Untraceable Messaging Service Raises a Few Eyebrows

netbuzz writes "A messaging service called VaporStream announced today at DEMOfall will allow any two parties to communicate electronically without leaving any record of their interaction on any computer or server. Messages cannot be forwarded, edited, printed or saved. After they're read, they're gone."

There's always a way.

[SomeGuyFromCA]

Screenshots, anyone?

Re:

[vga_init]

http://en.wikipedia.org/wiki/Analog_hole [wikipedia.org] Always.

How "Disappearing Inc" solved this N years ago

[billstewart]

Back during the boom, a startup called Disappearing Inc made a similar system for email.
Their tech guy explained that it was really important to define the problems you're trying to solve and the problems you're *not* trying to solve. If you're trying to help cooperating users communicate privately, you can do it, but if you're trying to prevent uncooperative users from getting around it, that's probably impossible and certainly snake oil at best. They weren't trying to keep the users from breaking the system with some kind of DRM nonsense - they were building something that would let the users make sure that they didn't keep records of their email that they weren't deliberately trying to keep. It's the Ollie North email backups problem, not the Mr. Phelps problem.

Re:There's always a way.

[edmac3]

Sceenshots can be so easily be faked; who would accept screenshots as proof of anything?

Re:

[Korin43]

Logs can be faked even easier. Your point?

Re:

[Anonymous Coward]

I think it's wonderful that courts take email as valid communication, and I know from expereince that logs are almost never checked.

For those people who understand deeply SMTP and how email MTA and clients work - this gives them much power in the current legal system.

I wonder, does /. track anon post ids? Would they turn them over to the feds if were asked to?

Re:There's always a way.

[xQx]

shhhh! don't tell anyone!

I've got off three copyright cases so far by forging emails giving me express permission from the author to use the software.

And I'm halfway through a settlement case for my last de-facto relationship relying on an email 'she sent me' which explains that I can have everything!

I figure if the RIAA can do it, it's not imorral for me to do it. Besides, this Bitch deserves it.

Re:

[Thuktun]

I can't believe you dated the RIAA. [...] Was the sex any good?

Only if one likes it unwilling, bent over, and without any lube.

Re:

[afabbro]

I think it's wonderful that courts take email as valid communication, and I know from expereince that logs are almost never checked. For those people who understand deeply SMTP and how email MTA and clients work - this gives them much power in the current legal system.

I find this amazing (not that I doubt you). So you're saying if I bring a bunch of email printouts to court, they're generally accepted? My first move as the other side would be to say...

• No header? No proof.
• You have a header? Then l

Usually they grab the drives when they grab you.

[Kadin2048]

Other than cases where laptops are seized in raids (it's hard to argue you didn't type something in your own personal copy of Outlook) or the feds haul every hard drive out of a building, why does email have any value in courts at all?

I think you'll find that this is basically SOP as part of the discovery process. If you're under suspicion of anything that even remotely involves a computer, expect to have every computer seized.

That's where most of the email evidence comes from; it's not from people voluntar

no. it doesn't work like that in court

[CFD339]

I have been an expert witness in a court case related to computer logs and emails. As it happens, I was hired by the plaintiff who was suing a company who made public accusations against him. Through careful use of logs and an understanding of the technology involved, I was able to prove conclusively that what they accused him of could not be proved with the logs, and most likely did not happen (though it would have also been impossible to prove that he did not do it strictly through this data). I was a

Re:

[plague3106]

This is why I have a digital certificate and use it to sign emails I send out.

Re:

[ObiWanKenblowme]

Maybe, maybe not - it could be set up such that when you're logged in and post anonymously, an entry goes into a table with your user ID and the article ID. It would know you posted to this article, but not which post was yours. Not saying this is how it DOES work, just that there are ways to prevent you from moderating without specifically tracking your anonymous posts.

Re:

[TibbonZero]

Sceenshots can be so easily be faked; who would accept screenshots as proof of anything?
Well the judges that the RIAA has in their pocket I suppose...

^^ Mod funny!

[stunt_penguin]

That's the slickest backhanded RIAA joke i've seen here in a while. Bravo! :0)

Re:

[Anonymous Coward]

And the first time anyone anonymously threatens the President using this service, it will end up SO busted... although it will be hard to trace all 4 million of the submitted threats.

Re:There's always a way.

[firewood]

Screenshots, anyone?

Better yet. Run the whole process on virtual machines on a virtual network. Record the virtual state and I/O from outside the virtual machine/network and replay the whole process (including message display and "deletion") at your convenience.

DRM can make screenshots impossible

[roystgnr]

So all this program has to do is encrypt itself with a private key only available to DRM operating systems which support the "no screenshots of me" API. Hole plugged.

No, the real threat here is from Muslim extremists. I've heard rumors that an Egyptian named Abu Ali Al-Hasan Ibn al-Haitham is working on technology to foil such electronic protection mechanisms. If his "qamara" experiments succeed, all hope of being able to send unsavable or unforwardable messages may be lost.

Re:

[dave1791]

Cameras anyone?

Re:

[drDugan]

I'm sure what roystgnr meant was the "DRM HEAD(TM)" surgical bio-implant that is now installed by default on all new human models. This feature rich, obligatory, add-on (installed before birth) has the RJX9000 bi-directional A/V control system where external images are implanted directly onto the retinal system. Of course, due to glacactic imperitive 358947659348567 (like all legal tecxhnology systems) the DRM HEAD (TM) includes the very latest DRM from Microsoogledobepple, Inc. and responds only to veri

Re:

[Arcturax]

DRM still doesn't stop you from scribbling down the note in your death throes using your own intestines!

Re:There's always a way.

[Tim C]

Screenshots, RAM dumps, network packet dumps, video RAM dumps, running the client (or server, if I'm a rogue admin) in a VM and dumping its RAM, network data, etc; if data enters the RAM of a machine under my control, there's not a whole lot you can do to prevent me from gaining access to it. That might change with trusted computing, secure paths, etc, but even then if I'm determined and skilled enough I can hack the monitor's hardware to intercept the data at the point of display.

Or hell, I could just take photos of the screen.

This might well be secure from the average end user, but there will always be someone who can circumvent it, and in the case of a software hack, it only takes one.

Photos?

[cgenman]

Photos? Just open emacs, and write it down. Boom, bit for bit copy of the decoded message.

Somehow I don't think this a form of DRMIM.

Screenshot proves identity?

[Bayoudegradeable]

How can a screenshot prove who you're communicating with? Oh noes! Someone saved a screenshot of a chat between dudethisiscool0342 and Whistleblower45345. Whistleblower can go on and on about having a screenshot that proves! the company is hiding money for its board members... Yeah? And what good will that screenshot be? "You honor, clearly dudethisiscool10342 is the company president... because we've got a screenshot!" Good luck connecting the user with the real person.

Re:

[Matt Perry]

Screenshots, RAM dumps, network packet dumps, video RAM dumps, running the client (or server, if I'm a rogue admin) in a VM and dumping its RAM, network data, etc; if data enters the RAM of a machine under my control, there's not a whole lot you can do to prevent me from gaining access to it.

All very complicated. What about just videotaping the monitor?

Re:

[Tim C]

Which will be why I said Or hell, I could just take photos of the screen.... :)

Re:

[Mythrix]

Obviously they're going to put the message over the goatse.cx image. No one will *want* to keep the message after reading it, if they even read it.

Re:

[Rogerborg]

The thin film of snake oil coating the message reflects the light from Venus and diffracts it through swamp gas, making screenshots unpossible.

Re:

[jbert]

Just had an interesting thought.

Scanners, photocopiers and printers already (so I understand) refuse to scan/copy/print images containing the eurion constellation [wikipedia.org].

If DRM'd images were displayed with a similar type of watermarking, which digital cameras could detect, then that could close off taking photos. (Screenshots themselves won't be possible with the DRM operating system in control - the DRM'd content won't display on screen with an app capable of taking a screenshot).

OK, so you could get away with fi

In a VM?

[Grendel Drago]

Can't you get around that by running the software in a VM and screenshotting that? I'd think that would get past any tomfoolery on the guest system.

Re:

[19thNervousBreakdown]

So, the server sends you a public key. You send the server a public key. You both encrypt the data you send to the other with their public key. That data can't be decrypted without the private key that matches the public key, which never traverses the network. How exactly do you break that, short of a vulnerability in the encryption scheme or a computer the size of the Earth?

Re:

[PeterBrett]

Even "current top-of-the-line encryption schemes" are vulnerable to man-in-the-middle attacks, especially SSL and SSH (unless you're really paying attention to signature validation, which I would argue that less than 0.001% of people do).

