BreachExchange mailing list archives

Previous By Date Next
Previous By Thread Next

Dark Mail Alliance promises virtually NSA-proof email next year

From: Lee J <lee () riskbasedsecurity com>
Date: Fri, 1 Nov 2013 14:06:35 +1100
http://www.theregister.co.uk/2013/11/01/dark_mail_alliance_promises_nearly_nsaproof_email_next_year/

The Dark Mail Alliance has revealed more details of plans to build a
secure, encrypted email system that's surveillance-proof, provided the
user's machine isn’t already pwned.

Jon Callas, CTO of Silent Circle and
cofounder<http://www.theregister.co.uk/2013/10/31/lavabit_and_silent_circle_create_dark_mail_alliance_to_stop_snoops/>
of
the Dark Mail Alliance <http://www.darkmail.info/>, told *The Register* that
the idea for the service came when he met up with Ladar Levison, founder of
the now-defunct encrypted email service Lavabit, at a conference last month
– and they started discussing the current state of government eavesdropping
and what to do about it.

"It's got to be better to start from a position of near total security and
then work down as needed, rather than starting with no security and then
add on code to try and make it more secure," Callas said.

Both have the skills needed to set up such a system. Callas, and fellow
Silent Circle partner Phil Zimmermann, were members of PGP, the firm that
brought encryption to the masses in the early 1990s, and recently set
up<http://www.theregister.co.uk/2013/04/06/silent_circle_private_email_expansion/>
secure
communications biz Silent Circle.

For nearly a decade Levison ran Lavabit (formerly Nerdshack) to make sure
that email users could encrypt their messages and store them safely, before
shutting <http://www.theregister.co.uk/2013/08/08/lavabit_shuts_down/> the
service down rather than compromise his users' security.

The full details on the Dark Mail Alliance system will be published in a
white paper shortly, but in a nutshell the system uses SMTP and Extensible
Messaging and Presence Protocol (XMPP) systems. The user generates a
private key on their device and has public keys on an open server; sent
emails are encrypted and stored in the cloud for pickup as needed.
'It's as secure as it can be, we think'

"Anyone monitoring the email would be able to see the size of the message
but that's about it," Callas explained. "Of course, if the owner's device
has already been subverted by malware then the private key can be found,
but it's as secure as it can be, we think."

The team will open source all of the code and invite the community to poke
holes in it and find weaknesses. The first version of the basic code will
be out next year, Callas said, but the team also wants to build components
that would allow companies and email providers to easily add the technology
to their systems.

So far interest in the system has been high, Callas said, with many people
in the security industry getting in touch wanting either more details or
offering to help. However, no one from the government has been in contact
at this time.

Services such as this are bound to bring up the accusation that the Dark
Mail Alliance is aiding the four horsemen of the infocalypse: terrorists,
organized crime, pedophiles, and drug dealers. Callas refuted this,
pointing out that there are already many existing laws for getting access
to an individual suspect's emails that would work just fine and that the
group is "not fond of bad guys."

He pointed out that in the case of Lavabit, Levison was happy to help with
law enforcement requests for assistance. But he shut down the email service
because federal investigators looking into Edward Snowden's account wanted
full access to*everyone's* email on the site, not just their target's.

As for the name of the group, it has been reported that the inspiration for
Dark Mail Alliance is somewhat *Star Wars*-based. But Callas pointed out
that "dark" also means hidden or secret, as well as complex and rich, as in
"a dark voice."

"We had a discussion among ourselves about what to call Dark Mail, and we
one of the reasons that we decided we liked it was that it is a complex
word," he said.

"Moreover, one of the the major corrosive effects of mass surveillance is
that it causes people self-edit, to fear to do things unseemly, to be safe.
We didn't want to call it 'Shiny Happy Mail.' Dark Mail for us reflects our
dark humor as well as the dark humors that surveillance puts us in," he
said.

"I think it's sad that there's been a flutter over 'dark' because it can
mean only some things to some people. That is, however, the sort of thing
that isn't unexpected. These are dark times, and it's hard to have a dark
laugh." ®

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

# OWASP http://www.appsecusa.org
# Builders, Breakers and Defenders
# Time Square, NYC 20-21 Nov
o()xxxx[{::::::::::::::::::::::::::::::::::::::::>

Risk Based Security (http://www.riskbasedsecurity.com/)
Risk Based Security offers security intelligence, risk management services and customized security solutions. The 
YourCISO portal gives decision makers access to tools for evaluating their security posture and prioritizing risk 
mitigation strategies. Cyber Risk Analytics offers actionable threat information and breach analysis.
Previous By Date Next
Previous By Thread Next

Current thread: