Stories
Slash Boxes
Comments

SoylentNews is people

posted by LaminatorX on Thursday September 18 2014, @02:45AM   Printer-friendly
from the mother-of-invention dept.

Wired has a story about Ricochet, a new custom IM client by John Brookes which lets users communicate over tor hidden services. From the article:

Brooks, who is just 22 and a self-taught coder who dropped out of school at 13, was always concerned about privacy and civil liberties. Four years ago he began work on a program for encrypted instant messaging that uses Tor hidden services for the protected transmission of communications. The program, which he dubbed Ricochet, began as a hobby. But by the time he finished, he had a full-fledged desktop client that was easy to use, offered anonymity and encryption, and even resolved the issue of metadata—the “to” and “from” headers and IP addresses spy agencies use to identify and track communications—long before the public was aware that the NSA was routinely collecting metadata in bulk for its spy programs. The only problem Brooks had with the program was that few people were interested in using it. Although he’d made Ricochet’s code open source, Brooks never had it formally audited for security and did nothing to promote it, so few people even knew about it.

The article goes on to explain how Ricochet got into the spotlight:

Enter Invisible.im, a group formed by Australian security journalist Patrick Gray. Last July, Gray announced that he was working with HD Moore, developer of the Metasploit Framework tool used by security researchers to pen-test systems, and with another respected security professional who goes by his hacker handle The Grugq, to craft a secure, open-source encrypted chat program cobbled together from parts of existing anonymity and messaging systems—such as Prosody, Pidgin and Tor. They wanted a system that was highly secure, user friendly and metadata-free. Gray says his primary motivation was to protect the anonymity of sources who contact journalists.

“At the moment, when sources contact a journalist, they’re going to leave a metadata trail, whether it’s a phone call record or instant message or email record [regardless of whether or not the content of their communication is encrypted],” he says. “And that data is currently accessible to authorities without a warrant.”

When Brooks wrote to say he’d already designed a chat program that eliminated metadata, Gray and his group took a look at the code and quickly dropped their plan to develop their own tool, in favor of working with Brooks to develop his.

“He writes incredible code,” Gray says, “and really thinks like a hacker, even though he doesn’t have a security background.”

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by SlimmPickens on Thursday September 18 2014, @03:12AM

    by SlimmPickens (1056) on Thursday September 18 2014, @03:12AM (#94775)

    I was considering an Ask Soylent about what everyone's doing about securing chat and other communication.

    • (Score: 0) by Anonymous Coward on Thursday September 18 2014, @03:29AM

      by Anonymous Coward on Thursday September 18 2014, @03:29AM (#94780)

      Now you don't have to! It's been dropped in your lap by a Prescient without a security background and it's open source so nothing could go wrong. Here, hear, everyone, use this.

    • (Score: 0) by Anonymous Coward on Thursday September 18 2014, @03:38AM

      by Anonymous Coward on Thursday September 18 2014, @03:38AM (#94782)

      There is no "good" (highly secure and trustable) chat software that is also broadly multiplatform (i.e. mac, win, linux, android, ios, winphone).
      Even the FAQ for invisible.im only talks about mac/win/linux but no phones.

      Part of the problem is that (so far) no one has been able to come up with a business model that lets them make money from "good" chat software for the masses. I like that Richochet is self-hosted so at least there are no on-going expenses for anyone but the users, that means the entire cost is in the development and maintenance.

      • (Score: 3, Insightful) by Hannibal on Thursday September 18 2014, @03:58AM

        by Hannibal (1589) on Thursday September 18 2014, @03:58AM (#94784)

        Part of the problem is that (so far) no one has been able to come up with a business model that lets them make money from "good" chat software for the masses.

        This is because for the "average user" they don't see a need to hide their chats in an encrypted form. Of course for soylenters there are well known arguments about stopping mass surveillance but to most users, that is less important than being able to IM pictures of their junk to someone in another country. There is also the issue that secure software almost by definition requires more work to use than Happy-Windows-Chat-Client. This may be changing now with large corporations who are more aware that they are potentially being targeted, of course, if a corporation is being targeted then this sort of security isn't much use.

