From s at ctrlc.hu Mon Mar 3 02:57:36 2014 From: s at ctrlc.hu (stef) Date: Mon, 3 Mar 2014 11:57:36 +0100 Subject: STRINT In-Reply-To: <4B654B63C9A4614EA1F088B2490E8F3A0226F877@UCEXBWP009.ep.parl.union.eu> References: <4B654B63C9A4614EA1F088B2490E8F3A0226F877@UCEXBWP009.ep.parl.union.eu> Message-ID: <20140303105736.GM10691@ctrlc.hu> are you as concerned as me regarding the relevance and the utility of some of these papers? it strengthens my opinion that w3 does not seem like a competent place for handling this kind of stuff. some good intentions sprinkled with lots of "libtech plausible deniable Naïveté" and some rare gems hidden in between. source: https://www.w3.org/2014/strint/report.html i started to comment on some of the topics, would be interested in more insights into the others. > 1: Privacy Protected Email > Phillip Hallam-Baker > https://www.w3.org/2014/strint/papers/01.pdf > Abstract: > This proposal is two things: First it shows that with some small adjustments to S/MIME and PGP we can merge two competing end-to-end security proposals that are too hard for people to use into one scheme that provides a useful degree of security with no thought from the user. In cases where the user has security concerns they can easily determine that they are met. The second part of the proposal is that it the Trust set deployed to secure email encryption can be leveraged to solve pretty much every other end-to-end security requirement. If people generate keys for their email we can secure chat, video, 2-facto authentication as well. yaatse (yet another attempt to save email)? this should've been the last paper, if the goal of the conf was to seem competent in this topic... > ============================== > 2: Opportunistic Encryption for MPLS > Stephen Farrell, Adrian Farrrelll > https://www.w3.org/2014/strint/papers/02.pdf > Abstract: > This is an early proposal for a way to do open-channel D-H key agreement and encryption in MPLS. Two things are maybe interesting: a) its an example of trying to add confidentiality to an existing protocol with making PM harder as a specific goal and b) maybe it shows that there could be a benefit in a generic protocol for after-the-fact MITM detection for such cases. It'd probaby be most interesting to discuss (a) as one example of something we want to do more generally and not the specifics of MPLS at the workshop; and I'd be interested in whether or not (b) is tractable (I'm not sure). hmmm, mpls is a very simple thing. and totally irrelevant if people deploy already end-to-end crypto. what is this good for? tagging anonymous streams? i guess i have to read the paper... > ============================== > 3: Overcoming the Friend-or-Foe Paradigm in Secure Communication > Sebastian Gajek, Jan Seedorf, Marc Fischlin, Oezguer Dagdalen > https://www.w3.org/2014/strint/papers/03.pdf > Abstract: > --> Essentially, our point is that with the existing end-to-end client-server security paradigm, e.g. as instantiated in TLS, the "good guys" often actually have to mount attacks in order for middleboxes (which are on the path between client ans server being able) to perform their job. The good guys are thus technically indistinguishable from the bad guys. > --> Concretely, we are proposing to extend TLS in a way that would allow authorized modification of certain, dedicated parts of the TLS payload by middleboxes, while still allowing for integrity verification by clients. The crypto for such "Interferable Secure Communication" exists and we think it is feasible to extend TLS in this way in a reasonable timeframe. i believe they are trying to sell us MITM as something that is also done by the "good guys"? wtf? > ============================== > 4: Flows and Pervasive Monitoring > Ted Hardie > https://www.w3.org/2014/strint/papers/04.pdf > Abstract: This document describes methods that may hinder a pervasive monitor's efforts to derive metadata from flows. There are three main methods discussed in the paper: aggregation, contraflow, and multipath. These are largely side-effects of other efforts at this time, but the paper discusses how they might fit into the design space of efforts intended to combat pervasive monitoring and the related consequences for network operations. > ============================== > 5: BetterCrypto.org Applied Crypto Hardening > Aaron Zauner, L. Aaron Kaplan > https://www.w3.org/2014/strint/papers/05.pdf > Abstract: > BetterCrypto is a community-driven project where admins, engineers, cryptographers, security researchers alike participate in finding well researched best-practices for commonly deployed networked applications and infrastructure. We try to outline a proper interim solution until better protocols and standards are widely deployed. Our hope is that we can contribute to a safer internet for all and better understanding of cryptographic primitives for the operations community that needs to deploy sound security on the public internet. Our focus group: sysadmins / ops. > ============================== > 6: A Complimentary Analysis (The Danger Of The New Internet Choke Points) > Andrei Robachevsky, Christine Runnegar, Karen O'Donoghue, Mat Ford > https://www.w3.org/2014/strint/papers/06.pdf > Abstract: > The ongoing disclosures of pervasive surveillance of Internet users’ communications and data by national signals intelligence agencies have prompted protocol designers, software and hardware vendors, as well as Internet service and content providers, to re-evaluate prevailing security and privacy threat models and to refocus on providing more effective security and confidentiality. At IETF88, there was consensus to address pervasive monitoring as an attack and to consider the pervasive attack threat model when designing a protocol. > In this paper, we offer a complimentary analysis. We identify some of the components of the Internet architecture that provide attractive opportunities for wholesale monitoring and/or interception, and, therefore, represent architectural vulnerabilities, or choke points. We also suggest possible mitigation strategies and pose some of the questions that need to be considered if the Internet is to evolve to reduce such vulnerabilities. Finally, we identify some significant areas of tension or trade-offs, and we consider possible areas for additional efforts. > Also: http://www.internetsociety.org/blog/tech-matters/2014/02/danger-new-internet-choke-points and > http://www.circleid.com/posts/20140218_mind_the_step_function_are_we_really_less_secure_than_a_year_ago/ > ============================== > 7: Trust Issues with Opportunistic Encryption > Scott Rose, Stephen Nightingale, Doug Montgomery > https://www.w3.org/2014/strint/papers/07.pdf > Abstract: > The lack of authentication in opportunistic encryption could have the perverse affect of putting more end users at risk: thinking that they are "secure", an end user may divulge private information to an imposter instead of the service they believe they have contacted. When adding protection mechanisms to protocols, designers and implementers should not downplay the importance of authentication in order to make opportunistic encryption easier to deploy. We advocate that while opportunistic encryption can solve one set of problems, authentication is often desired by end users. > ============================== > 8: Challenges with End-to-End Email Encryption > Jiangshan Yu, Vincent Cheval, Mark Ryan > https://www.w3.org/2014/strint/papers/08.pdf > Abstract: > In this paper we show how the use of an extended certificate transparency can build a secure end-to-end email or messaging system using PKI without requiring trusted parties nor complex p2p key-signing arrangements such as PGP. This makes end-to-end encrypted mail possible, and users do not need to understand or concern themselves with keys or certificates. In addition, we briefly present some related concerns i.e. metadata protection, key loss mitigation, spam detection, and the security of webmail. > ============================== > 9: Strengthening the path and strengthening the end-points > Xavier Marjou, Emile Stephan, Jean-Michel Combes, Iuniana Oprescu > https://www.w3.org/2014/strint/papers/09.pdf > Abstract: > Internet data is more and more subject to pervasive monitoring. This paper investigates ways of enhancing this situation depending on where such pervasive monitoring may occur. There are two different locations to secure: the endpoints and the path between these endpoints. In the present document, we also emphasize the fact that encryption, although bringing additional data confidentiality, might in some cases contradict security’s two other pillars, which are availability and integrity. > ============================== > 10: SIP is Difficult > Jon Peterson > https://www.w3.org/2014/strint/papers/10.pdf > Abstract: > While SIP is widely used as a protocol for real-time communications, it is very difficult to secure from pervasive monitoring. In fact, one could argue that SIP’s susceptibility to mass surveillance was essential to its success in the marketplace. This paper shows why SIP’s design left the door open for eavesdropping, and what lessons RTCWeb could learn from this. > ============================== > 11: Thoughts of Strengthening Network Devices in the Face of Pervasive Surveillance > Dacheng Zhang, Fuyou Miao > https://www.w3.org/2014/strint/papers/11.pdf > Abstract: > The material released by Edward Snowden has raised serious concerns about pervasive surveillance. People worry that their privacy is not properly protected when they are using the Internet. Network product vendors also encounter the doubts on the security of their products (e.g., routers, switches, firewalls). Such doubts are seriously damaging the Internet ecosystem. In this paper we try to analyze the affects brought by the Snowden scandal on our ability to trust products at the core of the Internet and discuss what the standard organization can do to help vendors address these security concerns. > ============================== > 12: Opportunistic Encryption for HTTP URIs > Mark Nottingham > https://www.w3.org/2014/strint/papers/12.pdf > Abstract: > This is a proposed method for using TLS with http:// URIs under discussion in the HTTPbis WG, in particular for HTTP/2 but also applicable to HTTP/1. One of the biggest decisions to make is whether or not to require the certs to validate in this scenario. > ============================== > 13: Cyberdefense­Oriented Multilayer Threat Analysis > Yuji Sekiya, Daisuke Miyamoto, Hajime Tazaki > https://www.w3.org/2014/strint/papers/13.pdf > ============================== > 14: A Threat Model for Pervasive Passive Surveillance > Brian Trammell, Daniel Borkmann, Christian Huitema > https://www.w3.org/2014/strint/papers/14.pdf > Abstract: > This document elaborates a threat model for pervasive surveillance, assuming an adversary with an interest in indiscriminate eavesdropping that can passively observe network traffic at every layer at every point in the network between the endpoints. We provide guidelines on evaluating the observability and inferability of information and metainformation radiated from Internet protocols. The central message to protocol designers: pervasive encryption for confidentiality, protocol and implementation design for simplicity and auditability, flexibility to allow fingerprinting resistance, and moving away from static identifiers can increase protocol-level resistance to pervasive surveillance. > ============================== > 15: Why Provable Transparency is Useful Against Surveillance > Ben Laurie > https://www.w3.org/2014/strint/papers/15.pdf > ============================== > 16: Withheld > ============================== > 17: Monitoring message size to break privacy - Current issues and proposed solutions > Alfredo Pironti > https://www.w3.org/2014/strint/papers/17.pdf > Abstract: > One of the Internet traffic features that can be easily > collected by passive pervasive monitoring is the size of the exchanged > messages, or the total bandwidth used by a conversation. Several works have > showed that careful analysis of this data can break users' expected privacy, > even for encrypted traffic. Despite this, little has been done in practice to > hide message sizes, perhaps because deemed too inefficient or not a realistic > threat. > In this short paper, we contextualize message size analysis in the wider > pervasive monitoring scenario, which encompasses other powerful analysis > techniques, and we re-state the severity of the privacy breach that message > size analysis constitutes. We finally discuss proposals to fix this issue, > considering practical aspects such as required developer awareness, ease of > deployment, efficiency, and interaction with other countermeasures. > ============================== > 18: Withheld > ============================== > 19: Making The Internet Secure By Default > Michael H. Behringer, Max Pritkin, Steinthor Bjarnason > https://www.w3.org/2014/strint/papers/19.pdf > Abstract: > Pervasive monitoring on the Internet is enabled by the lack of general, fundamental security. In his presentation at the 88th IETF Bruce Schneier called for ubiquitous use of security technologies to make pervasive monitoring too expensive and thus impractical. However, today security is too operationally expensive, and thus only used where strictly required. In this position paper we argue that all network transactions can be secure by default, with minimal or no operator involvement. This requires an autonomic approach where all devices in a domain enrol automatically in a trust domain. Once they share a common trust anchor they can secure communications between themselves, following a domain policy which is by default secure. The focus of this proposal is the network itself, with all protocols between network elements, including control plane protocols (e.g., routing protocols) and management plane protocols (e.g., SSH, netconf, etc). The proposal is evolutionary and allows a smooth migration from today’s Internet technology, device by device. > ============================== > 20: Increasing HTTP Transport Confidentiality with TLS Based Alternate Services > Patrick McManus > https://www.w3.org/2014/strint/papers/20.pdf > ============================== > 21: Balance - Societal security versus individual liberty > Scott Cadzow > https://www.w3.org/2014/strint/papers/21.pdf > ============================== > 22: Strengthening the Extensible Messaging and Presence Protocol (XMPP) > Peter Saint-Andre > https://www.w3.org/2014/strint/papers/22.pdf > Abstract: > This document describes existing and potential future efforts at strengthening the Extensible Messaging and Presence Protocol (XMPP), for discussion at the W3C/IAB workshop on Strengthening the Internet Against Pervasive Monitoring (STRINT). > ============================== > 23: The Internet We Want or the Internet We Deserve? > David Rogers > https://www.w3.org/2014/strint/papers/23.pdf > ============================== > 24: Beyond Encrypt Everything: Passive Monitoring > Mark Donnelly, Sam Hartman > https://www.w3.org/2014/strint/papers/24.pdf > ============================== > 25: Examining Proxies to Mitigate Pervasive Surveillance > Eliot Lear, Barbara Fraser > https://www.w3.org/2014/strint/papers/25.pdf > Abstract: > The notion of pervasive surveillance assumes that it is possible for an attacker to have access to all links and devices between end points, as well as end points themselves. We examine this threat is some detail with an eye toward whether trusted intermediaries can provide relief from the attack. We go on to examine the costs associated with the various remediation methods. In at least one case, we challenge the notion that one should encrypt absolutely everything in all cases, as was implied in at least one threat analysis. Finally we summarize in a set of four principles that should be considered in future work. > ============================== > 26: Spontaneous Wireless Networking to Counter Pervasive Monitoring > Emmanuel Baccelli, Oliver Hahm, Matthias Wählisch > https://www.w3.org/2014/strint/papers/26.pdf > Abstract: > Several approaches can be employed to counter pervasive monitoring at large scale on the Internet. One category of approaches aims to harden the current Internet architecture and to increase the security of high profile targets (data centers, exchange points etc.). Another category of approaches aims instead for target dispersal, i.e. disabling systematic mass surveillance via the elimination of existing vantage points, thus forcing surveillance efforts to be more specific and personalized. This paper argues how networking approaches that do not rely on central entities -- but rather on spontaneous interaction, as locally as possible, between autonomous peer entities -- can help realize target dispersal and thus counter pervasive monitoring. > ============================== > 27: Is Opportunistic Encryption the Answer? Practical Benefits and Disadvantages > John Mattsson > https://www.w3.org/2014/strint/papers/27.pdf > Abstract: > In this paper, we give an overview of various opportunistic and unauthenticated encryption techniques, and discuss their benefits, limits, and disadvantages. We recommend the Internet community to clearly define the term “opportunistic encryption” or to use other terms. > We conclude that while opportunistic and unauthenticated encryption certainly has its uses and may with the right choices provide good enough security for a low cost, general deployment of unauthenticated encryption is not an effective way to thwart pervasive monitoring. > ============================== > 28: Clearing off the Cloud over the Internet of Things > Carsten Bormann, Stefanie Gerdes, Olaf Bergmann > https://www.w3.org/2014/strint/papers/28.pdf > Abstract: > As was foreshadowed by product introductions in 2013, the Consumer > Electronics Show 2014 has seen the introduction of a large number of > "Internet of Things" (IoT) innovations. > Almost all of these have in common that they are meant to operate via > Cloud-based services. > In the light of the recent attention to threats by state-level > tenacious attackers with significant infrastructure (STASI), in > particular to their practice of pervasive monitoring, we discuss the > implications of a cloud-centric IoT landscape, and attempt to outline > a set of principles as a program to improve the long-term outlook. > ============================== > 29: The ARPA2.net project; Integrating and bundling hardened services for normal users > Michiel Leenars, Rick van Rein > https://www.w3.org/2014/strint/papers/29.pdf > ============================== > 30: The Trust-to-Trust Model of Cloud Services > Alissa Cooper, Cullen Jennings > https://www.w3.org/2014/strint/papers/30.pdf > ============================== > 31: Linkability Considered Harmful > Leif Johansson > https://www.w3.org/2014/strint/papers/31.pdf > Abstract: > Current debate on pervasive monitoring often focus on passive attacks on the protocol and transport layers but even if these issues were eliminated through the judicious use of encryption, roughly the same information would still be available to an attacker who is able to (legally or otherwize) obtain access to linked data sets which are being maintained by large content and service providers. > ============================== > 32: Simple Opportunistic Encryption > Andrea Bittau, Michael Hamburg, Mark Handley, David Mazières, Dan Boneh > https://www.w3.org/2014/strint/papers/32.pdf > Abstract: > Network traffic encryption is becoming a requirement, not an option. Enabling > encryption will be a communal effort so a solution that gives partial benefits > until fully deployed is needed. A solution that requires little changes to > existing infrastructure will also help as it can be quickly deployed to give > immediate short-term benefits. We argue that tcpcrypt, a TCP option for > opportunistic encryption is the path of least-resistance for a solution against > large-scale traffic encryption. Tcpcrypt requires no changes to applications, > is compatible with existing networks (works with NATs), and just works by > default. It is high performance, so it can be deployed on servers without much > concern. tcpcrypt attempts to maximize security for any given setting. By > default, it will protect against passive eavesdropping, and also allows > detecting large scale interception. With authentication, tcpcrypt can provide > full security against active attackers and so it is a complete solution both for > the short-term and long-term. > ============================== > 33: An Architecture for a Secure Cloud Collaboration System > Cullen Jennings, Suhas Nandakumar > https://www.w3.org/2014/strint/papers/33.pdf > Abstract: > The Internet technical community is looking at ways to address > pervasive attacks as described in several other internet drafts. > [I-D.barnes-pervasive-problem] describes threat model to characterize > various pervasive attacks on the Internet communications. There are > many systems that need to be secured against such attacks but this > paper considers one possible way to secure cloud based collaborations > systems. At a high level, this paper sugests that users or > enterprises could run a key server that manages the keys to access > their content. The cloud service provider would not have access to > decrypt the data stored in the cloud but various users of the cloud > service could get the keys to encrypt and decrypt the contents of > collaboration sessions facilitated by the cloud service. This does > not protect the meta data of who is talking to who but can help > protect the content of the conversations. > ============================== > 34: Security and Simplicity > Steven Bellovin > https://www.w3.org/2014/strint/papers/34.pdf > ============================== > 35: Privacy at the Link Layer > Piers O’Hanlon, Joss Wright, Ian Brown > https://www.w3.org/2014/strint/papers/35.pdf > Abstract: > This paper gives an overview of the privacy issues around the use of link layer identifiers and associated protocols. Whilst the IETF generally specifies IP level protocols it does also address the link layer in protocols such as address resolution, network attachment detection, tunnelling and router redundancy. > The indiscriminate broadcast of a device's MAC address, a unique and effectively personal identifier, allows for unregulated and broad-scale tracking of individuals via their personal devices, whether or not those devices have made use of a particular service or not. These addresses typically remain unchanged for the lifetime of a device, creating a persistent, lifelong tracking capability. The collation of such addresses, primarily WiFi and Bluetooth, has been been gathering pace and is already in use by organisations such as security agencies and advertisers. > Ephemeral addresses are used further up the stack so why not at the link layer? As default devices should use a randomised MAC address and any higher level associations can be maintained as and when approved by the user. > Moreover various other 'performance enhancing' approaches further degrade the privacy of individuals such as proactive discovery of WLAN SSIDs, Detection of Network Attachment (DNA), Wireless ISP roaming (WISPr), name lookups and so on. > All these mechanisms need to be re-examined in the light of pervasive monitoring. > ============================== > 36: Erosion of the moral authority of middleboxes > Joe Hildebrand > https://www.w3.org/2014/strint/papers/36.pdf > Abstract: > Many middleboxes on the Internet attempt to add value to the connections that traverse that point on the network. Problems in their implementations erode the moral authority that otherwise might accrue to the legitimate value that they add. > ============================== > 37: Policy Responses, Implications and Opportunities > Joseph Lorenzo Hall & Runa Sandvik > https://www.w3.org/2014/strint/papers/37.pdf > Abstract: > We raise issues for discussion that lie in the interface between policy and technology. Specifically, we discuss 1) routing, processing and data localization policy mandates (i.e., new laws that may affect how data flows through the 'net; 2) the uncertain possibility of dilution of credibility of IETF and w3c given what we've seen with NIST after NSA-coziness allegations; 3) the claim that strenghtening the internet and web will "help the bad guys" and the dubious need for "lawful intercept" funcationality; and 3) abusive content, cryptography as a controlled export technology, and the need to standardize more anonymity primitives (onion routing, pluggable transport protocols). We also highlight our own work in ensuring that technologists have a voice in policy environments and discuss a few interventions we coordinated over the past year, focusing on software backdoors and NSA surviellance. > ============================== > 38: Is it time to bring back the hosts file? > Peter Eckersley > https://www.w3.org/2014/strint/papers/38.pdf > ============================== > 39: Metaphors matter; application-layer; distribute more > Larry Masinter > https://www.w3.org/2014/strint/papers/39.pdf > Abstract: > 1. Dont say Attack: IETF should stay away from political theatre: changing protocols or workflows not because the change works but just to say you did something. Metaphors matter. > 2. For most relevant threats, traffic analysis is enough, and encyption doesnt mitigate. > 3. The only deployable protection -- if that is what is wanted -- means shifting architecture from client-server to mesh. > ============================== > 40: Levels of Opportunistic Privacy Protection for Messaging-Oriented Architectures > Dave Crocker, Pete Resnick > https://www.w3.org/2014/strint/papers/40.pdf > Abstract: > Messaging protection against pervasive monitoring (PM) needs to cover > primary payload, descriptive meta-data, and traffic-related analysis. > Complete protection against PM, for traffic through complex handling > sequences, has not yet been achieved reliably in real-world operation. > Consequently, this document considers a range of end-to-end, > object-based mechanisms, distinct from channel-based mechanisms. Each > approach offers incremental protection levels that can be provided with > existing, or low-risk, component technologies, such as through the DNS > and MIME conventions. > ============================== > 41: Fingerprinting Guidance for Web Specification Authors > Nick Doty > https://www.w3.org/2014/strint/papers/41.pdf > http://w3c.github.io/fingerprinting-guidance/ > Abstract: > Exposure of settings and characteristics of browsers can impact user privacy by allowing for browser fingerprinting. This document defines different types of fingerprinting, considers distinct levels of mitigation for the related privacy risks and provides guidance for Web specification authors on how to balance these concerns when designing new Web features. > ============================== > 42: Eradicating Bearer Tokens for Session Management > Philippe De Ryck, Lieven Desmet, Frank Piessens, Wouter Joosen > https://www.w3.org/2014/strint/papers/42.pdf > Abstract: > Session management is a crucial component inevery modern web application. It links multiple requests and temporary stateful information together, enabling a rich and interactive user experience. The de facto cookie-based session management mechanism is however flawed by design, enabling the theft of the session cookie through simple eavesdropping or script injection attacks. Possession of the session cookie gives an adversary full control the user’s sover ession, allowing him to impersonate the user to the target application and perform transactions in the user’s name. While several alternatives for secure session management exist, they fail to be adopted due to the introduction of additional roundtrips and overhead, as well as incompatibility with current Web technologies, such as third-party authentication providers, or widely deployed middleboxes, such as web caches. > We identify four key objectives for a secure session management mechanism, aiming to be compatible with the current and future Web. We propose SecSess, a lightweight session management mechanism based on a shared secret between client and server, used to authenticate each request. SecSess ensures that a session remains under control of the parties that established it, and only introduces limited overhead. During session establishment, SecSess introduces no additional roundtrips and only adds 4.3 milliseconds to client-side and server-side processing. Once a session is established, the overhead becomes negligible (<0.1ms), and the average size of the request headers is even smaller than with common session cookies. Additionally, SecSess works well with currently deployed systems, such as web caches and third-party services. SecSess also supports a gradual migration path, while remaining compatible with currently existing applications. > ============================== > 43: STREWS Web-platform security guide: security assessment of the Web ecosystem > Martin Johns, Lieven Desmet > https://www.w3.org/2014/strint/papers/43.pdf > Abstract: > In this document, we report on the Web-platform security guide, which has been developed within the EC-FP7 project STREWS. Based on their research, the STREWS consortium argues that in order to strengthening the Internet (e.g. against pervasive monitoring), it is crucial to also strengthen the web application ecosystem, the de-facto Internet application platform. > ============================== > 44: Pervasive Attack: A Threat Model and Problem Statement > Richard Barnes, Bruce Schneier, Cullen Jennings, Ted Hardie > https://www.w3.org/2014/strint/papers/44.pdf > Abstract: > Documents published in 2013 have revealed several classes of "pervasive" attack on Internet communications. In this document, we review the main attacks that have been published, and develop a threat model that describes these pervasive attacks. Based on this threat model, we discuss the techniques that can be employed in Internet protocol design to increase the protocols robustness to pervasive attacks. > ============================== > 45: Cryptech - Building a More Assured HSM with a More Assured Tool-Chain > Randy Bush > https://www.w3.org/2014/strint/papers/45.pdf > ============================== > 46: Replacing passwords on the Internet AKA post-Snowden Opportunistic Encryption > Ben Laurie, Ian Goldberg > https://www.w3.org/2014/strint/papers/46.pdf > ============================== > 47: End-User Concerns about Pervasive Internet Monitoring: Principles and Practice > Tara Whalen, Stuart Cheshire, David Singer > https://www.w3.org/2014/strint/papers/47.pdf > Abstract: > This position paper will discuss pervasive monitoring on the Internet from the perspective of end users: what are overarching concerns around pervasive monitoring, and what are some steps that could be taken to address those concerns? We begin by exploring a preliminary set of characteristics of systemic surveillance, which can be used to pinpoint dominant concerns of end users that should be addressed through technical means. We then illustrate one specific significant problem facing end users, namely that of certificate errors, which can be exploited to facilitate pervasive surveillance. We suggest that users should not be required to determine whether a certificate error is valid, but instead to block access to websites that generate such errors. We believe this approach would be more effective in protecting end users in an environment of persistent network threats. > ============================== > 48: Developer-Resistant Cryptography > Kelsey Cairns, Graham Steel > https://www.w3.org/2014/strint/papers/48.pdf > Abstract: > "Properly implemented strong crypto systems are one of the few things > that you can rely on" - Edward Snowden. So why is mass surveillance so successful? One (big) problem is endpoint security. Another is that strong crypto systems are sufficiently difficult to implement that often either mistakes are made resulting in catastrophic loss of security, or cryptography is not used at all. What can we do to make cryptography easier to use and more resistant to developer errors? > ============================== > 49: Improving the reliability of key ownership assertions > Kai Engert > https://www.w3.org/2014/strint/papers/49.pdf > Abstract: > A majority of today's secure Internet connections rely on Certificate Authorities not being abused for issueing false certificates (key ownership assertions), which might get abused for interception purposes, despite the risk of detection. I suggest to enhance Internet protocols with protective mechanisms to detect false key ownership assertions. > Ideas: (1) Using a network of proxy services, for example as implemented by the The Onion Router (Tor), consistency checking chould be performed by individual clients, in order to detect assertions that are likely false, prior to allowing a connection (see Detector.io). (2) Extend the idea that notary services provide a second opinion about the correctness of key ownership assertions, by requiring CAs to run such services (kuix.de/mecai). (3) Implement protocol extensions, where client software reports previously seen key ownership assertions to the operators of services, allowing the discovery of false ownership assertions. > ============================== > 50: Mike O'Neill's Position Paper > Mike O'Neill > https://www.w3.org/2014/strint/papers/50.pdf > ============================== > 51: Detecting MITM Attacks on Ephemeral Diffie-Hellman without Relying on a PKI in Real-Time Communications > Alan Johnston > https://www.w3.org/2014/strint/papers/51.pdf > Abstract: > With the recent revelations about pervasive surveillance on the Internet, there is renewed interest in techniques that protect against passive eavesdropping without relying on a Public Key Infrastructure (PKI). An ephemeral Diffie-Hellman (DH) key agreement can provide such protection, but (without authentication) the exchange is vulnerable to a Man in the Middle (MitM) attack. An example of a protocol that has MitM protection for a DH key agreement is ZRTP, RFC 6189, “ZRTP: Media Path Key Agreement for Unicast Secure RTP.” ZRTP provides pervasive surveillance resistant security for Voice over IP (VoIP), video communication, and other real-time communication services. This paper describes the techniques used by ZRTP to detect MitM attacks, and explores whether these techniques could be used to develop a general MitM detection protocol to be used by other non-real-time communication protocols. An example of how ZRTP can provide MitM detection for another protocol, DTLS-SRTP, Datagram Transport Layer Security – Secure Real-time Transport Protocol, is given. > ============================== > 52: Trust & Usability on the Web, a Social/Legal perspective > Rigo Wenning, Bert Bos > https://www.w3.org/2014/strint/papers/52.pdf > Abstract: > (1) The browsers' UIs for security are very technical and seem to > avoid saying anything useful, maybe so that the browsers and CAs cannot be > held responsible. (2) A user wanting to configure security has difficulty > finding the UI and then often discovers that settings are hard-coded or > unclear. (3) The security model is based on trusting a few commercial > entities and mistrusting the user, who ends up without control over his > software if one of those entities is compromised or doesn't share his goals. > Conclusion: We need better UIs, which in turn requires a PKI that has the > metadata and social aspects that help users understand and explore the keys > and the organizations behind them. > ============================== > 53: Hardening Operations and Management Against Passive Eavesdropping > Bernard Aboba > https://www.w3.org/2014/strint/papers/53.pdf > Abstract: > Today within service providers protocols used for operations and management frequently send data in the clear, enabling the data to be collected by passive eavesdroppers. Examples of operations and management protocols include Authentication, Authorization and Accounting (AAA), syslog and Simple Networking Monitoring Protocol (SNMP). Since the publication of "Operational Security Current Practices in Internet Service Provider Environments" [RFC4778], the IETF has developed specifications that enable per-packet confidentiality to be applied to operations and management protocols. By developing updated operational guidance recommending deployment of per-packet confidentiality based on recent IETF Request for Comments (RFCs) and work-in-progress, the IETF can assist in bringing customer and regulatory pressure to bear in improving operational practices. > ============================== > 54: A few theses regarding privacy and security > Andreas Kuckartz > https://www.w3.org/2014/strint/papers/54.pdf > ============================== > 55: Meet the new threat model, same as the old threat model > Eric Rescorla > https://www.w3.org/2014/strint/papers/55.pdf > ============================== > 56: It’s Time for Application-Centric Security > Yuan Gu, Harold Johnson > https://www.w3.org/2014/strint/papers/56.pdf > Abstract: > An 'application' is an organized data/executable-code compound performing a specific function or service. We hold that applications should be protected intrinsically (by obfuscated, tamper-resistant code and data), as well as extrinsically (by encrypted communication, hardened hardware platforms, authenticated access). (1) Cloud-based applications are vulnerable to their hosting services or neighbors. (2) Peripheral-based applications (on phones, pads, PDAs, or more generally in the Internet of Things) are vulnerable because hardware security is inconsistent and very expensive to repair. (3) Browser-based applications are vulnerable because they run on potentially hostile or malware-infected browsers or platforms which we don't control. > Application obfuscations such as homomorphic transforms on data and computation (motto: avoid data or computation in plain form) and increased interdependency (motto: aggressive fragility under tampering) can effectively address these vulnerabilities. > ============================== > 57: Sabatini Monatesti position paper > Sabatine Monatesti > https://www.w3.org/2014/strint/papers/57.pdf > ============================== > 58: Trust problems in pervasive monitoring > Melinda Shore, Karen O'Donoghue > https://www.w3.org/2014/strint/papers/58.pdf > ============================== > 59: Beyond “Just TLS Everywhere”: From Client-encrypted Messaging to Defending the Social Graph > Harry Halpin, George Danezis > https://www.w3.org/2014/strint/papers/59.pdf > ============================== > 60: Network Security as a Public Good > Wendy Seltzer > https://www.w3.org/2014/strint/papers/60.pdf > Abstract: > Network security depends on cooperation of multiple actors in the Internet ecosystem. Standards consortia should support and help coordinate activity to protect the commons. > ============================== > 61: Statement of Interest on behalf of the W3C TAG > Dan Appelquist > https://www.w3.org/2014/strint/papers/61.pdf > ============================== > 62: Improving Security on the Internet > Hannes Tschofenig > https://www.w3.org/2014/strint/papers/62.pdf > ============================== > 63: Protecting customer data from government snooping > Orit Levin > https://www.w3.org/2014/strint/papers/63.pdf > ============================== > 64: Privacy Aware Internet Development Initiative 2014 > Achim Klabunde > https://www.w3.org/2014/strint/papers/64.pdf > Abstract: > Protecting privacy on the Internet requires more than using encryption. Protocols, implementations and applications must minimise the amount of personal data that is distributed and collected. Work is required to develop and disseminate privacy aware design and impmementation techniques to the actual developers. The paper is a call for interest for an initiative aiming to address this need, supported by privacy and technology experts. > ============================== > 65: The Internet is Broken: Idealistic Ideas for Building a NEWGNU Network > Christian Grothoff, Bartlomiej Polot, Carlo von Loesch > https://www.w3.org/2014/strint/papers/65.pdf > Abstract: > This paper describes issues for security and privacy at all layers of the Internet stack and proposes radical changes to the architecture to build a network that offers strong security and privacy by default. > ============================== > 66: Opportunistic Keying as a Countermeasure to Pervasive Monitoring > Stephen Kent > https://www.w3.org/2014/strint/papers/66.pdf > Abstract: > This document was prepared as part of the IETF response to concerns about “pervasive monitoring” as articulated in [draft-farrell-perpass-attack]. It begins by exploring terminology that has been used in IETF standards (and in academic publications) to describe encryption and key management techniques, with a focus on authentication vs. anonymity. Based on this analysis, it propose a new term, “opportunistic keying” (OK) to describe a goal for IETF security protocols, one possible countermeasure to pervasive monitoring. It reviews key management mechanisms used in IETF security protocol standards, with respect to these properties, to identify what changes might be needed to offer OK with minimal changes. The document ends by examining possible impediments to and potential adverse effects associated with deployment and use of techniques that would increase the use of encryption, even when keys are distributed in an unauthenticated manner. > ============================== > 999: The Shadow Internet: liberation from Surveillance, Censorship and Servers > Johan Pouwelse > https://datatracker.ietf.org/doc/draft-pouwelse-perpass-shadow-internet/ > Abstract: > This IETF Perpass document describes some scenarios and requirements for Internet hardening by creating what we term a shadow Internet, defined as an infrastructure in which the ability of governments to conduct indiscriminate eavesdropping or censor media dissemination is reduced. > Internet-deployed code is available for most components of this shadow Internet. > This 18-page document is not available via the STRINT website. > ============================== > 998: Privacy and Networking Functions > Jari Arkko > http://www.arkko.com/ietf/strint/draft-arkko-strint-networking-functions.txt > Abstract: > This paper discusses the inherent tussle between network functions and some aspects of privacy. There is clearly room for a much improved privacy in Internet communications, but there are also interesting interactions with network functions, e.g., what information networks need to provide a service. Exploring these limits is useful to better understand potential improvements. > ============================== > (should this page go down, we have a backup at http://kuix.de:9321/p/strint-abstracts ) > ============================== -- pgp: https://www.ctrlc.hu/~stef/stef.gpg pgp fp: FD52 DABD 5224 7F9C 63C6 3C12 FC97 D29F CA05 57EF otr fp: https://www.ctrlc.hu/~stef/otr.txt From dh.yang at nuricorp.co.kr Wed Mar 5 05:26:15 2014 From: dh.yang at nuricorp.co.kr (<) Date: Wed, 5 Mar 2014 16:26:15 +0300 Subject: Healthy life can be so easy! For women here. Message-ID: <53172006.806020@nacha.org> HelloThere is no difference between you and I.http://pkinspire.com/oln/ Feel yourself healthy women. Buy meds at our store. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 399 bytes Desc: not available URL: From dan at geer.org Wed Mar 5 18:06:38 2014 From: dan at geer.org (dan at geer.org) Date: Wed, 05 Mar 2014 21:06:38 -0500 Subject: a speech Message-ID: <20140306020638.7560B22808E@palinka.tinho.net> Perhaps of some relevance here. We Are All Intelligence Officers Now invited address to the RSA Conference, San Francisco, 28 February 2014 http://geer.tinho.net/geer.rsa.28ii14.txt --dan From hettinga at gmail.com Thu Mar 6 03:27:03 2014 From: hettinga at gmail.com (Robert Hettinga) Date: Thu, 6 Mar 2014 07:27:03 -0400 Subject: a speech In-Reply-To: <20140306020638.7560B22808E@palinka.tinho.net> References: <20140306020638.7560B22808E@palinka.tinho.net> Message-ID: <13E4AD0A-0D92-4CCA-A8F3-09B3C49431C2@gmail.com> On Mar 5, 2014, at 10:06 PM, dan at geer.org wrote: > We Are All Intelligence Officers Now Exactly. Somewhere, Ronald Coase is smiling. Firm size gets smaller with Moore’s law. Networks get more geodesic, cats and dogs living together, mass hysteria, &cet. Most importantly: We have to do our own security, because they *can’t*. Said that to James Kalstrom once during questions from the floor at an MIT thing for one of Whit Diffie’s books. Kinda said his job was obsolete. Also thanked Dr. Diffie for inventing my business. Glares from both of them, for some reason. It’s actually on C-SPAN, or so an also shocked relative told me later. :-) This was before 9/11, of course, before I became a raving “kill the bastards” nationalist. Discovered my inner Andy Jackson, I did. :-). Which I still am, even though gov.us is actually anti-american, now. Now, not only can they *not* provide for our security, which is what we hired them to do, they *won’t*. In fact, they are literally *attacking* everyone. They’re now back to being on the outside of the tent, pissing in again. Which sucks. They’ve gone back to being “they”, even when though they were “us” for a while... Cheers, RAH -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 496 bytes Desc: Message signed with OpenPGP using GPGMail URL: From jamesdbell9 at yahoo.com Thu Mar 6 09:29:07 2014 From: jamesdbell9 at yahoo.com (jim bell) Date: Thu, 6 Mar 2014 09:29:07 -0800 (PST) Subject: See??? In-Reply-To: References: Message-ID: <1394126947.88685.YahooMailNeo@web126205.mail.ne1.yahoo.com> I *told* you I wasn't Sanjuro.      Jim Bell ________________________________ From: Robert Hettinga To: cpunks ; Cryptography List Sent: Thursday, March 6, 2014 6:05 AM Subject: See??? I *told* you I wasn’t Satoshi. ;-) Poor bastard... Cheers, RAH -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1271 bytes Desc: not available URL: From jya at pipeline.com Thu Mar 6 07:01:06 2014 From: jya at pipeline.com (John Young) Date: Thu, 06 Mar 2014 10:01:06 -0500 Subject: See??? Satoshi Nakamoto Smeared In-Reply-To: References: Message-ID: http://mag.newsweek.com/2014/03/14/bitcoin-satoshi-nakamoto.html Leah McGrath Goodman @truth_eater What a piece of shit reporting. Journalists compulsively play pop psychologist is reporting on targets to obscure their lack of technical capability. When ridiculed for this they say readers want the gossip because they too lack technical comprehension. Not a single journalist resists the temptation for slimey personal analysis to boost sales from Obama to Putin to Satoshi, from NY Times to Guardian to WaPo to Wired to The Intercept. Still the tech firms suck up to the ignorant outlets for lurid coverage, crypto firms now leading the pack to promote comsec panic for digital cash-in. You, once honorably corrupt, dear cpunks, should be raking it in as if in compelled to rationalize cryptoligarchy. Fuck them dead, the whipsawing comsec windfall bandits. At 09:05 AM 3/6/2014, you wrote: >I *told* you I wasn't Satoshi. > >;-) > >Poor bastard... > >Cheers, >RAH > > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1306 bytes Desc: not available URL: From hettinga at gmail.com Thu Mar 6 06:05:49 2014 From: hettinga at gmail.com (Robert Hettinga) Date: Thu, 6 Mar 2014 10:05:49 -0400 Subject: See??? Message-ID: I *told* you I wasn’t Satoshi. ;-) Poor bastard... Cheers, RAH -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 496 bytes Desc: Message signed with OpenPGP using GPGMail URL: From jamesdbell9 at yahoo.com Thu Mar 6 10:11:08 2014 From: jamesdbell9 at yahoo.com (jim bell) Date: Thu, 6 Mar 2014 10:11:08 -0800 (PST) Subject: See??? In-Reply-To: <1394126947.88685.YahooMailNeo@web126205.mail.ne1.yahoo.com> References: <1394126947.88685.YahooMailNeo@web126205.mail.ne1.yahoo.com> Message-ID: <1394129468.14451.YahooMailNeo@web126205.mail.ne1.yahoo.com> Actually, I should have said: [Headlines from the future] "I *told* you I wasn't Sanjuro.       Jim Bell ________________________________ From: jim bell To: Robert Hettinga ; "cypherpunks at cpunks.org" Sent: Thursday, March 6, 2014 9:29 AM Subject: Re: See??? I *told* you I wasn't Sanjuro.      Jim Bell ________________________________ From: Robert Hettinga To: cpunks ; Cryptography List Sent: Thursday, March 6, 2014 6:05 AM Subject: See??? I *told* you I wasn’t Satoshi. ;-) Poor bastard... Cheers, RAH -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 3397 bytes Desc: not available URL: From demonfighter at gmail.com Thu Mar 6 10:41:36 2014 From: demonfighter at gmail.com (Steve Furlong) Date: Thu, 6 Mar 2014 13:41:36 -0500 Subject: See??? In-Reply-To: <1394126947.88685.YahooMailNeo@web126205.mail.ne1.yahoo.com> References: <1394126947.88685.YahooMailNeo@web126205.mail.ne1.yahoo.com> Message-ID: I *told* you I wasn't Santuclauso. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 91 bytes Desc: not available URL: From reed at unsafeword.org Thu Mar 6 14:06:09 2014 From: reed at unsafeword.org (Reed Black) Date: Thu, 6 Mar 2014 14:06:09 -0800 Subject: Bounties In-Reply-To: <04B4818B-74E2-4296-B118-0E69B2E679A1@gmail.com> References: <04B4818B-74E2-4296-B118-0E69B2E679A1@gmail.com> Message-ID: It's believed that Satoshi holds a total of what - 8-10% of all BTC mined to date? The deflationary benefit of destroying Satoshi's wallets might be enough motivation for some to do evil. Whether this is the real Satoshi or not, I expect he's taking on a pretty unique set of worries. On Thu, Mar 6, 2014 at 11:38 AM, Bob Hettinga wrote: > > They're talking about offering bounties on anyone who touches Satoshi > Nakamoto. Somewhere, Jim Bell is laughing... > > > Cheers, > > RAH > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1272 bytes Desc: not available URL: From demonfighter at gmail.com Thu Mar 6 12:05:08 2014 From: demonfighter at gmail.com (Steve Furlong) Date: Thu, 6 Mar 2014 15:05:08 -0500 Subject: Bounties In-Reply-To: <04B4818B-74E2-4296-B118-0E69B2E679A1@gmail.com> References: <04B4818B-74E2-4296-B118-0E69B2E679A1@gmail.com> Message-ID: On Thu, Mar 6, 2014 at 2:38 PM, Bob Hettinga wrote: > They're talking about offering bounties on anyone who touches Satoshi Nakamoto. Somewhere, Jim Bell is laughing... Odd phrasing. Seems to imply Jim Bell is dead. I dreamed I saw Jim Bell last night, alive as you and me. -- Neca eos omnes. Deus suos agnoscet. -- Arnaud-Amaury, 1209 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1039 bytes Desc: not available URL: From drwho at virtadpt.net Thu Mar 6 15:20:09 2014 From: drwho at virtadpt.net (The Doctor) Date: Thu, 06 Mar 2014 15:20:09 -0800 Subject: See??? Satoshi Nakamoto Smeared In-Reply-To: References: Message-ID: <531902A9.9080209@virtadpt.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Alleged Creator of Bitcoin Chased Around Los Angeles: http://www.businessinsider.com/there-is-a-bitcoin-car-chase-underway-2014-3 The plot coagulates... - -- The Doctor [412/724/301/703] [ZS] Developer, Project Byzantium: http://project-byzantium.org/ PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1 WWW: https://drwho.virtadpt.net/ "It just isn't in my nature to buy a lot of canned food and move to Alaska and try to escape the gray goo." --William Gibson -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEAREKAAYFAlMZAqkACgkQO9j/K4B7F8HbrgCg5kaKCFfOIyXE5fbtVPpJhnkc hxcAoPD+ekm3Q/BTQbtZg+F4keM6EWSw =VSet -----END PGP SIGNATURE----- From hettinga at gmail.com Thu Mar 6 11:38:28 2014 From: hettinga at gmail.com (Bob Hettinga) Date: Thu, 6 Mar 2014 15:38:28 -0400 Subject: Bounties Message-ID: <04B4818B-74E2-4296-B118-0E69B2E679A1@gmail.com> They're talking about offering bounties on anyone who touches Satoshi Nakamoto. Somewhere, Jim Bell is laughing… Cheers, RAH -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 677 bytes Desc: not available URL: From jamesdbell9 at yahoo.com Thu Mar 6 15:42:51 2014 From: jamesdbell9 at yahoo.com (jim bell) Date: Thu, 6 Mar 2014 15:42:51 -0800 (PST) Subject: Bounties In-Reply-To: References: <04B4818B-74E2-4296-B118-0E69B2E679A1@gmail.com> Message-ID: <1394149371.41400.YahooMailNeo@web126201.mail.ne1.yahoo.com> From: Steve Furlong To: Bob Hettinga >On Thu, Mar 6, 2014 at 2:38 PM, Bob Hettinga wrote:   >> They're talking about offering bounties on anyone who touches Satoshi Nakamoto. Somewhere, Jim Bell is laughing…   >Odd phrasing. Seems to imply Jim Bell is dead.   >I dreamed I saw Jim Bell last night, >alive as you and me.   Any reports of my demise are at least slightly in error. But, I have been laughing, a bit, about the Mt. Gox situation.  Seems to me that given that since somebody made off ("Made-off"..."Madoff";   I sure wish I had been the first one to invent that joke)  with 6% of the existing (?) supply of Bitcoin, it ought to be awfully difficult for the thief to remain entirely unknown, at least given enough time.  After all, it is well understood that Bitcoin is merely pseudonynous, not entirely anonymous.  Presuming the thief is eventually identified, I wouldn't be surprised if he (or she?) could be "convinced" to return the Bitcoin or what's left of it.  I would be in favor (of course) of withholding a portion of the recovered BTC to fund what amounts to an insurance fund to cover Bitcoin exchanges, but also Silk Road 2.0 and other systems.           Jim Bell -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 3965 bytes Desc: not available URL: From dan at geer.org Thu Mar 6 12:51:50 2014 From: dan at geer.org (dan at geer.org) Date: Thu, 06 Mar 2014 15:51:50 -0500 Subject: See??? In-Reply-To: Your message of "Thu, 06 Mar 2014 18:10:29 +0100." <2440124.vVcht5uTCA@lap> Message-ID: <20140306205150.321A422816B@palinka.tinho.net> >> In a city (LA) where burglars will break into your home for a mere $400 >> flat panel TV, the journalist involved has just painted a bullseye on >> this 64 year old man's back, due to the supposed 1,000,000 bitcoins he >> has. This is a disaster waiting to happen.. I can't believe Newsweek >> actually published his photo, along with his house and car with visible >> license plate > >This should be criminal. Far be it from me to pollute this discussion with references to assassination markets and such sundry things as of which there has never been discussion hereabouts, no sir. Dept. of Obiter Dicta From juan.g71 at gmail.com Thu Mar 6 11:03:51 2014 From: juan.g71 at gmail.com (Juan Garofalo) Date: Thu, 06 Mar 2014 16:03:51 -0300 Subject: See??? Satoshi Nakamoto Smeared In-Reply-To: References: Message-ID: --On Thursday, March 06, 2014 10:01 AM -0500 John Young wrote: > http://mag.newsweek.com/2014/03/14/bitcoin-satoshi-nakamoto.html > You guys think the story is to be believed? <--- I know it's a stupid/rhetorical question, but I couldn't help it =P > > Leah McGrath Goodman > > > @truth_eater > > What a piece of shit reporting. Journalists compulsively play > pop psychologist is reporting on targets to obscure their > lack of technical capability. When ridiculed for this they > say readers want the gossip because they too lack technical > comprehension. > > Not a single journalist resists the temptation for slimey personal > analysis to boost sales from Obama to Putin to Satoshi, from > NY Times to Guardian to WaPo to Wired to The Intercept. > > Still the tech firms suck up to the ignorant outlets for lurid > coverage, crypto firms now leading the pack to promote > comsec panic for digital cash-in. You, once honorably corrupt, > dear cpunks, should be raking it in as if in compelled to > rationalize cryptoligarchy. > > Fuck them dead, the whipsawing comsec windfall bandits. > > > > > At 09:05 AM 3/6/2014, you wrote: >> I *told* you I wasn't Satoshi. >> >> ;-) >> >> Poor bastard... >> >> Cheers, >> RAH >> >> > From jamesdbell9 at yahoo.com Thu Mar 6 16:10:19 2014 From: jamesdbell9 at yahoo.com (jim bell) Date: Thu, 6 Mar 2014 16:10:19 -0800 (PST) Subject: See??? In-Reply-To: References: <1394126947.88685.YahooMailNeo@web126205.mail.ne1.yahoo.com> Message-ID: <1394151019.525.YahooMailNeo@web126204.mail.ne1.yahoo.com> From: Robert Hettinga To: "cypherpunks at cpunks.org"   On Mar 6, 2014, at 1:29 PM, jim bell wrote: >> I *told* you I wasn't Sanjuro. >But, the *do* want to offer *bounties* on anyone who harms Satoshi, so they’ve got *that* goin’ for ‘em. >:-) >Cheers, >RAH Clearly, this points to the need to expand the AP/AM implementations to include 'indefinite targets': AP targets whose names aren't known at the time the donation is made.  And, even targets who really don't even exist at the time the donation is made.  Presumably, Satoshi is still alive and well, thus nobody out there (yet) has harmed him.  Somebody might want to put money (BTC) on anyone who would do so.  I alluded to this at the time I wrote the AP essay, with my reference to using AP to attack car thieves.             Jim Bell -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 3456 bytes Desc: not available URL: From iam at kjro.se Thu Mar 6 15:17:31 2014 From: iam at kjro.se (Kelly John Rose) Date: Thu, 6 Mar 2014 16:17:31 -0700 Subject: Bounties In-Reply-To: References: <04B4818B-74E2-4296-B118-0E69B2E679A1@gmail.com> Message-ID: Unless, of course, he already had given it away to someone else. On Thu, Mar 6, 2014 at 3:06 PM, Reed Black wrote: > It's believed that Satoshi holds a total of what - 8-10% of all BTC mined > to date? The deflationary benefit of destroying Satoshi's wallets might be > enough motivation for some to do evil. > > Whether this is the real Satoshi or not, I expect he's taking on a pretty > unique set of worries. > > > > On Thu, Mar 6, 2014 at 11:38 AM, Bob Hettinga wrote: > >> >> They're talking about offering bounties on anyone who touches Satoshi >> Nakamoto. Somewhere, Jim Bell is laughing... >> >> >> Cheers, >> >> RAH >> > > -- Kelly John Rose Edmonton, AB Phone: +1 647 638-4104 Twitter: @kjrose Skype: kjrose.pr Gtalk: iam at kjro.se MSN: msn at kjro.se Document contents are confidential between original recipients and sender. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2244 bytes Desc: not available URL: From hettinga at gmail.com Thu Mar 6 12:44:34 2014 From: hettinga at gmail.com (Robert Hettinga) Date: Thu, 6 Mar 2014 16:44:34 -0400 Subject: See??? In-Reply-To: <1394126947.88685.YahooMailNeo@web126205.mail.ne1.yahoo.com> References: <1394126947.88685.YahooMailNeo@web126205.mail.ne1.yahoo.com> Message-ID: On Mar 6, 2014, at 1:29 PM, jim bell wrote: > I *told* you I wasn't Sanjuro. But, the *do* want to offer *bounties* on anyone who harms Satoshi, so they’ve got *that* goin’ for ‘em. :-) Cheers, RAH -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 496 bytes Desc: Message signed with OpenPGP using GPGMail URL: From goldismoney at gmx.com Thu Mar 6 07:53:50 2014 From: goldismoney at gmx.com (Gold IsMoney) Date: Thu, 06 Mar 2014 16:53:50 +0100 Subject: See??? In-Reply-To: References: Message-ID: <53189A0E.5030609@gmx.com> On 3/6/2014 3:05 PM, Robert Hettinga wrote: > I *told* you I wasn’t Satoshi. > > ;-) > > Poor bastard... > > Cheers, > RAH In a city (LA) where burglars will break into your home for a mere $400 flat panel TV, the journalist involved has just painted a bullseye on this 64 year old man's back, due to the supposed 1,000,000 bitcoins he has. This is a disaster waiting to happen.. I can't believe Newsweek actually published his photo, along with his house and car with visible license plate From shelley at misanthropia.info Thu Mar 6 17:37:47 2014 From: shelley at misanthropia.info (shelley at misanthropia.info) Date: Thu, 6 Mar 2014 17:37:47 -0800 Subject: Bounties In-Reply-To: <20140307004156.4CA0A2280F0@palinka.tinho.net> Message-ID: <20140307013750.DA7DC680137@frontend2.nyi.mail.srv.osa> I am in agreement with Dan re: it being a gov't op vs 'thief'.  That was my first thought when the story broke, and nothing I've seen or heard since has changed my opinion. -Shelley   On Mar 6, 2014 5:33 PM, dan at geer.org <dan at geer.org> wrote: So, Jim (et al.), you say "thief" w.r.t. Bitcoin. What odds do you give that the theft was a state-level op to derail the Bitcoin economy, i.e., that making money was not the object, rather, let's imagine, that this op hedges the vulnerability of fiat currency to disintermediation. --dan -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 897 bytes Desc: not available URL: From shelley at misanthropia.info Thu Mar 6 17:41:44 2014 From: shelley at misanthropia.info (shelley at misanthropia.info) Date: Thu, 6 Mar 2014 17:41:44 -0800 Subject: See??? In-Reply-To: <5319105B.8090200@metaverse.org> Message-ID: <20140307014147.BBC24C007AC@frontend1.nyi.mail.srv.osa> [fake img] Sign on my cat saying "I am Satoshi!".jpg [/fake img]   On Mar 6, 2014 5:12 PM, Peter Tonoli <anarchie+cpunks at metaverse.org> wrote: On 3/7/14, 10:35 AM, Lodewijk andré de la porte wrote: > But you guys know there's many Satoshi's right? I mean. They're like > Zero or Anonymous! "I am Satoshi!" -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 647 bytes Desc: not available URL: From rysiek at hackerspace.pl Thu Mar 6 09:10:29 2014 From: rysiek at hackerspace.pl (rysiek) Date: Thu, 06 Mar 2014 18:10:29 +0100 Subject: See??? In-Reply-To: <53189A0E.5030609@gmx.com> References: <53189A0E.5030609@gmx.com> Message-ID: <2440124.vVcht5uTCA@lap> Dnia czwartek, 6 marca 2014 16:53:50 Gold IsMoney pisze: > On 3/6/2014 3:05 PM, Robert Hettinga wrote: > > I *told* you I wasn’t Satoshi. > > > > ;-) > > > > Poor bastard... > > > > Cheers, > > RAH > > In a city (LA) where burglars will break into your home for a mere $400 > flat panel TV, the journalist involved has just painted a bullseye on > this 64 year old man's back, due to the supposed 1,000,000 bitcoins he > has. This is a disaster waiting to happen.. I can't believe Newsweek > actually published his photo, along with his house and car with visible > license plate This should be criminal. -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From shelley at misanthropia.info Thu Mar 6 18:57:42 2014 From: shelley at misanthropia.info (shelley at misanthropia.info) Date: Thu, 06 Mar 2014 18:57:42 -0800 Subject: Bounties In-Reply-To: <20140307004156.4CA0A2280F0@palinka.tinho.net> References: <20140307004156.4CA0A2280F0@palinka.tinho.net> Message-ID: <1394161062.7387.91587669.055B38E5@webmail.messagingengine.com> I accidentally cc'd the "other" Crypto list when replying to this email, and got this hilarious response: "Posting of your message titled "Re: Bounties" has been rejected by the list moderator. The moderator gave the following reason for rejecting your request: "Please edit this post and resubmit it after changing it to not be top posted. Thanks"" *chortlesnort* Top posting, bitches! Suck it! (also, I guess they just missed Dan's TOP POST right before mine...) On Thu, Mar 6, 2014, at 04:41 PM, wrote: > > So, Jim (et al.), you say "thief" w.r.t. Bitcoin. > > What odds do you give that the theft was a state-level op to > derail the Bitcoin economy, i.e., that making money was not the > object, rather, let's imagine, that this op hedges the vulnerability > of fiat currency to disintermediation. > > --dan > From jamesdbell9 at yahoo.com Thu Mar 6 19:20:56 2014 From: jamesdbell9 at yahoo.com (jim bell) Date: Thu, 6 Mar 2014 19:20:56 -0800 (PST) Subject: Bounties In-Reply-To: <20140307013750.DA7DC680137@frontend2.nyi.mail.srv.osa> References: <20140307004156.4CA0A2280F0@palinka.tinho.net> <20140307013750.DA7DC680137@frontend2.nyi.mail.srv.osa> Message-ID: <1394162456.66927.YahooMailNeo@web126203.mail.ne1.yahoo.com> If I understand your conclusions, I agree:  It would be far too dangerous to steal 6% of the world's extant Bitcoins if you actually intended to use, i.e. spend, them; but for a state-level actor, a very plausible goal would be to discredit in the public's minds Bitcoins, and that could be done merely by taking and keeping (or destroying) them.  I, of course, believe that ultimately Bitcoins (or at least, some kind of electronic currency) will be the death of all governments.   That would certainly motivate all competent governments to do anything in their power to mess up the operation of any Bitcoin storage and transmission systems.      This is one reason that I think the idiot operators of Mt Gox must not be allowed to get "bankruptcy protection" due to the failure of their operations.  As a practical matter, they don't _need_ financial protection, for no other reason that virtually all of the BTC is already gone.  The kind of 'protection' they really need is from the bullet, the knife, the bomb, the poison, etc.  But, they should stay around long enough to help determine who took the Bitcoins, to find out who did what with them.        Jim Bell ________________________________ From: "shelley at misanthropia.info" To: Cc: cpunks ; Cryptography List Sent: Thursday, March 6, 2014 5:37 PM Subject: Re: Bounties I am in agreement with Dan re: it being a gov't op vs 'thief'.  That was my first thought when the story broke, and nothing I've seen or heard since has changed my opinion. -Shelley   ________________________________ On Mar 6, 2014 5:33 PM, dan at geer.org wrote: So, Jim (et al.), you say "thief" w.r.t. Bitcoin. What odds do you give that the theft was a state-level op to derail the Bitcoin economy, i.e., that making money was not the object, rather, let's imagine, that this op hedges the vulnerability of fiat currency to disintermediation. --dan -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 3922 bytes Desc: not available URL: From dan at geer.org Thu Mar 6 16:41:56 2014 From: dan at geer.org (dan at geer.org) Date: Thu, 06 Mar 2014 19:41:56 -0500 Subject: Bounties In-Reply-To: Your message of "Thu, 06 Mar 2014 15:42:51 PST." <1394149371.41400.YahooMailNeo@web126201.mail.ne1.yahoo.com> Message-ID: <20140307004156.4CA0A2280F0@palinka.tinho.net> So, Jim (et al.), you say "thief" w.r.t. Bitcoin. What odds do you give that the theft was a state-level op to derail the Bitcoin economy, i.e., that making money was not the object, rather, let's imagine, that this op hedges the vulnerability of fiat currency to disintermediation. --dan From demonfighter at gmail.com Thu Mar 6 17:03:29 2014 From: demonfighter at gmail.com (Steve Furlong) Date: Thu, 6 Mar 2014 20:03:29 -0500 Subject: Bounties In-Reply-To: <1394149371.41400.YahooMailNeo@web126201.mail.ne1.yahoo.com> References: <04B4818B-74E2-4296-B118-0E69B2E679A1@gmail.com> <1394149371.41400.YahooMailNeo@web126201.mail.ne1.yahoo.com> Message-ID: On Thu, Mar 6, 2014 at 6:42 PM, jim bell wrote: >> I dreamed I saw Jim Bell last night, >> alive as you and me. That's the (modified) start of the Joe Hill song, in case you didn't recognize it. > it ought to be awfully difficult for the thief to remain entirely unknown, at least given enough > time. After all, it is well understood that Bitcoin is merely pseudonynous, not entirely anonymous. Watch for an anonymizing exchange being set up. Even if the proud new possessor of a bazzillion bitcoins has to lose half of the value in laundering them sufficiently, that's still a nice pile of change. As for Dan Geer's question about state actors, I of course would never suggest my government would do anything illegal or even questionable. -- Neca eos omnes. Deus suos agnoscet. -- Arnaud-Amaury, 1209 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1548 bytes Desc: not available URL: From carimachet at gmail.com Thu Mar 6 13:16:37 2014 From: carimachet at gmail.com (Cari Machet) Date: Thu, 6 Mar 2014 21:16:37 +0000 Subject: See??? Satoshi Nakamoto Smeared In-Reply-To: References: Message-ID: On Thu, Mar 6, 2014 at 3:01 PM, John Young wrote: > http://mag.newsweek.com/2014/03/14/bitcoin-satoshi-nakamoto.html > > Leah McGrath Goodman @truth_eater What a piece of shit reporting. > Journalists compulsively play > pop psychologist is reporting on targets to obscure their > lack of technical capability. When ridiculed for this they > say readers want the gossip because they too lack technical > comprehension. > > Not a single journalist resists the temptation for slimey personal > analysis to boost sales from Obama to Putin to Satoshi, from > NY Times to Guardian to WaPo to Wired to The Intercept. > > Still the tech firms suck up to the ignorant outlets for lurid > coverage, crypto firms now leading the pack to promote > comsec panic for digital cash-in. You, once honorably corrupt, > dear cpunks, should be raking it in as if in compelled to > rationalize cryptoligarchy. > > Fuck them dead, the whipsawing comsec windfall bandits. > > fuck them dead > thats a good one @mtaibbi said the press pools he has been in taught him one major thing journalists are bred to be stupid - he was astonished at their stupidity level but now he is at the intercept crap so.. stupidity rules and all hail to capitalistic fuck alls but i have to disagree with you re the story in terms of the personal analysis re content - they do get into the tech not perfectly but... trying to figure out why someone would want to remain anonymous in this society of star fuckers into infinity is part of the story of bitcoin and there were forensic analysts working on the story the cia connection is interesting when cia mentioned > he is gone - out totally out > > > > At 09:05 AM 3/6/2014, you wrote: > > I *told* you I wasn't Satoshi. > > ;-) > > Poor bastard... > > Cheers, > RAH > > > -- Cari Machet NYC 646-436-7795 carimachet at gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 3550 bytes Desc: not available URL: From hettinga at gmail.com Thu Mar 6 17:22:59 2014 From: hettinga at gmail.com (Robert Hettinga) Date: Thu, 6 Mar 2014 21:22:59 -0400 Subject: Bounties In-Reply-To: <20140307004156.4CA0A2280F0@palinka.tinho.net> References: <20140307004156.4CA0A2280F0@palinka.tinho.net> Message-ID: <48DF4613-A826-4549-8CA9-33CD381F4399@gmail.com> I tell all y’all what. Since this Bitcoin thing has really blown up, say the last year or so, the shit-satin’ grin on my face just keeps gettin’ bigger and bigger. Cheers, RAH -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 496 bytes Desc: Message signed with OpenPGP using GPGMail URL: From gwen at cypherpunks.to Thu Mar 6 22:08:37 2014 From: gwen at cypherpunks.to (gwen hastings) Date: Thu, 06 Mar 2014 22:08:37 -0800 Subject: Bounties In-Reply-To: <1394161062.7387.91587669.055B38E5@webmail.messagingengine.com> References: <20140307004156.4CA0A2280F0@palinka.tinho.net> <1394161062.7387.91587669.055B38E5@webmail.messagingengine.com> Message-ID: <53196265.9060703@cypherpunks.to> Fucking hilarious!! what is the freaking fucking problem with top posting... jeese.. I appreciate someone who 'breaks' the rules and top posts and I do it quite deliberately to get the morons and idiots wound up... no fucking rules people get it??? gwen ps I wish "murdering thug" would show back up I always enjoyed his biting commentary. On 3/6/14 6:57 PM, shelley at misanthropia.info wrote: > I accidentally cc'd the "other" Crypto list when replying to this email, > and got this hilarious response: > > "Posting of your message titled "Re: Bounties" > > has been rejected by the list moderator. The moderator gave the > following reason for rejecting your request: > > "Please edit this post and resubmit it after changing it to not be top > posted. Thanks"" > > *chortlesnort* > > Top posting, bitches! Suck it! > > (also, I guess they just missed Dan's TOP POST right before mine...) > > > On Thu, Mar 6, 2014, at 04:41 PM, wrote: >> >> So, Jim (et al.), you say "thief" w.r.t. Bitcoin. >> >> What odds do you give that the theft was a state-level op to >> derail the Bitcoin economy, i.e., that making money was not the >> object, rather, let's imagine, that this op hedges the vulnerability >> of fiat currency to disintermediation. >> >> --dan >> -- Tentacle #99 ecc public key curve p25519(pcp 0.15) 1l0$WoM5C8z=yeZG7?$]f^Uu8.g>4rf#t^6mfW9(rr910 Governments are instituted among men, deriving their just powers from the consent of the governed, that whenever any form of government becomes destructive of these ends, it is the right of the people to alter or abolish it, and to institute new government, laying its foundation on such principles, and organizing its powers in such form, as to them shall seem most likely to effect their safety and happiness.’ https://github.com/TLINDEN/pcp.git to get pcp(curve25519 cli) https://github.com/stef/pbp.git (curve 25519 python based cli) -------------- next part -------------- A non-text attachment was scrubbed... Name: 0x42AA24D5.asc Type: application/pgp-keys Size: 70878 bytes Desc: not available URL: From hozer at hozed.org Thu Mar 6 20:15:12 2014 From: hozer at hozed.org (Troy Benjegerdes) Date: Thu, 6 Mar 2014 22:15:12 -0600 Subject: See??? In-Reply-To: <1394151019.525.YahooMailNeo@web126204.mail.ne1.yahoo.com> References: <1394126947.88685.YahooMailNeo@web126205.mail.ne1.yahoo.com> <1394151019.525.YahooMailNeo@web126204.mail.ne1.yahoo.com> Message-ID: <20140307041511.GS3180@nl.grid.coop> On Thu, Mar 06, 2014 at 04:10:19PM -0800, jim bell wrote: > From: Robert Hettinga > To: "cypherpunks at cpunks.org"   > > On Mar 6, 2014, at 1:29 PM, jim bell wrote: > > >> I *told* you I wasn't Sanjuro. > > >But, the *do* want to offer *bounties* on anyone who harms Satoshi, so they’ve got *that* goin’ for ‘em. > >:-) > >Cheers, > >RAH > > Clearly, this points to the need to expand the AP/AM implementations to include 'indefinite targets': AP targets whose names aren't known at the time the donation is made.  