Hacktivismo launches ScatterChat

un1xl0ser writes to tell us Hacktivismo has released a new chat program known as ScatterChat. It is a friendly fork of GAIM that "provides end-to-end encryption, integrated onion-routing with Tor, secure file transfers, and easy-to-read documentation." This announcement was made at HOPE, where CDs were distributed. A torrent and several screenshots are also available."

OMG I misread that at first

[LiquidCoooled]

And thought it was some kind of poo-flinging device.

protocol level

[Anonymous Coward]

For encryption to catch on it needs to be done at protocol level, IMHO. For example the unfortunately unfree project SCIM [projectscim.com]. That's the only way to really hide it from the end user, and that's what's necessary.

Re:protocol level

[ClamIAm]

When security is hidden from the user (and therefore they don't understand it at all), they have no way to tell when they've been 0wned. For further info, see almost every incident of phishing ever.

Re:protocol level

[westlake]

When security is hidden from the user (and therefore they don't understand it at all), they have no way to tell when they've been 0wned. For further info, see almost every incident of phishing ever.

True, but meaningless.

How many users need translation to understand elementary Geek-speak?

How many posters have found themselves out over their head whenever they have tried to get past the ideology of Freenet (for example) and make an independent assessment of the network?

There is no point in exposing techno

Re:protocol level

[aliquis]

I don't know what you mean with protocol level, but if you mean some form of "application protocol" I'd rather have it on transport protocol level, let me encrypt everything to the people i know (and not aswell i suppose) and trust (with signatures) =P

Re:protocol level

[Lord Kano]

If it's hidden from the user, how can a knowledgeable user verify that it's working properly?

LK

Re:protocol level

[Albanach]

That would be just like this then? [slashdot.org]

Yes we've been able to encryp network traffic to other suitably equipped machines for some years.

Re:protocol level

[Kadin2048]

I disagree. Message-level protocols like OTR [cypherpunks.ca] are very easy to use when they're implemented correctly into the software, and don't require any particular level of geekitude in order to use.

I've handled the installation, but I know of many non-technical friends who use GAIM+OTR (or Adium, which has it built-in) to communicate, without any problems. It's just like security in a web browser: when the lock icon is closed, it's secure. Nothing else is required out of the user, unless they want to turn it off or o

Tor?

[NixLuver]

Tor is a great idea. My few forays into that dimension have been, however, somewhat disappointing, speed wise. I'm not sure how well it's going to deal with a realtime app like IM. Aside from the path obfuscation provided by tor, I'm not sure how this is significantly more ... newsworthy... than OTR ( http://en.wikipedia.org/wiki/Off-the-record_messag ing [wikipedia.org] ) messaging. OTR provides "Perfect Forward Secrecy" and "Deniable Encryption", and plugins/local proxies/native support is already available in/for current IM clients.

Re:Tor?

[Crazyscottie]

I've been using Tor with Gaim for several months now, and rarely notice any slowdowns. I do occasionally get disconnected (for no more than a few seconds), but I've yet to determine whether that's because of Tor or just my crappy wireless connection.

Re:Tor?

[jamar0303]

I think it's because of Tor. It happens to me too, and I use a direct connection to my DSL modem.

Re:Tor?

[fireboy1919]

how well it's going to deal with a realtime app like IM

Considering the paths traveled, it probably isn't that good at realtime apps. It's a good thing that IM isn't a realtime app. Its just e-mail but with the delivery mechanism being the home computer rather than an smtp server that has a different delivery mechanism.
It's unlikely that many would notice an extra quarter second of lag in an instant message. Heck, with most of my conversations, there's a good minute or two between reply and response as pe

Re:Tor?

[NixLuver]

Good point. I suppose 'realtime' varies in application somewhat; at least according to Wikipedia [wikipedia.org] it does. IM is a 'soft real-time' application in my world; the value of the response steadily declines as the delay increases. For many people who don't use it daily in the course of their jobs, that is probably not the case, although I have seen a few online flirting sessions that would have been negatively impacted in proportion to the delay - maybe the square of the delay! heh. The answer to "Do you think I'

Re:Tor?

