understand this paper. I'm just an engineer, not a mathematician. But it looks to me like the authors are academics, who create an imaginary construction method for a random number generator, then prove that /dev/random is not the same as their method, and then suggest that /dev/random be revised to use their method, and then show how much faster their method is. All in all it seems to be a pitch for their method, not a serious critique of /dev/random. They labeled one of their construction methods "robustness", but it doesn't mean what you think the word means. It's defined by a mess of greek letters like this: Theorem 2. Let n > m, , ?? ??? be integers. Assume that G : {0, 1}m ??? {0, 1}n+ is a deterministic (t, ??prg )- pseudorandom generator. Let G = (setup, refresh, next) be defined as above. Then G is a ((t , qD , qR , qS ), ?? ??? , ??)- 2 robust PRNG with input where t ??? t, ?? = qR (2??prg +qD ??ext +2???n+1 ) as long as ?? ??? ??? m+2 log(1/??ext )+1, n ??? m + 2 log(1/??ext ) + log(qD ) + 1. Yeah, what he said! Nowhere do they seem to show that /dev/random is actually insecure. What they seem to show is that it does not meet the "robustness" criterion that they arbitrarily picked for their own construction. Their key test is on pages 23-24, and begins with "After a state compromise, A (the adversary) knows all parameters." The comparison STARTS with the idea that the enemy has figured out all of the hidden internal state of /dev/random. Then the weakness they point out seems to be that in some cases of new, incoming randomness with mis-estimated entropy, /dev/random doesn't necessarily recover over time from having had its entire internal state somehow compromised. This is not very close to what "/dev/random is not robust" means in English. Nor is it close to what others might assume the paper claims, e.g. "/dev/random is not safe to use". John PS: After attending a few crypto conferences, I realized that academic pressures tend to encourage people to write incomprehensible papers, apparently because if nobody reading their paper can understand it, then they look like geniuses. But when presenting at a conference, if nobody in the crowd can understand their slides, then they look like idiots. So the key to understanding somebody's incomprehensible paper is to read their slides and watch their talk, 80% of which is often explanations of the background needed to understand the gibberish notations they invented in the paper. I haven't seen either the slides or the talk relating to this paper. _______________________________________________ The cryptography mailing list cryptography at metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From bill.stewart at pobox.com Mon Oct 14 18:58:47 2013 From: bill.stewart at pobox.com (Bill Stewart) Date: Mon, 14 Oct 2013 18:58:47 -0700 Subject: Bitcoin mining efficiency and Botnets Message-ID: <20131015015851.A78C3E7FF@a-pb-sasl-quonix.pobox.com> Lodewijk andré de la porte sent an interesting reply. >Date: Tue, 15 Oct 2013 02:57:52 +0200 >Subject: Re: Bitcoin mining efficiency and Botnets >From: Lodewijk andré de la porte > >"High end" (optimal for mining != high end per >se) GPU's have been dumped since forever in >favor of FPGAs. Some people picked them for >availability or resell value even in the FPGA era. > >FPGA is now totally dead because ASICs rule the >game totally. They're totally Bitcoin exclusive >so resale value if Bitcoin goes bam is 0. >They're flooding the market at increasingly >competitive prices and there's likely no money >to be made off them soon, except where electricity is cheap. > >If your profit depends on bitcoin achieving a >certain success it is usually better to buy BTC >directly, and save yourself risk and hassle with physical objects. > >Note: Litecoin's mayor advantage is that it's >something that works relatively better on GPU. >There GPU is still fighting FPGA and ASIC would >be less feasible (maybe even infeasible?) bc of memory demands. From electromagnetize at gmail.com Mon Oct 14 17:08:52 2013 From: electromagnetize at gmail.com (brian carroll) Date: Mon, 14 Oct 2013 19:08:52 -0500 Subject: clarification re: [20] Message-ID: quoth me-self: so what if everyone exists in 'some truth' or partial truth, and this is a > pseudo- condition, in that it is ambiguous and variant in terms of how it > can be and is accounted for. [truth] is not 100% absolute, instead it is > embedded in frameworks and contexts that carry it and these can be in error > in terms of viewpoint or beliefs or perspective or facts and even subverted > or twisted, such that truth is aligned within a warped worldview that then > becomes normalized and the basis for relations and exchange, as with today > abstract point requiring clarification: "truth in itself" is proposed true when removed of any known errors, contingently absolute (100%) yet when represented in frameworks of signs, there can be variability due to this embedded or nested condition where truth is being referenced or carried within or by the signage- thus a [sign] for truth, meant to represent it is not this actual truth, it is a conduit or circuit to it, yet may have other characteristics or boundaries as a sign- there may be relativistic aspects involved whereby the word [truth] does not equate with truth universally, given perspective and limits and literacy or its variability in a context of language- whatever is true about truth would be represented in other sign-based translations of this concept of truth, only the specific english-version... (perhaps this is not enough to clarify the many issues involved though they have been addressed elsewhere, where this condition of partial truth is refined into empirical truth, though it occurs conceptually, not just as a sign that represents the concept- and thus, the sign of truth given the observation could be a binary observation of only some part of it, yet equated with it, via its [word] for instance)... [truth] [لجنة تقصي الحقائق] [истината] [veritat] [真相] [αλήθεια] [האמת] [真実] [진실] [حقیقت] [pravda] [ความจริง] [Gerçek şu ki] [Істина] [سچائی] [sự thật] ...it is thus proposed that the fidelity with absolute truth is not a default condition of reading/writing such signs, and instead is minimal with regard to actual grounded truth, bound by the observer and shared observation, in whatever dimensions may exist, which can be arbitrary and minimal in comparison to what the situation actually involves, and that to get at that depth and breadth requires N-dimensional panoptic modeling of various perspectives of pseudo-truth, methodologically evaluated and removed of known errors and running as a working hypothesis of reality, versus a default belief that observations in and of themselves are accurate simply by processing reality in particular frameworks and sharing experience... this can be empirically ungrounded, reliant on limits or errors, relativistic and must be accounted for to validate the modeling, yet linear language itself does not allow this, which is why modeling and diagrams are necessary, to stop the flow of time to delve into the concepts and evaluate their accuracy in terms of structures and frameworks and dimensions and dynamics, versus assuming a non-existent common understanding validates 'beliefs' when they are shared yet these observations do not inherently ground into the same structures, such that a [concept] could be interpreted multiple ways via its superposition, thus the issue of representation in terms of its variability, the instability of language, perhaps best noted by the error or typo which breaks the illusion of perfect transmission of theorized truth that does not actually exist beyond the observer in a limited framework, beyond external accounting. language itself is rigged, a game. it does not map to truth by default. it is corrupted, an image-based pattern-matching exercise that covers truth and replaces it by hollowing it out. it is surface-level evaluation, allows and requires this, unless logic cracks it open and