And, even targets who really don't even exist at the time the donation is made.  Presumably, Satoshi is still alive and well, thus nobody out there (yet) has harmed him.  Somebody might want to put money (BTC) on anyone who would do so. >  I alluded to this at the time I wrote the AP essay, with my reference to using AP to attack car thieves.   >           Jim Bell I think you just made Satoshi Nakamoto the most well protected person in history. Well played psy-ops my friend. That's almost as good as the hypothetical game big (insert your boogeyman here) might be playing with Putin to make him think Bitcoin is a NSA/CIA operation to ruin the ruble. I'd rather be a Satoshi than a Vladimir right now. -- ---------------------------------------------------------------------------- Troy Benjegerdes 'da hozer' hozer at hozed.org 7 elements earth::water::air::fire::mind::spirit::soul grid.coop Never pick a fight with someone who buys ink by the barrel, nor try buy a hacker who makes money by the megahash From l at odewijk.nl Thu Mar 6 15:35:51 2014 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Fri, 7 Mar 2014 00:35:51 +0100 Subject: See??? In-Reply-To: <20140306205150.321A422816B@palinka.tinho.net> References: <2440124.vVcht5uTCA@lap> <20140306205150.321A422816B@palinka.tinho.net> Message-ID: But you guys know there's many Satoshi's right? I mean. They're like Zero or Anonymous! -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 152 bytes Desc: not available URL: From shelley at misanthropia.info Fri Mar 7 06:01:14 2014 From: shelley at misanthropia.info (shelley at misanthropia.info) Date: Fri, 07 Mar 2014 06:01:14 -0800 Subject: Idiots [was: Bounties] In-Reply-To: <20140307122348.GA27936@fishbowl.rw.madduck.net> References: <20140307004156.4CA0A2280F0@palinka.tinho.net> <20140307071503.GA19260@fishbowl.rw.madduck.net> <1787662.03Jrf7cYhK@lap> <20140307122348.GA27936@fishbowl.rw.madduck.net> Message-ID: <1394200874.18398.91742737.23DBA41F@webmail.messagingengine.com> On Mar 7, 2014 5:22 AM, martin f krafft wrote:  >>Careful, you are confusing the post-facebook generation who think that all problems they encounter are new [...] Your smug misassumptions are amusing, especially when you have no idea what the fuck you are talking about. Neither Gwen nor I are of the "post-facebook" generation. I've been online (meaning using the Internet, which pre-dates the Web by quite a few years- in case you were unaware) since the mid-eighties, during the time of monochrome screens and when telling someone to finger you wouldn't garner snickers from mental midgets like you. You completely missed the point of Gwen's post, in which he clearly talks about breaking 'the rules' to stir up idiots such as yourself, and to which you still felt the need to make a whiny reply- to make yourself feel, what...clever? To give yourself some sense of faux cypherpunks cred? You're not impressing anyone, you just made yourself look a fucking idiot with no reading comprehension. Shut the fuck up and keep your stupid ASSumptions to yourself. From dan at geer.org Fri Mar 7 05:07:53 2014 From: dan at geer.org (dan at geer.org) Date: Fri, 07 Mar 2014 08:07:53 -0500 Subject: See??? In-Reply-To: Your message of "Thu, 06 Mar 2014 22:15:12 CST." <20140307041511.GS3180@nl.grid.coop> Message-ID: <20140307130753.1D79A228108@palinka.tinho.net> > That's almost as good as the hypothetical game big (insert your > boogeyman here) might be playing with Putin to make him think Bitcoin > is a NSA/CIA operation to ruin the ruble. A person of my acquaintance who is a first wave negotiator in international affairs (first wave meaning the deniable precursor labor that occurs before the image-sensitive political class gets visibly involved) recounted how, in discussions in Beijing, this person's counterpart from the "other" side said that it was the assumption in Beijing that Twitter was an American operation constructed to destabilize Iran. This was three years ago. --dan From madduck at madduck.net Thu Mar 6 23:15:03 2014 From: madduck at madduck.net (martin f krafft) Date: Fri, 7 Mar 2014 08:15:03 +0100 Subject: Bounties In-Reply-To: <53196265.9060703@cypherpunks.to> References: <20140307004156.4CA0A2280F0@palinka.tinho.net> <1394161062.7387.91587669.055B38E5@webmail.messagingengine.com> <53196265.9060703@cypherpunks.to> Message-ID: <20140307071503.GA19260@fishbowl.rw.madduck.net> also sprach gwen hastings [2014-03-07 07:08 +0100]: > what is the freaking fucking problem with top posting... jeese.. I > appreciate someone who 'breaks' the rules and top posts and I do it > quite deliberately to get the morons and idiots wound up... > no fucking rules people get it??? It's been part of "netiquette", probably than from before you were born. *plonk* -- martin | http://madduck.net/ | http://two.sentenc.es/ government announcement - the government announced today that it is changing its mascot to a condom because it more clearly reflects the government's political stance. a condom stands up to inflation, halts production, destroys the next generation, protects a bunch of pricks and finally, gives you a sense of security while you're being screwed! spamtraps: madduck.bogus at madduck.net From rysiek at hackerspace.pl Thu Mar 6 23:35:43 2014 From: rysiek at hackerspace.pl (rysiek) Date: Fri, 07 Mar 2014 08:35:43 +0100 Subject: See??? In-Reply-To: <20140307014147.BBC24C007AC@frontend1.nyi.mail.srv.osa> References: <20140307014147.BBC24C007AC@frontend1.nyi.mail.srv.osa> Message-ID: <2917695.CGZpCEKQHi@lap> Dnia czwartek, 6 marca 2014 17:41:44 shelley at misanthropia.info pisze: > [fake img] Sign on my cat saying "I am Satoshi!".jpg [/fake img] From the looks of the cat, it might be *worth* a satoshi, I guess. -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From carimachet at gmail.com Fri Mar 7 00:41:21 2014 From: carimachet at gmail.com (Cari Machet) Date: Fri, 7 Mar 2014 08:41:21 +0000 Subject: Bounties In-Reply-To: <20140307071503.GA19260@fishbowl.rw.madduck.net> References: <20140307004156.4CA0A2280F0@palinka.tinho.net> <1394161062.7387.91587669.055B38E5@webmail.messagingengine.com> <53196265.9060703@cypherpunks.to> <20140307071503.GA19260@fishbowl.rw.madduck.net> Message-ID: top posting profoundly better than bottom where were you all when i was getting slammed on the list here for it and numerous other panzie ass fucked up analities? yes jim that is why i DONT get the state actor part i dont think the premise is correct that if u pull 6% out bitcoin dead > can you prove that mathematically or something somewheres hows ? On Fri, Mar 7, 2014 at 7:15 AM, martin f krafft wrote: > also sprach gwen hastings [2014-03-07 07:08 +0100]: > > what is the freaking fucking problem with top posting... jeese.. I > > appreciate someone who 'breaks' the rules and top posts and I do it > > quite deliberately to get the morons and idiots wound up... > > no fucking rules people get it??? > > It's been part of "netiquette", probably than from before you were > born. > > *plonk* > > -- > martin | http://madduck.net/ | http://two.sentenc.es/ > > government announcement - the government announced today that it is > changing its mascot to a condom because it more clearly reflects the > government's political stance. a condom stands up to inflation, halts > production, destroys the next generation, protects a bunch of pricks > and finally, gives you a sense of security while you're being screwed! > > spamtraps: madduck.bogus at madduck.net > > -- Cari Machet NYC 646-436-7795 carimachet at gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2898 bytes Desc: not available URL: From carimachet at gmail.com Fri Mar 7 01:01:14 2014 From: carimachet at gmail.com (Cari Machet) Date: Fri, 7 Mar 2014 09:01:14 +0000 Subject: See??? In-Reply-To: <2917695.CGZpCEKQHi@lap> References: <20140307014147.BBC24C007AC@frontend1.nyi.mail.srv.osa> <2917695.CGZpCEKQHi@lap> Message-ID: very well played sir... beyond as for putin > the west is in love with russian plutocrat raping of russian resources... money so... no elite fuck wants to touch that mirage [SIC] .... west <3 RF + KSA On Fri, Mar 7, 2014 at 7:35 AM, rysiek wrote: > Dnia czwartek, 6 marca 2014 17:41:44 shelley at misanthropia.info pisze: > > [fake img] Sign on my cat saying "I am Satoshi!".jpg [/fake img] > > From the looks of the cat, it might be *worth* a satoshi, I guess. > > -- > Pozdr > rysiek -- Cari Machet NYC 646-436-7795 carimachet at gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1857 bytes Desc: not available URL: From hozer at hozed.org Fri Mar 7 08:17:22 2014 From: hozer at hozed.org (Troy Benjegerdes) Date: Fri, 7 Mar 2014 10:17:22 -0600 Subject: See??? In-Reply-To: <20140307130753.1D79A228108@palinka.tinho.net> References: <20140307041511.GS3180@nl.grid.coop> <20140307130753.1D79A228108@palinka.tinho.net> Message-ID: <20140307161722.GT3180@nl.grid.coop> On Fri, Mar 07, 2014 at 08:07:53AM -0500, dan at geer.org wrote: > > > That's almost as good as the hypothetical game big (insert your > > boogeyman here) might be playing with Putin to make him think Bitcoin > > is a NSA/CIA operation to ruin the ruble. > > A person of my acquaintance who is a first wave negotiator in > international affairs (first wave meaning the deniable precursor > labor that occurs before the image-sensitive political class gets > visibly involved) recounted how, in discussions in Beijing, this > person's counterpart from the "other" side said that it was the > assumption in Beijing that Twitter was an American operation > constructed to destabilize Iran. > > This was three years ago. > > --dan And just like Iran, it seems to be all about dead dinosaurs http://www.slate.com/articles/business/moneybox/2014/03/putin_ukraine_and_energy_could_u_s_natural_gas_exports_alter_the_geopolitical.html It had somehow slipped my mind how 'theoildrum.com' went away, and everyone seems to have forgotten $12/MMBTU natural gas. But now we have a global power play that involves exporting every MMBTU that can be fracked and liquified to choke off Russia's economic air supply. Expect $15/mmbtu gas if we have another polar vortex and $8 corn in 2015 or 2016 if this holds. When I ran across http://oilgascoin.do.am/ (oilgascoin crypto coin) I thought it was a sad attempt at a copycatcoin, but it's looking more like the first sign of a cryptocurrency psy-ops arms race. From rysiek at hackerspace.pl Fri Mar 7 01:21:40 2014 From: rysiek at hackerspace.pl (rysiek) Date: Fri, 07 Mar 2014 10:21:40 +0100 Subject: Bounties In-Reply-To: References: <20140307004156.4CA0A2280F0@palinka.tinho.net> <20140307071503.GA19260@fishbowl.rw.madduck.net> Message-ID: <1787662.03Jrf7cYhK@lap> Dnia piątek, 7 marca 2014 08:41:21 Cari Machet pisze: > top posting profoundly better than bottom > > where were you all when i was getting slammed on the list here for it and > numerous other panzie ass fucked up analities? A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing? A: Top-posting. Q: What is the most annoying thing in e-mail? /I know, I know, old news, everybody knows it, but still apparently needs reminding/ -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From hozer at hozed.org Fri Mar 7 08:35:32 2014 From: hozer at hozed.org (Troy Benjegerdes) Date: Fri, 7 Mar 2014 10:35:32 -0600 Subject: Bounties In-Reply-To: <20140307122348.GA27936@fishbowl.rw.madduck.net> References: <20140307004156.4CA0A2280F0@palinka.tinho.net> <20140307071503.GA19260@fishbowl.rw.madduck.net> <1787662.03Jrf7cYhK@lap> <20140307122348.GA27936@fishbowl.rw.madduck.net> Message-ID: <20140307163532.GU3180@nl.grid.coop> On Fri, Mar 07, 2014 at 01:23:48PM +0100, martin f krafft wrote: > also sprach rysiek [2014-03-07 10:21 +0100]: > > A: Because it messes up the order in which people normally read text. > > Q: Why is top-posting such a bad thing? > > A: Top-posting. > > Q: What is the most annoying thing in e-mail? > > > > /I know, I know, old news, everybody knows it, but still apparently needs > > reminding/ > > Careful, you are confusing the post-facebook generation who think > that all problems they encounter are new, and they are the ones > — personally — who have come up with the best solution. ;) > > We should revive usenet without groups.google.com interface and let > natural selection take care of the idiots… ┈┈┈┈┈┈▕▔╲ ┈┈┈┈┈┈┈▏▕▂▂▂ ▂▂▂▂▂▂╱┈▕▂▂▂▏ ▉▉▉▉▉┈┈┈▕▂▂▂▏ like++ ▉▉▉▉▉┈┈┈▕▂▂▂▏ ▔▔▔▔▔▔╲▂▂▂▂I Let me suggest that usenet over IPv7 (ipv6 with integrated per-packet cryptocurrency micropayments) would actually be useful, and instead of *plonk* I can take the idiots money^H^H^H^H^Htokens *then* ignore them and send double your money^H^H^H^H^Htokens back for good posts like this. Excuse me a moment, I have to explain 'satire' to those FINCEN guys knocking at my door again. Every time this happens I have to sit down and have another John Stewart marathon. From anarchie+cpunks at metaverse.org Thu Mar 6 16:18:35 2014 From: anarchie+cpunks at metaverse.org (Peter Tonoli) Date: Fri, 07 Mar 2014 11:18:35 +1100 Subject: See??? In-Reply-To: References: <2440124.vVcht5uTCA@lap> <20140306205150.321A422816B@palinka.tinho.net> Message-ID: <5319105B.8090200@metaverse.org> On 3/7/14, 10:35 AM, Lodewijk andré de la porte wrote: > But you guys know there's many Satoshi's right? I mean. They're like > Zero or Anonymous! "I am Satoshi!" From madduck at madduck.net Fri Mar 7 04:23:48 2014 From: madduck at madduck.net (martin f krafft) Date: Fri, 7 Mar 2014 13:23:48 +0100 Subject: Bounties In-Reply-To: <1787662.03Jrf7cYhK@lap> References: <20140307004156.4CA0A2280F0@palinka.tinho.net> <20140307071503.GA19260@fishbowl.rw.madduck.net> <1787662.03Jrf7cYhK@lap> Message-ID: <20140307122348.GA27936@fishbowl.rw.madduck.net> also sprach rysiek [2014-03-07 10:21 +0100]: > A: Because it messes up the order in which people normally read text. > Q: Why is top-posting such a bad thing? > A: Top-posting. > Q: What is the most annoying thing in e-mail? > > /I know, I know, old news, everybody knows it, but still apparently needs > reminding/ Careful, you are confusing the post-facebook generation who think that all problems they encounter are new, and they are the ones — personally — who have come up with the best solution. ;) We should revive usenet without groups.google.com interface and let natural selection take care of the idiots… -- martin | http://madduck.net/ | http://two.sentenc.es/ "i started taking an online a.d.d. test, linked from someone's blog. i never finished it; i got distracted, and clicked on random other shiny things" -- andres salomon spamtraps: madduck.bogus at madduck.net -------------- next part -------------- A non-text attachment was scrubbed... Name: digital_signature_gpg.asc Type: application/pgp-signature Size: 1107 bytes Desc: Digital signature (see http://martin-krafft.net/gpg/sig-policy/999bbcc4/current) URL: From jya at pipeline.com Fri Mar 7 11:31:58 2014 From: jya at pipeline.com (John Young) Date: Fri, 07 Mar 2014 14:31:58 -0500 Subject: [Cryptography] Are Tor hidden services really hidden? In-Reply-To: References: <3BDD63C9-92A6-4E82-B84B-8E1E8EFC2E6E@gmail.com> Message-ID: "Also keep in mind that there are no confirmed on the record cases to date of a Tor 'break/weakness' having been used to find a user. It appears to be only user error." One of the perdurable claims of comsec promoters is that comsec breaks and weaknesses inevitably turn out to be user errors. Exactly who the fictitious user is remains obscure but assuredly means somebody other than the comsec promoter user who inevitably offers a greatly improved product, trust them. Tor is especially adept at blaming users, itself faultless except for lack of volunteers to patch its innumerable holes (caused by clueless users), so much so one might think that is a feature derived from the religion of national security (actually that is its source and shows its heritage of exculpability) which inevitably fails due to lack of funding, political will, public support, unwillingness of youngsters to die for officer careers, that is customers must suffer for company profits. Has there been a better account of inevitable exculpability for inevitable comsec failure than that by NSA in 1998? http://www.nsa.gov/research/_files/publications/inevitability.pdf Still hope continues -- thanks to Edward Snowden and his legions of inevitable comsec failure promoters: Cyber Security Market Forecast 2014-2024: Prospects For Leading Companies in Military, Government, Critical Infrastructure & Private Sector Protection Defence report Cyber attacks continue to dominate the headlines, and with good reason. While the threat of cyber security is often exaggerated, there is no doubt that the enhanced networking of society has created substantial vulnerabilities lurking within its interconnected pathways. With attackers able to strike from anywhere and inflict damage on a significant (but often unnoticed) scale, the threat has never been greater to the reams of knowledge held by governments and enterprise. There is also the threat to military information sharing networks representing a significant challenge: in an era of increased integration between systems and platforms, the very webs which act as force multipliers could collapse. Efforts to counter these extensive vulnerabilities are presently ongoing to an impressive degree, and the speed of these developments is not expected to lessen unduly. As a consequence, visiongain has assessed that the value of the global Cyber Security market in 2014 will reach $76.68bn. Why you should buy Cyber Security Market Forecast 2014-2024: Prospects For Leading Companies in Military, Government, Critical Infrastructure & Private Sector Protection -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2937 bytes Desc: not available URL: From skquinn at rushpost.com Fri Mar 7 12:54:18 2014 From: skquinn at rushpost.com (Shawn K. Quinn) Date: Fri, 07 Mar 2014 14:54:18 -0600 Subject: Bounties In-Reply-To: <20140307163532.GU3180@nl.grid.coop> References: <20140307004156.4CA0A2280F0@palinka.tinho.net> <20140307071503.GA19260@fishbowl.rw.madduck.net> <1787662.03Jrf7cYhK@lap> <20140307122348.GA27936@fishbowl.rw.madduck.net> <20140307163532.GU3180@nl.grid.coop> Message-ID: <1394225658.13960.91901349.7E6D4784@webmail.messagingengine.com> On Fri, Mar 7, 2014, at 10:35 AM, Troy Benjegerdes wrote: [something that had a stupid ASCII art thumb in it to start] Please do us a favor and don't post horseshit like that thumb on this list again. -- Shawn K. Quinn skquinn at rushpost.com From rich at openwatch.net Fri Mar 7 16:39:12 2014 From: rich at openwatch.net (Rich Jones) Date: Fri, 7 Mar 2014 16:39:12 -0800 Subject: [Cryptography] Are Tor hidden services really hidden? In-Reply-To: <531A5880.4040207@cryptolab.net> References: <3BDD63C9-92A6-4E82-B84B-8E1E8EFC2E6E@gmail.com> <531A5880.4040207@cryptolab.net> Message-ID: > If your hidden service isn't a clusterfuck of unpatched Apache and sketchy PHP scripts, then it's not likely to get taken down or located. I agree with your meaning, but not your conclusion. Sketchy PHP and idiot sysadmins (and methylenedioxypyrovalerone) are certainly the primary reason for the recent rash of high profile 0wnage which has been going on lately, that doesn't mean that avoiding those problems will cover your ass in any way. Given enough time, your hidden service can be deanonymized, as shown here: http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf As I stated in a previous thread, I think the key is likely to be to a) redundancy and b) constant movement. R -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 912 bytes Desc: not available URL: From grarpamp at gmail.com Fri Mar 7 15:23:27 2014 From: grarpamp at gmail.com (grarpamp) Date: Fri, 7 Mar 2014 18:23:27 -0500 Subject: Obscurity via Cross-Coin Exchanges In-Reply-To: <531A3D8A.5090603@cathalgarvey.me> References: <531A3D8A.5090603@cathalgarvey.me> Message-ID: On Fri, Mar 7, 2014 at 4:43 PM, Cathal Garvey wrote: > As a way for an individual to "launder", does this look plausible? Is it > any better or worse than laundries as they currently exist? Cross coin exchanges are guaranteed free of crypto taint, so that's better. Cross coin may not require KYC due to not touching fiat, so that's better. But you still have two of the same risks as with same chain exchanges... - logs held by the exchanger - watching the amounts in/out. Cross coin is a bit better here for swaps of casual consumer amounts due to the addition of the variable exchange rate (whereas typical same coin swaps have merely their [in]variable fees). Don't expect to securely swap $1m in one easy overnight shot. From griffin at cryptolab.net Fri Mar 7 15:38:40 2014 From: griffin at cryptolab.net (Griffin Boyce) Date: Fri, 07 Mar 2014 18:38:40 -0500 Subject: [Cryptography] Are Tor hidden services really hidden? In-Reply-To: References: <3BDD63C9-92A6-4E82-B84B-8E1E8EFC2E6E@gmail.com> Message-ID: <531A5880.4040207@cryptolab.net> John Young wrote: > "Also keep in mind that there are no confirmed on the record cases to > date of a Tor 'break/weakness' having been used to find a user. It > appears to be only user error." > > One of the perdurable claims of comsec promoters is that comsec > breaks and weaknesses inevitably turn out to be user errors. Exactly > who the fictitious user is remains obscure but assuredly means > somebody other than the comsec promoter user who inevitably > offers a greatly improved product, trust them. If your hidden service isn't a clusterfuck of unpatched Apache and sketchy PHP scripts, then it's not likely to get taken down or located. If you're a terrible webmaster, you're obviously running a huge risk with running a website, even if it is a hidden service. Tor isn't magic. It can't magically make a terrible website awesome. It just adds additional security -- it can't be the *entire* security plan. ~Griffin From rysiek at hackerspace.pl Fri Mar 7 10:54:13 2014 From: rysiek at hackerspace.pl (rysiek) Date: Fri, 07 Mar 2014 19:54:13 +0100 Subject: Idiots [was: Bounties] In-Reply-To: <1394200874.18398.91742737.23DBA41F@webmail.messagingengine.com> References: <20140307004156.4CA0A2280F0@palinka.tinho.net> <20140307122348.GA27936@fishbowl.rw.madduck.net> <1394200874.18398.91742737.23DBA41F@webmail.messagingengine.com> Message-ID: <1494367.Qgbs8vfjB3@lap> Dnia piątek, 7 marca 2014 06:01:14 shelley at misanthropia.info pisze: > On Mar 7, 2014 5:22 AM, martin f krafft wrote: > > >>Careful, you are confusing the post-facebook generation who think > > that all problems they encounter are new [...] > > Your smug misassumptions are amusing, especially when you have no idea > what the fuck you are talking about. > > Neither Gwen nor I are of the "post-facebook" generation. I've been > online (meaning using the Internet, which pre-dates the Web by quite a > few years- in case you were unaware) since the mid-eighties, during the > time of monochrome screens and when telling someone to finger you > wouldn't garner snickers from mental midgets like you. > > You completely missed the point of Gwen's post, in which he clearly > talks about breaking 'the rules' to stir up idiots such as yourself, and > to which you still felt the need to make a whiny reply- to make yourself > feel, what...clever? To give yourself some sense of faux cypherpunks > cred? You're not impressing anyone, you just made yourself look a > fucking idiot with no reading comprehension. > > Shut the fuck up and keep your stupid ASSumptions to yourself. I do appreciate the bottom-posting in this e-mail, though. <3 -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From demonfighter at gmail.com Fri Mar 7 17:10:53 2014 From: demonfighter at gmail.com (Steve Furlong) Date: Fri, 7 Mar 2014 20:10:53 -0500 Subject: [Cryptography] Are Tor hidden services really hidden? In-Reply-To: References: <3BDD63C9-92A6-4E82-B84B-8E1E8EFC2E6E@gmail.com> <531A5880.4040207@cryptolab.net> Message-ID: On Fri, Mar 7, 2014 at 7:39 PM, Rich Jones wrote: > Given enough time, your hidden service can be deanonymized > As I stated in a previous thread, I think the key is likely to be to > a) redundancy and b) constant movement. c) Don't get too big, too complicated, or too fancy. Keep your pages or your apps or your web services tightly focused, and not integrated with anything that can be stripped out. If you have multiple services, separate them logically if not physically, and do not provide the convenience feature of automatically logging a user into a second if logs into a first. Don't bring in outside JavaScript or stylesheets or images that you can avoid. This is not specific to hidden TOR services, or to the blacknet, or to selling drugs by mail. -- Neca eos omnes. Deus suos agnoscet. -- Arnaud-Amaury, 1209 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1195 bytes Desc: not available URL: From cathalgarvey at cathalgarvey.me Fri Mar 7 13:43:38 2014 From: cathalgarvey at cathalgarvey.me (Cathal Garvey) Date: Fri, 07 Mar 2014 21:43:38 +0000 Subject: Obscurity via Cross-Coin Exchanges Message-ID: <531A3D8A.5090603@cathalgarvey.me> Hey all, As it came up in the Mt Gox asides in one of the variously titled threads on Nakomoto etc.: Bitcoin's pretty pseudonymous, rather than anonymous. Coin transactions are public, and some can be pinned to real identities, vendors or products, while others can be well inferred, leaving a smaller, hard to quantify set of "really anonymous" addresses, coins and transactions. Added to that, you have coin "taint" and badly patched wallets that mix coins from other addresses when sending payments, correlating various receiving addresses in one single transaction. There are laundries, but my understanding is that they're not highly regarded; their methods may be questionable, potentially they can be untangled. Without a large enough set of users, you have little guarantee of laundering; if only Alice and Bob pay in, and Alice and Bob receive out, then the recipient set is clearly too bad to protect them! OK, big problem. Zerocoin was designed to help fix that problem, by minting a zero-knowledge-proof based 'coin, but it hasn't yet been implemented. What about simply exchanging different blockchain based coins, though? Would that not help to "launder" with reasonable efficacy, provided both participants use crypto to hide the transaction? From the outside, transactions occur on both blockchains, but there's no "data trail" correlating the transactions with one another as there is within each blockchain. So, Alice buys .4 btc from a friend, but knows the friend's opsec might be poor, or that the transaction may have occurred over a bad channel, or that the coins were purchased from an exchange that demands valid phone numbers, etc.: she wants to launder. She contacts Bob, a Dogecoin seller, to set up a private exchange. She asks him to sell her 0.4btc worth of Dogecoin in two transactions of unequal value (to prevent analysis by exchange rate to ID their transaction). They conduct the exchange over an encrypted channel. From the outside, someone knows she's laundering, and just bought Dogecoin, but because they don't know her Dogecoin receiving addresses, they've lost the scent; she now has 0.4btc worth of Dogecoin, and can convert that back to btc again in the same way. In a round trip, she's broken the chain; she keeps her value, minus fees, of 0.4btc, but now it's in different btc, with no blockchain-recorded transaction logs to link the original, tainted btc to the new, clean btc. As a way for an individual to "launder", does this look plausible? Is it any better or worse than laundries as they currently exist? -- Please help support my crowdfunding campaign, IndieBB: Currently at 44.8% of funding goal, with 6 days left: http://igg.me/at/yourfirstgmo/x/4252296 T: @onetruecathal, @IndieBBDNA P: +3538763663185 W: http://indiebiotech.com -------------- next part -------------- A non-text attachment was scrubbed... Name: 0x988B9099.asc Type: application/pgp-keys Size: 6176 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 901 bytes Desc: OpenPGP digital signature URL: From rysiek at hackerspace.pl Fri Mar 7 12:59:45 2014 From: rysiek at hackerspace.pl (rysiek) Date: Fri, 07 Mar 2014 21:59:45 +0100 Subject: [Cryptography] Are Tor hidden services really hidden? In-Reply-To: References: Message-ID: <1600923.GCIs3JEuu6@lap> Dnia piątek, 7 marca 2014 14:31:58 John Young pisze: > "Also keep in mind that there are no confirmed on the record cases to > date of a Tor 'break/weakness' having been used to find a user. It > appears to be only user error." > > One of the perdurable claims of comsec promoters is that comsec > breaks and weaknesses inevitably turn out to be user errors. Exactly > who the fictitious user is remains obscure but assuredly means > somebody other than the comsec promoter user who inevitably > offers a greatly improved product, trust them. > > Tor is especially adept at blaming users, itself faultless except for lack > of volunteers to patch its innumerable holes Would you care to elaborate on the innumerable holes of TOR, please? -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From l at odewijk.nl Fri Mar 7 14:57:58 2014 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Fri, 7 Mar 2014 23:57:58 +0100 Subject: Obscurity via Cross-Coin Exchanges In-Reply-To: <531A3D8A.5090603@cathalgarvey.me> References: <531A3D8A.5090603@cathalgarvey.me> Message-ID: There is not yet any exchange that does not keep meticulous track of transfers, also due to AML laws. A meta-blockchain unfuzzer might still work, as the other coin would also use one. Or there'd be central tracking. Or it would be zerocoin! As long as zerocoin exists somewhere you can chain-switch (exchange) and anonymize. On Mar 7, 2014 11:05 PM, "Cathal Garvey" wrote: > Hey all, > As it came up in the Mt Gox asides in one of the variously titled > threads on Nakomoto etc.: Bitcoin's pretty pseudonymous, rather than > anonymous. Coin transactions are public, and some can be pinned to real > identities, vendors or products, while others can be well inferred, > leaving a smaller, hard to quantify set of "really anonymous" addresses, > coins and transactions. Added to that, you have coin "taint" and badly > patched wallets that mix coins from other addresses when sending > payments, correlating various receiving addresses in one single > transaction. > > There are laundries, but my understanding is that they're not highly > regarded; their methods may be questionable, potentially they can be > untangled. Without a large enough set of users, you have little > guarantee of laundering; if only Alice and Bob pay in, and Alice and Bob > receive out, then the recipient set is clearly too bad to protect them! > > OK, big problem. Zerocoin was designed to help fix that problem, by > minting a zero-knowledge-proof based 'coin, but it hasn't yet been > implemented. > > What about simply exchanging different blockchain based coins, though? > Would that not help to "launder" with reasonable efficacy, provided both > participants use crypto to hide the transaction? From the outside, > transactions occur on both blockchains, but there's no "data trail" > correlating the transactions with one another as there is within each > blockchain. > > So, Alice buys .4 btc from a friend, but knows the friend's opsec might > be poor, or that the transaction may have occurred over a bad channel, > or that the coins were purchased from an exchange that demands valid > phone numbers, etc.: she wants to launder. > > She contacts Bob, a Dogecoin seller, to set up a private exchange. She > asks him to sell her 0.4btc worth of Dogecoin in two transactions of > unequal value (to prevent analysis by exchange rate to ID their > transaction). They conduct the exchange over an encrypted channel. > > From the outside, someone knows she's laundering, and just bought > Dogecoin, but because they don't know her Dogecoin receiving addresses, > they've lost the scent; she now has 0.4btc worth of Dogecoin, and can > convert that back to btc again in the same way. > > In a round trip, she's broken the chain; she keeps her value, minus > fees, of 0.4btc, but now it's in different btc, with no > blockchain-recorded transaction logs to link the original, tainted btc > to the new, clean btc. > > As a way for an individual to "launder", does this look plausible? Is it > any better or worse than laundries as they currently exist? > > -- > Please help support my crowdfunding campaign, IndieBB: Currently at > 44.8% of funding goal, with 6 days left: > http://igg.me/at/yourfirstgmo/x/4252296 > T: @onetruecathal, @IndieBBDNA > P: +3538763663185 > W: http://indiebiotech.com > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 4002 bytes Desc: not available URL: From rysiek at hackerspace.pl Fri Mar 7 15:13:06 2014 From: rysiek at hackerspace.pl (rysiek) Date: Sat, 08 Mar 2014 00:13:06 +0100 Subject: Obscurity via Cross-Coin Exchanges In-Reply-To: <531A3D8A.5090603@cathalgarvey.me> References: <531A3D8A.5090603@cathalgarvey.me> Message-ID: <2750319.QUFS4bcajf@lap> OHAI, Dnia piątek, 7 marca 2014 21:43:38 Cathal Garvey pisze: > (...) > What about simply exchanging different blockchain based coins, though? > Would that not help to "launder" with reasonable efficacy, provided both > participants use crypto to hide the transaction? From the outside, > transactions occur on both blockchains, but there's no "data trail" > correlating the transactions with one another as there is within each > blockchain. This is interesting. > So, Alice buys .4 btc from a friend, but knows the friend's opsec might > be poor, or that the transaction may have occurred over a bad channel, > or that the coins were purchased from an exchange that demands valid > phone numbers, etc.: she wants to launder. > > She contacts Bob, a Dogecoin seller, to set up a private exchange. She > asks him to sell her 0.4btc worth of Dogecoin in two transactions of > unequal value (to prevent analysis by exchange rate to ID their > transaction). They conduct the exchange over an encrypted channel. > > From the outside, someone knows she's laundering, and just bought > Dogecoin, but because they don't know her Dogecoin receiving addresses, > they've lost the scent; Well played, Sir, I didn't see that pun coming! > she now has 0.4btc worth of Dogecoin, and can convert that back to btc > againin the same way. > > In a round trip, she's broken the chain; she keeps her value, minus > fees, of 0.4btc, but now it's in different btc, with no > blockchain-recorded transaction logs to link the original, tainted btc > to the new, clean btc. Wouldn't it be possible and even possibly more effective (no 3rd party involved, any price can be set) for Alice to do the round-trip by herself? As in: Bob == Alice? I.e. generate a new Dogecoin wallet, generate a new BTC wallet, and use these for the back-and-forth? > As a way for an individual to "launder", does this look plausible? Is it > any better or worse than laundries as they currently exist? -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From hettinga at gmail.com Sat Mar 8 03:48:41 2014 From: hettinga at gmail.com (Robert Hettinga) Date: Sat, 8 Mar 2014 07:48:41 -0400 Subject: Bounties In-Reply-To: <1394225658.13960.91901349.7E6D4784@webmail.messagingengine.com> References: <20140307004156.4CA0A2280F0@palinka.tinho.net> <20140307071503.GA19260@fishbowl.rw.madduck.net> <1787662.03Jrf7cYhK@lap> <20140307122348.GA27936@fishbowl.rw.madduck.net> <20140307163532.GU3180@nl.grid.coop> <1394225658.13960.91901349.7E6D4784@webmail.messagingengine.com> Message-ID: On Mar 7, 2014, at 4:54 PM, Shawn K. Quinn wrote: > Please do us a favor and don't post horseshit like that thumb on this > list again. Somewhere Vulis is laughing… Cheers, RAH Spit! -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 496 bytes Desc: Message signed with OpenPGP using GPGMail URL: From hettinga at gmail.com Sat Mar 8 03:51:48 2014 From: hettinga at gmail.com (Robert Hettinga) Date: Sat, 8 Mar 2014 07:51:48 -0400 Subject: [Cryptography] See??? Satoshi Nakamoto Smeared In-Reply-To: References: Message-ID: <79FD4349-7AE0-48DF-ABED-DDF3CCAE6E22@gmail.com> On Mar 7, 2014, at 9:24 PM, Phillip Hallam-Baker wrote: > Actually RAH did invent BitCoin and was feeling the heat a little and so used some of the $0.5 Billion he stashed away in BTC to hire an actor to pretend to be Satoshi. To act as a distraction... > Dang. It almost worked, too… Poor bastard. Cheers, RAH -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 496 bytes Desc: Message signed with OpenPGP using GPGMail URL: From rysiek at hackerspace.pl Sat Mar 8 02:12:53 2014 From: rysiek at hackerspace.pl (rysiek) Date: Sat, 08 Mar 2014 11:12:53 +0100 Subject: [Cryptography] Are Tor hidden services really hidden? In-Reply-To: References: Message-ID: <1447071.nprlQFz3LT@lap> Dnia piątek, 7 marca 2014 20:10:53 Steve Furlong pisze: > On Fri, Mar 7, 2014 at 7:39 PM, Rich Jones wrote: > > Given enough time, your hidden service can be deanonymized > > > > As I stated in a previous thread, I think the key is likely to be to > > a) redundancy and b) constant movement. > > c) Don't get too big, too complicated, or too fancy. Keep your pages or > your apps or your web services tightly focused, and not integrated with > anything that can be stripped out. If you have multiple services, separate > them logically if not physically, and do not provide the convenience > feature of automatically logging a user into a second if logs into a first. > Don't bring in outside JavaScript or stylesheets or images that you can > avoid. With just a few corner cases (but hey, who embeds YT videos on their site, srsly) ALL external JS/CSS/images/fonts/etc can be avoided. And should be avoided. You need to use a particular library or image resource? Keep these on your server and serve them from there. Can't legally do that? Find other media or libraries instead. Want to use Google Analytics? Why don't you have a seat over there. Over there. > This is not specific to hidden TOR services, or to the blacknet, or to > selling drugs by mail. Indeed. -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From l at odewijk.nl Sat Mar 8 04:00:18 2014 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Sat, 8 Mar 2014 13:00:18 +0100 Subject: [Cryptography] See??? Satoshi Nakamoto Smeared In-Reply-To: References: Message-ID: On Mar 8, 2014 3:42 AM, "Phillip Hallam-Baker" wrote: > Actually RAH did invent BitCoin and was feeling the heat a little and so used some of the $0.5 Billion he stashed away in BTC to hire an actor to pretend to be Satoshi. To act as a distraction... > > > The disclosure of Satoshi might be the start of the end for BTC. Before BitCoin was a tabula risa on which everyone could write their own goals for a perfect currency. Stop talking out of your ass wil you?... ->Newsweek<- > It also means that his family are at risk of being kidnapped by the seedy types that BTC has attracted. > > > -- > Website: http://hallambaker.com/ > > _______________________________________________ > The cryptography mailing list > cryptography at metzdowd.com > http://www.metzdowd.com/mailman/listinfo/cryptography -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1190 bytes Desc: not available URL: From vfwavrwava at yandex.com Sun Mar 9 03:52:53 2014 From: vfwavrwava at yandex.com (David -) Date: Sun, 09 Mar 2014 14:52:53 +0400 Subject: DPL is closing Message-ID: <14631394362373@web12g.yandex.ru> DPL has been mostly unsuccessful at raising money for the cause. I did receive some generous donations, but clearly insufficient. I guess this failure is not very surprising to anyone, since I could just be another scam. Hell, I probably wouldn't donate to such an unreputable identity. I hope that the DPL listed persons will meet their due treatment, to the benefit of the societies that they supposedly represent. Due to the (understandable) lack of funding this DPL will not play a role in this. I hope that other people with more resources will bankroll the first successful prediction, after which credibility should not be an issue anymore. The remaining funds will be tumbled and directed to a charity. David wasn't able to defeat goliath this time. Goodbye. From coderman at gmail.com Sun Mar 9 19:29:22 2014 From: coderman at gmail.com (coderman) Date: Sun, 9 Mar 2014 19:29:22 -0700 Subject: Red Pike cipher In-Reply-To: <53105C26.8060601@cathalgarvey.me> References: <92e6e17e1f1db50b11c13c4a4ca9c25c@remailer.privacy.at> <53105C26.8060601@cathalgarvey.me> Message-ID: On Fri, Feb 28, 2014 at 1:51 AM, Cathal Garvey wrote: > Was it not in vogue during Crypto Wars 1.0 to promulgate ciphers with a > keystrength that was feasible for big-crypto to smash but not the peasantry? welcome to the brave new world: where the ciphers are strong, but the entropy is weak. we live in strange times! From coderman at gmail.com Sun Mar 9 19:33:41 2014 From: coderman at gmail.com (coderman) Date: Sun, 9 Mar 2014 19:33:41 -0700 Subject: Gox dox'ed Message-ID: it seems the answer is here: http://blog.magicaltux.net/wp-content/uploads/2014/03/MtGox2014Leak.zip http://89.248.171.30/MtGox2014Leak.zip https://mega.co.nz/#!0VliDQBA!4Ontdi2MsLD4J5dV1-sr7pAgEYTSMi8rNeEMBikEhAs http://burnbit.com/download/280433/MtGox2014Leak_zip let me know if you're still short a mirror... On Thu, Feb 27, 2014 at 10:16 PM, Juan Garofalo wrote: > > > --On Thursday, February 27, 2014 11:12 PM -0600 Troy Benjegerdes > wrote: > >> >> I'd argue that centralized systems provide, on averge, a larger anonymity >> set and privacy in the majority of cases than decentralized ones. In >> particular exchanges that everyone believes are 'incompetent' are a >> wonderful place to get a lot of cheap plausible deniability by making >> everyone else that uses it pay for it when the house of cards falls down. > > > In the case of something like mtgox, how did it provide privacy? Or > plausible deniality? Users have to send IDs, bank account details, > everything is logged, etc etc. What am I missing? > > > >> >> >> >> -- >> ------------------------------------------------------------------------- >> --- Troy Benjegerdes 'da hozer' >> hozer at hozed.org 7 elements >> earth::water::air::fire::mind::spirit::soul grid.coop >> >> Never pick a fight with someone who buys ink by the barrel, >> nor try buy a hacker who makes money by the megahash >> >> > > From coderman at gmail.com Sun Mar 9 19:37:22 2014 From: coderman at gmail.com (coderman) Date: Sun, 9 Mar 2014 19:37:22 -0700 Subject: Test #1 In-Reply-To: References: <530BDC28.50704@cpunk.us> Message-ID: On Mon, Feb 24, 2014 at 4:24 PM, APX 808 wrote: > Yup, working fine but really silent, weird considering this weekend gotoFail i've never lamented a bug kill like this one. ever since my first mallory'ing with fixed certs have i loved thee... *tears* guess i need to burn them faster... i'm honestly astonished this took so long to discover. WTF!?! From coderman at gmail.com Sun Mar 9 19:41:01 2014 From: coderman at gmail.com (coderman) Date: Sun, 9 Mar 2014 19:41:01 -0700 Subject: CIA Project CHAOS/MHCHAOS In-Reply-To: <530EB3FD.2050903@entersection.org> References: <530EB3FD.2050903@entersection.org> Message-ID: On Wed, Feb 26, 2014 at 7:41 PM, Gregory Foster wrote: >... >> The file [scheduled for destruction] contains 7840 of a total of >> 8,328 folders on individual U.S. persons > > ... > > Now about that alleged CIA/FBI line between foreign and domestic > surveillance... FBI DITU is front man for NSA's domestic adventures. CIA is all humint these days, so boring... From coderman at gmail.com Sun Mar 9 19:48:01 2014 From: coderman at gmail.com (coderman) Date: Sun, 9 Mar 2014 19:48:01 -0700 Subject: [Cryptography] Get offa my lawn. (was Re: BitCoin bug reported) In-Reply-To: <2C454B95-CCE1-43BE-B50C-4556B8ADE398@gmail.com> References: <92747E0D-32A0-4167-A770-D089F277DB87@gmail.com> <2C454B95-CCE1-43BE-B50C-4556B8ADE398@gmail.com> Message-ID: On Mon, Feb 17, 2014 at 10:56 AM, Robert Hettinga wrote: >> Having to file several kinds of forms to get paid for a small consulting job as US citizen outside the US was enough to make me foreswear getting paid for much of anything anymore,... "Please submit forms X, Y, and Z with appropriate certified attestation and accompanying documentation." 'fuck that! i'd rather eat squirrel..' From coderman at gmail.com Sun Mar 9 19:51:33 2014 From: coderman at gmail.com (coderman) Date: Sun, 9 Mar 2014 19:51:33 -0700 Subject: chip vulns [was: Snowden and Compilers] Message-ID: On Tue, Feb 11, 2014 at 1:47 PM, Kelly John Rose wrote: > I could see them more easily subverting chip designs themselves then trying > to subvert the entire compiler ecosystem. ^ this. so,... how 'bout that malay crash? From coderman at gmail.com Sun Mar 9 20:01:46 2014 From: coderman at gmail.com (coderman) Date: Sun, 9 Mar 2014 20:01:46 -0700 Subject: Inferring the NSA's MO from a short clip of Joel Brenner on BBC In-Reply-To: <20140214183724.5F6C42280CC@palinka.tinho.net> References: <20140214183724.5F6C42280CC@palinka.tinho.net> Message-ID: dan you're my favorite source of signal on this list. On Fri, Feb 14, 2014 at 10:37 AM, wrote: > ... > If I may synthesize from the material you posted, in the digital > world we are growing the attack surface faster than we can grow our > defensive capacity. o/~ ... your attack surface is a wonderland, ... o/~ [to the tune of J. Mayer] > I'm on the record in proposing to deliver a shock to the entire > system of software vendors by using the Treasury of the United > States to simply corner the world market in vulnerabilities and > exploits and to concommitantly release them to the public -- the > moral equivalent of administering an unproven chemotherapy for an > otherwise terminal cancer. good first step! then provide blanket legal immunity to security activities. then provide educational support for vulnerability discovery and remediation. then provide material assistance in term of compute, storage, bandwidth toward security efforts. ... why don't people like this idea? i love it! ;) From coderman at gmail.com Sun Mar 9 20:04:56 2014 From: coderman at gmail.com (coderman) Date: Sun, 9 Mar 2014 20:04:56 -0700 Subject: A Surprisingly Easy Tool for Encrypting Email, Courtesy of an Ex-NSA Employee In-Reply-To: <52FAC69A.5030409@virtadpt.net> References: <009101cf2765$6f91a5b0$4eb4f110$@net> <52FAC69A.5030409@virtadpt.net> Message-ID: On Tue, Feb 11, 2014 at 4:55 PM, The Doctor wrote: > .... > Announcing that one is a former NSA employee should be enough to cause > people to run screaming from it... not quite CIA, but really, how many NSA "really" retire? ;) From coderman at gmail.com Sun Mar 9 20:08:37 2014 From: coderman at gmail.com (coderman) Date: Sun, 9 Mar 2014 20:08:37 -0700 Subject: [cryptography] Snowden Drop to Poitras and Greenwald Described In-Reply-To: <52F72DC5.3020407@iang.org> References: <52F72DC5.3020407@iang.org> Message-ID: On Sat, Feb 8, 2014 at 11:27 PM, ianG wrote: > ... So what > British Intelligence did was to switch gears and harass his operations > to make them as difficult as possible. Instead of trying to necessarily > stop the bombs, they pushed gear across that made bomb making risky, and > aggressively clamped down on 'safe' gear where they could. In effect, > making unstable explosives and detonators available, and controlling the > market for the quality stuff. > > So the bomb maker was forced into employing ever more risky techniques ... > > This tactic of harassing the enemy to make mistakes more likely is > rather well known. In war as in business. And it can and is applied to > the media. if you haven't observed this in the information security domain, you're not paying attention, of you're incompetent. From coderman at gmail.com Sun Mar 9 20:12:44 2014 From: coderman at gmail.com (coderman) Date: Sun, 9 Mar 2014 20:12:44 -0700 Subject: Taint Review Team In-Reply-To: <1391552777.89859.YahooMailNeo@web126204.mail.ne1.yahoo.com> References: <1391552777.89859.YahooMailNeo@web126204.mail.ne1.yahoo.com> Message-ID: On Tue, Feb 4, 2014 at 2:26 PM, jim bell wrote: > ... > It appears that these agencies are trying to teach their staff a way to > commit a crime, let's call it "obstruction of justice". hey now, your "crime" is my mistrial and dismissal with prejudice! don't knock it till you've tried it. ;) From coderman at gmail.com Sun Mar 9 20:15:33 2014 From: coderman at gmail.com (coderman) Date: Sun, 9 Mar 2014 20:15:33 -0700 Subject: [cryptography] Jean-Jacques Quisquater on Alleged NSA-GCHQ Hack In-Reply-To: References: Message-ID: On Thu, Feb 6, 2014 at 9:20 AM, John Young wrote: > http://cryptome.org/2014/02/quisquater-comments.htm he got the clueless dork treatment. just watch what they do to peeps they *really* dislike! From coderman at gmail.com Sun Mar 9 20:19:36 2014 From: coderman at gmail.com (coderman) Date: Sun, 9 Mar 2014 20:19:36 -0700 Subject: [cryptography] Alleged NSA-GCHQ Attack on Jean-Jacques Quisquater In-Reply-To: References: Message-ID: On Sun, Feb 2, 2014 at 4:03 AM, John Young wrote: > .... > Apparently Quisquater would not have known about the > attack if not told by an insider. yup. not even a slight concern on their minds. "hmmm, must be updating locate db..." > Any other cryptographer attacked (as if it would be known)? they're boring, admittedly little relevance. ... the hot targets are... ? From coderman at gmail.com Sun Mar 9 20:21:38 2014 From: coderman at gmail.com (coderman) Date: Sun, 9 Mar 2014 20:21:38 -0700 Subject: DPL is closing In-Reply-To: <14631394362373@web12g.yandex.ru> References: <14631394362373@web12g.yandex.ru> Message-ID: On Sun, Mar 9, 2014 at 3:52 AM, David - wrote: > ... > I hope that the DPL listed persons will meet their due treatment... still alive and disgruntled. you failed me David! From coderman at gmail.com Sun Mar 9 20:25:31 2014 From: coderman at gmail.com (coderman) Date: Sun, 9 Mar 2014 20:25:31 -0700 Subject: Oh the humanity!! [was: MaidSafe: p2p encrypted anonymous drivesharing homedir network?] Message-ID: On Thu, Jan 30, 2014 at 3:34 AM, rysiek wrote: > ... > TALKS ABOUT DECENTRALISATION > CHOOSES A CENTRALISED SERVICE AS MAIN COMMUNICATION CHANNEL this shit makes me laugh every day of the week. thank you! From coderman at gmail.com Sun Mar 9 20:30:41 2014 From: coderman at gmail.com (coderman) Date: Sun, 9 Mar 2014 20:30:41 -0700 Subject: Jim Bell comes to Cypherpunks? In-Reply-To: References: <1388522481.31937.YahooMailNeo@web141205.mail.bf1.yahoo.com> <201401011908.s01J8Vtl016061@new.toad.com> <5936A644-1145-4ED7-A10A-90CB4A85990E@riseup.net> <1388622376.69491.YahooMailNeo@web141205.mail.bf1.yahoo.com> <1388652575.95433.YahooMailNeo@web160704.mail.bf1.yahoo.com> <1388654366.20212.YahooMailNeo@web141206.mail.bf1.yahoo.com> Message-ID: On Wed, Jan 29, 2014 at 2:24 PM, Cari Machet wrote: > ... found some beautiful people in san fran to help you with the matter of > handing off your key > > ... the eff declined to help in this matter - for future reference ... ... wut? are my EFF donations dollars going to perry's drug habit or what? From juan.g71 at gmail.com Sun Mar 9 20:04:08 2014 From: juan.g71 at gmail.com (Juan Garofalo) Date: Mon, 10 Mar 2014 00:04:08 -0300 Subject: Gox dox'ed In-Reply-To: References: Message-ID: --On Sunday, March 09, 2014 7:33 PM -0700 coderman wrote: > it seems the answer is here: lol! (See how evil top posting is? =P - It took me a couple of minutes to figure out that my question was finally being answered =) ) > > http://blog.magicaltux.net/wp-content/uploads/2014/03/MtGox2014Leak.zip > http://89.248.171.30/MtGox2014Leak.zip > https://mega.co.nz/#!0VliDQBA!4Ontdi2MsLD4J5dV1-sr7pAgEYTSMi8rNeEMBikEhAs > http://burnbit.com/download/280433/MtGox2014Leak_zip > > > let me know if you're still short a mirror... > > > On Thu, Feb 27, 2014 at 10:16 PM, Juan Garofalo > wrote: >> >> >> --On Thursday, February 27, 2014 11:12 PM -0600 Troy Benjegerdes >> wrote: >> >>> >>> I'd argue that centralized systems provide, on averge, a larger >>> anonymity set and privacy in the majority of cases than decentralized >>> ones. In particular exchanges that everyone believes are 'incompetent' >>> are a wonderful place to get a lot of cheap plausible deniability by >>> making everyone else that uses it pay for it when the house of cards >>> falls down. >> >> >> In the case of something like mtgox, how did it provide privacy? >> Or plausible deniality? Users have to send IDs, bank account >> details, everything is logged, etc etc. What am I missing? >> >> >> >>> >>> >>> >>> -- >>> ----------------------------------------------------------------------- >>> -- --- Troy Benjegerdes 'da hozer' >>> hozer at hozed.org 7 elements >>> earth::water::air::fire::mind::spirit::soul grid.coop >>> >>> Never pick a fight with someone who buys ink by the barrel, >>> nor try buy a hacker who makes money by the megahash >>> >>> >> >> > From coderman at gmail.com Mon Mar 10 00:30:25 2014 From: coderman at gmail.com (coderman) Date: Mon, 10 Mar 2014 00:30:25 -0700 Subject: [cryptography] NIST asks for comment on its crypto standards processes In-Reply-To: <530B1A6D.1060100@iang.org> References: <530B1A6D.1060100@iang.org> Message-ID: On Mon, Feb 24, 2014 at 2:09 AM, ianG wrote: > ... > NIST is responsible for developing standards, guidelines, tools and > metrics to protect non-national security federal information systems... > > In November 2013, NIST announced it would review its cryptographic > standards development process after concerns were raised about > [anything NIST touched or looked at twice] in 2014 NIST transitioned into its proper role as crypto satirist and populist punching bag. by 2020 full irrelevance is expected, with the shame of engineering fraud firmly in the past. best regards, may you live in interesting times! From coderman at gmail.com Mon Mar 10 00:36:22 2014 From: coderman at gmail.com (coderman) Date: Mon, 10 Mar 2014 00:36:22 -0700 Subject: [cryptome] Re: German Television does first Edward Snowden Interview In-Reply-To: References: <52EE5F4E.4090402@riseup.net> <52EE6ED6.10101@riseup.net> <52EE6FBF.3010404@riseup.net> Message-ID: On Sun, Feb 2, 2014 at 10:47 AM, John Young wrote: > Interview on Cryptome since 27 January 2014. > > http://cryptome.org/2014/01/snowden-video-13-0126.zip > > A takedown demand is always welcome to stir hornets > of dissent. since cryptome abandoned twitter, can we get a cryptome-dmca-and-or-legal-takedown feed instead? From rysiek at hackerspace.pl Mon Mar 10 00:12:40 2014 From: rysiek at hackerspace.pl (rysiek) Date: Mon, 10 Mar 2014 08:12:40 +0100 Subject: Oh the humanity!! [was: MaidSafe: p2p encrypted anonymous drivesharing homedir network?] In-Reply-To: References: Message-ID: <15878430.iWgho570zG@lap> Dnia niedziela, 9 marca 2014 20:25:31 coderman pisze: > On Thu, Jan 30, 2014 at 3:34 AM, rysiek wrote: > > ... > > TALKS ABOUT DECENTRALISATION > > CHOOSES A CENTRALISED SERVICE AS MAIN COMMUNICATION CHANNEL > > this shit makes me laugh every day of the week. thank you! This ain't funny! -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From rich at openwatch.net Mon Mar 10 15:51:18 2014 From: rich at openwatch.net (Rich Jones) Date: Mon, 10 Mar 2014 15:51:18 -0700 Subject: DPL is closing In-Reply-To: <14631394362373@web12g.yandex.ru> References: <14631394362373@web12g.yandex.ru> Message-ID: Sad to see this go. Judging by some of the comments on /r/onions, I think most of the community didn't quite get it, and saw your project as less of a political tool and more like something akin to sports betting. Subtlety is a dead art. Now crowd funding is a main-stream thing, I think you have to look at other successful crowd funded campaigns and platforms to see what works and what doesn't. People are more likely to give to individual campaigns rather than general causes, I think DPL may have been a bit too open-ended. I took a stab at something similar but it never got very far off the ground, but perhaps you'd want to talk about picking the pieces up? From my side-project graveyard: https://github.com/Miserlou/HitStarter Also.. does UnfriendlySolution count as a charity? -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1007 bytes Desc: not available URL: From grarpamp at gmail.com Mon Mar 10 14:45:33 2014 From: grarpamp at gmail.com (grarpamp) Date: Mon, 10 Mar 2014 17:45:33 -0400 Subject: DPL is closing In-Reply-To: References: <14631394362373@web12g.yandex.ru> Message-ID: > still alive and disgruntled. you failed me David! I'd do it for your BTC wallet, a tank of petrol and a Big Mac. And don't fucking forget the pickle either bitch, I hate it when they do that. BTC: 1NjEAEbmh1F8Z9dG38i22YRWKtXVjBMeMj From l at odewijk.nl Mon Mar 10 17:54:15 2014 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Tue, 11 Mar 2014 01:54:15 +0100 Subject: Jim Bell comes to Cypherpunks? In-Reply-To: References: <1388522481.31937.YahooMailNeo@web141205.mail.bf1.yahoo.com> <201401011908.s01J8Vtl016061@new.toad.com> <5936A644-1145-4ED7-A10A-90CB4A85990E@riseup.net> <1388622376.69491.YahooMailNeo@web141205.mail.bf1.yahoo.com> <1388652575.95433.YahooMailNeo@web160704.mail.bf1.yahoo.com> <1388654366.20212.YahooMailNeo@web141206.mail.bf1.yahoo.com> Message-ID: 2014-03-11 1:27 GMT+01:00 Sampo Syreeni : > On 2014-03-09, coderman wrote: > > are my EFF donations dollars going to perry's drug habit or what? >> > > What you really should be asking is, would that be such a bad thing? Perry works best the way Perry works best. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 709 bytes Desc: not available URL: From coderman at gmail.com Tue Mar 11 02:08:58 2014 From: coderman at gmail.com (coderman) Date: Tue, 11 Mar 2014 02:08:58 -0700 Subject: Jim Bell comes to Cypherpunks? In-Reply-To: References: <1388522481.31937.YahooMailNeo@web141205.mail.bf1.yahoo.com> <201401011908.s01J8Vtl016061@new.toad.com> <5936A644-1145-4ED7-A10A-90CB4A85990E@riseup.net> <1388622376.69491.YahooMailNeo@web141205.mail.bf1.yahoo.com> <1388652575.95433.YahooMailNeo@web160704.mail.bf1.yahoo.com> <1388654366.20212.YahooMailNeo@web141206.mail.bf1.yahoo.com> Message-ID: Jim it seems the cost of key exchange is a fifth of whiskey or a dub of dank... From coderman at gmail.com Tue Mar 11 02:11:00 2014 From: coderman at gmail.com (coderman) Date: Tue, 11 Mar 2014 02:11:00 -0700 Subject: journalist + snowden leaks == keep away forever? Message-ID: "Bart Gellman reveals government officials have warned him he's exposing himself to Espionage Act liability by publishing Snowden documents" From coderman at gmail.com Tue Mar 11 02:24:10 2014 From: coderman at gmail.com (coderman) Date: Tue, 11 Mar 2014 02:24:10 -0700 Subject: journalist + snowden leaks == keep away forever? In-Reply-To: References: Message-ID: On Tue, Mar 11, 2014 at 2:11 AM, coderman wrote: > "Bart Gellman reveals government officials have warned him he's > exposing himself to Espionage Act liability by publishing Snowden > documents" quote appears to be from this story: http://www.theguardian.com/technology/2014/mar/10/edward-snowden-surveillance-government-nsa-gchq-barton-gellman """ Asked whether he has been harassed when writing about Snowden, Gellman said no. "I have not been harassed. I've had some interesting exchanges with government reps of various temperatures. But I speak to them before every story. If they want to demonstrate falsity I want to hear it, and if they want to tell me about specific damage I would be doing then it want to hear that too. I get warnings about the espionage act and I assume that I'm more interesting than I used to be. And Google has warned me that they believe a state-sponsored hacker is attempting to compromise my computer... I assume that is more likely to be a foreign agency." """ --- Snowden has shown the 'huge disparity of surveillance and power', says Gellman Government needs reminding that they work for us, says Pulitzer-winning reporter Barton Gellman, who describes Edward Snowden as ending an era of indifference to surveillance Jemima Kiss theguardian.com, Monday 10 March 2014 16.45 GMT Encryptions tools must be simplified and made accessible for the mainstream, Pulitzer-winning journalist Barton Gellman said on Monday, calling on the tech industry to have the courage and ingenuity to help address the disparity of power between the people and their government. Addressing the SXSW festival shortly before Edward Snowden's live speech by video, Gellman said we are a long way off simple, transparent encryption tools. He cited Pew research which found that 88% of Americans say they have taken steps to protect their privacy in some form. "With all the user interface brains out there we could get easier tools," he said. "But it's not just the ability to encrypt, it's a frame of mind, a workflow and a discipline that is alien to most people, and that is the opposite to the open nature of the consumer internet. You could use Tor to access a site a hundred times, but the 101st time you forget, you may as well not have used Tor." "There are people at this conference who have taken very considerable risk to protect the privacy of their customers and have put themselves at the edge of the door to jail and it will take courage as well as ingenuity to change the way things work." Metadata is more powerful than phone tapping Gellman, who interviewed Snowden in Russia in 2013, said Snowden has highlighted the peak indifference to security. Metadata is incredibly potent as a method of surveillance, yet most internet users fail to understand how powerful it can be in aggregate. "One of the great gifts of Snowden is that he has shown what surveillance can do," he said. Gellman told of a colleague who said he wasn't concerned about metadata and his privacy, a colleague who used Twitter heavily and with location stamps. So Gellman downloaded three months worth of Twitter location stamps and plotted them on a Google map, plotting the times, frequency and significance of each location. His horrified colleague consequently changed much of his behaviour online. "I would rather someone listened in to all my phone calls than accessed my metadata - you can learn much more about me from that metadata." Whistleblowers - traitors or lantern bearers? Gellman doesn't like the word 'whistleblower'. On one side are many in government who say he signed an agreement not to disclose information, and that disclosing specific unlawful behaviour, or waste, should be dealt with by internal channels. Snowden himself did speak to around ten supervisors and to colleagues informally with some questions about their work, and at one point asked if what they were doing would pass 'the front page test'. "That's a pretty bold thing to do when you're gathering documents and speaking to three reporters," he said. "But the illegality test is too narrow. "If the idea is genuine that the government works for us, and information is power, we are living inside a one-way mirror because they know more and more about us and we know less and less about them. There's a huge disparity of power." "Do we think it's a good idea to listen to every call, to bust encryption standards... if it's a big policy question, and stuff is being done behind our backs that might shock us if we knew about it, there's pretty good reason to put it out there. Forget whistleblower - it should be lantern holder." How has the NSA surveillance story stayed live? "Snowden paid very careful attention to what had happened to other whistleblowers that hadn't had a long-term impact, and was careful to produce the documents... If Snowden had asked me 6-8 months later [if this story and still been live] but he has got to have exceed every plausible estimation about impact. It's because he didn't realise the documents all at once." That pace was less about Snowden releasing the documents slowly but about the work journalists need to do to verify and interrogate before they publish. Doctorow said he was most concerned by the programmes known as Bullrun in the US and Edgehill in the UK, which saw the NSA spend $250,000 a year spend trying to sabotage security standards and have backdoors built into security products. "In the second world war, countries had their own encryption tools but now we share networks and tools, and if you can undermine the random number generator - if you can make it less random - and that's what the NSA was doing by trying to trick, buy or persuade companies to make their encryption more breakable," said Gellman. "They would create an encryption standard that only they would break - that would let them be both information assurance and signal intelligence." Was Prism effectively a front for the more substantial fibre optic and undersea cable tapping? Interviewing Gellman, Cory Doctorow said: "The reason for Prism was to give them a plausible reason to know about the things they knew from the fibre taps and not alerting the companies." When Prism started Twitter barely existed, Facebook was limited to college campuses and Google was tiny. How did Snowden get the documents out? Asked whether he has been harassed when writing about Snowden, Gellman said no. "I have not been harassed. I've had some interesting exchanges with government reps of various temperatures. But I speak to them before every story. If they want to demonstrate falsity I want to hear it, and if they want to tell me about specific damage I would be doing then it want to hear that too. I get warnings about the espionage act and I assume that I'm more interesting than I used to be. And Google has warned me that they believe a state-sponsored hacker is attempting to compromise my computer... I assume that is more likely to be a foreign agency." "Do I worry about doing harm and putting lives at risk? Of course I do. There are things in the documents I don't think should be published and there are things Snowden doesn't think should be published... "He's a very smart guy on a lot of levels, and a very nimble mind. There lots of boundaries he draws with me, and as a reporter I look for side-channel attacks... Genghis Khan didn't try to known down the Great Wall of China - he bribed the guards and put up ladders. But he Snowden won't tell me how he got the documents out, for example." From decoy at iki.fi Mon Mar 10 17:27:26 2014 From: decoy at iki.fi (Sampo Syreeni) Date: Tue, 11 Mar 2014 02:27:26 +0200 (EET) Subject: Jim Bell comes to Cypherpunks? In-Reply-To: References: <1388522481.31937.YahooMailNeo@web141205.mail.bf1.yahoo.com> <201401011908.s01J8Vtl016061@new.toad.com> <5936A644-1145-4ED7-A10A-90CB4A85990E@riseup.net> <1388622376.69491.YahooMailNeo@web141205.mail.bf1.yahoo.com> <1388652575.95433.YahooMailNeo@web160704.mail.bf1.yahoo.com> <1388654366.20212.YahooMailNeo@web141206.mail.bf1.yahoo.com> Message-ID: On 2014-03-09, coderman wrote: > are my EFF donations dollars going to perry's drug habit or what? What you really should be asking is, would that be such a bad thing? -- Sampo Syreeni, aka decoy - decoy at iki.fi, http://decoy.iki.fi/front +358-40-3255353, 025E D175 ABE5 027C 9494 EEB0 E090 8BA9 0509 85C2 From carimachet at gmail.com Mon Mar 10 19:47:53 2014 From: carimachet at gmail.com (Cari Machet) Date: Tue, 11 Mar 2014 02:47:53 +0000 Subject: Jim Bell comes to Cypherpunks? In-Reply-To: References: <1388522481.31937.YahooMailNeo@web141205.mail.bf1.yahoo.com> <201401011908.s01J8Vtl016061@new.toad.com> <5936A644-1145-4ED7-A10A-90CB4A85990E@riseup.net> <1388622376.69491.YahooMailNeo@web141205.mail.bf1.yahoo.com> <1388652575.95433.YahooMailNeo@web160704.mail.bf1.yahoo.com> <1388654366.20212.YahooMailNeo@web141206.mail.bf1.yahoo.com> Message-ID: On Tue, Mar 11, 2014 at 12:54 AM, Lodewijk andré de la porte wrote: > 2014-03-11 1:27 GMT+01:00 Sampo Syreeni : > > On 2014-03-09, coderman wrote: >> >> are my EFF donations dollars going to perry's drug habit or what? >>> >> >> What you really should be asking is, would that be such a bad thing? > > > Perry works best the way Perry works best. > fight for your drug addict rights -- Cari Machet NYC 646-436-7795 carimachet at gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2027 bytes Desc: not available URL: From carimachet at gmail.com Mon Mar 10 22:42:13 2014 From: carimachet at gmail.com (Cari Machet) Date: Tue, 11 Mar 2014 05:42:13 +0000 Subject: [Cryptography] See??? Satoshi Nakamoto Smeared In-Reply-To: <1394324242.21327.31.camel@excessive.dsl.static.sonic.net> References: <1394324242.21327.31.camel@excessive.dsl.static.sonic.net> Message-ID: On Sun, Mar 9, 2014 at 12:17 AM, Bear wrote: > On Fri, 2014-03-07 at 10:23 -0500, John Kelsey wrote: > > So the reporter found someone who might be the inventor of bitcoin, or > might be a little crazy and just saying so, or might be sick of weirdos > "tracking him down" because of his name and just be saying what he thinks > will get the reporter to go away. From what is in the article, how would > we distinguish these possibilities? > > > > --John > > And let's not forget the possibility, that when he said > "I no longer have anything to do with that and I can't > talk about it," he might have been talking about his prior > work for the US gummint, and the reporter simply quoted > him with an implication that he was talking about Bitcoin. > > "Can't talk about it" is some pretty specific language, I > think. It sounds to me like an NDA, not a project now being > carried on by others. > > I'd never have believed how much reporters misquote folks > or misapply the quotes they reproduce correctly, until I > actually got some first-hand experience with it. > > > and he says something in the ap interview about that bitcoin was developed in 2001 - when i think the whitepaper was presented in 2008 - he says he was working on developing something else at that time i think you are right - i know from dealing with ppl who have signed agreements re classified info that they can be kinda obsessed with that - he may have been referencing that instead journalist can be totally fraudulent for sure but others in the article seemed to blab a lot - people are strange theres like a switch that gets turned on when they talk to interviewers a ´stupid switch´ > > _______________________________________________ > The cryptography mailing list > cryptography at metzdowd.com > http://www.metzdowd.com/mailman/listinfo/cryptography > -- Cari Machet NYC 646-436-7795 carimachet at gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 3657 bytes Desc: not available URL: From jamesdbell9 at yahoo.com Tue Mar 11 09:10:12 2014 From: jamesdbell9 at yahoo.com (jim bell) Date: Tue, 11 Mar 2014 09:10:12 -0700 (PDT) Subject: Jim Bell comes to Cypherpunks? In-Reply-To: References: <1388522481.31937.YahooMailNeo@web141205.mail.bf1.yahoo.com> <201401011908.s01J8Vtl016061@new.toad.com> <5936A644-1145-4ED7-A10A-90CB4A85990E@riseup.net> <1388622376.69491.YahooMailNeo@web141205.mail.bf1.yahoo.com> <1388652575.95433.YahooMailNeo@web160704.mail.bf1.yahoo.com> <1388654366.20212.YahooMailNeo@web141206.mail.bf1.yahoo.com> Message-ID: <1394554212.14986.YahooMailNeo@web126201.mail.ne1.yahoo.com> That seems doable.         Jim Bell ________________________________ From: coderman To: Cari Machet Cc: "cypherpunks at cpunks.org" ; "barlow at eff.org" ; "gnu at toad.com" Sent: Tuesday, March 11, 2014 2:08 AM Subject: Re: Jim Bell comes to Cypherpunks? Jim it seems the cost of key exchange is a fifth of whiskey or a dub of dank... -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1480 bytes Desc: not available URL: From gfoster at entersection.org Tue Mar 11 09:03:43 2014 From: gfoster at entersection.org (Gregory Foster) Date: Tue, 11 Mar 2014 11:03:43 -0500 Subject: Senator Feinstein, the document leaker Message-ID: <531F33DF.9030804@entersection.org> US Senator Dianne Feinstein (Mar 11) - "Feinstein Statement on Intelligence Committee’s CIA Detention, Interrogation Report": http://www.feinstein.senate.gov/public/index.cfm/press-releases?ID=db84e844-01bb-4eb6-b318-31486374a895 Wherein Senator Feinstein states: > We have no way to determine who made the [CIA's] Internal Panetta Review documents available to the committee. Further, we don’t know whether the documents were provided intentionally by the CIA, unintentionally by the CIA, or intentionally by a whistle-blower. ...and then explains why Senate staffers exfiltrated the documents from the CIA's secure facility: > Unlike the official response, these Panetta Review documents were in agreement with the committee’s findings. That’s what makes them so significant and important to protect. Looks like this information wanted to be free? Quite a story emerging here. gf -- Gregory Foster || gfoster at entersection.org @gregoryfoster <> http://entersection.com/ From iam at kjro.se Tue Mar 11 10:44:34 2014 From: iam at kjro.se (Kelly John Rose) Date: Tue, 11 Mar 2014 11:44:34 -0600 Subject: Satoshi/Newsweek In-Reply-To: References: Message-ID: I'm Satoshi! -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 42 bytes Desc: not available URL: From hettinga at gmail.com Tue Mar 11 09:11:58 2014 From: hettinga at gmail.com (Robert Hettinga) Date: Tue, 11 Mar 2014 12:11:58 -0400 Subject: Fwd: Satoshi/Newsweek References: Message-ID: If anyone wants to talk to a reporter about who Satoshi is… Cheers, RAH Begin forwarded message: > From: Rob Wile > Subject: Satoshi/Newsweek > Date: March 11, 2014 at 11:28:55 AM AST > To: hettinga at gmail.com > > Hey Bob, > Thanks for your Twitter bumps. So I really only have one question, which is simply what the process will have to be for discovering the identity of Satoshi, assuming Newsweek got it wrong. It seems like the only real way will be for the guy/gal to out himself, but wanted to hear any additional thoughts you had. > > Thanks, > > Rob > > -- > Rob Wile > Economics Reporter > Business Insider > (w): 646-376-6092 > (c): 312-806-6565 > rwile at businessinsider.com > @rjwile -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2635 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 496 bytes Desc: Message signed with OpenPGP using GPGMail URL: From shelley at misanthropia.info Tue Mar 11 12:18:08 2014 From: shelley at misanthropia.info (shelley at misanthropia.info) Date: Tue, 11 Mar 2014 12:18:08 -0700 Subject: Satoshi/Newsweek In-Reply-To: <1484566.EbqaH4x9nm@lap> Message-ID: <20140311191813.1D0DF680290@frontend2.nyi.mail.srv.osa> >Mar 11, 2014 12:13 PM, rysiek <rysiek at hackerspace.pl> wrote:   >Aren't we all?.. I already called it for my cat, dammit.  