[liberationtech] Secure alternatives to Dropbox?
Tony Arcieri
bascule at gmail.com
Wed Aug 14 14:32:24 PDT 2013
git-annex is an interesting tool for this purpose that can talk to any
number of secure backends (e.g. Tahoe-LAFS)
http://git-annex.branchable.com/
On Wed, Aug 14, 2013 at 2:01 PM, Web Admin <webadmin at cpj.org> wrote:
> Libtech,
>
> With all the breaches that services like Dropbox have, some people suggest
> that creating your own cloud storage system is a way to avoid all that.
> I've heard of PogoPlug (https://pogoplug.com), which you can use to store
> all your data on an external hard drive and access it via a web interface
> or see the drive as another volume on your computer. I've also read about
> OwnCloud (http://owncloud.org), which lets you install open source
> software on a web server of your choice.
>
> Are either of these services a more secure alternative to 3rd party
> services like DropBox? My reasoning is that a hacker would first need to
> know you host your own cloud in a particular way to attack it. Is my
> thinking too simplistic? Are there other services to consider? Activists
> and journalists are the typical groups who use dropbox, not considering
> the risks they are taking. It would be good to be able to advise folks on
> more secure alternatives, if they exist. I'm looking for options that are
> easy to use; many journalists/activists won't use something complicated
> (which is of course an issue).
>
> Any thoughts/criticism welcome. Thank you.
>
>
>
> On 8/13/13 5:55 PM, "liberationtech-request at lists.stanford.edu"
> <liberationtech-request at lists.stanford.edu> wrote:
>
> >Send liberationtech mailing list submissions to
> > liberationtech at lists.stanford.edu
> >
> >To subscribe or unsubscribe via the World Wide Web, visit
> > https://mailman.stanford.edu/mailman/listinfo/liberationtech
> >or, via email, send a message with subject or body 'help' to
> > liberationtech-request at lists.stanford.edu
> >
> >You can reach the person managing the list at
> > liberationtech-owner at lists.stanford.edu
> >
> >When replying, please edit your Subject line so it is more specific
> >than "Re: Contents of liberationtech digest..."
> >
> >
> >Today's Topics:
> >
> > 1. Iran's Internet and the Politics of a New President
> > (Collin Anderson)
> > 2. Re: In defense of client-side encryption (Tom O)
> > 3. Re: In defense of client-side encryption (Steve Weis)
> > 4. Re: Does anyone know a celebrity who feels strongly about
> > privacy issues? (Kyle Maxwell)
> > 5. Re: In defense of client-side encryption (Arjen Kamphuis)
> > 6. Re: Does anyone know a celebrity who feels strongly about
> > privacy issues? (Tony Arcieri)
> > 7. Re: rsync.net Warrant Canary (adrelanos)
> > 8. Re: rsync.net Warrant Canary (adrelanos)
> > 9. Re: rsync.net Warrant Canary (Ali-Reza Anghaie)
> > 10. Adam Curtis on the nature of espionage (Gregory Foster)
> > 11. Re: rsync.net Warrant Canary (Gregory Maxwell)
> > 12. Is spideroak really zero-knowledge? (Percy Alpha)
> > 13. Re: rsync.net Warrant Canary (Noon Silk)
> > 14. Re: Is spideroak really zero-knowledge? (Tom O)
> > 15. Re: Is spideroak really zero-knowledge? (Tony Arcieri)
> > 16. Re: Is spideroak really zero-knowledge? (Percy Alpha)
> > 17. Re: Is spideroak really zero-knowledge? (Percy Alpha)
> > 18. Re: Is spideroak really zero-knowledge? (Patrick Mylund Nielsen)
> > 19. Re: Is spideroak really zero-knowledge? (Tony Arcieri)
> > 20. Re: Is spideroak really zero-knowledge? (Tom O)
> > 21. Re: Is spideroak really zero-knowledge? (Percy Alpha)
> > 22. Re: Can JavaScript cryptography be trusted? (was: In defense
> > of client-side encryption) (Nadim Kobeissi)
> > 23. Re: Is spideroak really zero-knowledge? (Tony Arcieri)
> > 24. Re: Lavabit, Silent Circle both shut down (Ralph Holz)
> > 25. Re: Does anyone know a celebrity who feels strongly about
> > privacy issues? (Michael Rogers)
> > 26. Re: Does anyone know a celebrity who feels strongly about
> > privacy issues? (David Miller)
> > 27. Re: Is spideroak really zero-knowledge? (elijah)
> > 28. Re: Lavabit, Silent Circle both shut down (taxakis)
> > 29. Re: Petition Google over banning "Servers" on Google Fiber?
> > (KheOps)
> > 30. Swiss VPNs (was: Re: Lavabit, Silent Circle both shut down)
> > (Moritz Bartl)
> > 31. Re: Swiss VPNs (was: Re: Lavabit, Silent Circle both shut
> > down) (taxakis)
> > 32. Re: Swiss VPNs (Moritz Bartl)
> > 33. Re: Is spideroak really zero-knowledge? (Patrick Baxter)
> > 34. Re: From Snowden's email provider. NSL??? (Reed Black)
> > 35. Snowden: Unencrypted Journalist-Source Communications
> > "Unforgivably Reckless" (Nadim Kobeissi)
> > 36. Re: Does anyone know a celebrity who feels strongly about
> > privacy issues? (Lina Srivastava)
> > 37. Re: Snowden: Unencrypted Journalist-Source Communications
> > "Unforgivably Reckless" (Amaelle G)
> > 38. Re: Snowden: Unencrypted Journalist-Source Communications
> > "Unforgivably Reckless" (James S. Tyre)
> > 39. verifying SSL certs was Re: In defense of client-side
> > encryption (Guido Witmond) (Andy Isaacson)
> > 40. Internet Policy Observatory: Call for Proposals (Collin Anderson)
> > 41. Re: Snowden: Unencrypted Journalist-Source Communications
> > "Unforgivably Reckless" (Micah Lee)
> > 42. Re: Lavabit, Silent Circle both shut down (Arjen Kamphuis)
> > 43. Zwiebelfreunde take over popular onion.to Tor gateway
> > (Moritz Bartl)
> > 44. ICANN and WHOIS reform... (Joseph Lorenzo Hall)
> > 45. Re: Does anyone know a celebrity who feels strongly about
> > privacy issues? (Francisco Ruiz)
> > 46. Re: Does anyone know a celebrity who feels strongly about
> > privacy issues? (Francisco Ruiz)
> > 47. Re: [Dewayne-Net] Are Hackers the Next Bogeyman Used to Scare
> > Americans Into Giving Up More Rights? (Bernard Tyers - ei8fdb)
> > 48. Speculation as to what the US government ordered Lavabit to
> > do? (Joseph Lorenzo Hall)
> > 49. Re: In defense of client-side encryption (Francisco Ruiz)
> >
> >
> >----------------------------------------------------------------------
> >
> >Message: 1
> >Date: Tue, 13 Aug 2013 01:54:43 +0200
> >From: Collin Anderson <collin at averysmallbird.com>
> >To: "liberationtech at lists.stanford.edu"
> > <liberationtech at lists.stanford.edu>
> >Subject: [liberationtech] Iran's Internet and the Politics of a New
> > President
> >Message-ID:
> > <CAC+VsLu9o9w03rWrpJZt7WhSG7=9CqMq0p_9O2ETz5r7o+wZRg at mail.gmail.com>
> >Content-Type: text/plain; charset="windows-1252"
> >
> >Libtech,
> >
> >Some of you might be interested in the latest Small Media Infrastructure
> >report, which covers the time between election day and inauguration.
> >Unlike
> >the prior report, which was heavily technical, this iteration largely
> >focuses on the vibrant policy discussion happening around the state
> >infrastructure monopoly, the cancelation of the official VPN service, the
> >release of the officially banned items list, etc. To promote discourse
> >about the expectations and opportunities under Rouhani's administration,
> >we
> >are planning how to open participation, so if you are interested, please
> >get in touch.
> >
> >http://www.smallmedia.org.uk/sites/default/files/u8/iiipjune.pdf
> >
> >*In our previous, election edition of the Iranian Internet Infrastructure
> >and Policy Report, we document the application and relaxation of controls
> >on Internet connectivity and communications timed with the June 14
> >Presidential polls. Despite the introduction of new mechanisms to block
> >tools used to bypass the filtering mechanism, by July the Internet had
> >returned to its previous state of affairs that existed before February.
> >From technical assessments and the reports of social media users, VPNs and
> >circumvention software appears to operate normally for many, with specific
> >restrictions still placed on the Tor network and unconfirmed reports of
> >difficulties with Google's Android services and Viber. Conflicting
> >accounts
> >of blocking (and unblocking), most likely reflect the decentralization of
> >some forms of filtering down to the level of ISPs. Whereas Parsonline may
> >feel legally authorized to remove restrictions on VPNs, Shatel and others
> >may not. This theme follows for throttling, outages, attacks against
> >users and the sporadic reports of the unfiltering of social networks that
> >have occurred across the month. Consequently, this report focuses on Iran,
> >the politics leading up to the transition of presidencies after the
> >election and the refocusing of the state on non-technical, legal means of
> >policing content.*
> >
> >
> >Cordially,
> >Colin
> >--
> >*Collin David Anderson*
> >averysmallbird.com | @cda | Washington, D.C.
> >-------------- next part --------------
> >An HTML attachment was scrubbed...
> >URL:
> ><http://mailman.stanford.edu/pipermail/liberationtech/attachments/20130813/c7de2725/attachment-0001.html>
> >
> >------------------------------
> >
> >Message: 2
> >Date: Tue, 13 Aug 2013 09:58:33 +1000
> >From: Tom O <winterfilth at gmail.com>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] In defense of client-side encryption
> >Message-ID:
> > <CAH4Aj8o_q1KZMOLmBwjq7WHZQZGPPB6TFMg8dCYM5nn4jmv8bg at mail.gmail.com>
> >Content-Type: text/plain; charset="iso-8859-1"
> >
> >That's not a good enough reason to trust Germany.
> >
> >They had the capability to create it and the audacity to implement it on
> >their own populace.
> >
> >You know what the outrage taught them, learn to hide your tracks better.
> >
> >Ensuring privacy is not a requirement of the state anymore, it's the
> >responsibility of the citizen.
> >
> >On Tuesday, August 13, 2013, Arjen Kamphuis wrote:
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> On 08/13/2013 12:48 AM, Tom O wrote:
> >> > So re Germany being the bastion of Internet freedom blah blah, are
> >> > we all forgetting about the Staatstrojaner?
> >>
> >> No we are not. But the difference between Germany and many other
> >> countries is the outrage and debate such information creates in the
> >> country. In the Netherlands when these kinds of things happen everyone
> >> just says: 'but I have nothing to hide'.
> >>
> >> Government assholes can be found in any country. It's how the
> >> population responds that makes the difference. When Governor Bush took
> >> power in 2000 almost no-one protested. That was a big mistake. 'Drive
> >> it like you stole it' says the bumpersticker. And the Bush team did.
> >>
> >> I'm not saying everything is fine in Deutschland. Compared to any
> >> other western countries the population is just much more aware of the
> >> importance to say: stop! to their government every now and then.
> >> German churches still bear marks from bombs and bullets to remind them
> >> what ultimately happens when they don't.
> >>
> >>
> >> - --
> >> Met vriendelijke groet/With kind regards,
> >> Arjen Kamphuis
> >> Gendo B.V.
> >>
> >> Main: +31 20 891 0330
> >> mail: arjen at gendo.ch
> >>
> >> gendo.ch (website)
> >> gendo.nl/blog/arjen (Dutch blog)
> >> gendo.ch/en/blog/arjen (English blog)
> >>
> >> about.me/arjenkamphuis (social media)
> >>
> >> files.gendo.nl/keys/arjen at gendo.ch.asc (public key)
> >> PGP fingerprint:
> >> 55FB B3B7 949D ABF5 F31B BA1D 237D 4C50 118A 0EC2
> >>
> >> Gendo BV Wibautstraat 150, 1091 GR Amsterdam The Netherlands
> >> P please consider the environment before printing this email
> >> ============================================================
> >> This e-mail message and its attachments are subject to the disclaimer
> >> published at the following website of Gendo:
> >> http://www.gendo.nl/disclaimer Gendo B.V. is registered with the trade
> >> register in The Netherlands under number 28116864.
> >> -----BEGIN PGP SIGNATURE-----
> >> Version: GnuPG v1.4.11 (GNU/Linux)
> >> Comment: Using GnuPG with undefined - http://www.enigmail.net/
> >>
> >> iIcBAEBAgAGBQJSCXSgAAoJECN9TFARig7CNGsQAIr3OTYm9KwQUppBb/Kg77Vc
> >> uVpDA6zhi2ThQQEnC/7pel7I45rh/6Z/Onwaerw2FfAbZYpTOJDlC1Z8M/ou9CP5
> >> e4zbk17Dmu8UWZovjf5yLg8LyGBf3wPr6rOW2/LafWlQfofkIlUmptiXGWgDcISw
> >> A+p9vpUYpDgN3wSjh9IFAAXvxW8MM0dx7Y5s2QBe3jiodHQMoRqX39+BxoArKnr8
> >> K3Cc5JuqaWTjUtZ6H/Va4/ltdUkW8cSF4PJEWKmzf/a47W/RYKRALqqsUUU6LJNE
> >> JRTRRgFad0VRQw0b9p/EyeYpow5ppjBMw1HUMWCNduHKjhmjC0uSPwEvyzSoAL2b
> >> o9RF5xLfR3TW8wQ/Z5vbQXNoR+ePSZCxB8RjRzfZXQxT27iQ6Z2EflTl7jJNkYH4
> >> G9+pDrZ+EHTOzS97Qp7dZmaSHsDlRVYHdboRuDmulylEXJgMC/wqRkcltYO8rIu0
> >> 06nX9u9CLt0+AqN016hg2KpAa2LNBONq0EZ/0jJq1Ze58bLkaX4YojzGM3U8l3Tx
> >> gqVKsUiPovkfJgzXR+lkOJaeJJjHmGnTX4q0qixelS/ck3PDWWr4Gc3ns7JEYkIk
> >> cFjNRmK9UZmwt2pdPT86D+Ei2QMAzTLw41yktBdQ3sggNrdXgjkBpMLwDI6cBO1
> >> T1kNkzPdjwP3lfEdgCiF
> >> =5gIb
> >> -----END PGP SIGNATURE-----
> >> --
> >> Liberationtech is a public list whose archives are searchable on Google.
> >> Violations of list guidelines will get you moderated:
> >> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> >> Unsubscribe, change to digest, or change password by emailing moderator
> >> at companys at stanford.edu.
> >>
> >-------------- next part --------------
> >An HTML attachment was scrubbed...
> >URL:
> ><http://mailman.stanford.edu/pipermail/liberationtech/attachments/20130813/70d14440/attachment-0001.html>
> >
> >------------------------------
> >
> >Message: 3
> >Date: Mon, 12 Aug 2013 17:18:12 -0700
> >From: Steve Weis <steveweis at gmail.com>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] In defense of client-side encryption
> >Message-ID:
> > <CACJAJ59u8=8qoVcUoq4v4O72--jBE7SP8tymh_CT3r1i4vGSUw at mail.gmail.com>
> >Content-Type: text/plain; charset="iso-8859-1"
> >
> >Francisco, you assume that all browsers will save a static version of the
> >page identically. This is not the case.
> >
> >I ran a test using 'wget https://passlok.site44.com' and Chrome's "Save
> >As". The former will actually match the hash value you've posted, but the
> >latter does not.
> >
> >I spotted at least 5 differences in Chrome's saved output:
> >1. Unicode: wget returned escaped Unicode characters. Chrome saved output
> >containing actual Unicode characters. Your suggested method of cutting
> >from
> >view-source and pasting into a text editor may be unpredictable, and
> >dependent on a user's OS and locale.