demands truth be accounted for in these statements. otherwise it is friction-free ideology, believe what you will, find others, create your own perspective, etc. truth is underneath or accessed by this insofar as it is accurately referenced, yet it is almost tangential to the language, to the description needed to recreate the world through a constant requirement of story telling and context in order to say anything beyond the shared limited boundary, which is inherently tedious and inefficient and ineffective. in this way also, millions of lines of code and issues of how 'truth' of data is parsed, based on how it is represented in terms of signs, concepts, patterns, relational dynamics. --- not sure unicode-8 will render various signage, thus attachment included... -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 5287 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signs representing truth.PNG Type: image/png Size: 7208 bytes Desc: not available URL: From albill at openbuddha.com Mon Oct 14 19:27:07 2013 From: albill at openbuddha.com (Al Billings) Date: Mon, 14 Oct 2013 19:27:07 -0700 (PDT) Subject: [linux-elitists] Browser fingerprinting In-Reply-To: <20131014173022.GA32033@netbook.cypherspace.org> References: <20131014173022.GA32033@netbook.cypherspace.org> Message-ID: <1381804027490.ae5de89b@Nodemailer> Only if you wish it was "the good old days" but then this is the list with folks that refuse to run JavaScript and don't understand why anyone would want to use twitter, as I recall. Al On Mon, Oct 14, 2013 at 10:30 AM, Adam Back > wrote: Well you should say the web developers regressed since then. Adam -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 798 bytes Desc: not available URL: From adam at cypherspace.org Mon Oct 14 10:30:22 2013 From: adam at cypherspace.org (Adam Back) Date: Mon, 14 Oct 2013 19:30:22 +0200 Subject: [linux-elitists] Browser fingerprinting In-Reply-To: References: <20131007060756.GX10405@leitl.org> <20131014000636.44F74DD8F@a-pb-sasl-quonix.pobox.com> <20131014012811.6d6463f5@Neptune> <525B9CED.20907@riseup.net> <20131014131033.0ee9af12@Neptune> Message-ID: <20131014173022.GA32033@netbook.cypherspace.org> Well you should say the web developers regressed since then. Adam On Mon, Oct 14, 2013 at 09:54:24AM -0700, Al Billings wrote: > About 19 years ago, it was. The rest of the world (and web developers) > moved on since then. > __________________________________________________________________ > > From: Cathal Garvey [1]Cathal Garvey > > Wasn't the whole idea of > browser rendering that the server would send one canonical page to the > client, and the client is responsible for rendering? From jd.cypherpunks at gmail.com Mon Oct 14 10:50:30 2013 From: jd.cypherpunks at gmail.com (jd.cypherpunks at gmail.com) Date: Mon, 14 Oct 2013 19:50:30 +0200 Subject: Assassination Politics on Ycombinator In-Reply-To: References: <20131014091833.GV10405@leitl.org> <20131014100204.GA28712@netbook.cypherspace.org> Message-ID: Reposted Jim's original at http://cpunks.wordpress.com/2013/10/14/assassination-politics-199596/ b/c too many young people didn't read it. --Michael 14.10.2013 - 16:12 John Young : > Snapshot this morning: > > http://cryptome.org/2013/10/ap-ycombinator-13-1014-0944.htm > > > > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1608 bytes Desc: not available URL: From shelley at misanthropia.info Mon Oct 14 20:09:20 2013 From: shelley at misanthropia.info (shelley at misanthropia.info) Date: Mon, 14 Oct 2013 20:09:20 -0700 Subject: To Get Around US Law, The NSA Collects Email Address Books And Chat Buddy Lists From Foreign Locations Message-ID: <20131015030923.D88B2680138@frontend2.nyi.mail.srv.osa> http://m.techcrunch.com/2013/10/14/to-get-around-us-law-the-nsa-collects-email-address-books-and-chat-buddy-lists-from-foreign-locations/ To Get Around US Law, The NSA Collects Email Address Books And Chat Buddy Lists From Foreign Locations by ALEX WILHELM posted 2 Hours Ago The Washington Post [link below] broke news this afternoon that the National Security Agency (NSA) is collecting huge numbers of email address books and chat buddy lists for both foreign individuals and United States citizens. It appears that the NSA lacks Congressional authority to collect buddy lists and address book information in the way that it currently does. As the Post rightly points out, address book data can include physical addresses, very personal information, and more. To get around that lack of a mandate, the NSA has agreements with non-U.S. telcos and works with other, non-U.S. intelligence groups. So to get its hands on even more information, the NSA avoids the constraints of its provided oversight and legal boundaries, by going to alternative sources of the data that it wants. That matters because the rules of other countries for tracking the communication of United States citizens are more lax. Recall that the NSA is in some ways slowed from collecting information on citizens of the United States, but not those of other countries. So, if the NSA is willing to accept data from foreign intelligence agencies that it is not able to collect in this case, why not in other cases as well? If the NSA won’t respect the constraints that are put in place on its actions for a reason, and will instead shirk its responsibilities and find a way to get all the data it could ever desire, then we have even less reason to trust its constant petitions that it follows the law, and is the only thing keeping the United States safe from conflagration. The Post continues: “When information passes through ‘the overseas collection apparatus,’ [an intelligence office] added, ‘the assumption is you’re not a U.S. person.’” This means that when the NSA sweeps up contact data, buddy lists, and address sets from overseas, the same rules that keep it from collecting information on United States citizens aren’t likely in play. Minimization, it would seem, would be minimal. The phone metadata program knows who you called, when, and for how long. PRISM can force your private information out of major Internet companies. XKeyscore can read your email, and tracks most of what you do online. And the above program circumvents Congressional oversight by collecting more data on U.S. citizens by merely executing that collection abroad. How private are you feeling? – Facebook provided TechCrunch with the following statement: “As we have said many times, we believe that while governments have an important responsibility to keep people safe, it is possible to do so while also being transparent. We strongly encourage all governments to provide greater transparency about their efforts aimed at keeping the public safe, and we will continue to be aggressive advocates for greater disclosure.” Microsoft repeated to TechCrunch what it had told the Washington Post, that it “does not provide any government with direct or unfettered access to our customers’ data” and that if the above revelations are true, then the company would “have significant concerns.” Source: http://www.washingtonpost.com/world/national-security/nsa-collects-millions-of-e-mail-address-books-globally/2013/10/14/8e58b5be-34f9-11e3-80c6-7e6dd8d22d8f_story.html (also archived at Cryptome) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 4248 bytes Desc: not available URL: From eugen at leitl.org Mon Oct 14 11:15:42 2013 From: eugen at leitl.org (Eugen Leitl) Date: Mon, 14 Oct 2013 20:15:42 +0200 Subject: [linux-elitists] Browser fingerprinting In-Reply-To: <20131014173022.GA32033@netbook.cypherspace.org> References: <20131007060756.GX10405@leitl.org> <20131014000636.44F74DD8F@a-pb-sasl-quonix.pobox.com> <20131014012811.6d6463f5@Neptune> <525B9CED.20907@riseup.net> <20131014131033.0ee9af12@Neptune> <20131014173022.GA32033@netbook.cypherspace.org> Message-ID: <20131014181542.GY10405@leitl.org> On Mon, Oct 14, 2013 at 07:30:22PM +0200, Adam Back wrote: > Well you should say the web developers regressed since then. The worst is that the entire trainwreck has been so