
Heml.is, New Encrypted Messaging Service From Brokep of the Pirate Bay

Unknown Lamer posted 1 year,21 days | from the trust-us-we're-pirates dept.

Communications 144

First time accepted submitter freddej writes "Heml.is ("secret" in Swedish) is a new peer-encrypted messaging service from some of the guys behind TPB and Flattr. They describe it like this: 'Our focus is your privacy so we are building everything from software to company structure to protect that. The others are focused on maximizing profit.' So if you agree with the mantra that 'if you're not paying, you're the product' then you might want to check them out." Caveats: they are begging for money and there is no mention of whether this will be Free Software or some kind of proprietary service (in which case, how can you really trust it?). It looks more likely that it will be a closed application/service: "We're building a message app where no one can listen in, not even us. We would rather close down the service before letting anyone in ... [what will codes unlock?] It will give you access to extended features of Heml.is like sending image messages and other stuff in the future. Pre-register username will let you register your username before the app is released."


144 comments


no crystal ball required (0)

Anonymous Coward | 1 year,21 days | (#44236817)

Predicted this. First of many products that will try to offer security in lieu of ads after the Snowden leaks. I feel smart today. It's funding faster than a kickstarter... this gives me a page to refresh today instead of the dislikes on that Miley Cyrus video - good times that one.

No Crystal Ball? (4, Interesting)

DavidClarkeHR (2769805) | 1 year,21 days | (#44236895)

Predicted this. First of many products that will try to offer security in lieu of ads after the Snowden leaks. I feel smart today. It's funding faster than a kickstarter... this gives me a page to refresh today instead of the dislikes on that Miley Cyrus video - good times that one.

Without going all "conspiracy theory" here, what if this is part of a secret arrangement with the secret police for each of the founders to get out of secret jail and avoid the secret prosecution and additional secret jail time?

To paraphrase Admiral Ackbar, this could be an elaborate ruse. Realistically though? It's an excellent idea to cash in on the concept of the right to privacy.

Re:No Crystal Ball? (4, Insightful)

poetmatt (793785) | 1 year,21 days | (#44237021)

If anyone knows something about how to make a resilient private service, it's probably the TPB crew, considering how strongly the site is running even though countries around the world (namely the US) are going to great lengths trying to take it down.

Re:No Crystal Ball? (2)

cgt (1976654) | 1 year,21 days | (#44237245)

I don't understand why they don't make TPB a Tor hidden service. Why go to all the trouble of changing domain names all the time when they could just get an .onion/.tor2web.org address?

Re:No Crystal Ball? (2, Insightful)

SuricouRaven (1897204) | 1 year,21 days | (#44237655)

User numbers. Tor takes effort to set up, while the greatest appeal of piracy is the speed and convenience.

Re:No Crystal Ball? (0)

Anonymous Coward | 1 year,21 days | (#44237869)

User numbers. - this

There are torrent trackers that operate completely inside i2p that are pretty cool, but they don't have anywhere near the number of users of more visible services.

Re:No Crystal Ball? (1)

Anonymous Coward | 1 year,21 days | (#44239581)

I2P is damn simple to install and use though and seems technically superior to most things / for most uses, keep spreading the word :)

I think I2P will become the new web. Wikipedia, GNU sites, EFF sites, F/OSS sites & collaboration, Linux and BSD system sites etc. should establish their presence there and help route around the damage.

Re:No Crystal Ball? (1)

cgt (1976654) | 1 year,21 days | (#44238263)

I explicitly mentioned tor2web.

Re:No Crystal Ball? (0)

Anonymous Coward | 1 year,21 days | (#44238833)

Pirate Bay makes a loooooot of money from ads, sacrificing any userbase isn't really worth it to hide the server IP. Are TOR sites even search engine discoverable? I know if you type in "ThePirateBay" to google, you get one of their active domains, would that likely work as a TOR address?

If you want privacy just use TOR as an end user. TOR-to-TOR doesn't offer you any extra protection.

Re:No Crystal Ball? (1)

Anonymous Coward | 1 year,21 days | (#44239347)

TPB as hidden service

http://jntlesnev5o7zysa.onion/

Re:No Crystal Ball? (0)

Anonymous Coward | 1 year,21 days | (#44239405)

Resilience and security are two different things.

Re:No Crystal Ball? (1)

oodaloop (1229816) | 1 year,21 days | (#44237293)

You can't repel tinfoil-hattery of that magnitude!

Re:No Crystal Ball? (0)

Anonymous Coward | 1 year,21 days | (#44237725)

Ancient Chinese Secret huh ( http://www.youtube.com/watch?v=ZjNRXfRXnoc )

Re:No Crystal Ball? (1)

Vintermann (400722) | 1 year,21 days | (#44239747)

It's not so easy to turn a genuine idealist, and The Pirate Bay folks were in fact that. Greedy maybe, but not willing to compromise on certain things.

Re:no crystal ball required (2)

FriendlyLurker (50431) | 1 year,21 days | (#44237047)

Predicted this. First of many products that will try to offer security in lieu of ads after the Snowden leaks.

True. I am looking forward to more focus on security plugins and extensions to existing products. Been waiting years for Mozilla Thunderbird chat to get OTR up and running. Also, any semi-decent email encryption method that wants to be even moderately adopted really needs to be next to zero configuration for up-front use or it just won't catch on *at all* (OTR is a good example, and Enigmail/GPG are definitely not good examples). Let the ones that really care be able to dive into the configs, check fingerprints, confirm there is no MITM etc... I mean, it can't get any worse than what we have now - 99.999% plain text email traffic, now can it?

Re:no crystal ball required (1)

Fnord666 (889225) | 1 year,21 days | (#44237759)

I mean, it can't get any worse than what we have now - 99.999% plain text email traffic, now can it?

Sure it can. If this is compromised or backdoored, it gives users a false sense of security. At least right now they know their email is wide open. If they choose to not care, then so be it.

Re:no crystal ball required (1)

FriendlyLurker (50431) | 1 year,21 days | (#44237855)

Let's turn that logic around and throw it right back at you: anybody who cares about a high level of security will bother following the simple procedure to check that they do indeed have a secure, non-MITM-compromised connection. If they choose not to care, then so be it (but their connection is still encrypted, raising the security bar vs. the solution your logic proposes).

If we followed the logic you presented then OTR would not exist, dismissed as giving users a false sense of security.

Re:no crystal ball required (0)

Anonymous Coward | 1 year,21 days | (#44237957)

> it gives users a false sense of security

I am so tired of seeing this phrase. Most users have exactly ZERO sense of security. Some don't have any! And for those people it doesn't matter anyway because they don't give a shit about how something is sent or who reads it!

Besides, there is no such thing as "real" security! Even the most security-conscious person can be subject to a number of side-channel attacks, burglaries etc., that will render any security implementations a moot point!

So enough of that crap about "sense of security"! Make the options available for those who want to go the extra mile and keep it simple (but encrypted!) for those who don't!

Re:no crystal ball required (1)

Vintermann (400722) | 1 year,21 days | (#44240205)

No, they don't generally know that their email is wide open. I guarantee you, if a large batch of random intercepted emails was suddenly published, regular people would be shocked.

And not all compromising is equal. If it takes even a modest effort for NSA to read my mail, that's better than nothing. That ultimately limits how much they can do.

Re:no crystal ball required (2, Insightful)

dc29A (636871) | 1 year,21 days | (#44237127)

This is borderline useless for the following reason: all the NSA needs is metadata. With metadata they can know a lot about you. They don't need the content of the message when they know whom you communicate with, how frequently, and whatnot. You already use the internet; they should easily be able to associate your IP with your identity. Unless you stop using cloud-based services, this alone won't keep the NSA in the dark about you.

Re:no crystal ball required (3, Insightful)

Lumpy (12016) | 1 year,21 days | (#44237621)

"You already use the internet, they should be able easily to associate your IP with your identity. "

Only if you are a complete fool and use your home internet for most things.

They can't find me in the noise of a Starbucks connection.

Re:no crystal ball required (1)

fustakrakich (1673220) | 1 year,21 days | (#44237733)

They can't find me in the noise of a Starbucks connection.

Wanna bet?

Re:no crystal ball required (1)

Lumpy (12016) | 1 year,21 days | (#44238045)

Yup, I'll bet a bunch. It is not hard, if you have a clue as to what you are doing, to hide in a public net connection.

Professional hackers do it every single day. And yes, it takes more knowledge about networking and computers than 80% of the population has to do it, but it certainly can be done.

Re:no crystal ball required (1)

rvw (755107) | 1 year,21 days | (#44238419)

Yup, I'll bet a bunch. It is not hard, if you have a clue as to what you are doing, to hide in a public net connection.

Professional hackers do it every single day. And yes, it takes more knowledge about networking and computers than 80% of the population has to do it, but it certainly can be done.

Please give a link to a tutorial! I'm pretty sure I know more about networking and computers than 80% of the population, probably 90% or even 98% (and still I don't consider myself a system or network admin), but I don't know how to do this.

Re:no crystal ball required (1)

Em Adespoton (792954) | 1 year,21 days | (#44239679)

Only thing I can think of is to run one of those utilities that sniffs the WiFi channel for MAC IDs and randomly switches to one that's been seen but isn't currently on the network. Of course, you'd also have to be clearing all your tracking markers continuously, and not log in to any cloud-based services (including webmail, social network, etc.).

Hopping from the WiFi to an anonymous VPN service /could/ add an extra layer of misdirection, *if* you trust the service. Over this, you run TOR.

So the end result is:
Trackable web apps purged regularly
Using Ghostery and/or Albine and NoScript and AdBlockPlus
Over TOR
Over Anonymous VPN
Via shared but traceable Starbucks IP
Via Spoofed MAC ID pool

Did I miss a step? There's of course the entire DNS issue (ISP and Google DNS are tracked), so you really want a DNS somewhere under a jurisdiction that you don't mind tracking you (don't assume they're not tracking you). I suppose you could limit yourself to the i2p network to mitigate this issue.

Re:no crystal ball required (1)

Anonymous Coward | 1 year,21 days | (#44237833)

You mean the font order that your machine reports to places changes? I'd check with EFF's panopticlick before I say that you can't be found... most machines out there have a unique fingerprint.

Re:no crystal ball required (3, Insightful)

trifish (826353) | 1 year,21 days | (#44237845)

Is this a joke?

If what you do in the various Starbucks venues is even slightly statistically related, you can rest assured that there are automated methods to identify you.

Re:no crystal ball required (1)

Anonymous Coward | 1 year,21 days | (#44239787)

I'm totally anonymous and posting from Starbucks!

BRB, buying another drink with my credit card/debit card/cash from the cashpoint nearby/totally anonymous cash that doesn't matter because if they really want me, they have security camera footage.

Re:no crystal ball required (0)

Anonymous Coward | 1 year,21 days | (#44239847)

Is this a joke?

If what you do in the various Starbucks venues is even slightly statistically related, you can rest assured that there are automated methods to identify you.

Only if you go into the Starbucks, rather than sitting far away with a (concealed) directional antenna.

Of course you should turn off your mobile phone so they can't track you down via that as well. And manually override the MAC address of your computer.

Re:no crystal ball required (3, Insightful)

chuckinator (2409512) | 1 year,21 days | (#44238155)

Unless you go to the trouble of changing your wifi mac address and many other uniquely identifying signatures of your computer and the software it runs, you can very easily be found and tracked inside your starbucks. Considering you probably have a smartphone in your pocket with an always on wifi radio, too, you can probably be very easily tracked all around town all the way back to your house for someone with the resources and determination to do so.

Re:no crystal ball required (0)

Anonymous Coward | 1 year,21 days | (#44238923)

My KDE desktop supports randomly generated MAC addresses for connections with ESSIDs of my choice. I usually use that for Starbucks. I use a firewall that prevents OS fingerprinting and rotate my browser user-agents. Also, I do not have a cell phone.

And I am not even trying to be anonymous (I would probably use several anon proxies if I wanted to)!

Re:no crystal ball required (0)

Anonymous Coward | 1 year,21 days | (#44239833)

It's "seven" proxies, not "several."

Re:no crystal ball required (1)

Vintermann (400722) | 1 year,21 days | (#44240337)

You have an account with five digits, and you're still using it after all these years? Yeah, I think they can find you.

In Soviet Russia, the iron solders YOU! (4, Insightful)

Thor Ablestar (321949) | 1 year,21 days | (#44237623)

I agree 100 per cent. And I must add that all these so-called crypto or secure apps that don't hide the fact of connections are absolutely unsafe. If the FSB (KGB, Russian equivalent of the NSA) can compile my contact list they can just torture the content out of them. There is a specific Russian term, "rectothermal cryptanalyzer" (meaning a hot soldering iron applied to the suspect's anus).

BTW: Hemlis is suspicious because the usernames must be preregistered. A really secure app should not have any central server for the registration info. The admins of such a server can be too easily tortured to disclose or stop everything.

Re:In Soviet Russia, the iron solders YOU! (0)

Anonymous Coward | 1 year,21 days | (#44239801)

Good comment. I'll add that in I2P they would have to rectally solder a significant number of people before they even know if there's anything to look for (there might be absolutely nothing). It is far easier to do old-style surveillance directly on the person in question, so the "surveillance efficiency" of the old-style unprotected internet is defeated.

I hope I2P becomes common, I think it will. Use it even if you don't actually use it much, keep it up and running as much as possible like I do.

Re:no crystal ball required (1)

Sloppy (14984) | 1 year,21 days | (#44239255)

all the NSA needs is metadata. With metadata they can know a lot about you.

NSA is merely the excuse/cover for people securing the things that have always needed securing. Don't look at things from the PoV of the NSA or the kinds of people they're supposedly supposed to (?) be peeking at. Look at it from your own PoV.

When a burglar sees you send a mundane message to your friend, it matters to you whether or not he is able to tell the difference between

Come check out my new pump shotgun. I can't wait for someone to break in and give me an excuse to use it. God damn I have wanted to kill someone, anyone, for so so long. Blood! I MUST HAVE BLOOD!

or

I'll be right over in a few minutes and we can begin our long night of drinking, as part of the wake for my recently-deceased guard dog. I can crash at your place, right? No, I don't want to carry over my solid gold food bowl; that'll just remind me of him. OMG, he'll never eat out of that bowl again. I'm going to have a cry now... you have tissues?

These are the kind of messages which are important to 99.999% of people, the kind of info that we're constantly leaking to fuck-knows-who, which needs to be transmitted securely.

Re:no crystal ball required (1)

Vintermann (400722) | 1 year,21 days | (#44240311)

You can extract metadata from the content of your message too. They can't automatically understand it yet, but they can probably guess whether you're talking about something political, whether you're angry, certainly what languages you speak...

It can also enhance their understanding of your social connections. If there are certain words that show up in mails to recipient A which never show up in any other mail (say, like the words "your body"), that's valuable to them; that can tell you something about what kind of relationship you have to A. Now if those words suddenly start turning up in messages to someone else... whoops, automatically collected blackm.. I mean opposition research material!

Re:no crystal ball required (2)

Sloppy (14984) | 1 year,21 days | (#44237929)

I predict most of them will be broken, and not generate or exchange keys competently.

Invalid certificate :-| (1)

BrokenHalo (565198) | 1 year,21 days | (#44236841)

Hmmm. The link in the first line spits out an issue with an invalid certificate:

The certificate is not trusted because no issuer chain was provided.

Re:Invalid certificate :-| (0)

Anonymous Coward | 1 year,21 days | (#44237031)

Hmmm. The link in the first line spits out an issue with an invalid certificate:

The certificate is not trusted because no issuer chain was provided.

So they're keeping everything encrypted, but aren't paying some company like Verisign to look things over and say "yup, it's really encrypted."

It fucking sickens me that browsers display huge and scary messages about "bad" certs but do practically NOTHING when there is no cert at all.....

Re:Invalid certificate :-| (0)

Anonymous Coward | 1 year,21 days | (#44237159)

If there's no certificate, then there's no encryption. Are you wanting browsers to warn you about every non-encrypted website you visit? Because I'd wager that that'd make you sick even more quickly.

Re:Invalid certificate :-| (2, Informative)

Anonymous Coward | 1 year,21 days | (#44237311)

You can encrypt it without a cert. You just can't be sure of a man in the middle attack.

Re:Invalid certificate :-| (0)

Anonymous Coward | 1 year,21 days | (#44237611)

> Are you wanting browsers to warn you about every non-encrypted website you visit?

Yes!

Re:Invalid certificate :-| (0)

Anonymous Coward | 1 year,21 days | (#44237305)

The certification company doesn't say "this is encrypted" but "this certificate belongs to who it claims to belong to." So if you trust VeriSign to only issue certificates to the owners of the corresponding site, the fact that VeriSign issued that certificate tells you that the site you contacted is likely the real site (you cannot be completely sure because someone might have managed to get the private key). If you do not trust VeriSign, you should remove their root certificate from your browser. Then the browser will start giving security alerts for VeriSign issued certificates as well.

Also, technically everyone can create a root certificate, and everyone can add any root certificate to his browser. The only difference is that the root certificates of the big certification agencies are preloaded in your browser, and companies are going to get their certificates from them exactly for this reason. But in principle nobody stops you from generating a root certificate and issuing certificates from that. Anyone who trusts you then can add that root certificate to their browser and won't get warnings any more for any certificate issued from that root certificate.

Re:Invalid certificate :-| (1)

gl4ss (559668) | 1 year,21 days | (#44237065)

didn't do that for me. a reload did a 500 error.
"the beautiful secure com-blabalbalbalblalbalbal". and a pretty picture on iphone.

how can it be secure if it is to be distributed through a company potentially under secret orders? just make it work - and multi platform. don't care for the beautiful part.

Re:Invalid certificate :-| (1)

MickLinux (579158) | 1 year,21 days | (#44239127)

This is key -- but full of irony. The only thing worse than no security, is security that you don't know, but only think is secure.

So if you really want security, you have to abandon -- first and foremost -- these certificates. You don't know how they run.

You can forget about Linux -- you didn't program it, and you don't know what code obfuscation might do.

For sure you can forget Microsoft, Android, and whatnot. You'd be more secure speaking in person.

For those for whom relative security is enough -- for example, those who want to pay by credit card and be reasonably secure against loss, that's easier. Then you can go with all those established security procedures.

More to the point... now that the Transparent President has issued orders for government employees to spy on each other, lest the misdeeds of the powerful be leaked, more at issue is whom you might annoy.

(Caveat: I have nothing for Obama; but I have nothing for any Republican candidate either. I'd say I have nothing against them, but it's more like I have nothing for them. In my book, they're equally evil and undeserving of votes.)

Re:Invalid certificate :-| (0)

Anonymous Coward | 1 year,21 days | (#44240135)

You've misunderstood what encryption is.

Encryption is not a security guarantee no matter what, all encryption including OTPs can be broken or similar even if some ways of doing it are supposedly impossible.

The solution is to use encryption and any encryption is better than none because you should know and act as if it is already compromised.

If it isn't compromised you've gained something, possibly privacy, possibly a layer of security, possibly something else.

If it is compromised you have lost nothing (and in addition you might actually have lost less than you would lose if you didn't use anything at all but I'll stop here).

TL;DR: you lose when you don't try

OTOH... (1)

BrokenHalo (565198) | 1 year,21 days | (#44237093)

On the other hand, such a certificate may be redundant in the case of a properly P2P process, as TFS suggests re their app. However, I can't see any reason why they need one for their homepage, which (from having looked at the content in Links [jikos.cz] ) shouldn't need https at all.

Re:Invalid certificate :-| (1)

Barefoot Monkey (1657313) | 1 year,21 days | (#44237147)

I got a valid certificate verified by Thawte.

Wait, what!? (4, Insightful)

Anonymous Coward | 1 year,21 days | (#44236885)

Sorry but I threw out all of my iOS/Android devices when Snowden blew that whistle.

Re:Wait, what!? (1)

Lumpy (12016) | 1 year,21 days | (#44237641)

That was stupid. You should have sold them on eBay for top dollar. Only a complete idiot would throw them away.

Re:Wait, what!? (1)

wmac1 (2478314) | 1 year,21 days | (#44237737)

I hope I can have the courage to do the same. I even think of carrying only a dumb phone (and its battery separately) just in case I need to use it for an emergency call.

I guess people had a more happy life with land-line phones.

Re: Wait, what!? (1)

nospam007 (722110) | 1 year,21 days | (#44238413)

"I guess people had a more happy life with land-line phones."

Yes, the NSA thought they stayed always at home.

Re: Wait, what!? (0)

Anonymous Coward | 1 year,21 days | (#44239977)

Leave your cell phone at home 90% of the time. Trade it with others when you actually take it somewhere.

Re:Wait, what!? (0)

Anonymous Coward | 1 year,21 days | (#44238423)

For however long that lasts. http://newyork.cbslocal.com/2013/07/09/verizon-using-fire-island-to-test-getting-rid-of-landline-phones/

Re:Wait, what!? (0)

Anonymous Coward | 1 year,21 days | (#44239209)

I guess people had a more happy life with land-line phones.

The NSA sure did, they were way easier to tap.

Re:Wait, what!? (1)

loufoque (1400831) | 1 year,21 days | (#44238101)

That's stupid. The tracking in Android is software-only, and you can change the software.

Threema Messaging App (0)

Anonymous Coward | 1 year,21 days | (#44236965)

This one already exists and looks pretty decent:

https://threema.ch/en/

Re:Threema Messaging App (1)

TheP4st (1164315) | 1 year,21 days | (#44237229)

If I would have a need for encrypted mobile communications I'd probably opt for the open source options from WhisperSystems, rather than a closed source option. Incidentally I asked on the heml.is blog if the source would be open and under what license terms the software would be released and 4 hours later my post is still awaiting an answer.

Re:Threema Messaging App (0)

Anonymous Coward | 1 year,21 days | (#44237323)

> WhisperSystems

Agree that OSS is preferable. Threema has the advantage, though, of having both Android and iOS covered.

Re:Threema Messaging App (1)

mwvdlee (775178) | 1 year,21 days | (#44237557)

and 4 hours later my post is still awaiting an answer.

Those darn other-timezonians!

Re:Threema Messaging App (0)

Anonymous Coward | 1 year,21 days | (#44237679)

> If I would have a need for encrypted mobile communications

You do! ;-)

> I'd probably opt for the open source options from WhisperSystems

Just looked at it. Not the same thing.
Threema is essentially messaging over IP/data connection, whereas TextSecure is a secure SMS app (over Telco), as far as I see.

Dat swedish! (0)

Anonymous Coward | 1 year,21 days | (#44237005)

Hemlis is not "secret" in Swedish. Hemlig is. Hemlis is a slang version used by tots.

OS backdoors (3, Insightful)

Keruo (771880) | 1 year,21 days | (#44237013)

What good will this do if they've backdoored your device and are reading the keyboard input and taking screenshots?

Re:OS backdoors (1)

onceuponatime (821046) | 1 year,21 days | (#44237107)

Exactly! If the device itself is compromised you simply can't build a secure service on top of it. End of story.

At least, that is what I believe. I'd like to see a compelling argument as to why this is not the case. The same comment applies to the Whisper Systems app: what is the argument that implies that the platform itself is safe?

Re:OS backdoors (0)

Anonymous Coward | 1 year,21 days | (#44238485)

How do you suggest that they transfer the screenshots/keyboard data from the compromised device?
We know that they are monitoring the communication, so encrypting the messages makes sure that they can't spy on you that way. You can't be sure that they don't monitor the rest of the device, but you can check the network communication to make sure that any gathered data stays on the device and isn't sent anywhere. (Yes, you can buy your own base station/repeater for $500 and even make sure that nothing odd is sent over GPRS.)

Re:OS backdoors (4, Insightful)

FriendlyLurker (50431) | 1 year,21 days | (#44237133)

That takes more effort, targeting you more specifically. Very different from an always-on dragnet slurping up everyone's communication all the time.

Re:OS backdoors (0)

Anonymous Coward | 1 year,21 days | (#44237719)

What good will this do if they've backdoored your device and are reading the keyboard input and taking screenshots?

Well Duh. None.

Same as if 'they' have already got secret cameras and bugs in your house.

What's your point? Surely not the retarded "It doesn't do everything so it's worth nothing" crap?

Re:OS backdoors (0)

Anonymous Coward | 1 year,21 days | (#44240201)

Keyboard input could be covered by clicking on words instead of them being typed. Surely there is a list of commonly used words. Wheel of Fortune taught us RSTLNE, so that's a start. Screenshots, no clue, unless you put noise on the screen like a Captcha so that the glyphs can't be easily counted by color difference from their background. Oh, that's a plan: any glyphs are in colors that match the background and only show if highlighted, or something like lemon juice on paper for kids' secret messages that you reveal by heating. They could also randomly cut parts of the letters off so it's mangled and must be reconstructed. Instead of being real text, make them pixels or shapes in a graphic language. Larger message probably, but more to sort on the other side too.

What's wrong with OTR? (5, Informative)

knopf (894888) | 1 year,21 days | (#44237017)

Off-the-Record messaging already provides encryption of chat messages, works on top of existing IM services, and you get the bonus that you can get the warm fuzzy feeling from sticking it to the man by using a company's service (like Google talk) that tries to log/mine data, but they can't use your data.

Many clients already support OTR: http://en.wikipedia.org/wiki/Off-the-Record_Messaging#Native [wikipedia.org]
Many clients have plugins for OTR: http://www.cypherpunks.ca/otr/ [cypherpunks.ca]

Re:What's wrong with OTR? (1)

FriendlyLurker (50431) | 1 year,21 days | (#44237175)

Exactly. OTR is excellent. If only email encryption was as easy and straightforward for non-technical, "security... meh", people to use. Zero configuration, it just works.

Re:What's wrong with OTR? (1)

cryptizard (2629853) | 1 year,21 days | (#44240223)

Unless you are using an out of band channel to compare public key fingerprints, it is not "just working" and you are vulnerable to a man in the middle attack. It has the same problem as secure mail, only people ignore it.

Re:What's wrong with OTR? (0)

Anonymous Coward | 1 year,21 days | (#44237803)

AFAIK, you can't use OTR for 'disconnected' messaging, where one user is offline atm.

Re:What's wrong with OTR? (1)

loufoque (1400831) | 1 year,21 days | (#44238127)

That's useless. My facebook contacts don't have such sophisticated software installed, and they will not install it just to avoid wiretapping.

Re:What's wrong with OTR? (1)

Hatta (162192) | 1 year,21 days | (#44239861)

Then it's your Facebook contacts who are useless.

Email OTR wouldn't need it (0)

Anonymous Coward | 1 year,21 days | (#44239873)

If the email client simply generated a private/public key pair, and attached the public key, tracking and building up confidence in the public key associated with each email address, then your Facebook friends wouldn't care.

It would just work, as OTR does now.

As Skype used to work, before MS bought them and backdoored it.

Re:What's wrong with OTR? (0)

Anonymous Coward | 1 year,21 days | (#44238765)

According to police forces, they're not really interested in the *content*. The metadata/headers are far more useful, and easily allow them to create a social graph and even data on your habits.

OTR only protects the contents.

And btw: Unless you physically checked if the key is only in control of the person you think it is, it's all pointless or even more dangerous anyway.

Re:What's wrong with OTR? (1)

cryptizard (2629853) | 1 year,21 days | (#44240153)

OTR only works if you either:

1) Trust the network
2) Have a shared secret between the users or
3) Have an out of band channel to compare public key fingerprints

Now, this service is probably going to use the same (or a similar) protocol but fall under category 1 by distributing everyone's public keys. If you trust them to give you the correct key then the system can be secure.
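The two trust options the comments above keep returning to, a client that pins the first key it sees for an address and tracks how often it recurs, and an out-of-band fingerprint comparison (category 3), as an added example that is not part of any post here; the key bytes and address are constructed placeholders.

```python
import hashlib
from typing import Dict

# Constructed sample keys: stand-ins for a contact's long-term public key.
KEY_ALICE_V1 = b"-----BEGIN PUBLIC KEY----- alice-key-v1 (constructed) -----"
KEY_ALICE_V2 = b"-----BEGIN PUBLIC KEY----- alice-key-v2 (constructed) -----"


def fingerprint(pubkey: bytes) -> str:
    """Truncated SHA-256 of the key, grouped so it can be read out loud."""
    digest = hashlib.sha256(pubkey).hexdigest()[:40]
    return " ".join(digest[i:i + 8] for i in range(0, 40, 8))


class KeyStore:
    """Trust-on-first-use store: one pinned fingerprint per address.

    A pin made on first contact is only 'trust the network' until the
    fingerprint has been compared over a second channel.
    """

    def __init__(self) -> None:
        self.pins: Dict[str, dict] = {}

    def check(self, address: str, pubkey: bytes) -> str:
        fp = fingerprint(pubkey)
        rec = self.pins.get(address)
        if rec is None:
            self.pins[address] = {"fp": fp, "verified": False, "seen": 1}
            return "new"                # pinned, but nobody has verified it
        if rec["fp"] == fp:
            rec["seen"] += 1
            return "verified" if rec["verified"] else "unverified-match"
        # A different key for a known address: either a legitimate key
        # rotation or someone sitting between the two parties. Refuse
        # silently re-pinning; the user has to decide out of band.
        return "MISMATCH"

    def verify_out_of_band(self, address: str, spoken_fp: str) -> bool:
        """Compare a fingerprint obtained over another channel (phone, in person)."""
        rec = self.pins.get(address)
        if rec is None:
            return False
        ok = rec["fp"].replace(" ", "") == spoken_fp.replace(" ", "").lower()
        if ok:
            rec["verified"] = True
        return ok
```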

Connect to IRC via Loopback (0)

Anonymous Coward | 1 year,21 days | (#44237019)

How is this any more secure than a locked down SSH server (& Locked down user accounts) that runs an IRC Client when bash is called and connects via loopback/SSL to an IRC server?

If this is a serious contender to say a darknet, or to Retroshare, then I might be interested.

"That which does not kill us makes us stronger." (5, Insightful)

seoras (147590) | 1 year,21 days | (#44237053)

When you try to eradicate anything and fail, you only succeed in making it stronger and more menacing.
It's true in medicine with antibiotics and bacteria, it's true in nature with mosquitoes and the various failed attempts to defeat their spread of malaria.

Skype was born from the technology to evade detection and network filtering (Kazaa).
The first time I fired up Skype I couldn't believe the complexity of the networking it got into.
A close friend, who worked in networking with me, un-installed it immediately as it looked like a trojan at the network layer.

TPB people have learned some very hard lessons about evasion, law and staying alive online under extreme hostilities.

It'll be interesting to see what the next "Skype" will be and this could be either it, or one more step towards it.

Fast??? (1)

Thor Ablestar (321949) | 1 year,21 days | (#44237783)

The fundamental problem of the next Skype is that any attempt to produce a really anonymous network will need lots of nodes in the delivery chain and will correspondingly produce too-long delays, but a texting-only app suffers at least in that users cannot verify their correspondents by a known voice. And you should not trust a network where the intermediary nodes are not under direct control of participants, since they all may belong to the FSB (KGB, NSA, aso).

Re:"That which does not kill us makes us stronger. (0)

Anonymous Coward | 1 year,21 days | (#44239201)

A close friend, who worked in networking with me, un-installed it immediately as it looked like a trojan at the network layer.

What kind of logic is that? I look like a Mexican AND like an Arab too. Doesn't mean I go suicide-bomb some pools or crops </stereotypes>. :P
If you know what I mean...

Your "trojan" detection clearly is off.

Re:"That which does not kill us makes us stronger. (1)

seoras (147590) | 1 year,21 days | (#44239379)

I worked in Cisco System R&D on IOS for 12 years (1994-2006).
I have patents on network monitoring specific to NetFlow (or Flexible NetFlow) which came from being on the team that redesigned Cisco's netflow on IOS.

That's how I spotted what Skype was doing, and so did my colleague.
We had Cisco routers at home, running our own dev code, watching our own home network traffic.

He thought the skype traffic looked like something a Trojan would do, but since neither of us worked in Anti-virus software or hacking, what would we know?
I, being less paranoid, stuck with Skype as I figure it was just being clever in avoiding network filtering.
After all, why would the telcos, who provide our networks, let some hackers from Sweden steal all their long distance voice calls...? :)

Official communication tool for the EU-parliament? (0)

colordev (1764040) | 1 year,21 days | (#44237141)

Peter Sunde will run for European Parliament in the 2014 election with the Pirate Party of Finland. Quite impossible to think of any intelligent person not voting for him.

Re:Official communication tool for the EU-parliame (0)

Anonymous Coward | 1 year,21 days | (#44237417)

So it's impossible to think there are intelligent people outside of Finland?

Re:Official communication tool for the EU-parliame (1)

colordev (1764040) | 1 year,21 days | (#44238701)

oh, quite the opposite

Re:Official communication tool for the EU-parliame (3, Funny)

mwvdlee (775178) | 1 year,21 days | (#44237599)

Peter Sunde will run for European Parliament in the 2014 election with the Pirate Party of Finland. Quite impossible to think of any intelligent person not voting for him.

Indeed his ideas on medical healthcare, social welfare, military spending and road infrastructure are renowned and undeniable.
Quite impossible to think any intelligent person would care for anything besides those particular issues.

Re:Official communication tool for the EU-parliame (0)

Anonymous Coward | 1 year,21 days | (#44238591)

Indeed his ideas on medical healthcare, social welfare, military spending and road infrastructure are renowned and undeniable.
Quite impossible to think any intelligent person would care for anything besides those particular issues.

Well, look at the alternatives. Every other candidate is all about removing your rights. What good are roads if you can't travel freely? What good is the military if it is used against you?
None of the other issues matter at all until the freedom part is fixed.

Also I wouldn't call his ideas on those subjects renowned. They are just not very radical. Pretty much like the other candidates.

Proprietary AND for money!? (0)

Anonymous Coward | 1 year,21 days | (#44237365)

So let me get this straight: it's closed source, will have "premium features" for paid apps, AND they want $100k? Yeah, no, they can go shove it up their ass.

So, "don't be evil" Heard that before. (1)

stevegee58 (1179505) | 1 year,21 days | (#44237579)

It all boils down to trusting a company once again.

Torchat (0)

Anonymous Coward | 1 year,21 days | (#44237843)

What about torchat? It is supposed to be encrypted, anonymous, decentralized and open source; doesn't anyone use it?

Then there's Serval Mesh... (1)

complete loony (663508) | 1 year,21 days | (#44237891)

... which works for local communications even when the internet itself is down. Importantly, this is an application that already exists [google.com] . Plus everything we're doing is open source [github.com] and we'll never lock any features behind a paywall.

I've been working on Serval's software for a couple of years now building the core feature set; encrypted calling and messaging, distributed phone number lookups, file distribution, software updates and installs in the field...

But since we're initially targeting android phones, we're stuck with the range limitations of Wi-Fi. So we're trying to fund [igg.me] the design and manufacture of a pocket sized device with much longer range (totally shameless plug).

There are still a few missing features in our software that we'll need to finish before we call it version 1.0. But with enough funding I could easily build a P2P directory to provide services across the internet, with no centrally controlled servers at all.

Cryptocat (1)

bemasher (1610233) | 1 year,21 days | (#44237893)

Is this any better or more useful than the service Cryptocat (https://crypto.cat/)? Seems like a duplication of efforts to me.

Re:Cryptocat (1)

krenaud (1058876) | 1 year,21 days | (#44238511)

It is difficult to comment on differences since Heml.is doesn't actually exist yet. But, one major difference is that Heml.is will exist as phone apps and there will be secure syncing of keys between devices. CryptoCat is a web-based solution which doesn't sync private keys between devices.

Re:Cryptocat (1)

Pike (52876) | 1 year,21 days | (#44239371)

I'd say we definitely need something besides Cryptocat [tobtu.com] :

"Cryptocat is run by people that don't know crypto, make stupid mistakes, and not enough eyes are looking at their code to find the bugs. Cryptographers know the minimums or at least know you should look them up. Cryptocat tried PBKDF2, RSA, Diffie-Hellman, and ECC and managed to mess them all up because they used iterations or key sizes less than the minimums. There was a bug in the generation of ECC private keys that went unchecked for 347 days."

(As far as the competence of the people behind heml.is, I can't say one way or the other.)

Skeptical (1)

IamTheRealMike (537420) | 1 year,21 days | (#44237953)

Any application intended to resist modern government surveillance is going to be extremely difficult to write, because it has to be resistant to bogus secret "court orders". The only way I know to do that is to have many independent developers engage in multi-party signatures of reproducible builds based on audited and reviewed open source code. If they're just going to run a company that develops it in a proprietary manner how will they achieve that?

I am more interested in Pond [github.com] . It's being written by an actual cryptographer and he already has real, working code (though it's nowhere near releasable). It's up front about its security model and which threats can break it. It's built on top of Tor and even supports using the TPM chip so that when you press delete, the data is really really gone beyond the ability of any forensics tools to recover. It's even designed to resist traffic analysis. Anyone can run a server.

The main differences are that, obviously, Pond is not developed by a company, and it is focussed on asynchronous email style messaging rather than instant messaging. It's also got a very strong threat model that means it compromises on usability - for instance, there are no addresses in Pond, instead you are expected to hand out small files (perhaps on NFC tags?) to people who you want to be able to receive messages from (this is an anti-spam measure).

Despite all that it's a very interesting piece of research.

tormail anyone? (1)

slashmydots (2189826) | 1 year,21 days | (#44238583)

Tormail is free and already well established.

Surespot - Free as in beer, free as in freedom. (0)

Anonymous Coward | 1 year,21 days | (#44239899)

This android app (currently under development for iOS) is open source (github.com/surespot) and gaining momentum. "Exceptional encryption for everyone."

https://www.surespot.me/

Disclaimer: I know the developer.

Surespot.me - Free as in beer, free as in freedom (1)

bwhaley (410361) | 1 year,21 days | (#44239933)

This android app (currently under development for iOS) is open source (github.com/surespot) and gaining momentum. "Exceptional encryption for everyone."

https://www.surespot.me/ [surespot.me]

Disclaimer: I know the developer.

If it's not open, forget - don't kid yourself (1)

Kimomaru (2579489) | 1 year,21 days | (#44240139)

It's a proprietary service, so you don't know if they're doing what they say they are. Forget it. Absolutely ridiculous - it's the same problem we have now in that few people really know what's going on. Let the project drown.