Slashdot Mirror
Wired Profiles John Brooks, the Programmer Behind Ricochet
wabrandsma writes with this excerpt from Wired: John Brooks, who is just 22 and a self-taught coder who dropped out of school at 13, was always concerned about privacy and civil liberties. Four years ago he began work on a program for encrypted instant messaging that uses Tor hidden services for the protected transmission of communications. The program, which he dubbed Ricochet, began as a hobby. But by the time he finished, he had a full-fledged desktop client that was easy to use, offered anonymity and encryption, and even resolved the issue of metadata—the "to" and "from" headers and IP addresses spy agencies use to identify and track communications—long before the public was aware that the NSA was routinely collecting metadata in bulk for its spy programs. The only problem Brooks had with the program was that few people were interested in using it. Although he'd made Ricochet's code open source, Brooks never had it formally audited for security and did nothing to promote it, so few people even knew about it.
Then the Snowden leaks happened and metadata made headlines. Brooks realized he already had a solution that resolved a problem everyone else was suddenly scrambling to fix. Though ordinary encrypted email and instant messaging protect the contents of communications, metadata allows authorities to map relationships between communicants and subpoena service providers for subscriber information that can help unmask whistleblowers, journalists's sources and others.
Then the Snowden leaks happened and metadata made headlines. Brooks realized he already had a solution that resolved a problem everyone else was suddenly scrambling to fix. Though ordinary encrypted email and instant messaging protect the contents of communications, metadata allows authorities to map relationships between communicants and subpoena service providers for subscriber information that can help unmask whistleblowers, journalists's sources and others.
That's a different project. This one is written in C++ and it uses Qt for the GUI: https://github.com/ricochet-im...
Keep in mind that there are two distinct use-cases for surveillance:
1) An entity "encounters" your traffic on the wider internet and wants to track/trace it back to a physical person.
2) An entity knows who and where you are and wants to know what you do on the wider internet.
The way you work around these two cases are fundamentally different and require different tools.
For example, a good VPN connection will help you defeat (2), assuming the entity is unable to escalate to monitoring your VPN. Think workplace, school or college monitoring of traffic.
In contrast, a VPN doesn't help so much with (1) since all of the major players will track you back to the VPN exit point and then apply appropriate pressure to extract your real identity/location from the VPN provider. Not to mention the very real and prevalent cookie tracking practices: lodge cooking in browser while user is using VPN, then recover the cookie the next time the user is not using their VPN...join the dots.
A possible solution, only practical for small messages, would be a merge of a public message board with encryption. You would be able to decrypt only the messages sent to you, among the hundreds that you would have to download - just to verify which ones you can decrypt.
In such environment there is no open metadata identifying "To" and "From." You encrypt the message to "To" and it is added to a group of messages.
Of course there must be methods to limit the groups sizes, and to allow you to find which group to access. Both doesn't seems to be that difficult.