Wired has a story about Ricochet, a new custom IM client by John Brooks which lets users communicate over Tor hidden services. From the article:
Brooks, who is just 22 and a self-taught coder who dropped out of school at 13, was always concerned about privacy and civil liberties. Four years ago he began work on a program for encrypted instant messaging that uses Tor hidden services for the protected transmission of communications. The program, which he dubbed Ricochet, began as a hobby. But by the time he finished, he had a full-fledged desktop client that was easy to use, offered anonymity and encryption, and even resolved the issue of metadata—the “to” and “from” headers and IP addresses spy agencies use to identify and track communications—long before the public was aware that the NSA was routinely collecting metadata in bulk for its spy programs. The only problem Brooks had with the program was that few people were interested in using it. Although he’d made Ricochet’s code open source, Brooks never had it formally audited for security and did nothing to promote it, so few people even knew about it.
The article goes on to explain how Ricochet got into the spotlight:
Enter Invisible.im, a group formed by Australian security journalist Patrick Gray. Last July, Gray announced that he was working with HD Moore, developer of the Metasploit Framework tool used by security researchers to pen-test systems, and with another respected security professional who goes by his hacker handle The Grugq, to craft a secure, open-source encrypted chat program cobbled together from parts of existing anonymity and messaging systems—such as Prosody, Pidgin and Tor. They wanted a system that was highly secure, user friendly and metadata-free. Gray says his primary motivation was to protect the anonymity of sources who contact journalists.
“At the moment, when sources contact a journalist, they’re going to leave a metadata trail, whether it’s a phone call record or instant message or email record [regardless of whether or not the content of their communication is encrypted],” he says. “And that data is currently accessible to authorities without a warrant.”
When Brooks wrote to say he’d already designed a chat program that eliminated metadata, Gray and his group took a look at the code and quickly dropped their plan to develop their own tool, in favor of working with Brooks to develop his.
“He writes incredible code,” Gray says, “and really thinks like a hacker, even though he doesn’t have a security background.”
(Score: 2) by SlimmPickens on Thursday September 18 2014, @03:12AM
I was considering an Ask Soylent about what everyone's doing about securing chat and other communication.
(Score: 0) by Anonymous Coward on Thursday September 18 2014, @03:29AM
Now you don't have to! It's been dropped in your lap by a Prescient without a security background and it's open source so nothing could go wrong. Here, hear, everyone, use this.
(Score: 2) by SlimmPickens on Thursday September 18 2014, @04:31AM
Thanks AC. What are you using?
(Score: 2) by GreatAuntAnesthesia on Thursday September 18 2014, @08:11AM
More like, what is s/he smoking?
(Score: 0) by Anonymous Coward on Thursday September 18 2014, @03:38AM
There is no "good" (highly secure and trustable) chat software that is also broadly multiplatform (i.e. mac, win, linux, android, ios, winphone).
Even the FAQ for invisible.im only talks about mac/win/linux but no phones.
Part of the problem is that (so far) no one has been able to come up with a business model that lets them make money from "good" chat software for the masses. I like that Ricochet is self-hosted so at least there are no on-going expenses for anyone but the users, that means the entire cost is in the development and maintenance.
(Score: 3, Insightful) by Hannibal on Thursday September 18 2014, @03:58AM
This is because for the "average user" they don't see a need to hide their chats in an encrypted form. Of course for soylenters there are well known arguments about stopping mass surveillance but to most users, that is less important than being able to IM pictures of their junk to someone in another country. There is also the issue that secure software almost by definition requires more work to use than Happy-Windows-Chat-Client. This may be changing now with large corporations who are more aware that they are potentially being targeted, of course, if a corporation is being targeted then this sort of security isn't much use.
(Score: 2) by Fnord666 on Thursday September 18 2014, @10:00PM
Don't taunt Happy-Windows-Chat-Client!
(Score: 2) by _NSAKEY on Thursday September 18 2014, @04:36AM
Still, none of that solves the metadata problem. This is why the idea behind invisible.im is cool: Based on the details published so far, your username is a tor hidden service address. Technically it doesn't even need to support OTR (Although the key validation portion of OTR is useful), since hidden services encrypt everything from end to end by design. Since all the traffic is staying inside the tor network, all the spy agencies can do is watch tor traffic going to and from nodes. They can't just sniff packets and see that bob@example.com is talking to alice@example.com. With a normal IM service, they would at least know that they're talking, if not what they're talking about. If invisible.im lives up to its promises, the spy agencies won't even be able to get that without hacking individual users and monitoring their chats that way (Expect updated XKeyscore rules [vice.com] in the future, so that they at least know who to target).
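The addressing scheme this comment refers to, as an added example that is not part of the original thread or Ricochet's own code: in the 16-character hidden service format in use at the time (the format of the .onion address posted further down), the address is the base32 encoding of the first 80 bits of the SHA-1 hash of the service's DER-encoded RSA public key, so a client can check a contact's key against the address without DNS or a CA. The function names and the sample key bytes are assumptions constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# 80 bits of hash -> exactly 16 base32 characters (alphabet a-z, 2-7).
V2_ONION = re.compile(r"[a-z2-7]{16}\.onion")


def onion_v2_address(der_public_key: bytes) -> str:
    """Derive the 16-character address from a DER-encoded RSA public key."""
    digest = hashlib.sha1(der_public_key).digest()
    label = base64.b32encode(digest[:10]).decode("ascii").lower()
    return label + ".onion"


def peer_matches_address(claimed: str, presented_key_der: bytes) -> bool:
    """Accept a peer only if the key it presents hashes to the address
    the user added as a contact. Hypothetical helper, not Ricochet's API."""
    claimed = claimed.strip().lower()
    if not V2_ONION.fullmatch(claimed):
        return False  # e.g. a user@host identifier is not self-authenticating
    expected = onion_v2_address(presented_key_der)
    return hmac.compare_digest(claimed, expected)


# Constructed stand-ins for DER-encoded keys; a real client would use the
# actual key bytes taken from the hidden service descriptor.
CONTACT_KEY = b"constructed-sample-key: contact"
IMPOSTOR_KEY = b"constructed-sample-key: impostor"

if __name__ == "__main__":
    contact = onion_v2_address(CONTACT_KEY)
    print("contact address:", contact)
    print("right key accepted:", peer_matches_address(contact, CONTACT_KEY))
    print("wrong key accepted:", peer_matches_address(contact, IMPOSTOR_KEY))
```

Because the name is derived from the key, there is no registry mapping names to people or IP addresses for an observer to query, which is also the DNS-free naming property raised later in the thread.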
(Score: -1, Offtopic) by MichaelDavidCrawford on Thursday September 18 2014, @03:23AM
It is very common for new articles to be posted for hours with nary a comment. That leads to a self-defeating cycle; I come for the discussion really, not the articles.
But from time to time there are as many as eighty comments posted. That shows that we really do have some membership that _can_ be active.
How to encourage more participation?
Yes I Have No Bananas. [gofundme.com]
(Score: 1, Offtopic) by Professr on Thursday September 18 2014, @04:56AM
It's easy to get 80 comments with a flamewar :\
(Score: 3, Funny) by chromas on Thursday September 18 2014, @07:01AM
I'll start.
vim, kde, opera (before beta), archlinux, pc, qt, wtfpl, amd, nvidia, pc (for gaming), bing, pascal, star trek, ford, dr pepper, coke, innies, coke (for snorting), 'murika, kelvin, direct current, chocolate
(Score: 2) by mtrycz on Thursday September 18 2014, @08:54AM
systemd
In capitalist America, ads view YOU!
(Score: 0) by Anonymous Coward on Thursday September 18 2014, @10:39AM
"vim, kde, opera (before beta), archlinux, pc, qt, wtfpl, amd, nvidia, pc (for gaming), bing, pascal, star trek, ford, dr pepper, coke, innies, coke (for snorting), 'murika, kelvin, direct current, chocolate"
Are those all the new stuff to be included in it now?
(Score: 3, Informative) by c0lo on Thursday September 18 2014, @10:44AM
There's no chance this will start a flamewar on SN: here everybody agrees systemd is a dangerous evil piece of crap.
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by WizardFusion on Thursday September 18 2014, @11:34AM
That also goes for Windows 8.x too :)
(Score: 2) by chromas on Thursday September 18 2014, @12:46PM
sudo systemctl throw shoe
(Score: 2) by redneckmother on Thursday September 18 2014, @04:13PM
Quick! Call the Farrier!
Mas cerveza por favor.
(Score: 2) by Gaaark on Thursday September 18 2014, @04:26PM
'murika!!!! Theytookmuhjob!
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2) by EvilJim on Friday September 19 2014, @03:39AM
You fother mucker! most of those words are evil and should be banned. Where's the Taliban when you need 'em most?
(Score: 3, Insightful) by nyder on Thursday September 18 2014, @08:18AM
Maybe if you didn't try to hijack stories with offtopic crap like this.
(Score: 3, Informative) by takyon on Thursday September 18 2014, @03:34AM
BitTorrent's peer-to-peer chat app Bleep goes live as public alpha [theregister.co.uk]
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2, Informative) by nishi.b on Thursday September 18 2014, @07:12AM
Not using servers is nice but insufficient to hide metadata from massive NSA-style spying. If they can analyse/store all communications going through major internet hubs (and we now know that they do), they will still be able to see that you used bleep on September 17th 9:31 a.m. to communicate with user Y who can be identified by his/her IP. In the article it seems to be avoided through Tor-style onion routing.
(Score: 1) by mj on Thursday September 18 2014, @05:12AM
I just installed wickr a few days ago, they seem to have a sane privacy policy though they still use servers so I'm guessing all that metadata is still up for grabs even if the content is as secure as they say. The interface is pretty slick on android, it's got self destructing messages and does mms, it's like an upgraded snapchat really. https://www.wickr.com/#wickr [wickr.com]
Guess I'll check out ricochet too.. the interface seems super minimal but works so far.
https://github.com/ricochet-im/ricochet/ [github.com]
https://ricochet.im/releases/latest/ [ricochet.im]
The nihilists have such good imaginations.
(Score: 2) by Fnord666 on Thursday September 18 2014, @10:08PM
From TFA:
(Score: 0) by Anonymous Coward on Thursday September 18 2014, @08:45AM
mailto: dopey1@ff6d7yz7hdw5xoav.onion
i will click "quote" and reply on any messages received.
be sure to include a "reply to" address in message body if mailing with (torified) telnet:
http://kb.mediatemple.net/questions/889/Sending+or+viewing+emails+using+telnet [mediatemple.net]
*sigh*
(Score: 1) by forkazoo on Thursday September 18 2014, @08:45AM
What does Metadata Free actually mean? Given we know NSA has apparently compromised most of the security of Tor, and that so few people are running Tor, it seems like authorities would still be able to figure out who is chatting, when they are sending messages, etc. You know... Metadata. So, what is the actual win here? It's harder for ordinary LEO to get at it? I recall a recent case where a bomb threat was sent to a University over tor. There wasn't any easy way to prove who had sent it, but of all the plausible suspects who would want that day's final cancelled, only one was running tor. So, it was pretty quick to figure out who did it. The mere fact of running tor was, itself, useful metadata for the investigators.
I'm not saying the software in the post is bad, I just see buzzwordy claims like "Metadata free" and I don't know that they really mean anything.
(Score: 3, Informative) by _NSAKEY on Thursday September 18 2014, @09:36AM
A careful reading of all the affidavits that have gone public related to tor and hidden services would suggest that the cops (And the spooks) can't passively spy on tor users in a meaningful way (See also: The "Tor Stinks" slides). They have to engage in some form of hacking in order to get what they really want (See the recent Silk Road news stories for a current example). If you land on LE/intel radar, you're going to get targeted heavily. That being said, they can't just point some magic GUI they wrote in Visual Basic at your exit node IP at a given point in time and determine who you are/every site you've ever visited.
As for the bomb threat you mentioned, that was solved so quickly because Harvard picked up on the fact that someone was using tor and connected their wifi network at the time of the bomb threat (The bomb threat had been done with guerillamail and tor). The feds grilled the kid until he cracked (Which didn't take long). If he had been one of those rare users who uses private bridges with obfsproxy (Or had simply committed his crime on a network that didn't belong to his target), they wouldn't have had that lead, and the case would probably be unsolved. For those who are curious, the original affidavit can be found here [wbur.org]. Again, other counter-measures have to be in place if you're going to use tor for something more sinister than protecting your privacy.
(Score: 0) by Anonymous Coward on Thursday September 18 2014, @12:19PM
for desktop computer it means mostly: no ip.
for mobile it would mean no imei, no location .. impossible.
as for meta data free surfing, it is awesome and i had some crazy gripes when akamai sprang up last century.
ip tracking and cookies were the big two things (and being a bit paranoid) that kept me awake at night.
for me personally the meta-data free nature of tor isn't the number one selling point of tor at all, rather it is the distributed nature of the unique name system of tor.
it is possible to go about using the internet (packet teleporter) without ever touching/using the oldskool DNS system.
i dare you to try and "use" the "internet" without a configured functional DNServer.
so, if the DNS system blows up tomorrow (for some reason whatever) all the people that can use tor will still be able to find each other.
it is just sad how far the regular user is removed from the real internet and is just using living in a tinseltown facade world with nice exterior and doors that lead "backstage".
being able to name things is a great power and it has the potential to change the internet as we know it. it gets all wobbly once you realize that a decentralized "A.I" that can find anything and anyone would change the world!
forget the crappy "seamless switch your phone call from mobile network to wifi" we want MEOR of your money advertisement.
rather think: got tcp/ip connectivity to internet + some "A.I" (on your device) and *BOOM* use it to implement any service that needs to look-up/pin-point a unique resource!
friends can be resources! : )
THEY FEAR THIS! ... and 280 KB killed a billion dollar domain name "industry".
(Score: 1) by jm007 on Thursday September 18 2014, @01:35PM
if a legit post, please provide some details and more info, pls; specifically, this part: ' tcp/ip connectivity to internet + some "A.I"'
(Score: 2) by Yog-Yogguth on Thursday September 18 2014, @05:01PM
I think the GP AC doesn't understand that he's still using IP and routing which is more than enough rope to hang anyone with given enough resources.
The aim is already about being in every device everywhere which is why discussions about Tor, I2P, time delays, and encryption and nearly everything else all sadly miss the point. Much of the leaked information is about shortcuts that are more efficient and come in addition to that but some of the leaks show they already had at-will or even continuous control over a significant amount of core devices (routers and servers) four years ago.
Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))
(Score: 0) by Anonymous Coward on Thursday September 18 2014, @06:40PM
It is not that they miss the point, it is that "security" has different definitions to different people and each definition is a valid one. We just don't have the language yet to be more specific and still be concise. We need to become "security eskimos" with a 100 words for different kinds of security.
(Score: 3, Interesting) by PizzaRollPlinkett on Thursday September 18 2014, @11:13AM
I wish the article explained the cryptic "dropped out of school at 13" statement. But it's Wired, so they don't. The USA has compulsory education to age 16, I think. What country is this guy from? How did he drop out of school and not get caught?
(E-mail me if you want a pizza roll!)
(Score: 2) by JNCF on Thursday September 18 2014, @06:49PM
You think wrong. I never entered the school system until I was 16. I hadn't even taken a government issued test until then, but that varies by state. The "unschooling" I went through looked very little like a traditional education, and I'm thankful for that. The key ingredient is parental consent. http://en.wikipedia.org/wiki/Homeschooling_in_the_United_States [wikipedia.org]
(Score: 1) by Username on Thursday September 18 2014, @11:13AM
So he coded his encoded code?
Anyway, didn't RTFA, but I think the best way to obscure metadata is sending messages to everyone on the system, and have the ability to filter messages client end.
(Score: 2) by khakipuce on Thursday September 18 2014, @12:35PM
on how it completely hides metadata? Or is that just a function of using TOR, but then if your ISP is compromised by the spies can they not get the data anyway?