[liberationtech] The unbearable lightness [and abundance] of gaza care packages
unclezzzen at gmail.com
Sat Nov 17 12:28:38 PST 2012
I've seen so far 2 different forks of the zip called Gaza Care Package:
One fork is by @Crypt0nymous
Authenticity: retweeted by @BiellaColeman
It contains 2 PDF files (potential vulnerability).
The other fork is maintained by anonrelations:
http://anonrelations.net/opisrael-95/ and already has 2 versions
https://twitter.com/AnonyOps/status/269872081125134336 (v2 link is in the
Now *this* contains the windows vidalia .exe (in both versions).
I've verified it against the sig at
it's "kosher" but there are 2 questions here:
1) Why vidalia and not torbrowser? There's a good reason why torproject
makes it hard to download anything but torbrowser. "Barefoot Vidalia" is
enough rope for beginners to hang themselves with.
2) Why distribute a .exe (or even .pdf) without means to verify its
The 2nd question is more critical, because now there are [at least] 3 zips
called "gaza care package" going around Gaza on memory sticks, and people
get used to the fact that not all of them are the same but "don't worry.
it's got an anonymous logo png on it". Spooky.
IMHO, it's easy to create an ad hoc trusted distribution system:
You can have a wrapper zip containing the payload zip, and a README.txt
(maybe call it IMPORTANT.txt) explaining how to verify it with a clause "if
you don't understand how to do this, ask someone who does".
How to verify? Easiest would be to write "the sha1sum of the zip can be
found on the bios of @anonythis and @anonythat. we hope that you already
know and trust at least one of them". You could also do that with gpg
fingerprints but sha1 is easier to teach people (the geek who verifies the
file for you can easily teach you how to verify future versions).
Does it make sense?
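
The wrapper-zip check proposed in this message, sketched as an added example that is not part of the original post: it hashes the inner payload zip with SHA-1 and reports which trusted accounts published a matching digest. The names `payload.zip`, `matching_sources` and `build_sample` are assumptions, the account handles are the post's own placeholders, and the sample zip is constructed in memory.

```python
import hashlib
import hmac
import io
import zipfile

def payload_digest(wrapper, payload_name="payload.zip", algo="sha1"):
    """Hash the inner payload zip in chunks, without unpacking it to disk."""
    digest = hashlib.new(algo)
    with zipfile.ZipFile(wrapper) as outer, outer.open(payload_name) as inner:
        for chunk in iter(lambda: inner.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def normalize(published):
    """Accept a digest as pasted from a bio: spaces, colons, upper case."""
    return "".join(c for c in published.lower() if c in "0123456789abcdef")

def matching_sources(wrapper, published, trusted, payload_name="payload.zip"):
    """Return the trusted accounts whose published digest matches the payload."""
    actual = payload_digest(wrapper, payload_name)
    return sorted(
        who for who, value in published.items()
        if who in trusted and hmac.compare_digest(normalize(value), actual)
    )

def build_sample(payload_files):
    """Constructed sample: build a wrapper zip in memory, return (wrapper, payload)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        for name, data in payload_files.items():
            z.writestr(name, data)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("payload.zip", inner.getvalue())
        z.writestr("IMPORTANT.txt", "Verify payload.zip before opening it.\n")
    return outer.getvalue(), inner.getvalue()

if __name__ == "__main__":
    wrapper, payload = build_sample({"guide.txt": "constructed sample content\n"})
    good = hashlib.sha1(payload).hexdigest()
    # Constructed digests: one account publishes the real value, one a wrong one.
    published = {"@anonythis": good.upper(), "@anonythat": "0" * 40}
    print(matching_sources(io.BytesIO(wrapper), published, {"@anonythis"}))
```

An empty result means no account the reader trusts vouches for this payload, whether the zip was swapped or the only matching digest came from an untrusted source.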