back to article 'Spy-proof' IM launched: Aims to offer anonymity to whistleblowers

Security experts have teamed up to created a stealthy internet messenger client designed especially for whistleblowers. The ‪invisible.im project promises an instant messenger that leaves no trace‬. The team behind the project include Metasploit Founder HD Moore and noted infosec and opsec experts The Grugq. That's the …

  1. Valeyard

    you know your demographic

    The team behind the project include Metasploit Founder HD Moore and noted infosec and opsec experts The Grugq.

    who? are they good like?

    That's the infosec equivalent of putting together Worf and Spock to fend off starfleet enemies, so the results are sure to be worth watching.

    ah now i get it. sounds great!

    1. frank ly

      Re: you know your demographic

      Which one has the pointy ears? Can we see pics?

    2. ElReg!comments!Pierre
      Pint

      Re: you know your demographic

      And with this comment I break the 900 downvote barrier! Yay me! That's from ... before El Reg even accepted comments, so I must have typed relatively few obviously crap comments since then. That includes the Golden Sarah Bee period of Ore Shower (or sumfin; She of The Comment Yanking Leash was sorely missed). I'll drink to... all that, Please do, too!

      Pros'T

  2. ElReg!comments!Pierre

    commendable. But...

    "If a source is already the subject of targeted surveillance, Invisible.im cannot facilitate secure, anonymous chats," it concedes."

    Given that merely showing interest for the tech will tag you as a juicy target for surveillance (as seen here ), isn't that a bit pointless then?

    At least it raises the concern and perhaps leads the way. So, good anyway.

    1. Tom 35

      Re: commendable. But...

      Maybe they could add features so it becomes popular for people sending friends pictures of their food, or subscribe to the funny cat video of the day. Make it so 99% of the traffic is useless crap.

    2. Valeyard

      Re: commendable. But...

      like they needed us to be on a list to hoover up our data

      1. Don Jefe

        @Valeyard

        A list isn't required to Hoover up data. A list is required to tell you which Hoovered data to look at. I'm assuming you're in IT, but this is pretty basic stuff...

        1. Valeyard

          Re: @Valeyard

          it's basic stuff?

          Oh sorry, i'm such a rank amateur at persecuting innocents.

          1. Don Jefe

            Re: @Valeyard

            Some people are just born being good at persecution. You could be one of those people, I just don't know. But you're most certainly a rank amateur as far as information organization goes.

            1. Valeyard

              Re: @Valeyard

              you're a bit of a prick really, aren't you?

    3. This post has been deleted by its author

    4. Anonymous Coward
      Anonymous Coward

      Re: commendable. But...

      Then it's not spy-proof, then. It isn't spy-proof until it can stop spying even being actively spied on.

    5. Anonymous Coward
      Anonymous Coward

      Re: commendable. But...

      Well, let's face it - the anonymity on the Internet is no longer a given. It is now a tradeable commodity. It is effectively no different from having a fake ID and being "anonymous" in the real world. Dunno if we should celebrate or mourn - the Internet has grown up and has become equivalent to the real world.

      Once upon a time, all it took to create a fake ID was access to a laminator and some minimal investment into a couple of blank prints. It was a bit more difficult for passports and residence permits but still not particularly high tech - I remember the days when every second schoolboy knew how to copy the height of "autheniticity measures" - the wet stamp. All it took was 20p worth of supplies from the local grocery and some use of mom's kitchen. When the pressed stamps came out i the 80-es that was like a ... revelation... But still falscifiable. Just more difficult. That time is long gone - now you can no longer do a DIY job to produce a fake ID.

      You can, however, get whatever passport you want if you pay enough for it (that enough is surprisingly little in some countries): http://vimeo.com/44804266

      Same with anonymity. Pay enough to any of the black market gangs that run the darknets (best of all two competing once to boot) and you will have your traffic anonymized in a manner which no metadata dragnet will be able to trace to you. Just keep in mind that someone may have a budget larger than yours too so make sure you change your suppliers often enough.

    6. Just Enough

      Re: commendable. But...

      It's like answering a classified advert for "Whistleblowers wanted. Send CV in complete confidence to PO Box 123."

      If I was a whistleblower, the first thing I'd do is google "software for whistleblowers". Then I'd place all my trust in that software, safe in the knowledge that someone has designed it specifically for people like me.

      What could possibly go wrong?

      1. Anonymous Coward
        Anonymous Coward

        Re: commendable. But...

        "What could possibly go wrong?"

        Well, anonymity is pointless. Unless every unverified report or accusation is fully investigated, then being anonymous doesn't help one bit. And even then, the circumstantial evidence often points to one or a very small number of people.