[bram]

I've been ssh'ing over tor (fascist firewall) and although it's a bit slower, it still beats the latency of a modem or *grmpf* satellite.

Not as plugin(s)?

[AnyoneEB]

Gaim is quite modular and allows plugins to do a lot. The base Gaim with no plugins supports zero IM protocols and does not even show a system tray icon. (It comes with those plugins.) Why could this not have been implemented as a plugin? I already have twoend-to-end encryption plugins installed (gaim-encryption and gaim-otr). I would not expect secure file transfers to be difficult to do as a plugin. Really, I am just not sure about TOR, but that should be submitted as a patch to the offical Gaim source tree (or, at least a patch for a way for plugins to add proxy options).

Re:Not as plugin(s)?

[AnyoneEB]

I stated in my grandparent post that I use that plugin. It does not do everything the program in the article does, though. (TOR, for one.)

Re:Not as plugin(s)?

[Chandon Seldon]

If security is important enough to screw around with Onion routing then you want to be sure all the security options are turned on all the time, and you don't want other plugins screwing stuff up.

Offical Gaim is reasonably well built to be an insecure instant messaging app, but security isn't something that you can add with a plugin.

Oh Boy!

[Anonymous Coward]

Does it come with instructions for making you own tin-foil hat?

Re:Oh Boy!

[Bing Tsher E]

It comes with a little booklet: "Select Verses From The Koran"

So basically, it's gaim-encryption and tor

[verbatim_verbose]

I don't see anything particularly interesting here. We already have gaim-encryption. You already can use tor as a proxy for gaim. So... why is this interesting?

Re:So basically, it's gaim-encryption and tor

[Anonymous Coward]

GAIM encryption doesn't provide perfect forward secrecy, for example. And to my knowledge it doesn't do message signing to guarantee authenticity. I was in the same Crypto II class at RIT as this guy, he went over a lot of the features it contains that aren't otherwise available. He made a lot of changes to basically increase the paranoia level of the security (the key sizes are immense, the aim has been security first, speed second). Not sure if he managed to find a way to use elliptic curve DSA legall

Re:So basically, it's gaim-encryption and tor

[Kadin2048]

Okay, so how is this different than Gaim+OTR?

OTR does perfect forward secrecy -- I'm not sure about the keysize -- and already has a substantial base of users out there with it installed. (Including all the OS X users of Adium, who have but to turn it on in Preferences.)

I guess the Tor thing could be a neat feature, but it still seems like the encryption could have been done with existing plugins rather than creating a new system. The last thing we need is another, mutually-incompatible, IM encryption stand

Re:So basically, it's gaim-encryption and tor

[jp10558]

Indeed, this is a big issue - it needs to be interoperable. I like to use Trillian, some of my Friends like AIM, others use GAIM... etc. I'd like a secure setup that worked between Trillian and the others!

Trillian and OTR

[Kadin2048]

While I'll bite my tongue on your choice of clients, it seems that somebody is or was working on an OTR plugin for Trillian.

You might want to read through this thread here:
http://www.ceruleanstudios.com/forums/showthread.p hp?threadid=69580 [ceruleanstudios.com]

You can almost certainly use OTR through Trillian using OTR's proxy mode [rotz.org] (where you point Trillian to the localhost as a proxy server for AIM, and OTR encrypts the messages and then sends them out to the real AOL server -- this method is AIM-only), and there does seem to

Re:Trillian and OTR

[jp10558]

Actually, I've gotten it and tried it out. It seems pretty seamless - once you install it. It's not that it's difficult - just extract the zip file to the Trillian Pro\Downloads directory.

Cerulean didn't write this plugin, so it's not restricted by them - the forum is to paying members (as the free version of Trillian doesn't support plugins, so if you haven't bought the pro version, this won't help you anyway) - but the author's site is actually here: http://trillianotr.kittyfox.net/downloads.php [kittyfox.net]

In Trillia

Re:So basically, it's gaim-encryption and tor

[UnlikelyNerd]

You're right, but ScatterChat took it a bit farther than others have. After reviewing their docs, I don't believe it would be possible to easily break this encryption scheme, due to the random data byte and block insertion, combined with dual 1024 & 256-bit public and private key exchanges. Replay won't help, nor would sniff & capture (though you could spoof another messenger by having the keys..), one still wouldn't be able to read the captured text, even if one did successfully get that far.
Ju

Speaking of IM, is anyone else having yahoo issues

[Apoptosis66]

Does anyone know why yahoo IM hasn't worked all day?

