From cathalgarvey at cathalgarvey.me Sun Jun 1 01:57:17 2014
From: cathalgarvey at cathalgarvey.me (Cathal Garvey)
Date: Sun, 01 Jun 2014 09:57:17 +0100
Subject: is truecrypt dead?
In-Reply-To:
References: <20140531024605.94E95228241@palinka.tinho.net>
 <5389DEE7.9050600@cathalgarvey.me>
 <1401562408.11168.YahooMailNeo@web126201.mail.ne1.yahoo.com>
Message-ID: <538AEAED.2050401@cathalgarvey.me>

> corp will take the fall for the leak. The leak is out there, but the
> corp dies of negligence or something, rather than from a stand
> up principled fight. That's not a win.

"Halt and catch fire" is a pretty good defense, I think. It's why
Lavabit shut down, after all; it is *better* to crash and burn than
become a cog of oppression.

On 01/06/14 06:03, grarpamp wrote:
> On Sat, May 31, 2014 at 2:53 PM, jim bell wrote:
>> https://www.google.com/#q=corporation+cannot+conspire+with+itself
>> deliver a copy of that NSL letter to each of its employees
>> Obviously, that news will leak.
>> Prosecution of any specific corporate employee will be difficult
>> without very detailed evidence.
>
> As in the search results... whoever was leaking employee is
> irrelevant, the employee is the corp. If an employee cannot be
> found *and* successfully treated separately from the corp, the
> corp will take the fall for the leak. The leak is out there, but the
> corp dies of negligence or something, rather than from a stand
> up principled fight. That's not a win.
>
>> The issue will arise: Can a corporation legally deliver a copy of
>> that NSL to each employee?
>
> Probably depends on how the letter is worded / addressed.
> The default sense in absence of such restrictions would seem
> to be yes.
>
> Find bitcoin accepting lawyer to do construction/opinion for
> cpunks list.
>

--
T: @onetruecathal, @IndieBBDNA
P: +353876363185
W: http://indiebiotech.com

From davidroman96 at gmail.com Sun Jun 1 01:39:08 2014
From: davidroman96 at gmail.com (davidroman96)
Date: Sun, 01 Jun 2014 10:39:08 +0200
Subject: Our nameless project.
In-Reply-To: <538a7f20.6914ec0a.5b23.26b1@mx.google.com>
References: <5389BBDE.8050803@gmail.com>
 <20140531114251.GB1973@miyamoto>
 <5389C3F1.9050305@gmail.com>
 <538A0E4D.3010502@gmail.com>
 <20140531231915.6628117A58@pb-sasl0.pobox.com>
 <538A6838.8010207@gmail.com>
 <3481d0b0b58130e7eb58a41049097dc8@cajuntechie.org>
 <538a7f20.6914ec0a.5b23.26b1@mx.google.com>
Message-ID: <538AE6AC.9020006@gmail.com>

On 01/06/14 03:19, Juan wrote:
>>> We know that ISP have the 100% of information,
> The ISPs are just branches of the government, so what's the
> point?
>
>
>
To difficult the espionage and try to improve anonymity. Without open
and transparent organisms (ISP, governments, etc) real privacy and
anonymity is impossible.

From danimoth at cryptolab.net Sun Jun 1 02:14:18 2014
From: danimoth at cryptolab.net (danimoth)
Date: Sun, 1 Jun 2014 11:14:18 +0200
Subject: Our nameless project.
In-Reply-To: <538AE6AC.9020006@gmail.com>
References: <5389BBDE.8050803@gmail.com>
 <20140531114251.GB1973@miyamoto>
 <5389C3F1.9050305@gmail.com>
 <538A0E4D.3010502@gmail.com>
 <20140531231915.6628117A58@pb-sasl0.pobox.com>
 <538A6838.8010207@gmail.com>
 <3481d0b0b58130e7eb58a41049097dc8@cajuntechie.org>
 <538a7f20.6914ec0a.5b23.26b1@mx.google.com>
 <538AE6AC.9020006@gmail.com>
Message-ID: <20140601091418.GA4128@miyamoto>

On 01/06/14 at 10:39am, davidroman96 wrote:
> To difficult the espionage and try to improve anonymity. Without open
> and transparent organisms (ISP, governments, etc) real privacy and
> anonymity is impossible.

You are still ignoring my advice to read something about DC nets.
Unfortunately, you are so committed to your opinions, even when facing
a blocking problem (like ISP-blocking your spoofed traffic) that it is
near impossible to "guide" you. Even in real life, your approach is
totally broken; you should stand on the shoulders of giants and, if you
can, add little pieces to well known state-of-art.

So, instead of writing / inventing / making an anonymous system from
scratch, go using [1] and studying it. From its webpage:

Dissent builds on dining cryptographers and verifiable shuffle
algorithms to offer provable anonymity guarantees, even in the face of
traffic analysis attacks, of the kinds likely to be feasible for
authoritarian governments and their state-controlled ISPs for example.

Dissent seeks to offer accountable anonymity, giving users strong
guarantees of anonymity while also protecting online groups or forums
from anonymous abuse such as spam, Sybil attacks, and sockpuppetry.
Unlike other systems, Dissent can guarantee that each user of an online
forum gets exactly one bandwidth share, one vote, or one pseudonym,
which other users can block in the event of misbehavior.

In your previous email, you clearly don't know what you're talking
about.

Disclaimer: I'm not frustrated, thwarted or something like this, I'm
only trying to help you in the only way I know.

[1] http://dedis.cs.yale.edu/dissent/

From davidroman96 at gmail.com Sun Jun 1 03:46:58 2014
From: davidroman96 at gmail.com (davidroman96)
Date: Sun, 01 Jun 2014 12:46:58 +0200
Subject: Our nameless project.
In-Reply-To: <20140601091418.GA4128@miyamoto>
References: <5389BBDE.8050803@gmail.com>
 <20140531114251.GB1973@miyamoto>
 <5389C3F1.9050305@gmail.com>
 <538A0E4D.3010502@gmail.com>
 <20140531231915.6628117A58@pb-sasl0.pobox.com>
 <538A6838.8010207@gmail.com>
 <3481d0b0b58130e7eb58a41049097dc8@cajuntechie.org>
 <538a7f20.6914ec0a.5b23.26b1@mx.google.com>
 <538AE6AC.9020006@gmail.com>
 <20140601091418.GA4128@miyamoto>
Message-ID: <538B04A2.8020008@gmail.com>

On 01/06/14 11:14, danimoth wrote:
> On 01/06/14 at 10:39am, davidroman96 wrote:
>> To difficult the espionage and try to improve anonymity. Without open
>> and transparent organisms (ISP, governments, etc) real privacy and
>> anonymity is impossible.
> You are still ignoring my advice to read something about DC nets.
> Unfortunately, you are so committed to your opinions, even when facing
> a blocking problem (like ISP-blocking your spoofed traffic) that it is
> near impossible to "guide" you. Even in real life, your approach is
> totally broken; you should stand on the shoulders of giants and, if you
> can, add little pieces to well known state-of-art.
>
> So, instead of writing / inventing / making an anonymous system from
> scratch, go using [1] and studying it. From its webpage:
>
> Dissent builds on dining cryptographers and verifiable shuffle
> algorithms to offer provable anonymity guarantees, even in the face of
> traffic analysis attacks, of the kinds likely to be feasible for
> authoritarian governments and their state-controlled ISPs for example.
>
> Dissent seeks to offer accountable anonymity, giving users strong
> guarantees of anonymity while also protecting online groups or forums
> from anonymous abuse such as spam, Sybil attacks, and sockpuppetry.
> Unlike other systems, Dissent can guarantee that each user of an online
> forum gets exactly one bandwidth share, one vote, or one pseudonym,
> which other users can block in the event of misbehavior.
>
> In your previous email, you clearly don't know what you're talking
> about.
>
> Disclaimer: I'm not frustrated, thwarted or something like this, I'm
> only trying to help you in the only way I know.
>
> [1] http://dedis.cs.yale.edu/dissent/
>

Our idea is not to build a perfect program, it is to build a program to
accomplish one goal and improve it as we learn more (in deep
cryptography we are newbies) to make it more useful (and publish it
when / if we get to a reasonable level), but the first step is to
present the idea to be criticized I think.

We will learn more about cryptography and alternative nets (like DC
nets), thanks to all.

From grarpamp at gmail.com Sun Jun 1 11:30:57 2014
From: grarpamp at gmail.com (grarpamp)
Date: Sun, 1 Jun 2014 14:30:57 -0400
Subject: [cryptography] The next gen P2P secure email solution
In-Reply-To: <1194846483.156635.1400234437146.JavaMail.www@wwinf8226>
References: <1538308832.40108.1398193110797.JavaMail.www@wwinf8228>
 <1674207.VbjJNtGabs@lap>
 <772145240.115968.1400157383527.JavaMail.www@wwinf8308>
 <438532216.290372.1400197775126.JavaMail.www@wwinf8314>
 <1194846483.156635.1400234437146.JavaMail.www@wwinf8226>
Message-ID:

In May 2014 someone wrote:
>> > p2p is no panacea, it doesn't scale
>>
>> I believe it could. Even if requiring super aggregating
>> nodes of some sort. Layers of service of the whole
>> DHT space. More research is surely required.

> It is not possible to have fast p2p unless:
> - Cable networks collaborate by increasing bandwidth 7 to 8 times

My references to scale were not intended to be about...
bulk bandwidth across such networks (for example, right
now, I2P and Tor are doing well enough to see very low
quality video between their hidden nodes if you get a lucky
path, and well enough for moving large files around in non
realtime). ie: the nodes have bandwidth available.

But about scaling the node (user) count from millions to
billions...
No device (or its ethernet) will be able to manage a 10 billion
entry DHT with a handful of keys, addresses and flags per entry.
But if you break it up into some many clusters/hiers/roles of
smaller DHT's, each knowing how to route queries, sort, and
pass entries around, it might work.

Once you've assembled your multihop path from querying the
DHT for nodes, actual data transfer rates should remain
similar. (Provided the network clients know to reserve
bandwidth mod the network average hop count, by throttling
the users usage at their own node).

It would be nice to check some numbers on this for the list.
Is there a wiki or paper repository that discusses plausibly
reachable DHT sizes, time needed for DHT ops to resolve,
and management schemes for such clusters/hiers/roles?

[aside: This everyone online, big DHT, end-to-end reachable
model mirrors the internet today as a general purpose tool.
Perhaps sufficient for many rather sensitive tasks.
When the purpose is narrowed, other models may apply.
For messaging (as is the subject), everyone still needs
a unique address. And since msg delivery/pickup must
be reliable, there is a question of redundancy needed
to avoid random msg loss. Which may turn you away from
store-forward, mixes, and unconscious central storage, etc...
towards everyone online, contact them directly over a
path or retry later.
Today it seems that general purpose may be better
researched and easier than more exotic means.
Question is, is GP sufficient, after applying any
recent GP tech post I2P and Tor's designs?
ie: Some say timing attacks may be mitigated by
fixed packet lengths and adding chaff over links as cover.]

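To put rough numbers on the clustering idea in the message above, here is an added example (not part of the original post, and not code from any project named on the list). It simulates a DHT in which every node keeps at most K contacts per ID-prefix bucket, Kademlia-style, as a stand-in for the "clusters" the post leaves unspecified; ID_BITS, K, the node names and the idealised bootstrap are all assumptions.

```python
import hashlib
import math

ID_BITS = 32  # ID width used in this simulation (assumption)
K = 8         # contacts kept per prefix bucket (assumption)


def make_ids(n):
    """Derive n distinct node IDs from constructed names (sample data)."""
    ids, seen, i = [], set(), 0
    while len(ids) < n:
        digest = hashlib.sha256(f"node-{i}".encode()).digest()
        nid = int.from_bytes(digest[:ID_BITS // 8], "big")
        if nid not in seen:
            seen.add(nid)
            ids.append(nid)
        i += 1
    return ids


class Node:
    """One participant; it stores contacts only, never the full table."""

    def __init__(self, nid):
        self.id = nid
        # Bucket b holds contacts whose XOR distance has its top bit at b,
        # i.e. one "cluster" per shared-prefix length.
        self.buckets = [[] for _ in range(ID_BITS)]

    def learn(self, other):
        if other == self.id:
            return
        b = (self.id ^ other).bit_length() - 1
        if len(self.buckets[b]) < K:  # cap the state kept per cluster
            self.buckets[b].append(other)

    def contacts(self):
        return [c for bucket in self.buckets for c in bucket]

    def next_hop(self, target):
        """Closest known contact to the target by XOR distance."""
        return min(self.contacts(), key=lambda c: c ^ target)


def lookup(nodes, start, target):
    """Greedy multi-hop resolution; returns (node reached, hops taken)."""
    current, hops = start, 0
    while current != target:
        nxt = nodes[current].next_hop(target)
        if nxt ^ target >= current ^ target:
            return None, hops  # no closer contact known: lookup failed
        current, hops = nxt, hops + 1
    return current, hops


def simulate(n, lookups=200):
    """Build an n-node network and measure per-node state and hop counts."""
    ids = make_ids(n)
    nodes = {nid: Node(nid) for nid in ids}
    for node in nodes.values():  # idealised bootstrap: each node hears of
        for other in ids:        # every other once and keeps at most K
            node.learn(other)    # contacts per bucket
    hops, resolved = [], 0
    for i in range(lookups):
        src, dst = ids[i % n], ids[(7 * i + 3) % n]
        found, h = lookup(nodes, src, dst)
        resolved += found == dst
        hops.append(h)
    return {
        "nodes": n,
        "max_contacts": max(len(x.contacts()) for x in nodes.values()),
        "avg_hops": sum(hops) / len(hops),
        "max_hops": max(hops),
        "resolved": resolved,
    }


def projected(n, k=K):
    """Analytic estimate for n nodes: about log2(n) populated buckets of
    at most k contacts each, and a hop count of the same order."""
    depth = math.ceil(math.log2(n))
    return {"contacts": k * depth, "hop_estimate": depth}


if __name__ == "__main__":
    for n in (128, 512, 2048):
        print(simulate(n))
    print("10 billion nodes:", projected(10_000_000_000))
```

Per-node state here grows with the logarithm of the node count rather than with the count itself; the figure for 10 billion nodes is an estimate from that scaling, not a measurement.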
From grarpamp at gmail.com Sun Jun 1 12:22:26 2014
From: grarpamp at gmail.com (grarpamp)
Date: Sun, 1 Jun 2014 15:22:26 -0400
Subject: [cryptography] The next gen P2P secure email solution
In-Reply-To: <1194846483.156635.1400234437146.JavaMail.www@wwinf8226>
References: <1538308832.40108.1398193110797.JavaMail.www@wwinf8228>
 <1674207.VbjJNtGabs@lap>
 <772145240.115968.1400157383527.JavaMail.www@wwinf8308>
 <438532216.290372.1400197775126.JavaMail.www@wwinf8314>
 <1194846483.156635.1400234437146.JavaMail.www@wwinf8226>
Message-ID:

On Fri, May 16, 2014 at 6:01 AM, wrote:
>> >> pesky to/from/subject/etc headers.
>> > Those are hidden by use of TLS.
>> weaknesses intrinsic to SMTP discussions?
>> Yes, they are hidden in TLS transport on the wire.
>> No, they are not hidden in core or on disk at
>> the intermediate and final message transport
>> nodes. That's bad.

> There is no way to hide metadata because you need a destination for your messages to arrive ... has to find its destinations to deliver its contents.

I generally meant TLS hides the multitude of headers, but
headers themselves are not today encrypted to the recipient
or to the network, so they end up sitting in the open... and
their SMTP style and purpose totally unnecessary to a new
transport network.

Yes of course... the minimum necessary for delivery is the
destination address. If the network design ends up yielding
control protocol returned from the network to the sender,
the source must be present. Your network client node handles
decrypting the content to find enclosed within (or to configurably
affix if missing) any further traditional headers if needed by your
local messaging agent, routing stack, etc. Such content may
contain the unique address key of your correspondent, be signed
by them, etc.

Dest: unique destination address key
Optional network metadata: ...
Src: optional unique src address key if control feedback
Content: encrypted blob

'Optional network metadata' may be needed depending on the
network design, full of sigs, routing, storage or other data. But it
most certainly won't be SMTP headers as we know them today.
And will be encrypted to shield from all but the most minimum
of nodes possible.

Further, if the network ends up being general purpose bidirectional,
such that you might run IP traffic/apps over it, the source address
key will obviously be required in either the Src or Content contexts.

From rysiek at hackerspace.pl Sun Jun 1 13:19:13 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Sun, 01 Jun 2014 22:19:13 +0200
Subject: is truecrypt dead?
In-Reply-To: <5389DEE7.9050600@cathalgarvey.me>
References: <20140531024605.94E95228241@palinka.tinho.net>
 <5389DEE7.9050600@cathalgarvey.me>
Message-ID: <6044737.os1AQBNlzh@lapuntu>

On Saturday, 31 May 2014 14:53:43 Cathal Garvey wrote:
> The question is not whether or not you can securely disclose that you
> are under NSL. The question is whether you can do so without, when the
> word breaks, being in trouble for leaking that information.
>
> So yes, you can establish all sorts of wonderful contraptions that "get
> the word out", publicly or privately, on or off-shore, so that the
> people outside can disseminate warnings that you've been compromised.
> But in the end, the stasi will blame you, and no matter how much
> cooked-up legal convolution you wrap yourself in, they will nail you to
> a cross.
>
> My view is that engaging in such convolutions serves two
> counterproductive ends:
> 1) It makes it seem as if you acknowledge that you should not be
> disclosing the NSL; a Jury, if you were so lucky and were actually
> allowed to testify before them in your defence (lol Grand Jury) would be
> suspicious of your motives. Why all the cloak-and-dagger? It's easy for
> the prosecution to make you seem shady and suspicious for acting in that
> way.
>
> 2) It delays your disclosure and allows the stasi time and opportunity
> to preempt and prevent your disclosure entirely.

Good points, thanks.

--
Regards
rysiek

From juan.g71 at gmail.com Sun Jun 1 19:23:45 2014
From: juan.g71 at gmail.com (Juan)
Date: Sun, 1 Jun 2014 23:23:45 -0300
Subject: American Propaganda
Message-ID: <538bdfb4.034bec0a.0b29.0bea@mx.google.com>

https://www.youtube.com/watch?v=I-xxzOwr7I4

So, Snowden says the invasion of Iraq was launched on 'false
premises' but he doesn't know if the government was lying or
there were 'mistakes of intelligence'.

Yeah right. Poor souls they didn't know what they were doing...

From grarpamp at gmail.com Sun Jun 1 23:15:12 2014
From: grarpamp at gmail.com (grarpamp)
Date: Mon, 2 Jun 2014 02:15:12 -0400
Subject: [cryptography] The next gen P2P secure email solution
In-Reply-To: <59e50000-a950-467d-8a61-92414db901f4@email.android.com>
References: <1538308832.40108.1398193110797.JavaMail.www@wwinf8228>
 <1674207.VbjJNtGabs@lap>
 <772145240.115968.1400157383527.JavaMail.www@wwinf8308>
 <438532216.290372.1400197775126.JavaMail.www@wwinf8314>
 <1194846483.156635.1400234437146.JavaMail.www@wwinf8226>
 <1963792268.217779.1401672836775.JavaMail.www@wwinf8308>
 <59e50000-a950-467d-8a61-92414db901f4@email.android.com>
Message-ID:

On Sun, Jun 1, 2014 at 9:45 PM, Cathal (phone) wrote:
> What about streaming, which is increasingly used to hold power to account in
> real time? Or other rich, necessarily large media which needs to *get out
> fast*? Big media isn't always frivolous. Even frivolity is important, and a
> mixnet without fun is gonna be a small mixnet.

Would you rather have one 4k video taken from someone's phone
jiggling in their backpocket as they run with blood all over the lens,
ten emails from people in situ known to you, or photodumps from
two balcony photographers... all of which just saw some gov beat
the fuck out of a bunch of sitdown protesters?

Either way, the choice is best left to the sender. Our role is merely
to make good systems, explain their design, options and tradeoffs,
and then carry the data.

From cathalgarvey at cathalgarvey.me Sun Jun 1 18:45:40 2014
From: cathalgarvey at cathalgarvey.me (Cathal (phone))
Date: Mon, 02 Jun 2014 02:45:40 +0100
Subject: [cryptography] The next gen P2P secure email solution
In-Reply-To: <1963792268.217779.1401672836775.JavaMail.www@wwinf8308>
References: <1538308832.40108.1398193110797.JavaMail.www@wwinf8228>
 <1674207.VbjJNtGabs@lap>
 <772145240.115968.1400157383527.JavaMail.www@wwinf8308>
 <438532216.290372.1400197775126.JavaMail.www@wwinf8314>
 <1194846483.156635.1400234437146.JavaMail.www@wwinf8226>
 <1963792268.217779.1401672836775.JavaMail.www@wwinf8308>
Message-ID: <59e50000-a950-467d-8a61-92414db901f4@email.android.com>

What about streaming, which is increasingly used to hold power to
account in real time? Or other rich, necessarily large media which
needs to *get out fast*? Big media isn't always frivolous. Even
frivolity is important, and a mixnet without fun is gonna be a small
mixnet.

On 2 June 2014 02:33:56 GMT+01:00, tpb-crypto at laposte.net wrote:
>> Message of 01/06/14 20:37
>> From: "grarpamp"
>>
>> In May 2014 someone wrote:
>> >> > p2p is no panacea, it doesn't scale
>> >>
>> >> I believe it could. Even if requiring super aggregating
>> >> nodes of some sort. Layers of service of the whole
>> >> DHT space. More research is surely required.
>>
>> > It is not possible to have fast p2p unless:
>> > - Cable networks collaborate by increasing bandwidth 7 to 8 times
>>
>> My references to scale were not intended to be about...
>> bulk bandwidth across such networks (for example, right
>> now, I2P and Tor are doing well enough to see very low
>> quality video between their hidden nodes if you get a lucky
>> path, and well enough for moving large files around in non
>> realtime). ie: the nodes have bandwidth available.
>>
>
>We all wish privacy, not necessarily 4k videos. The current bandwidth
>can provide for 4k videos and also privacy, no matter if a little
>slower, for a little chat, work and file transfers.
>
>Except if you are into media production or warez, the current bandwidth
>already does the trick for all the rest.

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

From tpb-crypto at laposte.net Sun Jun 1 18:33:56 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Mon, 02 Jun 2014 03:33:56 +0200
Subject: [cryptography] The next gen P2P secure email solution
In-Reply-To:
References: <1538308832.40108.1398193110797.JavaMail.www@wwinf8228>
 <1674207.VbjJNtGabs@lap>
 <772145240.115968.1400157383527.JavaMail.www@wwinf8308>
 <438532216.290372.1400197775126.JavaMail.www@wwinf8314>
 <1194846483.156635.1400234437146.JavaMail.www@wwinf8226>
Message-ID: <1963792268.217779.1401672836775.JavaMail.www@wwinf8308>

> Message of 01/06/14 20:37
> From: "grarpamp"
>
> In May 2014 someone wrote:
> >> > p2p is no panacea, it doesn't scale
> >>
> >> I believe it could. Even if requiring super aggregating
> >> nodes of some sort. Layers of service of the whole
> >> DHT space. More research is surely required.
>
> > It is not possible to have fast p2p unless:
> > - Cable networks collaborate by increasing bandwidth 7 to 8 times
>
> My references to scale were not intended to be about...
> bulk bandwidth across such networks (for example, right
> now, I2P and Tor are doing well enough to see very low
> quality video between their hidden nodes if you get a lucky
> path, and well enough for moving large files around in non
> realtime). ie: the nodes have bandwidth available.
>

We all wish privacy, not necessarily 4k videos. The current bandwidth
can provide for 4k videos and also privacy, no matter if a little
slower, for a little chat, work and file transfers.

Except if you are into media production or warez, the current bandwidth
already does the trick for all the rest.

From tpb-crypto at laposte.net Sun Jun 1 20:40:27 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Mon, 02 Jun 2014 05:40:27 +0200
Subject: [cryptography] The next gen P2P secure email solution
In-Reply-To: <59e50000-a950-467d-8a61-92414db901f4@email.android.com>
References: <1538308832.40108.1398193110797.JavaMail.www@wwinf8228>
 <1674207.VbjJNtGabs@lap>
 <772145240.115968.1400157383527.JavaMail.www@wwinf8308>
 <438532216.290372.1400197775126.JavaMail.www@wwinf8314>
 <1194846483.156635.1400234437146.JavaMail.www@wwinf8226>
 <1963792268.217779.1401672836775.JavaMail.www@wwinf8308>
 <59e50000-a950-467d-8a61-92414db901f4@email.android.com>
Message-ID: <922460943.226204.1401680376302.JavaMail.www@wwinf8226>

I think frivolous stuff could wait some more ... but you can always
bundle several connections by means of bonding interfaces.

I know it is not the best approach, but let's suppose you need to
command a robot or conduct a surgery over p2p. Bonding a few openvpn
connections together would do the trick.

> Message of 02/06/14 03:45
> From: "Cathal (phone)"
> To: tpb-crypto at laposte.net, tpb-crypto at laposte.net, "grarpamp" , p2p-hackers at zim.maski.org
> Cc: cypherpunks at cpunks.org, cryptography at randombit.net
> Subject: Re: [cryptography] The next gen P2P secure email solution
>
> What about streaming, which is increasingly used to hold power to account in real time? Or other rich, necessarily large media which needs to *get out fast*? Big media isn't always frivolous. Even frivolity is important, and a mixnet without fun is gonna be a small mixnet.
>
> On 2 June 2014 02:33:56 GMT+01:00, tpb-crypto at laposte.net wrote:
> >> Message of 01/06/14 20:37
> >> From: "grarpamp"
> >>
> >> In May 2014 someone wrote:
> >> >> > p2p is no panacea, it doesn't scale
> >> >>
> >> >> I believe it could. Even if requiring super aggregating
> >> >> nodes of some sort. Layers of service of the whole
> >> >> DHT space. More research is surely required.
> >>
> >> > It is not possible to have fast p2p unless:
> >> > - Cable networks collaborate by increasing bandwidth 7 to 8 times
> >>
> >> My references to scale were not intended to be about...
> >> bulk bandwidth across such networks (for example, right
> >> now, I2P and Tor are doing well enough to see very low
> >> quality video between their hidden nodes if you get a lucky
> >> path, and well enough for moving large files around in non
> >> realtime). ie: the nodes have bandwidth available.
> >>
> >
> >We all wish privacy, not necessarily 4k videos. The current bandwidth
> >can provide for 4k videos and also privacy, no matter if a little
> >slower, for a little chat, work and file transfers.
> >
> >Except if you are into media production or warez, the current bandwidth
> >already does the trick for all the rest.
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.

From rysiek at hackerspace.pl Mon Jun 2 02:32:17 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Mon, 02 Jun 2014 11:32:17 +0200
Subject: Fwd: is truecrypt dead?
In-Reply-To:
References:
Message-ID: <7303654.QVDuSe5qcp@lapuntu>

Well, this happened:
https://www.grc.com/misc/truecrypt/truecrypt.htm

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Steven Barnhart (@stevebarnhart) wrote to an eMail address he had used
before and received several replies from “David.” The following snippets
were taken from a twitter conversation which then took place between
Steven Barnhart (@stevebarnhart) and Matthew Green (@matthew_d_green):

TrueCrypt Developer “David”: “We were happy with the audit, it didn't
spark anything. We worked hard on this for 10 years, nothing lasts
forever.”

Steven Barnhart (Paraphrasing): Developer “personally” feels that fork is
harmful: “The source is still available as a reference though.”

Steven Barnhart: “I asked and it was clear from the reply that "he"
believes forking's harmful because only they are really familiar w/code.”

Steven Barnhart: “Also said no government contact except one time
inquiring about a ‘support contract.’ ”

TrueCrypt Developer “David” said: “Bitlocker is ‘good enough’ and Windows
was original ‘goal of the project.’ ”

Quoting TrueCrypt Developer David: “There is no longer interest.”
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

--
Regards
rysiek

From gfoster at entersection.org Mon Jun 2 10:44:42 2014
From: gfoster at entersection.org (Gregory Foster)
Date: Mon, 02 Jun 2014 12:44:42 -0500
Subject: US Army research into quantum teleportation of data
Message-ID: <538CB80A.8060405@entersection.org>

Defense Systems (May 30) - "Teleporting information sets stage for
‘cyber secure’ communications":
http://defensesystems.com/Articles/2014/05/30/ARL-Teleportation.aspx

Lots of challenges to overcome, but the advantages are sufficiently
self-evident and seductive to likely warrant substantial funding.

A use case not mentioned: remotely piloted aircraft (drones) without
network lag.

gf

--
Gregory Foster || gfoster at entersection.org
@gregoryfoster <> http://entersection.com/

From carimachet at gmail.com Mon Jun 2 12:48:34 2014
From: carimachet at gmail.com (Cari Machet)
Date: Mon, 2 Jun 2014 19:48:34 +0000
Subject: Pirate Bay co-founder Peter Sunde arrested
In-Reply-To: <1401650018.50783.YahooMailNeo@web126201.mail.ne1.yahoo.com>
References: <1401650018.50783.YahooMailNeo@web126201.mail.ne1.yahoo.com>
Message-ID:

hey any info on where mail can be sent wld be helpful - thanks

On Sun, Jun 1, 2014 at 7:13 PM, jim bell wrote:
>
> http://news.yahoo.com/law-finally-catches-pirate-bay-torrent-co-founder-144400334.html
>
> Pirate Bay co-founder Peter Sunde was arrested late Saturday after being
> on the lam for nearly two years. One of the minds behind the
> popular-yet-tantalizingly-illegal file-sharing service had been set to
> serve jail time for copyright violations when he bolted.
>
>
> Four men linked to Pirate Bay were originally sentenced to one year in
> prison and a fine of 32 million crowns ($4.8 million). An appeals court
> later reduced the prison sentences by varying amounts, but raised the fine
> to 46 million Swedish crowns ($6.9 million).
>
> Sunde was arrested in southern Sweden, but he was thought to be living in
> Germany the past few years. The name of his site, Pirate Bay, has become
> shorthand for digital piracy and the accompanying conversations about how
> artists and big businesses are impacted by internet sharing.
> Somewhat fittingly (if you're willing to indulge in some armchair
> psychology), the blurriness of boundaries and borders, the ones breached by
> Pirate Bay and users meeting and operating around the world, have echoes in
> Sunde's biography. In an interview with a Swedish journalist just a few
> weeks ago, Sunde offered this insight:
>
> In Sweden I am considered the Finnish-Norwegian, in Norway
> Finnish-Swedish, and in Finland Swedish-Norwegian. I've never really
> belonged anywhere."
>
> Peter Althin, who defended Sunde during his trial, said this to a Swedish
> news site about Sunde and his work:
>
> It's about being on the cutting edge if one is going to be successful...
> But if one is too far ahead it is not always about success. Peter fought
> for file-sharing and in 10 years I think it goes without saying that
> file-sharing for one's own needs will be allowed."
>
> Nevertheless, as Sunde heads to jail for eight months, Pirate Bay
> continues to deliver music, movies, games, and other media to users who use
> the service, which is now based out of the Seychelles.
> This article was originally published at The Law Finally Catches Up With
> Pirate Bay Torrent Co-Founder
>
>

--
Cari Machet
NYC 646-436-7795
carimachet at gmail.com
AIM carismachet
Syria +963-099 277 3243
Amman +962 077 636 9407
Berlin +49 152 11779219
Reykjavik +354 894 8650
Twitter: @carimachet
7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187

Ruh-roh, this is now necessary: This email is intended only for the
addressee(s) and may contain confidential information. If you are not the
intended recipient, you are hereby notified that any use of this
information, dissemination, distribution, or copying of this email without
permission is strictly prohibited.

From jahlove at riseup.net Mon Jun 2 15:26:10 2014
From: jahlove at riseup.net (jahlove at riseup.net)
Date: Mon, 2 Jun 2014 22:26:10 -0000
Subject: On mobile security
In-Reply-To: <538CEC67.9070108@owca.info>
References: <538CEC67.9070108@owca.info>
Message-ID: <62eb08fa1276f33d6d8bac98c9f08d36.squirrel@fulvetta.riseup.net>

One thing to note:

There is a version of Guardian Rom, which is based on Replicant that is
going to be coming out soon. Replicant is based on CyanogenMod. There has
been talk of a TailsOS for android that is being built that will be based
on Guardian Rom.

I suggest using this Replicant, Guardian Rom, CyanogenMod combo.

For more info on the Tails Phone OS, contact Nathan Freitas aka @n8fr8

For more info on Guardian Rom based on Replicant, contact Kyle Davidson
aka @x942_dev on twitter.

> Hi,
>
> A text about mobile security:
>
> https://pravokator.si/index.php/2014/06/02/on-mobile-phone-security/
>
> Regards,
>
> M.
>

From adi at hexapodia.org Tue Jun 3 15:53:02 2014
From: adi at hexapodia.org (Andy Isaacson)
Date: Tue, 3 Jun 2014 15:53:02 -0700
Subject: "a skilled backdoor-writer can defeat skilled auditors"?
In-Reply-To: <1800350.DuBgtkdSDz@lapuntu>
References: <1800350.DuBgtkdSDz@lapuntu>
Message-ID: <20140603225302.GJ10586@hexapodia.org>

On Wed, Jun 04, 2014 at 12:35:20AM +0200, rysiek wrote:
> In short several very skilled security auditors examined a small Python
> program — about 100 lines of code — into which three bugs had been inserted by
> the authors. There was an “easy,” “medium,” and “hard” backdoor. There were
> three or four teams of auditors.
>
> 1. One auditor found the “easy” and the “medium” ones in about 70 minutes, and
> then spent the rest of the day failing to find any other bugs.
>
> 2. One team of two auditors found the “easy” bug in about five hours, and
> spent the rest of the day failing to find any other bugs.
>
> 3. One auditor found the “easy” bug in about four hours, and then stopped.
>
> 4. One auditor either found no bugs or else was on a team with the third
> auditor — the report is unclear.
>
> See Chapter 7 of Yee’s report for these details.
>
> I should emphasize that I personally consider these people to be
> extremely skilled. One possible conclusion that could be drawn from this
> experience is that a skilled backdoor-writer can defeat skilled auditors. This
> hypothesis holds that only accidental bugs can be reliably detected by
> auditors, not deliberately hidden bugs.
>
> Anyway, as far as I understand the bugs you folks left in were accidental bugs
> that you then deliberately didn’t-fix, rather than bugs that you intentionally
> made hard-to-spot.
>
> - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> https://blog.spideroak.com/20140220090004-responsibly-bringing-new-cryptography-product-market#footnote1
>
> I have no problem believing it is thus, but can't help wondering if there are
> any ways to mitigate it.

My mitigation would be to make auditing a default-deny rule, rather than
a default-allow.

Security auditing needs to be a holistic analysis, starting by
re-engaging with the requirements, verifying that the design is a
sensible and minimal approach to addressing the requirements, and
verifying that the implementation is a sensible, safe, auditable,
version controlled, approach to the design.

If the auditor at any point says "Well, I wouldn't have *recommended*
that you implement your JSON parsing in ad-hoc C with pointer arithmetic
and poor and misleading comments, but I can't find any *bugs* so I guess
it must be OK" then that is an immediate fail.

This is the default deny: we default to assuming the system is insecure,
and any sign that this might be true results in a failure.

Versus the current auditing method of default-allow: we run the audit, and if no *concrete* exploits or bugs are found before the auditors run out of time, then we trumpet that the system "has passed its audit". Only if the design is sane, the implementation is sane, the development team is following best practices and defensive coding strategies, with a cryptographically and procedurally audited edit trail (immutable git commit logs signed and committed to W/O media) in a development environment that is safe by default rather than risky by default ... ... then you *might* have a chance of catching the intentional backdoor inserted by the APT malware on your team member's workstation. Current efforts in this direction fall *very* far short of the utopia I describe. -andy From dal at riseup.net Tue Jun 3 13:54:29 2014 From: dal at riseup.net (Douglas Lucas) Date: Tue, 03 Jun 2014 15:54:29 -0500 Subject: Fw: Pirate Bay co-founder Peter Sunde arrested In-Reply-To: <1401780214.57947.YahooMailNeo@web126201.mail.ne1.yahoo.com> References: <1401650018.50783.YahooMailNeo@web126201.mail.ne1.yahoo.com> <1401766665.41946.YahooMailNeo@web126206.mail.ne1.yahoo.com> <1401780214.57947.YahooMailNeo@web126201.mail.ne1.yahoo.com> Message-ID: <538E3605.20402@riseup.net> I am told--maybe incorrectly--that alleged Boston Bomber (but see WhoWhatWhy's reporting) Dzhokhar Tsarnaev should be in the Federal Prison inmate locator, but isn't. So maybe the people behind the locator are sometimes deceptive. Douglas On 06/03/2014 02:23 AM, jim bell wrote: > I just realized that he probably isn't yet returned (extradited) to the > US, and thus probably won't be listed in the BOP Inmate locator system. > > ----- Forwarded Message ----- > *From:* jim bell > *To:* Cari Machet > *Sent:* Monday, June 2, 2014 8:37 PM > *Subject:* Re: Pirate Bay co-founder Peter Sunde arrested > > There is such a thing as a Federal Prison inmate locator. 
> http://www.bop.gov/inmateloc/ > I tried it, but it doesn't show him. ( I don't know his age, etc.) It > would certainly show him if he is convicted, but before? Let's figure > out where (which city) he is in. Sometimes Federal prisoners are sent > to county jails while they are waiting for a trial. > Jim Bell > > > > ------------------------------------------------------------------------ > *From:* Cari Machet > *To:* jim bell > *Cc:* "cypherpunks at cpunks.org" > *Sent:* Monday, June 2, 2014 12:48 PM > *Subject:* Re: Pirate Bay co-founder Peter Sunde arrested > > hey any info on where mail can be sent wld be helpful - thanks > > > On Sun, Jun 1, 2014 at 7:13 PM, jim bell > wrote: > > http://news.yahoo.com/law-finally-catches-pirate-bay-torrent-co-founder-144400334.html > > Pirate Bay co-founder Peter Sunde was arrested late Saturday after > being on the lam for nearly two years. One of the minds behind the > popular-yet-tantalizingly-illegal file-sharing service had been set > to serve jail time for copyright violations when he bolted. > > > > From adi at hexapodia.org Tue Jun 3 18:32:52 2014 From: adi at hexapodia.org (Andy Isaacson) Date: Tue, 3 Jun 2014 18:32:52 -0700 Subject: "a skilled backdoor-writer can defeat skilled auditors"? In-Reply-To: <1462819215.136856.1401844030733.JavaMail.www@wwinf8227> References: <1800350.DuBgtkdSDz@lapuntu> <20140603225302.GJ10586@hexapodia.org> <1462819215.136856.1401844030733.JavaMail.www@wwinf8227> Message-ID: <20140604013251.GL10586@hexapodia.org> On Wed, Jun 04, 2014 at 03:06:43AM +0200, tpb-crypto at laposte.net wrote: > Your proposal would cause 99% of software currently in use to be > rejected That seems like a feature... (note that I don't think most software should be audited as security critical. We can reduce the Trusted Computing Base and audit only those bits.) > and make the development costs increase as astronomically as > to be compared to medical research. 
I like to compare our current situation to the Steam Age. There was an enormous amount of innovation in steam power, heating, etc in the 1800s. There was a concomitant lack of standardized safety measures, and occasionally boilers exploded taking entire apartment buildings with them. Over time the rate of innovation decreased, standardization set in, safety measures were instituted, and now we have boring steam radiators in apartment buildings rather than exciting steam-powered Difference Engines in our pockets. -andy From drwho at virtadpt.net Tue Jun 3 19:10:02 2014 From: drwho at virtadpt.net (The Doctor) Date: Tue, 03 Jun 2014 19:10:02 -0700 Subject: Google'es End-to-End In-Reply-To: <538E7115.2010401@cmu.edu> References: <3663262.z3uQ7fQ3vz@lapuntu> <328801251.126680.1401835370727.JavaMail.www@wwinf8306> <538E6064.1010101@cmu.edu> <1708528.yaAc8RAH8B@lapuntu> <538E7115.2010401@cmu.edu> Message-ID: <538E7FFA.2010604@virtadpt.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 06/03/2014 06:06 PM, James Murphy wrote: > email. I was not able to verify the signature though since gpg > doesn't support elliptic curve keys (I wonder why not). Presumably > (hopefully) gpg will be adding EC support in the future and this > will no longer be an issue. I did a little looking around, and found the following: http://www.mail-archive.com/gnupg-users at gnupg.org/msg20573.html Supposedly it was merged into the v2 source tree a few years ago: https://code.google.com/p/gnupg-ecc/ It seems that at least some of the development builds incorporate ECC in --expert mode. I just tried it on my standard install (GnuPG v2.0.22 (64-bit)) on a new user, and saw no signs of ECC support. This says that it's in the v2.1.x source tree, which is probably why I don't have it: https://superuser.com/questions/623090/how-can-i-use-gnupg-with-ecdsa-keys What release of GnuPG do you normally use? 
- -- The Doctor [412/724/301/703] [ZS] Developer, Project Byzantium: http://project-byzantium.org/ PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1 WWW: https://drwho.virtadpt.net/ "I'd rather remove the thymus gland from a gerbil." --Alton Brown From coderman at gmail.com Tue Jun 3 19:50:20 2014 From: coderman at gmail.com (coderman) Date: Tue, 3 Jun 2014 19:50:20 -0700 Subject: Announcement of Commencement of Bankruptcy Proceedings In-Reply-To: References: <4D93B28A96981B4AACFD46632E097A2729241E@SVR-OSKVGMBX101.noandt.local> Message-ID: see also http://cryptome.org/2014/06/bitcoin-deanon-p2p.pdf https://willyreport.wordpress.com/2014/05/25/the-willy-report-proof-of-massive-fraudulent-trading-activity-at-mt-gox-and-how-it-has-affected-the-price-of-bitcoin/ On Thu, May 29, 2014 at 11:18 PM, Travis Biehn wrote: > Kobayashi > > ---------- Forwarded message ---------- > From: "MtGox Bankruptcy Trustee" > Date: May 30, 2014 2:16 AM > Subject: Announcement of Commencement of Bankruptcy Proceedings > To: "MtGox Bankruptcy Trustee" > Cc: > > 関係人各位 > >
株式会社MTGOX(以下「MTGOX」といいます。)につき、平成26年4月24日午後5時00分、東京地方裁判所より破産手続開始決定がなされ、当職が破産管財人に選任されました(東京地方裁判所平成26年(フ)第3830号)。 > 今後、破産管財人において、MTGOXの財産管理換価、債権調査等の破産手続を遂行していきます。 > つきましては、関係者に対する情報提供を目的として、破産手続に関する基本的事項を添付のとおりお知らせいたしますので、ご確認ください。 > > なお、このメールアドレス(mtgox_trustee at noandt.com > )は破産管財人からの送信専用であり、貴殿が本メールアドレス宛の返信等をされても内容確認及び回答などの対応はできません。 > 破産手続の進行等については、ウェブサイト( http://www.mtgox.com/ > )で情報提供をする予定ですので、当該ウェブサイトをご確認ください。 > 宜しくお願いいたします。 > > 破産者株式会社MTGOX 破産管財人弁護士小林信明 > > > To whom it may concern, > > At 5:00 p.m. on April 24, 2014, the Tokyo District Court granted the order > for the commencement of the bankruptcy proceedings vis-à-vis MtGox Co., Ltd. > (“MtGox”), and based upon such order, I was appointed as the bankruptcy > trustee (Tokyo District Court 2014 (fu) no. 3830). > The bankruptcy trustee will implement the bankruptcy proceedings, including > the administration and realization of the assets and investigation of the > claims. > For the purpose of providing information to the related parties, we hereby > inform you of the basic matters regarding the bankruptcy proceedings as > attached. > > This email address(mtgox_trustee at noandt.com) is used only for the purpose of > sending messages, and we are unable to check and respond to any replies to > this email address. > Since we plan to provide the information regarding the bankruptcy > proceedings by posting it on the website hosted by the bankruptcy trustee ( > http://www.mtgox.com/ ), please check this website. > > Bankrupt MtGox Co., Ltd. Bankruptcy trustee Attorney-at-law Nobuaki > Kobayashi From coderman at gmail.com Tue Jun 3 19:53:17 2014 From: coderman at gmail.com (coderman) Date: Tue, 3 Jun 2014 19:53:17 -0700 Subject: stinky shit in fedland - lawful^H^H^Hless mobile fuckery cover-ups in progress... Message-ID: https://www.aclu.org/blog/national-security-technology-and-liberty/us-marshals-seize-local-cops-cell-phone-tracking-files --- U.S. 
Marshals Seize Local Cops’ Cell Phone Tracking Files in Extraordinary Attempt to Keep Information From Public 06/03/2014 Government Secrecy By Nathan Freed Wessler, Staff Attorney, ACLU Speech, Privacy & Technology Project at 12:13pm A run-of-the-mill public records request about cell phone surveillance submitted to a local police department in Florida has unearthed blatant violations of open government laws, including an incredible seizure of state records by the U.S. Marshals Service, which is part of the Justice Department. Today the ACLU and the ACLU of Florida filed an emergency motion in state court to preserve the public’s right of access to government records. Over the past several months, the ACLU has filed dozens of public records requests with Florida law enforcement agencies seeking information about their use of controversial cell phone tracking devices known as “stingrays.” (The devices are also known as “cell site simulators” or “IMSI catchers.”) Stingrays track phones by mimicking service providers’ cell towers and sending out powerful signals that trick nearby phones — including phones of countless bystanders — into sending their locations and identifying information. The Florida agencies’ responses to our requests have varied widely, with some stonewalling and others releasing records. The most recent request went to the Sarasota Police Department, and the fallout from that request has raised red flag after red flag. RED FLAG #1: The Sarasota Police initially told us that they had responsive records, including applications filed by and orders issued to a local detective under the state “trap and trace” statute that he had relied on for authorization to conduct stingray surveillance. That raised the first red flag, since trap and trace orders are typically used to gather limited information about the phone numbers of incoming calls, not to track cell phones inside private spaces or conduct dragnet surveillance. 
And, such orders require a very low legal standard. As one federal magistrate judge has held, police should be permitted to use stingrays only after obtaining a probable cause warrant, if at all. RED FLAG #2: The Sarasota Police set up an appointment for us to inspect the applications and orders, as required by Florida law. But a few hours before that appointment, an assistant city attorney sent an email cancelling the meeting on the basis that the U.S. Marshals Service was claiming the records as their own and instructing the local cops not to release them. Their explanation: the Marshals Service had deputized the local officer, and therefore the records were actually the property of the federal government. We emphatically disagree, since the Sarasota detective created the applications, brought them to court, and retained the applications and orders in his files. Merely giving him a second title (“Special Deputy U.S. Marshal”) does not change these facts. But regardless, once the Sarasota Police Department received our records request, state law required them to hold onto the records for at least 30 days, to give us an opportunity to go to court and seek an order for release of the documents. Instead of complying with that clear legal obligation, the local police allowed the records to disappear by letting the U.S. Marshals drive down from their office in Tampa, seize the physical files, and move them to an unknown location. We’ve seen our fair share of federal government attempts to keep records about stingrays secret, but we’ve never seen an actual physical raid on state records in order to conceal them from public view. RED FLAG #3: Realizing we weren’t going to get hold of the Sarasota Police Department’s copies of the applications and orders anytime soon, we asked the county court if we could obtain copies from its files. Incredibly, the court said it had no copies. 
The court doesn’t even have docket entries indicating that applications were filed or orders issued. Apparently, the local detective came to court with a single paper copy of the application and proposed order, and then walked out with the same papers once signed by a judge. Court rules — and the First Amendment — require judges to retain copies of judicial records and to make them available to the public, but the court (and the detective) completely flouted those requirements here. The ACLU’s emergency motion seeks a temporary injunction preventing the Sarasota Police Department from transferring any more files to the U.S. Marshals, as well as a determination that the police violated state law by sending the stingray applications and orders to the Marshals Service in the first place and an order requiring the police to produce the records. When the government obtains court authorization to use invasive surveillance equipment, the public should not be kept in the dark. We have open records laws for a reason, but they mean nothing if the government can violate their clear commands at its whim. 
From jtmurphy at cmu.edu Tue Jun 3 16:55:16 2014 From: jtmurphy at cmu.edu (James Murphy) Date: Tue, 03 Jun 2014 19:55:16 -0400 Subject: Google'es End-to-End In-Reply-To: <328801251.126680.1401835370727.JavaMail.www@wwinf8306> References: <3663262.z3uQ7fQ3vz@lapuntu> <60003339.126349.1401833983205.JavaMail.www@wwinf8306> <1587119.yPTzuntpD3@lapuntu> <328801251.126680.1401835370727.JavaMail.www@wwinf8306> Message-ID: <538E6064.1010101@cmu.edu> On 6/3/2014 18:42, tpb-crypto at laposte.net wrote: >> Message du 04/06/14 00:29 >> De : "rysiek" >> >> OHAI, >> >> Dnia środa, 4 czerwca 2014 00:19:43 piszesz: >>>> not sure what to think about this one: >>>> http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encrypt >>>> ion-easier-to.html >>>> >>>> Technical specs: >>>> https://code.google.com/p/end-to-end/ >>> >>> If you want to land on a watch-list and maybe no-fly list, you just install >>> it in your Chrome. Because as far as we can tell Google is in bed with the >>> NSA and so the proprietary browser may just flag you to the system and done >>> you are, or may forward all your messages in the clear. Who knows? Which is >>> worst? >>> >>> That's why there is not foocking way to trust proprietary software. >>> Companies are forced to act like criminals on behalf of the government. >>> There is no loyalty, respect, ethics, honesty or even business which the US >>> government won't try to trample upon. >>> >>> If one wants to go crypto, he goes all the way with OpenBSD, Tails, Kali, >>> Gentoo, Firefox, Midori or even old and good Lynx, but not Chrome. >>> >>> lol >> >> A heck with it, why not -- I'll play the Google's advocate here. >> >> So, the extension itself will be FLOSS, as I understand, so the extension >> itself will be audit-able (inb4 openssl, truecrypt). And as I understand it >> *will* be installable in Chromium too. >> >> Is that an acceptable combination? With such an assumption ("use Chromium, >> Luke!"), does End-to-End seem to make sense? 
Or are there other problems we >> need to look into and be wary of? >> > > With chromium, End-to-End can start looking respectable. But even then Chromium is cranked by a much smaller team than Firefox and surely suffers from the same problems OpenSSL has faced for most of its existence. > I went ahead and tried it out. One click to make a key and it integrates into gmail. It's not going to replace PGP for anyone who already has a key pair, but making end-to-end encryption one-click-easy is a shoe in the door for getting the public to start caring about its own privacy (and hence ours). From afalex169 at gmail.com Tue Jun 3 10:03:45 2014 From: afalex169 at gmail.com (=?UTF-8?B?INCQ0LvQtdC60YHQsNC90LTRgCA=?=) Date: Tue, 3 Jun 2014 20:03:45 +0300 Subject: TrueCrypt continuation Message-ID: *http://truecrypt.ch/ http://geekcrypt.net/ * From coderman at gmail.com Tue Jun 3 20:12:20 2014 From: coderman at gmail.com (coderman) Date: Tue, 3 Jun 2014 20:12:20 -0700 Subject: stinky shit in fedland - lawful^H^H^Hless mobile fuckery cover-ups in progress... In-Reply-To: References: Message-ID: for those new to this game, the storyline is summarized below, On Tue, Jun 3, 2014 at 7:53 PM, coderman wrote: > ... > U.S. Marshals Seize Local Cops’ Cell Phone Tracking Files in > Extraordinary Attempt to Keep Information From Public > > RED FLAG #1: The Sarasota Police initially told us that they had > responsive records, including applications filed by and orders issued > to a local detective under the state “trap and trace” statute that he > had relied on for authorization to conduct stingray surveillance.
That > raised the first red flag, since trap and trace orders are typically > used to gather limited information about the phone numbers of incoming > calls, not to track cell phones inside private spaces or conduct > dragnet surveillance... > > RED FLAG #2: The Sarasota Police set up an appointment for us to > inspect the applications and orders, as required by Florida law. But a > few hours before that appointment, an assistant city attorney sent an > email cancelling the meeting on the basis that the U.S. Marshals > Service was claiming the records as their own and instructing the > local cops not to release them... > > RED FLAG #3: Realizing we weren’t going to get hold of the Sarasota > Police Department’s copies of the applications and orders anytime > soon, we asked the county court if we could obtain copies from its > files. Incredibly, the court said it had no copies. The court doesn’t > even have docket entries indicating that applications were filed or > orders issued. Apparently, the local detective came to court with a > single paper copy of the application and proposed order, and then > walked out with the same papers once signed by a judge. discoveries we'll get to enjoy, with the appropriate shocked, shocked! theatrics: - The Known Tools Have Few Controls and Intentional Secrecy not only are the Stingray/IMSI catcher devices not properly controlled, but they are actively shielded from oversight through non-disclosure / trade-secret / and national security trump card arguments that don't hold water. - The Known Tools Hint at Deeper Invasive Techniques, Also Lacking Oversight not only is location / metadata (penregister) information obtained, but similar programs with private industry selling advanced tools to law enforcement will uncover even more egregious violations of law extending to full content (wiretap) collection without sufficient authority or oversight. 
- The Lawless Intercepts and Unlawful Invasions Of Privacy Shielded by Prosecutors and Judiciary using Reverse Forensics the synergy of "parallel construction meets illegal intercepts" will uncover the ways in which initial aggressive legal interpretations are further distorted, and secrecy further applied paramount, to serve the interests of prosecutor careers and public face over actual justice and respect for law. - Truly In-discriminant and Whole-sale Invasions of Constitutionally Protected Communications Are Routine Fed Behaviors and not just routine but the expected side effects of military blunt-force intelligence gathering systems aimed at domestic targets illegally. these military systems covertly re-purposed for domestic surveillance at the federal level enjoy FBI DITU running front-man and cover for all the exceptional secrecy this programs entails. (and why such truly aggressive offensive techniques applied indiscriminately have yet to reach state and municipal LE need to know.) From coderman at gmail.com Tue Jun 3 20:22:20 2014 From: coderman at gmail.com (coderman) Date: Tue, 3 Jun 2014 20:22:20 -0700 Subject: PBS Frontline and "The Program"'s "innovative" legal interpretations [was: stinky shit in fedland - lawful^H^H^Hless mobile fuckery cover-ups in progress...] Message-ID: regarding the parallel construction and warantless / indiscriminate techniques, the PBS Frontline program "United States of Secrets" provides an exceptional analysis of how these invasive and un-constitutional programs and arguments came into being and expanded across administrations. 
http://www.pbs.org/wgbh/pages/frontline/united-states-of-secrets/ or http://www.pbs.org/wgbh/pages/frontline/government-elections-politics/united-states-of-secrets/transcript-61/ # convenient links, for those who can't torrent / stream https://peertech.org/files/PBS.Frontline.2014.United.States.of.Secrets.1.mp4 https://peertech.org/files/PBS.Frontline.2014.United.States.of.Secrets.2.mp4 # plaintext for those with poor clients who can't speak strong SSL/TLS http://207.198.103.187:8081/PBS.Frontline.2014.United.States.of.Secrets.1.mp4 http://207.198.103.187:8081/PBS.Frontline.2014.United.States.of.Secrets.2.mp4 best regards, On Tue, Jun 3, 2014 at 8:12 PM, coderman wrote: > ... > - Truly In-discriminant and Whole-sale Invasions of Constitutionally > Protected Communications Are Routine Fed Behaviors > and not just routine but the expected side effects of military > blunt-force intelligence gathering systems aimed at domestic targets > illegally. these military systems covertly re-purposed for domestic > surveillance at the federal level enjoy FBI DITU running front-man and > cover for all the exceptional secrecy this programs entails. (and why > such truly aggressive offensive techniques applied indiscriminately > have yet to reach state and municipal LE need to know.) From coderman at gmail.com Tue Jun 3 20:40:07 2014 From: coderman at gmail.com (coderman) Date: Tue, 3 Jun 2014 20:40:07 -0700 Subject: "a skilled backdoor-writer can defeat skilled auditors"? In-Reply-To: <1462819215.136856.1401844030733.JavaMail.www@wwinf8227> References: <1800350.DuBgtkdSDz@lapuntu> <20140603225302.GJ10586@hexapodia.org> <1462819215.136856.1401844030733.JavaMail.www@wwinf8227> Message-ID: On Tue, Jun 3, 2014 at 6:06 PM, wrote: > ... > Your proposal [building meaningful security in from the start] would cause 99% of software currently in use to be rejected and make the development costs increase as astronomically as to be compared to medical research. 
1% making the cut is a far too generous estimate, perhaps 1% of 1%. as for the cost issue, which must be paid somewhere, you make two assumptions: first, assuming the externalities of insecure systems are simply non-exist-ant. the costs of our pervasive vulnerability are gargantuan, yet the complexity and cost of robust alternatives instills paralysis. (this lack of significant progress in development of secure systems feeds your defeatist observations; it's ok ;) second, that the schedules and styles of development as we currently practice it will always be. if you solved a core (commodity) infosec problem once, very well, in a way that could be widely adopted, you would only need to implement it once! (then spending five years and ten fold cost building to last becomes reasonable) for now, it appears stasis and external costs are the status quo. the future, if here at all, is clearly not yet widely distributed... best regards, From jtmurphy at cmu.edu Tue Jun 3 18:06:29 2014 From: jtmurphy at cmu.edu (James Murphy) Date: Tue, 03 Jun 2014 21:06:29 -0400 Subject: Google'es End-to-End In-Reply-To: <1708528.yaAc8RAH8B@lapuntu> References: <3663262.z3uQ7fQ3vz@lapuntu> <328801251.126680.1401835370727.JavaMail.www@wwinf8306> <538E6064.1010101@cmu.edu> <1708528.yaAc8RAH8B@lapuntu> Message-ID: <538E7115.2010401@cmu.edu> On 6/3/2014 20:08, rysiek wrote: > Dnia wtorek, 3 czerwca 2014 19:55:16 James Murphy pisze: >> On 6/3/2014 18:42, tpb-crypto at laposte.net wrote: >>>> Message du 04/06/14 00:29 >>>> De : "rysiek" >>>> >>>> OHAI, >>>> >>>> Dnia środa, 4 czerwca 2014 00:19:43 piszesz: >>>>>> not sure what to think about this one: >>>>>> http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encr >>>>>> ypt >>>>>> ion-easier-to.html >>>>>> >>>>>> Technical specs: >>>>>> https://code.google.com/p/end-to-end/ >>>>> >>>>> If you want to land on a watch-list and maybe no-fly list, you just >>>>> install >>>>> it in your Chrome. 
Because as far as we can tell Google is in bed with >>>>> the >>>>> NSA and so the proprietary browser may just flag you to the system and >>>>> done >>>>> you are, or may forward all your messages in the clear. Who knows? Which >>>>> is >>>>> worst? >>>>> >>>>> That's why there is not foocking way to trust proprietary software. >>>>> Companies are forced to act like criminals on behalf of the government. >>>>> There is no loyalty, respect, ethics, honesty or even business which the >>>>> US >>>>> government won't try to trample upon. >>>>> >>>>> If one wants to go crypto, he goes all the way with OpenBSD, Tails, >>>>> Kali, >>>>> Gentoo, Firefox, Midori or even old and good Lynx, but not Chrome. >>>>> >>>>> lol >>>> >>>> A heck with it, why not -- I'll play the Google's advocate here. >>>> >>>> So, the extension itself will be FLOSS, as I understand, so the extension >>>> itself will be audit-able (inb4 openssl, truecrypt). And as I understand >>>> it >>>> *will* be installable in Chromium too. >>>> >>>> Is that an acceptable combination? With such an assumption ("use >>>> Chromium, >>>> Luke!"), does End-to-End seem to make sense? Or are there other problems >>>> we >>>> need to look into and be wary of? >>> >>> With chromium, End-to-End can start looking respectable. But even then >>> Chromium is cranked by a much smaller team than Firefox and surely >>> suffers from the same problems OpenSSL has faced for most of its >>> existence. >> I went ahead and tried it out. One click to make a key and it integrates >> into gmail. It's not going to replace PGP for anyone who already has a >> key pair, but making end-to-end encryption one-click-easy is a shoe in >> the door for getting the public to start caring about its own privacy >> (and hence ours). > > Okay, but how does that play with other PGP users? For example, will I be able > to verify your signature with my "old" GPG? > It imported my ascii armored RSA public key just fine. 
Upon testing, it correctly sent a signed and encrypted message to my RSA key's associated email. I was not able to verify the signature though since gpg doesn't support elliptic curve keys (I wonder why not). Presumably (hopefully) gpg will be adding EC support in the future and this will no longer be an issue. From tbiehn at gmail.com Tue Jun 3 19:43:33 2014 From: tbiehn at gmail.com (Travis Biehn) Date: Tue, 3 Jun 2014 22:43:33 -0400 Subject: Google'es End-to-End In-Reply-To: <60003339.126349.1401833983205.JavaMail.www@wwinf8306> References: <3663262.z3uQ7fQ3vz@lapuntu> <60003339.126349.1401833983205.JavaMail.www@wwinf8306> Message-ID: You forgot Quark, bro. http://goto.ucsd.edu/quark/ :( When will verified / managed code OSes be usable? On Tue, Jun 3, 2014 at 6:19 PM, wrote: > > Message du 03/06/14 23:57 > > De : "rysiek" > > > > Hi there, > > > > not sure what to think about this one: > > > http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encryption-easier-to.html > > > > Technical specs: > > https://code.google.com/p/end-to-end/ > > > > If you want to land on a watch-list and maybe no-fly list, you just > install it in your Chrome. Because as far as we can tell Google is in bed > with the NSA and so the proprietary browser may just flag you to the system > and done you are, or may forward all your messages in the clear. Who knows? > Which is worst? > > That's why there is not foocking way to trust proprietary software. > Companies are forced to act like criminals on behalf of the government. > There is no loyalty, respect, ethics, honesty or even business which the US > government won't try to trample upon. > > If one wants to go crypto, he goes all the way with OpenBSD, Tails, Kali, > Gentoo, Firefox, Midori or even old and good Lynx, but not Chrome. > > lol > -- Twitter | LinkedIn | GitHub | TravisBiehn.com | Google Plus
From rysiek at hackerspace.pl Tue Jun 3 14:53:03 2014 From: rysiek at hackerspace.pl (rysiek) Date: Tue, 03 Jun 2014 23:53:03 +0200 Subject: Google'es End-to-End Message-ID: <3663262.z3uQ7fQ3vz@lapuntu> Hi there, not sure what to think about this one: http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encryption-easier-to.html Technical specs: https://code.google.com/p/end-to-end/ -- Pozdr rysiek From dal at riseup.net Tue Jun 3 22:10:17 2014 From: dal at riseup.net (Douglas Lucas) Date: Wed, 04 Jun 2014 00:10:17 -0500 Subject: #PayPal14: Distributed Donations of Support Message-ID: <538EAA39.4010109@riseup.net> Hi cypherpunks, I am one of the original authors of the May 12 press release http://pastebin.com/39nSLf94 "No Place to Hide: #PayPal14, Glenn Greenwald, and the PayPal Billionaire" Greenbacks' billionaire backer Pierre Omidyar makes the PayPal 14 pay $86,000 for Distributed Denial-of-Service attacks (DDOS), so we are promoting Distributed Donations-of-Support (DDOS): http://www.gofundme.com/Paypal14 Without need of celebrities or go-betweens, you can donate directly to the PayPal 14 at that page. If you can't chip in, please share that page and ask people to go back to their roots by helping political prisoners/hostages directly. The first week the op raised $5,052. The second week the op raised $2,298. Tonight alone the op raised $180. We had no SONY movie deal and didn't redact anything.
I am sure people who have difficulty unhitching their wagons from celebrities and 'Thought Leaders' will say what a bad idea it is to attack Redaction White Man who is telling multi-millionaire anchors about the NSA to an audience who has already gotten the message the NSA spies on every undefended gizmo. By the way, the US is not the world; did you know Nigeria has 'NSA capability' from Israeli tech? The op got two cool articles the first week: http://www.ibtimes.co.uk/anonymous-paypal14-campaign-spreads-pirated-copy-glenn-greenwalds-book-snowden-1448913 http://rt.com/usa/158976-greenwald-anonymous-paypal-pastebin/ And best of all, got brave people protesting Greenbacks' Boston tour stop in person (pics!): https://twitter.com/Lyzard/status/467085082734624768 https://twitter.com/Aan_ath/status/467101897627668480 https://twitter.com/Free_Hammond/status/467111734579568641 https://twitter.com/Aan_ath/status/467154122995924992 Op-ed expected later this week. Thanks, Douglas From tpb-crypto at laposte.net Tue Jun 3 15:19:43 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Wed, 04 Jun 2014 00:19:43 +0200 Subject: Google'es End-to-End In-Reply-To: <3663262.z3uQ7fQ3vz@lapuntu> References: <3663262.z3uQ7fQ3vz@lapuntu> Message-ID: <60003339.126349.1401833983205.JavaMail.www@wwinf8306> > Message du 03/06/14 23:57 > De : "rysiek" > > Hi there, > > not sure what to think about this one: > http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encryption-easier-to.html > > Technical specs: > https://code.google.com/p/end-to-end/ > If you want to land on a watch-list and maybe no-fly list, you just install it in your Chrome. Because as far as we can tell Google is in bed with the NSA and so the proprietary browser may just flag you to the system and done you are, or may forward all your messages in the clear. Who knows? Which is worst? That's why there is not foocking way to trust proprietary software. 
Companies are forced to act like criminals on behalf of the government. There is no loyalty, respect, ethics, honesty or even business which the US government won't try to trample upon. If one wants to go crypto, he goes all the way with OpenBSD, Tails, Kali, Gentoo, Firefox, Midori or even old and good Lynx, but not Chrome. lol

From rysiek at hackerspace.pl Tue Jun 3 15:24:48 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Wed, 04 Jun 2014 00:24:48 +0200
Subject: Google'es End-to-End
In-Reply-To: <60003339.126349.1401833983205.JavaMail.www@wwinf8306>
References: <3663262.z3uQ7fQ3vz@lapuntu> <60003339.126349.1401833983205.JavaMail.www@wwinf8306>
Message-ID: <1587119.yPTzuntpD3@lapuntu>

OHAI, On Wednesday, 4 June 2014 00:19:43 you wrote: > > not sure what to think about this one: > > http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encrypt > > ion-easier-to.html > > > > Technical specs: > > https://code.google.com/p/end-to-end/ > > If you want to land on a watch-list and maybe no-fly list, you just install > it in your Chrome. Because as far as we can tell Google is in bed with the > NSA and so the proprietary browser may just flag you to the system and done > you are, or may forward all your messages in the clear. Who knows? Which is > worst? > > That's why there is not foocking way to trust proprietary software. > Companies are forced to act like criminals on behalf of the government. > There is no loyalty, respect, ethics, honesty or even business which the US > government won't try to trample upon. > > If one wants to go crypto, he goes all the way with OpenBSD, Tails, Kali, > Gentoo, Firefox, Midori or even old and good Lynx, but not Chrome. > > lol A heck with it, why not -- I'll play the Google's advocate here. So, the extension itself will be FLOSS, as I understand, so the extension itself will be audit-able (inb4 openssl, truecrypt). And as I understand it *will* be installable in Chromium too. Is that an acceptable combination?
With such an assumption ("use Chromium, Luke!"), does End-to-End seem to make sense? Or are there other problems we need to look into and be wary of?
--
Regards
rysiek

From rysiek at hackerspace.pl Tue Jun 3 15:35:20 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Wed, 04 Jun 2014 00:35:20 +0200
Subject: "a skilled backdoor-writer can defeat skilled auditors"?
Message-ID: <1800350.DuBgtkdSDz@lapuntu>

Hi there, in a different thread, Cam posted a link containing this gem:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
In short several very skilled security auditors examined a small Python program — about 100 lines of code — into which three bugs had been inserted by the authors. There was an “easy,” “medium,” and “hard” backdoor. There were three or four teams of auditors.

1. One auditor found the “easy” and the “medium” ones in about 70 minutes, and then spent the rest of the day failing to find any other bugs.
2. One team of two auditors found the “easy” bug in about five hours, and spent the rest of the day failing to find any other bugs.
3. One auditor found the “easy” bug in about four hours, and then stopped.
4. One auditor either found no bugs or else was on a team with the third auditor — the report is unclear.

See Chapter 7 of Yee’s report for these details. I should emphasize that that I personally consider these people to be extremely skilled. One possible conclusion that could be drawn from this experience is that a skilled backdoor-writer can defeat skilled auditors. This hypothesis holds that only accidental bugs can be reliably detected by auditors, not deliberately hidden bugs.
Anyway, as far as I understand the bugs you folks left in were accidental bugs that you then deliberately didn’t-fix, rather than bugs that you intentionally made hard-to-spot.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://blog.spideroak.com/20140220090004-responsibly-bringing-new-cryptography-product-market#footnote1

I have no problem believing it is thus, but can't help wondering if there are any ways to mitigate it.
--
Regards
rysiek

From tpb-crypto at laposte.net Tue Jun 3 15:42:50 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Wed, 04 Jun 2014 00:42:50 +0200
Subject: Google'es End-to-End
In-Reply-To: <1587119.yPTzuntpD3@lapuntu>
References: <3663262.z3uQ7fQ3vz@lapuntu> <60003339.126349.1401833983205.JavaMail.www@wwinf8306> <1587119.yPTzuntpD3@lapuntu>
Message-ID: <328801251.126680.1401835370727.JavaMail.www@wwinf8306>

> Message of 04/06/14 00:29 > From: "rysiek" > > OHAI, > > On Wednesday, 4 June 2014 00:19:43 you wrote: > > > not sure what to think about this one: > > > http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encrypt > > > ion-easier-to.html > > > > > > Technical specs: > > > https://code.google.com/p/end-to-end/ > > > > If you want to land on a watch-list and maybe no-fly list, you just install > > it in your Chrome. Because as far as we can tell Google is in bed with the > > NSA and so the proprietary browser may just flag you to the system and done > > you are, or may forward all your messages in the clear. Who knows? Which is > > worst? > > > > That's why there is not foocking way to trust proprietary software. > > Companies are forced to act like criminals on behalf of the government.
> > There is no loyalty, respect, ethics, honesty or even business which the US > > government won't try to trample upon. > > > > If one wants to go crypto, he goes all the way with OpenBSD, Tails, Kali, > > Gentoo, Firefox, Midori or even old and good Lynx, but not Chrome. > > > > lol > > A heck with it, why not -- I'll play the Google's advocate here. > > So, the extension itself will be FLOSS, as I understand, so the extension > itself will be audit-able (inb4 openssl, truecrypt). And as I understand it > *will* be installable in Chromium too. > > Is that an acceptable combination? With such an assumption ("use Chromium, > Luke!"), does End-to-End seem to make sense? Or are there other problems we > need to look into and be wary of? > With chromium, End-to-End can start looking respectable. But even then Chromium is cranked by a much smaller team than Firefox and surely suffers from the same problems OpenSSL has faced for most of its existence. From coderman at gmail.com Wed Jun 4 00:46:57 2014 From: coderman at gmail.com (coderman) Date: Wed, 4 Jun 2014 00:46:57 -0700 Subject: "a skilled backdoor-writer can defeat skilled auditors"? In-Reply-To: <538EB484.7040405@tik.ee.ethz.ch> References: <1800350.DuBgtkdSDz@lapuntu> <20140603225302.GJ10586@hexapodia.org> <538EB484.7040405@tik.ee.ethz.ch> Message-ID: On Tue, Jun 3, 2014 at 10:54 PM, Stephan Neuhaus wrote: > ... > And that I think is going too far. There might be perfectly valid > reasons to do what the developer did, and saying post-hoc that you fail > the audit because you don't like some design choices opens the door to > personal biases. (Good luck, for example, trying to write nontrivial C > without at least some form of pointer arithmetic.) there is a significant difference between engineering for safety, conservatively. and sloppy error prone techniques indicating haste and carelessness. 
pointer arithmetic in C may be unavoidable, yet using them consistently with thoughtfulness and robustness is always a great idea. defensive designs and conservative implementations are not "personal biases" in any form! [ what is defensive and conservative? well, i know it when i see it! *grin* ] > If you fail the audit, it's your duty as a professional auditor to > provide evidence that there is something actually wrong with the > software. "why do I need to add braces around my if clause? that's your opinion about style, who cares??" 'you don't have to, but a trivial edit error could bleed you for years if you don't!'

  if (what) {
    goto fail;
    goto fail; /* fail safer! */
  }

From carimachet at gmail.com Tue Jun 3 17:59:06 2014
From: carimachet at gmail.com (Cari Machet)
Date: Wed, 4 Jun 2014 00:59:06 +0000
Subject: Pirate Bay co-founder Peter Sunde arrested
In-Reply-To: <1401834742.54467.YahooMailNeo@web126206.mail.ne1.yahoo.com>
References: <1401650018.50783.YahooMailNeo@web126201.mail.ne1.yahoo.com> <1401766665.41946.YahooMailNeo@web126206.mail.ne1.yahoo.com> <1401780214.57947.YahooMailNeo@web126201.mail.ne1.yahoo.com> <538E3605.20402@riseup.net> <1401834667.44391.YahooMailNeo@web126205.mail.ne1.yahoo.com> <1401834742.54467.YahooMailNeo@web126206.mail.ne1.yahoo.com>
Message-ID:

my beautiful darlings he is in sweden - he will serve 8 months there - i got his lawyers name will post info when i hear more On Tue, Jun 3, 2014 at 10:32 PM, jim bell wrote: > Perhaps Tsarnaev is officially being charged by Massachusetts too, and > thus (for now, at least) is in Massachusetts custody.
> Jim Bell (been there, done that) > > > > ------------------------------ > *From:* Douglas Lucas > *To:* cypherpunks at cpunks.org; carimachet at gmail.com > *Sent:* Tuesday, June 3, 2014 1:54 PM > *Subject:* Re: Fw: Pirate Bay co-founder Peter Sunde arrested > > I am told--maybe incorrectly--that alleged Boston Bomber (but see > WhoWhatWhy's reporting) Dzhokhar Tsarnaev should be in the Federal > Prison inmate locator, but isn't. So maybe the people behind the locator > are sometimes deceptive. > > Douglas > > On 06/03/2014 02:23 AM, jim bell wrote: > > I just realized that he probably isn't yet returned (extradited) to the > > US, and thus probably won't be listed in the BOP Inmate locator system. > > > > ----- Forwarded Message ----- > > *From:* jim bell > > *To:* Cari Machet > > *Sent:* Monday, June 2, 2014 8:37 PM > > *Subject:* Re: Pirate Bay co-founder Peter Sunde arrested > > > > There is such a thing as a Federal Prison inmate locator. > > http://www.bop.gov/inmateloc/ > > I tried it, but it doesn't show him. ( I don't know his age, etc.) It > > would certainly show him if he is convicted, but before? Let's figure > > out where (which city) he is in. Sometimes Federal prisoners are sent > > to county jails while they are waiting for a trial. > > Jim Bell > > > > > > > > ------------------------------------------------------------------------ > > *From:* Cari Machet > > *To:* jim bell > > *Cc:* "cypherpunks at cpunks.org" > > *Sent:* Monday, June 2, 2014 12:48 PM > > *Subject:* Re: Pirate Bay co-founder Peter Sunde arrested > > > > hey any info on where mail can be sent wld be helpful - thanks > > > > > > On Sun, Jun 1, 2014 at 7:13 PM, jim bell > > wrote: > > > > > > > > http://news.yahoo.com/law-finally-catches-pirate-bay-torrent-co-founder-144400334.html > > > > Pirate Bay co-founder Peter Sunde was arrested late Saturday after > > being on the lam for nearly two years. 
One of the minds behind the > > popular-yet-tantalizingly-illegal file-sharing service had been set > > to serve jail time for copyright violations when he bolted. > > > > > > > > > > > > > -- Cari Machet NYC 646-436-7795 carimachet at gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited.

From coderman at gmail.com Wed Jun 4 01:01:03 2014
From: coderman at gmail.com (coderman)
Date: Wed, 4 Jun 2014 01:01:03 -0700
Subject: stinky shit in fedland - lawful^H^H^Hless mobile fuckery cover-ups in progress...
In-Reply-To:
References:
Message-ID:

https://www.aclu.org/files/assets/100823_transcription_of_suppression_hearing_28unsealed_pages_11-2429.pdf Stingrays can track cell phones whenever the phones are turned on, not just when they are making or receiving calls. Stingrays force cell phones in range to transmit information back “at full signal, consuming battery faster.” Is your phone losing battery power particularly quickly today? Maybe the cops are using a stingray nearby. When in use, stingrays are “evaluating all the [cell phone] handsets in the area” in order to search for the suspect’s phone. That means that large numbers of innocent bystanders’ location and phone information is captured. In this case, police used two versions of the stingray — one mounted on a police vehicle, and the other carried by hand.
Police drove through the area using the vehicle-based device until they found the apartment complex in which the target phone was located, and then they walked around with the handheld device and stood “at every door and every window in that complex” until they figured out which apartment the phone was located in. In other words, police were lurking outside people’s windows and sending powerful electronic signals into their private homes in order to collect information from within. The Tallahassee detective testifying in the hearing estimated that, between spring of 2007 and August of 2010, the Tallahassee Police had used stingrays approximately “200 or more times.” it gets worse from here... ;) From coderman at gmail.com Wed Jun 4 01:04:24 2014 From: coderman at gmail.com (coderman) Date: Wed, 4 Jun 2014 01:04:24 -0700 Subject: stinky shit in fedland - lawful^H^H^Hless mobile fuckery cover-ups in progress... In-Reply-To: References: Message-ID: On Wed, Jun 4, 2014 at 1:01 AM, coderman wrote: > https://www.aclu.org/files/assets/100823_transcription_of_suppression_hearing_28unsealed_pages_11-2429.pdf that is the transcript. 
the summary i included above is in this update post: https://www.aclu.org/blog/national-security-technology-and-liberty/victory-judge-releases-information-about-police-use

From rysiek at hackerspace.pl Tue Jun 3 17:08:02 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Wed, 04 Jun 2014 02:08:02 +0200
Subject: Google'es End-to-End
In-Reply-To: <538E6064.1010101@cmu.edu>
References: <3663262.z3uQ7fQ3vz@lapuntu> <328801251.126680.1401835370727.JavaMail.www@wwinf8306> <538E6064.1010101@cmu.edu>
Message-ID: <1708528.yaAc8RAH8B@lapuntu>

On Tuesday, 3 June 2014 19:55:16 James Murphy wrote: > On 6/3/2014 18:42, tpb-crypto at laposte.net wrote: > >> Message of 04/06/14 00:29 > >> From: "rysiek" > >> > >> OHAI, > >> > >> On Wednesday, 4 June 2014 00:19:43 you wrote: > >>>> not sure what to think about this one: > >>>> http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encr > >>>> ypt > >>>> ion-easier-to.html > >>>> > >>>> Technical specs: > >>>> https://code.google.com/p/end-to-end/ > >>> > >>> If you want to land on a watch-list and maybe no-fly list, you just > >>> install > >>> it in your Chrome. Because as far as we can tell Google is in bed with > >>> the > >>> NSA and so the proprietary browser may just flag you to the system and > >>> done > >>> you are, or may forward all your messages in the clear. Who knows? Which > >>> is > >>> worst? > >>> > >>> That's why there is not foocking way to trust proprietary software. > >>> Companies are forced to act like criminals on behalf of the government. > >>> There is no loyalty, respect, ethics, honesty or even business which the > >>> US > >>> government won't try to trample upon. > >>> > >>> If one wants to go crypto, he goes all the way with OpenBSD, Tails, > >>> Kali, > >>> Gentoo, Firefox, Midori or even old and good Lynx, but not Chrome. > >>> > >>> lol > >> > >> A heck with it, why not -- I'll play the Google's advocate here.
> >> > >> So, the extension itself will be FLOSS, as I understand, so the extension > >> itself will be audit-able (inb4 openssl, truecrypt). And as I understand > >> it > >> *will* be installable in Chromium too. > >> > >> Is that an acceptable combination? With such an assumption ("use > >> Chromium, > >> Luke!"), does End-to-End seem to make sense? Or are there other problems > >> we > >> need to look into and be wary of? > > > > With chromium, End-to-End can start looking respectable. But even then > > Chromium is cranked by a much smaller team than Firefox and surely > > suffers from the same problems OpenSSL has faced for most of its > > existence. > I went ahead and tried it out. One click to make a key and it integrates > into gmail. It's not going to replace PGP for anyone who already has a > key pair, but making end-to-end encryption one-click-easy is a shoe in > the door for getting the public to start caring about its own privacy > (and hence ours). Okay, but how does that play with other PGP users? For example, will I be able to verify your signature with my "old" GPG?
--
Regards
rysiek

From tpb-crypto at laposte.net Tue Jun 3 18:01:57 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Wed, 04 Jun 2014 03:01:57 +0200
Subject: Google'es End-to-End
In-Reply-To: <538E6064.1010101@cmu.edu>
References: <3663262.z3uQ7fQ3vz@lapuntu> <60003339.126349.1401833983205.JavaMail.www@wwinf8306> <1587119.yPTzuntpD3@lapuntu> <328801251.126680.1401835370727.JavaMail.www@wwinf8306> <538E6064.1010101@cmu.edu>
Message-ID: <1288515844.136815.1401843745271.JavaMail.www@wwinf8227>

> Message of 04/06/14 02:01 > From: "James Murphy" > > On 6/3/2014 18:42, tpb-crypto at laposte.net wrote: > >> Message of 04/06/14 00:29 > >> From: "rysiek" > >> > >> OHAI, > >> > >> On Wednesday, 4 June 2014 00:19:43 you wrote: > >>>> not sure what to think about this one: > >>>> http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encrypt > >>>> ion-easier-to.html > >>>> > >>>> Technical specs: > >>>> https://code.google.com/p/end-to-end/ > >>> > >>> If you want to land on a watch-list and maybe no-fly list, you just install > >>> it in your Chrome. Because as far as we can tell Google is in bed with the > >>> NSA and so the proprietary browser may just flag you to the system and done > >>> you are, or may forward all your messages in the clear. Who knows? Which is > >>> worst? > >>> > >>> That's why there is not foocking way to trust proprietary software. > >>> Companies are forced to act like criminals on behalf of the government. > >>> There is no loyalty, respect, ethics, honesty or even business which the US > >>> government won't try to trample upon. > >>> > >>> If one wants to go crypto, he goes all the way with OpenBSD, Tails, Kali, > >>> Gentoo, Firefox, Midori or even old and good Lynx, but not Chrome. > >>> > >>> lol > >> > >> A heck with it, why not -- I'll play the Google's advocate here. > >> > >> So, the extension itself will be FLOSS, as I understand, so the extension > >> itself will be audit-able (inb4 openssl, truecrypt).
And as I understand it > >> *will* be installable in Chromium too. > >> > >> Is that an acceptable combination? With such an assumption ("use Chromium, > >> Luke!"), does End-to-End seem to make sense? Or are there other problems we > >> need to look into and be wary of? > >> > > > > With chromium, End-to-End can start looking respectable. But even then Chromium is cranked by a much smaller team than Firefox and surely suffers from the same problems OpenSSL has faced for most of its existence. > > > > I went ahead and tried it out. One click to make a key and it integrates > into gmail. It's not going to replace PGP for anyone who already has a > key pair, but making end-to-end encryption one-click-easy is a shoe in > the door for getting the public to start caring about its own privacy > (and hence ours). > I find the combination of gmail and chromium while thinking in privacy a risible solution. But hey, it may help grandma think about protecting herself, ok. False sense of security is the best we can hope at this point. That's sad, man.

From tpb-crypto at laposte.net Tue Jun 3 18:06:43 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Wed, 04 Jun 2014 03:06:43 +0200
Subject: "a skilled backdoor-writer can defeat skilled auditors"?
In-Reply-To: <20140603225302.GJ10586@hexapodia.org>
References: <1800350.DuBgtkdSDz@lapuntu> <20140603225302.GJ10586@hexapodia.org>
Message-ID: <1462819215.136856.1401844030733.JavaMail.www@wwinf8227>

> Message of 04/06/14 00:58 > From: "Andy Isaacson" > > On Wed, Jun 04, 2014 at 12:35:20AM +0200, rysiek wrote: > > In short several very skilled security auditors examined a small Python > > program — about 100 lines of code — into which three bugs had been inserted by > > the authors. There was an “easy,” “medium,” and “hard” backdoor. There were > > three or four teams of auditors. > > > > 1.
One auditor found the “easy” and the “medium” ones in about 70 minutes, and > > then spent the rest of the day failing to find any other bugs. > > > > 2. One team of two auditors found the “easy” bug in about five hours, and > > spent the rest of the day failing to find any other bugs. > > > > 3. One auditor found the “easy” bug in about four hours, and then stopped. > > > > 4. One auditor either found no bugs or else was on a team with the third > > auditor — the report is unclear. > > > > See Chapter 7 of Yee’s report for these details. > > > > I should emphasize that that I personally consider these people to be > > extremely skilled. One possible conclusion that could be drawn from this > > experience is that a skilled backdoor-writer can defeat skilled auditors. This > > hypothesis holds that only accidental bugs can be reliably detected by > > auditors, not deliberately hidden bugs. > > > > Anyway, as far as I understand the bugs you folks left in were accidental bugs > > that you then deliberately didn’t-fix, rather than bugs that you intentionally > > made hard-to-spot. > > > > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > https://blog.spideroak.com/20140220090004-responsibly-bringing-new-cryptography-product-market#footnote1 > > > > I have no problem believing it is thus, but can't help wondering if there are > > any ways to mitigate it. > > > My mitigation would be to make auditing a default-deny rule, rather than > a default-allow. > > Security auditing needs to be a holistic analysis, starting by > re-engaging with the requirements, verifying that the design is a > sensible and minimal approach to addressing the requirements, and > verifying that the implementation is a sensible, safe, auditable, > version controlled, approach to the design. 
> > If the auditor at any point says "Well, I wouldn't have *recommended* > that you implement your JSON parsing in ad-hoc C with pointer arithmetic > and poor and misleading comments, but I can't find any *bugs* so I guess > it must be OK" then that is an immediate fail. > > This is the default deny: we default to assuming the system is insecure, > and any sign that this might be true results in a failure. > > Versus the current auditing method of default-allow: we run the audit, > and if no *concrete* exploits or bugs are found before the auditors run > out of time, then we trumpet that the system "has passed its audit". > > Only if the design is sane, the implementation is sane, the development > team is following best practices and defensive coding strategies, with a > cryptographically and procedurally audited edit trail (immutable git > commit logs signed and committed to W/O media) in a development > environment that is safe by default rather than risky by default ... > > ... then you *might* have a chance of catching the intentional backdoor > inserted by the APT malware on your team member's workstation. > > Current efforts in this direction fall *very* far short of the utopia I > describe. > > -andy > Your proposal would cause 99% of software currently in use to be rejected and make the development costs increase as astronomically as to be compared to medical research. That would also smother the hopes of all people that see coding and computers as a way out of poverty. Like, outsourcing stuff to Asia would grind to a halt. I agree your proposal is good and doable, yet at a cost the world doesn't wish to pay. It wouldn't reduce innovation, probably would increase it, though. Also it would filter out all incompetents and posers, forcing them to adapt or look at burger flipping in McDonald's with other eyes ... 
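
The braces exchange in coderman's message earlier in this archive (the `goto fail; goto fail;` snippet), worked through as an added C example that is not code from any poster on the list. `check_hash`, `check_signature` and the two `verify_*` functions are hypothetical stand-ins, and the "signature" check is a constructed toy.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for real checks: 0 means "ok", non-zero means "reject". */
static int check_hash(const char *msg)
{
    return msg != NULL ? 0 : -1;
}

static int check_signature(const char *msg, const char *sig)
{
    /* Toy rule for the example only: a signature is valid iff it equals the message. */
    return strcmp(msg, sig) == 0 ? 0 : -2;
}

/*
 * No braces. A duplicated line (merge accident, stray paste, or a deliberate
 * edit) sits outside the if, so it always runs and skips the signature check.
 * err still holds 0 from the successful hash check, so the caller sees "ok".
 * GCC's -Wmisleading-indentation (part of -Wall) flags this shape.
 */
int verify_unbraced(const char *msg, const char *sig)
{
    int err;

    if ((err = check_hash(msg)) != 0)
        goto fail;
        goto fail;                          /* NOT guarded by the if above */
    if ((err = check_signature(msg, sig)) != 0)
        goto fail;                          /* never reached */

fail:
    return err;
}

/*
 * Same duplicated line, but inside braces: it becomes dead code after the
 * first goto and the signature check still runs.
 */
int verify_braced(const char *msg, const char *sig)
{
    int err;

    if ((err = check_hash(msg)) != 0) {
        goto fail;
        goto fail;                          /* harmless duplicate */
    }
    if ((err = check_signature(msg, sig)) != 0) {
        goto fail;
    }

fail:
    return err;
}

int main(void)
{
    /* Constructed inputs: "forged" does not match the message. */
    printf("unbraced, forged sig: %d\n", verify_unbraced("msg", "forged"));
    printf("braced,   forged sig: %d\n", verify_braced("msg", "forged"));
    printf("braced,   valid sig:  %d\n", verify_braced("msg", "msg"));
    return 0;
}
```

The two functions differ by four brace characters, which is why a reviewer reading a diff can miss the change while a style rule or compiler warning catches it mechanically.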
From stephan.neuhaus at tik.ee.ethz.ch Tue Jun 3 22:54:12 2014 From: stephan.neuhaus at tik.ee.ethz.ch (Stephan Neuhaus) Date: Wed, 04 Jun 2014 07:54:12 +0200 Subject: "a skilled backdoor-writer can defeat skilled auditors"? In-Reply-To: <20140603225302.GJ10586@hexapodia.org> References: <1800350.DuBgtkdSDz@lapuntu> <20140603225302.GJ10586@hexapodia.org> Message-ID: <538EB484.7040405@tik.ee.ethz.ch> On 2014-06-04, 00:53, Andy Isaacson wrote: > If the auditor at any point says "Well, I wouldn't have > *recommended* that you implement your JSON parsing in ad-hoc C with > pointer arithmetic and poor and misleading comments, but I can't find > any *bugs* so I guess it must be OK" then that is an immediate fail. And that I think is going too far. There might be perfectly valid reasons to do what the developer did, and saying post-hoc that you fail the audit because you don't like some design choices opens the door to personal biases. (Good luck, for example, trying to write nontrivial C without at least some form of pointer arithmetic.) If you fail the audit, it's your duty as a professional auditor to provide evidence that there is something actually wrong with the software. It's OK to single out some pieces of code for closer inspection because of code smells, but if you try your darnedest to find something wrong with it and can't, then either the code is OK or you're not good enough an auditor. In either case, you can flag the code, you can recommend rewriting it according to what you think is better style, but you can't in good conscience fail the audit. Fun, Stephan From tom at ritter.vg Wed Jun 4 05:50:14 2014 From: tom at ritter.vg (Tom Ritter) Date: Wed, 4 Jun 2014 08:50:14 -0400 Subject: "a skilled backdoor-writer can defeat skilled auditors"? 
In-Reply-To: <538EB484.7040405@tik.ee.ethz.ch> References: <1800350.DuBgtkdSDz@lapuntu> <20140603225302.GJ10586@hexapodia.org> <538EB484.7040405@tik.ee.ethz.ch> Message-ID: On 4 June 2014 01:54, Stephan Neuhaus wrote: > If you fail the audit, it's your duty as a professional auditor to > provide evidence that there is something actually wrong with the > software. It's OK to single out some pieces of code for closer > inspection because of code smells, but if you try your darnedest to find > something wrong with it and can't, then either the code is OK or you're > not good enough an auditor. In either case, you can flag the code, you > can recommend rewriting it according to what you think is better style, > but you can't in good conscience fail the audit. > Perhaps this is getting too far into nits and wording, but I audit software for my day job (iSEC Partners). I'm not speaking for my employer. But, with very few exceptions (we have a compliance arm for example), one does not 'Pass' or 'Fail' one of our audits. (Perhaps they might be better termed as 'security assessments' then, like we call them internally, but we're speaking in common english, and people tend to use them synonymously.) Our customers are (mostly) on board with that too. They never ask us if they 'passed' or failed' - I'm certain some of them look at a report where we failed to 'steal the crown jewels' as a successful audit - but the expectation we set with them, and they sign on with, is not one of 'Pass/Fail'. And engagements where they want a statement saying they're secure, we turn down - we're not in the business of rubber stamps*. Our goal is to review software, identify bugs, and provide recommendations to fix that issue and prevent it from occurring again. AND, in addition to the specific bugs, provide general recommendations for the team to make their application and environment more secure - provide defense in depth. 
Maybe I didn't find a bug that let me do X, but if there's a layer of defense you can put in that would stop someone who did, and you're missing that layer, I would recommend it. Examples: I audited an application that had no Mass Assignment bugs - but no defenses against it either. Blacklists preventing XSS instead of whitelist approaches, and like Andy said, homebrew C-code parsing JSON. We 'flag'-ed all of that, and told them they should rewrite, rearchitect, or add layered defenses - even if we couldn't find bugs or bypasses. So the notion of 'Passing' or 'Failing' an audit is pretty foreign to me. Perhaps people mean a different type of work (compliance?) than the one I do. -tom * The closest we get is one where we say 'We tested X as of [Date] for Y amount of time for the following classes of vulnerabilities, reported them, retested them Z months later, and confirmed they were fixed.' As we do this very rarely, very selectively, for clients we've dealt with before.

From jtmurphy at cmu.edu Wed Jun 4 06:57:46 2014
From: jtmurphy at cmu.edu (James Murphy)
Date: Wed, 04 Jun 2014 09:57:46 -0400
Subject: Google'es End-to-End
In-Reply-To: <538E7FFA.2010604@virtadpt.net>
References: <3663262.z3uQ7fQ3vz@lapuntu> <328801251.126680.1401835370727.JavaMail.www@wwinf8306> <538E6064.1010101@cmu.edu> <1708528.yaAc8RAH8B@lapuntu> <538E7115.2010401@cmu.edu> <538E7FFA.2010604@virtadpt.net>
Message-ID: <538F25DA.6050100@cmu.edu>

On 6/3/2014 22:10, The Doctor wrote: > On 06/03/2014 06:06 PM, James Murphy wrote: > >> email. I was not able to verify the signature though since gpg >> doesn't support elliptic curve keys (I wonder why not). Presumably >> (hopefully) gpg will be adding EC support in the future and this >> will no longer be an issue.
> > I did a little looking around, and found the following: > > http://www.mail-archive.com/gnupg-users at gnupg.org/msg20573.html > > Supposedly it was merged into the v2 source tree a few years ago: > > https://code.google.com/p/gnupg-ecc/ > > It seems that at least some of the development builds incorporate ECC > in --expert mode. I just tried it on my standard install (GnuPG > v2.0.22 (64-bit)) on a new user, and saw no signs of ECC support. > This says that it's in the v2.1.x source tree, which is probably why I > don't have it: > > https://superuser.com/questions/623090/how-can-i-use-gnupg-with-ecdsa-keys > > What release of GnuPG do you normally use? > > On this machine I'm using gpg (GnuPG) 2.0.22 (Gpg4win 2.2.1) libgcrypt 1.5.3 I never noticed the two '?'s in the supported algos before. Supported algorithms: Pubkey: RSA, ELG, DSA, ?, ? Cipher: IDEA, 3DES, CAST5, BLOWFISH, AES, AES192, AES256, TWOFISH, CAMELLIA128, CAMELLIA192, CAMELLIA256 Hash: MD5, SHA1, RIPEMD160, SHA256, SHA384, SHA512, SHA224 Compression: Uncompressed, ZIP, ZLIB, BZIP2 Perhaps they are ECDSA and ECDH. In any case gpg --expert --gen-key doesn't give the option for elliptic curve keys. I guess this is a developer branch only feature for now. From adi at hexapodia.org Wed Jun 4 11:22:52 2014 From: adi at hexapodia.org (Andy Isaacson) Date: Wed, 4 Jun 2014 11:22:52 -0700 Subject: "a skilled backdoor-writer can defeat skilled auditors"? In-Reply-To: References: <1800350.DuBgtkdSDz@lapuntu> <20140603225302.GJ10586@hexapodia.org> <538EB484.7040405@tik.ee.ethz.ch> Message-ID: <20140604182252.GM10586@hexapodia.org> On Wed, Jun 04, 2014 at 08:50:14AM -0400, Tom Ritter wrote: > On 4 June 2014 01:54, Stephan Neuhaus > wrote: > > If you fail the audit, it's your duty as a professional auditor to > > provide evidence that there is something actually wrong with the > > software. 
It's OK to single out some pieces of code for closer > > inspection because of code smells, but if you try your darnedest to find > > something wrong with it and can't, then either the code is OK or you're > > not good enough an auditor. In either case, you can flag the code, you > > can recommend rewriting it according to what you think is better style, > > but you can't in good conscience fail the audit. Stephan, I strongly disagree. There are implementations that are Just Too Complicated and are Impossible To Audit. Such implementation choices *do*, empirically, provide cover for bugs; and as we as a society build more and more software into the fabric of our life-critical systems it's imperative that "the implementor liked this complexity and refuses to change it" gives way to the larger goals at stake. The auditor absolutely must have leeway to say "no you don't get to write your own string processing, you are going to use the standard ones." This kind of feedback is precisely what happens in the higher quality audits that are becoming standard practice for security-critical software. > Perhaps this is getting too far into nits and wording, but I audit software > for my day job (iSEC Partners). I'm not speaking for my employer. But, > with very few exceptions (we have a compliance arm for example), one does > not 'Pass' or 'Fail' one of our audits. (Perhaps they might be better > termed as 'security assessments' then, like we call them internally, but > we're speaking in common English, and people tend to use them synonymously.) As a satisfied iSec customer (at a previous job), I have a bit of insight here. iSec is a leader in this space and definitely leads by example. Across the industry, the average quality of discourse in the source auditing business is pretty good in my experience; only the bottom-skimming truly awful auditors reduce their customer-facing feedback to just a binary pass/fail.
However, inevitably, in the societal analysis of software quality for practical purposes, reductive reasoning happens. (This is not a bad thing, it's absolutely necessary -- we humans don't have the cognitive capacity to hold a complete decision tree in our head while doing this reasoning.) Thus statements like "you should use $OSS_CRYPTO_PACKAGE, it has passed its audits" end up playing a role in the discourse. We as domain experts have an obligation to ensure that our contribution is given appropriate weight in the debate and decisions -- in both directions. For example if an auditor sees their results being mis-interpreted in customer marketing material or media coverage, the auditor has a moral obligation to correct that and insist that the mischaracterization stop. (And yes, I believe that this moral obligation would override an NDA between the customer and the auditor; the contract should be structured to recognize this fact.) -andy From rysiek at hackerspace.pl Wed Jun 4 05:39:54 2014 From: rysiek at hackerspace.pl (rysiek) Date: Wed, 04 Jun 2014 14:39:54 +0200 Subject: "a skilled backdoor-writer can defeat skilled auditors"? In-Reply-To: <20140604013251.GL10586@hexapodia.org> References: <1800350.DuBgtkdSDz@lapuntu> <1462819215.136856.1401844030733.JavaMail.www@wwinf8227> <20140604013251.GL10586@hexapodia.org> Message-ID: <3570264.Ff0Ev9ACin@lapuntu> Dnia wtorek, 3 czerwca 2014 18:32:52 piszesz: > On Wed, Jun 04, 2014 at 03:06:43AM +0200, tpb-crypto at laposte.net wrote: > > Your proposal would cause 99% of software currently in use to be > > rejected > > That seems like a feature... > > (note that I don't think most software should be audited as security > critical. We can reduce the Trusted Computing Base and audit only those > bits.) > > > and make the development costs increase as astronomically as > > to be compared to medical research. > > I like to compare our current situation to the Steam Age. 
There was an > enormous amount of innovation in steam power, heating, etc in the 1800s. > There was a concomitant lack of standardized safety measures, and > occasionally boilers exploded taking entire apartment buildings with > them. > > Over time the rate of innovation decreased, standardization set in, > safety measures were instituted, and now we have boring steam radiators > in apartment buildings rather than exciting steam-powered Difference > Engines in our pockets. I love that analogy. I was usually using "one of the reasons bridges are safe today is because we have safety standards and not everybody can build one", but yours is much better. -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From drwho at virtadpt.net Wed Jun 4 18:07:58 2014 From: drwho at virtadpt.net (The Doctor) Date: Wed, 04 Jun 2014 18:07:58 -0700 Subject: Google'es End-to-End In-Reply-To: <538F25DA.6050100@cmu.edu> References: <3663262.z3uQ7fQ3vz@lapuntu> <328801251.126680.1401835370727.JavaMail.www@wwinf8306> <538E6064.1010101@cmu.edu> <1708528.yaAc8RAH8B@lapuntu> <538E7115.2010401@cmu.edu> <538E7FFA.2010604@virtadpt.net> <538F25DA.6050100@cmu.edu> Message-ID: <538FC2EE.5070902@virtadpt.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 06/04/2014 06:57 AM, James Murphy wrote: > I never noticed the two '?'s in the supported algos before. An interesting observation. > Supported algorithms: Pubkey: RSA, ELG, DSA, ?, ? Here's what I have in the same place: Pubkey: RSA, ELG, DSA, ECC, ? A little nosing around reveals this: http://lists.gnupg.org/pipermail/gnupg-devel/2014-January/028147.html So, the two question marks should be 'ECC' and 'ECC'. > Perhaps they are ECDSA and ECDH. In any case gpg --expert > --gen-key doesn't give the option for elliptic curve keys. I guess > this is a developer branch only feature for now.
Mine does not support it, either, and the existing documentation is that it is a development branch (v2.1.x) only option. - -- The Doctor [412/724/301/703] [ZS] Developer, Project Byzantium: http://project-byzantium.org/ PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1 WWW: https://drwho.virtadpt.net/ "The little boat flipped over." --The Plague, _Hackers_ From drwho at virtadpt.net Wed Jun 4 18:46:06 2014 From: drwho at virtadpt.net (The Doctor) Date: Wed, 04 Jun 2014 18:46:06 -0700 Subject: Google'es End-to-End In-Reply-To: <538fc5c0.847cec0a.075e.ffffb63c@mx.google.com> References: <3663262.z3uQ7fQ3vz@lapuntu> <328801251.126680.1401835370727.JavaMail.www@wwinf8306> <538E6064.1010101@cmu.edu> <1708528.yaAc8RAH8B@lapuntu> <538E7115.2010401@cmu.edu> <538E7FFA.2010604@virtadpt.net> <538F25DA.6050100@cmu.edu> <538FC2EE.5070902@virtadpt.net> <538fc5c0.847cec0a.075e.ffffb63c@mx.google.com> Message-ID: <538FCBDE.4000408@virtadpt.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 06/04/2014 06:22 PM, Juan wrote: > mine says : RSA, ELG, NSA, DSA, ECC, ? Hey! What was that?
- -- The Doctor [412/724/301/703] [ZS] Developer, Project Byzantium: http://project-byzantium.org/ PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1 WWW: https://drwho.virtadpt.net/ "The little boat flipped over." --The Plague, _Hackers_ From jamesd at echeque.com Wed Jun 4 05:15:37 2014 From: jamesd at echeque.com (James A. Donald) Date: Wed, 04 Jun 2014 22:15:37 +1000 Subject: "a skilled backdoor-writer can defeat skilled auditors"? In-Reply-To: <1800350.DuBgtkdSDz@lapuntu> References: <1800350.DuBgtkdSDz@lapuntu> Message-ID: <538F0DE9.1020204@echeque.com> On 2014-06-04 08:35, rysiek wrote: > Hi there, > > in a different thread, Cam posted a link containing this gem: > > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > In short several very skilled security auditors examined a small Python > program — about 100 lines of code — into which three bugs had been inserted by > the authors. There was an “easy,” “medium,” and “hard” backdoor. There were > three or four teams of auditors. > > 1.
One auditor found the “easy” and the “medium” ones in about 70 minutes, and > then spent the rest of the day failing to find any other bugs. > > 2. One team of two auditors found the “easy” bug in about five hours, and > spent the rest of the day failing to find any other bugs. > > 3. One auditor found the “easy” bug in about four hours, and then stopped. > > 4. One auditor either found no bugs or else was on a team with the third > auditor — the report is unclear. > > See Chapter 7 of Yee’s report for these details. > > I should emphasize that that I personally consider these people to be > extremely skilled. One possible conclusion that could be drawn from this > experience is that a skilled backdoor-writer can defeat skilled auditors. This > hypothesis holds that only accidental bugs can be reliably detected by > auditors, not deliberately hidden bugs. > > Anyway, as far as I understand the bugs you folks left in were accidental bugs > that you then deliberately didn’t-fix, rather than bugs that you intentionally > made hard-to-spot. > > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > https://blog.spideroak.com/20140220090004-responsibly-bringing-new-cryptography-product-market#footnote1 > > I have no problem believing it is thus, but can't help wondering if there are > any ways to mitigate it. > The underhanded C contest produced stuff that was pretty easy to detect. Maybe Python supports more subtle bugs, or maybe the auditors sucked. 
From juan.g71 at gmail.com Wed Jun 4 18:22:11 2014 From: juan.g71 at gmail.com (Juan) Date: Wed, 4 Jun 2014 22:22:11 -0300 Subject: Google'es End-to-End In-Reply-To: <538FC2EE.5070902@virtadpt.net> References: <3663262.z3uQ7fQ3vz@lapuntu> <328801251.126680.1401835370727.JavaMail.www@wwinf8306> <538E6064.1010101@cmu.edu> <1708528.yaAc8RAH8B@lapuntu> <538E7115.2010401@cmu.edu> <538E7FFA.2010604@virtadpt.net> <538F25DA.6050100@cmu.edu> <538FC2EE.5070902@virtadpt.net> Message-ID: <538fc5c0.847cec0a.075e.ffffb63c@mx.google.com> On Wed, 04 Jun 2014 18:07:58 -0700 The Doctor wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > On 06/04/2014 06:57 AM, James Murphy wrote: > > > I never noticed the two '?'s in the supported algos before. > > An interesting observation. > > > Supported algorithms: Pubkey: RSA, ELG, DSA, ?, ? > > Here's what I have in the same place: > > Pubkey: RSA, ELG, DSA, ECC, ? mine says : RSA, ELG, NSA, DSA, ECC, ? From lists at infosecurity.ch Wed Jun 4 21:05:42 2014 From: lists at infosecurity.ch (Fabio Pietrosanti (naif)) Date: Thu, 05 Jun 2014 06:05:42 +0200 Subject: Google'es End-to-End In-Reply-To: <3663262.z3uQ7fQ3vz@lapuntu> References: <3663262.z3uQ7fQ3vz@lapuntu> Message-ID: <538FEC96.8050306@infosecurity.ch> Il 6/3/14, 11:53 PM, rysiek ha scritto: > Hi there, > > not sure what to think about this one: > http://googleonlinesecurity.blogspot.com/2014/06/making-end-to-end-encryption-easier-to.html > > Technical specs: > https://code.google.com/p/end-to-end/ > It's very bad that they reimplemented a new PGP stack in JS when there is a multi-stakeholder community effort with OpenPGP.js www.openpgpjs.org Look their comments about it: https://news.ycombinator.com/item?id=7843297 "Not a stupid question at all. We actually considered this option, but OpenPGP.js looked pretty bad back then. Security-wise the library wasn't in good shape. One of our cryptographers would "classify [OpenPGP.js] as trash. 
It has been audited recently, but the result doesn't look very good either" I think that Google should make a turn-back and switch to using OpenPGP.js, that's a modular, secure, widely compatible and performant PGP stack library in javascript, with heavy improvements done in the last 9 months, thanks to multiple developers working on it for different projects. I reported such issue here: https://code.google.com/p/end-to-end/issues/detail?id=3 -- Fabio Pietrosanti (naif) HERMES - Center for Transparency and Digital Human Rights http://logioshermes.org - http://globaleaks.org - http://tor2web.org -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2484 bytes Desc: not available URL: From stephan.neuhaus at tik.ee.ethz.ch Thu Jun 5 00:16:19 2014 From: stephan.neuhaus at tik.ee.ethz.ch (Stephan Neuhaus) Date: Thu, 05 Jun 2014 09:16:19 +0200 Subject: "a skilled backdoor-writer can defeat skilled auditors"? In-Reply-To: References: <1800350.DuBgtkdSDz@lapuntu> <20140603225302.GJ10586@hexapodia.org> <538EB484.7040405@tik.ee.ethz.ch> Message-ID: <53901943.7040603@tik.ee.ethz.ch> On 2014-06-04, 09:46, coderman wrote: > there is a significant difference between engineering for safety, > conservatively. and sloppy error prone techniques indicating haste > and carelessness. > > pointer arithmetic in C may be unavoidable, yet using them > consistently with thoughtfulness and robustness is always a great > idea. Absolutely. My gripe was with the "automatic fail" of the OP. It's perfectly fine to say "this code doesn't look as if it was engineered for safety and you should consider rewriting it", and you can say "I can't audit this code, it's too complex for me", but you can't, IMHO, say "I fail this code's audit because it has a number of code smells" unless absence of code smells was a design requirement or there is evidence that these code smells are associated with security problems. 
Fun, Stephan -- From stephan.neuhaus at tik.ee.ethz.ch Thu Jun 5 00:16:24 2014 From: stephan.neuhaus at tik.ee.ethz.ch (Stephan Neuhaus) Date: Thu, 05 Jun 2014 09:16:24 +0200 Subject: "a skilled backdoor-writer can defeat skilled auditors"? In-Reply-To: <20140604182252.GM10586@hexapodia.org> References: <1800350.DuBgtkdSDz@lapuntu> <20140603225302.GJ10586@hexapodia.org> <538EB484.7040405@tik.ee.ethz.ch> <20140604182252.GM10586@hexapodia.org> Message-ID: <53901948.5080702@tik.ee.ethz.ch> On 2014-06-04, 20:22, Andy Isaacson wrote: > On Wed, Jun 04, 2014 at 08:50:14AM -0400, Tom Ritter wrote: >> On 4 June 2014 01:54, Stephan Neuhaus >> wrote: >>> If you fail the audit, it's your duty as a professional auditor to >>> provide evidence that there is something actually wrong with the >>> software. It's OK to single out some pieces of code for closer >>> inspection because of code smells, but if you try your darnedest to find >>> something wrong with it and can't, then either the code is OK or you're >>> not good enough an auditor. In either case, you can flag the code, you >>> can recommend rewriting it according to what you think is better style, >>> but you can't in good conscience fail the audit. > > Stephan, > > I strongly disagree. There are implementations that are Just Too > Complicated and are Impossible To Audit. Such implementation choices > *do*, empirically, provide cover for bugs; and as we as a society build > more and more software into the fabric of our life-critical systems it's > imperative that "the implementor liked this complexity and refuses to > change it" gives way to the larger goals at stake. The auditor > absolutely must have leeway to say "no you don't get to write your own > string processing, you are going to use the standard ones." I think that we are mostly in agreement, except perhaps in wording. We both agree that auditors rarely "pass/fail" software in a binary fashion. 
And as I wrote, the auditor absolutely has the leeway to recommend rewriting. But my gripe was with the "automatic fail" in the original post, to which I said that this was "going too far". If you do go that far (i.e., don't just recommend changes, but "fail" the audit), your verdict must be founded on evidence. For example, if it were actually true that complexity, "empirically, provides cover for bugs", that would be a perfectly good argument in favour of failing an audit. It's just that I've worked for a few years in precisely this field and all the studies I saw simply failed to show the necessary correlations. (The best study I know, by Yonghee Shin and Laurie Williams, shows rho <= 0.3, and that on the vulnerability-infested Mozilla JavaScript engine. See http://collaboration.csc.ncsu.edu/laurie/Papers/p47-shin.pdf) This shows, I think, that auditors must be extra careful not to confuse folklore with evidence. You can say "this code is too complex for me to audit", and you can add "this should give you food for thought and you should consider rewriting it in a simpler style", but *as the auditor* you cannot say "I fail the code because I can't audit it" unless auditability was a design requirement. (For the *owners* of the code, their options are of course much greater, but we were talking about this from the auditor's perspective, and the OP talked about an "automatic fail" if the code turned out to have certain smells. If a smell isn't backed up by evidence, it's just a personal prejudice or folklore. Which, incidentally, would be excellent new terms to replace "Best Practice" in many cases.) Again, please note that I agree with you that auditability and simplicity, using braces even for single-line if-statements, library functions rather than self-made string libraries, and all these other things, ought to be design requirements, especially for security-critical software, because they make auditing easier. 
It's just that if it wasn't, then you can fault the design requirements (though that may be outside your remit as auditor), but you can't "automatically fail" the implementation. Fun, Stephan From tommy at collison.ie Thu Jun 5 10:09:42 2014 From: tommy at collison.ie (Tommy Collison) Date: Thu, 05 Jun 2014 10:09:42 -0700 Subject: Reset the Net In-Reply-To: References: Message-ID: <5390A456.3080703@collison.ie> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 In terms of disclosure or giving away personal details, I think it depends on who you're giving this stuff to. Reset the Net's goals are much closer aligned with mine than Facebook's, for instance. Also, I think FB's selling your personal data in a way RTN isn't going to. On 6/5/14, 7:13 AM, Jerry wrote: > -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > > Anyone else find it ironic that the reset the net site asks you to > take back your privacy online by providing your email address? > > "On June 5, I will take strong steps to protect my freedom from > government mass surveillance. I expect the services I use to do the > same." 
> > https://www.resetthenet.org/ From jerry at jerryrw.com Thu Jun 5 07:13:50 2014 From: jerry at jerryrw.com (Jerry) Date: Thu, 5 Jun 2014 10:13:50 -0400 Subject: Reset the Net Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Anyone else find it ironic that the reset the net site asks you to take back your privacy online by providing your email address? "On June 5, I will take strong steps to protect my freedom from government mass surveillance. I expect the services I use to do the same."
https://www.resetthenet.org/ From alfiej at fastmail.fm Wed Jun 4 19:48:26 2014 From: alfiej at fastmail.fm (Alfie John) Date: Thu, 05 Jun 2014 14:48:26 +1200 Subject: Google'es End-to-End In-Reply-To: <60003339.126349.1401833983205.JavaMail.www@wwinf8306> References: <3663262.z3uQ7fQ3vz@lapuntu> <60003339.126349.1401833983205.JavaMail.www@wwinf8306> Message-ID: <1401936506.9705.125349797.23EFDF8B@webmail.messagingengine.com> On Wed, Jun 4, 2014, at 10:19 AM, tpb-crypto at laposte.net wrote: > If you want to land on a watch-list and maybe no-fly list, you just > install it in your Chrome. Because as far as we can tell Google is in bed > with the NSA and so the proprietary browser may just flag you to the > system and done you are, or may forward all your messages in the clear. > Who knows? Which is worst? > > That's why there is not foocking way to trust proprietary software. > Companies are forced to act like criminals on behalf of the government. > There is no loyalty, respect, ethics, honesty or even business which the > US government won't try to trample upon.
Someone's already submitted a bug report: https://code.google.com/p/end-to-end/issues/detail?id=9 Alfie -- Alfie John alfiej at fastmail.fm From fox at vbfox.net Thu Jun 5 07:37:58 2014 From: fox at vbfox.net (Black Fox) Date: Thu, 5 Jun 2014 16:37:58 +0200 Subject: Google'es End-to-End In-Reply-To: <1401936506.9705.125349797.23EFDF8B@webmail.messagingengine.com> References: <3663262.z3uQ7fQ3vz@lapuntu> <60003339.126349.1401833983205.JavaMail.www@wwinf8306> <1401936506.9705.125349797.23EFDF8B@webmail.messagingengine.com> Message-ID: On Thu, Jun 5, 2014 at 4:48 AM, Alfie John wrote: > > On Wed, Jun 4, 2014, at 10:19 AM, tpb-crypto at laposte.net wrote: > > That's why there is not foocking way to trust proprietary software. > > Companies are forced to act like criminals on behalf of the government. > > There is no loyalty, respect, ethics, honesty or even business which the > > US government won't try to trample upon. > > Someone's already submitted a bug report: > > https://code.google.com/p/end-to-end/issues/detail?id=9 Cute, but the threat model of the submitter seem unclear to me, in what is it different here from gpg binaries provided by a linux distribution package ? If even only one person have access to the packaging keys and is of american nationality he can receive a National Security Letter and would have to comply (Rubber hose is obviously working too if they want to risk it). Using quantum insert they don't even need to change the packages for everyone, only you. Updates for any software executing with access to your private data are dangerous. I don't see why this subject is present in the issue tracker of an extension... it's a lot more general issue (Except for the fact that Google bashing is cool today). 
From carimachet at gmail.com Thu Jun 5 11:12:18 2014 From: carimachet at gmail.com (Cari Machet) Date: Thu, 5 Jun 2014 18:12:18 +0000 Subject: Reset the Net In-Reply-To: <5390A456.3080703@collison.ie> References: <5390A456.3080703@collison.ie> Message-ID: i like how the supporters like boing boing will change to ssl but ssl is now ? but purity is a coffin... ? On Thu, Jun 5, 2014 at 5:09 PM, Tommy Collison wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > In terms of disclosure or giving away personal details, I think it > depends on who you're giving this stuff to. Reset the Net's goals are > much closer aligned with mine than Facebook's, for instance. Also, I > think FB's selling your personal data in a way RTN isn't going to. > > > On 6/5/14, 7:13 AM, Jerry wrote: > > -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > > > > Anyone else find it ironic that the reset the net site asks you to > > take back your privacy online by providing your email address? > > > > "On June 5, I will take strong steps to protect my freedom from > > government mass surveillance. I expect the services I use to do the > > same." 
> > > > https://www.resetthenet.org/ > -- Cari Machet NYC 646-436-7795 carimachet at gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited. -------------- next part -------------- A non-text attachment was scrubbed...
Name: not available Type: text/html Size: 3624 bytes Desc: not available URL: From eric at konklone.com Thu Jun 5 17:34:05 2014 From: eric at konklone.com (Eric Mill) Date: Thu, 5 Jun 2014 20:34:05 -0400 Subject: Google'es End-to-End In-Reply-To: <1921140716.121780.1402008068215.JavaMail.www@wwinf8309> References: <3663262.z3uQ7fQ3vz@lapuntu> <60003339.126349.1401833983205.JavaMail.www@wwinf8306> <1401936506.9705.125349797.23EFDF8B@webmail.messagingengine.com> <1921140716.121780.1402008068215.JavaMail.www@wwinf8309> Message-ID: This seems like a good project, that will move PGP usability and standards forward. It's also a big deal for Google to throw its support to the project, since it is in direct tension with the business model Gmail is built on (scanning your emails). The auto-update feature is a big deal that will have to get wrestled with openly as this moves further. Perhaps they'll work out a separate update policy for it, who knows. But it'll also have applications outside of a place in the Chrome Web Store. For example, hopefully much of this work (especially the JS crypto work) will also turn out to be reusable in Firefox. On Thu, Jun 5, 2014 at 6:41 PM, wrote: > > Message du 05/06/14 04:54 > > De : "Alfie John" > > > > On Wed, Jun 4, 2014, at 10:19 AM, tpb-crypto at laposte.net wrote: > > > If you want to land on a watch-list and maybe no-fly list, you just > > > install it in your Chrome. Because as far as we can tell Google is in > bed > > > with the NSA and so the proprietary browser may just flag you to the > > > system and done you are, or may forward all your messages in the clear. > > > Who knows? Which is worst? > > > > > > That's why there is not foocking way to trust proprietary software. > > > Companies are forced to act like criminals on behalf of the government. > > > There is no loyalty, respect, ethics, honesty or even business which > the > > > US government won't try to trample upon. 
> > > > Someone's already submitted a bug report: > > > > https://code.google.com/p/end-to-end/issues/detail?id=9 > > > > It is interesting to note how this guy brushed the issue aside while > clearly not addressing the concern at all, but make-believing it is > addressed: > > >#5 evn at google.com > >Yes, we treat this concern very seriously. > >I closed it because we aren't auto-updating any extensions (there's no > CRX we are shipping that could be auto-updated). > > Yeah, they aren't auto-updating extensions, but this doesn't concern other > extensions, this concerns the core of the browser itself. > > These reactions plus the way we see this "innovation" pushed in the > specialized media already is a sure indicator that the backdoor is in place > already to trap the fools. > > Run this thing and get all your messages stored in the clear, in an > obscure datacenter, forever. > -- konklone.com | @konklone -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 3297 bytes Desc: not available URL: From eric at konklone.com Thu Jun 5 17:34:46 2014 From: eric at konklone.com (Eric Mill) Date: Thu, 5 Jun 2014 20:34:46 -0400 Subject: Google'es End-to-End In-Reply-To: References: <3663262.z3uQ7fQ3vz@lapuntu> <60003339.126349.1401833983205.JavaMail.www@wwinf8306> <1401936506.9705.125349797.23EFDF8B@webmail.messagingengine.com> Message-ID: On Thu, Jun 5, 2014 at 10:37 AM, Black Fox wrote: > On Thu, Jun 5, 2014 at 4:48 AM, Alfie John wrote: > > > > On Wed, Jun 4, 2014, at 10:19 AM, tpb-crypto at laposte.net wrote: > > > That's why there is not foocking way to trust proprietary software. > > > Companies are forced to act like criminals on behalf of the government. > > > There is no loyalty, respect, ethics, honesty or even business which > the > > > US government won't try to trample upon. 
> > > > Someone's already submitted a bug report: > > > > https://code.google.com/p/end-to-end/issues/detail?id=9 > > Cute, but the threat model of the submitter seem unclear to me, in > what is it different here from gpg binaries provided by a linux > distribution package ? > > If even only one person have access to the packaging keys and is of > american nationality he can receive a National Security Letter and > would have to comply (Rubber hose is obviously working too if they > want to risk it). Using quantum insert they don't even need to change > the packages for everyone, only you. > > Updates for any software executing with access to your private data > are dangerous. > > I don't see why this subject is present in the issue tracker of an > extension... it's a lot more general issue (Except for the fact that > Google bashing is cool today). > This seems like a good project, that will move PGP usability and standards forward. It's also a big deal for Google to throw its support to the project, since it is in direct tension with the business model Gmail is built on (scanning your emails). The auto-update feature is a big deal that will have to get wrestled with openly as this moves further. Perhaps they'll work out a separate update policy for it, who knows. But it'll also have applications outside of a place in the Chrome Web Store. For example, hopefully much of this work (especially the JS crypto work) will also turn out to be reusable in Firefox. -- konklone.com | @konklone -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 3714 bytes Desc: not available URL: From tpb-crypto at laposte.net Thu Jun 5 12:42:51 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Thu, 05 Jun 2014 21:42:51 +0200 Subject: "a skilled backdoor-writer can defeat skilled auditors"? 
In-Reply-To:
References: <1800350.DuBgtkdSDz@lapuntu> <20140603225302.GJ10586@hexapodia.org> <1462819215.136856.1401844030733.JavaMail.www@wwinf8227>
Message-ID: <1224529849.35465.1401997371228.JavaMail.www@wwinf8306>

> Message of 04/06/14 05:40
> From: "coderman"
>
> On Tue, Jun 3, 2014 at 6:06 PM, wrote:
> > ...
> > Your proposal [building meaningful security in from the start] would cause 99% of software currently in use to be rejected and make the development costs increase as astronomically as to be compared to medical research.
>
> 1% making the cut is a far too generous estimate, perhaps 1% of 1%. as for the cost issue, which must be paid somewhere,
>
>
> you make two assumptions:
>
> first, assuming the externalities of insecure systems are simply non-existent. the costs of our pervasive vulnerability are gargantuan, yet the complexity and cost of robust alternatives instills paralysis. (this lack of significant progress in development of secure systems feeds your defeatist observations; it's ok ;)
>

I kind of feel like an ant looking at the task of moving a mountain.

> second, that the schedules and styles of development as we currently practice it will always be. if you solved a core (commodity) infosec problem once, very well, in a way that could be widely adopted, you would only need to implement it once! (then spending five years and ten fold cost building to last becomes reasonable)
>

Yah no, we never know when a problem is really solved. We may consider it solved, then someone comes and breaks it for us. Not even formal proofs stand forever.

From tpb-crypto at laposte.net Thu Jun 5 15:41:08 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Fri, 06 Jun 2014 00:41:08 +0200
Subject: Google'es End-to-End
In-Reply-To: <1401936506.9705.125349797.23EFDF8B@webmail.messagingengine.com>
References: <3663262.z3uQ7fQ3vz@lapuntu> <60003339.126349.1401833983205.JavaMail.www@wwinf8306> <1401936506.9705.125349797.23EFDF8B@webmail.messagingengine.com>
Message-ID: <1921140716.121780.1402008068215.JavaMail.www@wwinf8309>

> Message of 05/06/14 04:54
> From: "Alfie John"
>
> On Wed, Jun 4, 2014, at 10:19 AM, tpb-crypto at laposte.net wrote:
> > If you want to land on a watch-list and maybe no-fly list, you just install it in your Chrome. Because as far as we can tell Google is in bed with the NSA and so the proprietary browser may just flag you to the system and done you are, or may forward all your messages in the clear. Who knows? Which is worst?
> >
> > That's why there is not foocking way to trust proprietary software. Companies are forced to act like criminals on behalf of the government. There is no loyalty, respect, ethics, honesty or even business which the US government won't try to trample upon.
>
> Someone's already submitted a bug report:
>
> https://code.google.com/p/end-to-end/issues/detail?id=9
>

It is interesting to note how this guy brushed the issue aside while clearly not addressing the concern at all, but make-believing it is addressed:

>#5 evn at google.com
>Yes, we treat this concern very seriously.
>I closed it because we aren't auto-updating any extensions (there's no CRX we are shipping that could be auto-updated).

Yeah, they aren't auto-updating extensions, but this doesn't concern other extensions, this concerns the core of the browser itself.

These reactions plus the way we see this "innovation" pushed in the specialized media already is a sure indicator that the backdoor is in place already to trap the fools.

Run this thing and get all your messages stored in the clear, in an obscure datacenter, forever.

From gfoster at entersection.org Fri Jun 6 11:17:36 2014
From: gfoster at entersection.org (Gregory Foster)
Date: Fri, 06 Jun 2014 13:17:36 -0500
Subject: "Ephemeral" Biometrics
Message-ID: <539205C0.3020706@entersection.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Federal Business Opportunities (Jun 4) - "Ephemeral Biometrics: An Alternative to Traditional, Event-based Authentication" by Sandia National Laboratories:
https://www.fbo.gov/index?s=opportunity&mode=form&id=06e9abca57bdd9dac64902e39f039c4f&tab=core&_cview=0

> Sandia National Laboratories is engaged in ongoing research and development into transformational upgrades in the area of cyber identity management as well as Insider Threat Monitoring by using Ephemeral Biometrics (EB). EB is unique because individual identities are tied to living biometric data that is active and continuous. The purpose of the research is to derive convenient authentication techniques (e.g., alternatives to passwords) that are both active and continuous while at the same time significantly improving authenticity and integrity of cyber identities.

"Ephemeral Biometrics: What are they and what do they solve?" by Sung Choi and David Zage of Sandia National Laboratories (2013):
https://www.cs.purdue.edu/homes/zagedj/docs/iccst2013.pdf

I'm not really sure what's ephemeral about redefining authentication to mean continuous monitoring. This work directly targets insider threat concerns raised post-Snowden, and provides further evidence that entities obsessed with secrecy will destroy their own effectiveness in pursuit of an improbable if not impossible definition of "security" which attempts to hermetically seal systems that include human beings. Good luck with that!

gf

- --
Gregory Foster || gfoster at entersection.org
@gregoryfoster <> http://entersection.com/

From gfoster at entersection.org Fri Jun 6 12:05:23 2014
From: gfoster at entersection.org (Gregory Foster)
Date: Fri, 06 Jun 2014 14:05:23 -0500
Subject: Cellphone Operator Reveals Scale of Government Snooping
In-Reply-To: <1402080228.56201.YahooMailNeo@web126206.mail.ne1.yahoo.com>
References: <1402080228.56201.YahooMailNeo@web126206.mail.ne1.yahoo.com>
Message-ID: <539210F3.501@entersection.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

On 6/6/14, 1:43 PM, jim bell wrote:
> http://news.yahoo.com/cellphone-operator-reveals-scale-govt-snooping-114153281--finance.html
>
> LONDON (AP) — Government snooping into phone networks is extensive worldwide, one of the world's largest cellphone companies revealed Friday, saying that several countries demand direct access to its networks without warrant or prior notice.

Thanks for sending this.

Vodafone - Law Enforcement Disclosure Report (2014)
http://www.vodafone.com/content/sustainabilityreport/2014/index/operating_responsibly/privacy_and_security/law_enforcement.html

Here's the report itself:
http://www.vodafone.com/content/dam/sustainability/2014/pdf/operating-responsibly/vodafone_law_enforcement_disclosure_report.pdf

gf

- --
Gregory Foster || gfoster at entersection.org
@gregoryfoster <> http://entersection.com/

From coderman at gmail.com Fri Jun 6 14:06:43 2014
From: coderman at gmail.com (coderman)
Date: Fri, 6 Jun 2014 14:06:43 -0700
Subject: Fwd: Help investigate cell phone snooping by police nationwide
In-Reply-To: <74862d74361490eca930f43845394c7298b.20140606145310@mail193.atl21.rsgsv.net>
References: <74862d74361490eca930f43845394c7298b.20140606145310@mail193.atl21.rsgsv.net>
Message-ID:

---------- Forwarded message ----------
From: Michael at MuckRock
Date: Fri, Jun 6, 2014 at 7:53 AM
Subject: Help investigate cell phone snooping by police nationwide

Hi,

Right now, we're gearing for MuckRock's biggest investigative project yet, and we need your help. First, a little context.

Local police departments across America are increasingly tapping into information from your cell phone: Your location, who you're with, who you are calling. Using fake cell phone towers, often called Stingrays, they generally don't even need a warrant, and have relatively few restrictions on who, when, and what they collect. Or how they use it. Since these programs are often funded by federal grants, very few people outside of law enforcement know how, or even if, they're being used, with almost non-existent debate about if this information should be collected, and what limits should be set for how it's used or how long it's kept.

This is where you come in. We're launching this project on Beacon Reader, where a donation of just $5, about what it costs for us to successfully file a request, can make a big difference. Just like with the Drone Census, often times MuckRock is the *only* group asking for this information, which otherwise would never be made public.

You can support the project at this link, and, again, even just $5 can make a huge difference:

https://www.muckrock.com/

If you're not in a position to help financially, we would still really appreciate your help — share what we're up to with your friends, sending in news articles you see or tips regarding cell phone tracking, and, in a few days, sending in information regarding which departments you'd like us to file with through a special page on MuckRock.

Thanks for all your support in the past, and we're looking forward to working with you to shine a light on this under-reported area.

Thanks,
Michael

From shelley at misanthropia.info Fri Jun 6 14:36:25 2014
From: shelley at misanthropia.info (shelley at misanthropia.info)
Date: Fri, 06 Jun 2014 14:36:25 -0700
Subject: [cryptome] Fwd: Help investigate cell phone snooping by police nationwide
In-Reply-To:
References: <74862d74361490eca930f43845394c7298b.20140606145310@mail193.atl21.rsgsv.net>
Message-ID: <1402090585.15493.126084309.57EF8952@webmail.messagingengine.com>

On Fri, Jun 6, 2014, at 02:06 PM, coderman wrote:
> ---------- Forwarded message ----------
> From: Michael at MuckRock <>
> Date: Fri, Jun 6, 2014 at 7:53 AM
> Subject: Help investigate cell phone snooping by police nationwide

[...]

>You can support the project at this link, and, again, even just $5 can make a huge difference:

Here's the direct link (I don't click the tracking links in the newsletter, either):

http://www.beaconreader.com/projects/the-spy-in-your-pocket

Maybe it's just my crappy mobile, but I didn't see the link on the main Muckrock page.

-S

>
>
> Hi,
>
> Right now, we're gearing for MuckRock's biggest investigative project yet, and we need your help. First, a little context.
>
> Local police departments across America are increasingly tapping into information from your cell phone: Your location, who you're with, who you are calling. Using fake cell phone towers, often called Stingrays, they generally don't even need a warrant, and have relatively few restrictions on who, when, and what they collect. Or how they use it. Since these programs are often funded by federal grants, very few people outside of law enforcement know how, or even if, they're being used, with almost non-existent debate about if this information should be collected, and what limits should be set for how it's used or how long it's kept.
>
> This is where you come in.
> We're launching this project on Beacon Reader, where a donation of just $5, about what it costs for us to successfully file a request, can make a big difference. Just like with the Drone Census, often times MuckRock is the *only* group asking for this information, which otherwise would never be made public.
>
> You can support the project at this link, and, again, even just $5 can make a huge difference:
>
>
>
> If you're not in a position to help financially, we would still really appreciate your help — share what we're up to with your friends, sending in news articles you see or tips regarding cell phone tracking, and, in a few days, sending in information regarding which departments you'd like us to file with through a special page on MuckRock.
>
> Thanks for all your support in the past, and we're looking forward to working with you to shine a light on this under-reported area.
>
> Thanks,
> Michael
>

From jamesdbell9 at yahoo.com Fri Jun 6 17:49:41 2014
From: jamesdbell9 at yahoo.com (jim bell)
Date: Fri, 6 Jun 2014 17:49:41 -0700 (PDT)
Subject: Fwd: Help investigate cell phone snooping by police nationwide
In-Reply-To:
References: <74862d74361490eca930f43845394c7298b.20140606145310@mail193.atl21.rsgsv.net>
Message-ID: <1402102181.86677.YahooMailNeo@web126202.mail.ne1.yahoo.com>

In a previous note on Cypherpunks, I believe I read that exposure to one of these Stingrays causes a cell phone to emit its signal at maximum power, causing a battery drain. This suggests that a simple Stingray-detector could be built, using an old cell-phone, a power-supply with a current-limit-detector connected to an alarm. If the cell phone emits maximum RF-signal, it will use a considerable DC power, which could be set to trigger the DC-current alarm. (Am I correct in thinking that the old cell-phone doesn't even have to be 'active', meaning that it doesn't have to have a contracted service associated with it?)
Jim Bell

________________________________
From: coderman

---------- Forwarded message ----------
From: Michael at MuckRock
Date: Fri, Jun 6, 2014 at 7:53 AM
Subject: Help investigate cell phone snooping by police nationwide

Hi,

Right now, we're gearing for MuckRock's biggest investigative project yet, and we need your help. First, a little context.

Local police departments across America are increasingly tapping into information from your cell phone: Your location, who you're with, who you are calling. Using fake cell phone towers, often called Stingrays, they generally don't even need a warrant, and have relatively few restrictions on who, when, and what they collect. Or how they use it. Since these programs are often funded by federal grants, very few people outside of law enforcement know how, or even if, they're being used, with almost non-existent debate about if this information should be collected, and what limits should be set for how it's used or how long it's kept.

This is where you come in. We're launching this project on Beacon Reader, where a donation of just $5, about what it costs for us to successfully file a request, can make a big difference. Just like with the Drone Census, often times MuckRock is the *only* group asking for this information, which otherwise would never be made public.

You can support the project at this link, and, again, even just $5 can make a huge difference:

https://www.muckrock.com/

If you're not in a position to help financially, we would still really appreciate your help — share what we're up to with your friends, sending in news articles you see or tips regarding cell phone tracking, and, in a few days, sending in information regarding which departments you'd like us to file with through a special page on MuckRock.

Thanks for all your support in the past, and we're looking forward to working with you to shine a light on this under-reported area.

Thanks,
Michael

From jamesdbell9 at yahoo.com Fri Jun 6 21:30:02 2014
From: jamesdbell9 at yahoo.com (jim bell)
Date: Fri, 6 Jun 2014 21:30:02 -0700 (PDT)
Subject: New vulnerability in OpenSSL
Message-ID: <1402115402.69908.YahooMailNeo@web126205.mail.ne1.yahoo.com>

https://www.yahoo.com/tech/here-we-go-again-new-vulnerability-discovered-in-87983540829.html

BOSTON — Security researchers have uncovered new bugs in the Web encryption software that caused the pernicious “Heartbleed” Internet threat that surfaced in April.

Experts said the newly discovered vulnerabilities in OpenSSL, which could allow hackers to spy on communications, do not appear to be as serious a threat as Heartbleed.

The new bugs were disclosed on Thursday as the group responsible for developing that software released an OpenSSL update that contains seven security fixes.

Experts said that websites and technology firms that use OpenSSL technology should install the update on their systems as quickly as possible. Still, they said that could take several days or weeks because companies need to first test systems to make sure they are compatible with the update.

"They are going to have to patch. This will take some time," said Lee Weiner, senior vice president with cybersecurity software maker Rapid7.

OpenSSL technology is used on about two-thirds of all websites, including ones run by Amazon.com, Facebook, Google, and Yahoo. It is also incorporated into thousands of technology products from companies, including Cisco Systems, Hewlett-Packard, IBM, Intel, and Oracle.

The widespread Heartbleed bug surfaced in April when it was disclosed that the flaw potentially exposed users of those websites and technologies to attack by hackers who could steal large quantities of data without leaving a trace.
That prompted fear that attackers may have compromised large numbers of networks without their knowledge.

Security experts said Thursday that the newly discovered bugs are more difficult to exploit than Heartbleed, making those vulnerabilities less of a threat.

Still, until users of the technology update their systems, “there is a window of opportunity” for sophisticated hackers to launch attacks and exploit the newly uncovered vulnerabilities, said Tal Klein, vice president of strategy with cloud security firm Adallom.

From shelley at misanthropia.info Fri Jun 6 21:58:15 2014
From: shelley at misanthropia.info (shelley at misanthropia.info)
Date: Fri, 06 Jun 2014 21:58:15 -0700
Subject: New vulnerability in OpenSSL
In-Reply-To: <1402115402.69908.YahooMailNeo@web126205.mail.ne1.yahoo.com>
References: <1402115402.69908.YahooMailNeo@web126205.mail.ne1.yahoo.com>
Message-ID: <1402117095.5035.126155881.6BD236E1@webmail.messagingengine.com>

On Fri, Jun 6, 2014, at 09:30 PM, jim bell wrote:
>
>
>
> BOSTON — Security researchers have uncovered new bugs in the Web encryption software that caused the pernicious “Heartbleed” Internet threat that surfaced in April.

Direct info:
https://www.openssl.org/news/secadv_20140605.txt

>
> Experts said the newly discovered vulnerabilities in OpenSSL, which could allow hackers to spy on communications, do not appear to be as serious a threat as Heartbleed.
> The new bugs were disclosed on Thursday as the group responsible for developing that software released an OpenSSL update that contains seven security fixes.
> Experts said that websites and technology firms that use OpenSSL technology should install the update on their systems as quickly as possible.
> Still, they said that could take several days or weeks because companies need to first test systems to make sure they are compatible with the update.
> "They are going to have to patch. This will take some time," said Lee Weiner, senior vice president with cybersecurity software maker Rapid7.
> OpenSSL technology is used on about two-thirds of all websites, including ones run by Amazon.com, Facebook, Google, and Yahoo. It is also incorporated into thousands of technology products from companies, including Cisco Systems, Hewlett-Packard, IBM, Intel, and Oracle.
> The widespread Heartbleed bug surfaced in April when it was disclosed that the flaw potentially exposed users of those websites and technologies to attack by hackers who could steal large quantities of data without leaving a trace. That prompted fear that attackers may have compromised large numbers of networks without their knowledge.
> Security experts said Thursday that the newly discovered bugs are more difficult to exploit than Heartbleed, making those vulnerabilities less of a threat.
> Still, until users of the technology update their systems, “there is a window of opportunity” for sophisticated hackers to launch attacks and exploit the newly uncovered vulnerabilities, said Tal Klein, vice president of strategy with cloud security firm Adallom.

From coderman at gmail.com Sat Jun 7 01:04:25 2014
From: coderman at gmail.com (coderman)
Date: Sat, 7 Jun 2014 01:04:25 -0700
Subject: Fwd: Help investigate cell phone snooping by police nationwide
In-Reply-To: <1402102181.86677.YahooMailNeo@web126202.mail.ne1.yahoo.com>
References: <74862d74361490eca930f43845394c7298b.20140606145310@mail193.atl21.rsgsv.net> <1402102181.86677.YahooMailNeo@web126202.mail.ne1.yahoo.com>
Message-ID:

hey Jim!

let's smoke that blunt, trade some keys, shoot some shit, and i'll tell you stories. still up for a july key party?

:)

On Fri, Jun 6, 2014 at 5:49 PM, jim bell wrote:
> In a previous note on Cypherpunks, I believe I read that exposure to one of these Stingrays causes a cell phone to emit its signal at maximum power, causing a battery drain....

From jamesdbell9 at yahoo.com Sat Jun 7 01:08:09 2014
From: jamesdbell9 at yahoo.com (jim bell)
Date: Sat, 7 Jun 2014 01:08:09 -0700 (PDT)
Subject: Fwd: Help investigate cell phone snooping by police nationwide
In-Reply-To:
References: <74862d74361490eca930f43845394c7298b.20140606145310@mail193.atl21.rsgsv.net> <1402102181.86677.YahooMailNeo@web126202.mail.ne1.yahoo.com>
Message-ID: <1402128489.10377.YahooMailNeo@web126201.mail.ne1.yahoo.com>

Oh, I suppose...
Jim Bell

________________________________
From: coderman
To: jim bell
Cc: cpunks ; "cryptome at freelists.org"
Sent: Saturday, June 7, 2014 1:04 AM
Subject: Re: Fwd: Help investigate cell phone snooping by police nationwide

hey Jim!

let's smoke that blunt, trade some keys, shoot some shit, and i'll tell you stories. still up for a july key party?

:)

On Fri, Jun 6, 2014 at 5:49 PM, jim bell wrote:
> In a previous note on Cypherpunks, I believe I read that exposure to one of these Stingrays causes a cell phone to emit its signal at maximum power, causing a battery drain....

From coderman at gmail.com Sat Jun 7 01:10:44 2014
From: coderman at gmail.com (coderman)
Date: Sat, 7 Jun 2014 01:10:44 -0700
Subject: [cryptome] Re: Fwd: Help investigate cell phone snooping by police nationwide
In-Reply-To: <1402112543.24123.126145001.7D0D6075@webmail.messagingengine.com>
References: <74862d74361490eca930f43845394c7298b.20140606145310@mail193.atl21.rsgsv.net> <1402090585.15493.126084309.57EF8952@webmail.messagingengine.com> <1402112543.24123.126145001.7D0D6075@webmail.messagingengine.com>
Message-ID:

On Fri, Jun 6, 2014 at 8:42 PM, wrote:
>....
> Unfortunately, using airplane mode is not enough to keep you from being tracked. You must remove the battery.

i can confirm this directly. a ride into Vegas for DC 20 demonstrated that Alexander's toys have the ability to inject into receive only (airplane mode) and tip to exploitation. (baseband exploits being exceptional at leaking keys, elevating privs, and erasing tracks...)

battery out or faraday caged the only effective options.

(or as Snowden demonstrated, put in a fridge to avoid scrutiny and audio capture the best idea. non-serial tower associations are an anomaly alerted and acted upon.)

From coderman at gmail.com Sat Jun 7 01:12:55 2014
From: coderman at gmail.com (coderman)
Date: Sat, 7 Jun 2014 01:12:55 -0700
Subject: Fwd: Help investigate cell phone snooping by police nationwide
In-Reply-To: <1402128489.10377.YahooMailNeo@web126201.mail.ne1.yahoo.com>
References: <74862d74361490eca930f43845394c7298b.20140606145310@mail193.atl21.rsgsv.net> <1402102181.86677.YahooMailNeo@web126202.mail.ne1.yahoo.com> <1402128489.10377.YahooMailNeo@web126201.mail.ne1.yahoo.com>
Message-ID:

On Sat, Jun 7, 2014 at 1:08 AM, jim bell wrote:
> Oh, I suppose...
> Jim Bell

all the cool kids are doing it!

best regards,
codermange

(surprised Jim's emails aren't going into SPAM for once...)

From coderman at gmail.com Sat Jun 7 01:18:45 2014
From: coderman at gmail.com (coderman)
Date: Sat, 7 Jun 2014 01:18:45 -0700
Subject: [was: Internet Giants erect barriers to spy agencies]
Message-ID:

On Fri, Jun 6, 2014 at 10:50 PM, jim bell wrote:
> ...
> After years of cooperating with the government, the immediate goal now is to thwart Washington — as well as Beijing and Moscow.

i'm holding my breath...

From rysiek at hackerspace.pl Fri Jun 6 16:43:43 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Sat, 07 Jun 2014 01:43:43 +0200
Subject: Reset the Net
In-Reply-To:
References: <5390A456.3080703@collison.ie>
Message-ID: <1439714.8WVidTZNpU@lapuntu>

Also, this:
https://joindiaspora.com/posts/4208716

"#ResetTheNet - one of best jokes in 2014.
#dropbox - Dropbox is promoting security best practices and government surveillance reform.
#Google is releasing email encryption tools and data, and supporting real surveillance reform."

--
Pozdr
rysiek

From shelley at misanthropia.info Sat Jun 7 15:30:10 2014
From: shelley at misanthropia.info (shelley at misanthropia.info)
Date: Sat, 07 Jun 2014 15:30:10 -0700
Subject: Fwd: Re: [FD] More OpenSSL issues
Message-ID: <1402180210.6400.126320229.2065BEFA@webmail.messagingengine.com>

re: Jim's post from yesterday. From the Full Disclosure list:

On Sat, Jun 7, 2014, at 02:04 PM, Craig Young wrote:

Yeah, definitely not in the same ballpark as heartbleed fortunately.

I have posted a detection script on the Tripwire blog to identify servers permitting the early CCS:
http://www.tripwire.com/state-of-security/incident-detection/detection-script-for-cve-2014-0224-openssl-cipher-change-spec-injection/

It should detect potentially vulnerable hosts with a variety of configurations.

Thanks,
Craig

> On Jun 6, 2014 3:36 AM, "P Vixie" <> wrote:
>
> > This does not appear to be the same panic level as the previous patch. In other words the previous openssl vuln was worse than the instability of all-night patching. This one is not. Take time to roll out right.
> >
> > On June 5, 2014 7:51:50 AM PDT, Jordan Urie <> wrote:
> > >Ladies and Gentlemen,
> > >
> > >There's an MITM in there, and a potential for buffer over-runs.
> > >
> > >Patch up :-)
> > >
> > >Jordan
> > >
> > >--
> > >
> > >Jordan R. Urie
> > >
> > >UP Technology Consulting, Inc.
> > >1129 - 177A St. SW
> > >Edmonton, AB T6W 2A1
> > >Phone:
> > >
> > >www.uptech.ca
> > >
> > >_______________________________________________
> > >Sent through the Full Disclosure mailing list
> > >
> > >Web Archives & RSS:
> >
> > --
> > Sent from my Android phone with K-9 Mail. Please excuse my brevity.
> >
> > _______________________________________________
> > Sent through the Full Disclosure mailing list
> >
> > Web Archives & RSS:
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
>
> Web Archives & RSS:

From grarpamp at gmail.com Sat Jun 7 22:51:18 2014
From: grarpamp at gmail.com (grarpamp)
Date: Sun, 8 Jun 2014 01:51:18 -0400
Subject: [Cryptography] Help investigate cell phone snooping by police nationwide
In-Reply-To:
References: <74862d74361490eca930f43845394c7298b.20140606145310@mail193.atl21.rsgsv.net> <1402090585.15493.126084309.57EF8952@webmail.messagingengine.com> <1402112543.24123.126145001.7D0D6075@webmail.messagingengine.com>
Message-ID:

>>>> (or as Snowden demonstrated, put in a fridge to avoid scrutiny and audio capture the best idea. non-serial tower associations are an anomaly alerted and acted upon.)

Faraday cages concept really depend on the freqs they are designed to inhibit, pressure, sound, radio, optic, etc. Given wide enough freqs, one cage does not service all.
A fridge has plastic and magnetic gaskets, over maybe 2cm variant gap, so not a complete EM seal (at whichever specific freqs). And grounding issue. But good at human sound deadening. Microwave door shield is closer to cell phone freq shield. If you cannot simply remove the battery preferably, that is. As always, test first. And is easy to find phones to test all phone bands with. TEMPEST.

From grarpamp at gmail.com Sat Jun 7 23:05:00 2014
From: grarpamp at gmail.com (grarpamp)
Date: Sun, 8 Jun 2014 02:05:00 -0400
Subject: [Cryptography] Help investigate cell phone snooping by police nationwide
In-Reply-To: <5393DC53.2010303@sidney.com>
References: <74862d74361490eca930f43845394c7298b.20140606145310@mail193.atl21.rsgsv.net> <1402090585.15493.126084309.57EF8952@webmail.messagingengine.com> <1402112543.24123.126145001.7D0D6075@webmail.messagingengine.com> <5393DC53.2010303@sidney.com>
Message-ID:

On Sat, Jun 7, 2014 at 11:45 PM, Sidney Markowitz wrote:
> I don't know what would make me feel safer - putting the phones in a microwave oven with the chance that the door could easily be left ajar, or getting the acoustic insulation and masking hum of a refrigerator.

Trust the microwave you tested, right, because you do not know what quality DSP is processing your remaining 5dB audio over your entire conversation. Or put microwave in fridge ;) aka: remove battery / crush/displace phone... be happy.

From oottela at cs.helsinki.fi Sat Jun 7 19:33:39 2014
From: oottela at cs.helsinki.fi (oottela)
Date: Sun, 08 Jun 2014 05:33:39 +0300
Subject: Tinfoil Chat
Message-ID:

I'd like to share a project I came up with back in spring 2012 and began working on after the Snowden leaks started.

Highlights are
-OTP encryption for perfect secrecy
-OTP encrypted Keccak HMACs to prevent undetectable message tampering
-HW TRNG to generate truly random keys (Von Neumann whitened)
-HW Data diodes to provide immunity against message exfiltration attacks originating from network.

Source code and links to whitepaper and manual are available from
https://github.com/maqp/tfc/

Regards,
Markus

From indeyets at gmail.com Sun Jun 8 01:51:45 2014
From: indeyets at gmail.com (Alexey Zakhlestin)
Date: Sun, 8 Jun 2014 12:51:45 +0400
Subject: US Army research into quantum teleportation of data
In-Reply-To: <538CB80A.8060405@entersection.org>
References: <538CB80A.8060405@entersection.org>
Message-ID:

On 02 Jun 2014, at 21:44, Gregory Foster wrote:

Defense Systems (May 30) - "Teleporting information sets stage for ‘cyber secure’ communications":
http://defensesystems.com/Articles/2014/05/30/ARL-Teleportation.aspx

Lots of challenges to overcome, but the advantages are sufficiently self-evident and seductive to likely warrant substantial funding. A use case not mentioned: remotely piloted aircraft (drones) without network lag.

Decoding of information transferred via quantum teleportation still requires transmission of state info (2 bits per 1 q-bit) via conventional side-channel. see https://en.wikipedia.org/wiki/Quantum_teleportation#Protocol

so network lag is still there.

--
Alexey Zakhlestin
CTO at Grids.by/you
https://github.com/indeyets
PGP key: http://indeyets.ru/alexey.zakhlestin.pgp.asc
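
The dependence on the two classical bits that the reply above points to, as an added example that is not part of any post in this thread: a pure-Python state-vector simulation of the standard one-qubit teleportation protocol. The function names and the sample state 0.6|0> + 0.8i|1> are constructed for illustration.

```python
# Constructed example: three-qubit state-vector walk-through of teleportation.
import math
from itertools import product

S = 1 / math.sqrt(2)


def alice_side(alpha, beta):
    """Amplitudes after Alice's CNOT and Hadamard.

    Qubit order (q0, q1, q2): q0 holds alpha|0> + beta|1>, q1 is Alice's half
    of the Bell pair, q2 is Bob's half. Index = 4*q0 + 2*q1 + q2.
    """
    state = [0j] * 8
    for q0, amp in ((0, alpha), (1, beta)):        # |psi> (x) (|00>+|11>)/sqrt2
        for pair in (0, 1):
            state[4 * q0 + 2 * pair + pair] += amp * S
    after_cnot = [0j] * 8                          # CNOT: control q0, target q1
    for q0, q1, q2 in product((0, 1), repeat=3):
        after_cnot[4 * q0 + 2 * (q1 ^ q0) + q2] += state[4 * q0 + 2 * q1 + q2]
    after_h = [0j] * 8                             # Hadamard on q0
    for q0, q1, q2 in product((0, 1), repeat=3):
        amp = after_cnot[4 * q0 + 2 * q1 + q2]
        after_h[2 * q1 + q2] += amp * S
        after_h[4 + 2 * q1 + q2] += amp * S * (-1 if q0 else 1)
    return after_h


def measure_outcomes(alpha, beta):
    """Map Alice's result (m0, m1) to (probability, Bob's uncorrected qubit)."""
    state = alice_side(alpha, beta)
    outcomes = {}
    for m0, m1 in product((0, 1), repeat=2):
        b0, b1 = state[4 * m0 + 2 * m1], state[4 * m0 + 2 * m1 + 1]
        prob = abs(b0) ** 2 + abs(b1) ** 2
        norm = math.sqrt(prob)
        outcomes[(m0, m1)] = (prob, (b0 / norm, b1 / norm))
    return outcomes


def bob_correct(qubit, m0, m1):
    """Bob's fix-up once both classical bits arrive: X if m1, then Z if m0."""
    a, b = qubit
    if m1:
        a, b = b, a
    if m0:
        b = -b
    return (a, b)


def fidelity(u, v):
    """|<u|v>|^2 for two normalised single-qubit states."""
    return abs(u[0].conjugate() * v[0] + u[1].conjugate() * v[1]) ** 2


def mean_fidelity(alpha, beta, use_classical_bits):
    """Average overlap between Bob's qubit and the original state."""
    psi = (complex(alpha), complex(beta))
    total = 0.0
    for (m0, m1), (prob, qubit) in measure_outcomes(alpha, beta).items():
        if use_classical_bits:
            qubit = bob_correct(qubit, m0, m1)
        total += prob * fidelity(psi, qubit)
    return total


def bob_view_without_bits(alpha, beta):
    """Density matrix of Bob's qubit before any classical bit reaches him."""
    rho = [[0j, 0j], [0j, 0j]]
    for prob, vec in measure_outcomes(alpha, beta).values():
        for r in range(2):
            for c in range(2):
                rho[r][c] += prob * vec[r] * vec[c].conjugate()
    return rho


if __name__ == "__main__":
    a, b = 0.6, 0.8j                               # constructed sample state
    print("with classical bits   :", round(mean_fidelity(a, b, True), 6))
    print("without classical bits:", round(mean_fidelity(a, b, False), 6))
    print("Bob's view, no bits   :", bob_view_without_bits(a, b))
```

Without the two bits Bob's qubit is the maximally mixed state whatever was sent, so nothing usable arrives before the classical channel delivers them.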

From guninski at guninski.com Sun Jun 8 03:38:09 2014
From: guninski at guninski.com (Georgi Guninski)
Date: Sun, 8 Jun 2014 13:38:09 +0300
Subject: New vulnerability in OpenSSL
In-Reply-To: <1402117095.5035.126155881.6BD236E1@webmail.messagingengine.com>
References: <1402115402.69908.YahooMailNeo@web126205.mail.ne1.yahoo.com> <1402117095.5035.126155881.6BD236E1@webmail.messagingengine.com>
Message-ID: <20140608103809.GA2472@sivokote.iziade.m$>

On Fri, Jun 06, 2014 at 09:58:15PM -0700, shelley at misanthropia.info wrote:
> On Fri, Jun 6, 2014, at 09:30 PM, jim bell wrote:
>
> Direct info:
> https://www.openssl.org/news/secadv_20140605.txt
>
> > Experts said the newly discovered vulnerabilities in OpenSSL, which could
> > allow hackers to spy on communications, do not appear to be as serious a
> > threat as Heartbleed.

From the FA:
> This is potentially exploitable to run arbitrary code on a vulnerable client or server.

This appears _worse_ than HB to me.

"Potentially" usually just downplays the issue - it is either exploitable or not.

From guninski at guninski.com Sun Jun 8 03:52:42 2014
From: guninski at guninski.com (Georgi Guninski)
Date: Sun, 8 Jun 2014 13:52:42 +0300
Subject: Going to jail nowadays for owning a book, wtf?
In-Reply-To: <1277349505.29568.1400688303149.JavaMail.www@wwinf8229>
References: <20140521134649.GA2610@sivokote.iziade.m$> <1277349505.29568.1400688303149.JavaMail.www@wwinf8229>
Message-ID: <20140608105242.GB2472@sivokote.iziade.m$>

On Wed, May 21, 2014 at 06:05:03PM +0200, tpb-crypto at laposte.net wrote:
>
> Would you be in favor of charging someone for possessing things like:
> - Pedophile instruction manual;

The brits are gonna implement this:

http://www.theregister.co.uk/2014/06/04/queens_speech_computer_misuse/

Queen's Speech: Computer Misuse Act to be amended, tougher sentences planned
And possessing ‘paedophilic manuals' will be an offence

From grarpamp at gmail.com Sun Jun 8 11:13:26 2014
From: grarpamp at gmail.com (grarpamp)
Date: Sun, 8 Jun 2014 14:13:26 -0400
Subject: [Cryptography] Help investigate cell phone snooping by police nationwide
In-Reply-To: <1402247055.70505.YahooMailNeo@web126201.mail.ne1.yahoo.com>
References: <74862d74361490eca930f43845394c7298b.20140606145310@mail193.atl21.rsgsv.net> <1402090585.15493.126084309.57EF8952@webmail.messagingengine.com> <1402112543.24123.126145001.7D0D6075@webmail.messagingengine.com> <1402247055.70505.YahooMailNeo@web126201.mail.ne1.yahoo.com>
Message-ID:

On Sun, Jun 8, 2014 at 1:04 PM, jim bell wrote:
> Why not wrap the phone in a couple of layers of aluminum foil? (Although,
> it won't shield against audio if that's being recorded even while an RF
> contact does not exist...)

The thread referred to refrigerators and microwaves. Yes even an ungrounded single layer aluminum foil bag with singlefold seam is able to block phones here. Test as desired. Unlike the former devices, foil is also light and easily carried for travel anywhere if battery is hardwired and/or you don't trust 'off' button. Also things like evercap and RF id/power may play in some devices.

From pgut001 at cs.auckland.ac.nz Sun Jun 8 12:47:20 2014
From: pgut001 at cs.auckland.ac.nz (Peter Gutmann)
Date: Mon, 09 Jun 2014 07:47:20 +1200
Subject: [Cryptography] Help investigate cell phone snooping by police nationwide
In-Reply-To: <1402247055.70505.YahooMailNeo@web126201.mail.ne1.yahoo.com>
Message-ID:

jim bell writes:
>Why not wrap the phone in a couple of layers of aluminum foil?

People can use the material that was left over from when they made the hat.

Peter.

From cathalgarvey at cathalgarvey.me Mon Jun 9 02:28:41 2014
From: cathalgarvey at cathalgarvey.me (Cathal Garvey)
Date: Mon, 09 Jun 2014 10:28:41 +0100
Subject: Tinfoil Chat
In-Reply-To:
References:
Message-ID: <53957E49.3010005@cathalgarvey.me>

Interesting; I'm scanning the code now, but won't pretend to be an expert.

First thing, your HMAC code is possibly vulnerable to a timing attack:
https://github.com/maqp/tfc/blob/master/Rx.py

..using direct string/byte comparisons for HMACs can be vulnerable as most languages will shortcut on the first mismatch. In your case, using this attack might require the means to craft a message that matches a certain hash, but maybe someone who knows more could use this to recover key material? The way to avoid this is a comparison function whose time does not depend on the likeness or unlikeness of the compared values, for example by xoring the strings or characters.

Second issue is the use of LibPurple at all. It's widely considered to be a security trainwreck, and given its poor reputation *and* the total disinclination of the libpurple devs to bother with security concerns at all, it's easy to imagine anything up to remote code execution in libpurple compromising the whole system. So, your tinfoil hat could be as secure as anything, but relying on libpurple may undermine the entire exercise. Using a different transport may be more valuable.

Finally, you're using a custom HWRNG, and reading with custom C code to a file.
Firstly, why is this a C function, when you could probably achieve it in Python? But, more importantly, why not use the system call to deliver this entropy to /dev/urandom, and use that? The mixing code for /dev/urandom has received pretty good review, far more than your code can hope for, so the more you rely on /dev/urandom IMO the better.

There's a Linux system call to mix entropy into the system pool, and your HWRNG would be well served to use that if you ask me. And, you could probably access that call using ctypes from Python without requiring your end users to compile C. The less compilation required, the more likely you are to get user buy-in.

On 08/06/14 03:33, oottela wrote:
> I'd like to share a project I came up with back in spring 2012 and began
> working on after the Snowden leaks started.
>
> Highlights are
>
> -OTP encryption for perfect secrecy
> -OTP encrypted Keccak HMACs to prevent undetectable message tampering
> -HW TRNG to generate truly random keys (Von Neumann whitened)
> -HW Data diodes to provide immunity against message exfiltration attacks
> originating from network.
>
> Source code and links to whitepaper and manual are available from
>
> https://github.com/maqp/tfc/
>
> Regards, Markus

--
T: @onetruecathal, @IndieBBDNA
P: +353876363185
W: http://indiebiotech.com
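The comparison advice in the reply above, as an added example that is not part of the original message or of the TFC code base: it counts how many bytes an early-exit comparison examines against an XOR-accumulating one, then verifies a tag with Python's hmac.compare_digest. The key, the message, all function names and the use of SHA3-256 as a stand-in for the project's Keccak HMAC are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample values, not taken from TFC.
KEY = bytes(range(32))
MESSAGE = b"constructed sample message"


def make_tag(key: bytes, message: bytes) -> bytes:
    """HMAC tag over the message (SHA3-256 is a stand-in, see lead-in)."""
    return hmac.new(key, message, hashlib.sha3_256).digest()


def early_exit_equal(a: bytes, b: bytes):
    """Model of a plain == comparison: stop at the first mismatch.

    Returns (equal, bytes_examined). The second value stands for the
    running time an observer could measure.
    """
    if len(a) != len(b):
        return False, 0
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return True, examined


def accumulate_equal(a: bytes, b: bytes):
    """XOR every byte pair and OR the results together.

    The loop never exits early, so the work done is the same whether the
    inputs differ in the first byte or the last one.
    """
    if len(a) != len(b):
        return False, 0
    diff = 0
    examined = 0
    for x, y in zip(a, b):
        diff |= x ^ y
        examined += 1
    return diff == 0, examined


def verify(key: bytes, message: bytes, received_tag: bytes) -> bool:
    """Receiver-side check using the standard library's constant-time compare."""
    return hmac.compare_digest(make_tag(key, message), received_tag)


def work_profile(key: bytes, message: bytes):
    """Work done by each comparison for wrong tags that share a correct prefix.

    Each row is (correct_prefix_len, early_exit_bytes, accumulate_bytes).
    """
    good = make_tag(key, message)
    rows = []
    for n in (0, 1, 8, 31):
        # Keep the first n bytes correct, invert every remaining byte.
        wrong = good[:n] + bytes(b ^ 0xFF for b in good[n:])
        rows.append((n,
                     early_exit_equal(good, wrong)[1],
                     accumulate_equal(good, wrong)[1]))
    return rows


if __name__ == "__main__":
    for prefix, leaky, constant in work_profile(KEY, MESSAGE):
        print(f"correct prefix {prefix:2d}: early-exit {leaky:2d} bytes, "
              f"accumulate {constant:2d} bytes")
    print("valid tag accepted:", verify(KEY, MESSAGE, make_tag(KEY, MESSAGE)))
```

The early-exit column grows with the length of the correct prefix, which is the dependence on "likeness" the reply warns about; the accumulate column stays at the full tag length.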

From jya at pipeline.com Mon Jun 9 08:54:37 2014
From: jya at pipeline.com (John Young)
Date: Mon, 09 Jun 2014 11:54:37 -0400
Subject: [Cryptography] Help investigate cell phone snooping by police nationwide
In-Reply-To: <1402247055.70505.YahooMailNeo@web126201.mail.ne1.yahoo.com >
References: <74862d74361490eca930f43845394c7298b.20140606145310@mail193.atl21.rsgsv.net> <1402090585.15493.126084309.57EF8952@webmail.messagingengine.com> <1402112543.24123.126145001.7D0D6075@webmail.messagingengine.com> <1402247055.70505.YahooMailNeo@web126201.mail.ne1.yahoo.com>
Message-ID:

Tinfoil is not sufficient any more due to increased sensitivity of interceptors. False protection left in place as ploy. False TEMPEST protection is especially effective, the best remains classified in a rolling fashion: more leaked to delude the more unleaked of what works.

Inadvertent emanations are increasingly inadvertent as research in those waves leaps by giant bounds. Not news to this crafty gaggle of uncontrollably paranoidic deceptors braying about faults, patches, new faults, new paths, rolling thunder to panic herds of panic-herders, pardon, infiltrated standards setters.

Jim, you may be the only experienced expert here in betrayal by trustees inside and outside the penal colony, pardon, West of the Pecos justice rigged-comsec industry. All hail MIT, industry leader of techno-rigging.

BTW, are you at liberty to reveal the secrets of bio-chemical TEMPEST? The inadvertent body odor is somewhat more reliable than facial and corporeal. Rumor of testing on the bio-chem harvesting in prisons, separation of sexes into their many varieties of posturing, impostering, hybridity and crossings.

After 9/11 batteries of full spectrum bio-chem sensors were set up in NYC transportation nodes, pretending to be about sniffing for bombs but actually about varieties of human emanations.
Later transformed and cloaked into the Microsoft-NYPD Domain Awareness program which pretended to be about data-gathering and infiltrating suspected terrorist conclaves, vaunted by resuscitated HUMINT, but about, well, that's not for the inexperienced emanator to know.

>Why not wrap the phone in a couple of layers of aluminum
>foil? (Although, it won't shield against audio if that's being
>recorded even while an RF contact does not exist...)
> Jim Bell

From coderman at gmail.com Mon Jun 9 13:40:25 2014
From: coderman at gmail.com (coderman)
Date: Mon, 9 Jun 2014 13:40:25 -0700
Subject: [cryptography] [Cryptography] Help investigate cell phone snooping by police nationwide
In-Reply-To:
References: <74862d74361490eca930f43845394c7298b.20140606145310@mail193.atl21.rsgsv.net> <1402090585.15493.126084309.57EF8952@webmail.messagingengine.com> <1402112543.24123.126145001.7D0D6075@webmail.messagingengine.com> <1402247055.70505.YahooMailNeo@web126201.mail.ne1.yahoo.com>
Message-ID:

On Mon, Jun 9, 2014 at 8:54 AM, John Young wrote:
> ...
> BTW, are you at liberty to reveal the secrets of bio-chemical
> TEMPEST? The inadvertent body odor is somewhat more
> reliable than facial and corporeal. Rumor of testing on the
> bio-chem harvesting in prisons, separation of sexes into
> their many varieties of posturing, impostering, hybridity
> and crossings.

there's an industry around such sensing; the microprocessor coming to field assays on a chip.

where is the privacy advocate's concern on such chemsense developments? (a few conference papers and journal proceedings, is all the rest classified?)

From cathalgarvey at cathalgarvey.me Mon Jun 9 06:10:54 2014
From: cathalgarvey at cathalgarvey.me (Cathal Garvey)
Date: Mon, 09 Jun 2014 14:10:54 +0100
Subject: "Ephemeral" Biometrics
In-Reply-To: <0D1161FC-E3DB-4A1B-BD86-73A27B17EC63@gmail.com>
References: <539205C0.3020706@entersection.org> <0D1161FC-E3DB-4A1B-BD86-73A27B17EC63@gmail.com>
Message-ID: <5395B25E.2000108@cathalgarvey.me>

Also, many (perhaps most) biometrics can be trivially forged. Facial pictures are laughable without depth, but a 3D printed mask can probably fool them even then. DNA is trivial to copy using the same methods forensics depend on to ID it (and there are even companies that will produce artificial DNA fingerprints to-order, now). Fingerprints can be cloned using toner, and even enhancements like temperature/humidity.. observe CCC's defeat of the iPhone fingerprint scanner within days of release.

On 09/06/14 14:02, Tomas -Overdrive- Petru wrote:
> I do not like the biometric idea at all, because we can change a password, but how can I change biometric measurements the moment something goes wrong? E.g. digital copy of biometrics is stolen [and that will happen for sure].
>
> Biometric is useless for me.
>
> ˜ Tomas
>
>
> On 06 Jun 2014, at 20:17, Gregory Foster wrote:
>
>> Signed PGP part
>> Federal Business Opportunities (Jun 4) - "Ephemeral Biometrics: An
>> Alternative to Traditional, Event-based Authentication" by Sandia
>> National Laboratories:
>> https://www.fbo.gov/index?s=opportunity&mode=form&id=06e9abca57bdd9dac64902e39f039c4f&tab=core&_cview=0
>>
>>> Sandia National Laboratories is engaged in ongoing research and
>>> development into transformational upgrades in the area of cyber
>>> identity management as well as Insider Threat Monitoring by using
>>> Ephemeral Biometrics (EB). EB is unique because individual
>>> identities are tied to living biometric data that is active and
>>> continuous.
>>> The purpose of the research is to derive convenient
>>> authentication techniques (e.g., alternatives to passwords) that
>>> are both active and continuous while at the same time significantly
>>> improving authenticity and integrity of cyber identities.
>>
>> "Ephemeral Biometrics: What are they and what do they solve?" by Sung
>> Choi and David Zage of Sandia National Laboratories (2013):
>> https://www.cs.purdue.edu/homes/zagedj/docs/iccst2013.pdf
>>
>> I'm not really sure what's ephemeral about redefining authentication
>> to mean continuous monitoring.
>>
>> This work directly targets insider threat concerns raised
>> post-Snowden, and provides further evidence that entities obsessed
>> with secrecy will destroy their own effectiveness in pursuit of an
>> improbable if not impossible definition of "security" which attempts
>> to hermetically seal systems that include human beings.
>>
>> Good luck with that!
>> gf
>>
>> --
>> Gregory Foster || gfoster at entersection.org
>> @gregoryfoster <> http://entersection.com/
>>
>
>

--
T: @onetruecathal, @IndieBBDNA
P: +353876363185
W: http://indiebiotech.com

From cathalgarvey at cathalgarvey.me Mon Jun 9 06:28:16 2014
From: cathalgarvey at cathalgarvey.me (Cathal Garvey)
Date: Mon, 09 Jun 2014 14:28:16 +0100
Subject: "Ephemeral" Biometrics
In-Reply-To: <7883158.UUiWVOGdQP@lapuntu>
References: <539205C0.3020706@entersection.org> <0D1161FC-E3DB-4A1B-BD86-73A27B17EC63@gmail.com> <5395B25E.2000108@cathalgarvey.me> <7883158.UUiWVOGdQP@lapuntu>
Message-ID: <5395B670.3010406@cathalgarvey.me>

XXI Century Tech in the sense that it's powerless against the faceless organisations who rule over we e-peasants? :)

On 09/06/14 14:25, rysiek wrote:
> On Monday, 9 June 2014 14:10:54 Cathal Garvey wrote:
>> Also, many (perhaps most) biometrics can be trivially forged. Facial
>> pictures are laughable without depth, but a 3D printed mask can probably
>> fool them even then. DNA is trivial to copy using the same methods
>> forensics depend on to ID it (and there are even companies that will
>> produce artificial DNA fingerprints to-order, now). Fingerprints can be
>> cloned using toner, and even enhancements like temperature/humidity..
>> observe CCC's defeat of the iPhone fingerprint scanner within days of
>> release.
>
> BUT IT'S SO COOOL!
> I mean, it's like XXI Century Technology, but today!
> You know, you swipe a finger and SHAZZAM, you're authenticated! It's *magic*!
>

--
T: @onetruecathal, @IndieBBDNA
P: +353876363185
W: http://indiebiotech.com

From cathalgarvey at cathalgarvey.me Mon Jun 9 06:47:39 2014
From: cathalgarvey at cathalgarvey.me (Cathal Garvey)
Date: Mon, 09 Jun 2014 14:47:39 +0100
Subject: "Ephemeral" Biometrics
In-Reply-To: <16502848.XronO3KdKQ@lapuntu>
References: <539205C0.3020706@entersection.org> <7883158.UUiWVOGdQP@lapuntu> <5395B670.3010406@cathalgarvey.me> <16502848.XronO3KdKQ@lapuntu>
Message-ID: <5395BAFB.1020108@cathalgarvey.me>

Oh I fully expected as much!

On 09/06/14 14:37, rysiek wrote:
> On Monday, 9 June 2014 14:28:16 Cathal Garvey wrote:
>> XXI Century Tech in the sense that it's powerless against the faceless
>> organisations who rule over we e-peasants? :)
>
> I hope you do realise there was a fair amount of sarcasm in my message. :)
>

--
T: @onetruecathal, @IndieBBDNA
P: +353876363185
W: http://indiebiotech.com

From tpetru at gmail.com Mon Jun 9 06:02:30 2014
From: tpetru at gmail.com (Tomas -Overdrive- Petru)
Date: Mon, 9 Jun 2014 15:02:30 +0200
Subject: "Ephemeral" Biometrics
In-Reply-To: <539205C0.3020706@entersection.org>
References: <539205C0.3020706@entersection.org>
Message-ID: <0D1161FC-E3DB-4A1B-BD86-73A27B17EC63@gmail.com>

I do not like the biometric idea at all, because we can change a password, but how can I change biometric measurements the moment something goes wrong? E.g. digital copy of biometrics is stolen [and that will happen for sure].

Biometric is useless for me.

˜ Tomas

On 06 Jun 2014, at 20:17, Gregory Foster wrote:

> Signed PGP part
> Federal Business Opportunities (Jun 4) - "Ephemeral Biometrics: An
> Alternative to Traditional, Event-based Authentication" by Sandia
> National Laboratories:
> https://www.fbo.gov/index?s=opportunity&mode=form&id=06e9abca57bdd9dac64902e39f039c4f&tab=core&_cview=0
>
> > Sandia National Laboratories is engaged in ongoing research and
> > development into transformational upgrades in the area of cyber
> > identity management as well as Insider Threat Monitoring by using
> > Ephemeral Biometrics (EB). EB is unique because individual
> > identities are tied to living biometric data that is active and
> > continuous. The purpose of the research is to derive convenient
> > authentication techniques (e.g., alternatives to passwords) that
> > are both active and continuous while at the same time significantly
> > improving authenticity and integrity of cyber identities.
>
> "Ephemeral Biometrics: What are they and what do they solve?" by Sung
> Choi and David Zage of Sandia National Laboratories (2013):
> https://www.cs.purdue.edu/homes/zagedj/docs/iccst2013.pdf
>
> I'm not really sure what's ephemeral about redefining authentication
> to mean continuous monitoring.
>
> This work directly targets insider threat concerns raised
> post-Snowden, and provides further evidence that entities obsessed
> with secrecy will destroy their own effectiveness in pursuit of an
> improbable if not impossible definition of "security" which attempts
> to hermetically seal systems that include human beings.
>
> Good luck with that!
> gf
>
> --
> Gregory Foster || gfoster at entersection.org
> @gregoryfoster <> http://entersection.com/
>

From rysiek at hackerspace.pl Mon Jun 9 06:25:22 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Mon, 09 Jun 2014 15:25:22 +0200
Subject: "Ephemeral" Biometrics
In-Reply-To: <5395B25E.2000108@cathalgarvey.me>
References: <539205C0.3020706@entersection.org> <0D1161FC-E3DB-4A1B-BD86-73A27B17EC63@gmail.com> <5395B25E.2000108@cathalgarvey.me>
Message-ID: <7883158.UUiWVOGdQP@lapuntu>

On Monday, 9 June 2014 14:10:54 Cathal Garvey wrote:
> Also, many (perhaps most) biometrics can be trivially forged. Facial
> pictures are laughable without depth, but a 3D printed mask can probably
> fool them even then. DNA is trivial to copy using the same methods
> forensics depend on to ID it (and there are even companies that will
> produce artificial DNA fingerprints to-order, now). Fingerprints can be
> cloned using toner, and even enhancements like temperature/humidity..
> observe CCC's defeat of the iPhone fingerprint scanner within days of
> release.

BUT IT'S SO COOOL!
I mean, it's like XXI Century Technology, but today!
You know, you swipe a finger and SHAZZAM, you're authenticated! It's *magic*!

--
Regards,
rysiek

From rysiek at hackerspace.pl Mon Jun 9 06:37:45 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Mon, 09 Jun 2014 15:37:45 +0200
Subject: "Ephemeral" Biometrics
In-Reply-To: <5395B670.3010406@cathalgarvey.me>
References: <539205C0.3020706@entersection.org> <7883158.UUiWVOGdQP@lapuntu> <5395B670.3010406@cathalgarvey.me>
Message-ID: <16502848.XronO3KdKQ@lapuntu>

On Monday, 9 June 2014 14:28:16 Cathal Garvey wrote:
> XXI Century Tech in the sense that it's powerless against the faceless
> organisations who rule over we e-peasants?
> :)

I hope you do realise there was a fair amount of sarcasm in my message. :)

--
Regards,
rysiek

From grarpamp at gmail.com Mon Jun 9 13:36:10 2014
From: grarpamp at gmail.com (grarpamp)
Date: Mon, 9 Jun 2014 16:36:10 -0400
Subject: "Ephemeral" Biometrics
In-Reply-To: <5395B25E.2000108@cathalgarvey.me>
References: <539205C0.3020706@entersection.org> <0D1161FC-E3DB-4A1B-BD86-73A27B17EC63@gmail.com> <5395B25E.2000108@cathalgarvey.me>
Message-ID:

On Mon, Jun 9, 2014 at 9:10 AM, Cathal Garvey wrote:
> Also, many (perhaps most) biometrics can be trivially forged. Facial
> pictures are laughable without depth, but a 3D printed mask can probably
> fool them even then. DNA is trivial to copy using the same methods
> forensics depend on to ID it (and there are even companies that will
> produce artificial DNA fingerprints to-order, now). Fingerprints can be
> cloned using toner, and even enhancements like temperature/humidity..
> observe CCC's defeat of the iPhone fingerprint scanner within days of
> release.

Biometrics suck for privacy and security because you're often giving them a sample of the raw biodata itself... your picture, palmprint, dna. They have that and can use it against you or lose custody and you yourself have been compromised with no fault of your own and cannot go back. Now if you give it to your own machine which makes and presents a hash to others, you are safer there. But no more secure than former.

Two factors of 'know' and 'have' with threat of sanction usually works fine. ie: HOTP, secureid, key+pin, your own biohash, etc.

Be careful what you wish for, some holes have value.

From dan at geer.org Mon Jun 9 20:27:27 2014
From: dan at geer.org (dan at geer.org)
Date: Mon, 09 Jun 2014 23:27:27 -0400
Subject: [cryptography] [Cryptography] Help investigate cell phone snooping by police nationwide
In-Reply-To: Your message of "Sun, 08 Jun 2014 01:51:18 EDT."
Message-ID: <20140610032727.68E0D2280C1@palinka.tinho.net>

The order of optimality:

1. no cell phone no how
2. cell phone with battery removed
3. disinformation feed
4. faraday cage for otherwise operational phone

Film at 11,

--dan

From cathalgarvey at cathalgarvey.me Tue Jun 10 02:42:05 2014
From: cathalgarvey at cathalgarvey.me (Cathal Garvey)
Date: Tue, 10 Jun 2014 10:42:05 +0100
Subject: odour detection
In-Reply-To: <5396B208.5010805@owca.info>
References: <74862d74361490eca930f43845394c7298b.20140606145310@mail193.atl21.rsgsv.net> <1402090585.15493.126084309.57EF8952@webmail.messagingengine.com> <1402112543.24123.126145001.7D0D6075@webmail.messagingengine.com> <1402247055.70505.YahooMailNeo@web126201.mail.ne1.yahoo.com> <1402379144.40372.YahooMailNeo@web126202.mail.ne1.yahoo.com> <5396B208.5010805@owca.info>
Message-ID: <5396D2ED.2080006@cathalgarvey.me>

It would be my opinion, off the top of my head, that this approach would not be useful in a "mass surveillance" context. Many of the volatiles under study would be abundant in ambient air pollution or even in clear country air; that they have diagnostic significance is tied to the context of a direct breath test, for example.

So, I can imagine a mass-surveillance apparatus attempting to detect ketones as part of a system that detects diabetics or drunkards, but where a simple breeze is enough to mask a potential match, and a rotting piece of fruit discarded on the subway floor is enough to swamp the sensors for hours.

Smell is all about context, and it's the sort of context I am doubtful could be made useful in a computerised fashion for mass surveillance.
Quite unlike, for example, sound, vision or even smell, which are far more easily localisable and distinguishable.

On 10/06/14 08:21, Matej Kovacic wrote:
> Hi,
>
>> be expected to vary depending on his recent diet, or perhaps whether he
>> has been ill recently. I have heard occasional references to the idea
>> of diagnosing people of various illnesses based on the presence of
>> minute amounts of chemicals in breath (a neat idea, BTW).
>
> There is some serious research about this:
>
> - https://www.youtube.com/watch?v=1i-Rx-Nsf3E
>
> - http://www.nature.com/bjc/journal/v103/n4/full/6605810a.html
>
> - http://pubget.com/paper/18594325/analysis-of-volatile-organic-compounds-in-the-exhaled-breath-for-the-diagnosis-of-lung-cancer
>
> - http://www.jthoracdis.com/article/view/1560/html
>
> A little older research:
> - http://www.foxnews.com/story/2007/02/28/breath-odor-can-be-key-to-detecting-cancer/
>
> - http://news.bbc.co.uk/2/hi/health/3682722.stm
>
> - http://gut.bmj.com/content/early/2011/01/17/gut.2010.218305.short?q=w_gut_ahead_tab
>
> P. S: If anyone has any recent information about this (especially
> clinical tests), please let me know. It is an area which is of a great
> interest to me.
>
> Regards,
>
> Matej
>

--
T: @onetruecathal, @IndieBBDNA
P: +353876363185
W: http://indiebiotech.com

From dan at geer.org Tue Jun 10 08:36:25 2014
From: dan at geer.org (dan at geer.org)
Date: Tue, 10 Jun 2014 11:36:25 -0400
Subject: [cryptography] [Cryptography] Help investigate cell phone snooping by police nationwide
In-Reply-To: Your message of "Mon, 09 Jun 2014 13:40:25 PDT."
Message-ID: <20140610153625.DDBC3228100@palinka.tinho.net>

[lots of cross posting, as per original]

Stipulating that I'm not in any conceivable sense the last word on this topic, you might find some of this

Tradeoffs in Cyber Security
Dan Geer, 9 October 13, UNCC
http://geer.tinho.net/geer.uncc.9x13.txt

relevant. If short on reading time, scan down to "Marcia Hofmann."

--dan

From grarpamp at gmail.com Tue Jun 10 13:52:59 2014
From: grarpamp at gmail.com (grarpamp)
Date: Tue, 10 Jun 2014 16:52:59 -0400
Subject: Cryptome down
Message-ID:

403: Forbidden

This error message is generated when the web server is trying to access a file that does not exist or has been configured incorrectly

Troubleshooting suggestions:

Ensure that you have a valid home page defined in your website directory (example: /htdocs/index.html, /htdocs/index.php). On Unix, this is case sensitive and must be all lower case.

In your Account Manager, under Hosting Tools, click to "Reset File Permissions".

From coderman at gmail.com Wed Jun 11 15:29:48 2014
From: coderman at gmail.com (coderman)
Date: Wed, 11 Jun 2014 15:29:48 -0700
Subject: Cryptome down
In-Reply-To:
References:
Message-ID:

On Tue, Jun 10, 2014 at 1:52 PM, grarpamp wrote:
> 403: Forbidden

it's back now.

... and for future reference, you may check:
https://twitter.com/Cryptomeorg
http://cryptomeorg.siteprotect.net/

From coderman at gmail.com Wed Jun 11 15:40:12 2014
From: coderman at gmail.com (coderman)
Date: Wed, 11 Jun 2014 15:40:12 -0700
Subject: Encryption Works - Off Topic
Message-ID:

On Tue, Jun 10, 2014 at 9:15 PM, Mark Thomas wrote:
> I sent this email to John since he is the only one who answered the question
> I asked about your statement.
>
> Do you care to respond?

i'm not sure what you expect me to say.

Encryption Works - usually against the interests of its users!

as we have seen from the current leaks and past history, encryption tells you where the interesting data and networks are, and also where not to bother attacking.

encryption provides cover for backdoors and side channels you don't know are there.

encryption with broken keys provides false confidence leading to greater losses.

encryption with poor usability fails catastrophically, undoing the privacy of all prior exchanges in a single fatal swoop.

encryption's specialized nature leads to centralized authorities and experts easily compromised unwittingly, or wittingly. (or both at once!)

you see where this is going...

is it useless? i think not. (blanket, passive surveillance always worthwhile to thwart) but it's nowhere near sufficient as a privacy enhancing technology itself.

From grarpamp at gmail.com Wed Jun 11 19:49:03 2014
From: grarpamp at gmail.com (grarpamp)
Date: Wed, 11 Jun 2014 22:49:03 -0400
Subject: Cryptome down
In-Reply-To:
References:
Message-ID:

On Wed, Jun 11, 2014 at 6:29 PM, coderman wrote:
> ... and for future reference, you may check:
> https://twitter.com/Cryptomeorg
> http://cryptomeorg.siteprotect.net/

http://www.freelists.org/archive/cryptome/

From thefox21at at gmail.com Wed Jun 11 23:46:10 2014
From: thefox21at at gmail.com (Christian Mayer)
Date: Thu, 12 Jun 2014 08:46:10 +0200
Subject: Cryptome down
In-Reply-To:
References:
Message-ID:

Why was it down?

On Thu, Jun 12, 2014 at 12:29 AM, coderman wrote:
> On Tue, Jun 10, 2014 at 1:52 PM, grarpamp wrote:
> > 403: Forbidden
>
> it's back now.
>
> ... and for future reference, you may check:
> https://twitter.com/Cryptomeorg
> http://cryptomeorg.siteprotect.net/
>

From odinn.cyberguerrilla at riseup.net Thu Jun 12 14:27:02 2014
From: odinn.cyberguerrilla at riseup.net (Odinn Cyberguerrilla)
Date: Thu, 12 Jun 2014 14:27:02 -0700
Subject: Fwd: Re: [FD] More OpenSSL issues
In-Reply-To: <1402180210.6400.126320229.2065BEFA@webmail.messagingengine.com>
References: <1402180210.6400.126320229.2065BEFA@webmail.messagingengine.com>
Message-ID:

Hello,

I'm inviting whoever wants to, and is interested in doing so, to add to this guide on openssl issues (which probably given the pace of openssl developments, is very likely not up to par with where it should be for humans to read and benefit meaningfully from it). It's focused on benefiting open source operating system users and throws some tidbits in for Mac/OSX folks as well.

Please feel free to make pull request to change it if it needs change, addition, whatever, at:

https://github.com/btcfoundationedcom/btcfoundationedcom.github.io/blob/master/proposals/heartbleedmitigation.md

If interested in other sorts of participation (including if you want to join the repo as collaborator), please see the blog at:

https://github.com/btcfoundationedcom/btcfoundationedcom.github.io/blob/master/blog/01-decentralization.md

and the readme at:

https://github.com/btcfoundationedcom/btcfoundationedcom.github.io

Cheers!

> re: Jim's post from yesterday. From the Full Disclosure list:
>
> On Sat, Jun 7, 2014, at 02:04 PM, Craig Young wrote:
> Yeah, definitely not in the same ballpark as heartbleed fortunately.
>
> I have posted a detection script on the Tripwire blog to identify servers
> permitting the early CCS:
> http://www.tripwire.com/state-of-security/incident-detection/detection-script-for-cve-2014-0224-openssl-cipher-change-spec-injection/
>
> It should detect potentially vulnerable hosts with a variety of
> configurations.
>
> Thanks,
> Craig
>
>
>> On Jun 6, 2014 3:36 AM, "P Vixie" <> wrote:
>>
>> > This does not appear to be the same panic level as the previous patch. In
>> > other words the previous openssl vuln was worse than the instability of
>> > all-night patching. This one is not. Take time to roll out right.
>> >
>> > On June 5, 2014 7:51:50 AM PDT, Jordan Urie <> wrote:
>> > >Ladies and Gentlemen,
>> > >
>> > >There's an MITM in there, and a potential for buffer over-runs.
>> > >
>> > >Patch up :-)
>> > >
>> > >Jordan
>> > >
>> > >--
>> > >
>> > >Jordan R. Urie
>> > >
>> > >UP Technology Consulting, Inc.
>> > >1129 - 177A St. SW
>> > >Edmonton, AB T6W 2A1
>> > >Phone:
>> > >
>> > >www.uptech.ca
>> > >
>> > >_______________________________________________
>> > >Sent through the Full Disclosure mailing list
>> > >
>> > >Web Archives & RSS:
>> >
>> > --
>> > Sent from my Android phone with K-9 Mail. Please excuse my brevity.
>

From grarpamp at gmail.com Thu Jun 12 13:57:56 2014
From: grarpamp at gmail.com (grarpamp)
Date: Thu, 12 Jun 2014 16:57:56 -0400
Subject: Internet Giants erect barriers to spy agencies
In-Reply-To: <20140612170237.00001be0@unknown>
References: <1402120241.94408.YahooMailNeo@web126202.mail.ne1.yahoo.com> <20140612170237.00001be0@unknown>
Message-ID:

On Thu, Jun 12, 2014 at 4:02 PM, user wrote:
>> Facebook,
>> Microsoft and Yahoo are taking similar steps.

All of these and Google are also moving towards phone 'auth' (aka: database of you), and 'real name' government picture ID policies. Don't expect your accounts to be grandfathered, Facebook is already locking longstanding accounts out that do not provide these.

It would seem there is now good opportunity for people to spin up alternative projects to the big 4 that would take a nice post-snowden post-big-data approach to respecting people and their right to privacy, etc. A good strong no bullshit stance on that could be quite profitable in its own right when compared to the abysmal big 4. It won't be free, but it could be anon... $25/year cash in the mail x 1M users = $$$. Who's in?

From juan.g71 at gmail.com Thu Jun 12 13:02:37 2014
From: juan.g71 at gmail.com (user)
Date: Thu, 12 Jun 2014 17:02:37 -0300
Subject: Internet Giants erect barriers to spy agencies
In-Reply-To: <1402120241.94408.YahooMailNeo@web126202.mail.ne1.yahoo.com>
References: <1402120241.94408.YahooMailNeo@web126202.mail.ne1.yahoo.com>
Message-ID: <20140612170237.00001be0@unknown>

> http://www.nytimes.com/2014/06/07/technology/internet-giants-erect-barriers-to-spy-agencies.html?mabReward=RI%3A15&module=WelcomeBackModal&contentCollection=Fashion%20%26%20Style&region=FixedCenter&action=click&pgtype=article
>
>
> MOUNTAIN VIEW, Calif. — Just down the road from Google’s main campus
> here, engineers for the company are accelerating what has become the
> newest arms race in modern technology: They are making it far more
> difficult — and far more expensive — for the National Security Agency
> and the intelligence arms of other governments around the world to
> pierce their systems.

How can such fuckingly stupid lies be so blatantly thrown up? Don't these shitbags have a shred of decency left in them? (I guess mine's a typical rhetorical question....)

There's something these people really excel at and it is not engineering. It is hypocrisy. These shitbags are the biggest hypocrites in all fucking christendom (which for them is, of course, 'the whole universe')

> As fast as it can, Google is sealing up cracks
> in its systems that Edward J. Snowden revealed the N.S.A. had
> brilliantly exploited.
> It is encrypting more data

bla bla bla - more puke

> as it moves among
> its servers and helping customers encode their own emails.

mooooore puke!!!!! Yes, google does not do evil.

> Facebook,
> Microsoft and Yahoo are taking similar steps.

Yes, we believe in motherfucking jesuschrist and microsoft...and the founding fuckers.

From oottela at cs.helsinki.fi Fri Jun 13 09:28:10 2014
From: oottela at cs.helsinki.fi (oottela)
Date: Fri, 13 Jun 2014 19:28:10 +0300
Subject: Tinfoil Chat
Message-ID:

Hi Cathal. Thanks for your review!

The RxM that does the MAC verification doesn't leak data to network connected computer so attacker would have to have line of sight to display of RxM and through trial and error send tampered packets until one doesn't show the warning about tampering. By then user should have pretty good idea about what is going on. Recovering key material shouldn't be a problem since key is not reused in signing of new messages. The implementation however has now been changed while fixing more critical vulnerability with hash function input size.

Regarding second issue, LibPurple does not contribute to privacy of messages in any way. The only thing the computer that LibPurple is running on handles is OTP encrypted data. OTP keys and plaintext messages never touch that computer and malicious functionality of that computer can not possibly request the actual keys from waterfall secured TxM or RxM. The whitepaper explains why the system is secure even if attacker gains root access to computer where Pidgin is running.

I did not write the program that samples entropy via GPIO. Programs written in C generally work faster so I didn't feel the need to redo the part. Also, the installer takes care of compiling.

I've done some testing and according to Ent /dev/urandom is more random (7.999995 bits / byte) source than the TRNG (7.997587 bits / byte).
However I'm somewhat concerned about seeding, pseudo randomness and effect of modern hwrng devices - can seeding of urandom be compromised by /dev/hwrng input from processor with dopant trojan even if mixing entropy from functional TRNG is done. I'll have to read about the issue before I'll change the implementation. After all, with the TRNG there should be no auto-correlation if sampling speed is slow enough, and no bias when Von Neumann correction is used, despite what statistical tests say.

Also, I'll look into the ctypes library and see about the difference in sampling speed. As user has access to source I suppose compiling doesn't endanger the security in any notable way.

On 09.06.2014 12:28, Cathal Garvey wrote:
> Interesting; I'm scanning the code now, but won't pretend to be an expert.
>
> First thing, your HMAC code is possibly vulnerable to a timing attack:
> https://github.com/maqp/tfc/blob/master/Rx.py
> ..using direct string/byte comparisons for HMACs can be vulnerable as
> most languages will shortcut on the first mismatch. In your case, using
> this attack might require the means to craft a message that matches a
> certain hash, but maybe someone who knows more could use this to recover
> key material? The way to avoid this is a comparison function whose time
> does not depend on the likeness or unlikeness of the compared values,
> for example by xoring the strings or characters.
>
> Second issue is the use of LibPurple at all. It's widely considered to
> be a security trainwreck, and given its poor reputation *and* the total
> disinclination of the libpurple devs to bother with security concerns at
> all, it's easy to imagine anything up to remote code execution in
> libpurple compromising the whole system.
>
> So, your tinfoil hat could be as secure as anything, but relying on
> libpurple may undermine the entire exercise. Using a different transport
> may be more valuable.
>
> Finally, you're using a custom HWRNG, and reading with custom C code to
> a file. Firstly, why is this a C function, when you could probably
> achieve it in Python? But, more importantly, why not use the system call
> to deliver this entropy to /dev/urandom, and use that? The mixing code
> for /dev/urandom has received pretty good review, far more than your
> code can hope for, so the more you rely on /dev/urandom IMO the better.
> There's a Linux system call to mix entropy into the system pool, and
> your HWRNG would be well served to use that if you ask me.
>
> And, you could probably access that call using ctypes from Python
> without requiring your end users to compile C. The less compilation
> required, the more likely you are to get user buy-in.
>
>
> On 08/06/14 03:33, oottela wrote:
>> I'd like to share a project I came up with back in spring 2012 and begun
>> working after the Snowden leaks started.
>>
>> Highlights are
>>
>> -OTP encryption for perfect secrecy
>> -OTP encrypted Keccak HMACs to prevent undetectable message tampering
>> -HW TRNG to generate truly random keys (Von Neumann whitened)
>> -HW Data diodes to provide immunity against message exfiltration attacks
>> originating from network.
>>
>> Source code and links to whitepaper and manual are available from
>>
>> https://github.com/maqp/tfc/
>>
>> Regards, Markus

From grarpamp at gmail.com Fri Jun 13 17:00:44 2014
From: grarpamp at gmail.com (grarpamp)
Date: Fri, 13 Jun 2014 20:00:44 -0400
Subject: Amazing NSA excuse
In-Reply-To: <1402642573.28065.YahooMailNeo@web126204.mail.ne1.yahoo.com>
References: <1402642573.28065.YahooMailNeo@web126204.mail.ne1.yahoo.com>
Message-ID:

On Fri, Jun 13, 2014 at 2:56 AM, jim bell wrote:
> http://theweek.com/article/index/262945/the-nsa-has-a-shocking-new-excuse-for-destroying-evidence
> "One thing that makes reporting on the NSA so difficult is that you have to
> deconstruct their statements like Derrida to figure out what they're
> actually saying.
> ...
> "The NSA's legal squirming is bad enough. But an agency writing itself a
> blank check to allegedly destroy evidence based on the sheer size and
> complexity of the possibly illegal program in question is another thing
> entirely. There shouldn't be an "unless your dragnet surveillance program is
> really big" exception to the Fourth Amendment.

A lot of the issue is why *your* records, metadata, and maybe even full take, are on government disks if *you* have not been the subject of a specific warrant against you under the Fourth. That's not supposed to happen (ie: it's illegal, regardless of whatever postprocessing, access, expiry and oversight rules there may be) and that bothers people, a lot... the slippery slope, grandness, secrecy, and handwavy assuredness of it all. People want genuine discovery on these programs so they can make the call.

The govt likes to wave examples of specific cases, but seem to be debunked by media security analysts as not particularly constituting the claimed "immediate and grave danger[s] to the national security" [docket 244 page 6], such that ordinary quality investigations and specific warrants might suffice.
People want to see the cases and define immediate and grave for themselves.

People don't seem to mind vacuuming up overseas background noise as spy-vs-spy gamesmanship, but question how that may now be resulting in various things like drone killings without public trials. People wonder what they did, and where it could lead if unchecked. Then the stingrays, parallel construction, Lavabits and much more. A difficult balance to be sure. And the media columns only have space for glossing both sides.

The docs behind the above referenced news article are available if you want to read what the news is talking about...

https://www.eff.org/nsa-spying
https://www.eff.org/cases/jewel
https://ia600508.us.archive.org/10/items/gov.uscourts.cand.207206/gov.uscourts.cand.207206.docket.html

From grarpamp at gmail.com Fri Jun 13 21:24:46 2014
From: grarpamp at gmail.com (grarpamp)
Date: Sat, 14 Jun 2014 00:24:46 -0400
Subject: [Cryptography] ghash.io hits 50% of the Bitcoin compute power
In-Reply-To: <20140613224342.3cf9aae8@jabberwock.cb.piermont.com>
References: <20140613095109.74c0c0be@jabberwock.cb.piermont.com> <20140613174446.1b1eb388@jabberwock.cb.piermont.com> <20140613224342.3cf9aae8@jabberwock.cb.piermont.com>
Message-ID:

On Fri, Jun 13, 2014 at 10:43 PM, Perry E. Metzger wrote:
> And how do these others know that the public key in question has any
> connection to a particular set of coins in the ledger? How do they
> know that some other key, in fact, isn't the correct one?

Because the former owner signed the 'coins' over to the public key in question, confirmed all the way back to their first generation, in a ledger back to the genesis. You were given (bought) the deed of your house from someone, confirmed by many titles before in recorders ledger, right?

> Who is everybody?

Everyone who says, "well, my chain was at this height before suspect 51% attack (or other) issue, let's compare." Though that's an event you *really* want to avoid.
Thus for their own good people will move off ghash.io. Or will plain stop transacting and starve the pools of trans fees and trans to scam. And how many dollars on hardware and power would an 'unknown' pool of say government or criminals need to reach 51% on their own for disruption or profit? By now, maybe an amount that might be hard to keep quiet.

> Do millions of people actually store and check the complete block
> chain on a routine basis? Where did your little cellphone wallet
> app get its blockchain from? When was the last time you verified the
> custody chain of all coins? Does your cellphone wallet app do that
> all the time? Where do people get this historical ledger from?

There are verifiable and agreed upon checkpoints...

https://en.bitcoin.it/wiki/Checkpoint_Lockin
https://bitcointalk.org/index.php?topic=145386.0
https://bitcointalk.org/index.php?topic=117982.0
https://bitcointalk.org/index.php?topic=252937.0

> I think you're trusting quite a bit here.
>
> Bitcoin isn't primarily protected by mathematics, it is primarily
> protected by a social process that can be gamed. Gaming it is
> nontrivial because the social process is protected by cryptography,
> but there seems like a great deal of religion behind people's claims
> of how well it all works in the face of attack, perhaps because a lot
> of people want it to work very, very badly.

Agreed there is a lot of trust, crazy trust, and the adoption in actual business using it (not simply user2user beer and pizza trade), is a bit amazing. So far it's held up. Try to break it or game it, mathematically or operationally, huge recognition for anyone who does. Those with personal money (not mined) in their hoards are on their own risk decision on that, at least until say the ten year mark and the laws prove out. Others have mined or can mine, or invest, to recover/recoup their entry which makes it free for them. The rest seem to get in, buy a pizza, and get out (perhaps wisely).

https://en.bitcoin.it/wiki/Contingency_plans

Lots people should read, learn and evaluate, me too. Meanwhile, I don't have a problem putting some disposable funds into holding, trading, commerce, or related bitcoin business and seeing what happens. Call me stupid, seems more fun, profitable and useable than blowing lottery tickets would be. And if that's all it's ever good for you can have my wallet after you break Bitcoin ;-)

https://en.bitcoin.it/wiki/Trade
https://bitcoinaverage.com/

From coderman at gmail.com Sat Jun 14 01:12:09 2014
From: coderman at gmail.com (coderman)
Date: Sat, 14 Jun 2014 01:12:09 -0700
Subject: Internet Giants erect barriers to spy agencies
In-Reply-To:
References: <1402120241.94408.YahooMailNeo@web126202.mail.ne1.yahoo.com> <20140612170237.00001be0@unknown>
Message-ID:

On Thu, Jun 12, 2014 at 1:57 PM, grarpamp wrote:
> ...
> All of these and Google are also moving towards phone
> 'auth' (aka: database of you), and 'real name' government
> picture ID policies. Don't expect your accounts to be
> grandfathered,

i'll be your canary in the coal mine... ;)

From coderman at gmail.com Sat Jun 14 02:12:50 2014
From: coderman at gmail.com (coderman)
Date: Sat, 14 Jun 2014 02:12:50 -0700
Subject: Amazing NSA excuse
In-Reply-To:
References: <1402642573.28065.YahooMailNeo@web126204.mail.ne1.yahoo.com>
Message-ID:

On Fri, Jun 13, 2014 at 5:00 PM, grarpamp wrote:
> On Fri, Jun 13, 2014 at 2:56 AM, jim bell wrote:
>> ...
>> "The NSA's legal squirming is bad enough. But an agency writing itself a
>> blank check to allegedly destroy evidence based on the sheer size and
>> complexity of the possibly illegal program in question is another thing
>> entirely. There shouldn't be an "unless your dragnet surveillance program is
>> really big" exception to the Fourth Amendment.
>
> A lot of the issue is why *your* records, metadata, and maybe even full
> take, are on government disks if *you* have not been the subject of a specific
> warrant against you under the Fourth. That's not supposed to happen
> (ie: it's illegal, regardless of whatever postprocessing, access, expiry
> and oversight rules there may be) and that bothers people, a lot....

feature; not bug!

configure plausible deniability to zeroise incriminating information. utilize exceptionally compartmented collections to destroy credible opponents. walk away successful without a trace to be seen...

these fucks are playing a dirty game... how best to curtail?

From bbrewer at littledystopia.net Sat Jun 14 11:42:31 2014
From: bbrewer at littledystopia.net (b. brewer)
Date: Sat, 14 Jun 2014 14:42:31 -0400
Subject: Geoff Stone, Obama's Review Group
In-Reply-To: <20140404042502.7DA6C2280B0@palinka.tinho.net>
References: <20140404042502.7DA6C2280B0@palinka.tinho.net>
Message-ID: <539C9797.6000503@littledystopia.net>

On 4/4/2014 12:25 AM, dan at geer.org wrote:
> Responding to various,
>
> Google up Geoff Stone; he's a Constitutional lawyer, clerked for
> Brennan, was Dean of the Law School and then Provost of U Chicago.
> His relationship with President Obama may well result in Obama's
> Presidential Library coming to U Chicago. Maybe that is
> comforting. Maybe that feeds your conclusions about how broad The
> Conspiracy is. .......
> --dan
>

So, because not only has he played 'in the system', but in fact excelled 'in the system', he is meant to be viewed as a MORE trustworthy source?

Conclusions, fed. Next, work on feeding the homeless....

From grarpamp at gmail.com Sat Jun 14 18:42:16 2014
From: grarpamp at gmail.com (grarpamp)
Date: Sat, 14 Jun 2014 21:42:16 -0400
Subject: Amazing NSA excuse
In-Reply-To:
References: <1402642573.28065.YahooMailNeo@web126204.mail.ne1.yahoo.com>
Message-ID:

On Sat, Jun 14, 2014 at 5:12 AM, coderman wrote:
> these fucks are playing a dirty game...
> how best to curtail?

Technically?

Raise costs, decrease easily accessible signal... everyone encrypt, p2p, and even obfuscate route, everything. You can't really expect the masses to do this on their own, so much as you might hate it, you're going to have to write addon gui's and docs and make it cool.

In business?

Stop collecting, mining and voluntarily sharing... as an abhorrence against humanity. Rise from your own depravity. You can still make an honest dollar without it. These days respecting privacy sells, at least a little more than it did previously.

Politically?

I've been told that voting, letter writing, calling, visiting, funding, running for office [1], and all manner of other civic and civil participation works, across all areas public and private.

I've also been told that hard drives really disklike the presence of sledgehammers in their midst, especially when brought in by angry mobs wielding pitchforks.

I've no idea there, choose your own adventure.

[1] Cypherpunk is not incompatible with lawbook, taxbook, execbook. It's total greenfield.

From sdw at lig.net Sun Jun 15 09:34:01 2014
From: sdw at lig.net (Stephen D. Williams)
Date: Sun, 15 Jun 2014 09:34:01 -0700
Subject: Lois Lerner's conveeeeeeeeeeniently-lost emails.
In-Reply-To:
References: <1402814887.32476.YahooMailNeo@web126202.mail.ne1.yahoo.com>
Message-ID: <539DCAF9.1030206@lig.net>

I assume she was using Outlook and probably Exchange. Does anyone using Outlook really expect to be able to reliably have access to their old email very long? I think "those people" are idiots... I'd guess that Outlook / Exchange versioning issues, corruption, periodic rebuilds / restarts, and general Windows / Microsoft related confusion led to periodic lossage that is just the cost of using such technology.

I have a continuous archive of email spanning more than 20 years, and something like 25-30GB, online and always accessible to me. And with numerous backups, all easy to make and restore.
And all using mbox format, around since essentially the beginning of email, which is resilient to corruption, truncation, etc.

In multiple cases, at multiple companies, people have needed access to old email and documents which I had but were long ago lost to everyone else (who mostly used Outlook). In one case, it allowed a new contract worth probably more than a million or two.

Email is my most reliable source of stored and organized knowledge. I've been hard at work, in my fragmented spare time, working on a true knowledgebase app / interchange format / distributed security system. (The key problem really is a much better user interface paradigm.) You can bet there will be a couple ways to represent and archive it that is as resilient as mbox.

Stephen

On 6/15/14, 8:05 AM, Henry Rivera wrote:
>
> On Jun 15, 2014, at 2:48 AM, jim bell wrote:
>
>> Note: I wonder what kind of email system would be: 1. Used by the Federal Government. 2. NOT be regularly backed-up. 3.
>> Would lose up to two (2) years of emails in a crash.
>> Jim Bell
>> [article follows]
>
> Generously giving them the benefit of the doubt, I'm under the impression that the backup is what failed. I would assume the
> target of the investigation deleted her inbox.

From 4chaos.onelove at gmail.com Sun Jun 15 08:05:55 2014
From: 4chaos.onelove at gmail.com (Henry Rivera)
Date: Sun, 15 Jun 2014 11:05:55 -0400
Subject: Lois Lerner's conveeeeeeeeeeniently-lost emails.
In-Reply-To: <1402814887.32476.YahooMailNeo@web126202.mail.ne1.yahoo.com>
References: <1402814887.32476.YahooMailNeo@web126202.mail.ne1.yahoo.com>
Message-ID:

> On Jun 15, 2014, at 2:48 AM, jim bell wrote:
>
> Note: I wonder what kind of email system would be: 1. Used by the Federal Government. 2. NOT be regularly backed-up. 3. Would lose up to two (2) years of emails in a crash.
> Jim Bell
> [article follows]

Generously giving them the benefit of the doubt, I'm under the impression that the backup is what failed. I would assume the target of the investigation deleted her inbox.

From wb8foz at nrk.com Sun Jun 15 08:56:23 2014
From: wb8foz at nrk.com (David)
Date: Sun, 15 Jun 2014 11:56:23 -0400
Subject: Lois Lerner's conveeeeeeeeeeniently-lost emails.
In-Reply-To: <1402814887.32476.YahooMailNeo@web126202.mail.ne1.yahoo.com>
References: <1402814887.32476.YahooMailNeo@web126202.mail.ne1.yahoo.com>
Message-ID: <539DC227.9040608@nrk.com>

On 6/15/14 2:48 AM, jim bell wrote:
> Note: I wonder what kind of email system would be: 1. Used by the
> Federal Government. 2. NOT be regularly backed-up. 3. Would lose up
> to two (2) years of emails in a crash.

The one run by the lowest bidder subcontractor.

Outside of The Fort, the concept of the USG actually employing IT people with the Right Stuff is rapidly fading in the rear view mirror.

[I obviously don't know the specifics of this case, but in general....]

More amusing to me is the Fort telling His Honor they can't obey an order to NOT delete records, because that's too complicated....

From jamesdbell9 at yahoo.com Sun Jun 15 12:29:03 2014
From: jamesdbell9 at yahoo.com (jim bell)
Date: Sun, 15 Jun 2014 12:29:03 -0700 (PDT)
Subject: Fw: Lois Lerner's conveeeeeeeeeeniently-lost emails.
In-Reply-To: <1402860045.13208.YahooMailNeo@web126203.mail.ne1.yahoo.com>
References: <1402814887.32476.YahooMailNeo@web126202.mail.ne1.yahoo.com> <15109134.TbKs85M3k7@lapuntu> <1402860045.13208.YahooMailNeo@web126203.mail.ne1.yahoo.com>
Message-ID: <1402860543.47927.YahooMailNeo@web126204.mail.ne1.yahoo.com>

Somebody reminded me...

>> Note: I wonder what kind of email system would be: 1. Used by the
>> Federal Government. 2. NOT be regularly backed-up. 3.
>> Would lose up to two (2) years of emails in a crash. Jim Bell
>> [article follows]

>I'm sure they'd be able to find backups in a serverfarm in Utah, eh?

Excellent point! Although, that Utah operation might not have been functioning in 2011. But presumably the NSA had a smaller operation somewhere else prior to that. So, who wants to REMIND the prosecutors in IRS-gate that somebody else has these emails?

Maybe the future for the NSA will be as a type of "super-backwards-Carbonite" operation? But instead of, "Pay us money and we'll back up your emails", it'll be, "Pay us money and we WON'T back up your emails"!!!

Jim Bell

From juan.g71 at gmail.com Sun Jun 15 12:42:14 2014
From: juan.g71 at gmail.com (Juan)
Date: Sun, 15 Jun 2014 16:42:14 -0300
Subject: Lois Lerner's conveeeeeeeeeeniently-lost emails.
In-Reply-To: <539DC227.9040608@nrk.com>
References: <1402814887.32476.YahooMailNeo@web126202.mail.ne1.yahoo.com> <539DC227.9040608@nrk.com>
Message-ID: <20140615164214.0000472e@unknown>

On Sun, 15 Jun 2014 11:56:23 -0400 David wrote:

> On 6/15/14 2:48 AM, jim bell wrote:
>
> > Note: I wonder what kind of email system would be: 1. Used by the
> > Federal Government. 2. NOT be regularly backed-up. 3. Would lose
> > up to two (2) years of emails in a crash.
>
> The one run by the lowest bidder subcontractor.

Ah yes. The stingy taxpayers are to blame actually. Not willing to pay higher taxes.

>
> Outside of The Fort, the concept of the USG actually employing IT
> people with the Right Stuff is rapidly fading in the rear view mirror.
>
> [I obviously don't know the specifics of this case, but in
> general....]
>
> More amusing to me is the Fort telling His Honor they can't obey an
> order to NOT delete records, because that's too complicated....
>
>

From juan.g71 at gmail.com Sun Jun 15 12:47:01 2014
From: juan.g71 at gmail.com (Juan)
Date: Sun, 15 Jun 2014 16:47:01 -0300
Subject: Amazing NSA excuse
In-Reply-To:
References: <1402642573.28065.YahooMailNeo@web126204.mail.ne1.yahoo.com>
Message-ID: <20140615164701.000060c9@unknown>

On Sat, 14 Jun 2014 21:42:16 -0400 grarpamp wrote:

> Politically?
>
> I've been told that voting, letter writing, calling, visiting,
> funding, running for office [1], and all manner of other civic and
> civil participation works, across all areas public and private.

If that's what you've been told, then you need to stop listening to people who don't know the ABC of political theory

>
> I've also been told that hard drives really disklike the presence
> of sledgehammers in their midst, especially when brought in by angry
> mobs wielding pitchforks.
>
> I've no idea there, choose your own adventure.
>
> [1] Cypherpunk is not incompatible with lawbook, taxbook, execbook.
> It's total greenfield.

From juan.g71 at gmail.com Sun Jun 15 14:51:36 2014
From: juan.g71 at gmail.com (Juan)
Date: Sun, 15 Jun 2014 18:51:36 -0300
Subject: Amazing NSA excuse
In-Reply-To: <19241935.PNfpNnN5Yf@lapuntu>
References: <1402642573.28065.YahooMailNeo@web126204.mail.ne1.yahoo.com> <20140615164701.000060c9@unknown> <19241935.PNfpNnN5Yf@lapuntu>
Message-ID: <20140615185136.00005978@unknown>

On Sun, 15 Jun 2014 22:22:01 +0200 rysiek wrote:

> On Sunday, 15 June 2014 16:47:01 Juan wrote:
> > On Sat, 14 Jun 2014 21:42:16 -0400
> >
> > grarpamp wrote:
> > > Politically?
> > >
> > > I've been told that voting, letter writing, calling, visiting,
> > > funding, running for office [1], and all manner of other civic and
> > > civil participation works, across all areas public and private.
> >
> > If that's what you've been told, then you need to stop
> > listening to people who don't know the ABC of political
> > theory
>
> From the perspective of a person deeply involved in the anti-ACTA
> process in the EU[1][2], and having come to conclusions that are
> compatible with what grarpamp "has been told", I would like to thank
> you for enlightening us so insightfully and verbosely. The power of
> your arguments combined with the clarity of your delivery are truly
> magnificent.
>

Too bad I simply stated a fact.

Your sarcasm is out of place and the joke is on you. I suggest that you, too, get to the core of political theory...and practice

> No, please, no need for any more concrete information, I think we can
> all agree that at this point it would be hard to not be convinced to
> what you so skilfully put forward.

bla bla bla - sign some useless petition to your masters, play the politicians' game. Fancy that you are an oh so great activist.

>
> [1] http://rys.io/en/59
> [2] http://rys.io/en/70
>

From grarpamp at gmail.com Sun Jun 15 18:33:16 2014
From: grarpamp at gmail.com (grarpamp)
Date: Sun, 15 Jun 2014 21:33:16 -0400
Subject: Amazing NSA excuse
In-Reply-To: <6769200.xWRNA1bpxd@lapuntu>
References: <1402642573.28065.YahooMailNeo@web126204.mail.ne1.yahoo.com> <19241935.PNfpNnN5Yf@lapuntu> <20140615185136.00005978@unknown> <6769200.xWRNA1bpxd@lapuntu>
Message-ID:

On Sun, Jun 15, 2014 at 6:37 PM, rysiek wrote:
>> these fucks are playing a dirty game... how best to curtail?
> And your solution instead is what exactly? "Nah, sit on yer arse, nothing's
> gonna change"? That sounds familiar:

Speaking of arse, I've heard this works too...

https://www.youtube.com/watch?v=lEOOZDbMrgE

From rysiek at hackerspace.pl Sun Jun 15 12:38:01 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Sun, 15 Jun 2014 21:38:01 +0200
Subject: Lois Lerner's conveeeeeeeeeeniently-lost emails.
In-Reply-To: <1402814887.32476.YahooMailNeo@web126202.mail.ne1.yahoo.com>
References: <1402814887.32476.YahooMailNeo@web126202.mail.ne1.yahoo.com>
Message-ID: <58477169.aplyj8uJs2@lapuntu>

On Saturday, 14 June 2014 23:48:07 jim bell wrote:
> Note: I wonder what kind of email system would be: 1. Used by the
> Federal Government. 2. NOT be regularly backed-up. 3. Would lose up to
> two (2) years of emails in a crash. Jim Bell
> [article follows]

I'm sure they'd be able to find backups in a serverfarm in Utah, eh?

--
Regards
rysiek

P.S. Originally sent just to Jim, due to a keyboard SNAFU.

From rysiek at hackerspace.pl Sun Jun 15 13:22:01 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Sun, 15 Jun 2014 22:22:01 +0200
Subject: Amazing NSA excuse
In-Reply-To: <20140615164701.000060c9@unknown>
References: <1402642573.28065.YahooMailNeo@web126204.mail.ne1.yahoo.com> <20140615164701.000060c9@unknown>
Message-ID: <19241935.PNfpNnN5Yf@lapuntu>

On Sunday, 15 June 2014 16:47:01 Juan wrote:
> On Sat, 14 Jun 2014 21:42:16 -0400
>
> grarpamp wrote:
> > Politically?
> >
> > I've been told that voting, letter writing, calling, visiting,
> > funding, running for office [1], and all manner of other civic and
> > civil participation works, across all areas public and private.
>
> If that's what you've been told, then you need to stop
> listening to people who don't know the ABC of political theory

From the perspective of a person deeply involved in the anti-ACTA process in the EU[1][2], and having come to conclusions that are compatible with what grarpamp "has been told", I would like to thank you for enlightening us so insightfully and verbosely. The power of your arguments combined with the clarity of your delivery are truly magnificent.
No, please, no need for any more concrete information, I think we can all agree that at this point it would be hard to not be convinced to what you so skilfully put forward.

[1] http://rys.io/en/59
[2] http://rys.io/en/70

--
Regards
rysiek

From rysiek at hackerspace.pl Sun Jun 15 13:34:34 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Sun, 15 Jun 2014 22:34:34 +0200
Subject: Fw: Lois Lerner's conveeeeeeeeeeniently-lost emails.
In-Reply-To: <1402860543.47927.YahooMailNeo@web126204.mail.ne1.yahoo.com>
References: <1402814887.32476.YahooMailNeo@web126202.mail.ne1.yahoo.com> <1402860045.13208.YahooMailNeo@web126203.mail.ne1.yahoo.com> <1402860543.47927.YahooMailNeo@web126204.mail.ne1.yahoo.com>
Message-ID: <1512285.pUK8ziohtv@lapuntu>

On Sunday, 15 June 2014 12:29:03 jim bell wrote:
> Somebody reminded me...
>
> >> Note: I wonder what kind of email system would be: 1. Used by the
> >> Federal Government. 2. NOT be regularly backed-up. 3. Would lose up to
> >> two (2) years of emails in a crash. Jim Bell
> >> [article follows]
> >
> >I'm sure they'd be able to find backups in a serverfarm in Utah, eh?
>
> Excellent point! Although, that Utah operation might not have been
> functioning in 2011. But presumably the NSA had a smaller operation
> somewhere else prior to that. So, who wants to REMIND the prosecutors in
> IRS-gate that somebody else has these emails?

That would be a great "unstoppable force -- please meet immovable object" moment, I think. Fun to watch. Very popcorn-worthy.

> Maybe the future for the NSA will be as a type of
> "super-backwards-Carbonite" operation? But instead of, "Pay us money and
> we'll back up your emails", it'll be, "Pay us money and we WON'T back up
> your emails"!!!

A rock-solid business model, I give you that!
;)

--
Regards
rysiek

From rysiek at hackerspace.pl Sun Jun 15 15:37:23 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Mon, 16 Jun 2014 00:37:23 +0200
Subject: Amazing NSA excuse
In-Reply-To: <20140615185136.00005978@unknown>
References: <1402642573.28065.YahooMailNeo@web126204.mail.ne1.yahoo.com> <19241935.PNfpNnN5Yf@lapuntu> <20140615185136.00005978@unknown>
Message-ID: <6769200.xWRNA1bpxd@lapuntu>

On Sunday, 15 June 2014 18:51:36 Juan wrote:
> On Sun, 15 Jun 2014 22:22:01 +0200
>
> rysiek wrote:
> > On Sunday, 15 June 2014 16:47:01 Juan wrote:
> > > On Sat, 14 Jun 2014 21:42:16 -0400
> > >
> > > grarpamp wrote:
> > > > Politically?
> > > >
> > > > I've been told that voting, letter writing, calling, visiting,
> > > > funding, running for office [1], and all manner of other civic and
> > > > civil participation works, across all areas public and private.
> > >
> > > If that's what you've been told, then you need to stop
> > > listening to people who don't know the ABC of political theory
> >
> > From the perspective of a person deeply involved in the anti-ACTA
> > process in the EU[1][2], and having come to conclusions that are
> > compatible with what grarpamp "has been told", I would like to thank
> > you for enlightening us so insightfully and verbosely. The power of
> > your arguments combined with the clarity of your delivery are truly
> > magnificent.
>
> Too bad I simply stated a fact.

Well, actually, you haven't really stated anything. You just said "grarpamp, you're wrong", without saying anything about in what manner he supposedly is wrong, and why you think he is wrong.

> Your sarcasm is out of place and the joke is on you.
>
> I suggest that you, too, get to the core of political
> theory...and practice

See, the problem is not that we disagree, the problem is that so far you haven't really said anything. grarpamp stipulated that "X" works, or so he has heard, you said "nope" and neither of you offered any support.

I can find some support for grarpamp's stipulation in my own practice and history, and while I appreciate your smirk cynicism, saying "read political theory" is simply not enough of an argument.

Not to mention, neither I nor grarpamp said anything on what is the exact mechanism of how civil participation works. For instance, I would be the first to admit that it's not a silver bullet and I'm far from the naïve, idealistic view of "politicians really listen to what we write"; rather, usually, it's a game of interests, and sometimes -- like during the ACTA crisis in EU -- public involvement can be just the straw that's needed to change something.

> > No, please, no need for any more concrete information, I think we can
> > all agree that at this point it would be hard to not be convinced to
> > what you so skilfully put forward.
>
> bla bla bla - sign some useless petition to your masters, play
> the politicians' game. Fancy that you are an oh so great
> activist.

And your solution instead is what exactly? "Nah, sit on yer arse, nothing's gonna change"? That sounds familiar:
http://rys.io/en/112

I am really curious as to what exactly is your reason to even write such e-mails? If you know of a better solution, why not share? If there is no solution you can see, at all, why not get on with your life of bliss and not-giving-a-fsck? Surely, if civil participation can't do shit, your e-mail to this list can do even less!

--
Regards
rysiek

From alfiej at fastmail.fm Sun Jun 15 14:15:34 2014
From: alfiej at fastmail.fm (Alfie John)
Date: Mon, 16 Jun 2014 09:15:34 +1200
Subject: Lois Lerner's conveeeeeeeeeeniently-lost emails.
In-Reply-To: <1402814887.32476.YahooMailNeo@web126202.mail.ne1.yahoo.com>
References: <1402814887.32476.YahooMailNeo@web126202.mail.ne1.yahoo.com>
Message-ID: <1402866934.14138.129051973.0D557B6E@webmail.messagingengine.com>

All of the comments so far are playing into the red herring of the technical issues of email backups. You're forgetting that losing email access is now modus operandi to stonewalling investigations:

- http://en.wikipedia.org/wiki/Bush_White_House_email_controversy
- http://www.propublica.org/article/nsa-says-it-cant-search-own-emails

What people should be talking about instead is the drafting of a bill for record retention following the requirements of Sarbanes–Oxley, specifically for government communications to be used in criminal investigations against the government.

To be explicit, all government communications should be duplicated into a read-only archive and kept there for at minimum seven years. And to borrow from a now well-known NSA program, an XKEYSCORE system should be developed where criminal investigators can use "selectors" to target people and keywords. The government shouldn't be worried if they have nothing to hide.

Alfie

On Sun, Jun 15, 2014, at 06:48 PM, jim bell wrote:
> Note: I wonder what kind of email system would be: 1. Used by the
> Federal Government. 2. NOT be regularly backed-up. 3. Would lose up
> to two (2) years of emails in a crash.
> Jim Bell
> [article follows]
>
> http://news.yahoo.com/lawmakers-fume-over-lost-emails-irs-probe-080830845--politics.html
>
> WASHINGTON (AP) — Congressional investigators are fuming over revelations
> that the Internal Revenue Service has lost a trove of emails to and from
> a central figure in the agency's tea party controversy.
> The IRS said Lois Lerner's computer crashed in 2011, wiping out an untold
> number of emails that were being sought by congressional investigators.
> The investigators want to see all of Lerner's emails from 2009 to 2013 as
> part of their probe into the way agents handled applications for
> tax-exempt status by tea party and other conservative groups.
> Lerner headed the IRS division that processes applications for tax-exempt
> status. The IRS acknowledged last year that agents had improperly
> scrutinized applications by some conservative groups.
> "Do they really expect the American people to believe that, after having
> withheld these emails for a year, they're just now realizing the most
> critical time period is missing?" said Rep. Darrell Issa, R-Calif.,
> chairman of the House Oversight Committee. "If there wasn't nefarious
> conduct that went much higher than Lois Lerner in the IRS targeting
> scandal, why are they playing these games?"
> The Oversight Committee is one of three congressional committees
> investigating the IRS over its handling of tea party applications from
> 2010 to 2012. The Justice Department and the IRS inspector general are
> also investigating.
> Congressional investigators have shown that IRS officials in Washington
> were closely involved in the handling of tea party applications, many of
> which languished for more than a year without action. But so far, they
> have not publicly produced evidence that anyone outside the agency
> directed the targeting or even knew about it.
> If anyone in the Obama administration outside the agency was involved,
> investigators were hoping for clues in Lerner's emails.
> "The fact that I am just learning about this, over a year into the
> investigation, is completely unacceptable and now calls into question the
> credibility of the IRS' response to congressional inquiries," said Rep.
> Dave Camp, R-Mich., chairman of the House Ways and Means Committee.
> "There needs to be an immediate investigation and forensic audit by
> Department of Justice as well as the inspector general."
> The IRS said technicians went to great lengths trying to recover data
> from Lerner's computer in 2011. In emails provided by the IRS,
> technicians said they sent the computer to a forensic lab run by the
> agency's criminal investigations unit. But to no avail.
> The IRS was able to generate 24,000 Lerner emails from the 2009 to 2011
> because Lerner had copied in other IRS employees. The agency said it
> pieced together the emails from the computers of 82 other IRS employees.
> But an untold number are gone. Camp's office said the missing emails are
> mainly ones to and from people outside the IRS, "such as the White House,
> Treasury, Department of Justice, FEC, or Democrat offices."
> Anti-tax advocate Grover Norquist called the episode "the worst attempt
> to blame technology in service of a cover-up since the infamous 18-minute
> gap" in former President Richard Nixon's Watergate tapes.
> The IRS said in a statement that more than 250 IRS employees have been
> working to assist congressional investigations, spending nearly $10
> million to produce more than 750,000 documents.
> Overall, the IRS said it is producing a total of 67,000 emails to and
> from Lerner, covering the period from 2009 to 2013.
> "The IRS is committed to working with Congress," the IRS said in a
> statement. "The IRS has remained focused on being thorough and responding
> as quickly as possible to the wide-ranging requests from Congress while
> taking steps to protect underlying taxpayer information."
> Sen. Orrin Hatch of Utah, the top Republican on the Senate Finance
> Committee, called Friday's disclosure "an outrageous impediment" to the
> committee's investigation.
> "Even more egregious is the fact we are learning about this a full year
> after our initial request to provide the committee with any and all
> documents relating to our investigation," Hatch said.
> Lerner has emerged as a key figure in the tea party probe. In May 2013,
> she was the first IRS official to publicly acknowledge that agents had
> improperly scrutinized applications.
> About two weeks later, Lerner was subpoenaed to testify at a
> congressional hearing. But after making a brief statement in which she
> said she had done nothing wrong, Lerner refused to answer questions,
> invoking her constitutional right against self-incrimination.
> The IRS placed Lerner on administrative leave shortly after the
> congressional hearing. She retired last fall.
> In May, the House voted to hold Lerner in contempt of Congress. Her case
> has been turned over to the U.S. attorney for the District of Columbia.

--
Alfie John
alfiej at fastmail.fm

From rysiek at hackerspace.pl Mon Jun 16 00:55:20 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Mon, 16 Jun 2014 09:55:20 +0200
Subject: Amazing NSA excuse
In-Reply-To:
References: <1402642573.28065.YahooMailNeo@web126204.mail.ne1.yahoo.com> <6769200.xWRNA1bpxd@lapuntu>
Message-ID: <1760892.A05dsCBiM4@lapuntu>

On Sunday, 15 June 2014 21:33:16 grarpamp wrote:
> On Sun, Jun 15, 2014 at 6:37 PM, rysiek wrote:
> >> these fucks are playing a dirty game... how best to curtail?
> >
> > And your solution instead is what exactly? "Nah, sit on yer arse,
> > nothing's gonna change"? That sounds familiar:
> Speaking of arse, I've heard this works too...
>
> https://www.youtube.com/watch?v=lEOOZDbMrgE

I prefer this version though:
https://www.youtube.com/watch?v=d6wRkzCW5qI

--
Regards
rysiek

From juan.g71 at gmail.com Mon Jun 16 12:00:39 2014
From: juan.g71 at gmail.com (Juan)
Date: Mon, 16 Jun 2014 16:00:39 -0300
Subject: Amazing NSA excuse
In-Reply-To: <6769200.xWRNA1bpxd@lapuntu>
References: <1402642573.28065.YahooMailNeo@web126204.mail.ne1.yahoo.com> <19241935.PNfpNnN5Yf@lapuntu> <20140615185136.00005978@unknown> <6769200.xWRNA1bpxd@lapuntu>
Message-ID: <20140616160039.00006570@unknown>

On Mon, 16 Jun 2014 00:37:23 +0200
rysiek wrote:

> > Too bad I simply stated a fact.
>
> Well, actually, you haven't really stated anything. You just said
> "grarpamp, you're wrong",

And that, indeed, is a statement. Grarpamp said he was told pigs fly. I replied "what you've been told is wrong". <---statement.

> without saying anything about in what
> manner he supposedly is wrong, and why you think he is wrong.

You are right. I didn't provide any further comment. Just like grarpamp did =).

Now, as far as I can tell, grarpamp's statement is meant as irony. He isn't just saying that writing letters to politicians 'works' - he's saying it in a particular way which underscores the message. By saying "Oh, I was told this works", he actually means "this definitely works and only idiots would doubt it"

>
> > Your sarcasm is out of place and the joke is on you.
> >
> > I suggest that you, too, get to the core of political
> > theory...and practice
>
> See, the problem is not that we disagree, the problem is that so far
> you haven't really said anything. grarpamp stipulated that "X" works,
> or so he has heard, you said "nope" and neither of you offered any
> support.

Again, he just basically stated a falsehood, and 'supported' it by hearsay, if we assume he wasn't being ironic. Either way, irony or not, he made an unsupported and mostly wrong assertion. I replied with an unsupported but correct assertion.
>
> I can find some support for grarpamp's stipulation in my own practice
> and history, and while I appreciate your smirk cynicism, saying "read
> political theory" is simply not enough of an argument.
>

Except I didn't mean it as an argument.

> Not to mention, neither I nor grarpamp said anything on what is the
> exact mechanism of how civil participation works.

> For instance, I
> would be the first to admit that it's not a silver bullet and I'm far
> from the naïve, idealistic view of "politicians really listen to what
> we write"; rather, usually, it's a game of interests, and sometimes
> -- like during the ACTA crisis in EU -- public involvement can be
> just the straw that's needed to change something.

Ah, OK. I can agree with that. But your position strikes me as rather different from what grarpamp said. Whereas you're saying that some kind of public involvement *can* work, and you are correctly noting the nature of the political system (corrupt by design), grarpamp did nothing of the sort.

>
> > > No, please, no need for any more concrete information, I think we
> > > can all agree that at this point it would be hard to not be
> > > convinced to what you so skilfully put forward.
> >
> > bla bla bla - sign some useless petition to your masters,
> > play the politicians' game. Fancy that you are an oh so great
> > activist.
>
> And your solution instead is what exactly? "Nah, sit on yer arse,
> nothing's gonna change"? That sounds familiar:

I didn't say "nothing's gonna change". But I'll say it now: nothing is going to change IF you use the 'democratic tools' given to us serfs by the 'democratic masters'.

If public involvement means rioting and killing state personnel, then we are talking. If public involvement means taking money from the pentagon to create an 'anonymity network' to spy on "the west's enemies", then public involvement is a bad joke. Counterproductive. Or exactly what the powers that be want.
> http://rys.io/en/112
>
> I am really curious as to what exactly is your reason to even write
> such e-mails?

Well, at the very least, to correct people like grarpamps, and any other people who either support the american government in particular, or support the fuckingly stupid and criminal idea of "good government" and "good politicians" in general.

I would have thought that preaching anarchy in this list would be preaching to the choir, but I am not so sure that's the case now.

> If you know of a better solution, why not share? If
> there is no solution you can see, at all, why not get on with your
> life of bliss and not-giving-a-fsck? Surely, if civil participation
> can't do shit, your e-mail to this list can do even less!
>

Except I didn't say that civil participation can't do shit. I objected to the particular kind of civil participation that grarpamp suggested. Did he, for instance write "I was told civil DISOBEDIENCE works"? and then I shot down his assertion? Nope...

From grarpamp at gmail.com Mon Jun 16 15:49:25 2014
From: grarpamp at gmail.com (grarpamp)
Date: Mon, 16 Jun 2014 18:49:25 -0400
Subject: Amazing NSA excuse
In-Reply-To: <20140616160039.00006570@unknown>
References: <1402642573.28065.YahooMailNeo@web126204.mail.ne1.yahoo.com> <19241935.PNfpNnN5Yf@lapuntu> <20140615185136.00005978@unknown> <6769200.xWRNA1bpxd@lapuntu> <20140616160039.00006570@unknown>
Message-ID:

On Mon, Jun 16, 2014 at 3:00 PM, Juan wrote:
> On Mon, 16 Jun 2014 00:37:23 +0200
> rysiek wrote:
> And that, indeed, is a statement. Grarpamp said he was told
> pigs fly. I replied "what you've been told is wrong".

I have indeed been told pigs can fly.
I laugh and say they need bigger ears.
Yet I'm sure the three of us could get
together someday, smoke some peyote, and
discover the real state of affairs regarding
these pigs. Until then... to flight!

From juan.g71 at gmail.com Mon Jun 16 18:52:50 2014
From: juan.g71 at gmail.com (Juan)
Date: Mon, 16 Jun 2014 22:52:50 -0300
Subject: Amazing NSA excuse
In-Reply-To:
References: <1402642573.28065.YahooMailNeo@web126204.mail.ne1.yahoo.com> <19241935.PNfpNnN5Yf@lapuntu> <20140615185136.00005978@unknown> <6769200.xWRNA1bpxd@lapuntu> <20140616160039.00006570@unknown>
Message-ID: <20140616225250.00005c2a@unknown>

On Mon, 16 Jun 2014 18:49:25 -0400
grarpamp wrote:

> On Mon, Jun 16, 2014 at 3:00 PM, Juan wrote:
> > On Mon, 16 Jun 2014 00:37:23 +0200
> > rysiek wrote:
> > And that, indeed, is a statement. Grarpamp said he was told
> > pigs fly. I replied "what you've been told is wrong".
>
> I have indeed been told pigs can fly.
> I laugh and say they need bigger ears.
> Yet I'm sure the three of us could get
> together someday, smoke some peyote, and
> discover the real state of affairs regarding
> these pigs. Until then... to flight!
>

Cheers ^-^

From scott at sbce.org Tue Jun 17 09:21:12 2014
From: scott at sbce.org (Scott Blaydes)
Date: Tue, 17 Jun 2014 11:21:12 -0500
Subject: Tor DNSBL
In-Reply-To: <20140616225250.00005c2a@unknown>
References: <1402642573.28065.YahooMailNeo@web126204.mail.ne1.yahoo.com> <19241935.PNfpNnN5Yf@lapuntu> <20140615185136.00005978@unknown> <6769200.xWRNA1bpxd@lapuntu> <20140616160039.00006570@unknown> <20140616225250.00005c2a@unknown>
Message-ID: <064DD534-C7B7-4943-9C0E-A94B617A6CFF@sbce.org>

Started running a Tor relay node yesterday and found myself on the DAN TOR DNS Blacklist. Just wondered if anyone else running a node had any issues with email while running a relay node on the same server?

I figured this crowd was probably experienced in running Tor nodes, so hope you don’t mind me asking.

Thank you,
Scott Blaydes

From scott at sbce.org Tue Jun 17 10:01:28 2014
From: scott at sbce.org (Scott Blaydes)
Date: Tue, 17 Jun 2014 12:01:28 -0500
Subject: Tor DNSBL
In-Reply-To: <53A0705B.9080601@c3l.lu>
References: <1402642573.28065.YahooMailNeo@web126204.mail.ne1.yahoo.com> <19241935.PNfpNnN5Yf@lapuntu> <20140615185136.00005978@unknown> <6769200.xWRNA1bpxd@lapuntu> <20140616160039.00006570@unknown> <20140616225250.00005c2a@unknown> <064DD534-C7B7-4943-9C0E-A94B617A6CFF@sbce.org> <53A0705B.9080601@c3l.lu>
Message-ID: <22000F8C-6998-4542-B70B-E3E864101C2C@sbce.org>

On Jun 17, 2014, at 11:44 AM, Tyler Durden wrote:

> Hi
>
> I'm one from "Frenn vun der Enn" a Torservers.net partner organisation.
> If you run a Tor exit on your own server (which you use for other stuff) it won't take long to get yourself blacklisted.
> We recommend to put the node on another server or to change your exit node to a relay or bridge.
>

I am running a relay only node, so the issues with an exit node shouldn’t get me. It looks like this list pulled the server via the Nickname field in the Tor config.

Do you have problems on the relay only nodes?

> Greetings
>
> On 2014-06-17 18:21, Scott Blaydes wrote:
> > Started running a Tor relay node yesterday and found myself on the DAN TOR DNS Blacklist. Just wondered if anyone else running a node had any issues with email while running a relay node on the same server?
> >
> > I figured this crowd was probably experienced in running Tor nodes, so hope you don’t mind me asking.
> >
> > Thank you,
> > Scott Blaydes

From grarpamp at gmail.com Tue Jun 17 12:19:40 2014
From: grarpamp at gmail.com (grarpamp)
Date: Tue, 17 Jun 2014 15:19:40 -0400
Subject: Tor DNSBL
In-Reply-To: <064DD534-C7B7-4943-9C0E-A94B617A6CFF@sbce.org>
References: <1402642573.28065.YahooMailNeo@web126204.mail.ne1.yahoo.com> <19241935.PNfpNnN5Yf@lapuntu> <20140615185136.00005978@unknown> <6769200.xWRNA1bpxd@lapuntu> <20140616160039.00006570@unknown> <20140616225250.00005c2a@unknown> <064DD534-C7B7-4943-9C0E-A94B617A6CFF@sbce.org>
Message-ID:

On Tue, Jun 17, 2014 at 12:21 PM, Scott Blaydes wrote:
> while running a relay node on the same server?

Yes, a relay IP can expect all manner of blockage, or none at all, even for non-exit relays [which is dumb, but true]. It depends on what the far end is doing. Best practice is to run the relay on its own IP.

https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays

From virii at c3l.lu Tue Jun 17 09:44:11 2014
From: virii at c3l.lu (Tyler Durden)
Date: Tue, 17 Jun 2014 18:44:11 +0200
Subject: Tor DNSBL
In-Reply-To: <064DD534-C7B7-4943-9C0E-A94B617A6CFF@sbce.org>
References: <1402642573.28065.YahooMailNeo@web126204.mail.ne1.yahoo.com> <19241935.PNfpNnN5Yf@lapuntu> <20140615185136.00005978@unknown> <6769200.xWRNA1bpxd@lapuntu> <20140616160039.00006570@unknown> <20140616225250.00005c2a@unknown> <064DD534-C7B7-4943-9C0E-A94B617A6CFF@sbce.org>
Message-ID: <53A0705B.9080601@c3l.lu>

Hi

I'm one from "Frenn vun der Enn" a Torservers.net partner organisation.
If you run a Tor exit on your own server (which you use for other stuff) it won't take long to get yourself blacklisted.
We recommend to put the node on another server or to change your exit node to a relay or bridge.

Greetings

On 2014-06-17 18:21, Scott Blaydes wrote:
>
> Started running a Tor relay node yesterday and found myself on the DAN TOR DNS Blacklist.
> Just wondered if anyone else running a node had any issues with email while running a relay node on the same server?
>
> I figured this crowd was probably experienced in running Tor nodes, so hope you don’t mind me asking.
>
> Thank you,
> Scott Blaydes

From dan at geer.org Tue Jun 17 16:16:43 2014
From: dan at geer.org (dan at geer.org)
Date: Tue, 17 Jun 2014 19:16:43 -0400
Subject: Fw: Lois Lerner's conveeeeeeeeeeniently-lost emails.
In-Reply-To: Your message of "Sun, 15 Jun 2014 12:29:03 PDT." <1402860543.47927.YahooMailNeo@web126204.mail.ne1.yahoo.com>
Message-ID: <20140617231643.369AD2280DC@palinka.tinho.net>

so conveeeeeeeeeeeenient that one can only recall that

"Some circumstantial evidence is very strong, as when you find a trout in the milk."
H.D. Thoreau

From odinn.cyberguerrilla at riseup.net Tue Jun 17 19:42:25 2014
From: odinn.cyberguerrilla at riseup.net (Odinn Cyberguerrilla)
Date: Tue, 17 Jun 2014 19:42:25 -0700
Subject: dm-crypt+LUKS
In-Reply-To: <53A0EC7C.6020208@dcon.com.br>
References: <53A0EC7C.6020208@dcon.com.br>
Message-ID: <9a086756fb479e378f6f2898ea4f8056.squirrel@fulvetta.riseup.net>

> Hey people,
>
> Could you give me your impressions about the use (only in Linux) of
> dm-crypt + LUKS instead of truecrypt?

The developers for Tails (https://tails.boum.org/) chose LUKS for Tails 1.0.1 ~ LUKS being a version of cryptsetup, using dm-crypt on backend. This is what you are suggesting to use I guess? I'd say the Tails developers made a good choice.

>
> For me there is no need to use my encrypted disks with OSX or Windows,
> so, due to the last movements of truecrypt, I am planning to move my
> encrypted disks from truecrypt to dm-crypt + LUKS.
>
> Do you see it as a bad decision, in terms of possible flaws in dm-crypt?

Not a bad decision at all.
Here is an excellent post about some reasonable options...
http://grugq.tumblr.com/post/60464139008/alternative-truecrypt-implementations

>
> Best Regards
>
> yap
>

From rysiek at hackerspace.pl Tue Jun 17 11:14:02 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Tue, 17 Jun 2014 20:14:02 +0200
Subject: Tor DNSBL
In-Reply-To: <22000F8C-6998-4542-B70B-E3E864101C2C@sbce.org>
References: <1402642573.28065.YahooMailNeo@web126204.mail.ne1.yahoo.com> <53A0705B.9080601@c3l.lu> <22000F8C-6998-4542-B70B-E3E864101C2C@sbce.org>
Message-ID: <2570955.EtANakARFk@lapuntu>

On Tuesday, 17 June 2014 12:01:28 Scott Blaydes wrote:
> On Jun 17, 2014, at 11:44 AM, Tyler Durden wrote:
> > Hi
> >
> > I'm one from "Frenn vun der Enn" a Torservers.net partner organisation.
> > If you run a Tor exit on your own server (which you use for other stuff)
> > it won't take long to get yourself blacklisted. We recommend to put the
> > node on another server or to change your exit node to a relay or bridge.
> I am running a relay only node, so the issues with an exit node shouldn’t
> get me. It looks like this list pulled the server via the Nickname field in
> the Tor config.
>
> Do you have problems on the relay only nodes?

I had problems with it some time ago -- lab I worked in was banned from editing Wikipedia by not logged-in users because of it.

Lately, one of large hosting providers shut down our server because we had a TOR hidden service running there (NOT a relay/bridge/exit node).

There is a lot of hate towards TOR. :/

--
Regards
rysiek

From damico at dcon.com.br Tue Jun 17 18:33:48 2014
From: damico at dcon.com.br (Jose Damico)
Date: Tue, 17 Jun 2014 22:33:48 -0300
Subject: dm-crypt+LUKS
Message-ID: <53A0EC7C.6020208@dcon.com.br>

Hey people,

Could you give me your impressions about the use (only in Linux) of dm-crypt + LUKS instead of truecrypt?

For me there is no need to use my encrypted disks with OSX or Windows, so, due to the last movements of truecrypt, I am planning to move my encrypted disks from truecrypt to dm-crypt + LUKS.

Do you see it as a bad decision, in terms of possible flaws in dm-crypt?

Best Regards

yap

From grarpamp at gmail.com Tue Jun 17 20:50:54 2014
From: grarpamp at gmail.com (grarpamp)
Date: Tue, 17 Jun 2014 23:50:54 -0400
Subject: Fwd: [Cryptography] bitcoins over the air
In-Reply-To:
References:
Message-ID:

---------- Forwarded message ----------
From: Sampo Syreeni
Date: Tue, Jun 17, 2014 at 8:59 PM
Subject: [Cryptography] bitcoins over the air
To: cryptography-list

In case people are interested in a project of a friend of mine, Joel Lehtonen (aka Zouppen) is on a fast track to implementing Bitcoin transaction and blockchain broadcast over the airwaves. Everything is half done, so he might need some help; at the same time that half-done then also includes half the funding, half the code, and half the negotiation with the Finnish monopoly DVB-T provider, Digita, to actually broadcast the stuff to a couple of million strong. Even if it's just a test, it's already well on its way to happening in a month or so; so it will.

If people are willing to chip in, especially with funding, deeper code knowhow, radio-fu, and the rest of the useful ones, do contact him, or me (aka decoy), on FB/G+/IRCNet/freenode, or better yet join #bitcoinradio on the latter.

In particular we don't have any idea of how to push transactions back towards the network over any sort of cheap-to-free, preferably universal radio path. If you do, even in a quilted fashion, we'd really like to know.
And since the only ones who're really allowed to experiment on them waves today are hams, those of you who possess that qualification, your input is in the direst of needs.

Finally, I hope this isn't too much off topic; it *is* about spreading a cryptocurrency and finding its optimal OTA protocols, after all. Not perhaps the most usual stuff on-list nowadays...but certainly the kind of across-the-board architectural stuff the list started out with, in the crypto days of yonder. I hope it fits.
--
Sampo Syreeni, aka decoy - decoy at iki.fi, http://decoy.iki.fi/front
+358-40-3255353, 025E D175 ABE5 027C 9494 EEB0 E090 8BA9 0509 85C2
_______________________________________________
The cryptography mailing list
cryptography at metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography

From list at sysfu.com Wed Jun 18 00:53:13 2014
From: list at sysfu.com (Seth)
Date: Wed, 18 Jun 2014 00:53:13 -0700
Subject: Tor DNSBL
Message-ID:

On Tue, 17 Jun 2014 09:21:12 -0700, Scott Blaydes wrote:
> Started running a Tor relay node yesterday and found myself on the DAN
> TOR DNS Blacklist. Just wondered if anyone else running a node had any
> issues with email while running a relay node on the same server?

Yes, I've had a handful of outbound emails bounce because of that stupid blacklist. (I run a Tor relay and mail server from home on the same public IP)

Guy running the blacklist won't even allow you to view his dumb-ass blacklist web page (https://www.dan.me.uk/dnsbl) from any Tor exit *or non-exit relay node* for that matter.

Which is just pure idiocy because it takes about 10 seconds to circumvent the block for anybody with two braincells to rub together. (ever heard of GOOGLE CACHE ya JACK-ASS?!!)

Just goes to show you the mindset of the person running the thing IMO.

As for inbound email to an IP running a Tor relay, I have had zero problems that I am aware of.
Just hit up mailgun or sendgrid for a free personal relay account or grab a cheap VPS to relay all your outbound mail through and you're golden.

--
Seth
Thank you for trimming your replies

From berciano at soydelbierzo.com Wed Jun 18 01:15:03 2014
From: berciano at soydelbierzo.com (Jorge SoydelBierzo)
Date: Wed, 18 Jun 2014 10:15:03 +0200
Subject: dm-crypt+LUKS
In-Reply-To: <53A0EC7C.6020208@dcon.com.br>
References: <53A0EC7C.6020208@dcon.com.br>
Message-ID:

I've been using it for a long time, now with the nuke option developed by Kali Linux team for cryptsetup

http://www.phoronix.com/scan.php?page=news_item&px=MTU2MjQ

On 18/06/2014 03:42, "Jose Damico" wrote:
> Hey people,
>
> Could you give me your impressions about the use (only in Linux) of dm-crypt + LUKS instead of truecrypt?
>
> For me there is no need to use my encrypted disks with OSX or Windows, so, due to the last movements of truecrypt, I am planning to move my encrypted disks from truecrypt to dm-crypt + LUKS.
>
> Did you see it as a bad decision, in terms of possible flaws in dm-crypt?
>
> Best Regards
>
> yap

From jamesdbell9 at yahoo.com Thu Jun 19 13:10:02 2014
From: jamesdbell9 at yahoo.com (jim bell)
Date: Thu, 19 Jun 2014 13:10:02 -0700
Subject: Tell a lie, remove the gear: How the NSA covers up when cable taps are found
Message-ID: <1403208602.64643.YahooMailNeo@web126202.mail.ne1.yahoo.com>

http://arstechnica.com/tech-policy/2014/06/tell-a-lie-remove-the-gear-how-the-nsa-covers-up-when-cable-taps-are-found/

Tell a lie, remove the gear: How the NSA covers up when cable taps are found

Get caught, remove the evidence, and come up with a plausible cover story.

by Nate Anderson - June 19 2014, 10:56am PDT

Der Spiegel via Edward Snowden via NSA

Sometimes, the spooks do get caught.
German magazine Der Spiegel yesterday revealed a new slide (PDF) from the Edward Snowden document cache that offers a tantalizing glimpse of what it looks like when someone stumbles on an intelligence agency cable tap.

The NSA's Special Source Operations (SSO) branch isn't in the business of computer hacking but of cable tapping; its logo shows an eagle flying above the globe and clutching a string of wires in its talons. These taps, each obscured with a codename, are often made deep within the network of telecom providers and often with the cooperation of key executives. But sometimes non-cleared people start raising questions about just what might be going on, as was the case with AT&T whistleblower Mark Klein, who revealed an NSA "secret room" in San Francisco.

On March 14, 2013, an SSO weekly briefing included a note regarding such a discovery. The unit had been informed two days earlier that "the access point for WHARPDRIVE was discovered by commercial consortium personnel. Witting partner personnel have removed the evidence and a plausible cover story was provided. All collection has ceased."

According to Der Spiegel, Wharpdrive was a fiber-optic cable tap (underseas fiber is often laid by consortia of companies, so it's possible this took place at an onshore landing point for such a cable). Employees from one of the companies involved—though not the company that had a relationship with NSA and the German intelligence agency BND—apparently noticed some unusual gear and commented on it. In response, the company involved with the NSA ("witting partner personnel") removed the tap and made up a story to explain what the gear in question had been doing.

Though the NSA lost access to Wharpdrive, it wasn't for long. Der Spiegel cites additional documents in its possession and says that "a team was quietly put together to reinstall the program."
From rysiek at hackerspace.pl Thu Jun 19 12:50:45 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Thu, 19 Jun 2014 21:50:45 +0200
Subject: dm-crypt+LUKS
In-Reply-To:
References: <53A0EC7C.6020208@dcon.com.br>
Message-ID: <1890591.XrNezZXXHb@lapuntu>

On Wednesday, 18 June 2014 10:15:03 Jorge SoydelBierzo wrote:
> I've been using it for a long time, now with the nuke option developed by Kali Linux team for cryptsetup
>
> http://www.phoronix.com/scan.php?page=news_item&px=MTU2MjQ

+1, a long-time happy user. It's also neatly integrated into all major Linux DEs out there, so you can have an encrypted external drive or pendrive, usable across different machines.

--
Regards
rysiek

From sandyinchina at gmail.com Thu Jun 19 19:02:35 2014
From: sandyinchina at gmail.com (Sandy Harris)
Date: Thu, 19 Jun 2014 22:02:35 -0400
Subject: Introduction to crypto
In-Reply-To:
References:
Message-ID:

Ankit Kulshrestha wrote:

> I'm new to the field of crypto and
> ... I'm working on developing secure embedded devices this summer

That's not a good combination.

From http://en.citizendium.org/wiki/Cryptography#Cryptography_is_difficult

" As for databases and real-time programming, cryptography looks deceptively simple. The basic ideas are indeed simple and almost any programmer can fairly easily implement something that handles straightforward cases. However, as in the other fields, there are also some quite tricky aspects to the problems and anyone who tackles the hard cases without both some study of relevant theory and considerable practical experience is almost certain to get it wrong. This is demonstrated far too often.

I'd say start with Ross Anderson's book.
The 1st edition is online & free:
http://www.cl.cam.ac.uk/~rja14/book.html
Either a bookstore or a university library should have the 2nd edition, which I'm told is even better.

From stephan.neuhaus at tik.ee.ethz.ch Thu Jun 19 23:08:23 2014
From: stephan.neuhaus at tik.ee.ethz.ch (Stephan Neuhaus)
Date: Fri, 20 Jun 2014 08:08:23 +0200
Subject: Introduction to crypto
In-Reply-To:
References:
Message-ID: <53A3CFD7.7060705@tik.ee.ethz.ch>

On 2014-06-20, 04:02, Sandy Harris wrote:
> I'd say start with Ross Anderson's book. The 1st edition is online & free:
> http://www.cl.cam.ac.uk/~rja14/book.html
> Either a bookstore or a university library should have the 2nd edition, which I'm told is even better.

Just a small correction, but the web page you linked to already has the SECOND edition online and for free. And yes, it IS lots better than the first edition.

Fun,

Stephan
--

From damico at dcon.com.br Fri Jun 20 06:58:30 2014
From: damico at dcon.com.br (Jose Damico)
Date: Fri, 20 Jun 2014 10:58:30 -0300
Subject: Ars Thecnica TrueCrypt Disinformation Article ???
Message-ID: <53A43E06.5080800@dcon.com.br>

This article from Ars (http://arstechnica.com/security/2014/06/following-truecrypts-bombshell-advisory-developer-says-fork-is-impossible/)

******
Following TrueCrypt’s bombshell advisory, developer says fork is “impossible”

TrueCrypt developer withholds permission, suggests "starting from scratch."
******

Seems to be a text inserted by some Intelligence Agency, as part of a disinformation agenda, with the aim of sowing fear in those who have an interest in forking TrueCrypt.

For me, there are no real facts demonstrated in the article. Also at end of the day, some organization or institution must claim the ownership of truecrypt in order to protect its interests over the source code. Am I right?

What do you think?
yap

From damico at dcon.com.br Fri Jun 20 08:14:10 2014
From: damico at dcon.com.br (Jose Damico)
Date: Fri, 20 Jun 2014 12:14:10 -0300
Subject: Ars Thecnica TrueCrypt Disinformation Article ???
In-Reply-To:
References: <53A43E06.5080800@dcon.com.br>
Message-ID: <53A44FC2.9080102@dcon.com.br>

Where can I read it?

I wrote about it 30 minutes ago on "cryptography at metzdowd.com"

:)

On 06/20/2014 12:08 PM, Александр wrote:
> I wrote about it 30 minutes ago on "cryptography at metzdowd.com"

From mrbits.dcf at gmail.com Fri Jun 20 09:03:26 2014
From: mrbits.dcf at gmail.com (MrBiTs)
Date: Fri, 20 Jun 2014 13:03:26 -0300
Subject: Keybase.io
Message-ID: <53A45B4E.7090405@gmail.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hello, guys

Keybase.io seems to be a great tool to create a true WoT. Is anybody in there? They are working with invitations.
CheerS

From jya at pipeline.com Fri Jun 20 10:15:10 2014
From: jya at pipeline.com (John Young)
Date: Fri, 20 Jun 2014 13:15:10 -0400
Subject: Assange
In-Reply-To:
References:
Message-ID:

Virtually nobody is not exploiting Assange for their own purposes. Kristinn Hrafnsson is among the media monsters, pro and con, creating and feeding a market for their derivative shallowness of Assange's fame.

Our latest derivative exploitation over eight years:

http://cryptome.org/2014/06/saluations-assange.htm

To be sure, Assange has derivatively exploited Cypherpunks since about 1995, naming a book, articles, talks, brags, after this collective as if his own.
That ownership, to be certain, is a given of this list as it should be everywhere to combat the thieves and spies of content, branded, marked up and marketed by way of centralizing media monstrosities.

Combat between cryptoarchists of centralized control and cryptoanarchists of distributed uncontrol will go on forever. Assange's fame and infame are being fought over by centralizers and decentralizers. Which way he will tip is his secret of controlling the tusslers as well as what he whispers to those he is fucking.

From cathalgarvey at cathalgarvey.me Fri Jun 20 09:09:00 2014
From: cathalgarvey at cathalgarvey.me (Cathal Garvey)
Date: Fri, 20 Jun 2014 17:09:00 +0100
Subject: Keybase.io
In-Reply-To: <53A45B4E.7090405@gmail.com>
References: <53A45B4E.7090405@gmail.com>
Message-ID: <53A45C9C.6030608@cathalgarvey.me>

I wouldn't say "true", I'd say "proto". In the end, you're still relying on a central point of trust, in this case Keybase, for a lot of the key distribution, but as a way to bootstrap a WoT that can outgrow Keybase I think it looks really promising.

I'm not one to shirk hackish solutions in favour of purity, because purity has barely worked in decades of PGP WoT building.

Speaking of Keybase, anyone got an invite? :)

On 20/06/14 17:03, MrBiTs wrote:
> Hello, guys
>
> Keybase.io seems to be a great tool to create a true WoT. Is anybody in there? They are working with invitations.
>
> CheerS

--
T: @onetruecathal, @IndieBBDNA
P: +353876363185
W: http://indiebiotech.com
From grarpamp at gmail.com Fri Jun 20 14:30:54 2014
From: grarpamp at gmail.com (grarpamp)
Date: Fri, 20 Jun 2014 17:30:54 -0400
Subject: [cryptography] How big a speedup through storage?
In-Reply-To: <0F05B86A-3533-46E2-BFB9-EF5FE1C3BDA2@goldmark.org>
References: <0F05B86A-3533-46E2-BFB9-EF5FE1C3BDA2@goldmark.org>
Message-ID:

On Fri, Jun 20, 2014 at 3:23 PM, Jeffrey Goldberg wrote:
> On 2014-06-19, at 10:42 PM, Lodewijk andré de la porte wrote:
>
>> With common algorithms, how much would a LOT of storage help?
>
> Well, with an unimaginable amount of storage it is possible to shave a few bits off of AES.
>
> As {Bogdanov, Andrey and Khovratovich, Dmitry and Rechberger, Christian} say in Biclique Cryptanalysis of the Full AES (ASIACRYPT 2011) [PDF at http://research.microsoft.com/en-us/projects/cryptanalysis/aesbc.pdf ]
>
> "This approach for 8-round AES-128 yields a key recovery with computational complexity about 2^125.34, data complexity 2^88, memory complexity 2^8, and success probability 1."
>
> It’s that 2^88 that requires a LOT of storage. I’m not sure if that 2^88 is in bits or AES blocks, but let’s assume bits. Facebook is said to store about 2^62 bits, so we are looking at something 2^26 times larger than Facebook’s data storage.

8 rounds, lot more to go.

>> I know this one organization that seems to be building an ominous observation storage facility,
>
> Any (reliable) estimates on how big?

I believe the square footage is public, if not guesstimate by parking spaces etc in JYA's sat photos. Then fill it to the brim with nothing but 6TB drives, less some space for racks, aisles, power, network at say 50% better density than industry best [1]. That's your physical upper bound.

$10M in drives at consumer pricing will get you a raw 177PB, or 236PB at double the space and power. Or $1B for 17EB. Budget is an issue.
Give it a shot on paper, best estimate wins...

[1] If all you care about is storage, you plug drives into tiny custom storage fabric asics and present giant block devices at the end of each row or room, not into bulky servers. Commodity CPU's have 64bit address space, ZFS covers that. Or go custom access/compute on your data as well.
http://en.wikipedia.org/wiki/ZFS#Capacity

From jya at pipeline.com Fri Jun 20 15:05:51 2014
From: jya at pipeline.com (John Young)
Date: Fri, 20 Jun 2014 18:05:51 -0400
Subject: Assange
In-Reply-To: <53A4A8CA.7080300@rayservers.net>
References: <53A4A8CA.7080300@rayservers.net>
Message-ID:

At 05:34 PM 6/20/2014, you wrote:

Thanks. Correction:

http://cryptome.org/2014/06/salutations-assange.htm

>Do you want a cup of *t* ?

From afalex169 at gmail.com Fri Jun 20 08:08:32 2014
From: afalex169 at gmail.com (=?UTF-8?B?INCQ0LvQtdC60YHQsNC90LTRgCA=?=)
Date: Fri, 20 Jun 2014 18:08:32 +0300
Subject: Ars Thecnica TrueCrypt Disinformation Article ???
In-Reply-To: <53A43E06.5080800@dcon.com.br>
References: <53A43E06.5080800@dcon.com.br>
Message-ID:

Exactly! I wrote about it 30 minutes ago on "cryptography at metzdowd.com"

> I wonder, why everybody assumes that this statement is from the actual developer of TrueCrypt?
>
> I guess, that the "bad guys" who wanted to kill the project, would be very happy to kill its fork too. So shouldn't we be a little bit more suspicious of statements that refer to the "dev" of TrueCrypt?
From guninski at guninski.com Fri Jun 20 08:10:19 2014
From: guninski at guninski.com (Georgi Guninski)
Date: Fri, 20 Jun 2014 18:10:19 +0300
Subject: Hackers reverse-engineer NSA spy kit using off-the-shelf parts
Message-ID: <20140620151019.GA2545@sivokote.iziade.m$>

http://www.theregister.co.uk/2014/06/19/hackers_reverseengineer_nsa_spying_devices_using_offtheshelf_parts/

Hackers reverse-engineer NSA spy kit using off-the-shelf parts

Link to http://www.nsaplayset.org/

From afalex169 at gmail.com Fri Jun 20 08:27:20 2014
From: afalex169 at gmail.com (=?UTF-8?B?INCQ0LvQtdC60YHQsNC90LTRgCA=?=)
Date: Fri, 20 Jun 2014 18:27:20 +0300
Subject: Ars Thecnica TrueCrypt Disinformation Article ???
In-Reply-To: <53A44FC2.9080102@dcon.com.br>
References: <53A43E06.5080800@dcon.com.br> <53A44FC2.9080102@dcon.com.br>
Message-ID:

Jose, it's a mailing list: http://www.metzdowd.com/mailman/listinfo/cryptography

From afalex169 at gmail.com Fri Jun 20 09:06:36 2014
From: afalex169 at gmail.com (=?UTF-8?B?INCQ0LvQtdC60YHQsNC90LTRgCA=?=)
Date: Fri, 20 Jun 2014 19:06:36 +0300
Subject: Assange
Message-ID:

http://rt.com/op-edge/167324-assange-wikileaks-human-rights/
http://rt.com/op-edge/163608-assange-god-lonely-man/

From felix at tribut.de Fri Jun 20 12:00:08 2014
From: felix at tribut.de (Felix Eckhofer)
Date: Fri, 20 Jun 2014 21:00:08 +0200
Subject: Keybase.io
In-Reply-To: <53A45B4E.7090405@gmail.com>
References: <53A45B4E.7090405@gmail.com>
Message-ID:

Hey.

On 20.06.2014 18:03, MrBiTs wrote:
> Keybase.io seems to be a great tool to create a true WoT. Is anybody in there?
> They are working with invitations.

Still have a handful of invites left. Just send me an email if you're interested.

felix

From carimachet at gmail.com Fri Jun 20 14:48:11 2014
From: carimachet at gmail.com (Cari Machet)
Date: Fri, 20 Jun 2014 21:48:11 +0000
Subject: Assange
In-Reply-To: <53A4A8CA.7080300@rayservers.net>
References: <53A4A8CA.7080300@rayservers.net>
Message-ID:

fuck the state in all its incarnations

'There is nothing like an accusation of rape when it comes to destroying a man's reputation and character. The accusation alone carries with it a mark of shame that can never be completely eradicated.' since when has this been a reality? - total crap

dear john wight please don't write about camus

On Fri, Jun 20, 2014 at 9:34 PM, beam wrote:

> Do you want a cup of *t* ?
>
> On 20/06/2014 19:15, John Young wrote:
> > Virtually nobody is not exploiting Assange for their own purposes. Kristinn Hrafnsson is among the media monsters, pro and con, creating and feeding a market for their derivative shallowness of Assange's fame.
> >
> > Our latest derivative exploitation over eight years:
> >
> > http://cryptome.org/2014/06/saluations-assange.htm
> >
> > To be sure, Assange has derivatively exploited Cypherpunks since about 1995, naming a book, articles, talks, brags, after this collective as if his own. That ownership, to be certain, is a given of this list as it should be everywhere to combat the thieves and spies of content, branded, marked up and marketed by way of centralizing media monstrosities.
> >
> > Combat between cryptoarchists of centralized control and cryptoanarchists of distributed uncontrol will go on forever. Assange's fame and infame are being fought over by centralizers and decentralizers. Which way he will tip is his secret of controlling the tusslers as well as what he whispers to those he is fucking.
--
Cari Machet
NYC 646-436-7795
carimachet at gmail.com
AIM carismachet
Syria +963-099 277 3243
Amman +962 077 636 9407
Berlin +49 152 11779219
Reykjavik +354 894 8650
Twitter: @carimachet

7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187

Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited.

From coderman at gmail.com Fri Jun 20 22:30:50 2014
From: coderman at gmail.com (coderman)
Date: Fri, 20 Jun 2014 22:30:50 -0700
Subject: Hackers reverse-engineer NSA spy kit using off-the-shelf parts
In-Reply-To: <20140620151019.GA2545@sivokote.iziade.m$>
References: <20140620151019.GA2545@sivokote.iziade.m$>
Message-ID:

On Fri, Jun 20, 2014 at 8:10 AM, Georgi Guninski wrote:
> http://www.theregister.co.uk/2014/06/19/hackers_reverseengineer_nsa_spying_devices_using_offtheshelf_parts/

my biased thoughts:

1. attacking like NSA means being in the middle. you can do this over various types of networks and protocols with very modest hardware; less than off-the-shelf. the key is position, not hardware brute strength. (i don't consider passive surveillance an attack - more like an operational reality ;)

2. scale and effectiveness are the dials that distinguish NSA attacks from other adversaries. scale in the sense they're pwning global networks as mandatory objective; DPI at terabits an interesting technical challenge by any measure.
and effectiveness in that tailored access and offensive espionage techniques combine into a platform where many-0day and fully automated attack sequences are shown to achieve objectives with regularity and totality that makes any offensive infosec analyst admire.

the hardware bits get exotic when dealing on fringe power levels, miniature scale, or algorithmic complexities outside the norm. these exotic hardware kits are by no means mandatory, nor the most interesting aspect of these systems. (okay, spygear always admittedly cool however impractical :)

best regards,

From coderman at gmail.com Fri Jun 20 22:35:59 2014
From: coderman at gmail.com (coderman)
Date: Fri, 20 Jun 2014 22:35:59 -0700
Subject: Fwd: [cryptography] [Cryptography] encrypting hard drives (was Re: Shredding a file on a flash-based file system?)
In-Reply-To:
References: <53A25FC7.5040105@connotech.com> <53A2E91B.8060802@av8n.com> <20140619134829.5d7bd14a@jabberwock.cb.piermont.com> <1403207567.1908.23.camel@excessive.dsl.static.sonic.net> <20140619160912.1de6acce@jabberwock.cb.piermont.com> <20140619201818.GA611@everywhere.office.omniti.com>
Message-ID:

---------- Forwarded message ----------
From: grarpamp
Date: Thu, Jun 19, 2014 at 2:27 PM
Subject: Re: [cryptography] [Cryptography] encrypting hard drives (was Re: Shredding a file on a flash-based file system?)

On Thu, Jun 19, 2014 at 4:18 PM, Dan McDonald wrote:
> ZFS crypto, closed-source thanks to Oracle, was supposed to address this problem. Its design was to apply crypto in the "ZIO" path, like it does for checksums. I've not used Oracle Solaris, but apparently ZFS crypto is in there and it supposedly works.

And as in the design papers/blogs, Oracle ZFS seems to have some data that is not encrypted that arguably should be.
https://blogs.oracle.com/darren/entry/zfs_encryption_what_is_on

> And let me state for people wondering, "Why isn't it in OpenZFS already?"

In the OpenZFS world, you deploy each OS's FDE underneath ZFS.
OpenZFS will likely add native encryption feature flag someday to satiate those who want per dataset keying, etc... but, thanks to Oracle, anything post zfs28/zpool5 might not end up interoperating.

https://en.wikipedia.org/wiki/ZFS
http://www.open-zfs.org/

From thefox21at at gmail.com Fri Jun 20 14:05:51 2014
From: thefox21at at gmail.com (Christian Mayer)
Date: Fri, 20 Jun 2014 23:05:51 +0200
Subject: Keybase.io
In-Reply-To: <53A45B4E.7090405@gmail.com>
References: <53A45B4E.7090405@gmail.com>
Message-ID:

Yes, they are working with invitations. But I wouldn't say that's a real WoT. You even can invite people you're not trusting. You can create a fake Twitter account, a fake GitHub account, ... that look real.

I still have 4 invites left. If you're interested send me an email.

On Fri, Jun 20, 2014 at 6:03 PM, MrBiTs wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Hello, guys
>
> Keybase.io seems to be a great tool to create a true WoT. Is anybody in there? They are working with invitations.
>
> CheerS

From beam at rayservers.net Fri Jun 20 14:34:02 2014
From: beam at rayservers.net (beam)
Date: Fri, 20 Jun 2014 23:34:02 +0200
Subject: Assange
In-Reply-To:
References:
Message-ID: <53A4A8CA.7080300@rayservers.net>

Do you want a cup of *t* ?

On 20/06/2014 19:15, John Young wrote:
> Virtually nobody is not exploiting Assange for their own purposes. Kristinn Hrafnsson is among the media monsters, pro and con, creating and feeding a market for their derivative shallowness of Assange's fame.
>
> Our latest derivative exploitation over eight years:
>
> http://cryptome.org/2014/06/saluations-assange.htm
>
> To be sure, Assange has derivatively exploited Cypherpunks since about 1995, naming a book, articles, talks, brags, after this collective as if his own.
> That ownership, to be certain, is a given of this list as it should be everywhere to combat the thieves and spies of content, branded, marked up and marketed by way of centralizing media monstrosities.
>
> Combat between cryptoarchists of centralized control and cryptoanarchists of distributed uncontrol will go on forever. Assange's fame and infame are being fought over by centralizers and decentralizers. Which way he will tip is his secret of controlling the tusslers as well as what he whispers to those he is fucking.

From gutemhc at gmail.com Fri Jun 20 19:34:32 2014
From: gutemhc at gmail.com (Gutem)
Date: Fri, 20 Jun 2014 23:34:32 -0300
Subject: Keybase.io
In-Reply-To:
References: <53A45B4E.7090405@gmail.com>
Message-ID:

I'm using it, but haven't any invites...

Regards,

- Gutem
-------------------------------------------------------------------------------------------
Registered Linux User: 562142
keybase.io/gutem

2014-06-20 18:05 GMT-03:00 Christian Mayer :

> Yes, they are working with invitations. But I wouldn't say that's a real WoT. You even can invite people you're not trusting. You can create a fake Twitter account, a fake GitHub account, ... that look real.
>
> I still have 4 invites left. If you're interested send me an email.
>
> On Fri, Jun 20, 2014 at 6:03 PM, MrBiTs wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Hello, guys
>>
>> Keybase.io seems to be a great tool to create a true WoT. Is anybody in there? They are working with invitations.
>>
>> CheerS

From beam at rayservers.net Fri Jun 20 15:39:12 2014
From: beam at rayservers.net (beam)
Date: Sat, 21 Jun 2014 00:39:12 +0200
Subject: Assange
In-Reply-To:
References: <53A4A8CA.7080300@rayservers.net>
Message-ID: <53A4B810.6080203@rayservers.net>

John posted the following link:

http://cryptome.org/2014/06/saluations-assange.htm

See *saluations*

Without a *t*

My little joke was not to your liking I guess.

Add a *t* between *u* and *a*

You will get the right link.

;)

On 20/06/2014 23:48, Cari Machet wrote:
> fuck the state in all its incarnations
>
> 'There is nothing like an accusation of rape when it comes to destroying a man's reputation and character. The accusation alone carries with it a mark of shame that can never be completely eradicated.'
> since when has this been a reality? - total crap
>
> dear john wight please don't write about camus
>
> On Fri, Jun 20, 2014 at 9:34 PM, beam wrote:
>
>> Do you want a cup of *t* ?
>>
>> On 20/06/2014 19:15, John Young wrote:
>>> Virtually nobody is not exploiting Assange for their own purposes. Kristinn Hrafnsson is among the media monsters, pro and con, creating and feeding a market for their derivative shallowness of Assange's fame.
>>>
>>> Our latest derivative exploitation over eight years:
>>>
>>> http://cryptome.org/2014/06/saluations-assange.htm
>>>
>>> To be sure, Assange has derivatively exploited Cypherpunks since about 1995, naming a book, articles, talks, brags, after this collective as if his own. That ownership, to be certain, is a given of this list as it should be everywhere to combat the thieves and spies of content, branded, marked up and marketed by way of centralizing media monstrosities.
>>>
>>> Combat between cryptoarchists of centralized control and cryptoanarchists of distributed uncontrol will go on forever. Assange's fame and infame are being fought over by centralizers and decentralizers. Which way he will tip is his secret of controlling the tusslers as well as what he whispers to those he is fucking.

From grarpamp at gmail.com Sat Jun 21 00:10:58 2014
From: grarpamp at gmail.com (grarpamp)
Date: Sat, 21 Jun 2014 03:10:58 -0400
Subject: [cryptography] How big a speedup through storage?
In-Reply-To: <39979738-2A03-4952-A714-4DB5D1EA4CA6@goldmark.org>
References: <0F05B86A-3533-46E2-BFB9-EF5FE1C3BDA2@goldmark.org> <39979738-2A03-4952-A714-4DB5D1EA4CA6@goldmark.org>
Message-ID:

On Fri, Jun 20, 2014 at 6:35 PM, Jeffrey Goldberg wrote:
> (I hope it is clear that I do not think of this as anything like a practical threat to AES.

Of course, 8 rounds at 2^unreachable is not practical.

> I had just remembered this paper, with its enormous data requirements when I saw original question.)

>>> Any (reliable) estimates on how big?
>
>> $10M in drives at consumer pricing will get you a raw 177PB, or 236PB at double the space and power. Or $1B for 17EB. Budget is an issue.
>
> As always, let’s go with the high estimate in the hands of the attacker. We are still far far short of the storage requirements for this particular attack (and all for less than a 2-bit gain).
>
> So I think that it is safe to say that all that data storage is not an attempt to use the particular attack I cited.

I meant as answer 'estimates on how big' question.

Take what we know about storage, figure in some good efficiencies for the 'storage only' case. And figure what can be bought and operated year on year per foot. You could hide/support $1B + $1B/year but $10B/yr would be hard given entire intel budget is $80B, or $50+B if you drop mil. So...

1) How big can you get within budget?
2) What can you do with it re: a) crypto, or b) otherwise?
https://en.wikipedia.org/wiki/United_States_intelligence_budget https://en.wikipedia.org/wiki/United_States_Intelligence_Community http://www.martingrandjean.ch/data-visualization-top-secret-us-intelligence-budget/ From grarpamp at gmail.com Sat Jun 21 00:18:34 2014 From: grarpamp at gmail.com (grarpamp) Date: Sat, 21 Jun 2014 03:18:34 -0400 Subject: Hackers reverse-engineer NSA spy kit using off-the-shelf parts In-Reply-To: References: <20140620151019.GA2545@sivokote.iziade.m$> Message-ID: On Sat, Jun 21, 2014 at 1:30 AM, coderman wrote: > On Fri, Jun 20, 2014 at 8:10 AM, Georgi Guninski wrote: >> http://www.theregister.co.uk/2014/06/19/hackers_reverseengineer_nsa_spying_devices_using_offtheshelf_parts/ > > my biased thoughts: > > 1. attacking like NSA means being in the middle. you can do this over > various types of networks and protocols with very modest hardware;. > less than off-the-shelf. the key is position, not hardware brute > strength. (i don't consider passive surveillance an attack - more like > an operational reality ;) http://yatebts.com/products.php http://home.ettus.com/ http://sdr.osmocom.org/trac/wiki/rtl-sdr From grarpamp at gmail.com Sat Jun 21 00:33:05 2014 From: grarpamp at gmail.com (grarpamp) Date: Sat, 21 Jun 2014 03:33:05 -0400 Subject: Keybase.io In-Reply-To: <53A52B28.9050200@riseup.net> References: <53A45B4E.7090405@gmail.com> <53A52B28.9050200@riseup.net> Message-ID: On Sat, Jun 21, 2014 at 2:50 AM, kossy wrote: > I have a few invites left. Message me if you are interested. Invites serve no purpose other than for the 'system' to link you to someone else. A farce upon the naive under the draw of temporarily achieving elite social status. No thanks, you can keep your invites. 
From adi at hexapodia.org Sat Jun 21 05:14:52 2014 From: adi at hexapodia.org (Andy Isaacson) Date: Sat, 21 Jun 2014 05:14:52 -0700 Subject: dm-crypt+LUKS In-Reply-To: <53A0EC7C.6020208@dcon.com.br> References: <53A0EC7C.6020208@dcon.com.br> Message-ID: <20140621121452.GP10586@hexapodia.org> On Tue, Jun 17, 2014 at 10:33:48PM -0300, Jose Damico wrote: > Could you give me your impressions about the use (only in Linux) of > dm-crypt + LUKS instead of truecrypt? > > For me there is no need to use my encrypted disks with OSX or Windows, > so, due the last movements of truecrypt, I am planning to move my > encrypted disks from truecrypt to dm-crypt + LUKS. The design and implementation of dm-crypt + LUKS appears to be solid. The code is well maintained and your use case is well supported by distributions and other software. I haven't given it a thorough audit but at least dm-crypt has avoided many of the OMG WTF bugs and design flaws that have plagued other disk encryption systems (looking at you, ecryptfs). -andy From kossy at riseup.net Fri Jun 20 23:50:16 2014 From: kossy at riseup.net (kossy) Date: Sat, 21 Jun 2014 06:50:16 +0000 Subject: Keybase.io In-Reply-To: <53A45B4E.7090405@gmail.com> References: <53A45B4E.7090405@gmail.com> Message-ID: <53A52B28.9050200@riseup.net> I have a few invites left. Message me if you are interested. From coderman at gmail.com Sun Jun 22 01:46:44 2014 From: coderman at gmail.com (coderman) Date: Sun, 22 Jun 2014 01:46:44 -0700 Subject: [cryptography] Stealthy Dopant-Level Hardware Trojans In-Reply-To: <20130913094924.GW10405@leitl.org> References: <20130913094924.GW10405@leitl.org> Message-ID: On Fri, Sep 13, 2013 at 2:49 AM, Eugen Leitl wrote: > ... > http://people.umass.edu/gbecker/BeckerChes13.pdf > > Stealthy Dopant-Level Hardware Trojans ?
> > Georg T. Becker1 this paper has disappeared from the net. any one have copies? (looking at you, JYA ;) [bonus points for backstory on the distribution woes] From coderman at gmail.com Sun Jun 22 02:49:03 2014 From: coderman at gmail.com (coderman) Date: Sun, 22 Jun 2014 02:49:03 -0700 Subject: [cryptography] Stealthy Dopant-Level Hardware Trojans In-Reply-To: <53A6A526.5060606@briarproject.org> References: <20130913094924.GW10405@leitl.org> <53A6A526.5060606@briarproject.org> Message-ID: On Sun, Jun 22, 2014 at 2:43 AM, Michael Rogers wrote: >... > http://www.emsec.rub.de/research/publications/Hardware-Trojans/ > ... > PhD students suck at maintaining their web pages. ah well, :) full URI to PDF for posterity: http://www.emsec.rub.de/media/crypto/veroeffentlichungen/2014/02/20/BeckerChes13.pdf thanks to al! best regards, From s at ctrlc.hu Sun Jun 22 02:05:33 2014 From: s at ctrlc.hu (stef) Date: Sun, 22 Jun 2014 11:05:33 +0200 Subject: [cryptography] Stealthy Dopant-Level Hardware Trojans In-Reply-To: References: <20130913094924.GW10405@leitl.org> Message-ID: <20140622090533.GB7889@ctrlc.hu> On Sun, Jun 22, 2014 at 01:46:44AM -0700, coderman wrote: > On Fri, Sep 13, 2013 at 2:49 AM, Eugen Leitl wrote: > > ... > > http://people.umass.edu/gbecker/BeckerChes13.pdf > > > > Stealthy Dopant-Level Hardware Trojans ? > > > > Georg T. Becker1 > > this paper has disappeared from the net. any one have copies? http://sgnsa2lp64l6v3l6.onion/BeckerChes13.pdf -- otr fp: https://www.ctrlc.hu/~stef/otr.txt From beam at rayservers.net Sun Jun 22 07:21:19 2014 From: beam at rayservers.net (beam) Date: Sun, 22 Jun 2014 16:21:19 +0200 Subject: [cryptography] Stealthy Dopant-Level Hardware Trojans In-Reply-To: References: <20130913094924.GW10405@leitl.org> Message-ID: <53A6E65F.5050504@rayservers.net> If I may, use the digital time capsule and you will get the file. On 22/06/2014 10:46, coderman wrote: > On Fri, Sep 13, 2013 at 2:49 AM, Eugen Leitl wrote: >> ... 
>> http://people.umass.edu/gbecker/BeckerChes13.pdf >> >> Stealthy Dopant-Level Hardware Trojans ? >> >> Georg T. Becker1 > > > this paper has disappeared from the net. any one have copies? > (looking at you, JYA ;) > > [bonus points for backstory on the distribution woes] > From rich at openwatch.net Mon Jun 23 10:06:08 2014 From: rich at openwatch.net (Rich Jones) Date: Mon, 23 Jun 2014 10:06:08 -0700 Subject: Cryptome down In-Reply-To: References: Message-ID: Cryptome and the mirror down again. On Wed, Jun 11, 2014 at 11:46 PM, Christian Mayer wrote: > Why was it down? > > > On Thu, Jun 12, 2014 at 12:29 AM, coderman wrote: > >> On Tue, Jun 10, 2014 at 1:52 PM, grarpamp wrote: >> > 403: Forbidden >> >> >> it's back now. >> >> ... and for future reference, you may check: >> https://twitter.com/Cryptomeorg >> http://cryptomeorg.siteprotect.net/ >> > > From jya at pipeline.com Mon Jun 23 10:22:37 2014 From: jya at pipeline.com (John Young) Date: Mon, 23 Jun 2014 13:22:37 -0400 Subject: Cryptome down In-Reply-To: References: Message-ID: NetSol discovered a single corrupt file, which has been removed. Should be active soon. At 01:06 PM 6/23/2014, you wrote: >Cryptome and the mirror down again. > > >On Wed, Jun 11, 2014 at 11:46 PM, Christian Mayer ><thefox21at at gmail.com> wrote: >Why was it down? > > >On Thu, Jun 12, 2014 at 12:29 AM, coderman ><coderman at gmail.com> wrote: >On Tue, Jun 10, 2014 at 1:52 PM, grarpamp ><grarpamp at gmail.com> wrote: > > 403: Forbidden > > >it's back now. > >...
and for future reference, you may check: >https://twitter.com/Cryptomeorg >http://cryptomeorg.siteprotect.net/ > > From drwho at virtadpt.net Mon Jun 23 13:35:33 2014 From: drwho at virtadpt.net (The Doctor) Date: Mon, 23 Jun 2014 13:35:33 -0700 Subject: [cryptography] Stealthy Dopant-Level Hardware Trojans In-Reply-To: References: <20130913094924.GW10405@leitl.org> Message-ID: <53A88F95.1090302@virtadpt.net> On 06/22/2014 01:46 AM, coderman wrote: > this paper has disappeared from the net. any one have copies? > (looking at you, JYA ;) Got a copy right here (note: link is behind a self-signed cert): https://drwho.virtadpt.net/files/BeckerChes13.pdf SHA-512: 58a92fe0bccbad8aacb9ca073836d43b9789426b3869f1f7630f73e0cdc4f967d64fc8b1e7b83b31d58a62e1b1cb6e8027ad0605d37675f79c3270e84270de65 -- The Doctor [412/724/301/703] [ZS] Developer, Project Byzantium: http://project-byzantium.org/ PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1 WWW: https://drwho.virtadpt.net/ Your sword has begun to glow very brightly.
From eric at konklone.com Mon Jun 23 11:05:00 2014 From: eric at konklone.com (Eric Mill) Date: Mon, 23 Jun 2014 14:05:00 -0400 Subject: Keybase.io In-Reply-To: <53A45C9C.6030608@cathalgarvey.me> References: <53A45B4E.7090405@gmail.com> <53A45C9C.6030608@cathalgarvey.me> Message-ID: On Fri, Jun 20, 2014 at 12:09 PM, Cathal Garvey < cathalgarvey at cathalgarvey.me> wrote: > I wouldn't say "true", I'd say "proto". In the end, you're still relying > on a central point of trust, in this case Keybase, for a lot of the key > distribution, but as a way to bootstrap a WoT that can outgrow Keybase I > think it looks really promising. I'm not one to shirk hackish solutions > in favour of purity, because purity has barely worked in decades of PGP > WoT building. > > Speaking of Keybase, anyone got an invite? :) > I've been very impressed with how Keybase has evolved, and how well they explain their model to users. It is without a doubt what I'd recommend to a semi- or un-technical user to get them started.
They have a walkthrough of their approach to security and threat models here: https://keybase.io/docs/server_security And they explain "tracking" in detail here: https://keybase.io/docs/tracking > > On 20/06/14 17:03, MrBiTs wrote: > > Hello, guys > > > > > > Keybase.io seems to be a great tool to create a true WoT. Is anybody in > there? They are working with invitations. > > > > CheerS > > > > > > -- > T: @onetruecathal, @IndieBBDNA > P: +353876363185 > W: http://indiebiotech.com > -- konklone.com | @konklone From mrbits.dcf at gmail.com Tue Jun 24 04:22:11 2014 From: mrbits.dcf at gmail.com (MrBiTs) Date: Tue, 24 Jun 2014 08:22:11 -0300 Subject: Keybase.io In-Reply-To: References: <53A45B4E.7090405@gmail.com> <53A45C9C.6030608@cathalgarvey.me> Message-ID: <53A95F63.8030104@gmail.com> > I've been very impressed with how Keybase has evolved, and how well they explain their model to users. It is without a doubt > what I'd recommend to a semi- or un-technical user to get them started. > > They have a walkthrough of their approach to security and threat models here: https://keybase.io/docs/server_security > > And they explain "tracking" in detail here: https://keybase.io/docs/tracking More than only create a great documentation, the wrapper they wrote in NodeJS abstracts GnuPG commands making it easy for any un-technical person to use cryptography constantly. Of course a little bit of paranoia is always good, and I don't agree with the idea to host my private keys in a server I don't control, even cyphered with a password, but I think it can solve the problem that users forget or lose their keys and our keychain remains with unusable, non-revoked keys.
CheerS -- echo 920680245503158263821824753325972325831728150312428342077412537729420364909318736253880971145983128276953696631956862757408858710644955909208239222408534030331747172248238293509539472164571738870818862971439246497991147436431430964603600458631758354381402352368220521740203494788796697543569807851284795072334480481413675418412856581412376640379241258356436205061541557366641602992820546646995466P | dc From mrbits.dcf at gmail.com Tue Jun 24 04:57:24 2014 From: mrbits.dcf at gmail.com (MrBiTs) Date: Tue, 24 Jun 2014 08:57:24 -0300 Subject: Keybase.io In-Reply-To: <53A960F8.30709@cathalgarvey.me> References: <53A45B4E.7090405@gmail.com> <53A45C9C.6030608@cathalgarvey.me> <53A95F63.8030104@gmail.com> <53A960F8.30709@cathalgarvey.me> Message-ID: <53A967A4.8000909@gmail.com> On 06/24/2014 08:28 AM, Cathal Garvey wrote: > Wait, do you *have* to keep your private keys in keybase? I thought it was mostly pubkey operations? > > I'm much more skeptical if they keep private keys, that's dark stuff.
Imagine how many private keys are protected with terrible > passwords, and what damage you could do to the WOT if you could just quietly crack enough keys in the WOT and use them to sign > a fraudulent cert? > You don't HAVE to, but they give this possibility. You can (if you want) store your private key in Keybase. They ask you to cypher your private key locally and send it to Keybase's servers. If you don't store your private key in its databases, you are unable to use some online services they offer, like to sign documents. You only will be able to do that using his NodeJS tool. But, your point is my point. I believe serious security professionals or people that understand the importance of cryptography first won't send the private keys for Keybase and, second, if they do, they will use a strong password. We never must forget http://xkcd.com/936/ But, we know average people use very weak passwords and only one password for everything. So, as I told, a little bit of paranoia is good, and this "feature" makes me believe a little less in Keybase, unfortunately. The main idea is pretty good and I'm trying to implement this culture in Brazil for a long time, but I use to say that ordinary people don't like computers: they like Skype, Facebook, Instagram... So, people don't care about privacy. If the same people see that movie about Assange, or read his book, or see the last news about privacy and Google and start to learn about cryptography, they will store private keys with lame passwords, and we'll have this fraudulent cert risk. In my opinion, nothing will replace a good key signature party, anyway.
-- echo 920680245503158263821824753325972325831728150312428342077412537729420364909318736253880971145983128276953696631956862757408858710644955909208239222408534030331747172248238293509539472164571738870818862971439246497991147436431430964603600458631758354381402352368220521740203494788796697543569807851284795072334480481413675418412856581412376640379241258356436205061541557366641602992820546646995466P | dc From drwho at virtadpt.net Tue Jun 24 10:18:22 2014 From: drwho at virtadpt.net (The Doctor) Date: Tue, 24 Jun 2014 10:18:22 -0700 Subject: Keybase.io In-Reply-To: <53A960F8.30709@cathalgarvey.me> References: <53A45B4E.7090405@gmail.com> <53A45C9C.6030608@cathalgarvey.me> <53A95F63.8030104@gmail.com> <53A960F8.30709@cathalgarvey.me> Message-ID: <53A9B2DE.9030400@virtadpt.net> On 06/24/2014 04:28 AM, Cathal Garvey wrote: > Wait, do you *have* to keep your private keys in keybase? I thought > it was mostly pubkey operations? You do not. keybase.io works just fine as a CLI app if you don't.
From the frontpage: "Keybase.io is also a Keybase client, however certain crypto actions (signing and decrypting) are limited to users who store client-encrypted copies of their private keys on the server, >>>an optional feature we didn't mention above<<<." keybase.io does an okay job of making some GPG commands easier to use and remember. At the very least it files a few of the rough edges off.
gpg -s -o something.gpg -r "bob at laundry.gov.uk" -e fooble.txt
vs
keybase encrypt bob -o something.gpg -s -m fooble.txt
It's got some pretty nasty warts of its own, though. For example, the user cannot encrypt to multiple recipients at this time (https://github.com/keybase/node-client/issues/152). It's a little slow on startup. The command to list your keybase.io keyring (which is distinct from the contents of ~/.gnupg/pubring.gpg) is highly unintuitive. It abstracts away fewer of the common GPG command line options than it seems. After playing around with it for a few weeks, I think that apps like gpg-crypter (http://gpg-crypter.sourceforge.net/) and GPG4win seem a little more intuitive for new users. -- The Doctor [412/724/301/703] [ZS] Developer, Project Byzantium: http://project-byzantium.org/ PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1 WWW: https://drwho.virtadpt.net/ "Maybe I'll be wantin' a bagel with my coffee.."
From drwho at virtadpt.net Tue Jun 24 10:21:48 2014 From: drwho at virtadpt.net (The Doctor) Date: Tue, 24 Jun 2014 10:21:48 -0700 Subject: Keybase.io In-Reply-To: <53A96BE9.4080709@cathalgarvey.me> References: <53A45B4E.7090405@gmail.com> <53A45C9C.6030608@cathalgarvey.me> <53A95F63.8030104@gmail.com> <53A960F8.30709@cathalgarvey.me> <53A967A4.8000909@gmail.com> <53A96BE9.4080709@cathalgarvey.me> Message-ID: <53A9B3AC.9080404@virtadpt.net> On 06/24/2014 05:15 AM, Cathal Garvey wrote: > The problem with Keybase is that the infrastructure they're based > upon, PGP/GPG, is probably not using modern key generation > algorithms by default for symmetric encryption of keys. So, how > many keys are This should be pretty easy to test. Anybody got a spare keybase.io invite that they're willing to burn for a test run? > not-entirely-trivial to crack. But keybase can't even enforce > that, because the PGP infrastructure is too legacy-laden. I have to agree with you on that.
-- The Doctor [412/724/301/703] [ZS] Developer, Project Byzantium: http://project-byzantium.org/ PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1 WWW: https://drwho.virtadpt.net/ "Gentlemen, you can't fight in here! This is the War Room!" --Merkin Muffley From cathalgarvey at cathalgarvey.me Tue Jun 24 04:28:56 2014 From: cathalgarvey at cathalgarvey.me (Cathal Garvey) Date: Tue, 24 Jun 2014 12:28:56 +0100 Subject: Keybase.io In-Reply-To: <53A95F63.8030104@gmail.com> References: <53A45B4E.7090405@gmail.com> <53A45C9C.6030608@cathalgarvey.me> <53A95F63.8030104@gmail.com> Message-ID: <53A960F8.30709@cathalgarvey.me> Wait, do you *have* to keep your private keys in keybase? I thought it was mostly pubkey operations? I'm much more skeptical if they keep private keys, that's dark stuff. Imagine how many private keys are protected with terrible passwords, and what damage you could do to the WOT if you could just quietly crack enough keys in the WOT and use them to sign a fraudulent cert? On 24/06/14 12:22, MrBiTs wrote: >> I've been very impressed with how Keybase has evolved, and how well they explain their model to users.
It is without a doubt >> what I'd recommend to a semi- or un-technical user to get them started. > >> They have a walkthrough of their approach to security and threat models here: https://keybase.io/docs/server_security > >> And they explain "tracking" in detail here: https://keybase.io/docs/tracking > > More than only create a great documentation, the wrapper they wrote in NodeJS abstracts GnuPG commands making it easy for any > un-technical person to use cryptography constantly. Of course a little bit of paranoia is always good, and I don't agree with the > idea to host my private keys in a server I don't control, even cyphered with a password, but I think it can solve the problem that > users forget or lose their keys and our keychain remains with unusable, non-revoked keys. > > CheerS > > -- T: @onetruecathal, @IndieBBDNA P: +353876363185 W: http://indiebiotech.com From cathalgarvey at cathalgarvey.me Tue Jun 24 05:15:37 2014 From: cathalgarvey at cathalgarvey.me (Cathal Garvey) Date: Tue, 24 Jun 2014 13:15:37 +0100 Subject: Keybase.io In-Reply-To: <53A967A4.8000909@gmail.com> References: <53A45B4E.7090405@gmail.com> <53A45C9C.6030608@cathalgarvey.me> <53A95F63.8030104@gmail.com> <53A960F8.30709@cathalgarvey.me> <53A967A4.8000909@gmail.com> Message-ID: <53A96BE9.4080709@cathalgarvey.me> > So, as I told, a little bit of paranoia is good, and this "feature" > makes me believe a little less in Keybase, unfortunately. The main > idea is pretty good and I'm trying to implement this culture in > Brazil for a long time, but I use to say that ordinary people don't > like computers: they like Skype, Facebook, Instagram...
So, people > don't care about privacy. If the same people see that movie about > Assange, or read his book, or see the last news about privacy and > Google and start to learn about cryptography, they will store private > keys with lame passwords, and we'll have this fraudulent > cert risk. I'm not against cloud-keys as long as they're encrypted, and I've thought of services that make use of cloud-stored keys in the past. But the critical ingredient to getting this right is CPU/RAM-hard key generating functions to make "bad" passwords "barely acceptable", and "userland" code that rejects stupid passwords entirely. Of course, hackers will be able to circumvent shitty-password-restrictions, but we hope that the band of people competent enough to circumvent password quality checks yet stupid enough to use a bad password is small. The problem with Keybase is that the infrastructure they're based upon, PGP/GPG, is probably not using modern key generation algorithms by default for symmetric encryption of keys. So, how many keys are encrypted using key algos that are easily cracked? If they were using hard keygen algos, then even bad-but-not-terrible passwords would be not-entirely-trivial to crack. But keybase can't even enforce that, because the PGP infrastructure is too legacy-laden. On 24/06/14 12:57, MrBiTs wrote: > On 06/24/2014 08:28 AM, Cathal Garvey wrote: >> Wait, do you *have* to keep your private keys in keybase? I >> thought it was mostly pubkey operations? > >> I'm much more skeptical if they keep private keys, that's dark >> stuff. Imagine how many private keys are protected with terrible >> passwords, and what damage you could do to the WOT if you could >> just quietly crack enough keys in the WOT and use them to sign a >> fraudulent cert? > > > You don't HAVE to, but they give this possibility. You can (if you > want) store your private key in Keybase. They ask you to cypher your > private key locally and send it to Keybase's servers.
If you don't > store your private key in its databases, you are unable to use some > online services they offer, like to sign documents. You only will be > able to do that using his NodeJS tool. But, your point is my point. > I believe serious security professionals or people that understand > the importance of cryptography first won't send the private keys > for Keybase and, second, if they do, they will use a strong password. > We never must forget http://xkcd.com/936/ > > But, we know average people use very weak passwords and only one > password for everything. So, as I told, a little bit of paranoia is > good, and this "feature" makes me believe a little less in Keybase, > unfortunately. The main idea is pretty good and I'm trying to > implement this culture in Brazil for a long time, but I use to say > that ordinary people don't like computers: they like Skype, > Facebook, Instagram... So, people don't care about privacy. If the > same people see that movie about Assange, or read his book, or see the > last news about privacy and Google and start to learn about > cryptography, they will store private keys with lame passwords, and > we'll have this fraudulent cert risk. > > In my opinion, nothing will replace a good key signature party, > anyway. > > -- T: @onetruecathal, @IndieBBDNA P: +353876363185 W: http://indiebiotech.com From grarpamp at gmail.com Tue Jun 24 13:02:20 2014 From: grarpamp at gmail.com (grarpamp) Date: Tue, 24 Jun 2014 16:02:20 -0400 Subject: List of digital currencies? Message-ID: Any links to a list of digital currencies organized by technology?
ie: Bitcoin has countless forks characterized by nothing more than adjusting (or not) the operating parameters of the bitcoin.org code and starting their own genesis. Others may swap out the hash or crypto functions within that. While useful to list them all under the aforesaid parent technology 'Bitcoin', they are all ultimately uninteresting and a waste of time to research. A real list would group all the digital currencies by genuine differences in architecture... those archs thus resulting in their suitability to different applications, capabilities to anonymity, features for centralization/regulation, etc. So now you might have Bitcoin Paypal, Linden Some other various coin designs Currencies that pass serialized 'banknotes' around From nathan at squimp.com Tue Jun 24 12:21:20 2014 From: nathan at squimp.com (Nathan Andrew Fain) Date: Tue, 24 Jun 2014 21:21:20 +0200 Subject: wall-of-sheep in theater (zürch, jun26-jul7) Message-ID: <53A9CFB0.5070308@squimp.com> http://gessnerallee.ch ("begin statistical purification" on 1st and every 5th load) We(*) are putting together a theater show/installation for Festspiele Zürich at the Gessnerallee theater called Anonymous-P. It's a show between us and the cell phones of the audience. Something between Defcon's "Wall-of-Sheep" on steroids as well as a game we developed for profiling between audience members. Over top of it all are 3 actors dealing with the topics of privacy and digital fingerprinting in their own way. http://vimeo.com/99041398 It's either going to be epic or a complete disaster. Test runs have proven interesting.
It is strange when an actor pulls you aside to help you change your phone so you stop leaking passwords (which 1 in 10 people do). Or when your interaction with the game has made the conclusion that you are most likely to lie. Or when you have to pay the higher price for a beer that's listed between 2 to 7chf just because the barman thinks you are rich (you have an iPhone or data game determined you make over 5000chf). Come see it if you get a chance or know someone interested. * We: myself, another anonymous coder, Chris Kondek, Christiane Kühl, Phil Hayes, Sonja Füsti, Hannes Strobl From grarpamp at gmail.com Tue Jun 24 18:32:29 2014 From: grarpamp at gmail.com (grarpamp) Date: Tue, 24 Jun 2014 21:32:29 -0400 Subject: NSA aims for absolute surveillance Message-ID: https://www.youtube.com/watch?v=FScSpFZjFf0 From coderman at gmail.com Tue Jun 24 22:08:15 2014 From: coderman at gmail.com (coderman) Date: Tue, 24 Jun 2014 22:08:15 -0700 Subject: [cryptography] List of digital currencies? In-Reply-To: References: Message-ID: On Tue, Jun 24, 2014 at 1:02 PM, grarpamp wrote: > Any links to a list of digital currencies organized by technology? > > ie: Bitcoin has countless forks characterized by nothing more > than adjusting (or not) the operating parameters of the bitcoin.org > code and starting their own genesis. Others may swap out the > hash or crypto functions within that. While useful to list them > all under the aforesaid parent technology 'Bitcoin', they are all > ultimately uninteresting and a waste of time to research. agreed. but have you seen the majesty of my wuffie? From raphael.carrier at gmail.com Tue Jun 24 19:14:55 2014 From: raphael.carrier at gmail.com (Raphael Carrier) Date: Tue, 24 Jun 2014 22:14:55 -0400 Subject: List of digital currencies?
In-Reply-To:
References:
Message-ID:

coinmarketcap has an option to filter out pre-mined and non mineable, a diff of the main list and this one would make a great start for a list
https://coinmarketcap.com/views/filter-non-mineable-and-premined/

As far as i know these are the ones that aren't just a bitcoin fork:
Ripple
NXT
Mastercoin
Ethereum
Coinffeine
MAIDsafe
Smartcoin
Protoshares

If you're starting a google doc spreadsheet, I'd be willing to help, pm me with an invite

On Tue, Jun 24, 2014 at 4:02 PM, grarpamp wrote:
> Any links to a list of digital currencies organized by technology?
>
> ie: Bitcoin has countless forks characterized by nothing more
> than adjusting (or not) the operating parameters of the bitcoin.org
> code and starting their own genesis. Others may swap out the
> hash or crypto functions within that. While useful to list them
> all under the aforesaid parent technology 'Bitcoin', they are all
> ultimately uninteresting and a waste of time to research.
>
> A real list would group all the digital currencies by genuine differences
> in architecture... those archs thus resulting in their suitability to
> different
> applications, capabilities to anonymity, features for
> centralization/regulation,
> etc.
>
> So now you might have
> Bitcoin
> Paypal, Linden
> Some other various coin designs
> Currencies that pass serialized 'banknotes' around
>
From cryptomars at cryptoparty.fr Tue Jun 24 23:16:50 2014
From: cryptomars at cryptoparty.fr (Cryptoparty Marseille)
Date: Wed, 25 Jun 2014 08:16:50 +0200
Subject: Keybase.io
In-Reply-To: <53A96BE9.4080709@cathalgarvey.me>
References: <53A45B4E.7090405@gmail.com> <53A45C9C.6030608@cathalgarvey.me> <53A95F63.8030104@gmail.com> <53A960F8.30709@cathalgarvey.me> <53A967A4.8000909@gmail.com> <53A96BE9.4080709@cathalgarvey.me>
Message-ID: <53AA6952.9060407@cryptoparty.fr>

On 24/06/2014 14:15, Cathal Garvey wrote:
>> So, as I told, a little bit of paranoia is good, and this "feature"
>> makes me believe a little less in Keybase, unfortunately. The main
>> idea is pretty good and I'm trying to implement this culture in
>> Brazil for a long time, but I use to say that ordinary people don't
>> like computers: they like Skype, Facebook, Instagram... So, people
>> don't care about privacy. If the same people see that movie about
>> Assange, or read his book, or see the last news about privacy and
>> Google and start to learn about cryptography, they will store private
>> keys with lame passwords, and we'll have this fraudulent
>> cert risk.
> I'm not against cloud-keys as long as they're encrypted, and I've
> thought of services that make use of cloud-stored keys in the past. But
> the critical ingredient to getting this right is CPU/RAM-hard key
> generating functions to make "bad" passwords "barely acceptable", and
> "userland" code that rejects stupid passwords entirely.
> Of course, hackers will be able to circumvent
> shitty-password-restrictions, but we hope that the band of people
> competent enough to circumvent password quality checks yet stupid enough
> to use a bad password is small.
>
> The problem with Keybase is that the infrastructure they're based upon,
> PGP/GPG, is probably not using modern key generation algorithms by
> default for symmetric encryption of keys.
What do you mean by that precisely?
I don't think PGP/GPG/OpenPGP is meant to encrypt private keys on servers. In what way OpenPGP or GnuPG would be linked with keybase.io private key encryption scheme or algorithms choice? I don't know everything about OpenPGP standard but I'm pretty sure it doesn't deal with such things.

> So, how many keys are
> encrypted using key algos that are easily cracked? If they were using
> hard keygen algos, then even bad-but-not-terrible passwords would be
> not-entirely-trivial to crack. But keybase can't even enforce that,
> because the PGP infrastructure is too legacy-laden.

Again, what has PGP/GPG/OpenPGP to do with keybase.io good or bad choices (you don't seem to know anything about that either by the way :-) regarding encryption of secrets on their servers? I don't get it.

>
> On 24/06/14 12:57, MrBiTs wrote:
>> On 06/24/2014 08:28 AM, Cathal Garvey wrote:
>>> Wait, do you *have* to keep your private keys in keybase? I
>>> thought it was mostly pubkey operations?
>>> I'm much more skeptical if they keep private keys, that's dark
>>> stuff. Imagine how many private keys are protected with terrible
>>> passwords, and what damage you could do to the WOT if you could
>>> just quietly crack enough keys in the WOT and use them to sign a
>>> fraudulent cert?
>>
>> You don't HAVE to, but they give this possibility. You can (if you
>> want) store your private key in Keybase. They ask you to cypher your
>> private key locally and send it to Keybase's servers. If you don't
>> store your private key in its databases, you are unable to use some
>> online services they offer, like to sign documents. You only will be
>> able to do that using his NodeJS tool. But, your point is my point.
>> I believe serious security professionals or people that understand
>> the importance of cryptography first don't will send the private keys
>> for Keybase and, second, if they do, they will use a strong password.
>> We never must forget http://xkcd.com/936/
>>
>> But, we know average people uses very weak passwords and only one
>> password for everything. So, as I told, a little bit of paranoia is
>> good, and this "feature" makes me believe a little less in Keybase,
>> unfortunately. The main idea is pretty good and I'm trying to
>> implement this culture in Brazil for a long time, but I use to say
>> that ordinary people don't like computers: they like Skype,
>> Facebook, Instagram... So, people don't care about privacy. If the
>> same people see that movie about Assange, or read his book, or see the
>> last news about privacy and Google and start to learn about
>> cryptography, they will store private keys with lame passwords, and
>> we'll have this fraudulent cert risk.
>>
>> In my opinion, nothing will replace a good key signature party,
>> anyway.
>>
>>

Pontifex
www.cryptoparty.fr

From beam at rayservers.net Wed Jun 25 01:47:49 2014
From: beam at rayservers.net (beam)
Date: Wed, 25 Jun 2014 10:47:49 +0200
Subject: Keybase.io
In-Reply-To: <53A45B4E.7090405@gmail.com>
References: <53A45B4E.7090405@gmail.com>
Message-ID: <53AA8CB5.4010303@rayservers.net>

On 20/06/2014 18:03, MrBiTs wrote:
> Hello, guys

Hi

> Keybase.io seems to be a great tool

My first impressions it is hosted on amazon...

My questions:
How is it secure?
How the pubkey is transferred?
Is it encrypted from server to client?
How do you manage MiTM?

> to create a true WoT.

I am sorry to play the devil advocate here but at the moment, this is a true LoT => Lack of TRUST

Please secure your infrastructure, secure your servers until you are able to provide a secure openpgp keyserver service and a secure encryption message service.

> Are anybody in there?

Yes ;)

> They are working with invitations.

Please stop spreading invitations.
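The key-stretching point argued in the Keybase.io thread (fast OpenPGP passphrase-to-key derivation versus a CPU/RAM-hard function, plus client-side rejection of weak passphrases), as an added example that is not from any list message and is not Keybase or GnuPG code. It implements the RFC 4880 iterated+salted S2K with SHA-1 and compares its per-guess cost with scrypt; the coded count 0x60, the scrypt parameters, the passphrase policy and its sample list are assumptions chosen for illustration.

```python
import hashlib
import time
from typing import Optional

EXPBIAS = 6  # RFC 4880, section 3.7.1.3
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # assumed example parameters
# Constructed sample of widely published passphrases (not a real wordlist).
KNOWN_PASSPHRASES = {"password", "123456", "qwerty", "letmein",
                     "correct horse battery staple"}


def s2k_count(coded: int) -> int:
    """Decode the one-octet coded count of an iterated+salted S2K specifier."""
    if not 0 <= coded <= 255:
        raise ValueError("coded count is a single octet")
    return (16 + (coded & 15)) << ((coded >> 4) + EXPBIAS)


def iterated_salted_s2k(passphrase: bytes, salt: bytes, count: int,
                        key_len: int = 16) -> bytes:
    """RFC 4880 iterated+salted S2K with SHA-1, for keys of up to 20 octets.

    salt || passphrase is hashed repeatedly until `count` octets have gone
    through one hash context; the pair is always hashed in full at least once.
    """
    if len(salt) != 8:
        raise ValueError("OpenPGP S2K salt is 8 octets")
    if key_len > hashlib.sha1().digest_size:
        raise ValueError("longer keys need extra hash contexts (not shown)")
    block = salt + passphrase
    total = max(count, len(block))
    full, rest = divmod(total, len(block))
    h = hashlib.sha1()
    h.update(block * full)   # one buffer, so the timing reflects hashing only
    h.update(block[:rest])
    return h.digest()[:key_len]


def scrypt_key(passphrase: bytes, salt: bytes, key_len: int = 16) -> bytes:
    """Memory-hard derivation of the same key size, for comparison."""
    return hashlib.scrypt(passphrase, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, maxmem=64 * 1024 * 1024, dklen=key_len)


def scrypt_memory_bytes(n: int = SCRYPT_N, r: int = SCRYPT_R) -> int:
    """Approximate working memory scrypt forces on every single guess."""
    return 128 * n * r


def passphrase_problem(passphrase: str) -> Optional[str]:
    """Hypothetical client-side policy: return a reason to reject, or None."""
    if passphrase.lower() in KNOWN_PASSPHRASES:
        return "appears in a published list"
    if len(passphrase) < 12:
        return "shorter than 12 characters"
    if len(set(passphrase)) < 5:
        return "too few distinct characters"
    return None


def seconds_per_guess(kdf, rounds: int) -> float:
    """Average wall-clock cost of one passphrase-to-key derivation."""
    salt = bytes(range(8))  # constructed fixed salt
    start = time.perf_counter()
    for i in range(rounds):
        kdf(b"guess-%d" % i, salt)
    return (time.perf_counter() - start) / rounds


def compare_costs(coded_count: int = 0x60) -> dict:
    """Per-guess cost of S2K at the given coded count versus scrypt."""
    count = s2k_count(coded_count)
    return {
        "s2k": seconds_per_guess(
            lambda p, s: iterated_salted_s2k(p, s, count), rounds=50),
        "scrypt": seconds_per_guess(scrypt_key, rounds=5),
    }


if __name__ == "__main__":
    costs = compare_costs()
    for name, secs in costs.items():
        print(f"{name:7s} {secs * 1000:9.3f} ms per guess")
    print("scrypt memory per guess:", scrypt_memory_bytes() // 2 ** 20, "MiB")
    for candidate in ("hunter2", "correct horse battery staple",
                      "vexed-otter-plays-9-drums"):
        print(repr(candidate), "->", passphrase_problem(candidate) or "accepted")
```

The S2K figure scales only with the octet count and needs no memory to speak of, so it parallelises cheaply; the scrypt figure also ties up the reported memory for every guess.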
From cathalgarvey at cathalgarvey.me Wed Jun 25 03:19:57 2014
From: cathalgarvey at cathalgarvey.me (Cathal (phone))
Date: Wed, 25 Jun 2014 11:19:57 +0100
Subject: why do you sign your mails?
In-Reply-To: <20140625092049.GN7889@ctrlc.hu>
References: <20140625092049.GN7889@ctrlc.hu>
Message-ID: <441c6182-f5ac-46c0-8d47-cfe14add7bf4@email.android.com>

Mail client's configured to. Also, it establishes a history of key use in a public forum.

On 25 June 2014 10:20:50 GMT+01:00, stef wrote:
>i noticed lots of users pgp-sign their mails to mailing-lists. what
>exactly is
>the reason/usecase/attackvector you defend against for that? what
>exactly is
>the reason for doing so on public mailing lists? and why does it make
>sense to
>sign irrelevant messages like "+1" or "just kidding" - assuming no
>stego
>usecase is in play.
>
>--
>otr fp: https://www.ctrlc.hu/~stef/otr.txt

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

From s at ctrlc.hu Wed Jun 25 02:20:50 2014
From: s at ctrlc.hu (stef)
Date: Wed, 25 Jun 2014 11:20:50 +0200
Subject: why do you sign your mails?
Message-ID: <20140625092049.GN7889@ctrlc.hu>

i noticed lots of users pgp-sign their mails to mailing-lists. what exactly is the reason/usecase/attackvector you defend against for that? what exactly is the reason for doing so on public mailing lists? and why does it make sense to sign irrelevant messages like "+1" or "just kidding" - assuming no stego usecase is in play.
--
otr fp: https://www.ctrlc.hu/~stef/otr.txt

From cathalgarvey at cathalgarvey.me Wed Jun 25 04:37:26 2014
From: cathalgarvey at cathalgarvey.me (Cathal Garvey)
Date: Wed, 25 Jun 2014 12:37:26 +0100
Subject: Keybase.io
In-Reply-To: <53AA6952.9060407@cryptoparty.fr>
References: <53A45B4E.7090405@gmail.com> <53A45C9C.6030608@cathalgarvey.me> <53A95F63.8030104@gmail.com> <53A960F8.30709@cathalgarvey.me> <53A967A4.8000909@gmail.com> <53A96BE9.4080709@cathalgarvey.me> <53AA6952.9060407@cryptoparty.fr>
Message-ID: <53AAB476.6010400@cathalgarvey.me>

Hey Pontifex,

>> The problem with Keybase is that the infrastructure they're based upon,
>> PGP/GPG, is probably not using modern key generation algorithms by
>> default for symmetric encryption of keys.
>
> What do you mean by that precisely?
> I don't think PGP/GPG/OpenPGP is meant to encrypt private keys on
> servers. In what way OpenPGP or GnuPG would be linked with keybase.io
> private key encryption scheme or algorithms choice? I don't know
> everything about OpenPGP standard but I'm pretty sure it doesn't deal
> with such things.

Exactly, it doesn't. OpenPGP/GnuPG allows (strongly encourages!) you to encrypt your private key, so that you can only perform private key operations if you provide your passphrase. *In theory*, a well-encrypted private key can be uploaded to the NSA's own servers without hazard; this is the idea of "semantic security", I'm told.

So, uploading a well-encrypted private keypair to keybase *should* be OK, with certain caveats. Leaving aside that it's a bad idea anyway, because the fewer copies of your private key there are under various passphrases the better, my main concern is that OpenPGP never was designed for semantic security with modern key-cracking in mind. So, decrypting private keys for use is quite fast, whereas you really want decryption to take a second or more so that brute-force cracking will take forever.
Really though, I'm wondering whether it makes no difference how good the key schedule is because many people will continue to use terrible passphrases for their keys, and keybase or their NSA friends could just parallel-brute-force every key in the DB and compromise those keys quickly, using them to spread falsified keys with good standing in the WoT.

>> So, how many keys are
>> encrypted using key algos that are easily cracked? If they were using
>> hard keygen algos, then even bad-but-not-terrible passwords would be
>> not-entirely-trivial to crack. But keybase can't even enforce that,
>> because the PGP infrastructure is too legacy-laden.
>
> Again, what has PGP/GPG/OpenPGP to do with keybase.io good or bad
> choices (you don't seem to know anything about that either by the way
> :-) regarding encryption of secrets on their servers? I don't get it.

You're making assumptions about my level of knowledge on the subject, here. I'm discussing the suitability of the key schedules used for encrypted PGP private keys by available software, and whether these schedules are suitable for use entrusting your key to a remote, US-based webservice in a "zero knowledge" way. Especially as probably most OpenPGP implementations won't sanitise stupid passphrases.

--
T: @onetruecathal, @IndieBBDNA
P: +353876363185
W: http://indiebiotech.com

From rysiek at hackerspace.pl Wed Jun 25 03:50:46 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Wed, 25 Jun 2014 12:50:46 +0200
Subject: why do you sign your mails?
In-Reply-To: <20140625092049.GN7889@ctrlc.hu>
References: <20140625092049.GN7889@ctrlc.hu>
Message-ID: <3376925.6H1uHk86cQ@lapuntu>

On Wednesday, 25 June 2014 11:20:50 stef wrote:
> i noticed lots of users pgp-sign their mails to mailing-lists. what exactly
> is the reason/usecase/attackvector you defend against for that? what
> exactly is the reason for doing so on public mailing lists? and why does it
> make sense to sign irrelevant messages like "+1" or "just kidding" -
> assuming no stego usecase is in play.

I sign my e-mails for the same reasons I undersign them. E-mail is dead-easy to forge, so when I have something to say, I sign it in a way to ensure that it's as unforgeable as possible.

I sign *all* my e-mail (and try to encrypt as much as possible, but that's another thing), even trivial, so that if anybody gets e-mail from me that is *not* signed, they will be more likely to suspect foul play.

--
Regards
rysiek

From rysiek at hackerspace.pl Wed Jun 25 03:52:36 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Wed, 25 Jun 2014 12:52:36 +0200
Subject: why do you sign your mails?
In-Reply-To: <20140625092049.GN7889@ctrlc.hu>
References: <20140625092049.GN7889@ctrlc.hu>
Message-ID: <23794078.OsRUET4Cvr@lapuntu>

On Wednesday, 25 June 2014 11:20:50 stef wrote:
> i noticed lots of users pgp-sign their mails to mailing-lists. what exactly
> is the reason/usecase/attackvector you defend against for that? what
> exactly is the reason for doing so on public mailing lists? and why does it
> make sense to sign irrelevant messages like "+1" or "just kidding" -
> assuming no stego usecase is in play.

One more reason: spreading the word about GPG/PGP.
This actually helps get people interested in encryption, and helps also inform people that do have a GPG/PGP key (but for different reasons do not use them on a general basis), that here's a person that does use it, and it's possible to encrypt e-mails to that person.

Which might not be all that important on cpunks, I give you that, but a rule is a rule. ;)

--
Regards
rysiek

From david.vorick at gmail.com Wed Jun 25 13:10:39 2014
From: david.vorick at gmail.com (David Vorick)
Date: Wed, 25 Jun 2014 15:10:39 -0500
Subject: [cryptography] List of digital currencies?
In-Reply-To:
References:
Message-ID:

I'd like to see Sia added to the list, not very mainstream but it's the only quorum based cryptocurrency (that I know of)

www.siacoin.com

On Wed, Jun 25, 2014 at 12:08 AM, coderman wrote:
> On Tue, Jun 24, 2014 at 1:02 PM, grarpamp wrote:
> > Any links to a list of digital currencies organized by technology?
> >
> > ie: Bitcoin has countless forks characterized by nothing more
> > than adjusting (or not) the operating parameters of the bitcoin.org
> > code and starting their own genesis. Others may swap out the
> > hash or crypto functions within that. While useful to list them
> > all under the aforesaid parent technology 'Bitcoin', they are all
> > ultimately uninteresting and a waste of time to research.
>
>
> agreed. but have you seen the majesty of my wuffie?
>
From guninski at guninski.com Wed Jun 25 05:11:53 2014
From: guninski at guninski.com (Georgi Guninski)
Date: Wed, 25 Jun 2014 15:11:53 +0300
Subject: [OT] Libreoffice's VBA and cross platform virii
Message-ID: <20140625121153.GA2555@sivokote.iziade.m$>

http://lwn.net/headlines/newrss

Ubuntu has updated libreoffice (14.04 LTS: unexpected VBA macro execution)

They might make client virii cross platform, the way java is screwing people.

From rysiek at hackerspace.pl Wed Jun 25 13:21:04 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Wed, 25 Jun 2014 22:21:04 +0200
Subject: SSL Co-op
Message-ID: <1714525.rN0PzF0okU@lapuntu>

So, this has been proposed:
http://www.hezmatt.org/~mpalmer/blog/2014/06/05/ssl-certificate-cooperative.html
http://www.hezmatt.org/~mpalmer/blog/2014/06/25/moving-forward-with-an-ssl-coop.html
http://www.sslcoop.org/

"The vision of the SSL Co-operative is to be a professionally-operated, member-controlled globally-trusted Certification Authority, serving the identity verification and management needs of its members.

At present, this initiative is in the analysis and planning stage. Investigation is underway to determine the full set of costs involved, both financial and temporal. If you think a member-controlled CA that puts the interests of its members, and that of the Internet community, ahead of profits is a good idea, and might consider being a member if it gets off the ground, I would appreciate it if you would fill out a short survey letting me know a little bit about your organisation, to ensure that the co-op best serves your needs."

--
Regards
rysiek
From scott at sbce.org Wed Jun 25 21:55:06 2014
From: scott at sbce.org (Scott Blaydes)
Date: Wed, 25 Jun 2014 23:55:06 -0500
Subject: why do you sign your mails?
In-Reply-To: <23794078.OsRUET4Cvr@lapuntu>
References: <20140625092049.GN7889@ctrlc.hu> <23794078.OsRUET4Cvr@lapuntu>
Message-ID: <5466B723-CF66-4838-A5F0-8D4B661FC65C@sbce.org>

On Jun 25, 2014, at 5:52 AM, rysiek wrote:

> On Wednesday, 25 June 2014 11:20:50 stef wrote:
>> i noticed lots of users pgp-sign their mails to mailing-lists. what exactly
>> is the reason/usecase/attackvector you defend against for that? what
>> exactly is the reason for doing so on public mailing lists? and why does it
>> make sense to sign irrelevant messages like "+1" or "just kidding" -
>> assuming no stego usecase is in play.
>
> One more reason: spreading the word about GPG/PGP. This actually helps get
> people interested in encryption, and helps also inform people that do have a
> GPG/PGP key (but for different reasons do not use them on a general basis),
> that here's a person that does use it, and it's possible to encrypt e-mails to
> that person.
>
> Which might not be all that important on cpunks, I give you that, but a rule
> is a rule. ;)

I do it to let the people I am communicating with through plaintext email know that I am setup and configured to handle encrypted communications. All they need to do is pull my pub key off of a key server and then our communications are encrypted from that point forward.

The prevention of being impersonated is also one reason, along with a way to secretly signal to the recipient that I am under duress and my words may not be my own.

Course that all goes out the window when emailing from my cellphone. That ain’t no way I want my private key on my cellphone.
Thank you,
Scott Blaydes

========================\ /----------------------------------------------------------
scott at sbce.org \ / *BSD/Linux Advocate crypto user
GPG 096EECF0D8A2381E \/ Society for Better Computing Ethics
gpg key on keyserver / \ http://sbce.org/
-------------------------------------------/ \==================================

From morgan at cypherpunk.net.nz Thu Jun 26 09:47:13 2014
From: morgan at cypherpunk.net.nz (Morgan Mayhem)
Date: Thu, 26 Jun 2014 09:47:13 -0700
Subject: Research into Law Enforcement surveillance technology
Message-ID:

Recently released research on software used by police / intelligence agencies for mobile phone surveillance: https://citizenlab.org/2014/06/backdoor-hacking-teams-tradecraft-android-implant/ .

The piece in Wired covering this was particularly well done: http://www.wired.com/2014/06/remote-control-system-phone-surveillance/

Also worth a glance:
Associated Press: http://bigstory.ap.org/article/eyes-you-experts-reveal-police-hacking-methods-0
VICE: http://motherboard.vice.com/read/police-grade-mobile-spyware-is-spreading-through-saudi-arabia-and-beyond
International Business Times: http://www.ibtimes.co.uk/hacking-team-tools-allow-governments-take-full-control-your-smartphone-1453987

--
Seek not the favor of the multitude; it is seldom got by honest and lawful means. But seek the testimony of few; and number not voices, but weigh them

From scott at sbce.org Thu Jun 26 07:48:25 2014
From: scott at sbce.org (Scott Blaydes)
Date: Thu, 26 Jun 2014 09:48:25 -0500
Subject: why do you sign your mails?
In-Reply-To: <53ABECF2.4050600@cryptoparty.fr>
References: <20140625092049.GN7889@ctrlc.hu> <23794078.OsRUET4Cvr@lapuntu> <5466B723-CF66-4838-A5F0-8D4B661FC65C@sbce.org> <53ABECF2.4050600@cryptoparty.fr>
Message-ID:

On Jun 26, 2014, at 4:50 AM, Cryptoparty Marseille wrote:

>>
>> Course that all goes out the window when emailing from my cellphone. That ain’t no way I want my private key on my cellphone.
> Maybe you could create a signing subkey specifically for your cell phone.
>>

That is a good idea, but I just don’t feel comfortable doing anything GPG/PGP related on my phone. Part of it is paranoia, part of it is grounded in reason. If confiscated by a LEO, the fact that I have encryption related apps will make my phone even more interesting to them.

Thank you,
Scott Blaydes

From coderman at gmail.com Thu Jun 26 11:27:24 2014
From: coderman at gmail.com (coderman)
Date: Thu, 26 Jun 2014 11:27:24 -0700
Subject: [cryptography] Stealthy Dopant-Level Hardware Trojans
In-Reply-To:
References: <20130913094924.GW10405@leitl.org> <53A6A526.5060606@briarproject.org>
Message-ID:

On Sun, Jun 22, 2014 at 2:49 AM, coderman wrote:
>...
> full URI to PDF for posterity:
> http://www.emsec.rub.de/media/crypto/veroeffentlichungen/2014/02/20/BeckerChes13.pdf

one last note: it has been pointed out that this paper discusses one potential implementation of the gates in question and does not actually represent Intel chip designs as produced. it is not clear how many potential ASIC runs could be affected by this technique.

i am accepting BTC donations for a FIB rig and operating costs, with the promise to public domain the imaging.
;)

best regards,

From cryptomars at cryptoparty.fr Thu Jun 26 02:50:42 2014
From: cryptomars at cryptoparty.fr (Cryptoparty Marseille)
Date: Thu, 26 Jun 2014 11:50:42 +0200
Subject: why do you sign your mails?
In-Reply-To: <5466B723-CF66-4838-A5F0-8D4B661FC65C@sbce.org>
References: <20140625092049.GN7889@ctrlc.hu> <23794078.OsRUET4Cvr@lapuntu> <5466B723-CF66-4838-A5F0-8D4B661FC65C@sbce.org>
Message-ID: <53ABECF2.4050600@cryptoparty.fr>

On 26/06/2014 06:55, Scott Blaydes wrote:
> On Jun 25, 2014, at 5:52 AM, rysiek wrote:
>
>> On Wednesday, 25 June 2014 11:20:50 stef wrote:
>>> i noticed lots of users pgp-sign their mails to mailing-lists. what exactly
>>> is the reason/usecase/attackvector you defend against for that? what
>>> exactly is the reason for doing so on public mailing lists? and why does it
>>> make sense to sign irrelevant messages like "+1" or "just kidding" -
>>> assuming no stego usecase is in play.
>> One more reason: spreading the word about GPG/PGP. This actually helps get
>> people interested in encryption, and helps also inform people that do have a
>> GPG/PGP key (but for different reasons do not use them on a general basis),
>> that here's a person that does use it, and it's possible to encrypt e-mails to
>> that person.
>>
>> Which might not be all that important on cpunks, I give you that, but a rule
>> is a rule. ;)
> I do it to let the people I am communicating with through plaintext email know that I am setup and configured to handle encrypted communications. All they need to do is pull my pub key off of a key server and then our communications are encrypted from that point forward.
>
> The prevention of being impersonated is also one reason, along with a way to secretly signal to the recipient that I am under duress and my words may not be my own.
>
> Course that all goes out the window when emailing from my cellphone. That ain’t no way I want my private key on my cellphone.
Maybe you could create a signing subkey specifically for your cell phone.

>
> Thank you,
> Scott Blaydes
>
>
> ========================\ /----------------------------------------------------------
> scott at sbce.org \ / *BSD/Linux Advocate crypto user
> GPG 096EECF0D8A2381E \/ Society for Better Computing Ethics
> gpg key on keyserver / \ http://sbce.org/
> -------------------------------------------/ \==================================
>
>
>

cryptomars
cryptoparty.fr

From indeyets at gmail.com Thu Jun 26 23:43:02 2014
From: indeyets at gmail.com (Alexey Zakhlestin)
Date: Fri, 27 Jun 2014 10:43:02 +0400
Subject: What do you think about it: <> - a service that provides privacy and security for messaging, email and calling
In-Reply-To:
References:
Message-ID:

1. Closed source
2. Closed protocol
3. No real technical details
4. No mentions of independent security audit
…

On 27 Jun 2014, at 09:54, Александр wrote:

--
Alexey Zakhlestin
CTO at Grids.by/you
https://github.com/indeyets
PGP key: http://indeyets.ru/alexey.zakhlestin.pgp.asc

From grarpamp at gmail.com Sat Jun 28 00:32:57 2014
From: grarpamp at gmail.com (grarpamp)
Date: Sat, 28 Jun 2014 03:32:57 -0400
Subject: NSA drone flight
Message-ID:

http://www.wired.com/2014/06/protestors-launch-a-135-foot-blimp-over-the-nsas-utah-data-center/

From parker at eff.org Sat Jun 28 12:55:41 2014
From: parker at eff.org (Parker Higgins)
Date: Sat, 28 Jun 2014 13:55:41 -0600
Subject: NSA drone flight
In-Reply-To:
References:
Message-ID: <53AF1DBD.7050906@eff.org>

Minor correction to the subject line: this vehicle was not unmanned.
I was one of two people in it.

Thanks,
Parker

On 6/28/14 1:32 AM, grarpamp wrote:
> http://www.wired.com/2014/06/protestors-launch-a-135-foot-blimp-over-the-nsas-utah-data-center/
>

--
Parker Higgins
Activist
Electronic Frontier Foundation
https://eff.org
815 Eddy Street
San Francisco, CA 94109-7701

From grarpamp at gmail.com Sat Jun 28 12:00:45 2014
From: grarpamp at gmail.com (grarpamp)
Date: Sat, 28 Jun 2014 15:00:45 -0400
Subject: readysim prepaid gsm - privacy focused marketing?
Message-ID:

A curious positioning among phone providers...

https://www.readysim.com/who-its-for.html
https://www.torproject.org/about/torusers.html.en
http://arstechnica.com/business/2013/03/ready-sim-offers-cheap-short-term-and-disposable-mobile-service/

From wb8foz at nrk.com Sat Jun 28 15:51:16 2014
From: wb8foz at nrk.com (David)
Date: Sat, 28 Jun 2014 18:51:16 -0400
Subject: readysim prepaid gsm - privacy focused marketing?
In-Reply-To:
References:
Message-ID: <53AF46E4.8030105@nrk.com>

On 6/28/14 3:00 PM, grarpamp wrote:
> A curious positioning among phone providers...
>
> https://www.readysim.com/who-its-for.html
> https://www.torproject.org/about/torusers.html.en
> http://arstechnica.com/business/2013/03/ready-sim-offers-cheap-short-term-and-disposable-mobile-service/

What good is such unless you also change phones?
[The IMEA is also logged...]

From rysiek at hackerspace.pl Sat Jun 28 16:39:42 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Sun, 29 Jun 2014 01:39:42 +0200
Subject: readysim prepaid gsm - privacy focused marketing?
In-Reply-To: <53AF46E4.8030105@nrk.com>
References: <53AF46E4.8030105@nrk.com>
Message-ID: <3115741.jqNZEQYWpI@lapuntu>

On Saturday, 28 June 2014 18:51:16 David wrote:
> On 6/28/14 3:00 PM, grarpamp wrote:
> > A curious positioning among phone providers...
> >
> > https://www.readysim.com/who-its-for.html
> > https://www.torproject.org/about/torusers.html.en
> > http://arstechnica.com/business/2013/03/ready-sim-offers-cheap-short-term-and-disposable-mobile-service/
> What good is such unless you also change phones?
> [The IMEA is also logged...]

Well, at least now you have that covered. Getting another phone without providing your ID is much easier than getting a new SIM.

--
Regards
rysiek

From grarpamp at gmail.com Sat Jun 28 23:21:57 2014
From: grarpamp at gmail.com (grarpamp)
Date: Sun, 29 Jun 2014 02:21:57 -0400
Subject: NSA drone flight
In-Reply-To: <53AF1DBD.7050906@eff.org>
References: <53AF1DBD.7050906@eff.org>
Message-ID:

On Sat, Jun 28, 2014 at 3:55 PM, Parker Higgins wrote:
> Minor correction to the subject line: this vehicle was not unmanned. I
> was one of two people in it.

I know. Drones also spy, spies also droneish, bit of mashup to go with humorous overflight NSA.

From jya at pipeline.com Sun Jun 29 08:39:15 2014
From: jya at pipeline.com (John Young)
Date: Sun, 29 Jun 2014 11:39:15 -0400
Subject: Jabber
In-Reply-To: <92709E37-36BD-40A2-9EF9-9565E7D6D716@riseup.net>
References: <92709E37-36BD-40A2-9EF9-9565E7D6D716@riseup.net>
Message-ID:

At 10:20 AM 6/29/2014, you wrote:
>any add. info on 'compromised jabber'?
>Got some hints as well - nothing clear.

"Compromised" is the time's opportunistic word for ever more anti-NSA comsec, mom.
Cisco Jabber Client (scroll down):

http://www.dailykos.com/story/2014/04/11/1291357/-NSA-Kept-You-Unsecure-It-Knew-of-Hearbleed-Bug-But-Used-it-Instead-of-Fixing-the-Security-Breach

" Linked In Microsoft Office + Jabber Listed in Spy Program Specialty" (scroll down)

https://www.techdirt.com/articles/20130617/13482623512/discovering-names-secret-nsa-surveillance-programs-via-linkedin.shtml

US Secret Service reportedly rigged access to Jabber to take down Silk Road and others. Can't find reference.

Allegations also made against Chaos Computer Club being "compromised."

No question that all these could be disinfo ops to distrust the services, discourage use and drive users to less trustworthy services.

However, the post-Snowden rise in "secure drop boxes," "NSA-proof email," and the bountiful other snake oils by the comsec industry and peculiarly opportunistic do-gooders suggests there are willing and unwilling cooperators with the spooks industry, and not least, the thriving anti-spooks industry consulting the spooks on what can be done "without harming national security."

Cypherpunks laid the foundation for this, no question, and a few have gone on to do rather well at working both sides of comsec, that is what comsec has always been: duplicitous, sneaky, treacherous, lying, cheating, why not tell it snakily, downright upright-humans raping the planet and beyond the blob, the stars.

Examine speaker bureau offerings for who is traveling the blob peddling prime snake fracking.

From l at odewijk.nl Sun Jun 29 05:25:29 2014
From: l at odewijk.nl (Lodewijk andré de la porte)
Date: Sun, 29 Jun 2014 14:25:29 +0200
Subject: NSA drone flight
In-Reply-To: <53AF1DBD.7050906@eff.org>
References: <53AF1DBD.7050906@eff.org>
Message-ID:

2014-06-28 21:55 GMT+02:00 Parker Higgins :
> Minor correction to the subject line: this vehicle was not unmanned. I
> was one of two people in it.
>
> Thanks,
> Parker
>

I had a big laugh, nice!
From coderman at gmail.com Sun Jun 29 16:46:25 2014 From: coderman at gmail.com (coderman) Date: Sun, 29 Jun 2014 16:46:25 -0700 Subject: NSA drone flight In-Reply-To: <53AF1DBD.7050906@eff.org> References: <53AF1DBD.7050906@eff.org> Message-ID: On Sat, Jun 28, 2014 at 12:55 PM, Parker Higgins wrote: > Minor correction to the subject line: this vehicle was not unmanned. I > was one of two people in it. i can't be the only one who'd pay good money for such a chartered flight! kudos and best regards, From guninski at guninski.com Sun Jun 29 07:48:00 2014 From: guninski at guninski.com (Georgi Guninski) Date: Sun, 29 Jun 2014 17:48:00 +0300 Subject: NSA drone flight In-Reply-To: References: Message-ID: <20140629144733.GA2144@sivokote.iziade.m$> On Sat, Jun 28, 2014 at 03:32:57AM -0400, grarpamp wrote: > http://www.wired.com/2014/06/protestors-launch-a-135-foot-blimp-over-the-nsas-utah-data-center/ If it were unmanned couldn't it drop some stuff on them? From juan.g71 at gmail.com Sun Jun 29 14:04:02 2014 From: juan.g71 at gmail.com (Juan) Date: Sun, 29 Jun 2014 18:04:02 -0300 Subject: Tor Message-ID: <20140629180402.00007cb6@unknown> The tor 'anonymity' network is a project of the US military. As such, it must serve the ends of the US military. If the alleged ends of the tor project do not match the ends of the US military, the alleged tor ends are just a cover lie, or a lame half-truth at best. The real ends of the US military, are, of course, not 'officially' acknowledged though they are widely known, even among half-educated observers. The US military is the biggest criminal organization on the planet and its real purpose is to further the global interests of the US government and US fascist business. To do this they routinely invade countries and murder millions of people.
Bear in mind the moral outlook of these people when analyzing their actions. Would the US military create an anonymity network that they can't subvert? Of course not. The tor network can prevent ordinary users A and B from learning their respective locations, but if a third party C (say, US government) can monitor A's and B's traffic, it can 'deanonymize' them. As a side note, tor can be and is routinely blocked, rendering it rather useless. In cases where tor could make people anonymous, at least from the point of view of servers like, say, IRC servers, access is blocked by the servers operators. So much for 'free speech'. Summing up, the first objective of the tor network is to give a 'gratis' and subverted 'tool' to...targets of government surveillance. Pure altruism. Another objective of the tor network is to get around the blocking system of, say, the Chinese network. Since China is firewalled, the US military can't easily spy on Chinese people. So, what the tor employees (accomplices of the fascist US government) do is 1) pretend that they 'fight' for 'free speech' in China 2) gather information about people in China who, by using tor, signal that they are potentially 'interesting' to the US military. Again, the 'official' motives and the real motives do not match, ------------- So far, I got this far =P - I'll add more stuff later .... From demonfighter at gmail.com Sun Jun 29 15:28:59 2014 From: demonfighter at gmail.com (Steve Furlong) Date: Sun, 29 Jun 2014 18:28:59 -0400 Subject: Tor In-Reply-To: <8616650.h6vFVNbIRO@lapuntu> References: <20140629180402.00007cb6@unknown> <8616650.h6vFVNbIRO@lapuntu> Message-ID: On Sun, Jun 29, 2014 at 6:14 PM, rysiek wrote: > /me grabs popcorn Better to grab popcorn than what Juan grabbed as he stroked himself into a frenzy up there.
From tom at ritter.vg Sun Jun 29 16:11:31 2014 From: tom at ritter.vg (Tom Ritter) Date: Sun, 29 Jun 2014 19:11:31 -0400 Subject: [liberationtech] Nsa-observer: organising nsa leaks by attack vector In-Reply-To: References: <1403615736.13581.132987521.471F759E@webmail.messagingengine.com> Message-ID: On 29 June 2014 13:13, Alexey Zakhlestin wrote: > Seems to be down. Was data released somewhere else? It is up for me. The site itself is open source (https://github.com/albancrommer/nsa-observer) and the data is exportable (https://www.nsa-observer.net/export/json). -tom From juan.g71 at gmail.com Sun Jun 29 16:06:43 2014 From: juan.g71 at gmail.com (Juan) Date: Sun, 29 Jun 2014 20:06:43 -0300 Subject: Tor In-Reply-To: <8616650.h6vFVNbIRO@lapuntu> References: <20140629180402.00007cb6@unknown> <8616650.h6vFVNbIRO@lapuntu> Message-ID: <20140629200643.0000234a@unknown> On Mon, 30 Jun 2014 00:14:04 +0200 rysiek wrote: > On Sunday, 29 June 2014 18:04:02 Juan wrote: > > The tor 'anonymity' network is a project of the US military. As > > such, it must serve the ends of the US military. > > /me grabs popcorn Well, thanks. I can finally put you in the correct category =) > From indeyets at gmail.com Sun Jun 29 10:13:09 2014 From: indeyets at gmail.com (Alexey Zakhlestin) Date: Sun, 29 Jun 2014 21:13:09 +0400 Subject: [liberationtech] Nsa-observer: organising nsa leaks by attack vector In-Reply-To: <1403615736.13581.132987521.471F759E@webmail.messagingengine.com> References: <1403615736.13581.132987521.471F759E@webmail.messagingengine.com> Message-ID: Seems to be down. Was data released somewhere else? On 24 Jun 2014, at 17:15, Todd Weiler wrote: > A brilliant site was quietly launched a while back: > > https://www.nsa-observer.net/ > > It classifies the recent NSA revelations by Programs, Attack Vectors, > and Compartments, even providing the database in JSON format.
The > dataset could feed some interesting research. -- Alexey Zakhlestin CTO at Grids.by/you https://github.com/indeyets PGP key: http://indeyets.ru/alexey.zakhlestin.pgp.asc -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 495 bytes Desc: Message signed with OpenPGP using GPGMail URL: From lists at sadiqs.com Sun Jun 29 20:05:43 2014 From: lists at sadiqs.com (Sadiq Saif) Date: Sun, 29 Jun 2014 23:05:43 -0400 Subject: Tor In-Reply-To: <20140629200643.0000234a@unknown> References: <20140629180402.00007cb6@unknown> <8616650.h6vFVNbIRO@lapuntu> <20140629200643.0000234a@unknown> Message-ID: <53B0D407.4020704@sadiqs.com> On 6/29/2014 19:06, Juan wrote: > > Well, thanks. > > I can finally put you in the correct category =) An IRC user? :) -- Sadiq Saif XMPP - staticsafe at jabber.org From coderman at gmail.com Sun Jun 29 23:20:33 2014 From: coderman at gmail.com (coderman) Date: Sun, 29 Jun 2014 23:20:33 -0700 Subject: Tor In-Reply-To: References: <20140629180402.00007cb6@unknown> Message-ID: On Sun, Jun 29, 2014 at 4:25 PM, Sampo Syreeni wrote: > On 2014-06-29, Juan wrote: > >> The tor 'anonimity' network is a project of the US military. As such, it >> must serve the ends of the US military. > > > Yes, well, fuck you. I read much of code, I run an exit node, and just fuck > you and your germ line. i actually don't see the problem with the "Tor must serve the interests of some of the US military" line, even if couched in most offensive manner above, "serves ... US military" the beauty of Tor specifically and anonymity networks in general is that proper privacy floats all boats! everyone should be using a good mix and overlay, the feds, the fuzz, the fuckups, and the fucktards. your mother, too. 
best regards, the most anonymous fuckwit From odinn.cyberguerrilla at riseup.net Sun Jun 29 23:40:06 2014 From: odinn.cyberguerrilla at riseup.net (Odinn Cyberguerrilla) Date: Sun, 29 Jun 2014 23:40:06 -0700 Subject: Tor In-Reply-To: <20140629180402.00007cb6@unknown> References: <20140629180402.00007cb6@unknown> Message-ID: <5731d0f5cf4d54c502bb9242efcc3d4c.squirrel@fruiteater.riseup.net> This list is seriously full of FUD lately.. but then again, when has it not been? On the other hand. people should be aware of the limitations and problems inherent to any tool they use. For example, you can't put your hand under the place where you are slamming the hammer down. As Odinn, I have been compelled to remind Odinson of this from time to time. Here are some tidbits which may be relevant to the Tor-as-tool discussion and what to be aware of: (Note: This clear warning about some issues with certain aspects of use of Tor is from the Tor Project itself. They are right to provide cautionary information so that users of the project do not inadvertently harm themselves with the tools provided.) https://www.torproject.org/docs/faq#WarningsAboutSOCKSandDNSInformationLeaks (The following is a guide which may be helpful on issues both related to Tor as well as to other tools, which suggests use of SOCKS4A) https://lilithlela.cyberguerrilla.org/?p=5794 Have fun out there. And be careful with the hammer. -Odinn > > > The tor 'anonimity' network is a project of the US military. As such, > it must serve the ends of the US military. > > If the alleged ends of the tor project do not match the ends of the US > military, the alleged tor ends are just a cover lie, or a lame > half-truth at best. > > > The real ends of the US military, are, of course, not 'officially' > acknowledged though they are widely known, even among half-educated > observers. 
> > > The US military is the biggest criminal organization on the planet > and its real purpose is to further the global interests of the US > government and US fascist business. To do this they routinely invade > countries and murder millions of people. > > Bear in mind the moral outlook of these people when analyzing their > actions. > > Would the US military create an anonimity network that they can't > subvert? Of course not. > > The tor network can prevent ordinary users A and B from learning their > respective locations, but if a third party C (say, US government) can > monitor A's and B's traffic, it can 'deanonimize' them. > > As a side note, tor can be and is routinely blocked, rendering it > rather useless. In cases where tor could make people anonymous, at > least from the point of view of servers like, say, IRC servers , access > is blocked by the servers operators. So much for 'free speech'. > > Suming up, the first objective of the tor network is to give a 'gratis' > and subverted 'tool' to...targets of government surveillance. Pure > altruism. > > > Another objective of the tor network is to get around the blocking > system of, say, the chinese network. Since china is firewalled, the US > military can't easily spy on chinese people. > > So, what the tor employees (accomplices of the fascist US governemnt) > do is > > 1) pretend that they 'fight' for ' free speech' in china > > 2) gather information about people in china who, by using tor, signal > that they are potentially 'interesting' to the US military. > > Again, the 'official' motives and the real motives do not match, > > > ------------- > > So far, I got this far =P - Ill add more stuff later .... 
> From rysiek at hackerspace.pl Sun Jun 29 15:14:04 2014 From: rysiek at hackerspace.pl (rysiek) Date: Mon, 30 Jun 2014 00:14:04 +0200 Subject: Tor In-Reply-To: <20140629180402.00007cb6@unknown> References: <20140629180402.00007cb6@unknown> Message-ID: <8616650.h6vFVNbIRO@lapuntu> Dnia niedziela, 29 czerwca 2014 18:04:02 Juan pisze: > The tor 'anonimity' network is a project of the US military. As such, > it must serve the ends of the US military. /me grabs popcorn -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From coderman at gmail.com Mon Jun 30 00:33:30 2014 From: coderman at gmail.com (coderman) Date: Mon, 30 Jun 2014 00:33:30 -0700 Subject: Tor and proxy bypass Message-ID: On Sun, Jun 29, 2014 at 11:40 PM, Odinn Cyberguerrilla wrote: > ... > Here are some tidbits which may be relevant to the Tor-as-tool discussion > and what to be aware of:... > https://www.torproject.org/docs/faq#WarningsAboutSOCKSandDNSInformationLeaks > ... > https://lilithlela.cyberguerrilla.org/?p=5794 on the subject, the recently published state of proxy bypass on mobile: "The problem behind mobile Tor browsers' ip disclosure" http://xordern.net/ip-leakage-of-mobile-tor-browsers.html note how defense in depth as far as transparent proxy via root privs nulls this one, but opens other privacy risks... everything old is new again, [ if it was my favorites on repeat, i'd be less cranky ;) .] best regards, From scott at sbce.org Sun Jun 29 23:25:42 2014 From: scott at sbce.org (Scott Blaydes) Date: Mon, 30 Jun 2014 01:25:42 -0500 Subject: Tor In-Reply-To: References: <20140629180402.00007cb6@unknown> Message-ID: On Jun 29, 2014, at 6:25 PM, Sampo Syreeni wrote: > On 2014-06-29, Juan wrote: > >> The tor 'anonimity' network is a project of the US military. As such, it must serve the ends of the US military. 
> > Yes, well, fuck you. I read much of code, I run an exit node, and just fuck you and your germ line. > -- > Sampo Syreeni, aka decoy - decoy at iki.fi, http://decoy.iki.fi/front > +358-40-3255353, 025E D175 ABE5 027C 9494 EEB0 E090 8BA9 0509 85C2 You know those times you step away from the computer to have a life and you come back to something like this message…WTF did I miss? -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 842 bytes Desc: Message signed with OpenPGP using GPGMail URL: From rysiek at hackerspace.pl Sun Jun 29 17:01:55 2014 From: rysiek at hackerspace.pl (rysiek) Date: Mon, 30 Jun 2014 02:01:55 +0200 Subject: Tor In-Reply-To: References: <20140629180402.00007cb6@unknown> Message-ID: <6885202.SpEd5tlOii@lapuntu> Dnia poniedziałek, 30 czerwca 2014 02:25:06 Sampo Syreeni pisze: > On 2014-06-29, Juan wrote: > > The tor 'anonimity' network is a project of the US military. As such, > > it must serve the ends of the US military. > > Yes, well, fuck you. I read much of code, I run an exit node, and just > fuck you and your germ line. Oh, come on. I'm sure Juan has created a much better and much more independent project than Tor, and used by many, many more people in situations far more dangerous than what Tor even dares to touch. The very fact that we haven't heard of it shows how clandestine and well-managed it is. And I'm sure we'll all hear about this very project on this list, as soon as Juan gets the documentation in order (*obviously* the code is perfect, so no need to get that in order, duh!). While I applaud the strive for a perfect documentation before release, really Juan, "release early, release often"; we'd all be glad to help! -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. 
URL: From decoy at iki.fi Sun Jun 29 16:25:06 2014 From: decoy at iki.fi (Sampo Syreeni) Date: Mon, 30 Jun 2014 02:25:06 +0300 (EEST) Subject: Tor In-Reply-To: <20140629180402.00007cb6@unknown> References: <20140629180402.00007cb6@unknown> Message-ID: On 2014-06-29, Juan wrote: > The tor 'anonymity' network is a project of the US military. As such, > it must serve the ends of the US military. Yes, well, fuck you. I read much of code, I run an exit node, and just fuck you and your germ line. -- Sampo Syreeni, aka decoy - decoy at iki.fi, http://decoy.iki.fi/front +358-40-3255353, 025E D175 ABE5 027C 9494 EEB0 E090 8BA9 0509 85C2 From l at odewijk.nl Sun Jun 29 17:52:37 2014 From: l at odewijk.nl (Lodewijk andré de la porte) Date: Mon, 30 Jun 2014 02:52:37 +0200 Subject: Tor In-Reply-To: <6885202.SpEd5tlOii@lapuntu> References: <20140629180402.00007cb6@unknown> <6885202.SpEd5tlOii@lapuntu> Message-ID: Tor is funded by the US government, not the US military per se. The same US gov is funding research and efforts of breaking it. It's funding it to safeguard free speech and all that good stuff, and it's funding the attack to safeguard American supremacy (and maybe something about terrorism and crime). Somehow it seems as wonderfully inefficient as it seems perfectly reasonable. And if you don't think it's reasonable, doesn't that just make more sense? It's the USA! Is Tor imperfect? Yeah, probably. But it's the best tool out there atm. Is Tor intentionally imperfect? No evidence of it. Is reality a strange place to be? Definitely. Are Tor people completely untrustworthy? What's trust got to do with good code and crypto?
From grarpamp at gmail.com Mon Jun 30 00:28:11 2014 From: grarpamp at gmail.com (grarpamp) Date: Mon, 30 Jun 2014 03:28:11 -0400 Subject: Frontline: US of Secrets: Diane Roark Message-ID: http://www.pbs.org/wgbh/pages/frontline/government-elections-politics/united-states-of-secrets/the-frontline-interview-diane-roark/ https://www.youtube.com/watch?v=AMIrmt9sZyY https://en.wikipedia.org/wiki/Trailblazer_Project From tbiehn at gmail.com Mon Jun 30 06:11:53 2014 From: tbiehn at gmail.com (Travis Biehn) Date: Mon, 30 Jun 2014 09:11:53 -0400 Subject: Tor In-Reply-To: <20140630081720.GB29883@nestor.local> References: <20140629180402.00007cb6@unknown> <6885202.SpEd5tlOii@lapuntu> <20140630081720.GB29883@nestor.local> Message-ID: On Jun 30, 2014 4:28 AM, "Meredith L. Patterson" wrote: > > On Mon, Jun 30, 2014 at 02:52:37AM +0200, Lodewijk andré de la porte wrote: > > Tor is funded by the US government, not the US military per se. The same US > > gov is funding research and efforts of breaking it. > > Yup. Not only that, .gov organisations all have their own budgets and > spending authority, most of them don't talk to each other, and a lot > of them don't like each other. USG may be a hydra, but it's a hydra > whose heads are so badly tied in knots that noticeable things only > happen when one of the heads gets itself some wiggle room. > > Also, neither "government funding" or even "DoD funding" *necessarily* > imply that DoD has any say over what ships. I don't think I'm the only > Cyber Fast Track participant on this list, but > https://github.com/UpstandingHackers/hammer was funded through CFT, > and anyone is welcome to audit the source and read the commit logs; I > can tell you who all the committers are, most aren't American, and the > ones who are are me and my partner.
Our interaction with DoD (or, > well, our contract facilitator) consisted of "Here's the latest > milestone" --> "make && make check worked, here's the money for that > milestone" every few months. That's all. > > I hear some variation on the "Tor is a government op!" drum banged > every six months or so, so I guess it was time. Can we at least get > some variation this time, maybe spin some conspiracy theories about > Paul Syverson instead of falling back on that tired old canard about > Roger's internship? Or aliens? Working Area51 in would be cool. > > (Disclaimer: of course I don't think Syverson is a plant, nor do I > think Tor is a honeypot. Do not harass Paul Syverson or his family, or > the least I will do will be to throw a habanero martini in your face.) > > Cheers, > --mlp Juan, I totally agree with you - I think it's also important to note that there are some other things nefariously invented by the US military that you should investigate: Duct Tape The Internet You may find an incomplete list here: http://en.m.wikipedia.org/wiki/Military_invention Please let me know when your research on things I shouldn't use is complete. Please ensure that your arguments are half baked and sensationalist... actually I'm not worried. You've got this! In other news: It's good that you researched who originally created the technology. The motivations behind that and individuals involved are important pieces. Where the money comes from certainly is important. As well as picking up on the project's governance. This should make you wary of the Tor project - and prompt additional research. Should your technical or cultural research raise anything alarming - let someone know. This list is comprised of a good many intelligent and wary people who have carried out the same research - it has informed their use of the tool but so far not caused any wholesale abandonment. Travis
From hozer at hozed.org Mon Jun 30 09:02:53 2014 From: hozer at hozed.org (Troy Benjegerdes) Date: Mon, 30 Jun 2014 11:02:53 -0500 Subject: Search History Skeptic Message-ID: <20140630160253.GJ3180@nl.grid.coop> This is close to the tinfoil hat territory, but what if: * hack target's corporate email * hack target's facebook * observe them (via webcams, etc) * generate psychological profile * plant search results https://www.google.com/search?q=hot+car+death+search * distract target with emails from the boss and facebook posts * target leaves kid in a hot car * target goes to jail. Much cleaner than drones or assassination. But where's the 'profit' part? There's got to be profit here somewhere... What, if any, defense is there to this kind of social engineering attack? * this message copyright 2014 Troy Benjegerdes, License fee for lawyers using this message in a criminal defense case is to donate 1% of legal fees to be split between the EFF and ACLU * (yes, I am shamelessly copyrighting this shit for profit, just like all the so called 'news' outlets are) -- ---------------------------------------------------------------------------- Troy Benjegerdes 'da hozer' hozer at hozed.org 7 elements earth::water::air::fire::mind::spirit::soul grid.coop Never pick a fight with someone who buys ink by the barrel, nor try buy a hacker who makes money by the megahash From l at odewijk.nl Mon Jun 30 02:31:38 2014 From: l at odewijk.nl (Lodewijk andré de la porte) Date: Mon, 30 Jun 2014 11:31:38 +0200 Subject: cypherpunks, see what you've done! :( [was Fwd: titcoin] In-Reply-To: References: Message-ID: There's been a cannabiscoin for quite a while. I think it has actually been used a bit too. Maybe in the US some sellers insist? PornHub supporting might help and it might not. It just really isn't about technology I'm afraid.
It could be, if you would take offense to >240 blockchains each with lowered security factors. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 388 bytes Desc: not available URL: From rich at openwatch.net Mon Jun 30 12:20:09 2014 From: rich at openwatch.net (Rich Jones) Date: Mon, 30 Jun 2014 12:20:09 -0700 Subject: Search History Skeptic In-Reply-To: <20140630182414.GK3180@nl.grid.coop> References: <20140630160253.GJ3180@nl.grid.coop> <2793972.p9bSS2Tm8S@lapuntu> <20140630182414.GK3180@nl.grid.coop> Message-ID: The flip side of this is something we've been talking about doing for ages - an alibi generator service. Give it your keys and accounts, it'll generate a fake Google search for directions, create GPS coordinates of a trip to the store, purchase a sandwich, then write a review for the sandwich online, etc. etc. etc.. meanwhile, you're really hanging out at your underground cryptography book club, snoops none the wiser. R -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 516 bytes Desc: not available URL: From hozer at hozed.org Mon Jun 30 11:24:14 2014 From: hozer at hozed.org (Troy Benjegerdes) Date: Mon, 30 Jun 2014 13:24:14 -0500 Subject: Search History Skeptic In-Reply-To: <2793972.p9bSS2Tm8S@lapuntu> References: <20140630160253.GJ3180@nl.grid.coop> <2793972.p9bSS2Tm8S@lapuntu> Message-ID: <20140630182414.GK3180@nl.grid.coop> On Mon, Jun 30, 2014 at 07:12:20PM +0200, rysiek wrote: > Dnia poniedziałek, 30 czerwca 2014 11:02:53 Troy Benjegerdes pisze: > > (yes, I am shamelessly copyrighting this shit for profit, just like all > > the so called 'news' outlets are) > > That means nobody can copy the description, but the idea is perfectly > copyable; what you would need is a patent. > Dangit, now I have to find a patent lawyer who likes trolling. 
Copyright addendum: anyone with a .pl email address can do whatever the hell they like to the referenced message, including remove my copyright. But only if they have publicly posted to cypherpunks. Lawyers still might get sued. There, fixed the license for you. From grarpamp at gmail.com Mon Jun 30 13:54:33 2014 From: grarpamp at gmail.com (grarpamp) Date: Mon, 30 Jun 2014 16:54:33 -0400 Subject: Intersection of Projects [Illegal Activity As Security and Anonymity Metric] Message-ID: In a long thread starting here: https://lists.torproject.org/pipermail/tor-talk/2014-June/033406.html On Mon, Jun 30, 2014 at 3:22 PM, Morgan Smith wrote: > On 6/28/2014 10:01 AM, Mark McCarron wrote: >> Anyway, we have a simple solution to this global view and hidden services. We just implement a distributed hosting solution within the Tor system and end-to-end visibility is gone. > I'm nowhere near done sifting through this thread however Freenet may > may already provide this kind of functionality. In the spirit of > software doing one only and doing it well then perhaps it is good to be > handled by a separate project. If I recall correctly, this subthread was about people getting shuttered because their Apache etc was insecure, and that somehow creating [paid] hosting services for them within relatively general purpose nets like Tor was the solution. News: those services are still open to the same exploits, and still use the same HS mechanism that has potential whitepaper exploits too. Further, he [or whoever OP'd the subthread] did not define what they meant by "distributed' or "removing 'visibility' of one end". Stepping back from the above specific, and re: Freenet... I think someone else mentioned or hinted at layering to enhance things. Yes, interestingly you can in fact layer some systems upon general anonymous transports, especially if they offer IP transport. ie: Use Tor/I2P with onioncat, cjdns, phantom... 
layer tahoe+lafs, freenet, messaging, Bitcoin, torrent, etc on top. Gnunet, MaidSafe and others I missed probably fit somewhere too. Mash it up however you like. (Excepting where they did not coordinate their collision spaces, such as in IPv6 addressing). It tends to be complex, slow and fraught with timeouts, but some combinations work ok. At some point you must regularly sit back from your own project or usage and take time to categorize all the systems out there, what they are good and bad at, and then admit to yourself (or as a user) whether layering is valid... or more importantly, whether you should merge forces with other projects to, up to and including, scrapping old and writing new projects that provide both user utility and resistance against attacks of interest. Or is your usage the best it can be? Can you in fact create an all in one tool? Or can you create a well defined intersection amongst projects / tools such that their layered sum equals coverage against all attack classes, or the subset you're interested in or subject to. And can you create a similar intersection matrix for the services offered (web, messaging, storage) by such networks. Can you coordinate research, structure and promote projects in such a way as to cooperatively and formally provide a complete set of resistance and services? From rysiek at hackerspace.pl Mon Jun 30 10:12:20 2014 From: rysiek at hackerspace.pl (rysiek) Date: Mon, 30 Jun 2014 19:12:20 +0200 Subject: Search History Skeptic In-Reply-To: <20140630160253.GJ3180@nl.grid.coop> References: <20140630160253.GJ3180@nl.grid.coop> Message-ID: <2793972.p9bSS2Tm8S@lapuntu> Dnia poniedziałek, 30 czerwca 2014 11:02:53 Troy Benjegerdes pisze: > (yes, I am shamelessly copyrighting this shit for profit, just like all > the so called 'news' outlets are) That means nobody can copy the description, but the idea is perfectly copyable; what you would need is a patent. 
-- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From s at ctrlc.hu Mon Jun 30 10:53:48 2014 From: s at ctrlc.hu (stef) Date: Mon, 30 Jun 2014 19:53:48 +0200 Subject: Reversing Stealthy Dopant-Level Circuits Message-ID: <20140630175348.GR6697@ctrlc.hu> http://eprint.iacr.org/2014/508 > Abstract: A successful detection of the stealthy dopant-level circuit > (trojan), proposed by Becker et al. at CHES 2013, is reported. Contrary to > an assumption made by Becker et al., dopant types in active region are > visible with either scanning electron microscopy (SEM) or focused ion beam > (FIB) imaging. The successful measurement is explained by an LSI failure > analysis technique called the passive voltage contrast. The experiments are > conducted by measuring a dedicated chip. The chip uses the diffusion > programmable device: an anti-reverse-engineering technique by the same > principle as the stealthy dopant-level trojan. The chip is delayered down > to the contact layer, and images are taken with (1) an optical microscope, > (2) SEM, and (3) FIB. As a result, the four possible dopant-well > combinations, namely (i) p+/n-well, (ii) p+/p-well, (iii) n+/n-well and > (iv) n+/p-well are distinguishable in the SEM images. Partial but > sufficient detection is also achieved with FIB. Although the stealthy > dopant-level circuits are visible, however, they potentially make a > detection harder. That is because the contact layer should be measured. 
We > show that imaging the contact layer is at most 16-times expensive than that > of a metal layer in terms of the number of images -- otr fp: https://www.ctrlc.hu/~stef/otr.txt From rysiek at hackerspace.pl Mon Jun 30 11:35:33 2014 From: rysiek at hackerspace.pl (rysiek) Date: Mon, 30 Jun 2014 20:35:33 +0200 Subject: Search History Skeptic In-Reply-To: <20140630182414.GK3180@nl.grid.coop> References: <20140630160253.GJ3180@nl.grid.coop> <2793972.p9bSS2Tm8S@lapuntu> <20140630182414.GK3180@nl.grid.coop> Message-ID: <1740238.n7KcsOX64u@lapuntu> Dnia poniedziałek, 30 czerwca 2014 13:24:14 Troy Benjegerdes pisze: > On Mon, Jun 30, 2014 at 07:12:20PM +0200, rysiek wrote: > > Dnia poniedziałek, 30 czerwca 2014 11:02:53 Troy Benjegerdes pisze: > > > (yes, I am shamelessly copyrighting this shit for profit, just like all > > > the so called 'news' outlets are) > > > > That means nobody can copy the description, but the idea is perfectly > > copyable; what you would need is a patent. > > Dangit, now I have to find a patent lawyer who likes trolling. > > Copyright addendum: anyone with a .pl email address can do whatever the > hell they like to the referenced message, including remove my copyright. > But only if they have publicly posted to cypherpunks. > > Lawyers still might get sued. > > There, fixed the license for you. Much obliged. :) Now, that seems like something that would allow me to actually sublicense that work to anybody. So, here goes! Following message is based on a mail authored by Troy Benjegerdes, and is hereby licensed under CC By 3.0 unported. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - This is close to the tinfoil hat territory, but what if... 
- hack target's corporate email - hack target's social network - observe them (via webcams, etc) - generate psychological profile - plant search results https://www.google.com/search?q=hot+car+death+search - distract target with emails from the boss and social network posts - target leaves child in a hot car - target goes to jail. Much cleaner than drones or assassination. But where's the 'profit' part? There's got to be profit here somewhere... What, if any, defence is there to this kind of social-engineering attack? - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From juan.g71 at gmail.com Mon Jun 30 18:43:40 2014 From: juan.g71 at gmail.com (Juan) Date: Mon, 30 Jun 2014 22:43:40 -0300 Subject: Tor In-Reply-To: <4502977.PQn2iEyROi@lapuntu> References: <20140629180402.00007cb6@unknown> <6885202.SpEd5tlOii@lapuntu> <20140520201315.00000c4d@unknown> <4502977.PQn2iEyROi@lapuntu> Message-ID: <20140630224340.00006b93@unknown> On Tue, 01 Jul 2014 01:53:29 +0200 rysiek wrote: > > > ¨rysek¨ ¨Oh, come on. I'm sure Juan has created a much > > better and much more independent project than Tor,¨ > > It's "rysiek". Oh I am so sorry my lord. > > > What I´ve done or have not done has nothing to do with the > > facts I mentioned and the soundness of my analysis. > > How do we know you're not funded by the NSA to sow dissent in the > community, What community? The community of tax funded parasites who pretend to be freedom fighters? =) Notice a) the NSA has no interest in attacking those. They are their own people after all =) b) you are an enlightened __________ (fill in the blank) who doesnt believe in conspiracy theories. Or you just dont believe in them when it suits you? 
> smearing good projects and burning precious time of people
> involved in them? Not that it happens, right? Right?

Oh my god. It is a conspiracy against tor!!!

> http://yro.slashdot.org/story/14/02/25/0359246/nsa-and-ghcq-employing-shills-to-poison-web-forum-discourse
>
> > And yes. I, personally, am much more independent
> > than people on the payroll of the US government, go figure.
>
> Nobody gives a fuck, go figure. :)

Yeah I get that you are ¨nobody¨ =)

From eric at konklone.com Mon Jun 30 20:27:29 2014
From: eric at konklone.com (Eric Mill)
Date: Mon, 30 Jun 2014 23:27:29 -0400
Subject: NSA drone flight
In-Reply-To: <53AF1DBD.7050906@eff.org>
References: <53AF1DBD.7050906@eff.org>
Message-ID:

On Sat, Jun 28, 2014 at 3:55 PM, Parker Higgins wrote:
> Minor correction to the subject line: this vehicle was not unmanned. I
> was one of two people in it.
>
> Thanks,
> Parker
>

Rejected for top-posting

>
> On 6/28/14 1:32 AM, grarpamp wrote:
> >
> > http://www.wired.com/2014/06/protestors-launch-a-135-foot-blimp-over-the-nsas-utah-data-center/
> >
>
> --
> Parker Higgins
> Activist
> Electronic Frontier Foundation
> https://eff.org
>
> 815 Eddy Street
> San Francisco, CA 94109-7701
>

--
konklone.com | @konklone

From rysiek at hackerspace.pl Mon Jun 30 16:53:29 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Tue, 01 Jul 2014 01:53:29 +0200
Subject: Tor
In-Reply-To: <20140520201315.00000c4d@unknown>
References: <20140629180402.00007cb6@unknown> <6885202.SpEd5tlOii@lapuntu> <20140520201315.00000c4d@unknown>
Message-ID: <4502977.PQn2iEyROi@lapuntu>

On Tuesday, 20 May 2014 20:13:15 Juan wrote:
> Ok : first the conclusion. The % of braindead tor zealots in
> this list is higher than in tortalk. Yes, that makes it clear
> what kind of joke this ´cypherpunk´ mailing list is.
>
> Except mostly for posts from John Young, the content, and
> politics here are worse than what you'd expect from joe sixpack.

Yeah, I agree. This list is waaay too low for you. I mean, you can do so much
better. I appreciate the pearls that you throw in front of us piglets here,
but honestly, we're simply not able to comprehend (even less truly recognise
the value of) them.

Not really worth your time.

> ¨rysek¨ ¨Oh, come on. I'm sure Juan has created a much better
> and much more independent project than Tor,¨

It's "rysiek".

> What I´ve done or have not done has nothing to do with the facts
> I mentioned and the soundness of my analysis.

How do we know you're not funded by the NSA to sow dissent in the community,
smearing good projects and burning precious time of people involved in them?
Not that it happens, right? Right?
http://yro.slashdot.org/story/14/02/25/0359246/nsa-and-ghcq-employing-shills-to-poison-web-forum-discourse

> And yes. I, personally, am much more independent
> than people on the payroll of the US government, go figure.

Nobody gives a fuck, go figure. :)

--
Regards
rysiek