Tor Is Building an Anonymous Instant Messenger 109
An anonymous reader writes in with news about a new anonymous instant messenger client on the way from Tor. "Forget the $16 billion romance between Facebook and WhatsApp. There's a new messaging tool worth watching. Tor, the team behind the world's leading online anonymity service, is developing a new anonymous instant messenger client, according to documents produced at the Tor 2014 Winter Developers Meeting in Reykjavik, Iceland."
Joy of joys! (Score:5, Insightful)
Slashdot is doomed.
Re: (Score:1, Insightful)
Re: (Score:2)
Re: (Score:1)
That might be the case, but it might also not be the case.
Re: (Score:2)
yeah. Basically, there are two use-cases. Civil Defense alerts. And spam.
Re: (Score:2)
"I'm having a hard time understanding how an anonymous instant messenger can be useful.
One of the main things when using one of these is that you know who you're talking to isn't it?"
If you do it Old-style you have to know the secret string of digits of the person you want to send messages to.
It's called a 'Phone-number'.
There you also don't know if the sexting is done by your girlfriend or her brother who found the phone.
This is similar, just the number will be a bit longer.
"Not traceable" (Score:2)
It would be better to call it "not traceable".
Here the meaning of "anonymous" being that NSA can't tie an actual identity to the peers of a chat (by using the already well tested Tor network), and that they can't eavesdrop into the conversation (by using the already well tested OTR standard).
i.e.: Bob1983 and Alice_696969 happily chat to each other about how much they dislike the current political situation in Kiev or brainstrom about better methods to circumvent the Chinese Great Firewall.
They might know e
mmmmmm, spam! (Score:2)
Re: (Score:3)
Now I'll be able to communicate with some random, anonymous Internet person.
Yeah, first thing I thought was chats like this:
SPARTACUS19982: YO!
SPARTACUS4x9: 'Sup?
SPARTACUS12: U rite?
SPARTACUS19982: Wait, who said that?
SPARTACUS4x9: Said what?
SPARTACUS12: What?
SPARTACUS19982: That!
SPARTACUS12: What?
SPARTACUS19982: Yeah, what!
SPARTACUS12: Wait - which what?
SPARTACUS4x9: Dude, being Spartacus is starting to suck, ya know..?
SPARTACUS4x9: I mean, I don't even know who I am any more...
SPARTACUS@X0®: DISREGARD THAT I SUCK C0CKS!!!!
Re: (Score:1)
Tor? (Score:1, Interesting)
Tor? The 'dark net' who's largest nodes are run by the NSA doing traffic analysis? That Tor?
The one that brought down silkroad?
Re: (Score:3)
All is proceeding as Gordon Dickson foresaw (Score:2)
Re:Tor? (Score:5, Funny)
If I want to keep something secret from the US, I'll just use ICQ, since it's owned by russians. Of course, the downside of using ICQ in 2014 is that my messages will stay too confidential for the purposes of communicating.
Re: (Score:1)
Are you kidding me? You don't think the US and Russia share intelligence? (And that's assuming the US hasn't hacked ICQ.)
International espionage isn't like a child's playground, where you're either friends or foes. You cooperate when it's in your interest, and you don't when it's not. Why would it not be in the FSB's best interest to allow the NSA to tap ICQ, particularly for identified individuals, and especially if the NSA reciprocates in kind.
You don't think the FSB calls up the CIA or NSA every once in
Re: (Score:2)
ppp chat. It's the only way to be sure. Unless. . . TEMPEST. . . .
Re: (Score:3, Insightful)
yep that's the one. I wouldn't trust Tor network as an anonymity service for anything, let alone something I really wanted to keep secret.
Tor is solid, are you and the GP trying to deceive, or have you been decieved?
Would you like to know more? "How Covert Agents Infiltrate the Internet to Manipulate, Deceive, and Destroy Reputations"
https://firstlook.org/theinter... [firstlook.org]
Re:Tor? (Score:5, Informative)
Tor? The 'dark net' who's largest nodes are run by the NSA doing traffic analysis? That Tor?
The one that brought down silkroad?
Nope wrong wrong and wrong.
Tor is has had about very few highly throttled node running on amazon cloud for a couple of weeks run by the NSA according to head TOR developer Jacob Applebaum at 30c3 about a month ago. Additionally the NSA's own documents released by Edward Snowden showed that the NSA can't break current TOR releases.
