Slashdot Mirror

← Back to Stories (view on slashdot.org)

Encrypted Social Network Vies For Disgruntled Facebook Users

Posted by timothy on from the network-effects-are-hard-to-handwave dept.

angry tapir writes "With the look of Google Plus and Facebook-like elements, a new social network named "Syme" feels as cozy as a well-worn shoe. But beneath the familiar veneer, it's quite different. Syme encrypts all content, such as status updates, photos and files, so that only people invited to a group can view it. Syme, which hosts the content on its Canada-based servers, says it can't read it. "The overarching goal of Syme is to make encryption accessible and easy to use for people who aren't geeks or aren't hackers or who aren't cryptography experts," co-founder Jonathan Hershon said in an interview about the service." See also Diaspora.

12 of 162 comments (clear)

  1. 1984 reference by Anonymous Coward · · Score: 5, Informative

    Syme—Winston's colleague at the Ministry of Truth, whom the Party "vaporised" because he remained a lucidly thinking intellectual. He was a lexicographer who developed the language and the dictionary of Newspeak, in the course of which he enjoyed destroying words, and wholeheartedly believed that Newspeak would replace Oldspeak (Standard English) by the year 2050. Although Syme's politically orthodox opinions aligned with Party doctrine, Winston noted that "He is too intelligent. He sees too clearly and speaks too plainly". After noting that Syme's name was deleted from the members list of the Chess Club, Winston infers he became an unperson who never had existed. Goldstein's book says that "Between the two branches of the Party there is a certain amount of interchange, but only so much as will ensure that weaklings are excluded from the Inner Party and that ambitious members of the Outer Party are made harmless by allowing them to rise." It is unknown whether Syme has been killed or promoted in the Inner Party in another province.

  2. Its reasonable! by Anonymous Coward · · Score: 5, Interesting

    I read the article expecting it to be crap, ignore meta-data etc. What I found however was a decent article discussing that the service used open source client side crypto libraries, and they even acknowledged the meta-data problem and how it makes their service not truly private. They also mentioned how its very unlikely to go big like facebook and it summed up with some reasonable example use cases. I haven't see such a non crap article in a long time!

  3. Re:Promises by TheDarkener · · Score: 4, Informative

    Except that they don't encrypt your data, you do. Probably would have helped to RTFA, huh bub? =p

    --
    It is pitch black. You are likely to be eaten by a grue.
  4. Re:Also by aliquis · · Score: 4, Informative

    They answered that themselves:
    https://getsyme.com/about

    So something like "not much, but at least we're trying."

  5. Re:Chrome only by swillden · · Score: 5, Interesting

    So it's a social network that "protects your data" ... and requires Google Chrome. :/

    Why am I skeptical?

    The extension should work just fine with Chromium, I would expect. And they said Firefox is in the works.

    Personally, I think the idea is an interesting one. In general, I think it's on the right track. The only way to get the masses to use encryption is to make it invisible. The flaws of SSL are well-known, but the fact is that in practice it mostly works really well, and it is used by basically everyone on the web. Making it invisible means that you have to embed key management seamlessly into the infrastructure, and making it have some hope of being secure means that it has to be pushed out to the endpoints -- including key management.

    On the right track, but this is a really, really hard problem to solve fully.

    One issue is that although the keys are generated in the browser plugins, they're obviously exchanged through the Syme server, putting it in an ideal position to completely subvert the claimed security. Making security both transparent and strong is hard.

    Another issue is portability. I can log into Google+ or Facebook from any computer. But if my browser is holding my keys, then I can only use my browser. If the keys are stored in the cloud, well, that's great for portability, but the keys then have to be secured from whoever is holding them.

    Still, I like to see initiatives like this. The only way hard problems get solved is by clever people trying.

    (Disclaimer: Since this post mentions Google+ and Chrome, I should probably mention that I'm a Google engineer, but I'm not speaking for Google.)

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  6. Re:So is it libre or not? by rudy_wayne · · Score: 4, Insightful

    A truly free social network would have no ads, no profit motive, no logs, no intrusion; just a way for people to share as much or as little with only those they wish to share with.

