Author: John Durret

  • Tor proxy anonymous Instant Messenger


    Torsion IM (renamed Ricochet in June 2014) is a decentralized real-time instant messenger, an alternative to TorChat, that runs on the Tor network. It is available for Windows, Mac and Linux. During installation you will be given the option to connect directly to the Tor network or, if you are behind a restrictive firewall or in a country that filters the Internet and blocks Tor nodes, to adjust your network settings.

    Inside the Torsion Ricochet network settings you can specify any open port that is not blocked by your firewall, or enter a Tor bridge address that will get around ISP censorship. Tor bridge relays are not listed anywhere; you can only get them via email, following the instructions described on the Tor project website.

    Tor proxy instant messenger Torsion

    There is no need to create an account: a Torsion IM Ricochet contact address is created automatically for you when you install the software, in the form “ricochet:hslmfsg47dmcqctb”. This also serves as your login credential; there is no password and registration details are virtually zero: no email, nothing at all, just a cryptic torsion: address (changed to ricochet: in June 2014) and the nick of your choice. The messenger interface is as easy as pie: it has two buttons, a plus sign where you add a torsion ID contact address to chat with that person, and a settings button that lets you see your list of contacts and remove them.

    You will not have to separately install Tor software to get Torsion IM Ricochet running; the program automatically connects to the Tor network. You can browse the Internet with your real computer IP while the messenger chat is anonymously routed through Tor. I tried to run Torsion IM Ricochet from behind a VPN (L2TP) and it worked smoothly, with no lag and no network trouble.

    This is a marvellous metadata-free instant messenger that gets the job done: no emoticons, sounds or distractions of any kind, just plain text to get to the point when planning the next revolutionary action over the Tor network. Without any central server that could be compromised, and with data encrypted over the wire, it can resist censorship and monitoring.

    Torsion IM Ricochet has not been audited by anybody, but it is open source and fairly well documented. The messenger will not interoperate with other protocols and both parties need to be using the same program. When convincing your friends to stop using insecure Windows Live Messenger and Yahoo, you have the wonderful benefit of not having to explain to them what Tor is: Torsion IM Ricochet configures itself to use the Tor network during installation, so people can use it straight away without reading any manual and without it affecting their browser settings.

    Note: Experimental and not endorsed by the Tor project.

    Visit Ricochet IM homepage

  • Conceal secret messages inside text with SNOW steganography


    SNOW is a free program to hide messages inside ASCII text. For those who don’t know, ASCII stands for American Standard Code for Information Interchange, a binary scheme for representing English characters in computer language that can be read by nearly all text editors. Although UTF-8 is replacing ASCII as the language of the world wide web, ASCII is the default format for saving text on Unix and DOS operating systems.

    The program is a tiny command line utility of just 60Kb, downloadable as a Windows executable or as a Java applet to work with other operating systems such as Linux. SNOW comes with a manual listing the available commands and real examples. Do not be scared of the command line, it is not hard to use. The source code is also available for download so that others can review it.

    SNOW ASCII text steganography tool

    SNOW steganography takes advantage of the white space found in text messages and hides invisible text inside it; this keeps the visual appearance of the text intact and does not raise any suspicion among watchful eyes. Security is heightened with compression, to fit more text inside the white space, and with encryption using ICE, an open source symmetric 64-bit block cipher designed by the same author to withstand cryptanalysis and guard against detection.
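To make the whitespace trick concrete, here is an added example (not SNOW's own code) that hides bytes as trailing spaces and tabs and then shows the simple trailing-whitespace check that exposes such a carrier. It uses a simplified scheme of its own and a constructed cover text, with none of SNOW's compression or ICE encryption.

```python
# Whitespace steganography in the style of SNOW: hidden bits ride as trailing
# spaces and tabs that text viewers do not display. This is a simplified,
# constructed scheme for illustration, not SNOW's real encoding, compression
# or ICE encryption. trailing_whitespace_ratio() is the check a reviewer or
# mail gateway would run to notice that a "plain" text file carries a payload.

BITS_PER_LINE = 8        # hidden bits appended to each cover line
LENGTH_FIELD_BITS = 16   # big-endian byte count stored ahead of the message


def _to_bits(data: bytes) -> str:
    return "".join(f"{b:08b}" for b in data)


def _from_bits(bits: str) -> bytes:
    usable = len(bits) - len(bits) % 8          # drop any incomplete final byte
    return bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))


def hide(cover: str, secret: bytes) -> str:
    """Return cover text with `secret` appended as trailing whitespace.

    Space encodes 0, tab encodes 1. Raises ValueError when the cover has too
    few lines to carry the length field plus the message.
    """
    if len(secret) >= 1 << LENGTH_FIELD_BITS:
        raise ValueError("secret too long for the 16-bit length field")
    payload = f"{len(secret):0{LENGTH_FIELD_BITS}b}" + _to_bits(secret)
    lines = cover.rstrip("\n").split("\n")
    capacity = len(lines) * BITS_PER_LINE
    if len(payload) > capacity:
        raise ValueError(f"cover carries {capacity} bits, message needs {len(payload)}")
    out = []
    for i, line in enumerate(lines):
        chunk = payload[i * BITS_PER_LINE:(i + 1) * BITS_PER_LINE]
        tail = "".join("\t" if bit == "1" else " " for bit in chunk)
        # existing trailing whitespace is stripped so decoding is unambiguous
        out.append(line.rstrip(" \t") + tail)
    return "\n".join(out) + "\n"


def reveal(stego: str) -> bytes:
    """Recover the message hidden by hide(); returns b"" if nothing is there."""
    bits = ""
    for line in stego.split("\n"):
        visible = line.rstrip(" \t")
        bits += "".join("1" if c == "\t" else "0" for c in line[len(visible):])
    if len(bits) < LENGTH_FIELD_BITS:
        return b""
    n = int(bits[:LENGTH_FIELD_BITS], 2)
    return _from_bits(bits[LENGTH_FIELD_BITS:LENGTH_FIELD_BITS + 8 * n])


def trailing_whitespace_ratio(text: str) -> float:
    """Detection heuristic: share of non-blank lines ending in space or tab.

    Ordinary prose sits near 0.0; a SNOW-style carrier sits near 1.0.
    """
    lines = [l for l in text.split("\n") if l.strip()]
    if not lines:
        return 0.0
    return sum(1 for l in lines if l != l.rstrip(" \t")) / len(lines)


# Constructed cover text (five short lines) used for the demonstration.
COVER = ("Meeting moved to Thursday.\nBring the slides.\nLunch is provided.\n"
         "Room 4B as usual.\nThanks all.\n")

if __name__ == "__main__":
    stego = hide(COVER, b"hi")
    print(repr(reveal(stego)))                       # b'hi'
    print(trailing_whitespace_ratio(COVER), trailing_whitespace_ratio(stego))
```

Stripping trailing whitespace from a document before forwarding it destroys the channel, which is why a text normaliser at a mail gateway is an effective countermeasure to this class of carrier.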

    This is a superb, unexpected way to send secret messages to other people, the only downside being that, unlike messages hidden in photos, which can be distributed by uploading them to public online photo albums, you cannot copy and paste steganographic SNOW text onto a website because the data is hidden inside the white space. You will necessarily have to send the full ASCII text file to your contact, revealing metadata such as who is talking with whom. But you could upload an innocuous compressed file, e.g. a video, with ASCII text instructions included and hide the message inside the white space of that text; this would waive the need to email anybody and would not arouse mistrust.

    SNOW has been around since the nineties and has recently been released under the Apache license. It is a very well documented tool, with technical cryptanalysis information about its design as well as benchmarks.

    Visit SNOW stego homepage

  • Encrypted Instant Messenger FireFloo Communicator


    Firefloo Communicator is a portable open source instant messenger that secures communications with public and private encryption keys. The program can interact with any other messenger using the standard Extensible Messaging and Presence Protocol (XMPP), so Jabber-based messengers like Pidgin, Trillian, Gmail Chat, Coccinella and Jitsi will all be able to exchange messages with it. FireFloo Communicator will not connect with the proprietary Yahoo or Windows Live messengers. Since Yahoo Messenger has been proved vulnerable to spying by Snowden’s leaked secret documents, you will not be missing anything anyway.

    One of the strengths of the XMPP network on which FireFloo Communicator runs is that there is no central server; anybody can run an XMPP server. This decentralization makes it impossible to take the whole network down: if a public server is under attack you can connect to a different server or roll your own. It also makes wiretapping harder, as the network is comprised of multiple nodes with no single point of failure, and the echo protocol for multi-encrypted messaging takes care of packet sniffing.

    Encrypted instant messenger FireFloo Communicator

    FireFloo Communicator is one of the few instant messengers that does not require you to enter an email address to create an account; you only have to pick a username and password to start chatting with your friends. After extracting the FireFloo Communicator files to a folder, clicking on FireFloo.exe will start the chat straight away; I wasn’t asked for administrator rights when running it in Windows Vista.

    During account creation the security preferences can be tweaked, changing your encryption key size from 2048 bits up to 15369 bits, which is clearly overkill, but paranoid types should welcome it. Other security configurations include changing the default RSA key to ElGamal and changing the AES 256-bit cipher to Serpent 256, Camellia 256 or Twofish. The default security options looked fine to me; I don’t think it is necessary to modify anything, but you will not break the program if you do, it might just change software performance, such as a slightly longer lag.

    FireFloo Communicator server settings

    The FireFloo Communicator interface is simple but functional: you have five tabs from which to access FriendsList, Group Chat, Add a friend, Settings and Cryptopad, an encryption notepad where you can copy and paste encrypted text to send via insecure means such as email. The Rosetta CryptoPad also has cipher and hashing configuration options for you to customize at will. I found this additional tool a genial extension, as it only takes one extra tab and covers email encryption without needing another program for that.

    This program has only recently been released; it is still in beta and has some bumps to fix, the help manual being one of them: it doesn’t come with one. There is no mobile or Linux version, but the source code is ready to compile and one can be created. A promising instant messenger to keep an eye on, the best part being its Jabber compatibility and security, with the low points being the lack of a help manual and of basic chat features.

    Visit FireFloo homepage

    Warning 2006: Project not updated for more than 2 years, possibly dead.

  • Best smartphone apps to exchange secret messages


    Even if you take care of your personal privacy, the people you are communicating with might not be as privacy conscious or knowledgeable. If one of your contacts misplaces their phone with your private pictures and messages on it, you would also be compromised; or if they stop being your friends and become your enemies, anything you have previously sent could be used against you.

    The following smartphone apps will make it hard for others to permanently store text, photos and videos you send to them.

    Confide: It sends end-to-end encrypted messages that disappear after reading, and you get a receipt once the message has been opened. There is built-in screenshot protection that makes it difficult to take a screenshot by concealing the message until somebody swipes the screen.

    Confide smartphone app

    Telegram: Cloud-based encrypted self-destructing messages; you can create private group chats to share files and store data in the cloud, available across devices. For higher security it is best to adopt Telegram’s “Secret Chats” option, where encryption is end to end without going through any intermediary server.

    Whisper: This app posts messages and photos to your social network without revealing who you are. The idea is to allow people to share thoughts and information with people they know through a nickname. Whisper provides a huge number of photos you can customize with your own feelings before posting; you can use it to vent frustration, and people reading the messages can then choose to have a one-to-one private chat with you.

    Wickr: This app is targeted at those really serious about security. It encrypts all communications; you can send texts, videos and photos and make calls in total privacy, with an expiration date. The app has had a security audit to make sure there are no flaws, and it is used by businesses to hide their trade secrets as well as by people who want a private life; the app allows you to choose who has access to your messages and for how long.

    Self-destructing messages app Wickr

    Dust: Available for Android and iPhone, this app can send messages that self-destruct after a set number of days or hours; no data touches the memory card, nothing can be recovered, and it warns you if anybody takes a screenshot of a message you sent. You can create discussion groups and invite other Dust users.

    DontTalk: If you make a mistake sending something, the app allows you to recall messages before your friends see them; you can also set up group chats, whispers and self-destructing pop messages. This app is appropriate for those trying to protect themselves from pseudo-friends leaking the information they send, but it will not serve as protection from a law enforcement agency, although no doubt it will make their job harder.

  • Encrypted Voice over IP chat Mumble works with Tor


    Mumble is an open source VoIP program for group or P2P chat that runs on Windows, Mac and Linux, with iPhone and Android versions in beta. Mumble encryption is implemented with public/private key authentication and, unlike Microsoft-owned Skype, which supposedly also encrypts calls, in Mumble cryptography experts can scrutinise the code to make sure that the NSA has not inserted a backdoor or weakened the algorithm.

    Mumble is widely used by gamers due to its low latency and background noise reduction, resulting in superb audio quality, but you can use it for any kind of communication. Ninety per cent of the public chatrooms I visited were gaming clans, and I had to manually add activist-related Mumble servers like occupytalk. For high-privacy group calls you have to manage everything yourself, including the server; otherwise a rogue operator could carry out a man-in-the-middle attack to eavesdrop on you.

    Mumble server encryption details

    When you first install Mumble you will be asked whether you would like to run your own server (called Murmur); this will give you total control over who can access the chatroom, but it requires staff and time. The other option is to join one of the dozens of public Mumble servers, classified by country, and create your own chatroom there, or to rent a Mumble server from a specialist provider; they can be easily found with an Internet search for Mumble server hosting.

    The Mumble client Audio Tuning Wizard helps you correctly set input levels for your sound card, with voice activity detection and sound quality, as well as optional text to speech to read typed-in messages. Messages are read with a metallic voice, but you have the option of buying a professional text-to-speech package from a third party and adding it if you are going to use the feature a lot. The second Mumble client step creates a digital certificate to authenticate with servers. Most likely the servers you visit will have a free self-signed digital certificate, popping up a warning window that you will have to accept before joining; this is not a huge security risk if you examine the certificate before accepting it, and it only has to be done once.

    Besides AES 256-bit encryption, Mumble has the edge over other VoIP tools because it can communicate over TCP, which is absolutely necessary for any program to be tunnelled through Tor, while most VoIP programs only work with UDP. Mumble also has very low bandwidth needs, so it will not clog Tor nodes, and it works as push to talk (PTT): you need to push a button to transmit voice, instead of an always-on call connection.

    You can either connect directly to Tor running on your computer and configure Mumble by going to Configuration > Network, ticking the checkbox that says “Force TCP Mode” and filling in the SOCKS5 proxy settings with localhost and 9050 for the port, or roll your own anonymous Mumble server for your friends: rent a VPS, install the Mumble server software on it, configure the server firewall to accept incoming connections on Mumble’s default port 64738, and install Tor on the VPS; from then on all voice calls made using that server will be encrypted and anonymous.

    Visit Mumble homepage

  • Review scam VPN provider IAPS intl-alliance


    Taking advantage of a free three-day trial for prospective customers that I found in a Reddit self-edit, I decided to look into the IAPS Security Services (intl-alliance) VPN provider. I was really looking forward to seeing for myself whether IAPS claims of being able to provide VPN servers in places as unique and paradoxical as the Vatican Holy City and Mecca in Saudi Arabia were for real.

    To start with, the IAPS intl-alliance website could do with a redesign: you will find it confusing, not mobile friendly and messy, but what matters most is the quality of their services, so let’s not judge them for that alone. IAPS intl-alliance VPN monthly prices aren’t cheap, but annual subscriptions work out at a reasonable rate, if they really provided the over 140 worldwide countries and more than 190 VPN servers they say they have. IAPS also has dedicated packages to watch USA or Canadian TV from abroad and packages to be able to play poker with a VPN.

    After signing up I quickly received a friendly email from Jared Twyler, IAPS Chief Executive Officer, whose LinkedIn page lists education at the highly regarded Massachusetts Institute of Technology. I had previously informed Jared that I would be reviewing their VPN services on the hacker10 blog and he was confident enough to say that “I’ve been a vpn supplier since 2007 and have been judged since then. Seeing another site pass judgement isn’t anything new.”

    IAPS OpenVPN imaginary VPN Andorra server

    The welcome email contained a username and password with 192 links to VPN servers in locations that no other VPN provider can give you: Iraq, Falkland Islands, Palestinian Territory, Qatar, Bhutan, Uganda, Uzbekistan, Algeria, Kuwait, nearly all European countries and at least a dozen USA servers. IAPS intl-alliance does not have any proprietary VPN client; you are given a link to the official OpenVPN client, which makes it a little difficult to manage all of the over 190 servers, but not a big deal. When you click on any of the links in the email an .ovpn certificate is automatically downloaded to the OpenVPN folder and permanently added; it was very easy to set up.

    I decided to start the VPN testing with the server in Saudi Arabia. The first thing I noticed was that there was very little lag and the speed was excellent. I checked my location using ip-score.com and a couple of other sites that check your computer IP online; sure enough, they identified my computer as being in Saudi Arabia (Mecca), however Google advertisements were being shown in my local language. I then decided to visit an Israeli website, knowing that all Israeli pages are blocked by Saudi Arabia’s Internet filtering; I expected not to be able to access it, but I had no trouble viewing the page. I decided to visit a porn website to see if it was blocked, and again, I had no problem looking at online porn with what was supposedly a Saudi VPN in Mecca.

    This was puzzling. I carried out similar testing with other servers, all with similar results: the whatismyip websites would indicate that I was in the location IAPS intl-alliance said the VPN was, and, extraordinarily, my VPN connection did not have any kind of lag or speed cutback while connected to far-away countries like Bhutan or South Sudan.

    I suspected something wasn’t right when I found no ping or speed differences between the VPN in Italy and the one in China. I also noticed that virtually all the computer IPs assigned by the VPN started with 46.36.*.*; it just happened that Saudi Arabia and the VPN in the Vatican had both assigned me IPs in the same range. After a few traceroutes and whois lookups I realised that IAPS was always listed as the Internet Service Provider in the whois, and the contact address was always listed as a local address.

    That is how I believe they fool websites about your geolocation: with IAPS listing the network operator address as being in Mecca, the websites checking your location assume that your ISP is also in Mecca, since that is where the network is theoretically being operated from. IAPS owns the 46.35.*.* IP range and assigns it as they see fit, only changing the local address of the network operator to fool websites into believing the visitor comes from that particular country.
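As an added example that is not from the post or from IAPS, the checks below turn the whois and ping observations into code: flag claimed countries that all fall within one /16, and flag round-trip times that are faster than light in fibre allows for the claimed distance. The probes, city coordinates, vantage point and RFC 5737 addresses are all constructed.

```python
# Two plausibility checks for a VPN provider's "servers in 190 countries"
# claim, in the spirit of the whois and ping observations above:
#  1. many claimed countries handed out from one /16 (the post saw 46.36.*.*
#     everywhere) points to a single network, not a global footprint;
#  2. a measured RTT below the speed-of-light floor for the claimed distance
#     is physically impossible, whatever the geolocation databases say.
# All probes below are constructed; IPs come from RFC 5737 documentation
# ranges and are not the provider's real addresses.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
# Light in fibre covers roughly 200,000 km/s, so a round trip needs at least
# about 1 ms per 100 km of great-circle distance (a floor; real paths are longer).
MIN_RTT_MS_PER_KM = 2 * 1000 / 200_000   # 0.01 ms per km


@dataclass
class Probe:
    claimed_country: str
    ip: str          # address the VPN assigned to the client
    rtt_ms: float    # ping from the client to the VPN endpoint
    lat: float       # coordinates of the claimed server city
    lon: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def min_rtt_ms(distance_km: float) -> float:
    return distance_km * MIN_RTT_MS_PER_KM


def shared_prefix_countries(probes, min_countries: int = 3) -> dict:
    """Map each /16 that 'hosts' at least min_countries claimed countries to them."""
    by_prefix = defaultdict(set)
    for p in probes:
        by_prefix[str(ip_network(f"{p.ip}/16", strict=False))].add(p.claimed_country)
    return {pfx: sorted(c) for pfx, c in by_prefix.items() if len(c) >= min_countries}


def implausible_rtt(probes, client_lat: float, client_lon: float) -> list:
    """(country, measured_ms, floor_ms) for probes faster than physics allows."""
    flagged = []
    for p in probes:
        floor = min_rtt_ms(haversine_km(client_lat, client_lon, p.lat, p.lon))
        if p.rtt_ms < floor:
            flagged.append((p.claimed_country, p.rtt_ms, round(floor, 1)))
    return flagged


CLIENT = (40.4, -3.7)   # constructed vantage point: Madrid
PROBES = [
    Probe("Vatican City",   "198.51.100.10", 20.0, 41.9, 12.45),
    Probe("Saudi Arabia",   "198.51.100.20", 14.0, 21.4, 39.8),   # Mecca
    Probe("Bhutan",         "198.51.100.30", 15.0, 27.5, 89.6),   # Thimphu
    Probe("United Kingdom", "198.51.100.40", 18.0, 51.5, -0.1),   # London
    # control: a different provider whose endpoint really is far away
    Probe("Japan",          "203.0.113.5",  270.0, 35.7, 139.7),  # Tokyo
]

if __name__ == "__main__":
    print(shared_prefix_countries(PROBES))
    print(implausible_rtt(PROBES, *CLIENT))
```

The RTT floor is deliberately generous (straight-line distance, no routing or queueing), so anything it flags cannot be explained by a fast network; only the endpoint not being where it is claimed to be explains it.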

    IAPS intl-alliance OpenVPN client

    The whois “mnt-by” record for the IP lists IAPS intl-alliance’s server provider as RackSRV, a United Kingdom based company selling VPS and dedicated servers. I am inclined to believe that Jared Twyler, listed as the server administrator based in the United States, has rented one or more servers with RackSRV and is masking them as being located in all of those exotic locations he is selling VPN services for, when in reality he does not own any server in any of those countries.

    I tried IAPS intl-alliance servers in the USA and they can fool Hulu and Pandora; if you wish to watch USA TV it will work, and there is nothing wrong with that. But I am calling this company a scam because they are advertising their services as having physical servers in over 190 countries when in all likelihood they only have a single server in the United Kingdom.

    I gave IAPS Intl-alliance the opportunity to prove me wrong. I asked IAPS Chief Officer Jared to name the datacentre he is using in Vatican City and in Saudi Arabia, and his one-line reply was “They are all private networks owned by IAPS.” I emailed back enquiring whether IAPS really owned a VPN server in the Vatican and in Saudi Arabia, and Jared’s response was a single word with a period: “Multiple.” Fantastic explanation!

    I don’t think it is wrong to provide VPN servers the way they do, except that they are lying to customers about how many servers they own and about how they manage to achieve a Saudi computer IP without having any server in Saudi Arabia, and I would not feel confident trusting my valuable privacy to a lying and cheating company.

    UPDATE: I sent a link to this post to IAPS Chief Officer Jared, mentioning that he is welcome to reply in the comments section. It appears that IAPS does not wish to make any comment.

    Visit intl-alliance homepage

  • Encrypted video calls, group chat, notes and files with VIPole


    VIPole is a Windows, Linux, Mac and Android security suite providing encrypted file sharing, VoIP, video chat, notes, passwords and an organizer. Installation is straightforward and only requires you to provide a valid email address, where you will receive a verification link, select the local folder where data should be stored, and move your mouse around to generate entropy for your private encryption key. You will have to cook up two passphrases, one to encrypt your data and another to encrypt your profile; the software makes sure that you do not reuse them, but there is no strength meter. A virtual keyboard can be used to stop keyloggers.

    To be able to encrypt files on your hard drive you will have to temporarily disable your antivirus and install some drivers. I also had to disable the antivirus to update the VIPole software client (I am using AVG). Most modern antivirus programs will allow you to disable them for only a few minutes, so this should not be a big problem as long as you trust VIPole not to do anything unacceptable to your computer.

    Encrypted messenger and video calls VIPole

    Encryption keys are managed exclusively by the user; VIPole has no way to decrypt your data. Calls and chats are end-to-end encrypted with AES 256/RSA 4096-bit keys, with no central server that could be wiretapped, and the company pledges that there is no backdoor. You can see a “History” tab in the program where chat logs can be accessed, but the data is only held on your computer and nowhere else, and even then that data is encrypted (premium version) when you close VIPole, so losing the laptop will not reveal private logs without the proper password.

    Another nice feature is being able to set up a fake passphrase in case you are forced to disclose it. This is helpful in countries like the United Kingdom, where you must reveal your password to the police when requested or risk criminal prosecution, but giving the police a password to a fake encrypted container would also break the law if they find out, so it is not really recommended. I just could not see any other applicability other than bypassing airport staff opening up your laptop.

    I was really impressed with the ease of use of the VIPole interface; the well-organized tabs make it painless to switch between functions, and information is clearly displayed in a nice clean layout, with avatars that help you identify the caller and shift from the chat to the notes or file manager window in no time.

    VIPole encrypted calling options

    The only thing that made me feel uneasy about VIPole, besides it not being open source, is that although calls do not go through their servers, passwords, notes, reminders and files are kept on VIPole servers; the reason for this is to be able to sync the data with your mobile device. It would have been valuable to have the choice not to sync data and keep everything local, for those paranoid about cloud security. The good news is that it is impossible for server administrators, or anybody breaking into VIPole facilities, to access the data in plain text: everything is encrypted with your private encryption key before leaving your device, which means that VIPole cannot be compelled to produce a copy of your data even if they wanted to.

    This company’s security model really cares about users’ privacy, and they should be praised for being very open about how data is stored and how they are protecting it. The company has plenty of information about their security model, and businesses can get their own server to make sure that they are always in control of everything.

    I found the free VIPole plan good enough for home users; the paid version buys you more features like auto logout when idle, extra file storage space, an encrypted virtual drive on the desktop client and other elements that are nice to have but not must-haves.

    Visit VIPole homepage