predictable, right from the start. From chad at sveltemail.com Mon Oct 14 11:49:24 2013 From: chad at sveltemail.com (chad at sveltemail.com) Date: Mon, 14 Oct 2013 20:49:24 +0200 Subject: An Interview with Simon Persson of CounterMail Message-ID: <09cebb934a7f5049e5888a339eda559d.cm1@countermail.com> Hey Everyone, I posted this up on HN and Reddit, and it was largely ignored. Perhaps you guys will find it interesting... http://www.unfinishedman.com/interview-simon-persson-founder-countermail-secure-email-provider/ From paul at servalproject.org Mon Oct 14 03:50:34 2013 From: paul at servalproject.org (Paul Gardner-Stephen) Date: Mon, 14 Oct 2013 21:20:34 +1030 Subject: [serval-project-dev] Roaming between mesh extenders Message-ID: Hello, On Mon, Oct 14, 2013 at 8:56 PM, Paul Gardner-Stephen < paul at servalproject.org> wrote: > Hello, > > > On Mon, Oct 14, 2013 at 4:47 PM, Eugen Leitl wrote: > >> On Mon, Oct 14, 2013 at 07:39:41AM +1030, Paul Gardner-Stephen wrote: >> > Hello, >> > >> > On Mon, Oct 14, 2013 at 4:41 AM, Miles wrote: >> > >> > > >> > > Is each mesh extender supposed to have a distinct ip range for the >> public >> > > network? That's what commotion &etc do. >> > > >> > >> > We haven't done that yet. Partly because in a large network there just >> > aren't enough IPv4 addresses to support unique IP ranges for each. We >> can >> > of course still greatly reduce the probability of a nearby collision by >> > doing so, and so probably should, and possibly randomise on boot. >> >> Have you looked into cjdns way of doing things? > > > No, we haven't. We are quite happy to apply a more sophisticated approach > than we do now for this. From a pragmatic perspective it might make sense > for us to just copy what Commotion do. I don't know if they are using > cjdns. > Just a followup having read a little more about cjdns now -- basically Serval doesn't need cjdns because the Serval overlay mesh network uses public keys as network addresses. Being an overlay, it is also possible for us to use arbitrary transports, and not have to worry about needing root access on a device. This means that we can make a 1st-class Android mesh client that doesn't need root, for example. The use of public keys as network addresses means that all communications can be encrypted and authenticated without any further complications. The use of IP on Serval mesh nodes is just to provide something for the mesh to tunnel over, so the IP configuration is not interesting to us, and can be configured however the user otherwise wishes if they want it to interoperate with some existing IP network or mesh. Paul. > Paul. > > >> -- >> You received this message because you are subscribed to the Google Groups >> "Serval Project Developers" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to serval-project-developers+unsubscribe at googlegroups.com. >> To post to this group, send email to >> serval-project-developers at googlegroups.com. >> Visit this group at >> http://groups.google.com/group/serval-project-developers. >> For more options, visit https://groups.google.com/groups/opt_out. >> > > -- You received this message because you are subscribed to the Google Groups "Serval Project Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to serval-project-developers+unsubscribe at googlegroups.com. To post to this group, send email to serval-project-developers at googlegroups.com. Visit this group at http://groups.google.com/group/serval-project-developers. For more options, visit https://groups.google.com/groups/opt_out. ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From cathalgarvey at cathalgarvey.me Mon Oct 14 14:16:41 2013 From: cathalgarvey at cathalgarvey.me (Cathal Garvey) Date: Mon, 14 Oct 2013 22:16:41 +0100 Subject: Assassination Politics on Ycombinator In-Reply-To: References: <20131014091833.GV10405@leitl.org> <20131014100204.GA28712@netbook.cypherspace.org> Message-ID: <20131014221641.48b4da6d@Neptune> > Reposted Jim's original at > http://cpunks.wordpress.com/2013/10/14/assassination-politics-199596/ > b/c too many young people didn't read it. --Michael Funny, I was just reading about restitutionary justice this morning. Reminded me of a longstanding thought process indicting "retributionary justice" for many of the failing in our societal system. That is, we punish people for things, expecting that the threat of punishment, or the experience of punishment, will prevent crime. But, it doesn't, at all. Assassination politics is just extreme retributionary justice. It's a lipstick-on-a-pig rebranding that's easy to sell to crypto-enthusiasts; "Look, we can use crypto to solve all societal problems, including keeping politicians honest!". To some extent it might, but it certainly wouldn't solve the problem as well as, er, most viable alternatives. It'll just breed a generation of smarter crooked politicians. On Mon, 14 Oct 2013 19:50:30 +0200 "jd.cypherpunks at gmail.com" wrote: > Reposted Jim's original at > http://cpunks.wordpress.com/2013/10/14/assassination-politics-199596/ > b/c too many young people didn't read it. --Michael > > > 14.10.2013 - 16:12 John Young : > > > Snapshot this morning: > > > > http://cryptome.org/2013/10/ap-ycombinator-13-1014-0944.htm > > > > > > > > -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: not available URL: From dj at deadhat.com Mon Oct 14 17:35:13 2013 From: dj at deadhat.com (dj at deadhat.com) Date: Tue, 15 Oct 2013 00:35:13 -0000 Subject: [Cryptography] /dev/random is not robust Message-ID: <4ca15bb1026e7a249f79a415fb1f9042.squirrel@www.deadhat.com> http://eprint.iacr.org/2013/338.pdf _______________________________________________ The cryptography mailing list cryptography at metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From joseph at josephholsten.com Mon Oct 14 18:14:46 2013 From: joseph at josephholsten.com (Joseph Holsten) Date: Tue, 15 Oct 2013 01:14:46 +0000 Subject: Bitcoin mining efficiency and Botnets In-Reply-To: <20131015004529.5D989E413@a-pb-sasl-quonix.pobox.com> References: <20131015004529.5D989E413@a-pb-sasl-quonix.pobox.com> Message-ID: <09D6B7DE-68E6-44B3-8571-F43F2FAD5CCF@josephholsten.com> On 2013-10-15, at 00:45, Bill Stewart wrote: > http://www.techweekeurope.co.uk/news/zeroaccess-bitcoin-botnet-sinkholed-128331?ModPagespeed=noscript > > does this mean that Bitcoin miners who want to make a profit > are going to need to dump general-purpose machines in favor of specialized hardware > such as FPGAs or ASICs? Yes. They already have. -- ~j -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 496 bytes Desc: Message signed with OpenPGP using GPGMail URL: From coderman at gmail.com Tue Oct 15 03:16:55 2013 From: coderman at gmail.com (coderman) Date: Tue, 15 Oct 2013 03:16:55 -0700 Subject: Bitcoin mining efficiency and Botnets In-Reply-To: <20131015110341.34dff884@Neptune> References: <20131015004529.5D989E413@a-pb-sasl-quonix.pobox.com> <20131015110341.34dff884@Neptune> Message-ID: On Tue, Oct 15, 2013 at 3:03 AM, Cathal Garvey wrote: >.... > People focus too much on the "profit" miners make, and not the > verifiability and anarchism they are supposed to be providing to the > bitcoin network. this is why it is useful to run a bitcoind and contribute to the network, even if you do not mine. as for contributing with a CPU or GPU it is simply not worth the power cost. buy coins and run nodes; participate in the digital economy! mining was always intended as a bootstrap, not a means unto itself... From coderman at gmail.com Tue Oct 15 03:45:19 2013 From: coderman at gmail.com (coderman) Date: Tue, 15 Oct 2013 03:45:19 -0700 Subject: Bitcoin mining efficiency and Botnets In-Reply-To: <20131015113102.4f427b39@Neptune> References: <20131015004529.5D989E413@a-pb-sasl-quonix.pobox.com> <20131015110341.34dff884@Neptune> <20131015113102.4f427b39@Neptune> Message-ID: On Tue, Oct 15, 2013 at 3:31 AM, Cathal Garvey wrote: > ... If you can [EDIT: out resource a majority of the network] ... > you can rewrite recent history in > bitcoin, selectively permit transactions