My cat is Satoshi! (bottom posted, just for you <3 ) -s -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 320 bytes Desc: not available URL: From griffin at cryptolab.net Tue Mar 11 09:26:01 2014 From: griffin at cryptolab.net (Griffin Boyce) Date: Tue, 11 Mar 2014 12:26:01 -0400 Subject: Fwd: Satoshi/Newsweek In-Reply-To: References: Message-ID: <531F3919.7070003@cryptolab.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 *sigh* Ya got me. I'm Satoshi. Please encrypt all free lunches and/or model trains with GPG 0xB3C79A63. ~Griffin On 03/11/2014 12:11 PM, Robert Hettinga wrote: > > If anyone wants to talk to a reporter about who Satoshi is… > > Cheers, > RAH > > Begin forwarded message: > >> From: Rob Wile >> Subject: Satoshi/Newsweek >> Date: March 11, 2014 at 11:28:55 AM AST >> To: hettinga at gmail.com >> >> Hey Bob, >> Thanks for your Twitter bumps. So I really only have one question, which is simply what the process will have to be for discovering the identity of Satoshi, assuming Newsweek got it wrong. It seems like the only real way will be for the guy/gal to out himself, but wanted to hear any additional thoughts you had. >> >> Thanks, >> >> Rob >> >> -- >> Rob Wile >> Economics Reporter >> Business Insider >> (w): 646-376-6092 >> (c): 312-806-6565 >> rwile at businessinsider.com >> @rjwile > > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJTHzkZAAoJEAPPSgqzx5pjUqIH/jSCdGiAbSnsc+mP9cZFMJvM cxQstFXNJr0ehvKAtm0gDjVVQNpaprstaiV+0ld9gnrRZkw7U/CRy5MZE/DF/4LS PUQ14ZeGZfU7hB6Zp0d/sUc+kMBqnA1vNje3tWvwitnshZ0ULswWiEiJGMBW1Kck LvxIgijaM7G8KpzifUe/hTK7YIHlAXCj2Hmh+D9n35b95Y1zpUvF9PNWi0UmouRU bloqcRf/wbQaUfr6fX8j+YEjJ+/H8Bsa4EZgpblBboIPW7/UlfHMdMOWbxkUSMp5 5x+ChtRLn/HML0TP1ZWsvcvcq+92Tv2vWRyEqIIfDV2bth011Sy3hfXJgDb+6DE= =z7/O -----END PGP SIGNATURE----- From demonfighter at gmail.com Tue Mar 11 09:38:30 2014 From: demonfighter at gmail.com (Steve Furlong) Date: Tue, 11 Mar 2014 12:38:30 -0400 Subject: Satoshi/Newsweek In-Reply-To: References: Message-ID: I am Satoshicus! -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 69 bytes Desc: not available URL: From odinn.cyberguerrilla at riseup.net Tue Mar 11 13:15:40 2014 From: odinn.cyberguerrilla at riseup.net (Odinn Cyberguerrilla) Date: Tue, 11 Mar 2014 13:15:40 -0700 Subject: Update on Giving project up on Bitcointalk [abis.io] Message-ID: <1e74a864a0a967d2ce5597e602dbd613.squirrel@fulvetta.riseup.net> Hi, Here's an update on the project I've been focusing on. https://bitcointalk.org/index.php?topic=511423.msg5645979 Apart from the stuff mentioned on the bitcointalk post, if you know anyone (yourself included) who is good at video, we are looking to make a new and better video (something short for youtube) to encapsulate the idea that would be visually descriptive of the wallet in use. Please circulate widely. Feel free to e-mail me, also on and off I am available for chat (XMPP, via Pidgin OTR / Adium / Chatsecure) at ABISprotocol at dukgo.com Cheers From gwen at cypherpunks.to Tue Mar 11 13:18:54 2014 From: gwen at cypherpunks.to (gwen hastings) Date: Tue, 11 Mar 2014 13:18:54 -0700 Subject: Satoshi/Newsweek In-Reply-To: <1484566.EbqaH4x9nm@lap> References: <1484566.EbqaH4x9nm@lap> Message-ID: <531F6FAE.8010306@cypherpunks.to> But I REALLY AM Satoshi.. I swear on my little pinkie!! -- Tentacle #99 ecc public key curve p25519(pcp 0.15) 1l0$WoM5C8z=yeZG7?$]f^Uu8.g>4rf#t^6mfW9(rr910 Governments are instituted among men, deriving their just powers from the consent of the governed, that whenever any form of government becomes destructive of these ends, it is the right of the people to alter or abolish it, and to institute new government, laying its foundation on such principles, and organizing its powers in such form, as to them shall seem most likely to effect their safety and happiness.’ https://github.com/TLINDEN/pcp.git to get pcp(curve25519 cli) https://github.com/stef/pbp.git (curve 25519 python based cli) -------------- next part -------------- A non-text attachment was scrubbed... Name: 0x42AA24D5.asc Type: application/pgp-keys Size: 70878 bytes Desc: not available URL: From jon at callas.org Tue Mar 11 14:59:06 2014 From: jon at callas.org (Jon Callas) Date: Tue, 11 Mar 2014 14:59:06 -0700 Subject: Satoshi/Newsweek In-Reply-To: <1484566.EbqaH4x9nm@lap> References: <1484566.EbqaH4x9nm@lap> Message-ID: <7AA4690F-40DA-45D4-A28B-84065C78FA9B@callas.org> On Mar 11, 2014, at 11:23 AM, rysiek wrote: > * PGP Signed by an unknown key > > Dnia wtorek, 11 marca 2014 11:44:34 Kelly John Rose pisze: >> I'm Satoshi! > > Aren't we all?.. I'm not. Jon From grarpamp at gmail.com Tue Mar 11 12:09:26 2014 From: grarpamp at gmail.com (grarpamp) Date: Tue, 11 Mar 2014 15:09:26 -0400 Subject: [tor-talk] Craigslist... In-Reply-To: <531F2B5C.9000605@morehouse.me> References: <531F2B5C.9000605@morehouse.me> Message-ID: > Based on my experiences with the (terrible) Craigslist spam ghosting > algo, attempting to get help for that over the random junk I was > legitimately trying to sell which got me ghosted, and then doing a lot > of research on similar problems had by other users... > > ...which led me to reading about Craigslist's history of "litigation > over innovation" and the (inevitable and correct) complaining about > how terrible every /other/ part of the site is... > > ...and the attempts to talk to Craigslist about such problems by users > and litigation targets, all lead me to believe that attempting to > communicate with Craigslist in any way is like talking to a > particularly recalcitrant wall. They do not care. Sadly their US > monopoly position makes it easy for them to act like bad netizens, and > they do. Since the classified market is basically free under them, > they're like the Windows monopoly. Nobody else can get a fair shake > to take them down, even though a lot of people dream of it. > > Best of luck. :( I actually think there's lots of oppurtunity here, with many online services actually... to win by doing things better in a way that serves the users, not primarily the company. There's money in that. re CL: Afaik there's no patent or trademark on classifieds or 'community' moderation. You could win simply by doing that, not pissing off your users by ghosting (aka stating why your rejection happened), and say umm not silently dropping in/out bound mail, and not trying to play nanny mail relay. Non agnostic or faulty delivery liability anyone? By the way, did you know CL has and does archive every post (and quite probably every image and email) since inception in MongoDB? Want to know their reason? Supposed regulatory compliance and 'Oh, our users might want to repost an ad'. Really? From a month ago, a year ago, ten years ago? Bullshit. They're needless data whores acting against you. Anyway, that's off Tor topic. But I will restate my request for blocking policy/implementation info, rationale, and discussion, for any internet service really, whether on or off list. From hettinga at gmail.com Tue Mar 11 15:24:29 2014 From: hettinga at gmail.com (Robert Hettinga) Date: Tue, 11 Mar 2014 18:24:29 -0400 Subject: Satoshi/Newsweek In-Reply-To: <7AA4690F-40DA-45D4-A28B-84065C78FA9B@callas.org> References: <1484566.EbqaH4x9nm@lap> <7AA4690F-40DA-45D4-A28B-84065C78FA9B@callas.org> Message-ID: <3CAB6C09-87AE-4758-A051-9C93DAE93605@gmail.com> On Mar 11, 2014, at 5:59 PM, Jon Callas wrote: > I'm not. Neither am I. No. Really. Cheers, RAH -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 496 bytes Desc: Message signed with OpenPGP using GPGMail URL: From demonfighter at gmail.com Tue Mar 11 16:05:11 2014 From: demonfighter at gmail.com (Steve Furlong) Date: Tue, 11 Mar 2014 19:05:11 -0400 Subject: Satoshi/Newsweek In-Reply-To: <3CAB6C09-87AE-4758-A051-9C93DAE93605@gmail.com> References: <1484566.EbqaH4x9nm@lap> <7AA4690F-40DA-45D4-A28B-84065C78FA9B@callas.org> <3CAB6C09-87AE-4758-A051-9C93DAE93605@gmail.com> Message-ID: On Tue, Mar 11, 2014 at 6:24 PM, Robert Hettinga wrote: > Neither am I. > No. Really. That's just what I'd /expect/ Satoshi to say. Is it just me, or has no one seen Robert and Satoshi in a photograph together? Is it just me, or does that seem mighty conveeeeenient? -- Neca eos omnes. Deus suos agnoscet. -- Arnaud-Amaury, 1209 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 687 bytes Desc: not available URL: From rysiek at hackerspace.pl Tue Mar 11 11:23:01 2014 From: rysiek at hackerspace.pl (rysiek) Date: Tue, 11 Mar 2014 19:23:01 +0100 Subject: Satoshi/Newsweek In-Reply-To: References: Message-ID: <1484566.EbqaH4x9nm@lap> Dnia wtorek, 11 marca 2014 11:44:34 Kelly John Rose pisze: > I'm Satoshi! Aren't we all?.. -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From jamesdbell9 at yahoo.com Tue Mar 11 19:45:53 2014 From: jamesdbell9 at yahoo.com (jim bell) Date: Tue, 11 Mar 2014 19:45:53 -0700 (PDT) Subject: I figured it out! In-Reply-To: References: <1484566.EbqaH4x9nm@lap> <7AA4690F-40DA-45D4-A28B-84065C78FA9B@callas.org> <3CAB6C09-87AE-4758-A051-9C93DAE93605@gmail.com> Message-ID: <1394592353.70054.YahooMailNeo@web126206.mail.ne1.yahoo.com> What happened is this:  Satoshi, deciding that he didn't have enough Bitcoins, stole another 800,000 BTC from  Mt. Gox, and then he hijacked the Malaysia airliner.  Location currently unknown.            Jim Bell -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 427 bytes Desc: not available URL: From rysiek at hackerspace.pl Tue Mar 11 15:13:50 2014 From: rysiek at hackerspace.pl (rysiek) Date: Tue, 11 Mar 2014 23:13:50 +0100 Subject: Satoshi/Newsweek In-Reply-To: <531F6FAE.8010306@cypherpunks.to> References: <1484566.EbqaH4x9nm@lap> <531F6FAE.8010306@cypherpunks.to> Message-ID: <8576908.yBfzsa9DhF@lap> Dnia wtorek, 11 marca 2014 13:18:54 gwen hastings pisze: > But I REALLY AM Satoshi.. I swear on my little Satoshi!! FTFY. -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From decoy at iki.fi Tue Mar 11 17:52:51 2014 From: decoy at iki.fi (Sampo Syreeni) Date: Wed, 12 Mar 2014 02:52:51 +0200 (EET) Subject: Satoshi/Newsweek In-Reply-To: <3CAB6C09-87AE-4758-A051-9C93DAE93605@gmail.com> References: <1484566.EbqaH4x9nm@lap> <7AA4690F-40DA-45D4-A28B-84065C78FA9B@callas.org> <3CAB6C09-87AE-4758-A051-9C93DAE93605@gmail.com> Message-ID: On 2014-03-11, Robert Hettinga wrote: >> I'm not. > > Neither am I. > > No. Really. Yes, of course, but why did you have to do all that to poor Dorian? -- Sampo Syreeni, aka decoy - decoy at iki.fi, http://decoy.iki.fi/front +358-40-3255353, 025E D175 ABE5 027C 9494 EEB0 E090 8BA9 0509 85C2 From marksteward at gmail.com Tue Mar 11 20:11:41 2014 From: marksteward at gmail.com (Mark Steward) Date: Wed, 12 Mar 2014 03:11:41 +0000 Subject: I figured it out! In-Reply-To: <1394592353.70054.YahooMailNeo@web126206.mail.ne1.yahoo.com> References: <1484566.EbqaH4x9nm@lap> <7AA4690F-40DA-45D4-A28B-84065C78FA9B@callas.org> <3CAB6C09-87AE-4758-A051-9C93DAE93605@gmail.com> <1394592353.70054.YahooMailNeo@web126206.mail.ne1.yahoo.com> Message-ID: https://lh4.googleusercontent.com/-R21272HOMn4/Th8cS1_dt_I/AAAAAAAABKc/_eHBtX8h2kA/dragu-ru-clapping2.gif On Wed, Mar 12, 2014 at 2:45 AM, jim bell wrote: > What happened is this: Satoshi, deciding that he didn't have enough > Bitcoins, stole another 800,000 BTC from Mt. Gox, and then he hijacked the > Malaysia airliner. Location currently unknown. > Jim Bell > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 997 bytes Desc: not available URL: From drwho at virtadpt.net Wed Mar 12 10:32:13 2014 From: drwho at virtadpt.net (The Doctor) Date: Wed, 12 Mar 2014 10:32:13 -0700 Subject: Satoshi/Newsweek In-Reply-To: <1484566.EbqaH4x9nm@lap> References: <1484566.EbqaH4x9nm@lap> Message-ID: <53209A1D.1050307@virtadpt.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 03/11/2014 11:23 AM, rysiek wrote: > Aren't we all?.. These folks certainly are... https://github.com/bitcoin/bitcoin/graphs/contributors - -- The Doctor [412/724/301/703] [ZS] Developer, Project Byzantium: http://project-byzantium.org/ PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1 WWW: https://drwho.virtadpt.net/ "Is this Poli.Sci 101?" "Not remotely." -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEAREKAAYFAlMgmh0ACgkQO9j/K4B7F8GO1ACgu0RHE9dKMsyZBNkwjDjlE6nt 7pcAoONFSL3j1aW4HBkn/n7NMGtpK/Jq =uwb7 -----END PGP SIGNATURE----- From boyscity at gmail.com Wed Mar 12 00:05:46 2014 From: boyscity at gmail.com (Sylvester Liang) Date: Wed, 12 Mar 2014 12:35:46 +0530 Subject: Satoshi/Newsweek In-Reply-To: References: <1484566.EbqaH4x9nm@lap> <7AA4690F-40DA-45D4-A28B-84065C78FA9B@callas.org> <3CAB6C09-87AE-4758-A051-9C93DAE93605@gmail.com> Message-ID: Can i be Satoshi just for once . On Wed, Mar 12, 2014 at 6:22 AM, Sampo Syreeni wrote: > On 2014-03-11, Robert Hettinga wrote: > > I'm not. >>> >> >> Neither am I. >> >> No. Really. >> > > Yes, of course, but why did you have to do all that to poor Dorian? > -- > Sampo Syreeni, aka decoy - decoy at iki.fi, http://decoy.iki.fi/front > +358-40-3255353, 025E D175 ABE5 027C 9494 EEB0 E090 8BA9 0509 85C2 > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1147 bytes Desc: not available URL: From griffin at cryptolab.net Wed Mar 12 11:51:16 2014 From: griffin at cryptolab.net (Griffin Boyce) Date: Wed, 12 Mar 2014 14:51:16 -0400 Subject: Satoshi/Newsweek In-Reply-To: <53209A1D.1050307@virtadpt.net> References: <1484566.EbqaH4x9nm@lap> <53209A1D.1050307@virtadpt.net> Message-ID: <5320ACA4.7090003@cryptolab.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Doctor wrote: > On 03/11/2014 11:23 AM, rysiek wrote: > > > Aren't we all?.. > > These folks certainly are... > > https://github.com/bitcoin/bitcoin/graphs/contributors > *slams fist on desk* I *knew* that @gmaxwell was involved! This whole bitcoin thing is just a conspiracy to take down JSTOR!!!!1 ....too obscure? ;-) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJTIKykAAoJEAPPSgqzx5pj/jsIAKP0U67blIVdg+dtey64gS/0 NgsPLViC1PQSs1Wht3gOe30bOcTBkDR5a1htULIW8Z1b4u1mBhMrvBLh0cRrwSJK weNF2ZVBmN1yUSjn9EwIt7MekZ33Bog2dYe9uRDbU2WEG4kQMmxBV7W+36iqik3b DroI8XSwbzDAB5o1umbi2+74h/EIPqODzCKS7Jvy8KFChrTc/lqNvxyuGAowzICt ct71rMPUWN6LxcRVGmjkE7u06beu0c5YUwjB7bWpJMrK1lymKUOObu1nse/lV+B5 zKXfLZGf2nkhG6ADLr+PDY3zztRqI/Z+VOpDM3jVUF/IELL/A3bd4veApXgedS0= =i2h+ -----END PGP SIGNATURE----- From drwho at virtadpt.net Wed Mar 12 14:52:11 2014 From: drwho at virtadpt.net (The Doctor) Date: Wed, 12 Mar 2014 14:52:11 -0700 Subject: Satoshi/Newsweek In-Reply-To: <5320ACA4.7090003@cryptolab.net> References: <1484566.EbqaH4x9nm@lap> <53209A1D.1050307@virtadpt.net> <5320ACA4.7090003@cryptolab.net> Message-ID: <5320D70B.7020008@virtadpt.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 03/12/2014 11:51 AM, Griffin Boyce wrote: > I *knew* that @gmaxwell was involved! This whole bitcoin thing is > just a conspiracy to take down JSTOR!!!!1 ....too obscure? ;-) Maternis, paternis. - -- The Doctor [412/724/301/703] [ZS] Developer, Project Byzantium: http://project-byzantium.org/ PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1 WWW: https://drwho.virtadpt.net/ Be seeing you... -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEAREKAAYFAlMg1wsACgkQO9j/K4B7F8EVOgCfehiIKdLCjhvb59BIQHHuxn31 7zgAn20DbY2IlanHWeffERhpvtZmyB7B =9RK5 -----END PGP SIGNATURE----- From gfoster at entersection.org Wed Mar 12 16:18:24 2014 From: gfoster at entersection.org (Gregory Foster) Date: Wed, 12 Mar 2014 19:18:24 -0400 Subject: [Effaustin-discuss] Senator Feinstein, the document leaker In-Reply-To: <531F33DF.9030804@entersection.org> References: <531F33DF.9030804@entersection.org> Message-ID: <5320EB40.4030502@entersection.org> On 3/11/14 12:03 PM, Gregory Foster wrote: > US Senator Dianne Feinstein (Mar 11) - "Feinstein Statement on > Intelligence Committee’s CIA Detention, Interrogation Report": > http://www.feinstein.senate.gov/public/index.cfm/press-releases?ID=db84e844-01bb-4eb6-b318-31486374a895 > > Wherein Senator Feinstein states: > >> We have no way to determine who made the [CIA's] Internal Panetta Review documents available to the committee. Further, we don’t know whether the documents were provided intentionally by the CIA, unintentionally by the CIA, or intentionally by a whistle-blower. > > ...and then explains why Senate staffers exfiltrated the documents from > the CIA's secure facility: > >> Unlike the official response, these Panetta Review documents were in agreement with the committee’s findings. That’s what makes them so significant and important to protect. > > Looks like this information wanted to be free? Quite a story emerging here. An unusual flurry of activity on the CIA's YouTube channel, including a newly posted video (from December 2013) of embattled CIA Director Brennan and his wife delivering truckloads of toys for tots: https://www.youtube.com/user/ciagov Must have been keeping that one in the black bag... gf -- Gregory Foster || gfoster at entersection.org @gregoryfoster <> http://entersection.com/ From coderman at gmail.com Wed Mar 12 20:39:40 2014 From: coderman at gmail.com (coderman) Date: Wed, 12 Mar 2014 20:39:40 -0700 Subject: TURBINE Message-ID: so they've been spending tens of millions every year to red team privacy enhancing technologies. when do we get to see the results and improve our tools? ;) https://firstlook.org/theintercept/article/2014/03/12/nsa-plans-infect-millions-computers-malware/ --- How the NSA Plans to Infect 'Millions' of Computers with Malware By Ryan Gallagher and Glenn Greenwald 12 Mar 2014, 9:19 AM EDT Top-secret documents reveal that the National Security Agency is dramatically expanding its ability to covertly hack into computers on a mass scale by using automated systems that reduce the level of human oversight in the process. The classified files - provided previously by NSA whistleblower Edward Snowden - contain new details about groundbreaking surveillance technology the agency has developed to infect potentially millions of computers worldwide with malware "implants." The clandestine initiative enables the NSA to break into targeted computers and to siphon out data from foreign Internet and phone networks. The covert infrastructure that supports the hacking efforts operates from the agency's headquarters in Fort Meade, Maryland, and from eavesdropping bases in the United Kingdom and Japan. GCHQ, the British intelligence agency, appears to have played an integral role in helping to develop the implants tactic. In some cases the NSA has masqueraded as a fake Facebook server, using the social media site as a launching pad to infect a target's computer and exfiltrate files from a hard drive. In others, it has sent out spam emails laced with the malware, which can be tailored to covertly record audio from a computer's microphone and take snapshots with its webcam. The hacking systems have also enabled the NSA to launch cyberattacks by corrupting and disrupting file downloads or denying access to websites. The implants being deployed were once reserved for a few hundred hard-to-reach targets, whose communications could not be monitored through traditional wiretaps. But the documents analyzed by The Intercept show how the NSA has aggressively accelerated its hacking initiatives in the past decade by computerizing some processes previously handled by humans. The automated system - codenamed TURBINE - is designed to "allow the current implant network to scale to large size (millions of implants) by creating a system that does automated control implants by groups instead of individually." In a top-secret presentation, dated August 2009, the NSA describes a pre-programmed part of the covert infrastructure called the "Expert System," which is designed to operate "like the brain." The system manages the applications and functions of the implants and "decides" what tools they need to best extract data from infected machines. Mikko Hypponen, an expert in malware who serves as chief research officer at the Finnish security firm F-Secure, calls the revelations "disturbing." The NSA's surveillance techniques, he warns, could inadvertently be undermining the security of the Internet. "When they deploy malware on systems," Hypponen says, "they potentially create new vulnerabilities in these systems, making them more vulnerable for attacks by third parties." Hypponen believes that governments could arguably justify using malware in a small number of targeted cases against adversaries. But millions of malware implants being deployed by the NSA as part of an automated process, he says, would be "out of control." "That would definitely not be proportionate," Hypponen says. "It couldn't possibly be targeted and named. It sounds like wholesale infection and wholesale surveillance." The NSA declined to answer questions about its deployment of implants, pointing to a new presidential policy directive announced by President Obama. "As the president made clear on 17 January," the agency said in a statement, "signals intelligence shall be collected exclusively where there is a foreign intelligence or counterintelligence purpose to support national and departmental missions, and not for any other purposes." "Owning the Net" The NSA began rapidly escalating its hacking efforts a decade ago. In 2004, according to secret internal records, the agency was managing a small network of only 100 to 150 implants. But over the next six to eight years, as an elite unit called Tailored Access Operations (TAO) recruited new hackers and developed new malware tools, the number of implants soared to tens of thousands. To penetrate foreign computer networks and monitor communications that it did not have access to through other means, the NSA wanted to go beyond the limits of traditional signals intelligence, or SIGINT, the agency's term for the interception of electronic communications. Instead, it sought to broaden "active" surveillance methods - tactics designed to directly infiltrate a target's computers or network devices. In the documents, the agency describes such techniques as "a more aggressive approach to SIGINT" and says that the TAO unit's mission is to "aggressively scale" these operations. But the NSA recognized that managing a massive network of implants is too big a job for humans alone. "One of the greatest challenges for active SIGINT/attack is scale," explains the top-secret presentation from 2009. "Human 'drivers' limit ability for large-scale exploitation (humans tend to operate within their own environment, not taking into account the bigger picture)." The agency's solution was TURBINE. Developed as part of TAO unit, it is described in the leaked documents as an "intelligent command and control capability" that enables "industrial-scale exploitation." TURBINE was designed to make deploying malware much easier for the NSA's hackers by reducing their role in overseeing its functions. The system would "relieve the user from needing to know/care about the details," the NSA's Technology Directorate notes in one secret document from 2009. "For example, a user should be able to ask for 'all details about application X' and not need to know how and where the application keeps files, registry entries, user application data, etc." In practice, this meant that TURBINE would automate crucial processes that previously had to be performed manually - including the configuration of the implants as well as surveillance collection, or "tasking," of data from infected systems. But automating these processes was about much more than a simple technicality. The move represented a major tactical shift within the NSA that was expected to have a profound impact - allowing the agency to push forward into a new frontier of surveillance operations. The ramifications are starkly illustrated in one undated top-secret NSA document, which describes how the agency planned for TURBINE to "increase the current capability to deploy and manage hundreds of Computer Network Exploitation (CNE) and Computer Network Attack (CNA) implants to potentially millions of implants." (CNE mines intelligence from computers and networks; CNA seeks to disrupt, damage or destroy them.) Eventually, the secret files indicate, the NSA's plans for TURBINE came to fruition. The system has been operational in some capacity since at least July 2010, and its role has become increasingly central to NSA hacking operations. Earlier reports based on the Snowden files indicate that the NSA has already deployed between 85,000 and 100,000 of its implants against computers and networks across the world, with plans to keep on scaling up those numbers. The intelligence community's top-secret "Black Budget" for 2013, obtained by Snowden, lists TURBINE as part of a broader NSA surveillance initiative named "Owning the Net." The agency sought $67.6 million in taxpayer funding for its Owning the Net program last year. Some of the money was earmarked for TURBINE, expanding the system to encompass "a wider variety" of networks and "enabling greater automation of computer network exploitation." Circumventing Encryption The NSA has a diverse arsenal of malware tools, each highly sophisticated and customizable for different purposes. One implant, codenamed UNITEDRAKE, can be used with a variety of "plug-ins" that enable the agency to gain total control of an infected computer. An implant plug-in named CAPTIVATEDAUDIENCE, for example, is used to take over a targeted computer's microphone and record conversations taking place near the device. Another, GUMFISH, can covertly take over a computer's webcam and snap photographs. FOGGYBOTTOM records logs of Internet browsing histories and collects login details and passwords used to access websites and email accounts. GROK is used to log keystrokes. And SALVAGERABBIT exfiltrates data from removable flash drives that connect to an infected computer. The implants can enable the NSA to circumvent privacy-enhancing encryption tools that are used to browse the Internet anonymously or scramble the contents of emails as they are being sent across networks. That's because the NSA's malware gives the agency unfettered access to a target's computer before the user protects their communications with encryption. It is unclear how many of the implants are being deployed on an annual basis or which variants of them are currently active in computer systems across the world. Previous reports have alleged that the NSA worked with Israel to develop the Stuxnet malware, which was used to sabotage Iranian nuclear facilities. The agency also reportedly worked with Israel to deploy malware called Flame to infiltrate computers and spy on communications in countries across the Middle East. According to the Snowden files, the technology has been used to seek out terror suspects as well as individuals regarded by the NSA as "extremist." But the mandate of the NSA's hackers is not limited to invading the systems of those who pose a threat to national security. In one secret post on an internal message board, an operative from the NSA's Signals Intelligence Directorate describes using malware attacks against systems administrators who work at foreign phone and Internet service providers. By hacking an administrator's computer, the agency can gain covert access to communications that are processed by his company. "Sys admins are a means to an end," the NSA operative writes. The internal post - titled "I hunt sys admins" - makes clear that terrorists aren't the only targets of such NSA attacks. Compromising a systems administrator, the operative notes, makes it easier to get to other targets of interest, including any "government official that happens to be using the network some admin takes care of." Similar tactics have been adopted by Government Communications Headquarters, the NSA's British counterpart. As the German newspaper Der Spiegel reported in September, GCHQ hacked computers belonging to network engineers at Belgacom, the Belgian telecommunications provider. The mission, codenamed "Operation Socialist," was designed to enable GCHQ to monitor mobile phones connected to Belgacom's network. The secret files deem the mission a "success," and indicate that the agency had the ability to covertly access Belgacom's systems since at least 2010. Infiltrating cellphone networks, however, is not all that the malware can be used to accomplish. The NSA has specifically tailored some of its implants to infect large-scale network routers used by Internet service providers in foreign countries. By compromising routers - the devices that connect computer networks and transport data packets across the Internet - the agency can gain covert access to monitor Internet traffic, record the browsing sessions of users, and intercept communications. Two implants the NSA injects into network routers, HAMMERCHANT and HAMMERSTEIN, help the agency to intercept and perform "exploitation attacks" against data that is sent through a Virtual Private Network, a tool that uses encrypted "tunnels" to enhance the security and privacy of an Internet session. The implants also track phone calls sent across the network via Skype and other Voice Over IP software, revealing the username of the person making the call. If the audio of the VOIP conversation is sent over the Internet using unencrypted "Real-time Transport Protocol" packets, the implants can covertly record the audio data and then return it to the NSA for analysis. But not all of the NSA's implants are used to gather intelligence, the secret files show. Sometimes, the agency's aim is disruption rather than surveillance. QUANTUMSKY, a piece of NSA malware developed in 2004, is used to block targets from accessing certain websites. QUANTUMCOPPER, first tested in 2008, corrupts a target's file downloads. These two "attack" techniques are revealed on a classified list that features nine NSA hacking tools, six of which are used for intelligence gathering. Just one is used for "defensive" purposes - to protect U.S. government networks against intrusions. "Mass exploitation potential" Before it can extract data from an implant or use it to attack a system, the NSA must first install the malware on a targeted computer or network. According to one top-secret document from 2012, the agency can deploy malware by sending out spam emails that trick targets into clicking a malicious link. Once activated, a "back-door implant" infects their computers within eight seconds. There's only one problem with this tactic, codenamed WILLOWVIXEN: According to the documents, the spam method has become less successful in recent years, as Internet users have become wary of unsolicited emails and less likely to click on anything that looks suspicious. Consequently, the NSA has turned to new and more advanced hacking techniques. These include performing so-called "man-in-the-middle" and "man-on-the-side" attacks, which covertly force a user's internet browser to route to NSA computer servers that try to infect them with an implant. To perform a man-on-the-side attack, the NSA observes a target's Internet traffic using its global network of covert "accesses" to data as it flows over fiber optic cables or satellites. When the target visits a website that the NSA is able to exploit, the agency's surveillance sensors alert the TURBINE system, which then "shoots" data packets at the targeted computer's IP address within a fraction of a second. In one man-on-the-side technique, codenamed QUANTUMHAND, the agency disguises itself as a fake Facebook server. When a target attempts to log in to the social media site, the NSA transmits malicious data packets that trick the target's computer into thinking they are being sent from the real Facebook. By concealing its malware within what looks like an ordinary Facebook page, the NSA is able to hack into the targeted computer and covertly siphon out data from its hard drive. A top-secret animation demonstrates the tactic in action. The documents show that QUANTUMHAND became operational in October 2010, after being successfully tested by the NSA against about a dozen targets. According to Matt Blaze, a surveillance and cryptography expert at the University of Pennsylvania, it appears that the QUANTUMHAND technique is aimed at targeting specific individuals. But he expresses concerns about how it has been covertly integrated within Internet networks as part of the NSA's automated TURBINE system. "As soon as you put this capability in the backbone infrastructure, the software and security engineer in me says that's terrifying," Blaze says. "Forget about how the NSA is intending to use it. How do we know it is working correctly and only targeting who the NSA wants? And even if it does work correctly, which is itself a really dubious assumption, how is it controlled?" In an email statement to The Intercept, Facebook spokesman Jay Nancarrow said the company had "no evidence of this alleged activity." He added that Facebook implemented HTTPS encryption for users last year, making browsing sessions less vulnerable to malware attacks. Nancarrow also pointed out that other services besides Facebook could have been compromised by the NSA. "If government agencies indeed have privileged access to network service providers," he said, "any site running only [unencrypted] HTTP could conceivably have its traffic misdirected." A man-in-the-middle attack is a similar but slightly more aggressive method that can be used by the NSA to deploy its malware. It refers to a hacking technique in which the agency covertly places itself between computers as they are communicating with each other. This allows the NSA not only to observe and redirect browsing sessions, but to modify the content of data packets that are passing between computers. The man-in-the-middle tactic can be used, for instance, to covertly change the content of a message as it is being sent between two people, without either knowing that any change has been made by a third party. The same technique is sometimes used by criminal hackers to defraud people. A top-secret NSA presentation from 2012 reveals that the agency developed a man-in-the-middle capability called SECONDDATE to "influence real-time communications between client and server" and to "quietly redirect web-browsers" to NSA malware servers called FOXACID. In October, details about the FOXACID system were reported by the Guardian, which revealed its links to attacks against users of the Internet anonymity service Tor. But SECONDDATE is tailored not only for "surgical" surveillance attacks on individual suspects. It can also be used to launch bulk malware attacks against computers. According to the 2012 presentation, the tactic has "mass exploitation potential for clients passing through network choke points." Blaze, the University of Pennsylvania surveillance expert, says the potential use of man-in-the-middle attacks on such a scale "seems very disturbing." Such an approach would involve indiscriminately monitoring entire networks as opposed to targeting individual suspects. "The thing that raises a red flag for me is the reference to 'network choke points,'" he says. "That's the last place that we should be allowing intelligence agencies to compromise the infrastructure - because that is by definition a mass surveillance technique." To deploy some of its malware implants, the NSA exploits security vulnerabilities in commonly used Internet browsers such as Mozilla Firefox and Internet Explorer. The agency's hackers also exploit security weaknesses in network routers and in popular software plugins such as Flash and Java to deliver malicious code onto targeted machines. The implants can circumvent anti-virus programs, and the NSA has gone to extreme lengths to ensure that its clandestine technology is extremely difficult to detect. An implant named VALIDATOR, used by the NSA to upload and download data to and from an infected machine, can be set to self-destruct - deleting itself from an infected computer after a set time expires. In many cases, firewalls and other security measures do not appear to pose much of an obstacle to the NSA. Indeed, the agency's hackers appear confident in their ability to circumvent any security mechanism that stands between them and compromising a computer or network. "If we can get the target to visit us in some sort of web browser, we can probably own them," an agency hacker boasts in one secret document. "The only limitation is the 'how.'" Covert Infrastructure The TURBINE implants system does not operate in isolation. It is linked to, and relies upon, a large network of clandestine surveillance "sensors" that the agency has installed at locations across the world. The NSA's headquarters in Maryland are part of this network, as are eavesdropping bases used by the agency in Misawa, Japan and Menwith Hill, England. The sensors, codenamed TURMOIL, operate as a sort of high-tech surveillance dragnet, monitoring packets of data as they are sent across the Internet. When TURBINE implants exfiltrate data from infected computer systems, the TURMOIL sensors automatically identify the data and return it to the NSA for analysis. And when targets are communicating, the TURMOIL system can be used to send alerts or "tips" to TURBINE, enabling the initiation of a malware attack. The NSA identifies surveillance targets based on a series of data "selectors" as they flow across Internet cables. These selectors, according to internal documents, can include email addresses, IP addresses, or the unique "cookies" containing a username or other identifying information that are sent to a user's computer by websites such as Google, Facebook, Hotmail, Yahoo, and Twitter. Other selectors the NSA uses can be gleaned from unique Google advertising cookies that track browsing habits, unique encryption key fingerprints that can be traced to a specific user, and computer IDs that are sent across the Internet when a Windows computer crashes or updates. What's more, the TURBINE system operates with the knowledge and support of other governments, some of which have participated in the malware attacks. Classification markings on the Snowden documents indicate that NSA has shared many of its files on the use of implants with its counterparts in the so-called Five Eyes surveillance alliance - the United Kingdom, Canada, New Zealand, and Australia. GCHQ, the British agency, has taken on a particularly important role in helping to develop the malware tactics. The Menwith Hill satellite eavesdropping base that is part of the TURMOIL network, located in a rural part of Northern England, is operated by the NSA in close cooperation with GCHQ. Top-secret documents show that the British base - referred to by the NSA as "MHS" for Menwith Hill Station - is an integral component of the TURBINE malware infrastructure and has been used to experiment with implant "exploitation" attacks against users of Yahoo and Hotmail. In one document dated 2010, at least five variants of the QUANTUM hacking method were listed as being "operational" at Menwith Hill. The same document also reveals that GCHQ helped integrate three of the QUANTUM malware capabilities - and test two others - as part of a surveillance system it operates codenamed INSENSER. GCHQ cooperated with the hacking attacks despite having reservations about their legality. One of the Snowden files, previously disclosed by Swedish broadcaster SVT, revealed that as recently as April 2013, GCHQ was apparently reluctant to get involved in deploying the QUANTUM malware due to "legal/policy restrictions." A representative from a unit of the British surveillance agency, meeting with an obscure telecommunications standards committee in 2010, separately voiced concerns that performing "active" hacking attacks for surveillance "may be illegal" under British law. In response to questions from The Intercept, GCHQ refused to comment on its involvement in the covert hacking operations. Citing its boilerplate response to inquiries, the agency said in a statement that "all of GCHQ's work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorized, necessary and proportionate, and that there is rigorous oversight." Whatever the legalities of the United Kingdom and United States infiltrating computer networks, the Snowden files bring into sharp focus the broader implications. Under cover of secrecy and without public debate, there has been an unprecedented proliferation of aggressive surveillance techniques. One of the NSA's primary concerns, in fact, appears to be that its clandestine tactics are now being adopted by foreign rivals, too. "Hacking routers has been good business for us and our 5-eyes partners for some time," notes one NSA analyst in a top-secret document dated December 2012. "But it is becoming more apparent that other nation states are honing their skillz [sic] and joining the scene." ------ Documents published with this article: Menwith Hill Station Leverages XKeyscore for Quantum Against Yahoo and Hotmail Five Eyes Hacking Large Routers NSA Technology Directorate Analysis of Converged Data Selector Types There Is More Than One Way to Quantum NSA Phishing Tactics and Man in the Middle Attacks Quantum Insert Diagrams The NSA and GCHQ's QUANTUMTHEORY Hacking Tactics TURBINE and TURMOIL VPN and VOIP Exploitation With HAMMERCHANT and HAMMERSTEIN Industrial-Scale Exploitation Thousands of Implants --- From dan at geer.org Wed Mar 12 18:49:43 2014 From: dan at geer.org (dan at geer.org) Date: Wed, 12 Mar 2014 21:49:43 -0400 Subject: [Effaustin-discuss] Senator Feinstein, the document leaker In-Reply-To: Your message of "Wed, 12 Mar 2014 19:18:24 EDT." <5320EB40.4030502@entersection.org> Message-ID: <20140313014943.7981E228098@palinka.tinho.net> [effaustin cross-posting allowed to stand, but will likely get a bounce] U.S. Constitution, Article 1, Section 6, reads The Senators and Representatives shall receive a Compensation for their Services, to be ascertained by Law, and paid out of the Treasury of the United States. They shall in all Cases, except Treason, Felony and Breach of the Peace, be privileged from Arrest during their Attendance at the Session of their respective Houses, and in going to and returning from the same; and for any Speech or Debate in either House, they shall not be questioned in any other Place. The "Speech or Debate" clause is central here. Sen. Feinstein made her accusations on the floor of the Senate. In the Washington style, her accusations are a declaration of war. The first effect will be that she no longer gets information feeds from the Agencies, which is to say from the Executive Branch. That is a big deal; recall that when asked about what a President Obama would mean to the country's policies, soon-to-be-ex-President Bush said "He'll be fine as soon as he's reading what I'm reading." --dan From griffin at cryptolab.net Wed Mar 12 19:33:39 2014 From: griffin at cryptolab.net (Griffin Boyce) Date: Wed, 12 Mar 2014 22:33:39 -0400 Subject: Satoshi In-Reply-To: <5320D70B.7020008@virtadpt.net> References: <1484566.EbqaH4x9nm@lap> <53209A1D.1050307@virtadpt.net> <5320ACA4.7090003@cryptolab.net> <5320D70B.7020008@virtadpt.net> Message-ID: <53211903.5020904@cryptolab.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The Doctor wrote: > Maternis, paternis. ...Well I *am* everywhere for your convenience... -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJTIRkDAAoJEAPPSgqzx5pjtdUIAIJBnuVBwsqPgD5+BqD2IrQi 0OHxNZMbbc/21elJ6ELpyHXWiLILgPu0eL6S1lE2UH0YtVLwiM6tpv3L7NYhKvVU Tdc4uvyYvsnJh+tcSQrsqr8khlok5KVXJF86htBPqui4J38lk6HOQrns48NrG934 K0esddSpKKnfjmd7yMN24gfe77tucF70vU3s6Wde/MtOhEmTATmIPyjZEaxBU9Zb THehaen9HIbwS1Pjjt02hplMii1ztkhqwIMSxXVDAG9klt1jddfDhDvIJveOlaWj njmyttSlZGEQKF2//THPJx1Ui2D6hBNo4Edj9A5GtEaebDBmYeB/BlqWKhnQgME= =xetI -----END PGP SIGNATURE----- From coderman at gmail.com Wed Mar 12 22:57:39 2014 From: coderman at gmail.com (coderman) Date: Wed, 12 Mar 2014 22:57:39 -0700 Subject: 2010 TAO QUANTUMINSERT trial against 300 (hard) targets Message-ID: https://s3.amazonaws.com/s3.documentcloud.org/documents/1076891/there-is-more-than-one-way-to-quantum.pdf "TAO implants were deployed via QUANTUMINSERT to targets that were un-exploitable by _any_ other means." if you were on this short list of 300 - you were doing something right! --- Snowden Gatekeepers (TM): what were these 300 like? what can we learn? From coderman at gmail.com Thu Mar 13 00:08:56 2014 From: coderman at gmail.com (coderman) Date: Thu, 13 Mar 2014 00:08:56 -0700 Subject: TURBINE In-Reply-To: References: Message-ID: On Wed, Mar 12, 2014 at 11:26 PM, Scott Blaydes wrote: > ... I knew the Devops movement was going to bite us in the ass. it's not Puppet, it's PUPPET !!! i for one vow never to stray from the reasonable and proportionate use of SSH direction in Ansible,... . . . *inconspicuously raises ulimit nfile to 262140...* From coderman at gmail.com Thu Mar 13 00:34:39 2014 From: coderman at gmail.com (coderman) Date: Thu, 13 Mar 2014 00:34:39 -0700 Subject: QUANTUMINSERT "wide stack" covert network communication In-Reply-To: References: Message-ID: On Wed, Jan 1, 2014 at 3:40 AM, coderman wrote: > it looks like this is called QFIRE / MIDDLEMAN (CovNet?) > http://cryptome.org/2013/12/nsa-qfire.pdf here this type of comms is called: QUANTUMSQUIRREL http://cryptome.org/2014/03/nsa-gchq-quantumtheory.pdf perhaps due to joint GCHQ/NSA effort """" Experimental: QUANTUMSQUIRREL - Truly covert infrastructure, be any IP in the world """" --- selected-slides --- # Components of QUANTUM Architecture: TURMOIL - (or LPT, or LPT-D, what else can you kludge for tipping ... cough.. NINJANIC) - Passive Sensor TURBINE - Active Mission Logic of Remote Agents ISLANDTRANSPORT - Messaging Fabric SURPLUSHANGER - High -> Low diodes STRAIGHTBIZARRE or DAREDEVIL - Implant / Shooter --- # Legacy QUANTUMTHEORY techniques QUANTUMINSERT - HTML Redirection QUANTUMSKY - HTML/TCP resets QUANTUMBOT - IRC botnet hijacking --- # New Hotness QUANTUMBISCUIT - Redirection based on keyword - Mostly HTML Cookie Values QUANTUMDNS - DNS Hijacking - Caching Nameservers QUANTUMBOT2 - Combination of Q-BOT/Q-BISCUIT for web based Command and controlled botnets --- # Experimental QUANTUMCOPPER - File download disruption QUANTUMMUSH - Virtual HUFFMUSH / Targeted Spam Exploitation QUANTUMSPIM - Instant Messaging (MSN chat, XMPP) QUANTUMSQUEEL - Injection into MySQL persistent database connections QUANTUMSQUIRREL - Truly covert infrastructure, be any IP in the world From odinn.cyberguerrilla at riseup.net Thu Mar 13 00:57:15 2014 From: odinn.cyberguerrilla at riseup.net (Odinn Cyberguerrilla) Date: Thu, 13 Mar 2014 00:57:15 -0700 Subject: 2010 TAO QUANTUMINSERT trial against 300 (hard) targets In-Reply-To: References: Message-ID: <667e4629bfa09a305e9c9808643993b4.squirrel@fulvetta.riseup.net> > https://s3.amazonaws.com/s3.documentcloud.org/documents/1076891/there-is-more-than-one-way-to-quantum.pdf > > "TAO implants were deployed via QUANTUMINSERT to targets that were > un-exploitable by _any_ other means." > > if you were on this short list of 300 - you were doing something right! > > > --- > > > Snowden Gatekeepers (TM): > what were these 300 like? > what can we learn? > sparta. From scott at sbce.org Wed Mar 12 23:26:27 2014 From: scott at sbce.org (Scott Blaydes) Date: Thu, 13 Mar 2014 01:26:27 -0500 Subject: TURBINE In-Reply-To: References: Message-ID: On Mar 12, 2014, at 10:39 PM, coderman wrote: > so they've been spending tens of millions every year to red team > privacy enhancing technologies. > > when do we get to see the results and improve our tools? > > ;) > This is the problem with Devops. If it was just good ‘ol sysadmining there wouldn’t be this level of automation, so the NSA would have to infect everyone manually. I knew the Devops movement was going to bite us in the ass. |-) > > https://firstlook.org/theintercept/article/2014/03/12/nsa-plans-infect-millions-computers-malware/ > --- > How the NSA Plans to Infect 'Millions' of Computers with Malware > By Ryan Gallagher and Glenn Greenwald 12 Mar 2014, 9:19 AM EDT > > Top-secret documents reveal that the National Security Agency is > dramatically expanding its ability to covertly hack into computers on > a mass scale by using automated systems that reduce the level of human > oversight in the process. > > The classified files - provided previously by NSA whistleblower Edward > Snowden - contain new details about groundbreaking surveillance > technology the agency has developed to infect potentially millions of > computers worldwide with malware "implants." The clandestine > initiative enables the NSA to break into targeted computers and to > siphon out data from foreign Internet and phone networks. > > The covert infrastructure that supports the hacking efforts operates > from the agency's headquarters in Fort Meade, Maryland, and from > eavesdropping bases in the United Kingdom and Japan. GCHQ, the British > intelligence agency, appears to have played an integral role in > helping to develop the implants tactic. > > In some cases the NSA has masqueraded as a fake Facebook server, using > the social media site as a launching pad to infect a target's computer > and exfiltrate files from a hard drive. In others, it has sent out > spam emails laced with the malware, which can be tailored to covertly > record audio from a computer's microphone and take snapshots with its > webcam. The hacking systems have also enabled the NSA to launch > cyberattacks by corrupting and disrupting file downloads or denying > access to websites. > > The implants being deployed were once reserved for a few hundred > hard-to-reach targets, whose communications could not be monitored > through traditional wiretaps. But the documents analyzed by The > Intercept show how the NSA has aggressively accelerated its hacking > initiatives in the past decade by computerizing some processes > previously handled by humans. The automated system - codenamed TURBINE > - is designed to "allow the current implant network to scale to large > size (millions of implants) by creating a system that does automated > control implants by groups instead of individually." > > In a top-secret presentation, dated August 2009, the NSA describes a > pre-programmed part of the covert infrastructure called the "Expert > System," which is designed to operate "like the brain." The system > manages the applications and functions of the implants and "decides" > what tools they need to best extract data from infected machines. > > Mikko Hypponen, an expert in malware who serves as chief research > officer at the Finnish security firm F-Secure, calls the revelations > "disturbing." The NSA's surveillance techniques, he warns, could > inadvertently be undermining the security of the Internet. > > "When they deploy malware on systems," Hypponen says, "they > potentially create new vulnerabilities in these systems, making them > more vulnerable for attacks by third parties." > > Hypponen believes that governments could arguably justify using > malware in a small number of targeted cases against adversaries. But > millions of malware implants being deployed by the NSA as part of an > automated process, he says, would be "out of control." > > "That would definitely not be proportionate," Hypponen says. "It > couldn't possibly be targeted and named. It sounds like wholesale > infection and wholesale surveillance." > > The NSA declined to answer questions about its deployment of implants, > pointing to a new presidential policy directive announced by President > Obama. "As the president made clear on 17 January," the agency said in > a statement, "signals intelligence shall be collected exclusively > where there is a foreign intelligence or counterintelligence purpose > to support national and departmental missions, and not for any other > purposes." > > > > "Owning the Net" > > The NSA began rapidly escalating its hacking efforts a decade ago. In > 2004, according to secret internal records, the agency was managing a > small network of only 100 to 150 implants. But over the next six to > eight years, as an elite unit called Tailored Access Operations (TAO) > recruited new hackers and developed new malware tools, the number of > implants soared to tens of thousands. > > To penetrate foreign computer networks and monitor communications that > it did not have access to through other means, the NSA wanted to go > beyond the limits of traditional signals intelligence, or SIGINT, the > agency's term for the interception of electronic communications. > Instead, it sought to broaden "active" surveillance methods - tactics > designed to directly infiltrate a target's computers or network > devices. > > In the documents, the agency describes such techniques as "a more > aggressive approach to SIGINT" and says that the TAO unit's mission is > to "aggressively scale" these operations. > > But the NSA recognized that managing a massive network of implants is > too big a job for humans alone. > > "One of the greatest challenges for active SIGINT/attack is scale," > explains the top-secret presentation from 2009. "Human 'drivers' limit > ability for large-scale exploitation (humans tend to operate within > their own environment, not taking into account the bigger picture)." > > The agency's solution was TURBINE. Developed as part of TAO unit, it > is described in the leaked documents as an "intelligent command and > control capability" that enables "industrial-scale exploitation." > > TURBINE was designed to make deploying malware much easier for the > NSA's hackers by reducing their role in overseeing its functions. The > system would "relieve the user from needing to know/care about the > details," the NSA's Technology Directorate notes in one secret > document from 2009. "For example, a user should be able to ask for > 'all details about application X' and not need to know how and where > the application keeps files, registry entries, user application data, > etc." > > In practice, this meant that TURBINE would automate crucial processes > that previously had to be performed manually - including the > configuration of the implants as well as surveillance collection, or > "tasking," of data from infected systems. But automating these > processes was about much more than a simple technicality. The move > represented a major tactical shift within the NSA that was expected to > have a profound impact - allowing the agency to push forward into a > new frontier of surveillance operations. > > The ramifications are starkly illustrated in one undated top-secret > NSA document, which describes how the agency planned for TURBINE to > "increase the current capability to deploy and manage hundreds of > Computer Network Exploitation (CNE) and Computer Network Attack (CNA) > implants to potentially millions of implants." (CNE mines intelligence > from computers and networks; CNA seeks to disrupt, damage or destroy > them.) > > Eventually, the secret files indicate, the NSA's plans for TURBINE > came to fruition. The system has been operational in some capacity > since at least July 2010, and its role has become increasingly central > to NSA hacking operations. > > Earlier reports based on the Snowden files indicate that the NSA has > already deployed between 85,000 and 100,000 of its implants against > computers and networks across the world, with plans to keep on scaling > up those numbers. > > The intelligence community's top-secret "Black Budget" for 2013, > obtained by Snowden, lists TURBINE as part of a broader NSA > surveillance initiative named "Owning the Net." > > The agency sought $67.6 million in taxpayer funding for its Owning the > Net program last year. Some of the money was earmarked for TURBINE, > expanding the system to encompass "a wider variety" of networks and > "enabling greater automation of computer network exploitation." > > > > Circumventing Encryption > > The NSA has a diverse arsenal of malware tools, each highly > sophisticated and customizable for different purposes. > > One implant, codenamed UNITEDRAKE, can be used with a variety of > "plug-ins" that enable the agency to gain total control of an infected > computer. > > An implant plug-in named CAPTIVATEDAUDIENCE, for example, is used to > take over a targeted computer's microphone and record conversations > taking place near the device. Another, GUMFISH, can covertly take over > a computer's webcam and snap photographs. FOGGYBOTTOM records logs of > Internet browsing histories and collects login details and passwords > used to access websites and email accounts. GROK is used to log > keystrokes. And SALVAGERABBIT exfiltrates data from removable flash > drives that connect to an infected computer. > > The implants can enable the NSA to circumvent privacy-enhancing > encryption tools that are used to browse the Internet anonymously or > scramble the contents of emails as they are being sent across > networks. That's because the NSA's malware gives the agency unfettered > access to a target's computer before the user protects their > communications with encryption. > > It is unclear how many of the implants are being deployed on an annual > basis or which variants of them are currently active in computer > systems across the world. > > Previous reports have alleged that the NSA worked with Israel to > develop the Stuxnet malware, which was used to sabotage Iranian > nuclear facilities. The agency also reportedly worked with Israel to > deploy malware called Flame to infiltrate computers and spy on > communications in countries across the Middle East. > > According to the Snowden files, the technology has been used to seek > out terror suspects as well as individuals regarded by the NSA as > "extremist." But the mandate of the NSA's hackers is not limited to > invading the systems of those who pose a threat to national security. > > In one secret post on an internal message board, an operative from the > NSA's Signals Intelligence Directorate describes using malware attacks > against systems administrators who work at foreign phone and Internet > service providers. By hacking an administrator's computer, the agency > can gain covert access to communications that are processed by his > company. "Sys admins are a means to an end," the NSA operative writes. > > The internal post - titled "I hunt sys admins" - makes clear that > terrorists aren't the only targets of such NSA attacks. Compromising a > systems administrator, the operative notes, makes it easier to get to > other targets of interest, including any "government official that > happens to be using the network some admin takes care of." > > Similar tactics have been adopted by Government Communications > Headquarters, the NSA's British counterpart. As the German newspaper > Der Spiegel reported in September, GCHQ hacked computers belonging to > network engineers at Belgacom, the Belgian telecommunications > provider. > > The mission, codenamed "Operation Socialist," was designed to enable > GCHQ to monitor mobile phones connected to Belgacom's network. The > secret files deem the mission a "success," and indicate that the > agency had the ability to covertly access Belgacom's systems since at > least 2010. > > Infiltrating cellphone networks, however, is not all that the malware > can be used to accomplish. The NSA has specifically tailored some of > its implants to infect large-scale network routers used by Internet > service providers in foreign countries. By compromising routers - the > devices that connect computer networks and transport data packets > across the Internet - the agency can gain covert access to monitor > Internet traffic, record the browsing sessions of users, and intercept > communications. > > Two implants the NSA injects into network routers, HAMMERCHANT and > HAMMERSTEIN, help the agency to intercept and perform "exploitation > attacks" against data that is sent through a Virtual Private Network, > a tool that uses encrypted "tunnels" to enhance the security and > privacy of an Internet session. > > The implants also track phone calls sent across the network via Skype > and other Voice Over IP software, revealing the username of the person > making the call. If the audio of the VOIP conversation is sent over > the Internet using unencrypted "Real-time Transport Protocol" packets, > the implants can covertly record the audio data and then return it to > the NSA for analysis. > > But not all of the NSA's implants are used to gather intelligence, the > secret files show. Sometimes, the agency's aim is disruption rather > than surveillance. QUANTUMSKY, a piece of NSA malware developed in > 2004, is used to block targets from accessing certain websites. > QUANTUMCOPPER, first tested in 2008, corrupts a target's file > downloads. These two "attack" techniques are revealed on a classified > list that features nine NSA hacking tools, six of which are used for > intelligence gathering. Just one is used for "defensive" purposes - to > protect U.S. government networks against intrusions. > > > > "Mass exploitation potential" > > Before it can extract data from an implant or use it to attack a > system, the NSA must first install the malware on a targeted computer > or network. > > According to one top-secret document from 2012, the agency can deploy > malware by sending out spam emails that trick targets into clicking a > malicious link. Once activated, a "back-door implant" infects their > computers within eight seconds. > > There's only one problem with this tactic, codenamed WILLOWVIXEN: > According to the documents, the spam method has become less successful > in recent years, as Internet users have become wary of unsolicited > emails and less likely to click on anything that looks suspicious. > > Consequently, the NSA has turned to new and more advanced hacking > techniques. These include performing so-called "man-in-the-middle" and > "man-on-the-side" attacks, which covertly force a user's internet > browser to route to NSA computer servers that try to infect them with > an implant. > > To perform a man-on-the-side attack, the NSA observes a target's > Internet traffic using its global network of covert "accesses" to data > as it flows over fiber optic cables or satellites. When the target > visits a website that the NSA is able to exploit, the agency's > surveillance sensors alert the TURBINE system, which then "shoots" > data packets at the targeted computer's IP address within a fraction > of a second. > > In one man-on-the-side technique, codenamed QUANTUMHAND, the agency > disguises itself as a fake Facebook server. When a target attempts to > log in to the social media site, the NSA transmits malicious data > packets that trick the target's computer into thinking they are being > sent from the real Facebook. By concealing its malware within what > looks like an ordinary Facebook page, the NSA is able to hack into the > targeted computer and covertly siphon out data from its hard drive. A > top-secret animation demonstrates the tactic in action. > > The documents show that QUANTUMHAND became operational in October > 2010, after being successfully tested by the NSA against about a dozen > targets. > > According to Matt Blaze, a surveillance and cryptography expert at the > University of Pennsylvania, it appears that the QUANTUMHAND technique > is aimed at targeting specific individuals. But he expresses concerns > about how it has been covertly integrated within Internet networks as > part of the NSA's automated TURBINE system. > > "As soon as you put this capability in the backbone infrastructure, > the software and security engineer in me says that's terrifying," > Blaze says. > > "Forget about how the NSA is intending to use it. How do we know it is > working correctly and only targeting who the NSA wants? And even if it > does work correctly, which is itself a really dubious assumption, how > is it controlled?" > > In an email statement to The Intercept, Facebook spokesman Jay > Nancarrow said the company had "no evidence of this alleged activity." > He added that Facebook implemented HTTPS encryption for users last > year, making browsing sessions less vulnerable to malware attacks. > > Nancarrow also pointed out that other services besides Facebook could > have been compromised by the NSA. "If government agencies indeed have > privileged access to network service providers," he said, "any site > running only [unencrypted] HTTP could conceivably have its traffic > misdirected." > > A man-in-the-middle attack is a similar but slightly more aggressive > method that can be used by the NSA to deploy its malware. It refers to > a hacking technique in which the agency covertly places itself between > computers as they are communicating with each other. > > This allows the NSA not only to observe and redirect browsing > sessions, but to modify the content of data packets that are passing > between computers. > > The man-in-the-middle tactic can be used, for instance, to covertly > change the content of a message as it is being sent between two > people, without either knowing that any change has been made by a > third party. The same technique is sometimes used by criminal hackers > to defraud people. > > A top-secret NSA presentation from 2012 reveals that the agency > developed a man-in-the-middle capability called SECONDDATE to > "influence real-time communications between client and server" and to > "quietly redirect web-browsers" to NSA malware servers called FOXACID. > In October, details about the FOXACID system were reported by the > Guardian, which revealed its links to attacks against users of the > Internet anonymity service Tor. > > But SECONDDATE is tailored not only for "surgical" surveillance > attacks on individual suspects. It can also be used to launch bulk > malware attacks against computers. > > According to the 2012 presentation, the tactic has "mass exploitation > potential for clients passing through network choke points." > > Blaze, the University of Pennsylvania surveillance expert, says the > potential use of man-in-the-middle attacks on such a scale "seems very > disturbing." Such an approach would involve indiscriminately > monitoring entire networks as opposed to targeting individual > suspects. > > "The thing that raises a red flag for me is the reference to 'network > choke points,'" he says. "That's the last place that we should be > allowing intelligence agencies to compromise the infrastructure - > because that is by definition a mass surveillance technique." > > To deploy some of its malware implants, the NSA exploits security > vulnerabilities in commonly used Internet browsers such as Mozilla > Firefox and Internet Explorer. > > The agency's hackers also exploit security weaknesses in network > routers and in popular software plugins such as Flash and Java to > deliver malicious code onto targeted machines. > > The implants can circumvent anti-virus programs, and the NSA has gone > to extreme lengths to ensure that its clandestine technology is > extremely difficult to detect. An implant named VALIDATOR, used by the > NSA to upload and download data to and from an infected machine, can > be set to self-destruct - deleting itself from an infected computer > after a set time expires. > > In many cases, firewalls and other security measures do not appear to > pose much of an obstacle to the NSA. Indeed, the agency's hackers > appear confident in their ability to circumvent any security mechanism > that stands between them and compromising a computer or network. "If > we can get the target to visit us in some sort of web browser, we can > probably own them," an agency hacker boasts in one secret document. > "The only limitation is the 'how.'" > > > > Covert Infrastructure > > The TURBINE implants system does not operate in isolation. > > It is linked to, and relies upon, a large network of clandestine > surveillance "sensors" that the agency has installed at locations > across the world. > > The NSA's headquarters in Maryland are part of this network, as are > eavesdropping bases used by the agency in Misawa, Japan and Menwith > Hill, England. > > The sensors, codenamed TURMOIL, operate as a sort of high-tech > surveillance dragnet, monitoring packets of data as they are sent > across the Internet. > > When TURBINE implants exfiltrate data from infected computer systems, > the TURMOIL sensors automatically identify the data and return it to > the NSA for analysis. And when targets are communicating, the TURMOIL > system can be used to send alerts or "tips" to TURBINE, enabling the > initiation of a malware attack. > > The NSA identifies surveillance targets based on a series of data > "selectors" as they flow across Internet cables. These selectors, > according to internal documents, can include email addresses, IP > addresses, or the unique "cookies" containing a username or other > identifying information that are sent to a user's computer by websites > such as Google, Facebook, Hotmail, Yahoo, and Twitter. > > Other selectors the NSA uses can be gleaned from unique Google > advertising cookies that track browsing habits, unique encryption key > fingerprints that can be traced to a specific user, and computer IDs > that are sent across the Internet when a Windows computer crashes or > updates. > > What's more, the TURBINE system operates with the knowledge and > support of other governments, some of which have participated in the > malware attacks. > > Classification markings on the Snowden documents indicate that NSA has > shared many of its files on the use of implants with its counterparts > in the so-called Five Eyes surveillance alliance - the United Kingdom, > Canada, New Zealand, and Australia. > > GCHQ, the British agency, has taken on a particularly important role > in helping to develop the malware tactics. The Menwith Hill satellite > eavesdropping base that is part of the TURMOIL network, located in a > rural part of Northern England, is operated by the NSA in close > cooperation with GCHQ. > > Top-secret documents show that the British base - referred to by the > NSA as "MHS" for Menwith Hill Station - is an integral component of > the TURBINE malware infrastructure and has been used to experiment > with implant "exploitation" attacks against users of Yahoo and > Hotmail. > > In one document dated 2010, at least five variants of the QUANTUM > hacking method were listed as being "operational" at Menwith Hill. The > same document also reveals that GCHQ helped integrate three of the > QUANTUM malware capabilities - and test two others - as part of a > surveillance system it operates codenamed INSENSER. > > GCHQ cooperated with the hacking attacks despite having reservations > about their legality. One of the Snowden files, previously disclosed > by Swedish broadcaster SVT, revealed that as recently as April 2013, > GCHQ was apparently reluctant to get involved in deploying the QUANTUM > malware due to "legal/policy restrictions." A representative from a > unit of the British surveillance agency, meeting with an obscure > telecommunications standards committee in 2010, separately voiced > concerns that performing "active" hacking attacks for surveillance > "may be illegal" under British law. > > In response to questions from The Intercept, GCHQ refused to comment > on its involvement in the covert hacking operations. Citing its > boilerplate response to inquiries, the agency said in a statement that > "all of GCHQ's work is carried out in accordance with a strict legal > and policy framework which ensures that our activities are authorized, > necessary and proportionate, and that there is rigorous oversight." > > Whatever the legalities of the United Kingdom and United States > infiltrating computer networks, the Snowden files bring into sharp > focus the broader implications. Under cover of secrecy and without > public debate, there has been an unprecedented proliferation of > aggressive surveillance techniques. One of the NSA's primary concerns, > in fact, appears to be that its clandestine tactics are now being > adopted by foreign rivals, too. > > "Hacking routers has been good business for us and our 5-eyes partners > for some time," notes one NSA analyst in a top-secret document dated > December 2012. "But it is becoming more apparent that other nation > states are honing their skillz [sic] and joining the scene." > > ------ > > Documents published with this article: > > Menwith Hill Station Leverages XKeyscore for Quantum Against Yahoo and Hotmail > Five Eyes Hacking Large Routers > NSA Technology Directorate Analysis of Converged Data > Selector Types > There Is More Than One Way to Quantum > NSA Phishing Tactics and Man in the Middle Attacks > Quantum Insert Diagrams > The NSA and GCHQ's QUANTUMTHEORY Hacking Tactics > TURBINE and TURMOIL > VPN and VOIP Exploitation With HAMMERCHANT and HAMMERSTEIN > Industrial-Scale Exploitation > Thousands of Implants > > > --- -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 842 bytes Desc: Message signed with OpenPGP using GPGMail URL: From jya at pipeline.com Thu Mar 13 04:11:08 2014 From: jya at pipeline.com (John Young) Date: Thu, 13 Mar 2014 07:11:08 -0400 Subject: TAO QUANTUMINSERT Bonanza In-Reply-To: References: Message-ID: If NSA and GCHQ were, are, doing these alleged operations as surmised with slightest evidence greatly amplified, cherry-picked and moshed like a Tom Clancy hot seller, it is likely the Devil's Duo are meticulously tracking, siphoning and implanting: 1. Those reporting, editing, checking, formatting and posting these stories and documents from various countries and those spying all these from inside and outside. 