> >2. Relative link re-writing: wget returned relative links. Chrome replaced
> >them with absolute links, so that links work locally.
> >3. Whitespace: Chrome stripped out some whitespace.
> >4. Style rewriting: Chrome replaced some style elements like
> >"background-color: #FFA0A0" with "rgb(230, 255, 230);".
> >5. Chrome extensions: I have locally installed extensions that modify page
> >contents, e.g. AdBlock and DoNotTrackMe. My locally saved copy of Passlok
> >had elements that were injected into it by some extensions.
> >
> >Any of these will break your manual hash validation. These are specific to
> >my version of Chrome, but other browsers may alter saved content
> >similarly.
> >
> >To work, you must assume that your user has a local client (say wget or
> >curl) that can save a canonical copy of your page without modification.
> >Browsers do not guarantee this. Then you must assume the user has a
> >locally
> >installed tool to compute the hash, like sha256sum or openssl. Then they
> >would need to point their browser at the locally downloaded file to
> >actually use it.
> >
> >If you depend on locally installed software outside the browser and use
> >local storage, the user is better off just using locally installed
> >software
> >to do the crypto.
> >
> >PS - I noticed some oddness glancing through the source. For example, the
> >makepub() function strips 6 bits of a Base64-encoded leading 0 for no
> >apparent reason. The rest of the code has to remember to keep adding back
> >in the missing Base64 character or else it will break. The only reason I
> >can think of someone doing this is because they didn't understand why the
> >randomly generated Base64 value always started with 'A'.
> >
> >On Sun, Aug 11, 2013 at 7:37 PM, Francisco Ruiz <ruiz at iit.edu> wrote:
> >
> >> I still have to read through the references you supply, but I can
> >> already see a misconception. They refer to the dangers of carrying out
> >> cryptography with javascript-containing dynamic pages. My previous
> >> posting referred to _perfectly static_ pages, which are supposed to be
> >> always the same coming from the server, not modified by the browser in
> >> any way, and which, in fact, you can save and store somewhere safe and
> >> never again have to get from the server. I believe the intrinsic
> >> security of this kind of javascript code is no different from that of
> >> compiled code, which also should be checked for tampering, so long as it
> >> uses standard functions that are not likely to be modified in browser
> >> updates. Sorry about the confusion.
> >>
> >>
> >-------------- next part --------------
> >An HTML attachment was scrubbed...
> >URL:
> ><http://mailman.stanford.edu/pipermail/liberationtech/attachments/20130812/4d55201d/attachment-0001.html>
> >
> >------------------------------
> >
> >Message: 4
> >Date: Mon, 12 Aug 2013 19:29:19 -0500
> >From: Kyle Maxwell <kylem at xwell.org>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] Does anyone know a celebrity who feels
> > strongly about privacy issues?
> >Message-ID:
> > <CAESvgEq3gJmyBb3ThkB=NB8+d6qeZZ01E4pT9FB1mZdhA-pi9g at mail.gmail.com>
> >Content-Type: text/plain; charset=windows-1252
> >
> >I didn't know LibTech had become the PassLok development mailing list.
> >
> >On Mon, Aug 12, 2013 at 6:26 PM, Collin Anderson
> ><collin at averysmallbird.com> wrote:
> >> The problem with occasionally looking at Huffington Post is that I'm
> >> subjected to such things...
> >>
> >> Matt Damon:
> >>
> >> "He broke up with me," the "Elysium" star said. "There are a lot of
> >> things that I really question, you know: the legality of the drone
> >> strikes, and these NSA revelations they're, you know, it's like, they're,
> >> you know, Jimmy Carter came out and said we don't live in a democracy.
> >> That's, that's a little, that's a little intense when an ex-president
> >> says that. So, you know, he's got some, some explaining to do,
> >> particularly for a constitutional law professor."
> >>
> >>
> >>
> >>
> >> http://www.huffingtonpost.com/2013/08/09/matt-damon-obama-broke-up-with-me_n_3732426.html?utm_hp_ref=entertainment
> >>
> >>
> >> On Mon, Aug 12, 2013 at 11:44 PM, Yishay Mor <yishaym at gmail.com> wrote:
> >>>
> >>> Cory Doctorow
> >>>
> >>> ----- sent from my phone.
> >>>
> >>> On Aug 12, 2013 9:33 PM,"Francisco Ruiz" <ruiz at iit.edu> wrote:
> >>>>
> >>>> Quick request.
> >>>>
> >>>> In comments to a recent post, people seemed to agree that publishing a
> >>>> video of someone reading a hash might be a fairly hard-to-hack way to
> >>>> deliver that hash to the public, and thus assure the authenticity of
> >>>> a piece of code, a public key, or whatnot. The problem is that the
> >>>> sample youtube video I linked had yours truly reading the hash, and
> >>>> people naturally objected that I wasn't Justin Bieber and,
> >>>> consequently, weren't too convinced that the video was authentic.
> >>>>
> >>>> Aside from the fact that an adversary might be able to convince Justin
> >>>> Bieber to make a video reading a fake hash (not that I believe Justin
> >>>> doesn't care; it's just a hypothesis), the idea of getting a
> >>>> celebrity for this kind of video has a lot of merit. I'd like to
> >>>> engage one for the next update of my app.
> >>>>
> >>>> So, here's my question. Does any one know of a celebrity who cares
> >>>> enough about computer security to be persuaded to take one minute of
> >>>> his/her time to read a hash before a camera?
> >>>>
> >>>> Thanks a million!
> >>>>
> >>>> --
> >>>> Francisco Ruiz
> >>>> Associate Professor
> >>>> MMAE department
> >>>> Illinois Institute of Technology
> >>>>
> >>>>
> >>>>
> >>>>PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMap
> >>>>JFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok
> >>>>
> >>>> get the PassLok privacy app at: http://passlok.com
> >>>>
> >>>> --
> >>>> Liberationtech is a public list whose archives are searchable on
> >>>>Google.
> >>>> Violations of list guidelines will get you moderated:
> >>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> >>>>Unsubscribe,
> >>>> change to digest, or change password by emailing moderator at
> >>>> companys at stanford.edu.
> >>>
> >>>
> >>> --
> >>> Liberationtech is a public list whose archives are searchable on
> >>>Google.
> >>> Violations of list guidelines will get you moderated:
> >>> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> >>>Unsubscribe,
> >>> change to digest, or change password by emailing moderator at
> >>> companys at stanford.edu.
> >>
> >>
> >>
> >>
> >> --
> >> Collin David Anderson
> >> averysmallbird.com | @cda | Washington, D.C.
> >>
> >> --
> >> Liberationtech is a public list whose archives are searchable on Google.
> >> Violations of list guidelines will get you moderated:
> >> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> >>Unsubscribe,
> >> change to digest, or change password by emailing moderator at
> >> companys at stanford.edu.
> >
> >
> >
> >--
> >@kylemaxwell
> >
> >
> >------------------------------
> >
> >Message: 5
> >Date: Tue, 13 Aug 2013 02:43:08 +0200
> >From: Arjen Kamphuis <arjen at gendo.ch>
> >To: liberationtech at lists.stanford.edu
> >Subject: Re: [liberationtech] In defense of client-side encryption
> >Message-ID: <5209811C.1030902 at gendo.ch>
> >Content-Type: text/plain; charset=ISO-8859-1
> >
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> >On 08/13/2013 01:58 AM, Tom O wrote:
> >> That's not a good enough reason to trust Germany.
> >
> >And I don't. I trust the German people to stand up when it counts.
> >Because they know the consequence of failing to do so.
> >
> >> Ensuring privacy is not a requirement of the state anymore, it's
> >> the responsibility of the citizen.
> >
> >I fully agree. But this requires a population cognitively capable of
> >acknowledging the problem. So it's all about political and historical
> >awareness.
> >
> >In the Netherlands and the UK people think privacy is something you
> >need so you can masturbate without others knowing. In Germany people
> >understand that privacy is needed so people can resist their
> >government if that ever becomes important again.
> >
> >People just have to get used to the counterintuitive idea that one can
> >flee *to* Germany in the face of encroaching corporatism/fascism ;-)
> >
> >
> >- --
> >Met vriendelijke groet/With kind regards,
> >Arjen Kamphuis
> >Gendo B.V.
> >
> >Main: +31 20 891 0330
> >mail: arjen at gendo.ch
> >
> >gendo.ch (website)
> >gendo.nl/blog/arjen (Dutch blog)
> >gendo.ch/en/blog/arjen (English blog)
> >
> >about.me/arjenkamphuis (social media)
> >
> >files.gendo.nl/keys/arjen at gendo.ch.asc (public key)
> >PGP fingerprint:
> >55FB B3B7 949D ABF5 F31B BA1D 237D 4C50 118A 0EC2
> >
> >Gendo BV Wibautstraat 150, 1091 GR Amsterdam The Netherlands
> >P please consider the environment before printing this email
> >============================================================
> >This e-mail message and its attachments are subject to the disclaimer
> >published at the following website of Gendo:
> >http://www.gendo.nl/disclaimer Gendo B.V. is registered with the trade
> >register in The Netherlands under number 28116864.
> >-----BEGIN PGP SIGNATURE-----
> >Version: GnuPG v1.4.11 (GNU/Linux)
> >Comment: Using GnuPG with undefined - http://www.enigmail.net/
> >
> >iQIcBAEBAgAGBQJSCYEcAAoJECN9TFARig7CsqQP/0nJ07+uQ8Kah8TAfmwhbQHL
> >hkZXMB4nUonufyp0nn/Ld/GfVitjDZuuskFqiNOU+Cj2gm/JyEPHFAToAZANSwjE
> >UBycuCGToqKWS9w/WUZcMF+KFqgNXtSMRvQF5hMj0ldpYE2LLIMS/RwG2BcEK2Lc
> >w80fJabUzZ9ETQfs+PS8SeMcNU+TegFKSrGx0WmOQ1EkrwkW4GFDorDCYU4A4PNW
> >05uMgIINQCJVg+XDopsorq6GFwE114J8dvlBr6AQUv6rDbbEBlCL4Yy16HgwC2xX
> >QvA/EqmmxD2TfrjNS/DpBxTOA172deH/bnwR430MY21+AFGRXiPZI9FlVf3DOqBr
> >LCWG3epO4l2VNR9Opa9SEe3vZ6X3Fe3aGwlq7N0XPb0Z26fxyPAoGanKJJASRN5H
> >tUm0cIJD8HUPh9vIC2SpLvtpvbFVLlejM34oDEWMx549q+lwQKWRi1Ake81fk6Fa
> >w9mkteG4jIu0kiBOVlG5WHNCcOiPm1s6vbOsahw11fBmC1amhrrA/VQeekhR+/Ds
> >6nQeueTpRPWy/9Jy2yrqZ/fOnfvlWI6QQX3bAmgrX8nv03jp9lx30TzWBTORUQwg
> >YV9OzxQhdo8VN7J7nBUZqM3Q4fcy58+6Xq5LF7z+83Ficcq+EfpSvJnnr8Hdcrfi
> >JVDvD6zMwoayAta1ski5
> >=3MQ6
> >-----END PGP SIGNATURE-----
> >
> >
> >------------------------------
> >
> >Message: 6
> >Date: Mon, 12 Aug 2013 18:58:33 -0700
> >From: Tony Arcieri <bascule at gmail.com>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] Does anyone know a celebrity who feels
> > strongly about privacy issues?
> >Message-ID:
> > <CAHOTMVL6qL59zdpWhyYJtfgx0qminyh9AEvwV0v2Cj+sPbAdbw at mail.gmail.com>
> >Content-Type: text/plain; charset="iso-8859-1"
> >
> >Penn Jillette
> >
> >
> >On Mon, Aug 12, 2013 at 1:32 PM, Francisco Ruiz <ruiz at iit.edu> wrote:
> >
> >> Quick request.
> >>
> >> In comments to a recent post, people seemed to agree that publishing a
> >> video of someone reading a hash might be a fairly hard-to-hack way to
> >> deliver that hash to the public, and thus assure the authenticity of a
> >> piece of code, a public key, or whatnot. The problem is that the sample
> >> youtube video I linked had yours truly reading the hash, and people
> >> naturally objected that I wasn't Justin Bieber and, consequently,
> >>weren't
> >> too convinced that the video was authentic.
> >>
> >> Aside from the fact that an adversary might be able to convince Justin
> >> Bieber to make a video reading a fake hash (not that I believe Justin
> >> doesn't care; it's just a hypothesis), the idea of getting a celebrity
> >>for
> >> this kind of video has a lot of merit. I'd like to engage one for the
> >>next
> >> update of my app.
> >>
> >> So, here's my question. Does any one know of a celebrity who cares
> >>enough
> >> about computer security to be persuaded to take one minute of his/her
> >>time
> >> to read a hash before a camera?
> >>
> >> Thanks a million!
> >>
> >> --
> >> Francisco Ruiz
> >> Associate Professor
> >> MMAE department
> >> Illinois Institute of Technology
> >>
> >>
> >>
> >>PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hLoZKv+jaCFMapJF
> >>fiA11Q9yJU1K1Wo0TbjXK/=PL13lok
> >>
> >> get the PassLok privacy app at: http://passlok.com
> >>
> >> --
> >> Liberationtech is a public list whose archives are searchable on Google.
> >> Violations of list guidelines will get you moderated:
> >> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> >> Unsubscribe, change to digest, or change password by emailing moderator
> >> at companys at stanford.edu.
> >>
> >
> >
> >
> >--
> >Tony Arcieri
> >-------------- next part --------------
> >An HTML attachment was scrubbed...
> >URL:
> ><http://mailman.stanford.edu/pipermail/liberationtech/attachments/20130812/305c9e09/attachment-0001.html>
> >
> >------------------------------
> >
> >Message: 7
> >Date: Tue, 13 Aug 2013 02:56:57 +0000
> >From: adrelanos <adrelanos at riseup.net>
> >To: liberationtech at lists.stanford.edu
> >Subject: Re: [liberationtech] rsync.net Warrant Canary
> >Message-ID: <5209A079.3060600 at riseup.net>
> >Content-Type: text/plain; charset=ISO-8859-1
> >
> >Moritz Bartl:
> >> Nice idea. I would use a trusted timestamp instead of a headline, but
> >> anyway. What do you think, should I do this for torservers.net/onion.to?
> >>
> >> http://www.rsync.net/resources/notices/canary.txt
> >>
> >> rsync.net will also make available, weekly, a "warrant canary" in the
> >> form of a cryptographically signed message containing the following:
> >>
> >> - a declaration that, up to that point, no warrants have been served,
> >> nor have any searches or seizures taken place
> >>
> >> - a cut and paste headline from a major news source, establishing date
> >>
> >> Special note should be taken if these messages ever cease being updated,
> >> or are removed from this page.
> >
> >Would it make sense to add a declaration, that no one [more
> >specifically, non-trolls in position to ask] asked to backdoor the
> >server or software?
> >
> >Or to have a separate declaration for this?
> >
> >
> >------------------------------
> >
> >Message: 8
> >Date: Tue, 13 Aug 2013 02:53:56 +0000
> >From: adrelanos <adrelanos at riseup.net>
> >To: liberationtech at lists.stanford.edu
> >Subject: Re: [liberationtech] rsync.net Warrant Canary
> >Message-ID: <52099FC4.1040207 at riseup.net>
> >Content-Type: text/plain; charset=ISO-8859-1
> >
> >Moritz Bartl:
> >> Nice idea. I would use a trusted timestamp instead of a headline, but
> >> anyway. What do you think, should I do this for torservers.net/onion.to?
