From bobsint at hotmail.com Tue Oct 6 04:36:55 2015
From: bobsint at hotmail.com (bob smith)
Date: Tue, 6 Oct 2015 04:36:55 +0000
Subject: [General] Bulk CNE - Improve Tox threat model
Message-ID:

In After the Summer of Snowden Jacob Appelbaum states the following:

And a lot of people I think probably would say, well targeted surveillance is okay, mass surveillance is wrong. This is a false distinction, and whenever someone presents it to you, you should reject it. Because, actually, what the British government has just come out and said, is that the future of surveillance is going to be bulk CNE, or Computer Network Intrusion, where they break into computers to extract data. So the notion of targeting a specific computer to exfiltrate data is something they want to do at mass scale. To pull data out. So everything is about mass surveillance, about bulk transfer of information.

My proposal is, add "Tox (or any other software-only product for that matter) can't protect you from bulk CNE. When sending messages, be aware that you no longer need to be an "important" target to get your computer hacked, and anything you see or type may be seen by entities such as the FBI / NSA / GCHQ." either to front page, or after the "--life-or-death situation." at Tox FAQ.

The end result would look like

While we believe Tox is secure against attackers who want to decrypt your messages, you may wish to use a more established solution if you are in a life-or-death situation; Tox (or any other software-only product for that matter) can't protect you from bulk CNE. When sending messages, be aware that you no longer need to be an "important" target to get your computer hacked, and anything you see or type may be seen by entities such as the FBI / NSA / GCHQ.

I understand that it's not the job of Tox to fix issues in host OS, but running TCB on networked OS is inherently insecure configuration. To quote Matthew Green:

Each of the apps seem quite good, cryptographically speaking.
But that's not the problem. The real issue is that they each run on a vulnerable, networked platform.

Tox like all tools, should provide a fair warning about this. Tox is intended to be a "secure Skype replacement". There's no denying that Tox is more secure than Skype, but failure to mention Tox's limitations against the changing threat model of the average Joe, might place him under larger danger, when he assumes he's able to speak freely.

From email at oranges.net.nz Tue Oct 6 05:24:28 2015
From: email at oranges.net.nz (oranges)
Date: Tue, 6 Oct 2015 18:24:28 +1300
Subject: [General] Bulk CNE - Improve Tox threat model
In-Reply-To:
References:
Message-ID: <56135B0C.7080304@oranges.net.nz>

I think you're bang on with your assessment,

I personally advocate that we move the threat model assessment and writeup to the wiki, so we can link to it from both the main website and the binaries download page - then we can edit it really easily when information like this comes to light.

Right now the process for getting new copy on the website is completely non existent so I think it would be a better solution, anyone have any thoughts?

Cheers
oranges

From zero-one at tox.chat Tue Oct 6 05:30:44 2015
From: zero-one at tox.chat (zero-one)
Date: Mon, 5 Oct 2015 22:30:44 -0700
Subject: [General] Bulk CNE - Improve Tox threat model
In-Reply-To: <56135B0C.7080304@oranges.net.nz>
References: <56135B0C.7080304@oranges.net.nz>
Message-ID: <56135C84.8060109@tox.chat>

I like the idea of having a semi-formal threat model assessment. The real question here is: who is going to do the work? As it stands, my plate is full.

Adding it to an article on the wiki should do just fine. In the meantime, installgen2 is going to finish work on the new site (at some point), at which time we might put in a small link to the article on the wiki.
On 10/05/2015 10:24 PM, oranges wrote:
> I think you're bang on with your assessment,
>
> I personally advocate that we move the threat model assessment and
> writeup to the wiki, so we can link to it from both the main website and
> the binaries download page - then we can edit it really easily when
> information like this comes to light.
>
> Right now the process for getting new copy on the website is completely
> non existent so I think it would be a better solution, anyone have any
> thoughts?
>
> Cheers
> oranges

From greg at grayhatter.com Tue Oct 6 07:27:04 2015
From: greg at grayhatter.com (Gregory Mullen)
Date: Tue, 6 Oct 2015 00:27:04 -0700
Subject: [General] Bulk CNE - Improve Tox threat model
In-Reply-To: <56135C84.8060109@tox.chat>
References: <56135B0C.7080304@oranges.net.nz> <56135C84.8060109@tox.chat>
Message-ID:

I've never done one, but I'm interested to learn if anyone who knows what they're doing can do a little hand holding?

Apart from that, I believe that we should aim to increase understanding, rather than the standard low effort problem -> solution. E.g. Not just here's the problem, Tox is the solution. More of a here's the problem, this is how we see it going, here are some of the solutions/options, this is where Tox fits.

