Hacker 10 – Security Hacker

Tag: encrypted messenger

  • Open source P2P EMP encrypted messaging

    Open source P2P EMP encrypted messaging

    Recently released for testing, EMP, is a multi-platform P2P open source messaging system with encryption. There is no central server, everything runs in your computer and the technology is similar to that of Bitmessage.

    EMP has a clean tabbed interface that opens in your Internet browser, the toolbar address is http://localhost:8080 (yourmachine:port), you will see tabs named Inbox, Outbox, Sent, MyAddresses. The Inbox tab contains a list of the messages you have sent with the timestamp and the cryptic EMP receiving address with a Status column indicating if the message has been read.

    EMP Encrypted Messaging Protocol
    EMP Encrypted Messaging Protocol

    I downloaded the Windows version of EMP in Windows Vista and I was only able to install it after right clicking on the program and running it as administrator, then you click on the desktop shortcut and your Internet browser launches asking you to enter username and password RPC credentials that “should be located” in ~/.config/emp/msg.conf .

    The notice seems tailored to Linux users, after tinkering around Windows the real place where I found the msg.conf  file was inside Program Files (x86)/EMP and editing it with Notepad shows “user = “rpcUser” pass = “rpcPass”. Another thing is that you will have to remove the software from your computer manually, I could not see any EMP uninstall in Windows control panel, if you want to delete this program from your computer go to /Program Files (x86) and erase the full EMP folder.

    The main difference in between EMP and Bitmessage appears to be that EMP has been built for performance, the client has been written with Go, also called golang, a programming language designed for simplicity and EMP purges the network of read messages, EMP is also modular, it can be embedded with other applications as part of a communication suite. Bitmessage has on its favour that they hide metadata, I can’t tell if EMP also does it, at the moment they have no documentation.

    Security wise, AES256 is used for encryption and being open source means that others can review the code to find bugs, it don’t think is a bad platform but I can’t recognize any substantial reason why an average person would want to switch from Bitmessage to this new platform.

    Visit Encrypted Messaging Protocol

  • Secure encrypted mobile and desktop messenger IONU

    Secure encrypted mobile and desktop messenger IONU

    IONU is a new messaging tool for Windows, Mac OS, Android and iPhone, the program can be used by individuals or an organization that needs central administration capabilities.

    During the Windows installation you will be given a warning that the digital signature is not valid and the publisher can not be verified, the installer will also automatically download Microsoft Visual C++ runtime libraries if they are not present in your system.

    Secure private messenger IONU
    Secure private messenger IONU

    Account creation was relatively easy, just pick a username and a passphrase. IONU will force you to utilize a minimum of 8 characters password that combines letters and numbers. You will have to add three security questions for password recovery and a link is sent to your email where you have to click to confirm that you own that inbox. If you use IONU in multiple devices, like mobile and desktop, data will be synced across them without you doing anything, a central IONU server manages the data and updates your client when you first login.

    In order for people to be able to find you in the messenger, you will have to set up an account identifier with your email address, name and phone number, if somebody wishes to connect with you they only need to search for this information and send you a friend request. It is not necessary to make visible your phone number an email, you can just use a nickname, privacy options can be managed in the client settings.

    You can only communicate with people added to your contacts list, this stops spam. Chat messages and file transfers are encrypted, IONU says that they have no way to read the chat even if they wanted to and you get delivery and read reports, with an optional “Vanish” function that sets an expiry date to your messages, after which they will no longer be readable. The program can also be used to encrypt data to the cloud, it supports Dropbox and Box.

    I could not find any detailed explanation about IONU security specs and a central server forwarding the messages is always a concern in case it is ever compromised, adding that IONU is an American company and the history that USA companies have of being subject to NSA spy gagging orders. The company says it is not viable for them to decrypt anything for anybody but I was not totally convinced that a government can not force them to mess with their server to download malware or something else to a target customer .

    Android encrypted messenger IONU
    Android encrypted messenger IONU

    Assuming you trust IONU claims that they aren’t able to read anything and you trust the encryption scheme they are using is safe, it seems like a good app to have private conversations out of the reach of malicious hackers sniffing packets on your network and a good way to protect your privacy by sending lapsing messages that can not be saved, although metadata should still be available in IONU servers, like login connection times and computer IPs.

    If your main concern is protection from criminals, IONU is a far better option than WhatsApp or Yahoo Messenger, if you are up against the NSA, I would look for another solution like the Torsion messenger for anonymous chat over Tor, or a program that has no central server managing messages.

    Visit IONU homepage

  • Encrypted video calls, group chat, notes and files with VIPole

    Encrypted video calls, group chat, notes and files with VIPole

    VIPole is a Windows, Linux, Mac and Android security suite providing encrypted file sharing, VoIP, video chat, notes, passwords and organizer. Installation is straight forward and it only requires you to provide a valid email address where you will receive a verification link, select the local folder where data should be stored and move your mouse around to generate entropy to create your private encryption key. You will have to cook up two passphrases, one to encrypt your data and another to encrypt your profile, the software makes sure that you do not reuse them but there is no strength meter. A virtual keyboard can be used to stop keyloggers.

    To be able to encrypt files in your hard drive you will have to temporarily disable your antivirus and install some drivers, I also had to disable the antivirus to update VIPole software client, I am using AVG, most modern antivirus programs will allow you to disable it for only a few minutes, this should not be a big problem as long as you trust VIPole not to do anything unacceptable to your computer.

    Encrypted messenger and video calls VIPole
    Encrypted messenger and video calls VIPole

    Encryption keys are managed exclusevly by the user, VIPole has no way to decrypt your data, calls and chats are end to end encryption with AES256/RSA 4096 bit keys and no central server that could be wire tapped, the company pledges that there is no backdoor. You can see an “History” tab in the program, chats logs can be accessed there but the data is only held in your computer and nowhere else, even then, that data is encrypted (premium version) when you close VIPole, losing the laptop will not reveal private logs without the proper password.

    Another nice feature is being able to set up a fake passphrase in case you are forced to disclosure it. Helpful in countries like the United Kingdom where you must reveal your password to the police when requested or risk criminal prosecution, but giving to the police a password to a fake encrypted container would also break the law if they find out, so not really recommended. I just could not see any other applicability other than bypassing airport staff opening up your laptop.

    I was really impressed with VIPole easy of use interface, the well organized tabs make it painless switching in between functions and information is clearly displayed in a nice clean layout with avatars that help you identify the caller and shift from the chat to notes or file manager window in no time.

    VIPole encrypted calling options
    VIPole encrypted calling options

    The only thing that made me feel unease about VIPole, besides not being open source, is that although calls do not go through their servers, passwords, notes, reminders and files are kept in VIPole servers,the reason for this is to be able to sync the data with your mobile device. It would have been valuable to have the choice not to sync data and keep everything local for those paranoid about cloud security. The good news are that it is impossible for server administrators or anybody breaking into VIPole facilities, to have access to the data in plain text, everything is encrypted with your private encryption key before leaving your device, this means that VIPole can not be compelled to produce a copy of your data even if they wanted to.

    This company security model really cares about users privacy and they should be praised for being very open about how data is stored and how they are protecting it, the company has plenty of information about their security model and businesses can get their own server to make sure that they are always in control of everything.

    I found the free VIPole plan good enough for home users, the paid version buys you more features like auto logout when idle, extra file storage space, encrypted virtual drive on desktop client and other elements that are nice to have but not a must have.

    Visit VIPole homepage