From coderman at gmail.com Fri Aug 1 00:20:18 2014
From: coderman at gmail.com (coderman)
Date: Fri, 1 Aug 2014 00:20:18 -0700
Subject: Encrypt iPhone calls app
In-Reply-To: <20140801032626.GB26171@9ac286446c9be08c809eca57f261c57c5d28508f92702bc3>
References: <44151506-A170-4DE3-AC88-02E54384CEEA@gmail.com> <20140801032626.GB26171@9ac286446c9be08c809eca57f261c57c5d28508f92702bc3>
Message-ID:

On Thu, Jul 31, 2014 at 8:26 PM, David Hill wrote:
>....
> You cannot secure cellphones.

but you *can* put eve out of business, and make mallory's work harder.
(extra credit for pushing mallory to burglary ;)

best regards,

From coderman at gmail.com Fri Aug 1 07:46:42 2014
From: coderman at gmail.com (coderman)
Date: Fri, 1 Aug 2014 07:46:42 -0700
Subject: Encrypt iPhone calls app
In-Reply-To: <20140801093402.GL6799@ctrlc.hu>
References: <44151506-A170-4DE3-AC88-02E54384CEEA@gmail.com> <20140801032626.GB26171@9ac286446c9be08c809eca57f261c57c5d28508f92702bc3> <53DB4795.7040909@echeque.com> <20140801093402.GL6799@ctrlc.hu>
Message-ID:

On Fri, Aug 1, 2014 at 2:34 AM, stef wrote:
> ...
> so is your statement consistent with: http://www.zdziarski.com/blog/?p=3441

mobile is in bad shape,
- http://labs.bromium.com/2014/07/31/remote-code-execution-on-android-devices/
- http://www.wired.com/2014/07/hackers-can-control-your-phone-using-a-tool-thats-already-built-into-it/

if anything ever needed giant sandboxes it is mobile, yet expediency trumps and my yearning for seL4 VT-d ARMs pines ever onward...

the most effective, persistent, stealthy mobile attacks do leverage IS-* arcana, so perhaps that alone deserving of "very powerful adversary".
(a sick fuck reads IS-3, IS-91, IS-54, IS-136, IS-856, IS-2000, E-UTRA)

best regards,

From coderman at gmail.com Fri Aug 1 08:49:28 2014
From: coderman at gmail.com (coderman)
Date: Fri, 1 Aug 2014 08:49:28 -0700
Subject: Fwd: [tor-talk] Tor-ramdisk 20140801 released
In-Reply-To: <53DBB16D.4020108@opensource.dyc.edu>
References: <53DBB16D.4020108@opensource.dyc.edu>
Message-ID:

---------- Forwarded message ----------
From: Anthony G. Basile
Date: Fri, Aug 1, 2014 at 8:25 AM
Subject: [tor-talk] Tor-ramdisk 20140801 released

Hi everyone

I want to announce to the list that a new release of tor-ramdisk is out. Tor-ramdisk is an i686 or x86_64 uClibc-based micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security and privacy. Security is enhanced by hardening the kernel and binaries, and privacy is enhanced by forcing logging to be off at all levels so that even the Tor operator only has access to minimal information. Finally, since everything runs in ephemeral memory, no information survives a reboot, except for the Tor configuration file and the private RSA key, which may be exported/imported by FTP or SCP.

Changelog: tor was updated to 0.2.4.23 which addresses CVE-2014-5117. The kernel was updated to 3.15.7+ Gentoo's hardened-patches-3.15.7-1.extras. All other packages are the same as the previous release. It is recommended that users upgrade immediately. For more information see https://lists.torproject.org/pipermail/tor-announce/2014-July/000094.html.

i686:
Homepage: http://opensource.dyc.edu/tor-ramdisk
Download: http://opensource.dyc.edu/tor-ramdisk-downloads

x86_64:
Homepage: http://opensource.dyc.edu/tor-x86_64-ramdisk
Download: http://opensource.dyc.edu/tor-x86_64-ramdisk-downloads

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197

From s at ctrlc.hu Fri Aug 1 02:34:03 2014
From: s at ctrlc.hu (stef)
Date: Fri, 1 Aug 2014 11:34:03 +0200
Subject: Encrypt iPhone calls app
In-Reply-To: <53DB4795.7040909@echeque.com>
References: <44151506-A170-4DE3-AC88-02E54384CEEA@gmail.com> <20140801032626.GB26171@9ac286446c9be08c809eca57f261c57c5d28508f92702bc3> <53DB4795.7040909@echeque.com>
Message-ID: <20140801093402.GL6799@ctrlc.hu>

On Fri, Aug 01, 2014 at 05:53:57PM +1000, James A. Donald wrote:
> An attack on cellphones, rather than communications between cellphones would
> be an active attack by a very powerful adversary. They are not going to
> actively attack everyone, or even very many people.

so is your statement consistent with: http://www.zdziarski.com/blog/?p=3441

--
otr fp: https://www.ctrlc.hu/~stef/otr.txt

From jamesd at echeque.com Fri Aug 1 00:53:57 2014
From: jamesd at echeque.com (James A. Donald)
Date: Fri, 01 Aug 2014 17:53:57 +1000
Subject: Encrypt iPhone calls app
In-Reply-To: <20140801032626.GB26171@9ac286446c9be08c809eca57f261c57c5d28508f92702bc3>
References: <44151506-A170-4DE3-AC88-02E54384CEEA@gmail.com> <20140801032626.GB26171@9ac286446c9be08c809eca57f261c57c5d28508f92702bc3>
Message-ID: <53DB4795.7040909@echeque.com>

> On Thu, Jul 31, 2014 at 09:40:50PM -0400, Henry Rivera wrote:
>> Can someone please give me your appraisal of Signal. I'm not noticing the red flags that we see all too often in such sales pitches.
>>
>> https://whispersystems.org/blog/signal/?t=dXNlcmlkPTU1MjE5NjEwLGVtYWlsaWQ9ODkxOQ==

On 2014-08-01 13:26, David Hill wrote:
> You cannot secure cellphones.

An attack on cellphones, rather than communications between cellphones would be an active attack by a very powerful adversary. They are not going to actively attack everyone, or even very many people.
From hozer at hozed.org Fri Aug 1 16:29:34 2014
From: hozer at hozed.org (Troy Benjegerdes)
Date: Fri, 1 Aug 2014 18:29:34 -0500
Subject: Russia want completely ban Bitcoin and other cryptocurrencies
In-Reply-To: <53DBF44F.2070905@openmailbox.org>
References: <53DBF44F.2070905@openmailbox.org>
Message-ID: <20140801232934.GN22640@nl.grid.coop>

On Fri, Aug 01, 2014 at 08:10:55PM +0000, Anton Nesterov wrote:
> Ministry of Finance of Russia drafted a bill to ban cryptocurrencies
> with administrative or criminal penalty for mining and other operation.
> Also they want to censor bitcoin-related websites.
>
> This will come into force in 2015.
>
> http://top.rbc.ru/economics/01/08/2014/940521.shtml (in Russian)

I don't know anything about russian politics, but US politicians draft idiotic rules/legislation all the time that get dramatically changed.

(exhibit a: http://blogs.wsj.com/moneybeat/2014/07/17/ny-financial-regulator-releases-draft-of-bitlicense-for-bitcoin-businesses/ )

If Russia wishes to exclude themselves from the world economy, that is their choice, but I suspect their oligarchs will still want to hide money in New York
http://nymag.com/news/features/foreigners-hiding-money-new-york-real-estate-2014-6/
and they'll have to get a Bitlicense to properly launder the transaction.

My prediction is that Bitlicense will evolve into being the much vaunted 'anonymous digital cash', and you'll just need to pay the proper protection fee to the state of New York or they will get a bank to hold your funds for ransom like they are doing to Argentina's on-time debt payments.

I also fully expect other states and nations will get into the licensed cryptocoin protection racket in ways that reflect their local culture and values.

Don't mess with flyover land if you want to get insurance.
http://www.desmoinesregister.com/story/tech/2014/05/16/des-moines-area-insurers-create-startups-haven-technology-iowa-innovation/9160921/

From komachi at openmailbox.org Fri Aug 1 13:10:55 2014
From: komachi at openmailbox.org (Anton Nesterov)
Date: Fri, 01 Aug 2014 20:10:55 +0000
Subject: Russia want completely ban Bitcoin and other cryptocurrencies
Message-ID: <53DBF44F.2070905@openmailbox.org>

Ministry of Finance of Russia drafted a bill to ban cryptocurrencies with administrative or criminal penalty for mining and other operation. Also they want to censor bitcoin-related websites.

This will come into force in 2015.

http://top.rbc.ru/economics/01/08/2014/940521.shtml (in Russian)

From fnpaladini at gmail.com Sat Aug 2 08:11:09 2014
From: fnpaladini at gmail.com (Fernando Paladini)
Date: Sat, 2 Aug 2014 12:11:09 -0300
Subject: Russia want completely ban Bitcoin and other cryptocurrencies
In-Reply-To: <20140801232934.GN22640@nl.grid.coop>
References: <53DBF44F.2070905@openmailbox.org> <20140801232934.GN22640@nl.grid.coop>
Message-ID:

But when they say "criminal penalty for mining and other operation", what they mean? I say, how can Russia know who are using Bitcoin, how can Russia know who are trading or mining Bitcoin?

I think this image can describe the idea I want pass:
http://news.insidebitcoins.com/sites/default/files/government-banning-bitcoin.jpg
Am I wrong about that?

I miss the Soviet Union, at least they respected the personal and social freedom (but, yes, I know Stalin was a lunatic).

2014-08-01 20:29 GMT-03:00 Troy Benjegerdes :

> On Fri, Aug 01, 2014 at 08:10:55PM +0000, Anton Nesterov wrote:
> > Ministry of Finance of Russia drafted a bill to ban cryptocurrencies
> > with administrative or criminal penalty for mining and other operation.
> > Also they want to censor bitcoin-related websites.
> >
> > This will come into force in 2015.
> >
> > http://top.rbc.ru/economics/01/08/2014/940521.shtml (in Russian)
>
> I don't know anything about russian politics, but US politicians draft
> idiotic rules/legislation all the time that get dramatically changed.
>
> (exhibit a:
>
> http://blogs.wsj.com/moneybeat/2014/07/17/ny-financial-regulator-releases-draft-of-bitlicense-for-bitcoin-businesses/
> )
>
> If Russia wishes to exclude themselves from the world economy, that is
> their
> choice, but I suspect their oligarchs will still want to hide money in New
> York
>
> http://nymag.com/news/features/foreigners-hiding-money-new-york-real-estate-2014-6/
> and they'll have to get a Bitlicense to properly launder the transaction.
>
> My prediction is that Bitlicense will evolve into being the much vaunted
> 'anonymous digital cash', and you'll just need to pay the proper
> protection fee
> to the state of New York or they will get a bank to hold your funds for
> ransom
> like they are doing to Argentina's on-time debt payments.
>
> I also fully expect other states and nations will get into the licensed
> cryptocoin
> protection racket in ways that reflect their local culture and values.
>
> Don't mess with flyover land if you want to get insurance.
>
> http://www.desmoinesregister.com/story/tech/2014/05/16/des-moines-area-insurers-create-startups-haven-technology-iowa-innovation/9160921/
>

--
Fernando Paladini
From fnpaladini at gmail.com Sat Aug 2 10:28:37 2014
From: fnpaladini at gmail.com (Fernando Paladini)
Date: Sat, 2 Aug 2014 14:28:37 -0300
Subject: Fwd: Russia want completely ban Bitcoin and other cryptocurrencies
In-Reply-To:
References: <53DBF44F.2070905@openmailbox.org> <20140801232934.GN22640@nl.grid.coop>
Message-ID:

It's a joke, keep calm :P

---------- Forwarded message ----------
From: Paweł Zegartowski
Date: 2014-08-02 12:42 GMT-03:00
Subject: Re: Russia want completely ban Bitcoin and other cryptocurrencies
To: Fernando Paladini
Cc: cpunks

"I miss the Soviet Union, at least they respected the personal and social freedom (but, yes, I know Stalin was a lunatic). "

I hope you don't really believe that.

On 2 August 2014 17:11, Fernando Paladini wrote:

> But when they say "criminal penalty for mining and other operation", what
> they mean? I say, how can Russia know who are using Bitcoin, how can Russia
> know who are trading or mining Bitcoin?
>
> I think this image can describe the idea I want pass:
> http://news.insidebitcoins.com/sites/default/files/government-banning-bitcoin.jpg
> Am I wrong about that?
>
> I miss the Soviet Union, at least they respected the personal and social
> freedom (but, yes, I know Stalin was a lunatic).
>
>
> 2014-08-01 20:29 GMT-03:00 Troy Benjegerdes :
>
> On Fri, Aug 01, 2014 at 08:10:55PM +0000, Anton Nesterov wrote:
>> > Ministry of Finance of Russia drafted a bill to ban cryptocurrencies
>> > with administrative or criminal penalty for mining and other operation.
>> > Also they want to censor bitcoin-related websites.
>> >
>> > This will come into force in 2015.
>> >
>> > http://top.rbc.ru/economics/01/08/2014/940521.shtml (in Russian)
>>
>> I don't know anything about russian politics, but US politicians draft
>> idiotic rules/legislation all the time that get dramatically changed.
>>
>> (exhibit a:
>>
>> http://blogs.wsj.com/moneybeat/2014/07/17/ny-financial-regulator-releases-draft-of-bitlicense-for-bitcoin-businesses/
>> )
>>
>> If Russia wishes to exclude themselves from the world economy, that is
>> their
>> choice, but I suspect their oligarchs will still want to hide money in
>> New York
>>
>> http://nymag.com/news/features/foreigners-hiding-money-new-york-real-estate-2014-6/
>> and they'll have to get a Bitlicense to properly launder the transaction.
>>
>> My prediction is that Bitlicense will evolve into being the much vaunted
>> 'anonymous digital cash', and you'll just need to pay the proper
>> protection fee
>> to the state of New York or they will get a bank to hold your funds for
>> ransom
>> like they are doing to Argentina's on-time debt payments.
>>
>> I also fully expect other states and nations will get into the licensed
>> cryptocoin
>> protection racket in ways that reflect their local culture and values.
>>
>> Don't mess with flyover land if you want to get insurance.
>>
>> http://www.desmoinesregister.com/story/tech/2014/05/16/des-moines-area-insurers-create-startups-haven-technology-iowa-innovation/9160921/
>>
>
>
>
> --
> Fernando Paladini
>

--
Pozdrawiam,
Paweł Zegartowski

--
Fernando Paladini

From pzegar at gmail.com Sat Aug 2 08:42:10 2014
From: pzegar at gmail.com (Paweł Zegartowski)
Date: Sat, 2 Aug 2014 17:42:10 +0200
Subject: Russia want completely ban Bitcoin and other cryptocurrencies
In-Reply-To:
References: <53DBF44F.2070905@openmailbox.org> <20140801232934.GN22640@nl.grid.coop>
Message-ID:

"I miss the Soviet Union, at least they respected the personal and social freedom (but, yes, I know Stalin was a lunatic). "

I hope you don't really believe that.
On 2 August 2014 17:11, Fernando Paladini wrote:

> But when they say "criminal penalty for mining and other operation", what
> they mean? I say, how can Russia know who are using Bitcoin, how can Russia
> know who are trading or mining Bitcoin?
>
> I think this image can describe the idea I want pass:
> http://news.insidebitcoins.com/sites/default/files/government-banning-bitcoin.jpg
> Am I wrong about that?
>
> I miss the Soviet Union, at least they respected the personal and social
> freedom (but, yes, I know Stalin was a lunatic).
>
>
> 2014-08-01 20:29 GMT-03:00 Troy Benjegerdes :
>
> On Fri, Aug 01, 2014 at 08:10:55PM +0000, Anton Nesterov wrote:
>> > Ministry of Finance of Russia drafted a bill to ban cryptocurrencies
>> > with administrative or criminal penalty for mining and other operation.
>> > Also they want to censor bitcoin-related websites.
>> >
>> > This will come into force in 2015.
>> >
>> > http://top.rbc.ru/economics/01/08/2014/940521.shtml (in Russian)
>>
>> I don't know anything about russian politics, but US politicians draft
>> idiotic rules/legislation all the time that get dramatically changed.
>>
>> (exhibit a:
>>
>> http://blogs.wsj.com/moneybeat/2014/07/17/ny-financial-regulator-releases-draft-of-bitlicense-for-bitcoin-businesses/
>> )
>>
>> If Russia wishes to exclude themselves from the world economy, that is
>> their
>> choice, but I suspect their oligarchs will still want to hide money in
>> New York
>>
>> http://nymag.com/news/features/foreigners-hiding-money-new-york-real-estate-2014-6/
>> and they'll have to get a Bitlicense to properly launder the transaction.
>>
>> My prediction is that Bitlicense will evolve into being the much vaunted
>> 'anonymous digital cash', and you'll just need to pay the proper
>> protection fee
>> to the state of New York or they will get a bank to hold your funds for
>> ransom
>> like they are doing to Argentina's on-time debt payments.
>>
>> I also fully expect other states and nations will get into the licensed
>> cryptocoin
>> protection racket in ways that reflect their local culture and values.
>>
>> Don't mess with flyover land if you want to get insurance.
>>
>> http://www.desmoinesregister.com/story/tech/2014/05/16/des-moines-area-insurers-create-startups-haven-technology-iowa-innovation/9160921/
>>
>
>
>
> --
> Fernando Paladini
>

--
Pozdrawiam,
Paweł Zegartowski

From l at odewijk.nl Sat Aug 2 10:47:39 2014
From: l at odewijk.nl (Lodewijk andré de la porte)
Date: Sat, 2 Aug 2014 19:47:39 +0200
Subject: Russia want completely ban Bitcoin and other cryptocurrencies
In-Reply-To:
References: <53DBF44F.2070905@openmailbox.org> <20140801232934.GN22640@nl.grid.coop>
Message-ID:

2014-08-02 19:28 GMT+02:00 Fernando Paladini :

> It's a joke, keep calm :P
>

What if they actually did give that respect, but it's all been propaganda'ed into oblivion?
From pzegar at gmail.com Sat Aug 2 10:49:46 2014
From: pzegar at gmail.com (Paweł Zegartowski)
Date: Sat, 2 Aug 2014 19:49:46 +0200
Subject: Russia want completely ban Bitcoin and other cryptocurrencies
In-Reply-To:
References: <53DBF44F.2070905@openmailbox.org> <20140801232934.GN22640@nl.grid.coop>
Message-ID:

Well I'm calm...at least I'm not the Ukrainian fortunately :P

On 2 August 2014 19:28, Fernando Paladini wrote:

> It's a joke, keep calm :P
>
> ---------- Forwarded message ----------
> From: Paweł Zegartowski
> Date: 2014-08-02 12:42 GMT-03:00
> Subject: Re: Russia want completely ban Bitcoin and other cryptocurrencies
> To: Fernando Paladini
> Cc: cpunks
>
>
> "I miss the Soviet Union, at least they respected the personal and social
> freedom (but, yes, I know Stalin was a lunatic). "
>
> I hope you don't really believe that.
>
>
> On 2 August 2014 17:11, Fernando Paladini wrote:
>
>> But when they say "criminal penalty for mining and other operation", what
>> they mean? I say, how can Russia know who are using Bitcoin, how can Russia
>> know who are trading or mining Bitcoin?
>>
>> I think this image can describe the idea I want pass:
>> http://news.insidebitcoins.com/sites/default/files/government-banning-bitcoin.jpg
>> Am I wrong about that?
>>
>> I miss the Soviet Union, at least they respected the personal and social
>> freedom (but, yes, I know Stalin was a lunatic).
>>
>>
>> 2014-08-01 20:29 GMT-03:00 Troy Benjegerdes :
>>
>> On Fri, Aug 01, 2014 at 08:10:55PM +0000, Anton Nesterov wrote:
>>> > Ministry of Finance of Russia drafted a bill to ban cryptocurrencies
>>> > with administrative or criminal penalty for mining and other operation.
>>> > Also they want to censor bitcoin-related websites.
>>> >
>>> > This will come into force in 2015.
>>> >
>>> > http://top.rbc.ru/economics/01/08/2014/940521.shtml (in Russian)
>>>
>>> I don't know anything about russian politics, but US politicians draft
>>> idiotic rules/legislation all the time that get dramatically changed.
>>>
>>> (exhibit a:
>>>
>>> http://blogs.wsj.com/moneybeat/2014/07/17/ny-financial-regulator-releases-draft-of-bitlicense-for-bitcoin-businesses/
>>> )
>>>
>>> If Russia wishes to exclude themselves from the world economy, that is
>>> their
>>> choice, but I suspect their oligarchs will still want to hide money in
>>> New York
>>>
>>> http://nymag.com/news/features/foreigners-hiding-money-new-york-real-estate-2014-6/
>>> and they'll have to get a Bitlicense to properly launder the transaction.
>>>
>>> My prediction is that Bitlicense will evolve into being the much vaunted
>>> 'anonymous digital cash', and you'll just need to pay the proper
>>> protection fee
>>> to the state of New York or they will get a bank to hold your funds for
>>> ransom
>>> like they are doing to Argentina's on-time debt payments.
>>>
>>> I also fully expect other states and nations will get into the licensed
>>> cryptocoin
>>> protection racket in ways that reflect their local culture and values.
>>>
>>> Don't mess with flyover land if you want to get insurance.
>>>
>>> http://www.desmoinesregister.com/story/tech/2014/05/16/des-moines-area-insurers-create-startups-haven-technology-iowa-innovation/9160921/
>>>
>>
>>
>>
>> --
>> Fernando Paladini
>>
>
>
>
> --
> Pozdrawiam,
> Paweł Zegartowski
>
>
>
> --
> Fernando Paladini
>

--
Pozdrawiam,
Paweł Zegartowski
From pzegar at gmail.com Sat Aug 2 11:05:57 2014
From: pzegar at gmail.com (Paweł Zegartowski)
Date: Sat, 2 Aug 2014 20:05:57 +0200
Subject: Russia want completely ban Bitcoin and other cryptocurrencies
In-Reply-To:
References: <53DBF44F.2070905@openmailbox.org> <20140801232934.GN22640@nl.grid.coop>
Message-ID:

Well, we still do have museums like Belarus / North Korea, I would recommend a one-year survival there ;-)

On 2 August 2014 19:47, Lodewijk andré de la porte wrote:

> 2014-08-02 19:28 GMT+02:00 Fernando Paladini :
>
> It's a joke, keep calm :P
>>
>
> What if they actually did give that respect, but it's all been
> propaganda'ed into oblivion?
>

--
Pozdrawiam,
Paweł Zegartowski

From hozer at hozed.org Sun Aug 3 00:14:21 2014
From: hozer at hozed.org (Troy Benjegerdes)
Date: Sun, 3 Aug 2014 02:14:21 -0500
Subject: Russia want completely ban Bitcoin and other cryptocurrencies
In-Reply-To:
References: <53DBF44F.2070905@openmailbox.org> <20140801232934.GN22640@nl.grid.coop>
Message-ID: <20140803071421.GS22640@nl.grid.coop>

On Sat, Aug 02, 2014 at 07:47:39PM +0200, Lodewijk andré de la porte wrote:
> 2014-08-02 19:28 GMT+02:00 Fernando Paladini :
>
> > It's a joke, keep calm :P
> >
>
> What if they actually did give that respect, but it's all been
> propaganda'ed into oblivion?

The Soviets had some damned good engineers and scientists, and their designs (soyuz) are still flying. The space program of the leader of the free world keeps giving more money to defense contractors. Now tell me again who won the space race? War is peace, freedom is slavery, and Karl Marx was right about from each according to his ability, to each according to his need. This is proven by the market penetration of the GPLv2 linux kernel.
Capitalists need high quality software, and they cannot afford the capital to own something that actually works. I do not expect copyright will get any weaker until long after a viral copyright cryptocurrency has proven more reliable and stable than any fiat or other currency that can be co-opted like the BSD/MIT licensed Satoshi Bitcoin client.

From coderman at gmail.com Sun Aug 3 03:49:00 2014
From: coderman at gmail.com (coderman)
Date: Sun, 3 Aug 2014 03:49:00 -0700
Subject: Fwd: Preferred Roaming List Zero Intercept Attack [was: DEF CON nostalgia [before that: going double cryptome at DEF CON 22]][still confusing]
In-Reply-To:
References:
Message-ID:

---------- Forwarded message ----------
From: coderman
Date: Sun, Aug 3, 2014 at 3:47 AM
Subject: Re: Preferred Roaming List Zero Intercept Attack [was: DEF CON nostalgia [before that: going double cryptome at DEF CON 22]][still confusing]
To: Full Disclosure

On Fri, Aug 1, 2014 at 4:06 AM, coderman wrote:
> ...
> Any carrier phones or specific builds known to not accept PRL updates
> without authorization should be noted in response to this thread...

anon from the wiki pointed out the verizon rigmaiden aircard incident.[0]

while not a smart phone, this does illustrate how a properly privacy conscious device will refuse to accept insufficiently authenticated roaming list updates. UTStarcom PC5740 at that point in time resistant to surreptitious corruption of roaming list.

also, more than twenty years for cell locator tech as written. how many years of PRL Zero tricks?

still soliciting pointers, ...

best regards,

0. "Secrets of FBI Smartphone Surveillance Tool Revealed in Court Fight"
- http://www.wired.com/2013/04/verizon-rigmaiden-aircard/all/
'''
Verizon reprogrammed the device so that when an incoming voice call arrived, the card would disconnect from any legitimate cell tower to which it was already connected, and send real-time cell-site location data to Verizon, which forwarded the data to the FBI.
This allowed the FBI to position its stingray in the neighborhood where Rigmaiden resided. The stingray then “broadcast a very strong signal” to force the air card into connecting to it, instead of reconnecting to a legitimate cell tower, so that agents could then triangulate signals coming from the air card and zoom-in on Rigmaiden’s location. To make sure the air card connected to the FBI’s simulator, Rigmaiden says that Verizon altered his air card’s Preferred Roaming List so that it would accept the FBI’s stingray as a legitimate cell site and not a rogue site, and also changed a data table on the air card designating the priority of cell sites so that the FBI’s fake site was at the top of the list.
'''

- the second "data table on the air card ... designating the priority of cell sites" not unambiguous. for example, System Determination Algorithms can utilize recent tower connection history foremost, along with the "Preferred Roaming List" as commonly used. a stated common method is listed in priority order:

1. MRU ROAMING History List (MRU)
2. Preferred Roaming List (PRL)

---fwd-ctxt-sw---

please direct questions to Mathew Solnik and Marc Blanchou, who are burning all sorts of vuln this week in Vegas.

Cellular Exploitation on a Global Scale: The Rise and Fall of the Control Protocol
- https://www.blackhat.com/us-14/briefings.html#Solnik

"... In this presentation, we will discuss and disclose how Over-the-Air code execution can be obtained on the major cellular platforms and networks (GSM/CDMA/LTE). Including but not limited to Android, iOS, Blackberry, and Embedded M2M devices."

such a setup suitable for silent PRL favor and middling as discussed.
From coderman at gmail.com Sun Aug 3 04:02:36 2014
From: coderman at gmail.com (coderman)
Date: Sun, 3 Aug 2014 04:02:36 -0700
Subject: Feds’ Silk Road Investigation Broke Privacy Laws, Defendant Tells Court
Message-ID:

http://www.wired.com/2014/08/feds-silk-road-investigation-violated-privacy-law-sites-alleged-creator-tells-court

'''
The Department of Justice sees its takedown of the billion-dollar Silk Road black market as a massive, victorious drug bust. Ross Ulbricht, the alleged creator of that anonymous contraband bazaar, now wants to cast the case in a different light: as a landmark example of the government trampling privacy rights in the digital world. In a pre-trial motion filed in the case late Friday night, Ulbricht’s lawyers laid out a series of arguments to dismiss all charges in the case based on Ulbricht’s fourth amendment protections against warrantless searches of his digital property. As early as the FBI’s initial discovery of servers in Iceland hosting the site on the Tor anonymity network—seemingly without obtaining a search warrant from a judge—Ulbricht argues that law enforcement violated his constitutional right to privacy, tainting all further evidence against him dug up in the investigation that followed. “The [electronically stored information] and other material seized and searched has been contaminated at its source, and at several later points along the way, rendering the direct and indirect product of those searches and seizures – in essence, the entire product of the investigation itself – inadmissible,” a 102-page memo accompanying the motion summarizes. “Thus, the Fourth Amendment and relevant statutes require suppression of the fruits of the searches and seizures, and any evidence or other information derived therefrom.” The motion refers to 14 distinct searches and seizures of Ulbricht’s computers, equipment, and online accounts.
Beyond the initial tracing of his alleged servers in Iceland, investigators performed several of those surveillance operations with “trap and trace” or “pen register” orders that don’t require the “probable cause” standard necessary to convince a judge to sign off on a warrant; the warrantless surveillance ops included asking Comcast for information related to Ulbricht’s alleged IP address in San Francisco. And even in the cases when investigators did get a warrant before performing their searches—as in the case of a Samsung laptop believed to belong to Ulbricht as well as his Gmail and Facebook accounts—Ulbricht’s defense argues that those warrants were unconstitutional “general warrants” that allowed a wholesale dump of his private data rather than allowing the search for a specific piece of information. “Many of the warrants…constitute the general warrants abhorred by the Framers, and which led directly to the Fourth Amendment,” the memo reads. “The wholesale collection and study of Mr. Ulbricht’s entire digital history without limitation – expressly sought in the warrants and granted – represent the very type of indiscriminate rummaging that caused the American colonists so much consternation.” Ulbricht’s memo isn’t simply a demand to dismiss the charges against him, which include conspiracy to traffic in narcotics, money laundering, and a “kingpin” statute often used against mob bosses and drug cartel leaders. It’s also a request for more information from prosecutors. Despite the “discovery” process designed to give defendants a chance to review the evidence against them, the memo says that the government still hasn’t revealed to Ulbricht or the public many aspects of the investigation. The most crucial of those information gaps is just how the FBI located the Silk Road’s servers despite the anonymity protections provided by cryptographic software Tor.
“All of the searches and seizures are predicated upon the government’s infiltration of the alleged ‘Silk Road Servers,’” reads the memo. “However, that event – location of the Silk Road Servers – is shrouded in mystery, as the means and manner in which that discovery was accomplished has not been disclosed.” If that initial pinpointing and penetration of Ulbricht’s alleged servers—whether by the FBI, the NSA, or investigators with the means of defeating Tor’s privacy safeguards—is determined to be unconstitutional, the defense argues it could contaminate virtually all of the prosecution’s other evidence. It points to what it calls the “fruit of a poisonous tree” doctrine, stating that an improper search can invalidate all subsequent searches based on evidence found in the initial step. And it notes that the requests to judges for warrants in other steps of the feds’ investigation didn’t explain or even mention that initial discovery of the Silk Road’s computers in Iceland. The memo backs up its argument by referring to several recent fourth amendment decisions, most notably the case of Riley vs. California, in which the Supreme Court ruled that police can’t search an arrested suspect’s phone without a warrant due to the massive amount of private data that sort of digital device contains. It also points to another case in which Microsoft was ordered to respond to a search warrant for emails belonging to one of its users, even though the emails were stored on a foreign server. Ulbricht’s defense points to that second case as a demonstration that the government ought to seek a warrant even when the information it’s seeking is stored abroad, as in the case of the Silk Road’s Icelandic servers.
“The government has not provided any reason why it could not have pursued, and why it was not obligated under its own theory of the scope of [the law], to pursue the same avenue – a warrant – for obtaining the [electronic stored information] on the Silk Road Server,” the memo reads.

Aside from its Fourth Amendment arguments, the memo makes an unrelated request: That the prosecution stop calling Ulbricht a murderer. In its criminal complaint and pre-trial arguments, the prosecution has referred repeatedly to Ulbricht’s alleged attempts to pay for the murder of six people, including what the prosecutors describe as a potential informant against him and a blackmailer. But despite the fact that Ulbricht still faces a separate murder-for-hire case in Maryland, he hasn’t been charged with any such killings in the current Southern District of New York case. The defense argues that means the prosecution’s murder references are “unduly prejudicial” and violate Ulbricht’s right to a fair trial.

Those murder charges have weighed heavily on Ulbricht’s reputation, draining support for a young defendant who might have otherwise been a cause celebre for privacy and personal freedoms–after all, the Silk Road’s creator who called himself the “Dread Pirate Roberts” preached a libertarian philosophy of “victimless” crime and civil disobedience. With his latest motion, that alleged “pirate” is taking another, well-timed shot at elevating his case beyond one of a cybercriminal drug kingpin–this time to a story of illegal government surveillance.
'''

From reed at unsafeword.org Sun Aug 3 10:02:44 2014
From: reed at unsafeword.org (Reed Black)
Date: Sun, 3 Aug 2014 10:02:44 -0700
Subject: Russia want completely ban Bitcoin and other cryptocurrencies
In-Reply-To: <20140803071421.GS22640@nl.grid.coop>
References: <53DBF44F.2070905@openmailbox.org> <20140801232934.GN22640@nl.grid.coop> <20140803071421.GS22640@nl.grid.coop>
Message-ID:

I may be responding to a troll posting, but it's a fun one, so...

On Sun, Aug 3, 2014 at 12:14 AM, Troy Benjegerdes wrote:

> On Sat, Aug 02, 2014 at 07:47:39PM +0200, Lodewijk andré de la porte wrote:
> > 2014-08-02 19:28 GMT+02:00 Fernando Paladini :
> >
> > > It's a joke, keep calm :P
> > >
> >
> > What if they actually did give that respect, but it's all been
> > propaganda'ed into oblivion?
>
> The Soviets had some damned good engineers and scientists, and their
> designs (soyuz) are still flying. The space program of the leader of the
> free world keeps giving more money to defense contractors. Now tell me
> again who won the space race?

The Soviets also had some damned bad engineers and scientists. Someone in an ivory tower decides soaking seeds before planting them will make them grow better, the state requires it, seeds mold in the ground. How many die because Soviet science didn't come as an option?

How foreign was the concept of a flush toilet to Soviet troops who ripped them off the walls when invading westward? They baffled that the toilets ceased working when leaned against a tree or a tent. Basic conveniences were utterly foreign to any but the heads of state and their chosen pets. Even where they had advances that compared to what was available in the west, it hardly mattered to most of the population.

As to the space program, at their pinnacle they end up copying the Space Shuttle and other US projects, right down to the placement of left-handed screws. What lesson were we meant to draw here?
> War is peace, freedom is slavery, and Carl Marx was right about from each
> according to his ability, to each according to his need. This is proven
> by the market penetration of the GPLv2 linux kernel. Capitalists need high
> quality software, and they cannot afford the capital to own something that
> actually works.
>

GPL has little to nothing to do with Marx.

GPL relies entirely on private ownership of intellectual property for its enforcement. Private property is GPL's very foundation. And nobody is compelled to use GPL licensed software, or to agree to a GPL license. Those who do enter into an agreement aren't even required to redistribute their changes unless they redistribute the derivative product. There's no compulsory communal property here, no Marx.

Observe that generally, one can set up GPL and various other forms of voluntary communal contracts under capitalism. But that doesn't make capitalism communist/Marxist. It does make capitalism the more flexible system. One in which the GPL linux kernel is indeed doing well, along with countless privately owned projects.

From coderman at gmail.com Sun Aug 3 14:11:56 2014
From: coderman at gmail.com (coderman)
Date: Sun, 3 Aug 2014 14:11:56 -0700
Subject: [tor-talk] carml: tasty treats from your Tor
In-Reply-To: <86zjflpjh9.fsf@atlantis.meejah.ca>
References: <86zjflpjh9.fsf@atlantis.meejah.ca>
Message-ID:

thank you meejah! this is awesome useful :)

best regards,

---fwd---

On Sun, Aug 3, 2014 at 10:32 AM, meejah wrote:
>
> I've got a first super-alpha release of this thing that's been sitting
> around for a while. Turns out "sanitize a bit" turns into "refactor some
> things" and so forth...
>
> Anyway, carml does various command-line things with Tor and I thought it
> might be useful to others (plays nicely with grep, pipes, etc).
>
> I would really love feedback on whether the "downloadbundle" command is
> doing the right thing with certificate-checks.
>
> https://github.com/meejah/carml
> https://carml.readthedocs.org/en/latest/
>
> You can "pip install carml" to try it out. Recommend doing this in a
> virtualenv:
>
>    virtualenv trycarml
>    ./trycarml/bin/pip install carml
>    ./trycarml/bin/carml help
>
> To check signatures first, instead download the WHL file and associated
> signature from PyPI, gpg --verify it and then replace "install carml"
> with "install path/to/.whl" above.
>
> Some other things to try:
>
>    carml downloadbundle --extract --system-keyring
>    echo "hello darkweb" | carml pastebin
>
> wait for a new consensus to be published, dump it and exit:
>
>    carml events --once NEWCONSENSUS
>
> Currently, the defaults work with a system Tor (i.e. localhost port
> 9051). Probably I'll change this to be TBB defaults. To connect to a Tor
> Browser Bundle instance, do this:
>
>    carml --connect tcp:localhost:9151 monitor
>
> It is written using Twisted and txtorcon.
>
> Thanks,
> meejah

From hozer at hozed.org Sun Aug 3 15:43:33 2014
From: hozer at hozed.org (Troy Benjegerdes)
Date: Sun, 3 Aug 2014 17:43:33 -0500
Subject: Russia want completely ban Bitcoin and other cryptocurrencies
In-Reply-To:
References: <53DBF44F.2070905@openmailbox.org> <20140801232934.GN22640@nl.grid.coop> <20140803071421.GS22640@nl.grid.coop>
Message-ID: <20140803224333.GX22640@nl.grid.coop>

On Sun, Aug 03, 2014 at 10:02:44AM -0700, Reed Black wrote:
> I may be responding to a troll posting, but it's a fun one, so...
>

I should probably not read Thomas Piketty's Capital and then post on the internet in the same week timespan. But it's been quite an amusing digression.
>
> On Sun, Aug 3, 2014 at 12:14 AM, Troy Benjegerdes wrote:
>
> > On Sat, Aug 02, 2014 at 07:47:39PM +0200, Lodewijk andré de la porte wrote:
> > > 2014-08-02 19:28 GMT+02:00 Fernando Paladini :
> > >
> > > > It's a joke, keep calm :P
> > > >
> > >
> > > What if they actually did give that respect, but it's all been
> > > propaganda'ed into oblivion?
> >
> >
> > The Soviets had some damned good engineers and scientists, and their
> > designs (soyuz) are still flying. The space program of the leader of the
> > free world keeps giving more money to defense contractors. Now tell me
> > again who won the space race?
> >
>
> The Soviets also had some damned bad engineers and scientists. Someone in
> an ivory tower decides soaking seeds before planting them will make them
> grow better, the state requires it, seeds mold in the ground. How many die
> because Soviet science didn't come as an option?
>
> How foreign was the concept of a flush toilet to Soviet troops who ripped
> them off the walls when invading westward? They baffled that the toilets
> ceased working when leaned against a tree or a tent. Basic conveniences
> were utterly foreign to any but the heads of state and their chosen pets.
> Even where they had advances that compared to what was available in the
> west, it hardly mattered to most of the population.
>
> As to the space program, at their pinnacle they end up copying the Space
> Shuttle and other US projects, right down to the placement of left-handed
> screws. What lesson were we meant to draw here?

Don't copy that floppy?

I'd argue the Soyuz was and is the pinnacle of human manned flight, because it (as far as I know) was not a copy, and it's still flying.

>
> > War is peace, freedom is slavery, and Carl Marx was right about from each
> > according to his ability, to each according to his need. This is proven
> > by the market penetration of the GPLv2 linux kernel.
> > Capitalists need high
> > quality software, and they cannot afford the capital to own something that
> > actually works.
> >
>
> GPL has little to nothing to do with Marx.
>
> GPL relies entirely on private ownership of intellectual property for its
> enforcement. Private property is GPL's very foundation. And nobody is
> compelled to use GPL licensed software, or to agree to a GPL license. Those
> who do enter into an agreement aren't even required to redistribute their
> changes unless they redistribute the derivative product. There's no
> compulsory communal property here, no Marx.
>
> Observe that generally, one can set up GPL and various other forms of
> voluntary communal contracts under capitalism. But that doesn't make
> capitalism communist/Marxist. It does make capitalism the more flexible
> system. One in which the GPL linux kernel is indeed doing well, along with
> countless privately owned projects.

Marx was worried about endless accumulation of capital by industrialists. I find it rather hilariously amusing that for Marx's commons to work, it has to be in the capitalist framework of intellectual property ownership.

The brilliance of the GPL(v2) is the 'compulsory communal' aspect only kicks in when you sell something. No sale, no compulsion to share with your customers. It will be interesting to see how the AGPLv3 plays out long-term. I see a lot of code getting released under that license, and I expect at some point it will start eating the market share of closed-source cloud 'service' providers, because no capital owner can afford to pay engineers when the competition is doing the work for free.

I guess Marx got trolled by Richard Stallman.
From reed at unsafeword.org Sun Aug 3 22:06:16 2014
From: reed at unsafeword.org (Reed Black)
Date: Sun, 3 Aug 2014 22:06:16 -0700
Subject: Russia want completely ban Bitcoin and other cryptocurrencies
In-Reply-To: <20140803224333.GX22640@nl.grid.coop>
References: <53DBF44F.2070905@openmailbox.org> <20140801232934.GN22640@nl.grid.coop> <20140803071421.GS22640@nl.grid.coop> <20140803224333.GX22640@nl.grid.coop>
Message-ID:

On Sun, Aug 3, 2014 at 3:43 PM, Troy Benjegerdes wrote:

> On Sun, Aug 03, 2014 at 10:02:44AM -0700, Reed Black wrote:
> > I may be responding to a troll posting, but it's a fun one, so...
> >
>
> I should probably not read Thomas Piketty's Capital and then post on the
> internet in the same week timespan. But it's been quite an amusing
> digression.

It's basically Das Kapital, with charts and new predictions and suggested remedies. Nearly a hundred mentions of Marx, and the same blindness about what happens to capital that's accumulated, but reinvested as all major accumulations are. One need only look at any ten years interval where the wealth gap expanded, and then examine the quantity and quality of goods affordable by the poorest in that time. It gives question to his predictions and his radical plans for 80% tax rates and the like. Trying to pull up the wage earners by pulling down the wage payers hasn't worked yet. But it does have an interesting parallel to the below...

> > > War is peace, freedom is slavery, and Carl Marx was right about from each
> > > according to his ability, to each according to his need. This is proven
> > > by the market penetration of the GPLv2 linux kernel. Capitalists need high
> > > quality software, and they cannot afford the capital to own something that
> > > actually works.
> > >
> >
> > GPL has little to nothing to do with Marx.
> >
> > GPL relies entirely on private ownership of intellectual property for its
> > enforcement. Private property is GPL's very foundation.
> > And nobody is
> > compelled to use GPL licensed software, or to agree to a GPL license. Those
> > who do enter into an agreement aren't even required to redistribute their
> > changes unless they redistribute the derivative product. There's no
> > compulsory communal property here, no Marx.
> >
> > Observe that generally, one can set up GPL and various other forms of
> > voluntary communal contracts under capitalism. But that doesn't make
> > capitalism communist/Marxist. It does make capitalism the more flexible
> > system. One in which the GPL linux kernel is indeed doing well, along with
> > countless privately owned projects.
>
> Marx was worried about endless accumulation of capital by industrialists. I
> find it rather hilariously amusing that for Marx's commons to work, it has to
> be in the capitalist framework of intellectual property ownership.
>
> The brilliance of the GPL(v2) is the 'compulsory communal' aspect only kicks
> in when you sell something. No sale, no compulsion to share with your customers.
> It will be interesting to see how the AGPLv3 plays out long-term. I see a lot
> of code getting released under that license, and I expect at some point it
> will start eating the market share of closed-source cloud 'service' providers,
> because no capital owner can afford to pay engineers when the competition is
> doing the work for free.
>

A car maker is at a competitive disadvantage if it wastes time trying to perfect sheet metal screws and socket wrenches. The other car makers use commodity parts for anything that isn't a unique selling point and differentiate by building the last, non-standard parts. Most businesses and other competitive constructive ventures are like this.

Expect open source software to eat into the platform of just about every vertical, but expect that to happen with proprietary software developers' full cooperation.
At some point, printer drivers stop being a value added differentiator and capitalists see the best returns in integrating and building on top of CUPS. Font engines become uninteresting and FreeType makes sense. Filesystems, network protocols, web development frameworks, etc...

It's why they'll cooperate to help open source projects develop best of breed implementations from the bottom up, but stop where proprietary projects still differentiate themselves in interesting ways. When it gets close to the consumer, we'll always have gaps the size of the space between an xtank and a Diablo III.

I'd expect open source projects to subsume more and more things covered by proprietary software and services today, but I'd also expect closed source software and walled gardens to continue to be the points of competitive innovation. By the time there are open source solutions commoditizing today's cloud services, tomorrow's cloud services will be doing appealing new things the public thinks it can't live without.

That's not a blind prediction, but an extrapolation of what's already happened. Free WebDAV implementations are here, but now the public wants built in media transcoding for mobile, syncing, and other features as part of their web filesystems. Virtualization systems exist with virtually zero overhead, but now CTOs expect automatic scaling, monitoring and security as push-button add ons. Most every well-established cloud service one can name has a lightweight open source alternative that looks like that cloud service only a few years ago.

In a way, capitalists need to keep ceding to the commons to control their costs as they build atop the old in order to afford to stay relevant, or they need to seek other revenue channels while nearly giving the actual service away to all comers. It's a bizarre but wonderful generative system.

>
> I guess Marx got trolled by Richard Stallman.
>

It's cute, but I never saw anything where Stallman himself seemed to believe free software was socialist in nature. (Anyone have pointers on that?) I know socialists/Marxists love to embrace it and him, but I suspect the movement and Stallman could at best be called fellow travelers of Marxism at best. There may be some common activities, but not goals or ideologies.

From l at odewijk.nl Sun Aug 3 16:08:39 2014
From: l at odewijk.nl (Lodewijk andré de la porte)
Date: Mon, 4 Aug 2014 01:08:39 +0200
Subject: Russia want completely ban Bitcoin and other cryptocurrencies
In-Reply-To: <20140803224333.GX22640@nl.grid.coop>
References: <53DBF44F.2070905@openmailbox.org> <20140801232934.GN22640@nl.grid.coop> <20140803071421.GS22640@nl.grid.coop> <20140803224333.GX22640@nl.grid.coop>
Message-ID:

> > Observe that generally, one can set up GPL and various other forms of
> > voluntary communal contracts under capitalism. But that doesn't make
> > capitalism communist/Marxist. It does make capitalism the more flexible
> > system. One in which the GPL linux kernel is indeed doing well, along with
> > countless privately owned projects.

I think you should start seeing human beings working for something they believe they need, money or otherwise. Marx just saw (afaik) people working hard for short term gains they didn't enjoy, their daily bread, knowing their works' true fruits were not their property but their bosses'. The core appeal of communism is that a man should enjoy the fruits of his labor. Interestingly, that's the core appeal of capitalism too!

> Marx was worried about endless accumulation of capital by industrialists. I
> find it rather hilariously amusing that for Marx's commons to work, it has to
> be in the capitalist framework of intellectual property ownership.
>
> The brilliance of the GPL(v2) is the 'compulsory communal' aspect only kicks
> in when you sell something. No sale, no compulsion to share with your customers.

?? People don't want to share?? From popularity to appreciation there's reasons aplenty!

> It will be interesting to see how the AGPLv3 plays out long-term. I see a lot
> of code getting released under that license, and I expect at some point it
> will start eating the market share of closed-source cloud 'service' providers,
> because no capital owner can afford to pay engineers when the competition is
> doing the work for free.

This is definitely affecting some markets. It lowers the barrier for entry, driving competition. But the collaboration between companies outcompetes any private effort, so there is no choice. It's a neat effect, but hardly of relevance to Marx or even the GPL. The GPL is just what made the effect happen "in the wild" so strongly that the MBA's couldn't deny it anymore.

The GPL was for people to know what a computer does on their behalves. To own what they depend upon. The ability to alter what they dislike. And most importantly, to safeguard against madness. No arbitrary restrictions will exist in an open source program for long. For example: Sumatra PDF and respecting PDF DRM rules are an interesting discussion, to say the least.

> I guess Marx got trolled by Richard Stallman.

I think everyone's trolling himself, first and foremost.

Note to all: "give what you can, take what you need" is in no way fair, nor even noble. It's economic suicide.

From digitalfolklore at protonmail.ch Mon Aug 4 09:44:09 2014
From: digitalfolklore at protonmail.ch (Digitalfolklore)
Date: Mon, 4 Aug 2014 12:44:09 -0400
Subject: private windows YosemiteBeta
Message-ID: <4dcc0ffa349b7e5dee37c21ca0fb5e41@protonmail.ch>

A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 453 bytes
Desc: not available
URL:

From rysiek at hackerspace.pl Mon Aug 4 07:08:53 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Mon, 04 Aug 2014 16:08:53 +0200
Subject: Russia want completely ban Bitcoin and other cryptocurrencies
In-Reply-To:
References: <53DBF44F.2070905@openmailbox.org> <20140801232934.GN22640@nl.grid.coop>
Message-ID: <67009981.FM1dTBjAdl@lapuntu>

On Saturday, 2 August 2014 12:11:09 Fernando Paladini wrote:
> But when they say "criminal penalty for mining and other operation", what
> they mean? I say, how can Russia know who are using Bitcoin, how can Russia
> know who are trading or mining Bitcoin?

This guy:
http://en.wikipedia.org/wiki/Andrey_Vyshinsky

...once said: "give me a man and I will find a paragraph" (meaning an article of law to hang/imprison them).

The proposed Bitcoin ban is just that: a law that is not going to be enforced for the general population (as there is no way in hell to do that en masse!), but will definitely be used against selected few individuals that Russian government has beefs with.

> I think this image can describe the idea I want pass:
> http://news.insidebitcoins.com/sites/default/files/government-banning-bitcoin.jpg
> Am I wrong about that?
>
> I miss the Soviet Union, at least they respected the personal and social
> freedom (but, yes, I know Stalin was a lunatic).

Instead of asking how much personal or close family experience with the Soviet Union you have, or suggesting you read the article I linked above and educate yourself a bit, I guess I'll just ignore that statement.
--
Regards,
rysiek

From komachi at openmailbox.org Mon Aug 4 10:54:28 2014
From: komachi at openmailbox.org (Anton Nesterov)
Date: Mon, 04 Aug 2014 17:54:28 +0000
Subject: Ukraine's Security Service asking for blocking separatists websites
Message-ID: <53DFC8D4.8010601@openmailbox.org>

Security Service of Ukraine sent a letter to Ukrainian Internet Association asking for blocking websites which "promotes war, ethnic hatred, violent changing the constitutional order or territorial integrity of Ukraine". The list includes many Russian-language websites related to separatist movement of Eastern Ukraine, two videos on YouTube, Polish website wolna-polska.pl and Russian game streaming community goodgame.ru (?).

Ukrainian Internet Association is a trade association of Internet-related companies founded in 2000.

Original letter
http://www.inau.org.ua/download.php?9034a12e0033c3a5fbfbb5395b35ad9e (in Ukrainian)

From BM-2cVLUfTET9YmTcfPKdhi5cRmaSykTQrzAX at bitmessage.ch Mon Aug 4 18:06:07 2014
From: BM-2cVLUfTET9YmTcfPKdhi5cRmaSykTQrzAX at bitmessage.ch (James York)
Date: Mon, 4 Aug 2014 18:06:07 -0700
Subject: Update your Tors - Tor security advisory: "relay early" traffic confirmation attack
Message-ID: <57bf9f76e72c02c7c3c63eab1c3d5474.squirrel@bitmessage.ch>

On 2014-08-04 15:33, Cathal Garvey wrote:
> A less controversial reading of the (US Govt Money) >>= Tor "thing" is
> that, while the Tor devs may be doing their best, Tor is ultimately an
> asset to the US Intelligence apparatus rather than a liability.

The missing context here is that the NSA runs its own anonymity networks because it doesn't trust community-run infrastructure.

Some things are useful to the intelligence community. Like phones. And cars. And the Internet.
Why disregard a technology just because it might be used by spies?

From rysiek at hackerspace.pl Mon Aug 4 10:28:36 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Mon, 04 Aug 2014 19:28:36 +0200
Subject: Encrypt iPhone calls app
In-Reply-To: <20140801032626.GB26171@9ac286446c9be08c809eca57f261c57c5d28508f92702bc3>
References: <44151506-A170-4DE3-AC88-02E54384CEEA@gmail.com> <20140801032626.GB26171@9ac286446c9be08c809eca57f261c57c5d28508f92702bc3>
Message-ID: <2015422.IPfqsSmiaT@lapuntu>

On Thursday, 31 July 2014 23:26:26 David Hill wrote:
> You cannot secure cellphones.

Here, have a read:
https://medium.com/message/81e5f33a24e1

Pay some special attention to this part:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

“Most of the world does not have install privileges on the computer they are using.” That is, most people using a computer in the world don’t own the computer they are using. Whether it’s in a cafe, or school, or work, for a huge portion of the world, installing a desktop application isn’t a straightforward option.

Every week or two, I was being contacted by people desperate for better security and privacy options, and I would try to help them. I’d start, “Download th…” and then we’d stop. The next thing people would tell me was that they couldn’t install software on their computers. Usually this was because an IT department somewhere was limiting their rights as a part of managing a network. These people needed tools that worked with what they had access to, mostly a browser.

So the question I put to hackers, cryptographers, security experts, programmers, and so on was this: What’s the best option for people who can’t download new software to their machines?

The answer was unanimous: nothing. They have no options.
They are better off talking in plaintext I was told, “so they don’t have a false sense of security.” Since they don’t have access to better software, I was told, they shouldn’t do anything that might upset the people watching them.

But, I explained, these are the activists, organizers, and journalists around the world dealing with governments and corporations and criminals that do real harm, the people in real danger.

Then they should buy themselves computers, I was told. That was it, that was the answer: be rich enough to buy your own computer, or literally drop dead. I told people that wasn’t good enough, got vilified in a few inconsequential Twitter fights, and moved on.

Not long after, I realized where the disconnect was. I went back to the same experts and explained: in the wild, in really dangerous situations — even when people are being hunted by men with guns — when encryption and security fails, no one stops talking. They just hope they don’t get caught. The same human impulse that has kept lotteries alive for thousands of years keeps people fighting the man against the long odds. “Maybe I’ll get away with it, might as well try!”

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

--
Regards,
rysiek

From rysiek at hackerspace.pl Mon Aug 4 10:36:04 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Mon, 04 Aug 2014 19:36:04 +0200
Subject: Update your Tors - Tor security advisory: "relay early" traffic confirmation attack
In-Reply-To: <20140730152241.GA2517@sivokote.iziade.m$>
References: <20140730152241.GA2517@sivokote.iziade.m$>
Message-ID: <1646193.Ui4Tkn3IjY@lapuntu>

On Wednesday, 30 July 2014 18:22:41 Georgi Guninski wrote:
> Someone here ranted against Tor and he
> was called a troll IIRC...

Nobody said Tor is perfect.
But making the assumption Tor is made imperfect on purpose by Tor developers, because they are funded by US money (that's the rant you're referring to, right?) is a bit... rich.

--
Regards,
rysiek

From cathalgarvey at cathalgarvey.me Mon Aug 4 12:33:29 2014
From: cathalgarvey at cathalgarvey.me (Cathal Garvey)
Date: Mon, 04 Aug 2014 20:33:29 +0100
Subject: Update your Tors - Tor security advisory: "relay early" traffic confirmation attack
In-Reply-To: <1646193.Ui4Tkn3IjY@lapuntu>
References: <20140730152241.GA2517@sivokote.iziade.m$> <1646193.Ui4Tkn3IjY@lapuntu>
Message-ID: <53DFE009.7050905@cathalgarvey.me>

A less controversial reading of the (US Govt Money) >>= Tor "thing" is that, while the Tor devs may be doing their best, Tor is ultimately an asset to the US Intelligence apparatus rather than a liability.

That is, perhaps they haven't convinced the Tor devs to insert backdoors in anything, but Tor remains something that helpfully concentrates dissidents while not overly inhibiting the government's ability to round them up and imprison them when needed.

Part of this is plausible because endpoint security; 'nuff said, especially as JS is enabled by default in the TBB.

Part of this is plausible because there are plenty of NSA docs in the wild suggesting that while they can't anonymise everyone at once, they also don't feel the need to as they can usually anonymise the subset they care about eventually.

While the Tor devs seem to have a callous disregard for this line of inquiry (which in itself is worrying), to me it's a healthy thing to bear in mind.
The bottom line is that we're dealing with a piece of software that purports to blind the world's biggest and most politically powerful surveillance state, yet receives virtually all of its funding from that same surveillance state. Draw your own conclusions based on a weighting of (ability of individuals to hide traffic from the state) / (ability of the state to obfuscate intelligence traffic) and taking into consideration how much smaller the threat model is for a state apparatus with known trusted servers and alternative traffic routes through compromised botnets and embassies around the world.

Me, I'm more hopeful for i2p; it's just a pity that it's so oddly put together right now.

On 04/08/14 18:36, rysiek wrote:
> On Wednesday, 30 July 2014 18:22:41 Georgi Guninski wrote:
>> Someone here ranted against Tor and he
>> was called a troll IIRC...
>
> Nobody said Tor is perfect. But making the assumption Tor is made imperfect on
> purpose by Tor developers, because they are funded by US money (that's the
> rant you're referring to, right?) is a bit... rich.
>

--
T: @onetruecathal, @IndieBBDNA
P: +353876363185
W: http://indiebiotech.com

From rysiek at hackerspace.pl Mon Aug 4 15:01:23 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Tue, 05 Aug 2014 00:01:23 +0200
Subject: on anarchy [was: propaganda on "hurdles for law enforcement"]
In-Reply-To:
References: <53d857fe.27bb340a.71ef.3e79@mx.google.com>
Message-ID: <1818027.1p1aRNA48T@lapuntu>

On Tuesday, 29 July 2014 23:43:35 coderman wrote:
> On Tue, Jul 29, 2014 at 7:32 PM, Juan wrote:
> > ...
> >
> > First time I come across the term 'political nihilism'
>
> i find absurdism the proper ism-edit-distance betwixt existentialism
> and nihilism, to be honest.
>
> ... leave political plebiscites to the bloviating bourgeoisie ;)

I always favoured Externism:
http://en.wikipedia.org/wiki/Externism

Can we please have political externism? Please?..

--
Regards,
rysiek

From rysiek at hackerspace.pl Mon Aug 4 15:04:20 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Tue, 05 Aug 2014 00:04:20 +0200
Subject: archive ssl key expired
In-Reply-To: <20140726151328.GE6799@ctrlc.hu>
References: <20140726151328.GE6799@ctrlc.hu>
Message-ID: <1525231.tMCdumr2Us@lapuntu>

On Saturday, 26 July 2014 17:13:28 stef wrote:
> to whom it may concern:
> https://cpunks.org//pipermail/

How quaint.

--
Regards,
rysiek

From cathalgarvey at cathalgarvey.me Tue Aug 5 00:15:49 2014
From: cathalgarvey at cathalgarvey.me (Cathal Garvey)
Date: Tue, 05 Aug 2014 08:15:49 +0100
Subject: Update your Tors - Tor security advisory: "relay early" traffic confirmation attack
In-Reply-To: <57bf9f76e72c02c7c3c63eab1c3d5474.squirrel@bitmessage.ch>
References: <57bf9f76e72c02c7c3c63eab1c3d5474.squirrel@bitmessage.ch>
Message-ID: <53E084A5.8090406@cathalgarvey.me>

> Why disregard a technology just because it might
> be used by spies?

Quite right! Good job I didn't say that, then.
I said, rather, that a combination of NSA docs, US government funding, and the Tor project's own admission that an adversary with sufficient ability to track and correlate traffic, means that Tor is not likely to be sufficient against that particular adversary; the US National Security Infrastructure.

There's nuance in there, of course. The FBI for example are pretty low on the rungs, and won't get all the Tor-killing toys from the NSA unless it suits the NSA. The CIA are more likely to get that access or may have it in-house, but they'll shoot you in your bed rather than make a trial and reveal their tricks.

Against other governments, whose exit nodes the Tor project don't explicitly bless in the directory server(s), Tor is likely to be more valuable. So I'd recommend Tor to a person in China or Iran because, although both nations also have excellent anti-speech infrastructure, the structural issues that make me wary of Tor are mostly US centric.

The top-down traffic correlation "thing" is a big problem with the Onion Routing approach, and something I'm tempted to think recommends i2p's "Garlic Routing" as a better avenue for research. As all i2p nodes are by default routing traffic for others, and nodes can be configured to vary their tunnel length, correlating traffic becomes (AFAIK) far more difficult even for a top-down adversary.

Code i2p up in a safe, portable and vertically integrated way without untrusted, unsigned code execution (Javascript) and I'm sold.

On 05/08/14 02:06, James York wrote:
> On 2014-08-04 15:33, Cathal Garvey wrote:
>> A less controversial reading of the (US Govt Money) >>= Tor "thing" is
> that, while the Tor devs may be doing their best, Tor is ultimately an
> asset to the US Intelligence apparatus rather than a liability.
>
> The missing context here is that the NSA runs its own anonymity networks
> because it doesn't trust community-run infrastructure.
>
> Some things are useful to the intelligence community. Like phones. And
> cars. And the Internet. Why disregard a technology just because it might
> be used by spies?
>
>
>

--
T: @onetruecathal, @IndieBBDNA
P: +353876363185
W: http://indiebiotech.com

From komachi at openmailbox.org Tue Aug 5 01:24:20 2014
From: komachi at openmailbox.org (Anton Nesterov)
Date: Tue, 05 Aug 2014 08:24:20 +0000
Subject: Russian League for Internet Safety propose "pre-filtration of the Internet"
Message-ID: <53E094B4.8040802@openmailbox.org>

League for Internet Safety wants "two-level filtration of the Internet" — by blacklists (what already works in Russia) and by content analysis system which can block a website if the content is prohibited by law.

"We propose an Internet filtration system, which can automatically in real-time determine content of the webpage requested by the user", — said Denis Davidov, head of league. "The system evaluates content of webpage and determines a category to which that information relates. If the category is forbidden, the system automatically blocks a webpage."

League for Internet Safety is a lobbyist organization for Internet censorship. First censorship law, https://en.wikipedia.org/wiki/Internet_Restriction_Bill , is their work.
http://roem.ru/2014/08/05/addednews104613 (in Russian)

From bluelotus at openmailbox.org Tue Aug 5 13:46:18 2014
From: bluelotus at openmailbox.org (bluelotus at openmailbox.org)
Date: Tue, 05 Aug 2014 16:46:18 -0400
Subject: "Blackphone" said to be "a super-secure nsa-proof"
In-Reply-To: <53D0D80C.7060301@owca.info>
References: <1389950750.79148.YahooMailNeo@web141202.mail.bf1.yahoo.com> <53d05d2b.479b420a.43fb.ffff99fa@mx.google.com> <53D0D80C.7060301@owca.info>
Message-ID: <332dae2aff0a57036528d1afe852dc03@openmailbox.org>

On 07/24/2014 5:55 am, Matej Kovacic wrote:
> Hi,
>
>>>
>>>
>>
>>
>> It's been long enough, has anyone acquired one of these and tested it?
>
> The problem is:
> https://pravokator.si/index.php/2014/06/02/on-mobile-phone-security/
>
> Regards,
>
> M.

http://www.reddit.com/r/Android/comments/2alqi9/diyblackphone_workinprogress/

From juan.g71 at gmail.com Tue Aug 5 16:31:26 2014
From: juan.g71 at gmail.com (Juan)
Date: Tue, 5 Aug 2014 20:31:26 -0300
Subject: Update your Tors - Tor security advisory: "relay early" traffic confirmation attack
In-Reply-To: <108254388.4Uig8uU67Z@lapuntu>
References: <1646193.Ui4Tkn3IjY@lapuntu> <53DFE009.7050905@cathalgarvey.me> <108254388.4Uig8uU67Z@lapuntu>
Message-ID: <53e167f6.c394ec0a.7e29.ffffb836@mx.google.com>

On Wed, 06 Aug 2014 00:19:17 +0200 rysiek wrote:
> One of the things I have learnt during the years of my brushing
> shoulders with Teh Gummint (public consultations, conferences, etc)
> is that a huge bureaucracy like a government is bound to have
> conflicting interests and fund/take conflicting actions.
>
> Governments are not homogeneous, to say the least.

Governments are pretty homogeneous criminal organizations. The fact that sometimes different government factions within a given government quarrel a bit over the spoils is basically meaningless, from the point of view of government victims at least.
In the case of tor - employees of the american nazi military, it should be pretty obvious that they are aligned with american nazi policies, despite their hypocritical alleged support for 'free speech'.

By the way, if the american nazi government had to fund something like tor, what would be the best approach? Two options :

One, try to do it secretly. Problem is, it's difficult and sooner or later (sooner) people would find out and the project reputation would rightfully suffer.

So what to do? Well, hide in plain sight! Get the money openly from the government and brag about how 'transparent' the scam is!! Clever.

>
> So I can see how a government can fund a tool that is useful for one
> of the departments or agencies, and which at the same time is
> detrimental to actions of some other department or agency.

As mentioned ad nauseam tor is 'useful' for the 'intelligence' 'community'.

>
> There's no Huge Plan Or Conspiracy behind it. Just Hanlon's razor, if
> anything.

bla bla bla Name calling! You are a witch! You are a conspiracy theorist!! You hate AMERIKKKAAA!!!!

Absolutely none of the government actions are secret. Especially things done by the most brutal faction, the military. Anything the military do is public, published in www.nazis.org and for the common good!!!

>
> > Draw your own conclusions based on a weighting of (ability of
> > individuals to hide traffic from the state) / (ability of the state
> > to obfuscate intelligence traffic) and taking into consideration
> > how much smaller the threat model is for a state apparatus with
> > known trusted servers and alternative traffic routes through
> > compromised botnets and embassies around the world.
>
> Yup.
>
> > Me, I'm more hopeful for i2p; it's just a pity that it's so oddly
> > put together right now.
>
> Care to elaborate on the "oddly put together" part?
>

From rysiek at hackerspace.pl Tue Aug 5 15:19:17 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Wed, 06 Aug 2014 00:19:17 +0200
Subject: Update your Tors - Tor security advisory: "relay early" traffic confirmation attack
In-Reply-To: <53DFE009.7050905@cathalgarvey.me>
References: <1646193.Ui4Tkn3IjY@lapuntu> <53DFE009.7050905@cathalgarvey.me>
Message-ID: <108254388.4Uig8uU67Z@lapuntu>

On Monday, 4 August 2014 20:33:29 Cathal Garvey wrote:
> A less controversial reading of the (US Govt Money) >>= Tor "thing" is
> that, while the Tor devs may be doing their best, Tor is ultimately an
> asset to the US Intelligence apparatus rather than a liability. That is,
> perhaps they haven't convinced the Tor devs to insert backdoors in
> anything, but Tor remains something that helpfully concentrates
> dissidents while not overly inhibiting the government's ability to round
> them up and imprison them when needed.

Yeah, that's a legitimate worry, but one that is far from being black or white (as in: it's really hard to assess the net impact of such a tactic, and how effective it really is).

> Part of this is plausible because endpoint security; 'nuff said,
> especially as JS is enabled by default in the TBB.

I would love to see JS disabled by default (blocked via NoScript, which is installed by default in TBB).

> Part of this is plausible because there are plenty of NSA docs in the
> wild suggesting that while they can't anonymise everyone at once, they
> also don't feel the need to as they can usually anonymise the subset
> they care about eventually.

Thing is: even with that taken into account, Tor is of great value, as it actually *raises the costs* of surveillance; consider:
http://smarimccarthy.is/blog/2014/05/28/engineering-our-way-out-of-fascism/

> While the Tor devs seem to have a callous disregard for this line of
> inquiry (which in itself is worrying), to me it's a healthy thing to
> bear in mind. The bottom line is that we're dealing with a piece of
> software that purports to blind the world's biggest and most politically
> powerful surveillance state, yet receives virtually all of its funding
> from that same surveillance state.

One of the things I have learnt during the years of my brushing shoulders with Teh Gummint (public consultations, conferences, etc) is that a huge bureaucracy like a government is bound to have conflicting interests and fund/take conflicting actions.

Governments are not homogeneous, to say the least.

So I can see how a government can fund a tool that is useful for one of the departments or agencies, and which at the same time is detrimental to actions of some other department or agency.

There's no Huge Plan Or Conspiracy behind it. Just Hanlon's razor, if anything.

> Draw your own conclusions based on a weighting of (ability of
> individuals to hide traffic from the state) / (ability of the state to
> obfuscate intelligence traffic) and taking into consideration how much
> smaller the threat model is for a state apparatus with known trusted
> servers and alternative traffic routes through compromised botnets and
> embassies around the world.

Yup.

> Me, I'm more hopeful for i2p; it's just a pity that it's so oddly put
> together right now.

Care to elaborate on the "oddly put together" part?

--
Regards
rysiek
From gfoster at entersection.org Wed Aug 6 06:09:19 2014
From: gfoster at entersection.org (Gregory Foster)
Date: Wed, 06 Aug 2014 08:09:19 -0500
Subject: NGA's "Map of the World"
Message-ID: <53E228FF.20604@entersection.org>

Defense Systems (Aug 4) - "NGA awards $335 million contract [to BAE Systems] for Map of the World project":
http://defensesystems.com/Articles/2014/08/04/NGA-contract-BAE-Map-of-the-World.aspx

> [The National Geospatial Agency (NGA)] awarded BAE a contract worth
> a maximum of $335 million for help in developing the collection,
> maintenance and utilization of geospatial intelligence data and
> products. The MoW project is expected to serve as the backbone for
> the agency’s intelligence analysis and collection efforts, and
> represents the agency’s move from static maps to dynamic ones.
>
> Expected to be finished by 2020, the project would eventually allow
> NGA’s partners and customers to visualize and access integrated
> intelligence information relative to geographic features of the
> planet, according to a strategy document released by the agency.

It's no surprise that BAE Systems won the $0.335B contract as they seem to lead the defense contractor pack in honing the practice of Activity Based Intelligence (ABI), previously called Pattern of Life Analysis.
http://www.baesystems.com/article/BAES_162827/inside-activity-based-intelligence

NSA is one of NGA's clients, and this project will solve their desire to visualize the physical infrastructure of the Internet in realtime.

Here's an interview with former NGA Director Letitia Long, whom I believe initiated the project.

Federal Computer Week (Apr 15) - "Long: NGA is moving toward 'immersive intelligence'":
http://fcw.com/articles/2014/04/15/nga-moving-toward-immersive-intelligence.aspx

gf

--
Gregory Foster || gfoster at entersection.org
@gregoryfoster <> http://entersection.com/

From rysiek at hackerspace.pl Wed Aug 6 02:13:10 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Wed, 06 Aug 2014 11:13:10 +0200
Subject: Update your Tors - Tor security advisory: "relay early" traffic confirmation attack
In-Reply-To: <53e167f6.c394ec0a.7e29.ffffb836@mx.google.com>
References: <108254388.4Uig8uU67Z@lapuntu> <53e167f6.c394ec0a.7e29.ffffb836@mx.google.com>
Message-ID: <1979218.Ele6Ulio07@lapuntu>

On Tuesday, 5 August 2014 20:31:26 Juan wrote:
> On Wed, 06 Aug 2014 00:19:17 +0200
>
> rysiek wrote:
> > One of the things I have learnt during the years of my brushing
> > shoulders with Teh Gummint (public consultations, conferences, etc)
> > is that a huge bureaucracy like a government is bound to have
> > conflicting interests and fund/take conflicting actions.
> >
> > Governments are not homogeneous, to say the least.
>
> Governments are pretty homogeneous criminal organizations. The
> fact that sometimes different government factions within a
> given government quarrel a bit over the spoils is basically
> meaningless, from the point of view of government victims at
> least.

Well, obviously you haven't much experience with how governments look from the inside. Ministries and departments have different and conflicting policies regarding some of their overlapping responsibilities, and the flow of information is a real problem. Add to that some personal animosities and ambitions and you get a clusterfuck of an organisation.

A clusterfuck leaving quite a lot of space for projects like Tor.

--
Regards
rysiek

From alan at clueserver.org Wed Aug 6 12:35:46 2014
From: alan at clueserver.org (alan at clueserver.org)
Date: Wed, 6 Aug 2014 12:35:46 -0700 (PDT)
Subject: FinFisher hacked
In-Reply-To: <53E27AA9.40208@gmail.com>
References: <20140806160347.GP26986@leitl.org> <3101788.aNZNV6EjcW@lapuntu> <53E27AA9.40208@gmail.com>
Message-ID: <38795.10.6.6.23.1407353746.squirrel@10.6.6.2>

>
>
> On 06/08/14 19:27, rysiek wrote:
>> On Wednesday, 6 August 2014 18:03:47 Eugen Leitl wrote:
>>>
> http://www.reddit.com/r/Anarchism/comments/2cjlop/gamma_international_leaked
>>> /
>>>
>>> 40 GByte torrent https://netzpolitik.org/wp-upload/finfisher.torrent
>>>
>>> Moar: https://twitter.com/gammagrouppr
>>
>> Whoa.
>>
>>> https://github.com/FinFisher/FinFly-Web
>>
>> GitHub taking this down in 3... 2... 1...
>>
>
> However, It seems that some information are encrypted with gpg...

Any ideas on keys?
From eugen at leitl.org Wed Aug 6 04:31:49 2014
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 6 Aug 2014 13:31:49 +0200
Subject: lowRISC -- fully open hardware systems
Message-ID: <20140806113149.GL26986@leitl.org>

http://www.lowrisc.org/

lowRISC

Open to the core

lowRISC is producing fully open hardware systems. From the processor core to the development board, our goal is to create a completely open computing eco-system.

Our open-source SoC (System-on-a-Chip) designs will be based on the 64-bit RISC-V instruction set architecture. Volume silicon manufacture is planned as is a low-cost development board.

lowRISC is a not-for-profit organisation working closely with the University of Cambridge and the open-source community.

To keep track of the project, follow @lowRISC or join our announcements list by entering your email below:

The Team

Robert Mullins - Computer Laboratory, University of Cambridge, co-founder of Raspberry Pi
Gavin Ferris - Dreamworks, Radioscape (co-founder), Aspect Capital (former CIO)
Alex Bradbury - Computer Laboratory, University of Cambridge and Raspberry Pi

Technical Advisory Board

Krste Asanovic (UC Berkeley)
Julius Baxter (OpenRISC)
Bunnie Huang (Hacker)
Michael Taylor (UCSD)

Careers

We are currently hiring. Two new positions are available at the Computer Laboratory, University of Cambridge.

Contact us at info at lowrisc.org

From john at johnlgrubbs.net Wed Aug 6 11:48:46 2014
From: john at johnlgrubbs.net (-John)
Date: Wed, 06 Aug 2014 13:48:46 -0500
Subject: FinFisher hacked
Message-ID: <201408061850.s76Io11W013691@antiproton.jfet.org>

On Aug 6, 2014 12:27 PM, rysiek wrote:
>
> On Wednesday, 6 August 2014 18:03:47 Eugen Leitl wrote:
> > http://www.reddit.com/r/Anarchism/comments/2cjlop/gamma_international_leaked
> > /
> >
> > 40 GByte torrent https://netzpolitik.org/wp-upload/finfisher.torrent
> >
> > Moar: https://twitter.com/gammagrouppr
>
> Whoa.
>
> > https://github.com/FinFisher/FinFly-Web
>
> GitHub taking this down in 3... 2... 1...
>

Github already did, but the torrent is everywhere already.

> --
> Regards
> rysiek

From eugen at leitl.org Wed Aug 6 09:03:47 2014
From: eugen at leitl.org (Eugen Leitl)
Date: Wed, 6 Aug 2014 18:03:47 +0200
Subject: FinFisher hacked
Message-ID: <20140806160347.GP26986@leitl.org>

http://www.reddit.com/r/Anarchism/comments/2cjlop/gamma_international_leaked/

40 GByte torrent https://netzpolitik.org/wp-upload/finfisher.torrent

Moar: https://twitter.com/gammagrouppr

https://github.com/FinFisher/FinFly-Web

From rysiek at hackerspace.pl Wed Aug 6 10:27:46 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Wed, 06 Aug 2014 19:27:46 +0200
Subject: FinFisher hacked
In-Reply-To: <20140806160347.GP26986@leitl.org>
References: <20140806160347.GP26986@leitl.org>
Message-ID: <3101788.aNZNV6EjcW@lapuntu>

On Wednesday, 6 August 2014 18:03:47 Eugen Leitl wrote:
> http://www.reddit.com/r/Anarchism/comments/2cjlop/gamma_international_leaked
> /
>
> 40 GByte torrent https://netzpolitik.org/wp-upload/finfisher.torrent
>
> Moar: https://twitter.com/gammagrouppr

Whoa.

> https://github.com/FinFisher/FinFly-Web

GitHub taking this down in 3... 2... 1...

--
Regards
rysiek
From davidroman96 at gmail.com Wed Aug 6 11:57:45 2014
From: davidroman96 at gmail.com (davidroman96)
Date: Wed, 06 Aug 2014 20:57:45 +0200
Subject: FinFisher hacked
In-Reply-To: <3101788.aNZNV6EjcW@lapuntu>
References: <20140806160347.GP26986@leitl.org> <3101788.aNZNV6EjcW@lapuntu>
Message-ID: <53E27AA9.40208@gmail.com>

On 06/08/14 19:27, rysiek wrote:
> On Wednesday, 6 August 2014 18:03:47 Eugen Leitl wrote:
>> http://www.reddit.com/r/Anarchism/comments/2cjlop/gamma_international_leaked
>> /
>>
>> 40 GByte torrent https://netzpolitik.org/wp-upload/finfisher.torrent
>>
>> Moar: https://twitter.com/gammagrouppr
>
> Whoa.
>
>> https://github.com/FinFisher/FinFly-Web
>
> GitHub taking this down in 3... 2... 1...
>

However, It seems that some information are encrypted with gpg...

From boyscity at gmail.com Wed Aug 6 12:32:55 2014
From: boyscity at gmail.com (boyscity)
Date: Thu, 7 Aug 2014 01:02:55 +0530
Subject: FinFisher hacked
In-Reply-To: <53E27AA9.40208@gmail.com>
References: <20140806160347.GP26986@leitl.org> <3101788.aNZNV6EjcW@lapuntu> <53E27AA9.40208@gmail.com>
Message-ID:

Any chances he swiped the private key too. A man can dream a bit.

On Aug 7, 2014 12:40 AM, "davidroman96" wrote:
>
>
> On 06/08/14 19:27, rysiek wrote:
> > On Wednesday, 6 August 2014 18:03:47 Eugen Leitl wrote:
> >>
> http://www.reddit.com/r/Anarchism/comments/2cjlop/gamma_international_leaked
> >> /
> >>
> >> 40 GByte torrent https://netzpolitik.org/wp-upload/finfisher.torrent
> >>
> >> Moar: https://twitter.com/gammagrouppr
> >
> > Whoa.
> >
> >> https://github.com/FinFisher/FinFly-Web
> >
> > GitHub taking this down in 3... 2... 1...
> >
>
> However, It seems that some information are encrypted with gpg...
>
>
From cypherpunks at cheiraminhavirilha.com Thu Aug 7 03:30:32 2014
From: cypherpunks at cheiraminhavirilha.com (Virilha)
Date: Thu, 07 Aug 2014 10:30:32 +0000
Subject: FinFisher hacked
In-Reply-To: <38795.10.6.6.23.1407353746.squirrel@10.6.6.2>
References: <20140806160347.GP26986@leitl.org> <3101788.aNZNV6EjcW@lapuntu> <53E27AA9.40208@gmail.com> <38795.10.6.6.23.1407353746.squirrel@10.6.6.2>
Message-ID: <20140807103032.Horde.s7nl9veM0jLmHvzD-Z8KWQ1@127.0.0.1>

Someone posted this on reddit. Did not check.

Virilha

----- Message from alan at clueserver.org ---------
Date: Wed, 6 Aug 2014 12:35:46 -0700 (PDT)
From: alan at clueserver.org
Reply-To: alan at clueserver.org
Subject: Re: FinFisher hacked
To: davidroman96
Cc: cypherpunks at cpunks.org

>>
>>
>> On 06/08/14 19:27, rysiek wrote:
>>> On Wednesday, 6 August 2014 18:03:47 Eugen Leitl wrote:
>>>>
>> http://www.reddit.com/r/Anarchism/comments/2cjlop/gamma_international_leaked
>>>> /
>>>>
>>>> 40 GByte torrent https://netzpolitik.org/wp-upload/finfisher.torrent
>>>>
>>>> Moar: https://twitter.com/gammagrouppr
>>>
>>> Whoa.
>>>
>>>> https://github.com/FinFisher/FinFly-Web
>>>
>>> GitHub taking this down in 3... 2... 1...
>>>
>>
>> However, It seems that some information are encrypted with gpg...
>
> Any ideas on keys?

----- End message from alan at clueserver.org -----

From grarpamp at gmail.com Fri Aug 8 01:01:19 2014
From: grarpamp at gmail.com (grarpamp)
Date: Fri, 8 Aug 2014 04:01:19 -0400
Subject: [tor-talk] Craigslist now blocking all Tor IPs? Template for anyone:
In-Reply-To: <53E3BE07.7010105@riseup.net>
References: <3660653D-B230-40CA-B641-2C7D815DEE47@mail.bitmessage.ch> <53E3BE07.7010105@riseup.net>
Message-ID:

On Thu, Aug 7, 2014 at 1:57 PM, Mirimir wrote:
> Wrote BM-2cTjsegDfZQNGQWUQjSwro6jrWLC9B3MN3:
>> The automated messages from Craigslist appear like this:
>> This IP has been automatically blocked. If you have questions, please
>> email: blocks-b1406984946068001 at craigslist.org
> Craigslist notoriously ignores such messages.

... yet they clearly and directly invite you to ask them about it.

I quit believing Craigslist was honorable a long time ago. They are some kind of odd ideologues whose kind obviously doesn't include you.

Will they ignore those of you who live in the Bay Area?

Craigslist
1381 9th Ave / 222 Sutter St
SF, CA, US

As their user (perhaps even paying user), you certainly have customary ground to engage them in conversation.

I wonder how they treat their paying customers? And what their fee structure is like?

Or you could just deploy a better list/meme, steal their eyeballs and run them out of business. They suck pretty hard so there's lots of opportunity there.

ps. They archive every single post, and likely every single image, email, and phone number... from inception... in perpetuity. Don't take my word, it's in their videos... a fucking privacy shame. In fact, at this very moment, they're probably fapping to your gerbil sex ad that you 'deleted' ten years ago.

[Rant aside, people have a right to be forgotten, and those, like CL, who willfully disregard that right, without verbosely or obviously saying so in context (ie: mailing lists obviously have self-run, even public, archives... that you cannot 'delete'), ... need to be exposed.]
From nathan at squimp.com Fri Aug 8 03:47:50 2014
From: nathan at squimp.com (Nathan Andrew Fain)
Date: Fri, 08 Aug 2014 12:47:50 +0200
Subject: get_key_info.sh on FinFisher for public key server
Message-ID: <53E4AAD6.2090300@squimp.com>

I have not checked all files, just a sample. as keys have not been revoked or removed from the public server it would help if someone could execute the following on every gpg'ed file. as individuals revoke their keys, if im not mistaken, we will not be able to document the names of those keys.

[get_key_info.sh]
#!/bin/bash
FILE="$1"
# gpg names each recipient key on stderr; field 7 of those lines is the key ID.
# The closing "secret key not available" line is dropped by the grep.
for ID in $(gpg -d "$FILE" |& awk '{print $7}' | grep -v 'available'); do
    #gpg --dry-run --keyserver pgp.mit.edu --recv-keys 0x${ID}
    echo "ID: 0x$ID"
    # Print the keyserver index entry for this ID, if one exists.
    w3m -dump "https://pgp.mit.edu/pks/lookup?search=0x${ID}&op=index" \
        | grep pub
done

LOG:

$ ./get_key_info.sh FinIPCatcher.zip.gpg
ID: 0x977E9F54
ID: 0x0FC82479
ID: 0x0FEB4CFF
ID: 0x6225EAA0
ID: 0x58143658
ID: 0x8E037629
ID: 0x8269976E
pub 1024D/66878388 2013-04-17 Alfons Rauscher
ID: 0xB03A5EA9
ID: 0xD81082F4
pub 2048R/D81082F4 2012-03-08 Melvin Teoh (Gamma Group)
ID: 0xF5946EA8
ID: 0x695D98C9
ID: 0x280AD26F
ID: 0xF158ADF2
ID: 0xF166F2CA
pub 2048R/3F895273 2013-03-05 Alexander Hagenah
ID: 0x7774F144
ID: 0xA7A4AC21
pub 2048R/A7A4AC21 2013-03-05 Hari Purnama (pgp)

$ ./get_key_info.sh FinIP-Catcher-User-Manual.docx.gpg
ID: 0x977E9F54
ID: 0x0FC82479
ID: 0x0FEB4CFF
ID: 0x6225EAA0
ID: 0x58143658
ID: 0x8E037629
ID: 0x8269976E
pub 1024D/66878388 2013-04-17 Alfons Rauscher
ID: 0xB03A5EA9
ID: 0xD81082F4
pub 2048R/D81082F4 2012-03-08 Melvin Teoh (Gamma Group)
ID: 0xF5946EA8
ID: 0x695D98C9
ID: 0x280AD26F
ID: 0xF158ADF2
ID: 0xF166F2CA
pub 2048R/3F895273 2013-03-05 Alexander Hagenah
ID: 0x7774F144
ID: 0xA7A4AC21
pub 2048R/A7A4AC21 2013-03-05 Hari Purnama (pgp)

$ ./get_key_info.sh FinFly-Web-Syllabus.pdf.gpg
ID: 0x977E9F54
ID: 0x0FC82479
ID: 0x0FEB4CFF
ID: 0x6225EAA0
ID: 0x58143658
ID: 0x8E037629
ID: 0x8269976E
pub 1024D/66878388 2013-04-17 Alfons Rauscher
ID: 0xB03A5EA9
ID: 0xD81082F4
pub 2048R/D81082F4 2012-03-08 Melvin Teoh (Gamma Group)
ID: 0xF5946EA8
ID: 0x695D98C9
ID: 0x280AD26F
ID: 0xF158ADF2
ID: 0xF166F2CA
pub 2048R/3F895273 2013-03-05 Alexander Hagenah
ID: 0x7774F144
ID: 0xA7A4AC21
pub 2048R/A7A4AC21 2013-03-05 Hari Purnama (pgp)

From nathan at squimp.com Fri Aug 8 05:33:46 2014
From: nathan at squimp.com (Nathan Andrew Fain)
Date: Fri, 08 Aug 2014 14:33:46 +0200
Subject: get_key_info.sh on FinFisher for public key server
In-Reply-To: <53E4AAD6.2090300@squimp.com>
References: <53E4AAD6.2090300@squimp.com>
Message-ID: <53E4C3AA.1060702@squimp.com>

I am mistaken. revoked keys remain on servers. regardless, attempting to pull ident info from the .gpg files would be appreciated if someone has the 40GB archive.

On 08/08/2014 12:47 PM, Nathan Andrew Fain wrote:
> I have not checked all files, just a sample. as keys have not been
> revoked or removed from the public server it would help if someone
> could execute the following on every gpg'ed file. as individuals
> revoke their keys, if im not mistaken, we will not be able to
> document the names of those keys.
>
> [get_key_info.sh] #!/bin/bash FILE="$1" for ID in $(gpg -d "$FILE"
> |& awk '{print $7}' | grep -v 'available'); do #gpg --dry-run
> --keyserver pgp.mit.edu --recv-keys 0x${ID} echo "ID: 0x$ID" w3m
> -dump "https://pgp.mit.edu/pks/lookup?search=0x${ID}&op=index" \ |
> grep pub done
>
>
>
> LOG:
>
> $ ./get_key_info.sh FinIPCatcher.zip.gpg ID: 0x977E9F54 ID:
> 0x0FC82479 ID: 0x0FEB4CFF ID: 0x6225EAA0 ID: 0x58143658 ID:
> 0x8E037629 ID: 0x8269976E pub 1024D/66878388 2013-04-17 Alfons
> Rauscher ID: 0xB03A5EA9 ID: 0xD81082F4
> pub 2048R/D81082F4 2012-03-08 Melvin Teoh (Gamma Group)
> ID: 0xF5946EA8 ID: 0x695D98C9 ID: 0x280AD26F
> ID: 0xF158ADF2 ID: 0xF166F2CA pub 2048R/3F895273 2013-03-05
> Alexander Hagenah ID: 0x7774F144 ID: 0xA7A4AC21
> pub 2048R/A7A4AC21 2013-03-05 Hari Purnama (pgp)
>
>
> $ ./get_key_info.sh FinIP-Catcher-User-Manual.docx.gpg ID:
> 0x977E9F54 ID: 0x0FC82479 ID: 0x0FEB4CFF ID: 0x6225EAA0 ID:
> 0x58143658 ID: 0x8E037629 ID: 0x8269976E pub 1024D/66878388
> 2013-04-17 Alfons Rauscher ID:
> 0xB03A5EA9 ID: 0xD81082F4 pub 2048R/D81082F4 2012-03-08 Melvin
> Teoh (Gamma Group) ID: 0xF5946EA8 ID:
> 0x695D98C9 ID: 0x280AD26F ID: 0xF158ADF2 ID: 0xF166F2CA pub
> 2048R/3F895273 2013-03-05 Alexander Hagenah ID:
> 0x7774F144 ID: 0xA7A4AC21 pub 2048R/A7A4AC21 2013-03-05 Hari
> Purnama (pgp)
>
> $ ./get_key_info.sh FinFly-Web-Syllabus.pdf.gpg ID: 0x977E9F54 ID:
> 0x0FC82479 ID: 0x0FEB4CFF ID: 0x6225EAA0 ID: 0x58143658 ID:
> 0x8E037629 ID: 0x8269976E pub 1024D/66878388 2013-04-17 Alfons
> Rauscher ID: 0xB03A5EA9 ID: 0xD81082F4
> pub 2048R/D81082F4 2012-03-08 Melvin Teoh (Gamma Group)
> ID: 0xF5946EA8 ID: 0x695D98C9 ID: 0x280AD26F
> ID: 0xF158ADF2 ID: 0xF166F2CA pub 2048R/3F895273 2013-03-05
> Alexander Hagenah ID: 0x7774F144 ID: 0xA7A4AC21
> pub 2048R/A7A4AC21 2013-03-05 Hari Purnama (pgp)
>
>

From mrbits.dcf at gmail.com Fri Aug 8 11:02:26 2014
From: mrbits.dcf at gmail.com (MrBiTs)
Date: Fri, 08 Aug 2014 15:02:26 -0300
Subject: get_key_info.sh on FinFisher for public key server
In-Reply-To: <53E4C3AA.1060702@squimp.com>
References: <53E4AAD6.2090300@squimp.com> <53E4C3AA.1060702@squimp.com>
Message-ID: <53E510B2.8030008@gmail.com>

On 08/08/2014 09:33 AM, Nathan Andrew Fain wrote:
> I am mistaken. revoked keys remain on servers. regardless, attempting to pull ident info from the .gpg files would be
> appreciated if someone has the 40GB archive.

Interesting. And, yes, revoked keys remain on servers. That is the main target. People must be able to know if a key is or not revoked.

--
echo 920680245503158263821824753325972325831728150312428342077412537729420364909318736253880971145983128276953696631956862757408858710644955909208239222408534030331747172248238293509539472164571738870818862971439246497991147436431430964603600458631758354381402352368220521740203494788796697543569807851284795072334480481413675418412856581412376640379241258356436205061541557366641602992820546646995466P | dc
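What get_key_info.sh reads off each file, as an added example that is not part of the thread: an OpenPGP file encrypted to public keys names every recipient key ID in the clear unless the sender hid them, so the recipient list is visible without any secret key. The sample lines are constructed and modelled on GnuPG's messages and its `--list-packets` output, the key IDs are made up, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: enumerate the recipient key IDs exposed by an encrypted file
# and count recipients whose ID was hidden by the sender.

# Constructed sample of gpg's stderr. The second line has an extra
# "2048-bit" field, which is what gpg prints when the public key is in the
# local keyring; a fixed column such as awk's $7 then yields "ID" instead of
# the key ID.
SAMPLE_STDERR='gpg: encrypted with RSA key, ID AAAA1111
gpg: encrypted with 2048-bit RSA key, ID BBBB2222, created 2013-01-01
      "Constructed User <user@example.invalid>"
gpg: encrypted with RSA key, ID aaaa1111
gpg: decryption failed: secret key not available'

# Constructed sample of `gpg --list-packets` output. An all-zero keyid is
# what a message carries when it was made with --throw-keyids or
# --hidden-recipient.
SAMPLE_PACKETS=':pubkey enc packet: version 3, algo 1, keyid 1111AAAA2222BBBB
        data: [2047 bits]
:pubkey enc packet: version 3, algo 1, keyid 0000000000000000
        data: [2048 bits]
:encrypted data packet:
        length: unknown'

# Read gpg output on stdin and print each distinct recipient key ID once,
# upper-cased, in first-seen order. The ID is found by the token that
# precedes it ("ID" or "keyid"), not by its column.
recipient_keyids() {
    awk '
    ($1 == "gpg:" && $2 == "encrypted") || $1 == ":pubkey" {
        id = ""
        for (i = 1; i < NF; i++)
            if ($i == "ID" || $i == "keyid") id = toupper($(i + 1))
        sub(/,$/, "", id)                  # "BBBB2222," -> "BBBB2222"
        if (id == "" || id ~ /^0+$/) next  # no ID on the line, or hidden
        if (!(id in seen)) { seen[id] = 1; print id }
    }'
}

# Count public-key session key packets whose key ID is all zeros.
hidden_recipient_count() {
    awk '
    $1 == ":pubkey" {
        for (i = 1; i < NF; i++)
            if ($i == "keyid" && $(i + 1) ~ /^0+$/) n++
    }
    END { print n + 0 }'
}

# Same as recipient_keyids, joined with commas for logging.
keyids_csv() {
    recipient_keyids | paste -sd, -
}

# Demo on the constructed samples.
printf 'exposed (stderr):  %s\n' "$(printf '%s\n' "$SAMPLE_STDERR" | keyids_csv)"
printf 'exposed (packets): %s\n' "$(printf '%s\n' "$SAMPLE_PACKETS" | keyids_csv)"
printf 'hidden recipients: %s\n' "$(printf '%s\n' "$SAMPLE_PACKETS" | hidden_recipient_count)"
```

On a real file the input would come from `gpg --batch --list-packets FILE 2>&1`; a sender who does not want the recipient list disclosed encrypts with `--throw-keyids`, and those recipients then appear only in the hidden count.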
Name: smime.p7s Type: application/pkcs7-signature Size: 3750 bytes Desc: S/MIME Cryptographic Signature URL: From nathan at squimp.com Fri Aug 8 06:04:33 2014 From: nathan at squimp.com (Nathan Andrew Fain) Date: Fri, 08 Aug 2014 15:04:33 +0200 Subject: get_key_info.sh on FinFisher for public key server In-Reply-To: <53E4AAD6.2090300@squimp.com> References: <53E4AAD6.2090300@squimp.com> Message-ID: <53E4CAE1.2010806@squimp.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 someone else already mapped the destination keys to available info from key servers: https://news.ycombinator.com/item?id=8146200 https://pad.riseup.net/p/OmJHHd0z1SGb On 08/08/2014 12:47 PM, Nathan Andrew Fain wrote: > I have not checked all files, just a sample. as keys have not been > revoked or removed from the public server it would help if someone > could execute the following on every gpg'ed file. as individuals > revoke their keys, if im not mistaken, we will not be able to > document the names of those keys. > > [get_key_info.sh] #!/bin/bash FILE="$1" for ID in $(gpg -d "$FILE" > |& awk '{print $7}' | grep -v 'available'); do #gpg --dry-run > --keyserver pgp.mit.edu --recv-keys 0x${ID} echo "ID: 0x$ID" w3m > -dump "https://pgp.mit.edu/pks/lookup?search=0x${ID}&op=index" \ | > grep pub done > > > > LOG: > > $ ./get_key_info.sh FinIPCatcher.zip.gpg ID: 0x977E9F54 ID: > 0x0FC82479 ID: 0x0FEB4CFF ID: 0x6225EAA0 ID: 0x58143658 ID: > 0x8E037629 ID: 0x8269976E pub 1024D/66878388 2013-04-17 Alfons > Rauscher ID: 0xB03A5EA9 ID: 0xD81082F4 > pub 2048R/D81082F4 2012-03-08 Melvin Teoh (Gamma Group) > ID: 0xF5946EA8 ID: 0x695D98C9 ID: 0x280AD26F > ID: 0xF158ADF2 ID: 0xF166F2CA pub 2048R/3F895273 2013-03-05 > Alexander Hagenah ID: 0x7774F144 ID: 0xA7A4AC21 > pub 2048R/A7A4AC21 2013-03-05 Hari Purnama (pgp) > > > $ ./get_key_info.sh FinIP-Catcher-User-Manual.docx.gpg ID: > 0x977E9F54 ID: 0x0FC82479 ID: 0x0FEB4CFF ID: 0x6225EAA0 ID: > 0x58143658 ID: 0x8E037629 ID: 0x8269976E pub 1024D/66878388 > 
2013-04-17 Alfons Rauscher ID: > 0xB03A5EA9 ID: 0xD81082F4 pub 2048R/D81082F4 2012-03-08 Melvin > Teoh (Gamma Group) ID: 0xF5946EA8 ID: > 0x695D98C9 ID: 0x280AD26F ID: 0xF158ADF2 ID: 0xF166F2CA pub > 2048R/3F895273 2013-03-05 Alexander Hagenah ID: > 0x7774F144 ID: 0xA7A4AC21 pub 2048R/A7A4AC21 2013-03-05 Hari > Purnama (pgp) > > $ ./get_key_info.sh FinFly-Web-Syllabus.pdf.gpg ID: 0x977E9F54 ID: > 0x0FC82479 ID: 0x0FEB4CFF ID: 0x6225EAA0 ID: 0x58143658 ID: > 0x8E037629 ID: 0x8269976E pub 1024D/66878388 2013-04-17 Alfons > Rauscher ID: 0xB03A5EA9 ID: 0xD81082F4 > pub 2048R/D81082F4 2012-03-08 Melvin Teoh (Gamma Group) > ID: 0xF5946EA8 ID: 0x695D98C9 ID: 0x280AD26F > ID: 0xF158ADF2 ID: 0xF166F2CA pub 2048R/3F895273 2013-03-05 > Alexander Hagenah ID: 0x7774F144 ID: 0xA7A4AC21 > pub 2048R/A7A4AC21 2013-03-05 Hari Purnama (pgp) > > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlPkyuEACgkQveagdEkPM4CwiACgnmUFbBf/pXt4mLedbTcb7GSW hwAAnRphdAejZa4Fr911qySyrCi5Rmvz =Rn5a -----END PGP SIGNATURE----- From komachi at openmailbox.org Fri Aug 8 10:08:27 2014 From: komachi at openmailbox.org (Anton Nesterov) Date: Fri, 08 Aug 2014 17:08:27 +0000 Subject: Russia want to force all Internet resources install their surveillance system Message-ID: <53E5040B.10706@openmailbox.org> PM Dmitry Medvedev signed a decree about an upgrade to Russian surveillance system targeted to users of websites. It says that "organizer of spreading of the information" must sign a plan with Federal Security Service to install surveillance software/hardware with direct link to Federal Security Service, like it works with ISPs and other communication providers now. The details about installed software and hardware is confidential. It's not clear who will pay for this, but probably it will be resource owners, like it work with ISPs and other communication operators. 
"Organizer of spreading of the information" is a term introduced by Federal law N 97-FZ of 05.05.2014 (called by media "bloggers law" because it also force bloggers to register in special "bloggers registry"), it means somebody who make works something that send any information over the Internet, basically it's any website, email server or anything. That law also force them to store all logs about user's actions (even for anonymous users) for 6 months. It's not only Federal Security Service who can access that information, it's any authority who has the right to do operative investigate activities. Currently it's near 6 authorities, including Federal Drug Service, Federal Tax Service, Federal Guard Service and others. Federal law N 97-FZ of 05.05.2014 came in force on 1st August. >From the fact that Russian telephone surveillance system called SORM (system for operative investigative activities), SORM-2 for Internet, and SORM-3 for storing logs, this can be named SORM-4. http://publication.pravo.gov.ru/Document/View/0001201408040006 the decree (in Russian) http://graph.document.kremlin.ru/page.aspx?1;3632115 "Bloggers law" (in Russian) http://top.rbc.ru/society/07/08/2014/941618.shtml news report (in Russian) From grarpamp at gmail.com Fri Aug 8 16:19:54 2014 From: grarpamp at gmail.com (grarpamp) Date: Fri, 8 Aug 2014 19:19:54 -0400 Subject: [tor-talk] [OT] deleting publicly posted content In-Reply-To: <1407507198.581308.150586269.4B0D78C0@webmail.messagingengine.com> References: <3660653D-B230-40CA-B641-2C7D815DEE47@mail.bitmessage.ch> <53E3BE07.7010105@riseup.net> <53E4BD6B.5060404@cyblings.on.ca> <1407507198.581308.150586269.4B0D78C0@webmail.messagingengine.com> Message-ID: On Fri, Aug 8, 2014 at 10:13 AM, Geoff Down wrote: > On Fri, Aug 8, 2014, at 01:07 PM, krishna e bera wrote: >> There is no inherent "right to forget" anything that ever happens in >> public, because that would require invading people's minds and archives. 
>> Court decisions requiring Google to delete correct information from >> search results are misguided - if anything they should require fuller >> search results showing the context and followup events (for example, >> information that may have exonerated the persons in question). >> Archives that are not subject to jurisdictional or changing legal >> currents, are a good use case for Tor hidden services. > We have the right to ephemeral conversation, even in public. > Before mass surveillance and recording became possible, that right was > respected. > The new laws attempt to restore that right. Before, it was a subconscious unthought mode of inter conduct (if not a firmly developed expectation) as outcome of natural limiting circumstances... ie: it wasn't possible to recorde peoples lives, so the context or concept was not thought among people. Just some limited and expensive gov't tax, census, bank type systems.Then cheap computers everywhere hit and the nazis began collecting in mass again. The new laws are a restoration of expectation in the form of an enforceable right, which is now necessary form to do it against the lack of natural limit. The laws are not even close to restoring the formal mode/expectation, and the abuse of imbedding, collection, using and sharing without explicit permission and policy based release from the principal is abhorrent to the former natural way in which they would conduct. Society is slower than data and must exert its control over it and its greed until it has developed to handle such thoughts. Beyond even any reasonable 'need', phone companies maintaining *decades* of CDR's, CC purchases, and CL *not* 'deleting' posts are all equal evils. Turns out phone companies *gave* the metas to govt's and whoever else for whatever use internal and external via chains of weak or strong MOU's, secrets, etc. Now what exactly do you think content mines like CL, your mail, your facebook are doing with your content??? Hint: much worse. 
It's hugely unethical to the person and society to collect, keep this, let alone process and do whatever with it. It's faster than expectation. There is an inherent ethical right to respect the society and principal person, especially if you are faster. That includes forgetting and not even [ab]using them in the first place. Otherwise you are basically stealing lunch money from retards. That's bad.

There's also distinct differences between the service itself doing the (unfortunately now very often) unexpected or contrary to 'delete' recording, and public recording and mining contexts, ethics, etc. Altavista was nice, but did society really need it grown into the GoogleMine? GeoCities --> FaceBookMine? Who will honor your request to delete yourself from old 'non-service-made' public geocities/usenet archives today, from facebook archive 30yr from now?

We are still slow and stupid, particularly in hindsight, therefore in a digital age we need now encode that right... just as we had been natural forgotten with time, physically moving, and new associations before then. And to encode not to keep... because we are too slow to make that decision right now.

From hettinga at gmail.com Sat Aug 9 04:07:50 2014
From: hettinga at gmail.com (Robert Hettinga)
Date: Sat, 9 Aug 2014 07:07:50 -0400
Subject: openPDS - The privacy-preserving Personal Data Store
Message-ID: <2CF36F52-C2AB-42D0-98EA-18ADA977B6DB@gmail.com>

http://openpds.media.mit.edu/#philosophy

PUBLICATIONS AND SELECTED PRESS

openPDS allows users to collect, store, and give fine-grained access to their data all while protecting their privacy.

With the rise of smartphones and their built-in sensors as well as web-apps, an increasing amount of personal data is being silently collected. Personal data–digital information about users’ location, calls, web-searches, and preferences–is undoubtedly the oil of the new economy. However, the lack of access to the data makes it very hard if not impossible for an individual to understand and manage the risks associated with the collected data. Therefore, advancements in using and mining this data have to evolve in parallel with considerations about ownership and privacy.

Many of the initial and critical steps towards individuals' data ownership are technological. Given the huge number of data sources that a user interacts with on a daily basis, interoperability is not enough. Rather, the user needs to actually own a secured space, a Personal Data Store (PDS) acting as a centralized location where his data live. Owning a PDS would allow the user to view and reason about the data collected. The user can then truly control the flow of data and manage fine-grained authorizations for accessing his data.

openPDS: Protecting the Privacy of Metadata through SafeAnswers, PLoS One, 10.1371 (2014)
On the Trusted Use of Large-Scale Personal Data, IEEE Data Engineering Bulletin, 35-4 (2012)
Big Data Is Opening Doors, but Maybe Too Many, The New-York Times
ACLU: AT&T Customer Privacy at Risk, Wall Street Journal - CIO Journal
Own your own data, MIT News
Big Data : pourquoi nos métadonnées sont-elles plus personnelles que nos empreintes digitales ?, Le Monde
Private data gatekeeper stands between you and the NSA, New Scientist
MIT Wants You To Own Your Own Data, Not Give It Away, New Scientist
MIT-designed system lets you take control of your data, Wired (UK)
Getting More Value from Cell-Phone Data, Technology Review
openPDS software focuses on control of personal data, Phys.org
How to stop the NSA spying on your data, New Scientist
Why the collision of big data and privacy will require a new realpolitik, GigaOM
3 Projects Prove Privacy Is Not Dead, Scientific American
Reinventing Society in the Wake of Big Data, The Edge
New system would allow individuals to pick and choose what data to share with websites, mobile apps, Phys.org
A Major ISP Wants to Give Consumers a Cut of the Online Data Market, Vice.com
Protecting privacy online, Science Daily
Collecte de métadonnées : est-il trop tard pour s’inquiéter?, Radio Canada (FR)
Deine Daten gehören dir: Wie ein System namens OpenPDS den Datenschutz revolutionieren könnte, T3N (DE)

Visuals
openPDS privacy settings (.zip)

From grarpamp at gmail.com Sat Aug 9 10:51:59 2014
From: grarpamp at gmail.com (grarpamp)
Date: Sat, 9 Aug 2014 13:51:59 -0400
Subject: Yahoo To Add PGP Encryption For Email
Message-ID:

http://tech-beta.slashdot.org/story/14/08/08/1219241/yahoo-to-add-pgp-encryption-for-email

Unusual to see slashdot pointing out obvious weaknesses in server side/pushed crypto offerings... someone got a clue. Still, more crypto is nice to have out there.

From digitalfolklore at protonmail.ch Sat Aug 9 17:26:46 2014
From: digitalfolklore at protonmail.ch (Digitalfolklore)
Date: Sat, 9 Aug 2014 20:26:46 -0400
Subject: whois hack back
Message-ID: <9a0f08e184270e228abf945562347600@protonmail.ch>

A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 1028 bytes
Desc: not available

From crypto at jpunix.net Sun Aug 10 02:25:31 2014
From: crypto at jpunix.net (Crypto)
Date: Sun, 10 Aug 2014 04:25:31 -0500
Subject: Bitcoin Armory not as secure as promised?
Message-ID:

Hello Everyone!

It appears that Bitcoin Armory, supposedly one of the most secure Bitcoin wallets isn't so secure after all. Check out this forum post for more details.
https://bitcointalk.org/index.php?topic=731315.0

-- 
Crypto
https://www.digitalocean.com/?refcode=b90b690ca5bb

From s at ctrlc.hu Sun Aug 10 02:28:22 2014
From: s at ctrlc.hu (stef)
Date: Sun, 10 Aug 2014 11:28:22 +0200
Subject: openPDS - The privacy-preserving Personal Data Store
In-Reply-To: <2CF36F52-C2AB-42D0-98EA-18ADA977B6DB@gmail.com>
References: <2CF36F52-C2AB-42D0-98EA-18ADA977B6DB@gmail.com>
Message-ID: <20140810092822.GK7852@ctrlc.hu>

does anyone in this project have any cryptographic, security and privacy-related respect? to me this looks like the kind of smartphone app that we're having fun about every week when they save email or chat.

-- 
otr fp: https://www.ctrlc.hu/~stef/otr.txt

From l at odewijk.nl Sun Aug 10 09:44:22 2014
From: l at odewijk.nl (Lodewijk andré de la porte)
Date: Sun, 10 Aug 2014 18:44:22 +0200
Subject: Bitcoin Armory not as secure as promised?
In-Reply-To:
References:
Message-ID:

So, the response was this:

> Guys, calm down.
> The code you posted doesn't send your username to bitcoinarmory.com, it
> sends the *truncated hash* of your user home directory path. This does
> not give us any information about you except that it will be the same when
> your system makes multiple requests for version/announcement information.
> We *intentionally* chose this *instead* of tracking by IP because we knew
> that IP logging was "not cool". And in the end, we don't care about your
> IP, we only use the ID for collecting statistics about what operating
> systems are being used to run Armory and what versions people are using,
> especially after announcing new versions. This helps us remove duplicates.
> Armory (the company) only tracks unique IDs long enough to collect daily
> statistics of our user base, like how many people have upgraded. If an
> announce-request is made and comes from an ID we have never seen, we add
> the OS and Armory version to the statistics. Otherwise we ignore it.
> That's it. We added the unique ID so that we have a way to count unique
> users *without* logging IP addresses. We also add the ability for you
> to disable this by running with "--skip-announce-check".
> As a company, we have to have *some* way to measure our userbase, and we
> felt this was the least intrusive way possible. And you can opt-out.

But without salting the hash it's more reversible than it has to be. Another issue is the ignoring of proxy settings and therefore collection of IP addresses either by Armory or by other actors.

> Sorry guys, I've been out all day, but I've been thinking about this. You
> all are absolutely right. We made two mistakes:
>
> (1) We assumed that because we choose not to store/process the IP data,
> that users would believe us that we don't
> (2) We incorrectly assumed that the space of user home paths on your
> desktop was big enough that the 4 byte identifier would not have adverse
> privacy implications. I did not consider that people's home usernames might
> be, say, their username on bitcointalk.org
>
> It's quite clear that those two pieces of data do have pretty serious
> privacy implications. I want to fix this ASAP.
>
> To be clear, the reason we made the unique identifiers is *because* we
> don't want to store any IP data for the reasons described: if there was a
> subpoena of some sort, we'd prefer to not have anything to reveal. And we
> don't store it. But, we incorrectly assumed that the unique identifiers
> would be sufficiently non-privacy-leaking while still allowing us to remove
> duplicates (in response to justus: we want an identifier that will be
> persistent between loads so that users that start the program over and over
> are not counted for each start--as we all know, a lot of users have
> difficulty with Armory and will start it 300 times to try to get it to
> work). It is clear these were bad assumptions since we technically
> *could* be storing both which *would be* quite bad.
>
> I hope we've generated enough good faith with the community that we get a
> little slack that this was not our intention. I take the blame for not
> realizing that, and I want to make sure that it is fixed. ASAP. I will
> happily take feedback on how this should be adjusted so that we can meet
> our goals without compromising the privacy of the users.
>
> I agree we should decouple the option from the announcement fetching. We
> consider announcements to be extremely important, and why we made that
> difficult to disable: if there's a critical security (or privacy!)
> vulnerability in Armory, there is a very short window where someone might
> try to exploit it to steal people's coins, and there's no better way to
> help users than to make sure a big scary warning pops up the next time they
> start Armory. The fact that we coupled the OS/version reporting with it meant
> that it was as hard to disable that as it is the announcement fetching. We
> can easily separate them and will happily make it easy to disable the
> OS/version reporting.
>
> Re privacy policy: On the advice of our lawyer, we included the "may
> collect IP addresses" because we have no way to prove that we don't. And
> since our website uses google-analytics, we don't have control over what
> google does with the access patterns of users to our website. It was a bit
> of CYA that companies have to abide by, especially in the US. Note that
> at the bottom of that page we describe how to disable it
> with a link to our
> troubleshooting page.
>
> On the upside: another positive example of the power of open-source
> software. We have casually encouraged users to go through the code base,
> and we even contacted the Open Crypto Audit Project to try to get a code
> review (and never heard back from them). We are obviously believers in
> open-source, and here's the first solid example of Armory getting better
> because of it. We will get this fixed.

Of course people are still hating. I think it's possible that the overcollection was accidental. It is somewhat odd that the reason for the accident was commercialism.

2014-08-10 11:25 GMT+02:00 Crypto :
> Hello Everyone!
>
> It appears that Bitcoin Armory, supposedly one of the most secure Bitcoin
> wallets isn't so secure after all. Check out this forum post for more
> details.
>
> https://bitcointalk.org/index.php?topic=731315.0
>
> --
> Crypto
> https://www.digitalocean.com/?refcode=b90b690ca5bb

From rysiek at hackerspace.pl Sun Aug 10 16:26:32 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Mon, 11 Aug 2014 01:26:32 +0200
Subject: Ripple's consensus algorithm.
In-Reply-To: <53E7F54C.80805@echeque.com>
References: <53E7F54C.80805@echeque.com>
Message-ID: <1808556.hB6R8Xv0mx@lapuntu>

On Monday, 11 August 2014 08:42:20 James A. Donald wrote:
> Bitcoin's consensus algorithm is weight of computing power, which is OK
> as long as weight of computing power aligns with interest in bitcoin
> being a useful currency.

Aye.

> Weight of stake would be better, but so far I am unaware of any
> satisfactory proposals for weight of stake.

Aye².

> Ripple's consensus algorithm is weight of club members, and the process
> for getting into the club is opaque, as are the interests and incentives
> of the existing club members.

Aye³.

> I would suppose one gets into the club if no existing member blackballs
> you, which would be fine if there is already sufficient diversity of
> interests within the club.

If the rule is "you can get in as long as nobody blackballs you", the more members and the more diversity there is "in", the larger chance you will get blackballed. Which means, the more members, the harder to get in.
> It is not obvious to me how well the ripple consensus algorithm would
> work in the event of substantial conflicts between club members, or bad
> behavior by club members, or bad things happening to the network.
>
> Has it been analyzed for performance in the event of bad behavior by
> some club members?

Good question.

-- 
Regards
rysiek

From invalidheader at gmail.com Mon Aug 11 09:37:53 2014
From: invalidheader at gmail.com (Andrew White)
Date: Mon, 11 Aug 2014 09:37:53 -0700
Subject: cypherpunks Digest, Vol 14, Issue 11
In-Reply-To:
References:
Message-ID:

> Message: 2
> Date: Mon, 11 Aug 2014 08:42:20 +1000
> From: "James A. Donald"
> To: cypherpunks at cpunks.org
> Subject: Ripple's consensus algorithm.
> Message-ID: <53E7F54C.80805 at echeque.com>
> Content-Type: text/plain; charset=UTF-8; format=flowed
>
> Bitcoin's consensus algorithm is weight of computing power, which is OK
> as long as weight of computing power aligns with interest in bitcoin
> being a useful currency.
>
> Weight of stake would be better, but so far I am unaware of any
> satisfactory proposals for weight of stake.

This is called "proof of stake" not weight of stake and is different from Ripple's consensus process.

> Ripple's consensus algorithm is weight of club members, and the process
> for getting into the club is opaque, as are the interests and incentives
> of the existing club members.

This doesn't really describe how Ripple works. Ripple relies on the agreement of 80% or more of validator nodes per gateway to verify if a transaction took place or not. I write more about this in http://rippleinvestmentguide.com/

> I would suppose one gets into the club if no existing member blackballs
> you, which would be fine if there is already sufficient diversity of
> interests within the club.

Only if 80% of the network's validator nodes do that which is in practice not likely to happen on a large enough scale.

> It is not obvious to me how well the ripple consensus algorithm would
> work in the event of substantial conflicts between club members, or bad
> behavior by club members, or bad things happening to the network.
> Has it been analyzed for performance in the event of bad behavior by
> some club members?

I'll ping David Schwartz one of the co-inventors about this question.

From juan.g71 at gmail.com Mon Aug 11 13:24:08 2014
From: juan.g71 at gmail.com (Juan)
Date: Mon, 11 Aug 2014 17:24:08 -0300
Subject: Update your Tors - Tor security advisory: "relay early" traffic confirmation attack
In-Reply-To: <1979218.Ele6Ulio07@lapuntu>
References: <108254388.4Uig8uU67Z@lapuntu> <53e167f6.c394ec0a.7e29.ffffb836@mx.google.com> <1979218.Ele6Ulio07@lapuntu>
Message-ID: <53e924fb.0938ec0a.5497.4914@mx.google.com>

On Wed, 06 Aug 2014 11:13:10 +0200 rysiek wrote:

> On Tuesday, 5 August 2014 20:31:26 Juan wrote:
> > On Wed, 06 Aug 2014 00:19:17 +0200 rysiek wrote:
> > > One of the things I have learnt during the years of my brushing
> > > shoulders with Teh Gummint (public consultations, conferences,
> > > etc) is that a huge bureaucracy like a government is bound to have
> > > conflicting interests and fund/take conflicting actions.
> > >
> > > Governments are not homogeneous, to say the least.
> >
> > Governments are pretty homogeneous criminal organizations.
> > The fact that sometimes different government factions within a
> > given government quarrel a bit over the spoils is basically
> > meaningless, from the point of view of government victims at
> > least.
>
> Well, obviously you haven't much experience with how governments look
> from the inside.

...but I do have some inside information about the 'legal system', having been raised by lawyers =P

> Ministries and departments have different and conflicting policies
> regarding some of their overlapping responsibilities, and the flow of
> information is a real problem. Add to that some personal animosities
> and ambitions and you get a clusterfuck of an organisation.

Yes, all of that is true. I am aware of the fact that there are different factions inside a government. I did explicitly mention that. It doesn't affect my argument(s) though.

> A clusterfuck leaving quite a lot of space for projects like Tor.

Sorry, but that's circular.

You *assume* tor isn't designed as a tool to further imperial american policies and you arrive at the conclusion that there are some 'good guys' in the US government.

Too bad your assumption is what you actually need to prove.

The argument here is that tor is a small network that can be more or less easily 'traffic analyzed' by the US government - the same government that created it. This is not 'rocket science'...
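
Added example, not part of any message in this archive and not Armory's own code: the Bitcoin Armory thread earlier in this archive describes an ID built from the "truncated hash" of the home directory path, and a reply notes that "without salting the hash it's more reversible than it has to be". The Python below tests that weakness against a constructed username list and compares it with a per-install keyed ID scoped to one day; SHA-256, the home path layouts, the `announce-id:` label and the state-file name are assumptions.

```python
"""Announce-ID design check: unsalted path hash vs. keyed, day-scoped ID."""
import hashlib
import hmac
import os
import secrets

ID_BYTES = 4  # the thread mentions a "4 byte identifier"


def path_hash_id(home_path: str) -> str:
    """Scheme as described in the thread: truncated, unsalted hash of the
    home directory path. SHA-256 is an assumption; the page names no hash."""
    return hashlib.sha256(home_path.encode("utf-8")).digest()[:ID_BYTES].hex()


def home_path_guesses(username: str) -> list:
    """Usual home directory layouts (assumed) for one username."""
    return [f"/home/{username}", f"/Users/{username}", f"C:\\Users\\{username}"]


def usernames_matching(observed_id: str, usernames: list) -> list:
    """Privacy test: can a list of public usernames be tied to an ID?

    Whoever holds the ID only has to hash a few guesses per name, which is
    the "home username == forum username" case raised in the thread."""
    return [
        (name, path)
        for name in usernames
        for path in home_path_guesses(name)
        if path_hash_id(path) == observed_id
    ]


def load_install_secret(state_file: str) -> bytes:
    """Random 32-byte secret created once per install; it is never sent."""
    try:
        with open(state_file, "rb") as fh:
            secret = fh.read()
        if len(secret) == 32:
            return secret
    except FileNotFoundError:
        pass
    secret = secrets.token_bytes(32)
    # Create the file readable by the owner only.
    fd = os.open(state_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(secret)
    return secret


def keyed_daily_id(secret: bytes, day: str) -> str:
    """HMAC of the calendar day under the install secret.

    Stable across restarts on one day (duplicates can still be removed from
    daily statistics), different on the next day, independent of the path."""
    mac = hmac.new(secret, b"announce-id:" + day.encode("ascii"), hashlib.sha256)
    return mac.digest()[:ID_BYTES].hex()


def compare_schemes(state_file: str) -> dict:
    """Run both schemes against constructed sample data."""
    forum_names = ["alice", "bob", "satoshi_fan"]   # constructed usernames
    weak_id = path_hash_id("/home/bob")             # constructed home path
    secret = load_install_secret(state_file)
    day1 = keyed_daily_id(secret, "2014-08-10")
    restart = keyed_daily_id(load_install_secret(state_file), "2014-08-10")
    day2 = keyed_daily_id(secret, "2014-08-11")
    return {
        "weak_id_links_to": usernames_matching(weak_id, forum_names),
        "keyed_id_links_to": usernames_matching(day1, forum_names),
        "same_day_restart_matches": day1 == restart,
        "next_day_matches": day1 == day2,
    }


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        report = compare_schemes(os.path.join(tmp, "install.secret"))
        for key, value in report.items():
            print(f"{key}: {value}")
```

Neither variant addresses the second point raised in that thread, the announce request ignoring proxy settings; that is a transport issue independent of how the ID is derived.
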
From rysiek at hackerspace.pl Mon Aug 11 14:09:52 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Mon, 11 Aug 2014 23:09:52 +0200
Subject: Update your Tors - Tor security advisory: "relay early" traffic confirmation attack
In-Reply-To: <53e924fb.0938ec0a.5497.4914@mx.google.com>
References: <1979218.Ele6Ulio07@lapuntu> <53e924fb.0938ec0a.5497.4914@mx.google.com>
Message-ID: <3216983.cEZSaLLodi@lapuntu>

On Monday, 11 August 2014 17:24:08 Juan wrote:
> On Wed, 06 Aug 2014 11:13:10 +0200 rysiek wrote:
> > On Tuesday, 5 August 2014 20:31:26 Juan wrote:
> > > On Wed, 06 Aug 2014 00:19:17 +0200 rysiek wrote:
> > > > One of the things I have learnt during the years of my brushing
> > > > shoulders with Teh Gummint (public consultations, conferences,
> > > > etc) is that a huge bureaucracy like a government is bound to have
> > > > conflicting interests and fund/take conflicting actions.
> > > >
> > > > Governments are not homogeneous, to say the least.
> > >
> > > Governments are pretty homogeneous criminal organizations.
> > > The fact that sometimes different government factions within a
> > > given government quarrel a bit over the spoils is basically
> > > meaningless, from the point of view of government victims at
> > > least.
> >
> > Well, obviously you haven't much experience with how governments look
> > from the inside.
>
> ...but I do have some inside information about the 'legal
> system', having been raised by lawyers =P
>
> > Ministries and departments have different and conflicting policies
> > regarding some of their overlapping responsibilities, and the flow of
> > information is a real problem. Add to that some personal animosities
> > and ambitions and you get a clusterfuck of an organisation.
>
> Yes, all of that is true. I am aware of the fact that there are
> different factions inside a government. I did explicitly
> mention that. It doesn't affect my argument(s) though.
>
> > A clusterfuck leaving quite a lot of space for projects like Tor.
>
> Sorry, but that's circular.
>
> You *assume* tor isn't designed as a tool to further imperial
> american policies and you arrive at the conclusion that there
> are some 'good guys' in the US government.

No, I didn't say there are any "good guys" (nor that there aren't any, mind you). But even between a clusterfuck of "bad guys", each dragging in their own direction, simply *because* they are dragging all in different directions, there might be space for some neat projects.

Think of it as a hack on the system. Guy A needs total secrecy of communication for their moles in third world countries and finances a tool that incidentally is a huge PITA for guy B, that tries to surveil everything and everybody. Guy A and guy B are far enough from each other (system/hierarchy/department/competence-wise) that they do not co-operate, nor even know of each other too well.

Or: they know of each other and are in a state of "cold war" for resources or ambition-related aims.

-- 
Regards
rysiek

From ryacko at gmail.com Tue Aug 12 08:14:39 2014
From: ryacko at gmail.com (Ryan Carboni)
Date: Tue, 12 Aug 2014 08:14:39 -0700
Subject: [cryptography] A post-spy world
In-Reply-To:
References:
Message-ID:

John Young, true masterspy.

On Mon, Aug 11, 2014 at 1:52 PM, John Young wrote:
> "We are moving toward a post-spy world, according to the guy that runs
> the CIA’s venture capital arm."
>
> http://www.defenseone.com/technology/2014/08/10-ways-make-internet-safe-cyber-attacks/90866/?oref=d-channelriver

From ryacko at gmail.com Tue Aug 12 10:41:25 2014
From: ryacko at gmail.com (Ryan Carboni)
Date: Tue, 12 Aug 2014 10:41:25 -0700
Subject: cypherpunks Digest, Vol 14, Issue 12
In-Reply-To:
References:
Message-ID:

> So if that bill will be passed, National Security and Defense Council
> can ban any foreign media, website, foundation, movement, printed
> material, etc. without court.

Syria was under martial law... for several decades prior to their civil war.

But then again... for a few years, Lincoln was a dictator, going so far to even free the slaves amid disapproval from his cabinet.

On Tue, Aug 12, 2014 at 9:00 AM, wrote:
> Today's Topics:
>
> 1. Re: cypherpunks Digest, Vol 14, Issue 11 (Andrew White)
> 2. Re: Update your Tors - Tor security advisory: "relay early" traffic confirmation attack (Juan)
> 3. A post-spy world (John Young)
> 4. Re: Update your Tors - Tor security advisory: "relay early" traffic confirmation attack (rysiek)
> 5. SnakeoilMailbox? (rysiek)
> 6. Ukraine passed the bill about sanctions in first reading, it give power to close media, websites, and more (Anton Nesterov)
> 7. Re: [cryptography] A post-spy world (Ryan Carboni)
>
> ----------------------------------------------------------------------
>
> Message: 3
> Date: Mon, 11 Aug 2014 16:52:19 -0400
> From: John Young
> To: cypherpunks at cpunks.org, cryptography at randombit.net, cryptography at metzdowd.com
> Subject: A post-spy world
> Message-ID:
> Content-Type: text/plain; charset="utf-8"; Format="flowed"
>
> "We are moving toward a post-spy world, according to the guy that
> runs the CIA's venture capital arm."
>
> http://www.defenseone.com/technology/2014/08/10-ways-make-internet-safe-cyber-attacks/90866/?oref=d-channelriver
> -------------- next part --------------
> An HTML attachment was scrubbed...
> URL: < > http://cpunks.org/pipermail/cypherpunks/attachments/20140811/b84e1581/attachment-0001.html > > > > ------------------------------ > > Message: 4 > Date: Mon, 11 Aug 2014 23:09:52 +0200 > From: rysiek > To: cypherpunks at cpunks.org > Subject: Re: Update your Tors - Tor security advisory: "relay early" > traffic confirmation attack > Message-ID: <3216983.cEZSaLLodi at lapuntu> > Content-Type: text/plain; charset="utf-8" > > Dnia poniedziałek, 11 sierpnia 2014 17:24:08 Juan pisze: > > On Wed, 06 Aug 2014 11:13:10 +0200 > > > > rysiek wrote: > > > Dnia wtorek, 5 sierpnia 2014 20:31:26 Juan pisze: > > > > On Wed, 06 Aug 2014 00:19:17 +0200 > > > > > > > > rysiek wrote: > > > > > One of the things I have learnt during the years of my brushing > > > > > shoulders with Teh Gummint (public consultations, conferences, > > > > > etc) is that a huge bureaucracy like a government is bound to have > > > > > conflicting interests and fund/take conflicting actions. > > > > > > > > > > Governments are not homogeneous, to say the least. > > > > > > > > Governments are pretty homoneneous criminal organizations. > > > > > > > > The fact that sometimes different government factions within a > > > > > > > > given government quarrel a bit over the spoils is basically > > > > meaningless, from the point of view of government victims at > > > > least. > > > > > > Well, obviously you haven't much experience with how governments look > > > from the inside. > > > > ...but I do have some inside information about the 'legal > > system', having been raised by lawyers =P > > > > > Ministries and departments have different and conflicting policies > > > regarding some of their overlapping responsibilities, and the flow of > > > information is a real problem. Add to that some personal animosities > > > and ambitions and you get a clusterfuck of an organisation. > > > > Yes, all of that is true. I am aware of the fact that there are > > different factions inside a government. 
I did explicitly > > mention that. It doesn't affect my argument(s) though. > > > > > A clusterfuck leaving quite a lot of space for projects like Tor. > > > > Sorry, but that's circular. > > > > You *assume* tor isn't designed as a tool to further imperial > > american policies and you arrive at the conclusion that there > > are some 'good guys' in the US government. > > No, I didn't say there are any "good guys" (nor that there aren't any, mind > you). But even between a clusterfuck of "bad guys", each dragging in their > own > direction, simply *because* they are dragging all in different directions, > there might be space for some neat projects. > > Think of it as a hack on the system. > > Guy A needs total secrecy of communication for their moles in third world > countries and finances a tool that incidentally is a huge PITA for guy B, > that > tries to surveil everything and everybody. > > Guy A and guy B are far enough from each other > (system/hierarchy/department/competence-wise) that they do not co-operate, > nor > even know of each other too well. Or: they know of each other and are in a > state of "cold war" for resources or ambition-related aims. > > -- > Pozdr > rysiek > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: signature.asc > Type: application/pgp-signature > Size: 316 bytes > Desc: This is a digitally signed message part. > URL: < > http://cpunks.org/pipermail/cypherpunks/attachments/20140811/e478d2d1/attachment-0001.sig > > > > ------------------------------ > > Message: 5 > Date: Tue, 12 Aug 2014 11:01:54 +0200 > From: rysiek > To: cypherpunks at cpunks.org > Subject: SnakeoilMailbox? > Message-ID: <1604479.NSJMfQmOgd at lapuntu> > Content-Type: text/plain; charset="utf-8" > > Hi there, > > so, this got sent my way: > http://securemailbox.com/ > > It rings several of stef-defined bells for snakeoil, but maybe I don't see > something? Anybody any info on this? 
> > -- > Pozdr > rysiek > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: signature.asc > Type: application/pgp-signature > Size: 316 bytes > Desc: This is a digitally signed message part. > URL: < > http://cpunks.org/pipermail/cypherpunks/attachments/20140812/1c341c0e/attachment-0001.sig > > > > ------------------------------ > > Message: 6 > Date: Tue, 12 Aug 2014 13:01:43 +0000 > From: Anton Nesterov > To: cypherpunks at cpunks.org > Subject: Ukraine passed the bill about sanctions in first reading, it > give power to close media, websites, and more > Message-ID: <53EA1037.5090805 at openmailbox.org> > Content-Type: text/plain; charset=utf-8 > > It includes many types of sanctions, but most interesting is that ones: > > 9) the prohibition or restriction of the retransmission of television > and radio channels; > 10) the prohibition to use radio frequency resource of Ukraine; > 11) the restriction or termination of the media or other information > activities, including those in the Internet; > 12) the restriction or prohibition of production or distribution of > printed materials and other information materials; > 24) the prohibition of political parties, movements and other civil > society associations and foundations; > > So if that bill will be passed, National Security and Defense Council > can ban any foreign media, website, foundation, movement, printed > material, etc. without court. > > http://osvita.mediasapiens.ua/material/33612 news report (in Ukrainian) > http://w1.c1.rada.gov.ua/pls/zweb2/webproc4_1?pf3511=51915 text (in > Ukrainian) > > > ------------------------------ > > Message: 7 > Date: Tue, 12 Aug 2014 08:14:39 -0700 > From: Ryan Carboni > To: cypherpunks at cpunks.org, cryptography at randombit.net > Subject: Re: [cryptography] A post-spy world > Message-ID: > i3q80s6AY419ON0uEw2GBLb2+MvtjFx4vaA4XytgZnFZQ at mail.gmail.com> > Content-Type: text/plain; charset="utf-8" > > John Young, true masterspy. 
> > > On Mon, Aug 11, 2014 at 1:52 PM, John Young wrote: > > > "We are moving toward a post-spy world, according to the guy that runs > > the CIA’s venture capital arm." > > > > > > > http://www.defenseone.com/technology/2014/08/10-ways-make-internet-safe-cyber-attacks/90866/?oref=d-channelriver > > > > > > _______________________________________________ > > cryptography mailing list > > cryptography at randombit.net > > http://lists.randombit.net/mailman/listinfo/cryptography > > > > > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > http://cpunks.org/pipermail/cypherpunks/attachments/20140812/66372742/attachment-0001.html > > > > ------------------------------ > > Subject: Digest Footer > > _______________________________________________ > cypherpunks mailing list > cypherpunks at cpunks.org > https://cpunks.org/mailman/listinfo/cypherpunks > > > ------------------------------ > > End of cypherpunks Digest, Vol 14, Issue 12 > ******************************************* > From rysiek at hackerspace.pl Tue Aug 12 02:01:54 2014 From: rysiek at hackerspace.pl (rysiek) Date: Tue, 12 Aug 2014 11:01:54 +0200 Subject: SnakeoilMailbox? Message-ID: <1604479.NSJMfQmOgd@lapuntu> Hi there, so, this got sent my way: http://securemailbox.com/ It rings several of stef-defined bells for snakeoil, but maybe I don't see something? Anybody any info on this? -- Pozdr rysiek
From komachi at openmailbox.org Tue Aug 12 06:01:43 2014 From: komachi at openmailbox.org (Anton Nesterov) Date: Tue, 12 Aug 2014 13:01:43 +0000 Subject: Ukraine passed the bill about sanctions in first reading, it give power to close media, websites, and more Message-ID: <53EA1037.5090805@openmailbox.org> It includes many types of sanctions, but the most interesting are these: 9) the prohibition or restriction of the retransmission of television and radio channels; 10) the prohibition to use radio frequency resource of Ukraine; 11) the restriction or termination of the media or other information activities, including those in the Internet; 12) the restriction or prohibition of production or distribution of printed materials and other information materials; 24) the prohibition of political parties, movements and other civil society associations and foundations; So if that bill will be passed, National Security and Defense Council can ban any foreign media, website, foundation, movement, printed material, etc. without court. http://osvita.mediasapiens.ua/material/33612 news report (in Ukrainian) http://w1.c1.rada.gov.ua/pls/zweb2/webproc4_1?pf3511=51915 text (in Ukrainian) From cathalgarvey at cathalgarvey.me Tue Aug 12 11:42:16 2014 From: cathalgarvey at cathalgarvey.me (Cathal Garvey) Date: Tue, 12 Aug 2014 19:42:16 +0100 Subject: [Cryptography] miniLock seems pretty interesting In-Reply-To: <20140721162504.GX26986@leitl.org> References: <20140721162504.GX26986@leitl.org> Message-ID: <53EA6008.7030603@cathalgarvey.me> For those who aren't so keen on JS crypto even when implemented as an extension (or for those who, like me, think of Chromium as gussied up spyware), I re-implemented miniLock in Python and released it today on Github and PyPI: https://github.com/cathalgarvey/deadlock https://pypi.python.org/pypi/deadlock I added a few features, some of which are only partially implemented.
For one thing, the most secure feature of miniLock, that your key is not stored but always generated from memory, is now optional for the YOLO/lazy crowd; you can optionally generate a plaintext copy of your key and use it to encrypt and decrypt. More practically, there's a petnames system so you can store and name IDs for other people, and then encrypt to the petnames. Also partially implemented but not from the terminal interface is a means to try and brute-force a prefixed or suffixed ID, though it's not parallelised yet; I need to learn more about the multiprocess module first. This is for "vanity" addresses, like one beginning with "cathal", but lacking the hardware I'd need to accomplish that myself it's just there because I could write it rather than by true aspiration. Another handy feature; if you direct deadlock to encrypt a directory, it will automatically zip the directory and encrypt the zipfile. Recipients must still manually unzip the files; no way am I opening up that security bug in my code! Thoughts, feedback, flames etc. welcome. Unless you're bitching about lack of explicit WinMac support; that's entirely your problem to figure out. :) best, Cathal On 21/07/14 17:25, Eugen Leitl wrote: > ----- Forwarded message from Eric Mill ----- > > Date: Mon, 21 Jul 2014 09:48:32 -0400 > From: Eric Mill > To: "cryptography at metzdowd.com List" > Subject: [Cryptography] miniLock seems pretty interesting > Message-ID: > > I saw this announced at HOPE X this weekend: > > http://minilock.io/ > > It uses curve25519 , which requires much smaller > keys (32 or 64 bits) to ensure security -- and so it basically just demands > a strong passphrase from the user from which can be derived a strong > private key. > > The developer has a video and slides > to go along with it, and in general > focused his energy on persuading the audience that JavaScript crypto is a > necessary and achievable part of the future. 
> > -- Eric > -- T: @onetruecathal, @IndieBBDNA P: +353876363185 W: http://indiebiotech.com From rysiek at hackerspace.pl Tue Aug 12 11:28:39 2014 From: rysiek at hackerspace.pl (rysiek) Date: Tue, 12 Aug 2014 20:28:39 +0200 Subject: cypherpunks Digest, Vol 14, Issue 12 In-Reply-To: References: Message-ID: <4013868.BxrU0E0gfg@lapuntu> Dnia wtorek, 12 sierpnia 2014 10:41:25 Ryan Carboni pisze: > > So if that bill will be passed, National Security and Defense Council > > can ban any foreign media, website, foundation, movement, printed > > material, etc. without court. > > Syria was under martial law... for several decades prior to their civil war. > > But than again... for a few years, Lincoln was a dictator, going so far to > even free the slaves amid disapproval from his cabinet. Dictators that *free* the slaves I can totally dig. It's the opposite action that gets me really worried. -- Pozdr rysiek From dan at geer.org Tue Aug 12 19:23:35 2014 From: dan at geer.org (dan at geer.org) Date: Tue, 12 Aug 2014 22:23:35 -0400 Subject: A post-spy world In-Reply-To: Your message of "Mon, 11 Aug 2014 16:52:19 EDT." Message-ID: <20140813022335.8EB792280E7@palinka.tinho.net> John Young | "We are moving toward a post-spy world, according to the guy that | runs the CIA's venture capital arm." FWIW, I don't run In-Q-Tel, In-Q-Tel isn't a venture firm, and I don't recall saying "post-spy" at all.
Full text of the speech is at geer.tinho.net/geer.blackhat.6viii14.txt, see for yourselves. In the meantime, tell me if PPD-28 would be satisfied were an artificial semi-intelligence doing the searches rather than humans. What if surveillance data was mined not by people who could go to jail but by self-modifying programs that co-evolve with the subject of the surveillance. Tell me that "the more complex the decision the more surely it will be left to humans" is a long-term guiding ethic. Opine on whether "algorithmic regulation" aimed at a single individual needs be visible to that individual if due process is to be preserved. Perhaps also read "We Are All Intelligence Agents Now", the final technical talk at last February's RSA Conference; see geer.tinho.net/geer.rsa.28ii14.txt . Still got no Clearance... --dan From rsw at jfet.org Tue Aug 12 19:30:22 2014 From: rsw at jfet.org (Riad S. Wahby) Date: Tue, 12 Aug 2014 22:30:22 -0400 Subject: SSL cert expired for cpunks.org In-Reply-To: <1407877362.2252571.152019793.37ED1E19@webmail.messagingengine.com> References: <1407877362.2252571.152019793.37ED1E19@webmail.messagingengine.com> Message-ID: <20140813023022.GA23534@antiproton.jfet.org> Alfie John wrote: > In case it was missed, the cert for cpunks.org expired last month. Sorry about that---got busy and lost track of it. I'll get it fixed in the next day or two. Thanks for the heads-up (and the kind offer), -=rsw From alfiej at fastmail.fm Tue Aug 12 14:02:42 2014 From: alfiej at fastmail.fm (Alfie John) Date: Tue, 12 Aug 2014 23:02:42 +0200 Subject: SSL cert expired for cpunks.org Message-ID: <1407877362.2252571.152019793.37ED1E19@webmail.messagingengine.com> Hi guys, In case it was missed, the cert for cpunks.org expired last month. If money is the only reason it wasn't renewed, contact me off list and I'll happily pay for it. 
Alfie -- Alfie John alfiej at fastmail.fm From alfiej at fastmail.fm Tue Aug 12 20:08:25 2014 From: alfiej at fastmail.fm (Alfie John) Date: Wed, 13 Aug 2014 05:08:25 +0200 Subject: [Cryptography] A post-spy world In-Reply-To: <20140813022335.8EB792280E7@palinka.tinho.net> References: <20140813022335.8EB792280E7@palinka.tinho.net> Message-ID: <1407899305.2336870.152109361.6FD46E09@webmail.messagingengine.com> On Wed, Aug 13, 2014, at 04:23 AM, dan at geer.org wrote: > John Young > | "We are moving toward a post-spy world, according to the guy that > | runs the CIA's venture capital arm." > > FWIW, I don't run In-Q-Tel, In-Q-Tel isn't a venture firm, and I don't > recall saying "post-spy" at all. Full text of the speech is at > geer.tinho.net/geer.blackhat.6viii14.txt, see for yourselves. What a weird statement to make (not sure if trolling). From In-Q- Tel's website: "We identify and invest in venture-backed startups developing technologies that will provide “ready-soon innovation” (within 36 months) vital to the intelligence community mission... As a strategic investor, our model is unique. Our investments accelerate product development and add mission-critical capabilities with the sole purpose of delivering these cutting-edge technologies to IC end users quickly and efficiently." > In the meantime, tell me if PPD-28 would be satisfied were an > artificial semi-intelligence doing the searches rather than humans. > What if surveillance data was mined not by people who could go to jail > but by self-modifying programs that co-evolve with the subject of the > surveillance. Is it a police beating still called a police beating if the police shut their eyes while lashing out? If decisions or recordings are being made about my data, and not by my service providers, then my data is being surveilled. Regardless of whether it was done by a human or a computer. 
Alfie -- Alfie John alfiej at fastmail.fm From z9wahqvh at gmail.com Wed Aug 13 04:54:20 2014 From: z9wahqvh at gmail.com (z9wahqvh) Date: Wed, 13 Aug 2014 07:54:20 -0400 Subject: [Cryptography] A post-spy world In-Reply-To: <1407899305.2336870.152109361.6FD46E09@webmail.messagingengine.com> References: <20140813022335.8EB792280E7@palinka.tinho.net> <1407899305.2336870.152109361.6FD46E09@webmail.messagingengine.com> Message-ID: since I find Mr Geer's commentary among the most interesting and informed of all those on this list (very odd to even suspect him of trolling), I investigated what you wrote, and here's what I found. your own quotation notes that IQT says "our model is unique." "unique" because they do not consider themselves a venture firm. that same paragraph (read whole thing at https://www.iqt.org/about-iqt/) ends: "for each dollar that IQT invests in a company, the venture capital community invests more than nine dollars." clearly, IQT does not see itself as part of the VC community. the reasons for this look relatively straightforward: IQT is a not-for-profit, and VC is built exclusively around making direct financial profit from its investment. a not-for-profit VC is almost a contradiction in terms, since "profit" and "venture" in this context mean almost the same thing. Practically, VCs have, as a rule, a hands-off if perhaps mentorly relationship with their investments. that page makes clear that IQT gets directly involved with their partner companies, probably including technologists and technologies. this list discusses matters of great detail and legal import frequently, and precise accuracy in these matters strikes me as essential. i am not endorsing what IQT does, or the correctness of Mr Geer's statements, and I have no remote connection with any of the parties or their services, but am very interested in the record being kept clear. On Tue, Aug 12, 2014 at 11:08 PM, Alfie John wrote: > > What a weird statement to make (not sure if trolling). 
From In-Q- > Tel's website: > > "We identify and invest in venture-backed startups developing > technologies that will provide “ready-soon innovation” (within 36 > months) vital to the intelligence community mission... > > As a strategic investor, our model is unique. Our investments > accelerate product development and add mission-critical capabilities > with the sole purpose of delivering these cutting-edge technologies to > IC end users quickly and efficiently." > From drwho at virtadpt.net Wed Aug 13 10:26:25 2014 From: drwho at virtadpt.net (The Doctor) Date: Wed, 13 Aug 2014 10:26:25 -0700 Subject: [Cryptography] A post-spy world In-Reply-To: <1407934388.3718004.152250341.6B738DB8@webmail.messagingengine.com> References: <20140813022335.8EB792280E7@palinka.tinho.net> <1407899305.2336870.152109361.6FD46E09@webmail.messagingengine.com> <1407934388.3718004.152250341.6B738DB8@webmail.messagingengine.com> Message-ID: <53EB9FC1.4010701@virtadpt.net> On 08/13/2014 05:53 AM, Alfie John wrote: > In other words, they are more like a high-valued customer that want > for heavy customisation. Perhaps this is an easier way to get shit > done rather than go through the request for tenders route. From observing some of the companies that In-Q-Tel's backed, there also seems to be an element of "My employers get good use out of your product. Here, have a cookie. Keep up the good work." -- The Doctor [412/724/301/703] [ZS] Developer, Project Byzantium: http://project-byzantium.org/ PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1 WWW: https://drwho.virtadpt.net/ Life is too short to drink bad coffee.
From tom at vondein.org Wed Aug 13 03:05:15 2014 From: tom at vondein.org (Thomas von Dein) Date: Wed, 13 Aug 2014 12:05:15 +0200 Subject: [Cryptography] miniLock seems pretty interesting In-Reply-To: <53EA6008.7030603@cathalgarvey.me> References: <20140721162504.GX26986@leitl.org> <53EA6008.7030603@cathalgarvey.me> Message-ID: <20140813100515.GN11694@r4> On Tue, Aug 12, 2014 at 07:42:16PM +0100, Cathal Garvey wrote: > For those who aren't so keen on JS crypto even when implemented as an > extension (or for those who, like me, think of Chromium as gussied up > spyware), I re-implemeted miniLock in Python and released it today on > Github and PyPI: > > https://github.com/cathalgarvey/deadlock > https://pypi.python.org/pypi/deadlock So, now there are 5 different implementations for essentially the same thing: - reop (http://www.tedunangst.com/flak/post/reop) - pbp (https://github.com/stef/pbp) - pcp (https://github.com/TLINDEN/pcp) - minilock: (http://minilock.io) - deadlock (https://github.com/cathalgarvey/deadlock) - Tom From cathalgarvey at cathalgarvey.me Wed Aug 13 06:29:37 2014 From: cathalgarvey at cathalgarvey.me (Cathal Garvey) Date: Wed, 13 Aug 2014 14:29:37 +0100 Subject:
[Cryptography] miniLock seems pretty interesting In-Reply-To: <20140813100515.GN11694@r4> References: <20140721162504.GX26986@leitl.org> <53EA6008.7030603@cathalgarvey.me> <20140813100515.GN11694@r4> Message-ID: <53EB6841.2030203@cathalgarvey.me> While I'm happy to see my own work in an august list like that, I'd just like to point out that saying anything based on NaCl is "basically the same thing" is like accusing any scheme using sha256 and aes256 primitives of being the "same thing". If the schemes are not compatible or close to compatible, if they have different threat models or implementations, or different intended use-cases, they can hardly be called the same thing. Now, miniLock format could be used as a PGP alternative, and I'd be interested in making deadlock suitable for hooking into mail clients that can preprocess incoming or outgoing mail with user-configured scripts so it could be used as such, but I don't think it wasn't written for that (ask Nadim his intended use-case for miniLock, I guess). So, while all of those are NaCl based, I'd say only miniLock and deadlock are "essentially the same thing" because they're implementations of the same protocol and basic use-case. 
On 13/08/14 11:05, Thomas von Dein wrote: > On Tue, Aug 12, 2014 at 07:42:16PM +0100, Cathal Garvey wrote: >> For those who aren't so keen on JS crypto even when implemented as an >> extension (or for those who, like me, think of Chromium as gussied up >> spyware), I re-implemeted miniLock in Python and released it today on >> Github and PyPI: >> >> https://github.com/cathalgarvey/deadlock >> https://pypi.python.org/pypi/deadlock > > So, now there are 5 different implementations for essentially the same > thing: > > - reop (http://www.tedunangst.com/flak/post/reop) > - pbp (https://github.com/stef/pbp) > - pcp (https://github.com/TLINDEN/pcp) > - minilock: (http://minilock.io) > - deadlock (https://github.com/cathalgarvey/deadlock) > > > > - Tom > -- Twitter: @onetruecathal, @formabiolabs Phone: +353876363185 Blog: http://indiebiotech.com miniLock.io: JjmYYngs7akLZUjkvFkuYdsZ3PyPHSZRBKNm6qTYKZfAM From alfiej at fastmail.fm Wed Aug 13 05:53:08 2014 From: alfiej at fastmail.fm (Alfie John) Date: Wed, 13 Aug 2014 14:53:08 +0200 Subject: [Cryptography] A post-spy world In-Reply-To: References: <20140813022335.8EB792280E7@palinka.tinho.net> <1407899305.2336870.152109361.6FD46E09@webmail.messagingengine.com> Message-ID: <1407934388.3718004.152250341.6B738DB8@webmail.messagingengine.com> On Wed, Aug 13, 2014, at 01:54 PM, z9wahqvh wrote: > your own quotation notes that IQT says "our model is unique." "unique" > because they do not consider themselves a venture firm.
that same > paragraph (read whole thing at https://www.iqt.org/about-iqt/) ends: > "for each dollar that IQT invests in a company, the venture capital > community invests more than nine dollars." clearly, IQT does not see > itself as part of the VC community. IQT aren't a charity. If they are not taking equity or profits, then they are wanting something else. From more reading, it looks like what they do is provide funding to companies that have interesting products, and pay to re-purpose for in-house use. In other words, they are more like a high-valued customer that want for heavy customisation. Perhaps this is an easier way to get shit done rather than go through the request for tenders route. > the reasons for this look relatively straightforward: IQT is a not-for- > profit, and VC is built exclusively around making direct financial > profit from its investment. a not-for-profit VC is almost a > contradiction in terms, since "profit" and "venture" in this context > mean almost the same thing. > > Practically, VCs have, as a rule, a hands-off if perhaps mentorly > relationship with their investments. that page makes clear that IQT > gets directly involved with their partner companies, probably > including technologists and technologies. I'm not sure which VCs you're talking about. Besides a seed round, most VCs will want at least one seats on the board for control. Definitely not hands-off. > i am not endorsing what IQT does, or the correctness of Mr Geer's > statements, and I have no remote connection with any of the parties or > their services, but am very interested in the record being kept clear. And I'm all for that too. That's why I made the comment. 
Alfie -- Alfie John alfiej at fastmail.fm From guninski at guninski.com Wed Aug 13 06:59:51 2014 From: guninski at guninski.com (Georgi Guninski) Date: Wed, 13 Aug 2014 16:59:51 +0300 Subject: DropItLike In-Reply-To: <20140721101304.GB6799@ctrlc.hu> References: <20140721101304.GB6799@ctrlc.hu> Message-ID: <20140813135951.GB2538@sivokote.iziade.m$> On Mon, Jul 21, 2014 at 12:13:04PM +0200, stef wrote: > On Mon, Jul 21, 2014 at 02:35:21AM -0700, coderman wrote: > > https://github.com/mozilla/DropItLike > > quite disappointing (but then i have no expectations when it comes to > mozilla), looks like mostly a pile of libtech crap to m > quite agree about mozilla. From stephan.neuhaus at tik.ee.ethz.ch Wed Aug 13 10:47:41 2014 From: stephan.neuhaus at tik.ee.ethz.ch (Stephan Neuhaus) Date: Wed, 13 Aug 2014 19:47:41 +0200 Subject: [Cryptography] miniLock seems pretty interesting In-Reply-To: <20140813100515.GN11694@r4> References: <20140721162504.GX26986@leitl.org> <53EA6008.7030603@cathalgarvey.me> <20140813100515.GN11694@r4> Message-ID: <53EBA4BD.6050006@tik.ee.ethz.ch> On 2014-08-13, 12:05, Thomas von Dein wrote: > So, now there are 5 different implementations for essentially the > same thing: And even if that were true (which it might well be, didn't check), that's bad because...? OpenSSL has a problem because (among other things) there are no real competitors. With more, and truly different implementations, things *will* be different and they *might* be better. 
Fun, Stephan From tom at vondein.org Wed Aug 13 11:30:13 2014 From: tom at vondein.org (Thomas von Dein) Date: Wed, 13 Aug 2014 20:30:13 +0200 Subject: [Cryptography] miniLock seems pretty interesting In-Reply-To: <53EBA4BD.6050006@tik.ee.ethz.ch> References: <20140721162504.GX26986@leitl.org> <53EA6008.7030603@cathalgarvey.me> <20140813100515.GN11694@r4> <53EBA4BD.6050006@tik.ee.ethz.ch> Message-ID: <20140813183013.GQ11694@r4> On Wed, Aug 13, 2014 at 07:47:41PM +0200, Stephan Neuhaus wrote: > On 2014-08-13, 12:05, Thomas von Dein wrote: > > So, now there are 5 different implementations for essentially the > > same thing: > > And even if that were true (which it might well be, didn't check), > that's bad because...? OpenSSL has a problem because (among other > things) there are no real competitors. With more, and truly different > implementations, things *will* be different and they *might* be better. Well, ok, I didn't see it from that viewpoint, so it's essentially a good thing :) My bad.. best, Tom From bluelotus at openmailbox.org Wed Aug 13 18:31:39 2014 From: bluelotus at openmailbox.org (bluelotus at openmailbox.org) Date: Wed, 13 Aug 2014 21:31:39 -0400 Subject: Shipment Interdiction Message-ID: <9de4c88b9ca9d709ccac10f55b7a5256@openmailbox.org> The package was not interdicted to Sarasota, Florida. It was interdicted from Sarasota, Florida. Three times! Where is it now? I purchased a Toshiba Portege R205 from an Ebay seller. I needed an ultraportable laptop pre2008 as explained in: http://www.reddit.com/r/privacy/comments/2cu80z/former_m15_officer_and_whistleblower_warns/ I commuted 11 hours to Sarasota, Florida to personally pick up the laptop. Prior computers I purchased from Ebay and retailers were indicted, implanted and infected. See http://www.reddit.com/r/techsupport/comments/2a24sh/removing_bulldozer_implant_from_my_laptops/ That night, I disassembled, air gapped, reassembled my laptop. 
I glued four screws on the back to attempt to prevent it from being disassembled and implanted. That night, hackers broke into my hotel room while I was sleeping. They drilled out the glued screws, implanted, physically damaged the keyboard and infected. On Saturday, July 19, 2014, I dropped off my Toshiba, along with an interdicted and tampered Fedora CD, infected flashdrive and an infected raspberry pi to a FedEx authorized reseller in downtown Sarasota. FedEx's policy is not to notify the shipper and the recipient of the redirection. I asked Michael how recipients are allowed to change the address without the consent or knowledge of the shipper. I explained that when I was the recipient and wanted to change the address, FedEx instructed me to ask the shipper to change the address. Michael explained that I had not placed restrictions on my account to prevent the shipping address from being redirected. Michael instructed me to ask the Revenue Department to do so. I asked an employee for the number of the Revenue Department. Employee refused to look up the number and misrepresented the Revenue Department did not have a direct phone number. Instead, the employee transferred me. The Revenue Department employee did not know their direct phone number. I hung up. I called back 800-463-3339 and again asked for the Revenue Department's telephone number. I was finally given 800-622-1147. I asked an employee in the Revenue Department to transfer me to a supervisor. However, I was transferred to Bobby in Customers Relations. I asked Bobby to transfer me to a supervisor in the Revenue Department. Bobby misrepresented that she is a supervisor in the Revenue Department. I asked Bobbie for her contact information in the event that I needed to contact her again. Bobbie misrepresented her contact information is BRIFTOC. Bobby failed to give her ID number. I asked Bobby why I was not offered restriction options when I set up my account. 
Nor was I notified of restriction options thereafter until today. Bobby did not give an answer. I asked Bobby to place restrictions on my account prohibiting redirecting the shipping address without my knowledge and consent. I asked Bobby to escalate my complaint. Bobby wanted me to write a letter to FedEx. There is no point spending the time and money on my prepaid phone to call FedEx, if I have to write a letter, print it out and mail it. I insisted Bobby write up a complaint. Bobby did not give me a case number. I asked Bobby to email or fax the complaint to me. Bobby said she could not email or fax. Interdiction #2: Michael informed me that morning the package was being returned to me because the recipient had not picked it up at the FedEx location in Beaverton, Oregon. The hackers' timing was perfect. Since I am being hacked in real time, the hackers knew that I logged into my FedEx account. FedEx holds packages for pick up for five business days. Yet, FedEx held the package much longer. All of a sudden, FedEx is returning it to shipper. I had departed Sarasota, FL. Returning it to Sarasota, FL would have placed the package at risk. FedEx should notify shippers and recipients before packages are being returned to shipper. Michael promised to have the package delivered to the initial address. Michael left a voicemail confirming that the package was being redirected to the initial address. Interdiction #3: I did not know Coderman's phone number so I gave my phone number on the ground shipping label. On August 5, 2014, I received an automated voicemail that the package will be delivered tomorrow, that a signature is required and a recommendation to choose the option hold for pick up. I had not requested a signature. Nor did the tracking information display that a signature was required. A signature requirement can be used as an alibi to return a package to the shipper if the recipient is not home and does not make arrangements to sign for the package.
I tried to reach Bobby but Carolyn ID 921550 did not even try to transfer me to Bobby. Customer Relations' direct telephone number should be given to customers. Supervisors should be able to give out extension numbers. Instead Carolyn transferred me to a female employee in El Paso. It took her a while to read the notes on my account to find out who Bobby is. Bobby had left for the day. I asked to speak to a supervisor. She told me supervisors left for the day. I asked what the supervisors' hours are. She refused to tell me. She told me a signature was not required. Interdiction #4: She informed me the package was being returned to FedEx Office in Beaverton, Oregon. Again, I asked to speak to a supervisor. She transferred me to Carlos ID 892831. Carlos confirmed that signature was not required and that package was being returned to FedEx Office in Beaverton, Oregon. Carlos could not explain why the package was redirected again to FedEx Office. I asked how the redirections were being requested. Carlos explained the recipient went on FedEx's website. I argued that the recipient had not requested redirections. Carlos argued no one else would know the tracking number and recipient's contact information. I requested an investigation on the identity of the person performing the redirections. I asked Carlos how the shipment was again redirected without my knowledge or consent. I explained to Carlos that Bobby had placed restrictions on my account prohibiting redirection. Carlos explained that Bobby does not place restrictions on accounts. That Bobby could only forward my request for restrictions. I should never have been transferred to Bobby. when I argued with Bobby that she was not the appropriate employee to be transferred to, Bobby should have transferred me to an employee who can place restrictions. I complained to Carlos that shippers and recipients should be notified when shipments are redirected. 
The next day, August 6, 2014, I received email notification that the package was delivered to FedEx Office in Beaverton, OR. I asked to speak to Bobbie, Michael and Carlos. They were not available. An employee told me the package was delivered to the initial address. Was it? I emailed Coderman several times and am waiting for his reply. FedEx should have a fax number or an email address to forward complaints to. Instead, FedEx merely offers an online form to fill out. The form has a size restriction. I could not copy and paste this complaint into its form. On August 6, 2014, I mailed a complaint requesting FedEx to email or fax their investigation, confirmation that restrictions have been placed on my account and to waive the shipping fee. To date, FedEx has not responded. From coderman at gmail.com Thu Aug 14 00:02:42 2014 From: coderman at gmail.com (coderman) Date: Thu, 14 Aug 2014 03:02:42 -0400 Subject: Shipment Interdiction In-Reply-To: <9de4c88b9ca9d709ccac10f55b7a5256@openmailbox.org> References: <9de4c88b9ca9d709ccac10f55b7a5256@openmailbox.org> Message-ID: On 8/13/14, bluelotus at openmailbox.org wrote: > [ lots of mishandling ] > ... > Was it? I emailed Coderman several times and am waiting for his reply. what a cluster... it arrived while away. not expecting anything interesting at this point. :/ fuck fedex! best regards, From ryacko at gmail.com Thu Aug 14 11:19:03 2014 From: ryacko at gmail.com (Ryan Carboni) Date: Thu, 14 Aug 2014 11:19:03 -0700 Subject: Some History Message-ID: http://www.yak.net/surfpunk/issues/0105 >The FBI and the Justice Department say the initiative would > >not expand their power, but would ensure access to the type of > >communications they have been entitled to tap for years. > > > This is totally bogus. > > The FBI has never had the right to watch computer programs > execute.
Now that computer programs are being written as > distributed systems, what was originally written to be an > internal subroutine call can look like a message over the > phone system. > > The FBI never had the right to bug corporate conference rooms. > Now that companies are using videoconferencing, a private > corporate conference could look like a phone call. > > Etc. > > This needs to be fought. > > - Carl From tbiehn at gmail.com Thu Aug 14 09:20:56 2014 From: tbiehn at gmail.com (Travis Biehn) Date: Thu, 14 Aug 2014 12:20:56 -0400 Subject: Shipment Interdiction In-Reply-To: References: <9de4c88b9ca9d709ccac10f55b7a5256@openmailbox.org> Message-ID: In for jpegs. Will we be able to see entropy anomaly from jpeg interdiction and modification? Travis On Aug 14, 2014 3:21 AM, "coderman" wrote: > On 8/13/14, bluelotus at openmailbox.org wrote: > > [ lots of mishandling ] > > ... > > Was it? I emailed Coderman several times and am waiting for his reply. > > > what a cluster... it arrived while away. not expecting anything > interesting at this point. :/ > > fuck fedex! > > best regards,
From komachi at openmailbox.org Thu Aug 14 10:27:23 2014 From: komachi at openmailbox.org (Anton Nesterov) Date: Thu, 14 Aug 2014 17:27:23 +0000 Subject: Ukraine passed the bill about sanctions in first reading, it give power to close media, websites, and more In-Reply-To: <53EA1037.5090805@openmailbox.org> References: <53EA1037.5090805@openmailbox.org> Message-ID: <53ECF17B.3000403@openmailbox.org> Seems like it finally passed, but without that bad things http://w1.c1.rada.gov.ua/pls/zweb2/webproc34?id=&pf3511=51915&pf35401=311045 But seems like The National Television and Radio Broadcasting Council of Ukraine asking now for blocking Russian-language Euronews (but not Ukrainian), says it's "propagandist" http://www.nrada.gov.ua/ua/news/radanews/23304.html Anton Nesterov wrote: > It includes many types of sanctions, but most interesting is that ones: > > 9) the prohibition or restriction of the retransmission of television > and radio channels; > 10) the prohibition to use radio frequency resource of Ukraine; > 11) the restriction or termination of the media or other information > activities, including those in the Internet; > 12) the restriction or prohibition of production or distribution of > printed materials and other information materials; > 24) the prohibition of political parties, movements and other civil > society associations and foundations; > > So if that bill will be passed, National Security and Defense Council > can ban any foreign media, website, foundation, movement, printed > material, etc. without court. > > http://osvita.mediasapiens.ua/material/33612 news report (in Ukrainian) > http://w1.c1.rada.gov.ua/pls/zweb2/webproc4_1?pf3511=51915 text (in > Ukrainian) From mrjones2020 at gmail.com Fri Aug 15 11:46:30 2014 From: mrjones2020 at gmail.com (J.R. Jones) Date: Fri, 15 Aug 2014 14:46:30 -0400 Subject: Plausible deniability...
Message-ID: So how do you all go about maintaining said deniability... Hidden volumes etc. Any way to use LUKS yet? From tbiehn at gmail.com Fri Aug 15 13:46:16 2014 From: tbiehn at gmail.com (Travis Biehn) Date: Fri, 15 Aug 2014 16:46:16 -0400 Subject: Plausible deniability... In-Reply-To: References: Message-ID: By posting about it to cpunks? Hidden volume plausible deniability is neither useable nor robust. 1) File creation / Access Times 2) The oppressive regime already has root on your box. 3) The oppressive regime already has a camera trained on your box. 4) All operating systems are dogshit. Use LUKS. Disable your wireless. Never lose physical control over your device. Nothing says plausible deniability like a pile of Carbon... -Travis On Fri, Aug 15, 2014 at 2:46 PM, J.R. Jones wrote: > So how do you all go about maintaining said deniability... Hidden volumes > etc. > Any way to use LUKS yet? > -- Twitter | LinkedIn | GitHub | TravisBiehn.com | Google Plus From skquinn at rushpost.com Fri Aug 15 15:16:01 2014 From: skquinn at rushpost.com (Shawn K. Quinn) Date: Fri, 15 Aug 2014 17:16:01 -0500 Subject: Interdiction of MIPS tablet In-Reply-To: <3ed7b7810443b00286061a0886e9abc2@openmailbox.org> References: <3ed7b7810443b00286061a0886e9abc2@openmailbox.org> Message-ID: <1408140961.14240.83.camel@klax> On Fri, 2014-08-15 at 17:30 -0400, bluelotus at openmailbox.org wrote: > Another item that was apparently interdicted is media card reader. > > http://www.ebay.com/itm/281206663913?_trksid=p2059210.m2749.l2649&ssPageName=STRK%3AMEBIDX%3AIT > > I purchased it on 8/8/2014.
Yet, post office does not give tracking > information: > > https://tools.usps.com/go/TrackConfirmAction?qtc_tLabels1=92748999964015553004467996 USPS should give tracking information if it's being sent via a mail class which has delivery confirmation. Even with FedEx Smartpost where USPS handles the final delivery, USPS should still have tracking info for its portion of the delivery. At least this has been my experience. -- Shawn K. Quinn From bluelotus at openmailbox.org Fri Aug 15 14:30:59 2014 From: bluelotus at openmailbox.org (bluelotus at openmailbox.org) Date: Fri, 15 Aug 2014 17:30:59 -0400 Subject: Interdiction of MIPS tablet Message-ID: <3ed7b7810443b00286061a0886e9abc2@openmailbox.org> Last week, I purchased a MIPS tablet on ebay and a rooted Nooks Tablet with CyanogenMod. Nooks was shipped priority mail and arrived yesterday. Nooks tablet: http://www.ebay.com/itm/291214398900?_trksid=p2059210.m2749.l2649&ssPageName=STRK%3AMEBIDX%3AIT tracking info: https://tools.usps.com/go/TrackConfirmAction?qtc_tLabels1=9405509699939140591669 MIPS tablet was shipped FedEx Smart Post. It was interdicted and being returned to shipper: MIPS tablet: http://www.ebay.com/itm/201145886170?_trksid=p2059210.m2749.l2649&ssPageName=STRK%3AMEBIDX%3AIT tracking info: https://www.fedex.com/fedextrack/html/index.html?tracknumbers=979792712285097&cntry_code=us&language=en&r=g "Delivery exception" "Returning package to shipper. Incorrect address, unable to deliver - Returning package to shipper - Please contact shipper/merchant for details" I purchased a Nooks tablet solely because its OMAP4 CPU has mask ROM. http://www.reddit.com/r/Android/comments/2d8lni/mask_rom_prevents_bios_rootkits_texas_instruments/ I purchased a MIPS tablet hoping BadBIOS doesn't infect MIPS and because MIPS hardware assisted virtualization is not as developed as ARM's Trustzone and Mobicore. I don't trust HAV. I wish local retailers sold them so I could have purchased them in person. 
I ordered a T5 Torx screwdriver to remove the screws in the Nook so I can air gap it. If the screws are glued, I will promptly sell or donate it. Another item that was apparently interdicted is media card reader. http://www.ebay.com/itm/281206663913?_trksid=p2059210.m2749.l2649&ssPageName=STRK%3AMEBIDX%3AIT I purchased it on 8/8/2014. Yet, post office does not give tracking information: https://tools.usps.com/go/TrackConfirmAction?qtc_tLabels1=92748999964015553004467996 Hackers have repeatedly stolen my media card readers, opened up and broken my media card readers and broke the write protection switch on three Digital Intelligence media card write blockers. They attempt to force me to use flashdrives. They haven't broken the write protection switch on my Kanguru flashblu write blocker. For some reason, flashdrives are easier to flash firmware or infect than micro SD cards. From bluelotus at openmailbox.org Fri Aug 15 18:30:53 2014 From: bluelotus at openmailbox.org (bluelotus at openmailbox.org) Date: Fri, 15 Aug 2014 21:30:53 -0400 Subject: Interdiction of MIPS tablet In-Reply-To: <53EE888D.4020503@gmx.com> References: <3ed7b7810443b00286061a0886e9abc2@openmailbox.org> <53EE888D.4020503@gmx.com> Message-ID: <016da718d7693eba6179510ef212bf4d@openmailbox.org> Thanks for the compliment. Sorry your tech packages have been interdicted. http://www.reddit.com/r/badBIOS/comments/2bfgxi/updated_definition_of_air_gapping_infected/ http://www.reddit.com/r/badBIOS/comments/24diso/photos_of_piezo_electric_two_way_transducers_on/ My only witty thread: http://www.reddit.com/r/badBIOS/comments/2d6dp5/diy_how_to_destroy_bios_chip_when_replacing_bios/ On 08/15/2014 6:24 pm, Sam Gordon wrote: > Could you go into more detail by what you mean by air-gapping? The > removal of wireless equipment, destruction of ports, etc -- or > something entirely different? > > I find your posts interesting, and have experienced re-routed tech > packages myself. 
> > Thanks, > Sam From bluelotus at openmailbox.org Fri Aug 15 18:54:56 2014 From: bluelotus at openmailbox.org (bluelotus at openmailbox.org) Date: Fri, 15 Aug 2014 21:54:56 -0400 Subject: Interdiction of MIPS tablet In-Reply-To: <1408140961.14240.83.camel@klax> References: <3ed7b7810443b00286061a0886e9abc2@openmailbox.org> <1408140961.14240.83.camel@klax> Message-ID: <21c57565958fac58d46976870318d9c5@openmailbox.org> Shawn Quinn, you are correct. I apologize for only giving the UPS information. Copying the tracking number 92748999964015553004467996 in a search engine didn't bring up UPS. It brought up USPS. I never heard of UPS Mail Innovations before. Similar to FedEx Smart. UPS is the initial shipper and transfers the package to USPS. Entering the tracking number in UPS.com brought up more information. The URL is http://wwwapps.ups.com/WebTracking/track If this does not bring up the tracking info, enter 92748999964015553004467996 I purchased the media card reader on August 8, 2014. Shipper shipped it from Texas on August 12, 2014. Appears to have arrived in Nashville, TN yesterday. Yet, won't be delivered until Wednesday: Projected Delivery Date: 08/20/2014 I am visiting Nashville. I wasn't planning on staying that long. Also on August 8, I ordered an external battery pack for the Nook tablet and MIPS tablet. I wanted to follow Ed Jamison's advice in Dragos Ruiu's Google+ on using external batteries to prevent powerline hacking. http://www.ebay.com/itm/271374866573?_trksid=p2059210.m2749.l2649&var=570253326449&ssPageName=STRK%3AMEBIDX%3AIT I changed my address from Sarasota, FL to Nashville, TN. However, my address was mysteriously changed back to Sarasota, FL. I complained to Ebay that Ebay's and PayPal's purchase confirmation should contain the shipping address. It doesn't. It was not until the seller emailed the tracking number that I saw the shipping address. I promptly notified the seller of the correct address. Seller confirmed correcting address. 
Today, package arrived in Sarasota, FL: https://tools.usps.com/go/TrackConfirmAction?qtc_tLabels1=9374869903500099131358 On 08/15/2014 6:16 pm, Shawn K. Quinn wrote: > On Fri, 2014-08-15 at 17:30 -0400, bluelotus at openmailbox.org wrote: >> Another item that was apparently interdicted is media card reader. >> >> http://www.ebay.com/itm/281206663913?_trksid=p2059210.m2749.l2649&ssPageName=STRK%3AMEBIDX%3AIT >> >> I purchased it on 8/8/2014. Yet, post office does not give tracking >> information: >> >> https://tools.usps.com/go/TrackConfirmAction?qtc_tLabels1=92748999964015553004467996 > > USPS should give tracking information if it's being sent via a mail > class which has delivery confirmation. Even with FedEx Smartpost where > USPS handles the final delivery, USPS should still have tracking info > for its portion of the delivery. At least this has been my experience. From zen at freedbms.net Fri Aug 15 19:54:13 2014 From: zen at freedbms.net (Zenaan Harkness) Date: Sat, 16 Aug 2014 12:54:13 +1000 Subject: Plausible deniability... In-Reply-To: References: Message-ID: > On Fri, Aug 15, 2014 at 2:46 PM, J.R. Jones wrote: >> So how do you all go about maintaining said deniability... Hidden volumes >> etc. >> Any way to use LUKS yet? On 8/16/14, Travis Biehn wrote: > By posting about it to cpunks? > > Hidden volume plausible deniability is neither useable nor robust. > > 1) File creation / Access Times > 2) The oppressive regime already has root on your box. > 3) The oppressive regime already has a camera trained on your box. > 4) All operating systems are dogshit. > > Use LUKS. Disable your wireless. Never lose physical control over your > device. Nothing says plausible deniability like a pile of Carbon... What, being human?
From bluelotus at openmailbox.org Sat Aug 16 13:19:10 2014 From: bluelotus at openmailbox.org (bluelotus at openmailbox.org) Date: Sat, 16 Aug 2014 16:19:10 -0400 Subject: shipment interdiction [was: BadBIOS forensics] In-Reply-To: References: Message-ID: <490bb3e392204d3397f62e28797d23a6@openmailbox.org> Bryan Starbuck, I apologize for the delay in answering your question. Your suggestion of keeping profiles is excellent. You are probably familiar with nonprofits being surveilled, harassed and hacked by former NSA trained hackers. “We know this company has subcontracted with a company called NetSafe, which is a company of former NSA officials skilled in hacking and things like that,” says Greenpeace researcher Charlie Cray, referring to a case in which Greenpeace has filed a lawsuit against Dow Chemical for its alleged spying activities." http://venturebeat.com/2013/11/25/wal-mart-coca-cola-mcdonalds-spying-on-nonprofits-allegedly-with-former-nsa-cia-hackers/ Before the above article was written, I wrote a discussion thread on this. Readers are reluctant to concede that abusers hire private investigators who hire hackers. http://www.reddit.com/r/privacy/comments/23ljti/private_investigators_hire_nsa_trained_hackers/ Yes, you are correct I am a USA citizen. I was a plaintiff in a ten year long lawsuit. It is common practice for defense law firms to retain private investigators. Private investigators surveil and harass plaintiffs. In prior years, private investigators would hire apprentices to break in, steal documents and return documents. Former law enforcement are qualified to obtain a private investigator license. Those without law enforcement background are required to work for a private investigator as an apprentice for private investigators a minimum of two years to qualify for a state license. Hiring apprentices is a huge profit maker. Private investigators require retainer fees paid in advance.
Their retainer agreements, if offered, do not itemize apprentice fees, and do not promise itemized invoices. PIs charge their hourly rate but have apprentices, with little or no training, perform the work. This is somewhat equivalent to law firms charging attorney fees for work paralegals perform. "Licensing requirements for private investigators vary from state to state. In some they are required to be licensed at the municipal level. In others they need a permit in order to carry a firearm. According to the Bureau of Labor Statistics, no licenses specifically sanctioning computer-forensics investigation exist, although some states require this type of investigator to obtain a PI license. A number of states don't require licenses for private investigators at all." http://projects.aljazeera.com/2013/pi/ Why would states even consider requiring a PI license for computer forensics investigation? Why not just a computer science degree? States do not have any educational requirements for licensing PIs. A high school drop out without any computer science classes can be licensed for computer forensics investigation merely by apprenticing for two years. Computer experience is not required during the two year apprenticeship. Obviously, private investigators lobbied states to require a PI license for computer forensics. Is a PI license for computer forensics a cover to conceal their hacking? Defense firms would list the stolen and replaced documents in a Request for Production of Documents. Thereby, the produced documents could be introduced as evidence. In these high tech times, private investigators hire black hat hackers who are adept at picking locks, gaining physical access to computers and external hard drives and disassembling, implanting and infecting computers. Hackers hack plaintiffs' computers and smartphones in real time. Also plaintiffs' families and other contacts' computers and smartphones.
Hackers actively impede plaintiffs from working on litigation and working on everything else. There is a huge cover up of private investigators' conduct. They have an active lobby. They lobbied for exemption of any statutes limiting drones. http://nypost.com/2014/07/13/private-eyes-using-drones-to-nab-scammers-cheating-spouses/ "National Council of Investigation and Security Services (NCISS), an association of PIs and security guards that monitors privacy-related laws and promotes ethical conduct within its industry, go to Capitol Hill every year to lobby Congress, ensuring that it does not inadvertently restrict access to data or equipment." http://projects.aljazeera.com/2013/pi/ http://www.nciss.org/legislation/latest-legislation.php The federal government, who hires private investigator firms to develop social media sock puppets, protected them. My case is atypical. It was not the defendant's law firm that hired private investigators. The defendant himself hired private investigators who hired hackers. Who he hired are top notch professionals. The type that law firms would hire and refer to other law firms and defendants. The defendant acted on very good referrals. Update including two case numbers on interdiction of MIPS tablet is at: http://www.reddit.com/r/Android/comments/2dq9vw/fedex_makes_interdiction_of_mips_android_tablet/ On 07/19/2014 9:42 pm, Bryan Starbuck wrote: > If you don’t mind saying, can you say if you are a US citizen? > (Probably) > > Do you work on an open source project like TOR? Do you think they do > that because you do development? > > I’d love if we build a profile of who they actively perform hardware > attacks on. They likely repeat this on categories of people (TOR > devs, employees at CAs, etc.). Even if you can give a vague category > (crypto-currency vs open source file system encryption, etc.) > > That one lady on twitter was a TOR dev. 
> > I’d love us to deduce as many patterns as possible, so those people > can be incredibly diligent. > > Best, > -Bryanest regards, From m4dh4tt3r at gmail.com Sat Aug 16 14:21:53 2014 From: m4dh4tt3r at gmail.com (Christopher Nielsen) Date: Sat, 16 Aug 2014 16:21:53 -0500 Subject: [cryptography] Question About Best Practices for Personal File Encryption In-Reply-To: References: Message-ID: On Aug 15, 2014 11:06 PM, "Mark Thomas" wrote: > > I have a question for the group, if I may ask it here and in this manner (?). > > What are you guys using to encrypt individual files and folders or even entire drives like a USB? > > I am thinking that: > > 1. any commercial product could be compromised and not completely secure. Like Apple’s FileVault2, which Apple has a key to. The comment about Apple is simply false. Apple does not have a key to FileVault2 unless you escrow your key with them. I know this because a dear friend recently passed, and his family was not able to gain access to his encrypted drives through Apple. That said, FileVault2 is susceptible to offline dictionary attacks on the password, or if you can get access while the drive is online, there are attacks on the Keychain. > 2. It is probably open source. What makes you think open source will save you? All the eyeballs looking at the code? That was proven a false sense of security when heartbleed was announced. > 3. It is probably implemented with the command line. > > Am I on the right track? If so does anyone know of a helpful guide to get started with OpenSSL on the command line besides the man pages? > > Regards, > > Mark
From die at dieconsulting.com Sat Aug 16 14:51:28 2014 From: die at dieconsulting.com (David I. Emery) Date: Sat, 16 Aug 2014 17:51:28 -0400 Subject: [cryptography] Question About Best Practices for Personal File Encryption In-Reply-To: References: Message-ID: <20140816215128.GE23842@pig.dieconsulting.com> On Sat, Aug 16, 2014 at 04:21:53PM -0500, Christopher Nielsen wrote: > The comment about Apple is simply false. Apple does not have a key to > FileVault2 unless you escrow your key with them. I know this because a dear > friend recently passed, and his family was not able to gain access to his > encrypted drives through Apple. You may be right or may not, but I certainly have to think that if there is a backdoor password to Filevault2 it is quite likely that Apple would not choose to disclose that fact to just some random user who had lost files due to forgotten passwords. One imagines that unless Apple wants to declare their security breakable and presumably bear the burden of having every law enforcement agency, divorce attorney, corporate trial lawyer and government intelligence operation around the world - along with millions of users with various grades of good and bad stories about why they need Apple to break into Filevault2 partitions demanding help (often for much less than it costs Apple to provide it and handle the legal costs to validate the reasons for and authority of the requester to break in) that they would not wish to share the fact that there is a deliberate backdoor mechanism to break in or even a known bug that would allow it. And that of course begs the question of whether such a publicly announced backdoor could ever be kept secret and reserved for Apple alone as it would become an instant target for every hacker and spy and corporate espionage type to reverse engineer... or steal from inside Apple.
On the other hand, given the right appeals to patriotism, and national security along with blackmail type arm twisting from certain governments, I'd not be sure they would not provide help or have not been forced to design things so they can. Only a few folks at Apple probably know the real truth about this... one way or the other. -- Dave Emery N1PRE/AE, die at dieconsulting.com DIE Consulting, Weston, Mass 02493 "An empty zombie mind with a forlorn barely readable weatherbeaten 'For Rent' sign still vainly flapping outside on the weed encrusted pole - in celebration of what could have been, but wasn't and is not to be now either." From coderman at gmail.com Sat Aug 16 20:15:49 2014 From: coderman at gmail.com (coderman) Date: Sat, 16 Aug 2014 23:15:49 -0400 Subject: fun games against skilled adversaries [was: shipment interdiction [was: BadBIOS forensics]] Message-ID: On 8/16/14, bluelotus at openmailbox.org wrote: > Bryan Starbuck, I apologize for the delay in anwering your question. > Your suggestion of keeping profiles is excellent. You are probably > familiar with nonprofits being surveilled, harassed and hacked by former > NSA trained hackers. > ... > Before the above article was written, I wrote a discussion thread on > this. Readers are reluctant to concede that abusers hire private > investigators who hire hackers. the "security industry" as oriented toward the consumer public is focused on broad threats and general risks. the specialized particulars of targeted exploitation for whatever reason are the realm of nation state espionage, law enforcement technical surveillance, and high power corporate conflicts. individuals facing advanced attackers are left with nearly no avenues of reputable relief. the vagaries of how anyone might encounter "advanced attackers" are as myriad and expansive as the history of human kind itself. 
jilted lover, bruised ego, psychotic obsession, voyeuristic thrills, the list goes well beyond the common corporate investigations and government espionage hijinx... > In these high tech times, private investigators hire black hat hackers > who are adept at picking locks, gaining physical access to computers and > external hard drives and disassembling, implanting and infecting > computers. i find it amusing that the largest repository of black hats and malicious tech is employed by the United States Government itself. at least those tax dollars are some of the most effective put to use? ;) > My case is atypical. It was not the defendant's law firm that hired > private investigators. The defendant himself hired private investigators > who hired hackers. Who he hired are top notch professionals. The type > that law firms would hire and refer to other law firms and defendants. > The defendant acted on very good referrals. it is slow going digging into your gear; will report in a few weeks. as mentioned before, due to interdiction of shipment i don't expect much of interest. but never say never... best regards, dokermange; doing mah best to poke bears and burn vulns P.S. if you would like to participate in a weaponized-sploits-for-free program with coderman please provide a cell phone number and physical address in united states for delivery of honey tokens to trigger tips. not responsible for damaged or turned-malicious hardware in your vicinity or possession. special restrictions may apply. LIMITED TIME ONLY! 
#YOLO #RENDITIONCON #WTFBBQ From coderman at gmail.com Sat Aug 16 21:42:23 2014 From: coderman at gmail.com (coderman) Date: Sun, 17 Aug 2014 00:42:23 -0400 Subject: Fwd: [liberationtech] New Citizen Lab report In-Reply-To: <20140815164428.emee20a04gg008sk@webmail.utoronto.ca> References: <20140815164428.emee20a04gg008sk@webmail.utoronto.ca> Message-ID: ---------- Forwarded message ---------- From: r.deibert at utoronto.ca Date: Fri, 15 Aug 2014 16:44:28 -0400 Subject: [liberationtech] New Citizen Lab report Dear LibTech I am pleased to announce a new Citizen Lab report published today, authored by Morgan Marquis-Boire and entitled "Schrodinger's Cat Video and the Death of Clear-Text." The key findings are outlined below: • Commercial network injection appliances are actively targeting Google's YouTube and Microsoft's Live services in order to install surveillance implants on targets across the globe. • Documents indicate that a prototype for targeted surveillance network injection appliances sold to the governments of Oman and Turkmenistan was designed by CloudShield Technologies, a US Department of Defense contractor. • This report reveals never before seen documentation on the operation of Network Injection appliances from both Hacking Team and FinFisher and provides source code for an early prototype of FinFisher's FinFly ISP product. 
A link to the full report is here: https://citizenlab.org/2014/08/cat-video-and-the-death-of-clear-text/ The Washington Post has extensive coverage on the report, which can be found here: http://www.washingtonpost.com/blogs/the-switch/wp/2014/08/15/how-your-cat-video-addiction-could-be-used-to-hack-you/ Morgan Marquis-Boire has written an oped at The Intercept: https://firstlook.org/theintercept/2014/08/15/cat-video-hack/ Relatedly, my "Open Letter" on behalf of the Citizen Lab to Hacking Team was published last week: https://citizenlab.org/2014/08/open-letter-hacking-team/ Cheers Ron From s at ctrlc.hu Sat Aug 16 16:32:12 2014 From: s at ctrlc.hu (stef) Date: Sun, 17 Aug 2014 01:32:12 +0200 Subject: [cryptography] Question About Best Practices for Personal File Encryption In-Reply-To: <7EB9B67B-214C-45C8-BB28-D5520742B562@gmail.com> References: <7EB9B67B-214C-45C8-BB28-D5520742B562@gmail.com> Message-ID: <20140816233212.GK7852@ctrlc.hu> On Sat, Aug 16, 2014 at 06:26:28PM -0500, Mark Thomas wrote: > Am I on the right track? If so does anyone know of a helpful guide to get started with OpenSSL on the command line besides the man pages? last time i checked openssl does no authenticated encryption on the command line. -- otr fp: https://www.ctrlc.hu/~stef/otr.txt From bluelotus at openmailbox.org Sun Aug 17 06:14:27 2014 From: bluelotus at openmailbox.org (bluelotus at openmailbox.org) Date: Sun, 17 Aug 2014 09:14:27 -0400 Subject: Fwd: [liberationtech] New Citizen Lab report In-Reply-To: References: <20140815164428.emee20a04gg008sk@webmail.utoronto.ca> Message-ID: Thank you coderman for the articles. They provide rare evidence that private investigators purchase and use spyware: "Both Hacking Team and FinFisher claim that they only sell to governments, but recently leaked documents appear to show that FinFisher has sold to at least one private security company." 
https://firstlook.org/theintercept/2014/08/15/cat-video-hack/ "Customer email addresses in the collection appeared to belong to a German surveillance company," http://www.propublica.org/article/leaked-docs-show-spyware-used-to-snoop-on-u.s.-computers On 08/17/2014 12:42 am, coderman wrote: > ---------- Forwarded message ---------- > From: r.deibert at utoronto.ca > Date: Fri, 15 Aug 2014 16:44:28 -0400 > Subject: [liberationtech] New Citizen Lab report > > Dear LibTech > > I am pleased to announce a new Citizen Lab report published today, > authored by Morgan Marquis-Boire and entitled "Schrodinger's Cat Video > and the Death of Clear-Text." > > The key findings are outlined below: > > • Commercial network injection appliances are actively targeting > Google's YouTube and Microsoft's Live services in order to install > surveillance implants on targets across the globe. > > • Documents indicate that a prototype for targeted surveillance > network injection appliances sold to the governments of Oman and > Turkmenistan was designed by CloudShield Technologies, a US Department > of Defense contractor. > > • This report reveals never before seen documentation on the > operation of Network Injection appliances from both Hacking Team and > FinFisher and provides source code for an early prototype of > FinFisher's FinFly ISP product. 
> > A link to the full report is here: > https://citizenlab.org/2014/08/cat-video-and-the-death-of-clear-text/ > > The Washington Post has extensive coverage on the report, which can be > found here: > http://www.washingtonpost.com/blogs/the-switch/wp/2014/08/15/how-your-cat-video-addiction-could-be-used-to-hack-you/ > > Morgan Marquis-Boire has written an oped at The Intercept: > https://firstlook.org/theintercept/2014/08/15/cat-video-hack/ > > Relatedly, my "Open Letter" on behalf of the Citizen Lab to Hacking > Team was published last week: > https://citizenlab.org/2014/08/open-letter-hacking-team/ > > Cheers > Ron From bluelotus at openmailbox.org Sun Aug 17 06:53:13 2014 From: bluelotus at openmailbox.org (bluelotus at openmailbox.org) Date: Sun, 17 Aug 2014 09:53:13 -0400 Subject: fun games against skilled adversaries [was: shipment interdiction [was: BadBIOS forensics]] In-Reply-To: References: Message-ID: <449527c16924f07204bdcc10ee6389a9@openmailbox.org> "high power corporate conflicts" include litigation, defense law firms and private investigators. My theory is that the categories blend into each other. Former CIA, FBI, NSA, Homeland Security and law enforcement employees can immediately qualified for a private investigator license. They retain their government contacts. Do corporations, defense law firms and/or private investigators request NSA and/or Joint Threat Research Intelligence Group to place their targets on their watch lists? Free hacking and surveillance paid by taxpayers. "Both the Obama and Bush administrations have refused to disclose the criteria for adding a name to one of its terrorist watch lists." 
http://www.nationaljournal.com/tech/why-the-nsa-keeps-tracking-people-even-after-they-re-dead-20140723 "It broadens the authority of government officials to “nominate” people to the watchlists based on what is vaguely described as “fragmentary information.” http://www.shtfplan.com/headline-news/frightening-obama-approves-substantial-expansion-of-domestic-terrorist-watch-lists-concrete-facts-are-not-necessary_07242014 Glenn Greenwald had promised to provide a list of names of people on National Counterterrorism Center's watch list. If my name was on the list, that would confirm my theory. Glenn Greenwald released numbers but not names. If names are ever released, I will provide an update: "According a report by the Intercept, of the 680,000 people on the terrorist watchlist, the government classifies some 40 percent as having “no recognized terrorist group affiliation.” In other words, the federal government tracks some 280,000 people without any proven links to terrorism. The government also keeps another database, and it takes even less suspicion to get a person place on it and under the gaze of federal snoops. According to the Intercept, most people on the watchlist start out on a classified list know as the Terrorist Identities Datamart Environment (TIDE). The TIDE database actually allows for targeting people based on far less evidence than the already lax standards used for placing people on the watchlist. A more expansive—and invasive—database, TIDE’s information is shared across the U.S. intelligence community, as well as with commando units from the Special Operations Command and with domestic agencies such as the New York City Police Department. According to the released documents, the feds monitor 320,000 additional people under the larger TIDE database. That puts the number of individuals on under the government microscope at over 1 million. 
The Intercept reports that as of the Summer of 2013, the watchlist included 5,000 Americans, with another 15,800 targeted in TIDE." http://www.offnow.org/documents_reveal_chilling_details_about_terrorist_watchlist On 08/16/2014 11:15 pm, coderman wrote: > the "security industry" as oriented toward the consumer public is > focused on broad threats and general risks. the specialized > particulars of targeted exploitation for whatever reason are the realm > of nation state espionage, law enforcement technical surveillance, and > high power corporate conflicts. > > individuals facing advanced attackers are left with nearly no avenues > of reputable relief. From hozer at hozed.org Sun Aug 17 09:35:21 2014 From: hozer at hozed.org (Troy Benjegerdes) Date: Sun, 17 Aug 2014 11:35:21 -0500 Subject: economic cost of lost emails. In-Reply-To: <539DCAF9.1030206@lig.net> References: <1402814887.32476.YahooMailNeo@web126202.mail.ne1.yahoo.com> <539DCAF9.1030206@lig.net> Message-ID: <20140817163521.GK22640@nl.grid.coop> On Sun, Jun 15, 2014 at 09:34:01AM -0700, Stephen D. Williams wrote: > I assume she was using Outlook and probably Exchange. Does anyone > using Outlook really expect to be able to reliably have access to > their old email very long? I think "those people" are idiots... > I'd guess that Outlook / Exchange versioning issues, curruption, > periodic rebuilds / restarts, and general Windows / Microsoft > related confusion led periodic lossage that is just the cost of > using such technology. > > I have a continuous archive of email spanning more than 20 years, > and something like 25-30GB, online and always accessible to me. And > with numerous backups, all easy to make and restore. And all using > mbox format, around since essentially the beginning of email, which > is resilient to corruption, truncation, etc. 
> > In multiple cases, at multiple companies, people have needed access > to old email and documents which I had but were long ago lost to > everyone else (who mostly used Outlook). In one case, it allowed a > new contract worth probably more than a million or two. > > Email is my most reliable source of stored and organized knowledge. > I've been hard at work, in my fragmented spare time, working on a > true knowledgebase app / interchange format / distributed security > system. (The key problem really is a much better user interface > paradigm.) You can bet there will be a couple ways to represent and > archive it that is as resilient as mbox. > > Stephen > This is from another thread, from awhile ago, but it popped up in my mutt window today. At my last 'full-time employee' gig, I was at a company that effectively lobotomized themselves with an idiotic "data retention policy". One test engineer had 20 years of email going nearly back to when the company was started, and 'policy' was that it must be deleted. The problem with that policy is that now you incentivize your employees (and contractors) to run their own mail infrastructure and duplicate everything off-site because that is what any good attorney representing the employee or the contractor would advise you to do. Now the company attorney can, with a straight face, say "we deleted that email, per our document retention policy". But anyone that can read between the lines can (or should) know that the good engineers will have off-company backups, and that email should be easily acquirable with an appropriate targeted spear-phishing expedition if you want to be covert, or a 'better job offer' if you want to be overt. So what's the economic cost of lobotomizing your company by using exchange and delete-this data retention policies? 
really I think it's just a game venture capitalists play where they tell investors that this company A really has unique new fancy IP when it all just came from company B because you hired all their engineers and their email archives. -- ---------------------------------------------------------------------------- Troy Benjegerdes 'da hozer' hozer at hozed.org 7 elements earth::water::air::fire::mind::spirit::soul grid.coop Never pick a fight with someone who buys ink by the barrel, nor try buy a hacker who makes money by the megahash From bascule at gmail.com Sun Aug 17 14:49:48 2014 From: bascule at gmail.com (Tony Arcieri) Date: Sun, 17 Aug 2014 14:49:48 -0700 Subject: [cryptography] Question About Best Practices for Personal File Encryption In-Reply-To: References: Message-ID: On Fri, Aug 15, 2014 at 9:05 PM, Mark Thomas wrote: > any commercial product could be compromised and not completely secure. > Like Apple’s FileVault2, which Apple has a key to. There aren't known backdoors in FileVault2, or for that matter, Microsoft's Bitlocker. Apple, on the other hand, has been pretty forthcoming with law enforcement backdoors in iPhones (which, actually, seem fairly reasonable, IMO) Don't trust their encrypted filesystem? You better not trust the OS either, for that surely has access to all of the encryption keys you've ever put in main memory. tl;dr: if you don't trust proprietary encrypted filesystems, you better not trust the proprietary OSes they're built into either. -- Tony Arcieri
From adi at hexapodia.org Sun Aug 17 15:06:58 2014 From: adi at hexapodia.org (Andy Isaacson) Date: Sun, 17 Aug 2014 15:06:58 -0700 Subject: [cryptography] Question About Best Practices for Personal File Encryption In-Reply-To: <1408308993.4145919.153686805.74F2CD04@webmail.messagingengine.com> References: <1408308993.4145919.153686805.74F2CD04@webmail.messagingengine.com> Message-ID: <20140817220658.GG32086@hexapodia.org> On Sun, Aug 17, 2014 at 10:56:33PM +0200, Alfie John wrote: > Given an open source program, it can be accountable by anyone. If there > is a bug, it can be patched. If there is a deliberate backdoor, it can > be pointed to as an example of why to completely abandon the program and > mark the developer as tainted forever. I'm a significant proponent of open source, and the benefits you enumerate here are definitely true. Open source can be helpful in reviewing code, in grokking developer intent, in providing a hash-chain guarantee of code lineage, in providing change history and justification when reviewing new releases of a previously audited program, and in fostering positive engineering practices. However -- > Given a proprietary program, it is accountable to the supplier and you > have no other option. If there is a bug, all you can do is hope for a > patch. If there is a deliberate backdoor, all you can do is hope that > someone will spots if it is ever reverse engineered. Your "proprietary program" strawman is full of holes. The intellectual labor of decompiling a program delivered as a binary is not especially large compared to the labor required to do a thorough systematic review. Given IDA Pro and a non-obfuscated Win32 or Linux app, people I trust say the decompilation process is on the order of 10%-20% of the total effort of a review. 
Binary patches are not great by any means, but they are definitely a feasible method of deploying fixes, and this method works and is well tested in the real world. Some kinds of deployments basically require binary patching, no matter what the underlying source management technology. (The Linux Ksplice project provides one prominent example.) Backdoors are an enormous problem for both open source and binary-distribution codebases, and claiming that open source will save you from backdoors ignores the reality of the situation. Just to start, http://underhanded.xcott.com/ http://www.wired.com/2013/04/underhanded-c-contest/ http://graphics.stanford.edu/~danielrh/vote/vote.html http://codegolf.stackexchange.com/questions/tagged/underhanded?sort=votes&pageSize=50 "Building Reliable Voting Machine Software", Ka-Ping Yee http://zesty.ca/voting/ page 148 of http://zesty.ca/pubs/yee-phd.pdf provides a sobering assessment of the difficulty of finding intentionally inserted bugs in open source software. -andy From adi at hexapodia.org Sun Aug 17 15:44:51 2014 From: adi at hexapodia.org (Andy Isaacson) Date: Sun, 17 Aug 2014 15:44:51 -0700 Subject: How does the Hacking Team network malware work? How bad is it? In-Reply-To: References: Message-ID: <20140817224450.GH32086@hexapodia.org> On Sun, Aug 17, 2014 at 05:24:38PM -0400, Eric Mill wrote: > I've read the Intercept's writeup[1], and read through Citizen Lab's > writeup[2]. I'm having trouble understanding the attack surface, and how > widely applicable the vulnerability is. > > Are MS and Google targeted because of their ubiquity, or is there also > something (besides not using HTTPS) that they did to make their services > vulnerable? As an attacker, you want your attack to be targeted to a single user. (It's not the end of the world if you QUANTUMINSERT a few extra machines, but byspray increases the likelihood of a sample escaping to a non-colluding AV vendor [if there are any of those] or a curious researcher.) 
So you want to target a HTTP session that you have high assurance belongs to the targeted user. For targets who have a Google account, Google has helpfully assigned cookies which associate the user's account with the HTTP stream. These cookies are initially established over https, but are linked to YouTube cookies for unencrypted http so that YouTube can provide valuable advertising services at lower cost than serving over HTTPS. > How can there be a remote code vulnerability so low in the stack that it > can be injected at the packet level, but high enough that TLS encryption > foils the attack? The general technique is flexible to any targeted vulnerable network software, but to make my description more concrete, the Flash one is very understandable. The Flash plugin has hundreds of unpatched RCE vulns. The exploit for these vulns is generally a sequence of a few hundred ActionScript bytecode instructions. The YouTube webpage serves a very standardized Flash .flv file which is nearly identical for every video. So as the QUANTUMINSERT vendor, you code up a module which takes the .flv off the wire from the server, patches it to include the exploit, and puts a new .flv on the wire to the user. Then you wire that up to an inline capture appliance which uses an FPGA running at 10GigE wire speed to match HTTP responses that contain the desired cookie, and just wait for your target to desire a fuzzy kitten video. I don't know any details of any fielded systems, so the following is just my description of a sensible way to build this product. (I have some experience building products with these technologies.) The injection is extremely low level, at the Ethernet frame processing layer. The FPGA has the responsibility of running at line rate and forwarding all frames except those belonging to a stream marked as a match. 
When the regex engine running in the FPGA sees the Cookie: header of the target, it notes the IP-4-tuple (srcIP, srcPort, dstIP, dstPort) as an intercepted stream, and forwards those packets to a higher-level software layer. Every other stream on the network keeps running as normal. At the higher layer, QUANTUMINSERT wants to keep youtube.com happy, so it forges the ACK packets that the browser would have been sending. QUANTUMINSERT also can see what packets the browser has received so far, and the data that youtube.com was sending. QUANTUMINSERT then edits the FLV, on the fly, so that it contains the exploit code *and* the fluffy kitten video. The resulting FLV is the same size or maybe a few hundred bytes longer, but that's peanuts compared to the size of the MPEG video stream, so nobody notices. From the point of view of youtube.com, the unmolested flv was served. From the point of view of the browser, youtube.com sent it a flv to run, it just arrived 150 milliseconds later than expected (due to the QUANTUMINSERT flv editing software). From the point of view of the user, the fluffy cat video pranced as expected. From the point of view of the Mukhabarat, they've got a backdoor into the PC of another dangerous twitter user. (OK the Bahraini Mukhabarat don't use QUANTUMINSERT, they are a Hacking Team customer. Same difference.) > Does this affect Windows only? Through particular browsers? Any specific attack is platform+browser dependent, but the general technique works everywhere where you have 0day RCE vulns. (ie everywhere.) Browser and OS vulnerability mitigation techniques like ASLR and (especially) sandboxing highly vulnerable components like Flash can help enormously by raising the complexity of exploits, by reducing the supply of known+weaponized 0day, and by requiring more complicated multistage exploits. 
If you haven't read it already, the WaPo spy story is *incredible*: http://www.washingtonpost.com/world/national-security/spyware-tools-allow-buyers-to-slip-malicious-code-into-youtube-videos-microsoft-pages/2014/08/15/31c5696c-249c-11e4-8593-da634b334390_story.html -andy From eric at konklone.com Sun Aug 17 14:24:38 2014 From: eric at konklone.com (Eric Mill) Date: Sun, 17 Aug 2014 17:24:38 -0400 Subject: How does the Hacking Team network malware work? How bad is it? Message-ID: Hi, I've read the Intercept's writeup[1], and read through Citizen Lab's writeup[2]. I'm having trouble understanding the attack surface, and how widely applicable the vulnerability is. Are MS and Google targeted because of their ubiquity, or is there also something (besides not using HTTPS) that they did to make their services vulnerable? How can there be a remote code vulnerability so low in the stack that it can be injected at the packet level, but high enough that TLS encryption foils the attack? Does this affect Windows only? Through particular browsers? I'm certainly up for using this as an argument for how difficult it is to predict the severity and creativity of MITM attacks, but I would like to better understand the magnitude of the disclosure. Thanks, Eric [1] https://firstlook.org/theintercept/2014/08/15/cat-video-hack/ [2] https://citizenlab.org/2014/08/cat-video-and-the-death-of-clear-text/ -- https://konklone.com | https://twitter.com/konklone
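Added example, not part of the thread: Andy Isaacson's reply above describes target selection by an account cookie that is first set over HTTPS and then also sent on cleartext HTTP. The Python below audits a list of HTTP transactions for exactly that exposure; the record layout, host names and cookie names are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str        # lower-case host or Domain attribute, no leading dot
    host_only: bool    # True when the server sent no Domain attribute
    secure: bool       # True when the Secure attribute was present
    set_over_tls: bool


def parse_set_cookie(header, request_host, over_tls):
    """Parse one Set-Cookie header value into a Cookie record."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    domain, host_only, secure = request_host.lower(), True, False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "domain" and val.strip():
            domain, host_only = val.strip().lstrip(".").lower(), False
    return Cookie(name.strip(), domain, host_only, secure, over_tls)


def domain_matches(cookie, host):
    """RFC 6265 domain matching: exact host, or a subdomain if Domain was set."""
    host = host.lower()
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def cookie_names(header):
    """Names carried in a request Cookie header."""
    names = []
    for pair in header.split(";"):
        name, sep, _ = pair.strip().partition("=")
        if sep and name:
            names.append(name)
    return names


def find_cleartext_identifiers(transactions):
    """Return sorted (cookie, host) pairs where a cookie that was set over
    HTTPS without Secure later travelled in a cleartext HTTP request."""
    jar = {}            # cookie name -> list of Cookie records seen so far
    exposed = set()
    for tx in transactions:
        over_tls = tx["scheme"] == "https"
        host = tx["host"]
        if not over_tls:
            for name in cookie_names(tx.get("cookie", "")):
                for c in jar.get(name, []):
                    if c.set_over_tls and not c.secure and domain_matches(c, host):
                        exposed.add((name, host))
        for header in tx.get("set_cookie", []):
            c = parse_set_cookie(header, host, over_tls)
            jar.setdefault(c.name, []).append(c)
    return sorted(exposed)


# Constructed sample traffic (hypothetical hosts and cookie names).
SAMPLE = [
    {"scheme": "https", "host": "accounts.example.test",
     "set_cookie": ["SID=a1b2; Domain=example.test; Path=/",          # no Secure
                    "AUTH=c3d4; Domain=example.test; Secure; HttpOnly",
                    "LOCAL=e5f6; Path=/"]},                            # host-only
    {"scheme": "http", "host": "video.example.test",
     "cookie": "SID=a1b2; LOCAL=e5f6; PREF=dark"},
    {"scheme": "https", "host": "mail.example.test",
     "cookie": "SID=a1b2; AUTH=c3d4"},
]

if __name__ == "__main__":
    for name, host in find_cleartext_identifiers(SAMPLE):
        print(f"{name} was set over HTTPS without Secure and sent in cleartext to {host}")
```

Only SID is reported: AUTH carries Secure, LOCAL is host-only to the login host, and PREF was never set over HTTPS. Adding Secure to the SID cookie clears the finding.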
From alfiej at fastmail.fm Sun Aug 17 13:56:33 2014 From: alfiej at fastmail.fm (Alfie John) Date: Sun, 17 Aug 2014 22:56:33 +0200 Subject: [cryptography] Question About Best Practices for Personal File Encryption In-Reply-To: References: Message-ID: <1408308993.4145919.153686805.74F2CD04@webmail.messagingengine.com> On Sat, Aug 16, 2014, at 11:21 PM, Christopher Nielsen wrote: > > 2. It is probably open source. > > What makes you think open source will save you? All the eyeballs > looking at the code? That was proven a false sense of security when > heartbleed was announced. Can we please stop perpetuating that Open Source is the less secure option? Linus said "given enough eyeballs, all bugs are shallow", he didn't say "all bugs are non-existent". Given an open source program, it can be accountable by anyone. If there is a bug, it can be patched. If there is a deliberate backdoor, it can be pointed to as an example of why to completely abandon the program and mark the developer as tainted forever. Given a proprietary program, it is accountable to the supplier and you have no other option. If there is a bug, all you can do is hope for a patch. If there is a deliberate backdoor, all you can do is hope that someone will spots if it is ever reverse engineered. In other words: - Open Source: "trust, but verify" - Proprietary: "trust, and have faith in the supplier" Given the current Snowden climate, you would be naive to choose a proprietary option. Prove me wrong. 
Alfie -- Alfie John alfiej at fastmail.fm From gutemhc at gmail.com Mon Aug 18 09:33:25 2014 From: gutemhc at gmail.com (Gutem) Date: Mon, 18 Aug 2014 13:33:25 -0300 Subject: Gyroscopes in Android phones can be turned into always-on microphones Message-ID: <440C59C5-8604-4BDE-9595-B4807560C468@gmail.com> FYI: http://www.geek.com/android/gyroscopes-in-android-phones-can-be-turned-into-always-on-microphones-1602140/ From marco.streng at genesis-mining.com Mon Aug 18 09:26:49 2014 From: marco.streng at genesis-mining.com (Marco Streng) Date: Mon, 18 Aug 2014 18:26:49 +0200 Subject: [Cryptography] GPU Farm Message-ID: <53F22949.5020909@genesis-mining.com> Hello Guys from metzdowd, I really like your mailing list and following it longer time now. Since I think the posts there are really of high quality and the people participating really know what they are talking about I would love to ask a specific question that could be really interesting for everyone there. I come from a company that is doing cryptocurrency mining in large scale and currently we are thinking about a use case for our 1300 high end GPU farm that is not necessarily profit oriented, but most importantly interesting and exciting. I asked a lot of people till now and also people from chaos computer club in germany, where I received especially ideas pointing to using the farm to decrypt emails or other decryption services. Also I was suggested to use it to decrypt the NSA_KEY, but that is obviously not doable in human time even if the farm would be 1000x bigger. Do you have any interesting idea what to do with the farm? If we like the project it we wouldn't hesitate to start directly! I would really appreciate if you could ask this to the mailing list and I am really excited about the answers. 
What do you think? Greetings, Marco -- Marco Streng www.genesis-mining.com CEO & Co Founder +491602482228 _______________________________________________ The cryptography mailing list cryptography at metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography ----- End forwarded message ----- From contact at subrosa.io Tue Aug 19 03:33:38 2014 From: contact at subrosa.io (Subrosa Team) Date: Tue, 19 Aug 2014 03:33:38 -0700 Subject: New end to end encrypted IM/VOIP web app focused on ease of use Message-ID: <147ed6bc188.f5d4b41f116455.5490629446127454680@subrosa.io> Subrosa is an open source, end to end encrypted messaging / VOIP app focused on being easy to use for the general public. We made Subrosa in response to the mass surveillance revelations programs, and to address the difficulty of current tools for the average user. Oh, and it supports group video chats. Site, and hosted version to try it out: https://subrosa.io Why make something new? We've tried getting our non-techie contacts to use GPG/OTR/etc. Our personal experiences are that spending hours per person we want to talk to, teaching them how to use the tool, and helping them when they inevitably come across an issue (e.g. lose their keys) are just not practical. We think there's a place for an end to end encrypted messaging platform usable by *everyone*. Furthermore, not everyone cares about crypto. Subrosa is just as easy to use as making a Skype account, while key generation, etc are all performed behind the scenes. For end to end encryption to be widely adopted, it needs to convince people who don't care about it as well. And that means it can't be any harder, or more confusing than popular offerings. Subrosa does cryptography transparently, however we don't *hide* information such as fingerprints (so you can verify you're not being MITM attacked, by us). RSA keypairs are stored on our servers, with the private key being passed through PBKDF2 with the user password (not sent). 
Messages are encrypted using exchanged AES keys, with VOIP/video chats encrypted with SRTP. We know web crypto, when executing code from a remote server, has grave security implications. For ease of use, we do have a hosted version. Subrosa's client is fully open source however, and you can (and should!) run a local copy of the client. We use the ForgeJS library. http://github.com/subrosa-io/subrosa-client We're also fully committed to end to end encryption. We don't have any "gotchas" like iMessage being end to end for delivery, but storing the plaintext of messages in iCloud. We shouldn't have the ability to read any messages, in all circumstances (assuming local client). Please let us know what you think about Subrosa, and pick at this :) From contact at subrosa.io Tue Aug 19 06:38:39 2014 From: contact at subrosa.io (Subrosa Team) Date: Tue, 19 Aug 2014 06:38:39 -0700 Subject: New end to end encrypted IM/VOIP web app focused on ease of use In-Reply-To: <53F34BFE.8030607@tik.ee.ethz.ch> References: <53F34BFE.8030607@tik.ee.ethz.ch> Message-ID: <147ee700dc2.ecc044ed147133.6080483176426959847@subrosa.io> We just have one client. The hosted version is the client hosted by us, on our web server. You can access it at https://subrosa.io/app/ You can download the client code, and run it from your computer, or host it on your own web server. It's identical. The difference is by hosting the code yourself, you can be assured that the correct code is being executed. For RSA private keys, user settings, etc, they're all encrypted with the user password (through PBKDF2) before being sent to the server. The server is just a dumb pipe that stores and passes encrypted information we don't have the keys to. (Sorry, didn't cc the mailing list) ---- On Tue, 19 Aug 2014 06:07:10 -0700 Stephan Neuhaus wrote ---- > Hi Subrosa Team, > > sounds like an interesting project! I am however slightly confused > about what you mean by "hosted version" and "client". 
Is this a web app > or is it a web app that also has a non-web (= hosted) version, providing > the same functionality, but where stuff (like RSA keypairs, for example) > is stored locally instead of on your servers? If so, what exactly is > the "client"? > > Fun, > > Stephan > > From hozer at hozed.org Tue Aug 19 07:50:44 2014 From: hozer at hozed.org (Troy Benjegerdes) Date: Tue, 19 Aug 2014 09:50:44 -0500 Subject: Gyroscopes in Android phones can be turned into always-on microphones In-Reply-To: <20140819123735.GV26986@leitl.org> References: <440C59C5-8604-4BDE-9595-B4807560C468@gmail.com> <20140819085820.GT26986@leitl.org> <20140819123735.GV26986@leitl.org> Message-ID: <20140819145044.GL22640@nl.grid.coop> On Tue, Aug 19, 2014 at 02:37:35PM +0200, Eugen Leitl wrote: > On Tue, Aug 19, 2014 at 10:02:55PM +1000, Zenaan Harkness wrote: > > On 8/19/14, Eugen Leitl wrote: > > > On Mon, Aug 18, 2014 at 01:33:25PM -0300, Gutem wrote: > > >> FYI: > > >> http://www.geek.com/android/gyroscopes-in-android-phones-can-be-turned-into-always-on-microphones-1602140/ > > > > > > Mobile handsets are intrinsically untrusted. You can put up the > > > baseband spyware into a MiFi, and only use WLAN from a trusted, > > > blobless device, only with end to end encryption. > > > > > > Of course this means you have to tear down your neural-sourced > > > MiFi puck first, to see what you can see. > > > > > > In unrelated vein, I've recently read that it was the spooks > > > that killed the digital pulse radio star, by limiting licensed > > > power to toy levels. Apparently they were very unhappy with a > > > radio that's hard to look for. > > > > Link please? > > Caveat, speculation: > > http://www.cringely.com/2014/05/15/nsa-help-kill-uwb/ UWB is a great idea in theory, until you build an antenna, or you avoid the antenna and the UWB noise floor ends up as a DDOS attack on all your existing communications channels. 
I'm an engineer and I'm very unhappy with the investor snake oil that was sold as UWB. Now if you run UWB over dedicated copper/fiber that might be quite interesting, but only if you design it so the MAC address of the transmitter is basically being broadcast in the clear so you can find where your copper is being an antenna and fix it. Maybe UWB should be the new standard for 10-gigabit over Cat5e From xgermx at gmail.com Tue Aug 19 08:24:06 2014 From: xgermx at gmail.com (xgermx) Date: Tue, 19 Aug 2014 10:24:06 -0500 Subject: [Cryptography] GPU Farm In-Reply-To: <20140819085339.GS26986@leitl.org> References: <20140819085339.GS26986@leitl.org> Message-ID: Many people are curious about the 40GB Fin Fisher dump, which is mostly comprised of GPG encrypted files. Could be an interesting application of raw compute power. http://www.reddit.com/r/Anarchism/comments/2cjlop/gamma_international_leaked/ xgermx On Tue, Aug 19, 2014 at 3:53 AM, Eugen Leitl wrote: > ----- Forwarded message from Marco Streng > ----- > > Date: Mon, 18 Aug 2014 18:26:49 +0200 > From: Marco Streng > To: cryptography at metzdowd.com > Subject: [Cryptography] GPU Farm > Message-ID: <53F22949.5020909 at genesis-mining.com> > User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:24.0) Gecko/20100101 > Thunderbird/24.6.0 > > Hello Guys from metzdowd, > > I really like your mailing list and following it longer time now. > Since I think the posts there are really of high quality and the > people participating really know what they are talking about I would > love to ask a specific question that could be really interesting for > everyone there. > > I come from a company that is doing cryptocurrency mining in large > scale and currently we are thinking about a use case for our 1300 high > end GPU farm that is not necessarily profit oriented, but most > importantly interesting and exciting. 
I asked a lot of people till now > and also people from Chaos Computer Club in Germany, where I received > especially ideas pointing to using the farm to decrypt emails or other > decryption services. Also I was suggested to use it to decrypt the > NSA_KEY, but that is obviously not doable in human time even if the > farm would be 1000x bigger. > Do you have any interesting idea what to do with the farm? If we like > the project we wouldn't hesitate to start directly! > > I would really appreciate if you could ask this to the mailing list > and I am really excited about the answers. What do you think? > > Greetings, > Marco > > -- > Marco Streng > www.genesis-mining.com > CEO & Co Founder > +491602482228 > > _______________________________________________ > The cryptography mailing list > cryptography at metzdowd.com > http://www.metzdowd.com/mailman/listinfo/cryptography > > ----- End forwarded message ----- > From eugen at leitl.org Tue Aug 19 01:53:39 2014 From: eugen at leitl.org (Eugen Leitl) Date: Tue, 19 Aug 2014 10:53:39 +0200 Subject: [Cryptography] GPU Farm Message-ID: <20140819085339.GS26986@leitl.org> ----- Forwarded message from Marco Streng ----- From eugen at leitl.org Tue Aug 19 01:58:20 2014 From: eugen at leitl.org (Eugen Leitl) Date: Tue, 19 Aug 2014 10:58:20 +0200 Subject: Gyroscopes in Android phones can be turned into always-on microphones In-Reply-To: <440C59C5-8604-4BDE-9595-B4807560C468@gmail.com> References: <440C59C5-8604-4BDE-9595-B4807560C468@gmail.com> Message-ID: <20140819085820.GT26986@leitl.org> On Mon, Aug 18, 2014 at 01:33:25PM -0300, Gutem wrote: > FYI: http://www.geek.com/android/gyroscopes-in-android-phones-can-be-turned-into-always-on-microphones-1602140/ Mobile handsets are intrinsically untrusted. 
You can put up the baseband spyware into a MiFi, and only use WLAN from a trusted, blobless device, only with end to end encryption. Of course this means you have to tear down your neural-sourced MiFi puck first, to see what you can see. In unrelated vein, I've recently read that it was the spooks that killed the digital pulse radio star, by limiting licensed power to toy levels. Apparently they were very unhappy with a radio that's hard to look for. From eugen at leitl.org Tue Aug 19 05:37:35 2014 From: eugen at leitl.org (Eugen Leitl) Date: Tue, 19 Aug 2014 14:37:35 +0200 Subject: Gyroscopes in Android phones can be turned into always-on microphones In-Reply-To: References: <440C59C5-8604-4BDE-9595-B4807560C468@gmail.com> <20140819085820.GT26986@leitl.org> Message-ID: <20140819123735.GV26986@leitl.org> On Tue, Aug 19, 2014 at 10:02:55PM +1000, Zenaan Harkness wrote: > On 8/19/14, Eugen Leitl wrote: > > On Mon, Aug 18, 2014 at 01:33:25PM -0300, Gutem wrote: > >> FYI: > >> http://www.geek.com/android/gyroscopes-in-android-phones-can-be-turned-into-always-on-microphones-1602140/ > > > > Mobile handsets are intrinsically untrusted. You can put up the > > baseband spyware into a MiFi, and only use WLAN from a trusted, > > blobless device, only with end to end encryption. > > > > Of course this means you have to tear down your neural-sourced > > MiFi puck first, to see what you can see. > > > > In unrelated vein, I've recently read that it was the spooks > > that killed the digital pulse radio star, by limiting licensed > > power to toy levels. Apparently they were very unhappy with a > > radio that's hard to look for. > > Link please? 
Caveat, speculation: http://www.cringely.com/2014/05/15/nsa-help-kill-uwb/ From stephan.neuhaus at tik.ee.ethz.ch Tue Aug 19 06:07:10 2014 From: stephan.neuhaus at tik.ee.ethz.ch (Stephan Neuhaus) Date: Tue, 19 Aug 2014 15:07:10 +0200 Subject: New end to end encrypted IM/VOIP web app focused on ease of use In-Reply-To: <147ed6bc188.f5d4b41f116455.5490629446127454680@subrosa.io> References: <147ed6bc188.f5d4b41f116455.5490629446127454680@subrosa.io> Message-ID: <53F34BFE.8030607@tik.ee.ethz.ch> Hi Subrosa Team, sounds like an interesting project! I am however slightly confused about what you mean by "hosted version" and "client". Is this a web app or is it a web app that also has a non-web (= hosted) version, providing the same functionality, but where stuff (like RSA keypairs, for example) is stored locally instead of on your servers? If so, what exactly is the "client"? Fun, Stephan From cyberkiller8 at gmail.com Tue Aug 19 07:39:11 2014 From: cyberkiller8 at gmail.com (Łukasz "Cyber Killer" Korpalski) Date: Tue, 19 Aug 2014 16:39:11 +0200 Subject: New end to end encrypted IM/VOIP web app focused on ease of use In-Reply-To: <147ed6bc188.f5d4b41f116455.5490629446127454680@subrosa.io> References: <147ed6bc188.f5d4b41f116455.5490629446127454680@subrosa.io> Message-ID: <53F3618F.3050205@gmail.com> On 19.08.2014 12:33, Subrosa Team wrote: > Subrosa is an open source, end to end encrypted messaging / VOIP app focused on being easy to use for the general public. We made Subrosa in response to the mass surveillance revelations programs, and to address the difficulty of current tools for the average user. Oh, and it supports group video chats. (...) > Please let us know what you think about Subrosa, and pick at this :) > What about interoperability with other (standard - OpenPGP, etc.) solutions? 
Because we all see a lot of "new and easy" tools for crypto meant for "everyone", but even if one would come to trust one of them (which is a separate matter), then each of them is its own walled garden. You know where this leads to - either use them all at once, or lose contacts that are on the other side of the wall. -- Łukasz "Cyber Killer" Korpalski mail: cyberkiller8 at gmail.com xmpp: cyber_killer at jabster.pl site: http://website.cybkil.cu.cc gpgkey: 0x72511999 @ hkp://keys.gnupg.net //When replying to my e-mail, kindly please //write your message below the quoted text. From edhelas at movim.eu Tue Aug 19 07:44:06 2014 From: edhelas at movim.eu (edhelas) Date: Tue, 19 Aug 2014 16:44:06 +0200 Subject: New end to end encrypted IM/VOIP web app focused on ease of use In-Reply-To: <147ee700dc2.ecc044ed147133.6080483176426959847@subrosa.io> References: <147ee700dc2.ecc044ed147133.6080483176426959847@subrosa.io> Message-ID: <1408459446.689.1@smtp.etu.univ-nantes.fr> Hi, It's always good to see that people are working on tools to protect privacy and open the source code. But I'm a bit disappointed by your approach which is for me an "already seen" centralized encrypted chat. I truly think that we need to do more than reinvent the wheel and build several chat clients that are not compatible between them. We just need to work on standard, decentralized protocols (like XMPP) and implement them properly in nice clients. By using a universal standard the users will be able to choose between several solutions which are all compatible. All these clients are implemented using several languages on several platforms too. 
There's already a bunch of tools in XMPP to do that, we are just waiting for nice clients :) P.S.: I'm working on XMPP for a couple of years now Regards, Tim On Tue, Aug 19, 2014 at 3:38, Subrosa Team wrote: > We just have one client. > > The hosted version is the client hosted by us, on our web server. You > can access it at https://subrosa.io/app/ > > You can download the client code, and run it from your computer, or > host it on your own web server. It's identical. > > The difference is by hosting the code yourself, you can be assured > that the correct code is being executed. > > For RSA private keys, user settings, etc, they're all encrypted with > the user password (through PBKDF2) before being sent to the server. > The server is just a dumb pipe that stores and passes encrypted > information we don't have the keys to. > > (Sorry, didn't cc the mailing list) > > ---- On Tue, 19 Aug 2014 06:07:10 -0700 Stephan > Neuhaus wrote ---- > > > Hi Subrosa Team, > > > > sounds like an interesting project! I am however slightly confused > > about what you mean by "hosted version" and "client". Is this a > web app > > or is it a web app that also has a non-web (= hosted) version, > providing > > the same functionality, but where stuff (like RSA keypairs, for > example) > > is stored locally instead of on your servers? If so, what exactly > is > > the "client"? > > > > Fun, > > > > Stephan > > > > > 
From rysiek at hackerspace.pl Tue Aug 19 09:27:07 2014 From: rysiek at hackerspace.pl (rysiek) Date: Tue, 19 Aug 2014 18:27:07 +0200 Subject: [Cryptography] GPU Farm In-Reply-To: References: <20140819085339.GS26986@leitl.org> Message-ID: <1627398.7C9OevA6HH@lapuntu> On Tuesday, 19 August 2014 10:24:06 xgermx wrote: > Many people are curious about the 40GB Fin Fisher dump, which is mostly > comprised of GPG encrypted files. > Could be an interesting application of raw compute power. > http://www.reddit.com/r/Anarchism/comments/2cjlop/gamma_international_leaked/ +1 for FinFisher /me also ponders the insurance.aes256 file, but hey, maybe better not touch it?/ -- Regards rysiek From hozer at hozed.org Tue Aug 19 18:20:17 2014 From: hozer at hozed.org (Troy Benjegerdes) Date: Tue, 19 Aug 2014 20:20:17 -0500 Subject: New end to end encrypted IM/VOIP web app focused on ease of use In-Reply-To: <5442904.NpBnJ0sfty@lapuntu> References: <147ed6bc188.f5d4b41f116455.5490629446127454680@subrosa.io> <5442904.NpBnJ0sfty@lapuntu> Message-ID: <20140820012017.GM22640@nl.grid.coop> On Tue, Aug 19, 2014 at 11:35:18PM +0200, rysiek wrote: > Well, > > not trying to be a wet blanket, but why use Subrosa, when RetroShare does > almost all of that (sans group video conferences), and does not require a > single server, at all? > > If RS was able to get crypto right and in a completely decentralised manner, > why go back to client-server architecture, with all its potential single > points of failure? > Deployment. 
Since there is no AGPLv3 hardware that contains all the tools required to design (and validate no trojan circuits), we might as well just use client-server from groups that we have some confidence in their motives, or at least that write good code. How do I get Retroshare on my phone? (okay, bad question, because Qualcomm has my keys), but if I want my friends to use it, It needs to work on android/ios/etc. -- ---------------------------------------------------------------------------- Troy Benjegerdes 'da hozer' hozer at hozed.org 7 elements earth::water::air::fire::mind::spirit::soul grid.coop Never pick a fight with someone who buys ink by the barrel, nor try buy a hacker who makes money by the megahash From zen at freedbms.net Tue Aug 19 05:02:55 2014 From: zen at freedbms.net (Zenaan Harkness) Date: Tue, 19 Aug 2014 22:02:55 +1000 Subject: Gyroscopes in Android phones can be turned into always-on microphones In-Reply-To: <20140819085820.GT26986@leitl.org> References: <440C59C5-8604-4BDE-9595-B4807560C468@gmail.com> <20140819085820.GT26986@leitl.org> Message-ID: On 8/19/14, Eugen Leitl wrote: > On Mon, Aug 18, 2014 at 01:33:25PM -0300, Gutem wrote: >> FYI: >> http://www.geek.com/android/gyroscopes-in-android-phones-can-be-turned-into-always-on-microphones-1602140/ > > Mobile handsets are intrinsically untrusted. You can put up the > baseband spyware into a MiFi, and only use WLAN from a trusted, > blobless device, only with end to end encryption. > > Of course this means you have to tear down your neural-sourced > MiFi puck first, to see what you can see. > > In unrelated vein, I've recently read that it was the spooks > that killed the digital pulse radio star, by limiting licensed > power to toy levels. Apparently they were very unhappy with a > radio that's hard to look for. Link please? 
From rysiek at hackerspace.pl Tue Aug 19 14:35:18 2014 From: rysiek at hackerspace.pl (rysiek) Date: Tue, 19 Aug 2014 23:35:18 +0200 Subject: New end to end encrypted IM/VOIP web app focused on ease of use In-Reply-To: <147ed6bc188.f5d4b41f116455.5490629446127454680@subrosa.io> References: <147ed6bc188.f5d4b41f116455.5490629446127454680@subrosa.io> Message-ID: <5442904.NpBnJ0sfty@lapuntu> Well, not trying to be a wet blanket, but why use Subrosa, when RetroShare does almost all of that (sans group video conferences), and does not require a single server, at all? If RS was able to get crypto right and in a completely decentralised manner, why go back to client-server architecture, with all its potential single points of failure? -- Regards rysiek From tom at ritter.vg Wed Aug 20 09:10:35 2014 From: tom at ritter.vg (Tom Ritter) Date: Wed, 20 Aug 2014 11:10:35 -0500 Subject: New end to end encrypted IM/VOIP web app focused on ease of use In-Reply-To: <147ed6bc188.f5d4b41f116455.5490629446127454680@subrosa.io> References: <147ed6bc188.f5d4b41f116455.5490629446127454680@subrosa.io> Message-ID: This is cool! I love the combined distribution of providing a hosted version, and encouraging people to host it themselves. I looked into the code to understand more about how it works. Is it fair to say that you use WebRTC with SRTP for the transport encryption, and then a homebaked AES-GCM-based protocol with RSA public keys to do the encrypted chat/actions/invites, and also to distribute/authenticate the WebRTC fingerprints? -tom On 19 August 2014 05:33, Subrosa Team wrote: > Subrosa is an open source, end to end encrypted messaging / VOIP app focused on being easy to use for the general public. 
We made Subrosa in response to the mass surveillance revelations programs, and to address the difficulty of current tools for the average user. Oh, and it supports group video chats. > > Site, and hosted version to try it out: https://subrosa.io > > Why make something new? > > We've tried getting our non-techie contacts to use GPG/OTR/etc. Our personal experiences are that spending hours per person we want to talk to, teaching them how to use the tool, and helping them when they inevitably come across an issue (e.g. lose their keys) are just not practical. We think there's a place for an end to end encrypted messaging platform usable by *everyone*. > > Furthermore, not everyone cares about crypto. Subrosa is just as easy to use as making a Skype account, while key generation, etc are all performed behind the scenes. For end to end encryption to be widely adopted, it needs to convince people who don't care about it as well. And that means it can't be any harder, or more confusing than popular offerings. > > Subrosa does cryptography transparently, however we don't *hide* information such as fingerprints (so you can verify you're not being MITM attacked, by us). RSA keypairs are stored on our servers, with the private key being passed through PBKDF2 with the user password (not sent). Messages are encrypted using exchanged AES keys, with VOIP/video chats encrypted with SRTP. > > We know web crypto, when executing code from a remote server, has grave security implications. For ease of use, we do have a hosted version. Subrosa's client is fully open source however, and you can (and should!) run a local copy of the client. We use the ForgeJS library. http://github.com/subrosa-io/subrosa-client > > We're also fully committed to end to end encryption. We don't have any "gotchas" like iMessage being end to end for delivery, but storing the plaintext of messages in iCloud. We shouldn't have the ability to read any messages, in all circumstances (assuming local client). 
> > Please let us know what you think about Subrosa, and pick at this :) > From rysiek at hackerspace.pl Wed Aug 20 06:59:38 2014 From: rysiek at hackerspace.pl (rysiek) Date: Wed, 20 Aug 2014 15:59:38 +0200 Subject: New end to end encrypted IM/VOIP web app focused on ease of use In-Reply-To: <20140820012017.GM22640@nl.grid.coop> References: <147ed6bc188.f5d4b41f116455.5490629446127454680@subrosa.io> <5442904.NpBnJ0sfty@lapuntu> <20140820012017.GM22640@nl.grid.coop> Message-ID: <2306283.ZHTeLBXrGy@lapuntu> On Tuesday, 19 August 2014 20:20:17 you wrote: > On Tue, Aug 19, 2014 at 11:35:18PM +0200, rysiek wrote: > > Well, > > > > not trying to be a wet blanket, but why use Subrosa, when RetroShare does > > almost all of that (sans group video conferences), and does not require a > > single server, at all? > > > > If RS was able to get crypto right and in a completely decentralised > > manner, why go back to client-server architecture, with all its > > potential single points of failure? > > Deployment. Since there is no AGPLv3 hardware that contains all the tools > required to design (and validate no trojan circuits), we might as well just > use client-server from groups that we have some confidence in their motives, > or at least that write good code. So you either have a situation in which you use free software secure communication project on unverified hardware, or a situation in which you use a free software secure communication project with potential single points of failure, and on unverified hardware. Both situations are not great, but one is a bit less bad. Can you spot, which? ;) > How do I get Retroshare on my phone? (okay, bad question, because Qualcomm > has my keys), but if I want my friends to use it, It needs to work on > android/ios/etc. The same way you get Subrosa on any client right now: write a mobile client for it. 
Instead of writing a new client-server architecture (which *should* be considered obsolete by now, IMVHO) tool, why not expand upon the completely decentralised projects? -- Regards rysiek From rysiek at hackerspace.pl Wed Aug 20 07:01:17 2014 From: rysiek at hackerspace.pl (rysiek) Date: Wed, 20 Aug 2014 16:01:17 +0200 Subject: Plausible deniability... In-Reply-To: References: Message-ID: <5145410.N5heKcUaIz@lapuntu> On Friday, 15 August 2014 16:46:16 Travis Biehn wrote: > By posting about it to cpunks? > > Hidden volume plausible deniability is neither useable nor robust. > > 1) File creation / Access Times > 2) The oppressive regime already has root on your box. > 3) The oppressive regime already has a camera trained on your box. > 4) All operating systems are dogshit. 5) Plausible deniability is useless per game theory: https://defuse.ca/truecrypt-plausible-deniability-useless-by-game-theory.htm > Use LUKS. Disable your wireless. Never lose physical control over your > device. Nothing says plausible deniability like a pile of Carbon... +1 -- Regards rysiek From contact at subrosa.io Thu Aug 21 05:45:30 2014 From: contact at subrosa.io (Subrosa Team) Date: Thu, 21 Aug 2014 05:45:30 -0700 Subject: New end to end encrypted IM/VOIP web app focused on ease of use In-Reply-To: References: Message-ID: <147f899bae4.10c37358c136089.7177799444321617101@subrosa.io> Thanks! Yes, that's correct. We're also looking into implementing forward secrecy in this asynchronous environment with support for large group chats. 
Key management is another important aspect, and something that has a high learning curve for the average user. For Subrosa, we've tried to make globally accessible keyrings without compromising security. Each user has a profile blob, which contains their RSA private key, AES-GCM keys, and user settings. The profile blob is encrypted with a PBKDF2-derived key from the user password. The encrypted profile blob is sync'd with the server. When logging in, the client is required to send a hash of the derived key (the server knows this as the client sends the hash during registration) before the server returns the encrypted blob to counter offline brute-forcing attacks on the password. ---- On Wed, 20 Aug 2014 09:10:35 -0700 Tom Ritter wrote ---- >This is cool! I love the combined distribution of providing a hosted >version, and encouraging people to host it themselves. > >I looked into the code to understand more about how it works. Is it >fair to say that you use WebRTC with SRTP for the transport >encryption, and then a homebaked AES-GCM-based protocol with RSA >public keys to do the encrypted chat/actions/invites, and also to >distribute/authenticate the WebRTC fingerprints? > >-tom > >On 19 August 2014 05:33, Subrosa Team wrote: >> Subrosa is an open source, end to end encrypted messaging / VOIP app focused on being easy to use for the general public. We made Subrosa in response to the mass surveillance revelations programs, and to address the difficulty of current tools for the average user. Oh, and it supports group video chats. >> >> Site, and hosted version to try it out: https://subrosa.io >> >> Why make something new? >> >> We've tried getting our non-techie contacts to use GPG/OTR/etc. Our personal experiences are that spending hours per person we want to talk to, teaching them how to use the tool, and helping them when they inevitably come across an issue (e.g. lose their keys) are just not practical. 
We think there's a place for an end to end encrypted messaging platform usable by *everyone*. >> >> Furthermore, not everyone cares about crypto. Subrosa is just as easy to use as making a Skype account, while key generation, etc are all performed behind the scenes. For end to end encryption to be widely adopted, it needs to convince people who don't care about it as well. And that means it can't be any harder, or more confusing than popular offerings. >> >> Subrosa does cryptography transparently, however we don't *hide* information such as fingerprints (so you can verify you're not being MITM attacked, by us). RSA keypairs are stored on our servers, with the private key being passed through PBKDF2 with the user password (not sent). Messages are encrypted using exchanged AES keys, with VOIP/video chats encrypted with SRTP. >> >> We know web crypto, when executing code from a remote server, has grave security implications. For ease of use, we do have a hosted version. Subrosa's client is fully open source however, and you can (and should!) run a local copy of the client. We use the ForgeJS library. http://github.com/subrosa-io/subrosa-client >> >> We're also fully committed to end to end encryption. We don't have any "gotchas" like iMessage being end to end for delivery, but storing the plaintext of messages in iCloud. We shouldn't have the ability to read any messages, in all circumstances (assuming local client). >> >> Please let us know what you think about Subrosa, and pick at this :) >> > From bluelotus at openmailbox.org Thu Aug 21 10:55:23 2014 From: bluelotus at openmailbox.org (bluelotus at openmailbox.org) Date: Thu, 21 Aug 2014 13:55:23 -0400 Subject: Gyroscope not only eavesdrop but also power line hack via VLF Message-ID: http://www.reddit.com/r/badBIOS/comments/2e3yuv/badbios_transmits_ultrasound_via_piezo_can/ 
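The login gate the Subrosa team describes in their 21 Aug message above (the client sends a hash of its PBKDF2-derived key, and the server returns the encrypted profile blob only on a match), sketched with Node's built-in crypto module. This is an added example, not Subrosa's code: the iteration count, SHA-256, AES-256-GCM for the blob, the lockout counter, the decoy salt and every name are assumptions.

```javascript
// Added illustration, not Subrosa's code. Assumed: iteration count, SHA-256,
// AES-256-GCM for the blob, the lockout counter, the decoy salt, all names.
const crypto = require('crypto');

const PBKDF2_ITERATIONS = 100000; // assumption: the thread states no count
const MAX_FAILURES = 5;           // assumption: lockout is not in the thread

// Client: stretch the password into a 256-bit key that never leaves the client.
function deriveKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, PBKDF2_ITERATIONS, 32, 'sha256');
}

// Client: the value shown to the server in place of the key itself.
function loginToken(derivedKey) {
  return crypto.createHash('sha256').update(derivedKey).digest();
}

// Client: encrypt the profile blob under the derived key.
function sealProfile(derivedKey, profile) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', derivedKey, iv);
  const ct = Buffer.concat([
    cipher.update(JSON.stringify(profile), 'utf8'),
    cipher.final(),
  ]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Client: decrypt; throws if the key is wrong or the blob was modified.
function openProfile(derivedKey, sealed) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', derivedKey, sealed.iv);
  decipher.setAuthTag(sealed.tag);
  const pt = Buffer.concat([decipher.update(sealed.ct), decipher.final()]);
  return JSON.parse(pt.toString('utf8'));
}

// Server: holds salt, token and ciphertext; never the password or the key.
class BlobServer {
  constructor() {
    this.users = new Map();
    this.decoyKey = crypto.randomBytes(32);
  }

  register(username, salt, token, sealed) {
    if (this.users.has(username)) throw new Error('user exists');
    this.users.set(username, { salt, token, sealed, failures: 0 });
  }

  // The salt is public so the client can derive its key before logging in.
  // Unknown names get a stable decoy so the reply does not reveal who exists.
  getSalt(username) {
    const user = this.users.get(username);
    if (user) return user.salt;
    return crypto.createHmac('sha256', this.decoyKey)
      .update(username).digest().subarray(0, 16);
  }

  // Release the ciphertext only for a matching token, compared in constant
  // time. The counter is a plain lockout; a real service would use a window.
  fetchBlob(username, token) {
    const user = this.users.get(username);
    if (!user) return { ok: false, reason: 'denied' };
    if (user.failures >= MAX_FAILURES) return { ok: false, reason: 'locked' };
    const match = token.length === user.token.length &&
      crypto.timingSafeEqual(token, user.token);
    if (!match) {
      user.failures += 1;
      return { ok: false, reason: 'denied' };
    }
    user.failures = 0;
    return { ok: true, sealed: user.sealed };
  }
}

function registerUser(server, username, password, profile) {
  const salt = crypto.randomBytes(16);
  const key = deriveKey(password, salt);
  server.register(username, salt, loginToken(key), sealProfile(key, profile));
}

function login(server, username, password) {
  const key = deriveKey(password, server.getSalt(username));
  const reply = server.fetchBlob(username, loginToken(key));
  if (!reply.ok) return reply;
  return { ok: true, profile: openProfile(key, reply.sealed) };
}

// Constructed sample data; the key material is a placeholder string.
function demo() {
  const server = new BlobServer();
  registerUser(server, 'alice', 'correct horse battery staple', {
    rsaPrivateKey: 'CONSTRUCTED-PLACEHOLDER',
    settings: { sound: true },
  });
  return {
    good: login(server, 'alice', 'correct horse battery staple'),
    bad: login(server, 'alice', 'wrong guess'),
    unknown: login(server, 'mallory', 'anything'),
  };
}
```

The gate only controls who can fetch the ciphertext: whoever holds the server's stored token and blob can still test passwords offline, so the PBKDF2 cost remains the limiting factor there.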
From gfoster at entersection.org Sat Aug 23 12:01:29 2014 From: gfoster at entersection.org (Gregory Foster) Date: Sat, 23 Aug 2014 14:01:29 -0500 Subject: Columbia XRay web transparency project Message-ID: <53F8E509.6060407@entersection.org> https://github.com/matlecu/xray > XRay is a research project from Columbia University that aims to improve transparency of data usage on the web. You can learn more on our website. http://xray.cs.columbia.edu/ > ...we developed XRay, a new tool that reveals which data in a web account, such as emails, searches, or viewed products, are being used to target which outputs, such as ads, recommended products, or prices. It can increase end-user awareness about what the services they use do with their data, and it can enable auditors and watchdogs with the necessary tools to keep the Web in check. > > Currently, XRay can reveal some forms of targeting for Gmail ads, Amazon product recommendations, and YouTube video recommendations. However, XRay's core mechanisms are largely service-agnostic, providing the necessary building blocks that we hope will enable a new generation of auditing tools that will help lift the curtain on how users' personal data is being used. > > Using our XRay Gmail prototype, we found some pretty interesting examples of data uses, such as a number of ads targeting depression, cancer, and other illnesses. We also saw quite a few subprime loan ads for used cars that targeted debt, loan, or borrow keywords in users' inboxes. 
YouTube (Aug 20) - "XRay: web transparency tool": https://www.youtube.com/watch?v=VxH20ey2d7k HT @kdnuggets: https://twitter.com/kdnuggets/status/503198576798089216 gf -- Gregory Foster || gfoster at entersection.org @gregoryfoster <> http://entersection.com/ From gfoster at entersection.org Sat Aug 23 13:00:55 2014 From: gfoster at entersection.org (Gregory Foster) Date: Sat, 23 Aug 2014 15:00:55 -0500 Subject: [liberationtech] Columbia XRay web transparency project In-Reply-To: <53F8E509.6060407@entersection.org> References: <53F8E509.6060407@entersection.org> Message-ID: <53F8F2F7.5030300@entersection.org> On 8/23/14, 2:01 PM, Gregory Foster wrote: > https://github.com/matlecu/xray > >> XRay is a research project from Columbia University that aims to >> improve transparency of data usage on the web. You can learn more >> on our website. > > http://xray.cs.columbia.edu/ > >> ...we developed XRay, a new tool that reveals which data in a web >> account, such as emails, searches, or viewed products, are being >> used to target which outputs, such as ads, recommended products, >> or prices. It can increase end-user awareness about what the >> services they use do with their data, and it can enable auditors >> and watchdogs with the necessary tools to keep the Web in check. >> >> Currently, XRay can reveal some forms of targeting for Gmail ads, >> Amazon product recommendations, and YouTube video >> recommendations. However, XRay's core mechanisms are largely >> service-agnostic, providing the necessary building blocks that we >> hope will enable a new generation of auditing tools that will >> help lift the curtain on how users' personal data is being used. >> >> Using our XRay Gmail prototype, we found some pretty interesting >> examples of data uses, such as a number of ads targeting >> depression, cancer, and other illnesses. We also saw quite a few >> subprime loan ads for used cars that targeted debt, loan, or >> borrow keywords in users' inboxes. 
> > YouTube (Aug 20) - "XRay: web transparency tool": > https://www.youtube.com/watch?v=VxH20ey2d7k > > HT @kdnuggets: > https://twitter.com/kdnuggets/status/503198576798089216 "XRay: Enhancing the Web’s Transparency with Differential Correlation" Presented at the 23rd Usenix Security Symposium (Aug 20-22) by @matlecu, et al. https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/lecuyer paper: https://www.usenix.org/system/files/conference/usenixsecurity14/sec14-paper-lecuyer.pdf slides: https://www.usenix.org/sites/default/files/conference/protected-files/sec14_slides_lecuyer.pdf NYT Bits Blog (Aug 18) - "XRay: A New Tool for Tracking the Use of Personal Data on the Web" by @SteveLohr: http://bits.blogs.nytimes.com/2014/08/18/xray-a-new-tool-for-tracking-the-use-of-personal-data-on-the-web/ gf -- Gregory Foster || gfoster at entersection.org @gregoryfoster <> http://entersection.com/ From eric at konklone.com Mon Aug 25 09:35:49 2014 From: eric at konklone.com (Eric Mill) Date: Mon, 25 Aug 2014 12:35:49 -0400 Subject: I made a site to test SHA-1 vs SHA-2 Message-ID: Feedback welcome on the site, copy, and methods: https://shaaaaaaaaaaaaa.com I'm taking bug reports and requests on GitHub: https://github.com/konklone/shaaaaaaaaaaaaa/issues/ -- Eric -- konklone.com | @konklone From coderman at gmail.com Tue Aug 26 12:01:26 2014 From: coderman at gmail.com (coderman) Date: Tue, 26 Aug 2014 12:01:26 -0700 Subject: If you ran a Bitcoin related service before the thing hit $100 you prolly ought to be somewhat concerned and/or prepared In-Reply-To: <20140826110556.GC26986@leitl.org> References: <20140826110556.GC26986@leitl.org> Message-ID: On 8/26/14, Eugen Leitl wrote: > > ... 
> Under the impression the two gentlemen at my door step might be
> some sort of process servers or collections agents visiting about my
> substantial student loan debt I begrudgingly inquire as to what is going
> on.
> They inquire as to who I am, and I inquire as to who they are...

doing it right -^

From eugen at leitl.org Tue Aug 26 04:05:57 2014
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 26 Aug 2014 13:05:57 +0200
Subject: If you ran a Bitcoin related service before the thing hit $100 you prolly ought to be somewhat concerned and/or prepared
Message-ID: <20140826110556.GC26986@leitl.org>

http://www.thedrinkingrecord.com/2014/08/25/a-law-enforcement-encounter-if-you-ran-a-bitcoin-related-service-before-the-thing-hit-100-you-prolly-ought-to-be-somewhat-concerned-andor-prepared/

A Law Enforcement Encounter: If you ran a Bitcoin related service before the thing hit $100 you prolly ought to be somewhat concerned and/or prepared

Posted on August 25, 2014

So this afternoon I was roused from my day slumber by vigorous knocking at my front door. Under the impression the two gentlemen at my door step might be some sort of process servers or collections agents visiting about my substantial student loan debt I begrudgingly inquire as to what is going on. They inquire as to who I am, and I inquire as to who they are.[1] When they show badges I offer confirmation that I am indeed the person referred to frequently by the slave name[2] they used.

Their inquiry was laser focused on any information I might have about connections between BTCPak and The Silk Road[3] of which I have none that can't be discovered by scraping public information off of the public web.

BTCPak was this thing that accepted Bitcoin and provided prepaid codes you could load on to shitty Debit cards. I was new and didn't know any better so I had some of the most costly eatings and drinkings of my life.
BTCPak was one of the more expensive ways to turn Bitcoin into US Dollars, but its advantage was it was fast and had a great reputation for working. If there weren't any codes to be had, the site wouldn't take Bitcoin. If you sent it Bitcoin it gave you the code in six confirmations. There was no market I knew of to feed the codes the other direction. The entire venture didn't even really seem to be a business. It just seemed to be a machine DBordello built to acquire Bitcoin in an automated fashion which as far as I can tell was turned off, because the future he was buying all of the cheap coins for finally arrived.

A notable thing that kept coming up was an incredulity on the part of the investigators that there was much of anything happening in early Bitcoin that wasn't shady and related to Black Market drugs. In reality a lot of stuff was happening on the plaintext Internet without the slightest shade of illegality.

I mentioned the Devcoin[4] thing that was my first source of any actual amount of Bitcoin. Devcoin was/is this arrangement whereby dumping text into a wiki you earned coins on an altchain. You could then take the coins to this shitty exchange called Vircurex where you could dump them for BTC. As astounding as it seems at the time when I started doing this devcoin thing dumping a few thousand words in their wiki was probably worth a two digit number of BTC in the first month I got paid. Fuck me for having been so shortsighted and having not quite stumbled into what actual people were writing about Bitcoin.

As astoundingly stupid as the premise sounds much of early Bitcoin involved people throwing coins around for appallingly, dumbfoundingly, stupid reasons in the name of "supporting Bitcoin" and "getting the ecosystem moving." Many stupid and lucrative things were scams of the Pirateat40 and GLBSE sort,[5] I instead did the writing for Devcoins thing because I like sleeping soundly at night.
What you, dear reader, can take from this encounter is that if you were involved with Bitcoin before Coindesk[6] became a thing and live in the United States, you too might be questioned by agents of two separate federal law enforcement agencies at the same time. If they are asking about BTCPak now, who knows how long the backlog of sites and ventures they are working through is. It's something to prepare for.

When the agents suggested that I probably never expected they'd find me, they seemed a little shocked when I replied that I kind of expected this attention eventually. I don't exactly keep the connections between myself and my slave name incredibly well guarded secrets, at least not on the scale of Silk Road users and administrators. This old Boy Scout would like to remind everyone of the motto: "Be Prepared".

[1] The reason for this is in my jurisdiction failure to identify yourself in a law enforcement encounter is a crime of questionable constitutional provenance, while having a conversation with a debt collector or process server that consists of nothing on your part other than intoning "Fuck You" a myriad of different ways is great justice for all and legally sound.

[2] This odd thing happens when you use a screen name long enough and act with established, credible pseudonymity in a space long enough, especially one with such an effective Web of Trust surrounding it. The layperson Toby gets asked about the learned amateur Bingo's hobby and suddenly you find yourself in an IRL encounter where you feel like you are wearing a person suit. Welcome to the future, it's a weird fucking place.

[3] That thing I've avoided and wrote about on this blog before.

[4] Even though devcoin has dropped twenty times in value from ~200 satoshis per to ~10 satoshis per now, holding it would still have booked a dollar denominated gain over the time. But no, holding Devcoin would be stupid.

[5] Well so it would have seemed at least to the people running them.
Running such a thing though doesn't fit my acceptable risk profile in the same way The Silk Road never fit my acceptable risk profile.

[6] Yes, the FBI agent name dropped Coindesk as a thing he reads as well as admitting to having a small amount of Bitcoin.

From eugen at leitl.org Fri Aug 29 01:26:53 2014
From: eugen at leitl.org (Eugen Leitl)
Date: Fri, 29 Aug 2014 10:26:53 +0200
Subject: Hal Finney cryopreserved
Message-ID: <20140829082653.GC13138@leitl.org>

http://lists.extropy.org/pipermail/extropy-chat/2014-August/082585.html

Max More max at maxmore.com
Thu Aug 28 18:41:54 UTC 2014

I am both sad and happy to tell you that long-time Extropy Institute/Extropy magazine/Extropy chat list member -- and honored cypherpunk and Bitcoin pioneer – was declared clinically dead this morning and is now being cryopreserved.

Hal was diagnosed with ALS five years ago. He made it clear that once he lost the ability to communicate, he did not want his vital functions supported any further but should be allowed to cease functioning and promptly be cryopreserved.

Hal and Fran Finney arrived in Scottsdale, Arizona on Tuesday where he was checked into ICU of a hospital near Alcor. After administration of drugs to ensure no consciousness, his ventilator was removed. Although the doctors expected all breathing to cease within an hour, Hal’s body kept going until shortly before 9:00 am this morning, August 28, 2014.

Immediately after pronouncement of legal death, Alcor’s standby team went into action, restoring circulation, ventilation, administering an array of medications, and initiating external cooling. Surgery is currently underway to enable us to replace Hal’s blood and interstitial fluids with cryoprotectant.
Once perfusion is finished we will be able to plunge Hal’s temperature down past the freezing point without any significant ice formation. Once he is down to around -110 degC we will slow cooling and take a couple more days to reach the final storage temperature of -196 degC. After that, Hal will be placed in long-term storage and cared for until the day when repair and revival may be possible.

Hal’s wife, Fran (also an Alcor member) has stayed by Hal’s side throughout and is observing our procedures firsthand.

Since Hal is open about his Alcor membership and said that he would be happy for us to tell people about his choice if it might be good for cryonics, we will be issuing a press release, as well as writing something more extensive for *Cryonics* magazine and elsewhere. If you have thoughts on Hal and his life and work, please send them to me.

Hal, I know I speak for many when I say that I look forward to speaking to you again sometime in the future and to throwing a party in honor of your revival.

--Max

--
Max More, PhD
Strategic Philosopher
Co-editor, *The Transhumanist Reader*
http://www.amazon.com/Transhumanist-Reader-Contemporary-Technology-Philosophy/dp/1118334310/ref=sr_1_1?s=books&ie=UTF8&qid=1372225570&sr=1-1&keywords=the+transhumanist+reader
President & CEO, Alcor Life Extension Foundation

From bluelotus at openmailbox.org Fri Aug 29 08:50:25 2014
From: bluelotus at openmailbox.org (bluelotus at openmailbox.org)
Date: Fri, 29 Aug 2014 11:50:25 -0400
Subject: Update on interdiction, secret GSM
Message-ID: <6ce75a672f22afff9b82f117bdc25ded@openmailbox.org>

I purchased the latest smartphone with a slider qwerty keyboard. A Motorola Droid 4 with CM11 and a T5 torx screwdriver from Ebay. The two T5 screws to the battery ribbon cable had been glued. I discarded the smartphone.
http://www.reddit.com/r/privacy/comments/2e7lwl/of_mylar_bags_to_block_phones_and_tablets_rfid/

Nook Tablet with CM 10 arrived DOA. I could not go past the CM welcome screen.
Tablet wouldn't shut down or reboot. I returned it to the seller.

MIPS tablet #1 didn't charge via USB port, was missing file manager, Adobe Reader, Skype and app installer, would not mount my SD card and bricked my 16 GB SD card. I tried to use tablet #1's micro USB port to copy my personal files but tablet's USB port would not function.
http://www.reddit.com/r/badBIOS/comments/2ejydo/mips_processors_are_rare_more_secure_and/

MIPS tablet #2 did charge via USB port, was missing app installer but had file manager, Adobe Reader, Skype and two games whereas tablet #1 did not have any games, mounted my SD card but bricked my 8 GB SD card. I was able to copy my personal files using the tablet's micro USB port.
http://www.reddit.com/r/badBIOS/comments/2el93r/cannot_air_gap_mips_tablet/

aLogcat logs disclose secret GSM in MIPS tablet #2:
http://www.reddit.com/r/badBIOS/comments/2eub37/secret_gsm_in_mips_tablet_interdicted_and/

Hours after posting the above thread yesterday, my MIPS tablet #2 was stolen from my room.

Were my laptops implanted with GSM and infected with firmware rootkits when they were interdicted? I had assumed FM radio transceiver/beacon implants or badBIOS. Many of the linux /var/logs I was denied permission to read even though I had logged into the graphical desktop on my laptops. A few of the /var/logs were of unknown file type. The type was unknown to the file manager. Had the firmware rootkits not tampered with the /var/logs, GSM may have been reported in the logs.

Military contractors getting special access to surveillance programs.
https://www.youtube.com/watch?v=JyT7yzap1Wc

Greenpeace loses lawsuit over being hacked by former NSA hackers hired by private investigators hired by corporation
http://readersupportednews.org/opinion2/277-75/25479-focus-corporations-spy-on-nonprofits-with-impunity

"Last year, California’s Pacific Gas and Electric Company (PG&E) was required after an investigation to pay $390,000 to the state’s General Fund after it was discovered that they were spying on anti-smart meter activist groups."
http://www.foxnews.com/us/2014/04/17/is-your-home-energy-meter-spying-on/

From whonixqubes at mail2tor.com Fri Aug 29 07:59:25 2014
From: whonixqubes at mail2tor.com (whonixqubes at mail2tor.com)
Date: Fri, 29 Aug 2014 14:59:25 -0000
Subject: [tor-talk] New Announcement: Qubes + Whonix is now available!
Message-ID: <070faaa2512fca0b48fd5427127ef917.squirrel@mail2tor2zyjdctd.onion>

For those interested in Tor, Security, Qubes, Whonix, etc...

With the help of several kind people in the Whonix & Qubes communities, I have successfully integrated the Qubes + Whonix operating systems together.

For those who would prefer Whonix as an alternative to TorVM in Qubes (for torifying your VM traffic), this option is now available to you.

This initial Qubes + Whonix configuration is achieved using current versions:
- Qubes R2rc2 & Whonix 8.2

Qubes + Whonix currently exists as a customized dual HVM configuration:
- Whonix-Gateway HVM + Whonix-Workstation HVM

A simple networking setup for Qubes + Whonix would look like:
- NetVM <- FirewallVM <- Whonix-Gateway <- Whonix-Workstation

Where, for example, the Whonix-Gateway conceptually replaces TorVM as your Tor ProxyVM, and Whonix-Workstation conceptually replaces your standard AppVMs (AnonVMs).

You can get the Qubes + Whonix step-by-step instructions and more info here:
https://www.whonix.org/wiki/Qubes

All suggestions and feedback are welcome!
I look forward to helping make Qubes + Whonix integration even tighter and more seamless throughout the future.

If you're interested in the future growth of the Qubes + Whonix platform, then please join in with us to actively further this goal.

For example, when ProxyVM support is added to the Qubes Debian Template, we can take Qubes + Whonix beyond the current HVM limitation and utilize a native ProxyVM + AppVM setup for Whonix.

Thank you again to everyone who helped me bring the first known successful Qubes + Whonix configuration to the world... Patrick, Joanna, Marek, Jason, Axon, cprise, and everyone else who has helped! Thank you! :)

P.S. Qubes + Whonix 9 support is coming soon!

----- End forwarded message -----

From eugen at leitl.org Fri Aug 29 08:31:27 2014
From: eugen at leitl.org (Eugen Leitl)
Date: Fri, 29 Aug 2014 17:31:27 +0200
Subject: [tor-talk] New Announcement: Qubes + Whonix is now available!
Message-ID: <20140829153127.GI13138@leitl.org>

----- Forwarded message from whonixqubes at mail2tor.com -----

From checker at panix.com Sun Aug 31 17:35:43 2014
From: checker at panix.com (Frank Forman)
Date: Mon, 1 Sep 2014 00:35:43 +0000 (GMT)
Subject: [tt] NYT: Hal Finney, Cryptographer and Bitcoin Pioneer, Dies at 58
Message-ID:

Hal Finney, Cryptographer and Bitcoin Pioneer, Dies at 58
http://www.nytimes.com/2014/08/31/business/hal-finney-cryptographer-and-bitcoin-pioneer-dies-at-58.html

By NATHANIEL POPPER

Hal Finney, a cryptographer and one of the earliest users and developers of the virtual currency Bitcoin, died on Thursday in Phoenix. He was 58.

Mr. Finney had been paralyzed by amyotrophic lateral sclerosis, or A.L.S., and was taken off life support at Paradise Valley Hospital, his wife, Fran Finney, said.
She said his body was immediately prepared for cryonic preservation by the Alcor Life Extension Foundation in Scottsdale, Ariz., according to his wishes. A graduate of the California Institute of Technology, Mr. Finney was a longtime futurist who put his programming skills to work in the service of his ideals, particularly his desire to see the privacy of individuals protected. In 1991, he began doing volunteer work for a new software project known as Pretty Good Privacy, or P.G.P., and immediately became one of the central players in developing the program. P.G.P. aimed to make it possible for people everywhere to encrypt electronic communication in a way that could not be read by anyone other than the intended recipient. The program used relatively new innovations in encryption that are still thought to be invulnerable to code breakers. Mr. Finney wrote in 1992 that cryptographic technology appealed to him because he worried about the ability of corporations and governments to snoop on citizens. "The work we are doing here, broadly speaking, is dedicated to this goal of making Big Brother obsolete," he wrote to an online group of fellow privacy activists. The original author of P.G.P., Philip R. Zimmermann, quickly became the target of federal prosecutors, who believed that the software broke United States laws against exporting military-grade encryption software. While the investigation went on and became a major cause for civil libertarians, Mr. Finney played a more quiet role in P.G.P. to avoid becoming a target himself. Mr. Zimmermann said in an interview that this decision meant Mr. Finney did not get proper credit for some of the important innovations he had made in the development of P.G.P. When the investigation concluded in 1996 without any charges being filed, P.G.P. became a company, and Mr. Zimmermann set out to hire Mr. Finney as his first employee. Mr. Zimmermann, in an interview before Mr. Finney died, said Mr. 
Finney was unusual in the field because he had none of the asocial tendencies and physical awkwardness that are commonly associated with people in the programming world. Rather, he said, Mr. Finney was a gregarious man who loved skiing and long-distance running. "Sometimes people pay some price for being extremely smart--they are deficient in some emotional quality," Mr. Zimmermann said. "Hal was not like that." While working on P.G.P., Mr. Finney was a regular participant in a number of futurist mailing lists, the most famous of which gave birth to the Cypherpunk movement, dedicated to privacy-enhancing cryptography. Following these lists, Mr. Finney became fascinated by the concept of digital currencies that could not be tracked by governments and banks. He was involved in many experiments aimed at creating an anonymous form of digital money, including his own invention, in 2004, of reusable proofs of work. Though that system never took off, he quickly saw the promise of the Bitcoin project when it was announced on an obscure email list in 2008 by a creator with the pseudonym Satoshi Nakamoto. Bitcoin used some of the same cryptographic tools harnessed by P.G.P. and held out the promise that participants could choose to be anonymous when spending money online. When the project drew criticism from other cryptographers, Mr. Finney was among the first people to defend it. He downloaded the Bitcoin software the day it was released. The day after that, he took part in the first transaction on the network when Satoshi Nakamoto sent him 10 Bitcoins. His early work on Bitcoin and his programming background led to frequent speculation in the Bitcoin community that Mr. Finney was Satoshi Nakamoto, a claim he always denied. Soon after getting started with Bitcoin, Mr. Finney learned in 2009 that he had A.L.S., and he withdrew, for a time, from active participation in the project. 
Harold Thomas Finney II was born on May 4, 1956, in Coalinga, Calif., to Virginia and Harold Thomas Finney. His father was a petroleum engineer. After graduating from Caltech in 1979 with a degree in engineering, he worked for a company that developed video games like Astroblast and Space Attack. As a young man, Mr. Finney developed an interest in preserving life through cryonic freezing until better, life-enhancing technologies were invented, said a college roommate, Yin Shih. In 1992, Mr. Finney visited the Alcor facility with his wife to determine whether he wanted to sign up his family to be preserved in Alcor's "containment vessels." "In my personal opinion, anyone born today has a better than 50-50 chance of living effectively forever," he wrote at the time. Mr. Finney remained an employee of the P.G.P. Corporation until his retirement in 2011, working from his home in Santa Barbara, Calif. In the last few years, Mr. Finney was able to move only his facial muscles, but he communicated and wrote Bitcoin-related software using a computer that tracked his eye movement. "I'm pretty lucky overall," Mr. Finney wrote on a Bitcoin website in 2013. "Even with the A.L.S., my life is very satisfying." As the price of Bitcoins rose, his family, to pay for his medical care, was able to sell some of the coins he secured in the early days. Besides his son, Jason, and his wife, he is survived by a daughter, Erin Finney; two sisters, Kathleen Finney and Patricia Wolf; and a brother, Michael. His wife, a physical therapist whom he met at Caltech, spent most of her days caring for him in his final years. After Mr. Finney's death, the freezing of his remains was announced by another futurist, Max More. "Hal," he wrote in a statement online. "I know I speak for many when I say that I look forward to speaking to you again sometime in the future and to throwing a party in honor of your revival." 
----- End forwarded message -----