Slashdot Mirror


NSA-resistant Android App 'Burns' Sensitive Messages

angry tapir writes "Phil Zimmermann's Silent Circle, which halted its secure mail service shortly after Lavabit, has released a messaging application for Android devices that encrypts and securely erases messages and files. The application, called Silent Text, lets users specify a time period for which the receiver can view a message before it is erased. It also keeps the keys used to encrypt and decrypt content on the user's device, which protects the company from law enforcement requests for the keys." Seems similar to pieces of the Guardian Project.

13 of 183 comments

  1. How to crack: by Anonymous Coward · · Score: 4, Insightful

    1. Send order to Google saying, "give us unrestricted read/write access to the persistent storage of all android devices. Oh, and you cannot tell anybody about it."
    2. Download the contents of all devices, including the keys.
    3. Install keylogger to capture any necessary passwords.
    4. Profit!

  2. Re:Very little utility here by oodaloop · · Score: 4, Interesting

    The mobile provider would only have encrypted messages, and the only way to decrypt would be brute force or getting the keys on your device. I'm no expert though; I just read TFA.

    --
    Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
  3. You still can't control recipient devices by Wrath0fb0b · · Score: 5, Insightful

    The "Burn Notice" feature lets the sender set a time for a text, video, voice recording or picture to be erased from the recipient's device.

    No, it can't. The recipient could be using a tampered application that ignores the timeout directive. Or it could modify the JVM to lie to the executable about the time or refuse to fire timers. Or modify the JVM to write all the memory transactions to disk (or host) even after the application frees (or GCs) it. Or modify the screen rendering APIs to capture the rendering. Or attach with JDB over ADB and halt the executable while the plaintext is in memory and slurp it out. And, of course, there are apps in the store that will just take a video of the screen.

    FWIW, I support the app and I believe the encryption-in-transit is a very worthwhile feature. But the "Burn Notice" is, from a security point of view, useless. If you trust the recipient with the plaintext, you trust the recipient with the plaintext, end of story. Anything else is DRM-esque attempts to put restrictions on a device that you do not own.

  4. Just Stop.. by SuperCharlie · · Score: 4, Insightful

    When the hardware, the software, and the transport medium are all compromised it is moronic to continue this "security" game.

  5. Re:Very little utility here by GameboyRMH · · Score: 4, Informative

    Came here to say this. Without using shared secret encryption it either requires a (potentially coercible) central authority or is vulnerable to MITM attacks. And any kind of "time deletion" is only good for security on the receiver's device, not security of the message sent - the important thing to remember with computers is that if you can see it on your screen or hear it through your speakers, you can own it forever. No exceptions.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  6. Re:Very little utility here by RoboJ1M · · Score: 5, Interesting

    There's a button on my Ubuntu PC for creating private/public key pairs and uploading the public key to a ring of public key servers.
    Then, people can encrypt emails that only I can read because only I have the private key.
    I've always wondered why this isn't better integrated/more automatic when it comes to email systems (gmail?)

    Why not just leverage that type of mechanism?
    1) Install app
    2) it creates a key pair for your phone number
    3) It uploads the public key to one of these servers
    4) Anybody who texts you using a compatible app, it looks up your private key and encrypts the message only for you.

    Job done.

    If you can't fit the encrypted message in 120chars, it uploads the encrypted data to a 3rd party and all it sends is a message ID.
    Or it uses IP only (like imessage/whatsapp)
    Or it uses email as the bulk carrier
    All those IP messaging systems must use a 3rd party anyway as you're always NAT'ed behind a real IP address anyway on a mobile connection.
    I'm always on a 10.x.x.x address.

  7. The NSA screwed themselves and everyone else by Theovon · · Score: 4, Insightful

    We need an organization whose mandate is similar to the NSA. When the FBI, for instance, lawfully obtains evidence that gives them probable cause to get a warrant to invasively follow a chain of evidence, we need this information-gathering capability.

