Announcement

https://lookingglass.email

What is the big idea?
Crazy strong email security that is crazy easy to roll out.
Everything else either requires a pair of computer geniuses, or
does not offer the same level of security.

Why this instead of regular email?
Because you have tried to get crypto working in the past and it
has been an enormous pain in the ass.
Because you want your communications to go dark but don’t have
time for hours of training.

How crazy easy?
The tradeoff right now is either spend a few bucks (under fifty)
for the hardware, or learn enough to install the software on your
machine.
Once you get it running, it is just like webmail – you go to a
local website with your browser.

Who are you?
Somebody that’s been around the community a few years, trying to
train people up on secure online communications.

How much?
Code is free, under ten minutes to set up once that has been
downloaded.

Anything else?
LookingGlass is a platform we can grow: software radio mux,
online reputation broker, whatever the community wants to see.

28 responses to “Announcement”

  1. Thank you, CA.
    Worked hard on this – those that were in the beta tests have been giving very positive feedback.
    I’ll lurk if anyone has Qs.

  2. Grenadier1

    Maybe encourage people to purchase the Pi and other materials then meet face to face to load the stuff up and set up.

    I think this is really awesome but I think some folks are still going to have a hurdle to get over. If someone can walk them through the set ups that would be helpful for the less IT inclined.

    • If there is genuine interest I can get the logistics going to snail mail preformatted SD cards / complete Pi packages.

      Running this thing with virtualbox (which is also free) probably won’t be rocket surgery to someone that can run a smartphone. If we want to fire up a cryptocat classroom, I’m more than willing.

      Making this easy to use is where 80% of the sweat went. You exchange covernames with your contact, and it negotiates the rest. This isn’t just GPG, either – it’s forward secret.

      https://lookingglass.email/technical-brief.html

  3. Looks good. Does it matter which model Raspberry Pi?

    • I do the dev work on a B which means it should be compatible with all the others.
      The VMDK disk image is the same code, with a different kernel to run virtualized – all my code is exactly the same.
      The Pi does have a HWRNG, which gets used if it’s detected – that’s it.
      I have not tried this on a Pi2 – waiting for the brown truck of happiness.

  4. Friend of Mosby

    Can this be set up on Android devices?

  5. This stuff really isn’t THAT complicated, don’t fear a few extra steps to cover your tracks and keep your wife from finding out about your mistresses. A few iterations of this, and you and your mistress will be able to share intimate pictures of your favorite vacation destinations, unmentionables, and acquisitions without fear of casual observation.

    – grab a tiny cheap thumb drive, pay cash
    – download “openssl”

    – type your email in a text editor
    – save it to the thumb drive, name it “email.txt”
    – run this to encrypt it:
    openssl aes-256-cbc -a -salt -in email.txt -out email.txt.enc -e
    – enter a long and complicated passphrase twice that you’ve previously shared with your partner
    – attach the file “email.txt.enc” to your email note and send it away.
    – rinse and repeat for any other files in the payload, even pictures and movies
    – delete the original files and the encrypted versions of them
    – wipe the free space on the drive to eliminate the email.txt file and other files from disk (deleting a file is not wiping it off disk!)
    – Your partner receives the email, saves the attachment to her tiny thumb drive, runs:
    openssl aes-256-cbc -a -out email.txt -in email.txt.enc -d
    – read the resulting clear text message
    – delete both the email.txt and email.txt.enc
    – wipe the free space on the drive
    – both of you reboot

    You wipe a disk clean by overwriting every free block with data at least three times. In truth, once is usually enough, twice is as good as once, and three times’ the charm. Formatting often isn’t enough. Stuff like FreeEraser (can overwrite 35 times 😉 ) or Eraser, or any number of other applications works IF you trust the publisher.

    As for this product, looks interesting, downloaded the VMDK and will give it a try.

    • That scheme has numerous gotchas – it is a far sight better than plaintext emails, but we can do much better with more user-friendliness.
      At the very least, symmetric encryption is not good for long term contacts. Please don’t do this. Key compromise will undo all that work.
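
The reply's point about key compromise, shown as an added example that is not part of the original thread and is not LookingGlass code. A one-way hash ratchet stands in for forward secrecy here as an assumption (the page does not say how LookingGlass achieves it), and the toy cipher, passphrase, salt and messages are constructed for illustration.

```python
import hashlib, hmac, os

def _sub(key: bytes, label: bytes) -> bytes:
    """Derive an independent subkey from `key` for one purpose."""
    return hmac.new(key, label, hashlib.sha256).digest()

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (HMAC-SHA256 in counter mode); illustration only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(key: bytes, msg: bytes) -> bytes:
    """Encrypt then MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = _xor_stream(_sub(key, b"enc"), nonce, msg)
    return nonce + ct + hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    """Return the plaintext, or None if `key` is not the key that sealed `blob`."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(_sub(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    return _xor_stream(_sub(key, b"enc"), nonce, ct)

def ratchet(key: bytes) -> bytes:
    """One-way step: the next key is computable from this one, never the reverse."""
    return _sub(key, b"ratchet")

def readable_after_theft(use_ratchet: bool, messages) -> int:
    """Send `messages`, then hand the sender's current key to an eavesdropper
    who recorded every ciphertext; return how many past messages they can read."""
    # Constructed passphrase and salt, standing in for the pre-shared secret.
    key = hashlib.pbkdf2_hmac("sha256", b"constructed passphrase", b"constructed-salt", 100_000)
    recorded = []
    for m in messages:
        recorded.append(seal(key, m))
        if use_ratchet:
            key = ratchet(key)  # the old key is discarded after each message
    return sum(unseal(key, blob) is not None for blob in recorded)

MESSAGES = [b"meet at 0900", b"bring the radio", b"route changed"]  # constructed

if __name__ == "__main__":
    print("static key:", readable_after_theft(False, MESSAGES), "of", len(MESSAGES))
    print("ratcheted :", readable_after_theft(True, MESSAGES), "of", len(MESSAGES))
```

A symmetric ratchet like this only protects messages sent before the theft; anything sent afterwards is still readable from the stolen key.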

  6. Three people can keep a secret if 2 of them are dead and no one used email, ever.

    Do appreciate the effort though and I’ll confess I like the end to end concept but man, I would not be willing to bet a drone strike on it. That’s just me old paranoid asshole who’s already marked for death by the regime anyway for spouting off his mouth and showing up at protests.

  7. Will it run under Wine in a Linux box?
    The Pi is running Linux isn’t it?

    • The Pi distro is a stripped-down Raspbian, yes.
      You can run it under Virtualbox which has packages for most distros.

  8. Alfred E. Neuman

    Reblogged this on The Lynler Report.

  9. Great idea LastBox. Check in with informops too. And SC III too.

  10. outlawpatriot

    I wish I understood this stuff.

    I don’t.

    But I can work an AR.

    Hope that’s enough. 🙂

  11. how opportune! i’m just pulling together things to make a little server for my own nefarious needs from my big box of unused computer crap. was going to throw in “mail-in-a-box” (https://mailinabox.email/) onto mint because i’m such a lazy bastard when it comes to playing console cowboy. “proof of concept” project, but this might be a good excuse for my first raspberry project. probably try the vm version first because that might be quick and dirty. everybody has time for concurrent projects on the side, right? we all should be exploring things we can do to decentralize the web while it is still legal to do so. making and running your own server isn’t as painful as a weekend visit from the in-laws. plus it’s got that little plug on the back when you get tired of it. the enforcement board for net neutrality probably won’t be happy with us though. not going to worry too much about that though until i see them seize hillary’s little server.

    • There’s a .deb package as well, but it’s a much bigger pain in the ass to install – I make the disk images to save people that.
      Virtualbox would probably be the best for dedicated hardware like that, at present.
      If you need an assist, ping me, please.

  12. NightWatcher

    LB:
    I got VirtualBox running, but when I “boot” from the Virtual Machine Disk, I get a GRUB error:

    error: hd0 read error
    Entering rescue mode…
    grub rescue>

    Any suggestions?

    • Sorry for the bother – seen that happen a few times when something hiccuped with the download.
      Check VM checksum and possibly re-download. Sounds like the image got hosed in transit.
      Next go round take a snapshot before boot, so you can recover should things go sideways.

      • NightWatcher

        LB:
        Thanks for the reply. I figured as much, and re-downloaded the VMDK (takes about 3hrs via Tor).

        The new copy seems to boot, now the fun begins.

  13. Different Anonymous

    Congratulations on your accomplishment!

    Please don’t take this personally, but Snowden showed there are Bad People in the computer field who are both competent and patient. Suppose you are one of them? Suppose at boot your distribution synchronized time with an NTP server no one else used. Suppose you leaked the ethernet address of the Raspberry Pi by hiding it in the time fields of the first few NTP packets. That gives you a list of dissidents with super-secret computers. This could be more compromising than if there were no super-secret computer at all. If the Bad People want, they can simply smear those dissidents for having a Terrorist Secret Communications Device until the press, public, and most juries will convict.

    A counter is to demonstrate you had no opportunities to sneak in bad stuff. Publicize your distribution build process, and release a script that changes some widely-known distribution into your super-secret distribution. Show that bad stuff would have had to be dropped in far upstream, which increases the cost of the attack.

    http://cm.bell-labs.com/who/ken/trust.html

    https://www.schneier.com/blog/archives/2006/01/countering_trus.html

    • Different Anonymous

      Oops, in re-reading that I think I overstated the de-anonymizing threat of a Raspberry Pi ethernet address; I don’t think it points back to a person very well. It’s not a wireless ethernet so it isn’t gathered by google and starbucks; you aren’t running a browser on the Pi to give the ethernet to advertisers; and a Pi is not a business class machine that the manufacturer wants to remember the ethernet for remote management.

    • Different Anonymous

      If you plug the Pi into a business or a university, the Pi ethernet address will be noted as yours:

      http://its.yale.edu/services/wifi-and-networks/registration-devices

      Question is, do the mainstream home Internet cable and dsl modems make the customer-side ethernet addresses centrally searchable?

      Maybe the Pi’s hardware allows the ethernet address to change, then it could be changed every hour to something random. Chaff is an improvement.