Encrypted Social Network Vies For Disgruntled Facebook Users
angry tapir writes "With the look of Google Plus and Facebook-like elements, a new social network named "Syme" feels as cozy as a well-worn shoe. But beneath the familiar veneer, it's quite different. Syme encrypts all content, such as status updates, photos and files, so that only people invited to a group can view it. Syme, which hosts the content on its Canada-based servers, says it can't read it. "The overarching goal of Syme is to make encryption accessible and easy to use for people who aren't geeks or aren't hackers or who aren't cryptography experts," co-founder Jonathan Hershon said in an interview about the service." See also Diaspora.
Leave it to slashtards to take a story about a new social networking site and shoehorn in a Diaspora mention. "Oh hey, here's this neat new site to try and go up against Facebook, but TRY DIASPORA INSTEAD!" Face it, if Diaspora were going to catch on, it would have by now. As it stands, you're getting lumped in with Bing shouting "Please! Love me!" at anyone who will listen...
Syme—Winston's colleague at the Ministry of Truth, whom the Party "vaporised" because he remained a lucidly thinking intellectual. He was a lexicographer who developed the language and the dictionary of Newspeak, in the course of which he enjoyed destroying words, and wholeheartedly believed that Newspeak would replace Oldspeak (Standard English) by the year 2050. Although Syme's politically orthodox opinions aligned with Party doctrine, Winston noted that "He is too intelligent. He sees too clearly and speaks too plainly". After noting that Syme's name was deleted from the members list of the Chess Club, Winston infers he became an unperson who never had existed. Goldstein's book says that "Between the two branches of the Party there is a certain amount of interchange, but only so much as will ensure that weaklings are excluded from the Inner Party and that ambitious members of the Outer Party are made harmless by allowing them to rise." It is unknown whether Syme has been killed or promoted in the Inner Party in another province.
They encrypt all of your data and keep it secret. Until the day that they don't.
That's not the fatal flaw. If you generated a private key and people you friended got a copy of a public key... it could feasibly make it so they couldn't read it. That's fine.
The real problem with that site is that all of 4 people actually care about encrypted, so their market size is negligible. And those 4 people are basement dwellers anyways, so the advertisers don't care either. Expect them to struggle to monetize it and stay in business.
writes like an underpaid shill.
nuff said
I read the article expecting it to be crap, ignore meta-data etc. What I found however was a decent article discussing that the service used open source client side crypto libraries, and they even acknowledged the meta-data problem and how it makes their service not truly private. They also mentioned how it's very unlikely to go big like Facebook and it summed up with some reasonable example use cases. I haven't seen such a non crap article in a long time!
Except that they don't encrypt your data, you do. Probably would have helped to RTFA, huh bub? =p
It is pitch black. You are likely to be eaten by a grue.
The FAQ mentions that they intend to open the source, but of course opened source doesn't really necessarily imply libre. And in the interview they talk of a paid version. So, are there ads or not?
So what's the point of a different Facebook if it's not libre? Just a different way to sell yourself to advertisers (reminder: for Facebook, you are not the customer, you are the product).
A truly free social network would have no ads, no profit motive, no logs, no intrusion; just a way for people to share as much or as little with only those they wish to share with.
Is there really no true libre social network, and if not, why not? Do I need to start one, or is it already in the works?
How dare you spy on me as i post every detail of my life online!
Why... im going to encrypt everything! that'll show you! you have no right to violate my privacy as i tell the world about everything in my entire life!
I read the article, and all I could see is that when you join a group, you get the decryption key for that group - but from whom? If it is automatically done (i.e. Syme holds the key), then it is no more secure to snooping from agencies than any other service (well, except for the fact that it is based in Canada - ah, who am I kidding). What you would need is for the group/thread creator to send the decryption key directly to the collaborators - which basically means they already need a secure communication medium (sending it over unsecure email is just stupid). Which would then bring me to ask why not just use that medium?
So it's a social network that "protects your data" ... and requires Google Chrome. :/
Why am I skeptical?
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia
.. with more or less everything else broken into how secure should I really feel using it?
Can you mail it to me?
So, who wants odds on how long it'll take before this becomes a haven for pæderasts to swap kiddie porn? Anyone?
I'm guessing about six months..
Do my friends use it? No.
Will they use it? No.
Who will I be social with using this new social network? No one.
Because they will all be on Facebook using what works for them, where all their pictures are, where all their friends and family are and where they can access all this from their nifty mobile apps for their various mobile devices.
How it works and how its contents remain "private" and "secure":
You use it, but none of your friends do.
Exactly. Reminds me of the stuff about Dropbox telling everybody their stuff was encrypted, and that even employees of Dropbox couldn't read the files. But it turned out that it wasn't true, and that files weren't actually being encrypted with the user's password, but with a single master key that was in the hands of Dropbox.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
Try your local hardware store! At 10 pounds it's not cheap to mail. I've used a five-pounder, but it lacks the ineffable gravitas of its weightier counterpart.
So, who wants odds on how long it'll take before this becomes a haven for pæderasts to swap kiddie porn? Anyone?
I'm guessing about six months..
How could you tell? For that matter, would you want to tell?
Quick question: would you support banning CP if it resulted in more children getting molested?
I only ask because the best evidence we have indicates that it does. The website will change a legal framework that, despite the best intentions, promotes child abuse.
And this will not inconvenience the police in any way. If they have evidence of wrong-doing, they can get a "sneak and peek" warrant and install a bug on the suspect's computer.
This system only ensures that the police get judicial oversight, which they needed anyway.
If you aren't being charged for the product, you are the product.
This axiom has been true for a very long time and it's true for this site as well as any other such thing. How are they making money? I'm not objecting to their making money, after all they have to pay for their servers, bandwidth and admins and so on.
It's a fundamental question that you simply can't ignore and economics requires that you have to deal with it whether you want to or not. You can have sponsors that donate time and materials, you have generic ads, volunteers to a certain point, you can charge people for your service and so on.
The point is somehow or another you have to get money, and this site is claiming that they get money in ways that don't exploit your privacy. Since exploiting your privacy is how these sites normally pay your bills, this leaves serious questions on how they are monetizing their site.
I love the idea that a site can raise money without exploiting privacy in an evil manner, but before I can give them any credibility to their model I have to know their model works. I hate to rain on people's feel good parade, but you can't run a website on community goodwill, hugs and unicorn farts.
When I read the summary I immediately thought to myself that I have similar goals to these guys, in that I want to make cryptography easily accessible to a wide variety of users. I'm specifically focused on secure file transfer, and am in open beta. You guys can check it out at https://www.senderdefender.com/ and let me know what you think. Given how insecure cloud data is in general I suspect we will see a growing number of client side encrypted communication tools.
Matt
Oh! I thought it had to be yours.
Thanks for clarifying.
cheers from Canada.
Content remains scrambled as it traverses the Internet and is unreadable even to Syme, which stores the data on its servers. Co-founder Mullie authored a white paper describing Syme's use of a two-step, hybrid encryption system that is fast, secure and efficient.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
well, if they're looking to woo disgruntled users, then slashdot is a great place to advertise!
ravetree.com
similar idea
See also Diaspora.
Right, like that's going anywhere now? See also Libertree, which has no centralized servers, sneaky profiteers, or ulterior motives behind it. Go run a node/tree yourself!
A JavaScript-based browser extension encrypts content with a person's Web browser before it leaves the computer.
I can only imagine that this browser extension is supplied by Syme themselves. If they were ever served with government demands for some or all of their users' data, they would be compelled to comply. They would be able to comply by issuing an update to those users, and that update would then upload the encryption keys. That's probably why they even point out in the story that they aren't trying to protect you from government attacks - because no one can do that. There is no way. Even air gaps inside a secure facility won't save you - ask the Iranians how that worked out for them. The fundamental problem is that information is far easier to obtain than it is to prevent access to it. The point is that if information positively needs to remain secret, it must never leave your brain and it most certainly cannot be stored in any electronic form.
If you have information that you have told to anyone or have stored in any form outside your brain, you need to consider your options if that information were on the front page of a newspaper. Even just storing it in your brain isn't entirely secure, because you might be compelled to disclose that information, you might disclose it by accident or you might be tricked into disclosing it. You are likely not trained to withstand interrogation by a professional, and even if you are, the legal or physical consequences might not be worth it. You will never have a guarantee that anything you know will remain secret. You need to consider that kind of thing as cost versus risk, not as "how do I *ensure* the security of this information?" The easier road is to have no secrets.
Anything that works via a browser is automatically not secure. The same reasons that Tor is not secure apply to all other things that use a web browser. This service would be interesting if it weren't for the fact that it "supports the open web."
For the purposes of security, the "open web" is completely broken. The required change is far more radical than "we can do encrypted tweet-like communications with heavily insecure and NSA-breakable applications as the framework."
-nt-
Does Syme encrypt or do the users encrypt? Not a trivial distinction. Does Syme have access to the encryption keys?
If the girls don't use it, you'll never get the guys to use it.
If the content's viewable in a regular Web browser without needing special plug-ins, it's not encrypted. Oh, it might be encrypted on disk somewhere, but the server has the keys to decrypt it and will decrypt it and send it in the clear (modulo SSL, which Facebook and Google+ have too). Anyone who can compromise the server can get the keys and decrypt the data. Anyone who can snoop on the connection can view the data. Anything running on the user's computer can see the data. And anyone logging in as the user, say after having obtained their password through social engineering or compromising another service where the user used the same password, will get the data just like the user would've.
There is only one potentially-secure way to encrypt data: the data is encrypted on the user's computer before being sent to the server, and is never decrypted until it arrives at the recipient's computer. The keys to encrypt and decrypt data must never be stored on the server. Anything less and all the methods currently used to get at data on Facebook and Google+ can be used to get at the data on the new service.
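The model described in the comment above (encrypt on the sender's machine, decrypt only on the recipient's, no keys on the server), as an added example that is not part of the original thread and is not Syme's code. The function names, the X25519 + HKDF + AES-256-GCM choice and the in-memory "server" object are assumptions made for illustration, using only Node.js's built-in crypto module.

```javascript
// Added example: client-side hybrid encryption for a group (hypothetical names throughout).
const crypto = require("node:crypto");

// AES-256-GCM helpers: fresh 12-byte nonce per message, auth tag kept with the ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function open(key, box) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, box.iv);
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]); // throws on wrong key or tampering
}

// Derive a key-wrapping key from an X25519 exchange between two users.
function wrapKeyFor(myPrivate, theirPublic) {
  const shared = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(crypto.hkdfSync("sha256", shared, Buffer.alloc(0), "group-key-wrap", 32));
}

// Client side: the creator generates the group key and wraps it for each invited member.
function createGroup(creator, memberPublicKeys) {
  const groupKey = crypto.randomBytes(32);
  const wrapped = {};
  for (const [name, pub] of Object.entries(memberPublicKeys)) {
    wrapped[name] = seal(wrapKeyFor(creator.privateKey, pub), groupKey);
  }
  return { groupKey, wrapped }; // only `wrapped` is ever uploaded
}

// Client side: a member unwraps the group key using the creator's public key.
function joinGroup(member, creatorPublic, wrappedForMe) {
  return open(wrapKeyFor(member.privateKey, creatorPublic), wrappedForMe);
}

// Constructed demo: the "server" holds only wrapped keys and ciphertext.
function demo() {
  const alice = crypto.generateKeyPairSync("x25519");
  const bob = crypto.generateKeyPairSync("x25519");
  const mallory = crypto.generateKeyPairSync("x25519"); // never invited
  const { groupKey, wrapped } = createGroup(alice, { bob: bob.publicKey });
  const server = { wrapped, posts: [seal(groupKey, Buffer.from("status: hello group"))] };
  const bobKey = joinGroup(bob, alice.publicKey, server.wrapped.bob);
  const bobReads = open(bobKey, server.posts[0]).toString();
  let outsiderReads = null;
  try { outsiderReads = open(joinGroup(mallory, alice.publicKey, server.wrapped.bob), server.posts[0]); }
  catch (e) { outsiderReads = "rejected"; }
  const serverSeesPlaintext = server.posts[0].ct.includes("hello");
  return { bobReads, outsiderReads, serverSeesPlaintext };
}
console.log(demo());
```

The sketch assumes each member's public key is authentic; if the server hands out the public keys, or the code that runs this logic, the guarantee is only as strong as that delivery channel.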
NT
Depends only on whether those basement dwellers have the money and are willing to buy some virtual bling for their virtual pony farm.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Still not giving a damn about social networks. I've never registered to Facebook, myspace, twitter or whatever else before, the only one I "registered" to, is google+, because Youtube. Doesn't mean I use the service though.
So I see no need for more of these so called "social network" that seems to bring more dispute in my family than anything else. (From dumb cousin posting everything about anything to aunts/uncles going at war with each other online "in front" of everybody, instead of just using the phone or seeing each other in person)
This is nice and all, and I do wish more sites would do this (mega style ecmascript encryption) however it isn't foolproof; the server could be "ordered" to give you a page that steals your keys by the NSA or whoever else.
IMO a nice way to prevent that from happening in the future would be to add this as part of the W3C standards so that the browser can encrypt using native code. That way you never give your keys over for processing by any code that has been issued to you by a server, rather instead you simply hand over the data after it's encrypted. Though we'll need to add some kind of virtual environment, say for example a google docs style editor that runs in the browser, only it can edit your encrypted content without the possibility of any unencrypted data making its way back to the server.
This would of course take years to figure out, standardize, and then implement, but so does everything else.
Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
These people must really think we're all stupid. What the fuck does it matter if they encrypt everything when they hold all the keys and can still mine whatever data they want for whatever reasons they want? It's probably all total and utter bullshit, they probably rip you off and use your data even worse than Failbook does, and furthermore anyone who knowingly participates in so-called "social media" anymore is a total atavist and probably shouldn't be allowed to run around loose in the world or be allowed near a computer.
I guess I'll wait for the Firefox version.
I'm looking at the source to Syme's Google Chrome plug-in. While I'm not a crypto expert, I've found three things that seem to weaken the encryption.
return privateKey.dh(publicKey);
},
Note the commented-out line for strengthening the key. That looks like something was done to weaken the key generation.
This is highly suspicious. This code needs a close look by a security expert before anyone trusts it.
Silly Canadian AC is silly!
If it was his, we'd be talking *GRAMS*, not pounds!
[rimshot]
Thanks! I'll be here all week!
Don't forget to tip your hamburger, and try the waitresses!
Strat
You say "it turned out" as if that was only discovered later on, when in fact it was a well known thing from day one, or at least those of us who signed up on day one knew what was going on and the "revelation" was not a surprise.
Sounds like a good marketing strategy to me, considering the times and that people don't really understand cryptography as a general rule. The only one who sounds spooky is the one who is discouraging use of a theoretically more secure system in favor of those which are already known to be compromised (both ethically and technologically.)
Where is the comment I replied to, and why is it now under this one? /. commenting system is too confusing.
Too late for anyone to ever see this comment, but I've seen http://www.ravetree.com/ spamming job boards for a mobile developer. Too many players and not enough momentum behind any one play. Will a winner emerge?
Yeah, RaveTree, ready - fire - aim. You sort of need the mobile developer first, then launch, but whatever works.
It was done a while ago without even having to create a new social network: the browser extension is https://priv.ly. It encrypts the content you want before it is posted on ANY social network (or anywhere else on the Internet for that matter). Seems like that would be an easier thing to convince people to use than an entirely new network.
Except that they don't encrypt your data, you do. Probably would have helped to RTFA, huh bub? =p
I am not certain if their product is secure. After all, what they distribute are the keys for a group, or the algorithm to generate the keys. All one needs to do is join the group, and the entire group's communications will be in the clear.
I use that concept in software that I wrote. It has a header of four unsigned integers consisting of groupno,key1,key2,key3, where each field is an integer in the range 0..255.
Groupno selects a group from a previous randomly generated encryption keys.
Each individual group has 256 encryption keys (3DES) or key fragments(AES,other). It works by a) Select a group, b) select the first key, or fragment by indexing into the table to retrieve the encrypted 8 characters, do likewise with the 2nd key, and the 3rd key, and then from an divulged based table of fields, select the salt for cypher block chaining.
Yes, it is secure, no, it is not too too scalable (only 256 groups) However (256^4)*(!3) is the approximate number of individual combinations of possible encryption key combinations. Keep the group information confidential, and there you have it. You can always distribute the information as 60,36,24,35, or whatever. Is anything divulged?
Leslie Satenstein Montreal Quebec Canada