Re:Speaking of IM, is anyone else having yahoo iss

[Anonymous Coward]

Someone at Yahoo deleted "The Internet" (icon) again!

Re:Speaking of IM, is anyone else having yahoo iss

[Anonymous Coward]

Someone at Yahoo deleted "The Internet" (icon) again!

I just hope he read the internet before he took it out of the tube.

Yes, Yahoo! msgr server is down

[JemVai777]

Read more: And the Yahoo! Server goes down... [bigblueball.com]

Re:Speaking of IM, is anyone else having yahoo iss

[macadamia_harold]

Does anyone know why yahoo IM hasn't worked all day?

My guess would be that the tubes are clogged.

What About Semaphore?

[Doomedsnowball]

If I have something really important to communicate, I communicate by semaphore, you know, flag waving. Because lord knows it's more fun to communicate in awkward, clumsy ways that slow down our train of thought to a trickle. I hate to bash chatting, but it's used too often when a simple phone call would do. People spend hours chatting to communicate what could have been said in a few minutes verbally. I'm sure there are people that would argue that IM'ing allows them to keep their anonymity. But we've

Re:What About Semaphore?

[LiquidCoooled]

IM is like a face to face conversation, except usually you don't meet up with people wearing your underpants and picking your nose.

Re:What About Semaphore?

[NixLuver]

Oh, see, I think that FAR too often, people pick up the PHONE and CALL me when a tiny IM would have done the trick. I could do with a little less of that direct communication, thank you; most people talk, and talk, and talk, and say so very little; IM is asynchronous. I can address it when I feel like it, or if I'm in the middle of figuring out a particularly knotty problem with seven xterms running snoop and tcpdump on six different machines, I can IGNORE it.

Lots of people use OTR or other IM-encryption to

Re:What About Semaphore?

[Doomedsnowball]

Oh, see, I think that FAR too often, people pick up the PHONE and CALL me when a tiny IM would have done the trick.

So a tiny IM is called an email? Get off it. You didn't even grok my post. Sending a one-way communication that you can encrypt, ignore, whatever, is why we use email. Having a conversation would best be served by a phone call. Having a conversation in real-time by typing is awkward, clumsy, and basically retarded. Just because you belong to the one percent of the population that uses I

Re:What About Semaphore?

[Achromatic1978]

if I'm in the middle of figuring out a particularly knotty problem with seven xterms running snoop and tcpdump on six different machines, I can IGNORE it.

Hmmm, snoop and tcpdump - is your knotty problem working out who in the typing pool is shagging which manager?

people pick up the PHONE and CALL me when a tiny IM would have done the trick

Spoken like a true geek, "Ack, human interaction! It burns! It burns!"

The oddity of combining Tor and a keys

[gnoshi]

This strikes me as a little odd, as the use of Tor in this context seems somewhat redundant given that public/private keypairs are being used for the communication, meaning that a the participants can be easily identified in a conversation as being user A and user B. That said, the use of Tor may make it more difficult to track that back to Person A and Person B.

The problem is that because the key pairs are persistant, a user need only connect without Tor once, and suddenly it is possible to identify the person demonstratably responsible for a potentially large number of conversations.
As another person here has mentioned, OTR would have probably been a better choice due to the deniability aspect. In conjuction with Tor, this would mean that tracking (and proving) a conversation is connected to a person would be more difficult. The exception may be if users had already exchanged public keys, in which case the ability to use those public keys may be conventient. Of course, those keys can still be taken advantage of in the first-step verification of the user for OTR communication.

It seems like a good idea, just the choice of method of encrypted communication of messages seems a strange.

Re:The oddity of combining Tor and a keys

[gnoshi]

You make a valid point - encryption != digital signature.

