encryption – nathan's open ideals

Getting Signal on a PocketCHIP

I’m a big fan of the NextThingCo and their $9 CHIP computer for the simultaneously radical and practical approach to hardware manufacturing and low cost computing. Being a fairly early backer of their crowdfunding effort, I was able to get the super fun PocketCHIP dock/case/shell, as well, which looks like a cross between a Blackberry and a Gameboy, with all the circuitous guts exposed. The PocketCHIP is an open-source, handheld, portable computing device, with built-in Wifi and Bluetooth, a hilariously difficult keyboard, and a not so terrible battery. While I have tried to find legitimate uses for it in my day to day toolkit, including as an IoT monitoring terminal for a car’s ODB2 port, I have mostly just carried it to remind myself that the future of mobile computing could be one based on open-source hardware, software and an infinite variety of 3D-printed form factors.

Now, in the last few days, I have become a big fan of Signal-CLI, a Java-based command line interface to the Signal Messenger service. On this very blog, I wrote post on how you can easily send batched encrypted broadcast messages from a terminal shell using it. Then, tonight, I was looking at my PocketCHIP, and I had a moment of inspiration, when I realized that I could easily “apt-get install” java onto it, and by extension run Signal-CLI. This means that I could turn my underused PocketCHIP into a portable, open device upon which to send and receive encrypted messages to anyone in the world who also had Signal.

To make a long story short, it works! I installed Java (“apt-get install openjdk-7-jre-headless”), I downloaded the latest Signal-CLI releases (“wget https://tinyurl.com/signalcli035”), unpacked it (“tar xzvf… ” yada yada), and then ran the signal-cli command line. From there, you just follow the simple instructions provided on Github for registering and verifying, and away you go! I used a Google Voice number to handle receiving the SMS verification code. You could also use any landline or payphone – you just need something that can receive a text or voice call. Make sure to follow all the Signal safety tips, as well!

With Signal-CLI, you can send and receive messages, create and manage groups, and even list and verify safety number “keys”. The limited processing power and memory on the PocketCHIP does cause each command to take a few seconds, but that can be worked around. I can easily imaging an ELM or PINE style user interface for this, that would hide all of that fetching and receiving in a background process.

So, now my PocketCHIP is on Signal, and it has become infinitely more useful. Oh, and did I mention, it also runs Tor? Who is up for writing Ricochet-CLI?

Sending Secure Broadcast Messages with Signal

I have a created a simple Signal batch sending script (signal-batch.sh), which works with the fantastic Signal-CLI (Command Line Interface) project.

Now, you might be asking, why is this needed, or why wouldn’t I just use a group? Well, there are many cases where a person may want to send an alert or update message to a large group of people, who don’t otherwise want to be associated with each other. This is a one-to-many use case, not a many-to-many. For situations of high risk related to human rights, activism, living under a police state, or these days, even just being a U.S. born NASA scientist, it is a very real threat that your phone might be physically taken from you, and forced to be unlocked. In that case, anyone in any groups you are in would then also be exposed and put at risk, as happened in the tragic story of a Mexican activist.

In some cases, you may want to send messages out to 10,000s of people, for protests, events, concerts, emergencies, and so on. This is a use cases that goes back to the early, pre-Twitter TXTMob and RNC2004 systems I was involved in , except we were just using plain old SMS then, which was expensive and risky. Now, you can do this with fully encrypted messages, sent freely anywhere on the globe, right from your laptop. Neato!

Okay, so how does the script work? Here’s a quick run-down with instructions for any Linux or MacOS system. (This can work for Windows, but someone needs to rewrite the script as a BAT script).

Download Signal-CLI and unpack it somewhere
Download the signal-batch.sh script and put it into the “bin” folder for Signal-CLI
Create a text file with all of the numbers you want to send to, one per line, with country code (+12125551212)
Open a terminal, and follow, the excellent signal-cli readme instructions on how to register your number (or a new, clean number) with Signal
Once you complete the registration and verification, you are ready to run signal-batch.sh!
In the terminal type > ./signal-batch.sh to see the usage info below

usage: ./signal-batch yourSignalNumber yourBatchList “Your message goes here!”
example: ./signal-batch +12125551212 mygrouplist.txt “This is the broadcast message you requested!”

