BitTorrent Unveils Secure Chat To Counter 'NSA Dragnet Surveillance'
Hugh Pickens DOT Com writes "Jacob Kastrenakes reports on The Verge that as part of a response to the NSA's wide-reaching surveillance programs, BitTorrent is unveiling a secure messaging service that will use public key encryption, forward secrecy, and a distributed hash table so that chats will be individually encrypted and won't be stored on some company's server. 'It's become increasingly clear that we need to devote hackathons, hours and resources to developing a messaging app that protects user privacy,' says Christian Averill, BitTorrent's director of communications. Because most current chat services rely on central servers to facilitate the exchange of messages, 'they're vulnerable: to hackers, to NSA dragnet surveillance sweeps.' BitTorrent chat aims to avoid those vulnerabilities through its encryption methods and decentralized infrastructure. Rather than checking in with one specific server, users of BitTorrent chat will collectively help each other figure out where to route messages to. In order to get started chatting, you'll just need to give someone else your public key — effectively your identifier. Exchanging public keys doesn't sound like the simplest way to begin a chat, but Averill says that BitTorrent hopes to make it easy enough for anyone interested. 'What we're going to do is to make sure there are options for how this is set up,' says Averill. 'This way it will appeal to the more privacy conscious consumer as well as the less technically inclined.' For now, it remains in a private testing phase that interested users can apply for access to. There's no word on when it'll be open to everyone, but with all of the recent surveillance revelations, it's easy to imagine that some people will be eager to get started."
"It's become increasingly clear that we need to devote hackathons, hours and resources to developing a messaging app that protects user privacy"
And it should also become quite obvious that you need to start vetting coders who are infiltrating projects on behalf of the government. That good old warped 80's tinfoil hat paranoia is the only thing that will save you anymore because it seems it was never wrong.
When the foot seeks the place of the head, the line is crossed. Know your place. Keep your place. Be a shoe.
If the public/private key pair is created at account creation, then people accustomed to everything being in the cloud will frequently forget to back up their private key (which isn't stored on any central server). A common occurrence will be "Hey Alice, it's Bob. I lost my private key so this is my new account now." Potentially, Bob is in jail and a fed is masquerading as him.
Also from my experience with DHT, it doesn't work unless you already know an IP running the protocol -- who you usually find through, yes, a centralized server. If that server were TOR-based it might work, but then that raises the question of what functionality is added by this protocol that a messaging program running thru TOR doesn't offer. Having Mixmaster-style message queueing in addition to onion routing would offer improved resistance to topology attacks as well. I'm referring to TOR's hidden services protocol, by the way, rather than the standard web proxy where an unencrypted message would be sent to a messaging server after several encrypted hops.
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
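The lost-key scenario raised in the comment above, as an added example (not part of the original thread and not BitTorrent's code): a chat client can pin each contact's public-key fingerprint on first use and refuse a replacement key until its fingerprint has been confirmed out of band. `PinStore`, the status strings and the sample keys are hypothetical and constructed for illustration.

```python
import hashlib
import hmac


def fingerprint(public_key: bytes) -> str:
    """SHA-256 of the raw public key, grouped so it can be read aloud."""
    digest = hashlib.sha256(public_key).hexdigest()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


class PinStore:
    """Trust-on-first-use pins: contact name -> public-key fingerprint."""

    def __init__(self):
        self._pins = {}

    def check(self, contact: str, public_key: bytes) -> str:
        seen = fingerprint(public_key)
        pinned = self._pins.get(contact)
        if pinned is None:
            self._pins[contact] = seen      # first contact: nothing to compare to
            return "pinned-first-use"
        if hmac.compare_digest(pinned, seen):
            return "ok"
        return "key-changed"                # hold messages until re-verified

    def accept_new_key(self, contact: str, public_key: bytes,
                       fingerprint_out_of_band: str) -> bool:
        """Re-pin only if the key matches a fingerprint obtained in person or by phone."""
        seen = fingerprint(public_key)
        if not hmac.compare_digest(seen, fingerprint_out_of_band):
            return False
        self._pins[contact] = seen
        return True


# Constructed sample keys (32 arbitrary bytes each), not real key material.
BOB_KEY_OLD = bytes.fromhex("11" * 32)
BOB_KEY_NEW = bytes.fromhex("22" * 32)
IMPOSTOR_KEY = bytes.fromhex("33" * 32)


def demo():
    store = PinStore()
    results = [store.check("bob", BOB_KEY_OLD),    # first use
               store.check("bob", BOB_KEY_OLD),    # same key again
               store.check("bob", IMPOSTOR_KEY)]   # "I lost my key" message
    bob_says = fingerprint(BOB_KEY_NEW)            # read out by Bob in person
    results.append(store.accept_new_key("bob", IMPOSTOR_KEY, bob_says))
    results.append(store.accept_new_key("bob", BOB_KEY_NEW, bob_says))
    results.append(store.check("bob", BOB_KEY_NEW))
    return results
```

The pin only detects a change; the out-of-band comparison is what distinguishes Bob's genuine new key from someone else's.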
How is this different from OTR?
OTR rides on top of underlying IM protocols (e.g. AIM, ICQ, XMPP, Yahoo Messenger, etc.) and encrypts the contents of communications. IM service providers can still shut down individual accounts, monitor who is accessing them, etc., even if they cannot read the contents of messages.
With BitTorrent Chat, the service takes advantage of the DHT (similar to "trackerless torrents" that don't have any single point of failure) to provide a decentralized, fault-tolerant means of exchanging data. There's no dependence on a single service -- all users would participate in the DHT, making it an extremely robust system.
If I read the description properly, it's similar to "OTR-over-DHT" but there are likely substantial differences in the details.
DHT is very reliable. Once a node has been connected a while and established links with many other nodes, traffic is quick and you have the redundancy of many 100s of connections.
Encrypting the data prior to transport and using DHT would be no worse off than TOR.
This explains it very simply.
You can exchange a piece of information without exposing the full picture to a 3rd party.
I use these services because I have nothing to hide and like our caring government.
Since I have nothing to hide, my caring government would be wasting resources trying to monitor and read my communication.
By making it impossible for them to do so, I'm saving them effort, time and money.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
http://www.wired.com/threatlevel/2012/08/wired_opinion_patrick_ball/all/ ... Any host-based system that delivers the encryption engine to you each time you log in, and in which your keys reside on the server, you are never secure against the host (there’s new research on this called “host-proof hosting,” but it’s a long way from being ready to use in real applications). That means that if the host attacks you, or they fail to protect themselves, your encrypted data will be available to them. Remember that the host might attack you because someone evil has taken control of the host. If you are the hypothetical dissident in the Middle East, your government might contract a hacker to break into the CryptoCat server, Hushmail, or other host-based server, and thereby get access to all your data. Or they could bribe an employee at a host-based service. Again: in host-based security, all your security rests on your personal trust for the people at the host, and their ability to protect the server. There’s no real security in a technical sense.
This means that in practice, CryptoCat is no more secure than Yahoo chat,