When the system is initially setting up encryption, the public key for the user's signing key is sent.
Unless the signature keys are single-use, this reveals the user's identity. Sure, the session key protects the conversation itself, but it reveals with certainty who is involved in the conversation. Furthermore, should the conversation encryption be broken, there is no deniability.

That is my understanding based on: http://www.scatterchat.com/docs/crypto_protocol.tx t [scatterchat.com]

I've got the CD

[murph]

But am I willing to put a CD from cDc in my machine? I think not.

Re:I've got the CD

[murph]

What exactly do you think is going to happen if you do?
I'm not a good enough coder to look at the code and check for backdoors, etc. for Linux. In OSX, it'll probably ask for the admin password, whcih I won't give it. In my Windows box, I'd have to assume that it would be pwn'ed if I forgot to turn off autorun.

Trogdor?

[mr_tenor]

Erm, WTF is the Trogdor button for? (Besides burnination, obviously)

Re:Trogdor?

[ClamIAm]

trogdor was a cipher
maybe he was a cipher...key
or maybe he was just a key

but he was still TROGDOOOOR

Re:Trogdor?

[TheOneBiscuit]

You got my first laugh of the morning. =)

Re:Trogdor?

[daeg]

It's the dude's AIM icon.

One small concern

[grcumb]

I don't often flame people who do this kind of work. On the contrary, I admire, support and participate in online activism in places where dissent can be uncomfortable, to say the least. I'm normally the first to applaud and embrace these technologies. BUT:

I hope their code is better than their understanding of HTML. Their User's Guide [scatterchat.com] goes miles out of its way to break basic web functionality. It's like they're punishing the reader for not choosing PDF in the first place.

Seriously, this is more than a nitpick. If I'm going to trust these folks with information important - possibly dangerous - enough that I have a serious need to protect it, then for heaven's sake I want to know that they know what they're doing. I mean, honestly, this is emphatically not the place where anyone should tolerate hand-waving and pooh-poohing of 'minor' details.

In their own words:

ScatterChat is a HACKTIVIST WEAPON designed to allow non-technical human rights activists and political dissidents to communicate securely and anonymously while operating in hostile territory.

If you really mean this, don't you think you should fix your documentation?

Re:One small concern

[Turn-X Alphonse]

Hate to be a dick and I'm not taking sides but.

Maybe it's that way so it'll trick these evil people tracking them. I mean with a name like Hacktivist weapon it's got to be super complex so they can't give out documentation incase it gets cracked because of it!

Yes it sounds silly, but these guys seem to be in lala land so I'm guessing that maybe their excuse.

Re:One small concern

[Anonymous Coward]

They didn't go out of their way.

They did what any office drone would do for a quick html fix. Except that since they're cool, they used a cool tool.

META NAME="GENERATOR" CONTENT="OpenOffice.org 2.0 (Linux)"

So the moral of the story is: Don't use your word processor to write your hypertext markup, kids. Every time you do, God Kills a Kitten.

Re:One small concern

[killjoe]

Maybe the same people who programmed the thing didn't create the web site.

Anyway it seems like an opportunity for you to get involved and pitch in. How hard would it be to take their web page and jazz it up a little?

Re:One small concern

[linvir]

It's obvious that that HTML was generated from the PDF or some other source, meaning that their HTML skills have nothing to do with it.

<P STYLE="margin-bottom: 0in"><BR>
</P>
<P STYLE="margin-bottom: 0in"><BR>
</P>
<P STYLE="margin-bottom: 0in"><BR>
</P>
<P STYLE="margin-bottom: 0in"><BR>
</P>
<P STYLE="margin-bottom: 0in"><BR>
</P>
<P STYLE="margin-bottom: 0in"><BR>
</P>

Besides, it really [w3.org] doesn't [w3.org] matter [w3.org].

Re:One small concern-activism can be dangerous..

[UnlikelyNerd]

I concur with your comments about ScatterChat's docs, but give 'em a break; most good coders aren't the right people to document their own work. To be honest, I'm more concerned that these guys who wrote this secure IM client don't know how dangerous posting stuff like that is on their website.

This quote from their press release says it all: "...Please don't use these torrents if you are residing in America or another country where strong cryptography is considered a dangerous weapon that shouldn't be

I made something like this about a year ago...

