#Jakegate Becomes #Torgate

Since things seem to be falling apart at the Tor Project, and also in the campaign against Jacob Appelbaum (@ioerror), I’m beginning a list (for my own convenience) of leaked documents. They tell quite a different story from the highly organized smear campaign that has been dominating news reports, the blogosphere, and teh Twitterz.

These documents are anonymously created and/or leaked primary sources that journalists mostly won’t touch. They should, of course, be read in the context of the many related public statements with names attached to them. Those are readily available elsewhere, as are the anonymously operated website http://jacobappelbaum.net and the anonymous Twitter account @VictimsOfJake (aka @TimeToDieJake). This archive only deals with the scurrilous shadow campaign that is being waged around Tor.

[Most recently updated: Sun Jul 17 15:52:11 PDT 2016]

Leaked 17 July 2016
Reaction on tor-internal list to defection of bridge directory operator
https://cryptome.org/2016/07/lucky-green-shuts-tor-tonga.htm
http://pastebin.com/w5WFMBXg
Archived: PDF

Publicized 16 July 2016
Trusted operator of critical Tor infrastructure quits over treatment of Jacob Appelbaum
https://trac.torproject.org/projects/tor/ticket/19690
Archived: TXT

Leaked 28 June 2016
David Chasteen timeline at Tor
https://cryptome.org/2016/06/david-chasteen-tor-timeline.pdf
Archived: PDF

Leaked 28 June 2016
David Chasteen biography
https://twitter.com/Cryptomeorg/status/747771009185480705
http://iava.org/people/david-chasteen/

Archived: Internet Archive

Leaked 27 June 2016; dated 2 June 2016
Dingledine letter
https://0bin.net/paste/3hEqvnX7aW0UYe4E#qFJM18pzh+LKfDeU8aCfykHPCEaFDd327UAULydBQ4R
https://cryptome.org/2016/06/dingledine-appelbaum-16-0602.pdf
https://twitter.com/Sanguinarious/status/747467497259958272
https://twitter.com/Sanguinarious/status/747469195554652161
Archived: PDF TXT

Publicized 27 June 2016
Anonymous rebuttal of “Background” document
https://twitter.com/Cryptomeorg/status/747463244323889152
https://0bin.net/paste/YHu4ba-vkJ+8hsbB#RI8qkNohpo1tTT4x+XuBuDUYvCqtz3i1TSZKXFbfsmZ [original expired]
Archived: ODT TXT

Publicized 26 June 2016; created 29 August 2015
Chat log: Internal debate about hiring a CIA-contractor to lead Tor Project
http://pastebin.com/WPAmqkW8
Archived: ODT TXT

Leaked 9 June 2016; dated 18 march 2015
Appelbaum suspension letter from Tor (2015)
https://cryptome.org/2016/06/appelbaum-suspension-2015.pdf
Archived: PDF

Leaked 8 June 2016; dated 27 May 2016
Tor/Appelbaum separation agreement (never executed)
https://cryptome.org/2016/06/tor-appelbaum-separation.pdf
Archived: PDF

Posted in Computing, Foolishness, Politics, The Surveillance State | 5 Comments

My Broken Novena Front-Panel Board

Here is a healthy board with a ribbon connector attached to it. The socket I broke on the other board is identified by the arrow.
connector

This shows the damaged board, with the socket missing and the solder visible.
damaged_board

Posted in Computing | 3 Comments

That Moment When the [Secret] Police Take an Interest in You

The Seattle Police Department and the Postal Service (I am not making this up) recently raided my home to search for digital contraband. There was none, so eventually they went away. Whether it was the Tor exit relay, or the annoying association with the Seattle Privacy Coalition, or my shadowy connections with international persons of mystery and intrigue, I got the impression they don’t like me.

The last time I had this impression was 28 years ago in the German Democratic Republic. The secret police, it turned out, opened a file on me along with the other Fulbrighters. I never got raided, but I did get spied on. Later I got hold of the file: The shortest and most boring Stasi file in East German history.

