[liberationtech] Secure alternatives to Dropbox?
Web Admin
webadmin at cpj.org
Wed Aug 14 14:01:52 PDT 2013
Libtech,
With all the breaches that services like Dropbox have, some people suggest
that creating your own cloud storage system is a way to avoid all that.
I've heard of PogoPlug (https://pogoplug.com), which you can use to store
all your data on an external hard drive and access it via a web interface
or see the drive as another volume on your computer. I've also read about
OwnCloud (http://owncloud.org), which lets you install open source
software on a web server of your choice.
Are either of these services a more secure alternative to 3rd party
services like Dropbox? My reasoning is that a hacker would first need to
know you host your own cloud in a particular way to attack it. Is my
thinking too simplistic? Are there other services to consider? Activists
and journalists are the typical groups who use Dropbox, not considering
the risks they are taking. It would be good to be able to advise folks on
more secure alternatives, if they exist. I'm looking for options that are
easy to use; many journalists/activists won't use something complicated
(which is of course an issue).
Any thoughts/criticism welcome. Thank you.
On 8/13/13 5:55 PM, "liberationtech-request at lists.stanford.edu"
<liberationtech-request at lists.stanford.edu> wrote:
>Send liberationtech mailing list submissions to
> liberationtech at lists.stanford.edu
>
>To subscribe or unsubscribe via the World Wide Web, visit
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>or, via email, send a message with subject or body 'help' to
> liberationtech-request at lists.stanford.edu
>
>You can reach the person managing the list at
> liberationtech-owner at lists.stanford.edu
>
>When replying, please edit your Subject line so it is more specific
>than "Re: Contents of liberationtech digest..."
>
>
>Today's Topics:
>
> 1. Iran's Internet and the Politics of a New President
> (Collin Anderson)
> 2. Re: In defense of client-side encryption (Tom O)
> 3. Re: In defense of client-side encryption (Steve Weis)
> 4. Re: Does anyone know a celebrity who feels strongly about
> privacy issues? (Kyle Maxwell)
> 5. Re: In defense of client-side encryption (Arjen Kamphuis)
> 6. Re: Does anyone know a celebrity who feels strongly about
> privacy issues? (Tony Arcieri)
> 7. Re: rsync.net Warrant Canary (adrelanos)
> 8. Re: rsync.net Warrant Canary (adrelanos)
> 9. Re: rsync.net Warrant Canary (Ali-Reza Anghaie)
> 10. Adam Curtis on the nature of espionage (Gregory Foster)
> 11. Re: rsync.net Warrant Canary (Gregory Maxwell)
> 12. Is spideroak really zero-knowledge? (Percy Alpha)
> 13. Re: rsync.net Warrant Canary (Noon Silk)
> 14. Re: Is spideroak really zero-knowledge? (Tom O)
> 15. Re: Is spideroak really zero-knowledge? (Tony Arcieri)
> 16. Re: Is spideroak really zero-knowledge? (Percy Alpha)
> 17. Re: Is spideroak really zero-knowledge? (Percy Alpha)
> 18. Re: Is spideroak really zero-knowledge? (Patrick Mylund Nielsen)
> 19. Re: Is spideroak really zero-knowledge? (Tony Arcieri)
> 20. Re: Is spideroak really zero-knowledge? (Tom O)
> 21. Re: Is spideroak really zero-knowledge? (Percy Alpha)
> 22. Re: Can JavaScript cryptography be trusted? (was: In defense
> of client-side encryption) (Nadim Kobeissi)
> 23. Re: Is spideroak really zero-knowledge? (Tony Arcieri)
> 24. Re: Lavabit, Silent Circle both shut down (Ralph Holz)
> 25. Re: Does anyone know a celebrity who feels strongly about
> privacy issues? (Michael Rogers)
> 26. Re: Does anyone know a celebrity who feels strongly about
> privacy issues? (David Miller)
> 27. Re: Is spideroak really zero-knowledge? (elijah)
> 28. Re: Lavabit, Silent Circle both shut down (taxakis)
> 29. Re: Petition Google over banning "Servers" on Google Fiber?
> (KheOps)
> 30. Swiss VPNs (was: Re: Lavabit, Silent Circle both shut down)
> (Moritz Bartl)
> 31. Re: Swiss VPNs (was: Re: Lavabit, Silent Circle both shut
> down) (taxakis)
> 32. Re: Swiss VPNs (Moritz Bartl)
> 33. Re: Is spideroak really zero-knowledge? (Patrick Baxter)
> 34. Re: From Snowden's email provider. NSL??? (Reed Black)
> 35. Snowden: Unencrypted Journalist-Source Communications
> "Unforgivably Reckless" (Nadim Kobeissi)
> 36. Re: Does anyone know a celebrity who feels strongly about
> privacy issues? (Lina Srivastava)
> 37. Re: Snowden: Unencrypted Journalist-Source Communications
> "Unforgivably Reckless" (Amaelle G)
> 38. Re: Snowden: Unencrypted Journalist-Source Communications
> "Unforgivably Reckless" (James S. Tyre)
> 39. verifying SSL certs (was Re: In defense of client-side
> encryption (Guido Witmond)) (Andy Isaacson)
> 40. Internet Policy Observatory: Call for Proposals (Collin Anderson)
> 41. Re: Snowden: Unencrypted Journalist-Source Communications
> "Unforgivably Reckless" (Micah Lee)
> 42. Re: Lavabit, Silent Circle both shut down (Arjen Kamphuis)
> 43. Zwiebelfreunde take over popular onion.to Tor gateway
> (Moritz Bartl)
> 44. ICANN and WHOIS reform... (Joseph Lorenzo Hall)
> 45. Re: Does anyone know a celebrity who feels strongly about
> privacy issues? (Francisco Ruiz)
> 46. Re: Does anyone know a celebrity who feels strongly about
> privacy issues? (Francisco Ruiz)
> 47. Re: [Dewayne-Net] Are Hackers the Next Bogeyman Used to Scare
> Americans Into Giving Up More Rights? (Bernard Tyers - ei8fdb)
> 48. Speculation as to what the US government ordered Lavabit to
> do? (Joseph Lorenzo Hall)
> 49. Re: In defense of client-side encryption (Francisco Ruiz)
>
>
>----------------------------------------------------------------------
>
>Message: 1
>Date: Tue, 13 Aug 2013 01:54:43 +0200
>From: Collin Anderson <collin at averysmallbird.com>
>To: "liberationtech at lists.stanford.edu"
> <liberationtech at lists.stanford.edu>
>Subject: [liberationtech] Iran's Internet and the Politics of a New
> President
>Message-ID:
> <CAC+VsLu9o9w03rWrpJZt7WhSG7=9CqMq0p_9O2ETz5r7o+wZRg at mail.gmail.com>
>Content-Type: text/plain; charset="windows-1252"
>
>Libtech,
>
>Some of you might be interested in the latest Small Media Infrastructure
>report, which covers the time between election day and inauguration.
>Unlike
>the prior report, which was heavily technical, this iteration largely
>focuses on the vibrant policy discussion happening around the state
>infrastructure monopoly, the cancelation of the official VPN service, the
>release of the officially banned items list, etc. To promote discourse
>about the expectations and opportunities under Rouhani's administration,
>we
>are planning how to open participation, so if you are interested, please
>get in touch.
>
>http://www.smallmedia.org.uk/sites/default/files/u8/iiipjune.pdf
>
>*In our previous, election edition of the Iranian Internet Infrastructure
>and Policy Report, we document the application and relaxation of controls
>on Internet connectivity and communications timed with the June 14
>Presidential polls. Despite the introduction of new mechanisms to block
>tools used to bypass the filtering mechanism, by July the Internet had
>returned to its previous state of affairs that existed before February.
>From technical assessments and the reports of social media users, VPNs and
>circumvention software appears to operate normally for many, with specific
>restrictions still placed on the Tor network and unconfirmed reports of
>difficulties with Google's Android services and Viber. Conflicting
>accounts
>of blocking (and unblocking), most likely reflect the decentralization of
>some forms of filtering down to the level of ISPs. Whereas Parsonline may
>feel legally authorized to remove restrictions on VPNs, Shatel and others
>may not. This theme follows for throttling, outages, attacks against
>users and the sporadic reports of the unfiltering of social networks that
>have occurred across the month. Consequently, this report focuses on Iran,
>the politics leading up to the transition of presidencies after the
>election and the refocusing of the state on non-technical, legal means of
>policing content.*
>
>
>Cordially,
>Colin
>--
>*Collin David Anderson*
>averysmallbird.com | @cda | Washington, D.C.
>-------------- next part --------------
>An HTML attachment was scrubbed...
>URL:
><http://mailman.stanford.edu/pipermail/liberationtech/attachments/20130813
>/c7de2725/attachment-0001.html>
>
>------------------------------
>
>Message: 2
>Date: Tue, 13 Aug 2013 09:58:33 +1000
>From: Tom O <winterfilth at gmail.com>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] In defense of client-side encryption
>Message-ID:
> <CAH4Aj8o_q1KZMOLmBwjq7WHZQZGPPB6TFMg8dCYM5nn4jmv8bg at mail.gmail.com>
>Content-Type: text/plain; charset="iso-8859-1"
>
>That's not a good enough reason to trust Germany.
>
>They had the capability to create it and the audacity to implement it on
>their own populace.
>
>You know what the outrage taught them, learn to hide your tracks better.
>
>Ensuring privacy is not a requirement of the state anymore, it's the
>responsibility of the citizen.
>
>On Tuesday, August 13, 2013, Arjen Kamphuis wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> On 08/13/2013 12:48 AM, Tom O wrote:
>> > So re Germany bring the bastion of Internet freedom blah blah, are
>> > we all forgetting about the Staatstrojaner?
>>
>> No we are not. But the difference between Germany and many other
>> countries is the outrage and debate such information creates in the
>> country. In the Netherlands when these kinds of things happen everyone
>> just says: 'but I have nothing to hide'.
>>
>> Government assholes can be found in any country. It's how the
>> population responds that makes the difference. When Governor Bush took
>> power in 2000 almost no-one protested. That was a big mistake. 'Drive
>> it like you stole it' says the bumpersticker. And the Bush team did.
>>
>> I'm not saying everything is fine in Deutschland. Compared to any
>> other western countries the population is just much more aware of the
>> importance to say: stop! to their government every now and then.
>> German churches still bear marks from bombs and bullets to remind them
>> what ultimately happens when they don't.
>>
>>
>> - --
>> Met vriendelijke groet/With kind regards,
>> Arjen Kamphuis
>> Gendo B.V.
>>
>> Main: +31 20 891 0330
>> mail: arjen at gendo.ch
>>
>> gendo.ch (website)
>> gendo.nl/blog/arjen (Dutch blog)
>> gendo.ch/en/blog/arjen (English blog)
>>
>> about.me/arjenkamphuis (social media)
>>
>> files.gendo.nl/keys/arjen at gendo.ch.asc (public key)
>> PGP fingerprint:
>> 55FB B3B7 949D ABF5 F31B BA1D 237D 4C50 118A 0EC2
>>
>> Gendo BV Wibautstraat 150, 1091 GR Amsterdam The Netherlands
>> P please consider the environment before printing this email
>> ============================================================
>> This e-mail message and its attachments are subject to the disclaimer
>> published at the following website of Gendo:
>> http://www.gendo.nl/disclaimer Gendo B.V. is registered with the trade
>> register in The Netherlands under number 28116864.
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG v1.4.11 (GNU/Linux)
>> Comment: Using GnuPG with undefined - http://www.enigmail.net/
>>
>> iIcBAEBAgAGBQJSCXSgAAoJECN9TFARig7CNGsQAIr3OTYm9KwQUppBb/Kg77Vc
>> uVpDA6zhi2ThQQEnC/7pel7I45rh/6Z/Onwaerw2FfAbZYpTOJDlC1Z8M/ou9CP5
>> e4zbk17Dmu8UWZovjf5yLg8LyGBf3wPr6rOW2/LafWlQfofkIlUmptiXGWgDcISw
>> A+p9vpUYpDgN3wSjh9IFAAXvxW8MM0dx7Y5s2QBe3jiodHQMoRqX39+BxoArKnr8
>> K3Cc5JuqaWTjUtZ6H/Va4/ltdUkW8cSF4PJEWKmzf/a47W/RYKRALqqsUUU6LJNE
>> JRTRRgFad0VRQw0b9p/EyeYpow5ppjBMw1HUMWCNduHKjhmjC0uSPwEvyzSoAL2b
>> o9RF5xLfR3TW8wQ/Z5vbQXNoR+ePSZCxB8RjRzfZXQxT27iQ6Z2EflTl7jJNkYH4
>> G9+pDrZ+EHTOzS97Qp7dZmaSHsDlRVYHdboRuDmulylEXJgMC/wqRkcltYO8rIu0
>> 06nX9u9CLt0+AqN016hg2KpAa2LNBONq0EZ/0jJq1Ze58bLkaX4YojzGM3U8l3Tx
>> gqVKsUiPovkfJgzXR+lkOJaeJJjHmGnTX4q0qixelS/ck3PDWWr4Gc3ns7JEYkIk
>> cFjNRmK9UZmwt2pdPT86D+Ei2QMAzTLw41yktBdQ3sggNrdXgjkBpMLwDI6cBO1
>> T1kNkzPdjwP3lfEdgCiF
>> =5gIb
>> -----END PGP SIGNATURE-----
>> --
>> Liberationtech is a public list whose archives are searchable on Google.
>> Violations of list guidelines will get you moderated:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
>> Unsubscribe, change to digest, or change password by emailing moderator
>>at
>> companys at stanford.edu.
>>
>-------------- next part --------------
>An HTML attachment was scrubbed...
>URL:
><http://mailman.stanford.edu/pipermail/liberationtech/attachments/20130813
>/70d14440/attachment-0001.html>
>
>------------------------------
>
>Message: 3
>Date: Mon, 12 Aug 2013 17:18:12 -0700
>From: Steve Weis <steveweis at gmail.com>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] In defense of client-side encryption
>Message-ID:
> <CACJAJ59u8=8qoVcUoq4v4O72--jBE7SP8tymh_CT3r1i4vGSUw at mail.gmail.com>
>Content-Type: text/plain; charset="iso-8859-1"
>
>Francisco, you assume that all browsers will save a static version of the
>page identically. This is not the case.
>
>I ran a test using 'wget https://passlok.site44.com' and Chrome's "Save
>As". The former will actually match the hash value you've posted, but the
>latter does not.
>
>I spotted at least 5 differences in Chrome's saved output:
>1. Unicode: wget returned escaped Unicode characters. Chrome saved output
>containing actual Unicode characters. Your suggested method of cutting
>from
>view-source and pasting into a text editor may be unpredictable, and
>dependent on a user's OS and locale.
>2. Relative link re-writing: wget returned relative links. Chrome replaced
>them with absolute links, so that links work locally.
>3. Whitespace: Chrome stripped out some whitespace.
>4. Style rewriting: Chrome replaced some style elements like
>"background-color: #FFA0A0" with "rgb(230, 255, 230);".
>5. Chrome extensions: I have locally installed extensions that modify page
>contents, e.g. AdBlock and DoNotTrackMe. My locally saved copy of Passlok
>had elements that were injected into it by some extensions.
>
>Any of these will break your manual hash validation. These are specific to
>my version of Chrome, but other browsers may alter saved content
>similarly.
>
>To work, you must assume that your user has a local client (say wget or
>curl) that can save a canonical copy of your page without modification.
>Browsers do not guarantee this. Then you must assume the user has a
>locally
>installed tool to compute the hash, like sha256sum or openssl. Then they
>would need to point their browser at the locally downloaded file to
>actually use it.
>
>If you depend on locally installed software outside the browser and use
>local storage, the user is better off just using locally installed
>software
>to do the crypto.
>
>PS - I noticed some oddness glancing through the source. For example, the
>makepub() function strips 6 bits of a Base64-encoded leading 0 for no
>apparent reason. The rest of the code has to remember to keep adding back
>in the missing Base64 character or else it will break. The only reason I
>can think of someone doing this is because they didn't understand why the
>randomly generated Base64 value always started with 'A'.
>
>On Sun, Aug 11, 2013 at 7:37 PM, Francisco Ruiz <ruiz at iit.edu> wrote:
>
>> I still have to read through the references you supply, but I can
>>already
>> see a misconception. They refer to the dangers of carrying out
>>cryptography
>> with javascript-containing dynamic pages. My previous posting referred
>>to
>> _perfectly static_ pages, which are supposed to be always the same
>>coming
>> from the server, not modified by the browser in any way, and which, in
>> fact, you can save and store somewhere safe and never again have to get
>> from the server. I believe the intrinsic security of this kind of
>> javascript code is no different from that of compiled code, which also
>> should be checked for tampering, so long as it uses standard functions
>>that
>> are not likely to be modified in browser updates. Sorry about the
>>confusion.
>>
>>
>-------------- next part --------------
>An HTML attachment was scrubbed...
>URL:
><http://mailman.stanford.edu/pipermail/liberationtech/attachments/20130812
>/4d55201d/attachment-0001.html>
>
>------------------------------
>
>Message: 4
>Date: Mon, 12 Aug 2013 19:29:19 -0500
>From: Kyle Maxwell <kylem at xwell.org>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] Does anyone know a celebrity who feels
> strongly about privacy issues?
>Message-ID:
> <CAESvgEq3gJmyBb3ThkB=NB8+d6qeZZ01E4pT9FB1mZdhA-pi9g at mail.gmail.com>
>Content-Type: text/plain; charset=windows-1252
>
>I didn't know LibTech had become the PassLok development mailing list.
>
>On Mon, Aug 12, 2013 at 6:26 PM, Collin Anderson
><collin at averysmallbird.com> wrote:
>> The problem with occasionally looking at Huffington Post is that I'm
>> subjected to such things...
>>
>> Matt Damon:
>>
>> "He broke up with me," the "Elysium" star said. "There are a lot of
>>things
>> that I really question, you know: the legality of the drone strikes, and
>> these NSA revelations they're, you know, it's like, they're, you know,
>>Jimmy
>> Carter came out and said we don't live in a democracy. That's, that's a
>> little, that's a little intense when an ex-president says that. So, you
>> know, he's got some, some explaining to do, particularly for a
>> constitutional law professor."
>>
>>
>>
>>http://www.huffingtonpost.com/2013/08/09/matt-damon-obama-broke-up-with-m
>>e_n_3732426.html?utm_hp_ref=entertainment
>>
>>
>> On Mon, Aug 12, 2013 at 11:44 PM, Yishay Mor <yishaym at gmail.com> wrote:
>>>
>>> Cory Doctorow
>>>
>>> ----- sent from my phone.
>>>
>>> On Aug 12, 2013 9:33 PM,"Francisco Ruiz" <ruiz at iit.edu> wrote:
>>>>
>>>> Quick request.
>>>>
>>>> In comments to a recent post, people seemed to agree that publishing a
>>>> video of someone reading a hash might be a fairly hard-to-hack way to
>>>> deliver that hash to the public, and thus assure the authenticity of
>>>>a piece
>>>> of code, a public key, or whatnot. The problem is that the sample
>>>>youtube
>>>> video I linked had yours truly reading the hash, and people naturally
>>>> objected that I wasn't Justin Bieber and, consequently, weren't too
>>>> convinced that the video was authentic.
>>>>
>>>> Aside from the fact that an adversary might be able to convince Justin
>>>> Bieber to make a video reading a fake hash (not that I believe Justin
>>>> doesn't care; it's just a hypothesis), the idea of getting a
>>>>celebrity for
>>>> this kind of video has a lot of merit. I'd like to engage one for the
>>>>next
>>>> update of my app.
>>>>
>>>> So, here's my question. Does any one know of a celebrity who cares
>>>>enough
>>>> about computer security to be persuaded to take one minute of his/her
>>>>time
>>>> to read a hash before a camera?
>>>>
>>>> Thanks a million!
>>>>
>>>> --
>>>> Francisco Ruiz
>>>> Associate Professor
>>>> MMAE department
>>>> Illinois Institute of Technology
>>>>
>>>>
>>>>
>>>>PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMap
>>>>JFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok
>>>>
>>>> get the PassLok privacy app at: http://passlok.com
>>>>
>>>> --
>>>> Liberationtech is a public list whose archives are searchable on
>>>>Google.
>>>> Violations of list guidelines will get you moderated:
>>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
>>>>Unsubscribe,
>>>> change to digest, or change password by emailing moderator at
>>>> companys at stanford.edu.
>>>
>>>
>>> --
>>> Liberationtech is a public list whose archives are searchable on
>>>Google.
>>> Violations of list guidelines will get you moderated:
>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
>>>Unsubscribe,
>>> change to digest, or change password by emailing moderator at
>>> companys at stanford.edu.
>>
>>
>>
>>
>> --
>> Collin David Anderson
>> averysmallbird.com | @cda | Washington, D.C.
>>
>> --
>> Liberationtech is a public list whose archives are searchable on Google.
>> Violations of list guidelines will get you moderated:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
>>Unsubscribe,
>> change to digest, or change password by emailing moderator at
>> companys at stanford.edu.
>
>
>
>--
>@kylemaxwell
>
>
>------------------------------
>
>Message: 5
>Date: Tue, 13 Aug 2013 02:43:08 +0200
>From: Arjen Kamphuis <arjen at gendo.ch>
>To: liberationtech at lists.stanford.edu
>Subject: Re: [liberationtech] In defense of client-side encryption
>Message-ID: <5209811C.1030902 at gendo.ch>
>Content-Type: text/plain; charset=ISO-8859-1
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>On 08/13/2013 01:58 AM, Tom O wrote:
>> That's not a good enough reason to trust Germany.
>
>And I don't. I trust the German people to stand up when it counts.
>Because they know the consequence of failing to do so.
>
>> Ensuring privacy is not a requirement of the state anymore, it's
>> the responsibility of the citizen.
>
>I fully agree. But this requires a population cognitively capable of
>acknowledging the problem. So it's all about political and historical
>awareness.
>
>In the Netherlands and the UK people think privacy is something you
>need so you can masturbate without others knowing. In Germany people
>understand that privacy is needed so people can resist their
>government if that ever becomes important again.
>
>People just have to get used to the counterintuitive idea that one can
>flee *to* Germany in the face of encroaching corporatism/fascism ;-)
>
>
>- --
>Met vriendelijke groet/With kind regards,
>Arjen Kamphuis
>Gendo B.V.
>
>Main: +31 20 891 0330
>mail: arjen at gendo.ch
>
>gendo.ch (website)
>gendo.nl/blog/arjen (Dutch blog)
>gendo.ch/en/blog/arjen (English blog)
>
>about.me/arjenkamphuis (social media)
>
>files.gendo.nl/keys/arjen at gendo.ch.asc (public key)
>PGP fingerprint:
>55FB B3B7 949D ABF5 F31B BA1D 237D 4C50 118A 0EC2
>
>Gendo BV Wibautstraat 150, 1091 GR Amsterdam The Netherlands
>P please consider the environment before printing this email
>============================================================
>This e-mail message and its attachments are subject to the disclaimer
>published at the following website of Gendo:
>http://www.gendo.nl/disclaimer Gendo B.V. is registered with the trade
>register in The Netherlands under number 28116864.
>-----BEGIN PGP SIGNATURE-----
>Version: GnuPG v1.4.11 (GNU/Linux)
>Comment: Using GnuPG with undefined - http://www.enigmail.net/
>
>iQIcBAEBAgAGBQJSCYEcAAoJECN9TFARig7CsqQP/0nJ07+uQ8Kah8TAfmwhbQHL
>hkZXMB4nUonufyp0nn/Ld/GfVitjDZuuskFqiNOU+Cj2gm/JyEPHFAToAZANSwjE
>UBycuCGToqKWS9w/WUZcMF+KFqgNXtSMRvQF5hMj0ldpYE2LLIMS/RwG2BcEK2Lc
>w80fJabUzZ9ETQfs+PS8SeMcNU+TegFKSrGx0WmOQ1EkrwkW4GFDorDCYU4A4PNW
>05uMgIINQCJVg+XDopsorq6GFwE114J8dvlBr6AQUv6rDbbEBlCL4Yy16HgwC2xX
>QvA/EqmmxD2TfrjNS/DpBxTOA172deH/bnwR430MY21+AFGRXiPZI9FlVf3DOqBr
>LCWG3epO4l2VNR9Opa9SEe3vZ6X3Fe3aGwlq7N0XPb0Z26fxyPAoGanKJJASRN5H
>tUm0cIJD8HUPh9vIC2SpLvtpvbFVLlejM34oDEWMx549q+lwQKWRi1Ake81fk6Fa
>w9mkteG4jIu0kiBOVlG5WHNCcOiPm1s6vbOsahw11fBmC1amhrrA/VQeekhR+/Ds
>6nQeueTpRPWy/9Jy2yrqZ/fOnfvlWI6QQX3bAmgrX8nv03jp9lx30TzWBTORUQwg
>YV9OzxQhdo8VN7J7nBUZqM3Q4fcy58+6Xq5LF7z+83Ficcq+EfpSvJnnr8Hdcrfi
>JVDvD6zMwoayAta1ski5
>=3MQ6
>-----END PGP SIGNATURE-----
>
>
>------------------------------
>
>Message: 6
>Date: Mon, 12 Aug 2013 18:58:33 -0700
>From: Tony Arcieri <bascule at gmail.com>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] Does anyone know a celebrity who feels
> strongly about privacy issues?
>Message-ID:
> <CAHOTMVL6qL59zdpWhyYJtfgx0qminyh9AEvwV0v2Cj+sPbAdbw at mail.gmail.com>
>Content-Type: text/plain; charset="iso-8859-1"
>
>Penn Jillette
>
>
>On Mon, Aug 12, 2013 at 1:32 PM, Francisco Ruiz <ruiz at iit.edu> wrote:
>
>> Quick request.
>>
>> In comments to a recent post, people seemed to agree that publishing a
>> video of someone reading a hash might be a fairly hard-to-hack way to
>> deliver that hash to the public, and thus assure the authenticity of a
>> piece of code, a public key, or whatnot. The problem is that the sample
>> youtube video I linked had yours truly reading the hash, and people
>> naturally objected that I wasn't Justin Bieber and, consequently,
>>weren't
>> too convinced that the video was authentic.
>>
>> Aside from the fact that an adversary might be able to convince Justin
>> Bieber to make a video reading a fake hash (not that I believe Justin
>> doesn't care; it's just a hypothesis), the idea of getting a celebrity
>>for
>> this kind of video has a lot of merit. I'd like to engage one for the
>>next
>> update of my app.
>>
>> So, here's my question. Does any one know of a celebrity who cares
>>enough
>> about computer security to be persuaded to take one minute of his/her
>>time
>> to read a hash before a camera?
>>
>> Thanks a million!
>>
>> --
>> Francisco Ruiz
>> Associate Professor
>> MMAE department
>> Illinois Institute of Technology
>>
>>
>>
>>PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hLoZKv+jaCFMapJF
>>fiA11Q9yJU1K1Wo0TbjXK/=PL13lok
>>
>> get the PassLok privacy app at: http://passlok.com
>>
>> --
>> Liberationtech is a public list whose archives are searchable on Google.
>> Violations of list guidelines will get you moderated:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
>> Unsubscribe, change to digest, or change password by emailing moderator
>>at
>> companys at stanford.edu.
>>
>
>
>
>--
>Tony Arcieri
>-------------- next part --------------
>An HTML attachment was scrubbed...
>URL:
><http://mailman.stanford.edu/pipermail/liberationtech/attachments/20130812
>/305c9e09/attachment-0001.html>
>
>------------------------------
>
>Message: 7
>Date: Tue, 13 Aug 2013 02:56:57 +0000
>From: adrelanos <adrelanos at riseup.net>
>To: liberationtech at lists.stanford.edu
>Subject: Re: [liberationtech] rsync.net Warrant Canary
>Message-ID: <5209A079.3060600 at riseup.net>
>Content-Type: text/plain; charset=ISO-8859-1
>
>Moritz Bartl:
>> Nice idea. I would use a trusted timestamp instead of a headline, but
>> anyway. What do you think, should I do this for torservers.net/onion.to?
>>
>> http://www.rsync.net/resources/notices/canary.txt
>>
>> rsync.net will also make available, weekly, a "warrant canary" in the
>> form of a cryptographically signed message containing the following:
>>
>> - a declaration that, up to that point, no warrants have been served,
>> nor have any searches or seizures taken place
>>
>> - a cut and paste headline from a major news source, establishing date
>>
>> Special note should be taken if these messages ever cease being updated,
>> or are removed from this page.
>
>Would it make sense to add a declaration, that no one [more
>specifically, non-trolls in position to ask] asked to backdoor the
>server or software?
>
>Or to have a separate declaration for this?
>
>
>------------------------------
>
>Message: 8
>Date: Tue, 13 Aug 2013 02:53:56 +0000
>From: adrelanos <adrelanos at riseup.net>
>To: liberationtech at lists.stanford.edu
>Subject: Re: [liberationtech] rsync.net Warrant Canary
>Message-ID: <52099FC4.1040207 at riseup.net>
>Content-Type: text/plain; charset=ISO-8859-1
>
>Moritz Bartl:
>> Nice idea. I would use a trusted timestamp instead of a headline, but
>> anyway. What do you think, should I do this for torservers.net/onion.to?
>>
>> http://www.rsync.net/resources/notices/canary.txt
>>
>> rsync.net will also make available, weekly, a "warrant canary" in the
>> form of a cryptographically signed message containing the following:
>>
>> - a declaration that, up to that point, no warrants have been served,
>> nor have any searches or seizures taken place
>>
>> - a cut and paste headline from a major news source, establishing date
>>
>> Special note should be taken if these messages ever cease being updated,
>> or are removed from this page.
>
>Awesome! However euphoric I may be about this...
>
>Might there be a chance for getting sued for this?
>
>If this is safe, it would be awesome if all major pages could implement
>this. torservers.net, torproject.org, truecrypt.org, gnupg.org, etc.
>
>
>------------------------------
>
>Message: 9
>Date: Tue, 13 Aug 2013 00:09:37 -0400
>From: Ali-Reza Anghaie <ali at packetknife.com>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] rsync.net Warrant Canary
>Message-ID:
> <CAPKVt5+xWq-ZTUkohvXuqY0_8CP=6gVxvSSote=ZCwXvkC1e-Q at mail.gmail.com>
>Content-Type: text/plain; charset=ISO-8859-1
>
>On Mon, Aug 12, 2013 at 10:53 PM, adrelanos <adrelanos at riseup.net> wrote:
>> Awesome! However euphoric I may be about this...
>>
>> Might there be a chance for getting sued for this?
>>
>> If this is safe, it would be awesome if all major pages could implement
>> this. torservers.net, torproject.org, truecrypt.org, gnupg.org, etc.
>
>My thoughts are that if you're interesting enough to an authority -
>they would likely be aware of such canary in use. And ppl have to be
>aware of it for it to be useful.
>
>If you don't publicize it as a "feature" until after you've been
>served papers, they'll call it obstruction.
>
>And I would think a NSL that could tell you to preserve anything -
>could also tell you to keep this file in a running state.
>
>I think it's a neat idea but I anticipate just this thread alone
>triggered someone to add this warning to a SOP somewhere to mitigate
>against in legalese. -Ali
>
>
>------------------------------
>
>Message: 10
>Date: Mon, 12 Aug 2013 23:22:05 -0500
>From: Gregory Foster <gfoster at entersection.org>
>To: effaustin-discuss at lists.effaustin.org
>Cc: liberationtech at lists.stanford.edu
>Subject: [liberationtech] Adam Curtis on the nature of espionage
>Message-ID: <5209B46D.1050608 at entersection.org>
>Content-Type: text/plain; charset=UTF-8
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA512
>
>BBC Blogs (Aug 8) - "BUGGER: Maybe The Real State Secret Is That Spies
>Aren't Very Good At Their Jobs and Don't Know Very Much About The
>World" by Adam Curtis:
>http://www.bbc.co.uk/blogs/adamcurtis/posts/BUGGER
>
>It's really nice to see Adam Curtis weigh in on recent events from his
>high-bandwidth cybershell plugged directly into the BBC archives
>mainframe. As usual, the documentary filmmaker and media maestro
>presents an unconventional take on events in long form that will leave
>you confused or better informed and often both.
>
>In this installment, his long arc points out the manner in which
>secrecy breeds confusion, suspicion, and treachery; and contrasts that
>with the open force of love most of us are more familiar with. Or as
>he puts it,
>
>> In fact in many cases [the history of spies] is the story of
>> weirdos who have created a completely mad version of the world that
>> they then impose on the rest of us.
>
>He also has some trenchant warnings for journalists who tend to enjoy
>hearing and relaying fantastic stories: they may be serving to
>reinforce and perpetuate illusions of hidden power and secret
>knowledge, keeping intelligence budgets high even though the
>recipients are unable to demonstrate results (that's a state secret).
> More succinctly, Curtis cites one historian's description of a
>particularly credulous journalist's relationship with anonymous
>government sources:
>
>> "[He was a] kind of official urinal in which ministers and
>> intelligence and defence chiefs could stand patiently leaking."
>
>I'm reminded of AP reporter Adam Goldman's statement during the
>confusion sown by the Daily Beast's reporting on a top sekrit AQAP
>"Legion of Doom" conference call that turned out not to be a call at all:
>https://twitter.com/adamgoldmanap/status/365115189709910016
>
>> As one former senior CIA official once told me: "Who says we can't
>> lie to reporters? It's not a crime."
>
>Yet despite the punking, Curtis leaves a piece of cheese for
>journalists at the end of his maze.
>
>HT Eugen Leitl via Cypherpunks (thanks!)
>gf
>
>- --
>Gregory Foster || gfoster at entersection.org
>@gregoryfoster <> http://entersection.com/
>
>
>------------------------------
>
>Message: 11
>Date: Mon, 12 Aug 2013 21:24:48 -0700
>From: Gregory Maxwell <greg at xiph.org>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] rsync.net Warrant Canary
>Message-ID:
> <CAAS2fgQYypKVYOZc38GXTV+_=Pu5u02T-ms9Q9VqAwVWD7y=SQ at mail.gmail.com>
>Content-Type: text/plain; charset=UTF-8
>
>On Mon, Aug 12, 2013 at 7:53 PM, adrelanos <adrelanos at riseup.net> wrote:
>> Awesome! However euphoric I may be about this...
>> Might there be a chance for getting sued for this?
>> If this is safe, it would be awesome if all major pages could implement
>> this. torservers.net, torproject.org, truecrypt.org, gnupg.org, etc.
>
>Courts, in general, don't usually seem too pleased with "games". What
>happens if you get ordered to lie with one of these canaries?
>
>My guess is that you're no better off with a canary that you may be
>explicitly forced to keep up, or retrospectively get nailed for
>removing, than you would be just being--"oops"--sloppy with your
>document management practices and letting the NSL get out. ("You mean
>I don't put this document in my public DMCA notice folder??") The
>kind of party who isn't willing to take the risk of intentionally or
>"accidentally" breaching their secrecy order isn't going to take the
>risk of actually following through with their canary procedure. And if
>you are willing to take those risks, you don't need the canary.
>
>As a result, a canary probably gives a false sense of security. With
>that in mind, I think there are ethical problems with putting up a
>canary unless you can say to yourself, in advance, that even if you
>were specifically ordered to fake it you'd violate the order (or
>preserve the intent of your commitment by shutting down completely).
>
>It's also possible that your integrity could be compromised by a
>planted employee who is working for another interest. As a user I
>wouldn't give these canaries much credibility; in fact, the parties who
>can most easily post canaries, with the least risk, are the ones
>running outright honeypots. "Absolutely 100% guaranteed to not be a
>spy!" As a user I wouldn't demand my service providers face jail time
>for ignoring a canary preservation order either, so I shouldn't expect
>them to... so I shouldn't expect canaries to be very useful.
>
>Better to build systems that are structurally secure and can't easily
>be silently compromised, and encourage people to migrate to those
>where possible, and assume every non-structurally secure system is
>compromised already.
>
>
>------------------------------
>
>Message: 12
>Date: Mon, 12 Aug 2013 22:10:14 -0700
>From: Percy Alpha <percyalpha at gmail.com>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: [liberationtech] Is spideroak really zero-knowledge?
>Message-ID:
> <CACAJzve6mXesjtMJkAnwzOWfX0wHKS1myCiY6Ndv1dnosc+FSw at mail.gmail.com>
>Content-Type: text/plain; charset="utf-8"
>
>Spideroak claims to use client-side encryption for the desktop client but
>doesn't use a zero-knowledge password proof for the mobile apps or website
>portal.
>
>In light of Lavabit, spideroak could also be forced to intercept passwords
>if users ever use the mobile apps or website login while being gagged. Then
>all encrypted data will be retroactively compromised.
>
>Percy Alpha(PGP <https://en.greatfire.org/contact#alt>)
>GreatFire.org Team
>
>------------------------------
>
>Message: 13
>Date: Tue, 13 Aug 2013 15:10:49 +1000
>From: Noon Silk <noonslists at gmail.com>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] rsync.net Warrant Canary
>Message-ID:
> <CADt_azamTwX1acuApX+MeL6VktyKT=bvAJC0bvCd74ixhfszJQ at mail.gmail.com>
>Content-Type: text/plain; charset="windows-1252"
>
>On Tue, Aug 13, 2013 at 2:24 PM, Gregory Maxwell <greg at xiph.org> wrote:
>
>> On Mon, Aug 12, 2013 at 7:53 PM, adrelanos <adrelanos at riseup.net> wrote:
>> > Awesome! However euphoric I may be about this...
>> > Might there be a chance for getting sued for this?
>> > If this is safe, it would be awesome if all major pages could
>>implement
>> > this. torservers.net, torproject.org, truecrypt.org, gnupg.org, etc.
>>
>> [...]
>>
>
>
>> Better to build systems that are structurally secure and can't easily
>> be silently compromised, and encourage people to migrate to those
>> where possible, and assume every non-structurally secure system is
>> compromised already.
>>
>
>Well said.
>
>Let's just all move to Tahoe-LAFS already.
>
>--
>Noon Silk
>
>Fancy a quantum lunch? https://sites.google.com/site/quantumlunch/
>
>"Every morning when I wake up, I experience an exquisite joy, the joy
>of being this signature."
>
>------------------------------
>
>Message: 14
>Date: Tue, 13 Aug 2013 15:16:11 +1000
>From: Tom O <winterfilth at gmail.com>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] Is spideroak really zero-knowledge?
>Message-ID:
> <CAH4Aj8q+tKrBw6oBF63Or++AhMwPyNUtDuWzQ-fM40-bfE8Sow at mail.gmail.com>
>Content-Type: text/plain; charset="windows-1252"
>
>Percy
>
>From https://spideroak.com/mobile
>
>"
>How Mobile Works with SpiderOak's Zero Knowledge Policy
>
>Here's the deal: when accessing your data via the SpiderOak website or on a
>mobile device you must enter your password. The password will then exist in
>the SpiderOak server memory for the duration of your browsing session. For
>this amount of time your password is stored in encrypted memory and never
>written to an unencrypted disk. The moment your browsing session ends your
>password is destroyed and no further trace is left.
>
>The instance above represents the only situation where your data could
>potentially be readable to someone with access to the SpiderOak servers.
>That said, no one except a select number of SpiderOak employees will ever
>have access to the SpiderOak servers. To fully retain our 'zero-knowledge'
>privacy, we recommend you always access your data via the SpiderOak desktop
>application which downloads your data before decrypting it locally."
>
>
>On Tue, Aug 13, 2013 at 3:10 PM, Percy Alpha <percyalpha at gmail.com> wrote:
>
>> Spideroak claims to use client-side encryption for desktop client but
>> doesn't not use zero-knowledge password proof for mobile Apps or website
>> portal.
>>
>> In light of Lavabit, spideroak could also forced to intercept password
>>if
>> users ever use mobile Apps or website login while being gagged . Then
>>all
>> encrypted data will be retroactively compromised.
>>
>> Percy Alpha(PGP <https://en.greatfire.org/contact#alt>)
>> GreatFire.org Team
>>
>> --
>> Liberationtech is a public list whose archives are searchable on Google.
>> Violations of list guidelines will get you moderated:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
>> Unsubscribe, change to digest, or change password by emailing moderator
>>at
>> companys at stanford.edu.
>>
>
>------------------------------
>
>Message: 15
>Date: Mon, 12 Aug 2013 22:25:26 -0700
>From: Tony Arcieri <tony.arcieri at gmail.com>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] Is spideroak really zero-knowledge?
>Message-ID:
> <CAHOTMV+pc+NyjJ9LHeKuWWJ1ysQPKA8pt-Anapdu9bkh=1aWBg at mail.gmail.com>
>Content-Type: text/plain; charset="iso-8859-1"
>
>On Mon, Aug 12, 2013 at 10:10 PM, Percy Alpha <percyalpha at gmail.com>
>wrote:
>
>> Spideroak claims to use client-side encryption for desktop client but
>> doesn't not use zero-knowledge password proof for mobile Apps or website
>> portal.
>>
>
>SpiderOak (mis)uses the term "zero knowledge" to mean end-to-end (or
>client-side) encryption. They aren't talking about a zero knowledge proof.
>
>The defense I've heard for SpiderOak using "zero knowledge" to mean this is
>other people do it too, so it's okay.
>
>--
>Tony Arcieri
>
>------------------------------
>
>Message: 16
>Date: Mon, 12 Aug 2013 22:35:37 -0700
>From: Percy Alpha <percyalpha at gmail.com>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] Is spideroak really zero-knowledge?
>Message-ID:
> <CACAJzvfyH8=-hTRmuxTdqRv8QoU-eLob5c6bSF1yROTdBxsQMw at mail.gmail.com>
>Content-Type: text/plain; charset="utf-8"
>
>@Tom, "For this amount of time your password is stored in encrypted memory",
>but to actually use the key, the key has to be in plain-text form for some
>time, during which it can be intercepted (or forced to be).
>
>If they can force Lavabit to intercept users' emails, why can't they ask
>spideroak to secretly intercept users' mobile app login?
>
>------------------------------
>
>Message: 17
>Date: Mon, 12 Aug 2013 22:36:59 -0700
>From: Percy Alpha <percyalpha at gmail.com>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] Is spideroak really zero-knowledge?
>Message-ID:
> <CACAJzvcsy2g7ZJuo7b7YWB37EZ1WNZzQKzmdm-Aq4fo7KhA3pA at mail.gmail.com>
>Content-Type: text/plain; charset="utf-8"
>
>@Tony, they claim to use zero-knowledge password proof for desktop client,
>but not for mobile or website. I wonder why, not accepted by App Store?
>
>------------------------------
>
>Message: 18
>Date: Tue, 13 Aug 2013 01:38:44 -0400
>From: Patrick Mylund Nielsen <cryptography at patrickmylund.com>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] Is spideroak really zero-knowledge?
>Message-ID:
> <CAEw2jfwC3-yC=u81HQfg5LKJ3VKxVXPO_hESe1aLwG2L1Ox=YA at mail.gmail.com>
>Content-Type: text/plain; charset="utf-8"
>
>On Tue, Aug 13, 2013 at 1:35 AM, Percy Alpha <percyalpha at gmail.com> wrote:
>
>> @Tom, "For this amount of time your password is stored in encrypted
>> memory", but to actually use the key, the key has to be in plain-text form
>> for some time, during which it can be intercepted (or forced to be).
>>
>> If they can force Lavabit to intercept users' emails, why can't they ask
>> spideroak to secretly intercept users' mobile app login?
>>
>
>They (or somebody else) can. So don't use mobile login.
>
>Curious why the regular client logic can't run on mobile. Too intensive to
>decrypt metadata maybe?
>
>------------------------------
>
>Message: 19
>Date: Mon, 12 Aug 2013 22:41:20 -0700
>From: Tony Arcieri <tony.arcieri at gmail.com>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] Is spideroak really zero-knowledge?
>Message-ID:
> <CAHOTMVJ+afb21+dxkfboLG5orF5HJnj=D3OihDuUEfOkZ6+ETQ at mail.gmail.com>
>Content-Type: text/plain; charset="iso-8859-1"
>
>On Mon, Aug 12, 2013 at 10:36 PM, Percy Alpha <percyalpha at gmail.com>
>wrote:
>
>> @Tony, they claim to use zero-knowledge password proof for desktop client,
>> but not for mobile or website. I wonder why, not accepted by App Store?
>>
>
>Can you please link specifically to what you're talking about? Their
>marketing material is littered with the words "zero-knowledge" but as far
>as I have ever seen the intended meaning is "we encrypt stuff client-side
>before it hits the network".
>
>--
>Tony Arcieri
>
>------------------------------
>
>Message: 20
>Date: Tue, 13 Aug 2013 15:44:28 +1000
>From: Tom O <winterfilth at gmail.com>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] Is spideroak really zero-knowledge?
>Message-ID:
> <CAH4Aj8rVmYzCWrkh83nNf=JyHO4ap=bFXX=nopj80QDxYh8Ngg at mail.gmail.com>
>Content-Type: text/plain; charset="iso-8859-1"
>
>I'm not saying they can't. I'm saying they acknowledge it, although the way
>they do makes it seem as if it's a non-issue.
>
>I don't think it is.
>
>I prefer tahoe-lafs
>
>
>On Tue, Aug 13, 2013 at 3:35 PM, Percy Alpha <percyalpha at gmail.com> wrote:
>
>> @Tom, "For this amount of time your password is stored in encrypted
>> memory", but to actually use the key, the key has to be in plain-text form
>> for some time, during which it can be intercepted (or forced to be).
>>
>> If they can force Lavabit to intercept users' emails, why can't they ask
>> spideroak to secretly intercept users' mobile app login?
>>
>>
>
>------------------------------
>
>Message: 21
>Date: Mon, 12 Aug 2013 23:02:50 -0700
>From: Percy Alpha <percyalpha at gmail.com>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] Is spideroak really zero-knowledge?
>Message-ID:
> <CACAJzvd9GjqDKBH_ns24SwDM4kzAAPYLPom8x3w5Fdg20494Kg at mail.gmail.com>
>Content-Type: text/plain; charset="utf-8"
>
>@Tony,
>"The secret that keeps your data accessible to you alone is your SpiderOak
>password, which is never transmitted to SpiderOak in its original form."
>https://spideroak.com/engineering_matters
>
>------------------------------
>
>Message: 22
>Date: Tue, 13 Aug 2013 10:09:40 +0300
>From: Nadim Kobeissi <nadim at nadim.cc>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] Can JavaScript cryptography be trusted?
> (was: In defense of client-side encryption)
>Message-ID: <7D0C5E94-30EE-4949-87C7-3FEAAF35B5A3 at nadim.cc>
>Content-Type: text/plain; charset="iso-8859-1"
>
>Quickly adding my blog post on the matter to this thread. Would love to
>hear discussion regarding it:
>
>http://log.nadim.cc/?p=33
>
>NK
>
>On 2013-08-13, at 1:58 AM, Tony Arcieri <bascule at gmail.com> wrote:
>
>> On Mon, Aug 12, 2013 at 3:07 PM, Ali-Reza Anghaie <ali at packetknife.com> wrote:
>> I'm sorry but aren't we spending a lot of time conflating code
>> quality, secure coding practices, software distribution, .. with
>> ~JavaScript in a browser~?
>>
>> I think the title of the thread has a lot to do with that. Fixed! ;)
>>
>> --
>> Tony Arcieri
>
>
>------------------------------
>
>Message: 23
>Date: Tue, 13 Aug 2013 00:32:43 -0700
>From: Tony Arcieri <bascule at gmail.com>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] Is spideroak really zero-knowledge?
>Message-ID:
> <CAHOTMVKM5+Wn_TH3QqnYq6KcKM4WNSdWiP5OFGwLZH7ZV8VHOA at mail.gmail.com>
>Content-Type: text/plain; charset="iso-8859-1"
>
>On Mon, Aug 12, 2013 at 11:02 PM, Percy Alpha <percyalpha at gmail.com>
>wrote:
>
>> @Tony,
>> "The secret that keeps your data accessible to you alone is your
>>SpiderOak
>> password, which is never transmitted to SpiderOak in its original form."
>> https://spideroak.com/engineering_matters
>>
>
>Again, they seem to be talking about client-side encryption here. A
>zero-knowledge proof around a password looks a bit more like this:
>
>https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol#Protocol
>
>Short of implementing something like SRP, they don't have a true "zero
>knowledge" system IMO.
>
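To make Tony's distinction concrete, here is an added example (not part of the digest, and not SpiderOak's or any project's code) of both sides of the SRP-6a exchange he links to, over SHA-256: the server enrols only a salt and a verifier, and during login it sees the public value A and the proof M1 but never the password, in contrast to the mobile login in Tom's quoted text, where the password itself is held in server memory for the session. The group is a small demo prime chosen for readability, not an RFC 5054 group; the user and passwords are constructed.

```python
"""Toy SRP-6a exchange: the server stores only (salt, verifier) and the
password never leaves the client. Constructed example, demo group only."""
import hashlib
import hmac
import secrets

# Demo group: 2**255 - 19 is prime, but it is NOT one of the RFC 5054
# safe-prime groups; real deployments must use those groups (or larger).
N = 2**255 - 19
g = 2
NBYTES = (N.bit_length() + 7) // 8  # 32; group elements are padded to this

def pad(x: int) -> bytes:
    return x.to_bytes(NBYTES, "big")

def H(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()

def Hint(*parts: bytes) -> int:
    return int.from_bytes(H(*parts), "big")

k = Hint(pad(N), pad(g))  # SRP-6a multiplier k = H(N | PAD(g))

def private_key_x(username: str, password: str, salt: bytes) -> int:
    # x = H(s | H(I ":" P)); computed only on the client, never sent
    return Hint(salt, H(username.encode(), b":", password.encode()))

def register(username: str, password: str):
    """Client-side enrolment: only (salt, v = g^x) goes to the server."""
    salt = secrets.token_bytes(16)
    v = pow(g, private_key_x(username, password, salt), N)
    return salt, v

def client_proof(username: str, salt: bytes, A: int, B: int, K: bytes) -> bytes:
    # M1 = H(H(N) xor H(g) | H(I) | s | A | B | K)  (RFC 2945)
    hxor = bytes(p ^ q for p, q in zip(H(pad(N)), H(pad(g))))
    return H(hxor, H(username.encode()), salt, pad(A), pad(B), K)

def server_proof(A: int, M1: bytes, K: bytes) -> bytes:
    return H(pad(A), M1, K)  # M2 = H(A | M1 | K)

class SrpServer:
    """Holds verifiers, never passwords; one pending handshake per user."""

    def __init__(self):
        self.users = {}    # username -> (salt, verifier)
        self.pending = {}  # username -> (salt, A, B, K)

    def enrol(self, username: str, salt: bytes, v: int) -> None:
        self.users[username] = (salt, v)

    def start(self, username: str, A: int):
        """Message 1: receive A, answer with (salt, B)."""
        if A % N == 0:  # RFC 5054: abort on a degenerate client value
            raise ValueError("invalid client public value")
        salt, v = self.users[username]
        b = secrets.randbelow(N - 2) + 1
        B = (k * v + pow(g, b, N)) % N
        u = Hint(pad(A), pad(B))
        if u == 0:
            raise ValueError("invalid scrambling parameter")
        S = pow(A * pow(v, u, N) % N, b, N)  # S = (A * v^u)^b
        self.pending[username] = (salt, A, B, H(pad(S)))
        return salt, B

    def finish(self, username: str, M1: bytes):
        """Message 3: verify the client's proof; return M2, or None."""
        salt, A, B, K = self.pending.pop(username)
        if not hmac.compare_digest(client_proof(username, salt, A, B, K), M1):
            return None
        return server_proof(A, M1, K)

def client_login(server: SrpServer, username: str, password: str):
    """Run the exchange; return the shared session key K, or None on failure."""
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    salt, B = server.start(username, A)
    if B % N == 0:
        raise ValueError("invalid server public value")
    u = Hint(pad(A), pad(B))
    x = private_key_x(username, password, salt)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)  # (B - k g^x)^(a + u x)
    K = H(pad(S))
    M1 = client_proof(username, salt, A, B, K)
    M2 = server.finish(username, M1)
    if M2 is None or not hmac.compare_digest(M2, server_proof(A, M1, K)):
        return None
    return K

def demo():
    """Enrol a constructed user; log in with the right and a wrong password."""
    srv = SrpServer()
    salt, v = register("alice", "correct horse battery staple")
    srv.enrol("alice", salt, v)
    good = client_login(srv, "alice", "correct horse battery staple")
    bad = client_login(srv, "alice", "wrong password")
    return good is not None, bad is None
```

Both sides derive the same K because B - k*g^x equals g^b, so (g^b)^(a+ux) and (g^a * g^(xu))^b agree; a wrong password changes x, the proofs no longer match, and the server learns nothing it can replay.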
>------------------------------
>
>Message: 24
>Date: Tue, 13 Aug 2013 10:51:33 +0200
>From: Ralph Holz <holz at net.in.tum.de>
>To: liberationtech at lists.stanford.edu
>Subject: Re: [liberationtech] Lavabit, Silent Circle both shut down
>Message-ID: <5209F395.9020804 at net.in.tum.de>
>Content-Type: text/plain; charset=ISO-8859-1
>
>Hi Arjen,
>
>>> May I ask what Swiss providers would you recommend?
>>
>> (disclaimer: I am normally very hesitant to 'advertise' for
>> specific companies since as a consultant I do my very best to
>> remain independent from having any interest in procurement of
>> specific products or services).
>
>Duly noted. :)
>
>> SwissVPN provides some nice VPN services but it is not the only
>> VPN provider I use.
>
>That's the company I use, too, and ultimately the reason I am asking,
>because Chris Soghoian once told me that they log the connections.
>This seems to be supported by this inquiry made in 2011:
>
>http://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/
>
>They log for 6 months and say they will respond to requests under
>Swiss law.
>
>I would be surprised if other Swiss providers wouldn't do the same,
>but I am very happy to hear otherwise?
>
>Ralph
>
>--
>Ralph Holz
>I8 - Network Architectures and Services
>Technische Universität München
>http://www.net.in.tum.de/de/mitarbeiter/holz/
>Phone +49.89.289.18043
>PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
>
>
>------------------------------
>
>Message: 25
>Date: Tue, 13 Aug 2013 10:37:44 +0100
>From: Michael Rogers <michael at briarproject.org>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] Does anyone know a celebrity who feels
> strongly about privacy issues?
>Message-ID: <5209FE68.8030201 at briarproject.org>
>Content-Type: text/plain; charset=ISO-8859-1
>
>On 12/08/13 21:32, Francisco Ruiz wrote:
>> So, here's my question. Does any one know of a celebrity who cares
>> enough about computer security to be persuaded to take one minute
>> of his/her time to read a hash before a camera?
>
>I'd like to second Guido's objection that most people don't know what
>a hash is, or have the skills or software required to verify one, so
>this isn't an effective security measure for most people.
>
>Even if it were, you'd have to ask the celebrity to read a new hash
>for every version of the software, and the videos for old versions
>could be used in a rollback attack.
>
>Cheers,
>Michael
>
>
>
>------------------------------
>
>Message: 26
>Date: Tue, 13 Aug 2013 10:52:49 +0100
>From: David Miller <david at deadpansincerity.com>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] Does anyone know a celebrity who feels
> strongly about privacy issues?
>Message-ID:
> <CAHwn12+1g863UgP+bsajCZWEgeYZVEEqPKVxPf7c0vmi7EQ8eQ at mail.gmail.com>
>Content-Type: text/plain; charset="iso-8859-1"
>
>Maybe the celebrity could read the binary sequence of a compiled program,
>and the user could take dictation into a simple command line script?
>
>
>--
>Love regards etc
>
>David Miller
>http://www.deadpansincerity.com
>07854 880 883
>
>------------------------------
>
>Message: 27
>Date: Tue, 13 Aug 2013 02:52:50 -0700
>From: elijah <elijah at riseup.net>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] Is spideroak really zero-knowledge?
>Message-ID: <520A01F2.4040808 at riseup.net>
>Content-Type: text/plain; charset=UTF-8
>
>On 08/13/2013 12:32 AM, Tony Arcieri wrote:
>
>> On Mon, Aug 12, 2013 at 11:02 PM, Percy Alpha <percyalpha at gmail.com
>> <mailto:percyalpha at gmail.com>> wrote:
>>
>> @Tony,
>> "The secret that keeps your data accessible to you alone is your
>> SpiderOak password, which is never transmitted to SpiderOak in its
>> original form." https://spideroak.com/engineering_matters
>>
>>
>> Again, they seem to be talking about client-side encryption here. A
>> zero-knowledge proof around a password looks a bit more like this:
>>
>> https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol#Protocol
>>
>> Short of implementing something like SRP they don't have a true "zero
>> knowledge" system IMO
>
>Curious, they used to actually include some notes on how they use a zero
>knowledge proof for authentication, but it has been taken down.
>Waybackmachine has the old text:
>
>http://web.archive.org/web/20130430135938/https://spideroak.com/engineering_matters
>
>Perhaps they changed how they do authentication.
>
>-elijah
>
>
>------------------------------
>
>Message: 28
>Date: Tue, 13 Aug 2013 13:16:15 +0200
>From: "taxakis" <taxakis at gmail.com>
>To: "'liberationtech'" <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] Lavabit, Silent Circle both shut down
>Message-ID: <00f101ce9816$86d19e30$9474da90$@com>
>Content-Type: text/plain; charset="iso-8859-1"
>
>Hi guys:
>
>Safe and secure are relevant. But, Arjen is absolutely right, Switzerland
>is at the moment the best place to have your materials hosted. It's also the
>place Silent Circle looks at. And one where Wikileaks is hosted. Some
>on this list still have doubts, even about Switzerland. Never a bad idea to
>be paranoid of course, but there are some logical reasons why Switzerland is
>a good choice. Here are the main ones:
>
>The Swiss are well known for their bank secrecy. A fact which is hated and
>regularly contested by the E.U. and the U.S. Banks in CH need to be
>extremely careful in guarding their own nation's interests, of which banking,
>tourism, cheese and watch making are core values. There are some pretty
>harsh rules in place to protect those interests. Of course when there is a
>major crime Swiss police cooperates with other nations. But saving money in
>a bank is definitively not seen as a crime. And so far as I know there is
>not any remote chance that the U.S. and/or the E.U. will be able to force a
>change. Like lately by levying huge fines on the UBS bank. They try
>though :)
>
>
>There is yet another reason. And that is because Switzerland is the second
>seat nation of the United Nations, while itself not being a member, only an
>observer to the U.N. The U.S. has many times (as also revealed by Snowden)
>attempted to bribe Swiss officials and business people and/or coerce them.
>The CIA has been fairly active, but to no avail. The Swiss have also taken
>serious countermeasures against intrusions. This hostile behavior from the
>U.S. towards Switzerland is taken seriously into account as well. It isn't
>really productive to enhance friendships.
>
>Then Switzerland still feels abused by the U.S., in particular by the NSA,
>because of the Crypto AG affair of some decennia back. Search the web to get
>the historical details. Whatever happened, happened, but it was surely not
>in the core interest of the Swiss people.
>
>And finally, once every year there is a meeting of all chiefs and directors
>of (western) European intelligence services, called the Club de Berne, in
>Switzerland. Switzerland was chosen as a meeting place because of its
>impartiality and integrity. Surely, one of the 'Five Eyes Nations' is
>present as well. And word has it that it's not playing a role of any
>significance.
>
>No, the above is not a guarantee that nobody will attempt to intrude in a
>system in Switzerland. It will happen, and occasionally with success. But
>the Swiss government, businesses and people are very keen to stop the
>bullets before these hit somebody. In particular from other European nations
>and the United States.
>
>And finally, am I Swiss? Absolutely not, but these days I wish I was :) And,
>yes, I do host my Internet business activities there, and I mean since 1994.
>That's almost 20 years, and I have never been disappointed. And that does
>count for something. Do follow Arjen's leads, search the web, and by all
>means go there and meet them in person.
>
>Greetz
>RTF
>
>
>------------------------------
>
>Message: 29
>Date: Tue, 13 Aug 2013 13:23:01 +0000
>From: KheOps <kheops at ceops.eu>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] Petition Google over banning "Servers"
> on Google Fiber?
>Message-ID: <20130813132300.GA2815 at ceops.eu>
>Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
>
>Hi all,
>
>On Tue, Aug 13, 2013 at 01:24:07AM +0200, Moritz Bartl wrote:
>> Thank you EFF for the well-written reminder:
>>
>>https://www.eff.org/deeplinks/2013/08/google-fiber-continues-awful-isp-tradition-banning-servers
>
>[...]
>
>> We should petition Google to get rid of this. Does anyone know if EFF
>> planning such an action, or do you have contacts to organizational
>> networks to get it going properly?
>
>A petition is probably worth giving a try, but in the end Google are on
>their infrastructure and selling access under their terms of service, so
>it may be quite a difficult challenge. Even more difficult since, as far
>as I understand, many other operators do the same on the market.
>
>There are similar issues in France: a few ISPs providing high-speed fiber
>connection forbid in the same way hosting a server at home (unless you
>pay more). In addition, some do not provide a fixed IP address to
>practically make things more difficult.
>
>We all understand that this violates Net Neutrality and prevents citizens
>from reclaiming control of their data to have a decent level of privacy.
>We subsequently understand that this is a serious issue from a democracy
>point of view, knowing governments' surveillance practices.
>
>Now, in case it could be of any use in the US, in France & Europe I see
>two types of initiatives that try to push things in a better direction:
>- at the European Parliament some advocacy groups have tried to push
>the fact that a company could not say that they sell "internet access" if
>what they sell contains violations to Net Neutrality (I don't know the
>details on the situation of this political battle, but you get the idea);
>- in France, we have more and more associative (non-profit) ISPs
>providing internet access to small numbers of people - the core ideas are
>to provide a neutral access (to the extent permitted by law) and promote
>decentralization (as in internet) through the creation of many little
>structures; the oldest and biggest, French Data Network (FDN) created a
>Federation (FFDN) in which the smaller and more local ones are gathered;
>we would really like this kind of initiative to spread - take a look
>there http://www.ffdn.org, some posts are in English
>
>All the best,
>KheOps
>
>
>------------------------------
>
>Message: 30
>Date: Tue, 13 Aug 2013 13:46:24 +0200
>From: Moritz Bartl <moritz at torservers.net>
>To: liberationtech at lists.stanford.edu
>Subject: [liberationtech] Swiss VPNs (was: Re: Lavabit, Silent Circle
> both shut down)
>Message-ID: <520A1C90.4010902 at torservers.net>
>Content-Type: text/plain; charset=ISO-8859-1
>
>On 13.08.2013 10:51, Ralph Holz wrote:
>>> SwissVPN provides some nice VPN services but it is not the only
>>> VPN provider I use.
>> They log for 6 months and say they will respond to requests under
>> Swiss law.
>> I would be surprised if other Swiss providers wouldn't do the same,
>> but I am very happy to hear otherwise?
>
>Switzerland has data retention laws. While it might be good for
>oligarchs to hide their money, it is not good for online privacy.
>
>--
>Moritz Bartl
>https://www.torservers.net/
>
>
>------------------------------
>
>Message: 31
>Date: Tue, 13 Aug 2013 14:20:26 +0200
>From: "taxakis" <taxakis at gmail.com>
>To: "'liberationtech'" <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] Swiss VPNs (was: Re: Lavabit, Silent
> Circle both shut down)
>Message-ID: <01b501ce981f$7ea5b440$7bf11cc0$@com>
>Content-Type: text/plain; charset="us-ascii"
>
>Oligarchs and privacy advocates have something in common.
>If you got a better place, please name it.
>And by the by, forget Germany, it may not have data retention (for now),
>but it does have 50,000 American troops, a refurbished Bad Aibling with
>all newly trained German personnel, and a huge Intel building in Berlin
>that can house 101 Airborne in the basement. While the abolished Pullach
>establishment is readied for 'modern intel testing equipment'.
>
>RTF
>
>-----Original Message-----
>From: liberationtech-bounces at lists.stanford.edu
>[mailto:liberationtech-bounces at lists.stanford.edu] On Behalf Of Moritz
>Bartl
>Sent: Tuesday, August 13, 2013 1:46 PM
>To: liberationtech at lists.stanford.edu
>Subject: [liberationtech] Swiss VPNs (was: Re: Lavabit, Silent Circle both
>shut down)
>
>On 13.08.2013 10:51, Ralph Holz wrote:
>>> SwissVPN provides some nice VPN services but it is not the only VPN
>>> provider I use.
>> They log for 6 months and say they will respond to requests under
>> Swiss law.
>> I would be surprised if other Swiss providers wouldn't do the same,
>> but I am very happy to hear otherwise?
>
>Switzerland has data retention laws. While it might be good for
>oligarchs to hide their money, it is not good for online privacy.
>
>--
>Moritz Bartl
>https://www.torservers.net/
>
>
>------------------------------
>
>Message: 32
>Date: Tue, 13 Aug 2013 15:25:45 +0200
>From: Moritz Bartl <moritz at torservers.net>
>To: liberationtech at lists.stanford.edu
>Subject: Re: [liberationtech] Swiss VPNs
>Message-ID: <520A33D9.5080504 at torservers.net>
>Content-Type: text/plain; charset=ISO-8859-1
>
>On 13.08.2013 14:20, taxakis wrote:
>> Oligarchs and privacy advocates have something in common.
>> If you got a better place, please name it.
>
>I don't. I still believe we should stop being naive and promote Iceland
>or Switzerland, just because we think they offer better privacy. In
>general, just because you read something in the news, don't just believe
>it.
>
>I never said Germany was a better place.
>
>Yes, I should have quotable sources at hand, but at the moment I don't.
>A good address for a more detailed answer would be the Chaos Computer
>Club Switzerland, http://www.ccc-ch.ch/ , and, for Iceland, try the
>people behind IMMI, https://immi.is/ .
>
>The interesting part about Iceland is that there is a slight chance of
>*making it* a privacy-friendly jurisdiction. It is not, yet. If media
>always convey the picture of a privacy-friendly country, its own
>politicians will start believing it and fight for it, hopefully.
>
>--
>Moritz Bartl
>https://www.torservers.net/
>
>
>------------------------------
>
>Message: 33
>Date: Tue, 13 Aug 2013 03:07:27 -0700
>From: Patrick Baxter <patch at cs.ucsb.edu>
>To: liberationtech <liberationtech at mailman.stanford.edu>
>Subject: Re: [liberationtech] Is spideroak really zero-knowledge?
>Message-ID:
> <CALSDXiBHpiMrsG=0nfsAT41XXvv=7GiFMb757=EQpRdxoHnuow at mail.gmail.com>
>Content-Type: text/plain; charset=ISO-8859-1
>
>They've also been working on an open source version of their client
>and server software called crypton (https://crypton.io/)
>
>It implements the protocol originally listed on their site as Elijah
>pointed out with the wayback machine.
>
>On Tue, Aug 13, 2013 at 2:52 AM, elijah <elijah at riseup.net> wrote:
>> On 08/13/2013 12:32 AM, Tony Arcieri wrote:
>>
>>> On Mon, Aug 12, 2013 at 11:02 PM, Percy Alpha <percyalpha at gmail.com
>>> <mailto:percyalpha at gmail.com>> wrote:
>>>
>>> @Tony,
>>> "The secret that keeps your data accessible to you alone is your
>>> SpiderOak password, which is never transmitted to SpiderOak in its
>>> original form." https://spideroak.com/engineering_matters
>>>
>>>
>>> Again, they seem to be talking about client-side encryption here. A
>>> zero-knowledge proof around a password looks a bit more like this:
>>>
>>> https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol#Protocol
>>>
>>> Short of implementing something like SRP they don't have a true "zero
>>> knowledge" system IMO
>>
>> Curious, they used to actually include some notes on how they use a zero
>> knowledge proof for authentication, but it has been taken down.
>> Waybackmachine has the old text:
>>
>>
>>http://web.archive.org/web/20130430135938/https://spideroak.com/engineering_matters
>>
>> Perhaps they changed how they do authentication.
>>
>> -elijah
>
>
>------------------------------
>
>Message: 34
>Date: Tue, 13 Aug 2013 08:52:11 -0700
>From: Reed Black <reed at unsafeword.org>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] From Snowden's email provider. NSL???
>Message-ID:
> <CAESArwmaboc5GR=1j1o+Mws5w2QiHjdW2dMGDcwaBdDC04B9qw at mail.gmail.com>
>Content-Type: text/plain; charset=ISO-8859-1
>
>On Sun, Aug 11, 2013 at 4:46 AM, Michael Rogers
><michael at briarproject.org> wrote:
>>> The app store can't substitute a different binary (no developer
>>> signing key), users can verify that the app was what the developer
>>> produced (via pulling the binary and checking the hash), and advanced
>>> users can verify that what the developer produced is what they
>>> produce via the replicable build process.
>>
>> I don't know how the Apple or Chrome app stores work, but on Android
>> the user doesn't have a standard way to obtain the developer's key, so
>> the app store could sign a modified binary with any key.
>
>Signing isn't sufficient without some means of invalidation under the
>developer's control. Even putting aside users who are slow to update,
>select users can be served older versions of apps with known
>vulnerabilities intact.
>
>
>------------------------------
>
>Message: 35
>Date: Tue, 13 Aug 2013 19:00:20 +0300
>From: Nadim Kobeissi <nadim at nadim.cc>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: [liberationtech] Snowden: Unencrypted Journalist-Source
> Communications "Unforgivably Reckless"
>Message-ID: <F6299665-152B-4304-AEF2-4B1A8A76E405 at nadim.cc>
>Content-Type: text/plain; charset="windows-1252"
>
>Hey LibTech,
>
>In a recently published interview with the New York Times, Edward Snowden
>called unencrypted communications between journalists and sources
>"unforgivably reckless":
>
>"I was surprised to realize that there were people in news organizations
>who didn't recognize any unencrypted message sent over the Internet is
>being delivered to every intelligence service in the world. In the wake
>of this year's disclosures, it should be clear that unencrypted
>journalist-source communication is unforgivably reckless."
>
>http://www.nytimes.com/2013/08/18/magazine/snowden-maass-transcript.html
>
>I hope sending this along will be useful for journalists on this list as
>well as for those who need extra material to help them convince their
>journalist friends to adopt privacy-preserving practices. As usual, I'll
>take the opportunity to again vouch for the need for accessible, easy to
>use encryption, like what Guardian Project, Whisper Systems and Cryptocat
>are working on.
>
>NK
>
>------------------------------
>
>Message: 36
>Date: Tue, 13 Aug 2013 12:41:25 -0400
>From: Lina Srivastava <lina at linasrivastava.com>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] Does anyone know a celebrity who feels
> strongly about privacy issues?
>Message-ID:
> <CAKwxpww7B+pWSaurwsc565E8-6vkU4ZPdt2eraq5adi=AdvuXQ at mail.gmail.com>
>Content-Type: text/plain; charset="iso-8859-1"
>
>So not sure this is taking the discussion in a direction useful to this
>list, but a thought-- celebrities are not likely to be available to do
>something like this -- i.e., a series of readings on youtube videos --
>unless the videos were connected to a high-profile campaign, a
>film/documentary, or run by an organization that they are connected to or
>doing a favor for (and the favor is usually done through a celebrity
>that's a friend or their management). And the negotiation of a campaign
>that incorporates a celebrity is complicated and time-consuming, and once
>done, is difficult to manage. It's not impossible and it's not that
>celebrities (John Cusack was a great suggestion, by the way) wouldn't be
>interested in the issue, it's just that it may not be worth the time
>you'd spend in trying to attract someone.
>
>Having said that, if anyone ever did want to attract a celebrity to a
>high-profile cause, start by inquiring with CAA or the Global Philanthropy
>Group. Or if you want a simple retweet for profile, most celebrities are
>pretty obliging with that.
>
>Lina
>
>On Tue, Aug 13, 2013 at 5:52 AM, David Miller
><david at deadpansincerity.com> wrote:
>
>> Maybe the celebrity could read the binary sequence of a compiled
>> program, and the user could take dictation into a simple command line
>> script?
>>
>>
>> On 13 August 2013 10:37, Michael Rogers <michael at briarproject.org>
>> wrote:
>>
>>> On 12/08/13 21:32, Francisco Ruiz wrote:
>>> > So, here's my question. Does any one know of a celebrity who cares
>>> > enough about computer security to be persuaded to take one minute
>>> > of his/her time to read a hash before a camera?
>>>
>>> I'd like to second Guido's objection that most people don't know what
>>> a hash is, or have the skills or software required to verify one, so
>>> this isn't an effective security measure for most people.
>>>
>>> Even if it were, you'd have to ask the celebrity to read a new hash
>>> for every version of the software, and the videos for old versions
>>> could be used in a rollback attack.
>>>
>>> Cheers,
>>> Michael
>>>
>>>
>>
>>
>>
>> --
>> Love regards etc
>>
>> David Miller
>> http://www.deadpansincerity.com
>> 07854 880 883
>>
>>
>
>
>
>--
>Lina Srivastava
>--
>linasrivastava.com | twitter <http://twitter.com/lksriv> |
>linkedin<http://www.linkedin.com/in/linasrivastava>
>
>------------------------------
>
>Message: 37
>Date: Tue, 13 Aug 2013 19:12:38 +0200
>From: Amaelle G <amaelle at micro-ouvert.net>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] Snowden: Unencrypted Journalist-Source
> Communications "Unforgivably Reckless"
>Message-ID: <5CB1045A-5100-4A6A-B36C-05B157F0E5C2 at micro-ouvert.net>
>Content-Type: text/plain; charset="utf-8"
>
>Hi Nadim & all,
>
>On 13 Aug 2013 at 18:00, Nadim Kobeissi <nadim at nadim.cc> wrote:
>
>> http://www.nytimes.com/2013/08/18/magazine/snowden-maass-transcript.html
>>
>> I hope sending this along will be useful for journalists on this list
>> as well as for those who need extra material to help them convince
>> their journalist friends to adopt privacy-preserving practices. As
>> usual, I'll take the opportunity to again vouch for the need for
>> accessible, easy to use encryption, like what Guardian Project,
>> Whisper Systems and Cryptocat are working on.
>
>It is obviously one side-effect of PRISM revelations that more & more
>journalists now feel the urge to update their work habits in order to
>protect their sources. And the more accessible tools we have, the easier
>it is for the people who feel concerned by these issues to advocate for
>such improvements.
>
>Good occasion for me to thank all the people involved in projects for
>easy-to-use anonymization & encryption :)
>
>Cheers,
>
>Amaelle
>
>--
>
>Amaelle Guiton
>Journalism in the future exterior @ Radio France & elsewhere
>0x77775AF9 / micro_ouvert at jabber.ubuntu-fr.org
>
>------------------------------
>
>Message: 38
>Date: Tue, 13 Aug 2013 10:37:13 -0700
>From: "James S. Tyre" <jstyre at eff.org>
>To: "'liberationtech'" <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] Snowden: Unencrypted Journalist-Source
> Communications "Unforgivably Reckless"
>Message-ID: <020401ce984b$bf8fbb00$3eaf3100$@eff.org>
>Content-Type: text/plain; charset="us-ascii"
>
>The passage Nadim highlights is of course quite appropriate for this
>list. But for those who have some extra time (it's very long) the whole
>article is worth reading.
>
>--
>James S. Tyre
>Law Offices of James S. Tyre
>10736 Jefferson Blvd., #512
>Culver City, CA 90230-4969
>310-839-4114/310-839-4602(fax)
>jstyre at jstyre.com
>Policy Fellow, Electronic Frontier Foundation
>https://www.eff.org
>
>From: liberationtech-bounces at lists.stanford.edu
>[mailto:liberationtech-bounces at lists.stanford.edu] On Behalf Of Nadim
>Kobeissi
>Sent: Tuesday, August 13, 2013 9:00 AM
>To: liberationtech
>Subject: [liberationtech] Snowden: Unencrypted Journalist-Source
>Communications "Unforgivably Reckless"
>
>Hey LibTech,
>
>In a recently published interview with the New York Times, Edward Snowden
>called unencrypted communications between journalists and sources
>"unforgivably reckless":
>
>"I was surprised to realize that there were people in news organizations
>who didn't recognize any unencrypted message sent over the Internet is
>being delivered to every intelligence service in the world. In the wake
>of this year's disclosures, it should be clear that unencrypted
>journalist-source communication is unforgivably reckless."
>
>http://www.nytimes.com/2013/08/18/magazine/snowden-maass-transcript.html
>
>I hope sending this along will be useful for journalists on this list as
>well as for those who need extra material to help them convince their
>journalist friends to adopt privacy-preserving practices. As usual, I'll
>take the opportunity to again vouch for the need for accessible, easy to
>use encryption, like what Guardian Project, Whisper Systems and Cryptocat
>are working on.
>
>NK
>
>
>------------------------------
>
>Message: 39
>Date: Tue, 13 Aug 2013 10:42:05 -0700
>From: Andy Isaacson <adi at hexapodia.org>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: [liberationtech] verifying SSL certs (was Re: In defense of
> client-side encryption (Guido Witmond)
>Message-ID: <20130813174205.GR27178 at hexapodia.org>
>Content-Type: text/plain; charset=us-ascii
>
>On Mon, Aug 12, 2013 at 11:10:39AM +0200, Guido Witmond wrote:
>> There is another problem. You rely on HTTPS. Here is the 64000 dollar
>> question:
>>
>> Q._"What is the CA-certificate for your bank's website?"_
>>
>> I ask that question to anyone who claims to be security conscious. No
>> one has given me positive answer so far. Not even a wrong answer. Only
>> that people don't know.
>>
>> So I take it for granted that people won't verify anything, ever.
>
>FWIW, I did run my browser in "trust on first use" (TOFU) mode -- I
>deleted all the CA certs and manually added exceptions for each site, as
>I encountered the certificate warnings -- for several years. I've given
>up on that for modern websites because
>
> - sites frequently include resources from other hostnames, and JS/CSS
>   https errors are silently ignored by Firefox
> - loadbalanced websites frequently have multiple certificates for a
>   single hostname, and Firefox only allows a single certificate
>   exception per hostname
> - expiration times have come down to, generally, 1 year, and with
>   multiple certs per page, I was approving a new cert for most pages at
>   least once every few months, decreasing the value of Trust in TOFU.
>
>So in some sense I would have been able to answer that "what is the cert
>for your bank", by saying "the one that I approved last year and has
>been correctly working since then". But the world has passed that model
>by.
>
>-andy
>
>
>------------------------------
>
>Message: 40
>Date: Tue, 13 Aug 2013 19:45:27 +0200
>From: Collin Anderson <collin at averysmallbird.com>
>To: "liberationtech at lists.stanford.edu"
> <liberationtech at lists.stanford.edu>
>Subject: [liberationtech] Internet Policy Observatory: Call for
> Proposals
>Message-ID:
> <CAC+VsLvEB6X-6gtsXqRD+onjdsxASNRjHeqay5_psRfbruSb7g at mail.gmail.com>
>Content-Type: text/plain; charset="windows-1252"
>
>Libtech -- This might be promising for the academics and researchers
>amongst us.
>
>http://cgcsblog.asc.upenn.edu/2013/07/31/internet-policy-observatory-call-for-proposals/
>
>Internet Policy Observatory: Call for Proposals
>
>The Center for Global Communication Studies (CGCS) at the Annenberg School
>for Communication at the University of Pennsylvania, announces a call for
>proposals under its Internet Policy Observatory (IPO). One of the goals of
>IPO is helping to develop a broad understanding of the conditions,
>processes and stakeholders that drive the development of Internet policies
>in pivotal countries, and of how those conditions influence developments
>at the regional and international levels.
>
>Proposals should address one or both of the two RFPs described below:
>
>* Internet Policy Observatory Regional Hub Grants
>* Internet Policy Observatory Thematic Grants
>
>Internet Policy Observatory – Regional Hub Grant
>
>The objective of this Call is to add to a global network of Regional Hubs
>supporting Internet policy research with specific regional perspectives.
>The purpose of these grants is to encourage research from a variety of
>disciplines to help further understanding on how global Internet policies
>evolve.
>
>This Call is open to persons and organizations who are particularly
>interested in Internet policy research, and who are based in countries
>that are located within (1) Latin America & Caribbean, (2) Middle-East and
>North Africa[1], (3) South & South-East Asia[2] / Pacific, (4) Central
>Asia[3], (5) East Asia[4], (6) Sub-Saharan Africa.
>
>Research groups, universities, and civil society organizations which
>already have research programs on Internet policy issues in the relevant
>countries and regions are particularly encouraged to apply. Beneficiaries
>of related, but different grants awarded under the Internet Policy
>Observatory may also apply to this call.
>
>Eligible proposals should address four core deliverables (Please view the
>full RFP for complete descriptions of deliverables):
>
>1. Hub Study: The Internet Policy Observatory welcomes proposals that seek
>to investigate Internet policy issues within specific countries within a
>region, or alternatively the region as a whole. Potential topics to
>consider range across the wider field of Internet policy, including, but
>are not limited to, issues of Internet governance, Internet filtration and
>censorship, implications of military and security services activities and
>concerns on policy development, to name but a few examples.
>
>2. Hub Survey: Proposals should speak to the organization's capacity to
>carry out qualitative and quantitative research. As part of the Internet
>Policy Observatory's effort to create a global Delphi (expert) survey on
>Internet policy formation, organizations will be expected to incorporate a
>strategy for the creation and implementation of regional surveys.
>
>3. Hub View: A key task of the Regional Hubs is to regularly provide news
>on Internet-policy-relevant developments within their region to the IPO
>website.
>
>4. Hub Action: Each Regional Hub should also propose further, regional
>specific activity – such as local conferences or workshops – that can be
>financed directly from the Grant or might be financed from other sources.
>
>Grants are expected to be USD 20,000-40,000 per application selected.
>
>Applications should be submitted by 5pm EST on September 15, 2013.
>
>Click here for the full RFP, including information about eligibility,
>deliverables, submission guidelines, and award criteria.
>
>Internet Policy Observatory Thematic Grants
>
>The objective of this Call is to encourage research by individuals and
>institutions particularly interested in Internet policy issues.
>
>This Call is open to persons and organizations who are particularly
>interested in Internet policy research and who are based in key
>countries/regions or led by a consortium that is located within the key
>regions.
>
>Research groups and civil society organizations which already have
>research programs on Internet policy issues in the relevant countries and
>regions are particularly encouraged to apply. Fluency in English is
>required both for research and relevant administration tasks.
>
>The thematic focus of the proposals may include, but is not limited to,
>one of the general areas (for full descriptions, please view the full
>RFP):
>
>* Technical developments and Internet policy
>* Governance and Internet policy
>* Internet policy and Internet/cyberspace ownership
>* Social media and Internet policy
>* The socio-economic impact of Internet policy
>* The language of Internet Policy
>
>Applications should be submitted by 5pm EST on September 15, 2013.
>
>Click here for the full RFP, including information about eligibility,
>deliverables, submission guidelines, and award criteria.
>
>For more information, please direct comments and questions to
>internetpolicy at asc.upenn.edu
>
>--
>*Collin David Anderson*
>averysmallbird.com | @cda | Washington, D.C.
>
>------------------------------
>
>Message: 41
>Date: Tue, 13 Aug 2013 11:23:10 -0700
>From: Micah Lee <micahflee at riseup.net>
>To: liberationtech at lists.stanford.edu
>Subject: Re: [liberationtech] Snowden: Unencrypted Journalist-Source
> Communications "Unforgivably Reckless"
>Message-ID: <520A798E.9080101 at riseup.net>
>Content-Type: text/plain; charset="iso-8859-1"
>
>On 08/13/2013 09:00 AM, Nadim Kobeissi wrote:
>> I hope sending this along will be useful for journalists on this list as
>> well as for those who need extra material to help them convince their
>> journalist friends to adopt privacy-preserving practices. As usual, I'll
>> take the opportunity to again vouch for the need for accessible, easy to
>> use encryption, like what Guardian Project, Whisper Systems and
>> Cryptocat are working on.
>
>I've written a fairly comprehensive guide to using the tools that Laura
>Poitras, Glenn Greenwald, and Edward Snowden use to communicate
>securely, written primarily for journalists:
>
>https://pressfreedomfoundation.org/encryption-works
>
>--
>Micah Lee
>@micahflee
>
>
>------------------------------
>
>Message: 42
>Date: Tue, 13 Aug 2013 20:46:59 +0200
>From: Arjen Kamphuis <arjen at gendo.ch>
>To: liberationtech at lists.stanford.edu
>Subject: Re: [liberationtech] Lavabit, Silent Circle both shut down
>Message-ID: <520A7F23.1070906 at gendo.ch>
>Content-Type: text/plain; charset=ISO-8859-1
>
>On 08/13/2013 10:51 AM, Ralph Holz wrote:
>> That's the company I use, too - and ultimately the reason I am
>> asking because Chris Soghoian once told me that they log the
>> connections. This seems to be supported by this inquiry made in
>> 2011:
>>
>> http://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/
>>
>> They log for 6 months and say they will respond to requests under
>> Swiss law.
>
>And that is a shitty situation. Swiss law however does afford at
>least some protections under the Swiss constitution. Unlike US law
>where all rights are instantly meaningless as soon as somebody says
>'terrorism' (these effects also apply to US puppet-states such as UK
>and the Netherlands). Note that under Swiss law the wikileaks.ch
>domain was never taken down despite massive diplomatic pressure from
>the US to do so. France caved in even faster than in the summer of
>1940 and took down wikileaks.fr
>
>I'll be the last person to claim either Switzerland or Germany are
>ideal. But having looked around I can't find better places right now.
>If somebody does know of a better place to put servers I'd love to
>know about it. Obviously territory and law are just a little extra
>defense-in-depth. I believe much more in privacy-by-tech over
>privacy-by-policy/law.
>
>In the words of the great American strategist Lt Lockhart:
>http://youtu.be/UdK3ZImjPsY
>
>
>--
>Met vriendelijke groet/With kind regards,
>Arjen Kamphuis
>Gendo B.V.
>
>Main: +31 20 891 0330
>mail: arjen at gendo.ch
>
>gendo.ch (website)
>gendo.nl/blog/arjen (Dutch blog)
>gendo.ch/en/blog/arjen (English blog)
>
>about.me/arjenkamphuis (social media)
>
>files.gendo.nl/keys/arjen at gendo.ch.asc (public key)
>PGP fingerprint:
>55FB B3B7 949D ABF5 F31B BA1D 237D 4C50 118A 0EC2
>
>Gendo BV Wibautstraat 150, 1091 GR Amsterdam The Netherlands
>
>
>------------------------------
>
>Message: 43
>Date: Tue, 13 Aug 2013 20:59:22 +0200
>From: Moritz Bartl <moritz at torservers.net>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: [liberationtech] Zwiebelfreunde take over popular onion.to
> Tor gateway
>Message-ID: <520A820A.4060703 at torservers.net>
>Content-Type: text/plain; charset=windows-1252
>
>Hi Libtechies,
>
>I hope you don't mind me putting this press release here. Please spread
>if you like it.
>
>----------------------------------------------------------------------
>
># Zwiebelfreunde take over popular onion.to Tor gateway
>
>(Dresden, 13.8.2013) The non-profit organization Zwiebelfreunde e.V. is
>known for the "Torservers" project, which over the past years has grown
>into a global network of organizations that maintain server
>infrastructure for the open anonymization network Tor. Today,
>Zwiebelfreunde has taken over a very popular web gateway for Tor hidden
>services, onion.to.
>
>Tor hidden services provide anonymity for website owners, mail
>providers, chat systems and other Internet services. Hidden services are
>designed to be accessed using Tor Browser, which additionally provides
>anonymity for users of the service. Web gateways such as onion.to
>provide a convenient way to reach hidden services using a regular
>browser without having to install Tor. A side effect is that the broad
>world of hidden services is exposed to search engines and can thus be
>indexed and found. The trade-off is that users lose anonymity: Both the
>gateway and the hidden service can track users across visits, and
>determine the user's IP address. That is why Zwiebelfreunde strongly
>encourages people to download Tor Browser instead.
>
>"By exposing hidden services to the public, we hope to attract even more
>users and widen the spectrum of available services within the Tor
>network," says Zwiebelfreunde founder and president Moritz Bartl. "I
>can imagine privacy-friendly email services to be based fully on hidden
>services in the future, for example."
>
>The current gateway server is located in Iceland, and another one will
>be added in the near future.
>
>https://www.onion.to/
>
>An example hidden service can be found at
>https://duskgytldkxiuqc6.onion.to/
>
># Zwiebelfreunde e.V.
>
>The German non-profit association Zwiebelfreunde e.V. serves as a
>platform for projects in the area of safe and anonymous communication.
>The organization facilitates and participates in educational events
>about technological advances in the area of privacy, and connects
>professionals to spread knowledge and experience on these fields.
>
>"Zwiebelfreunde" is German for "Friends of the Onion", as a reference to
>Onion Routing, the name of the concept behind Tor for anonymizing
>communication: Messages are passed through relays that each remove one
>layer of encryption, like peeling the skin of an onion.
>
># Contact
>
>Moritz Bartl
>Zwiebelfreunde e.V.
>c/o DID Dresdner Institut für Datenschutz
>Palaisplatz 3
>D-01097 Dresden
>Germany
>
>press at torservers.net
>Tel.: +49-(0)351 / 212 960 18
>Fax.: +49-(0)911 / 308 4466 748
>http://www.torservers.net/
>http://www.twitter.com/torservers/
>
>
>
>------------------------------
>
>Message: 44
>Date: Tue, 13 Aug 2013 15:00:32 -0400
>From: Joseph Lorenzo Hall <joe at cdt.org>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: [liberationtech] ICANN and WHOIS reform...
>Message-ID: <520A8250.30803 at cdt.org>
>Content-Type: text/plain; charset=windows-1252
>
>Hi all,
>
>I didn't see any individuals or orgs from libtech comment to ICANN on
>the recent report to reform WHOIS. I wanted to put this on your
>collective radar if it's of interest to you.
>
>TL;DR: ICANN is working on reforming WHOIS, and their Experts' Working
>Group has come up with a pretty bad proposal, in our opinion. It would
>centralize validated registrant data and streamline "legitimate" access
>to this data. It would do things that appear almost entirely motivated
>by law enforcement and intellectual property interests, without much
>consideration of the interests of individual and non-commercial
>registrants.
>
>I'm including our blog post below... and a link to the 6-page comment
>that is our critique of their proposal. This was joint work with a
>marvelous CDT intern, a super-technical law student at Berkeley, Joe
>Mornin. He's behind http://latexforlawyers.org/ and many good things to
>come.
>
>----
>PDF of full comments:
>https://www.cdt.org/files/pdfs/20130812_whois_comments-cdt.pdf
>
>Blog post... (links in original)
>
>https://www.cdt.org/blogs/joseph-lorenzo-hall/1308icann-must-do-better-job-privacy-and-whois
>
>ICANN Must Do a Better Job with Privacy and WHOIS
>
>by Joseph Lorenzo Hall
>August 13, 2013
>
>In June, an Expert Working Group (EWG) with ICANN, the entity that
>controls the allocation of domain names and IP addresses on the Internet,
>released a report that proposed extensive changes to the WHOIS system.
>WHOIS allows anyone to look up details on who owns a domain name (e.g.,
>the cdt.org WHOIS entry). The EWG asked for public input in response to
>their report and yesterday CDT submitted comments critical of the draft
>report, specifically focusing on serious privacy concerns.
>
>WHOIS, which was developed way back in 1982, initially served as a
>mechanism to identify who operated certain servers to make it easier to
>get contact information of these operators in case something technical
>went awry. These days, with many, many millions of domain names in
>operation and many more on the horizon, WHOIS is showing its age in a
>number of respects. For example, for personal domain registrants (e.g.,
>josephall.org) WHOIS essentially reports sensitive contact information,
>notably email addresses, postal addresses, and phone numbers. It's
>widely known that WHOIS data is highly inaccurate; many individual
>domain name registrants provide inaccurate data to avoid having their
>personal information broadcast to the world (to be fair, spammers and
>scammers also provide inaccurate data to avoid scrutiny). Many others
>(like me!) use proxy services that mask personal information but that
>still allow email and postal mail to eventually be routed to them
>through the proxy provider.
>
>The EWG was chartered to provide possible solutions for a revamped WHOIS
>that would better address privacy, security, and accessibility of WHOIS
>data. The draft report proposed a centralized, validated WHOIS system
>with a gated access model where registrant data would be made freely
>available. In our comments we raised a number of concerns about this
>approach and offered recommendations, including:
>
> The current WHOIS system raises privacy and free expression concerns
>by requiring registrants to disclose sensitive information. The EWG
>report does a good job of outlining use cases for access to currently
>available registrant data, but we think it should also reexamine what
>data must be available today, in light of the vastly more complex modern
>Internet environment.
> The proposed privacy scheme and validation of registrants is
>unnecessary and unworkable. Instead, ICANN should protect registrants'
>privacy by default. We believe that individual registrants
>(noncommercial entities) should not have any information disclosed by
>default other than what is needed for the proper technical functioning
>of the domain name system.
> A centralized system is unnecessary and unstable. The gatekeeper
>under the new proposal would be a poor substitute for existing legal
>processes because the WHOIS database operator would likely lack the
>capacity to identify and/or reject illegitimate or overly broad
>requests. ICANN is unique and must act in an extra-jurisdictional
>capacity, so it is difficult to see how this new WHOIS would deal with,
>for example, a Chinese law enforcement request targeting a citizen of
>another country.
>
>Additionally, the EWG focused on a single model for a new registrant
>database, rather than a suite of possible models for the public and
>stakeholders to consider. This greatly limits the conversation that can
>be had around possible enhancements to WHOIS. We encourage ICANN to
>consider multiple solutions to this complicated problem and believe the
>EWG should be explicitly re-tasked with recommending a number of
>additional models in light of feedback they receive, not just the one
>current flawed proposal.
>
>
>--
>Joseph Lorenzo Hall
>Senior Staff Technologist
>Center for Democracy & Technology
>1634 I ST NW STE 1100
>Washington DC 20006-4011
>(p) 202-407-8825
>(f) 202-637-0968
>joe at cdt.org
>PGP: https://josephhall.org/gpg-key
>fingerprint: BE7E A889 7742 8773 301B 4FA1 C0E2 6D90 F257 77F8
>
>
>
>
>------------------------------
>
>Message: 45
>Date: Tue, 13 Aug 2013 15:25:55 -0500
>From: Francisco Ruiz <ruiz at iit.edu>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] Does anyone know a celebrity who feels
> strongly about privacy issues?
>Message-ID:
> <CAAO5Wsz4iVKYXhei00OtiG0HN+oQN=uwWip31ATz9jpmWaEw6A at mail.gmail.com>
>Content-Type: text/plain; charset="windows-1252"
>
>Hi Kyle, don't take it so hard. I asked this question so _everybody_ who'd
>like to try the celebrity video trick would be able to collect a few
>likely candidates. Likely others will beat me to it.
>
>On Mon, Aug 12, 2013 at 7:29 PM, Kyle Maxwell <kylem at xwell.org> wrote:
>
>> I didn't know LibTech had become the PassLok development mailing list.
>>
>> On Mon, Aug 12, 2013 at 6:26 PM, Collin Anderson
>> <collin at averysmallbird.com> wrote:
>> > The problem with occasionally looking at Huffington Post is that I'm
>> > subjected to such things...
>> >
>> > Matt Damon:
>> >
>> > "He broke up with me," the "Elysium" star said. "There are a lot of
>> > things that I really question, you know: the legality of the drone
>> > strikes, and these NSA revelations they're, you know, it's like,
>> > they're, you know, Jimmy Carter came out and said we don't live in a
>> > democracy. That's, that's a little, that's a little intense when an
>> > ex-president says that. So, you know, he's got some, some explaining
>> > to do, particularly for a constitutional law professor."
>> >
>> > http://www.huffingtonpost.com/2013/08/09/matt-damon-obama-broke-up-with-me_n_3732426.html?utm_hp_ref=entertainment
>> >
>> >
>> > On Mon, Aug 12, 2013 at 11:44 PM, Yishay Mor <yishaym at gmail.com>
>>wrote:
>> >>
>> >> Cory Doctorow
>> >>
>> >> ----- sent from my phone.
>> >>
>> >> On Aug 12, 2013 9:33 PM, "Francisco Ruiz" <ruiz at iit.edu> wrote:
>> >>>
>> >>> Quick request.
>> >>>
>> >>> In comments to a recent post, people seemed to agree that
>> >>> publishing a video of someone reading a hash might be a fairly
>> >>> hard-to-hack way to deliver that hash to the public, and thus assure
>> >>> the authenticity of a piece of code, a public key, or whatnot. The
>> >>> problem is that the sample youtube video I linked had yours truly
>> >>> reading the hash, and people naturally objected that I wasn't Justin
>> >>> Bieber and, consequently, weren't too convinced that the video was
>> >>> authentic.
>> >>>
>> >>> Aside from the fact that an adversary might be able to convince
>> >>> Justin Bieber to make a video reading a fake hash (not that I believe
>> >>> Justin doesn't care; it's just a hypothesis), the idea of getting a
>> >>> celebrity for this kind of video has a lot of merit. I'd like to
>> >>> engage one for the next update of my app.
>> >>>
>> >>> So, here's my question. Does anyone know of a celebrity who cares
>> >>> enough about computer security to be persuaded to take one minute of
>> >>> his/her time to read a hash before a camera?
>> >>>
>> >>> Thanks a million!
>> >>>
>> >>> --
>> >>> Francisco Ruiz
>> >>> Associate Professor
>> >>> MMAE department
>> >>> Illinois Institute of Technology
>> >>>
>> >>>
>> >>>
>> >>> PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMapJFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok
>> >>>
>> >>> get the PassLok privacy app at: http://passlok.com
>> >>>
>> >>> --
>> >>> Liberationtech is a public list whose archives are searchable on
>> Google.
>> >>> Violations of list guidelines will get you moderated:
>> >>> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
>> Unsubscribe,
>> >>> change to digest, or change password by emailing moderator at
>> >>> companys at stanford.edu.
>> >>
>> >>
>> >
>> >
>> >
>> >
>> > --
>> > Collin David Anderson
>> > averysmallbird.com | @cda | Washington, D.C.
>> >
>>
>>
>>
>> --
>> @kylemaxwell
>>
>
>
>
>--
>Francisco Ruiz
>Associate Professor
>MMAE department
>Illinois Institute of Technology
>
>PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMapJFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok
>
>get the PassLok privacy app at: http://passlok.com
>
>------------------------------
>
>Message: 46
>Date: Tue, 13 Aug 2013 15:37:19 -0500
>From: Francisco Ruiz <ruiz at iit.edu>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] Does anyone know a celebrity who feels
> strongly about privacy issues?
>Message-ID:
> <CAAO5Wsxz95TRJwFAs1aH=udxZ1J6qmRDGbF+qd3P7xC=Jg68EQ at mail.gmail.com>
>Content-Type: text/plain; charset="iso-8859-1"
>
>Hi Guido,
>
>This looks very interesting, but I have trouble understanding it. Can you
>give me a sample URL where this is being shown in action?
>
>Many thanks.
>
>On Mon, Aug 12, 2013 at 4:34 PM, Guido Witmond <guido at witmond.nl> wrote:
>
>> Dear professor Ruiz.
>>
>>
>> The real issue is to create an *easy* way to do hash validation
>> correctly. Reading a hash on youtube is not going to make it.
>>
>> You use HTTPS without DNSSEC and DANE. Please use those first. It solves
>> a lot of your server validation issues. At least it allows your users'
>> browsers to validate code44.com.
>>
>> I repeat: Hashes are for computers, not for people.
>>
>>
>>
>> Plugging my own warez: I believe I've come up with a way to do DNSSEC
>> and DANE in combination with a certificate repository. It allows the
>> browser to validate the authenticity of a server certificate.
>>
>> When validated it can be sure that the javascript found at a page is
>> indeed that what the page-author wanted. Please see:
>>
>>
>> http://eccentric-authentication.org/blog/2013/03/23/Cryptographic-same-origin-policy.html
>>
>>
>> And please ask if anything is unclear. I love to receive comments on
>> where I'm right or wrong.
>>
>> Regards, Guido.
>>
>>
>>
>
>
>
>--
>Francisco Ruiz
>Associate Professor
>MMAE department
>Illinois Institute of Technology
>
>PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMapJFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok
>
>get the PassLok privacy app at: http://passlok.com
>
>------------------------------
>
>Message: 47
>Date: Tue, 13 Aug 2013 22:37:14 +0100
>From: Bernard Tyers - ei8fdb <ei8fdb at ei8fdb.org>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] [Dewayne-Net] Are Hackers the Next
> Bogeyman Used to Scare Americans Into Giving Up More Rights?
>Message-ID: <74F5DB36-8061-457D-8177-9E7ADCE31FE6 at ei8fdb.org>
>Content-Type: text/plain; charset="us-ascii"
>
>Haven't "hackers" always been portrayed in a way to scare people? * If
>it's not DDoSing script kiddies, it's zombie-network-owning Latvian
>mafias..
>
>If this *is* the case, how can General Alexander go to Blackhat 2013 and
>say (paraphrasing) "we (CIA) use the same tools as you do. Help us
>protect America by teaching us rad haxoring skills."?
>
>
>*: I still have a problem with the incorrect use of the word hacker
>here..but it's already passed into common usage.
>
>
>
>On 12 Aug 2013, at 22:55, michael gurstein <gurstein at gmail.com> wrote:
>
>> -----Original Message-----
>> From: dewayne-net at warpspeed.com [mailto:dewayne-net at warpspeed.com] On
>> Behalf Of Dewayne Hendricks
>> Sent: Tuesday, August 13, 2013 4:32 AM
>> To: Multiple recipients of Dewayne-Net
>> Subject: [Dewayne-Net] Are Hackers the Next Bogeyman Used to Scare
>> Americans Into Giving Up More Rights?
>>
>> Are Hackers the Next Bogeyman Used to Scare Americans Into Giving Up
>> More Rights?
>> Has "terrorism" grown a little stale as an all purpose boogeyman?
>> By Digby
>> Aug 12 2013
>>
>> <http://www.alternet.org/are-hackers-next-bogeyman-used-scare-americans-giving-more-rights>
>>
>> Marcy Wheeler has been speculating for a very long time that the real
>> purpose of all this NSA collection isn't terrorism, it's hacking. These
>> comments last week from Michael Hayden lend a lot of credence to that
>> theory in my eyes:
>>
>> "If and when our government grabs Edward Snowden, and brings him back
>> here to the United States for trial, what does this group do?" said
>> retired air force general Michael Hayden, who from 1999 to 2009 ran the
>> NSA and then the CIA, referring to "nihilists, anarchists, activists,
>> Lulzsec, Anonymous, twentysomethings who haven't talked to the opposite
>> sex in five or six years".
>> "They may want to come after the US government, but frankly, you know,
>> the dot-mil stuff is about the hardest target in the United States,"
>> Hayden said, using a shorthand for US military networks. "So if they
>> can't create great harm to dot-mil, who are they going after? Who for
>> them are the World Trade Centers? The World Trade Centers, as they were
>> for al-Qaida."
>>
>> That's just a tiny bit overwrought for an allegedly serious expert,
>> don't you think? In fact, it sounds like the kind of thing we heard from
>> various members of the Bush administration during the early days after
>> 9/11. And it certainly indicates, as Wheeler has been speculating, that
>> the government is stretching the terrorism laws to include hacking. They
>> certainly are using the same histrionic language to describe it.
>>
>> Under Hayden, the NSA began to collect, among other things, the phone
>> records and internet data of Americans without warrants after 9/11, a
>> drastic departure from its traditional mission of collecting foreign
>> intelligence. A variety of technically sophisticated collection and
>> analysis programs, codenamed Stellar Wind, were the genesis of several
>> of the NSA efforts that Snowden disclosed to the Guardian and the
>> Washington Post.
>>
>> [snip]
>>
>> Dewayne-Net RSS Feed: <http://www.warpspeed.com/wordpress>
>>
>>
>>
>
>--------------------------------------
>Bernard / bluboxthief / ei8fdb
>
>IO91XM / www.ei8fdb.org
>
>
>------------------------------
>
>Message: 48
>Date: Tue, 13 Aug 2013 17:54:14 -0400
>From: Joseph Lorenzo Hall <joe at cdt.org>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: [liberationtech] Speculation as to what the US government
> ordered Lavabit to do?
>Message-ID: <520AAB06.3090804 at cdt.org>
>Content-Type: text/plain; charset=ISO-8859-1
>
>I don't think I've seen educated speculation here about what the court
>order that Lavabit received actually ordered them to do. Here is my own
>guess and I'm wondering if people have thoughts.
>
>First, from an interview with Ladar Levison (
>http://possibility.com/LavabitArchitecture.html ) it seems clear that
>they wrote ciphertext to disk for each message in a user's account:
>
>"* Do you use any particularly cool technologies or algorithms?
>
>The way we encrypt messages before storing them is relatively unique.
>We only know of one commercial service, and one commercial product that
>will secure user data using asymmetric encryption before writing it to
>disk. Basically we generate public and private keys for the user and
>then encrypt the private key using a derivative of the plain text
>password. We then encrypt user messages using their public key before
>writing them to disk. (Alas, right now this is only available to paid
>users.)"
>
>So, in excruciating detail I read this to mean:
>
>1. When a user signs up, they create a log-in password.
>2. The system creates a key pair.
>3. The private key is encrypted symmetrically using some hard variant of
>the log-in password.
>4. Both keys stored to disk. Clear private key wiped from memory on
>log-out.
>5. Whenever a message is stored for the user (regardless of login
>state), the system encrypts it with the public key.
>6. When a user logs in, their login password is turned into the hard
>variant and used to symmetrically decrypt the private key. This private
>key is placed in secure memory, etc.
>7. When the user views a message (or presumably searches an encrypted
>index of messages), it uses the private key in memory to decrypt it.
>8. When the user logs out, the private key in memory is wiped.
>
>This means that access to decrypted message content was only
>available when a user was logged in. From a surveillance perspective,
>this means that the private key would have to be read from memory or
>during the write to memory. (I still don't know how password changes
>would work here... maybe they just re-encrypt the private key with the
>new hard variant?)
>
>This is all to say that I suspect the government's order requested
>ongoing access to the private key(s) in memory for some subset of
>Lavabit users, such that they could ask in the future for the encrypted
>contents of those users' accounts and easily look up these private keys
>to get the message cleartext.
>
>It's unclear to me if this would require an order that ordered Lavabit
>to write software to do this (e.g., a backdoor), but it sounds like
>that's the case. And it seems clear that by shutting down the service
>last week, no one can log-in again such that their ciphertext is safe.
>
>best, Joe
>
>--
>Joseph Lorenzo Hall
>Senior Staff Technologist
>Center for Democracy & Technology
>1634 I ST NW STE 1100
>Washington DC 20006-4011
>(p) 202-407-8825
>(f) 202-637-0968
>joe at cdt.org
>PGP: https://josephhall.org/gpg-key
>fingerprint: BE7E A889 7742 8773 301B 4FA1 C0E2 6D90 F257 77F8
>
>
>
>
>------------------------------
>
>Message: 49
>Date: Tue, 13 Aug 2013 16:54:54 -0500
>From: Francisco Ruiz <ruiz at iit.edu>
>To: liberationtech <liberationtech at lists.stanford.edu>
>Subject: Re: [liberationtech] In defense of client-side encryption
>Message-ID:
> <CAAO5WsyPOCvaE8HY9MWwMMfVpz9V_D3XdOPKMCSxZTQ8NJe9OQ at mail.gmail.com>
>Content-Type: text/plain; charset="iso-8859-1"
>
>Hi Steve. I want to thank you for taking your time to help me. Your
>comments are awesome. May I follow up with some short questions, right
>after some of your comments?
>
>Many thanks in advance.
>
>On Mon, Aug 12, 2013 at 7:18 PM, Steve Weis <steveweis at gmail.com> wrote:
>
>> Francisco, you assume that all browsers will save a static version of
>> the page identically. This is not the case.
>>
>> I ran a test using 'wget https://passlok.site44.com' and Chrome's "Save
>> As". The former will actually match the hash value you've posted, but
>> the latter does not.
>>
>> I spotted at least 5 differences in Chrome's saved output:
>> 1. Unicode: wget returned escaped Unicode characters. Chrome saved
>> output containing actual Unicode characters. Your suggested method of
>> cutting from view-source and pasting into a text editor may be
>> unpredictable, and dependent on a user's OS and locale.
>>
>
>I think the Unicode characters got in when I added the qr.js code, which
>had comments in Korean ;-) Do you think it's maybe best to get rid of
>anything that is not strict ASCII? The code doesn't need any special
>characters.
>
>
>> 2. Relative link re-writing: wget returned relative links. Chrome
>> replaced them with absolute links, so that links work locally.
>>
>
>I've toyed with the idea of making absolute the couple relative links in
>there: the png for making a mobile icon, and the help page. Maybe it's
>better if they are absolute so the browser doesn't change them, uh?
>
>
>> 3. Whitespace: Chrome stripped out some whitespace.
>>
>
>I've tried to make super-sure that the code has no leading and no trailing
>spaces or linefeeds, so maybe wget is adding spaces?
>
>> 4. Style rewriting: Chrome replaced some style elements like
>> "background-color: #FFA0A0" with "rgb(230, 255, 230);".
>> 5. Chrome extensions: I have locally installed extensions that modify
>> page contents, e.g. AdBlock and DoNotTrackMe. My locally saved copy of
>> Passlok had elements that were injected into it by some extensions.
>>
>> Any of these will break your manual hash validation. These are specific
>> to my version of Chrome, but other browsers may alter saved content
>> similarly.
>>
>
>I've spent a lot of time making the code run nice and polishing the user
>interface. I didn't suspect code validation was going to be this
>difficult.
>Truth is, most users are never going to bother with validating the code,
>but a few will care intensely about this.
>
>
>>
>> To work, you must assume that your user has a local client (say wget or
>> curl) that can save a canonical copy of your page without modification.
>> Browsers do not guarantee this. Then you must assume the user has a
>> locally installed tool to compute the hash, like sha256sum or openssl.
>> Then they would need to point their browser at the locally downloaded
>> file to actually use it.
>>
>> If you depend on locally installed software outside the browser and use
>> local storage, the user is better off just using locally installed
>> software to do the crypto.
>>
>> PS - I noticed some oddness glancing through the source. For example,
>> the makepub() function strips 6 bits of a Base64-encoded leading 0 for
>> no apparent reason. The rest of the code has to remember to keep adding
>> back in the missing Base64 character or else it will break. The only
>> reason I can think of someone doing this is because they didn't
>> understand why the randomly generated Base64 value always started with
>> 'A'.
>>
>
>Ah, you saw that. It's the elliptic curve output. SJCL handles points and
>exponents as complex recursive objects. In order to display them for the
>user, I extract the data and convert it into base64. For reasons that I
>don't fully understand (probably having to do with 521, the true bit
>length of the elliptic curve numbers, not being divisible by 6), those
>strings always start with "A". Since I intensely dislike displaying
>supposedly random-looking strings that always begin with the same
>character, I strip it, but instruct the functions that read those strings
>from the interface to add it again before they do any calculations.
>
>Thanks again, Steve!
>
>
>>
>> On Sun, Aug 11, 2013 at 7:37 PM, Francisco Ruiz <ruiz at iit.edu> wrote:
>>
>>> I still have to read through the references you supply, but I can
>>> already see a misconception. They refer to the dangers of carrying out
>>> cryptography with javascript-containing dynamic pages. My previous
>>> posting referred to _perfectly static_ pages, which are supposed to be
>>> always the same coming from the server, not modified by the browser in
>>> any way, and which, in fact, you can save and store somewhere safe and
>>> never again have to get from the server. I believe the intrinsic
>>> security of this kind of javascript code is no different from that of
>>> compiled code, which also should be checked for tampering, so long as
>>> it uses standard functions that are not likely to be modified in
>>> browser updates. Sorry about the confusion.
>>>
>>>
>>
>
>
>
>--
>Francisco Ruiz
>Associate Professor
>MMAE department
>Illinois Institute of Technology
>
>PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMapJFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok
>
>get the PassLok privacy app at: http://passlok.com
>
>------------------------------
>
>
>End of liberationtech Digest, Vol 168, Issue 2
>**********************************************