[Afecks]

http://freehaven.net/~aphex/torch/torch.png [freehaven.net]

It is more like jabber. It uses .onion addresses to identify buddies. It is very secure.

Why a fork?

[pembo13]

I don't use Gaim myself. But I don't understand why those involved found it necessary to fork Gaim. Anyone knows?

Re:Why a fork?

[BamBamboo]

...the same to you

Encrypted IM is flawed

[NightHwk1]

I haven't installed ScatterChat yet, but I bet it suffers from the same problem as all the other encrypted IM apps. That is, it doesn't work for multiple computers that share the same accounts.

When I'm at home, if I turn on encryption for AIM, it works great. But then when I go to work and use that AIM account, everyone I talked to earlier is sending messages based on my home key, making it impossible to communicate.

The key needs to be exportable, so I can use the same key everywhere. Or, maybe there could

Re:Encrypted IM is flawed

[Lehk228]

in gaim it is easy to do that with gaim-encryption

Re:Encrypted IM is flawed

[Lehk228]

just copy your application data/gaim folder to the new computer or profile

Encryption opinion

[Black-Six]

In my opinion, the only way encryption would catch on is if it did three things:

1. Securly encrypt file data to prevent hacking at least 60% of the time.

2. Didn't consume so many resources and reduce system performance and speed to a crawl (this has been a recuring theme when stuff is encryted on my PC).

3. Could mask what is going on and make it appear as background traffic i.e. break up the data stream into several bits to speed up transfer and reduce chance of someone of figuring out what is beinging m

missing the point

[Anonymous Coward]

You guys are all missing the point, but thats alright since the article didn't tell it to you and none of you were there.

I was, so I'll be kind enough to point it out.

ScatterChat was designed for people who have reason to fear their conversations being watched. Specifically political dissadents and activists in countries where censorship is common, such as in the middle east or channel. This is to be used for them, and for reporters, and for people who are, in some way or another, are trying to save the world but don't have the time to learn about computers.

Along these lines, Hacktivismo developed a tool that runs out of the box encryption and anonomizer. They have already met with activists to help learn what the tool should do (from a user end) and to teach them how to use it. They're also working on the next version. They mentioned that they are looking for people to help with the documentation, and for the translation into other languages (mainly, Chinese and Arab).

So, don't be so harsh. While you're all here whining about how this program isn't 1337 enough for you, these guys are working on a program that will keep people out of jail just because those people have thoughts of freedom. You think it could be better? Email them and help.

tedivm

Re:missing the point

[Aladrin]

I (finally) understand WHY you guys went through the trouble to do this, but that still doesn't explain why you bothered to fork.

Why not release patches and plugins for GAIM?

And just ignore all the trolls that can't understand that some countries don't guarantee free speech. If they haven't got a clue by now, there's nothing you can do to open their eyes.

Hacktivismo to become the next superpower?

[Knights who say 'INT]

1. Develop "ScatterChat" encrypted chat.
2. Get "Visual Radio".
3. ???
4. Superpower!

Re:Hacktivismo to become the next superpower?

[redguy]

do you really really think it's funny? [mod me as "funny"]

Screenshots

[phasm42]

I like the use of "Lord Spankatron" in the screen shots.

Paranoia

[Chrax]

I'm a bit paranoid about my privacy, but damn are the guys at Hacktivismo dramatic about it. They seem to think that everything they make is a tool that will assuredly be used in a rebellion against an oppressive regime, and boy are they ever sticking it to the Man!

"ScatterChat is a HACKTIVIST WEAPON designed to allow non-technical human rights activists and political dissidents to communicate securely and anonymously while operating in hostile territory."

Hostile territory? Political dissidents? HACKTIVIST WEAPON? It's a goddamn instant messenger. Useful? Sure it would be if there weren't already GAIM plugins for encrypting your messages. But even if they weren't, it's hardly a revolutionary weapon that will stamp out tyranny.

And their Hacktivismo License? That cracks me up. "If you use this software, and you commit human rights abuses, we can sue your ass!"

