From grarpamp at gmail.com Sat Nov 1 01:22:22 2014
From: grarpamp at gmail.com (grarpamp)
Date: Sat, 1 Nov 2014 04:22:22 -0400
Subject: [tor-talk] Facebook brute forcing hidden services
In-Reply-To: <20141101013146.GR35778@moria.seul.org>
References: <20141031122302.GA5554@glue.grepular.com> <20141031125427.GQ35778@moria.seul.org> <20141101013146.GR35778@moria.seul.org>
Message-ID:

I would never use this unless you were actually censored from accessing facebook via clearnet. All it will do is serve to officially tell facebook that you are a tor user that FB can then further discriminate against as a class in the future once they start to lock down clearnet against exit nodes, travelers, etc or whatever their scheme is or will be.

Remember, FB's official policy is still:
- Real Names required
- Phone Numbers / ID required
- DOB required
- Gender required
- Email required
- Etc required
- Users are the product that is being mined and sold and shared.

Such non optional elements, and choices, powers and rights removed from the user, are in direct opposition to the principles of Tor and anonymity. Normally support for onion/i2p is good thing, but when still backed by crap like this it's largely meaningless.

https://news.ycombinator.com/item?id=8538281
http://yro.slashdot.org/story/14/10/31/1545231/facebook-sets-up-shop-on-tor
http://www.reddit.com/r/onions/comments/2kvnbw/facebook_accessible_by_onion_address/
http://www.reddit.com/r/TOR/comments/2kvl8r/facebook_now_officially_available_as_a_tor_hidden/

[Some posters already seem to be getting locked out for using onion but of course cannot truly know why because FB does not state their metrics.]

From rysiek at hackerspace.pl Sat Nov 1 00:56:33 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Sat, 01 Nov 2014 08:56:33 +0100
Subject: https://facebookcorewwwi.onion/
In-Reply-To: <5454136D.3070905@aestetix.com>
References: <5281479.Q3Ro4k0Ycc@lapuntu> <5453DDCA.8080709@virtadpt.net> <5454136D.3070905@aestetix.com>
Message-ID: <1434508.TqKhgNKVd5@lapuntu>

On Friday, 31 October 2014 15:55:41 aestetix wrote:
> Including anti-surveillance rallies, which is about as ironic as you
> can get.

Here, that's from the Polish Pirate Party.

--
Regards
rysiek

-------------- next part --------------
A non-text attachment was scrubbed...
Name: partiapiratow-pl-facebook-06.02.2014.png
Type: image/png
Size: 135490 bytes
Desc: not available

From list at sysfu.com Sat Nov 1 11:51:16 2014
From: list at sysfu.com (Seth)
Date: Sat, 01 Nov 2014 11:51:16 -0700
Subject: https://facebookcorewwwi.onion/
Message-ID:

On Fri, 31 Oct 2014 07:58:18 -0700, rysiek wrote:
> Apart from being torn about the move (good on Facebook to support TOR,
> but I don't really feel like praising Facebook for anything I guess),
> there I see two positive elements to this.

1) Potential massive increase in cover traffic for all Tor users
2) Competitive pressure on other 'social' network services to enable Tor .onion access

--
Seth

I <3 nicely trimmed email replies

From odinn.cyberguerrilla at riseup.net Sat Nov 1 05:38:39 2014
From: odinn.cyberguerrilla at riseup.net (odinn)
Date: Sat, 01 Nov 2014 12:38:39 +0000
Subject: [tor-talk] Facebook brute forcing hidden services
In-Reply-To:
References: <20141031122302.GA5554@glue.grepular.com> <20141031125427.GQ35778@moria.seul.org> <20141101013146.GR35778@moria.seul.org>
Message-ID: <5454D44F.7060706@riseup.net>

Reflections..

grarpamp wrote:
> I would never use this unless you were actually censored from
> accessing facebook via clearnet. All it will do is serve to
> officially tell facebook that you are a tor user that FB can then
> further discriminate against as a class in the future once they
> start to lock down clearnet against exit nodes, travelers, etc or
> whatever their scheme is or will be.

I agree. I tried out the FB Tor hidden service. I was censored / banned from accessing FB at all, and FB demanded a "government ID" in order to take off the ban ~ I refused to do so. (not that I wanted to use it, but after a while I was curious what some distant family and friends were doing in terms of their activity on FB). The Tor hidden service allowed me to get far enough into the login process that I was able to squeeze out a 2FA and complete login, something I could not do before due to the ban. It's clear that part of FB censorship involves discrimination against persons they disagree with based in part on IP addresses.

>
> Remember, FB's official policy is still: - Real Names required

FB's centralized platform and ubiquitous selling of people's data is problematic enough, and their discrimination against people who identify differently (or who engage in trans-identical expression) is telling.
It's not a service I want to use, but I've explored in the past chatting with those who use it, by way of use of the Empathy program. (FB is now blocking many users of Empathy as well, btw)

> - Phone Numbers / ID required - DOB required - Gender required -
> Email required - Etc required - Users are the product that is being
> mined and sold and shared.

Exactly ~ none of this should be required. As wide as its use is, FB should be viewed as a doomed / dying platform based on its extractive and oppressive model.

Of note, however:

- At least 72 percent of online adults use social media, with around 18 percent using twitter, based on 2013 numbers
http://www.pewinternet.org/2013/08/05/72-of-online-adults-are-social-networking-site-users/

- 42% of online adults use multiple social networking sites, but Facebook remains a platform of choice, based on 2013 numbers
http://www.pewinternet.org/2013/12/30/social-media-update-2013/

- A 2014 review of social media marketing indicates that Facebook is the single biggest social media platform used by marketers (another reason not to use it, but also makes it obvious that a lot of people currently find it profitable to use)
http://www.socialmediaexaminer.com/SocialMediaMarketingIndustryReport2014.pdf

These findings seem to indicate that when people are designing applications that are oriented on the peer-to-peer, decentralized model, in order to be successful, the applications should be very simple to use, and provide for ample opportunity for engagement, if they hope to challenge the well-established centralized models.

As an example, I've suggested to OpenBazaar team (which is about to release a new beta version) that they work at making the application "lighter" as well as easier and friendlier to use in a mobile version, so that it would have the feel of depop.com

example:
http://www.depop.com/en/francescahall1987/authentic-mulberry-purse-for-sale

Coupling interesting, easy to access listings and posts tailored for mobile users with easy-to-use communication that has broad appeal is a goal that should be added (or at least, emphasized a lot more) in p2p development.

>
> Such non optional elements, and choices, powers and rights removed
> from the user, are in direct opposition to the principles of Tor
> and anonymity. Normally support for onion/i2p is good thing, but
> when still backed by crap like this it's largely meaningless.

Agreed. And the more one posts content to FB as a platform, the more you give them to mine and profit from. It should be avoided.

>
>
>
> https://news.ycombinator.com/item?id=8538281
> http://yro.slashdot.org/story/14/10/31/1545231/facebook-sets-up-shop-on-tor
>
> http://www.reddit.com/r/onions/comments/2kvnbw/facebook_accessible_by_onion_address/
> http://www.reddit.com/r/TOR/comments/2kvl8r/facebook_now_officially_available_as_a_tor_hidden/
>
> [Some posters already seem to be getting locked out for using
> onion but of course cannot truly know why because FB does not state
> their metrics.]
>

--
http://abis.io ~ "a protocol concept to enable decentralization and expansion of a giving economy, and a new social good"
https://keybase.io/odinn

From coderman at gmail.com Sat Nov 1 12:45:26 2014
From: coderman at gmail.com (coderman)
Date: Sat, 1 Nov 2014 12:45:26 -0700
Subject: Fwd: [tor-talk] Cloak Tor Router
In-Reply-To:
References: <7488606.2oxgLGVBPl@ncpws04>
Message-ID:

---------- Forwarded message ----------
From: coderman
Date: Sat, 1 Nov 2014 12:42:41 -0700
Subject: Re: [tor-talk] Cloak Tor Router

On 11/1/14, Lars Boegild Thomsen wrote:
> ... We - the team behind Cloak - and me (the
> networking and embedded Linux guy in the team) are genuinely concerned about
> privacy and we really would like this product to ...

first question, did you contact Tor Project Inc. about this for their input? (if yes, what was their take on your aims?)

> The first step was to isolate the Tor/Cloak related stuff from my internal
> source tree and actually put a buildable source online on Github. That is
> currently available here: https://github.com/ReclaimYourPrivacy.

the majority of these repositories are forks of existing public projects, but not clearly so. (e.g. cloak-routing is a selection of specific OpenWRT packages, eschalot, etc.)

what do you think of branching from upstream repositories, and keeping your changes in a manner that upstream would be encouraged to incorporate?

i have more feedback on code itself, but this is foremost to mention.

> Second step was to document the hardware development to convince everybody
> (hopefully) that we _are_ actually capable of having a device such as this
> manufactured at a competitive price. Most of that documentation went on our
> web-site (https://reclaim-your-privacy.com) and schematics/PCB design on
> Github (same url as before).

i approve of open hardware approach very much :)
perhaps useful to identify what is open (like PCB) and what is not (Atheros)

> I had already (9 months back) come up with some sensible firewall rules that
> would pretty much force all TCP traffic through Tor and since I had been
> running it for 9 months it was at that time fairly well tested

obviously this is not difficult, but it is also more complicated than just "some sensible rules". e.g.
https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy
and
iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
and all the other intricacies...

> ... at that time we
> could generate a random root password and WiFi key, flash that to a small
> dedicated R/O partition on the flash, print it on a label attached to the
> box (along with Serial number and MAC address).

it would also be great if you could introduce some per-device unique entropy seed, obtained from a strong hardware based random number generator. (how better to signal your interest in utmost privacy, even if practical benefit is less concrete? :)

> First of all, I would like to hear more opinions about the value of a device
> such as this.

the concept of a portable Tor proxy hardware router that fits in your pocket is great, in my not so unbiased opinion :)

> I realize that most technically adept people will frown on a
> "toy" such as the Cloak,

what technical people will frown on is the way the device is presented to users, and if users are placed into risk by technical errors.

> but this device is really not meant for anybody who
> can install the Tor software on their own or someone who can install Tor on
> a Raspberry Pi.

that's fine; i believe it is possible to make a device that is transparently usable that also doesn't put users at needless risk, if that is what you are getting at.

the suggestions others have made that i second:
- block accidental Tor over Tor setups.
- provide a Tor Browser on the supported platforms with TOR_TRANSPROXY=1
- provide automated builds, so that users can keep their device up to date easily, or use a built-in mechanism to obtain and install the latest easily.

in general, some guidelines that me as a technical person would like to see:
- the device should fail safe, rather than fail open: if i accidentally connect my friend's windows XP laptop to your device, it should block rather than allow all by default.
- support robust stream isolation, beyond what may be default. perhaps IsolateDestAddr and IsolateByClientAddr on TransPort (this does not yet exist, but you could code it to the benefit of all Transparent proxy consumers :)

---

regarding your other information:

from your kickstarter, "We commit to establish and operate new exit nodes, to ensure that we are pulling our weight. Tor is currently at approx 2000 users per exit node. For every 1000 devices we ship, we will establish a new dedicated exit node. "

why the focus on number of exit nodes, instead of contributed exit capacity? you're measuring the wrong thing here.

---

i have more feedback, but your responses to these questions will help me determine how much time i can contribute to an evaluation.

best regards,

From ryacko at gmail.com Sat Nov 1 14:27:58 2014
From: ryacko at gmail.com (Ryan Carboni)
Date: Sat, 1 Nov 2014 14:27:58 -0700
Subject: https://facebookcorewwwi.onion/
Message-ID:

It probably will cost $1 billion to brute force an 80-bit address in a year. What website is actually worth that much?
Not even impersonating facebook is worth that much, if you limit the value of the Tor address to the value of the Tor connections to it. The total value of the Tor network is probably nowhere near $10 billion (mostly CP and darknets though).

From coderman at gmail.com Sat Nov 1 20:52:14 2014
From: coderman at gmail.com (coderman)
Date: Sat, 1 Nov 2014 20:52:14 -0700
Subject: IPv5 is a laser
Message-ID:

http://phenoelit.org/stuff/CSLI.pdf

From juan.g71 at gmail.com Sat Nov 1 17:55:10 2014
From: juan.g71 at gmail.com (Juan)
Date: Sat, 1 Nov 2014 21:55:10 -0300
Subject: GamerGate (because censorship is dumb)
In-Reply-To: <54547DEB.4010201@lig.net>
References: <45ac353359f0ad85f3a792faa499faba@cryptolab.net> <1a3afa12b6a0da5c252c12e213fc1244@cryptolab.net> <1414596042.2993.22.camel@anglachel> <54512BB5.1080902@riseup.net> <54547DEB.4010201@lig.net>
Message-ID: <5455809f.2f158c0a.7848.ffffdeb9@mx.google.com>

On Fri, 31 Oct 2014 23:30:03 -0700 Stephen Williams wrote:
> On 10/29/14, 11:02 AM, Hashem Nasarat wrote:
> >
> > On 10/29/2014 12:24 PM, RKN the_PORTABLE wrote:
> >> ...
> >> Let me sum up gg in a way that I expect cpunks to understand (but
> >> then again, I expected cpunks to have more brain and do better
> >> research rather than just go white knighting):
> >> "Anti-prism people are not pro privacy. They are pro terrorism and
> >> paedophilia! Snowden is just a racist! He could not cope with
> >> changing times and the fact that new president is black so he sold
> >> out his country and ran away to homophobic and racist RUSSIA!"
> > This analogy is not very useful as USA is also homophobic and
> > racist.
>
> Not really the same at all. Russia's government is still actively
> oppressing people in these ways while the US is:
>
> A) Far less homophobic and racist than it used to be.

LMAO!
self-parody never ends.

> In some areas,
> hardly at all. B) Has gone from the government homophobia hunting
> people to fire from government jobs in the 1950's to complete
> legality and usually legal protection now. C) The Millennials as a
> group are not homophobic or racist to any measurable degree.
> Remaining pockets are becoming more isolated and their youth are
> changing too, as far as anyone can tell.
>
> The whole culture is rapidly changing in many ways. Music, Internet,
> Hollywood, legal cases, politicians (because many have been voted
> out), etc. have all been changing people's opinions. The rate of
> evolution, or at least the rate of maturation of active cycles has
> been apparently increasing each year.
>
> Pervasive cell phone video, major cases of corruption and
> overstepping bounds and tragedy have caused major pull back of
> longstanding troublesome trends.
>
> This is how all of this ties into cypherpunks: Observing how
> opinions, public sentiment, then enforcement, regulations, and market
> options evolve in each of these cycles should be instructive when
> trying to induce important change. How can you position things to
> improve better outcomes when inflection points happen?
>
> sdw
>

From l at odewijk.nl Sat Nov 1 15:41:18 2014
From: l at odewijk.nl (Lodewijk andré de la porte)
Date: Sat, 1 Nov 2014 23:41:18 +0100
Subject: [Cryptography] Best internet crypto clock: hmmmmm...
In-Reply-To:
References: <5453845C.1000508@math.ntnu.no>
Message-ID:

2014-11-01 22:48 GMT+01:00 Tom Mitchell:

> On Fri, Oct 31, 2014 at 11:51 PM, grarpamp wrote:
>
>> On Fri, Oct 31, 2014 at 2:57 PM, Dave Horsfall wrote:
>> > On Fri, 31 Oct 2014, Harald Hanche-Olsen wrote:
>> >
>> >> Are you perhaps thinking of the so-called EURion constellation?
>> > ...
>
>> http://www.secretservice.gov/know_your_money.shtml
>>
>> Quality counterfeiters of US notes don't care what
>
>
> One of the driving forces to the changes in currency around
> the globe was angst and some evidence of nation level
> counterfeiting. Some small number of folk still have first
> hand knowledge of currency attacks in WW2 and how effective
> (or not) these attacks were. Good accounts are sparse and
> like other secrets seem to still be closely held.
>
> I know that the local farmers market and flea market vendors in
> this area are very cautious about $20 bills that are apparently
> color printer and color copier produced.
>
> I did see some mumble about N. Korea and very high
> end intaglio printing about the same time the US and other
> nations started changing methods and designs. A secretive
> well funded organization or government can do a lot to
> produce counterfeit money. A decade or two earlier a lot of
> effort was spent on durability.
>

I was about to mumble a tune about SuperDollars and ww2 currency devaluation attacks! They never really worked, or turned feasible, because delivery is quite hard and printing currency is quite expensive.

> It goes without saying that the secret service can use OCR
> readers in multiple locations and track each and every printed
> bill. If their audits detect an interesting level I can see the next
> revision of design getting released into the cycle and aggressive
> audited shredder action for the previous.
>

They hopefully do. But this is a crypto forum, right? So we can do better than just making hard-to-produce bills. We can produce an actual signature scheme! Using any crypto-currency but accepting double spends until an online check with central authority (blockchain is just a slow and decentralized central authority) can be done is probably really quite good. Optionally TPM's can put the central authority in your pocket, or in your bill! Too bad government sucks at technology.

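The flow sketched in the message above (a signed bill, accepted offline, with double spends caught only at a later online check) can be made concrete as follows. This is an added example, not code from the thread: Ed25519 stands in for "an actual signature scheme", an in-memory map stands in for the central authority, no crypto-currency is involved, and all type and function names are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// Bill is a constructed stand-in for a banknote; Sig covers Serial and Cents.
type Bill struct {
	Serial uint64
	Cents  uint32
	Sig    []byte
}

var (
	ErrBadSignature = errors.New("signature does not verify")
	ErrDoubleSpend  = errors.New("serial already redeemed")
)

// billMessage builds the exact bytes that are signed: a 16-byte tag
// (an assumed domain separator) followed by serial and denomination.
func billMessage(serial uint64, cents uint32) []byte {
	msg := append([]byte("example-bill-v1:"), make([]byte, 12)...)
	binary.BigEndian.PutUint64(msg[16:], serial)
	binary.BigEndian.PutUint32(msg[24:], cents)
	return msg
}

// Issuer plays the central authority: signing key plus ledger of spent serials.
type Issuer struct {
	Pub   ed25519.PublicKey
	priv  ed25519.PrivateKey
	next  uint64
	spent map[uint64]bool
}

func NewIssuer() (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		return nil, err
	}
	return &Issuer{Pub: pub, priv: priv, spent: make(map[uint64]bool)}, nil
}

// Print issues a fresh bill under the next serial number.
func (i *Issuer) Print(cents uint32) Bill {
	i.next++
	sig := ed25519.Sign(i.priv, billMessage(i.next, cents))
	return Bill{Serial: i.next, Cents: cents, Sig: sig}
}

// VerifyOffline shows the issuer signed these values, not that this is the only copy.
func VerifyOffline(pub ed25519.PublicKey, b Bill) bool {
	return ed25519.Verify(pub, billMessage(b.Serial, b.Cents), b.Sig)
}

// Redeem is the later online check: the first presentation of a serial
// clears, any further presentation is reported as a double spend.
func (i *Issuer) Redeem(b Bill) error {
	if !VerifyOffline(i.Pub, b) {
		return ErrBadSignature
	}
	if i.spent[b.Serial] {
		return ErrDoubleSpend
	}
	i.spent[b.Serial] = true
	return nil
}

// Outcome records what happened to each bill in RunScenario.
type Outcome struct {
	ForgedAcceptedOffline, CopyAcceptedOffline bool
	FirstRedeem, SecondRedeem                  error
}

// RunScenario issues one bill, makes a perfect copy and an altered one,
// then runs them through the offline check and the online check.
func RunScenario() (Outcome, error) {
	iss, err := NewIssuer()
	if err != nil {
		return Outcome{}, err
	}
	original := iss.Print(2000)
	duplicate := original // same serial, same signature
	forged := Bill{Serial: original.Serial, Cents: 10000, Sig: original.Sig}
	return Outcome{
		ForgedAcceptedOffline: VerifyOffline(iss.Pub, forged),
		CopyAcceptedOffline:   VerifyOffline(iss.Pub, duplicate),
		FirstRedeem:           iss.Redeem(original),
		SecondRedeem:          iss.Redeem(duplicate),
	}, nil
}

func main() {
	o, err := RunScenario()
	fmt.Printf("%+v err=%v\n", o, err)
}
```

The signature stops altered bills at the offline step, but a byte-for-byte copy still verifies there; only the ledger lookup in `Redeem` separates the first presentation from the second.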
From l at odewijk.nl Sat Nov 1 16:46:17 2014
From: l at odewijk.nl (Lodewijk andré de la porte)
Date: Sun, 2 Nov 2014 00:46:17 +0100
Subject: GamerGate (because censorship is dumb)
In-Reply-To: <54547DEB.4010201@lig.net>
References: <45ac353359f0ad85f3a792faa499faba@cryptolab.net> <1a3afa12b6a0da5c252c12e213fc1244@cryptolab.net> <1414596042.2993.22.camel@anglachel> <54512BB5.1080902@riseup.net> <54547DEB.4010201@lig.net>
Message-ID:

GamersGate is what happens when a large group is guided by guides that don't care about them. #GG is a totally different animal. The result of confusing social media activity. Activism is not the same as picking a hashtag and tweeting about it. Last I checked.. I think columns in newspapers were probably the height of verbal contemplation of policy. For every major belief there's a major newspaper, so all parties attend and present their most persuasive arguments. Leading only to radicalization. Hmmm... Maybe publishing always sucked? This new hivemind school of thought will never have serious repercussions and actively weakens interest in things like legal system critique.

From tigrutigru at gmail.com Sat Nov 1 18:17:50 2014
From: tigrutigru at gmail.com (tigrutigru at gmail.com)
Date: Sun, 2 Nov 2014 02:17:50 +0100
Subject: [tor-talk] Facebook brute forcing hidden services
In-Reply-To:
References:
Message-ID: <7D1CD80D-6C98-4796-BB2B-EF4903AD3FDA@gmail.com>

I've been to FSCONS today session: "Blurry line between private service and public infrastructure" covering a problem with decentralised, federated services and platforms which can be used as an alternative to FB.

There are many (Diaspora, Friendica, GNU social etc), but use incompatible protocols, making it hard for users to choose, and fragmenting the community, making it look weak and small. Another problem is that most of them don't have client API's and do have a sorry-looking interface.

However, if those platforms would be compatible and talk to each other - in a session it was called "The Federation", this problem of fragmentation and poor user database is solved.

So far is the most promising solution I heard which can help to get people off Facebook hook, or at least use it when absolutely necessary, not to post your entire life on it.

Most "evil" services we use, just need a decent easy to use functional alternative.

In the actual lecture the federation of decentralised social networks is described from the 28th minute
https://m.youtube.com/watch?v=R_uvYp3fog4

> On 1 Nov 2014, at 17:00, cypherpunks-request at cpunks.org wrote:
>
> Re: [tor-talk] Facebook brute forcing hidden services

From rysiek at hackerspace.pl Sun Nov 2 01:28:58 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Sun, 02 Nov 2014 09:28:58 +0100
Subject: https://facebookcorewwwi.onion/
In-Reply-To: <1434508.TqKhgNKVd5@lapuntu>
References: <5281479.Q3Ro4k0Ycc@lapuntu> <5454136D.3070905@aestetix.com> <1434508.TqKhgNKVd5@lapuntu>
Message-ID: <2281094.zQcSWFGpDG@lapuntu>

On Saturday, 1 November 2014 08:56:33 rysiek wrote:
> On Friday, 31 October 2014 15:55:41 aestetix wrote:
> > Including anti-surveillance rallies, which is about as ironic as you
> > can get.
>
> Here, that's from the Polish Pirate Party.

Welp, sending a PNG directly to the list was a brainfart, sorry guys, won't happen again.

--
Regards
rysiek

From rysiek at hackerspace.pl Sun Nov 2 01:33:32 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Sun, 02 Nov 2014 10:33:32 +0100
Subject: [tor-talk] Facebook brute forcing hidden services
In-Reply-To: <7D1CD80D-6C98-4796-BB2B-EF4903AD3FDA@gmail.com>
References: <7D1CD80D-6C98-4796-BB2B-EF4903AD3FDA@gmail.com>
Message-ID: <17913035.XcKpdGSG2N@lapuntu>

On Sunday, 2 November 2014 02:17:50 tigrutigru at gmail.com wrote:
> I've been to FSCONS today session: "Blurry line between private service and
> public infrastructure" covering a problem with decentralised, federated
> services and platforms which can be used as an alternative to FB.

Well hullo tharr. :)

> There are many (Diaspora, Friendica, GNU social etc), but use incompatible
> protocols, making it hard for users to choose, and fragmenting the
> community, making it look weak and small.

Well, Diaspora, Friendica and Red are already talking to each other with a common protocol; Friendica and StatusNet/GNU Social are also compatible. So The Federation (as was proposed to name the common network-of-social-networks) is already based on 4 different networks; others are finally starting to think about getting on the interoperability bandwagon.

Compare and contrast to what was going on 2 years ago:
http://lists.w3.org/Archives/Public/public-fedsocweb/2013May/0058.html

Tl;dr of that thread is "not invented here, impossiburu, we won't bother". Methinks we've done some progress.

> Another problem is that most of them don't have client API's and do have a
> sorry-looking interface.

Well, Diaspora's interface is really fine these days. Friendica needs a lot of love; Red I don't personally know. Lack of client API is a huge problem, though. Here's a nice poll about what users want/need:
https://joindiaspora.com/posts/4304242

Client API wins hands down.

> However, if those platforms would be compatible and talk to each other - in
> a session it was called "The Federation", this problem of fragmentation and
> poor user database is solved.

Well, as I said, Diaspora, Friendica, Red and GNU Social are already talking with each other with common protocols.

> So far is the most promising solution I heard which can help to get people
> off Facebook hook, or at least use it when absolutely necessary, not to post
> your entire life on it.

Thanks; I was just describing what was happening on the libre side of social networking.

> Most "evil" services we use, just need a decent easy to use functional
> alternative.

That's the crux, right after getting a common protocol implemented across different federated social networks. Also consider:
http://rys.io/en/88

> In the actual lecture the federation of decentralised social networks is
> described from the 28th minute https://m.youtube.com/watch?v=R_uvYp3fog4

And here are the slides:
http://rys.io/static/Blurry-line-between-private-service-and-public-infrastructure-FSCONS2014.pdf
http://rys.io/static/Blurry-line-between-private-service-and-public-infrastructure-FSCONS2014.odp

Also, please join us at The Federation Assembly at #31C3:
https://events.ccc.de/congress/2014/wiki/Assembly:The_Federation

--
Regards
rysiek

From rysiek at hackerspace.pl Sun Nov 2 02:30:24 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Sun, 02 Nov 2014 11:30:24 +0100
Subject: [tor-talk] Facebook brute forcing hidden services
In-Reply-To: <7D1CD80D-6C98-4796-BB2B-EF4903AD3FDA@gmail.com>
References: <7D1CD80D-6C98-4796-BB2B-EF4903AD3FDA@gmail.com>
Message-ID: <32907859.pBoRyBKqfr@lapuntu>

Also, my previous talk (at #30C3) about social network monopolies is here:
http://media.ccc.de/browse/congress/2013/30C3_-_5319_-_en_-_saal_g_-_201312282330_-_technomonopolies_-_rysiek.html#video

Slides:
http://rys.io/static/technomonopolies-30c3.odp

I need to write both up so they are not only on video, I guess.

--
Regards
rysiek

From edhelas at movim.eu Sun Nov 2 03:19:24 2014
From: edhelas at movim.eu (edhelas)
Date: Sun, 02 Nov 2014 12:19:24 +0100
Subject: [tor-talk] Facebook brute forcing hidden services
In-Reply-To: <7D1CD80D-6C98-4796-BB2B-EF4903AD3FDA@gmail.com>
References: <7D1CD80D-6C98-4796-BB2B-EF4903AD3FDA@gmail.com>
Message-ID: <1414927164.16756.1@smtp.etu.univ-nantes.fr>

I can resume this fragmentation issue by a simple sentence that I'm saying more and more these days : "If you have a problem, do not write an API, write a protocol".

The social federation protocol is already here : it's XMPP. And yes it can support everything a social network has to offer (feeds, subscriptions, profiles, contact list…). There is already millions of users on the XMPP network, and you can easily find several clients on all the platforms for it.

I'm working since 2008 on the Movim project (https://movim.eu/), to build a full, good looking, "decentralized" (federated) and open source social network on XMPP. And believe me, yes it's possible.

I like the link that the guy made in the presentation with Firefox.
Why Firefox surpassed IE ? Because they just choose to implement the W3C standards and try to improve it (and they offer some nice features too).

Diaspora, GNU Social, Friendica are not trying to do that, they create their own "proprietary" protocol to talk between each other and after that face the same issues than all the others network : "Hey, we are not compatibles ! Lets create an API and the other networks will be compatible with us".

So keep calm and implement XMPP ;)

Tim

On Sun., Nov. 2, 2014 at 2:17, tigrutigru at gmail.com wrote:
> I've been to FSCONS today session: "Blurry line between private
> service and public infrastructure"
> covering a problem with decentralised, federated services and
> platforms which can be used as an alternative to FB.
>
> There are many (Diaspora, Friendica, GNU social etc), but use
> incompatible protocols, making it hard for users to choose, and
> fragmenting the community, making it look weak and small. Another
> problem is that most of them don't have client API's and do have a
> sorry-looking interface.
>
> However, if those platforms would be compatible and talk to each
> other - in a session it was called "The Federation", this problem of
> fragmentation and poor user database is solved.
>
> So far is the most promising solution I heard which can help to get
> people off Facebook hook, or at least use it when absolutely
> necessary, not to post your entire life on it.
>
> Most "evil" services we use, just need a decent easy to use
> functional alternative.
>
> In the actual lecture the federation of decentralised social networks
> is described from the 28th minute
> https://m.youtube.com/watch?v=R_uvYp3fog4
> > On 1 Nov 2014, at 17:00, cypherpunks-request at cpunks.org wrote:
> >
>> Re: [tor-talk] Facebook brute forcing hidden services

From rysiek at hackerspace.pl Sun Nov 2 03:53:38 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Sun, 02 Nov 2014 12:53:38 +0100
Subject: [tor-talk] Facebook brute forcing hidden services
In-Reply-To: <1414927164.16756.1@smtp.etu.univ-nantes.fr>
References: <7D1CD80D-6C98-4796-BB2B-EF4903AD3FDA@gmail.com> <1414927164.16756.1@smtp.etu.univ-nantes.fr>
Message-ID: <4734849.Scac9nlgDo@lapuntu>

On Sunday, 2 November 2014 12:19:24 edhelas wrote:
> The social federation protocol is already here : it's XMPP. And yes it
> can support everything a social network has to offer (feeds,
> subscriptions, profiles, contact list…). There is already millions of
> users on the XMPP network, and you can easily find several clients on
> all the platforms for it.
>
> I'm working since 2008 on the Movim project (https://movim.eu/),

So, I'm having a painful flashback from:
http://lists.w3.org/Archives/Public/public-fedsocweb/2013May/0058.html

And my answer to this is: whatever floats your boat. The biggest problem right now is the network effect and fragmentation, XMPP crowd (are you compatible with BuddyCloud, for example?) does not seem to help out in this department, so I'm going to promote The Federation, because it already has the userbase and it already federates between several networks.

I have no particular preference of a particular protocol. The Federation already federates, and that's what counts.

Please, let's not repeat the discussion I just linked, though.

--
Regards
rysiek

URL: From rysiek at hackerspace.pl Sun Nov 2 05:37:49 2014 From: rysiek at hackerspace.pl (rysiek) Date: Sun, 02 Nov 2014 14:37:49 +0100 Subject: [tor-talk] Facebook brute forcing hidden services In-Reply-To: <1414927164.16756.1@smtp.etu.univ-nantes.fr> References: <7D1CD80D-6C98-4796-BB2B-EF4903AD3FDA@gmail.com> <1414927164.16756.1@smtp.etu.univ-nantes.fr> Message-ID: <3182275.bF9ghnmCAF@lapuntu> Hi, okay, fuck that, I'm going to dive in, because the level of FUD is strong in this one. Dnia niedziela, 2 listopada 2014 12:19:24 edhelas pisze: > I can resume this fragmentation issue by a simple sentence that I'm > saying more and more these days : "If you have a problem, do not write > an API, write a protocol". Sure: https://xkcd.com/927/ I don't understand why we need over9000 different, incompatible federated social web protocols. It would seem to me we need *ONE* with several *GOOD* implementations. > The social federation protocol is already here : it's XMPP. And yes it > can support everything a social network has to offer (feeds, > subscriptions, profiles, contact list…). There is already millions of > users on the XMPP network, and you can easily find several clients on > all the plateforms for it. > > I'm working since 2008 on the Movim project (https://movim.eu/), to > build a full, good looking, "decentralized" (federated) and open source > social network on XMPP. And believe me, yes it's possible. I won't discuss that. I will however point out that "possible" is not enough. > I like the link that the guy made in the presentation with Firefox. Why > Firefox surpassed IE ? Because they just choose to implement the W3C > standards and try to improve it (and they offer some nice features too). Absolutely. > Diaspora, GNU Social, Friendica are not trying to do that, they create > their own "proprietary" protocol Oh, wow. Do you even understand the words that you use? I mean, "proprietary"? 
It's documented, the code is open, the protocol has at least two FLOSS implementations. Seriously, what were you trying to achieve here?

> to talk between each other and after that face the same issues than all the others network : "Hey, we are not compatible ! Let's create an API and the other networks will be compatible with us".

No. They created a protocol that other networks implement. For example Friendica implements GNU Social's protocol, Diaspora's protocol and their own (documented, opensourced) protocol. Red similarly.

Reading a bit on it would be a good idea.

> So keep calm and implement XMPP ;)

No. Come to The Federation assembly at #31C3, get involved in a more meaningful way than calling open protocols "proprietary" just because you don't know them, and try working with quite a few projects that already cooperate and federate with common *protocols* (not APIs).

The question is not "which protocol is better", because while we bikeshed on this question, people are still sitting on Failbroke and Shitter, instead of moving out of these walled gardens.

The question is: "how can we *cooperate* to get people on the libre, federated side of social networks". 1.5 year ago I submitted to all the fedsocnet devs a simple question, here's the link again:
http://lists.w3.org/Archives/Public/public-fedsocweb/2013May/0058.html

The answer was: "impossiburu, we won't, not invented here, my protocol is better than yours". So instead of trying to herd those cats, I am grabbing the opportunity arising from the fact that we already have The Federation. Let's expand it and build upon it, eh?

Shouting "XMPP! XMPP!" is not helping.

--
Regards
rysiek

From coderman at gmail.com Sun Nov 2 16:37:19 2014
From: coderman at gmail.com (coderman)
Date: Sun, 2 Nov 2014 16:37:19 -0800
Subject: POTUS jammin'
Message-ID:

https://twitter.com/mattblaze/status/529055344191111169

Fired up a spectrum analyzer as POTUS motorcade went by. Definitely wideband jamming from lead WHCA vehicle. (& it unpaired my BT headset)

I had been skeptical of reports that they routinely use jammers, but there was strong wideband noise from abt 700mhz to beyond 2.5 GHz.

VHF was quite clean, which is where most sec svc traffic is.

... it seemed to be about half a block.

---

ultra-wide-band SDR to the rescue? (60Ghz MIMO or bust!)

From edhelas at movim.eu Sun Nov 2 10:10:46 2014
From: edhelas at movim.eu (edhelas)
Date: Sun, 02 Nov 2014 19:10:46 +0100
Subject: [tor-talk] Facebook brute forcing hidden services
In-Reply-To: <3182275.bF9ghnmCAF@lapuntu>
References: <7D1CD80D-6C98-4796-BB2B-EF4903AD3FDA@gmail.com> <1414927164.16756.1@smtp.etu.univ-nantes.fr> <3182275.bF9ghnmCAF@lapuntu>
Message-ID: <1414951846.30181.0@smtp.etu.univ-nantes.fr>

On Sun., Nov. 2, 2014 at 2:37, rysiek wrote:
> Hi,
>
> okay, fuck that, I'm going to dive in, because the level of FUD is strong in this one.

Well, thanks :)

> On Sunday, 2 November 2014 12:19:24 edhelas wrote:
>> I can resume this fragmentation issue by a simple sentence that I'm saying more and more these days : "If you have a problem, do not write an API, write a protocol".
>
> Sure:
> https://xkcd.com/927/
>
> I don't understand why we need over9000 different, incompatible federated social web protocols. It would seem to me we need *ONE* with several *GOOD* implementations.
>
>> The social federation protocol is already here : it's XMPP. And yes it can support everything a social network has to offer (feeds, subscriptions, profiles, contact list…).
>> There is already millions of users on the XMPP network, and you can easily find several clients on all the platforms for it.
>>
>> I'm working since 2008 on the Movim project (https://movim.eu/), to build a full, good looking, "decentralized" (federated) and open source social network on XMPP. And believe me, yes it's possible.
>
> I won't discuss that. I will however point out that "possible" is not enough.

It's possible to push it forward and try to not reinvent the wheel again and again by creating a new protocol.

>> I like the link that the guy made in the presentation with Firefox. Why Firefox surpassed IE ? Because they just choose to implement the W3C standards and try to improve it (and they offer some nice features too).
>
> Absolutely.
>
>> Diaspora, GNU Social, Friendica are not trying to do that, they create their own "proprietary" protocol
>
> Oh, wow. Do you even understand the words that you use? I mean, "proprietary"?
> It's documented, the code is open, the protocol has at least two FLOSS implementations. Seriously, what were you trying to achieve here?

Ok, the term "proprietary" was a little strong. Of course the source code of these projects is open. But can you give me any serious documentations (more than a Wiki or some ML links) that can help me to implement properly the Diaspora/Friendica/GNU Social protocols like RFC, IETF stuffs ?

A protocol has to be stable in the time, most of these projects just create their own protocol from their need. The Diaspora protocol was re-written already one time (which totally broke the Friendica compatibility at this time), the guys from Status.net moved to Pump.io…

>> to talk between each other and after that face the same issues than all the others network : "Hey, we are not compatible ! Let's create an API and the other networks will be compatible with us".
>
> No. They created a protocol that other networks implement.
> For example Friendica implements GNU Social's protocol, Diaspora's protocol and their own (documented, opensourced) protocol. Red similarly.

No, they wrote their own protocol for their own project, and someone just try to implement it to try to be compatible. But it's a one way work, the guys from Diaspora will not adapt their protocol to help the guys from Friendica/GNU Social/whatever.

> Reading a bit on it would be a good idea.
>
>> So keep calm and implement XMPP ;)
>
> No. Come to The Federation assembly at #31C3, get involved in a more meaningful way than calling open protocols "proprietary" just because you don't know them, and try working with quite a few projects that already cooperate and federate with common *protocols* (not APIs).
>
> The question is not "which protocol is better", because while we bikeshed on this question, people are still sitting on Failbroke and Shitter, instead of moving out of these walled gardens.
>
> The question is: "how can we *cooperate* to get people on the libre, federated side of social networks". 1.5 year ago I submitted to all the fedsocnet devs a simple question, here's the link again:
> http://lists.w3.org/Archives/Public/public-fedsocweb/2013May/0058.html
>
> The answer was: "impossiburu, we won't, not invented here, my protocol is better than yours". So instead of trying to herd those cats, I am grabbing the opportunity arising from the fact that we already have The Federation. Let's expand it and build upon it, eh?

What is your plan with The Federation ? To build a project to help all these projects to talk each others and find a way to "standardize" the communications between them to be compatible with each other ?
Then you will define some basic schema of authentication/packet format (JSON/HTML/XML…)/global architecture…
In the end it will looks like this : https://xkcd.com/927/

If your aim is to ask these projects to have a public API to share stuffs between their different servers, well good luck.

> Shouting "XMPP! XMPP!" is not helping.

No, but I prefer to contribute and improve a 15 years old protocol, with millions of users and hundred of implementations, managed by a strong Foundation that works with the IETF than on a 4 yo protocol implemented by ~2 project where all the documentation you can find on it is here https://wiki.diasporafoundation.org/Federation_protocol_overview.

> --
> Regards
> rysiek

From rysiek at hackerspace.pl Sun Nov 2 10:35:43 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Sun, 02 Nov 2014 19:35:43 +0100
Subject: [tor-talk] Facebook brute forcing hidden services
In-Reply-To: <1414951846.30181.0@smtp.etu.univ-nantes.fr>
References: <3182275.bF9ghnmCAF@lapuntu> <1414951846.30181.0@smtp.etu.univ-nantes.fr>
Message-ID: <3412171.f7io1AVluf@lapuntu>

On Sunday, 2 November 2014 19:10:46 you wrote:
> > okay, fuck that, I'm going to dive in, because the level of FUD is strong in this one.
>
> Well, thanks :)

Always a pleasure.

> > The question is not "which protocol is better", because while we bikeshed on this question, people are still sitting on Failbroke and Shitter, instead of moving out of these walled gardens.
> >
> > The question is: "how can we *cooperate* to get people on the libre, federated side of social networks".
> > 1.5 year ago I submitted to all the fedsocnet devs a simple question, here's the link again:
> > http://lists.w3.org/Archives/Public/public-fedsocweb/2013May/0058.html
> >
> > The answer was: "impossiburu, we won't, not invented here, my protocol is better than yours". So instead of trying to herd those cats, I am grabbing the opportunity arising from the fact that we already have The Federation. Let's expand it and build upon it, eh?
>
> What is your plan with The Federation ? To build a project to help all these projects to talk each others and find a way to "standardize" the communications between them to be compatible with each other ?

No. To have a single name for these few federated social networks that already federate with each other. So that instead of saying "do you have a Diaspora/Friendica/Red/GNU Social account?" one can say "do you have a The Federation account?"

Because this will:
- make it easier for the normal users to join ("just choose any of these, they're compatible")
- make it more interesting for developers of other free federated social networks to get compatible with The Federation ("it's not a single project, a few of them got together already, why not join the happy bunch")

And in the end it's all about this:
http://en.wikipedia.org/wiki/Network_effect

Each of these projects in itself is too small to get users' attention; together they have much more chance of that.

> Then you will define some basic schema of authentication/packet format (JSON/HTML/XML…)/global architecture…
> In the end it will looks like this : https://xkcd.com/927/

Nobody needs nor wants to define nor create any new protocols. The protocols are already there: that's what Diaspora, Friendica, Red and GNU Social use to talk to each other. The ONLY aim of calling it with a collective name is to make it seen as a single, huge, federated-and-federating distributed social network.
And to get the ball rolling on more social networks joining-in and federating.

> If your aim is to ask these projects to have a public API to share stuffs between their different servers, well good luck.

They already do. They implement each others' protocols. Nobody has to do anything there. I have a Diaspora account and have added friends from Friendica and Red servers. But thanks anyway.

> > Shouting "XMPP! XMPP!" is not helping.
>
> No, but I prefer to contribute and improve a 15 years old protocol, with millions of users and hundred of implementations, managed by a strong Foundation that works with the IETF than on a 4 yo protocol implemented by ~2 project where all the documentation you can find on it is here
> https://wiki.diasporafoundation.org/Federation_protocol_overview.

"I guess I'll leave that one until you answer Meredith" would be one answer.

"I prefer to contribute and improve a ~40 years old protocol with billions of users and thousands of implementations (...)" and direct you to e-mail (which allows you to share photos and info with your friends, after all), would be another, admittedly snarky.

"So how is JID/Jingle client and server implementation work going", would be yet another.

"You're very welcome to join The Federation, if you'd like; the easiest way to do this would be to either help The Federation projects implement your protocol, or implement one of their protocols in your software; in return you'll get a huge bunch of active users to federate with, and the user-perceived value of your network would rise" is the one I'm going with, however.

Also, Diaspora is implementing an XMPP-based chat functionality these days (should be released soon). So, there's also that.

--
Regards
rysiek

From odinn.cyberguerrilla at riseup.net Sun Nov 2 11:46:57 2014
From: odinn.cyberguerrilla at riseup.net (odinn)
Date: Sun, 02 Nov 2014 19:46:57 +0000
Subject: [tor-talk] Facebook brute forcing hidden services
In-Reply-To: <1414951846.30181.0@smtp.etu.univ-nantes.fr>
References: <7D1CD80D-6C98-4796-BB2B-EF4903AD3FDA@gmail.com> <1414927164.16756.1@smtp.etu.univ-nantes.fr> <3182275.bF9ghnmCAF@lapuntu> <1414951846.30181.0@smtp.etu.univ-nantes.fr>
Message-ID: <54568A31.9050609@riseup.net>

"Why Not Both?" ;-)

edhelas wrote:
> On Sun., Nov. 2, 2014 at 2:37, rysiek wrote:
>> Hi,
>>
>> okay, fuck that, I'm going to dive in, because the level of FUD is strong in this one.
>
> Well, thanks :)
>
>> On Sunday, 2 November 2014 12:19:24 edhelas wrote:
>>> I can resume this fragmentation issue by a simple sentence that I'm saying more and more these days : "If you have a problem, do not write an API, write a protocol".
>>
>> Sure: https://xkcd.com/927/
>>
>> I don't understand why we need over9000 different, incompatible federated social web protocols. It would seem to me we need *ONE* with several *GOOD* implementations.
>>
>>> The social federation protocol is already here : it's XMPP. And yes it can support everything a social network has to offer (feeds, subscriptions, profiles, contact list…). There is already millions of users on the XMPP network, and you can easily find several clients on all the platforms for it.
>>>
>>> I'm working since 2008 on the Movim project (https://movim.eu/), to build a full, good looking, "decentralized" (federated) and open source social network on XMPP. And believe me, yes it's possible.
>>
>> I won't discuss that. I will however point out that "possible" is not enough.
>
> It's possible to push it forward and try to not reinvent the wheel again and again by creating a new protocol.
>>> I like the link that the guy made in the presentation with Firefox. Why Firefox surpassed IE ? Because they just choose to implement the W3C standards and try to improve it (and they offer some nice features too).
>>
>> Absolutely.
>>
>>> Diaspora, GNU Social, Friendica are not trying to do that, they create their own "proprietary" protocol
>>
>> Oh, wow. Do you even understand the words that you use? I mean, "proprietary"? It's documented, the code is open, the protocol has at least two FLOSS implementations. Seriously, what were you trying to achieve here?
>
> Ok, the term "proprietary" was a little strong. Of course the source code of these projects is open. But can you give me any serious documentations (more than a Wiki or some ML links) that can help me to implement properly the Diaspora/Friendica/GNU Social protocols like RFC, IETF stuffs ?
>
> A protocol has to be stable in the time, most of these projects just create their own protocol from their need. The Diaspora protocol was re-written already one time (which totally broke the Friendica compatibility at this time), the guys from Status.net moved to Pump.io…
>
>>> to talk between each other and after that face the same issues than all the others network : "Hey, we are not compatible ! Let's create an API and the other networks will be compatible with us".
>>
>> No. They created a protocol that other networks implement. For example Friendica implements GNU Social's protocol, Diaspora's protocol and their own (documented, opensourced) protocol. Red similarly.
>
> No, they wrote their own protocol for their own project, and someone just try to implement it to try to be compatible. But it's a one way work, the guys from Diaspora will not adapt their protocol to help the guys from Friendica/GNU Social/whatever.
>
>> Reading a bit on it would be a good idea.
>>
>>> So keep calm and implement XMPP ;)
>>
>> No.
>> Come to The Federation assembly at #31C3, get involved in a more meaningful way than calling open protocols "proprietary" just because you don't know them, and try working with quite a few projects that already cooperate and federate with common *protocols* (not APIs).
>>
>> The question is not "which protocol is better", because while we bikeshed on this question, people are still sitting on Failbroke and Shitter, instead of moving out of these walled gardens.
>>
>> The question is: "how can we *cooperate* to get people on the libre, federated side of social networks". 1.5 year ago I submitted to all the fedsocnet devs a simple question, here's the link again:
>> http://lists.w3.org/Archives/Public/public-fedsocweb/2013May/0058.html
>>
>> The answer was: "impossiburu, we won't, not invented here, my protocol is better than yours". So instead of trying to herd those cats, I am grabbing the opportunity arising from the fact that we already have The Federation. Let's expand it and build upon it, eh?
>
> What is your plan with The Federation ? To build a project to help all these projects to talk each others and find a way to "standardize" the communications between them to be compatible with each other ?
>
> Then you will define some basic schema of authentication/packet format (JSON/HTML/XML…)/global architecture… In the end it will looks like this : https://xkcd.com/927/
>
> If your aim is to ask these projects to have a public API to share stuffs between their different servers, well good luck.
>
>> Shouting "XMPP! XMPP!" is not helping.
>
> No, but I prefer to contribute and improve a 15 years old protocol, with millions of users and hundred of implementations, managed by a strong Foundation that works with the IETF than on a 4 yo protocol implemented by ~2 project where all the documentation you can find on it is here
> https://wiki.diasporafoundation.org/Federation_protocol_overview.
>> --
>> Regards
>> rysiek

--
http://abis.io ~ "a protocol concept to enable decentralization and expansion of a giving economy, and a new social good"
https://keybase.io/odinn

From dan at geer.org Sun Nov 2 17:32:51 2014
From: dan at geer.org (dan at geer.org)
Date: Sun, 02 Nov 2014 20:32:51 -0500
Subject: are USB floppies toxic?
In-Reply-To: Your message of "Thu, 30 Oct 2014 23:03:59 -0400." <35c1bf01-a193-4784-8f05-4a21a6bfafe9@email.android.com>
Message-ID: <20141103013251.604CE22832F@palinka.tinho.net>

With respect to

> More generally, search for "charge only usb cable"

... at the other end of the spectrum, more or less, see the following.

--dan

-----------------8<------------cut-here------------8<-----------------

kapricasecurity.com/skorpion

Being secure is as easy as charging your phone. Simply connect your Android device to the Skorpion charger and it will be scanned for malware, viruses, and malicious rootkits while it charges.

* Cutting edge security
  Ensure mobile device integrity with Kaprica's leading edge innovation. Nation-state quality technology can now be yours.
* Clear scan results
  LED indicator lights let you know if risks have been detected or if your device is clean. A green light means no problems - a red one means trouble.
* Part of your daily routine
  Scan whenever you need to charge - no hassle of extra steps or additional software. High level technology at your fingertips.

How does it work?

The Kaprica charger is a three-step system that happens automatically without any user interaction.
* 01 Quick Scan
  In as little as 2 minutes you'll know if your mobile device has been infected with malware.
* 02 Deep Scan
  In as little as 6 minutes, a deep scan reveals malicious changes to your OS.
* 03 Report Scan Results
  Our web interface quickly and quietly identifies and reports on any malicious content and the cleanliness of your mobile device.

Extensive reporting and interactive dashboard for enterprise-level IT administrators. Data collected by the Skorpion charger is sent back to Kaprica's servers and clearly displayed in the administrative dashboard.

From eric at konklone.com Sun Nov 2 18:04:16 2014
From: eric at konklone.com (Eric Mill)
Date: Sun, 2 Nov 2014 21:04:16 -0500
Subject: POTUS jammin'
In-Reply-To:
References:
Message-ID:

Also:

> My back of the envelope energy calculation is that you don't want to be the motorcycle cop riding right in front of that jammer SUV

> [in response to Q] Very brief exposure, probably not much, but definitely exceeds OSHA & FCC exposure limits.

https://twitter.com/mattblaze/status/529070276412063745

On Sun, Nov 2, 2014 at 7:37 PM, coderman wrote:
> https://twitter.com/mattblaze/status/529055344191111169
>
> Fired up a spectrum analyzer as POTUS motorcade went by. Definitely wideband jamming from lead WHCA vehicle. (& it unpaired my BT headset)
>
> I had been skeptical of reports that they routinely use jammers, but there was strong wideband noise from abt 700mhz to beyond 2.5 GHz.
>
> VHF was quite clean, which is where most sec svc traffic is.
>
> ... it seemed to be about half a block.
>
> ---
>
> ultra-wide-band SDR to the rescue? (60Ghz MIMO or bust!)

--
konklone.com | @konklone

From rysiek at hackerspace.pl Sun Nov 2 12:44:49 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Sun, 02 Nov 2014 21:44:49 +0100
Subject: BitLocker, OneDrive, PRISM
Message-ID: <83235650.AvCTPMTW7N@lapuntu>

Hi there,

WTF am I reading?
http://cryptome.org/2014/11/ms-onedrive-nsa-prism.htm

"... because the [BitLocker] recovery key is automatically stored in SkyDrive for you."

--
Regards
rysiek

From demonfighter at gmail.com Mon Nov 3 06:52:37 2014
From: demonfighter at gmail.com (Steve Furlong)
Date: Mon, 3 Nov 2014 09:52:37 -0500
Subject: Crypto War Redux
In-Reply-To:
References:
Message-ID:

On Mon, Nov 3, 2014 at 9:05 AM, John Young wrote:
>
> USG enforcing crypto export controls:

Some of us who are more cynical (read: experienced) never believed the relaxed enforcement of encryption export controls would stay relaxed. And some of the more cynical even suspected the laws and regulations on the books would be enforced with no notice, and retroactively. And some of the exceptionally cynical may hypothetically have continued to develop encryption code but never released it under their own names.

--
Neca eos omnes. Deus suos agnoscet. -- Arnaud-Amaury, 1209

From coderman at gmail.com Mon Nov 3 11:02:48 2014
From: coderman at gmail.com (coderman)
Date: Mon, 3 Nov 2014 11:02:48 -0800
Subject: RC4 still sucks in the year 2014 - A Practical Attack Against the HIVE Hidden Volume Encryption System
Message-ID:

"""
A Practical Attack Against the HIVE Hidden Volume Encryption System

Kenneth G.
Paterson and Mario Strefler

Abstract: The HIVE hidden volume encryption system was proposed by Blass et al. at ACM-CCS 2014. Even though HIVE has a security proof, this paper demonstrates an attack on its implementation that breaks the main security property claimed for the system by its authors, namely plausible hiding against arbitrary-access adversaries. Our attack is possible because of HIVE's reliance on the RC4 stream cipher to fill unused blocks with pseudorandom data. While the attack can be easily eliminated by using a better pseudorandom generator, it serves as an example of why RC4 should be avoided in all new applications and a reminder that one has to be careful when instantiating primitives.
"""
- http://eprint.iacr.org/2014/901

From eugen at leitl.org Mon Nov 3 04:40:15 2014
From: eugen at leitl.org (Eugen Leitl)
Date: Mon, 3 Nov 2014 13:40:15 +0100
Subject: Brain decoder can eavesdrop on your inner voice
Message-ID: <20141103124015.GC10467@leitl.org>

http://www.newscientist.com/article/mg22429934.000-brain-decoder-can-eavesdrop-on-your-inner-voice.html

Brain decoder can eavesdrop on your inner voice

29 October 2014 by Helen Thomson
Magazine issue 2993.

As you read this, your neurons are firing – that brain activity can now be decoded to reveal the silent words in your head

TALKING to yourself used to be a strictly private pastime. That's no longer the case – researchers have eavesdropped on our internal monologue for the first time. The achievement is a step towards helping people who cannot physically speak communicate with the outside world.

"If you're reading text in a newspaper or a book, you hear a voice in your own head," says Brian Pasley at the University of California, Berkeley. "We're trying to decode the brain activity related to that voice to create a medical prosthesis that can allow someone who is paralysed or locked in to speak."
When you hear someone speak, sound waves activate sensory neurons in your inner ear. These neurons pass information to areas of the brain where different aspects of the sound are extracted and interpreted as words.

In a previous study, Pasley and his colleagues recorded brain activity in people who already had electrodes implanted in their brain to treat epilepsy, while they listened to speech. The team found that certain neurons in the brain's temporal lobe were only active in response to certain aspects of sound, such as a specific frequency. One set of neurons might only react to sound waves that had a frequency of 1000 hertz, for example, while another set only cares about those at 2000 hertz. Armed with this knowledge, the team built an algorithm that could decode the words heard based on neural activity alone (PLoS Biology, doi.org/fzv269).

The team hypothesised that hearing speech and thinking to oneself might spark some of the same neural signatures in the brain. They supposed that an algorithm trained to identify speech heard out loud might also be able to identify words that are thought.

Mind-reading

To test the idea, they recorded brain activity in another seven people undergoing epilepsy surgery, while they looked at a screen that displayed text from either the Gettysburg Address, John F. Kennedy's inaugural address or the nursery rhyme Humpty Dumpty.

Each participant was asked to read the text aloud, read it silently in their head and then do nothing. While they read the text out loud, the team worked out which neurons were reacting to what aspects of speech and generated a personalised decoder to interpret this information. The decoder was used to create a spectrogram – a visual representation of the different frequencies of sound waves heard over time. As each frequency correlates to specific sounds in each word spoken, the spectrogram can be used to recreate what had been said.
They then applied the decoder to the brain activity that occurred while the participants read the passages silently to themselves (see diagram).

Despite the neural activity from imagined or actual speech differing slightly, the decoder was able to reconstruct which words several of the volunteers were thinking, using neural activity alone (Frontiers in Neuroengineering, doi.org/whb).

The algorithm isn't perfect, says Stephanie Martin, who worked on the study with Pasley. "We got significant results but it's not good enough yet to build a device."

In practice, if the decoder is to be used by people who are unable to speak it would have to be trained on what they hear rather than their own speech. "We don't think it would be an issue to train the decoder on heard speech because they share overlapping brain areas," says Martin.

The team is now fine-tuning their algorithms, by looking at the neural activity associated with speaking rate and different pronunciations of the same word, for example. "The bar is very high," says Pasley. "It's preliminary data, and we're still working on making it better."

The team have also turned their hand to predicting what songs a person is listening to by playing lots of Pink Floyd to volunteers, and then working out which neurons respond to what aspects of the music. "Sound is sound," says Pasley. "It all helps us understand different aspects of how the brain processes it."

"Ultimately, if we understand covert speech well enough, we'll be able to create a medical prosthesis that could help someone who is paralysed, or locked in and can't speak," he says.

Several other researchers are also investigating ways to read the human mind. Some can tell what pictures a person is looking at, others have worked out what neural activity represents certain concepts in the brain, and one team has even produced crude reproductions of movie clips that someone is watching just by analysing their brain activity.
So is it possible to put it all together to create one multisensory mind-reading device? In theory, yes, says Martin, but it would be extraordinarily complicated. She says you would need a huge amount of data for each thing you are trying to predict. "It would be really interesting to look into. It would allow us to predict what people are doing or thinking," she says. "But we need individual decoders that work really well before combining different senses." This article appeared in print under the headline "Hearing our inner voice" From rysiek at hackerspace.pl Mon Nov 3 04:49:46 2014 From: rysiek at hackerspace.pl (rysiek) Date: Mon, 03 Nov 2014 13:49:46 +0100 Subject: news on the alternative social media front In-Reply-To: <20141103102427.GA26365@lo.psyced.org> References: <17913035.XcKpdGSG2N@lapuntu> <20141103102427.GA26365@lo.psyced.org> Message-ID: <1629103.M5kOg3GNPj@lapuntu> Hi there, Dnia poniedziałek, 3 listopada 2014 11:24:28 carlo von lynX pisze: > The problem is that interoperability is not solving any real problem. I disagree. The small number of users and the confusion of which network to use is a real problem, related to the network effect aka Metcalfe's law: http://en.wikipedia.org/wiki/Metcalfe%27s_law The same problem exists with truly distributed social networks, like SocialSwarm, MaidSafe, Twister et al. How should a user decide which one they should use? Let's make that step easier by at least making an attempt at interoperability. > As if any of those platforms was scalable, functional and sexy enough > to attract a relevant number of people away from the cloud-based systems. > If one of them was so cool, we wouldn't really need the other ones, so > interoperability is unnecessary. To some extent you're right. > Interoperability is something you should ask from competing proprietary > systems, but it is irrelevant for free software systems. I don't agree. 
These systems already have tens of thousands of users, and getting these users together on a single network is one of the challenges.

> So after eleven years working on free "federated" social web thingies all we
> got is some platforms that can talk to each other although they can't scale
> to real world relevant numbers or hide their data from government
> authorities.

How do you know they can't scale? I see Diaspora scaling pretty well so far. And as far as hiding data from governments is concerned -- sure I'd prefer everybody to jump into RetroShare, but that's not gonna happen. And a decentralized system is much better, privacy-wise, than a centralized one, even if it's not perfect.

> (...)
> > >> Most "evil" services we use, just need a decent easy to use functional
> > >> alternative.
> > >
> > > That's the crux, right after getting a common protocol implemented
> > > across
> > > different federated social networks. Also consider:
> > > http://rys.io/en/88
>
> That document mentions SocialSwarm, with a link to
> http://wiki.socialswarm.net/Beyond_the_federation
> which I think explains pretty well how federation will never take off.

Fair enough. But it already has hundreds of thousands of users.

For me, the endgame is indeed complete decentralisation and peer-to-peer social networking, a'la SocialSwarm, RetroShare and Twister. None of these are ready yet, though, the way Diaspora or Friendica are ready and usable today.

So I'd rather help people switch to Diaspora or Friendica today rather than have them wait an unspecified amount of time for the Golden Age of Social Networking. Because once we have them on the free software, decentralised, federated side, we can write bridges/gateways, and have SocialSwarm connect with userbase on The Federation.

That's not possible with *any* walled garden.

> Then it says this, as an excuse for dismissing SocialSwarm:
> > The problem with FreedomBox and SocialSwarm I see is that they are trying
> > to make two hard transitions at once: from centralised to de-centralised,
> > and from third-party-hosted to self-hosted. I believe this is a tad too
> > an ambitious plan and it should be split into two separate steps.
> > However, if we did Step 0 and Step 1 right, they both would have at least
> > a part of their work done for them.
> And that again is wrong because if you have identified the two or
> three crucial problems, trying to fix just one while maintaining
> all the mess of the other two problems is years of efforts for
> little gain: you and your nerd friends are having their own little
> social network, still fully visible to the NSA, while the people
> that you would like to spend more time with you have all logical
> reasons on their side to stick to Facebook etc.
> ( See the examples at the end of
> http://wiki.socialswarm.net/Beyond_the_federation )

But my girlfriend doesn't have to use *my* server, she can choose any of the tens of pods worldwide.

> So now you have interoperability which doesn't solve any of the
> three problems:
> - scalability
> - social graph protection
> - end-to-end encryption (the reason why your significant other
> will not be free to talk about you while using your server)

So, this is interesting:
https://joindiaspora.com/posts/5069036#b894222043d8013279201a960f0f49a1

RedMatrix supports end-to-end encryption.

> > > Also, please join us at The Federation Assembly at #31C3:
> > > https://events.ccc.de/congress/2014/wiki/Assembly:The_Federation
>
> Great! Server federation! Keep promoting bad ideas!
> Federation does not solve the problem that SERVERS AREN'T SAFE!

No, they're not. Still, many federating servers controlled by different people is much better than a single, centrally controlled network. Somewhere there's a video of Bruce Schneier talking about how 10000 different small and medium e-mail providers is so much better a situation, than 10 large ones. That's exactly my point here.

> Servers should not be confided with the social graph of humanity,
> not even if we pay 8 euros a month for them - because their
> virtual memory is easily automatically reapable by authorities.

It is indeed. But if they have to do it on 10000 different servers, that's a different ball game than when they have to do it on 10 or 100.

> Even if the FSW solved the problem of efficient distribution,
> which of course it hasn't even properly addressed, it still
> lets the agencies have the entire cake and eat it.

As above.

> How can you guys dare to go to the 31C3 and act as if
> Snowden didn't happen?

You know what? At this point let me say from the depth of my heart: fuck you. Don't you dare lecture me on Snowden and privacy. The fact that I have different take-away from these revelations (e.g. "done now is better than perfect in a decade") doesn't give you the right to be a condescending little prick, smirking with contempt from your high horse of theoretical technical superiority with not much to show for it but a few texts critical of projects that work *here and now*.

Where's the code? Where are the tools? How can I get involved? Can I test anything, apart from your ability to throw tantrums? Please don't tell me that's all you've got in the pipeline since 28C3!

Here are some news for you: FreedomBox is not yet usable. SocialSwarm is not yet usable. I'd love them to be, but they're simply not. And while you berate others about how they act as if "Snowden didn't happen", these others are getting people off of Facebook at least, today. That's not perfect, but it's a *step*. A step you can either try to build upon, or a step you can try to undermine. Guess which has a higher chance of eventually solving most or all of the problems you mentioned?

Here, have a read:
https://medium.com/message/81e5f33a24e1

Especially the "In the end, it’s culture that’s broken" part. Come back when you do.

> It's annoying that the things we said in 2011 on
> http://secushare.org/2011-FSW-Scalability-Paranoia
> still apply. No progress at all. Had the "federated
> social web" crowd understood and invested half the
> energy in a P2P/onion-relay/multicast kind of "GNU
> Internet" infrastructure, instead of insisting on a
> broken model, we would now have a distributed social
> network that works AND respects basic civil rights.

Had my grandmother had mustache, she would be my grandfather, as we say in Poland. Cry me a fucking river.

Also, had you spent the time you have spent writing this e-mail on development work, you'd be a few steps closer to your goal. So, there's that.

> Thank you, low-hanging-fruit people, for keeping so many brilliant
> developers off the important projects and distracting even public
> financing with the undead federation rhetoric.

What, now it's my fault that people that are completely unrelated to me and that make their own decisions are working on project A instead of project B which you tend to prefer? How sad is your world, how filled with bile must you be that your pet project is not my pet project, or Friendica/Diaspora/Red developers' pet project!

Go out, talk, explain, reach out and convince people it's worthwhile to invest their time and effort in your idea. Heck, convince me that's worthwhile and that it will get people off of Facebook sooner than in a decade, and I might start helping you out!

Hint: blaming me for your own problems with communication and having a fit over other people taking different paths than yours is not the perfect strategy for that.

> There's nothing as strong as a bad idea whose time has come.
>
> Terrible to see we haven't made much progress since I said
> that at unlike-us 2012.
Ever thought that might somehow be related to how you go about introducing people to your ideas, maybe?

--
Regards,
rysiek

From cypherpunks at cheiraminhavirilha.com Mon Nov 3 08:11:43 2014
From: cypherpunks at cheiraminhavirilha.com (Virilha)
Date: Mon, 03 Nov 2014 16:11:43 +0000
Subject: Brain decoder can eavesdrop on your inner voice
In-Reply-To: <20141103124015.GC10467@leitl.org>
Message-ID: <20141103161143.Horde.xmsthx3wcxD8NcGsgLU7xw1@127.0.0.1>

Maybe I will start to wear a hat sooner than I thought.
https://en.wikipedia.org/wiki/Tin_foil_hat

----- Message from Eugen Leitl ---------
Date: Mon, 3 Nov 2014 13:40:15 +0100
From: Eugen Leitl
Subject: Brain decoder can eavesdrop on your inner voice
To: tt at postbiota.org, neuro at postbiota.org, cypherpunks at cpunks.org

> http://www.newscientist.com/article/mg22429934.000-brain-decoder-can-eavesdrop-on-your-inner-voice.html
>
> Brain decoder can eavesdrop on your inner voice
>
> 29 October 2014 by Helen Thomson
>
> Magazine issue 2993.
>
> As you read this, your neurons are firing – that brain activity can now
> be decoded to reveal the silent words in your head
>
> TALKING to yourself used to be a strictly private pastime. That's no longer
> the case – researchers have eavesdropped on our internal monologue for
> the first time. The achievement is a step towards helping people who cannot
> physically speak communicate with the outside world.
>
> "If you're reading text in a newspaper or a book, you hear a voice in your
> own head," says Brian Pasley at the University of California, Berkeley.
> "We're trying to decode the brain activity related to that voice to create a
> medical prosthesis that can allow someone who is paralysed or locked in to
> speak."
>
> When you hear someone speak, sound waves activate sensory neurons in your
> inner ear. These neurons pass information to areas of the brain where
> different aspects of the sound are extracted and interpreted as words.
>
> In a previous study, Pasley and his colleagues recorded brain activity in
> people who already had electrodes implanted in their brain to treat epilepsy,
> while they listened to speech. The team found that certain neurons in the
> brain's temporal lobe were only active in response to certain aspects of
> sound, such as a specific frequency. One set of neurons might only react to
> sound waves that had a frequency of 1000 hertz, for example, while another
> set only cares about those at 2000 hertz. Armed with this knowledge, the team
> built an algorithm that could decode the words heard based on neural activity
> alone (PLoS Biology, doi.org/fzv269).
>
> The team hypothesised that hearing speech and thinking to oneself might spark
> some of the same neural signatures in the brain. They supposed that an
> algorithm trained to identify speech heard out loud might also be able to
> identify words that are thought.
>
> Mind-reading
>
> To test the idea, they recorded brain activity in another seven people
> undergoing epilepsy surgery, while they looked at a screen that displayed
> text from either the Gettysburg Address, John F. Kennedy's inaugural address
> or the nursery rhyme Humpty Dumpty.
>
> Each participant was asked to read the text aloud, read it silently in their
> head and then do nothing. While they read the text out loud, the team worked
> out which neurons were reacting to what aspects of speech and generated a
> personalised decoder to interpret this information. The decoder was used to
> create a spectrogram – a visual representation of the different
> frequencies of sound waves heard over time. As each frequency correlates to
> specific sounds in each word spoken, the spectrogram can be used to recreate
> what had been said. They then applied the decoder to the brain activity that
> occurred while the participants read the passages silently to themselves (see
> diagram).
>
> Despite the neural activity from imagined or actual speech differing
> slightly, the decoder was able to reconstruct which words several of the
> volunteers were thinking, using neural activity alone (Frontiers in
> Neuroengineering, doi.org/whb).
>
> The algorithm isn't perfect, says Stephanie Martin, who worked on the study
> with Pasley. "We got significant results but it's not good enough yet to
> build a device."
>
> In practice, if the decoder is to be used by people who are unable to speak
> it would have to be trained on what they hear rather than their own speech.
> "We don't think it would be an issue to train the decoder on heard speech
> because they share overlapping brain areas," says Martin.
>
> The team is now fine-tuning their algorithms, by looking at the neural
> activity associated with speaking rate and different pronunciations of the
> same word, for example. "The bar is very high," says Pasley. "It's preliminary
> data, and we're still working on making it better."
>
> The team have also turned their hand to predicting what songs a person is
> listening to by playing lots of Pink Floyd to volunteers, and then working
> out which neurons respond to what aspects of the music. "Sound is sound,"
> says Pasley. "It all helps us understand different aspects of how the brain
> processes it."
>
> "Ultimately, if we understand covert speech well enough, we'll be able to
> create a medical prosthesis that could help someone who is paralysed, or
> locked in and can't speak," he says.
>
> Several other researchers are also investigating ways to read the human mind.
> Some can tell what pictures a person is looking at, others have worked out
> what neural activity represents certain concepts in the brain, and one team
> has even produced crude reproductions of movie clips that someone is watching
> just by analysing their brain activity. So is it possible to put it all
> together to create one multisensory mind-reading device?
>
> In theory, yes, says Martin, but it would be extraordinarily complicated. She
> says you would need a huge amount of data for each thing you are trying to
> predict. "It would be really interesting to look into. It would allow us to
> predict what people are doing or thinking," she says. "But we need individual
> decoders that work really well before combining different senses."
>
> This article appeared in print under the headline "Hearing our inner voice"

----- End message from Eugen Leitl -----

From juan.g71 at gmail.com Mon Nov 3 11:48:08 2014
From: juan.g71 at gmail.com (Juan)
Date: Mon, 3 Nov 2014 16:48:08 -0300
Subject: POTUS jammin'
In-Reply-To:
References:
Message-ID: <5457dba0.0406e00a.2c33.ffff8758@mx.google.com>

On Sun, 2 Nov 2014 16:37:19 -0800 coderman wrote:

> https://twitter.com/mattblaze/status/529055344191111169
>
> Fired up a spectrum analyzer as POTUS motorcade went by. Definitely
> wideband jamming from lead WHCA vehicle. (& it unpaired my BT headset)

So it is possible to jam the 'spread spectrum' radios that the US military nazis use? It's possible, say, to jam the control links of the nazis' drones?

>
> I had been skeptical of reports that they routinely use jammers, but
> there was strong wideband noise from abt 700mhz to beyond 2.5 GHz.
>
> VHF was quite clean, which is where most sec svc traffic is.
>
> ... it seemed to be about half a block.
>
> ---
>
> ultra-wide-band SDR to the rescue? (60Ghz MIMO or bust!)
From guninski at guninski.com Mon Nov 3 08:30:52 2014
From: guninski at guninski.com (Georgi Guninski)
Date: Mon, 3 Nov 2014 18:30:52 +0200
Subject: are USB floppies toxic?
In-Reply-To: <20141103013251.604CE22832F@palinka.tinho.net>
References: <35c1bf01-a193-4784-8f05-4a21a6bfafe9@email.android.com> <20141103013251.604CE22832F@palinka.tinho.net>
Message-ID: <20141103163052.GA2653@sivokote.iziade.m$>

On Sun, Nov 02, 2014 at 08:32:51PM -0500, dan at geer.org wrote:
> With respect to
>
> > More generally, search for "charge only usb cable" ...
>
> at the other end of the spectrum, more or less, see the following.
>

I couldn't read the quoted text in my browsers.

Do they offer moneyback guarantee?

Do they offer the protection their device isn't infected by unknown, well, vectors/surfaces/curves/groups/etc.?

-- 10x

> --dan
>
> -----------------8<------------cut-here------------8<-----------------
>
> kapricasecurity.com/skorpion
>
> Being secure is as easy as charging your phone.
>
> Simply connect your Android device to the Skorpion charger and it will be
> scanned for malware, viruses, and malicious rootkits while it charges.
>
> * Cutting edge security
> Ensure mobile device integrity with Kaprica's leading edge
> innovation. Nation-state quality technology can now be yours.
>
> * Clear scan results
> LED indicator lights let you know if risks have been detected or if
> your device is clean. A green light means no problems - a red one
> means trouble.
>
> * Part of your daily routine
> Scan whenever you need to charge - no hassle of extra steps or
> additional software. High level technology at your fingertips.
>
> How does it work?
>
> The Kaprica charger is a three-step system that happens automatically without
> any user interaction.
>
> * 01 Quick Scan
> In as little as 2 minutes you'll know if your mobile device has
> been infected with malware.
>
> * 02 Deep Scan
> In as little as 6 minutes, a deep scan reveals malicious changes to
> your OS.
>
> * 03 Report Scan Results
> Our web interface quickly and quietly identifies and reports on any
> malicious content and the cleanliness of your mobile device.
>
> Extensive reporting and interactive dashboard for enterprise-level IT
> administrators.
>
> Data collected by the Skorpion charger is sent back to Kaprica's servers and
> clearly displayed in the administrative dashboard.

From coderman at gmail.com Mon Nov 3 20:02:36 2014
From: coderman at gmail.com (coderman)
Date: Mon, 3 Nov 2014 20:02:36 -0800
Subject: on list moderation of great justice [was: [oss-security] list policy (Re: Truly scary SSL 3.0 vuln to be revealed soon:) ]
Message-ID:

> On Tue, Oct 14, 2014 at 10:48:00PM -0700, Walter Parker wrote:
>> What is this list's policy on Full Disclosure?
>...

as one who enjoys a significant moderation delay on Full-Disclosure, i feel qualified to pontificate on this subject. [0]

per the monthly statistics summarized at http://seclists.org/fulldisclosure/ one can easily see how the careful pruning of noise on this channel has resulted in double digit density goodness, e.g. Aug 2014 at 89 posts; a new record of brevity and decorum!

i for one gladly await the day a more properly, more aggressively moderated full-disclosure reaches single digits and utmost conciseness. you can do it, Fyodor!

On 10/15/14, Solar Designer wrote:
> Looks like I need to comment on the specific questions on list policy:
> ...
> Whatever is sent to the list, if on-topic and otherwise appropriate
> ... is posted with no artificial delay... the only difference from the
> Full-Disclosure mailing list (as far as I understand how it's run) is
> that oss-security is limited to / focused on Open Source.

i for one agree with Full-Disclosure's policy that active monkey-in-the-middle attacks are of zero interest. spectrum hi jinx? how cross site...
[ "The Internet Threat Model" finds your privacy not cost effective. sorry! ]

given such undeniable logic, i must fully support the ongoing total moderation with infinite delay of coderman at gmail.com on the full-disclosure list. never again from coderman is too soon!

finally, regarding other aspects of full-disclosure, i must disclose that i have nothing further to say on the conspiracy in the information security industry to assist various intelligence agencies, including Attrition.org collaboration with NSA TAO [1] and Fyodor's relationship with GCHQ's HACIENDA scanner [2].

best regards,

0. see "RC4 is dangerous in ways not yet known - heads up on near injection WPA2 downgrade to TKIP RC4" - moderated on F-D since Sept. , also "Preferred Roaming List Zero Intercept Attack [was: DEF CON nostalgia [before that: going double cryptome at DEF CON 22]][still confusing]" moderated days to Aug 4 post send on 1st.

1. "Tailored Access Operations ... Details on a program titled QUANTUMSQUIRREL indicate NSA ability to masquerade as any routable IPv4 or IPv6 host."
- https://en.wikipedia.org/wiki/Tailored_Access_Operations#Virtual_locations

2. "GCHQ project HACIENDA [...] uses [nmap] port scanning to find vulnerable systems for Five Eyes intelligence agencies."
- https://en.wikipedia.org/wiki/TCP_Stealth

From coderman at gmail.com Mon Nov 3 22:23:19 2014
From: coderman at gmail.com (coderman)
Date: Mon, 3 Nov 2014 22:23:19 -0800
Subject: Privacy has never been “an absolute right”
Message-ID:

“To those of us who have to tackle the depressing end of intelligence community behaviour on the internet, it can seem that all governments, telcos, and computing companies are in denial about its misuse."
[ paraphrased for relevance ]
- http://www.theguardian.com/uk-news/2014/nov/03/privacy-gchq-spying-robert-hannigan

---

GCHQ chief accuses US tech giants of becoming terrorists' 'networks of choice'

New director of UK eavesdropping agency accuses US tech firms of becoming ‘networks of choice’ for terrorists

Privacy has never been “an absolute right”, according to the new director of GCHQ, who has used his first public intervention since taking over at the helm of Britain’s surveillance agency to accuse US technology companies of becoming “the command and control networks of choice” for terrorists.

Robert Hannigan said a new generation of freely available technology has helped groups like Islamic State (Isis) to hide from the security services and accuses major tech firms of being “in denial”, going further than his predecessor in seeking to claim that the leaks of Edward Snowden have aided terror networks.

GCHQ and sister agencies including MI5 cannot tackle those challenges without greater support from the private sector, “including the largest US technology companies which dominate the web”, Hannigan argued in an opinion piece written for the Financial Times just days into his new job.

Arguing that GCHQ needed to enter into the debate about privacy, Hannigan said: “I think we have a good story to tell. We need to show how we are accountable for the data we use to protect people, just as the private sector is increasingly under pressure to show how it filters and sells its customers’ data.

“GCHQ is happy to be part of a mature debate on privacy in the digital age. But privacy has never been an absolute right and the debate about this should not become a reason for postponing urgent and difficult decisions.”

Hannigan, who was born in Gloucestershire, not far from GCHQ’s base, has advised the prime minister on counter-terrorism, intelligence and security policy, goes on to take aim at the role of major technology companies. A senior Foreign Office official, Hannigan succeeded Sir Iain Lobban at the Cheltenham-based surveillance agency.

While not naming any company in particular, the GCHQ director writes: “To those of us who have to tackle the depressing end of human behaviour on the internet, it can seem that some technology companies are in denial about its misuse.

“I suspect most ordinary users of the internet are ahead of them: they have strong views on the ethics of companies, whether on taxation, child protection or privacy; they do not want the media platforms they use with their friends and families to facilitate murder or child abuse.”

Hannigan asserts that the members of the public “know” the internet grew out of the values of western democracy and insists that customers of the technology firms he criticises would be “comfortable with a better, more sustainable relationship between the agencies and the technology companies.”

Heading towards the 25th anniversary of the creation of the world wide web, he calls for a “new deal” between democratic governments and the technology companies in the area of protecting citizens.

“It should be a deal rooted in the democratic values we share. That means addressing some uncomfortable truths. Better to do it now than in the aftermath of greater violence.”

In the same piece, Hannigan says Isis differs from its predecessors in the security of its communications, presenting an even greater challenge to the security services.

He writes: “Terrorists have always found ways of hiding their operations. But today mobile technology and smartphones have increased the options available exponentially.

“Techniques for encrypting messages or making them anonymous which were once the preserve of the most sophisticated criminals or nation states now come as standard. These are supplemented by freely available programs and apps adding extra layers of security, many of them proudly advertising that they are ‘Snowden approved’. There is no doubt that young foreign fighters have learnt and benefited from the leaks of the past two years.”

Among the advocates of privacy protection who reacted to Hannigan’s comments, the deputy director of Privacy International, Eric King, said: “It’s disappointing to see GCHQ’s new director refer to the internet – the greatest tool for innovation, access to education and communication humankind has ever known – as a command-and-control network for terrorists.”

King added: “Before he condemns the efforts of companies to protect the privacy of their users, perhaps he should reflect on why there has been so much criticism of GCHQ in the aftermath of the Snowden revelations. GCHQ’s dirty games – forcing companies to handover their customers’ data under secret orders, then secretly tapping the private fibre optic cables between the same companies’ data centres anyway – have lost GCHQ the trust of the public, and of the companies whose services we use. Robert Hannigan is right, GCHQ does need to enter the public debate about privacy - but attacking the internet isn’t the right way to do it.”

The Electronic Frontier Foundation (EFF) meanwhile rejected the notion that an agreement between companies and governments was needed.

Jillian York, director of international free expression at EFF said: “A special “deal” between governments and companies isn’t necessary - law enforcement can conduct open source intelligence on publicly-posted content on social networks, and can already place legal requests with respect to users. Allowing governments special access to private content is not only a violation of privacy, it may also serve to drive terrorists underground, making the job of law enforcement even more difficult.”

Welcoming Hannigan’s participation in the public debate, the Labour Party MP Tom Watson said it helped to map out where we should draw the line on privacy and helps the same agencies “to rebuild their legitimacy post-Snowden”.
But he added: “I hope they do not confuse the use of public propaganda through social media by extremists with the use of the covert communications. It is illogical to say that because Isis use Twitter, all our metadata should be collected without warrant.”

Hannigan’s comments come after the director of the FBI, James Comey, called for “a regulatory or legislative fix” for technology companies’ expanding use of encryption to protect user privacy.

Reacting last month to the introduction of strong default encryption by Apple and Google on their latest mobile operating systems, Comey said “the post-Snowden pendulum has swung too far in one direction - in a direction of fear and mistrust.”

“Justice may be denied because of a locked phone or an encrypted hard drive,” said Comey. Without a compromise, “homicide cases could be stalled, suspects could walk free, and child exploitation victims might not be identified or recovered.”

From coderman at gmail.com Mon Nov 3 22:44:47 2014
From: coderman at gmail.com (coderman)
Date: Mon, 3 Nov 2014 22:44:47 -0800
Subject: cypherpunk consortium for carefree crossings
Message-ID:

regarding border crossing behaviors of the powers that be, it seems the most expedient response to detainments and data dupe'ings [0][1][2] is to answer with deterrent.

possibilities to dissuade dastardly detours:

- sunlight the best disinfectant; publicize attempts at intimidation and friction at crossings.
- every detainment incurs a disclosure of intelligence collection technique. (requires a pool of un-disclosed spook ballast)
- every detour spurs privacy enhancing technology development. a bounty for the most desired improvements, aggressive tactics lead directly to more users, better features, stronger privacy.

other ideas? how many Tor trac tickets threatened to be developed to ensure ioerror a safe domestic passage?

best regards,

0. "... her work has been hampered by constant harassment by border agents during more than three dozen border crossings into and out of the United States. She has been detained for hours and interrogated and agents have seized her computer, cell phone and reporters notes and not returned them for weeks."
- https://en.wikipedia.org/wiki/Laura_Poitras#Government_surveillance

1. "I'm flying back to the US after writing about helping Ed Snowden and the journalists he leaked documents to. Wish me luck at the border."
- https://twitter.com/micahflee/status/529191556897443840

2. "I'm looking forward to the time when we don't have to worry about politically motivated US border harassment. A distant time, probably."
- https://twitter.com/ioerror/status/529206920838930433

From coderman at gmail.com Tue Nov 4 00:09:59 2014
From: coderman at gmail.com (coderman)
Date: Tue, 4 Nov 2014 00:09:59 -0800
Subject: Fwd: [seL4 Announce] seL4-based "RefOS" released
In-Reply-To:
References:
Message-ID:

---------- Forwarded message ----------
From: Announcements about seL4 — low volume list
Date: Tue, 4 Nov 2014 06:12:54 +0000
Subject: [seL4 Announce] seL4-based "RefOS" released

Today we announce the release of the RefOS project. RefOS is an OS personality that runs on seL4. RefOS stands for "Reference OS", the aspirational goal of the project, which is to provide a reference OS personality for seL4.

RefOS is a student project built as a case study to explore more dynamic virtual memory (VM) management systems than the typical static systems architected on separation kernels. When compared to statically allocated systems, a key difference (and complexity) of dynamic VM management is relaxing the assumption that virtual memory (and memory objects) are managed by a single task upon the microkernel (or by the microkernel itself).
RefOS has a distributed VM framework inspired by the Sawmill VM framework [1], though differing in the centralisation of some core book-keeping into a single server (mainly fault forwarding and mapping authorisation). An additional goal of the project was to create tension between user-level and kernel-level VM primitives to enable ongoing kernel experimentation in the area of higher-level VM abstractions. The current functionality of RefOS consists of processes, an in-memory boot-image file server, and console support. Additionally, some games and test applications have been ported to the system. RefOS is available at https://github.com/seL4/refos-manifest under a "BSD 2-Clause" license. [1] Mohit Aron, Jochen Liedtke, Kevin Elphinstone, Yoonho Park, Trent Jaeger, and Luke Deller. 2001. The sawmill framework for virtual memory diversity. In Proceedings of the 6th Australasian conference on Computer systems architecture (ACSAC '01). IEEE Computer Society, Washington, DC, USA, 3-10. From jya at pipeline.com Tue Nov 4 04:15:59 2014 From: jya at pipeline.com (John Young) Date: Tue, 04 Nov 2014 07:15:59 -0500 Subject: Privacy has always been a fight against rulers and funders In-Reply-To: References: Message-ID: Verifying US-UK concordance, with FBI head, Director of NSA said much the same as GCHQ to the US Chamber of Commerce on October 28, 2014: https://www.nsa.gov/public_info/speeches_testimonies/28oct14_dirnsa.shtml These heads of spy and LE agencies are proposing that companies and citizens continue to serve and become spies, agents, informers, coverts in mirroring their enemies of their security states. And not only are asking for patriotic volunteers by sticks of fear and aiding the enemy but contracting for services by carrots of privileged briefings, access, profits and tax write-offs. No wonder oligarchs are increasing and are rushing to aid and abet spies in all countries. 
Will First Look's Racket magazine come to life to join The Intercept, so buzzworthily named to fit what they do: front for First Look Media's invention and distribution of comsec products which if true to the ancients' practice will spy on the populace with everylasting panoptic look. This is hardly new, indeed is as old as governments and their precursor "lawful" rulers of the populace which cannot be trusted with anarchic self-rule, much less armed with treasonous cryptoanarchy for absolute right to privacy from rulers. Even this list of rogues was founded and struggles to survive on its impossible mission to resist this ancient history and current fervor of duplicity and dual-use of the ever growing family of securities -- personal, home, clan, region, nation, global, religion, ideology -- deployed to simultaneously attack and protect the populace by declaring who is insider and who is outsider, take your pick, save your life. Us or them. Divide and conquer. Praise and smear. Lop heads and drone. Imprison and exile. Significantly for this clan, comsec remains an essential tool for attacking and protecting. It annoys the masters of comsec no end for rogues to mess with their command and control communications and ubiquitous civic spying operations. It requires recruitment of comsec rogues to mess with rogues, as amply demonstrated here and other security fora where coders and hackers are prime candidates for quietly switching sides, remaining in place, covertly informing, sabotaging, implanting, faulting, I/O erroring, pretending opposition to the state, stashing their fees, teaching cryptology, advising NGOs, counseling dissidents, whistling Dixie for media and audiences, advocating openness, disclosing shallow vulns to hide the deeper. 
This list goes on, as evidenced here and on the gobs of freedom of information outlets which have spread as widely as the Internet, black net, deep net, chats, OTRs, Tor, and now cellphone webs and swarms of earnest instigators indistinguishable from TLAs taking 100% and giving back at best 50%, with bountiful support from freedom-loving oligarchs, soliciting volunteers, paying overseers of volunteers, accruing profits by shifting taxation to the populace for their protection and spying on it to assure system security, oiled with bounties, bonuses and Sabu-grade walk-frees awards for whistleblowing on the whistleblowing, and not least, enduring legal fees for ACLU-grade justice tipped against opposition to civil liberties racketeering aided and abetted by backdoored comsec also known as rule of law. From coderman at gmail.com Tue Nov 4 11:57:55 2014 From: coderman at gmail.com (coderman) Date: Tue, 4 Nov 2014 11:57:55 -0800 Subject: open ASIC SoC Message-ID: given interest in open source privacy enhancing technologies, what about open ASIC SoC for privacy routers and other hw?
- 32bit RISC opencores. http://cdn.opencores.org/pdf/or1k-asic.pdf
- TRNG series as native instruction; avalanche + RF + slow sampled from fast pair into aligned memory target as raw samples, each source tunable via MSR. http://www.cryptography.com/public/pdf/VIA_rng.pdf , http://moonbaseotago.com/onerng/
- Fab with chain of custody via domestic 22-nm foundry services. (Intel, other?)
- Random quality and critical component validation with a FEI Versa 3D tear down , http://siliconexposed.blogspot.de/2014/03/getting-my-feet-wet-with-invasive_31.html
what else required? (IOMMU isolation?) From coderman at gmail.com Tue Nov 4 12:08:01 2014 From: coderman at gmail.com (coderman) Date: Tue, 4 Nov 2014 12:08:01 -0800 Subject: open ASIC SoC In-Reply-To: References: Message-ID: On 11/4/14, coderman wrote: > ... slow sampled from fast pair ...
currently running a long /dev/random cat with mtrngd adding entropy per post-processed XSTORE reads,
hwrng read bytes: 531147747500
entropy add bytes: 530776765056
good fips blocks: 212310709
bad fips blocks: 148390
poker run failures: 3516205
bit run failures: 3376041
long run failures: 72955
monobit failures: 63584
continuous run failures: 11896
1Ghz dual entropy source Padlock engine. more than you'll ever need... contrast XSTORE running at max rates and mixing / compressing in userspace with RDRAND/RDSEED allowing zero visibility for confirmation of expected underlying bit generator behavior. From ted-lists at xy0.org Tue Nov 4 09:42:35 2014 From: ted-lists at xy0.org (Ted W.) Date: Tue, 04 Nov 2014 12:42:35 -0500 Subject: BitLocker, OneDrive, PRISM In-Reply-To: <83235650.AvCTPMTW7N@lapuntu> References: <83235650.AvCTPMTW7N@lapuntu> Message-ID: <5459100B.3010109@xy0.org> On 11/02/2014 03:44 PM, rysiek wrote: > Hi there, > > WTF am I reading? > http://cryptome.org/2014/11/ms-onedrive-nsa-prism.htm > > "... because the [BitLocker] recovery key is automatically stored in SkyDrive > for you." > Funny that it uploads your Bitlocker key to SkyDrive yet Microsoft has yet to implement any kind of formal key escrow in Active Directory... -- Ted W. From kanzure at gmail.com Tue Nov 4 12:30:44 2014 From: kanzure at gmail.com (Bryan Bishop) Date: Tue, 4 Nov 2014 14:30:44 -0600 Subject: open ASIC SoC In-Reply-To: References: Message-ID: On Tue, Nov 4, 2014 at 1:57 PM, coderman wrote: > given interest in open source privacy enhancing technologies, > what about open ASIC SoC for privacy routers and other hw? Are there any open-source ASICs for wifi, bluetooth, gsm, cdma, or other communication chips?
I briefly glanced and saw: http://opencores.org/project,bluespec-80211atransmitter http://opencores.org/project,bluetooth https://github.com/RangeNetworks/openbts only slightly related to my request: https://github.com/travisgoodspeed/80211scrambler https://github.com/ewa/802.11-data > - Fab with chain of custody via domestic 22-nm foundry services. (Intel, other?) I would appreciate any references or links you can provide me to working chains of custody and their threat models. I am curious to see what a good one looks like. I think that chain of custody is going to be problematic because of dopant-level trojans, which can probably sneak past chain of custody systems. (There are ways to detect dopant-level trojans, but they are expensive and annoying. Still, better than nothing of course.) - Bryan http://heybryan.org/ 1 512 203 0507 From eugen at leitl.org Tue Nov 4 09:36:15 2014 From: eugen at leitl.org (Eugen Leitl) Date: Tue, 4 Nov 2014 18:36:15 +0100 Subject: Crypto War Redux In-Reply-To: References: Message-ID: <20141104173615.GG10467@leitl.org> On Mon, Nov 03, 2014 at 09:05:10AM -0500, John Young wrote: > My source: > http://www.reddit.com/r/snowden/comments/2l5fnm/software_companies_now_on_notice_that_encryption/ > (posted by "platypusmusic", who often has very good posts on Reddit, > especially in the /r/snowden: http://www.reddit.com/r/snowden/ ) There's also https://www.reddit.com/r/cypherpunks which could use some tender love and caring, and be it just by way of crossposts from the usual suspect subreddits. From coderman at gmail.com Wed Nov 5 00:41:54 2014 From: coderman at gmail.com (coderman) Date: Wed, 5 Nov 2014 00:41:54 -0800 Subject: open ASIC SoC In-Reply-To: References: Message-ID: On 11/4/14, Bryan Bishop wrote: > ... > Are there any open-source ASICs for wifi, bluetooth, gsm, cdma, or > other communication chips? build in array of direct quadrature modulator circuits (RFIC) in the desired bands for software stacks across all of the above. 
that gets you performance and efficiency, all in one! (or many, as it were) there are open source SDR stacks for some of the above, however, traditional SDR as crudely shoved into a SoC would not work so well. this is a longer discussion, of course :) > I would appreciate any references or links you can provide me to > working chains of custody and their threat models. I am curious to see > what a good one looks like. a trusted set of auditors is on premise able to observe the wafer processing, litho, etc. to die prep and packing, with device testing results for each core attached. packages collected till end of run, then trusted auditors depart with the set of presumably trusted fabrication parts. > I think that chain of custody is going to > be problematic because of dopant-level trojans,... the selective FIB deconstruction to verify, along with constructions resistant to stealthy dopant tampering, could leave you more confident that the set of chips so run were not surreptitiously tampered with. obviously, if chain of custody ever broken, the chips become suspect. this is all an amusing thought exercise, given the complete lack of anything remotely as hard to run software wise on top of this idealistic open soc :) best regards, From odinn.cyberguerrilla at riseup.net Tue Nov 4 17:54:58 2014 From: odinn.cyberguerrilla at riseup.net (odinn) Date: Wed, 05 Nov 2014 01:54:58 +0000 Subject: Wind River Security Features and Cryptography Libraries In-Reply-To: References: Message-ID: <54598372.8090804@riseup.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 THIS IS WHY IT'S BETTER to just anonymously release some open source project to the world. People want to make a bunch of money on advanced encryption and have a public-facing corporation, they are gonna get slammed somehow sooner or later, whether it's by way of a federal so-called "code audit" or via innovation-killing punishment when people dare to use encryption generated in the US, (shudder! 
_outside_ of the US. The success of Silent Circle notwithstanding, considering also case(s) of organizations that have gone through seppuku when threatened by authorities, I think better models for good encryption (that aren't going to have its legal problems) are those which are similar to the model of Whisper Systems (TextSecure, Redphone), and better yet, just totally non-organizational / anonymous releases or commits of which there are not thousands, but millions, and growing. - -o John Young wrote: > Wind River Security Features and Cryptography Libraries (which > appear to be the basis of the $750,000 fine by BIS) > > http://cryptome.org/2014/11/wind-river-security-crypto.pdf > > > - -- http://abis.io ~ "a protocol concept to enable decentralization and expansion of a giving economy, and a new social good" https://keybase.io/odinn From grarpamp at gmail.com Wed Nov 5 00:18:19 2014 From: grarpamp at gmail.com (grarpamp) Date: Wed, 5 Nov 2014 03:18:19 -0500 Subject: Cody Wilson to run for Bitcoin Foundation board, plans its destruction Message-ID: http://upstart.bizjournals.com/entrepreneurs/hot-shots/2014/11/04/cody-wilson-to-run-for-bitcoin-foundation-board.html?page=all From uwecerron at gmail.com Wed Nov 5 02:52:25 2014 From: uwecerron at gmail.com (uwecerron at gmail.com) Date: Wed, 5 Nov 2014 05:52:25 -0500 Subject: What NSA Is Doing to Improve Security Post-Snowden In-Reply-To: <5459FDBA.2010403@posteo.de> References: <5459FDBA.2010403@posteo.de> Message-ID: <457D7A80-6D21-43BA-9D35-19BE97B4C301@gmail.com>
have you considered he is targeting to a less educated audience? > On Nov 5, 2014, at 5:36 AM, "George W. Maschke" wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 > > NSA Director Mike Rogers spoke at Stanford University's Hoover > Institute this past weekend, and a faculty member asked him what the > NSA is doing with regards to personnel security to stop another > incident like Edward Snowden's release of classified documents. > > Interestingly, the first and primary measure that the NSA director > mentioned was polygraph testing. It's interesting because polygraphy > is a thoroughly discredited pseudoscience. It depends on the person > being "tested" being ignorant of the trickery on which the procedure > relies. > > How ironic that America's most technologically sophisticated > intelligence agency relies on early 20th century pseudoscience as the > keystone of its personnel security program. > > For additional commentary, see "NSA Director Mike Rogers on Polygraph > Screening" on the AntiPolygraph.org blog: > > https://antipolygraph.org/blog/2014/11/04/nsa-director-mike-rogers-on-polygraph-screening/ > > > George Maschke > PGP Public Key: 316A947C
From cathalgarvey at cathalgarvey.me Wed Nov 5 01:21:12 2014 From: cathalgarvey at cathalgarvey.me (Cathal (Phone)) Date: Wed, 05 Nov 2014 09:21:12 +0000 Subject: open ASIC SoC In-Reply-To: References: Message-ID: <3A7EBCF4-8A58-4F26-93EB-580D3747EA4D@cathalgarvey.me> Given the difficulty of trusting auditors and ensuring they see all they need to see, why not push instead for crypto FPGA: consumer hardware, widely available. Probably hard to dope-trojan without breaking, and cleverly random allocation of transistors to the HWPRNG could mitigate. An open fpga with an open stack would not only be more trustworthy for crypto, I think it'd help legitimise and pave way for small-batch ASIC, too. On 5 November 2014 08:41:54 GMT+00:00, coderman wrote: >On 11/4/14, Bryan Bishop wrote: >> ... >> Are there any open-source ASICs for wifi, bluetooth, gsm, cdma, or >> other communication chips? > >build in array of direct quadrature modulator circuits (RFIC) in the >desired bands for software stacks across all of the above. that gets >you performance and efficiency, all in one! (or many, as it were) > >there are open source SDR stacks for some of the above, however, >traditional SDR as crudely shoved into a SoC would not work so well. >this is a longer discussion, of course :) > > > >> I would appreciate any references or links you can provide me to >> working chains of custody and their threat models. I am curious to >see >> what a good one looks like. > >a trusted set of auditors is on premise able to observe the wafer >processing, litho, etc. to die prep and packing, with device testing >results for each core attached. > >packages collected till end of run, then trusted auditors depart with >the set of presumably trusted fabrication parts. > > > >> I think that chain of custody is going to >> be problematic because of dopant-level trojans,... > >the selective FIB deconstruction to verify, along with constructions >resistant to stealthy dopant tampering, could leave you more confident >that the set of chips so run were not surreptitiously tampered with. > >obviously, if chain of custody ever broken, the chips become suspect. > > > >this is all an amusing thought exercise, given the complete lack of >anything remotely as hard to run software wise on top of this >idealistic open soc :) > > >best regards, -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
From l at odewijk.nl Wed Nov 5 00:58:33 2014 From: l at odewijk.nl (Lodewijk andré de la porte) Date: Wed, 5 Nov 2014 09:58:33 +0100 Subject: Cody Wilson to run for Bitcoin Foundation board, plans its destruction In-Reply-To: References: Message-ID: Without Gavin on board there's very little sense to the Bitcoin Foundation. What could it do except foster corporate interests? On the other hand, it was made to foster early adopter interest. And isn't it doing mostly fine? On Nov 5, 2014 9:32 AM, "grarpamp" wrote: > > http://upstart.bizjournals.com/entrepreneurs/hot-shots/2014/11/04/cody-wilson-to-run-for-bitcoin-foundation-board.html?page=all > From georgemaschke at posteo.de Wed Nov 5 02:36:42 2014 From: georgemaschke at posteo.de (George W.
Maschke) Date: Wed, 05 Nov 2014 10:36:42 +0000 Subject: What NSA Is Doing to Improve Security Post-Snowden Message-ID: <5459FDBA.2010403@posteo.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 NSA Director Mike Rogers spoke at Stanford University's Hoover Institute this past weekend, and a faculty member asked him what the NSA is doing with regards to personnel security to stop another incident like Edward Snowden's release of classified documents. Interestingly, the first and primary measure that the NSA director mentioned was polygraph testing. It's interesting because polygraphy is a thoroughly discredited pseudoscience. It depends on the person being "tested" being ignorant of the trickery on which the procedure relies. How ironic that America's most technologically sophisticated intelligence agency relies on early 20th century pseudoscience as the keystone of its personnel security program. For additional commentary, see "NSA Director Mike Rogers on Polygraph Screening" on the AntiPolygraph.org blog: https://antipolygraph.org/blog/2014/11/04/nsa-director-mike-rogers-on-polygraph-screening/ George Maschke PGP Public Key: 316A947C From georgemaschke at posteo.de Wed Nov 5
04:35:08 2014 From: georgemaschke at posteo.de (George W. Maschke) Date: Wed, 05 Nov 2014 12:35:08 +0000 Subject: What NSA Is Doing to Improve Security Post-Snowden In-Reply-To: <1415186645.3452260.187308005.3C5F8559@webmail.messagingengine.com> References: <5459FDBA.2010403@posteo.de> <1415186645.3452260.187308005.3C5F8559@webmail.messagingengine.com> Message-ID: <545A197C.2000000@posteo.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Alfie, The NSA director mentioned other personnel security measures that he wasn't prepared to elaborate on, and I suspect that one of these is indeed the electronic monitoring of personnel. Last year, I heard from a U.S. Navy SIGINTer that when he reported for a recent polygraph, he was presented with a printout of logs detailing his web browsing the night before, on his personal computer using his personal ISP. The polygraph operator confronted him about having visited AntiPolygraph.org and then set about trying to discredit the information we provide. This person said they'd provide further details later in the day, but never wrote back and did not respond to repeated follow-up inquiries: https://antipolygraph.org/blog/2013/10/20/is-antipolygraph-org-being-targeted-by-the-nsa/ George Maschke PGP Public Key: 316A947C Alfie John: > On Wed, Nov 5, 2014, at 09:36 PM, George W. Maschke wrote: >> Interestingly, the first and primary measure that the NSA >> director mentioned was polygraph testing. It's interesting >> because polygraphy is a thoroughly discredited pseudoscience. It >> depends on the person being "tested" being ignorant of the >> trickery on which the procedure relies. >> >> How ironic that America's most technologically sophisticated >> intelligence agency relies on early 20th century pseudoscience as >> the keystone of its personnel security program. > > Does that also mean that the CIA are down in Moscow tracking > Snowden with Dowsing rods? > > But seriously folks, think for a second about the levels of > paranoia right now at the NSA's HR department. They know that any > future applicant could be another Snowden, so what are the chances > that these new measures include using PRISM selectors on candidates > to look for dirt or even nude selfies^W^WSIGLOVE? > > Alfie >
From l at odewijk.nl Wed Nov 5 05:01:25 2014 From: l at odewijk.nl (Lodewijk andré de la porte) Date: Wed, 5 Nov 2014 14:01:25 +0100 Subject: BitLocker, OneDrive, PRISM In-Reply-To: <5459100B.3010109@xy0.org> References: <83235650.AvCTPMTW7N@lapuntu> <5459100B.3010109@xy0.org> Message-ID: I stopped being surprised about stuff like this. Silicon Valley exists to provide technological supremacy and/or hoard private information through temptation rather than force. To clarify: the approach currently employed by the NSA is funding and otherwise supporting and coordinating subverted or subvertable technological companies. The companies will then deliver a product with superior fitness for whatever purpose it pertains to serve.
People will use the product for those features, forgetting or not knowing it also obliterates their privacy and leaks all information to the TLA's. The American government thusly provides a platform for the enhancement of technology, the economy and the national security. Overall, pretty damn good deal. It's unlikely that Google rules the NSA or vice versa. Most likely the colossus goes where the colossus goes, and the NSA steals through its massive infrastructure like lice in its pelt. Unlike lice, the NSA is entirely symbiotic with Google. They exert force, mutually, for control, but so long as people use Google, Google will collect and the NSA will see. The same applies to every other tech startup out there. Note that "compliance" can be subtle. It can be a National Security Letter to key individuals, a janitor or a CEO, or it can be an undetectable exploit in a router. It can be an undercover agent that came upon good knowledge of how to achieve a key position. Most likely a wealth of methods is used simultaneously, none admitted and without mutual knowledge of activities. If not, dear NSA, please take this as a humble recommendation. So, does it surprise me that through incompetence, compliance, negligence, malintent or all of the above, this happened? Nah. Tell me once USGOV starts jailing people for these slights. Being too obvious about it should be punished, don't you think? From tbiehn at gmail.com Wed Nov 5 11:59:05 2014 From: tbiehn at gmail.com (Travis Biehn) Date: Wed, 5 Nov 2014 14:59:05 -0500 Subject: Cody Wilson to run for Bitcoin Foundation board, plans its destruction In-Reply-To: References: Message-ID: Isn't the foundation only as effective as its ability to liaise with major pool operators?
On Wed, Nov 5, 2014 at 3:58 AM, Lodewijk andré de la porte wrote: > Without Gavin on board there's very little sense to the Bitcoin > Foundation. What could it do except foster corporate interests? > > On the other hand, it was made to foster early adopter interest. And isn't > it doing mostly fine? > On Nov 5, 2014 9:32 AM, "grarpamp" wrote: > >> >> http://upstart.bizjournals.com/entrepreneurs/hot-shots/2014/11/04/cody-wilson-to-run-for-bitcoin-foundation-board.html?page=all >> > -- Twitter | LinkedIn | GitHub | TravisBiehn.com | Google Plus From coderman at gmail.com Wed Nov 5 15:30:04 2014 From: coderman at gmail.com (coderman) Date: Wed, 5 Nov 2014 15:30:04 -0800 Subject: open ASIC SoC In-Reply-To: <3A7EBCF4-8A58-4F26-93EB-580D3747EA4D@cathalgarvey.me> References: <3A7EBCF4-8A58-4F26-93EB-580D3747EA4D@cathalgarvey.me> Message-ID: On 11/5/14, Cathal (Phone) wrote: > Given the difficulty of trusting auditors and ensuring they see all they > need to see, why not push instead for crypto FPGA... FPGAs have been used to augment computation ever since they were developed. (i remember back in the early 90's being able to buy a PCI FPGA add-on card for accelerated computation) the problem is efficiency, and in a size pressured SoC design efficiency (which in turn drives power consumption) is paramount. not to say it isn't useful, but an FPGA processor compared to a tight, ASIC SoC, is going to lose by an order of magnitude. i would however be keen to see how some FPGA components on a RFIC integrated ASIC SoC could help DSP and related processing with flexibility while leaving the ASIC core for performance. fun considerations... too bad nearly everyone in position to contribute to such an effort is chained by NDAs, Secrecy Acts, or other binding Confidentiality clauses.
best regards, From alfiej at fastmail.fm Wed Nov 5 03:24:05 2014 From: alfiej at fastmail.fm (Alfie John) Date: Wed, 05 Nov 2014 22:24:05 +1100 Subject: What NSA Is Doing to Improve Security Post-Snowden In-Reply-To: <5459FDBA.2010403@posteo.de> References: <5459FDBA.2010403@posteo.de> Message-ID: <1415186645.3452260.187308005.3C5F8559@webmail.messagingengine.com> On Wed, Nov 5, 2014, at 09:36 PM, George W. Maschke wrote: > Interestingly, the first and primary measure that the NSA director > mentioned was polygraph testing. It's interesting because > polygraphy is a thoroughly discredited pseudoscience. It depends > on the person being "tested" being ignorant of the trickery on > which the procedure relies. > > How ironic that America's most technologically sophisticated > intelligence agency relies on early 20th century pseudoscience as the > keystone of its personnel security program. Does that also mean that the CIA are down in Moscow tracking Snowden with Dowsing rods? But seriously folks, think for a second about the levels of paranoia right now at the NSA's HR department. They know that any future applicant could be another Snowden, so what are the chances that these new measures include using PRISM selectors on candidates to look for dirt or even nude selfies^W^WSIGLOVE? Alfie -- Alfie John alfiej at fastmail.fm From grarpamp at gmail.com Wed Nov 5 20:58:43 2014 From: grarpamp at gmail.com (grarpamp) Date: Wed, 5 Nov 2014 23:58:43 -0500 Subject: [tor-relays] [tor-talk] Platform diversity in Tor network [was: OpenBSD doc/TUNING] In-Reply-To: References: <545A64A0.8030300@mykolab.com> Message-ID: >> I'd agree simply because Windows presents a much larger attack surface. The >> amount of code running on a minimal Unix installation plus Tor is a lot less >> than a Windows system, especially network facing code. > ... > Running code, or network accessible code? Either way I don't see how > you came to that calculation.
'Minimal' Unix + Tor + SSH restricted > by SSH Key vs 'Minimal' Windows + Tor + RDP restricted by Client > Certificate. I also don't know what you mean by 'minimal' as very few > ... > I think a Windows Server, properly configured, is roughly as secure as > a properly configured Linux Server. > ... > I think there have been more bugs that result in RCE on production > Linux servers running SSH and a webserver in the past 4 years than > there have been in production Windows servers running RDP and IIS. > ... > I think if you're pointing fingers at China and the NSA, you should > assume they have RCE in both Windows and Linux. > ... > I think running relays on Windows Servers is no worse than running > relays on Linux Servers, and therefore it is good to do, because it > adds diversity to the network. Attack surface on a well adminned relay comes down to three things: - Network stack itself (kernel) - Daemon software itself (tor + remote admin) - Their respective use of other kernel/library/shell provided resources. I might suggest the current proportion of Windows to Linux is roughly ideal. This is primarily because, all other things set equal at 'minimal' (= tor + remote admin), good adminning, and good control of corporate secrets (or moles)... Windows still has one huge strategic weakness at that point... the magic packet. It's the whole binary vs. opensource argument. So essentially, the correct ratio of the two might be the odds you place that a binary OS has a magic packet. Today's node count shows 73% to opensource platforms. I'd suspect 73% is about where a lot of analysts might bet on Windows being magical, whether by/for the NSA, or any other reason or source. (Remember this... https://en.wikipedia.org/wiki/NSAKEY That was just from running 'strings'. Good luck trolling all of Windows with a disassembler... a nice fat payoff if you do. And the number of disassembling vs. opensource auditors is probably even more heavily skewed. 
And Windows is 'trusted' by buyers, nor can you replicate their binaries from any 'source code sharing agreements'. Then it's Patch Tuesday again... so it could be no one has or ever will disassemble audit it. So odds end up being pitched instead. And for many applications, that's good enough.) The real problem below is the 96% allocation of opensource to Linux and 4% to Other opensource. That's something that should be fixed. For these purposes, it doesn't matter which BSD/Other you pick... once you get the security odds there back towards say 50:50 Linux:Other, then you can debate userland and relative security amongst them all you want. Here's some links to get you started, including two other main branches of the Unix Kernel family tree at the bottom...

5939 Linux
1591 Windows
 173 FreeBSD http://www.freebsd.org/
  56 Darwin
  44 OpenBSD http://www.openbsd.org/
   7 NetBSD http://netbsd.org/
   6 SunOS
   4 Bitrig https://www.bitrig.org/
   2 GNU/kFreeBSD https://www.debian.org/ports/kfreebsd-gnu/
   2 DragonFly http://www.dragonflybsd.org/
   0 Illumos (OpenSolaris) http://wiki.illumos.org/display/illumos/Distributions
   0 Minix http://www.minix3.org/

Official metrics... https://metrics.torproject.org/network.html

Someone should really do an analysis of platform vs. exit bandwidth as well. Anyone? Also, isn't there some project out there that is counting the historical number of kernel bugs+severity per OS over time? [To cpunks to cover all the other volunteer node based networks out there that could benefit from tuning their platform ratios.]
From coderman at gmail.com Thu Nov 6 01:00:59 2014 From: coderman at gmail.com (coderman) Date: Thu, 6 Nov 2014 01:00:59 -0800 Subject: open ASIC SoC In-Reply-To: References: <3A7EBCF4-8A58-4F26-93EB-580D3747EA4D@cathalgarvey.me> Message-ID: On 11/5/14, Cathal (Phone) wrote: > Given the difficulty of trusting auditors and ensuring they see all they > need to see, perhaps relevant: "With over $6.5 billion in high-tech investments, CNSE's 800,000-square-foot (74,000 m2) Albany NanoTech Complex features the only fully integrated, 300 mm wafer, computer chip pilot prototyping and demonstration line..." - https://en.wikipedia.org/wiki/SEMATECH From grarpamp at gmail.com Wed Nov 5 22:17:52 2014 From: grarpamp at gmail.com (grarpamp) Date: Thu, 6 Nov 2014 01:17:52 -0500 Subject: cypherpunk consortium for carefree crossings In-Reply-To: References: Message-ID: On Tue, Nov 4, 2014 at 1:44 AM, coderman wrote: > it seems the most expedient response to detainments and data dupe'ings > other ideas? That their duplicators aren't immune to USB and other firmware exploits that are plugged into them, that they're network connected, that... Oh the wonderful things security researchers carry with them. From coderman at gmail.com Thu Nov 6 01:24:57 2014 From: coderman at gmail.com (coderman) Date: Thu, 6 Nov 2014 01:24:57 -0800 Subject: Fwd: [Announce] GnuPG 2.1.0 "modern" released In-Reply-To: <87ioisn1mo.fsf@vigenere.g10code.de> References: <87ioisn1mo.fsf@vigenere.g10code.de> Message-ID: ---------- Forwarded message ---------- From: Werner Koch Date: Thu, 06 Nov 2014 10:01:51 +0100 Subject: [Announce] GnuPG 2.1.0 "modern" released Hello! The GnuPG Project is pleased to announce the availability of a new release: Version 2.1.0. The GNU Privacy Guard (GnuPG) is a complete and free implementation of the OpenPGP standard as defined by RFC-4880 and better known as PGP. 
GnuPG, also known as GPG, allows to encrypt and sign data and communication, features a versatile key management system as well as access modules for public key directories. GnuPG itself is a command line tool with features for easy integration with other applications. A wealth of frontend applications and libraries making use of GnuPG are available. Since version 2 GnuPG provides support for S/MIME and Secure Shell in addition to OpenPGP.

GnuPG is Free Software (meaning that it respects your freedom). It can be freely used, modified and distributed under the terms of the GNU General Public License.

Three different versions of GnuPG are actively maintained:

- GnuPG "modern" (2.1) is the latest development with a lot of new features. This announcement is about the first release of this version.

- GnuPG "stable" (2.0) is the current stable version for general use. This is what most users are currently using.

- GnuPG "classic" (1.4) is the old standalone version which is most suitable for older or embedded platforms.

You may not install "modern" (2.1) and "stable" (2.0) at the same time. However, it is possible to install "classic" (1.4) along with any of the other versions.

What's New in GnuPG-2.1
=======================

- The file "secring.gpg" is not anymore used to store the secret keys. Merging of secret keys is now supported.

- All support for PGP-2 keys has been removed for security reasons.

- The standard key generation interface is now much leaner. This will help a new user to quickly generate a suitable key.

- Support for Elliptic Curve Cryptography (ECC) is now available.

- Commands to create and sign keys from the command line without any extra prompts are now available.

- The Pinentry may now show the new passphrase entry and the passphrase confirmation entry in one dialog.

- There is no more need to manually start the gpg-agent. It is now started by any part of GnuPG as needed.

- Problems with importing keys with the same long key id have been addressed.
- The Dirmngr is now part of GnuPG proper and also takes care of accessing keyserver.

- Keyserver pools are now handled in a smarter way.

- A new format for locally storing the public keys is now used. This considerably speeds up operations on large keyrings.

- Revocation certificates are now created by default.

- Card support has been updated, new readers and token types are supported.

- The format of the key listing has been changed to better identify the properties of a key.

- The gpg-agent may now be used on Windows as a Pageant replacement for Putty in the same way it is used for years on Unix as ssh-agent replacement.

- Creation of X.509 certificates has been improved. It is now also possible to export them directly in PKCS#8 and PEM format for use on TLS servers.

A detailed description of the changes can be found at https://gnupg.org/faq/whats-new-in-2.1.html .

Getting the Software
====================

Please follow the instructions found at https://gnupg.org/download/ or read on:

GnuPG 2.1.0 may be downloaded from one of the GnuPG mirror sites or direct from its primary FTP server. The list of mirrors can be found at https://gnupg.org/mirrors.html . Note that GnuPG is not available at ftp.gnu.org.

On ftp.gnupg.org you find these files:

  ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.0.tar.bz2 (3039k)
  ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.0.tar.bz2.sig

This is the GnuPG 2.1 source code compressed using BZIP2 and its OpenPGP signature.

  ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.0_20141105.exe (6225k)
  ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.0_20141105.exe.sig

This is an experimental installer for Windows including GPA as graphical key manager and GpgEX as an Explorer extension. Please de-install an already installed Gpg4win version before trying this installer. This binary version has not been tested very well, thus it is likely that you will run into problems.
The complete source code for the software included in this installer is in the same directory; use the suffix ".tar.xz" instead of ".exe".

Although several beta versions have been released over the course of the last years, no extensive public field test has been done. Thus it is likely that bugs will show up. Please check the mailing list archives and the new wiki https://wiki.gnupg.org for latest information on known problems and workaround.

Checking the Integrity
======================

In order to check that the version of GnuPG which you are going to install is an original and unmodified one, you can do it in one of the following ways:

* If you already have a version of GnuPG installed, you can simply verify the supplied signature. For example to verify the signature of the file gnupg-2.1.0.tar.bz2 you would use this command:

  gpg --verify gnupg-2.1.0.tar.bz2.sig

  This checks whether the signature file matches the source file. You should see a message indicating that the signature is good and made by one or more of the release signing keys. Make sure that this is a valid key, either by matching the shown fingerprint against a trustworthy list of valid release signing keys or by checking that the key has been signed by trustworthy other keys. See below for information on the signing keys.

* If you are not able to use an existing version of GnuPG, you have to verify the SHA-1 checksum. On Unix systems the command to do this is either "sha1sum" or "shasum".
Assuming you downloaded the file gnupg-2.1.0.tar.bz2, you would run the command like this:

  sha1sum gnupg-2.1.0.tar.bz2

and check that the output matches the first line from the following list:

  2fcd0ca6889ef6cb59e3275e8411f8b7778c2f33 gnupg-2.1.0.tar.bz2
  9907cb6509a0e63331b27a92e25c1ef956caaf3b gnupg-w32-2.1.0_20141105.exe
  28dc1365292c61fbb2bbae730d4158f425463c91 gnupg-w32-2.1.0_20141105.tar.xz

Release Signing Keys
====================

To guarantee that a downloaded GnuPG version has not been tampered with by malicious entities we provide signature files for all tarballs and binary versions. The keys are also signed by the long term keys of their respective owners. Current releases are signed by one or more of these four keys:

  2048R/4F25E3B6 2011-01-12
  Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
  Werner Koch (dist sig)

  rsa2048/E0856959 2014-10-29
  Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959
  David Shaw (GnuPG Release Signing Key)

  rsa2048/33BD3F06 2014-10-29
  Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06
  NIIBE Yutaka (GnuPG Release Key)

  rsa2048/7EFD60D9 2014-10-19
  Key fingerprint = D238 EA65 D64C 67ED 4C30 73F2 8A86 1B1C 7EFD 60D9
  Werner Koch (Release Signing Key)

You may retrieve these files from the keyservers using this command

  gpg --recv-keys 249B39D24F25E3B6 04376F3EE0856959 \
      2071B08A33BD3F06 8A861B1C7EFD60D9

The keys are also available at https://gnupg.org/signature_key.html and in the released GnuPG tarball in the file g10/distsigkey.gpg . Note that this mail has been signed using my standard PGP key.

Internationalization
====================

This new branch of GnuPG has support for 4 languages: French, German, Japanese, and Ukrainian. More translations can be expected with the next point releases.
Documentation
=============

If you used GnuPG in the past you should read the description of changes and new features at doc/whats-new-in-2.1.txt or online at https://gnupg.org/faq/whats-new-in-2.1.html

The file gnupg.info has the complete user manual of the system. Separate man pages are included as well but they have not all the details available in the manual. It is also possible to read the complete manual online in HTML format at https://gnupg.org/documentation/manuals/gnupg/ or in Portable Document Format at https://gnupg.org/documentation/manuals/gnupg.pdf .

The chapters on gpg-agent, gpg and gpgsm include information on how to set up the whole thing. You may also want to search the GnuPG mailing list archives or ask on the gnupg-users mailing lists for advice on how to solve problems. Many of the new features are around for several years and thus enough public knowledge is already available.

Support
=======

Please consult the archive of the gnupg-users mailing list before reporting a bug . We suggest to send bug reports for a new release to this list in favor of filing a bug at . For commercial support requests we keep a list of known service companies at: https://gnupg.org/service.html

The driving force behind the development of GnuPG is the company of its principal author, Werner Koch. Maintenance and improvement of GnuPG and related software takes up most of their resources. To allow him to continue this work he kindly asks to either purchase a support contract, engage g10 Code for custom enhancements, or to donate money: https://gnupg.org/donate/

Thanks
======

We have to thank all the people who helped with this release, be it testing, coding, translating, suggesting, auditing, administering the servers, spreading the word, and answering questions on the mailing lists. A final big Thank You goes to Hal Finney, who too early passed away this year. Hal worked on PGP and helped to make OpenPGP a great standard; it has been a pleasure having worked with him.
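The signature check from "Checking the Integrity" with the fingerprint comparison automated, as an added example that is not part of the announcement or of GnuPG's own tooling: it reads gpg's machine-readable `--status-fd` output and accepts a file only when a good signature comes from one of the four release keys listed in the announcement. The function names and the script name verify-release.sh are made up for this example.

```shell
#!/bin/sh
# Added example: pin `gpg --verify` to the release signing keys from the
# announcement instead of comparing the fingerprint on screen by eye.

# Fingerprints copied from the "Release Signing Keys" section, spaces removed.
RELEASE_FPRS="D8692123C4065DEA5E0F3AB5249B39D24F25E3B6
46CC730865BB5C78EBABADCF04376F3EE0856959
031EC2536E580D8EA286A9F22071B08A33BD3F06
D238EA65D64C67ED4C3073F28A861B1C7EFD60D9"

# is_release_fpr FPR
# Succeeds only if FPR (spaces and letter case ignored) is a full 40-digit
# fingerprint that appears in the pinned list. Short key ids never match.
is_release_fpr() {
    fpr=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    [ "${#fpr}" -eq 40 ] || return 1
    printf '%s\n' "$RELEASE_FPRS" | grep -qxF "$fpr"
}

# status_is_trusted
# Reads `gpg --status-fd` lines on stdin. Policy of this example:
#   - any BADSIG, EXPKEYSIG or REVKEYSIG line rejects the file;
#   - at least one VALIDSIG must name a pinned key. In a VALIDSIG line the
#     first argument is the signing key's fingerprint and the last one the
#     primary key's fingerprint, so a signing subkey of a pinned key passes;
#   - signatures gpg could not check (ERRSIG) neither help nor hurt.
status_is_trusted() {
    trusted=1
    while read -r tag keyword fpr_field rest; do
        [ "$tag" = "[GNUPG:]" ] || continue
        case "$keyword" in
            BADSIG|EXPKEYSIG|REVKEYSIG)
                return 1 ;;
            VALIDSIG)
                primary=${rest##* }
                if is_release_fpr "$fpr_field" || is_release_fpr "$primary"; then
                    trusted=0
                fi ;;
        esac
    done
    return "$trusted"
}

# verify_release SIGFILE DATAFILE
# Runs gpg on a detached signature and applies the policy above. The exit
# code of gpg itself is ignored on purpose: the status lines decide.
verify_release() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | status_is_trusted
}

# Usage: sh verify-release.sh gnupg-2.1.0.tar.bz2.sig gnupg-2.1.0.tar.bz2
if [ "$#" -eq 2 ]; then
    if verify_release "$1" "$2"; then
        echo "OK: good signature from a pinned release key"
    else
        echo "FAIL: no good signature from a pinned release key" >&2
        exit 1
    fi
fi
```

A signature that verifies against some other key in the local keyring is rejected here, which is the case the announcement's "make sure that this is a valid key" step is meant to catch.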
From rich at openwatch.net Thu Nov 6 13:13:53 2014 From: rich at openwatch.net (Rich Jones) Date: Thu, 6 Nov 2014 13:13:53 -0800 Subject: Operation Onymous Message-ID: Many DNMs seized today, 26 y/o SpaceX engineer arrested in San Francisco, raids in Ireland, http://www.businessinsider.com/fbi-silk-road-seized-arrests-2014-11 SR2.0, Hydra and Cloud 9 are all displaying seized notices. TMP and Agora are still up. Here's the criminal complaint: http://www.scribd.com/doc/245744857/Blake-Benthall-Criminal-Complaint Full of all kinds of operational fuckuppery on all fronts. Sounds like they've got more in the pipeline too.. R From afalex169 at gmail.com Thu Nov 6 03:24:14 2014 From: afalex169 at gmail.com (Александр) Date: Thu, 6 Nov 2014 13:24:14 +0200 Subject: Reverse Engineered Google Docs Message-ID: http://features.jsomers.net/how-i-reverse-engineered-google-docs/ From blibbet at gmail.com Thu Nov 6 15:43:48 2014 From: blibbet at gmail.com (Blibbet) Date: Thu, 6 Nov 2014 15:43:48 -0800 Subject: [Announce] GnuPG 2.1.0 "modern" released In-Reply-To: <545BEAF1.7080806@riseup.net> References: <87ioisn1mo.fsf@vigenere.g10code.de> <545BEAF1.7080806@riseup.net> Message-ID: <20141106154348.5de9dfa3@box> > Explain what this means in plain English for users of Enigmail and > what they need to do. The Enigmail docs still say 2.0, not 2.1. I haven't checked the code, to see if it would handle it. I'd backup your system, try swapping in new 2.1.0, and see if it works. Or wait for Enigmail to explicitly mention 2.1 support in their support list or documentation.
From juan.g71 at gmail.com Thu Nov 6 18:46:56 2014 From: juan.g71 at gmail.com (Juan) Date: Thu, 6 Nov 2014 23:46:56 -0300 Subject: Operation Onymous In-Reply-To: References: Message-ID: <545c323f.c388e00a.076a.1669@mx.google.com> On Thu, 6 Nov 2014 13:13:53 -0800 Rich Jones wrote: > Many DNMs seized today, 26 y/o SpaceX engineer arrested in San > Francisco, raids in Ireland, > http://www.businessinsider.com/fbi-silk-road-seized-arrests-2014-11 Duh! Those people didn't know about Tor - an amazing anonymity network developed by the US military to protect inalienable human rights. Had they used Tor, they would have never been caught. > > SR2.0, Hydra and Cloud 9 are all displaying seized notices. TMP and > Agora are still up. > > Here's the criminal complaint: > http://www.scribd.com/doc/245744857/Blake-Benthall-Criminal-Complaint > > Full of all kinds of operational fuckuppery on all fronts. Sounds like > they've got more in the pipeline too.. > > R From grarpamp at gmail.com Thu Nov 6 23:46:40 2014 From: grarpamp at gmail.com (grarpamp) Date: Fri, 7 Nov 2014 02:46:40 -0500 Subject: [tor-relays] [tor-talk] Platform diversity in Tor network [was: OpenBSD doc/TUNING] In-Reply-To: <20141106074343.GH10768@ns399743.ip-37-59-44.eu> References: <545A64A0.8030300@mykolab.com> <20141106074343.GH10768@ns399743.ip-37-59-44.eu> Message-ID: On Thu, Nov 6, 2014 at 2:43 AM, David Serrano wrote: > On 2014-11-05 23:58:43 (-0500), grarpamp wrote: >> >> The real problem below is the 96% allocation of opensource to >> Linux and 4% to Other opensource. > >> Someone should really do an analysis of platform vs. exit bandwidth >> as well. Anyone? > > Here ya go.
Observed bandwidth per OS in relays having the exit flag:
>
> 93.62% 4459816582 Linux
>  4.51%  214639363 FreeBSD
>  1.25%   59672066 Windows
>  0.25%   11754598 Darwin
>  0.17%    7896687 Bitrig
>  0.15%    6964863 OpenBSD
>  0.06%    3091495 SunOS

This excessive Linux dominance in both node count and bandwidth really should be balanced out, like why not? I'd expect if some of the big relays switch to any other OS that would flatten out the bandwidth part pretty easily. You'd have to check say the top 10, 25, 50 or so relays to see to what extent they are part of this mess, I'm sure it's similar. From cathalgarvey at cathalgarvey.me Fri Nov 7 01:16:07 2014 From: cathalgarvey at cathalgarvey.me (Cathal Garvey) Date: Fri, 07 Nov 2014 09:16:07 +0000 Subject: Operation Onymous In-Reply-To: References: Message-ID: <545C8DD7.3050808@cathalgarvey.me> I want to know why all of these guys are hosting in Ireland. Do we have a reputation for being a safe haven? Because we certainly aren't. Ireland will do whatever you ask, if you're a country other than Ireland. Eager to please! Germany asked us once to buy up all of their banks' defaulting loans and save their economy by destroying our own..no problem, friends! Why do people think we'll keep out foreign investigations? And even if we did stand up to foreign powers and keep our own jurisdiction, Ireland still wouldn't allow black markets that willingly facilitate everything up to the sale of firearms to operate on our shores (Nor, IMO, should we). On 06/11/14 21:13, Rich Jones wrote: > Many DNMs seized today, 26 y/o SpaceX engineer arrested in San > Francisco, raids in Ireland, > http://www.businessinsider.com/fbi-silk-road-seized-arrests-2014-11 > > SR2.0, Hydra and Cloud 9 are all displaying seized notices. TMP and Agora > are still up. > > Here's the criminal complaint: > http://www.scribd.com/doc/245744857/Blake-Benthall-Criminal-Complaint > > Full of all kinds of operational fuckuppery on all fronts.
Sounds like > they've got more in the pipeline too.. > > R From rich at openwatch.net Fri Nov 7 10:18:34 2014 From: rich at openwatch.net (Rich Jones) Date: Fri, 7 Nov 2014 10:18:34 -0800 Subject: Operation Onymous In-Reply-To: <545C8DD7.3050808@cathalgarvey.me> References: <545C8DD7.3050808@cathalgarvey.me> Message-ID: Second wave of arrests: http://www.wired.com/2014/11/operation-onymous-dark-web-arrests/# More than 400 onions seized, 17 arrests. "In addition to the takedowns of drug markets Silk Road 2, Cloud 9 and Hydra revealed Thursday, it’s also busted contraband markets like Pandora, Blue Sky, Topix, Flugsvamp, Cannabis Road, and Black Market. Other takedown targets included money laundering sites like Cash Machine, Cash Flow, Golden Nugget and Fast Cash. And agents have taken from criminal suspects more than $1 million in bitcoin, $250,000 in cash, as well as an assortment of computers, drugs, gold, silver and weapons that they had yet to fully catalogue." R From grarpamp at gmail.com Fri Nov 7 12:26:40 2014 From: grarpamp at gmail.com (grarpamp) Date: Fri, 7 Nov 2014 15:26:40 -0500 Subject: Node Operators Web Of Trust Message-ID: Is it not time to establish a node operator web of trust? Look at all the nodes out there with or without 'contact' info, do you really know who runs them? Have you talked with them? What are their motivations? Are they your friends? Do you know where they work, such as you see them every day stocking grocery store, or in some building with a badge on it? Does their story jive? Are they active in the community/spaces we are? Etc. This is a huge potential problem. NOWoT participation is optional, it is of course infiltratable, and what it proves may be arguable, but it seems a necessary thing to try as a test of that and to develop a good model.
Many operators know each other in person. And the node density per geographic region supports getting out to meet operators even if only for the sole purpose of attesting 'I met this blob of flesh who proved ownership of node[s] x'. That's a big start, even against the sybil agents they'd surely send out to meet you. Many know exactly who the other is in the active community such that they can attest at that level. And so on down the line of different classes of trust that may be developed and asserted over each claimed operator. Assuming a NOWoT that actually says something can be established, is traffic then routable by the user over nodes via trust metrics in addition to the usual metrics and randomness? WoT's are an ancient subject... now what are the possibilities and issues when asserting them over physical nodes, not just over virtual nodes such as an email address found in your pubkey? And what about identities that exist only anonymously yet can prove control over various unique resources? If such WoT's cannot be proven to have non-value, then it seems worth doing. This doesn't just apply to Tor, but to any node based system. From grarpamp at gmail.com Fri Nov 7 14:43:31 2014 From: grarpamp at gmail.com (grarpamp) Date: Fri, 7 Nov 2014 17:43:31 -0500 Subject: Darknets/science vs. GPA/LEA/Law, and playing dirty pool Message-ID: On Fri, Nov 7, 2014 at 9:29 AM, Öyvind Saether wrote: >> http://www.bbc.com/news/technology-29950946 > > "The BBC understands that the raid represented both a technological > breakthrough - with police using new techniques to track down the > physical location of dark net servers" > > They do have the capability to locate Tor hidden services at this point. > > To those who want to pretend otherwise: The first step to fixing a > problem is to admit that it exists. There is no point in pretending > these .onion sites are secure anymore. The only interesting question > now is: How can this be fixed? 
> > They could simply look for high amounts of Tor traffic and pull the > plug in IPs whose traffic pattern look like it may be a hidden service > and see if anything goes down. This is a critical weakness of any anonymous system if... the way things are looking worldwide, GPA's seem to be the real deal and they seem to have no problem handing off to the LE side, and laws be damned... well, the old ways are over, it's the Wild West. Filling all the network links with chaff could be a way to protect users (maybe they were just loading the homepage over and over), but they could still bounce all the IP's to look for servers. There may be an opportunity for the operators of anonymous services to band together and monitor themselves or each other for bounces simply to confirm if bounce tests are in fact happening against all such service participants, high data/connection rate ones, services based on age of identity key, or any other such class they are able to identify. And they'd have to characterize true bounces from network reachability anomalies. This is hard to defend against. Store-and-forward... maybe. Decentralized p2p/blockchain... more likely, at least for market-like things that could be modeled as transaction-listing-like things. Another way to test is for someone to use perfect opsec (wifi, tor, bitcoin, etc), and actually run a number of illegal sites and see what happens. Then consider some sites may be allowed to live even if actionable, or simply won't be taken down if there are no real world links to act on. Tor had one recent whitepaper that claimed to have actually located hidden services (real or test) within a minor budget and timeframe by abusing nothing other than the Tor network itself. Right? Has anyone replicated that work? People need to be analysing these court documents very carefully to see what bits of knowledge can be drawn from them.
That's a project in itself and EFF/Tor wiki would be a good home to begin cataloging them all and making notes of such things in each case. It's pretty obvious something is going on besides opsec, especially with the quotes in the news. Question is, what is it? Tests need done, knowledge needs found, capabilities need catalogued, and defenses need developed. Step by step, scientific method. While you're at it, play some dirty pool in return, set up a bounty for leakers. Cash, sex, drugs, whatever. Not everyone is motivated by the same things Ellsberg/Snowden et al are. > Regardless of how it is actually done: It seems perfectly clear that > they are able to identify the servers hosting hidden services. Those > who pretend otherwise at this point are either cointelpro/military/law > enforcement or morons. From grarpamp at gmail.com Fri Nov 7 15:19:04 2014 From: grarpamp at gmail.com (grarpamp) Date: Fri, 7 Nov 2014 18:19:04 -0500 Subject: [Cryptography] Third amendment crypto defenses In-Reply-To: References: Message-ID: On Fri, Nov 7, 2014 at 4:37 PM, Steve Furlong wrote: > On Fri, Nov 7, 2014 at 2:46 PM, Phillip Hallam-Baker > wrote: >> >> I think there is a reasonable interpretation >> which would find that the military should not have anything to do with >> such activities. > > Check the cypherpunks archives from 2001 or 2002. This is not a new idea. http://www.metzdowd.com/mailman/listinfo/cryptography Forwarding context to cpunks... http://scholarship.law.wm.edu/wmborj/vol2/iss1/4 http://www.usatoday.com/story/opinion/2013/07/22/third-amendment-nsa-spying-column/2573225/ http://misguidedchildren.com/technology/2014/01/nsa-violating-3rd-amendment-with-snooping-tactics/10133 From grarpamp at gmail.com Fri Nov 7 16:22:54 2014 From: grarpamp at gmail.com (grarpamp) Date: Fri, 7 Nov 2014 19:22:54 -0500 Subject: Darknets/science vs. 
GPA/LEA/Law, and playing dirty pool In-Reply-To: References: Message-ID: On Fri, Nov 7, 2014 at 10:17 AM, Derric Atzrott wrote: > warrant request for Benthall and didn't see anything in that besides > Benthall being stupid and the police being clever. Reread it. "First" they found the server, then their man, then trolled up a bunch of stuff happened before and after the server find to make and support charges on. Look at the dates the evidence was dug up, not the dates in the evidence itself. > We'll have to wait for the charging documents to come out for those that > just got arrested to see how police allege to have found their hidden > services. While parallel construction is certainly a possibility, and > Without an understanding of how hidden services may be broken, there > is not much that can be done to fix the issue. I'm going to guess it's not via public papers on locating hidden services, otherwise they'd just reference that, disclose their operations and evidence therein, and call it case closed. [Trawling TorHS, Sniper] From katana at riseup.net Fri Nov 7 11:40:59 2014 From: katana at riseup.net (katana) Date: Fri, 07 Nov 2014 20:40:59 +0100 Subject: Fwd: [Announce] GnuPG 2.1.0 "modern" released In-Reply-To: <545BEAF1.7080806@riseup.net> References: <87ioisn1mo.fsf@vigenere.g10code.de> <545BEAF1.7080806@riseup.net> Message-ID: <545D204B.7030704@riseup.net> Hi odinn, > Explain what this means in plain English for users of Enigmail and > what they need to do. mmh, today, i have compiled it under Ubuntu Trusty and it works with Enigmail 1.7.2 without problems. The key search with dirmngr/gnutls doesn't run (or i don't understand it), so i'm using GnuPG 2.0.X for it as before. But imo, you need GnuPG 2.1 - with Enigmail - only, if you want to use or try the new ECC keys. -- Katana From grarpamp at gmail.com Sat Nov 8 00:13:59 2014 From: grarpamp at gmail.com (grarpamp) Date: Sat, 8 Nov 2014 03:13:59 -0500 Subject: Darknets/science vs. 
GPA/LEA/Law, and playing dirty pool In-Reply-To: References: Message-ID: > A writes: > GPA = Government Procurement Agreement ? Asking so I can understand your post. Global Passive Adversary, Surveillers, Wiretappers, Data Miners. To be taken in context of anonymity networks. From jya at pipeline.com Sat Nov 8 11:41:36 2014 From: jya at pipeline.com (John Young) Date: Sat, 08 Nov 2014 14:41:36 -0500 Subject: [Cryptography] $750k Fine for exporting crypto In-Reply-To: <6C19299C-FB55-472D-9DFB-69092CE86171@lrw.com> References: <20141107034759.C8BEB2281A4@palinka.tinho.net> <6C19299C-FB55-472D-9DFB-69092CE86171@lrw.com> Message-ID: The global internal rot of digital technology dependence appears doing quite well by inducing ever greater investment and reliance upon it. Will over-reliance upon secret cryptography be its Achilles heel? Let us hope so. Conundrum is that wholesale monitoring is the result of ubiquitous digital technology, networks and programs thickly hidden by secret cryptography, thinly protected, if at all, by never quite effective public cryptography, ineffective by law by design, by implementation and by endless excuses to do better next time. The correlation between the rise of the Internet to advance global surveillance and public cryptography to persuade the populace there is hope the surveillance can be countered, is occasionally noted but not by cryptography fetishists who promote the notion it is possible to have a global platform of diverse levels for multiple open and secret uses but still protect at least a few of the levels with encryption. This despite the legacy of cryptography as a deceptive technology through and through and foremost, in particular by misleading about its strengths and weaknesses, its treachery and double-dealing, its cheating and betraying, its false promises and "confessed" failures.
No doubt all forms of security share these characteristics, eventual failure is the fundamental outcome of a security system subject to ceaseless attack. Every fortress fails, every weapon is surpassed, every peace treaty is transgressed, every ideology collapses, every nation is overturned; in all cases by excessive conviction that failure will not happen, and when it does, it occurs by the least expected means. After a few attempts to repair the majestic defense and prolong a regime, it finally implodes most often due to internal rot of those unable to give up comfortable convictions that munitions are invulnerable, that supreme command and control is protected against tampering, that oaths and rewards of fealty to the homeland are unsurpassable. Except for the planted cheats of anonymizers and encryption. >What we are seeing today is unprecedented in American >history: Wholesale monitoring of entire populations, "just in case" >the information might be "needed" later. Saying "beware, someone >evil like Nixon could use this stuff" *misses the point*: It's bad >*even if never abused*. Its mere *existence* is abuse, no matter >who controls it. If the system were under the control of a saintly >administration consisting of nothing but good actors, and there were >a magic button that would be pressed just before they handed over >the reins to someone not so saintly that magically erased all the >stored information and destroyed the information-gathering systems >... it would *still* be wrong. From guninski at guninski.com Sat Nov 8 05:49:42 2014 From: guninski at guninski.com (Georgi Guninski) Date: Sat, 8 Nov 2014 15:49:42 +0200 Subject: Fwd: [Announce] GnuPG 2.1.0 "modern" released In-Reply-To: References: <87ioisn1mo.fsf@vigenere.g10code.de> Message-ID: <20141108134942.GA3888@sivokote.iziade.m$> did they really fix the backdoor with colliding keys via the LSBs of RSA modulus?
http://marc.info/?t=131668247500002&r=1&w=2 http://marc.info/?l=full-disclosure&m=131668247124444&w=2 https://lists.debian.org/deity/2011/09/msg00141.html On Thu, Nov 06, 2014 at 01:24:57AM -0800, coderman wrote: > ---------- Forwarded message ---------- > From: Werner Koch > Date: Thu, 06 Nov 2014 10:01:51 +0100 > Subject: [Announce] GnuPG 2.1.0 "modern" released > > Hello! > > The GnuPG Project is pleased to announce the availability of a > new release: Version 2.1.0. > > The GNU Privacy Guard (GnuPG) is a complete and free implementation of > the OpenPGP standard as defined by RFC-4880 and better known as PGP. > > GnuPG, also known as GPG, allows to encrypt and sign data and > communication, features a versatile key management system as well as > access modules for public key directories. GnuPG itself is a command > line tool with features for easy integration with other applications. > A wealth of frontend applications and libraries making use of GnuPG > are available. Since version 2 GnuPG provides support for S/MIME and > Secure Shell in addition to OpenPGP. > > GnuPG is Free Software (meaning that it respects your freedom). It can > be freely used, modified and distributed under the terms of the GNU > General Public License. > > Three different versions of GnuPG are actively maintained: > > - GnuPG "modern" (2.1) is the latest development with a lot of new > features. This announcement is about the first release of this > version. > > - GnuPG "stable" (2.0) is the current stable version for general use. > This is what most users are currently using. > > - GnuPG "classic" (1.4) is the old standalone version which is most > suitable for older or embedded platforms. > > You may not install "modern" (2.1) and "stable" (2.0) at the same > time. However, it is possible to install "classic" (1.4) along with > any of the other versions. 
> > > What's New in GnuPG-2.1 > ======================= > > - The file "secring.gpg" is not anymore used to store the secret > keys. Merging of secret keys is now supported. > > - All support for PGP-2 keys has been removed for security reasons. > > - The standard key generation interface is now much leaner. This > will help a new user to quickly generate a suitable key. > > - Support for Elliptic Curve Cryptography (ECC) is now available. > > - Commands to create and sign keys from the command line without any > extra prompts are now available. > > - The Pinentry may now show the new passphrase entry and the > passphrase confirmation entry in one dialog. > > - There is no more need to manually start the gpg-agent. It is now > started by any part of GnuPG as needed. > > - Problems with importing keys with the same long key id have been > addressed. > > - The Dirmngr is now part of GnuPG proper and also takes care of > accessing keyserver. > > - Keyserver pools are now handled in a smarter way. > > - A new format for locally storing the public keys is now used. > This considerable speeds up operations on large keyrings. > > - Revocation certificates are now created by default. > > - Card support has been updated, new readers and token types are > supported. > > - The format of the key listing has been changed to better identify > the properties of a key. > > - The gpg-agent may now be used on Windows as a Pageant replacement > for Putty in the same way it is used for years on Unix as > ssh-agent replacement. > > - Creation of X.509 certificates has been improved. It is now also > possible to export them directly in PKCS#8 and PEM format for use > on TLS servers. > > A detailed description of the changes can be found at > https://gnupg.org/faq/whats-new-in-2.1.html . 
>
>
> Getting the Software
> ====================
>
> Please follow the instructions found at https://gnupg.org/download/ or
> read on:
>
> GnuPG 2.1.0 may be downloaded from one of the GnuPG mirror sites or
> direct from its primary FTP server. The list of mirrors can be found
> at https://gnupg.org/mirrors.html . Note that GnuPG is not available
> at ftp.gnu.org.
>
> On ftp.gnupg.org you find these files:
>
>   ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.0.tar.bz2 (3039k)
>   ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-2.1.0.tar.bz2.sig
>
> This is the GnuPG 2.1 source code compressed using BZIP2 and its
> OpenPGP signature.
>
>   ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.0_20141105.exe (6225k)
>   ftp://ftp.gnupg.org/gcrypt/binary/gnupg-w32-2.1.0_20141105.exe.sig
>
> This is an experimental installer for Windows including GPA as
> graphical key manager and GpgEX as an Explorer extension. Please
> de-install an already installed Gpg4win version before trying this
> installer. This binary version has not been tested very well, thus it
> is likely that you will run into problems. The complete source code
> for the software included in this installer is in the same directory;
> use the suffix ".tar.xz" instead of ".exe".
>
> Although several beta versions have been released over the course of
> the last years, no extensive public field test has been done. Thus it
> is likely that bugs will show up. Please check the mailing list
> archives and the new wiki https://wiki.gnupg.org for latest
> information on known problems and workaround.
>
>
> Checking the Integrity
> ======================
>
> In order to check that the version of GnuPG which you are going to
> install is an original and unmodified one, you can do it in one of
> the following ways:
>
> * If you already have a version of GnuPG installed, you can simply
>   verify the supplied signature.
>   For example to verify the signature
>   of the file gnupg-2.1.0.tar.bz2 you would use this command:
>
>     gpg --verify gnupg-2.1.0.tar.bz2.sig
>
>   This checks whether the signature file matches the source file.
>   You should see a message indicating that the signature is good and
>   made by one or more of the release signing keys. Make sure that
>   this is a valid key, either by matching the shown fingerprint
>   against a trustworthy list of valid release signing keys or by
>   checking that the key has been signed by trustworthy other keys.
>   See below for information on the signing keys.
>
> * If you are not able to use an existing version of GnuPG, you have
>   to verify the SHA-1 checksum. On Unix systems the command to do
>   this is either "sha1sum" or "shasum". Assuming you downloaded the
>   file gnupg-2.1.0.tar.bz2, you would run the command like this:
>
>     sha1sum gnupg-2.1.0.tar.bz2
>
>   and check that the output matches the first line from the
>   following list:
>
>   2fcd0ca6889ef6cb59e3275e8411f8b7778c2f33 gnupg-2.1.0.tar.bz2
>   9907cb6509a0e63331b27a92e25c1ef956caaf3b gnupg-w32-2.1.0_20141105.exe
>   28dc1365292c61fbb2bbae730d4158f425463c91 gnupg-w32-2.1.0_20141105.tar.xz
>
>
> Release Signing Keys
> ====================
>
> To guarantee that a downloaded GnuPG version has not been tampered by
> malicious entities we provide signature files for all tarballs and
> binary versions. The keys are also signed by the long term keys of
> their respective owners.
> Current releases are signed by one or more
> of these four keys:
>
>   2048R/4F25E3B6 2011-01-12
>   Key fingerprint = D869 2123 C406 5DEA 5E0F 3AB5 249B 39D2 4F25 E3B6
>   Werner Koch (dist sig)
>
>   rsa2048/E0856959 2014-10-29
>   Key fingerprint = 46CC 7308 65BB 5C78 EBAB ADCF 0437 6F3E E085 6959
>   David Shaw (GnuPG Release Signing Key)
>
>   rsa2048/33BD3F06 2014-10-29
>   Key fingerprint = 031E C253 6E58 0D8E A286 A9F2 2071 B08A 33BD 3F06
>   NIIBE Yutaka (GnuPG Release Key)
>
>   rsa2048/7EFD60D9 2014-10-19
>   Key fingerprint = D238 EA65 D64C 67ED 4C30 73F2 8A86 1B1C 7EFD 60D9
>   Werner Koch (Release Signing Key)
>
> You may retrieve these files from the keyservers using this command
>
>   gpg --recv-keys 249B39D24F25E3B6 04376F3EE0856959 \
>       2071B08A33BD3F06 8A861B1C7EFD60D9
>
> The keys are also available at https://gnupg.org/signature_key.html
> and in the released GnuPG tarball in the file g10/distsigkey.gpg .
> Note that this mail has been signed using my standard PGP key.
>
>
> Internationalization
> ====================
>
> This new branch of GnuPG has support for 4 languages: French, German,
> Japanese, and Ukrainian. More translations can be expected with the
> next point releases.
>
>
> Documentation
> =============
>
> If you used GnuPG in the past you should read the description of
> changes and new features at doc/whats-new-in-2.1.txt or online at
>
>   https://gnupg.org/faq/whats-new-in-2.1.html
>
> The file gnupg.info has the complete user manual of the system.
> Separate man pages are included as well but they have not all the
> details available in the manual. It is also possible to read the
> complete manual online in HTML format at
>
>   https://gnupg.org/documentation/manuals/gnupg/
>
> or in Portable Document Format at
>
>   https://gnupg.org/documentation/manuals/gnupg.pdf .
>
> The chapters on gpg-agent, gpg and gpgsm include information on how
> to set up the whole thing.
You may also want search the GnuPG mailing > list archives or ask on the gnupg-users mailing lists for advise on > how to solve problems. Many of the new features are around for > several years and thus enough public knowledge is already available. > > > Support > ======= > > Please consult the archive of the gnupg-users mailing list before > reporting a bug . > We suggest to send bug reports for a new release to this list in favor > of filing a bug at . For commercial support > requests we keep a list of known service companies at: > > https://gnupg.org/service.html > > The driving force behind the development of GnuPG is the company of > its principal author, Werner Koch. Maintenance and improvement of > GnuPG and related software takes up most of their resources. To allow > him to continue this work he kindly asks to either purchase a support > contract, engage g10 Code for custom enhancements, or to donate money: > > https://gnupg.org/donate/ > > > Thanks > ====== > > We have to thank all the people who helped with this release, be it > testing, coding, translating, suggesting, auditing, administering the > servers, spreading the word, and answering questions on the mailing > lists. A final big Thank You goes to Hal Finney, who too early passed > away this year. Hal worked on PGP and helped to make OpenPGP a great > standard; it has been a pleasure having worked with him. From guninski at guninski.com Sat Nov 8 07:12:36 2014 From: guninski at guninski.com (Georgi Guninski) Date: Sat, 8 Nov 2014 17:12:36 +0200 Subject: Fwd: [Announce] GnuPG 2.1.0 "modern" released In-Reply-To: <20141108134942.GA3888@sivokote.iziade.m$> References: <87ioisn1mo.fsf@vigenere.g10code.de> <20141108134942.GA3888@sivokote.iziade.m$> Message-ID: <20141108151236.GB3888@sivokote.iziade.m$> On Sat, Nov 08, 2014 at 03:49:42PM +0200, Georgi Guninski wrote: > did they really fixed the backdoor with colliding keys > via the LSBs of RSA modulus? 
>
> http://marc.info/?t=131668247500002&r=1&w=2
> http://marc.info/?l=full-disclosure&m=131668247124444&w=2
> https://lists.debian.org/deity/2011/09/msg00141.html
>
> >

more ontopic:

http://archives.neohapsis.com/archives/fulldisclosure/2012-06/0268.html
https://bugs.launchpad.net/ubuntu/+source/apt/+bug/1013128

(google or archives might not like the f word in the keys ;) ).

From juan.g71 at gmail.com Sat Nov 8 17:09:50 2014
From: juan.g71 at gmail.com (Juan)
Date: Sat, 8 Nov 2014 22:09:50 -0300
Subject: Operation Onymous
In-Reply-To: <545C8DD7.3050808@cathalgarvey.me>
References: <545C8DD7.3050808@cathalgarvey.me>
Message-ID: <545ebe7d.15688c0a.381a.7648@mx.google.com>

On Fri, 07 Nov 2014 09:16:07 +0000 Cathal Garvey wrote:

> And even if we did stand up to foreign powers and keep our own
> jurisdiction, Ireland still wouldn't allow black markets that
> willingly facilitate everything up to the sale of firearms to operate
> on our shores (Nor, IMO, should we).

You seem to be advocating against online black markets in a supposedly crypto-anarchist mailing list? =P

Granted black markets are less than ideal, but at least people can buy what they want...

>
> On 06/11/14 21:13, Rich Jones wrote:
> > Many DNMs seized today, 26 y/o SpaceX engineer arrested in San
> > Francisco, raids in Ireland,
> > http://www.businessinsider.com/fbi-silk-road-seized-arrests-2014-11
> >
> > SR2.0, Hydra and Cloud 9 are all display seized notices. TMP and
> > Agora are still up.
> >
> > Here's the criminal complaint:
> > http://www.scribd.com/doc/245744857/Blake-Benthall-Criminal-Complaint
> >
> > Full of all kinds of operational fuckuppery on all fronts. Sounds
> > like they've got more in the pipeline too..
> >
> > R

From mroqorm at gmail.com Sat Nov 8 17:55:42 2014
From: mroqorm at gmail.com (mroq qorm)
Date: Sun, 9 Nov 2014 01:55:42 +0000
Subject: Operation Onymous
In-Reply-To:
References:
Message-ID:

looks like there's collateral damage, torservers had some exits seized - wonder how many more exits are affected that do not have an organization attached to them

https://blog.torservers.net/20141109/three-servers-offline-likely-seized.html

From coderman at gmail.com Sun Nov 9 02:05:33 2014
From: coderman at gmail.com (coderman)
Date: Sun, 9 Nov 2014 02:05:33 -0800
Subject: Fwd: insufficient hidden service performance is potential de-anonymizing DoS [was Re: [tor-dev] yes hello, internet supervillain here]
In-Reply-To:
References:
Message-ID:

---------- Forwarded message ----------
From: coderman
Date: Sun, 9 Nov 2014 02:04:59 -0800
Subject: insufficient hidden service performance is potential de-anonymizing DoS [was Re: [tor-dev] yes hello, internet supervillain here]

thanks for the transparency, nachash! i am putting this conversation on tor-talk, since my replies are more noise and less dev, and the details seem to be around Tor use and configuration.

On 11/8/14, Fears No One wrote:
> ... Another regret is that pcaps weren't taken, but we both made
> the mistake of assuming that because the DoS was mitigated that nothing
> that was preserved would be all that important anymore. If there was
> more to give, we would have released it.

the pcap dumps would have been most useful, as the access logs only identify state transitions. these types of attacks likely utilized many concurrent requests (perhaps just sending a few bytes of the request string at once, bit by bit, until a request is complete)

performance analysis and tuning of internet systems is difficult, and even more so in this context!
(and performance in anonymity systems is easily reversed for de-anonymizing DoS)

Andrea's distribution shows this type of behavior, as i would expect it:
https://people.torproject.org/~andrea/loldoxbin-logs/analysis/length_distribution.txt

e.g. send small bits to keep connection active and not closed by server side client send timeouts, then around 900-1000 chars call it good and finalize the request.

this may be application of slowloris type DoS to "encourage" HS operator to use a vulnerable path, or confirm via side channel. (you stated your web server bound to localhost, so the obvious ones you avoided at least :)

> The box was an OpenVZ VPS (Essentially a glorified chroot jail, for
> those who are unfamiliar)), so no, there was no physical hardware from
> my standpoint. Thus, full disk crypto wasn't really an option. From the
> standpoint of someone with root access to a dedi with OpenVZ vms,
> finding hidden services that are hosted by customers is a matter of
> looking for files named private_key anywhere under the /vz folder.

of all the virtualization environments, i dislike OpenVZ the most. i dislike all virtual hosting, however, so don't assume this is a vote for Docker ;)

pay the extra for dedi on bare metal!

> Neither of us are rolling in fake internet money like the drug market
> operators (Hint: This should indicate to anyone thinking of asking if we
> ran bitcoind that we didn't), so the other alternatives were to either
> use rooted boxes or flip a coin to decide who gets to host from home.

ok, maybe a dedi not an option if you're that tight for cash... :/

> ... As was the tradition with doxbin boxes, the registration info
> usually either went back to ... Keith Alexander...

i find this amusing! my only suggestion is that you incorporate his nickname, Keith "Cowboy" Alexander

> I don't have an exact time, but by around 13:00 UTC or so on the 6th,
> the box was down. When the Silk Road 2.0 seizure news broke, doxbin was
> already gone.
> I checked the most current doxbin onion and attempted to
> ssh into the box every couple of hours for around the first 24 hours,
> until a friend pointed out that one of the old doxbin onions was serving
> up the Silk Road 2.0 seizure page. At the time, the main onion was
> serving up some 404 page (Which I expected to eventually point to some
> sort of honeypot, but the pigs really let me down on that one), while
> other onions were unresponsive. This had changed by the next day, when
> all the onions from the doxbin box were pointed to the seizure page. The
> speculation has been that the cops were adding onions one at a time, and
> my personal experience supports that. Police who are dedicated to
> seizing and taking control of hidden services are still struggling with
> managing a torrc file efficiently. Go figure.

yup. hence slappy fights over the HSDir descriptor publishing is going to be effective for who knows how long...

> There was some downtime on the box maybe a month ago, which I originally
> thought was when it got imaged pre-seizure, once all this drama began. I
> can't look at the access log report numbers and say "This is the date,
> because there's a huge dip in traffic" so I'm going to have to get back
> with you on that. The fact that they were adding onions to the seizure
> box over 24 hours after the takedown might suggest that they for some
> reason didn't image it beforehand, which would be a curious break from
> their habits as laid out in past criminal complaints.

this was an international effort, so perhaps just one hand not talking to the other, is the only conclusion to be drawn.

> An update: All of the access log reports ever generated for doxbin can
> now be downloaded from the URLs in my initial e-mail. Other people
> wanted some of them to compare to the DoS log reports, so now they can
> pick their own control group.

thanks for this, while not as useful as PCAPs with headers, it is still useful!

> P.S.
Neither of us have been arrested or have even noticed any signs of > in-person heat (Cleaning vans, new neighbors, etc), which also seems to > point to the doxbin seizure being half-cocked. how would you know what covert heat looks like? *grin* > Here until I'm in handcuffs, don't plea out! P.S. public key? best regards, From coderman at gmail.com Sun Nov 9 02:38:11 2014 From: coderman at gmail.com (coderman) Date: Sun, 9 Nov 2014 02:38:11 -0800 Subject: they crushed Aaron because they could, they destroy lives across the globe because they can, my fellow frogs in the boiling pot, how much is too much? Message-ID: they crushed Aaron because they could, they destroy lives across the globe because they can, my fellow frogs in the boiling pot, how much is too much? --- http://www.aaronswartzday.org/john-perry-barlow-recalls-a-12-year-old-aaron-swartz/ """ I’d been asked by the headmaster of Northshore Country Day to come and speak to the middle school, and, for some reason, there was this 10 or 11 year old that was in among the middle schoolers. And I spent the afternoon – this was a time when, I don’t think there were that many people who felt the way I did about this stuff. Most of them are in this room now. And I was promoting the idea that we could make a world where anybody anywhere could give his thirst for knowledge and his curiosity everything that it wanted to know. And *anybody* could know as much as any human being knew about any thing, in the future. He didn’t say much. He was extremely memorable, however. He was much younger. He was all eyes, and mind, and…spiritual radiance, in a way. And I scarcely saw him again. But years later… Last year, at one point, when I was with a bunch of copyright barons in Paris at the EG8, and they were all talking about how enforcement and education was gonna come out right, and it was gonna be just like the War on some Drugs. And I happened to be on a panel with these guys. 
I said “you know, you think you’ve won this thing, or you will win this thing. But the truth is that you’ve turned a whole generation into an electronic Hezbollah. And you will be dead when they are alive. And I was thinking of Aaron Swartz and it’s really very difficult for me to see that he is dead, and they are alive. But he is not dead, and they will be. """ --- i cried when Aaron died, i raged when Snowden leaked, yet now i am calm and dedicated. enough! From grarpamp at gmail.com Sun Nov 9 10:47:26 2014 From: grarpamp at gmail.com (grarpamp) Date: Sun, 9 Nov 2014 13:47:26 -0500 Subject: [tor-talk] insufficient hidden service performance is potential de-anonymizing DoS [was Re: [tor-dev] yes hello, internet supervillain here] In-Reply-To: <20141109160835.GC26807@dysnomia.persephoneslair.org> References: <20141109160835.GC26807@dysnomia.persephoneslair.org> Message-ID: On Sun, Nov 9, 2014 at 11:08 AM, Andrea Shepard wrote: > Yes, and that is what it looks like. The strings 'code', 'old' and 'fail' in > the URLs seen in nachash's logs were also present as top-level directories on > his site, and he apparently had a 404 redirect to his index page - so a > buggy crawler might well produce something like the observed pattern. Who > would leave an obviously broken crawler producing nothing of interest like > that running for such a long time and O(1M) requests, though? An attack > designed to look like skiddie bullshit is starting to sound plausible. > coderman: > morals of this story: > - never assume a crash or DoS is innocuous on the Tor network. > - always get packet captures to diagnose trouble! (not just request logs) > - "the old tricks, still the best tricks..." In one of many threads, mine being 'dirty pool', there is forming a good variety of such morals to live by and areas of action to pursue. HS operators banding together to compare the above logs is one of them. 
You could conceivably throw the logs/pcaps from many relays and onions into a splunk.onion instance and try to mine some knowledge out of them that way. Tor is a jointly owned wide area infrastructure... seems time to apply the traditional net/sec tools to it and see what's up on your own network. From coderman at gmail.com Sun Nov 9 13:50:09 2014 From: coderman at gmail.com (coderman) Date: Sun, 9 Nov 2014 13:50:09 -0800 Subject: [tor-talk] insufficient hidden service performance is potential de-anonymizing DoS [was Re: [tor-dev] yes hello, internet supervillain here] In-Reply-To: References: <20141109160835.GC26807@dysnomia.persephoneslair.org> Message-ID: On 11/9/14, grarpamp wrote: > ... > HS operators banding together to compare the above logs is one > of them. You could conceivably throw the logs/pcaps from many > relays and onions into a splunk.onion instance and try to mine some > knowledge out of them that way. Tor is a jointly owned wide area > infrastructure... seems time to apply the traditional net/sec tools > to it and see what's up on your own network. if you'd like to help test, the existing PyLoris implementation does not handle hidden services well, instead uses host DNS to lookup and then connect to IP address. i have modified a Tor HS PyLoris and updated the HS 100 connections ticket with a copy: https://trac.torproject.org/projects/tor/ticket/8902#comment:7 best regards, From grarpamp at gmail.com Sun Nov 9 20:31:11 2014 From: grarpamp at gmail.com (grarpamp) Date: Sun, 9 Nov 2014 23:31:11 -0500 Subject: Fwd: [Cryptography] From IP: Peter Swire looking for crypto policy expertise.... In-Reply-To: References: Message-ID: ---------- Forwarded message ---------- From: Peter Trei Date: Sun, Nov 9, 2014 at 6:59 PM Subject: [Cryptography] From IP: Peter Swire looking for crypto policy expertise.... 
To: "cryptography at metzdowd.com"

Slightly off-topic, but may be of interest to some:

From rich at openwatch.net Mon Nov 10 16:06:23 2014
From: rich at openwatch.net (Rich Jones)
Date: Mon, 10 Nov 2014 16:06:23 -0800
Subject: Operation Onymous
In-Reply-To:
References:
Message-ID:

Interesting but unreported development: TheMarketPlace, aka "TMP", is now also gone, although I haven't seen anything about it in any of the government press releases. There is no seizure notice, it has simply vanished.

The interesting thing here is that TMP operated over I2P rather than Tor. There was a Tor gateway, but I believe the hidden service still operated as a proxy inlet to the eepsite. If it has been seized as part of Operation Onymous, this would be the first time (that I've heard about) that law enforcement has been able to disrupt services on the I2P network.

It's also quite possible that the operators simply got skittish and bailed. I certainly wouldn't blame them.

Anyway, if anybody has any other information about LEO activities on I2P, I'd love to know more.

R

(ps - is anybody out there actually interested in any of these marketplace updates? If not, I'll stop, I'm basically just passing along news from various subreddits anyway.)

From komachi at openmailbox.org Mon Nov 10 08:42:48 2014
From: komachi at openmailbox.org (Anton Nesterov)
Date: Mon, 10 Nov 2014 16:42:48 +0000
Subject: National Bank of Ukraine on Bitcoin
Message-ID: <5460EB08.9040204@openmailbox.org>

"...hryvnia is the only legal tender in Ukraine, adopted by all natural and legal persons without any restriction on all territory of Ukraine for the transfer and settlement.
<...> Issuing and turnover any other currencies [besides hryvnia] and using of money surrogates for payments is forbidden<...> Given the above, National Bank of Ukraine considers "virtual currency/cryptocurrency" Bitcoin as a money surrogate that isn't providing real value and can not be used by individuals and entities on the territory of Ukraine for payments, because it is contrary to the norms of Ukrainian legislation. <...> However, the international distribution of such payments attractive for illegal activities, including money laundering and financing of terrorist activities. We emphasize that user is responsible for all the risks in use "virtual currency/cryptocurrency" Bitcoin. National Bank of Ukraine as a regulator is not liable for risks and losses associated with use of "virtual currency/cryptocurrency" Bitcoin. In order to protect consumers rights and safety of money transfer, National Bank of Ukraine encourages citizens to use services of only those payment systems/settlement systems, which included the National Bank's Registry of payment systems, settlement systems, participants in these systems and service providers of payment infrastructure." So it's not says Ukraine bans Bitcoin (some media already published such statements), it says Bitcoin already illegal in Ukraine, as any currency besides hryvnia, and says govt isn't responsible for any risks with using Bitcoin. 
Official statement: http://bank.gov.ua/control/uk/publish/article?art_id=11879608&cat_id=80928 (in Ukrainian) Law of Ukraine "About National bank of Ukraine": http://zakon2.rada.gov.ua/laws/show/679-14 (in Ukrainian) -- https://nesterov.pw GPG key: 0CE8 65F1 9043 2B11 25A5 74A7 1187 6869 67AA 56E4 https://keybase.io/komachi/key.asc From grarpamp at gmail.com Mon Nov 10 14:53:35 2014 From: grarpamp at gmail.com (grarpamp) Date: Mon, 10 Nov 2014 17:53:35 -0500 Subject: National Bank of Ukraine on Bitcoin In-Reply-To: <5460EB08.9040204@openmailbox.org> References: <5460EB08.9040204@openmailbox.org> Message-ID: On Mon, Nov 10, 2014 at 11:42 AM, Anton Nesterov wrote: > "...hryvnia is the only legal tender in Ukraine, adopted by all natural > > Issuing and turnover any other currencies [besides hryvnia] and using of > money surrogates for payments is forbidden<...> > > Given the above, National Bank of Ukraine considers "virtual > currency/cryptocurrency" Bitcoin as a money surrogate that isn't > > We emphasize that user is responsible for all the risks in use "virtual > currency/cryptocurrency" Bitcoin. National Bank of Ukraine as a > regulator is not liable for risks and losses associated with use of > > National Bank of Ukraine encourages citizens to use services of only > those payment systems/settlement systems, which included the National > Bank's Registry of payment systems, settlement systems, participants in > these systems and service providers of payment infrastructure." > So it's not says Ukraine bans Bitcoin (some media already published such > statements), it says Bitcoin already illegal in Ukraine, as any currency > besides hryvnia, and says govt isn't responsible for any risks with > using Bitcoin. 
> > http://bank.gov.ua/control/uk/publish/article?art_id=11879608&cat_id=80928 > http://zakon2.rada.gov.ua/laws/show/679-14 (in Ukrainian) It's a careful difference between banning for everyone, and banning/regulating that which is under your purview as given to yourself in law. ('Official' currency... like govt issuing, for paying taxes with govt, interacting with govt regulated banks, and among govts, etc. Not for use purposes among private entities such as people, stores, employment, etc). Are there any countries where banks and/or currency are independent entities from the government? Their position on bitcoin would be interesting. If I were a bank, I'd fight *for* bitcoin so that I could offer wallet, exchange and retail services for fee, market the banks mining operations as investments, etc. Lots of money to be made there. Eventually maybe no one will care to define 'official', only that things just work. From apexcp at gmail.com Mon Nov 10 16:35:17 2014 From: apexcp at gmail.com (Patrick) Date: Mon, 10 Nov 2014 19:35:17 -0500 Subject: Operation Onymous In-Reply-To: References: Message-ID: Rich, I saw TMP going away, very interesting. However, I think the absence of a seizure notice says it all. The owner, like others, probably decided to quit while he was ahead and out of cuffs. What is funny is that no bitcoins will likely be lost because TMP uses multi sig, so the feds can't take anything without other the buyer and seller agreeing. That's not to say that I have a definitive answer but that was my read on the situation. On Mon, Nov 10, 2014 at 7:06 PM, Rich Jones wrote: > Interesting but unreported development: TheMarketPlace, aka "TMP", is now > also gone, although it haven't seen anything about it in any of the > government press releases. There is no seizure notice, it has simply > vanished. > > The interesting thing here is that TMP operated over I2P rather than Tor. 
> There was a Tor gateway, but I believe the hidden service still operated as > a proxy inlet to the eepsite. If it has been seized as part of Operation > Onymous, this would be the first time (that I've heard about) that law > enforcement has been able to disrupt services on the I2P network. > > It's also quite possible that the operators simply got skittish and > bailed. I certainly wouldn't blame them. > > Anyway, if anybody has any other information about LEO activities on I2P, > I'd love to know more. > > R > > (ps - is anybody out there actually interested in any of these marketplace > updates? If not, I'll stop, I'm basically just passing along news from > various subreddits anyway.) > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1997 bytes Desc: not available URL: From grarpamp at gmail.com Mon Nov 10 18:17:00 2014 From: grarpamp at gmail.com (grarpamp) Date: Mon, 10 Nov 2014 21:17:00 -0500 Subject: Fwd: [Cryptography] "DarkHotel" APT routinely breaking RSA512 In-Reply-To: References: Message-ID: ---------- Forwarded message ---------- From: Henry Baker Date: Mon, Nov 10, 2014 at 5:50 PM Subject: [Cryptography] "DarkHotel" APT routinely breaking RSA512 To: cryptography at metzdowd.com "The Darkhotel crew’s skillset allows it to launch interesting cryptographical attacks, for instance factoring 512 bit RSA keys" The keys are used to create bogus certificates, e.g., GTE CyberTrust Digisign Server iD (Enrich) flexicorp.jaring.my sha1/ RSA (512 bits) Expired 12/17/2008 12/17/2010 Equifax Secure eBusiness CA 1 Equifax Secure eBusiness CA 1 secure.hotelreykjavik.i s md5/RSA (512 bits) invalid Sig 2/27/2005 3/30/2007 http://www.net-security.org/secworld.php?id=17612 http://25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com/files/2014/11/darkhotel_kl_07.11.pdf _______________________________________________ The cryptography mailing list cryptography at metzdowd.com 
http://www.metzdowd.com/mailman/listinfo/cryptography

From eugen at leitl.org Tue Nov 11 04:28:46 2014
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 11 Nov 2014 13:28:46 +0100
Subject: SpaceX Will Announce Micro-Satellites For Low Cost Internet Within Three Months
Message-ID: <20141111122846.GP10467@leitl.org>

http://techcrunch.com/2014/11/10/spacex-will-announce-micro-satellites-for-low-cost-internet-within-three-months/

From eugen at leitl.org Tue Nov 11 04:39:23 2014
From: eugen at leitl.org (Eugen Leitl)
Date: Tue, 11 Nov 2014 13:39:23 +0100
Subject: OpenBazaar Beta 3.0 “Tabriz” is released
Message-ID: <20141111123923.GQ10467@leitl.org>

https://blog.openbazaar.org/beta-3-0-tabriz-is-released/

Beta 3.0 “Tabriz” is released

November 10, 2014
Sam Patterson

The third OpenBazaar beta release is now available. With this release, we’re starting the tradition of naming our releases after great bazaars from all around the world, with the first being Tabriz, a market in Iran which is one of the oldest bazaars in the Middle East.

Tabriz represents a significant amount of work for our developers, with more than 350 commits, and merging more than 70 pull requests from the community. We thank everyone who contributed.

One of the major improvements in Tabriz is the ability to run on Windows. If you’d like to become a beta tester, download the Windows binary [signature here], unzip the file and run the OpenBazaar.exe file. In case our site goes down, you can get a torrent with this magnet link.

For a full list of changes in Tabriz, check out the changelog.

Testing

If you want to become a beta tester and are running on Mac or Linux, follow these instructions in your terminal:

If you don’t have Git installed on Linux, open terminal (Ctrl+Alt+T) and type:

    sudo apt-get install git

If you don’t have Git installed for OSX, download here and install.
Now run: git clone https://github.com/OpenBazaar/OpenBazaar.git Once that’s complete, change directories: cd OpenBazaar Run the configure with this command: ./configure.sh If you’ve already been running OpenBazaar, you need to update the code. In terminal, run the following commands: git pull ./configure.sh To start your node: ./openbazaar start To stop your node: ./openbazaar stop To get help on the commands you can use with OpenBazaar: ./openbazaar help If you find a bug, please let us know on our Github or on the bug reporting thread in our subreddit. 3.0 beta Tabriz From georgemaschke at posteo.de Tue Nov 11 06:35:25 2014 From: georgemaschke at posteo.de (George W. Maschke) Date: Tue, 11 Nov 2014 14:35:25 +0000 Subject: RedPhone Removed from Google Play Store Message-ID: <54621EAD.8090905@posteo.de> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Early today, 11 November 2014, Open Whisper Systems' RedPhone app was removed from the Google Play Store: https://play.google.com/store/apps/details?id=org.thoughtcrime.redphone By contrast, TextSecure remains available: https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms and Open Whisper Systems' iOS app, Signal, remains available: https://itunes.apple.com/us/app/signal-private-messenger/id874139669 Any ideas what may have happened? 
George Maschke PGP Public Key: 316A947C From odinn.cyberguerrilla at riseup.net Tue Nov 11 09:30:09 2014 From: odinn.cyberguerrilla at riseup.net (odinn) Date: Tue, 11 Nov 2014 17:30:09 +0000 Subject: RedPhone Removed from Google Play Store In-Reply-To: <54621EAD.8090905@posteo.de> References: <54621EAD.8090905@posteo.de> Message-ID: <546247A1.3030600@riseup.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Yes, I have an idea. The US corporation-state is unhappy that people can make sexy calls (or any other calls) to each other that the US corporation-state is not privy to. They have complained to Google. Someone pulled it from the store. A debate ensued on whether or not that would be appropriate, thus while hot air is being expelled the other secure apps remain in Google's Play store. Nonetheless the apps will remain available elsewhere even if pulled from store.
There is a thread related to these issues on twitter which I recommend you visit (dated from the time when Google Play had censored adblockplus and disconnectme, removing them from the Google Play store): https://twitter.com/AnonyOdinn/status/506325144382341120 Text of the statements which started the thread, my response to it, and adblockplus's response: "ashkan soltani ‏@ashk4n Aug 29 Conflict of interests - Google removes privacy preserving apps @AdblockPlus and @disconnectme from Android Play store http://blogs.wsj.com/digits/2014/08/28/why-some-privacy-apps-get-blocked-from-the-android-play-store/..." "@dgouldin @ashk4n Yes, & @disconnectme @AdblockPlus @bitpay +others should provide links (to dl client) independent from any website service" "Adblock Plus ‏@AdblockPlus Sep 1 @AnonyOdinn @dgouldin @ashk4n You can grab our APK here: https://adblockplus.org/en/android" George W. Maschke: > Early today, 11 November 2014, Open Whisper Systems' RedPhone app > was removed from the Google Play Store: > > https://play.google.com/store/apps/details?id=org.thoughtcrime.redphone > > By contrast, TextSecure remains available: > > https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms > > and Open Whisper Systems' iOS app, Signal, remains available: > > https://itunes.apple.com/us/app/signal-private-messenger/id874139669 > > Any ideas what may have happened? 
> > George Maschke PGP Public Key: 316A947C > > - -- http://abis.io ~ "a protocol concept to enable decentralization and expansion of a giving economy, and a new social good" https://keybase.io/odinn From cathalgarvey at cathalgarvey.me Tue Nov 11 11:31:18 2014 From: cathalgarvey at cathalgarvey.me (Cathal (Phone)) Date: Tue, 11 Nov 2014 19:31:18 +0000 Subject: RedPhone Removed from Google Play Store In-Reply-To: <546247A1.3030600@riseup.net> References: <54621EAD.8090905@posteo.de> <546247A1.3030600@riseup.net> Message-ID: <1A04175B-8126-4BA0-9C9F-57D2A1C2E455@cathalgarvey.me> It's an enduring disappointment to those of us too security/privacy conscious to install Google Play that Moxie refuses to distribute signed APKs through any other channel. It also confuses the heck out of me that someone who makes an app *explicitly* to guard against intermediaries doesn't actually understand why I might distrust Google as much as my network provider. Anyways, without a Google account Redphone performs very poorly, so I don't use it, but I've got a good network of Textsecure users going based on self-compiled, unmaintained APKs, precisely the outcome Moxie claims Google Play helps prevent. Bad Incentives, I guess. On 11 November 2014 17:30:09 GMT+00:00, odinn wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA512 > >Yes, I have an idea. The US corporation-state is unhappy that people >can make sexy calls (or any other calls) to each other that the US >corporation-state is not privy to. They have complained to Google.
>Someone pulled it from the store. A debate ensued on whether or not >that would be appropriate, thus while hot air is being expelled the >other secure apps remain in Google's Play store. > >Nonetheless the apps will remain available elsewhere even if pulled >from store. > >There is a thread related to these issues on twitter which I recommend >you visit (dated from the time when Google Play had censored >adblockplus and disconnectme, removing them from the Google Play >store): > >https://twitter.com/AnonyOdinn/status/506325144382341120 > >Text of the statements which started the thread, my response to it, >and adblockplus's response: > >"ashkan soltani ‏@ashk4n Aug 29 > >Conflict of interests - Google removes privacy preserving apps >@AdblockPlus and @disconnectme from Android Play store >http://blogs.wsj.com/digits/2014/08/28/why-some-privacy-apps-get-blocked-from-the-android-play-store/..." > >"@dgouldin @ashk4n Yes, & @disconnectme @AdblockPlus @bitpay +others >should provide links (to dl client) independent from any website >service" > >"Adblock Plus ‏@AdblockPlus Sep 1 > >@AnonyOdinn @dgouldin @ashk4n You can grab our APK here: >https://adblockplus.org/en/android" > > >George W. Maschke: >> Early today, 11 November 2014, Open Whisper Systems' RedPhone app >> was removed from the Google Play Store: >> >> >https://play.google.com/store/apps/details?id=org.thoughtcrime.redphone >> >> By contrast, TextSecure remains available: >> >> >https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms >> >> and Open Whisper Systems' iOS app, Signal, remains available: >> >> https://itunes.apple.com/us/app/signal-private-messenger/id874139669 >> >> Any ideas what may have happened? 
>> >> George Maschke PGP Public Key: 316A947C >> >> > >- -- >http://abis.io ~ >"a protocol concept to enable decentralization >and expansion of a giving economy, and a new social good" >https://keybase.io/odinn -- Sent from my Android device with K-9 Mail. Please excuse my brevity. From griffin at cryptolab.net Tue Nov 11 16:38:49 2014 From: griffin at cryptolab.net (Griffin Boyce) Date: Tue, 11 Nov 2014 19:38:49 -0500 Subject: Fwd: [liberationtech] XMPP object encryption at IETF about to die... In-Reply-To: <5462A769.8060605@cdt.org> References: <5462A769.8060605@cdt.org> Message-ID: <490c98c8-8300-414e-ac8d-636689b16017@email.android.com> FYI: -------- Original Message -------- From: Joseph Lorenzo Hall Sent: November 11, 2014 7:18:49 PM EST To: liberationtech Subject: [liberationtech] XMPP object encryption at IETF about to die... -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 I'm here at IETF 91 hanging with all the protocol nerds. I was talking to someone about OTR and they pointed out that the object-encryption standard for XMPP that has been put forward is about to die due to lack of interest and engagement: http://tools.ietf.org/html/draft-miller-xmpp-e2e Has anyone seen this and thinks it could be a good thing to standardize?
I realize it's a subset of what OTR provides but I'm wondering if this could be something we as a community might want to work with in this kind of standards body. Any e2e-has-a-posse folks have an interest here or is standardization not an interest or desire? best, Joe - -- Joseph Lorenzo Hall Chief Technologist Center for Democracy & Technology 1634 I ST NW STE 1100 Washington DC 20006-4011 (p) 202-407-8825 (f) 202-637-0968 joe at cdt.org PGP: https://josephhall.org/gpg-key fingerprint: 3CA2 8D7B 9F6D DBD3 4B10 1607 5F86 6987 40A9 A871 -- Liberationtech is public & archives are searchable on Google. Violations of list guidelines will get you moderated: https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu.
From l at odewijk.nl Tue Nov 11 11:53:27 2014 From: l at odewijk.nl (Lodewijk andré de la porte) Date: Tue, 11 Nov 2014 20:53:27 +0100 Subject: RedPhone Removed from Google Play Store In-Reply-To: <1A04175B-8126-4BA0-9C9F-57D2A1C2E455@cathalgarvey.me> References: <54621EAD.8090905@posteo.de> <546247A1.3030600@riseup.net> <1A04175B-8126-4BA0-9C9F-57D2A1C2E455@cathalgarvey.me> Message-ID: I'm still confused as to why Moxxie decided to build apps for Android. Android is a really bad environment, security wise. The securephone (or whatever it's called) did very little to assuage worries. The stack is way too tall! The attack surface is *huge*. Then through the Google Store, which is a problem too. Maybe Moxxie decided that any threat model that include an adversarial Google will result in immediate loss, thus decided that Google was his friend? From fox at vbfox.net Tue Nov 11 15:00:04 2014 From: fox at vbfox.net (Black Fox) Date: Wed, 12 Nov 2014 00:00:04 +0100 Subject: RedPhone Removed from Google Play Store In-Reply-To: <54621EAD.8090905@posteo.de> References: <54621EAD.8090905@posteo.de> Message-ID: On Tue, Nov 11, 2014 at 3:35 PM, George W. Maschke wrote: > Early today, 11 November 2014, Open Whisper Systems' RedPhone app was > removed from the Google Play Store: > > Any ideas what may have happened? Seem like even @whispersystems don't have any idea : @whispersystems: RedPhone was removed from the Play Store today. We don't yet know why, but we've reached out to Google support for more information. https://twitter.com/whispersystems/status/532300506618527745 @whispersystems: If anyone at Google or with contacts at Google can help us with getting RedPhone reinstated, please get in touch or give us a hand.
https://twitter.com/whispersystems/status/532300810810437632 From grarpamp at gmail.com Tue Nov 11 22:28:52 2014 From: grarpamp at gmail.com (grarpamp) Date: Wed, 12 Nov 2014 01:28:52 -0500 Subject: GoldBug SF projects [was: Bittorrent Bleep] In-Reply-To: References: Message-ID: Even they fail so many chances before, still giving them another opportunity... https://sourceforge.net/p/goldbug/discussion/general/thread/1b87ed55/ From odinn.cyberguerrilla at riseup.net Tue Nov 11 17:49:06 2014 From: odinn.cyberguerrilla at riseup.net (odinn) Date: Wed, 12 Nov 2014 01:49:06 +0000 Subject: RedPhone Removed from Google Play Store In-Reply-To: References: <54621EAD.8090905@posteo.de> <546247A1.3030600@riseup.net> <1A04175B-8126-4BA0-9C9F-57D2A1C2E455@cathalgarvey.me> Message-ID: <5462BC92.4020806@riseup.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Well, not trying to be blunt about it, but maybe the reason why Moxie decided to build apps for Android, is because Android tipped over 80 percent market share before even 2014, and who wouldn't want to try to provide good privacy for that large of a userbase? or maybe it is some other reason, maybe you could ask Moxie, who I've copied on this. But with that said, with that many users, good apps that provide people with choices as to how to protect their information are necessary. By the way, I use RedPhone and TextSecure, and I recommend them to others. I'm aware of the issues that have arisen in connection with analyses of TextSecure and CyanogenMod (and the issues that people raise with Android), but I still think that RedPhone and TextSecure are some of the best things out there particularly when compared to many other similar apps on the market.
Really these kind of things (Google Play's censorship of Adblockplus and disconnectme in the past, as examples, and Google pulling RedPhone off Play, more recently) make it clear though that you can't have Google as your friend for long and if you're going to put an app out it should be downloadable from your project site, downloadable from github, and accessible (for mobile apps / droid) via https://f-droid.org/ as well. Don't you dare tell me people should go get an iPhone (yes, Signal is available for iPhone, which is surely good for the many iPhone users, and that's a good thing) in light of Apple's horrific practices such as, but not limited to, this: http://blog.crackpassword.com/2014/06/breaking-into-icloud-no-password-required/#more-2597 or this (re.: Yosemite and iCloud): http://datavibe.net/~sneak/20141023/wtf-icloud/ etc. Lodewijk andré de la porte: > I'm still confused as to why Moxxie decided to build apps for > Android. Android is a really bad environment, security wise. The > securephone (or whatever it's called) did very little to assuage > worries. The stack is way too tall! The attack surface is *huge*. > Then through the Google Store, which is a problem too. Maybe Moxxie > decided that any threat model that include an adversarial Google > will result in immediate loss, thus decided that Google was his > friend? 
> - -- http://abis.io ~ "a protocol concept to enable decentralization and expansion of a giving economy, and a new social good" https://keybase.io/odinn From odinn.cyberguerrilla at riseup.net Tue Nov 11 17:57:57 2014 From: odinn.cyberguerrilla at riseup.net (odinn) Date: Wed, 12 Nov 2014 01:57:57 +0000 Subject: Fwd: [liberationtech] XMPP object encryption at IETF about to die... In-Reply-To: <490c98c8-8300-414e-ac8d-636689b16017@email.android.com> References: <5462A769.8060605@cdt.org> <490c98c8-8300-414e-ac8d-636689b16017@email.android.com> Message-ID: <5462BEA5.5090606@riseup.net> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Lack of interest and engagement???? Maybe I'm thinking of different things here, but OTR is part and parcel of how Adium works, and cypherpunks has an OTR plugin for Pidgin. And these tools are very widely used by those who utilize XMPP option through either Adium or Pidgin with OTR! There's no lack of interest in it. As an aside: You can use https://tox.im with Pidgin or Adium: 1) https://lilithlela.cyberguerrilla.org/?p=3060 2) https://wiki.tox.im/Tox_Pidgin_Protocol_Plugin 3) https://wiki.tox.im/Adium_Tox_Plugin So... getting to my question: Griffin, by lack of interest and engagement, do you mean that more people need to comment on tools.ietf.org/html/draft-miller-xmpp-e2e in order for it to move forward, or... something else? And if our comments in support of this object-encryption standard are needed, to who should they be best directed for greatest effect?
Griffin Boyce: > FYI: > > > -------- Original Message -------- From: Joseph Lorenzo Hall > Sent: November 11, 2014 7:18:49 PM EST To: > liberationtech Subject: > [liberationtech] XMPP object encryption at IETF about to die... > > I'm here at IETF 91 hanging with all the protocol nerds. I was > talking to someone about OTR and they pointed out that the > object-encryption standard for XMPP that has been put forward is > about to die due to lack of interest and engagement: > > http://tools.ietf.org/html/draft-miller-xmpp-e2e > > Has anyone seen this and thinks it could be a good thing to > standardize? I realize it's a subset of what OTR provides but I'm > wondering if this could be something we as a community might want > to work with in this kind of standards body. > > Any e2e-has-a-posse folks have an interest here or is > standardization not an interest or desire? > > best, Joe > > - -- http://abis.io ~ "a protocol concept to enable decentralization and expansion of a giving economy, and a new social good" https://keybase.io/odinn From lists at infosecurity.ch Wed Nov 12 00:16:29 2014 From: lists at infosecurity.ch (Fabio Pietrosanti - lists) Date: Wed, 12 Nov 2014 09:16:29 +0100 Subject: GoldBug SF projects [was: Bittorrent Bleep] In-Reply-To: References: Message-ID: <5463175D.7070205@infosecurity.ch> I'm thinking that Infiltration and Information Deception are probably the best strategies with those folks. A weekend with Pizza+Beer drafting 4-5 well SEO-optimized websites, to represent a different "reality" of them?
;) Counter-PsyOPS-Team ? ;) -naif On 11/12/14 7:28 AM, grarpamp wrote: > Even they fail so many chances before, still giving them another opportunity... > https://sourceforge.net/p/goldbug/discussion/general/thread/1b87ed55/ From list at sysfu.com Wed Nov 12 15:13:32 2014 From: list at sysfu.com (Seth) Date: Wed, 12 Nov 2014 15:13:32 -0800 Subject: RedPhone Removed from Google Play Store In-Reply-To: <58392590e28400e4d3d23366b0c760dc@openmailbox.org> References: <54621EAD.8090905@posteo.de> <546247A1.3030600@riseup.net> <1A04175B-8126-4BA0-9C9F-57D2A1C2E455@cathalgarvey.me> <58392590e28400e4d3d23366b0c760dc@openmailbox.org> Message-ID: On Wed, 12 Nov 2014 14:29:04 -0800, wrote: > Where can TextSecure be downloaded? Best workaround I've found so far if you want to download Google Play APKs on your computer and then transfer them to your phone manually is Raccoon: http://www.onyxbits.de/raccoon Requires java along with a 'dummy' Google account, but gets the job done with the least amount of hassle. Unfortunately, it appears that TextSecure still requires the Google Services framework to be installed and running on the Android device. Haven't figured out yet how to do this manually without installing Google Play. Also, FWIW, you can (or at least you used to be able to) manually remove a Google account from an Android phone without having to factory reset the device.
http://www.sleetherz.com/android-news/how-to-change-gmail-account-on-android-market-without-factory-reset/2511/ -- Seth I <3 nicely trimmed email replies From bluelotus at openmailbox.org Wed Nov 12 14:29:04 2014 From: bluelotus at openmailbox.org (bluelotus at openmailbox.org) Date: Wed, 12 Nov 2014 17:29:04 -0500 Subject: RedPhone Removed from Google Play Store In-Reply-To: <1A04175B-8126-4BA0-9C9F-57D2A1C2E455@cathalgarvey.me> References: <54621EAD.8090905@posteo.de> <546247A1.3030600@riseup.net> <1A04175B-8126-4BA0-9C9F-57D2A1C2E455@cathalgarvey.me> Message-ID: <58392590e28400e4d3d23366b0c760dc@openmailbox.org> Cathal, thank you for pointing out the hypocrisy of privacy app developers not making their apps available without a Google account. I too refuse to have a Google account so cannot use Google Play. Thanks for making TextSecure available to non Google account holders. Where can TextSecure be downloaded? On 11/11/2014 2:31 pm, Cathal (Phone) wrote: > It's an enduring disappointment to those of us too security/privacy > conscious to install Google Play that Moxie refuses to distribute > signed APKs through any other channel. It also confuses the heck out > of me that someone who makes an app *explicitly* to guard against > intermediaries doesn't actually understand why I might distrust Google > as much as my network provider. > > Anyways, without a Google account Redphone performs very poorly, so I > don't use it, but I've got a good network of Textsecure users going > based on self-compiled, unmaintained APKs, precisely the outcome Moxie > claims Google Play helps prevent. Bad Incentives, I guess. > > On 11 November 2014 17:30:09 GMT+00:00, odinn > wrote: >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA512 >> >> Yes, I have an idea. The US corporation-state is unhappy that people >> can make sexy calls (or any other calls) to each other that the US >> corporation-state is not privy to. They have complained to Google. >> Someone pulled it from the store. 
A debate ensued on whether or not >> that would be appropriate, thus while hot air is being expelled the >> other secure apps remain in Google's Play store. >> >> Nonetheless the apps will remain available elsewhere even if pulled >> from store. >> >> There is a thread related to these issues on twitter which I recommend >> you visit (dated from the time when Google Play had censored >> adblockplus and disconnectme, removing them from the Google Play >> store): >> >> https://twitter.com/AnonyOdinn/status/506325144382341120 >> >> Text of the statements which started the thread, my response to it, >> and adblockplus's response: >> >> "ashkan soltani ‏@ashk4n Aug 29 >> >> Conflict of interests - Google removes privacy preserving apps >> @AdblockPlus and @disconnectme from Android Play store >> http://blogs.wsj.com/digits/2014/08/28/why-some-privacy-apps-get-blocked-from-the-android-play-store/..." >> >> "@dgouldin @ashk4n Yes, & @disconnectme @AdblockPlus @bitpay +others >> should provide links (to dl client) independent from any website >> service" >> >> "Adblock Plus ‏@AdblockPlus Sep 1 >> >> @AnonyOdinn @dgouldin @ashk4n You can grab our APK here: >> https://adblockplus.org/en/android" >> >> >> George W. Maschke: >>> Early today, 11 November 2014, Open Whisper Systems' RedPhone app >>> was removed from the Google Play Store: >>> >>> >> https://play.google.com/store/apps/details?id=org.thoughtcrime.redphone >>> >>> By contrast, TextSecure remains available: >>> >>> >> https://play.google.com/store/apps/details?id=org.thoughtcrime.securesms >>> >>> and Open Whisper Systems' iOS app, Signal, remains available: >>> >>> https://itunes.apple.com/us/app/signal-private-messenger/id874139669 >>> >>> Any ideas what may have happened? 
>>> >>> George Maschke PGP Public Key: 316A947C >>> >>> >> >> - -- >> http://abis.io ~ >> "a protocol concept to enable decentralization >> and expansion of a giving economy, and a new social good" >> https://keybase.io/odinn From guninski at guninski.com Wed Nov 12 09:38:50 2014 From: guninski at guninski.com (Georgi Guninski) Date: Wed, 12 Nov 2014 19:38:50 +0200 Subject: Fwd: [Cryptography] "DarkHotel" APT routinely breaking RSA512 In-Reply-To: References: Message-ID: <20141112173850.GA3828@sivokote.iziade.m$> On Mon, Nov 10, 2014 at 09:17:00PM -0500, grarpamp wrote: > ---------- Forwarded message ---------- > From: Henry Baker > Date: Mon, Nov 10, 2014 at 5:50 PM > Subject: [Cryptography] "DarkHotel" APT routinely breaking RSA512 > To: cryptography at metzdowd.com > > > "The Darkhotel crew’s skillset allows it to launch interesting > cryptographical attacks, for instance factoring 512 bit RSA keys" > Factoring RSA 512 is well within earthly resources as of now. Probably modest botnet (for sieving) + good machines for linear algebra will factor RSA 512 in moderate time. The interesting question is: did they make some crypto breakthrough? btw, RSA cancelled their monetary challenges even for >512...
> The keys are used to create bogus certificates, e.g., > > GTE > CyberTrust > Digisign Server iD > (Enrich) > flexicorp.jaring.my sha1/ > RSA (512 bits) > Expired 12/17/2008 12/17/2010 > > Equifax > Secure > eBusiness > CA 1 > Equifax Secure > eBusiness CA 1 > secure.hotelreykjavik.i s > md5/RSA (512 bits) > invalid Sig 2/27/2005 3/30/2007 > > http://www.net-security.org/secworld.php?id=17612 > > http://25zbkz3k00wn2tp5092n6di7b5k.wpengine.netdna-cdn.com/files/2014/11/darkhotel_kl_07.11.pdf > > > _______________________________________________ > The cryptography mailing list > cryptography at metzdowd.com > http://www.metzdowd.com/mailman/listinfo/cryptography From rysiek at hackerspace.pl Wed Nov 12 11:03:04 2014 From: rysiek at hackerspace.pl (rysiek) Date: Wed, 12 Nov 2014 20:03:04 +0100 Subject: Fwd: [liberationtech] XMPP object encryption at IETF about to die... In-Reply-To: <5462BEA5.5090606@riseup.net> References: <5462A769.8060605@cdt.org> <490c98c8-8300-414e-ac8d-636689b16017@email.android.com> <5462BEA5.5090606@riseup.net> Message-ID: <5533345.nzTu7Wq55D@lapuntu> On Wednesday, 12 November 2014 01:57:57 odinn wrote: > Lack of interest and engagement???? > > Maybe I'm thinking of different things here, but OTR is part and > parcel of how Adium works, and cypherpunks has an OTR plugin for Pidgin. > > And these tools are very widely used by those who utilize XMPP option > through either Adium or Pidgin with OTR! There's no lack of interest > in it. > > As an aside: > > You can use https://tox.im with Pidgin or Adium: > 1) https://lilithlela.cyberguerrilla.org/?p=3060 > 2) https://wiki.tox.im/Tox_Pidgin_Protocol_Plugin > 3) https://wiki.tox.im/Adium_Tox_Plugin > > So... getting to my question: > > Griffin, by lack of interest and engagement, do you mean that more > people need to comment on tools.ietf.org/html/draft-miller-xmpp-e2e in > order for it to move forward, or... something else?
> > And if our comments in support of this object-encryption standard are > needed, to who should they be best directed for greatest effect? As far as I understand, this draft is something different from OTR, and maybe that's the reason it dies a slow death -- OTR is "good enough". -- Regards rysiek From rysiek at hackerspace.pl Wed Nov 12 14:43:43 2014 From: rysiek at hackerspace.pl (rysiek) Date: Wed, 12 Nov 2014 23:43:43 +0100 Subject: they crushed Aaron because they could, they destroy lives across the globe because they can, my fellow frogs in the boiling pot, how much is too much? In-Reply-To: References: Message-ID: <28319447.SkdxyahaPg@lapuntu> Thanks, good one. -- Regards rysiek From eugen at leitl.org Thu Nov 13 00:52:35 2014 From: eugen at leitl.org (Eugen Leitl) Date: Thu, 13 Nov 2014 09:52:35 +0100 Subject: Lantern: One Device, Free Data From Space Forever Message-ID: <20141113085235.GR10467@leitl.org> https://www.indiegogo.com/projects/lantern-one-device-free-data-from-space-forever Global access to the Internet’s best content on your mobile device. Anonymous. Uncensored. Free. Chicago, Illinois, United States Technology A Library In Every Pocket “The Short Wave Radio for the Digital Age.” -- Fast Company “A Tiny Satellite Dish That Brings Info to the World’s Deadzones.” -- Wired “Outernet aims to provide data to the net unconnected.” -- BBC "Billions of people around the world don't have access to the Internet, so the next big thing is trying to connect the world." -- CNN Lantern is an anonymous portable library that constantly receives free data from space.
Like the water we drink or the air we breathe, the information we consume feeds the very essence of what it means to be human. Lantern establishes a new baseline of human knowledge. We are not fixing the world for people, we are giving them the information they need to fix it themselves. Lantern continuously receives radio waves broadcast by Outernet from space. Lantern turns the signal into digital files, like webpages, news articles, ebooks, videos, and music. Lantern can receive and store any type of digital file on its internal drive. To view the content stored in Lantern, turn on the Wi-Fi hotspot and connect to Lantern with any Wi-Fi enabled device. All you need is a browser. Oh, and Outernet is free to use, always. [...] From adi at hexapodia.org Thu Nov 13 10:29:05 2014 From: adi at hexapodia.org (Andy Isaacson) Date: Thu, 13 Nov 2014 10:29:05 -0800 Subject: Lantern: One Device, Free Data From Space Forever In-Reply-To: <1994186.yFoYsa0xCB@lapuntu> References: <20141113085235.GR10467@leitl.org> <1994186.yFoYsa0xCB@lapuntu> Message-ID: <20141113182905.GH25368@hexapodia.org> On Thu, Nov 13, 2014 at 11:17:25AM +0100, rysiek wrote: > On Thursday, 13 November 2014 09:52:35 Eugen Leitl wrote: > > https://www.indiegogo.com/projects/lantern-one-device-free-data-from-space-forever [snip] > > Lantern continuously receives radio waves broadcast by Outernet from space. > > device. All you need is a browser. > > > > Oh, and Outernet is free to use, always. Outernet, at least, appears to be a real thing: http://en.wikipedia.org/wiki/Outernet https://www.outernet.is > Is it just me, or does it reek of snakeoil?.. Also, is it in any way related > to: > https://getlantern.org/ Appears to be a different project.
-andy From cathalgarvey at cathalgarvey.me Thu Nov 13 03:12:23 2014 From: cathalgarvey at cathalgarvey.me (Cathal Garvey) Date: Thu, 13 Nov 2014 11:12:23 +0000 Subject: RedPhone Removed from Google Play Store In-Reply-To: References: <54621EAD.8090905@posteo.de> <546247A1.3030600@riseup.net> <1A04175B-8126-4BA0-9C9F-57D2A1C2E455@cathalgarvey.me> <58392590e28400e4d3d23366b0c760dc@openmailbox.org> Message-ID: <54649217.4010106@cathalgarvey.me> Nope, I haven't had to install Play for Textsecure at all, and I don't use or have a personal Google account. When it offers to set up data channel, just skip it, and TS reverts to encrypting over SMS instead. Redphone also has a "no google" mode where it announces incoming calls to other RP users with a simultaneous SMS, but I've found it to be very buggy in my builds; calls connect but no sound transmitted, etc. As far as "where to get it", here's a copy: https://ngrok.com:61924/owncloud/public.php?service=files&t=264659e23e8733b528386eaa6f52d5ef Cert is self-signed: SHA1: 63:9B:E2:FA:D8:A9:66:DE:46:B7:E4:C2:18:47:73:04:C0:12:FE:1F SHA256: CF:D2:82:0D:C8:65:CE:EB:2E:3F:36:EC:DA:9E:82:4E:2E:BD:51:19:6A:7E:11:65:50:40:57:9E:B8:79:8D:A2 This is an older build by now. Frankly I'm holding out for a JS build of Textsecure and I'll probably try FFOS, then. FDroid and Textsecure are my "killer apps" tying me to Android. I just wish Moxie would let them play nice together. On 12/11/14 23:13, Seth wrote: > On Wed, 12 Nov 2014 14:29:04 -0800, wrote: >> Where can TextSecure be downloaded? > > Best workaround I've found so far if you want to download Google Play > APKs on your computer and then transfer them to your phone manually is > Raccoon: > > http://www.onyxbits.de/raccoon > > Requires java along with a 'dummy' Google account, but gets the job done > with the least amount of hassle. > > Unfortunately, it appears that TextSecure still requires the Google > Services framework to be installed and running on the Android device. 
> Haven't figured out yet how to do this manually this without installing
> Google Play.
>
> Also, FWIW, you can (or at least you used to be able to) manually remove
> a Google account from an Android phone without having to factory reset
> the device.
>
> http://www.sleetherz.com/android-news/how-to-change-gmail-account-on-android-market-without-factory-reset/2511/
>

From rysiek at hackerspace.pl Thu Nov 13 02:17:25 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Thu, 13 Nov 2014 11:17:25 +0100
Subject: Lantern: One Device, Free Data From Space Forever
In-Reply-To: <20141113085235.GR10467@leitl.org>
References: <20141113085235.GR10467@leitl.org>
Message-ID: <1994186.yFoYsa0xCB@lapuntu>

On Thursday, 13 November 2014 09:52:35 Eugen Leitl wrote:
> https://www.indiegogo.com/projects/lantern-one-device-free-data-from-space-forever
>
> Global access to the Internet’s best content on your mobile device.
> Anonymous. Uncensored. Free. Chicago, Illinois, United States Technology
>
>
> A Library In Every Pocket
>
> “The Short Wave Radio for the Digital Age.” -- Fast Company
>
> “A Tiny Satellite Dish That Brings Info to the World’s Deadzones.” -- Wired
>
> “Outernet aims to provide data to the net unconnected.” -- BBC
>
> "Billions of people around the world don't have access to the Internet, so
> the next big thing is trying to connect the world." -- CNN
>
>
> Lantern is an anonymous portable library that constantly receives free data
> from space.
>
> Like the water we drink or the air we breathe, the information we consume
> feeds the very essence of what it means to be human. Lantern establishes a
> new baseline of human knowledge. We are not fixing the world for people, we
> are giving them the information they need to fix it themselves.
>
> Lantern continuously receives radio waves broadcast by Outernet from space.
> Lantern turns the signal into digital files, like webpages, news articles,
> ebooks, videos, and music. Lantern can receive and store any type of
> digital file on its internal drive. To view the content stored in Lantern,
> turn on the Wi-Fi hotspot and connect to Lantern with any Wi-Fi enabled
> device. All you need is a browser.
>
> Oh, and Outernet is free to use, always.
>
> [...]

Is it just me, or does it reek of snakeoil?.. Also, is it in any way related to:
https://getlantern.org/

--
Regards
rysiek

From eric at konklone.com Thu Nov 13 09:51:33 2014
From: eric at konklone.com (Eric Mill)
Date: Thu, 13 Nov 2014 12:51:33 -0500
Subject: RedPhone Removed from Google Play Store
In-Reply-To: <54649217.4010106@cathalgarvey.me>
References: <54621EAD.8090905@posteo.de> <546247A1.3030600@riseup.net> <1A04175B-8126-4BA0-9C9F-57D2A1C2E455@cathalgarvey.me> <58392590e28400e4d3d23366b0c760dc@openmailbox.org> <54649217.4010106@cathalgarvey.me>
Message-ID:

Moxie's laid out very clear reasons for why he uses Google Play and discourages other people from building it. You may not agree with him, but he at least has what I think is a coherent security model that he's sticking to.

Really great discussion on it here:

https://github.com/whispersystems/textsecure/issues/53
https://github.com/whispersystems/textsecure/issues/127

Namely, he trusts apps signed with his signature (a process he manages using his own airgapped system) and that's it. *You* may not hinge your trust of the application on his signature, but he does, and he wants ideally every TextSecure install to have it.

Both threads above are from before the CyanogenMod deal. To make that happen, Moxie's team built a secure self-update path for the app, which removed most of the barriers to requiring Google Play.

The other main barrier is push delivery, which right now uses Google Cloud Messaging.
High quality push delivery to a kabillion devices is very hard, and not easy to replace. However, Moxie has encouraged people to take advantage of the server's WebSockets support, and to build an option for that into the client if they want to remove the last barrier to Google support -- while warning that WebSockets delivery will not be nearly as good as GCM-based delivery. I was talking with a friend about this over the weekend, and I think that the push that's happening for fully reproducible builds -- where every build produces an identical binary with an identical hash -- would resolve some of the issues Moxie has. Then, Moxie can sign the hash of the binary, and others who build the source code or get binaries from other places can verify that hash. That still requires some tooling or verification UX, and for builds to be reproducible by other people than Moxie, but it could make a difference. -- Eric On Thu, Nov 13, 2014 at 6:12 AM, Cathal Garvey wrote: > Nope, I haven't had to install Play for Textsecure at all, and I don't use > or have a personal Google account. When it offers to set up data channel, > just skip it, and TS reverts to encrypting over SMS instead. > > Redphone also has a "no google" mode where it announces incoming calls to > other RP users with a simultaneous SMS, but I've found it to be very buggy > in my builds; calls connect but no sound transmitted, etc. > > As far as "where to get it", here's a copy: https://ngrok.com:61924/ > owncloud/public.php?service=files&t=264659e23e8733b528386eaa6f52d5ef > > Cert is self-signed: > SHA1: 63:9B:E2:FA:D8:A9:66:DE:46:B7:E4:C2:18:47:73:04:C0:12:FE:1F > SHA256: CF:D2:82:0D:C8:65:CE:EB:2E:3F:36:EC:DA:9E:82:4E:2E:BD:51:19: > 6A:7E:11:65:50:40:57:9E:B8:79:8D:A2 > > This is an older build by now. Frankly I'm holding out for a JS build of > Textsecure and I'll probably try FFOS, then. FDroid and Textsecure are my > "killer apps" tying me to Android. I just wish Moxie would let them play > nice together. 
>
>
> On 12/11/14 23:13, Seth wrote:
>
>> On Wed, 12 Nov 2014 14:29:04 -0800, wrote:
>>
>>> Where can TextSecure be downloaded?
>>>
>>
>> Best workaround I've found so far if you want to download Google Play
>> APKs on your computer and then transfer them to your phone manually is
>> Raccoon:
>>
>> http://www.onyxbits.de/raccoon
>>
>> Requires java along with a 'dummy' Google account, but gets the job done
>> with the least amount of hassle.
>>
>> Unfortunately, it appears that TextSecure still requires the Google
>> Services framework to be installed and running on the Android device.
>> Haven't figured out yet how to do this manually this without installing
>> Google Play.
>>
>> Also, FWIW, you can (or at least you used to be able to) manually remove
>> a Google account from an Android phone without having to factory reset
>> the device.
>>
>> http://www.sleetherz.com/android-news/how-to-change-gmail-account-on-android-market-without-factory-reset/2511/
>>
>>

--
konklone.com | @konklone

From guninski at guninski.com Thu Nov 13 03:57:05 2014
From: guninski at guninski.com (Georgi Guninski)
Date: Thu, 13 Nov 2014 13:57:05 +0200
Subject: [Cryptography] "DarkHotel" APT routinely breaking RSA512
In-Reply-To: <07FA144E-064C-47FF-9BAA-89D8B2DDA462@callas.org>
References: <20141112173850.GA3828@sivokote.iziade.m$> <07FA144E-064C-47FF-9BAA-89D8B2DDA462@callas.org>
Message-ID: <20141113115705.GA2515@sivokote.iziade.m$>

On Wed, Nov 12, 2014 at 02:07:36PM -0800, Jon Callas wrote:
> > Factoring RSA 512 is well within earthy resources as of now.
> > Probably modest botnet (for sieving) + good machines for linear
> > algebra will factor RSA 512 in moderate time.
> >
> > The interesting question is: did they some crypto breakthrough?
> >
> > btw, RSA cancelled their monetary challenges even for >512...
>
> One can factor RSA 512 with less than earthly resources. One friend of mine back in 2009 was factoring RSA 512 with a single tower machine in about two weeks. He upgraded the machine in 2011 and could do it in about ten days.
>
> Jon

Didn't know it was so fast.

For what time a botnet of million computers (AFAIK such exist) will do the sieving for RSA 1024 using GNFS?

From drwho at virtadpt.net Thu Nov 13 14:27:46 2014
From: drwho at virtadpt.net (The Doctor)
Date: Thu, 13 Nov 2014 14:27:46 -0800
Subject: Lantern: One Device, Free Data From Space Forever
In-Reply-To: <1994186.yFoYsa0xCB@lapuntu>
References: <20141113085235.GR10467@leitl.org> <1994186.yFoYsa0xCB@lapuntu>
Message-ID: <54653062.1040107@virtadpt.net>

On 11/13/2014 02:17 AM, rysiek wrote:
> Is it just me, or does it reek of snakeoil?.. Also, is it in any
> way related

The "magick satellite network ov data" that's always on? Yeah, it smells a little funny to me. Satellite time isn't cheap. HP printer ink is way cheaper.

On the other hand, I found these from the same project:

https://outernet-project.github.io/orx-install/
https://github.com/Outernet-Project/orx-install

They specifically talk about using some of the sub-$20us software defined receivers (like the RTLSDR) to pick up the data to store locally.

They have quite a few public repositories that might be worth picking through, for that matter:

https://github.com/Outernet-Project

I don't have a whole lot of time to go hunting right now, but what little I've done suggests that the source for odda (OuterNet Data Delivery Agent, which takes the data stream from the sat downlink and writes it as files appropriately) isn't available, or at least not yet. For setting up a data archive like that (which is an interest of mine), I can't, in good conscience, trust a daemon the source of which I can't examine. Too much at risk for my use cases.

> to: https://getlantern.org/

Doesn't look like it.
--
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

"Cameramen cannot survive on fast food and porn alone." --Anthony Bourdain

From tbiehn at gmail.com Thu Nov 13 13:47:20 2014
From: tbiehn at gmail.com (Travis Biehn)
Date: Thu, 13 Nov 2014 16:47:20 -0500
Subject: Lantern: One Device, Free Data From Space Forever
In-Reply-To: <20141113182905.GH25368@hexapodia.org>
References: <20141113085235.GR10467@leitl.org> <1994186.yFoYsa0xCB@lapuntu> <20141113182905.GH25368@hexapodia.org>
Message-ID:

Do your own research on my statements, they are based on a brief review of their marketing materials from 1-2 months ago:

The biggest problem I have with this project is that the sats are centralized. I don't see how it can live up to 'censorship free.'

It depends on a crowd-sourced list of articles + funding from private advertisers.

You need to be morally aligned with the 'majority of people' - the minorities are still oppressed and marginalized. Corporate interests pay for top hits. Not enough protection against sybil attacks.
Many, many many many more problems they need to address.

Neat idea on the face, though, just need to iron out some really big problems (sybil, distributed control of sat systems, ???.)

-Travis

On Thu, Nov 13, 2014 at 1:29 PM, Andy Isaacson wrote:

> On Thu, Nov 13, 2014 at 11:17:25AM +0100, rysiek wrote:
> > On Thursday, 13 November 2014 09:52:35 Eugen Leitl wrote:
> > > https://www.indiegogo.com/projects/lantern-one-device-free-data-from-space-forever
> [snip]
> > > Lantern continuously receives radio waves broadcast by Outernet from space.
> > > device. All you need is a browser.
> > >
> > > Oh, and Outernet is free to use, always.
>
> Outernet, at least, appears to be a real thing:
>
> http://en.wikipedia.org/wiki/Outernet
>
> https://www.outernet.is
>
> > Is it just me, or does it reek of snakeoil?.. Also, is it in any way related
> > to:
> > https://getlantern.org/
>
> Appears to be a different project.
>
> -andy
>

--
Twitter | LinkedIn | GitHub | TravisBiehn.com | Google Plus

From cathalgarvey at cathalgarvey.me Thu Nov 13 11:41:58 2014
From: cathalgarvey at cathalgarvey.me (Cathal Garvey)
Date: Thu, 13 Nov 2014 19:41:58 +0000
Subject: RedPhone Removed from Google Play Store
In-Reply-To:
References: <54621EAD.8090905@posteo.de> <546247A1.3030600@riseup.net> <1A04175B-8126-4BA0-9C9F-57D2A1C2E455@cathalgarvey.me> <58392590e28400e4d3d23366b0c760dc@openmailbox.org> <54649217.4010106@cathalgarvey.me>
Message-ID: <54650986.6060400@cathalgarvey.me>

Oh, for sure Moxie has a threat model that makes sense to him, but I dispute that it makes any sense in the real world. Google's certificate system is TOFU, so whatever certificate Google pushes to a users' device is what that device trusts updates from thenceforth.
And, there's no obvious way for an Android user to verify a certificate *even if they were so inclined*. For my part, as an Android user with a knowledge of and interest in crypto, I have *never* checked a signed APK. Ever. So, if even the more technical end of Moxie's customer base don't check APK signatures, and if most people simply take what Google Play offers them, what's to stop Google pushing a malicious TextSecure? Nothing. Nothing, at all, ever. And all the machinations and air-gaps Moxie and co implement are meaningless, because the TOFU scheme makes Google the root of all trust on the Google Play market. If it were merely about certificates, Moxie would offer up-to-date APKs through his own website and F-Droid repository, allowing him to have utter control over timely updates without an intermediate trusted agent. But he doesn't, and when I asked I finally got an answer: It's because F-Droid doesn't offer metrics, debugging, and analytics. Essentially, he wants Google play so he can get silent feedback on what the Apps are doing in the wild. I don't object to this as long as it's opt-in for users, but I do object that it's being presented as something (threat model) rather than developer convenience. I love TextSecure, and I'm grateful to Moxie and co for creating it. It lets me layer security on a legacy platform that everyone uses in a way that's transparent and extremely user-friendly, while offering security granularity for those so inclined (cert checks). But the delivery is through an intermediary that are essentially a public-facing wing of the NSA, and they have total control over the trust/threat model for 95% of the user-base. So..I don't even. On 13/11/14 17:51, Eric Mill wrote: > Moxie's laid out very clear reasons for why he uses Google Play and > discourages other people from building it. You may not agree with him, > but he at least has what I think is a coherent security model that he's > sticking to. 
> > Really great discussion on it here: > > https://github.com/whispersystems/textsecure/issues/53 > https://github.com/whispersystems/textsecure/issues/127 > > Namely, he trusts apps signed with his signature (a process he manages > using his own airgapped system) and that's it. *You* may not hinge your > trust of the application on his signature, but he does, and he wants > ideally every TextSecure install to have it. > > Both threads above are from before the CyanogenMod deal. To make that > happen, Moxie's team built a secure self-update path for the app, which > removed most of the barriers to requiring Google Play. > > The other main barrier is push delivery, which right now uses Google > Cloud Messaging. High quality push delivery to a kabillion devices is > very hard, and not easy to replace. However, Moxie has encouraged people > to take advantage of the server's WebSockets support, and to build an > option for that into the client if they want to remove the last barrier > to Google support -- while warning that WebSockets delivery will not be > nearly as good as GCM-based delivery. > > I was talking with a friend about this over the weekend, and I think > that the push that's happening for fully reproducible builds -- where > every build produces an identical binary with an identical hash -- would > resolve some of the issues Moxie has. > > Then, Moxie can sign the hash of the binary, and others who build the > source code or get binaries from other places can verify that hash. That > still requires some tooling or verification UX, and for builds to be > reproducible by other people than Moxie, but it could make a difference. > > -- Eric > > On Thu, Nov 13, 2014 at 6:12 AM, Cathal Garvey > > wrote: > > Nope, I haven't had to install Play for Textsecure at all, and I > don't use or have a personal Google account. When it offers to set > up data channel, just skip it, and TS reverts to encrypting over SMS > instead. 
> > Redphone also has a "no google" mode where it announces incoming > calls to other RP users with a simultaneous SMS, but I've found it > to be very buggy in my builds; calls connect but no sound > transmitted, etc. > > As far as "where to get it", here's a copy: > https://ngrok.com:61924/__owncloud/public.php?service=__files&t=__264659e23e8733b528386eaa6f52d5__ef > > > Cert is self-signed: > SHA1: 63:9B:E2:FA:D8:A9:66:DE:46:B7:__E4:C2:18:47:73:04:C0:12:FE:1F > SHA256: > CF:D2:82:0D:C8:65:CE:EB:2E:3F:__36:EC:DA:9E:82:4E:2E:BD:51:19:__6A:7E:11:65:50:40:57:9E:B8:79:__8D:A2 > > This is an older build by now. Frankly I'm holding out for a JS > build of Textsecure and I'll probably try FFOS, then. FDroid and > Textsecure are my "killer apps" tying me to Android. I just wish > Moxie would let them play nice together. > > > On 12/11/14 23:13, Seth wrote: > > On Wed, 12 Nov 2014 14:29:04 -0800, > wrote: > > Where can TextSecure be downloaded? > > > Best workaround I've found so far if you want to download Google > Play > APKs on your computer and then transfer them to your phone > manually is > Raccoon: > > http://www.onyxbits.de/raccoon > > Requires java along with a 'dummy' Google account, but gets the > job done > with the least amount of hassle. > > Unfortunately, it appears that TextSecure still requires the Google > Services framework to be installed and running on the Android > device. > Haven't figured out yet how to do this manually this without > installing > Google Play. > > Also, FWIW, you can (or at least you used to be able to) > manually remove > a Google account from an Android phone without having to factory > reset > the device. 
>
> http://www.sleetherz.com/android-news/how-to-change-gmail-account-on-android-market-without-factory-reset/2511/
>
>
> --
> konklone.com | @konklone
>

From grarpamp at gmail.com Thu Nov 13 19:38:11 2014
From: grarpamp at gmail.com (grarpamp)
Date: Thu, 13 Nov 2014 22:38:11 -0500
Subject: [Cryptography] ISPs caught in STARTTLS downgrade attacks
In-Reply-To: <1415905281.18842.1.camel@sonic.net>
References: <1415905281.18842.1.camel@sonic.net>
Message-ID:

On Thu, Nov 13, 2014 at 2:01 PM, Bear wrote:
> End-to-end email encryption solutions such as PGP do not
> protect crucial elements in the headers.

Failure!

> STARTTLS
> ... can only be run by the parties that run the mail
> servers.

Failure!

> Since most correspondents rely on mail servers operated
> by their ISP's

Failure!

> (and most ISP's block customer mail servers as
> non-negotiable policy in order to limit spam sending)

Failure!

> The plaintext of STARTTLS
> email is normally visible to the sender's ISP and receiver's
> ISP.

Failure!

> Unfortunately, the ISPs do not risk substantial losses from
> failures of STARTTLS

Failure!

> and can subvert or fail to implement it
> in ways not immediately visible to those who do.

Failure!

> Predictably
> some have therefore been subverting or failing to implement
> it.

Win! (For them and their cronies that is.)

Traditional mail providers love:
a) Money
b) Plaintext
c) Control

They have stakes in their own game, you are not a stakeholder, thus they are not your friends. In this world, your only friend is you. You need to thus:
a) Donate to account agnostic infrastructures that you use
b) Remain in control of all keying and encrypt everything
c) Use a P2P model, retain control, no more 'accounts', accounts are control and privacy failures individualized just for you

> I'm increasingly of the opinion that there is no protocol
> that can be derived from SMTP and compatible with it

The traditional email model as we know it is fucked. You CANNOT fix 'Email'.
And anyone who claims they can is full of shit. The model is broken. You have to throw it out and create a new messaging model.

> that
> can provide the practical privacy of a paper letter in a
> paper envelope.

No!, there is no privacy there whatsoever.
1) All addressing/envelope info is recorded/imaged at the processing facility, tracked, stored forever, and shared with adversaries.
2) Users are similarly imaged and linked via payments at drop off and pick up.
3) It's not encrypted.
4) The user has to trust untrustworthy entities with 1, 2 and 3.

That is abject failure! To even bring it up as supposedly being secure, even if only to compare models with grandma... is ludicrous. The post is secure by fiat, and these days the word of fiat isn't enough to buy the damn stamp. Even grandma will tell you that.

> Sigh. One more round of "Internet Mail, Privacy Fail."

You cannot fix Email. Period. The only real solution is messaging end user to end user over an anonymous encrypted P2P network.

Here's a long thread on that you can read and start working towards:

The next gen P2P secure email solution
https://cpunks.org/pipermail/cypherpunks/2013-December/002638.html
...
https://cpunks.org/pipermail/cypherpunks/2014-July/004900.html

From grarpamp at gmail.com Thu Nov 13 19:59:28 2014
From: grarpamp at gmail.com (grarpamp)
Date: Thu, 13 Nov 2014 22:59:28 -0500
Subject: List Administrivia: archive stripping
Message-ID:

Noticed the web archives are mangling 'string at string' type constructs found in the body of posts. This harms and alters whatever the author was saying, particularly for code-like constructs. Any spammers will simply subscribe to the list and parse out all such address-like things as they are posted in real time. So please disable this misguided mangling. Thanks.

foo at example.com

From rsw at jfet.org Thu Nov 13 22:25:37 2014
From: rsw at jfet.org (Riad S.
Wahby) Date: Fri, 14 Nov 2014 01:25:37 -0500 Subject: List Administrivia: archive stripping In-Reply-To: References: Message-ID: <20141114062537.GA24479@antiproton.jfet.org> grarpamp wrote: > So please disable this misguided mangling. I'm fairly certain the source material for the archives aren't mangled, so upon turning off the relevant setting the original appearance of messages will be restored. Before I throw the switch, any thoughts on why we might not want to make this change? -=rsw From parkrmoore at gmail.com Fri Nov 14 09:32:37 2014 From: parkrmoore at gmail.com (Parker Moore) Date: Fri, 14 Nov 2014 09:32:37 -0800 Subject: Doing HTTPS everywhere in the .gov space In-Reply-To: <20141114170658.GA3783@sivokote.iziade.m$> References: <20141114170658.GA3783@sivokote.iziade.m$> Message-ID: <4358C8E2-BEEA-47C5-B2A4-25683B02FF99@gmail.com> Interesting conjectures! But... What do they have to do with https everywhere that Eric mentioned? They're very general thoughts. And even if we only have 5 years, why not enforce https on .gov sites until then? Seems like a win to me, no matter how long government survives. Parker > Am 14.11.2014 um 09:06 schrieb Georgi Guninski : > > Didn't know .gov dudes _openly_ post here. > > For a discussion, let me make some conjectures about *us.gov. > > Conjecture 1. USA is a pyramid, AKA Ponzi scheme > Conjecture 2. USA will die in its present form in at most 5 > years (possibly causing troubles to other nations too). > Conjecture 3. USA will be bought by the People's Republic > of China (PRC) in at most 5 years (possibly with other > investors). [This already happened to some USA corporations]. 
> > Best of luck, > -- > gg > > >> On Fri, Nov 14, 2014 at 11:13:41AM -0500, Eric Mill wrote: >> Hey, >> >> I wrote a piece today for my organization, 18F, about our HTTPS-everywhere >> policy for the .gov websites we build inside the US government: >> >> https://18f.gsa.gov/2014/11/13/why-we-use-https-in-every-gov-website-we-make/ >> >> I wanted to give this list some extra context, since I understand the US >> government is a big, complicated, freighted topic. Below is my *personal* >> attempt to describe my workplace and is not anything close to an official >> description or the voice of the government. >> >> 18F[1] is a team of ~70 people working as full time employees inside the US >> federal government. (The name comes from the street intersection -- 18th St >> & F St -- that its HQ is at in DC.) 18F as a unit was created around a year >> ago to be a competent, top class in-house technology team for the US >> federal government. >> >> A driving idea here is that the government shouldn't need to outsource its >> *entire* technical brain to contractors, and that government services can >> be simple and even beautiful. If you've noticed what's happened over the >> last few years in the UK at https://www.gov.uk by the Government Digital >> Service[2], 18F takes a lot of inspiration from them. >> >> 18F is housed inside the General Services Administration, an independent >> federal agency[3] that does as many different things as its name implies, >> from running all the buildings to housing the nation's data catalog at >> Data.gov. It's an "independent" federal agency in that it's not subject to >> the same level of direct executive and White House control that cabinet >> agencies are. It's the same kind of "independent" that lets the FCC >> potentially disagree with the President on net neutrality, for example. 
>> >> The team has people all over the country (it has a big SF office, for >> example), many of which have either never been in government before, or who >> came in after doing the Presidential Innovation Fellows[4] program. >> >> I joined 18F after working for 5 years on open data apps, infrastructure, >> and policy at the Sunlight Foundation[5], a non-profit in DC that pushes >> for open government. I had also done a fair amount of work around privacy, >> HTTPS, and ongoing judicial activity around surveillance. I get to continue >> doing all of that work in my personal capacity. >> >> I say this just to try to communicate that the 18F team has some very >> sincere people trying to make the US government work better for people all >> over the world, and to do right by technology in the process. We have >> substantial support and autonomy to make that happen. >> >> When it comes to HTTPS, the .gov surface area is absolutely enormous, and >> moving it helps move the whole Internet forward. Bringing the government in >> line with the rest of the web/security community (and being loud about it) >> is one of my big priorities at 18F, and so I wanted to share this here with >> you all. 
>> >> -- Eric >> >> [1] https://18f.gsa.gov/ >> [2] https://gds.blog.gov.uk/ >> [3] >> https://en.wikipedia.org/wiki/Independent_agencies_of_the_United_States_government >> [4] https://en.wikipedia.org/wiki/Presidential_Innovation_Fellows >> [5] https://sunlightfoundation.com/ >> >> -- >> konklone.com | @konklone From eric at konklone.com Fri Nov 14 08:13:41 2014 From: eric at konklone.com (Eric Mill) Date: Fri, 14 Nov 2014 11:13:41 -0500 Subject: Doing HTTPS everywhere in the .gov space Message-ID: Hey, I wrote a piece today for my organization, 18F, about our HTTPS-everywhere policy for the .gov websites we build inside the US government: https://18f.gsa.gov/2014/11/13/why-we-use-https-in-every-gov-website-we-make/ I wanted to give this list some extra context, since I understand the US government is a big, complicated, freighted topic. Below is my *personal* attempt to describe my workplace and is not anything close to an official description or the voice of the government. 18F[1] is a team of ~70 people working as full time employees inside the US federal government. (The name comes from the street intersection -- 18th St & F St -- that its HQ is at in DC.) 18F as a unit was created around a year ago to be a competent, top class in-house technology team for the US federal government. A driving idea here is that the government shouldn't need to outsource its *entire* technical brain to contractors, and that government services can be simple and even beautiful. If you've noticed what's happened over the last few years in the UK at https://www.gov.uk by the Government Digital Service[2], 18F takes a lot of inspiration from them. 18F is housed inside the General Services Administration, an independent federal agency[3] that does as many different things as its name implies, from running all the buildings to housing the nation's data catalog at Data.gov. 
It's an "independent" federal agency in that it's not subject to the same level of direct executive and White House control that cabinet agencies are. It's the same kind of "independent" that lets the FCC potentially disagree with the President on net neutrality, for example.

The team has people all over the country (it has a big SF office, for example), many of which have either never been in government before, or who came in after doing the Presidential Innovation Fellows[4] program.

I joined 18F after working for 5 years on open data apps, infrastructure, and policy at the Sunlight Foundation[5], a non-profit in DC that pushes for open government. I had also done a fair amount of work around privacy, HTTPS, and ongoing judicial activity around surveillance. I get to continue doing all of that work in my personal capacity.

I say this just to try to communicate that the 18F team has some very sincere people trying to make the US government work better for people all over the world, and to do right by technology in the process. We have substantial support and autonomy to make that happen.

When it comes to HTTPS, the .gov surface area is absolutely enormous, and moving it helps move the whole Internet forward. Bringing the government in line with the rest of the web/security community (and being loud about it) is one of my big priorities at 18F, and so I wanted to share this here with you all.

-- Eric

[1] https://18f.gsa.gov/
[2] https://gds.blog.gov.uk/
[3] https://en.wikipedia.org/wiki/Independent_agencies_of_the_United_States_government
[4] https://en.wikipedia.org/wiki/Presidential_Innovation_Fellows
[5] https://sunlightfoundation.com/

--
konklone.com | @konklone

From tedks at riseup.net Fri Nov 14 09:26:34 2014
From: tedks at riseup.net (Ted Smith)
Date: Fri, 14 Nov 2014 12:26:34 -0500
Subject: Lantern: One Device, Free Data From Space Forever
In-Reply-To:
References: <20141113085235.GR10467@leitl.org> <1994186.yFoYsa0xCB@lapuntu> <20141113182905.GH25368@hexapodia.org>
Message-ID: <1415985994.10475.2.camel@anglachel>

It's "censorship-free" in the sense that a nation-state can't effectively block their citizens from using Lantern.

So, it's a censorship-free centralized distribution system, as opposed to a censorship-proof decentralized publishing system like Freenet. And it's centralized, so as soon as the central authority (the satellites) are compromised, the whole system is owned.

IMO this is a neat first step -- it's not the whole way, but it's getting there. Now we just need Freenet or similar on decentralized microsats.

On Thu, 2014-11-13 at 16:47 -0500, Travis Biehn wrote:
> Do your own research on my statements, they are based on a brief
> review of their marketing materials from 1-2 months ago:
>
>
> The biggest problem I have with this project is that the sats are
> centralized. I don't see how it can live up to 'censorship free.'
>
>
> It depends on a crowd-sourced list of articles + funding from private
> advertisers.
>
>
> You need to be morally aligned with the 'majority of people' - the
> minorities are still oppressed and marginalized. Corporate interests
> pay for top hits. Not enough protection against sybil attacks. Many,
> many many many more problems they need to address.
>
>
> Neat idea on the face, though, just need to iron out some really big
> problems (sybil, distributed control of sat systems, ???.)
> > > -Travis > > On Thu, Nov 13, 2014 at 1:29 PM, Andy Isaacson > wrote: > On Thu, Nov 13, 2014 at 11:17:25AM +0100, rysiek wrote: > > On Thursday, 13 November 2014 09:52:35 Eugen Leitl wrote: > > > > https://www.indiegogo.com/projects/lantern-one-device-free-data-from-space-forever > [snip] > > > Lantern continuously receives radio waves broadcast by > Outernet from space. > > > > > device. All you need is a browser. > > > > > > Oh, and Outernet is free to use, always. > > Outernet, at least, appears to be a real thing: > > http://en.wikipedia.org/wiki/Outernet > > https://www.outernet.is > > > Is it just me, or does it reek of snakeoil?.. Also, is it in > any way related > > to: > > https://getlantern.org/ > > Appears to be a different project. > > -andy > > > > > -- > Twitter | LinkedIn | GitHub | TravisBiehn.com | Google Plus > -- Sent from Ubuntu From snehan.kekre612 at protonmail.ch Fri Nov 14 11:21:09 2014 From: snehan.kekre612 at protonmail.ch (Snehan Kekre) Date: Fri, 14 Nov 2014 14:21:09 -0500 Subject: https://facebookcorewwwi.onion/ Message-ID: <4ad5f8f80ea16e4659213646262dd5f6@protonmail.ch> A non-text attachment was scrubbed...
Name: not available Type: text/html Size: 2073 bytes Desc: not available URL: From tedks at riseup.net Fri Nov 14 11:29:45 2014 From: tedks at riseup.net (Ted Smith) Date: Fri, 14 Nov 2014 14:29:45 -0500 Subject: RedPhone Removed from Google Play Store In-Reply-To: References: <54621EAD.8090905@posteo.de> <546247A1.3030600@riseup.net> <1A04175B-8126-4BA0-9C9F-57D2A1C2E455@cathalgarvey.me> <58392590e28400e4d3d23366b0c760dc@openmailbox.org> <54649217.4010106@cathalgarvey.me> <54650986.6060400@cathalgarvey.me> Message-ID: <1415993385.10475.14.camel@anglachel> On Thu, 2014-11-13 at 18:06 -0500, Eric Mill wrote: > This isn't accurate, in practice. In theory, Google could replace any > certificate they want for first use. But they clearly don't do that > for everyone (Moxie or someone would notice), and if they did it in a > targeted way, it could only be on the first use. That's a threat > vector, but only viable under both targeted and specific > circumstances. > > > So "what's to stop Google pushing a malicious TextSecure? Nothing. > Nothing, at all, ever." isn't accurate -- you can trust that you're > highly likely to get the real TS binary on first install, and then > guarantee that you're getting a binary signed by the same person for > updates. But Google can silently update their services providing this "guarantee" and remove it. Could they do this without anyone noticing? Probably not on a wide scale. But it's still not a guarantee. There's essentially no way to get around this on Android, which is I think why Moxie has abandoned that goal. If a solution exists, the people detracting TextSecure for using Google infrastructure should build that solution, fork TextSecure, and add it. Code speaks louder than words. -- Sent from Ubuntu
From juan.g71 at gmail.com Fri Nov 14 10:54:53 2014 From: juan.g71 at gmail.com (Juan) Date: Fri, 14 Nov 2014 15:54:53 -0300 Subject: Doing HTTPS everywhere in the .gov space In-Reply-To: References: Message-ID: <54664f95.c71f8c0a.15c5.ffffd528@mx.google.com> On Fri, 14 Nov 2014 11:13:41 -0500 Eric Mill wrote: > Hey, Is it possible for this mailing list to sink any lower? > > I wrote a piece today for my organization, 18F, about our > HTTPS-everywhere policy for the .gov websites we build inside the US > government: > > https://18f.gsa.gov/2014/11/13/why-we-use-https-in-every-gov-website-we-make/ > > I wanted to give this list some extra context, since I understand the > US government is a big, complicated, freighted topic. Below is my > *personal* attempt to describe my workplace and is not anything close > to an official description or the voice of the government. > > 18F[1] is a team of ~70 people working as full time employees inside > the US federal government. (The name comes from the street > intersection -- 18th St & F St -- that its HQ is at in DC.) 18F as a > unit was created around a year ago to be a competent, top class > in-house technology team for the US federal government. > > A driving idea here is that the government shouldn't need to > outsource its *entire* technical brain to contractors, and that > government services can be simple and even beautiful. If you've > noticed what's happened over the last few years in the UK at > https://www.gov.uk by the Government Digital Service[2], 18F takes a > lot of inspiration from them. > > 18F is housed inside the General Services Administration, an > independent federal agency[3] that does as many different things as > its name implies, from running all the buildings to housing the > nation's data catalog at Data.gov.
It's an "independent" federal > agency in that it's not subject to the same level of direct executive > and White House control that cabinet agencies are. It's the same kind > of "independent" that lets the FCC potentially disagree with the > President on net neutrality, for example. > > The team has people all over the country (it has a big SF office, for > example), many of which have either never been in government before, > or who came in after doing the Presidential Innovation Fellows[4] > program. > > I joined 18F after working for 5 years on open data apps, > infrastructure, and policy at the Sunlight Foundation[5], a > non-profit in DC that pushes for open government. I had also done a > fair amount of work around privacy, HTTPS, and ongoing judicial > activity around surveillance. I get to continue doing all of that > work in my personal capacity. > > I say this just to try to communicate that the 18F team has some very > sincere people trying to make the US government work better for > people all over the world, and to do right by technology in the > process. We have substantial support and autonomy to make that happen. > > When it comes to HTTPS, the .gov surface area is absolutely enormous, > and moving it helps move the whole Internet forward. Bringing the > government in line with the rest of the web/security community (and > being loud about it) is one of my big priorities at 18F, and so I > wanted to share this here with you all. 
> > -- Eric > > [1] https://18f.gsa.gov/ > [2] https://gds.blog.gov.uk/ > [3] > https://en.wikipedia.org/wiki/Independent_agencies_of_the_United_States_government > [4] https://en.wikipedia.org/wiki/Presidential_Innovation_Fellows > [5] https://sunlightfoundation.com/ > From jya at pipeline.com Fri Nov 14 12:59:14 2014 From: jya at pipeline.com (John Young) Date: Fri, 14 Nov 2014 15:59:14 -0500 Subject: Doing HTTPS everywhere in the .gov space In-Reply-To: <20141114170658.GA3783@sivokote.iziade.m$> References: <20141114170658.GA3783@sivokote.iziade.m$> Message-ID: Dot gov subscribers have been around since the beginning. Some wear dual hats, some switch back and forth. Some use nyms, some use personal mail, some are open, some are hidden. This is how crypto has always worked, no other way to do it. Cannot be one-sided, cannot be perfect, snake oil as common as trustworthy, deception essential, honesty a sure sign of dishonesty. RTFM, RTF archives, filled with tips about using mail lists for FUD. Without FUD no need for crypto. Gov FUD is oxymoronic which is why crypto is basic to any regime. 70 people is about what the USG needs for comsec. 10 capable ones, 60 to pad the payroll and please Congressional earmarkers. 75,000 is shale-fracked snakeoil. Ft Meade better used for a Swedish massage spa. At 12:06 PM 11/14/2014, you wrote: >Didn't know .gov dudes _openly_ post here. > >For a discussion, let me make some conjectures about *us.gov. > >Conjecture 1. USA is a pyramid, AKA Ponzi scheme >Conjecture 2. USA will die in its present form in at most 5 >years (possibly causing troubles to other nations too). >Conjecture 3. USA will be bought by the People's Republic >of China (PRC) in at most 5 years (possibly with other >investors). [This already happened to some USA corporations]. 
> >Best of luck, >-- >gg > > >On Fri, Nov 14, 2014 at 11:13:41AM -0500, Eric Mill wrote: > > Hey, > > > > I wrote a piece today for my organization, 18F, about our HTTPS-everywhere > > policy for the .gov websites we build inside the US government: > > > > > https://18f.gsa.gov/2014/11/13/why-we-use-https-in-every-gov-website-we-make/ > > > > I wanted to give this list some extra context, since I understand the US > > government is a big, complicated, freighted topic. Below is my *personal* > > attempt to describe my workplace and is not anything close to an official > > description or the voice of the government. > > > > 18F[1] is a team of ~70 people working as full time employees inside the US > > federal government. (The name comes from the street intersection -- 18th St > > & F St -- that its HQ is at in DC.) 18F as a unit was created around a year > > ago to be a competent, top class in-house technology team for the US > > federal government. > > > > A driving idea here is that the government shouldn't need to outsource its > > *entire* technical brain to contractors, and that government services can > > be simple and even beautiful. If you've noticed what's happened over the > > last few years in the UK at https://www.gov.uk by the Government Digital > > Service[2], 18F takes a lot of inspiration from them. > > > > 18F is housed inside the General Services Administration, an independent > > federal agency[3] that does as many different things as its name implies, > > from running all the buildings to housing the nation's data catalog at > > Data.gov. It's an "independent" federal agency in that it's not subject to > > the same level of direct executive and White House control that cabinet > > agencies are. It's the same kind of "independent" that lets the FCC > > potentially disagree with the President on net neutrality, for example. 
> > > > The team has people all over the country (it has a big SF office, for > > example), many of which have either never been in government before, or who > > came in after doing the Presidential Innovation Fellows[4] program. > > > > I joined 18F after working for 5 years on open data apps, infrastructure, > > and policy at the Sunlight Foundation[5], a non-profit in DC that pushes > > for open government. I had also done a fair amount of work around privacy, > > HTTPS, and ongoing judicial activity around surveillance. I get to continue > > doing all of that work in my personal capacity. > > > > I say this just to try to communicate that the 18F team has some very > > sincere people trying to make the US government work better for people all > > over the world, and to do right by technology in the process. We have > > substantial support and autonomy to make that happen. > > > > When it comes to HTTPS, the .gov surface area is absolutely enormous, and > > moving it helps move the whole Internet forward. Bringing the government in > > line with the rest of the web/security community (and being loud about it) > > is one of my big priorities at 18F, and so I wanted to share this here with > > you all. > > > > -- Eric > > > > [1] https://18f.gsa.gov/ > > [2] https://gds.blog.gov.uk/ > > [3] > > > https://en.wikipedia.org/wiki/Independent_agencies_of_the_United_States_government > > [4] https://en.wikipedia.org/wiki/Presidential_Innovation_Fellows > > [5] https://sunlightfoundation.com/ > > > > -- > > konklone.com | @konklone From juan.g71 at gmail.com Fri Nov 14 12:36:31 2014 From: juan.g71 at gmail.com (Juan) Date: Fri, 14 Nov 2014 17:36:31 -0300 Subject: Doing HTTPS everywhere in the .gov space In-Reply-To: References: <54664f95.c71f8c0a.15c5.ffffd528@mx.google.com> Message-ID: <5466676a.4642e00a.3752.ffffa39a@mx.google.com> On Fri, 14 Nov 2014 20:43:43 +0100 Lodewijk andré de la porte wrote: > Governments doing a better job at government would be a great thing. 
Not sure what you mean by that. As far as I'm concerned the only 'job' the government should be doing is disappearing from the face of the earth. The fact remains though, some US government employee posting, in an allegedly 'cypherpunk' mailing list, crap about what the government does, is a joke. The motherfucking nazis from the US government use 'https'! That's so important! So relevant to the sort of values cypherpunks supposedly stand for. lol > Technology is pretty much the alpha and omega of service nowadays. I > think a team of 80 has its work cut out for it! > > Regarding security, the NSA has your back (not mine, hah!) so don't > worry too much about it. Not sure what you mean by that, but I'm not a subject of the US nazi state. Unless by 'has my back' you mean they are likely to shoot me from behind... > > (Also, 18f is more like a false and incomplete answer to "ASL?") From grarpamp at gmail.com Fri Nov 14 15:37:24 2014 From: grarpamp at gmail.com (grarpamp) Date: Fri, 14 Nov 2014 18:37:24 -0500 Subject: Fwd: [Cryptography] FW: IAB Statement on Internet Confidentiality In-Reply-To: <2A0EFB9C05D0164E98F19BB0AF3708C71D50B358B8@USMBX1.msg.corp.akamai.com> References: <99E579B9-63A7-4C4F-864F-84F539B8381E@iab.org> <2A0EFB9C05D0164E98F19BB0AF3708C71D50B358B8@USMBX1.msg.corp.akamai.com> Message-ID: ---------- Forwarded message ---------- From: Salz, Rich Date: Fri, Nov 14, 2014 at 8:46 AM Subject: [Cryptography] FW: IAB Statement on Internet Confidentiality To: "cryptography at metzdowd.com" -----Original Message----- From: IAB Chair [mailto:iab-chair at iab.org] Sent: Friday, November 14, 2014 4:26 AM To: IETF Announce Cc: IAB; IETF Subject: IAB Statement on Internet Confidentiality Please find this statement issued by the IAB today.
On behalf of the IAB, Russ Housley IAB Chair = = = = = = = = = = = = = IAB Statement on Internet Confidentiality In 1996, the IAB and IESG recognized that the growth of the Internet depended on users having confidence that the network would protect their private information. RFC 1984 documented this need. Since that time, we have seen evidence that the capabilities and activities of attackers are greater and more pervasive than previously known. The IAB now believes it is important for protocol designers, developers, and operators to make encryption the norm for Internet traffic. Encryption should be authenticated where possible, but even protocols providing confidentiality without authentication are useful in the face of pervasive surveillance as described in RFC 7258. Newly designed protocols should prefer encryption to cleartext operation. There may be exceptions to this default, but it is important to recognize that protocols do not operate in isolation. Information leaked by one protocol can be made part of a more substantial body of information by cross-correlation of traffic observation. There are protocols which may as a result require encryption on the Internet even when it would not be a requirement for that protocol operating in isolation. We recommend that encryption be deployed throughout the protocol stack since there is not a single place within the stack where all kinds of communication can be protected. The IAB urges protocol designers to design for confidential operation by default. We strongly encourage developers to include encryption in their implementations, and to make them encrypted by default. We similarly encourage network and service operators to deploy encryption where it is not yet deployed, and we urge firewall policy administrators to permit encrypted traffic. We believe that each of these changes will help restore the trust users must have in the Internet. 
We acknowledge that this will take time and trouble, though we believe recent successes in content delivery networks, messaging, and Internet application deployments demonstrate the feasibility of this migration. We also acknowledge that many network operations activities today, from traffic management and intrusion detection to spam prevention and policy enforcement, assume access to cleartext payload. For many of these activities there are no solutions yet, but the IAB will work with those affected to foster development of new approaches for these activities which allow us to move to an Internet where traffic is confidential by default. _______________________________________________ The cryptography mailing list cryptography at metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography From guninski at guninski.com Fri Nov 14 09:06:58 2014 From: guninski at guninski.com (Georgi Guninski) Date: Fri, 14 Nov 2014 19:06:58 +0200 Subject: Doing HTTPS everywhere in the .gov space In-Reply-To: References: Message-ID: <20141114170658.GA3783@sivokote.iziade.m$> Didn't know .gov dudes _openly_ post here. For a discussion, let me make some conjectures about *us.gov. Conjecture 1. USA is a pyramid, AKA Ponzi scheme Conjecture 2. USA will die in its present form in at most 5 years (possibly causing troubles to other nations too). Conjecture 3. USA will be bought by the People's Republic of China (PRC) in at most 5 years (possibly with other investors). [This already happened to some USA corporations]. Best of luck, -- gg On Fri, Nov 14, 2014 at 11:13:41AM -0500, Eric Mill wrote: > Hey, > > I wrote a piece today for my organization, 18F, about our HTTPS-everywhere > policy for the .gov websites we build inside the US government: > > https://18f.gsa.gov/2014/11/13/why-we-use-https-in-every-gov-website-we-make/ > > I wanted to give this list some extra context, since I understand the US > government is a big, complicated, freighted topic. 
Below is my *personal* > attempt to describe my workplace and is not anything close to an official > description or the voice of the government. > > 18F[1] is a team of ~70 people working as full time employees inside the US > federal government. (The name comes from the street intersection -- 18th St > & F St -- that its HQ is at in DC.) 18F as a unit was created around a year > ago to be a competent, top class in-house technology team for the US > federal government. > > A driving idea here is that the government shouldn't need to outsource its > *entire* technical brain to contractors, and that government services can > be simple and even beautiful. If you've noticed what's happened over the > last few years in the UK at https://www.gov.uk by the Government Digital > Service[2], 18F takes a lot of inspiration from them. > > 18F is housed inside the General Services Administration, an independent > federal agency[3] that does as many different things as its name implies, > from running all the buildings to housing the nation's data catalog at > Data.gov. It's an "independent" federal agency in that it's not subject to > the same level of direct executive and White House control that cabinet > agencies are. It's the same kind of "independent" that lets the FCC > potentially disagree with the President on net neutrality, for example. > > The team has people all over the country (it has a big SF office, for > example), many of which have either never been in government before, or who > came in after doing the Presidential Innovation Fellows[4] program. > > I joined 18F after working for 5 years on open data apps, infrastructure, > and policy at the Sunlight Foundation[5], a non-profit in DC that pushes > for open government. I had also done a fair amount of work around privacy, > HTTPS, and ongoing judicial activity around surveillance. I get to continue > doing all of that work in my personal capacity. 
> > I say this just to try to communicate that the 18F team has some very > sincere people trying to make the US government work better for people all > over the world, and to do right by technology in the process. We have > substantial support and autonomy to make that happen. > > When it comes to HTTPS, the .gov surface area is absolutely enormous, and > moving it helps move the whole Internet forward. Bringing the government in > line with the rest of the web/security community (and being loud about it) > is one of my big priorities at 18F, and so I wanted to share this here with > you all. > > -- Eric > > [1] https://18f.gsa.gov/ > [2] https://gds.blog.gov.uk/ > [3] > https://en.wikipedia.org/wiki/Independent_agencies_of_the_United_States_government > [4] https://en.wikipedia.org/wiki/Presidential_Innovation_Fellows > [5] https://sunlightfoundation.com/ > > -- > konklone.com | @konklone From grarpamp at gmail.com Fri Nov 14 16:44:23 2014 From: grarpamp at gmail.com (grarpamp) Date: Fri, 14 Nov 2014 19:44:23 -0500 Subject: Free Data From Space Forever vs. GuerrillaNets Message-ID: On Fri, Nov 14, 2014 at 12:26 PM, Ted Smith wrote: > It's "censorship-free" in the sense that a nation-state can't > effectively block their citizens from using Lantern. > > So, it's a censorship-free centralized distribution system, as opposed > to a censorship-proof decentralized publishing system like Freenet. > > And it's centralized, so as soon as the central authority (the > satellites) are compromised, the whole system is owned. > > IMO this is a neat first step -- it's not the whole way, but it's > getting there. Now we just need Freenet or similar on decentralized > microsats. The only thing you'll ever get from space is whatever whoever owns the satnet wants you to see. The idea that people are just going to be able to bounce their own unregulated networks off transponders for free as in freedom is ridiculous unless you own your cube and all means of its control. 
Hint: not going to happen, let alone at any reasonable price point. If it's that freedom you want today, go spend $100 and wire/wifi your residence to two of your neighbors and run CJDNS, etc on top of it. Repeat until you cover the globe in an individually segment owned meshnet, anonymized and encrypted on top for censorship resistance. Use whichever layer you want therein, the clear or anon one. It is the strict individual ownership and private peering of individual sized components of the network that keeps you free from all realistic physical/legal controls. And self-reinforcing deployment of encryption and anonymity that gives you freedom to share whatever data and thoughts you want with others and others with you... beyond just what you and your two neighbors might like chatting about. The greater percent of any network you cede to groupthink, groupbuy, and groupcontrol the less freedom you have. Launching and running shit in space involves a lot of freedom robbing group*. Homework: Do the math on number of residences / land parcels in your country. See how $100 in wire/wifi and router ports from each of them compares to the cost for each to truly own their own sat and sat link. Figure in launches, electricity, replacement, adversary HERF/laser attacks on the sats, millions of individual sat nodes colliding with stuff, network redundancy achieved, stability and speed of local wire in the ground, etc. Even at $500 to $1000 worth of onetime or amortized costs I'd bet wire/wifi guerrilla nets still win.
From guninski at guninski.com Fri Nov 14 10:09:42 2014 From: guninski at guninski.com (Georgi Guninski) Date: Fri, 14 Nov 2014 20:09:42 +0200 Subject: Doing HTTPS everywhere in the .gov space In-Reply-To: <4358C8E2-BEEA-47C5-B2A4-25683B02FF99@gmail.com> References: <20141114170658.GA3783@sivokote.iziade.m$> <4358C8E2-BEEA-47C5-B2A4-25683B02FF99@gmail.com> Message-ID: <20141114180942.GB3783@sivokote.iziade.m$> On Fri, Nov 14, 2014 at 09:32:37AM -0800, Parker Moore wrote: > Interesting conjectures! But... What do they have to do with https everywhere that Eric mentioned? They're very general thoughts. And even if we only have 5 years, why not enforce https on .gov sites until then? Seems like a win to me, no matter how long government survives. > > Parker > They have something to do with https everywhere on .gov IMHO. I don't want to read "https everywhere on shit*". Conjectured slave suggests use "https everywhere on conjectured pyramid". > > On 14.11.2014 at 09:06, Georgi Guninski wrote: > > > > Didn't know .gov dudes _openly_ post here. > > > > For a discussion, let me make some conjectures about *us.gov. > > > > Conjecture 1. USA is a pyramid, AKA Ponzi scheme > > Conjecture 2. USA will die in its present form in at most 5 > > years (possibly causing troubles to other nations too). > > Conjecture 3. USA will be bought by the People's Republic > > of China (PRC) in at most 5 years (possibly with other > > investors). [This already happened to some USA corporations]. > > > > Best of luck, > > -- > > gg > > > > > >> On Fri, Nov 14, 2014 at 11:13:41AM -0500, Eric Mill wrote: > >> Hey, > >> > >> I wrote a piece today for my organization, 18F, about our HTTPS-everywhere > >> policy for the .gov websites we build inside the US government: > >> > >> https://18f.gsa.gov/2014/11/13/why-we-use-https-in-every-gov-website-we-make/ > >> > >> I wanted to give this list some extra context, since I understand the US > >> government is a big, complicated, freighted topic.
Below is my *personal* > >> attempt to describe my workplace and is not anything close to an official > >> description or the voice of the government. > >> > >> 18F[1] is a team of ~70 people working as full time employees inside the US > >> federal government. (The name comes from the street intersection -- 18th St > >> & F St -- that its HQ is at in DC.) 18F as a unit was created around a year > >> ago to be a competent, top class in-house technology team for the US > >> federal government. > >> > >> A driving idea here is that the government shouldn't need to outsource its > >> *entire* technical brain to contractors, and that government services can > >> be simple and even beautiful. If you've noticed what's happened over the > >> last few years in the UK at https://www.gov.uk by the Government Digital > >> Service[2], 18F takes a lot of inspiration from them. > >> > >> 18F is housed inside the General Services Administration, an independent > >> federal agency[3] that does as many different things as its name implies, > >> from running all the buildings to housing the nation's data catalog at > >> Data.gov. It's an "independent" federal agency in that it's not subject to > >> the same level of direct executive and White House control that cabinet > >> agencies are. It's the same kind of "independent" that lets the FCC > >> potentially disagree with the President on net neutrality, for example. > >> > >> The team has people all over the country (it has a big SF office, for > >> example), many of which have either never been in government before, or who > >> came in after doing the Presidential Innovation Fellows[4] program. > >> > >> I joined 18F after working for 5 years on open data apps, infrastructure, > >> and policy at the Sunlight Foundation[5], a non-profit in DC that pushes > >> for open government. I had also done a fair amount of work around privacy, > >> HTTPS, and ongoing judicial activity around surveillance. 
I get to continue > >> doing all of that work in my personal capacity. > >> > >> I say this just to try to communicate that the 18F team has some very > >> sincere people trying to make the US government work better for people all > >> over the world, and to do right by technology in the process. We have > >> substantial support and autonomy to make that happen. > >> > >> When it comes to HTTPS, the .gov surface area is absolutely enormous, and > >> moving it helps move the whole Internet forward. Bringing the government in > >> line with the rest of the web/security community (and being loud about it) > >> is one of my big priorities at 18F, and so I wanted to share this here with > >> you all. > >> > >> -- Eric > >> > >> [1] https://18f.gsa.gov/ > >> [2] https://gds.blog.gov.uk/ > >> [3] > >> https://en.wikipedia.org/wiki/Independent_agencies_of_the_United_States_government > >> [4] https://en.wikipedia.org/wiki/Presidential_Innovation_Fellows > >> [5] https://sunlightfoundation.com/ > >> > >> -- > >> konklone.com | @konklone From l at odewijk.nl Fri Nov 14 11:43:43 2014 From: l at odewijk.nl (Lodewijk andré de la porte) Date: Fri, 14 Nov 2014 20:43:43 +0100 Subject: Doing HTTPS everywhere in the .gov space In-Reply-To: <54664f95.c71f8c0a.15c5.ffffd528@mx.google.com> References: <54664f95.c71f8c0a.15c5.ffffd528@mx.google.com> Message-ID: Governments doing a better job at government would be a great thing. Technology is pretty much the alpha and omega of service nowadays. I think a team of 80 has its work cut out for it! Regarding security, the NSA has your back (not mine, hah!) so don't worry too much about it. (Also, 18f is more like a false and incomplete answer to "ASL?")
From grarpamp at gmail.com Fri Nov 14 18:21:50 2014 From: grarpamp at gmail.com (grarpamp) Date: Fri, 14 Nov 2014 21:21:50 -0500 Subject: RedPhone Removed from Google Play Store In-Reply-To: <1415993385.10475.14.camel@anglachel> References: <54621EAD.8090905@posteo.de> <546247A1.3030600@riseup.net> <1A04175B-8126-4BA0-9C9F-57D2A1C2E455@cathalgarvey.me> <58392590e28400e4d3d23366b0c760dc@openmailbox.org> <54649217.4010106@cathalgarvey.me> <54650986.6060400@cathalgarvey.me> <1415993385.10475.14.camel@anglachel> Message-ID: On Fri, Nov 14, 2014 at 2:29 PM, Ted Smith wrote: > There's essentially no way to get around this on Android, which is I > think why Moxie has abandoned that goal. If a solution exists, the > people detracting TextSecure for using Google infrastructure should > build that solution, fork TextSecure, and add it. Code speaks louder > than words. A lot of the issue is that currently the OS map on phones looks like: 'Android/green' hardware = Google OS, 'iWhatever/white' hardware = Apple OS. The solution is to remove the '=' ties between the two. Already we are seeing porting efforts by BSD and Linux kernels to the ARM and other hardware commonly found in phones and other less than PC form factors. And hardware integrators are making more open-friendly devices where they can, perhaps someday up to and including baseband. Eventually, other than some binary driver blobs, you'll probably see a full Unix running on them in 5 years, driven by 'just because it's cool', and to get out from under the complete hardware to appstore, bottom to top, stacks we're stuck with today. With the nexus6 and the droid sdk, you could strip out a big chunk of useless google stuff and make your own rom. Even without venturing into unix porting efforts. Guardianproject and some other customization efforts seem to be doing just that.
'Appstores' are nothing more than the commercial side of things with all the typical historical lock ins. Eventually opensource provides alternatives and demand leverage to open up some cracks as happened with PC's and Microsoft. Those cracks build. From grarpamp at gmail.com Fri Nov 14 18:41:01 2014 From: grarpamp at gmail.com (grarpamp) Date: Fri, 14 Nov 2014 21:41:01 -0500 Subject: Fwd: [Cryptography] ISPs caught in STARTTLS downgrade attacks In-Reply-To: References: <1415905281.18842.1.camel@sonic.net> Message-ID: ---------- Forwarded message ---------- From: Dave Horsfall Date: Fri, Nov 14, 2014 at 12:47 AM Subject: Re: [Cryptography] ISPs caught in STARTTLS downgrade attacks To: Cryptography List On Thu, 13 Nov 2014, grarpamp wrote: > > that can provide the practical privacy of a paper letter in a paper > > envelope. > > No!, there is no privacy there whatsoever. > 1) All addressing/envelope info is recorded/imaged at the processing > facility, tracked, stored forever, and shared with adversaries. > 2) Users are similarly imaged and linked via payments at drop off > and pick up. > 3) It's not encrypted. > 4) The user has to trust untrustworthy entities with 1, 2 and 3. Funny you should say that; it seems Australia Post has come clean: http://www.smh.com.au/national/australia-post-data-shows-more-mail-being-accessed-by-government-agencies-20141113-11lp0h.html (You may need to be a subscriber) Australia Post data shows more mail being accessed by government agencies Australia Post disclosed confidential information to law enforcement, security and other government agencies more than 10,000 times in 2013-14, an increase of 25 per cent over the past four years. According to statistics released by the postal corporation, "specially protected" information, which includes information about letters and parcels and other private client information was provided to government agencies by Australia Post on 5635 occasions – more than twice the number four years ago. 
Federal government investigators accessing specially protected information include the Australian Federal Police, the Australian Crime Commission, the Department of Immigration and Border Protection, the Australian Customs Service, the Australian Taxation Office, Centrelink, Medicare and the Child Support Agency. Victorian and Queensland police as well as the NSW Crime Commission and the Western Australian Corruption and Crime Commission also received such private information. Postal information that is not "specially protected", including names and addresses on the outside of letters and parcels, was disclosed by Australia Post on another 4367 occasions. Government agencies accessing this postal "metadata" include the Australian Securities and Investments Commission, the Australian Communications and Media Authority, and the federal departments of agriculture, environment, defence, foreign affairs and trade, health and ageing. State police and anti-corruption agencies, state revenue offices, consumer affairs, workplace and environmental regulators as well as the RSPCA also accessed the information. An Australia Post spokesperson said the corporation only discloses information to authorised agencies "under a law of the Commonwealth, or for the enforcement of criminal law, or for enforcement of a law imposing a pecuniary penalty, or the protection of the public revenue". The spokesperson emphasised information is disclosed "only after the 'authorised agency' requesting the information from us establishes that the information is reasonably required for … lawful purposes". The total of 10,002 disclosures in 2013-14 was 5 per cent higher than in the previous year, despite a 4.8 per cent decline in the volume of letters delivered by Australia Post. Only 19 disclosures of postal information were made to the Australian Security Intelligence Organisation. This figure for 2013-14 is down from 31 disclosures in the previous year and is the lowest in a decade. 
Australia Post's statistics show ASIO's access to postal information peaked in 2005-06 and 2006-07, with 117 and 226 disclosures respectively, a period that covered major counter-terrorism investigations in Victoria and New South Wales. ASIO must obtain a warrant from the Attorney-General to seek any postal information from Australia Post. Although the 2013-14 disclosure statistics precede the recent surge in counter-terrorism operations focused on supporters of the so-called Islamic State, the figures do suggest that ASIO's investigations target quite small numbers of people. However, the Australia Post statistics also show that despite consistent declines in mail volume, confidential postal information is increasingly accessed by police, by government agencies enforcing laws that impose financial penalties and for "the protection of the public revenue". -- Dave Horsfall DTM (VK2KFU) "Bliss is a MacBook with a FreeBSD server." http://www.horsfall.org/spam.html (and check the home page whilst you're there) _______________________________________________ The cryptography mailing list cryptography at metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography From snehan.kekre612 at protonmail.ch Sat Nov 15 05:04:18 2014 From: snehan.kekre612 at protonmail.ch (Snehan Kekre) Date: Sat, 15 Nov 2014 08:04:18 -0500 Subject: Tor users can be de-anonymised by analysing router information Message-ID: A non-text attachment was scrubbed... Name: not available Type: text/html Size: 4865 bytes Desc: not available URL: From coluccelli at gmail.com Sat Nov 15 03:07:07 2014 From: coluccelli at gmail.com (Potito Coluccelli) Date: Sat, 15 Nov 2014 12:07:07 +0100 Subject: they crushed Aaron because they could, they destroy lives across the globe because they can, my fellow frogs in the boiling pot, how much is too much? 
In-Reply-To: <28319447.SkdxyahaPg@lapuntu> References: <28319447.SkdxyahaPg@lapuntu> Message-ID: :'( 2014-11-12 23:43 GMT+01:00 rysiek : > Thanks, > > good one. > > -- > Pozdr > rysiek -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 480 bytes Desc: not available URL: From mirimir at riseup.net Sat Nov 15 12:26:44 2014 From: mirimir at riseup.net (Mirimir) Date: Sat, 15 Nov 2014 13:26:44 -0700 Subject: Tor users can be de-anonymised by analysing router information In-Reply-To: References: Message-ID: <5467B704.9070107@riseup.net> On 11/15/2014 06:04 AM, Snehan Kekre wrote: > Research undertaken between 2008 and 2014 suggests that more than 81% of Tor > clients can be ‘de-anonymised’ – their originating IP addresses revealed – by > exploiting the ‘Netflow’ > technology > that Cisco has built into its router protocols, and similar traffic analysis > software running by default in the hardware of other manufacturers. > > Professor Sambuddho Chakravarty > , a former researcher at > Columbia University’s Network Security Lab and now > researching Network Anonymity and Privacy at the Indraprastha Institute of > Information Technology in Delhi, has co-published a series of papers over the > last six years outlining the attack vector, and claims a 100% ‘decloaking’ > success rate under laboratory conditions, and 81.4% in the actual wilds of the > Tor network. > > Chakravarty’s technique > [PDF] > involves introducing disturbances in the highly-regulated environs of Onion > Router protocols using a modified public Tor server running on Linux - hosted at > the time at Columbia University. 
His work on large-scale traffic analysis > attacks in the Tor environment has convinced him that a well-resourced > organisation could achieve an extremely high capacity to de-anonymise Tor > traffic on an ad hoc basis – but also that one would not necessarily need the > resources of a nation state to do so, stating that a single AS (Autonomous > System) could monitor more than 39% of randomly-generated Tor circuits. > > Chakravarty says: /“…it is not even essential to be a global adversary to launch > such traffic analysis attacks. A powerful, yet non- global adversary could use > traffic analysis methods […] to determine the various relays participating in a > Tor circuit and directly monitor the traffic entering the entry node of the > victim connection,”/ > > The technique depends on injecting a repeating traffic pattern – such as HTML > files, the same kind of traffic of which most Tor browsing consists – into the > TCP connection that it sees originating in the target exit node, and then > comparing the server’s exit traffic for the Tor clients, as derived from the > router’s flow records, to facilitate client identification. > > Tor is susceptible to this kind of traffic analysis because it was designed for > low-latency. Chakravarty explains: /“//To achieve acceptable quality of service, > [Tor attempts] to preserve packet interarrival characteristics, such as > inter-packet delay. Consequently, a powerful adversary can mount traffic > analysis attacks by observing similar traffic patterns at various points of the > network, linking together otherwise unrelated network connections.”/ > > The online section of the research involved identifying ‘victim’ clients in > Planetlab locations in Texas, Belgium and Greece, > and exercised a variety of techniques and configurations, some involving control > of entry and exit nodes, and others which achieved considerable success by only > controlling one end or the other. 
> > Traffic analysis of this kind does not involve the enormous expense and > infrastructural effort that the NSA put into their FoxAcid Tor redirects > , > but it benefits from running one or more high-bandwidth, high-performance, > high-uptime Tor relays. > > The forensic interest > in > quite how international cybercrime initiative ‘Operation Onymous’ defied Tor’s > obfuscating protocols to expose > hundreds > of ‘dark net’ sites, including infamous online drug warehouse Silk Road 2.0, has > led many to conclude that the core approach to deanonymisation of Tor clients > depends upon becoming a ‘relay of choice’ – and a default resource when > Tor-directed DDOS attacks put ‘amateur’ servers out of service > . I also recommend his PhD thesis: Sambuddho Chakravarty (2014) Traffic Analysis Attacks and Defenses in Low Latency Anonymous Communication http://www.cs.columbia.edu/~angelos/Papers/theses/sambuddho_thesis.pdf From odinn.cyberguerrilla at riseup.net Sat Nov 15 18:40:09 2014 From: odinn.cyberguerrilla at riseup.net (odinn) Date: Sun, 16 Nov 2014 02:40:09 +0000 Subject: Tor users can be de-anonymised by analysing router information In-Reply-To: <5467B704.9070107@riseup.net> References: <5467B704.9070107@riseup.net> Message-ID: <54680E89.1030007@riseup.net> In addition to Chakravarty's PhD thesis (recommended by Mirimir), I also humbly (and perhaps somewhat selfishly, too) provide, for the record, my recent comments which suggest that both user choice and warnings are apropos: https://github.com/OpenBazaar/OpenBazaar/issues/866#issuecomment-62577905 https://forum.unsystem.net/t/interoperability-and-trans-identical-identity-decentralization-proposals-thoughts-for-review/333/18 #torgate Respect, -O Mirimir: > On 11/15/2014 06:04 AM, Snehan Kekre wrote: >> Research undertaken between 2008 and 2014 suggests that more than >> 81% of Tor clients can be ‘de-anonymised’ – their originating IP >> addresses revealed – by 
exploiting the ‘Netflow’ >> >> technology that Cisco has built into its router protocols, and >> similar traffic analysis software running by default in the >> hardware of other manufacturers. >> >> Professor Sambuddho Chakravarty >> , a former >> researcher at Columbia University’s Network Security Lab >> and now researching Network >> Anonymity and Privacy at the Indraprastha Institute of >> Information Technology in Delhi, has co-published a series of >> papers over the last six years outlining the attack vector, and >> claims a 100% ‘decloaking’ success rate under laboratory >> conditions, and 81.4% in the actual wilds of the Tor network. >> >> Chakravarty’s technique >> >> [PDF] involves introducing disturbances in the highly-regulated >> environs of Onion Router protocols using a modified public Tor >> server running on Linux - hosted at the time at Columbia >> University. His work on large-scale traffic analysis attacks in >> the Tor environment has convinced him that a well-resourced >> organisation could achieve an extremely high capacity to >> de-anonymise Tor traffic on an ad hoc basis – but also that one >> would not necessarily need the resources of a nation state to do >> so, stating that a single AS (Autonomous System) could monitor >> more than 39% of randomly-generated Tor circuits. >> >> Chakravarty says: /“…it is not even essential to be a global >> adversary to launch such traffic analysis attacks. 
A powerful, >> yet non- global adversary could use traffic analysis methods […] >> to determine the various relays participating in a Tor circuit >> and directly monitor the traffic entering the entry node of the >> victim connection,”/ >> >> The technique depends on injecting a repeating traffic pattern – >> such as HTML files, the same kind of traffic of which most Tor >> browsing consists – into the TCP connection that it sees >> originating in the target exit node, and then comparing the >> server’s exit traffic for the Tor clients, as derived from the >> router’s flow records, to facilitate client identification. >> >> Tor is susceptible to this kind of traffic analysis because it >> was designed for low-latency. Chakravarty explains: /“//To >> achieve acceptable quality of service, [Tor attempts] to preserve >> packet interarrival characteristics, such as inter-packet delay. >> Consequently, a powerful adversary can mount traffic analysis >> attacks by observing similar traffic patterns at various points >> of the network, linking together otherwise unrelated network >> connections.”/ >> >> The online section of the research involved identifying ‘victim’ >> clients in Planetlab locations in >> Texas, Belgium and Greece, and exercised a variety of techniques >> and configurations, some involving control of entry and exit >> nodes, and others which achieved considerable success by only >> controlling one end or the other. >> >> Traffic analysis of this kind does not involve the enormous >> expense and infrastructural effort that the NSA put into their >> FoxAcid Tor redirects >> , >> but it benefits from running one or more high-bandwidth, >> high-performance, high-uptime Tor relays. 
>> >> The forensic interest >> >> in quite how international cybercrime initiative ‘Operation >> Onymous’ defied Tor’s obfuscating protocols to expose >> >> hundreds of ‘dark net’ sites, including infamous online drug >> warehouse Silk Road 2.0, has led many to conclude that the core >> approach to deanonymisation of Tor clients depends upon becoming >> a ‘relay of choice’ – and a default resource when Tor-directed >> DDOS attacks put ‘amateur’ servers out of service >> . > >> > I also recommend his PhD thesis: > > Sambuddho Chakravarty (2014) Traffic Analysis Attacks and Defenses > in Low Latency Anonymous Communication > http://www.cs.columbia.edu/~angelos/Papers/theses/sambuddho_thesis.pdf > > > -- http://abis.io ~ "a protocol concept to enable decentralization and expansion of a giving economy, and a new social good" https://keybase.io/odinn From jya at pipeline.com Sun Nov 16 08:22:54 2014 From: jya at pipeline.com (John Young) Date: Sun, 16 Nov 2014 11:22:54 -0500 Subject: Call for publication of all Snowden papers gets louder Message-ID: https://translate.google.com/translate?sl=auto&tl=en&js=y&prev=_t&hl=en&ie=UTF-8&u=http%3A%2F%2Fwww.heise.de%2Fnewsticker%2Fmeldung%2FRuf-nach-Veroeffentlichung-der-Snowden-Papiere-wird-lauter-2457781.html%3Fwt_mc%3Drss.ho.beitrag.atom&edit-text= EN: Call for publication of all Snowden papers gets louder The Amsterdam Media Professor Geert Lovink left no doubt that in his opinion the medium term, the entire treasure of the NSA Whistleblowers must be made and archived publicly. 
Such an approach has a very different range than the global 24-hour news machine. "Journalists want to make headlines and politics", was the founder of the Institute of Network Cultures. But it was important to think long-term. The Snowden-papers offer unique insight into a loud Lovink "information-military complex in the making": They showed roughly, "who are the actors and what technologies they use." In addition, they made different impact of monitoring on individual countries or regions significantly and who personally was affected as a group or society. Taken together, this was "for all investigative journalists around the world for decades interesting". DE: Call for publication of the Snowden papers grows louder The Amsterdam media professor Geert Lovink left no doubt that, in his opinion, the NSA whistleblower's entire trove must be made public and archived in the medium term. Such an approach, he said, has a quite different reach than the global 24-hour news machinery. "Journalists want to make headlines and politics," said the founder of the Institute of Network Cultures. But it is necessary to think longer-term. According to Lovink, the Snowden papers offer a unique insight into an "information-military complex in the making": they show, for example, "who the actors are and which technologies they use". Beyond that, they make clear the different effects of surveillance on individual countries or regions, and who is affected personally, as a group or as a society. Taken together, this is "of interest to all investigative journalists worldwide for decades". 
From juan.g71 at gmail.com Sun Nov 16 15:11:34 2014 From: juan.g71 at gmail.com (Juan) Date: Sun, 16 Nov 2014 20:11:34 -0300 Subject: Doing HTTPS everywhere in the .gov space In-Reply-To: <20141116183528.GA2620@sivokote.iziade.m$> References: <54664f95.c71f8c0a.15c5.ffffd528@mx.google.com> <20141116183528.GA2620@sivokote.iziade.m$> Message-ID: <54692ebb.502fe00a.5279.ffffcd6c@mx.google.com> On Sun, 16 Nov 2014 20:35:29 +0200 Georgi Guninski wrote: > On Fri, Nov 14, 2014 at 03:54:53PM -0300, Juan wrote: > > On Fri, 14 Nov 2014 11:13:41 -0500 > > Eric Mill wrote: > > > Hey, > > > > > > > > Is it possible for this mailing list to sink any lower? > > > > > > > > > > > > > > > > As a true optimist, i believe this list can sink till minus > infinity ;) that's the spirit! =) > > Though as a pessimist, counter-trolling against .gov, > doesn't appear a good sign for the list (probably just one > less puppet acc.) > > > From guninski at guninski.com Sun Nov 16 10:35:29 2014 From: guninski at guninski.com (Georgi Guninski) Date: Sun, 16 Nov 2014 20:35:29 +0200 Subject: Doing HTTPS everywhere in the .gov space In-Reply-To: <54664f95.c71f8c0a.15c5.ffffd528@mx.google.com> References: <54664f95.c71f8c0a.15c5.ffffd528@mx.google.com> Message-ID: <20141116183528.GA2620@sivokote.iziade.m$> On Fri, Nov 14, 2014 at 03:54:53PM -0300, Juan wrote: > On Fri, 14 Nov 2014 11:13:41 -0500 > Eric Mill wrote: > > Hey, > > > > Is it possible for this mailing list to sink any lower? > > > > > > > As a true optimist, i believe this list can sink till minus infinity ;) Though as a pessimist, counter-trolling against .gov, doesn't appear a good sign for the list (probably just one less puppet acc.) 
From rysiek at hackerspace.pl Sun Nov 16 13:55:19 2014 From: rysiek at hackerspace.pl (rysiek) Date: Sun, 16 Nov 2014 22:55:19 +0100 Subject: Doing HTTPS everywhere in the .gov space In-Reply-To: References: <54664f95.c71f8c0a.15c5.ffffd528@mx.google.com> Message-ID: <10119748.xvE1PQbfef@lapuntu> On Friday, 14 November 2014 20:43:43 Lodewijk andré de la porte wrote: > Governments doing a better job at government would be a great thing. > Technology is pretty much the alpha and omega of service nowadays. I think a > team of 80 has its work cut out for it! > > Regarding security, the NSA has your back (not mine, hah!) so don't worry > too much about it. > > (Also, 18f is more like a false and incomplete answer to "ASL?") 18f.gsa.gov seems a complete answer to me. ;) -- Regards rysiek From rysiek at hackerspace.pl Sun Nov 16 13:59:27 2014 From: rysiek at hackerspace.pl (rysiek) Date: Sun, 16 Nov 2014 22:59:27 +0100 Subject: Lantern: One Device, Free Data From Space Forever In-Reply-To: <1415985994.10475.2.camel@anglachel> References: <20141113085235.GR10467@leitl.org> <1415985994.10475.2.camel@anglachel> Message-ID: <2612270.3TpeH98IcB@lapuntu> On Friday, 14 November 2014 12:26:34 Ted Smith wrote: > It's "censorship-free" in the sense that a nation-state can't > effectively block their citizens from using Lantern. > > So, it's a censorship-free centralized distribution system, as opposed > to a censorship-proof decentralized publishing system like Freenet. Call it "for-the-time-being-supposedly-censorship-free", and I might agree. > And it's centralized, so as soon as the central authority (the > satellites) are compromised, the whole system is owned. Exactly. > IMO this is a neat first step -- it's not the whole way, but it's > getting there. 
Now we just need Freenet or similar on decentralized > microsats. This would be interesting, along with some mesh networks, the FFDN (and similar initiatives), and some free spectrum maybe. -- Regards rysiek From coderman at gmail.com Mon Nov 17 10:06:11 2014 From: coderman at gmail.com (coderman) Date: Mon, 17 Nov 2014 10:06:11 -0800 Subject: Fwd: [Dailydave] More info on SSLMAGEDON In-Reply-To: <546A1B76.2090204@immunityinc.com> References: <546A1B76.2090204@immunityinc.com> Message-ID: ---------- Forwarded message ---------- From: Dave Aitel Date: Mon, 17 Nov 2014 10:59:50 -0500 Subject: [Dailydave] More info on SSLMAGEDON Our friends at BeyondTrust have a page on the bug now: http://blog.beyondtrust.com/triggering-ms14-066 One thing I think people are missing is that this bug works by default on Windows 7 and above. You can force a client cert down Windows' throat, which triggers the vulnerability regardless of configuration settings. Of course, what you do next, is the fun part. Immunity's researchers are investigating many techniques, one of which is to attack the crypto variables directly. This may allow a Heartbleed-or-worse style exploitation without code execution at all... 
From grarpamp at gmail.com Mon Nov 17 10:10:51 2014 From: grarpamp at gmail.com (grarpamp) Date: Mon, 17 Nov 2014 13:10:51 -0500 Subject: G20: Bank deposits not money but paper investments, BTC, Cyprus Message-ID: http://www.reddit.com/r/Bitcoin/comments/2mk0bp/bank_deposits_will_soon_no_longer_be_considered/ From grarpamp at gmail.com Mon Nov 17 14:33:50 2014 From: grarpamp at gmail.com (grarpamp) Date: Mon, 17 Nov 2014 17:33:50 -0500 Subject: G20: Bank deposits not money but paper investments, BTC, Cyprus In-Reply-To: <20141117183650.GC3758@sivokote.iziade.m$> References: <20141117183650.GC3758@sivokote.iziade.m$> Message-ID: On Mon, Nov 17, 2014 at 1:36 PM, Georgi Guninski wrote: >> http://www.reddit.com/r/Bitcoin/comments/2mk0bp/bank_deposits_will_soon_no_longer_be_considered/ > > This appears as "New Order" to me. What, you mean like these? ... https://www.youtube.com/results?search_query=george+bush+new+world+order https://www.youtube.com/watch?v=w0yhHHPc7IU > Though is consistent with the conjectures here: > https://cpunks.org//pipermail/cypherpunks/2014-November/005954.html So US bigwigs become Chinese citizens, puppets, or tossed in the grinder? From guninski at guninski.com Mon Nov 17 09:27:32 2014 From: guninski at guninski.com (Georgi Guninski) Date: Mon, 17 Nov 2014 19:27:32 +0200 Subject: Doing HTTPS everywhere in the .gov space In-Reply-To: <10119748.xvE1PQbfef@lapuntu> References: <54664f95.c71f8c0a.15c5.ffffd528@mx.google.com> <10119748.xvE1PQbfef@lapuntu> Message-ID: <20141117172732.GA3758@sivokote.iziade.m$> On Sun, Nov 16, 2014 at 10:55:19PM +0100, rysiek wrote: > On Friday, 14 November 2014 20:43:43 Lodewijk andré de la porte wrote: > > Governments doing a better job at government would be a great thing. > > Technology is pretty much the alpha and omega of service nowadays. I think a > > team of 80 has its work cut out for it! > > > > Regarding security, the NSA has your back (not mine, hah!) so don't worry > > too much about it. 
> > > > (Also, 18f is more like a false and incomplete answer to "ASL?") > > 18f.gsa.gov seems a complete answer to me. ;) > lol ;) this might explain why so unusually many 18f ask me for light while smoking cigarettes ;) > -- > Regards > rysiek From guninski at guninski.com Mon Nov 17 09:59:01 2014 From: guninski at guninski.com (Georgi Guninski) Date: Mon, 17 Nov 2014 19:59:01 +0200 Subject: Doing HTTPS everywhere in the .gov space In-Reply-To: <54692ebb.502fe00a.5279.ffffcd6c@mx.google.com> References: <54664f95.c71f8c0a.15c5.ffffd528@mx.google.com> <20141116183528.GA2620@sivokote.iziade.m$> <54692ebb.502fe00a.5279.ffffcd6c@mx.google.com> Message-ID: <20141117175901.GB3758@sivokote.iziade.m$> On Sun, Nov 16, 2014 at 08:11:34PM -0300, Juan wrote: > On Sun, 16 Nov 2014 20:35:29 +0200 > Georgi Guninski wrote: > > > On Fri, Nov 14, 2014 at 03:54:53PM -0300, Juan wrote: > > > On Fri, 14 Nov 2014 11:13:41 -0500 > > > Eric Mill wrote: > > > > Hey, > > > > > > > > > > > > Is it possible for this mailing list to sink any lower? > > > > > > > > > > > > > > > > > > > > > > > > > As a true optimist, i believe this list can sink till minus > > infinity ;) > > that's the spirit! =) > well, i don't care much. few sinks don't hurt me much (there are a lot of whores). if i consider the list sinking, i will leave it and seek for a new one (i already left bugtraq and fyodor's FD). > > > > Though as a pessimist, counter-trolling against .gov, > > doesn't appear a good sign for the list (probably just one > > less puppet acc.) 
> > > > > > From coderman at gmail.com Mon Nov 17 20:07:25 2014 From: coderman at gmail.com (coderman) Date: Mon, 17 Nov 2014 20:07:25 -0800 Subject: Doing HTTPS everywhere in the .gov space In-Reply-To: <22847071.Ho2iyb9A7x@lapuntu> References: <54692ebb.502fe00a.5279.ffffcd6c@mx.google.com> <20141117175901.GB3758@sivokote.iziade.m$> <22847071.Ho2iyb9A7x@lapuntu> Message-ID: On 11/17/14, rysiek wrote: > On Monday, 17 November 2014 19:59:01 Georgi Guninski wrote: >> ... >> well, i don't care much. >> few sinks don't hurt me much (there are a lot of whores). >> if i consider the list sinking, i will leave it and seek for >> a new one (i already left bugtraq and fyodor's FD). > > Cool! Now we have a "list is sinking canary"! ;) you'll know it's over when i am moderated on cypherpunks. best regards, [ i can get behind an infinite mod delay on FD, but cpunks is sacred! ] From guninski at guninski.com Mon Nov 17 10:36:50 2014 From: guninski at guninski.com (Georgi Guninski) Date: Mon, 17 Nov 2014 20:36:50 +0200 Subject: G20: Bank deposits not money but paper investments, BTC, Cyprus In-Reply-To: References: Message-ID: <20141117183650.GC3758@sivokote.iziade.m$> On Mon, Nov 17, 2014 at 01:10:51PM -0500, grarpamp wrote: > http://www.reddit.com/r/Bitcoin/comments/2mk0bp/bank_deposits_will_soon_no_longer_be_considered/ This appears as "New Order" to me. 
Though is consistent with the conjectures here: https://cpunks.org//pipermail/cypherpunks/2014-November/005954.html From rysiek at hackerspace.pl Mon Nov 17 12:46:40 2014 From: rysiek at hackerspace.pl (rysiek) Date: Mon, 17 Nov 2014 21:46:40 +0100 Subject: Doing HTTPS everywhere in the .gov space In-Reply-To: <20141117175901.GB3758@sivokote.iziade.m$> References: <54692ebb.502fe00a.5279.ffffcd6c@mx.google.com> <20141117175901.GB3758@sivokote.iziade.m$> Message-ID: <22847071.Ho2iyb9A7x@lapuntu> On Monday, 17 November 2014 19:59:01 Georgi Guninski wrote: > On Sun, Nov 16, 2014 at 08:11:34PM -0300, Juan wrote: > > On Sun, 16 Nov 2014 20:35:29 +0200 > > > > Georgi Guninski wrote: > > > On Fri, Nov 14, 2014 at 03:54:53PM -0300, Juan wrote: > > > > On Fri, 14 Nov 2014 11:13:41 -0500 > > > > > > > > Eric Mill wrote: > > > > > Hey, > > > > > > > > Is it possible for this mailing list to sink any lower? > > > > > > As a true optimist, i believe this list can sink till minus > > > infinity ;) > > > > that's the spirit! =) > > well, i don't care much. > few sinks don't hurt me much (there are a lot of whores). > if i consider the list sinking, i will leave it and seek for > a new one (i already left bugtraq and fyodor's FD). Cool! Now we have a "list is sinking canary"! ;) -- Regards rysiek From juan.g71 at gmail.com Mon Nov 17 21:34:47 2014 From: juan.g71 at gmail.com (Juan) Date: Tue, 18 Nov 2014 02:34:47 -0300 Subject: Doing HTTPS everywhere in the .gov space In-Reply-To: References: <54664f95.c71f8c0a.15c5.ffffd528@mx.google.com> <5466676a.4642e00a.3752.ffffa39a@mx.google.com> Message-ID: <546ada0a.d4248c0a.02c6.1868@mx.google.com> On Tue, 18 Nov 2014 05:51:45 +0100 Lodewijk andré de la porte wrote: > Why are you always so mad, Juan? I'm not mad. 
I simply don't bother with fake politeness. > > On Nov 14, 2014 9:48 PM, "Juan" wrote: > > > > On Fri, 14 Nov 2014 20:43:43 +0100 > > Lodewijk andré de la porte wrote: > > > > > Governments doing a better job at government would be a great > > > thing. > > > > > > Not sure what you mean by that. As far as I'm concerned the > > only 'job' the government should be doing is disappearing from the > > face of the earth. > > Let's leave governance to the free market, the bigger the capitalist > the more righteous his decrees! That's not what free market governance stands for although some utilitarians may say stuff along those lines. > Market competition will enforce 100% > transparency, else people will visit the competition for it! In any > true free market economies of scale don't exist and competition is so > closely tied any offense will cause disappearance! Finance is totally > not already so unbalanced a free market cannot exist! > > I fiercely hate anyone telling me what to do or what to think. Well, if you do hate being controlled, I hope you're not supporting government(s)... > Vacuum > reality arguments essential to capitalism, and the ease at which > they're propagated, recently anger me about as much. > > We have true capitalism already Juan! Governments compete for > possession of the mind! 'true capitalism' requires unconditional respect for individual rights. Governments do not respect those rights at all so I'm not sure how you manage to equate criminal competition between criminal organizations (competing mafias or 'governments') with 'true capitalism'. Unless of course your argument is simply misrepresentation. > Ideologies live and die in an eternal struggle > for superior infectiousness! Violence, justice, law, massacre, > kindness, all these things are founded in an inherently "free market" > reality! > > The truth is we're closing on the endgame. The one true ideological > survivor. 
Some hybrid monster of many governments clustered into a > supergovernment that spans mankind and directs all that is. Well, that is a possibility and I imagine it's favored by a few people... > It's inevitable; economies of scale at work. Slowly all our > diversities will fade as we live in a completely artificially > equalized reality, no ability to compete due to immense scale. In > more ways than not, we're already there. > > My suggestion is to welcome our new robotic overlords. Or, steer the > vehicle instead of denying you're in it. Just deal with it somehow. What did I deny? > > Maybe we can create such an overgovernment that all our desired > freedoms and abilities are present in the future (unlike today!). So you are just another government advocate? And a world wide government to boot? > > > The motherfucking nazis from the US government > > use 'https'! That's so important! So relevant to the sort of > > values cypherpunks supposedly stand for. > > > > lol > > What are you badmouthing nazis for? Easy on the US cool-aid, mate. > > > Not sure what you mean by that, but I'm not a subject of > > the US nazi state. Unless by 'has my back' you mean they are > > likely to shoot me from behind... > > http://vimeo.com/m/8991951 I knew that song. It's pretty good. I remember reading a random forum with some americans discussing it, and some saying that although the song might be satire, it was also praise for american 'culture' - oh well... > > I meant USGOV protects USGOV. (Although not USGOV employees per se...) > Cybersecurity wise USGOV probably doesn't/hardly need HTTPS, > depending on the abilities of adversaries. Of course. US govt using https in their stupid propaganda websites is irrelevant. What is weird is that some US govt employee bothered to advertise it here. Is he clueless? Was he trolling?
From l at odewijk.nl Mon Nov 17 20:51:45 2014 From: l at odewijk.nl (=?UTF-8?Q?Lodewijk_andr=C3=A9_de_la_porte?=) Date: Tue, 18 Nov 2014 05:51:45 +0100 Subject: Doing HTTPS everywhere in the .gov space In-Reply-To: <5466676a.4642e00a.3752.ffffa39a@mx.google.com> References: <54664f95.c71f8c0a.15c5.ffffd528@mx.google.com> <5466676a.4642e00a.3752.ffffa39a@mx.google.com> Message-ID:
Why are you always so mad, Juan? On Nov 14, 2014 9:48 PM, "Juan" wrote: > > On Fri, 14 Nov 2014 20:43:43 +0100 > Lodewijk andré de la porte wrote: > > > Governments doing a better job at government would be a great thing. > > > Not sure what you mean by that. As far as I'm concerned the only > 'job' the government should be doing is disappearing from the > face of the earth. Let's leave governance to the free market, the bigger the capitalist the more righteous his decrees! Market competition will enforce 100% transparency, else people will visit the competition for it! In any true free market economies of scale don't exist and competition is so closely tied any offense will cause disappearance! Finance is totally not already so unbalanced a free market cannot exist! I fiercely hate anyone telling me what to do or what to think. Vacuum reality arguments essential to capitalism, and the ease at which they're propagated, recently anger me about as much. We have true capitalism already Juan! Governments compete for possession of the mind! Ideologies live and die in an eternal struggle for superior infectiousness! Violence, justice, law, massacre, kindness, all these things are founded in an inherently "free market" reality! The truth is we're closing on the endgame. The one true ideological survivor. Some hybrid monster of many governments clustered into a supergovernment that spans mankind and directs all that is. It's inevitable; economies of scale at work. Slowly all our diversities will fade as we live in a completely artificially equalized reality, no ability to compete due to immense scale.
In more ways than not, we're already there. My suggestion is to welcome our new robotic overlords. Or, steer the vehicle instead of denying you're in it. Just deal with it somehow. Maybe we can create such an overgovernment that all our desired freedoms and abilities are present in the future (unlike today!). > The motherfucking nazis from the US government > use 'https'! That's so important! So relevant to the sort of > values cypherpunks supposedly stand for. > > lol What are you badmouthing nazis for? Easy on the US cool-aid, mate. > Not sure what you mean by that, but I'm not a subject of > the US nazi state. Unless by 'has my back' you mean they are > likely to shoot me from behind... http://vimeo.com/m/8991951 I meant USGOV protects USGOV. (Although not USGOV employees per se...) Cybersecurity wise USGOV probably doesn't/hardly need HTTPS, depending on the abilities of adversaries.
From rysiek at hackerspace.pl Tue Nov 18 01:20:31 2014 From: rysiek at hackerspace.pl (rysiek) Date: Tue, 18 Nov 2014 10:20:31 +0100 Subject: Doing HTTPS everywhere in the .gov space In-Reply-To: <546ada0a.d4248c0a.02c6.1868@mx.google.com> References: <546ada0a.d4248c0a.02c6.1868@mx.google.com> Message-ID: <1880110.u2gcy3O0eV@lapuntu>
On Tuesday, 18 November 2014 02:34:47 Juan wrote: > On Tue, 18 Nov 2014 05:51:45 +0100 > > Lodewijk andré de la porte wrote: > > Why are you always so mad, Juan? > > I'm not mad. I simply don't bother with fake politeness. Why bother with writing at all? :) -- Regards rysiek
From eric at konklone.com Tue Nov 18 11:23:10 2014 From: eric at konklone.com (Eric Mill) Date: Tue, 18 Nov 2014 14:23:10 -0500 Subject: Doing HTTPS everywhere in the .gov space In-Reply-To: <546ada0a.d4248c0a.02c6.1868@mx.google.com> References: <54664f95.c71f8c0a.15c5.ffffd528@mx.google.com> <5466676a.4642e00a.3752.ffffa39a@mx.google.com> <546ada0a.d4248c0a.02c6.1868@mx.google.com> Message-ID:
> > > I meant USGOV protects USGOV. (Although not USGOV employees per se...) > > Cybersecurity wise USGOV probably doesn't/hardly need HTTPS, > > depending on the abilities of adversaries. > > Of course. US govt using https in their stupid propaganda > websites is irrelevant. What is weird is that some US govt > employee bothered to advertise it here. Is he clueless? > Was he trolling? > I wasn't trolling. I've been a member of this list, and paying close attention to the field, since well before I joined the US government (which happened back in May). Before this, I worked for 5 years at a relatively adversarial non-profit group focused on government transparency, called the Sunlight Foundation. I also did personal work on furthering encryption and drawing attention to government surveillance: https://konklone.com/post/switch-to-https-now-for-free https://konklone.com/post/the-door-to-the-fisa-court https://twitter.com/fisacourt I still work on them, and stuff like it, in my personal capacity. I'm on the record in all kinds of places, in my personal capacity, supporting what Edward Snowden did and pushing for technical changes and policy reform to curtail surveillance. I completely expect (and find welcome and appropriate) high levels of skepticism for anything the US government does. All I can tell you is where I'm coming from, and the actions my team is taking. In my government capacity, when https://letsencrypt.org is operational next year, I hope to get as many .gov domains to use their certificates as I can.
-- Eric -- konklone.com | @konklone
From william at tuffbizz.com Tue Nov 18 12:47:29 2014 From: william at tuffbizz.com (William Woodruff) Date: Tue, 18 Nov 2014 15:47:29 -0500 Subject: Doing HTTPS everywhere in the .gov space In-Reply-To: References: <54664f95.c71f8c0a.15c5.ffffd528@mx.google.com> <5466676a.4642e00a.3752.ffffa39a@mx.google.com> <546ada0a.d4248c0a.02c6.1868@mx.google.com> Message-ID: <546BB061.9070204@tuffbizz.com>
I, for one, think that security of any sort is a great improvement. There are plenty of reasons to be suspicious when handing data over to the government, but you might as well be guaranteed your privacy/security *while* doing it. William On 11/18/2014 02:23 PM, Eric Mill wrote: >> I meant USGOV protects USGOV. (Although not USGOV employees per >> se...) Cybersecurity wise USGOV probably doesn't/hardly need >> HTTPS, depending on the abilities of adversaries. > > Of course. US govt using https in their stupid propaganda websites > is irrelevant. What is weird is that some US govt employee bothered > to advertise it here. Is he clueless? Was he trolling? > > > I wasn't trolling. I've been a member of this list, and paying > close attention to the field, since well before I joined the US > government (which happened back in May). > > Before this, I worked for 5 years at a relatively adversarial > non-profit group focused on government transparency, called the > Sunlight Foundation. > > I also did personal work on furthering encryption and drawing > attention to government surveillance: > > https://konklone.com/post/switch-to-https-now-for-free > https://konklone.com/post/the-door-to-the-fisa-court > https://twitter.com/fisacourt > > I still work on them, and stuff like it, in my personal capacity.
> I'm on the record in all kinds of places, in my personal capacity, > supporting what Edward Snowden did and pushing for technical > changes and policy reform to curtail surveillance. > > I completely expect (and find welcome and appropriate) high levels > of skepticism for anything the US government does. All I can tell > you is where I'm coming from, and the actions my team is taking. > > In my government capacity, when https://letsencrypt.org is > operational next year, I hope to get as many .gov domains to use > their certificates as I can. > > -- Eric > > > > -- konklone.com | @konklone >
From juan.g71 at gmail.com Tue Nov 18 16:53:00 2014 From: juan.g71 at gmail.com (Juan) Date: Tue, 18 Nov 2014 21:53:00 -0300 Subject: Doing HTTPS everywhere in the .gov space In-Reply-To: References: <54664f95.c71f8c0a.15c5.ffffd528@mx.google.com> <5466676a.4642e00a.3752.ffffa39a@mx.google.com> <546ada0a.d4248c0a.02c6.1868@mx.google.com> Message-ID: <546be982.c462e00a.58e2.0db8@mx.google.com>
Thanks for the update Eric. On Tue, 18 Nov 2014 14:23:10 -0500 Eric Mill wrote: > > I wasn't trolling. I've been a member of this list, and paying close > attention to the field, since well before I joined the US government > (which happened back in May). > > Before this, I worked for 5 years at a relatively adversarial > non-profit group focused on government transparency, called the > Sunlight Foundation.
> > I also did personal work on furthering encryption and drawing > attention to government surveillance: > > https://konklone.com/post/switch-to-https-now-for-free > https://konklone.com/post/the-door-to-the-fisa-court > https://twitter.com/fisacourt > > I still work on them, and stuff like it, in my personal capacity. I'm > on the record in all kinds of places, in my personal capacity, > supporting what Edward Snowden did and pushing for technical changes > and policy reform to curtail surveillance. > > I completely expect (and find welcome and appropriate) high levels of > skepticism for anything the US government does. All I can tell you is > where I'm coming from, and the actions my team is taking. > > In my government capacity, when https://letsencrypt.org is > operational next year, I hope to get as many .gov domains to use > their certificates as I can. > > -- Eric > > >
From rysiek at hackerspace.pl Tue Nov 18 15:24:59 2014 From: rysiek at hackerspace.pl (rysiek) Date: Wed, 19 Nov 2014 00:24:59 +0100 Subject: Doing HTTPS everywhere in the .gov space In-Reply-To: References: <546ada0a.d4248c0a.02c6.1868@mx.google.com> Message-ID: <1519029.afl6NSM4FS@lapuntu>
On Tuesday, 18 November 2014 14:23:10 Eric Mill wrote: > > > I meant USGOV protects USGOV. (Although not USGOV employees per se...) > > > Cybersecurity wise USGOV probably doesn't/hardly need HTTPS, > > > depending on the abilities of adversaries. > > > > > Of course. US govt using https in their stupid propaganda > > websites is irrelevant. What is weird is that some US govt > > employee bothered to advertise it here. Is he clueless? > > Was he trolling? > > I wasn't trolling. I've been a member of this list, and paying close > attention to the field, since well before I joined the US government (which > happened back in May). > > Before this, I worked for 5 years at a relatively adversarial non-profit > group focused on government transparency, called the Sunlight Foundation. Oh my.
Now get ready for the trolls doing reverse-jumping-to-conclusions that Sunlight Foundation must be a USGOV front. Anywhoo, thanks for sharing, and keep up the good work. I subscribe to the idea that if something brings more encryption to the open web, it's a good idea. -- Regards rysiek
From rysiek at hackerspace.pl Tue Nov 18 15:35:53 2014 From: rysiek at hackerspace.pl (rysiek) Date: Wed, 19 Nov 2014 00:35:53 +0100 Subject: WhisperSystems + WhatsApp Message-ID: <2429476.9jgn6LQJC8@lapuntu>
Well, I didn't see THAT coming: https://whispersystems.org/blog/whatsapp/ -- Regards rysiek
From eric at konklone.com Tue Nov 18 22:25:42 2014 From: eric at konklone.com (Eric Mill) Date: Wed, 19 Nov 2014 01:25:42 -0500 Subject: WhisperSystems + WhatsApp In-Reply-To: <2429476.9jgn6LQJC8@lapuntu> References: <2429476.9jgn6LQJC8@lapuntu> Message-ID:
This was honestly just about as exciting as the new EFF/Mozilla/Akamai/etc CA. Strong encryption with no UX degradation, for *so* many people, and the post certainly indicates it'll be going into the rest of WhatsApp's native applications. I'm sure this fed into improvements into the TextSecure protocol, and that the PR will help WhisperSystems obtain more partnerships like this. A great day for the TS project. On Tue, Nov 18, 2014 at 6:35 PM, rysiek wrote: > Well, > > I didn't see THAT coming: > https://whispersystems.org/blog/whatsapp/ > > -- > Regards > rysiek -- konklone.com | @konklone
From contact at subrosa.io Wed Nov 19 04:05:48 2014 From: contact at subrosa.io (Subrosa.io) Date: Wed, 19 Nov 2014 04:05:48 -0800 Subject: WhisperSystems + WhatsApp In-Reply-To: References: Message-ID: <149c7f08e26.bca1698d219617.5960259610670712782@subrosa.io>
4. How is the key stored on the user's device? Is it backed up by Android's Sync to Google's servers, or backed up by iCloud to Apple's servers? 5. Even if there is no backdoor right now, an automatic update can easily sneak in a "key escrow". WhatsApp's "end to end encryption" is voodoo. You cannot expect security from closed source code, certainly not automatically updating closed source code. ---- On Wed, 19 Nov 2014 09:46:50 +0100 wrote ---- >Date: Wed, 19 Nov 2014 09:46:50 +0100 >From: Marco Pozzato >To: Eric Mill >Cc: cypherpunks >Subject: Re: WhisperSystems + WhatsApp >Message-ID: > >Content-Type: text/plain; charset="utf-8" > >WhisperSystems designed good protocols, but I am afraid that Moxie was too >anxious to release this info and hit ENTER key too early :-) > >I am quite skeptical about the actual value from the security point of this >press release. > >WhisperSystems reports about end-to-end encryption, that means, I encrypt >my message with an encryption key that only you or both of us know. > > 1. How can we negotiate that key? Users are not involved, but everything > happens automatically, under the hood, between two whatsapp clients. How? > they negotiate the encryption keys through whatsapp servers: is it my own > key or the NSA one? are they leaking the key to Facebook? > 2. We do need to authenticate the identity, eg: via QR code, > fingerprint, spell it loudly on the phone, etc.., which reduces usability, > especially for mass market. > 3.
Last but not least: even if we authenticated identities and keys, how > can we be sure that whatsapp client is really using the authenticated keys > and not the NSA keys, maybe only on a white list of suspected mobile phone > numbers? above all, they provide a proprietary and closed source app > >The security model is faulted, at the root level: > > - If I subscribe to a security service - such as messaging -, the > service provider is untrusted by default. I need total transparency -> > every single components in the architecture should be auditable and open > source > - If mobile app is closed source, I can trust only the infrastructure > that should be under my full control, to be sure that no information leak > outside infrastructure is ever possible. > > >My 2 cents > >Marco
From cathalgarvey at cathalgarvey.me Wed Nov 19 01:18:10 2014 From: cathalgarvey at cathalgarvey.me (Cathal (Phone)) Date: Wed, 19 Nov 2014 09:18:10 +0000 Subject: WhisperSystems + WhatsApp In-Reply-To: References: <2429476.9jgn6LQJC8@lapuntu> Message-ID: <9AF6C350-E5C5-4753-BEDF-AA106E3B4321@cathalgarvey.me>
Eh, easier than that. Keys generated end to end by the book, then code in the closed source spyware app just lifts them and posts to FB. Open protocols in closed apps are meaningless. On 19 November 2014 08:46:50 GMT+00:00, Marco Pozzato wrote: >WhisperSystems designed good protocols, but I am afraid that Moxie was >too >anxious to release this info and hit ENTER key too early :-) > >I am quite skeptical about the actual value from the security point of >this >press release. > >WhisperSystems reports about end-to-end encryption, that means, I >encrypt >my message with an encryption key that only you or both of us know. > >1. How can we negotiate that key? Users are not involved, but >everything >happens automatically, under the hood, between two whatsapp clients. >How? >they negotiate the encryption keys through whatsapp servers: is it my >own > key or the NSA one?
are they leaking the key to Facebook? > 2. We do need to authenticate the identity, eg: via QR code, >fingerprint, spell it loudly on the phone, etc.., which reduces >usability, > especially for mass market. >3. Last but not least: even if we authenticated identities and keys, >how >can we be sure that whatsapp client is really using the authenticated >keys >and not the NSA keys, maybe only on a white list of suspected mobile >phone > numbers? above all, they provide a proprietary and closed source app > >The security model is faulted, at the root level: > > - If I subscribe to a security service - such as messaging -, the > service provider is untrusted by default. I need total transparency -> >every single components in the architecture should be auditable and >open > source > - If mobile app is closed source, I can trust only the infrastructure >that should be under my full control, to be sure that no information >leak > outside infrastructure is ever possible. > > >My 2 cents > >Marco > >2014-11-19 7:25 GMT+01:00 Eric Mill : > >> This was honestly just about as exciting as the new >EFF/Mozilla/Akamai/etc >> CA. Strong encryption with no UX degradation, for *so* many people, >and the >> post certainly indicates it'll be going into the rest of WhatsApp's >native >> applications. >> >> I'm sure this fed into improvements into the TextSecure protocol, and >that >> the PR will help WhisperSystems obtain more partnerships like this. A >great >> day for the TS project. >> >> On Tue, Nov 18, 2014 at 6:35 PM, rysiek >wrote: >> >>> Well, >>> >>> I didn't see THAT coming: >>> https://whispersystems.org/blog/whatsapp/ >>> >>> -- >>> Regards >>> rysiek >> >> >> >> >> -- >> konklone.com | @konklone >> -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
From cathalgarvey at cathalgarvey.me Wed Nov 19 01:28:50 2014 From: cathalgarvey at cathalgarvey.me (Cathal (Phone)) Date: Wed, 19 Nov 2014 09:28:50 +0000 Subject: Whatsapp open source In-Reply-To: References: Message-ID: <596A5B13-D960-4A9D-80EA-3893EE85D7DB@cathalgarvey.me>
ah, now that actually means something, then. If WhatsApp's client is auditable then it's great news. Otherwise, no matter what convolutions the trustworthy *part* of the code undergoes to ensure end-to-end, the rest can just clone the keys and post home. On 19 November 2014 09:15:04 GMT+00:00, Marco Pozzato wrote: >I just double checked: > > - twitter: moxie wrote "it's the same code" > - github: GPL3 license > >That means that Whatsapp is going to open source their app: this is >awesome! > >Marco -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
From cathalgarvey at cathalgarvey.me Wed Nov 19 01:31:49 2014 From: cathalgarvey at cathalgarvey.me (Cathal (Phone)) Date: Wed, 19 Nov 2014 09:31:49 +0000 Subject: Whatsapp open source In-Reply-To: References: Message-ID: <09855D1E-F907-4BC6-B106-EA6562B0896B@cathalgarvey.me>
Though bear in mind that if Moxie had all code contributors assign copyright to him, then he has the right to waive the GPL when using that code with closed partners. Only if contributors keep their rights and publish in GPL do you iron-clad the GPL into the codebase, because now to sidestep your commitment to freedom you must go back and re-implement all the code whose copyright belongs to a contributor. So, GPL or no, there is scope for Moxie to renege and offer alternate licensing on OWS code to WhatsApp, but only if contributor code is either excised or copyright transferred.
On 19 November 2014 09:15:04 GMT+00:00, Marco Pozzato wrote: >I just double checked: > > - twitter: moxie wrote "it's the same code" > - github: GPL3 license > >That means that Whatsapp is going to open source their app: this is >awesome! > >Marco -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
From mpodroid at gmail.com Wed Nov 19 00:46:50 2014 From: mpodroid at gmail.com (Marco Pozzato) Date: Wed, 19 Nov 2014 09:46:50 +0100 Subject: WhisperSystems + WhatsApp In-Reply-To: References: <2429476.9jgn6LQJC8@lapuntu> Message-ID:
WhisperSystems designed good protocols, but I am afraid that Moxie was too anxious to release this info and hit ENTER key too early :-) I am quite skeptical about the actual value from the security point of this press release. WhisperSystems reports about end-to-end encryption, that means, I encrypt my message with an encryption key that only you or both of us know. 1. How can we negotiate that key? Users are not involved, but everything happens automatically, under the hood, between two whatsapp clients. How? they negotiate the encryption keys through whatsapp servers: is it my own key or the NSA one? are they leaking the key to Facebook? 2. We do need to authenticate the identity, eg: via QR code, fingerprint, spell it loudly on the phone, etc.., which reduces usability, especially for mass market. 3. Last but not least: even if we authenticated identities and keys, how can we be sure that whatsapp client is really using the authenticated keys and not the NSA keys, maybe only on a white list of suspected mobile phone numbers? above all, they provide a proprietary and closed source app The security model is faulted, at the root level: - If I subscribe to a security service - such as messaging -, the service provider is untrusted by default.
I need total transparency -> every single components in the architecture should be auditable and open source - If mobile app is closed source, I can trust only the infrastructure that should be under my full control, to be sure that no information leak outside infrastructure is ever possible. My 2 cents Marco 2014-11-19 7:25 GMT+01:00 Eric Mill : > This was honestly just about as exciting as the new EFF/Mozilla/Akamai/etc > CA. Strong encryption with no UX degradation, for *so* many people, and the > post certainly indicates it'll be going into the rest of WhatsApp's native > applications. > > I'm sure this fed into improvements into the TextSecure protocol, and that > the PR will help WhisperSystems obtain more partnerships like this. A great > day for the TS project. > > On Tue, Nov 18, 2014 at 6:35 PM, rysiek wrote: > >> Well, >> >> I didn't see THAT coming: >> https://whispersystems.org/blog/whatsapp/ >> >> -- >> Regards >> rysiek > > > > > -- > konklone.com | @konklone >
From cathalgarvey at cathalgarvey.me Wed Nov 19 01:49:53 2014 From: cathalgarvey at cathalgarvey.me (Cathal (Phone)) Date: Wed, 19 Nov 2014 09:49:53 +0000 Subject: Whatsapp open source In-Reply-To: References: Message-ID:
So their is a CLA? Forget end to end security, then. On 19 November 2014 09:35:35 GMT+00:00, CodesInChaos wrote: >The copyright holder can always dual-license it. In the case of text >secure it's a bit more complicated, but still the CLA allows OWS to >dual-license the code. So I wouldn't expect anything. -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
From cathalgarvey at cathalgarvey.me Wed Nov 19 02:08:32 2014 From: cathalgarvey at cathalgarvey.me (Cathal (Phone)) Date: Wed, 19 Nov 2014 10:08:32 +0000 Subject: Whatsapp open source In-Reply-To: References: Message-ID: <204F9EDD-21C1-4207-BB35-C6ABD1AE7128@cathalgarvey.me>
(Goddammit typos, I'm not actually illiterate I promise) On 19 November 2014 09:49:53 GMT+00:00, "Cathal (Phone)" wrote: >So their is a CLA? Forget end to end security, then. > >On 19 November 2014 09:35:35 GMT+00:00, CodesInChaos > wrote: >>The copyright holder can always dual-license it. In the case of text >>secure it's a bit more complicated, but still the CLA allows OWS to >>dual-license the code. So I wouldn't expect anything. > >-- >Sent from my Android device with K-9 Mail. Please excuse my brevity. -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
From mpodroid at gmail.com Wed Nov 19 01:15:04 2014 From: mpodroid at gmail.com (Marco Pozzato) Date: Wed, 19 Nov 2014 10:15:04 +0100 Subject: Whatsapp open source Message-ID:
I just double checked: - twitter: moxie wrote "it's the same code" - github: GPL3 license That means that Whatsapp is going to open source their app: this is awesome! Marco
From cathalgarvey at cathalgarvey.me Wed Nov 19 02:19:58 2014 From: cathalgarvey at cathalgarvey.me (Cathal (Phone)) Date: Wed, 19 Nov 2014 10:19:58 +0000 Subject: Whatsapp open source In-Reply-To: <546C6BB6.3070806@fsfe.org> References: <546C6BB6.3070806@fsfe.org> Message-ID: <484E2862-44E8-49EA-9157-3A6C3D379DF0@cathalgarvey.me>
"This license is for your protection as a Contributor" What a load of shite. Here, have my copyright. I'm safer without it, I could slip on it or something. On 19 November 2014 10:06:46 GMT+00:00, Nikos Roussos wrote: >On 11/19/2014 11:15 AM, Marco Pozzato wrote: >> I just double checked: >> >> * twitter: moxie wrote "it's the same code" >> * github: GPL3 license >> >> That means that Whatsapp is going to open source their app: this is >awesome! > >Probably not. > >Open Whispers has the right to dual license the code to any >OSI-approved >license (eg. BSD) for a 3rd party. >https://whispersystems.org/cla/ -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
From codesinchaos at gmail.com Wed Nov 19 01:35:35 2014 From: codesinchaos at gmail.com (CodesInChaos) Date: Wed, 19 Nov 2014 10:35:35 +0100 Subject: Whatsapp open source In-Reply-To: References: Message-ID:
The copyright holder can always dual-license it. In the case of text secure it's a bit more complicated, but still the CLA allows OWS to dual-license the code. So I wouldn't expect anything.
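[Added example, not part of any list message and not WhisperSystems or WhatsApp code: a toy model of points 1 and 2 in Marco Pozzato's message in the "WhisperSystems + WhatsApp" thread, showing that keys handed out by a server can be silently replaced and that comparing key fingerprints out of band detects it. The class names, the toy Diffie-Hellman parameters and the fingerprint format are assumptions made for illustration; this is not the TextSecure protocol. It does not address point 3, a client that ignores the verified key.]

```python
"""Toy server-mediated key exchange with out-of-band fingerprint checks.

Constructed illustration only: plain Diffie-Hellman over a prime field,
not the TextSecure protocol and not production cryptography.
"""
import hashlib
import secrets

P = 2**255 - 19   # a well-known prime, used here only as a toy DH modulus
G = 2             # toy base


def fingerprint(pub):
    """Short, human-comparable digest of a public key (hypothetical format)."""
    digest = hashlib.sha256(pub.to_bytes(32, "big")).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))


class Client:
    def __init__(self, name):
        self.name = name
        self._priv = secrets.randbelow(P - 3) + 2
        self.pub = pow(G, self._priv, P)
        self.peer_pub = None

    def fetch_peer_key(self, server, peer_name):
        # The user never sees this step: the app asks the server for the key.
        self.peer_pub = server.lookup(peer_name)

    def session_key(self):
        shared = pow(self.peer_pub, self._priv, P)
        return hashlib.sha256(shared.to_bytes(32, "big")).digest()

    def own_fingerprint(self):
        """What this user reads aloud or shows as a QR code."""
        return fingerprint(self.pub)

    def peer_fingerprint_seen(self):
        """Fingerprint of the key the server claimed belongs to the peer."""
        return fingerprint(self.peer_pub)


class KeyServer:
    """Honest directory: returns exactly the key each client registered."""

    def __init__(self):
        self._directory = {}

    def register(self, client):
        self._directory[client.name] = client.pub

    def lookup(self, name):
        return self._directory[name]

    def derive(self, name):
        return None  # an honest server holds no private key of its own


class SubstitutingKeyServer(KeyServer):
    """Directory that answers every lookup with a key it controls."""

    def __init__(self):
        super().__init__()
        self._own = Client("server")

    def lookup(self, name):
        return self._own.pub

    def derive(self, name):
        # With its own private key the server computes the victim's session key.
        self._own.peer_pub = self._directory[name]
        return self._own.session_key()


def run_exchange(server):
    """Run one Alice/Bob exchange and report what each check shows."""
    alice, bob = Client("alice"), Client("bob")
    server.register(alice)
    server.register(bob)
    alice.fetch_peer_key(server, "bob")
    bob.fetch_peer_key(server, "alice")
    return {
        "keys_agree": alice.session_key() == bob.session_key(),
        # Out-of-band step: each side compares the fingerprint it was given
        # with the one the other person reports for their own key.
        "alice_verifies_bob": alice.peer_fingerprint_seen() == bob.own_fingerprint(),
        "bob_verifies_alice": bob.peer_fingerprint_seen() == alice.own_fingerprint(),
        "server_knows_alice_key": server.derive("alice") == alice.session_key(),
    }


if __name__ == "__main__":
    for srv in (KeyServer(), SubstitutingKeyServer()):
        print(type(srv).__name__, run_exchange(srv))
```

[With the substituting server both clients still complete the exchange without any visible error; only the fingerprint comparison fails.]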
From comzeradd at fsfe.org Wed Nov 19 02:06:46 2014 From: comzeradd at fsfe.org (Nikos Roussos) Date: Wed, 19 Nov 2014 12:06:46 +0200 Subject: Whatsapp open source In-Reply-To: References: Message-ID: <546C6BB6.3070806@fsfe.org>
On 11/19/2014 11:15 AM, Marco Pozzato wrote: > I just double checked: > > * twitter: moxie wrote "it's the same code" > * github: GPL3 license > > That means that Whatsapp is going to open source their app: this is awesome! Probably not. Open Whispers has the right to dual license the code to any OSI-approved license (eg. BSD) for a 3rd party. https://whispersystems.org/cla/
From adi at hexapodia.org Wed Nov 19 13:35:33 2014 From: adi at hexapodia.org (Andy Isaacson) Date: Wed, 19 Nov 2014 13:35:33 -0800 Subject: WhisperSystems + WhatsApp In-Reply-To: <9AF6C350-E5C5-4753-BEDF-AA106E3B4321@cathalgarvey.me> References: <2429476.9jgn6LQJC8@lapuntu> <9AF6C350-E5C5-4753-BEDF-AA106E3B4321@cathalgarvey.me> Message-ID: <20141119213533.GE5226@hexapodia.org>
On Wed, Nov 19, 2014 at 09:18:10AM +0000, Cathal (Phone) wrote: > Eh, easier than that. Keys generated end to end by the book, then code > in the closed source spyware app just lifts them and posts to FB. > > Open protocols in closed apps are meaningless. Not meaningless, although of course open source would be preferable from a trustability standpoint. I've got the executable code for the proprietary WhatsApp apk installed on my phone, and can reverse engineer it if I so choose. (I'm running CM11 so extracting the APKs is fairly straightforward.) I also have automatic app updates turned off, so I know when the code is supposed to change. Of course it would be Best (TM) if everyone could use a completely free operating system and had complete freedom to inspect all the code we depend on.
But given the world we live in, 600M users with access to E2E encrypted messaging is better than 600M users without such access. -andy From grarpamp at gmail.com Wed Nov 19 11:25:37 2014 From: grarpamp at gmail.com (grarpamp) Date: Wed, 19 Nov 2014 14:25:37 -0500 Subject: [Cryptography] STARTTLS, was IAB Statement on Internet Confidentiality In-Reply-To: <201411190429.sAJ4TbCl011736@new.toad.com> References: <20141119005010.4209.qmail@ary.lan> <201411190429.sAJ4TbCl011736@new.toad.com> Message-ID: On Tue, Nov 18, 2014 at 11:29 PM, John Gilmore wrote: > Censorship of customer communications is always a "best practice" > according to some people. Blocking communications based on the port > number in use? Today some people on this list tried to tell me that 'Port 25 is SMTP'. That's funny because I use it for SSH. > That seems to many people to be heinous, > "picking winners and losers", discriminating against > traffic based on what the endpoint services are, etc. Wasn't > Network Neutrality supposed to outlaw all such discrimination? Yes it was. > Or, is it a catchphrase for "only the politically correct people > are allowed to censor or discriminate against traffic"? It's doublespeak now, said political promises vanish once elected. If the discriminators get their way you better hope you have real estate in the Balkans. > The fact that some ISPs covertly built that censorship into a > supposedly transparent network must be why I never get any spam these > days. But it doesn't matter to zealots whether their methods actually > work or not. They're mad at spammers, and "Hulk smash" is their main > response. Reason, principle, protocols, and respect all went out the > window. > > Anti-spammers have done far more damage to the Internet than spammers. > Now they are claiming that we can't be permitted to encrypt our > Internet connections because then their censorship scheme would stop > working? Yes they are. 
You better encrypt the net now before they're able to inject that power twist into arguments of political arms.

> I don't see any spammers claiming that end users should not
> be permitted to encrypt their emails nor any other traffic. To take
> the privacy of our communications into our own hands, it is the
> anti-spammers who stand in our way, not the spammers.

Just like AdBlockPlus, users' mail clients should be shipped and extensible with simple local filtering spam/virus/malware processing engines. Users, having no such simple plugin tools available to them in early days, complained of spam which drove provider/anti filtering more than providers' separate ability to handle the traffic load did. All the anti position did for providers was shift their cost from disk spool storing it to cpu rejecting it. And users got censorship tools developed and deployed against them in return. Failure! Users need to do their own filtering and encrypt now.

>> Here, for example, is a
>> recommendation on the topic that MAAWG published in 2005:
>>
>> https://www.maawg.org/sites/maawg/files/news/MAAWG_Port25rec0511.pdf
>
> Exactly -- an anti-spammer group, the "Messaging, Malware and Mobile
> Anti-Abuse Working Group", MAAWG. Hmm, there seem to be more M's in
> there than in their domain name. Perhaps once they started advocating
> censorship for one reason ("Messaging"), they found all sorts of
> other reasons for it, too. When you have a censorship hammer, every
> problem looks like a need for censorship.
>
> John Gilmore
> (who regularly, daily, gets his personally typed emails - just
> like this one -- censored without recourse, by the ISPs of
> recipients who rely on unreliable third party censorship
> blacklists.)
From adi at hexapodia.org  Wed Nov 19 15:40:30 2014
From: adi at hexapodia.org (Andy Isaacson)
Date: Wed, 19 Nov 2014 15:40:30 -0800
Subject: WhisperSystems + WhatsApp
In-Reply-To:
References: <2429476.9jgn6LQJC8@lapuntu> <9AF6C350-E5C5-4753-BEDF-AA106E3B4321@cathalgarvey.me> <20141119213533.GE5226@hexapodia.org>
Message-ID: <20141119234030.GH5226@hexapodia.org>

On Wed, Nov 19, 2014 at 10:58:56PM +0000, Cathal (Phone) wrote:
> Not if that E2E protocol is entirely undermined. Which is the case
> here: trust is security. If 600M people think they have privacy and
> don't, that's a problem.

Have you heard of the phrase "harm reduction"? You can't solve a social/technical problem by insisting that only perfect solutions are acceptable. You must provide incremental solutions that can be part of a broad based move from the horrible place where we are now, towards a more safe future.

I mean, *you* can do whatever you want, but users are going to ignore solutions that don't connect to where they are today. "Incremental steps with continuous improvement" is a model for advice that actually works in improving outcomes for real populations. "Burn everything to the ground and start over" is a model for advice that lets activists maintain ideological purity without dirtying their hands with actual people's actual problems.

-andy

From grarpamp at gmail.com  Wed Nov 19 13:05:02 2014
From: grarpamp at gmail.com (grarpamp)
Date: Wed, 19 Nov 2014 16:05:02 -0500
Subject: [Cryptography] FW: IAB Statement on Internet Confidentiality
In-Reply-To:
References: <99E579B9-63A7-4C4F-864F-84F539B8381E@iab.org> <2A0EFB9C05D0164E98F19BB0AF3708C71D50B358B8@USMBX1.msg.corp.akamai.com> <54678204.6020204@iang.org> <20141117045411.Horde.mxsOgaNurekWJvP6R_Wi8Q1@gator4012.hostgator.com>
Message-ID:

On Tue, Nov 18, 2014 at 2:21 PM, Tom Mitchell wrote:
>> On a more serious note, the IAB statement below opens up a whole can of
>> worms.
>>
>> 1.
The vast bulk of the Internet protocols now and in the future already
>> exist. How are we going to retrofit them or somehow deal with them? New
>> secure protocols will be a tiny percentage of the installed base of insecure
>> protocols.
>
> If the goal is too large nothing will happen.
>
> Pick one service (like mail) and design a protocol that
> can be used between hosts.
>
>
> Mail is a good example because it is store and forward.
> At a big service like Yahoo or Google there are many sites
> and internal store and forward links could use the new protocol.
>
> At first key management might keep the new connections inside
> a service. Later a pair like Yahoo and Google could exchange
> keys then others.
> ...

Blah blah blah same old tired centralized intermediary smtp email services, lack of privacy/anonymity, and application of control/censorship. If the goal is not dreamily large enough and totally revolutionary, nothing will happen but regurgitated refits instead of replacements. Try setting the goal of P2P messaging over an encrypted anonymous P2P overlay network instead. Do you believe pigs can fly? I do.

> All that is needed is a specific service and specific firewall rules that
> current Cisco
> and the like hardware can enforce and audit.

More central censorship and control. Where's my DNA based onramp access and Clipper card again... must have left it in the tax machine.

From guninski at guninski.com  Wed Nov 19 09:23:06 2014
From: guninski at guninski.com (Georgi Guninski)
Date: Wed, 19 Nov 2014 19:23:06 +0200
Subject: Doing HTTPS everywhere in the .gov space
In-Reply-To:
References: <54664f95.c71f8c0a.15c5.ffffd528@mx.google.com> <5466676a.4642e00a.3752.ffffa39a@mx.google.com> <546ada0a.d4248c0a.02c6.1868@mx.google.com>
Message-ID: <20141119172306.GA2565@sivokote.iziade.m$>

On Tue, Nov 18, 2014 at 02:23:10PM -0500, Eric Mill wrote:
> >
> > > I meant USGOV protects USGOV. (Although not USGOV employees per se...)
> > > Cybersecurity wise USGOV probably doesn't/hardly need HTTPS,
> > > depending on the abilities of adversaries.
> >
> > Of course. US govt using https in their stupid propaganda
> > websites is irrelevant. What is weird is that some US govt
> > employee bothered to advertise it here. Is he clueless?
> > Was he trolling?
> >
>
> I wasn't trolling. I've been a member of this list, and paying close
> attention to the field, since well before I joined the US government (which
> happened back in May).
>

Dude, don't take it personally but I consider you of type $X$. By an axiom of mine type $X$ sucks, sorry.

Have you considered to do something about the Detroit bankruptcy, estimated at $18–20 billion : http://en.wikipedia.org/w/index.php?title=Detroit_bankruptcy&oldid=634222478

From grarpamp at gmail.com  Wed Nov 19 17:17:42 2014
From: grarpamp at gmail.com (grarpamp)
Date: Wed, 19 Nov 2014 20:17:42 -0500
Subject: [Cryptography] FW: IAB Statement on Internet Confidentiality
In-Reply-To:
References: <99E579B9-63A7-4C4F-864F-84F539B8381E@iab.org> <2A0EFB9C05D0164E98F19BB0AF3708C71D50B358B8@USMBX1.msg.corp.akamai.com> <54678204.6020204@iang.org> <20141117045411.Horde.mxsOgaNurekWJvP6R_Wi8Q1@gator4012.hostgator.com>
Message-ID:

>>> IAB Statement on Internet Confidentiality
>>> Encryption should be authenticated where possible, but even protocols
>>> providing confidentiality without authentication are useful in the
>>> face of pervasive surveillance as described in RFC 7258.
>>> https://tools.ietf.org/html/rfc7258

>> Alex:
>> On a more serious note, the IAB statement below opens up a whole
>> can of worms. You can't [...]
>> [... cants, buts, excuses, grandmas, future protocols and policy,
>> stake making and preserving, wimps, legal, etc... on and on...
>> ad nauseum]

> Ian / Jay:
> Wot? I encrypt all the time without dealing with legal issues.
> ...
> No more free lunches, no more rolling over and playing doggy.
> ...
> No, we need not negotiate with ourselves before building and deploying stuff.
> https://www.fourmilab.ch/documents/digital-imprimatur/

Indeed. Many seem to be missing the hidden extension / meaning of whitewashed quasi-political statements like those of the IAB that are now coming from various entities, and it's a point that needs made directly, at least regarding one aspect of things...

It's not anymore about 'should encrypt by default'... continuing to give yourselves the lazy fallback excuse of opportunistic crypto and waiting for someone else to do it. It's not anymore about asking your masters for permission to do what is not regulated today, or giving them seats and chance to muddle / dictate your protocols before they're developed / deployed.

It's about 'must encrypt' and turning plaintext completely off NOW! It's about telling all the lazy opportunistic fiber tapping passive surveillors, (who are today breaking fundamental inalienable human rights not just regulations, and without asking first)... to FUCK OFF!

This is not a time to play nice and compromise... it's war, one which they started against you. So deploy your crypto now, far and wide, and faster than the enemy can respond. Mass internet entrenchment has a winning history against subsequent fiat. We won the first crypto war, now it's time to win the second one.

Flip the crypto switch, from off to on. Don't ask, don't tell, just do it.

Mail providers and web services... turn plaintext off! Banks, schools, utilities, blogs, socialnets, OS distributions, user applications... the public facing, used by the public, whole lot of you... everyone, everywhere... just turn plaintext off! All plaintext transports over the internet... OFF!

Even decentralized P2P applications such as chat / filesharing apps that wish no model using CA certs, can still enforce crypto by skipping cert checking under self-signed certs or using [EC]DHE style crypto session negotiation.
There's no lack of capability or support among all these internet facing services and apps used by the general public anymore. Every OS / library can deal with TLS 1.0+ or key negotiation for that.

And you don't need some grand crypto scheme that you all love to pontificate in endless circles about right now either. Just turn the damn plaintext OFF and tell everyone to go read the FAQ and update their end if they can't connect. Then worry about your pie in the sky later.

It doesn't have to be perfect, all you need to do is shift the game from taking cheap passive global wire surveillance up the ass, to requiring more expensive targeted active attacks. Simply turning off the plaintext does that, it's a huge win!

https://en.wikipedia.org/wiki/Transport_Layer_Security#Applications_and_adoption

And while you're at it, set up a nonprofit CA foundation to issue free certs and get it added to the Mozilla and MS cert stores specifically for the purpose of accomplishing 'plaintext off'. CA's are useless profiteers who couldn't authenticate their own ass as customers anyways, and cert stores are uselessly bloated with both them and enemy entities... so just give the damn certs away to anyone who can publish a proof of ownership flag / TLS cert on the forward reference to their own services... simply to quiet self-signed warnings.

Nice to see something like this just dropped as I write: https://letsencrypt.org/

Pick July 4 2015 as the day to disable plaintext, since by then everything worth anything will support TLS 1.2 / good negotiation parameters, and it's a fitting meme. And if you don't like that flag, hoist another one...

https://en.wikipedia.org/wiki/International_Talk_Like_a_Pirate_Day

Now quit reading, making excuses and waiting... the enemy will just stomp all over your flag. Go get started on your code, updates and crypto configs... you've got a flag day to make.
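Added example, not part of the original post: the difference between opportunistic crypto and "plaintext off" that the message above argues about, shown as configuration for one mail server. It assumes Postfix; the host name and certificate paths are placeholders.

```conf
# /etc/postfix/main.cf (illustration; mail.example.org and the
# certificate paths below are placeholders)

# --- Opportunistic TLS: the fallback behaviour the message objects to ---
# STARTTLS is offered and used when the peer asks for it, but a session
# without STARTTLS (including one where an on-path device removed the
# STARTTLS capability from the EHLO reply) continues in plaintext.
#smtpd_tls_security_level = may
#smtp_tls_security_level = may

# --- "Plaintext off": TLS required in both directions -------------------
# A self-signed certificate is enough for encryption at this level.
smtpd_tls_cert_file = /etc/postfix/tls/mail.example.org.crt
smtpd_tls_key_file = /etc/postfix/tls/mail.example.org.key

# Inbound: refuse MAIL FROM until the client has completed STARTTLS.
# Clients that cannot do TLS are rejected (530 reply), so on a public MX
# host their mail is not accepted until they update their end.
smtpd_tls_security_level = encrypt

# Never accept SASL credentials over a cleartext session.
smtpd_tls_auth_only = yes

# Outbound: deliver only over TLS. Mail for a destination that does not
# offer STARTTLS is deferred and eventually bounces. The peer certificate
# is not verified at this level, so this defeats passive wiretapping but
# not an active man-in-the-middle; the "verify", "secure" and "dane"
# levels add authentication.
smtp_tls_security_level = encrypt

# Protocol floor for mandatory-TLS sessions: no SSLv2 / SSLv3.
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
smtp_tls_mandatory_protocols = !SSLv2, !SSLv3

# One summary log line per TLS session, so rejected plaintext clients and
# failed handshakes are visible in the mail log after the switch.
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
```

After a reload, the mail log is where to watch which peers are being turned away for lack of TLS.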
From cathalgarvey at cathalgarvey.me  Wed Nov 19 14:58:56 2014
From: cathalgarvey at cathalgarvey.me (Cathal (Phone))
Date: Wed, 19 Nov 2014 22:58:56 +0000
Subject: WhisperSystems + WhatsApp
In-Reply-To: <20141119213533.GE5226@hexapodia.org>
References: <2429476.9jgn6LQJC8@lapuntu> <9AF6C350-E5C5-4753-BEDF-AA106E3B4321@cathalgarvey.me> <20141119213533.GE5226@hexapodia.org>
Message-ID:

Not if that E2E protocol is entirely undermined. Which is the case here: trust is security. If 600M people think they have privacy and don't, that's a problem.

On 19 November 2014 21:35:33 GMT+00:00, Andy Isaacson wrote:
>On Wed, Nov 19, 2014 at 09:18:10AM +0000, Cathal (Phone) wrote:
>> Eh, easier than that. Keys generated end to end by the book, then code
>> in the closed source spyware app just lifts them and posts to FB.
>>
>> Open protocols in closed apps are meaningless.
>
>Not meaningless, although of course open source would be preferable from
>a trustability standpoint. I've got the executable code for the
>proprietary WhatsApp apk installed on my phone, and can reverse engineer
>it if I so choose. (I'm running CM11 so extracting the APKs is fairly
>straightforward.) I also have automatic app updates turned off, so I
>know when the code is supposed to change.
>
>Of course it would be Best (TM) if everyone could use a completely
>free operating system and had complete freedom to inspect all the code
>we depend on. But given the world we live in, 600M users with access to
>E2E encrypted messaging is better than 600M users without such access.
>
>-andy

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

From skquinn at rushpost.com  Wed Nov 19 21:36:04 2014
From: skquinn at rushpost.com (Shawn K. Quinn)
Date: Wed, 19 Nov 2014 23:36:04 -0600
Subject: Fwd: [Cryptography] Why mobile and consumer ISPs shouldn't censor encryption or the net
In-Reply-To:
References: <20141119005010.4209.qmail@ary.lan> <201411200131.sAK1V4Cl025381@new.toad.com>
Message-ID: <1416461764.30764.1.camel@klax>

On Wed, 2014-11-19 at 23:53 -0500, grarpamp wrote:
> Like T-Mobile
> deciding that you can't access http://mpp.org from your phone (try it)
> because it publishes about the politics of drugs, and "drugs are
> bad".

For the record, I have a T-Mobile phone and this URL is accessible from that phone in Houston, TX, US, as of the date and time of this message.

--
Shawn K. Quinn

From comzeradd at fsfe.org  Thu Nov 20 01:05:38 2014
From: comzeradd at fsfe.org (Nikos Roussos)
Date: Thu, 20 Nov 2014 11:05:38 +0200
Subject: WhisperSystems + WhatsApp
In-Reply-To: <20141119234030.GH5226@hexapodia.org>
References: <2429476.9jgn6LQJC8@lapuntu> <9AF6C350-E5C5-4753-BEDF-AA106E3B4321@cathalgarvey.me> <20141119213533.GE5226@hexapodia.org> <20141119234030.GH5226@hexapodia.org>
Message-ID: <546DAEE2.1060001@fsfe.org>

On 11/20/2014 01:40 AM, Andy Isaacson wrote:
> On Wed, Nov 19, 2014 at 10:58:56PM +0000, Cathal (Phone) wrote:
>> Not if that E2E protocol is entirely undermined. Which is the case
>> here: trust is security. If 600M people think they have privacy and
>> don't, that's a problem.
>
> Have you heard of the phrase "harm reduction"? You can't solve a
> social/technical problem by insisting that only perfect solutions are
> acceptable. You must provide incremental solutions that can be part of
> a broad based move from the horrible place where we are now, towards a
> more safe future.

Unless when it's not an improvement. False privacy promises are worse than no promises.

> I mean, *you* can do whatever you want, but users are going to ignore
> solutions that don't connect to where they are today.
"Incremental
> steps with continuous improvement" is a model for advice that actually
> works in improving outcomes for real populations. "Burn everything to
> the ground and start over" is a model for advice that lets activists
> maintain ideological purity without dirtying their hands with actual
> people's actual problems.

Both WhatsApp + TextSecure are centralized systems (which also happen to want full access to your contacts list). So it's actually a radical deterioration compared to the decentralized protocols we built all these years.

It's not about ideological purity. It's usually the "realists" who choose the easy path of building closed silos instead of getting their hands dirty and improve existing working technologies.

--
Nikos Roussos
http://www.roussos.cc

From grarpamp at gmail.com  Thu Nov 20 19:31:15 2014
From: grarpamp at gmail.com (grarpamp)
Date: Thu, 20 Nov 2014 22:31:15 -0500
Subject: Microsoft Root Certificate Bundle, where?
Message-ID:

MS root cert docs indicate they switched at vista from manual/auto downloadable updates to some form of OS online on the fly only auto update system.

Where link at microsoft can one still download a file containing their entire current root cert bundle in some parseable format?

It has to be somewhere near here but I'm dense today...
http://social.technet.microsoft.com/wiki/contents/articles/3281.introduction-to-the-microsoft-root-certificate-program.aspx

ex: mozilla is here
https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

From cathalgarvey at cathalgarvey.me  Sat Nov 22 06:33:40 2014
From: cathalgarvey at cathalgarvey.me (Cathal (Phone))
Date: Sat, 22 Nov 2014 14:33:40 +0000
Subject: Top Obama Admin DOJ Official to Apple, Google: Encryption Will Lead to Dead Kids
In-Reply-To:
References:
Message-ID:

Actually, a little bit of lithium in the water may save lives..

On 22 November 2014 14:15:32 GMT+00:00, "Lodewijk andré de la porte" wrote:
>Well, it's true. Civil rights and privacy cost a great deal. The problem
>is, governmental terror costs way more. And even with a good government
>(never happened, won't happen without a good amount of Change) the loss of
>liberty is a damage paid cheaply with children's lives.
>
>That sounds harsh, but it isn't. Unless they're going to make believable
>statistics about the amount of deaths there's no argument at all. A cheaper
>seatbelt costs lives. Not putting lithium in the water costs lives.
>Influenza, and a lack of smart and organized medical spending are the
>scourge of humanity. The bureaucratic response to crises, big and small,
>costs lives. Actually, the car is probably the greatest affront to public
>safety there ever was.
>
>But they're not talking about the car, are they?

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

From gfoster at entersection.org  Sat Nov 22 12:55:52 2014
From: gfoster at entersection.org (Gregory Foster)
Date: Sat, 22 Nov 2014 14:55:52 -0600
Subject: Fed proposal for Virginia cellphone data sharing network
Message-ID: <5470F858.4030906@entersection.org>

United States Attorney’s Office in the Eastern District of Virginia (~2011) - "A Proposal for the Creation of the Hampton Roads Telephone Intercept Sharing Network (HRTISN)" by Investigative Analyst Paul B. Swartz:
https://www.documentcloud.org/documents/1364622-hampton-roads-usatty.html

via

arstechnica (Nov 21) - "Feds proposed the secret phone database used by local Virginia cops" by @cfarivar:
http://arstechnica.com/tech-policy/2014/11/feds-proposed-the-secret-phone-database-used-by-local-virginia-cops/

gf

--
Gregory Foster || gfoster at entersection.org
@gregoryfoster <> http://entersection.com/

From l at odewijk.nl  Sat Nov 22 06:15:32 2014
From: l at odewijk.nl (Lodewijk andré de la porte)
Date: Sat, 22 Nov 2014 15:15:32 +0100
Subject: Top Obama Admin DOJ Official to Apple, Google: Encryption Will Lead to Dead Kids
In-Reply-To:
References:
Message-ID:

Well, it's true. Civil rights and privacy cost a great deal. The problem is, governmental terror costs way more. And even with a good government (never happened, won't happen without a good amount of Change) the loss of liberty is a damage paid cheaply with children's lives.

That sounds harsh, but it isn't. Unless they're going to make believable statistics about the amount of deaths there's no argument at all. A cheaper seatbelt costs lives. Not putting lithium in the water costs lives. Influenza, and a lack of smart and organized medical spending are the scourge of humanity. The bureaucratic response to crises, big and small, costs lives. Actually, the car is probably the greatest affront to public safety there ever was.
But they're not talking about the car, are they?

From nathan at squimp.com  Sat Nov 22 07:42:11 2014
From: nathan at squimp.com (Nathan Andrew Fain)
Date: Sat, 22 Nov 2014 16:42:11 +0100
Subject: Top Obama Admin DOJ Official to Apple, Google: Encryption Will Lead to Dead Kids
In-Reply-To:
References:
Message-ID: <5470AED3.1070902@squimp.com>

A little bit of encryption in the water saves more

Isn't the chicken and egg of humanity fun. Put in a little crypto, people die, pull out a little crypto, people die. Whether they look at only the chicken or only the egg seems to depend on the objective to retain the status quo because anything else is scary, to them.

now, where can i find some crypto water

On 22/11/2014 15:33, Cathal (Phone) wrote:
> Actually, a little bit of lithium in the water may save lives..
>
> On 22 November 2014 14:15:32 GMT+00:00, "Lodewijk andré de la porte" wrote:
>
> Well, it's true. Civil rights and privacy cost a great deal. The problem is, governmental terror costs way more. And even with a good government (never happened, won't happen without a good amount of Change) the loss of liberty is a damage paid cheaply with children's lives.
>
> That sounds harsh, but it isn't. Unless they're going to make believable statistics about the amount of deaths there's no argument at all. A cheaper seatbelt costs lives. Not putting lithium in the water costs lives. Influenza, and a lack of smart and organized medical spending are the scourge of humanity. The bureaucratic response to crises, big and small, costs lives. Actually, the car is probably the greatest affront to public safety there ever was.
>
> But they're not talking about the car, are they?
>
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
From tom at ritter.vg  Sat Nov 22 18:24:19 2014
From: tom at ritter.vg (Tom Ritter)
Date: Sat, 22 Nov 2014 20:24:19 -0600
Subject: Microsoft Root Certificate Bundle, where?
In-Reply-To:
References:
Message-ID:

On 20 November 2014 at 21:31, grarpamp wrote:
> MS root cert docs indicate they switched at vista
> from manual/auto downloadable updates to some form
> of OS online on the fly only auto update system.
> Where link at microsoft can one still download a file containing
> their entire current root cert bundle in some parseable format?

I don't know. But I know some copy of it can be accessed here: https://github.com/nabla-c0d3/sslyze/blob/master/plugins/data/trust_stores/microsoft.pem

I don't know how it's generated, how complete it is, or how up to date it is. Depending on your needs it may be sufficient, or may be unusable.

-tom

From guninski at guninski.com  Sat Nov 22 10:28:10 2014
From: guninski at guninski.com (Georgi Guninski)
Date: Sat, 22 Nov 2014 20:28:10 +0200
Subject: Liars and "justice for all"
Message-ID: <20141122182810.GA3832@sivokote.iziade.m$>

Saw this on local news, probably the search terms are "Ricky Jackson" +

According to:
https://www.themarshallproject.org/2014/11/21/the-corrections

> In Ohio, Ricky Jackson and Wiley Bridgeman were freed hours
> ago, 39 years after they were wrongfully convicted of murder
> – during the Ford administration. ...
> because the principal witness against them, a boy of 12 at the time,
> now says he lied when he identified Jackson, Bridgeman, and a third
> man as murderers. “Everything was a lie,” said the witness, Eddie
> Vernon.
“They were all lies.”

From gfoster at entersection.org  Sun Nov 23 08:53:47 2014
From: gfoster at entersection.org (Gregory Foster)
Date: Sun, 23 Nov 2014 10:53:47 -0600
Subject: [Effaustin-discuss] Fed proposal for Virginia cellphone data sharing network
In-Reply-To: <5470F858.4030906@entersection.org>
References: <5470F858.4030906@entersection.org>
Message-ID: <5472111B.1050501@entersection.org>

On 11/22/14, 2:55 PM, Gregory Foster wrote:
> United States Attorney’s Office in the Eastern District of Virginia
> (~2011) - "A Proposal for the Creation of the Hampton Roads Telephone
> Intercept Sharing Network (HRTISN)" by Investigative Analyst Paul B.
> Swartz:
> https://www.documentcloud.org/documents/1364622-hampton-roads-usatty.html
>
> via
>
> arstechnica (Nov 21) - "Feds proposed the secret phone database used by
> local Virginia cops" by @cfarivar:
> http://arstechnica.com/tech-policy/2014/11/feds-proposed-the-secret-phone-database-used-by-local-virginia-cops/

The hardware and software infrastructure recommended by the federal prosecutors office is called "Pen-Link" by Pen-Link, Ltd. (Lincoln, NE):
https://www.penlink.com/

Here's a listing of 339 federal contract events with Pen-Link, Ltd.:
https://www.fpds.gov/ezsearch/fpdsportal?indexName=awardfull&templateName=1.4.4&s=FPDS&q=VENDOR_FULL_NAME%3A%22PEN-LINK%2C+LTD.%22&x=32&y=15

And here's a graphic analysis of expenditures on Pen-Link hardware, software, services, and training by year stacked by federal agency:
http://jsfiddle.net/gregoryfoster/eb2zgre2/7/embedded/result/

There are some interesting signs in the data which suggest the manner in which familiarity with Pen-Link's capabilities spread throughout the USG, geographically across the US (see DEA data), and across the world (see State Department records - although Pen-Link, Ltd. also exports across the globe). The tripling of investment by the DEA in 2014 is noteworthy.
GSA records over $50M USD worth of contract events dating back to an initial engagement in 1995 by the DEA and the U.S. Marshals Service.

gf

--
Gregory Foster || gfoster at entersection.org
@gregoryfoster <> http://entersection.com/

From grarpamp at gmail.com  Sun Nov 23 21:03:10 2014
From: grarpamp at gmail.com (grarpamp)
Date: Mon, 24 Nov 2014 00:03:10 -0500
Subject: [tor-talk] Propsal for decentralization of the Tor network
In-Reply-To:
References: <008cbe7468ef38777d2e2addf83b21b2.squirrel@bitmailendavkbec.onion>
Message-ID:

> prove decentralization creates vulnerability to a larger degree
> than centralization

Maybe the centralization issue should revolve around things other than such two sided math proofs should neither side win...

1) There's expectation that some TPO-like entity will blackball known bad nodes, a non-human distributed authority (be it DHT or otherwise) doesn't permit that. Which is actually a non issue because users can simply subscribe to whichever trusted blackball source they desire. Onionland may still be providing some of these bad node listing services. AFAIK, that's the only real service Tor authorities provide today. The rest is under the hood of the *only protocol* in (3) below.

2) The network simply cannot run if some or all of the nine authorities are taken offline. Even users passing around their descriptors file and continuing to run can't be done because the code doesn't support that. So the network dies. Tor right now is like the centralized 'illegal' filesharing traffic model ie: Napster... every single central sharing service that had human figureheads in control of the network got shutdown. When the heat comes to Tor, it will get shut down if its fixed human authorities can't stand the heat. There are not an endless number of figureheads, but there are an endless number of users. For which, as with DHT torrenting and bitcoin, the responsibility for those networks is so distributed that it's pointless to try taking them down.
Phantom, I2P, and a number of others are also distributed and seem to be working fine as well.

3) Bitcoin and torrent also work as protocols because all users agree that the protocol is *the one and only true protocol*, they are at risk if they change, so a self maintaining gravity is both present and natural. If there are forks, they don't last because users figure it out and abandon them or at least stop until the network figures itself out. This is why Tor bootstrapping isn't an issue either... you're unlikely to bootstrap yourself into a bogus network for very long, especially if you do reasonable research in the network socialnet beforehand. Self host the repository, ship with signed recent descriptor and bad nodes subscription lists, bootstrap into that, and let network dynamics and user choice run from there. At least that's the model of some other networks.

Tor is probably central today as a result of inheriting a central design model. Thereafter if not remaining so from simple gravity then from either:
A) waiting for a chance to stand up with its authorities for the sake of proving out fundamental privacy/speech geopolitics.
B) putting them in the position of standing as test fodder.
C) trending nefarious.

Tor is a US entity which has certain benefits and weaknesses. And the international support structure of (A) should be analyzed and stress tested to determine its strength before relying on it. All the while noting and incorporating similarities to the WL, Snowden, filesharing, and crypto battles, etc.

Curiously, whenever all is said, it's still useful to have both centralized and decentralized networks surviving under pressure. Yet is centralization actually *required*, say to achieve something specific beyond that, or which cannot be modeled decentrally with some decision elements pushed out to the user.
From grarpamp at gmail.com  Mon Nov 24 20:30:29 2014
From: grarpamp at gmail.com (grarpamp)
Date: Mon, 24 Nov 2014 23:30:29 -0500
Subject: [Cryptography] Blogpost: CITAS, a new FBI security program proposal
In-Reply-To: <5473DA5F.3060901@sonic.net>
References: <5473DA5F.3060901@sonic.net>
Message-ID:

> genuinely seems likely to support rather than subvert security

Security is not bringing more people onto your net or with you as partners, let alone biased LE. Do you let cops sleep in your house to protect you? What about that little dimebag you like to toke on Fridays? Besides, if they want the service, corps don't need LE to do what they can already do together neutrally on their own, or by subscribing to equivalent commercial honeypot services. What is this, infraguard 2.0? Clipper? Dept of redundancy? Big brother? TIA?

Also, latency/TTL detection of remote hosting..

Heads up to Tor people, and cpunks to carve it up further.

On Mon, Nov 24, 2014 at 8:24 PM, Ray Dillinger wrote:
> Note to list participants: check the CC line of the original message
> before responding. We are aware that this list is always monitored, but
> this time I have explicitly invoked monitoring and explicitly invite
> response. Hello Agent Chesson; feel free to join the (list and)
> discussion if you have something to add or correct. It's a moderated
> and usually very polite list, although events in the last couple of
> years have caused some resentment and a great deal of distrust here
> toward American Three-Letter agencies.
>
> Brief: The FBI is proposing a security service to assist American
> companies in achieving network security. It is called CITAS, for
> "Computer Intrusion Threat Assessment System." It is not an active
> program yet; My impression is that it is the proposal and brainchild of
> special agent John B. Chesson and that he is actively trying to raise
> support for it both within the agency and among its potential clients.
>
> This is one of very few proposals I have seen from any US agency that
> genuinely seems likely to support rather than subvert security, in the
> strict sense of owners retaining control of the assets they own. It
> does not require backdoors, it does not require keeping insecure
> plaintext traffic on the network, and it does not propose to compel
> participation.
>
> What it proposes is that companies who join the service allocate an IP
> address on their company's subnet for the use of the FBI, and the FBI
> can then set up a honeypot at that IP address. Routers and switches in
> the company's DMZ would direct traffic to the honeypot just as though it
> were a company machine, leaving no clues to the contrary in route traces
> or DNS, but the traffic would tunnel over some other channel, probably a
> VPN, to a location controlled by the FBI.
>
> The honeypot would be physically located at and controlled by an FBI
> data center. This does not imply that the FBI gets any
> "behind-the-firewall" view of a company's network; the company's
> firewall can distrust the honeypot just as much as it distrusts unknown
> IP addresses out in the wild.
>
> The FBI would monitor the honeypots in real time for threats and
> attacks, and when any "significant" threat or breach is detected, share
> the information immediately with the subscribing company.
>
> Less briefly:
> http://dillingers.com/blog/2014/11/24/citas-threat-assessment-system/
>
> This arrangement strikes me as likely to be highly effective in terms of
> security, because the FBI could leverage manpower and monitoring effort
> across a huge pool of honeypots truly indistinguishable to attackers
> from genuine targets.
Effort spent by an FBI agent to understand and > script a log checker for a new threat would instantly apply to thousands > of companies via the honeypots sharing software, where the equivalent > effort spent by anyone else takes weeks to months to achieve wide > adoption, and never achieves wide adoption until after it is redone for > the nth time by many open-source volunteers. > > This arrangement also strikes me as problematic in that it would also > allow the FBI to set up a huge pool of Tor, Gnutella, Bittorrent, etc, > nodes truly indistinguishable to users from genuine nodes run by people > who support anonymity, uncensored journalism, whistleblowers, and free > speech. The data would, of course, be shared across all the usual > law-enforcement, espionage, and security agencies of the US. Although to > be honest, these services are already so heavily monitored that there is > little left to lose. > > Although Agent Chesson, whose presentation I attended, did not mention > these other uses, I would expect widespread adoption of this system to > mean effectively the death of "anonymous" P2P services such as Tor, due > to the simple fact of most of the gateway nodes being FBI-operated > sockpuppets. While Tor or something like it remains the only way in > most of the world to use the Internet for uncensored journalism or > whistleblowing, the FBI cannot possibly ignore that as a channel it is > also used by criminals. > > There is also some risk to the companies involved in the existence of > machines which they do not control but which have addresses publicly on > record as belonging to that company's subnet. They could experience > adverse public perception if a honeypot became publicly known as > someplace where an unsavory or criminal activity were happening and its > address were traced back to the company's IP block. 
> > > Ray "Bear" Dillinger > > > > > _______________________________________________ > The cryptography mailing list > cryptography at metzdowd.com > http://www.metzdowd.com/mailman/listinfo/cryptography From martin.rublik at gmail.com Tue Nov 25 00:08:51 2014 From: martin.rublik at gmail.com (Martin Rublik) Date: Tue, 25 Nov 2014 09:08:51 +0100 Subject: Microsoft Root Certificate Bundle, where? In-Reply-To: References: Message-ID: <54743913.10202@gmail.com> On 21. 11. 2014 4:31, grarpamp wrote: > MS root cert docs indicate they switched at vista > from manual/auto downloadable updates to some form > of OS online on the fly only auto update system. > Where link at microsoft can one still download a file containing > their entire current root cert bundle in some parseable format? > > It has to be somewhere near here but I'm dense today... > http://social.technet.microsoft.com/wiki/contents/articles/3281.introduction-to-the-microsoft-root-certificate-program.aspx > > ex: mozilla is here > https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt > This might help http://unmitigatedrisk.com/?p=259 also check http://catalog.update.microsoft.com/v7/site/Search.aspx?q=root%20certificate%20update for recent version of the CTL. HTH Martin From grarpamp at gmail.com Tue Nov 25 19:09:23 2014 From: grarpamp at gmail.com (grarpamp) Date: Tue, 25 Nov 2014 22:09:23 -0500 Subject: Microsoft Root Certificate Bundle, where? In-Reply-To: References: Message-ID: > MS root cert docs indicate they switched at vista > from manual/auto downloadable updates to some form > of OS online on the fly only auto update system. > > Where link at microsoft can one still download a file containing > their entire current root cert bundle in some parseable format? > > It has to be somewhere near here but I'm dense today... 
> http://social.technet.microsoft.com/wiki/contents/articles/3281.introduction-to-the-microsoft-root-certificate-program.aspx > > ex: mozilla is here > https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt Hi :) Can you document in a doc file in your repo as to where and how you are obtaining all the trust stores found below? I forgot about the others besides MS/Mozilla. Such documentation would be valuable to the community. https://github.com/nabla-c0d3/sslyze/tree/master/plugins/data/trust_stores From grarpamp at gmail.com Tue Nov 25 19:19:15 2014 From: grarpamp at gmail.com (grarpamp) Date: Tue, 25 Nov 2014 22:19:15 -0500 Subject: Microsoft Root Certificate Bundle, where? In-Reply-To: <54743913.10202@gmail.com> References: <54743913.10202@gmail.com> Message-ID: On Tue, Nov 25, 2014 at 3:08 AM, Martin Rublik wrote: > This might help http://unmitigatedrisk.com/?p=259 also check That seems to reference old MS cert distribution models and cert data stores. And uses cloudflare captcha. > http://catalog.update.microsoft.com/v7/site/Search.aspx?q=root%20certificate%20update > for recent version of the CTL. "To use this Web site's full functionality, you must be running Microsoft Internet Explorer 6.0 or later. If you prefer to use a different Web browser, you can get updates from the Microsoft Download Center." So what whole cert stores do you see here at your link above? I believe they may not include anything Vista or beyond. Most specifically, any entire cert store dated at or beyond the Sep 29, 2014 update linked in my former post subtitled 'Windows Root CA Members / September 2014 Root Certificates Update'. If available as such, please advise and I'll enable MSIE browsing your link to obtain. 
From grarpamp at gmail.com Tue Nov 25 19:58:04 2014 From: grarpamp at gmail.com (grarpamp) Date: Tue, 25 Nov 2014 22:58:04 -0500 Subject: [Cryptography] Blogpost: CITAS, a new FBI security program proposal In-Reply-To: <5474AEC5.6090909@sonic.net> References: <5473DA5F.3060901@sonic.net> <5474AEC5.6090909@sonic.net> Message-ID: >>> http://www.metzdowd.com/pipermail/cryptography/2014-November/023693.html >>> http://dillingers.com/blog/2014/11/24/citas-threat-assessment-system/ >> let alone biased LE >> Heads up to Tor people, and cpunks to carve it up further. > This isn't the usual LE proposal Following on some related and technical comments... While my analogy and definition of security may not have been best suited, nor is this reply, the point remains that there is nothing special here for you as a corp. Anything you say that LE can provide for *you* with honeypots can also be sourced internally or from the open market and your subsequent call to LE to mop up upon discovery of badness therein. What is unique here is that LE will be classifying things learned from the HP's as gov't secrets. That's a hard problem. As opposed to telling you all of what you need to know to secure your own net under internal policies and vendor contracts that you would otherwise remain in control of. Further, technically, parking an HP on your net only tells you about what happens regarding via that HP, nothing else. And since you must distrust this other party HP [1], then all you've got is a cracked HP outside your trust zone, no different than any other box on the internet. It's limited vantage point and bogus security metrics argument. Sure, the US gov't might be able, on the whole from this, to correlate and expose more nation-state/international crime sources against the US and embarrass some foreign diplomats. That's always a good and fun thing [2]. And the services of LE are indeed valuable. 
However do not make the mistake of thinking that *you yourself* will benefit *directly* from this program, that's not what it's designed for or capable of. In fact, you will be left out as dog food in case of 'national security priorities/secrets' arise. The responsibility for securing your net still rests with you and you alone as always. The better way to be more secure is to ignore these silly sales schemes and look same effort at your own processes, weaknesses, code, OS/hardware, compartmentalization, etc. Maybe <=1% of that ends up being the use of HP's. Improve those own things overall and you'll be far better off. > This arrangement also strikes me as problematic in that it would also > allow the FBI to set up a huge pool of Tor, Gnutella, Bittorrent, etc, > nodes truly indistinguishable to users from genuine nodes run by people > who support anonymity, uncensored journalism, whistleblowers, and free > speech. Last, what if one day *you* _need_ to use a freedom network and they've sybil'd up their nodes *against you*? Be careful what you ask for and invite into your home in the name of security, you might just get it... applied against you in time of need. > economic output if it didn't cost so damn much to keep MS boxes > secure Well then the solution there is clear... get rid of the MS boxes, and those who sold and administer them. Like HP's, nothing special about MS either. Time limited I maybe not reply further. [1] For reasons of both sanity and legal insufficiency of any indemnity offered. [2] Note that some megacorps follow their own allegience... claiming the flag of whichever market suits them best at the moment. 
From tbiehn at gmail.com Wed Nov 26 08:54:46 2014 From: tbiehn at gmail.com (Travis Biehn) Date: Wed, 26 Nov 2014 11:54:46 -0500 Subject: [tor-talk] [Cryptography] Blogpost: CITAS, a new FBI security program proposal In-Reply-To: References: <5473DA5F.3060901@sonic.net> <5474AEC5.6090909@sonic.net> Message-ID: LE, Gov and private industry have always been bedfellows - they will continue to enjoy preferential treatment and advanced threat intelligence whilst sacrificing 'secrecy' both of internal operations and client information for the privilege. The gov can get IP addresses for sybil attacks, they don't need to smuggle honeypots into internal networks to accomplish this. The problem is that the 'day one' offering is very light, just a honeypot - after the target is socialized 'day two' 'enhanced feeds' can be marketed by LE & Gov by turning on the two-way flow of information. Casual erosion of trust / privacy boundaries. Which, of course, only further cements the old adages espoused on these lists. -Travis On Tue, Nov 25, 2014 at 10:58 PM, grarpamp wrote: > >>> > http://www.metzdowd.com/pipermail/cryptography/2014-November/023693.html > >>> http://dillingers.com/blog/2014/11/24/citas-threat-assessment-system/ > >> let alone biased LE > >> Heads up to Tor people, and cpunks to carve it up further. > > This isn't the usual LE proposal > > Following on some related and technical comments... > > While my analogy and definition of security may not have been best > suited, nor is this reply, the point remains that there is nothing > special here for you as a corp. Anything you say that LE can provide > for *you* with honeypots can also be sourced internally or from the > open market and your subsequent call to LE to mop up upon discovery > of badness therein. > > What is unique here is that LE will be classifying things learned > from the HP's as gov't secrets. That's a hard problem. 
As opposed > to telling you all of what you need to know to secure your own net > under internal policies and vendor contracts that you would otherwise > remain in control of. > > Further, technically, parking an HP on your net only tells you about > what happens regarding via that HP, nothing else. And since you > must distrust this other party HP [1], then all you've got is a > cracked HP outside your trust zone, no different than any other box > on the internet. It's limited vantage point and bogus security > metrics argument. > > Sure, the US gov't might be able, on the whole from this, to correlate > and expose more nation-state/international crime sources against > the US and embarrass some foreign diplomats. That's always a good > and fun thing [2]. And the services of LE are indeed valuable. > > However do not make the mistake of thinking that *you yourself* > will benefit *directly* from this program, that's not what it's > designed for or capable of. In fact, you will be left out as dog > food in case of 'national security priorities/secrets' arise. > > The responsibility for securing your net still rests with you and > you alone as always. The better way to be more secure is to ignore > these silly sales schemes and look same effort at your own processes, > weaknesses, code, OS/hardware, compartmentalization, etc. Maybe > <=1% of that ends up being the use of HP's. Improve those own things > overall and you'll be far better off. > > > This arrangement also strikes me as problematic in that it would also > > allow the FBI to set up a huge pool of Tor, Gnutella, Bittorrent, etc, > > nodes truly indistinguishable to users from genuine nodes run by people > > who support anonymity, uncensored journalism, whistleblowers, and free > > speech. > > Last, what if one day *you* _need_ to use a freedom network and > they've sybil'd up their nodes *against you*? 
Be careful what you
> ask for and invite into your home in the name of security, you might
> just get it... applied against you in time of need.
>
> > economic output if it didn't cost so damn much to keep MS boxes
> > secure
>
> Well then the solution there is clear... get rid of the MS boxes,
> and those who sold and administer them. Like HP's, nothing special
> about MS either.
>
> Time limited I maybe not reply further.
>
> [1] For reasons of both sanity and legal insufficiency of any
> indemnity offered.
>
> [2] Note that some megacorps follow their own allegiance... claiming
> the flag of whichever market suits them best at the moment.

From gfoster at entersection.org Wed Nov 26 16:48:24 2014
From: gfoster at entersection.org (Gregory Foster)
Date: Wed, 26 Nov 2014 18:48:24 -0600
Subject: POTUS jammin'
In-Reply-To: <54766c3a.0334e00a.4aff.37ab@mx.google.com>
References: <5457dba0.0406e00a.2c33.ffff8758@mx.google.com> <20141126221127.C1CA4228191@palinka.tinho.net> <54766c3a.0334e00a.4aff.37ab@mx.google.com>
Message-ID: <547674D8.4070001@entersection.org>

On Wed, 26 Nov 2014 17:11:27 -0500 dan at geer.org wrote:
>> | So it is possible to jam the 'spread spectrum' radios that the
>> | US military nazis use?
>> |
>> | It's possible, say, to jam the control links of the nazis'
>> | drones?
>>
>> Thank you, Mr. Godwin.
>> --dan

On 11/26/14, 6:13 PM, Juan wrote:
>
> Dan, can't you answer the question?
>
> Or perhaps you don't want to answer the question and compromise
> the abilities of your nazi friends?
>

Did Dan Geer just troll Juan for the holidays?
gf -- Gregory Foster || gfoster at entersection.org @gregoryfoster <> http://entersection.com/ From juan.g71 at gmail.com Wed Nov 26 16:13:33 2014 From: juan.g71 at gmail.com (Juan) Date: Wed, 26 Nov 2014 21:13:33 -0300 Subject: POTUS jammin' In-Reply-To: <20141126221127.C1CA4228191@palinka.tinho.net> References: <5457dba0.0406e00a.2c33.ffff8758@mx.google.com> <20141126221127.C1CA4228191@palinka.tinho.net> Message-ID: <54766c3a.0334e00a.4aff.37ab@mx.google.com> On Wed, 26 Nov 2014 17:11:27 -0500 dan at geer.org wrote: > | So it is possible to jam the 'spread spectrum' radios that > the | US miltary nazis use? > | > | It's possible, say, to jam the control links of the nazis' > | drones? > > > Thank you, Mr. Godwin. Dan, can't you answer the question? Or perhaps you don't want to answer the question and compromise the abilities of your nazi friends? > > --dan > From grarpamp at gmail.com Thu Nov 27 00:10:11 2014 From: grarpamp at gmail.com (grarpamp) Date: Thu, 27 Nov 2014 03:10:11 -0500 Subject: POTUS jammin' In-Reply-To: <547674D8.4070001@entersection.org> References: <5457dba0.0406e00a.2c33.ffff8758@mx.google.com> <20141126221127.C1CA4228191@palinka.tinho.net> <54766c3a.0334e00a.4aff.37ab@mx.google.com> <547674D8.4070001@entersection.org> Message-ID: On Wed, Nov 26, 2014 at 7:48 PM, Gregory Foster wrote: > Did Dan Geer just troll Juan for the holidays? Don't know, but this list is 'discussing cryptography and its effect on society' Jammin is crypto, on topic. Characterization of applied crypto to nazi purpose is society, on topic. Calling godwin is debate of individual socialites, off topic. So continuing on topic... I'd bet there are papers somewhere about the difficulty in jammin true spread spectrum crypto stuff. Perhaps HERFing the receiver junction is better option if in range. 
From grarpamp at gmail.com Thu Nov 27 00:13:09 2014
From: grarpamp at gmail.com (grarpamp)
Date: Thu, 27 Nov 2014 03:13:09 -0500
Subject: Deanonymisation of clients in Bitcoin P2P network
Message-ID:

http://orbilu.uni.lu/handle/10993/18679
Biryukov, Khovratovich, Pustogarov
Nov-2014

Bitcoin is a digital currency which relies on a distributed set of miners to mint coins and on a peer-to-peer network to broadcast transactions. The identities of Bitcoin users are hidden behind pseudonyms (public keys) which are recommended to be changed frequently in order to increase transaction unlinkability. We present an efficient method to deanonymize Bitcoin users, which allows to link user pseudonyms to the IP addresses where the transactions are generated. Our techniques work for the most common and the most challenging scenario when users are behind NATs or firewalls of their ISPs. They allow to link transactions of a user behind a NAT and to distinguish connections and transactions of different users behind the same NAT. We also show that a natural countermeasure of using Tor or other anonymity services can be cut-off by abusing anti-DoS countermeasures of the bitcoin network. Our attacks require only a few machines and have been experimentally verified. We propose several countermeasures to mitigate these new attacks.

From rysiek at hackerspace.pl Thu Nov 27 00:41:08 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Thu, 27 Nov 2014 09:41:08 +0100
Subject: POTUS jammin'
In-Reply-To: <547674D8.4070001@entersection.org>
References: <5457dba0.0406e00a.2c33.ffff8758@mx.google.com> <54766c3a.0334e00a.4aff.37ab@mx.google.com> <547674D8.4070001@entersection.org>
Message-ID: <32967932.Izb2kmRMNC@lapuntu>

On Wednesday, 26 November 2014 18:48:24 Gregory Foster wrote:
> On Wed, 26 Nov 2014 17:11:27 -0500 dan at geer.org wrote:
> >> | So it is possible to jam the 'spread spectrum' radios that the
> >> | US military nazis use?
> >> |
> >> | It's possible, say, to jam the control links of the nazis'
> >> | drones?
> >>
> >> Thank you, Mr. Godwin.
> >> --dan
>
> On 11/26/14, 6:13 PM, Juan wrote:
> > Dan, can't you answer the question?
> >
> > Or perhaps you don't want to answer the question and compromise
> > the abilities of your nazi friends?
>
> Did Dan Geer just troll Juan for the holidays?

God, Win!

--
Regards
rysiek

From rysiek at hackerspace.pl Thu Nov 27 00:49:24 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Thu, 27 Nov 2014 09:49:24 +0100
Subject: POTUS jammin'
In-Reply-To:
References: <5457dba0.0406e00a.2c33.ffff8758@mx.google.com> <547674D8.4070001@entersection.org>
Message-ID: <2159726.KtGl5e85mm@lapuntu>

On Thursday, 27 November 2014 03:10:11 grarpamp wrote:
> Characterization of applied crypto to nazi purpose is society, on topic.

I did nazi that coming.

Honestly, the word "nazi" was absolutely unnecessary in the question about jamming US military, and served only the purpose of getting the heat of the discussion up.

Which it failed, thanks to Mr Godwin and Mr Geer. :)

--
Regards
rysiek

From juan.g71 at gmail.com Thu Nov 27 13:01:01 2014
From: juan.g71 at gmail.com (Juan)
Date: Thu, 27 Nov 2014 18:01:01 -0300
Subject: POTUS jammin'
In-Reply-To: <2159726.KtGl5e85mm@lapuntu>
References: <5457dba0.0406e00a.2c33.ffff8758@mx.google.com> <547674D8.4070001@entersection.org> <2159726.KtGl5e85mm@lapuntu>
Message-ID: <54779096.0f108c0a.6a41.4cfd@mx.google.com>

On Thu, 27 Nov 2014 09:49:24 +0100 rysiek wrote:
> On Thursday, 27 November 2014 03:10:11 grarpamp wrote:
> > Characterization of applied crypto to nazi purpose is society, on
> > topic.
>
> I did nazi that coming.
> Honestly, the word "nazi" was absolutely unnecessary

Your loyalty for the US nazi government is touching rysiek.

> in the question
> about jamming US military, and served only the purpose of getting the
> heat of the discussion up.
>
> Which it failed, thanks to Mr Godwin and Mr Geer. :)
>

From cathalgarvey at cathalgarvey.me Thu Nov 27 14:51:27 2014
From: cathalgarvey at cathalgarvey.me (Cathal Garvey)
Date: Thu, 27 Nov 2014 22:51:27 +0000
Subject: Drones, Rifles, Fascism (Was: POTUS jammin')
In-Reply-To: <54779096.0f108c0a.6a41.4cfd@mx.google.com>
References: <5457dba0.0406e00a.2c33.ffff8758@mx.google.com> <547674D8.4070001@entersection.org> <2159726.KtGl5e85mm@lapuntu> <54779096.0f108c0a.6a41.4cfd@mx.google.com>
Message-ID: <5477AAEF.5000208@cathalgarvey.me>

The word you're looking for is "fascist". The Nazis were one particular expression and culture of fascist, by no means the only one and certainly not the last.

I happen to disagree with the supposed primacy of Godwin's Law because the Nazis are a cultural touchstone on the horrors of fascism in practice, a thing we should all remain vigilant upon.

A friend pointed out to me that more people have died of fascism than gun crime, and that (until recently) civil gun ownership was a good preventative measure against fascism.
I was never against small arms ownership per se, but it put the argument for civil ownership of rifles in perspective for me. With Drones everywhere these days, I don't think rifles matter anymore, though; so it's moot as far as I'm concerned. Not being a violent person by nature, I'd like to think that our future solutions against fascism are social and network-based, but there's room to discuss whether civil access to drones and other automated weapons will play a role against fascist uprisings; if the Rifle was the standard of anti-fascism in the past, is the drone the standard now? Or is it the ubiquitous camera? I'd rather think the latter, but cameras don't seem to stop militarised "police" from assaulting civilians, they just cover their badges and storm-trooper onwards*. In the ideal case, we find a way to undermine this violence. But, when the fascists come to round up their subject of persecution du jour, I do believe those people should be entitled to self defence. Just some evening thoughts, sorry. *It was only when observing the behaviour of US/UK police towards civilians, particularly the former, that I realised how lucky we are in Ireland to have an unarmed police force whose title "Garda Siochána" literally means "Guardians of the Peace". They're prone to ego trips, sure, but unarmed citizens don't get 10-round clips emptied into them, ever. On 27/11/14 21:01, Juan wrote: > On Thu, 27 Nov 2014 09:49:24 +0100 > rysiek wrote: > >> Dnia czwartek, 27 listopada 2014 03:10:11 grarpamp pisze: >>> Characterization of applied crypto to nazi purpose is society, on >>> topic. >> >> I did nazi that coming. >> Honestly, the word "nazi" was absolutely unnecessary > > > Your loyalty for the US nazi governemnt is touching rysiek. > > >> in the question >> about jamming US military, and served only the purpose of getting the >> heat of the discussion up. >> >> Which it failed, thanks to Mr Godwin and Mr Geer. 
:)

From rysiek at hackerspace.pl Thu Nov 27 15:34:50 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Fri, 28 Nov 2014 00:34:50 +0100
Subject: Drones, Rifles, Fascism (Was: POTUS jammin')
In-Reply-To: <5477AAEF.5000208@cathalgarvey.me>
References: <5457dba0.0406e00a.2c33.ffff8758@mx.google.com> <54779096.0f108c0a.6a41.4cfd@mx.google.com> <5477AAEF.5000208@cathalgarvey.me>
Message-ID: <2206339.BSqZH3ENuq@lapuntu>

On Thursday, 27 November 2014 22:51:27 Cathal Garvey wrote:
> The word you're looking for is "fascist". The Nazis were one particular
> expression and culture of fascist, by no means the only one and
> certainly not the last.

+1

> I happen to disagree with the supposed primacy of Godwin's Law because
> the Nazis are a cultural touchstone on the horrors of fascism in
> practice, a thing we should all remain vigilant upon.

Absolutely. Problem is, *calling* something fascism/nazism does not make it so, and calling too many things this makes it "a boy that cried wolf" kind of story.

There are legitimate grievances towards any government, and I happen to be particularly critical of the US government (yes, to a large extent I *would* call it fascist, due to -industrial-complex), but I choose not to use that particular word and instead try to work on the merits of the situation.

Using "nazi"/"fascism" card is easy, emotionally charged, usually unnecessary, and instead of moving the discussion forward -- breaks it into two entrenched camps.

This is precisely why I find Godwin's Law so useful. It allows people to easily counter such a demagoguery and bring the discussion back to the merits -- as exemplified by this very thread (and, in particular, your e-mail), actually. :)

--
Regards
rysiek

From coderman at gmail.com Fri Nov 28 00:46:47 2014
From: coderman at gmail.com (coderman)
Date: Fri, 28 Nov 2014 00:46:47 -0800
Subject: POTUS jammin'
In-Reply-To:
References: <5457dba0.0406e00a.2c33.ffff8758@mx.google.com> <20141126221127.C1CA4228191@palinka.tinho.net> <54766c3a.0334e00a.4aff.37ab@mx.google.com> <547674D8.4070001@entersection.org>
Message-ID:

> On Wed, Nov 26, 2014 at 7:48 PM, Gregory Foster
> wrote:
>> Did Dan Geer just troll Juan for the holidays?

we all celebrate in preferred personal ways, :P

On 11/27/14, grarpamp wrote:
> Jammin is crypto, on topic...
> So continuing on topic...
> I'd bet there are papers somewhere about the difficulty in jammin
> true spread spectrum crypto stuff. Perhaps HERFing
> the receiver junction is better option if in range.

here's the game:
a. you control power
b. you control range
c. you control complexity

so spreading spectrum farther, gets you lobes outside selective denial of service. but range can also extend to beam form in addition to beam width.

power, of course, a similar game of effort - rise above the elevated noise floor for the win.

a different type of attack and avoidance, in coding complexity, even up to logical protocol DoS.

thus, to be the most difficult to deter, you would max all three: very high powered, very wide band, complex coded and efficient cognitive links over MIMO beam forming foundation.

not long ago such requirements were comical. recently they became economically not completely infeasible. one day, eminently portable.. :)

best regards and nazi holidays,

From coderman at gmail.com Fri Nov 28 00:50:44 2014
From: coderman at gmail.com (coderman)
Date: Fri, 28 Nov 2014 00:50:44 -0800
Subject: Microsoft Root Certificate Bundle, where?
In-Reply-To:
References: <54743913.10202@gmail.com>
Message-ID:

On 11/25/14, grarpamp wrote:
> ...
> "To use this Web site's full functionality, you must be running
> Microsoft Internet Explorer 6.0 or later.
> If you prefer to use a different Web browser, you can get updates from > the Microsoft Download Center." > > So what whole cert stores do you see here at your link above? what this means is: to get the certificate store you run a current version of windows. to run a current version of windows, run windows update or download the updates directly from Microsoft Download Center. if you don't want to run windows, then why do you care about windows certs? (we know the answer, but M$ says sod off) From coderman at gmail.com Fri Nov 28 00:56:45 2014 From: coderman at gmail.com (coderman) Date: Fri, 28 Nov 2014 00:56:45 -0800 Subject: [Cryptography] STARTTLS, was IAB Statement on Internet Confidentiality In-Reply-To: References: <20141119005010.4209.qmail@ary.lan> <201411190429.sAJ4TbCl011736@new.toad.com> Message-ID: On 11/19/14, grarpamp wrote: > ... > Today some people on this list tried to tell me that 'Port 25 is SMTP'. > That's funny because I use it for SSH. and i run OpenVPN on UDP 53 and TCP 443. the problem is i can only run them on some provider networks, just like an ICMP tunnel only works so many places. fuck the public Internet[0], let's all meet on ORCHID overlays! [1] 0. the Internet, as we used to think of decentralized edge driven networks, is dead. post-Snowden, all IPv4 is DEF CON wireless. let it die in peace... 1. and by this i mean ORCHIDv2 on a traffic analysis resistant datagram anonymity network, like Tor on steroids with GPA and active-DeanonDoS resistance. 
From coderman at gmail.com Fri Nov 28 00:59:59 2014
From: coderman at gmail.com (coderman)
Date: Fri, 28 Nov 2014 00:59:59 -0800
Subject: Delivery Status Notification (Failure)
In-Reply-To: <089e0112bf844350fc0508e77169@google.com>
References: <089e0112bf844350fc0508e77169@google.com>
Message-ID:

On 11/28/14, Mail Delivery Subsystem wrote:
> Delivery to the following recipient failed permanently:
>
> cryptography at metzdowd.com

speaking of failures, nothing expresses my contempt for email like a gmail account :)

happy plain text holidays!

From coderman at gmail.com Fri Nov 28 01:07:36 2014
From: coderman at gmail.com (coderman)
Date: Fri, 28 Nov 2014 01:07:36 -0800
Subject: WhisperSystems + WhatsApp
In-Reply-To: <20141119234030.GH5226@hexapodia.org>
References: <2429476.9jgn6LQJC8@lapuntu> <9AF6C350-E5C5-4753-BEDF-AA106E3B4321@cathalgarvey.me> <20141119213533.GE5226@hexapodia.org> <20141119234030.GH5226@hexapodia.org>
Message-ID:

On 11/19/14, Andy Isaacson wrote:
> ...
> Have you heard of the phrase "harm reduction"? You can't solve a
> social/technical problem by insisting that only perfect solutions are
> acceptable. You must provide incremental solutions that can be part of
> a broad based move from the horrible place where we are now, towards a
> more safe future.

i used to agree with this, and then i realized this is bad advice if incremental improvements are resulting in less security over time.

said another way, if you are currently falling behind quickly, by not moving, then moving ahead at a walk just means you fail less soon than others. everyone ends up in fail, however.

> I mean, *you* can do whatever you want, but users are going to ignore
> solutions that don't connect to where they are today. "Incremental
> steps with continuous improvement" is a model for advice that actually
> works in improving outcomes for real populations. "Burn everything to
> the ground and start over" is a model for advice that lets activists
> maintain ideological purity without dirtying their hands with actual
> people's actual problems.

i think this is only true if the magnitude of broken and incompetent crushes you into inaction. if instead it spurs you to build, for years, on something of a solid base, then criticism must be deferred until that base is put to the test.

of course, my time spent writing rebuttal subtracted from the time best applied proving or denying in practice, arm chair theory inviting as it is...

best regards,

From jya at pipeline.com Fri Nov 28 05:25:36 2014
From: jya at pipeline.com (John Young)
Date: Fri, 28 Nov 2014 08:25:36 -0500
Subject: What Is Good Encryption Software?
Message-ID:

Reader asks: What Is Good Encryption Software?

http://cryptome.org/2014/11/what-is-good-crypto.htm

I have contacted you asking about certain security questions. After reading a few of the Snowden leaked documents, I have started to be more aware of my privacy being at risk. I have a few questions concerning certain programs and safety tips.

First, I've recently started to doubt about my encryption software. Is Symantec's "PGP Endpoint" a good hard drive encryption software? In other words, is it trustworthy since it is an American company. And if not, what encryption software is the best for Mac.

Second, is "ProtonMail" as secure as they say it is? If not, what email provider doesn't let the NSA see into my account.

Third, is Jetico inc's "Bestcrypt Container Encryption" trustworthy? If not, what could be an alternative.

Fourth, are these encryption types good? Blowfish, Gost & AES - 256bit. And which encryption type remains the best above all?

Last, is Kaspersky a good anti-virus software? If not, which one is the best for Mac.

-----

Important, difficult questions, likely to produce a range of answers. We will publish for answers.

From martin.rublik at gmail.com Fri Nov 28 00:36:07 2014
From: martin.rublik at gmail.com (Martin Rublik)
Date: Fri, 28 Nov 2014 09:36:07 +0100
Subject: Microsoft Root Certificate Bundle, where?
In-Reply-To:
References: <54743913.10202@gmail.com>
Message-ID: <547833F7.9080005@gmail.com>

On 26. 11. 2014 4:19, grarpamp wrote:
> On Tue, Nov 25, 2014 at 3:08 AM, Martin Rublik wrote:
>> This might help http://unmitigatedrisk.com/?p=259 also check
>
> That seems to reference old MS cert distribution models
> and cert data stores. And uses cloudflare captcha.

I'm sorry if I provided outdated information. Anyway I think that
Microsoft still uses CTLs in order to update the trust store. For the
reference see for example https://support.microsoft.com/kb/2677070 or
https://technet.microsoft.com/en-us/library/security/2982792.aspx

CTLs can be downloaded using any browser on these URLs:
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab

Unfortunately, the CTL does not contain entire certificate only its
hash, but using the link provided you can download the certificates.

If you have a Windows machine with certutil you can parse and download
the CTL with a simple powershell script:

certutil -dump .\authroot.stl | findstr "Identifier:" | ForEach-Object -Process {
    # take the text after "Identifier:" and remove the spaces
    $caCertSKI=$_.split(":")[1].Replace(" ","")
    # echo the identifier, then fetch the certificate published under that name
    $caCertSKI
    Invoke-WebRequest "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/$caCertSKI.crt" -OutFile "$caCertSKI.crt"}

Martin

From cathalgarvey at cathalgarvey.me Fri Nov 28 05:52:17 2014
From: cathalgarvey at cathalgarvey.me (Cathal Garvey)
Date: Fri, 28 Nov 2014 13:52:17 +0000
Subject: POTUS jammin'
In-Reply-To:
References: <5457dba0.0406e00a.2c33.ffff8758@mx.google.com> <20141126221127.C1CA4228191@palinka.tinho.net> <54766c3a.0334e00a.4aff.37ab@mx.google.com> <547674D8.4070001@entersection.org>
Message-ID: <54787E11.7080402@cathalgarvey.me>

To clarify on your "complexity" argument, are you saying that the
POTUS-parade may be employing technology that detects other devices by
their output signatures, then fires a noise-beam specifically at them to
maximise power delivery and minimise energy costs/unnecessary interference?

If that were the case, then a shielded, passive receiver ought to be OK,
would that not include a HAM radio in listen-only mode? (<- Knows little
about HAM) ->So, did OP broadcast much prior to the interference, or was
their rig poorly shielded?

For my part, I just doubt they're using intelligent jamming because cost
isn't really a factor in their requirements, is it? They can just blare
out on all the frequencies they care about, and strong-arm providers at
other spectra to blackzone the region. How much power is needed to jam
at the frequency band you described? We're talking about a cavalcade
that could, if they considered it necessary, employ a portable nuke!
Power ain't a limiting factor! :)

On 28/11/14 08:46, coderman wrote:
>> On Wed, Nov 26, 2014 at 7:48 PM, Gregory Foster
>> wrote:
>>> Did Dan Geer just troll Juan for the holidays?
>
> we all celebrate in preferred personal ways,
> :P
>
>
> On 11/27/14, grarpamp wrote:
>> Jammin is crypto, on topic...
>> So continuing on topic...
>> I'd bet there are papers somewhere about the difficulty in jammin
>> true spread spectrum crypto stuff. Perhaps HERFing
>> the receiver junction is better option if in range.
>
> here's the game:
> a. you control power
> b. you control range
> c. you control complexity
>
>
> so spreading spectrum farther, gets you lobes outside selective denial
> of service. but range can also extend to beam form in addition to beam
> width.
>
> power, of course, a similar game of effort - rise above the elevated
> noise floor for the win.
>
> a different type of attack and avoidance, in coding complexity, even
> up to logical protocol DoS.
>
> thus, to be the most difficult to deter, you would max all three: very
> high powered, very wide band,complex coded and efficient cognitive
> links over MIMO beam forming foundation.
>
> not long ago such requirements were comical. recently they became
> economically not completely infeasible.
>
> one day, eminently portable.. :)
>
>
> best regards and nazi holidays,
>

From coderman at gmail.com Fri Nov 28 16:59:50 2014
From: coderman at gmail.com (coderman)
Date: Fri, 28 Nov 2014 16:59:50 -0800
Subject: POTUS jammin'
In-Reply-To: <54787E11.7080402@cathalgarvey.me>
References: <5457dba0.0406e00a.2c33.ffff8758@mx.google.com> <20141126221127.C1CA4228191@palinka.tinho.net> <54766c3a.0334e00a.4aff.37ab@mx.google.com> <547674D8.4070001@entersection.org> <54787E11.7080402@cathalgarvey.me>
Message-ID:

On 11/28/14, Cathal Garvey wrote:
> To clarify on your "complexity" argument, are you saying that the
> POTUS-parade may be employing technology that detects other devices by
> their output signatures, then fires a noise-beam specifically at them to
> maximise power delivery and minimise energy costs/unnecessary interference?

to clarify, the POTUS jammin' described by OP is a simple, and brute case.

however, there is precedent for "intelligent jamming", where attempts
to avoid the specific DoS using wide band, complex encoding would be
met with a specific wide-band, complex response telling you to get
stuffed.

these systems cooperate together, and surely countermeasures are in
place if you evade the trivial measures.

note that avoiding POTUS jammin' is a violation of FCC regs, #include
etc,...

> If that were the case, then a shielded, passive receiver ought to be OK,

a shielded, passive receiver would be overwhelmed by the brute flood.

> For my part, I just doubt they're using intelligent jamming because cost
> isn't really a factor in their requirements, is it? They can just blare
> out on all the frequencies they care about,

yup.

> How much power is needed to jam
> at the frequency band you described? We're talking about a cavalcade
> that could, if they considered it necessary, employ a portable nuke!
> Power ain't a limiting factor! :)

they probably use a few tens of watts EIRP at most, unless they need
to react to a perceived threat to penetrate that barrier. military
systems go to many thousands of watts.

best regards,

From coderman at gmail.com Fri Nov 28 18:09:20 2014
From: coderman at gmail.com (coderman)
Date: Fri, 28 Nov 2014 18:09:20 -0800
Subject: WhisperSystems + WhatsApp
In-Reply-To: <7747702.P3C0aqJKYt@lapuntu>
References: <2429476.9jgn6LQJC8@lapuntu> <20141119234030.GH5226@hexapodia.org> <7747702.P3C0aqJKYt@lapuntu>
Message-ID:

On 11/28/14, rysiek wrote:
>
> There will always be different approaches to such things...
> ... The demarcation line is *not* clear and depends heavily
> on circumstances.

for my second act as devil's advocate,
i declare that it is unreasonable to demand users recognize or
understand a threat model.

thus every system must be engineered to withstand the most difficult
and well resourced threats, such that a solution covers all threat
models sufficiently.

how can making it even harder, make it simpler?

well, that's the trick, isn't it? :)

best regards,

From adi at hexapodia.org Fri Nov 28 20:00:10 2014
From: adi at hexapodia.org (Andy Isaacson)
Date: Fri, 28 Nov 2014 20:00:10 -0800
Subject: WhisperSystems + WhatsApp
In-Reply-To:
References: <2429476.9jgn6LQJC8@lapuntu> <20141119234030.GH5226@hexapodia.org> <7747702.P3C0aqJKYt@lapuntu>
Message-ID: <20141129040010.GD5226@hexapodia.org>

On Fri, Nov 28, 2014 at 06:09:20PM -0800, coderman wrote:
> for my second act as devil's advocate,
> i declare that it is unreasonable to demand users recognize or
> understand a threat model.
>
> thus every system must be engineered to withstand the most difficult
> and well resourced threats, such that a solution covers all threat
> models sufficiently.

Agreed on the first point, disagree on the second.

Any system that claims to be secure will attract uses that are
inappropriate to its assumptions. Documentation is not enough to
dissuade this.

A colleague and I, both interested in modern cryptographic systems,
started to collaborate on a new project, using Pond. Months later, we
realized that we had communicated useful information early on, over Pond
exclusively, and the "social norm that communications are deleted after
a few days" resulted in us losing important notes about the early days
of our project.

Even though it was clearly documented and I had simultaneously advocated
Pond to other experimental users for exactly this feature, I didn't
think through the consequences of this design feature for my use case.
I didn't even realize that I *had* a use case, until much later.

For this scenario, it turns out we wanted a modern secure communication
system more like Prate, https://github.com/kragen/prate . Except
perhaps with email-sized-message semantics rather than chat semantics
(or email in addition to chat?).

Generalizing from this specific example, you can find many other
examples of a security system being used outside of its designed
envelope.

ssh is widely used for login to ephemeral hosts, reducing TOFU to
single session duration. ssh is used with github as merely a
bidirectionally-key-authenticated transport layer ("git clone git at
github.com:kragen/prate") rather than its original remote shell purpose.
HTTPS x509 DV certificates have the mostly vestigial x.500 (iirc?)
Location/organization/etc naming support, the CN/sAN fields being
nearly the only operative ones. HTTPS virtually never uses the many
varied client authentication mechanisms supported in TLS (client
certificates, SRP, etc), instead Rails and the many other web-app
frameworks implement user authentication over the top using passwords
and cookies etc.

-andy

From jd.cypherpunks at gmail.com Fri Nov 28 12:08:30 2014
From: jd.cypherpunks at gmail.com (jd.cypherpunks at gmail.com)
Date: Fri, 28 Nov 2014 21:08:30 +0100
Subject: [cryptography] What Is Good Encryption Software?
In-Reply-To:
References:
Message-ID: <818562C1-FE88-4343-8BF3-62B612A0B07F@gmail.com>

Looking for Perfect Cryptography: The One-Time Pad
http://www.cs.utsa.edu/~wagner/laws/pad.html

Simple and Secure. Have Fun!

--Michael

From rysiek at hackerspace.pl Fri Nov 28 14:42:24 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Fri, 28 Nov 2014 23:42:24 +0100
Subject: WhisperSystems + WhatsApp
In-Reply-To:
References: <2429476.9jgn6LQJC8@lapuntu> <20141119234030.GH5226@hexapodia.org>
Message-ID: <7747702.P3C0aqJKYt@lapuntu>

On Friday, 28 November 2014 01:07:36 coderman wrote:
> On 11/19/14, Andy Isaacson wrote:
> > ...
> > Have you heard of the phrase "harm reduction"? You can't solve a
> > social/technical problem by insisting that only perfect solutions are
> > acceptable.
> > You must provide incremental solutions that can be part of
> > a broad based move from the horrible place where we are now, towards a
> > more safe future.
>
> i used to agree with this, and then i realized this is bad advice if
> incremental improvements are resulting in less security over time.
>
> said another way, if you are currently falling behind quickly, by not
> moving, then moving ahead at a walk just means you fail less soon than
> others.
>
> everyone ends up in fail, however.

Still, I prefer to land in fail less soon; maybe in the meantime somebody
*does* find a perfect solution I can switch to? For the time being it still
makes sense to make sure I fail "the least soon" as I can.

> > I mean, *you* can do whatever you want, but users are going to ignore
> > solutions that don't connect to where they are today. "Incremental
> > steps with continuous improvement" is a model for advice that actually
> > works in improving outcomes for real populations. "Burn everything to
> > the ground and start over" is a model for advice that lets activists
> > maintain ideological purity without dirtying their hands with actual
> > people's actual problems.
>
> i think this is only true if the magnitude of broken and incompetent
> crushes you into inaction.
>
> if instead it spurs you to build, for years, on something of a solid
> base, then criticism must be deferred until that base is put to the
> test.

Well, "criticism" maybe, but then again should you be busy building your
perfect solution from ground up, instead of criticising other people's
temporary solutions today? ;)

> of course, my time spent writing rebuttal subtracted from the time
> best applied proving or denying in practice, arm chair theory inviting
> as it is...

Ah, yes. There we are. :)

There will always be different approaches to such things. Sometimes it *does*
make sense to wait for the perfect solution; sometimes it *does* make sense to
use harm reduction techniques.
The demarcation line is *not* clear and depends heavily on circumstances.

Hence, throwing any incomplete solution out just because it's incomplete,
without looking at what a particular threat model is and if maybe, just maybe,
it can lower the threat level to people that would be otherwise completely
exposed, is disingenuous.

--
Regards
rysiek

From coderman at gmail.com Sat Nov 29 02:47:01 2014
From: coderman at gmail.com (coderman)
Date: Sat, 29 Nov 2014 02:47:01 -0800
Subject: WhisperSystems + WhatsApp
In-Reply-To: <20141129040010.GD5226@hexapodia.org>
References: <2429476.9jgn6LQJC8@lapuntu> <20141119234030.GH5226@hexapodia.org> <7747702.P3C0aqJKYt@lapuntu> <20141129040010.GD5226@hexapodia.org>
Message-ID:

On 11/28/14, Andy Isaacson wrote:
> ...
> A colleague and I, both interested in modern cryptographic systems,
> started to collaborate on a new project, using Pond. Months later, we
> realized that we had communicated useful information early on, over Pond
> exclusively, and the "social norm that communications are deleted after
> a few days" resulted in us losing important notes about the early days
> of our project.
>
> Even though it was clearly documented and I had simultaneously advocated
> Pond to other experimental users for exactly this feature, I didn't
> think through the consequences of this design feature for my use case.
> I didn't even realize that I *had* a use case, until much later.

an interesting anecdote. friends and i had prior moved to
configurations with explicitly no logging (a change from defaults,
since OTR in most clients would log to disk by default)

a change to pond no different, as prior expectations assumed no persistence...

> For this scenario, it turns out we wanted a modern secure communication
> system more like Prate, https://github.com/kragen/prate .

we ended up on random etherpads on a trusted host. (e.g. one of our own).

> Generalizing from this specific example, you can find many other
> examples of a security system being used outside of its designed
> envelope.

very true; evokes Gibson:
“The street finds its own uses for things.”

(and in the example above, the URI itself the authenticator for the
random pad...)

best regards,

From juan.g71 at gmail.com Sat Nov 29 12:29:51 2014
From: juan.g71 at gmail.com (Juan)
Date: Sat, 29 Nov 2014 17:29:51 -0300
Subject: POTUS jammin'
In-Reply-To:
References: <5457dba0.0406e00a.2c33.ffff8758@mx.google.com> <20141126221127.C1CA4228191@palinka.tinho.net> <54766c3a.0334e00a.4aff.37ab@mx.google.com> <547674D8.4070001@entersection.org> <54787E11.7080402@cathalgarvey.me>
Message-ID: <547a2c49.d4178c0a.2097.2af3@mx.google.com>

On Fri, 28 Nov 2014 16:59:50 -0800 coderman wrote:

> > If that were the case, then a shielded, passive receiver ought to
> > be OK,
>
> a shielded, passive receiver would be overwhelmed by the brute flood.
>
>

Excuse my ignorance, but wouldn't a shielded receiver be a
useless receiver? If you shield a receiver from a jamming
signal, you are also shielding it from the signal you want to
receive? What am I missing?

From wilfred at vt.edu Sat Nov 29 22:19:11 2014
From: wilfred at vt.edu (Wilfred Guerin)
Date: Sat, 29 Nov 2014 20:19:11 -1000
Subject: POTUS jammin'
In-Reply-To:
References:
Message-ID:

recall http://pastebin.com/Sf1Y2MLu

the forward sar is designed for road intercept at speed, recall russian
pm was knocked semi-conscious and chinese pm induced vomiting at apec
honolulu, seated in limo directly in front of usa suv w/ aegis class
weapon control, uwb diverse modes.
On Sunday, November 2, 2014, coderman wrote: > https://twitter.com/mattblaze/status/529055344191111169 > > Fired up a spectrum analyzer as POTUS motorcade went by. Definitely > wideband jamming from lead WHCA vehicle. (& it unpaired my BT headset) > > I had been skeptical of reports that they routinely use jammers, but > there was strong wideband noise from abt 700mhz to beyond 2.5 GHz. > > VHF was quite clean, which is where most sec svc traffic is. > > ... it seemed to be about half a block. > > --- > > ultra-wide-band SDR to the rescue? (60Ghz MIMO or bust!) > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1290 bytes Desc: not available URL: From wilfred at vt.edu Sat Nov 29 22:38:24 2014 From: wilfred at vt.edu (Wilfred Guerin) Date: Sat, 29 Nov 2014 20:38:24 -1000 Subject: ODNI Jammin' (Shill Kooks) Message-ID: > > DNI Alexander W. Joel CLPO formerly General Counsel of CIA (yes, those > torture authorizations) is first cousin of notorious belly-dancer Jill > Kelley of Tampa who 'did' CIA Petraeus "out with a bang" by way of his > uncle FBI GC Patrick W Kelley (brother David Kelley of NSA Ft Gordon 1988, > Y2K & disa, ncs) and grandfather Clarence M Kelley (FBI Nixon) and cousin > Sean M Joyce the black money 9/11 FBI guy .. 6/745 terrorist thugs > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 570 bytes Desc: not available URL: From wilfred at vt.edu Sat Nov 29 22:51:52 2014 From: wilfred at vt.edu (Wilfred Guerin) Date: Sat, 29 Nov 2014 20:51:52 -1000 Subject: ODNI Jammin' (Shill Kooks) In-Reply-To: References: Message-ID: Sean M Joyce: sister Dot Joyce (Boston Massacre) uncle Patrick W Kelley (FBI OIC "Privacy", CALEA) & David Kelley (Jill Kelley, head of Y2K) -- Clarence M Kelley (FBI Nixon) former wife Vida G Bottom FBI SAC Honolulu who ran Snowden as Insider-Threat demonstrations after hand-off from CIA Gen. 
Kelley who ran Dell Computer Japan operation now boyfriend of Pierre Omidyar after ebay, oracle, microsoft, etc extortion as head of pre-cyber for silicon valley in 1990s and led government corruption / white collar crime sting known as 9/11 - Joyce may also be boyfriend of Gordon M Snow who wrote storyline for 9/11 as Pat(sie) Kelley is flagarantly homosexual On Saturday, November 29, 2014, Wilfred Guerin wrote: > DNI Alexander W. Joel CLPO formerly General Counsel of CIA (yes, those >> torture authorizations) is first cousin of notorious belly-dancer Jill >> Kelley of Tampa who 'did' CIA Petraeus "out with a bang" by way of his >> uncle FBI GC Patrick W Kelley (brother David Kelley of NSA Ft Gordon 1988, >> Y2K & disa, ncs) and grandfather Clarence M Kelley (FBI Nixon) and cousin >> Sean M Joyce the black money 9/11 FBI guy .. 6/745 terrorist thugs >> > -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: text/html Size: 1546 bytes Desc: not available URL: From coderman at gmail.com Sat Nov 29 23:30:49 2014 From: coderman at gmail.com (coderman) Date: Sat, 29 Nov 2014 23:30:49 -0800 Subject: POTUS jammin' In-Reply-To: <547a2c49.d4178c0a.2097.2af3@mx.google.com> References: <5457dba0.0406e00a.2c33.ffff8758@mx.google.com> <20141126221127.C1CA4228191@palinka.tinho.net> <54766c3a.0334e00a.4aff.37ab@mx.google.com> <547674D8.4070001@entersection.org> <54787E11.7080402@cathalgarvey.me> <547a2c49.d4178c0a.2097.2af3@mx.google.com> Message-ID: On 11/29/14, Juan wrote: > ... > Excuse my ignorance, but wouldn't a shielded receiver be a > useless receiver? not a bad question; you don't appreciate variable attenuation until you've used it effectively to locate an emitter or test specific boundary conditions. also note that shielding may be partial to eliminate or deflect emissions from a given direction. 

best regards,

From ryacko at gmail.com Sun Nov 30 00:55:12 2014
From: ryacko at gmail.com (Ryan Carboni)
Date: Sun, 30 Nov 2014 00:55:12 -0800
Subject: [tor-talk] [Cryptography] Blogpost: CITAS, a new FBI security program proposal
Message-ID:

While my analogy and definition of security may not have been best
suited, nor is this reply, the point remains that there is nothing
special here for you as a corp. Anything you say that LE can provide
for *you* with honeypots can also be sourced internally or from the
open market and your subsequent call to LE to mop up upon discovery
of badness therein.

Revolutionary concept... but businesses could work together on their
own initiative. It's how inter-bank checking began.

From cathalgarvey at cathalgarvey.me Sun Nov 30 02:20:39 2014
From: cathalgarvey at cathalgarvey.me (Cathal (Phone))
Date: Sun, 30 Nov 2014 10:20:39 +0000
Subject: POTUS jammin'
In-Reply-To:
References: <5457dba0.0406e00a.2c33.ffff8758@mx.google.com> <20141126221127.C1CA4228191@palinka.tinho.net> <54766c3a.0334e00a.4aff.37ab@mx.google.com> <547674D8.4070001@entersection.org> <54787E11.7080402@cathalgarvey.me> <547a2c49.d4178c0a.2097.2af3@mx.google.com>
Message-ID: <3F8E9EF8-50CD-4E4D-BF6A-71441D33516B@cathalgarvey.me>

Yea, I was referring to emissions shielding, so that when in "receive"
mode there is little or no signal output from the device that can
indicate its presence to a targeted jammer.

On 30 November 2014 07:30:49 GMT+00:00, coderman wrote:
>On 11/29/14, Juan wrote:
>> ...
>> Excuse my ignorance, but wouldn't a shielded receiver be a
>> useless receiver?
>
>not a bad question;
> you don't appreciate variable attenuation until you've used it
>effectively to locate an emitter or test specific boundary conditions.
>
>also note that shielding may be partial to eliminate or deflect
>emissions from a given direction.
>
>best regards,

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.

From lists at infosecurity.ch Sun Nov 30 01:55:07 2014
From: lists at infosecurity.ch (Fabio Pietrosanti (naif) - lists)
Date: Sun, 30 Nov 2014 10:55:07 +0100
Subject: VeraCrypt Trustworthiness?
Message-ID: <547AE97B.6040101@infosecurity.ch>

Yo,

a friendly human rights lawyer just asked me for an opinion on
VeraCrypt's Trustworthiness.

I never heard about such project: https://veracrypt.codeplex.com/

Does the community have some critics or favorable opinion about that, in
place of truecrypt?

--
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - https://globaleaks.org - https://tor2web.org - https://ahmia.fi

From tony.arcieri at gmail.com Sun Nov 30 15:42:23 2014
From: tony.arcieri at gmail.com (Tony Arcieri)
Date: Sun, 30 Nov 2014 15:42:23 -0800
Subject: [Cryptography] Toxic Combination
In-Reply-To: <1417388305.1370157.197062997.275205C6@webmail.messagingengine.com>
References: <547B9253.3060908@witmond.nl> <1417388305.1370157.197062997.275205C6@webmail.messagingengine.com>
Message-ID:

On Sun, Nov 30, 2014 at 2:58 PM, Alfie John wrote:

> I think a better solution would be something like implementing Digest
> Authentication (RFC 2069, but replacing MD5 with something like AES-256
> and allow it to be upgradable) in the browser. The password field value
> would then be replaced with the value from the DA call and no secrets
> would be leaked. This solution would get way faster adoption.

There's also the FIDO Alliance's Universal Authentication Factor:

http://fidoalliance.org/specs/fido-uaf-overview-v1.0-rd-20140209.pdf

--
Tony Arcieri

From jya at pipeline.com Sun Nov 30 13:07:00 2014
From: jya at pipeline.com (John Young)
Date: Sun, 30 Nov 2014 16:07:00 -0500
Subject: Encryption Experts and Snake Oilers Quacking Like Governments
Message-ID:

Capitalizing on the comsec frenzy, several sites, probably many,
are offering to encrypt for those who do not want to install programs
or find them too difficult to use. All appear to promise that no
records, private and public keys, email addresses or content will be
kept. Trust them.

For example, here's one used to send encrypted messages:

https://www.igolder.com/pgp/encryption/

This approach suggests that the renewed crypto wars have again
bred a new round of opportunities to beguile those who yearn
for comsec but do not know how to get it, nor how to evaluate
the offerings, in particular those provided by US producers
which they doubt are free of government manipulation.

But they also doubt that any cryptosystem is free of that, thanks
to the NSA revelations of global cooperation among nations to
do what NSA does, and the failure of crypto experts and firms
to fully disclose their aid to governments, before and after
Snowden's revelations.

So the downside of Snowden's revelations is that there is
considerable suspicion that all crypto is compromised, and,
worse, that snake oil is not really different from the good stuff
for the ordinary user who lacks the technical skills to distinguish
them. And that comsec experts are in league with authorities
to dupe the public by excessive warning of snake oil to peddle
their own offerings, that is, experts and snake oilers are doing
what governments do.

Trust Snowden, trust experts, trust governments, but distrust
snake oil. Wait, users say, how can we tell the difference when
they all quack like ducks.

From gfoster at entersection.org Sun Nov 30 14:49:05 2014
From: gfoster at entersection.org (Gregory Foster)
Date: Sun, 30 Nov 2014 16:49:05 -0600
Subject: RU Sirius on Cypherpunks (2013)
Message-ID: <547B9EE1.1010205@entersection.org>

The Verge (Mar 7, 2013) - "Cypherpunk rising: WikiLeaks, encryption, and
the coming surveillance dystopia" by @StealThisSingul:
http://www.theverge.com/2013/3/7/4036040/cypherpunks-julian-assange-wikileaks-encryption-surveillance-dystopia

> EARLY CYPHERPUNK IN FACT AND FICTION
> CYPHERPUNK WAS BOTH AN EXCITING NEW VISION FOR SOCIAL CHANGE AND A FUN SUBCULTURE DEDICATED TO MAKING IT HAPPEN
>
> Flashback: Berkeley, California 1992. I pick up the ringing phone. My writing partner, St. Jude Milhon, is shouting down the line: "I’ve got it! Cypherpunk!"

gf

--
Gregory Foster || gfoster at entersection.org
@gregoryfoster <> http://entersection.com/

From rysiek at hackerspace.pl Sun Nov 30 11:59:08 2014
From: rysiek at hackerspace.pl (rysiek)
Date: Sun, 30 Nov 2014 20:59:08 +0100
Subject: VeraCrypt Trustworthiness?
In-Reply-To: <547AE97B.6040101@infosecurity.ch>
References: <547AE97B.6040101@infosecurity.ch>
Message-ID: <2937890.u4g8Kt8zPu@lapuntu>

On Sunday, 30 November 2014 10:55:07 Fabio Pietrosanti - lists wrote:
> Yo,
>
> a friendly human rights lawyer just asked me for an opinion on
> VeraCrypt's Trustworthiness.
>
> I never heard about such project: https://veracrypt.codeplex.com/

CodePlex? I'll pass.

--
Regards
rysiek

From cyberkiller8 at gmail.com Sun Nov 30 23:18:43 2014
From: cyberkiller8 at gmail.com (Łukasz 'Cyber Killer' Korpalski)
Date: Mon, 01 Dec 2014 08:18:43 +0100
Subject: VeraCrypt Trustworthiness?
In-Reply-To: <2937890.u4g8Kt8zPu@lapuntu>
References: <547AE97B.6040101@infosecurity.ch> <2937890.u4g8Kt8zPu@lapuntu>
Message-ID: <547C1653.6060609@gmail.com>

On 30.11.2014 at 20:59, rysiek wrote:
> On Sunday, 30 November 2014 10:55:07 Fabio Pietrosanti - lists wrote:
>> Yo,
>>
>> a friendly human rights lawyer just asked me for an opinion on
>> VeraCrypt's Trustworthiness.
>>
>> I never heard about such project: https://veracrypt.codeplex.com/
>
> CodePlex? I'll pass.
>

Judging by the screenshots it looks just like a rebranded Truecrypt. I'd
keep away too.

--
Łukasz "Cyber Killer" Korpalski

mail: cyberkiller8 at gmail.com
xmpp: cyber_killer at jabster.pl
site: http://website.cybkil.cu.cc
gpgkey: 0x72511999 @ hkp://keys.gnupg.net

//When replying to my e-mail, kindly please
//write your message below the quoted text.

From alfiej at fastmail.fm Sun Nov 30 14:58:25 2014
From: alfiej at fastmail.fm (Alfie John)
Date: Mon, 01 Dec 2014 09:58:25 +1100
Subject: [Cryptography] Toxic Combination
In-Reply-To: <547B9253.3060908@witmond.nl>
References: <547B9253.3060908@witmond.nl>
Message-ID: <1417388305.1370157.197062997.275205C6@webmail.messagingengine.com>

On Mon, Dec 1, 2014, at 08:55 AM, Guido Witmond wrote:
> I'm starting to consider the combination of current best practice with
> server certificates and password to be a Toxic Combination.
>
> The general issue is twofold:
>
> People need to validate the authenticity of a site before typing in
> their password;
>
> The password gets transmitted to the other party.

And this is taken advantage of every day by phishing attacks. However
although your solution of setting up DNSSEC and DANE is the _correct_
solution, it's just too complex and hard to get right for a lot of
system admins so it's not going to get uptake - just look at how PGP is
also the _correct solution_ for encrypting messages and yet has not had
the uptake since 1991!

I think a better solution would be something like implementing Digest
Authentication (RFC 2069, but replacing MD5 with something like AES-256
and allow it to be upgradable) in the browser. The password field value
would then be replaced with the value from the DA call and no secrets
would be leaked. This solution would get way faster adoption.

Alfie

> Most people assume that if it looks like their bank and the address bar
> is green then it should be safe. Regrettably, it’s not. Criminals obtain
> valid certificates using stolen creditcards and passports. The true
> method for authenticating a site requires verification of server
> certificate fingerprints. And if you don’t know what that means, you
> have to spot the spelling errors, the differences in layout and other
> mistakes to detect the scammers. Good luck!
>
> The second part is just as problematic: The password must remain secret,
> yet it must be transmitted to the other side to log in.
>
> This is the Toxic Combination. One failure to detect a scammer’s site
> and the password is compromised. The scammers can do everything that you
> can do with the password.
>
>
> [promo]
>
> For more information, please see:
>
> http://eccentric-authentication.org/blog/2014/11/30/spot-the-differences.html
>
> http://eccentric-authentication.org/Usable-Security.pdf
>
> [/promo]

--
Alfie John
alfiej at fastmail.fm
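
Added illustration, not part of any message in this archive and not code from any project named in it: the RFC 2069-style digest exchange discussed in the last message, showing that the login message carries a nonce-bound hash rather than the password, so a value captured by a look-alike site is useless against the real server later. The `DigestServer` class, the `bank.example` realm, the credentials and the use of SHA-256 as the replaceable hash are assumptions made for this example.

```python
"""Digest-style challenge/response: the password never crosses the wire."""
import hashlib
import hmac
import secrets

# MD5 is the hash RFC 2069 specifies; SHA-256 is an assumed upgrade, selected
# through the "algorithm" field so the hash can be replaced again later.
ALGORITHMS = {"MD5": hashlib.md5, "SHA-256": hashlib.sha256}


def h(algorithm, text):
    return ALGORITHMS[algorithm](text.encode("utf-8")).hexdigest()


def ha1(algorithm, user, realm, password):
    """H(user:realm:password): what the server stores instead of the password."""
    return h(algorithm, f"{user}:{realm}:{password}")


def digest_response(algorithm, ha1_hex, nonce, method, uri):
    """RFC 2069 form: H(HA1:nonce:HA2) with HA2 = H(method:uri)."""
    ha2 = h(algorithm, f"{method}:{uri}")
    return h(algorithm, f"{ha1_hex}:{nonce}:{ha2}")


class DigestServer:
    """Hypothetical server side: issues one-time nonces and checks responses."""

    def __init__(self, realm, algorithm="SHA-256"):
        self.realm = realm
        self.algorithm = algorithm
        self._ha1 = {}              # username -> HA1
        self._open_nonces = set()   # nonces issued and not yet used

    def register(self, user, password):
        self._ha1[user] = ha1(self.algorithm, user, self.realm, password)

    def challenge(self):
        nonce = secrets.token_hex(16)
        self._open_nonces.add(nonce)
        return {"realm": self.realm, "nonce": nonce, "algorithm": self.algorithm}

    def verify(self, method, msg):
        nonce = msg.get("nonce")
        if nonce not in self._open_nonces:
            return False                      # never issued here, or already used
        self._open_nonces.discard(nonce)      # one login attempt per nonce
        stored = self._ha1.get(msg.get("username"))
        if stored is None:
            return False
        expected = digest_response(self.algorithm, stored, nonce,
                                   method, msg.get("uri", ""))
        return hmac.compare_digest(expected, msg.get("response", ""))


def client_answer(challenge, user, password, method, uri):
    """What the browser would send: every field is public except 'response'."""
    algorithm = challenge["algorithm"]
    a1 = ha1(algorithm, user, challenge["realm"], password)
    return {
        "username": user,
        "realm": challenge["realm"],
        "nonce": challenge["nonce"],
        "uri": uri,
        "algorithm": algorithm,
        "response": digest_response(algorithm, a1, challenge["nonce"], method, uri),
    }


def demo():
    user, password = "alice", "correct horse battery staple"   # constructed
    bank = DigestServer("bank.example")
    bank.register(user, password)

    # Normal login, then the same message sent a second time.
    msg = client_answer(bank.challenge(), user, password, "POST", "/login")
    login_ok = bank.verify("POST", msg)
    replay_ok = bank.verify("POST", msg)

    # The user answers a challenge shown by a look-alike site instead.
    fake = {"realm": "bank.example", "nonce": secrets.token_hex(16),
            "algorithm": "SHA-256"}
    captured = client_answer(fake, user, password, "POST", "/login")
    captured_ok = bank.verify("POST", captured)        # nonce not issued by bank

    # Same captured response re-labelled with a nonce the bank did issue.
    relabelled = dict(captured, nonce=bank.challenge()["nonce"])
    nonce_swap_ok = bank.verify("POST", relabelled)    # hash no longer matches

    return {
        "login_ok": login_ok,
        "replay_ok": replay_ok,
        "captured_ok": captured_ok,
        "nonce_swap_ok": nonce_swap_ok,
        "password_on_wire": any(password in str(v) for v in captured.values()),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A captured response can still be guessed against offline if the password is weak, and nothing in the exchange authenticates the site to the user, so this covers only the "password gets transmitted" half of the two-part problem quoted from Guido Witmond.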