Cover materials from the Gauck Behörde (1)
Cover materials from the Gauck Behorde

Cover materials from the Gauck Behörde (2)
Cover materials from the Gauck Behoerde

Cover materials from the Gauck Behörde (3)
Cover materials from the Gauck Behoerde

Cover materials from the Gauck Behörde (4)
Cover materials from the Gauck Behoerde

Cover materials from the Gauck Behörde (5)
Cover materials from the Gauck Behoerde

Stasi file (1)
Stasi file P. 1

Stasi File (2)
Stasi file P. 2

Posted in Communism, Fascism, Seattle, The Surveillance State | 1 Comment

Please take me, Lord

[Updated 27 Feb. 2016]

Documentation for installing the Roundcube webmail client on my Debian system was horrible. This is the more ridiculous because it turned out to be extremely simple (by Linux sysadmin standards).

  1. Install the packages roundcube, roundcube-core, roundcube-mysql, and roundcube-plugins.
  2. If configuration doesn’t kick off automatically (it didn’t for me), run
    dpkg-reconfigure roundcube-core

    Provide the requested configuration data for the IMAP server and MySQL. (Notice something missing here? See Step 6.)

  3. I was not told this, but the Apache configuration was 99.9% completed by the install scripts. All that remained was to navigate to /etc/apache2/conf-available/, open roundcube.conf, and uncomment the alias line near the top of the file.
  4. Restart Apache.
  5. Open the client at https://www.1helloworld!.com/roundcube. The dialog asks for IMAP user name, IMAP password, and IMAP server.
  6. Unfortunately, it DOES NOT ask for the SMTP server and its login information. To supply that, edit /etc/roundcube/config.inc.php. What IS this bullshit? Either script it or point me to instructions. Hunting through the forums and grepping around in /etc is NOT acceptable.
  7. SSL/TLS now works on remote Courier IMAP and STARTTLS now works on remote Exim4. Thanks. Roundcube has a very pretty interface.
  8. I am too old for this.
  9. FOOTNOTE: Why is trac.roundcube.net utterly messed up, that is to say, not consistently accessible via Google search results? Why? WHY?
  10. I am not done complaining.
  11. http://trac.roundcube.net/wiki/Dev_Encryption — much guffing about not trusting the server as a repository for keys, but in my case I on the server. Just shoot me now, again.

[UPDATE 27 Feb. 2016]

12. The initial login screen (with no default login server declared yet, so you are prompted for it) is a more reliable way to set the server correctly than to do it by hand. However, the only way to REset it this way is the remove the previously submitted setting manually from the config file. One struggles in vain to find the screen one remembers solely via the UI.

13. Plugins — what a mess.

14. Debian packages — what a mess (see #13). There is no correlation between any two of the following:

  • Information in Debian Stretch (testing)  /usr/share/doc/roundcube*
  • The names of the distro’s actual config files and the variable names contained in them (in reference to plugins at least)
  • Information in http://trac.roundcube.net/wiki/Plugin_Repository
  • The status message in running Roundcube under “About”, which lists several allegedly activated plugins

What is the meaning of this? According to “About,” the following plugins are active:

archive 2.3 GPLv3+
filesystem_attachments 1.0 GPLv3+
jqueryui 1.10.4 GPLv3+
zipdownload 3.0 GPLv3+

In fact, none appear to be. However, two interesting errors are appearing in /var/log/roundcube/errors:

[27-Feb-2016 15:40:10 -0800]: <vdbtquql> PHP Error: Failed to load config from /var/lib/roundcube/plugins/zipdownload/config.inc.php in /usr/share/roundcube/program/lib/Roundcube/rcube_plugin.php on line 157 (POST /roundcube/?_task=mail&_action=refresh?_task=&_action=)

and

[27-Feb-2016 15:43:00 -0800]: <vdbtquql> PHP Error: Failed to load config from /var/lib/roundcube/plugins/jqueryui/config.inc.php in /usr/share/roundcube/program/lib/Roundcube/rcube_plugin.php on line 157 (GET /roundcube/?_task=mail&_mbox=INBOX)