> >>
> >> http://www.rsync.net/resources/notices/canary.txt
> >>
> >> rsync.net will also make available, weekly, a "warrant canary" in the
> >> form of a cryptographically signed message containing the following:
> >>
> >> - a declaration that, up to that point, no warrants have been served,
> >> nor have any searches or seizures taken place
> >>
> >> - a cut and paste headline from a major news source, establishing date
> >>
> >> Special note should be taken if these messages ever cease being updated,
> >> or are removed from this page.
> >
> >Awesome! However euphoric I may be about this...
> >
> >Might there be a chance for getting sued for this?
> >
> >If this is safe, it would be awesome if all major pages could implement
> >this. torservers.net, torproject.org, truecrypt.org, gnupg.org, etc.
> >
> >
> >------------------------------
> >
> >Message: 9
> >Date: Tue, 13 Aug 2013 00:09:37 -0400
> >From: Ali-Reza Anghaie <ali at packetknife.com>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] rsync.net Warrant Canary
> >Message-ID:
> > <CAPKVt5+xWq-ZTUkohvXuqY0_8CP=6gVxvSSote=ZCwXvkC1e-Q at mail.gmail.com>
> >Content-Type: text/plain; charset=ISO-8859-1
> >
> >On Mon, Aug 12, 2013 at 10:53 PM, adrelanos <adrelanos at riseup.net> wrote:
> >> Awesome! However euphoric I may be about this...
> >>
> >> Might there be a chance for getting sued for this?
> >>
> >> If this is safe, it would be awesome if all major pages could implement
> >> this. torservers.net, torproject.org, truecrypt.org, gnupg.org, etc.
> >
> >My thoughts are that if you're interesting enough to an authority -
> >they would likely be aware of such canary in use. And ppl have to be
> >aware of it for it to be useful.
> >
> >If you don't publicize it as a "feature" until after you've been
> >served papers, they'll call it obstruction.
> >
> >And I would think an NSL that could tell you to preserve anything -
> >could also tell you to keep this file in a running state.
> >
> >I think it's a neat idea but I anticipate just this thread alone
> >triggered someone to add this warning to a SOP somewhere to mitigate
> >against in legalese. -Ali
> >
> >
> >------------------------------
> >
> >Message: 10
> >Date: Mon, 12 Aug 2013 23:22:05 -0500
> >From: Gregory Foster <gfoster at entersection.org>
> >To: effaustin-discuss at lists.effaustin.org
> >Cc: liberationtech at lists.stanford.edu
> >Subject: [liberationtech] Adam Curtis on the nature of espionage
> >Message-ID: <5209B46D.1050608 at entersection.org>
> >Content-Type: text/plain; charset=UTF-8
> >
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA512
> >
> >BBC Blogs (Aug 8) - "BUGGER: Maybe The Real State Secret Is That Spies
> >Aren't Very Good At Their Jobs and Don't Know Very Much About The
> >World" by Adam Curtis:
> >http://www.bbc.co.uk/blogs/adamcurtis/posts/BUGGER
> >
> >It's really nice to see Adam Curtis weigh in on recent events from his
> >high-bandwidth cybershell plugged directly into the BBC archives
> >mainframe. As usual, the documentary filmmaker and media maestro
> >presents an unconventional take on events in long form that will leave
> >you confused or better informed and often both.
> >
> >In this installment, his long arc points out the manner in which
> >secrecy breeds confusion, suspicion, and treachery; and contrasts that
> >with the open force of love most of us are more familiar with. Or as
> >he puts it,
> >
> >> In fact in many cases [the history of spies] is the story of
> >> weirdos who have created a completely mad version of the world that
> >> they then impose on the rest of us.
> >
> >He also has some trenchant warnings for journalists who tend to enjoy
> >hearing and relaying fantastic stories: they may be serving to
> >reinforce and perpetuate illusions of hidden power and secret
> >knowledge, keeping intelligence budgets high even though the
> >recipients are unable to demonstrate results (that's a state secret).
> >More succinctly, Curtis cites one historian's description of a
> >particularly credulous journalist's relationship with anonymous
> >government sources:
> >
> >> "[He was a] kind of official urinal in which ministers and
> >> intelligence and defence chiefs could stand patiently leaking."
> >
> >I'm reminded of AP reporter Adam Goldman's statement during the
> >confusion sown by the Daily Beast's reporting on a top sekrit AQAP
> >"Legion of Doom" conference call that turned out not to be a call at all:
> >https://twitter.com/adamgoldmanap/status/365115189709910016
> >
> >> As one former senior CIA official once told me: "Who says we can't
> >> lie to reporters? It's not a crime."
> >
> >Yet despite the punking, Curtis leaves a piece of cheese for
> >journalists at the end of his maze.
> >
> >HT Eugen Leitl via Cypherpunks (thanks!)
> >gf
> >
> >- --
> >Gregory Foster || gfoster at entersection.org
> >@gregoryfoster <> http://entersection.com/
> >-----BEGIN PGP SIGNATURE-----
> >Version: GnuPG/MacGPG2 v2.0.19 (Darwin)
> >Comment: GPGTools - http://gpgtools.org
> >
> >iQIcBAEBCgAGBQJSCbRrAAoJEMaAACmjGtgjVvkQAJoofjCKrrvvLjPMDpL+KP/s
> >oxE8CxO6pcS2QNjwvSIW7oTmd3xpPaOrU7SkMerWwxJMay4LoxO9gsZggm60fiho
> >nl1tCYZp+T/rIoTF/fBXUJSQOFpW7eH0NwADv7ofbSfTKLcXNT3qXT50zkFwf09s
> >sldqtzzFPERtJJkcz3YbqjilZA2WFbb4gaCTemEQz2ZnJ+18EnocDl/SyKipje7p
> >xUEKwVgoLeIf0ynOWPNYop0hSsc6Dmsy2iNi02G4e1KdR5T39Qgg99Ucs4K4EseD
> >wbIInqEA05GomOpV1PP5cChZ3sUykIfNxTN0J6ZQcN6iP9k/GxL/pXgfkuMR0j7p
> >Gd333uDL85e+vmH/a7fvXggzXVYo9fJ0WCIgQy3pXbm3BJkm0JAY2Lp3BUbE/9Z6
> >PzlYkNZmTAUu6MPOBiC0vesxuVlYgMkkbLENBpCLw/NHVh++S/eP3kx2p3jgF8D+
> >fcyjJQ/3x13Aa/TfrmyoIZlgBGYdC5Ld0lan16de+apSPCPwC6dp+TGvYhsjRio7
> >lzfEN5eNTEU3nFk4VURB/wPT0ViB0W+0KpSMinL89DqtejVP5aeQP9m3+iue3sKV
> >/ReSq1cyn7vOiOH+aP4gTV7wklQrTlft4TESd/ceMQMQraZOPidRN7R2HW/5Vhf0
> >y8npV0XyDdwT3vfqg+iF
> >=w36q
> >-----END PGP SIGNATURE-----
> >
> >
> >------------------------------
> >
> >Message: 11
> >Date: Mon, 12 Aug 2013 21:24:48 -0700
> >From: Gregory Maxwell <greg at xiph.org>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] rsync.net Warrant Canary
> >Message-ID: <CAAS2fgQYypKVYOZc38GXTV+_=Pu5u02T-ms9Q9VqAwVWD7y=SQ at mail.gmail.com>
> >Content-Type: text/plain; charset=UTF-8
> >
> >On Mon, Aug 12, 2013 at 7:53 PM, adrelanos <adrelanos at riseup.net> wrote:
> >> Awesome! However euphoric I may be about this...
> >> Might there be a chance for getting sued for this?
> >> If this is safe, it would be awesome if all major pages could implement
> >> this. torservers.net, torproject.org, truecrypt.org, gnupg.org, etc.
> >
> >Courts, in general, don't usually seem too pleased with "games". What
> >happens if you get ordered to lie with one of these canaries?
> >
> >My guess is that you're no better off with a canary that you may be
> >explicitly forced to keep up, or retrospectively get nailed for
> >removing, than you would be just being--"oops"--sloppy with your
> >document management practices and letting the NSL get out. ("You mean
> >I don't put this document in my public DMCA notice folder??") The
> >kind of party who isn't willing to take the risk of intentionally or
> >"accidentally" breaching their secrecy order isn't going to take the
> >risk of actually following through with their canary procedure. And if
> >you are willing to take those risks, you don't need the canary.
> >
> >As a result, a canary probably gives a false sense of security. With
> >that in mind, I think there are ethical problems with putting up a
> >canary unless you can say to yourself, in advance, that even if you
> >were specifically ordered to fake it you'd violate the order (or
> >preserve the intent of your commitment by shutting down completely).
> >
> >It's also possible that your integrity could be compromised by a
> >planted employee who is working for another interest. As a user I
> >wouldn't give these canaries much credibility - in fact, the parties who
> >can most easily post canaries, with the least risk, are the ones
> >running outright honeypots. "Absolutely 100% guaranteed to not be a
> >spy!" As a user I wouldn't demand my service providers face jail time
> >for ignoring a canary preservation order either, so I shouldn't expect
> >them to... so I shouldn't expect canaries to be very useful.
> >
> >Better to build systems that are structurally secure and can't easily
> >be silently compromised, and encourage people to migrate to those
> >where possible - and assume every non-structurally secure system is
> >compromised already.
> >
> >
> >------------------------------
> >
> >Message: 12
> >Date: Mon, 12 Aug 2013 22:10:14 -0700
> >From: Percy Alpha <percyalpha at gmail.com>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: [liberationtech] Is spideroak really zero-knowledge?
> >Message-ID: <CACAJzve6mXesjtMJkAnwzOWfX0wHKS1myCiY6Ndv1dnosc+FSw at mail.gmail.com>
> >Content-Type: text/plain; charset="utf-8"
> >
> >Spideroak claims to use client-side encryption for the desktop client but
> >doesn't use a zero-knowledge password proof for mobile Apps or the website
> >portal.
> >
> >In light of Lavabit, spideroak could also be forced to intercept passwords if
> >users ever use mobile Apps or website login while being gagged. Then all
> >encrypted data will be retroactively compromised.
> >
> >Percy Alpha(PGP <https://en.greatfire.org/contact#alt>)
> >GreatFire.org Team
> >
> >------------------------------
> >
> >Message: 13
> >Date: Tue, 13 Aug 2013 15:10:49 +1000
> >From: Noon Silk <noonslists at gmail.com>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] rsync.net Warrant Canary
> >Message-ID: <CADt_azamTwX1acuApX+MeL6VktyKT=bvAJC0bvCd74ixhfszJQ at mail.gmail.com>
> >Content-Type: text/plain; charset="windows-1252"
> >
> >On Tue, Aug 13, 2013 at 2:24 PM, Gregory Maxwell <greg at xiph.org> wrote:
> >
> >> On Mon, Aug 12, 2013 at 7:53 PM, adrelanos <adrelanos at riseup.net> wrote:
> >> > Awesome! However euphoric I may be about this...
> >> > Might there be a chance for getting sued for this?
> >> > If this is safe, it would be awesome if all major pages could implement
> >> > this. torservers.net, torproject.org, truecrypt.org, gnupg.org, etc.
> >>
> >> [...]
> >>
> >
> >
> >> Better to build systems that are structurally secure and can't easily
> >> be silently compromised, and encourage people to migrate to those
> >> where possible - and assume every non-structurally secure system is
> >> compromised already.
> >>
> >
> >Well said.
> >
> >Let's just all move to Tahoe-LAFS already.
> >
> >--
> >Noon Silk
> >
> >Fancy a quantum lunch? https://sites.google.com/site/quantumlunch/
> >
> >"Every morning when I wake up, I experience an exquisite joy - the joy
> >of being this signature."
> >
> >------------------------------
> >
> >Message: 14
> >Date: Tue, 13 Aug 2013 15:16:11 +1000
> >From: Tom O <winterfilth at gmail.com>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] Is spideroak really zero-knowledge?
> >Message-ID: <CAH4Aj8q+tKrBw6oBF63Or++AhMwPyNUtDuWzQ-fM40-bfE8Sow at mail.gmail.com>
> >Content-Type: text/plain; charset="windows-1252"
> >
> >Percy
> >
> >From https://spideroak.com/mobile
> >
> >"
> >How Mobile Works with SpiderOak's Zero Knowledge Policy
> >
> >Here's the deal: when accessing your data via the SpiderOak website or on
> >a mobile device you must enter your password. The password will then exist
> >in the SpiderOak server memory for the duration of your browsing session.
> >For this amount of time your password is stored in encrypted memory and
> >never written to an unencrypted disk. The moment your browsing session ends
> >your password is destroyed and no further trace is left.
> >
> >The instance above represents the only situation where your data could
> >potentially be readable to someone with access to the SpiderOak servers.
> >That said, no one except a select number of SpiderOak employees will ever
> >have access to the SpiderOak servers. To fully retain our 'zero-knowledge'
> >privacy, we recommend you always access your data via the SpiderOak
> >desktop application which downloads your data before decrypting it locally."
> >
> >
> >On Tue, Aug 13, 2013 at 3:10 PM, Percy Alpha <percyalpha at gmail.com> wrote:
> >
> >> Spideroak claims to use client-side encryption for the desktop client but
> >> doesn't use a zero-knowledge password proof for mobile Apps or the website
> >> portal.
> >>
> >> In light of Lavabit, spideroak could also be forced to intercept passwords
> >> if users ever use mobile Apps or website login while being gagged. Then
> >> all encrypted data will be retroactively compromised.
> >>
> >> Percy Alpha(PGP <https://en.greatfire.org/contact#alt>)
> >> GreatFire.org Team
> >>
> >> --
> >> Liberationtech is a public list whose archives are searchable on Google.
> >> Violations of list guidelines will get you moderated:
> >> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> >> Unsubscribe, change to digest, or change password by emailing moderator
> >> at companys at stanford.edu.
> >>
> >
> >------------------------------
> >
> >Message: 15
> >Date: Mon, 12 Aug 2013 22:25:26 -0700
> >From: Tony Arcieri <tony.arcieri at gmail.com>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] Is spideroak really zero-knowledge?
> >Message-ID: <CAHOTMV+pc+NyjJ9LHeKuWWJ1ysQPKA8pt-Anapdu9bkh=1aWBg at mail.gmail.com>
> >Content-Type: text/plain; charset="iso-8859-1"
> >
> >On Mon, Aug 12, 2013 at 10:10 PM, Percy Alpha <percyalpha at gmail.com>
> >wrote:
> >
> >> Spideroak claims to use client-side encryption for the desktop client but
> >> doesn't use a zero-knowledge password proof for mobile Apps or the website
> >> portal.
> >>
> >
> >SpiderOak (mis)uses the term "zero knowledge" to mean end-to-end (or
> >client-side) encryption. They aren't talking about a zero knowledge proof.
> >
> >The defense I've heard for SpiderOak using "zero knowledge" to mean this
> >is other people do it too, so it's okay.
> >
> >--
> >Tony Arcieri
> >
> >------------------------------
> >
> >Message: 16
> >Date: Mon, 12 Aug 2013 22:35:37 -0700
> >From: Percy Alpha <percyalpha at gmail.com>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] Is spideroak really zero-knowledge?
> >Message-ID: <CACAJzvfyH8=-hTRmuxTdqRv8QoU-eLob5c6bSF1yROTdBxsQMw at mail.gmail.com>
> >Content-Type: text/plain; charset="utf-8"
> >
> >@Tom, "For this amount of time your password is stored in encrypted
> >memory" but to actually use the key, the key has to be in plain-text form
> >for some time, during which it can be (forced to be) intercepted.
> >
> >If they can force Lavabit to intercept users' emails, why can't they ask
> >spideroak to secretly intercept users' mobile app login?
> >
> >------------------------------
> >
> >Message: 17
> >Date: Mon, 12 Aug 2013 22:36:59 -0700
> >From: Percy Alpha <percyalpha at gmail.com>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] Is spideroak really zero-knowledge?
