Is Surespot the Latest Crypto War Victim?

George Maschke writes: Patrick G. Eddington writes in a Christian Science Monitor op-ed about indications that the government may be snooping on users of Surespot, a free and open source encrypted messaging app for Android and iOS. Such users include, but are hardly limited to, Islamic State militants. He writes in the piece: "Has encrypted chat service Surespot been compromised by the US government? Surespot user and former Army intelligence officer George Maschke recently published a provocative theory suggesting the answer is yes. Mr. Maschke’s key pieces of evidence are intriguing. In May 2014, he e-mailed 2Fours LLC, which is Surespot’s parent company, asking whether the company had ever received a National Security Letter (NSL), a court order to provide information, or other government request to cooperate in an investigation. He was assured in writing that 2Fours had received no such requests. That changed in November 2014, when Surespot’s founder, Adam Patacchiola, told Maschke via e-mail that 'we have received an e-mail asking us how to submit a subpoena to us which we haven’t received yet.'"

it's all compromised

[turkeydance]

and we act accordingly.

Re:it's all compromised

[bill_mcgonigle]

?OTRv2?

Re:Military whistleblowers?

ignorance is bliss

Encrypted messaging app

[fustakrakich]

What a waste! The only thing even close to being secure are the Sunday classifieds and the Hollywood tabloids... Like they say, just broadcast it wide open, nobody will see it.

Proven by the Lavabit case

If they're still in business, they're compromised:

http://www.theguardian.com/commentisfree/2014/may/20/why-did-lavabit-shut-down-snowden-email

And then?

[wonkey_monkey]

If you're going to end your summary with something that happened in November 2014, you could at least hint that there are further developments to be read about in the article, even if you can't be bothered to copy-and-paste those into the summary itself.

TL;DR: no-one at Surespot is answering questions about whether or not they've had any Gubmint interference, and someone who used to work there, but doesn't any more, won't talk to anyone about it either.

Re:And then?

[Prien715]

So about a year or so ago when I was working for a company that doesn't comment on requests, I had the process explained to me.

Essentially, it's illegal to say that you have received a request -- which is something you learn when you get a request. If you haven't had a request however, there is nothing illegal about saying it hasn't happened to you. He'd suggested saying something like "We haven't received any requests this month" to alert people.

After all the BS is said and done, there's a very high likelihood they have received a request based on inability to confirm or deny. And once you get one, there's always more where that came from.

Re:And then?

I wonder if they could get away with this:

"We have received no requests which we are not allowed to talk about."

"We have received secret requests to spy on fewer than two of our users."

"We have received secret requests to spy on fewer than three of our users."

"We may or may not have received a request to spy on all of our users."

In all cases they're not actually saying that they've received any requests, as the number could be zero and all of those statements would be true. One would have to assume that they're making the statements in this way to communicate that information, but as long as they never say that, then it is merely an assumption that may not be true. For all anyone would know, the number is zero and they're just making these statements to get everyone even more upset about government surveilance.

serving subpoenas on an Internet company?

[swschrad]

hey, just tape it to the side of your computer. it'll get there if it's supposed to. trust me.

Re:serving subpoenas on an Internet company?

[R3d+M3rcury]

I gotta admit, I thought that was funny...

'we have received an e-mail asking us how to submit a subpoena to us which we haven’t received yet.

"Oh...you want to subpoena me and you don't know where to send it? Sure, I'll help. My address is 1600 Pennsylvania Avenue, Washington DC..."

They're an intelligence agency and they don't know where to send the subpoena?

Silent Alarm

[Guy+From+V]

Ironic warrant canary is ironic.

And it'd be on everyone

And if they are, wanna bet they're snooping on everyone? like with Lavabit. It's not just "we want to snoop on just these people who we think are a threat". It's "we want everyone".

Re:And it'd be on everyone

And if they are, wanna bet they're snooping on everyone? like with Lavabit. It's not just "we want to snoop on just these people who we think are a threat". It's "we want everyone".

It's only terorists like that iran leader

i'm voting for jeb to keep us safe

Endorsed

[penguinoid]

Surespot, a free and open source encrypted messaging app for Android and iOS. Such users include, but are hardly limited to, Islamic State militants.

Endorsed by people who trust it with their lives.

Surespot was compromised from the start.

The company was started by the NSA. There was never a need to breach them.

Keep your secrets off the internet

[Moof123]

No exceptions.

The really important stuff should be kept among confidants, and discussed as little as is necessary.

Important records can still be kept in hard copy if you really need to write stuff down.

Assume everything you say may be taken out of context and without including your sarcastic tone.

Re:Military whistleblowers?

[jargonburn]

I do not think "protect our freedoms" means what you think it means...

Re:Military whistleblowers?

[jthill]

That's what they're doing.

Psychological warfare

Or maybe the opposite is true... maybe Surespot is secure.. .thus an attempt to discredit it.

This is the world of "intelligence". Until people wise up their is nothing "intelligent" about the current path of spening billions destroying data security rather than creating it.. we'll get our wish of insecure systems. Not a single computer with commodity components on the Internet today is safe because of these attitudes. Wish I could point to only one country's government as being the problem but its really most of them.

Re:Psychological warfare

Remember, in any government office, there is a really stupid citizen. This is why the wholesale slaughter of civilians should be encouraged during time of war. You may not like your asshole leaders, but lets face it, any one of you stooges could sit in that office and no one would know the difference. Also murding babies in time of war should be consider3d "Pro Choice" since technically the government pays for it.
  By the way has anyone told Pope Francis to shut the fuck up lately? Seriously, were in betwe3n ice ages and this guy starts with the global warming bullshit? How stupid do you think poor people are

Re:Psychological warfare

[gweilo8888]

Exactly. There's about an equal chance it's compromised or not, and there's no way to no. It could be a double bluff, it could be a triple bluff. The only thing we know absolutely for sure is that we're not getting the whole story, because if you'd really compromised it, it'd be a valuable source of data and you wouldn't want to let the other side know. Unless, that is, you're hoping they'll think it's a double-bluff...

Re:Psychological warfare

[gweilo8888]

no way to know, even. Blast these useless sausage fingers of mine!

Poor ECC impl

[Meneth]

Surespot is most likely toast now. I see two possible attacks from someone who controls the servers:

• Send fake pubkeys (standard MitM attack, really)
• Crack the crypto directly. Surespot uses the secp521r1 Elliptic Curve, which was created by NSA and published by NIST, and may be backdoored.

Canary

Any serious security company should have one.