Only those two, without word on archive or filesystem_attachments, but it’s a start. The rcube_plugin.php file contains an abstract class extended by all plugins. When loaded, a plugin calls its config file, which it expects to find in /var/lib/roundcube/plugins/<plugin_name>/config.inc.php. In the Debian arrangement, however, the /var/lib/roundcube/plugins/<plugin_name>/ directory contains only a config.inc.php.distro file (a sample config) and a link to the proper config file at /etc/roundcube/plugins/<plugin_name>/config.inc.php. Thus there are three quasi-parallel Roundcube directories, under /etc/, /usr/, and /var/; the actual code is under /usr/, with /var/ containing configuration files except that it doesn’t. You are apparently expected to copy *.distro into /etc/… and leave the link arrangement in place, which means that either Roundcube or the Debian package owner decided to route us through two links to get to the config file.

After the two error-producing plugins have been configured via /etc/, the errors stop, but nothing changes in the behavior of Roundcube, though it’s possible I haven’t correctly triggered them as yet. There is still no clue about those other two plugins (neither of which is even present in the /usr/ tree).

Unsurprisingly, configuring a completely new plugin, enigma, also results in absolutely no effect. Opening a compose window, where you might expect to see the plugin’s effects, doesn’t trigger anything.

Configuring *all* of the available plugins (those at least that included a config.inc.php file) also failed to have any effect.

[UPDATE 28 Feb. 2016]

I had forgotten to add the plugins to the plugins array in /etc/roundcube/config.inc.php:

// List of active plugins (in plugins/ directory)
$config['plugins'] = array( 
'archive',
'acl',
'additional_message_headers', 
'archive', 
'autologon',
'database_attachments', 
'enigma',
'help',
'http_authentication', 
'jqueryui',
'managesieve', 
'newmail_notifier', 
'new_user_identity',
'zipdownload', 
);

Not all of them show signs of working, but some do. Now it’s a matter of per-plugin configuration, most likely.

[UPDATE 1 March 2016]

The nightmare continues, now via manual install from source. A missing library makes it more interesting:

root@paoha:/home/httpd/html/roundcubemail/installer# pear install Net_IDNA2
 Failed to download pear/Net_IDNA2 within preferred state "stable", latest release is version 0.1.1, stability "beta", use "channel://pear.php.net/Net_IDNA2-0.1.1" to install
 install failed
 root@paoha:/home/httpd/html/roundcubemail/installer# pear install channel://pear.php.net/Net_IDNA2-0.1.1
 downloading Net_IDNA2-0.1.1.tgz ...
 Starting to download Net_IDNA2-0.1.1.tgz (24,428 bytes)
 ........done: 24,428 bytes
 install ok: channel://pear.php.net/Net_IDNA2-0.1.1
Posted in Computing, Disasters, Foolishness, Linux | 1 Comment

“State-sponsored actors” take an interest in my Twitter account

It’s good to know people care.

shot-2015-12-11_16-51-45

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

This was part of a burst of similar messages:

http://motherboard.vice.com/read/twitter-told-a-bunch-of-users-they-may-be-targets-of-a-state-sponsored-attack

http://www.techinsider.io/twitter-state-sponsored-2015-12

http://www.theverge.com/2015/12/12/9931178/twitter-state-sponsored-attack

https://netzpolitik.org/2015/tor-und-twitter-du-wirst-staatlich-gehackt-weil-sie-es-koennen/

Why is the German site the only one with HTTPS?

UPDATE

Here is an example of the German version of the notice (courtesy of https://cdn.netzpolitik.org):

twitter-d

Posted in Computing | Leave a comment