Secondly silkroad was brought down by Dread Pirate Roberts mixing his darknet identity and his clearnet identity by using the same email address and handles. Another break in the case was when a package with fake ID's was intercepted at a Canadian border check.
Re: (Score:1)
Parent evidently hasn't heard of parallel construction...
Re: (Score:1)
"Secondly silkroad was brought down by Dread Pirate Roberts mixing his darknet identity and his clearnet identity by using the same email address and handles. Another break in the case was when a package with fake ID's was intercepted at a Canadian border check."
Maybe. It's also possible that those pieces of evidence were discovered _after_ some other, illegal methods were used. It's called parallel construction, and it's regularly employed to launder chains of evidence for trial.
Not "Illegal". (Score:2)
It's also possible that those pieces of evidence were discovered _after_ some other, illegal methods were used.
Except that, in this case it wouldn't have required any *illegal* method (1) (2).
It would have required method which go against anything that is currently known in cryptography.
The cryptographic methods which form the basis of Tor are sound and unbroken as of yet.
Tor is sufficiently well designed to avoid bugs and exploits that might lead to leaks (Side-channels, etc.)
To actual crack Tor open, you need to beat modern cryptography.
And the NSA doesn't have a monopoly on brains, and modern research is (as alwa
Re: (Score:2)
You don't understand traffic analysis.
Re: (Score:2)
How did you reach this conclusion? The guy has been a lying "me-too" since at least 14. Anyone who grew up with him knows how full of shit he is. He also is just a fucking cheerleader, can't code for shit. Look at his commits.
Looks like we got ourselves a JTRIG attack here. What is JTRIG?
As reported on earlier on slashdot;
Advocatus Diaboli writes with this excerpt from an article by Glenn Greenwald on the pervasiveness of shills poisoning web forums: "One of the many pressing stories that remains to be told from the Snowden archive is how western intelligence agencies are attempting to manipulate and control online discourse with extreme tactics of deception and reputation-destruction. It's time to tell a chunk of that story, complete with the relevant documents.. ... Among the core self-identified purposes of JTRIG are two tactics: (1) to inject all sorts of false material onto the Internet in order to destroy the reputation of its targets; and (2) to use social sciences and other techniques to manipulate online discourse and activism to generate outcomes it considers desirable. To see how extremist these programs are, just consider the tactics they boast of using to achieve those ends: 'false flag operations' (posting material to the Internet and falsely attributing it to someone else), fake victim blog posts (pretending to be a victim of the individual whose reputation they want to destroy), and posting 'negative information' on various forums." I guess Cryptome was right. Check out the the training materials provided to future forum spies.
I Smell A Shill.
Re: (Score:3)
Tor is solid.
The feds ability to connect the dots of people too dumb to cover their tracks != Tor insecurity.
Re:Tor? (Score:4, Insightful)
>> Additionally the NSA's own documents released by Edward Snowden showed that the NSA can't break current TOR releases.
That was 2007.
Other things you couldn't do in 2007:
* Use an iPhone
* Use a Samsung Galaxy
* Use What's App
* Read anything except "this housing boom will go on forever!" in the news
In other words, that was forever ago.
Where is a more recent credible assessment of adversary capabilities specifically to the TOR network?
Academics (Score:2)
Where is a more recent credible assessment of adversary capabilities specifically to the TOR network?
The fact that NSA dosn't have a monopoly on brains. The fact that research is done by advancing previous research (and rarely appearing out of the blue), and universities have access to the same historical previous research that secret researcher hidden in the NSA do.
And despite this, none of the academics working on it has been able to demonstrate any actual failure of principles behind Tor.
There *is* a prestige incentive to be the first research group to demonstrate an actual good failure. But until now,
Re: (Score:2)
The most obvious attack is control of a majority of the network, and of course correlations attacks which require access to many ISPs.
These, in addition "ownership" of VPNs, are feasibly within the capabilities of intelligence agencies.
Practical problem (Score:2)
The most obvious attack is control of a majority of the network, and of course correlations attacks which require access to many ISPs.
The *owning* itself might be achievable (and even that is going to be complicated because you need to own significantly more than other governments trying to achieve the same and non-governmental legitimate users)
*BUT* even then extracting any meanfingful data is complicated. The more people use tor for anything else beside what you're targetting, the higher the noise level among which you're searching for signal, and thus the lower significance of anything you might try to analyse.
