BitTorrent Chat - Private instant messaging via secure, distributed technology(labs.bittorrent.com) |
BitTorrent Chat - Private instant messaging via secure, distributed technology(labs.bittorrent.com) |
To be very explicit about this, as I think this is a very subtle problem that people tend to totally misunderstand: if I wanted to distribute a chat program and have it be "evil" I would not distribute a binary with hidden behavior (if nothing else, when you find this code in my binary I'm pretty damn well screwed ;P): I'd instead distribute an open source program that involved a threaded work queue for handling multiple socket connections to peers and which had a few very subtle use-after-free race conditions that would only come up under nearly impossible timing scenarios that I knew how to trigger and exploit, giving me complete control of your client whenever I wanted.
These are the kinds of bugs people use to attack open source "secure" web browsers like Chrome year after year at Pwn2Own because people are simply bad at concurrency. In this sense, I'd thereby trust a closed source web browser that had no threads or which was implemented in a type-safe garbage collected language (executed on a simply-engineered runtime from someone separate that I trusted, which could also be closed source for all I care) a lot more than I'd trust Chrome. I'd even probably have an easier time understanding what it is doing disassembling it than reading Chrome's code. (To be clear, such a browser doesn't exist: probably you should use Chrome.)
Open source means it's not going away. I won't, ever again, buy into a network that I cannot keep alive. Which is one of the reasons I don't use Whatsapp and actively prevent my family from using it. No G+. Leaving GTalk (Sorry, 'Hangout').
BTSync? Nope, unusable. BTChat? Same. Even if some highly trusted party would explain to me that BTChat is the most secure network, period: As long as I don't see the means to keep that thing alive it is just another potential trap.
I've just documented the protocol so far, so there's no working code yet, but it's at https://github.com/jewel/clearskies.
Why do we have any reason to trust BitTorrent, Inc. over any other organisation? At best all these self-centered attempts are going to fragment the messaging market and make make even more unlikely we'll see an open, federated chat protocol reach popular use.
Not sure if bittorrent chat will be very interesting. Most secure chat clients encrypt on the client side so the server won't be able to read your messages, so not sure if not having a server is that big of a win here. I'm also guessing metadata would be exposed to various people on the bittorrent chat p2p net.
The one I'm most excited about right now is bitmessage. It is the only chat protocol that I feel is really revolutionary. It is also a p2p network, but the interesting thing about it is that everyone on the network gets every message ( obviously you have to have the correct keys to decrypt the messages that were meant for you ). So its impossible for an observer to tell even who is talking to who. Also they have the concept of public chans , which I think are a good mechanism to draw users. Bittorrent could do the same thing here.
Just telling people this so they can save signing up if it's not for them.
I feel like I just signed up for a bunch of spam.
I had many a conversation with my thesis supervisor this way, once when I was in France and he was in Japan.
PS no third party server involved, obviously. Just my box and the recipient box. I suppose one could do a man in the middle attack but we would always start the conversation with some pleasant banter anyway so it's unlikely that a third party masquerading as one of us could last long before detection.
<sarcasm>Too bad this technology no longer works, it was so simple and useful</sarcasm>
Questions for both projects still remain though: What sort of metadata can be collected from users of these programs? How can that metadata be used? Are there any security vulnerabilities that have been overlooked?
We are still a ways from having truly secure chat as the mainstream communication medium, but I'm glad Bittorent and others are helping move it in the right direction.
[1] https://github.com/irungentoo/ProjectTox-Core [2] https://news.ycombinator.com/item?id=6121225
I'd love to see them succeed, but I doubt it will. Especially with the recent falling-out among their primary developers.
If you can hide who the messages are being sent to, you can protect yourself against them spying on who your friends are, which to me, is just as important. Also, if you don't know who the recipient of an encrypted block of text is, it makes it near-impossible to brute force the private key(s) of all encrypted text coming out of a single IP.
