[liberationtech] Encrypted Pastebins: Attack Vectors against ezcrypt.it and 0bin.net

carlo von lynX lynX at time.to.get.psyced.org
Sun Jan 19 04:23:04 PST 2014 

On Sun, Jan 19, 2014 at 02:28:39PM +0700, Uncle Zzzen wrote:
> On 19 January 2014 08:51, carlo von lynX <lynX at time.to.get.psyced.org>wrote:
> > There's one acceptable compromise left.. the one that the Tor
> > architecture employs... dumb relays that do useful work and
> > have no idea either they are doing or who they are doing it for.
> >
> As I've been hearing from I2P advocates: TOR's a road I2P is a place.

Actually with hidden services Tor's also a place while I2P is weak
in being a road...

> If a VPS is a risk, you can only trust a PC inside a residence (not
> sufficient, but mandatory).

Let's say your space at home is a better place, but it is for my
perspective of understanding a much better choice to architect
software in such a way, that no server - wherever it may be running -
is in charge of your private affairs, or - even worse - become a
pot of honey by serving unencrypted storage to dozens, hundreds,
thousands, millions of people.

> TOR has hidden services but (from what I've heard) it's less optimized in
> their architecture. What they do is take you somewhere, but there's nowhere
> to go. It's all in the cloud and the cloud is poisoned. P2P is the silver
> lining, it can live with netsplits, and as we've seen from Egypt to BART,
> netsplits are the future :(

Not all argumentation needs to be scientific, sometimes art has its
place, too. But for the sake of accuracy TorHS enable just the kind
of home servers that you were advocating - and the cloud isn't doing
a thing really, because even relay servers do not run in a cloud.
Whereas I2P is deploying relay nodes on VPS and introducing exit
nodes from what I heard, so the two technologies are converging
somewhat.

> > I presume Mr Schneier is right saying that if the nation state actor
> > is after *your* device, then the likelihood is high it will find its
> > way in (especially if you use a collaborating operating system). This
> > threat model only worries me if it could be applied against entire
> > nations in a warfare situation, which it might.
>
> I think the only winning strategy here is if nations (EU, Brasil, etc.)
> would plan develop from scratch a standard for a "snoop-free" home
> computer, where all hardware and software available on repositories.
> Can also be things like freedombox, set top box, etc.

The legislation proposal that we've put up on youbroketheinternet.org
implies that as a technical requirement for implementing constitutional
secrecy of correspondence. There shouldn't even be the need for much
of a debate considering that the current Internet is unconstitutional
and a breach of human rights. Supreme courts should establish a deadline
for upgrading the constitutionality of the Internet, otherwise it must
be shut down. Then governments would be motivated to pass the responsa-
bility of implementing this down to the industry by passing such a law.

> If you have millions of those all over your country, you level the
> playground.

Don't forget we don't have suitable software yet. All of the designs
still assume that it is reasonable to put private data on these boxes.

> If other nations take your designs and "capitalize on your intelectual
> property", even better. Each Chinese family that installs such a box,
> throws away an appliance that had backdoors by their own gov and/or other
> enemies of yours. Best is if they ban this and it becomes popular :)

Ha, you can't beat a good sense of optimism.

> > Yes, ever since the mid 90s.. but you probably never heard of them or
> > of the fact they support this feature.  ;-)
>
> > Depends on what you mean by "this feature".

Browsers allowing for other scripting languages than Javascript.
Internet Exploder is best known for this.  ;-P

> I didn't look closely, but I believe I could (and gladly would) kick uzbl
> around into - say - a syndie reader (if they had python API - that is :) ).

Is python designed to be sandboxed? Do we even want scripts
coming from remote.. anywhere remote? If not, what's the use of
having a script language for things that could be implemented
natively? Anything, which isn't native, is harder to deploy on
embedded devices.. no?

> The next level of "this feature" (if we don't want js) is to extend the 90s
> html with some standard modern set of widgets.
> For exmple: you decide that bootstrap (including all the data-* attributes
> that are later read by js) is the standard. You ignore the JS, but the
> menus would still work.
> Doesn't have to be bootstrap, but should be something that has a community
> developing themes etc.

Why not.

> Do you know about such repositories?

No.

> A higher level would be to develop a scripting language (perhaps a
> not-necessarily-compatible subset of js, so that things like
> onclick="this.select()" would work).

You could also use a WYSIWYG GUI builder tool, so you don't need to
write any code.

> It should include a barebones minimum, but I'm not sure what it means:
> Does that include ajax? What should the protocol for ajax be? How can we

No, AJAX is a dirty hack which can definitely be kicked out. If there is
a Javascript, then it can use a native communications API. We use the PSYC
protocol API. Other folks prefer handing DOM object trees around.

> build it so that there can't be XSS/CSRF? etc.

Yeah, don't allow remote execution and cross referencing.
It seemed like a cool idea at the time but it has proven to be very evil.

> Do you know about such repositories?

No.

> The highest level of "this feature" would be if this "Mock JS" could have
> full WebRTC functionality ;)

Dunno, WebRTC is so prone to MITM.
I'd rather have something secure.


-- 
	    http://youbroketheinternet.org
 ircs://psyced.org/youbroketheinternet

More information about the liberationtech mailing list