2. The hosting and keyservers of The Intercept, First Look and interconnections and those spying all these from inside and outside. 3. The transceivals among the media staff, lawyers, bankers, bedmates and those spying all these from inside and outside. 4. The comsec wizards being consulted and those they are leaking stuff to and those spying all these from inside and outside. 5. The officials being asked for comment and their roladexes of insiders and those spying all these from inside and outside. 6. The multiple-agencies counter-counter-intel agents double-checking everyone involved and those spying all these from inside and outside. 7. The thousands necessarily swept up in the spiderwebs of linkages for immediate or distant actionable operations and those spying all these from inside and outside. 8. The other national spies working the same territories of gullible targets armored with the world's greatest comsec protection, no matter what ex-spies and ex-contractors claim is absolutely dependable means to assure nobody is swiping and siphoning and those spying all these from inside and outside. Months, years to come, there will be even more gushings about what has been dribbled out with insufficient context to understand what is media hyperbole and what is worth worrying about and those spying all these from inside and outside standards orgs, FOI racketeering, crypto entrepreneurs of com, edu, org and open source treacheries. Recap: About 1,333 Snowden documents have been released by commercial media, none for free. Greenwald has said he gets about $1,500 per story in which he gets a byline. Excluding the $1M signing bonus he has allegedly got from Omidyar, he has made at least another million. Gellman, Poitras perhaps the same (Poitras may have gotten a similar signing bonus). Other dozens of reporters were paid a percentage of that. So it might be estimated the gang of reporters have garnered some $4-5M so far. Media outlets have probably earned 10 times that in sales and ads. The USG, allies and enemies have probably received similar amounts to respond to Snowden, some $50-100M. So call it a $200-500M affair to date. If the USG and other govs work the bonanza as predicted, over 10-20 years the operation will generate, conservatively, a $1-5T boost for comsec religionists and exploiters of media, spies, universities, telcos, web operators, program peddlers, AV magicians, games designers, not counting SM and SEOs and spammers and botnets. Black markets could match that amount, or multiples of it. Meanwhile the comsec industry -- gov, mil, com, edu, org -- will continue reaping the rewards of faith-based sin and salvation. Thanks, Ed. At 01:57 AM 3/13/2014, coderman wrote: >https://s3.amazonaws.com/s3.documentcloud.org/documents/1076891/there-is-more-than-one-way-to-quantum.pdf > >"TAO implants were deployed via QUANTUMINSERT to targets that were >un-exploitable by _any_ other means." > >if you were on this short list of 300 - you were doing something right! > > >--- > > >Snowden Gatekeepers (TM): > what were these 300 like? > what can we learn? From jya at pipeline.com Thu Mar 13 04:33:32 2014 From: jya at pipeline.com (John Young) Date: Thu, 13 Mar 2014 07:33:32 -0400 Subject: TAO QUANTUMINSERT Bonanza In-Reply-To: References: Message-ID: Thanks, Ed, comsec evangelist extraordinaire. If the media operation goes well Snowden could die penniless like the genius Tesla was aced by profit-driven Edison. From coderman at gmail.com Thu Mar 13 09:37:22 2014 From: coderman at gmail.com (coderman) Date: Thu, 13 Mar 2014 09:37:22 -0700 Subject: Privacy Enforced [was: Comsec as Public Utility Beyond Illusory Privacy] Message-ID: On Thu, Mar 13, 2014 at 6:59 AM, John Young wrote: > Snowden may have raised the prospect of comsec as a public utility > like power, water, gas, sewage, air quality, environmental protection > and telecommunications... > > Comsec as a right for human discourse rather than a commercial > service could enforce privacy beyond easy violation for official > and commercial purposes... > > The problem will be as ever the commercial and governmental > exploiters aiming to protect their interests against that of > the public. i suggest changing the balance of power in favor of the public. four distinct efforts would do: 1) Blanket Legal Invulnerability Remove all criminal and civil liability for "hacking", computer trespass, and all related activities performed over data networks; establish proactive "shield" legislation to protect and encourage unrestricted security research of any subject on any network. extend to international agreements for blanket protection in all jurisdictions. 2) Educational Support Everywhere Establish lock picking, computing, and hacking curriculum in pre school through grade school with subsidized access to technical resources including mobile, tablet, laptop test equipment, grid/cloud computing on-demand, software defined radios with full receive/transmit, and gigabit internet service or faster. 3) Collaborative Competitions Organize a program of blue and red teaming challenges for educational and public participation at the district, regional, and national level cultivating expertise and rewarding it with hacking toys, access, and monies. 4) Privileged Positioning Direct and unrestricted backbone access to various individuals or groups who demonstrate competence in either the educational or competitive realms, in order for them to mount additional attack strategies against any reach-able target. this access must consist of both passive taps of backbone traffic as well as injection taps for raw packet transmission at core rates. this should be available on the Internet backbone at internet exchanges, private fiber through public right of way, and core networks of operators of licensed wireless spectrum. 0) end result / strong attractor: Open software and hardware widely in use in post-privacy-protection-purge future will invert power structure to defender with near unassailable advantage in "cyber domain". Any attacker required to compete against the global, collaborative, massive, iterative-crowd-hardened systems publicly in use. (good luck!) From jya at pipeline.com Thu Mar 13 06:59:24 2014 From: jya at pipeline.com (John Young) Date: Thu, 13 Mar 2014 09:59:24 -0400 Subject: Comsec as Public Utility Beyond Illusory Privacy Message-ID: Snowden may have raised the prospect of comsec as a public utility like power, water, gas, sewage, air quality, environmental protection and telecommunications. Privacy protection has been shown to be illusory at best, deceptive at worst, due to the uncontrollable technology applied erroneously for national security. Each of the other public utilities began as private offerings before becoming commercialized and then institutionalized as necessities, many eventually near or wholly monopolies. Each also evolved into military targets for control, contamination, destruction, and in some cases excluded as too essential for civilian livelihood to target. Comsec as a right for human discourse rather than a commercial service could enforce privacy beyond easy violation for official and commercial purposes. Freedom of comsec, say, as a new entry in the US Bill of Rights could lead the way for it to be a fundamental element of Human Rights. The problem will be as ever the commercial and governmental exploiters aiming to protect their interests against that of the public. FCC and NIST, indeed, the three branches, are hardly reliable to pursue this, so beholden to the spy agencies they cannot be trusted. NSA's ubiquitous spying on everybody at home and elsewhere with technology beyond accountability does raise the chances of getting agreement of all targets -- gov, com, edu, org -- to say enough is enough, national security has become a catchall for inexcusable invasion of the public realm. From coderman at gmail.com Thu Mar 13 10:01:45 2014 From: coderman at gmail.com (coderman) Date: Thu, 13 Mar 2014 10:01:45 -0700 Subject: [cryptography] Privacy Enforced [was: Comsec as Public Utility Beyond Illusory Privacy] In-Reply-To: References: Message-ID: On Thu, Mar 13, 2014 at 9:47 AM, Alexandre Anzala-Yamajako wrote: > If OpenSSL has taught us one thing over the years it's that collaborative > dev doesn't mean perfection and far from it. you'll notice that my focus is on testing and breaking, not developing. i agree in full that developers often make poor testers, and the developer mindset not like the attacker perspective. > Also your first point sounds a lot like privacy is not a right you have but > something that has to earned through technical expertise it is a right. but how do you know you've got it unless you verify? (how to verify properly? well, it takes a global village ;) From hettinga at gmail.com Thu Mar 13 07:53:50 2014 From: hettinga at gmail.com (Robert Hettinga) Date: Thu, 13 Mar 2014 10:53:50 -0400 Subject: TURBINE In-Reply-To: <20140313100036.GE26986@leitl.org> References: <20140313100036.GE26986@leitl.org> Message-ID: On Mar 13, 2014, at 6:00 AM, Eugen Leitl wrote: > Let's doxx the spooks. Somewhere, Jim Bell is laughing. Maybe even here… Cheers, RAH -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 496 bytes Desc: Message signed with OpenPGP using GPGMail URL: From eugen at leitl.org Thu Mar 13 03:00:36 2014 From: eugen at leitl.org (Eugen Leitl) Date: Thu, 13 Mar 2014 11:00:36 +0100 Subject: TURBINE In-Reply-To: References: Message-ID: <20140313100036.GE26986@leitl.org> On Wed, Mar 12, 2014 at 08:39:40PM -0700, coderman wrote: > so they've been spending tens of millions every year to red team > privacy enhancing technologies. > > when do we get to see the results and improve our tools? > > ;) > > > > https://firstlook.org/theintercept/article/2014/03/12/nsa-plans-infect-millions-computers-malware/ Above is a declaration of war. Here's a modest counterproposal. What do intelligence services fear most? Like cockroaches, they hate the light. Public scrutiny is their permethrin. So what we need is a hidden service (Tahoe LAFS as distributed storage backend run by many volunteers world-wide) where annotated collection of personal information can be crowdsourced. You can start collecting license plates and match them to addresses and photos. Let's doxx the spooks. All intelligence services, all countries. Make sure to vet data against malicious contamination. Publish them all, and let God sort them out. P.S. If you intend to do it, make sure you never talk about it in public. Just publish code anonymously, and invite collaborators after a closed beta. Make it easy to use, make it secure. Good luck. From hozer at hozed.org Thu Mar 13 09:39:26 2014 From: hozer at hozed.org (Troy Benjegerdes) Date: Thu, 13 Mar 2014 11:39:26 -0500 Subject: TURBINE In-Reply-To: <20140313100036.GE26986@leitl.org> References: <20140313100036.GE26986@leitl.org> Message-ID: <20140313163926.GZ3180@nl.grid.coop> On Thu, Mar 13, 2014 at 11:00:36AM +0100, Eugen Leitl wrote: > On Wed, Mar 12, 2014 at 08:39:40PM -0700, coderman wrote: > > so they've been spending tens of millions every year to red team > > privacy enhancing technologies. > > > > when do we get to see the results and improve our tools? > > > > ;) > > > > > > > > https://firstlook.org/theintercept/article/2014/03/12/nsa-plans-infect-millions-computers-malware/ > > Above is a declaration of war. Here's a modest counterproposal. > > What do intelligence services fear most? Like cockroaches, > they hate the light. Public scrutiny is their permethrin. > > So what we need is a hidden service (Tahoe LAFS as distributed > storage backend run by many volunteers world-wide) where annotated > collection of personal information can be crowdsourced. You can > start collecting license plates and match them to addresses and > photos. > > Let's doxx the spooks. All intelligence services, all countries. > Make sure to vet data against malicious contamination. Publish > them all, and let God sort them out. > > P.S. If you intend to do it, make sure you never talk about it in > public. Just publish code anonymously, and invite collaborators > after a closed beta. Make it easy to use, make it secure. Good luck. uh-huh. I thank you for you valiant attempt at entrapment. It's far more fun and confuses the crap out of paranoid people to have no secrets, and no paranoia. There are good people who work for these agencies that will discover I have nothing to hide. And I'm counting on the dark-cockroach power battles to strategically leak information harmful to their dark-roach opponents, much like I'm sure some roach leaked information to Senator Feinstein to try to build their own budget. Or was it the Mossad, or German intelligence that decided to hang the CIA in their own noose? From cypher at cpunk.us Thu Mar 13 11:50:42 2014 From: cypher at cpunk.us (Cypher) Date: Thu, 13 Mar 2014 13:50:42 -0500 Subject: TURBINE In-Reply-To: <20140313100036.GE26986@leitl.org> References: <20140313100036.GE26986@leitl.org> Message-ID: <5321FE02.6080904@cpunk.us> On 03/13/2014 05:00 AM, Eugen Leitl wrote: > On Wed, Mar 12, 2014 at 08:39:40PM -0700, coderman wrote: >> so they've been spending tens of millions every year to red team >> privacy enhancing technologies. >> >> when do we get to see the results and improve our tools? >> >> ;) >> >> >> >> https://firstlook.org/theintercept/article/2014/03/12/nsa-plans-infect-millions-computers-malware/ > >> > Above is a declaration of war. Here's a modest counterproposal. > > What do intelligence services fear most? Like cockroaches, they > hate the light. Public scrutiny is their permethrin. > > So what we need is a hidden service (Tahoe LAFS as distributed > storage backend run by many volunteers world-wide) where annotated > collection of personal information can be crowdsourced. You can > start collecting license plates and match them to addresses and > photos. > > Let's doxx the spooks. All intelligence services, all countries. > Make sure to vet data against malicious contamination. Publish them > all, and let God sort them out. I don't think this goes far enough at all. They won't care if their information is out there. Similar actions by Anonymous have shown that. They use it as a base for even more propaganda to the people as to why this type of pervasive survelliance is needed. What we /need/, IMHO, is infiltration. Straight out infiltration. We need to operate just like we would in any regular battle: we need good people to find jobs within the various agencies that provide them sufficiently high level access so that they can leak information to the public. You want to scare them? Take away the security of them trusting /anybody/. Let them vet people out the ass with their useless polygraphs and psychological testing procedures. People dedicated to exposing their evil will pass them, get jobs, and leak the hell out of their information. Cypher From rysiek at hackerspace.pl Thu Mar 13 07:55:57 2014 From: rysiek at hackerspace.pl (rysiek) Date: Thu, 13 Mar 2014 15:55:57 +0100 Subject: Comsec as Public Utility Beyond Illusory Privacy In-Reply-To: References: Message-ID: <3151017.Pm4tplElkv@lap> Hi there, Dnia czwartek, 13 marca 2014 09:59:24 John Young pisze: > (...) > Freedom of comsec, say, as a new entry in the US Bill of Rights > could lead the way for it to be a fundamental element of Human > Rights. You had me up until this part. We don't need it. We have the secrecy of correspondence in most democratic countries: http://en.wikipedia.org/wiki/Secrecy_of_correspondence Well, the US kind of needs to get it into the Bill of Rights, maybe, but not as "comsec", but as plain old "secrecy of correspondence". Why? Because instead of creating a new "cyber"/"comsec" right, it's high time we uphold the rights we already have. Otherwise, once a new technology comes, we will have to fight this fight all over again -- as this will no longer be "comsec", but (say) "quantumsec". Again, where we have secrecy of correspondence already -- let's enforce it; where it is not there, it needs to be implemented and enshrined in law. But only as a general rule of "secrecy of correspondence", not as "comsec", not as "postal secrecy", not as "telephone privacy", as otherwise we will have the same discussion in 5-10 years all over again. -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From tpb-crypto at laposte.net Thu Mar 13 09:02:23 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Thu, 13 Mar 2014 17:02:23 +0100 Subject: Comsec as Public Utility Beyond Illusory Privacy In-Reply-To: References: Message-ID: <1777033677.98407.1394726542915.JavaMail.www@wwinf8307> > Message du 13/03/14 15:33 > De : "John Young" > A : cypherpunks at cpunks.org, cryptography at randombit.net, cryptome at freelists.org > Copie à : > Objet : Comsec as Public Utility Beyond Illusory Privacy > > Snowden may have raised the prospect of comsec as a public utility > like power, water, gas, sewage, air quality, environmental protection > and telecommunications. Privacy protection has been shown to be > illusory at best, deceptive at worst, due to the uncontrollable > technology applied erroneously for national security. > > Each of the other public utilities began as private offerings before > becoming commercialized and then institutionalized as necessities, > many eventually near or wholly monopolies. > > Each also evolved into military targets for control, contamination, > destruction, and in some cases excluded as too essential for > civilian livelihood to target. > > Comsec as a right for human discourse rather than a commercial > service could enforce privacy beyond easy violation for official > and commercial purposes. > > Freedom of comsec, say, as a new entry in the US Bill of Rights > could lead the way for it to be a fundamental element of Human > Rights. > > The problem will be as ever the commercial and governmental > exploiters aiming to protect their interests against that of > the public. > > FCC and NIST, indeed, the three branches, are hardly reliable to > pursue this, so beholden to the spy agencies they cannot be trusted. > > NSA's ubiquitous spying on everybody at home and elsewhere > with technology beyond accountability does raise the chances of > getting agreement of all targets -- gov, com, edu, org -- to say > enough is enough, national security has become a catchall for > inexcusable invasion of the public realm. > > > It remembers me when someone proposed that IPv6 encryption should become optional and the proposal was accepted. If we had IPv6 encrypted by now, things would be a little bit different ... From eugen at leitl.org Thu Mar 13 09:35:42 2014 From: eugen at leitl.org (Eugen Leitl) Date: Thu, 13 Mar 2014 17:35:42 +0100 Subject: TURBINE In-Reply-To: References: <20140313100036.GE26986@leitl.org> Message-ID: <20140313163542.GI26986@leitl.org> On Thu, Mar 13, 2014 at 10:53:50AM -0400, Robert Hettinga wrote: > > On Mar 13, 2014, at 6:00 AM, Eugen Leitl wrote: > > > Let's doxx the spooks. > > Somewhere, Jim Bell is laughing. Maybe even here… Actually, we demonstrably have a case of collusion among rogue intelligence services of several countries for the purpose of undermining the democratic order and the constitution of said countries, which is high treason, if you care about such trifles. If nobody else is taking measures (official stonewalling is slowly getting there, making such individuals actually potentially complicit in high treason) GG Art 20 (arguably, also Art 32 StGB) applies and taking countermeasures by individual citizens is lawful. Always IANAL, of course. So if the state is not taking measures against surveillance gear on US embassies or unlawful data collection by foreign intelligence agencies, individuals are by law allowed to. See e.g. https://lqfb.piratenpartei.de/lf/initiative/show/6555.html https://lqfb.piratenpartei.de/lf/suggestion/show/12807.html http://www.golem.de/news/spionage-hilft-nur-noch-notwehr-gegen-die-nsa-1401-104106.html http://www.sueddeutsche.de/politik/geheimer-krieg-us-beamte-ueberpruefen-reisende-in-deutschland-1.1820764 http://www.sueddeutsche.de/politik/geheimer-krieg-us-beamte-ueberpruefen-reisende-in-deutschland-1.1820764-2 Doxxing foreign (of course, everybody is a foreigner, somewhere) intelligence and special services appears a rather mild measure, under the circumstances. From hozer at hozed.org Thu Mar 13 20:52:14 2014 From: hozer at hozed.org (Troy Benjegerdes) Date: Thu, 13 Mar 2014 22:52:14 -0500 Subject: Comsec as Public Utility Beyond Illusory Privacy In-Reply-To: <1777033677.98407.1394726542915.JavaMail.www@wwinf8307> References: <1777033677.98407.1394726542915.JavaMail.www@wwinf8307> Message-ID: <20140314035214.GB3180@nl.grid.coop> > > getting agreement of all targets -- gov, com, edu, org -- to say > > enough is enough, national security has become a catchall for > > inexcusable invasion of the public realm. > > > > > > > > It remembers me when someone proposed that IPv6 encryption should become optional and the proposal was accepted. If we had IPv6 encrypted by now, things would be a little bit different ... > And networks would be harder to debug, unless you happened to work for the comsec utility or the NSA and already had all the decryption keys. Let me suggestion using IPv7 where encryption is also optional, but at least happens to use the same ecdsa keys you use for your money to encrypt packets if you so desire. -- ---------------------------------------------------------------------------- Troy Benjegerdes 'da hozer' hozer at hozed.org 7 elements earth::water::air::fire::mind::spirit::soul grid.coop Never pick a fight with someone who buys ink by the barrel, nor try buy a hacker who makes money by the megahash From coderman at gmail.com Fri Mar 14 03:57:45 2014 From: coderman at gmail.com (coderman) Date: Fri, 14 Mar 2014 03:57:45 -0700 Subject: truth so frank it's super classified! Message-ID: paraphrasing: "we pay them with dirt and tech" (correspondingly: zero stones; ZERO CRATES!!!) " What do Third Parties .. want from us? Generally speaking, our Third Party partners want access to our technology... In exchange for their providing unique accesses, ... we provide them with technical solutions (e.g., hardware, software) and/or access to related technology. " - http://cryptome.org/2014/03/nsa-third-parties.pdf also choice: " Are our foreign intelligence relationships usually insulated from short-term political ups and downs...? For a variety of reasons, our intelligence relationships are rarely disrupted by foreign political perturbations, foreign or _domestic_. First we are helping our partners [... with intelligence]. Second, in many of our foreign partners' capitals, few senior officials outside of their defense-intelligence apparatus are witting to any SIGINT connection to U.S./NSA. " From jya at pipeline.com Fri Mar 14 05:40:06 2014 From: jya at pipeline.com (John Young) Date: Fri, 14 Mar 2014 08:40:06 -0400 Subject: Comsec as Public Utility Beyond Illusory Privacy In-Reply-To: <20140314035214.GB3180@nl.grid.coop> References: <1777033677.98407.1394726542915.JavaMail.www@wwinf8307> <20140314035214.GB3180@nl.grid.coop> Message-ID: At 11:52 PM 3/13/2014, Troy Benjegerdes sigged: "earth::water::air::fire::mind::spirit::soul" Your sig: "earth::water::air::fire::mind::spirit::soul" (EWAFMSS) pretty well covers the area of operations needing ubiquitous comsec against ubuiquitous spying of EWAFMSS. Certainly there will be violations and spying by those who design, run and abuse the systems of EWAFMSS. Especially those who are excused from accountability to "maintain the systems, or debug" EWAFMSS. More narrowly, system operators, network operators, maintenance staff, repariers, holders of keys to and lockpicks of the systems, ie, the Snowdens, the spies, the governors, will usurp control and unilaterally or collectively decide they know what is best for the systems' users, and that inevitably coincides with self-interest of the system operators of EWAFMSS. Given that inevitability of self-interest, cloaked in high-minded rationales of public service, or national security, what inevitably must be done to reign in the inevitable abusers of privilege, public service, national security, ie EWAFMSS. A range of options: assassination, revolution, counterspying, treason, war, founding of new faiths, schemes and con jobs in EWAFMSS. For comsec that could entail implantation of electroshock devices in every system operator which punishes, or in extremity, kills, for misbehavior programmed into the widgets. Hack a key, pick a lock, mosh RNG, open a backdoor, break a vow of public service, get singed as a warning, keep it up, get fried. This is basicly what NSA is implanting around the globe in systems if not witting and unwitting operators. Starting with implantation of their own Snowdens of devices of disinformation which leads the poor goofs to think they know the system vulns. Then the goofs spread the disinfo to, say, the Greenwalds, Poitras's and Gellmans who then goofily spread it to the public goofiness consumers. Blessing this operation is the FISC judges who mightily try to understand WTF DoJ is blowing at them to cloud what NSA is actually doing with its systems of EWAFMSS. Read the FISC orders to see the solons gyrate and spasm a pretense of understanding what is intended ot be non-understandable. NSA proceeds totally unhindered to do what it wants with abusing EWAFMSS, condoned by FISC glossing of the abuse -- what is done in the US is done worldwide for managing and exploiting for self-interest EWAFMSS. Yes, these very lists foster the appeal of exploiting the expoitation of EWAFMSS by pretending to oppose it, to found a new scheme of assassination, revolution, etc, etc. This will inevitably lead to compromisable proponents to be bribed and recruited for service in the established exploiters: billionaires, journalists, lawyers, courts, tech corporations, telcos, LEs, TLAs, Vaticans, Israelis, Muslims, Tea Parties, nations, black marketers, financial crime syndicates, freedom of information hustlers, leakers, and, most beautifully remunerative, crypto-comsec mofos. There's the pitch for comsec public utility, crypto-comsec mofos signing up to be implanted with EM devices for a Tor-Greenwald-grade lifetime of comfort bribe to loyally and patriotically run the sysems of EWAFMSS. Then immediately break the vow, hack the devices, cheat, lie, steal, bolthole an embassy, refuge in a rogue state, for a while enjoy the warm feeling of triumph, then be Zapped remotely for belief in knowing more than the Devil in the Details. >And networks would be harder to debug, unless you happened to work for the >comsec utility or the NSA and already had all the decryption keys. > >Let me suggestion using IPv7 where encryption is also optional, but at least >happens to use the same ecdsa keys you use for your money to encrypt packets >if you so desire. > >-- >---------------------------------------------------------------------------- >Troy Benjegerdes 'da hozer' hozer at hozed.org >7 elements > grid.coop > > Never pick a fight with someone who buys ink by the barrel, > nor try buy a hacker who makes money by the megahash From jya at pipeline.com Fri Mar 14 06:03:15 2014 From: jya at pipeline.com (John Young) Date: Fri, 14 Mar 2014 09:03:15 -0400 Subject: Comsec as Public Utility Beyond Illusory Privacy Message-ID: Snowden's video, comments and talks at SXSW convey the failure to aim higher with ubiquitous comsec, instead to remain within the comfortable fold of Snowden's "do no harm to national security." This blind faith in natsec cautionary implantation in Snowden and his media outlets aided by technical advisors and officials, assures redaction-rich risklessness in accord with the NSA-DoJ-bamboozled FISC orders guaranteeing continuation of control of EWAFMSS. From demonfighter at gmail.com Fri Mar 14 07:47:32 2014 From: demonfighter at gmail.com (Steve Furlong) Date: Fri, 14 Mar 2014 10:47:32 -0400 Subject: TURBINE In-Reply-To: <20140314134548.GL26986@leitl.org> References: <20140313100036.GE26986@leitl.org> <5321FE02.6080904@cpunk.us> <20140314134548.GL26986@leitl.org> Message-ID: On Fri, Mar 14, 2014 at 9:45 AM, Eugen Leitl wrote: > Au contraire, name and shame does work for criminals. Consider > drone operators or black ops being outed, or NSA cybercriminals > published with full name and address. I assure they're not going > to take it lightly any more than sex offenders want to see > their mugs and full addresses and map locations published. Without admitting to anything which might result in criminal charges or civil action, I may or may not have been involved in collating and publishing the home addresses and various personal information on city police and local politicians and bureaucrats where I used to live. And Eugen is absolutely correct: once the web site was publicized, the official response was apoplectic. "Shrieking eschatonic hysteria" would not be an overstatement. See, it's perfectly fine for the police or the city government to "accidentally" release all sorts of personal information on people who were arrested but not charged, but it's a totally different matter for the home address of the chief of police or the feminine hygiene brand preference of the city attorney to be made public. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1491 bytes Desc: not available URL: From pgut001 at cs.auckland.ac.nz Thu Mar 13 15:55:11 2014 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Fri, 14 Mar 2014 11:55:11 +1300 Subject: [cryptography] 2010 TAO QUANTUMINSERT trial against 300 (hard) targets In-Reply-To: <95300E05-99F4-4FEF-BA5C-A3ECE7956695@seer-grog.net> Message-ID: Greg Rose writes: >You get the routers to create valid-looking certificates for the endpoints, >to mount man-in-the-middle attacks. This is relatively easy for home routers, since the self-signed certs they're configured with are frequently CA certs. In other words they ship from the factory in a MITM-ready state. Peter. From tedks at riseup.net Fri Mar 14 09:34:57 2014 From: tedks at riseup.net (Ted Smith) Date: Fri, 14 Mar 2014 12:34:57 -0400 Subject: TURBINE In-Reply-To: <20140314134548.GL26986@leitl.org> References: <20140313100036.GE26986@leitl.org> <5321FE02.6080904@cpunk.us> <20140314134548.GL26986@leitl.org> Message-ID: <1394814897.11114.14.camel@anglachel> On Fri, 2014-03-14 at 14:45 +0100, Eugen Leitl wrote: > However, intelligence people do not operate in a vacuum. They use > the same public infrastructure as you. They don't teleport in and > out of their facilities. Collecting and crosscorrelating publicly > available data is powerful while invidual risk is low to zero. > Leaking large batches is safe if you follow standard security > procedures. Animal liberation activists have been using similar tactics (infiltration and outing) for a long while; anyone interested should look into the SHAC campaign for strategic/tactical inspiration. This is the best retrospective I think exists, but I'd love to be wrong: http://www.crimethinc.com/texts/rollingthunder/shac.php -- Sent from Ubuntu -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 836 bytes Desc: This is a digitally signed message part URL: From joseph.g.tag at gmail.com Fri Mar 14 11:39:52 2014 From: joseph.g.tag at gmail.com (Joseph Tag) Date: Fri, 14 Mar 2014 14:39:52 -0400 Subject: Subject: Re: Comsec as Public Utility Beyond Illusory Privacy Message-ID: Hello, Everyone. I learn much, here. There are three (3) major situations where encryption is really helpful. 1) encrypting a Password in the Log-on / Access Control activity . 2) Creating a new password or Message Authentication Code (MAC) and 3) Using encryption to support and provide for a Digital Signature. As Information Technology evolved from "mainframe" computers, "minicomputers" "LAN's" and Laptop PC's , notebook PCs were installed used and connected around the world, so did the need for people to install and maintain them. Those are my concerns about when to use encryption. I always use https:/ And, with so many things; tinkering, tampering, sabotaging, tapping, thumping, and corrupting all things techologic has occurred. Sometimes, I get frustrated with what I understand the legal system is NOT doing. I should feel free to modify my use of an AES Algorithm ( 24--64 bit pre-whitening with Rijndael, Twofish, Serpent, RC6, MARS ) ; applying a larger-than-standard keysize ( i.e: 384--576 bits of key ) ; in a well engineered metal box (form factor) . We should not feel a need to Destroy/Zeroize our systems, when the Feds come knocking on our door. If I encrypt messages about my plans, they should be secure until I change them ( and escape ) It is frustrating, the current situation. Lots of food for thought. Best wishes to all. Joe end: 2:35PM; 14MAR2014 -- --- -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1710 bytes Desc: not available URL: From eugen at leitl.org Fri Mar 14 06:45:48 2014 From: eugen at leitl.org (Eugen Leitl) Date: Fri, 14 Mar 2014 14:45:48 +0100 Subject: TURBINE In-Reply-To: <5321FE02.6080904@cpunk.us> References: <20140313100036.GE26986@leitl.org> <5321FE02.6080904@cpunk.us> Message-ID: <20140314134548.GL26986@leitl.org> On Thu, Mar 13, 2014 at 01:50:42PM -0500, Cypher wrote: > I don't think this goes far enough at all. They won't care if their > information is out there. Similar actions by Anonymous have shown Au contraire, name and shame does work for criminals. Consider drone operators or black ops being outed, or NSA cybercriminals published with full name and address. I assure they're not going to take it lightly any more than sex offenders want to see their mugs and full addresses and map locations published. > that. They use it as a base for even more propaganda to the people as > to why this type of pervasive survelliance is needed. > > What we /need/, IMHO, is infiltration. Straight out infiltration. We I agree, but it's a different kettle of fish entirely. The probability overlap of being both willing to risk and able (to be hired) is negligible. Plus security measures are much higher after the last heist. Not to say impossible, but personal risk is much higher, and potential ROI is considerably lower. > need to operate just like we would in any regular battle: we need good > people to find jobs within the various agencies that provide them > sufficiently high level access so that they can leak information to > the public. You want to scare them? Take away the security of them > trusting /anybody/. Let them vet people out the ass with their useless > polygraphs and psychological testing procedures. People dedicated to > exposing their evil will pass them, get jobs, and leak the hell out of > their information. That would be nice. But realistically only a very rate exception. However, intelligence people do not operate in a vacuum. They use the same public infrastructure as you. They don't teleport in and out of their facilities. Collecting and crosscorrelating publicly available data is powerful while invidual risk is low to zero. Leaking large batches is safe if you follow standard security procedures. > Cypher > > From tpb-crypto at laposte.net Fri Mar 14 07:10:38 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Fri, 14 Mar 2014 15:10:38 +0100 Subject: Comsec as Public Utility Beyond Illusory Privacy In-Reply-To: <20140314035214.GB3180@nl.grid.coop> References: <1777033677.98407.1394726542915.JavaMail.www@wwinf8307> <20140314035214.GB3180@nl.grid.coop> Message-ID: <65556698.184400.1394806238174.JavaMail.www@wwinf8222> > Message du 14/03/14 04:52 > De : "Troy Benjegerdes" > A : tpb-crypto at laposte.net > Copie à : "John Young" , cypherpunks at cpunks.org, cryptography at randombit.net, cryptome at freelists.org > Objet : Re: Comsec as Public Utility Beyond Illusory Privacy > > > > getting agreement of all targets -- gov, com, edu, org -- to say > > > enough is enough, national security has become a catchall for > > > inexcusable invasion of the public realm. > > > > > > > > > > > > > It remembers me when someone proposed that IPv6 encryption should become optional and the proposal was accepted. If we had IPv6 encrypted by now, things would be a little bit different ... > > > > And networks would be harder to debug, unless you happened to work for the > comsec utility or the NSA and already had all the decryption keys. > > Let me suggestion using IPv7 where encryption is also optional, but at least > happens to use the same ecdsa keys you use for your money to encrypt packets > if you so desire. > > -- > ---------------------------------------------------------------------------- > Troy Benjegerdes 'da hozer' hozer at hozed.org > 7 elements earth::water::air::fire::mind::spirit::soul grid.coop > > Never pick a fight with someone who buys ink by the barrel, > nor try buy a hacker who makes money by the megahash > > I absolutely don't see the point that justifies debugging network problems to be a bigger concern than the privacy of everyone in the world. Debugging be damned. We should move to quantum-proof crypto, ECDSA is merely a stopgap. From grarpamp at gmail.com Sat Mar 15 15:25:08 2014 From: grarpamp at gmail.com (grarpamp) Date: Sat, 15 Mar 2014 18:25:08 -0400 Subject: [cryptography] 2010 TAO QUANTUMINSERT trial against 300 (hard) targets In-Reply-To: References: <95300E05-99F4-4FEF-BA5C-A3ECE7956695@seer-grog.net> Message-ID: On Thu, Mar 13, 2014 at 11:13 AM, Jason Iannone wrote: > And remain undetected? That's a nontrivial task and one that I would > suspect generates interesting CPU or other resource utilization anomalies. > It's a pretty high risk activity. The best we can hope for is someone > discovering the exploit and publicly dissecting it. See, the standard defense for all this is to lock down the cert fingerprints of your real destination to prevent cert games. Then add in DNSSEC [1] and even IPSEC [1] to make sure things all match up. That does make things much harder. Problem still lies where your adversary has stolen or co-op'd the PK of your dest cert, and rigged the routing path to route-map your applicable src/dest/port IP tuples to residing off their private port in the local (to you or your dest) DC. Right??? >From which they proceed to bugger you through their transparent proxy to the real dest. It's not a bulk tool as that might tip off some non-moled-out-cert-group network groupie at the dest site that a lot of users come from some IP. And it's definitely for 'high value only' given the work/risk. But still... PKI-WOT bidirectional security between you and your dest of global bgp advert/nexthop routing infrastructure anyone? Everyone seems to trust the network to route... and even then [1]. [1] Similarly stolen/co-op'd as need be. > pg > This is relatively easy for home routers, since the self-signed certs they're > configured with are frequently CA certs. In other words they ship from the > factory in a MITM-ready state. > > > On Thu, Mar 13, 2014 at 8:50 AM, Greg Rose wrote: >> >> You get the routers to create valid-looking certificates for the >> endpoints, to mount man-in-the-middle attacks. >> >> On Mar 13, 2014, at 6:28 , Jason Iannone wrote: >> >> > The First Look article is light on details so I don't know how one gets >> > from "infect[ing] large-scale network routers" to "perform[ing] >> > “exploitation attacks” against data that is sent through a Virtual Private >> > Network." I'd like to better understand that. >> > >> > >> > On Thu, Mar 13, 2014 at 7:22 AM, Jeffrey Walton >> > wrote: >> > On Thu, Mar 13, 2014 at 9:17 AM, Jason Iannone >> > wrote: >> > > Are there details regarding Hammerstein? Are they actually breaking >> > > routers? >> > Cisco makes regular appearances on Bugtraq an Full Disclosure. Pound >> > for pound, there's probably more exploits for Cisco gear than Linux >> > and Windows combined. >> > >> > Jeff >> > >> > > On Thu, Mar 13, 2014 at 2:40 AM, Jeffrey Walton >> > > wrote: >> > >> >> > >> On Thu, Mar 13, 2014 at 1:57 AM, coderman wrote: >> > >> > >> > >> > >> > >> > https://s3.amazonaws.com/s3.documentcloud.org/documents/1076891/there-is-more-than-one-way-to-quantum.pdf >> > >> > >> > >> > "TAO implants were deployed via QUANTUMINSERT to targets that were >> > >> > un-exploitable by _any_ other means." >> > >> > >> > >> And Schneier's Guardian article on the Quantum and FoxAcid systems: >> > >> >> > >> >> > >> http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity. From jya at pipeline.com Sun Mar 16 06:34:11 2014 From: jya at pipeline.com (John Young) Date: Sun, 16 Mar 2014 09:34:11 -0400 Subject: Journalists Shill Sources and Secrets Message-ID: Journalists Shill Sources and Secrets http://sourcesandsecrets.com/ Advertised with $20,000 full-page vanity ad in the New York Times, 16 March 2014. Coordinated with the NYT's release of its Snowden files series and books by Greenwald and Gellman, and video by Poitras, as well as capacious media roll-outs, conferences, celebrity profiles, movies, awards, prizes, law suits, mock threats, and phony investigations. Also coordinated with the rise of billionaire and corporate-funded "non-profit" journalism like ProPublica, The Intercept and The Marshall Project which pay over $500,000 top salaries, some with over $1M in total compensation packages. http://cryptome.org/2014/03/npj-14-0314.pdf See dozens of conference sponsors of commercial journalism at bottom. This conference is full. Registration is now closed for this event. Sources + Secrets A Conference on the Press, the Government and National Security Friday, March 21, 2014 at 8:00AM at The TimesCenter 242 West 41st Street New York, NY 10018 Focusing on the divide between the government and the press over coverage of national security issues, the Sources + Secrets Conference will examine the legal basis and scope of government actions that have hampered the work of journalists and offer administration representatives an opportunity to present their case for secrecy. Agenda THE LONG ARM OF THE LAW: panel on the Espionage Act, recent court decisions and Justice Department guidelines on subpoenas to reporters Ben Wizner, A.C.L.U.; David A. Schulz, First Amendment litigator; Laura R. Handman, First Amendment litigator; Jeffrey Toobin, The New Yorker. Moderator: Adam Liptak, The New York Times PERILS OF COVERING NATIONAL SECURITY: panel on the impact of government actions on confidential sources and reporting techniques Jane Mayer, The New Yorker; Mark Mazzetti, The New York Times; Peter Maass, writer; and Robert L. Deitz, former general counsel, N.S.A. and senior councillor to the C.I.A. director. Moderator: Bob Woodward, The Washington Post THE SNOWDEN REVELATIONS: Roger Cohen, The New York Times, interviews Glenn Greenwald, The Guardian; Laura Poitras, The New York Times; and Barton Gellman, The Washington Post, via Skype PROSPECTS FOR A FEDERAL SHIELD LAW: discussion of the proposed Free Flow of Information Act Bill Keller, editor in chief, The Marshall Project, interviews Senator Charles Schumer, followed by panel with Senator Schumer; Quinn Norton, freelance journalist, activist; Jonathan Landay, McClatchy; Scott Horton, reporter, Harper's Magazine; and Kenneth L. Wainstein, former assistant attorney general for national security and homeland security advisor WHERE DO WE GO FROM HERE? Panel discussion on achieving a balance between press freedom and national security Jill Abramson, executive editor, The New York Times; Martin Baron, executive editor, The Washington Post; David Remnick, editor, The New Yorker; Katrina vanden Heuvel, editor and publisher, The Nation; Robert S. Litt, General Counsel, Office of the Director of National Intelligence. Moderator: Ken Auletta, The New Yorker SUPPORTED BY ABC News; The Annenberg Center on Communication, Leadership & Policy; The Arthur L. Carter Journalism Institute at New York University; The Associated Press; CBS; The Center for Communication; the Center for Investigative Reporting; The Center for Public Integrity; CNN; Columbia Graduate School of Journalism; The Committee to Protect Journalists; The Denver Post; Frontline; The Hearst Corporation; The Huffington Post; Investigative Reporters and Editors; The Shorenstein Center on Media, Politics and Public Policy; The Los Angeles Times; The McClatchy Company; the Medill National Security Journalism Initiative; The Milwaukee Journal Sentinel; The New York Review of Books; The New Yorker; the Newspaper Association of America; The Nieman Foundation; NOLA.com/The Times-Picayune; PEN American Center; The Philip Merrill College of Journalism; The Poynter Institute; ProPublica; The Record and Herald News of North Jersey; the Reporters Committee for Freedom of the Press; Reporters Without Borders; Reuters; UC Berkeley Graduate School of Journalism; The Wall Street Journal and The Washington Post. From odinn.cyberguerrilla at riseup.net Sun Mar 16 18:57:03 2014 From: odinn.cyberguerrilla at riseup.net (Odinn Cyberguerrilla) Date: Sun, 16 Mar 2014 18:57:03 -0700 Subject: usual or desperate call for white papers? In-Reply-To: <1755038.FCJpYuC3iC@lap> References: <1755038.FCJpYuC3iC@lap> Message-ID: <65ddda0e6d171d7519c1feb2b5524620.squirrel@fruiteater.riseup.net> More on the usual or desperate call for papers below. Am weighing whether or not to submit one that will make the reviewers shake their heads and vomit. Shouldn't be hard. https://www.defcon.org/html/defcon-22/dc-22-cfp-form.html > Dnia niedziela, 16 marca 2014 21:36:38 Cari Machet pisze: >> 'Air Force Research Laboratory Information Directorate (AFRL/RI) is >> soliciting white papers for various scientific studies, investigations, >> and >> experiments to increase our knowledge, understanding and capability in >> order to expand cyber operations technologies within the Department of >> Defense (DoD).' >> >> https://www.fbo.gov/index?s=opportunity&mode=form&id=0daa017bdb65a7d810e3778 >> bc763960a&tab=core&_cview=1 > > I'm sure there is a way to troll the shit out of them a'la Mr Sokal: > http://en.wikipedia.org/wiki/Sokal_affair > > -- > Pozdr > rysiek From carimachet at gmail.com Sun Mar 16 14:36:38 2014 From: carimachet at gmail.com (Cari Machet) Date: Sun, 16 Mar 2014 21:36:38 +0000 Subject: usual or desperate call for white papers? Message-ID: 'Air Force Research Laboratory Information Directorate (AFRL/RI) is soliciting white papers for various scientific studies, investigations, and experiments to increase our knowledge, understanding and capability in order to expand cyber operations technologies within the Department of Defense (DoD).' https://www.fbo.gov/index?s=opportunity&mode=form&id=0daa017bdb65a7d810e3778bc763960a&tab=core&_cview=1 -- Cari Machet NYC 646-436-7795 carimachet at gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1433 bytes Desc: not available URL: From hozer at hozed.org Sun Mar 16 21:09:53 2014 From: hozer at hozed.org (Troy Benjegerdes) Date: Sun, 16 Mar 2014 23:09:53 -0500 Subject: Comsec as Public Utility Beyond Illusory Privacy In-Reply-To: <65556698.184400.1394806238174.JavaMail.www@wwinf8222> References: <1777033677.98407.1394726542915.JavaMail.www@wwinf8307> <20140314035214.GB3180@nl.grid.coop> <65556698.184400.1394806238174.JavaMail.www@wwinf8222> Message-ID: <20140317040953.GC3180@nl.grid.coop> > > > It remembers me when someone proposed that IPv6 encryption should become optional and the proposal was accepted. If we had IPv6 encrypted by now, things would be a little bit different ... > > > > > > > And networks would be harder to debug, unless you happened to work for the > > comsec utility or the NSA and already had all the decryption keys. > > > > Let me suggestion using IPv7 where encryption is also optional, but at least > > happens to use the same ecdsa keys you use for your money to encrypt packets > > if you so desire. > > > > -- > > ---------------------------------------------------------------------------- > > Troy Benjegerdes 'da hozer' hozer at hozed.org > > 7 elements earth::water::air::fire::mind::spirit::soul grid.coop > > > > Never pick a fight with someone who buys ink by the barrel, > > nor try buy a hacker who makes money by the megahash > > > > > > I absolutely don't see the point that justifies debugging network problems to be a bigger concern than the privacy of everyone in the world. Debugging be damned. > > We should move to quantum-proof crypto, ECDSA is merely a stopgap. Most people will happily trade privacy for some 'free stuff'. Encrypting things nobody cares about hiding seems like a losing battle not worth fighting. 'De-bugging' is also de-bugging and removal of surveilance devices. If everything (including the network path my data takes) is encrypted, then I have no real ability to know if it's being tapped, redirected, or misdirected. From rysiek at hackerspace.pl Sun Mar 16 15:18:19 2014 From: rysiek at hackerspace.pl (rysiek) Date: Sun, 16 Mar 2014 23:18:19 +0100 Subject: usual or desperate call for white papers? In-Reply-To: References: Message-ID: <1755038.FCJpYuC3iC@lap> Dnia niedziela, 16 marca 2014 21:36:38 Cari Machet pisze: > 'Air Force Research Laboratory Information Directorate (AFRL/RI) is > soliciting white papers for various scientific studies, investigations, and > experiments to increase our knowledge, understanding and capability in > order to expand cyber operations technologies within the Department of > Defense (DoD).' > > https://www.fbo.gov/index?s=opportunity&mode=form&id=0daa017bdb65a7d810e3778 > bc763960a&tab=core&_cview=1 I'm sure there is a way to troll the shit out of them a'la Mr Sokal: http://en.wikipedia.org/wiki/Sokal_affair -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From carimachet at gmail.com Sun Mar 16 18:14:49 2014 From: carimachet at gmail.com (Cari Machet) Date: Mon, 17 Mar 2014 01:14:49 +0000 Subject: usual or desperate call for white papers? In-Reply-To: <1755038.FCJpYuC3iC@lap> References: <1755038.FCJpYuC3iC@lap> Message-ID: On Sun, Mar 16, 2014 at 10:18 PM, rysiek wrote: > Dnia niedziela, 16 marca 2014 21:36:38 Cari Machet pisze: > > 'Air Force Research Laboratory Information Directorate (AFRL/RI) is > > soliciting white papers for various scientific studies, investigations, > and > > experiments to increase our knowledge, understanding and capability in > > order to expand cyber operations technologies within the Department of > > Defense (DoD).' > > > > > https://www.fbo.gov/index?s=opportunity&mode=form&id=0daa017bdb65a7d810e3778 > > bc763960a&tab=core&_cview=1 > > I'm sure there is a way to troll the shit out of them a'la Mr Sokal: > http://en.wikipedia.org/wiki/Sokal_affair > ooooo curve encryption but ... not ... hehehe mind cogs turning.... i like the getting classified shit how to part now the libertarians on this list hate the anarchists even more > yay! > > -- > Pozdr > rysiek -- Cari Machet NYC 646-436-7795 carimachet at gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2611 bytes Desc: not available URL: From carimachet at gmail.com Sun Mar 16 18:25:36 2014 From: carimachet at gmail.com (Cari Machet) Date: Mon, 17 Mar 2014 01:25:36 +0000 Subject: Journalists Shill Sources and Secrets In-Reply-To: References: Message-ID: On Sun, Mar 16, 2014 at 1:34 PM, John Young wrote: > Journalists Shill Sources and Secrets > > http://sourcesandsecrets.com/ > > Advertised with $20,000 full-page vanity ad in the New York Times, 16 > March 2014. > > Coordinated with the NYT's release of its Snowden files series and books > by Greenwald and Gellman, and video by Poitras, as well as capacious media > roll-outs, conferences, celebrity profiles, movies, awards, prizes, law > suits, mock threats, and phony investigations. > > Also coordinated with the rise of billionaire and corporate-funded > "non-profit" journalism like ProPublica, The Intercept and The Marshall > Project which pay over $500,000 top salaries, some with over $1M in total > compensation packages. http://cryptome.org/2014/03/npj-14-0314.pdf > > See dozens of conference sponsors of commercial journalism at bottom. > wait ... are you saying money corrupts ??? > > > Ben Wizner, A.C.L.U.; David A. Schulz, First Amendment litigator; Laura R. > Handman, First Amendment litigator; Jeffrey Toobin, The New Yorker. > Moderator: Adam Liptak, The New York Times > > Jane Mayer, The New Yorker; Mark Mazzetti, The New York Times; Peter > Maass, writer; and Robert L. Deitz, former general counsel, N.S.A. and > senior councillor to the C.I.A. director. Moderator: Bob Woodward, The > Washington Post > > THE SNOWDEN REVELATIONS: Roger Cohen, The New York Times, interviews Glenn > Greenwald, The Guardian; Laura Poitras, The New York Times; and Barton > Gellman, The Washington Post, via Skype > > Bill Keller, editor in chief, The Marshall Project, interviews Senator > Charles Schumer, followed by panel with Senator Schumer; Quinn Norton, > freelance journalist, activist; Jonathan Landay, McClatchy; Scott Horton, > reporter, Harper's Magazine; and Kenneth L. Wainstein, former assistant > attorney general for national security and homeland security advisor > > Jill Abramson, executive editor, The New York Times; Martin Baron, > executive editor, The Washington Post; David Remnick, editor, The New > Yorker; Katrina vanden Heuvel, editor and publisher, The Nation; Robert S. > Litt, General Counsel, Office of the Director of National Intelligence. > Moderator: Ken Auletta, The New Yorker if you are saying that corruption is at hand then how can we trust the supposed human beings behind any of these names ? i mean i think you are saying corruption is at hand but i dont want to assume anything... -- Cari Machet NYC 646-436-7795 carimachet at gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 3996 bytes Desc: not available URL: From grarpamp at gmail.com Mon Mar 17 01:38:49 2014 From: grarpamp at gmail.com (grarpamp) Date: Mon, 17 Mar 2014 04:38:49 -0400 Subject: cyberwarfare by lawyers In-Reply-To: References: Message-ID: > One debate in the new wild west of cyberwarfare law is between two schools > of thought about where to draw the line of which cyber operations should be > declared illegal under international law.' Keep in mind the US thinks it's both legal and good to fly drones around the world killing people remotely. It's that remote aspect that seems to draw in the weak minded, cyber or otherwise. Kind of hard to get it twisted like that when you're face to face in person. From carimachet at gmail.com Mon Mar 17 00:17:07 2014 From: carimachet at gmail.com (Cari Machet) Date: Mon, 17 Mar 2014 07:17:07 +0000 Subject: cyberwarfare by lawyers Message-ID: 'The Jerusalem Post recently interviewed Col. Sharon Afek, formerly deputy head of the IDF's legal division, who wrote a 149-page treatise on cyber warfare law - the first treatise of that comprehensiveness by a military lawyer of his rank and stature.' http://www.jpost.com/Defense/Analysis-How-Israel-is-dealing-with-cyber-warfares-new-stage-345578 'Many are also asking more strongly than ever: "Is international law still relevant?" Afek, who views his treatise also as a "bridge" between the pre- and post-cyber world of war, answers with a resounding "yes," but then goes further to try to resolve some of the questions of how and where it applies. One debate in the new wild west of cyberwarfare law is between two schools of thought about where to draw the line of which cyber operations should be declared illegal under international law.' http://www.jpost.com/Features/Front-Lines/A-revolution-in-war-339962 -- Cari Machet NYC 646-436-7795 carimachet at gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2091 bytes Desc: not available URL: From jya at pipeline.com Mon Mar 17 05:06:01 2014 From: jya at pipeline.com (John Young) Date: Mon, 17 Mar 2014 08:06:01 -0400 Subject: Comsec as Public Utility Beyond Illusory Privacy In-Reply-To: <20140317040953.GC3180@nl.grid.coop> References: <1777033677.98407.1394726542915.JavaMail.www@wwinf8307> <20140314035214.GB3180@nl.grid.coop> <65556698.184400.1394806238174.JavaMail.www@wwinf8222> <20140317040953.GC3180@nl.grid.coop> Message-ID: At 12:09 AM 3/17/2014, Troy Benjegerdes wrote: >If everything (including the network path my data takes) is encrypted, >then I have no real ability to know if it's being tapped, redirected, >or misdirected. A point not well emphasized by cryptographers, in public at least, and advocates of encryption as the essential requirement for comsec. "Unbeakable crypto" may not be used as much as it once was but there are a host of newly-minted versions of snake oilish assurances dominating the booming comsec market, thanks to Snowden's magnificent gift, estimated to eventually reach the trillion dollar level in two decades, to the gov-com-edu-org comsec panic industry. Operators of systems, and the necessarily breachable security they offer, remain the achilles heels of comsec. Lavabit is only one of the instances in which sysadmins are compromised. Ubiquitous deployment of crypto throughout telecom and cyber systems is vulnerable to sysadmins who insist on full access to everything to "de-bug" and run their systems, especially those SAs easily manipulated by front offices and their ever so cooperative legal and financial advisors. Not many SAs wil do what Snowden did in the "public interest" which just happens to be a great fortune maker for media and comsec hustlers. End to end encryption is currently a hot recommendation of choice for comsec but skips over what happens behind, below, around and inside "end to end" code, hardware, implementation, and most of all the traffic flow of the precious capsules emitting transceiver vapor trails, EM clutter, arfully cloaked gaps, doors, handshakes, implants, bugs (and "de-bugs"), ways in and out, checks, double checks, safety plugs, sigs, nyms, language hints, and manifold uniquenesses witting and unwitting of fallible hunks of meat. It is, or should be, primary for cryptographers to publicly admit cryptosystems inevitably fail, as some do despite being overridden by sales and CEOs and investors, being bribed and NDA'd into complicity, or in worst cases threatened with prosecution for revealing in natsec systems built-in faults or more deviously, pretending there are none while glossing deep deception with shallow claims that there are always a few which can be repaired, nothing is perfect, you get what you pay for, etc, etc, the formulaic exculpation inherent in the word "security." No question this is expecting cryptographers to be more honest than the rest of the greedy "professional" class so avid to profess public interest while gobbling the public's hard earned with gleeful transgression slathered in "industry standards" and global treaties to assure governments and corporations remain piggish and dispensaries of rewards for the professional classes which find oligarchal enticements "irresistable" as Greenwald slobbered in agreeing to work closely with gov-com to withhold secrets under guise of ventriloquizing Snowden's "causing no harm to national security." "Causing no harm to national security" is verily medieval in its creed-promotional organized religion fervor. Cryptographers have long been missionaries for this duplicitous "trust us" faith, so it figures they will evangelize among journalists to adopt encryption to upgrade the low value of the fear and trembling scripture, and, as always, the compensation for scribes of arcane holy writ of bare panic and crypto balm. From jya at pipeline.com Mon Mar 17 06:16:28 2014 From: jya at pipeline.com (John Young) Date: Mon, 17 Mar 2014 09:16:28 -0400 Subject: Journalists Shill Sources and Secrets In-Reply-To: References: Message-ID: At 09:25 PM 3/16/2014, Cari Machet wrote: wait ... are you saying money corrupts ??? if you are saying that corruption is at hand then how can we trust the supposed human beings behind any of these names ? i mean i think you are saying corruption is at hand but i dont want to assume anything... Assume this promotional creed screed for national security journalism: http://cryptome.org/2014/03/sources-and-secrets-brief.pdf No, media venality is not news. What is worth examining is the long-term exploitation of "national security" as a joint gov-com-edu-org racket to manipulate secretkeeping as a wealth concentration industry. This has been commonplace since the national security state was invented after WW2 and led to need for continuous spying to manufacture enemies and to arm for diddly squat combat against fictious foes by hugely expensive but hardly ever used armaments. Cryptosystems among the black budgetary wastage. In particular cryptosystem popularization (as here and its emulators) as ostensible opposition to the national security racket, begun in the flower-child 60s to flower wildly in the 90s and rise to a kudzu crescendo with Snowden's operation to validate crypto use against illusory enemies within the state, cloaked as usual by the blanket exculpt "to do no harm to national security," then hide behind privileged natsec journalism so dirty and complicit in govenment affairs it needs protection from the public, so merely dribbles dainty tidbits of threats to privacy and to advance the favorite ACLU and EFF lawyerly fund-raising hobgobblin of constitutional violation. FISA Court jiggery-pokery by lawfare warriors indicates that lawyers and judges know diddly about comsec technology but dare not admit it and lose control of the public narrative of threat and protection obligatory in the trillion dollar national security hootenany which compares to organized religion of the medieval era which ruled heaven and earth with fantasticly frightening and pleasuring tales of evil and salvation. Adled journalists are racing to adopt encryption as crusading chain mail raiment, ignorant of how easily it can be penetrated, but no matter, what will really protect the valiant journalists is "constitutional protection," a comedy of conceit and stupidity usually associated with court jesters. From dahanm at gmail.com Mon Mar 17 02:15:34 2014 From: dahanm at gmail.com (Michael Dahan) Date: Mon, 17 Mar 2014 11:15:34 +0200 Subject: cyberwarfare by lawyers In-Reply-To: References: Message-ID: A few comments regarding both articles. There is nothing that is new in either pieces. There is alot of fluff and Israeli self promotion in both - in that sense I see both articles as a form of psyops. Regarding Afek's "groundbreaking" thesis - bullshit. Perhaps in Hebrew it is unique, but the legal aspects of cyberwar have been researched and discussed in many forums. The Tallinn document of the EU for example. International relations theory, political science and legal theory, within academia and the military have been dealing with this for years. For example, serious treatment of the concept of "just war" in cyber terms. As a senior legal officer in the IDF, Afek is directly responsible, at the macro level, for whitewashing the Israeli occupation of Palestine, and at the micro level legalizing Israeli crimes against Palestinians. Exactly the kind of person you would want to draft a thesis on cyberwar. Not. One can google Saalbach, or Thomas Ridd as a start regarding a more serious discussion of cyberwar. Michael Dahan On Mar 17, 2014 9:30 AM, "Cari Machet" wrote: > 'The Jerusalem Post recently interviewed Col. Sharon Afek, formerly deputy > head of the IDF's legal division, who wrote a 149-page treatise on cyber > warfare law - the first treatise of that comprehensiveness by a military > lawyer of his rank and stature.' > > > http://www.jpost.com/Defense/Analysis-How-Israel-is-dealing-with-cyber-warfares-new-stage-345578 > > 'Many are also asking more strongly than ever: "Is international law still > relevant?" Afek, who views his treatise also as a "bridge" between the pre- > and post-cyber world of war, answers with a resounding "yes," but then goes > further to try to resolve some of the questions of how and where it applies. > > One debate in the new wild west of cyberwarfare law is between two schools > of thought about where to draw the line of which cyber operations should be > declared illegal under international law.' > > http://www.jpost.com/Features/Front-Lines/A-revolution-in-war-339962 > -- > Cari Machet > NYC 646-436-7795 > carimachet at gmail.com > AIM carismachet > Syria +963-099 277 3243 > Amman +962 077 636 9407 > Berlin +49 152 11779219 > Reykjavik +354 894 8650 > Twitter: @carimachet > > 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 > > Ruh-roh, this is now necessary: This email is intended only for the > addressee(s) and may contain confidential information. If you are not the > intended recipient, you are hereby notified that any use of this > information, dissemination, distribution, or copying of this email without > permission is strictly prohibited. > > > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 3959 bytes Desc: not available URL: From dan at geer.org Mon Mar 17 11:36:54 2014 From: dan at geer.org (dan at geer.org) Date: Mon, 17 Mar 2014 14:36:54 -0400 Subject: a prediction market denominated in Bitcoin Message-ID: <20140317183654.9BAEC22808F@palinka.tinho.net> http://www.siliconrepublic.com/start-ups/item/33411-irish-start-up-launches/ https://www.predictious.com/ Onward, --dan From dan at geer.org Mon Mar 17 12:15:55 2014 From: dan at geer.org (dan at geer.org) Date: Mon, 17 Mar 2014 15:15:55 -0400 Subject: cyberwarfare by lawyers In-Reply-To: Your message of "Mon, 17 Mar 2014 07:17:07 -0000." Message-ID: <20140317191555.401512280CA@palinka.tinho.net> May I suggest A Fierce Domain: Conflict in Cyberspace, 1986 to 2012 http://www.amazon.com/Fierce-Domain-Conflict-Cyberspace-1986/dp/098932740X The Tallinn Manual on the International Law Applicable to Cyber Warfare http://www.ccdcoe.org/249.html and a whole lot of ongoing things at http://www.lawfareblog.com/ --dan From mixmaster at remailer.privacy.at Mon Mar 17 08:51:31 2014 From: mixmaster at remailer.privacy.at (Anonymous Remailer (austria)) Date: Mon, 17 Mar 2014 16:51:31 +0100 (CET) Subject: MH370 in hangar at Diego Garcia, detainees already rendered Message-ID: <91de68915bd3eccc81b7fd37325aae71@remailer.privacy.at> The flight was hijacked by a non secured flightplan upload to the flight management system. It was then flown to Diego Garcia, where the passengers were disembarked by force, the selectees from the passenger list are in one of the US navy brig ships anchored since 9/11 at Diego Garcia, "chatting" with CIA interrogators. Disposition of the other detainees passengers NOT known at the present. The statement released by the malaysian gov is false. They know where the detainees are. The adsb xmissions aboard the 777 are handled by an older subsystem and are NOT so easily silenced from the cockpit. By the same token the flight management system flight plan upload capability aboard boeing planes has been shown to be insecure and vunerable by security researchers since the B737. The worst part of all is that the "simulators" for the FMS are a windows based program that is linked with the libraries either representing the windows environment of the simulator OR thet are linked with the "production" libraries to produce the FMS firmware for use on the aircraft itself. Thing about programming in a windows environment? ALL the fucking calls are unique to the Microsoft windows environment and NOT portable at all to other runtime environments, UNLESS that runtime is windows based.. say like windows mobile(big flop) or a proposed hypothetical environment I am going to call Windows PLANE. Windows PLANE would have inherited the same crappy programming environment that caused the US Navy to do an abrupt 180 turnaround prom putting its firecontrol and navigation systems under control of windows after a near disaster in the mid alantic caused by windows domain failuresa Windows PLANE would have all the same flaws as the crappy laptop you like to lug around Fucking Boeing, all of those windows development asshats that did this need killin' for putting their personal profit ahead of the lives of millions who fly. From griffin at cryptolab.net Tue Mar 18 01:13:46 2014 From: griffin at cryptolab.net (Griffin Boyce) Date: Tue, 18 Mar 2014 04:13:46 -0400 Subject: Blade Runner Mesh Networking Message-ID: <5328003A.4090703@cryptolab.net> So if (spoiler) Deckard's a replicant, and he knows about Rachel's implanted memories right after meeting her, and Gaff knows about Deckard's unicorn dream right after it happens... Does that mean that the replicants are all meshing? ~Griffin From drwho at virtadpt.net Tue Mar 18 10:33:23 2014 From: drwho at virtadpt.net (The Doctor) Date: Tue, 18 Mar 2014 10:33:23 -0700 Subject: MH370 in hangar at Diego Garcia, detainees already rendered In-Reply-To: <53286479.3070000@cathalgarvey.me> References: <91de68915bd3eccc81b7fd37325aae71@remailer.privacy.at> <53286479.3070000@cathalgarvey.me> Message-ID: <53288363.10308@virtadpt.