I wonder if the broadcast approach would help there? Be constantly throwing out GPG encrypted data to the entire network, anyone with the private key can pick it up. No "to" or "from" headers, and traffic analysis is hard since the flow of traffic is constant:
https://github.com/shish/firehose (Very alpha)
The main downside there is that bandwidth requirements are huge, you can only have a few thousand people on each shard :<
I've been thinking of ways to combat this as well, and I admit it's an interesting problem. You either have to do some kind of Tor-like onion protocol (which has its own problems), or send every message to every client in the world. Sending your message to [your friend] + X random people would still allow an attacker to eventually gather a very detailed map of your friends by looking at which come up most often.
They would know:
Who talked to who
How often they talk
When they talk
How much information they exchange
Their IP addresses
In fact, the only they wouldn't know is precisely what was said, but that's often a very small, non-critical piece of the puzzle.
Distributed chat systems only are advantageous because you get away from having centralized servers, but you still have a bootstrap problem to get everything up and running.
Of course there should be a good reason for the "seed" users to get on the new platform in the first place.
even with PRISM and others, people are too lazy for that.
Just finished reading all this: http://code.google.com/p/phantom/ boringly Tor-like project.
I would not use this for anything that could send me to jail, maybe after a few years of being vetted.
" Although it is very nice that people are working on creating secure and anonymous messaging systems, I am afraid that BitMessage is weak to a variety of attacks. I fear that the people working on it do not have sufficient expertise, in the fields of security and anonymity, to design and implement a proper cryptographic communications system + anonymity network. After reading the two design .pdf documents, I have identified a variety of weaknesses and overall poor design choices in the BitMessage protocol. "
And he continues to show those weaknesses.
no. the same message does "never" encrypt to the same cypher:
$ echo lol | gpg -e -r F8669BB7 --armor
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.11 (GNU/Linux)
hQEMA2gTLr1USDZGAQf/YbbnzHvNfdqbs6hmdmIaaiZOSfW9P6Bc8tdF4MG/JbP+
RTxbLpi4W+vXs+WrD9jdik8KuDdZV54O1mb6Ido3xrYeEPBo0Vje2eVpgUy01VUa
2RM76NvsX1VN9rap6KvHuO/h7IFwDuAtvUUcDyFH+qK2UEHordFi+mWKqICocQt0
WWgpCk5BVgM/1q2c2ruWxVuZs/IMh9LQGZ1i7hpkJHAYqovhghROmGarUuJYXGDi
s6rSMpjxbXDhPMYbbhbBI4pRhgKtN2FMlKyI3XoH+LCFHsOyBmazroVYWFu+gafH
6LU2Z65OQyJWqX5CLdwab4qpUQdht6lqkUHRJB9xdtI/AfTFF7BbRP8PR+q9GVAe
r4I812VmBn3hwBHJzNiFDEGVkt/IDpd6M/X2Vi0xJx0LUaICL+swPVudenPuvlnt
=zeUd
-----END PGP MESSAGE-----
$ echo lol | gpg -e -r F8669BB7 --armor
-----BEGIN PGP MESSAGE-----
Version: GnuPG v1.4.11 (GNU/Linux)
hQEMA2gTLr1USDZGAQgAo4ZEHGWKSgwVmbC7crACvTXVtlgP4n8J/3oSohct9zrM
SqPd4L5TWsjOh+2LlG7WQbPnpn4Tcv9c4RyPNb+1C/fWRmGhV+a3QhuC+rrus5c6
/FPwsHTjO30N0AnCMzoXAaqDRRGw859BKazEZyxIHherU+o7wNRKrW6U1ikRd/Pu
BwHChUZHBRmZhomrtYPbQ5cNAJQtPMj94Z8OuZeCEzPNBr3opevoMs2j+9ysOtkF
7Cam3jTKLM3GwHSm4c7WzhdJJsXbnOn8ODYRBf++4oJChPIqeT2EssigAQuuhHlk
pDhM40zB7hAd6MJM52cZpM3UqTe/iI4vHSrQ+pw/otI/AWY6s4aIlF5AAzoM0wAR
FzobJ5Vbp7fBgA1SiOhEhSAdT/U2yy2jQcQN53yyX9Vqtunh3dNmCGaNNavszK8+
=YDLc
-----END PGP MESSAGE-----
$PS: i think asymmetric crypto is secure from such attacks anyways, though isn't that way slower than symmetric crypto?