Re:

[Kevin DeGraaf]

Please explain to me how your ISP is going to magically decrypt a message encrypted in any decent algorithm that it doesn't have the private keys for?

He/she apparently knows dick-all about cryptography and was just trolling. His/her usage of the bogus term "unencrypt" gave this away even before the BS claim itself.

Screen capture?

[rjamestaylor]

Come on. If it can be displayed or played it can be captured and preserved. Except for the money spent on such schemes, of course.

Re:

[The Great Pretender]

Bottom line is what do the producers of the service define as record. If they define the header and message being together as 'record' then separating the two destroys that 'record'. It doesn't mean that the message can't be recorded in some fashion. It's all about the advertising.

Use colours that can't be captured.

[EmbeddedJanitor]

Use colour combos that can't be captured. eg. black on black. Jeez, must I think of everything around here?

Re:

[Jesus_666]

Much easier: User DRM to ensure that the software only runs on systems without any kind of user I/O. No I/O present, no I/O can be captured.

Re:

[Anonymous Coward]

Depends on the level of your party's thief.

ScatterChat

[dshaw858]

I somehow thing that this wouldn't be totally secure. Man in the middle attacks? DNS attacks, spoofing the "web based chat"'s interface? There are lots of ways to mess this up. If I was going for anonymity and protection, I'd use Cult of the Dead Cow's newly released "hacktivism" tool, ScatterChat. It basically uses strong encryption plus Tor (optionally, I think) to make chats as close to perfectly secure as a major chat appliance has come. It's a great idea, many years in the making. I'd go with that, myself.

- dshaw

PS: No, I'm neither affiliated with ScatterChat or CDC in any way.

Re:ScatterChat

[BoRegardless]

If I want security, I will be in a noisy open Jeep at 50 mph discussing the secrets with the other person I am communicating with.

Re:

[slack-fu]

Yes but then they can at least see who you are talking to.

Re:

[ad0gg]

Thats the point of driving a jeep 50 miles an hour. No mic is going to pick it up with the wind noise.

Re:

[QuantumFTL]

If I want security, I will be in a noisy open Jeep at 50 mph discussing the secrets with the other person I am communicating with.

Unless you want the fact that you spoke to a certain person to be secret...

Re:

[kabocox]

If I want security, I will be in a noisy open Jeep at 50 mph discussing the secrets with the other person I am communicating with.

I CAN'T HEAR YOU. CAN YOU SPEAK UP!

Re:

[camt]

Sweet! Another advantage to alternative keyboard layouts!

The NSA would have only recorded: :,ddk! Alskjdo ah.alkaud ks apkdolakg.d vdtnsaoh patsfk;!

Re:

[dhasenan]

Look for it on Make next week.

Faraday Cage

[Kadin2048]

Well, generally to be effective, the holes in a Faraday cage should be less than half of the wavelength of the highest frequency that you want to block.

So if you wanted to block visible light (lambda ~= 400nm) you would have to make sure that your sheeting didn't have any holes bigger than around 200 nm.

I think sheet metal would probably work fine.

Re:

[Dekortage]

You're missing the point. VaporStream is ScatterChat, but they are going to change the splash screen.

Ctrl + C, Ctrl + V

[Sneaky G]

How do they know it's been read? Like the others, I'm sure where there's a will, there's a way, through screenshots or something. It's a nice thought, but my mama always told me never to write down anything I didn't want to be shown. You can't always prove what someone said but you can show what someone has written. I know I'm saving a few choice words that could conceivably come back and bite the person who sent the email to me.

Re:

[Just Some Guy]

It's a nice thought, but my mama always told me never to write down anything I didn't want to be shown.

My mama always told me to eat my vegetables. What exactly did your mama do for a living?

majjjjjjjy'a p

[finiteSet]

got vim?

ggyG p

[stoborrobots]

majjjjjjjy'a p
got vim?

If you're using vim, you can save yourself three keystrokes:
Vjjjjjjjy p
And if you're grabbing the whole document, you can further shorten this to:
Gygg p

One word:

[StikyPad]

Vaporware.

Er..

Bending over for a second . . .