between other peers, cause > general havoc. the key is an attacker taking over some majority of the network. this is a much longer tangent, of which mining capacity is just a part, and i still assert that CPU and GPU mining doesn't factor into the overall risk from malicious peers. > The reward for mining was the bootstrap, but mining > itself is a critical part of what makes bitcoin work. in some few score years there will be zero coins rewarded for mining blocks - the financial incentive, for what it is currently, merely a transient part of the bootstrap. is mining important? sure. but that does not mean a CPU or GPU can contribute meaningfully to the current network. litecoin, as mentioned in another reply, is certainly relevant for these architectures however. and again, it is just as important to participate in the network, even if you do not mine! this will always be true, while financial incentives for mining are transient and volatile. From coderman at gmail.com Tue Oct 15 07:39:24 2013 From: coderman at gmail.com (coderman) Date: Tue, 15 Oct 2013 07:39:24 -0700 Subject: Bitcoin mining efficiency and Botnets In-Reply-To: <525D2317.8050500@witmond.nl> References: <20131015004529.5D989E413@a-pb-sasl-quonix.pobox.com> <20131015110341.34dff884@Neptune> <20131015113102.4f427b39@Neptune> <525D2317.8050500@witmond.nl> Message-ID: On Tue, Oct 15, 2013 at 4:12 AM, Guido Witmond wrote: > ... [transaction fees, if applied, are non-zero] ... > So there will be an incentive to run a 'miner'. > > And when bitcoin usage grows to the cash flow of a medium sized country, > the payout will be better than that of a state lottery. And your lottery > ticket is a one time purchase. perhaps your reference to lottery is appropriate; mining as a novelty and entertainment, rather than means producing effort. we can argue about the greater flaws in our projections, but odds are scores of decades fall against both our favor in some unexpected ways... in any case, more circular arguments. if i could spend X on power for GPU or direct BTC purchase, the latter is the better investment. if you continue to claim CPU and GPU mining (for bitcoin currently, not litecoin currently) is effective, show me math ;) From dan at geer.org Tue Oct 15 05:01:11 2013 From: dan at geer.org (dan at geer.org) Date: Tue, 15 Oct 2013 08:01:11 -0400 Subject: [linux-elitists] Browser fingerprinting In-Reply-To: Your message of "Mon, 14 Oct 2013 09:54:24 PDT." Message-ID: <20131015120111.290F22282F1@palinka.tinho.net> Cathal Garvey > Wasn't the whole idea of browser rendering that the server would > send one canonical page to the client, and the client is responsible > for rendering? If only. The client is now the server's server. And, yeah, I am one of those who refuses Javascript, so the web is shrinking fast from where I sit. Oh, well. --dan From me at staticsafe.ca Tue Oct 15 06:20:08 2013 From: me at staticsafe.ca (staticsafe) Date: Tue, 15 Oct 2013 09:20:08 -0400 Subject: [linux-elitists] Browser fingerprinting In-Reply-To: <20131015122704.GE10405@leitl.org> References: <20131015120111.290F22282F1@palinka.tinho.net> <20131015122704.GE10405@leitl.org> Message-ID: <525D4108.8090606@staticsafe.ca> On 10/15/2013 08:27, Eugen Leitl wrote: > On Tue, Oct 15, 2013 at 08:01:11AM -0400, dan at geer.org wrote: > >> And, yeah, I am one of those who refuses Javascript, so >> the web is shrinking fast from where I sit. Oh, well. > > As long as you're jailing your browser into an amnesiac > compartment and run TBB (latest 3 alpha is pretty good) > your risk is minimal. > What about the people who don't want to use TBB (like me)? A Firefox addon collection [0] would be a nice start, if it doesn't already exist. [0] - https://addons.mozilla.org/en-US/firefox/collections/ -- staticsafe O< ascii ribbon campaign - stop html mail - www.asciiribbon.org Please don't top post. It is not logical. Please don't CC me! I'm subscribed to whatever list I just posted on. From eugen at leitl.org Tue Oct 15 00:50:12 2013 From: eugen at leitl.org (Eugen Leitl) Date: Tue, 15 Oct 2013 09:50:12 +0200 Subject: NSA collects millions of e-mail address books globally Message-ID: <20131015075011.GG10405@leitl.org> http://www.washingtonpost.com/world/national-security/nsa-collects-millions-of-e-mail-address-books-globally/2013/10/14/8e58b5be-34f9-11e3-80c6-7e6dd8d22d8f_story.html?wpisrc=al_national NSA collects millions of e-mail address books globally Video: In June, President Obama said the NSA’s email collecting program “does not apply to U.S. citizens.” By Barton Gellman and Ashkan Soltani, Tuesday, October 15, 12:53 AM E-mail the writer The National Security Agency is harvesting hundreds of millions of contact lists from personal e-mail and instant messaging accounts around the world, many of them belonging to Americans, according to senior intelligence officials and top-secret documents provided by former NSA contractor Edward Snowden. The collection program, which has not been disclosed before, intercepts e-mail address books and “buddy lists” from instant messaging services as they move across global data links. Online services often transmit those contacts when a user logs on, composes a message, or synchronizes a computer or mobile device with information stored on remote servers. Rather than targeting individual users, the NSA is gathering contact lists in large numbers that amount to a sizable fraction of the world’s e-mail and instant messaging accounts. Analysis of that data enables the agency to search for hidden connections and to map relationships within a much smaller universe of foreign intelligence targets. During a single day last year, the NSA’s Special Source Operations branch collected 444,743 e-mail address books from Yahoo, 105,068 from Hotmail, 82,857 from Facebook, 33,697 from Gmail and 22,881 from unspecified other providers, according to an internal NSA PowerPoint presentation. Those figures, described as a typical daily intake in the document, correspond to a rate of more than 250 million a year. Each day, the presentation said, the NSA collects contacts from an estimated 500,000 buddy lists on live-chat services as well as from the inbox displays of Web-based e-mail accounts. The collection depends on secret arrangements with foreign telecommunications companies or allied intelligence services in control of facilities that direct traffic along the Internet’s main data routes. Although the collection takes place overseas, two senior U.S. intelligence officials acknowledged that it sweeps in the contacts of many Americans. They declined to offer an estimate but did not dispute that the number is likely to be in the millions or tens of millions. A spokesman for the Office of the Director of National Intelligence, which oversees the NSA, said the agency “is focused on discovering and developing intelligence about valid foreign intelligence targets like terrorists, human traffickers and drug smugglers. We are not interested in personal information about ordinary Americans.” The spokesman, Shawn Turner, added that rules approved by the attorney general require the NSA to “minimize the acquisition, use and dissemination” of information that identifies a U.S. citizen or permanent resident. The NSA’s collection of nearly all U.S. call records, under a separate program, has generated significant controversy since it was revealed in June. The NSA’s director, Gen. Keith B. Alexander, has defended “bulk” collection as an essential counterterrorism and foreign intelligence tool, saying, “You need the haystack to find the needle.” Contact lists stored online provide the NSA with far richer sources of data than call records alone. Address books commonly include not only names and e-mail addresses, but also telephone numbers, street addresses, and business and family information. Inbox listings of e-mail accounts stored in the “cloud” sometimes contain content, such as the first few lines of a message. Taken together, the data would enable the NSA, if permitted, to draw detailed maps