NSA-resistant Android App 'Burns' Sensitive Messages

angry tapir writes "Phil Zimmermann's Silent Circle, which halted its secure mail service shortly after Lavabit, has released a messaging application for Android devices that encrypts and securely erases messages and files. The application, called Silent Text, lets users specify a time period for which the receiver can view a message before it is erased. It also keeps the keys used to encrypt and decrypt content on the user's device, which protects the company from law enforcement requests for the keys." Seems similar to pieces of the Guardian Project.

Very little utility here

[wbr1]

I think this gives a false sense of security. Sure it encrypts messages on my device. And helpfully auto deletes them after the expiry has passed. However, if the person you are worried about gaining access to the messages can silently coerce the transport company (in this case your mobile provider), to release the contents of messages they have stored, of what use it?

Re:Very little utility here

[wbr1]

Well, after writing that based on the fairly poor TFS, I broke /. canon and scanned TFA. It seems the messages are sent encrypted with a temporary key. Not being an encryption expert, I would presume that you would have to transmit the temporary key to the recipient though, and that would be subject to attack. Not to mention the fact that you are sending encrypted message bringing more attention to you.

Re:Very little utility here

[oodaloop]

The mobile provider would only have encrypted messages, and the only way to decrpypt woulf be brute force or getting the keys on your device. I'm no expert though; I just read TFA.

Re:Very little utility here

[gl4ss]

yeah it's the recipient who can copy the message.

he can read it, he can copy it.

this is just copying a feature from a popular teens chat program..

Re:Very little utility here

1. The messages are not actual text messages. Silent Text's servers will delete them when the timer expires. Mobile carrier isn't storing them like emails, it's just a data stream requested by an app to them so they're not keeping it unless they're keeping all the data that goes to your phone all the time.

2. The data they have is encrypted so it's not quite an open book should someone get a hold of a message. Remember the keys are locally stored so it would have to be decrypted in a more intensive manner.

It isn't perfect and there are ways to intercept messages or coerce them from the middle providers but compare that to standard text messaging and you have an improvement.

Captcha: hostage

Re:Very little utility here

[GameboyRMH]

Came here to say this. Without using shared secret encryption it either requires a (potentially coercible) central authority or is vulnerable to MITM attacks. And any kind of "time deletion" is only good for security on the receiver's device, not security of the message sent - the important thing to remember with computers is that if you can see it on your screen or hear it through your speakers, you can own it forever. No exceptions.

Re:Very little utility here

[Rockoon]

I think this gives a false sense of security.

All senses of security are false.

Re:Very little utility here

[LWATCDR]

I am still trying to figure out what everybody is texting and messaging that is so private?
I kind of work on the idea that anything that private I say face to face.
I wonder just how much of this worry about the NSA is some form of narcissism. Frankly I am not important enough or interesting enough for the NSA to spy on me.
 

Re:Very little utility here

[RoboJ1M]

There's a button on my Ubuntu PC for creating private/public key pairs and uploading the public key to a ring of public key servers.
Then, people can encrypt emails that only I can read because only I have the private key.
I've always wondered why this isn't better integrated/more automatic when it comes to email systems (gmail?)

Why not just leverage that type of mechanism?
1) Install app
2) it creates a key pair for your phone number
3) It uploads the public key to one of these servers
4) Anybody who texts you using a compatible app, it looks up your private key and encrypts the message only for you.

Job done.

If you can't fit the encrypted message in 120chars, it uploads the encrypted data to a 3rd party and all it sends is a message ID.
Or it uses IP only (like imessage/whatsapp)
Or is uses email as the bulk carrier
All those IP messaging systems must use a 3rd party anyway as you're always NAT'ed behind a real IP address anyway on a mobile connection.
I'm always on a 10.x.x.x address.

Re:Very little utility here

[RoboJ1M]

Or public key encryption.
Private key on your phone, public key on that key server network that's used for encrypting and authenticating emails.

Re: Very little utility here

Gmail by design wants to read your email. Google isn't going to implement a public/private key system into Gmail as a built in feature.

Re: Very little utility here

The vulnerability they are trying to address is coercion of the central authority. All the NSA needs to do in your scenario is to get the directory to give out a false public key.

Re:Very little utility here

[Dr.+Sheldon+Cooper]

"...unless they're keeping all the data that goes to your phone all the time."

Which is exactly what they appear to be doing.

Re:Very little utility here

Yeah and the keys are on your device. So all they have to do is record or otherwise acquire all the encrypted messages, then grab the phone.

So in the end it's not that different than if they just got your phone and there were unencrypted texts on it. The encryption and erasing aspects of this are useless which means the entire app is useless.

False sense of security.

Re:Very little utility here

[Shompol]

People with sensitive correspondence should worry about this, such as: political activists, lawyers, company execs, gangsters, politicians. They already utlize "face to face" to the maximum extent, but by deploying a blanket wiretap the government is giving them a dilemma: become a luddite or risk your communication compromised.

Less likely, but even if you do not belong to one of the above groups then the government might be out to get you for any personal or political reason,they just need to mine your messages for anything that looks compromising to make an arrest. Or sometimes they need a poster child to show that their ter ror watch was fruitful, like the guy in Canada arrested for using word "blow" in his text message.

Re:Very little utility here

[GameboyRMH]

Nope this can't work. Unless you physically control the server it could be accessed through coercion. If you send the public key to the server through the Internet using anything less than symmetric key encryption with a key that only you have, and have never sent through the Internet, that's at risk of being snooped by the NSA.

For a while I thought high-level ECDH SSL, if self-generated, might work as NSA-proof encryption but after reading this article I'm not so sure.

Re:Very little utility here

[LWATCDR]

Political activist? No thanks they all seem to want to cause problems not solve them. They make money when people are upset. Left and Right.
Company Exec. Been there but the NSA is not an issue for that. Other companies and or your own people being dumb is the issue there.
Gangsters. Good bust them
Politicians. Good bust them.
Again not really an issue. I chalk it to narcissism. at this point.

Re:Very little utility here

"If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him." - Cardinal Richelieu

This app is maybe a good idea, we only need to find cellphones whose modem hasn't access to the whole addressable memory, like some models do, which forfeits all security of the app or the OS.

Re:Very little utility here

it is not about the individual messages, it is about the profile one can create about you (and anybody else) in the long term with just a mouse click. Everybody becomes completely transparent to forces behind the curtain.

No, it is not about narcissism, it is about a huge threat to democracy. Just look upon European history and see how mass surveillance of everybody and everything has oppressed people and their freedom of expression. People are not free when they are under surveillance.

Re:Very little utility here

[MightyYar]

It isn't useless. A careful person could remove the keys every time they finish with the application. The application is simply a way to guarantee that your communication will not be intercepted, limiting what you need to worry about to the endpoints.

Re:Very little utility here

So the two phones would have had to be next to each other and exchanged a permanent set of keys to bootstrap the key management.
      Or exchanged some sort of physical media.
      Or trust a third party which as you point out seems less secure than where they are headed.

Once they have the permanent key, the receiver can use it to make a temporary public/private key pair to transfer the message.
    Deleting the temporary keys along with the messages prevents future physical access to the phones combined with the intercepted encripted message from working.

Why is there no utility here?

Re:Very little utility here

[LordLimecat]

If only there were some sort of secure way of exchanging keys over an insecure medium...

Re:Very little utility here

I'm no expert though; I just read TFA.

FAIL!!!!

First off, everyone that posts here is an expert. Sometimes self proclaimed but expert none the less. Secondly, reading TFA is strictly forbidden.

Re:Very little utility here

[thoromyr]

this got modded insightful?

Hint, the more broad and absolute a statement is ("all" and "false") the less likely there is to be any truth to it.

I could see it being interpreted as "funny", but it doesn't really get past the joke stage.

Re:Very little utility here

[Gilmoure]

So much for updating the decor of my secret volcano lair. I dont want my arch nemesis stealing my interior designer's plans. Guess we'll just paint the walls beige.

Re:Very little utility here

There has not been a single case of the government using any of it's data to target and harm political groups in the country. There are also no cases of journalists critical of the government being arrested or disappeared because of their political leanings. Now they are people who have been arrested for leaking confidential data illegally but even in these cases the prosecutors have obtained legal search warrants to collect their evidence they plan to use in court. In fact there is not even any verifiable reports of any private citizens being harmed by the government using any of the data collected by the NSA, The only real threat is to companies trying to protect trade secrets or other confidential data from competitors. With all the screaming and hand waving over people having their privacy violated there doesn't seem to be any proof that they are being harmed in any fashion. People tend to use the words "In the future..", "slippery slope", and "possibly could" when describing the potentials for abuse but nobody seems to be able to find these great affronts to human dignity.

Re:Very little utility here

[ceoyoyo]

Yeah and the keys are on your device.

The encryption and erasing aspects of this are useless which means the entire app is useless.

Put two and two together. Presumably the erasing aspect is less for erasing the encrypted message than it is for erasing the private key. That way the NSA can get a copy of the encrypted message and a copy of the public key, but they can't get the private key unless they happen to nab you and apply phone books and rubber hoses before your phone erases it.

Zimmerman is a pretty smart guy.

Re:Very little utility here

[pla]

If only there were some sort of secure way of exchanging keys over an insecure medium...