[Orange Crush]

. . . because I'm not sure if it's easy enough to blow this smoke up my butt. Is this massively encrypted? One-time pad? The article says nothing except "no records are kept." Every machine along the path keeps a log of something. At the very least, it can be researched that two machines shouted garbled stuff at each other. How is this any more secure than current encryption methods in place? Do the relevant machines do a secret handshake via gumbyspace?

Re:

[mrex]

Well said...this article was way too light on the technical details, and I'm skeptical that this company is just hiding insecurities behind their corporate buzzword. If the system is as secure as they claim, let them tell us how it works.

not recordable

[dretay]

If I don't want there to be a record then I talk to the person... in person. Anything else, from phone calls, to letters, to "super secure one time read only" e-mails I assume will be kept for future reference somehow.

Re:not recordable

[mctk]

I just make sure both parties are really wasted. Cause if you don't remember it, it never happened. Right? ...RIGHT??

Re:

[rts008]

How can I get you as "middle-man" or mediator?
BTW-I have REALLY high tolerances, and REALLY expensive tastes!

LOL!
I like yer style!

obligatory

[CrazyJim1]

A messaging service called VaporStream

Oh, I thought it said VaporSteam, the gaming service that would allow you to play Duke Nukem Forever.

Re:

[ronanbear]

Well you can play Duke Nukem Forever but because there's no record of it you can't prove that you played it or that it's ready.

message gone!

[themushroom]

Gee, sounds like text messages and email that your average tech support person sends their customer...

*ding* "I just received my password! Er, now I can't find it."

insecure.

[cranesan]

Key to Void's Web-based VaporStream service is the fact that at no time does the body of the message and the header information appear together, thus leaving no record of the interaction on any computer or server. The message cannot be forwarded, edited, printed or saved, and, once it's been read, it disappears; nothing is cached anywhere. No attachments allowed. nothing is cached anywhere It might not be cached by the VaptoStream provider, but the ISP (or anyone with a sniffer at the service provider's ISP) can cache both the headers and message informations of all the messages and correlate them later at their leisure. Only an idiot would believe this service gives them "an electronic communications channel that leaves not a trace of its contents or the identities of the participants."

Re:

[rts008]

I was wondering about that also.
(disclaimer: I'm a n00b and all-unknowing!)
When I check my e-mail with either evolution (for my cox.net account) or hotmail, I always see who it is from, who/if it has been cc'd or bcc'd, the subject line, and whether there were attatchments.
So, isn't this all stored together at least at one point?
With the number of people running Win IE and Outlook, does this null teh whole works at a weak point?
G-mail and Google Desktop tied in with the above?

I'm not trying to flame, just a

Re:

[ShaunC]

It might not be cached by the VaptoStream provider, but the ISP (or anyone with a sniffer at the service provider's ISP) can cache both the headers and message informations of all the messages and correlate them later at their leisure.

It's not like this stuff is going to be traversing the wire in the clear. If your ISP can break SSL, you're probably using the wrong ISP...

Still traceable?

[mr_neke]

FTA:

at no time does the body of the message and the header information appear together

So, forgive me for sounding naive, but... how is the system supposed to know where the body of the message is supposed to go without a header attached? There'd have to be some kind of link between the two, and even a tenuous link can be used to track where things are going.

I hereby claim this to still be traceable, even if it is a little more difficult than you would otherwise expect.

Re:

[Jesus_666]

The body is sent to every IP address. The receiver is bound to be somewhere in there.

Re:

[camperslo]

After being used secretly for years, the RFID chips used by Wal-Mart have leaked from the landfills into the water and from there into our food supply. Now they are in all of our bodies. The current generation of RFIDs has greatly extended range through power derived from use of a coating that functions as a bio-electric fuel cell in the body. RFIDs attached to the optic nerve have been receiving firmware updates from subliminal noise data contained in network television broadcasts and online images. T

Re:

[rnelsonee]

Well yeah, but they're still technically correct. You enter the user's email address, which then gets sent to VaporStream's servers. They send you back a unique ID, which then gets sent along with your message. So the message and header are kept separate on transmission, and could be on seperate physical servers. That ID is still used to get the message to the recipiant, but the data never appears "together" on a network stream.

Making the news

[sporkme]

The article assumes (US govenrment) suspicion and pressure to kill off the project, but neither is cited. This is not news (yet anyway).
TFA:

"Good guys need confidentiality, too," notes DEMO Executive Producer Chris Shipley.

