From the website:
ScatterChat is a HACKTIVIST WEAPON designed to allow non-technical human rights activists and political dissidents to communicate securely and anonymously while operating in hostile territory. It is also useful in corporate settings, or in other situations where privacy is desired.
Its security features include resiliency against partial compromise through perfect forward secrecy, immunity from replay attacks, and limited resistance to traffic analysis... all reinforced through a pro-actively secure design.
So the client is a "friendly-fork" of Gaim, it uses Tor to achieve anonymity, and for the crypto parts (secure messaging, secure file transfer) ScatterChat uses libgcrypt.
It's a cross-platform application available for Linux, Windows; support for other OSes is planned (Mac OS X, others).
You can always download the source code, of course, as it's free software. Actually, not quite. While ScatterChat itself is based on the GPL'd Gaim, it has to be GPL'd, too. However, the scatterchat-module package, which seems to contain the crypto-parts, is licensed under a custom "Hacktivismo Enhanced-Source Software License Agreement" (HESSLA) right now, which is so horribly long I didn't even bother reading it.
However, the README says:
I am open to the possibility of re-licensing parts of this library to GPL, BSD, public domain, or some other license. I cannot make any promises, but I will try to accomodate reasonable requests.
I'm going to do just that, email the author and ask him nicely to change the license to some sane, well-known free software license. If you feel similar, please let the author know (hint, hint). Depending on what the HESSLA really says, it might prevent ScatterChat from entering Debian, for example.
I haven't yet tried to use the application, but it sure looks like it has a lot of potential. It also seems do most security-related things right:
Of course that's no guarantee that it's secure; I hope some crypto-gurus look over it soon. But at least they didn't make obvious stupid mistakes we've all seen in many other pieces of software.
Anyways, I feel this is a real important project which will help lots of people (activists, political dissidents, normal people like me and you who value their privacy). Go check it out!
(via Boing Boing)
I'm probably not the first one to notice this, but you can actually use Google Earth anonymously (upon first glance at least) over Tor. It seems all the traffic (downloads of maps and textures etc.) goes over port 80 (http) and 443 (https), which can easily be anonymized with Tor (read an older post of mine for details on Tor).
export http_proxy=http://127.0.0.1:8118/ export HTTP_PROXY=http://127.0.0.1:8118/
and set up Privoxy and Tor correctly, then start Google Earth in the same xterm and you're done. I haven't looked closely at the protocol Google Earth uses (any articles available on that?) but upon a quick glance in Ethereal / Wireshark all traffic is torified, not even DNS requests are leaked. Technical explanation: the Google Earth binary uses libcurl internally, which honors the
http_proxy environment variable.
However, that's not a guarantee that you're 100% anonymous, as Goole Earth could send some unique identifier (e.g. MAC address, hard drive ID etc.) to their servers which would spoil your anonymity.
Btw, I actually discovered this accidentally because I have the above HTTP_PROXY lines in my
.bashrc, so most of my HTTP traffic is anonymized by default...
OK, so Goole has finally released a first version of Google Earth for Linux (beta, of course).
~/.lokidirectory is created with some stuff in it.
~/.googleearth/crashlogsdirectory contains log files which are generated when the application crashes, and sent to Google upon the next restart of the application automatically. The README says that you should basically
chmod 000 ~/.googleearth/crashlogsif you don't want that. They say these files don't contain personal information. I haven't seen one yet (didn't crash, yet), so I cannot tell if that's true.
I'll have to play around with it a bit more, maybe it's an issue with the NVIDIA drivers or something. But as I don't have the source I can basically just make stupid guesses...
(via Golem, and a bunch of other sites)
Both exploits are possible because the input of the programs is not properly (or at all) sanitized. Basically, they call
$wget_cmd is shell (/bin/sh) code which shall download a file via wget. As the
$wget_cmd string contains contents from an untrusted source (HTML/XML on some random server), this results in an "arbitrary code execution" vulnerability, the worst-case scenario you could imagine.
If someone is naive enough to even run such a podcatcher as root, this means a remote root exploit!
Anyways, the RedTeam is definately correct in saying that more and more people start listening to podcasts, and more and more podcatchers are written. But few of them are written with security in mind, which leaves many listeners at risk... I wonder how popular closed-source podcatchers such as iTunes are affected here. Are there any published audits/audit-results (black-box auditing, obviously, as you don't have the source code) for iTunes?
As for Free Software implementations... consider this a call for reviews and audits! If you know/use one of the many podcatchers (or an RSS feed aggregator, which are affected by similar issues), and have some knowledge on secure programming, get the source and review the application. Make the software you use, and the world at large, a little safer.
I'll definately have a look at the programs I'm using soonish...
This is just too funny not to blog about it...
You might have heard that the mafia boss Bernardo Provenzano has been arrested recently. Now people found out that he used some "cryptography" in his messages to relatives and so on. They were decrypted pretty fast: Mafia Boss's Encrypted Messages Deciphered.
"Looks like kindergarten cryptography to me. It will keep your kid sister out, but it won't keep the police out. But what do you expect from someone who is computer illiterate?" security guru Bruce Schneier, author of several books on cryptography, told Discovery News.
(via Bruce Schneier)