Remailer Lists, The Crypto Project, and Len

From: Sir Valiance
Date: 2011-07-07 @ 09:37

Hi Everyone,

As I am sure most have heard, it is so very sad to have lost Len Sassaman.
I cannot think of a better way to honor the man and his work than to try 
and continue it.  I really admired Len and his work and lost one of my 
heroes. 

It is great to hear that Lance Cottrell is back and would like to begin 
working on remailers again.  In response to Tom Ritter, I agree that the 
fragmentation of mailing lists is an issue, especially since most are 
fairly low traffic.  I don't know if ending this list just yet is the 
right approach (depends on what everyone else thinks).  I have double 
checked my subscriptions to the lists that Tom had posted.

A few weeks back I started working on an idea for a non-profit 
organization called "The Crypto Project"; the proposal for the idea 
can be found at http://crypto.is/  (mind you, this site was just an initial
skeleton of an idea to show individuals who I was asking to be a director 
to the non-profit).  I hammered the site out over a ~24 hour period, so 
please think of the text as mostly filler for the design.

The idea for the project is to create a non-profit that supports 
cypherpunk research, development, and the running of servers 
(remailers, tor exit nodes, nymservers, etc). I created the site and sent
emails to Zooko, Patrick McDonald, and Len Sassaman asking their thoughts 
on the idea and if they would like to become Directors to the non-profit.
Zooko replied with his thoughts but would wait on making a decision, 
Patrick expressed interest in the project, and Len's response from Twitter
was this:

> Read it; need time to form a serious reply. In short, I like the idea, 
> and actually called for something like this a few years back. Would have 
> to be careful to avoid failing the way CryptoRights Foundation did, though.
> Might talk to the Tor Project folks about their experiences running a 
> successful 501c3 in this area; also, the Privaterra folks? But yeah, really
> I'd like to see an independent institute for PETS research, kind of like a
> formal version of what FreeHaven became. If you do it right...

I think Len's response nailed the idea I had in mind.  I was starting to 
have second thoughts on the project until Len's death.  I have now decided
to move forward again with it and will be looking for more individuals to 
become directors to get the project off the ground.  Since Len can no 
longer become a director, I will dedicate the project to the memory of 
him. 

Part of the idea behind The Crypto Project is to revive the mailing lists 
and Cypherpunk movement.  By doing this, hopefully that will solve the 
list fragmentation issue.  I recently took the code that this list runs on
(http://lamsonproject.org) and will be creating a mailing-list and 
web-application hybrid tool for the project.  I would like 
http://crypto.is/ to become the new home for Cypherpunks and their lists.

I also don't think it would be a bad idea to meet in a designated IRC 
chatroom for remailer and cypherpunk issues.  On Freenode, I have 
registered ##cypherpunks and #remailer.  If we get a group together we can
try and get #cypherpunks or move to another IRC location.  You can find me
in those rooms right now.

I would love to hear all of your thoughts on The Crypto Project and I 
will post again a more detailed plan of what I am thinking for it if 
anyone is interested.  I think a project like this could do wonders for 
the research and development of remailer software as well as other 
Cypherpunk projects.

Thank You for Your Time,
Sir Valiance

Re: [remailer] Remailer Lists, The Crypto Project, and Len

From: Tom Ritter
Date: 2011-07-07 @ 11:53

Don't take this email as discouragement, I'm going to RECon for the
weekend - I will get into IRC when I return.  My initial thoughts of the
idea are:

 - love the domain name

 - The site is very pretty, much better than I could design.

 - It needs to be rethought from a privacy perspective.
  - SSL-only
  - DNSSEC
  - public third party (e.g. twitter) postings of the SSL key,
certificate chain
  - HSTS
  - Key pinning/all the chrome options agl builds[0]
  - no 3rd party includes (google? come on....)
  - available via tor and possibly i2p

 - And a security perspective.  The server would have to be so locked
down it's comical.  IP-stripped-log-shipping, whether it runs OpenBSD or
Linux, grsecurity/PaX, two, three, or four factor authentication,
physical access, every service chosen carefully, logs audited for
personal information, the hosting provider and geographical location
considered carefully, the DNS chain considered, the DNS provider
selected, the IP used, the CA the SSL cert is obtained from, the
public/private keys used, whether the SSL cert should even be stored on
disk w/o a passphrase, the list goes on and on.  I recently had to
consider this, and it's a looooooot of work.  Threat modeling on an
insane scale.  It's the type of thing I'd consider begging/paying an
expert like Rosenberg or Oberheide to build/audit parts of.  Of course
then you have to trust them, etc etc.

 - The IRC network should be reconsidered.  One that allows tor
connections, etc.  I think OFTC is a more privacy minded server, but I
am not positive.  Patrick might know more

 - Nearly any Mailing Lists with the addition of GMane.org becomes a web
interface - maybe not web posting, but web reading, and RSS.  any
mailing list we use should accept messages from remailers (probably
moderated first).

 - I am immediately distrustful of work done for organizational purposes
rather than work done for the purpose of the organization.  I think
organizations should grow naturally out of a need for them; rather than
made in the beginning hoping people will put work into both them and the
causes they support.  Especially an organization in the legal sense.
Legal stuff is hard.  I don't want anyone to deal with paperwork. I plan
to put my effort towards remailer software or things an end-user gets
immediate value from.

 - I haven't seen any reason why http://www.torservers.net should be
competed with (and I define any actions taken in the same space as
competition, even though we all know we're not literally competing with
them). I _think_ any effort towards supporting tor servers should be
towards supporting them.

 - Something I think the project/foundation/whatever could do very well,
especially with such a beautiful site, is provide easy documentation,
easy guides, easy use, easy use cases.  Bring these projects to the
masses.  Show how to use Thunderbird+Enigmail, mutt+gpg, remailers,
tor, and so on.  And more esoteric things like your own mailserver [1]
and public key pinning [2].

 - Another thing the organization could conceivably support is code
audits.  I don't know how we could convince people like Marsh Ray to
audit projects like remailers or Enigmail or Truecrypt (we probably
couldn't afford him outright) - but setting up tracking on project
commits [3] and making them available in a centralized, easy to read
fashion could encourage people to find issues.  I happened to watch the
libgcrypt commit log, saw they committed code on something I knew
something about, and was able to audit it and find an issue [4].  Never
would have happened if I hadn't gone out of my way to jump through hoops
and read really annoying -commits mailing list messages.

 - What's more, those last two points I made can be done by people
*without security/cryptographic skill*.  You don't really need to write
ultra-secure code to aggregate RSS and mailing list feeds, filter them,
and present them in a new/better format.  It's a way to involve the lots
of people and developers who care about security/privacy/anonymity but
don't know how to write C. Of course it'd involve a staging server, and
a code audit, and maybe a penetration test; etc - but those are problems
that can be solved.


I'm heavily encouraged by all this.  I'm beginning work (with my
voluminous free time </sarcasm>) on some remailer-related things
(because cypherpunks write code).  I don't enjoy talking about things
until I have a non-trivial amount of code written though.

I'm also a little nervous that the cypherpunks will look at us and see
us 'playing at being cypherpunks' by not doing our due diligence with
regards to securing/anonymizing the server, practicing what we preach,
and in general just not thinking things through carefully.  I want us to
move forward, but I want it to be methodical and careful.

We have to remember, as @ioerror points out on twitter occasionally -
for most of us this is a passion but for some this is a necessity.  We
can impact people's lives by getting it wrong.

-tom

[0] http://www.imperialviolet.org
[1] https://grepular.com/Automatically_Encrypting_all_Incoming_Email
[2] http://www.imperialviolet.org/2011/05/04/pinning.html
[3] http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=summary
[4] http://www.gdssecurity.com/l/b/2011/06/02/mangers-oracle/
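
A minimal audit of three items from the privacy checklist in the message above (SSL-only, HSTS, no third-party includes), as an added example that is not part of the thread or of any participant's code. The host names, the sample pages and the 180-day `max-age` threshold are constructed assumptions.

```python
"""Audit one HTTP response for HTTPS-only delivery, an HSTS policy and
third-party includes.  All sample data below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute that makes a browser fetch a sub-resource on page load.
FETCHING_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "embed": "src",
    "audio": "src", "video": "src", "source": "src", "object": "data",
    "link": "href",
}
# <link> only triggers a fetch for some rel values (rel=canonical does not).
FETCHING_RELS = {"stylesheet", "icon", "preload", "prefetch", "manifest"}
MIN_MAX_AGE = 180 * 24 * 3600  # assumed policy threshold: 180 days


class IncludeCollector(HTMLParser):
    """Collect (tag, absolute URL) for every sub-resource the page loads."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.includes = []

    def handle_starttag(self, tag, attrs):
        attr = FETCHING_ATTRS.get(tag)
        if attr is None:
            return  # e.g. <a href> is navigation, not an include
        attrs = dict(attrs)
        if tag == "link":
            rels = set((attrs.get("rel") or "").lower().split())
            if not rels & FETCHING_RELS:
                return
        value = attrs.get(attr)
        if value:
            # urljoin resolves relative and protocol-relative (//host/x) URLs.
            self.includes.append((tag, urljoin(self.page_url, value.strip())))


def parse_hsts(value):
    """Return (max_age_seconds or None, include_subdomains) for an HSTS value."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            arg = arg.strip().strip('"')
            if arg.isdigit():
                max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


def audit_page(page_url, headers, html, first_party=()):
    """Return a list of (kind, detail) findings; an empty list means clean."""
    findings = []
    site = urlsplit(page_url)
    if site.scheme != "https":
        findings.append(("not-https", page_url))
    headers = {k.lower(): v for k, v in headers.items()}
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append(("hsts-missing", "no Strict-Transport-Security header"))
    else:
        max_age, _ = parse_hsts(hsts)
        if max_age is None or max_age < MIN_MAX_AGE:
            findings.append(("hsts-weak", hsts))
    own_hosts = {site.hostname, *first_party}
    collector = IncludeCollector(page_url)
    collector.feed(html)
    for _tag, url in collector.includes:
        target = urlsplit(url)
        if target.scheme == "http":
            findings.append(("cleartext-include", url))
        if target.hostname and target.hostname not in own_hosts:
            findings.append(("third-party-include", url))
    return findings


# --- constructed sample responses -----------------------------------------
PAGE_URL = "https://crypto.example/"
WEAK_HEADERS = {"Content-Type": "text/html"}
WEAK_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="https://other.example/page">
<script src="//cdn.thirdparty.example/lib.js"></script>
<script src="http://analytics.thirdparty.example/track.js"></script>
</head><body><img src="logo.png">
<a href="https://elsewhere.example/">a plain link is not an include</a>
</body></html>"""
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
HARDENED_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="/js/lib.js"></script>
</head><body><img src="logo.png"></body></html>"""

if __name__ == "__main__":
    for label, hdrs, body in (("weak", WEAK_HEADERS, WEAK_HTML),
                              ("hardened", HARDENED_HEADERS, HARDENED_HTML)):
        print(label, audit_page(PAGE_URL, hdrs, body))
```

Browsers honour an HSTS header only when it arrives over HTTPS, so the `not-https` finding takes precedence over whatever the header says.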

Re: [remailer] Remailer Lists, The Crypto Project, and Len

From: Sir Valiance
Date: 2011-07-07 @ 20:19

On Jul 7, 2011, at 6:53 AM, Tom Ritter wrote:

> Don't take this email as discouragement, I'm going to RECon for the
> weekend - I will get into IRC when I return.  My initial thoughts of the
> idea are:

Don't worry about discouragement, I can handle it!  ;)  Open, constructive
criticism for these types of projects is the best way to communicate.


> - love the domain name
> 
> - The site is very pretty, much better than I could design.
> 
> - It needs to be rethought from a privacy perspective.
>  - SSL-only
>  - DNSSEC
>  - public third party (e.g. twitter) postings of the SSL key,
> certificate chain
>  - HSTS
>  - Key pinning/all the chrome options agl builds[0]
>  - no 3rd party includes (google? come on....)
>  - available via tor and possibly i2p

As for all of the listed issues, I agree completely.  I built the site 
only as a "demo" to express the thoughts and ideas for the project to 
Zooko, Patrick, and Len.  I wasn't even sure when I built it if I was 
going to go through with the project.  I figured I would wait before 
making more investments like purchasing an SSL cert.  I am still going to 
wait until the ideas are more fleshed out and decisions (like the ones 
addressed in your next paragraph like SSL cert, hosting, etc) are made.


> - And a security perspective.  The server would have to be so locked
> down it's comical.  IP-stripped-log-shipping, whether it runs OpenBSD or
> Linux, grsecurity/PaX, two, three, or four factor authentication,
> physical access, every service chosen carefully, logs audited for
> personal information, the hosting provider and geographical location
> considered carefully, the DNS chain considered, the DNS provider
> selected, the IP used, the CA the SSL cert is obtained from, the
> public/private keys used, whether the SSL cert should even be stored on
> disk w/o a passphrase, the list goes on and on.  I recently had to
> consider this, and it's a looooooot of work.  Threat modeling on an
> insane scale.  It's the type of thing I'd consider begging/paying an
> expert like Rosenberg or Oberheide to build/audit parts of.  Of course
> then you have to trust them, etc etc.

I also agree with this and I am prepared for the work.  The code for the 
entire site, including the automated build scripts I created, is open 
source and will continue to be open source.  Obviously none of the things 
listed have been added to the project.  Hopefully this is something that 
can grow somewhat organically, or as the needs/features are added.


> - The IRC network should be reconsidered.  One that allows tor
> connections, etc.  I think OFTC is a more privacy minded server, but I
> am not positive.  Patrick might know more
> 

Sure, I am open to ideas.  I was just thinking of a quick way to allow 
everyone to hang out on irc.  It is a little more of a pain to use tools like
Tor on Freenode (I am using it as we speak) than OFTC.


> - Nearly any Mailing Lists with the addition of GMane.org becomes a web
> interface - maybe not web posting, but web reading, and RSS.  any
> mailing list we use should accept messages from remailers (probably
> moderated first).
> 

Sure, sounds good.  By web interface, I have been playing with ideas that 
are more like Hacker News / Reddit mixed with a mailing list, not just a 
web based interface to a mailing list.  Not fully thought out but that is 
what I was going for.

> - I am immediately distrustful of work done for organizational purposes
> rather than work done for the purpose of the organization.  I think
> organizations should grow naturally out of a need for them; rather than
> made in the beginning hoping people will put work into both them and the
> causes they support.  Especially an organization in the legal sense.
> Legal stuff is hard.  I don't want anyone to deal with paperwork. I plan
> to put my effort towards remailer software or things an end-user gets
> immediate value from.
> 

I agree here as well, although I do think there *is* a need for this type 
of organization.  Most individuals cannot devote significant portions of 
their time to developing, researching, and working on such projects and 
hopefully this can solve that issue.  I really think there needs to be an 
organization out there that makes privacy, anonymity, and security 
accessible to everyone.  I have always said I don't think you should need 
to know your way around a command line to achieve those 3 goals.  To me 
that is ultimately what the goal of the project should be. 

> - I haven't seen any reason why http://www.torservers.net should be
> competed with (and I define any actions taken in the same space as
> competition, even though we all know we're not literally competing with
> them). I _think_ any effort towards supporting tor servers should be
> towards supporting them.

While I agree that it is not competition, I don't think running an exit 
node or two is a negative thing, is it?  I think diversity amongst exit 
nodes is quite a good thing, no matter who runs them.  Also this would 
include running more than just Tor nodes (as I am sure you know, just 
clarifying).


> 
> - Something I think the project/foundation/whatever could do very well,
> especially with such a beautiful site, is provide easy documentation,
> easy guides, easy use, easy use cases.  Bring these projects to the
> masses.  Show how to use Thunderbird+Enigmail, mutt+gpg, remailers,
> tor, and so on.  And more esoteric things like your own mailserver [1]
> and public key pinning [2].

Oh most definitely! This is what I meant by adding tutorials and 
documentation.  Most projects are severely lacking in this regard and it 
would be great to have a home for such information.  I really think it 
could be a good idea to offer services for the less technically inclined 
to set up and learn these tools. I believe Tor does this by helping 
individuals around the world set up and use Tor.


> 
> - Another thing the organization could conceivably support is code
> audits.  I don't know how we could convince people like Marsh Ray to
> audit projects like remailers or Enigmail or Truecrypt (we probably
> couldn't afford him outright) - but setting up tracking on project
> commits [3] and making them available in a centralized, easy to read
> fashion could encourage people to find issues.  I happened to watch the
> libgcrypt commit log, saw they committed code on something I knew
> something about, and was able to audit it and find an issue [4].  Never
> would have happened if I hadn't gone out of my way to jump through hoops
> and read really annoying -commits mailing list messages.

I don't see why not.

> 
> - What's more, those last two points I made can be done by people
> *without security/cryptographic skill*.  You don't really need to write
> ultra-secure code to aggregate RSS and mailing list feeds, filter them,
> and present them in a new/better format.  It's a way to involve the lots
> of people and developers who care about security/privacy/anonymity but
> don't know how to write C. Of course it'd involve a staging server, and
> a code audit, and maybe a penetration test; etc - but those are problems
> that can be solved.
> 
> 
> I'm heavily encouraged by all this.  I'm beginning work (with my
> voluminous free time </sarcasm>) on some remailer-related things
> (because cypherpunks write code).  I don't enjoy talking about things
> until I have a non-trivial amount of code written though.
> 
> I'm also a little nervous that the cypherpunks will look at us and see
> us 'playing at being cypherpunks' by not doing our due diligence with
> regards to securing/anonymizing the server, practicing what we preach,
> and in general just not thinking things through carefully.  I want us to
> move forward, but I want it to be methodical and careful.

I definitely do not want the project to come off as an org of poseurs.  I 
would love to have this project be the textbook example of an open, 
secure, anonymous, and automated server setup.  A setup people can 
learn from.  Sort of like taking Kerckhoffs's Principle and applying it to 
webserver setups.  Why not?



> 
> We have to remember, as @ioerror points out on twitter occasionally -
> for most of us this is a passion but for some this is a necessity.  We
> can impact people's lives by getting it wrong.
> 

Agreed.  Best to be as forward and open as possible about any risks.

Thank you for the response! 


> -tom
> 
> [0] http://www.imperialviolet.org
> [1] https://grepular.com/Automatically_Encrypting_all_Incoming_Email
> [2] http://www.imperialviolet.org/2011/05/04/pinning.html
> [3] http://git.gnupg.org/cgi-bin/gitweb.cgi?p=libgcrypt.git;a=summary
> [4] http://www.gdssecurity.com/l/b/2011/06/02/mangers-oracle/
> 

Re: [remailer] Remailer Lists, The Crypto Project, and Len

From: Patrick R McDonald
Date: 2011-07-07 @ 14:02

On Thu, Jul 07, 2011 at 07:53:37AM -0400, Tom Ritter wrote:
> Don't take this email as discouragement, I'm going to RECon for the
> weekend - I will get into IRC when I return.  My initial thoughts of the
> idea are:

Everyone gets to go somewhere fun but me.

>  - love the domain name
> 
>  - The site is very pretty, much better than I could design.
> 
>  - It needs to be rethought from a privacy perspective.
>   - SSL-only
>   - DNSSEC
>   - public third party (e.g. twitter) postings of the SSL key,
> certificate chain
>   - HSTS
>   - Key pinning/all the chrome options agl builds[0]
>   - no 3rd party includes (google? come on....)
>   - available via tor and possibly i2p
> 
>  - And a security perspective.  The server would have to be so locked
> down it's comical.  IP-stripped-log-shipping, whether it runs OpenBSD or
> Linux, grsecurity/PaX, two, three, or four factor authentication,
> physical access, every service chosen carefully, logs audited for
> personal information, the hosting provider and geographical location
> considered carefully, the DNS chain considered, the DNS provider
> selected, the IP used, the CA the SSL cert is obtained from, the
> public/private keys used, whether the SSL cert should even be stored on
> disk w/o a passphrase, the list goes on and on.  I recently had to
> consider this, and it's a looooooot of work.  Threat modeling on an
> insane scale.  It's the type of thing I'd consider begging/paying an
> expert like Rosenberg or Oberheide to build/audit parts of.  Of course
> then you have to trust them, etc etc.

I think if we establish what threat model the site is protecting against
and what attacks we can't/won't cover we should be alright.  I find Tor
and PrivacyBox provide good examples of this.

>  - The IRC network should be reconsidered.  One that allows tor
> connections, etc.  I think OFTC is a more privacy minded server, but I
> am not positive.  Patrick might know more

I know both Freenode and OFTC support Tor, however the OFTC hidden
service appears to be down.  I will check into this.

>  - Nearly any Mailing Lists with the addition of GMane.org becomes a web
> interface - maybe not web posting, but web reading, and RSS.  any
> mailing list we use should accept messages from remailers (probably
> moderated first).


>  - I am immediately distrustful of work done for organizational purposes
> rather than work done for the purpose of the organization.  I think
> organizations should grow naturally out of a need for them; rather than
> made in the beginning hoping people will put work into both them and the
> causes they support.  Especially an organization in the legal sense.
> Legal stuff is hard.  I don't want anyone to deal with paperwork. I plan
> to put my effort towards remailer software or things an end-user gets
> immediate value from.

I think there is a need for this organization and I believe Len's
comment articulates it far better than I ever could.  Given my work with
other non-profits (Open Security Foundation), I would be willing to help
take this on.  If Nick or other members of the Tor Project wouldn't mind
connecting me off-list with friendly advice about working/running a
non-profit, I would appreciate it.

>  - I haven't seen any reason why http://www.torservers.net should be
> competed with (and I define any actions taken in the same space as
> competition, even though we all know we're not literally competing with
> them). I _think_ any effort towards supporting tor servers should be
> towards supporting them.

Agreed.  I believe what we can do here is raise awareness and provide
pointers for projects TorServers, which provide this functionality.

>  - Something I think the project/foundation/whatever could do very well,
> especially with such a beautiful site, is provide easy documentation,
> easy guides, easy use, easy use cases.  Bring these projects to the
> masses.  Show how to use Thunderbird+Enigmail, mutt+gpg, remailers,
> tor, and so on.  And more esoteric things like your own mailserver [1]
> and public key pinning [2].

This is the piece which I feel is missing from many crypto projects.
People like us understand the use cases and the howto, however these
projects will never expand past a niche market unless we get it so Mom
and Dad can and do implement them.  I am currently working on this as
part of the Tahoe-LAFS project.

>  - Another thing the organization could conceivably support is code
> audits.  I don't know how we could convince people like Marsh Ray to
> audit projects like remailers or Enigmail or Truecrypt (we probably
> couldn't afford him outright) - but setting up tracking on project
> commits [3] and making them available in a centralized, easy to read
> fashion could encourage people to find issues.  I happened to watch the
> libgcrypt commit log, saw they committed code on something I knew
> something about, and was able to audit it and find an issue [4].  Never
> would have happened if I hadn't gone out of my way to jump through hoops
> and read really annoying -commits mailing list messages.

I really like the centralized tracking of commits.  Bloody brilliant.
As for hiring Marsh Ray, I can't comment.  However, I feel if we open
our code to audits similar to Nadim's cryptbin, we can get pretty solid
input.

>  - What's more, those last two points I made can be done by people
> *without security/cryptographic skill*.  You don't really need to write
> ultra-secure code to aggregate RSS and mailing list feeds, filter them,
> and present them in a new/better format.  It's a way to involve the lots
> of people and developers who care about security/privacy/anonymity but
> don't know how to write C. Of course it'd involve a staging server, and
> a code audit, and maybe a penetration test; etc - but those are problems
> that can be solved.

Already on it.  I should have something later this month for us to use a
staging server.  Plus I really like the idea of including those of us
who aren't yet coders.

> I'm heavily encouraged by all this.  I'm beginning work (with my
> voluminous free time </sarcasm>) on some remailer-related things
> (because cypherpunks write code).  I don't enjoy talking about things
> until I have a non-trivial amount of code written though.
> 
> I'm also a little nervous that the cypherpunks will look at us and see
> us 'playing at being cypherpunks' by not doing our due diligence with
> regards to securing/anonymizing the server, practicing what we preach,
> and in general just not thinking things through carefully.  I want us to
> move forward, but I want it to be methodical and careful.

I think the best advice I can provide here is to simply learn from our
mistakes and solicit advice when we are unsure on how to proceed.  We
are bound to make mistakes.  How we react to them is what will determine
how we are perceived.  I will once again reference Nadim's reaction to
the audit of cryptbin.  His reaction to constructive criticism is what
brought him down in people's eyes, not cryptbin's issues.

> We have to remember, as @ioerror points out on twitter occasionally -
> for most of us this is a passion but for some this is a necessity.  We
> can impact people's lives by getting it wrong.

Precisely.  This is why we should be transparent and upfront.  If we
define what we can control and what we can't, we should be in good
shape.  This plus timely action to issues raised should keep us covered.

-- 
----------------------------------------------------------------                
| Patrick R. McDonald                       GPG Key: 668AA5DF  |                
| https://www.antagonism.org/         <marlowe@antagonism.org> |                
|                               <mcdonald.patrick.r@gmail.com> |                
|                         <patrick@opensecurityfoundation.org> |                
----------------------------------------------------------------                
| Malo periculosam libertatem quam quietum servitium           |                
----------------------------------------------------------------

Re: [remailer] Remailer Lists, The Crypto Project, and Len

From: Sir Valiance
Date: 2011-07-07 @ 20:30

On Jul 7, 2011, at 9:02 AM, Patrick R McDonald wrote:

> On Thu, Jul 07, 2011 at 07:53:37AM -0400, Tom Ritter wrote:
>> Don't take this email as discouragement, I'm going to RECon for the
>> weekend - I will get into IRC when I return.  My initial thoughts of the
>> idea are:
> 
> Everyone gets to go somewhere fun but me.
> 
>> - love the domain name
>> 
>> - The site is very pretty, much better than I could design.
>> 
>> - It needs to be rethought from a privacy perspective.
>>  - SSL-only
>>  - DNSSEC
>>  - public third party (e.g. twitter) postings of the SSL key,
>> certificate chain
>>  - HSTS
>>  - Key pinning/all the chrome options agl builds[0]
>>  - no 3rd party includes (google? come on....)
>>  - available via tor and possibly i2p
>> 
>> - And a security perspective.  The server would have to be so locked
>> down it's comical.  IP-stripped-log-shipping, whether it runs OpenBSD or
>> Linux, grsecurity/PaX, two, three, or four factor authentication,
>> physical access, every service chosen carefully, logs audited for
>> personal information, the hosting provider and geographical location
>> considered carefully, the DNS chain considered, the DNS provider
>> selected, the IP used, the CA the SSL cert is obtained from, the
>> public/private keys used, whether the SSL cert should even be stored on
>> disk w/o a passphrase, the list goes on and on.  I recently had to
>> consider this, and it's a looooooot of work.  Threat modeling on an
>> insane scale.  It's the type of thing I'd consider begging/paying an
>> expert like Rosenberg or Oberheide to build/audit parts of.  Of course
>> then you have to trust them, etc etc.
> 
> I think if we establish what threat model the site is protecting against
> and what attacks we can't/won't cover we should be alright.  I find Tor
> and PrivacyBox provide good examples of this.

Agree.

> 
>> - The IRC network should be reconsidered.  One that allows tor
>> connections, etc.  I think OFTC is a more privacy minded server, but I
>> am not positive.  Patrick might know more
> 
> I know both Freenode and OFTC support Tor, however the OFTC hidden
> service appears to be down.  I will check into this.
> 
>> - Nearly any Mailing Lists with the addition of GMane.org becomes a web
>> interface - maybe not web posting, but web reading, and RSS.  any
>> mailing list we use should accept messages from remailers (probably
>> moderated first).
> 
> 
>> - I am immediately distrustful of work done for organizational purposes
>> rather than work done for the purpose of the organization.  I think
>> organizations should grow naturally out of a need for them; rather than
>> made in the beginning hoping people will put work into both them and the
>> causes they support.  Especially an organization in the legal sense.
>> Legal stuff is hard.  I don't want anyone to deal with paperwork. I plan
>> to put my effort towards remailer software or things an end-user gets
>> immediate value from.
> 
> I think there is a need for this organization and I believe Len's
> comment articulates it far better than I ever could.  Given my work with
> other non-profits (Open Security Foundation), I would be willing to help
> take this on.  If Nick or other members of the Tor Project wouldn't mind
> connecting me off-list with friendly advice about working/running a
> non-profit, I would appreciate it.

Great!  That would be great if the Tor guys were willing to help give advice.

> 
>> - I haven't seen any reason why http://www.torservers.net should be
>> competed with (and I define any actions taken in the same space as
>> competition, even though we all know we're not literally competing with
>> them). I _think_ any effort towards supporting tor servers should be
>> towards supporting them.
> 
> Agreed.  I believe what we can do here is raise awareness and provide
> pointers for projects TorServers, which provide this functionality.
> 
>> - Something I think the project/foundation/whatever could do very well,
>> especially with such a beautiful site, is provide easy documentation,
>> easy guides, easy use, easy use cases.  Bring these projects to the
>> masses.  Show how to use Thunderbird+Enigmail, mutt+gpg, remailers,
>> tor, and so on.  And more esoteric things like your own mailserver [1]
>> and public key pinning [2].
> 
> This is the piece which I feel is missing from many crypto projects.
> People like us understand the use cases and the howto, however these
> projects will never expand past a niche market unless we get it so Mom
> and Dad can and do implement them.  I am currently working on this as
> part of the Tahoe-LAFS project.

I so agree with this.  It is a huge issue amongst these types of projects.
Sorry if I stepped on this point in my last post.


> 
>> - Another thing the organization could conceivably support is code
>> audits.  I don't know how we could convince people like Marsh Ray to
>> audit projects like remailers or Enigmail or Truecrypt (we probably
>> couldn't afford him outright) - but setting up tracking on project
>> commits [3] and making them available in a centralized, easy to read
>> fashion could encourage people to find issues.  I happened to watch the
>> libgcrypt commit log, saw they committed code on something I knew
>> something about, and was able to audit it and find an issue [4].  Never
>> would have happened if I hadn't gone out of my way to jump through hoops
>> and read really annoying -commits mailing list messages.
> 
> I really like the centralized tracking of commits.  Bloody brilliant.
> As for hiring Marsh Ray, I can't comment.  However, I feel if we open
> our code to audits similar to Nadim's cryptbin, we can get pretty solid
> input.
> 
>> - What's more, those last two points I made can be done by people
>> *without security/cryptographic skill*.  You don't really need to write
>> ultra-secure code to aggregate RSS and mailing list feeds, filter them,
>> and present them in a new/better format.  It's a way to involve the lots
>> of people and developers who care about security/privacy/anonymity but
>> don't know how to write C. Of course it'd involve a staging server, and
>> a code audit, and maybe a penetration test; etc - but those are problems
>> that can be solved.
> 
> Already on it.  I should have something later this month for us to use a
> staging server.  Plus I really like the idea of including those of us
> who aren't yet coders.

Cool!

> 
>> I'm heavily encouraged by all this.  I'm beginning work (with my
>> voluminous free time </sarcasm>) on some remailer-related things
>> (because cypherpunks write code).  I don't enjoy talking about things
>> until I have a non-trivial amount of code written though.
>> 
>> I'm also a little nervous that the cypherpunks will look at us and see
>> us 'playing at being cypherpunks' by not doing our due diligence with
>> regards to securing/anonymizing the server, practicing what we preach,
>> and in general just not thinking things through carefully.  I want us to
>> move forward, but I want it to be methodical and careful.
> 
> I think the best advice I can provide here is to simply learn from our
> mistakes and solicit advice when we are unsure on how to proceed.  We
> are bound to make mistakes.  How we react to them is what will determine
> how we are perceived.  I will once again reference Nadim's reaction to
> the audit of cryptbin.  His reaction to constructive criticism is what
> brought him down in people's eyes, not cryptbin's issues.

Agree here as well, mistakes will be made.  Nadim should not have gotten 
so defensive.  Crypto is not  and should not be personal.

> 
>> We have to remember, as @ioerror points out on twitter occasionally -
>> for most of us this is a passion but for some this is a necessity.  We
>> can impact peoples lives by getting it wrong.
> 
> Precisely.  This is why we should be transparent and upfront.  If we
> define what we can control and what we can't, we should be in good
> shape.  This plus timely action to issues raised should keep us covered.

I agree with most of this and sorry if I stepped on your points with my 
last post, should have read yours first.  

Thanks For Input!


> 
> -- 
> ----------------------------------------------------------------                
> | Patrick R. McDonald                       GPG Key: 668AA5DF  |                
> | https://www.antagonism.org/         <marlowe@antagonism.org> |                
> |                               <mcdonald.patrick.r@gmail.com> |                
> |                         <patrick@opensecurityfoundation.org> |                
> ----------------------------------------------------------------                
> | Malo periculosam libertatem quam quietum servitium           |                
> ----------------------------------------------------------------

Re: [remailer] Remailer Lists, The Crypto Project, and Len

From:
Nick Mathewson
Date:
2011-07-07 @ 22:31
On Thu, Jul 7, 2011 at 5:37 AM, Sir Valiance <sir@sirvaliance.com> wrote:
> Hi Everyone,
>

Hi!

I don't have time right now to comment on everything right away, but
I'll try to come back later to talk about the things I haven't had a
chance to look at yet.

I like the idea of trying to get together to make more things happen
with remailers and anonymity tech.  There are lots of places where
different conversations are going on now.  I think that's a fine
thing, but it'd be good to keep abreast of what everybody's doing, and
try to coordinate behind efforts that seem to be making  progress.

I am *against* trying to coordinate behind any *particular* effort
that is not yet making progress.

A brief rant: Since I stopped doing active mixminion development, I
have had no less than 4 teams of people come up to me and declare that
they were going to pick up remailer development, but never actually
get any development done: they spent all of their time making a plan
for forming a group to make a consensus to make a team to ... etc,
etc, etc, and they never actually got around to coding.

So let's not do that.  I would so much rather spend my time talking
about anonymity tech than about how to organize an organization to
encourage people to do anonymity tech that it isn't even funny. :)

Please don't take this as discouragement; please instead take it as
encouragement to get designs and code written up.



Now, on to the non-profit corporation issues.

(Obligatory disclaimer: I am not a lawyer, this is not legal advice.)

Our experience at Tor was that we survived for a few years with just
me and Roger paid to work on the software.  At that time, we were
unincorporated: Roger received the money that we were paid, and paid
me directly.  Whatever he didn't pay me, he had to declare as income.
We didn't incorporate as a 501c3 until we finally got a grant large
enough that we couldn't spend it all in one year: our choices would
have been to either pay taxes on all the money in one year, or to
incorporate and have the company keep the money and pay us.  Because
we're working for the public good, and because corporate income taxes
are no fun, and because we were pretty sure that we'd do badly
starting a for-profit anonymity company, we decided to incorporate as
a 501c3 tax-exempt charity.

Having a 501c3 nonprofit (in US law, at least) lets you do a bunch of
things, and requires you to do a bunch of things.  On the things that
it lets you do:
  * Since it's a corporation, the corporation's liabilities aren't your own.
  * Since it's a nonprofit, it doesn't need to pay income tax.  (Its
employees and contractors still need to pay taxes, of course.)
  * Since it's a 501c3 charity, people who donate to it can deduct
their donations on their income taxes.

On the things that it forces you to do:
  * There is a lot of overhead.  It is approximately 1 person's
full-time job to keep all the financial paperwork straight.
  * You have to have a board, and regular board meetings.
  * You have to file some fairly complex paperwork and face regular audits.
  * If you expect to be doing anything that people might one day
object to -- like, say, providing anonymous communications for
unpopular groups -- you'd better make sure that all the paperwork is
perfect.  This will require lawyers.  It is almost impossible to find
specialists in nonprofit law who are willing to work pro bono.

On the things that it does not actually do:
  * It doesn't actually cause you to get donations on its own.  Only a
proven record of accomplishing things that people want to support does
that, and donors seem to only care a certain amount about whether they
can deduct their contributions.

In summary, a 501c3 nonprofit or similar legal entity is mainly a way
for a charitable cause to manage its money.  It's a good idea if
you're getting a lot of money for your charitable cause, and not so
much if you aren't.  It is not a good vehicle for *getting* donations:
that is, having one doesn't make money show up.

So IMO, it's a good idea to think of going 501c3 in the future, and
plan for that end, but I'd suggest that you don't think too hard about
it until there are some actual assets or income for the nonprofit to
handle.



Some random thoughts on crypto.is:

Until you've got a research papers page, you might as well put up a
link to freehaven.net/anonbib.  (Full disclosure: I'm one of the
maintainers for that.)

It would be good to have a directory of places where mixnet
development discussion is happening.



So yeah!  Let's pick something to design and code and get to work on
it.  Who feels like a remailer? :)


my inflationary two cents,
-- 
Nick

Re: [remailer] Remailer Lists, The Crypto Project, and Len

From:
Sir Valiance
Date:
2011-07-08 @ 22:27
On Jul 7, 2011, at 5:31 PM, Nick Mathewson wrote:

> On Thu, Jul 7, 2011 at 5:37 AM, Sir Valiance <sir@sirvaliance.com> wrote:
>> Hi Everyone,
>> 
> 
> Hi!
> 
> I don't have time right now to comment on everything right away, but
> I'll try to come back later to talk about the things I haven't had a
> chance to look at yet.
> 
> I like the idea of trying to get together to make more things happen
> with remailers and anonymity tech.  There are lots of places where
> different conversations are going on now.  I think that's a fine
> thing, but it'd be good to keep abreast of what everybody's doing, and
> try to coordinate behind efforts that seem to be making  progress.
> 
> I am *against* trying to coordinate behind any *particular* effort
> that is not yet making progress.
> 

I can agree with that.  Why would anyone support or donate to an 
organization that is not doing anything yet anyway?

> A brief rant: Since I stopped doing active mixminion development, I
> have had no less than 4 teams of people come up to me and declare that
> they were going to pick up remailer development, but never actually
> get any development done: they spent all of their time making a plan
> for forming a group to make a consensus to make a team to ... etc,
> etc, etc, and they never actually got around to coding.
> 
> So let's not do that.  I would so much rather spend my time talking
> about anonymity tech than about how to organize an organization to
> encourage people to do anonymity tech that it isn't even funny. :)
> 
> Please don't take this as discouragement; please instead take it as
> encouragement to get designs and code written up.
> 
> 

That is good to hear that you have seen that from experience.  I know I 
have seen plenty of people mention they are going to start working on open
source projects and never get around to it (I have done it myself as 
well).  It is very clear that the time available should be invested in 
code, results, and progress rather than organizational tasks.


> 
> Now, on to the non-profit corporation issues.
> 
> (Obligatory disclaimer: I am not a lawyer, this is not legal advice.)
> 
> Our experience at Tor was that we survived for a few years with just
> me and Roger paid to work on the software.  At that time, we were
> unincorporated: Roger received the money that we were paid, and paid
> me directly.  Whatever he didn't pay me, he had to declare as income.
> We didn't incorporate as a 501c3 until we finally got a grant large
> enough that we couldn't spend it all in one year: our choices would
> have been to either pay taxes on all the money in one year, or to
> incorporate and have the company keep the money and pay us.  Because
> we're working for the public good, and because corporate income taxes
> are no fun, and because we were pretty sure that we'd do badly
> starting a for-profit anonymity company, we decided to incorporate as
> a 501c3 tax-exempt charity.

Was this early funding (pre 501) from donations, grants? Was it enough for
you both to just work on your projects and get by (not have a day job)?

> 
> Having a 501c3 nonprofit (in US law, at least) lets you do a bunch of
> things, and requires you to do a bunch of things.  On the things that
> it lets you do:
>  * Since it's a corporation, the corporation's liabilities aren't your own.
>  * Since it's a nonprofit, it doesn't need to pay income tax.  (Its
> employees and contractors still need to pay taxes, of course.)
>  * Since it's a 501c3 charity, people who donate to it can deduct
> their donations on their income taxes.
> 
> On the things that it forces you to do:
>  * There is a lot of overhead.  It is approximately 1 person's
> full-time job to keep all the financial paperwork straight.
>  * You have to have a board, and regular board meetings.
>  * You have to file some fairly complex paperwork and face regular audits.
>  * If you expect to be doing anything that people might one day
> object to -- like, say, providing anonymous communications for
> unpopular groups -- you'd better make sure that all the paperwork is
> perfect.  This will require lawyers.  It is almost impossible to find
> specialists in nonprofit law who are willing to work pro bono.
> 
> On the things that it does not actually do:
>  * It doesn't actually cause you to get donations on its own.  Only a
> proven record of accomplishing things that people want to support does
> that, and donors seem to only care a certain amount about whether they
> can deduct their contributions.
> 
> In summary, a 501c3 nonprofit or similar legal entity is mainly a way
> for a charitable cause to manage its money.  It's a good idea if
> you're getting a lot of money for your charitable cause, and not so
> much if you aren't.  It is not a good vehicle for *getting* donations:
> that is, having one doesn't make money show up.
> 
> So IMO, it's a good idea to think of going 501c3 in the future, and
> plan for that end, but I'd suggest that you don't think too hard about
> it until there are some actual assets or income for the nonprofit to
> handle.
> 
> 

I appreciate, trust, and respect your experience and knowledge on the 
topic and it is clear waiting is the way to go.  I wasn't exactly sure on 
the legality in the U.S. of accepting donations without forming as a 
non-profit first (and I didn't know if it was necessary for credibility's
sake). I am not even sure whether a U.S. based organization is what will 
be best in the end.  I think first the goals must be clearly defined, then
figure out the appropriate location and setup there.


> 
> Some random thoughts on crypto.is:
> 
> Until you've got a research papers page, you might as well put up a
> link to freehaven.net/anonbib.  (Full disclosure: I'm one of the
> maintainers for that.)

Don't worry about the disclosure, I am aware and it is a great idea!


> 
> It would be good to have a directory of places where mixnet
> development discussion is happening.
> 
> 
> 
> So yeah!  Let's pick something to design and code and get to work on
> it.  Who feels like a remailer? :)

Awesome...

> 
> 
> my inflationary two cents,
> -- 
> Nick
> 

Taking this advice into consideration (and knowing now that I will move 
forward with the project) I will hold off on the organizational aspect and
start to update the site and make it usable for others.  I will try and 
figure out a decent way for anyone to contribute tutorials, docs, or web 
content, and code.

Thank You,
Sir Valiance

Re: [remailer] Remailer Lists, The Crypto Project, and Len

From:
Nick Mathewson
Date:
2011-07-12 @ 04:51
On Fri, Jul 8, 2011 at 6:27 PM, Sir Valiance <sir@sirvaliance.com> wrote:
> On Jul 7, 2011, at 5:31 PM, Nick Mathewson wrote:
 [...]
>>
>> Now, on to the non-profit corporation issues.
>>
>> (Obligatory disclaimer: I am not a lawyer, this is not legal advice.)
>>
>> Our experience at Tor was that we survived for a few years with just
>> me and Roger paid to work on the software.  At that time, we were
>> unincorporated: Roger received the money that we were paid, and paid
>> me directly.  Whatever he didn't pay me, he had to declare as income.
>> We didn't incorporate as a 501c3 until we finally got a grant large
>> enough that we couldn't spend it all in one year: our choices would
>> have been to either pay taxes on all the money in one year, or to
>> incorporate and have the company keep the money and pay us.  Because
>> we're working for the public good, and because corporate income taxes
>> are no fun, and because we were pretty sure that we'd do badly
>> starting a for-profit anonymity company, we decided to incorporate as
>> a 501c3 tax-exempt charity.
>
> Was this early funding (pre 501) from donations, grants? Was it enough
> for you both to just work on your projects and get by (not have a day
> job)?

Contracts.  And not at first.

Basically, Roger got on board because there was an existing Onion
Routing research project of Paul Syverson's that needed a really good
programmer to finish up its in time for a deadline.  The work was
successful; Paul's research remained funded, and eventually Roger
could afford to bring me on too, and we could look for additional
funding on our own.

Before that, though, we'd both been working other jobs, and doing
anonymity stuff in our spare time.  I was working at an ill-fated
internet startup when I did most of my Mixminion coding.  To date,
nobody's paid me to hack on Mixminion, but I think that the time I
spent working on it with Roger convinced me that I was somebody he
wanted to bring on for Tor work in the early days.

Obviously, this isn't a replicable path to making an R&D organization
solvent: I wouldn't tell anybody, "Look around for research projects
to do what you're trying to do that are nearing the end of their
grants and offer to finish everything up heroically in the last
possible minute so that they can get another grant, and ramp this up
until you're doing R&D for multiple researchers and you can negotiate
deliverables so that you can build the features _you_ want."  Instead
I'd suggest more generally that doing R&D for a new anonymity project
or set of projects is likely to have a longish ramp-up phase before it
produces enough money to pay the programmers -- if it ever does.
Therefore, I think it's best to seek people who want to work on
anonymity software _so that it will exist_, and who don't need to get
a steady paycheck out of it any time soon.

[...]
>> So IMO, it's a good idea to think of going 501c3 in the future, and
>> plan for that end, but I'd suggest that you don't think too hard about
>> it until there are some actual assets or income for the nonprofit to
>> handle.
>>
>>
>
> I appreciate, trust, and respect your experience and knowledge on the
> topic and it is clear waiting is the way to go.  I wasn't exactly sure on
> the legality in the U.S. of accepting donations without forming as a
> non-profit first (and I didn't know if it was necessary for credibility's
> sake).

(Still not a lawyer, still not offering legal advice.)

Under US law, you can accept donations.  You can't deceive people
about what the donations are for, of course, and you can't say you're
a charity when you're not, and you need to pay taxes on donations as
income, but accepting donations per se is as legal as getting birthday
presents from your friends.

> I am not even sure whether a U.S. based organization is what will be
> best in the end.  I think first the goals must be clearly defined, then
> figure out the appropriate location and setup there.

Right.  Also, the goals of the organization are not necessarily the
same as the reasons for incorporating.  You don't need a corporation
to host discussions and research efforts by like-minded volunteers:
it's when you start handling money and assets that incorporation
becomes IMO more worth thinking about.

peace,
-- 
Nick

Re: [remailer] Remailer Lists, The Crypto Project, and Len

From:
Tom Ritter
Date:
2011-07-12 @ 23:52
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> Taking this advice into consideration (and knowing now that I will move
> forward with the project) I will hold off on the organizational aspect and
> start to update the site and make it usable for others.  I will try and
> figure out a decent way for anyone to contribute tutorials, docs, or web
> content, and code.

I've forked it on github, set up a test server on an unused domain name,
edited it considerably, and sent a pull request (which you don't have to
honor).  You can preview the changes here: http://utternoncesense.com/

I got lazy with the copytext after a short bit.  But the idea was to
change the concept from a central organization that can fund lots of
projects to a central star in a sky of software.  The projects page is
most fleshed out:

Code Audit Feed
    Writing secure code is hard. But if everyone is intimidated by the
prospect, no secure code would be written. The Code Audit Feed seeks to
be a single feed of commits to crypto and anonymity tools. It is the
hope that an easy to skim feed of changes will encourage people to watch
projects for changes relating to their area of expertise, so they can
audit and perhaps become involved in the project.

Intro to Crypto
    This series of articles aims to show the layperson what benefits
using cryptography and anonymity software can provide them, how to
install and use the software, and finally how to give back to the
community by running services of their own.

Code Clearing House
    It can be a wide internet out there. This project aims to group
security and anonymity software, provide an overview of what it does
and doesn't provide, and links to further resources.

Bleeding Edge
    This area is meant to be a testbed of bleeding edge technologies
like Strict Transport Security. While not a comprehensive walkthrough -
we hope to provide enough information for experienced sysadmins to set
up bleeding edge features, as well as link to existing implementations.

And then the individual boxes like remailers, tor, etc that previously
Crypto.is was 'funding, supporting, etc' will be items that the site
provides limited information about, support for, etc.

Also, I have it on good authority that the cypherpunk movement will be
picking up steam shortly - it would be very nice to coordinate a launch.
 I'm hoping a new individual joins the list shortly and gets back in
contact.

- -tom
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (Cygwin)

iEYEARECAAYFAk4c3iIACgkQJZJIJEzU09sZ5QCdG1ErxszmdoeCp8SRsGAPGvyL
GP0AoLBQhZJ2ncHG0EVA44TYQHMRXiwv
=PU7x
-----END PGP SIGNATURE-----
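
Added example, not part of the message above or of the crypto.is code: one way to build the Code Audit Feed it describes, merging commit logs from several projects into a single newest-first feed tagged by area of expertise. The `git log` format string, the topic word lists, the project names and the sample logs are all assumptions constructed for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Separators assumed to come from a format string chosen for this example:
#   git log --name-only --pretty=format:'%x1e%H%x1f%an%x1f%aI%x1f%s'
RS, US = "\x1e", "\x1f"

# Hypothetical watch list: topic -> words looked for in subjects and paths.
TOPICS = {
    "rng": {"random", "rand", "entropy", "reseed"},
    "pubkey": {"rsa", "dsa", "elgamal", "keygen"},
    "parsing": {"parse", "decode", "header", "asn1"},
}


@dataclass(frozen=True)
class Entry:
    project: str
    commit: str
    author: str
    when: datetime  # normalised to UTC so entries from all projects sort together
    subject: str
    files: tuple
    topics: tuple


def tag_topics(subject, files):
    """Match whole words, so 'rsa' does not fire on 'universal'."""
    words = set(re.split(r"[^a-z0-9]+", " ".join((subject, *files)).lower()))
    return tuple(sorted(t for t, watch in TOPICS.items() if words & watch))


def parse_git_log(project, raw):
    """Turn one project's raw log into entries, skipping malformed records."""
    entries = []
    for record in raw.split(RS):
        header, _, rest = record.strip("\n").partition("\n")
        fields = header.split(US)
        if len(fields) != 4:
            continue  # empty or damaged record: drop it rather than guess
        commit, author, date, subject = fields
        try:
            when = datetime.fromisoformat(date).astimezone(timezone.utc)
        except ValueError:
            continue  # unparseable date: drop the record
        files = tuple(f.strip() for f in rest.splitlines() if f.strip())
        entries.append(Entry(project, commit, author, when, subject,
                             files, tag_topics(subject, files)))
    return entries


def build_feed(logs, topic=None):
    """Merge {project: raw_log} into one newest-first list, optionally by topic."""
    merged = [e for name, raw in logs.items() for e in parse_git_log(name, raw)]
    if topic is not None:
        merged = [e for e in merged if topic in e.topics]
    return sorted(merged, key=lambda e: e.when, reverse=True)


def render(entry):
    """One skimmable line; commit subjects are untrusted, so drop control chars."""
    subject = "".join(ch for ch in entry.subject if ch.isprintable())
    tags = ",".join(entry.topics) or "-"
    return (f"{entry.when:%Y-%m-%d %H:%M}Z {entry.project} {entry.commit[:8]} "
            f"[{tags}] {subject} ({len(entry.files)} files)")


def _rec(commit, author, date, subject, *files):
    """Build one record in the assumed log format (used for the sample data)."""
    return RS + US.join((commit, author, date, subject)) + "\n" + "\n".join(files) + "\n\n"


# Constructed sample logs for two hypothetical projects.
SAMPLE_LOGS = {
    "examplecrypt": (
        _rec("a1" * 20, "Alice Example", "2011-07-10T14:03:22+02:00",
             "Fix modulus size check in RSA keygen", "cipher/rsa.c", "tests/keygen.c")
        + _rec("b2" * 20, "Bob Example", "2011-07-09T09:00:00+00:00",
               "Update translations", "po/de.po")
    ),
    "examplemix": (
        _rec("c3" * 20, "Carol Example", "2011-07-10T08:30:00-04:00",
             "Reseed pool before generating message ids", "src/random.c")
        + RS + "truncated record without fields\n"
        + _rec("d4" * 20, "Dave Example", "2011-07-08T23:15:00+00:00",
               "Reject overlong header lines when decoding", "src/parse.c")
    ),
}

if __name__ == "__main__":
    for entry in build_feed(SAMPLE_LOGS):
        print(render(entry))
```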

Re: [remailer] Remailer Lists, The Crypto Project, and Len

From:
Sir Valiance
Date:
2011-07-13 @ 18:11
On Jul 12, 2011, at 6:52 PM, Tom Ritter wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
>> Taking this advice into consideration (and knowing now that I will move
>> forward with the project) I will hold off on the organizational aspect and
>> start to update the site and make it usable for others.  I will try and
>> figure out a decent way for anyone to contribute tutorials, docs, or web
>> content, and code.
> 
> I've forked it on github, set up a test server on an unused domain name,
> edited it considerably, and sent a pull request (which you don't have to
> honor).  You can preview the changes here: http://utternoncesense.com/

Awesome! This is exciting and I am glad you took the initiative to 
jumpstart the changes.  I made a comment on the pull request.  It would be
much appreciated if you could change the pull request to "ritter_updates" 
rather than "master" so I can pull the changes, make additions and 
updates, then merge to master.  If not I can work my way around it.

One thing I noticed is that your changes seem to diminish the call for 
donations, or at least aim to direct funding for other projects.  I am 
curious if you object to the idea of donations, and if so, why? I 
personally see nothing wrong with taking donations (or directing to the 
donations pages for other projects) if people feel that they would like to
contribute. Some would like to contribute to projects but don't have the 
time, therefore give money.  I would really like to collect funding to pay
for and setup servers for the various anonymity, security and privacy 
projects for people that wish to use those services.  Some individuals 
would prefer not to have the liability of running an exit node, remailer, 
etc. and I think it would be great to place that burden on crypto.is.  
Long term, if there is sufficient funding, I would also see no problem 
with paying developers and researchers to work full time on anonymity
projects.  I just don't see the negatives of donations.

> 
> I got lazy with the copytext after a short bit.  But the idea was to
> change the concept from a central organization that can fund lots of
> projects to a central star in a sky of software.  The projects page is
> most fleshed out:
> 
> Code Audit Feed
>    Writing secure code is hard. But if everyone is intimidated by the
> prospect, no secure code would be written. The Code Audit Feed seeks to
> be a single feed of commits to crypto and anonymity tools. It is the
> hope that an easy to skim feed of changes will encourage people to watch
> projects for changes relating to their area of expertise, so they can
> audit and perhaps become involved in the project.

I like the concept, but any idea on the best way to implement this?  I 
have forked any of the newer projects or updated projects that list 
members are working on at:

https://github.com/organizations/cryptodotis

I am not exactly sure on the best way to find and aggregate all of this 
information.  Any ideas would be nice.

> 
> Intro to Crypto
>    This series of articles aims to show the layperson what benefits
> using cryptography and anonymity software can provide them, how to
> install and use the software, and finally how to give back to the
> community by running services of their own.
> 

I love this and was hoping it would be one of the main results of the 
project.  Looking back, the first Cypherpunk movement made an effort to 
prove cryptography and cryptographic software could be used for social 
change.  They created brilliant tools from innovative concepts.  I believe
the next movement will make these tools so pervasive and easy to use that 
anyone and everyone can and will use them.  It is at that point we will 
really see the change.  I always have said that I don't think you should 
have to know your way around a command line to get the privacy, security, 
and anonymity that all individuals deserve.

> Code Clearing House
>    It can be a wide internet out there. This project aims to group
> security and anonymity software, provide an overview of what it does
> and doesn't provide, and links to further resources.
> 

Most definitely.


> Bleeding Edge
>    This area is meant to be a testbed of bleeding edge technologies
> like Strict Transport Security. While not a comprehensive walkthrough -
> we hope to provide enough information for experienced sysadmins to set
> up bleeding edge features, as well as link to existing implementations.

Most definitely.

> 
> And then the individual boxes like remailers, tor, etc that previously
> Crypto.is was 'funding, supporting, etc' will be items that the site
> provides limited information about, support for, etc.

I agree, writing copy can be a dull task but I am glad you started to make
these changes.  I was trying to come up with the best way for everyone to 
contribute.  First thought is a wiki based system, but I would like to not
depend on a database or bring in potential security issues.  I would also 
like the website content to be available to users without web access or
who would prefer not to use the browser.

I think the route I am going to go is to set up a repository of human
readable, yet parsable into HTML, files.  It looks like a directory of
reStructuredText or Markdown files is the way to go.  From this point, the
web server can simply render these pages from the repo.

https://secure.wikimedia.org/wikipedia/en/wiki/ReStructuredText
https://secure.wikimedia.org/wikipedia/en/wiki/Markdown

I will set up a template for people to use and follow for pages, tutorials,
etc. and set them up to fit the look of the site.  I think using this
format will make it easiest for the greatest number of people to 
contribute and edit content for the site. Ultimately I think the 
site/server will grow into something along the lines of Jekyll 
(https://github.com/mojombo/jekyll)

> 
> Also, I have it on good authority that the cypherpunk movement will be
> picking up steam shortly - it would be very nice to coordinate a launch.
> I'm hoping a new individual joins the list shortly and gets back in
> contact.

This is great to hear!   That was my hope, to bring together everyone who 
was interested, is interested, or could be interested together and begin 
collaborating and working on cypherpunk-esque projects, software, and 
research.  

My goal today is to take your changes, add more content, and then 
hopefully put enough content on the site to make it presentable and 
public.

Thank You,
Sir Valiance


> 
> - -tom
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (Cygwin)
> 
> iEYEARECAAYFAk4c3iIACgkQJZJIJEzU09sZ5QCdG1ErxszmdoeCp8SRsGAPGvyL
> GP0AoLBQhZJ2ncHG0EVA44TYQHMRXiwv
> =PU7x
> -----END PGP SIGNATURE-----
> 

Re: [remailer] Remailer Lists, The Crypto Project, and Len

From:
Tom Ritter
Date:
2011-07-13 @ 19:06
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> One thing I noticed is that your changes seem to diminish the call for
> donations, or at least aim to direct funding for other projects.  I am
> curious if you object to the idea of donations, and if so, why? I
> personally see nothing wrong with taking donations (or directing to the
> donations pages for other projects) if people feel that they would like
> to contribute. Some would like to contribute to projects but don't have
> the time, therefore give money.  I would really like to collect funding
> to pay for and setup servers for the various anonymity, security and
> privacy projects for people that wish to use those services.  Some
> individuals would prefer not to have the liability of running an exit node,
> remailer, etc. and I think it would be great to place that burden on
> crypto.is.  Long term, if there is sufficient funding, I would also see no
> problem with paying developers and researchers to work full time on
> anonymity projects.  I just don't see the negatives of donations.

Let's put it this way.  You will not receive any donations for
crypto.is.  For a long time.  People don't donate to projects often.
I know things like kickstarter and truecrypt's 150K drive makes you
think they do - but they don't.  If someone really wants to donate to
crypto.is, having a one-liner at the bottom of the site saying 'E-mail
us' will be sufficient.

If someone wants to donate to a project - they will donate to the
project directly.  And because the project *did something*, not
because they *want* to do something.  I have a page "Donate - Money"
that I intended to point to individual projects in different spaces.
There's no reason for crypto.is to be a clearinghouse to redonate
money around to different projects, and there's all sorts of reasons
it *shouldn't* be.

Down-the-road funding developers would be *awesome*.  It will almost
certainly come from grants though - not donations.  Donations don't
make a stable source of income for someone.  A project that says
"We're a new organization but we want to collect money, and put it in
a pot for 4 years from now..." - that's not kosher.

The one legitimate aspect for donations I could see would be wanting
to fund a tor node, or a remailer.  We can point to torservers for
sponsoring a tor node though.  They'd be able to run it better than
us.  As far as sponsoring a remailer - let's cross that bridge when we
come to it.  I _really_ like the idea, but we don't need an
infrastructure in place for that immediately.  Let's sit on it for a
couple months, and revisit it in context.  There's lots of things to
consider - who will run them, how can we make them geographically and
ISP-diverse, etc.  There are indeed a few remops on the list, so this
is a real possibility for a service for us to offer.  I love the idea.
 I want to explore it in another thread though.  I also want to pore
through the remailer code more, personally.

The negative of donations is that it looks bad.  The best-looking
organization looks bad when there's a bunch of "Aren't we awesome!
Donate!" all around.

I would, and specifically noted a place to, encourage direct donations
to other projects.  And I even left a one-liner in for donations for
crypto.is expenses (which shouldn't be more than $200/year for a VPS
and domain - easily coverable by anyone committed to the project, I
could run it myself off my server if needed.)  But I find any more
encouragement for people to donate money to an untested, unestablished,
fledgling organization that hasn't *done* anything yet... distasteful.
I think it looks bad, and I know I would be put off by an organization
like that.

Time, involvement, code, and copy-writing are much more valuable to us
at this stage than money.  What would even $5000 do for us?  It'd get
us a nice rackmount server we don't need, or it'd be re-donated.

>> Code Audit Feed
> I like the concept, but any idea on the best way to implement this?

It's my hope that a small push by me will introduce another developer
to the idea and they will flesh it out more.  That's probably
unlikely.  But basically, it's not that difficult.

   +--+                                                        +--+
   |  |RSS Feeds+----------------+                           ->+  |
   +--+                          |                           | +--+
                                 |                           | Web Frontend
   +--+                          |                           |
   |  |SVN Logs+                 |   +--------------------+  |
   +--+        |                 |   |                    |  |
               +-----------------+-->| Aggregation Engine +--+
   +--+        |                 |   |                    |  |
   |  |git Logs+                 |   +--------------------+  |
   +--+                          |                           | +--+
                                 |                           ->|  |
   +--+                          |                             +--+
   |  |-announce Mailing Lists+--+                             RSS Feed
   +--+



Write services that parse different inputs: rss feeds, subversion
logs, posts to -announce lists - whatever projects are using to track
changes and releases.  Aggregate that for a bunch of projects into a
database.  Output the database to a feed and a frontend.  Basically
it's the same thing each individual project makes available, but we're
going to make it available for all of them.  And then we can create
custom rss feeds:

  /auditfeed/feeds/keywords/rsa+elgamal+assymmetric

Add that feed to your feedreader, and instead of seeing every commit
on every project, you'll only see ones relating to public key crypto.
Of course that's a v2 feature, but there's a lot that can be done
there, and there's clear milestones.  v0.1 will check one type of
source for one project, and republish the information.  v0.2 checks
one type of source for two projects, and so on.

> https://github.com/organizations/cryptodotis

I can't see this organization.

> I think the route I am going to go is to setup a repository of human
> readable, yet parsable into HTML  files.  It looks like a directory
> of reStructuredText or Markdown files is the way to go.  From this
> point, the web server can simply render these pages from the repo.

> I will setup a template for people to use and follow for pages,
> tutorials, etc. and set them up to fit the look of the site.  I think
> using this format will make it easiest for the greatest number of people
> to contribute and edit content for the site. Ultimately I think the
> site/server will grow into something along the lines of Jekyll

Markdown Markdown Markdown.  It's pretty awesome.  Use Markdown.  I
use python-markdown with a custom extension to remove images on my
website for comments.  For now, I think github+markdown for the
content pages would be good.  Later we can try and remove github from
the equation, but for now I think anyone likely to contribute will be
able to fork, edit, commit, push, and issue a pull request.

-tom
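The Code Audit Feed pipeline sketched in the message above (parse per-project sources, aggregate, republish a keyword-filtered feed), as an added example that is not part of the original post or any project's code. The project names, sample git log and sample release feed are constructed, and an in-memory dict stands in for the database.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass

FEED_PREFIX = "/auditfeed/feeds/keywords/"
WORD = re.compile(r"[a-z0-9_-]+")

# Constructed sample: output of
#   git log --pretty=format:'%H%x1f%s%x1f%b%x1e'
# (%x1f separates fields, %x1e ends a record; hashes shortened for readability)
GIT_LOG = (
    "a1b2c3d\x1fFix RSA padding check in key import\x1fReject short keys.\x1e\n"
    "e4f5a6b\x1fUpdate README\x1f\x1e\n"
)

# Constructed sample: one project's release feed (RSS 2.0).
RSS_XML = """<rss version="2.0"><channel><title>releases</title>
<item><guid>rel-0.2</guid><title>0.2 released</title>
<description>ElGamal key generation now uses a safe prime</description></item>
<item><guid>rel-0.1</guid><title>0.1 released</title>
<description>Initial release</description></item>
</channel></rss>"""


@dataclass(frozen=True)
class Entry:
    project: str
    source: str  # "git" or "rss"
    ident: str   # commit hash or feed guid
    title: str
    body: str


def parse_git_log(project, text):
    """Turn delimiter-separated git log output into entries."""
    entries = []
    for record in text.split("\x1e"):
        fields = record.strip("\n").split("\x1f", 2)
        if len(fields) != 3:
            continue  # empty trailer or malformed record
        commit, subject, body = fields
        entries.append(Entry(project, "git", commit, subject, body.strip()))
    return entries


def parse_rss(project, xml_text):
    """Parse a project's RSS feed; feeds are untrusted input."""
    upper = xml_text.upper()
    if "<!DOCTYPE" in upper or "<!ENTITY" in upper:
        # Refuse DTDs so entity-expansion tricks never reach the parser.
        raise ValueError("DTD/entity declarations are not accepted in feeds")
    entries = []
    for item in ET.fromstring(xml_text).iter("item"):
        ident = item.findtext("guid") or item.findtext("link") or ""
        entries.append(Entry(project, "rss", ident,
                             item.findtext("title", ""),
                             item.findtext("description", "")))
    return entries


def aggregate(sources):
    """Merge entry lists, keeping the first copy of each (project, source, ident)."""
    db = {}
    for entries in sources:
        for e in entries:
            db.setdefault((e.project, e.source, e.ident), e)
    return list(db.values())


def keywords_from_path(path):
    """'/auditfeed/feeds/keywords/a+b' -> ['a', 'b'], rejecting anything else."""
    if not path.startswith(FEED_PREFIX):
        raise ValueError("not a keyword feed path")
    keywords = path[len(FEED_PREFIX):].lower().split("+")
    if not all(WORD.fullmatch(k) for k in keywords):
        raise ValueError("keywords must match [a-z0-9_-]+")
    return keywords


def filter_entries(entries, keywords):
    """Keep entries whose title or body contains any keyword as a whole word."""
    wanted = set(keywords)
    return [e for e in entries
            if wanted & set(WORD.findall((e.title + " " + e.body).lower()))]


def render_rss(entries, keywords):
    """Build the output feed with ElementTree so untrusted text is escaped."""
    rss = ET.Element("rss", version="2.0")
    channel = ET.SubElement(rss, "channel")
    ET.SubElement(channel, "title").text = "auditfeed: " + " ".join(keywords)
    for e in entries:
        item = ET.SubElement(channel, "item")
        ET.SubElement(item, "guid").text = f"{e.project}:{e.source}:{e.ident}"
        ET.SubElement(item, "title").text = f"[{e.project}] {e.title}"
        ET.SubElement(item, "description").text = e.body
    return ET.tostring(rss, encoding="unicode")


def keyword_feed(path, entries):
    keywords = keywords_from_path(path)
    return render_rss(filter_entries(entries, keywords), keywords)


if __name__ == "__main__":
    db = aggregate([parse_git_log("mixproj", GIT_LOG), parse_rss("nymproj", RSS_XML)])
    print(keyword_feed(FEED_PREFIX + "rsa+elgamal+assymmetric", db))
```

Commit messages and release notes come from third parties, so the republished feed is built through an XML serializer rather than string concatenation, and the keyword path is validated before use.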

Re: [remailer] Remailer Lists, The Crypto Project, and Len

From:
Patrick R McDonald
Date:
2011-07-08 @ 13:36
> On Thu, Jul 7, 2011 at 5:37 AM, Sir Valiance <sir@sirvaliance.com> wrote:
> Now, on to the non-profit corporation issues.
>
> (Obligatory disclaimer: I am not a lawyer, this is not legal advice.)
>
> Our experience at Tor was that we survived for a few years with just
> me and Roger paid to work on the software.  At that time, we were
> unincorporated: Roger received the money that we were paid, and paid
> me directly.  Whatever he didn't pay me, he had to declare as income.
> We didn't incorporate as a 501c3 until we finally got a grant large
> enough that we couldn't spend it all in one year: our choices would
> have been to either pay taxes on all the money in one year, or to
> incorporate and have the company keep the money and pay us.  Because
> we're working for the public good, and because corporate income taxes
> are no fun, and because we were pretty sure that we'd do badly
> starting a for-profit anonymity company, we decided to incorporate as
> a 501c3 tax-exempt charity.
>
> Having a 501c3 nonprofit (in US law, at least) lets you do a bunch of
> things, and requires you to do a bunch of things.  On the things that
> it lets you do:
>   * Since it's a corporation, the corporation's liabilities aren't your
> own.
>   * Since it's a nonprofit, it doesn't need to pay income tax.  (Its
> employees and contractors still need to pay taxes, of course.)
>   * Since it's a 501c3 charity, people who donate to it can deduct
> their donations on their income taxes.
>
> On the things that it forces you to do:
>   * There is a lot of overhead.  It is approximately 1 person's
> full-time job to keep all the financial paperwork straight.
>   * You have to have a board, and regular board meetings.
>   * You have to file some fairly complex paperwork and face regular
> audits.
>   * If you expect to be doing anything that people might one day
> object to -- like, say, providing anonymous communications for
> unpopular groups -- you'd better make sure that all the paperwork is
> perfect.  This will require lawyers.  It is almost impossible to find
> specialists in nonprofit law who are willing to work pro bono.
>
> On the things that it does not actually do:
>   * It doesn't actually cause you to get donations on its own.  Only a
> proven record of accomplishing things that people want to support does
> that, and donors seem to only care a certain amount about whether they
> can deduct their contributions.
>
> In summary, a 501c3 nonprofit or similar legal entity is mainly a way
> for a charitable cause to manage its money.  It's a good idea if
> you're getting a lot of money for your charitable cause, and not so
> much if you aren't.  It is not a good vehicle for *getting* donations:
> that is, having one doesn't make money show up.
>
> So IMO, it's a good idea to think of going 501c3 in the future, and
> plan for that end, but I'd suggest that you don't think too hard about
> it until there are some actual assets or income for the nonprofit to
> handle.

Thanks, that info was very helpful.

> So yeah!  Let's pick something to design and code and get to work on
> it.  Who feels like a remailer? :)

As a non-coder, looking for ways I can help.  A couple things I noticed.

1) The bug tracker link points to bug.noreply.org which redirects to Tor's
Trac page
2) The current source is stored in CVS
3) Vaguely remember someone (sirvaliance?) who updated Mixminion to run
with the latest Python which is not on the site.

I would be happy to assist in moving/running the bug tracker and
transferring the source to a preferable VCS.  Does anyone have access to
the current site to help facilitate these changes?  Also might we want to
add the issues listed at https://github.com/sirvaliance/mixminion/issues
to the bug tracker?

Re: [remailer] Remailer Lists, The Crypto Project, and Len

From:
Sir Valiance
Date:
2011-07-08 @ 21:21
On Jul 8, 2011, at 8:36 AM, Patrick R McDonald wrote:

>> On Thu, Jul 7, 2011 at 5:37 AM, Sir Valiance <sir@sirvaliance.com> wrote:
>> Now, on to the non-profit corporation issues.
>> 
>> (Obligatory disclaimer: I am not a lawyer, this is not legal advice.)
>> 
>> Our experience at Tor was that we survived for a few years with just
>> me and Roger paid to work on the software.  At that time, we were
>> unincorporated: Roger received the money that we were paid, and paid
>> me directly.  Whatever he didn't pay me, he had to declare as income.
>> We didn't incorporate as a 501c3 until we finally got a grant large
>> enough that we couldn't spend it all in one year: our choices would
>> have been to either pay taxes on all the money in one year, or to
>> incorporate and have the company keep the money and pay us.  Because
>> we're working for the public good, and because corporate income taxes
>> are no fun, and because we were pretty sure that we'd do badly
>> starting a for-profit anonymity company, we decided to incorporate as
>> a 501c3 tax-exempt charity.
>> 
>> Having a 501c3 nonprofit (in US law, at least) lets you do a bunch of
>> things, and requires you to do a bunch of things.  On the things that
>> it lets you do:
>>  * Since it's a corporation, the corporation's liabilities aren't your
>> own.
>>  * Since it's a nonprofit, it doesn't need to pay income tax.  (Its
>> employees and contractors still need to pay taxes, of course.)
>>  * Since it's a 501c3 charity, people who donate to it can deduct
>> their donations on their income taxes.
>> 
>> On the things that it forces you to do:
>>  * There is a lot of overhead.  It is approximately 1 person's
>> full-time job to keep all the financial paperwork straight.
>>  * You have to have a board, and regular board meetings.
>>  * You have to file some fairly complex paperwork and face regular
>> audits.
>>  * If you expect to be doing anything that people might one day
>> object to -- like, say, providing anonymous communications for
>> unpopular groups -- you'd better make sure that all the paperwork is
>> perfect.  This will require lawyers.  It is almost impossible to find
>> specialists in nonprofit law who are willing to work pro bono.
>> 
>> On the things that it does not actually do:
>>  * It doesn't actually cause you to get donations on its own.  Only a
>> proven record of accomplishing things that people want to support does
>> that, and donors seem to only care a certain amount about whether they
>> can deduct their contributions.
>> 
>> In summary, a 501c3 nonprofit or similar legal entity is mainly a way
>> for a charitable cause to manage its money.  It's a good idea if
>> you're getting a lot of money for your charitable cause, and not so
>> much if you aren't.  It is not a good vehicle for *getting* donations:
>> that is, having one doesn't make money show up.
>> 
>> So IMO, it's a good idea to think of going 501c3 in the future, and
>> plan for that end, but I'd suggest that you don't think too hard about
>> it until there are some actual assets or income for the nonprofit to
>> handle.
> 
> Thanks, that info was very helpful.
> 
>> So yeah!  Let's pick something to design and code and get to work on
>> it.  Who feels like a remailer? :)
> 
> As a non-coder, looking for ways I can help.  A couple things I noticed.
> 
> 1) The bug tracker link points to bug.noreply.org which redirects to Tor's
> Trac page
> 2) The current source is stored in CVS
> 3) Vaguely remember someone (sirvaliance?) who updated Mixminion to run
> with the latest Python which is not on the site.
> 
> I would be happy to assist in moving/running the bug tracker and
> transferring the source to a preferable VCS.  Does anyone have access to
> the current site to help facilitate these changes?  Also might we want to
> add the issues listed at https://github.com/sirvaliance/mixminion/issues
> to the bug tracker?
> 


Yes, that link is to the updates I did to Mixminion.  Nothing special, 
just ran the tests on my Linux and Mac machines and fixed the errors until 
it passed all of the tests.  The "Issues" on Github are just me taking 
everything that was listed on TODO.txt to reach 0.0.8.  After doing some 
review and getting used to the code, I decided to go back and do some more
researching and reading papers before going back to it.  Sadly I got 
somewhat sidetracked with work to pay the bills and didn't get to it.  Hoping 
to do so very soon.

I set up a Github organization at https://github.com/cryptodotis if we 
wanted to use that for managing projects.  I can start adding repositories
and people/teams to the project if wanted. It might reduce the overhead of
worrying about source control and project management.  Let me know what 
you guys think.

Thank You,
Sir Valiance

Re: [remailer] Remailer Lists, The Crypto Project, and Len

From:
Meredith L. Patterson
Date:
2011-07-08 @ 13:46
Hi folks,

Just dropping in quickly to say that I'm following this discussion as
avidly as I can at the moment, and am looking forward to contributing
as I can once some of the current chaos has settled to a duller roar.
Regarding source control, I can provide space on one of Len's boxes if
someone else will tackle the importing; I'll provide whoever does it
with a shell account on the machine.

I'd also made some headway on porting Mixmaster to Android and am
hoping to pick that back up as one of the first things I do; if anyone
is interested in pushing forward on that, I can tell you what I was
planning to do next. Feel free to email me offlist or on.

best,
--mlp


Re: [remailer] Remailer Lists, The Crypto Project, and Len

From:
Patrick R McDonald
Date:
2011-07-08 @ 16:10
On Fri, Jul 08, 2011 at 03:46:54PM +0200, Meredith L. Patterson wrote:
> Hi folks,
> 
> Just dropping in quickly to say that I'm following this discussion as
> avidly as I can at the moment, and am looking forward to contributing
> as I can once some of the current chaos has settled to a duller roar.
> Regarding source control, I can provide space on one of Len's boxes if
> someone else will tackle the importing; I'll provide whoever does it
> with a shell account on the machine.

I will volunteer to handle the importing.  Assuming everyone would
prefer to use git.  If not, please let me know.  Meredith, feel free to
contact me off list at your convenience.

-- 
----------------------------------------------------------------                
| Patrick R. McDonald                       GPG Key: 668AA5DF  |                
| https://www.antagonism.org/         <marlowe@antagonism.org> |                
|                               <mcdonald.patrick.r@gmail.com> |                
|                         <patrick@opensecurityfoundation.org> |                
----------------------------------------------------------------                
| Malo periculosam libertatem quam quietum servitium           |                
----------------------------------------------------------------

Re: [remailer] Remailer Lists, The Crypto Project, and Len

From:
Lance Cottrell
Date:
2011-07-13 @ 04:04
I agree on the trap of focusing on organization. Mixmaster 1.0 and 2.0 got
written because I was frustrated by the lack of progress on the Mixmaster 
style remailers and just sat down and started banging out code. There is 
nothing like a project that is actually making progress and doing 
something to attract energy and attention. It is hard to get people 
motivated with just ideas and talk.

	-Lance


On Jul 7, 2011, at 3:31 PM, Nick Mathewson wrote:

> On Thu, Jul 7, 2011 at 5:37 AM, Sir Valiance <sir@sirvaliance.com> wrote:
>> Hi Everyone,
>> 
> 
> Hi!
> 
> I don't have time right now to comment on everything right away, but
> I'll try to come back later to talk about the things I haven't had a
> chance to look at yet.
> 
> I like the idea of trying to get together to make more things happen
> with remailers and anonymity tech.  There are lots of places where
> different conversations are going on now.  I think that's a fine
> thing, but it'd be good to keep abreast of what everybody's doing, and
> try to coordinate behind efforts that seem to be making  progress.
> 
> I am *against* trying to coordinate behind any *particular* effort
> that is not yet making progress.
> 
> A brief rant: Since I stopped doing active mixminion development, I
> have had no less than 4 teams of people come up to me and declare that
> they were going to pick up remailer development, but never actually
> get any development done: they spent all of their time making a plan
> for forming a group to make a consensus to make a team to ... etc,
> etc, etc, and they never actually got around to coding.
> 
> So let's not do that.  I would so much rather spend my time talking
> about anonymity tech than about how to organize an organization to
> encourage people to do anonymity tech that it isn't even funny. :)
> 
> Please don't take this as discouragement; please instead take it as
> encouragement to get designs and code written up.
> 
> 
> 
> Now, on to the non-profit corporation issues.
> 
> (Obligatory disclaimer: I am not a lawyer, this is not legal advice.)
> 
> Our experience at Tor was that we survived for a few years with just
> me and Roger paid to work on the software.  At that time, we were
> unincorporated: Roger received the money that we were paid, and paid
> me directly.  Whatever he didn't pay me, he had to declare as income.
> We didn't incorporate as a 501c3 until we finally got a grant large
> enough that we couldn't spend it all in one year: our choices would
> have been to either pay taxes on all the money in one year, or to
> incorporate and have the company keep the money and pay us.  Because
> we're working for the public good, and because corporate income taxes
> are no fun, and because we were pretty sure that we'd do badly
> starting a for-profit anonymity company, we decided to incorporate as
> a 501c3 tax-exempt charity.
> 
> Having a 501c3 nonprofit (in US law, at least) lets you do a bunch of
> things, and requires you to do a bunch of things.  On the things that
> it lets you do:
>  * Since it's a corporation, the corporation's liabilities aren't your own.
>  * Since it's a nonprofit, it doesn't need to pay income tax.  (Its
> employees and contractors still need to pay taxes, of course.)
>  * Since it's a 501c3 charity, people who donate to it can deduct
> their donations on their income taxes.
> 
> On the things that it forces you to do:
>  * There is a lot of overhead.  It is approximately 1 person's
> full-time job to keep all the financial paperwork straight.
>  * You have to have a board, and regular board meetings.
>  * You have to file some fairly complex paperwork and face regular audits.
>  * If you expect to be doing anything that people might one day
> object to -- like, say, providing anonymous communications for
> unpopular groups -- you'd better make sure that all the paperwork is
> perfect.  This will require lawyers.  It is almost impossible to find
> specialists in nonprofit law who are willing to work pro bono.
> 
> On the things that it does not actually do:
>  * It doesn't actually cause you to get donations on its own.  Only a
> proven record of accomplishing things that people want to support does
> that, and donors seem to only care a certain amount about whether they
> can deduct their contributions.
> 
> In summary, a 501c3 nonprofit or similar legal entity is mainly a way
> for a charitable cause to manage its money.  It's a good idea if
> you're getting a lot of money for your charitable cause, and not so
> much if you aren't.  It is not a good vehicle for *getting* donations:
> that is, having one doesn't make money show up.
> 
> So IMO, it's a good idea to think of going 501c3 in the future, and
> plan for that end, but I'd suggest that you don't think too hard about
> it until there are some actual assets or income for the nonprofit to
> handle.
> 
> 
> 
> Some random thoughts on crypto.is:
> 
> Until you've got a research papers page, you might as well put up a
> link to freehaven.net/anonbib.  (Full disclosure: I'm one of the
> maintainers for that.)
> 
> It would be good to have a directory of places where mixnet
> development discussion is happening.
> 
> 
> 
> So yeah!  Let's pick something to design and code and get to work on
> it.  Who feels like a remailer? :)
> 
> 
> my inflationary two cents,
> -- 
> Nick
> 

--
Lance Cottrell
loki@obscura.com


Re: [remailer] Remailer Lists, The Crypto Project, and Len

From:
Sir Valiance
Date:
2011-07-13 @ 19:29
On Jul 12, 2011, at 11:04 PM, Lance Cottrell wrote:

> I agree on the trap of focusing on organization. Mixmaster 1.0 and 2.0 
> got written because I was frustrated by the lack of progress on the 
> Mixmaster style remailers and just sat down and started banging out code. 
> There is nothing like a project that is actually making progress and doing
> something to attract energy and attention. It is hard to get people 
> motivated with just ideas and talk.
> 
> 	-Lance
> 
> 

Hi Lance,

I am glad to see you posting on the list! I agree with not focusing so 
much on organizing or the organization of the project, I just want to 
start and build a big enough fire that anyone can huddle around.  Reducing
fragmentation (whether it is on the mailing lists or across the various 
projects) and getting people excited about working on this type of 
software again (and getting some new contributors) would be great.  
Generating conversation and excitement will help get people together and 
collaborating on such projects (I hope).  

I agree we need to start writing more code and so far people are making 
some steps forward. Yes, Cypherpunks write code, but we do have to start 
somewhere.  I hope that once I get http://crypto.is into a state that is 
viewable to the public (or has any content worth showing) we can get some 
more people interested in this type of work  and inspire some coding.

Thank You,
Sir Valiance