This software sounds pretty damned cool. The article does not discuss specifically end user concern over the loose security (or even outright disclosure) practices of service providers (for profit, etc.) here lately, and I think that this user is the market for this software. People just aren't tickled by the idea of companies databasing and exploiting private conversations for the purpose of ad display. While this is certainly not the first software that is able to address these concerns, this is the first time I have seen it discussed in the context of who may not like it instead of the opposite. No specific information about the mechanics of the system is given.

While the idea of governmental interest in the personal conversations is not exactly preposterous, there is an awful lot of political hype on the subject. I think that the article could have given some more insight and a lot less innuendo. Potential for controversy does not controversy make. The article is actually bracketed by assumptions.

Void Communications had better be ready for a call from Department of Homeland Security.

and

...but that's not going to stop people from raising concerns.

Could not a software roundup have given a little pertintent information in place of all the speculation?

look at it but don't blink

[icepick72]

I've tried the service and it's so advanced that if I blink it diaappears. Try reading a long letter and it's like having staring contest with a fish. I hope they have patents. This thing is awesome.

Re:

[Thisfox]

Yeah I was worried about that. What if you're a slow reader?

Microsoft has been shipping this since 2003

[Animats]

This is just another document DRM system. Microsoft has been shipping this in Office since 2003. They call it "Trustworthy Messaging [microsoft.com]. It includes 128-bit encryption and "content expiration", as Microsoft puts it.

Nothing new here.

Re:Microsoft has been shipping this since 2003

[sporkme]

Yeah, the flash demo basically states that it is headerless email, deleted on the sender system when sent, deleted on the server when downloaded, and deleted on the receiver when closed. Stripped headers mean that the sender/recipient combo is not included in the message, but exist temporarily and separately. The message can be compromised but the source cannot be determined at the recipient end, and vice-versa. The article leads one to believe that it is an instant messenger. This sort of thing was done before via anon email. Basically, it seems to be ~post as AC~ then lurk, but for your email. It has always been amusing to me when the word 'trustworthy' appears in a Microsoft title, though.

First quiery

[Anonymous Coward]

My friend, our organization has great need of your service. Will it work in middle eastern countries? How about the mountains of Pakistan? Is there a problem with arabic? We are very excited about your service and look forward to hearing from you are soon as possible. I wish we had access to it several months ago. An unfortunate incident in England could have been avoided.

Re:

[foniksonik]

This is /. if you're asking if it supports Unicode then just come right out and say it! No need to be all secretive and obtuse....

Re:

[Joe the Lesser]

Funny, but the fact remains that this provides freedom to all groups, including the pro-democracy ones in say China or Iran. I would rather give the people the power to fight for the right cause then give governments the power to suppress what they think is the wrong one.

Oh, that's easy...

[Pig Hogger]

Oh, that's easy to implement. The website calls for a Windoze vulnerability, and 10 seconds after the message is displayed, the computer BSODs...

How it works...

[chill]

"How does it work? Using your existing e-mail address, Void says its technology automatically separates the sender's and receiver's names and the date from the body of the message, never allowing them to be seen together: "VaporStream messages cannot be printed, cut and pasted, forwarded or saved, helping promote open and collaborative communications. Once read, VaporStream stream messages are gone forever." The instant a VaporStream stream message is sent, the company says, it is placed in a temporary storage buffer space. "When the recipient logs in to read their message, the message is removed from the buffer space. By the time the recipient opens it, the complete stream message no longer exists on the server or any other computer."

Anyone can go to the company's web site and sign up for the service at $39.95 per year. It is Web-based, meaning that no hardware or software purchases are required. The company also says that VaporStream is completely immune to spam and viruses."

I guess their angle is to defend against MITM attacks. If it is web based, it sounds like the sender (Adam) logs in via HTTPS and sends a message to the recipient (Betty). The service adds a unique ID to the message, strips the headers and forwards it on to Betty.

Security problems that keep the bad guys from using it? The first is the $39.95 per month fee. No sense registering with that credit card 'cause that is tracable. How about sniffing one step upstream from Void's servers for originating IPs. That'll give you who is using it. Then traffic analysis watching for outgoing e-mail messages. If it works with your existing e-mail address then it uses SMTP, which is quite possibly plain text. You can sniff the contents of the message and the recipient. Statistical analysis of the HTTPS traffic just before the SMTP intercept can probably tell you who the sender was.

