I'd been wondering when the explosive kickstarter campaign that leverages the NSA news would appear.
My feelings about projects like these are always complicated. Even though it's encouraging to see that people are excited about building secure communication platforms, my initial reaction to announcements like these is typically extreme dread.
There is a small community of people who have been working on secure mobile messaging for years, and unfortunately newcomers to secure communication generally fuck it up. Not only is that bad for users, but it's bad for those of us who have put years of effort into this, because it sets a tone where users begin to assume that all apps which attempt to provide secure communication must have done it incorrectly, so it's not worth using any of them.
I think there are probably enough apps in this space now (TextSecure, ChatSecure, Gibberbot, Silent Circle) that these folks could have probably just partnered with or contributed to an existing project in order to meet their needs. Despite the article's subtitle, this will be far from "the first secure mobile messaging system."
Can anyone who knows this stuff provide additional feedback on apps like ChatSecure and Gibberbot? Are they considered to be good crypto implementations?
Update: I installed ChatSecure on my iPad and it's very easy to set up. So easy in fact that I'm thinking there must be something wrong with it, because otherwise it would probably be recommended more often in these types of threads...
One of the things that seems problematic is that the background session expires after a few minutes, so if someone tries to just randomly message you, chances are you won't be logged in, so this can't be a replacement for IM.
Hahaha, perhaps because we don't have a fancy graphic designer, marketing budget or PR firm? Version 2.x does have some bugs that we are working out, stemming from a large refactor to use Core Data. However, we actually don't touch the crypto ourselves and delegate all of it to the official libotr library. If you want to come help improve it, come check out the source: https://github.com/chrisballinger/Off-the-Record-iOS/
One suggestion I would make: Once your things are set up, you shouldn't have to go to the settings screen to log in. Maybe there could be an 'account' button on the main screen or on the buddy list and from there you could sign in and out directly. I think that would make it more friendly to non-techies.
The timeout on ChatSecure is a drawback of iOS. It forces the app to close after 10 minutes of inactivity. Very annoying.
I'm with moxie. There are already plenty of good encryption apps out there. That 100,000 could have gone to existing apps that do what they say they do rather than an app that might not turn out as promised.
I never quite understood this. Certainly you don't want to send an unencrypted notification message (“Matt says: here are the meeting times”) to Apple's notification servers. But do you really have to be that verbose? I'm not terribly concerned about the NSA logging “you have $n new messages!” notifications.
> I'm not terribly concerned about the NSA logging “you have $n new messages!” notifications.
But you can appreciate that as part of risk assessment some people might have a valid reason to be concerned about leaking even that much information?
GCHQ / NSA are good at finding patterns in data, so a collection of "You have $n new messages!" notifications can provide insight into the organization of a group.
Yes, I certainly understand. Most people wouldn't be concerned—and would be far more likely to use the technology if they could enable a feature like "You have $n new messages."
Gibberbot is wide open to practical MITM SSL attacks and of course timing analysis to see who you're talking to. If you use it or any other Jabber client with OTR, you would want to use it tunneled through another layer of encryption like Tor, so if you and your associates use .onion XMPP servers (and they aren't traffic analysis honeypots or run by incompetent admins/badly configured), then you get an extra layer of encryption to defeat future attacks, should a major bug be found in Gibberbot's OTR implementation and agencies just go back to all the traffic they collected and archived and use the bug to decrypt your old messages.
There's also Threema http://threema.ch using NaCl for their crypto (open source). It works on iOS and Android and has a very good UI. Encryption can be verified, for those who care: http://threema.ch/validation/
(I'm not affiliated, I just really like the product and it's the first one I was able to convince family and friends to use)
We have been thinking the same thing. The gap here is between the public that knows nothing and developers and integrators that DO. Unfortunately, it's all about marketing, and marketing is often a bunch of lies.
One really good thing about having lots of apps though is that it makes it harder for the NSA to subvert the apps or developers and develop attacks. If there are so many of them from around the world springing up all the time, that makes it a lot more difficult for any one national agency to control the space and become omniscient, and more difficult for them to develop attacks which will work globally.
If there is one thing I'd take from this NSA/GCHQ debacle it's that encryption is the only way to stop numerous agencies from accessing the content of your communications and storing them indefinitely. They already want to store everything. If you encrypt they'll have to decrypt first before parsing your messages, and that's impractical for them on a large scale. I'd love to see a replacement for email that used local encryption to send information completely encrypted (including metadata) from point to point, with no keys on the server, or perhaps no server at all.
Encryption is a way to keep things secret for some time, not forever, it won't keep things safe forever even if it is considered perfect at point of use, as usually flaws are found in protocols eventually, and new ones adopted for that reason. Even if there is an established attack on a given chat program, agencies would have to take the time to attack and decrypt communications specifically, rather than just intercepting them at providers or with line taps. It would prevent a great deal of casual snooping and make things considerably more difficult. So the more protocols and apps the better I think.
In addition to this, I don't think there's anything wrong with people developing chat or encryption front-ends as long as they use established encryption programs to do their actual encryption. That should be the message that is given to people, not that they shouldn't bother using encryption in their products at all, because they're idiots and will get it wrong. Many will get it wrong, but some won't. I wouldn't trust this particular program (no source for a start), but other new entrants might be trustworthy. I don't think there are enough apps in this space now, the more the merrier, and if some of them are broken, that doesn't make it any harder to evaluate a good one if you are an expert in the field, and it will still make things more difficult for security agencies.
If you're not an expert, you'll have to rely on the opinions of people you respect about which programs are trustworthy. I'd love to hear Binney speak for example on which encryption methods he would trust nowadays, as he's likely to have very good knowledge of which ones are harder to break. The most I've seen from him is that they are
"on the verge of breaking a key encryption algorithm."
which just underlines that what is considered trustworthy today will not be tomorrow. So I think that security is a graded scale, not binary, and to insist that only experts should ever get involved with encryption just narrows the field to a small number of companies/experts that government agencies hostile to you can easily subvert.
PS Just seen downthread that you're responsible for this app - https://whispersystems.org/ Looks great and I'll be trying it out when it comes to iOS. Thanks for helping people stay secure.
> having lots of apps though is that it makes it harder for the NSA to subvert the apps or developers
The NSA has had several 10s of $B a year, every year, basically since World War II. This is far greater than the entire public data security sector.
By now they likely have sophisticated internal tools for reversing and analysis. I doubt that it would take long at all for them to develop an exploit for a buggy amateur crypto app. They probably have plenty of new hires and contractors looking for trivial projects to practice on.
Don't get into a war of resource attrition with the most well-funded military on the planet.
I think we should all just create random sized files of random numbers, encrypt them with reasonably strong encryption, and email them to each other. Asymmetric warfare can work in the digital world too.
> Don't get into a war of resource attrition with the most well-funded military on the planet.
Wars of attrition seem to have worked very well for a lot of people opposed to the best equipped military on the planet. Actually I think asymmetric warfare is a great analogy here; it's far harder to defeat a war amongst the people than to defeat a standing army, and part of what makes it difficult is there is no central point to attack, no clear lines of control, and no organisation(s) which you can shut down.
Re a buggy amateur crypto app, I'm sure some of them will be buggy, and some of them will be hard to break or use existing crypto which is hard to break. It's a tough subject and not one I'd like to tackle, but I absolutely don't object to others trying, because the alternative is for us to use products from large companies who we have seen will do whatever the US government asks them and call it legal.
Your attitude seems to be that we should just roll over and let the NSA/GCHQ/etc take whatever they want. I disagree.
> the alternative is for us to use products from large companies who we have seen will do whatever the US government asks them and call it legal.
> Your attitude seems to be that we should just roll over and let the NSA/GCHQ/etc take whatever they want. I disagree.
That's not at all what is being said. Many good cryptography products are open source. They have companies behind them because crypto is expensive - you need programmers and researchers and attackers and people to respond to security advisories.
"Don't use crappy kludgey crypto for serious uses; use established products instead" is not at all "Roll over and let GCHQ / NSA do what they want".
You can hardly compare a glut of crappy crypto apps on some app store to the Vietnam War where it took 70,000 body bags on the nightly news (and much higher losses on the other side) to finally get the US to withdraw.
This is basically the ignorant old "NSA has so much data they won't know what to do with it" argument in a slightly different form.
My attitude is that a handful of secure apps is infinitely better than a plethora of bad ones. I'm pretty sure the NSA would prefer the latter.
> the Vietnam War where it took 70,000 body bags on the nightly news
I was thinking of Afghanistan (21stC, 19thC), but Vietnam would serve. It was your analogy, and the only valid comparison is tactical, not concrete.
I'm not supporting this particular app and wouldn't use it myself (I just use GPG on trust), but do think it's important we have a lot of people trying to work in this space, if only to have sufficient choice to prevent the field narrowing. The worst possible outcome from my point of view is to have just a few apps worldwide for crypto, not just for technical reasons but for political ones.
> My attitude is that a handful of secure apps is infinitely better than a plethora of bad ones. I'm pretty sure the NSA would prefer the latter.
I'm not sure that's really the choice we have (a few secure apps OR lots of insecure ones, I'd have an AND in there and some grey area between secure and insecure), and how many crypto apps is too many? 200? 20? 10? 1?
Given the evidence from the PRISM program, which relies on tech infrastructure being localised in a few prominent US companies to give the NSA easy access which they have found very useful, I disagree about a handful of apps being the worst outcome for the NSA. Ultimately the security of cryptography is also dependent on things outside the cryptographers' control (politics, laws, corporate policies in a specific country), and I'd rather have too many cryptographers than too few in the world. Crappy amateur apps, as you put it, is part of that because some of those people might then learn why and how their apps are insecure and make better ones.
> but do think it's important we have a lot of people trying to work in this space, if only to have sufficient choice to prevent the field narrowing
Yes, I agree with that. As long as we aren't encouraging people to actually use experimental learning projects for critical stuff, or thinking that a diversity of half-baked crypto apps is anything but a birthday party at Chuck E. Cheese for the NSA.
This isn't a war of attrition, or asymmetric warfare, this is playing the exact game the NSA is meant to fight. It's like building MIG-21s to take on our F-22. A loser's fight.
I don't think there's any harm in pursuing this as long as expectations are realistic.
My impression was that guerrilla warfare is based upon retreating into relative anonymity following battles that you pick and win. Unfortunately, using most (any? I don't see any steganography or non-appstore distribution models) of these applications is likely to throw up huge flags on any public communications dragnet...
Two e-mail replacements that aspire toward secure communication with little actionable metadata are Bitmessage and I2pbote (runs over i2p net). Both are very much alpha, and Bitmessage has some significant work to do on how to scale up. But both are also p2p, and both automatically encrypt and decrypt all messages by default. If there are any other e-mail replacements that aspire toward security and anonymity, I'd love to hear about them.
I'm really interested in seeing one of the recently peer-reviewed secure, anonymous DHT e-mail systems (such as [1]) brought to life beyond an academic paper. I think such systems are pretty promising (i2pbote is similar).
EDIT: It occurs to me that I don't know enough about i2pbote to confidently call it "alpha" or "beta". So on retrospect, I'll just call it relatively new. But both i2pbote and bitmessage are definitely worth keeping an eye on.
> In addition to this, I don't think there's anything wrong with people developing chat or encryption front-ends as long as they use established encryption programs to do their actual encryption. That should be the message that is given to people, not that they shouldn't bother using encryption in their products at all, because they're idiots and will get it wrong. Many will get it wrong, but some won't. I wouldn't trust this particular program (no source for a start), but other new entrants might be trustworthy. I don't think there are enough apps in this space now, the more the merrier, and if some of them are broken, that doesn't make it any harder to evaluate a good one if you are an expert in the field, and it will still make things more difficult for security agencies.
I mostly agree. I'm not so keen on the idea of some broken programs being around. Look at the number of people who install spyware browser toolbars or purple monkeys or etc.
But if people are going to do anything creating front ends for existing software, or creating much better easier documentation for existing software would be good.
> So I think that security is a graded scale, not binary,
This is sort of true. People need to risk assess. If they just want to protect their angsty poetry they don't need to do as much work as they would if they were protecting a stash of images of child sexual abuse.
> That should be the message that is given to people, not that they shouldn't bother using encryption in their products at all, because they're idiots and will get it wrong.
The message isn't "avoid all crypto all the time", but "don't kludge together some crypto project and push it into production".
> The message isn't "avoid all crypto all the time", but "don't kludge together some crypto project and push it into production".
I think we can all agree on that, however because all the big companies who hire experts and provide cryptography services, like Microsoft, Blackberry, Apple and Google, seem willing to give back doors to intelligence services in many countries and undermine the point of using cryptography, there are not many open choices left. I wouldn't really trust a project like the one linked, and see why people have reservations about it. Which projects would you recommend, as I'm genuinely interested? I use GPG for my own limited use, but would love to see a project for end to end encryption for email for example which also handles plain emails. The trick is in getting other people to use it, and that's all in the interface I think, not the cryptography.
I do think (as a sometime user of cryptography for mundane uses) it's worth having other options, and that will mean quite a few partially broken offerings as it's apparently a very subtle and complex topic and very easy to get wrong - I don't see any way round that if use becomes widespread - even the users will undermine it by mistake by not protecting keys etc. However without widespread adoption and easier interfaces for open cryptography, we won't have any choices but very secure encryption which is pre-signed with an NSA_KEY or otherwise backdoored for the NSA's convenience.
Don't trust this any more than any other closed-source "encrypted" communication product (like Skype). If they control both the source and the backend, how can you be sure it isn't compromised? How can you be sure it won't eventually be sold to the highest bidder?
Disclosure: I am the original author of ChatSecure, the only open source OTR+XMPP app for iOS devices.
If the client source proves that the message is properly encrypted though (they're using PGP), the servers can be as insecure as the open internet and it should be ok
Port bitmessage to Android then release it alpha and then wait 2-3 years to see if anything goes wrong. Then release it beta with gigantic warnings.
I hope this isn't another Jabber/OTR implementation because those would be full of metadata the NSA wants in order to identify social networks. Once identified, and if they look interesting enough they want to listen in, they would then go to town on your device, car, or home with surveillance equip to read your screen as you type, or just sneak inside the project's servers using nginx shell exploits or linux/bsd exploits none of us know about yet to inject code into the apk for download which will still pass signature tests. http://www.pcworld.idg.com.au/article/512362/proof-of-concep...
Another problem is most devices are carrier built so can't be trusted not to have a new CarrierIQ-like rootkit, and they can just send an OTA update that can basically do whatever it is they want it to do, including recording the screen whenever this app gets turned on. Maybe these carriers leave their build keys lying around and the NSA gets a hold of them and sends you their own OTA update. Or maybe their agents volunteer to work on this project and sabotage it, like the NIST Special Publication 800-90 that recommended an inferior deterministic random bit generator that researchers assumed was deliberately made standard so a federal skeleton key could determine the random numbers and unlock the encryption.
The best NSA-proof cell accessory is thermite to melt your phone so you stop using it to communicate stuff the NSA might want to find out. If you're not a terrorist, Snowden, or Assange then you can use Gibberbot only with a .onion Jabber server because of SSL problems, and even then your device is still wide open, and Tor sacrifices traffic analysis timing prevention for usability, so technically it's still vulnerable to metadata analysis by gigantic spy agencies like the NSA.
There is no such thing as a secure cellphone platform, at least for us non-govt folk. Expecting your comms to be secure on a cellphone because you use some app is super naive. As dobbsbob points out, your phone is likely ownable/backdoored by (1) the manufacturer, (2) the OS maker, (3) the ISP and (4) the local intelligence services.
The best way to keep anything secure as it relates to your phone is to not use it. In fact, keep your phone well away from where you work and have important conversations. There is a reason certain people are not allowed to bring their cellphones to work: it's because they're not even remotely secure.
It's a detailed look at the failure of Diaspora, the secure, privacy-preserving app that raised $200K during the height of Facebook privacy concerns, but fell apart, with the founder eventually committing suicide.
I bring it up not because I think hemlis is doomed to the same fate, but precisely because the differences between what the OP aims to achieve compared to Diaspora makes it much more likely to succeed...if it's just a messaging app, rather than a social network that has certain infrastructure challenges, then it should definitely be doable (it goes without saying that the Pirate Bay co-founder probably has a lot more experience than the Diaspora founders)
"The way to make the system secure is that we can control the infrastructure."
This is an incredibly narrow vision of the future. We need an interoperable network that supports a variety of encryption technologies. Users should be able to select the apps they prefer with the features they need.
Locking the social graph into a single service and a single app which like most applications will eventually have vulnerabilities is a tremendous liability.
Encryption is only half the battle. NSA et al. could still get metadata - who is communicating with whom and when. Unless they carefully engineer a solution to this problem into their app, it's useless.
An NSA-proof app for Apple and similar devices is an oxymoron. Until you know what exactly the vendor can do remotely with your device you cannot assume security.
These devices and OSes are provided by companies that are part of PRISM, so they have a track record of collaboration with law enforcement.
So running secure software on them is like putting a steel lock on a mosquito net.
All carrier locked phones, including Android and Firefox OS, can receive ota updates without knowledge or consent. Any open source phone OS can and will be modified to benefit the carrier before reaching consumers.
Deep Packet Inspection (DPI) (also called complete packet inspection and Information eXtraction, IX) is a form of computer network packet filtering that examines the data part (and possibly also the header) of a packet as it passes an inspection point, searching for protocol non-compliance, viruses, spam, intrusions, or defined criteria to decide whether the packet may pass or if it needs to be routed to a different destination, or for the purpose of collecting statistical information. There are multiple headers for IP packets; network equipment only needs to use the first of these (the IP header) for normal operation, but use of the second header (TCP, UDP etc.) is normally considered to be shallow packet inspection (usually called Stateful Packet Inspection) despite this definition.
There are multiple ways to acquire packets for deep packet inspection. Using port mirroring (sometimes called Span Port) is a very common way, as well as optical splitter.
Deep Packet Inspection (and filtering) enables advanced network management, user service, and security functions as well as internet data mining, eavesdropping, and internet censorship. Although DPI technology has been used for Internet management for many years, some advocates of net neutrality fear that the technology may be used anticompetitively or to reduce the openness of the Internet.
DPI is currently being used by the enterprise, service providers, and governments in a wide range of applications.
With DPI encrypted comms can be routed to storage, from there the encrypted data can be sent to the supercomputers for further analysis.
Just what can, and can not, be cracked is open to conjecture, as I don't really know the specific capabilities of the supercomputers in use by the alphabet gang.
However, with the rapid decline of storage prices it would be safe to assume that what cannot be cracked today, may be broken in the not too distant future.
I'm wondering if there actually is any currently known encryption which cannot be broken in the unforeseeable future...
Whichever way it is, I wish this venture luck and success.
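The shallow-versus-deep distinction in the DPI description above, as an added example that is not part of the original thread or of any product it mentions: a small Python inspector that parses constructed IPv4/TCP packets, classifies each flow first from the headers only (port-based, what the quoted text calls shallow or stateful inspection) and then from the TCP payload (the deep part), and applies a toy "mine cleartext now, retain ciphertext for later" policy mirroring the comment. The addresses, payloads, port table and policy are assumptions for illustration; the TLS ClientHello is a truncated stub, not a real handshake.

```python
import ipaddress
import struct

# Constructed sample packets (not real captures): IPv4 + TCP, no options.
# Checksums are left at zero because nothing here validates them.

def build_ipv4_tcp(src, dst, sport, dport, payload):
    """Assemble a minimal IPv4/TCP packet so the inspector has realistic input."""
    total_len = 20 + 20 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return ip_hdr + tcp_hdr + payload


def parse_ipv4(pkt):
    """Layer 3: the only header a router needs to forward the packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, tlen, _id, _ff, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (vihl & 0x0F) * 4
    if vihl >> 4 != 4 or ihl < 20 or tlen > len(pkt) or ihl > tlen:
        raise ValueError("malformed IPv4 header")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "segment": pkt[ihl:tlen]}


def parse_tcp(seg):
    """Layer 4: reading this far is 'shallow' (stateful) inspection."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off, _flags, _win, _csum, _urg = struct.unpack("!HHIIBBHHH", seg[:20])
    doff = (off >> 4) * 4
    if doff < 20 or doff > len(seg):
        raise ValueError("malformed TCP data offset")
    return {"sport": sport, "dport": dport, "data": seg[doff:]}


WELL_KNOWN = {5222: "xmpp-client", 443: "https", 80: "http"}  # assumed port table

def shallow_verdict(tcp):
    """Port-based guess: cannot tell a TLS-wrapped XMPP stream from a cleartext one."""
    return WELL_KNOWN.get(tcp["dport"], WELL_KNOWN.get(tcp["sport"], "unknown"))


def classify_payload(data):
    """Application-layer signatures over the TCP payload: this is the 'deep' part."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x03:
        return "tls-handshake"  # TLS record type 22 (handshake), record version 3.0-3.3
    if data.startswith((b"GET ", b"POST ", b"HTTP/")):
        return "http"
    if b"<stream:stream" in data or b"<message" in data:
        # OTR ciphertext inside an unencrypted XMPP stanza still exposes the stanza
        # envelope (to/from JIDs), i.e. the metadata the thread is worried about.
        return "xmpp-plaintext-with-otr" if b"?OTR" in data else "xmpp-plaintext"
    return "opaque"


def inspect(pkt):
    """Return both verdicts plus the toy policy decision for one packet."""
    ip = parse_ipv4(pkt)
    if ip["proto"] != 6:
        return {"shallow": "non-tcp", "deep": "non-tcp", "action": "pass"}
    tcp = parse_tcp(ip["segment"])
    deep = classify_payload(tcp["data"])
    # Assumed policy: cleartext is mined immediately, ciphertext is retained for later.
    action = "retain" if deep in ("tls-handshake", "opaque") else "mine"
    return {"flow": (ip["src"], tcp["sport"], ip["dst"], tcp["dport"]),
            "shallow": shallow_verdict(tcp), "deep": deep, "action": action}


SAMPLE_PACKETS = {  # constructed inputs; addresses are documentation ranges
    "otr-in-clear": build_ipv4_tcp("10.0.0.5", "203.0.113.10", 49152, 5222,
        b"<message to='bob@example.com' from='alice@example.com'>"
        b"<body>?OTR:AAMDtest</body></message>"),
    "xmpp-over-tls": build_ipv4_tcp("10.0.0.5", "203.0.113.10", 49153, 5222,
        b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03" + b"\x00" * 40),
    "plain-http": build_ipv4_tcp("10.0.0.5", "198.51.100.7", 49154, 80,
        b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(name, inspect(pkt))
```

Both port-5222 packets get the same shallow verdict, "xmpp-client"; only the payload signature separates the OTR-inside-cleartext-XMPP case (envelope JIDs readable, so it would be mined) from the TLS-wrapped stream (retained as ciphertext). That is the whole point of the earlier advice to put OTR traffic behind another encrypted layer.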
Like that has stopped NSA or any other spy agency before. But I guess what you mean is that it won't be legal for them to do it, not that it will "stop" them from doing it, necessarily.
I guess its safe to presume they wouldn't sell it. Otherwise, the simplest way to deal with the "piracy problem" would be to buy piratebay and shut it down.