Feeds

How Dark Mail Alliance hopes to roll out virtually NSA-proof email next year

El Reg chats to cofounder Jon Callas

Providing a secure and efficient Helpdesk

The Dark Mail Alliance has revealed more details of plans to build a secure, encrypted email system that's surveillance-proof, provided the user's machine isn’t already pwned.

Jon Callas, CTO of Silent Circle and cofounder of the Dark Mail Alliance, told The Register that the idea for the service came when he met up with Ladar Levison, founder of the now-defunct encrypted email service Lavabit, at a conference last month – and they started discussing the current state of government eavesdropping and what to do about it.

"It's got to be better to start from a position of near total security and then work down as needed, rather than starting with no security and then add on code to try and make it more secure," Callas said.

Both have the skills needed to set up such a system. Callas, and fellow Silent Circle partner Phil Zimmermann, were members of PGP, the firm that brought encryption to the masses in the early 1990s, and recently set up secure communications biz Silent Circle.

For nearly a decade Levison ran Lavabit (formerly Nerdshack) to make sure that email users could encrypt their messages and store them safely, before shutting the service down rather than compromise his users' security.

The full details on the Dark Mail Alliance system will be published in a white paper shortly, but in a nutshell the system uses SMTP and Extensible Messaging and Presence Protocol (XMPP) systems. The user generates a private key on their device and has public keys on an open server; sent emails are encrypted and stored in the cloud for pickup as needed.

'It's as secure as it can be, we think'

"Anyone monitoring the email would be able to see the size of the message but that's about it," Callas explained. "Of course, if the owner's device has already been subverted by malware then the private key can be found, but it's as secure as it can be, we think."

The team will open source all of the code and invite the community to poke holes in it and find weaknesses. The first version of the basic code will be out next year, Callas said, but the team also wants to build components that would allow companies and email providers to easily add the technology to their systems.

So far interest in the system has been high, Callas said, with many people in the security industry getting in touch wanting either more details or offering to help. However, no one from the government has been in contact at this time.

Services such as this are bound to bring up the accusation that the Dark Mail Alliance is aiding the four horsemen of the infocalypse: terrorists, organized crime, pedophiles, and drug dealers. Callas refuted this, pointing out that there are already many existing laws for getting access to an individual suspect's emails that would work just fine and that the group is "not fond of bad guys."

He pointed out that in the case of Lavabit, Levison was happy to help with law enforcement requests for assistance. But he shut down the email service because federal investigators looking into Edward Snowden's account wanted full access to everyone's email on the site, not just their target's.

As for the name of the group, it has been reported that the inspiration for Dark Mail Alliance is somewhat Star Wars-based. But Callas pointed out that "dark" also means hidden or secret, as well as complex and rich, as in "a dark voice."

"We had a discussion among ourselves about what to call Dark Mail, and we one of the reasons that we decided we liked it was that it is a complex word," he said.

"Moreover, one of the the major corrosive effects of mass surveillance is that it causes people self-edit, to fear to do things unseemly, to be safe. We didn't want to call it 'Shiny Happy Mail.' Dark Mail for us reflects our dark humor as well as the dark humors that surveillance puts us in," he said.

"I think it's sad that there's been a flutter over 'dark' because it can mean only some things to some people. That is, however, the sort of thing that isn't unexpected. These are dark times, and it's hard to have a dark laugh." ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.