Don't get me wrong, I agree with these guys on a lot of points. But with the level of drama, you'd think an allegorical The Man should be wearing a black mask over his eyes and tiptoeing around the stage stealing food from starving children and shocking prisoners' testicles.

Re:Paranoia

[mossico]

While it's a little over the top outside your cosy world there are places were censorship issues are a little more serious. While it's hardly the first encrypted IM tool it is one that doesn't require a high level of computer knowledge to get going and that is the difference.

Re:Paranoia

[TheHornedOne]

If you live in the United States, quite frankly, The Man does all but wear the monster mask.

You're only paranoid if you're wrong.

[supercrisp]

I picked up the Chicago Tribune this week. It's finally been established conclusively--after it was established no one would go to jail for it--that Chicago cops have been tying people to radiators, beating them, and (natch) shocking their balls for years. No one is going to jail. Now there's Gitmo and extraordinary rendition and telcos with big old Matrix hoses coming out the back of their heads. Journalists are disappearing in battle zones, being imprisoned. CIA agent "outed." Missing weapons of mass dece

You want drama? Here's your fucking drama:

[foreverdisillusioned]

http://upload.wikimedia.org/wikipedia/en/d/d8/Tia n asquare.jpg [wikimedia.org]

I think they have a right to be a tad dramatic.

But even if they weren't, it's hardly a revolutionary weapon that will stamp out tyranny.

If they eventually create a tool that Chinese dissedents can use to easily communicate with one another without being tracked, it could very well be such a tool.

Re:Paranoia

[Chrax]

In case any of the previous commenters check back, this is a general reply:

I'm not saying they have no legitimate complaints. I even agree with a great many of them. I just find their overly dramatic style amusing.

Did they fix Password storage?

[aknowles]

I couldn't find any reference in the 'easy to read manual' that said if they've fixed the atrocious password management in GAIM. Storing your passwords in pain text in a file is ridiculous. The gaim folks seems to spend more time defending this decision (they even made a special page about it) that they could have fixed the problem in this time. What's up with an encrypted file and ask you for your password once just like firefox does?

it's from a myspace.com user

[aknowles]

under contact on scatterchat.com the maintainer link is a myspace account

http://www.myspace.com/j_testa [myspace.com]

If a myspace page is your way of telling the world about yourself (and telling us WAY too much) then I'm not sure I want to run your software.

Secure Web Chat

[Max_W]

I developed the secure chat, which uses the JavaScript implementation of David Wheeler & Roger Needham's Block TEA (Tiny Encryption Algorithm) by Chris Veness.

The message is encrypted by the TEA algorithm, before being sent to server at the browser. The password remains only in the browser window.

The TEA is the strong encryption. Besides the source code of the Secure Chat can be viewed easily. And the data sent and received can be checked easily.

You can check it here:

http://www.enetplanet.com/sc [enetplanet.com]

Re:Secure Web Chat

[gnoshi]

That's fine and all, but your 'secure chat' uses symmetric rather than asymmetric encryption (which relies on a pre-shared key), doesn't hide the endpoints of the conversation, and provides no authentication of the other user, or any of the array of features that this tool has. Your implementation is a nice curiosity, but in the context being discussed, I don't think it is any more than that.

Re:Secure Web Chat

[Max_W]

Still this Secure Web Chat is the only chat that I trust, as I can view the JavaScript source code, I can view the data which leaves my computer in the POST variable with, for example, the Firefox extension Tamper Data.

Actually the strong encryption is done with the JavaScript until the form is submitted. And decryption is done after the data arrived to the browser.

I plan to add some more features, such as starting a new chat, etc.

It is true, it is symmetrical only. It means that the password should b

Crash galore

[Phasys]

I've been testing out this Scatterchat on a Windows XP machine, and it crashed like 10 times in 6 hours already. Not something I would use when I would want to take over the world.

Re:and how many backdoors?

[VoiceOfAnarchy]

A million. You see, despite Hacktivismo being an offshoot of the cDc focused on information rights, they are specifically interested in the contents of YOUR computer. Sure, putting backdors in would undermine the progress that has been made with Camerashy and 6/4, but archived hatemail you sent to your ex will be theirs, GODDAMIT. And afterwords, they will use it to hack China. ALL of china.