Pirate Bay bod and pals bag $100k to craft NSA-proof mobe yammer app

Can't do anything about backdoored phones, though


Pirate Bay co-founder Peter Sunde and his pals have raised $114,000 to develop a snoop-proof mobile messaging app dubbed Hemlis.

Heml.is (which means "secret" in Swedish) is designed as an encrypted, privacy-safeguarding alternative to popular smartphone chat software, such as WhatsApp and iMessage. The plan is to build a messaging tool for iPhones and Android that will be free to use for sending texts, but will cost an unspecified amount of cash to subscribe to as-yet undefined value-added services (which might include functions like firing off encrypted multimedia messages and the like).

The hope is to make the software open source, but this too remains unconfirmed.

The project was launched this week and exceeded its fundraising target of $100k in 36 hours. Its programmers - Leif Högberg, Linus Olsson and Sunde - promise to use the donated funds only for development costs and infrastructure to support the project (as well as coffee for the coders). People who donate cash to the effort can reserve a username for the service and will receive codes to unlock special features when the software is eventually released.

Heml.is was conceived in response to revelations of US spooks monitoring the world's internet communications and the tapping of fibre-optic cables by Western agents. Details of this mass surveillance by the American government were leaked by ex-NSA contractor-turned-whistleblower Edward Snowden.

The developers of Heml.is say they would rather shut down their project than obey orders to disclose their users' data, orders issued by a secret US court using the Foreign Intelligence Surveillance Act, which compels internet giants to share their bytes with Uncle Sam. The team stated:

Companies like Facebook, Twitter, Apple and Google have been forced to open up their systems and hand out information about their users. At the same time they have been forbidden to tell anyone about it!

We're building a message app where no one can listen in, not even us. We would rather close down the service before letting anyone in.

For now Heml.is remains purely slideware. The intended user interface looks pretty in the above publicity video, but what's more important is whether the application will be truly secure. Sunde et al promise to carry out "audits from trusted third parties on our platforms regularly, in cooperation with our community", but it's unclear whether this will include peer review of the software itself: the cryptography involved may somehow be flawed.

After all, the security bugs recently found in chat tool Cryptocat are a reminder of how subtle errors in pseudo-random number generators and other crucial code can render a program insecure: Cryptocat created weak key pairs, which left its group chat feature vulnerable to eavesdropping for months if not years.

It is understood Heml.is will be built on a foundation of proven technologies, such as Extensible Messaging and Presence Protocol (XMPP) with PGP. Messages will be deleted from the service's central computers after they are delivered, we're told. "Messages will only be stored on our end until they have been delivered to the recipient. We might add support for optional expiry times to messages, in which case messages would be stored until they had been delivered or they expire. Whichever comes first," the trio stated.

Secure mobile messaging applications, such as Silent Circle, and protocols, such as OTR (Off-the-Record Messaging, an instant messaging encryption system), already exist. Sunde and co argue there's a gap in the market for a privacy-protecting app that's nonetheless easy to use. The programmers highlight the usability shortcomings of OTR that they aim to address with a more user-friendly app:

Even though we love OTR it’s not really feasible to use in a mobile environment. The problem is that OTR needs both parties to be online for a session to start, but a normal phone would not always be online. It would not work at all for offline messages either.

The developers of Heml.is acknowledge that the app is only secure providing the smartphone running the software is clean of malware and not compromised in some other way. The same limitation applies to every phone messaging app we've come across, including Silent Circle.

It's not clear where Heml.is's servers will be based as yet, although the developers have naturally ruled out the US as a possibility. "Our goal with HemlisMessenger is to give a safe alternative to SMS, MMS, WhatsApp, Kik etc. Technology and jurisdiction matters, we know both," Sunde said in a Twitter update on the project.

Sunde - who helped start up the wildly popular file-sharing website Pirate Bay - has some form in developing privacy-protecting internet technologies in the shape of his consumer-focused iPredator VPN, which has been running for five years. However, Swedish online payment services provider Payson recently stopped handling requests to pay for iPredator VPN and four other similar services in Sweden using either Mastercard or Visa card payments. The issue, which means iPredator VPN customers need to go through the chore of paying using either bank transfer or Bitcoin, remains unresolved, according to the latest update from iPredator.

Similar funding problems could become an issue for Heml.is, although this is by no means certain and, even if it happens, workarounds might be devised. The successful funding of Heml.is perhaps shows that this might not be that much of a problem in practice. ®
