
Thread: facebook.com + encryption + anonymity = devicecode.net? is it secure?

  1. #1
    Junior Member
    Join Date
    Dec 2008
    Posts
    2

    Question facebook.com + encryption + anonymity = devicecode.net? is it secure?

    I am new to IT security, so maybe some expert can help me.

    I used Enigmail (http://enigmail.mozdev.org/home/index.php) for a while. It's a GPG plugin for Thunderbird. But I hate this key-ring management. Most of the public keys become out of date, and I switched to hushmail.com - a crappy and ugly webmail solution with email encryption. I am an idiot - I used it for over two months and then I read this article http://en.wikipedia.org/wiki/Hushmail - they have backdoors in their encryption and worked with the feds.

    Now I am testing Device Code (http://www.devicecode.net/). It's a kind of social network, but only with the basic features - contacts and profile management. But the real feature is the messaging encryption - they use a JavaScript encryption library (with RSA, AES and stuff) and encrypt your messages end-to-end. It's a mixture of facebook.com and hushmail.com. Short: facebook.com - girls - pictures (you cannot upload a picture of yourself??) + ugly design (colors?) + encryption + anonymity + AJAX + JavaScript RSA 1024-bit key generation (crazy and super slow :/ - only works well with Chrome!).
    I tried to debug the library with Firebug to find a security issue (http://www.devicecode.net/about.php?topic=security), or just a chance to leak some information, but my JavaScript skills are too low. I cannot find any information about this service.

    Has any of you used it? If you look inside, there are only a few people - but on IRC I hear that some warez groups use it for their communication. Is it really possible to encrypt SECURELY with JavaScript (I don't mean Vigenere / I am talking about RSA)? Is there a way with XSS?

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Why try to debug it?................ just look at their privacy policy:

    "We are committed to collaboration with authorities, especially prosecuting authorities and courts and can in this context be forced to pass on personal data."
    Whilst I have never looked at the issue in depth I have always had a suspicion about these "one stop shop" encryption and delivery services. At the very least you must implicitly trust the provider? Pretty similar to anonymous proxy services IMO.

    The most secure system I would imagine to be independently encrypting the message yourself before sending it. At least you wouldn't have to worry about backdoors.

    Having said that, if the content is really sensitive, you shouldn't be using the internet anyway.

  3. #3
    Junior Member
    Join Date
    Dec 2008
    Posts
    2

    "The most secure system I would imagine to be independently encrypting the message yourself before sending it. At least you wouldn't have to worry about backdoors."
    Word. But this is the point: the messages you send are encrypted in YOUR BROWSER before they are sent via AJAX to the service.

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Yes but using their format/methodology or whatever. If you used something like 256 or 512 bit AES from an independent source, and then fire it off, it wouldn't really matter if the transporting layer had a backdoor? It would take an unreasonable amount of time to break the core encryption?
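    The approach suggested in the post above, encrypting independently before the message reaches any delivery service, as an added example that is not part of the original thread. It uses Node.js's built-in crypto module with AES-256-GCM (256 bits is the largest AES key size) and assumes both parties already share a passphrase exchanged out of band; the function names and envelope layout are hypothetical.

```javascript
const nodeCrypto = require('crypto'); // Node.js built-in module

// Envelope layout (constructed for this example):
// salt(16) | iv(12) | GCM tag(16) | ciphertext, base64-encoded.
const SALT_LEN = 16, IV_LEN = 12, TAG_LEN = 16;

function deriveKey(passphrase, salt) {
  // scrypt stretches the shared passphrase into a 256-bit AES key.
  return nodeCrypto.scryptSync(passphrase, salt, 32);
}

function encryptMessage(plaintext, passphrase) {
  const salt = nodeCrypto.randomBytes(SALT_LEN);
  const iv = nodeCrypto.randomBytes(IV_LEN); // fresh nonce for every message
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([salt, iv, cipher.getAuthTag(), ct]).toString('base64');
}

function decryptMessage(envelope, passphrase) {
  const raw = Buffer.from(envelope, 'base64');
  if (raw.length < SALT_LEN + IV_LEN + TAG_LEN) throw new Error('envelope too short');
  const salt = raw.subarray(0, SALT_LEN);
  const iv = raw.subarray(SALT_LEN, SALT_LEN + IV_LEN);
  const tag = raw.subarray(SALT_LEN + IV_LEN, SALT_LEN + IV_LEN + TAG_LEN);
  const ct = raw.subarray(SALT_LEN + IV_LEN + TAG_LEN);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(passphrase, salt), iv);
  decipher.setAuthTag(tag);
  // final() throws when the tag does not match (wrong key or altered data).
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}

// Returns true only when the envelope decrypts and authenticates.
function verifies(envelope, passphrase) {
  try { decryptMessage(envelope, passphrase); return true; } catch (e) { return false; }
}

// Stand-in for an untrusted service that alters one byte in transit.
function flipLastByte(envelope) {
  const raw = Buffer.from(envelope, 'base64');
  raw[raw.length - 1] ^= 0x01;
  return raw.toString('base64');
}
```

    The service carrying the envelope sees only base64 ciphertext, and any change it makes causes decryption to fail rather than yield altered plaintext.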

  5. #5

  6. #6
    Sheeps... do a traceroute to hushmail or even facebook. Who and what are all those servers? Why would anyone in the first place go to a free website to publish their public key where your hostname is recorded along with the MAC address? Why fall for the Verisign scam scheme where they can snitch out encrypted communi from your victims traced back to you. Use your own encryption, store your keys locally but encrypted, and install your own email server. That way you can monitor _back_ on who is snooping on you. Java is not your friend... you do not know the programmer or the complete scheme of things. Do your dirt in the streets.
    Last edited by Linen0ise; December 8th, 2008 at 04:32 PM.

  7. #7
    Or create an FTP or web service... place a picture bug in your email that, when it is opened, will go to your server where you can log their IP, the time they viewed and what program they used. If you write to 1 person but the trap was baited 7 times with 6 different locations, something is wrong.