    But the NSA over-stepped their bounds, broke the law, and betrayed all Americans and their allies. As a result, people are now more motivated to produce tools to evade organizations like the NSA. Because American citizens have the right to privacy, and they now have to go out of their way to get it, criminals are now gaining more sophisticated tools they can also use to evade the NSA. Looking at the other comments, the app mentioned in particular here isn't necessarily all that effective, but give it time. Pretty soon, you'll be able to put up an impenetrable wall around your data that the NSA can't break through.

    The "problem" with this is that there are only two groups who will use these tools. Innocent privacy enthusiasts and criminals. The NSA will be unable to distinguish between them, essentially making rationally paranoid people targets of criminal investigations. And the NSA will be stupid about everyone else, seeing people NOT using encryption as low-hanging fruit, criminalizing countless innocent citizens merely in an effort to show that the NSA is catching *someone*, justifying their enormous budget. (In other words, they will make up criminals to justify their existence.)

    If the NSA had obeyed the law, we wouldn't be in this mess, where it is inevitable that we can no longer spy on real criminals, probable cause or not.

  8. Re:Very little utility here by MightyYar · · Score: 4, Insightful

    It isn't useless. A careful person could remove the keys every time they finish with the application. The application is simply a way to guarantee that your communication will not be intercepted, limiting what you need to worry about to the endpoints.

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
  9. Re:Very little utility here by LordLimecat · · Score: 5, Insightful
  10. Re:Very little utility here by pla · · Score: 5, Funny

    If only there were some sort of secure way of exchanging keys over an insecure medium...

    Saaay, someone should tell Phil Zimmermann about that - I'll bet he could really put it to some good use!

  11. Re:Very little utility here by Bill, Shooter of Bul · · Score: 4, Informative

    I'm not confident that the NSA hasn't already solved the discrete logarithm problem at the heart of that method.

    http://arstechnica.com/security/2013/08/crytpo-experts-issue-a-call-to-arms-to-avert-the-cryptopocalypse/

    Even if the security is perfect, I have a hard time understanding why people would need it. If you were discussing something that were merely private that you didn't want anyone to ever know you'd have to convince the other person to install the app as well. Hey Dave, I have a secret I would like to share with you, but only if you install this app... You have to be really paranoid, or have a really valuable secret to divulge. I just don't see that many legitimate uses.

    If you integrated it into android, where every text between two android users did the same thing, that would be valuable. So things would be secure and private by default.

    --
    Well.. maybe. Or Maybe not. But Definitely not sort of.
  12. Re:Very little utility here by vux984 · · Score: 4, Insightful

    1.) This is not true. You can design a mail system to store the private key on the client (html5 local storage).

    Until I have some sort of assurance that the key stored in local storage can't be sent up to the server by javascript, then this gets me nowhere.

    The NSA asks your mail service for the keys. The mail service says we don't have them... html5 local storage. NSA says ... add this line of javascript to your site. Next time I log in they have my key, and everyone else who accessed the site during that interval.

    And even if we build a whole new spec with a wall of protection around the key, so the javascript just sends the encrypted text in and gets the decrypted key out and never gets its hand on the keys only then will the key be safe.

    But any messages I access still are not. Because as long as I'm relying on javascript downloaded from the service to display the messages, I am vulnerable to that javascript being updated and sending that message back up to the server.

    The client cannot be provided on demand by the server to have a hope in hell of being safe. Really it needs to be 3rd party, open source, audited by more 3rd parties, and the binaries I install.. well I don't... I download the source and compile it myself after checking that the hashes match the original and the 3rd party auditors. And even then, I have to trust that the NSA didn't get to everyone and conspire to publish malicious source. So to be truly safe, I have to audit it myself.

    Real security from the likes of the NSA is HARD.

    3.) Not true. See 1. If you authenticate using a private key you only need the password to decrypt the key and no username anymore.

    True but you underestimate how little tolerance the average person has for passwords. An awful large number of people don't have login passwords to their computers and fewer still on their phones. And their mail passwords are remembered by the software so they don't have to enter them.

  13. Re:Very little utility here by K. S. Kyosuke · · Score: 5, Funny

    Saaay, someone should tell Phil Zimmermann about that - I'll bet he could really put it to some good use!

    I can imagine that the result would be some pretty good privacy for the ordinary user.

    --
    Ezekiel 23:20