> >Message-ID: <CACAJzvcsy2g7ZJuo7b7YWB37EZ1WNZzQKzmdm-Aq4fo7KhA3pA at mail.gmail.com>
> >Content-Type: text/plain; charset="utf-8"
> >
> >@Tony, they claim to use zero-knowledge password proof for desktop client,
> >but not for mobile or website. I wonder why, not accepted by App Store?
> >
> >------------------------------
> >
> >Message: 18
> >Date: Tue, 13 Aug 2013 01:38:44 -0400
> >From: Patrick Mylund Nielsen <cryptography at patrickmylund.com>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] Is spideroak really zero-knowledge?
> >Message-ID: <CAEw2jfwC3-yC=u81HQfg5LKJ3VKxVXPO_hESe1aLwG2L1Ox=YA at mail.gmail.com>
> >Content-Type: text/plain; charset="utf-8"
> >
> >On Tue, Aug 13, 2013 at 1:35 AM, Percy Alpha <percyalpha at gmail.com> wrote:
> >
> >> @Tom, "For this amount of time your password is stored in encrypted
> >> memory" but to actually use the key, the key has to be in plain-text
> >> form for some time, during which it can be (forced to be) intercepted.
> >>
> >> If they can force Lavabit to intercept users' emails, why can't they ask
> >> spideroak to secretly intercept users' mobile app login?
> >>
> >
> >They (or somebody else) can. So don't use mobile login.
> >
> >Curious why the regular client logic can't run on mobile. Too intensive to
> >decrypt metadata maybe?
> >
> >------------------------------
> >
> >Message: 19
> >Date: Mon, 12 Aug 2013 22:41:20 -0700
> >From: Tony Arcieri <tony.arcieri at gmail.com>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] Is spideroak really zero-knowledge?
> >Message-ID: <CAHOTMVJ+afb21+dxkfboLG5orF5HJnj=D3OihDuUEfOkZ6+ETQ at mail.gmail.com>
> >Content-Type: text/plain; charset="iso-8859-1"
> >
> >On Mon, Aug 12, 2013 at 10:36 PM, Percy Alpha <percyalpha at gmail.com>
> >wrote:
> >
> >> @Tony, they claim to use zero-knowledge password proof for desktop
> >> client, but not for mobile or website. I wonder why, not accepted by App Store?
> >>
> >
> >Can you please link specifically to what you're talking about? Their
> >marketing material is littered with the words "zero-knowledge" but as far
> >as I have ever seen the intended meaning is "we encrypt stuff client-side
> >before it hits the network"
> >
> >--
> >Tony Arcieri
> >
> >------------------------------
> >
> >Message: 20
> >Date: Tue, 13 Aug 2013 15:44:28 +1000
> >From: Tom O <winterfilth at gmail.com>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] Is spideroak really zero-knowledge?
> >Message-ID: <CAH4Aj8rVmYzCWrkh83nNf=JyHO4ap=bFXX=nopj80QDxYh8Ngg at mail.gmail.com>
> >Content-Type: text/plain; charset="iso-8859-1"
> >
> >I'm not saying they can't. I'm saying they acknowledge it, although the
> >way they do makes it seem as if it's a non-issue.
> >
> >I don't think it is.
> >
> >I prefer tahoe-lafs
> >
> >
> >On Tue, Aug 13, 2013 at 3:35 PM, Percy Alpha <percyalpha at gmail.com> wrote:
> >
> >> @Tom, "For this amount of time your password is stored in encrypted
> >> memory" but to actually use the key, the key has to be in plain-text
> >> form for some time, during which it can be (forced to be) intercepted.
> >>
> >> If they can force Lavabit to intercept users' emails, why can't they ask
> >> spideroak to secretly intercept users' mobile app login?
> >>
> >
> >------------------------------
> >
> >Message: 21
> >Date: Mon, 12 Aug 2013 23:02:50 -0700
> >From: Percy Alpha <percyalpha at gmail.com>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] Is spideroak really zero-knowledge?
> >Message-ID: <CACAJzvd9GjqDKBH_ns24SwDM4kzAAPYLPom8x3w5Fdg20494Kg at mail.gmail.com>
> >Content-Type: text/plain; charset="utf-8"
> >
> >@Tony,
> >"The secret that keeps your data accessible to you alone is your SpiderOak
> >password, which is never transmitted to SpiderOak in its original form."
> >https://spideroak.com/engineering_matters
> >
> >------------------------------
> >
> >Message: 22
> >Date: Tue, 13 Aug 2013 10:09:40 +0300
> >From: Nadim Kobeissi <nadim at nadim.cc>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] Can JavaScript cryptography be trusted? (was: In defense of client-side encryption)
> >Message-ID: <7D0C5E94-30EE-4949-87C7-3FEAAF35B5A3 at nadim.cc>
> >Content-Type: text/plain; charset="iso-8859-1"
> >
> >Quickly adding my blog post on the matter to this thread. Would love to
> >hear discussion regarding it:
> >
> >http://log.nadim.cc/?p=33
> >
> >NK
> >
> >On 2013-08-13, at 1:58 AM, Tony Arcieri <bascule at gmail.com> wrote:
> >
> >> On Mon, Aug 12, 2013 at 3:07 PM, Ali-Reza Anghaie <ali at packetknife.com>
> >>wrote:
> >> I'm sorry but aren't we spending a lot of time conflating code
> >> quality, secure coding practices, software distribution, .. with
> >> ~JavaScript in a browser~?
> >>
> >> I think the title of the thread has a lot to do with that. Fixed! ;)
> >>
> >> --
> >> Tony Arcieri
> >
> >
> >------------------------------
> >
> >Message: 23
> >Date: Tue, 13 Aug 2013 00:32:43 -0700
> >From: Tony Arcieri <bascule at gmail.com>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] Is spideroak really zero-knowledge?
> >Message-ID: <CAHOTMVKM5+Wn_TH3QqnYq6KcKM4WNSdWiP5OFGwLZH7ZV8VHOA at mail.gmail.com>
> >Content-Type: text/plain; charset="iso-8859-1"
> >
> >On Mon, Aug 12, 2013 at 11:02 PM, Percy Alpha <percyalpha at gmail.com>
> >wrote:
> >
> >> @Tony,
> >> "The secret that keeps your data accessible to you alone is your SpiderOak
> >> password, which is never transmitted to SpiderOak in its original form."
> >> https://spideroak.com/engineering_matters
> >>
> >
> >Again, they seem to be talking about client-side encryption here. A
> >zero-knowledge proof around a password looks a bit more like this:
> >
> >https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol#Protocol
> >
> >Short of implementing something like SRP they don't have a true "zero
> >knowledge" system IMO
> >
> >------------------------------
> >
> >Message: 24
> >Date: Tue, 13 Aug 2013 10:51:33 +0200
> >From: Ralph Holz <holz at net.in.tum.de>
> >To: liberationtech at lists.stanford.edu
> >Subject: Re: [liberationtech] Lavabit, Silent Circle both shut down
> >Message-ID: <5209F395.9020804 at net.in.tum.de>
> >Content-Type: text/plain; charset=ISO-8859-1
> >
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> >Hi Arjen,
> >
> >>> May I ask what Swiss providers would you recommend?
> >>
> >> (disclaimer: I am normally very hesitant to 'advertise' for
> >> specific companies since as a consultant I do my very best to
> >> remain independent from having any interest in procurement of
> >> specific products or services).
> >
> >Duly noted. :)
> >
> >> SwissVPN provides some nice VPN services but it is not the only
> >> VPN provider I use.
> >
> >That's the company I use, too - and ultimately the reason I am asking
> >because Chris Soghoian once told me that they log the connections.
> >This seems to be supported by this inquiry made in 2011:
> >
> >http://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/
> >
> >They log for 6 months and say they will respond to requests under
> >Swiss law.
> >
> >I would be surprised if other Swiss providers wouldn't do the same,
> >but I am very happy to hear otherwise?
> >
> >Ralph
> >
> >- --
> >Ralph Holz
> >I8 - Network Architectures and Services
> >Technische Universität München
> >http://www.net.in.tum.de/de/mitarbeiter/holz/
> >Phone +49.89.289.18043
> >PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
> >-----BEGIN PGP SIGNATURE-----
> >Version: GnuPG v1.4.14 (GNU/Linux)
> >Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
> >
> >iQEcBAEBAgAGBQJSCfOSAAoJEFIODINpsAPvznoH/jKnUEbbpS8Ahgl8dZ8OCE+g
> >QQSxeFSR1MRDaHYWaNkL/tSRpUZheI9wbSAZI0kU0dGyJXSvE9WHFNUmasNGi6DY
> >OT8XQxgcl/wQggAv1zGDFAlPImg0eJej8L6hRvtcZgGH6h9nkGyTenkdhjMohn6U
> >aCBp69dG31mvsIE8QHIe/EirVO+y1JY1D+0NoIz238VS4w9zZH5E6XZ1zEJ1KC7d
> >yF6lI73g5NQIcM3WIJjYJUrfaY+Nj8g+ZwBb50BEDbaUtny2jic/Gi5EjXD8c/UT
> >XnmcbeqHg+hDRGHF7cSAoFTKMbFDCr5Y4GeNQVQ4w/GQslxr6SK4fO6fqoG5K8E=
> >=1WXH
> >-----END PGP SIGNATURE-----
> >
> >
> >------------------------------
> >
> >Message: 25
> >Date: Tue, 13 Aug 2013 10:37:44 +0100
> >From: Michael Rogers <michael at briarproject.org>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] Does anyone know a celebrity who feels strongly about privacy issues?
> >Message-ID: <5209FE68.8030201 at briarproject.org>
> >Content-Type: text/plain; charset=ISO-8859-1
> >
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> >On 12/08/13 21:32, Francisco Ruiz wrote:
> >> So, here's my question. Does any one know of a celebrity who cares
> >> enough about computer security to be persuaded to take one minute
> >> of his/her time to read a hash before a camera?
> >
> >I'd like to second Guido's objection that most people don't know what
> >a hash is, or have the skills or software required to verify one, so
> >this isn't an effective security measure for most people.
> >
> >Even if it were, you'd have to ask the celebrity to read a new hash
> >for every version of the software, and the videos for old versions
> >could be used in a rollback attack.
> >
> >Cheers,
> >Michael
> >
> >-----BEGIN PGP SIGNATURE-----
> >Version: GnuPG v1.4.10 (GNU/Linux)
> >
> >iQEcBAEBAgAGBQJSCf5oAAoJEBEET9GfxSfMUB4H/RTrYX1we2t1p9+TeXm21GV2
> >OWJkZvWLvfDmJqf/utJNoFH4wgLkDvziWrTCqGWbuDlPlmLzNTvGvIZio9i82cUT
> >tja1bnmPr17BDz5Msn8d4/BFdjrV957e1S3P2Tqx8GGaZFAYCi5EX57Q7G2Lvphj
> >4NDkDOFEfwfQ38azsBNokdUXo5Ek98I2SXv2GG3ac8N1a2HBVpsHr3lqfsZLDTyS
> >LrwM6dPCEWV+kd8+VsOjokKB8y7o9lUjLMmOvMtM4dC9bak8OoDy+fkxWkmMf48v
> >KBRqsPN6rasEmDxGRDtLZN0CAzEMGcmndJDqMY4tV/v9IgnLRScaMJaz8Fsc8cY=
> >=7Qy4
> >-----END PGP SIGNATURE-----
> >
> >
> >------------------------------
> >
> >Message: 26
> >Date: Tue, 13 Aug 2013 10:52:49 +0100
> >From: David Miller <david at deadpansincerity.com>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] Does anyone know a celebrity who feels strongly about privacy issues?
> >Message-ID: <CAHwn12+1g863UgP+bsajCZWEgeYZVEEqPKVxPf7c0vmi7EQ8eQ at mail.gmail.com>
> >Content-Type: text/plain; charset="iso-8859-1"
> >
> >Maybe the celebrity could read the binary sequence of a compiled program,
> >and the user could take dictation into a simple command line script?
> >
> >
> >On 13 August 2013 10:37, Michael Rogers <michael at briarproject.org> wrote:
> >
> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1
> >>
> >> On 12/08/13 21:32, Francisco Ruiz wrote:
> >> > So, here's my question. Does any one know of a celebrity who cares
> >> > enough about computer security to be persuaded to take one minute
> >> > of his/her time to read a hash before a camera?
> >>
> >> I'd like to second Guido's objection that most people don't know what
> >> a hash is, or have the skills or software required to verify one, so
> >> this isn't an effective security measure for most people.
> >>
> >> Even if it were, you'd have to ask the celebrity to read a new hash
> >> for every version of the software, and the videos for old versions
> >> could be used in a rollback attack.
> >>
> >> Cheers,
> >> Michael
> >>
> >> -----BEGIN PGP SIGNATURE-----
> >> Version: GnuPG v1.4.10 (GNU/Linux)
> >>
> >> iQEcBAEBAgAGBQJSCf5oAAoJEBEET9GfxSfMUB4H/RTrYX1we2t1p9+TeXm21GV2
> >> OWJkZvWLvfDmJqf/utJNoFH4wgLkDvziWrTCqGWbuDlPlmLzNTvGvIZio9i82cUT
> >> tja1bnmPr17BDz5Msn8d4/BFdjrV957e1S3P2Tqx8GGaZFAYCi5EX57Q7G2Lvphj
> >> 4NDkDOFEfwfQ38azsBNokdUXo5Ek98I2SXv2GG3ac8N1a2HBVpsHr3lqfsZLDTyS
> >> LrwM6dPCEWV+kd8+VsOjokKB8y7o9lUjLMmOvMtM4dC9bak8OoDy+fkxWkmMf48v
> >> KBRqsPN6rasEmDxGRDtLZN0CAzEMGcmndJDqMY4tV/v9IgnLRScaMJaz8Fsc8cY=
> >> =7Qy4
> >> -----END PGP SIGNATURE-----
> >>
> >
> >
> >
> >--
> >Love regards etc
> >
> >David Miller
> >http://www.deadpansincerity.com
> >07854 880 883
> >
> >------------------------------
> >
> >Message: 27
> >Date: Tue, 13 Aug 2013 02:52:50 -0700
> >From: elijah <elijah at riseup.net>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] Is spideroak really zero-knowledge?
> >Message-ID: <520A01F2.4040808 at riseup.net>
> >Content-Type: text/plain; charset=UTF-8
> >
> >On 08/13/2013 12:32 AM, Tony Arcieri wrote:
> >
> >> On Mon, Aug 12, 2013 at 11:02 PM, Percy Alpha <percyalpha at gmail.com
> >> <mailto:percyalpha at gmail.com>> wrote:
> >>
> >> @Tony,
> >> "The secret that keeps your data accessible to you alone is your
> >> SpiderOak password, which is never transmitted to SpiderOak in its
> >> original form." https://spideroak.com/engineering_matters
> >>
> >>
> >> Again, they seem to be talking about client-side encryption here. A
> >> zero-knowledge proof around a password looks a bit more like this:
> >>
> >> https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol#Protocol
> >>
> >> Short of implementing something like SRP they don't have a true "zero
> >> knowledge" system IMO
> >
> >Curious, they used to actually include some notes on how they use a zero
> >knowledge proof for authentication, but it has been taken down.
> >Waybackmachine has the old text:
> >
> >http://web.archive.org/web/20130430135938/https://spideroak.com/engineering_matters
> >
> >Perhaps they changed how they do authentication.