That will help twice, first it'll get people/users talking/thinking about how things should work. Spawning more questions like what if this, or what happens when x. And second anyone who comes to Tox because InfoSec is actually important to their safety, will be sent along with something that will be helpful to not only why/how to use Tox, but what not to use as well.

Apologies, I'm too tired to read this again so hopefully it's coherent enough that you can at least offer a question to clarify my ramblings.
Either way, if you can point me in the correct direction, I can start working on it this week.

On Mon, Oct 5, 2015 at 10:30 PM, zero-one wrote:
> I like the idea of having a semi-formal threat model assessment. The
> real question here is: who is going to do the work? As it stands, my
> plate is full.
>
> Adding it to an article on the wiki should do just fine. In the
> meantime, installgen2 is going to finish work on the new site (at some
> point), at which time we might put in a small link to the article on the
> wiki.
>
> On 10/05/2015 10:24 PM, oranges wrote:
>> I think you're bang on with your assessment,
>>
>> I personally advocate that we move the threat model assessment and
>> writeup to the wiki, so we can link to it from both the main website and
>> the binaries download page - then we can edit it really easily when
>> information like this comes to light.
>>
>> Right now the process for getting new copy on the website is completely
>> non existent so I think it would be a better solution, anyone have any
>> thoughts?
>>
>> Cheers
>> oranges

From vovansystems at gmail.com Sun Oct 11 08:08:55 2015
From: vovansystems at gmail.com (VovansystemS)
Date: Sun, 11 Oct 2015 11:08:55 +0300
Subject: [General] tox multi-party audio encryption
Message-ID:

Hi,

Recently, I have figured out that WebRTC does not provide end-to-end encryption, nor does ZRTP!

http://lists.jitsi.org/pipermail/dev/2014-March/020318.html
https://openitp.org/design-review/open-source-secure-voice-tools-lay-of-land.html

Does tox provide end-to-end encryption for multi-party audio calls?
( I've read https://wiki.tox.chat/users/techfaq and I know that "All Tox communications (text, audio, video, file transfers, etc) are encrypted", but what is an algorithm used for MP voice encryption? how does it work? )

From zetok at openmailbox.org Sun Oct 11 08:16:56 2015
From: zetok at openmailbox.org (Zetok Zalbavar)
Date: Sun, 11 Oct 2015 09:16:56 +0100
Subject: [General] tox multi-party audio encryption
In-Reply-To:
References:
Message-ID: <561A1AF8.7030802@openmailbox.org>

On 11.10.2015 09:08, VovansystemS wrote:
> Does tox provide end-to-end encryption for multi-party audio
> calls?

No. Every participant in the group call receives your audio, but it doesn't constitute that audio was encrypted by you.

Basically, it's not really possible to make *group* calls "secure" - they are encrypted, but if you want security, call each group participant individually - only this way you can have end-to-end encryption.

With that being said, someone outside of your group call wouldn't know the content.
--
Kind regards,
Zetok Zalbavar
----
My Tox ID:
29AE62F95C56063D833024B1CB5C2140DC4AEB94A80FF4596CACC460D7BAA062E0A92C34
24A0

From daniel at pocock.pro Fri Oct 30 20:13:08 2015
From: daniel at pocock.pro (Daniel Pocock)
Date: Fri, 30 Oct 2015 21:13:08 +0100 (CET)
Subject: [General] [CFP] FOSDEM 2016, RTC devroom, speakers, volunteers needed
Message-ID: <20151030201308.5AFC8321F8@daniel1.office.readytechnology.co.uk>

FOSDEM is one of the world's premier meetings of free software developers, with over five thousand people attending each year. FOSDEM 2016 takes place 30-31 January 2016 in Brussels, Belgium.
http://fosdem.org

This email contains information about:
- Real-Time communications dev-room and lounge,
- speaking opportunities,
- volunteering in the dev-room and lounge,
- related events around FOSDEM, including the XMPP summit,
- social events (including the Saturday night dinner),
- the Planet aggregation sites for RTC blogs

Call for participation - Real Time Communications (RTC)
=======================================================

The Real-Time dev-room and Real-Time lounge is about all things involving real-time communication, including: XMPP, SIP, WebRTC, telephony, mobile VoIP, codecs, privacy and encryption. The dev-room is a successor to the previous XMPP and telephony dev-rooms. We are looking for speakers for the dev-room and volunteers and participants for the tables in the Real-Time lounge.

The dev-room is only on Saturday, 30 January 2016. The lounge will be present for both days.