of a person’s life, as told by personal, professional, political and religious connections. The picture can also be misleading, creating false “associations” with ex-spouses or people with whom an account holder has had no contact in many years. The NSA has not been authorized by Congress or the special intelligence court that oversees foreign surveillance to collect contact lists in bulk, and senior intelligence officials said it would be illegal to do so from facilities in the United States. The agency avoids the restrictions in the Foreign Intelligence Surveillance Act by intercepting contact lists from access points “all over the world,” one official said, speaking on the condition of anonymity to discuss the classified program. “None of those are on U.S. territory.” Because of the method employed, the agency is not legally required or technically able to restrict its intake to contact lists belonging to specified foreign intelligence targets, he said. When information passes through “the overseas collection apparatus,” the official added, “the assumption is you’re not a U.S. person.” In practice, data from Americans is collected in large volumes — in part because they live and work overseas, but also because data crosses international boundaries even when its American owners stay at home. Large technology companies, including Google and Facebook, maintain data centers around the world to balance loads on their servers and work around outages. A senior U.S. intelligence official said the privacy of Americans is protected, despite mass collection, because “we have checks and balances built into our tools.” NSA analysts, he said, may not search within the contacts database or distribute information from it unless they can “make the case that something in there is a valid foreign intelligence target in and of itself.” In this program, the NSA is obliged to make that case only to itself or others in the executive branch. With few exceptions, intelligence operations overseas fall solely within the president’s legal purview. The Foreign Intelligence Surveillance Act, enacted in 1978, imposes restrictions only on electronic surveillance that targets Americans or takes place on U.S. territory. By contrast, the NSA draws on authority in the Patriot Act for its bulk collection of domestic phone records, and it gathers online records from U.S. Internet companies, in a program known as PRISM, under powers granted by Congress in the FISA Amendments Act. Those operations are overseen by the Foreign Intelligence Surveillance Court. Sen. Dianne Feinstein, the California Democrat who chairs the Senate Intelligence Committee, said in August that the committee has less information about, and conducts less oversight of, intelligence gathering that relies solely on presidential authority. She said she planned to ask for more briefings on those programs. “In general, the committee is far less aware of operations conducted under 12333,” said a senior committee staff member, referring to Executive Order 12333, which defines the basic powers and responsibilities of the intelligence agencies. “I believe the NSA would answer questions if we asked them, and if we knew to ask them, but it would not routinely report these things, and, in general, they would not fall within the focus of the committee.” Because the agency captures contact lists “on the fly” as they cross major Internet switches, rather than “at rest” on computer servers, the NSA has no need to notify the U.S. companies that host the information or to ask for help from them. “We have neither knowledge of nor participation in this mass collection of web-mail addresses or chat lists by the government,” said Google spokeswoman Niki Fenwick. At Microsoft, spokeswoman Nicole Miller said the company “does not provide any government with direct or unfettered access to our customers’ data,” adding that “we would have significant concerns if these allegations about government actions are true.” Facebook spokeswoman Jodi Seth said that “we did not know and did not assist” in the NSA’s interception of contact lists. It is unclear why the NSA collects more than twice as many address books from Yahoo than the other big services combined. One possibility is that Yahoo, unlike other service providers, has left connections to its users unencrypted by default. Suzanne Philion, a Yahoo spokeswoman, said Monday in response to an inquiry from The Washington Post that, beginning in January, Yahoo would begin encrypting all its e-mail connections. Google was the first to secure all its e-mail connections, turning on “SSL encryption” globally in 2010. People with inside knowledge said the move was intended in part to thwart large-scale collection of its users’ information by the NSA and other intelligence agencies. The volume of NSA contacts collection is so high that it has occasionally threatened to overwhelm storage repositories, forcing the agency to halt its intake with “emergency detasking” orders. Three NSA documents describe short-term efforts to build an “across-the-board technology throttle for truly heinous data” and longer-term efforts to filter out information that the NSA does not need. Spam has proven to be a significant problem for the NSA — clogging databases with information that holds no foreign intelligence value. The majority of all e-mails, one NSA document says, “are SPAM from ‘fake’ addresses and never ‘delivered’ to targets.” In fall 2011, according to an NSA presentation, the Yahoo account of an Iranian target was “hacked by an unknown actor,” who used it to send spam. The Iranian had “a number of Yahoo groups in his/her contact list, some with many hundreds or thousands of members.” The cascading effects of repeated spam messages, compounded by the automatic addition of the Iranian’s contacts to other people’s address books, led to a massive spike in the volume of traffic collected by the Australian intelligence service on the NSA’s behalf. After nine days of data- bombing, the Iranian’s contact book and contact books for several people within it were “emergency detasked.” In a briefing from the NSA’s Large Access Exploitation working group, that example was used to illustrate the need to narrow the criteria for data interception. It called for a “shifting collection philosophy”: “Memorialize what you need” vs. “Order one of everything off the menu and eat what you want.” Julie Tate contributed to this report. Soltani is an independent security researcher and consultant. From eugen at leitl.org Tue Oct 15 01:28:53 2013 From: eugen at leitl.org (Eugen Leitl) Date: Tue, 15 Oct 2013 10:28:53 +0200 Subject: [Cryptography] /dev/random is not robust Message-ID: <20131015082853.GL10405@leitl.org> ----- Forwarded message from dj at deadhat.com ----- From eugen at leitl.org Tue Oct 15 01:30:54 2013 From: eugen at leitl.org (Eugen Leitl) Date: Tue, 15 Oct 2013 10:30:54 +0200 Subject: [cryptography] /dev/random is not robust Message-ID: <20131015083054.GM10405@leitl.org> ----- Forwarded message from coderman ----- From eugen at leitl.org Tue Oct 15 01:49:41 2013 From: eugen at leitl.org (Eugen Leitl) Date: Tue, 15 Oct 2013 10:49:41 +0200 Subject: [Cryptography] "/dev/random is not robust" Message-ID: <20131015084941.GO10405@leitl.org> ----- Forwarded message from John Gilmore ----- From cathalgarvey at cathalgarvey.me Tue Oct 15 02:54:04 2013 From: cathalgarvey at cathalgarvey.me (Cathal Garvey) Date: Tue, 15 Oct 2013 10:54:04 +0100 Subject: [linux-elitists] Browser fingerprinting In-Reply-To: <1381804027490.ae5de89b@Nodemailer> References: <20131014173022.GA32033@netbook.cypherspace.org> <1381804027490.ae5de89b@Nodemailer> Message-ID: <20131015105404.097eac36@Neptune> > with folks that refuse to run JavaScript Not "JavaScript"; "Unverified, potentially malicious code with a rich history of exploits inside a frame I use to navigate the online world". It wouldn't matter if the code was LISP or Python; the problem isn't the language, it's the context. That said, I do run Javascript, albiet