Saaay, someone should tell Phil Zimmerman about that - I'll bet he could really put it to some good use!

Re:Very little utility here

[sl4shd0rk]

I've always wondered why this isn't better integrated/more automatic when it comes to email systems

The extra step needed (entering passphrase to use private key) are too cumbersome for most people. Implementing a work-around to make it "easier" negates the whole point of protecting the key in the first place.

It can't get much easier than Enigmail in Thunderbird yet still nobody will use it. We live in the times of patheticosis.

Re:Very little utility here

[cool_arrow]

Why you should worry about surveillance: http://www.harvardlawreview.org/symposium/papers2012/richards.pdf

Re:Very little utility here

[cool_arrow]

agree. I've often wondered how it is the nice people who put out "secure" apps and recommend them to dissidents, journalists, etc in oppressive regimes have never heard of baseband (radio) exploits. Also, apps can be run in the sim. The sim and baseband can be updated/programmed remotely. One doesn't know what's going on inside the sim or baseband.

Re:Very little utility here

[vux984]

I've always wondered why this isn't better integrated/more automatic when it comes to email systems (gmail?)

3 reasons

1) Technical - gmail needs to have your private key to decrypt messages sent to you with your public key. Or to sign messages sent by you with your private key. They absolutely cannot offer a webmail service, if they can't descrypt your mail to show it to you over the web. If gmail has your private key, its not a very private key. The NSA can just quietly ask google for the key.

2) Business - gmail wants to mine your data. They can't do that if they can't read it. The business model of gmail is incompatible with providing a service where they can't read your data.

3) Conveniencel - having to enter pass phrases all the time is a chore. Nobody wants to do it.

Re:Very little utility here

[IamTheRealMike]

Er, what? We just learned this summer that governments are sucking up EVERYTHING and storing it for god knows how long, and you think it's useless because you would need to obtain the device to read the content?

No way! At this point any kind of crypto, even the unauthenticated kind, is a good step forward.

Re:Very little utility here

[Bill,+Shooter+of+Bul]

I'm not confident that the NSA hasn't already solved the discrete logarithm problem at the heart of that method.

http://arstechnica.com/security/2013/08/crytpo-experts-issue-a-call-to-arms-to-avert-the-cryptopocalypse/

Even if the security is perfect, I have a hard time understanding why people would need it. If you were discussing something that were merely private that you didn't want anyone to ever know you'd have to convince the other person to install the app as well. Hey Dave, I have a secret I would like to share with you, but only if you install this app... You have to be really paranoid, or have a really valuable secret to divulge. I just don't see that many legitimate uses.

If you integrated it into android, where every text between two android users did the same thing, that would be valuable. So things would be secure and private by default.

Re:Very little utility here

[arth1]

It doesn't matter how secure the key exchange is, if the hacker has access to your keys, for instance by having a backdoor into the OS or app that uses the keys.
Or in other words, a public key from a key pair isn't worth shat if the private key can be compromised.

Re:Very little utility here

[Dixie_Flatline]

I think what you're forgetting is that the content of the message is really only useful (from a big brother standpoint) if you can definitively pin the message on someone.

Sure, if a message appears on my phone, I can write it down and SAY it's from you, but without that transaction log, it's just your word against mine. There's no paper trail except a message you claim I sent you. A picture of the message or anything else that doesn't include that signature is meaningless.

So the REAL question is whether or not this is sufficient to sever the link between sender and message when the message is 'burnt'.

Re:Very little utility here

[mcrbids]

Job done.

Except it's not even close to done. This protocol is far more secure than no security at all, but is vulnerable to a number of different attacks. If you think the solution is simple, it's because you don't really understand the scope of the problem.

1) How do you trust that the keys posted on the public key servers? Say I wanted to send you a message, How do I know that the key posted on the key server is in fact, from you? (See Certificate Authority) If a malicious party could intercept messages to you and decrypt them (using the bogus public/private key pair) and then re-encrypt the message to you using your formerly available public key, you'd receive the message and have no knowledge of the MITM attack.

2) Given today's environment for gag orders, how do I know that the Certificate Authority is trustworthy? (I don't) Thus, even when signed by a CA, I have little assurance that scenario #1 isn't happening even if protected by CA.

3) A simple DOS of the Key server will prevent anybody from knowing that you are, in fact, using a public key anyway.

4) Which of the numerous Key exchange protocols are YOU using to protect your email? Assume I'm a whistleblower and you are a media rep, and I have some important stuff that you should know. How am I supposed to discover which of the various security mechanisms that you are using? Publishing incorrect information about how you are securing your exchange allows for another type of MITM attack, even when you are doing everything right.

The reality is that the NSA's action and the USA's current legal structure create an environment where literally nothing can truly be trusted. As long as laws that allow for demanding information from a company in conjunction with a gag order preventing disclosure, we can literally not trust a single US Internet company with any type of cryptographic protection. Not just Google/Yahoo/Microsoft, but also any and all CAs, and anybody that depends on CAs to do their job.

So, use a CA from oversees, right? Not subject to US law? Sorry, but that doesn't do it either. Most browsers/email clients are configured with dozens to hundreds of "trusted" CAs. Somebody impersonating you only needs to get a public/private key signed by *any* "trusted" CA in order to not have your browser/email client complain about a MITM attack. In order to properly secure my web-based product with SSL, I not only have to ensure that I'm doing business with a secure CA, but I also have to ensure that every CA trusted by anybody, anywhere is similarly secured. Since there is no way to validate this, and laws exist that prohibit me from knowing if the CA's root key has been given to the NSA, I have no way to do this.

So, in reality, with the security mechanisms in place to protect trust on the Internet, we have an attack footprint that is long, wide, and deep. To call this situation "bad" is a tremendous understatement. The NSA and the United States government have eradicated any actual ability to trust anything online with the current infrastructure. Only with the addition of additional layers of "trustability" can we truly protect ourselves. Tools such as Certificate Patrol at least alert you when certificates change.

Re:Very little utility here

You don't seem to understand how PKI encryption works. The private keys are ON THE DEVICE. Therefor it's impossible for the transport to read them.

Re:Very little utility here

[tqk]

I'm no expert though; I just read TFA.I'm no expert though; I just read TFA.

FAIL!!!!

First off, everyone that posts here is an expert. Sometimes self proclaimed but expert none the less. Secondly, reading TFA is strictly /forbidden.

Would you please go play in traffic? Thanks.

Re:Very little utility here

[jiriki]

1.) This is not true. You can design a mail system to store the private key on the client (html5 local storage). See https://encmail.eu/ (shameless plug: Still in its infancy, but it will get there) or mega mail (if it will ever happen). Of course implementing everything on the client makes things harder. And losing the key is an issue for the user. And it will only be secure once the Webcrypto API is released and the Javscript code cannot access the keys anymore. But countries other than the U.S. usually cannot force you to hand over your keys and manipulate your server.

2.) True.

3.) Not true. See 1. If you authenticate using a private key you only need the password to decrypt the key and no username anymore.

Re:Very little utility here

Maybe (this is a guess of course) it got modded insightful because of this-is-not-providing-full-security-so-it-is-another-useless-shit sort of attitude that prevails here. I guess it is not funny but it is sarcastic. /. does not get better than this (usually).

Re:Very little utility here

[camperdave]

You can send the public key any way you like. The entire point behind having a public key is that it is public. That's why they call it a public key. Encrypting it defeats its purpose.

Re:Very little utility here

You are a fucking liar. And I know you are not just ignorant, because you'd have to have been living under a rock, singing "lalalalalalala" with your fingers stuck in your ears, to believe what you wrote.

Re:Very little utility here

[vux984]

1.) This is not true. You can design a mail system to store the private key on the client (html5 local storage).

Until I have some sort of assurance that the key stored in local storage, can't be sent up to the server by javascript then this gets me no where.

The NSA asks your mail service for the keys. The mail service says we don't have them... html5 local storage. NSA says ... add this line of javascript to your site. Next time I log in they have my key, and everyone else who accessed the site during that interval.

And even if we build a whole new spec with a wall of protection around the key, so the javascript just sends the encrypted text in and gets the decrypted key out and never gets its hand on the keys only then will the key be safe.

But any messages I access still are not. Because as long as I'm relying on javascript downloaded from the service to display the messages, I am vulnerable to that javascript being updated and sending that message back up to the server.

The client cannot be provided on demand by the server to have a hope in hell of being safe. Really it needs to be 3rd party, open source, audited by more 3rd parties, and the binaries I install.. well I don't... I download the source and compile it myself after checking that the hashes match the original and the 3rd party auditors. And even then, I have to trust that the NSA didn't get to everyone and conspire to publish malicious source. So to be truly safe, I have to audit it myself.

Real security from the likes of the NSA is HARD.

3.) Not true. See 1. If you authenticate using a private key you only need the password to decrypt the key and no username anymore.

True but you underestimate how little tolerance the average person has for passwords. An awful large number of people don't have login passwords to their computers and fewer still on their phones. And their mail passwords are remembered by the software so they don't have to enter them.

Re:Very little utility here

There is nothing better than own words that can be used against you - now NSA and others have the means for that. Saving your digital life forever or for a time long enough means anything can be found in your communications that can be used during loyalty review. This has not much to do with NSA actually but with broader insensitivity of the population to the information traces they leave in internet. Before it was only individuals that could reveal anything. Now it is NSA that knows everything you ever cared to type and share with anybody. The situation gets complicated when privately done loyalty review has to be redone because officially accepted royalty has changed. This may happen to you too - after all McCarthy was a senator in a democratic country.

It is also normal that majority of the population does not see this as a problem. It may become one but it does not have to. When it does however the said majority will form nice chorus about evil coming from this scum of the earth etc for instance these evil people that were posting on /. - perverts I'd say - hang'em /.ers! Hang'em higher!

This all has happened many times before only the technology was not as good as it is today and I am sure it will improve.

This said I am not really against having this information stored for some time and available under court order. The point is that right now there are no limits and the information is processed and stored without anybody knowing. The perversion of justice can escape public attention if law does not allow anybody to talk about it in public.

Re:Very little utility here

[0111+1110]

I just don't see that many legitimate uses.

What about illegitimate uses? Those are the only kind that domestic extremists like myself care about.

If you were discussing something that were merely private that you didn't want anyone to ever know you'd have to convince the other person to install the app as well.

This would seem to be the case for every form of private communication. Is there any way to communicate securely with someone who doesn't care about private communication?

Hey Dave, I have a secret I would like to share with you, but only if you install this app...

I had this problem with my defense attorney. I wanted to discuss some aspects of my case with him via email, which I rightfully didn't trust. So I asked him if he would be willing to install and use gpg4win or at least sign up for Hushmail, but that went over like a lead balloon. So in the end I had to wait to discuss the case with him in person.

Re:Very little utility here

[GameboyRMH]

Well you're right that I got the two sides messed up...but it doesn't solve the physical access problem.

Re:Very little utility here

[jiriki]

Until I have some sort of assurance that the key stored in local storage, can't be sent up to the server by javascript then this gets me no where.

The NSA asks your mail service for the keys. The mail service says we don't have them... html5 local storage. NSA says ... add this line of javascript to your site. Next time I log in they have my key, and everyone else who accessed the site during that interval.

It does not get you the whole way there. But I sure makes it harder for the NSA.

So on a technological level you can simply increase the time the javscript files are cached and have some external monitoring for changes. Since the whole page is static and the only dynamic element are REST Service calls this is not a big issue. Then malicious JavaScript will have to stay on the page much longer to be effective and will more likely be spotted.

On a political level: I live in Germany. The NSA cannot tell me anything. And Germany had two of the worst terror regimes in the last century. I don't think people here would tolerate being treated like you are now. There is e-mail monitoring in Germany, but it's based on laws and courts that are not secret. While running an service like this would not work in the U.S. it certainly works in most of Europe (probably excluding the U.K.)

So to be truly safe, I have to audit it myself.

Real security from the likes of the NSA is HARD.

Well, it is. But there is still a way between not trusting anyone and auditing everything yourself and sending unencrypted mails that everybody can read. If the NSA, BND or whoever wants to see especially my emails, they will. But most of my mails are really boring for everone to read and nobody cares about them. And what I'm writing to my tax advisor isn't really secret, too. Still I don't want anybody to read them. So for me its just important to make reading my mails enough hassle for the NSA to not do it.

Getting paranoid does not help anybody. It just prevents you from acting, because there is no completely safe way to communicate.

Re:Very little utility here

[Acid-Duck]

I just don't see that many legitimate uses.

How about a politician traveling to a less than friendly country?

Re:Very little utility here

[vlueboy]

With the power NSLs have, why is is so hard to conclude that television and papers can be gagged IN ADVANCE just as readily as your friendly beighborhood ISP?
It is not like disappearing and poisoning of persona non-gratta needs to be done every day, and they can precision-target the Snowdens we haven't heard from yet

Re:Very little utility here

[K.+S.+Kyosuke]

Saaay, someone should tell Phil Zimmerman about that - I'll bet he could really put it to some good use!

I can imagine that the result would be some pretty good privacy for the ordinary user.

Re:Very little utility here

[quarterbuck]

OK. What about
All absolute statements about security are false
If the above is a statement about security, it is false.Hence it is true.

Re:Very little utility here

Except for the OTR-style PFS per-message encryption.

Re:Very little utility here

[Bill,+Shooter+of+Bul]

A politician isn't going to be savy enough to install the app, and have everyone he's communicating with install the app. interTubes are not their friends. It has to be secure by default.

Re:Very little utility here

[thoromyr]

Nice try. I never made the broad and absolute statement that you seem to be implying. "the more it is..." leads to "...the less likely". But I'm guessing you knew that.

Re:Very little utility here

[Flere+Imsaho]

I've always wondered why this isn't better integrated/more automatic when it comes to email systems (gmail?)

If you encrypt your email it will prevent Google from parsing the text and shovelling targeted ads at you.

Re:Very little utility here

[ceoyoyo]

Who cares if the NSA gets the public key?

I want to send you a message so I ask you for a key. You generate a public/private key pair and send me the public one. NSA gets it. I then encrypt my message with the public key and send it to you. NSA gets it. You then receive the message and read it. The NSA is SOL because they've got the public key, not the private one. They COULD still impersonate me though, so to avoid that we do a key exchange in the opposite direction and I sign my message with my private key, which you check using my public key. Which tells the NSA only that I sent the message (which they knew already).

The current weakness, and the one that's exploited, is that the NSA can snatch you off the street, apply rubber hoses, and get you to give them the decyrpted message and/or your private keys. With a time-limited system both the message and the keys get wiped, hopefully before the NSA has time to get their snatch squad on site. Without your one-time use private key, the encrypted message cannot be decrypted by anyone.

The auto-deleting is no protection if I don't trust you, but it's not meant to be. It's a convenience feature so you don't need to remember to delete the private key. Plus the app presumably takes care of generating the keys and exchanging them for each message, which would be a huge pain in the ass if you had to do it manually, which explains why nobody ever does.

Re:Very little utility here

[ceoyoyo]

This kind of system should be integrated into messaging systems. It would wipe out spam as well as keeping away snoops. The overhead for this would be fairly small - essentially it would require doing similar negotiation to what WPA does when you make a connection. People switch messaging networks all the time, and the timed-destruction feature is something that's in demand. My teenage cousin is all over Snapchat.

Re:Very little utility here

[ceoyoyo]

Which is why you create a private key for the message exchange, then delete it. If your OS is compromised you're hooped regardless, but it avoids the "sir, I pulled you over because you have a broken tail light. Now, let me see your license, registration and cell phone" situation.

Re:Very little utility here

[ceoyoyo]

It IS funny. It's not quite as funny as saying "who says?" to an anarchist wearing a question authority t-shirt, but it's not horrible. It says something about the average Slashdotter that it's modded insightful though.

Re:Very little utility here

[ceoyoyo]

In lots of places in the world you can be arrested for saying or writing things that most of us would consider perfectly harmless, never mind saying things that are unflattering to a government that would do things like that to it's citizens. In those places unsnoopable communications are extremely valuable.

In places that currently aren't in such a situation, the existence of secure communications are essential to keeping it that way. Assuming you're American, your constitution has an amendment that makes it a right to own a firearm. The usual justification for that is that free ownership of firearms makes it more difficult for oppressive regimes to gain or hold power. Secure communications are MUCH more important to that goal than a bunch of yahoos with rifles. There's nothing so dangerous as a man with a radio.

Re:Very little utility here

[ceoyoyo]

Because I can grab you and torture you until you give me your private key. Then I've got all the messages you've sent or received.

With this system, each message gets it's own private key that's deleted after a specified time period. If that time period is short enough I won't have time to grab and torture you. Even if I do, I'll only get the most recent messages.

This system is less convenient than a persistent key pair because you can't keep an archive of messages. On the other hand, it's much more secure, because you can't keep an archive of messages.

Re:Very little utility here

[chihowa]

One solution to quite a few of these problems is a USB dongle that holds the keys and handles the actual encryption. This would be perfectly feasible with PKCS #11, if it didn't suck so very much. HSM and smart cards are so incredibly disappointing in that the potential is squandered by a poorly designed API, massive fragmentation, and the overabundance of not-interoperable devices.

Fixing that mess would go a long way toward making key management simpler and more secure.

Re:Very little utility here

[vux984]

It does not get you the whole way there. But I sure makes it harder for the NSA.

For a service outside the jurisdiction of the NSA or other opressive govt agency yes, I agree, but its not just the NSA.

At the end of the day, client side keys manipulated by javascript via local storage require trusting the service provider not to slurp them from me. I want a solution that doesn't require that trust.

So on a technological level you can simply increase the time the javscript files are cached and have some external monitoring for changes.

Again, the service provider controls this. I have to trust the service provider.

But there is still a way between not trusting anyone and auditing everything yourself and sending unencrypted mails that everybody can read.

Agreed. And the way to that is to separate the client doing the encryption/decryption and message presentation and editing from service provider doing the transport and remote storage.

Just as I don't need to trust my ISP to make a certificates based HTTPS SSL/TLS connections to a remote server with offline key exchange done in advance. The ISP don't hold the private keys. They can't MITM me. They can't slurp data from out of the browser via javascript unless they can get me to download a maliciously altered browser. The NSA can tap my ISP all they want, but unless they compromise me or the remote server or have cracked the encryption itself they can store all the gibberish they like. That is the reasonable compromise.

HTML5 local storage of private keys accessed by a web app is not. That's the equivalent of not trusting the cleaning service to have a copy of your front door keys... so you have them use a key you leave under the welcome mat instead, and tell them not to take it or make copies. If you don't trust the cleaning service... this is not a step "forward".

On a political level: I live in Germany. The NSA cannot tell me anything. And Germany had two of the worst terror regimes in the last century. I don't think people here would tolerate being treated like you are now.

I'm not an American either, nor am I in America. As far as the NSA is concerned, that makes my communications completely fair game... even if the USA gets its act together in terms of warrants and secret courts that's just "domestic surveillance of American citizens" you and I are the "legitimate targets of the NSA" in the sense that the NSA doesn't even have the perfunctory hassle of even hypothetically needing a pretense to monitor everything we say.

There is e-mail monitoring in Germany, but it's based on laws and courts that are not secret.

Unless its not. Because if its being done in secret, then by definition you don't know.

Getting paranoid does not help anybody. It just prevents you from acting, because there is no completely safe way to communicate.

Except there is. We already have the technology. HTTPS with SSL/TLS using self-signed certificates exchanged via offline channels.

And it works because of the division of responsibility. Our ISP is not our client (browser in that case) provider. If we were all AOL subscribers, using AOL browser, then we'd be boned.

Re:Very little utility here

[vux984]

One solution to quite a few of these problems is a USB dongle that holds the keys and handles the actual encryption.

aka... TPM / Trusted Computing. you don't even need the usb device.

That would indeed go a long way towards solving the problem, provided we get to control the keys. Alas TPM / TC is subverted by the content creation industry... so they "own" the platform instead of us for the most part. But in terms of the tech itself, its a solution that already exists if we just had the willpower to take control of it.

But even a usb based encryption solution doesn't render using a web app / web service safe, because the javascript can just slurp the decrypted content coming out of the device and pass it up to whoever. Using a web app REQUIRES trust of the service provider, because they control the client.

You can use a service provider without trusting them, provided you can supply your own client. Its not enough to provide your own usb/hardware encryption ... you have to control the client itself. The decrypted content must not enter the control of something the service provider controls.

Re:Very little utility here

[citizenr]

I'm not confident that the NSA hasn't already solved the discrete logarithm problem at the heart of that method.

http://arstechnica.com/security/2013/08/crytpo-experts-issue-a-call-to-arms-to-avert-the-cryptopocalypse/

I think its about NSA submarining vulnerable elliptic curve keys into the standard

Re:Very little utility here

[chihowa]

Well, I was thinking more about smart cards, USB tokens, and generally what is covered by PKCS #11 than TPM. There's no reason to use TPM for this, and it has the additional downside of being tied to a single computer and not a single user.

PKCS is implemented in the browser and/or the OS, so you wouldn't need to rely on some sites's javascript to render the decoded text. The idea behind it is good, but the implementation is horrible. The fact that it's been around for 20 years and nobody really uses it or knows what it is is a testament to how poorly designed it was.

Re:Very little utility here

[bored]

I want to send you a message so I ask you for a key. You generate a public/private key pair and send me the public one. NSA gets it.

And generates their own public/private key pair. They then forward their public key to you instead of mine. You encrypt a message using it and the NSA gets it, decrypts it, and recrypts it using the public key I sent you, then forwards it to me.

MITM works for public keys too if you can't trust the public key exchange. That is why before you sign a 3rd party key (outside of your trust circle), you should verify in an out of band method, that the key your are signing matches the key identity of the 3rd party. Aka, pick up the phone and ask them what the key fingerprint is.

Re:Very little utility here

[jiriki]

Except there is. We already have the technology. HTTPS with SSL/TLS using self-signed certificates exchanged via offline channels.

And it works because of the division of responsibility. Our ISP is not our client (browser in that case) provider. If we were all AOL subscribers, using AOL browser, then we'd be boned.

I am not sure I understand. HTTPS with SSL/TLS only gives you transport level security. So nobody can listen on the wire. This might be enough if you manage/truest your own server, but for most people this is not the case. Then your mail is saved unencrypted on the mail server and can be accessed by anyone with access to the server (that probably includes government agencies).

Also using an "offline channel" is more hassle than most people are willing to accept.

Re:Very little utility here

[bored]

How do you trust that the keys posted on the public key servers? Say I wanted to send you a message, How do I know that the key posted on the key server is in fact, from you? (See Certificate Authority) If a malicious party could intercept messages to you and decrypt them (using the bogus public/private key pair) and then re-encrypt the message to you using your formerly available public key, you'd receive the message and have no knowledge of the MITM attack.

You are, of course correct, but that is what key signing and webs of trust are all about. The "hard" part is finding an out of band communication method that can be trusted to verify the key signature. Its actually pretty "easy" if your willing to pick up the phone and call someone and say "hey, am about to sign your key, can you tell me what its fingerprint is".

You do get _SECURITY_ this way, what you don't get is anonymity.

Re:Very little utility here

[RoboJ1M]

OK, so assuming the intelligence agencies have the power to secretly coerce all of those public key servers to do their bidding.
Which they probably do.
Is the only solution out of band?
What about authentication?
A way to encrypt a message in a way that the recipient know that you encrypted it.
Which probably doesn't work because they have that guy's public keys too.
There's got to be *some* trusted 3rd party they can leverage.
Wait a minute.

Why can't you just check the public key on the server is equal to your own?

Re:Very little utility here

[petermgreen]

The problem is by adding centralisation and automation you help the spooks subvert the system. Centralisation helps them because they can attack the central authority. Automation helps them because automatons behave predictablly. It's much harder to quietly MITM a process with humans in the loop because those humans may be cross-checking in ways you don't know about.

Re:Very little utility here

[RoboJ1M]

True.

However at the moment we have default blanket unencrypted everything.

So it certainly can't get any worse, unless you consider false sense of anonymity worse.

One advantage of automation is adoption, people will do something if it's easy.
They won't do it if it requires effort of their part.

Another thing to consider is they probably really aren't interested in what you are I are doing/saying/thinking,.
It's the casual collection of everything that seems to get peoples backs up.
If you put in place a system that was a bit tricky to bypass, would they bother?

Er, yes, I guess they probably would wouldn't they?
You could always fight them the capitalist way, make it too expensive to try.

So, centralisation. Decentralise then. How could you have a decentralised trusted third party?

They could MITM your public key, substituting their own.
But it you look up your public key and see that it's != yours, you know you're been breached.
You'd need a 3rd party to do the validation because you can't trust your own connection back to them.
VPN providers. They have to return the bogus key to everybody except you, but they don't know who you are.
Or use TOR to anonymity the check.

It doesn't seem that difficult to make it cost way more than it's worth to discover what you've been saying/doing. ...hang on there's a someone knocking at the door, back in a minute...

Re:Very little utility here

[ceoyoyo]

Sure, you need to follow standard procedures for avoiding man in the middle. So you can exchange keys using a pre-exchanged symmetric key, or a trusted public key. Or I could send you a key signature (or a key) out of band. Or any other method you like.

Avoiding MITM is orthogonal to the technique described in the article.

Re:Very little utility here

[ceoyoyo]

Why would you trust a key server anyway? Last time I made keys and uploaded them to a key server it just believed I was who I said I was.

Re:Very little utility here

[RoboJ1M]

You can make better, more trusted, keys, ones that are proof beyond your word.
But think of it like this:

You tell your friend that you email address is dan@mud.com
You create a key pair and upload the public part to a key server.
Your friend now sends you encrypted emails.
Somebody could indeed pretend to be you.
But you own mud.com, including dan@mud.com.
Those emails are going to your address, which you could host at home on your own server.

At this point in order to hijack that somebody must hijack an awful lot of stuff.
And we're talking about groups that, in essence, trawl the unencrypted 'net and coerce public sites into giving your information to them.
If you really want to have a private conversation, it appears to be pretty simple to have one.

A whatsapp like application that leveraged such a network would create such a volume a pretty-well-secured information that IMO it would be *too expensive* to intercept in any useful way.

The blocker to this I think is there's no button on a smartphone that sets it up for normal people.

Re:Very little utility here

[ceoyoyo]

Why bother with the key server? Just send him the key. Or post it on my web page at i.am.me.mud.com. The keyserver doesn't add anything.

A key server can do two things (IF you trust the server) that you might not be able to. It can verify the age of the key it's serving and the company running it can do things like check that I have a valid credit card number (I hear you can get someone else's for a few bucks these days).

Every step of the process is subject to man in the middle attacks plus strong-arming of the keyserver owners. If you're not worried about MITM a better solution is to just exchange a key pair every messaging session. That's more or less what https, WPA, and this app do, and it has the advantage that if the NSA gets hold of a private key somehow they can only decrypt one session, not all of them. If you ARE worried about MITM, or verifying someone's identity for other reasons, you need to exchange keys with them by some means that satisfies you. If that's a keyserver, great, but it's usually not really any better from a security standpoint than just downloading their key off their web page.

Interestingly, some of the messaging protocols do use encryption and transparent-to-the-user key exchanges. BBM, iMessage, probably others. I don't know if they use session keys or per-user keys, or how those keys are exchanged, but there are existing, popular messaging systems that don't even need a button to set things up.

