Slashdot Mirror


Wired Profiles John Brooks, the Programmer Behind Ricochet

wabrandsma writes with this excerpt from Wired: John Brooks, who is just 22 and a self-taught coder who dropped out of school at 13, was always concerned about privacy and civil liberties. Four years ago he began work on a program for encrypted instant messaging that uses Tor hidden services for the protected transmission of communications. The program, which he dubbed Ricochet, began as a hobby. But by the time he finished, he had a full-fledged desktop client that was easy to use, offered anonymity and encryption, and even resolved the issue of metadata—the "to" and "from" headers and IP addresses spy agencies use to identify and track communications—long before the public was aware that the NSA was routinely collecting metadata in bulk for its spy programs. The only problem Brooks had with the program was that few people were interested in using it. Although he'd made Ricochet's code open source, Brooks never had it formally audited for security and did nothing to promote it, so few people even knew about it.

Then the Snowden leaks happened and metadata made headlines. Brooks realized he already had a solution that resolved a problem everyone else was suddenly scrambling to fix. Though ordinary encrypted email and instant messaging protect the contents of communications, metadata allows authorities to map relationships between communicants and subpoena service providers for subscriber information that can help unmask whistleblowers, journalists' sources and others.

49 comments

  1. American coder, not interested by Anonymous Coward · · Score: 2, Insightful

    Any software developer working in the United States on secure communications can too easily be compromised with an NSL. If you want your project to be trustworthy, not only does it need to be rigorously audited, but all developers and hosting should be based outside the US as well.

    1. Re:American coder, not interested by Anonymous Coward · · Score: 0, Insightful

      > If you want your project to be trustworthy, not only does it need to be rigorously audited, but all developers and hosting should be based outside the US as well.

      The OP is right and should be modded 5, Insightful.

    2. Re:American coder, not interested by FatdogHaiku · · Score: 3, Funny

      > The OP is right and should be modded 5, Insightful.

      Just as soon as we figure out who he is...

      --
      You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
    3. Re: American coder, not interested by Anonymous Coward · · Score: 0

      Right. Try working on the openbsd kernel from inside the US. I used to think this was just a commerce department Munitions Export Control Act issue and maybe Theo was being too paranoid in not accepting the waiver letter offered. Oh well.

  2. Why is this on my Slashdot? by Anonymous Coward · · Score: 0, Troll

    “John writes good code, so we’re not expecting a horror show,” Gray says.

    Golly. Good for John.

    1. Re:Why is this on my Slashdot? by tomhath · · Score: 1

      As far as he knows, his program is secure.

    2. Re:Why is this on my Slashdot? by Anonymous Coward · · Score: 0

      > As far as he knows, his program is secure.

      If only there was some way in which he could share the code, the human readable code that is the source for the machine code of his program, so that others could look for flaws. Such a pity.

    3. Re:Why is this on my Slashdot? by Anonymous Coward · · Score: 0

      I agree, but would also like to add that the Heartbleed circus showed us that we must also make sure that the actual code audit happens.

  3. Re:Awful Summary...as usual... by stefantalpalaru · · Score: 3, Informative

    That's a different project. This one is written in C++ and it uses Qt for the GUI: https://github.com/ricochet-im...

  4. Metadata by sexconker · · Score: 4, Insightful

    How exactly do you solve the problem of metadata on TCP/IP networks? Metadata is how these networks operate.

    Every packet has an origin that will be traceable to the source ISP. If you're on your own connection, you're fucked.
    If you're on your own connection and you VPN to some other connection it's just a matter of how much effort the powers that be want to waste tracking you down. Any schlub can run a Tor node, so you get nothing there. And of course, you have to initiate that connection from somewhere.

    The only way to truly hide is to use someone else's connection (without their knowledge), with a different spoofed MAC every time. Everything else is just obfuscation. We already know every fucking packet touching a major telecom is logged in the US, and we have damned good reason to believe it's true world-wide.

    1. Re:Metadata by ledow · · Score: 4, Interesting

      There isn't a solution to that. You have to talk to other points, and you have to do so from a connection you are on. That information, on ANY network in the world, is inevitable.

      The only thing you can do is obscure it as much as possible so that people can't tell WHAT you did over the connection, or WHAT you passed to those others. They will be able to know who they were, but unless you can introduce sufficient plausible deniability (with Tor, that's just by using random people as the next hop), you can't do anything about that.

      I don't think that's a problem we should waste time trying to solve. You aren't going to be able to obscure your endpoint's knowledge when 100% of the time someone is paying money for that endpoint to be connected to other endpoints. We do not have a darknet.

      But it's also not that big a deal. With proper encryption and enough fake / routing data running through your connection with that encryption (and PFS), it's meaningless. All that can happen is someone can say "you were online, and so was John". If that's enough to convict you, you have bigger problems than the protocol of the network you used.

    2. Re:Metadata by SuricouRaven · · Score: 1

      The MAC spoofing isn't important unless you believe the router is being monitored*. It doesn't go beyond the router. Segment only.

      *If you use any commercial wifi point, it probably is for legal reasons.

    3. Re:Metadata by Charliemopps · · Score: 1

      Solve isn't the best word... It's more like a good fix. As long as your encryption is good, it's secure. If the NSA has secret quantum computers or something you're doomed.

      The way tor works, there are 3 proxies you go through.
      Entry node
      Middle node
      Exit node

      The entry node knows who you are, but not what you want to do or what your exit node is. It sends your request to the middle node.
      The middle node knows your entry and exit nodes, but not your identity or where you want to go. It forwards what you want to do on to the exit node.
      The exit node knows your target but not who you are or what your entry node is.

      Because of that, no info from any combination of nodes will give you any information about you other than that you connected to TOR. To compromise the connection the attacker would have to either break 3 levels of encryption (not physically possible given current tech) or have control over all 3 nodes. If the NSA has broken Tor, this is likely how they've done it. Running their own nodes.

      This Chat seems to use that network and then use that sole bit of info it can get (that you are indeed connected) to send a request for a connect. If you accept, it uses the same onion framework to connect the 2 of you. There is metadata, but it's encrypted 3x (at least) and none of the connections have all of the keys.

      This is also why Tor is slow as hell.

      Anyone feel free to correct anything I erred on. This is not my specialty.

    4. Re:Metadata by Anonymous Coward · · Score: 2, Informative

      Keep in mind that there are two distinct use-cases for surveillance:

      1) An entity "encounters" your traffic on the wider internet and wants to track/trace it back to a physical person.

      2) An entity knows who and where you are and wants to know what you do on the wider internet.

      The way you work around these two cases are fundamentally different and require different tools.

      For example, a good VPN connection will help you defeat (2), assuming the entity is unable to escalate to monitoring your VPN. Think workplace, school or college monitoring of traffic.

      In contrast, a VPN doesn't help so much with (1) since all of the major players will track you back to the VPN exit point and then apply appropriate pressure to extract your real identity/location from the VPN provider. Not to mention the very real and prevalent cookie tracking practices: lodge cookie in browser while user is using VPN, then recover the cookie the next time the user is not using their VPN...join the dots.

    5. Re:Metadata by funny_smell · · Score: 3, Informative

      A possible solution, only practical for small messages, would be a merge of a public message board with encryption. You would be able to decrypt only the messages sent to you, among the hundreds that you would have to download - just to verify which ones you can decrypt.
      In such an environment there is no open metadata identifying "To" and "From." You encrypt the message to "To" and it is added to a group of messages.

      Of course there must be methods to limit the group sizes, and to allow you to find which group to access. Both don't seem to be that difficult.
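
Added example, not part of funny_smell's comment or the Slashdot thread: a sketch of the message-board idea described above, where the board holds only opaque blobs and each reader trial-decrypts every one of them. It assumes pairwise pre-shared secrets and uses a stdlib-only SHA-256 keystream with HMAC as a stand-in for a real public-key or AEAD scheme; all names, keys and messages are constructed.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN = 16, 32  # random nonce, HMAC-SHA256 tag


def _subkeys(key):
    # Separate encryption and MAC keys derived from one shared secret.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    # SHA-256 in counter mode: a stdlib-only stand-in, not a vetted cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    # Blob is nonce || ciphertext || tag; it carries no sender or recipient field.
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def try_open(key, blob):
    # Trial decryption: returns None when the tag does not verify under this key.
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, stream))


def fetch_mine(my_keys, board):
    # Download every blob in the group and keep only those one of my keys opens.
    found = []
    for blob in board:
        for key in my_keys:
            plain = try_open(key, blob)
            if plain is not None:
                found.append(plain)
                break
    return found


# Constructed sample: pairwise secrets (assumed pre-shared) and a shared board.
KEY_ALICE_BOB = hashlib.sha256(b"constructed alice-bob secret").digest()
KEY_CAROL_DAVE = hashlib.sha256(b"constructed carol-dave secret").digest()
BOARD = [seal(KEY_CAROL_DAVE, b"lunch at noon?"),
         seal(KEY_ALICE_BOB, b"meet at the usual place"),
         seal(KEY_CAROL_DAVE, b"running late")]

if __name__ == "__main__":
    print(fetch_mine([KEY_ALICE_BOB], BOARD))
```

The board operator still sees who uploads and who downloads, and blob length is visible, so the scheme removes the "To" and "From" fields from the stored data only.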

    6. Re:Metadata by Anonymous Coward · · Score: 0

      > If the NSA has broken Tor, this is likely how they've done it. Running their own nodes.

      PRISM-level metadata collection makes it possible to identify everyone on tor simply by watching the packet go from me to the entry node to the middle node to the exit node to the webserver. If they have the webserver's log that says the exit node posted whatever bit of sedition at x time, they simply have to play the packet log backwards to figure out the path the packet took through the onion.

      Works great on .onion sites too. It's almost certainly how they found the tormail server, and likely how they found the silk road server too (what captcha system includes the server's IP address anyway?). Once you find the participants, easy enough to tip off Ireland or your agent in Canada to mail a box of fake IDs to the mounties^WDread Pirate.

    7. Re:Metadata by K. S. Kyosuke · · Score: 1

      > There isn't a solution to that. You have to talk to other points, and you have to do so from a connection you are on. That information, on ANY network in the world, is inevitable.

      Hmm. Depending on the kind of traffic, and provided that public key encryption were used in a way similar to PGP, wouldn't a multi-hop transfer offer a solution? Provided that the level of traffic would be sufficient to scramble the time correlation of messages exchanged...

      --
      Ezekiel 23:20
    8. Re:Metadata by Anonymous Coward · · Score: 0

      Wrong. Dread Pirate was de-anonymized because his real-life postings outside of tor were correlated with his activity on Silk Road. That isn't doubted afaik, he was pretty naive.

      There was however a successful launch of many poison tor nodes by unknown person(s) not that long ago - see the tor project site for information. Tor was patched to prevent the particular exploit working in future but it points to the future.

      I haven't read that there is evidence of prism mapping a whole-of-internet view of tor circuits - yet. Do you have a link?

    9. Re:Metadata by Anonymous Coward · · Score: 0

      And tormail was found because Freedom Hosting, whose business was openly providing hosting for hidden sites on a no-questions-asked basis, was compromised by the FBI.

    10. Re:Metadata by Anonymous Coward · · Score: 0

      That's basically how TOR works.

    11. Re:Metadata by K. S. Kyosuke · · Score: 1

      Tor creates networks of trust by people physically sharing keys?

      --
      Ezekiel 23:20
    12. Re: Metadata by Anonymous Coward · · Score: 0

      Yes, for a loose definition of physically.

      They use Diffie-Hellman to approximate the security of physically exchanging a secret key.

  5. dropped out of school at 13 by Anonymous Coward · · Score: 0

    > John Brooks, who is just 22 and a self-taught coder who dropped out of school at 13

    Wow. That's nothing to be proud of. Here's hoping he goes back to finish up, and before he gets too old. Outside of book learning, there's a lot to be said for the social development one makes in high school and college.

    1. Re:dropped out of school at 13 by amiga3D · · Score: 2, Insightful

      Judging by the average high school graduate I don't think there really is all that much to be said for the social development potential of public schools.

    2. Re:dropped out of school at 13 by Anonymous Coward · · Score: 0

      Really? At 22 years old, he's going to go back to high school for "social development"? I'm not sure what being shut in all day with a bunch of teenagers is supposed to do for his social development.

    3. Re:dropped out of school at 13 by I'm New Around Here · · Score: 2

      He can score with the chicks who want to date someone old enough to buy beer.

      --
      If you think I voted for Trump because of this post, you're wrong. I voted for Dr. Jill Stein of the Green Party. Again.
    4. Re:dropped out of school at 13 by Anonymous Coward · · Score: 0

      He needs neither and the guy is obviously very smart when it comes to code which leads me to believe he's probably well educated in other subjects as well. People like that usually soak up just about everything they see. You don't need high school or college for social development you need friends and just because someone dropped out does not mean they fell off the face of the earth. Dropping out is generally bad, but there are exceptions to the rule when it comes to very smart people.

    5. Re:dropped out of school at 13 by Fjandr · · Score: 1

      I doubt he's going to get much out of the "social development" of middle and high school now that he's in his 20s. He's either got it by now, or he doesn't.

  6. Oh, that Ricochet... by gregthebunny · · Score: 2

    I thought maybe he was the guy behind the Half-Life mod Ricochet.

    1. Re:Oh, that Ricochet... by mr.gson · · Score: 1

      I thought maybe he was the guy behind Ricochet, but then I figured it probably wasn't created by a two year old...

    2. Re: Oh, that Ricochet... by Anonymous Coward · · Score: 0

      Here was me hoping for some information on the most anticipated sequels of all time... :(

    3. Re:Oh, that Ricochet... by Animats · · Score: 1

      Or the right wing social network..

      Or Ricochet wireless networks.

      Besides, most Tor exit nodes are monitored. Using Tor is like screaming "I'm hiding".

    4. Re:Oh, that Ricochet... by Anonymous Coward · · Score: 0

      > Besides, most Tor exit nodes are monitored.

      Evidence please. There's a lot of NSA/GCHQ shills here today.

    5. Re:Oh, that Ricochet... by Anonymous Coward · · Score: 0

      Me too.
      I've never heard of the other one, and I'm not sure how this isn't just running jabber over a TOR proxy.

  7. How'd he drop out of school? by Anonymous Coward · · Score: 2, Interesting

    How did dude drop out of school at age 13 when education is compulsory to age 16? I wish the story had explained that detail. What country is this dude a citizen of?

    1. Re:How'd he drop out of school? by Anonymous Coward · · Score: 0

      18 where I live.

    2. Re:How'd he drop out of school? by Anonymous Coward · · Score: 0

      Posting AC as I was modding comments earlier in this discussion.

      I don't know about his circumstances, but there are loopholes. First, someone has to notice. Moving and not registering can help obfuscate the issue. A lot of teenagers aren't in school for one reason or another. It's generally not legal, but that's not always particularly enforceable.

      There are also situations no one really knows what to do with. I entered the university at thirteen. At fifteen, my father stopped paying tuition and child support, and I moved out on my own (and as it happens into another district, though not really intentionally). So I wasn't really on anyone's radar, and what were they going to do, make me go to highschool? I was far more concerned with the important business of keeping myself fed and my rent paid.

      And then a bit before I turned seventeen, I sued my father, won back child support, paid to me, with interest, continuing college tuition, was granted most of the privileges of emancipation... and some serious catharsis. Seriously, probably saved myself years of therapy ;-) (And yeah, the whole situation is much more complicated, not to mention icky and sordid. But it had its moments.)

  8. What percent of the users are troublemakers? by Anonymous Coward · · Score: 0

    The evil people in the world would like to thank him for making it easier to get around communication issues.

    The civil libertarians have no answer on how to prevent criminals and evil people from using technology against us. Yet, they claim that the 'government' is the problem and present no solutions to the problem except for these programs that you never are sure about.

    1. Re:What percent of the users are troublemakers? by Fjandr · · Score: 1

      They have no answer because there is no answer when people are relatively free.

  9. Take care of potential troublemakers by Anonymous Coward · · Score: 1

    The good people in the world would like to thank him for making it easier to communicate freely and privately.

    The network logging spy machine itself has no answer on how to prevent criminals and evil people from using technology against us. They just want to do it themselves more easily.

    Enterprising misanthropes will always be able to find a way, no matter how thick PRISM and its ilk are laid on, to harm others. No matter what. You can't change that with any budget, or any quantity of draconian tactics. Motivated humans are too creative to be stopped entirely from pursuing particular goals effectively, unless all humans are stopped from pursuing independent goals effectively.

    Instead of launching witch hunts for dangerous misanthropes, let's instead address and ameliorate the conditions that cause violent misanthropy. Humans are dangerous primarily when their basic needs are unmet, especially related to essential financial and social well-being.

    The solution to terror and troublemaking is to provide a guaranteed basic income for _all_ people, and universal access to free speech and social media.

    In these conditions basic needs are met, and justice can be crowdsourced organically via free engagement with social media. No one would have essential reasons to harm others, and the economy would flourish as millions of creatives become free to find ways to contribute in any way that inspires them, and to focus on what they themselves believe would be most useful to themselves and others.

    The countries that do this will lead the world in happiness and economic measures in the coming decades, and likely centuries. They will not be sources of significant strife and terror. There is a growing trail of global evidence to support the effectiveness of these claims, as more and more areas run pilot or nationalized programs along these lines.

    Let's create this!

  10. Ricochet by YoungManKlaus · · Score: 1

    I was thinking about the epic ego platform shooter based on Goldsrc

  11. This is not the ricochet i was picturing by Anonymous Coward · · Score: 0

    ..

  12. Re:Awful Summary...as usual... by rolandw · · Score: 1

    Stefantalpalaru writes:

    > That's a different project. This one is written in C++ and it uses Qt for the GUI

    Which is why John is doing work for Jolla.

    Am looking forward to Ricochet appearing on my favourite, very open and secure, full featured smart phone.