Let's not even get into the whole "recent hole in OpenSSL", staging a MITM/DNS poising attack with a proxy or phishing site.

  Charles

Hardly novel technology

[saforrest]

I don't understand all the hype about this here, of all places. Obviously this is well-marketed, but unless I'm deeply misunderstanding something, it would be damned easy to achieve the same result this using various open-source tools. Something like:

1. Get a Linux box with Apache and some database engine (PostgreSQL or MySQL)
2. Make a database for user accounts and user messages.
3. Throw together some web form for users to leave messages for one another. Use SSL for all HTTP requests.
4. Write a client-side script (Java, maybe even Javascript) for user's machines that
   
   1. checks for the existence of a new message
   2. displays it when the user is ready, confirming sender using senders's public key
   3. sends authentication to the server that the message was received.
   4. prompts for a response back to the original sender, signing any response using local user's private key
   
   
5. When the server receives authentication of message receipt, delete M.

Now, there is the issue that the server database is still presumably storing messages on disk, so we aren't matching up to the featured product's boast of never writing messages to disk. Offhand, I don't see a problem with this, since I think we have to trust in the physical integrity of the server. However, there's a simple solution: keep the database on a RAM disk.

In any case, I think this whole boast of the message never being written to disk is ridiculous, because you have absolutely no assurance that some intermediate machine is not caching it in transit.

Re:

[Ant P.]

With most database software you don't even need a RAM disk. You can tell MySQL to store certain tables/DBs in RAM, dunno about Postgres but even SQLite can do it. You'd probably want to wipe the address space afterwards though.

Did I read the right article?

[Alric]

Most of you seem to be missing the point of this system. This is basically a bulletin board system with a special emphasis on deleting all traces of a message as soon as it is read by the recipient.

This is not a DRM system.

This system assumes that the sender and the recipient both want to keep the message a secret. Of course somebody can take a screenshot. Or they could just photograph the screen. Or use their brain to remember the message and then their mouth to repeat it. If your big criticsm is that this system doesn't prevent the recipient from reproducing the message, well, please just stop typing.

The point of this system is that the message itself leave no trail, unlike email or instant messaging. After the message is read, there's no ability to trace the message from the sender to the recipient, and there's very little ability to intercept the message. Sure it can be done, but the right combination of SSL and other precautionary measures should make this a fairly secure experience.

As I said, this seems to be just a suped-up BBS system. Unless I'm missing something, the technology is really nothing new or exciting. The only new thing here seems to be the marketing package, but they seem to be doing a pretty good job of providing a new service using existing technology.

Re:

[Tim C]

If your big criticsm is that this system doesn't prevent the recipient from reproducing the message, well, please just stop typing.

I did read the article, in particular this bit:

The message cannot be forwarded, edited, printed or saved, and, once it's been read, it disappears; nothing is cached anywhere.

Those of us that you're complaining about are simply pointing out that that claim is incorrect. The message most certainly *can* be saved, it just isn't by default.

I like this quote

[DK]

"The company doesn't see VaporStream being a useful tool for terrorists because it's built for one-to-one conversations, not one to a group."

Now THAT's a convincing argument.

we've had this for years

[oohshiny]

We've had this form of communication for years: it's called "number stations". And that's what you need: an encryption system that the two communicating parties know and understand, together with a public channel that you can broadcast to without being traced.

Relying on any kind of proprietary service for secure communications is achieving the exact opposite: you have no way of knowing whether these people play by the rules.

Oh nos another Dan Brown novel

[EvilMoose]

Digital Fortress... I suppose.
That book sucked. All Dan Brown books are the same but it's weird that things out of his books happen to make news years later such as this and the mechanical fly incident.

Questionable...

[mcbutterbuns]

You ever wonder if the NSA or CIA is partly behind this? How many backdoors are built into it for the to listen in. Is it open? Can I see? If not, not trustworthy

Let's do it!

[suv4x4]

Tie 'em up, transport them abroad and beat 'em up!

I mean, why *untraceable* messages unless they're terrorists that ALSO wanna distribute child porn! Sick!

------------------

Now, I've another question: you can't trace the messages, but can you trace the service was used (a protocol, a port? whatever?).

Because, since you are obviously hiding stuff from CIA and FBI, we plan to make your life a misery, y'know?

