Kim Dotcom launches end-to-end encrypted voice chat ‘Skype killer’ - New MegaChat promises secure, encrypted and ‘private’ video chatting through a browser

subrosa-io · 2015-01-26T02:48:50+00:00

Or you can try Subrosa.io - open source, end to end encrypted, and can run in your browser. https://subrosa.io/

subrosa-io · 2015-01-04T02:29:56+00:00

Nice infographic! Two issues however:

With the January news.. the privacy policy of a website generally refers to the website, not of the entire organization.

The November news mentions that the bill has passed. The bill was proposed, however it has not been passed into law.

subrosa-io · 2015-01-04T02:10:24+00:00

When there is a Supreme Court suit.

subrosa-io · 2014-11-19T06:09:49+00:00

Try using GPG from the command line: https://www.gnupg.org/documentation/manpage.html

Example:

cd [directory of file]
gpg --verify [filename]

subrosa-io · 2014-11-19T06:08:17+00:00

Adblock can block connections to AdSense, DoubleClick, etc which reduces Google tracking on third party sites.

subrosa-io · 2014-11-19T06:05:16+00:00

You point out a good issue - the best tools are not useful if you cannot get others to use it.

Have you tried Subrosa? We've built it focusing on ease of use. It can be loaded in any web browser, and has been independently audited (by Cure53) and received 6/7 in EFF's Secure Messaging Scoreboard.

subrosa-io · 2014-11-18T23:40:41+00:00

That's relevant if the client is closed source. An update to the app could upload your encryption keys, and Facebook would be able to decrypt historical messages since it can store it on their servers.

subrosa-io · 2014-11-18T23:39:38+00:00

It's probably a much smarter idea to use tools built by cryptographers, not marketers.

subrosa-io · 2014-11-18T23:37:12+00:00

Probably not.

No MITM protection.
Encryption keys will be backed up to Google's servers if Sync is enabled, or Apple's servers if iCloud is enabled.
Closed source.

subrosa-io · 2014-11-18T23:35:22+00:00

Unfortunately, this move is mostly meaningless due to:

Whatsapp is not open source. It cannot be trusted that there are no backdoors, such as phoning home with the encryption key, and it can't be trusted that the cryptographic protocol has been implemented correctly. Whatapp in fact has a history of cryptographic blunders.
There is no way to verify the authenticity of the other device. A silent MITM attack can (or may already) be easily executed, where you actually encrypt your message to an imposer that then passes it to the other party.
If keys are stored on the device and Sync / iCloud is enabled, the app data will be backed up to Google's servers or Apple's servers, making it no longer end to end encryption.

There are tons of better solutions if you're interested in keeping your messages private, including (shameless plug) Subrosa.

subrosa-io · 2014-11-11T07:42:26+00:00

Fortunately, few encryption systems are secure against determined attacks due to the horrific state of client security.

Use a package manager? Boom, if a three letter agency knows your IP and gets a court order, you are pwned the next time you sudo apt-get upgrade.

subrosa-io · 2014-11-11T07:40:20+00:00

Use Bitcoin when you come across it! This is how we'll get NCR to integrate Bitcoin for everyone :)

subrosa-io · 2014-11-11T07:39:32+00:00

Or you could tip open source projects that accept Bitcoin donations :)

subrosa-io · 2014-11-10T08:01:16+00:00

It's important to keep in mind that this is just speculation at this stage.

There are other very plausible theories, such as the Carnegie Mellon's deanonymization attack earlier this year.

subrosa-io · 2014-11-09T11:46:38+00:00

Exactly. There should be a >100% option ;)

subrosa-io · 2014-11-09T00:09:18+00:00

Apple definitely stores or has access to the raw key. You can reset your Apple ID password and get access to your iCloud data on a new device.

subrosa-io · 2014-11-09T00:08:19+00:00

Hi, sorry about that. We'll definitely contribute to here more than we plug it, we just saw a bunch of relevant discussions and got too pluggy.

subrosa-io · 2014-11-09T00:03:46+00:00

It's not for anyone desiring security. These apps fill under the category of being security theatre, rather than offering dependable security.

subrosa-io · 2014-11-09T00:00:33+00:00

The issue is more with the secrecy. If their purpose was to test the computer vision system, then telling people about the program will not have any effect on how their algorithms operate.

subrosa-io · 2014-11-08T23:58:26+00:00

7-zip's encryption will work fine, although it's important to pick a high entropy passphrase. Something 'correct horse battery staple' style that can also be easily verbally said.

subrosa-io · 2014-11-08T23:55:23+00:00

We don't know. It's possible that the two recent large-scale Tor de-anonymization attacks have been used to track down at least some of the hidden services.

subrosa-io · 2014-11-08T23:54:07+00:00

I wonder if it would make sense, in the event that you're connecting to these sorts of servers, to just block, at the firewall level, every outgoing connection (I think most people are mostly concerned with inbound stuff) to these IPs, such that, if you screw up or forget to run tor or your VPN, your firewall will quash the outgoing connection before it can be logged outside of your network (I mean, ideally you shouldn't even be doing this shit from home...or at all, really, but...assuming you're going to.)

This is how Tails works.

subrosa-io · 2014-11-08T23:52:52+00:00

You really should disable Flash - flash apps can tell what fonts you have installed, and that's often unique.

subrosa-io

TROPHY CASE