Beyond some point
Re: (Score:3)
No Navy intelligence wrote the original tor software they then open sourced it and gave it to the community. It is now run by the TOR project most of the members of which are regularly harassed and spied on by the US government. Jaccob Applebaum head developer had is flat broken into and computers tampered, another tor developer, Andrea Shepard, have had her computer she ordered via amazon "redirected" mid shipment to NSA facilities in Alexandria Virginia. TOR devs have been pressured by homeland and have
Re: (Score:2)
Let me remind you that the Silk Road mantainer was tracked by an inpected postal package, not through tor.
Re: (Score:2)
Let me remind you that the Silk Road mantainer was tracked by an inpected postal package, not through tor.
...as far as we know...
http://en.wikipedia.org/wiki/P... [wikipedia.org]
Re: (Score:2)
Apparently, nobody on this thread understands what 'traffic analysis' means. Nor how it was used to track dread pirate roberts location (also the Chester that was busted a week or so prior to DPR).
Tor is still secure, provided you don't send or receive a lot of data. If you send or receive a lot of data, traffic analysis will lead the feds to your physical location, they will own your server. After that you are as good as busted.
Re:OTR (Score:5, Insightful)
That hides the content of your communication, but it still shows that you're communicating, and with whom. So the "metadata" that the NSA and/or FB are interested in is still available...
Ostensibly using TOR hides the fact that you're the one communicating, and who you're communicating with... (Whether that's still true in practice is another question...)
Re: (Score:2)
(By which I mean: you need both... OTR and TOR aim to protect you from different threats.)
Re: (Score:2)
Re:OTR (Score:4, Funny)
This is why I encrypt all my conversations and embed the message in the background noise of cat videos.
Re: (Score:2)
So that's why I want to kill all humans.
Re: (Score:1)
Re: (Score:1, Funny)
Thats why I send all my communications in binary as a box of donuts. To confuse people even more the donuts are 1s and the holes are 0s.
Re: (Score:2)
There is no "strong steganography", but if "not drawing attention" is the goal, that's probably your best bet.
That's the plan (Score:2)
That's actually their plan:
- Use Tor for network anonymity
- Use OTR for content protection.
And they also have a 3rd step:
- Use the open source InstantBird. It's opensource so it's possible to make it secure.
(basically, yet another chat system that relies on Pidgin's libPurple. Like Adium and co)
(except that one runs on mozilla's xul, so there some code share with firefox, the other software that is bundled next to tor in their bundle)
And probably (not mentioned yet but likely to happen):
- Deploy some Jabber
As seen on.. (Score:1)
As seen spammed in every other story posted today...
Re: (Score:2)
Did you know EVERY IM service commonly in use requires your text messages to pass through their servers, before they reach the recipient?
One can debate 'commonly used', but regardless there are options to either avoid that, or endpoint encryption so it wont really matter if you do pass thru a 3rd party server along the way. One option is Jabber.
Re: (Score:2)
I've often wondered why there aren't more apps that can encrypt your voice during a call.
Re: (Score:2)
The small
Re why there aren't more apps that can encrypt your voice during a call?
Why where so few encryption machines offered with hardware safe from the NSA and GCHQ in the 1950-80's?
Standards and price.
So in 2014 using a big software or telco firms offerings or bee
Re: (Score:2)
I was using red-phone on the Android for 'special' conversations. I am pretty sure you can encrypt XMPP voice chats too.
Of course that doesn't address both ends if you want to call another cell phone user that has nothing special installed.
Re: (Score:3)
The real question, however, is why every user effectively engaged in P2P communication (like webchat, IM, or Skype), allows a man-in-the-middle attack to collect and process their personal data, when the ONLY useful aspect of the service is connecting the users together in the first place.
Apparently, because doing that is patented. No, really! Apple tried it with Facetime, and got sued by a troll*, VirnetX. Initially that's how Facetime worked, Apple's servers authenticated you and connecting you together, but then the 2 devices connected directly for the content of the video/call, not through Apple's servers. They lost a $368million verdict and they were forced to change it so everything has to get relayed through their servers.
*I don't know much else about the company, but in this case
Re: (Score:1)
Its really hard to see how Apple lost when you have FTP as prior art, as just one example of doing it over the Internet.