Re:Very little utility here

[RoboJ1M]

True: http://www.whatsapp.com/faq/general/21864047

It's not so much about the key server, as I was musing that it there appears to be systems in place to have private email conversation that don't rely on manual processes or the service (email) or service provider (insert ISP here) themselves.

One problem that does spring to mind here is NAT'ing.
All phones (don't own an LTE one yet, maybe they're IPv6?) have an RFC1918 address, natted behind the ISP.
Unless magic is happening, or there's some knowledge I don't have, two phones can't connect to each other, not without a trusted 3rd party.
whatsapp may encrypt your communications, but what's actually happening is you're routing all your traffic through a single party who, if they wanted to, could divulge everything.

Could you handshake a set of keys that couldn't be compromised even though the entire conversation is being routed through your messaging app of choice's parent servers?
Is that analogous to an SSL handshake over the public internet?

Re: Very little utility here

Please do not post on this topic again until you have read at least a one pager on Off the Record messaging and perfect forward encryption.

Thank you for your cooperation.

Re:Very little utility here

[RockDoctor]

I just don't see that many legitimate uses.

How about a politician traveling to a less than friendly country?

The politician's actions may well be legitimate in his own country, but illegitimate in the country that they're visiting. Which make the politician a criminal. for a non-hysterical example, consider an American politician who goes to Germany to give a talk advocating the unreality of the Holocaust ; the politician may believe that the US's constitutional protection of free speech covers him, and he could carry on thinking that as the doors of the jail slam shut on his arse.

"Legitimacy" is a slippery concept, particularly once you get more than one jurisdiction involved. Try crossing the (unguarded) border between Scotland and England one day for further examples.

How to crack:

1. Send order to Google saying, "give us unrestricted read/write access to the persistent storage of all android devices. Oh, and you cannot tell anybody about it."
2. Download the contents of all devices, including the keys.
3. Install keylogger to capture any necessary passwords.
4. Profit!

Re:How to crack:

[X0563511]

You don't even need to do the whole device. Apps run as their own user, so all you need to do is grab files owned by that user.

The only way around this is for an app to use 'su' to escalate it's privileges, which requires a rooted device.

Re:How to crack:

[Lumpy]

5. hacked rom authors discover this, post the information to their forums.
6. news picks it up.
7. Public outrage until some teen star twat shakes her butt on stange...
8 Rinse
9 repeat.

Re:How to crack:

True, Miley's butt has mystical powers capable of calming a public outrage and uniting the menkind behind it!

Re:How to crack:

The only way around this is for an app to use 'su' to escalate it's privileges, which requires a rooted device.

Why not go full paranoid and imagine that some of the custom ROMs out there are from the NSA?

Re:How to crack:

[Jartan]

That's incorrect. On Android every app is a separate user. Only files stored in the "SD Card" area are visible to other apps. So in theory you need a root exploit to get at this data.

Re:How to crack:

[thoromyr]

no, no, they will need the entire file system just in case there was something else they needed. Once you've read government requests (I'm not talking the secret ones, just regular investigatory) the fishing expedition methodology employed quickly becomes apparent.

Re:How to crack:

[cool_arrow]

If you can own the baseband you can own it all: http://vimeo.com/25806106

Re:How to crack:

[X0563511]

That's what I just said?

Re:How to crack:

[briancox2]

My steps:

1. Opt out completely by first installing Cyanogen.

Re:How to crack:

[IamTheRealMike]

I think this speaks to the fact that post-Snowden, the game has entered a new stage.

Pre-Snowden the NSA or whoever would not have been willing to do such a thing, due to the very high likelyhood of detection. Yes, 99.9% of people aren't going to notice their phone doing something unexpected. But if you apply it to everyone because you want the ability to grep their communications for keywords a.k.a. selectors then you need all of it, all the time. There are over a billion Android activations now. Even 0.01% of users being tech savvy and using custom/modified ROMs or analyzing their phone more carefully would notice what's up, and then their secrecy (the most prized asset) is blown. Secrecy is a double edged sword, it protects them but also limits them. So - not feasible.

Unfortunately, post-Snowden, the intelligence agencies know two things. Firstly, their secrecy is blown. Everyone knows they spy on every person alive, all the time. Most of their secrets are now ex-secrets. There's nothing to defend anymore there. The second thing they know is that it seems people don't give a shit. There were no protests in the streets. There were no diplomatic repercussions. It went in front of Congress and got voted down. The UK didn't even get to have a vote, the government just went full Orwell and other than some angry newspaper columns jack shit happened. Time to invade Syria? Parliamentary recall. Journalists have their materials seized? Stay on vacation. Generally they learned, totalitarian surveillance ranks lower in the priority stack than whether to invade Syria or not.

The combination of these two things means they're going to get really aggressive now. Automatically MITM every SSL connection using a FISAd CA? Unthinkable before, too easily detected. Post-Snowden, why not, it's just another way to do what people already know about. Force Google to back door every Android? Why not! They already track peoples movements everywhere, including people who switch phones to try and avoid detection. They apparently have the ability to turn phones into bugs, even if they appear to be switched off. Automatic, global backdooring of every mobile device wouldn't surprise people.

In short I think we may have lost as much as we gained from Snowden's leaks. Sure, the veil of secrecy was torn down. But society failed to rise up. The secret police have won. Now they can do anything without fear, and there's literally nothing to stop them.

Re:How to crack:

Do the mass SSL interception and watch the rise of a new internet not so easily broken.

Re:How to crack:

Not if baseband's separated from application processor, you can't. Easily listening in on you's pretty scary by itself, though.

Re:How to crack:

Google's access to your phone is already root access. What part of your phone's hardware or memory is off-limits to Google?

You can't even keep them out, either. Try sniffing the traffic coming from your device sometime: it's in constant communication with the mothership.

Didn't we just talk about this?

Even below the obvious design flaws, you're still running on an untrusted, if not downright hostile, platform. The simple fact is that nothing is stopping Silent Circle from betraying you or Google from undermining their efforts.

Nothing is 3letter agencies resistent

They will hang you upside down or send pictures of your family until keys are revealed. Don't be people naive. They own you and the country.

Re:Nothing is 3letter agencies resistent

Pretty soon they will just be able to use Van Eck phreaking on your head and see all your thoughts anyway.

Re:Nothing is 3letter agencies resistent

[camperdave]

They will hang you upside down or send pictures of your family until keys are revealed.

Tell us the key or we'll make you look at your sister again!

Re:Nothing is 3letter agencies resistent

[ceoyoyo]

You can't reveal a key that deleted itself five minutes after you received the message. That's kind of the point.

You still can't control recipient devices

[Wrath0fb0b]

The "Burn Notice" feature lets the sender set a time for a text, video, voice recording or picture to be erased from the recipient's device.

No, it can't. The recipient could be using a tampered application that ignores the timeout directive. Or it could modify the JVM to lie to the executable about the time or refuse to fire timers. Or modify the JVM to write all the memory transactions to disk (or host) even after the application frees (or GCs) it. Or modify the screen rendering APIs to capture the rendering. Or attach with JDB over ADB and halt the executable while the plaintext is in memory and slurp it out. And, of course, there are apps in the store that will just take a video of the screen.

FWIW, I support the app and I believe the encryption-in-transit is a very worthwhile feature. But the "Burn Notice" is, from a security point of view, useless. If you trust the recipient with the plaintext, you trust the recipient with the plaintext, end of story. Anything else is DRM-esque attempts to put restrictions on a device that you do not own.

Re:You still can't control recipient devices

[X0563511]

AFAIK an app could execute binaries that it packages. They just execute within that user's context. It doesn't have to be done via the JVM.

Re:You still can't control recipient devices

[Yvanhoe]

Exactly. I can't understand why anyone in technical circle would not scream SCAM! at this claim to be NSA resistant.

Re:You still can't control recipient devices

"Three people can keep a secret if two of them are dead,"
                    -Benjamin Franklin

Re:You still can't control recipient devices

Oh, but you can put up a lot of barriers. The application can let its temporary message key require one level of decryption from a central time-aware server that periodically forgets its private keys. Now "central time-aware" sounds bad, so you use a series of secret keys distributed across a network, and just where the route ends up depends on the encrypted key. Now you need to infiltrate the whole network and keep _all_ servers from forgetting any keys. But they have limited storage each, so... To be resistant against single servers getting taken down, one can work with a bit (but not too much) of cryptographical redundancy.

Of course, once upstream is in the hands of the NSA, it is a question of time before the whole thing falls apart, but the falling apart will
a) be noticeable
b) not be fast enough to satisfy any particular eavesdropping request in time to get a hand on the message.

Of course, the way to go here is keyloggers etc. The way against that is dedicated devices not doing anything else, and not having enough storage capacity to do anything else.

If you are serious about this, you can do a lot that is not easy to bypass without physical access to the sending/receiving device.

Re:You still can't control recipient devices

[PointyShinyBurning]

You trust the recipient to use the software correctly so that it protects the plain text from anyone who might later take his device off him.

Re:You still can't control recipient devices

You guys screaming about the recipient being able to keep a copy of the message are looking at it from the mindset of a teenaged boy worried about the picture of your undersized junk you sent to your ex-gf being able to be forwarded to the whole school after she gets long boned by the captain of the football team, and dumps you.