I'm happy to see the surge of interest and new projects, but most of the offerings are between embarrassing and pathetic. Either the concept is being exploited for marketing purposes, the individuals involved just aren't appropriately skilled at what they are doing, or there are actual nefarious purposes. (I would agree, Bitmessage, and similar schemes could prove to be the best of the bunch.)
One could respond this is just paranoia, secure software doesn't really need to be open source. Or, we should trust someone because they did something very good in their past. What the NSA leak showed us is that paranoia is real.
Politics aside, and I've said this here before, this isn't just an issue of the NSA. For 99%+ of individuals, what the NSA is doing isn't going to damage them personally. However, those techniques damn well can. What the NSA is doing, other intelligence services are doing too. In some circumstances private companies are doing it as well. It doesn't matter if you aren't a terrorist, if you work on anything that could be very interesting or very profitable you are at a real risk of being targeted for electronic spying.
Standards need to be established:
a) If its closed source, it can not be audited and thus can be considered neither secure or insecure.
b) If it forces automated updates, it can not be secure.
c) If it runs on a leaky platform (all mobile devices so far) it can not be secure.
That should tell us, in my opinion, that the number one goal of secure chat would be a secure mobile platform -- that includes both operating system and hardware. If you take a look at the fine print on Replicant, the fully free version of Android, you'll notice nearly every supported phone has major potential holes, save for one really ugly looking thing.
That's what I do, as I can't think of any alternative that is equally analysis-resistant
> A few thousand bytes a second is an awful lot of text
I was planning for ~500 bytes / sec so that traffic spikes wouldn't block up the send queue, but now that I think about it you're probably right -- even at 50 bytes/sec, the network speed cap would still be a fairly small factor compared to the amount of time spent typing...
The only 'unique' thing that Bittorrent can provide although is execution, delivery & a tendency to open source their work. They have shown they can deliver by implementing usable bittorrent sync clients for the major 4 OSs (Windows, OSX, iOS, Android). That usability alone would increase the amount of the internet using encrypted communications significantly, putting a major hinderance on dragnet surveillance.
Hell we might find out that bittorrent chat uses libOTR once your in an actual conversation, since they did all the hard crypto stuff already. They'll just be adding a P2P discovery layer, since that is what they are actually specialized in. That is what I would do if I were them.
There are no usable open source OTR or PGP clients for all 4 OSs still. ChatSecure for iOS still crashes a lot. Adium/Pidgin is pretty much the only usable OTR client I know of, and they are desktop clients.
Until bitmessage is thoroughly reviewed by serious people ,and results are displayed in a prominent place, it would be hard to trust.
From the homepage: Bitmessage is in need of an independent audit to verify its security.
There was also someone who deanonimized bitmessage. They should link this too in a prominent place.
If they solved any of those problems , they should link to solutions and a possible review.
hQEMA2gTLr1USDZGAQ
At the start of each output? Is that 'lol' encrypted then followed by random bytes, or does it contain header information?edit: It's not encrypted with the primary key, but one of the subkeys.
FTFY
That doesn't invalidate the point above though that in the modern world a tool like this can only be considered "secure" if the implementation(s) are completely open. It's just a poor product decision on the part of BitTorrent.
The UI part will be in charge of converting plaintext into ciphertext and vice versa. ciphertext will be handed off to the transport module.
The transport module can remain closed source. Only the API to the transport needs to be published. People can write their own UIs.
The biggest problem with all of it was that there were a bunch of scam sites that added malware, built binaries, and bought "lime wire" keywords on google.
On the other hand, I don't think OSS is to blame for that--the scam sites could have just as easily distributed any binary.
This is where the distinction between "free" (as in freedom) and "open source" is helpful.
You can, hypothetically, release the source code of a project under a license that prohibits compilation of that source code (or, prohibits running anything other than the paid binary of the source code). This would allow people to view and theoretically vet the code; they just can run it (legally) without paying for it.
Not that I would like to encourage such behavior, or think that it's valuable. But it's an important distinction to remember.
Such a license would qualify for neither "open source" nor "free software" under the relevant official definitions though.
Yes, it would be reviewable for bugs and probably preferrable to a blob. But without the ability to verify the complication you'd have no assurance that the proprietary code was actually built with the reviewed source. Basically this would just be a stunt.
