Encrypted Social Network Vies For Disgruntled Facebook Users
angry tapir writes "With the look of Google Plus and Facebook-like elements, a new social network named "Syme" feels as cozy as a well-worn shoe. But beneath the familiar veneer, it's quite different. Syme encrypts all content, such as status updates, photos and files, so that only people invited to a group can view it. Syme, which hosts the content on its Canada-based servers, says it can't read it. "The overarching goal of Syme is to make encryption accessible and easy to use for people who aren't geeks or aren't hackers or who aren't cryptography experts," co-founder Jonathan Hershon said in an interview about the service." See also Diaspora.
Syme—Winston's colleague at the Ministry of Truth, whom the Party "vaporised" because he remained a lucidly thinking intellectual. He was a lexicographer who developed the language and the dictionary of Newspeak, in the course of which he enjoyed destroying words, and wholeheartedly believed that Newspeak would replace Oldspeak (Standard English) by the year 2050. Although Syme's politically orthodox opinions aligned with Party doctrine, Winston noted that "He is too intelligent. He sees too clearly and speaks too plainly". After noting that Syme's name was deleted from the members list of the Chess Club, Winston infers he became an unperson who never had existed. Goldstein's book says that "Between the two branches of the Party there is a certain amount of interchange, but only so much as will ensure that weaklings are excluded from the Inner Party and that ambitious members of the Outer Party are made harmless by allowing them to rise." It is unknown whether Syme has been killed or promoted in the Inner Party in another province.
They encrypt all of your data and keep it secret. Until the day that they don't.
That's not the fatal flaw. If you generated a private key and people you friended got a copy of a public key... it could feasibly make it so they couldn't read it. That's fine.
The real problem with that site is that all of 4 people actually care about encrypted, so their market size is negligible. And those 4 people are basement dwellers anyways, so the advertisers don't care either. Expect them to struggle to monetize it and stay in business.
I read the article expecting it to be crap, ignore meta-data etc. What I found however was a decent article discussing that the service used open source client side crypto libraries, and they even acknowledged the meta-data problem and how it makes their service not truly private. They also mentioned how it's very unlikely to go big like Facebook and it summed up with some reasonable example use cases. I haven't seen such a non crap article in a long time!
Except that they don't encrypt your data, you do. Probably would have helped to RTFA, huh bub? =p
It is pitch black. You are likely to be eaten by a grue.
The FAQ mentions that they intend to open the source, but of course opened source doesn't really necessarily imply libre. And in the interview they talk of a paid version. So, are there ads or not?
So what's the point of a different Facebook if it's not libre? Just a different way to sell yourself to advertisers (reminder: for Facebook, you are not the customer, you are the product).
A truly free social network would have no ads, no profit motive, no logs, no intrusion; just a way for people to share as much or as little with only those they wish to share with.
Is there really no true libre social network, and if not, why not? Do I need to start one, or is it already in the works?
How dare you spy on me as I post every detail of my life online!
Why... I'm going to encrypt everything! That'll show you! You have no right to violate my privacy as I tell the world about everything in my entire life!
I read the article, and all I could see is that when you join a group, you get the decryption key for that group - but from whom? If it is automatically done (i.e. Syme holds the key), then it is no more secure to snooping from agencies than any other service (well, except for the fact that it is based in Canada - ah, who am I kidding). What you would need is the group/thread creator send the decryption key directly to the collaborators - which basically means they already need a secure communication medium (sending it over unsecure email is just stupid). Which would then bring me to ask why not just use that medium?
So it's a social network that "protects your data" ... and requires Google Chrome. :/
Why am I skeptical?
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia
.. with more or less everything else broken into how secure should I really feel using it?
How it works and how its contents remain "private" and "secure":
You use it, but none of your friends do.
Exactly. Reminds me of the stuff about Dropbox telling everybody their stuff was encrypted, and that even employees of Dropbox couldn't read the files. But it turned out that it wasn't true, and that files weren't actually being encrypted with the user's password, but with a single master key that was in the hands of Dropbox.
Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
So, who wants odds on how long it'll take before this becomes a haven for pæderasts to swap kiddie porn? Anyone?
I'm guessing about six months..
Fuck the children... not in that way though. This is why we can't have anything nice, there's always someone trying to save the kids.
So, who wants odds on how long it'll take before this becomes a haven for pæderasts to swap kiddie porn? Anyone?
I'm guessing about six months..
How could you tell? For that matter, would you want to tell?
Quick question: would you support banning CP if it resulted in more children getting molested?
I only ask because the best evidence we have indicates that it does. The website will change a legal framework that, despite the best intentions, promotes child abuse.
And this will not inconvenience the police in any way. If they have evidence of wrong-doing, they can get a "sneak and peek" warrant and install a bug on the suspect's computer.
This system only ensures that the police get judicial oversight, which they needed anyway.
If you aren't being charged for the product, you are the product.
This axiom has been true for a very long time and it's true for this site as well as any other such thing. How are they making money? I'm not objecting to their making money, after all they have to pay for their servers, bandwidth and admins and so on.
It's a fundamental question that you simply can't ignore and economics requires that you have to deal with it whether you want to or not. You can have sponsors that donate time and materials, you have generic ads, volunteers to a certain point, you can charge people for your service and so on.
The point is somehow or another you have to get money, and this site is claiming that they get money in ways that don't exploit your privacy. Since exploiting your privacy is how these sites normally pay your bills, this leaves serious questions on how they are monetizing their site.
I love the idea that a site can raise money without exploiting privacy in an evil manner, but before I can give them any credibility to their model I have to know their model works. I hate to rain on people's feel good parade, but you can't run a website on community goodwill, hugs and unicorn farts.
When I read the summary I immediately thought to myself that I have similar goals to these guys, in that I want to make cryptography easily accessible to a wide variety of users. I'm specifically focused on secure file transfer, and am in open beta. You guys can check it out at https://www.senderdefender.com/ and let me know what you think. Given how insecure cloud data is in general I suspect we will see a growing number of client side encrypted communication tools.
Matt
Oh! I thought it had to be yours.
Thanks for clarifying.
cheers from Canada.
Content remains scrambled as it traverses the Internet and is unreadable even to Syme, which stores the data on its servers. Co-founder Mullie authored a white paper describing Syme's use of a two-step, hybrid encryption system that is fast, secure and efficient.
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
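The "two-step, hybrid" idea quoted above, together with the earlier question of who hands a new member the group key, sketched as an added example (not Syme's code and not from any commenter). It assumes X25519, HKDF and AES-256-GCM from Node's built-in `crypto`; every function name here is hypothetical.

```javascript
const crypto = require('node:crypto');

// Symmetric step: AES-256-GCM with a fresh 96-bit nonce per message.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function open(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]); // throws on wrong key or tampering
}

// Asymmetric step: derive a key-wrapping key from an X25519 shared secret.
function wrapKeyFor(myPrivate, theirPublic) {
  const shared = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'group-key-wrap', 32));
}

// The inviter wraps the group key on their own machine; the server only relays the result.
function invite(inviter, inviteePublic, groupKey) {
  return seal(wrapKeyFor(inviter.privateKey, inviteePublic), groupKey);
}
function acceptInvite(invitee, inviterPublic, wrapped) {
  return open(wrapKeyFor(invitee.privateKey, inviterPublic), wrapped);
}

function demo() {
  const alice = crypto.generateKeyPairSync('x25519');
  const bob = crypto.generateKeyPairSync('x25519');
  const outsider = crypto.generateKeyPairSync('x25519'); // anyone who was not invited
  const groupKey = crypto.randomBytes(32);                // never leaves member machines
  const post = seal(groupKey, Buffer.from('constructed status update'));
  const wrapped = invite(alice, bob.publicKey, groupKey); // server stores post + wrapped
  const read = open(acceptInvite(bob, alice.publicKey, wrapped), post).toString();
  let outsiderFailed = false;
  try { acceptInvite(outsider, alice.publicKey, wrapped); } catch { outsiderFailed = true; }
  return { read, outsiderFailed };
}
```

The server in this sketch never holds `groupKey`, but the scheme is only as good as the authenticity of `bob.publicKey`: if the same server is the directory for public keys, members need an out-of-band fingerprint check to detect a substituted key.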
well, if they're looking to woo disgruntled users, then slashdot is a great place to advertise!
See also Diaspora.
Right, like that's going anywhere now? See also Libertree, which has no centralized servers, sneaky profiteers, or ulterior motives behind it. Go run a node/tree yourself!
Anything that works via a browser is automatically not secure. The same reasons that Tor is not secure apply to all other things that use a web browser. This service would be interesting if it weren't for the fact that it "supports the open web."
For the purposes of security, the "open web" is completely broken. The required change is far more radical than "we can do encrypted tweet-like communications with heavily insecure and NSA-breakable applications as the framework."
My problem with all these encrypted networks is that they are all immediately taken over not by whistleblowers and political dissidents, or plain folk wanting privacy, but people I strongly don't want to be around.
Help stamp out iliturcy.
If the content's viewable in a regular Web browser without needing special plug-ins, it's not encrypted. Oh, it might be encrypted on disk somewhere, but the server has the keys to decrypt it and will decrypt it and send it in the clear (modulo SSL, which Facebook and Google+ have too). Anyone who can compromise the server can get the keys and decrypt the data. Anyone who can snoop on the connection can view the data. Anything running on the user's computer can see the data. And anyone logging in as the user, say after having obtained their password through social engineering or compromising another service where the user used the same password, will get the data just like the user would've.
There is only one potentially-secure way to encrypt data: the data is encrypted on the user's computer before being sent to the server, and is never decrypted until it arrives at the recipient's computer. The keys to encrypt and decrypt data must never be stored on the server. Anything less and all the methods currently used to get at data on Facebook and Google+ can be used to get at the data on the new service.
Relevant: https://www.youtube.com/watch?v=CQSRPMFDTSs
You're right, but personally I'm switching anyways. I'd been meaning to get rid of my FB account anyways - the only reason I still have it is that some people absolutely refuse to communicate by other methods. But part of getting people to finally switch is letting them know that you (by which I mean anyone, obviously) can't be contacted through Facebook. I'm also sick that I'm promoting the continued use of their system by creating content for them. Everything I post that gets a few likes is basically encouraging people to keep using Facebook. Stop doing it.
+1 for this. Although that's not to say we shouldn't implement what can be done, but the real solution for this problem is at the social and political level rather than technological. No matter how neat a technological solution it can always be broken down through laws, bribes, threats and violence, and when the state itself does this, there's not much you can do through technology alone.
Depends only on whether those basement dwellers have the money and are willing to buy some virtual bling for their virtual pony farm.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Depends on what type of guys you're talking about. Usenet was (and is?) overwhelmingly male dominated.
So what? The threat from pedos is insignificant compared to the threat from politicians.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
This is nice and all, and I do wish more sites would do this (mega style ecmascript encryption) however it isn't foolproof; the server could be "ordered" to give you a page that steals your keys by the NSA or whoever else.
IMO a nice way to prevent that from happening in the future would be to add this as part of the W3C standards so that the browser can encrypt using native code. That way you never give your keys over for processing by any code that has been issued to you by a server, rather instead you simply hand over the data after it's encrypted. Though we'll need to add some kind of virtual environment, say for example a Google Docs style editor that runs in the browser, only it can edit your encrypted content without the possibility of any unencrypted data making its way back to the server.
This would of course take years to figure out, standardize, and then implement, but so does everything else.
Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
I guess I'll wait for the Firefox version.
Big brother is probably a pedo if he wants to see everything from a 12 year old girl, but at any rate he's a really sick pervy peeping tom.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
I'm looking at the source to Syme's Google Chrome plug-in. While I'm not a crypto expert, I've found three things that seem to weaken the encryption.
return privateKey.dh(publicKey);
},
Note the commented-out line for strengthening the key. That looks like something was done to weaken the key generation.
This is highly suspicious. This code needs a close look by a security expert before anyone trusts it.
You say "it turned out" as if that was only discovered later on, when in fact it was a well known thing from day one, or at least those of us who signed up on day one knew what was going on and the "revelation" was not a surprise.
This is an attitude I wish more people would understand; Big Brother vs. Criminals ... I'll take criminals.
- Michael T. Babcock (Yes, I blog)
Harmless eccentrics? Hardly. It's a matter of magnitude, though. I don't think either is something positive, but given that it seems I only get to side with a police state or pedos, I can only side with the lesser evil.
Hey, I didn't start with the black and white game. I just know how to play it...
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Except that they don't encrypt your data, you do. Probably would have helped to RTFA, huh bub? =p
I am not certain if their product is secure. After all, what they distribute are the keys for a group, or the algorithm to generate the keys. All one needs to do is join the group, and the entire group's communications will be in the clear.
I use that concept in software that I wrote. It has a header of four unsigned integers consisting of groupno,key1,key2,key3, where each field is an integer in the range 0..255.
Groupno selects a group from a previous randomly generated encryption keys.
Each individual group has 256 encryption keys (3DES) or key fragments(AES,other). It works by a) Select a group, b) select the first key, or fragment by indexing into the table to retrieve the encrypted 8 characters, do likewise with the 2nd key, and the 3rd key, and then from an divulged based table of fields, select the salt for cypher block chaining.
Yes, it is secure, no, it is not too too scalable (only 256 groups) However (256^4)*(!3) is the approximate number of individual combinations of possible encryption key combinations. Keep the group information confidential, and there you have it. You can always distribute the information as 60,36,24,35, or whatever. Is anything divulged?
Leslie Satenstein Montreal Quebec Canada