Pirate Bay bod and pals bag $100k to craft NSA-proof mobe yammer app

Can't do anything about backdoored phones, though

Pirate Bay co-founder Peter Sunde and his pals have raised $114,000 to develop a snoop-proof mobile messaging app dubbed Hemlis.

Heml.is (which means "secret" in Swedish) is designed as an encrypted, privacy-safeguarding alternative to popular smartphone chat software, such as WhatsApp and iMessage. The plan is to build a messaging tool for iPhones and Android that will be free to use for sending texts, but will cost an unspecified amount of cash to subscribe to as-yet undefined value-added services (which might include functions like firing off encrypted multimedia messages and the like).

The hope is to make the software open source, but this too remains unconfirmed.

The project was launched this week and exceeded its fundraising target of $100k in 36 hours. Its programmers - Leif Högberg, Linus Olsson and Sunde - promise to use the donated funds only for development costs and infrastructure to support the project (as well as coffee for the coders). People who donate cash to the effort can reserve a username for the service and will receive codes to unlock special features when the software is eventually released.

Heml.is was conceived in response to revelations of US spooks monitoring the world's internet communications and the tapping of fibre-optic cables by Western agents. Details of this mass surveillance by the American government were leaked by ex-NSA contractor-turned-whistleblower Edward Snowden.

The developers of Heml.is say they would rather shut down their project than obey orders to disclose their users' data, orders issued by a secret US court under the Foreign Intelligence Surveillance Act, which compels internet giants to share their bytes with Uncle Sam. The team stated:

Companies like Facebook, Twitter, Apple and Google have been forced to open up their systems and hand out information about their users. At the same time they have been forbidden to tell anyone about it!

We're building a message app where no one can listen in, not even us. We would rather close down the service before letting anyone in.

For now Heml.is remains purely slideware. The intended user interface looks pretty in the above publicity video, but what's more important is whether the application will be truly secure. Sunde et al promise to carry out "audits from trusted third parties on our platforms regularly, in cooperation with our community", but it's unclear whether this will include peer review of the software itself: the cryptography involved may somehow be flawed.

After all, the security bugs recently found in chat tool Cryptocat are a reminder of how subtle errors in pseudo-random number generators and other crucial code can render a program insecure: Cryptocat created weak key pairs, which left its group chat feature vulnerable to eavesdropping for months if not years.

It is understood Heml.is will be built on a foundation of proven technologies, such as Extensible Messaging and Presence Protocol (XMPP) with PGP. Messages will be deleted from the service's central computers after they are delivered, we're told. "Messages will only be stored on our end until they have been delivered to the recipient. We might add support for optional expiry times to messages, in which case messages would be stored until they had been delivered or they expire. Whichever comes first," the trio stated.

Secure mobile messaging applications, such as Silent Circle, and protocols, such as OTR (Off-the-Record Messaging, an instant messaging encryption system), already exist. Sunde and co argue there's a gap in the market for a privacy-protecting app that's nonetheless easy to use. The programmers highlight the usability shortcomings of OTR that they aim to address with a more user-friendly app:

Even though we love OTR it's not really feasible to use in a mobile environment. The problem is that OTR needs both parties to be online for a session to start, but a normal phone would not always be online. It would not work at all for offline messages either.

The developers of Heml.is acknowledge that the app is only secure provided the smartphone running the software is clean of malware and not compromised in some other way. The same limitation applies to every phone messaging app we've come across, including Silent Circle.

It's not clear where Heml.is's servers will be based as yet, although the developers have naturally ruled out the US as a possibility. "Our goal with HemlisMessenger is to give a safe alternative to SMS, MMS, WhatsApp, Kik etc. Technology and jurisdiction matters, we know both," Sunde said in a Twitter update on the project.

Sunde - who helped start up the wildly popular file-sharing website Pirate Bay - has some form in developing privacy-protecting internet technologies in the shape of his consumer-focused iPredator VPN, which has been running for five years. However, Swedish online payment services provider Payson recently stopped handling requests to pay for iPredator VPN and four other similar services in Sweden using either Mastercard or Visa card payments. The issue, which means iPredator VPN customers need to go through the chore of paying using either bank transfer or Bitcoin, remains unresolved, according to the latest update from iPredator.

Similar funding problems could become an issue for Heml.is although this is by no means certain and, even if it happens, workarounds might be devised. The successful funding of Heml.is perhaps shows that this might be not that much of a problem in practice. ®
