Re: [lopsa-tech] Canary

2015-10-27 Thread Ryan DeShone
On Fri, 2015-10-23 at 11:16 +, Edward Ned Harvey (lopser) wrote: > > From: Ryan DeShone [mailto:r...@deshone.net] > > > > As someone else has mentioned, the (untested) hypothesis behind the > > warrant canary is that while the government can prevent you from > > disclosing something, they cann

Re: [lopsa-tech] Canary

2015-10-23 Thread Edward Ned Harvey (lopser)
I guess the "Everything's fine" canary helps avoid the TrueCrypt scenario. In the case of TrueCrypt, they put up a bunch of vague clues that something might not be ok. They told people to use BitLocker, which, prior to their implosion, they had a FAQ that says you should never use TPM. So it was

Re: [lopsa-tech] Canary

2015-10-23 Thread Edward Ned Harvey (lopser)
> From: Ryan DeShone [mailto:r...@deshone.net] > > As someone else has mentioned, the (untested) hypothesis behind the > warrant canary is that while the government can prevent you from > disclosing something, they cannot force you to lie. If the canary ever > disappears (or isn't updated) it is s

Re: [lopsa-tech] Canary

2015-10-22 Thread Ryan DeShone
On Thu, 2015-10-22 at 17:47 +, Edward Ned Harvey (lopser) wrote: > You might say, "spideroak, zero-knowledge, means they > couldn't/wouldn't hand over data, and even if they did, it would be > meaningless, because it's encrypted client-side without exposure of > passwords or keys." If this is t

Re: [lopsa-tech] Canary

2015-10-22 Thread Dave Caplinger
On Oct 22, 2015, at 1:03 PM, Edward Ned Harvey (lopser) wrote: > > ... Their canary page "everything's fine" doesn't answer the question of > whether or not they handed anything over to the feds, as a result of Snowden > using their service. Especially this week, I couldn't help but think of:

Re: [lopsa-tech] Canary

2015-10-22 Thread Edward Ned Harvey (lopser)
> From: Jerald Sheets [mailto:que...@gmail.com] > > Can we stop the "reply all" train? My phone is about dead. That's not how mailing lists work. ;-)

Re: [lopsa-tech] Canary

2015-10-22 Thread Edward Ned Harvey (lopser)
> From: Evan Pettrey [mailto:jepett...@gmail.com] > > Are you raising this concern for any specific reason or something you just > came across and wanted to offer your two cents about? I don't personally use spideroak, but I care about privacy. Since you ask, and full disclosure my company is a

Re: [lopsa-tech] Canary

2015-10-22 Thread Josh Smift
Maybe spideroak's canary isn't a warrant canary, but a general health / heartbeat canary. If the three signers don't check in every six months, you know something's happened to them. Or, maybe they have something else in mind. Isn't part of the point of this that you aren't allowed to say exactly

Re: [lopsa-tech] Canary

2015-10-22 Thread Jerald Sheets
Can we stop the "reply all" train? My phone is about dead. --- Jerald M. Sheets jr. On Thu, Oct 22, 2015 at 12:10 PM, Edward Ned Harvey (lopser) < lop...@nedharvey.com> wrote: > For anyone who doesn't know, a warrant canary is when a company like > Dropbox, etc, publishes their Transparency Re

Re: [lopsa-tech] Canary

2015-10-22 Thread Edward Ned Harvey (lopser)
Here, try this on for size: Snowden was using LavaBit. The feds approached Lavabit and tried to force Ladar to hand over users' information. The flaw with LavaBit was the fact that users' data, or passwords, or keys, were momentarily in server memory. That momentary exposure, the feds said, mea

Re: [lopsa-tech] Canary

2015-10-22 Thread Evan Pettrey
On Thu, Oct 22, 2015 at 1:32 PM, Edward Ned Harvey (lopser) < lop...@nedharvey.com> wrote: > > From: Evan Pettrey [mailto:jepett...@gmail.com] > > > > "SpiderOak should have a full breakdown of their new canary setup on > their > > blog shortly, but here’s the gist: every 6 months, they’ll > re-pu

Re: [lopsa-tech] Canary

2015-10-22 Thread Edward Ned Harvey (lopser)
> From: Evan Pettrey [mailto:jepett...@gmail.com] > > "SpiderOak should have a full breakdown of their new canary setup on their > blog shortly, but here’s the gist: every 6 months, they’ll re-publish this > page with an “All clear!” message. Three PGP signatures will sign the page for > authentic

Re: [lopsa-tech] Canary

2015-10-22 Thread Matt Simmons
Ah, that makes a lot of sense, then. The canary itself seems to contain three sets of signer sigs (Darwin, OpenBSD, and v1). That also explains the headline change. Nice. On Thu, Oct 22, 2015 at 9:17 AM, Evan Pettrey wrote: > The article here has a fair explanation: > http://techcrunch.com/2014/

Re: [lopsa-tech] Canary

2015-10-22 Thread Evan Pettrey
The article here has a fair explanation: http://techcrunch.com/2014/08/14/spideroak-implements-a-warrant-canary/ "SpiderOak should have a full breakdown of their new canary setup on their blog shortly, but here’s the gist: every 6 months, they’ll re-publish this page

Re: [lopsa-tech] Canary

2015-10-22 Thread Matt Simmons
So, looking at some historic updates, it didn't change for a long time, and then the entire thing got refreshed and there are several more signatures. My interpretation is that every signature is an update, and each time they get a request, the file gets updated. --Matt On Thu, Oct 22, 2015 at 9

Re: [lopsa-tech] Canary

2015-10-22 Thread Matt Simmons
Here's the archive.org history. I'm honestly not certain what to make of it https://web.archive.org/web/*/https://spideroak.com/canary On Thu, Oct 22, 2015 at 9:10 AM, Edward Ned Harvey (lopser) < lop...@nedharvey.com> wrote: > For anyone who doesn't know, a warrant canary is when a company li