Really its mind numbing that you can basically add 'on the Internet' and get a patent for something someone ELSE has already done.
They didn't event switched virtual circuits.
Voice? (Score:2)
Will need that too, to compete. Plus a useful directory.. And most average people want to talk to people they know, sort of blows staying anonymous on a large scale.
A new instant messanger from Tor? (Score:2)
Is this to replace Facebook's?
Tor isn't the NSA despite stupid people's claims (Score:1)
Tor users are being attacked by government agencies and those whom haven't followed the advice of the project are becoming victims of there own stupidity. It has nothing to do with Tor having backdoors in it. Neither the Tor Browser Bundle nor Tails were vulnerable to the attacks by governments agents for users who maintained there system and updated daily.
Now the freedom hosting bust may have been different. I don't think we know in regards to that bust how the guy in charge of freedom hosting got caught.
Re: (Score:2)
Tor isn't the NSA.
But some Tor nodes have six figure monthly bandwidth bills, and the feds have used traffic analysis to bust some Tor users.
Nobody can prove the Tor nodes are operated by the NSA, but the NSA would need such nodes to do the traffic analysis they have been doing.
Retroshare solved this half, IRC the other (Score:5, Informative)
Okay, first off, the nature of instant messaging is such that you can't truly have an anonymous system. After all, while "the network" may not know Alice, Bob, and Carole, the three of them must know each other and be able to distinguish between them...otherwise you've simply got ChatRoulette and the purpose of IM is largely moot.
Retroshare provides fully decentralized IM, pseudo-email, and file transfers. It's a wonderful tool in this regard. It solves the problem of $IM_SERVICE keeping a record of your chats, because there isn't one. It solves the problem of packet sniffing, because it's all PGP based and thus there is no such thing as an unencrypted packet that enters or leaves the software. It solves the problem of needing a server, because everyone is a peer. All of the things that this Tor program seems to solve, has already been solved, and then some. "Well then,why doesn't everyone use it?" Well, the nature of Retroshare makes it difficult to gain critical mass. You have to understand, at some level, how PGP works - instead of a 'friend request' with that person's actual name, you get to share public keys to 'add' them. This is fine and dandy, but opens up a few new problems. First, even cutting-and-pasting something the size of a PGP key and then reciprocating it to the other person is going to cause the eyes of most people to glaze over. Second, you'll need to exchange keys somehow; if you're e-mailing keys back and forth, most people would say "...so just e-mail the damn message". This is where the file sharing half comes into play, since users can trade files directly without having to do much else. However, with Dropbox/Gdrive/1Drive/etc making transfers stupid simple, the practical application for Retroshare in the eyes of Facebook Chat and Whatsapp users starts to wane significantly when put up against "use an already-functional communication medium to do a PGP exchange that will facilitate another communication medium." Bonus points for Retroshare being a smidge petulant when it comes to port forwarding, and not having a mobile version for any platform.
Conversely, we have IRC. it's ancient, and the UI of mIRC doesn't jive well with the Instagram crowd, but anyone with some semblance of tech skills can run an IRC server. Set that up with SSL and your communications are encrypted, with nothing more than a generic handle to identify you with. The problem is that you'll need someone who can set up such a protected server, and by definition, you have a single point of failure. IRC's other failure (which may apply to Retroshare as well) vs Tor is that IRC does involve IP addresses, so you'll still need a proxy of some kind (or Tor itself) to obfuscate that little nugget.
Tor routing communications through other users as a part of the protocol is the one problem it solves. Secure transmission of text-based messages has been solved pretty well already, "Anonymous IM" is an oxymoron based on the fact that IM in itself usually assumes a prior relationship of some kind between the two parties, and even if it didn't, each user will need *some* sort of unique identifier to ensure that Alice gets messages meant for her, Bob gets his, and Carole gets hers.
Re: (Score:3)
Retroshare's problem is that it sucks donkey balls. I tried setting it up with a friend swapping PGP keys - that part wasn't so hard, but setting up a private share my friend he couldn't download at 1/10th the speed I can through HTTPS/SFTP/FTPS/any other secure file transfer mechanism. I don't know what they're doing wrong but it just seemed utterly amateurish so I uninstalled it and hasn't given it a second look since.