Think about it from the POV of two people colluding together. If either gets caught, the other is safe(r)- as long as they set up timed self-destruct of messages. They have no reason to circumvent those controls. It's not perfect, but better than clear text and/or a central repository.

Re:You still can't control recipient devices

[girlintraining]

No, it can't. The recipient could be using a tampered application that ignores the timeout directive.

Now is probably a bad time to point out that all phones have the ability to have their firmware rewritten and software updated silently, and this functionality is enabled by, er... turning it on. Any data stored on a mobile phone is inherently, by design, enforced by hardware mandate... insecure.

You cannot secure a mobile phone anymore than you can build a bull pen using construction paper and string and expect it to hold an angry bull. Stop trying people. Fix the fucking hardware, then maybe all your "There's an app for that" nonsense might mean half a shit. And while we're at it... rapid frequency shifting spread spectrum technologies and mesh networking. Look it up. Put THAT in the phones. Then we'll see about telling the NSA how many different ways they can go fuck themselves.

Re:You still can't control recipient devices

all phones have the ability to have their firmware rewritten and software updated silently, and this functionality is enabled by, er... turning it on

[Citation (badly) needed]

Truthiness is strong with this one.

Re:You still can't control recipient devices

[zzsmirkzz]

If you don't trust the recipient, why would you send them encrypted messages? The point of this feature is to close the "I forgot to delete it" hole that exists and represents the "this message will self-destruct in xxx time" concept. Of course I understand you may be referring to the ISP installing or modifying the phone's software so as to get a copy of the plain-text and this is a valid, although unlikely, concern. The fix (and only fix) is to make sure the plain-text is also encrypted in some form so that only the true recipient can read/understand it. The stronger encryption protects it in transit, the weaker encryption protects it from those with access to the device.

Re:You still can't control recipient devices

I've always wondered what living under a rock is like. Would you be so kind to share your experience with me?

Re:You still can't control recipient devices

[cellocgw]

The "Burn Notice" feature lets the sender set a time for a text, video, voice recording or picture to be erased from the recipient's device.

No, it can't. The recipient could be using a tampered application that ignores the timeout directive

Ok, the solution is obvious: don't depend on recipient software to do the deletion. Rewrite the sending app so it sends ,instead of standard IP ones and zeroes, nanobot-bits which are preprogrammed to self-destruct after a set period of time. Being nanobot-bits, they can't be copied either, due to the Sokal Lemma modification to the Post-Hermaneutic Uncertainty Principle.

Re:You still can't control recipient devices

[cool_arrow]

google "baseband exploit" http://vimeo.com/25806106 Also, there is something called STK or simtoolkit ( a gsm standard protocol). Big business like banks can make deals with carriers to run apps securely with the sim card. It isn't used so much in the usa but the capability is there. The way the sim card gets programmed via specially formatted sms with the proper keys etc.

Re:You still can't control recipient devices

Interesting and scary, thanks, but pretty far from initial omgwe'redoomed claim, especially in relation to the article's subject. As long as access to apps processor memory space from baseband processor is not a rule, spooks aren't getting those messages from your phone.

PS: Buy chinese! They have lower incentives to leave backdoors for NSA. Also, the talk mentions GPL'd open source baseband solutions, who's up for a kickstarter?

Re:You still can't control recipient devices

You may trust the recipient, but recepient may currently have to enter the password one-handed - you know, on account of adversary sticking his other hand in a vice-grip and slowly turning the handle.

What most(all?) of software like this lacks is "under duress" option - like TrueCrypt's hidden volumes, for example - to make the software seemingly work, but alerting the other side in some way.

IOW, this is protection from generic "I have a feeling somebody out there might want to read my messages, so I don't want to leave logs", not a secure solution for someone who really might expect hostile party on the other end of conversation.

Re:You still can't control recipient devices

[JanneM]

Nobody said it'd be the user of the device that employs those circumvention methods.

Re:You still can't control recipient devices

[ceoyoyo]

The point is not to force the recipient to delete messages, it's to delete messages for the recipient. It's a convenience feature. You and I could send each other e-mail, exchanging one-time use public keys each time and dutifully deleting both the plain text and private keys as soon as we'd read the messages. OR, we could use this app, that does all that work for us.

Yes, if the person you're sending messages to is compromised you're screwed. But if he's merely imperfect, a timed auto-destruct prevents the bad guys from getting any old messages he forgot to burn after he's captured (i.e. stopped at a border or pulled over by a cop for not stopping long enough at a stop sign).

How do you securely remove on android ?

[Alain+Williams]

You might try overwriting the data, but that makes the assumption that a write is to the same place as the data was a second ago. Ext3 does not guarantee that and SD cards avoid it to ensure wear levelling. It is harder than you think.

Re:How do you securely remove on android ?

You don't commit unencrypted data to persistent storage and overwrite data in RAM before you remove references and allow the garbage collector to free it. No protection against the darn screenshots that Androids takes every other corner to fake responsiveness.

WTF, PRZ?

[Cajun+Hell]

TFA makes it sounds like the sender can make decisions about what the receiver's machine does. That is insane (and also impossible, or it's irresponsible to lead users to believe they'll get that). I hope I am misreading the claim.

If the receiver has that control, or if the sender gets to specify advisory info in the hopes that the receiver uses it, ok. If not, then I think one of the most respected programmers ever (PZ) has left the path of wisdom.

Re:WTF, PRZ?

[will_die]

No, you the receiver can make the decisions.

Software like this is old, even Microsoft sell software with similar options.

Instead of using the normal mail you have to you their software. Since the email only unencrypts in that software it can control how long it is kept, if you can forward it, if you can save it, etc. So unless you do screen captures if the sender only wants you to be able read it once that is all the software is going to allow you to do.

Re:WTF, PRZ?

[Khashishi]

It's possible that Silent Circle has been compromised by the NSA.

Re:WTF, PRZ?

[grumpy_old_grandpa]

Relax. What he's advocating is an expiry date for information. That's an old concept, already implemented in many systems and companies. If you work for a shop big enough to employ one or two in-house lawyers, chances are you are not allowed to keep your e-mail around indefinitely. In his 2009 book, "Delete: The Virtue of Forgetting in the Digital Age", Viktor Mayer-Schönberger concluded that an expiry date on data was the only feasible solution to the security and privacy nightmares we find ourselves in today.

Now, can this kind of system be circumvented? Well, but of course it can. However, just like ignoring the expiry date on food-stuff you buy, you would do so at your, and possibly other's, peril. Viewed as a recommendation from somebody with your best interests in mind (just like the pack of beef you buy at the supermarket), it is actually a very good idea.

Re:WTF, PRZ?

The Sender is making 'strong suggestions' to the Receiver's machine. If the Receiver's machine is behaving itself (a key assumption), it will obey the Sender's imperative. If the Receiver has modified his machine to subvert the request, however, the imperative can be ignored.

A key component of this is obviously making modification by a receiver to his machine difficult, but then we are back to the futility of DRM.

Re:WTF, PRZ?

[Cajun+Hell]

DRM

I didn't really want to use such profanity in the context of Phil Zimmerman, but I have to sadly admit: if the shoe fits...

Why not have the NSA rm -rf your messages for you

[BreakBad]

I randomly insert the string "Lindsey Lohan" into my text messages.

this does not decrease incarceration

[nimbius]

in rare cases NSA wiretaps reveal information about terrorist plots. in most cases of warrantless NSA spying however they do not. the purpose of NSA wiretaps is often used as a guilt generation and conviction assurance mechanism. Yet when it fails to produce any satisfactory outcomes, as this device would preclude it from doing so, the laws can and are frequently adjusted accordingly to suit the prosecutiorial entity. expect the installation or presence of this software to be acceptable grounds for the confiscation of your phone and further investigation of you and your property.

Re:this does not decrease incarceration

Fears of incarceration add up to [pull number from ass] 5% of privacy concerns. That's the reason that installation of privacy software won't ever be a red flag meaning "investigate me." Even the blandest whitebread law-abider worries about his credit card # being copied by someone when shopping.

Law Enforcement is an excellent example to use as an attacker, because in some cases they are so incredibly powerful. The have more resources than most opponents for making the attack, and they generally intend fairly extreme harm (usually they're not looking to kill you, though they might, but even a mere week of imprisonment would seen by most people as being a worse thing to happen to them, than having a few hundred dollars lost of fraud).

But the fact that LE (with NSA as being an upper bound) is used as the example, doesn't really tell anyone anything about the people who use or design software. Computers made some forms of overkill (e.g. huge keys) cheap, so if you've got an application where it's reasonably cheap to defend against NSA, you will probably use that same defense against all adversaries.

Re:this does not decrease incarceration

[houghi]

And even if they are unable to understand what you send (John has a large beard. I repeat: John has a large beard) they will be interested to see that there is a connection between you two.

Re:this does not decrease incarceration

[jbssm]

Well, not everyone lives in the USA so we don't really care about the part:

acceptable grounds for the confiscation of your phone and further investigation of you and your property.

It's still important for all of us outside to prevent NSA from snooping on us. I have a startup company - ok, it's not about a completely world changing idea, but imagine it was - what is to say that the NSA was not going to monitor our conversations, take the best of our idea and sell/distribute it to some entrepreneurial heavy players in the USA? The same goes about any new creation for industry.