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 03/18/2014 08:21 AM, Cathal Garvey wrote: > That all the Pilots are saying "Probably Fire" and nobody's > listening, > in favour of all sorts of bizarre and unlikely conspiracies, says a > lot about our maturity and our level of openness to fearmongering. To be fair, we also live in a time in which the most paranoid rantings were found to pale in comparison to what is really going on thanks to Snowden. - -- The Doctor [412/724/301/703] [ZS] Developer, Project Byzantium: http://project-byzantium.org/ PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1 WWW: https://drwho.virtadpt.net/ "Open your mind, son, or someone may open it for you." --Walter Bishop -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEAREKAAYFAlMog2MACgkQO9j/K4B7F8F11gCgzu+tgw4sF5YCcUcfS4GxxdXb DXYAnAyjanmfJK0I8Bfp0Pmd261wgdp1 =ebxT -----END PGP SIGNATURE----- From hettinga at gmail.com Tue Mar 18 07:45:49 2014 From: hettinga at gmail.com (Robert Hettinga) Date: Tue, 18 Mar 2014 10:45:49 -0400 Subject: MH370 in hangar at Diego Garcia, detainees already rendered In-Reply-To: <91de68915bd3eccc81b7fd37325aae71@remailer.privacy.at> References: <91de68915bd3eccc81b7fd37325aae71@remailer.privacy.at> Message-ID: On Mar 17, 2014, at 11:51 AM, Anonymous Remailer (austria) wrote: > Diego Garcia Fuck tinfoil. Cypherpunks use graphene. Cheers, RAH ;-) Curiouser and curiouser, innit? -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 496 bytes Desc: Message signed with OpenPGP using GPGMail URL: From demonfighter at gmail.com Tue Mar 18 08:45:36 2014 From: demonfighter at gmail.com (Steve Furlong) Date: Tue, 18 Mar 2014 11:45:36 -0400 Subject: MH370 in hangar at Diego Garcia, detainees already rendered In-Reply-To: <53286479.3070000@cathalgarvey.me> References: <91de68915bd3eccc81b7fd37325aae71@remailer.privacy.at> <53286479.3070000@cathalgarvey.me> Message-ID: On Tue, Mar 18, 2014 at 11:21 AM, Cathal Garvey < cathalgarvey at cathalgarvey.me> wrote: > That all the Pilots are saying "Probably Fire" and nobody's listening, > in favour of all sorts of bizarre and unlikely conspiracies, says a lot > about our maturity and our level of openness to fearmongering. But... but... Nukes! It's for the chiiiiildren! -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 747 bytes Desc: not available URL: From cathalgarvey at cathalgarvey.me Tue Mar 18 08:21:29 2014 From: cathalgarvey at cathalgarvey.me (Cathal Garvey) Date: Tue, 18 Mar 2014 15:21:29 +0000 Subject: MH370 in hangar at Diego Garcia, detainees already rendered In-Reply-To: References: <91de68915bd3eccc81b7fd37325aae71@remailer.privacy.at> Message-ID: <53286479.3070000@cathalgarvey.me> So pissed off with all the crap on this plane. Everyone wants to spin some story about how it implicates their favourite enemy. The "Intelligence Community" are suggesting it's hackers, so they can use it as a pearl harbour to attack the hacker community, and the media are sucking it up. I've seen two separate accounts from Pilots who present the view that, based on prior examples and their own training and experience, everything about the flight's flightpath, instrumentation failure, radio-darkness and disappearance is consistent with an onboard fire. Once suggested underinflated landing gear on long takeoff under hot/humid conditions could create blowout/smoulder conditions for frontal landing gear, which would smoke out the plane. In prior cases where this happens, a fire in landing gear can destroy a plane in ~5m, destroying control instrumentation. But first, procedures for firefighting demand nonessential instruments *including radio* are disabled while the fault and fire location are determined. Again in prior cases, the plane will (with an experienced pilot) immediately divert path to the nearest, not the "best", airport, which is what this did. And again as in prior cases, it may eventually fail to arrive as the crew succumb to smoke (oxygen masks not an option in case of fires) and the plane will fly "dark" on autopilot until ditching in the ocean. That all the Pilots are saying "Probably Fire" and nobody's listening, in favour of all sorts of bizarre and unlikely conspiracies, says a lot about our maturity and our level of openness to fearmongering. On 18/03/14 14:45, Robert Hettinga wrote: > > On Mar 17, 2014, at 11:51 AM, Anonymous Remailer (austria) wrote: > >> Diego Garcia > > Fuck tinfoil. > > Cypherpunks use graphene. > > Cheers, > RAH > ;-) > > Curiouser and curiouser, innit? > -- T: @onetruecathal, @IndieBBDNA P: +3538763663185 W: http://indiebiotech.com -------------- next part -------------- A non-text attachment was scrubbed... Name: 0x988B9099.asc Type: application/pgp-keys Size: 6176 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 901 bytes Desc: OpenPGP digital signature URL: From coderman at gmail.com Tue Mar 18 15:42:43 2014 From: coderman at gmail.com (coderman) Date: Tue, 18 Mar 2014 15:42:43 -0700 Subject: usual or desperate call for white papers? In-Reply-To: <65ddda0e6d171d7519c1feb2b5524620.squirrel@fruiteater.riseup.net> References: <1755038.FCJpYuC3iC@lap> <65ddda0e6d171d7519c1feb2b5524620.squirrel@fruiteater.riseup.net> Message-ID: On Sun, Mar 16, 2014 at 6:57 PM, Odinn Cyberguerrilla wrote: > ... weighing whether > or not to submit one that will make the reviewers shake their heads and > vomit. Shouldn't be hard. teaser? honestly, the only reason to DEF CON since the alexis is the party track. :P~ [ back at the alexis, you partied while amusing self with the spectacle of the Lynn sploit or Skylarov shakedown... ] From rysiek at hackerspace.pl Tue Mar 18 09:16:39 2014 From: rysiek at hackerspace.pl (rysiek) Date: Tue, 18 Mar 2014 17:16:39 +0100 Subject: MH370 in hangar at Diego Garcia, detainees already rendered In-Reply-To: References: <91de68915bd3eccc81b7fd37325aae71@remailer.privacy.at> <53286479.3070000@cathalgarvey.me> Message-ID: <1807661.IBLc83o9ae@lap> Dnia wtorek, 18 marca 2014 11:45:36 Steve Furlong pisze: > On Tue, Mar 18, 2014 at 11:21 AM, Cathal Garvey < > > cathalgarvey at cathalgarvey.me> wrote: > > That all the Pilots are saying "Probably Fire" and nobody's listening, > > in favour of all sorts of bizarre and unlikely conspiracies, says a lot > > about our maturity and our level of openness to fearmongering. > > But... but... Nukes! > > It's for the chiiiiildren! NUKE THE CHILDREN FROM ORBIT. The only way, to be sure. -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From nymble at gmail.com Tue Mar 18 17:51:30 2014 From: nymble at gmail.com (nymble) Date: Tue, 18 Mar 2014 17:51:30 -0700 Subject: NSA+Huawei In-Reply-To: References: <20140317191555.401512280CA@palinka.tinho.net> Message-ID: <7C31595F-E391-41CA-96B9-B785477A2B3D@gmail.com> A joint contribution by the NSA and Huawei just removed the AES-SIV mode of operation from IEEE 802.11: https://mentor.ieee.org/802.11/dcn/14/11-14-0414-00-00ai-resolution-to-open-security-comments-not-related-to-siv.docx Very strange bedfellows. AES-SIV was being proposed in the draft for a key wrap application. AES-CCM is now the only alternative … SIV is increasingly my favorite AEAD mode. It is more efficient over-the wire than CCM or GCM and is 'nonce safe’. Is anyone using or considering ChaCha-SIV? Nonce-safe is a very nice property - particularly for multicast applications. From coderman at gmail.com Tue Mar 18 18:08:28 2014 From: coderman at gmail.com (coderman) Date: Tue, 18 Mar 2014 18:08:28 -0700 Subject: MH370 in hangar at Diego Garcia, detainees already rendered In-Reply-To: <5328E01F.3070000@cathalgarvey.me> References: <91de68915bd3eccc81b7fd37325aae71@remailer.privacy.at> <53286479.3070000@cathalgarvey.me> <5328E01F.3070000@cathalgarvey.me> Message-ID: On Tue, Mar 18, 2014 at 5:09 PM, Cathal Garvey wrote: > ... > To me this has all the hallmarks of an unfortunate accident, and after > reading the pilots' fire explanations, both of which referenced > real-world examples, I'm pretty happy to agree with the experts in > aviation over the Intel wonks looking for Cyber Pearl Harbour or the > media fools looking for an amazing scoop. part of me wonders if airtrans tampering is like cutting transoceanic fibers - a nuclear option no sane actor considers. (the CIA was crazy on LSD, power, coke, and testosterone during their early fatal flight fuckery days in commie theaters [read: legally insane]) when was the last time you heard of any serious black ops taking down birds? (low tech individuals or loosely grouped fanatics not applicable) i do recommend private flights, however. TSA does poor frottage (~_~;) --- other overblown fears: - clowns - the other From coderman at gmail.com Tue Mar 18 18:15:46 2014 From: coderman at gmail.com (coderman) Date: Tue, 18 Mar 2014 18:15:46 -0700 Subject: Fwd: [Ach] You Won't Be Needing These Any More:, On Removing Unused Certi cates From Trust, Stores In-Reply-To: <5328EE7F.9070503@azet.org> References: <5328EE7F.9070503@azet.org> Message-ID: Fwd^2: ---------- Forwarded message ---------- From: Aaron Zauner ... Date: Tue, Mar 18, 2014 at 6:10 PM Subject: [Ach] You Won't Be Needing These Any More:, On Removing Unused Certi cates From Trust, Stores Recommended reading: https://www2.dcsec.uni-hannover.de/files/fc14_unused_cas.pdf (PDF copypasta with missing characters following): ``` 6 Conclusion In this paper we argued for the removal of CA certi cates that do not sign any certi cates used in HTTPS connections from desktop and browser trust stores. We based our analysis on an Internet-wide dataset of 48 million HTTPS certi cates and compared them to trust stores from all major browser and OS vendors. We were able to identify 140 CA certi cates included in twelve trust stores from all major platforms that are never used for signing certi cates used in HTTPS. Based on these ndings, we suggest to remove or restrict these CA certi cates. Using two months' worth of TLS handshake data from our university network, we con rmed that removing these certi cates from users' trust stores would not result in a single HTTPS warning message. Thus, this action provides a simple and low-cost real-world improvement that users can implement right now to make their HTTPS connections more secure. We are working on creating tools and scripts to automate this process for different browsers and operating systems. Our current list of CAs we recommend for removal is a conservative one. It includes all CAs that have never signed a HTTPS certi cate. In future work,we would like to analyze the trade-off between false positives and the size of the trust store, as well as look into mechanisms to restrict the capabilities of certi cates on the Android platform. ``` Aaron _______________________________________________ Ach mailing list Ach at lists.cert.at http://lists.cert.at/cgi-bin/mailman/listinfo/ach From cathalgarvey at cathalgarvey.me Tue Mar 18 11:21:48 2014 From: cathalgarvey at cathalgarvey.me (Cathal Garvey (Phone)) Date: Tue, 18 Mar 2014 18:21:48 +0000 Subject: MH370 in hangar at Diego Garcia, detainees already rendered In-Reply-To: <53288363.10308@virtadpt.net> References: <91de68915bd3eccc81b7fd37325aae71@remailer.privacy.at> <53286479.3070000@cathalgarvey.me> <53288363.10308@virtadpt.net> Message-ID: ..not the most paranoid. Snowden's docs are not yet believed to contain Lizard People..which is SUSPICIOUS On 18 March 2014 17:33:23 GMT, The Doctor wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA512 > >On 03/18/2014 08:21 AM, Cathal Garvey wrote: > >> That all the Pilots are saying "Probably Fire" and nobody's >> listening, > > > >> in favour of all sorts of bizarre and unlikely conspiracies, says a >> lot about our maturity and our level of openness to fearmongering. > >To be fair, we also live in a time in which the most paranoid rantings >were found to pale in comparison to what is really going on thanks to >Snowden. > >- -- >The Doctor [412/724/301/703] [ZS] >Developer, Project Byzantium: http://project-byzantium.org/ > >PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1 >WWW: https://drwho.virtadpt.net/ > >"Open your mind, son, or someone may open it for you." --Walter Bishop > >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v2.0.22 (GNU/Linux) >Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ > >iEYEAREKAAYFAlMog2MACgkQO9j/K4B7F8F11gCgzu+tgw4sF5YCcUcfS4GxxdXb >DXYAnAyjanmfJK0I8Bfp0Pmd261wgdp1 >=ebxT >-----END PGP SIGNATURE----- -- Sent from my Android device with K-9 Mail. Please excuse my brevity. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2078 bytes Desc: not available URL: From juan.g71 at gmail.com Tue Mar 18 15:27:17 2014 From: juan.g71 at gmail.com (Juan Garofalo) Date: Tue, 18 Mar 2014 19:27:17 -0300 Subject: MH370 in hangar at Diego Garcia, detainees already rendered In-Reply-To: <53286479.3070000@cathalgarvey.me> References: <91de68915bd3eccc81b7fd37325aae71@remailer.privacy.at> <53286479.3070000@cathalgarvey.me> Message-ID: --On Tuesday, March 18, 2014 3:21 PM +0000 Cathal Garvey wrote: > > That all the Pilots are saying "Probably Fire" and nobody's listening, > in favour of all sorts of bizarre and unlikely conspiracies, says a lot > about our maturity and our level of openness to fearmongering. Is the 'probably fire' theory compatible with this? http://blogs.crikey.com.au/planetalking/2014/03/16/mh370-x-factors-continue-to-baffle-airline-insiders/ " there were regular stand-by pings from the airliner's otherwise disabled ACARS automated performance update system, between 1.07 am KL time on 8 March when that system stopped filing data, and that last known ping at 8.11 the same morning" http://online.wsj.com/article/SB10001424052702304185104579437573396580350.html "The automatic pings, or attempts to link up with satellites operated by Inmarsat PLC, occurred a number of times after Flight 370's last verified position, the people briefed on the situation said, indicating that at least through those five hours, the Boeing Co. BA -1.10% 777 carrying 239 people remained intact and hadn't been destroyed in a crash, act of sabotage or explosion." etc? > > On 18/03/14 14:45, Robert Hettinga wrote: >> >> On Mar 17, 2014, at 11:51 AM, Anonymous Remailer (austria) >> wrote: >> >>> Diego Garcia >> >> Fuck tinfoil. >> >> Cypherpunks use graphene. >> >> Cheers, >> RAH >> ;-) >> >> Curiouser and curiouser, innit? >> > > -- > T: @onetruecathal, @IndieBBDNA > P: +3538763663185 > W: http://indiebiotech.com > From coderman at gmail.com Tue Mar 18 20:25:45 2014 From: coderman at gmail.com (coderman) Date: Tue, 18 Mar 2014 20:25:45 -0700 Subject: MH370 in hangar at Diego Garcia, detainees already rendered In-Reply-To: <1712356997.146139.1395198482157.JavaMail.www@wwinf8211> References: <91de68915bd3eccc81b7fd37325aae71@remailer.privacy.at> <53286479.3070000@cathalgarvey.me> <5328E01F.3070000@cathalgarvey.me> <1712356997.146139.1395198482157.JavaMail.www@wwinf8211> Message-ID: On Tue, Mar 18, 2014 at 8:08 PM, wrote: > ... > Yes, some countries do cut oceanic cables for spying, it was done in the past, it can be done today. ... true. it all falls apart. what a crazy world!? (to be fair, it is one thing to fuck-up a splice on a cable and cause an outage, and quite another to deploy le trawlers and tear shit up en masse...) From coderman at gmail.com Tue Mar 18 20:34:16 2014 From: coderman at gmail.com (coderman) Date: Tue, 18 Mar 2014 20:34:16 -0700 Subject: Special Source Operations puzzles Message-ID: in the SSO overview slide there are three colors: https://peertech.org/files/sso-in-mah-tubes.jpg --- i fancy them as follows: GREEN: legally compelled and gagged plaintext access through service providers, like BLARNEY and PRISM RED: financially motivated secret agreement with "special partners" for filthy lucre. e.g. GTE fiber access. BLUE: unilateral / non-cooperative operations; covert black bag taps. --- if most facilities, like room 641A, are in RED zones, then recent ground breaking improvements in BLUE may be miniaturized and covert taps with selectors and large local cache. alternatively, new capability could be upgrades to the RED facilities where BLUE traffic is conveniently co-processed, cached, and UPSTREAM'ed. paging Top Level Telecom, ;) From coderman at gmail.com Tue Mar 18 20:50:53 2014 From: coderman at gmail.com (coderman) Date: Tue, 18 Mar 2014 20:50:53 -0700 Subject: MH370 in hangar at Diego Garcia, detainees already rendered In-Reply-To: References: <91de68915bd3eccc81b7fd37325aae71@remailer.privacy.at> <53286479.3070000@cathalgarvey.me> <5328E01F.3070000@cathalgarvey.me> <1712356997.146139.1395198482157.JavaMail.www@wwinf8211> Message-ID: On Tue, Mar 18, 2014 at 8:45 PM, Lodewijk andré de la porte wrote: > ... Or worse: to deploy le > trawlers WHILE you're splicing the cable elsewhere, so it will definitely be > legitly cut and fixed somewhere and you get some retries if you messed up. i declare to you: it is totally legit for breaks to occur simultaneously at both ends of a fiber much more frequently than for a single cut along a length. i once had this explained to me as "if you pull and break at one end, it pulls on the other, and breaks there too. totally normal! please consider it no further." totally plausible... right? ;P From carimachet at gmail.com Tue Mar 18 15:03:11 2014 From: carimachet at gmail.com (Cari Machet) Date: Tue, 18 Mar 2014 22:03:11 +0000 Subject: cyberwarfare by lawyers In-Reply-To: <20140317191555.401512280CA@palinka.tinho.net> References: <20140317191555.401512280CA@palinka.tinho.net> Message-ID: On Mon, Mar 17, 2014 at 7:15 PM, wrote: > > May I suggest > > A Fierce Domain: Conflict in Cyberspace, 1986 to 2012 > http://www.amazon.com/Fierce-Domain-Conflict-Cyberspace-1986/dp/098932740X > > The Tallinn Manual on the International Law Applicable to Cyber Warfare > http://www.ccdcoe.org/249.html > > and a whole lot of ongoing things at > http://www.lawfareblog.com/ > > > --dan > > thanks for the resources everyone - yes to all - of my look is the gap between tech and law and the bloody concept that law is not a construct but an absolute that the religious look to for their ethical objectification of the actions they perform under the logo of 'state' arguably the most oppressive violent and destructive structural force not sure the pathetic position of so called international law (jewish state or not) can encompass tech so easily... -- Cari Machet NYC 646-436-7795 carimachet at gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2376 bytes Desc: not available URL: From carimachet at gmail.com Tue Mar 18 15:08:47 2014 From: carimachet at gmail.com (Cari Machet) Date: Tue, 18 Mar 2014 22:08:47 +0000 Subject: usual or desperate call for white papers? In-Reply-To: <65ddda0e6d171d7519c1feb2b5524620.squirrel@fruiteater.riseup.net> References: <1755038.FCJpYuC3iC@lap> <65ddda0e6d171d7519c1feb2b5524620.squirrel@fruiteater.riseup.net> Message-ID: On Mon, Mar 17, 2014 at 1:57 AM, Odinn Cyberguerrilla < odinn.cyberguerrilla at riseup.net> wrote: > More on the usual or desperate call for papers below. Am weighing whether > or not to submit one that will make the reviewers shake their heads and > vomit. Shouldn't be hard. > > https://www.defcon.org/html/defcon-22/dc-22-cfp-form.html > is this a joke? actual people actually made this cartoon? what can we glob at them like a paint bomb on a so called masterpiece > > > Dnia niedziela, 16 marca 2014 21:36:38 Cari Machet pisze: > >> 'Air Force Research Laboratory Information Directorate (AFRL/RI) is > >> soliciting white papers for various scientific studies, investigations, > >> and > >> experiments to increase our knowledge, understanding and capability in > >> order to expand cyber operations technologies within the Department of > >> Defense (DoD).' > >> > >> > https://www.fbo.gov/index?s=opportunity&mode=form&id=0daa017bdb65a7d810e3778 > >> bc763960a&tab=core&_cview=1 > > > > I'm sure there is a way to troll the shit out of them a'la Mr Sokal: > > http://en.wikipedia.org/wiki/Sokal_affair > > > > -- > > Pozdr > > rysiek > > > -- Cari Machet NYC 646-436-7795 carimachet at gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2974 bytes Desc: not available URL: From cathalgarvey at cathalgarvey.me Tue Mar 18 17:09:03 2014 From: cathalgarvey at cathalgarvey.me (Cathal Garvey) Date: Wed, 19 Mar 2014 00:09:03 +0000 Subject: MH370 in hangar at Diego Garcia, detainees already rendered In-Reply-To: References: <91de68915bd3eccc81b7fd37325aae71@remailer.privacy.at> <53286479.3070000@cathalgarvey.me> Message-ID: <5328E01F.3070000@cathalgarvey.me> One account I read held that telemetry is initially disabled, then re-enabled sequentially while the cause is narrowed down. But that the priorities are so urgent (you have about 3 minutes to live) that actually using the communications equipment is not an option; the pilot must immediately land while trying to narrow the problem, full-stop. The scenario plays out in other cases that didn't go well that the crew ultimately succumb to smoke/monoxide inhalation and simply pass out, leaving the plane continuing on autopilot, *and pinging quietly*, until it ditches. That was the scenario I read, at least. All the other scenarios seem equally unlikely in the first place, but also unlikely to be so clean and tidy. Hackers hack the instruments? Great! How many flight-school trained hackers can successfully pilot a plane from the in-flight entertainment system? In fact, how many hackers of that calibre, full-stop, have any experience flying planes? That's your suspect group. Where are they, then? Government or state-sponsored hijackers? Then why such a confusing job? Why so silent yet also suspicious? And why instantly turn to the nearest airport, whereas hijackers would take a more circuitous route? Want to just crash a plane because you're a fairy-tale terrorist? Then why the silence, and no terror-inspiring speeches claiming credit, and why disable radio communications on the plane? You want terror, right mister stereotyped extremely-unlikely-person? To me this has all the hallmarks of an unfortunate accident, and after reading the pilots' fire explanations, both of which referenced real-world examples, I'm pretty happy to agree with the experts in aviation over the Intel wonks looking for Cyber Pearl Harbour or the media fools looking for an amazing scoop. On 18/03/14 22:27, Juan Garofalo wrote: > > > --On Tuesday, March 18, 2014 3:21 PM +0000 Cathal Garvey > wrote: > >> >> That all the Pilots are saying "Probably Fire" and nobody's listening, >> in favour of all sorts of bizarre and unlikely conspiracies, says a lot >> about our maturity and our level of openness to fearmongering. > > > Is the 'probably fire' theory compatible with this? > > http://blogs.crikey.com.au/planetalking/2014/03/16/mh370-x-factors-continue-to-baffle-airline-insiders/ > > > " there were regular stand-by pings from the airliner's otherwise disabled > ACARS automated performance update system, between 1.07 am KL time on 8 > March when that system stopped filing data, and that last known ping at > 8.11 the same morning" > > > http://online.wsj.com/article/SB10001424052702304185104579437573396580350.html > > "The automatic pings, or attempts to link up with satellites operated by > Inmarsat PLC, occurred a number of times after Flight 370's last verified > position, the people briefed on the situation said, indicating that at > least through those five hours, the Boeing Co. BA -1.10% 777 carrying 239 > people remained intact and hadn't been destroyed in a crash, act of > sabotage or explosion." > > > etc? > > > > > > >> >> On 18/03/14 14:45, Robert Hettinga wrote: >>> >>> On Mar 17, 2014, at 11:51 AM, Anonymous Remailer (austria) >>> wrote: >>> >>>> Diego Garcia >>> >>> Fuck tinfoil. >>> >>> Cypherpunks use graphene. >>> >>> Cheers, >>> RAH >>> ;-) >>> >>> Curiouser and curiouser, innit? >>> >> >> -- >> T: @onetruecathal, @IndieBBDNA >> P: +3538763663185 >> W: http://indiebiotech.com >> > > -- T: @onetruecathal, @IndieBBDNA P: +3538763663185 W: http://indiebiotech.com -------------- next part -------------- A non-text attachment was scrubbed... Name: 0x988B9099.asc Type: application/pgp-keys Size: 6176 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 901 bytes Desc: OpenPGP digital signature URL: From grarpamp at gmail.com Tue Mar 18 21:30:54 2014 From: grarpamp at gmail.com (grarpamp) Date: Wed, 19 Mar 2014 00:30:54 -0400 Subject: [Ach] You Won't Be Needing These Any More:, On Removing Unused Certi cates From Trust, Stores In-Reply-To: <5329142A.6050706@azet.org> References: <5328EE7F.9070503@azet.org> <5328F7FC.5060802@iang.org> <5329142A.6050706@azet.org> Message-ID: >> Nice! Now, if they could package up a plugin or a new root list such >> that we could write in 2 lines what busy sysadms had to do, I'd say it >> would make a great recommendation. There is an '-ignore-list' feature in https://github.com/agl/extract-nss-root-certs > Yea. That won't work at all, there's no clear authority [sic!] on who > can decide a CA is not trustworthy. And no way to tell what CA's are or aren't trustworthy. It's simply about reducing your needless exposure. > my list of trusted CAs is empty. Starting from empty is actually pretty easy, a lot of services start to be covered with under 50 certs. Especially for small sets of web users. From juan.g71 at gmail.com Wed Mar 19 00:03:25 2014 From: juan.g71 at gmail.com (Juan Garofalo) Date: Wed, 19 Mar 2014 04:03:25 -0300 Subject: MH370 in hangar at Diego Garcia, detainees already rendered In-Reply-To: <5328E01F.3070000@cathalgarvey.me> References: <91de68915bd3eccc81b7fd37325aae71@remailer.privacy.at> <53286479.3070000@cathalgarvey.me> <5328E01F.3070000@cathalgarvey.me> Message-ID: --On Wednesday, March 19, 2014 12:09 AM +0000 Cathal Garvey wrote: > One account I read held that telemetry is initially disabled, then > re-enabled sequentially while the cause is narrowed down. But that the > priorities are so urgent (you have about 3 minutes to live) that > actually using the communications equipment is not an option; the pilot > must immediately land while trying to narrow the problem, full-stop. > > The scenario plays out in other cases that didn't go well that the crew > ultimately succumb to smoke/monoxide inhalation and simply pass out, > leaving the plane continuing on autopilot, *and pinging quietly*, until > it ditches. So the fire was big enough to poison the biological systems aboard the plane, but not big enough to cause any substantial damage to the mechanical systems - I guess that's a possibility. For what it's worth, I don't subscribe to any particular theory, and I'm not inclined to believe in terrists either. (Well, except for the big terrorist organizations known as 'governments') > > That was the scenario I read, at least. All the other scenarios seem > equally unlikely in the first place, but also unlikely to be so clean > and tidy. Hackers hack the instruments? Great! How many flight-school > trained hackers can successfully pilot a plane from the in-flight > entertainment system? In fact, how many hackers of that calibre, > full-stop, have any experience flying planes? That's your suspect group. > Where are they, then? > > Government or state-sponsored hijackers? Then why such a confusing job? > Why so silent yet also suspicious? And why instantly turn to the nearest > airport, whereas hijackers would take a more circuitous route? > > Want to just crash a plane because you're a fairy-tale terrorist? Then > why the silence, and no terror-inspiring speeches claiming credit, and > why disable radio communications on the plane? You want terror, right > mister stereotyped extremely-unlikely-person? > > To me this has all the hallmarks of an unfortunate accident, and after > reading the pilots' fire explanations, both of which referenced > real-world examples, I'm pretty happy to agree with the experts in > aviation over the Intel wonks looking for Cyber Pearl Harbour or the > media fools looking for an amazing scoop. > > On 18/03/14 22:27, Juan Garofalo wrote: >> >> >> --On Tuesday, March 18, 2014 3:21 PM +0000 Cathal Garvey >> wrote: >> >>> >>> That all the Pilots are saying "Probably Fire" and nobody's listening, >>> in favour of all sorts of bizarre and unlikely conspiracies, says a lot >>> about our maturity and our level of openness to fearmongering. >> >> >> Is the 'probably fire' theory compatible with this? >> >> http://blogs.crikey.com.au/planetalking/2014/03/16/mh370-x-factors-cont >> inue-to-baffle-airline-insiders/ >> >> >> " there were regular stand-by pings from the airliner's otherwise >> disabled ACARS automated performance update system, between 1.07 am KL >> time on 8 March when that system stopped filing data, and that last >> known ping at 8.11 the same morning" >> >> >> http://online.wsj.com/article/SB100014240527023041851045794375733965803 >> 50.html >> >> "The automatic pings, or attempts to link up with satellites operated by >> Inmarsat PLC, occurred a number of times after Flight 370's last verified >> position, the people briefed on the situation said, indicating that at >> least through those five hours, the Boeing Co. BA -1.10% 777 carrying 239 >> people remained intact and hadn't been destroyed in a crash, act of >> sabotage or explosion." >> >> >> etc? >> >> >> >> >> >> >>> >>> On 18/03/14 14:45, Robert Hettinga wrote: >>>> >>>> On Mar 17, 2014, at 11:51 AM, Anonymous Remailer (austria) >>>> wrote: >>>> >>>>> Diego Garcia >>>> >>>> Fuck tinfoil. >>>> >>>> Cypherpunks use graphene. >>>> >>>> Cheers, >>>> RAH >>>> ;-) >>>> >>>> Curiouser and curiouser, innit? >>>> >>> >>> -- >>> T: @onetruecathal, @IndieBBDNA >>> P: +3538763663185 >>> W: http://indiebiotech.com >>> >> >> > > -- > T: @onetruecathal, @IndieBBDNA > P: +3538763663185 > W: http://indiebiotech.com > From l at odewijk.nl Tue Mar 18 20:06:14 2014 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Wed, 19 Mar 2014 04:06:14 +0100 Subject: NSA+Huawei In-Reply-To: <7C31595F-E391-41CA-96B9-B785477A2B3D@gmail.com> References: <20140317191555.401512280CA@palinka.tinho.net> <7C31595F-E391-41CA-96B9-B785477A2B3D@gmail.com> Message-ID: The more the NSA removes competition the more obvious it is what's exploited. I can't read the document right now, do they actually have a good reason to remove it? -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 194 bytes Desc: not available URL: From tpb-crypto at laposte.net Tue Mar 18 20:08:02 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Wed, 19 Mar 2014 04:08:02 +0100 Subject: MH370 in hangar at Diego Garcia, detainees already rendered In-Reply-To: References: <91de68915bd3eccc81b7fd37325aae71@remailer.privacy.at> <53286479.3070000@cathalgarvey.me> <5328E01F.3070000@cathalgarvey.me> Message-ID: <1712356997.146139.1395198482157.JavaMail.www@wwinf8211> > Message du 19/03/14 02:38 > De : "coderman" > part of me wonders if airtrans tampering is like cutting transoceanic > fibers - a nuclear option no sane actor considers. > (the CIA was crazy on LSD, power, coke, and testosterone during their > early fatal flight fuckery days in commie theaters [read: legally > insane]) In 2006, the entire South America got cut from the internet for three days because the only oceanic cable reaching down there at that time was "accidentally" cut, Murrikans rushed there to "fix" it ... later on we discovered that it was not cut by accident and South American governments had spread cables to Africa and New Zealand that didn't cope with the demand. Now they are completing the job by extending cables to Europe. Yes, some countries do cut oceanic cables for spying, it was done in the past, it can be done today. From l at odewijk.nl Tue Mar 18 20:10:03 2014 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Wed, 19 Mar 2014 04:10:03 +0100 Subject: MH370 in hangar at Diego Garcia, detainees already rendered In-Reply-To: References: <91de68915bd3eccc81b7fd37325aae71@remailer.privacy.at> <53286479.3070000@cathalgarvey.me> <5328E01F.3070000@cathalgarvey.me> Message-ID: Well, it seems obvious to me that they flew to high and accidentally escaped gravity. I think it's extra likely with Bitcoin wanting to go to the moon all the time, and there is a lot of MtGox Bitcoins that aren't "gone, just temporarily unavailable at the moment". This explains everything perfectly for me. I'm sure the passengers will be very happy to have gone so far with such cheap tickets. Next up: Litecoin to the moon. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 638 bytes Desc: not available URL: From l at odewijk.nl Tue Mar 18 20:45:07 2014 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Wed, 19 Mar 2014 04:45:07 +0100 Subject: MH370 in hangar at Diego Garcia, detainees already rendered In-Reply-To: References: <91de68915bd3eccc81b7fd37325aae71@remailer.privacy.at> <53286479.3070000@cathalgarvey.me> <5328E01F.3070000@cathalgarvey.me> <1712356997.146139.1395198482157.JavaMail.www@wwinf8211> Message-ID: 2014-03-19 4:25 GMT+01:00 coderman : > (to be fair, it is one thing to fuck-up a splice on a cable and cause > an outage, and quite another to deploy le trawlers and tear shit up en > masse...) > It's yet another to deploy le trawlers to pretend to tear shit up en masse whilst in fact you just fucked up your splice! Or worse: to deploy le trawlers WHILE you're splicing the cable elsewhere, so it will definitely be legitly cut and fixed somewhere and you get some retries if you messed up. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 871 bytes Desc: not available URL: From azet at azet.org Tue Mar 18 20:51:06 2014 From: azet at azet.org (Aaron Zauner) Date: Wed, 19 Mar 2014 04:51:06 +0100 Subject: [Ach] You Won't Be Needing These Any More:, On Removing Unused Certi cates From Trust, Stores In-Reply-To: <5328F7FC.5060802@iang.org> References: <5328EE7F.9070503@azet.org> <5328F7FC.5060802@iang.org> Message-ID: <5329142A.6050706@azet.org> Hi Ian, ianG wrote: > Nice! Now, if they could package up a plugin or a new root list such > that we could write in 2 lines what busy sysadms had to do, I'd say it > would make a great recommendation. > > What I'm trying to get away from is the notion that we should put a > simply list in the doc and say "oh, and strip these out! You know > how, vi is your friend..." Yea. That won't work at all, there's no clear authority [sic!] on who can decide a CA is not trustworthy. Experience has to show that, and in that case a lot of the big CAs will fail an evaluation. If you ask me, it's pretty easy, my list of trusted CAs is empty. Automated generation of lists of CAs that are simply unused is just the first step. I think certificate-transparency is a good way to do that, the rest is basically automation. For example: one can provide chef, puppet, ansible recipies for linux and mac clients, a similar solution for windows and mobile devices should also be doable. Aaron -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 801 bytes Desc: OpenPGP digital signature URL: From nymble at gmail.com Wed Mar 19 10:19:33 2014 From: nymble at gmail.com (nymble) Date: Wed, 19 Mar 2014 10:19:33 -0700 Subject: NSA+Huawei In-Reply-To: References: <20140317191555.401512280CA@palinka.tinho.net> <7C31595F-E391-41CA-96B9-B785477A2B3D@gmail.com> Message-ID: <0E612D40-C573-413A-86B6-C308A47BBB57@gmail.com> On Mar 18, 2014, at 8:06 PM, Lodewijk andré de la porte wrote: > The more the NSA removes competition the more obvious it is what's exploited. I can't read the document right now, do they actually have a good reason to remove it? Document is not worth reading except for the context. No reason is provided .. except by others in room that CCM is NIST approved and SIV is not. CCM is used in all 802.11 hardware, but not for this application, so HW is not a relevant arguement. From coderman at gmail.com Wed Mar 19 10:47:38 2014 From: coderman at gmail.com (coderman) Date: Wed, 19 Mar 2014 10:47:38 -0700 Subject: NSA+Huawei In-Reply-To: <0E612D40-C573-413A-86B6-C308A47BBB57@gmail.com> References: <20140317191555.401512280CA@palinka.tinho.net> <7C31595F-E391-41CA-96B9-B785477A2B3D@gmail.com> <0E612D40-C573-413A-86B6-C308A47BBB57@gmail.com> Message-ID: On Wed, Mar 19, 2014 at 10:19 AM, nymble wrote: > ... CCM is _NIST approved_ and SIV is not. NIST has so perverted the ways of randomness, their crimes an affront to decency and entropy oppression... explain to current day me how y2k day me playing with first generation C5XL single source XSTORE feature would over a decade later still be dealing with a shit pool of broken randomness in crypto everywhere. the only consolation being that the technology irrelevant total fuck-ups, like goto fail, or debian openssl, or android secure random, prove that the world needs to learn to sweat the simple, dead important stuff before they get all concerned and atwatter over the esoterics of threat models and computational complexity. . . . i have been informed that hackers and cypherpunks and malcontents are more productive countering the quo when they are amused or happy. ... "2014 [and counting] - never have we reduced the scope of info|comsuck unknown unknowns at a faster rate!" for the REers ... "2014 [and counting] - never have we expanded our attack surfaces at a faster rate!" , ... the and counting is a heavy handed overt reference to the fact that i will overdose on some cool new future drug long before the trickle of disclosure reaches its conslusion. this is not an acceptable circumstance. -_- (did do lul right?) From rysiek at hackerspace.pl Wed Mar 19 02:48:53 2014 From: rysiek at hackerspace.pl (rysiek) Date: Wed, 19 Mar 2014 10:48:53 +0100 Subject: MH370 in hangar at Diego Garcia, detainees already rendered In-Reply-To: References: <91de68915bd3eccc81b7fd37325aae71@remailer.privacy.at> Message-ID: <2293803.8N1sZasSuN@lap> Dnia środa, 19 marca 2014 04:10:03 Lodewijk andré de la porte pisze: > Well, it seems obvious to me that they flew to high and accidentally > escaped gravity. Well, close, but no bone. They *did* fly too high, but that got them too close to the sun, and shit just started to melt. There was a tructural failure of wings, and the whole thing went down lie a rock. -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From coderman at gmail.com Wed Mar 19 11:02:20 2014 From: coderman at gmail.com (coderman) Date: Wed, 19 Mar 2014 11:02:20 -0700 Subject: NSA+Huawei In-Reply-To: References: <20140317191555.401512280CA@palinka.tinho.net> <7C31595F-E391-41CA-96B9-B785477A2B3D@gmail.com> <0E612D40-C573-413A-86B6-C308A47BBB57@gmail.com> Message-ID: On Wed, Mar 19, 2014 at 10:47 AM, coderman wrote: > ... > (did do lul right?) i forgot citelulz 0. "I know that I know nothing" https://en.wikipedia.org/wiki/Epistemic_modal_logic 1. "42 Years for Snowden docs release" http://cryptome.org/2013/11/snowden-tally.htm 2. when living better with chemistry: at least do so safely! we keep losing un-replaceable brilliance; pointless losses. https://www.erowid.org "Know thyself" From coderman at gmail.com Wed Mar 19 11:57:31 2014 From: coderman at gmail.com (coderman) Date: Wed, 19 Mar 2014 11:57:31 -0700 Subject: telesnowden selected excerpts Message-ID: a few things i found interesting, per http://blog.inside.com/blog/2014/3/10/edward-snowden-sxsw-full-transcription-and-video (better script and transcode?) --- emphasis on attacks against crypto systems by targeting the random number generator(s): "typically it is the random number generators that are attacked as opposed to the encryption algorithms" "... encryption does work.... a basic protection[,] it is a defense against the dark arts for the digital realm. This is something we all need to be not only implementing but actively researching and improving on an academic level. The grad students of today and tomorrow need to keep today's threat on online to inform tomorrows. We need all those brilliant Belgian cryptographers to go alright we know that these encryption algorithms we are using today work typically it is the random number generators that are attacked as opposed to the encryption algorithms themselves. How can we make them ____ how can we test them? This is _____ it is not going to go away tomorrow, but it is the steps we take today. The moral commitment. The philosophical commitment, the commercial commitment to protect and enforce our liberties through technical standards to allow us to reclaim the open and trusted." --- "By doing end to end encryption you force what they are called ... global passive adversaries to go for the end points that is the... computers. And the result of that is a constitutional, more carefully overseeing sort of intelligence gathering model. Where if they want to gather somebody's communications they have to target them specifically. They can't just target everybody all the time and then when they want to read your stuff they go back in a time machine and say what did they say you know in 2006. They can't pitch exploits in every computer in the world without getting caught. That is the value of end to end encryption and that is what we need to be thinking about." the targeted attacks under a different authorization and more restrict controls? would like details on "constraints" and "authorizations" and specific projectnames. :) ---- "The NSA the sort of global mass surveillance that is occurring in all of these countries. Not just the US it is important to remember that this is a global issue. They are setting fire to the future of the internet." this is a global problem. somehow, with decades of growth nurtured and shaped and guided along flawed trajectories, we looked around and found everyone and everything bathed in surveillance and privacy invasion, myriad motives across state/corporate/professional boundaries coopted in blissful or willful ignorance as was chosen. --- "Let me embrace thee, sour adversity, for wise men say it is the wisest course." - William Shakespeare From coderman at gmail.com Wed Mar 19 12:30:06 2014 From: coderman at gmail.com (coderman) Date: Wed, 19 Mar 2014 12:30:06 -0700 Subject: targeted attack authorizations and oversight Message-ID: > "... to go for the end points [requires?] a constitutional, more carefully > overseeing sort of intelligence gathering model." having observed domestic LE (inc. FBI) in action and military systems in action, they usually have distinct and different characteristics: LE specific and narrow and by the book and for the record, this is a specific focus they give attention. Military any-and-all-means-to-the-end less discriminating, brute strength ground out the solution by force majeure method. anomaly: the DC 19 rogue base stations DITU DRT technique was in-discriminant (until it had to be :) and yet the DC 20 NSA TAO/QUANTUM*.* style "in the towers" absurd over kill attacks were also absolutely precise - if your "selector"(phone) was not on the list you'd never know [without some fancy watching close to target, perhaps?]. if you were indeed on the shitlist, every sensor, stored byte, and key material got compromised instantly; your airplane mode is funny cute. ... presumably "anything in range of the Rio and our multiwatt amps" they argued was targeted and limited. as for had to be discriminating, if you want to load test spook gear just figure out what drives their automation and then jam the fuck to 11 on that signal. [where signal is anything that feeds the weird machine; take all advantages inherent in attacker perspective! fork bombs and kernel panics equally disruptive] anomaly reloaded: DC 21: nobody playing? you're still watching; fair is fair! ... From juan.g71 at gmail.com Wed Mar 19 12:41:48 2014 From: juan.g71 at gmail.com (Juan Garofalo) Date: Wed, 19 Mar 2014 16:41:48 -0300 Subject: MH370 in hangar at Diego Garcia, detainees already rendered In-Reply-To: <2293803.8N1sZasSuN@lap> References: <91de68915bd3eccc81b7fd37325aae71@remailer.privacy.at> <2293803.8N1sZasSuN@lap> Message-ID: <75E35A0470BC48751A4C1E96@F74D39FA044AA309EAEA14B9> --On Wednesday, March 19, 2014 10:48 AM +0100 rysiek wrote: > Dnia środa, 19 marca 2014 04:10:03 Lodewijk andré de la porte pisze: >> Well, it seems obvious to me that they flew to high and accidentally >> escaped gravity. > > Well, close, but no bone. They *did* fly too high, but that got them too > close to the sun, and shit just started to melt. That's why wings made out of wax should be banned. > There was a tructural > failure of wings, and the whole thing went down lie a rock. > > -- > Pozdr > rysiek From jya at pipeline.com Wed Mar 19 13:52:00 2014 From: jya at pipeline.com (John Young) Date: Wed, 19 Mar 2014 16:52:00 -0400 Subject: Skype and Crypto Pushed by Snowden a Ploy? In-Reply-To: References: Message-ID: In connection with using "encrypted, secure connection" Skype for Snowden's imagery at SXSW and TED, as well as encrypted comms with journalists and event organizers, what has led these comsec advisors to believe that all too vulnerable Skype is secure, as well as all too vulnerable popular crypto pushed for journalists? Is there any indication Snowden has deployed less vulnerable protections which have not been disclosed as backing for his encouragement to trust encryption and to allow Skype to finger his location and leak his comms? To be sure, many of his remarks seem to be carefully scripted for low-brow consumption characteristic of journalism. So there may be a secure back-channel being used with Skype and pop crypto as diversion. The low-brow slides, clips, short docs, redactions released by the media point to a deception of some sort yet to be disclosed until 25 years has passed. Hyperventilating press accounts of the releases suggest either deception, inexperience or technical ignorance or all. Still, that kind of misleading comsec deception would be commonplace security measures characterisitic of NSA and wizards -- to induce the flock to churn massive amount publicity about encrypted comms -- and Skype -- to camouflage the Tor, blacker and deeper comms, not to say the even blacker and deeper tools not seen by Snowden or not yet released. More sopisticated would be to use the small amount of NSA releases to cloak far greater distribution (a method used by WikiLeaks and the black market as well as the spy industry). That too would closer to what the big boys and girls do, and therefore would be exactly what they are watching for. Including watching for ploys to hide ploys. . From odinn.cyberguerrilla at riseup.net Wed Mar 19 17:32:11 2014 From: odinn.cyberguerrilla at riseup.net (Odinn Cyberguerrilla) Date: Wed, 19 Mar 2014 17:32:11 -0700 Subject: SHA-7 crypto patented by Italian Postal Service In-Reply-To: <532A0B1E.7030600@infosecurity.ch> References: <532A0B1E.7030600@infosecurity.ch> Message-ID: They do know how to make us laugh. > LOL - LOL - LOL - LOL - LOL > > On italian government "innovation portal" it has been published a patent > by the "Italian Postal Service" of SHA-7 : > "The encryption SHA-7 allows to generate a unique “message digest” " > > LOL reading on http://italiainnovatori.gov.it/en/innovations/sha-7-2/ > > -naif > From odinn.cyberguerrilla at riseup.net Wed Mar 19 18:30:08 2014 From: odinn.cyberguerrilla at riseup.net (Odinn Cyberguerrilla) Date: Wed, 19 Mar 2014 18:30:08 -0700 Subject: DEFCON On The Mat In-Reply-To: References: <1755038.FCJpYuC3iC@lap> <65ddda0e6d171d7519c1feb2b5524620.squirrel@fruiteater.riseup.net> Message-ID: <297261db52d2f33654ff60c1cb2de047.squirrel@fulvetta.riseup.net> DEFCON On The Mat (A submittal in response to the DEFCON 22 Call for Papers) • Presenter Information: I am an entity, floating about. • Presentation Information: This is a challenge, mostly directed to the DEFCON 22 organizers, to engage in sparring matches, one on one, with each other, and with me, should I decide to attend. Each match will be refereed by someone (whoever is willing and able to call a beginning and end to the matches and who will spend time on the mat along with two opponents). Each participant must begin and end each match with a bow to their opponent. Respect is the keyword. • Scheduling Information: Whenever you are up for it. • Equipment requirements: Your fists, feet, and sparring gear (don't forget a protective crotch cup). Also, bring protective headgear and a mouthpiece. Forearm guards, leg guards, and chest gear highly advisable. Booties and soft gloves are ok, but frowned upon. Make up your own mind, but protect your head and your middle bits. If you have interlocking foam squares (portable mat components), such as a bunch of SoftTiles, bring them and help make a mat. Don't wait for someone else to do it, just do it. • Speaker Bio(s): Who said I would be speaking? You want to speak to me, meet me on the mat. • Abstract: Matches begin when random referee (whoever wants to stand in the mat area) says "Start!" or "Begin!" or "Shi-jak!" 시작 • Outline: Try not to bleed too much. See detailed outline in lower portion of this submittal. • Supporting Files: Look around. See papers scattered on floor. • Submission Agreements: You agree that if you are put in a submission hold that you will agree to never ask for submission agreements again. Presenter Information Primary Speaker Name: Odinn Primary Speaker Email Address: odinn.cyberguerrilla at riseup.net Primary Speaker Phone Number: Sure, funny. Primary Speaker postal address: No address provided. No honorarium requested. Has the speaker(s) spoken at a previous DEF CON? No. Presentation Information Presentation Title: DEFCON On The Mat Is there a demonstration? Yes. Are you releasing a new tool? Please. Are you releasing a new exploit? That depends on what happens to you during the match. Is there audience participation? Audience not participating in matches or persons who come without required gear must remain outside of match area. Length of presentation? Could be an hour. Could be longer. Up to you. Are you currently submitting this topic to any other conferences held prior to DEF CON 22? No. Are you submitting to Black Hat USA? No. Has this presentation been given or accepted to any other venue or conference? No. Is your ability or willingness to speak predicated on your talk being accepted at Black Hat USA? No. Scheduling Is there a specific day or time by which you must present? No. Equipment needs & special requests: -All the wireless internet I need and desire -Some kind of technically competent helper human to help me connect my Palm-powered Tungsten T to the Internet. It has Palm OS 5, a TI OMAP 144 MHz processor, and bluetooth, so maybe you can make it work. -Drinks, such as vodka and also water, if you have it. It must be clean water, though. -Some kind of good food that is not rotten. Pears and bananas are nice. Hamburgers are good. -Please do not claim that someone stole your forearm guards or demand to use someone else's chest piece. You are responsible for your own gear. No whining. -Take your hits without crying out in pain, it doesn't look well to be moaning and groaning when you have previously agreed to a match and have entered upon the mat willingly. -Thoughtful conversation -Respect -If I decide to come, you will pay for all my goodies and not attempt to charge me anything for attending. Failure to comply with this special request will result in chaos Will you require more than 1 LCD projector feed? No. Will you require a white board? No Are there any other special equipment needs that you will require? If you have SoftTiles that are interlocking please bring them, they make nice mat material. I would like you to bring some concrete blocks. If you have them lying around or can get them easily, maybe 8 or 10 of them. However, they need to be the kind without rebar in them as they will probably all get broken in a demonstration. Also bring pencils or chopsticks so we can put those between the blocks while the blocks are waiting to be broken. Best blocks are 4" standard concrete blocks or 8" standard concrete blocks. Thank you Also, I like hamburgers. Speaker Bio(s): I am a fellow human. As an entity, floating about, I am happy to be here with you and share your experiences, fantasies, delusions, etc. Thank you. Blessings. Abstract: Meh. Get to the mat. Detailed Outline: 1) Get your gear on 2) Line up in orderly way and proceed to mat 3) When it is your turn to go, step onto the mat, bow to your opponent, and wait for the referee to say "Start!" or "Begin!" or "Shi-ha" or something that indicates the match has begun. 4) Fight. 5) The referee (random participant who decides to ref) will time the match, at most two rounds of a minute each. At end of first round you get a break of about 30 seconds. Referee decides when break begins and ends. 6) Referee notes second round is over. It is not necessary for referee to say whether or not someone has "won." It is about respect. 7) Both match participants bow to each other, shake hands, and leave the mat. Grant of Copyright Use I warrant that the above work has not been previously published elsewhere, or if it has, that I have obtained permission for its publication by DEF CON Communications, Inc. and that I will promptly supply DEF CON Communications, Inc. with wording for crediting the original publication and copyright owner. If I am selected for presentation, I hereby give DEF CON Communications, Inc. permission to duplicate, record and redistribute this presentation, which includes, but is not limited to, the conference proceedings, conference CD, video, audio, and hand-outs to the conference attendees for educational, on-line, and all other purposes. Terms of Speaking Requirements 1) I will submit a completed presentation, a copy of the tool(s) and/or code(s), and a reference to all of the tool(s), law(s), Web sites and/or publications referenced to at the end of my talk and as described in this CFP submission for publication on the conference CD by 12:00 noon PST, July 15, 2014. (Irrelevant) 2) I will submit a final Abstract and Biography for the DEF CON website and Printed Conference Materials by 12:00 noon PST, June 20, 2014. (Maybe) 3) I understand if I fail to submit a completed presentation by July 15, 2014, I may be replaced by an alternate presentation or may forfeit my honorarium. This decision will be made by DEF CON and I will be informed in writing of my status. (I don't want an honorarium) 4) I will include a detailed bibliography as either a separate document or included within the presentation of all resources cited and/or used in my presentation. (I'll think about it) 5) I will complete my presentation within the time allocated to me - not running over, or excessively under the time allocation. (Yes) 6) I understand that DEF CON will provide 1 LCD projector feed, 2 screens, microphones, wired and/or wireless Internet. I understand that I am responsible for providing all other necessary equipment, including laptops and machines (with VGA output), to complete my presentation. (mmkay) 7) If applicable, I will submit within 5 days of the completion of the conference any updated, revised or additional presentation(s) or materials that were used in my presentation but not included on the conference CD or conference proceedings. (mmkay) Terms of Speaking Remuneration 1) I understand that I will be responsible for my own hotel and travel expenses. (That's not exactly what I had in mind, but....) 2) I understand that DEF CON will issue one $300 payment per presentation. (sigh) 3) I understand that I may receive payment on-site at the conference. If not, I must provide a valid name and postal mail address so that payment may be mailed. Payment will be made in form of corporate check. In some rare cases, you may be required to complete a W8 (Non-U.S. Citizen) or W9 (U.S. Citizen) before payment is issued. (right, fine) 4) I understand that I will be paid 30 days from the end of the conference, after I have completed my presentation. I may choose to waive my $300 speaking fee in exchange for 3 DEF CON Human badges. (I don't want a speaking fee and I don't want your badges) 5) I understand that should my talk be determined to be unsuitable (e.g. a vendor or sales pitch, a talk on the keeping of goats, etc.) after I have presented, that I will not receive an honorarium. (mmkay) As detailed above, I, (insert primary speaker name), have read and agree to the Grant of Copyright Use. I, (insert primary speaker name), have read and agree to the Terms of Speaking Requirements. I, (insert primary speaker name), have read and agree to the Agreement to Terms of Speaking Remuneration or I will forfeit my honorarium. (yeah, ok. done) From grarpamp at gmail.com Wed Mar 19 17:36:40 2014 From: grarpamp at gmail.com (grarpamp) Date: Wed, 19 Mar 2014 20:36:40 -0400 Subject: Skype and Crypto Pushed by Snowden a Ploy? In-Reply-To: References: Message-ID: > In connection with using "encrypted, secure connection" Skype for > Snowden's imagery at SXSW and TED, as well as encrypted comms > with journalists and event organizers, what has led these comsec > advisors to believe that all too vulnerable Skype is secure, as well > as all too vulnerable popular crypto pushed for journalists? > > Is there any indication Snowden has deployed less vulnerable > protections which have not been disclosed as backing for his > encouragement to trust encryption and to allow Skype to > finger his location and leak his comms? If this was a live conference stream with media types, direct Skype may have been used since: - Training a bunch of idiots to use something secure is a pain. Perhaps traded off with a disposable location and/or that Snowden is now diplomatically safe in Russia. - Tor's network characteristics are usually ok for some voice, but insufficient for live media video. https://en.wikipedia.org/wiki/Skype https://en.wikipedia.org/wiki/Skype_protocol https://en.wikipedia.org/wiki/Skype_security http://ashkansoltani.org/?s=skype That said, Skype is closed source, carries no future guarantees, and has a controversial track record... therefore it should not be trusted under any circumstances. Far better options exist for approaching your private comms needs... https://www.prism-break.org/ From cypher at cpunk.us Wed Mar 19 18:42:14 2014 From: cypher at cpunk.us (Cypher) Date: Wed, 19 Mar 2014 20:42:14 -0500 Subject: Fwd: A new Mixmaster is in the works! In-Reply-To: <532A4633.1010101@jpunix.net> References: <532A4633.1010101@jpunix.net> Message-ID: <532A4776.3040303@cpunk.us> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 A few of us have decided to take a crack at updating Mixmaster. The announcement is below. Feedback is welcomed. Anthony - -------- Original Message -------- Subject: A new Mixmaster is in the works! Date: Wed, 19 Mar 2014 20:36:51 -0500 From: Crypto Hello Everyone! Today Lance Cottrell (the original author of Mixmaster) myself, (chief Mixmaster Alpha tester and contributor) and Anthony Papillion (Cypher) had a meeting on Jitsi to discuss the current status of Mixmaster and remailers in general. We have decided that we are going to investigate updating to a new Mixmaster that will fill the weaknesses and issues that are present in the current version of Mixmaster (Mixmaster 3.0). The first issue will address the 1024-bit key length. We will be looking at the development code currently available on the Internet. The first thing we will do is to implement a 4096-bit key structure. More features are under discussion. We would like your input on what features you would like to see. Please keep in mind that we are looking at functionality first. Secondly we are looking at introducing a desktop GUI for major operating systems. Lastly we want to make using remailers and encryption as seamless as possible. Your thoughts and suggestions are welcome but please remember that it is just the three of us so let's keep the "exotic" stuff to the end of the project. -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBCgAGBQJTKkdjAAoJEFuutbL6JoJr9bIP+wXcbDdBjBaA27/rBu0M54D8 4ghwgpbcmCo6iKZzBJphwuV0cDbEqqlNUBslJVmOqRBftWkpN9t4v4rggWmzSs4S RNZVMPm5ad6DcW9eJTvnuldW/BL95arrolSLja0jLv5CaFLdaGo3PnBThoRQFxT9 82mTx5Fzdc+s+OVSIuO/FGeVFWhCZsru9nUlUT82rnrbNYeTnuR9iQUNltFlkM1S yDS2sAaP+0fKJQUo4lsRO8dCxKRvLln0yJDNLdZvH3Am8sBIgbBg4DvF++ZRx6nz V3mAPmmDXU37w+0GLdad1Euuge+Wj74Wha/zKTeCRs2fKwBffIAdepVLzVd/X2fX dI+lO2MIKkp6xvJIqMy9O+g26YJfNx1hYLdA9glCflpVioEQqiMsy7ech7Fltgbv wAtZfLrkl+FMUTQUy7lwMLv7gAPIW4qc1WZBJiB9cMqxQvNW0gOazLvWD0fsg7/d i6RRmqik7cQyyW9MOy3agnC3tLvdYwIV2yMAyB5WRrNl0QaDPEb7J7bzRSZOFosB DcbH7ZuuGjvRhSsyEu/lT8Ad6GJ+OYKO3C/ODO8jyok9Cxv03YoZeVoj3xbFVWrL zpETZGPDMjQ1m3SrQiU+kaJY2vns3XRFEao+/sz+7YxmS3kDA+OZguoRVkek0+im FwAuh/nO85QZAnGL2Q2O =aj0r -----END PGP SIGNATURE----- From rysiek at hackerspace.pl Wed Mar 19 13:39:29 2014 From: rysiek at hackerspace.pl (rysiek) Date: Wed, 19 Mar 2014 21:39:29 +0100 Subject: MH370 in hangar at Diego Garcia, detainees already rendered In-Reply-To: <75E35A0470BC48751A4C1E96@F74D39FA044AA309EAEA14B9> References: <91de68915bd3eccc81b7fd37325aae71@remailer.privacy.at> <2293803.8N1sZasSuN@lap> <75E35A0470BC48751A4C1E96@F74D39FA044AA309EAEA14B9> Message-ID: <17018182.ic1XYYlMP2@lap> Dnia środa, 19 marca 2014 16:41:48 Juan Garofalo pisze: > --On Wednesday, March 19, 2014 10:48 AM +0100 rysiek > > wrote: > > Dnia środa, 19 marca 2014 04:10:03 Lodewijk andré de la porte pisze: > >> Well, it seems obvious to me that they flew to high and accidentally > >> escaped gravity. > > > > Well, close, but no bone. They *did* fly too high, but that got them too > > close to the sun, and shit just started to melt. > > That's why wings made out of wax should be banned. I guess it depends on how close to the sun you get. -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From lists at infosecurity.ch Wed Mar 19 14:24:46 2014 From: lists at infosecurity.ch (Fabio Pietrosanti (naif)) Date: Wed, 19 Mar 2014 22:24:46 +0100 Subject: SHA-7 crypto patented by Italian Postal Service Message-ID: <532A0B1E.7030600@infosecurity.ch> LOL - LOL - LOL - LOL - LOL On italian government "innovation portal" it has been published a patent by the "Italian Postal Service" of SHA-7 : "The encryption SHA-7 allows to generate a unique “message digest” " LOL reading on http://italiainnovatori.gov.it/en/innovations/sha-7-2/ -naif From rysiek at hackerspace.pl Thu Mar 20 01:13:23 2014 From: rysiek at hackerspace.pl (rysiek) Date: Thu, 20 Mar 2014 09:13:23 +0100 Subject: Skype and Crypto Pushed by Snowden a Ploy? In-Reply-To: References: Message-ID: <3666998.YoCz6bq7TR@lap> Dnia środa, 19 marca 2014 20:36:40 grarpamp pisze: > > In connection with using "encrypted, secure connection" Skype for > > Snowden's imagery at SXSW and TED, as well as encrypted comms > > with journalists and event organizers, what has led these comsec > > advisors to believe that all too vulnerable Skype is secure, as well > > as all too vulnerable popular crypto pushed for journalists? > > > > Is there any indication Snowden has deployed less vulnerable > > protections which have not been disclosed as backing for his > > encouragement to trust encryption and to allow Skype to > > finger his location and leak his comms? > > If this was a live conference stream with media types, direct Skype > may have been used since: > - Training a bunch of idiots to use something secure is a pain. > Perhaps traded off with a disposable location and/or that Snowden > is now diplomatically safe in Russia. > - Tor's network characteristics are usually ok for some voice, > but insufficient for live media video. > > https://en.wikipedia.org/wiki/Skype > https://en.wikipedia.org/wiki/Skype_protocol > https://en.wikipedia.org/wiki/Skype_security > http://ashkansoltani.org/?s=skype > > That said, Skype is closed source, carries no future guarantees, > and has a controversial track record... therefore it should not be > trusted under any circumstances. Far better options exist for > approaching your private comms needs... > https://www.prism-break.org/ I am waiting and giddy for a moment when RetroShare implements video. THey did a pretty good job with VoIP: http://rys.io/en/129 -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From coderman at gmail.com Thu Mar 20 09:22:02 2014 From: coderman at gmail.com (coderman) Date: Thu, 20 Mar 2014 09:22:02 -0700 Subject: targeted attack authorizations and oversight In-Reply-To: References: Message-ID: On Wed, Mar 19, 2014 at 12:30 PM, coderman wrote: > ... > anomaly: > > the DC 19 rogue base stations DITU DRT technique was in-discriminant > (until it had to be :) per C.S.'s clarification, this makes sense if military equipment, automation, and exploits used in domestic LE OP under guise of FBI procedure and controls at DC 19. migration to "in the towers" thus also viewed as remedy to numerous shortcomings of prior effort and lessons learned. make no mistake: the biggest hack of all at DEF CON 20 performed by Alexander and his toys; total control of netspace around hacker headspace, silent and smooth; Christopher Walken wowed himself, like nothing nowhere. US public paid for the domestic red team privilege in the billions as legal spirit is crushed under a magnificient sophistry of imminent threats and exigent circumstances for the very public good(ly fucked). """ Tech companies can honestly say they've never shared customer data/with the NSA, since they give it to the FBI (which then gives it to NSA) """ - Christopher Soghoian https://twitter.com/csoghoian/status/446638027381964800 From coderman at gmail.com Thu Mar 20 09:30:48 2014 From: coderman at gmail.com (coderman) Date: Thu, 20 Mar 2014 09:30:48 -0700 Subject: Fwd: FD mailing list died. Time for new one (or something better!) In-Reply-To: References: Message-ID: over on the OSS list i have been venting some bullshit friction over the full-disclosure cave in and closure. for shame! see also thread on more better mixmasters, ---------- Forwarded message ---------- From: coderman Date: Thu, Mar 20, 2014 at 3:18 AM Subject: Re: FD mailing list died. Time for new one (or something better!) To: oss-security at lists.openwall.com a modest and proportionate proposal, fuller-disclosure: - a hidden list (local accts only, no clearnet linkage) - a hidden daily digest (per mod prefs, see below) - a hidden xmpp (otr required - plaintext abused) - a hidden web archive (of the list traffic, read-only) - a hidden public chat (group xmpp+/|ircd, no clearnet linkage) - a hidden pastebin with or without simple nonce auth - a advogato reputation sys to stack rank and put below the fold (for list digest content, public chat, web archive, and public pastes) use case A: "JerkVendor is Jerk" - more accomodating disclosure fails, good faith and gratis effort returned with bile. - bugtraq drama ensues, takedowns. - "Hey, the advisory is still up here! -> fullerd.onion/..." use case B: "The Hot Drop" - *whispers* 'remember the Athens Affair? i'd rather not Opt-Out to report' - BREAKING NEWS: "Anonymous russian hackers drop dox on spyhack to darknet fullerd.onion..." use case C: "It's my party and I'll..." - 'so how it happened was, , i coaxed pre-auth SSL cert parsefail remote exec with escalate to system' - "Hey DEF CON! fuck that full-disclosure closure drama, let's get this party started!" - DEF CON XX official start and group xmpp/ircd distributes nonce for 0day to thousands of hidden participants simultaneously. [ remainder of distribution happens over sneakernet at con due to unexplained outage across entire Tor network for all users... ] not a concern at all, ever: - "HOLY SHIT TAKE THAT DOWN NOW!!!" legal motions - "HOLY SHIT TAKE THAT DOWN NOW!!!" supporter/peer pressure - "HOLY SHIT TAKE THAT DOWN NOW!!!" matters of national security - "HOLY SHIT TAKE THAT DOWN NOW!!!" hint in datagram at 100Gbps [ the inverse is use case D: "99.44% Peace of Mind" ] i don't see the point in anything less; other technologies filling existing roles fine, while the truly necessary drops have zero outlet. . . . finding someone with strong reputation and good judgement to publicly validate and speak to the efforts of the equally reputable but absolutely anonymous service operator? ... now that's a hard sell ... *grin* From coderman at gmail.com Thu Mar 20 09:31:33 2014 From: coderman at gmail.com (coderman) Date: Thu, 20 Mar 2014 09:31:33 -0700 Subject: Fwd: FD mailing list died. Time for new one (or something better!) In-Reply-To: References: Message-ID: ---------- Forwarded message ---------- From: coderman Date: Thu, Mar 20, 2014 at 7:22 AM Q: "Onions are fragile and sporadically un-available." A: that's not a question ;) see also Q: ".. How do faster soliderer onions?" A: glad you asked, earth human! for a limited time only!! [ ... shipping and handling not included, ... ] + with consensus, namecoin to a set of consistent or rotating onion URIs + concurrent hidden service endpoints to map addresses aggressively + concurrent ipv4 or ipv6 addrspaces to hidden web services on TCP/DNS + including those discussed built on multi-homed stream transports to the mapped endpoints Q: "How do you trust shady ipv4, ipv6, openssl, zlib, libevent, http, smtp, wtfp web attack surface?" A: clearly you should not. a legit op accrues pwn pot as show of good faith... [swelling pool of shadydogecoins for great justice!] Q: "Where is it?" A: ,, hah! almost got me! .. i know nothing. [ i hear the gruqq awaits to check your opsec at the subscreen? i was hallucinating. there were squirrels... ] Q: "Can this veer any further off-topic?" A: you're no exile from zeroed list, are you :P PS: the sooner someone leaks the bootstrap to hidden fuller disclosure the sooner i can take this tangent back apropos *grin* Q: "If I show you my digests will you show me yours teehee?" A: sure; builds ~200-500min - afford your patience accordingly. (builders shamelessly solicited) --- > a modest and proportionate proposal, > > fuller-disclosure:... From coderman at gmail.com Thu Mar 20 09:32:12 2014 From: coderman at gmail.com (coderman) Date: Thu, 20 Mar 2014 09:32:12 -0700 Subject: Fwd: FD mailing list died. Time for new one (or something better!) In-Reply-To: References: Message-ID: ---------- Forwarded message ---------- Date: Thu, Mar 20, 2014 at 8:38 AM specifically you are building hardened, reproducible pkgs/isos from snapshots of - live Qubes OS for baremetal layer - tails, whonix, kali, arch, ramfsonly variants, exotics per all reqs - ENTROPY DONE RIGHT, END TO END, FROM DEVELOPER COMMITS TO RUNTIME GUESTS ^this is capitalized because after decades of seeding crypto laughbly wrong, we're still routinely making laughably wrong seeds, everywhere... i am getting desperate! ,see also: http://blog.cryptographyengineering.com/2014/03/how-do-you-know-if-rng-is-working.html - the bootstrap client is built for native platforms to retrieve over various means for linux32, linux64, osx32, osx64, win32, win64, android, iOS, windows mobile which deploys the hardened bare metal systems with scrutinized builds above OH: "duuuuude, don't do it. no. don't. no no no." 'cmon, :) how long have you wanted to see a nice weaponized pre-auth ssl+escalate drop? :) :) :)' "not funny! these are operations nightmares you fucker!" Q: "I heard infosec is dead. the citation was infosuck as definitive. #oldtimers and stuff" A: i don't know shit, but one thing i do know is: if your hacker peer group is this bad and/or one of the 1:4 malicious entrapping snitches and/or ALL got v8nd doing stupid shit while high on stupid shit making stupid judgement calls and/or otherwise failed to be decent humans - then you're doing it wrong! good news it is not too late to make good friends and get over your bullshit ;) [in all seriousness, it's an amazing time to be alive! the unappreciated work that is being done is everywhere if you make an effort to seek it out.] Q: "How big could such a bounty/bet get?" A: if i was the CIA i would take the snowden docs that are eventually after 42 years or so disseminated in full and dump them to the hidden fuller disclosure. drop a few TAO 0day expected to lose utility on the list as false flag. use it to grind some axes through SUBQUANTUMSQUIRRELMESH cover and use pilfered bounty to bet against the opers driving "perceived risk of running hidden site" to level 'wutsohigh'. then i'd use black funds stoking social media fire storm, the righteous furor pre-disposing the public to zero sympathy for what follows. nulling the meatbags simple as identities strategically leaked for hidden disclosure service operators to "lower american clandestine chemical cleaners" for prompt chemical dissolution. the subsequent narco pulp tie up bolsters pre-seeded notions that said "criminal hacker terrorists working for foreign intelligence services conspiring to kill americans with logic bombs thrown from darknet intertubes" deserved righteous death by sword clearly, if not for this narco deal then surely for . finally, having driven the bounty on the hidden disclosure service to an absurd level twice the GDP of china, i would dump and mix the coins to a hidden wallet and disappear into history, never to be seen or heard from again. TL;DR: the pot could be twice the GDP of china if the CIA is playing the game with us and feeling extra dirty. [ 35 yrs later: the fact this was an exceptionally compartmentalized black op is quietly noted along with a few hundred thousand other arcane dumps no once cares about anymore... also un-noted: this operation was 100% sucessful in scaring all the fear cowed whitehats, grayhats, blackhats and inbetween from ever thinking about operating a truly fully disclosing forum for communication in the modern world. times have changed you hacker punks! ] Q: "When I asked if this could get any further off-topic, I was lamenting - not challenging!" A: hey, i'm not the one who is slacking on the disclosure of the hidden disclosure service! i just expand the anonymity set here... FIN: really done on this subject. if you're actually curious and willing to volunteer time and testing, go off-list and on-crypto :) https://peertech.org/files/0x65A847E7C2B9380C-pub.txt current OTR 157B7040 4339EFCA D83EF33D 7064F401 843A7E98 https://peertech.org/files/otr.txt From coderman at gmail.com Thu Mar 20 09:55:49 2014 From: coderman at gmail.com (coderman) Date: Thu, 20 Mar 2014 09:55:49 -0700 Subject: FD mailing list died. Time for new one (or something better!) In-Reply-To: References: Message-ID: On Thu, Mar 20, 2014 at 3:18 AM, coderman wrote: > a modest and proportionate proposal, >... > finding someone with strong reputation and good judgement to publicly > validate and speak to the efforts of the equally reputable but > absolutely anonymous service operator? > ... now that's a hard sell ... *grin* if finding said operators for a dedicated service is hard then finding a quorum to run mixmasterminions as intake to hidden list likely just as peril fraught. note that a local only (hidden only) mailer would be easy enough to extend to link to incoming mix messages, if/when desired, in addition to Usenet intake, as also mentioned. a persistent and available store of disclosures (late comers seeking archives) is a critical requirement. your threat model is the nation state intelligence community tailored operations teams. [see also: malware list DoS on orig Stuxnet payload xmit, belgian cyptographers blowing up bullruns, etc.] - every other adversary is a cake walk in comparison.** --- in a sense, the robust full-disclosure replacement problem is fundamentally the secure whistleblower leak site problem is fundamentally the "user friendly, fails safe, default always anon" communication problem. "this is a global problem" "you are the firefighters", "..." --- ** so, what happened at DEF CON 22 was, ... From pgut001 at cs.auckland.ac.nz Wed Mar 19 16:31:11 2014 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Thu, 20 Mar 2014 12:31:11 +1300 Subject: SHA-7 crypto patented by Italian Postal Service In-Reply-To: <532A0B1E.7030600@infosecurity.ch> Message-ID: "Fabio Pietrosanti (naif)" writes: >On italian government "innovation portal" it has been published a patent by >the "Italian Postal Service" of SHA-7 : "The encryption SHA-7 allows to >generate a unique “message digest” " > >LOL reading on http://italiainnovatori.gov.it/en/innovations/sha-7-2/ Is there any indication of what this SHA-7 is? Before I pass judgement I'd like to see a document from a technical writer rather than a generic press release that potentially mangles beyond recognition what they've actually done. Peter. From coderman at gmail.com Thu Mar 20 13:52:49 2014 From: coderman at gmail.com (coderman) Date: Thu, 20 Mar 2014 13:52:49 -0700 Subject: FD mailing list died. Time for new one (or something better!) In-Reply-To: References: Message-ID: On Thu, Mar 20, 2014 at 9:55 AM, coderman wrote: > ... as some earlier experiments on ad-hoc usability observations, win desktop user with technical ability able to download and verify signatures on TBB within ~6m, including pubkey and digest based verification. bootstrapping and verifying correct Tor use in the browser to a check site consumed another 4min. downloading pidgin with otr and configuring to use ccc.de with encryption, create new account on server yes, enable OTR, generate key and note fingerprint, set settings to always enforce OTR and don't log OTR chats (if not already defaulted to don't save) consumed another 6min. in total, 16min to bootstrap private end-to-end messaging over Tor anonymity network. not bad! bridge and obfuscated proxy support now also as easy (mostly :) --- for mobile space, the experience with a different guinea pig was similar with Orbot and ChatSecure(Gibberbot), ~10-15min to provision new client. --- configuring hidden services securely is where things currently fall apart, as I have not been able to walk a new user through this process without significant difficulties and confusion. this is essentially on par with encrypted email using the usual suspects, which i also could not successfully walk a new user through without significant difficulties and configurations prone to silent catastrophic failures to encrypt. --- this is why xmpp with otr is called out for consistent usability and availability benefits over standard email or listserv (on osx, win, *nix, android, ios, windows phone, ?) as for how long to deploy? time an ansible playbook the definitive answer. till then! [ more than a cypherpunk hacker day, less than a cypherpunk hacker month... probably. ] From coderman at gmail.com Thu Mar 20 15:59:10 2014 From: coderman at gmail.com (coderman) Date: Thu, 20 Mar 2014 15:59:10 -0700 Subject: DEFCON On The Mat In-Reply-To: References: <297261db52d2f33654ff60c1cb2de047.squirrel@fulvetta.riseup.net> Message-ID: "Odinn Cyberguerrilla" wrote: > > DEFCON On The Mat at what point should you decide to, and to what number, do parrallel'ize the mats? [ i have a conjecture to test during peak mat traffic, congested singleton mat may skew results ... ] best regards, good luck :) From coderman at gmail.com Thu Mar 20 17:15:08 2014 From: coderman at gmail.com (coderman) Date: Thu, 20 Mar 2014 17:15:08 -0700 Subject: "I hunt sysadmins" Message-ID: can such a tasking pass my PCI PA-DSS audit for me?? "Imagine a master list of all admins of all networks on earth..." 