To discuss the dev-room and lounge, please join the FSFE-sponsored Free RTC mailing list: https://lists.fsfe.org/mailman/listinfo/free-rtc

Speaking opportunities
----------------------

Note: if you used Pentabarf before, please use the same account/username

Main track: the deadline for main track presentations is midnight today, 30 October. Leading developers in the Real-Time Communications field are encouraged to consider submitting a presentation to the main track at https://fosdem.org/submit

Real-Time Communications dev-room: deadline 27 November

Please also use the Pentabarf system to submit a talk proposal for the dev-room. On the "General" tab, please look for the "Track" option and choose "Real-Time devroom". https://penta.fosdem.org/submission/FOSDEM16/

Other dev-rooms: some speakers may find their topic is in the scope of more than one dev-room. It is permitted to apply to more than one dev-room but please be kind enough to tell us if you do this.
You can find the full list of dev-rooms at https://www.fosdem.org/2016/schedule/tracks/

Lightning talks: deadline 27 November

The lightning talks are an excellent opportunity to introduce a wider audience to your project. Given that dev-rooms are becoming increasingly busy, all speakers are encouraged to consider applying for a lightning talk as well as a slot in the dev-room. On the "General" tab, please look for the "Track" option and choose "Lightning Talks". https://fosdem.org/submit

First-time speaking?
--------------------

FOSDEM dev-rooms are a welcoming environment for people who have never given a talk before. Please feel free to contact the dev-room administrators personally if you would like to ask any questions about it.

Submission guidelines
---------------------

The Pentabarf system will ask for many of the essential details. Please remember to re-use your account from previous years if you have one.

In the "Submission notes", please tell us about:
- the purpose of your talk
- any other talk applications (dev-rooms, lightning talks, main track)
- availability constraints and special needs

You can use HTML in your bio, abstract and description.

If you maintain a blog, please consider providing us with the URL of a feed with posts tagged for your RTC-related work.

We will be looking for relevance to the conference and dev-room themes, presentations aimed at developers of free and open source software about RTC-related topics.

Please feel free to suggest a duration between 20 minutes and 55 minutes but note that the final decision on talk durations will be made by the dev-room administrators. As the two previous dev-rooms have been combined into one, we may decide to give shorter slots than in previous years so that more speakers can participate.

Please note FOSDEM aims to record and live-stream all talks. The CC-BY license is used.
For any questions, please join the FSFE-sponsored Free RTC mailing list: https://lists.fsfe.org/mailman/listinfo/free-rtc

Volunteers needed
=================

To make the dev-room and lounge run successfully, we are looking for volunteers:
- FOSDEM provides video recording equipment and live streaming, volunteers are needed to assist in this
- organizing one or more restaurant bookings (depending upon number of participants) for the evening of Saturday, 30 January
- participation in the Real-Time lounge
- helping attract sponsorship funds for the dev-room to pay for the Saturday night dinner and any other expenses
- circulating this Call for Participation to other mailing lists

FOSDEM is made possible by volunteers and if you have time to contribute, please feel free to get involved through https://volunteers.fosdem.org/

Related events - XMPP and RTC summits
=====================================

The XMPP Standards Foundation (XSF) has traditionally held a summit in the days before FOSDEM. There is discussion about a similar summit taking place on 28 and 29 January 2016 http://wiki.xmpp.org/web/Summit_19 - please join the mailing list for details: http://mail.jabber.org/mailman/listinfo/summit

We are also considering a more general RTC or telephony summit, potentially on 29 January. Please join the Free-RTC mailing list and send an email if you would be interested in participating, sponsoring or hosting such an event.

Social events and dinners
=========================

The traditional FOSDEM beer night occurs on Friday, 29 January

On Saturday night, there are usually dinners associated with each of the dev-rooms. Most restaurants in Brussels are not so large so these dinners have space constraints.
Please subscribe to the Free-RTC mailing list for further details about the Saturday night dinner options and how you can register for a seat: https://lists.fsfe.org/mailman/listinfo/free-rtc

Spread the word and discuss
===========================

If you know of any mailing lists where this CfP would be relevant, please forward this email. If this dev-room excites you, please blog or microblog about it, especially if you are submitting a talk.

If you regularly blog about RTC topics, please send details about your blog to the planet site administrators:

http://planet.jabber.org ralphm at ik.nu
http://planet.sip5060.net daniel at pocock.pro
http://planet.opentelecoms.org daniel at pocock.pro

Please also link to the Planet sites from your own blog or web site.

Contact
=======

For discussion and queries, please join the free-rtc mailing list: https://lists.fsfe.org/mailman/listinfo/free-rtc

The dev-room administration team:
Daniel Pocock
Ralph Meijer
Saúl Ibarra Corretgé
Iain R. Learmonth