Snowden's New App Haven Uses Your Smartphone To Physically Guard Your Laptop (theintercept.com) 134
An anonymous reader shares a report: The NSA whistleblower and a team of collaborators have been working on a new open source Android app called Haven that you install on a spare smartphone, turning the device into a sort of sentry to watch over your laptop. Haven uses the smartphone's many sensors -- microphone, motion detector, light detector, and cameras -- to monitor the room for changes, and it logs everything it notices. The first public beta version of Haven has officially been released; it's available in the Play Store and on F-Droid, an open source app store for Android.
so... (Score:1)
the "bad guys" have to steal your phone AND your laptop now to get away with their cunning plan?
Re: (Score:2)
Stop Blackaddering.
Re: (Score:1)
If you install this, the bad guys already have control of your phone and your laptop
No! It cannot be! The app is signed by Snowden's benevolent host: Putin!
Re: (Score:1)
Didn't you pay attention? It's on F-Droid. Unless Putin has somehow "On Trusting Trust"-ed F-Droid's compiler, you can calm down.
Even if they did use Ken Thompson's Trusting Trust Attack [cmu.edu], there is David Wheeler's Diverse Double-Compiling [dwheeler.com] that can fully counter it.
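To make the Trusting Trust / Diverse Double-Compiling exchange above concrete, here is a small simulation added by the editor. It is not Wheeler's tooling, not Thompson's code, and nothing from the Haven project: compilers and programs are modelled as tiny Python records, `compile_with` stands in for "run this compiler binary on that source", and the trojan is the classic one (a compiler that inserts a login backdoor and re-inserts itself whenever it compiles its own, perfectly clean, source). `diverse_double_compile` then performs the DDC check: regenerate the suspect compiler from its source via an independent trusted compiler and compare the result with the suspect's own self-regeneration.

```python
"""Toy model of the Trusting Trust attack and the Diverse Double-Compiling
(DDC) test. Added example; all names and structures here are assumptions
for illustration, not the real compilers or Wheeler's scripts."""
from dataclasses import dataclass

SOURCE_COMPILER = "compiler.c"   # the compiler's own source: reviewed and clean
SOURCE_LOGIN = "login.c"         # an ordinary program: also clean


@dataclass(frozen=True)
class Binary:
    """A compiled artifact. Equality models a bit-for-bit comparison."""
    program: str
    backdoor: bool = False   # payload present in a compiled login program
    inject: bool = False     # compiler carries the self-propagating trojan


def compile_with(compiler: Binary, source: str) -> Binary:
    """Run `compiler` on `source`. The source is identical in every call; only
    the behaviour hidden in the compiler *binary* differs. A trojaned compiler
    (inject=True) backdoors login and re-trojans any compiler it builds."""
    if compiler.program != "compiler":
        raise ValueError("not a compiler binary")
    if source == SOURCE_COMPILER:
        return Binary("compiler", inject=compiler.inject)
    if source == SOURCE_LOGIN:
        return Binary("login", backdoor=compiler.inject)
    return Binary(source.rsplit(".", 1)[0])


def diverse_double_compile(suspect: Binary, trusted: Binary,
                           source: str = SOURCE_COMPILER) -> bool:
    """DDC: rebuild the suspect compiler from its source through an
    independent trusted compiler and compare with the suspect's own
    self-build. Assumes deterministic (reproducible) compilation, so that a
    mismatch can only come from behaviour not present in the source.
    Returns True if the suspect binary is consistent with its source."""
    stage1 = compile_with(trusted, source)   # source built by the trusted chain
    stage2 = compile_with(stage1, source)    # same source, built by stage1
    regen = compile_with(suspect, source)    # same source, built by the suspect
    return stage2 == regen


if __name__ == "__main__":
    clean = Binary("compiler")
    evil = Binary("compiler", inject=True)
    trusted = Binary("compiler")   # e.g. an independently written compiler
    print("login built by trojaned compiler has backdoor:",
          compile_with(evil, SOURCE_LOGIN).backdoor)
    print("DDC passes for clean compiler:", diverse_double_compile(clean, trusted))
    print("DDC passes for trojaned compiler:", diverse_double_compile(evil, trusted))
```

The interesting failure case is also visible in the model: if the "trusted" compiler carries the same trojan, `stage2` is trojaned too and the comparison passes. DDC's strength comes from diversity, meaning the second compiler must be independent enough that one attacker could not have subverted both, and from reproducible builds, without which bit-for-bit comparison is meaningless.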
Re: so... (Score:2)
Re: (Score:1)
Citation of it actually working needed
Wheeler demonstrates it as part of his PhD thesis defense.
There is a video of the defense, look at the 47:40 mark.
Or, you could read his paper and reproduce the results yourself.
Look at the linked page for the section "Detailed data to duplicate the experiments".
Re: (Score:1)
Re: so... (Score:1)
Re: (Score:2)
If you install this, the bad guys already have control of your phone and your laptop
Sounds like hiring a family of hyenas to guard your sheep!
Re: (Score:3)
The idea is you use a spare phone and put it somewhere that it hopefully won't be taken.
Re:so... (Score:5, Interesting)
nah, the phone can be taken. The example given is phone placed on top of lappy in safe. Once phone sees evidence of tampering (movement, light level change, etc.) it starts taking pics and audio, and sends them to you over a Signal channel, SMS, or .onion host.
This isn't to prevent access to your devices (hard), it is to tattle tale that access has happened (easy).
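The detection logic the comment above describes (calibrate on a quiet room, then treat motion or a light change as evidence of tampering and log it) as an added example. This is editor-written Python, not Haven's Android code; the readings are a constructed trace standing in for accelerometer (m/s^2) and ambient-light (lux) samples, and the thresholds and cooldown are assumptions chosen for illustration.

```python
"""Sensor-based tamper detection: learn a baseline, flag deviations, log them.
Added example; not code from the Haven project."""
from dataclasses import dataclass
from math import sqrt
from statistics import mean, pstdev
from typing import List, Optional, Tuple


@dataclass
class Reading:
    t: float                           # seconds since monitoring began
    accel: Tuple[float, float, float]  # accelerometer x, y, z in m/s^2
    lux: float                         # ambient light level


@dataclass
class Event:
    t: float
    kind: str      # "motion" or "light"
    value: float   # accel magnitude or lux at the time of the event


def magnitude(a: Tuple[float, float, float]) -> float:
    x, y, z = a
    return sqrt(x * x + y * y + z * z)


class TamperMonitor:
    """Calibrate on the first `calib_n` readings, then raise an Event when a
    reading departs from the baseline by more than a threshold. Thresholds are
    the larger of a fixed floor and k standard deviations of the calibration
    window, so a perfectly still baseline (stdev 0) still needs a real change.
    A per-kind cooldown keeps one disturbance from producing a flood."""

    def __init__(self, calib_n: int = 10, accel_k: float = 6.0,
                 accel_floor: float = 0.5, lux_k: float = 6.0,
                 lux_floor: float = 20.0, cooldown: float = 2.0):
        self.calib_n = calib_n
        self.accel_k, self.accel_floor = accel_k, accel_floor
        self.lux_k, self.lux_floor = lux_k, lux_floor
        self.cooldown = cooldown
        self._calib: List[Reading] = []
        self._base = None        # (accel_mean, accel_thr, lux_mean, lux_thr)
        self._last: dict = {}    # kind -> time of the last emitted event
        self.events: List[Event] = []   # the log of everything noticed

    def _calibrate(self) -> None:
        mags = [magnitude(r.accel) for r in self._calib]
        luxes = [r.lux for r in self._calib]
        self._base = (mean(mags), max(self.accel_floor, self.accel_k * pstdev(mags)),
                      mean(luxes), max(self.lux_floor, self.lux_k * pstdev(luxes)))

    def _fire(self, t: float, kind: str, value: float) -> Optional[Event]:
        last = self._last.get(kind)
        if last is not None and t - last < self.cooldown:
            return None          # same kind already reported within cooldown
        self._last[kind] = t
        ev = Event(t, kind, value)
        self.events.append(ev)
        return ev

    def feed(self, r: Reading) -> List[Event]:
        """Consume one reading; return the events it triggered (maybe none)."""
        if self._base is None:
            self._calib.append(r)
            if len(self._calib) >= self.calib_n:
                self._calibrate()
            return []
        a_mean, a_thr, l_mean, l_thr = self._base
        fired: List[Event] = []
        mag = magnitude(r.accel)
        if abs(mag - a_mean) > a_thr:
            ev = self._fire(r.t, "motion", mag)
            if ev is not None:
                fired.append(ev)
        if abs(r.lux - l_mean) > l_thr:
            ev = self._fire(r.t, "light", r.lux)
            if ev is not None:
                fired.append(ev)
        return fired


# Constructed trace (not real sensor data): ten quiet seconds with the phone
# lying still in a dark safe, then the door opens and the phone is picked up.
SAMPLE = [Reading(float(t), (0.0, 0.0, 9.81), 0.5) for t in range(10)] + [
    Reading(10.0, (0.0, 0.0, 9.81), 0.5),
    Reading(11.0, (0.0, 0.0, 9.81), 0.5),
    Reading(12.0, (0.0, 0.0, 9.81), 180.0),   # light floods in
    Reading(12.5, (1.2, 0.4, 11.5), 185.0),   # phone picked up; light in cooldown
    Reading(13.0, (0.5, 0.2, 10.0), 200.0),   # small jolt below threshold
    Reading(15.0, (0.0, 0.0, 9.81), 190.0),   # cooldown over: light reported again
]


def run(trace: List[Reading]) -> List[Event]:
    mon = TamperMonitor()
    for r in trace:
        mon.feed(r)
    return mon.events


if __name__ == "__main__":
    for ev in run(SAMPLE):
        print(f"t={ev.t:5.1f}s  {ev.kind:6s}  value={ev.value:.2f}")
```

In a real deployment each Event would be the trigger for capturing a photo or audio clip and pushing a notification out over whatever channel is available; the part shown here is only the decision of when to do that. Note the two failure modes a practitioner cares about: a baseline taken while the room is not actually quiet makes the monitor blind, and without the cooldown a single tamper produces hundreds of alerts.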
Re: (Score:1)
Nah. Ole Pootin will have a direct backdoor to the app.
or just wait for the battery to die (Score:2)
or just wait for the battery to die
Re: (Score:2)
That is not what this is about. Common thieves steal the laptop. Actual "bad guys" do _not_ steal it, they tamper with it.
Sweet irony (Score:2)
Very interesting use case and development, but it is somewhat amusing to see that Snowden is posting his privacy apps to Google Play (in addition to F-Droid)... It's not a good message to send to people, in my opinion.
I think it's time that we get something alternative to Google and Apple, like project eelo.io seems to be starting [kickstarter.com].
Collaborators? (Score:2, Interesting)
Re: (Score:2, Interesting)
In a perfect world, the open source community will drag a fine tooth comb through the code and we could be sure there was nothing malicious, but I don't believe in that world yet.
I think you are wise not to. [ioccc.org]
Over the years that contest has produced some stunning entries, including some that had as many as three different unrelated major functions contained in the same body of code. There is more than one way to hide secondary functionality of a program, some of which you would have to be quite clever to detect. The fact that Snowden is involved would serve to cause many people to drop their guard even if they had the skill and mindset to detect such obfuscated functionality.
Re: (Score:1)
You're wise not to, but not for the stupidity you posted. It's wise not to believe it simply by the fact that the open source community has already shown that almost no code gets regularly audited and most members don't have the ability to audit code even if they were doing so on a regular basis. OpenSSL isn't an IOCCC entry and yet was chock full of security holes despite the supposed "many eyes" constantly looking over the source code.
Re: (Score:2)
True, but...
OpenSSL was full of [assumed] accidental holes.
IOCCC proves it's trivially possible to make those accidental holes intentionally.
Re: (Score:2)
You give them access to the sensors on an old phone that you're not using anymore. It repurposes the phone as a security device.
Re: (Score:2)
And possibly repurposes your cellular and/or wifi network as a covert communications channel; but for whom?
Re: (Score:1)
In a perfect world, the open source community will drag a fine tooth comb through the code and we could be sure there was nothing malicious, but I don't believe in that world yet.
The open source community can't even do that for libraries already known to not be malicious. In fact, the open source community lazily introduces bugs and then doesn't fix them for years. [schneier.com]
Re: (Score:2)
I doubt anyone in the "open source community" ever analyzed a piece of open source and combed over the source code.
I don't even compile stuff myself, but download the binaries.
The last thing I cloned from github was the source code of the groovy language. Close to 270k files ... who will ever review them?
Completely safe and secure (Score:2, Insightful)
I'm sure that after requiring full access to all your phone's sensors, the app would never share that data with Russian hackers.
Re:Completely safe and secure (Score:4, Informative)
Re: (Score:1)
Strange as it may seem to you, that isn't a guarantee that it:
- Is free of bugs
- Has no subversive behavior
- Has no hidden or obscured features
Even if you want to trust the contributors of that code, has either their development environment or the distribution means been compromised?
Has anyone publicly stated that they have audited and tested the code? I might trust the OpenBSD project contributors.
Re:Completely safe and secure (Score:4, Informative)
I'm sure too. The source code is here: https://github.com/guardianpro... [github.com]
Re: (Score:2)
Why would you trust people rather than trust code? The pope himself could sign it. Makes no difference.
A fool and his privacy (Score:2)
... are easily separated.
DA! (Score:3, Insightful)
KGB Phone!
Physical vs network (Score:2)
They know the room the interesting person is in due to the hotel, CC, ID used.
Everything networked in the room can be set to collect it all during your stay.
Sooner or later that secure laptop on average under the cell phone is going to be online again.
Having a need to use such software just makes the security services more sure the person is worth collecting on.
Once the security service know a person has such software their hotel
Re: (Score:2)
The word hotel is mentioned a few times
"You lock your laptop in a hotel safe"
"like the hotel’s network"
"phone in a hotel safe"
" considering hotel safes are not very secure"
If you want to know about the smart TV part AC try Weeping Angel "CIA, MI5 hacked smart TVs to eavesdrop on private conversations"
http://www.zdnet.com/article/h... [zdnet.com]
So it's a nannycam? (Score:2)
Here, have another one! [google.com]
Snowden and Fancy Bear (Score:2)
So Snowden releases a 'spy app' on the same day the scope of Fancy Bear operations against journalism are exposed.
Um, no connection here, nothing to see, move on.
Disk is encrypted? (Score:1)
If that's the case, you're not doing "encrypted" properly.
Comment removed (Score:5, Insightful)
Re: (Score:2)
check wikipedia or the guardian project to figure out what this man actually did and who he worked for.
That's really good advice. I believed the original reports about Snowden and let's just say that they ended up being very far from the truth. Some time ago I did exactly what you suggest and I was very surprised to find out that Snowden's life was actually quite different from what some reports claimed.
he should make an app that detect activities that (Score:1)
He should make an app that detects activities that we like to keep private and alerts the user whenever they are detected, to make them more aware of the privacy implications of having a computer with so many sensors in your pocket all the time.
And where are Snowden and his friends living now? (Score:2)
I know, they are living in a freedom loving country that offered asylum because of its long standing commitment to open culture, citizen privacy, and free speech, so they felt it was important to protect the noble whistleblower. A country that leads the world in its protection of open journalism and has for centuries, well decades anyway, led the struggle against state surveillance of citizens.
Apparently they were so impressed with Snowden's nobili
Re: (Score:1)
HE IS HERO FOR ALL PEOPLES
Re: (Score:1)
Hero of the Soviet Union!
Re: (Score:2)
Isn't HERO FOR ALL PEOPLES == Hero of the Soviet Union?
Re: Who was Haven written by? (Score:2, Funny)
He has skills. He wrote his own WordPress theme.
Re: (Score:2)
Ooooh... a wordpress theme! Wow! Knowing that really makes me think he could code a secure application on Android without screwing it up!
Re: (Score:3, Insightful)
Those were my thoughts as well; however, despite the ego of software developers, making an app like that doesn't take super programming abilities, just some time and effort.
But my main worry is why should I trust an App built by a guy who admitted stealing NSA data? It is like getting your keys duplicated by an admitted house burglar.
Re: (Score:2, Flamebait)
... who is living in Russia at the pleasure of the Russian Government. Do you REALLY want to give a Russian-supplied application access to all the device's sensors? I know it's open source, but a lot of stuff can get hidden in code...
Re: (Score:2)
I know it's open source, but a lot of stuff can get hidden in code...
Because we're all running background checks on the authors of the OSS we use, right? Or maybe you are looking to see if they use words like "comrade" in their comments. That's probably good enough.
Re: (Score:2)
Because:
1) he did not steal the data
2) he published it, and that is his crime
3) he is concerned about your privacy and gives you a tool to protect/warn you from/about NSA and other guys putting surveillance devices into your room
Re: (Score:3)
It depends on whether you think that he stole data from the NSA, or that he took data from the NSA gathered from the people it was supposed to serve as proof of their illicit activities.
There is a big difference between a selfish coward and someone who risks everything for what is right. It would be nice if people had enough attention span to discern between the two, but it could also be because most people cannot relate to sacr
Re: (Score:2)
making an app like that doesn't take super programming abilities, just some time and effort
Sooo.... like most software?
But my main worry is why should I trust an App built by a guy who admitted stealing NSA data?
It's OSS. I guess you hope that not a few people will be poring over the code looking for issues.
https://github.com/guardianpro... [github.com]
I seriously doubt Snowden had much to do with this other than giving it his stamp of approval. The primary (only?) contributor is not Snowden (obviously).
Re:Who was Haven written by? (Score:5, Insightful)
He is a whistleblower because he published documents proving that the US government agency he was contracted to work for violated the law. I'm not sure why you are directing your anger at him.
Re: (Score:2)
You really freaking don't get Snowden or why some of us appreciate him. There's not been any soup. I don't even know what you're comparing to the soup, and I actually don't think you do either. You couldn't even explain that payoff or gratifying factor.
It doesn't take much historical or political theory to see why what the NSA is doing fundamentally breaks the contract between the government and citizens that characterizes the USA. If you're an authoritarian and might makes right, well... you don't unde
Re: (Score:1)
Even if he did go searching for something and even if he did do it for fame (I don't believe so, given all he sacrificed. And his demeanor did not suggest that -- watch Laura Poitras' film.), he IS in fact a whistleblower who outed the US government for illegal activity. He did America and all Americans a favor.
Re: (Score:2)
And second of all I don't know how much it did benefit me. Do you think the government stopped those programs and didn't replace them? I'm certainly not sure.
And your opinion of his performance in a movie is truly irrelevant.
Re: (Score:2)
His motivation is as irrelevant as whether he parts his hair on the left or right. Nor, for that matter, does his seeking asylum in Russia. What is relevant is not Snowden; what is relevant is the illegal and unconstitutional practices of agencies of the USA government that Snowden exposed.
Your comments, Sir, have as much value as the food critic who damns the pastry chef for wearing a plaid apron over a striped shirt.
This is not an ad hominem attack. I don't know you well enough for that. This is an atta
Re: (Score:1)
Re: (Score:2)
You are failing to recognise that Snowden's actions and motivations are only germane to a very minor distraction from the major story that concerns the contents of the data he released. Why is this distraction so important? Does the color of the envelope affect the meaning of the message in the letter?
I think not.
I don't much care why Snowden did what he did or whether he was a heroic patriot or a snivelling traitor. I don't think anyone outside his circle of family and acquaintances should care very much
Re: (Score:2)
Re: (Score:1)
(I don't believe so, given all he sacrificed. And his demeanor did not suggest that -- watch Laura Poitras' film.),
CNN headline: Snowden to newspaper: I took contractor job to gather evidence [cnn.com]
Laura Poitras was a collaborator with Snowden [theintercept.com]. Why would you think she would portray him in a bad light?
Re: (Score:1)
Chris, people are now openly and proudly mocking you. You and your 6 YouTube subscribers.
Re: (Score:2)