These people that come here and say they don't see any problem in the NSA checking all their communications because they don't do anything wrong, are just some very dumb people that never had a great idea in their life, so they don't really see any problem in others to know everything they are working on.

now we just have to trust google

Now we just need to trust that the App store is hosting an uncompromised version of the app and that your phone has an uncompromised OS.

Re:now we just have to trust google

But Google's motto is "don't be evil" so obviously they would not do something like that, besides even if they did they would probably use Linux which makes it neat!

Re:now we just have to trust google

[camperdave]

But Google's figured out that they can just tack AND NOT($EvilBit) onto all of their outbound traffic, and they can be as evil as they wish while appearing all good and shiny.

Just Stop..

[SuperCharlie]

When the hardware, the software, and the transport medium are all compromised it is moronic to continue this "security" game.

Re:Just Stop..

[Princeofcups]

When the hardware, the software, and the transport medium are all compromised it is moronic to continue this "security" game.

Or encode your messages OUTSIDE of the technology. At one time codes and cyphers were used for secret correspondences before creation (writing on paper) and transmission (hand carried by courier), but of course that takes effort at both ends.

Not just Google.

And that devs didn't submit a compromised version of the app, and that the key escrow/exchange was not compromised on Silent Text's or ISP's level, and that the other side doesn't run a compromised version, intentionally or not.

Other than that, yeah, it's bulletproof.

How long before ...

[gstoddart]

Sadly, I'm forced to wonder how long before it will be illegal to do anything which would prevent the NSA from spying on you.

Because, after all, if you have nothing to hide you have nothing to fear.

Trust No One

[Lawrence_Bird]

It is closed source right? And even if it is not, you need to be able to build the binary from a vetted copy of the source and associated libraries.

Re:Trust No One

With a vetted compiler that was compiled on a vetted compiler ...........

Re:Trust No One

It's from Phil Zimmermann, so of course it's closed source. For someone who seems to understand security pretty well, he sure does lean on the "Trust me" line quite a lot.

Incoming...

NSA takedown on this small app companie in 3 2 1....

That or the owner of the company caught with 10 tons of cocaine while writing on the wall F... AMERICA with the blood of a child.

Re:Incoming...

Takedown? Don't be daft, a NSL (National Security Letter) ordering them to mod the app to CC all traffic (unencrypted) to us is more efficient..
If people are trying to hide it, we definitely want it (even more than we want everything anyway).

Best regards,
/NSA

Yocals

I think this gives a false sense of security. Sure it encrypts messages on my device. And helpfully auto deletes them after the expiry has passed. However, if the person you are worried about gaining access to the messages can silently coerce the transport company (in this case your mobile provider), to release the contents of messages they have stored, of what use it?

Yocal grunts who want to sift through your phone at a stop?

The host is compromised

Don't tell people you can provide security if the host is already compromised. With Google able to replace software on the device any time and authorities able to copy every bit by just plugging the device into their forensic system, there's no defense against remote or local attacks. You're giving people a false sense of security.

Can we get first time key exchange for email?

A positive step, but I'd like to simply have encryption for email. Currently Thunderbird supports SMIME, but the certificate authorities are not trust-worthy. Either they're US based, or in one case an Israel PO-Box number.

We just need a certificate authority that is genuinely independent of the Stasi, and issues certificates automatically per email. Many of them want ID information or claim to generate the key in the browser, but yet send a packet back to their own server with a big chunk of data which might contain enough info on the private key and ID info. Comodo I do not trust. That other free one, is clearly a trap.

If I could set Thunderbird to only trust *my* chosen certificate authority and it truely could be trusted, then S-MIME would be fine.

Really we need someone like Zimmerman (a trusted reputation), but not subject to US based sanctions and NSA surveillance/attack/coercion/bribe to set up such an authority and email clients like Thunderbird to generate the private key when you set up the email address in a nice friendly way.

Re:Can we get first time key exchange for email?

[cool_arrow]

You don't have to use a certificate authority with thunderbird. Any openPGP compatible software allows you to use a "web-of-trust" type model. no centralized authority.

Encryption is NOT MAGIC

[SirGarlon]

What people seem to fail to recognize about encryption is that it's not some kind of magic that makes the data perfectly "secure" forever. All it does is vastly increase the work factor for an attacker to read the data, because he first has to reconstruct the key.

Moore's law, GPU programming, and elastic clusters are radically lowering the costs of brute force attacks. An organization with the nigh-unlimited resources of the NSA is going to be able to crack your file a lot faster than J. Random Hacker. I imagine they have thousand-node GPU clusters. One cannot rule out the possibility that the NSA also has introduced or discovered shortcuts that weaken common crypto algorithms/implementations.

Not just your average Slashot poster, but Snowden himself seems to have fallen into the misconception that encryption is forever. Both China and Russia have access to the ciphertext of his full stash of documents. It is probably a matter of a few years, tops, before their best experts and supercomputers get their hands on the clear text.

The bottom line is, encryption can protect your data for a while, but the only way to protect it forever is to keep it from being intercepted.

Re:Encryption is NOT MAGIC

I disagree. If I send my travel plans to my son, that's none of the NSA's fucking business. If encryption can keep my travel plans secret from the NSA's wanna-be Putin till after I've done my travels then how does it matter?

I don't need encryption to protect something forever, I need it to protect me from an NSA General who wants to be Putin-of-the-USA. For that it only needs to protect me till the info becomes stale and of no value to General Alexander/Putin.

Re:Encryption is NOT MAGIC

Because when the place you visited becomes loosely associated with some sort of trouble ten or twenty years later, you're now at the top of the list of suspicious persons for having used encryption to hide the fact that you were there. Enjoy your sudden mandatory Caribbean vacation.

Re: Encryption is NOT MAGIC

Back in the day, we used to differentiate between what we called tactical security, and strategic security. You are again pointing out that tactical security is a lot easier to do.

Re:Encryption is NOT MAGIC

One. Time. Pad.

Provable perfect security. They can forge a message easier than crack one, and everybody who knows crypto knows it.

Re:Encryption is NOT MAGIC

[camperdave]

How can the NSA know that an encrypted piece of traffic is none of their business unless they decrypt it?

Re:Encryption is NOT MAGIC

[ceoyoyo]

That fact that we've adhered so closely to Moore's law makes encryption more secure. Someone in the early 80's, at the invention of RSA, could have accurately predicted how much it would cost today to break a message encrypted with a given key size. You could have picked your key size accordingly, including one that would make your message essentially impossible to decrypt at any time in your lifetime (or the lifetime of the Earth) using all the theoretical computing resources of the solar system.

In fact, more available computing power makes digital encryption MORE secure. Encryption is designed to be easier than decryption. However, in 1985, with limited computing power, I might choose to encrypt a message with a short key, offering low security, because encryption was not a trivial operation. Today I have much more computing power and I can use a much longer key without inconvenience. That longer key means it takes much, MUCH longer to decrypt my message using present day technology (or present day + X years technology) than it took to decrypt the 1985 message with 1985(+X) technology.

The danger to competent encryption comes from breakthroughs, either in hardware, such as quantum computing, or in algorithms. Not from just piling up more transistors. No, every Slashdotter's favourite solution (OMG, GPU!11!) doesn't count.

The idea of a secure phone app is laughable

[Marrow]

The only way to win is not to play.

Re:The idea of a secure phone app is laughable

[SuperCharlie]

Exactly. Either that, or realize that it is unsecure and treat it as such.

The NSA screwed themselves and everyone else

[Theovon]

We need an organization whose mandate is similar to the NSA. When the FBI, for instance, lawfully obtains evidence that gives them probable cause to get a warrant to invasively follow a chain of evidence, we need this information-gathering capability.

But the NSA over-stepped their bounds, broke the law, and betrayed all Americans and their allies. As a result, people are now more motivated to produce tools to evade organizations like the NSA. Because American citizens have the right to privacy, and they now have to go out of their way to get it, criminals are now gaining more sophisticated tools they can also use to evade the NSA. Looking at the other comments, the app mentioned in particular here isn't necessarily all that effective, but give it time. Pretty soon, you'll be able to put up an impenetrable wall around your data that the NSA can't break through.

The "problem" with this is that there are only two groups who will use these tools. Innocent privacy enthusiasts and criminals. The NSA will be unable to distinguish between them, essentially making rationally paranoid people targets of criminal investigations. And the NSA will be stupid about everyone else, seeing people NOT using encryption as low-hanging fruit, criminalizing countless innocent citizens merely in an effort to show that the NSA is catching *someone*, justifying their enormous budget. (In other words, they will make up criminals to justify their existance.)

If the NSA had obeyed the law, we wouldn't be in this mess, where it is inevitable that we can no longer spy on real criminals, probable cause or not.

Re:The NSA screwed themselves and everyone else

The "problem" with this is that there are only two groups who will use these tools. Innocent privacy enthusiasts and criminals. The NSA will be unable to distinguish between them, essentially making rationally paranoid people targets of criminal investigations. And the NSA will be stupid about everyone else, seeing people NOT using encryption as low-hanging fruit, criminalizing countless innocent citizens merely in an effort to show that the NSA is catching *someone*, justifying their enormous budget. (In other words, they will make up criminals to justify their existance.)