        A bigger concern is the treatment of whistleblowers who are traced. Here in the UK PIDA isn't worth the bog roll it is printed on. Didn't help Dr David Kelly, did it? Likewise my friend and former colleague who reported a serious fraud at a listed company. As a result three directors and two others were sent to the big house, but he's not worked since, not been compensated for his actions, and a subsequent well founded allegation of malpractice at a large and dodgy Scottish bank has been repeatedly ignored, stonewalled and "long-grassed" by UK government and regulators.

        My advice to potential whistle blowers: Don't report it, you will lose out. Don't get involved, it is probably illegal. If it is the state, you're stuffed - go along with it after creating a suitable paper trail of questioning the behaviour, and then accept the official assurances that it is all above board. If it is the private sector and there's no violent criminals involved, do try and maximise your chances by asking for a golden goodbye under a comprehensive NDA if they so wish. And do stick to the NDA - why make your own life uncomfortable for no reward?

        If somebody offers you a web site for whistleblowing, just laugh and keep walking.

  3. Suricou Raven

    This seems familiar.

    It's like retroshare, but without the decentralisation.

  4. Anonymous Coward
    Anonymous Coward

    Funny

    I have some ocean front property in AZ you might be interested in if you believe this story.

  5. Anonymous Coward
    Anonymous Coward

    Compromised from the start?

    Prove it's not.

    1. Don Jefe

      Re: Compromised from the start?

      Right? I was thinking the same thing as I read the article. I have no confidence in a private entity having the resources necessary to prevent infiltration by State intelligence agencies. Officially sanctioned government intelligence operatives rarely have checkered backgrounds that flag them as risky people. Spies tend to be good at that sort of thing.

      There is great potential for comedy gold in all this you know. Suppose the entire project was a super secret government honey trap that, because of their stunning resumes and flawless background checks, ended up recruiting nothing but super secret government intelligence operatives. Each person, believing they are the only undercover agent involved, works diligently to compromise the project with clever coding trickery. It's only after general release they discover they have created to most bulletproof secure communication software in history. Hilarious!

  6. Kevin Hutchinson

    I've created something similar, but for storing/sharing files

    I've created https://uuids.net to do a similar job for whistleblowers. It's an anonymous upload site with sharing via one-time links.

  7. Kevin Hutchinson

    Don't forget crypto.cat

    There's already a pretty good secure IM out there - https://crypto.cat

  8. dindjic

    Grugq is very active on Twitter, you can figure out his credentials after following him for a while

  9. Velv
    Childcatcher

    Doomed to failure. How do you police the content? (and don't answer "the whole point is that you can't")

    By their very point of being anonymous, these services are designed to be used for illegal activity. So how do you separate the wanted illegal activity from the unwanted illegal activity?

    Whistle blowing has proven to be vital to maintaining sensible balanced order in our society, so finding ways to ensure it remains safe for the whistle to be blown are important. But that must be balanced against unwanted side effects.

    1. DanDanDan

      [Citation Needed]

      "By their very point of being anonymous, these services are designed to be used for illegal activity" - There are probably many things people want/need/like to do without people knowing about it. Nose picking is the first thing I can think of.

    2. itzman

      Re: being anonymous, these services are designed to be used for illegal activity

      Are they? that implies that the only people hacking and cracking are your own government.

      WE have just had a massive trial over phone hacking carried out by agencies employed (knowingly or unknowingly) by newspapers.

      Wouldn't every celeb buy a package that guaranteed reasonable privacy against the paparazzi? And how many would copy them just to be 'kewl' ?

      How many blackberry phones were sold to corporates on account of the security?

      Offshored hosting with zero jurisdiction by national governments and no log files is a first class business opportunity.

      Encrypt the links and the job is done.

      1. Don Jefe

        Re: being anonymous, these services are designed to be used for illegal activity

        A wise man once said: 'Jurisdiction is meaningless. That's why we have spies'.

        On a really good day it's a losing argument if it requires a government, any government, to play by the rules. Between various 'greater need' justifications and no qualms about rewriting definitions to suit their current needs most governments are quite adept at interpreting the law very differently than you or I.

        On a not really good day, which is most days, governments don't really give a shit. If there are no legal provisions for getting what they want they've got effectively limitless resources to throw at the problem in the form of your favorite state intelligence agency. If they just don't want to dick around with you they'll cut off your funds and forbid companies to do business with you.

        There's no aboveboard business potential in working around a government. Why do you think nobody does it? I can assure you, the willingness, resources and technical ability to sidestep governments is there, it's there in huge quantities. Nobody does it because it's a loser, you can't win with workarounds. You can attempt to change things through the democratic process, good luck. Or you can attempt to change things through martial process. Again, good luck. But you aren't going to change anything setting up a data center in Tonga.

        1. Anonymous Coward
          Anonymous Coward

          Re: being anonymous, these services are designed to be used for illegal activity

          So what happens when you counter state with state and associate yourself with another state whose relationship with your target is cold bordering on frosty? How will the target act without drawing the spnsor's wrath?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021