Slashdot Mirror
Tor Is Building an Anonymous Instant Messenger
An anonymous reader writes in with news about a new anonymous instant messenger client on the way from Tor. "Forget the $16 billion romance between Facebook and WhatsApp. There's a new messaging tool worth watching. Tor, the team behind the world's leading online anonymity service, is developing a new anonymous instant messenger client, according to documents produced at the Tor 2014 Winter Developers Meeting in Reykjavik, Iceland."
Now I'll be able to communicate with some random, anonymous Internet person.
Slashdot is doomed.
"National Security is the chief cause of national insecurity." - Celine's First Law
yep that's the one. I wouldn't trust Tor network as an anonymity service for anything, let alone something I really wanted to keep secret.
That hides the content of your communication, but it still shows that you're communicating, and with whom. So the "metadata" that the NSA and/or FB are interested in is still available...
Ostensibly using TOR hides the fact that you're the one communicating, and who you're communicating with... (Whether that's still true in practice is another question...)
"Go to CNN [for a] spell-checked, fact-checked summary" -- CmdrTaco
If I want to keep something secret from the US, I'll just use ICQ, since it's owned by russians. Of course, the downside of using ICQ in 2014 is that my messages will stay too confidential for the purposes of communicating.
Tor? The 'dark net' who's largest nodes are run by the NSA doing traffic analysis? That Tor?
The one that brought down silkroad?
Nope wrong wrong and wrong.
Tor is has had about very few highly throttled node running on amazon cloud for a couple of weeks run by the NSA according to head TOR developer Jacob Applebaum at 30c3 about a month ago. Additionally the NSA's own documents released by Edward Snowden showed that the NSA can't break current TOR releases.
Secondly silkroad was brought down by Dread Pirate Roberts mixing his darknet identity and his clearnet identity by using the same email address and handles. Another break in the case was when a package with fake ID's was intercepted at a Canadian border check.
---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
Okay, first off, the nature of instant messaging is such that you can't truly have an anonymous system. After all, while "the network" may not know Alice, Bob, and Carole, the three of them must know each other and be able to distinguish between them...otherwise you've simply got ChatRoulette and the purpose of IM is largely moot.
Retroshare provides fully decentralized IM, pseudo-email, and file transfers. It's a wonderful tool in this regard. It solves the problem of $IM_SERVICE keeping a record of your chats, because there isn't one. It solves the problem of packet sniffing, because it's all PGP based and thus there is no such thing as an unencrypted packet that enters or leaves the software. It solves the problem of needing a server, because everyone is a peer. All of the things that this Tor program seems to solve, has already been solved, and then some. "Well then,why doesn't everyone use it?" Well, the nature of Retroshare makes it difficult to gain critical mass. You have to understand, at some level, how PGP works - instead of a 'friend request' with that person's actual name, you get to share public keys to 'add' them. This is fine and dandy, but opens up a few new problems. First, even cutting-and-pasting something the size of a PGP key and then reciprocating it to the other person is going to cause the eyes of most people to glaze over. Second, you'll need to exchange keys somehow; if you're e-mailing keys back and forth, most people would say "...so just e-mail the damn message". This is where the file sharing half comes into play, since users can trade files directly without having to do much else. However, with Dropbox/Gdrive/1Drive/etc making transfers stupid simple, the practical application for Retroshare in the eyes of Facebook Chat and Whatsapp users starts to wane significantly when put up against "use an already-functional communication medium to do a PGP exchange that will facilitate another communication medium." Bonus points for Retroshare being a smidge petulant when it comes to port forwarding, and not having a mobile version for any platform.
Conversely, we have IRC. it's ancient, and the UI of mIRC doesn't jive well with the Instagram crowd, but anyone with some semblance of tech skills can run an IRC server. Set that up with SSL and your communications are encrypted, with nothing more than a generic handle to identify you with. The problem is that you'll need someone who can set up such a protected server, and by definition, you have a single point of failure. IRC's other failure (which may apply to Retroshare as well) vs Tor is that IRC does involve IP addresses, so you'll still need a proxy of some kind (or Tor itself) to obfuscate that little nugget.
