
privacy

  • BusKill (Dead Man Switch) Warrant Canary for 2025 H1
    buskill.in BusKill Canary #9 - BusKill

    This post contains the cryptographically-signed BusKill warrant canary #007 for January 2025 to June 2025.


    This post contains a canary message that's cryptographically signed by the official BusKill PGP release key

    | [!BusKill Canary #009](https://www.buskill.in/canary-009/) |
    |:--:|
    | The BusKill project just published their Warrant Canary #009 |

    For more information about BusKill canaries, see:

    • <https://buskill.in/canary>

    ```
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    Status: All good
    Release: 2025-01-14
    Period: 2025-01-01 to 2025-06-01
    Expiry: 2025-06-30

    Statements
    ==========

    The BusKill Team who have digitally signed this file [1] state the following:

    1. The date of issue of this canary is January 14, 2025.

    2. The current BusKill Signing Key (2020.07) is

      E0AF FF57 DC00 FBE0 5635 8761 4AE2 1E19 36CE 786A

    3. We positively confirm, to the best of our knowledge, that the integrity of our systems are sound: all our infrastructure is in our control, we have not been compromised or suffered a data breach, we have not disclosed any private keys, we have not introduced any backdoors, and we have not been forced to modify our system to allow access or information leakage to a third party in any way.

    4. We plan to publish the next of these canary statements before the Expiry date listed above. Special note should be taken if no new canary is published by that time or if the list of statements changes without plausible explanation.

    Special announcements
    =====================

    None.

    Disclaimers and notes
    =====================

    This canary scheme is not infallible. Although signing the declaration makes it very difficult for a third party to produce arbitrary declarations, it does not prevent them from using force or other means, like blackmail or compromising the signers' laptops, to coerce us to produce false declarations.

    The news feeds quoted below (Proof of freshness) serves to demonstrate that this canary could not have been created prior to the date stated. It shows that a series of canaries was not created in advance.

    This declaration is merely a best effort and is provided without any guarantee or warranty. It is not legally binding in any way to anybody. None of the signers should be ever held legally responsible for any of the statements made here.

    Proof of freshness
    ==================

    14 Jan 25 01:01:33 UTC

    Source: DER SPIEGEL - International (https://www.spiegel.de/international/index.rss)
    A Miracle? Pope Francis Helps Transsexual Prostitutes in Rome
    Boost for the Right Wing: Why Did a German Newspaper Help Elon Musk Interfere in German Politics?

    Source: NYT > World News (https://rss.nytimes.com/services/xml/rss/nyt/World.xml)
    What an Upended Mideast Means for Trump and U.S. Gulf Allies
    Russia and Ukraine Battle Inside Kursk, With Waves of Tanks, Drones and North Koreans

    Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
    Gaza ceasefire deal being finalised, Palestinian official tells BBC
    Watch: Moment man is saved from burning LA home

    Source: Bitcoin Blockchain (https://blockchain.info/q/latesthash)
    0000000000000000000042db9e17f012dcd01f3425aa403e29c28c0dc1d16470

    Footnotes
    =========

    [1] https://docs.buskill.in/buskill-app/en/stable/security/pgpkeys.html

    ```

    To view all past canaries, see:

    • <https://www.buskill.in/category/Canary/>

    What is BusKill?

    BusKill is a laptop kill-cord. It's a USB cable with a magnetic breakaway that you attach to your body and connect to your computer.

    | [!What is BusKill? (Explainer Video)](https://www.buskill.in/#demo) |
    |:--:|
    | Watch the BusKill Explainer Video for more info youtube.com/v/qPwyoD_cQR4 |

    If the connection between you to your computer is severed, then your device will lock, shutdown, or shred its encryption keys -- thus keeping your encrypted data safe from thieves that steal your device.

    0
  • Tracing Monero via fee structure

    Chainalysis uses the fee structure to analyze monero transactions. I thought using the fees hardcoded into monero-gui should be fine, but x0.2 does not show up at all, x200 is less used than x100 (even though not available in the gui, but x200 is).

    I guess these fee multipliers are used by other wallets a lot.

    Is x1 the safest to use? Is the jitter in between caused by "automatic" transaction priority? Would it increase privacy to sync fee structures between different clients?

    0
  • 3TOFU: Verifying Unsigned Releases

    3TOFU: Verifying Unsigned Releases

    By Michael Altfield
    License: CC BY-SA 4.0
    https://tech.michaelaltfield.net

    This article introduces the concept of "3TOFU" -- a harm-reduction process when downloading software that cannot be verified cryptographically.

    | [!Verifying Unsigned Releases with 3TOFU](https://tech.michaelaltfield.net/2024/08/04/3tofu/) |
    |:--:|
    | Verifying Unsigned Releases with 3TOFU |

    > ⚠ NOTE: This article is about harm reduction.
    >
    > It is dangerous to download and run binaries (or code) whose authenticity you cannot verify (using a cryptographic signature from a key stored offline). However, sometimes we cannot avoid it. If you're going to proceed with running untrusted code, then following the steps outlined in this guide may reduce your risk.

    TOFU

    TOFU stands for Trust On First Use. It's an (often abused) concept of downloading a person or org's signing key and just blindly trusting it (instead of verifying it).

    3TOFU

    3TOFU is a process where a user downloads something three times at three different locations. If-and-only-if all three downloads are identical, then you trust it.

    Why 3TOFU?

    During the Crypto Wars of the 1990s, it was illegal to export cryptography from the United States. In 1996, after intense public pressure and legal challenges, the government officially permitted export with the 56-bit DES cipher -- which was a known-vulnerable cipher.

    | [!Photo of Paul Kocher holding a very large circuit board](https://tech.michaelaltfield.net/2024/08/04/3tofu/) |
    |:--:|
    | The EFF's Deep Crack proved DES to be insecure and pushed a switch to 3DES. |

    But there was a simple way to use insecure DES to make secure messages: just use it three times.

    3DES (aka "Triple DES") is the process of encrypting a message using the insecure symmetric block cipher (DES) three times on each block, to produce an actually secure message (from known attacks at the time).

    3TOFU (aka "Triple TOFU") is the process of downloading a payload using the insecure method (TOFU) three times, to obtain the payload that's magnitudes less likely to be maliciously altered.

    3TOFU Process

    To best mitigate targeted attacks, 3TOFU should be done:

    1. On three distinct days
    2. On three distinct machines (or VMs)
    3. Exiting from three distinct countries
    4. Exiting using three distinct networks

    For example, I'll usually execute

    • TOFU #1/3 in TAILS (via Tor)
    • TOFU #2/3 in a Debian VM (via VPN)
    • TOFU #3/3 on my daily laptop (via ISP)

    The possibility of an attacker maliciously modifying something you download over your ISP's network is quite high, depending on which country you live in.

    The possibility of an attacker maliciously modifying something you download onto a VM with a freshly installed OS over an encrypted VPN connection (routed internationally and exiting from another country) is much less likely, but still possible -- especially for a well-funded adversary.

    The possibility of an attacker maliciously modifying something you download onto a VM running a hardened OS (like Whonix or TAILS) using a hardened browser (like Tor Browser) over an anonymizing network (like Tor) is quite unlikely.

    The possibility for someone to execute a network attack on all three downloads is very near-zero -- especially if the downloads were spread out over days or weeks.

    3TOFU bash Script

    I provide the following bash script as an example snippet that I run for each of the 3TOFUs.

    ```
    REMOTE_FILES="https://tails.net/tails-signing.key"

    CURL="/usr/bin/curl"
    WGET="/usr/bin/wget --retry-on-host-error --retry-connrefused"
    PYTHON="/usr/bin/python3"

    # in tails, we must torify
    if [[ "$(whoami)" == "amnesia" ]] ; then
        CURL="/usr/bin/torify ${CURL}"
        WGET="/usr/bin/torify ${WGET}"
        PYTHON="/usr/bin/torify ${PYTHON}"
    fi

    tmpDir="$(mktemp -d)"
    pushd "${tmpDir}"

    # first get some info about our internet connection
    ${CURL} -s https://ifconfig.co/country | head -n1
    ${CURL} -s https://check.torproject.org | grep Congratulations | head -n1

    # and today's date
    date -u +"%Y-%m-%d"

    # get the file (use the ${WGET} defined above so the torify wrapper applies on TAILS)
    for file in ${REMOTE_FILES}; do
        ${WGET} ${file}
    done

    # checksum
    date -u +"%Y-%m-%d"
    sha256sum *

    # gpg fingerprint
    gpg --with-fingerprint --with-subkey-fingerprint --keyid-format 0xlong *
    ```

    Here's one example execution of the above script (on a Debian DispVM, executed with a VPN).

    ```
    /tmp/tmp.xT9HCeTY0y ~
    Canada
    2024-05-04
    --2024-05-04 14:58:54--  https://tails.net/tails-signing.key
    Resolving tails.net (tails.net)... 204.13.164.63
    Connecting to tails.net (tails.net)|204.13.164.63|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1387192 (1.3M) [application/octet-stream]
    Saving to: ‘tails-signing.key’

    tails-signing.key   100%[===================>]   1.32M  1.26MB/s    in 1.1s

    2024-05-04 14:58:56 (1.26 MB/s) - ‘tails-signing.key’ saved [1387192/1387192]

    2024-05-04
    8c641252767dc8815d3453e540142ea143498f8fbd76850066dc134445b3e532  tails-signing.key
    gpg: WARNING: no command supplied.  Trying to guess what you mean ...
    pub   rsa4096/0xDBB802B258ACD84F 2015-01-18 [C] [expires: 2025-01-25]
          Key fingerprint = A490 D0F4 D311 A415 3E2B B7CA DBB8 02B2 58AC D84F
    uid                             Tails developers (offline long-term identity key) <tails@boum.org>
    uid                             Tails developers <tails@boum.org>
    sub   rsa4096/0x3C83DCB52F699C56 2015-01-18 [S] [expired: 2018-01-11]
    sub   rsa4096/0x98FEC6BC752A3DB6 2015-01-18 [S] [expired: 2018-01-11]
    sub   rsa4096/0xAA9E014656987A65 2015-01-18 [S] [revoked: 2015-10-29]
    sub   rsa4096/0xAF292B44A0EDAA41 2016-08-30 [S] [expired: 2018-01-11]
    sub   rsa4096/0xD21DAD38AF281C0B 2017-08-28 [S] [expires: 2025-01-25]
    sub   rsa4096/0x3020A7A9C2B72733 2017-08-28 [S] [revoked: 2020-05-29]
    sub   ed25519/0x90B2B4BD7AED235F 2017-08-28 [S] [expires: 2025-01-25]
    sub   rsa4096/0xA8B0F4E45B1B50E2 2018-08-30 [S] [revoked: 2021-10-14]
    sub   rsa4096/0x7BFBD2B902EE13D0 2021-10-14 [S] [expires: 2025-01-25]
    sub   rsa4096/0xE5DBA2E186D5BAFC 2023-10-03 [S] [expires: 2025-01-25]
    ```

    The TOFU output above shows that the release signing key from the TAILS project is a 4096-bit RSA key with a full fingerprint of "A490 D0F4 D311 A415 3E2B B7CA DBB8 02B2 58AC D84F". The key file itself has a sha256 hash of "8c641252767dc8815d3453e540142ea143498f8fbd76850066dc134445b3e532".

    When doing a 3TOFU, save the output of each execution. After collecting output from all 3 executions (intentionally spread out over 3 days or more), diff the output.

    If the output of all three TOFUs match, then the confidence of the file's authenticity is very high.

    Why do 3TOFU?

    Unfortunately, many developers think that hosting their releases on a server with https is sufficient to protect their users from obtaining a maliciously-modified release. But https won't protect you if:

    1. Your DNS or publishing infrastructure is compromised (it happens), or
    2. An attacker has just one (subordinate) CA in the user's PKI root store (it happens)

    Generally speaking, publishing infrastructure compromises are detected and resolved within days and MITM attacks using compromised CAs are targeted attacks (to avoid detection). Therefore, a 3TOFU verification should thwart these types of attacks.

    > ⚠ Note on hashes: Unfortunately, many well-meaning developers erroneously think that cryptographic hashes provide authenticity, but cryptographic hashes do not provide authenticity -- they provide integrity.
    >
    > Integrity checks are useful to detect corrupted data on-download; they do not protect you from maliciously altered data unless those hashes are cryptographically signed with a key whose private key isn't stored on the publishing infrastructure.

    Improvements

    There are some things you can do to further improve the confidence of the authenticity of a file you download from the internet.

    Distinct Domains

    If possible, download your payload from as many distinct domains as possible.

    An adversary may successfully compromise the publishing infrastructure of a software project, but it's far less likely for them to compromise the project website (eg 'tails.net') and their forge (eg 'github.com') and their mastodon instance (eg 'mastodon.social').

    Use TAILS

    | [!TAILS Logo](https://tech.michaelaltfield.net/2024/08/04/3tofu/) |
    |:--:|
    | TAILS is by far the best OS to use for security-critical situations. |

    If you are a high-risk target (investigative journalist, activist, or political dissident) then you should definitely use TAILS for one of your TOFUs.

    Signature Verification

    It's always better to verify the authenticity of a file using cryptographic signatures than with 3TOFU.

    Unfortunately, some companies like Microsoft don't sign their releases, so the only option to verify the authenticity of something like a Windows .iso is with 3TOFU.

    Still, whenever you encounter some software that is not signed using an offline key, please do us all a favor and create a bug report asking the developer to sign their releases with PGP (or minisign or signify or something).

    4TOFU

    3TOFU is easy because Tor is free and most people have access to a VPN (corporate or commercial or an ssh socks proxy).

    But, if you'd like, you could also add i2p or some other proxy network into the mix (and do 4TOFU).

    0
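    The "save each run's output and diff it" step described above, as an added example that is not part of the original article or the author's script: a POSIX shell helper that pulls the sha256 digest and key fingerprint lines out of three saved TOFU outputs and reports whether they agree. The sample run files are constructed inline (the honest runs reuse the digest and fingerprint quoted in the article; the tampered run's values are made up).

    ```shell
    #!/bin/sh
    # Added example (not part of the original article or the author's script): compare
    # the saved output of three independent TOFU runs and report whether the evidence
    # agrees. Assumes each saved run contains the `sha256sum *` lines and the
    # "Key fingerprint = ..." lines that the article's script prints.

    # extract_evidence FILE: print one normalised line per digest ("sha256 <hex> <name>")
    # and per key fingerprint ("fpr <40 hex chars>") found in a saved run.
    extract_evidence() {
        # sha256sum output: 64 hex chars, whitespace, file name
        grep -E '^[0-9a-f]{64}[[:space:]]+[^[:space:]]+' "$1" \
            | awk '{ print "sha256 " $1 " " $2 }'
        # gpg output: "Key fingerprint = A490 D0F4 ..."; drop the grouping spaces so
        # only the fingerprint value is compared, not gpg's column layout
        grep 'Key fingerprint = ' "$1" \
            | sed -e 's/.*Key fingerprint = //' -e 's/ //g' \
            | awk '{ print "fpr " $1 }'
    }

    # compare_tofu RUN1 RUN2 RUN3: print MATCH (exit 0) when all three runs carry the
    # same digests and fingerprints, MISMATCH (exit 1) otherwise, and NO-EVIDENCE
    # (exit 2) when a run has nothing to compare (a silently failed download, say).
    compare_tofu() {
        e1=$(extract_evidence "$1" | sort)
        e2=$(extract_evidence "$2" | sort)
        e3=$(extract_evidence "$3" | sort)
        if [ -z "$e1" ] || [ -z "$e2" ] || [ -z "$e3" ]; then
            echo "NO-EVIDENCE"
            return 2
        fi
        if [ "$e1" = "$e2" ] && [ "$e2" = "$e3" ]; then
            echo "MATCH"
            return 0
        fi
        # Show all three so the reader can see which path disagrees with the others.
        echo "MISMATCH"
        printf 'run 1:\n%s\nrun 2:\n%s\nrun 3:\n%s\n' "$e1" "$e2" "$e3" >&2
        return 1
    }

    # make_samples: write constructed sample runs (not real captures) into a temporary
    # directory and print its path. run1-run3 agree and reuse the digest and
    # fingerprint quoted in the article; "tampered" carries made-up values.
    make_samples() {
        d=$(mktemp -d)
        for n in 1 2 3; do
            printf '%s\n' \
                'Canada' \
                '2024-05-04' \
                '8c641252767dc8815d3453e540142ea143498f8fbd76850066dc134445b3e532  tails-signing.key' \
                'pub   rsa4096/0xDBB802B258ACD84F 2015-01-18 [C] [expires: 2025-01-25]' \
                '      Key fingerprint = A490 D0F4 D311 A415 3E2B B7CA DBB8 02B2 58AC D84F' \
                > "$d/run$n.txt"
        done
        printf '%s\n' \
            '2024-05-06' \
            '1111111111111111111111111111111111111111111111111111111111111111  tails-signing.key' \
            '      Key fingerprint = 1111 1111 1111 1111 1111 1111 1111 1111 1111 1111' \
            > "$d/tampered.txt"
        echo "$d"
    }

    # Stand-alone run: the three honest runs agree; swapping one for the tampered run
    # is caught, and the differing evidence is printed to stderr.
    dir=$(make_samples)
    compare_tofu "$dir/run1.txt" "$dir/run2.txt" "$dir/run3.txt"
    compare_tofu "$dir/run1.txt" "$dir/run2.txt" "$dir/tampered.txt" || true
    rm -rf "$dir"
    ```

    In practice the three files are the outputs saved from the script above on the TAILS, VPN and ISP runs; the diff only tells you something if the runs were genuinely independent.
    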
  • Privacy Guides Adds New "Hardware Recommendations" Section

    After almost 2 years, Privacy Guides has added a new Hardware Recommendations section to their website.

    Thanks to Daniel Nathan Gray and others for implementing this new hardware guide

    0
  • The surveillance state agenda to be advanced by Trump/Vance/Thiel

    Very insightful interview from Whitney Webb (last part of the show). We are already starting to see the same pattern that we’ve seen with Trump’s first term, where Trump surrounds himself with deep state figures to advance the surveillance state agenda. At which point will liberty-minded Trump supporters start questioning the role played by Trump?

    https://www.youtube.com/live/8BqVnOu1WBs

    8
  • Von der Leyen gets 2nd term despite privacy invasions and corruption allegations

    Hey everyone,

    Von der Leyen just secured a second term as EC President, and I'm beyond frustrated. Let's break this down:

    1. Privacy nightmare:
    • Pushing for Chat Control: Goodbye, digital privacy! This move threatens to undermine end-to-end encryption, making our private conversations vulnerable.

    • eID System: This essentially paves the way for mass surveillance, linking our digital identity to nearly every online activity.

    • Data Retention Revival: Trying to bring back data retention ignores the EU Court of Justice's stance on its incompatibility with fundamental rights.

    • Europol's Mass Data Collection: Europol gets a free pass to collect massive amounts of data without sufficient oversight. This is a dangerous precedent.

    • AI Act and Biometric Surveillance: Supporting biometric mass surveillance within the framework of AI regulation is a direct path to an Orwellian society.

    2. Corruption allegations:
    • Shady Pfizer Vaccine Deal: A €35 billion deal with Pfizer, shrouded in secrecy. Why are we not demanding transparency here?

    • Refusing to Disclose Texts with Pfizer CEO: Transparency shouldn't be optional, especially in public health matters.

    • EU Courts vs. Von der Leyen: EU courts have called her out for breaking the law. Why is this not a bigger deal?

    • Piepergate: The controversy surrounding the EU Envoy is troubling and raises questions about integrity and accountability.

    We deserve a leader who champions our rights as non-negotiable and upholds transparency as a fundamental duty, not one who treats our freedoms as expendable and accountability as an inconvenience.

    What are your thoughts on this?

    What will another five years of Von der Leyen bring us?

    Sources:

    Privacy:

    European Digital Identity

    Is eID Building Trust or Invading Privacy?

    Heise Article about data retention (German)

    Europol's Data Retention Critique

    EDRi on the AI Act

    Von der Leyen Rejects Criticism on Biometric Surveillance

    Corruption:

    PfizerGate Vaccine Scandal

    EU's Top Court Rules Against the Commission

    Politico on PfizerGate

    Patrick Breyer on Digital Age Misunderstandings

    Corporate Europe on Piepergate

    5
  • Work of secretive ‘Migration 5’ group revealed
    www.rnz.co.nz Work of secretive ‘Migration 5’ group revealed

    How five countries – including New Zealand – have quietly created a vast network about those who come and go across their borders.

    0
  • The new surveillance is all of us
    0
  • DNS traffic leak outside VPN tunnel on Android
    www.ivpn.net DNS traffic leak outside VPN tunnel on Android

    Recently we were made aware of a potential DNS traffic leak outside the VPN tunnel on Android. Even with Android OS “Always-on VPN” and “Block connections without VPN” options enabled, as per the report the plaintext DNS traffic can be observed outside the VPN tunnel.

    0
  • Degoogled phones running privacy oriented OS - Accepting Monero
    de-googled.com Degoogled phones running privacy oriented OS

    We sell Degoogled phones with Graphene, Lineage, Calyx or /e/ Operating System installed to protect you and your privacy.

    4
  • British Government to Invest Millions in Facial Recognition
    posteo.de Email green, secure, simple and ad-free - posteo.de - British Government to Invest Millions in Facial Recognition


    > “It is completely absurd to inflict mass surveillance on the general public under the premise of fighting theft.”

    > It comes at a cost to the privacy and civil liberties of the people of Britain.

    1
  • Interesting article about SimpleX chat's security design/considerations

    I was kind of blown away to what length the developers go to ensure your communication is as safe/secure as possible (while still delivering a very useable app).

    0
  • The Tyranny of KYC – Simplified Privacy

    This is an interesting article for anyone trying to navigate the banking system and KYC rules that not only affect crypto but also the ACH fiat money transfer system.

    1
  • BusKill Warrant Canary #7 Published
    www.buskill.in BusKill Canary #7 - BusKill

    This post contains the cryptographically-signed BusKill warrant canary #007 for January 2023 to January 2024.


    This post contains a canary message that's cryptographically signed by the official BusKill PGP release key

    | [!BusKill Canary #007](https://www.buskill.in/canary-007/) |
    |:--:|
    | The BusKill project just published their Warrant Canary #007 |

    For more information about BusKill canaries, see:

    • <https://buskill.in/canary>

    ```
    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA512

    Status: All good
    Release: 2024-01-10
    Period: 2024-01-01 to 2024-06-01
    Expiry: 2024-06-30

    Statements
    ==========

    The BusKill Team who have digitally signed this file [1] state the following:

    1. The date of issue of this canary is January 10, 2024.

    2. The current BusKill Signing Key (2020.07) is

      E0AF FF57 DC00 FBE0 5635 8761 4AE2 1E19 36CE 786A

    3. We positively confirm, to the best of our knowledge, that the integrity of our systems are sound: all our infrastructure is in our control, we have not been compromised or suffered a data breach, we have not disclosed any private keys, we have not introduced any backdoors, and we have not been forced to modify our system to allow access or information leakage to a third party in any way.

    4. We plan to publish the next of these canary statements before the Expiry date listed above. Special note should be taken if no new canary is published by that time or if the list of statements changes without plausible explanation.

    Special announcements
    =====================

    None.

    Disclaimers and notes
    =====================

    This canary scheme is not infallible. Although signing the declaration makes it very difficult for a third party to produce arbitrary declarations, it does not prevent them from using force or other means, like blackmail or compromising the signers' laptops, to coerce us to produce false declarations.

    The news feeds quoted below (Proof of freshness) serves to demonstrate that this canary could not have been created prior to the date stated. It shows that a series of canaries was not created in advance.

    This declaration is merely a best effort and is provided without any guarantee or warranty. It is not legally binding in any way to anybody. None of the signers should be ever held legally responsible for any of the statements made here.

    Proof of freshness
    ==================

    09 Jan 24 17:35:23 UTC

    Source: DER SPIEGEL - International (https://www.spiegel.de/international/index.rss)
    Germany's Role in the Middle East: Foreign Minister Baerbock Sees an Opening for Mediation
    Assaults, Harassment and Beatings: Does the EU Share Blame for Police Violence in Tunisia?

    Source: NYT > World News (https://rss.nytimes.com/services/xml/rss/nyt/World.xml)
    Israel-Hamas War: Blinken Calls on Israel to Build Ties With Arab Nations
    Gabriel Attal Is France’s Youngest and First Openly Gay Prime Minister

    Source: BBC News - World (https://feeds.bbci.co.uk/news/world/rss.xml)
    2023 confirmed as world's hottest year on record
    Gabriel Attal: Macron's pick for PM is France's youngest at 34

    Source: Bitcoin Blockchain (https://blockchain.info/q/latesthash)
    00000000000000000001bfe1a00ed3f660b89016088487d6f180d01805d173a3

    ```

    To view all past canaries, see:

    • <https://www.buskill.in/category/Canary/>

    What is BusKill?

    BusKill is a laptop kill-cord. It's a USB cable with a magnetic breakaway that you attach to your body and connect to your computer.

    | [!What is BusKill? (Explainer Video)](https://www.buskill.in/#demo) |
    |:--:|
    | Watch the BusKill Explainer Video for more info youtube.com/v/qPwyoD_cQR4 |

    If the connection between you to your computer is severed, then your device will lock, shutdown, or shred its encryption keys -- thus keeping your encrypted data safe from thieves that steal your device.

    0
  • Digital Privacy at the U.S. Border: Protecting the Data On Your Devices
    www.eff.org Digital Privacy at the U.S. Border: Protecting the Data On Your Devices

    by Sophia Cope, Amul Kalia, Seth Schoen, and Adam Schwartz. Download the report as a PDF. EXECUTIVE SUMMARY: The U.S. government reported a five-fold increase in the number of electronic media searches at the border in a single year, from 4,764 in 2015 to 23,877 in 2016.[fn] Gillian Flaccus, Electronic.....


    > The right time to start protecting your digital privacy is before your trip […] The simplest and most reliable precaution against border searches is to reduce the amount of information that you carry across the border.

    ![image](https://monero.town/pictrs/image/21c08bef-3967-4445-b9d2-9f0354ac14b7.webp)

    ***

    > Sometimes law enforcement officials achieve so-called “consent” by being vague […] You can try to dispel this ambiguity by inquiring whether border agents are asking you or ordering you […] If an agent says it is a request only, you might politely but firmly decline to comply with the request.
    >
    > If you are a U.S. citizen, border agents cannot stop you from entering the country, even if you refuse to unlock your device, provide your device password, or disclose your social media information. However, agents may escalate the encounter if you refuse.
    >
    > If you elect to comply with a border agent’s order to unlock your device, provide your password, or disclose your social media information, you can inform the agent that you are complying under protest and that you do not consent.

    ***

    > It is possible that if you unlock your device, and agents then search your device, a court will rule that you consented to the search. […] As noted in Part 1, the best way to avoid an inadvertent “consent” to search is to decline to unlock your device, provide the device password, or provide any social media information.
    >
    > Technically, you don’t even need to admit that you know the password.
    >
    > If you believe that border agents violated your digital rights at the border, please contact EFF at borders@eff.org.

    ***

    See also:

    • https://www.eff.org/document/eff-border-search-pocket-guide
    • https://www.eff.org/issues/border-searches
    • https://monero.town/post/402125 Fifth Circuit says law enforcement doesn’t need warrants to search phones at the border
    0
  • Google addressed a new actively exploited Chrome zero-day
    securityaffairs.com Google addressed a new actively exploited Chrome zero-day

    Google has released emergency updates to address a new actively exploited zero-day vulnerability in the Chrome browser.


    > The fact that the issue was discovered by Google TAG suggests it was exploited by a nation-state actor or by a surveillance firm.
    >
    > As usual, Google did not publish details about the attacks exploiting the flaw in the wild.

    See also: https://www.cert.europa.eu/publications/security-advisories/2023-100/

    > This vulnerability also affects Chromium-based web browsers such as Microsoft Edge [3], Brave, Opera, and Vivaldi.

    0
  • By 2030 EU wants to provide all citizens with a “European Digital Identity Wallet” to be used for online shopping and more
    netzpolitik.org eIDAS-Reform: Schlagabtausch zwischen Forschenden und EU-Parlament

    A new EU regulation could enable state authorities to spy on the communications of all citizens, according to criticism from hundreds of scientists and dozens of NGOs. Members of the European Parliament are responding to this – and reveal their technical misunderstanding of the practice...


    > By 2030, the EU wants to provide all citizens with a “European Digital Identity Wallet” (ID wallet). It is intended to be used online and offline for administrative procedures and banking as well as medical visits, age verification, and internet shopping.

    (Translated from the German original.)

    The article (in German) is mostly about eIDAS 45. Cf. https://monero.town/post/1018961 (Last Chance to fix eIDAS: Secret EU law threatens Internet security)

    (There are many English articles about it; see e.g. https://mullvad.net/en/blog/eu-digital-identity-framework-eidas-another-kind-of-chat-control )

    Though not the main topic of the article, this “ID wallet” thing sounds disturbing. (EU politicians call a normal wallet an “unhosted wallet” and don’t like it very much.)

    1
  • Retroshare - P2P private, secure, and decentralized communication platform - forums, channels, chat, mail....

    Retroshare establishes encrypted connections between you and your friends to create a network of computers, and provides various distributed services on top of it: forums, channels, chat, mail... Retroshare is fully decentralized, and designed to provide maximum security and anonymity to its users beyond direct friends. Retroshare is entirely free and open-source software. It is available on Android, Linux, MacOS and Windows. There are no hidden costs, no ads and no terms of service.

    1
  • “Tutanota is a honeypot” during the court hearing: Tutanota retorts

    > A storefront, said Ortis, is a fake business or entity, either online or bricks-and-mortar, set up by police or intelligence agencies.
    >
    > The plan, he said, was to have criminals use the storefront — an online end-to-end encryption service called Tutanota — to allow authorities to collect intelligence about them.

    Tutanota (now Tuta) denies this: https://tuta.com/blog/tutanota-not-a-honeypot

    1
  • Last Chance to fix eIDAS: Secret EU law threatens Internet security
    last-chance-for-eidas.org Last Chance for eIDAS

    13 days before the first eIDAS vote, still no public text

    > These changes radically expand the capability of EU governments to surveil their citizens by ensuring cryptographic keys under government control can be used to intercept encrypted web traffic

    > This enables the government of any EU member state to issue website certificates for interception and surveillance

    https://www.internetsociety.org/resources/doc/2023/qualified-web-authentication-certificates-qwacs-in-eidas/

    > The browser ecosystem is global, not EU-bounded. Once a mechanism like QWACs is implemented in browsers, it is open to abuse

    https://en.wikipedia.org/wiki/EIDAS

    > The proposal would force internet companies to place a backdoor in web browsers to let them perform a man-in-the-middle attack, deceiving users into thinking that they were communicating with a server they requested, when, in fact, they would be communicating directly with the EU government. […] If passed, the EU would be able to hack into any internet-enabled device, reading any sensitive or encrypted contents without the user's knowledge

    See also: https://mullvad.net/en/blog/2023/11/2/eu-digital-identity-framework-eidas-another-kind-of-chat-control/

    1
  • Free Cock.li Email to Reopen New Registration on Nov 20, 2023

    [Edit 2: Read the admin’s “reasoning” and comments here or see PS below. The clearnet site is up again. The onion versions = 100% up time for me]

    [Edit: As of writing this (2023-11-01) their clearnet server is down, while the onion version is working. Cock.li is exactly like this… Relatively rarely but randomly it’s down. Kind of irresponsible but it’s just like that. Interestingly, though, onion is up and clearnet is down. Usually opposite.]

    Onion http://rurcblzhmdk22kttfkel2zduhyu3r6to7knyc7wiorzrx5gw4c3lftad.onion/

    Cockbox on kycnot.me - https://kycnot.me/service/cockbox (“Too bad it costs $9 to send BTC. Bring Monero.”)

    (From their webpage)

    > Cock.li is your go-to solution for professional E-mail and XMPP addresses. Since 2013 cock.li has provided stable E-mail services to an ever-increasing number of users. Cock.li allows registration and usage using Tor and other privacy services (proxies, VPNs) and thanks to continued funding by its users is certain to stay free forever.

    Cock.li (aka Cockmail) is a Tor-friendly, privacy-focused, soon-to-be-10-year-old free email provider (IMAP, POP, XMPP, Webmail). Although currently (since around 2021) a new registration is invite-only, the admin @vc now states on their website:


    > E-mail is a Human Right!
    >
    > Oppressive governments are using dirty tricks to try and force e-mail providers to require phone numbers or other controlled integrations to register. We will never allow these crimes against our userbase. We will stand up for the right to register for e-mail without being surveilled, and demand this right to be recognized globally. Public registration re-opens on cock.li's 10th birthday, 20 November.

    Probably people here know this service pretty well, but some important points:

    • Their email addresses are sometimes blacklisted when you want to use them, because in the past the service was abused by spammers. So this provider may not be suitable for normal users/normal usage. Its “technical scores” may be low too, when checked e.g. via https://internet.nl/mail/. If you think this is sketchy and its name is weird, it is. It’s not for you, so please just ignore it.

    • A cock.li account may be great to have if you want to sign up and use it anonymously always via onion (something you can’t do with Proton or Tutanota), perhaps with PGP. Maybe great to use on Tails OS too.

    • Their service was not very stable in the past. In recent years, it’s been rather stable and very fast even via onion. Pop/Imap via Tor works perfectly. Cock.li onion may load 100 times faster than that of Proton.

    • Custom domains are not supported! Consider Disroot or Tutanota if you need them and would like to pay with Monero.

    • They are one of the earliest v3 onion providers. In contrast, Proton was so slow to migrate from v2 to v3 (even after v2 got obsolete). Cock.li is also one of the oldest mail providers that started accepting BTC and XMR donations. So probably they’re extremely well-funded (you know why).

    • If you use Thunderbird, set up your account manually (its automatic setup probably doesn’t work right).

    For more info, visit their webpage. Please DO NOT abuse this based cypherpunk service.

    ***

    PS. Vincent Canfield (vc@shitposter.club) wrote on September 23, 2023:

    > Good morning, CISA is now calling cock.li a "Malicious E-mail Domain" and implies this is because it's not "publicly available". So, cock.li will once again open to the public on its 10th birthday, 20 November. #StopRansomware
    >
    > https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-263a
    >
    > For those who don't remember, a previous CISA advisory which recommended "service providers strengthen their user validation and verification systems to prohibit misuse of their services" shortly predated cock.li going invite only.
    >
    > https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-116a
    >
    > I'm sure if cock.li added phone number verification these joint statements would go away. Everyone sees what's happening, you want to force all providers to link to identities so you can surveil people. Cock.li is never adding that bullshit.

    2
  • Let's stop the EU chat control! [Most of your friends have never heard of Chat Control]
    stopchatcontrol.eu LET'S STOP THE CHAT CONTROL TOGETHER

    With the help of our Large Language Models we will support you in order to put pressure on the policy makers to stop the chat control proposal that contradicts our fundamental rights.

    LET'S STOP THE CHAT CONTROL TOGETHER

    > 1️⃣ Completely normal photos, such as holiday pictures 🏞️ are considered suspicious.

    > 2️⃣ So our private family photos or the chats and pictures from your sexting yesterday 🍑🍆 also end up on an official table. So we can throw privacy in the bin 🚮

    > Chances are high that most of your European friends have never heard of chat control. So let them know about the danger and what you think about the chat control proposal.

    > “The European Commission launched an attack on our civil rights with chat control. I contacted my local MEP to tell him that I oppose the proposal. You can do so too! This Website I found will help you write an e-mail to an MEP using A.I.”

    4
  • KYC? No, thanks | KYCNOT.me Blog
    blog.kycnot.me KYC? No, thanks

    KYC regulations, intended to combat illicit financial activities, inadvertently compromise individual privacy, security, and freedom.

    KYC? No, thanks

    > exchanges may randomly use this to freeze and block funds from users, claiming these were "flagged" […]. You are left hostage to their arbitrary decision […]. If you choose to sidestep their invasive process, they might just hold onto your funds indefinitely.

    > The criminals are using stolen identities from companies that gathered them thanks to these very same regulations that were supposed to combat them.

    > KYC does not protect individuals; rather, it's a threat to our privacy, freedom, security and integrity.

    • For individuals in areas with poor record-keeping, […] homeless or transient, obtaining these documents can be challenging, if not impossible.

    PS: Spanish speakers: KYC? NO PARA MÍ

    1
  • ‘Who Benefits?’ Inside the EU’s Fight over Scanning for Child Sex Content [⚠Behind Cloudflare, See Text]

    Cloudflare-free link for Tor/Tails users: https://web.archive.org/web/20230926042518/https://balkaninsight.com/2023/09/25/who-benefits-inside-the-eus-fight-over-scanning-for-child-sex-content/

    > It would introduce a complex legal architecture reliant on AI tools for detecting images, videos and speech – so-called ‘client-side scanning’ – containing sexual abuse against minors and attempts to groom children.

    > If the regulation undermines encryption, it risks introducing new vulnerabilities, critics argue. “Who will benefit from the legislation?” Gerkens asked. “Not the children.”

    > Groups like Thorn use everything they can to put this legislation forward, not just because they feel that this is the way forward to combat child sexual abuse, but also because they have a commercial interest in doing so.

    > they are self-interested in promoting child exploitation as a problem that happens “online,” and then proposing quick (and profitable) technical solutions as a remedy to what is in reality a deep social and cultural problem. (…) I don’t think governments understand just how expensive and fallible these systems are

    > the regulation has […] been met with alarm from privacy advocates and tech specialists who say it will unleash a massive new surveillance system and threaten the use of end-to-end encryption, currently the ultimate way to secure digital communications

    > A Dutch government official, speaking on condition of anonymity, said: “The Netherlands has serious concerns with regard to the current proposals to detect unknown CSAM and address grooming, as current technologies lead to a high number of false positives.” “The resulting infringement of fundamental rights is not proportionate.”

    1
  • Signal Just Published Post Quantum E2E Encryption
    odysee.com Signal Just Published Post Quantum E2E Encryption

    In this video I discuss how the Signal foundation developed PQXDH (Post-Quantum Extended Diffie-Hellman), an encryption algorithm that is hardened against quantum computer cracking, and how this protocol...

    Signal Just Published Post Quantum E2E Encryption
    0
  • Today The UK Parliament Undermined The Privacy, Security, And Freedom Of All Internet Users
    www.eff.org Today The UK Parliament Undermined The Privacy, Security, And Freedom Of All Internet Users

    The U.K. Parliament has passed the Online Safety Bill (OSB), which says it will make the U.K. “the safest place” in the world to be online. In reality, the OSB will lead to a much more censored, locked-down internet for British users. The bill could empower the government to undermine not just the p...

    Today The UK Parliament Undermined The Privacy, Security, And Freedom Of All Internet Users

    > As enacted, the OSB allows the government to force companies to build technology that can scan regardless of encryption–in other words, build a backdoor.

    > Paradoxically, U.K. lawmakers have created these new risks in the name of online safety.

    > The U.K. government has made some recent statements indicating that it actually realizes that getting around end-to-end encryption isn’t compatible with protecting user privacy. But

    > The problem is, in the U.K. as in the U.S., people do not agree about what type of content is harmful for kids. Putting that decision in the hands of government regulators will lead to politicized censorship decisions.

    > The OSB will also lead to harmful age-verification systems. This violates fundamental principles about anonymous and simple access

    See also: Britain Admits Defeat in Controversial Fight to Break Encryption

    1
  • Fifth Circuit says law enforcement doesn’t need warrants to search phones at the border
    www.techdirt.com Fifth Circuit Says Law Enforcement Doesn’t Need Warrants To Search Phones At The Border

    In 2014, the Supreme Court made it clear: phone searches require warrants. While it did note the case involved a search “incident to an arrest,” the precedent was undeniable. If a phone…

    Fifth Circuit Says Law Enforcement Doesn’t Need Warrants To Search Phones At The Border
    0
  • Sign our petition to stop France from forcing browsers like Mozilla's Firefox to censor websites
    foundation.mozilla.org Sign our petition to stop France from forcing browsers like Mozilla's Firefox to censor websites

    The French government is considering a law that would require web browsers – like Mozilla's Firefox – to block websites chosen by the government.

    Sign our petition to stop France from forcing browsers like Mozilla's Firefox to censor websites

    > In a well-intentioned yet dangerous move to fight online fraud, France is on the verge of forcing browsers to create a dystopian technical capability. Article 6 (para II and III) of the SREN [sécuriser et réguler l'espace numérique] Bill would force browser providers to create the means to mandatorily block websites present on a government provided list.

    --France’s browser-based website blocking proposal will set a disastrous precedent for the open internet

    [Unfortunately one should no longer trust Mozilla itself as much as one did 10 years ago. If you do sign, you might want to use a fake name and a disposable email address.]

    This bill is obviously disturbing. It could be that eventually they assume that .onion sites are all suspicious and block them, or something similar might happen, which would be bad news for privacy-oriented users including Monero users, for freedom of thought, and for freedom of speech itself. Note that the EU is going to ban anonymous domains too (in NIS2, Article 28).

    For a regular end user, if something like this happens and if the block is domain-name-based, then one quick workaround would be using web.archive.org (or Wayback Classic), or ANONYM ÖFFNEN of metager.de (both work without JS). If this is France-specific, of course a French user could just get a clean browser from a free country too (perhaps LibreWolf or Tor Browser, or even Tails), provided that using a non-government-approved browser is not outlawed.

    Mozilla, financially supported by Google, states that Google Safe Browsing is a better solution than SREN, but that too has essentially similar problems and privacy implications; especially Gmail's Enhanced Safe Browsing is yet another real-time tracking (although, those who are using Gmail have no privacy to begin with, anyway).

    If it's DNS-level blocking, you can just use a better DNS rather than one provided by your local ISP, or perhaps just use Tor Browser. Even if it's browser-side, as long as it's open-source, technically you're free to modify source code and re-compile it yourself, but that may not be easy even for a programmer, since a browser is complicated, with a lot of dependencies; security- and cryptography-related minor details tend to be extremely subtle (just because it compiles doesn't mean it's safe to use), especially given that Firefox/Thunderbird themselves really love to phone home behind the user's back.

    See also: Will Browsers Be Required By Law To Stop You From Visiting Infringing Sites?

    3
  • How To Make Private Transactions; Why It's Crucial (Monero mentioned!)
    yewtu.be Banks Are SELLING Your Financial Data!

    Financial privacy is essential for a free society, because it allows us to support causes we believe in without fear of retribution, to flee dangerous situations without being tracked, to live our daily lives without feeling like every choice we make is on display and needs to be self-censored. How...

    Banks Are SELLING Your Financial Data!
    1
  • File sharing site Anonfiles shuts down due to overwhelming abuse
    www.bleepingcomputer.com File sharing site Anonfiles shuts down due to overwhelming abuse

    Anonfiles, a popular service for sharing files anonymously, has shut down after saying it can no longer deal with the overwhelming abuse by its users.

    File sharing site Anonfiles shuts down due to overwhelming abuse
    0
  • sms-activate.org now requires email verification - any alternatives?

    In the past I’ve recommended sms-activate for easy, quick and low cost phone verification. When you want to log in, they now force you to click on a verification link sent by email, meaning you are f’ed if you used a single-use email address.

    Are there any alternative options that accept monero and don’t have this restriction?

    0
  • Tor Defends Users’ Right to Privacy and an Uncensored Web With Encrypted Network

    > Having free and open-source tools and a decentralized way of fighting back and reclaiming some of that power is very important. Because if we don’t resist, we’re subject to what somebody else does to us

    While Tor is useful in several situations, probably we shouldn't believe in it blindly. For clearnet, LibreWolf is a great option too, and I2P might be the future.

    0
  • Searching for a Privacy-Focused VPN

    Hello, fellow privacy enthusiasts!

    I've been on a journey to find a VPN provider that aligns with my privacy values, and I wanted to share my experiences and concerns here, hoping for some insights and recommendations.

    Primary Criteria:

    • Outside of the 14 Eyes: Ideally, I'd prefer a provider outside of the 14 Eyes intelligence-sharing countries.

    • Accepts Monero: Given it's the only real privacy coin there is, I'm keen on providers that accept Monero as a payment method.

    • I need port forwarding for the services I host.

    Current Options: I've considered Mullvad and IVPN, both of which I trust for their privacy focus. However, they recently disabled their port forwarding support, which I need since I host services from home. SPN by Safing sounds really interesting too but they also do not offer port forwarding sadly.

    ProtonVPN seemed like a close alternative, but I've come across several red flags:

    • Logging Concerns: ProtonMail, under the same parent company, provided IP logs in response to a Swiss court order. This contradicts ProtonVPN's claim on their website that "we can’t be obligated to start logging" under Swiss law.

    • Use of Google Analytics: Despite being a privacy-focused service, ProtonMail has used Google Analytics on their website, raising questions about their commitment to user privacy.

    • No Monero Support: Proton has not added Monero as a payment option, despite numerous requests from the community over the years.

    Seeking Recommendations: Given the above, I'm reaching out for advice. Are there any VPN providers you'd recommend that fit my primary criteria? Or any insights into the concerns I've raised about ProtonVPN?

    Thanks in advance for your help!

    1
  • PSA: Intel Graphics Drivers Now Collect Telemetry By Default
    www.techpowerup.com PSA: Intel Graphics Drivers Now Collect Telemetry (after Opt-In)

    The latest version of Intel Arc GPU Graphics Software introduced an interesting change that isn't reflected in the Release Notes. The installer of the 101.4578 beta drivers add a "Compute Improvement Program" (CIP) component as part of the "typical" setup option that is enabled by default. Under the...

    PSA: Intel Graphics Drivers Now Collect Telemetry (after Opt-In)
    0
  • The U.K. Government Is Very Close To Eroding Encryption Worldwide
    www.eff.org The U.K. Government Is Very Close To Eroding Encryption Worldwide

    The U.K. Parliament is pushing ahead with a sprawling internet regulation bill that will, among other things, undermine the privacy of people around the world. The Online Safety Bill, now at the final stage before passage in the House of Lords, gives the British government the ability to force backd...

    The U.K. Government Is Very Close To Eroding Encryption Worldwide

    >The Online Safety Bill, now at the final stage before passage in the House of Lords, gives the British government the ability to force backdoors into messaging services, which will destroy end-to-end encryption.

    >Requiring government-approved software in peoples’ messaging services is an awful precedent. If the Online Safety Bill becomes British law, the damage it causes won’t stop at the borders of the U.K.

    Random thoughts...

    Even if platform-assisted end-to-end encryption (pseudo e2e) is censored, perhaps we could still use true user-to-user encryption. If "end" means the messenger software itself or a platform endpoint, then the following will be true e2e - "pre-end" to "post-end" encryption:

    1. Alice and Bob exchange their public keys. While using a secure channel for this is ideal, a monitored channel (e.g. a normal message app) is okay too for the time being.
    2. Alice prepares her plain text message locally: Alice.txt
    3. She does `gpg -sea -r Bob -o ascii.txt Alice.txt`
    4. Alice opens ascii.txt, pastes the ascii string in it into her messenger, and sends it to Bob as usual.
    5. So Bob gets this ascii-armored GPG message, and saves it as ascii.txt
    6. `gpg -d -o Alice.txt ascii.txt`, and he has the original Alice.txt
    7. He types his reply locally (not directly on the messenger): Bob.txt
    8. `gpg -sea -r Alice -o ascii.txt Bob.txt` and sends back the new ascii string
    9. Alice gets it, so she does `gpg -d -o Bob.txt ascii.txt` to read Bob.txt

    In theory, scanning by government-approved software can't detect anything here: Alice and Bob are simply exchanging harmless ascii strings. Binary files like photos can be ascii-armored too.

    Admittedly this will be inconvenient, as you'll have to call gpg manually by yourself. But this way you don't need to trust government-approved software at all, because encryption/decryption will be done by yourself, before and after the ascii string goes through the insecure (monitored) channel.

    0
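    The Alice/Bob procedure described in the post above, run end to end as an added example (this is not code from the original post). Two throwaway GNUPGHOME directories stand in for the two computers, and a third ("Eve") plays the monitored channel. It goes slightly beyond the post's nine steps in two ways a practitioner will want: the public-key exchange in step 1 is followed by an explicit fingerprint comparison and a local signature (without that, a monitored channel can substitute its own key for Alice's, and `--batch` encryption refuses an unverified key anyway), and the receiver does not just decrypt but checks the `--status-fd` output for a GOODSIG from the expected sender, so a message encrypted to Bob by someone else is rejected. Assumptions: GnuPG 2.x is on PATH; the names, `example.invalid` addresses, and message texts are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: the Alice <-> Bob gpg exchange with
# one throwaway keyring per party. Assumes GnuPG 2.x; all names/addresses are made up.
set -eu

WORK=$(mktemp -d)
ALICE="$WORK/alice"; BOB="$WORK/bob"; EVE="$WORK/eve"
ALICE_MAIL=alice@example.invalid; BOB_MAIL=bob@example.invalid; EVE_MAIL=eve@example.invalid
mkdir -p "$ALICE" "$BOB" "$EVE"; chmod 700 "$ALICE" "$BOB" "$EVE"
cleanup() { for h in "$ALICE" "$BOB" "$EVE"; do gpgconf --homedir "$h" --kill all 2>/dev/null || true; done; rm -rf "$WORK"; }
trap cleanup EXIT

# Every call is --batch so gpg never prompts (no pinentry, no TTY needed).
gpg_as() { _home=$1; shift; gpg --batch --quiet --homedir "$_home" "$@"; }

# Step 0: passphrase-less demo keys (RSA 2048 keeps generation quick; a real
# key gets a passphrase and preferably lives on a hardware token).
gen_key() {  # gen_key <home> <name> <mail>
  cat > "$1/params" <<EOF
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: $2
Name-Email: $3
Expire-Date: 0
%commit
EOF
  gpg_as "$1" --gen-key "$1/params"
}

fpr_of() {  # fpr_of <home> <mail>: primary-key fingerprint as seen from that keyring
  gpg_as "$1" --with-colons --list-keys "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 1: exchange public keys. The channel may be watched, so the fingerprint
# is what has to be compared out of band; otherwise whoever runs the channel can
# hand Bob his own key in Alice's name. Only after the fingerprints match does
# each side locally sign (lsign) the other's key, which is also what lets
# --batch encryption proceed without a "no assurance this key belongs to" error.
exchange_keys() {
  gpg_as "$ALICE" --export --armor "$ALICE_MAIL" > "$WORK/alice.pub"
  gpg_as "$BOB"   --export --armor "$BOB_MAIL"   > "$WORK/bob.pub"
  gpg_as "$ALICE" --import "$WORK/bob.pub"
  gpg_as "$BOB"   --import "$WORK/alice.pub"
  [ "$(fpr_of "$BOB" "$ALICE_MAIL")" = "$(fpr_of "$ALICE" "$ALICE_MAIL")" ] || return 1
  [ "$(fpr_of "$ALICE" "$BOB_MAIL")" = "$(fpr_of "$BOB" "$BOB_MAIL")" ] || return 1
  gpg_as "$ALICE" --yes --quick-lsign-key "$(fpr_of "$ALICE" "$BOB_MAIL")"
  gpg_as "$BOB"   --yes --quick-lsign-key "$(fpr_of "$BOB" "$ALICE_MAIL")"
}

# Steps 2-4, sender side: sign + encrypt + ASCII-armor (-sea), giving text
# that pastes into any messenger.
send_msg() {  # send_msg <home> <recipient mail> <plaintext> <armored out> [extra gpg flags]
  _h=$1; _to=$2; _in=$3; _out=$4; shift 4
  gpg_as "$_h" "$@" -sea -r "$_to" -o "$_out" "$_in"
}

# Steps 5-6, receiver side: decrypt, then insist on a GOODSIG from the expected
# sender. gpg will decrypt an unsigned or foreign-signed message just as well,
# so this check on the --status-fd output is what stops impersonation.
receive_msg() {  # receive_msg <home> <expected sender mail> <armored in> <plaintext out>
  _status=$(gpg_as "$1" --status-fd 1 -d -o "$4" "$3") || true
  printf '%s\n' "$_status" | grep -q "GOODSIG .*<$2>"
}

main() {
  gen_key "$ALICE" Alice "$ALICE_MAIL"
  gen_key "$BOB"   Bob   "$BOB_MAIL"
  gen_key "$EVE"   Eve   "$EVE_MAIL"
  exchange_keys

  printf 'Hello Bob, this is the plaintext Alice wrote locally.\n' > "$WORK/Alice.txt"
  send_msg "$ALICE" "$BOB_MAIL" "$WORK/Alice.txt" "$WORK/ascii.txt"
  ARMOR_HEADER=$(head -n 1 "$WORK/ascii.txt")   # all the messenger (or a scanner in it) sees
  receive_msg "$BOB" "$ALICE_MAIL" "$WORK/ascii.txt" "$WORK/Alice-at-Bob.txt"
  RECEIVED=$(cat "$WORK/Alice-at-Bob.txt")

  # The monitored channel (Eve) holds Bob's public key and can encrypt to him,
  # but cannot sign as Alice; Bob's side must reject that message.
  gpg_as "$EVE" --import "$WORK/bob.pub"
  printf 'Hi Bob, send me your keys, love Alice\n' > "$WORK/Eve.txt"
  send_msg "$EVE" "$BOB_MAIL" "$WORK/Eve.txt" "$WORK/forged.txt" --trust-model always
  if receive_msg "$BOB" "$ALICE_MAIL" "$WORK/forged.txt" "$WORK/forged-at-Bob.txt"
  then FORGERY_REJECTED=no; else FORGERY_REJECTED=yes; fi

  echo "armor header:     $ARMOR_HEADER"
  echo "Bob read:         $RECEIVED"
  echo "forgery rejected: $FORGERY_REJECTED"
}
main
```

    What crosses the channel is only the `-----BEGIN PGP MESSAGE-----` armor; the plaintext exists solely in Alice.txt and the file Bob writes with `-d`. That covers the transport and the platform, which is the post's threat model; a scanner running on the device itself rather than inside the messenger would still see the plaintext files, so on a shared or managed machine the same trick does not help.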