> >
> >-elijah
> >
> >
> >------------------------------
> >
> >Message: 28
> >Date: Tue, 13 Aug 2013 13:16:15 +0200
> >From: "taxakis" <taxakis at gmail.com>
> >To: "'liberationtech'" <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] Lavabit, Silent Circle both shut down
> >Message-ID: <00f101ce9816$86d19e30$9474da90$@com>
> >Content-Type: text/plain; charset="iso-8859-1"
> >
> >Hi guys:
> >
> >Safe and secure are relevant. But, Arjen is absolutely right, Switzerland
> >is at the moment the best place to have your materials hosted. It's also
> >the place Silent Circle looks at. And one where Wikileaks is hosted. Some
> >on this list still have doubts, even about Switzerland. Never a bad idea
> >to be paranoid of course, but there are some logical reasons why Switzerland
> >is a good choice. Here are the main ones:
> >
> >The Swiss are well known for their bank secrecy. A fact which is hated and
> >regularly contested by the E.U. and the U.S. Banks in CH need to be
> >extremely careful in guarding their own nation's interests, of which
> >banking, tourism, cheese and watch making are core values. There are some
> >pretty harsh rules in place to protect those interests. Of course when there
> >is a major crime the Swiss police cooperate with other nations. But saving
> >money in a bank is definitely not seen as a crime. And so far as I know there
> >is not any remote chance that the U.S. and/or the E.U. will be able to force
> >a change. Like lately by levying huge fines on the UBS bank. They try
> >though :)
> >
> >There is yet another reason. And that is because Switzerland is the second
> >seat nation of the United Nations, while being itself not a member, only
> >observer to U.N. The U.S. has many times (as also revealed by Snowden)
> >attempted to bribe Swiss officials and business people and/or coerce them.
> >The CIA has been fairly active, but to no avail. The Swiss have also taken
> >serious countermeasures against intrusions. This hostile behavior from the
> >U.S. towards Switzerland is taken seriously into account as well. It isn't
> >really productive to enhance friendships.
> >
> >Then Switzerland still feels abused by the U.S., in particular by the NSA,
> >because of the Crypto AG affair of some decennia back. Search the web to
> >get the historical details. Whatever happened, happened, but it was surely
> >not in the core interest of the Swiss people.
> >
> >And finally, once every year there is a meeting of all chiefs and directors
> >of (western) European intelligence services, called the Club du Berne, in
> >Switzerland. Switzerland was chosen as a meeting place because of its
> >impartiality and integrity. Surely, one of the 'Five Eyes Nations' is
> >present as well. And word has it that it's not playing a role of any
> >significance.
> >
> >No, the above is not a guarantee that nobody will attempt to intrude in a
> >system in Switzerland. It will happen, and occasionally with success. But
> >the Swiss government, businesses and people are very keen to stop the
> >bullets before these hit somebody. In particular from other European
> >nations and the United States.
> >
> >And finally, am I Swiss? Absolutely not, but these days I wish I was :)
> >And, yes, I do host my Internet business activities there, and I mean since
> >1994. That's almost 20 years, and I have never been disappointed. And that
> >does count for something. Do follow Arjen's leads, search the web, and by
> >all means go there and meet them in person.
> >
> >Greetz
> >RTF
> >
> >
> >-----Original Message-----
> >From: liberationtech-bounces at lists.stanford.edu
> >[mailto:liberationtech-bounces at lists.stanford.edu] On Behalf Of Ralph Holz
> >Sent: Tuesday, August 13, 2013 10:52 AM
> >To: liberationtech at lists.stanford.edu
> >Subject: Re: [liberationtech] Lavabit, Silent Circle both shut down
> >
> >Hi Arjen,
> >
> >>> May I ask what Swiss providers would you recommend?
> >>
> >> (disclaimer: I am normally very hesitant to 'advertise' for specific
> >> companies since as a consultant I do my very best to remain
> >> independent from having any interest in procurement of specific
> >> products or services).
> >
> >Duly noted. :)
> >
> >> SwissVPN provides some nice VPN services but it is not the only VPN
> >> provider I use.
> >
> >That's the company I use, too - and ultimately the reason I am asking
> >because Chris Soghoian once told me that they log the connections.
> >This seems to be supported by this inquiry made in 2011:
> >
> >
> >http://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/
> >
> >They log for 6 months and say they will respond to requests under Swiss
> >law.
> >
> >I would be surprised if other Swiss providers wouldn't do the same, but I
> >am
> >very happy to hear otherwise?
> >
> >Ralph
> >
> >- --
> >Ralph Holz
> >I8 - Network Architectures and Services
> >Technische Universität München
> >http://www.net.in.tum.de/de/mitarbeiter/holz/
> >Phone +49.89.289.18043
> >PGP: A805 D19C E23E 6BBB E0C4 86DC 520E 0C83 69B0 03EF
> >--
> >Liberationtech is a public list whose archives are searchable on Google.
> >Violations of list guidelines will get you moderated:
> >https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe,
> >change to digest, or change password by emailing moderator at
> >companys at stanford.edu.
> >
> >
> >
> >------------------------------
> >
> >Message: 29
> >Date: Tue, 13 Aug 2013 13:23:01 +0000
> >From: KheOps <kheops at ceops.eu>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] Petition Google over banning "Servers"
> > on Google Fiber?
> >Message-ID: <20130813132300.GA2815 at ceops.eu>
> >Content-Type: text/plain; charset=us-ascii; x-action=pgp-signed
> >
> >Hi all,
> >
> >On Tue, Aug 13, 2013 at 01:24:07AM +0200, Moritz Bartl wrote:
> >> Thank you EFF for the well-written reminder:
> >>
> >>
> >> https://www.eff.org/deeplinks/2013/08/google-fiber-continues-awful-isp-tradition-banning-servers
> >
> >[...]
> >
> >> We should petition Google to get rid of this. Does anyone know if EFF
> >> planning such an action, or do you have contacts to organizational
> >> networks to get it going properly?
> >
> >A petition is probably worth giving a try, but in the end Google are on
> >their infrastructure and selling access under their terms of service, so
> >it may be quite a difficult challenge. Even more difficult since, as far
> >as I understand, many other operators do the same on the market.
> >
> >There are similar issues in France: a few ISPs providing high-speed fiber
> >connection forbid in the same way hosting a server at home (unless you
> >pay more). In addition, some do not provide a fixed IP address to
> >practically make things more difficult.
> >
> >We all understand that this violates Net Neutrality and prevents citizens
> >from reclaiming control of their data to have a decent level of privacy.
> >We subsequently understand that this is a serious issue from a democracy
> >point of view, knowing governments' surveillance practices.
> >
> >Now, in case it could be of any use in the US, in France & Europe I see
> >two types of initiatives that try to push things in a better direction:
> >- - at the European Parliament some advocacy groups have tried to push
> >the fact that a company could not say that they sell "internet access" if
> >what they sell contains violations to Net Neutrality (I don't know the
> >details on the situation of this political battle, but you get the idea);
> >- - in France, we have more and more associative (non-profit) ISPs
> >providing internet access to small numbers of people - the core ideas are
> >to provide a neutral access (to the extent permitted by law) and promote
> >decentralization (as in internet) through the creation of many little
> >structures; the oldest and biggest, French Data Network (FDN) created a
> >Federation (FFDN) in which the smaller and more local ones are gathered;
> >we would really like this kind of initiative to spread - take a look
> >there http://www.ffdn.org, some posts are in English
> >
> >All the best,
> >KheOps
> >
> >
> >------------------------------
> >
> >Message: 30
> >Date: Tue, 13 Aug 2013 13:46:24 +0200
> >From: Moritz Bartl <moritz at torservers.net>
> >To: liberationtech at lists.stanford.edu
> >Subject: [liberationtech] Swiss VPNs (was: Re: Lavabit, Silent Circle
> > both shut down)
> >Message-ID: <520A1C90.4010902 at torservers.net>
> >Content-Type: text/plain; charset=ISO-8859-1
> >
> >On 13.08.2013 10:51, Ralph Holz wrote:
> >>> SwissVPN provides some nice VPN services but it is not the only
> >>> VPN provider I use.
> >> They log for 6 months and say they will respond to requests under
> >> Swiss law.
> >> I would be surprised if other Swiss providers wouldn't do the same,
> >> but I am very happy to hear otherwise?
> >
> >Switzerland has data retention laws. While it might be good for
> >oligarchs to hide their money, it is not good for online privacy.
> >
> >--
> >Moritz Bartl
> >https://www.torservers.net/
> >
> >
> >------------------------------
> >
> >Message: 31
> >Date: Tue, 13 Aug 2013 14:20:26 +0200
> >From: "taxakis" <taxakis at gmail.com>
> >To: "'liberationtech'" <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] Swiss VPNs (was: Re: Lavabit, Silent
> > Circle both shut down)
> >Message-ID: <01b501ce981f$7ea5b440$7bf11cc0$@com>
> >Content-Type: text/plain; charset="us-ascii"
> >
> >Oligarchs and privacy advocates have something in common.
> >If you got a better place, please name it.
> >And by the by, forget Germany, it may not have data retention (for now),
> >but
> >it does have 50,000 American troops, a refurbished Bad Aibling with all
> >newly trained German personnel, and a huge Intel building in Berlin that
> >can
> >house 101 Airborne in the basement. While the abolished Pullach
> >establishment is readied for 'modern intel testing equipment'.
> >
> >RTF
> >
> >
> >
> >
> >------------------------------
> >
> >Message: 32
> >Date: Tue, 13 Aug 2013 15:25:45 +0200
> >From: Moritz Bartl <moritz at torservers.net>
> >To: liberationtech at lists.stanford.edu
> >Subject: Re: [liberationtech] Swiss VPNs
> >Message-ID: <520A33D9.5080504 at torservers.net>
> >Content-Type: text/plain; charset=ISO-8859-1
> >
> >On 13.08.2013 14:20, taxakis wrote:
> >> Oligarchs and privacy advocates have something in common.
> >> If you got a better place, please name it.
> >
> >I don't. I still believe we should stop being naive and promote Iceland
> >or Switzerland, just because we think they offer better privacy. In
> >general, just because you read something in the news, don't just believe
> >it.
> >
> >I never said Germany was a better place.
> >
> >Yes, I should have quotable sources at hand, but at the moment I don't.
> >A good address for a more detailed answer would be the Chaos Computer
> >Club Switzerland, http://www.ccc-ch.ch/ , and, for Iceland, try the
> >people behind IMMI, https://immi.is/ .
> >
> >The interesting part about Iceland is that there is a slight chance of
> >*making it* a privacy-friendly jurisdiction. It is not, yet. If media
> >always convey the picture of a privacy-friendly country, its own
> >politicians will start believing it and fight for it, hopefully.
> >
> >--
> >Moritz Bartl
> >https://www.torservers.net/
> >
> >
> >------------------------------
> >
> >Message: 33
> >Date: Tue, 13 Aug 2013 03:07:27 -0700
> >From: Patrick Baxter <patch at cs.ucsb.edu>
> >To: liberationtech <liberationtech at mailman.stanford.edu>
> >Subject: Re: [liberationtech] Is spideroak really zero-knowledge?
> >Message-ID:
> > <CALSDXiBHpiMrsG=0nfsAT41XXvv=7GiFMb757=EQpRdxoHnuow at mail.gmail.com>
> >Content-Type: text/plain; charset=ISO-8859-1
> >
> >They've also been working on an open source version of their client
> >and server software called crypton (https://crypton.io/)
> >
> >It implements the protocol originally listed on their site as Elijah
> >pointed out with the wayback machine.
> >
> >On Tue, Aug 13, 2013 at 2:52 AM, elijah <elijah at riseup.net> wrote:
> >> On 08/13/2013 12:32 AM, Tony Arcieri wrote:
> >>
> >>> On Mon, Aug 12, 2013 at 11:02 PM, Percy Alpha <percyalpha at gmail.com
> >>> <mailto:percyalpha at gmail.com>> wrote:
> >>>
> >>> @Tony,
> >>> "The secret that keeps your data accessible to you alone is your
> >>> SpiderOak password, which is never transmitted to SpiderOak in its
> >>> original form." https://spideroak.com/engineering_matters
> >>>
> >>>
> >>> Again, they seem to be talking about client-side encryption here. A
> >>> zero-knowledge proof around a password looks a bit more like this:
> >>>
> >>> https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol#Protocol
> >>>
> >>> Short of implementing something like SRP they don't have a true "zero
> >>> knowledge" system IMO
> >>
> >> Curious, they used to actually include some notes on how they use a zero
> >> knowledge proof for authentication, but it has been taken down.
> >> Waybackmachine has the old text:
> >>
> >>
> >>
> >> http://web.archive.org/web/20130430135938/https://spideroak.com/engineering_matters
> >>
> >> Perhaps they changed how they do authentication.
> >>
> >> -elijah
> >
> >
> >------------------------------
> >
> >Message: 34
> >Date: Tue, 13 Aug 2013 08:52:11 -0700
> >From: Reed Black <reed at unsafeword.org>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] From Snowden's email provider. NSL???
> >Message-ID:
> > <CAESArwmaboc5GR=1j1o+Mws5w2QiHjdW2dMGDcwaBdDC04B9qw at mail.gmail.com>
> >Content-Type: text/plain; charset=ISO-8859-1
> >
> >On Sun, Aug 11, 2013 at 4:46 AM, Michael Rogers
> ><michael at briarproject.org> wrote:
> >>> The app store can't substitute a different binary (no developer
> >>>signing key), users
> >>> can verify that the app was what the developer produced (via pulling
> >>>the binary and
> >>> checking the hash), and advanced users can verify that what the
> >>>developer
> >>> produced is what they produce via the replicable build process.
> >>
> >> I don't know how the Apple or Chrome app stores work, but on Android
> >>the user
> >> doesn't have a standard way to obtain the developer's key, so the app
> >>store could
> >> sign a modified binary with any key.
> >
> >Signing isn't sufficient without some means of invalidation under the
> >developer's control. Even putting aside users who are slow to update,
> >select users can be served older versions of apps with known
> >vulnerabilities intact.
> >
> >
> >------------------------------
> >
> >Message: 35
> >Date: Tue, 13 Aug 2013 19:00:20 +0300
> >From: Nadim Kobeissi <nadim at nadim.cc>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: [liberationtech] Snowden: Unencrypted Journalist-Source
> > Communications "Unforgivably Reckless"
> >Message-ID: <F6299665-152B-4304-AEF2-4B1A8A76E405 at nadim.cc>
> >Content-Type: text/plain; charset="windows-1252"
> >
> >Hey LibTech,
> >
> >In a recently published interview with the New York Times, Edward Snowden
> >called unencrypted communications between journalists and sources
> >"unforgivably reckless":
> >
> >"I was surprised to realize that there were people in news organizations
> >who didn't recognize any unencrypted message sent over the Internet is
> >being delivered to every intelligence service in the world. In the wake
> >of this year's disclosures, it should be clear that unencrypted
> >journalist-source communication is unforgivably reckless."
> >
> >http://www.nytimes.com/2013/08/18/magazine/snowden-maass-transcript.html
> >
> >I hope sending this along will be useful for journalists on this list as
> >well as for those who need extra material to help them convince their
> >journalist friends to adopt privacy-preserving practices. As usual, I'll
> >take the opportunity to again vouch for the need for accessible, easy to
> >use encryption, like what Guardian Project, Whisper Systems and Cryptocat
> >are working on.
> >
> >NK
> >
> >------------------------------
> >
> >Message: 36
> >Date: Tue, 13 Aug 2013 12:41:25 -0400
> >From: Lina Srivastava <lina at linasrivastava.com>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] Does anyone know a celebrity who feels
> > strongly about privacy issues?
