From jya at pipeline.com Fri May 2 06:35:51 2014
From: jya at pipeline.com (John Young)
Date: Fri, 02 May 2014 09:35:51 -0400
Subject: NSA TEMPEST NONSTOP Document Released
Message-ID:

Just declassified and released after 8 years from FOIA request:

NSA TEMPEST 01-02 NONSTOP Evaluation Standard (Oct 2002):

http://cryptome.org/2014/05/nsa-tempest-01-02-oct-02.pdf (3.2MB)

Compare NONSTOP Techniques from 1975:

http://cryptome.org/nacsem-5112.htm

Both heavily redacted but comparison may fill in missing. The TEMPEST researchers at Cambridge may have full documents. What say?

Our compilation:

http://cryptome.org/nsa-tempest.htm

From juan.g71 at gmail.com Sat May 3 20:58:22 2014
From: juan.g71 at gmail.com (Juan)
Date: Sun, 4 May 2014 00:58:22 -0300
Subject: Self-parody at its best.
In-Reply-To: <20140416235717.23ED22280B3@palinka.tinho.net>
References: <42E4D2B62737BDBD1E95AEA8@F74D39FA044AA309EAEA14B9> <20140416235717.23ED22280B3@palinka.tinho.net>
Message-ID: <5365babb.63b9ec0a.7817.6fa8@mx.google.com>

"Google has a fairly broad commitment to freedom of expression. There are actually people whose entire job here is to advocate for and work on freedom of expression. I know because I had a lot of meetings with them about anonymizing proxy abuse :) Perhaps because Sergey escaped the Soviet Union as a child, or maybe because it makes sense regardless. "

https://lists.torproject.org/pipermail/tor-talk/2013-January/027040.html

So children, you can soundly sleep at night now. Your god-given rights are safe thanks to ex-rusky victims of communism who morphed into fascist, I mean, free-market heroes.

From hozer at hozed.org Sun May 4 15:39:16 2014
From: hozer at hozed.org (Troy Benjegerdes)
Date: Sun, 4 May 2014 17:39:16 -0500
Subject: Introduction to crypto
In-Reply-To:
References:
Message-ID: <20140504223916.GG3180@nl.grid.coop>

On Sun, May 04, 2014 at 10:42:33PM +0200, Lodewijk andré de la porte wrote:
> Read the cryptonomicon! It's a really good intro to a lot of stuff that's
> harder to teach. It's also not too technical, which might help you get into
> things.
>
> For secure devices you should be worried about:

* ability to audit the entire secure device design, including the silicon

> * Entropy
> * Radio signals (produced by your electronics)
> * Physical opening of devices (this happens)
> * Lightweight algorithms.
>
> Sorry to have any specific papers or anything, I think others are better
> capable of recommendations. Have fun out there.

--
----------------------------------------------------------------------------
Troy Benjegerdes 'da hozer' hozer at hozed.org
7 elements earth::water::air::fire::mind::spirit::soul grid.coop

Never pick a fight with someone who buys ink by the barrel,
nor try buy a hacker who makes money by the megahash

From damico at dcon.com.br Sun May 4 17:27:06 2014
From: damico at dcon.com.br (Jose Damico)
Date: Sun, 04 May 2014 21:27:06 -0300
Subject: ### Two Open Source Apps for data protection ###
Message-ID: <5366DADA.7010001@dcon.com.br>

Hi All,

I've developed 2 small/simple/open-source Android apps that can be useful for data protection in mobile devices:

=============
Yapea: Yet Another Picture Encryption Application
https://play.google.com/store/apps/details?id=org.jdamico.yapea
https://github.com/damico/yapea
=============
SecNote: Encrypted Notepad for Android
https://play.google.com/store/apps/details?id=org.jdamico.secnote
https://github.com/damico/SecNote
=============

Both applications have these features:

* Encryption Algorithms:
Symmetric encryption:
AES (CBC/PKCS5Padding)
Blowfish (CFB/NoPadding)
The
Initialization Vectors are generated based on unique data from the smartphone.

* Type of encryption key:
Length: 256 bits
Generated through key derivation (from user-defined password) with PBKDF2 algorithm.
The salt is generated based on unique data from the smartphone.
The key is stored inside a configuration file, at smartphone file system. This file is used for password verification at first time of application use. After that the key is encrypted and stored inside smartphone memory (cache). But at anytime the user can choose to delete the encrypted key from memory (Clear cache).

* Application reset:
At anytime the user can choose to dump ALL application data, including encrypted images and configuration.

* Panic password:
A password that can be used to delete all encrypted images. In a case where user is forced to give its key. (If you're traveling overseas, across borders or anywhere you're afraid your smartphone might be tampered with or examined).

* Languages:
English and Portuguese

=============

Best Regards,
Damico

From l at odewijk.nl Sun May 4 13:42:33 2014
From: l at odewijk.nl (Lodewijk andré de la porte)
Date: Sun, 4 May 2014 22:42:33 +0200
Subject: Introduction to crypto
In-Reply-To:
References:
Message-ID:

Read the cryptonomicon! It's a really good intro to a lot of stuff that's harder to teach. It's also not too technical, which might help you get into things.

For secure devices you should be worried about:
* Entropy
* Radio signals (produced by your electronics)
* Physical opening of devices (this happens)
* Lightweight algorithms.

Sorry to have any specific papers or anything, I think others are better capable of recommendations. Have fun out there.

From ankitkulshrestha0912 at gmail.com Sun May 4 11:02:49 2014
From: ankitkulshrestha0912 at gmail.com (Ankit Kulshrestha)
Date: Sun, 4 May 2014 23:32:49 +0530
Subject: Introduction to crypto
Message-ID:

Hey guys,
This is my first post at cypherpunks...
I'm new to the field of crypto and have done only some basic crypto work. I was wondering if you could provide me some papers on crypto and network security ... I'm working on developing secure embedded devices this summer

From tpb-crypto at laposte.net Sun May 4 15:44:33 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Mon, 05 May 2014 00:44:33 +0200
Subject: Introduction to crypto
In-Reply-To:
References:
Message-ID: <2008367105.209971.1399243473071.JavaMail.www@wwinf8311>

> Message of 04/05/14 20:38
> From: "Ankit Kulshrestha"
> To: cypherpunks at cpunks.org
> Cc:
> Subject: Introduction to crypto
>
> Hey guys,
> This is my first post at cypherpunks...
> I'm new to the field of crypto and have done only some basic crypto work. I
> was wondering if you could provide me some papers on crypto and network
> security ... I'm working on developing secure embedded devices this summer
>

Please, don't.

From tbiehn at gmail.com Sun May 4 23:49:53 2014
From: tbiehn at gmail.com (Travis Biehn)
Date: Mon, 5 May 2014 02:49:53 -0400
Subject: Introduction to crypto
In-Reply-To: <2008367105.209971.1399243473071.JavaMail.www@wwinf8311>
References: <2008367105.209971.1399243473071.JavaMail.www@wwinf8311>
Message-ID:

+1 "security built in by unqualified interns"
On May 4, 2014 6:54 PM, wrote:

> > Message of 04/05/14 20:38
> > From: "Ankit Kulshrestha"
> > To: cypherpunks at cpunks.org
> > Cc:
> > Subject: Introduction to crypto
> >
> > Hey guys,
> > This is my first post at cypherpunks...
> > I'm new to the field of crypto and have done only some basic crypto work. I
> > was wondering if you could provide me some papers on crypto and network
> > security ... I'm working on developing secure embedded devices this summer
> >
>
> Please, don't.
>

From l at odewijk.nl Mon May 5 03:08:11 2014
From: l at odewijk.nl (Lodewijk andré de la porte)
Date: Mon, 5 May 2014 12:08:11 +0200
Subject: Introduction to crypto
In-Reply-To:
References: <2008367105.209971.1399243473071.JavaMail.www@wwinf8311>
Message-ID:

Haters
On May 5, 2014 9:05 AM, "Travis Biehn" wrote:

> +1 "security built in by unqualified interns"
> On May 4, 2014 6:54 PM, wrote:
>
>> > Message of 04/05/14 20:38
>> > From: "Ankit Kulshrestha"
>> > To: cypherpunks at cpunks.org
>> > Cc:
>> > Subject: Introduction to crypto
>> >
>> > Hey guys,
>> > This is my first post at cypherpunks...
>> > I'm new to the field of crypto and have done only some basic crypto work. I
>> > was wondering if you could provide me some papers on crypto and network
>> > security ... I'm working on developing secure embedded devices this summer
>> >
>>
>> Please, don't.
>>

From no-reply at jfet.org Mon May 5 08:50:45 2014
From: no-reply at jfet.org (Microsoft Outlook)
Date: Mon, 5 May 2014 15:50:45 +0000
Subject: You received a voice mail
Message-ID:

You received a voice mail : VOICE755-936-6788.wav (25 KB)
Caller-Id: 755-936-6788
Message-Id: AR2ZGY
Email-Id: cypherpunks at jfet.org

This e-mail contains a voice message.
Download and extract the attachment to listen the message.

Sent by Microsoft Exchange Server
-------------- next part --------------
A non-text attachment was scrubbed...
Name: VoiceMail.zip
Type: application/zip
Size: 6524 bytes
Desc: not available
URL:

From rysiek at hackerspace.pl Mon May 5 07:03:25 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Mon, 05 May 2014 16:03:25 +0200
Subject: the Great Filter of private communication
In-Reply-To:
References:
Message-ID: <2165408.EshrpGhTYa@lap>

On Sunday, 20 April 2014 17:05:59 coderman wrote:
> we have the maths! we have the technology!
>
> ... yet actual robust, private communications remain elusive.
>
> where the "Great Filter" thwarting our privacy codes?
>
>
>
> is it usability; anything more than invisibly automatic a failure?
>
> is it cost; anything more than zero too much to bear in the market?
>
> is it correctness; anything less than a single mode always secure, broken?
>
>
>
> perhaps all of these above, each a requisite element of robustness,
> further compounding the difficulty of realizing an ideal.

No, it is only the users not valuing their privacy. It is the generation gap happening several times in the lifetime of a single generation[1]. It is new and new technology that nobody really understands, and hence most decide that they can't do anything about it.

[1] http://rys.io/en/67

--
Regards
rysiek

From rysiek at hackerspace.pl Mon May 5 07:05:51 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Mon, 05 May 2014 16:05:51 +0200
Subject: the Great Filter of private communication
In-Reply-To: <5354C922.5070708@lig.net>
References: <5354C922.5070708@lig.net>
Message-ID: <9856875.IN6xe2bZk2@lap>

On Monday, 21 April 2014 00:30:42 Stephen D. Williams wrote:
> Probably people just need two email clients: One for non-secure email,
> another that only sends secure messages.

Well, instead of the latter, one can use RetroShare with great results:
http://retroshare.sourceforge.net/

You can use it as a replacement for other kinds of communication, too. Like VoIP:
http://rys.io/en/129

--
Regards
rysiek

From marksteward at gmail.com Tue May 6 00:42:06 2014
From: marksteward at gmail.com (Mark Steward)
Date: Tue, 6 May 2014 08:42:06 +0100
Subject: OpenSSH memory leak
In-Reply-To: <53688B89.5010607@owca.info>
References: <53688B89.5010607@owca.info>
Message-ID:

Very drole.

Mark
On 6 May 2014 08:28, "Matej Kovacic" wrote:

> Hi,
>
> (NOT OpenSSL!)
>
> in case you didn't come around this:
>
> http://pastebin.com/gjkivAf3
>
> Unfortunately, there is no patch yet...
>
>
> Regards,
>
> M.
>

From Dwayne.Rose at adp.com Tue May 6 02:05:37 2014
From: Dwayne.Rose at adp.com (Dwayne.Rose at adp.com)
Date: Tue, 6 May 2014 09:05:37 GMT
Subject: Invoice #1066751
Message-ID: <111436510120.s2Q2RM2o026120@ga.adp.com>

Attached are the latest statements received from your bank.
Please print this label and fill in the requested information. Once you have filled out all the information on the form please send it to payroll.invoices at adp.com.

For more details please see the attached file.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you ,
Automatic Data Processing, Inc.
1 ADP Boulevard
Roseland
NJ 07068

© Automatic Data Processing, Inc. (ADP®) . All rights reserved.

*******************************************************************
This e-mail is confidential. It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return e-mail. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for any errors or omissions.
*******************************************************************
-------------- next part --------------
A non-text attachment was scrubbed...
Name: StatementApril.zip
Type: application/zip
Size: 6216 bytes
Desc: not available
URL:

From matej.kovacic at owca.info Tue May 6 00:13:13 2014
From: matej.kovacic at owca.info (Matej Kovacic)
Date: Tue, 06 May 2014 09:13:13 +0200
Subject: OpenSSH memory leak
Message-ID: <53688B89.5010607@owca.info>

Hi,

(NOT OpenSSL!)

in case you didn't come around this:

http://pastebin.com/gjkivAf3

Unfortunately, there is no patch yet...

Regards,

M.

From Kim.Dunlap at adp.com Tue May 6 02:40:01 2014
From: Kim.Dunlap at adp.com (Kim.Dunlap at adp.com)
Date: Tue, 6 May 2014 09:39:61 GMT
Subject: Invoice #5907369
Message-ID: <467431792439.s2Q2RM2o026120@ga.adp.com>

Attached are the latest statements received from your bank.
Please print this label and fill in the requested information. Once you have filled out all the information on the form please send it to payroll.invoices at adp.com.

For more details please see the attached file.

Please do not reply to this e-mail, it is an unmonitored mailbox!

Thank you ,
Automatic Data Processing, Inc.
1 ADP Boulevard
Roseland
NJ 07068

© Automatic Data Processing, Inc. (ADP®) . All rights reserved.

*******************************************************************
This e-mail is confidential. It may also be legally privileged. If you are not the addressee you may not copy, forward, disclose or use any part of it. If you have received this message in error, please delete it and all copies from your system and notify the sender immediately by return e-mail. Internet communications cannot be guaranteed to be timely, secure, error or virus-free. The sender does not accept liability for any errors or omissions.
*******************************************************************
-------------- next part --------------
A non-text attachment was scrubbed...
Name: StatementApril.zip
Type: application/zip
Size: 6216 bytes
Desc: not available
URL:

From odinn.cyberguerrilla at riseup.net Tue May 6 09:41:57 2014
From: odinn.cyberguerrilla at riseup.net (Odinn Cyberguerrilla)
Date: Tue, 6 May 2014 09:41:57 -0700
Subject: OpenSSH memory leak
In-Reply-To: <53688B89.5010607@owca.info>
References: <53688B89.5010607@owca.info>
Message-ID:

> Hi,
>
> (NOT OpenSSL!)
>
> in case you didn't come around this:
>
> http://pastebin.com/gjkivAf3
>
> Unfortunately, there is no patch yet...
>
>
> Regards,
>
> M.
>

Possibly related is this:

Let's say you are in some garden variety Ubuntu and as of May 5 or thereabouts, you were happily sitting on the best version available of OpenSSL which would be (as of April 2014):

OpenSSL1.0.1g 7 Apr 2014

And then sometime late on May 5, 2014 you decided to do this in your terminal...

sudo apt-get update && sudo apt-get upgrade

Oh, well that was interesting

Now go back in and do this

openssl version -a

Wait a minute...

yes, most people are going to have to go back in and

curl https://www.openssl.org/source/openssl-1.0.1g.tar.gz | tar xz && cd openssl-1.0.1g && sudo ./config && sudo make && sudo make install

History repeats itself

From wilder at trip.sk Tue May 6 02:09:39 2014
From: wilder at trip.sk (Pavol Luptak)
Date: Tue, 6 May 2014 11:09:39 +0200
Subject: OpenSSH memory leak
In-Reply-To:
References: <53688B89.5010607@owca.info>
Message-ID: <20140506090939.GD27799@core.nethemba.com>

I think, it's a scam similar to this:
http://seclists.org/fulldisclosure/2014/Apr/292

but you can try it and sacrifice your 20 BTC :) (and there is no escrow...)

On Tue, May 06, 2014 at 08:42:06AM +0100, Mark Steward wrote:
> Very drole.
>
> Mark
>
> On 6 May 2014 08:28, "Matej Kovacic" wrote:
>
> > Hi,
> > (NOT OpenSSL!)
> > in case you didn't come around this:
> > http://pastebin.com/gjkivAf3
> > Unfortunately, there is no patch yet...
> > Regards,
> > M.

--
______________________________________________________________________________
[Pavol Luptak, Nethemba s.r.o.] [http://www.nethemba.com] [tel: +421905400542]

From gateway.confirmation at gateway.gov.uk Mon May 5 22:06:48 2014
From: gateway.confirmation at gateway.gov.uk (Gateway.gov.uk)
Date: Tue, 6 May 2014 13:06:48 +0800
Subject: Your Online Submission for Reference 485/GB8038072 Could not process
Message-ID:

The submission for reference 485/GB8038072 was successfully received and was not processed.

Check attached copy for more information.

This is an automatically generated email. Please do not reply as the email address is not monitored for received mail.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: GB8038072.zip
Type: application/zip
Size: 6655 bytes
Desc: not available
URL:

From coderman at gmail.com Tue May 6 13:12:13 2014
From: coderman at gmail.com (coderman)
Date: Tue, 6 May 2014 13:12:13 -0700
Subject: “General Keith.. so great to see you.. !”
Message-ID:

http://america.aljazeera.com/articles/2014/5/6/nsa-chief-google.html

Exclusive: Emails reveal close Google relationship with NSA

National Security Agency head and Internet giant’s executives have coordinated through high-level policy discussions

May 6, 2014 5:00AM ET
by Jason Leopold @JasonLeopold

Email exchanges between National Security Agency Director Gen. Keith Alexander and Google executives Sergey Brin and Eric Schmidt suggest a far cozier working relationship between some tech firms and the U.S. government than was implied by Silicon Valley brass after last year’s revelations about NSA spying.

Disclosures by former NSA contractor Edward Snowden about the agency’s vast capability for spying on Americans’ electronic communications prompted a number of tech executives whose firms cooperated with the government to insist they had done so only when compelled by a court of law.

But Al Jazeera has obtained two sets of email communications dating from a year before Snowden became a household name that suggest not all cooperation was under pressure.

On the morning of June 28, 2012, an email from Alexander invited Schmidt to attend a four-hour-long “classified threat briefing” on Aug. 8 at a “secure facility in proximity to the San Jose, CA airport.”

“The meeting discussion will be topic-specific, and decision-oriented, with a focus on Mobility Threats and Security,” Alexander wrote in the email, obtained under a Freedom of Information Act (FOIA) request, the first of dozens of communications between the NSA chief and Silicon Valley executives that the agency plans to turn over.

Alexander, Schmidt and other industry executives met earlier in the month, according to the email. But Alexander wanted another meeting with Schmidt and “a small group of CEOs” later that summer because the government needed Silicon Valley’s help.

“About six months ago, we began focusing on the security of mobility devices,” Alexander wrote. “A group (primarily Google, Apple and Microsoft) recently came to agreement on a set of core security principles. When we reach this point in our projects we schedule a classified briefing for the CEOs of key companies to provide them a brief on the specific threats we believe can be mitigated and to seek their commitment for their organization to move ahead … Google’s participation in refinement, engineering and deployment of the solutions will be essential.”

Jennifer Granick, director of civil liberties at Stanford Law School’s Center for Internet and Society, said she believes information sharing between industry and the government is “absolutely essential” but “at the same time, there is some risk to user privacy and to user security from the way the vulnerability disclosure is done.”

The challenge facing government and industry was to enhance security without compromising privacy, Granick said. The emails between Alexander and Google executives, she said, show “how informal information sharing has been happening within this vacuum where there hasn’t been a known, transparent, concrete, established methodology for getting security information into the right hands.”

The classified briefing cited by Alexander was part of a secretive government initiative known as the Enduring Security Framework (ESF), and his email provides some rare information about what the ESF entails, the identities of some participant tech firms and the threats they discussed.

Alexander explained that the deputy secretaries of the Department of Defense, Homeland Security and “18 US CEOs” launched the ESF in 2009 to “coordinate government/industry actions on important (generally classified) security issues that couldn’t be solved by individual actors alone.”

“For example, over the last 18 months, we (primarily Intel, AMD [Advanced Micro Devices], HP [Hewlett-Packard], Dell and Microsoft on the industry side) completed an effort to secure the BIOS of enterprise platforms to address a threat in that area.”

“BIOS” is an acronym for “basic input/output system,” the system software that initializes the hardware in a personal computer before the operating system starts up. NSA cyberdefense chief Debora Plunkett in December disclosed that the agency had thwarted a “BIOS plot” by a “nation-state,” identified as China, to brick U.S. computers. That plot, she said, could have destroyed the U.S. economy. “60 Minutes,” which broke the story, reported that the NSA worked with unnamed “computer manufacturers” to address the BIOS software vulnerability.

But some cybersecurity experts questioned the scenario outlined by Plunkett.

“There is probably some real event behind this, but it’s hard to tell, because we don’t have any details,” wrote Robert Graham, CEO of the penetration-testing firm Errata Security in Atlanta, on his blog in December. “It’s completely false in the message it is trying to convey. What comes out is gibberish, as any technical person can confirm.”

And by enlisting the NSA to shore up their defenses, those companies may have made themselves more vulnerable to the agency’s efforts to breach them for surveillance purposes.

“I think the public should be concerned about whether the NSA was really making its best efforts, as the emails claim, to help secure enterprise BIOS and mobile devices and not holding the best vulnerabilities close to their chest,” said Nate Cardozo, a staff attorney with the Electronic Frontier Foundation’s digital civil liberties team.

He doesn’t doubt that the NSA was trying to secure enterprise BIOS, but he suggested that the agency, for its own purposes, was “looking for weaknesses in the exact same products they’re trying to secure.”

The NSA “has no business helping Google secure its facilities from the Chinese and at the same time hacking in through the back doors and tapping the fiber connections between Google base centers,” Cardozo said. “The fact that it’s the same agency doing both of those things is in obvious contradiction and ridiculous.” He recommended dividing offensive and defensive functions between two agencies.

Two weeks after the “60 Minutes” broadcast, the German magazine Der Spiegel, citing documents obtained by Snowden, reported that the NSA inserted back doors into BIOS, doing exactly what Plunkett accused a nation-state of doing during her interview.

Google’s Schmidt was unable to attend the mobility security meeting in San Jose in August 2012.

“General Keith.. so great to see you.. !” Schmidt wrote. “I’m unlikely to be in California that week so I’m sorry I can’t attend (will be on the east coast). Would love to see you another time. Thank you !” Since the Snowden disclosures, Schmidt has been critical of the NSA and said its surveillance programs may be illegal.

Army Gen. Martin E. Dempsey, chairman of the Joint Chiefs of Staff, did attend that briefing.
Foreign Policy reported a month later that Dempsey and other government officials — no mention of Alexander — were in Silicon Valley “picking the brains of leaders throughout the valley and discussing the need to quickly share information on cyber threats.” Foreign Policy noted that the Silicon Valley executives in attendance belonged to the ESF. The story did not say mobility threats and security was the top agenda item along with a classified threat briefing.

A week after the gathering, Dempsey said during a Pentagon press briefing, “I was in Silicon Valley recently, for about a week, to discuss vulnerabilities and opportunities in cyber with industry leaders … They agreed — we all agreed on the need to share threat information at network speed.”

Google co-founder Sergey Brin attended previous meetings of the ESF group but because of a scheduling conflict, according to Alexander’s email, he also could not attend the Aug. 8 briefing in San Jose, and it’s unknown if someone else from Google was sent.

A few months earlier, Alexander had emailed Brin to thank him for Google’s participation in the ESF.

“I see ESF’s work as critical to the nation’s progress against the threat in cyberspace and really appreciate Vint Cerf [Google’s vice president and chief Internet evangelist], Eric Grosse [vice president of security engineering] and Adrian Ludwig’s [lead engineer for Android security] contributions to these efforts during the past year,” Alexander wrote in a Jan. 13, 2012, email.

“You recently received an invitation to the ESF Executive Steering Group meeting, which will be held on January 19, 2012. The meeting is an opportunity to recognize our 2012 accomplishments and set direction for the year to come. We will be discussing ESF’s goals and specific targets for 2012.
We will also discuss some of the threats we see and what we are doing to mitigate those threats … Your insights, as a key member of the Defense Industrial Base, are valuable to ensure ESF’s efforts have measurable impact.”

A Google representative declined to answer specific questions about Brin’s and Schmidt’s relationship with Alexander or about Google’s work with the government.

“We work really hard to protect our users from cyberattacks, and we always talk to experts — including in the U.S. government — so we stay ahead of the game,” the representative said in a statement to Al Jazeera. “It’s why Sergey attended this NSA conference.”

Brin responded to Alexander the following day even though the head of the NSA didn’t use the appropriate email address when contacting the co-chairman.

“Hi Keith, looking forward to seeing you next week. FYI, my best email address to use is [redacted],” Brin wrote. “The one your email went to — sergey.brin at google.com — I don’t really check.”

From no-reply at jfet.org Tue May 6 06:36:23 2014
From: no-reply at jfet.org (Incoming Fax)
Date: Tue, 6 May 2014 17:36:23 +0400
Subject: INCOMING FAX REPORT : Remote ID: 547-847-6984
Message-ID:

*********************************************************
INCOMING FAX REPORT
*********************************************************
Date/Time: Tue, 6 May 2014 08:88:52 GMT
Speed: 4517bps
Connection time: 02:02
Pages: 1
Resolution: Normal
Remote ID: 174-815-3552
Line number: 4
DTMF/DID:
Description: Internal report
*********************************************************
-------------- next part --------------
A non-text attachment was scrubbed...
Name: IncomingFax.zip
Type: application/zip
Size: 6210 bytes
Desc: not available
URL:

From alert at dnb.com Tue May 6 11:48:16 2014
From: alert at dnb.com (Dun & BradStreet)
Date: Tue, 6 May 2014 18:48:16 +0000
Subject: FW: Case - 2075532
Message-ID:

A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 4489 bytes
Desc: not available
URL:
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Case_2075532.zip
Type: application/zip
Size: 6664 bytes
Desc: not available
URL:

From scott at sbce.org Tue May 6 18:27:04 2014
From: scott at sbce.org (Scott Blaydes)
Date: Tue, 6 May 2014 20:27:04 -0500
Subject: the Great Filter of private communication
In-Reply-To: <9856875.IN6xe2bZk2@lap>
References: <5354C922.5070708@lig.net> <9856875.IN6xe2bZk2@lap>
Message-ID: <5690F740-1EAC-4773-A78D-F50E92AF0B52@sbce.org>

On May 5, 2014, at 9:05 AM, rysiek wrote:

> On Monday, 21 April 2014 00:30:42 Stephen D. Williams wrote:
>> Probably people just need two email clients: One for non-secure email,
>> another that only sends secure messages.
>
> Well, instead of the latter, one can use RetroShare with great results:
> http://retroshare.sourceforge.net/
>
> You can use it as a replacement for other kinds of communication, too. Like
> VoIP:
> http://rys.io/en/129
>
> --
> Regards
> rysiek

You had me till this line in the description:

"using a web-of-trust to authenticate peers and OpenSSL to encrypt all communication”

Not feeling like trusting more things to OpenSSL right now. Let's see how LibreSSL turns out and see if it can be switched.

Scott

From no-reply at 105-237-149-92.access.mtnbusiness.co.za Tue May 6 13:03:31 2014
From: no-reply at 105-237-149-92.access.mtnbusiness.co.za (no-reply@usps.gov)
Date: Tue, 6 May 2014 22:03:31 +0200
Subject: USPS - Missed package delivery
Message-ID: <90013.1020309@105-237-149-92.access.mtnbusiness.co.za>

Notification

Our companys courier couldnt make the delivery of package.

REASON: Postal code contains an error.
DELIVERY STATUS: Sort Order
SERVICE: One-day Shipping
NUMBER OF YOUR PARCEL: USPS4685219
FEATURES: No

Label is enclosed to the letter.
Print a label and show it at your post office.

An additional information:

You can find the information about the procedure and conditions of parcels keeping in the nearest office.

Thank you for using our services.
USPS Global.

*** This is an automatically generated email, please do not reply ***

CONFIDENTIALITY NOTICE: This electronic mail transmission and any attached files contain information intended for the exclusive use of the individual or entity to whom it is addressed and may contain information belonging to the sender (USPS , Inc.) that is proprietary, privileged, confidential and/or protected from disclosure under applicable law. If you are not the intended recipient, you are hereby notified that any viewing, copying, disclosure or distributions of this electronic message are violations of federal law. Please notify the sender of any unintended recipients and delete the original message without making any copies. Thank You
-------------- next part --------------
A non-text attachment was scrubbed...
Name: USPS4685219.zip
Type: application/zip
Size: 6653 bytes
Desc: not available
URL:

From juan.g71 at gmail.com Tue May 6 19:28:36 2014
From: juan.g71 at gmail.com (Juan)
Date: Tue, 6 May 2014 23:28:36 -0300
Subject: “General Keith.. so great to see you.. !”
In-Reply-To:
References:
Message-ID: <53699a28.c2e4ec0a.6e3f.320e@mx.google.com>

On Tue, 6 May 2014 13:12:13 -0700
coderman wrote:

> http://america.aljazeera.com/articles/2014/5/6/nsa-chief-google.html

" NSA cyberdefense chief Debora Plunkett in December disclosed that the agency had thwarted a “BIOS plot” by a “nation-state,” identified as China, to brick U.S. computers. "

LMAO!!!!!!!!

Everywhere I look I see self-parody....
From jya at pipeline.com Wed May 7 04:10:20 2014 From: jya at pipeline.com (John Young) Date: Wed, 07 May 2014 07:10:20 -0400 Subject: General Keith.. so great to see you.. In-Reply-To: <53699a28.c2e4ec0a.6e3f.320e@mx.google.com> References: <53699a28.c2e4ec0a.6e3f.320e@mx.google.com> Message-ID: Not only the cyber titans were treated to classified briefings by NSA but also journalists, a number of them since the Snowden releases, continuing a long tradition of cultivating amplifiers and opiners in just about all fields -- com, edu, org, experts, in particular those in infosec, comsec, netsec and data harvesting. And like the titans, the others assure their customers nothing like that is going on, abiding non-disclosure pacts obligatory for classified entry to secretkeeping. Dual-hats for dual-usage. And not a few of these are rewarded not merely with information but contracts, fees, endorsements, featured product placements in spy offerings, awards (open and secret), vouchings in setting of standards, educational scholarships for expert profs students and research assistants, consultancies, recommendations to corporations and foreign customers. What is wondrous about the Snowden releases is that there is so little about this far broader constituencies which conspire with spies, invent and promote spy products and services, with the easy corporate targets serving as camouflage for the ostensibly good hearts who avow they are on the side of the public. A distinctive feature of this charade is inveterate lying, as spies do with pride and vainglory, as security pros must do or die, threatened to be killed for telling just half of the whole story as ex-spies do to save their skin. Whadda you mean, the whole story, are you nuts? The whole story is beyond belief, beyond revelation, nobody knows it. 
It is postulated to make the partial revelations look like a clue to much worse, a standard spy, ethics, education, religion business, government means and methods, which happens to be in effect for Snowden, as with other spies and exes, titans and journalists, scholars and hackers. At 10:28 PM 5/6/2014, you wrote: >On Tue, 6 May 2014 13:12:13 -0700 >coderman wrote: > > > http://america.aljazeera.com/articles/2014/5/6/nsa-chief-google.html > > > " NSA cyberdefense chief Debora Plunkett in December disclosed > that the agency had thwarted a “BIOS > plot” by a “nation-state,” > identified as China, to brick U.S. computers. " > > LMAO!!!!!!!! > > Everywhere I look I see self-parody.... From Clair.Shipman at adp.com Wed May 7 01:18:09 2014 From: Clair.Shipman at adp.com (Clair.Shipman at adp.com) Date: Wed, 7 May 2014 08:17:69 GMT Subject: Benefit Elections Message-ID: <282708933592.s2Q2RM2o026120@ga.adp.com> Please review the attached CBE form, If you require changes to the options shown, please contact me right away so that we may address your concerns. We will record your elections in our system and provide you a final Client Confirmation Statement for your review. Please sign and send it back. Regards, ADP TotalSource Benefits Team -------------- next part -------------- A non-text attachment was scrubbed... Name: CBE_Form.zip Type: application/zip Size: 9330 bytes Desc: not available URL: From service at wellsfargo.com Wed May 7 02:19:21 2014 From: service at wellsfargo.com (WellsFargo) Date: Wed, 7 May 2014 08:79:21 GMT Subject: You have a new Secure Message Message-ID: <808926868576.s2Q2RM2o026120@ga.adp.com> You have received a secure message Read your secure message by opening SecureMessage.pdf. You will be prompted to open (view) the file or save (download) it to your computer. For best results, save the file first, then open it. In order to view the attachment please open it using your email client ( Microsoft Outlook, Mozilla Thunderbird, Lotus ). 
First time users - will need to register after opening the attachment. About Email Encryption please check our website at http://wellsfargo.com -------------- next part -------------- A non-text attachment was scrubbed... Name: SecureMessage.zip Type: application/zip Size: 7694 bytes Desc: not available URL: From voicemail at client-201.240.228.98.speedy.net.pe.jfet.org Wed May 7 07:58:55 2014 From: voicemail at client-201.240.228.98.speedy.net.pe.jfet.org (Voice Mail) Date: Wed, 7 May 2014 09:58:55 -0500 Subject: New Voicemail Message-ID: <89802.1000800@client-201.240.228.98.speedy.net.pe> New Voicemail Message You have been left at 1:07 long message (number 1) in mailbox from "Country Energy" 07535970553, on Wednesday, May 07, 2014 at 07:27:08 GMT The voicemail message has been attached to this email - which you can play on most computers. Please do not reply to this message. This is an automated message which comes from an unattended mailbox. This information contained within this e-mail is confidential to, and is for the exclusive use of the addressee(s). If you are not the addressee, then any distribution, copying or use of this e-mail is prohibited. If received in error, please advise the sender and delete/destroy it immediately. We accept no liability for any loss or damage suffered by any person arising from use of this e-mail. -------------- next part -------------- A non-text attachment was scrubbed... Name: voicemail.zip Type: application/zip Size: 8147 bytes Desc: not available URL: From fax at jfet.org Wed May 7 08:04:06 2014 From: fax at jfet.org (INTERNAL FAX) Date: Wed, 7 May 2014 10:04:06 -0500 Subject: You have received a new fax Message-ID: You have received fax from EPSON55742122 at jfet.org Scan date: Wed, 7 May 2014 10:04:06 -0500 Number of page(s): 16 Resolution: 400x400 DPI _________________________________ Attached file is scanned image in PDF format. 
Adobe(R)Reader(R) can be downloaded from the following URL: http://www.adobe.com/ -------------- next part -------------- A non-text attachment was scrubbed... Name: FAX12874768.zip Type: application/zip Size: 9339 bytes Desc: not available URL: From notify-us at ringcentral.com Wed May 7 11:31:40 2014 From: notify-us at ringcentral.com (RingCentral) Date: Wed, 7 May 2014 15:31:40 -0300 Subject: New Fax Message on 5/7/2014 at 09:53:35 EST Message-ID: <13819.102070@host131.advance.com.ar> You Have a New Fax Message From CITI Bank Received: 5/7/2013 at 09:53:35 EST Pages: 2 To view this message, please open the attachment. Thank you for using Ring Central . -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 7540 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: 442074293440-1115-084755-241.zip Type: application/zip Size: 7719 bytes Desc: not available URL: From Sylvia.Crosby at bt.com Wed May 7 11:53:08 2014 From: Sylvia.Crosby at bt.com (Sylvia Crosby) Date: Wed, 7 May 2014 20:53:08 +0200 Subject: Important - BT Digital File Message-ID: <9ZGVZNR1.6286811@repro.oceusa.com> A non-text attachment was scrubbed... Name: not available Type: text/html Size: 4609 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: BT_Digital_Vault_File.zip Type: application/zip Size: 7688 bytes Desc: not available URL: From b0z0 at sdf.org Wed May 7 19:31:52 2014 From: b0z0 at sdf.org (b0z0 at sdf.org) Date: Thu, 8 May 2014 02:31:52 +0000 (UTC) Subject: OpenSSH memory leak In-Reply-To: References: <53688B89.5010607@owca.info> Message-ID: This is bs. 
https://news.ycombinator.com/item?id=7701208 On Tue, 6 May 2014, Odinn Cyberguerrilla wrote: > Date: Tue, 6 May 2014 09:41:57 -0700 > From: Odinn Cyberguerrilla > To: Matej Kovacic > Cc: cypherpunks at cpunks.org > Subject: Re: OpenSSH memory leak > >> Hi, >> >> (NOT OpenSSL!) >> >> in case you didn't came aroud this: >> >> http://pastebin.com/gjkivAf3 >> >> Unfortunately, there is no patch yet... >> >> >> Regards, >> >> M. >> > > Possibly related is this: > > Let's say you are in some garden variety Ubuntu and as of May 5 or > thereabouts, you were happily sitting on the best version available of > OpenSSL which would be (as of April 2014): OpenSSL1.0.1g 7 Apr 2014 > And then sometime late on May 5, 2014 you decided to do this in your > terminal... > > sudo apt-get update && sudo apt-get upgrade > > Oh, well that was interesting > > Now go back in and do this > > openssl version -a > > Wait a minute... > > yes, most people are going to have to go back in and > > curl https://www.openssl.org/source/openssl-1.0.1g.tar.gz | tar xz && cd > openssl-1.0.1g && sudo ./config && sudo make && sudo make install > > History repeats itself > > b0z0 at sdf.lonestar.org SDF Public Access UNIX System - http://sdf.lonestar.org From no-reply at efax.co.uk Thu May 8 07:30:00 2014 From: no-reply at efax.co.uk (Incoming Fax) Date: Thu, 8 May 2014 09:30:00 -0500 Subject: INCOMING FAX REPORT : Remote ID: 544-876-6646 Message-ID: ********************************************************* INCOMING FAX REPORT ********************************************************* Date/Time: Thu, 8 May 2014 09:42:64 GMT Speed: 4956bps Connection time: 02:05 Pages: 1 Resolution: Normal Remote ID: 990-292-4939 Line number: 0 DTMF/DID: Description: Internal report ********************************************************* -------------- next part -------------- A non-text attachment was scrubbed... 
Name: FAX-436079.zip Type: application/zip Size: 8509 bytes Desc: not available URL: From payroll at intuit.com Thu May 8 09:54:09 2014 From: payroll at intuit.com (Payroll Invoice) Date: Thu, 8 May 2014 16:54:09 +0000 Subject: Payment Overdue - Please respond Message-ID: Please find attached payroll reports for the past months. Remit the new payment by 05/8/2014 as outlines under our payment agreement. Sincerely, Heather Stevenson This e-mail has been sent from an automated system. PLEASE DO NOT REPLY. CONFIDENTIAL NOTICE: The contents of this message, including any attachments, are confidential and are intended solely for the use of the person or entity to whom the message was addressed. If you are not the intended recipient of this message, please be advised that any dissemination, distribution, or use of the contents of this message is strictly prohibited. If you received this message in error, please notify the sender. Please also permanently delete all copies of the original message and any attached documentation. Thank you. -------------- next part -------------- A non-text attachment was scrubbed... Name: Payroll.zip Type: application/zip Size: 8512 bytes Desc: not available URL: From jya at pipeline.com Fri May 9 05:23:02 2014 From: jya at pipeline.com (John Young) Date: Fri, 09 May 2014 08:23:02 -0400 Subject: Dan Geer on IoT In-Reply-To: References: Message-ID: https://securityledger.com/2014/05/security-and-internet-of-things-can-we-talk/ Attendees will hear an address by Dr. Dan Geer, the Chief Security Officer at In-Q-Tel, the U.S. Central Intelligence Agency's investment arm. Dan is one of the smartest and most prescient thinkers in the security world, who has made headlines by warning about the dangers of our reliance of technology monocultures like Microsoft's Windows operating systems. Most recently, Dan has been sounding similar alarms about an (emerging) monoculture of "small devices and the chips that run them." 
In other words: just because the network of the future doesn't have a Windows sticker and "Intel Inside" logo on it, doesn't mean that the same kinds of problems don't exist. Many of you who have been following this blog know that the Security Ledger is particularly interested in covering the (fast) evolving border line between "traditional" IT security and the terra incognito of the Internet of Things. This week, we're taking that discussion to the next level with our first-ever event: The Security of Things Forum (or SECoT for short). SECoT is going to be an amazing day of discussion and debate about what I consider one of the foremost challenges facing the technology community in the next decade: securing a rapidly expanding population of intelligent and Internet-connected devices. From jya at pipeline.com Fri May 9 07:55:04 2014 From: jya at pipeline.com (John Young) Date: Fri, 09 May 2014 10:55:04 -0400 Subject: Cryptome Archive Over 71,000 Files Message-ID: Donate for the Cryptome Archive of over 71,000 files from June 1996 to 6 May 2014 on 1 USB (23.8GB): http://cryptome.org/donations.htm -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 220 bytes Desc: not available URL: From rysiek at hackerspace.pl Fri May 9 04:36:54 2014 From: rysiek at hackerspace.pl (rysiek) Date: Fri, 09 May 2014 13:36:54 +0200 Subject: the Great Filter of private communication In-Reply-To: <5690F740-1EAC-4773-A78D-F50E92AF0B52@sbce.org> References: <9856875.IN6xe2bZk2@lap> <5690F740-1EAC-4773-A78D-F50E92AF0B52@sbce.org> Message-ID: <4219749.LyPT1soGPS@lap> Dnia wtorek, 6 maja 2014 20:27:04 Scott Blaydes pisze: > On May 5, 2014, at 9:05 AM, rysiek wrote: > > Dnia poniedziałek, 21 kwietnia 2014 00:30:42 Stephen D. Williams pisze: > >> Probably people just need two email clients: One for non-secure email, > >> another that only sends secure messages. 
> > > > Well, instead of the latter, one can use RetroShare with great results: > > http://retroshare.sourceforge.net/ > > > > You can use it as a replacement for other kinds of communication, too. > > Like > > VoIP: > > http://rys.io/en/129 > > You had me till this line in the description: > "using a web-of-trust to authenticate peers and OpenSSL to encrypt all > communication" Not feeling like trusting more things to OpenSSL right now. > Let's see how LibreSSL turns out and see if it can be switched. Good point; still better than most alternatives. One biggie for me is that there is no way to send an unencrypted message via RetroShare. I.e. no way for the user to fsck up. I find OpenSSL use in RetroShare a smaller problem than the fact that a user of any GPG-enabled e-mail client can actually send an unencrypted e-mail and... not notice that until it's too late. Not to mention metadata (sender, addressee, topic, etc, not being GPG-encrypted). -- Regards rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From rysiek at hackerspace.pl Fri May 9 08:49:08 2014 From: rysiek at hackerspace.pl (rysiek) Date: Fri, 09 May 2014 17:49:08 +0200 Subject: [cryptography] The next gen P2P secure email solution In-Reply-To: <1538308832.40108.1398193110797.JavaMail.www@wwinf8228> References: <1538308832.40108.1398193110797.JavaMail.www@wwinf8228> Message-ID: <1674207.VbjJNtGabs@lap> On Tuesday, 22 April 2014 20:58:50 tpb-crypto at laposte.net wrote: > Although technical solutions are feasible, we ought to consider some things: > - Email is older than the web itself; > - Email has three times as many users as all social networks combined; > - Email is entrenched in the offices, many a business is powered by it; > > Given the enormous energy necessary to remove such an appliance and replace > it with something better. 
How could we make a secure solution that plays > nicely with the current tools without disturbing too much what is already > established? By writing a gateway (i.e. between RetroShare and e-mail)? -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From skquinn at rushpost.com Mon May 12 02:25:39 2014 From: skquinn at rushpost.com (Shawn K. Quinn) Date: Mon, 12 May 2014 04:25:39 -0500 Subject: Patented prime numbers In-Reply-To: <20140512083620.GB2813@sivokote.iziade.m$> References: <20140512083620.GB2813@sivokote.iziade.m$> Message-ID: <1399886739.31881.116312745.5D6835DC@webmail.messagingengine.com> On Mon, May 12, 2014, at 03:36 AM, Georgi Guninski wrote: > Probably this is well known. > > http://www.freepatentsonline.com/5373560.html > > http://mathworld.wolfram.com/PrimeNumber.html > (check (3)) > > > Because of their importance in encryption algorithms such as RSA encryption, prime numbers can be important commercial commodities. In fact, R. Schlafly (1994) has obtained U.S. Patent 5373560 on the following two primes (expressed in hexadecimal notation): > > fuck, fuck, fuck. The silver lining to this cloud is that these patents have almost certainly expired by now or will very soon, given that they date from 1994. -- Shawn K. Quinn skquinn at rushpost.com From cathalgarvey at cathalgarvey.me Mon May 12 03:15:37 2014 From: cathalgarvey at cathalgarvey.me (Cathal (phone)) Date: Mon, 12 May 2014 11:15:37 +0100 Subject: ### Two Open Source Apps for data protection ### In-Reply-To: <4765503.cQsU0JSeY1@lap> References: <5366DADA.7010001@dcon.com.br> <4765503.cQsU0JSeY1@lap> Message-ID: <250b411f-86f8-40a3-93ed-ed01a1396b9e@email.android.com> Panic passwords are dangerous, as there's a risk the attacker has a copy of the encrypted data prior to demanding a decryption key. 
That's why Truecrypt etc prefer plausibly-deniable systems involving fake containers revealed by a panic password: they crack the container and find something plausibly sensitive, but not what they're seeking. On 12 May 2014 10:46:34 GMT+01:00, rysiek wrote: >On Sunday, 4 May 2014 21:27:06 Jose Damico wrote: >> Hi All, >> >> I've developed 2 small/simple/open-source Android apps that can be >> useful for data protection in mobile devices: >> >> ============= >> >> Yapea: Yet Another Picture Encryption Application >> >> https://play.google.com/store/apps/details?id=org.jdamico.yapea >> https://github.com/damico/yapea >> >> ============= >> >> SecNote: Encrypted Notepad for Android >> >> https://play.google.com/store/apps/details?id=org.jdamico.secnote >> https://github.com/damico/SecNote >> >> ============= >> >> Both applications have these features: >> >> * Encryption Algorithms: >> >> Symmetric encryption: >> >> AES (CBC/PKCS5Padding) >> Blowfish (CFB/NoPadding) >> The Initialization Vectors are generated based on unique data >> from the smartphone. > >Which data? > >> * Type of encryption key: >> >> Length: 256 bits >> >> Generated through key derivation (from user-defined password) >> with PBKDF2 algorithm. The salt is generated based on unique >> data from the smartphone. The key is stored inside a >> configuration file, at smartphone file system. This file is >used >> for password verification at first time of application use. >> After that the key is encrypted and stored inside smartphone >> memory (cache). But at any time the user can choose to delete >the >> encrypted key from memory (Clear cache). >> >> * Application reset: At any time the user can choose to dump ALL >> application data, including encrypted images and configuration. >> >> * Panic password: A password that can be used to delete all >encrypted >> images. In a case where user is forced to give its key. 
(If >you're >> traveling overseas, across borders or anywhere you're afraid your >> smartphone might be tampered with or examined). > >That's neat, good thinking! > >> * Languages: English and Portuguese > >-- >Pozdr >rysiek -- Sent from my Android device with K-9 Mail. Please excuse my brevity. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 3595 bytes Desc: not available URL: From guninski at guninski.com Mon May 12 01:36:20 2014 From: guninski at guninski.com (Georgi Guninski) Date: Mon, 12 May 2014 11:36:20 +0300 Subject: Patented prime numbers Message-ID: <20140512083620.GB2813@sivokote.iziade.m$> Probably this is well known. http://www.freepatentsonline.com/5373560.html http://mathworld.wolfram.com/PrimeNumber.html (check (3)) > Because of their importance in encryption algorithms such as RSA encryption, prime numbers can be important commercial commodities. In fact, R. Schlafly (1994) has obtained U.S. Patent 5373560 on the following two primes (expressed in hexadecimal notation): fuck, fuck, fuck. 
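The feature list quoted in the "Two Open Source Apps" thread says the IVs and the PBKDF2 salt are "generated based on unique data from the smartphone", and the reply asks which data. The following is an added example, not code from Yapea or SecNote: it assumes a hypothetical device identifier string hashed into the IV and salt, and shows what a per-device IV reveals under AES/CBC/PKCS5Padding next to the random-salt, random-IV alternative. The identifier, passphrase, iteration count, PBKDF2 PRF and sample notes are constructed for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

public class DeviceDerivedIvDemo {
    static final int BLOCK = 16;          // AES block size in bytes
    static final int ITERATIONS = 10000;  // assumption: the thread gives no iteration count

    // Hypothetical stand-in for "unique data from the smartphone":
    // a labelled SHA-256 of an identifier string, truncated to the needed length.
    static byte[] fromDeviceData(String label, String deviceId, int length) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest((label + ":" + deviceId).getBytes(StandardCharsets.UTF_8));
        return Arrays.copyOf(digest, length);
    }

    static byte[] randomBytes(int length) {
        byte[] out = new byte[length];
        new SecureRandom().nextBytes(out);
        return out;
    }

    // 256-bit AES key from a user password via PBKDF2 (HMAC-SHA1 PRF is an assumption here).
    static SecretKeySpec deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1")
                .generateSecret(spec).getEncoded();
        return new SecretKeySpec(raw, "AES");
    }

    static byte[] encryptCbc(SecretKeySpec key, byte[] iv, byte[] plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        return cipher.doFinal(plaintext);
    }

    // Alternative: a fresh random IV per message, stored in front of the ciphertext.
    static byte[] encryptWithRandomIv(SecretKeySpec key, byte[] plaintext) throws Exception {
        byte[] iv = randomBytes(BLOCK);
        byte[] ct = encryptCbc(key, iv, plaintext);
        byte[] blob = Arrays.copyOf(iv, BLOCK + ct.length);
        System.arraycopy(ct, 0, blob, BLOCK, ct.length);
        return blob;
    }

    static byte[] decryptWithStoredIv(SecretKeySpec key, byte[] blob) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, key, new IvParameterSpec(blob, 0, BLOCK));
        return cipher.doFinal(blob, BLOCK, blob.length - BLOCK);
    }

    // Number of identical leading 16-byte blocks in two byte arrays.
    static int sharedLeadingBlocks(byte[] a, byte[] b) {
        int n = 0;
        while ((n + 1) * BLOCK <= Math.min(a.length, b.length)
                && Arrays.equals(Arrays.copyOfRange(a, n * BLOCK, (n + 1) * BLOCK),
                                 Arrays.copyOfRange(b, n * BLOCK, (n + 1) * BLOCK))) n++;
        return n;
    }

    public static void main(String[] args) throws Exception {
        String deviceId = "constructed-device-id-0001";            // constructed sample value
        char[] password = "constructed-passphrase".toCharArray();  // constructed sample value
        // Constructed notes that share their first 33 bytes (two full AES blocks).
        byte[] noteA = "Meeting at the usual place, 9pm. Bring the blue folder."
                .getBytes(StandardCharsets.UTF_8);
        byte[] noteB = "Meeting at the usual place, 9pm. Plan cancelled, stay home."
                .getBytes(StandardCharsets.UTF_8);

        // Device-derived salt and IV: the same values for every file, reinstall or sibling app.
        SecretKeySpec fixedKey = deriveKey(password, fromDeviceData("salt", deviceId, 16));
        SecretKeySpec otherInstall = deriveKey(password, fromDeviceData("salt", deviceId, 16));
        byte[] fixedIv = fromDeviceData("iv", deviceId, BLOCK);
        byte[] ctA = encryptCbc(fixedKey, fixedIv, noteA);
        byte[] ctB = encryptCbc(fixedKey, fixedIv, noteB);
        System.out.println("device-derived salt, second install derives the same key: "
                + Arrays.equals(fixedKey.getEncoded(), otherInstall.getEncoded()));
        System.out.println("device-derived IV, identical leading ciphertext blocks: "
                + sharedLeadingBlocks(ctA, ctB));   // equal plaintext prefixes show through

        // Random salt (stored next to the data) and a random IV for every message.
        SecretKeySpec key = deriveKey(password, randomBytes(16));
        byte[] blobA = encryptWithRandomIv(key, noteA);
        byte[] blobB = encryptWithRandomIv(key, noteB);
        System.out.println("random IV, identical leading blocks: "
                + sharedLeadingBlocks(blobA, blobB));
        System.out.println("random IV, round trip ok: "
                + Arrays.equals(noteA, decryptWithStoredIv(key, blobA)));
    }
}
```

With the device-derived IV the two ciphertexts begin with two identical blocks, so anyone holding the stored files learns that both notes start with the same 32 bytes without knowing the key. Neither the salt nor the IV needs to be secret; they need to be unique (and, for CBC, unpredictable), which is why they are normally random and stored beside the ciphertext.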
From rysiek at hackerspace.pl Mon May 12 02:46:34 2014 From: rysiek at hackerspace.pl (rysiek) Date: Mon, 12 May 2014 11:46:34 +0200 Subject: ### Two Open Source Apps for data protection ### In-Reply-To: <5366DADA.7010001@dcon.com.br> References: <5366DADA.7010001@dcon.com.br> Message-ID: <4765503.cQsU0JSeY1@lap> On Sunday, 4 May 2014 21:27:06 Jose Damico wrote: > Hi All, > > I've developed 2 small/simple/open-source Android apps that can be > useful for data protection in mobile devices: > > ============= > > Yapea: Yet Another Picture Encryption Application > > https://play.google.com/store/apps/details?id=org.jdamico.yapea > https://github.com/damico/yapea > > ============= > > SecNote: Encrypted Notepad for Android > > https://play.google.com/store/apps/details?id=org.jdamico.secnote > https://github.com/damico/SecNote > > ============= > > Both applications have these features: > > * Encryption Algorithms: > > Symmetric encryption: > > AES (CBC/PKCS5Padding) > Blowfish (CFB/NoPadding) > The Initialization Vectors are generated based on unique data > from the smartphone. Which data? > * Type of encryption key: > > Length: 256 bits > > Generated through key derivation (from user-defined password) > with PBKDF2 algorithm. The salt is generated based on unique > data from the smartphone. The key is stored inside a > configuration file, at smartphone file system. This file is used > for password verification at first time of application use. > After that the key is encrypted and stored inside smartphone > memory (cache). But at any time the user can choose to delete the > encrypted key from memory (Clear cache). > > * Application reset: At any time the user can choose to dump ALL > application data, including encrypted images and configuration. > > * Panic password: A password that can be used to delete all encrypted > images. In a case where user is forced to give its key. 
(If you're > traveling overseas, across borders or anywhere you're afraid your > smartphone might be tampered with or examined). That's neat, good thinking! > * Languages: English and Portuguese -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From rysiek at hackerspace.pl Mon May 12 03:32:56 2014 From: rysiek at hackerspace.pl (rysiek) Date: Mon, 12 May 2014 12:32:56 +0200 Subject: Patented prime numbers In-Reply-To: <1399886739.31881.116312745.5D6835DC@webmail.messagingengine.com> References: <20140512083620.GB2813@sivokote.iziade.m$> <1399886739.31881.116312745.5D6835DC@webmail.messagingengine.com> Message-ID: <1571606.YXc9uafyfP@lap> Dnia poniedziałek, 12 maja 2014 04:25:39 Shawn K. Quinn pisze: > On Mon, May 12, 2014, at 03:36 AM, Georgi Guninski wrote: > > Probably this is well known. > > > > http://www.freepatentsonline.com/5373560.html > > > > http://mathworld.wolfram.com/PrimeNumber.html > > (check (3)) > > > > > Because of their importance in encryption algorithms such as RSA encryption, prime numbers can be important commercial commodities. In fact, R. Schlafly (1994) has obtained U.S. Patent 5373560 on the following two primes (expressed in hexadecimal notation): > > fuck, fuck, fuck. > > The silver lining to this cloud is that these patents have almost > certainly expired by now or will very soon, given that they date from > 1994. The WTF is, however, that they were granted at all in the first place. -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. 
URL: From rysiek at hackerspace.pl Mon May 12 06:15:34 2014 From: rysiek at hackerspace.pl (rysiek) Date: Mon, 12 May 2014 15:15:34 +0200 Subject: ### Two Open Source Apps for data protection ### In-Reply-To: <250b411f-86f8-40a3-93ed-ed01a1396b9e@email.android.com> References: <5366DADA.7010001@dcon.com.br> <4765503.cQsU0JSeY1@lap> <250b411f-86f8-40a3-93ed-ed01a1396b9e@email.android.com> Message-ID: <10855922.XFz805VMoP@lap> Dnia poniedziałek, 12 maja 2014 11:15:37 Cathal pisze: > Panic passwords are dangerous, as there's a risk the attacker has a copy of > the encrypted data prior to demanding a decryption key. That's why > Truecrypt etc prefer plausibly-deniable systems involving fake containers > revealed by a panic password: they crack the container and find something > plausibly sensitive, but not what they're seeking. Well, about that... https://defuse.ca/truecrypt-plausible-deniability-useless-by-game-theory.htm -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From stephan.neuhaus at tik.ee.ethz.ch Mon May 12 10:56:50 2014 From: stephan.neuhaus at tik.ee.ethz.ch (Stephan Neuhaus) Date: Mon, 12 May 2014 19:56:50 +0200 Subject: Patented prime numbers In-Reply-To: <1399911942.69461.YahooMailNeo@web126202.mail.ne1.yahoo.com> References: <20140512083620.GB2813@sivokote.iziade.m$> <1399911942.69461.YahooMailNeo@web126202.mail.ne1.yahoo.com> Message-ID: <53710B62.2040503@tik.ee.ethz.ch> On 2014-05-12, 18:25, jim bell wrote: > Also, I believe there is a rule that says that laws of nature aren't > patentable. To the extent that primality is a law of nature, it > shouldn't be patentable. To be pedantic, primes aren't so much a law of *nature*, they're in *maths*. I'm not aware of any law of, e.g., physics that would depend on primes, but would love to learn of one, if one exists. 
Fun, Stephan From coderman at gmail.com Mon May 12 20:47:04 2014 From: coderman at gmail.com (coderman) Date: Mon, 12 May 2014 20:47:04 -0700 Subject: [FD] So You Like Pain and Vulnerability Management? New Article. In-Reply-To: <5370F242.3020604@isecom.org> References: <5370F242.3020604@isecom.org> Message-ID: On Mon, May 12, 2014 at 9:09 AM, Pete Herzog wrote: > "Hi, I’m your friend and security researcher, Pete Herzog. we're almost family Pete, no need to introduce yourself! ... was starting to wonder how you've been... you never call, you rarely write, regarding your piece published at: http://www.tripwire.com/state-of-security/vulnerability-management/so-you-like-pain-and-vulnerability-management/ this reply is a little long, as i took the time to respond in depth to each of the issues i observed in your piece; i hope you view this as the best of intentions and sincere desire for thoroughness it is. any criticism is entirely constructive. if you feel despondent or hopeless about the future where you have been so wrong and so ill equipped to secure digital systems, see the end of this thread for crisis hotline resources in your area. > But I’m here today to take a moment and talk to you about the pain of > neglect, isolation, abuse, and infection, better known as > “vulnerability management”. you might be interested in the other thread on treating addiction. my own empirical study linking INFOSEC/COMSEC responsibilities with ethanol abuse, clandestine chemical poisonings, and a rapidly escalating habit for high fiber lifestyle is progressing nicely, but not yet ready for publication. (DWDM not ingested fiber) > In many ways vulnerability management can > be part of a healthy system and over-all good security. agreed! 
i find it very helpful to find vulns first, use them for early signalling of adversary capabilities and interest, weaponize them for great justice, and distribute them in limited fashion toward end of life cycle to friends and peers, where again they serve as useful feedback on third party OPSEC and integrity. > That's how my new article starts. 5 points on the pain of > vulnerability management and how to make it hurt less. unfortunately in previous private vulnerability assessments all social media platforms failed to survive our common criteria for credible computing contract services. at least you're not paying for them? ... i will however provide my feedback via this medium: 0. "how to make it hurt less" first off, you may be interested in my research on the best synth routes for clandestine medicating and near term memory cleansing with common chemicals or seedy suppliers. this information was cultivated during my research into INFOSEC/COMSEC professional who are clearly exceptionally capable in this domain. 1. "You can’t manage vulnerabilities in closed software any more than you can manage tunnel construction in an ant nest." this is not true. by actively managing the execution of all processes on all your systems and the communication they make between each other and remote (networked or bus connected services) peers. blocking and altering shared library methods, system calls, and network communication is effective against open source, closed source, promiscuous source, and other development practices. 2. "Managing vulnerabilities will not get you security. Especially since patched vulnerabilities is a subset of found vulnerabilities which is assumed (for far too many) to be a subset of having security." this is why it is critical to find as many vulnerabilities as possible in the systems you use before others do. use the vulnerabilities you find as a model of class of weakness upon which to defend in depth. 
more to do after this, but for another discussion... ;) 3. "But if you wanted to have all the domesticated animals on your new arc you can’t do it by only looking house pets as that would exclude goats, cows, horses, yetis, and many animals maybe you don’t know or didn’t consider. So when scanning for vulnerabilities you can only, at best, find the vulnerabilities the scanner knows about." i for one wish they omitted the goats. they make great work on the blackberry bushes, but the pasture fences are challenge and escalating war of attrition they so far show no difficulty defeating with clever goat skillz. more to the point above, this is why it is critical to employ not just all existing scanners, fuzzers, frameworks, and toolsets but also to improve them internally while also developing your own infrastructure for vulnerability discovery, defense, and weaponization. (this is called "big vuln" or "big vuln dev" by our team for lack of a better allegory) 4. "It Can Feel a Lot Like Doing Dishes. Vulnerability management is an endless race that can’t be won." so true! however, this is why complete and continuous automation is mandatory at the moment of analyst discovery or developer prototype. thus the repetitiveness is delegated to the machines who do our bidding without tire or negligence. 5. "when you manage operational controls as part of vulnerability management you can actually take yourself out of the rat race of patch vs. exploit. That’s huge!" patch vs. exploit is a false dichotomy. if you're not solving for both concurrently you're doing it wrong. (don't feel bad, this is a common failure.) 6. "Filling a Hole Has Never Been So Dirty ... We think vulnerability management is straight-forward: there’s a hole and you fill it and the hole is gone." who are these "we" you speak of? the last time i saw that mindset in play was a sales associate for a security consulting firm hawking some weird devops / continuous integration like thing i don't remember too well. 
anyone who thinks vulnerability management is easy is unaware of their ignorance, risk, and update latencies in their organization. 7. "In the end, playing dirty is the only way most vulnerability managers can keep their heads above water. But let’s just call that a risk decision." what you call "playing dirty" is just decision making in the midst of a series of one crises after another in an endless procession. crisis mitigation and resolution should not be cast in a negative air of "playing dirty". rather, take this as opportunity to find the exceptionally rare operations crew who runs a ship so tight there are no crises, only prioritized opportunities for even further improvement. 8. "closely followed by NATO, NIST, FBI, NASA, NSA, all branches of armed forces, and the White House." this is just awefull! i suffered through a number of years with a stalker intent on making me into a skin cover for a realdoll in some psychotic delusion he was compelled by. i know the unease and fear and stress that a malicious stalker can have on the psyche. i presume you've looked into local resources to prosecute or order to be restrained. if they're unable or unwilling to resolve the issue, contact me off list for more extreme methods to handle this. i got your back Pete; and we'll get these rogue's off your back one way or another! 9. "don’t forget to see me in Richmond, VA from June 4 – 6 at RVAse" sorry Pete, i quit going east of the mississippi given the fallout that inevitably follows. as a US tax payer, i try to limit the resources expended to violate my privacy and presume a threat where none exists. and frankly it diminishes the intimacy of my memories knowing that they've surveiled my masturbatory sessions in remote locales. i am taking this moment to segue into one last observation in your piece, but it deals with adult subject matter that may not be appropriate for all audiences. if you are not mature enough for the discussion below, please don't read it! . . . 
- this break intentionally inserted for decency - . . . Z. "... the adult film star process which pretty much gets you from film star to adult film star by doing just one thing on film." i don't often discuss my personal past in these lists or online in general. for a while i had a career in INFOSEC but came to a realization that there must other line of work supporting a upper middle class salary which were not so terribly detrimental to my mental and physical health. i transitioned into gonzo group gay porn which met the cost of living requirements but still had above average physical demands even if a great improvement over the dark INFOSEC years. after five years building a library of over 1,782 different scenes stretching to 12 days of continuous copulation my career in porn was ended in a crippling accident while testing a prototype manbian machine fucking investment that was my doom rather than return on investment. don't write me, the rights have already been sold for a moving drama with A list cast. my point is that i published a greatest "best-of coderass at 1.75 FPS, abridged" anthology as career end salute on a 180 minute collector s edition BluRay paid for by the sale of creative rights mentioned above. this video release rocketed to the top of all the best seller lists and made me a household name and continues to feed me a torrent of franchise fees, recurring profit share, and ongoing royalties which can only be described as obscene and ridiculous. for some reason every other effort was just not enough to bump me up above obscure D list status... it's a funny world. TL;DR: my adult film star process required 1,782 scenes, 45,000 minutes of film, and spanned 73%* of known sex acts possible to act out between two or more humans but less than twenty humans at once. 
this is as far removed from "doing just one thing" as i can imagine, and frankly it disrespects the strenuous effort and creative acting myself and other sex workers practice in mostly thankless service to others. you should be ashamed! [* automatic identification and categorization of sex acts is surprisingly complicated! the corresponding language theoretic effort to map 1 to 20 human bodies in movement for 15 minutes or less into a formal language to exhaustively delineate all the possible perversions possible to commit under the sun was gargantuan in terms of earth human hours and the resulting corpus. we are close to proving that not everything which can be done has been. if you would be interested in performing a provably unique sex act for a large sum of money and only modest surgical modification, please get in touch] P.P.S. some people ask me what i do now for a living since confined to robotic wheelchair and bed rest. the truth is, i could never turn my back entirely on the INFOSEC community in which i started my first career and sojourn into the great world alone. so now i am busking at conferences doing INFOSEC comedy routines, selling nerdcore rap put to chiptunes on independent labels, and manning the crisis hotlines for substance abuse and domestic violence victims, who strangely enough overlap to a non trivial degree with the set of self confessed INFOSEC professionals. my time spent replying to INFOSEC threads on mailing lists is gratis, as no one pays me for it, and no one like what i say enough to tip me. "have you hugged your data spill incident responder today?" best regards, friend of Pete and former pr0n star, codermange From grarpamp at gmail.com Mon May 12 19:32:29 2014 From: grarpamp at gmail.com (grarpamp) Date: Mon, 12 May 2014 22:32:29 -0400 Subject: [p2p-hackers] How do BitTorrent block lists get created? 
In-Reply-To: References: <5370D2FF.9010706@briarproject.org> Message-ID:

On Mon, May 12, 2014 at 1:09 PM, David Barrett wrote:
> connecting to everybody in a swarm, downloading one block,
> and automatically sending out a takedown

Beyond that (which few if any seem to be doing in the first place), they have to prove the content and custody chain of that block, etc. A difficult and costly bar for typical enforcement trolls.

> effectively monitor and police all the top torrents out there

Any torrent out there.

> the enforcer would never send you a block of valid data

They own it, they'll do whatever they want with it. You forget, the few random blocks they choose to send are worthless to them, yet scaring you into settling for serving them back out is pure profit. You're also confusing the lesser/non issue of downloading blocks with serving blocks. The latter is better known as the actual regulated infringing activity.

> The only defense Bittorrent has is the "blocklist"

Now the fun part... have you guys gone daft? Blocklists and VPN's as best defense against such 'enforcement', really? Really?!! Isn't it about time you all plugged your client in to some anonymous overlay network like I2P, Tor, Phantom, cjdns, whatever and just forget about the issue once and for all? Oh, yeah, I forgot, you have:
- no patience and need your DL right fucking now. (anon 'swarms' are not really slow at all)
- no money and so you leech bandwidth instead of buying clear bandwidth to support whatever anon overlay you're using. (rate limits on linux/bsd are actually easy)

Have fun with your clearnet thing, you get what you asked for.

> In a recent conversation about piracy and whether it could win

Old school battles don't necessarily win the war, sometimes all it takes is lots of voices in anon yet visible protest.
From coderman at gmail.com Mon May 12 23:54:06 2014 From: coderman at gmail.com (coderman) Date: Mon, 12 May 2014 23:54:06 -0700 Subject: Update: please remain vulnerable if the laws of your jurisdiction require it! [was: So You Like Pain and Vulnerability Management?] Message-ID:

On Mon, May 12, 2014 at 8:47 PM, coderman wrote:
> ...
> 1. "You can’t manage vulnerabilities in closed software any more than
> you can manage tunnel construction in an ant nest."

please note that my reply below is illegal to follow in some parts of the world:

> this is not true. by actively managing the execution of all processes
> on all your systems and the communication they make ...
> blocking and altering shared library methods, system calls, and
> network communication...

a friend of mine was just arrested outside the Louvre for strace like behavior![0]

best regards,

0. "Did you know? ... strace is banned in France, where it is classified as a cracking tool (it can trace plain-text I/O)." http://www.brendangregg.com/blog/2014-05-11/strace-wow-much-syscall.html

P.S. no of course it was not Pete, and of course it was not my code.

From grarpamp at gmail.com Mon May 12 20:55:37 2014 From: grarpamp at gmail.com (grarpamp) Date: Mon, 12 May 2014 23:55:37 -0400 Subject: [cryptography] The next gen P2P secure email solution In-Reply-To: <1674207.VbjJNtGabs@lap> References: <1538308832.40108.1398193110797.JavaMail.www@wwinf8228> <1674207.VbjJNtGabs@lap> Message-ID:

On Fri, May 9, 2014 at 11:49 AM, rysiek wrote:
> On Tuesday, 22 April 2014 20:58:50 tpb-crypto at laposte.net wrote:
>> Although technical solutions are feasible

Then do it and see what happens.

>> we ought to consider some things:
>> - Email is older than the web itself;

So is TCP/IP and the transistor. Irrelevant.

>> - Email has three times as many users as all social networks combined;

And how did those nets get any users when 'email' was supposedly working just fine?

>> - Email is entrenched in the offices, many a business is powered by it;

They are powered by authorized access to and useful end use of message content, not by email. That's not going anywhere, only the intermediate transport is being redesigned.

>> Given the enormous energy necessary to remove such an appliance and replace

Removal is different from introducing competitive alternatives.

>> it with something better. How could we make a secure solution that plays
>> nicely with the current tools without disturbing too much what is already
>> established?
>
> By writing a gateway (i.e. between RetroShare and e-mail)?

MUA's become file readers and composers. They hand off to a localhost daemon that recognizes different address formats of the network[s] and does the right thing. Perhaps they compile against additional necessary network/crypto libs. Whatever it is, those are not a big change. Ditching centralized SMTP transport in the clear is... and for the better. Reread the threads, forget about that old SMTP box, think new.

From coderman at gmail.com Tue May 13 00:11:07 2014 From: coderman at gmail.com (coderman) Date: Tue, 13 May 2014 00:11:07 -0700 Subject: "SIGINT tradecraft…is very hands-on (literally!)" Message-ID:

there's some new thing out,

... first shots from the peanut gallery?

please report suspicious network behavior accessing Snowden documents to the second hand exploit sale broker consortium for a reasonable referral fee!

best regards,

From grarpamp at gmail.com Mon May 12 22:26:01 2014 From: grarpamp at gmail.com (grarpamp) Date: Tue, 13 May 2014 01:26:01 -0400 Subject: [FD] So You Like Pain and Vulnerability Management? New Article. In-Reply-To: References: <5370F242.3020604@isecom.org> Message-ID:

On Mon, May 12, 2014 at 11:47 PM, coderman wrote:
> see the end of this thread for crisis hotline resources in your area.
> TL;DR: my adult film star process required 1,782 scenes, 45,000 > as no one pays me for it, and no one like what i say enough to tip me. Aww, here's some tip love... https://www.youtube.com/watch?v=sqyiYd4iCYY https://www.youtube.com/watch?v=eFrsoyMcrc0 From jya at pipeline.com Tue May 13 01:00:08 2014 From: jya at pipeline.com (John Young) Date: Tue, 13 May 2014 04:00:08 -0400 Subject: =?iso-8859-1?Q?"SIGINT_tradecraft=85is_very_hands-on_(literally?= =?iso-8859-1?Q?!)"?= In-Reply-To: References: Message-ID: We've seen the Greenwald book No Place to Hide, where are the promised gush of Snowden documents available? His publisher doesn't show a source. Surely not another marketing tease. Surely not snatched by the TLAs, tampered with, doctored, MTM'd, redacted, censored, cherry-picked, highlighted for dummies and fans, surely not handled like a disinfo spy op, heavy on narrative, suggestions of much more unreleasable, need for classified briefings and diligent vetting, that what we documents censors know we can't dare tell the public due to the public dupery by enemies of our interests. Dropboxes are honey pots, media is just that, governments are just that, opsec and comsec are just that. And do tell, what is this SIGINT forum psyoping? At 03:11 AM 5/13/2014, you wrote: >there's some new thing out, > > ... first shots from the peanut gallery? > >please report suspicious network behavior accessing Snowden documents >to the second hand exploit sale broker consortium for a reasonable >referral fee! > > >best regards, From coderman at gmail.com Tue May 13 05:58:34 2014 From: coderman at gmail.com (coderman) Date: Tue, 13 May 2014 05:58:34 -0700 Subject: =?UTF-8?Q?Re=3A_=22SIGINT_tradecraft=E2=80=A6is_very_hands=2Don_=28literally?= =?UTF-8?Q?=21=29=22?= In-Reply-To: References: Message-ID: On Tue, May 13, 2014 at 1:00 AM, John Young wrote: > We've seen the Greenwald book No Place to Hide, where are the > promised gush of Snowden documents available? 
His publisher > doesn't show a source. Surely not another marketing tease. great question; let us know if you find them! > Surely not snatched by the TLAs, tampered with, doctored, > MTM'd, redacted, censored, cherry-picked, highlighted for > dummies and fans, surely not handled like a disinfo spy > op, heavy on narrative, suggestions of much more unreleasable, > need for classified briefings and diligent vetting, that what > we documents censors know we can't dare tell the public > due to the public dupery by enemies of our interests. my favorite slides from the book are the ones that are nearly all redacted except for one sentence at the end. lulz! > Dropboxes are honey pots, media is just that, governments > are just that, opsec and comsec are just that. poor pooh bear, what a confusing world to live in... > And do tell, what is this SIGINT forum psyoping? NO SPOILERS! ---- my take on the interesting bits: regarding the phones in the fridge, this was done to muffle sound, not provide EMSEC protection. a fridge is not a faraday cage! (there has been some speculation, now definitively squashed.) regarding the scope of surveillance and exploitation, it is interesting to see how far Alexander really pushed things beyond normative for the agency. i knew he was a "spy cowboy", yet this book presents a clearer picture of how significant Alexander escalated Hayden's already aggressive agenda. regarding the intimidation and maligning of leak reporters, it was interesting to see how egregious some of the efforts to thwart and discredit reporting on this story were. last but not least, i learned that Snowden tried but failed to obtain a copy of the legend mapping CODENAMES with their corporate partners (the telecoms, not the Internet companies which they don't give two shits about naming publicly as collaborators.) i'm looking at you, level3! 
From guninski at guninski.com Mon May 12 23:18:49 2014 From: guninski at guninski.com (Georgi Guninski) Date: Tue, 13 May 2014 09:18:49 +0300 Subject: Patented prime numbers In-Reply-To: <53710B62.2040503@tik.ee.ethz.ch> References: <20140512083620.GB2813@sivokote.iziade.m$> <1399911942.69461.YahooMailNeo@web126202.mail.ne1.yahoo.com> <53710B62.2040503@tik.ee.ethz.ch> Message-ID: <20140513061849.GA2693@sivokote.iziade.m$> On Mon, May 12, 2014 at 07:56:50PM +0200, Stephan Neuhaus wrote: > On 2014-05-12, 18:25, jim bell wrote: > > Also, I believe there is a rule that says that laws of nature aren't > > patentable. To the extent that primality is a law of nature, it > > shouldn't be patentable. > > To be pedantic, primes aren't so much a law of *nature*, they're in > *maths*. I'm not aware of any law of, e.g., physics that would depend > on primes, but would love to learn of one, if one exists. > > Fun, > > Stephan Allegedly Riemann zeta function is related to physics, though this well might be just speculations (search the web for ref). It is more interesting to me if sqrt(-1), n-dimensional space, etc. are part of nature... From guninski at guninski.com Tue May 13 00:28:31 2014 From: guninski at guninski.com (Georgi Guninski) Date: Tue, 13 May 2014 10:28:31 +0300 Subject: "SIGINT =?utf-8?Q?tradecraft=E2=80=A6i?= =?utf-8?Q?s?= very hands-on (literally!)" In-Reply-To: References: Message-ID: <20140513072831.GB2693@sivokote.iziade.m$> On Tue, May 13, 2014 at 12:11:07AM -0700, coderman wrote: > there's some new thing out, > > ... first shots from the peanut gallery? > > please report suspicious network behavior accessing Snowden documents > to the second hand exploit sale broker consortium for a reasonable > referral fee! > > honeypot? 
:)

From rysiek at hackerspace.pl Tue May 13 01:33:52 2014 From: rysiek at hackerspace.pl (rysiek) Date: Tue, 13 May 2014 10:33:52 +0200 Subject: "SIGINT tradecraft…is very hands-on (literally!)" In-Reply-To: <1399968197.18563.116743985.3F36C4CC@webmail.messagingengine.com> References: <20140513072831.GB2693@sivokote.iziade.m$> <1399968197.18563.116743985.3F36C4CC@webmail.messagingengine.com> Message-ID: <3156141.DgJEsgCW9Q@lap>

On Tuesday, 13 May 2014 18:03:17 Alfie John wrote:
> On Tue, May 13, 2014, at 05:28 PM, Georgi Guninski wrote:
> > On Tue, May 13, 2014 at 12:11:07AM -0700, coderman wrote:
> > > there's some new thing out,
> > >
> > > ... first shots from the peanut gallery?
> > >
> > > please report suspicious network behavior accessing Snowden documents
> > > to the second hand exploit sale broker consortium for a reasonable
> > > referral fee!
> >
> > honeypot? :)
>
> More like pot calling the kettle black.

So, a honeypot calling the kettle black, then? ;)

--
Regards
rysiek

From rysiek at hackerspace.pl Tue May 13 01:39:37 2014 From: rysiek at hackerspace.pl (rysiek) Date: Tue, 13 May 2014 10:39:37 +0200 Subject: [p2p-hackers] How do BitTorrent block lists get created? In-Reply-To: References: Message-ID: <7957433.L9GDcCdNXk@lap>

On Monday, 12 May 2014 22:32:29 grarpamp wrote:
> > The only defense Bittorrent has is the "blocklist"
>
> Now the fun part... have you guys gone daft? Blocklists and
> VPN's as best defense against such 'enforcement', really?
> Really?!!

Now, while I agree with most of what you wrote, please note that the Parent here only said that that's the only defence BitTorrent has.
Nobody claimed it's the only thing out there in general, nor that it's the best possible defence, nor that it's impossible to implement better mechanisms in BitTorrent, nor that it is not possible to use BitTorrent via some other means (like Tor) to improve security and anonymity. "The only defence we all have is the 'blocklist'" vs. "The only defence Bittorrent has is the 'blocklist'" Apart from that, carry on. :) -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From l at odewijk.nl Tue May 13 02:55:04 2014 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Tue, 13 May 2014 11:55:04 +0200 Subject: Patented prime numbers In-Reply-To: <20140513061849.GA2693@sivokote.iziade.m$> References: <20140512083620.GB2813@sivokote.iziade.m$> <1399911942.69461.YahooMailNeo@web126202.mail.ne1.yahoo.com> <53710B62.2040503@tik.ee.ethz.ch> <20140513061849.GA2693@sivokote.iziade.m$> Message-ID: Every patent is contained in the grammar of English. Finding a meaningful pattern that others haven't yet, that seems to be what a patent needs. They found some prime numbers, very useful, and someone else found the nuclear reactor, also useful. The nuclear reactor's design follows directly from the current state of engineering (valve?steam?superconductor?etc) and some properties that follow directly from physics (uranium and water -> good). So it's wacky to patent a number, but not that wrong. Don't forget finding primes is actually a pretty expensive exercise. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: text/html Size: 774 bytes Desc: not available URL: From l at odewijk.nl Tue May 13 02:57:39 2014 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Tue, 13 May 2014 11:57:39 +0200 Subject: Patented prime numbers In-Reply-To: <20140513094047.GC2693@sivokote.iziade.m$> References: <20140512083620.GB2813@sivokote.iziade.m$> <1399911942.69461.YahooMailNeo@web126202.mail.ne1.yahoo.com> <53710B62.2040503@tik.ee.ethz.ch> <20140513061849.GA2693@sivokote.iziade.m$> <1399969798.65601.YahooMailNeo@web126201.mail.ne1.yahoo.com> <20140513094047.GC2693@sivokote.iziade.m$> Message-ID: 2014-05-13 11:40 GMT+02:00 Georgi Guninski : > > My understanding is that they are part of nature. If you think about > it, to hunter-gatherer-level societies, negative numbers could be called > "imaginary": There is no such thing as "negative-3 sheep", for instance. > Nor is there a third of a (living) sheep. It was easy enough for people > to divorce themselves from the idea of integers, or positive numbers. It > was much more difficult to deal with "irrational numbers" (numbers which > could not be expressed as the ratio of two integers). offtopic and what's worse: "You owe me three sheep. You have -3 sheep." "This grain must be shared between 3 people. 1/3 of the grain is his. 1/3 is hers. 1/3 is mine." -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: text/html Size: 1139 bytes Desc: not available URL: From guninski at guninski.com Tue May 13 02:40:47 2014 From: guninski at guninski.com (Georgi Guninski) Date: Tue, 13 May 2014 12:40:47 +0300 Subject: Patented prime numbers In-Reply-To: <1399969798.65601.YahooMailNeo@web126201.mail.ne1.yahoo.com> References: <20140512083620.GB2813@sivokote.iziade.m$> <1399911942.69461.YahooMailNeo@web126202.mail.ne1.yahoo.com> <53710B62.2040503@tik.ee.ethz.ch> <20140513061849.GA2693@sivokote.iziade.m$> <1399969798.65601.YahooMailNeo@web126201.mail.ne1.yahoo.com> Message-ID: <20140513094047.GC2693@sivokote.iziade.m$> On Tue, May 13, 2014 at 01:29:58AM -0700, jim bell wrote: > From: Georgi Guninski > >It is more interesting to me if > >sqrt(-1), n-dimensional space, etc. are > >part of nature... > > My understanding is that they are part of nature.  If you think about it, to hunter-gatherer-level societies, negative numbers could be called "imaginary":  There is no such thing as "negative-3 sheep", for instance.  Nor is there a third of a (living) sheep.  It was easy enough for people to divorce themselves from the idea of integers, or positive numbers.  It was much more difficult to deal with "irrational numbers" (numbers which could not be expressed as the ratio of two integers).   > Square roots were comparatively easy...as long as you were talking a positive number.  Computing imaginary roots seems terribly difficult, until you express the number in terms of a real/imaginary graph, and voila, it's trivial again.  I think that (e (to the power of (2 times pi times I)) -1) =0   was discovered at least a couple hundred years ago.   It's been attributed to Euler, nearly 300 years ago. > And the various string theories proposed in the last 20 years require the universe to contain 10 or 11 dimensions, with 6 (or 7) of them wound up tightly, perhaps near a Planck length.  (10e(-33)cm). 
>          Jim Bell I am not good at neither math nor physics, but your argument didn't convince me for the relation with physics (the math appears correct). IMHO currently we know little about both math and physics, so the future might tell. From alfiej at fastmail.fm Tue May 13 01:03:17 2014 From: alfiej at fastmail.fm (Alfie John) Date: Tue, 13 May 2014 18:03:17 +1000 Subject: =?utf-8?Q?Re=3A=20=22SIGINT=20tradec?= =?utf-8?Q?raft=E2=80=A6is=20very=20hands?= =?utf-8?Q?-on=20=28literally!=29=22?= In-Reply-To: <20140513072831.GB2693@sivokote.iziade.m$> References: <20140513072831.GB2693@sivokote.iziade.m$> Message-ID: <1399968197.18563.116743985.3F36C4CC@webmail.messagingengine.com> On Tue, May 13, 2014, at 05:28 PM, Georgi Guninski wrote: > On Tue, May 13, 2014 at 12:11:07AM -0700, coderman wrote: > > there's some new thing out, > > > > ... first shots from the peanut gallery? > > > > please report suspicious network behavior accessing Snowden documents > > to the second hand exploit sale broker consortium for a reasonable > > referral fee! > > > > > > honeypot? :) More like pot calling the kettle black. Alfie -- Alfie John alfiej at fastmail.fm From juan.g71 at gmail.com Tue May 13 16:21:27 2014 From: juan.g71 at gmail.com (Juan) Date: Tue, 13 May 2014 20:21:27 -0300 Subject: "SIGINT =?UTF-8?B?dHJhZGVjcmFmdOKApmlz?= very hands-on (literally!)" In-Reply-To: References: Message-ID: <5372a8b3.0235ec0a.784b.00f5@mx.google.com> On Tue, 13 May 2014 05:58:34 -0700 coderman wrote: > On Tue, May 13, 2014 at 1:00 AM, John Young wrote: > > > And do tell, what is this SIGINT forum psyoping? > > NO SPOILERS! I want to know, too. And it's not a spoiler, it's the main dish. 
From jya at pipeline.com Tue May 13 17:51:42 2014 From: jya at pipeline.com (John Young) Date: Tue, 13 May 2014 20:51:42 -0400 Subject: =?iso-8859-1?Q?"SIGINT_tradecraft=85is_very_hands-on_(li_terall?= =?iso-8859-1?Q?y!)"?= In-Reply-To: <1400026604.72525.YahooMailNeo@web126204.mail.ne1.yahoo.com > References: <1400026604.72525.YahooMailNeo@web126204.mail.ne1.yahoo.com> Message-ID: There is a good chance the documents are covertly marked as you suggest, the ostentatious classification markings a ruse for untutored yokels to fancy are genuine. Covert markings have been in use for a long time, as well as ostentatious markings. On paper as well as digital and other forms of electronic. And certainly packets carry unique markings in a variety of overt and covert types. Some of the techniques fall under the inadvertent emanations rubric associated with Tempest -- which has blossomed well beyond the FOIA releases from the late 1990s. TSCM is a marvel of duplicity and ruse. At 08:16 PM 5/13/2014, you wrote: >From: Black Fox >On Tue, May 13, 2014 at 2:58 PM, coderman ><coderman at gmail.com> wrote: > > On Tue, May 13, 2014 at 1:00 AM, John Young > <jya at pipeline.com> wrote: > >> > We've seen the Greenwald book No Place to Hide, where are the > >> > promised gush of Snowden documents available? His publisher > >> > doesn't show a source. Surely not another marketing tease. > >> great question; let us know if you find them! > > df>http://glenngreenwald.net/pdf/NoPlaceToHide-Documents-Compressed.pdf > >If I were the telephone company from which the records were >requested, I'd note that the records were requested in "electronic" >format. Then, I'd ask a programmer to write a program to write a >program to generate pdf files with embedded "captcha"-type >text: Images that are quite apparent to the human eye, but are very >difficult for any computer to make any sense of. 
All the phone >records would be there (in no particular order), and they'd all be >very readable to humans, but... > Jim Bell > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2192 bytes Desc: not available URL: From fox at vbfox.net Tue May 13 12:01:35 2014 From: fox at vbfox.net (Black Fox) Date: Tue, 13 May 2014 21:01:35 +0200 Subject: =?UTF-8?Q?Re=3A_=22SIGINT_tradecraft=E2=80=A6is_very_hands=2Don_=28literally?= =?UTF-8?Q?=21=29=22?= In-Reply-To: References: Message-ID: On Tue, May 13, 2014 at 2:58 PM, coderman wrote: > > On Tue, May 13, 2014 at 1:00 AM, John Young wrote: > > We've seen the Greenwald book No Place to Hide, where are the > > promised gush of Snowden documents available? His publisher > > doesn't show a source. Surely not another marketing tease. > > great question; let us know if you find them! http://glenngreenwald.net/pdf/NoPlaceToHide-Documents-Compressed.pdf From l at odewijk.nl Tue May 13 13:23:34 2014 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Tue, 13 May 2014 22:23:34 +0200 Subject: =?UTF-8?Q?Re=3A_=22SIGINT_tradecraft=E2=80=A6is_very_hands=2Don_=28literally?= =?UTF-8?Q?=21=29=22?= In-Reply-To: References: Message-ID: On May 13, 2014 3:11 PM, "coderman" wrote: > >l > > my favorite slides from the book are the ones that are nearly all > redacted except for one sentence at the end. lulz! Did Irving Washington sign? -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: text/html Size: 354 bytes Desc: not available URL: From jya at pipeline.com Wed May 14 03:50:54 2014 From: jya at pipeline.com (John Young) Date: Wed, 14 May 2014 06:50:54 -0400 Subject: =?iso-8859-1?Q?"SIGINT_tradecraft=85is_very_hands-on_(l_i_teral?= =?iso-8859-1?Q?ly!)"?= In-Reply-To: <1400044281.70204.YahooMailNeo@web126202.mail.ne1.yahoo.com > References: <1400026604.72525.YahooMailNeo@web126204.mail.ne1.yahoo.com> <1400044281.70204.YahooMailNeo@web126202.mail.ne1.yahoo.com> Message-ID: That would be quite useful. How would you crack it if used by an opponent? At 01:11 AM 5/14/2014, you wrote: >Alright, what I meant was this: The judge ordered that the >information be provided in electronically-readable form. He meant, >"not on paper", because if it were on paper, that would be very >difficult to actually USE. My idea was to put the information onto >pdf files, where if you view the pdf file, it would look like lines >of "captcha"-type data: Weird, warped characters, in various odd >colors, overlapping lines, >etc. CAPTCHA - Wikipedia, >the free encyclopedia Specifically designed to NOT be >computer-identifiable. The essence of the presentation of the data >would be that it wouldn't be readable by 'computer' at all; it would >have to be decoded by human intervention...even though it was in >"electronically-readable form"!! > > >image > >CAPTCHA - Wikipedia, the free >encyclopedia >A CAPTCHA (an acronym for "Completely Automated Public Turing test >to tell Computers and Humans Apart") is a type of challenge-respons... >View on en.wikipedia.org >Preview by Yahoo > Jim Bell -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: text/html Size: 1792 bytes Desc: not available URL: From jamesdbell9 at yahoo.com Wed May 14 11:23:50 2014 From: jamesdbell9 at yahoo.com (jim bell) Date: Wed, 14 May 2014 11:23:50 -0700 (PDT) Subject: =?utf-8?B?UmU6IFJlOiAgICJTSUdJTlQgdHJhZGVjcmFmdOKApmlzIHZlcnkgaGFuZHMt?= =?utf-8?B?b24gKGwgaSB0ZXJhbGx5ISki?= In-Reply-To: <20140514165035.GT7179@ctrlc.hu> References: <1400026604.72525.YahooMailNeo@web126204.mail.ne1.yahoo.com> <1400044281.70204.YahooMailNeo@web126202.mail.ne1.yahoo.com> <1400083430.11520.YahooMailNeo@web126205.mail.ne1.yahoo.com> <20140514165035.GT7179@ctrlc.hu> Message-ID: <1400091830.85570.YahooMailNeo@web126204.mail.ne1.yahoo.com> From: stef On Wed, May 14, 2014 at 09:03:50AM -0700, jim bell wrote: > I guess I'm still not being clear.  It would be my way of objecting to a court's ordering the telecom company that >I might work for (or, one day, that I might own?!?) to present an "electronically-readable" form of the telephone >metadata of millions of telephones.  The judge ordered that; my sneaky response would be to generate an >"electronically-readable" file, basically a pdf file or a series of same, itself with an image that looks like >"captcha" information:  relatively easy for a human to read, but rather difficult for any computer to turn into >easily-useable (searchable) information.  In other words, the information would be presented to the NSA, but it >would be essentially unuseable without being (first) human-decoded. >assuming this is correct: >http://googleonlinesecurity.blogspot.de/2014/04/street-view-and-recaptcha-technology.html >then googlestreetview tech is better at solving captchas than humans. For a single, tiny piece of "captcha", that might very well be true.  But suppose the telephone metadata information for a billion phone calls per day is turned into "captcha's".  How much CPU power would the NSA have to apply, each day, just to back-convert that metadata into computer-searchable form?  
Admittedly, that's irrelevant:  The NSA would simply ask the court to order the company to stop being a wiseass, and to stop using the captcha technique.           Jim Bell -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 2585 bytes Desc: not available URL: From rsw at jfet.org Wed May 14 10:18:44 2014 From: rsw at jfet.org (Riad S. Wahby) Date: Wed, 14 May 2014 13:18:44 -0400 Subject: cypherpunks administrivia: no more reply-to header stripping Message-ID: <20140514171844.GA9696@antiproton.jfet.org> Folks, Until now, mailman has been stripping Reply-To: headers from messages to the list. I've just turned this off. Some webmail services (notably, Yahoo!) set the Reply-To: header and include it in the headers signed with DKIM. Stripping Reply-To: thus breaks the DKIM signature. In the case of Yahoo! this signature breakage is especially problematic, because their DMARC policy is set to reject. (In other words, messages with yahoo.com in the From: header that fail both SPF and DKIM should be rejected by compliant mail services, e.g., AOL, Gmail, Hotmail, Yahoo!) Messages to the mailing list should pass SPF, since the envelope sender domain for list messages is cpunks.org and I publish an appropriate spf RR. However, any list subscriber who forwards mail to another account will have broken SPF and an invalid DKIM signature, which trips the DMARC policy and causes delivery failures. I realize that this might cause some inconvenience, but I would prefer to err on the side of successfully delivering messages whenever possible. 
If you're using procmail and prefer the old behavior, the following recipe should suffice:

# f: run formail as a filter, h: pass it the header only, w: wait for it to finish
:0 fhw
* ^list-id.*cypherpunks.cpunks.org
| formail -IReply-To

-=rsw

From s at ctrlc.hu Wed May 14 09:50:35 2014
From: s at ctrlc.hu (stef)
Date: Wed, 14 May 2014 18:50:35 +0200
Subject: "SIGINT tradecraft…is very hands-on (l i terally!)"
In-Reply-To: <1400083430.11520.YahooMailNeo@web126205.mail.ne1.yahoo.com>
References: <1400026604.72525.YahooMailNeo@web126204.mail.ne1.yahoo.com> <1400044281.70204.YahooMailNeo@web126202.mail.ne1.yahoo.com> <1400083430.11520.YahooMailNeo@web126205.mail.ne1.yahoo.com>
Message-ID: <20140514165035.GT7179@ctrlc.hu>

On Wed, May 14, 2014 at 09:03:50AM -0700, jim bell wrote:
> I guess I'm still not being clear.  It would be my way of objecting to a court's ordering the telecom company that I might work for (or, one day, that I might own?!?) to present an "electronically-readable" form of the telephone metadata of millions of telephones.  The judge ordered that; my sneaky response would be to generate an "electronically-readable" file, basically a pdf file or a series of same, itself with an image that looks like "captcha" information:  relatively easy for a human to read, but rather difficult for any computer to turn into easily-useable (searchable) information.  In other words, the information would be presented to the NSA, but it would be essentially unuseable without being (first) human-decoded.

assuming this is correct:
http://googleonlinesecurity.blogspot.de/2014/04/street-view-and-recaptcha-technology.html
then googlestreetview tech is better at solving captchas than humans.
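The Reply-To stripping problem described in the list administrivia message above (rsw, 14 May), as an added example that is not code from the list or any poster: a simplified model of DKIM header signing (RFC 6376) and the DMARC pass rule with identifier alignment (RFC 7489). Assumptions: HMAC stands in for the real RSA signature, the body hash is omitted, and the addresses and the list envelope sender are constructed.

```python
import hashlib
import hmac
import re

# Constructed stand-in for the signer's key. Real DKIM uses an RSA or Ed25519
# signature checked against a DNS-published public key; HMAC keeps this offline.
SIGNING_KEY = b"constructed-demo-key"

# Constructed sample message headers (not a real post).
ORIGINAL = [
    ("From", "poster@yahoo.com"),
    ("Reply-To", "poster@yahoo.com"),
    ("Subject", "test post"),
    ("Date", "Wed, 14 May 2014 13:18:44 -0400"),
]
LIST_ENVELOPE = "cypherpunks-bounces@cpunks.org"  # assumed envelope sender


def relaxed(name, value):
    """DKIM 'relaxed' header canonicalization: lowercase name, collapse whitespace."""
    return name.lower() + ":" + re.sub(r"\s+", " ", value).strip() + "\r\n"


def header_hash_input(headers, signed_names):
    """Concatenate the headers listed in h=; an absent header contributes nothing."""
    parts = []
    for name in signed_names:
        value = next((v for n, v in headers if n.lower() == name.lower()), None)
        parts.append(relaxed(name, value) if value is not None else "")
    return "".join(parts).encode()


def dkim_sign(headers, signed_names, domain):
    tag = hmac.new(SIGNING_KEY, header_hash_input(headers, signed_names),
                   hashlib.sha256).hexdigest()
    return {"d": domain, "h": list(signed_names), "b": tag}


def dkim_verify(headers, sig):
    expected = hmac.new(SIGNING_KEY, header_hash_input(headers, sig["h"]),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig["b"])


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()


def aligned(a, b):
    """Relaxed alignment, simplified to 'same domain or parent/child domain'."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def dmarc_disposition(headers, sig, envelope_from, spf_pass, policy):
    """DMARC passes if DKIM or SPF passes AND that identifier aligns with From:."""
    from_domain = domain_of(dict(headers)["From"])
    dkim_ok = dkim_verify(headers, sig) and aligned(sig["d"], from_domain)
    spf_ok = spf_pass and aligned(domain_of(envelope_from), from_domain)
    return "deliver" if (dkim_ok or spf_ok) else policy


def strip_header(headers, name):
    """What the list did before the change: drop the header entirely."""
    return [(n, v) for n, v in headers if n.lower() != name.lower()]


def run_scenarios():
    sig = dkim_sign(ORIGINAL, ["From", "Reply-To", "Subject", "Date"], "yahoo.com")
    stripped = strip_header(ORIGINAL, "Reply-To")
    return {
        "direct, untouched":
            dmarc_disposition(ORIGINAL, sig, "poster@yahoo.com", True, "reject"),
        "via list, Reply-To stripped":
            dmarc_disposition(stripped, sig, LIST_ENVELOPE, True, "reject"),
        "via list, Reply-To kept":
            dmarc_disposition(ORIGINAL, sig, LIST_ENVELOPE, True, "reject"),
        "Reply-To kept, then forwarded (SPF fails)":
            dmarc_disposition(ORIGINAL, sig, LIST_ENVELOPE, False, "reject"),
    }


if __name__ == "__main__":
    for scenario, outcome in run_scenarios().items():
        print(f"{scenario:45s} -> {outcome}")
```

In this model the list's own SPF pass for cpunks.org never aligns with a yahoo.com From: address, so delivery depends on the sender's DKIM signature surviving the list unmodified.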
From cathalgarvey at cathalgarvey.me Thu May 15 02:02:57 2014 From: cathalgarvey at cathalgarvey.me (Cathal Garvey) Date: Thu, 15 May 2014 10:02:57 +0100 Subject: "SIGINT =?UTF-8?B?dHJhZGVjcmFmdOKApmlzIHZlcnkgaGFuZHMtb24gKGw=?= =?UTF-8?B?aSB0ZXJhbGx5ISki?= In-Reply-To: <1400044281.70204.YahooMailNeo@web126202.mail.ne1.yahoo.com> References: <1400026604.72525.YahooMailNeo@web126204.mail.ne1.yahoo.com> <1400044281.70204.YahooMailNeo@web126202.mail.ne1.yahoo.com> Message-ID: <537482C1.3090806@cathalgarvey.me> There's now precedent to suggest that providing FISA-ordered data in a deliberately inconvenient format can be considered contempt of court. The case establishing it? Lavabit printing out their server TLS keys in small font. That's not even such a big deal, because OCR could still be used trivially if the opponents weren't tech-illiterate. Depending on the type of key, you could probably even detect OCR errors quickly by checking for primality or group-compatibility for the key subunits. So that's even less technically troublesome than what you're suggesting, and it was contempt. I don't think the telecoms would get away with it, even if they did care a damn about customers. On 14/05/14 06:11, jim bell wrote: > Alright, what I meant was this: The judge ordered that the information be provided in electronically-readable form. He meant, "not on paper", because if it were on paper, that would be very difficult to actually USE. My idea was to put the information onto pdf files, where if you view the pdf file, it would look like lines of "captcha"-type data: Weird, warped characters, in various odd colors, overlapping lines, etc. CAPTCHA - Wikipedia, the free encyclopedia Specifically designed to NOT be computer-identifiable. The essence of the presentation of the data would be that it wouldn't be readable by 'computer' at all; it would have to be decoded by human intervention...even though it was in "electronically-readable form"!! 
> > > CAPTCHA - Wikipedia, the free encyclopedia > A CAPTCHA (an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart") is a type of challenge-respons... > View on en.wikipedia.org Preview by Yahoo > Jim Bell > > > > > ________________________________ > From: John Young > To: jim bell ; cpunks > Sent: Tuesday, May 13, 2014 5:51 PM > Subject: Re: "SIGINT tradecraft…is very hands-on (li terally!)" > > > > There is a good chance the documents are covertly marked as > you suggest, the ostentatious classification markings a ruse for > untutored yokels to fancy are genuine. > > Covert markings have been in use for a long time, as well as > ostentatious markings. On paper as well as digital and other > forms of electronic. > > And certainly packets carry unique markings in a variety of > overt and covert types. > > Some of the techniques fall under the inadvertent emanations > rubric associated with Tempest -- which has blossomed well > beyond the FOIA releases from the late 1990s. TSCM is a > marvel of duplicity and ruse. > > At 08:16 PM 5/13/2014, you wrote: > > From: Black > Fox >> On Tue, May 13, 2014 at 2:58 PM, coderman > > wrote: >>> On Tue, May 13, 2014 at 1:00 AM, John Young > > wrote: >>>>> We've seen the Greenwald book No Place to Hide, where are > the >>>>> promised gush of Snowden documents available? His > publisher >>>>> doesn't show a source. Surely not another marketing > tease. >>>> great question; let us know if you find them! >>> http://glenngreenwald.net/pdf/NoPlaceToHide-Documents-Compressed.pdf >> >> If I were the telephone company from which the records were requested, > I'd note that the records were requested in "electronic" > format. Then, I'd ask a programmer to write a program to write a > program to generate pdf files with embedded "captcha"-type > text: Images that are quite apparent to the human eye, but are very > difficult for any computer to make any sense of. 
All the > phone records would be there (in no particular order), and they'd all be > very readable to humans, but... >> > Jim Bell >> >> -- T: @onetruecathal, @IndieBBDNA P: +353876363185 W: http://indiebiotech.com -------------- next part -------------- A non-text attachment was scrubbed... Name: 0x988B9099.asc Type: application/pgp-keys Size: 6176 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 901 bytes Desc: OpenPGP digital signature URL: From tpb-crypto at laposte.net Thu May 15 05:36:23 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Thu, 15 May 2014 14:36:23 +0200 Subject: [cryptography] The next gen P2P secure email solution In-Reply-To: References: <1538308832.40108.1398193110797.JavaMail.www@wwinf8228> <1674207.VbjJNtGabs@lap> Message-ID: <772145240.115968.1400157383527.JavaMail.www@wwinf8308> > Message du 13/05/14 05:55 > De : "grarpamp" > A : cypherpunks at cpunks.org > Copie à : p2p-hackers at lists.zooko.com, cryptography at randombit.net > Objet : Re: [cryptography] The next gen P2P secure email solution > > On Fri, May 9, 2014 at 11:49 AM, rysiek wrote: > > Dnia wtorek, 22 kwietnia 2014 20:58:50 tpb-crypto at laposte.net pisze: > >> Although technical solutions are feasible > > Then do it and see what happens. > > >> we ought to consider some things: > >> - Email is older than the web itself; > > So is TCP/IP and the transistor. Irrelevant. > You clearly did not get the point, but let's move along your argument. > >> - Email has three times as many users as all social networks combined; > > And how did those nets get any users when 'email' was > supposedly working just fine? > E-mail not allowing one to make his ego appreciated and envied in a structured nicely formatted page maybe? 
> >> - Email is entrenched in the offices, many a business is powered by it; > > They are powered by authorized access to and useful end use of message > content, not by email. That's not going anywhere, only the intermediate > transport is being redesigned. > Can you recode outlook, eudora and other closed source stuff people use(d) for e-mail handling for business? No? Well, that answers why it is hard to remove. > >> Given the enormous energy necessary to remove such an appliance and replace > > Removal is different from introducing competitive alternatives. > Little proprietary walled gardens are absolutely not the answer for this problem. > >> it with something better. How could we make a secure solution that plays > >> nicely with the current tools without disturbing too much what is already > >> established? > > > > By writing a gateway (i.e. between RetroShare and e-mail)? > The gateway idea is interesting, but it has to be efficient enough and low cost enough for people to switch over. Something like bitmessage is not. > MUA's become file readers and composers. They hand off > to a localhost daemon that recognizes different address formats > of the network[s] and does the right thing. Perhaps they compile > against additional necessary network/crypto libs. Whatever it > is, those are not a big change. Ditching centralized SMTP transport > in the clear is... and for the better. > http://arstechnica.com/security/2014/05/good-news-for-privacy-fewer-servers-sending-e-mail-naked-facebook-finds/ I think that answers your concern about SMTP transport in the clear, in less than one year the darkest bar in that chart will be close to 100%. If 80% of hosts demand strict encrypted transport, it will force the other 20% to change. Considering the snowden revelations and the fact that one year ago we barely used encrypted transport, having 1/4 already and accelerating is a good prospect. > Reread the threads, forget about that old SMTP box, think new. 
Fixing the problem is better than overhauling all offices in the world, you clearly haven't been in may offices in your life. > _______________________________________________ > cryptography mailing list > cryptography at randombit.net > http://lists.randombit.net/mailman/listinfo/cryptography > From coderman at gmail.com Thu May 15 14:59:28 2014 From: coderman at gmail.com (coderman) Date: Thu, 15 May 2014 14:59:28 -0700 Subject: scrypt and ASICs Message-ID: the other thread mentioned the "ASIC-able" ness of scrypt. what techniques may be used to make scrypt even harder to put on die? (is this an arms race between transistor count and algorithm tuneables?) From cathalgarvey at cathalgarvey.me Thu May 15 08:39:51 2014 From: cathalgarvey at cathalgarvey.me (Cathal Garvey) Date: Thu, 15 May 2014 16:39:51 +0100 Subject: [cryptography] The next gen P2P secure email solution In-Reply-To: <772145240.115968.1400157383527.JavaMail.www@wwinf8308> References: <1538308832.40108.1398193110797.JavaMail.www@wwinf8228> <1674207.VbjJNtGabs@lap> <772145240.115968.1400157383527.JavaMail.www@wwinf8308> Message-ID: <5374DFC7.5020809@cathalgarvey.me> >>>>> Little proprietary walled gardens are absolutely not the answer >>>>> for this problem. >>> How could we make a secure solution that plays nicely with the >>> current tools without disturbing too much what is already >>> established? >> By writing a gateway (i.e. between RetroShare and e-mail)? > The gateway idea is interesting, but it has to be efficient enough > and low cost enough for people to switch over. Something like > bitmessage is not. I actually think, having used it for some time and liking it on the whole, that Retroshare isn't suited to this. The primary reason is RS only receives mail if the sender and recipient are online at the same time. There's no store-and-forward, even though all messages are PGP encrypted to recipients. 
RS also has a lot of feature-bloat; it's better thought of as P2P Facebook than a simple communication system. Finally, RS is engineered to a simple and admirable purpose which makes it unsuited to email replacement; it's Friend to Friend. That's great in its use-case, but I think email should be: 1) Rapid and censorship-resilient routing 2) Single canonical addresses for each participant, which are human-readable. 3) Churn-tolerant 4) Expensive to send, to deter spam otherwise facilitated by to (1) 5) Practical for payloads between 10M and 20M, no greater. I do *not* think the core of a replacement email should guarantee anonymity, but the protocol should make allowances for that if possible. I think the above could be satisfied using a pseudo-blockchain for name->key mappings, and a key-routed DHT for creating routes for mail delivery. Credit is earned by routing other people's mail in store-and-forward fashion, like email. Credit can be spent to register new mail address:key mappings and to pay for routing of larger messages, or to prolong retention of messages before they bounce (if your intended recipient does not run a high-uptime mailserver and may need a day or two to log in). That resembles Twister, the coupling of DHT:Blockchain, but may be better suited to the model than twister is (because twister hit problems with scaling DHT use to many followers, I think), because email is slower and stabler than microstatus systems; more amenable to P2P-isation, whereas rapid updates coupled with mass-queries to other feeds is a setup better suited to a client:server interaction. The blockchain would need tweaking, because Twister is using scrypt, which is now apparently ASIC-able, e.g. useless. I think a password encrypting function whose parameters are set dynamically by the value of the prior block might help fix matters; the goal is for the ideal "ASIC" for the function to be a consumer CPU, not a GPU or dedicated ASIC. Anyway, sorry for the wall of text. 
Killing/replacing email is often on my mind. On 15/05/14 13:36, tpb-crypto at laposte.net wrote: >> Message du 13/05/14 05:55 De : "grarpamp" A : >> cypherpunks at cpunks.org Copie à : p2p-hackers at lists.zooko.com, >> cryptography at randombit.net Objet : Re: [cryptography] The next gen >> P2P secure email solution >> > >> On Fri, May 9, 2014 at 11:49 AM, rysiek wrote: >>> Dnia wtorek, 22 kwietnia 2014 20:58:50 tpb-crypto at laposte.net >>> pisze: >>>> Although technical solutions are feasible >> >> Then do it and see what happens. >> >>>> we ought to consider some things: - Email is older than the >>>> web itself; >> >> So is TCP/IP and the transistor. Irrelevant. >> > > You clearly did not get the point, but let's move along your > argument. > >>>> - Email has three times as many users as all social networks >>>> combined; >> >> And how did those nets get any users when 'email' was supposedly >> working just fine? >> > > E-mail not allowing one to make his ego appreciated and envied in a > structured nicely formatted page maybe? > >>>> - Email is entrenched in the offices, many a business is >>>> powered by it; >> >> They are powered by authorized access to and useful end use of >> message content, not by email. That's not going anywhere, only the >> intermediate transport is being redesigned. >> > > Can you recode outlook, eudora and other closed source stuff people > use(d) for e-mail handling for business? No? Well, that answers why > it is hard to remove. > >>>> Given the enormous energy necessary to remove such an >>>> appliance and replace >> >> Removal is different from introducing competitive alternatives. >> > > Little proprietary walled gardens are absolutely not the answer for > this problem. > >>>> it with something better. How could we make a secure solution >>>> that plays nicely with the current tools without disturbing >>>> too much what is already established? >>> >>> By writing a gateway (i.e. between RetroShare and e-mail)? 
>> > > The gateway idea is interesting, but it has to be efficient enough > and low cost enough for people to switch over. Something like > bitmessage is not. > >> MUA's become file readers and composers. They hand off to a >> localhost daemon that recognizes different address formats of the >> network[s] and does the right thing. Perhaps they compile against >> additional necessary network/crypto libs. Whatever it is, those >> are not a big change. Ditching centralized SMTP transport in the >> clear is... and for the better. >> > > http://arstechnica.com/security/2014/05/good-news-for-privacy-fewer-servers-sending-e-mail-naked-facebook-finds/ > > > > I think that answers your concern about SMTP transport in the clear, > in less than one year the darkest bar in that chart will be close to > 100%. If 80% of hosts demand strict encrypted transport, it will > force the other 20% to change. Considering the snowden revelations > and the fact that one year ago we barely used encrypted transport, > having 1/4 already and accelerating is a good prospect. > >> Reread the threads, forget about that old SMTP box, think new. > > Fixing the problem is better than overhauling all offices in the > world, you clearly haven't been in may offices in your life. > >> _______________________________________________ cryptography >> mailing list cryptography at randombit.net >> http://lists.randombit.net/mailman/listinfo/cryptography >> > -- T: @onetruecathal, @IndieBBDNA P: +353876363185 W: http://indiebiotech.com -------------- next part -------------- A non-text attachment was scrubbed... Name: 0x988B9099.asc Type: application/pgp-keys Size: 6176 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 901 bytes Desc: OpenPGP digital signature URL: From grarpamp at gmail.com Thu May 15 14:14:29 2014 From: grarpamp at gmail.com (grarpamp) Date: Thu, 15 May 2014 17:14:29 -0400 Subject: [cryptography] The next gen P2P secure email solution In-Reply-To: <772145240.115968.1400157383527.JavaMail.www@wwinf8308> References: <1538308832.40108.1398193110797.JavaMail.www@wwinf8228> <1674207.VbjJNtGabs@lap> <772145240.115968.1400157383527.JavaMail.www@wwinf8308> Message-ID: On Thu, May 15, 2014 at 8:36 AM, wrote: >> >> - Email is entrenched in the offices, many a business is powered by it; >> >> They are powered by authorized access to and useful end use of message >> content, not by email. That's not going anywhere, only the intermediate >> transport is being redesigned. >> > Can you recode outlook, eudora and other closed source stuff people use(d) for e-mail handling for business? No? Well, that answers why it is hard to remove. > Fixing the problem is better than overhauling all offices in the world, Nobody can recode closed source but them. I would offer [pluggable] open source alternatives and let gravity move the closed ones over time. >> >> Given the enormous energy necessary to remove such an appliance and replace >> >> Removal is different from introducing competitive alternatives. > > Little proprietary walled gardens are absolutely not the answer for this problem. Nothing proprietary being made here, all open source, hack and use freely. >> >> it with something better. How could we make a secure solution that plays >> >> nicely with the current tools without disturbing too much what is already >> >> established? >> > >> > By writing a gateway (i.e. between RetroShare and e-mail)? >> > The gateway idea is interesting, but it has to be efficient enough and low cost enough for people to switch over. Something like bitmessage is not. > >> MUA's become file readers and composers. 
They hand off >> to a localhost daemon that recognizes different address formats >> of the network[s] and does the right thing. Perhaps they compile >> against additional necessary network/crypto libs. Whatever it >> is, those are not a big change. Ditching centralized SMTP transport >> in the clear is... and for the better. > http://arstechnica.com/security/2014/05/good-news-for-privacy-fewer-servers-sending-e-mail-naked-facebook-finds/ > I think that answers your concern about SMTP transport in the clear Yes, great, we're now moving towards strict and PFS encrypted transport. That's not much of a complete achievement since it does not solve any of the other snowden-ish issues recent p2p threads are meant to encompass... - [secret/trollish/illegal] orders against centralized mail servers/services to store and disclose all metadata and [unencrypted] content, including transport headers and pesky to/from/subject/etc headers. - voluntary 'cooperation' to do the same. - capability for messaging over encrypted anonymous p2p overlay networks so that the only real place left to compel is the investigated user themselves (or millions of users if you want to fight up against free speech / privacy). > you clearly haven't been in may offices in your life. Don't say on others position until you are their shadow. From grarpamp at gmail.com Thu May 15 15:28:52 2014 From: grarpamp at gmail.com (grarpamp) Date: Thu, 15 May 2014 18:28:52 -0400 Subject: scrypt and ASICs In-Reply-To: References: Message-ID: On Thu, May 15, 2014 at 5:59 PM, coderman wrote: > the other thread mentioned the "ASIC-able" ness of scrypt. > > what techniques may be used to make scrypt even harder to put on die? > > (is this an arms race between transistor count and algorithm tuneables?) I've not read much on scrypt. 
Is there a relation to what you see with AMD providing hUMA arch in their APUs (Kaveri) where you have CPU and GPU cores being able to read/write the same address space, lodge instruction queues to each other, and even an ARM core onboard. IOW, a merging of formerly hard discrete compute elements now on one die and communicating freely, in open commerce, would seem to make it harder to design resistant algos like scrypt. Maybe a next step in hard would be requiring extra nodes, a globally minimum latency, checkpointed. We say memory hard, storage hard, bit hard, time hard. What other hards can we exploit without being fooled. Pheromones? From rysiek at hackerspace.pl Thu May 15 11:25:32 2014 From: rysiek at hackerspace.pl (rysiek) Date: Thu, 15 May 2014 20:25:32 +0200 Subject: [cryptography] The next gen P2P secure email solution In-Reply-To: <5374DFC7.5020809@cathalgarvey.me> References: <772145240.115968.1400157383527.JavaMail.www@wwinf8308> <5374DFC7.5020809@cathalgarvey.me> Message-ID: <1486295.uyTZkBbK4O@lap> OHAI, Dnia czwartek, 15 maja 2014 16:39:51 Cathal Garvey pisze: > >>>>> Little proprietary walled gardens are absolutely not the answer > >>>>> for this problem. > >>> > >>> How could we make a secure solution that plays nicely with the > >>> current tools without disturbing too much what is already > >>> established? > >> > >> By writing a gateway (i.e. between RetroShare and e-mail)? > > > > The gateway idea is interesting, but it has to be efficient enough > > and low cost enough for people to switch over. Something like > > bitmessage is not. > > I actually think, having used it for some time and liking it on the > whole, that Retroshare isn't suited to this. > > The primary reason is RS only receives mail if the sender and recipient > are online at the same time. There's no store-and-forward, even though > all messages are PGP encrypted to recipients. Wouldn't that be possible to change? 
For example by creating store-and-forward servers that would not be *required* for RS operation, but would add this as an added feature? > RS also has a lot of feature-bloat; it's better thought of as P2P > Facebook than a simple communication system. That is very true. > Finally, RS is engineered to a simple and admirable purpose which makes > it unsuited to email replacement; it's Friend to Friend. That's great in > its use-case, but I think email should be: > > 1) Rapid and censorship-resilient routing > 2) Single canonical addresses for each participant, which are > human-readable. > 3) Churn-tolerant > 4) Expensive to send, to deter spam otherwise facilitated by to (1) > 5) Practical for payloads between 10M and 20M, no greater. > > I do *not* think the core of a replacement email should guarantee > anonymity, but the protocol should make allowances for that if possible. It should at least guarantee pseudonymity, IMHO. > I think the above could be satisfied using a pseudo-blockchain for > name->key mappings, and a key-routed DHT for creating routes for mail > delivery. Credit is earned by routing other people's mail in > store-and-forward fashion, like email. Credit can be spent to > register new mail address:key mappings and to pay for routing of larger > messages, or to prolong retention of messages before they bounce (if > your intended recipient does not run a high-uptime mailserver and may > need a day or two to log in). Interesting. > That resembles Twister, the coupling of DHT:Blockchain, but may be > better suited to the model than twister is (because twister hit problems > with scaling DHT use to many followers, I think), https://github.com/miguelfreitas/twister-core/issues/24 https://github.com/miguelfreitas/twister-core/issues/165 > because email is slower and stabler than microstatus systems; more amenable > to P2P-isation, whereas rapid updates coupled with mass-queries to other > feeds is a setup better suited to a client:server interaction. 
The > blockchain would need tweaking, because Twister is using scrypt, which > is now apparently ASIC-able, e.g. useless. I think a password encrypting > function whose parameters are set dynamically by the value of the prior > block might help fix matters; the goal is for the ideal "ASIC" for the > function to be a consumer CPU, not a GPU or dedicated ASIC. Makes sense. > Anyway, sorry for the wall of text. Killing/replacing email is often on > my mind. Yeah, I also have a love-hate relationship with this communication medium. -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From grarpamp at gmail.com Thu May 15 17:26:27 2014 From: grarpamp at gmail.com (grarpamp) Date: Thu, 15 May 2014 20:26:27 -0400 Subject: [cryptography] The next gen P2P secure email solution In-Reply-To: <438532216.290372.1400197775126.JavaMail.www@wwinf8314> References: <1538308832.40108.1398193110797.JavaMail.www@wwinf8228> <1674207.VbjJNtGabs@lap> <772145240.115968.1400157383527.JavaMail.www@wwinf8308> <438532216.290372.1400197775126.JavaMail.www@wwinf8314> Message-ID: >> pesky to/from/subject/etc headers. > > Oh boy, here we go. > Those are hidden by use of TLS. Have you not been following the weaknesses intrinsic to SMTP discussions? Yes, they are hidden in TLS transport on the wire. No, they are not hidden in core or on disk at the intermediate and final message transport nodes. That's bad. We want all human relevant plaintext content, such pesky headers included, to be hidden from observation by anyone other than us (at our origination or final receipt nodes). There is no oh boy in that sensible new design. > Regarding government wanting your data in the clear by requesting it to the ISP you use, well switch your communications to another country, problem solved. 
Have you ever heard of MLAT, extradition, interpol, public and private cooperation, dealings, and other such things? And maybe you simply do not trust any 'country' with carriage of your insistent plaintext. There is no such 'solved' with that. >> - voluntary 'cooperation' to do the same. >> - capability for messaging over encrypted anonymous p2p overlay networks >> so that the only real place left to compel is the investigated user themselves >> (or millions of users if you want to fight up against free speech / privacy). >> > > p2p is no panacea, it doesn't scale I believe it could. Even if requiring super aggregating nodes of some sort. Layers of service of the whole DHT space. More research is surely required. > and it will never, ever be able to handle the latest netflixy app Joes are so much into. p2p is for techead kids like you, not for the masses. We are talking messaging, not bulk data. However, once you have the nodes scalable to millions of communicators, there is probably no issue transporting bulk data among a select few along their path metrics. Cathal brings up a great and tricky issue regarding choices to store-and-forward. S&F is quite more complex, but possibly more useful, than realtime. > The masses do not understand it unless it brings spiderman, batman, faggotman hollywood garbage faster to their living rooms. I agree such garbage is rather pointless life endeavour. I would be happy to message you via such a new messaging system though :) From grarpamp at gmail.com Thu May 15 17:57:47 2014 From: grarpamp at gmail.com (grarpamp) Date: Thu, 15 May 2014 20:57:47 -0400 Subject: Observation re gmail/google cookies Message-ID: Is used to be such that only the mail.google.com:GX cookie was required to access webgmail (even if it added a number of other cookies post that access, they could be reasonably narrowed down and blocked to just mail.google.com, if I recall). 
Now within the past many months that has changed to include, at minimum, myriad cookies in google.com. (I've not tested which are the minimum set). These will potentially cross with ads and other tracking things. While great for google integration, it's bad for user privacy regarding domain/usage segregation. Do not trust the google in your browser anymore. As if, ever, obviously. From tpb-crypto at laposte.net Thu May 15 16:49:35 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Fri, 16 May 2014 01:49:35 +0200 Subject: [cryptography] The next gen P2P secure email solution In-Reply-To: References: <1538308832.40108.1398193110797.JavaMail.www@wwinf8228> <1674207.VbjJNtGabs@lap> <772145240.115968.1400157383527.JavaMail.www@wwinf8308> Message-ID: <438532216.290372.1400197775126.JavaMail.www@wwinf8314> Oh boy, here we go. > Message du 15/05/14 23:14 > De : "grarpamp" > > > http://arstechnica.com/security/2014/05/good-news-for-privacy-fewer-servers-sending-e-mail-naked-facebook-finds/ > > I think that answers your concern about SMTP transport in the clear > > Yes, great, we're now moving towards strict and PFS encrypted transport. > That's not much of a complete achievement since it does not solve any of > the other snowden-ish issues recent p2p threads are meant to encompass... > - [secret/trollish/illegal] orders against centralized mail servers/services > to store and disclose all metadata and [unencrypted] content, including > transport headers and pesky to/from/subject/etc headers. > pesky to/from/subject/etc headers. Those are hidden by use of TLS. Regarding government wanting your data in the clear by requesting it to the ISP you use, well switch your communications to another country, problem solved. > - voluntary 'cooperation' to do the same. 
> - capability for messaging over encrypted anonymous p2p overlay networks > so that the only real place left to compel is the investigated user themselves > (or millions of users if you want to fight up against free speech / privacy). > p2p is no panacea, it doesn't scale and it will never, ever be able to handle the latest netflixy app Joes are so much into. p2p is for techead kids like you, not for the masses. The masses do not understand it unless it brings spiderman, batman, faggotman hollywood garbage faster to their living rooms. From skquinn at rushpost.com Fri May 16 02:45:25 2014 From: skquinn at rushpost.com (Shawn K. Quinn) Date: Fri, 16 May 2014 04:45:25 -0500 Subject: Observation re gmail/google cookies In-Reply-To: <20140516084451.GA4006@sivokote.iziade.m$> References: <20140516084451.GA4006@sivokote.iziade.m$> Message-ID: <1400233525.6565.118093325.247BC559@webmail.messagingengine.com> On Fri, May 16, 2014, at 03:44 AM, Georgi Guninski wrote: > On Thu, May 15, 2014 at 08:57:47PM -0400, grarpamp wrote: > > Is used to be such that only the mail.google.com:GX > > cookie was required to access webgmail [...] > > Now within the past many months that has changed > > to include, at minimum, myriad cookies in google.com. (I've > > not tested which are the minimum set). [...] > Certainly. google probably will change > the minimum cookie set. > > Just for mail isn't it better to not use > browser but an email client via SMTP/IMAP: > > http://email.about.com/od/accessinggmail/f/Gmail_SMTP_Settings.htm I haven't used Gmail for any serious email except when there's been no reasonable alternative. (Case in point: I was on the committee for a local charity event and the organizer had taken apparently large gulps of the Google Kool-Aid to the point where the event documents were all on Google Docs/Drive.) 
It is worth the extra $20 or so per year to not have Google be able to cross-reference my search history with my email, and better still to be free of Google's stupid irrelevant or sometimes overly relevant ads in my email. It's bad enough when I browse a site and immediately see both Google ads when I browse elsewhere, and then Facebook ads for it when I check in there.

--
Shawn K. Quinn
skquinn at rushpost.com

From rysiek at hackerspace.pl Thu May 15 20:16:35 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Fri, 16 May 2014 05:16:35 +0200
Subject: [cryptography] The next gen P2P secure email solution
In-Reply-To:
References: <438532216.290372.1400197775126.JavaMail.www@wwinf8314>
Message-ID: <4814569.tANrqrmNsI@lap>

On Thursday, 15 May 2014 20:26:27 grarpamp wrote:
> >> pesky to/from/subject/etc headers.
> >
> > Oh boy, here we go.
> > Those are hidden by use of TLS.
>
> Have you not been following the weaknesses intrinsic
> to SMTP discussions?
> Yes, they are hidden in TLS transport on the wire.
> No, they are not hidden in core or on disk at
> the intermediate and final message transport
> nodes. That's bad.

And I don't think they're hidden in any meaningful way on the server-to-server wire. As in: whose mailserver validates TLS of the destination server?

That's actually an interesting research question. This goes for other semi-decentralised, client-server services like XMPP for instance.

And even if they do validate it, thinking that NSA et al do not have root certs allowing them to MITM the communication as they wish is naivety.

--
Regards
rysiek
From guninski at guninski.com Fri May 16 01:44:51 2014
From: guninski at guninski.com (Georgi Guninski)
Date: Fri, 16 May 2014 11:44:51 +0300
Subject: Observation re gmail/google cookies
In-Reply-To:
References:
Message-ID: <20140516084451.GA4006@sivokote.iziade.m$>

On Thu, May 15, 2014 at 08:57:47PM -0400, grarpamp wrote:
> It used to be such that only the mail.google.com:GX
> cookie was required to access webgmail (even if it added
> a number of other cookies post that access, they could be
> reasonably narrowed down and blocked to just mail.google.com,
> if I recall). Now within the past many months that has changed
> to include, at minimum, myriad cookies in google.com. (I've
> not tested which are the minimum set). These will potentially
> cross with ads and other tracking things. While great for
> google integration, it's bad for user privacy regarding
> domain/usage segregation. Do not trust the google in your
> browser anymore. As if, ever, obviously.

Certainly. google probably will change the minimum cookie set.

Just for mail isn't it better to not use browser but an email client via SMTP/IMAP:

http://email.about.com/od/accessinggmail/f/Gmail_SMTP_Settings.htm

From tpb-crypto at laposte.net Fri May 16 03:01:26 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Fri, 16 May 2014 12:01:26 +0200
Subject: [cryptography] The next gen P2P secure email solution
In-Reply-To:
References: <1538308832.40108.1398193110797.JavaMail.www@wwinf8228> <1674207.VbjJNtGabs@lap> <772145240.115968.1400157383527.JavaMail.www@wwinf8308> <438532216.290372.1400197775126.JavaMail.www@wwinf8314>
Message-ID: <1194846483.156635.1400234437146.JavaMail.www@wwinf8226>

> Message of 16/05/14 02:26
> From: "grarpamp"
> To: p2p-hackers at lists.zooko.com
> Cc: cypherpunks at cpunks.org, cryptography at randombit.net
> Subject: Re: [cryptography] The next gen P2P secure email solution
>
> >> pesky to/from/subject/etc headers.
> >
> > Oh boy, here we go.
> > Those are hidden by use of TLS.
>
> Have you not been following the weaknesses intrinsic
> to SMTP discussions?
> Yes, they are hidden in TLS transport on the wire.
> No, they are not hidden in core or on disk at
> the intermediate and final message transport
> nodes. That's bad.
>

There is no way to hide metadata because you need a destination for your messages to arrive, you can't hide it even in Bitcoin, Tor or any other network which has to find its destinations to deliver its contents. The best you can do is cloak it, but like any cover there are means to uncover it.

> We want all human relevant plaintext content, such pesky
> headers included, to be hidden from observation by anyone
> other than us (at our origination or final receipt nodes).
> There is no oh boy in that sensible new design.
>
> > Regarding government wanting your data in the clear by requesting it to the ISP you use, well switch your communications to another country, problem solved.
>
> Have you ever heard of MLAT, extradition, interpol, public
> and private cooperation, dealings, and other such things? And
> maybe you simply do not trust any 'country' with carriage of your
> insistent plaintext. There is no such 'solved' with that.
>

What is Iran? What is Cuba? What is China? What is Switzerland?

> >> - voluntary 'cooperation' to do the same.
> >> - capability for messaging over encrypted anonymous p2p overlay networks
> >> so that the only real place left to compel is the investigated user themselves
> >> (or millions of users if you want to fight up against free speech / privacy).
> >>
> >
> > p2p is no panacea, it doesn't scale
>
> I believe it could. Even if requiring super aggregating
> nodes of some sort. Layers of service of the whole
> DHT space. More research is surely required.
>

Here is your problem, you hold a belief, I hold knowledge. That's the little difference between us.
It is not possible to have fast p2p unless:

- Cable networks collaborate by increasing bandwidth 7 to 8 times the current levels without increasing costs. That was done in Brazil and South Korea which now have much better internet than the US. But the US still rule as the biggest market;
- People accept a more bumpy internet experience;

> > and it will never, ever be able to handle the latest netflixy app Joes are so much into.
> p2p is for techead kids like you, not for the masses.
>
> We are talking messaging, not bulk data.
> However, once you have the nodes scalable to millions
> of communicators, there is probably no issue transporting
> bulk data among a select few along their path metrics.
>

The first thing people complained about Tor was that they couldn't run bittorrents with it and they couldn't see youtube.

> Cathal brings up a great and tricky issue regarding
> choices to store-and-forward. S&F is quite more
> complex, but possibly more useful, than realtime.
>
> > The masses do not understand it unless it brings spiderman, batman, faggotman hollywood garbage faster to their living rooms.
>
> I agree such garbage is rather pointless life endeavour.
> I would be happy to message you via such a new
> messaging system though :)

I would it too, of course. But in order to make it work we have to dial back the complexity of our pages and our want for high definition videos.

It is not interesting to merely have an e-mail substitute, because instead of e-mail metadata spies will request our google search and navigation history. You will certainly send links and those tell a lot about what we are talking about.
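
The two exposure points argued over in this thread (headers hidden on a TLS hop but readable "in core or on disk" at every relay, and links travelling in a readable body) can be checked mechanically. The following is an added example, not code from any poster; the sample messages, the example.net/example.org addresses and the `exposure` helper are constructed for illustration.

```python
import re
from email import message_from_bytes, policy

# Header fields that say who talked to whom, when, and about what.
METADATA = {"received", "from", "to", "cc", "subject", "date", "message-id"}
URL_RE = re.compile(r"https?://[^\s<>\"]+")

# Constructed sample 1: a PGP/MIME (RFC 3156) message; the ciphertext is a placeholder.
SAMPLE_PGP = (
    b"Received: from mx1.example.net by mx2.example.org; "
    b"Fri, 16 May 2014 12:01:30 +0200\r\n"
    b"From: alice@example.net\r\n"
    b"To: bob@example.org\r\n"
    b"Subject: draft of the overlay design\r\n"
    b"Date: Fri, 16 May 2014 12:01:26 +0200\r\n"
    b"Message-ID: <constructed-1@example.net>\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/encrypted;"
    b' protocol="application/pgp-encrypted"; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: application/pgp-encrypted\r\n\r\n"
    b"Version: 1\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n\r\n"
    b"-----BEGIN PGP MESSAGE-----\r\n"
    b"(constructed placeholder, not real ciphertext)\r\n"
    b"-----END PGP MESSAGE-----\r\n"
    b"--b1--\r\n"
)

# Constructed sample 2: an ordinary plaintext message that carries a link.
SAMPLE_PLAIN = (
    b"From: alice@example.net\r\n"
    b"To: bob@example.org\r\n"
    b"Subject: read this\r\n"
    b"Date: Fri, 16 May 2014 12:05:00 +0200\r\n"
    b"\r\n"
    b"The paper is at https://example.org/p2p-mail.pdf if you want it.\r\n"
)


def is_pgp_mime(msg):
    """True when the body is an RFC 3156 encrypted container."""
    return (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted")


def view_at_relay(raw):
    """What a mail server holding the message (in core or on disk) can read."""
    msg = message_from_bytes(raw, policy=policy.default)
    encrypted = is_pgp_mime(msg)
    links = []
    if not encrypted:
        body = msg.get_body(preferencelist=("plain",))
        if body is not None:
            links = URL_RE.findall(body.get_content())
    return {
        # PGP/MIME protects the body only: these fields stay readable.
        "headers": {name.lower() for name in msg.keys()} & METADATA,
        "body_readable": not encrypted,
        "links": links,
    }


def exposure(raw, hop_uses_tls):
    """Compare a passive tap on one SMTP hop with the relay that terminates it."""
    relay = view_at_relay(raw)
    if hop_uses_tls:
        # The tap still sees IP endpoints, timing and size, but no message fields.
        wire = {"headers": set(), "body_readable": False, "links": []}
    else:
        # Cleartext SMTP: the tap reads exactly what the relay reads.
        wire = dict(relay)
    return {"wire": wire, "relay": relay}


if __name__ == "__main__":
    for label, raw in (("pgp/mime", SAMPLE_PGP), ("plaintext", SAMPLE_PLAIN)):
        for tls in (True, False):
            print(label, "tls" if tls else "cleartext", exposure(raw, tls))
```
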
From tpb-crypto at laposte.net Fri May 16 03:07:26 2014
From: tpb-crypto at laposte.net (tpb-crypto at laposte.net)
Date: Fri, 16 May 2014 12:07:26 +0200
Subject: Observation re gmail/google cookies
In-Reply-To:
References:
Message-ID: <669310361.157029.1400234797305.JavaMail.www@wwinf8226>

> Message of 16/05/14 03:32
> From: "grarpamp"
> To: tor-talk at lists.torproject.org
> Cc: cypherpunks at cpunks.org
> Subject: Observation re gmail/google cookies
>
> It used to be such that only the mail.google.com:GX
> cookie was required to access webgmail (even if it added
> a number of other cookies post that access, they could be
> reasonably narrowed down and blocked to just mail.google.com,
> if I recall). Now within the past many months that has changed
> to include, at minimum, myriad cookies in google.com. (I've
> not tested which are the minimum set). These will potentially
> cross with ads and other tracking things. While great for
> google integration, it's bad for user privacy regarding
> domain/usage segregation. Do not trust the google in your
> browser anymore. As if, ever, obviously.
>

Forget gmail, it is not your friend, use it to keep up your real self where you discuss your latest favorite dvd from lady gaga. Take your real interests to another service, there's plenty of free alternatives in countries that are not US-friendly.

From l at odewijk.nl Fri May 16 07:25:32 2014
From: l at odewijk.nl (Lodewijk andré de la porte)
Date: Fri, 16 May 2014 16:25:32 +0200
Subject: scrypt and ASICs
In-Reply-To:
References:
Message-ID:

Reconfigurable hard. Just maximize on what videocards do well, then videocards will do best. There's no other way really. The margins just get smaller. Actually... what if you switch algorithm every x blocks? Max different aspects of a default config PC. That way ASICS would have to be PCs! So... Maybe we should contact the blender people and them to submit renders?
Another one is sciencecoins, where you solve science questions. The changes in science question will always mess with asics. Actually... SETIcoin?

On May 16, 2014 12:42 AM, "grarpamp" wrote:
> On Thu, May 15, 2014 at 5:59 PM, coderman wrote:
> > the other thread mentioned the "ASIC-able" ness of scrypt.
> >
> > what techniques may be used to make scrypt even harder to put on die?
> >
> > (is this an arms race between transistor count and algorithm tuneables?)
>
> I've not read much on scrypt. Is there a relation to what
> you see with AMD providing hUMA arch in their APUs
> (Kaveri) where you have CPU and GPU cores being able
> to read/write the same address space, lodge instruction
> queues to each other, and even an ARM core onboard.
> IOW, a merging of formerly hard discrete compute elements
> now on one die and communicating freely, in open commerce,
> would seem to make it harder to design resistant algos
> like scrypt.
>
> Maybe a next step in hard would be requiring extra nodes,
> a globally minimum latency, checkpointed. We say memory
> hard, storage hard, bit hard, time hard. What other hards
> can we exploit without being fooled. Pheromones?
>

From dan at geer.org Sun May 18 05:28:42 2014
From: dan at geer.org (dan at geer.org)
Date: Sun, 18 May 2014 08:28:42 -0400
Subject: [cryptography] The next gen P2P secure email solution
In-Reply-To: Your message of "Fri, 16 May 2014 12:01:26 +0200." <1194846483.156635.1400234437146.JavaMail.www@wwinf8226>
Message-ID: <20140518122842.2DA192280B0@palinka.tinho.net>

> ...
> I would it too, of course. But in order to make it work we have to dial
> back the complexity of our pages and our want for high definition videos.
> ...

Yes. Yes. Yes.
The HTTP Archive says that the average web page today makes out-references to 16 different domains as well as making 17 Javascript requests per page, and the Javascript byte count is several times the HTML byte count.[HT] A lot of that Javascript is, as you well know, about analytics which is to say surveillance of the user "experience."

I wish I could get it across to those who like free as in paid for by advertising and the video junkies that it is their demand for, and their willingness to accept, remote procedure calls from arbitrary servers (RPCs written in Turing complete languages I might add) that will have the effects that we here can so well anticipate. Mozilla's announcement that it will bend to demand and build in DRM is indicative.

In short, can this baby be saved? I really don't know.

--dan

[HT] Trends, HTTP Archive; www.httparchive.org/trends.php

From mrjones2020 at gmail.com Mon May 19 15:24:45 2014
From: mrjones2020 at gmail.com (J.R. Jones)
Date: Mon, 19 May 2014 18:24:45 -0400
Subject: Harvard and MIT Students Launch ‘NSA-Proof’ Email Service | Betabeat
Message-ID:

Have you guys seen this? What say ye?

http://betabeat.com/2014/05/harvard-and-mit-students-launch-nsa-proof-email-service/

From loki at obscura.com Tue May 20 06:49:26 2014
From: loki at obscura.com (Lance Cottrell)
Date: Tue, 20 May 2014 06:49:26 -0700
Subject: Re: Harvard and MIT Students Launch ‘NSA-Proof’ Email Service | Betabeat
In-Reply-To:
References: <839337740.65096.1400541676910.JavaMail.www@wwinf8222>
Message-ID: <569A7290-5C11-4E4F-9901-DA418DE15BB1@obscura.com>

Just read the “Threat Model” section of the website.
They are working to prevent mass surveillance, not to stop targeted nation state level attacks against individual users.

-Lance

--
Lance Cottrell
loki at obscura.com

On May 19, 2014, at 10:36 PM, Александр wrote:

> http://betabeat.com/2014/05/harvard-and-mit-students-launch-nsa-proof-email-service/
>
> well, it
> seems too good to be true.
> Recently we've got a lot of projects like that.
>
> Yes, there are enthusiasts.
> A real good ones.
> But we should also ask ourselves,
> (except what tpb-crypto mentioned), who these guys are? Could they be a project of... the NSA itself?
> Yes.
>
> I read their security section. The first thing in my mind (i am not tooooo paranoid:)) is that it is too good. It is absolutely free WITHOUT any mention of donations.
> Not even a mention.
> Who supports them? Can we trust him/it?
> Are they millionaires:)?
> We see not even one word about the money.
> Second of all, when you read their
> security section, it's like a honey for bees - it invites you. It's ideal. Too much ideal.
> So yes, i rely on my feelings too, and there is something wrong with that.
>
> These guys are from Germany:
> https://lavaboom.com/en/beta.html
> It seems to me a better choice (except the problem of the fact that Germany has got its nsa=bnd and that they give everything to nsa)
>
> In the end, we need to trust someone. But we don't read their minds:). And it could be, after all, a big fall.
>
> We've got pgp. Thanks God.
> But a 100% reliable and bulletproof email provider?
> No.
From afalex169 at gmail.com Mon May 19 22:36:31 2014
From: afalex169 at gmail.com (Александр)
Date: Tue, 20 May 2014 08:36:31 +0300
Subject: Re: Harvard and MIT Students Launch ‘NSA-Proof’ Email Service | Betabeat
In-Reply-To: <839337740.65096.1400541676910.JavaMail.www@wwinf8222>
References: <839337740.65096.1400541676910.JavaMail.www@wwinf8222>
Message-ID:

http://betabeat.com/2014/05/harvard-and-mit-students-launch-nsa-proof-email-service/

well, it
seems too good to be true.
Recently we've got a lot of projects like that.

Yes, there are enthusiasts.
A real good ones.
But we should also ask ourselves,
(except what tpb-crypto mentioned), who these guys are? Could they be a project of... the NSA itself?
Yes.

I read their security section. The first thing in my mind (i am not tooooo paranoid:)) is that it is too good. It is absolutely free WITHOUT any mention of donations.
Not even a mention.
Who supports them? Can we trust him/it?
Are they millionaires:)?
We see not even one word about the money.
Second of all, when you read their
security section, it's like a honey for bees - it invites you. It's ideal. Too much ideal.
So yes, i rely on my feelings too, and there is something wrong with that.

These guys are from Germany:
https://lavaboom.com/en/beta.html
It seems to me a better choice (except the problem of the fact that Germany has got its nsa=bnd and that they give everything to nsa)

In the end, we need to trust someone. But we don't read their minds:). And it could be, after all, a big fall.

We've got pgp. Thanks God.
But a 100% reliable and bulletproof email provider?
No.
From loki at obscura.com Tue May 20 08:51:31 2014
From: loki at obscura.com (Lance Cottrell)
Date: Tue, 20 May 2014 08:51:31 -0700
Subject: Re: Harvard and MIT Students Launch ‘NSA-Proof’ Email Service | Betabeat
In-Reply-To:
References: <839337740.65096.1400541676910.JavaMail.www@wwinf8222> <569A7290-5C11-4E4F-9901-DA418DE15BB1@obscura.com>
Message-ID: <3FB3AF0F-05F1-47F9-8C25-567F4A127D5F@obscura.com>

Not buying it. Elaborate.

--
Lance Cottrell
Sent from my iPad

> On May 20, 2014, at 8:05 AM, "Kelly J. Rose" wrote:
>
> Which is totally subverted if you are American citizens or located in the us. Simply by the national security letters.
>
> You could have the sexiest cryptosystem ever and the NSL attack will still beat you if you put it on American soil.
>
>> On Tuesday, May 20, 2014, Lance Cottrell wrote:
>> Just read the “Threat Model” section of the website. They are working to prevent mass surveillance, not to stop targeted nation state level attacks against individual users.
>>
>> -Lance
>>
>> --
>> Lance Cottrell
>> loki at obscura.com
>>
>>
>>
>>> On May 19, 2014, at 10:36 PM, Александр wrote:
>>>
>>> http://betabeat.com/2014/05/harvard-and-mit-students-launch-nsa-proof-email-service/
>>>
>>> well, it
>>> seems too good to be true.
>>> Recently we've got a lot of projects like that.
>>>
>>> Yes, there are enthusiasts.
>>> A real good ones.
>>> But we should also ask ourselves,
>>> (except what tpb-crypto mentioned), who these guys are? Could they be a project of... the NSA itself?
>>> Yes.
>>>
>>> I read their security section. The first thing in my mind (i am not tooooo paranoid:)) is that it is too good. It is absolutely free WITHOUT any mention of donations.
>>> Not even a mention.
>>> Who supports them? Can we trust him/it?
>>> Are they millionaires:)?
>>> We see not even one word about the money.
>>> Second of all, when you read their
>>> security section, it's like a honey for bees - it invites you. It's ideal. Too much ideal.
>>> So yes, i rely on my feelings too, and there is something wrong with that.
>>>
>>> These guys are from Germany:
>>> https://lavaboom.com/en/beta.html
>>> It seems to me a better choice (except the problem of the fact that Germany has got its nsa=bnd and that they give everything to nsa)
>>>
>>> In the end, we need to trust someone. But we don't read their minds:). And it could be, after all, a big fall.
>>>
>>> We've got pgp. Thanks God.
>>> But a 100% reliable and bulletproof email provider?
>>> No.
>
>
> --
> Kelly J. Rose
> Edmonton, AB
> Phone: +1 587 982-4104
> Twitter: @kjrose
> Skype: kjrose.pr
> Gtalk: iam at kjro.se
> MSN: msn at kjro.se
>
> Document contents are confidential between original recipients and sender.
>

From iam at kjro.se Tue May 20 08:05:37 2014
From: iam at kjro.se (Kelly J. Rose)
Date: Tue, 20 May 2014 09:05:37 -0600
Subject: Re: Harvard and MIT Students Launch ‘NSA-Proof’ Email Service | Betabeat
In-Reply-To: <569A7290-5C11-4E4F-9901-DA418DE15BB1@obscura.com>
References: <839337740.65096.1400541676910.JavaMail.www@wwinf8222> <569A7290-5C11-4E4F-9901-DA418DE15BB1@obscura.com>
Message-ID:

Which is totally subverted if you are American citizens or located in the us. Simply by the national security letters.

You could have the sexiest cryptosystem ever and the NSL attack will still beat you if you put it on American soil.

On Tuesday, May 20, 2014, Lance Cottrell wrote:

> Just read the “Threat Model” section of the website.
They are working to
> prevent mass surveillance, not to stop targeted nation state level attacks
> against individual users.
>
> -Lance
>
> --
> Lance Cottrell
> loki at obscura.com
>
>
>
> On May 19, 2014, at 10:36 PM, Александр
>
> wrote:
>
>
> http://betabeat.com/2014/05/harvard-and-mit-students-launch-nsa-proof-email-service/
>
> well, it
> seems too good to be true.
> Recently we've got a lot of projects like that.
>
> Yes, there are enthusiasts.
> A real good ones.
> But we should also ask ourselves,
> (except what tpb-crypto mentioned), who these guys are? Could they be a
> project of... the NSA itself?
> Yes.
>
> I read their security section. The first thing in my mind (i am not tooooo
> paranoid:)) is that it is too good. It is absolutely free WITHOUT any
> mention of donations.
> Not even a mention.
> Who supports them? Can we trust him/it?
> Are they millionaires:)?
> We see not even one word about the money.
> Second of all, when you read their
> security section, it's like a honey for bees - it invites you. It's ideal.
> Too much ideal.
> So yes, i rely on my feelings too, and there is something wrong with that.
>
> These guys are from Germany:
> https://lavaboom.com/en/beta.html
> It seems to me a better choice (except the problem of the fact that
> Germany has got its nsa=bnd and that they give everything to nsa)
>
> In the end, we need to trust someone. But we don't read their minds:). And
> it could be, after all, a big fall.
>
> We've got pgp. Thanks God.
> But a 100% reliable and bulletproof email provider?
> No.
>
>
>

--
Kelly J. Rose
Edmonton, AB
Phone: +1 587 982-4104
Twitter: @kjrose
Skype: kjrose.pr
Gtalk: iam at kjro.se
MSN: msn at kjro.se

Document contents are confidential between original recipients and sender.
From loki at obscura.com Tue May 20 09:13:04 2014
From: loki at obscura.com (Lance Cottrell)
Date: Tue, 20 May 2014 09:13:04 -0700
Subject: Re: Harvard and MIT Students Launch ‘NSA-Proof’ Email Service | Betabeat
In-Reply-To: <82415315.2NpIfVOb7L@lap>
References: <569A7290-5C11-4E4F-9901-DA418DE15BB1@obscura.com> <82415315.2NpIfVOb7L@lap>
Message-ID: <6BB7C350-BA51-44A4-80FB-9F82DFDF01E1@obscura.com>

Their architecture makes them vulnerable to compromise through hacking. If you read their threat model, it is quite modest. They are not trying to be secure against focused efforts by the NSA or similar.

-Lance

--
Lance Cottrell
loki at obscura.com

On May 20, 2014, at 8:47 AM, rysiek wrote:

> On Tuesday, 20 May 2014 09:05:37 Kelly J. Rose wrote:
>> Which is totally subverted if you are American citizens or located in the
>> us. Simply by the national security letters.
>>
>> You could have the sexiest cryptosystem ever and the NSL attack will still
>> beat you if you put it on American soil.
>
> I guess that's why they are not putting it on American soil.
>
> --
> Regards
> rysiek

From iam at kjro.se Tue May 20 09:52:26 2014
From: iam at kjro.se (Kelly J. Rose)
Date: Tue, 20 May 2014 10:52:26 -0600
Subject: Re: Harvard and MIT Students Launch ‘NSA-Proof’ Email Service | Betabeat
In-Reply-To: <82415315.2NpIfVOb7L@lap>
References: <569A7290-5C11-4E4F-9901-DA418DE15BB1@obscura.com> <82415315.2NpIfVOb7L@lap>
Message-ID:

Are they American citizens?
Do they plan on ever travelling to the US?

On Tue, May 20, 2014 at 9:47 AM, rysiek wrote:

> On Tuesday, 20 May 2014 09:05:37 Kelly J. Rose wrote:
> > Which is totally subverted if you are American citizens or located in the
> > us. Simply by the national security letters.
> >
> > You could have the sexiest cryptosystem ever and the NSL attack will
> still
> > beat you if you put it on American soil.
>
> I guess that's why they are not putting it on American soil.
>
> --
> Regards
> rysiek

--
Kelly J. Rose
Edmonton, AB
Phone: +1 587 982-4104
Twitter: @kjrose
Skype: kjrose.pr
Gtalk: iam at kjro.se
MSN: msn at kjro.se

Document contents are confidential between original recipients and sender.

From unixninja92 at gmail.com Tue May 20 09:10:57 2014
From: unixninja92 at gmail.com (unixninja92)
Date: Tue, 20 May 2014 12:10:57 -0400
Subject: Re: Harvard and MIT Students Launch ‘NSA-Proof’ Email Service | Betabeat
In-Reply-To:
References: <839337740.65096.1400541676910.JavaMail.www@wwinf8222> <569A7290-5C11-4E4F-9901-DA418DE15BB1@obscura.com>
Message-ID:

Last time I checked, NSLs could only be used against people in the US. Not people located in Switzerland even if they are US citizens. So as long as they don't travel to the US it's safe.

And to concerns about monetization, I was looking around their website and found that they have been entering a bunch of start-up seed-funding things. I also noticed that in their privacy policy they have a section covering payment information. I assume this means that they will have pay services once they leave beta. Under the forever free picture on the front page, they say that they will have "multi-tiered pricing including a free version anyone can use."

What I haven't seen yet is anything about third party audits or warrant canaries.
In Switzerland it is possible to get warrants with gag orders for data (I believe the gag is eventually lifted). They do not make it clear what would change in their transparency report if they got such an order. They also make no indication of how they will respond to security disclosures or to people trying to poke holes in their system.

From loki at obscura.com Tue May 20 12:34:59 2014
From: loki at obscura.com (Lance Cottrell)
Date: Tue, 20 May 2014 12:34:59 -0700
Subject: Re: Harvard and MIT Students Launch ‘NSA-Proof’ Email Service | Betabeat
In-Reply-To: <537ba9a1.01e6ec0a.681a.1bc4@mx.google.com>
References: <839337740.65096.1400541676910.JavaMail.www@wwinf8222> <569A7290-5C11-4E4F-9901-DA418DE15BB1@obscura.com> <537ba9a1.01e6ec0a.681a.1bc4@mx.google.com>
Message-ID:

It looks like they would be in a position to do so if they wanted.

-Lance

--
Lance Cottrell
loki at obscura.com

On May 20, 2014, at 12:16 PM, Juan wrote:

> On Tue, 20 May 2014 06:49:26 -0700
> Lance Cottrell wrote:
>
>> Just read the “Threat Model” section of the website. They are working
>> to prevent mass surveillance,
>
>
>
> Really? But they are going to collect 'metadata' about all
> their users, no?
>
>
>
>
>> not to stop targeted nation state level
>> attacks against individual users.
>>
>> -Lance
>>
>> --
>> Lance Cottrell
>> loki at obscura.com
>>
>>
>>
>> On May 19, 2014, at 10:36 PM, Александр wrote:
>>
>>> http://betabeat.com/2014/05/harvard-and-mit-students-launch-nsa-proof-email-service/
>>>
>>> well, it
>>> seems too good to be true.
>>> Recently we've got a lot of projects like that.
>>>
>>> Yes, there are enthusiasts.
>>> A real good ones.
>>> But we should also ask ourselves,
>>> (except what tpb-crypto mentioned), who these guys are? Could they
>>> be a project of... the NSA itself? Yes.
>>>
>>> I read their security section. The first thing in my mind (i am not
>>> tooooo paranoid:)) is that it is too good.
It is absolutely free
>>> WITHOUT any mention of donations. Not even a mention. Who supports
>>> them? Can we trust him/it? Are they millionaires:)?
>>> We see not even one word about the money.
>>> Second of all, when you read their
>>> security section, it's like a honey for bees - it invites you. It's
>>> ideal. Too much ideal. So yes, i rely on my feelings too, and there
>>> is something wrong with that.
>>>
>>> These guys are from Germany:
>>> https://lavaboom.com/en/beta.html
>>> It seems to me a better choice (except the problem of the fact that
>>> Germany has got its nsa=bnd and that they give everything to nsa)
>>>
>>> In the end, we need to trust someone. But we don't read their
>>> minds:). And it could be, after all, a big fall.
>>>
>>> We've got pgp. Thanks God.
>>> But a 100% reliable and bulletproof email provider?
>>> No.
>>
>
>

From juan.g71 at gmail.com Tue May 20 12:16:07 2014
From: juan.g71 at gmail.com (Juan)
Date: Tue, 20 May 2014 16:16:07 -0300
Subject: Harvard and MIT Students Launch ‘NSA-Proof’ Email Service | Betabeat
In-Reply-To: <569A7290-5C11-4E4F-9901-DA418DE15BB1@obscura.com>
References: <839337740.65096.1400541676910.JavaMail.www@wwinf8222> <569A7290-5C11-4E4F-9901-DA418DE15BB1@obscura.com>
Message-ID: <537ba9a1.01e6ec0a.681a.1bc4@mx.google.com>

On Tue, 20 May 2014 06:49:26 -0700
Lance Cottrell wrote:

> Just read the “Threat Model” section of the website. They are working
> to prevent mass surveillance,

Really? But they are going to collect 'metadata' about all their users, no?

> not to stop targeted nation state level
> attacks against individual users.
>
> -Lance
>
> --
> Lance Cottrell
> loki at obscura.com
>
>
>
> On May 19, 2014, at 10:36 PM, Александр wrote:
>
> > http://betabeat.com/2014/05/harvard-and-mit-students-launch-nsa-proof-email-service/
> >
> > well, it
> > seems too good to be true.
> > Recently we've got a lot of projects like that.
> >
> > Yes, there are enthusiasts.
> > A real good ones.
> > But we should also ask ourselves,
> > (except what tpb-crypto mentioned), who these guys are? Could they
> > be a project of... the NSA itself? Yes.
> >
> > I read their security section. The first thing in my mind (i am not
> > tooooo paranoid:)) is that it is too good. It is absolutely free
> > WITHOUT any mention of donations. Not even a mention. Who supports
> > them? Can we trust him/it? Are they millionaires:)?
> > We see not even one word about the money.
> > Second of all, when you read their
> > security section, it's like a honey for bees - it invites you. It's
> > ideal. Too much ideal. So yes, i rely on my feelings too, and there
> > is something wrong with that.
> >
> > These guys are from Germany:
> > https://lavaboom.com/en/beta.html
> > It seems to me a better choice (except the problem of the fact that
> > Germany has got its nsa=bnd and that they give everything to nsa)
> >
> > In the end, we need to trust someone. But we don't read their
> > minds:). And it could be, after all, a big fall.
> >
> > We've got pgp. Thanks God.
> > But a 100% reliable and bulletproof email provider?
> > No.
>

From rysiek at hackerspace.pl Tue May 20 08:47:33 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Tue, 20 May 2014 17:47:33 +0200
Subject: Harvard and MIT Students Launch ‘NSA-Proof’ Email Service | Betabeat
In-Reply-To:
References: <569A7290-5C11-4E4F-9901-DA418DE15BB1@obscura.com>
Message-ID: <82415315.2NpIfVOb7L@lap>

On Tuesday, 20 May 2014 09:05:37 Kelly J. Rose wrote:
> Which is totally subverted if you are American citizens or located in the
> us.
Simply by the national security letters. > > You could have the sexiest cryptosystem ever and the NSL attack will still > beat you if you put it on American soil. I guess that's why they are not putting it on American soil. -- Regards rysiek From europus at gmail.com Tue May 20 15:17:42 2014 From: europus at gmail.com (Ulex Europae) Date: Tue, 20 May 2014 18:17:42 -0400 Subject: Fwd: Secrets, lies and Snowden's email: why I was forced to shut down Lavabit Message-ID: <537bd486.0270440a.7884.ffffcb79@mx.google.com> Secrets, lies and Snowden's email: why I was forced to shut down Lavabit For the first time, the founder of an encrypted email startup that was supposed to insure privacy for all reveals how the FBI and the US legal system made sure we don't have the right to much privacy in the first place By Ladar Levison May 20 2014 My legal saga started last summer with a knock at the door, behind which stood two federal agents ready to serve me with a court order requiring the installation of surveillance equipment on my company's network. My company, Lavabit, provided email services to 410,000 people - including Edward Snowden, according to news reports - and thrived by offering features specifically designed to protect the privacy and security of its customers. I had no choice but to consent to the installation of their device, which would hand the US government access to all of the messages - to and from all of my customers - as they travelled between their email accounts and other providers on the Internet. But that wasn't enough. The federal agents then claimed that their court order required me to surrender my company's private encryption keys, and I balked.
What they said they needed were customer passwords - which were sent securely - so that they could access the plain-text versions of messages from customers using my company's encrypted storage feature. (The government would later claim they only made this demand because of my "noncompliance".) Bothered by what the agents were saying, I informed them that I would first need to read the order they had just delivered - and then consult with an attorney. The feds seemed surprised by my hesitation. What ensued was a flurry of legal proceedings that would last 38 days, ending not only my startup but also destroying, bit by bit, the very principle upon which I founded it - that we all have a right to personal privacy. In the first two weeks, I was served legal papers a total of seven times and was in contact with the FBI every other day. (This was the period a prosecutor would later characterize as my "period of silence".) It took a week for me to identify an attorney who could adequately represent me, given the complex technological and legal issues involved - and we were in contact for less than a day when agents served me with a summons ordering me to appear in a Virginia courtroom, over 1,000 miles from my home. Two days later, I was served the first subpoena for the encryption keys. With such short notice, my first attorney was unable to appear alongside me in court. Because the whole case was under seal, I couldn't even admit to anyone who wasn't an attorney that I needed a lawyer, let alone why. In the days before my appearance, I would spend hours repeating the facts of the case to a dozen attorneys, as I sought someone else that was qualified to represent me. I also discovered that as a third party in a federal criminal indictment, I had no right to counsel. After all, only my property was in jeopardy - not my liberty. Finally, I was forced to choose between appearing alone or facing a bench warrant for my arrest.
In Virginia, the government replaced its encryption key subpoena with a search warrant and a new court date. I retained a small, local law firm before I went back to my home state, which was then forced to assemble a legal strategy and file briefs in just a few short days. The court barred them from consulting outside experts about either the statutes or the technology involved in the case. The court didn't even deliver transcripts of my first appearance to my own lawyers for two months, and forced them to proceed without access to the information they needed. Then, a federal judge entered an order of contempt against me - without even so much as a hearing. [snip] From tpb-crypto at laposte.net Tue May 20 09:40:45 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Tue, 20 May 2014 18:40:45 +0200 Subject: Re: Harvard and MIT Students Launch ‘NSA-Proof’ Email Service | Betabeat In-Reply-To: <82415315.2NpIfVOb7L@lap> References: <569A7290-5C11-4E4F-9901-DA418DE15BB1@obscura.com> <82415315.2NpIfVOb7L@lap> Message-ID: <1392190493.2047.1400604071362.JavaMail.www@wwinf8227> > Message of 20/05/14 18:20 > From: "rysiek" > To: cypherpunks at cpunks.org > Cc: > Subject: Re: Harvard and MIT Students Launch ‘NSA-Proof’ Email Service | Betabeat > > On Tuesday, 20 May 2014 09:05:37 Kelly J. Rose wrote: > > Which is totally subverted if you are American citizens or located in the > > us. Simply by the national security letters. > > > > You could have the sexiest cryptosystem ever and the NSL attack will still > > beat you if you put it on American soil. > > I guess that's why they are not putting it on American soil. > > -- > Regards > rysiek> > [ signature.asc (0.3 Ko) ] It doesn't matter, if you got a link to the US like citizenship, you are liable to receive a NSL. If you come from a poorly defended country, like say Saudi Arabia, they will snatch you out to Guantanamo.
This kind of problem should be tackled by some honest idealists from either China, Russia, Brazil, India or other big country (Indonesia or Malaysia?) that doesn't extradite and would cause an enormous stink if one of their citizens was taken away to be tortured. If that country would not effectively attack the US in some very painful way. Like I suppose you are Polish, if you are Polish, Poland itself will give you away to the US at the minimal sign of trouble. I don't blame Poland, it is that or being Russia's bitch. Poor Polen always squeezed. From tpb-crypto at laposte.net Tue May 20 10:52:25 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Tue, 20 May 2014 19:52:25 +0200 Subject: Re: Harvard and MIT Students Launch ‘NSA-Proof’ Email Service | Betabeat In-Reply-To: References: <839337740.65096.1400541676910.JavaMail.www@wwinf8222> <569A7290-5C11-4E4F-9901-DA418DE15BB1@obscura.com> Message-ID: <105058536.122000.1400608345599.JavaMail.www@wwinf8315> > Message of 20/05/14 18:44 > From: "unixninja92" > > Last time I checked, NSLs could only be used against people in the US. > Not people located in Switzerland even if they are US citizens. So as > long as they don't travel to the US it's safe. > Do Harvard and MIT offer complete graduation courses without your physical presence? Are they willing to never step again in the US or its allied countries? If any of those questions is answered in the negative, then they will get a NSL asap. But considering the lack of obvious financial backing, you already know who is backing them. And that's sad.
From jamesdbell9 at yahoo.com Tue May 20 19:57:46 2014 From: jamesdbell9 at yahoo.com (jim bell) Date: Tue, 20 May 2014 19:57:46 -0700 (PDT) Subject: Secrets, lies and Snowden's email: why I was forced to shut down Lavabit In-Reply-To: <537c0e38.a111ec0a.1c1c.fffffbdb@mx.google.com> References: <537bd486.0270440a.7884.ffffcb79@mx.google.com> <1400636848.8181.YahooMailNeo@web126202.mail.ne1.yahoo.com> <537c0e38.a111ec0a.1c1c.fffffbdb@mx.google.com> Message-ID: <1400641066.36563.YahooMailNeo@web126204.mail.ne1.yahoo.com> From: Juan On Tue, 20 May 2014 18:47:28 -0700 (PDT) jim bell wrote: > Myself, I feel that no court can legitimately have any legal > authority to order anyone to not speak about a legal proceeding. > By definition, or by their own nature, or both, state courts > are free to do whatever they please. I thought you might be > familiar with the concept...? > Legitimacy? Whatever the government does is 'legitimate' > because they say so.> Well, in this case, it doesn't really have anything to do with what the State court can _do_.  Everything would happen BEFORE the State court has an opportunity to realize what's going on.   ("May you be in Heaven 30 minutes before the Devil knows you're dead").   The purpose is to use the State court as a 'prop':  The document(s) filed with that State court will, presumably, _also_be orders in a Federal Court case which a Federal Court Judge orders some private individual to 'not disclose', as if that Federal judge had authority to do so.  But, there is also a strong presumption that people have a right to file civil cases in state courts, and such documents filed in those State courts (generally)  become public-domain documents.  (Unless somebody specifically requests that those documents be, themselves, 'sealed', and the State court judge approves this.) 
If a person who is the target of a "sealed" Federal filing chooses to file the documents in a State court case, I presume he remains entitled to file those documents freely in the State court case. And, once so filed, those documents will automatically become public-domain documents (at least until they are, themselves, sealed) and they can be published on the Internet. It would be a very tricky question whether any party in this whole mix can be 'punished' for arranging this kind of dance. I think a lawyer would have a good-faith belief that this is a proper exercise of law. The ultimate goal, though, is to 'legally' publish documents that some Federal judge doesn't want to see published. Since the mere publication of those documents destroys their secrecy, I think some lawyer should look into this, for the future. Jim Bell > It's easy to explain why: The First Amendment, and the well-known > prohibition against prior restraint, etc. > But the reality is that > courts have developed the idea that "order" the "sealing" of > documents. I don't have an argument with an idea that a court can > order an employee of government to not speak, precisely because he IS > a government employee. But Mr. Levison wasn't, and isn't a > government employee. Would the procedure I described above 'get > around' the law? Jim Bell From rysiek at hackerspace.pl Tue May 20 13:13:08 2014 From: rysiek at hackerspace.pl (rysiek) Date: Tue, 20 May 2014 22:13:08 +0200 Subject: Harvard and MIT Students Launch ‘NSA-Proof’ Email Service | Betabeat In-Reply-To: References: <537ba9a1.01e6ec0a.681a.1bc4@mx.google.com> Message-ID: <1966942.hoD9BXlKRX@lap> On Tuesday, 20 May 2014 12:34:59 Lance Cottrell wrote: > It looks like they would be in a position to do so if they had to. FTFY.
-- Regards rysiek From juan.g71 at gmail.com Tue May 20 19:25:17 2014 From: juan.g71 at gmail.com (Juan) Date: Tue, 20 May 2014 23:25:17 -0300 Subject: Secrets, lies and Snowden's email: why I was forced to shut down Lavabit In-Reply-To: <1400636848.8181.YahooMailNeo@web126202.mail.ne1.yahoo.com> References: <537bd486.0270440a.7884.ffffcb79@mx.google.com> <1400636848.8181.YahooMailNeo@web126202.mail.ne1.yahoo.com> Message-ID: <537c0e38.a111ec0a.1c1c.fffffbdb@mx.google.com> On Tue, 20 May 2014 18:47:28 -0700 (PDT) jim bell wrote: > > Myself, I feel that no court can legitimately have any legal > authority to order anyone to not speak about a legal proceeding. By definition, or by their own nature, or both, state courts are free to do whatever they please. I thought you might be familiar with the concept...? Legitimacy? Whatever the government does is 'legitimate' because they say so. > It's easy to explain why: The First Amendment, and the well-known > prohibition against prior restraint, etc. > But the reality is that > courts have developed the idea that "order" the "sealing" of > documents. I don't have an argument with an idea that a court can > order an employee of government to not speak, precisely because he IS > a government employee. But Mr. Levison wasn't, and isn't a > government employee. Would the procedure I described above 'get > around' the law? Jim Bell From loki at obscura.com Wed May 21 10:28:18 2014 From: loki at obscura.com (Lance Cottrell) Date: Wed, 21 May 2014 10:28:18 -0700 Subject: Going to jail nowadays for owning a book, wtf?
In-Reply-To: <4E132931-7763-444F-B234-E8546CC6D31C@gmail.com> References: <20140521134649.GA2610@sivokote.iziade.m$> <1277349505.29568.1400688303149.JavaMail.www@wwinf8229> <4E132931-7763-444F-B234-E8546CC6D31C@gmail.com> Message-ID: <57D9F02C-EF06-497C-8967-C96AD0A0F812@obscura.com> UK law, not US, so no “1st amendment” protections. The affirmative defense is interesting if incredibly vague. http://www.legislation.gov.uk/ukpga/2000/11/section/58 58 Collection of information. (1)A person commits an offence if— (a)he collects or makes a record of information of a kind likely to be useful to a person committing or preparing an act of terrorism, or (b)he possesses a document or record containing information of that kind. (2)In this section “record” includes a photographic or electronic record. (3)It is a defence for a person charged with an offence under this section to prove that he had a reasonable excuse for his action or possession. (4)A person guilty of an offence under this section shall be liable— (a)on conviction on indictment, to imprisonment for a term not exceeding 10 years, to a fine or to both, or (b)on summary conviction, to imprisonment for a term not exceeding six months, to a fine not exceeding the statutory maximum or to both. -- Lance Cottrell loki at obscura.com On May 21, 2014, at 9:54 AM, Henry Rivera <4chaos.onelove at gmail.com> wrote: > All "speech" should be legal--printed, electronic, or otherwise--even guides to making bombs like the Anarchist Cookbook, of which I have a copy. Anyone who doesn't support that doesn't deserve freedom of speech. I understand limits to speech being necessary to prevent imminent harm (when there is evidence of clear and present danger) like yelling fire in a crowded theater. However, this logic has been overextended and abused to the point where less-than-clear danger and just potential risk are enough to justify censorship of unpopular political speech. One more reason to nix the Terrorism Act. 
> -Henry > > On May 21, 2014, at 12:05 PM, tpb-crypto at laposte.net wrote: > >>> Message of 21/05/14 16:24 >>> From: "Georgi Guninski" >>> AFAICT someone might go to jail for owning >>> a book (not sure if paper or electronic): >>> >>> From wikipedia (old revision): >>> https://en.wikipedia.org/w/index.php?title=Abu_Hamza_al-Masri&oldid=609513570 >>> >>> --- >>> Guilty of one charge of "possessing a document containing information likely to be useful to a person committing or preparing an act of terrorism"[31] under the Terrorism Act 2000, s58. This charge under the Terrorism Act of 2000 related to his possession of an Encyclopedia of Afghan Jihad, an Al Qaeda Handbook and other propaganda materials produced by Abu Hamza.[32] >>> --- >> >> Would you be in favor of charging someone for possessing things like: >> - A catalog of hacking tools; >> - Pedophile instruction manual; >> - Recipes for preparing human flesh; >> >> ??? >> >> Things like that remember me that google once did not have the capacity to exclude links from its systems, but because of pedophiles, they finally built that capacity. The next day the copyright industry was knocking at their door to take down content they previously couldn't because of the lack of technical capacity. >> >> "Now Google don't have excuses." - I remember seeing that phrase in a New York magazine. >> >> The only way to not have people charged because of a book would be to make legal all books no matter what and you guessed it right, it won't happen. >> >> Because you, yourself, will be in favor of indicting people in at least one of the items I quoted, which automatically makes it legal to charge anyone because of possession of any book. >
From 4chaos.onelove at gmail.com Wed May 21 09:54:09 2014 From: 4chaos.onelove at gmail.com (Henry Rivera) Date: Wed, 21 May 2014 12:54:09 -0400 Subject: Going to jail nowadays for owning a book, wtf? In-Reply-To: <1277349505.29568.1400688303149.JavaMail.www@wwinf8229> References: <20140521134649.GA2610@sivokote.iziade.m$> <1277349505.29568.1400688303149.JavaMail.www@wwinf8229> Message-ID: <4E132931-7763-444F-B234-E8546CC6D31C@gmail.com> All "speech" should be legal--printed, electronic, or otherwise--even guides to making bombs like the Anarchist Cookbook, of which I have a copy. Anyone who doesn't support that doesn't deserve freedom of speech. I understand limits to speech being necessary to prevent imminent harm (when there is evidence of clear and present danger) like yelling fire in a crowded theater. However, this logic has been overextended and abused to the point where less-than-clear danger and just potential risk are enough to justify censorship of unpopular political speech. One more reason to nix the Terrorism Act. -Henry On May 21, 2014, at 12:05 PM, tpb-crypto at laposte.net wrote: >> Message of 21/05/14 16:24 >> From: "Georgi Guninski" >> AFAICT someone might go to jail for owning >> a book (not sure if paper or electronic): >> >> From wikipedia (old revision): >> https://en.wikipedia.org/w/index.php?title=Abu_Hamza_al-Masri&oldid=609513570 >> >> --- >> Guilty of one charge of "possessing a document containing information likely to be useful to a person committing or preparing an act of terrorism"[31] under the Terrorism Act 2000, s58.
This charge under the Terrorism Act of 2000 related to his possession of an Encyclopedia of Afghan Jihad, an Al Qaeda Handbook and other propaganda materials produced by Abu Hamza.[32] >> --- > > Would you be in favor of charging someone for possessing things like: > - A catalog of hacking tools; > - Pedophile instruction manual; > - Recipes for preparing human flesh; > > ??? > > Things like that remember me that google once did not have the capacity to exclude links from its systems, but because of pedophiles, they finally built that capacity. The next day the copyright industry was knocking at their door to take down content they previously couldn't because of the lack of technical capacity. > > "Now Google don't have excuses." - I remember seeing that phrase in a New York magazine. > > The only way to not have people charged because of a book would be to make legal all books no matter what and you guessed it right, it won't happen. > > Because you, yourself, will be in favor of indicting people in at least one of the items I quoted, which automatically makes it legal to charge anyone because of possession of any book. From guninski at guninski.com Wed May 21 06:46:49 2014 From: guninski at guninski.com (Georgi Guninski) Date: Wed, 21 May 2014 16:46:49 +0300 Subject: Going to jail nowadays for owning a book, wtf? Message-ID: <20140521134649.GA2610@sivokote.iziade.m$> AFAICT someone might go to jail for owning a book (not sure if paper or electronic): From wikipedia (old revision): https://en.wikipedia.org/w/index.php?title=Abu_Hamza_al-Masri&oldid=609513570 --- Guilty of one charge of "possessing a document containing information likely to be useful to a person committing or preparing an act of terrorism"[31] under the Terrorism Act 2000, s58.
This charge under the Terrorism Act of 2000 related to his possession of an Encyclopedia of Afghan Jihad, an Al Qaeda Handbook and other propaganda materials produced by Abu Hamza.[32] --- From tpb-crypto at laposte.net Wed May 21 09:05:03 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Wed, 21 May 2014 18:05:03 +0200 Subject: Going to jail nowadays for owning a book, wtf? In-Reply-To: <20140521134649.GA2610@sivokote.iziade.m$> References: <20140521134649.GA2610@sivokote.iziade.m$> Message-ID: <1277349505.29568.1400688303149.JavaMail.www@wwinf8229> > Message of 21/05/14 16:24 > From: "Georgi Guninski" > AFAICT someone might go to jail for owning > a book (not sure if paper or electronic): > > From wikipedia (old revision): > https://en.wikipedia.org/w/index.php?title=Abu_Hamza_al-Masri&oldid=609513570 > > --- > Guilty of one charge of "possessing a document containing information likely to be useful to a person committing or preparing an act of terrorism"[31] under the Terrorism Act 2000, s58. This charge under the Terrorism Act of 2000 related to his possession of an Encyclopedia of Afghan Jihad, an Al Qaeda Handbook and other propaganda materials produced by Abu Hamza.[32] > --- > Would you be in favor of charging someone for possessing things like: - A catalog of hacking tools; - Pedophile instruction manual; - Recipes for preparing human flesh; ??? Things like that remember me that google once did not have the capacity to exclude links from its systems, but because of pedophiles, they finally built that capacity. The next day the copyright industry was knocking at their door to take down content they previously couldn't because of the lack of technical capacity. "Now Google don't have excuses." - I remember seeing that phrase in a New York magazine. The only way to not have people charged because of a book would be to make legal all books no matter what and you guessed it right, it won't happen.
Because you, yourself, will be in favor of indicting people in at least one of the items I quoted, which automatically makes it legal to charge anyone because of possession of any book. From guninski at guninski.com Wed May 21 09:48:02 2014 From: guninski at guninski.com (Georgi Guninski) Date: Wed, 21 May 2014 19:48:02 +0300 Subject: Going to jail nowadays for owning a book, wtf? In-Reply-To: <1277349505.29568.1400688303149.JavaMail.www@wwinf8229> References: <20140521134649.GA2610@sivokote.iziade.m$> <1277349505.29568.1400688303149.JavaMail.www@wwinf8229> Message-ID: <20140521164802.GB2610@sivokote.iziade.m$> On Wed, May 21, 2014 at 06:05:03PM +0200, tpb-crypto at laposte.net wrote: > Would you be in favor of charging someone for possessing things like: > - A catalog of hacking tools; > - Pedophile instruction manual; > - Recipes for preparing human flesh; > > ??? > > .... > Because you, yourself, will be in favor of indicting people in at > least one of the items I quoted, which automatically makes it legal to > charge anyone because of possession of any book. Are you sure you know what i will do, lol? Calling people names is usually a bad trolling practice. From demonfighter at gmail.com Wed May 21 18:44:41 2014 From: demonfighter at gmail.com (Steve Furlong) Date: Wed, 21 May 2014 21:44:41 -0400 Subject: Going to jail nowadays for owning a book, wtf? In-Reply-To: <83453642.53618.1400719039715.JavaMail.www@wwinf8315> References: <20140521134649.GA2610@sivokote.iziade.m$> <1277349505.29568.1400688303149.JavaMail.www@wwinf8229> <20140521164802.GB2610@sivokote.iziade.m$> <83453642.53618.1400719039715.JavaMail.www@wwinf8315> Message-ID: On Wed, May 21, 2014 at 8:37 PM, wrote: >> > - A catalog of hacking tools; >> > - Pedophile instruction manual; >> > - Recipes for preparing human flesh; I support the right to write all of those. With some distaste in some cases, mind you, but I'm a freedom of expression hard-liner. > Well, I didn't call you names, Sir. 
I just know you are only human. Now you take that back! On the internet, no one knows you're a velociraptor. -- Neca eos omnes. Deus suos agnoscet. -- Arnaud-Amaury, 1209 From tpb-crypto at laposte.net Wed May 21 17:09:01 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Thu, 22 May 2014 02:09:01 +0200 Subject: Going to jail nowadays for owning a book, wtf? In-Reply-To: <4E132931-7763-444F-B234-E8546CC6D31C@gmail.com> References: <20140521134649.GA2610@sivokote.iziade.m$> <1277349505.29568.1400688303149.JavaMail.www@wwinf8229> <4E132931-7763-444F-B234-E8546CC6D31C@gmail.com> Message-ID: <1841481237.53478.1400717340933.JavaMail.www@wwinf8315> > Message of 21/05/14 18:54 > From: "Henry Rivera" <4chaos.onelove at gmail.com> > > All "speech" should be legal--printed, electronic, or otherwise--even guides to making bombs like the Anarchist Cookbook, of which I have a copy. Anyone who doesn't support that doesn't deserve freedom of speech. I understand limits to speech being necessary to prevent imminent harm (when there is evidence of clear and present danger) like yelling fire in a crowded theater. However, this logic has been overextended and abused to the point where less-than-clear danger and just potential risk are enough to justify censorship of unpopular political speech. One more reason to nix the Terrorism Act. > -Henry > I totally agree with you and the strong men of yore did too. But strong men as you and me are the fringe now and we will have to fight for the minds of the masses once again, like the ancients did. Our pussified men of today can't stomach the realities of the world, lol.
From tpb-crypto at laposte.net Wed May 21 17:21:47 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Thu, 22 May 2014 02:21:47 +0200 Subject: Going to jail nowadays for owning a book, wtf? In-Reply-To: <1622081.6OKRYvIY4P@lap> References: <20140521134649.GA2610@sivokote.iziade.m$> <1277349505.29568.1400688303149.JavaMail.www@wwinf8229> <1622081.6OKRYvIY4P@lap> Message-ID: <1785923678.53532.1400718107040.JavaMail.www@wwinf8315> A friend of ours sent me this very intredasting link which I didn't know existed. But since cross-posting is a no-no, I take the liberty to post the information which is obviously very pertinent in our discussion: > > Things like that remember me that google once did not have the capacity to > > exclude links from its systems, but because of pedophiles, they finally > > built that capacity. The next day the copyright industry was knocking at > > their door to take down content they previously couldn't because of the > > lack of technical capacity. > > > > "Now Google don't have excuses." - I remember seeing that phrase in a New > > York magazine. > > ”Child pornography is great,” the speaker at the podium declared > enthusiastically. ”It is great because politicians understand child > pornography. By playing that card, we can get them to act, and start blocking > sites. And once they have done that, we can get them to start blocking file > sharing sites”. > -- http://christianengstrom.wordpress.com/2010/04/27/ifpis-child-porn-strategy/ > From tpb-crypto at laposte.net Wed May 21 17:37:19 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Thu, 22 May 2014 02:37:19 +0200 Subject: Going to jail nowadays for owning a book, wtf? 
In-Reply-To: <20140521164802.GB2610@sivokote.iziade.m$> References: <20140521134649.GA2610@sivokote.iziade.m$> <1277349505.29568.1400688303149.JavaMail.www@wwinf8229> <20140521164802.GB2610@sivokote.iziade.m$> Message-ID: <83453642.53618.1400719039715.JavaMail.www@wwinf8315> > Message of 21/05/14 18:48 > From: "Georgi Guninski" > > On Wed, May 21, 2014 at 06:05:03PM +0200, tpb-crypto at laposte.net wrote: > > Would you be in favor of charging someone for possessing things like: > > - A catalog of hacking tools; > > - Pedophile instruction manual; > > - Recipes for preparing human flesh; > > > > ??? > > > > > .... > > > Because you, yourself, will be in favor of indicting people in at > > least one of the items I quoted, which automatically makes it legal to > > charge anyone because of possession of any book. > > Are you sure you know what i will do, lol? > I have a fair idea. When pressed correctly, very few of us would go against all three items. The third one takes many by surprise, let me tell you. > Calling people names is usually a bad trolling practice. > Well, I didn't call you names, Sir. I just know you are only human. From tpb-crypto at laposte.net Wed May 21 19:39:07 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Thu, 22 May 2014 04:39:07 +0200 Subject: Going to jail nowadays for owning a book, wtf? In-Reply-To: References: <20140521134649.GA2610@sivokote.iziade.m$> <1277349505.29568.1400688303149.JavaMail.www@wwinf8229> <20140521164802.GB2610@sivokote.iziade.m$> <83453642.53618.1400719039715.JavaMail.www@wwinf8315> Message-ID: <1887590865.57324.1400726347218.JavaMail.www@wwinf8312> > Message of 22/05/14 03:51 > From: "Steve Furlong" > On Wed, May 21, 2014 at 8:37 PM, wrote: > >> > - A catalog of hacking tools; > >> > - Pedophile instruction manual; > >> > - Recipes for preparing human flesh; > > I support the right to write all of those. With some distaste in some > cases, mind you, but I'm a freedom of expression hard-liner.
> Well, I tasted all kinds of food in this life, but there is still one kind to try, mind you. Now going totally off-topic, I think there is a reason why ETs are shy of us, you know maybe they taste well. But, what kind of food didn't I try, yet, really? lol > > Well, I didn't call you names, Sir. I just know you are only human. > > Now you take that back! On the internet, no one knows you're a velociraptor. > I dream the day scientists will create a talking dog, I will queue to have one like the iphone fanatics. A talking dog would be a friend out of dreams to me. But so far I know for sure you are only human, whatever kind of animal you think yourself you are. From guninski at guninski.com Thu May 22 07:03:07 2014 From: guninski at guninski.com (Georgi Guninski) Date: Thu, 22 May 2014 17:03:07 +0300 Subject: Going to jail nowadays for owning a book, wtf? In-Reply-To: <4E132931-7763-444F-B234-E8546CC6D31C@gmail.com> References: <20140521134649.GA2610@sivokote.iziade.m$> <1277349505.29568.1400688303149.JavaMail.www@wwinf8229> <4E132931-7763-444F-B234-E8546CC6D31C@gmail.com> Message-ID: <20140522140307.GA2577@sivokote.iziade.m$> On Wed, May 21, 2014 at 12:54:09PM -0400, Henry Rivera wrote: > All "speech" should be legal--printed, electronic, or otherwise--even guides to making bombs like the Anarchist Cookbook, of which I have a copy. Anyone who doesn't support that doesn't deserve freedom of speech. I understand limits to speech being necessary to prevent imminent harm (when there is evidence of clear and present danger) like yelling fire in a crowded theater. However, this logic has been overextended and abused to the point where less-than-clear danger and just potential risk are enough to justify censorship of unpopular political speech. One more reason to nix the Terrorism Act. > -Henry > Agree with the main idea, but not sure agree with the "limits". 
Currently in theory most people have right of free speech, but there are so many limits/ exceptions they rule and one can hardly exercise free speech without hitting limit/exception. To paraphrase a quote: First they came for the terrorists, and I didn't speak up because I wasn't a terrorist, Then they came for the communists, and I didn't speak up because I wasn't a communist, ...{jews, trade unionists, protestants} Then they came for me, and by that time no one was left to speak up. From coderman at gmail.com Fri May 23 18:31:52 2014 From: coderman at gmail.com (coderman) Date: Fri, 23 May 2014 18:31:52 -0700 Subject: "What does GCHQ know about our devices that we don't?" Message-ID: per discussion at https://www.privacyinternational.org/blog/what-does-gchq-know-about-our-devices-that-we-dont , there were a number of chips destroyed during the GCHQ zeroisation debacle. - keyboard controller chip - trackpad controller chip - inverting converter chip this is the type of covert implant hardware you would request destroyed rather than leave in the hands of an adversary. to be clear, this was not about reclaiming storage on secondary devices on a system, but about covering the tracks left on already compromised systems. From coderman at gmail.com Fri May 23 22:40:01 2014 From: coderman at gmail.com (coderman) Date: Fri, 23 May 2014 22:40:01 -0700 Subject: House Passes Curbs on NSA Phone Surveillance In-Reply-To: <1400899027.84817.YahooMailNeo@web126201.mail.ne1.yahoo.com> References: <1400899027.84817.YahooMailNeo@web126201.mail.ne1.yahoo.com> Message-ID: On Fri, May 23, 2014 at 7:37 PM, jim bell wrote: > http://news.yahoo.com/house-passes-curbs-nsa-phone-surveillance-221025685--politics.html >... > NSA officials were pleased with the bill for another reason: The new > arrangement will give them access to mobile calling records they did not > have under the old program. what a fucking joke... 
From gfoster at entersection.org Fri May 23 23:01:41 2014 From: gfoster at entersection.org (Gregory Foster) Date: Sat, 24 May 2014 01:01:41 -0500 Subject: [liberationtech] PBS Frontline: United States of Secrets ( 2 part series ) In-Reply-To: <53801A5B.9080605@entersection.org> References: <53801A5B.9080605@entersection.org> Message-ID: <538035C5.9040803@entersection.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Had intended to xpost. gf - -------- Original Message -------- Subject: Re: [liberationtech] PBS Frontline: United States of Secrets ( 2 part series ) Date: Fri, 23 May 2014 23:04:43 -0500 From: Gregory Foster To: liberationtech CC: warrants-for-surveillance-tx at googlegroups.com, effaustin-discuss at lists.effaustin.org, rt4atx-list at cryptoglass.us On Wednesday, May 14, 2014 7:07 PM, Nicholas Merrill wrote: > United States of Secrets (Part One) > > "How did the government come to spy on millions of Americans? In > United States of Secrets, FRONTLINE goes behind the headlines to > reveal the dramatic inside story of the U.S. government's massive > and controversial secret surveillance program -- and the lengths > it went to try to keep it hidden from the public." > > http://www.pbs.org/wgbh/pages/frontline/united-states-of-secrets/ > http://video.pbs.org/video/2365245528/ > > Part 2 airs May 20th > > -Nick > > Nicholas Merrill, Executive Director, The Calyx Institute On Wednesday, May 14, 2014 7:15 PM PDT, James S. Tyre wrote: > Requires Flash, but pretty good even for those of us who've been > involved directly for A Very Long Time, likely much better for > those not intimately familiar. > > James S. Tyre, Law Offices of James S. Tyre Special Counsel, > Electronic Frontier Foundation https://www.eff.org Part 2 was broadcast on May 20th and is available at the FRONTLINE website linked above. Also available at ThoughtMaybe: http://thoughtmaybe.com/the-united-states-of-secrets/ Well weaves together The Story of The Program, and its unraveling. 
Of great importance, please take a look. gf - -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu. -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.19 (Darwin) Comment: GPGTools - http://gpgtools.org -----END PGP SIGNATURE----- From griffin at cryptolab.net Fri May 23 23:48:06 2014 From: griffin at cryptolab.net (Griffin Boyce) Date: Sat, 24 May 2014 02:48:06 -0400 Subject: House Passes Curbs on NSA Phone Surveillance In-Reply-To: References: <1400899027.84817.YahooMailNeo@web126201.mail.ne1.yahoo.com> Message-ID: On 2014-05-24 01:40, coderman wrote: > On Fri, May 23, 2014 at 7:37 PM, jim bell > wrote: >> http://news.yahoo.com/house-passes-curbs-nsa-phone-surveillance-221025685--politics.html >> ... >> NSA officials were pleased with the bill for another reason: The new >> arrangement will give them access to mobile calling records they did >> not >> have under the old program. > > what a fucking joke... This whole process has been a total handjob.
People making concessions to ensure that the rest of the bill offers some kind of protection, and of course most redeeming value has been lost. It ends bulk metadata collection. That's the only redeeming part of this bill. If we want real reform, we need to overhaul the FISA courts. ~Griffin From 42 at enigmabox.net Sat May 24 04:27:34 2014 From: 42 at enigmabox.net (42) Date: Sat, 24 May 2014 13:27:34 +0200 Subject: the Great Filter of private communication In-Reply-To: <4219749.LyPT1soGPS@lap> References: <9856875.IN6xe2bZk2@lap> <5690F740-1EAC-4773-A78D-F50E92AF0B52@sbce.org> <4219749.LyPT1soGPS@lap> Message-ID: <20140524132734.e4ae5bfa8f68427dd34aedca@enigmabox.net> On Fri, 09 May 2014 13:36:54 +0200 rysiek wrote: > Dnia wtorek, 6 maja 2014 20:27:04 Scott Blaydes pisze: > > On May 5, 2014, at 9:05 AM, rysiek wrote: > > > Dnia poniedziałek, 21 kwietnia 2014 00:30:42 Stephen D. Williams > > > pisze: > > >> Probably people just need two email clients: One for non-secure > > >> email, another that only sends secure messages. > > > > > > Well, instead of the latter, one can use RetroShare with great > > > results: http://retroshare.sourceforge.net/ > > > > > > You can use it as a replacement for other kinds of communication, > > > too. Like > > > VoIP: > > > http://rys.io/en/129 > > > > You had me till this line in the description: > > "using a web-of-trust to authenticate peers and OpenSSL to > > encrypt all communication” Not feeling like trusting more things to > > OpenSSL right now. Lets see how LibreSSL turns out and see if it > > can be switched. > > Good point; still better than most alternatives. One biggie for me is > that there is no way to send an unencrypted message via RetroShare. > I.e. no way for the user to fsck up. > > I find OpenSSL use in RetroShare a smaller problem than the fact that > a user of any GPG-enabled e-mail client can actually send an > unencrypted e-mail and... not notice that until its too late. 
Not to > mention metadata (sender, addressee, topic, etc, not being > GPG-encrypted). SSL is broken and the metadata is in fact a huge problem. Also, users want the convenience of a webinterface or to keep their existing email clients. In my opinion, that problems can only be solved by a hardware solution. We just did that. Here is how it works: https://enigmabox.net/en/cjdns-en/ Cheers, 42 -- 42 <42 at enigmabox.net> From rysiek at hackerspace.pl Sat May 24 04:45:03 2014 From: rysiek at hackerspace.pl (rysiek) Date: Sat, 24 May 2014 13:45:03 +0200 Subject: the Great Filter of private communication In-Reply-To: <20140524132734.e4ae5bfa8f68427dd34aedca@enigmabox.net> References: <4219749.LyPT1soGPS@lap> <20140524132734.e4ae5bfa8f68427dd34aedca@enigmabox.net> Message-ID: <3263627.1uapUnT4T0@lap> Dnia sobota, 24 maja 2014 13:27:34 42 pisze: > On Fri, 09 May 2014 13:36:54 +0200 > > rysiek wrote: > > Dnia wtorek, 6 maja 2014 20:27:04 Scott Blaydes pisze: > > > On May 5, 2014, at 9:05 AM, rysiek wrote: > > > > Dnia poniedziałek, 21 kwietnia 2014 00:30:42 Stephen D. Williams > > > > > > > > pisze: > > > >> Probably people just need two email clients: One for non-secure > > > >> email, another that only sends secure messages. > > > > > > > > Well, instead of the latter, one can use RetroShare with great > > > > results: http://retroshare.sourceforge.net/ > > > > > > > > You can use it as a replacement for other kinds of communication, > > > > too. Like > > > > VoIP: > > > > http://rys.io/en/129 > > > > > > You had me till this line in the description: > > > "using a web-of-trust to authenticate peers and OpenSSL to > > > > > > encrypt all communication” Not feeling like trusting more things to > > > OpenSSL right now. Lets see how LibreSSL turns out and see if it > > > can be switched. > > > > Good point; still better than most alternatives. One biggie for me is > > that there is no way to send an unencrypted message via RetroShare. > > I.e. no way for the user to fsck up. 
> > > > I find OpenSSL use in RetroShare a smaller problem than the fact that > > a user of any GPG-enabled e-mail client can actually send an > > unencrypted e-mail and... not notice that until its too late. Not to > > mention metadata (sender, addressee, topic, etc, not being > > GPG-encrypted). > > SSL is broken and the metadata is in fact a huge problem. Also, users > want the convenience of a webinterface or to keep their existing email > clients. In my opinion, that problems can only be solved by a hardware > solution. We just did that. > > Here is how it works: https://enigmabox.net/en/cjdns-en/ Interesting. Is there software I can run on my own machine? I am not a "regular joe", I want some more control even if it means a bit less convenience. -- Pozdr rysiek From 42 at enigmabox.net Sat May 24 05:05:50 2014 From: 42 at enigmabox.net (42) Date: Sat, 24 May 2014 14:05:50 +0200 Subject: the Great Filter of private communication In-Reply-To: <3263627.1uapUnT4T0@lap> References: <4219749.LyPT1soGPS@lap> <20140524132734.e4ae5bfa8f68427dd34aedca@enigmabox.net> <3263627.1uapUnT4T0@lap> Message-ID: <20140524140550.d1feb80c25639431e73fb931@enigmabox.net> > Interesting. Is there software I can run on my own machine? I am not > a "regular joe", I want some more control even if it means a bit less > convenience. Understandable. Currently, we use Debian, but moving to OpenWRT, which is in test phase at the moment. When we're done, I'll offer dd images for flashing your own CFcard. Until then, you may build your own image directly: https://github.com/enigmagroup/enigmabox-openwrt Its tailored for the PC-Engines alix2d3 board.
If you have such boards, you can set up a network of Enigmaboxes at home; or join the Projectmeshnet IRC channel and ask for a peering - or set up your own servers. And no, there is no "software" that you can run on your machine for that. You *want* to run it on an embedded device, so that you can power off your workstation and still be able to receive emails or phone calls. Best regards, 42 -- 42 <42 at enigmabox.net> From rysiek at hackerspace.pl Sat May 24 06:56:33 2014 From: rysiek at hackerspace.pl (rysiek) Date: Sat, 24 May 2014 15:56:33 +0200 Subject: the Great Filter of private communication In-Reply-To: <20140524140550.d1feb80c25639431e73fb931@enigmabox.net> References: <3263627.1uapUnT4T0@lap> <20140524140550.d1feb80c25639431e73fb931@enigmabox.net> Message-ID: <12880877.jcdO3pVPeV@lap> Dnia sobota, 24 maja 2014 14:05:50 42 pisze: > > Interesting. Is there software I can run on my own machine? I am not > > a "regular joe", I want some more control even if it means a bit less > > convenience. > > Understandable. Currently, we use Debian, but moving to OpenWRT, which > is in test phase at the moment. When we're done, I'll offer dd images > for flashing your own CFcard. Until then, you may build your own image > directly: https://github.com/enigmagroup/enigmabox-openwrt Cool! > Its tailored for the PC-Engines alix2d3 board. If you have such boards, > you can set up a network of Enigmaboxes at home; or join the > Projectmeshnet IRC channel and ask for a peering - or set up your own > servers. Makes sense. > And no, there is no "software" that you can run on your machine for > that. You *want* to run it on an embedded device, so that you can power > off your workstation and still be able to receive emails or phone calls. Well, that's for me to decide, isn't it. :) I understand the rationale for this, but might I suggest choosing a different way of putting it in words? 
The power of FOSS is the unimaginable -- things people do with our software that we never even thought of. Apart from that it looks really good. Thanks! -- Pozdr rysiek From 42 at enigmabox.net Sat May 24 07:39:39 2014 From: 42 at enigmabox.net (42) Date: Sat, 24 May 2014 16:39:39 +0200 Subject: the Great Filter of private communication In-Reply-To: <12880877.jcdO3pVPeV@lap> References: <3263627.1uapUnT4T0@lap> <20140524140550.d1feb80c25639431e73fb931@enigmabox.net> <12880877.jcdO3pVPeV@lap> Message-ID: <20140524163939.44fabb489cd7f6f4d80a42d6@enigmabox.net> On Sat, 24 May 2014 15:56:33 +0200 rysiek wrote: > > And no, there is no "software" that you can run on your machine for > > that. You *want* to run it on an embedded device, so that you can > > power off your workstation and still be able to receive emails or > > phone calls. > > Well, that's for me to decide, isn't it. :) > I understand the rationale for this, but might I suggest choosing a > different way of putting it in words? The power of FOSS is the > unimaginable -- things people do with our software that we never even > thought of. Yes, of course. Sorry, I didn't want to overrun your freedom of decision. And I'm curious by myself where it may take us... :) > Apart from that it looks really good. Thanks! Thank you too! Great to hear.
-- 42 <42 at enigmabox.net> From lblissett at paranoici.org Sat May 24 16:12:35 2014 From: lblissett at paranoici.org (Luther Blissett) Date: Sat, 24 May 2014 20:12:35 -0300 Subject: House Passes Curbs on NSA Phone Surveillance In-Reply-To: References: <1400899027.84817.YahooMailNeo@web126201.mail.ne1.yahoo.com> Message-ID: <20140524201235.dd30a5cb57d7b0a8d0535b98@paranoici.org> On Sat, 24 May 2014 02:48:06 -0400 Griffin Boyce wrote: > On 2014-05-24 01:40, coderman wrote: > > On Fri, May 23, 2014 at 7:37 PM, jim bell > > wrote: > >> http://news.yahoo.com/house-passes-curbs-nsa-phone-surveillance-221025685--politics.html > >> ... > >> NSA officials were pleased with the bill for another reason: The new > >> arrangement will give them access to mobile calling records they did > >> not > >> have under the old program. > > > > what a fucking joke... > > This whole process has been a total handjob. People making concessions > to ensure that the rest of the bill offers some kind of protection, and > of course most redeeming value has been lost. > > It ends bulk metadata collection. That's the only redeeming part of > this bill. > > If we want real reform, we need to overhaul the FISA courts. > Would American citizens be against imposing their State the obligation to provide the defendant with full access to the data held by the persecutors? Obligation to indemnify those who they have wrongly and unlawfully persecuted? Provide full access to the public as regards to their past operations and maintained databases for public scrutiny? Who is this all around enemy that is everywhere but there, inside the agency? 
-- Luther Blissett From tpb-crypto at laposte.net Sat May 24 16:22:27 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Sun, 25 May 2014 01:22:27 +0200 Subject: House Passes Curbs on NSA Phone Surveillance In-Reply-To: <20140524201235.dd30a5cb57d7b0a8d0535b98@paranoici.org> References: <1400899027.84817.YahooMailNeo@web126201.mail.ne1.yahoo.com> <20140524201235.dd30a5cb57d7b0a8d0535b98@paranoici.org> Message-ID: <797066920.227629.1400973747078.JavaMail.www@wwinf8308> > Message du 25/05/14 01:18 > De : "Luther Blissett" > A : cypherpunks at cpunks.org > Copie à : > Objet : Re: House Passes Curbs on NSA Phone Surveillance > > On Sat, 24 May 2014 02:48:06 -0400 > Griffin Boyce wrote: > > > On 2014-05-24 01:40, coderman wrote: > > > On Fri, May 23, 2014 at 7:37 PM, jim bell > > > wrote: > > >> http://news.yahoo.com/house-passes-curbs-nsa-phone-surveillance-221025685--politics.html > > >> ... > > >> NSA officials were pleased with the bill for another reason: The new > > >> arrangement will give them access to mobile calling records they did > > >> not > > >> have under the old program. > > > > > > what a fucking joke... > > > > This whole process has been a total handjob. People making concessions > > to ensure that the rest of the bill offers some kind of protection, and > > of course most redeeming value has been lost. > > > > It ends bulk metadata collection. That's the only redeeming part of > > this bill. > > > > If we want real reform, we need to overhaul the FISA courts. > > > > Would American citizens be against imposing their State the obligation to provide the defendant with full access to the data held by the persecutors? Obligation to indemnify those who they have wrongly and unlawfully persecuted? Provide full access to the public as regards to their past operations and maintained databases for public scrutiny? > > Who is this all around enemy that is everywhere but there, inside the agency? > The people, of course. 
lol From grarpamp at gmail.com Mon May 26 21:27:52 2014 From: grarpamp at gmail.com (grarpamp) Date: Tue, 27 May 2014 00:27:52 -0400 Subject: Re: Harvard and MIT Students Launch ‘NSA-Proof’ Email Service | Betabeat In-Reply-To: References: <839337740.65096.1400541676910.JavaMail.www@wwinf8222> <569A7290-5C11-4E4F-9901-DA418DE15BB1@obscura.com> Message-ID: On Tue, May 20, 2014 at 11:05 AM, Kelly J. Rose wrote: > Which is totally subverted if you are American citizens or located in the > us. Simply by the national security letters. > > You could have the sexiest cryptosystem ever and the NSL attack will still > beat you if you put it on American soil. If you operate a machine upon which plaintext 'email' for users transits/sits on their behalf, you will still be subverted and beaten (literally or not)... either remotely by cooperative agreements (or simply giving), or your own local mitm, [extra]legal force major, etc. The only way out of the mess is either: a) basically start street protesting to change global law and practice and somehow manage to create utopia. b) defend in depth and bury all user messaging within secure p2p darknet overlay networks where only Alice and Bob are parties to the plaintext content. And the code you run to get on it is developed and audited by separate groups, be they well known nyms on such nets, or real world. Any proposed messaging system that is centralized, not pay anonymous, not open, works by you giving up key material you shouldn't, or you needing to demandload their code instead of running your own trusted copy... isn't worth your time. Otherwise stick with plain old email, text, and whatever the fad of the day is. And don't try to call either of them secure. > This kind of problem should be tackled by some honest idealists from either China, Russia Yet people applaud eliminating such idealists, even eg: Iraq, Iran, Cuba, DPRK, Venezuela, Israel, etc.
Keep on wiping out your only counter voices and you'll get what you asked for next. None of these suggested places/people are immune either, only alternatively 'hard'[er] under some given threat models. lavaboom.com and protonmail.ch both appear to deliver you their code (javascript) on the fly to run in your browser. Yeah, that's secure. From grarpamp at gmail.com Mon May 26 22:47:15 2014 From: grarpamp at gmail.com (grarpamp) Date: Tue, 27 May 2014 01:47:15 -0400 Subject: Re: Harvard and MIT Students Launch ‘NSA-Proof’ Email Service | Betabeat In-Reply-To: References: <839337740.65096.1400541676910.JavaMail.www@wwinf8222> <569A7290-5C11-4E4F-9901-DA418DE15BB1@obscura.com> Message-ID: > In the end, we need to trust someone. But we don't read their minds:). And it could be, after all, a big fall. No, you don't need to trust anyone, and should not. That model's long been broken. You should audit the code, spec and docs and then trust that. > We've got pgp. Thanks God. And have only thus secured the message body. A valuable tech advance to be sure. But far from approaching a near wishfully complete checklist solution. > But a 100% reliable and bulletproof email provider? > No. Countless businesses fail, sellout, etc every day and that will not change. It is proven since dawn of business for them to fail or at least morph into something unrecognizable. [Note it doesn't take $much/account to run a good barebones email service 100%, especially if you stick to only mail and cut features. There's no reason we shouldn't have 50 punkish ones in curious jurisdictions to choose from by now.] Back to p2p... your recipient, and your peers are all independent businesses. Look out in your city, other than you and Alice who both are 'up' by definition of wanting to talk some method, you could fail many people/nodes/businesses and still route a p2p message through. It's hard to eval trust of a single business or %'s of nodes.
Yet just like all the millions of torrenters, your odds of the majority of the nodes [which have real IP's hard to fake in the disparate millions] being on your side are probably better with p2p than whether one single brick and mortar business is screwing you over, or forced to do so. Business centralization, vanity, monetization, etc to run the lava*'s, proton's and so on is counter to some of the problems they attempt to solve. Their real benefit is often adding research to the educational pile of debunked non-solutions to such problems. A natural selection process of sorts. And as legal test cases for fighting the good fight, pushing boundaries and changing that end of things. If Ladar didn't stand up and speak out we wouldn't know to evolve those parts of our process. We need more people like that. From cpunks at martin-studio.com Tue May 27 08:14:51 2014 From: cpunks at martin-studio.com (Anthony Martin) Date: Tue, 27 May 2014 08:14:51 -0700 Subject: Re: Harvard and MIT Students Launch ‘NSA-Proof’ Email Service | Betabeat In-Reply-To: <5384814D.4020001@cathalgarvey.me> References: <839337740.65096.1400541676910.JavaMail.www@wwinf8222> <569A7290-5C11-4E4F-9901-DA418DE15BB1@obscura.com> <5384814D.4020001@cathalgarvey.me> Message-ID: [image: Inline image 1] http://www.smbc-comics.com/comics/20140527.png On Tue, May 27, 2014 at 5:13 AM, Cathal Garvey wrote: > > lavaboom.com and protonmail.ch both appear to deliver you their > > code (javascript) on the fly to run in your browser. Yeah, that's > > secure. > > I have long thought that it's high time to implement JS code signing > that can be verified by the client, either innately or through an > extension.
> > A quick addition to the comment-metadata system devised to provide > licensing information (and parsed by an FSF extension to inform you > whether the code your browser is running is libre or not) could be used > for this purpose; what's left, then, is to establish a way to translate > code signatures into trust. > > For a monolithic system like a zero-knowledge email host, that's easy; > when you sign up, you install their pubkey into your extension, > preventing MITM attacks on the JS payload. At best, that's an additional > layer over SSL, or it could be used instead of SSL (a crypto-AJAX engine > run in browser for sending and receiving data; could be handy for shared > hosting where SSL isn't an option). > > However, it falls down vs. NSLs, etcetera, because hosts can be > compelled to send you malware signed with their keys. You need > trustworthy third parties who can sign and verify that code is shipped > intact. It'd be nice if you could hack a system like this to use the PGP > web of trust as a first port of call, and then to fall back to a wider > set of "trusted" people if that fails. > > As a way to further enhance security, having people with these > extensions installed send hashes of the JS payloads they receive to a > comparison server would be nice. Might even detect some attacks that fly > under the radar at present, like people being sent tailored-attack > versions of major third-party libs like JQuery, etcetera. When an > anomalous hash arrives that doesn't match any "official" releases of the > lib, alarm bells should ring. > > On 27/05/14 05:27, grarpamp wrote: > > On Tue, May 20, 2014 at 11:05 AM, Kelly J. Rose wrote: > >> Which is totally subverted if you are American citizens or located in > the > >> us. Simply by the national security letters. > >> > >> You could have the sexiest cryptosystem ever and the NSL attack will > still > >> beat you if you put it on American soil. 
> > > > If you operate a machine upon which plaintext 'email' for users > transits/sits > > on their behalf, you will still be subverted and beaten (literally or > > not)... either > > remotely by cooperative agreements (or simply giving), or your own local > > mitm, [extra]legal force major, etc. The only way out of the mess is > either: > > a) basically start street protesting to change global law and practice > > and somehow manage to create utopia. > > b) defend in depth and bury all user messaging within secure p2p darknet > > overlay networks where only Alice and Bob are parties to the plaintext > content. > > And the code you run to get on it is developed and audited by separate > > groups, be they well known nyms on such nets, or real world. > > > > Any proposed messaging system that is centralized, not pay anonymous, > > not open, works by you giving up key material you shouldn't, or you > needing > > to demandload their code instead of running your own trusted copy... > isn't > > worth your time. Otherwise stick with plain old email, text, and whatever > > the fad of the day is. And don't try to call either of them secure. > > > >> This kind of problem should be tackled by some honest idealists from > either China, Russia > > > > Yet people applaud eliminating such idealists, even eg: > > Iraq, Iran, Cuba, DPRK, Venezuela, Israel, etc. > > Keep on wiping out your only counter voices and you'll > > get what you asked for next. None of these suggested places/people > > are immune either, only alternatively 'hard'[er] under some > > given threat models. > > > > lavaboom.com and protonmail.ch both appear to deliver you their > > code (javascript) on the fly to run in your browser. Yeah, that's > > secure. > > > > -- > T: @onetruecathal, @IndieBBDNA > P: +353876363185 > W: http://indiebiotech.com >
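The layered check proposed in the message quoted above (a pinned host key, signatures from third parties the host does not control, and a hash comparison server), as an added example that is not part of any list post or any project's code. The key pairs, sample script, URL and every function name are constructed for illustration, and Ed25519 via Node's `crypto` module is an assumption, since the thread names no algorithm.

```javascript
// Added illustration of the thread's proposal; not code from any list post.
// All names, keys, URLs and the sample script below are constructed.
const crypto = require('crypto');

const sha256 = (text) => crypto.createHash('sha256').update(text).digest('hex');

// Constructed signers: the mail host plus three independent auditors.
// Their public keys stand in for keys pinned in a browser extension at
// sign-up, or taken from the PGP web of trust.
const newSigner = (name) => ({ name, ...crypto.generateKeyPairSync('ed25519') });
const host = newSigner('host');
const auditors = ['auditor-a', 'auditor-b', 'auditor-c'].map(newSigner);
const sign = (signer, text) => crypto.sign(null, Buffer.from(text), signer.privateKey);

// Count signatures that verify over the exact payload bytes, one per pinned key.
function countValid(payload, signatures, pinnedKeys) {
  const data = Buffer.from(payload);
  let valid = 0;
  for (const [name, publicKey] of Object.entries(pinnedKeys)) {
    const sig = signatures[name];
    if (sig && crypto.verify(null, data, publicKey, sig)) valid += 1;
  }
  return valid;
}

// The host signature alone stops a network MITM. A host compelled to sign a
// modified build still passes that check, so the policy also demands
// `threshold` signatures from auditors the host does not control.
function verifyPayload(payload, bundle, pins, threshold = 2) {
  if (countValid(payload, { host: bundle.hostSig }, { host: pins.host }) !== 1) {
    return { ok: false, reason: 'host signature invalid' };
  }
  const n = countValid(payload, bundle.auditorSigs, pins.auditors);
  if (n < threshold) {
    return { ok: false, reason: `only ${n} of ${threshold} auditor signatures` };
  }
  return { ok: true, reason: 'host and auditors agree' };
}

// Comparison server: clients report the hash of the script they were served.
// A hash matching no official release is flagged, with a count of reporters.
class HashObservatory {
  constructor(officialReleases) {
    this.official = officialReleases; // Map: url -> Set of sha256 hex digests
    this.reports = new Map();         // "url hash" -> Set of reporter ids
  }
  report(url, hash, reporter) {
    const key = `${url} ${hash}`;
    if (!this.reports.has(key)) this.reports.set(key, new Set());
    this.reports.get(key).add(reporter);
    const known = this.official.has(url) && this.official.get(url).has(hash);
    return { anomalous: !known, seenBy: this.reports.get(key).size };
  }
}

function runDemo() {
  const url = 'https://mail.example/app.js'; // placeholder URL
  const release = 'function encryptMessage(m, key) { /* official build */ }';
  const modified = release + '\n/* constructed: one extra statement */';
  const pins = {
    host: host.publicKey,
    auditors: Object.fromEntries(auditors.map((a) => [a.name, a.publicKey])),
  };
  // Bundle shipped with the official release: host plus two auditors signed it.
  const bundle = {
    hostSig: sign(host, release),
    auditorSigs: {
      'auditor-a': sign(auditors[0], release),
      'auditor-b': sign(auditors[1], release),
    },
  };
  // Compelled-host case: the host really signs the modified build, but the
  // only auditor signatures it can attach are the ones made for the release.
  const compelledBundle = { ...bundle, hostSig: sign(host, modified) };

  const observatory = new HashObservatory(new Map([[url, new Set([sha256(release)])]]));
  return {
    clean: verifyPayload(release, bundle, pins),
    mitm: verifyPayload(modified, bundle, pins),
    compelled: verifyPayload(modified, compelledBundle, pins),
    normalReport: observatory.report(url, sha256(release), 'client-1'),
    targetedReport: observatory.report(url, sha256(modified), 'client-2'),
  };
}

console.log(runDemo());
```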
From cathalgarvey at cathalgarvey.me Tue May 27 05:13:01 2014 From: cathalgarvey at cathalgarvey.me (Cathal Garvey) Date: Tue, 27 May 2014 13:13:01 +0100 Subject: Harvard and MIT Students Launch ‘NSA-Proof’ Email Service | Betabeat In-Reply-To: References: <839337740.65096.1400541676910.JavaMail.www@wwinf8222> <569A7290-5C11-4E4F-9901-DA418DE15BB1@obscura.com> Message-ID: <5384814D.4020001@cathalgarvey.me> > lavaboom.com and protonmail.ch both appear to deliver you their > code (javascript) on the fly to run in your browser. Yeah, that's > secure. I have long thought that it's high time to implement JS code signing that can be verified by the client, either innately or through an extension. A quick addition to the comment-metadata system devised to provide licensing information (and parsed by an FSF extension to inform you whether the code your browser is running is libre or not) could be used for this purpose; what's left, then, is to establish a way to translate code signatures into trust. For a monolithic system like a zero-knowledge email host, that's easy; when you sign up, you install their pubkey into your extension, preventing MITM attacks on the JS payload. At best, that's an additional layer over SSL, or it could be used instead of SSL (a crypto-AJAX engine run in browser for sending and receiving data; could be handy for shared hosting where SSL isn't an option). However, it falls down vs. NSLs, etcetera, because hosts can be compelled to send you malware signed with their keys. You need trustworthy third parties who can sign and verify that code is shipped intact.
It'd be nice if you could hack a system like this to use the PGP web of trust as a first port of call, and then to fall back to a wider set of "trusted" people if that fails. As a way to further enhance security, having people with these extensions installed send hashes of the JS payloads they receive to a comparison server would be nice. Might even detect some attacks that fly under the radar at present, like people being sent tailored-attack versions of major third-party libs like JQuery, etcetera. When an anomalous hash arrives that doesn't match any "official" releases of the lib, alarm bells should ring. On 27/05/14 05:27, grarpamp wrote: > On Tue, May 20, 2014 at 11:05 AM, Kelly J. Rose wrote: >> Which is totally subverted if you are American citizens or located in the >> us. Simply by the national security letters. >> >> You could have the sexiest cryptosystem ever and the NSL attack will still >> beat you if you put it on American soil. > > If you operate a machine upon which plaintext 'email' for users transits/sits > on their behalf, you will still be subverted and beaten (literally or > not)... either > remotely by cooperative agreements (or simply giving), or your own local > mitm, [extra]legal force major, etc. The only way out of the mess is either: > a) basically start street protesting to change global law and practice > and somehow manage to create utopia. > b) defend in depth and bury all user messaging within secure p2p darknet > overlay networks where only Alice and Bob are parties to the plaintext content. > And the code you run to get on it is developed and audited by separate > groups, be they well known nyms on such nets, or real world. > > Any proposed messaging system that is centralized, not pay anonymous, > not open, works by you giving up key material you shouldn't, or you needing > to demandload their code instead of running your own trusted copy... isn't > worth your time. 
Otherwise stick with plain old email, text, and whatever > the fad of the day is. And don't try to call either of them secure. > >> This kind of problem should be tackled by some honest idealists from either China, Russia > > Yet people applaud eliminating such idealists, even eg: > Iraq, Iran, Cuba, DPRK, Venezuela, Israel, etc. > Keep on wiping out your only counter voices and you'll > get what you asked for next. None of these suggested places/people > are immune either, only alternatively 'hard'[er] under some > given threat models. > > lavaboom.com and protonmail.ch both appear to deliver you their > code (javascript) on the fly to run in your browser. Yeah, that's > secure. > -- T: @onetruecathal, @IndieBBDNA P: +353876363185 W: http://indiebiotech.com From shelley at misanthropia.info Wed May 28 12:14:10 2014 From: shelley at misanthropia.info (shelley at misanthropia.info) Date: Wed, 28 May 2014 12:14:10 -0700 Subject: [cryptome] Hector Sabu Monseur Sentencing Transcript In-Reply-To: References: Message-ID: <1401304450.32551.122589093.5ED5928B@webmail.messagingengine.com> On Tue, May 27, 2014, at 11:59 AM, John Young wrote: > Held today, 11AM. So one script-kiddie, pig-kissing snitch managed to help thwart "hundreds" of "cyber attacks" (translation: /b/tard summer crew, stupid enough to still use LOIC), while the NSA's whole Stasi-on-steroids spying infrastructure couldn't find one needle in that haystack of all our calls and emails? Well, isn't that special... From skquinn at rushpost.com Wed May 28 13:48:44 2014 From: skquinn at rushpost.com (Shawn K.
Quinn) Date: Wed, 28 May 2014 15:48:44 -0500 Subject: is truecrypt dead? In-Reply-To: References: Message-ID: <1401310124.13661.122629289.65499863@webmail.messagingengine.com> On Wed, May 28, 2014, at 03:27 PM, Bernard Tyers wrote: > There is a thread on the twitters at the moment about this: > > https://twitter.com/runasand/status/471740622031032320 > > - The the signature of the .exe still verifies. > - The key seems to be legit: > https://www.google.nl/?gfe_rd=cr&ei=gUaGU_fmJ8eyOsvogYgF#q=c5f4+bac4+a7b2+2db8+b8f8+5538+e3ba+73ca+f0d6+F0D6+B1E0 Truecrypt was cross-platform. BitLocker isn't. LUKS isn't. Whatever MacOS X uses isn't. Until and unless there are GPL/BSD licensed versions of BitLocker for MacOS X, GNU/Linux, etc then they aren't true replacements for Truecrypt. -- Shawn K. Quinn skquinn at rushpost.com From juniorbsd at gmail.com Wed May 28 13:21:18 2014 From: juniorbsd at gmail.com (J. Tozo) Date: Wed, 28 May 2014 17:21:18 -0300 Subject: Fwd: is truecrypt dead? In-Reply-To: References: Message-ID: Is anyone aware of what is happening to truecrypt project? from their site: "The development of TrueCrypt was ended in 5/2014 after Microsoft terminated support of Windows XP. Windows 8/7/Vista and later offer integrated support for encrypted disks and virtual disk images. Such integrated support is also available on other platforms (click here for more information). You should migrate any data encrypted by TrueCrypt to encrypted disks or virtual disk images supported on your platform." " -J -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 798 bytes Desc: not available URL: From adi at hexapodia.org Wed May 28 18:11:08 2014 From: adi at hexapodia.org (Andy Isaacson) Date: Wed, 28 May 2014 18:11:08 -0700 Subject: is truecrypt dead? 
In-Reply-To: References: <1401310124.13661.122629289.65499863@webmail.messagingengine.com> Message-ID: <20140529011108.GG10586@hexapodia.org> On Wed, May 28, 2014 at 07:45:06PM -0400, Griffin Boyce wrote: > Even being embarrassed by whatever bugs the second phase audit > uncovered wouldn't explain the sudden recommendation. And why not > ecryptfs or ~literally anything else~ ? ecryptfs is a complete joke. It intentionally does not encrypt *ANY* metadata except the filename, leaking modification times, filesizes (rounded to the block), write patterns, file ownership, permissions, etc. Because its design is such a joke, it hasn't gotten any serious crypto review, so I'd be surprised if it doesn't have critical implementation bugs in the parts that aren't broken by design. Please don't use ecryptfs. It's not even better than nothing. -andy From griffin at cryptolab.net Wed May 28 16:45:06 2014 From: griffin at cryptolab.net (Griffin Boyce) Date: Wed, 28 May 2014 19:45:06 -0400 Subject: is truecrypt dead? In-Reply-To: <1401310124.13661.122629289.65499863@webmail.messagingengine.com> References: <1401310124.13661.122629289.65499863@webmail.messagingengine.com> Message-ID: My suspicion is that either they were hacked (and had their key stolen), or that they were ordered to shutdown and recommend Microsoft's (presumably backdoored) BitLocker as a replacement. BitLocker's enterprise documentation makes me *incredibly* suspicious that it is susceptible to monitoring by third-parties. Even being embarrassed by whatever bugs the second phase audit uncovered wouldn't explain the sudden recommendation. And why not ecryptfs or ~literally anything else~ ? Pardon my tinfoil hat.
~Griffin From griffin at cryptolab.net Wed May 28 19:07:40 2014 From: griffin at cryptolab.net (Griffin Boyce) Date: Wed, 28 May 2014 22:07:40 -0400 Subject: is truecrypt dead? In-Reply-To: <20140529011108.GG10586@hexapodia.org> References: <1401310124.13661.122629289.65499863@webmail.messagingengine.com> <20140529011108.GG10586@hexapodia.org> Message-ID: Andy Isaacson wrote: > I'd be surprised if [ecryptfs] doesn't have critical > implementation bugs in the parts that aren't broken by design. > > Please don't use ecryptfs. It's not even better than nothing. BRB, wiping my hard drive for totally unrelated reasons!* ;-) If I remember correctly, ecryptfs was the default home directory encryption option for Ubuntu until recently. Why is it that these things that thousands of people rely on are not audited in any real way? I've used truecrypt with reservations and never in a serious situation. But lots of people are relying on this to keep their data safe while crossing borders, documenting human rights abuses, etc. A company like Canonical should insist on audits before making *anything* the default encryption scheme. These things tend to start as small projects and come to be ubiquitous without most users caring about audits (or being open-source). We need to have higher standards. ~Griffin * It's a joke because I use Debian... now...... From cathalgarvey at cathalgarvey.me Wed May 28 14:14:53 2014 From: cathalgarvey at cathalgarvey.me (Cathal Garvey) Date: Wed, 28 May 2014 22:14:53 +0100 Subject: is truecrypt dead? In-Reply-To: <1401310124.13661.122629289.65499863@webmail.messagingengine.com> References: <1401310124.13661.122629289.65499863@webmail.messagingengine.com> Message-ID: <538651CD.8050600@cathalgarvey.me> Also.. https://twitter.com/TheBlogPirate/status/471759810644283392 On 28/05/14 21:48, Shawn K.
Quinn wrote: > On Wed, May 28, 2014, at 03:27 PM, Bernard Tyers wrote: >> There is a thread on the twitters at the moment about this: >> >> https://twitter.com/runasand/status/471740622031032320 >> >> - The the signature of the .exe still verifies. >> - The key seems to be legit: >> https://www.google.nl/?gfe_rd=cr&ei=gUaGU_fmJ8eyOsvogYgF#q=c5f4+bac4+a7b2+2db8+b8f8+5538+e3ba+73ca+f0d6+F0D6+B1E0 > > Truecrypt was cross-platform. BitLocker isn't. LUKS isn't. Whatever > MacOS X uses isn't. Until and unless there are GPL/BSD licensed versions > of BitLocker for MacOS X, GNU/Linux, etc then they aren't true > replacements for Truecrypt. > -- T: @onetruecathal, @IndieBBDNA P: +353876363185 W: http://indiebiotech.com -------------- next part -------------- A non-text attachment was scrubbed... Name: 0x988B9099.asc Type: application/pgp-keys Size: 6176 bytes Desc: not available URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 901 bytes Desc: OpenPGP digital signature URL: From juan.g71 at gmail.com Wed May 28 18:33:28 2014 From: juan.g71 at gmail.com (Juan) Date: Wed, 28 May 2014 22:33:28 -0300 Subject: is truecrypt dead? In-Reply-To: References: <1401310124.13661.122629289.65499863@webmail.messagingengine.com> Message-ID: <53868df8.279fec0a.2d9f.2c44@mx.google.com> On Wed, 28 May 2014 19:45:06 -0400 Griffin Boyce wrote: > My suspicion is that either they were hacked (and had their key > stolen), or that they were ordered to shutdown and recommend > Microsoft's (presumably backdoored) BitLocker as a replacement. truecrypt.org redirects to this http://truecrypt.sourceforge.net/ Pretty crazy. Whoever the developers may be, after spending a good deal of effort on their project, now are licking MS' boots? It doesn't make sense. > BitLocker's enterprise documentation makes me *incredibly* suspicious > that it is susceptible to monitoring by third-parties. 
> > Even being embarrassed by whatever bugs the second phase audit > uncovered wouldn't explain the sudden recommendation. And why not > ecryptfs or ~literally anything else~ ? > > Pardon my tinfoil hat. > > ~Griffin From scott at sbce.org Wed May 28 20:50:13 2014 From: scott at sbce.org (Scott Blaydes) Date: Wed, 28 May 2014 22:50:13 -0500 Subject: [cryptome] Hector Sabu Monseur Sentencing Transcript In-Reply-To: <1401304450.32551.122589093.5ED5928B@webmail.messagingengine.com> References: <1401304450.32551.122589093.5ED5928B@webmail.messagingengine.com> Message-ID: <22C4E107-E0E3-4587-B134-0960CA75AF87@sbce.org> On May 28, 2014, at 2:14 PM, shelley at misanthropia.info wrote: > On Tue, May 27, 2014, at 11:59 AM, John Young wrote: >> Held today, 11AM. > > So one script-kiddie, pig-kissing snitch managed to help thwart > "hundreds" of "cyber attacks" (translation: /b/tard summer crew, stupid > enough to still use LOIC), while the NSA's whole Stasi-on-steroids > spying infrastructure couldn't find one needle in that haystack of all > our calls and emails? > > Well, isn't that special... I heard sabu knows where MH370 is. -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 842 bytes Desc: Message signed with OpenPGP using GPGMail URL: From shelley at misanthropia.info Thu May 29 00:46:43 2014 From: shelley at misanthropia.info (shelley at misanthropia.info) Date: Thu, 29 May 2014 00:46:43 -0700 Subject: [cryptome] Hector Sabu Monseur Sentencing Transcript In-Reply-To: <22C4E107-E0E3-4587-B134-0960CA75AF87@sbce.org> References: <1401304450.32551.122589093.5ED5928B@webmail.messagingengine.com> <22C4E107-E0E3-4587-B134-0960CA75AF87@sbce.org> Message-ID: <1401349603.10884.122780889.5F7624FE@webmail.messagingengine.com> On Wed, May 28, 2014, at 08:50 PM, Scott Blaydes wrote: > I heard sabu knows where MH370 is. I heard sabu did 9-11 with a trs-80 and a 300 baud modem! 
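Added example, not part of any message in this archive: a sketch of the comparison-server check proposed in the earlier message signed @onetruecathal, where clients report hashes of the JS payloads they receive and a hash matching no official release raises an alarm. The library name, URLs, client ids, verdict labels and the min_peers threshold are assumptions, and all sample data is constructed.

```python
import hashlib
from collections import Counter, defaultdict
from typing import NamedTuple, Optional


def sha256_hex(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


# Constructed stand-ins for a library's release files. A real comparison
# server would load digests published by the library's maintainers.
RELEASES = {
    "examplelib 1.0.0": b"function add(a,b){return a+b}",
    "examplelib 1.0.1": b"function add(a,b){return a + b;}",
}
OFFICIAL = {sha256_hex(body): name for name, body in RELEASES.items()}


class Finding(NamedTuple):
    url: str
    client: str
    verdict: str            # "official", "alarm:unofficial" or "alarm:tailored"
    release: Optional[str]  # name of the matching official release, if any


def classify_reports(reports, official=OFFICIAL, min_peers=3):
    """Classify (client_id, url, sha256_hex) reports sent in by clients.

    official         digest matches a known release
    alarm:unofficial digest matches no release (everyone may be getting it,
                     or too few clients reported to tell)
    alarm:tailored   digest matches no release AND only this client received
                     it while at least min_peers clients fetched the same URL
    Note that reports reveal which URLs a client loads, so a deployment has
    to decide what the comparison server is allowed to learn and keep.
    """
    by_url = defaultdict(dict)  # url -> {client: digest}; last report wins
    for client, url, digest in reports:
        by_url[url][client] = digest.lower()

    findings = []
    for url in sorted(by_url):
        seen = by_url[url]
        counts = Counter(seen.values())
        for client in sorted(seen):
            digest = seen[client]
            if digest in official:
                verdict = "official"
            elif len(seen) >= min_peers and counts[digest] == 1:
                verdict = "alarm:tailored"
            else:
                verdict = "alarm:unofficial"
            findings.append(Finding(url, client, verdict, official.get(digest)))
    return findings


def alarms(findings):
    """Return (client, url, verdict) for every report that should ring a bell."""
    return [(f.client, f.url, f.verdict) for f in findings if f.verdict != "official"]


# Constructed sample reports.
CDN_URL = "https://cdn.example/examplelib-1.0.1.js"
SHOP_URL = "https://shop.example/js/lib.js"
GOOD = sha256_hex(RELEASES["examplelib 1.0.1"])
TAMPERED = sha256_hex(RELEASES["examplelib 1.0.1"] + b";/* constructed extra code */")
SITE_BUILD = sha256_hex(b"/* constructed site-local build */")

SAMPLE_REPORTS = [
    ("client-a", CDN_URL, GOOD),
    ("client-b", CDN_URL, GOOD),
    ("client-c", CDN_URL, GOOD),
    ("client-d", CDN_URL, TAMPERED),    # only this client got a different file
    ("client-a", SHOP_URL, SITE_BUILD), # unofficial, but the same for everyone
    ("client-b", SHOP_URL, SITE_BUILD),
]

if __name__ == "__main__":
    for client, url, verdict in alarms(classify_reports(SAMPLE_REPORTS)):
        print(f"{verdict:17} {client} {url}")
```
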
From shelley at misanthropia.info Thu May 29 01:04:01 2014 From: shelley at misanthropia.info (shelley at misanthropia.info) Date: Thu, 29 May 2014 01:04:01 -0700 Subject: is truecrypt dead? In-Reply-To: <8993592a-d6d1-42ee-b6aa-44787800fc58@email.android.com> References: <1401310124.13661.122629289.65499863@webmail.messagingengine.com> <538651CD.8050600@cathalgarvey.me> <5173414.1oAEScoKug@lapuntu> <8993592a-d6d1-42ee-b6aa-44787800fc58@email.android.com> Message-ID: <1401350641.14919.122785373.2A318D49@webmail.messagingengine.com> Krebs has put a post about it: http://krebsonsecurity.com/2014/05/true-goodbye-using-truecrypt-is-not-secure/ excerpt: "Doubters soon questioned whether the redirect was a hoax or the result of the TrueCrypt site being hacked. But a cursory review of the site’s historic hosting, WHOIS and DNS records shows no substantive changes recently. What’s more, the last version of TrueCrypt uploaded to the site on May 27 (still available at this link) shows that the key used to sign the executable installer file is the same one that was used to sign the program back in January 2014 (hat tip to @runasand and @pyllyukko). Taken together, these two facts suggest that the message is legitimate, and that TrueCrypt is officially being retired. That was the same conclusion reached by Matthew Green, a cryptographer and research professor at the Johns Hopkins University Information Security Institute and a longtime skeptic of TrueCrypt — which has been developed for the past 10 years by a team of anonymous coders who appear to have worked diligently to keep their identities hidden. “I think the TrueCrypt team did this,” Green said in a phone interview. “They decided to quit and this is their signature way of doing it.” From carimachet at gmail.com Wed May 28 19:00:10 2014 From: carimachet at gmail.com (Cari Machet) Date: Thu, 29 May 2014 02:00:10 +0000 Subject: is truecrypt dead?
In-Reply-To: <53868df8.279fec0a.2d9f.2c44@mx.google.com> References: <1401310124.13661.122629289.65499863@webmail.messagingengine.com> <53868df8.279fec0a.2d9f.2c44@mx.google.com> Message-ID: looks a little too russian in the last entry to pass as true http://pgp.mit.edu/pks/lookup?op=vindex&search=0xE3BA73CAF0D6B1E0 On Thu, May 29, 2014 at 1:33 AM, Juan wrote: > On Wed, 28 May 2014 19:45:06 -0400 > Griffin Boyce wrote: > > > My suspicion is that either they were hacked (and had their key > > stolen), or that they were ordered to shutdown and recommend > > Microsoft's (presumably backdoored) BitLocker as a replacement. > > > truecrypt.org redirects to this > http://truecrypt.sourceforge.net/ > > Pretty crazy. Whoever the developers may be, after spending a > good deal of effort on their project, now are licking MS' > boots? It doesn't make sense. > > > > > > BitLocker's enterprise documentation makes me *incredibly* suspicious > > that it is susceptible to monitoring by third-parties. > > > > Even being embarrassed by whatever bugs the second phase audit > > uncovered wouldn't explain the sudden recommendation. And why not > > ecryptfs or ~literally anything else~ ? > > > > Pardon my tinfoil hat. > > > > ~Griffin > > -- Cari Machet NYC 646-436-7795 carimachet at gmail.com AIM carismachet Syria +963-099 277 3243 Amman +962 077 636 9407 Berlin +49 152 11779219 Reykjavik +354 894 8650 Twitter: @carimachet 7035 690E 5E47 41D4 B0E5 B3D1 AF90 49D6 BE09 2187 Ruh-roh, this is now necessary: This email is intended only for the addressee(s) and may contain confidential information. If you are not the intended recipient, you are hereby notified that any use of this information, dissemination, distribution, or copying of this email without permission is strictly prohibited. -------------- next part -------------- A non-text attachment was scrubbed... 
Name: not available Type: text/html Size: 2766 bytes Desc: not available URL: From tpb-crypto at laposte.net Wed May 28 21:03:22 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Thu, 29 May 2014 06:03:22 +0200 Subject: Fwd: is truecrypt dead? In-Reply-To: References: Message-ID: <1547739224.50728.1401336202087.JavaMail.www@wwinf8308> > Message du 28/05/14 22:26 > De : "J. Tozo" > A : cypherpunks at cpunks.org > Copie à : > Objet : Fwd: is truecrypt dead? > > Is anyone aware of what is happening to truecrypt project? > > from their site: > > "The development of TrueCrypt was ended in 5/2014 after Microsoft > terminated support of Windows XP. Windows 8/7/Vista and later offer > integrated support for encrypted disks and virtual disk images. Such > integrated support is also available on other platforms (click here for > more information). You should migrate any data encrypted by TrueCrypt to > encrypted disks or virtual disk images supported on your platform." > > " > -J > Some well-funded state actors first hijacked sourceforge and used what they dug up to stop some projects which they deemed problematic to their careers. From tpb-crypto at laposte.net Wed May 28 21:13:03 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Thu, 29 May 2014 06:13:03 +0200 Subject: is truecrypt dead? In-Reply-To: References: <1401310124.13661.122629289.65499863@webmail.messagingengine.com> Message-ID: <1247535033.50802.1401336783790.JavaMail.www@wwinf8308> > Message du 29/05/14 01:50 > De : "Griffin Boyce" > A : cypherpunks at cpunks.org > Copie à : > Objet : Re: is truecrypt dead? > > My suspicion is that either they were hacked (and had their key > stolen), or that they were ordered to shutdown and recommend Microsoft's > (presumably backdoored) BitLocker as a replacement. BitLocker's > enterprise documentation makes me *incredibly* suspicious that it is > susceptible to monitoring by third-parties. 
> > Even being embarrassed by whatever bugs the second phase audit > uncovered wouldn't explain the sudden recommendation. And why not > ecryptfs or ~literally anything else~ ? > > Pardon my tinfoil hat. > > ~Griffin > If you are still using proprietary software at this point, you deserve everything bad that will come to you, sorry. From tpb-crypto at laposte.net Wed May 28 21:16:04 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Thu, 29 May 2014 06:16:04 +0200 Subject: is truecrypt dead? In-Reply-To: <53868df8.279fec0a.2d9f.2c44@mx.google.com> References: <1401310124.13661.122629289.65499863@webmail.messagingengine.com> <53868df8.279fec0a.2d9f.2c44@mx.google.com> Message-ID: <589361041.50816.1401336964649.JavaMail.www@wwinf8308> > Message du 29/05/14 03:35 > De : "Juan" > A : cypherpunks at cpunks.org > Copie à : > Objet : Re: is truecrypt dead? > > On Wed, 28 May 2014 19:45:06 -0400 > Griffin Boyce wrote: > > > My suspicion is that either they were hacked (and had their key > > stolen), or that they were ordered to shutdown and recommend > > Microsoft's (presumably backdoored) BitLocker as a replacement. > > > truecrypt.org redirects to this > http://truecrypt.sourceforge.net/ > > Pretty crazy. Whoever the developers may be, after spending a > good deal of effort on their project, now are licking MS' > boots? It doesn't make sense. > Haven't you thought about maybe, just maybe, someone that doesn't like truecrypt because it got in the way of their investigations too many times, put the effort to hack sourceforge to then hijack truecrypt and other "undesirable" projects? From rharwood at club.cc.cmu.edu Thu May 29 04:17:38 2014 From: rharwood at club.cc.cmu.edu (Robbie Harwood) Date: Thu, 29 May 2014 07:17:38 -0400 Subject: Fwd: is truecrypt dead? 
In-Reply-To: <5386DA82.3050102@owca.info> References: <5386C62E.20509@echeque.com> <5386DA82.3050102@owca.info> Message-ID: <87wqd4g7fx.fsf@kirtar.i-did-not-set--mail-host-address--so-tickle-me> Matej Kovacic writes: > just for info, TrueCrypt is being audited, and phase 1 report is quite > good. No, no it wasn't. Here's the report: > https://opencryptoaudit.org/reports/iSec_Final_Open_Crypto_Audit_Project_TrueCrypt_Security_Assessment.pdf Take a minute to read it, I'll wait. Pay particular attention to pages 11 and 12, where they define the severity classes. Having a "Medium" severity vulnerability means: > Individual user's information at risk, exploitation would be bad for > client's reputation, moderate financial impact, possible legal > implications for client So when they state that there are no less than *four* vulnerabilities that they found in this class, that is *far from quite good*. Thankfully, three of them are classified as difficulty: high to exploit, but the "Weak Volume Header key derivation algorithm" is only difficulty: medium, which referring again to pages 11 and 12 is quite exploitable. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 835 bytes Desc: not available URL: From cathalgarvey at cathalgarvey.me Thu May 29 00:34:20 2014 From: cathalgarvey at cathalgarvey.me (Cathal (phone)) Date: Thu, 29 May 2014 08:34:20 +0100 Subject: is truecrypt dead? In-Reply-To: <5173414.1oAEScoKug@lapuntu> References: <1401310124.13661.122629289.65499863@webmail.messagingengine.com> <538651CD.8050600@cathalgarvey.me> <5173414.1oAEScoKug@lapuntu> Message-ID: <8993592a-d6d1-42ee-b6aa-44787800fc58@email.android.com> =image On 29 May 2014 08:07:13 GMT+01:00, rysiek wrote: >Dnia środa, 28 maja 2014 22:14:53 Cathal Garvey pisze: >> Also.. 
https://twitter.com/TheBlogPirate/status/471759810644283392 > >Could I suggest *QUOTING* the 140-char drops of gold from Twitter >directly, >along with giving a link? Would really appreciate it. :) > >-- >Pozdr >rysiek -- Sent from my Android device with K-9 Mail. Please excuse my brevity. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 901 bytes Desc: not available URL: From afalex169 at gmail.com Wed May 28 23:00:26 2014 From: afalex169 at gmail.com (Александр) Date: Thu, 29 May 2014 09:00:26 +0300 Subject: Fwd: is truecrypt dead? In-Reply-To: <5386C62E.20509@echeque.com> References: <5386C62E.20509@echeque.com> Message-ID: Guys, don't you see? This is pure provocation! Or the developer was caught by the NSA or... "Lavabit 2" .... But it does not mean that the previous versions are baaaad or that we should move on microsoft-NSA program bitlocker. It's 100% backdoored! And this is the biggest CLUE that either this message was written by the NSA guys, or there is a great pressure on the developer. And this is how he says that to us. Don't panic. Keep using the last version 7.1 and DON'T switch to newer version of truecrypt, if it comes out now. -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1036 bytes Desc: not available URL: From rysiek at hackerspace.pl Thu May 29 00:07:13 2014 From: rysiek at hackerspace.pl (rysiek) Date: Thu, 29 May 2014 09:07:13 +0200 Subject: is truecrypt dead? In-Reply-To: <538651CD.8050600@cathalgarvey.me> References: <1401310124.13661.122629289.65499863@webmail.messagingengine.com> <538651CD.8050600@cathalgarvey.me> Message-ID: <5173414.1oAEScoKug@lapuntu> Dnia środa, 28 maja 2014 22:14:53 Cathal Garvey pisze: > Also..
https://twitter.com/TheBlogPirate/status/471759810644283392 Could I suggest *QUOTING* the 140-char drops of gold from Twitter directly, along with giving a link? Would really appreciate it. :) -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From rysiek at hackerspace.pl Thu May 29 00:10:25 2014 From: rysiek at hackerspace.pl (rysiek) Date: Thu, 29 May 2014 09:10:25 +0200 Subject: is truecrypt dead? In-Reply-To: References: <20140529011108.GG10586@hexapodia.org> Message-ID: <1705121.fcP7eFrynX@lapuntu> Dnia środa, 28 maja 2014 22:07:40 Griffin Boyce pisze: > Andy Isaacson wrote: > > I'd be surprised if [ecryptfs] doesn't have critical > > implementation bugs in the parts that aren't broken by design. > > > > Please don't use ecryptfs. It's not even better than nothing. > > BRB, wiping my hard drive for totally unrelated reasons!* ;-) If I > remember correctly, ecryptfs was the default home directory encryption > option for Ubuntu until recently. > > Why is it that these things that thousands of people rely on are not > audited in any real way? The right question is: Why do creators of things that are being used by thousands of people use solutions that are not audited in any real way? > I've used truecrypt with reservations and never > in a serious situation. But lots of people are relying on this to keep > their data safe while crossing borders, documenting human rights abuses, > etc. A company like Canonical should insist on audits before making > *anything* the default encryption scheme. > > These things tend to start as small projects and come to be ubiquitous > without most users caring about audits (or being open-source). We need > to have higher standards. Absolutely. -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... 
Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From rysiek at hackerspace.pl Thu May 29 00:31:41 2014 From: rysiek at hackerspace.pl (rysiek) Date: Thu, 29 May 2014 09:31:41 +0200 Subject: is truecrypt dead? In-Reply-To: <5173414.1oAEScoKug@lapuntu> References: <538651CD.8050600@cathalgarvey.me> <5173414.1oAEScoKug@lapuntu> Message-ID: <21234947.Ikn1SBWJNI@lapuntu> Dnia czwartek, 29 maja 2014 09:07:13 rysiek pisze: > Dnia środa, 28 maja 2014 22:14:53 Cathal Garvey pisze: > > Also.. https://twitter.com/TheBlogPirate/status/471759810644283392 > > Could I suggest *QUOTING* the 140-char drops of gold from Twitter directly, > along with giving a link? Would really appreciate it. :) Okay, there was an image there. And now I feel like a douche. Sorry. :) -- Pozdr rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 316 bytes Desc: This is a digitally signed message part. URL: From wb8foz at nrk.com Thu May 29 08:26:18 2014 From: wb8foz at nrk.com (David) Date: Thu, 29 May 2014 11:26:18 -0400 Subject: Fwd: is truecrypt dead? In-Reply-To: References: <5386C62E.20509@echeque.com> <417667249.71273.1401365233447.JavaMail.www@wwinf8311> Message-ID: <5387519A.70506@nrk.com> Could this non-notice be a Lavabit/Silent Circle type announcement/warning? From gutemhc at gmail.com Thu May 29 07:27:34 2014 From: gutemhc at gmail.com (Gutem) Date: Thu, 29 May 2014 11:27:34 -0300 Subject: Fwd: is truecrypt dead? 
In-Reply-To: <417667249.71273.1401365233447.JavaMail.www@wwinf8311> References: <5386C62E.20509@echeque.com> <417667249.71273.1401365233447.JavaMail.www@wwinf8311> Message-ID: A 7.1a fork: https://github.com/warewolf/truecrypt Att, - Gutem ------------------------------------------------------------------------------------------- Registered Linux User: 562142 2014-05-29 9:07 GMT-03:00 : > > > > Message du 29/05/14 08:04 > > De : " Александр " > > A : cypherpunks at cpunks.org > > Copie à : > > Objet : Re: Fwd: is truecrypt dead? > > > > > Guys, don't you see? > > This is pure provocation! > > > > Or the developer was caught by the NSA or... "Lavabit 2" .... > > > > But it does not mean that the previous versions are baaaad or that we > > should move on microsoft-NSA program bitlocker. It's 100% backdoored! > > And this is the biggest CLUE that either this message was written by the > > NSA guys, or there is a great pressure on the developer. And this is how he > > says that to us. > > > > Don't panic. Keep using the last version 7.1 and DON'T switch to newer > > version of truecrypt, if it comes out now. > > > > If anybody has got the sources for version 7.1, he could post it to make a > fork and continue developing. Given the number of people that use > truecrypt, resurrecting the project seems a good thing. > > -------------- next part -------------- A non-text attachment was scrubbed...
Name: not available Type: text/html Size: 1830 bytes Desc: not available URL: From drwho at virtadpt.net Thu May 29 11:32:40 2014 From: drwho at virtadpt.net (The Doctor) Date: Thu, 29 May 2014 11:32:40 -0700 Subject: [cryptome] Hector Sabu Monseur Sentencing Transcript In-Reply-To: <1401349603.10884.122780889.5F7624FE@webmail.messagingengine.com> References: <1401304450.32551.122589093.5ED5928B@webmail.messagingengine.com> <22C4E107-E0E3-4587-B134-0960CA75AF87@sbce.org> <1401349603.10884.122780889.5F7624FE@webmail.messagingengine.com> Message-ID: <53877D48.7040005@virtadpt.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 05/29/2014 12:46 AM, shelley at misanthropia.info wrote: >> I heard sabu knows where MH370 is. > I heard sabu did 9-11 with a trs-80 and a 300 baud modem! Sabu can send arbitrary text to an 80 column line printer by whistling into the Centronics connector. - -- The Doctor [412/724/301/703] [ZS] PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1 WWW: https://drwho.virtadpt.net/ "Ah, modern physics! It can outweird most fiction." 
--Arenamontanus -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ -----END PGP SIGNATURE----- From tpb-crypto at laposte.net Thu May 29 05:07:13 2014 From: tpb-crypto at laposte.net (tpb-crypto at laposte.net) Date: Thu, 29 May 2014 14:07:13 +0200 Subject: Fwd: is truecrypt dead? In-Reply-To: References: <5386C62E.20509@echeque.com> Message-ID: <417667249.71273.1401365233447.JavaMail.www@wwinf8311> > Message du 29/05/14 08:04 > De : " Александр " > A : cypherpunks at cpunks.org > Copie à : > Objet : Re: Fwd: is truecrypt dead? > > Guys, don't you see? > This is pure provocation! > > Or the developer was caught by the NSA or... "Lavabit 2" .... > > But it does not mean that the previous versions are baaaad or that we > should move on microsoft-NSA program bitlocker. It's 100% backdoored! > And this is the biggest CLUE that either this message was written by the > NSA guys, or there is a great pressure on the developer. And this is how he > says that to us. > > Don't panic. Keep using the last version 7.1 and DON'T switch to newer > version of truecrypt, if it comes out now. > If anybody has got the sources for version 7.1, he could post it to make a fork and continue developing.
Given the number of people that use truecrypt, resurrecting the project seems a good thing. From jamesd at echeque.com Wed May 28 22:31:26 2014 From: jamesd at echeque.com (James A. Donald) Date: Thu, 29 May 2014 15:31:26 +1000 Subject: Fwd: is truecrypt dead? In-Reply-To: References: Message-ID: <5386C62E.20509@echeque.com> On 2014-05-29 06:21, J. Tozo wrote: > Is anyone aware of what is happening to truecrypt project? > > from their site: > > "The development of TrueCrypt was ended in 5/2014 after Microsoft > terminated support of Windows XP. Windows 8/7/Vista and later offer > integrated support for encrypted disks and virtual disk images. Such > integrated support is also available on other platforms (click here for > more information). You should migrate any data encrypted by TrueCrypt to > encrypted disks or virtual disk images supported on your platform." > > " > -J > The trouble is, on past performance (Skype) Microsoft has put a back door in their encrypted disks. From taxakis at gmail.com Thu May 29 07:17:41 2014 From: taxakis at gmail.com (taxakis) Date: Thu, 29 May 2014 16:17:41 +0200 Subject: is truecrypt dead? In-Reply-To: References: Message-ID: <00c001cf7b48$c14ec360$43ec4a20$@com> For those with imminent interest: http://rpmfusion.org/Package/realcrypt cheers > -----Original Message----- > From: cypherpunks [mailto:cypherpunks-bounces at cpunks.org] On Behalf Of > Peter Gutmann > Sent: Thursday, May 29, 2014 12:25 PM > To: adi at hexapodia.org; griffin at cryptolab.net > Cc: cypherpunks at cpunks.org > Subject: Re: is truecrypt dead? > > Griffin Boyce writes: > > >Why is it that these things that thousands of people rely on are not > >audited in any real way? > > It's open-source, so there's the presumption of audit, "I couldn't be > bothered looking at it, but since it's open source someone else must > have". 
The odd thing is that it's some of the commercial vendors, who > are doing it for money and can pay to have the code checked, for which > you have at least some presumption of audit, but since they're closed- > source you're not allowed to trust them. > > Peter. From crypto at jpunix.net Thu May 29 14:38:34 2014 From: crypto at jpunix.net (Crypto) Date: Thu, 29 May 2014 16:38:34 -0500 Subject: Truecrypt tinfoil hat testing In-Reply-To: <14302458.HTkXLy5Mxq@lapuntu> References: <72679957331d74b9222dfd38e97323bc@smtp.hushmail.com> <14302458.HTkXLy5Mxq@lapuntu> Message-ID: <5387A8DA.9090403@jpunix.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 5/29/2014 4:22 PM, rysiek wrote: > Dnia czwartek, 29 maja 2014 21:23:27 NullDev pisze: >> With exquisite timing, I bought a new external HDD yesterday >> (28.05.14) and set about encrypting it with TrueCrypt. I >> installed via the terminal as I'm on Linux, ie: >> >> wget >> http://www.truecrypt.org/download/truecrypt-7.1a-linux-x64.tar.gz >> >> >> >> I extracted it, and encrypted my drive. The TrueCrypt website was >> looking it's normal self at that point: I referred to it a few >> times during the encryption. >> >> However, no sooner had it finished at about 4pm UK time >> yesterday, I received the first email from someone on the list >> about Truecrypt pulling the plug. Their site had been changed to >> the one we see today, recommending we switch to an alternative >> like, ahem, something as fabulously secure as Bitlocker. >> >> Ironic timing, huh? So, I have what was possibly the last >> download of a version 7.1a tarball before everything went >> titsup, and if you read what The Register said about Truecrypt's >> V.7.2 being corrupted/infected/backdoored here: >> >> http://www.theregister.co.uk/2014/05/28/truecrypt_hack/ >> >> Then theoretically I have something to wonder about. However, it >> would appear that the date, checksum and verification are ok on >> what I downloaded. It *seems* clean. 
>> >> It would be interesting to see if it's in anyone's scope to >> compare the source code with other versions of 7.1a for Linux: >> it's beyond mine, apologies. If anyone wants me to send them the >> tarball I'll be happy to oblige. >> >> Let me know if I can be of assistance. > > Upload it on Github somewhere, and let's use this tool to compare > different 7.1a versions publicly? If we trust GitHub, that is. ;) > I have some older Windows binaries that I'll upload to Mediahub and publish the URLs. - -- Crypto From crypto at jpunix.net Thu May 29 14:48:42 2014 From: crypto at jpunix.net (Crypto) Date: Thu, 29 May 2014 16:48:42 -0500 Subject: Truecrypt tinfoil hat testing In-Reply-To: <5387A8DA.9090403@jpunix.net> References: <72679957331d74b9222dfd38e97323bc@smtp.hushmail.com> <14302458.HTkXLy5Mxq@lapuntu> <5387A8DA.9090403@jpunix.net> Message-ID: <5387AB3A.2000503@jpunix.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 5/29/2014 4:38 PM, Crypto wrote: > On 5/29/2014 4:22 PM, rysiek wrote: >> On Thursday, 29 May 2014 21:23:27 NullDev wrote: >>> With exquisite timing, I
bought a new external HDD yesterday >>> (28.05.14) and set about encrypting it with TrueCrypt. I >>> installed via the terminal as I'm on Linux, ie: >>> >>> wget >>> http://www.truecrypt.org/download/truecrypt-7.1a-linux-x64.tar.gz >>> >>> >>> >>> > >>> I extracted it, and encrypted my drive. The TrueCrypt website was >>> looking its normal self at that point: I referred to it a few >>> times during the encryption. >>> >>> However, no sooner had it finished at about 4pm UK time >>> yesterday, I received the first email from someone on the list >>> about Truecrypt pulling the plug. Their site had been changed >>> to the one we see today, recommending we switch to an >>> alternative like, ahem, something as fabulously secure as >>> Bitlocker. >>> >>> Ironic timing, huh? So, I have what was possibly the last >>> download of a version 7.1a tarball before everything went >>> titsup, and if you read what The Register said about >>> Truecrypt's V.7.2 being corrupted/infected/backdoored here: >>> >>> http://www.theregister.co.uk/2014/05/28/truecrypt_hack/ >>> >>> Then theoretically I have something to wonder about. However, >>> it would appear that the date, checksum and verification are ok >>> on what I downloaded. It *seems* clean. >>> >>> It would be interesting to see if it's in anyone's scope to >>> compare the source code with other versions of 7.1a for Linux: >>> it's beyond mine, apologies. If anyone wants me to send them >>> the tarball I'll be happy to oblige. >>> >>> Let me know if I can be of assistance. > >> Upload it on Github somewhere, and let's use this tool to compare >> different 7.1a versions publicly? If we trust GitHub, that is. >> ;) > > > I have some older Windows binaries that I'll upload to Mediahub > and publish the URLs. > > Hmm. Looking through my recent backups the only copy of Truecrypt I have at the moment is: http://www.mediafire.com/download/a88i4622qh6v7ku/TrueCrypt_Setup_7.1a.exe Anyone that wants it is welcome to it.
- -- Crypto From nulldev at hush.com Thu May 29 13:23:27 2014 From: nulldev at hush.com (NullDev) Date: Thu, 29 May 2014 21:23:27 +0100 Subject: Truecrypt tinfoil hat testing Message-ID: <72679957331d74b9222dfd38e97323bc@smtp.hushmail.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 With exquisite timing, I bought a new external HDD yesterday (28.05.14) and set about encrypting it with TrueCrypt. I installed via the terminal as I'm on Linux, ie: wget http://www.truecrypt.org/download/truecrypt-7.1a-linux-x64.tar.gz I extracted it, and encrypted my drive. The TrueCrypt website was looking its normal self at that point: I referred to it a few times during the encryption. However, no sooner had it finished at about 4pm UK time yesterday, I received the first email from someone on the list about Truecrypt pulling the plug. Their site had been changed to the one we see today, recommending we switch to an alternative like, ahem, something as fabulously secure as Bitlocker. Ironic timing, huh?
So, I have what was possibly the last download of a version 7.1a tarball before everything went titsup, and if you read what The Register said about Truecrypt's V.7.2 being corrupted/infected/backdoored here: http://www.theregister.co.uk/2014/05/28/truecrypt_hack/ Then theoretically I have something to wonder about. However, it would appear that the date, checksum and verification are ok on what I downloaded. It *seems* clean. It would be interesting to see if it's in anyone's scope to compare the source code with other versions of 7.1a for Linux: it's beyond mine, apologies. If anyone wants me to send them the tarball I'll be happy to oblige. Let me know if I can be of assistance. Best, NullDev From rysiek at hackerspace.pl Thu May 29 13:17:30 2014 From: rysiek at hackerspace.pl (rysiek) Date: Thu, 29 May 2014 22:17:30 +0200 Subject: [cryptome] Hector Sabu Monseur Sentencing Transcript In-Reply-To: <53877D48.7040005@virtadpt.net> References: <1401349603.10884.122780889.5F7624FE@webmail.messagingengine.com> <53877D48.7040005@virtadpt.net> Message-ID: <3194715.ln5EM1Xf2y@lapuntu> On Thursday, 29 May 2014 11:32:40 The Doctor wrote: > On 05/29/2014 12:46 AM, shelley at misanthropia.info wrote: > >> I heard sabu knows where MH370 is. > > > > I heard sabu did 9-11 with a trs-80 and a 300 baud modem! > > Sabu can send arbitrary text to an 80 column line printer by whistling > into the Centronics connector.
Reportedly Sabu can patch KDE2 under FreeBSD. Without asking in #anime[1]. -- Pozdr rysiek [1] http://en.wikipedia.org/wiki/How_does_one_patch_KDE2_under_FreeBSD%3F P.S. Seems this went directly to The Doctor, sorry, reposting to the list. ;) From pgut001 at cs.auckland.ac.nz Thu May 29 03:24:57 2014 From: pgut001 at cs.auckland.ac.nz (Peter Gutmann) Date: Thu, 29 May 2014 22:24:57 +1200 Subject: is truecrypt dead? In-Reply-To: Message-ID: Griffin Boyce writes: >Why is it that these things that thousands of people rely on are not audited >in any real way? It's open-source, so there's the presumption of audit, "I couldn't be bothered looking at it, but since it's open source someone else must have". The odd thing is that it's some of the commercial vendors, who are doing it for money and can pay to have the code checked, for which you have at least some presumption of audit, but since they're closed-source you're not allowed to trust them. Peter. From rysiek at hackerspace.pl Thu May 29 14:22:13 2014 From: rysiek at hackerspace.pl (rysiek) Date: Thu, 29 May 2014 23:22:13 +0200 Subject: Truecrypt tinfoil hat testing In-Reply-To: <72679957331d74b9222dfd38e97323bc@smtp.hushmail.com> References: <72679957331d74b9222dfd38e97323bc@smtp.hushmail.com> Message-ID: <14302458.HTkXLy5Mxq@lapuntu> On Thursday, 29 May 2014 21:23:27 NullDev wrote: > With exquisite timing, I bought a new external HDD yesterday > (28.05.14) and set about encrypting it with TrueCrypt. I installed via > the terminal as I'm on Linux, ie: > > wget http://www.truecrypt.org/download/truecrypt-7.1a-linux-x64.tar.gz > > I extracted it, and encrypted my drive. The TrueCrypt website was > looking its normal self at that point: I referred to it a few times > during the encryption.
> > However, no sooner had it finished at about 4pm UK time yesterday, I > received the first email from someone on the list about Truecrypt > pulling the plug. Their site had been changed to the one we see today, > recommending we switch to an alternative like, ahem, something as > fabulously secure as Bitlocker. > > Ironic timing, huh? So, I have what was possibly the last download of > a version 7.1a tarball before everything went titsup, and if you read > what The Register said about Truecrypt's V.7.2 being > corrupted/infected/backdoored here: > > http://www.theregister.co.uk/2014/05/28/truecrypt_hack/ > > Then theoretically I have something to wonder about. However, it would > appear that the date, checksum and verification are ok on what I > downloaded. It *seems* clean. > > It would be interesting to see if it's in anyone's scope to compare > the source code with other versions of 7.1a for Linux: it's beyond > mine, apologies. If anyone wants me to send them the tarball I'll be > happy to oblige. > > Let me know if I can be of assistance. Upload it on Github somewhere, and let's use this tool to compare different 7.1a versions publicly? If we trust GitHub, that is. ;) -- Pozdr rysiek
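The comparison NullDev and rysiek propose above, as an added example that is not part of either message and not code from any list member: it hashes several copies of one release archive and, where the whole-archive digests differ, hashes each member file to show exactly which files the sources disagree on. The source labels, file names and file contents are constructed sample data, and the function names are hypothetical.

```python
import gzip
import hashlib
import io
import tarfile
from collections import defaultdict


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def member_digests(archive: bytes) -> dict:
    """Map every regular file inside a .tar.gz to the SHA-256 of its contents."""
    digests = {}
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        for member in tar:
            if member.isfile():
                # Hash in memory; nothing from an untrusted archive touches disk.
                digests[member.name] = sha256_hex(tar.extractfile(member).read())
    return digests


def compare_copies(copies: dict) -> dict:
    """Compare copies of one release obtained from different sources.

    copies maps a source label to the raw archive bytes. The result groups
    sources by whole-archive digest and lists each member file on which the
    sources disagree, so a mismatch can be traced to specific files.
    """
    archive_groups = defaultdict(list)
    per_source = {}
    for source in sorted(copies):
        archive_groups[sha256_hex(copies[source])].append(source)
        per_source[source] = member_digests(copies[source])

    disputed = {}
    for name in sorted({n for d in per_source.values() for n in d}):
        votes = defaultdict(list)
        for source, digests in per_source.items():
            votes[digests.get(name, "<missing>")].append(source)
        if len(votes) > 1:
            disputed[name] = dict(votes)
    return {"archive_groups": dict(archive_groups), "disputed_members": disputed}


def build_sample(files: dict, mtime: int) -> bytes:
    """Build a small .tar.gz in memory (constructed sample data only)."""
    raw = io.BytesIO()
    with tarfile.open(fileobj=raw, mode="w") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            info.mtime = mtime
            tar.addfile(info, io.BytesIO(content))
    # Fixed gzip timestamp so identical input always yields identical bytes.
    return gzip.compress(raw.getvalue(), mtime=0)


# Constructed sample: hypothetical file names and contents, four "sources".
GOOD_FILES = {
    "pkg-1.0/README": b"release notes\n",
    "pkg-1.0/src/volume.c": b"int main(void){return 0;}\n",
}
ALTERED_FILES = dict(GOOD_FILES)
ALTERED_FILES["pkg-1.0/src/volume.c"] = b"int main(void){return 1;}\n"

SAMPLE_COPIES = {
    "mirror-a": build_sample(GOOD_FILES, mtime=1000),
    "mirror-b": build_sample(GOOD_FILES, mtime=1000),     # byte-identical copy
    "repacked": build_sample(GOOD_FILES, mtime=2000),     # same files, new timestamps
    "altered": build_sample(ALTERED_FILES, mtime=1000),   # one file differs
}

if __name__ == "__main__":
    report = compare_copies(SAMPLE_COPIES)
    for digest, sources in report["archive_groups"].items():
        print(digest[:16], sources)
    for name, votes in report["disputed_members"].items():
        print("DIFFERS", name, {d[:16]: s for d, s in votes.items()})
```

Matching digests show only that the copies are the same bytes; they say nothing about whether that common original was clean.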
From tbiehn at gmail.com Thu May 29 23:18:48 2014 From: tbiehn at gmail.com (Travis Biehn) Date: Fri, 30 May 2014 02:18:48 -0400 Subject: Fwd: Announcement of Commencement of Bankruptcy Proceedings In-Reply-To: <4D93B28A96981B4AACFD46632E097A2729241E@SVR-OSKVGMBX101.noandt.local> References: <4D93B28A96981B4AACFD46632E097A2729241E@SVR-OSKVGMBX101.noandt.local> Message-ID: Kobayashi ---------- Forwarded message ---------- From: "MtGox Bankruptcy Trustee" Date: May 30, 2014 2:16 AM Subject: Announcement of Commencement of Bankruptcy Proceedings To: "MtGox Bankruptcy Trustee" Cc: To whom it may concern, At 5:00 p.m. on April 24, 2014, the Tokyo District Court granted the order for the commencement of the bankruptcy proceedings vis-à-vis MtGox Co., Ltd. (“MtGox”), and based upon such order, I was appointed as the bankruptcy trustee (Tokyo District Court 2014 (fu) no. 3830). The bankruptcy trustee will implement the bankruptcy proceedings, including the administration and realization of the assets and investigation of the claims. For the purpose of providing information to the related parties, we hereby inform you of the basic matters regarding the bankruptcy proceedings as attached. This email address (mtgox_trustee at noandt.com) is used only for the purpose of sending messages, and we are unable to check and respond to any replies to this email address.
Since we plan to provide the information regarding the bankruptcy proceedings by posting it on the website hosted by the bankruptcy trustee ( http://www.mtgox.com/ ), please check this website. Bankrupt MtGox Co., Ltd. Bankruptcy trustee Attorney-at-law Nobuaki Kobayashi -------------- next part -------------- A non-text attachment was scrubbed... Name: Announcement of Commencement of Bankruptcy Proceedings_05212014.pdf Type: application/pdf Size: 153318 bytes Desc: not available URL: From crypto at jpunix.net Fri May 30 03:44:19 2014 From: crypto at jpunix.net (Crypto) Date: Fri, 30 May 2014 05:44:19 -0500 Subject: Truecrypt tinfoil hat testing In-Reply-To: <20140530123023.92304d27cc769506246b6c96@enigmabox.net> References: <72679957331d74b9222dfd38e97323bc@smtp.hushmail.com> <20140530123023.92304d27cc769506246b6c96@enigmabox.net> Message-ID: <53886103.9020705@jpunix.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 5/30/2014 5:30 AM, 42 wrote: > > On Thu, 29 May 2014 21:23:27 +0100 NullDev > wrote: > >> It would be interesting to see if it's in anyone's scope to >> compare the source code with other versions of 7.1a for Linux: >> it's beyond mine, apologies. If anyone wants me to send them the >> tarball I'll be happy to oblige. > > I have downloaded all the 7.1a TrueCrypt versions long before that > shutdown, and made them available here: > https://enigmabox.net/truecrypt/ > > According to http://truecryptcheck.wordpress.com/, my versions > seem sane. > > I've also found a repository of TrueCrypt versions. It seems to be fairly complete. I've put it up for download. Please feel free to share.
http://www.mediafire.com/download/aw640r58904ohb3/truecrypt-archive-master.zip - -- Crypto From loki at obscura.com Fri May 30 06:44:32 2014 From: loki at obscura.com (Lance Cottrell) Date: Fri, 30 May 2014 06:44:32 -0700 Subject: is truecrypt dead? In-Reply-To: <20140530115615.6F94E22816D@palinka.tinho.net> References: <20140530115615.6F94E22816D@palinka.tinho.net> Message-ID: On May 30, 2014, at 4:56 AM, dan at geer.org wrote: > > | > | Could this non-notice be a Lavabit/Silent Circle type announcement/warning? > | > > We need, somehow, a safe word for such projects. Presumably one > that is triggered by a failed keep-alive. This has been discussed > before variously, but it may be an idea whose time has come. Design > will require choices between false alarms and silent failure. > > --dan > A deadman switch for NSL alerts would make for an interesting case. Would a judge rule that you had “spoken” about the NSL by failing to send the keep-alive messages, thus compelling you to continuously speak the lie that you have not received one?
-- Lance Cottrell loki at obscura.com From bmanning at isi.edu Fri May 30 07:22:24 2014 From: bmanning at isi.edu (manning bill) Date: Fri, 30 May 2014 07:22:24 -0700 Subject: is truecrypt dead? In-Reply-To: <20140530115615.6F94E22816D@palinka.tinho.net> References: <20140530115615.6F94E22816D@palinka.tinho.net> Message-ID: sort of like the; “We have not received a NSL today” notice… /bill Neca eos omnes. Deus suos agnoscet. On 30May2014Friday, at 4:56, dan at geer.org wrote: > > | > | Could this non-notice be a Lavabit/Silent Circle type announcement/warning? > | > > We need, somehow, a safe word for such projects. Presumably one > that is triggered by a failed keep-alive. This has been discussed > before variously, but it may be an idea whose time has come. Design > will require choices between false alarms and silent failure. > > --dan > From dan at geer.org Fri May 30 04:56:15 2014 From: dan at geer.org (dan at geer.org) Date: Fri, 30 May 2014 07:56:15 -0400 Subject: Fwd: is truecrypt dead? In-Reply-To: Your message of "Thu, 29 May 2014 11:26:18 EDT." <5387519A.70506@nrk.com> Message-ID: <20140530115615.6F94E22816D@palinka.tinho.net> | | Could this non-notice be a Lavabit/Silent Circle type announcement/warning? | We need, somehow, a safe word for such projects. Presumably one that is triggered by a failed keep-alive. This has been discussed before variously, but it may be an idea whose time has come. Design will require choices between false alarms and silent failure. --dan From jamesdbell9 at yahoo.com Fri May 30 09:11:33 2014 From: jamesdbell9 at yahoo.com (jim bell) Date: Fri, 30 May 2014 09:11:33 -0700 (PDT) Subject: is truecrypt dead?
In-Reply-To: References: <20140530115615.6F94E22816D@palinka.tinho.net> Message-ID: <1401466293.81876.YahooMailNeo@web126204.mail.ne1.yahoo.com> From: Lance Cottrell On May 30, 2014, at 4:56 AM, dan at geer.org wrote: >> | Could this non-notice be a Lavabit/Silent Circle type announcement/warning? >> We need, somehow, a safe word for such projects. Presumably one >> that is triggered by a failed keep-alive. This has been discussed >> before variously, but it may be an idea whose time has come. Design >> will require choices between false alarms and silent failure. >> --dan >A deadman switch for NSL alerts would make for an interesting case. Would a judge rule that you had “spoken” >about the NSL by failing to send the keep-alive messages, thus compelling you to continuously speak the lie >that you have not received one? >Lance Cottrell >loki at obscura.com It would be a very interesting test case. I would say it shouldn't happen, but a lot of outrages occur. Another version might be where an American company informs its foreign law firm of the status of the court order; the foreign law firm has a long-standing practice (contracted by the American company) of publishing the status of the NSL-status remotely. The (American) judge would not have any jurisdiction over the foreign law firm to order it to (falsely) claim that no NSL order had arrived at the American company. At that point, the question will be, "Can a judge order an American company to not inform its foreign law firm of relevant information (an NSL order), solely because if it did, the foreign law firm will adjust its publication of an announcement?" Jim Bell
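The keep-alive "safe word" that dan at geer.org describes in this thread, and the trade-off he names between false alarms and silent failure, as an added example that is not part of any message here: it replays a watcher over a publication history and scores three grace periods. The dates, the two late publications and the function names are constructed for illustration, and the example assumes each keep-alive's authenticity is verified separately.

```python
from bisect import bisect_right
from datetime import datetime, timedelta


def watcher_alarms(published, checks, interval, grace):
    """Return the poll times at which a watcher would raise the alarm.

    published: sorted datetimes at which a keep-alive appeared.
    checks: datetimes at which the watcher polls.
    The alarm is raised once the newest visible keep-alive is at least
    interval + grace old.
    """
    alarms = []
    for now in checks:
        seen = bisect_right(published, now)  # keep-alives visible at `now`
        if seen and now - published[seen - 1] >= interval + grace:
            alarms.append(now)
    return alarms


def score_grace(published, checks, interval, grace, first_missed):
    """Score one grace setting against a history whose real stop is known.

    first_missed is when the first keep-alive that never arrived was due.
    Returns (false_alarm_episodes, detection_delay).
    """
    alarms = set(watcher_alarms(published, checks, interval, grace))
    episodes, delay, previous = 0, None, False
    for now in checks:
        alarming = now in alarms
        if now < first_missed:
            if alarming and not previous:
                episodes += 1           # alarm while nothing was wrong
        elif alarming and delay is None:
            delay = now - first_missed  # how long the real stop went unnoticed
        previous = alarming
    return episodes, delay


# Constructed history: a daily keep-alive for ten days, two of them late
# for mundane reasons, then publication stops for real.
DAY, HOUR = timedelta(days=1), timedelta(hours=1)
T0 = datetime(2014, 6, 1)
LATE = {3: 9 * HOUR, 6: 18 * HOUR}
PUBLISHED = [T0 + k * DAY + LATE.get(k, timedelta(0)) for k in range(10)]
FIRST_MISSED = T0 + 10 * DAY
CHECKS = [T0 + h * HOUR for h in range(13 * 24 + 1)]  # hourly polls


def tradeoff_table():
    """Grace period in hours -> (false alarm episodes, detection delay)."""
    return {
        hours: score_grace(PUBLISHED, CHECKS, DAY, hours * HOUR, FIRST_MISSED)
        for hours in (1, 12, 24)
    }


if __name__ == "__main__":
    for hours, (episodes, delay) in tradeoff_table().items():
        print(f"grace {hours:>2}h: {episodes} false alarm(s), real stop noticed after {delay}")
```

A short grace period alarms on every late publication, while a long one stays quiet but lets a real stop go unnoticed for the whole grace period.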
From 42 at enigmabox.net Fri May 30 03:30:23 2014 From: 42 at enigmabox.net (42) Date: Fri, 30 May 2014 12:30:23 +0200 Subject: Truecrypt tinfoil hat testing In-Reply-To: <72679957331d74b9222dfd38e97323bc@smtp.hushmail.com> References: <72679957331d74b9222dfd38e97323bc@smtp.hushmail.com> Message-ID: <20140530123023.92304d27cc769506246b6c96@enigmabox.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thu, 29 May 2014 21:23:27 +0100 NullDev wrote: > It would be interesting to see if it's in anyone's scope to compare > the source code with other versions of 7.1a for Linux: it's beyond > mine, apologies. If anyone wants me to send them the tarball I'll be > happy to oblige. I have downloaded all the 7.1a TrueCrypt versions long before that shutdown, and made them available here: https://enigmabox.net/truecrypt/ According to http://truecryptcheck.wordpress.com/, my versions seem sane. - -- 42 <42 at enigmabox.net> From grarpamp at gmail.com Fri May 30 11:25:33 2014 From: grarpamp at gmail.com (grarpamp) Date: Fri, 30 May 2014 14:25:33 -0400 Subject: NSL's [was TrueCrypt]
Message-ID: > Have NSLs held up in court against the First Amendment? > It's already constitutional that freedom of speech cannot be prevented > except to prevent immediate, tangible harm to others. > If you want > to challenge them, publish one on your blog and say "sue me, let's see what > the supreme court says". This above is exactly one of the key issues. Either - You have the right to speak freely under the 1st, or you don't. - NSL's are 4th compliant warrants, or common orders/subpoenas, having all been reviewed and issued by a judge having jurisdiction, subject to challenge, etc... or they aren't. - The FISA court is a proper court established, operating and regulated under the judicial branch, beholden to the Supreme, or it isn't. Some say: You do, they're toilet paper, it's legislative or executive. With thousands of letters issued there are similarly many chances to challenge it, yet so far it seems only a few have started on the direct route and everyone else seems too chicken. That ratio could really be improved. [For the schemers, and though not really a proper stand up fight, there are probably even a few dual citizens who have received them who could just as happily relocate back home offshore and publish (if not fight) from there. You at least retain the first person perspective that way.] https://en.wikipedia.org/wiki/National_Security_Letter http://www.law.cornell.edu/wex/first_amendment http://www.law.cornell.edu/wex/fourth_amendment https://en.wikipedia.org/wiki/United_States_Foreign_Intelligence_Surveillance_Court https://en.wikipedia.org/wiki/Patriot_Act From cathalgarvey at cathalgarvey.me Fri May 30 07:02:48 2014 From: cathalgarvey at cathalgarvey.me (Cathal (phone)) Date: Fri, 30 May 2014 15:02:48 +0100 Subject: is truecrypt dead? In-Reply-To: References: <20140530115615.6F94E22816D@palinka.tinho.net> Message-ID: I recall hearing of exactly that occurring, yes. 
The secret police can not only force you not to speak, but to publicly declare everything is fine. On 30 May 2014 14:44:32 GMT+01:00, Lance Cottrell wrote: >On May 30, 2014, at 4:56 AM, dan at geer.org wrote: > >> >> | >> | Could this non-notice be a Lavabit/Silent Circle type >announcement/warning? >> | >> >> We need, somehow, a safe word for such projects. Presumably one >> that is triggered by a failed keep-alive. This has been discussed >> before variously, but it may be an idea whose time has come. Design >> will require choices between false alarms and silent failure. >> >> --dan >> > >A deadman switch for NSL alerts would make for an interesting case. >Would a judge rule that you had “spoken” about the NSL by failing to >send the keep-alive messages, thus compelling you to continuously speak >the lie that you have not received one? > >-- >Lance Cottrell >loki at obscura.com -- Sent from my Android device with K-9 Mail. Please excuse my brevity. From Valdis.Kletnieks at vt.edu Fri May 30 12:25:45 2014 From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks at vt.edu) Date: Fri, 30 May 2014 15:25:45 -0400 Subject: is truecrypt dead? In-Reply-To: Your message of "Sat, 31 May 2014 00:05:19 +1000." <1401458719.19299.123306033.0492E753@webmail.messagingengine.com> References: <20140530115615.6F94E22816D@palinka.tinho.net> <1401458719.19299.123306033.0492E753@webmail.messagingengine.com> Message-ID: <13029.1401477945@turing-police.cc.vt.edu> On Sat, 31 May 2014 00:05:19 +1000, Alfie John said: > Have NSLs held up in court against the First Amendment? They've been ruled unconstitutional at least twice I know of (Doe v.
Gonzales in 2008 which was overturned, and last year in the 9th Circuit but the judge then stayed her own ruling in anticipation of an appeal for either an en banc hearing in the 9th Circuit or to the Supreme Court). However, given the current makeup of the Supreme Court, we probably *don't* want it getting appealed there and a bad precedent ruling be issued. From cathalgarvey at cathalgarvey.me Fri May 30 07:49:17 2014 From: cathalgarvey at cathalgarvey.me (Cathal (phone)) Date: Fri, 30 May 2014 15:49:17 +0100 Subject: is truecrypt dead? In-Reply-To: References: <20140530115615.6F94E22816D@palinka.tinho.net> Message-ID: <07076743-9277-4576-87fc-ec3d2c25abbd@email.android.com> I think the closest you could come would be a publicised mail intercept to catch posted demands and prevent you from stopping yourself revealing the letter, but that would not stop personally issued orders unless you went full-on-offshore-backup glasshole and streamed your entire conscious experience..in which case they'll just NSL another dev or invent a new charge of "preemptive obstruction" to put you in prison. When discussing fascism, stop imagining that you can game the letter of the law. It's already constitutional that freedom of speech cannot be prevented except to prevent immediate, tangible harm to others. NSLs are already blatantly illegal, stop looking for loopholes and workarounds. If you want to challenge them, publish one on your blog and say "sue me, let's see what the supreme court says". Or, don't. Middle measures are doomed to fail or backfire in undefined ways. On 30 May 2014 15:22:24 GMT+01:00, manning bill wrote: >sort of like the; “We have not received a NSL today” notice… > >/bill >Neca eos omnes. Deus suos agnoscet.
> >On 30May2014Friday, at 4:56, dan at geer.org wrote: > >> >> | >> | Could this non-notice be a Lavabit/Silent Circle type >announcement/warning? >> | >> >> We need, somehow, a safe word for such projects. Presumably one >> that is triggered by a failed keep-alive. This has been discussed >> before variously, but it may be an idea whose time has come. Design >> will require choices between false alarms and silent failure. >> >> --dan >> -- Sent from my Android device with K-9 Mail. Please excuse my brevity. From drwho at virtadpt.net Fri May 30 16:31:45 2014 From: drwho at virtadpt.net (The Doctor) Date: Fri, 30 May 2014 16:31:45 -0700 Subject: Truecrypt tinfoil hat testing In-Reply-To: <53886103.9020705@jpunix.net> References: <72679957331d74b9222dfd38e97323bc@smtp.hushmail.com> <20140530123023.92304d27cc769506246b6c96@enigmabox.net> <53886103.9020705@jpunix.net> Message-ID: <538914E1.4050302@virtadpt.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 On 05/30/2014 03:44 AM, Crypto wrote: > I've also found a repository of TrueCrypt versions. It seems to be > fairly complete. I've put it up for download. Please feel free to > share. Here's another one: https://github.com/DrWhax/truecrypt-archive Thanks, DrWhax. - -- The Doctor [412/724/301/703] [ZS] Developer, Project Byzantium: http://project-byzantium.org/ PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1 WWW: https://drwho.virtadpt.net/ FizerPharm: Trust. Profit. Deniability.
From juan.g71 at gmail.com Fri May 30 12:35:49 2014 From: juan.g71 at gmail.com (Juan) Date: Fri, 30 May 2014 16:35:49 -0300 Subject: is truecrypt dead? In-Reply-To: References: <20140530115615.6F94E22816D@palinka.tinho.net> Message-ID: <5388dd1c.0235ec0a.107f.ffffe584@mx.google.com> On Fri, 30 May 2014 06:44:32 -0700 Lance Cottrell wrote: > On May 30, 2014, at 4:56 AM, dan at geer.org wrote: > > > > > | > > | Could this non-notice be a Lavabit/Silent Circle type > > announcement/warning? | > > > > We need, somehow, a safe word for such projects. Presumably one > > that is triggered by a failed keep-alive. This has been discussed > > before variously, but it may be an idea whose time has come. Design > > will require choices between false alarms and silent failure. > > > > --dan > > > > A deadman switch for NSL alerts would make for an interesting case. > Would a judge rule that you had “spoken” about the NSL by failing to > send the keep-alive messages, thus compelling you Why not? Compulsion is their business model. > to continuously > speak the lie that you have not received one?
> > -- > Lance Cottrell > loki at obscura.com > > > From tedks at riseup.net Fri May 30 16:47:52 2014 From: tedks at riseup.net (Ted Smith) Date: Fri, 30 May 2014 16:47:52 -0700 Subject: is truecrypt dead? In-Reply-To: <3246826.c8OhFmr1tt@lapuntu> References: <20140530115615.6F94E22816D@palinka.tinho.net> <3246826.c8OhFmr1tt@lapuntu> Message-ID: <1401493672.9499.2.camel@anglachel> On Fri, 2014-05-30 at 23:25 +0200, rysiek wrote: > Thoughts? When are smart people going to realize there is nothing legal you can do to disclose receipt of an NSL, no matter how big your Rube Goldberg machine is, and act accordingly? -- Sent from Ubuntu From grarpamp at gmail.com Fri May 30 16:44:38 2014 From: grarpamp at gmail.com (grarpamp) Date: Fri, 30 May 2014 19:44:38 -0400 Subject: NSL's [was TrueCrypt] In-Reply-To: References: <5388D35E.8030506@cathalgarvey.me> Message-ID: On Fri, May 30, 2014 at 2:52 PM, Cathal Garvey wrote: > The problem as I see it is that those who have chosen to battle NSLs on > constitutional grounds have undermined their own assertion of > constitutional right by keeping the NSLs secret while they await their > day in court. > > If you believe you have a constitutional right not to be bullied by > secret police and being forced to keep that a secret, then you should > just come out and say what's happening. That way, the highly political > court that's going to try to indict you anyway will at least have to > operate under public scrutiny and criticism. All true. And it's not as if the penalty, even if considered criminal, would be anything more than trivial [1]. Further, if you are a business owner who is judged against - personally, you are your own employer so nobody can fire you. - business license pulled, liquidate and sell it back to yourself. A jury would likely "you're here for publishing this? Lol, go home." The actual risk seems rather low. I'd do it just for the fame. [1] Feel free to supply links to US code. 
> Of course, the rational thing to do is to keep quiet and do as instructed by the stasi

Only if you are certain you will win 'soon'. History shows waiting yields a long hard bloody road.

> or to flee the country to somewhere that recognises amnesty from history's largest and best armed superpower. Good luck with the latter.

The US isn't doing so hot right now in the world reputation dept, so your odds of washing up on anyone's shore and being welcomed to stay for protesting your dissatisfaction, are probably approaching good.

From cathalgarvey at cathalgarvey.me Fri May 30 11:52:14 2014
From: cathalgarvey at cathalgarvey.me (Cathal Garvey)
Date: Fri, 30 May 2014 19:52:14 +0100
Subject: NSL's [was TrueCrypt]
In-Reply-To:
References:
Message-ID: <5388D35E.8030506@cathalgarvey.me>

The problem as I see it is that those who have chosen to battle NSLs on constitutional grounds have undermined their own assertion of constitutional right by keeping the NSLs secret while they await their day in court.

If you believe you have a constitutional right not to be bullied by secret police and being forced to keep that a secret, then you should just come out and say what's happening. That way, the highly political court that's going to try to indict you anyway will at least have to operate under public scrutiny and criticism.

Of course, the rational thing to do is to keep quiet and do as instructed by the stasi, or to flee the country to somewhere that recognises amnesty from history's largest and best armed superpower. Good luck with the latter.

On 30/05/14 19:25, grarpamp wrote:
>> Have NSLs held up in court against the First Amendment?
>
>> It's already constitutional that freedom of speech cannot be prevented except to prevent immediate, tangible harm to others.
>> If you want to challenge them, publish one on your blog and say "sue me, let's see what the supreme court says".
>
> This above is exactly one of the key issues.
> Either
> - You have the right to speak freely under the 1st, or you don't.
> - NSL's are 4th compliant warrants, or common orders/subpoenas, having all been reviewed and issued by a judge having jurisdiction, subject to challenge, etc... or they aren't.
> - The FISA court is a proper court established, operating and regulated under the judicial branch, beholden to the Supreme, or it isn't.
>
> Some say: You do, they're toilet paper, it's legislative or executive. With thousands of letters issued there are similarly many chances to challenge it, yet so far it seems only a few have started on the direct route and everyone else seems too chicken. That ratio could really be improved.
>
> [For the schemers, and though not really a proper stand up fight, there are probably even a few dual citizens who have received them who could just as happily relocate back home offshore and publish (if not fight) from there. You at least retain the first person perspective that way.]
>
> https://en.wikipedia.org/wiki/National_Security_Letter
> http://www.law.cornell.edu/wex/first_amendment
> http://www.law.cornell.edu/wex/fourth_amendment
> https://en.wikipedia.org/wiki/United_States_Foreign_Intelligence_Surveillance_Court
> https://en.wikipedia.org/wiki/Patriot_Act
>

--
T: @onetruecathal, @IndieBBDNA
P: +353876363185
W: http://indiebiotech.com

From grarpamp at gmail.com Fri May 30 17:01:28 2014
From: grarpamp at gmail.com (grarpamp)
Date: Fri, 30 May 2014 20:01:28 -0400
Subject: is truecrypt dead?
In-Reply-To: <3246826.c8OhFmr1tt@lapuntu>
References: <20140530115615.6F94E22816D@palinka.tinho.net> <3246826.c8OhFmr1tt@lapuntu>
Message-ID:

> Thoughts?

All moot. When someone walks into your office and hands you a letter you have two choices... operate according to their whim. Or publish the damn letter with whatever redactions or lack thereof you feel are appropriate.

From dan at geer.org Fri May 30 19:46:05 2014
From: dan at geer.org (dan at geer.org)
Date: Fri, 30 May 2014 22:46:05 -0400
Subject: is truecrypt dead?
In-Reply-To: Your message of "Fri, 30 May 2014 20:01:28 EDT."
Message-ID: <20140531024605.94E95228241@palinka.tinho.net>

grarpamp writes:
| > Thoughts?
|
| All moot. When someone walks into your office and hands you a letter you have two choices... operate according to their whim. Or publish the damn letter with whatever redactions or lack thereof you feel are appropriate.

Is it really your position that one's choice is to either emulate Mohamed Bouazizi or acquiesce?

I will not do design off the cuff on a mailing list, but I'm certain that a steganographic keep alive is designable. If you (for all values of you) want to continue in the actual direction of design, I'll join with you in that. I have zero free time and I am not a crypto mathematician, but I can offer one tool (or so I think):

http://geer.tinho.net/geer.yung.pdf

wherein Moti and I show that it is possible to encode any arbitrary monotone logic in the structure of split keys.

As always, I assume this list is monitored. Likewise, I assume that any technologic solution is both temporary and second best to the diminishment of government, per se.

--dan

From grarpamp at gmail.com Fri May 30 20:25:04 2014
From: grarpamp at gmail.com (grarpamp)
Date: Fri, 30 May 2014 23:25:04 -0400
Subject: is truecrypt dead?
In-Reply-To: <20140531024605.94E95228241@palinka.tinho.net>
References: <20140531024605.94E95228241@palinka.tinho.net>
Message-ID:

As people have said, there's no point in fancy contraptions. You either got the letter or you didn't. Whatever means you let that be known doesn't matter, the observed result has exactly the same meaning as holding it up on the street would.

> Is it really your position that one's choice is to either emulate Mohamed Bouazizi or acquiesce?

The degree of redaction is up to you. But if your object is to test issues, you probably won't get far by just speaking 'yes or no you got one' on a soapbox. ie: The stupid rounded numbers self-reporting game yahoo, ms, gmail are playing with nsl counts.

From rysiek at hackerspace.pl Fri May 30 14:25:24 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Fri, 30 May 2014 23:25:24 +0200
Subject: is truecrypt dead?
In-Reply-To:
References: <20140530115615.6F94E22816D@palinka.tinho.net>
Message-ID: <3246826.c8OhFmr1tt@lapuntu>

On Friday, 30 May 2014 07:22:24 manning bill wrote:
> sort of like the; “We have not received a NSL today” notice…

Wait, this is actually much better than the standard canary "We have not received NSL yet".

In the standard canary case, a court can supposedly order you to lie. But with such a short-lived (one-day) message of "We have not received an NSL during the last 24 hours", published via RSS, a third-party could set-up a monitoring website that automagically federates any such "canary feed", and as soon as any of them has a single day of lack of such message just mark it as "possibly received NSL on ", or even "did not confirm that did not receive an NSL on ".

The person that received the NSL can then be forced to keep publishing the "We have not received NSL today" message, but the signal has been sent already, and there would have to be a yet another NSL to the federation service operator.
Bonus: the NSL can even make the original addressee publish "We have never received an NSL", which would be even a stronger signal.

If there are several such operators, this becomes more and more non-trivial.

Thoughts?

--
Regards
rysiek

From grarpamp at gmail.com Fri May 30 21:00:52 2014
From: grarpamp at gmail.com (grarpamp)
Date: Sat, 31 May 2014 00:00:52 -0400
Subject: Curious Intellectual Property Food-for-thought: "Live-forever Pingers"
In-Reply-To: <1397335078.49963.YahooMailNeo@web126204.mail.ne1.yahoo.com>
References: <1397335078.49963.YahooMailNeo@web126204.mail.ne1.yahoo.com>
Message-ID:

On Sat, Apr 12, 2014 at 4:37 PM, jim bell wrote:
> art". A month ago, when it became obvious that finding Air Malaysia Flight 370 could be difficult, the 30-day limit of the electronic pingers got me to thinking. Why? Instead of pinging for 30 days, why not have them ping increasingly slowly, so that the pinger would last 'forever'. Considered

These boxes need to
- record and store data
- be tamper evident and monkey resistant
- withstand being dive bombed into the side of a mountain, impaled by ragged airframe bits, signposts, etc at over mach 0.92
- deal with 100 story concrete and steel burning buildings falling on them
- handle being frozen/quenched after a nice 600++ degF fire for an hour or so
- float over, or, if attached to a bunch of scrap, sink to the bottom of, the Marianas without being crushed or infiltration water

And for the transmitter model, have both high freq (ground, low power) and low freq (undersea, higher power; or acoustic) transmitters... you then want to add the impact mass / heat reactive carrying of enough tarmac float chargeable battery in the internal roll cage to last 'forever [1]' ... all at a cost an airline will buy?
You've clearly got alien tech, let's make some money :)

Better than trying to build and maintain single indestructible battle tanks is to distribute in the airframe a few cheap brick sized modules dedicated to locator beeping. Fan out duplicate recording streams to their flash memories. Let em run powered 24x7x365. And autopop a dozen more out the ass end like a roman candle if inflight do-not-exceed params are ever exceeded.

This note constitutes prior art.

[1] All batteries self discharge, current load saps more, physical distortion and heat are death. So let's say a couple months for low mass lithiums.

From alfiej at fastmail.fm Fri May 30 07:05:19 2014
From: alfiej at fastmail.fm (Alfie John)
Date: Sat, 31 May 2014 00:05:19 +1000
Subject: is truecrypt dead?
In-Reply-To:
References: <20140530115615.6F94E22816D@palinka.tinho.net>
Message-ID: <1401458719.19299.123306033.0492E753@webmail.messagingengine.com>

On Fri, May 30, 2014, at 11:44 PM, Lance Cottrell wrote:
> A deadman switch for NSL alerts would make for an interesting case. Would a judge rule that you had “spoken” about the NSL by failing to send the keep-alive messages, thus compelling you to continuously speak the lie that you have not received one?

Have NSLs held up in court against the First Amendment?

Alfie

--
Alfie John
alfiej at fastmail.fm

From grarpamp at gmail.com Sat May 31 08:24:40 2014
From: grarpamp at gmail.com (grarpamp)
Date: Sat, 31 May 2014 11:24:40 -0400
Subject: is truecrypt dead?
In-Reply-To: <5389DEE7.9050600@cathalgarvey.me>
References: <20140531024605.94E95228241@palinka.tinho.net> <5389DEE7.9050600@cathalgarvey.me>
Message-ID:

> optimist

Pessimists tend to shut themselves down before figuring out how to do something.

From grarpamp at gmail.com Sat May 31 08:54:37 2014
From: grarpamp at gmail.com (grarpamp)
Date: Sat, 31 May 2014 11:54:37 -0400
Subject: Our nameless project.
In-Reply-To: <5389C3F1.9050305@gmail.com>
References: <5389BBDE.8050803@gmail.com> <20140531114251.GB1973@miyamoto> <5389C3F1.9050305@gmail.com>
Message-ID:

> hosts that communicate each other spoofing the source ip
> will receive the file with spoofed ip
> in our network all the source ips are fake (spoofed ips)
> our project delete your real ip and put a one fake.

This may work in your test lan, but on the real internet, packets with bogus src ip's are generally dropped at the customer interface with rpf and other filters, thus breaking your app.

> With this method the receiver don't know who want to download X file and if the NSA or FBI get the logs of the receiver they can not use it for trace the origin.

They will become a receiver and trace them back with netflow.

From davidroman96 at gmail.com Sat May 31 04:24:14 2014
From: davidroman96 at gmail.com (davidroman96)
Date: Sat, 31 May 2014 13:24:14 +0200
Subject: Our nameless project.
Message-ID: <5389BBDE.8050803@gmail.com>

I want to present an idea to improve anonymity and privacy on the internet that me and my companion are building.

How it works:

To improve anonymity, the different hosts are connected with groups of multiple hosts that communicate each other spoofing the source ip and broadcasting the messages that have to be sent to some host. With this method the receiver don't know who want to download X file and if the NSA or FBI get the logs of the receiver they can not use it for trace the origin. The sender don't know who have X file because they have sent a broadcast request for download a file and will receive the file with spoofed ip, is 99% anonymous, the only problem is that the ISP can always know if you are using this program.

For the cryptography we use SHA-3 (keccak) for hashing, AES, ECDSA and the better algorithms and methods that we know (we are only amateur cryptologists).
With cryptography is easy to protect data against the ISP MitM but it's more difficult to send private messages to a single person. For this reason the topology for the network is of isolated groups with their own private key for the members, obviously a group can be public. Of course a group of 2 people is useless because there are not anonymity xD Bigger groups, more entropy, more anonymity.

For the "POC" we are using UDP. UDP only can send small packets of ~64kb, therefore, it can be used for a chat but is too slow to download big files. We have sacrificed speed to increase anonymity and privacy. We have "tested" it in a small group of people and for this reason we can not say if it works or not, but in theory it works!

And that is the idea :) , what do you think?

PS: Sorry for my english :P

From pgut001 at cs.auckland.ac.nz Fri May 30 18:26:05 2014
From: pgut001 at cs.auckland.ac.nz (Peter Gutmann)
Date: Sat, 31 May 2014 13:26:05 +1200
Subject: is truecrypt dead?
In-Reply-To: <1401493672.9499.2.camel@anglachel>
Message-ID:

Ted Smith writes:

>When are smart people going to realize there is nothing legal you can do to disclose receipt of an NSL, no matter how big your Rube Goldberg machine is, and act accordingly?

The problem is that technically smart people aren't legally smart, and think that a court/judge can be stymied with a modexp operation. You can't really convince them that the law will get at them eventually, no matter how fancy they make their Rube Goldberg machine.

Peter.

From danimoth at cryptolab.net Sat May 31 04:42:51 2014
From: danimoth at cryptolab.net (danimoth)
Date: Sat, 31 May 2014 13:42:51 +0200
Subject: Our nameless project.
In-Reply-To: <5389BBDE.8050803@gmail.com>
References: <5389BBDE.8050803@gmail.com>
Message-ID: <20140531114251.GB1973@miyamoto>

On 31/05/14 at 01:24pm, davidroman96 wrote:
> And that is the idea :) , what do you think?
>
> PS: Sorry for my english :P

Apart from english (I'm using aspell as spellchecker, and it works well.. give it a try), do you have read some literature about this field? Are you on the "state of art" ? What are the differences (and why they are better) among your proposal and, say, DC nets or onion nets ?

Thank you

From l at odewijk.nl Sat May 31 04:54:04 2014
From: l at odewijk.nl (Lodewijk andré de la porte)
Date: Sat, 31 May 2014 13:54:04 +0200
Subject: Our nameless project.
In-Reply-To: <20140531114251.GB1973@miyamoto>
References: <5389BBDE.8050803@gmail.com> <20140531114251.GB1973@miyamoto>
Message-ID:

You seem to forget timing attacks completely. This sounds like a restart of the TOR project, but without learning lessons from the TOR project.

From davidroman96 at gmail.com Sat May 31 04:58:41 2014
From: davidroman96 at gmail.com (davidroman96)
Date: Sat, 31 May 2014 13:58:41 +0200
Subject: Our nameless project.
In-Reply-To: <20140531114251.GB1973@miyamoto>
References: <5389BBDE.8050803@gmail.com> <20140531114251.GB1973@miyamoto>
Message-ID: <5389C3F1.9050305@gmail.com>

On 31/05/14 13:42, danimoth wrote:
> On 31/05/14 at 01:24pm, davidroman96 wrote:
>> And that is the idea :) , what do you think?
>>
>> PS: Sorry for my english :P
> Apart from english (I'm using aspell as spellchecker, and it works well.. give it a try), do you have read some literature about this field? Are you on the "state of art" ? What are the differences (and why they are better) among your proposal and, say, DC nets or onion nets ?
>
>
> Thank you
>

In the Onion network if the first node is fake, they can get your real ip and catch you, in our network all the source ips are fake (spoofed ips), therefore, if they read the logs they don't know who are you really.
onion nets obfuscate your ip with proxy, our project delete your real ip and put a one fake. For this reason all communications are with groups and broadcastings.

From thefox21at at gmail.com Sat May 31 05:14:18 2014
From: thefox21at at gmail.com (Christian Mayer)
Date: Sat, 31 May 2014 14:14:18 +0200
Subject: Our nameless project.
In-Reply-To: <5389BBDE.8050803@gmail.com>
References: <5389BBDE.8050803@gmail.com>
Message-ID:

On Sat, May 31, 2014 at 1:24 PM, davidroman96 wrote:

> For the "POC" we are using UDP. UDP only can send small packets of ~64kb, therefore, it can be used for a chat but is too slow to download big files. We have sacrificed speed to increase anonymity and privacy. We have "tested" it in a small group of people and for this reason we can not say if it works or not, but in theory it works!
>

"tested"? Any source code to show?

From davidroman96 at gmail.com Sat May 31 05:32:15 2014
From: davidroman96 at gmail.com (davidroman96)
Date: Sat, 31 May 2014 14:32:15 +0200
Subject: Our nameless project.
In-Reply-To: <20140531115722.GC4409@nestor.local>
References: <5389BBDE.8050803@gmail.com> <20140531115722.GC4409@nestor.local>
Message-ID: <5389CBCF.9040406@gmail.com>

On 31/05/14 13:57, Meredith L. Patterson wrote:
> On Sat, May 31, 2014 at 01:24:14PM +0200, davidroman96 wrote:
>> I want to present an idea to improve anonymity and privacy on the internet that me and my companion are building.
> [...]
>
>> We have "tested" it in a small group of people and for this reason we can not say if it works or not, but in theory it works!
> No, in proof of concept it moves data around. You've given us a back-of-the-napkin sketch without enough information to actually model your system.
> You can say all kinds of nice things about a data transmission system with various crypto primitives mixed in, but you cannot truthfully say that your system advances the state of either anonymity or privacy unless you can show that the properties you wish to preserve hold throughout the system. *Then* you can say it works in theory.
>
> In order to say that it works in practice, there's a whole different set of hurdles.
>
>
>
> --mlp
>

We wanted to listen the opinions before build a formal model. Our project still starts and we don't know how it will finish but I think that can be interesting.

From danimoth at cryptolab.net Sat May 31 05:43:09 2014
From: danimoth at cryptolab.net (danimoth)
Date: Sat, 31 May 2014 14:43:09 +0200
Subject: Our nameless project.
In-Reply-To:
References: <5389BBDE.8050803@gmail.com>
Message-ID: <20140531124309.GC1973@miyamoto>

On 31/05/14 at 02:14pm, Christian Mayer wrote:
> On Sat, May 31, 2014 at 1:24 PM, davidroman96 wrote:
>
> > For the "POC" we are using UDP. UDP only can send small packets of ~64kb, therefore, it can be used for a chat but is too slow to download big files. We have sacrificed speed to increase anonymity and privacy. We have "tested" it in a small group of people and for this reason we can not say if it works or not, but in theory it works!
> >
>
> "tested"? Any source code to show?

I missed that part completely. What does it mean that "UDP is too slow because of packet size of 64 kb" ? To me, it seems an ugly claim. Do you know that ethernet will fragment it in pieces of ~1 kb, and the most common segment size on the Internet is around 500 bytes ? TCP maximum segment size is also 16 bit long.. Your proposal requires a modification of the most transport protocols of the internet, and IPv6 with jumbo frames?

Really, take a look onto DC nets, they are quite old but far superior to your proposal (but they have some drawbacks).

I see too much approximation, I'm sorry.
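An added illustration, not code from any list member or project: the reverse-path filtering grarpamp refers to earlier in this thread ("dropped at the customer interface with rpf"), modelled as a strict and a loose unicast RPF check against a small forwarding table. The interface names, the prefixes (documentation ranges) and the names `Fib`, `urpf_accept` and `filter_packets` are assumptions made for the example.

```python
import ipaddress

# Constructed forwarding table of a hypothetical ISP edge router.
# Prefixes are documentation ranges; interface names are made up.
EDGE_ROUTES = [
    ("203.0.113.0/24", "cust0"),      # the customer's assigned prefix
    ("198.51.100.0/24", "peer1"),     # a prefix reached through a peer
    ("0.0.0.0/0", "upstream0"),       # default route
]


class Fib:
    """Minimal IPv4 forwarding table with longest-prefix match."""

    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(p), ifname) for p, ifname in routes]

    def lookup(self, addr):
        """Return (network, interface) of the most specific route, or None."""
        ip = ipaddress.ip_address(addr)
        matches = [(net, ifname) for net, ifname in self.routes if ip in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)


def urpf_accept(fib, src, in_if, mode="strict"):
    """Decide whether a packet with source `src` arriving on `in_if` passes.

    strict: the best route back to `src` must point out of `in_if`.
    loose:  some route to `src` other than the default route must exist.
    """
    hit = fib.lookup(src)
    if hit is None:
        return False
    net, out_if = hit
    if mode == "strict":
        return out_if == in_if
    if mode == "loose":
        return net.prefixlen > 0
    raise ValueError("mode must be 'strict' or 'loose'")


def filter_packets(fib, packets, mode="strict"):
    """Split constructed (src, in_if) pairs into forwarded and dropped lists."""
    forwarded, dropped = [], []
    for src, in_if in packets:
        bucket = forwarded if urpf_accept(fib, src, in_if, mode) else dropped
        bucket.append((src, in_if))
    return forwarded, dropped


# Constructed traffic seen on the customer-facing interface.
SAMPLE_PACKETS = [
    ("203.0.113.9", "cust0"),    # the customer's own address
    ("198.51.100.7", "cust0"),   # source that is routed via peer1, not cust0
    ("192.0.2.55", "cust0"),     # source covered only by the default route
]

if __name__ == "__main__":
    fib = Fib(EDGE_ROUTES)
    for mode in ("strict", "loose"):
        fwd, drop = filter_packets(fib, SAMPLE_PACKETS, mode)
        print(mode, "forwarded:", fwd, "dropped:", drop)
```

In strict mode only the packet whose source lies in the customer's own prefix leaves the edge router, which is the behaviour the reply describes as breaking the application.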
From cathalgarvey at cathalgarvey.me Sat May 31 06:53:43 2014
From: cathalgarvey at cathalgarvey.me (Cathal Garvey)
Date: Sat, 31 May 2014 14:53:43 +0100
Subject: is truecrypt dead?
In-Reply-To: <20140531024605.94E95228241@palinka.tinho.net>
References: <20140531024605.94E95228241@palinka.tinho.net>
Message-ID: <5389DEE7.9050600@cathalgarvey.me>

The question is not whether or not you can securely disclose that you are under NSL. The question is whether you can do so without, when the word breaks, being in trouble for leaking that information.

So yes, you can establish all sorts of wonderful contraptions that "get the word out", publicly or privately, on or off-shore, so that the people outside can disseminate warnings that you've been compromised. But in the end, the stasi will blame you, and no matter how much cooked-up legal convolution you wrap yourself in, they will nail you to a cross.

My view is that engaging in such convolutions serves two counterproductive ends:

1) It makes it seem as if you acknowledge that you should not be disclosing the NSL; a Jury, if you were so lucky and were actually allowed to testify before them in your defence (lol Grand Jury) would be suspicious of your motives. Why all the cloak-and-dagger? It's easy for the prosecution to make you seem shady and suspicious for acting in that way.

2) It delays your disclosure and allows the stasi time and opportunity to preempt and prevent your disclosure entirely.

Also, @Grarpamp; you're an optimist, clearly. The US may be exhausting political capital fast, but it has plenty of political capital, and plenty of economic capital to back that up when it fails. In the end, they'll get you unless you're big enough to occupy international attention and get a state-level ally to protect you. The only two people to even partially escape persecution so far are holed up under the protection of state-level adversaries of the US, and even they are still at significant risk.

On 31/05/14 03:46, dan at geer.org wrote:
> grarpamp writes:
> | > Thoughts?
> |
> | All moot. When someone walks into your office and hands you a letter you have two choices... operate according to their whim. Or publish the damn letter with whatever redactions or lack thereof you feel are appropriate.
>
>
> Is it really your position that one's choice is to either emulate Mohamed Bouazizi or acquiesce?
>
> I will not do design off the cuff on a mailing list, but I'm certain that a steganographic keep alive is designable. If you (for all values of you) want to continue in the actual direction of design, I'll join with you in that. I have zero free time and I am not a crypto mathematician, but I can offer one tool (or so I think):
>
> http://geer.tinho.net/geer.yung.pdf
>
> wherein Moti and I show that it is possible to encode any arbitrary monotone logic in the structure of split keys.
>
> As always, I assume this list is monitored. Likewise, I assume that any technologic solution is both temporary and second best to the diminishment of government, per se.
>
> --dan
>

--
T: @onetruecathal, @IndieBBDNA
P: +353876363185
W: http://indiebiotech.com

From davidroman96 at gmail.com Sat May 31 05:55:08 2014
From: davidroman96 at gmail.com (davidroman96)
Date: Sat, 31 May 2014 14:55:08 +0200
Subject: Our nameless project.
In-Reply-To: <20140531124309.GC1973@miyamoto>
References: <5389BBDE.8050803@gmail.com> <20140531124309.GC1973@miyamoto>
Message-ID: <5389D12C.5070604@gmail.com>

On 31/05/14 14:43, danimoth wrote:
> On 31/05/14 at 02:14pm, Christian Mayer wrote:
>> On Sat, May 31, 2014 at 1:24 PM, davidroman96 wrote:
>>
>>> For the "POC" we are using UDP. UDP only can send small packets of ~64kb, therefore, it can be used for a chat but is too slow to download big files. We have sacrificed speed to increase anonymity and privacy. We have "tested" it in a small group of people and for this reason we can not say if it works or not, but in theory it works!
>>>
>> "tested"? Any source code to show?
> I missed that part completely. What does it mean that "UDP is too slow because of packet size of 64 kb" ? To me, it seems an ugly claim. Do you know that ethernet will fragment it in pieces of ~1 kb, and the most common segment size on the Internet is around 500 bytes ? TCP maximum segment size is also 16 bit long.. Your proposal requires a modification of the most transport protocols of the internet, and IPv6 with jumbo frames?
>
> Really, take a look onto DC nets, they are quite old but far superior to your proposal (but they have some drawbacks).
>
> I see too much approximation, I'm sorry.
>

I say that UDP is slow not because of the size, because of send a file of 8GB with broadcast packets that maybe take some minutes to reach the destination. I know that there are a lot of problems...

PS: Thank you for the responses

From grarpamp at gmail.com Sat May 31 13:00:47 2014
From: grarpamp at gmail.com (grarpamp)
Date: Sat, 31 May 2014 16:00:47 -0400
Subject: Our nameless project.
In-Reply-To: <1401558989.2122.10.camel@localhost.localdomain>
References: <5389BBDE.8050803@gmail.com> <20140531114251.GB1973@miyamoto> <5389C3F1.9050305@gmail.com> <538A0E4D.3010502@gmail.com> <1401558989.2122.10.camel@localhost.localdomain>
Message-ID:

>> what do you think?

Try expanding the idea to a more formal or longer paper with diagrams.

>> But if multiple hosts can use the same ip how the connection can be traced? Only the ISP have the information, the receiver don't know anything apart from the content of the packet.

Your suggested adversaries can and will run a 'receiver' to get the contents. They are in the 'receiver's ISP and use netflow or other means to trace back the spoofed packets. It's basic network administration.

> message could be destined for anyone using public key encryption: if A sends a message to B and B can't decrypt it, it wasn't intended for B, so it gets forwarded to other nodes in the network.

Unless sender A is aware that final delivery was made to Z (or knows the net is reliable), broadcast models will fail to deliver reliably due to being clogged out of the links or aging. To be reliable, broadcast needs control, knowledge, or maybe unavailably large time/space.

> Traffic analysis is defeated by layering encryption and constantly sending lots of flak: nonsense messages. If you can maintain the throughput at each node as a constant and make one message look different between entering and exiting a node, I believe it would be theoretically impossible to conduct traffic analysis.

Packet sizes must also be the same throughout the network. And must be detectably immutable at each layer of link and onion-ish path encapsulation, or be dropped. ~1500 mtu minus layers = data capacity.

Related... redundancy to the destination could serve as chaff. Yet with underlying privacy, unclear on the need for redundancy (as chaff), unless the redundancy solves full path (or node) reliability issues. Otherwise 'control as chaff' seems more valuable.

From gizmoguy1 at gmail.com Sat May 31 10:56:29 2014
From: gizmoguy1 at gmail.com (John Preston)
Date: Sat, 31 May 2014 18:56:29 +0100
Subject: Our nameless project.
In-Reply-To: <538A0E4D.3010502@gmail.com>
References: <5389BBDE.8050803@gmail.com> <20140531114251.GB1973@miyamoto> <5389C3F1.9050305@gmail.com> <538A0E4D.3010502@gmail.com>
Message-ID: <1401558989.2122.10.camel@localhost.localdomain>

On Sat, 2014-05-31 at 19:15 +0200, davidroman96 wrote:
> On 31/05/14 17:54, grarpamp wrote:
> >> hosts that communicate each other spoofing the source ip
> >> will receive the file with spoofed ip
> >> in our network all the source ips are fake (spoofed ips)
> >> our project delete your real ip and put a one fake.
> > This may work in your test lan, but on the real internet, packets with bogus src ip's are generally dropped at the customer interface with rpf and other filters, thus breaking your app.
> >
> >> With this method the receiver don't know who want to download X file and if the NSA or FBI get the logs of the receiver they can not use it for trace the origin.
> > They will become a receiver and trace them back with netflow.
> >
>
> We know that the sources ips generally are dropped, this is the only problem that we have.
> But if multiple hosts can use the same ip how the connection can be traced? Only the ISP have the information, the receiver don't know anything apart from the content of the packet.
>

Except that packets will be dropped if they look like they're coming from somewhere they shouldn't: https://en.wikipedia.org/wiki/BCP_38

Instead of taking the IP spoofing approach, I would have designed the network with the intention of making it appear that a message could be destined for anyone using public key encryption: if A sends a message to B and B can't decrypt it, it wasn't intended for B, so it gets forwarded to other nodes in the network. Traffic analysis is defeated by layering encryption and constantly sending lots of flak: nonsense messages.
If you can maintain the throughput at each node as a constant and make one message look different between entering and exiting a node, I believe it would be theoretically impossible to conduct traffic analysis.

From davidroman96 at gmail.com Sat May 31 10:15:57 2014
From: davidroman96 at gmail.com (davidroman96)
Date: Sat, 31 May 2014 19:15:57 +0200
Subject: Our nameless project.
In-Reply-To:
References: <5389BBDE.8050803@gmail.com> <20140531114251.GB1973@miyamoto> <5389C3F1.9050305@gmail.com>
Message-ID: <538A0E4D.3010502@gmail.com>

On 31/05/14 17:54, grarpamp wrote:
>> hosts that communicate each other spoofing the source ip
>> will receive the file with spoofed ip
>> in our network all the source ips are fake (spoofed ips)
>> our project delete your real ip and put a one fake.
> This may work in your test lan, but on the real internet, packets with bogus src ip's are generally dropped at the customer interface with rpf and other filters, thus breaking your app.
>
>> With this method the receiver don't know who want to download X file and if the NSA or FBI get the logs of the receiver they can not use it for trace the origin.
> They will become a receiver and trace them back with netflow.
>

We know that the sources ips generally are dropped, this is the only problem that we have.
But if multiple hosts can use the same ip how the connection can be traced? Only the ISP have the information, the receiver don't know anything apart from the content of the packet.

From juan.g71 at gmail.com Sat May 31 18:19:03 2014
From: juan.g71 at gmail.com (Juan)
Date: Sat, 31 May 2014 22:19:03 -0300
Subject: Our nameless project.
In-Reply-To: <3481d0b0b58130e7eb58a41049097dc8@cajuntechie.org>
References: <5389BBDE.8050803@gmail.com> <20140531114251.GB1973@miyamoto> <5389C3F1.9050305@gmail.com> <538A0E4D.3010502@gmail.com> <20140531231915.6628117A58@pb-sasl0.pobox.com> <538A6838.8010207@gmail.com> <3481d0b0b58130e7eb58a41049097dc8@cajuntechie.org>
Message-ID: <538a7f20.6914ec0a.5b23.26b1@mx.google.com>

> > We know that ISP have the 100% of information,

The ISPs are just branches of the government, so what's the point?

From grarpamp at gmail.com Sat May 31 22:03:57 2014
From: grarpamp at gmail.com (grarpamp)
Date: Sun, 1 Jun 2014 01:03:57 -0400
Subject: is truecrypt dead?
In-Reply-To: <1401562408.11168.YahooMailNeo@web126201.mail.ne1.yahoo.com>
References: <20140531024605.94E95228241@palinka.tinho.net> <5389DEE7.9050600@cathalgarvey.me> <1401562408.11168.YahooMailNeo@web126201.mail.ne1.yahoo.com>
Message-ID:

On Sat, May 31, 2014 at 2:53 PM, jim bell wrote:
> https://www.google.com/#q=corporation+cannot+conspire+with+itself
> deliver a copy of that NSL letter to each of its employees
> Obviously, that news will leak.
> Prosecution of any specific corporate employee will be difficult
> without very detailed evidence.

As in the search results... whoever was leaking employee is irrelevant,
the employee is the corp. If an employee cannot be found *and*
successfully treated separately from the corp, the corp will take the
fall for the leak. The leak is out there, but the corp dies of
negligence or something, rather than from a stand up principled fight.
That's not a win.

> The issue will arise: Can a corporation legally deliver a copy of
> that NSL to each employee?

Probably depends on how the letter is worded / addressed. The default
sense in absence of such restrictions would seem to be yes. Find bitcoin
accepting lawyer to do construction/opinion for cpunks list.

From davidroman96 at gmail.com Sat May 31 16:39:36 2014
From: davidroman96 at gmail.com (davidroman96)
Date: Sun, 01 Jun 2014 01:39:36 +0200
Subject: Our nameless project.
In-Reply-To: <20140531231915.6628117A58@pb-sasl0.pobox.com>
References: <5389BBDE.8050803@gmail.com> <20140531114251.GB1973@miyamoto> <5389C3F1.9050305@gmail.com> <538A0E4D.3010502@gmail.com> <20140531231915.6628117A58@pb-sasl0.pobox.com>
Message-ID: <538A6838.8010207@gmail.com>

On 01/06/14 01:19, Bill Stewart wrote:
> At 10:15 AM 5/31/2014, davidroman96 wrote:
>> We know that the sources ips generally are dropped, this is the only
>> problem that we have.
>> But if multiple hosts can use the same ip how the connection can be
>> traced? Only the ISP have the information, the receiver don't know
>> anything apart from the content of the packet.
>
> That's part of the problem -
> the receiver doesn't know anything, even the contents of the packet,
> because any good ISP will drop the packets instead of allowing the
> sender to send them.
> If you can find a collection of bad ISPs who can send forged-source
> packets to each other
> across the public Internet, maybe you have some chance,
> but that kind of bad ISP is also a target for spy agencies and for
> criminals.
>
>
> Normally, UDP is fine, but it isn't TCP.
> A popular thing for UDP applications to do is to reinvent TCP badly.
> If you need to do TCP things, and only have UDP for some reason,
> you can reinvent most of TCP well, but only if you understand it well.
> The UDP versions of Bittorrent, for instance, were written by people who
> not only understood TCP and UDP well, but experimented a lot with scale.
>
> A very good ISP will not only drop forged-source packets,
> they'll hunt down the sender and kill it.
> Somebody mentioned Netflow - many large ISPs record that level of
> information,
> with the source and destination IP addresses, port numbers, protocol,
> and router information,
> and sometimes also link-layer addresses if the link layer uses them.
> If you sent a packet from 192.9.200.1, your ISP will probably drop it
> at the originating router,
> and will log an error message that says it dropped that on your access
> line,
> and if it sees a lot of them, they'll go check out why.
> If you use a small ISP that doesn't bother checking for forged source
> addresses,
> they'll be using a larger ISP for long-haul connections that will notice.
>
>
We know that ISP have the 100% of information, but the idea was to give
less information to the receiver. Even yet I couldn't find any
transparent ISP, seems that all ISPs are trolls xD, maybe pirateISP are
more transparent¿?...
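
[Added example, not part of any message in this thread.] A minimal Python sketch of the BCP 38 source-address check and drop logging that the quoted Bill Stewart text describes: the drop is recorded against the access line the packet arrived on, not against the source address it claims. The access-line names, assigned prefixes, packets and alert threshold are constructed assumptions; 192.9.200.1 is the forged source used in the quoted message.

```python
import ipaddress
from collections import Counter

# Constructed data: prefixes the ISP assigned to each customer access line.
ASSIGNED = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/28")],
    "cust-b": [ipaddress.ip_network(p)
               for p in ("203.0.113.64/26", "2001:db8:b::/48")],
}
ALERT_THRESHOLD = 3  # assumed: drops on one line before someone investigates


def permitted(line, src):
    """BCP 38 check: is src inside a prefix assigned to this access line?"""
    addr = ipaddress.ip_address(src)
    return any(addr.version == net.version and addr in net
               for net in ASSIGNED.get(line, []))


def ingress_filter(packets):
    """Return (forwarded packets, drop log lines, access lines to investigate)."""
    forwarded, drop_log, drops = [], [], Counter()
    for pkt in packets:
        line, src, dst, proto, dport = pkt
        if permitted(line, src):
            forwarded.append(pkt)
            continue
        # The claimed source says nothing reliable; the access line does.
        drops[line] += 1
        drop_log.append(f"DROP line={line} src={src} dst={dst} "
                        f"proto={proto} dport={dport} reason=src-not-assigned")
    investigate = sorted(l for l, n in drops.items() if n >= ALERT_THRESHOLD)
    return forwarded, drop_log, investigate


# Constructed packets: (access line, source, destination, protocol, dst port)
SAMPLE = [
    ("cust-a", "198.51.100.5", "203.0.113.70", "udp", 6881),   # legitimate
    ("cust-a", "192.9.200.1", "203.0.113.70", "udp", 6881),    # forged
    ("cust-a", "192.9.200.1", "203.0.113.71", "udp", 6881),    # forged
    ("cust-a", "203.0.113.65", "203.0.113.70", "udp", 6881),   # cust-b's address
    ("cust-b", "203.0.113.65", "198.51.100.5", "tcp", 443),    # legitimate
    ("cust-b", "2001:db8:b::1", "2001:db8:a::1", "udp", 53),   # legitimate
    ("cust-b", "2001:db8:a::1", "2001:db8:b::1", "udp", 53),   # forged
]

if __name__ == "__main__":
    fwd, log, investigate = ingress_filter(SAMPLE)
    print(f"forwarded={len(fwd)} dropped={len(log)} investigate={investigate}")
    print("\n".join(log))
```

The same address, 203.0.113.65, is forwarded from cust-b and dropped from cust-a, which is why several hosts sharing one forged source still leave per-line records at the originating ISP.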