        • (Score: 2) by Fnord666 on Thursday September 18 2014, @10:00PM

          by Fnord666 (652) on Thursday September 18 2014, @10:00PM (#95239) Homepage

          There is also the issue that secure software almost by definition requires more work to use than Happy-Windows-Chat-Client.

          Don't taunt Happy-Windows-Chat-Client!

      • (Score: 2) by _NSAKEY on Thursday September 18 2014, @04:36AM

        by _NSAKEY (16) on Thursday September 18 2014, @04:36AM (#94804)
        This is too true. The options I can think of are Pidgin (Desktop only) with the OTR plugin and ChatSecure (Android/iOS only; OTR is baked in). Pidgin supports almost any IM protocol you might want to throw at it, but libpurple is rather massive and the devs have apparently had to be talked down to like kindergarten students in order to be convinced to ship less vulnerable software. An alternate idea is to use bitlbee with an IRC client, but you still run into the cross-platform problem unless you decide to do something most people would never bother doing, like running irssi in screen and finding an ssh client for your OS of choice or making the bitlbee port a hidden service and connecting over tor from an IRC client on your phone or alternate desktop (At least for those times when you're on the go).

        Still, none of that solves the metadata problem. This is why the idea behind invisible.im is cool: Based on the details published so far, your username is a tor hidden service address. Technically it doesn't even need to support OTR (Although the key validation portion of OTR is useful), since hidden services encrypt everything from end to end by design. Since all the traffic is staying inside the tor network, all the spy agencies can do is watch tor traffic going to and from nodes. They can't just sniff packets and see that bob@example.com is talking to alice@example.com. With a normal IM service, they would at least know that they're talking, if not what what they're talking about. If invisible.im lives up to its promises, the spy agencies won't even be able to get that without hacking individual users and monitoring their chats that way (Expect updated XKeyscore rules [vice.com] in the future, so that they at least know who to target).
  • (Score: -1, Offtopic) by MichaelDavidCrawford on Thursday September 18 2014, @03:23AM

    by MichaelDavidCrawford (2339) Subscriber Badge <mdcrawford@gmail.com> on Thursday September 18 2014, @03:23AM (#94779) Homepage Journal

    It is very common for new articles to be posted for hours with nary a comment. That leads to a self-defeating cycle; I come for the discussion really, not the articles.

    But from time to time there are as many as eighty comments posted. That shows that we really do have some membership that _can_ be active.

    How to encourage more participation?

    --
    Yes I Have No Bananas. [gofundme.com]
    • (Score: 1, Offtopic) by Professr on Thursday September 18 2014, @04:56AM

      by Professr (1629) on Thursday September 18 2014, @04:56AM (#94806)

      It's easy to get 80 comments with a flamewar :\

      • (Score: 3, Funny) by chromas on Thursday September 18 2014, @07:01AM

        by chromas (34) Subscriber Badge on Thursday September 18 2014, @07:01AM (#94824) Journal

        I'll start.

        vim, kde, opera (before beta), archlinux, pc, qt, wtfpl, amd, nvidia, pc (for gaming), bing, pascal, star trek, ford, dr pepper, coke, innies, coke (for snorting), 'murika, kelvin, direct current, chocolate

        • (Score: 2) by mtrycz on Thursday September 18 2014, @08:54AM

          by mtrycz (60) on Thursday September 18 2014, @08:54AM (#94853)

          systemd

          --
          In capitalist America, ads view YOU!
          • (Score: 0) by Anonymous Coward on Thursday September 18 2014, @10:39AM

            by Anonymous Coward on Thursday September 18 2014, @10:39AM (#94895)

            "vim, kde, opera (before beta), archlinux, pc, qt, wtfpl, amd, nvidia, pc (for gaming), bing, pascal, star trek, ford, dr pepper, coke, innies, coke (for snorting), 'murika, kelvin, direct current, chocolate"

            Are those all the new stuff to be included in it now?