Exactly this - use of encryption for everyday communication has to become ubiquitous. As it is, anybody using encryption becomes a target on that basis alone. It's a shame there aren't any tech giants with the influence & market share to make this happen who aren't already damaged goods WRT privacy issues.

Legislation will surely prevent this though - if it starts to become a problem, there will be further laws banning/restricting strong encryption, or requiring that the keys have to be available if requested by the government, etc.

And it still does nothing about collection of metadata.

Re:The NSA screwed themselves and everyone else

[0111+1110]

We need an organization whose mandate is similar to the NSA.

For a second there I thought you were going to propose an anti-NSA organization: a government agency whose mandate and sole purpose is to protect Americans from NSA spying.

The "problem" with this is that there are only two groups who will use these tools. Innocent privacy enthusiasts and criminals. The NSA will be unable to distinguish between them

Are you implying that they can distinguish between them now? I don't think they particularly care. They are just building a database they can search, a private NSA Google.

Re:The NSA screwed themselves and everyone else

[Theovon]

We need an organization whose mandate is similar to the NSA.

For a second there I thought you were going to propose an anti-NSA organization: a government agency whose mandate and sole purpose is to protect Americans from NSA spying.

I feel dumb for not having thought of this. Mind you, protecting us from violations of our rights in general should be the job of the executive branch. The law is that we're not to be spied on without a clear chain of evidence constituting probable cause. The executive branch is supposed to enforce the law. Too bad they don't.

The "problem" with this is that there are only two groups who will use these tools. Innocent privacy enthusiasts and criminals. The NSA will be unable to distinguish between them

Are you implying that they can distinguish between them now? I don't think they particularly care. They are just building a database they can search, a private NSA Google.

True. And as someone who knows just enough about information retrieval to be dangerous, I can assure you that what they get out will be almost entirely garbage. Look up "precision" and "recall." It's like Heisenberg. If they increase precision, recall will plummet, and even real criminals won't be found. If they increase recall, their precision will be terrible, and they'll indict basically only innocent people.

Re:The NSA screwed themselves and everyone else

[ToddInSF]

Dueling massive federally funded organizations is not the answer to the problem of corrupt and unchecked federally funded mega organizations.

The solution is to build transparency and independent monitoring into such organizations, and if that can not be accomplished, to at least properly protect whistle-blowers who point out when said organizations show contempt for the general public and The Constitution.

The solution to statist tyranny is not to create more of it.

Re:The NSA screwed themselves and everyone else

[currently_awake]

Why would you want a second NSA? The problem is the USA has so many intelligence organizations, all competing with each other. So to get more funding they have to do more and worse spying and snooping. You want 1 external spying agency (CIA), one internal spying agency (FBI), and that's it. Any more than that and you have them playing games and fighting each other instead of doing their job.

Re:The NSA screwed themselves and everyone else

[Theovon]

Any more than that and you have them playing games and fighting each other instead of doing their job.

Isn't that what the Republicans and Democrats in congress already do?

Protecting the company ..

The subject says :

"which protects the company from law enforcement requests for the keys."

Actually no, it does not. Thats not the way the laws actually work. If you are company in the US making software, you are subject to a number of laws, and one of them is ( Pub. L. No. 103-414, 108 Stat. 4279, codified at 47 USC 1001-1010 ). You either start complying ( i.e. change your software so you can fulfill the requirements ) , or you cease to be a company in US.

Would a robust firewall help?

[Belteshazzar]

Does robust firewall software exist that can fully lock down a phone to only allow voice stuff over the radio and restrict data in/out to certain protocols and apps? Or by using a phone do you have to accept the fact that Google/Apple/Microsoft or your service provider have full access to your device at will?

Re:Would a robust firewall help?

Root your phone and install AFWall+. It's a ruleset builder for iptables which lets you select access to different network interfaces on a per app basis (white- or blacklist)

It is however no use against backdoors in kernel space or on the hardware level.

Want NSA Proof?

[Lumpy]

Then use a 1 time pad book and hand encrypt and decrypt your text messages. The NSA will never EVER decrypt your communications. Why has nobody made that simple app? a 1 time pad file that you pre-share out of band and then have it send and receive your text messages. Under Android this would be trivial.

Re:Want NSA Proof?

QR Code to share the book might be intresting.

Re:Want NSA Proof?

[Lumpy]

and also easy to do. but not automatic. if you had a flatfile you can automatically have the app auto increment the pad for every message sent to make it nearly invisible.

Then when you are to the last 10 it warns you to get a new PAD file.

you just have to be able to share the pad file out of band.

Re: Want NSA Proof?

A one-time pad could be something quite subtle. For example, a link to a YouTube video or some online jpeg file. Lots of ways to exchange a key that should fly under the radar...

Re: Want NSA Proof?

[ceoyoyo]

That's not a one-time pad. A one-time pad is random and shared securely. A link to a YouTube video is a form of encryption using a key generator. It's not random and, in this case, relies on obscurity.

A little safer than a computer in a hotel lobby

[Marrow]

Thats how I would treat any computer (or phone) that I did not install myself. And frankly, I think even the cpus might have backdoors now.

Re:A little safer than a computer in a hotel lobby

[cool_arrow]

Sandy bridge processors have those cool cell phones built right in. But that kill switch will only be used in the event that your wonderful computer is stolen :D http://www.tgdaily.com/opinion-features/53108-analysis-intel-to-introduce-processor-with-remote-kill-switch

not nsa proof at all

[dan_in_dublin]

even if the message is sent encrypted thus preventing attacks from the network under govt coercion.. which would be a step forward, does android let you do this ? technically it wouldnt be hard but is there a way to say to android that this type of sms should be opened with this application ?

however, security wise - the keys to decode the message and the messages are on the device. so when the app does to delete the message does it really delete ? probably not, the underlying os may well leave the message and just delete the filesystem reference. similarly for the keys. so if the device is confiscated, there's a good chance all the encrpyted messages can be recovered. also if the nsa dont run the app after confiscating the device then the app wont be able to delete its data store

with respect to the sender specifying how long the message can remain without being deleted. this depends on the receiving app honouring the 'delete after n days' part of the message. if the receiver installs a clone silent sms program which doesnt honour such requests they'll never get deleted. so the security offered to a sender is assured by the difficulty of creating a clone app. this difficulty depends on the effort silent message makes, if they dont explicitly engineer for that kind of security it will be trivial, if they do explictly engineer for that then it'll be medium difficulty. more than this cant be achieved with this architecture

Re:not nsa proof at all

with respect to the sender specifying how long the message can remain without being deleted. this depends on the receiving app honouring the 'delete after n days' part of the message. if the receiver installs a clone silent sms program which doesnt honour such requests they'll never get deleted. so the security offered to a sender is assured by the difficulty of creating a clone app. this difficulty depends on the effort silent message makes, if they dont explicitly engineer for that kind of security it will be trivial, if they do explictly engineer for that then it'll be medium difficulty. more than this cant be achieved with this architecture

If you don't trust the receiver of the message, none of this matters at all.

Re:not nsa proof at all

You are being too pessimistic. In a business setting, one will correspond with someone one trusts, not a criminal, and one is not always communicating with the same person. The purpose of these apps is to raise the bar and make the NSA's life more difficult. Deleting old messages ensure that the NSA cannot recover all emails many years later - they can only recover a much smaller set.

Re:WTF, PRZ? / private key weakness

[Aguazul2]

Also, what about the weakness that an update of the app (forced on them by NSA/etc) may send your private keys upstream. Like Mega they claim it is hands-off, but in reality there is a mechanism through which they could obtain the private key if pressured/blackmailed/waterboarded/whatever.

So the NSA can read it...

[bugs2squash]

Not that I'm a fan of that, but there are far worse regimes. The NSA, GCHQ etc. should each host secure email systems that of course they can read, but Bashar al Assad, Hosni Mubarak, Robert Mugabe etc. (in fact anyone other than the country that runs it) should be denied access, even if they are an ally. That way a dissident could pick a secure email service from a country they trust. It's not an option you have to use, but it would be an interesting option to have.

Demand Privacy Now

[SmaryJerry]

This is an amazing development. Honestly no one should be able to read your e-mail ever, even law enforcement, unless the recipient or owner of the e-mail is the one reporting a crime. The fact the government has had power over the post office for a long time and used the threat of mailbombs, anthrax, trafficking as an excuse to open it is no longer an excuse for law enforcement to be able to simply read anyone's digital message. Communication alone isn't going to harm anyone. Start going after people for actual crimes, not future crimes or misinterpreted e-mails. Everyone needs privacy and we need it now. There is no freedom in being monitored.

What exactly does this protect against?

[Minwee]

There are several complicated, high-tech computer forensics applications which can circumvent any type of message burning or self-destructing images. If you think that you can send a message to someone and prevent them or someone spying on them directly from keeping a copy, then you're doing it wrong.

Re:What exactly does this protect against?

[ceoyoyo]

Hight-tech computer forensics applications can't retrieve a copy of a message that was deleted long ago, along with it's decryption key. That's the point.

In other news

[slash.jit]

NSA has requested DMCA to shutdown SilentText service stating the service pose a threat to national security.

Metadata

[Hypotensive]

The metadata about who contacted who and when (arguably the most interesting thing to the security agencies) is still completely up for grabs.

WoW

[Dabido]

So it does what the mail service does in World of Warcraft. Deletes it after a time, even if unread.