Hacker10

  • Android encrypted video recording app Strongbox

    Strongbox is a free open source app for human rights and privacy activists to be able to record video with their phones without having to worry about the device being lost or seized, although in some countries you can be charged for not revealing your password to law enforcement.

    The app is really simple to use. When you launch it for the first time you are prompted to create a passphrase that locally encrypts the videos; if you forget the passphrase, all data will be unrecoverable and lost.

    Straight away after login you enter the video mode, with two big buttons at the bottom of the screen. The one with a camera logo starts the recording when tapped; the other, with a memory card logo, gives you access to the video library.

    Stored videos have timestamps next to them; you can view a video on your phone, delete it or upload it to a server. Strongbox gives an internal IP address where the video should be uploaded. I found it confusing: being an internal IP, many people will not realise it is their own computer's IP. Another thing is that when you erase a video no confirmation is asked for, and files can be deleted by mistake.

    Footage is encrypted on the fly as you film; files never touch the memory card, and videos are stored inside the encrypted container in Strongbox. The encryption algorithm used is AES-256 in GCM mode, which provides confidentiality and integrity. A lock allows you to instantly close down the app with one tap, preventing access to the videos.

    I would use this app to keep my own videos private and not much more. I found the sharing options lacking, and that is a problem if your phone is seized: an oppressive law enforcement agency will not be able to view the recordings, but you will have lost access to what could be indispensable footage of abuse. I wish there was an easy way to quickly get the videos out of the phone.

    This is a basic app with basic functions using standard encryption that can be checked for bugs and backdoors, probably useful to keep video clips of your girlfriend intended for personal viewing encrypted.

    Visit Strongbox in Google Play

  • Top anonymous digital currencies for untraceable payments

    The aim of the currencies below is to make it impossible for an investigator to analyze a public ledger, known as block chain in Bitcoin, and to hide the identities of those making and receiving payments. Other advantages are that the money cannot be seized and transaction fees are very low or non-existent.

    WARNING! The world of cryptocurrencies contains elaborate scams, pump and dump and pyramid schemes. I am not endorsing any of the currencies below; it is your duty to double check claims about anonymity and trust.

    Dash (DASH): One of the most popular, Digital Cash is a Bitcoin based electronic currency focused on privacy. The wallet contains a coin mixer, and you have the choice to make your financial operations public or anonymous, using a decentralized network of servers called masternodes that anonymize the transaction. The level of anonymity can be configured to between 2 and 8 node hops. Digital Cash coins can be earned if you help the network by running a masternode, but this is not necessary.

    CloakCoin (CLOAK): Every CloakCoin user becomes part of the network, which increases anonymity; in exchange for keeping your wallet open and helping others be anonymous, you earn interest on the CloakCoins you hold. A built in decentralized market called OneMarket can be used to spend your currency anonymously. Anybody can advertise and buy services or goods in OneMarket, or you can exchange your coins in CloakTrade.

    ShadowCash (SDC): Decentralised cryptocurrency with the choice of making public or private anonymous payments. When you open your wallet it will help run the peer to peer network and you will be compensated with electronic cash. ShadowCash comes with an embedded private messenger that encrypts communications and allows you to talk with other users on the network.

    LEOCoin (LEO): The Learning Enterprise Organisation coin has a focus on being user friendly. It has a decentralized peer to peer payment system with proof of work and proof of stake validation. The public ledger is encrypted. An article in Coindesk has scam accusations against the developers of this currency. I would be very careful with it; the accusations are somehow substantiated with real facts.

    AnonCoin (ANC): Anonymous cryptocurrency with native support for the I2P network; it can also be used over Tor. AnonCoin not only decentralizes operations but also anonymizes computer IPs when you connect to a client. This currency has been around for two years and development is very active, with good documentation, a Wiki and a discussion forum. It can be traded in various exchanges.

    Monero (XMR): Open source untraceable currency using peer to peer transactions and a distributed public ledger, receipts and money transfers remain private by default. Ring signatures add a degree of ambiguity to make it harder to link a transaction with an individual computer. This currency can be integrated in the I2P anonymous network and you can run a full node if you want to, another choice is to use a web based Monero account.

    BitcoinDark (BTCD): It has a very novel unproven approach to currency anonymity, BitcoinDark uses what they call Teleport to clone and exchange currency denominations out of the block chain. A hard to understand technology, first generation cryptocurrency. BitcoinDark is part of SuperNET, a decentralized currency exchange that makes it very difficult to steal digital currency by storing it in multiple nodes.

  • Zendo a One Time Pad encryption messaging app

    Zendo is a free iPhone and Android app for encrypted chat. Users communicate directly with each other using One Time Pad encryption keys that they have previously exchanged in person.

    After installing the app you will see two options on the screen, one displaying a QR code and a second button to scan other people’s codes. Pointing your phone camera at the QR code on the screen of your friend’s phone authenticates both devices via Wi-Fi Direct and encrypts the connection with AES-256; it then exchanges multiple One Time Pad encryption keys (0.5MB). If anybody listened nearby and captured the exchange you would not have to worry, as the connection was initially encrypted.

    The strength of One Time Pad encryption is that a new key is used for each one of your messages, which is why you need multiple keys. If anybody managed to crack one of the keys they would only be able to read a single message; to decipher a whole conversation your adversary would have to crack hundreds or thousands of encryption keys.

    Another security feature is that the messages and photos you send are encrypted before they leave your phone. To extend the longevity of the One Time Pad encryption keys, photos are encrypted with AES-256.

    In advanced settings, an “Out-of-Band Messaging” option lets you send encrypted Zendo messages via email or SMS, so you are not required to use Zendo servers to deliver messages to other users you have exchanged keys with. Another option deletes all messages on close: ticking the box automatically erases all messages and photos when you close the app, while keeping your contacts and the encryption keys you have exchanged. A third option steps up security to paranoid level by allowing you to exchange large encryption keys; this choice will reduce phone performance on low end devices.

    For privacy, Zendo servers do not log any IP addresses (they are quickly erased), and you never give the company any email address or phone number. Your contact list, messages and photos remain on your phone and not on Zendo servers. The company can’t spy or help anybody spy on you with the information and capabilities they have.

    When you run out of One Time Pad encryption keys you will have to meet again in person and top up. This will seem annoying to many people, but it is a good excuse to have a face to face meeting with somebody; there is a certain social element in Zendo. This is an app to communicate with people you know in real life and are close to you. The biggest downside of high security is usability, as Zendo proves: you can’t use this app to chat with people you just met, because keys cannot be sent over the Internet.
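
    The pad bookkeeping described above (fresh key bytes for every message, and another meeting to top up when they run out) as an added Python example. It is not Zendo's code: the `PadChannel` class, the split of the pad into one half per direction and the 64-byte sample pad are assumptions made for illustration.

```python
import secrets


class PadExhausted(Exception):
    """Not enough unused key bytes left: the peers must exchange a new pad."""


class PadChannel:
    """One direction of a one-time-pad conversation (hypothetical design)."""

    def __init__(self, key_material: bytes):
        self._key = bytearray(key_material)
        self._next = 0  # index of the first key byte that has never been used

    def remaining(self) -> int:
        return len(self._key) - self._next

    def _consume(self, offset: int, length: int) -> bytes:
        if offset != self._next:
            # Replayed or reordered message: refuse rather than reuse key bytes.
            raise ValueError("offset does not match next unused key byte")
        if length > self.remaining():
            raise PadExhausted(f"need {length} bytes, {self.remaining()} left")
        chunk = bytes(self._key[offset:offset + length])
        self._key[offset:offset + length] = bytes(length)  # wipe used bytes
        self._next += length
        return chunk

    def seal(self, plaintext: bytes):
        """Encrypt; returns (pad offset, ciphertext) to send to the peer."""
        offset = self._next
        key = self._consume(offset, len(plaintext))
        return offset, bytes(p ^ k for p, k in zip(plaintext, key))

    def open(self, offset: int, ciphertext: bytes) -> bytes:
        key = self._consume(offset, len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, key))


def make_peers(pad: bytes):
    """Split one shared pad so the two directions never touch the same bytes."""
    half = len(pad) // 2
    alice = {"send": PadChannel(pad[:half]), "recv": PadChannel(pad[half:])}
    bob = {"send": PadChannel(pad[half:]), "recv": PadChannel(pad[:half])}
    return alice, bob


def demo():
    pad = secrets.token_bytes(64)  # constructed sample; the page cites 0.5MB
    alice, bob = make_peers(pad)
    offset, ciphertext = alice["send"].seal(b"meet at noon")
    received = bob["recv"].open(offset, ciphertext)
    try:
        bob["recv"].open(offset, ciphertext)  # same message delivered twice
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    try:
        alice["send"].seal(b"x" * 32)  # longer than the key bytes still unused
        exhausted = False
    except PadExhausted:
        exhausted = True
    return received, replay_rejected, exhausted, alice["send"].remaining()


if __name__ == "__main__":
    print(demo())
```

    A pad on its own gives confidentiality only: flipping a ciphertext bit flips the same plaintext bit without being noticed, so a real design also needs message authentication.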

    Zendo is a niche app where the person you are chatting with will be as overtly suspicious about privacy and security as you are, I see next to zero options to convince my friends to use it otherwise. The app is not open source but the code was opened for an independent audit. The developers say that Zendo will always be free, monetization will be made in the form of premium features to be added in the future.

    Before using this app remember that, no matter how secure your messaging app is, if somebody manages to introduce a virus in your smartphone, they will be able to read everything, security has to be implemented all over the device.

    Visit Zendo in the Apple Store or Visit Zendo in Google play

  • Encrypt and hide messages in pictures with SecretLayer

    SecretLayer is a Windows program to encrypt and hide messages inside a photograph (jpg, png, gif, bmp), this is known as steganography. The program tweaks photo pixels and embeds tiny pieces of extra information in them without changing how the pictures look to the human eye.

    The tests I performed made the carrier photos indistinguishable from the original files except for being slightly bigger in size, a few Kilobytes more, depending on the size of the secret message. You will be told by SecretLayer how much data you can hide inside each photograph; a progress bar indicates how many bytes you can hide as you type. If you add an attachment, you are told what the maximum size can be. This is the kind of program that computer beginners can use: it comes with a video tutorial and a wizard, allowing you to learn how it all works in under 5 minutes.

    With SecretLayer you can send covert messages sidestepping email by uploading images with hidden data to a personal photo album or website; the receiver will only have to visit the website and save the photo. There is one small caveat: the person decrypting the message has to know what encryption algorithm and key length were used. You will have to transmit this one way or another, just once if you don’t change the arrangement.

    This is a very easy to use program, with a wizard guiding novices step by step and an advanced function that lets you choose an encryption algorithm from AES, Blowfish, IDEA, CAST, DES and RC5. Secret Layer displays information about the security level of each encryption method and key length, and there are also security tips in the password window so that you do not enter anything that could be guessed or easily broken. A small improvement I feel the developer could make is adding a password strength meter.

    After encrypting a file you can choose where to save the image. Ticking a box tells SecretLayer that you would like to shred the original picture, something I would advise you to do. Wiping the original picture will make it nearly impossible for somebody to find out if the resulting photograph contains hidden data inside or not. To discover steganography in a digital photo the original is needed to make a comparison.
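
    As an added illustration (not SecretLayer's code; the page does not say which embedding method the program uses), the Python example below assumes plain least-significant-bit embedding over raw RGB bytes and shows the capacity figure, the embedding itself, and the comparison against the original picture mentioned above. The 16x16 sample image and all function names are constructed for the example.

```python
import struct

HEADER = 4  # bytes used to store the message length (big-endian)


def capacity(pixels: bytes) -> int:
    """Largest message, in bytes, that fits at one hidden bit per channel byte."""
    return max(len(pixels) // 8 - HEADER, 0)


def embed(pixels: bytes, message: bytes) -> bytes:
    """Write length header + message into the lowest bit of each channel byte."""
    if len(message) > capacity(pixels):
        raise ValueError(f"message is {len(message)} bytes, "
                         f"capacity is {capacity(pixels)}")
    payload = struct.pack(">I", len(message)) + message
    out = bytearray(pixels)
    for i, byte in enumerate(payload):
        for bit in range(8):  # most significant bit first
            idx = i * 8 + bit
            out[idx] = (out[idx] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bytes(out)


def _read(pixels: bytes, start: int, count: int) -> bytes:
    """Rebuild `count` bytes from the low bits starting at channel byte `start`."""
    data = bytearray()
    for i in range(count):
        value = 0
        for bit in range(8):
            value = (value << 1) | (pixels[start + i * 8 + bit] & 1)
        data.append(value)
    return bytes(data)


def extract(pixels: bytes) -> bytes:
    (length,) = struct.unpack(">I", _read(pixels, 0, HEADER))
    if length > capacity(pixels):
        raise ValueError("length header is implausible: no hidden payload found")
    return _read(pixels, HEADER * 8, length)


def compare(original: bytes, suspect: bytes) -> dict:
    """Diff a suspect image against its original, the check the text describes."""
    diffs = [(a, b) for a, b in zip(original, suspect) if a != b]
    return {
        "changed_bytes": len(diffs),
        "max_delta": max((abs(a - b) for a, b in diffs), default=0),
        "only_low_bit": all((a ^ b) == 1 for a, b in diffs),
    }


# Constructed sample: a 16x16 RGB gradient as raw channel bytes (768 bytes).
ORIGINAL = bytes((x * 7 + y * 13 + c * 29) % 256
                 for y in range(16) for x in range(16) for c in range(3))
CARRIER = embed(ORIGINAL, b"hello")

if __name__ == "__main__":
    print("capacity:", capacity(ORIGINAL), "bytes")
    print("recovered:", extract(CARRIER))
    print("diff vs original:", compare(ORIGINAL, CARRIER))
```

    With the original in hand, the diff shows changes of exactly one unit confined to the low bit of the first channel bytes, which is why shredding the original removes the easiest comparison.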

    SecretLayer can also wipe the data you are hiding when you are done. The integrated file wiping utility is much appreciated, eliminating secret messages in plain text considerably increases your security. 

    I always liked steganography because it is very hard to detect and if you add to that encryption, mass surveillance loses capabilities, the powers that be can’t scan every single picture on the Internet looking for hidden data. Of course I would have preferred an open source tool, other than that, I liked SecretLayer and I am convinced that if PGP was as easy to use there would be many more users.

    Note that the free version of Secret Layer, called Light, does not encrypt data, it only hides it. If you want encryption and the ability to split and hide data across multiple photos, which allows bigger files to be hidden, you will have to buy the program. Steganography without encryption might fool your room mate but not somebody who has the right tools to extract data. For a free, though not so easy to use, alternative check out OpenPuff Steganography.

    As is usual with these programs, the person you communicate with will need to have it installed too.

    Visit SecretLayer homepage

  • Anonymous online payments with Shadow Cash

    ShadowCash (SDC) is a decentralised crypto currency with a focus on privacy and anonymity. One of the beautiful things about ShadowCash is that you can have two addresses: one that works like Bitcoin, with the operation recorded on a public blockchain called shadowchain, and a second stealth address for anonymous payments where the cryptographic transactions are untraceable to the source.

    A P2P encrypted messenger called ShadowChat comes integrated with the software; conversations are secured with AES-256 without any central server that could be compromised. The existence of ShadowChat gets rid of the need for email or phone calls outside the client. You don’t have to learn PGP or beg the other party to use encrypted means of communication; ShadowCash software is all that is needed to negotiate deals and send money securely. The messenger is text only, but audio, video and sending of attachments are in the road map for the next version.

    I can’t see myself using video chat not knowing who is at the other end of an anonymous payment, but the attachments option is definitely welcome. Even if you don’t make any financial transaction, ShadowChat could be used for day to day chatting and anonymous trading of files.

    There are dozens of alternative currencies out there, but ShadowCash offers something that is in high demand and very few can fulfil: real anonymous payments. The software is well documented and available for Windows, Mac and Linux, with a mobile device wallet (ShadowGo). Initially ShadowCash has to be bought with Bitcoins; after that it can be traded in major exchanges like Cryptsy and Poloniex. A fairly active community using ShadowCash provides you with support. This currency looks like it is here to stay.

    You can get free SDC coins by running the ShadowCash client and contributing to process parts of the P2P shadowchain. If you do, you will see a message saying “Staking expected time”; this lets you know when and how many SDC coins will be awarded to you.

    A marketplace software called ShadyBay (sbay) is also being developed and is currently in alpha. When fully completed, you will be able to set up your own online shop to sell goods and services with anonymity.

    After seeing all that ShadowCash has to offer, I have decided that I will make payments with it whenever possible. I have used Bitcoin before and without a bitcoin tumbling service, that takes a commission and carries risk of the bitcoins going missing, anonymity does not exist.

    I believe ShadowCash to be superior to Bitcoin in many aspects, my favourite feature being the included encrypted messenger that saves me from having to send insecure emails, which is often necessary when selling and buying. I loved this project; however, the Windows version crashed a couple of times on my computer. Since ShadowCash is still new, I will be giving them another try soon.

    Visit Shadow homepage

  • List of the best encrypted chatroom services

    When your access to secure communication tools is limited in a shared environment, or you are on the go, the services below can be used to set up a makeshift secure chat without any technical knowledge.

    These websites can create an encrypted chatroom with minimal registration details and they can be accessed by anybody with a web browser in their computer or mobile device, but the websites also require you to trust the server operator, hence, you should not use them for high security unless you host the chat software.

    I have used a few of the sites below with a VPN proxy to hide my computer IP and I didn’t have any kind of problem doing this. The only condition is that JavaScript always has to be enabled, since this is what is used to encrypt the messages in your browser.

    Otr: Peer to peer chat in your browser with no central server and no need to register or install anything, you simply open a chatroom and send or post the link somewhere for your contacts to access it, but remember that once everybody leaves the chatroom it ceases to exist.

    Cyph: Encrypted group messenger and video calling that works in the browser and smartphone, with encrypted cloud storage. Cyph uses quantum resistant ciphers and has been independently audited by Cure53, a German cybersecurity firm.

    Teleguard: Swiss based instant messenger that does not require you to register a phone number to use it. Teleguard can be used on smartphones and on Linux, Windows and Mac computers, but you have to download their application; it won’t work in the browser.

    Brave Talk: From the makers of the privacy focused Brave browser, Brave Talk offers free encrypted video chats right in your browser. One of the callers needs to be using the Brave browser to create the chatroom, but the others can use any browser they want and connect by clicking on a link.

    ChatCrypt: It allows you to create an encrypted chatroom by entering a name for the room, a username and a password. People who want to join in will have to visit ChatCrypt and enter the room name and password you have given them. ChatCrypt rooms are not listed anywhere; they can only be found if you let other people know that they have been created. All messages are encrypted in your browser with AES-256 in CTR mode before transmission.

    ChatCrypt is funded with advertising and you will see a banner on top of the chatroom. Google and their NSA friends perhaps can’t read the messages, but they should still be able to track the IP of people in the chatroom using the advertising banner.

  • Open source mobile phone app SureSpot for encrypted chat

    SureSpot is an Android and iPhone open source app for end to end encrypted chat. You can send pictures and text, and nobody can decrypt the messages, not even the app developers. AES-256 encryption keys are created in your phone and the Diffie-Hellman key agreement protocol is used to exchange them securely without having to grant a third party access to private keys. Only the person you are communicating with is able to read the messages and view the photos you send.

    A spy agency attempting to wiretap Surespot will find that there is not a single server they can attack for mass surveillance; they would have to hack all the end point phones to listen in, which would be impossible to do if Surespot became popular. For further privacy, Surespot can create multiple identities to chat with different contacts. Your identity can be backed up, restored or permanently erased, and the paranoid person can create new encryption keys as often as needed.

    Another nifty feature is that you can delete the messages you have sent from the receiver’s inbox and lock attached images to stop them from being saved outside the app. Surespot also locks itself after a few minutes of inactivity to stop impersonation in case your phone is taken while still on.

    Unlike WhatsApp and other privacy invasive chat apps, people in your contact list will not get automatically notified when you install Surespot. Before a chat can take place you need to know the nickname of the person you would like to communicate with, and that person will have to accept the invitation. The app is free for chat; paying a small fee adds voice messaging, so that instead of typing you can talk to your mic, record a message and send it encrypted to your contact. Another tab in the app allows for an optional Paypal or Bitcoin donation.

    This privacy app earned one of the highest marks in the Electronic Frontier Foundation score card. The only downsides the EFF highlighted were that Surespot code has not been audited and the possibility of somebody getting access to your phone. The common auditing problem comes down to raising enough money, it is not the developers’ fault, and the danger of having your phone stolen can be partially fixed by fully encrypting the phone.

    I liked this app a lot; it has all I want from a secure mobile chat app, the most important factors being that Surespot is based on trusted encryption algorithms, it is open source, which allows experts to peek in and check for bugs or backdoors, and the app does not use your phone number as a contact, so the person you are chatting with will not find it out unless you tell him. The only missing feature is that you can’t set up a group chat, which I don’t currently use. I am adding Surespot to my list of favourite apps.

    Visit Surespot homepage