through NoScript. I just wish there were more fine-grained policy restrictions I could place on it, such as "No XmlHttpRequest/Websocket" or "No browser introspection (fonts, boundaries, etc.)", and let webapps that are trying to fingerprint me without my permission just crash and burn. On Mon, 14 Oct 2013 19:27:07 -0700 (PDT) "Al Billings" wrote: > Only if you wish it was "the good old days" but then this is the list > with folks that refuse to run JavaScript and don't understand why > anyone would want to use twitter, as I recall. > > > > > > Al > > > > > On Mon, Oct 14, 2013 at 10:30 AM, Adam Back > > wrote: Well you > should say the web developers regressed since then. > > > Adam -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: not available URL: From cathalgarvey at cathalgarvey.me Tue Oct 15 03:03:41 2013 From: cathalgarvey at cathalgarvey.me (Cathal Garvey) Date: Tue, 15 Oct 2013 11:03:41 +0100 Subject: Bitcoin mining efficiency and Botnets In-Reply-To: <20131015004529.5D989E413@a-pb-sasl-quonix.pobox.com> References: <20131015004529.5D989E413@a-pb-sasl-quonix.pobox.com> Message-ID: <20131015110341.34dff884@Neptune> > careful, but even so, does this mean that Bitcoin miners who want to > make a profit are going to need to dump general-purpose machines in > favor of specialized hardware > such as FPGAs or ASICs? Or is buying a high-end GPU still good > enough? People focus too much on the "profit" miners make, and not the verifiability and anarchism they are supposed to be providing to the bitcoin network. In that regard, arguably the most important, bitcoin has already failed entirely. Of course, bitcoin is a startlingly obvious example of code with politics baked in, and you're seeing the natural play-out of that political philosophy in bitcoin with little artificial interruption; corruption, oligarchy, and the creation of a false market controlled by monopolistic cartels which fluctuates in price only when it is profitable to the cartels for it to do so. Much of this is beyond the control of an algorithm. The wealthy will always be able to out-mine the poor if it's a straight battle of who-buys-more-hardware. However, bitcoin has fallen so quickly because it's created a threshold cut-off for those below a certain income bracket, so that those who are not already reasonably wealthy can now not hope to compete in mining operations. Litecoin was doing better while it was CPU-bound, because the cost of setting up a mining operation on CPUs is more linear; the poor get poor hardware, the rich get rich hardware, but the relationship isn't as exponential as it is with CPU->GPU->FPGA->ASIC. Now that Litecoin's basically GPU only, it's also a little worse than it started, but there's no evidence at this point that it'll go FPGA. However, I do think we need an even Lite-r 'coin, running a hash that won't even scale in GPUs. Keep this to the unit of hardware that's most scalar in quality/price and most accessible to the people who most need to trust a currency; the people spending the greatest proportion of their income in daily life, the middle and lower income fraction. I'm interested in the outcome of the password hashing competition to see if this yields something 'coinable. My ideal hash for a 'coin, unrealistic as it is even in theory, is a hash that practically defines the instruction set and architecture of a prototypical CPU, so that translating it into specialised hardware is either impossible, or merely creates a more efficient CPU, which is better marketed as a CPU than a mining rig. In other words, the state-of-the-art in CPUs is exactly the state-of-the-art in CPUcoin mining. :) -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: not available URL: From eugen at leitl.org Tue Oct 15 02:08:29 2013 From: eugen at leitl.org (Eugen Leitl) Date: Tue, 15 Oct 2013 11:08:29 +0200 Subject: [linux-elitists] Browser fingerprinting In-Reply-To: <1381804027490.ae5de89b@Nodemailer> References: <20131014173022.GA32033@netbook.cypherspace.org> <1381804027490.ae5de89b@Nodemailer> Message-ID: <20131015090829.GQ10405@leitl.org> On Mon, Oct 14, 2013 at 07:27:07PM -0700, Al Billings wrote: > Only if you wish it was "the good old days" but then this is the list with folks The future that never was was built with Lisp machines and NeWS. > that refuse to run JavaScript and don't understand why anyone would want to use twitter, as I recall. Twatr who? From cathalgarvey at cathalgarvey.me Tue Oct 15 03:31:02 2013 From: cathalgarvey at cathalgarvey.me (Cathal Garvey) Date: Tue, 15 Oct 2013 11:31:02 +0100 Subject: Bitcoin mining efficiency and Botnets In-Reply-To: References: <20131015004529.5D989E413@a-pb-sasl-quonix.pobox.com> <20131015110341.34dff884@Neptune> Message-ID: <20131015113102.4f427b39@Neptune> > mining was always intended as a bootstrap, not a means unto itself... Not so; mining is what fixes the history of transactions and protects the integrity of the entire currency. If you can out-mine everyone else, by even a small margin, you can rewrite recent history in bitcoin, selectively permit transactions between other peers, cause general havoc. The reward for mining was the bootstrap, but mining itself is a critical part of what makes bitcoin work. And this part is principally what's broken, because it uses a hardware-optimisible hash. > this is why it is useful to run a bitcoind and contribute to the > network, even if you do not mine. > as for contributing with a CPU or GPU it is simply not worth the > power cost. > buy coins and run nodes; participate in the digital economy! I'll happily use Bitcoin as a medium of exchange in the same way I would any currency. I just think we need to grow up and look at the project critically; has it met its goals? No. Then like good engineers, try again. Bitcoin was supposed to be different: 1) It was supposed to be outside the control of any individual or group. This is obviously failed, as mining pools have actually had to voluntarily stop growing in order to not pass the 50% margin of dominance over the mining pool. 2) It was supposed to be scaleable by individuals to prevent monopoly; the old myth "if anyone looks like they'll become dominant, we'll all fire up mining rigs and stop them!"-> does this look realistic anymore? 3) It was supposed to be a "free market currency" obeying simple supply and demand, but there is evidence of price fixing and market manipulation by those with enough money to pump and dump the currency when it suits them. 4) It was supposed to be untraceable, but for architectural and simple network-analysis reasons, it's not untraceable to a large enough opponent. If you ask me, this is the reason the NSA hasn't just fired up its sha256 brute-forcing rigs to out-mine everyone and destroy the currency. There are areas where bitcoin has succeeded. It's offering a real alternative to credit cards and conventional banking online, and that's great. But the political, architectural and privacy goals are a flop, and the mining pools who control bitcoin at this point won't back the developers if they try to fix the architecture. It's deadlocked; it needs replacing. And, as big and awesome as bitcoin is, nobody should every have expected us to get P2P anarchic crypto-currency right the first time. On Tue, 15 Oct 2013 03:16:55 -0700 coderman wrote: > On Tue, Oct 15, 2013 at 3:03 AM, Cathal Garvey > wrote: > >.... > > People focus too much on the "profit" miners make, and not the > > verifiability and anarchism they are supposed to be providing to the > > bitcoin network. > > this is why it is useful to run a bitcoind and contribute to the > network, even if you do not mine. > > as for contributing with a CPU or GPU it is simply not worth the > power cost. > > buy coins and run nodes; participate in the digital economy! > > > > mining was always intended as a bootstrap, not a means unto itself... -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: not available URL: From liberationtech at njw.me.uk Tue Oct 15 03:36:30 2013 From: liberationtech at njw.me.uk (Nick) Date: Tue, 15 Oct 2013 11:36:30 +0100 Subject: [liberationtech] NSA collects millions of e-mail address books globally Message-ID: <20131015103630.GA3319@starfish> On Tue, Oct 15, 2013 at 11:49:46AM +0200, Moritz Bartl wrote: > A self-hosted mail provider will obviously *not* help much against NSAs > mass collection of emails and email addresses. Don't sell it as a > "solution" in this context. Well the article seems to be talking about "address books", as opposed to just harvesting email addresses without context. The same thing could be (and is being) done through metadata capture too, but if I read the article correctly, the direct address book pillaging (which may have extra useful metadata on contact networks compared to collecting email headers over time) is something that using any (secure) self-hosted provider (or local client) would defeat. But as to your general point, I agree that hijacking every thread with adverts for a project is certainly not an activity that is OK, and is not the sort of behaviour that fills me with confidence about said project. -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu. ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From Adi Tue Oct 15 12:16:28 2013 From: Adi (Adi) Date: October 15, 2013 12:16:28 AM EDT Subject: A personal apology Message-ID: The purpose of this email is to explain why I will not be able to attend the forthcoming meeting of the History of Cryptology conference, even though I submitted a paper which was formally accepted. As an active participant in the exciting developments in academic cryptography in the last 35 years, I thought that it would be a wonderful opportunity to meet all of you, but unfortunately the US bureaucracy has made this impossible. The story is too long to describe in detail, so I will only provide its main highlights here. I planned to visit the US for several months, in order to attend the Crypto 2013 conference, the History of Cryptology conference, and to visit several universities and research institutes in between in order to meet colleagues and give scientific lectures. To do all of these, I needed a new J1 visa, and I filed the visa application at the beginning of June, two and a half months before my planned departure to the Crypto conference in mid August. I applied so early since it was really important for me to attend the Crypto conference – I was one of the founders of this flagship annual academic event (I actually gave the opening talk in the first session of the first meeting of this conference in 1981) and I did my best to attend all its meetings in the last 32 years. To make a long story short, after applying some pressure and pulling a lot of strings, I finally got the visa stamped in my passport on September 30-th, exactly four months after filing my application, and way beyond the requested start date of my visit. I was lucky in some sense, since on the next day the US government went into shutdown, and I have no idea how this could have affected my case. Needless to say, the long uncertainty had put all my travel plans (flights, accomodations, lecture commitments, etc) into total disarray. It turns out that I am not alone, and many foreign scientists are now facing the same situation. Here is what the president of the Weizmann Institute of Science (where I work in Israel) wrote in July 2013 to the US Ambassador in Israel: “I’m allowing myself to write you again, on the same topic, and related to the major difficulties the scientists of the Weizmann Institute of Science are experiencing in order to get Visa to the US. In my humble opinion, we are heading toward a disaster, and I have heard many people, among them our top scientists, saying that they are not willing anymore to visit the US, and collaborate with American scientists, because of the difficulties. It is clear that scientists have been singled out, since I hear that other ‘simple citizen’, do get their visa in a short time.” Even the president of the US National Academy of Science (of which I am a member) tried to intervene, without results. He was very sympathetic, writing to me at some stage: “Dear Professor Shamir I have been hoping, day by day, that your visa had come through. It is very disappointing to receive your latest report. We continue to try by seeking extra attention from the U. S. Department of State, which has the sole authority in these matters. As you know, the officers of the Department of State in embassies around the world also have much authority. I am personally very sympathetic and hopeful that your efforts and patience will still yield results but also realize that this episode has been very trying. We hope to hear of a last-minute success. Yours sincerely, Ralph J. Cicerone” What does all of this have to do with the History of Cryptology conference? In January 2013 I submitted a paper titled “The Cryptology of John Nash From a Modern Perspective” to the conference, and a short time afterwards I was told by the organizers that it was accepted. In July 2013 I told the NSA-affiliated conference organizers that I was having some problems in getting my visa, and gently asked whether they could do something about it. Always eager to help, the NSA people leaped into action, and immediately sent me a short email written with a lot of tact: “The trouble you are having is regrettable…Sorry you won’t be able to come to our conference. We have submitted our program and did not include you on it.” I must admit that in my 35 years of attending many conferences, it had never happened to me that an accepted paper of mine was yanked out from the official program in such a unilateral way. However, since I never try to go to places where I do not feel wanted, I decided to inform MIT that a window had become available in my busy schedule. They immediately invited me to visit them on October 17 and 18, and to give a major lecture during my visit. Naturally, I accepted their gracious invitation. The final twist in this saga happened a few days ago, when out of the blue I was suddenly reinvited by the conference organizers to attend the event and to present my paper. However, this is too late now, since I am already fully committed to my visit to MIT. So what is the bottom line of this whole unhappy episode? Clearly, no one in the US is trying to see the big picture, and the heavy handed visa bureaucracy you have created seems to be collapsing under its own weight. This is not a security issue – I have been to the US close to a hundred times so far (including some multi-year visits), and had never overstayed my visas. In addition, the number of terrorists among the members of the US National Academy of Science is rather small. As a friend of the US I am deeply worried that if you continue to delay visas in such a way, the only thing you will achieve is to alienate many world-famous foreign scientists, forcing them to increase their cooperation with European or Chinese scientists whose countries roll the red carpet for such visits. Is this really in the US best interest? Best personal wishes, and apologies for not being able to meet you in person, Adi Shamir From eugen at leitl.org Tue Oct 15 03:36:32 2013 From: eugen at leitl.org (Eugen Leitl) Date: Tue, 15 Oct 2013 12:36:32 +0200 Subject: [liberationtech] NSA collects millions of e-mail address books globally Message-ID: <20131015103632.GB10405@leitl.org> ----- Forwarded message from Nick ----- From rrb at acm.org Tue Oct 15 09:44:07 2013 From: rrb at acm.org (Richard Brooks) Date: Tue, 15 Oct 2013 12:44:07 -0400 Subject: [liberationtech] NSA must be best informed entity regarding viagra market Message-ID: <525D70D7.90501@acm.org> Since most email is spam, how productive is the NSA dragnet? http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/15/the-nsas-giant-utah-data-center-will-probably-hold-a-bunch-of-spam/?wpisrc=nl_tech -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu. ----- End forwarded message ----- -- Eugen* Leitl leitl http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5 From guido at witmond.nl Tue Oct 15 03:53:04 2013 From: guido at witmond.nl (Guido Witmond) Date: Tue, 15 Oct 2013 12:53:04 +0200 Subject: Sunny future. Was: Bitcoin mining efficiency and Botnets In-Reply-To: <20131015110341.34dff884@Neptune> References: <20131015004529.5D989E413@a-pb-sasl-quonix.pobox.com> <20131015110341.34dff884@Neptune> Message-ID: <525D1E90.7000404@witmond.nl> On 10/15/13 12:03, Cathal Garvey wrote: > People focus too much on the "profit" miners make, and not the > verifiability and anarchism they are supposed to be providing to the > bitcoin network. In that regard, arguably the most important, bitcoin > has already failed entirely. > > Of course, bitcoin is a startlingly obvious example of code with > politics baked in, and you're seeing the natural play-out of that > political philosophy in bitcoin with little artificial interruption; > corruption, oligarchy, and the creation of a false market controlled by > monopolistic cartels which fluctuates in price only when it is > profitable to the cartels for it to do so. I don't see it so bleak. I think the politics are playing out perfectly. With cheap ASICS flooding the market, these come in the reach of ordinary people who can run one on a second hand solar panel during the day. Don't bother wasting expensive electricity on it. With millions of people running these, the influence of the cartels diminishes. And I have a (small) chance of winning the jackpot with the payment fees too. Heck, I bet you can get rich selling kits with a solar panel and a ASIC-miner. Cheers, Guido. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 897 bytes Desc: OpenPGP digital signature URL: From l at odewijk.nl Tue Oct 15 04:06:21 2013 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Tue, 15 Oct 2013 13:06:21 +0200 Subject: Sunny future. Was: Bitcoin mining efficiency and Botnets In-Reply-To: <525D1E90.7000404@witmond.nl> References: <20131015004529.5D989E413@a-pb-sasl-quonix.pobox.com> <20131015110341.34dff884@Neptune> <525D1E90.7000404@witmond.nl> Message-ID: 2013/10/15 Guido Witmond > I think the politics are playing out perfectly. With cheap ASICS > flooding the market, these come in the reach of ordinary people who can > run one on a second hand solar panel during the day. Don't bother > wasting expensive electricity on it. > Solar panel energy is very expensive in most countries (those that aren't especially sunny) > With millions of people running these, the influence of the cartels > diminishes. And I have a (small) chance of winning the jackpot with the > payment fees too. > Cartels (or just "the wealthy") have more money to spend on whatever there is to be bought. So it was when Bitcoin were cheap, so it is while ASICS get cheaper, so it will be for the time to come. > Heck, I bet you can get rich selling kits with a solar panel and a > ASIC-miner. > That might be true. But many people with startups consider their startup to be the product, to be sold to a big company later on. The world simply is quite bleak. Bitcoin however dodges the bleakness by being a product without judgement on color. It simply is what it is. It tolerates a few employing the rest of humanity as slaves, but also doesn't allow the few to dominate their ability to have free money exchanges. Although it doesn't save the many foolish people, it reserves them the ability to save themselves later. That might be the best we can do right now. Maybe, if we believe the many will stay foolish no matter the incentive, then it is the best we can ever do. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2414 bytes Desc: not available URL: From l at odewijk.nl Tue Oct 15 04:08:39 2013 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Tue, 15 Oct 2013 13:08:39 +0200 Subject: clarification re: [20] In-Reply-To: References: Message-ID: 2013/10/15 brian carroll > not sure unicode-8 will render various signage, thus attachment included... Works perfectly for me. UTF-8 is supposed to do this sort of stuff, and does so wonderfully. More important question is: can you pronounce them all? And if you cannot pronounce truth, what other ways can you not perceive or produce it. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 736 bytes Desc: not available URL: From guido at witmond.nl Tue Oct 15 04:12:23 2013 From: guido at witmond.nl (Guido Witmond) Date: Tue, 15 Oct 2013 13:12:23 +0200 Subject: Bitcoin mining efficiency and Botnets In-Reply-To: References: <20131015004529.5D989E413@a-pb-sasl-quonix.pobox.com> <20131015110341.34dff884@Neptune> <20131015113102.4f427b39@Neptune> Message-ID: <525D2317.8050500@witmond.nl> On 10/15/13 12:45, coderman wrote: > > in some few score years there will be zero coins rewarded for mining > blocks - the financial incentive, for what it is currently, merely a > transient part of the bootstrap. > https://en.bitcoin.it/wiki/FAQ#If_no_more_coins_are_going_to_be_generated.2C_will_more_blocks_be_created.3F There will always be the reward of the payment fees for 'mining' the next block. So there will be an incentive to run a 'miner'. And when bitcoin usage grows to the cash flow of a medium sized country, the payout will be better than that of a state lottery. And your lottery ticket is a one time purchase. Guido. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 897 bytes Desc: OpenPGP digital signature URL: From l at odewijk.nl Tue Oct 15 04:13:27 2013 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Tue, 15 Oct 2013 13:13:27 +0200 Subject: Bitcoin mining efficiency and Botnets In-Reply-To: <20131015110341.34dff884@Neptune> References: <20131015004529.5D989E413@a-pb-sasl-quonix.pobox.com> <20131015110341.34dff884@Neptune> Message-ID: 2013/10/15 Cathal Garvey > People focus too much on the "profit" miners make, and not the > verifiability and anarchism they are supposed to be providing to the > bitcoin network. In that regard, arguably the most important, bitcoin > has already failed entirely. > This was by design. Reg. CPU coin: it gives intense advantages to botnet owners and doesn't require people to be heavily vested into Bitcoin. It would also allow web companies to fix their server's low CPU occupancy. I'm not sure you'd achieve anything you'd like to achieve. The CPU algorithm itself is most troublesome. Remember it must also have no parallel equivalent, and stand the torn of time turning present day CPUs into next day GPU cores. (See also: Bulldozer) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1316 bytes Desc: not available URL: From cathalgarvey at cathalgarvey.me Tue Oct 15 05:16:21 2013 From: cathalgarvey at cathalgarvey.me (Cathal Garvey) Date: Tue, 15 Oct 2013 13:16:21 +0100 Subject: [linux-elitists] Browser fingerprinting In-Reply-To: <525D2C52.1020801@echeque.com> References: <20131014173022.GA32033@netbook.cypherspace.org> <1381804027490.ae5de89b@Nodemailer> <20131015105404.097eac36@Neptune> <525D2C52.1020801@echeque.com> Message-ID: <20131015131621.005755a8@Neptune> > Javascript can be controlled by being recompiled into the Caja subset > of javascript. I've been thinking along these lines, all right. So what functions of Javascript are nonessential to the concept of a "rich webapp" but useful for abuse and fingerprinting? If you could strip JS down to a set of awesome functions that reduce the abuse potential, what stuff would you strip out? A lot of the nasty stuff isn't even JS engine stuff, it's DOM stuff from the browser being made available to JS, so it's not entirely linguistic. A lot of it's bad API, probably much harder to fix. Still, reduced-set JS, with an in-browser standard for verifying signed JS code, would be great. I'm often boggled when I think this over that RMS forgot to include code signing in his suggestion for how to markup non-trivial JS with source code and license text; I figured "code verification" would be a crucial part of the Free Software philosophy when it comes to drive-by code. Another crucial change I'd like to see: immutable javascript. When including a script with the