Is Surespot the Latest Crypto War Victim?

George Maschke writes: Patrick G. Eddington writes in a Christian Science Monitor op-ed about indications that the government may be snooping on users of Surespot, a free and open source encrypted messaging app for Android and iOS. Such users include, but are hardly limited to, Islamic State militants. He writes in the piece: "Has encrypted chat service Surespot been compromised by the US government? Surespot user and former Army intelligence officer George Maschke recently published a provocative theory suggesting the answer is yes. Mr. Maschke’s key pieces of evidence are intriguing. In May 2014, he e-mailed 2Fours LLC, which is Surespot’s parent company, asking whether the company had ever received a National Security Letter (NSL), a court order to provide information, or other government request to cooperate in an investigation. He was assured in writing that 2Fours had received no such requests. That changed in November 2014, when Surespot’s founder, Adam Patacchiola, told Maschke via e-mail that 'we have received an e-mail asking us how to submit a subpoena to us which we haven’t received yet.'"

Re:Military whistleblowers?

[jargonburn]

I do not think "protect our freedoms" means what you think it means...

Re:Military whistleblowers?

[jthill]

That's what they're doing.

it's all compromised

[turkeydance]

and we act accordingly.

Proven by the Lavabit case

[Anonymous Coward]

If they're still in business, they're compromised:

http://www.theguardian.com/commentisfree/2014/may/20/why-did-lavabit-shut-down-snowden-email

Re:

[bill_mcgonigle]

?OTRv2?

Encrypted messaging app

[fustakrakich]

What a waste! The only thing even close to being secure are the Sunday classifieds and the Hollywood tabloids... Like they say, just broadcast it wide open, nobody will see it.

And then?

[wonkey_monkey]

If you're going to end your summary with something that happened in November 2014, you could at least hint that there are further developments to be read about in the article, even if you can't be bothered to copy-and-paste those into the summary itself.

TL;DR: no-one at Surespot is answering questions about whether or not they've had any Gubmint interference, and someone who used to work there, but doesn't any more, won't talk to anyone about it either.

Re:

[Prien715]

So about a year or so ago when I was working for a company that doesn't comment on requests, I had the process explained to me.

Essentially, it's illegal to say that you have received a request -- which is something you learn when you get a request. If you haven't had a request however, there is nothing illegal about saying it hasn't happened to you. He'd suggested saying something like "We haven't received any requests this month" to alert people.

After all the BS is said and done, there's a very high like

serving subpoenas on an Internet company?

[swschrad]

hey, just tape it to the side of your computer. it'll get there if it's supposed to. trust me.

Re:

[R3d M3rcury]

I gotta admit, I thought that was funny...

'we have received an e-mail asking us how to submit a subpoena to us which we haven’t received yet.

"Oh...you want to subpoena me and you don't know where to send it? Sure, I'll help. My address is 1600 Pennsylvania Avenue, Washington DC..."

They're an intelligence agency and they don't know where to send the subpoena?

Silent Alarm

[Guy From V]

Ironic warrant canary is ironic.

Endorsed

[penguinoid]

Surespot, a free and open source encrypted messaging app for Android and iOS. Such users include, but are hardly limited to, Islamic State militants.

Endorsed by people who trust it with their lives.

Surespot was compromised from the start.

[Anonymous Coward]

The company was started by the NSA. There was never a need to breach them.

Keep your secrets off the internet

[Moof123]

No exceptions.

The really important stuff should be kept among confidants, and discussed as little as is necessary.

Important records can still be kept in hard copy if you really need to write stuff down.

Assume everything you say may be taken out of context and without including your sarcastic tone.

Psychological warfare

[Anonymous Coward]

Or maybe the opposite is true... maybe Surespot is secure.. .thus an attempt to discredit it.

This is the world of "intelligence". Until people wise up their is nothing "intelligent" about the current path of spening billions destroying data security rather than creating it.. we'll get our wish of insecure systems. Not a single computer with commodity components on the Internet today is safe because of these attitudes. Wish I could point to only one country's government as being the problem but its really mo

Re:

[gweilo8888]

Exactly. There's about an equal chance it's compromised or not, and there's no way to no. It could be a double bluff, it could be a triple bluff. The only thing we know absolutely for sure is that we're not getting the whole story, because if you'd really compromised it, it'd be a valuable source of data and you wouldn't want to let the other side know. Unless, that is, you're hoping they'll think it's a double-bluff...

Re:

[gweilo8888]

no way to know, even. Blast these useless sausage fingers of mine!

Poor ECC impl

[Meneth]

Surespot is most likely toast now. I see two possible attacks from someone who controls the servers:

• Send fake pubkeys (standard MitM attack, really)
• Crack the crypto directly. Surespot uses the secp521r1 Elliptic Curve [github.com], which was created by NSA and published by NIST, and may be backdoored [stackexchange.com].