Pirate Bay bod and pals bag $100k to craft NSA-proof mobe yammer app

Can't do anything about backdoored phones, though

Pirate Bay co-founder Peter Sunde and his pals have raised $114,000 to develop a snoop-proof mobile messaging app dubbed Hemlis.

Heml.is (which means "secret" in Swedish) is designed as an encrypted, privacy-safeguarding alternative to popular smartphone chat software, such as WhatsApp and iMessage. The plan is to build a messaging tool for iPhones and Android that will be free to use for sending texts, but will cost an unspecified amount of cash to subscribe to as-yet undefined value-added services (which might include functions like firing off encrypted multimedia messages and the like).

The hope is to make the software open source, but this too remains unconfirmed.

The project was launched this week and exceeded its fundraising target of $100k in 36 hours. Its programmers - Leif Högberg, Linus Olsson and Sunde - promise to use the donated funds only for development costs and infrastructure to support the project (as well as coffee for the coders). People who donate cash to the effort can reserve a username for the service and will receive codes to unlock special features when the software is eventually released.

Heml.is was conceived in response to revelations of US spooks monitoring the world's internet communications and the tapping of fibre-optic cables by Western agents. Details of this mass surveillance by the American government were leaked by ex-NSA contractor-turned-whistleblower Edward Snowden.

The developers of Heml.is say they would rather shut down their project than obey orders to disclose their users' data, orders issued by a secret US court using the Foreign Intelligence Surveillance Act, which compels internet giants to share their bytes with Uncle Sam. The team stated:

Companies like Facebook, Twitter, Apple and Google have been forced to open up their systems and hand out information about their users. At the same time they have been forbidden to tell anyone about it!

We're building a message app where no one can listen in, not even us. We would rather close down the service before letting anyone in.

For now Heml.is remains purely slideware. The intended user interface looks pretty in the publicity video, but what's more important is whether the application will be truly secure. Sunde et al promise to carry out "audits from trusted third parties on our platforms regularly, in cooperation with our community", but it's unclear whether this will include peer review of the software itself: the cryptography involved may somehow be flawed.

After all, the security bugs recently found in chat tool Cryptocat are a reminder of how subtle errors in pseudo-random number generators and other crucial code can render a program insecure: Cryptocat created weak key pairs, which left its group chat feature vulnerable to eavesdropping for months if not years.

It is understood Heml.is will be built on a foundation of proven technologies, such as Extensible Messaging and Presence Protocol (XMPP) with PGP. Messages will be deleted from the service's central computers after they are delivered, we're told. "Messages will only be stored on our end until they have been delivered to the recipient. We might add support for optional expiry times to messages, in which case messages would be stored until they had been delivered or they expire. Whichever comes first," the trio stated.

Secure mobile messaging applications, such as Silent Circle, and protocols, such as OTR (Off-the-Record Messaging, an instant messaging encryption system), already exist. Sunde and co argue there's a gap in the market for a privacy-protecting app that's nonetheless easy to use. The programmers highlight the usability shortcomings of OTR that they aim to address with a more user-friendly app:

Even though we love OTR it’s not really feasible to use in a mobile environment. The problem is that OTR needs both parties to be online for a session to start, but a normal phone would not always be online. It would not work at all for offline messages either.

The developers of Heml.is acknowledge that the app is only secure providing the smartphone running the software is clean of malware and not compromised in some other way. The same limitation applies to every phone messaging app we've come across, including Silent Circle.

It's not clear where Heml.is's servers will be based as yet, although the developers have naturally ruled out the US as a possibility. "Our goal with HemlisMessenger is to give a safe alternative to SMS, MMS, WhatsApp, Kik etc. Technology and jurisdiction matters, we know both," Sunde said in a Twitter update on the project.

Sunde - who helped start up the wildly popular file-sharing website Pirate Bay - has some form in developing privacy-protecting internet technologies in the shape of his consumer-focused iPredator VPN, which has been running for five years. However, Swedish online payment services provider Payson recently stopped handling requests to pay for iPredator VPN and four other similar services in Sweden using either Mastercard or Visa card payments. The issue, which means iPredator VPN customers need to go through the chore of paying using either bank transfer or Bitcoin, remains unresolved, according to the latest update from iPredator.

Similar funding problems could become an issue for Heml.is although this is by no means certain and, even if it happens, workarounds might be devised. The successful funding of Heml.is perhaps shows that this might be not that much of a problem in practice. ®