IM + Firewall = Bugz

[ThePhilips]

From RTFA:

The message cannot be forwarded, edited, printed or saved, and, once it's been read, it disappears; nothing is cached anywhere. No attachments allowed.

OMG! I'm already using it!! It's my IM client behind our corporate firewall!!!

Is it secure? One way to find out

[ajs318]

Whether or not the system is secure, can be determined by (1) reading the source code and (2) ensuring that the object code you are actually running matches the source code you read. Closed source software can never be considered secure; but neither can open source software when it is running on an untrusted third party's server.

I call "Snake oil"

[querist]

I have (just completed) a Ph.D. in Information Security (*), and I have to call "snake oil" on this one. Unless they've managed to re-write TCP and IP or have somehow managed to coordinate a one-time pad encryption key exchange (which, itself, would be loaded with security issues) I cannot see how this will work.

I suspect that this is intended to give a false sense of security while providing Big Brother a way to watch people who _think_ that their communications are secure. Digital cell phones, anyone? Yes, it is illegal to listen in on the cell phone frequencies in the USA unless you are in law enforcement, but since when are criminals interested in obeying the law except to prevent drawing attention to themselves (e.g. -- don't speed on your way _to_ commit a crime, and don't speed on the way out unless you are already fleeing from someone who spotted you).

I also suspect that the hype about the government not being pleased with this is inteded to further the false image that this is secure.

There are ways to communicate securely in the digital age, depending on how you define "securely". The longgevity of the data is critical. Being able to decrypt today's troop movement orders for tomorrow morning after six months' time is not very useful because the data will be useless after tomorrow morning. Being able to decrypt, for example, today's communication about a terror plot to take place on January 20, 2009 (the day the next new President will be sworn into office in the USA for our non-US readers) in six months would be very valuable.

You cannot make a blanket statement that a system is "secure". A system is only secure for a given use in a given context.

Again, I have to call "Snake oil" on this one.

(*) This note was added in response to a comment in the Capacitor thread yesterday about people wanting information from "qualified" individuals, therefore I felt it appropriate to state my qualifications in this area.

The perfect secret medium

[iambarry]

Sure, almost anything can be traced and tapped. If it gets translated into electronic signal, transmitted sound, or printed word, someone could intercept it. But if its transmitted via vaporware there's nothing to intercept.

Its perfectly untraceable because it doesn't exist.

Re:

[neoform]

Hmm, i would assume they've thought of that.. prehaps the chat is encrypted?

Re:

[Skrynesaver]

From their site [vaporstream.com]
Over the Internet: Your connection to VaporStream uses secure SSL technology, creating a secure line between your computer and our network.

They claim you send your destination mail address first, then separately the message, the recipient gets a notification with your address, this is discarded when the message is opened.

Nothing you'd actually call a new technology anywhere in sight but patant pending notices left and right!

Re:

[imemyself]

It could go through the company's servers. They could just not be logging anything about it.

Re:False

[Maniakes]

That's the clever bit. See, since humans are generally the weak link in security setups (see Rubber Hose Cryptanalysis [wikipedia.org]), the system doesn't show the information to any humans. In fact, it never leaves the sender's computer! It's transcribed directly into write-only memory [catb.org].

Re:

[McFadden]

Even if they try and make it more difficult to do a screen grab (disabling built in functionality like alt-print screen), what's to stop you taking out your pocket camera and just taking a quick snap of the screen in front of you? Any idiot can manage that.

Re:

[surprise_audit]

unless you're worried about Big Brother sneaking up behind you and mashing the PRNTSCRN button every five seconds or so, screenshots are NOT an issue.

What was the name of that dohickey some guy built out of parts from Radio Shack that could read the emissions from a CRT across the street and display an accurate image?? Dunno. Anyway, unlikely as it may be that this technology would be used much, it was proven that a CRT could be read remotely without even being visible.

Re:

[ajs318]

Oi! I'll have you know, I invented message tapes that self-destructed in the 1970s. The following day, I realised why they were useless.

Re:

[ajs318]

No -- that will actually happen [wikipedia.org] at 2038-01-19 03:14:07. So a bit less than 22 years to go.

Re:

[Ant P.]

Don't be stupid. My camera's LCD screen has way better contrast than my desktop.

Besides, the desktop one won't fit in my scanner...