> >Message-ID:
> > <CAKwxpww7B+pWSaurwsc565E8-6vkU4ZPdt2eraq5adi=AdvuXQ at mail.gmail.com>
> >Content-Type: text/plain; charset="iso-8859-1"
> >
> >So not sure this is taking the discussion in a direction useful to this
> >list, but a thought-- celebrities are not likely to be available to do
> >something like this -- i.e., a series of readings on youtube videos --
> >unless the videos were connected to a high-profile campaign, a
> >film/documentary, or run by an organization that they are connected to or
> >doing a favor for (and the favor is usually done through a celebrity
> >that's
> >a friend or their management). And the negotiation of a campaign that
> >incorporates a celebrity is complicated and time-consuming, and once done,
> >is difficult to manage. It's not impossible and it's not that celebrities
> >(John Cusack was a great suggestion, by the way) wouldn't be interested in
> >the issue, it's just that it may not be worth the time you'd spend in
> >trying to attract someone.
> >
> >Having said that, if anyone ever did want to attract a celebrity to a
> >high-profile cause, start by inquiring with CAA or the Global Philanthropy
> >Group. Or if you want a simple retweet for profile, most celebrities are
> >pretty obliging with that.
> >
> >Lina
> >
> >On Tue, Aug 13, 2013 at 5:52 AM, David Miller
> ><david at deadpansincerity.com>wrote:
> >
> >> Maybe the celebrity could read the binary sequence of a compiled
> >>program,
> >> and the user could take dictation into a simple command line script?
> >>
> >>
> >> On 13 August 2013 10:37, Michael Rogers <michael at briarproject.org>
> >>wrote:
> >>
> >>> On 12/08/13 21:32, Francisco Ruiz wrote:
> >>> > So, here's my question. Does any one know of a celebrity who cares
> >>> > enough about computer security to be persuaded to take one minute
> >>> > of his/her time to read a hash before a camera?
> >>>
> >>> I'd like to second Guido's objection that most people don't know what
> >>> a hash is, or have the skills or software required to verify one, so
> >>> this isn't an effective security measure for most people.
> >>>
> >>> Even if it were, you'd have to ask the celebrity to read a new hash
> >>> for every version of the software, and the videos for old versions
> >>> could be used in a rollback attack.
> >>>
> >>> Cheers,
> >>> Michael
> >>>
> >>>
> >>
> >>
> >>
> >> --
> >> Love regards etc
> >>
> >> David Miller
> >> http://www.deadpansincerity.com
> >> 07854 880 883
> >>
> >>
> >
> >
> >
> >--
> >Lina Srivastava
> >--
> >linasrivastava.com | twitter <http://twitter.com/lksriv> |
> >linkedin<http://www.linkedin.com/in/linasrivastava>
> >
> >------------------------------
> >
> >Message: 37
> >Date: Tue, 13 Aug 2013 19:12:38 +0200
> >From: Amaelle G <amaelle at micro-ouvert.net>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] Snowden: Unencrypted Journalist-Source
> > Communications "Unforgivably Reckless"
> >Message-ID: <5CB1045A-5100-4A6A-B36C-05B157F0E5C2 at micro-ouvert.net>
> >Content-Type: text/plain; charset="utf-8"
> >
> >Hi Nadim & all,
> >
> >On 13 August 2013 at 18:00, Nadim Kobeissi <nadim at nadim.cc> wrote:
> >
> >>
> http://www.nytimes.com/2013/08/18/magazine/snowden-maass-transcript.html
> >>
> >> I hope sending this along will be useful for journalists on this list
> >>as well as for those who need extra material to help them convince their
> >>journalist friends to adopt privacy-preserving practices. As usual, I'll
> >>take the opportunity to again vouch for the need for accessible, easy to
> >>use encryption, like what Guardian Project, Whisper Systems and
> >>Cryptocat are working on.
> >
> >It is obviously one side-effect of PRISM revelations that more & more
> >journalists now feel the urge to update their work habits in order to
> >protect their sources. And the more accessible tools we have, the easier
> >it is for the people who feel concerned by these issues to advocate for
> >such improvements.
> >
> >Good occasion for me to thank all the people involved in projects for
> >easy-to-use anonymization & encryption :)
> >
> >Cheers,
> >
> >Amaelle
> >
> >--
> >
> >Amaelle Guiton
> >Journalism in the future exterior @ Radio France & elsewhere
> >0x77775AF9 / micro_ouvert at jabber.ubuntu-fr.org
> >
> >------------------------------
> >
> >Message: 38
> >Date: Tue, 13 Aug 2013 10:37:13 -0700
> >From: "James S. Tyre" <jstyre at eff.org>
> >To: "'liberationtech'" <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] Snowden: Unencrypted Journalist-Source
> > Communications "Unforgivably Reckless"
> >Message-ID: <020401ce984b$bf8fbb00$3eaf3100$@eff.org>
> >Content-Type: text/plain; charset="us-ascii"
> >
> >The passage Nadim highlights is of course quite appropriate for this
> >list. But for those
> >who have some extra time (it's very long) the whole article is worth
> >reading.
> >
> >
> >
> >--
> >
> >James S. Tyre
> >
> >Law Offices of James S. Tyre
> >
> >10736 Jefferson Blvd., #512
> >
> >Culver City, CA 90230-4969
> >
> >310-839-4114/310-839-4602(fax)
> >
> >jstyre at jstyre.com
> >
> >Policy Fellow, Electronic Frontier Foundation
> >
> >https://www.eff.org
> >
> >
> >------------------------------
> >
> >Message: 39
> >Date: Tue, 13 Aug 2013 10:42:05 -0700
> >From: Andy Isaacson <adi at hexapodia.org>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: [liberationtech] verifying SSL certs (was Re: In defense of
> > client-side encryption (Guido Witmond)
> >Message-ID: <20130813174205.GR27178 at hexapodia.org>
> >Content-Type: text/plain; charset=us-ascii
> >
> >On Mon, Aug 12, 2013 at 11:10:39AM +0200, Guido Witmond wrote:
> >> There is another problem. You rely on HTTPS. Here is the 64000 dollar
> >> question:
> >>
> >> Q._"What is the CA-certificate for your banks' website?"_
> >>
> >> I ask that question to anyone who claims to be security conscious. No
> >> one has given me positive answer so far. Not even a wrong answer. Only
> >> that people don't know.
> >>
> >> So I take it for granted that people won't verify anything, ever.
> >
> >FWIW, I did run my browser in "trust on first use" (TOFU) mode -- I
> >deleted all the CA certs and manually added exceptions for each site, as
> >I encountered the certificate warnings -- for several years. I've given
> >up on that for modern websites because
> >
> > - sites frequently include resources from other hostnames, and JS/CSS
> > https errors are silently ignored by Firefox
> > - loadbalanced websites frequently have multiple certificates for a
> > single hostname, and Firefox only allows a single certificate
> > exception per hostname
> > - expiration times have come down to, generally, 1 year, and with
> > multiple certs per page, I was approving a new cert for most pages at
> > least once every few months, decreasing the value of Trust in TOFU.
> >
> >So in some sense I would have been able to answer that "what is the cert
> >for your bank", by saying "the one that I approved last year and has
> >been correctly working since then". But the world has passed that model
> >by.
> >
> >-andy
> >
> >
> >------------------------------
> >
> >Message: 40
> >Date: Tue, 13 Aug 2013 19:45:27 +0200
> >From: Collin Anderson <collin at averysmallbird.com>
> >To: "liberationtech at lists.stanford.edu"
> > <liberationtech at lists.stanford.edu>
> >Subject: [liberationtech] Internet Policy Observatory: Call for
> > Proposals
> >Message-ID:
> > <CAC+VsLvEB6X-6gtsXqRD+onjdsxASNRjHeqay5_psRfbruSb7g at mail.gmail.com>
> >Content-Type: text/plain; charset="windows-1252"
> >
> >Libtech -- This might be promising for the academics and researchers
> >amongst us.
> >
> >
> http://cgcsblog.asc.upenn.edu/2013/07/31/internet-policy-observatory-call-
> >for-proposals/
> >
> >Internet Policy Observatory: Call for Proposals
> >
> >The Center for Global Communication Studies (CGCS) at the Annenberg School
> >for Communication at the University of Pennsylvania, announces a call for
> >proposals under its Internet Policy Observatory (IPO). One of the goals of
> >IPO is helping to develop a broad understanding of the conditions,
> >processes and stakeholders that drive the development of Internet policies
> >in pivotal countries, and of how those conditions influence developments
> >at
> >the regional and international levels.
> >
> >Proposals should address one or both of the two RFPs described below:
> >
> >* Internet Policy Observatory Regional Hub Grants
> >* Internet Policy Observatory Thematic Grants
> >
> >Internet Policy Observatory – Regional Hub Grant
> >
> >The objective of this Call is to add to a global network of Regional Hubs
> >supporting Internet policy research with specific regional perspectives.
> >The purpose of these grants is to encourage research from a variety of
> >disciplines to help further understanding on how global Internet policies
> >evolve.
> >
> >This Call is open to persons and organizations who are particularly
> >interested in Internet policy research, and who are based in countries
> >that
> >are located within (1) Latin America & Caribbean, (2) Middle-East and
> >North
> >Africa[1], (3) South & South-East Asia[2] / Pacific (4) Central Asia[3](5)
> >East Asia[4] (6) Sub-Saharan Africa.
> >
> >Research groups, universities, and civil society organizations which
> >already have research programs on Internet policy issues in the relevant
> >countries and regions are particularly encouraged to apply. Beneficiaries
> >of related, but different grants awarded under the Internet Policy
> >Observatory may also apply to this call.
> >
> >Eligible proposals should address four core deliverables (Please view the
> >full RFP for complete descriptions of deliverables):
> >
> >1. Hub Study: The Internet Policy Observatory welcomes proposals that seek
> >to investigate Internet policy issues within specific countries within a
> >region, or alternatively the region as a whole. Potential topics to
> >consider range across the wider field of Internet policy, including, but
> >are not limited to, issues of Internet governance, Internet filtration and
> >censorship, implications of military and security services activities and
> >concerns on policy development, to name but a few examples.
> >
> >2. Hub Survey: Proposals should speak to the organization's capacity to
> >carry out qualitative and quantitative research. As part of the Internet
> >Policy Observatory's effort to create a global Delphi (expert) survey on
> >Internet policy formation, organizations will be expected to incorporate a
> >strategy for the creation and implementation of regional surveys.
> >
> >3. Hub View: A key task of the Regional Hubs is to regularly provide news
> >on Internet-policy-relevant developments within their region to the IPO
> >website.
> >
> >4. Hub Action: Each Regional Hub should also propose further, regional
> >specific activity – such as local conferences or workshops – that can be
> >financed directly from the Grant or might be financed from other sources.
> >
> >Grants are expected to be USD 20,000-40,000 per application selected.
> >
> >Applications should be submitted by 5pm EST on September 15, 2013.
> >
> >Click here for the full RFP, including information about eligibility,
> >deliverables, submission guidelines, and award criteria.
> >
> >Internet Policy Observatory Thematic Grants
> >
> >The objective of this Call is to encourage research by individuals and
> >institutions particularly interested in Internet policy issues.
> >
> >This Call is open to persons and organizations who are particularly
> >interested in Internet policy research and who are based in key
> >countries/regions or led by a consortium that is located within the key
> >regions.
> >
> >Research groups and civil society organizations which already have
> >research
> >programs on Internet policy issues in the relevant countries and regions
> >are particularly encouraged to apply. Fluency in English is required both
> >for research and relevant administration tasks.
> >
> >The thematic focus of the proposals may include, but is not limited to,
> >one of the general areas (for full descriptions, please view the full
> >RFP).
> >
> >* Technical developments and Internet policy
> >* Governance and Internet policy
> >* Internet policy and Internet/cyberspace ownership
> >* Social media and Internet policy
> >* The socio-economic impact of Internet policy
> >* The language of Internet Policy
> >
> >Applications should be submitted by 5pm EST on September 15, 2013.
> >
> >Click here for the full RFP, including information about eligibility,
> >deliverables, submission guidelines, and award criteria.
> >
> >For more information, please direct comments and questions to
> >internetpolicy at asc.upenn.edu
> >
> >--
> >*Collin David Anderson*
> >averysmallbird.com | @cda | Washington, D.C.
> >-------------- next part --------------
> >An HTML attachment was scrubbed...
> >URL:
> ><http://mailman.stanford.edu/pipermail/liberationtech/attachments/20130813/a4eda25a/attachment-0001.html>
> >
> >------------------------------
> >
> >Message: 41
> >Date: Tue, 13 Aug 2013 11:23:10 -0700
> >From: Micah Lee <micahflee at riseup.net>
> >To: liberationtech at lists.stanford.edu
> >Subject: Re: [liberationtech] Snowden: Unencrypted Journalist-Source
> > Communications "Unforgivably Reckless"
> >Message-ID: <520A798E.9080101 at riseup.net>
> >Content-Type: text/plain; charset="iso-8859-1"
> >
> >On 08/13/2013 09:00 AM, Nadim Kobeissi wrote:
> >> I hope sending this along will be useful for journalists on this list as
> >> well as for those who need extra material to help them convince their
> >> journalist friends to adopt privacy-preserving practices. As usual, I'll
> >> take the opportunity to again vouch for the need for accessible, easy to
> >> use encryption, like what Guardian Project, Whisper Systems and
> >> Cryptocat are working on.
> >
> >I've written a fairly comprehensive guide to using the tools that Laura
> >Poitras, Glenn Greenwald, and Edward Snowden use to communicate
> >securely, written primarily for journalists:
> >
> >https://pressfreedomfoundation.org/encryption-works
> >
> >--
> >Micah Lee
> >@micahflee
> >
> >
> >------------------------------
> >
> >Message: 42
> >Date: Tue, 13 Aug 2013 20:46:59 +0200
> >From: Arjen Kamphuis <arjen at gendo.ch>
> >To: liberationtech at lists.stanford.edu
> >Subject: Re: [liberationtech] Lavabit, Silent Circle both shut down
> >Message-ID: <520A7F23.1070906 at gendo.ch>
> >Content-Type: text/plain; charset=ISO-8859-1
> >
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> >On 08/13/2013 10:51 AM, Ralph Holz wrote:
> >> That's the company I use, too - and ultimately the reason I am
> >> asking because Chris Soghoian once told me that they log the
> >> connections. This seems to be supported by this inquiry made in
> >> 2011:
> >>
> >>
> >>
> >> http://torrentfreak.com/which-vpn-providers-really-take-anonymity-seriously-111007/
> >>
> >>
> >>
> >> They log for 6 months and say they will respond to requests under
> >> Swiss law.
> >
> >And that is a shitty situation. Swiss law however does afford at
> >least some protections under the Swiss constitution. Unlike US law
> >where all rights are instantly meaningless as soon as somebody says
> >'terrorism' (these effects also apply to US puppet-states such as UK
> >and the Netherlands). Note that under Swiss law the wikileaks.ch
> >domain was never taken down despite massive diplomatic pressure from
> >the US to do so. France caved in even faster than in the summer of
> >1940 and took down wikileaks.fr.
> >
> >I'll be the last person to claim either Switzerland or Germany are
> >ideal. But having looked around I can't find better places right now.
> >If somebody does know of a better place to put servers I'd love to
> >know about it. Obviously territory and law are just a little extra
> >defense-in-depth. I believe much more in privacy-by-tech over
> >privacy-by-policy/law.
> >
> >In the words of the great American strategist Lt Lockhart:
> >http://youtu.be/UdK3ZImjPsY
> >
> >
> >- --
> >Met vriendelijke groet/With kind regards,
> >Arjen Kamphuis
> >Gendo B.V.
> >
> >Main: +31 20 891 0330
> >mail: arjen at gendo.ch
> >
> >gendo.ch (website)
> >gendo.nl/blog/arjen (Dutch blog)
> >gendo.ch/en/blog/arjen (English blog)
> >
> >about.me/arjenkamphuis (social media)
> >
> >files.gendo.nl/keys/arjen at gendo.ch.asc (public key)
> >PGP fingerprint:
> >55FB B3B7 949D ABF5 F31B BA1D 237D 4C50 118A 0EC2
> >
> >Gendo BV Wibautstraat 150, 1091 GR Amsterdam The Netherlands
> >Please consider the environment before printing this email
> >============================================================
> >This e-mail message and its attachments are subject to the disclaimer
> >published at the following website of Gendo:
> >http://www.gendo.nl/disclaimer Gendo B.V. is registered with the trade
> >register in The Netherlands under number 28116864.
