Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Check out the new SourceForge HTML5 internet speed test! No Flash necessary and runs on all devices. ×
Encryption Communications Government Privacy Your Rights Online

Wired Profiles John Brooks, the Programmer Behind Ricochet 49

wabrandsma writes with this excerpt from Wired: John Brooks, who is just 22 and a self-taught coder who dropped out of school at 13, was always concerned about privacy and civil liberties. Four years ago he began work on a program for encrypted instant messaging that uses Tor hidden services for the protected transmission of communications. The program, which he dubbed Ricochet, began as a hobby. But by the time he finished, he had a full-fledged desktop client that was easy to use, offered anonymity and encryption, and even resolved the issue of metadata—the "to" and "from" headers and IP addresses spy agencies use to identify and track communications—long before the public was aware that the NSA was routinely collecting metadata in bulk for its spy programs. The only problem Brooks had with the program was that few people were interested in using it. Although he'd made Ricochet's code open source, Brooks never had it formally audited for security and did nothing to promote it, so few people even knew about it.

Then the Snowden leaks happened and metadata made headlines. Brooks realized he already had a solution that resolved a problem everyone else was suddenly scrambling to fix. Though ordinary encrypted email and instant messaging protect the contents of communications, metadata allows authorities to map relationships between communicants and subpoena service providers for subscriber information that can help unmask whistleblowers, journalists's sources and others.
This discussion has been archived. No new comments can be posted.

Wired Profiles John Brooks, the Programmer Behind Ricochet

Comments Filter:
  • by Anonymous Coward
    Any software developer working in the United States on secure communications can too easily be compromised with an NSL. If you want your project to be trustworthy, not only does it need to be rigorously audited, but all developers and hosting should be based outside the US as well.
  • Metadata (Score:5, Insightful)

    by sexconker ( 1179573 ) on Sunday September 21, 2014 @01:32PM (#47959539)

    How exactly do you solve the problem of metadata on TCP/IP networks? Metadata is how these networks operate.

    Every packet has an origin that will be traceable to the source ISP. If you're on your own connection, you're fucked.
    If you're on your own connection and you VPN to some other connection it's just a matter of how much effort the powers that be want to waste tracking you down. Any schlub can run a Tor node, so you get nothing there. And of course, you have to initiate that connection from somewhere.

    The only way to truly hide is to use someone else's connection (without their knowledge), with a different spoofed MAC every time. Everything else is just obfuscation. We already know every fucking packet touching a major telecom is logged in the US, and we have damned good reason to believe it's true world-wide.

    • Re:Metadata (Score:5, Interesting)

      by ledow ( 319597 ) on Sunday September 21, 2014 @01:42PM (#47959585) Homepage

      There isn't a solution to that. You have to talk to other points, and you have to do so from a connection you are on. That information, on ANY network in the world, is inevitable.

      The only thing you can do is obscure it as much as possible so that people can't tell WHAT you did over the connection, or WHAT you passed to those others. They will be able to know who they were, but unless you can introduce sufficient plausible deniability (with Tor, that's just by using random people as the next hop), you can't do anything about that.

      I don't think that's a problem we should waste time trying to solve. You aren't going to be able to obscure your endpoint's knowledge when 100% of the time someone is paying money for that endpoint to be connected to other endpoints. We do not have a darknet.

      But it's also not that big a deal. With proper encryption and enough fake / routing data running through your connection with that encryption (and PFS), it's meaningless. All that can happen is someone can say "you were online, and so was John". If that's enough to convict you, you have bigger problems than the protocol of the network you used.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        Keep in mind that there are two distinct use-cases for surveillance:

        1) An entity "encounters" your traffic on the wider internet and wants to track/trace it back to a physical person.

        2) An entity knows who and where you are and wants to know what you do on the wider internet.

        The way you work around these two cases are fundamentally different and require different tools.

        For example, a good VPN connection will help you defeat (2), assuming the entity is unable to escalate to monitoring your VPN. Think workpla

      • There isn't a solution to that. You have to talk to other points, and you have to do so from a connection you are on. That information, on ANY network in the world, is inevitable.

        Hmm. Depending on the kind of traffic, and provided that public key encryption were used in a way similar to PGP, wouldn't a multi-hop transfer offer a solution? Provided that the level of traffic would be sufficient to scramble the time correlation of messages exchanged...

    • The MAC spoofing isn't important unless you believe the router is being monitored*. It doesn't go beyond the router. Segment only.

      *If you use any commercial wifi point, it probably is for legal reasons.

    • Solve isn't the best word... It's more like a good fix. As long as your encryption is good, it's secure. If the NSA has secret quantum computers or something you're doomed.

      The way tor works, there are 3 proxies you go through.
      Entry node
      Middle node
      Exit node

      The entry node knows who you are, but not what you want to do or what your exit node is. It sends your request to the middle node.
      The middle node knows your entry and exit nodes, but not your identity or where you want to go. It forwards what you want to d

    • Re: (Score:3, Informative)

      A possible solution, only practical for small messages, would be a merge of a public message board with encryption. You would be able to decrypt only the messages sent to you, among the hundreds that you would have to download - just to verify which ones you can decrypt.
      In such environment there is no open metadata identifying "To" and "From." You encrypt the message to "To" and it is added to a group of messages.

      Of course there must be methods to limit the groups sizes, and to allow you to find which group

  • by gregthebunny ( 1502041 ) on Sunday September 21, 2014 @02:05PM (#47959735) Journal
    I thought maybe he was the guy behind the Half-Life mod Ricochet [wikipedia.org].
  • by Anonymous Coward

    How did dude drop out of school at age 13 when education is compulsory to age 16? I wish the story had explained that detail. What country is this dude a citizen of?

  • I was thinking about the epic ego platform shooter based on Goldsrc

The following statement is not true. The previous statement is true.