Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Vanish' Makes Sensitive Data Self-Destruct

Posted by Soulskill on from the also-doesn't-appear-to-be-a-fire-hazard dept.

Hugh Pickens writes "The NY Times reports on new software called 'Vanish,' developed by computer scientists at the University of Washington, which makes sensitive electronic messages 'self destruct' after a certain period of time. The researchers say they have struck upon a unique approach that relies on 'shattering' an encryption key that is held by neither party in an e-mail exchange, but is widely scattered across a peer-to-peer file sharing system. 'Our goal was really to come up with a system where, through a property of nature, the message, or the data, disappears,' says Amit Levy, who helped create Vanish. It has been released as a free, open-source tool that works with Firefox. To use Vanish, both the sender and the recipient must have installed the tool. The sender then highlights any sensitive text entered into the browser and presses the 'Vanish' button. The tool encrypts the information with a key unknown even to the sender. That text can be read, for a limited time only, when the recipient highlights the text and presses the 'Vanish' button to unscramble it. After eight hours, the message will be impossible to unscramble and will remain gibberish forever. Tadayoshi Kohno says Vanish makes it possible to control the 'lifetime' of any type of data stored in the cloud, including information on Facebook, Google documents or blogs."

10 of 171 comments (clear)

  1. Copypaste by sopssa · · Score: 5, Insightful

    'Our goal was really to come up with a system where, through a property of nature, the message, or the data, disappears,'

    And yet after a copypaste or screenshot it wont disappear anywhere.

    1. Re:Copypaste by Anonymous Coward · · Score: 5, Informative

      That's not what this is intended to prevent. Of course the intended recipiant can read it. They could even write it down on a piece of paper.

      The same message however, may have been cached in many other places. This scheme is intended to prevent it's retrieval by other parties at a later date.

  2. Let's not kid ourselves by Bruce+Perens · · Score: 5, Insightful

    If the decryption key is ever available to the browser, a modified version of the tool could store it and decode the document forever.

    --
    Bruce Perens.
    1. Re:Let's not kid ourselves by Eevee · · Score: 5, Insightful
      No disrespect, but read the article. It explicitly states that this is not designed to keep the parties from saving the information.

      It is technically possible to save information sent with Vanish. A recipient could print e-mail and save it, or cut and paste unencrypted text into a word-processing document, or photograph an unscrambled message. Vanish is meant to protect communication between two trusted parties, researchers say.

    2. Re:Let's not kid ourselves by mlts · · Score: 5, Interesting

      One advantage I see is that after the Alice sends Bob the message and Bob has it stored, then the copies of the message floating around on the Internet become completely non-decryptable after the time limit has expired. Even if a third party manages to decode or obtain Bob's private key, it won't do them any good in obtaining the text; the attacker would have to attack either Alice or Bob's endpoint, which is a lot harder than just passively sifting stuff sitting on a server with unknown security.

      Vanish does the same thing that cryptographic tokens do. Both limit the window of attack on something. Where a smart card would limit guesses of a key's PIN to 3-5, Vanish limits the time of attack of a message to 8-12 hours.

  3. Obvious application by Dice · · Score: 5, Funny

    Dear Alice,

    Do you want to go to the dance with me?

    [ ] YES
    [ ] NO

    Love,
    Bob

    (Message will self-desctruct 1 minute after dance starts.)

    1. Re:Obvious application by bluefoxlucid · · Score: 5, Funny

      How about a 3-way with both Alice and Eve?

      Oh yeah. I had the balls to ask.

      --
      Support my political activism on Patreon.
  4. So that's what's been happening by hwyhobo · · Score: 5, Funny

    After eight hours, the message will be impossible to unscramble and will remain gibberish forever

    I think corporate VPs have been using this tool for years, with the delay trigger set to "0".

    --
    End anonymous moderation and posting on /.
  5. Corporate crimes by wjousts · · Score: 5, Insightful

    I can see this being useful for corporations that want e-mails to be destroyed before they can be used against them in court. Sure you could take a screen shot or copy/paste the text before the e-mail is permanently destroyed, but can you prove that your copy wasn't tampered with? Can you prove that was what the e-mail originally said? Plausible deniability!

  6. Cute. Here's how it works. by Animats · · Score: 5, Informative

    First, as is typical, the Slashdot article is three steps removed from the actual paper, which is worth reading.

    It's kind of cute. What makes it work is that the indexing part of the Vuze platform, which is distributed over a few million user machines, has an 8-hour timeout. After eight hours, otherwise unused entries are purged from cache, like DNS cache expiration. So it's possible to use Vuze for unreliable short-term storage of key-value pairs.

    (Normally, the Vuze hash is used as a index to BitTorrent blocks, and if there's a block on a server, the server puts it into the hash and refreshes it periodically, so the block stays indexed. But it's possible to put arbitrary key-value pairs into the distributed hash that have no relationship to BitTorrent blocks. If you put info in the hash and don't refresh it, it goes away after eight hours.)

    So the sender generates a key, encrypts the message, spreads the key across some number of key-value pairs on random Vuze clients, sends a message telling what key-value pairs in Vuze contain the crypto key, and deletes the local copy of the key. The receiver gets the message, looks up the key-value pairs specified in the Vuze hash, reconstructs the key, decrypts the message, displays it, and deletes the local copy of the key. The receiving client has to do this every time the message is viewed.

    This violates the Vuze terms of service, incidentally.