Dear friends,
I just wanted to let you know that a reader and a member of the Saker community has pointed me to two other products which we can trust with a relatively high degree of confidence:
Jitsi Meet: https://meet.jit.si/ (secure video conferencing through the browser)
Open Whisper: https://whispersystems.org/ (secure messaging and calling)
I won’t discuss these here other than to recommend that you look into these options.
Kind regards,
The Saker
Open Whisper Systems (makers of Signal) is a US-based company (San Francisco). I’m sure they’re nice people and all but they live in a country which makes it impossible to trust them. See for example https://www.rt.com/usa/389483-apple-transparency-report-nsl/ on how the government can force any company to reveal information about their customers (National Security Letters or NSLs) *and* keep quiet about it.
From the article: “NSLs include gag orders that restrict companies from divulging the request or even notifying the customer whose account was the subject of the order”. I really doubt Open Whisper Systems would break this and risk having their company shut down or, worse… go to prison.
The content of the conversations is end-to-end encrypted but metadata (contact names, calls, durations, …) is sent to their servers.
This also reminds me of what Pavel Durov once said:
http://telegramgeeks.com/2015/11/nsa-tried-to-recruit-telegram-developers-as-spies/
but they live in a country which makes it impossible to trust them.
By that logic I ought to distrust myself.
And Richard Stallman
And Phil Zimmermann
and about 80% or so of the free and open source software out there.
dunno about you, but even I am not that paranoid ;-)
Even if the developers can be trusted, the platforms on which the app is offered don’t inspire much trust at all (just micro$uxx is missing). Before encryption, all data is fully accessible to the OS, and any uninvited guest lurking around.
Despite all the FBI talk against encryption software, public records show that Radio Free Asia, a broadcaster funded by the United States Congress to help advance their foreign policy in East Asia, in 2012 created the Open Technology Fund, which in turn gave over a million dollars to Open Whisper Systems, the company responsible for developing the iOS and Android encryption apps Signal, Redphone and TextSecure, apps recommended in Twitter by various Islamic State members.
It is very bizarre that American taxpayers are financing development of the same encryption software that American officials say are helping terrorists evade surveillance and supposedly threatening intelligence services of “going dark”.
Some cybersecurity experts suggest that the NSA could be behind the funding to try to stay one step ahead of the game, presumably by influencing the development of the apps or gaining internal knowledge…
http://www.hacker10.com/other-computing/u-s-government-funding-encryption-apps-used-by-the-islamic-state/
For those whose privacy is a necessity or plainly a RIGHT I would recommend “own solution” instead: a mixture of AES with “Security through obscurity”.
To give you an idea of what I am talking about, below is a screenshot that I took a moment ago:
https://postimg.org/image/xwbml7x6b/
It’s a common bash script that has internally embedded keys, and is stored externally on a USB stick ( each person needs to have it, so physical contact is required to avoid any risks of disclosures ).
When you need it you simply plug it in, and then a file or message is passed to the receiver by any means ( like in forums as a private message … etc ).
So make yourself a similar solution ( Internet offers heaps of samples to start with ), or if Saker permits I could upload and share it with you ( however I would need to make some modifications before; remove my private stuff and substitute it with some sort of template ).
if Saker permits I could upload and share it with you
I have no objections to that, but I would recommend that you use a pastebin and not try to upload code here as WordPress might intercept it (dunno)
Cheers!
I will post a link to zipped files, it’s better that way for newcomers to Linux.
My apologies for being late.
Below is a link to a bash script I made as a template.
http://www43.zippyshare.com/v/dEzCNqvd/file.html
I decided to go with openSSL, because most systems have it installed.
The SCRIPT is fully working, however the true purpose of it is to give newcomers a start and an idea of “own solution” ( even the simplest solution is a step forward ).
You can change it to anything ( incl. OpenPGP ), but my recommendation is to go even further – make your own unique “wrapper” or AES based engine that is unique and not compatible with AES at all.
Copy this script ( and keep it ) on a USB stick. When you need it ( in the Office ), run it, and make sure that your friend has the same script on another USB. Both of you MUST keep it SAFE at all times.
The SCRIPT clears the clipboard and history upon EXIT.
Terms of Use:
You can use it, edit …. etc … however I do NOT take any responsibility, so if you disagree with me – DO NOT USE IT. DO NOT DOWNLOAD IT. This post ( and script ) have an educational character only.
Final word:
Make it bigger and better for your own use !
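The shared-key exchange described in the comment above, as an added example that is not the commenter's script: both parties hold the same random key file (assumed here to sit on the USB stick, its path passed as the first argument), and messages are encrypted with `openssl enc` AES-256-CBC and authenticated with an HMAC. The function names, the `mac-v1` label and the `ciphertext.tag` message format are choices made for this example.

```shell
#!/usr/bin/env bash
# Added example, not the commenter's script. KEYFILE (assumed path) is a random
# shared secret on the USB stick, created once: openssl rand -base64 48 > shared.key
set -u

# Derive a separate MAC key from the key file so encryption and HMAC never share a key.
# "mac-v1" is a label chosen for this example.
mac_key() {
    openssl dgst -sha256 -hmac "mac-v1" -r "$1" | cut -d' ' -f1
}

# HMAC-SHA256 of stdin. Caveat: the key is an argument, visible in local process listings.
tag_of() {
    openssl dgst -sha256 -hmac "$(mac_key "$1")" -r | cut -d' ' -f1
}

# seal KEYFILE < plaintext > "base64ciphertext.hextag" (encrypt-then-MAC)
seal() {
    local key="$1" ct
    ct=$(openssl enc -aes-256-cbc -pbkdf2 -iter 200000 -salt -a -A -pass "file:$key") || return 1
    printf '%s.%s\n' "$ct" "$(printf '%s' "$ct" | tag_of "$key")"
}

# unseal KEYFILE < message > plaintext; refuses to decrypt if the tag does not match
unseal() {
    local key="$1" msg ct tag
    msg=$(cat)
    ct=${msg%.*}; tag=${msg##*.}
    [ "$tag" = "$(printf '%s' "$ct" | tag_of "$key")" ] || { echo "integrity check failed" >&2; return 1; }
    printf '%s\n' "$ct" | openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -a -A -pass "file:$key"
}

# Constructed demo: throwaway key, one round trip, then a modified copy is rejected.
demo() {
    local k m
    k=$(mktemp); openssl rand -base64 48 > "$k"
    m=$(printf 'meet at noon' | seal "$k")
    printf '%s' "$m" | unseal "$k"; echo
    printf 'A%s' "${m#?}" | unseal "$k" || echo "modified message rejected"
    rm -f "$k"
}
demo
```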