This does not, however, contradict my argument: as we can take a binary and generate really horrible C code from it (by just emulating via C, unrolling the instructions) the same result is true of source code; however, we would find that block of code highly suspicious ;P.
Again: if I wanted to give myself a backdoor into a chat program, I wouldn't distribute a backdoor into a binary, I'd provide open source code with subtle bugs that would take people years to find and that when found would look like honest "concurrency is hard" mistakes.
I am not saying that whether something is open source or not is totally irrelevant, but the people I'm responding to seem to be having this gut reaction "if it isn't open source it can't be trusted", so I'm attempting to provide enough context to show that it isn't that simple.
Personally, I'm running BTSync - and even though I've got it syncing EncFS encrypted data, the app has enough privileges to read the unencrypted versions of those EncFS filesystems if it were instructed to.
I'd feel happier if a few trusted security experts from a few different countries/jurisdictions had blogged about their analysis of the source code and the likelyhood of the binary produced from the source being either intentionally or unintentionally compromised.
Having said that, as you point out, we've got the Chrome source, lots of people look very hard at it, and it _still_ fails year after year… Hopefully, BTSync and BTChat (or my hypothetical Open Source reimplemetations) are significantly less complex than a full featured browser, and not would not require nearly so much focus on performance that "provably secure" or perhaps just "significantly less likely to have obscure bugs" coding techniques could be used in spite of speed penalties - browser vendors have significant motivation to optimise for speed above all else, hopefully the much smaller subject domains of sync or chat clients would allow security to sensibly be prioritised instead.
A program might be open source, still the binaries offered for download might be compromised. Who is able to notice that now?
You might compile the software yourself, but the majority of users wont.
You might have reverse engineered a closed source software, but I guess you won't do that for the OSS binaries.
I don't think many people are worried that BT will be evil. I think many more people are worried that they'll be incompetent, and it's very hard to be competent at cryptography. That's why we want the source.
It may be possible, but it's not easy.
Company Overview
BitTorrent Inc. is an Internet technology company based in San Francisco.
And immediately I've got _two_ things to worry about - 1) "will BT be evil/incompetent?", and 2) "will BT be leaned on by the NSA and be coerced into being evil?"If you're a US company (or individual, or a company with US based management, developers, investors, or infrastructure) who are promoting security-related products in the post-Snowden era – many of us outside the US now have very good reasons to apply extra scrutiny to those products. Opening your source will make a _big_ difference in how readily suspicions of evilness can be allayed. As saurik points out upthread, having the source available doesn't guarantee the rest of the open source community will find and fix any carefully-enough-crafted backdoors, but keeping the source closed sends a strong message…
Unless you've got unbreakable security the NSA is well funded enough that it's irrelevant where you do business.
I mean, I could also say the argument "you can't trust closed source software for this stuff" is also "a bit disingenuous" via the analogous argument that that open vs. closed is a "false dichotomy": a single-threaded/type-safe/un-obfuscated X-source program "is always more easily auditable" than a multi-threaded/type-unsafe/obfuscated X-source program. Now, the question becomes "what variables are more important to you, and will your reactions be 'knee jerk' or rational"?
You can audit a multithreaded open source program much more easily than you can audit a single-threaded closed source program. Merely compiling it adds more obfuscation than making it needlessly, complicated will, and making it needlessly complicated will immediately raise red flags.
You don't need to analyze an open-source program to see that it's been obfuscated, and, if it claims to do anything that requires security, that would probably be enough to make you suspicious.
My ultimate point is that compiling is a form of obfuscation that has extreme plausible deniability. There's no form of obfuscation that will complicate the code of an open source program as much as compiling it will, while still looking as innocuous as compiling does.
I recall Transgaming Wine had a model that was effectively this, it was difficult for a laymen to build the source and binaries couldn't be distributed freely but the source was still available.
http://stackoverflow.com/questions/1180852/deterministic-bui...