Before I go, I must state this: DO NOT ABUSE THIS SCRIPT FOR SPAM, DoS OR OTHER MALICIOUS PURPOSES. I am sure your Signal account will be shutdown if you do, and the “this is why we can’t have nice things” bad karmic spirits will reign down on you.

Finally, if you are promoting the use of Signal to high risk communities, please read some of these excellent guides below and making it as safe as possible:

EFF Surveillance Self Defense: Signal iOS Guide Signal Android Guide
The Intercept: Security Tips Every Signal User Should Know
DeepDotWeb: Tips for using Signal Safely as possible

Guardian Project: SMS Encryption (non-)Options for Android

My first post was titled “Guardian Approved” as I did want to highlight applications that were of a certain quality or caliber. Unfortunately, in the realm of secure, private, encrypted short messaging (SMS), I can’t really say I have anything to approve! The best, most trusted solution out there (from CryptoSMS.org) hasn’t been ported to Android yet, and the rest of the offerings either cost too much, aren’t targeted directly at SMS, are closed source or generally poorly written alpha quality applications.

I’ve quickly realized that a quality SMS encryption application for Android (along with interoperability with other mobile phone platforms) is a critical application for the Guardian Project to focus on. One of the really cool aspects of building apps for Android is that you can completely replace the core applications on the device, meaning that an encryption-enabled SMS application isn’t relegated to a third-party status within the device. It can actual take over and replace the built in “Messaging” application and seamlessly handle SMS traffic and transparently handling encryption of messages to and from those addresses you have done a key exchange with.

Where Its At

In the meantime, here is a quick breakdown of what is available on Android today:

While not used for encryption, ChompSMS represents an excellent example of a “power-up” replacement for the built-in Android messaging application. It does offer an ability to send SMS through their Internet-based SMSC gateway. This means that as long as you have an mobile Internet data connection, you can send SMS messages without being monitored by the local mobile carrier, and even send SMS over a WIFI connection.

Encrypted SMS – $1.99 – “Parents Spy Much? Here’s your solution!” – This app is clearly targeted at the “passing secret notes in class” audience and not meant for anything serious. The encryption used seems to be of the basic letter substitution pig-latin variety, which could be cracked in about two seconds by someone with a pencil and paper.
Platinum RSA SMS – Free – “Encrypted text messaging service for your Android device. 1024 bit RSA math” – While the potential for this app seems good and the heavy use of the phrase “RSA math” indicates they know SOMETHING about encryption, the user interface is very confusing, even for me a seasoned user of terrible mobile user interfaces.
TXTCrypt – $9.99!

“With TXTcrypt just enter your message and a password for it , now the encrypted message can only be decoded with that password , just tell it to someone , and send them message encrypted with it , they can use TXTcrypt to decode it..”. This application is very powerful and well written. However, it costs way too much for what it offers. No key change, no proper integration with SMS… it is just a basic password-based plain text encryption tool.

CryptoSMS

As mentioned before, there is a quality, open-source solution available called
CryptoSMS. From their site: “Cryptosms provides public/private key encryption, key generation and key management. it sends and receives encrypted sms and public keys, de- and encrypts files, offers key verification via fingerprints and provides a secure login. ”

Unfortunately, CryptoSMS is only available for J2ME-based phones today, which Android is not. There is a J2ME emulation app for Android, but it is a terrible user experience. What this is all adding up to is that the Guardian Project must/will plan to contribute to and otherwise support porting efforts of CryptoSMS to Android… while the user experience and integration with Android OS concepts like intents and content providers will take some work, the core engine of CryptoSMS appears to be just what is needed.

If you are in the New York area, and would like to learn more about CryptoSMS, you can attend a workshop this Thursday evening, August 13th, at The Change in Williamsburg, Brooklyn. More information available here…