
Encrypted Social Network Vies For Disgruntled Facebook Users

timothy posted about 10 months ago | from the network-effects-are-hard-to-handwave dept.

Privacy 162

angry tapir writes "With the look of Google Plus and Facebook-like elements, a new social network named "Syme" feels as cozy as a well-worn shoe. But beneath the familiar veneer, it's quite different. Syme encrypts all content, such as status updates, photos and files, so that only people invited to a group can view it. Syme, which hosts the content on its Canada-based servers, says it can't read it. "The overarching goal of Syme is to make encryption accessible and easy to use for people who aren't geeks or aren't hackers or who aren't cryptography experts," co-founder Jonathan Hershon said in an interview about the service." See also Diaspora.


Oh goody (-1)

Anonymous Coward | about 10 months ago | (#45559049)

Canadian frosty piss with a dash of maple syrup!

Promises (-1, Redundant)

2.7182 (819680) | about 10 months ago | (#45559059)

They encrypt all of your data and keep it secret. Until the day that they don't.

Re:Promises (1, Insightful)

Anonymous Coward | about 10 months ago | (#45559089)

They encrypt all of your data and keep it secret. Until the day that they don't.

That's not the fatal flaw. If you generated a private key and people you friended got a copy of a public key... it could feasibly make it so they couldn't read it. That's fine.

The real problem with that site is that all of 4 people actually care about encrypted, so their market size is negligible. And those 4 people are basement dwellers anyways, so the advertisers don't care either. Expect them to struggle to monetize it and stay in business.

Re:Promises (4, Insightful)

noh8rz10 (2716597) | about 10 months ago | (#45559377)

well, if they're looking to woo disgruntled users, then slashdot is a great place to advertise!

Re:Promises (1)

Opportunist (166417) | about 10 months ago | (#45559839)

Depends only on whether those basement dwellers have the money and are willing to buy some virtual bling for their virtual pony farm.

You sound just like a spook (-1)

Anonymous Coward | about 10 months ago | (#45559947)

Create an unflattering image of those that care for their privacy?

Well anyway, I think this social network is well on its way to failure. Privacy shouldn't need to be talked up. That's like a parent saying they take care of their children. Yeah moron that's what parents are supposed to do, you want a prize?

Just create an awesome social network that rivals Facebook for its features, and yeah just encrypt shit. Because that's just what you should do. No need to overstate things.

Re:Promises (4, Informative)

TheDarkener (198348) | about 10 months ago | (#45559103)

Except that they don't encrypt your data, you do. Probably would have helped to RTFA, huh bub? =p

Re:Promises (-1)

Anonymous Coward | about 10 months ago | (#45559143)

Except that they don't encrypt your data, you do. Probably would have helped to RTFA, huh bub? =p

but how else could you fail to understand it and then reply to a useless "frosty piss" post just to get your ignorance near the top of the page?

i mean he's not a miracle worker! jeez

Re:Promises (-1, Flamebait)

Anonymous Coward | about 10 months ago | (#45559181)

You know what I do when I come across a comment from someone who didn't RTFA? I insert my 10-pound dildo into my anus and, before too long, any consternation the post caused is forgotten. Maybe you should try it!

Re:Promises (0)

Anonymous Coward | about 10 months ago | (#45559211)

Can you mail it to me?

Re:Promises (0)

Anonymous Coward | about 10 months ago | (#45559279)

Try your local hardware store! At 10 pounds it's not cheap to mail. I've used a five-pounder, but it lacks the ineffable gravitas of its weightier counterpart.

Re:Promises (1)

Anonymous Coward | about 10 months ago | (#45559367)

Oh! I thought it had to be yours.

Thanks for clarifying.

cheers from Canada.

Re:Promises (0)

Anonymous Coward | about 10 months ago | (#45560103)

Try your local hardware store! At 10 pounds it's not cheap to mail. I've used a five-pounder, but it lacks the ineffable gravitas of its weightier counterpart.

Oh! I thought it had to be yours.

Thanks for clarifying.

cheers from Canada.

Silly Canadian AC is silly!

If it was his, we'd be talking *GRAMS*, not pounds!

[rimshot]

Thanks! I'll be here all week!

Don't forget to tip your hamburger, and try the waitresses!

Strat

Re:Promises (1)

AlphaWolf_HK (692722) | about 10 months ago | (#45559889)

This is nice and all, and I do wish more sites would do this (mega style ecmascript encryption) however it isn't foolproof; the server could be "ordered" to give you a page that steals your keys by the NSA or whoever else.

IMO a nice way to prevent that from happening in the future would be to add this as part of the W3C standards so that the browser can encrypt using native code. That way you never give your keys over for processing by any code that has been issued to you by a server, rather instead you simply hand over the data after it's encrypted. Though we'll need to add some kind of virtual environment, say for example a google docs style editor that runs in the browser, only it can edit your encrypted content without the possibility of any unencrypted data making its way back to the server.

This would of course take years to figure out, standardize, and then implement, but so does everything else.

Re: Promises (-1)

Anonymous Coward | about 10 months ago | (#45559215)

canada based servers..really? and they expect it to be secure?

Re:Promises (3, Informative)

CastrTroy (595695) | about 10 months ago | (#45559269)

Exactly. Reminds me of the stuff about Dropbox telling everybody their stuff was encrypted, and that even employees of Dropbox couldn't read the files. But it turned out that it wasn't true, and that files weren't actually being encrypted with the user's password, but with a single master key that was in the hands of Dropbox.

Re:Promises (1)

Richard_at_work (517087) | about 10 months ago | (#45560205)

You say "it turned out" as if that was only discovered later on, when in fact it was a well known thing from day one, or at least those of us who signed up on day one knew what was going on and the "revelation" was not a surprise.

Leave it to slashtards... (0, Flamebait)

Anonymous Coward | about 10 months ago | (#45559051)

Leave it to slashtards to take a story about a new social networking site and shoehorn in a Diaspora mention. "Oh hey, here's this neat new site to try and go up against Facebook, but TRY DIASPORA INSTEAD!" Face it, if Diaspora were going to catch on, it would have by now. As it stands, you're getting lumped in with Bing shouting "Please! Love me!" at anyone who will listen...

1984 reference (5, Informative)

Anonymous Coward | about 10 months ago | (#45559069)

Syme—Winston's colleague at the Ministry of Truth, whom the Party "vaporised" because he remained a lucidly thinking intellectual. He was a lexicographer who developed the language and the dictionary of Newspeak, in the course of which he enjoyed destroying words, and wholeheartedly believed that Newspeak would replace Oldspeak (Standard English) by the year 2050. Although Syme's politically orthodox opinions aligned with Party doctrine, Winston noted that "He is too intelligent. He sees too clearly and speaks too plainly". After noting that Syme's name was deleted from the members list of the Chess Club, Winston infers he became an unperson who never had existed. Goldstein's book says that "Between the two branches of the Party there is a certain amount of interchange, but only so much as will ensure that weaklings are excluded from the Inner Party and that ambitious members of the Outer Party are made harmless by allowing them to rise." It is unknown whether Syme has been killed or promoted in the Inner Party in another province.

angry tapir (0)

Anonymous Coward | about 10 months ago | (#45559093)

writes like an underpaid shill.

itsatrap! (0)

Anonymous Coward | about 10 months ago | (#45559097)

nuff said

It's reasonable! (5, Interesting)

Anonymous Coward | about 10 months ago | (#45559101)

I read the article expecting it to be crap, ignore meta-data etc. What I found however was a decent article discussing that the service used open source client side crypto libraries, and they even acknowledged the meta-data problem and how it makes their service not truly private. They also mentioned how it's very unlikely to go big like facebook and it summed up with some reasonable example use cases. I haven't seen such a non crap article in a long time!

So is it libre or not? (1)

Toe, The (545098) | about 10 months ago | (#45559105)

The FAQ mentions that they intend to open the source, but of course opened source doesn't really necessarily imply libre. And in the interview they talk of a paid version. So, are there ads or not?

So what's the point of a different Facebook if it's not libre? Just a different way to sell yourself to advertisers (reminder: for Facebook, you are not the customer, you are the product).

A truly free social network would have no ads, no profit motive, no logs, no intrusion; just a way for people to share as much or as little with only those they wish to share with.

Is there really no true libre social network, and if not, why not? Do I need to start one, or is it already in the works?

Re:So is it libre or not? (0)

Anonymous Coward | about 10 months ago | (#45559135)

Check out Diaspora. If you don't like it, fork it (or make your own from scratch).

Re:So is it libre or not? (4, Insightful)

rudy_wayne (414635) | about 10 months ago | (#45559305)

A truly free social network would have no ads, no profit motive, no logs, no intrusion; just a way for people to share as much or as little with only those they wish to share with.

Is there really no true libre social network, and if not, why not?

Money.

Facebook and Google don't do the things they do simply because they are evil. They do it because that's how they get the money to pay for those giant buildings full of servers that they run, which provide the services you use.

Maybe in the 24th century when The Federation is building starships, colonizing the galaxy and zooming around the universe, all without any apparent need for money, they can also build your "no ads, no profit motive" social network.

Re:So is it libre or not? (1)

Frosty Piss (770223) | about 10 months ago | (#45559335)

Maybe in the 24th century when The Federation is building starships, colonizing the galaxy and zooming around the universe, all without any apparent need for money, they can also build your "no ads, no profit motive" social network.

USENET.

Re:So is it libre or not? (2)

Richard_at_work (517087) | about 10 months ago | (#45560213)

Paid for either as part of your ISP bill when you use their servers, or when you sign up to a USENET provider. I never saw a free provider which gave you all branches, especially alt.binary etc.

Re:So is it libre or not? (4, Insightful)

Toe, The (545098) | about 10 months ago | (#45559391)

Yeah, I understand Economics 101. I also understand that Firefox, Linux, Wikipedia, Apache, PHP, etc. are not all about the money (though money is tied to most of them extraneously; but not really at all to Wikipedia).

There are these things called non-profits. A non-profit social network seems like a no-brainer, and I'm not sure why it doesn't exist; let alone rule them all.

A non-profit social network could show ads... to people who felt like seeing them. Money gets made (enough to buy servers & connectivity), but the profit itself isn't the core motive. And the users are not product.

Re: So is it libre or not? (0)

Anonymous Coward | about 10 months ago | (#45560081)

WRONG.

The real reason is that Facebook, Google et al. are part of the Total Information Awareness program. The program was supposedly canceled, but it was just privatized.

Google and Facebook could just ask 10 $ a month and never show ads but but but...

Re:So is it libre or not? (3, Insightful)

fyngyrz (762201) | about 10 months ago | (#45559447)

So what's the point of a different Facebook if it's not libre?

How about a "different Facebook" where they didn't censor the things you write and post, but instead, your content is judged, and viewed (or not viewed) based on the opinions of those you've invited to share your pages? How about a "different Facebook" where anyone can join? How about a "different Facebook" where you can cleanly choose ads, or paid presence? How about a "different Facebook" where you control how your personal information is accessed, instead of having control assumed by the social network?

Your focus on "libre" is incomprehensible to me. Of all the myriad things wrong with Facebook -- and by that I mean things directly harmful to its users and potential users, and unchangeable by them -- "libre" is far down any list ranked by importance.

The nerve! (1)

Anonymous Coward | about 10 months ago | (#45559121)

How dare you spy on me as i post every detail of my life online!

Why... im going to encrypt everything! that'll show you! you have no right to violate my privacy as i tell the world about everything in my entire life!

Re:The nerve! (4, Insightful)

tftp (111690) | about 10 months ago | (#45559569)

you have no right to violate my privacy as i tell the world about everything in my entire life!

The discussion here is about sharing within a controlled group.

Re:The nerve! (2, Interesting)

Anonymous Coward | about 10 months ago | (#45559705)

}}controlled group.

Impossible. If i can see it. I can copy it. No matter what. I CAN make a copy. Even going all the way to manual transcription or recording my monitor.
Your group just lost complete control. And we're back to the world.

There is always a weak link in any chain. One will always break first.
So you can pretty much guarantee anything you 'share' with a controlled group will be available to the world. Especially if there's gain to be made. Even faster among people who have no severe life punishment for 'sharing'. But even then with severe penalties such as the NSA. Who STILL can't keep control of their secret information among a controlled group.

You share. You're sharing with the world. Bet on it.

Who keeps the keys? (1)

Kwyj1b0 (2757125) | about 10 months ago | (#45559129)

I read the article, and all I could see is that when you join a group, you get the decryption key for that group - but from whom? If it is automatically done (i.e. Syme holds the key), then it is no more secure to snooping from agencies than any other service (well, except for the fact that it is based in Canada - ah, who am I kidding). What you would need is the group/thread creator send the decryption key directly to the collaborators - which basically means they already need a secure communication medium (sending it over unsecure email is just stupid). Which would then bring me to ask why not just use that medium?

Re:Who keeps the keys? (1, Funny)

Dan East (318230) | about 10 months ago | (#45559141)

Which would then bring me to ask why not just use that medium?

So by your logic Facebook or Google+ don't need to exist because we have insecure email already?

Re:Who keeps the keys? (0)

Anonymous Coward | about 10 months ago | (#45559171)

That seems pretty easy to do securely if every user can send secure messages to every other user (requires trusting that Syme is being honest about the public keys or allowing for out of band verification of them) then joining a group means sending a message to a user authorized to add you to the group and that person replying with the group key. (These would be messages handled by the software and transparent to the user.) That does require the other user to sign on so joining a group under that method might not be instant. Also, there's probably a better way to handle the encryption so every user has different keys.

Re:Who keeps the keys? (1)

93 Escort Wagon (326346) | about 10 months ago | (#45559183)

You're safe from the NSA, but the Mounties own you.

Re:Who keeps the keys? (0)

Anonymous Coward | about 10 months ago | (#45559345)

Except Canada is a 5 Eyes country.

Re:Who keeps the keys? (3, Informative)

mlts (1038732) | about 10 months ago | (#45559225)

I can see two ways to do groups:

1: The group is a collection of private keys, so when one encrypts to Alice's group, in reality, Alice, Bob, Charlie, David, Elizabeth, and Frank have a key encrypted with their public keys and stored. The good about this is that the keys are secured, and there are no intermediate steps. The bad is that if Alice boots Charlie from the group and adds Mallory, stuff encrypted to the group is still readable by Charlie and not by Mallory until the object's core unlock key [1] is unlocked, the old names removed and new ones added.

The second is having the group have its own key, which is unlocked by Alice, Bob, etc. If someone is booted from the group, their user has the key removed from it. This makes things easier in not having to partially decrypt an object to add stuff, but it means one more key generated and possibly compromisable.

[1]: Most encryption uses a core symmetric key that is randomly generated, then encrypts that core key using the user's hashed passphrase, their public key, or both. Public key crypto is very rough on the CPU, so it is only used as little as possible, and in general, symmetric key algorithms are more secure than public/private key ones.

Re:Who keeps the keys? (1)

tftp (111690) | about 10 months ago | (#45559591)

Solution 1. When Alice posts to the group, she encrypts to keys of Bob, Charlie and David. If David wants to boot Charlie, he generates a new key and sends individual copies, encrypted, to Alice and Bob. Each copy is encrypted to one key and can be only read by key holder.

Charlie can still post; however his post won't be readable by David because he changed the key, and David doesn't have it. David won't encrypt his posts to Charlie's key. Alice and Bob can either post using Charlie's key, or they can also boot him from the group. A group member who does not have keys of other members can only talk to himself.

This solution only requires a method to push new keys to members. It also implements "soft voting out" of unwanted group members, without using a moderator.
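Added example, not part of the thread and not Syme's code: the group-key scheme from the two comments above (mlts's second option with tftp's rekey on removal), run against an untrusted server that stores only wrapped keys and ciphertext. All function names are hypothetical, and it assumes members' public keys were authenticated out of band.

```javascript
// Added illustration with hypothetical names; not Syme's implementation.
const nodeCrypto = require("node:crypto");

const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// A member's key pair is generated on the client; only publicKey ever leaves it.
function createMember(name) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  return { name, publicKey, privateKey };
}

// What the untrusted server stores: wrapped keys and ciphertext, never plaintext.
function createServer() {
  return { epoch: 0, wrappedKeys: new Map(), posts: [] };
}

// Start a new epoch: fresh random group key, wrapped once per current member.
// Called at group creation and again whenever someone is removed.
function rotateGroupKey(server, members) {
  const groupKey = nodeCrypto.randomBytes(32);
  const wrapped = new Map();
  for (const m of members) {
    wrapped.set(m.name, nodeCrypto.publicEncrypt({ key: m.publicKey, ...OAEP }, groupKey));
  }
  server.epoch += 1;
  server.wrappedKeys.set(server.epoch, wrapped);
  return server.epoch;
}

// Recover the group key for an epoch, or null if none was wrapped to this member.
function unwrapGroupKey(server, member, epoch) {
  const wrapped = server.wrappedKeys.get(epoch);
  if (!wrapped || !wrapped.has(member.name)) return null;
  return nodeCrypto.privateDecrypt({ key: member.privateKey, ...OAEP }, wrapped.get(member.name));
}

// Encrypt a post under the current epoch's key; epoch and author are bound as AAD.
function publish(server, author, text) {
  const epoch = server.epoch;
  const key = unwrapGroupKey(server, author, epoch);
  if (!key) throw new Error(`${author.name} holds no key for epoch ${epoch}`);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(`${epoch}:${author.name}`));
  const ciphertext = Buffer.concat([cipher.update(text, "utf8"), cipher.final()]);
  server.posts.push({ epoch, author: author.name, iv, ciphertext, tag: cipher.getAuthTag() });
  return server.posts.length - 1;
}

// Decrypt a stored post; returns null when the reader has no key for its epoch.
function read(server, reader, index) {
  const post = server.posts[index];
  const key = unwrapGroupKey(server, reader, post.epoch);
  if (!key) return null;
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, post.iv);
  decipher.setAAD(Buffer.from(`${post.epoch}:${post.author}`));
  decipher.setAuthTag(post.tag); // final() throws if ciphertext or AAD was altered
  return Buffer.concat([decipher.update(post.ciphertext), decipher.final()]).toString("utf8");
}

// Constructed scenario: three members, one post, Charlie removed, another post.
function demo() {
  const [alice, bob, charlie] = ["alice", "bob", "charlie"].map(createMember);
  const server = createServer();
  rotateGroupKey(server, [alice, bob, charlie]);
  const before = publish(server, alice, "picnic on Saturday");
  rotateGroupKey(server, [alice, bob]); // Charlie gets no wrapped copy of the new key
  const after = publish(server, bob, "new venue, keep it quiet");
  return {
    charlieOld: read(server, charlie, before),
    charlieNew: read(server, charlie, after),
    aliceNew: read(server, alice, after),
    serverSeesPlaintext: server.posts.some((p) => p.ciphertext.includes("picnic")),
  };
}

console.log(demo());
```

Rotation only protects posts made after it: anything Charlie could already decrypt stays readable to him unless it is re-encrypted, which is the trade-off mlts points out.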

Chrome only (3, Insightful)

Curunir_wolf (588405) | about 10 months ago | (#45559175)

So it's a social network that "protects your data" ... and requires Google Chrome. :/

Why am I skeptical?

Re:Chrome only (1)

Anonymous Coward | about 10 months ago | (#45559191)

So it's a social network that "protects your data" ... and requires Google Chrome. :/

Why am I skeptical?

Because you've internalized the slashdot groupthink.

Also (2)

aliquis (678370) | about 10 months ago | (#45559209)

.. with more or less everything else broken into how secure should I really feel using it?

Re:Also (4, Informative)

aliquis (678370) | about 10 months ago | (#45559237)

They answered that themselves:
https://getsyme.com/about [getsyme.com]

So something like "not much, but at least we're trying."

Re:Chrome only (5, Interesting)

swillden (191260) | about 10 months ago | (#45559271)

So it's a social network that "protects your data" ... and requires Google Chrome. :/

Why am I skeptical?

The extension should work just fine with Chromium, I would expect. And they said Firefox is in the works.

Personally, I think the idea is an interesting one. In general, I think it's on the right track. The only way to get the masses to use encryption is to make it invisible. The flaws of SSL are well-known, but the fact is that in practice it mostly works really well, and it is used by basically everyone on the web. Making it invisible means that you have to embed key management seamlessly into the infrastructure, and making it have some hope of being secure means that it has to be pushed out to the endpoints -- including key management.

On the right track, but this is a really, really hard problem to solve fully.

One issue is that although the keys are generated in the browser plugins, they're obviously exchanged through the Syme server, putting it in an ideal position to completely subvert the claimed security. Making security both transparent and strong is hard.

Another issue is portability. I can log into Google+ or Facebook from any computer. But if my browser is holding my keys, then I can only use my browser. If the keys are stored in the cloud, well, that's great for portability, but the keys then have to be secured from whoever is holding them.

Still, I like to see initiatives like this. The only way hard problems get solved is by clever people trying.

(Disclaimer: Since this post mentions Google+ and Chrome, I should probably mention that I'm a Google engineer, but I'm not speaking for Google.)

Re:Chrome only (2)

Nerdfest (867930) | about 10 months ago | (#45559431)

These guys [trsst.com] are doing something similar, more twitter/message based. It was a recent KickStarter, and the beta should be ready in December.

"It supports the open web" = not secure (1)

Jody Bruchon (3404363) | about 10 months ago | (#45559451)

Anything that works via a browser is automatically not secure. The same reasons that Tor is not secure apply to all other things that use a web browser. This service would be interesting if it weren't for the fact that it "supports the open web."

For the purposes of security, the "open web" is completely broken. The required change is far more radical than "we can do encrypted tweet-like communications with heavily insecure and NSA-breakable applications as the framework."

Re:Chrome only (2)

fyngyrz (762201) | about 10 months ago | (#45559461)

The flaws of SSL are well-known, but the fact is that in practice it mostly works really well

The flaws of SSL are well-known, but the fact is that [the system cripples those who object] really well [via a conspiracy among browser authorship implementing bogus scare-the-user dialogs for perfectly normal implementations of SSL]

FTFY.

Re:Chrome only (2)

swillden (191260) | about 10 months ago | (#45559517)

The flaws of SSL are well-known, but the fact is that in practice it mostly works really well

The flaws of SSL are well-known, but the fact is that [the system cripples those who object] really well [via a conspiracy among browser authorship implementing bogus scare-the-user dialogs for perfectly normal implementations of SSL]

FTFY.

It's impressive how completely you missed the point.

Re:Chrome only (1)

fyngyrz (762201) | about 10 months ago | (#45559627)

Well, it was impressive to me how the claim that SSL "work really well" was dropped as if it was actually the truth. Obviously truth is not a concern for you. That's ok. I'm not looking to change any dug-in mindsets.

Re:Chrome only (0)

Anonymous Coward | about 10 months ago | (#45559891)

Another issue is portability. I can log into Google+ or Facebook from any computer. But if my browser is holding my keys, then I can only use my browser. If the keys are stored in the cloud, well, that's great for portability, but the keys then have to be secured from whoever is holding them.

Sure, sure. But, then again... I can log into my online ebanking account from any computer. But, why would I even do such a thing unless I want someone to eventually hijack my account?

Ignoring that small detail... it's always possible to store the crypto keys as a file in a USB pen, no? (I mean... if you are logging to your accounts from another computer, it's implicit you already trust that computer to not be full of malware/keyloggers and whatnot that would steal your password file). You guys at Google do know that there are alternatives to storing all your crap on Google Drive, right? Just checking...

PS: Google+ is shite. And, even if it wasn't, I'd never join simply for the fact that Google keeps NAGGING (and downright trying to trick) people into making a Google+ account. Just fuck off already. Facebook is as shitty as your shite, but at least it contains ACTUAL PEOPLE, so it's marginally more useful than your piece of shit.

Have a nice day :)

What could go wrong? (0, Flamebait)

ExecutorElassus (1202245) | about 10 months ago | (#45559229)

So, who wants odds on how long it'll take before this becomes a haven for pæderasts to swap kiddie porn? Anyone?
I'm guessing about six months..

Re:What could go wrong? (0)

Anonymous Coward | about 10 months ago | (#45559263)

No need to wait, "pedophile", "terrorist", "drug dealer", and "money launderer" are standard accusations, and if you suggest they are BS, you must be a co-conspirator.
Essentially they are for snoops what, "he attacked me with his vehicle" is for a cop with a dead body to explain.

Re:What could go wrong? (0)

Anonymous Coward | about 10 months ago | (#45559445)

you're joking right? this is clearly a forum for politicians to do business

Re:What could go wrong? (1, Insightful)

Anonymous Coward | about 10 months ago | (#45559275)

So, who wants odds on how long it'll take before this becomes a haven for pæderasts to swap kiddie porn? Anyone?
I'm guessing about six months..

Fuck the children... not in that way though. This is why we can't have anything nice, there's always someone trying to save the kids.

How could you tell? (1)

Okian Warrior (537106) | about 10 months ago | (#45559291)

So, who wants odds on how long it'll take before this becomes a haven for pæderasts to swap kiddie porn? Anyone?
I'm guessing about six months..

How could you tell? For that matter, would you want to tell?

Quick question: would you support banning CP if it resulted in more children getting molested?

I only ask because the best evidence we have indicates that it does. The website will change a legal framework that, despite the best intentions, promotes child abuse.

And this will not inconvenience the police in any way. If they have evidence of wrong-doing, they can get a "sneak and peek" [wikipedia.org] warrant and install a bug on the suspect's computer.

This system only ensures that the police get judicial oversight, which they needed anyway.

Re:How could you tell? (0)

Anonymous Coward | about 10 months ago | (#45559525)

And how would they get evidence of wrongdoing if they can't have computer software monitoring the files in the first place? You just get a guilty until proven innocent type of system like Tor.

We need to have a discussion about what we feel should be blocked in this society. Nuclear bomb plans, CP, 3D printed guns, zero-day hacks, drug deals, etc...

Re:How could you tell? (1)

Okian Warrior (537106) | about 10 months ago | (#45559647)

We need to have a discussion about what we feel should be blocked in this society. Nuclear bomb plans, CP, 3D printed guns, zero-day hacks, drug deals, etc...

I agree completely. Here's my position [wikipedia.org].

What's yours?

Re:How could you tell? (1)

Opportunist (166417) | about 10 months ago | (#45559859)

Information must not be illegal. Acting on that information, ok. But outlawing information itself is dangerous, at best.

Re:How could you tell? (0)

Anonymous Coward | about 10 months ago | (#45559951)

Oh no, the illegal bits! Show them a picture, and arrest them for remembering forbidden information! Remembering illegal information is both possession of illegal information, and violation of the copyright on said information (your memory is a copy, and the EULA does not permit remembering this material).

Now stop remembering my post, or I'll sue you for damages! I own this information!

Re:How could you tell? (1)

Opportunist (166417) | about 10 months ago | (#45559965)

See what I mean?

Re:How could you tell? (1)

ExecutorElassus (1202245) | about 10 months ago | (#45560221)

sigh ... I wish folks hadn't read more into my initial comment than I intended, but I suppose it's my own fault.
I wasn't actually stating an opinion on whether people trading pictures online was in itself a bad thing-- in fact, I suspect the other commenter up above is probably right, that "won't anybody think of the children??!!" is a bullshit argument that probably does more harm than good.
But any service that explicitly advertises itself as beyond the reach of surveillance will be, I suspect, very quickly populated with people circulating things that are, for better or worse, illegal.
An unintended consequence of trying to avoid the NSA and Facebook's marketing bullshit quickly gets known as a haven for perverts, rather than the actual good it might do (and yes, it may very well -- though I don't know nearly enough to have an opinion on the matter -- thus provide a safe outlet for people who might otherwise act out on their urges in more harmful ways).
Just look at Tor: what started out as a means for dissidents to escape surveillance is now known to most laypeople as "that place where drug dealers meet with money launderers and identity thieves and hackers to trade with impunity."

Re:What could go wrong? (0)

Anonymous Coward | about 10 months ago | (#45559697)

They specifically state their service does not offer anonymity or protect metadata. The relationship graph is not well protected (well, not quite as public as bitcoin though!). You would have to be stupid to use it for that kind of thing. What you need instead is something like Tor (which they specifically direct you to in their FAQ page). Yes, you also need some host (any host), but once behind something like Tor, it does not matter what host you use.

So in short: we already have all the tools to hide transition of information from the cops if you want. It's not hard. This site could help the naive users reach a semblance of security previously only enjoyed by people who really put in the efforts to hide (get a pseudonym, protect it with Tor, hide its data in Syme). I see that as a good thing. It might be more likely to persist given that they have plausible deniability and are outside the US. Same is true for Mega though.

Re:What could go wrong? (3, Informative)

Opportunist (166417) | about 10 months ago | (#45559855)

So what? The threat from pedos is insignificant compared to the threat from politicians.

Re:What could go wrong? (0)

Anonymous Coward | about 10 months ago | (#45559919)

So what? The threat from pedos is insignificant compared to the threat from politicians.

The threat from pedos that successfully hide their disorder from everyone online is especially low compared to politicians who successfully prevent anyone from hiding anything. I'd take well behaved pedophiles over big-brother any day.

That's a value judgement: it's just my opinion. Being me though, I think my opinion is better than those that disagree with it.

If the government wants to see everything, it makes me wonder if the government is a pedophile... (if you got nothing to hide, put a webcam in your kid's pants?)

Re:What could go wrong? (1)

Opportunist (166417) | about 10 months ago | (#45559961)

Big brother is probably a pedo if he wants to see everything from a 12 year old girl, but at any rate he's a really sick pervy peeping tom.

Do my friends use it? (0)

Anonymous Coward | about 10 months ago | (#45559249)

Do my friends use it? No.
Will they use it? No.
Who will I be social with using this new social network? No one.

Because they will all be on Facebook using what works for them, where all their pictures are, where all their friends and family are and where they can access all this from their nifty mobile apps for their various mobile devices.

Re:Do my friends use it? (1)

symbolset (646467) | about 10 months ago | (#45559595)

My problem with all these encrypted networks is that they are all immediately taken over not by whistleblowers and political dissidents, or plain folk wanting privacy, but people I strongly don't want to be around.

Re:Do my friends use it? (1)

Confusedent (1913038) | about 10 months ago | (#45559751)

Relevant: https://www.youtube.com/watch?v=CQSRPMFDTSs [youtube.com]

You're right, but personally I'm switching anyways. I'd been meaning to get rid of my FB account anyways - the only reason I still have it is that some people absolutely refuse to communicate by other methods. But part of getting people to finally switch is letting them know that you (by which I mean anyone, obviously) can't be contacted through facebook. I'm also sick that I'm promoting the continued use of their system by creating content for them. Every thing I post that gets a few likes is basically encouraging people to keep using facebook. Stop doing it.

Ah ha: I see how it works! (1)

Zanadou (1043400) | about 10 months ago | (#45559267)

How it works and how its contents remain "private" and "secure":

You use it, but none of your friends do.

Sniff test (3, Insightful)

onyxruby (118189) | about 10 months ago | (#45559321)

If you aren't being charged for the product, you are the product.

This axiom has been true for a very long time and it's true for this site as well as any other such thing. How are they making money? I'm not objecting to their making money, after all they have to pay for their servers, bandwidth and admins and so on.

It's a fundamental question that you simply can't ignore and economics requires that you have to deal with it whether you want to or not. You can have sponsors that donate time and materials, you have generic ads, volunteers to a certain point, you can charge people for your service and so on.

The point is somehow or another you have to get money, and this site is claiming that they get money in ways that don't exploit your privacy. Since exploiting your privacy is how these sites normally pay your bills, this leaves serious questions on how they are monetizing their site.

I love the idea that a site can raise money without exploiting privacy in an evil manner, but before I can give them any credibility to their model I have to know their model works. I hate to rain on people's feel good parade, but you can't run a website on community goodwill, hugs and unicorn farts.

Re:Sniff test (0, Offtopic)

Anonymous Coward | about 10 months ago | (#45559351)

> If you aren't being charged for the product, you are the product.

Why is it that in every single damn post to /. that mentions Facebook, some paranoid right winger spouts that nonsense. It isn't true despite what you Republicans want to believe. Also, stop trying to make everything about politics. It's so tiresome how you can't even make a post to a technical site without bringing politics into it.

Re:Sniff test (0)

Anonymous Coward | about 10 months ago | (#45559701)

> Why is it that in every single damn post to /. that mentions Facebook, some paranoid right winger spouts that nonsense

> stop trying to make everything about politics.

Making money is not about "politics." Just economics.

Instead of for-profit corporations, the vast majority of www sites used to be operated by universities and hobbyists. They could afford to pay out of pocket. They were just serving low volumes of simple files that did not involve much bandwidth, compared to the billions of pageviews of today's connected world. But that was twenty years ago in an era before scripting browsers and flash, and tracking was limited to those [now defunct] pageview counters.

Re:Sniff test (0)

Anonymous Coward | about 10 months ago | (#45559713)

> If you aren't being charged for the product, you are the product.

This seems like a philosophical statement to me. I think you are the one bringing in politics.

SenderDefender (2)

BitcoinBenny (3025373) | about 10 months ago | (#45559365)

When I read the summary I immediately thought to myself that I have similar goals to these guys, in that I want to make cryptography easily accessible to a wide variety of users. I'm specifically focused on secure file transfer, and am in open beta. You guys can check it out at https://www.senderdefender.com/ [senderdefender.com] and let me know what you think. Given how insecure cloud data is in general I suspect we will see a growing number of client side encrypted communication tools.

Matt

Re:SenderDefender (0)

Anonymous Coward | about 10 months ago | (#45559407)

Neat software, but your home page scared the shit out of me. I was not ready for that eye ball...

Re:SenderDefender (1)

BitcoinBenny (3025373) | about 10 months ago | (#45559415)

Hah, yeah. I've had mixed reactions to that. :-) I'll probably replace it with something a little less threatening that still gets the point across.

Re:SenderDefender (1)

flargleblarg (685368) | about 10 months ago | (#45559869)

Maybe you could have the eyeball explode or get shot with a bullet or poked with a sharp stick after two seconds? That would get the point across that you're shutting down the eye so it can't see anymore.

Re:SenderDefender (1)

flargleblarg (685368) | about 10 months ago | (#45559861)

That eyeball freaks me out. When I see your web page, I immediately think you're saying: "Install my software and I can watch you just like I'm looking through this peephole."

Re:SenderDefender (1)

BitcoinBenny (3025373) | about 10 months ago | (#45560219)

This is totally valid. Obviously not the point I'm trying to make. The suggestion you had above of making some kind of event that shuts it down is a good one, I'll have to give it some thought. :)

How it works (1)

Fnord666 (889225) | about 10 months ago | (#45559375)

Content remains scrambled as it traverses the Internet and is unreadable even to Syme, which stores the data on its servers. Co-founder Mullie authored a white paper [github.com] describing Syme's use of a two-step, hybrid encryption system that is fast, secure and efficient.

Add another to the list of secure social platforms (0)

Anonymous Coward | about 10 months ago | (#45559413)

ravetree.com

similar idea

See also.... (1)

macraig (621737) | about 10 months ago | (#45559423)

See also Diaspora.

Right, like that's going anywhere now? See also Libertree [libertreeproject.org] , which has no centralized servers, sneaky profiteers, or ulterior motives behind it. Go run a node/tree yourself!

Will do nothing against government interception (0)

Anonymous Coward | about 10 months ago | (#45559437)

A JavaScript-based browser extension encrypts content with a person's Web browser before it leaves the computer.

I can only imagine that this browser extension is supplied by Syme themselves. If they were ever served with government demands for some or all of their users' data, they would be compelled to comply. They would be able to comply by issuing an update to those users, and that update would then upload the encryption keys. That's probably why they even point out in the story that they aren't trying to protect you from government attacks - because no one can do that. There is no way. Even air gaps inside a secure facility won't save you - ask the Iranians how that worked out for them. The fundamental problem is that information is far easier to obtain than it is to prevent access to it. The point is that if information positively needs to remain secret, it must never leave your brain and it most certainly cannot be stored in any electronic form.

If you have information that you have told to anyone or have stored in any form outside your brain, you need to consider your options if that information were on the front page of a newspaper. Even just storing it in your brain isn't entirely secure, because you might be compelled to disclose that information, you might disclose it by accident or you might be tricked into disclosing it. You are likely not trained to withstand interrogation by a professional, and even if you are, the legal or physical consequences might not be worth it. You will never have a guarantee that anything you know will remain secret. You need to consider that kind of thing as cost versus risk, not as "how do I *ensure* the security of this information?" The easier road is to have no secrets.

Re:Will do nothing against government interception (1)

santosh.k83 (2442182) | about 10 months ago | (#45559837)

+1 for this. Although that's not to say we shouldn't implement what can be done, but the real solution for this problem is at the social and political level rather than technological. No matter how neat a technological solution it can always be broken down through laws, bribes, threats and violence, and when the state itself does this, there's not much you can do through technology alone.

As secure as the weakest link (0)

Anonymous Coward | about 10 months ago | (#45559471)

-nt-

Who encrypts (0)

Anonymous Coward | about 10 months ago | (#45559563)

Does syme encrypt or do the users encrypt? Not a trivial distinction. Does syme have access to the encryption keys?

It's the girls, stupid (0)

Anonymous Coward | about 10 months ago | (#45559617)

If the girls don't use it, you'll never get the guys to use it.

Re:It's the girls, stupid (1)

santosh.k83 (2442182) | about 10 months ago | (#45559841)

Depends on what type of guys you're talking about. Usenet was (and is?) overwhelmingly male dominated.

Browser = not encrypted (1)

Todd Knarr (15451) | about 10 months ago | (#45559659)

If the content's viewable in a regular Web browser without needing special plug-ins, it's not encrypted. Oh, it might be encrypted on disk somewhere, but the server has the keys to decrypt it and will decrypt it and send it in the clear (modulo SSL, which Facebook and Google+ have too). Anyone who can compromise the server can get the keys and decrypt the data. Anyone who can snoop on the connection can view the data. Anything running on the user's computer can see the data. And anyone logging in as the user, say after having obtained their password through social engineering or compromising another service where the user used the same password, will get the data just like the user would've.

There is only one potentially-secure way to encrypt data: the data is encrypted on the user's computer before being sent to the server, and is never decrypted until it arrives at the recipient's computer. The keys to encrypt and decrypt data must never be stored on the server. Anything less and all the methods currently used to get at data on Facebook and Google+ can be used to get at the data on the new service.
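The arrangement described in the comment above, as an added example that is not part of the original post and not Syme's code: a post is encrypted on the sender's machine with a fresh AES-256-GCM key, and that key is wrapped for each group member's public key, so the server stores only ciphertext. The RSA-OAEP wrapping, the function names and the sample members are assumptions made for this sketch.

```javascript
const nodeCrypto = require("crypto");

// Each member generates a key pair locally; only publicKey is ever uploaded.
function newMember(name) {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync("rsa", { modulusLength: 2048 });
  return { name, publicKey, privateKey };
}

const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// Sender side: encrypt the post once with a fresh content key, then wrap
// that key separately for every recipient's public key.
function sealPost(plaintext, recipients) {
  const contentKey = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", contentKey, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const wrappedKeys = {};
  for (const r of recipients) {
    wrappedKeys[r.name] = nodeCrypto.publicEncrypt({ key: r.publicKey, ...OAEP }, contentKey);
  }
  // This object is all the server stores: no plaintext, no private key, no content key.
  return { iv, ciphertext, tag: cipher.getAuthTag(), wrappedKeys };
}

// Recipient side: unwrap the content key with the local private key, then decrypt.
function openPost(stored, member) {
  const wrapped = stored.wrappedKeys[member.name];
  if (!wrapped) throw new Error(member.name + " is not a recipient of this post");
  const contentKey = nodeCrypto.privateDecrypt({ key: member.privateKey, ...OAEP }, wrapped);
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", contentKey, stored.iv);
  decipher.setAuthTag(stored.tag); // final() throws if the ciphertext was altered
  return Buffer.concat([decipher.update(stored.ciphertext), decipher.final()]).toString("utf8");
}

// Constructed sample: a two-person group and one outsider.
const alice = newMember("alice"), bob = newMember("bob"), mallory = newMember("mallory");
const stored = sealPost("dinner at eight", [alice, bob]);
console.log(openPost(stored, bob));
```

Nothing the server holds here can decrypt the post, but the code doing the encrypting still has to be trusted, which is the concern raised in the "Will do nothing against government interception" comment.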

Re:Browser = not encrypted (2)

EvilSS (557649) | about 10 months ago | (#45559711)

> If the content's viewable in a regular Web browser without needing special plug-ins...

It is not. It requires a browser plugin.

Tor Hidden Service Discussion Forums (0)

Anonymous Coward | about 10 months ago | (#45559749)

NT

And here I am... (0)

Anonymous Coward | about 10 months ago | (#45559867)

Still not giving a damn about social networks. I've never registered to Facebook, myspace, twitter or whatever else before, the only one I "registered" to, is google+, because Youtube. Doesn't mean I use the service though.
So I see no need for more of these so-called "social networks" that seem to bring more dispute in my family than anything else. (From dumb cousin posting everything about anything to aunts/uncles going at war with each other online "in front" of everybody, instead of just using the phone or seeing each other in person)

Oh look, more false promises and utter bullshit! (0)

Anonymous Coward | about 10 months ago | (#45559911)

These people must really think we're all stupid. What the fuck does it matter if they encrypt everything when they hold all the keys and can still mine whatever data they want for whatever reasons they want? It's probably all total and utter bullshit, they probably rip you off and use your data even worse than Failbook does, and furthermore anyone who knowingly participates in so-called "social media" anymore is a total atavist and probably shouldn't be allowed to run around loose in the world or be allowed near a computer.

Ma83 (-1)

Anonymous Coward | about 10 months ago | (#45559927)

Then Jordan Huubard WASTE OF BITS AND so on, FreeBSD went The reaper BSD's

Well, I'm also a disgruntled Chrome user, so... (2)

Max Threshold (540114) | about 10 months ago | (#45559941)

I guess I'll wait for the Firefox version.

Re:Well, I'm also a disgruntled Chrome user, so... (1)

Windwraith (932426) | about 10 months ago | (#45560085)

Word. I thought the days of browser lock-in were a thing of the past, but apparently it's not. Stumbling into way too many Chrome-only things recently.
I just don't want to need to have Chrome installed for such a thing, so I think this won't be tested anytime soon.

Crypto in Syme may be unsound (4, Interesting)

Animats (122034) | about 10 months ago | (#45560007)

I'm looking at the source to Syme's Google Chrome plug-in. While I'm not a crypto expert, I've found three things that seem to weaken the encryption.

  • In "crypto.js", lines 262-270:

        diffieHellman: function (privateKey, publicKey) {
          // Calculate the Diffie-Hellman shared key.
          return privateKey.dh(publicKey);
          // Strengthen the key by running through PBKDF2.
          //return this.deriveKey(symKey, salt);
        },

    Note the commented-out line for strengthening the key. That looks like something was done to weaken the key generation.
  • Syme uses the Stanford JavaScript crypto library, which has a crypto-grade random number generator. But it only works if you turn on its entropy collector before asking for random bits. [github.com] Otherwise you just get a function of the current time, which is easy to guess. The entropy collector is turned on by calling startCollectors(). There is no call to startCollectors() in the add-on.
  • There are two copies of the "sjcl" crypto library, one in "sjcl.jh" and one in "app.js". They may be different. One of them is dead code. Not clear which one.

This is highly suspicious. This code needs a close look by a security expert before anyone trusts it.

Re:Crypto in Syme may be unsound (5, Informative)

Kjella (173770) | about 10 months ago | (#45560217)

> Note the commented-out line for strengthening the key. That looks like something was done to weaken the key generation.

More like the commented out code was done by someone who doesn't understand crypto and replaced by someone who did. PBKDF2 has a single purpose and that is to make password recovery from a hash difficult, this looks like it is negotiating a session key where it would be totally pointless since it's not based on a password at all.

To give you a very brief primer on PBKDF2:
In the beginning, people stored passwords in plaintext. That was stupid so they started hashing them with for example MD5, so instead of storing $password they'd store md5( $password ). Of course the same password would end up having the same MD5 sum in every system, leading to rainbow tables. To counter this you add a salt and store md5( $password + $salt ). However, short passwords are quite few so it was still possible to loop through all of them in a short amount of time. So someone thought hey, why don't we just MD5 it again many times and store md5(md5(....(md5(md5($password + $salt))...)). PBKDF2 is basically a system for this, where you pick the hash function and number of iterations. Now testing a single password takes much longer, which is feasible to do on a single login but takes far too long to recover the passwords from a hash table by looping through all of them. So it is useful, but only for this specific purpose.
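The progression in the primer above, as an added example that is not part of the original comment or Syme's code: an unsalted hash, then a salted PBKDF2 record with a login check. It also writes out the first PBKDF2 output block from its RFC 2898 definition, which chains HMAC calls and XORs the results. Function names and the sample password are constructed for illustration.

```javascript
const nodeCrypto = require("crypto");

// Step 2 of the primer: one unsalted hash. Identical passwords give identical
// digests on every system, which is what makes precomputed tables work.
function unsaltedMd5(password) {
  return nodeCrypto.createHash("md5").update(password, "utf8").digest("hex");
}

// First output block of PBKDF2 written out from its definition (RFC 2898):
//   U1 = HMAC(password, salt || INT32BE(1)),  Ui = HMAC(password, U(i-1)),
//   block = U1 xor U2 xor ... xor Uc
function pbkdf2FirstBlock(password, salt, iterations, digest) {
  const blockIndex = Buffer.from([0, 0, 0, 1]);
  let u = nodeCrypto.createHmac(digest, password)
    .update(Buffer.concat([salt, blockIndex])).digest();
  const block = Buffer.from(u);
  for (let i = 1; i < iterations; i++) {
    u = nodeCrypto.createHmac(digest, password).update(u).digest();
    for (let j = 0; j < block.length; j++) block[j] ^= u[j];
  }
  return block;
}

// What a server stores per user: random salt, iteration count, derived hash.
function makeRecord(password, iterations = 100000) {
  const salt = nodeCrypto.randomBytes(16);
  const hash = nodeCrypto.pbkdf2Sync(password, salt, iterations, 32, "sha256");
  return { iterations, salt: salt.toString("hex"), hash: hash.toString("hex") };
}

// Login check: redo the derivation with the stored salt, compare in constant time.
function verify(password, record) {
  const expected = Buffer.from(record.hash, "hex");
  const actual = nodeCrypto.pbkdf2Sync(password, Buffer.from(record.salt, "hex"),
    record.iterations, expected.length, "sha256");
  return nodeCrypto.timingSafeEqual(actual, expected);
}

// Constructed sample: two users who picked the same password.
const alice = makeRecord("hunter2", 50000);
const bob = makeRecord("hunter2", 50000);
console.log("unsalted digests equal:", unsaltedMd5("hunter2") === unsaltedMd5("hunter2"));
console.log("salted PBKDF2 hashes equal:", alice.hash === bob.hash);
console.log("login ok:", verify("hunter2", alice), "wrong guess:", verify("hunter3", alice));
```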