Tor routing communications through other users as a part of the protocol is the one problem it solves. Secure transmission of text-based messages has been solved pretty well already, "Anonymous IM" is an oxymoron based on the fact that IM in itself usually assumes a prior relationship of some kind between the two parties, and even if it didn't, each user will need *some* sort of unique identifier to ensure that Alice gets messages meant for her, Bob gets his, and Carole gets hers.
The real question, however, is why every user effectively engaged in P2P communication (like webchat, IM, or Skype), allows a man-in-the-middle attack to collect and process their personal data, when the ONLY useful aspect of the service is connecting the users together in the first place.
Apparently, because doing that is patented. No, really! Apple tried it with Facetime, and got sued by a troll*, VirnetX. Initially that's how Facetime worked, Apple's servers authenticated you and connecting you together, but then the 2 devices connected directly for the content of the video/call, not through Apple's servers. They lost a $368million verdict and they were forced to change it so everything has to get relayed through their servers.
*I don't know much else about the company, but in this case I call VirnetX a troll because a) they didn't invent it themselves, b) they don't practice the invention, and c) it's so fucking obvious even a Slashdot Anonymous Coward came up with it independently.
This is why I encrypt all my conversations and embed the message in the background noise of cat videos.
There are networks that protect against timing attacks, but the nature of the protection makes them unsuitable for IM or other near-realtime communication. Basically, they operate by having nodes send constant-size data blocks on a regular schedule regardless of how much data needs to be transmitted. This increases latency -- sometimes to hours or days -- and puts a cap on the amount of data the network can transfer. It also wastes bandwidth when the network is operating at less than full capacity, since blocks with random noise need to be transfered to keep lulls in activity from being visible.
"They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
No Navy intelligence wrote the original tor software they then open sourced it and gave it to the community. It is now run by the TOR project most of the members of which are regularly harassed and spied on by the US government. Jaccob Applebaum head developer had is flat broken into and computers tampered, another tor developer, Andrea Shepard, have had her computer she ordered via amazon "redirected" mid shipment to NSA facilities in Alexandria Virginia. TOR devs have been pressured by homeland and have told them to F*** off consistently. The there was the TORStinks ppt from the NSA that Ed Snowden releasedvshowing they cant crack TOR.
---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
yep that's the one. I wouldn't trust Tor network as an anonymity service for anything, let alone something I really wanted to keep secret.
Tor is solid, are you and the GP trying to deceive, or have you been decieved?
Would you like to know more? "How Covert Agents Infiltrate the Internet to Manipulate, Deceive, and Destroy Reputations"
https://firstlook.org/theinter...
More than anywhere else, this is not a problem geeks alone can solve. The perfect chat client is worthless if none of your friends use it. WhatsApp was huge because everyone used it - network effect.
So Tor - yes, definitely a good step. But you need a good client, ease-of-use is as important as cryptography, and details such as automatically finding your friends who also use it. Threema has a nice solution for that with their hashed address books.
So please look beyond the backend code.
Assorted stuff I do sometimes: Lemuria.org
You want security at the expense of usability? build layers!
A single system can be hacked, a single OS has bugs, a single app has backdoors, a single protocol has explots etc etc
Use LESS popular services in combination with layers of security. For instance; You can use the Tor Network to SSH into a proxy to tunnel chat with pidgin & OTR plugin. If you're even more paranoid assume your OS is already hacked, use some exotic image like Qubes, create temporary destructible VMs to carry information...there are options and many of them make basic functionality a nightmare.
If you really care that much about having your idle chitchat being "secure" you can always assume everything is being listened to. Good old fashion message encryption is probably much better than a special app.
I am quite happy there's more focus on security but let's be serious here, Tor is a target for snoops. they will find a way in because they already proved they can.
A 'singular oddity' is an event that cannot be explained and only happens when you are alone.
I wish I could mod you up to 1000.
Tor is solid.
The feds ability to connect the dots of people too dumb to cover their tracks != Tor insecurity.
>> Additionally the NSA's own documents released by Edward Snowden showed that the NSA can't break current TOR releases.
That was 2007.
Other things you couldn't do in 2007:
* Use an iPhone
* Use a Samsung Galaxy
* Use What's App
* Read anything except "this housing boom will go on forever!" in the news
In other words, that was forever ago.
Where is a more recent credible assessment of adversary capabilities specifically to the TOR network?
-- I was raised on the command line, bitch