Feeds

How Dark Mail Alliance hopes to roll out virtually NSA-proof email next year

El Reg chats to cofounder Jon Callas

Protecting against web application threats using SSL

The Dark Mail Alliance has revealed more details of plans to build a secure, encrypted email system that's surveillance-proof, provided the user's machine isn’t already pwned.

Jon Callas, CTO of Silent Circle and cofounder of the Dark Mail Alliance, told The Register that the idea for the service came when he met up with Ladar Levison, founder of the now-defunct encrypted email service Lavabit, at a conference last month – and they started discussing the current state of government eavesdropping and what to do about it.

"It's got to be better to start from a position of near total security and then work down as needed, rather than starting with no security and then add on code to try and make it more secure," Callas said.

Both have the skills needed to set up such a system. Callas, and fellow Silent Circle partner Phil Zimmermann, were members of PGP, the firm that brought encryption to the masses in the early 1990s, and recently set up secure communications biz Silent Circle.

For nearly a decade Levison ran Lavabit (formerly Nerdshack) to make sure that email users could encrypt their messages and store them safely, before shutting the service down rather than compromise his users' security.

The full details on the Dark Mail Alliance system will be published in a white paper shortly, but in a nutshell the system uses SMTP and Extensible Messaging and Presence Protocol (XMPP) systems. The user generates a private key on their device and has public keys on an open server; sent emails are encrypted and stored in the cloud for pickup as needed.

'It's as secure as it can be, we think'

"Anyone monitoring the email would be able to see the size of the message but that's about it," Callas explained. "Of course, if the owner's device has already been subverted by malware then the private key can be found, but it's as secure as it can be, we think."

The team will open source all of the code and invite the community to poke holes in it and find weaknesses. The first version of the basic code will be out next year, Callas said, but the team also wants to build components that would allow companies and email providers to easily add the technology to their systems.

So far interest in the system has been high, Callas said, with many people in the security industry getting in touch wanting either more details or offering to help. However, no one from the government has been in contact at this time.

Services such as this are bound to bring up the accusation that the Dark Mail Alliance is aiding the four horsemen of the infocalypse: terrorists, organized crime, pedophiles, and drug dealers. Callas refuted this, pointing out that there are already many existing laws for getting access to an individual suspect's emails that would work just fine and that the group is "not fond of bad guys."

He pointed out that in the case of Lavabit, Levison was happy to help with law enforcement requests for assistance. But he shut down the email service because federal investigators looking into Edward Snowden's account wanted full access to everyone's email on the site, not just their target's.

As for the name of the group, it has been reported that the inspiration for Dark Mail Alliance is somewhat Star Wars-based. But Callas pointed out that "dark" also means hidden or secret, as well as complex and rich, as in "a dark voice."

"We had a discussion among ourselves about what to call Dark Mail, and we one of the reasons that we decided we liked it was that it is a complex word," he said.

"Moreover, one of the the major corrosive effects of mass surveillance is that it causes people self-edit, to fear to do things unseemly, to be safe. We didn't want to call it 'Shiny Happy Mail.' Dark Mail for us reflects our dark humor as well as the dark humors that surveillance puts us in," he said.

"I think it's sad that there's been a flutter over 'dark' because it can mean only some things to some people. That is, however, the sort of thing that isn't unexpected. These are dark times, and it's hard to have a dark laugh." ®

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.