Isn't TOR outdated? (Score:2)
TOR not only attract the watchers with black helicopters and black vans, it's said to be vulnerable to timing attacks esp. by those same entities with extremely large means. So why isn't this news about anonymous IM on a garlic routing network or something?, either switch to a new network or upgrade TOR and call it TOR 2.0 or TOR 1.1 or something but please, something has to be done.
Re: (Score:1)
TOR not only attract the watchers with black helicopters and black vans, it's said to be vulnerable to timing attacks esp. by those same entities with extremely large means. So why isn't this news about anonymous IM on a garlic routing network or something?, either switch to a new network or upgrade TOR and call it TOR 2.0 or TOR 1.1 or something but please, something has to be done.
Why the hell you feel your software could ever protect you from the NSA is beyond me. We used to be worried about script kiddies and malware delivered via spam. Now, all we worry about is if our software is unbreakable by a State-sponsored agency with billions of dollars, hundreds of personnel, millions in computing resources, and no laws to follow. Even if someone claimed it was unbreakable, I'd love to know how the hell they're going to prove it.
Just stop with the new fucking golden metric of software
Re: (Score:3)
There are networks that protect against timing attacks, but the nature of the protection makes them unsuitable for IM or other near-realtime communication. Basically, they operate by having nodes s
Re: (Score:2)
Thanks. That feels severe, and I find it funny. It has built-in flooding, but can you even flood it furthermore with crap so it becomes damn near unusable to your unlucky "peers"?
Re: (Score:2)
LOL! I2P literally calls their protocol "garlic routing".
You could certainly call it "TOR 2.0" IF you assume a general trend to using darknets for most networking. This is because even while I2P can handle full bittorrent and comes with a decentralized messenger, exit nodes (outproxies) are the exception... I2P is designed to be used mainly between I2P users.
Re: (Score:2)
I should have been clearer in my wording - I wished for TOR to evolve, or for attention to shift to another network e.g. the network you're speaking of. I thought that maybe that new IM client should have been announced for I2P.
Then again TOR has the users and I suppose speed and latency for it.
Can I just run TOR without ever leaving TOR?
Mmm Anonymous Social Network (Score:1)
Vole (Score:2)
This is similar to vole:
http://vole.cc/ [vole.cc]
https://github.com/vole/vole [github.com]
TAILS 'other' anon network already has this! (Score:2)
Its called I2P-Bote, a messaging system based on DHT. Its a part of I2P which is included in the TAILS distro along with Tor.
Once the I2P bittorrent clients experimented with DHT and succeeded, some people figured they could pull off a messenger that was truly decentralized.
And speaking of decentralization, Tor's underlying protocol and topology may not have enough of it to remain viable for too long. OTOH, I2P users contribute to routing bandwidth by default, and nodes recognize each others' contribution t
clients matter (Score:3)
More than anywhere else, this is not a problem geeks alone can solve. The perfect chat client is worthless if none of your friends use it. WhatsApp was huge because everyone used it - network effect.
So Tor - yes, definitely a good step. But you need a good client, ease-of-use is as important as cryptography, and details such as automatically finding your friends who also use it. Threema has a nice solution for that with their hashed address books.
So please look beyond the backend code.
Layers (Score:3)
You want security at the expense of usability? build layers!
A single system can be hacked, a single OS has bugs, a single app has backdoors, a single protocol has explots etc etc
Use LESS popular services in combination with layers of security. For instance; You can use the Tor Network to SSH into a proxy to tunnel chat with pidgin & OTR plugin. If you're even more paranoid assume your OS is already hacked, use some exotic image like Qubes, create temporary destructible VMs to carry information...there are options and many of them make basic functionality a nightmare.
If you really care that much about having your idle chitchat being "secure" you can always assume everything is being listened to. Good old fashion message encryption is probably much better than a special app.
I am quite happy there's more focus on security but let's be serious here, Tor is a target for snoops. they will find a way in because they already proved they can.
Re: (Score:2)
I think the idea here is to be able to say "hello world" to your Tor proxy, and have it communicate with the network such that "n" recipients get the message, but no one knows that you just did that, and definitely don't know what you just said. You don't know who or where those recipients are, you don't know anything about them, other than you're communicating with them.
If you imagine a way where I can tell you I'm on the Tor Chat Net - I don't tell you anything about myself, but instead I generate some so
Not interested . . . (Score:2)