          • (Score: 3, Informative) by c0lo on Thursday September 18 2014, @10:44AM

            by c0lo (156) Subscriber Badge on Thursday September 18 2014, @10:44AM (#94898) Journal

            systemd

            There's no chance this will start a flamewar on SN: here everybody agree systemd is a dangerous evil piece of crap.

            --
            https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
        • (Score: 2) by Gaaark on Thursday September 18 2014, @04:26PM

          by Gaaark (41) on Thursday September 18 2014, @04:26PM (#95052) Journal

          'murika!!!! Theytookmuhjob!

          --
          --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
        • (Score: 2) by EvilJim on Friday September 19 2014, @03:39AM

          by EvilJim (2501) on Friday September 19 2014, @03:39AM (#95337) Journal

          You fother mucker! most of those words are evil and should be banned. Where's the Taliban when you need 'em most?

    • (Score: 3, Insightful) by nyder on Thursday September 18 2014, @08:18AM

      by nyder (4525) on Thursday September 18 2014, @08:18AM (#94839)

      Maybe if you didn't try to hijack stories with offtopic crap like this.

  • (Score: 3, Informative) by takyon on Thursday September 18 2014, @03:34AM

    by takyon (881) <reversethis-{gro ... s} {ta} {noykat}> on Thursday September 18 2014, @03:34AM (#94781) Journal

    BitTorrent's peer-to-peer chat app Bleep goes live as public alpha [theregister.co.uk]

    First released to registered pre-alpha users in July, Bleep was then in Windows versions only. Now it's gone to release, the organisation has added Android and Mac versions.

    As BitTorrent explains here, Bleep lets users sign up with e-mail or mobile numbers, or in an incognito mode with no personally identifiable information.

    By eliminating servers between communicating devices and encrypting conversations end-to-end, Bleep hopes to offer better privacy than chat applications from the big names - or, for that matter, than SMS which gets stored and forwarded by telcos.

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 2, Informative) by nishi.b on Thursday September 18 2014, @07:12AM

      by nishi.b (4243) on Thursday September 18 2014, @07:12AM (#94830)

      Not using servers is nice but insufficient to hide metadata from massive NSA-style spying. If they can analyse/store all communications going through major internet hubs (and we now know that they do), they will still be able to see that you used bleep on septembre 17th 9:31a.m. to communicate with user Y who can be identified by his/her IP. In the article it seems to be avoided through Tor-style onion routing.

  • (Score: 1) by mj on Thursday September 18 2014, @05:12AM

    by mj (399) on Thursday September 18 2014, @05:12AM (#94809)

    I just installed wickr a few days ago, they seem to have a sane privacy policy though they still use servers so I'm guessing all that metadata is still up for grabs even if the content is as secure as they say. The interface is pretty slick on android, it's got self destructing messages and does mms, it's like an upgraded snapchat really. https://www.wickr.com/#wickr [wickr.com]

    Guess I'll check out ricochet too.. the interface seems super minimal but works so far.
    https://github.com/ricochet-im/ricochet/ [github.com]
    https://ricochet.im/releases/latest/ [ricochet.im]

    --
    The nihilists have such good imaginations.
    • (Score: 2) by Fnord666 on Thursday September 18 2014, @10:08PM

      by Fnord666 (652) on Thursday September 18 2014, @10:08PM (#95242) Homepage

      From TFA:

      Wickr, for example, is a competing encrypted chat program that doesn’t preserve the communication or metadata of users, so there’s nothing recorded by default for spy agencies or law enforcement to collect from Wickr with a court order. But unlike Ricochet, it uses central servers to transmit the communication, which Brooks says make users vulnerable to timing attacks. Anyone tapping the connections to Wickr’s servers could conceivably map the parties who are communicating and establish relationships between them.