'Inside the NSA's Secret Efforts to Hunt and Hack System Administrators' - https://firstlook.org/theintercept/article/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/ also, slides: https://s3.amazonaws.com/s3.documentcloud.org/documents/1094387/i-hunt-sys-admins.pdf """ Across the world, people who work as system administrators keep computer networks in order - and this has turned them into unwitting targets of the National Security Agency for simply doing their jobs. According to a secret document provided by NSA whistleblower Edward Snowden, the agency tracks down the private email and Facebook accounts of system administrators (or sys admins, as they are often called), before hacking their computers to gain access to the networks they control. The document consists of several posts - one of them is titled "I hunt sys admins" - that were published in 2012 on an internal discussion board hosted on the agency's classified servers. They were written by an NSA official involved in the agency's effort to break into foreign network routers, the devices that connect computer networks and transport data across the Internet. By infiltrating the computers of system administrators who work for foreign phone and Internet companies, the NSA can gain access to the calls and emails that flow over their networks. The classified posts reveal how the NSA official aspired to create a database that would function as an international hit list of sys admins to potentially target. Yet the document makes clear that the admins are not suspected of any criminal activity - they are targeted only because they control access to networks the agency wants to infiltrate. "Who better to target than the person that already has the 'keys to the kingdom'?" one of the posts says. The NSA wants more than just passwords. The document includes a list of other data that can be harvested from computers belonging to sys admins, including network maps, customer lists, business correspondence and, the author jokes, "pictures of cats in funny poses with amusing captions." The posts, boastful and casual in tone, contain hacker jargon (pwn, skillz, zomg, internetz) and are punctuated with expressions of mischief. "Current mood: devious," reads one, while another signs off, "Current mood: scheming." The author of the posts, whose name is being withheld by The Intercept, is a network specialist in the agency's Signals Intelligence Directorate, according to other NSA documents. The same author wrote secret presentations related to the NSA's controversial program to identify users of the Tor browser - a privacy-enhancing tool that allows people to browse the Internet anonymously. The network specialist, who served as a private contractor prior to joining the NSA, shows little respect for hackers who do not work for the government. One post expresses disdain for the quality of presentations at Blackhat and Defcon, the computer world's premier security and hacker conferences: It is unclear how precise the NSA's hacking attacks are or how the agency ensures that it excludes Americans from the intrusions. The author explains in one post that the NSA scours the Internet to find people it deems "probable" administrators, suggesting a lack of certainty in the process and implying that the wrong person could be targeted. It is illegal for the NSA to deliberately target Americans for surveillance without explicit prior authorization. But the employee's posts make no mention of any measures that might be taken to prevent hacking the computers of Americans who work as sys admins for foreign networks. Without such measures, Americans who work on such networks could potentially fall victim to an NSA infiltration attempt. The NSA declined to answer questions about its efforts to hack system administrators or explain how it ensures Americans are not mistakenly targeted. Agency spokeswoman Vanee' Vines said in an email statement: "A key part of the protections that apply to both U.S. persons and citizens of other countries is the mandate that information be in support of a valid foreign intelligence requirement, and comply with U.S. Attorney General-approved procedures to protect privacy rights." As The Intercept revealed last week, clandestine hacking has become central to the NSA's mission in the past decade. The agency is working to aggressively scale its ability to break into computers to perform what it calls "computer network exploitation," or CNE: the collection of intelligence from covertly infiltrated computer systems. Hacking into the computers of sys admins is particularly controversial because unlike conventional targets - people who are regarded as threats - sys admins are not suspected of any wrongdoing. In a post calling sys admins "a means to an end," the NSA employee writes, "Up front, sys admins generally are not my end target. My end target is the extremist/terrorist or government official that happens to be using the network some admin takes care of." The first step, according to the posts, is to collect IP addresses that are believed to be linked to a network's sys admin. An IP address is a series of numbers allocated to every computer that connects to the Internet. Using this identifier, the NSA can then run an IP address through the vast amount of signals intelligence data, or SIGINT, that it collects every day, trying to match the IP address to personal accounts. "What we'd really like is a personal webmail or Facebook account to target," one of the posts explains, presumably because, whereas IP addresses can be shared by multiple people, "alternative selectors" like a webmail or Facebook account can be linked to a particular target. You can "dumpster-dive for alternate selectors in the big SIGINT trash can" the author suggests. Or "pull out your wicked Google-fu" (slang for efficient Googling) to search for any "official and non-official e-mails" that the targets may have posted online. Once the agency believes it has identified a sys admin's personal accounts, according to the posts, it can target them with its so-called QUANTUM hacking techniques. The Snowden files reveal that the QUANTUM methods have been used to secretly inject surveillance malware into a Facebook page by sending malicious NSA data packets that appear to originate from a genuine Facebook server. This method tricks a target's computer into accepting the malicious packets, allowing the NSA to infect the targeted computer with a malware "implant" and gain unfettered access to the data stored on its hard drive. "Just pull those selectors, queue them up for QUANTUM, and proceed with the pwnage," the author of the posts writes. ("Pwnage," short for "pure ownage," is gamer-speak for defeating opponents.) The author adds, triumphantly, "Yay! /throws confetti in the air." In one case, these tactics were used by the NSA's British counterpart, Government Communications Headquarters, or GCHQ, to infiltrate the Belgian telecommunications company Belgacom. As Der Speigel revealed last year, Belgacom's network engineers were targeted by GCHQ in a QUANTUM mission named "Operation Socialist" - with the British agency hacking into the company's systems in an effort to monitor smartphones. While targeting innocent sys admins may be surprising on its own, the "hunt sys admins" document reveals how the NSA network specialist secretly discussed building a "master list" of sys admins across the world, which would enable an attack to be initiated on one of them the moment their network was thought to be used by a person of interest. One post outlines how this process would make it easier for the NSA's specialist hacking unit, Tailored Access Operations (TAO), to infiltrate networks and begin collecting, or "tasking," data: Aside from offering up thoughts on covert hacking tactics, the author of these posts also provides a glimpse into internal employee complaints at the NSA. The posts describe how the agency's spies gripe about having "dismal infrastructure" and a "Big Data Problem" because of the massive volume of information being collected by NSA surveillance systems. For the author, however, the vast data troves are actually something to be enthusiastic about. "Our ability to pull bits out of random places of the Internet, bring them back to the mother-base to evaluate and build intelligence off of is just plain awesome!" the author writes. "One of the coolest things about it is how much data we have at our fingertips." """ From jamesdbell9 at yahoo.com Thu Mar 20 22:25:27 2014 From: jamesdbell9 at yahoo.com (jim bell) Date: Thu, 20 Mar 2014 22:25:27 -0700 (PDT) Subject: "Whew, wondered where we'd put those 200,000 BTC!" Message-ID: <1395379527.21155.YahooMailNeo@web126203.mail.ne1.yahoo.com> http://www.engadget.com/2014/03/20/mt-gox-apparently-found-200-000-bitcoin-in-an-old-wallet-shoul/?ncid=txtlnkusaolp00000589 "In a bit of news that's familiar to anyone who ever put on an old jacket and found $20 in the pocket, embattled Bitcoin exchange Mt. Gox has made a fortuitous discovery. The company announced (PDF) in Japan that it found 200,000 Bitcoin (worth nearly $116 million at the moment) in a wallet from 2011 that it no longer used. That's less than a quarter of the 850,000 Bitcoins CEO Mark Karpeles reported were missing, but at the moment, at least it's something. According to its statement, the coins were moved to online wallets on the 7th, and then to offline wallets on the 14th and 15th. The mystery of what happened to Mt. Gox's funds is still far from solved, but between this news and reports of updated balances for account holders, it seems possible that there's something to be recovered from the shuttered exchange. Next up, removing all of the cushions from the sofa and pulling it away from the wall." -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 3696 bytes Desc: not available URL: From jamesdbell9 at yahoo.com Thu Mar 20 23:26:00 2014 From: jamesdbell9 at yahoo.com (jim bell) Date: Thu, 20 Mar 2014 23:26:00 -0700 (PDT) Subject: "I hunt sysadmins" In-Reply-To: <37FF1E5D-8489-43D1-A7F0-E40A18AB5F14@sbce.org> References: <37FF1E5D-8489-43D1-A7F0-E40A18AB5F14@sbce.org> Message-ID: <1395383160.43334.YahooMailNeo@web126202.mail.ne1.yahoo.com> From: Scott Blaydes On Mar 20, 2014, at 7:15 PM, coderman wrote: >> can such a tasking pass my PCI PA-DSS audit for me?? > >> "Imagine a master list of all admins of all networks on earth..." >> >> >> 'Inside the NSA's Secret Efforts to Hunt and Hack System Administrators' >> - https://firstlook.org/theintercept/article/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/ >>  also, slides: >>      https://s3.amazonaws.com/s3.documentcloud.org/documents/1094387/i-hunt-sys-admins.pdf >> """ >Instead of Zuckerburg calling Obama to complain, how about blocking all federal government IPs for 24 hours? Even better, how about Google? >Just call it an “outage” due to having to spend extra time on encrypting all of their traffic between data centers. >DNSBL for known intelligence community IPs? Sure they rotate a lot, but if we can make the cost of doing business higher and higher with no real >benefit, someone should eventually cut the funding. Start tracking what companies are providing IP services via contract and then blacklist the IP >blocks of those companies. I really don’t care if I ever get an email from Stratfor or they ever visit any of my sites. >Had the idea all of about 60 seconds before trying to write it down, so I am sure I am forgetting something (or somethings).   All good ideas have to come from someplace.            Jim Bell -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2920 bytes Desc: not available URL: From coderman at gmail.com Thu Mar 20 23:53:00 2014 From: coderman at gmail.com (coderman) Date: Thu, 20 Mar 2014 23:53:00 -0700 Subject: "I hunt sysadmins" In-Reply-To: <37FF1E5D-8489-43D1-A7F0-E40A18AB5F14@sbce.org> References: <37FF1E5D-8489-43D1-A7F0-E40A18AB5F14@sbce.org> Message-ID: On Thu, Mar 20, 2014 at 10:54 PM, Scott Blaydes wrote: > ... how about blocking all federal government IPs for 24 hours? QUANTUMTHEORY means if they're in path you're fucked. ;) by tapping and injecting at the physical backbone fiber and core switch interfaces they get to be anyone and say anything. NSA has turned the whole internet into a DEF CON WiFi war zone... -------------- next part -------------- A non-text attachment was scrubbed... Name: QUANTUMSQUIRREL.JPG Type: image/jpeg Size: 29674 bytes Desc: not available URL: From scott at sbce.org Thu Mar 20 22:54:14 2014 From: scott at sbce.org (Scott Blaydes) Date: Fri, 21 Mar 2014 00:54:14 -0500 Subject: "I hunt sysadmins" In-Reply-To: References: Message-ID: <37FF1E5D-8489-43D1-A7F0-E40A18AB5F14@sbce.org> On Mar 20, 2014, at 7:15 PM, coderman wrote: > can such a tasking pass my PCI PA-DSS audit for me?? > > "Imagine a master list of all admins of all networks on earth..." > > > 'Inside the NSA's Secret Efforts to Hunt and Hack System Administrators' > - https://firstlook.org/theintercept/article/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/ > also, slides: > https://s3.amazonaws.com/s3.documentcloud.org/documents/1094387/i-hunt-sys-admins.pdf > """ Instead of Zuckerburg calling Obama to complain, how about blocking all federal government IPs for 24 hours? Even better, how about Google? Just call it an “outage” due to having to spend extra time on encrypting all of their traffic between data centers. DNSBL for known intelligence community IPs? Sure they rotate a lot, but if we can make the cost of doing business higher and higher with no real benefit, someone should eventually cut the funding. Start tracking what companies are providing IP services via contract and then blacklist the IP blocks of those companies. I really don’t care if I ever get an email from Stratfor or they ever visit any of my sites. Had the idea all of about 60 seconds before trying to write it down, so I am sure I am forgetting something (or somethings). -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 842 bytes Desc: Message signed with OpenPGP using GPGMail URL: From njloof at gmail.com Fri Mar 21 04:06:53 2014 From: njloof at gmail.com (Nathan Loofbourrow) Date: Fri, 21 Mar 2014 04:06:53 -0700 Subject: To Tor or not to Tor? In-Reply-To: <3735791.WCR3VjPavv@lap> References: <3735791.WCR3VjPavv@lap> Message-ID: <9B62CD31-473E-4F99-BEC8-FDCB8BEFDEE6@gmail.com> Can't speak to the 2nd part, but to the first: in the US, for example, the number of active Tor users is in the hundreds of thousands, so you stand out but not much. On the other hand, even at the height of the protests in Egypt there were at most 1500 Tor users in the whole country. That's a lot of doors to knock on but not prohibitively many. n > On Mar 21, 2014, at 3:04, rysiek wrote: > > Hi there, > > As I am running a local cryptoparty and do a lot of basic encryption/privacy > talks and workshops, I am often recommending Tor as one of the means of > protecting one's privacy and yes, even security (for example, by running a > hidden service and making it possible for users not to leave the darknet). > > Of course it's far from being enough, and I make that very clear. > > But lately I got to wonder if using Tor does more harm than good? If the NSA > can impersonate any IP on the planet, they can impersonate any Tor node; tis > has two important consequences: > > 1. they know when you're using Tor, and can flag you accordingly, and (for > example) deliver some nastiness when (not "if"!) they get the chance, > because "when you have something to hide..." > > 2. they can guess with high probability whom are you communicating with; they > don't have to break encryption, it's enough they listen-in and see that a > Tor packet from your IP to Node A is x bytes; a packet from Node A to Node > B is x-( header + Tor encryption layer size ) bytes, and so on. > > So, is using Tor today doing more harm than good? Would ordinary Joe Schmoes > be far better of not using Tor? How about more high-profile targets, like > activists/hacktivists, etc? > > -- > Pozdr > rysiek From dan at geer.org Fri Mar 21 04:17:55 2014 From: dan at geer.org (dan at geer.org) Date: Fri, 21 Mar 2014 07:17:55 -0400 Subject: "I hunt sysadmins" In-Reply-To: Your message of "Fri, 21 Mar 2014 00:54:14 CDT." <37FF1E5D-8489-43D1-A7F0-E40A18AB5F14@sbce.org> Message-ID: <20140321111755.7F6452280D7@palinka.tinho.net> | DNSBL for known intelligence community IPs? Sure they rotate a lot, but | if we can make the cost of doing business higher and higher with no real | benefit, someone should eventually cut the funding. Start tracking what | companies are providing IP services via contract and then blacklist the | IP blocks of those companies. I really don't care if I ever get an | email from Stratfor or they ever visit any of my sites. | | Had the idea all of about 60 seconds before trying to write it down, so | I am sure I am forgetting something (or somethings). This is the future, Sir, a dramatically balkanized Internet. What you suggest is what many, perhaps most, countries wish at the level of state policy. 12mars.rsf.org/2014-en/enemies-of-the-internet-2014-entities-at-the-he art-of-censorship-and-surveillance/ Today is the golden age of search. Savor it. --dan From jya at pipeline.com Fri Mar 21 05:01:19 2014 From: jya at pipeline.com (John Young) Date: Fri, 21 Mar 2014 08:01:19 -0400 Subject: Compromised Sys Admin Hunters and Tor In-Reply-To: <3735791.WCR3VjPavv@lap> References: <3735791.WCR3VjPavv@lap> Message-ID: Sys admins catch you hunting them and arrange compromises to fit your demands so you can crow about how skilled you are. Then you hire them after being duped as you duped to be hired. The lead Tor designer reportedly (via Washington Post) had a session with NSA to brief on how to compromise it, although "compromise" was not used nor is the word used by gov-com-org-edu. http://cryptome.org/2013/10/nsa-tor-dingledine.htm Not many honest comsec wizards nowadays are promising more than compromised comsec, and the compromise is gradually increasing as Snowden material is dribbled out to convince the public and wizards not a hell of a lot can be done about it except believe in and buy more compromised comsec. Not news here and in comsec wizard-land, to be sure, but compromised comsec is the industry standard, as the industry and its wizards in and out of government enjoy the boom and bust in comsec tools generated by precursors of Snowden, Snowden and his successors. Compromisability is assumed by the comsec industry to be a fundamental feature in all nations, no need to advertise it, much better to advertise how great comsec is and now much it is needed. Crypto-wizards have a long history of compromising believers who hire them and who suffer their promises of highly trusted protection. Trusted comsec is necessary to get persons to pack their comms with compromisable information. The greater the trust the greater the revelations of just what is desired. So what if laws are aleays jiggered to allow access to the revelations "under legal pressure" and "FISC orders." That has been a fundamental feature of crypto and comsec wizardry. At 06:04 AM 3/21/2014, you wrote: >Hi there, > >As I am running a local cryptoparty and do a lot of basic encryption/privacy >talks and workshops, I am often recommending Tor as one of the means of >protecting one's privacy and yes, even security (for example, by running a >hidden service and making it possible for users not to leave the darknet). > >Of course it's far from being enough, and I make that very clear. > >But lately I got to wonder if using Tor does more harm than good? If the NSA >can impersonate any IP on the planet, they can impersonate any Tor node; tis >has two important consequences: > >1. they know when you're using Tor, and can flag you accordingly, and (for > example) deliver some nastiness when (not "if"!) they get the chance, > because "when you have something to hide..." > >2. they can guess with high probability whom are you communicating with; they > don't have to break encryption, it's enough they listen-in and see that a > Tor packet from your IP to Node A is x bytes; a packet from Node A to Node > B is x-( header + Tor encryption layer size ) bytes, and so on. > >So, is using Tor today doing more harm than good? Would ordinary Joe Schmoes >be far better of not using Tor? How about more high-profile targets, like >activists/hacktivists, etc? > >-- >Pozdr >rysiek From iam at kjro.se Fri Mar 21 07:20:02 2014 From: iam at kjro.se (Kelly John Rose) Date: Fri, 21 Mar 2014 08:20:02 -0600 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: <1395379527.21155.YahooMailNeo@web126203.mail.ne1.yahoo.com> References: <1395379527.21155.YahooMailNeo@web126203.mail.ne1.yahoo.com> Message-ID: On Thu, Mar 20, 2014 at 11:25 PM, jim bell wrote: > > http://www.engadget.com/2014/03/20/mt-gox-apparently-found-200-000-bitcoin-in-an-old-wallet-shoul/?ncid=txtlnkusaolp00000589 > > "In a bit of news that's familiar to anyone who ever put on an old jacket > and found $20 in the pocket, embattled Bitcoin exchange Mt. Gox has made a > fortuitous discovery. The company announced (PDF) in > Japan that it found 200,000 Bitcoin (worth nearly $116 million at the > moment) in a wallet from 2011 that it no longer used. That's less than a > quarter of the 850,000 Bitcoins CEO Mark Karpeles reported were missing, > but at the moment, at least it's something. According to its statement, the > coins were moved to online wallets on the 7th, and then to offline wallets > on the 14th and 15th. The mystery of what happened to Mt. Gox's funds is > still far from solved, but between this news and reports of updated balances > for account holders, > it seems possible that there's something to be recovered from the shuttered > exchange. Next up, removing all of the cushions from the sofa and pulling > it away from the wall." > > > If that doesn't inspire confidence in you, I don't know what will! Honestly, I really wonder what would happen if some developers who understand financial cryptography and how banks properly work built a real bitcoin exchange. Considering how well it has done with incompetents like this, I'm betting a properly programmed and vetted system may be quite successful. Too bad I don't have 200,000 BTC to do just that. -- Kelly John Rose Twitter: @kjrose Skype: kjrose.pr Gtalk: iam at kjro.se MSN: msn at kjro.se Document contents are confidential between original recipients and sender. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 5013 bytes Desc: not available URL: From jya at pipeline.com Fri Mar 21 05:20:08 2014 From: jya at pipeline.com (John Young) Date: Fri, 21 Mar 2014 08:20:08 -0400 Subject: Dynasty of Compromised Comsec and Legal Protection Message-ID: The marriage of flexible legal protections and malleable comsec is a venerable dynasty of compromise. From iam at kjro.se Fri Mar 21 08:30:54 2014 From: iam at kjro.se (Kelly John Rose) Date: Fri, 21 Mar 2014 09:30:54 -0600 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: References: <1395379527.21155.YahooMailNeo@web126203.mail.ne1.yahoo.com> Message-ID: But wouldn't that lead to... *SHOCK* fractional reserves! On Fri, Mar 21, 2014 at 8:36 AM, Sylvester Liang wrote: > Try asking gox if they lend you the 200,000 BTC to do that. > > > On Fri, Mar 21, 2014 at 7:50 PM, Kelly John Rose wrote: > >> On Thu, Mar 20, 2014 at 11:25 PM, jim bell wrote: >> >>> >>> http://www.engadget.com/2014/03/20/mt-gox-apparently-found-200-000-bitcoin-in-an-old-wallet-shoul/?ncid=txtlnkusaolp00000589 >>> >>> "In a bit of news that's familiar to anyone who ever put on an old >>> jacket and found $20 in the pocket, embattled Bitcoin exchange Mt. Gox has >>> made a fortuitous discovery. The company announced (PDF) in >>> Japan that it found 200,000 Bitcoin (worth nearly $116 million at the >>> moment) in a wallet from 2011 that it no longer used. That's less than a >>> quarter of the 850,000 Bitcoins CEO Mark Karpeles reported were missing, >>> but at the moment, at least it's something. According to its statement, the >>> coins were moved to online wallets on the 7th, and then to offline wallets >>> on the 14th and 15th. The mystery of what happened to Mt. Gox's funds is >>> still far from solved, but between this news and reports of updated balances >>> for account holders, >>> it seems possible that there's something to be recovered from the shuttered >>> exchange. Next up, removing all of the cushions from the sofa and pulling >>> it away from the wall." >>> >>> >>> >> If that doesn't inspire confidence in you, I don't know what will! >> >> Honestly, I really wonder what would happen if some developers who >> understand financial cryptography and how banks properly work built a real >> bitcoin exchange. Considering how well it has done with incompetents like >> this, I'm betting a properly programmed and vetted system may be quite >> successful. >> >> Too bad I don't have 200,000 BTC to do just that. >> >> -- >> Kelly John Rose >> Twitter: @kjrose >> Skype: kjrose.pr >> Gtalk: iam at kjro.se >> MSN: msn at kjro.se >> >> Document contents are confidential between original recipients and sender. >> > > -- Kelly John Rose Edmonton, AB Phone: +1 587 982-4104 Twitter: @kjrose Skype: kjrose.pr Gtalk: iam at kjro.se MSN: msn at kjro.se Document contents are confidential between original recipients and sender. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 6506 bytes Desc: not available URL: From iam at kjro.se Fri Mar 21 08:44:11 2014 From: iam at kjro.se (Kelly John Rose) Date: Fri, 21 Mar 2014 09:44:11 -0600 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: <3459624.CSoC9HjDX7@lap> References: <1395379527.21155.YahooMailNeo@web126203.mail.ne1.yahoo.com> <3459624.CSoC9HjDX7@lap> Message-ID: On Fri, Mar 21, 2014 at 8:59 AM, rysiek wrote: > Dnia piątek, 21 marca 2014 08:20:02 Kelly John Rose pisze: > > On Thu, Mar 20, 2014 at 11:25 PM, jim bell > wrote: > > > > http://www.engadget.com/2014/03/20/mt-gox-apparently-found-200-000-bitcoin > > > -in-an-old-wallet-shoul/?ncid=txtlnkusaolp00000589 > > > > > > "In a bit of news that's familiar to anyone who ever put on an old > jacket > > > and found $20 in the pocket, embattled Bitcoin exchange Mt. Gox has > made a > > > fortuitous discovery. The company announced > > > (PDF) in > Japan > > > that it found 200,000 Bitcoin (worth nearly $116 million at the moment) > > > in a wallet from 2011 that it no longer used. That's less than a > quarter > > > of the 850,000 Bitcoins CEO Mark Karpeles reported were missing, but at > > > the moment, at least it's something. According to its statement, the > > > coins were moved to online wallets on the 7th, and then to offline > > > wallets on the 14th and 15th. The mystery of what happened to Mt. Gox's > > > funds is > > > still far from solved, but between this news and reports of updated > > > balances for account > > > holders >, > > > it seems possible that there's something to be recovered from the > > > shuttered exchange. Next up, removing all of the cushions from the sofa > > > and pulling it away from the wall." > > > > If that doesn't inspire confidence in you, I don't know what will! > > > > Honestly, I really wonder what would happen if some developers who > > understand financial cryptography and how banks properly work built a > real > > bitcoin exchange. Considering how well it has done with incompetents like > > this, I'm betting a properly programmed and vetted system may be quite > > successful. > > I'm betting the exactly other way. "First to the market" and some snakeoil > usually, unfortunately, win by leaps and bounds with "well-designed and > properly implemented". > > -- > Pozdr > rysiek Snakeoil will be good at sucking money out of suckers with more dollars than sense. Bitcoin, or some other cryptocurrency, really does have potential as a way to grease the gears of international finance or micropayments, but not really as a complete currency replacement in my opinion. The problem here is that there is no legitimate or reasonable way to buy into the market without going through these snakeoil-like dealers. -- Kelly John Rose Twitter: @kjrose Skype: kjrose.pr Gtalk: iam at kjro.se MSN: msn at kjro.se Document contents are confidential between original recipients and sender. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 4240 bytes Desc: not available URL: From rysiek at hackerspace.pl Fri Mar 21 02:55:58 2014 From: rysiek at hackerspace.pl (rysiek) Date: Fri, 21 Mar 2014 10:55:58 +0100 Subject: "I hunt sysadmins" In-Reply-To: References: <37FF1E5D-8489-43D1-A7F0-E40A18AB5F14@sbce.org> Message-ID: <155048758.30WIuK4xdd@lap> Dnia czwartek, 20 marca 2014 23:53:00 coderman pisze: > On Thu, Mar 20, 2014 at 10:54 PM, Scott Blaydes wrote: > > ... how about blocking all federal government IPs for 24 hours? > > QUANTUMTHEORY means if they're in path you're fucked. ;) As far as I understand the idea, blocking would not aim at making it impossible for the NSA to listen-in; instead, it would be a retaliatory tactic, a way of saying "fuck you, we do not like what you're doing". Think of it as a trade embargo. But it would require a lot of balls from these companies. Balls which (I have a hunch) people like Zuckerberg might lack. -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From rysiek at hackerspace.pl Fri Mar 21 03:04:43 2014 From: rysiek at hackerspace.pl (rysiek) Date: Fri, 21 Mar 2014 11:04:43 +0100 Subject: To Tor or not to Tor? Message-ID: <3735791.WCR3VjPavv@lap> Hi there, As I am running a local cryptoparty and do a lot of basic encryption/privacy talks and workshops, I am often recommending Tor as one of the means of protecting one's privacy and yes, even security (for example, by running a hidden service and making it possible for users not to leave the darknet). Of course it's far from being enough, and I make that very clear. But lately I got to wonder if using Tor does more harm than good? If the NSA can impersonate any IP on the planet, they can impersonate any Tor node; tis has two important consequences: 1. they know when you're using Tor, and can flag you accordingly, and (for example) deliver some nastiness when (not "if"!) they get the chance, because "when you have something to hide..." 2. they can guess with high probability whom are you communicating with; they don't have to break encryption, it's enough they listen-in and see that a Tor packet from your IP to Node A is x bytes; a packet from Node A to Node B is x-( header + Tor encryption layer size ) bytes, and so on. So, is using Tor today doing more harm than good? Would ordinary Joe Schmoes be far better of not using Tor? How about more high-profile targets, like activists/hacktivists, etc? -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From eric at konklone.com Fri Mar 21 11:17:02 2014 From: eric at konklone.com (Eric Mill) Date: Fri, 21 Mar 2014 14:17:02 -0400 Subject: Using some crypto to make gov't dataset identifiers better Message-ID: So this is a little different from the usual fare here, but my colleague Tom Lee at the Sunlight Foundation has been thinking about using basic cryptographic concepts to convince governments to publish more unique identifiers in their datasets -- even when the identifiers they have in their *databases* is sensitive (like SSNs). The problem of anonymizing unique data is in some senses easier than others here, because in some gov't contexts, making things personally identifiable isn't the problem -- the *intent* is to publish personally identifiable, connect-able information, like for campaign donors and lobbyists. So the Mosaic Effect (de-anonymizing Netflix data) is less of a concern. Depends on the problem, though. After talking about it on a coupleof lists, Tom blogged it up: http://sunlightfoundation.com/blog/2014/03/20/a-little-math-could-make-identifiers-a-whole-lot-better/ Your feedback would be very welcome, either here or in public fora. Of course, convincing government agencies to actually do this sort of thing might be a challenge, but there's a lot of levels and branches of government out there - you never know who might lead the way. -- Eric -- konklone.com | @konklone -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1868 bytes Desc: not available URL: From rysiek at hackerspace.pl Fri Mar 21 07:59:52 2014 From: rysiek at hackerspace.pl (rysiek) Date: Fri, 21 Mar 2014 15:59:52 +0100 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: References: <1395379527.21155.YahooMailNeo@web126203.mail.ne1.yahoo.com> Message-ID: <3459624.CSoC9HjDX7@lap> Dnia piątek, 21 marca 2014 08:20:02 Kelly John Rose pisze: > On Thu, Mar 20, 2014 at 11:25 PM, jim bell wrote: > > http://www.engadget.com/2014/03/20/mt-gox-apparently-found-200-000-bitcoin > > -in-an-old-wallet-shoul/?ncid=txtlnkusaolp00000589 > > > > "In a bit of news that's familiar to anyone who ever put on an old jacket > > and found $20 in the pocket, embattled Bitcoin exchange Mt. Gox has made a > > fortuitous discovery. The company announced > > (PDF) in Japan > > that it found 200,000 Bitcoin (worth nearly $116 million at the moment) > > in a wallet from 2011 that it no longer used. That's less than a quarter > > of the 850,000 Bitcoins CEO Mark Karpeles reported were missing, but at > > the moment, at least it's something. According to its statement, the > > coins were moved to online wallets on the 7th, and then to offline > > wallets on the 14th and 15th. The mystery of what happened to Mt. Gox's > > funds is > > still far from solved, but between this news and reports of updated > > balances for account > > holders, > > it seems possible that there's something to be recovered from the > > shuttered exchange. Next up, removing all of the cushions from the sofa > > and pulling it away from the wall." > > If that doesn't inspire confidence in you, I don't know what will! > > Honestly, I really wonder what would happen if some developers who > understand financial cryptography and how banks properly work built a real > bitcoin exchange. Considering how well it has done with incompetents like > this, I'm betting a properly programmed and vetted system may be quite > successful. I'm betting the exactly other way. "First to the market" and some snakeoil usually, unfortunately, win by leaps and bounds with "well-designed and properly implemented". -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From iam at kjro.se Fri Mar 21 15:53:05 2014 From: iam at kjro.se (Kelly John Rose) Date: Fri, 21 Mar 2014 16:53:05 -0600 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: <20140321213911.E1F212280A4@palinka.tinho.net> References: <20140321213911.E1F212280A4@palinka.tinho.net> Message-ID: Does anyone have their contact info? On Fri, Mar 21, 2014 at 3:39 PM, wrote: > > > Try asking gox if they lend you the 200,000 BTC to do that. > > If serious, ask the Winklevoss Twins. > > --dan > > -- Kelly John Rose Edmonton, AB Phone: +1 587 982-4104 Twitter: @kjrose Skype: kjrose.pr Gtalk: iam at kjro.se MSN: msn at kjro.se Document contents are confidential between original recipients and sender. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1021 bytes Desc: not available URL: From dan at geer.org Fri Mar 21 14:39:11 2014 From: dan at geer.org (dan at geer.org) Date: Fri, 21 Mar 2014 17:39:11 -0400 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: Your message of "Fri, 21 Mar 2014 20:06:35 +0530." Message-ID: <20140321213911.E1F212280A4@palinka.tinho.net> > Try asking gox if they lend you the 200,000 BTC to do that. If serious, ask the Winklevoss Twins. --dan From coderman at gmail.com Fri Mar 21 19:25:27 2014 From: coderman at gmail.com (coderman) Date: Fri, 21 Mar 2014 19:25:27 -0700 Subject: [cryptography] Compromised Sys Admin Hunters and Tor In-Reply-To: References: <3735791.WCR3VjPavv@lap> Message-ID: On Fri, Mar 21, 2014 at 5:01 AM, John Young wrote: > Sys admins catch you hunting them and arrange compromises > to fit your demands so you can crow about how skilled you are. > Then you hire them after being duped as you duped to be hired. everything old is new again, betrayals for lucre, for lust, for fame, for fear, ... this is why some technology consumers demand independent validation[0] to confirm to their own eyes if design matches intent; if operation matches assurance. how can you even trust the word of a third party verifying integrity if you can't determine integrity yourself? caution: this line of reasoning leads to long dependencies... ;) > The lead Tor designer reportedly (via Washington Post) had a > session with NSA to brief on how to compromise it, although > "compromise" was not used nor is the word used by > gov-com-org-edu. > > http://cryptome.org/2013/10/nsa-tor-dingledine.htm the beauty of privacy, like freedom, is that it floats all boats. [ i may not agree with what you do with free, uncensored communication, yet i code and toil for your ability to communicate regardless. ] in all seriousness, what you describe at the root of things: systems that are inherently and fundamentally compromising, if you have the right adversary, if you have the right resources, is absolutely true! in industry speak this is characterized in terms of "risk management". in military, aimed at a higher common denominator, yet fundamentally just as vulnerable (built to a more competent attacker. a larger resource stream.) there are defeatists a plenty, having looked around the state of things, and fall to nothing but despair. i think it is reasonable to demand complete transparency and utmost correctness and reliability in these technologies we depend on. that's a radically different future than what we have now or can think of in terms of current engineering capabilities. never the less, a future worth aiming toward! finally, to your mention of the meeting with NSA, this is interesting from a reversing the adversary's perspective. [since presumably Roger does not hold clearance of course, this is all treating Roger as hostile witness!] let's review it: --- Roger Dingledine at NSA NOV 2007 ... >> Contents >> 1 (U) Talk by Roger Dingledine at NSA, 11/01/2007 at R&E (Sponsored by NSA RT) >> o 1.1 (U) Who are TOR Customers? >> o 1.2 (U) Anonymity System Concepts >> o 1.3 (U) TOR Issues the usual culprits. >> (U) Talk by Roger Dingledine at NSA, 11/01/2007 at R&E (Sponsored by NSA RT) next time ask for them to sponsor bridges, obfuscated proxies, and fast exits? :) [only half in jest, as QUANTUMSQUIRREL would also make a great single, large exit for entire Tor network as has been mentioned in the past! constantly changing set of address space would avoid censorship and blocking into and out of the network. (though i would _only_ use NSANet as a obfuscated proxy first hop to hidden services or as last hop exit relay to clearnet where they occurr no where else along my circuit.)] >> (U) Roger Dingledine, now of Torproject.org, was one of the principle inventors or TOR. Current usage statistics quoted are 200K users and 1K servers. When asked about trends, he had no concrete data - Being a non-profit open-source effort, the collector of statistics has not been active recently. now there are metrics :) https://metrics.torproject.org/ >> (U) The obligatory "Anonymity is not equal to Cryptography" and "Anonymity is not equal to Steganography" admonishments were given early on. >> (U) Who are TOR Customers? >> (U) Mr. Dingledine mentioned that the way TOR is spun is dependent on who the "spinee" is. Using the typical (in the cryptography world), Alice and Bob as communicants, he described several Alices: >> (U) 1. Blogger Alice, who wants to be able to write to a blog in an anonymous way. >> (U) 2. 8 yr. old Alice, who wants to be able to post to sites for children in a way insuring her true name and location are not discovered. >> (U) 3. Sick Alice, who want to research information on her illness on the Internet while not enabling anyone to determine her true name and location. >> (U) 4. Consumer Alice, who wants to research possible purchases without having a database of her marketing habits being built without (or with her weak) consent. >> (U) 5. Oppressed Alice, who lives in a repressive country (no or limited free speech) and wants to talk about things contrary to her governments positions. The countries he used as examples were France, Germany (prohibitions on fascist writings?) and the US (not sure what he meant here?). >> (U) 6. Turning to "Business Alice", we had examples of companies not wanting to give up their business secrets to competitors via their Internet usage patterns. An anecdote was given of some business getting a different HTML page displayed when the same URL was accessed with and without TOR. >> (U) 7. "Law Enforcement Alice" was concerned with the ability of anonymous agents/informants to really main anonymous when contacting their law enforcement ties. communicating a message to be best received by the audience. Roger's had some practice! again, the beauty of anonymity is that it floats all boats... [e.g. magically getting mutually distrusting, even opposed entities to cooperate on a shared goal.] >> (U) Anonymity System Concepts >> (U) Running ones own anonymity service vs. Using a 3rd party service: If one uses one's own service, its pretty obvious who the user is :-) >> (U) Low Latency Anonymity Service vs. High Latency Anonymity Service: The difference is in how paranoid someone really is. In a Low Latency Anonymity Service (all common proxies, TOR, others), there is a rerouting through some number of proxies, but there is no attempt to reorder packets or artificially introduce latencies. The result is something which can be used for most web and instant messaging / chat applications with only minimal notice of delays by the user. In a high latency service, proxies attempt to randomly reorder an delay packet so that it is harder to track traffic. Such systems are really only useful for such protocols as email. >> (U) The most recent and advanced High Latency anonymity service was the /*MixMinion*/ family of open source projects. Mr. Dingledine was one of the key developers of these. His opinion is that the very limited utility of such projects has caused them to wither on the vine. He does *not* see any major development in such services for other than research in the forseeable future. Another key point is that the degree of anonymity in any system is proportional to the number of users. If noone is using any of the high latency systems, why bother. This proportionality is one of the ideas Mr. Dingledine refers to as a /tension/ in the world of anonymity systems. yup, a nice summation. from here it gets a bit more interesting... >> (U) TOR Issues >> (U) The short description of TOR for the reader is as follows: The user, via his/her TOR client, queries one of 5 directory servers for the current list of TOR nodes. Using metrics such as availability and bandwidth in conjunction with random choice, a set of 3 proxies is chosen for a "circuit". It is this circuit which is used, with a unique layer of encryption on each link, for anonymous Internet interactions. >> (U) The lifetime of a circuit, a tuneable parameter, is another /tension/, this one specific to TOR. The longer the circuit life, the more various traffic that may transit it, forming a knowable relationship between the traffic streams. Too short of a lifetime means too much time/CPU is spent building circuits. The original default lifetime was 30 seconds but is now 10 minutes. Everything is tweakable in TOR, so a user if free to choose his/her own circuit lifetime. But this is dangerous, as a unique circuit lifetime could easily become a user identification feature :-). note the knowing, smily face at end. they either had started on or already had the ability to detect anomalous circuits, likely based around active/targeted DoS among who knows how many other possibilities they've been working on since "Tor stinks" :-) unfortunately anything further that would be useful would also be classified and thus not in this doc. [pointers and future articles solicited!] >> (U) Mr. Dingeldine was asked about the concrete choice of a 3-long circuit. This is unlikely to change soon, as it appears to be a very suitable tradeoff. >> (U) The mention of SOCKS proxies, such as /*Privoxy*/ as a bump in the chain before TOR was mentioned. These proxies can intercept and cleanup things such as cookies to further help anonymity. back to boring fact taking again... *yawn* >> (U) The current "owner" of TOR is torproject.org, a US registerd 501(C) non-profit organization, of which Mr. Dingledine is a principal. In addition to specific technology issues such as scaling, other categories of work are: >> (U) 1. Usability (Targetting the ability of other than tech-savvy users to embrace the technology) it has become so much better since 2007! >> 2. Incentives (Trying to get more people to run TOR servers) great progress here too, i think. >> 3. Design for Scalability/Decentralization >> 3a. Regarding scalability of the TOR network, Mr. Dingledine proffered the guess that 2000-3000 is a rough upper limit on the number of nodes in the pool before a new topology may be advised. >> 3b. Decentralization means less reliance on a very small set of trusted Directory Servers (curently 5) robust decentralized systems, still fucking hard in 2014! >> 4. Continued research on attacks and the mitigation thereof. >> 5. Continued provision of documentation and user technical support. that's it. one bone, in the whole unclassified pile. so where's the docs with the circa 2011/2012 state-of-the-art Tor attacks? :) From coderman at gmail.com Fri Mar 21 19:49:51 2014 From: coderman at gmail.com (coderman) Date: Fri, 21 Mar 2014 19:49:51 -0700 Subject: To Tor or not to Tor? In-Reply-To: <3735791.WCR3VjPavv@lap> References: <3735791.WCR3VjPavv@lap> Message-ID: On Fri, Mar 21, 2014 at 3:04 AM, rysiek wrote: > Hi there, > > As I am running a local cryptoparty and do a lot of basic encryption/privacy > talks and workshops, I am often recommending Tor as one of the means of > protecting one's privacy and yes, even security speaking as a security enthusiasts and attending venues where hostile networks are expected and common, i can sum up my personal position as: 1. Tor has worked in environments where no other communication could. this includes situations where everything not-Tor was blocked or actively attacked. for this reason alone i believe it is an indispensable tool in the security practitioner's toolbox. 2. Exit nodes should be considered hostile. you'll be wrong most of the time (by design) but it doesn't hurt to remember that plain-text is not only observed but trivially manipulated through exit relays. 3. Defense in depth! Not only do 0day happen, but also accidents, oversights, catastrophes, the slow march of time... This can mean running a live Tor distro like Tails or constructing a series of isolated VMs for research on Qubes with a Tor Proxy VM. as for the concerns about identifying Tor users, the latest Tor bundles and Tails image have support for obfuscated proxies into the Tor network and other bridges. if Tor use alone is a concern, you're doing OPSEC wrong and/or living where obfuscated proxies are necessary. best regards, From boyscity at gmail.com Fri Mar 21 07:32:16 2014 From: boyscity at gmail.com (Sylvester Liang) Date: Fri, 21 Mar 2014 20:02:16 +0530 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: <1395379527.21155.YahooMailNeo@web126203.mail.ne1.yahoo.com> References: <1395379527.21155.YahooMailNeo@web126203.mail.ne1.yahoo.com> Message-ID: Just shows that gox was run by a bunch of unprofessional bunch. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 117 bytes Desc: not available URL: From boyscity at gmail.com Fri Mar 21 07:36:35 2014 From: boyscity at gmail.com (Sylvester Liang) Date: Fri, 21 Mar 2014 20:06:35 +0530 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: References: <1395379527.21155.YahooMailNeo@web126203.mail.ne1.yahoo.com> Message-ID: Try asking gox if they lend you the 200,000 BTC to do that. On Fri, Mar 21, 2014 at 7:50 PM, Kelly John Rose wrote: > On Thu, Mar 20, 2014 at 11:25 PM, jim bell wrote: > >> >> http://www.engadget.com/2014/03/20/mt-gox-apparently-found-200-000-bitcoin-in-an-old-wallet-shoul/?ncid=txtlnkusaolp00000589 >> >> "In a bit of news that's familiar to anyone who ever put on an old jacket >> and found $20 in the pocket, embattled Bitcoin exchange Mt. Gox has made a >> fortuitous discovery. The company announced (PDF) in >> Japan that it found 200,000 Bitcoin (worth nearly $116 million at the >> moment) in a wallet from 2011 that it no longer used. That's less than a >> quarter of the 850,000 Bitcoins CEO Mark Karpeles reported were missing, >> but at the moment, at least it's something. According to its statement, the >> coins were moved to online wallets on the 7th, and then to offline wallets >> on the 14th and 15th. The mystery of what happened to Mt. Gox's funds is >> still far from solved, but between this news and reports of updated balances >> for account holders, >> it seems possible that there's something to be recovered from the shuttered >> exchange. Next up, removing all of the cushions from the sofa and pulling >> it away from the wall." >> >> >> > If that doesn't inspire confidence in you, I don't know what will! > > Honestly, I really wonder what would happen if some developers who > understand financial cryptography and how banks properly work built a real > bitcoin exchange. Considering how well it has done with incompetents like > this, I'm betting a properly programmed and vetted system may be quite > successful. > > Too bad I don't have 200,000 BTC to do just that. > > -- > Kelly John Rose > Twitter: @kjrose > Skype: kjrose.pr > Gtalk: iam at kjro.se > MSN: msn at kjro.se > > Document contents are confidential between original recipients and sender. > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 5578 bytes Desc: not available URL: From adam at cypherspace.org Fri Mar 21 12:12:53 2014 From: adam at cypherspace.org (Adam Back) Date: Fri, 21 Mar 2014 20:12:53 +0100 Subject: anyone have libtech archives? Message-ID: <20140321191253.GA7452@netbook.cypherspace.org> For old cpunks, who may have been subscribed to libtech: I am curious to lookup some discussion around b-money, bit-gold those parts which were not posted on cpunks at the time. This would be like 1997-2005 say. (I believe it is different to, or an earlier incarnation of the libertech list, at least the archives on that list dont go back that far.) (Presuming that it was not a private/invite only list! If so offlist doc drop:) Adam From dan at geer.org Fri Mar 21 19:53:31 2014 From: dan at geer.org (dan at geer.org) Date: Fri, 21 Mar 2014 22:53:31 -0400 Subject: [cryptography] Compromised Sys Admin Hunters and Tor In-Reply-To: Your message of "Fri, 21 Mar 2014 19:25:27 PDT." Message-ID: <20140322025332.048E22280B3@palinka.tinho.net> At this point, one can but humbly remember John 8:7, ...He that is without sin among you, let him first cast a stone... --dan From cathalgarvey at cathalgarvey.me Fri Mar 21 17:34:07 2014 From: cathalgarvey at cathalgarvey.me (Cathal Garvey) Date: Sat, 22 Mar 2014 00:34:07 +0000 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: References: <20140321213911.E1F212280A4@palinka.tinho.net> Message-ID: <532CDA7F.4010805@cathalgarvey.me> You're doing it wrong if you don't make your pitch as a series of blocks added to the blockchain. On 21/03/14 22:53, Kelly John Rose wrote: > Does anyone have their contact info? > > > On Fri, Mar 21, 2014 at 3:39 PM, wrote: > >> >> > Try asking gox if they lend you the 200,000 BTC to do that. >> >> If serious, ask the Winklevoss Twins. >> >> --dan >> >> > > -- T: @onetruecathal, @IndieBBDNA P: +3538763663185 W: http://indiebiotech.com -------------- next part -------------- A non-text attachment was scrubbed... Name: 0x988B9099.asc Type: application/pgp-keys Size: 6176 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 901 bytes Desc: OpenPGP digital signature URL: From scott at sbce.org Fri Mar 21 22:35:40 2014 From: scott at sbce.org (Scott Blaydes) Date: Sat, 22 Mar 2014 00:35:40 -0500 Subject: Compromised Sys Admin Hunters and Tor In-Reply-To: References: <3735791.WCR3VjPavv@lap> Message-ID: <7CC69605-7886-4282-A3CE-1E33B48B7951@sbce.org> On Mar 21, 2014, at 7:01 AM, John Young wrote: > Sys admins catch you hunting them and arrange compromises > to fit your demands so you can crow about how skilled you are. > Then you hire them after being duped as you duped to be hired. > I guess I am odd or just not skilled. I don’t really want to spend more time admining boxes/networks just to keep out the people who work for me and are supposed to protect me. Setting up honeypots so I can catch the NSA? No overtime for that. The idea of having the option to spend time away from the computer is nice. Hell, I am trying to housebreak a new puppy, I don’t have time to housebreak the NSA also. Scott -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 842 bytes Desc: Message signed with OpenPGP using GPGMail URL: From scott at sbce.org Fri Mar 21 23:04:28 2014 From: scott at sbce.org (Scott Blaydes) Date: Sat, 22 Mar 2014 01:04:28 -0500 Subject: To Tor or not to Tor? In-Reply-To: <3735791.WCR3VjPavv@lap> References: <3735791.WCR3VjPavv@lap> Message-ID: On Mar 21, 2014, at 5:04 AM, rysiek wrote: > 1. they know when you're using Tor, and can flag you accordingly, and (for > example) deliver some nastiness when (not "if"!) they get the chance, > because "when you have something to hide…” The old argument for convincing people to use crypto when they “have nothing to hide” was the postal analogy. Do you send your snail mail in an envelope? If you have nothing to hide why not use postcards? The idea is that if you are sending everything encrypted, when you do have something to hide it doesn’t stand out. Now people use envelopes for privacy and out of convention. If everyone did the same thing with crypto,used it for privacy and out of convention, intelligence agencies wouldn’t be able flag suspicious communications easily. Sorry, not really a “to Tor or not to Tor” answer, but something I remember using in the past. Scott -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 842 bytes Desc: Message signed with OpenPGP using GPGMail URL: From scott at sbce.org Fri Mar 21 23:23:32 2014 From: scott at sbce.org (Scott Blaydes) Date: Sat, 22 Mar 2014 01:23:32 -0500 Subject: "I hunt sysadmins" In-Reply-To: <20140321111755.7F6452280D7@palinka.tinho.net> References: <20140321111755.7F6452280D7@palinka.tinho.net> Message-ID: <643BC0CD-2772-42D8-A573-F1F6596AF838@sbce.org> On Mar 21, 2014, at 6:17 AM, dan at geer.org wrote: > > | DNSBL for known intelligence community IPs? Sure they rotate a lot, but > | if we can make the cost of doing business higher and higher with no real > | benefit, someone should eventually cut the funding. Start tracking what > | companies are providing IP services via contract and then blacklist the > | IP blocks of those companies. I really don't care if I ever get an > | email from Stratfor or they ever visit any of my sites. > | > | Had the idea all of about 60 seconds before trying to write it down, so > | I am sure I am forgetting something (or somethings). > > > This is the future, Sir, a dramatically balkanized Internet. > What you suggest is what many, perhaps most, countries wish > at the level of state policy. > > 12mars.rsf.org/2014-en/enemies-of-the-internet-2014-entities-at-the-he > art-of-censorship-and-surveillance/ > > Today is the golden age of search. Savor it. > > --dan > If the traffic is garbage (NSA fake social media accounts, intrusion attempts) what is the difference from stopping spam or bonnet traffic? Is some intel operative’s traffic wanted anymore than the 419 spam from kids from a 3rd world country in a cyber cafe? I guess I don’t see this as censorship since I am blocking due to the type of traffic, not what is being said. There are already some programs that block traffic to and from known malware sites, who cares if the malware comes from the NSA or Ethiopia’s Information Network Security Agency? Maybe John McAfee needs to take his company back and release something that really tries to protect you. Buy the Platinum Edition and get a free suppressor! (Offer not valid in Belize) -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 842 bytes Desc: Message signed with OpenPGP using GPGMail URL: From stephan.neuhaus at tik.ee.ethz.ch Fri Mar 21 22:59:52 2014 From: stephan.neuhaus at tik.ee.ethz.ch (Stephan Neuhaus) Date: Sat, 22 Mar 2014 06:59:52 +0100 Subject: [cryptography] Compromised Sys Admin Hunters and Tor In-Reply-To: References: <3735791.WCR3VjPavv@lap> Message-ID: <532D26D8.2@tik.ee.ethz.ch> On 2014-03-22, 04:28, Nico Williams wrote: > Insiders are always your biggest threat. I'm always interested in empirical evidence for the things that we believe to be true. Do you have any? Fun, Stephan From hozer at hozed.org Sat Mar 22 08:29:39 2014 From: hozer at hozed.org (Troy Benjegerdes) Date: Sat, 22 Mar 2014 10:29:39 -0500 Subject: [cryptography] Compromised Sys Admin Hunters and Tor In-Reply-To: <20140322025332.048E22280B3@palinka.tinho.net> References: <20140322025332.048E22280B3@palinka.tinho.net> Message-ID: <20140322152939.GH3180@nl.grid.coop> On Fri, Mar 21, 2014 at 10:53:31PM -0400, dan at geer.org wrote: > > At this point, one can but humbly remember John 8:7, > > ...He that is without sin among you, let him first cast a stone... For then I shall cast a stone upon myself, for I have commited the gravest of sins upon the altar of transparency and rule of law I have signed a non-disclosure agreement[*] [*] dislaimer: Due to recent publicly documented leaks, any information I may or may not have agreed to not disclose may or may not be copied, duplicated, archived, and disclosed to unauthorized third parties, including, but not limited to government agents, private contractors, and ethical rogue sysadmins From hozer at hozed.org Sat Mar 22 08:43:04 2014 From: hozer at hozed.org (Troy Benjegerdes) Date: Sat, 22 Mar 2014 10:43:04 -0500 Subject: Using some crypto to make gov't dataset identifiers better In-Reply-To: References: Message-ID: <20140322154304.GI3180@nl.grid.coop> On Fri, Mar 21, 2014 at 02:17:02PM -0400, Eric Mill wrote: > So this is a little different from the usual fare here, but my colleague > Tom Lee at the Sunlight Foundation has been thinking about using basic > cryptographic concepts to convince governments to publish more unique > identifiers in their datasets -- even when the identifiers they have in > their *databases* is sensitive (like SSNs). > > The problem of anonymizing unique data is in some senses easier than others > here, because in some gov't contexts, making things personally identifiable > isn't the problem -- the *intent* is to publish personally identifiable, > connect-able information, like for campaign donors and lobbyists. So the > Mosaic Effect (de-anonymizing Netflix data) is less of a concern. Depends > on the problem, though. > > After talking about it on a > coupleof > lists, > Tom blogged it up: > > http://sunlightfoundation.com/blog/2014/03/20/a-little-math-could-make-identifiers-a-whole-lot-better/ > > Your feedback would be very welcome, either here or in public fora. Of > course, convincing government agencies to actually do this sort of thing > might be a challenge, but there's a lot of levels and branches of > government out there - you never know who might lead the way. I need a reliable identifier to implement http://minco.me/ Now the next question is it mathematically possible to come up with a reliable and deterministic way of creating a public PII (identifier) with a distributed system? What if, instead of government agencies, we had Notary Publics sign a document with a 'secret' nonce to create the PII? ---------------------------------------------------------------------------- Troy Benjegerdes 'da hozer' hozer at hozed.org 7 elements earth::water::air::fire::mind::spirit::soul grid.coop Never pick a fight with someone who buys ink by the barrel, nor try buy a hacker who makes money by the megahash From rysiek at hackerspace.pl Sat Mar 22 02:52:05 2014 From: rysiek at hackerspace.pl (rysiek) Date: Sat, 22 Mar 2014 10:52:05 +0100 Subject: To Tor or not to Tor? In-Reply-To: References: <3735791.WCR3VjPavv@lap> Message-ID: <1720534.dfrF402S2Z@lap> Dnia sobota, 22 marca 2014 01:04:28 Scott Blaydes pisze: > On Mar 21, 2014, at 5:04 AM, rysiek wrote: > > 1. they know when you're using Tor, and can flag you accordingly, and (for > > > > example) deliver some nastiness when (not "if"!) they get the chance, > > because "when you have something to hide…” > > The old argument for convincing people to use crypto when they “have nothing > to hide” was the postal analogy. Do you send your snail mail in an > envelope? If you have nothing to hide why not use postcards? The idea is > that if you are sending everything encrypted, when you do have something to > hide it doesn’t stand out. Now people use envelopes for privacy and out of > convention. If everyone did the same thing with crypto,used it for privacy > and out of convention, intelligence agencies wouldn’t be able flag > suspicious communications easily. > > Sorry, not really a “to Tor or not to Tor” answer, but something I remember > using in the past. I am well aware of this argument, and I use it often. My question here is different: with all the info we have about Snowden, QUANTUM, etc, and with the number of Tor users today, AND with some Tor design choices (like: not padding the packets so that each packet, regardless of between which nodes it is sent and how many encryption layers have already beed removed -- has the same length, which would make it that much harder to do traffic analysis), is it PRACTICALLY REALLY better to use Tor, OR does it get people flagged and exploited in other ways? For Joe Schmoe, is it better to use Tor, or to hide in the noise? I guess one part of the question is the fact that NSA probably doesn't really have to break encryption, they just need info on who is communicating with whom, exploit one of these endpoints and get all the unencrypted logs, data, etc they want. -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From hozer at hozed.org Sat Mar 22 08:55:10 2014 From: hozer at hozed.org (Troy Benjegerdes) Date: Sat, 22 Mar 2014 10:55:10 -0500 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: References: <1395379527.21155.YahooMailNeo@web126203.mail.ne1.yahoo.com> Message-ID: <20140322155510.GJ3180@nl.grid.coop> On Fri, Mar 21, 2014 at 08:20:02AM -0600, Kelly John Rose wrote: > On Thu, Mar 20, 2014 at 11:25 PM, jim bell wrote: > > > > > http://www.engadget.com/2014/03/20/mt-gox-apparently-found-200-000-bitcoin-in-an-old-wallet-shoul/?ncid=txtlnkusaolp00000589 > > > > "In a bit of news that's familiar to anyone who ever put on an old jacket > > and found $20 in the pocket, embattled Bitcoin exchange Mt. Gox has made a > > fortuitous discovery. The company announced (PDF) in > > Japan that it found 200,000 Bitcoin (worth nearly $116 million at the > > moment) in a wallet from 2011 that it no longer used. That's less than a > > quarter of the 850,000 Bitcoins CEO Mark Karpeles reported were missing, > > but at the moment, at least it's something. According to its statement, the > > coins were moved to online wallets on the 7th, and then to offline wallets > > on the 14th and 15th. The mystery of what happened to Mt. Gox's funds is > > still far from solved, but between this news and reports of updated balances > > for account holders, > > it seems possible that there's something to be recovered from the shuttered > > exchange. Next up, removing all of the cushions from the sofa and pulling > > it away from the wall." > > > > > > > If that doesn't inspire confidence in you, I don't know what will! > > Honestly, I really wonder what would happen if some developers who > understand financial cryptography and how banks properly work built a real > bitcoin exchange. Considering how well it has done with incompetents like > this, I'm betting a properly programmed and vetted system may be quite > successful. > > Too bad I don't have 200,000 BTC to do just that. WTF, seriously... What crypto-nerds fail to understand is human-factors, and use-of-force, because properly run BANKS call in guys with guns when money gets stolen, and if it's stolen electronically, transactions get reversed. If you think MtGox is incompetent, then show me the fucking code of a better exchange, or shut the fuck up. If you think you need 'money' to build such a thing, then you have even less of a grasp on the human factors than the banks do on cryptographic secrets. If you think you need 'money' to write a better exchange, then you are just another crypto-snake-oil salesman, and are WORSE than Gox, who at least gave us a good example of failure. However, if you want to put your code (and failures) where your mouth is, I'll give you free room and board if you show me good code, and an honest effort to learn from failure. Nowhere in this exchange is money involved. -- ---------------------------------------------------------------------------- Troy Benjegerdes 'da hozer' hozer at hozed.org 7 elements earth::water::air::fire::mind::spirit::soul grid.coop Never pick a fight with someone who buys ink by the barrel, nor try buy a hacker who makes money by the megahash From iam at kjro.se Sat Mar 22 13:15:35 2014 From: iam at kjro.se (Kelly John Rose) Date: Sat, 22 Mar 2014 14:15:35 -0600 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: <402906430.408005.1395511502206.JavaMail.www@wwinf8309> References: <1395379527.21155.YahooMailNeo@web126203.mail.ne1.yahoo.com> <20140322155510.GJ3180@nl.grid.coop> <402906430.408005.1395511502206.JavaMail.www@wwinf8309> Message-ID: On Saturday, March 22, 2014, wrote: > > Message du 22/03/14 17:28 > > De : "Troy Benjegerdes" > > If you think you need 'money' to write a better exchange, then you are > just > > another crypto-snake-oil salesman, and are WORSE than Gox, who at least > gave > > us a good example of failure. > > > > However, if you want to put your code (and failures) where your mouth is, > > I'll give you free room and board if you show me good code, and an honest > > effort to learn from failure. Nowhere in this exchange is money involved. > > Most of the guys willing to create a new exchange are figuring they need > to pay a team of professional C programmers if they want their system > working without hacks, because lately 90% of coders barely get through with > Python, lol. > Having worked on some complex banking and accounting systems before, I know there is a lot more to the equation than simple coding up some crappy ruby code and putting fixes in place whenever it doesn't quite do what you want. Financial cryptography is expensive to do mostly because there is a strong need to not only implement good code, but also make sure the engineering is done correctly the first time and that it has the expensive physical security to back it up. -- Kelly John Rose Edmonton, AB Phone: +1 587 982-4104 Twitter: @kjrose Skype: kjrose.pr Gtalk: iam at kjro.se MSN: msn at kjro.se Document contents are confidential between original recipients and sender. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2021 bytes Desc: not available URL: From dan at geer.org Sat Mar 22 12:21:28 2014 From: dan at geer.org (dan at geer.org) Date: Sat, 22 Mar 2014 15:21:28 -0400 Subject: fractional reserves (was Re: Gox) In-Reply-To: The Vernal Equinox, 16:57 UTC 20 March 2014 Message-ID: <20140322192128.A508D2280F5@palinka.tinho.net> It was quoted: > "Injections in coin are most useful (enough to run the exchange) but > some cash is also needed to not run a fractional reserve" Those who find BitCoin interesting and wish it was more like world class banking will perhaps also be interested in this (de-html-ized) description of what that means: 21stcenturywire.com/2014/03/21/the-latest-heist-us-quietly-snatches-the-ukraines-gold-reserves/ The Latest Heist: US Quietly Snatches the Ukraine's Gold Reserves March 21, 2014 As the dust settles in Kiev, another money trail has been revealed... According to reports out of Kiev (see links below), the US has quietly transfers 33 tons of Ukrainian gold out of the country and back to vaults in the US. Presumably, this sovereign wealth transfer would be counted as partial "collateral" for a fresh round of IMF, US FED, and ECB paper debt that is currently being organised for dumping into the Ukraine's economic black hole. Multiple inquiries to US Federal Reserve administrators into the location of the Ukraine's gold have been met with the proverbial `pass the buck', making tracking and tracking the final resting place of these 33 tonnes very difficult indeed - but one can expect that the NY Fed is probably the institution who has masterminded this financial heist. Note how gold flows into New York, but has difficulty flowing out of US private banking hands as is the case with the `confiscation' of Germany's gold. Numerous attempts by Bundesbank to repatriate its gold reserves have been met with a brick wall, and to date, Germany has only recovered a miniscule 5 tonnes directly from the NY Fed - out of the total 674 tonnes (an additional 32 tonnes were recovered via French central bank). It's worth pointing out here that when NATO sacked Libya in 2011, one of the first items that came into question was the gold in Libya's state-run central bank. Prior to the NATO takeover of that country, Libya had one of the highest per capita gold reserves in the world, alongside Lebanon, giving Libya a distinct advantage should it carry out former Libyan leader Muammar Muhammad al-Gaddafi's long-term financial transition to a gold-backed Libyan Dinar. As you can imagine, this is no longer the case in Tripoli. Additionally, like Libya, both Syria and Iran are two of the world's last remaining nation states who both have state-run central banks and gold reserves which fall outside of the world's private central banking syndicate. Needless to say, you can see an obvious pattern emerging here. And the story continues... The Big Lie + What Happened To Ukraine's Gold? By PM Fund Manager Dave Kranzler Investment Research Dynamics The Big Lie is that Central Banks don't care about gold. Nothing could be further from the truth. Ben Bernanke, more than once, claimed that he didn't understand gold. When Ron Paul asked Bernanke in front of Congress why Central Banks own gold if it's irrelevant, Bernanke flippantly suggested that it was out of tradition. In both cases Bernanke was lying and he knew it. In comparison, Greenspan seemed to have some respect for the laws of economics and - at least that I can recall - never would outright state that gold was not an economic factor. Greenspan lied as much as Bernanke did about everything else but he never committed himself to lie about gold. Most of you have probably read Greenspan's 1966 essay, "Gold and Economic Freedom" (linked). I have read it several times because it explains as well as anything out there why gold works as a currency and why Government-issued fiat currency does not. What I find amazing about The Big Lie about Central Banks and gold is that if gold really is considered to be irrelevant, the how come Central Banks - especially the Fed - are so secretive about their gold storage and trading activities? What's even more amazing is that no one other than Ron Paul and GATA asks them about this. Think about it. GATA spent a lot of money on legal fees attempting to get the Fed to publicly disclose its records related to the Fed's gold activities. The Fed spent even more money denying GATA's quest. And how come the Fed won't submit to a public, independent audit of its gold vaults? This brings me to the issue of the Ukraine's gold. According to public records, the Government of Ukraine owns 33 tonnes of gold that was being safekept in Ukraine. Last week a Ukrainian newspaper reported that acting PM Arseny Yatsenyuk ordered the transfer of that gold to the United States. The actual report is here: LINK. Jesse's Cafe Americain provided a translated version here: LINK. On the assumption that the report is true, and so far I have not seen any commentary or articles suggesting it is not true, the biggest question is, how come the U.S. has absolutely no problem loading up and transporting 33 tonnes of gold from Ukraine to the U.S. but seems to have difficulty loading up and transporting any of Germany's gold from New York to Berlin? And how come the U.S. and Ukraine seem to care about that gold at all, if indeed gold is irrelevant? It would seem that it would be a lot less expensive and logistically complicated just to have the U.S. military post a few armed guards around the gold if they're worried about theft. On the other hand, I'm sure Putin would be happy to buy the gold from Ukraine. What makes the story even more interesting is that GATA's Chris Powell has spent considerable time trying to get an answer to the question of whether or not the U.S. has taken custody of Ukraine's gold. When he queried the NY Fed, they responded with: "A spokesman for the New York Fed said simply: "Any inquiry regarding gold accounts should be directed to the account holder. You may want to contact the National Bank of Ukraine to discuss this report" (LINK). After trying for two days to get an answer from the U.S. State Department, they finally responded by referring him to the NY Fed (LINK). The final piece in verifying that the report is true is deflection from Ukraine. Mr. Powell has queried the National Bank of Ukraine, the Ukrainian Embassy in DC, and the Ukrainian mission to the UN in NYC. Crickets. As Chris states the case: "The difficulty in getting a straight answer here is pretty good evidence that the Ukrainian gold indeed has been sent to the United States." Unfortunately, it is likely that the citizens of Ukraine will end up paying the same price for allowing the U.S. to "safekeep" their sovereign gold. That price is the comforting knowledge that their gold has been delivered safely to vaults in China under U.S./UK bullion bank contractual delivery obligations, where it will be locked away for centuries. From demonfighter at gmail.com Sat Mar 22 13:56:46 2014 From: demonfighter at gmail.com (Steve Furlong) Date: Sat, 22 Mar 2014 16:56:46 -0400 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: References: <1395379527.21155.YahooMailNeo@web126203.mail.ne1.yahoo.com> <20140322155510.GJ3180@nl.grid.coop> <402906430.408005.1395511502206.JavaMail.www@wwinf8309> Message-ID: On Sat, Mar 22, 2014 at 4:15 PM, Kelly John Rose wrote: > Financial cryptography is expensive to do mostly because > ... make sure the engineering is done correctly the first time If you're going to jump straight in to the real world of real money, yes. But you can take baby steps, running a service with limited clients and limited amounts, or with play money. Wasn't that part of the appeal of MtGox, that it had been running as an exchange for years, before getting into the BitCoin world? I think the assumption was that they seemed to know what they were doing, so it was safe enough to use them for trading BTC and "real" money. (Note that I never had anything to do with MtGox, or indeed with BitCoin. This was not so much a matter of crypto paranoia as a matter of mortgage, three kids, and a wife who won't stop spending.) -- Neca eos omnes. Deus suos agnoscet. -- Arnaud-Amaury, 1209 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1253 bytes Desc: not available URL: From coderman at gmail.com Sat Mar 22 18:10:58 2014 From: coderman at gmail.com (coderman) Date: Sat, 22 Mar 2014 18:10:58 -0700 Subject: Fwd: [RNG] Haveged - A Simple Entropy Daemon In-Reply-To: References: <20140322193813.GP29711@subspacefield.org> Message-ID: fwd, and added comment at end about a "upstream distribution" of repute. ---------- Forwarded message ---------- From: coderman Date: Sat, Mar 22, 2014 at 6:06 PM Subject: Re: [RNG] Haveged - A Simple Entropy Daemon To: Brad Martin On Sat, Mar 22, 2014 at 5:44 PM, Brad Martin wrote: > ... > When great HWRNG is working, it can be damned difficult to find the > signatures - but they're always there. Even in the best case, cryptographers > must whiten, if only to scramble those signatures. But the magic is in that > underlying raw data - so unpredictable! this too, a much longer discussion. we are in agreement, though one point: when FreeBSD decided against direct use of _both_ RDRAND and XSTORE, it was not an equal dismissal. RDRAND is specifically, and intentionally designed without direct access to the physical entropy sources, while XSTORE allows direct access to a userspace entropy daemon through the MSR configuration bits. XSTORE in raw mode, to userspace entropy daemon (rngd) that continously monitors for catastrophic failure (as above), and then _conservatively_ digests and folds the entropy before adding to OS kernel entropy pool is a robust configuration. RDRAND and RDSEED inherently crippled - if you had to pick a design, you would pick raw access with open and independent validation of run-time behavior with configurable conservative'ness as you so chose. instead, NIST and FIPS push _hard_ on opaque designs without raw access. in turn, US Gov pushes vendors hard for NIST/FIPS compliance. this is just one stream of influence working against the interest of users and strong privacy. if you really want to do entropy without repute: 1.: it starts with development and distribution, where every host and runtime is seeded with distinct mastering entropy that is mixed on first boot.