    Is there really no true libre social network, and if not, why not?

    Money.

    Facebook and Google don't do the things they do simply because they are evil. They do it because that;s how they get the money to pay for those giant buildings full of servers that they run, which provide the services you use.

    Maybe in the 24th century when The Federation is building starships, colonizing the galaxy and zooming around the universe, all without any apparent need for money, they can also build your "no ads, no profit motive" social network.

  7. Re:Promises by noh8rz10 · · Score: 4, Insightful

    well, if they're looking to woo disgruntled users, then slashdot is a great place to advertise!

  8. Re:So is it libre or not? by Toe,+The · · Score: 4, Insightful

    Yeah, I understand Economics 101. I also understand that Firefox, Linux, Wikipedia, Apache, PHP, etc. are not all about the money (thought money is tied to most of them extraneously; but not really at all to Wikipedia).

    There are these things called non-profits. A non-profit social network seems like a no-brainer, and I'm not sure why it doesn't exist; let alone rule them all.

    A non-profit social network could show ads... to people who felt like seeing them. Money gets made (enough to buy servers & connectivity), but the profit itself isn't the core motive. And the users are not product.

  9. Re:The nerve! by tftp · · Score: 4, Insightful

    you have no right to violate my privacy as i tell the world about everything in my entire life!

    The discussion here is about sharing within a controlled group.

  10. Crypto in Syme may be unsound by Animats · · Score: 4, Interesting

    I'm looking at the source to Syme's Google Chrome plug-in. While I'm not a crypto expert, I've found three things that seem to weaken the encryption.

    • In "crypto.js", lines 262-270: diffieHellman: function (privateKey, publicKey) {
      // Calculate the Diffie-Hellman shared key.
      return privateKey.dh(publicKey);
      // Strengthen the key by running through PBKDF2.
      //return this.deriveKey(symKey, salt);
      },
       Note the commented-out line for strengthening the key. That looks like something was done to weaken the key generation.
    • Syme uses the Stanford JavaScript crypto library, which has a crypo-grade random number generator. But it only works if you turn on its entropy collector before asking for random bits. Otherwise you just get a function of the current time, which is easy to guess. The enthropy collector is turned on by calling startCollectors(). There is no call to startCollectors() in the add-on.
    • There are two copies of the "sjcl" crypto library, one in "sjcl.jh" and one in "app.js". They may be different. One of them is dead code. Not clear which one.

    This is highly suspicious. This code needs a close look by a security expert before anyone trusts it.

    1. Re:Crypto in Syme may be unsound by Kjella · · Score: 5, Informative

      Note the commented-out line for strengthening the key. That looks like something was done to weaken the key generation.

      More like the commented out code was done by someone who doesn't understand crypto and replaced by someone who did. PBKDF2 has a single purpose and that is to make password recovery from a hash difficult, this looks like it is negotiating a session key where it would be totally pointless since it's not based on a password at all.

      To give you a very brief primer on PBKDF2:
      In the beginning, people stored passwords in plaintext. That was stupid so they started hashing them with for example MD5, so instead of storing $password they'd store md5( $password ). Of course since the same password would end up having the same MD5 sum in every system, leading to rainbow tables. To counter this you add a salt and store md5( $password + $salt ). However, short passwords are quite few so it was still possible to loop through all of them in a short amount of time. So someone thought hey, why don't we just MD5 it again many times and store md5(md5(....(md5(md5($password + $salt))...)). PBKDF2 is basically a system for this, where you pick the hash function and number of iterations. Now testing a single password takes much longer, which is feasible to do on a single login but takes far too long to recover the passwords from a hash table by looping through all of them. So it is useful, but only for this specific purpose.

      --
      Live today, because you never know what tomorrow brings
  11. Re:The nerve! by mellon · · Score: 4, Interesting

    It is impossible to control the dissemination of information that you make available to other people. But it is not impossible to make it expensive to crack an entire social network and feast on the gooey interior. Best is the enemy of good enough. Right now it is clearly the case that everything that happens on Facebook and Google is visible and mineable at least by Facebook and Google, and possibly by interested governments. A peer-to-peer social network makes that kind of data mining much more expensive.