[liberationtech] Encrypted Pastebins: Attack Vectors against ezcrypt.it and 0bin.net
Uncle Zzzen
unclezzzen at gmail.com
Sat Jan 18 23:28:39 PST 2014
On 19 January 2014 08:51, carlo von lynX <lynX at time.to.get.psyced.org> wrote:
> On Sat, Jan 18, 2014 at 01:52:07AM +0700, Uncle Zzzen wrote:
> > In that case, we shouldn't trust anything unless it's [hopefully]
> > hostile-player-proof P2P, then we're back to "confiscate the hard drive"
> > times.
>
> There's one acceptable compromise left.. the one that the Tor
> architecture employs... dumb relays that do useful work and
> have no idea either they are doing or who they are doing it for.
>
As I've been hearing from I2P advocates: TOR's a road, I2P is a place.
If a VPS is a risk, you can only trust a PC inside a residence (not
sufficient, but mandatory).
TOR has hidden services but (from what I've heard) it's less optimized in
their architecture. What they do is take you somewhere, but there's nowhere
to go. It's all in the cloud and the cloud is poisoned. P2P is the silver
lining, it can live with netsplits, and as we've seen from Egypt to BART,
netsplits are the future :(
>
> I presume Mr Schneier is right saying that if the nation state actor
> is after *your* device, then the likelihood is high it will find its
> way in (especially if you use a collaborating operating system). This
> threat model only worries me if it could be applied against entire
> nations in a warfare situation, which it might.
>
I think the only winning strategy here is if nations (EU, Brasil, etc.)
would plan to develop from scratch a standard for a "snoop-free" home
computer, where all hardware and software are available on repositories.
Can also be things like freedombox, set top box, etc.
If you have millions of those all over your country, you level the
playground.
If other nations take your designs and "capitalize on your intellectual
property", even better. Each Chinese family that installs such a box
throws away an appliance that had backdoors by their own gov and/or other
enemies of yours. Best is if they ban this and it becomes popular :)
> Yes, RetroShare has HTML-compatible rich text everywhere, but no actual
> web browser. We were considering something similar for secushare, too.
> It's a pattern. Recover the spirit of the web and throw away the
> cancerogenous parts.
>
I'm happy to hear this.
> Yes, ever since the mid 90s.. but you probably never heard of them or
> of the fact they support this feature. ;-)
>
Depends on what you mean by "this feature".
I didn't look closely, but I believe I could (and gladly would) kick uzbl
around into - say - a syndie reader (if they had a Python API - that is :) ).
The next level of "this feature" (if we don't want js) is to extend the 90s
html with some standard modern set of widgets.
For example: you decide that bootstrap (including all the data-* attributes
that are later read by js) is the standard. You ignore the JS, but the
menus would still work.
Doesn't have to be bootstrap, but should be something that has a community
developing themes etc.
Do you know about such repositories?
A higher level would be to develop a scripting language (perhaps a
not-necessarily-compatible subset of js, so that things like
onclick="this.select()" would work).
It should include a barebones minimum, but I'm not sure what it means:
Does that include ajax? What should the protocol for ajax be? How can we
build it so that there can't be XSS/CSRF? etc.
Do you know about such repositories?
The highest level of "this feature" would be if this "Mock JS" could have
full WebRTC functionality ;)
Thanks