I think this is our core disagreement, as I've been pretty clear about how I don't just accept this statement at face value given the large class of subtle bugs that can and do occur constantly in multi-threaded systems. I find reading through and finding bugs in complex binary-only buffer-management or even cryptographic systems "easy" (time consuming, but not requiring much brain function; even obfuscation just adds time and effort, it doesn't require greater intelligence); yet, I have never managed to remove every single concurrency bug from an open-source project I maintain that only actually uses threads to separate tasks like "searching" from "downloading update" (of course, I likely didn't put as much effort into it, so this doesn't prove anything of course: but I hope it makes you think), and I've seen people "much smarter than me" (working at Google and Apple) fail at doing so in systems that are "much more important" (working on Chromium and WebKit).
You might then just say that I'm probably just stupid and that a more reasonable programmer wouldn't have the same kinds of issues, but "concurrency is hard" I had assumed was a well-known issue. (And again, I think that this all becomes more more interesting to think about once you realize that a "backdoor" left by an intelligent opponent is going to be nearly indistinguishable from a "bug". At least once a year there is some obscure privilege escalation bug found in the Linux kernel: I think it is interesting to at least consider momentarily that any of those might have been a backdoor, and not a bug; the concept of what constitutes purposely malicious code updates tends to be way too narrow in my view, and leads people to only consider back doors that are easy to see when you print out the source code.)
> There's no form of obfuscation that will complicate the code of an open source program as much as compiling it will, while still looking as innocuous as compiling does.
Yeah, no: I seriously read through compiled code every day. I was doing a lot of reading through compiled code yesterday while working on figuring out why Substrate isn't working on iOS 7 for example. I am much much much more afraid of the bugs that are latent in a large multi-threaded project that has "lots of hands in the cookie jar" so-to-speak than of a simpler implementation distributed as a closed-source binary. I'm likewise more afraid of open-source projects that accept patches from large numbers of people (which means more people who might be actively /trying/ to add difficult-to-see exploitable bugs), or of projects that are implemented to run as native code versus ones that run inside of type-safe virtual machines (especially if the virtual machine is coded to a spec and I get to select the one it runs on).
Cryptosystem security isn't the same as binary security (i.e. against exploits). You can have a very insecure binary (in the exploit sense) but still have valid, strong cryptography (e.g. in its output).
Sure, with something like this, you want the binary to also not be easily exploitable, but I think that getting the cryptography right is more important.
Given these two points (malice vs incompetence and cryptography vs security), I think it is more important for the program to be open source, even if it's complicated, than the other way around.
There aren't many expert cryptographers who are also expert reversers, sadly.
Easy and time consuming are mutually exclusive in this context. It's about cost, and time is money. Its hard in the sense that the traveling salesman problem is hard, even if the logic for the naive solution is straightforward.
Again, differently, you are again falling into the same problem of looking at this as a "single issue voter": open-source X vs. closed-source X. My complaint is that people go "omg, no source code, I can't trust this" as this knee jerk reaction, as if this is the only variable by which you should be evaluating your potential risks. In the real world, you are going to be comparing using this to other solutions, some open source, some closed source, and attempting to decide which one is more or less secure. Does being closed source affect your guess as to its security? Sure. But does it affect your guess more than some other key variables? I argue not.
That people then outright dismiss something closed source like "lolololololo" are being ludicrously over-simplistic in their view of where security comes from and how people audit systems, and the people like "Karunamon" who decide that it is "suspect", which assigns direct motives to the idea that they are somehow attempting to hide something in their closed source binary, don't understand the threat model.
Other people on this thread, like "bigiain", are even talking about the NSA leaving some kind of detectable backdoor in this closed source binary: that's insane... if the NSA were actually going to leave a backdoor, it wouldn't be something you'd ever look be able to look at, even with complete source code, and realize that it gives them complete control. At best, you'll find it as a "bug", assume it was a "mistake", and fix it, and they'll already have others as backup.
"It's open source, therefore trustworthy" is not valid, I agree. But "it is closed source, therefore untrustworthy" is valid, and that's what most people are saying.
Most of what they do probably is just exploiting known bugs since they commit the resources to finding them as a basic part of their mission. You talk about a threat model, but you're proposing one which assigns a ludicrous amount of capability to an organization which, fundamentally, is still staffed and draws upon the same pool of human-talent that everyone else does (that is, graduates of universities principally in the western world).
But I wouldn't really be worried about backdoors for something like this, just incompetence. I don't think anyone is taking it seriously anyway.