> >-----BEGIN PGP SIGNATURE-----
> >Version: GnuPG v1.4.11 (GNU/Linux)
> >Comment: Using GnuPG with undefined - http://www.enigmail.net/
> >
> >iQIcBAEBAgAGBQJSCn8jAAoJECN9TFARig7CyYYQAIcMdwdQCRBWHstGPpPkoiH0
> >uCI8GO20krfIYekX3J7u1DgkwEkgXZzkI45J4xqfzaEAHWrZWDowFbROO8Tiybia
> >d9PjpWX++S6xYvIFOm+G53XxpC3svaPcE2LIbZIuqrBpemF0yZ2YdDCwOXfEEm/G
> >dNyoq6DSlve7cKUBZv9jCVHDm8LJI10pJ2chgB8rzpL/6A1oIt2OjLLXPdLjdRmW
> >fOKi//Dmv3Vhe5Ox6ik4twPxYMbuI2Ur1s2eOdLjOpXHUm4QK/FtnkazpArRNGkm
> >Zo7IZoY807Gb0RUst2brgY0rBfPVFHI+MxLwmbTuxRhbiwJHUqzKFjQoWjeOVGdr
> >r8AU97kDRkjdPV71uZSU5hNWgYpwmf2QIhQqEWprXma815GOSqMyVgFeysd1CPKC
> >0AK0++m5xNZ2yi6XIBEpkbZlVIba15J/qic93dD0kKm+B2aCstbnVCdHZnvLAudB
> >ZbIXQn9vEqKvyCAx2wi4HCGqxi/hsUzhxeX8rWA6FIp0rwgi+u9I1m7/AaFD6AYY
> >h51aGgmOTOahhxU17tJ3SGG7NVetw78qbgGZ+uVx5VqtJC43yppL0mz+QUSRad5m
> >vIlqgWKVyb86rDgiTk0R97vekfblM5qxYklBiguP7fKW3c0ghqi7XGsvdJzH/B0A
> >024Dfr8vrPAQkOtrYnU+
> >=Hime
> >-----END PGP SIGNATURE-----
> >
> >
> >------------------------------
> >
> >Message: 43
> >Date: Tue, 13 Aug 2013 20:59:22 +0200
> >From: Moritz Bartl <moritz at torservers.net>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: [liberationtech] Zwiebelfreunde take over popular onion.to
> > Tor gateway
> >Message-ID: <520A820A.4060703 at torservers.net>
> >Content-Type: text/plain; charset=windows-1252
> >
> >Hi Libtechies,
> >
> >I hope you don't mind me putting this press release here. Please spread
> >if you like it.
> >
> >----------------------------------------------------------------------
> >
> ># Zwiebelfreunde take over popular onion.to Tor gateway
> >
> >(Dresden, 13.8.2013) The non-profit organization Zwiebelfreunde e.V. is
> >known for the "Torservers" project, which over the past years has grown
> >into a global network of organizations that maintain server
> >infrastructure for the open anonymization network Tor. Today,
> >Zwiebelfreunde has taken over a very popular web gateway for Tor hidden
> >services, onion.to.
> >
> >Tor hidden services provide anonymity for website owners, mail
> >providers, chat systems and other Internet services. Hidden services are
> >designed to be accessed using Tor Browser, which additionally provides
> >anonymity for users of the service. Web gateways such as onion.to
> >provide a convenient way to reach hidden services using a regular
> >browser without having to install Tor. A side effect is that the broad
> >world of hidden services is exposed to search engines and can thus be
> >indexed and found. The trade-off is that users lose anonymity: Both the
> >gateway and the hidden service can track users across visits, and
> >determine the user's IP address. That is why Zwiebelfreunde strongly
> >encourages people to download Tor Browser instead.
> >
> >"By exposing hidden services to the public, we hope to attract even more
> >users and widen the spectrum of available services within the Tor
> >network", says Zwiebelfreunde founder and president Moritz Bartl. "I
> >can imagine privacy-friendly email services to be based fully on hidden
> >services in the future, for example."
> >
> >The current gateway server is located in Iceland, and another one will
> >be added in the near future.
> >
> >https://www.onion.to/
> >
> >An example hidden service can be found at
> >https://duskgytldkxiuqc6.onion.to/
> >
> ># Zwiebelfreunde e.V.
> >
> >The German non-profit association Zwiebelfreunde e.V. serves as a
> >platform for projects in the area of safe and anonymous communication.
> >The organization facilitates and participates in educational events
> >about technological advances in the area of privacy, and connects
> >professionals to spread knowledge and experience on these fields.
> >
> >"Zwiebelfreunde" is German for "Friends of the Onion", as a reference to
> >Onion Routing, the name of the concept behind Tor for anonymizing
> >communication: Messages are passed through relays, each of which removes
> >one layer of encryption, like peeling the skin of an onion.
> >
> ># Contact
> >
> >Moritz Bartl
> >Zwiebelfreunde e.V.
> >c/o DID Dresdner Institut für Datenschutz
> >Palaisplatz 3
> >D-01097 Dresden
> >Germany
> >
> >press at torservers.net
> >Tel.: +49-(0)351 / 212 960 18
> >Fax.: +49-(0)911 / 308 4466 748
> >http://www.torservers.net/
> >http://www.twitter.com/torservers/
> >
> >
> >
> >------------------------------
> >
> >Message: 44
> >Date: Tue, 13 Aug 2013 15:00:32 -0400
> >From: Joseph Lorenzo Hall <joe at cdt.org>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: [liberationtech] ICANN and WHOIS reform...
> >Message-ID: <520A8250.30803 at cdt.org>
> >Content-Type: text/plain; charset=windows-1252
> >
> >Hi all,
> >
> >I didn't see any individuals or orgs from libtech comment to ICANN on
> >the recent report to reform WHOIS. I wanted to put this on your
> >collective radar if it's of interest to you.
> >
> >TL;DR: ICANN is working on reforming WHOIS, and their Experts' Working
> >Group has come up with a pretty bad proposal, in our opinion. It would
> >centralize validated registrant data and streamline "legitimate" access
> >to this data. It would do things that appear almost entirely motivated
> >by law enforcement and intellectual property interests, without much
> >consideration of the interests of individual and non-commercial
> >registrants.
> >
> >I'm including our blog post below... and a link to the 6-page comment
> >that is our critique of their proposal. This was joint work with a
> >marvelous CDT intern, a super-technical law student at Berkeley, Joe
> >Mornin. He's behind http://latexforlawyers.org/ and many good things to
> >come.
> >
> >----
> >PDF of full comments:
> >https://www.cdt.org/files/pdfs/20130812_whois_comments-cdt.pdf
> >
> >Blog post... (links in original)
> >
> >
> >https://www.cdt.org/blogs/joseph-lorenzo-hall/1308icann-must-do-better-job-privacy-and-whois
> >
> >ICANN Must Do a Better Job with Privacy and WHOIS
> >
> >by Joseph Lorenzo Hall
> >August 13, 2013
> >
> >In June, an Expert Working Group (EWG) with ICANN - the entity that
> >controls the allocation of domain names and IP addresses on the Internet
> >- released a report that proposed extensive changes to the WHOIS system.
> >WHOIS allows anyone to look up details on who owns a domain name (e.g.,
> >the cdt.org WHOIS entry). The EWG asked for public input in response to
> >their report and yesterday CDT submitted comments critical of the draft
> >report, specifically focusing on serious privacy concerns.
> >
> >WHOIS, which was developed way back in 1982, initially served as a
> >mechanism to identify who operated certain servers to make it easier to
> >get contact information of these operators in case something technical
> >went awry. These days, with many, many millions of domain names in
> >operation and many more on the horizon, WHOIS is showing its age in a
> >number of respects. For example, for personal domain registrants - e.g.,
> >josephall.org - WHOIS essentially reports sensitive contact information,
> >notably email addresses, postal addresses, and phone numbers. It's
> >widely known that WHOIS data is highly inaccurate; many individual
> >domain name registrants provide inaccurate data to avoid having their
> >personal information broadcast to the world (to be fair, spammers and
> >scammers also provide inaccurate data to avoid scrutiny). Many others -
> >like me! - use proxy services that mask personal information but that
> >still allow email and postal mail to eventually be routed to them
> >through the proxy provider.
> >
> >The EWG was chartered to provide possible solutions for a revamped WHOIS
> >that would better address privacy, security, and accessibility of WHOIS
> >data. The draft report proposed a centralized, validated WHOIS system
> >with a gated access model where registrant data would be made freely
> >available. In our comments we raised a number of concerns about this
> >approach and offered recommendations, including:
> >
> >* The current WHOIS system raises privacy and free expression concerns
> >by requiring registrants to disclose sensitive information. The EWG
> >report does a good job of outlining use cases for access to currently
> >available registrant data, but we think it should also reexamine what
> >data must be available today, in light of the vastly more complex modern
> >Internet environment.
> >* The proposed privacy scheme and validation of registrants is
> >unnecessary and unworkable. Instead, ICANN should protect registrants'
> >privacy by default. We believe that individual registrants
> >(noncommercial entities) should not have any information disclosed by
> >default other than what is needed for the proper technical functioning
> >of the domain name system.
> >* A centralized system is unnecessary and unstable. The gatekeeper
> >under the new proposal would be a poor substitute for existing legal
> >processes because the WHOIS database operator would likely lack the
> >capacity to identify and/or reject illegitimate or overly broad
> >requests. ICANN is unique and must act in an extra-jurisdictional
> >capacity, so it is difficult to see how this new WHOIS would deal with,
> >for example, a Chinese law enforcement request targeting a citizen of
> >another country.
> >
> >Additionally, the EWG focused on a single model for a new registrant
> >database, rather than a suite of possible models for the public and
> >stakeholders to consider. This greatly limits the conversation that can
> >be had around possible enhancements to WHOIS. We encourage ICANN to
> >consider multiple solutions to this complicated problem and believe the
> >EWG should be explicitly re-tasked with recommending a number of
> >additional models in light of feedback they receive, not just the one
> >current flawed proposal.
> >
> >
> >--
> >Joseph Lorenzo Hall
> >Senior Staff Technologist
> >Center for Democracy & Technology
> >1634 I ST NW STE 1100
> >Washington DC 20006-4011
> >(p) 202-407-8825
> >(f) 202-637-0968
> >joe at cdt.org
> >PGP: https://josephhall.org/gpg-key
> >fingerprint: BE7E A889 7742 8773 301B 4FA1 C0E2 6D90 F257 77F8
> >
> >
> >
> >
> >------------------------------
> >
> >Message: 45
> >Date: Tue, 13 Aug 2013 15:25:55 -0500
> >From: Francisco Ruiz <ruiz at iit.edu>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] Does anyone know a celebrity who feels
> > strongly about privacy issues?
> >Message-ID:
> > <CAAO5Wsz4iVKYXhei00OtiG0HN+oQN=uwWip31ATz9jpmWaEw6A at mail.gmail.com>
> >Content-Type: text/plain; charset="windows-1252"
> >
> >Hi Kyle, don't take it so hard. I asked this question so _everybody_ who'd
> >like to try the celebrity video trick would be able to collect a few
> >likely candidates. Likely others will beat me to it.
> >
> >On Mon, Aug 12, 2013 at 7:29 PM, Kyle Maxwell <kylem at xwell.org> wrote:
> >
> >> I didn't know LibTech had become the PassLok development mailing list.
> >>
> >> On Mon, Aug 12, 2013 at 6:26 PM, Collin Anderson
> >> <collin at averysmallbird.com> wrote:
> >> > The problem with occasionally looking at Huffington Post is that I'm
> >> > subjected to such things...
> >> >
> >> > Matt Damon:
> >> >
> >> > "He broke up with me," the "Elysium" star said. "There are a lot of
> >> > things that I really question, you know: the legality of the drone
> >> > strikes, and these NSA revelations they're, you know, it's like,
> >> > they're, you know, Jimmy Carter came out and said we don't live in a
> >> > democracy. That's, that's a little, that's a little intense when an
> >> > ex-president says that. So, you know, he's got some, some explaining
> >> > to do, particularly for a constitutional law professor."
> >> >
> >> >
> >> >
> >>
> >>
> >> > http://www.huffingtonpost.com/2013/08/09/matt-damon-obama-broke-up-with-me_n_3732426.html?utm_hp_ref=entertainment
> >> >
> >> >
> >> > On Mon, Aug 12, 2013 at 11:44 PM, Yishay Mor <yishaym at gmail.com>
> >> > wrote:
> >> >>
> >> >> Cory Doctorow
> >> >>
> >> >> ----- sent from my phone.
> >> >>
> >> >> On Aug 12, 2013 9:33 PM, "Francisco Ruiz" <ruiz at iit.edu> wrote:
> >> >>>
> >> >>> Quick request.
> >> >>>
> >> >>> In comments to a recent post, people seemed to agree that
> >> >>> publishing a video of someone reading a hash might be a fairly
> >> >>> hard-to-hack way to deliver that hash to the public, and thus assure
> >> >>> the authenticity of a piece of code, a public key, or whatnot. The
> >> >>> problem is that the sample youtube video I linked had yours truly
> >> >>> reading the hash, and people naturally objected that I wasn't Justin
> >> >>> Bieber and, consequently, weren't too convinced that the video was
> >> >>> authentic.
> >> >>>
> >> >>> Aside from the fact that an adversary might be able to convince
> >> >>> Justin Bieber to make a video reading a fake hash (not that I believe
> >> >>> Justin doesn't care; it's just a hypothesis), the idea of getting a
> >> >>> celebrity for this kind of video has a lot of merit. I'd like to
> >> >>> engage one for the next update of my app.
> >> >>>
> >> >>> So, here's my question. Does anyone know of a celebrity who cares
> >> >>> enough about computer security to be persuaded to take one minute of
> >> >>> his/her time to read a hash before a camera?
> >> >>>
> >> >>> Thanks a million!
> >> >>>
> >> >>> --
> >> >>> Francisco Ruiz
> >> >>> Associate Professor
> >> >>> MMAE department
> >> >>> Illinois Institute of Technology
> >> >>>
> >> >>>
> >> >>>
> >>
> >> >>> PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMapJFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok
> >> >>>
> >> >>> get the PassLok privacy app at: http://passlok.com
> >> >>>
> >> >>> --
> >> >>> Liberationtech is a public list whose archives are searchable on
> >> >>> Google. Violations of list guidelines will get you moderated:
> >> >>> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> >> >>> Unsubscribe, change to digest, or change password by emailing
> >> >>> moderator at companys at stanford.edu.
> >> >>
> >> >>
> >> >> --
> >> >
> >> >
> >> >
> >> >
> >> > --
> >> > Collin David Anderson
> >> > averysmallbird.com | @cda | Washington, D.C.
> >> >
> >> > --
> >>
> >>
> >>
> >> --
> >> @kylemaxwell
> >> --
> >>
> >
> >
> >
> >--
> >Francisco Ruiz
> >Associate Professor
> >MMAE department
> >Illinois Institute of Technology
> >
> >PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMapJFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok
> >
> >get the PassLok privacy app at: http://passlok.com
> >-------------- next part --------------
> >An HTML attachment was scrubbed...
> >URL:
> ><http://mailman.stanford.edu/pipermail/liberationtech/attachments/20130813/5cd95e3b/attachment-0001.html>
> >
> >------------------------------
> >
> >Message: 46
> >Date: Tue, 13 Aug 2013 15:37:19 -0500
> >From: Francisco Ruiz <ruiz at iit.edu>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] Does anyone know a celebrity who feels
> > strongly about privacy issues?
