16 October 2013

NSA Hysteria Is Internet Comsec Duplicity Cover-up


https://cpunks.org//pipermail/cypherpunks/2013-October/001489.html

[liberationtech] RiseUp

Eugen Leitl eugen at leitl.org
Wed Oct 16 02:22:38 EDT 2013


----- Forwarded message from elijah <elijah at riseup.net> -----

Date: Tue, 15 Oct 2013 15:47:15 -0700
From: elijah <elijah at riseup.net>
To: liberationtech <liberationtech at lists.stanford.edu>
Subject: Re: [liberationtech] RiseUp
Message-ID: <525DC5F3.8010604 at riseup.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0
Reply-To: liberationtech <liberationtech at lists.stanford.edu>

On 10/15/2013 03:07 PM, Yosem Companys wrote:

> If you have any thoughts about Riseup, whether
> security/privacy-related or otherwise, I'd love to hear them.

I think I am the only person from the Riseup collective who is
subscribed to liberationtech, so I will reply, although what follows is
not an official position or response from the collective.

We started when it was impossible to get even simple IMAP service that
was affordable. Very early on, it became apparent that one of the
primary issues facing our constituency (social justice activists) was the
rapid rise in abusive surveillance by states and corporations.

Riseup does the best it can with antiquated 20th century technology.
Without getting into any details, we do the best that can be done,
particularly when both sender and recipient are using email from one of
the service providers we have special encrypted transport arrangements with.
Admittedly, the best we can do is not that great. And, of course, our
webmail offering is laughably horrible.

Riseup is not really a "US email provider". The great majority of our
users live outside the United States, and email is just one of many
services we provide.

There has been much discussion on the internets about the fact that
Riseup is located in the US, and what possible country would provide the
best "jurisdictional arbitrage". Before the Lavabit case, the US
actually looked pretty good: servers in the US are not required to
retain any customer data or logs whatsoever. The prospect of some shady
legal justification for requiring a provider to supply the government
with their private TLS keys seems to upend everything I have read or
been told about US jurisprudence. Unfortunately, no consensus has
emerged regarding any place better than the US for servers, despite
notable bombast to the contrary.

As a co-founder of Riseup, my personal goal at the moment is to destroy
Riseup as we know it, and replace it with something that is based on
21st century technology [1]. My hope is that this transition can happen
smoothly, without undue hardship on the users.

As evidenced by the recent traffic on this list, many people are loudly
proclaiming that email can never be secure and it must be abandoned. I
have already written why I feel that this is both incredibly
irresponsible and technically false. There is an important distinction
between mass surveillance and being individually targeted by the NSA.
The former is an existential threat to democracy and the latter is
extremely difficult to protect against.

It is, however, entirely possible to layer a very high degree of
confidentiality, integrity, authentication, and un-mappability onto email
if we allow for opportunistic upgrades to enhanced protocols. For
example, we should be able to achieve email with asynchronous forward
secrecy that is also protected against meta-data analysis (even from a
compromised provider), but it is going to take work (and money) to get
there. Yes, in the long run, we should all just run pond [2], but in the
long run we are all dead.

-elijah

[1] https://leap.se/email
[2] https://pond.imperialviolet.org/
-- 
Liberationtech is public & archives are searchable on Google. Violations
of list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. 
Unsubscribe, change to digest, or change password by emailing moderator 
at companys at stanford.edu.

----- End forwarded message -----
-- 
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5


https://cpunks.org//pipermail/cypherpunks/2013-October/001495.html

[liberationtech] RiseUp

John Young jya at pipeline.com
Wed Oct 16 04:27:24 EDT 2013


Finally, Elijah, a voice of sanity among the hysteria about the way
over-hyped small number of NSA revelations magnifying and
exposing the unexceptional Lavabit scam.

Online insecurity has been well understood since online was invented,
probably the worst ever of any means of technological communication.

Cryptographic protection for a porous infrastructure appears the most
likely cause of the delusion, a favorite export of this list and other
crypto fora. Only recently has this delusion about the fundamental
weakness of online communications received adequate attention,
and the weakness of NSA infosec can be thanked for that.

Attention is not yet adequate for this commercial exploitation of
what comsec wizards have kept far too quiet about, although this
list raised alarms from the gitgo of encryption boosterism.

Commercial and non-official exploitation of the comsec delusion
remains far greater than that of official spies, including essential
undergirding of official spying.

Privacy policies in particular were invented as a ruse to divert
attention from ubiquitous spying on the public by online services
whether of governmental, commercial, institutional, non-profit,
personal, anonymizing, traffic hiding, the gamut of Internet
opportunism pretty well demolished by Morozov and others,
especially on this list, but not so much on other lists and
fora which ban incredulity, doubt, skepticism and "off-topics"
concerning comsec.

Time for more than shutting down enterprises that have
betrayed the public for two decades, that only allows the perps to
escape full accountability by governmental, commercial, institutional,
non-profit, personal, anonymizing, traffic hiding, the gamut of
Internet opportunism.

Anonymity and leak exploiters deserve special attention for
running bait and switch operations which have led the public
to believe in shitty security for submissions, media coverage,
honesty and nobility of purpose indistinguishable from
the gov-com-org kind of hucksterism pushed as a target.

Greenwald and Assange, what have you done to Manning
and Snowden.

Coda:

Anonymous and Tor, what have you done to imprison dozens and
breed snitches. For the answer, read cypherpunks archives on
comsec delusion:

http://en.wikipedia.org/wiki/Cypherpunk
http://www.mail-archive.com/cypherpunks@cpunks.org/msg00616.html
http://cryptome.org/0001/assange-cpunks.htm
http://cryptome.org/2013/08/callas-nsa-smtp.htm
http://cryptome.org/2013/09/cpunks-crypto.htm

And Evgeny Morozov on net delusion and technological solutionism favored
by deep-pocketed cyber profiteers:

http://cryptome.org/2013/10/omidyar-tax-2011.pdf

And those out to delude cyber profiteers:

http://cryptome.org/wikileaks/wikileaks-leak2.htm

To: John Young <jya[a t]pipeline.com>
From: Wikileaks <wikileaks[a t]wikileaks.org>
Subject: martha stuart pgp
Date: Sun, 7 Jan 2007 12:20:25 -0500

-----BEGIN PGP MESSAGE-----
Version: None

J. We are going to fuck them all. Chinese mostly, but not entirely a
feint. Invention abounds. Lies, twists and distorts everywhere needed for
protection. Hackers monitor chinese and other intel as they burrow into
their targets, when they pull, so do we. Inexhaustible supply of
material. Near 100,000 documents/emails a day. We're going to crack the
world open and let it flower into something new. If fleecing the CIA will
assist us, then fleece we will. We have pullbacks from NED, CFR,
Freedomhouse and other CIA teats. We have all of pre 2005 afghanistan.
Almost all of india fed. Half a dozen foreign ministries. Dozens of
political parties and consulates, worldbank, apec, UN sections, trade
groups, tibet and Falun Dafa associations and... russian phishing mafia
who pull data everywhere. We're drowning. We don't even know a tenth of
what we have or who it belongs to. We stopped storing it at 1Tb.