  • (Score: 0) by Anonymous Coward on Thursday September 18 2014, @08:45AM

    by Anonymous Coward on Thursday September 18 2014, @08:45AM (#94849)

    mailto: dopey1@ff6d7yz7hdw5xoav.onion
    i will click "quote" and reply on any messages received.
    be sure to include a "reply to" address in message body if mailing with (torified) telnet:
    http://kb.mediatemple.net/questions/889/Sending+or+viewing+emails+using+telnet [mediatemple.net]
    *sigh*

  • (Score: 1) by forkazoo on Thursday September 18 2014, @08:45AM

    by forkazoo (2561) on Thursday September 18 2014, @08:45AM (#94850)

    What does Metadata Free actually mean? Given we know NSA has apparently compromised most of the security of Tor, and that so few people are running Tor, it seems like authorities would still be able to figure out who is chatting, when they are sending messages, etc. You know... Metadata. So, what is the actual win here? It's harder for ordinary LEO to get at it? I recall a recent case where a bomb threat was sent to a University over tor. There wasn't any easy way to prove who had sent it, but of all the plausible suspects who would want that day's final cancelled, only one was running tor. So, it was pretty quick to figure out who did it. The mere fact of running tor was, itself, useful metadata for the investigators.

    I'm not saying the software in the post is bad, I just see buzzwordy claims like "Metadata free" and I don't know that they really mean anything.

    • (Score: 3, Informative) by _NSAKEY on Thursday September 18 2014, @09:36AM

      by _NSAKEY (16) on Thursday September 18 2014, @09:36AM (#94864)
      First of all, there is zero proof that the tor protocol itself has been compromised by the NSA or anyone else. Tor Browser Bundle users can be fingerprinted easily enough, and the lack of NoScript lead to things like the mass-compromise of people visiting sites on Freedom Hosting. That particular drive-by only targeted Windows users of the Tor Browser Bundle (And could have been mitigated with EMET, according to friends who are much smarter than I am). Using tor doesn't mean that you can disable the usual complement of privacy-oriented add-ons (NoScript, AdBlock Plus, etc) and be fine. Other counter-measures have to be in place, or it's a waste of time and effort.

      A careful reading of all the affidavits that have gone public related to tor and hidden services would suggest that the cops (And the spooks) can't passively spy on tor users in a meaningful way (See also: The "Tor Stinks" slides). They have to engage in some form of hacking in order to get what they really want (See the recent Silk Road news stories for a current example). If you land on LE/intel radar, you're going to get targeted heavily. That being said, they can't just point some magic GUI they wrote in Visual Basic at your exit node IP at a given point in time and determine who you are/every site you've ever visited.

      As for the bomb threat you mentioned, that was solved so quickly because Harvard picked up on the fact that someone was using tor and connected their wifi network at the time of the bomb threat (The bomb threat had been done with guerillamail and tor). The feds grilled the kid until he cracked (Which didn't take long). If he had been one of those rare users who uses private bridges with obfsproxy (Or had simply committed his crime on a network that didn't belong to his target), they wouldn't have had that lead, and the case would probably be unsolved. For those who are curious, the original affidavit can be found here [wbur.org]. Again, other counter-measures have to be in place if you're going to use tor for something more sinister than protecting your privacy.
    • (Score: 0) by Anonymous Coward on Thursday September 18 2014, @12:19PM

      by Anonymous Coward on Thursday September 18 2014, @12:19PM (#94936)