** 2.: every physical host contains two (redundant) physical entropy sources run in continuous verification with immediate halt/panic on dual physical source failure. 3.: opportunistic entropy gathering daemons also running on host including haveged, dakarand, and kernel interrupt and activity scavenging. 4.: virtio-random device support feed into guest OSes from host entropy pool. (Qemu, KVM, Vbox, etc.) 5.: at shutdown of physical host entropy state is saved to FDE protected root volume for re-incorporation into entropy state on next start. 6.: as signal of care, in all mastering images and runtime ensure that /dev/urandom links to /dev/random special device. 7.: use the strace to confirm in every application that appropriate entropy from /dev/*random is read when generating keys or nonces. [post to HN when confused about key length equivalences and application level entropy pools...] ** your distribution in turn is fully reproducible, and the builder of your images provides you an installation image signed by them, including all the other public sigs, and including the per-instance entropy, the entirety of which is then also signed again. you exchanged keys in person at some point in the past, to get your first copy of $secure_distro, and have been using meatspace authenticated keys ever since... From coderman at gmail.com Sat Mar 22 18:56:04 2014 From: coderman at gmail.com (coderman) Date: Sat, 22 Mar 2014 18:56:04 -0700 Subject: secure anonymous decentralized systems [was: "Whew, wondered where we'd put those 200,000 BTC!"] Message-ID: this thread needs more violin and cutting one's self. my comments on this familiar lament inline,... On Sat, Mar 22, 2014 at 6:14 PM, Lodewijk andré de la porte wrote: > ... > The sad part is that I got scared away from [storing value on-line] ... > > I spent days feeling sick because I couldn't figure out a way to do > exchanges distributed over sufficiently geographically disperse points to > avoid trouble with a single government going mad. Then I realized the > Megaupload situation means that any US-ally country is susceptible to a > planned US-exercise. > > Once I found that I cannot trust maybe 150 countries in the world with the > rest being mostly unsuitable, that turned into a bit of a problem... > > Then you realize you're still not physically secure. The server itself is a > hotbox of 100% exposure... > > If you let the box call homes first (homes is the list of other servers) it > can use it's already present crypto to prevent any possible MITM or > listening in. So that's good. Problem is a little liquid nitrogen, > connection on a bus or firewire port, etc. is enough to make the server > bleed information faster than the Titanic ate water. So you have to cut the > firefire connections (USB is okay and convenient AFAIC) and heat-conductive > epoxy the motherboard, RAM and a good margin around the CPU too (use a > taller and wider cooler than usual). Maybe even run some wires through it to > measure breach. > > Then you find out Intel's chips have all sorts of hyperintelligence on it to > allow "remote administration" which just blew my fucking mind halfway across > the galaxy. [ED:. yes, it really is this bad!] > > Once you have your physical platform you have to make sure the software is > okay. I found that it's entirely impossible to not trust your compiler. And > the likelihood of cutting yourself is way too high with low level languages. > ... But you have to, because you can't do better. ... > > By now I'm a week further in worrying and researching, I'm sweating more at > night, I don't feel comfortable using my own computer anymore, I don't > understand why the world isn't a chaotic place where no computer ever is not > hacked out of it's guts. I realize it's probably because nobody is motivated > and smart enough to go through the effort, and then also doesn't get caught > except for those that'd pay a high price to hide their capabilities, which > is why you'd never notice. it's like a pair of glasses you put on, and can't take off! " i see vulns, everywhere! " ;P > Knowing all this I quite damn well decided I couldn't make a secure and > reliable centralized exchange. No distributed exchange would earn me a > profit, which I'd need to produce more software to help other people's life > better, so that wouldn't really help either. Aside from the fact that it > would not be popular because it'd be slower and less easy than a "central" > exchange. see also stealthy dopant level trojans, beam-steering TEMPEST, and you've seen much the same as i on my excursion down what it takes to build "secure anonymous decentralized systems". ( decentralized meaning that every node potentially equal, which means that every threat model a node might experience must be defended, which means you're building to the absolute hardest target, which means you've adopted multiple nation state attackers into scope, which means you're building something entirely unlike what we currently have or know how to build, and absolutely a long way from here...) wanna help? just working on the pieces is useful! [see also, not getting discouraged and giving up. *grin*] > Overall I decided I respect greatly the people that take on this challenge. > This was over a year ago. have you gone through the NSA TAO and SSO catalog? this is a great resource for putting some technical capability around the threat models above, and building test systems able to carry out attacks like those above. (for testing. in a test environment. of course :) > Looking at the hacks that happen I'm mostly shocked to find the level of > stupidity. Shocked as much to see how long things just go on without > significant trouble. and you wonder why USGov is trying to beat miscreants into submission with CFAA life destruction. everyone is passing the security buck, DA gotta do something... [this is just one of many poor trends.] > MtGox failing because money dissapeared over the > years... That was shocking at an unbelievable level. you must be new to interwebs? see also, every blackhat doxing crew since ever. > ... The list goes on. see also, every blackhat doxing crew since ever. > So I think I'm capable of making an exchange platform that's far better than > what's out there right now. And I will once I have time (I really don't have > it right now, life is such a fuzz). > > I still question if it'd be used by anyone. But at least I can try. don't do it. instead, build software secure and usable enough that every average user can be their own exchange and bank without falling prey to haxxors or stupidity. oh, someone told me that i'm depressing the hackers with my realism and please try to make the self hurt less desirable, so here, my real world cover is goat farmer: https://peertech.org/files/totes-coders-goats.jpg [ i hope that didn't reduce my anonymity set too much! ] -------------- next part -------------- A non-text attachment was scrubbed... Name: totes-coders-goats.jpg Type: image/jpeg Size: 30727 bytes Desc: not available URL: From coderman at gmail.com Sat Mar 22 19:01:51 2014 From: coderman at gmail.com (coderman) Date: Sat, 22 Mar 2014 19:01:51 -0700 Subject: this looks like a fun conference In-Reply-To: References: Message-ID: On Sat, Mar 22, 2014 at 6:31 PM, Cari Machet wrote: > The Expo > The exposition will be unclassified and will consist of a two day event as > an adjunct to the SIGINT Conference. The conference sessions will be > conducted in a classified area in close proximity to the exhibits. how big can a pelican case be before it attracts unwanted attention, you think? i tried to dress a 2750 as an AWESOME-O robot, alas, the attempted fondlings and frotterage gave it away... From tpb-crypto at laposte.net Sat Mar 22 11:05:02 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Sat, 22 Mar 2014 19:05:02 +0100 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: <20140322155510.GJ3180@nl.grid.coop> References: <1395379527.21155.YahooMailNeo@web126203.mail.ne1.yahoo.com> <20140322155510.GJ3180@nl.grid.coop> Message-ID: <402906430.408005.1395511502206.JavaMail.www@wwinf8309> > Message du 22/03/14 17:28 > De : "Troy Benjegerdes" > If you think you need 'money' to write a better exchange, then you are just > another crypto-snake-oil salesman, and are WORSE than Gox, who at least gave > us a good example of failure. > > However, if you want to put your code (and failures) where your mouth is, > I'll give you free room and board if you show me good code, and an honest > effort to learn from failure. Nowhere in this exchange is money involved. Most of the guys willing to create a new exchange are figuring they need to pay a team of professional C programmers if they want their system working without hacks, because lately 90% of coders barely get through with Python, lol. From blibbet at gmail.com Sat Mar 22 19:19:34 2014 From: blibbet at gmail.com (Blibbet) Date: Sat, 22 Mar 2014 19:19:34 -0700 Subject: citizen privacy groups? Message-ID: <532E44B6.1070501@gmail.com> Hi, We're trying to build a list of contacts to (city,county,state,county)-based privacy groups, to see if a multi-city coalition would be helpful. We have private contacts that we're hoping to shortly have a mailing list setup, so they can communicate better. Below is current list I'm aware of. There's many cities that I can't find groups for; are things really that bad? :-( If you have a contact at one of these groups, please contact me off-list! Thanks! Lee ---------- Seattle Privacy https://www.seattleprivacy.org/ Oakland Privacy http://oaklandwiki.org/Oakland_Privacy_Working_Group Los Angeles: Stop LAPD Spying Coalition http://stoplapdspying.org/ Oregon: https://twitter.com/OregonPrivacy Austin, Texas: EFF Austin http://effaustin.org/about/ http://twitter.com/EFFaustin https://www.facebook.com/eff.austin Texas: Texas Electronic Privacy Coalition http://txepc.org/ Texas: Restore the Fourth ATX https://twitter.com/Restore4thATX http://restorethe4th.com/ https://www.facebook.com/RestoreThe4thAustin New York:The Calyx Institute https://calyxinstitute.org/ Germany: list of local AK Vorrat (German Working Group on Data Retention) groups https://wiki.vorratsdatenspeicherung.de/Ortsgruppen Cologne, Germany: http://cologne.stopwatchingus.info/demo-12-april/en.html ---------- From iam at kjro.se Sat Mar 22 19:58:07 2014 From: iam at kjro.se (Kelly John Rose) Date: Sat, 22 Mar 2014 20:58:07 -0600 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: <1260891211.239945.1395540842017.JavaMail.www@wwinf8308> References: <1395379527.21155.YahooMailNeo@web126203.mail.ne1.yahoo.com> <20140322155510.GJ3180@nl.grid.coop> <1260891211.239945.1395540842017.JavaMail.www@wwinf8308> Message-ID: On Sat, Mar 22, 2014 at 8:14 PM, wrote: > There's a reason computer security professionals are amongst the most well > paid employees which big corporations and rich governments only can hire. This is probably the most accurate statement I've read around this silliness in months. -- Kelly John Rose Twitter: @kjrose Skype: kjrose.pr Gtalk: iam at kjro.se MSN: msn at kjro.se Document contents are confidential between original recipients and sender. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1108 bytes Desc: not available URL: From dan at geer.org Sat Mar 22 20:14:37 2014 From: dan at geer.org (dan at geer.org) Date: Sat, 22 Mar 2014 23:14:37 -0400 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: Your message of "Sun, 23 Mar 2014 03:14:02 BST." <1260891211.239945.1395540842017.JavaMail.www@wwinf8308> Message-ID: <20140323031437.E1ABF2280B9@palinka.tinho.net> It were write that: > You are in the same boat of Karpeles and Ulbricht, they also were > barely able to code some interpreted language and they were overwhelmed > by the intricacies of the systems they were building. Until they > finally brought disaster for themselves and everyone that depended > on them. True but inevitable. Humans can design systems more complex than they can then operate. The financial sector's "flash crashes" are one, but only one, public proof-by-demonstration of that fact. I predict that the fifty interlocked insurance exchanges for Obamacare will be another. It is likely that any cryptocurrency exchange that is center-free and self-mobile is harder still. The HTTP Archive says that the average web page now makes out-references to 16 different domains as well as making 17 Javascript requests per page, and the Javascript byte count is five times the HTML byte count. Above some threshold of system complexity, it is no longer possible to test, it is only possible to react to emergent behavior. Even the lowliest Internet user is involved -- on the top level page for a major news site, I found 400 out-references to 85 unique domains each of which is similarly constructed. If you leave those pages up, then because most such pages have an auto-refresh, moving your ass to a new subnet signals to every single advertising network that you have done so. --dan From juan.g71 at gmail.com Sat Mar 22 19:28:53 2014 From: juan.g71 at gmail.com (Juan Garofalo) Date: Sat, 22 Mar 2014 23:28:53 -0300 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: References: <1395379527.21155.YahooMailNeo@web126203.mail.ne1.yahoo.com> <20140322155510.GJ3180@nl.grid.coop> Message-ID: --On Sunday, March 23, 2014 2:14 AM +0100 Lodewijk andré de la porte wrote: > > Looking at the hacks that happen I'm mostly shocked to find the level of > stupidity. Shocked as much to see how long things just go on without > significant trouble. MtGox failing because money dissapeared over the > years... That was shocking at an unbelievable level. Unbelievable because it's bullshit. Just like the last piece of news saying that they magically 'found' 200k btc. From carimachet at gmail.com Sat Mar 22 18:31:51 2014 From: carimachet at gmail.com (Cari Machet) Date: Sun, 23 Mar 2014 01:31:51 +0000 Subject: this looks like a fun conference Message-ID: *The Expo* The exposition will be unclassified and will consist of a two day event as an adjunct to the SIGINT Conference. The conference sessions will be conducted in a classified area in close proximity to the exhibits. *The Conference* This classified conference will focus on the preeminent intelligence issues facing those who are tasked with SIGINT as part of their mission. Over 1500 participants from the US intelligence community and throughout the world will attend this conference. https://www.fbcinc.com/event.aspx/Q6UJ9A00YDM3 -- Cari Machet NYC 646-436-7795 carimachet at gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1724 bytes Desc: not available URL: From l at odewijk.nl Sat Mar 22 18:14:01 2014 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Sun, 23 Mar 2014 02:14:01 +0100 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: <20140322155510.GJ3180@nl.grid.coop> References: <1395379527.21155.YahooMailNeo@web126203.mail.ne1.yahoo.com> <20140322155510.GJ3180@nl.grid.coop> Message-ID: 2014-03-22 16:55 GMT+01:00 Troy Benjegerdes : > If you think MtGox is incompetent, then show me the fucking code of a > better > exchange, or shut the fuck up. If you think you need 'money' to build such > a thing, then you have even less of a grasp on the human factors than the > banks do on cryptographic secrets. > The sad part is that I got scared away from the exchange business because I thought it would be nearly impossible to get it 100% secure. And if it were less then 100% secure, how could I take people's money? I spent days feeling sick because I couldn't figure out a way to do exchanges distributed over sufficiently geographically disperse points to avoid trouble with a single government going mad. Then I realized the Megaupload situation means that any US-ally country is susceptible to a planned US-exercise. Once I found that I cannot trust maybe 150 countries in the world with the rest being mostly unsuitable, that turned into a bit of a problem. Suddenly you find yourself thinking about how to get servers up in Iran, Irak, India?, Morocco?, Laos?, Vietnam?, Cuba, Russia, China, North Korea (scratch that) and maybe Iceland and some micronations. You're thinking you can't trust others to set up the server, and you don't want the costs, exposure and actual unsafety that comes with visiting all America's enemies so you'll end up shipping wholesome servers to be loaded straight into a rack. Then you realize you're still not physically secure. The server itself is a hotbox of 100% exposure. It's exceedingly unusual to want a physically dispersed leaderless secure computing cluster with hot failover of a large portion of servers (>49% is impossible, can't determine if you're being fucked in the BGP). If you let the box call homes first (homes is the list of other servers) it can use it's already present crypto to prevent any possible MITM or listening in. So that's good. Problem is a little liquid nitrogen, connection on a bus or firewire port, etc. is enough to make the server bleed information faster than the Titanic ate water. So you have to cut the firefire connections (USB is okay and convenient AFAIC) and heat-conductive epoxy the motherboard, RAM and a good margin around the CPU too (use a taller and wider cooler than usual). Maybe even run some wires through it to measure breach. I have some additional ideas that are better obscure than open, but you get the level of obnoxious. It's still not secure yet though, and that bothers me a lot. Then you find out Intel's chips have all sorts of hyperintelligence on it to allow "remote administration" which just blew my fucking mind halfway across the galaxy. "Dear NSA, have a backdoor into any PC that has a NIC. Thank you for making us the industry leader, Kind regards\nX\nIntel". So I'm thinking you'll probably want the beefiest ARM processor or maybe even AMD (have to do more research). Of course a wiretap could expose the magic packets, to prevent the NSA from being able to launder the exploit as some more simple hack that doesn't point the finger at them. And then their ability here couldn't be used because they want to reserve it for, you know, WW3 time (hey China). Once you have your physical platform you have to make sure the software is okay. I found that it's entirely impossible to not trust your compiler. And the likelihood of cutting yourself is way too high with low level languages. I've so far permitted myself to use Node.js, and I feel plenty bad about that. You can not trust your SSL unit. You can not trust any library or database software. But you have to, because you can't do better. (I did go for OpenBSD, although many things required hand compilation which I wasn't familiar with ) By now I'm a week further in worrying and researching, I'm sweating more at night, I don't feel comfortable using my own computer anymore, I don't understand why the world isn't a chaotic place where no computer ever is not hacked out of it's guts. I realize it's probably because nobody is motivated and smart enough to go through the effort, and then also doesn't get caught except for those that'd pay a high price to hide their capabilities, which is why you'd never notice. Knowing all this I quite damn well decided I couldn't make a secure and reliable centralized exchange. No distributed exchange would earn me a profit, which I'd need to produce more software to help other people's life better, so that wouldn't really help either. Aside from the fact that it would not be popular because it'd be slower and less easy than a "central" exchange. Overall I decided I respect greatly the people that take on this challenge. This was over a year ago. Looking at the hacks that happen I'm mostly shocked to find the level of stupidity. Shocked as much to see how long things just go on without significant trouble. MtGox failing because money dissapeared over the years... That was shocking at an unbelievable level. The first thing would be a BIG CLOCK in the office, showing total supposed amount of Bitcoin according to the servers and the total amount supposedly in wallets according to the Blockchain. If not that than at least an alarm on a dedicated phone, e-mails and a message on the admin interface (if you have one). Somehow they had none of those. I'm amazed. This is just an aspect. They run Ubuntu (thick stack linux) and PHP (thick stack webserver), which are illogical choices. The list goes on. So I think I'm capable of making an exchange platform that's far better than what's out there right now. And I will once I have time (I really don't have it right now, life is such a fuzz). I still question if it'd be used by anyone. But at least I can try. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 7368 bytes Desc: not available URL: From tpb-crypto at laposte.net Sat Mar 22 19:14:02 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Sun, 23 Mar 2014 03:14:02 +0100 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: References: <1395379527.21155.YahooMailNeo@web126203.mail.ne1.yahoo.com> <20140322155510.GJ3180@nl.grid.coop> Message-ID: <1260891211.239945.1395540842017.JavaMail.www@wwinf8308> > Message du 23/03/14 02:46 > De : "Lodewijk andré de la porte" > A : "Troy Benjegerdes" > Copie à : "cypherpunks at cpunks.org" > Objet : Re: "Whew, wondered where we'd put those 200,000 BTC!" > > 2014-03-22 16:55 GMT+01:00 Troy Benjegerdes : > > > If you think MtGox is incompetent, then show me the fucking code of a > > better > > exchange, or shut the fuck up. If you think you need 'money' to build such > > a thing, then you have even less of a grasp on the human factors than the > > banks do on cryptographic secrets. > > > > The sad part is that I got scared away from the exchange business because I > thought it would be nearly impossible to get it 100% secure. And if it were > less then 100% secure, how could I take people's money? > > I spent days feeling sick because I couldn't figure out a way to do > exchanges distributed over sufficiently geographically disperse points to > avoid trouble with a single government going mad. Then I realized the > Megaupload situation means that any US-ally country is susceptible to a > planned US-exercise. > > Once I found that I cannot trust maybe 150 countries in the world with the > rest being mostly unsuitable, that turned into a bit of a problem. Suddenly > you find yourself thinking about how to get servers up in Iran, Irak, > India?, Morocco?, Laos?, Vietnam?, Cuba, Russia, China, North Korea > (scratch that) and maybe Iceland and some micronations. > > You're thinking you can't trust others to set up the server, and you don't > want the costs, exposure and actual unsafety that comes with visiting all > America's enemies so you'll end up shipping wholesome servers to be loaded > straight into a rack. > > Then you realize you're still not physically secure. The server itself is a > hotbox of 100% exposure. It's exceedingly unusual to want a physically > dispersed leaderless secure computing cluster with hot failover of a large > portion of servers (>49% is impossible, can't determine if you're being > fucked in the BGP). > > If you let the box call homes first (homes is the list of other servers) it > can use it's already present crypto to prevent any possible MITM or > listening in. So that's good. Problem is a little liquid nitrogen, > connection on a bus or firewire port, etc. is enough to make the server > bleed information faster than the Titanic ate water. So you have to cut the > firefire connections (USB is okay and convenient AFAIC) and heat-conductive > epoxy the motherboard, RAM and a good margin around the CPU too (use a > taller and wider cooler than usual). Maybe even run some wires through it > to measure breach. > > I have some additional ideas that are better obscure than open, but you get > the level of obnoxious. It's still not secure yet though, and that bothers > me a lot. > > Then you find out Intel's chips have all sorts of hyperintelligence on it > to allow "remote administration" which just blew my fucking mind halfway > across the galaxy. "Dear NSA, have a backdoor into any PC that has a NIC. > Thank you for making us the industry leader, Kind regards\nX\nIntel". So > I'm thinking you'll probably want the beefiest ARM processor or maybe even > AMD (have to do more research). Of course a wiretap could expose the magic > packets, to prevent the NSA from being able to launder the exploit as some > more simple hack that doesn't point the finger at them. And then their > ability here couldn't be used because they want to reserve it for, you > know, WW3 time (hey China). > > Once you have your physical platform you have to make sure the software is > okay. I found that it's entirely impossible to not trust your compiler. And > the likelihood of cutting yourself is way too high with low level > languages. I've so far permitted myself to use Node.js, and I feel plenty > bad about that. You can not trust your SSL unit. You can not trust any > library or database software. But you have to, because you can't do better. > (I did go for OpenBSD, although many things required hand compilation which > I wasn't familiar with ) > > By now I'm a week further in worrying and researching, I'm sweating more at > night, I don't feel comfortable using my own computer anymore, I don't > understand why the world isn't a chaotic place where no computer ever is > not hacked out of it's guts. I realize it's probably because nobody is > motivated and smart enough to go through the effort, and then also doesn't > get caught except for those that'd pay a high price to hide their > capabilities, which is why you'd never notice. > > Knowing all this I quite damn well decided I couldn't make a secure and > reliable centralized exchange. No distributed exchange would earn me a > profit, which I'd need to produce more software to help other people's life > better, so that wouldn't really help either. Aside from the fact that it > would not be popular because it'd be slower and less easy than a "central" > exchange. > > Overall I decided I respect greatly the people that take on this challenge. > This was over a year ago. > > > Looking at the hacks that happen I'm mostly shocked to find the level of > stupidity. Shocked as much to see how long things just go on without > significant trouble. MtGox failing because money dissapeared over the > years... That was shocking at an unbelievable level. The first thing would > be a BIG CLOCK in the office, showing total supposed amount of Bitcoin > according to the servers and the total amount supposedly in wallets > according to the Blockchain. If not that than at least an alarm on a > dedicated phone, e-mails and a message on the admin interface (if you have > one). Somehow they had none of those. I'm amazed. This is just an aspect. > They run Ubuntu (thick stack linux) and PHP (thick stack webserver), which > are illogical choices. The list goes on. > > > So I think I'm capable of making an exchange platform that's far better > than what's out there right now. And I will once I have time (I really > don't have it right now, life is such a fuzz). > > I still question if it'd be used by anyone. But at least I can try. > I can't answer to all your concerns separately as it seems you have got one very big problem: you are into computers, but you have trouble compiling - merely compiling - programs for OpenBSD. You are in the same boat of Karpeles and Ulbricht, they also were barely able to code some interpreted language and they were overwhelmed by the intricacies of the systems they were building. Until they finally brought disaster for themselves and everyone that depended on them. In order to grasp the seriousness of things, you gotta start with something simpler which doesn't require so many security skills, like games. Then you build up your knowledge until one day you can make your own exchange. But until that point, it is irresponsible to try as you have well noticed. Regarding the rest of your concerns, everything can be dealt with properly, but it takes years of learning. There's a reason computer security professionals are amongst the most well paid employees which big corporations and rich governments only can hire. From l at odewijk.nl Sat Mar 22 19:49:04 2014 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Sun, 23 Mar 2014 03:49:04 +0100 Subject: secure anonymous decentralized systems [was: "Whew, wondered where we'd put those 200,000 BTC!"] In-Reply-To: References: Message-ID: 2014-03-23 2:56 GMT+01:00 coderman : > have you gone through the NSA TAO and SSO catalog? The day it was leaked. Made a writeup on a list too. Massive amount of stuff. I was happy it leaked, I was saying that they *must* be doing that for *years*. At least, to everyone who wouldn't label me a paranoid guy right away. Now they won't label me like that so easily :). don't do it. instead, build software secure and usable enough that > every average user can be their own exchange and bank without falling > prey to haxxors or stupidity. Once I'd have done that I'll be half a year further. If it works out everyone will think it's pretty cool and it'd be totally useless to me otherwise. I can move on to the next thing, but most likely I'll need some money and that'll be the end of the fight for freedom. I much prefer the scenario where the central and quite secure exchange works and half the profit is poured purely into increased security, the other half towards the next projects. If it all bloats up enough there'll be a little horde of people working on those problems I'd have tackled myself years later. In that scenario everyone wins much more. I also still believe I can make it "secure" whatever that means. Pretty much impossible to hack, is the idea. I can't really go into thoughts about how2 distributed secure application right now. It's worth mentioning RetroShare as an existent solution (that's probably not secure at all) and Zero Reserve https://bitcointalk.org/index.php?topic=295930.0. Both attempts at this ideal without any use of those terrible "Interpreted languages" (this sentence is a joke). ttyl -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2746 bytes Desc: not available URL: From l at odewijk.nl Sat Mar 22 19:56:28 2014 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Sun, 23 Mar 2014 03:56:28 +0100 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: <1260891211.239945.1395540842017.JavaMail.www@wwinf8308> References: <1395379527.21155.YahooMailNeo@web126203.mail.ne1.yahoo.com> <20140322155510.GJ3180@nl.grid.coop> <1260891211.239945.1395540842017.JavaMail.www@wwinf8308> Message-ID: 2014-03-23 3:14 GMT+01:00 : > > I can't answer to all your concerns separately as it seems you have got > one very big problem: you are into computers, but you have trouble > compiling - merely compiling - programs for OpenBSD. > Given the amount of unix knowledge involved I don't think that judges me at all. Maybe you judge me for my lack of unix skills, which I would easily admit are lacking. > You are in the same boat of Karpeles and Ulbricht, they also were barely > able to code some interpreted language and they were overwhelmed by the > intricacies of the systems they were building. Until they finally brought > disaster for themselves and everyone that depended on them. > I don't feel comfortable being put at the advanced PHP magic level. I doubt it's fair to my skill. Ulbricht actually did pretty well. Bringing disaster is also avoidable on many different levels. > In order to grasp the seriousness of things, you gotta start with > something simpler which doesn't require so many security skills, like > games. Then you build up your knowledge until one day you can make your own > exchange. > Making games will not help you learn security at all. It might make you learn coding fast and dirty. They're totally different styles. > But until that point, it is irresponsible to try as you have well noticed. Do or do not. There is no try. > Regarding the rest of your concerns, everything can be dealt with > properly, but it takes years of learning. There's a reason computer > security professionals are amongst the most well paid employees which big > corporations and rich governments only can hire. > It's most likely the lack of appeal of a security job. It takes more than learning actually, it takes inventing. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2756 bytes Desc: not available URL: From l at odewijk.nl Sat Mar 22 20:00:49 2014 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Sun, 23 Mar 2014 04:00:49 +0100 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: References: <1395379527.21155.YahooMailNeo@web126203.mail.ne1.yahoo.com> <20140322155510.GJ3180@nl.grid.coop> Message-ID: 2014-03-23 3:28 GMT+01:00 Juan Garofalo : > --On Sunday, March 23, 2014 2:14 AM +0100 Lodewijk andré de la porte > wrote: > > > > > Looking at the hacks that happen I'm mostly shocked to find the level of > > stupidity. Shocked as much to see how long things just go on without > > significant trouble. MtGox failing because money dissapeared over the > > years... That was shocking at an unbelievable level. > > Unbelievable because it's bullshit. Just like the last piece of > news > saying that they magically 'found' 200k btc. > It's easy to think it's a big scam, but it doesn't make sense. If magicaltux wanted to "walk away with the money" he would do better hiring someone else as CEO and then just doing whatever the hell he wanted with his financial returns. In at most 20 years he'd have all the money he just stole, with none of the crime, shaming, etc, legally! He'll truly never be able to launder those "stolen" Bitcoin. The leaked info is incredible, but it's all quite coherent. I haven't made up my mind yet. We'll see it play out. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1808 bytes Desc: not available URL: From tpb-crypto at laposte.net Sat Mar 22 20:16:14 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Sun, 23 Mar 2014 04:16:14 +0100 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: References: <1395379527.21155.YahooMailNeo@web126203.mail.ne1.yahoo.com> <20140322155510.GJ3180@nl.grid.coop> <1260891211.239945.1395540842017.JavaMail.www@wwinf8308> Message-ID: <211033411.240184.1395544573966.JavaMail.www@wwinf8308> > Message du 23/03/14 03:56 > De : "Lodewijk andré de la porte" > A : tpb-crypto at laposte.net > Copie à : "Troy Benjegerdes" , "cypherpunks at cpunks.org" > Objet : Re: "Whew, wondered where we'd put those 200,000 BTC!" > > 2014-03-23 3:14 GMT+01:00 : > > > > > I can't answer to all your concerns separately as it seems you have got > > one very big problem: you are into computers, but you have trouble > > compiling - merely compiling - programs for OpenBSD. > > > > Given the amount of unix knowledge involved I don't think that judges me at > all. Maybe you judge me for my lack of unix skills, which I would easily > admit are lacking. > > > > You are in the same boat of Karpeles and Ulbricht, they also were barely > > able to code some interpreted language and they were overwhelmed by the > > intricacies of the systems they were building. Until they finally brought > > disaster for themselves and everyone that depended on them. > > > > I don't feel comfortable being put at the advanced PHP magic level. I doubt > it's fair to my skill. Ulbricht actually did pretty well. Bringing disaster > is also avoidable on many different levels. > > > > In order to grasp the seriousness of things, you gotta start with > > something simpler which doesn't require so many security skills, like > > games. Then you build up your knowledge until one day you can make your own > > exchange. > > > > Making games will not help you learn security at all. It might make you > learn coding fast and dirty. They're totally different styles. > > > > But until that point, it is irresponsible to try as you have well noticed. > > > Do or do not. There is no try. > > > > Regarding the rest of your concerns, everything can be dealt with > > properly, but it takes years of learning. There's a reason computer > > security professionals are amongst the most well paid employees which big > > corporations and rich governments only can hire. > > > > It's most likely the lack of appeal of a security job. It takes more than > learning actually, it takes inventing. > Many people think that if Facebook and Wikipedia use PHP, then PHP may be secure enough to work with money. Meanwhile raw money provides a much bigger bounty than hacking Facebook or Wikipedia, which probably have security holes in numbers that are orders of magnitude more than any small Bitcoin exchange. That's why properly coded C and Cobol are used by most financial institutions, yes Cobol, as incredible is it may seem, it powers most financial transactions behind fancy web browsers. Because even if a banking system is simpler than a Wikipedia, its security will be tried many, many, many more times than Wikipedia. While a hack into Wikipedia is something to be concerned about, it won't destroy it, while taking all the money away will destroy a business. When I referred to games, I was referring to simpler and non-serious systems that people will try to hack in for fun. If you build such system, any system, that's training for some serious stuff in the future. Ulbricht only knew some PHP coding and looked for help in order to create more advanced stuff, worse yet he had his servers discovered and mirrored and probably exploited before he would even notice it. How can one be so low in their opsec that he doesn't ship a server for colocation with its USB ports desoldered and plied away? Or at least disabled in the firmware? All your concerns are valid, meanwhile think about how you could work around every single one of them and note them down. Then once in a while you review your list, until you have solved most theoretical issues. Then you build a non-serious system and offer bounties for finding exploits and people will find them, because you will never manage to plug all holes and the invader has just to find one hole open. From carimachet at gmail.com Sat Mar 22 21:18:35 2014 From: carimachet at gmail.com (Cari Machet) Date: Sun, 23 Mar 2014 04:18:35 +0000 Subject: this looks like a fun conference In-Reply-To: References: Message-ID: theres a link for how to be an exhibitor and in that case you could probably haul in a truck without anyone a lookin a second time past preferences on trucks: ryder wt ´93 and oklehomie betcha 200,000 bitcoins ya dont know why On Sun, Mar 23, 2014 at 2:01 AM, coderman wrote: > On Sat, Mar 22, 2014 at 6:31 PM, Cari Machet wrote: > > The Expo > > The exposition will be unclassified and will consist of a two day event > as > > an adjunct to the SIGINT Conference. The conference sessions will be > > conducted in a classified area in close proximity to the exhibits. > > > how big can a pelican case be before it attracts unwanted attention, you > think? > > i tried to dress a 2750 as an AWESOME-O robot, > alas, the attempted fondlings and frotterage gave it away... > -- Cari Machet NYC 646-436-7795 carimachet at gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2124 bytes Desc: not available URL: From carimachet at gmail.com Sat Mar 22 21:23:59 2014 From: carimachet at gmail.com (Cari Machet) Date: Sun, 23 Mar 2014 04:23:59 +0000 Subject: citizen privacy groups? In-Reply-To: <532E44B6.1070501@gmail.com> References: <532E44B6.1070501@gmail.com> Message-ID: i have a pretty big list they are usually known globally as transparency groups i will give you access... its on fing google docs but... its a great need for these groups to communicate i agree but i have found people are generally at the same point with things - math there are only so many scenarios... but for them to communicate wld b an amp On Sun, Mar 23, 2014 at 2:19 AM, Blibbet wrote: > Hi, > > We're trying to build a list of contacts to (city,county,state,county)-based > privacy groups, to see if a multi-city coalition would be helpful. We have > private contacts that we're hoping to shortly have a mailing list setup, so > they can communicate better. > > Below is current list I'm aware of. There's many cities that I can't find > groups for; are things really that bad? :-( > > If you have a contact at one of these groups, please contact me off-list! > > Thanks! > Lee > > ---------- > > Seattle Privacy > https://www.seattleprivacy.org/ > > Oakland Privacy > http://oaklandwiki.org/Oakland_Privacy_Working_Group > > Los Angeles: > Stop LAPD Spying Coalition > http://stoplapdspying.org/ > > Oregon: > https://twitter.com/OregonPrivacy > > Austin, Texas: EFF Austin > http://effaustin.org/about/ > http://twitter.com/EFFaustin > https://www.facebook.com/eff.austin > > Texas: Texas Electronic Privacy Coalition > http://txepc.org/ > > Texas: Restore the Fourth ATX > https://twitter.com/Restore4thATX > http://restorethe4th.com/ > https://www.facebook.com/RestoreThe4thAustin > > New York:The Calyx Institute > https://calyxinstitute.org/ > > Germany: > list of local AK Vorrat (German Working Group on Data Retention) > groups > https://wiki.vorratsdatenspeicherung.de/Ortsgruppen > > Cologne, Germany: > http://cologne.stopwatchingus.info/demo-12-april/en.html > > ---------- > > -- Cari Machet NYC 646-436-7795 carimachet at gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 4116 bytes Desc: not available URL: From carimachet at gmail.com Sat Mar 22 21:36:02 2014 From: carimachet at gmail.com (Cari Machet) Date: Sun, 23 Mar 2014 04:36:02 +0000 Subject: citizen privacy groups? In-Reply-To: References: <532E44B6.1070501@gmail.com> Message-ID: so i gave u access to the doc but i wanted to let you know some orgs are just gov transparency targeting specific parts of gov and some i have found not really functioning - very few but after compilation they died so... its where my list is now there are a lot on there tons in germany of course - let me know if you have any questions On Sun, Mar 23, 2014 at 4:23 AM, Cari Machet wrote: > i have a pretty big list they are usually known globally as transparency > groups i will give you access... its on fing google docs but... > > its a great need for these groups to communicate i agree but i have found > people are generally at the same point with things - math there are only so > many scenarios... but for them to communicate wld b an amp > > > On Sun, Mar 23, 2014 at 2:19 AM, Blibbet wrote: > >> Hi, >> >> We're trying to build a list of contacts to (city,county,state,county)-based >> privacy groups, to see if a multi-city coalition would be helpful. We have >> private contacts that we're hoping to shortly have a mailing list setup, so >> they can communicate better. >> >> Below is current list I'm aware of. There's many cities that I can't find >> groups for; are things really that bad? :-( >> >> If you have a contact at one of these groups, please contact me off-list! >> >> Thanks! >> Lee >> >> ---------- >> >> Seattle Privacy >> https://www.seattleprivacy.org/ >> >> Oakland Privacy >> http://oaklandwiki.org/Oakland_Privacy_Working_Group >> >> Los Angeles: >> Stop LAPD Spying Coalition >> http://stoplapdspying.org/ >> >> Oregon: >> https://twitter.com/OregonPrivacy >> >> Austin, Texas: EFF Austin >> http://effaustin.org/about/ >> http://twitter.com/EFFaustin >> https://www.facebook.com/eff.austin >> >> Texas: Texas Electronic Privacy Coalition >> http://txepc.org/ >> >> Texas: Restore the Fourth ATX >> https://twitter.com/Restore4thATX >> http://restorethe4th.com/ >> https://www.facebook.com/RestoreThe4thAustin >> >> New York:The Calyx Institute >> https://calyxinstitute.org/ >> >> Germany: >> list of local AK Vorrat (German Working Group on Data Retention) >> groups >> https://wiki.vorratsdatenspeicherung.de/Ortsgruppen >> >> Cologne, Germany: >> http://cologne.stopwatchingus.info/demo-12-april/en.html >> >> ---------- >> >> > > > -- > Cari Machet > NYC 646-436-7795 > carimachet at gmail.com > AIM carismachet > Syria +963-099 277 3243 > Amman +962 077 636 9407 > Berlin +49 152 11779219 > Reykjavik +354 894 8650 > Twitter: @carimachet > > 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 > > Ruh-roh, this is now necessary: This email is intended only for the > addressee(s) and may contain confidential information. If you are not the > intended recipient, you are hereby notified that any use of this > information, dissemination, distribution, or copying of this email without > permission is strictly prohibited. > > > -- Cari Machet NYC 646-436-7795 carimachet at gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 6113 bytes Desc: not available URL: From tpb-crypto at laposte.net Sat Mar 22 20:55:09 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Sun, 23 Mar 2014 04:55:09 +0100 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: <20140323031437.E1ABF2280B9@palinka.tinho.net> References: Your message of "Sun, 23 Mar 2014 03:14:02 BST." <1260891211.239945.1395540842017.JavaMail.www@wwinf8308> <20140323031437.E1ABF2280B9@palinka.tinho.net> Message-ID: <690328051.240270.1395546909582.JavaMail.www@wwinf8308> > Message du 23/03/14 04:45 > De : dan at geer.org > A : cypherpunks at cpunks.org > Copie à : > Objet : Re: "Whew, wondered where we'd put those 200,000 BTC!" > > > It were write that: > > > You are in the same boat of Karpeles and Ulbricht, they also were > > barely able to code some interpreted language and they were overwhelmed > > by the intricacies of the systems they were building. Until they > > finally brought disaster for themselves and everyone that depended > > on them. > > True but inevitable. Humans can design systems more complex than > they can then operate. The financial sector's "flash crashes" are > one, but only one, public proof-by-demonstration of that fact. I > predict that the fifty interlocked insurance exchanges for Obamacare > will be another. It is likely that any cryptocurrency exchange > that is center-free and self-mobile is harder still. The HTTP > Archive says that the average web page now makes out-references to > 16 different domains as well as making 17 Javascript requests per > page, and the Javascript byte count is five times the HTML byte > count. > > Above some threshold of system complexity, it is no longer possible > to test, it is only possible to react to emergent behavior. Even > the lowliest Internet user is involved -- on the top level page for > a major news site, I found 400 out-references to 85 unique domains > each of which is similarly constructed. If you leave those pages > up, then because most such pages have an auto-refresh, moving your > ass to a new subnet signals to every single advertising network > that you have done so. > > --dan > Your comments naturally lead us to think how to make simple systems, yet functional enough for the purpose we are building them. We are up to a revival in self-made purpose-specific web servers. Learning the few needed protocols and building from the ground up using open-source tools seems the way to go. Notwithstanding hardware issues, using things out of intel and amd seems also to become a trend. From tpb-crypto at laposte.net Sat Mar 22 20:58:39 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Sun, 23 Mar 2014 04:58:39 +0100 Subject: "Whew, wondered where we'd put those 200,000 BTC!" Message-ID: <2055249344.240279.1395547119333.JavaMail.www@wwinf8308> > Message du 23/03/14 04:45 > De : dan at geer.org > A : cypherpunks at cpunks.org > Copie à : > Objet : Re: "Whew, wondered where we'd put those 200,000 BTC!" > > > It were write that: > > > You are in the same boat of Karpeles and Ulbricht, they also were > > barely able to code some interpreted language and they were overwhelmed > > by the intricacies of the systems they were building. Until they > > finally brought disaster for themselves and everyone that depended > > on them. > > True but inevitable. Humans can design systems more complex than > they can then operate. The financial sector's "flash crashes" are > one, but only one, public proof-by-demonstration of that fact. I > predict that the fifty interlocked insurance exchanges for Obamacare > will be another. It is likely that any cryptocurrency exchange > that is center-free and self-mobile is harder still. The HTTP > Archive says that the average web page now makes out-references to > 16 different domains as well as making 17 Javascript requests per > page, and the Javascript byte count is five times the HTML byte > count. > > Above some threshold of system complexity, it is no longer possible > to test, it is only possible to react to emergent behavior. Even > the lowliest Internet user is involved -- on the top level page for > a major news site, I found 400 out-references to 85 unique domains > each of which is similarly constructed. If you leave those pages > up, then because most such pages have an auto-refresh, moving your > ass to a new subnet signals to every single advertising network > that you have done so. > > --dan > Your comments naturally lead us to think how to make simple systems, yet functional enough for the purpose we are building them. KISS is coming back into vogue. We are up to a revival in self-made purpose-specific web servers. Learning the few needed protocols and building from the ground up using open-source tools seems the way to go. Notwithstanding hardware issues, using things out of intel and amd seems also to become a trend. From boyscity at gmail.com Sat Mar 22 19:48:33 2014 From: boyscity at gmail.com (Sylvester Liang) Date: Sun, 23 Mar 2014 08:18:33 +0530 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: References: <1395379527.21155.YahooMailNeo@web126203.mail.ne1.yahoo.com> <20140322155510.GJ3180@nl.grid.coop> <402906430.408005.1395511502206.JavaMail.www@wwinf8309> Message-ID: What the cryptocurrency ecosystem needs to realize, is that the protection of the customer must be foremost. BTC is a great system for sellers and receivers, however there is very little protection for the buyer and Caveat emptor is not going to work as a scapegoat any more. It is time that businesses not only exchanges but payment processors, shopping sites, wallet services, etc needs to start standardizing proper security framework. What we need is an active change in the cryptocurrency industry. A formation of a independent decentralized certifying agency, that can audit, check and provide policy and guidelines for cryptocurrency based businesses. It should be self regulated and highly transparent and should only work with business. What this body would do, is have a checklist of requirement that each business has to fulfill in terms of IT Security, Customer service policy, accounting and book keeping, Tax policy (according to each country), Independent review of the Code being implemented, Approved hardware, and physical security and inspection. Basis which the business is given an accredit score. The scoring system should be such, that it allows small start ups to improve score and not reflect negatively. There should be guidelines that businesses can follow to gain higher scores if they decide to implement those guidelines, the most important thing that the body needs to do, is to promote new businesses to start and help them improve on Security, Customer service and Accounting. These are the three fundamental thing that needs to be checked and audited. Protecting customer by implementing a rating system is what's needed at this time. I dont know if this is viable but i think it may work. On Sun, Mar 23, 2014 at 1:45 AM, Kelly John Rose wrote: > On Saturday, March 22, 2014, wrote: > >> > Message du 22/03/14 17:28 >> > De : "Troy Benjegerdes" >> > If you think you need 'money' to write a better exchange, then you are >> just >> > another crypto-snake-oil salesman, and are WORSE than Gox, who at least >> gave >> > us a good example of failure. >> > >> > However, if you want to put your code (and failures) where your mouth >> is, >> > I'll give you free room and board if you show me good code, and an >> honest >> > effort to learn from failure. Nowhere in this exchange is money >> involved. >> >> Most of the guys willing to create a new exchange are figuring they need >> to pay a team of professional C programmers if they want their system >> working without hacks, because lately 90% of coders barely get through with >> Python, lol. >> > > Having worked on some complex banking and accounting systems before, I > know there is a lot more to the equation than simple coding up some crappy > ruby code and putting fixes in place whenever it doesn't quite do what you > want. > > Financial cryptography is expensive to do mostly because there is a strong > need to not only implement good code, but also make sure the engineering is > done correctly the first time and that it has the expensive physical > security to back it up. > > > -- > Kelly John Rose > Edmonton, AB > Phone: +1 587 982-4104 > Twitter: @kjrose > Skype: kjrose.pr > Gtalk: iam at kjro.se > MSN: msn at kjro.se > > Document contents are confidential between original recipients and sender. > > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 4381 bytes Desc: not available URL: From hozer at hozed.org Sun Mar 23 16:33:23 2014 From: hozer at hozed.org (Troy Benjegerdes) Date: Sun, 23 Mar 2014 18:33:23 -0500 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: <690328051.240270.1395546909582.JavaMail.www@wwinf8308> References: <1260891211.239945.1395540842017.JavaMail.www@wwinf8308> <20140323031437.E1ABF2280B9@palinka.tinho.net> <690328051.240270.1395546909582.JavaMail.www@wwinf8308> Message-ID: <20140323233323.GN3180@nl.grid.coop> > > It were write that: > > > > > You are in the same boat of Karpeles and Ulbricht, they also were > > > barely able to code some interpreted language and they were overwhelmed > > > by the intricacies of the systems they were building. Until they > > > finally brought disaster for themselves and everyone that depended > > > on them. > > > > True but inevitable. Humans can design systems more complex than > > they can then operate. The financial sector's "flash crashes" are > > one, but only one, public proof-by-demonstration of that fact. I > > predict that the fifty interlocked insurance exchanges for Obamacare > > will be another. It is likely that any cryptocurrency exchange > > that is center-free and self-mobile is harder still. The HTTP > > Archive says that the average web page now makes out-references to > > 16 different domains as well as making 17 Javascript requests per > > page, and the Javascript byte count is five times the HTML byte > > count. > > > > Above some threshold of system complexity, it is no longer possible > > to test, it is only possible to react to emergent behavior. Even > > the lowliest Internet user is involved -- on the top level page for > > a major news site, I found 400 out-references to 85 unique domains > > each of which is similarly constructed. If you leave those pages > > up, then because most such pages have an auto-refresh, moving your > > ass to a new subnet signals to every single advertising network > > that you have done so. > > > > --dan > > > > Your comments naturally lead us to think how to make simple systems, yet functional enough for the purpose we are building them. > > We are up to a revival in self-made purpose-specific web servers. Learning the few needed protocols and building from the ground up using open-source tools seems the way to go. > > Notwithstanding hardware issues, using things out of intel and amd seems also to become a trend. > If you focus on user-experience, simplicity, and minimal dependencies you might end up writing an exchange in python and running it on this: http://micropython.org/ , and then getting an insurance company to underwrite customers for any loss, including hacks. Next step is make it run on a cpu you can audit the VHDL for... http://yasep.org/ -- ---------------------------------------------------------------------------- Troy Benjegerdes 'da hozer' hozer at hozed.org 7 elements earth::water::air::fire::mind::spirit::soul grid.coop Never pick a fight with someone who buys ink by the barrel, nor try buy a hacker who makes money by the megahash From l at odewijk.nl Sun Mar 23 17:00:20 2014 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Mon, 24 Mar 2014 01:00:20 +0100 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: <20140323233323.GN3180@nl.grid.coop> References: <1260891211.239945.1395540842017.JavaMail.www@wwinf8308> <20140323031437.E1ABF2280B9@palinka.tinho.net> <690328051.240270.1395546909582.JavaMail.www@wwinf8308> <20140323233323.GN3180@nl.grid.coop> Message-ID: 2014-03-24 0:33 GMT+01:00 Troy Benjegerdes : > , and then getting an insurance company to underwrite > customers for any loss, including hacks. > This. I'm totally not sure how to go about that though. Damn shame there. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 650 bytes Desc: not available URL: From erehwon at c4i.org Sun Mar 23 23:38:26 2014 From: erehwon at c4i.org (William Knowles) Date: Mon, 24 Mar 2014 01:38:26 -0500 (CDT) Subject: Documentary to be filmed on the life of the last original Navajo Code Talkers, Chester Nez Message-ID: http://www.infosecnews.org/documentary-to-be-filmed-on-the-life-of-the-last-original-navajo-code-talkers-chester-nez/ By William Knowles Senior Editor InfoSec News March 24, 2013 Chester Nez, the last surviving member of the original 29 Navajo Code Talkers, will be the subject of filmmaker David DeJonge's upcoming 30-minute documentary. "Chester is the last link from the Navajo people who forged a secret code that helped win the Second World War. Their code led to the training of 400+ additional Navajo code talkers. To record his story in first hand is critical to American and military history." DeJonge said. DeJonge who is well known for his work with the last WWI veteran Frank Buckles, and also his documentary "Pershing's Last Patriot", began producing the documentary on Nez after a visit to Gallup, New Mexico. Nez served with the United States Marines in the Pacific and helped defeat the Japanese by creating a code, using the Navajo language, that was never broken. Sent to a boarding school as a child, Nez and other Navajo children were discouraged from speaking their native language and instructed to only use English, but that didn't stop them from whispering Navajo to each other in secret. In 1942, Navajo were recruited from boarding schools to join the Marines and use their unique skills to develop an unbreakable code to pass messages. The film will tell Nez's story from childhood through today. [...] -- GPG key on request http://www.c4i.org/erehwon/ From iam at kjro.se Mon Mar 24 09:45:37 2014 From: iam at kjro.se (Kelly John Rose) Date: Mon, 24 Mar 2014 10:45:37 -0600 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: <2037519107.13722.1395676217325.JavaMail.www@wwinf8307> References: <1260891211.239945.1395540842017.JavaMail.www@wwinf8308> <20140323031437.E1ABF2280B9@palinka.tinho.net> <690328051.240270.1395546909582.JavaMail.www@wwinf8308> <20140323233323.GN3180@nl.grid.coop> <83785819.11305.1395674549770.JavaMail.www@wwinf8307> <2037519107.13722.1395676217325.JavaMail.www@wwinf8307> Message-ID: On Mon, Mar 24, 2014 at 9:50 AM, wrote: > > > > Message du 24/03/14 16:38 > > De : "Lodewijk andré de la porte" > > A : tpb-crypto at laposte.net > > Copie à : "Troy Benjegerdes" , "cypherpunks at cpunks.org" > > Objet : Re: "Whew, wondered where we'd put those 200,000 BTC!" > > > > > 2014-03-24 16:22 GMT+01:00 : > > > > > I appreciate your ideas, how much would they scale? Can one squeeze 300 > > > customers per unit and link many parallel units? > > > > > > > I've yet to see a multiprocessor trade matching engine. > > > > Seems like the only way to know, is to try. > > But if you don't program C already, building a processor using VHDL and > another chip to interpret Python, then fitting them together with some USB > and ethernet ports seems to be quite a daunting task. > > The money would pay out, but the starting capital is in the thousands of > programming hours specifically for embedded systems. > > Yeah, especially if you are going to put in any time doing full code review to avoid the many pitfalls and security that could occur in a distributed system like this. -- Kelly John Rose Edmonton, AB Phone: +1 587 982-4104 Twitter: @kjrose Skype: kjrose.pr Gtalk: iam at kjro.se MSN: msn at kjro.se Document contents are confidential between original recipients and sender. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2252 bytes Desc: not available URL: From pgut001 at cs.auckland.ac.nz Sun Mar 23 18:47:16 2014 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Mon, 24 Mar 2014 14:47:16 +1300 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: Message-ID: Kelly John Rose writes: >Having worked on some complex banking and accounting systems before, I know >there is a lot more to the equation than simple coding up some crappy ruby >code and putting fixes in place whenever it doesn't quite do what you want. > >Financial cryptography is expensive to do mostly because there is a strong >need to not only implement good code, but also make sure the engineering is >done correctly the first time and that it has the expensive physical security >to back it up. Absolutely. Some time ago I had a long chat with someone who worked on large- scale financial processing systems. Among other things his organisation tends to act as a stress test for any hardware or software they use since they push it beyond what anyone else ever manages (and no, it's not HFT, just standard banking clearing). Their prime directive is that financial value can never be created or destroyed, so you can never have a situation in which a failure anywhere will result in one blob of financial value being recorded in two locations, or no locations. Saying that you'll address this by rolling back transactions won't fly both because no standard database can handle the load they work at, and because the financial world isn't going to stop and wait while you perform a rollback. To give some examples of what this entails, they only use the outer sets of tracks on their disk arrays to maximise data throughput/minimise head movement, if they were to use the entire platter the system couldn't keep up. Cacheing doesn't help, they did try it with the most exotic cacheing technology that EMC could provide them and found that after X hours throughput dropped to a fraction of what it had been. Although EMC had simulated this situation they never expected that anyone would be able to do it in real life. They also managed to figure out the computing power of a USG agency using a certain type of architecture because, when they wanted to buy the entire production run of a particular just-introduced CPU for several months they found that an unnamed US customer had already bought six months worth of production ahead of them. I think this is about as far from hacking together "some crappy ruby code" as you can get while still remaining on the same planet. Peter. From hozer at hozed.org Mon Mar 24 12:56:43 2014 From: hozer at hozed.org (Troy Benjegerdes) Date: Mon, 24 Mar 2014 14:56:43 -0500 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: References: <1260891211.239945.1395540842017.JavaMail.www@wwinf8308> <20140323031437.E1ABF2280B9@palinka.tinho.net> <690328051.240270.1395546909582.JavaMail.www@wwinf8308> <20140323233323.GN3180@nl.grid.coop> <83785819.11305.1395674549770.JavaMail.www@wwinf8307> Message-ID: <20140324195643.GO3180@nl.grid.coop> On Mon, Mar 24, 2014 at 04:38:37PM +0100, Lodewijk andré de la porte wrote: > 2014-03-24 16:22 GMT+01:00 : > > > I appreciate your ideas, how much would they scale? Can one squeeze 300 > > customers per unit and link many parallel units? > > > > I've yet to see a multiprocessor trade matching engine. Do https://github.com/PhantomPhreak/counterpartyd and https://ripple.com/guide-to-currency-trading-on-the-ripple-network/ count as trade matching engines? Why in the world do we need a centralized trade matching engine when the commodities (corn) and customers (grocery stores) are fundamentally distributed anyway? If someone wants the absolute best price possible in the world for their stock trade, then they can spend a gazillion dollars on brokers and HFT and microsecond latency to the exchange floor. But I want to be able to execute corn futures trades and physical delivery contracts from the server in my combine that knows to-the-bushel how much I'm pulling out of the field. I mean, I've got to have *something* to do while the babysitting the GPS guidance system .... -- ---------------------------------------------------------------------------- Troy Benjegerdes 'da hozer' hozer at hozed.org 7 elements earth::water::air::fire::mind::spirit::soul grid.coop Never pick a fight with someone who buys ink by the barrel, nor try buy a hacker who makes money by the megahash From grarpamp at gmail.com Mon Mar 24 12:25:30 2014 From: grarpamp at gmail.com (grarpamp) Date: Mon, 24 Mar 2014 15:25:30 -0400 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: References: Message-ID: > So how do they do that? If there's power failure on a specific box... There is transactional integrity where you're good until the failure, then you halt and fix/failover/etc. It's relatively cheap and popular. > I can imagine mitigating this by redundantly processing everything Then there are things called non-stop-computing where the whole system is transactioned. Some of that happens in systems like these. How close these things get to being bulletproof I've not looked into. https://en.wikipedia.org/wiki/IBM_System_z Also Sun, HP, Fujitsu and the like. Look into what NASDAQ runs... From hozer at hozed.org Mon Mar 24 13:47:03 2014 From: hozer at hozed.org (Troy Benjegerdes) Date: Mon, 24 Mar 2014 15:47:03 -0500 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: References: Message-ID: <20140324204703.GS3180@nl.grid.coop> On Mon, Mar 24, 2014 at 04:37:37PM +0100, Lodewijk andré de la porte wrote: > 2014-03-24 2:47 GMT+01:00 Peter Gutmann : > > > Their prime directive is that financial value can never be > > created or destroyed, so you can never have a situation in which a failure > > anywhere will result in one blob of financial value being recorded in two > > locations, or no locations. Saying that you'll address this by rolling > > back > > transactions won't fly both because no standard database can handle the > > load > > they work at, and because the financial world isn't going to stop and wait > > while you perform a rollback. > > > > So how do they do that? If there's power failure on a specific box, what > happens? Are all transactions synced to disk before commit, thus minimal > rollbacks? A minimal rollback takes a very small margin of what would > happen in case of power failure on a box. Maybe they have several boxes > advocating a single transaction, so that expectible failures would never > crash a system completely. Except the financial world DID crash, and they just had the government(s) print new money to do the rollback for them. That's the difference with MtGox, there's no single authority (or distributed consensus mechanism) that is capable of rolling anything back.... except for the Japanese bankruptcy proceeding. So maybe technically you could argue the **accounting** database system never crashed, but we were feeding in garbage mortages and processing meaningless transactions at a rate the world had never seen before or since. And then it took at least 3-5 years to rollback and unwind all the corrupted input data. -- ---------------------------------------------------------------------------- Troy Benjegerdes 'da hozer' hozer at hozed.org 7 elements earth::water::air::fire::mind::spirit::soul grid.coop Never pick a fight with someone who buys ink by the barrel, nor try buy a hacker who makes money by the megahash From tpb-crypto at laposte.net Mon Mar 24 08:22:29 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Mon, 24 Mar 2014 16:22:29 +0100 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: <20140323233323.GN3180@nl.grid.coop> References: <1260891211.239945.1395540842017.JavaMail.www@wwinf8308> <20140323031437.E1ABF2280B9@palinka.tinho.net> <690328051.240270.1395546909582.JavaMail.www@wwinf8308> <20140323233323.GN3180@nl.grid.coop> Message-ID: <83785819.11305.1395674549770.JavaMail.www@wwinf8307> > If you focus on user-experience, simplicity, and minimal dependencies you > might end up writing an exchange in python and running it on this: > http://micropython.org/ , and then getting an insurance company to underwrite > customers for any loss, including hacks. > > Next step is make it run on a cpu you can audit the VHDL for... > http://yasep.org/ > I appreciate your ideas, how much would they scale? Can one squeeze 300 customers per unit and link many parallel units? From l at odewijk.nl Mon Mar 24 08:37:37 2014 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Mon, 24 Mar 2014 16:37:37 +0100 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: References: Message-ID: 2014-03-24 2:47 GMT+01:00 Peter Gutmann : > Their prime directive is that financial value can never be > created or destroyed, so you can never have a situation in which a failure > anywhere will result in one blob of financial value being recorded in two > locations, or no locations. Saying that you'll address this by rolling > back > transactions won't fly both because no standard database can handle the > load > they work at, and because the financial world isn't going to stop and wait > while you perform a rollback. > So how do they do that? If there's power failure on a specific box, what happens? Are all transactions synced to disk before commit, thus minimal rollbacks? A minimal rollback takes a very small margin of what would happen in case of power failure on a box. Maybe they have several boxes advocating a single transaction, so that expectible failures would never crash a system completely. I can imagine mitigating this by redundantly processing everything, in which case sequence must be kept somehow and so I can't imagine it being ridiculously fast. Maybe you mean the throughput is insane, because that'd make more sense given the multiple months of CPU being thrown at it. If you didn't then caching would just slow things down (most of the time). Finance should run better on SSDs, so I imagine this is an old story. Overall a bit confusing, and I'd love some more details! Like, why are they even using disks when fiber and RAM might be faster and similarly reliable? -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2126 bytes Desc: not available URL: From l at odewijk.nl Mon Mar 24 08:38:37 2014 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Mon, 24 Mar 2014 16:38:37 +0100 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: <83785819.11305.1395674549770.JavaMail.www@wwinf8307> References: <1260891211.239945.1395540842017.JavaMail.www@wwinf8308> <20140323031437.E1ABF2280B9@palinka.tinho.net> <690328051.240270.1395546909582.JavaMail.www@wwinf8308> <20140323233323.GN3180@nl.grid.coop> <83785819.11305.1395674549770.JavaMail.www@wwinf8307> Message-ID: 2014-03-24 16:22 GMT+01:00 : > I appreciate your ideas, how much would they scale? Can one squeeze 300 > customers per unit and link many parallel units? > I've yet to see a multiprocessor trade matching engine. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 589 bytes Desc: not available URL: From tpb-crypto at laposte.net Mon Mar 24 08:50:17 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Mon, 24 Mar 2014 16:50:17 +0100 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: References: <1260891211.239945.1395540842017.JavaMail.www@wwinf8308> <20140323031437.E1ABF2280B9@palinka.tinho.net> <690328051.240270.1395546909582.JavaMail.www@wwinf8308> <20140323233323.GN3180@nl.grid.coop> <83785819.11305.1395674549770.JavaMail.www@wwinf8307> Message-ID: <2037519107.13722.1395676217325.JavaMail.www@wwinf8307> > Message du 24/03/14 16:38 > De : "Lodewijk andré de la porte" > A : tpb-crypto at laposte.net > Copie à : "Troy Benjegerdes" , "cypherpunks at cpunks.org" > Objet : Re: "Whew, wondered where we'd put those 200,000 BTC!" > > 2014-03-24 16:22 GMT+01:00 : > > > I appreciate your ideas, how much would they scale? Can one squeeze 300 > > customers per unit and link many parallel units? > > > > I've yet to see a multiprocessor trade matching engine. > Seems like the only way to know, is to try. But if you don't program C already, building a processor using VHDL and another chip to interpret Python, then fitting them together with some USB and ethernet ports seems to be quite a daunting task. The money would pay out, but the starting capital is in the thousands of programming hours specifically for embedded systems. From juan.g71 at gmail.com Mon Mar 24 13:28:29 2014 From: juan.g71 at gmail.com (Juan Garofalo) Date: Mon, 24 Mar 2014 17:28:29 -0300 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: <20140324195643.GO3180@nl.grid.coop> References: <1260891211.239945.1395540842017.JavaMail.www@wwinf8308> <20140323031437.E1ABF2280B9@palinka.tinho.net> <690328051.240270.1395546909582.JavaMail.www@wwinf8308> <20140323233323.GN3180@nl.grid.coop> <83785819.11305.1395674549770.JavaMail.www@wwinf8307> <20140324195643.GO3180@nl.grid.coop> Message-ID: --On Monday, March 24, 2014 2:56 PM -0500 Troy Benjegerdes wrote: > Why in the world do we need a centralized trade matching engine when the > commodities (corn) and customers (grocery stores) are fundamentally > distributed anyway? Good question. > > > I mean, I've got to have *something* to do while the babysitting the GPS > guidance system .... Isn't gps completely centralized and run by you-know-who? > > -- > ------------------------------------------------------------------------- > --- Troy Benjegerdes 'da hozer' > hozer at hozed.org 7 elements > earth::water::air::fire::mind::spirit::soul grid.coop > > Never pick a fight with someone who buys ink by the barrel, > nor try buy a hacker who makes money by the megahash > > From dan at geer.org Mon Mar 24 16:04:27 2014 From: dan at geer.org (dan at geer.org) Date: Mon, 24 Mar 2014 19:04:27 -0400 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: Your message of "Mon, 24 Mar 2014 17:28:29 -0300." Message-ID: <20140324230427.C3F562280AB@palinka.tinho.net> wrote: > Why in the world do we need a centralized trade matching engine when the > commodities (corn) and customers (grocery stores) are fundamentally > distributed anyway? Get big or get out. -- Earl Butz, Sec of Agriculture for Jimmy Carter ( Do you have an autopilot on your receiver truck? ) --dan From hozer at hozed.org Mon Mar 24 20:23:32 2014 From: hozer at hozed.org (Troy Benjegerdes) Date: Mon, 24 Mar 2014 22:23:32 -0500 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: <20140324230427.C3F562280AB@palinka.tinho.net> References: <20140324230427.C3F562280AB@palinka.tinho.net> Message-ID: <20140325032332.GU3180@nl.grid.coop> On Mon, Mar 24, 2014 at 07:04:27PM -0400, dan at geer.org wrote: > > wrote: > > Why in the world do we need a centralized trade matching engine when the > > commodities (corn) and customers (grocery stores) are fundamentally > > distributed anyway? > > > Get big or get out. > -- Earl Butz, Sec of Agriculture for Jimmy Carter > > > ( Do you have an autopilot on your receiver truck? ) > > --dan Folks that want to eat are cheaper than autopilots ;) And technically, I don't have the autopilot for the combine either but that should be easily solvable with a couple engineering interns if I can trade on my phone when I stop to unload. Get smart and read the source or go bankrupt -- Farmer Troy From hozer at hozed.org Mon Mar 24 20:29:39 2014 From: hozer at hozed.org (Troy Benjegerdes) Date: Mon, 24 Mar 2014 22:29:39 -0500 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: References: <1260891211.239945.1395540842017.JavaMail.www@wwinf8308> <20140323031437.E1ABF2280B9@palinka.tinho.net> <690328051.240270.1395546909582.JavaMail.www@wwinf8308> <20140323233323.GN3180@nl.grid.coop> <83785819.11305.1395674549770.JavaMail.www@wwinf8307> <20140324195643.GO3180@nl.grid.coop> Message-ID: <20140325032939.GV3180@nl.grid.coop> On Mon, Mar 24, 2014 at 05:28:29PM -0300, Juan Garofalo wrote: > > > --On Monday, March 24, 2014 2:56 PM -0500 Troy Benjegerdes > wrote: > > > > Why in the world do we need a centralized trade matching engine when the > > commodities (corn) and customers (grocery stores) are fundamentally > > distributed anyway? > > Good question. > > > > > > > > I mean, I've got to have *something* to do while the babysitting the GPS > > guidance system .... > > Isn't gps completely centralized and run by you-know-who? You-know-who costs me significantly less money than JpGoldKochMorgan's centralized high-frequency trading. Besides you-know-who would rather tax the middle class to buy fuel from me than have to send more kids to drive fuel tankers over IEDs. From apx.808 at gmail.com Tue Mar 25 08:02:33 2014 From: apx.808 at gmail.com (APX 808) Date: Tue, 25 Mar 2014 12:02:33 -0300 Subject: To Tor or not to Tor? In-Reply-To: <1720534.dfrF402S2Z@lap> References: <3735791.WCR3VjPavv@lap> <1720534.dfrF402S2Z@lap> Message-ID: On Mar 21, 2014, at 5:04 AM, rysiek wrote: > If the NSA can impersonate any IP on the planet, they can impersonate any Tor node. Shouldn't they have the node's private key too? Just having the IP they would receive encrypted traffic, they wouldn't be able to route it, your communication would fail and another TOR circuit would be used. Cheerz http://apx808.blogspot.com On Sat, Mar 22, 2014 at 6:52 AM, rysiek wrote: > Dnia sobota, 22 marca 2014 01:04:28 Scott Blaydes pisze: > > On Mar 21, 2014, at 5:04 AM, rysiek wrote: > > > 1. they know when you're using Tor, and can flag you accordingly, and > (for > > > > > > example) deliver some nastiness when (not "if"!) they get the chance, > > > because "when you have something to hide..." > > > > The old argument for convincing people to use crypto when they "have > nothing > > to hide" was the postal analogy. Do you send your snail mail in an > > envelope? If you have nothing to hide why not use postcards? The idea is > > that if you are sending everything encrypted, when you do have something > to > > hide it doesn't stand out. Now people use envelopes for privacy and out > of > > convention. If everyone did the same thing with crypto,used it for > privacy > > and out of convention, intelligence agencies wouldn't be able flag > > suspicious communications easily. > > > > Sorry, not really a "to Tor or not to Tor" answer, but something I > remember > > using in the past. > > I am well aware of this argument, and I use it often. My question here is > different: with all the info we have about Snowden, QUANTUM, etc, and with > the > number of Tor users today, AND with some Tor design choices (like: not > padding > the packets so that each packet, regardless of between which nodes it is > sent > and how many encryption layers have already beed removed -- has the same > length, which would make it that much harder to do traffic analysis), is it > PRACTICALLY REALLY better to use Tor, OR does it get people flagged and > exploited in other ways? > > For Joe Schmoe, is it better to use Tor, or to hide in the noise? > > I guess one part of the question is the fact that NSA probably doesn't > really > have to break encryption, they just need info on who is communicating with > whom, exploit one of these endpoints and get all the unencrypted logs, > data, > etc they want. > > -- > Pozdr > rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 3316 bytes Desc: not available URL: From pgut001 at cs.auckland.ac.nz Mon Mar 24 18:11:10 2014 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Tue, 25 Mar 2014 14:11:10 +1300 Subject: "Whew, wondered where we'd put those 200,000 BTC!" In-Reply-To: Message-ID: =?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?= writes: >So how do they do that? If there's power failure on a specific box, what >happens? Are all transactions synced to disk before commit, thus minimal >rollbacks? A minimal rollback takes a very small margin of what would happen >in case of power failure on a box. Maybe they have several boxes advocating a >single transaction, so that expectible failures would never crash a system >completely. This was a software guy (quoting what he knew about some of the special hardware features), so he didn't go into that much detail on this sort of thing, but in any case it's problem that's been (mostly) solved for decades, just look for discussions of high-availability systems (https://archive.org/details/reliablecomputer00siew is one good starting point). It's not for nothing that, for example, Tandems are sold under the name NonStop (they're covered in a case study in the book referenced above). I was in a Tandem shop some years ago when it experienced a rapid sequence of power glitches. The mass of IT gear in the building needed everything from a reboot to a reinstall to hardware replacement to get working again. One of their techies took me into the mainframe room to the Tandem console, which had a series of reports "Power lost / Power restored / Power lost / ...". Apart from that there had been no effect. There's a story that during the Loma Prieta earthquake a data centre containing a Tandem machine was damaged in the quake. It continued running, lying on its side surrounded by debris, until they could bring in heavy equipment to push it upright again. Peter. From coderman at gmail.com Tue Mar 25 18:49:10 2014 From: coderman at gmail.com (coderman) Date: Tue, 25 Mar 2014 18:49:10 -0700 Subject: To Tor or not to Tor? In-Reply-To: References: <3735791.WCR3VjPavv@lap> <1720534.dfrF402S2Z@lap> Message-ID: correct, an IP alone insufficient to impersonate a Tor node. you would also need key material. (active use of stolen keys to facilitate secondary attacks would be interesting to inventory from leaks...) From jya at pipeline.com Wed Mar 26 04:23:13 2014 From: jya at pipeline.com (John Young) Date: Wed, 26 Mar 2014 07:23:13 -0400 Subject: To Tor or not to Tor? In-Reply-To: <11011018.QPPdtXFcDq@lap> References: <3735791.WCR3VjPavv@lap> <11011018.QPPdtXFcDq@lap> Message-ID: Ubiquitous use of a comsec system is a vulnerability, whether PGP or Tor or another popular means. Crypto advocates and Tor encourage widespread use as a defense but may be luring victims into traps. The more users of a system the more likely it will be attacked by officials or by malefactors. And the attacks are most often overlooked in the volume, or excused as a price of popularity, fixes underway, always underway, keeping coders and investors happy as engineers mud-wrestling and financiers soused. Most trusted systems (MTS) are where the money is, as with banks, so that's where robbers make their living, and MTS set up budgets for loss, PR, lobbying, training staff in cover-ups and workarounds, hiring ex-regulators and distinguished industry leaders as advisors, board members and faces of the MTS around the planet. The lucrative boomlet in comsec generated by Snowden Inc's marketing gambit promoting encryption and enhanced comsec among media mouthpiece megaphones indicates that another cycle of dubity of the status quo comsec confidence game is to be followed by a repair and rejigger protection racket, as evidenced on these mail lists, at conferences, and no doubt in halls of semi-classified exchanges everready to share tips and tricks to ratchet up demand for security in all its devilish manifestations. Was it not mere months ago when a call was issued to redesign and or replace the entire Internet from top to bottom, the whole thing, to end the futile comsec tinkering and delusionary marketing, no way the Frankenstein could be made secure for human use, it had fundamental faults which precluded durable comsec. Perhaps re-Frankensteining is being done in semi-classified halls, hindered by by official and commercial and scholarly exploiters of the monster's faults to advance their interests in advocating MTS for public use, just keep those research and investment funds flowing. No risk, no security market, so what fool would want an Internet that had no faults. No bank would want perfect security to be available directly to customers. No military or spy agency would want perfect national security available to the citizenry. No government would want a threat-free populace. No comsec industry would want ... Best to aim for pretty good comsec and call it best that can be done but cheating happens, thank you Edward Snowden, so prepare for disaster "not if, not when, but now." Intel committees wokring hand in hand with Snowden Inc. to keep the public panicky and needful of secrecy protection of the holy grail, national security backed by WMD. In short, Tor is a confidence game, crypto is a confidence game, no better than military, espionage, publicity, entertainment, finance, law, insurance, education and religion. Oops those are the primary routes to wealth and power concentration and need for WMD protection. What, you say WMD is a confidence game? Getoutahere, that's top secret codeword core faith in secretkeeping. Without that fundamental Frankensteinian fault nobody would buy security against the Doctors of monsters working hard at most secret laboratories on earth to devise crypto for assuring WMD comms and launch threats are pretty good at persuading the public to pay the steep protection fee -- which it should be noted is laundered through IRS and NGOs, blessed by FRS and SEC. Damn 3 lettered agencies of God. From rysiek at hackerspace.pl Wed Mar 26 02:47:52 2014 From: rysiek at hackerspace.pl (rysiek) Date: Wed, 26 Mar 2014 10:47:52 +0100 Subject: To Tor or not to Tor? In-Reply-To: References: <3735791.WCR3VjPavv@lap> Message-ID: <11011018.QPPdtXFcDq@lap> Dnia wtorek, 25 marca 2014 18:49:10 coderman pisze: > correct, an IP alone insufficient to impersonate a Tor node. you > would also need key material. Ok, I was not being very clear what I meant. I meant a situation in which the NSA can listen-in on any connection in the clearnet, including connections between Tor nodes. They *can't* break the encryption nor do they have the keys... ...*But* (esp. if most of these nodes are in the US) they *can* observe that in sequence there are packets being sent between IP1, IP2, IP3 and IP4, and that these packets get smaller at each step, in a way that is coherent with removing layers of Tor encryption. What they can get from that is information; IP1 is communicating via Tor with IP4. So now they know whom to target with QUANTUM when they'd be using clearnet for something. Tor encryption gets less relevant if NSA gets access to the endpoints via other means, and for that they need to know whom to target. Observing packets flying between Tor nodes can give them that info -- at least that's a suggestion somebody made elsewhere. So my question is, does that make sense? Is that a viable threat? -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From coderman at gmail.com Wed Mar 26 17:01:45 2014 From: coderman at gmail.com (coderman) Date: Wed, 26 Mar 2014 17:01:45 -0700 Subject: To Tor or not to Tor? In-Reply-To: <11011018.QPPdtXFcDq@lap> References: <3735791.WCR3VjPavv@lap> <11011018.QPPdtXFcDq@lap> Message-ID: On Wed, Mar 26, 2014 at 2:47 AM, rysiek wrote: > ... > I meant a situation in which the NSA can listen-in on any connection in the > clearnet, including connections between Tor nodes. ok. this is sounding like classic traffic analysis (on the "metadata" rather than the content, so to speak). > They *can't* break the > encryption nor do they have the keys... ok. > ...*But* (esp. if most of these nodes are in the US) they *can* observe that > in sequence there are packets being sent between IP1, IP2, IP3 and IP4, and > that these packets get smaller at each step, in a way that is coherent with > removing layers of Tor encryption. Tor cells use padding, but this alone is not sufficient to defeat traffic analysis. > What they can get from that is information; IP1 is communicating via Tor with > IP4. > > So now they know whom to target with QUANTUM when they'd be using clearnet for > something. this is why i am fond of everything dark! namecoin to hidden services, no DNS, no plaintext. (not entirely defeating QUATUMTHEORY, but much of it!) > Tor encryption gets less relevant if NSA gets access to the endpoints via > other means, and for that they need to know whom to target. Observing packets > flying between Tor nodes can give them that info -- at least that's a > suggestion somebody made elsewhere. the anonymity set is large, but maybe that isn't sufficient. this is exactly the same argument for or against zero knowledge mixes. sure, they offer stronger protection from traffic analysis, but the anonymity set of users is tiny, making that theoretical hardness useless in practical terms. > So my question is, does that make sense? Is that a viable threat? depending on where you stand, and what network you egress, it may make absolutely perfect sense - Tor use alone drawing scrutiny that draws conflict. from my personal experience, _not_ in places where Tor use alone is suspect, it has been a essential tool. if you're concerned about NSA/TAO/SSO then you're speaking of two broad domains of concern: 1. pervasive, passive global intercept - this is where Tor and encryption come in. you've just made it harder, and turned something global and passive ineffective, pushing activity toward: 2. tailored access - the black bag jobs, weaponized exploits, HUMINT attacks, etc. if you've pushed your adversary to these means, you've achieved a COMSEC and symbolic victory. you don't defend against #2, you just fail less quickly...[0] 0. there are exceptions. these are left an exercise for the reader :) From coderman at gmail.com Wed Mar 26 17:05:58 2014 From: coderman at gmail.com (coderman) Date: Wed, 26 Mar 2014 17:05:58 -0700 Subject: [cryptography] To Tor or not to Tor? In-Reply-To: References: <3735791.WCR3VjPavv@lap> <11011018.QPPdtXFcDq@lap> Message-ID: On Wed, Mar 26, 2014 at 4:23 AM, John Young wrote: > Ubiquitous use of a comsec system is a vulnerability, whether > PGP or Tor or another popular means. "Ubiquitous trust in technology without assurances nor fail-safes is a vulnerability" - fixed that for you JYA plenty of corollaries in architecture, to be sure. ;) From gfoster at entersection.org Wed Mar 26 21:48:33 2014 From: gfoster at entersection.org (Gregory Foster) Date: Wed, 26 Mar 2014 23:48:33 -0500 Subject: The National Security Agency at the Crossroads (Austin: Apr 3-4) Message-ID: <5333ADA1.8080702@entersection.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 The National Security Agency at the Crossroads (Austin: Apr 3-4) https://strausscenter.org/details/279-privacy-surveillance-and-the-nsa.html If you review the agenda and speaker list, you'll see this event is a pretty big deal. > The Intelligence Studies Project is a joint venture of the Strauss > Center and Clements Center at the University of Texas at Austin, > aiming to encourage policy-relevant academic inquiry into the past, > present, and future of intelligence agencies and the legal, policy, > and technological environments in which they operate. Nothing > better illustrates the need for such inquiry than the events of the > past year surrounding the National Security Agency. As part of a > larger effort to improve public understanding of those events, the > Robert S. Strauss Center for International Security and Law and the > William P. Clements Jr. Center for History, Strategy & Statecraft > are hosting a major interdisciplinary conference focused on the NSA > from April 3rd through 4th. It will cover topics including the > history of the NSA, the role of the media in revealing classified > information about its activities, the legal architecture in which > it operates, the compliance and oversight mechanisms associated > with the NSA, the diplomatic fallout from the recent revelations, > and the prospects for reform. Although open to the public, the event is already waitlisted. I'm aware of at least a few concerned citizens who signed up to attend and plan to document the event through various channels. http://www.eventbrite.com/e/privacy-surveillance-and-the-nsa-tickets-8953832153 If you have an interest in this event you'd like to discuss, please contact me off list. gf - -- Gregory Foster || gfoster at entersection.org @gregoryfoster <> http://entersection.com/ -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.19 (Darwin) Comment: GPGTools - http://gpgtools.org iQIcBAEBCgAGBQJTM62eAAoJEMaAACmjGtgj8NsP/AxHR2VOTHivwqv7MmnkZ9kS l+kFi9RC9ZB0e80jAljc32FnIRWhhmry1/BOU9dgtWEzmcpfInAQdTHV01droXT1 XlxiEvVfv5Sh7Ln3gE4nv2UgUFTy8GXZAmRoVilr/SCietQd5nOFoWhzLPEsnfGw PYAUE5FHu4Sh2tEcCJDSGPZOe/Rd7QvlU4qd3drTOwnC840X5x0CtylGXVWHxMcl K/nAzuMkhB+Zd3tErka2yR7vw42Ch5PeT6qN3c5TtLywhAVSamqQjzWfeJdx6NMk /F89Q8oJcJ1zLfpePhuj+m4FRCTq3/ONmk+d4NpwRAP5v+BeXk4EyHadibf5GJX2 7IUlR77p1cTi//QvwvkQq0iBnESBDRu+JaUI8fX2bluuIK9PZnS/AJG4A8KE9ujo wciHmFk0uAuxw5GqHNF0VLo8JQjc2DDNcmsHheVXuzE9txMShdgonWPoxVfouXys JetLGAZwFhbxfku5bXpqVYnNLQi5FfMaIEZ6saT8cEWdbuCpbuXKSAsEMSY/LIjK DaITHHO+YiRD7qlM/TakpI934F925k4pQ3rA3Y32ObihacjQHysN2LkOhUPuITY7 RLbUCbww1Dcb0QGUgib7INSRTWnN+vt+fsN07jgTtXr60VfXdGF3pUHAxqZ9d/nX esziR2DQx3s7u+15clcf =Wdx1 -----END PGP SIGNATURE----- From grarpamp at gmail.com Thu Mar 27 00:20:04 2014 From: grarpamp at gmail.com (grarpamp) Date: Thu, 27 Mar 2014 03:20:04 -0400 Subject: [cryptography] To Tor or not to Tor? In-Reply-To: References: <3735791.WCR3VjPavv@lap> <11011018.QPPdtXFcDq@lap> Message-ID: On Wed, Mar 26, 2014 at 7:23 AM, John Young wrote: > Ubiquitous use of a comsec system is a vulnerability Which ubiquity, in the curious case of Tor/I2P, appears to be holding up reasonably well so far. That is to say, who can state a case where a weakness in those systems (documented, or not) was exploited publicly to jail someone? Tor people seem to say it's possible, and the four horsemen have been operating in these nets for many years. Yet we're not seeing any canaries dropping in public. Why? And there's mountains of lesser [computer/finance] crime, filesharing, etc on these nets, with no sign of those actors being disrupted either. Let's move to leaks, a civil/criminal matter. That's the one thing that has had perhaps even zero first person appearance on .onion/.i2p. Why not? (Discounting docs from criminal hacks above, submission portals to third party publishers, mirrors, etc.) What if the docs that say, places like Cryptome, have had to pull due to threat of legal/ToS action... were hosted and told by the leaker/collator themselves on these nets? Who will carry the future gilded staffs of Cryptome, full-disclosure, WL, etc? And more importantly, where? What if a new set of Top Secret Snowden-like docs were hosted on tor/i2p? What if they had fewer silly redactions, or more sources and methods? Or serious political/geo/nwo intrigue the likes we've not yet seen? Are these nets only suited to street crime? Is offloading through the media the only suitable/safe place for high crime and politic? If not already present on these nets (some classes noted above), and thus far apparently immune (perhaps foolishly so), then what exactly are the needed test cases that will start producing not just dead canaries, but public record of what killed them? Any musing of 'To Tor or not to Tor?' must put consensus and evidence to these sorts of questions. From cathalgarvey at cathalgarvey.me Thu Mar 27 03:05:15 2014 From: cathalgarvey at cathalgarvey.me (Cathal Garvey) Date: Thu, 27 Mar 2014 10:05:15 +0000 Subject: [cryptography] To Tor or not to Tor? In-Reply-To: References: <3735791.WCR3VjPavv@lap> <11011018.QPPdtXFcDq@lap> Message-ID: <5333F7DB.1080701@cathalgarvey.me> I'm in devil's advocate territory here, because I neither trust nor distrust Tor/i2p, feeling that we can't really be sure one way or another. But: > Which ubiquity, in the curious case of Tor/I2P, appears to be holding > up reasonably well so far. That is to say, who can state a case > where a weakness in those systems (documented, or not) was exploited > publicly to jail someone? Tor people seem to say it's possible, and > the four horsemen have been operating in these nets for many years. > Yet we're not seeing any canaries dropping in public. Why? > > And there's mountains of lesser [computer/finance] crime, filesharing, > etc on these nets, with no sign of those actors being disrupted > either. Time for me to fulfil Godwin's Law and discuss Nazis! When the UK broke Enigma, they were able to decrypt Nazi comms with their spies on UK mainland, and by the end of the war they had turned or neatly disposed of the lot of them. This was so effective that by the time the V2 rockets started raining down, the UK were able to feed false info back along the wires instructing the Nazis to aim wildly off target, and telling them that the casualties were drastic, and the (extremely expensive) program a wild success. In the modern day, you have a scenario where every significant opponent of the fascists use forms of cryptography that *may* be vulnerable to the fascists' level of technical sophistication; we don't know, really. But if they *can* crack Tor/i2p in limited circumstances, they sure as hell wouldn't let anybody know; including the monkies in the "lower" agencies who might do something as dumb as prosecuting someone on Tor-derived evidence. They would instead use the information as the UK did on their predecessors: to identify, neutralise or (better yet) turn them when necessary, but until that point simply to gather more information and find more targets. The patience of spies can look like inability or apathy, until they have cause to act. On 27/03/14 07:20, grarpamp wrote: > On Wed, Mar 26, 2014 at 7:23 AM, John Young wrote: >> Ubiquitous use of a comsec system is a vulnerability > > Which ubiquity, in the curious case of Tor/I2P, appears to be holding > up reasonably well so far. That is to say, who can state a case > where a weakness in those systems (documented, or not) was exploited > publicly to jail someone? Tor people seem to say it's possible, and > the four horsemen have been operating in these nets for many years. > Yet we're not seeing any canaries dropping in public. Why? > > And there's mountains of lesser [computer/finance] crime, filesharing, > etc on these nets, with no sign of those actors being disrupted > either. > > Let's move to leaks, a civil/criminal matter. That's the one thing > that has had perhaps even zero first person appearance on .onion/.i2p. > Why not? (Discounting docs from criminal hacks above, submission > portals to third party publishers, mirrors, etc.) > What if the docs that say, places like Cryptome, have had to pull > due to threat of legal/ToS action... were hosted and told by the > leaker/collator themselves on these nets? > > Who will carry the future gilded staffs of Cryptome, full-disclosure, > WL, etc? And more importantly, where? > > What if a new set of Top Secret Snowden-like docs were hosted on > tor/i2p? What if they had fewer silly redactions, or more sources > and methods? Or serious political/geo/nwo intrigue the likes we've > not yet seen? > > Are these nets only suited to street crime? Is offloading through > the media the only suitable/safe place for high crime and politic? > > If not already present on these nets (some classes noted above), > and thus far apparently immune (perhaps foolishly so), then what > exactly are the needed test cases that will start producing not > just dead canaries, but public record of what killed them? > > Any musing of 'To Tor or not to Tor?' must put consensus and evidence > to these sorts of questions. > -- T: @onetruecathal, @IndieBBDNA P: +3538763663185 W: http://indiebiotech.com -------------- next part -------------- A non-text attachment was scrubbed... Name: 0x988B9099.asc Type: application/pgp-keys Size: 6176 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 901 bytes Desc: OpenPGP digital signature URL: From rysiek at hackerspace.pl Thu Mar 27 03:02:34 2014 From: rysiek at hackerspace.pl (rysiek) Date: Thu, 27 Mar 2014 11:02:34 +0100 Subject: To Tor or not to Tor? In-Reply-To: References: <3735791.WCR3VjPavv@lap> <11011018.QPPdtXFcDq@lap> Message-ID: <3111520.9ACB4WKK2r@lap> Dnia środa, 26 marca 2014 17:01:45 coderman pisze: > On Wed, Mar 26, 2014 at 2:47 AM, rysiek wrote: > > ... > > I meant a situation in which the NSA can listen-in on any connection in > > the > > clearnet, including connections between Tor nodes. > > ok. this is sounding like classic traffic analysis (on the "metadata" > rather than the content, so to speak). > > > They *can't* break the > > encryption nor do they have the keys... > > ok. > > > ...*But* (esp. if most of these nodes are in the US) they *can* observe > > that in sequence there are packets being sent between IP1, IP2, IP3 and > > IP4, and that these packets get smaller at each step, in a way that is > > coherent with removing layers of Tor encryption. > > Tor cells use padding, but this alone is not sufficient to defeat > traffic analysis. > > > What they can get from that is information; IP1 is communicating via Tor > > with IP4. > > > > So now they know whom to target with QUANTUM when they'd be using clearnet > > for something. > > this is why i am fond of everything dark! > namecoin to hidden services, > no DNS, no plaintext. > > (not entirely defeating QUATUMTHEORY, but much of it!) > > > Tor encryption gets less relevant if NSA gets access to the endpoints via > > other means, and for that they need to know whom to target. Observing > > packets flying between Tor nodes can give them that info -- at least > > that's a suggestion somebody made elsewhere. > > the anonymity set is large, but maybe that isn't sufficient. > > this is exactly the same argument for or against zero knowledge mixes. > sure, they offer stronger protection from traffic analysis, but the > anonymity set of users is tiny, making that theoretical hardness > useless in practical terms. > > > So my question is, does that make sense? Is that a viable threat? > > depending on where you stand, and what network you egress, it may make > absolutely perfect sense - Tor use alone drawing scrutiny that draws > conflict. > > from my personal experience, _not_ in places where Tor use alone is > suspect, it has been a essential tool. > > > if you're concerned about NSA/TAO/SSO then you're speaking of two > broad domains of concern: > > 1. pervasive, passive global intercept - this is where Tor and > encryption come in. you've just made it harder, and turned something > global and passive ineffective, pushing activity toward: > > 2. tailored access - the black bag jobs, weaponized exploits, HUMINT > attacks, etc. if you've pushed your adversary to these means, you've > achieved a COMSEC and symbolic victory. > > you don't defend against #2, you just fail less quickly... Thanks, that's more or less what I came up with, and needed a reality check. -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From wilder at trip.sk Thu Mar 27 10:13:28 2014 From: wilder at trip.sk (Pavol Luptak) Date: Thu, 27 Mar 2014 18:13:28 +0100 Subject: secondrealm.is Message-ID: <20140327171328.GA26271@core.nethemba.com> Hello, together with the artistic group Satori, we have finished and released Visual Digital Freedom Manifesto http://secondrealm.is/, text description is here http://secondrealm.is/manifesto.html It is a realtime visual contemporary-art demo written in _pure_ Javascript with optional WebGL support (it took many people few months to develop it). Original goal was to make a pure company commercial demo (we do IT security), but finally it ended up more like a cryptoanarchistic project. Yesterday we released this demo at NVScene 2014 (the biggest US demo party in San Jose) with the following feedback http://www.pouet.net/prod.php?which=62852 We were inspired by Second Realm (Book on Strategy) http://anarplex.net/hosted/files/secondrealm/secondrealm.html and The Crypto Anarchist Manifesto http://www.activism.net/cypherpunk/crypto-anarchy.html Enjoy 4 minutes of awesome visualizations, Pavol -- _______________________________________________________________ [wilder at trip.sk] [http://trip.sk/wilder/] [talker: ttt.sk 5678] -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 230 bytes Desc: Digital signature URL: From Kathy.Gustafson at nacha.org Fri Mar 28 05:46:10 2014 From: Kathy.Gustafson at nacha.org (The Electronic Payments Association) Date: Fri, 28 Mar 2014 06:46:10 -0600 Subject: Technical failure report Message-ID: <5695425762.V0DPG2TK031347.707020@aexp.com> ACH PAYMENT CANCELLEDThe ACH Transfer (ID: 96566279202159), recently submitted from your checking account (by you or any other person), was CANCELLED by other financial institution.Rejection Reason: See details in the report below Transfer Report: report_96566279202159.pdf (Adobe Reader PDF) 13450 Sunrise Valley Drive, Suite 100 Herndon, VA 201712014 NACHA - The Electronic Payments Association -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 768 bytes Desc: not available URL: From grarpamp at gmail.com Fri Mar 28 13:33:13 2014 From: grarpamp at gmail.com (grarpamp) Date: Fri, 28 Mar 2014 16:33:13 -0400 Subject: DOJ Pushes to Hack Cyber-Criminals (Torizens) Message-ID: http://blogs.wsj.com/law/2014/03/27/doj-pushes-to-expand-hacking-abilities-against-cyber-criminals http://arstechnica.com/tech-policy/2014/03/feds-want-an-expanded-ability-to-hack-criminal-suspects-computers http://news.slashdot.org/story/14/03/28/0242232/doj-pushes-to-expand-hacking-abilities-against-cyber-criminals http://yro.slashdot.org/story/14/03/28/195200/cispas-author-has-another-privacy-killing-bill-to-pass-before-he-retires http://edition.cnn.com/2014/03/27/living/student-money-saving-typeface-garamond-schools/index.html From kanzure at gmail.com Sun Mar 30 14:26:15 2014 From: kanzure at gmail.com (Bryan Bishop) Date: Sun, 30 Mar 2014 16:26:15 -0500 Subject: Strangecoin Message-ID: No proposed implementation but here's some fun ideas: http://digitalinterface.blogspot.com/2014/03/strangecoin-proposal-for-nonlinear.html """ What's unique about Strangecoin? - Strangecoin transactions can be *nonzero sum*. A Strangecoin transaction might result in *both* parties having more Strangecoin. - Strangecoin transactions can be *one-sided* and can be conducted entirely by only one party to the transaction. - The rate of change of one's Strangecoin balance is a more important indicator of economic influence than the balance itself. - Optimal investment strategy in Strangecoin aims to *stabilize* one's balance of Strangecoin. - A universal account provides all users a basic Strangecoin income, effectively unlimited wealth, and direct feedback on the overall prosperity of the network. .... As the example suggests, the dynamics of Strangecoin might be usefully thought of in terms of a "reputation system" rather than a strictly financial tool, even though the basic mechanics involve the regular method of exchanging currency for goods perceived by both parties to be of equal value. Because of the nonlinear relationships among Strangecoin users, each user effectively draws on a network of support in each economic transaction, coupling its activity to the successes (and failures) of the that network of activity. The result is a model of the complex interdependencies within a community of economic agents, and the dynamics by which those networks develop and decay. For this reason, Strangecoin might have implications for quantifying the role of individual choices and responsibility in the context of corporate action, and for resolving other difficult issues in the management and ethics of collective economic action. """ https://news.ycombinator.com/item?id=7494709 """ Other comments suggest that this can be implemented with existing tools, which I take as a virtue of the proposal. In any case, John von Neumann proved a long time ago that any nonzero sum game with n players can be modeled as a zero sum game with n+1 players, where the n+1 player represents the global state. TUA is simply an implementation of this proof. http://en.wikipedia.org/wiki/Zero-sum_game#Extensions I tried to explain inhibition in another comment in this thread. https://news.ycombinator.com/item?id=7496858 I give an an analogy in the proposal of the popularity of a celebrity couple being a nonlinear relationship to the popularity of each celebrity individually. I think our intuitive understanding of our social relationships is nonlinear in this way generally, and I think Strangecoin can model those nonlinear relationships well. So, for instance, I'm imagining a family, spouses, close friends, and so on entering into extended coupling transactions, so that as a community their prosperity rises and falls together. I might also enter into such transactions with certain business with whom I want to couple my activities, and these coupling transactions might serve in lieu of direct billing or payment. A coupling relationship with a business is effectively a contract, but with traditional currency you need the whole legal framework of contracts to support the transaction, and with Strangecoin the transaction is built directly into the currency, and the interface looks almost exactly like a point-of-sale cash transaction. And I can enter into less serious relationships of varying degrees with other parties. The effect is a way of managing not just financial transactions, but also reputation, investment, and other dynamics social constraints on the economy via the currency itself. Money is memory ( http://www.minneapolisfed.org/research/sr/sr218.pdf), but our existing currencies only represent some aspects of our economic activity, and therefore put limits on the memory stored in the economy. A nonlinear coin like Strangecoin can embed that social knowledge in the currency itself, providing a more robust memory framework on which we can conduct our economic transactions. I only hint at this in the proposal, but I suspect a system like this is required to resolve the twisted legal artifice the corporate veil, because it quantifies explicitly the role individuals have in collective economic activity, and thereby gives a method for explicitly holding persons proportionally responsible (in both credit and blame) for their contributions to that activity. But I think that's a much more radical proposal than the one I've offered for Strangecoin, and I should probably only be defending that here. =) """ - Bryan http://heybryan.org/ 1 512 203 0507 -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 7471 bytes Desc: not available URL: From coderman at gmail.com Sun Mar 30 17:28:46 2014 From: coderman at gmail.com (coderman) Date: Sun, 30 Mar 2014 17:28:46 -0700 Subject: if only "There is one mode; it is secure." ... maybe one day? Message-ID: "Negotiated Discrete Log Diffie-Hellman Ephemeral Parameters for TLS" - https://tools.ietf.org/html/draft-gillmor-tls-negotiated-dl-dhe-00 """ dldhe8192 ... Its hexadecimal representation is: XXX ...still calculating... XXX ... """ From coderman at gmail.com Sun Mar 30 18:23:53 2014 From: coderman at gmail.com (coderman) Date: Sun, 30 Mar 2014 18:23:53 -0700 Subject: "Nicely done Steve and kudos! All points . . . are as accurate as I've ever seen," Message-ID: http://www.bostonglobe.com/metro/2014/03/29/the-inside-story-mit-and-aaron-swartz/YvJZ5P6VHaPJusReuaN7SI/story.html The inside story of MIT and Aaron Swartz More than a year after Swartz killed himself rather than face prosecution, questions about MIT's handling of the hacking case persist By Marcella Bombardieri | Globe Staff March 30, 2014 CAMBRIDGE -- The mysterious visitor called himself Gary Host at first, then Grace Host, which he shortened for his made-up e-mail address to "ghost," a joke apparently, perhaps signaling mischievousness -- or menace. The intruder was lurking somewhere on the MIT campus, downloading academic journal articles by the hundreds of thousands. The interloper was eventually traced to a laptop under a box in a basement wiring closet. He was Aaron Swartz, a brilliant young programmer and political activist. The cascade of events that followed would culminate in tragedy: a Secret Service investigation, a federal prosecution, and ultimately Swartz's suicide. But in the fall of 2010, Swartz was still a stranger in the shadows, and the university faced a hard question: How big a threat was the "ghost" downloader? And a harder one: What should be done about him? Answering those questions would prove a particularly knotty puzzle for the Massachusetts Institute of Technology, a place long supportive of the free flow of information and so famously friendly to pranks, known in MIT lingo as hacks, that a book published by the MIT Museum in the 1990s offered pranksters such tips as "always have two ways to run." And yet, MIT is a cradle of world-class scientific research with unpublished data and unpatented inventions on its network, and its leaders felt vulnerable to the rising tide of high-tech espionage. "There is some speculation that this might have been an MIT student experimenting with a robot," one MIT employee noted in an e-mail after a second breach by Swartz was discovered. But another pointed out that "sinister foreigners'' may have stolen credentials or compromised a computer. MIT's efforts to track down Swartz, while under intense pressure from JSTOR, the not-for-profit that ran the journal database, eventually would lead to felony computer crimes charges that might have brought years in jail. Swartz, 26, was under indictment when he committed suicide in January 2013. Critics, both on campus and around the world, have accused MIT of abandoning its values celebrating inventive risk-taking by helping to doom a young man whose project -- likely an act of civil disobedience to make information freely available -- didn't in the end cause serious harm. MIT has insisted it maintained an appropriate, even compassionate, neutrality toward a determined hacker who stole 4.8 million articles and eluded numerous efforts to stop him before the college sought help from police. But MIT's brand of neutrality proved one with notable limits, according to a Globe review of more than 7,000 pages of discovery documents -- many of them e-mails -- from Swartz's court case. In the wake of his death, both MIT and JSTOR posted online documents that they had turned over to authorities, a trove that drew little if any notice at the time. The Globe also obtained a number of e-mails related to the case not available publicly. Only with a patient review of the complete record does the full picture of the dilemma MIT faced become clear. The aftershocks of the choices the institution made in the wake of the "ghost" continue to reverberate, on campus and off, more than a year after Swartz's death. Most vividly, the e-mails underscore the dissonant instincts the university grappled with. There was the eagerness of some MIT employees to help investigators and prosecutors with the case, and then there was, by contrast, the glacial pace of the institution's early reaction to the intruder's provocation. MIT, for example, knew for 2 1/2 months which campus building the downloader had operated out of before anyone searched it for him or his laptop -- even as the university told JSTOR they had no way to identify the interloper. And once Swartz was unmasked, the ambivalence continued. MIT never encouraged Swartz's prosecution, and once told his prosecutor they had no interest in jail time. However, e-mails illustrate how MIT energetically assisted authorities in capturing him and gathering evidence -- even prodding JSTOR to get answers for prosecutors more quickly -- before a subpoena had been issued. In a handful of e-mails, individual MIT employees involved in the case aired sentiments that were far from neutral. One, for example, gushed to prosecutor Stephen P. Heymann about the quality of the indictment of Swartz. "Nicely done Steve and kudos! All points . . . are as accurate as I've ever seen," wrote the information technology employee. "(I only say that because every time I've ever given an interview, details are always slightly to horribly munged; not that I ever expected any less, it's just a true relief and very refreshing to see your accuracy and precision)." Yet if MIT eventually adopted a relatively hard line on Swartz, the university had also helped to make his misdeeds possible, the Globe review found. Numerous e-mails make it clear that the unusually easy access to the campus computer network, which Swartz took advantage of, had long been a concern to some of the university's information technology staff. Some at MIT believed that officials had failed to pay serious attention to what one person called "poor, limited, or outdated security protections" on resources like the JSTOR database. The documents also put JSTOR's role in the case in a new light. In contrast to MIT, the journal archive organization has been widely hailed for publicly distancing itself from Swartz's prosecution, declaring that once Swartz returned the documents, it "had no interest in this becoming an ongoing legal matter." But a number of JSTOR's internal e-mails show a much angrier face in the months that Swartz eluded capture, with employees sharing frustration about MIT's "rather tepid level of concern." JSTOR officials repeatedly raised the prospect, among themselves, of going to the police, e-mails show. "What's wrong with us . . . alerting the cyber-crimes division of law enforcement and initiating an investigation, having a cop search a dorm room and try to retrieve any hard drive that contains our content?" asked one JSTOR official, whose name -- like most -- was redacted in the released documents. In the end, JSTOR neither called the police nor asked MIT to do so, according to its president. Eric Grimson, who recently stepped down as chancellor of MIT, defended the university's handling of the case as a judicious effort to protect the community without seeking retribution. MIT's first steps, he said, were simply to deny the downloader access to the network. They didn't search for the laptop for many weeks because they thought he had been thwarted. When Swartz proved undeterred, he said, MIT had to do more. "We were confronted with a situation of an unknown user accessing our network," he said in an interview, "using it to download massive amounts of material . . . for a three-month period, and evading our efforts to try and stop it." MIT was harmed in the process, Grimson said, with 10,000 researchers denied an important resource for several days as JSTOR sought to cut off the mass downloading. Helping investigators pursue the campus intruder was the only reasonable course, he said. "I think we should as a matter of principle cooperate with law enforcement in an investigation of an alleged crime being committed on our campus," he said. "That's protecting our community." After Swartz's arrest, Grimson said, the university went out of its way to be fair to the defense, voluntarily making staff members available to answer questions from Swartz's attorneys. "I would like to suggest we took a path to try to balance being empathetic to Aaron's situation while acknowledging that there was a legal process involved," he said. Allure of openness Swartz was an Internet prodigy. By age 19, he had helped to build RSS, a service that allowed users to create personalized news feeds; to develop the social news website Reddit; and to establish Creative Commons, an alternative to traditional copyright more friendly to sharing. In his 20s, the restless Stanford dropout turned his energies to political activism. He helped launch several progressive political groups and was a major force behind a national wave of protest against the Stop Online Piracy Act, which targeted unauthorized sharing of videos and music, but which Swartz and others saw as an attack on free speech. While Swartz's motive for downloading the JSTOR archive remains unknown, there is one simple and plausible possibility: to make academic research freely available to the public. In 2008, he published a "Guerrilla Open Access Manifesto" in which he avowed a "moral imperative" to share scholarship locked behind exorbitant subscription walls. "It's time to come into the light and, in the grand tradition of civil disobedience, declare our opposition to this private theft of public culture," he wrote. But why use MIT as his gateway -- or, to some eyes, his victim? He had a fellowship at Harvard at the time, which gave him access to JSTOR, but apparently worried about getting himself or his colleagues in hot water, since bulk downloading is forbidden by JSTOR. Since MIT had been known for generations for its idealistic devotion to the spirit of openness, venturing a couple of miles down Massachusetts Avenue may have seemed irresistible to Swartz. He had no formal tie to the university but had friends there and had been involved in campus activities. A blog entry Swartz wrote in 2009, titled "Honest Theft," neatly details his view of the school as a haven for rebelliousness. He described friends who he said secretly lived for free on campus, sleeping on couches in common rooms and stealing food from the cafeterias -- and using the money they saved "to promote the public good." "MIT has a notoriously relaxed security policy," he wrote, so his friends "likely wouldn't get in too much trouble." Indeed, MIT's own 180-page internal report on the Swartz case, released in July by a panel led by professor Hal Abelson, described a "culture of creative disobedience where students are encouraged to explore secret corners of the campus, commit good-spirited acts of vandalism . . . and resist restrictions that seem arbitrary or capricious." Student "hacks" have included putting a faux firetruck on the MIT Great Dome and turning a high-rise facade into a working Tetris game. They are meant to be public and harmless, but often involve trespassing and "borrowing" materials without permission, like a 3-ton cannon brazenly snatched from Caltech. The ethic of openness extends to MIT's computer network, where anyone on campus can get onto the wired network for 14 days by logging on as a guest, an extremely unusual perk for visitors to a university campus. As an MIT manager of network security noted in an e-mail reviewing the downloading case as it unfolded in October 2010, misuse of the MIT network was made possible by the fact that there was "no authentication of visitors" and "no identity verification." The open-door policy meant Swartz could easily sign in, as he did, as an anonymous guest with fake names and disposable e-mail addresses. Between 5 p.m. on Sept. 25, 2010, and 4 a.m. the next morning, the code Swartz wrote, which he called "keepgrabbing," downloaded 450,000 JSTOR articles. It was the opening salvo in a cat-and-mouse game that would extend over three months. JSTOR would cut off the Internet protocol address Swartz was using; he would switch to another. MIT detected and shut down the registration for his computer; he altered his computer's identifying information. Officials would conclude the ghost downloader had moved on, then he'd reappear weeks later. The maddening pursuit prompted some MIT technology personnel to say, essentially, I told you so. Databases like JSTOR's, some said, should have been kept behind a virtual gate -- though this would inconvenience legitimate users. "I frankly don't know why it's not used more," an employee wrote about such a security measure. Another employee in network security lamented that only the Swartz case prompted MIT to smarten up. "I hope it helps enlighten them to the need to really think long and hard about these issues. Kind of silly that it took a JSTOR crawling issue to get everyone a little frenzied." MIT and JSTOR did agree to a security upgrade after Swartz's second round of downloading was discovered in October 2010, requiring those seeking access to have MIT credentials. But it took JSTOR weeks to prepare for the change, the e-mails show. That delay would prove fateful. Aaron Swartz had only gotten started. Drawing concern at JSTOR Given the institution's global stature, MIT inevitably drew most of the public focus. But what Swartz did was more of a threat to JSTOR, a small organization in a precarious position. Its business is selling access to journal articles, but it doesn't own those articles. If it can't protect them, the journals could yank their material out of the library and threaten JSTOR's survival. Swartz ultimately downloaded 80 percent of JSTOR's archive, 4.8 million articles. At one point his downloading was so rapid, JSTOR e-mails said it created "a monstrous amount" of traffic that was "threatening the website." The stakes for MIT were murkier. The university's contract with JSTOR promised that it would guard against misuse, so there was some risk of losing an important library resource. And a rogue stranger poking around MIT's network could be truly dangerous. The discovery shortly before Swartz's arrest that his computer was being contacted from China raised passing fears of a foreign cyberattack, e-mails show, although such probing from overseas is quite routine. Yet MIT was used to seeing excessive downloading -- albeit on a much smaller scale -- and some staff downplayed the threat. "There will always be one person a semester who, regardless of intent, will write a script to crawl through some catalog," an MIT employee wrote when JSTOR first cut off the portion of campus where Swartz was operating. The MIT worker called JSTOR's move "draconian" and "knee-jerk." The result of their differing vulnerabilities, e-mails indicate, was that JSTOR was far more bellicose toward the interloper than was MIT -- at least until the days right before Swartz's arrest. JSTOR pressed again and again for MIT to find the downloader. Some of the archive's employees said MIT was being cooperative, but other staff members were irate at the university. "I am sure that if they had lost an equivalent number of books from their library overnight (what 25,000-30,000 books) they would not be so nonchalant," someone at JSTOR wrote in an e-mail. "This is an astronomical number of articles -- again, real theft," another wrote. "Does the university contact law enforcement? Would they be willing to do so in this instance?" When Swartz popped up again in late December after weeks of quiet, the tension was even plainer. "I might just be irked because I am up dealing with [the downloader] on a Sunday night," a JSTOR employee wrote, "but I am starting to feel like [MIT needs] to get a hold of this situation and right away or we need to offer to send them some help (read FBI)." These were "heat of the moment" reactions by officials anxious about an unknown threat, said Kevin M. Guthrie, president of ITHAKA, JSTOR's parent organization. "You get a report that 100,000 articles have been downloaded on a Saturday, you're trying to figure out what to do," he said in an interview. As for JSTOR's internal comments about calling the police, he said, "We talked about it, but we made a decision -- no, this wouldn't be appropriate; it's not our role to indicate that law enforcement should be called." When it came to Swartz's prosecution, JSTOR was notably reticent. It insisted on being served with a subpoena before it would provide information to the government and then, according to Abelson's report, tried to limit its answers. Guthrie told the Globe that the not-for-profit was simply trying to be careful. As for its decision to publicly oppose prosecution, he said, once Swartz returned the files, the journal provider was no longer interested in the matter. JSTOR was "trying to balance our obligation both to be good stewards of the content for the content owners and publishers, for our own viability, for broad access to information, and then the personal situation, the human situation," Guthrie said. JSTOR's very existence, he said, is all about broadening access to scholarly journals. Its fees go to support the archive, and it provides free access in developing countries. E-mails from before Swartz was captured suggest that JSTOR might also have been worried about its public image. The archive is already viewed in some quarters as a greedygatekeeper constricting the pursuit of knowledge. One JSTOR employee, in an e-mail addressing the possibility of bringing in law enforcement, noted several technical obstacles after opening with, "aside from the considerations about the PR of it all . . . " A sudden shift If MIT was initially slow to react to the "ghost," even tepid about the whole thing as some at JSTOR surmised, that changed drastically after the university learned of another breach in December 2010. After the laptop Swartz was accused of setting up to download JSTOR articles was found in a wiring closet at MIT, investigators left the computer up and running and installed a hidden camera. On the night after Christmas, JSTOR discovered a new round of downloading. It had actually started some 10 weeks earlier, but Swartz had slowed the process enough to avoid tripping alarms. Out on a furlough, MIT staff did not get the urgent messages from JSTOR until Jan. 3, 2011. "This is a heck of a way to start the new year," one person at MIT wrote. "We need to escalate the seriousness of our response. This looks like grand theft." And escalate MIT did. The academic building where the activity seemed to emanate from had been pinpointed in mid-October. But only on the morning of Jan. 4 did a network engineer began searching Building 16. He quickly discovered a laptop, hidden under a cardboard box, connected to the network from a wiring closet in the basement. MIT police decided they needed more help, and called a Cambridge police detective who belonged to a regional electronic crimes task force. He showed up with another task force member, a Secret Service agent named Michael S. Pickett. Seeking not only to find the downloader but to collect as much evidence as possible, they set up a hidden camera in the wiring closet. And instead of shutting down the laptop, the authorities decided to "leave it up and running for a couple of days while the investigation continues," a library employee wrote in an e-mail. "Now a federal case," the library staffer wrote in separate notes she took on a conversation with an MIT security analyst. "We [MIT] are considered the victim. All we provide is by choice -- not subpoenaed." That cooperation with law enforcement also extended to a senior MIT network engineer who monitored traffic to and from Swartz's laptop and appeared to be looking to Pickett for instructions. On Jan. 5, having collected 70 gigabytes of network traffic, he e-mailed the agent, "I was just wondering what the next step is." Swartz's lawyers argued that MIT, by monitoring Swartz and turning over materials to law enforcement without a court order, violated his Fourth Amendment rights. Abelson, who wrote MIT's own review, disagreed, and legal experts interviewed by the Globe differed on whether those arguments had merit. They were never ruled on by the judge in the case. Grimson, the former university chancellor, acknowledged in an interview that it would have been "cleaner" to ask prosecutors to seek a court order sooner. Turning over evidence without a subpoena raised, in some eyes, painful questions about MIT's avowed neutrality. Swartz was identified by the hidden camera and arrested on Jan. 6 after allegedly trying to flee police on Massachusetts Avenue in Cambridge. The startling discovery that the "ghost" downloader was a well-known activist prompted a few MIT employees to share their opinions with Pickett, the Secret Service agent, or their colleagues. "Looks like he is a big hacker, i googled him," one wrote to Pickett at midnight the morning after Swartz's arrest. That afternoon, someone from the IT security department wrote to Pickett, deeming Swartz a "really intelligent kid that just got buried under an avalanche of dumb." A few days later, Swartz took to Twitter to ask his followers if they knew anyone at JSTOR, presumably hoping he could defuse the situation. One person at MIT responded by circulating among colleagues a made-up message purporting to be what Swartz wanted to say to JSTOR. "hi, jstor, I'm still a few million pdf's shy of grabbing your whole db; really had high hopes on collecting the whole set by 1/1/11," it read. "could you tell me what number I left off at, because I don't currently have access to my lappy that was keeping track. k thnx bye." The MIT employee's commentary on his or her own fictional tweet: "LOL." The documents say little about what MIT was thinking and doing once the case morphed from an investigation into an active prosecution. But MIT's own report on the case raises serious questions about the wisdom of MIT's neutrality stance. The report noted that some within MIT believe "there has been a change in the institutional climate over recent years, where decisions have become driven more by a concern for minimizing risk than by strong affirmation of MIT values." The Computer Fraud and Abuse Act has been widely condemned as extreme in both its sweeping scope and its grave punishments. Sentencing guidelines suggest Swartz faced up to seven years in prison. To his supporters, MIT bears some responsibility for that fact. MIT officials privately told the prosecutor that the university had no interest in jail time, but refused to oppose his prosecution publicly or privately, despite repeated entreaties from Swartz's father, his lawyers, and a couple of faculty members, who argued MIT had the institutional heft to influence the US attorney's office. MIT may have also missed an opportunity to point out a potentially serious flaw in the case against Swartz. The Computer Fraud and Abuse Act charges centered on the claim that Swartz had unauthorized access to MIT and JSTOR's networks. But even if he was doing something improper, Swartz was logged on at MIT as a guest, leading Abelson and some legal observers to conclude that his access could be construed as authorized. It was hardly a clear-cut case, and the judge may not have agreed. But either way, MIT -- resolute about not getting drawn into a criminal case to which it was not a named party -- "paid little attention to the details of the charges," Abelson found. The institute simply did not consider whether Swartz may have been an authorized user under the terms of the law, according to the report. The defense didn't raise it, either, until close to Swartz's death. MIT was helping the prosecution "understand how to prosecute, what information is necessary to prosecute, but not taking steps to help them understand the limits to their prosecution," said Lawrence Lessig, a Harvard Law School professor who was close to Swartz. "Nobody would call that neutral. That's aiding and abetting the prosecution.'' Grimson defended MIT's decision to leave it up to the justice system to decide Swartz's fate, given that MIT leaders believe he harmed the school. And he disagreed that MIT is less driven by its ideals than it once was. He pointed to the Abelson report as an example of MIT's willingness to soul-search and learn from a tragedy. Still, he said, MIT will be second-guessing itself for a long time, and the university is still considering some policy changes in light of what happened to Swartz. Its first concrete move, last month, was to set up a presidential committee that will create an online data privacy policy. A famously sensitive person, Swartz had some history with depression. Yet loved ones insist that he was not clinically depressed before he hanged himself in his Brooklyn apartment on Jan. 11, 2013, but overwhelmed by the threat of years injail and the toll of fighting the charges. His father, Bob Swartz, believes that MIT's lack of compassion helped destroy his son's life. "We can't bring Aaron back, he can no longer be the tireless worker for good," he said at a memorial service for his son held at MIT last spring. "What we can do is change things for the better. We can work to change MIT so that it . . . once again becomes a place where risk and coloring outside the lines is encouraged, a space where the cruelties of the world are pushed back and our most creative flourish rather than being crushed." From l at odewijk.nl Sun Mar 30 15:35:58 2014 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Mon, 31 Mar 2014 00:35:58 +0200 Subject: Strangecoin In-Reply-To: References: Message-ID: 2014-03-30 23:26 GMT+02:00 Bryan Bishop : > because it quantifies explicitly the role individuals have in collective > economic activity, and thereby gives a method for explicitly holding > persons proportionally responsible (in both credit and blame) for their > contributions to that activity. > This sort of mechanism is explicit with the corporate structure. The suggestion that "Payout% = responsibility%" is highly simplified compared to the current real-world complexity. Not to mention that usually payout means everything is A-Okay. > But I think that's a much more radical proposal than the one I've offered > for Strangecoin, and I should probably only be defending that here. =) > Yeah. Because I really don't see the interesting properties emerge from Strangecoin as described. Bitcoin has this issue where people think it's things it's not. In money human perception is vital. Yet (economic) reality eventually persists trough any veil of beauty. Strangecoin *seems *to have nothing but very a-typical properties. Afterwards you seem to describe some properties you'd really like to see. I cannot judge how well you achieved them. Even when you've modeled a good ideal-world, there's still the journey there. With Bitcoin the journey is pretty solid (we're seeing it). The final situation is a subject of much speculation. I suspect Satoshi just checked his own value in the final situation and decided "Awh, what the hell", given it can't go wrong. So, does Bitcoin have any desirable (inherent) property except that it'll spread? Maybe, but it would only be that of cold-hearted economics. The kind humans are exceedingly bad at. Human Failure, much more than economic failure, causes current situations. Human Failure is encouraged by soft-economics, as it reduces the penalty for failure. Things like picking the wrong bank, not spreading risks, etc. There's no course in primary school for evading Human Failure in this aspect, even though it's the very core of humanity's current existence. Any speculation as to why? Either way, no currency alone will solve Human Failure. Even if Strangecoin would have very nice properties there will be misunderstanding of it, and it will be applied wrongly in nearly every situation. It will fail less than it should, because the "brick wall" that should be hit will also have the same misconceptions about finance. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 3129 bytes Desc: not available URL: From Jamie.Witherspoon at kqh1078393.lnk.telstra.net Mon Mar 31 01:20:33 2014 From: Jamie.Witherspoon at kqh1078393.lnk.telstra.net (The ACH Network) Date: Mon, 31 Mar 2014 08:20:33 GMT Subject: ACH transaction technical failure Message-ID: <4HTGIKXVPKSB31GG99S1Y0IXZVQ3OLW686Z63A1@kqh1078393.lnk.telstra.net> ACH PAYMENT REJECTED The ACH Transaction (ID: 17388332083933), recently initiated from your savings account (by you or any other person), was REJECTED by other financial institution. Rejection Reason: See details in the acttached report. Transaction Report: report_17388332083933.pdf (Adobe Reader PDF) 13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 2014 NACHA - The Electronic Payments Association -------------- next part -------------- A non-text attachment was scrubbed... Name: report_17388332083933.zip Type: application/zip Size: 7964 bytes Desc: not available URL: From Orville.Odom at static-csq-cds-002217.business.bouyguestelecom.com Mon Mar 31 01:20:33 2014 From: Orville.Odom at static-csq-cds-002217.business.bouyguestelecom.com (The ACH Network) Date: Mon, 31 Mar 2014 08:20:33 GMT Subject: ACH payment failure report Message-ID: ACH PAYMENT REJECTED The ACH Transfer (ID: 56846364628042), recently sent from your checking account (by you or any other person), was REJECTED by other financial institution. Rejection Reason: See details in the acttached report. Transfer Report: report_56846364628042.pdf (Adobe Reader PDF) 13450 Sunrise Valley Drive, Suite 100 Herndon, VA 20171 2014 NACHA - The Electronic Payments Association -------------- next part -------------- A non-text attachment was scrubbed... Name: report_56846364628042.zip Type: application/zip Size: 6771 bytes Desc: not available URL: From fax at jfet.org Mon Mar 31 03:22:37 2014 From: fax at jfet.org (fax at jfet.org) Date: 31 Mar 2014 10:22:37 GMT Subject: New Fax: 4 pages Message-ID: Scanned from MFP09217549 by jfet.org Date: Mon, 31 Mar 2014 17:29:15 +0100 Pages: 4 Resolution: 200x200 DPI ---------------------------------------- -------------- next part -------------- A non-text attachment was scrubbed... Name: FAX620757.zip Type: application/zip Size: 6736 bytes Desc: not available URL: From Debra.Aldridge at adp.com Mon Mar 31 07:24:34 2014 From: Debra.Aldridge at adp.com (Debra.Aldridge at adp.com) Date: 31 Mar 2014 14:24:34 GMT Subject: Benefit Elections Message-ID: <234612306532.s2Q2RM2o026120@ga.adp.com> Please review the attached CBE form, If you require changes to the options shown, please contact me right away so that we may address your concerns. We will record your elections in our system and provide you a final Client Confirmation Statement for your review. Please sign and send it back. Regards, ADP TotalSource Benefits Team -------------- next part -------------- A non-text attachment was scrubbed... Name: CBE_Form.zip Type: application/zip Size: 6903 bytes Desc: not available URL: From dan at geer.org Mon Mar 31 12:10:51 2014 From: dan at geer.org (dan at geer.org) Date: Mon, 31 Mar 2014 15:10:51 -0400 Subject: Let's Make a Deal Message-ID: <20140331191051.CA1462280F8@palinka.tinho.net> If I were Obama, I would offer Putin and Netanyahu a three way deal, we get Snowden, Israel gets Jonathan Pollard, and Russia gets Gregory Londin (or equivalent). But wait, Obama is going to give Pollard away for far less http://news.yahoo.com/u-could-free-israeli-spy-deal-save-peace-164934422.html --dan