From nathan at guardianproject.info Fri Mar 4 14:18:36 2011
From: nathan at guardianproject.info (Nathan of Guardian)
Date: Fri, 04 Mar 2011 14:18:36 -0500
Subject: [OTR-users] Fwd: [guardian-alpha] Gibberbot 0.0.3 RC 3 (201100304b)
Message-ID: <4D713B0C.8090009@guardianproject.info>

Hey everyone,

The Guardian Project is looking both for end-user feedback, as well as
technical review of our OTR implementation for Gibberbot, an open-source
XMPP messaging app for Android which aims to be as secure as possible by
default.

We are using the OTR4J project on Android:
http://code.google.com/p/otr4j/

You can find the custom bits of our implementation here:
https://github.com/guardianproject/Gibberbot/tree/master/src/info/guardianproject/otr

We've got some fun twists on things including support for QRCode
scanning as a way to quickly verify keys in person (screenshots here:
https://guardianproject.info/apps/gibber/)

Currently, the keys and verified fingerprints are stored on the file
system via a Java Properties class. With Android, each app has its own
internal storage space protected by user permissions, and this gives us
some amount of security there. However, we are moving the entire app to
sit on top of a symmetric key encrypted SQLite database shortly.

Best,
Nathan

-------- Original Message --------
Subject: [guardian-alpha] Gibberbot 0.0.3 RC 3 (201100304b)
Date: Fri, 04 Mar 2011 13:50:33 -0500
From: Nathan of Guardian
Organization: The Guardian Project
To: guardian-dev, guardian-alpha at lists.mayfirst.org

We've got a new release candidate worthy build ready for you to test!

You can find it in the Android Market or download it directly here:
https://github.com/guardianproject/Gibberbot/Gibberbot-0.0.3-RC3-20110304b.apk/qr_code

To provide feedback or report issues, you have three options:

1) Reply to this email (easy)
2) Fill out this form (a little more involved):
   https://guardianproject.info/contact/feedback/
3) Enter issues into Github (the best, but a little more complex):
   https://github.com/guardianproject/Gibberbot/issues

****

Here's a short list of what has been fixed:

- Wizard UI should now work better on landscape mode and smaller
  screens.... no more hidden buttons!
- Included an updated build of the ASmack XMPP library that powers the
  chat protocol bit of our app. This has the latest patches from the
  core Smack library.
- Improved TLS certification verification process and properly tied
  into Settings menu; added support for Android BKS keystore and cacerts
- Added support for controlling whether SRV DNS record lookup is done
  or not (it is better NOT to for privacy reasons, especially when
  running over Tor)
- Began the localization process into all supported Android SDK
  languages (starting automated, will bring humans in later to edit)
- Turned off inappropriate autocomplete/suggest where possible
- Cleaned up graphics and text copy

From Katie at critpath.org Wed Mar 9 23:03:31 2011
From: Katie at critpath.org (Katharine Krauss)
Date: Wed, 9 Mar 2011 23:03:31 -0500
Subject: [OTR-users] help.
Message-ID: <1F3C40C0-2FCC-4322-B538-450AD26E8C9C@critpath.org>

Hi,

I'm new here. Really new. The typical question on this list is labeled
something like this: Request: Pidgin plugin should request refresh if
other user offline

Here's my question: Which version of the software should I download
and install? Because I've read everything pretty carefully and I still
have no idea.

Is there something else I should read? I read the FAQ and it looks a
lot like the Pidgin plugin situation. Could someone talk me through it
by phone or, you know, Skype?

I'm learning to use this software so I can teach it to a group of
people who really need it. And yes, they are stuck with me.

Kate

ps: Thanks for writing this software, whoever you are.

From aaron.toponce at gmail.com Thu Mar 10 01:37:01 2011
From: aaron.toponce at gmail.com (Aaron Toponce)
Date: Wed, 09 Mar 2011 23:37:01 -0700
Subject: [OTR-users] help.
In-Reply-To: <1F3C40C0-2FCC-4322-B538-450AD26E8C9C@critpath.org>
References: <1F3C40C0-2FCC-4322-B538-450AD26E8C9C@critpath.org>
Message-ID: <4D78718D.7010605@gmail.com>

On 03/09/2011 09:03 PM, Katharine Krauss wrote:
> Here's my question: Which version of the software should I download and
> install? Because I've read everything pretty carefully and I still have
> no idea.

The most recent stable version.

--
. o .   o . o   . . o   o . .   . o .
. . o   . o o   o . o   . o o   . . o
o o o   . o .   . o o   o o .   o o o

From kat at paip.net Thu Mar 10 17:05:17 2011
From: kat at paip.net (Kat Hanna)
Date: Thu, 10 Mar 2011 17:05:17 -0500 (EST)
Subject: [OTR-users] help.
In-Reply-To: <1F3C40C0-2FCC-4322-B538-450AD26E8C9C@critpath.org>
References: <1F3C40C0-2FCC-4322-B538-450AD26E8C9C@critpath.org>
Message-ID:

Hi Kate,

On Wed, 9 Mar 2011, Katharine Krauss wrote:
> I'm new here. Really new. The typical question on this list is labeled
> something like this: Request: Pidgin plugin should request refresh if
> other user offline
>
> Here's my question: Which version of the software should I download
> and install? Because I've read everything pretty carefully and I still
> have no idea.

It depends on your operating system and IM client.

If you are using Windows, the easiest thing is to download and install
pidgin (http://www.pidgin.im/download/), which is an IM client that
works on most IM networks. Then download and install the OTR plugin
(http://www.cypherpunks.ca/otr/ just above the News section). Each of
these installations should just require you to run the installer.

To enable OTR, start pidgin and open your Buddy List. Go to Tools >
Plugins. In the Plugins dialog check Off-the-Record Messaging and click
Close.

Help on setting up pidgin, adding IM accounts, etc is at
http://www.pidgin.im/support/.

If you are using Mac OS X, the easiest thing is to download and install
Adium (http://adium.im/). OTR is built into Adium, so you don't need a
plugin.

Adium help is at http://adium.im/help/.

If you are using Linux, it will depend on your distribution.

> Is there something else I should read? I read the FAQ and it looks a
> lot like the Pidgin plugin situation. Could someone talk me through it
> by phone or, you know, Skype?

Let me know how you do with the info above. If you still need help, I
can make time on Saturday for a phone call.

> I'm learning to use this software so I can teach it to a group of
> people who really need it. And yes, they are stuck with me.
>
> Kate
>
> ps: Thanks for writing this software, whoever you are.

Good luck!
-Kat

From Katie at critpath.org Thu Mar 10 17:15:29 2011
From: Katie at critpath.org (Katharine Krauss)
Date: Thu, 10 Mar 2011 17:15:29 -0500
Subject: [OTR-users] help.
In-Reply-To:
References: <1F3C40C0-2FCC-4322-B538-450AD26E8C9C@critpath.org>
Message-ID: <7DF1DAD4-FCA0-45AE-ACAA-76082C7C9EE7@critpath.org>

Wow, super helpful. Thank you!

I'm on a Mac and will try these things out and get back to you. I also
need to know how to install this on Windows machines, so this is also
helpful with that.

Many thanks,

Kate

On Mar 10, 2011, at 5:05 PM, Kat Hanna wrote:

> Hi Kate,
>
> On Wed, 9 Mar 2011, Katharine Krauss wrote:
>> I'm new here. Really new. The typical question on this list is labeled
>> something like this: Request: Pidgin plugin should request refresh if
>> other user offline
>>
>> Here's my question: Which version of the software should I download
>> and install? Because I've read everything pretty carefully and I still
>> have no idea.
>
> It depends on your operating system and IM client.
>
> If you are using Windows, the easiest thing is to download and install
> pidgin (http://www.pidgin.im/download/), which is an IM client that
> works on most IM networks. Then download and install the OTR plugin
> (http://www.cypherpunks.ca/otr/ just above the News section). Each of
> these installations should just require you to run the installer.
>
> To enable OTR, start pidgin and open your Buddy List. Go to Tools >
> Plugins. In the Plugins dialog check Off-the-Record Messaging and click
> Close.
>
> Help on setting up pidgin, adding IM accounts, etc is at
> http://www.pidgin.im/support/.
>
> If you are using Mac OS X, the easiest thing is to download and install
> Adium (http://adium.im/). OTR is built into Adium, so you don't need a
> plugin.
>
> Adium help is at http://adium.im/help/.
>
> If you are using Linux, it will depend on your distribution.
>
>> Is there something else I should read? I read the FAQ and it looks a
>> lot like the Pidgin plugin situation. Could someone talk me through it
>> by phone or, you know, Skype?
>
> Let me know how you do with the info above. If you still need help, I
> can make time on Saturday for a phone call.
>
>> I'm learning to use this software so I can teach it to a group of
>> people who really need it. And yes, they are stuck with me.
>>
>> Kate
>>
>> ps: Thanks for writing this software, whoever you are.
>
> Good luck!
>
> -Kat

From Katie at critpath.org Thu Mar 10 19:56:45 2011
From: Katie at critpath.org (Katharine Krauss)
Date: Thu, 10 Mar 2011 19:56:45 -0500
Subject: [OTR-users] Using OTR with Tor on a Mac?
In-Reply-To:
References: <1F3C40C0-2FCC-4322-B538-450AD26E8C9C@critpath.org>
Message-ID: <91F6B4B5-6D05-4545-8DF6-EE44C917A09E@critpath.org>

Hi,
I'm moving along better thanks to Kat's help; I appreciate the help of
other members of the group as well.
My goal is to use OTR chat with Tor.
I've never used Tor as a user, only making a relay & bridge.

So, is this correct?
I open up Tor,
Click on "run as a client only" (do I need to configure anything else
to use Tor as a user & not a relay or bridge?)

a browser (?) named Namoroka opens In Tor.
Is it OK to allow a few scripts:

www.google.com, www.ig.gmodules.com ?

Is it ok for me to allow Javascript?
I can't actually see how, though.
Browser preferences says it's already available, but it doesn't show up
in Namoroka so no Gmail, no Google chat.

Then I go to Adium, and chat in Google Chat through Adium.

Here's the thing: I don't understand the relationship between Adium and
Tor. Exactly how should I use Adium under Tor?
If you can help--thank you. Plain, plain English works best.

I have a Mac & use 10.6.6
Firefox 3.6.15 plus this Namoroka thingy (browser?).

Many thanks,

Kate

On Mar 10, 2011, at 5:05 PM, Kat Hanna wrote:

> Hi Kate,
>
> On Wed, 9 Mar 2011, Katharine Krauss wrote:
>> I'm new here. Really new. The typical question on this list is labeled
>> something like this: Request: Pidgin plugin should request refresh if
>> other user offline
>>
>> Here's my question: Which version of the software should I download
>> and install? Because I've read everything pretty carefully and I still
>> have no idea.
>
> It depends on your operating system and IM client.
>
> If you are using Windows, the easiest thing is to download and install
> pidgin (http://www.pidgin.im/download/), which is an IM client that
> works on most IM networks. Then download and install the OTR plugin
> (http://www.cypherpunks.ca/otr/ just above the News section). Each of
> these installations should just require you to run the installer.
>
> To enable OTR, start pidgin and open your Buddy List. Go to Tools >
> Plugins. In the Plugins dialog check Off-the-Record Messaging and click
> Close.
>
> Help on setting up pidgin, adding IM accounts, etc is at
> http://www.pidgin.im/support/.
>
> If you are using Mac OS X, the easiest thing is to download and install
> Adium (http://adium.im/). OTR is built into Adium, so you don't need a
> plugin.
>
> Adium help is at http://adium.im/help/.
>
> If you are using Linux, it will depend on your distribution.
>
>> Is there something else I should read? I read the FAQ and it looks a
>> lot like the Pidgin plugin situation. Could someone talk me through it
>> by phone or, you know, Skype?
>
> Let me know how you do with the info above. If you still need help, I
> can make time on Saturday for a phone call.
>
>> I'm learning to use this software so I can teach it to a group of
>> people who really need it. And yes, they are stuck with me.
>>
>> Kate
>>
>> ps: Thanks for writing this software, whoever you are.
>
> Good luck!
>
> -Kat

From dap56 at cornell.edu Thu Mar 10 21:41:10 2011
From: dap56 at cornell.edu (Daniel Perelman)
Date: Thu, 10 Mar 2011 18:41:10 -0800
Subject: [OTR-users] Using OTR with Tor on a Mac?
In-Reply-To: <91F6B4B5-6D05-4545-8DF6-EE44C917A09E@critpath.org>
References: <1F3C40C0-2FCC-4322-B538-450AD26E8C9C@critpath.org> <91F6B4B5-6D05-4545-8DF6-EE44C917A09E@critpath.org>
Message-ID:

Replies inline.

On Thu, Mar 10, 2011 at 16:56, Katharine Krauss wrote:
> Hi,
> I'm moving along better thanks to Kat's help; I appreciate the help of other
> members of the group as well.
> My goal is to use OTR chat with Tor.
> I've never used Tor as a user, only making a relay & bridge.
>
> So, is this correct?
> I open up Tor,
> Click on "run as a client only" (do I need to configure anything else to use
> Tor as a user & not a relay or bridge?)

I have not used Tor on OS X, so I cannot comment on the details of the
interface. In my experience, Tor offers a SOCKS proxy that other
applications can use by going into each application's network settings
and putting in the proxy location which should be your computer
("localhost") and whatever port number Tor is using. Then all of the
application's traffic except DNS requests (see:
https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ#IkeepseeingthesewarningsaboutSOCKSandDNSandinformationleaks.ShouldIworry
) will travel through Tor. I believe on OS X there is a global proxy
settings option in the network settings that you could also use (which
your Tor client may already be setting for you).

>
> a browser (?) named Namoroka opens In Tor.

Namoroka is just the development codename for Firefox 3.6. As Firefox
3.6 was released a while ago, I am not sure why your browser would be
identifying itself as a development build.

> Is it OK to allow a few scripts:
>
> www.google.com, www.ig.gmodules.com ?
>
> Is it ok for me to allow Javascript?

That's a complicated question. Tor hides only which computer you are
sitting at.
Your browser (even without Javascript) may be giving enough information
to identify you by. See:
https://www.eff.org/deeplinks/2010/01/help-eff-research-web-browser-tracking
. Truly anonymous web browsing is not an easy problem.

> I can't actually see how, though.
> Browser preferences says it's already available, but it doesn't show up in
> Namoroka so no Gmail, no Google chat.

Sorry, I cannot help you there without more information. Try Firefox's
help / discussion boards.

>
> Then I go to Adium, and chat in Google Chat through Adium.
>
> Here's the thing: I don't understand the relationship between Adium and Tor.
> Exactly how should I use Adium under Tor?

I believe I answered this above. Basically, Adium's proxy settings have
to be set to use the proxy Tor is providing.

> If you can help--thank you. Plain, plain English works best.
>
> I have a Mac & use 10.6.6
> Firefox 3.6.15 plus this Namoroka thingy (browser?).
>
> Many thanks,
>
> Kate

I am not entirely sure what you are trying to gain by using OTR over
Tor. I suspect most IM protocols already used SSL between the client and
the IM server (I know Google Talk and AIM do, at least), so all Tor adds
there is that an eavesdropper won't be able to tell you are on Google
Talk (although they will probably be able to guess that you are using
some IM protocol by noticing that you are sending small messages at
irregular intervals that look vaguely like the response time in a
conversation). Google will, of course, still know you are on Google
Talk, but will not know what computer you are using (so they will not be
able to, for example, guess your physical location).

- Daniel
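
The SOCKS and DNS point in the reply above, as an added example that is not part of the original thread: whether a client leaks DNS shows up in the SOCKS CONNECT request it sends to the local proxy, which carries either a hostname (the proxy resolves it) or a bare IP address (the client resolved it first). The function names, the host talk.example.org and the address 192.0.2.10 are constructed for illustration; the SOCKS5 bytes are the request sent after method negotiation.

```python
import ipaddress
import struct

def socks_target(request: bytes):
    """Return (kind, target) for a SOCKS4/4a/5 CONNECT request.

    kind is "hostname" when the proxy is asked to resolve the name and
    "ip" when the client resolved it first (a possible local DNS lookup).
    """
    version = request[0]
    if version == 5:
        # RFC 1928 layout: VER CMD RSV ATYP DST.ADDR DST.PORT
        atyp = request[3]
        if atyp == 0x03:  # length-prefixed domain name
            length = request[4]
            return "hostname", request[5:5 + length].decode("ascii")
        if atyp == 0x01:  # IPv4 literal
            return "ip", str(ipaddress.IPv4Address(request[4:8]))
        if atyp == 0x04:  # IPv6 literal
            return "ip", str(ipaddress.IPv6Address(request[4:20]))
        raise ValueError("unknown SOCKS5 address type")
    if version == 4:
        # SOCKS4 layout: VN CD DSTPORT DSTIP USERID NUL [HOSTNAME NUL]
        dst_ip = request[4:8]
        userid_end = request.index(b"\x00", 8)
        # SOCKS4a: DSTIP of 0.0.0.x with x != 0 means a hostname follows
        if dst_ip[:3] == b"\x00\x00\x00" and dst_ip[3] != 0:
            host_end = request.index(b"\x00", userid_end + 1)
            return "hostname", request[userid_end + 1:host_end].decode("ascii")
        return "ip", str(ipaddress.IPv4Address(dst_ip))
    raise ValueError("not a SOCKS request")

def resolved_locally(request: bytes) -> bool:
    """True when the proxy only received an IP address for the target."""
    return socks_target(request)[0] == "ip"

# Constructed sample requests (hypothetical host, documentation IP, XMPP port).
HOST, PORT = b"talk.example.org", struct.pack(">H", 5222)
SOCKS5_NAME = b"\x05\x01\x00\x03" + bytes([len(HOST)]) + HOST + PORT
SOCKS5_IP = b"\x05\x01\x00\x01" + bytes([192, 0, 2, 10]) + PORT
SOCKS4A_NAME = b"\x04\x01" + PORT + b"\x00\x00\x00\x01" + b"\x00" + HOST + b"\x00"
SOCKS4_IP = b"\x04\x01" + PORT + bytes([192, 0, 2, 10]) + b"\x00"

if __name__ == "__main__":
    for name in ("SOCKS5_NAME", "SOCKS5_IP", "SOCKS4A_NAME", "SOCKS4_IP"):
        req = globals()[name]
        print(name, socks_target(req), "resolved locally:", resolved_locally(req))
```

An IP-only request does not prove a lookup left the machine (the address may have been typed in directly), but it is the pattern the linked Tor FAQ entry is about.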