> >Message-ID:
> > <CAAO5Wsxz95TRJwFAs1aH=udxZ1J6qmRDGbF+qd3P7xC=Jg68EQ at mail.gmail.com>
> >Content-Type: text/plain; charset="iso-8859-1"
> >
> >Hi Guido,
> >
> >This looks very interesting, but I have trouble understanding it. Can you
> >give me a sample URL where this is being shown in action?
> >
> >Many thanks.
> >
> >On Mon, Aug 12, 2013 at 4:34 PM, Guido Witmond <guido at witmond.nl> wrote:
> >
> >> Dear professor Ruiz.
> >>
> >>
> >> The real issue is to create an *easy* way to do hash validation
> >> correctly. Reading a hash on youtube is not going to make it.
> >>
> >> You use HTTPS without DNSSEC and DANE. Please use those first. It solves
> >> a lot of your server validation issues. At least it allows your users'
> >> browsers to validate code44.com.
> >>
> >> I repeat: Hashes are for computers, not for people.
> >>
> >>
> >>
> >> Plugging my own warez: I believe I've come up with a way to do DNSSEC
> >> and DANE in combination with a certificate repository. It allows the
> >> browser to validate the authenticity of a server certificate.
> >>
> >> When validated it can be sure that the javascript found at a page is
> >> indeed that what the page-author wanted. Please see:
> >>
> >>
> >>
> >> http://eccentric-authentication.org/blog/2013/03/23/Cryptographic-same-origin-policy.html
> >>
> >>
> >> And please ask if anything is unclear. I love to receive comments on
> >> where I'm right or wrong.
> >>
> >> Regards, Guido.
> >>
> >>
> >> --
> >>
> >
> >
> >
> >--
> >Francisco Ruiz
> >Associate Professor
> >MMAE department
> >Illinois Institute of Technology
> >
> >PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMapJFfiA11Q9yJU1K1Wo0TbjXK/=PL13lok
> >
> >get the PassLok privacy app at: http://passlok.com
> >-------------- next part --------------
> >An HTML attachment was scrubbed...
> >URL:
> ><http://mailman.stanford.edu/pipermail/liberationtech/attachments/20130813/08d00b6d/attachment-0001.html>
> >
> >------------------------------
> >
> >Message: 47
> >Date: Tue, 13 Aug 2013 22:37:14 +0100
> >From: Bernard Tyers - ei8fdb <ei8fdb at ei8fdb.org>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] [Dewayne-Net] Are Hackers the Next
> > Bogeyman Used to Scare Americans Into Giving Up More Rights?
> >Message-ID: <74F5DB36-8061-457D-8177-9E7ADCE31FE6 at ei8fdb.org>
> >Content-Type: text/plain; charset="us-ascii"
> >
> >Haven't "hackers" always been portrayed in a way to scare people? * If
> >it's not DDoSing script kiddies, it's zombie network owning Latvian
> >mafias..
> >
> >If this *is* the case, how can General Alexander go to Blackhat 2013 and
> >say (paraphrasing) "we (CIA) use the same tools as you do. Help us
> >protect America by teaching us rad haxoring skills."?
> >
> >
> >*: I still have a problem with the incorrect use of the word hacker
> >here, but it's already passed into common usage.
> >
> >
> >
> >On 12 Aug 2013, at 22:55, michael gurstein <gurstein at gmail.com> wrote:
> >
> >> -----Original Message-----
> >> From: dewayne-net at warpspeed.com [mailto:dewayne-net at warpspeed.com] On
> >> Behalf Of Dewayne Hendricks
> >> Sent: Tuesday, August 13, 2013 4:32 AM
> >> To: Multiple recipients of Dewayne-Net
> >> Subject: [Dewayne-Net] Are Hackers the Next Bogeyman Used to Scare
> >> Americans Into Giving Up More Rights?
> >>
> >> Are Hackers the Next Bogeyman Used to Scare Americans Into Giving Up
> >> More Rights?
> >> Has "terrorism" grown a little stale as an all purpose boogeyman?
> >> By Digby
> >> Aug 12 2013
> >>
> >> <http://www.alternet.org/are-hackers-next-bogeyman-used-scare-americans-giving-more-rights>
> >>
> >> Marcy Wheeler has been speculating for a very long time that the real
> >> purpose of all this NSA collection isn't terrorism, it's hacking. These
> >> comments last week from Michael Hayden lend a lot of credence to that
> >> theory in my eyes:
> >>
> >> "If and when our government grabs Edward Snowden, and brings him back
> >> here to the United States for trial, what does this group do?" said
> >> retired air force general Michael Hayden, who from 1999 to 2009 ran the
> >> NSA and then the CIA, referring to "nihilists, anarchists, activists,
> >> Lulzsec, Anonymous, twentysomethings who haven't talked to the opposite
> >> sex in five or six years".
> >> "They may want to come after the US government, but frankly, you know,
> >> the dot-mil stuff is about the hardest target in the United States,"
> >> Hayden said, using a shorthand for US military networks. "So if they
> >> can't create great harm to dot-mil, who are they going after? Who for
> >> them are the World Trade Centers? The World Trade Centers, as they were
> >> for al-Qaida."
> >>
> >> That's just a tiny bit overwrought for an allegedly serious expert,
> >> don't you think? In fact, it sounds like the kind of thing we heard
> >> from various members of the Bush administration during the early days
> >> after 9/11. And it certainly indicates, as Wheeler has been
> >> speculating, that the government is stretching the terrorism laws to
> >> include hacking. They certainly are using the same histrionic language
> >> to describe it.
> >>
> >> Under Hayden, the NSA began to collect, among other things, the phone
> >> records and internet data of Americans without warrants after 9/11, a
> >> drastic departure from its traditional mission of collecting foreign
> >> intelligence. A variety of technically sophisticated collection and
> >> analysis programs, codenamed Stellar Wind, were the genesis of several
> >> of the NSA efforts that Snowden disclosed to the Guardian and the
> >> Washington Post.
> >>
> >> [snip]
> >>
> >> Dewayne-Net RSS Feed: <http://www.warpspeed.com/wordpress>
> >>
> >>
> >>
> >> --
> >
> >--------------------------------------
> >Bernard / bluboxthief / ei8fdb
> >
> >IO91XM / www.ei8fdb.org
> >
> >
> >------------------------------
> >
> >Message: 48
> >Date: Tue, 13 Aug 2013 17:54:14 -0400
> >From: Joseph Lorenzo Hall <joe at cdt.org>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: [liberationtech] Speculation as to what the US government
> > ordered Lavabit to do?
> >Message-ID: <520AAB06.3090804 at cdt.org>
> >Content-Type: text/plain; charset=ISO-8859-1
> >
> >I don't think I've seen educated speculation here about what the court
> >order that Lavabit received actually ordered them to do. Here is my own
> >guess and I'm wondering if people have thoughts.
> >
> >First, from an interview with Ladar Levison (
> >http://possibility.com/LavabitArchitecture.html ) it seems clear that
> >they wrote ciphertext to disk for each message in a users' account:
> >
> >"* Do you use any particularly cool technologies or algorithms?
> >
> >The way we encrypt messages before storing them is relatively unique.
> >We only know of one commercial service, and one commercial product that
> >will secure user data using asymmetric encryption before writing it to
> >disk. Basically we generate public and private keys for the user and
> >then encrypt the private key using a derivative of the plain text
> >password. We then encrypt user messages using their public key before
> >writing them to disk. (Alas, right now this is only available to paid
> >users.)"
> >
> >So, in excruciating detail I read this to mean:
> >
> >1. When a user signs up, they create a log-in password.
> >2. The system creates a key pair.
> >3. The private key is encrypted symmetrically using some hard variant of
> >the log-in password.
> >4. Both keys stored to disk. Clear private key wiped from memory on
> >log-out.
> >5. Whenever a message is stored for the user (regardless of login
> >state), the system encrypts it with the public key.
> >6. When a user logs in, their login password is turned into the hard
> >variant and used to symmetrically decrypt the private key. This private
> >key is placed in secure memory, etc.
> >7. When the user views a message (or presumably searches an encrypted
> >index of messages), it uses the private key in memory to decrypt it.
> >8. When the user logs out, the private key in memory is wiped.
> >
> >This means that access to decrypted message content was only
> >available when a user was logged in. From a surveillance perspective,
> >this means that the private key would have to be read from memory or
> >during the write to memory. (I still don't know how password changes
> >would work here... maybe they just re-encrypt the private key with the
> >new hard variant?)
> >
> >This is all to say that I suspect the government's order requested
> >ongoing access to the private key(s) in memory for some subset of
> >Lavabit users, such that they could ask in the future for the encrypted
> >contents of those users' accounts and easily look up these private keys
> >to get the message cleartext.
> >
> >It's unclear to me if this would require an order that ordered Lavabit
> >to write software to do this (e.g., a backdoor), but it sounds like
> >that's the case. And it seems clear that by shutting down the service
> >last week, no one can log-in again such that their ciphertext is safe.
> >
> >best, Joe
> >
> >--
> >Joseph Lorenzo Hall
> >Senior Staff Technologist
> >Center for Democracy & Technology
> >1634 I ST NW STE 1100
> >Washington DC 20006-4011
> >(p) 202-407-8825
> >(f) 202-637-0968
> >joe at cdt.org
> >PGP: https://josephhall.org/gpg-key
> >fingerprint: BE7E A889 7742 8773 301B 4FA1 C0E2 6D90 F257 77F8
> >
> >
> >
> >
> >------------------------------
> >
> >Message: 49
> >Date: Tue, 13 Aug 2013 16:54:54 -0500
> >From: Francisco Ruiz <ruiz at iit.edu>
> >To: liberationtech <liberationtech at lists.stanford.edu>
> >Subject: Re: [liberationtech] In defense of client-side encryption
> >Message-ID:
> > <CAAO5WsyPOCvaE8HY9MWwMMfVpz9V_D3XdOPKMCSxZTQ8NJe9OQ at mail.gmail.com>
> >Content-Type: text/plain; charset="iso-8859-1"
> >
> >Hi Steve. I want to thank you for taking your time to help me. Your
> >comments are awesome. May I follow up with some short questions, right
> >after some of your comments?
> >
> >Many thanks in advance.
> >
> >On Mon, Aug 12, 2013 at 7:18 PM, Steve Weis <steveweis at gmail.com> wrote:
> >
> >> Francisco, you assume that all browsers will save a static version of
> >> the page identically. This is not the case.
> >>
> >> I ran a test using 'wget https://passlok.site44.com' and Chrome's "Save
> >> As". The former will actually match the hash value you've posted, but
> >> the latter does not.
> >>
> >> I spotted at least 5 differences in Chrome's saved output:
> >> 1. Unicode: wget returned escaped Unicode characters. Chrome saved
> >> output containing actual Unicode characters. Your suggested method of
> >> cutting from view-source and pasting into a text editor may be
> >> unpredictable, and dependent on a user's OS and locale.
> >>
> >
> >I think the Unicode characters got in when I added the qr.js code, which
> >had comments in Korean ;-) Do you think it's maybe best to get rid of
> >anything that is not strict ASCII? The code doesn't need any special
> >characters.
> >
> >
> >> 2. Relative link re-writing: wget returned relative links. Chrome
> >> replaced them with absolute links, so that links work locally.
> >>
> >
> >I've toyed with the idea of making absolute the couple relative links in
> >there: the png for making a mobile icon, and the help page. Maybe it's
> >better if they are absolute so the browser doesn't change them, uh?
> >
> >
> >> 3. Whitespace: Chrome stripped out some whitespace.
> >>
> >
> >I've tried to make super-sure that the code has no leading and no trailing
> >spaces or linefeeds, so maybe wget is adding spaces?
> >
> >> 4. Style rewriting: Chrome replaced some style elements like
> >> "background-color: #FFA0A0" with "rgb(230, 255, 230);".
> >> 5. Chrome extensions: I have locally installed extensions that modify
> >> page contents, e.g. AdBlock and DoNotTrackMe. My locally saved copy of
> >> Passlok had elements that were injected into it by some extensions.
> >>
> >> Any of these will break your manual hash validation. These are specific
> >> to my version of Chrome, but other browsers may alter saved content
> >> similarly.
> >>
> >
> >I've spent a lot of time making the code run nice and polishing the user
> >interface. I didn't suspect code validation was going to be this
> >difficult.
> >Truth is, most users are never going to bother with validating the code,
> >but a few will care intensely about this.
> >
> >
> >>
> >> To work, you must assume that your user has a local client (say wget or
> >> curl) that can save a canonical copy of your page without modification.
> >> Browsers do not guarantee this. Then you must assume the user has a
> >> locally installed tool to compute the hash, like sha256sum or openssl.
> >> Then they would need to point their browser at the locally downloaded
> >> file to actually use it.
> >>
> >> If you depend on locally installed software outside the browser and use
> >> local storage, the user is better off just using locally installed
> >> software to do the crypto.
> >>
> >> PS - I noticed some oddness glancing through the source. For example,
> >> the makepub() function strips 6 bits of a Base64-encoded leading 0 for
> >> no apparent reason. The rest of the code has to remember to keep adding
> >> back in the missing Base64 character or else it will break. The only
> >> reason I can think of someone doing this is because they didn't
> >> understand why the randomly generated Base64 value always started with
> >> 'A'.
> >>
> >
> >Ah, you saw that. It's the elliptic curve output. SJCL handles points and
> >exponents as complex recursive objects. In order to display them for the
> >user, I extract the data and convert it into base64. For reasons that I
> >don't fully understand (probably having to do with 521, the true bit
> >length of the elliptic curve numbers, not being divisible by 6), those
> >strings always start with "A". Since I intensely dislike displaying
> >supposedly random-looking strings that always begin with the same
> >character, I strip it, but instruct the functions that read those strings
> >from the interface to add it again before they do any calculations.
> >
> >Thanks again, Steve!
> >
> >
> >>
> >> On Sun, Aug 11, 2013 at 7:37 PM, Francisco Ruiz <ruiz at iit.edu> wrote:
> >>
> >>> I still have to read through the references you supply, but I can
> >>> already see a misconception. They refer to the dangers of carrying out
> >>> cryptography with javascript-containing dynamic pages. My previous
> >>> posting referred to _perfectly static_ pages, which are supposed to be
> >>> always the same coming from the server, not modified by the browser in
> >>> any way, and which, in fact, you can save and store somewhere safe and
> >>> never again have to get from the server. I believe the intrinsic
> >>> security of this kind of javascript code is no different from that of
> >>> compiled code, which also should be checked for tampering, so long as
> >>> it uses standard functions that are not likely to be modified in
> >>> browser updates. Sorry about the confusion.
> >>>
> >>>
> >> --
> >> Liberationtech is a public list whose archives are searchable on Google.
> >> Violations of list guidelines will get you moderated:
> >> https://mailman.stanford.edu/mailman/listinfo/liberationtech.
> >> Unsubscribe, change to digest, or change password by emailing moderator
> >>at
> >> companys at stanford.edu.
> >>
> >
> >
> >
> >--
> >Francisco Ruiz
> >Associate Professor
> >MMAE department
> >Illinois Institute of Technology
> >
> >PL13lok=WsH3zTgZn8V3hnIqjdbfPus+5YF5n+LBRPuH9USMMp8izPv+hsLoZKv+jaCFMapJFf
> >iA11Q9yJU1K1Wo0TbjXK/=PL13lok
> >
> >get the PassLok privacy app at: http://passlok.com
> >
> >------------------------------
> >
> >
> >End of liberationtech Digest, Vol 168, Issue 2
> >**********************************************
>
>
--
Tony Arcieri