      for desktop computer it means mostly: no ip.
      for mobile it would mean no imei, no location .. impossible.
      as for meta data free surfing, it is awesome and i had some crazy gripes when akamai sprang up last century.
      ip tracking and cookies were the big two things (and being a bit paranoid) that kept me awake at night.
      for me personally the meta-data free nature of tor isn't the number one selling point of tor at all, rather it is the
      distributed nature of the unique name system of tor.
      it is possible to go about using the internet (packet teleporter) without ever touching/using the oldskool DNS system.
      i dare you to try and "use" the "internet" without a configured functional DNServer.
      so, if the DNS system blows up tomorrow (for some reason whatever) all the people that can use tor will still be able to find each other.
      it is just sad how far the the regular user is removed from the real internet and is just using living in a tinseltown facade world with nice exterior and doors that lead "backstage".
      being able to name things is a great power and it has the potential to change the internet as we know it. it gets all wobbely once you realize that a descentralized "A.I" that can find anything and anyone would change the world!
      forget the crappy "seamless switch your phone call from mobile network to wifi" we want MEOR of your money advertisment.
      rather think: got tcp/ip connectivity to internet + some "A.I" (on your device) and *BOOM* use it to implement any service that needs to look-up/pin-point a unique resource!
      friend can be resources! : )
      THEY FEAR THIS! ... and 280 KB killed a billion dollar domain name "industry".

      • (Score: 1) by jm007 on Thursday September 18 2014, @01:35PM

        by jm007 (2827) on Thursday September 18 2014, @01:35PM (#94957)

        if a legit post, please provide some details and more info, pls; specifically, this part: ' tcp/ip connectivity to internet + some "A.I"'

        • (Score: 2) by Yog-Yogguth on Thursday September 18 2014, @05:01PM

          by Yog-Yogguth (1862) Subscriber Badge on Thursday September 18 2014, @05:01PM (#95074) Journal

          I think the GP AC doesn't understand that he's still using IP and routing which is more than enough rope to hang anyone with given enough resources.

          The aim is already about being in every device everywhere which is why discussions about Tor, I2P, time delays, and encryption and nearly everything else all sadly miss the point. Much of the leaked information is about shortcuts that are more efficient and come in addition to that but some of the leaks show they already had at-will or even continuous control over a significant amount of core devices (routers and servers) four years ago.

          --
          Bite harder Ouroboros, bite! tails.boum.org/ linux USB CD secure desktop IRC *crypt tor (not endorsements (XKeyScore))
          • (Score: 0) by Anonymous Coward on Thursday September 18 2014, @06:40PM

            by Anonymous Coward on Thursday September 18 2014, @06:40PM (#95123)

            It is not that they miss the point, it is that "security" has different definitions to different people and each definition is a valid one. We just don't have the language yet to be more specific and still be concise. We need to become "security eskimos" with a 100 words for different kinds of security.

  • (Score: 3, Interesting) by PizzaRollPlinkett on Thursday September 18 2014, @11:13AM

    by PizzaRollPlinkett (4512) on Thursday September 18 2014, @11:13AM (#94911)

    I wish the article explained the cryptic "dropped out of school at 13" statement. But it's Wired, so they don't. The USA has compulsory education to age 16, I think. What country is this guy from? How did he drop out of school and not get caught?

    --
    (E-mail me if you want a pizza roll!)
    • (Score: 2) by JNCF on Thursday September 18 2014, @06:49PM

      by JNCF (4317) on Thursday September 18 2014, @06:49PM (#95131) Journal

      You think wrong. I never entered the school system until I was 16. I hadn't even taken a government issued test until then, but that varies by state. The "unschooling" I went through looked very little like a traditional education, and I'm thankful for that. The key ingredient is parental consent. http://en.wikipedia.org/wiki/Homeschooling_in_the_United_States [wikipedia.org]

  • (Score: 1) by Username on Thursday September 18 2014, @11:13AM

    by Username (4557) on Thursday September 18 2014, @11:13AM (#94912)

    So he coded his encoded code?

    Anyway, didn't RTFA, but I think the best way to obscure metadata is sending messages to everyone on the system, and have the ability to filter messages client end.

  • (Score: 2) by khakipuce on Thursday September 18 2014, @12:35PM

    by khakipuce (233) on Thursday September 18 2014, @12:35PM (#94938)

    on how it completely hides metadata? Or is that just a function of using TOR, but then if your ISP is compromised by the spies can they not get the data anyway?