Major Advancements in Deniable Encryption Arrive in Espionage 3.6

Four months ago, we previewed Major improvements to plausible deniability in Espionage 3.6. Today we’re delivering those improvements, and many more!

Overview of Significant Features

1. Plausible Deniability

Espionage 3.6 enhances the deniable encryption of previous versions by creating a random number of convincing fake encrypted disk images and a random number of fake Folder Sets (a Folder Set is a group of encrypted folders protected by a master password. You can have as many of these as you want, each having a unique password).

Fake disk images and fake Folder Sets have the potential to make it virtually impossible to tell whether a user has shown you all of their encrypted data. The fake data looks just like the real data, and we’ve even taken pains to ensure that all of the files inside of the fake disk images have random (and convincing) timestamps on them.

Update October 7, 2014: However, as of this release, the timestamps on the fake disk images are not sufficient to fool all infosec professionals. We are researching methods that will fool infosec researchers while still being respectful of our users’ backup systems (like Apple’s Time Machine, SpiderOak, etc.). Users might end up having to choose between super-convincing deniability and having to back up fake data periodically. We thank Steve Weis, Collin Anderson, and the [LiberationTech] community for pointing out that we should have made this clear here, and apologize for not having done so originally.

After updating to 3.6, existing users are encouraged to verify that all their folders unlock without problems, and then delete the old database backups in this folder:

~/Library/Application Support/com.taoeffect.Espionage3/Backups/

Copy and paste that path into the dialog that appears when you choose Go to Folder… from the Finder’s Go menu.

We recommend deleting these old database backups because they can give away which copies of your database are filled with fake folder sets and which aren’t (because of the file size difference). The super-paranoid might also want to clear out their system’s log files after the update.

Why do we care about such features? Because encrypting data isn’t enough to protect you from all threats, as this XKCD so elegantly illustrates:

2. Partial support for TEN new languages (to-be-finished soon!)

Remember our Pootle blog post and call for translators? Well, their hard work is being previewed in this release with the addition of ten new languages (in addition to English, Spanish, and Brazilian Portuguese):

  • Arabic
  • Chinese (Simplified)
  • Czech
  • French
  • German
  • Italian
  • Japanese
  • Korean
  • Russian
  • Tagalog

We expect to release completed translations for the languages above in the next update (or soon after it).

And much much more!

This release involved almost the same level of effort as a major release, but we’re releasing it as a free update for all Espionage 3 users.

Explore the complete list of changes:

  • New Features!
    • Fake folder sets and fake disk images to mask how many you really have.
    • Holding Shift when unlocking folder opens it (plus preference to make default behavior)
    • Set the default image disk location via Preferences.
    • Double-click license to register Espionage (although we don’t want to encourage double-clicking email attachments, too many weren’t reading the instructions).
  • Security Enhancements!
  • Updated Localizations!
    • Updated:
      • Spanish, Brazilian Portuguese
    • Partial (to-be-finished) support for:
      • Arabic, Chinese (Simplified), Czech, French, German, Italian, Japanese, Korean, Russian, Tagalog
    • Want your language here? Get in touch!
  • Improvements!
    • Multiple monitor support.
    • No longer brings up the scary OS X prompt for Contacts access during install (users must now manually type email to subscribe to newsletter).
    • Updated Sparkle to 1.7.1.
    • Close Espionage window when Escape key is pressed.
    • Quit if database newer than what Espionage expects.
    • Encrypted folders on Desktop stay visible when unlocked.
    • Better architecture for handling of disk images on external drives.
    • All XIBs upgraded to Xcode 5.
    • Sparkle updates from updates.taoeffect.com to avoid scaring Little Snitch users.
  • Bug fixes!
    • Crash in OS X 10.7 resizing the disk image.
    • Fixed potential crashes in certain error-handling situations.
    • Multiple Screen in OS X 10.9
    • Autounlock now properly updated for folders that were forcibly removed from the database (via the contextual menu).
    • Disk image’s password is now saved in the same folder as the disk image when restoration fails (instead of always on the Desktop).
    • When using Window mode, open Espionage window when Dock icon is clicked
    • In folder list, filter by folder name instead of folder path
    • Removed misplaced warning when sparsebundle is imported from Desktop
    • Fixed email validator in newsletter setup assistant.
    • Better error handling and error messages during encryption and decryption.
    • Autounlock dialog staying open too long.
    • Removed deprecated API use (and therefore the Console messages).
    • Miscellaneous fixes and improvements. Over 100 tickets closed in this release!

And as promised, we’ll be signing all our releases. The signature for Espionage.dmg is here and also here. Also, starting in 3.6, Sparkle will verify updates using a pinned 4096-bit DSA key. The SHA256 of the main binary is also noted below.

Enjoy! 😀

% openssl dgst -sha256 Espionage.app/Contents/MacOS/Espionage
SHA256(Espionage.app/Contents/MacOS/Espionage)= 2d1c3ffdf129060f00729893b20db26b34bcc56d8197889720cbe191b4d38081

Giving away commercial iSpy licenses

iSpy is the low-level tech that powered Espionage versions 1 and 2. It is unique; there are no competing technologies that can do what it does (to my knowledge): monitor and intercept file-system events based on arbitrary filters. It’s how Espionage 2 could display a password prompt when a user double-clicked on a folder and “pause” the Finder while it tried to open the folder.

Today we’re announcing that we’re giving commercial licenses to iSpy to anyone who wants one in exchange for 20% of the revenue generated from any sale of such software.

If you’re interested, contact us: contact@taoeffect.com (or id/greg on Namecoin)

Pootle Tutorial: Guide for translators and developers

We’re working on localizing Espionage into many languages, so we installed Pootle, an excellent free and open source web-based localization platform that developers and translators can use for that purpose.

To help our translators, I’ve put together what I hope is an easy-to-follow guide on how to use Pootle (partly because Pootle’s documentation on actually using Pootle is virtually non-existent at the moment).

In the event that it’s helpful to others, I’ve decided to share it publicly:

Pootle Tutorial

Hiring translators for these languages:

  • Korean
  • Persian
  • Arabic
  • Hindi
  • <Your Favorite Language Here!>

Already Have:

  • English (duh :P)
  • Spanish
  • Brazilian Portuguese
  • German
  • French
  • Russian
  • Mandarin
  • Japanese
  • Italian
  • Polish

If you’d like to help us translate Espionage into *your* favorite language, send us an email (replace the stuff in brackets as appropriate):

support [at] taoeffect [.] com

Enjoy! 🙂

Major improvements to plausible deniability in Espionage 3.6

UPDATE July 19, 2014: Espionage 3.6 is out! Go get it! 🙂


Plausible deniability (in cryptography) refers to methods of protecting users (and their encrypted data) from so-called “gun-to-the-head scenarios”:

Any situation that involves some type of coercion stands to benefit from plausible deniability. Although unlikely, some users may find themselves threatened into giving up their encryption keys through physical force, or by the threat of loss of freedom (examples here, here, and here).

It is quite unfortunate, therefore, that it’s possible to count on one hand the number of data security applications that attempt to do anything to address this issue.

Data security does not stop at encryption

We believe that “security” which protects users in some circumstances (but not others), from some adversaries (but not all), is inferior to security that has no exceptions.

When we designed Espionage 3, we decided to focus on plausible deniability as a core feature. It was never an afterthought. We discovered that in order to do plausible deniability correctly, we had to build the entire app around the concept.

When we released Espionage 3 in 2012, it was (to our knowledge) the first data security app to sport not one but two types of plausible deniability:

  1. Unlimited isolated master passwords, each protecting a unique Folder Set.
  2. Multi-faced folders that can show different data depending on whether or not they are locked, and which master password was used to unlock them. This resulted in some fascinating possibilities (like having different versions of your email).

Plausible deniability is Hard

An operating system like OS X has thousands of moving parts, many of which are out of the control of users and third-party developers (like us). This makes hiding the existence of encrypted data a significant challenge.

For example, try observing your system’s primary log file by opening the Console application (located in /Applications/Utilities/Console.app ) while you lock and unlock your encrypted folders. Depending on your version of OS X, you’ll see different types of information about your encrypted folders logged (like the path to the folder).

It is close to impossible to prevent this type of information leakage because it is created by applications and system components that are out of Espionage’s control (and shouldn’t be under its control). It is possible, however, to mitigate it by various means:

  • Periodically scrubbing your log files using utilities like OnyX.
  • Creating Folder Sets with different data using the same mountpoint.
  • Etc.

One piece of data leakage, however, cannot be mitigated by users, and that is the number of user-created Folder Sets in Espionage’s database. This, however, is something we can fix (and do fix) in Espionage 3.6. We’d like to thank user tzugo for bringing this issue to our attention.

Fake Folder Sets are coming in Espionage 3.6

By having Espionage create a random number of fake Folder Sets, and then creating a user-specified-but-quickly-forgotten number of encrypted sparsebundles (each with a random number of files containing random data), we are able to restore the plausible deniability impacted by this information leakage.

Now, it still remains possible to check how many Folder Sets exist in Espionage’s database, but that information does not reveal the actual number of user-created Folder Sets! They might have one, five—even zero “real” Folder Sets! 🙂

The number of encrypted disk images on a user’s computer, also, does not give away the number of real encrypted disk images that the user has. It is even possible that none of the encrypted disk images contain any meaningful or user-created data (those might be on an external drive, for example).

When users update to Espionage 3.6 (or install anew), they will be taken through a setup assistant that creates all of these faux Folder Sets and disk images. Here’s a sneak peek at what it looks like:

PDAssistant

Important notes and considerations

Because Espionage 3.6 is a significant update that makes many changes to Espionage’s database, Espionage will back up the database prior to running the setup assistant and add a “-v2migration” suffix to it. It will be placed in the standard database backups folder, located here:

/Users/[your username]/Library/Application Support/com.taoeffect.Espionage3/Backups

Note that these old backup databases can be used to compromise your plausible deniability (because they show an accurate count of the Folder Sets you created).

Once the assistant finishes successfully, and you’ve verified that you can unlock all your Folder Sets and encrypted folders, you may then delete all of the old backups in that folder to restore your plausible deniability.
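
The cleanup step described here and in the 3.6 release announcement (delete the old database backups once everything unlocks) can be checked with a short read-only script. This is an added example, not Tao Effect's code: it lists what is still in the Backups folder, flags the “-v2migration” copy, and prints the file size spread that the announcement says gives old backups away. It assumes each backup is a regular file directly inside the folder; `audit_backups` and its output format are names invented for this sketch.

```shell
#!/bin/sh
# Added example (not part of Espionage): report what is left in the database
# backups folder after the 3.6 setup assistant has run. Read-only; deletes nothing.
# Assumption: each backup is a regular file directly inside the folder.

# Folder named in the post; pass a different directory as the first argument.
DEFAULT_BACKUPS="$HOME/Library/Application Support/com.taoeffect.Espionage3/Backups"

# audit_backups [DIR]
# Prints one line per file, "<FLAG> <bytes> <name>", where FLAG is
#   MIGRATION  name contains "-v2migration": the copy made before the assistant
#              ran, which still shows the true Folder Set count
#   BACKUP     any other file in the folder
# followed by a SUMMARY line. A gap between min_bytes and max_bytes is the
# file size difference the post warns about.
audit_backups() {
    dir=${1:-$DEFAULT_BACKUPS}
    count=0
    migration=0
    min=
    max=
    if [ -d "$dir" ]; then
        for f in "$dir"/*; do
            [ -f "$f" ] || continue            # skips subfolders and an unmatched glob
            size=$(wc -c < "$f" | tr -d ' ')   # BSD wc pads its output with spaces
            name=${f##*/}
            case $name in
                *-v2migration*) flag=MIGRATION; migration=$((migration + 1)) ;;
                *)              flag=BACKUP ;;
            esac
            printf '%s %s %s\n' "$flag" "$size" "$name"
            count=$((count + 1))
            if [ -z "$min" ] || [ "$size" -lt "$min" ]; then min=$size; fi
            if [ -z "$max" ] || [ "$size" -gt "$max" ]; then max=$size; fi
        done
    fi
    echo "SUMMARY files=$count migration=$migration min_bytes=${min:-0} max_bytes=${max:-0}"
}

# Run against the default folder, or against the directory given on the command line.
audit_backups "$@"
```

A clean result after the cleanup is a SUMMARY line with files=0; anything else is a file that still needs to be reviewed.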

Also: starting with version 3.6, we will be signing all Espionage releases with our public key. Espionage 3.6 will also include a pinned 4096-bit public DSA signing key for Sparkle updates (instead of relying solely on HTTPS for securing updates).

Remember: plausible deniability is ultimately *YOUR* responsibility!

Espionage can only do so much for you. It is ultimately *your* responsibility to create convincing enough Folder Set(s) to protect you from gun-to-the-head-scenarios.

Most users won’t need to worry about this at all. For some, however, failure to take due diligence in this regard can result in undesirable consequences. If you think this applies to you, please make sure to do your homework!

Espionage 3.6 is currently getting its finishing touches and final testing. As per usual, it will be released “when it’s ready.” 🙂

Espionage 3.5.3 Released!

Version 3.5.3 addresses an important data leak introduced in 3.5.2, improves Mavericks compatibility, and adds other important bug fixes. Please update right away!

If you’d like to localize Espionage into your language, please contact us.

  • SECURITY: Bug introduced in 3.5.2 that resulted in all folder paths of an unlocked Folder Set being logged to the system log. After several days (or weeks) these messages will disappear from the log files, but you can force their removal using a tool like OnyX. For OnyX, use these settings.
  • IMPROVED: Added retina support for lock/unlock slider. Retina support for other graphics coming too.
  • FIXED: Removed several instances of unnecessary folder path logging (on folder lock/unlock) to help with plausible deniability. This is a losing battle because folder names and paths are logged to the system log by other background processes that Espionage does not have control over. Logging folder paths is also necessary if an error occurs.
  • FIXED: (Mavericks) Wrong folder icon.
  • FIXED: (Mavericks) Error decrypting a folder.
  • FIXED: (Mavericks) Problem unlocking folders for anyone who enabled the hidden setting “enableDiskArbitrationMethod”.

Enjoy! 😀

SHA1(Espionage.dmg)= 5d02150ca6da3fd4017a244d83db33aa536f9edc
SHA1(Espionage.app/Contents/MacOS/Espionage)= 8e92c0b2ab730c4ddd62358d3f59f818126e9d53

Phasing out support for Espionage 2 + Last chance to upgrade!

It has been almost five years since we announced Espionage to the world. Since then, we’ve gone through three major versions. I would like to sincerely thank all of our customers, and everyone who has supported our work in any way, whether it was by purchasing a license to Espionage, writing a review, or just taking the time to send us an email or a tweet. Thank you.

Espionage 2 was a remarkable application, but its time has passed. It taught us many lessons. We took those lessons and used them to create Espionage 3, a product that not only provides significant security improvements, but a more intuitive user experience. We will continue to listen to our customers, to read your emails, your forum posts, your reviews, your tweets, and use that to make Espionage even better.

Espionage 3 is our focus now. Therefore, we are redirecting traffic from Espionage 2’s homepage to Espionage 3.

December 31st, 2013, will be the last day we provide support for Espionage 2.

The community support forums for Espionage 2 will remain online. Zsolt, Ernesto, or I may choose to respond to threads in that forum, but we will do that on our own time, and at our discretion.

One more chance to upgrade at a discount

We know that some of our users are still using Espionage 2. We want to make it easy for you to upgrade to Espionage 3 so that you have the security improvements and bugfixes found in Espionage 3.

When we announced Espionage 3, we released it on the Mac App Store, which made it difficult for us to offer discounted upgrades. To get around this, we lowered the price of Espionage 3 to $9.99 for one week, and sent an email to all Espionage users, letting them know that this was their opportunity to upgrade at a discount.

Many users upgraded at that point in time, but some did not. To those that missed out, we’re offering you one more opportunity to upgrade at a discount. We also want to be fair to everyone who decided to purchase Espionage 3 at full price, and so the discount will not be the same as it was the first time.

If you’re a current Espionage 2 user and would like to upgrade to Espionage 3, send us an email (see below) and we’ll send you a code that’s good for 15% off Espionage 3. Update: This offer expired December 31st, 2013. You can still follow the instructions below to receive 10% off Espionage.

To qualify, send an email to:

Your email MUST:

  1. Contain the name and email of your Espionage 2 license
  2. Contain the name and email you’d like for your Espionage 3 license
  3. Do one of the following before December 31st, 2013:
    • Be sent from the same email address that your Espionage 2 license is registered with. (preferred!)
    • Or, include your PayPal receipt for Espionage 2 in the email.
    • Or, have your Espionage 2 license attached to the email. (Not recommended. Will likely delay your license.)

Remember that Espionage 3 needs at least Mac OS X 10.7 to run!

Thank you for helping us make Espionage the best encryption software for the Mac! 🙂

“The FBI has not been here” as it applies to Espionage

Some smart librarians figured out a way to get around FBI gag orders through an interesting technicality:

The FBI has not been here (watch closely for the removal of this sign).

Taking a cue from the librarians, we’ve updated Espionage’s homepage with the following blurb:

We have not placed any backdoors into our software and have not received any requests for doing so. Pay close attention to any modifications to the previous sentence, and verify the signature of this

Viewing the source for Espionage’s homepage reveals a signed section that explains the types of changes that can and cannot be made to the text itself:

Espionage 3 — Source Code Available to Security Professionals

Oh boy, we’re really excited about this!

Not only do we have an update for you today, but we’re super thrilled to announce that as of today, security professionals can obtain access to Espionage 3’s source code! 😀

I’ve wanted to do this for a while, but I never felt comfortable releasing the code for Espionage 2 for a variety of reasons having to do with complexity of the code. Now, thanks to the rewritten Espionage 3, I can say with confidence that Espionage is as beautiful on the inside as it is on the outside, and so I have no problems letting others have a peek inside. In fact, I believe Tao Effect has a duty to its customers to do so.

Espionage’s homepage now has a new section that explains what we’ve done and how to get the source:

We know that for software to provide any meaningful security guarantees, its source code must be available to third parties for inspection. We also recognize that releasing Espionage’s source code can hurt Espionage and its users because of software piracy.

We want to continue giving you stellar customer support and timely updates, so we follow a middle-path by giving security experts access to Espionage’s code so that they can verify its security. We’re also allowing them to distribute unmodified copies of Espionage that they’ve built themselves, so that anyone who doesn’t trust our copy can download it from them. Apply here.

Espionage 3.5.1 Released!

Also on today’s menu, an update! (With more to come!):

  • NEW: Source code access for security professionals!
  • NEW: Autolock on screensaver and screen lock!
  • FIXED: Failure to execute folder actions after folder autolock while Espionage is locked.
  • FIXED: Don’t unlock folder if an application for a folder action is already running.
  • FIXED (3.5.2): Crash on startup related to Folder Actions.
  • FIXED (3.5.2): Updated Growl to (hopefully) fix a Growl-related crash.

Enjoy! 😀

EDIT: Thanks to “Red H.” for pointing out that “source code available” != “open source”. The two are quite different, as for something to qualify as open source software, it must be distributed for free. My apologies for the error, we will update all references accordingly, and if we miss one please let us know!

The Apache (Contributor’s) License Agreement Is Very Dangerous

EDIT: All of this applies to the regular Apache License (v2) as well, and any other licenses that use its language. I’ve contacted Apache on their legal list about this and am waiting to hear back.

UPDATE 3: Apache’s last reply on September 15, 2013: “In response to your request for a formal answer to your question. I will say, as President of the ASF, please give us a little time to consider your comments.”

I recently published a paper [1] about my experiences exploring and contributing to Numenta’s open source NuPIC project, during which I discovered a very concerning clause in their Contributor’s License Agreement (emphasis mine):

Subject to the terms and conditions of this Agreement, You hereby grant to Numenta and to recipients of software distributed by Numenta a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by You that are necessarily infringed by Your Contribution(s) alone or by combination of Your Contribution(s) with the Work to which such Contribution(s) was submitted.

In brief, I let Numenta know that I couldn’t sign the agreement because:

[..] it appears to allow an interpretation that states that I’m potentially giving away royalty-free licenses to all the software patent claims I ever make should I make a single contribution to NuPIC, whatever it may be.

For a complete understanding of how such an interpretation is possible, please read part of the email exchange.

I was told that it was a word-for-word copy of the same section in the Apache CLA (v2) (a very common CLA with a long history of use), and therefore it would not be changed. However, after some additional poking, they brought up the issue with their legal team and discussed it internally. Eventually, they agreed to add a few clarifying words that would address the issue completely.

Of significance, Numenta announced the changes via their blog, and stated that they would allow existing contributors to sign the updated version. Matt Taylor, Numenta’s “Community Flag-Bearer”, explained the essence of what was clarified in the update:

This addition bounds the rights of Numenta, preventing us from exercising a royalty-free license to any patents a contributor creates in the future unassociated with the NuPIC project.

I am quite grateful for Matt’s help in addressing this issue. I have no doubt that his professionalism played an important role in Numenta’s decision.

Regarding the resolution, a good friend of mine remarked:

No small feat, getting a company to understand the implications of a contract its executives probably didn’t actually read closely in the first place, and then to send the document back to their lawyers to make it reasonable.

[..] a sympathetic stance would entail understanding that virtually no one reads this boilerplate stuff, that “bad code” gets passed along from one attorney and one organization to others, and then it gets defended for the surface-defensible reason that ‘standard contracts’ allow for legal interoperability. None of that sympathy is to endorse the going ‘standard’ — and it takes something like what [happened] to put things in better stead.

Significance for the Open Source Community

That a fairly large and well known company took these steps to clarify the Apache CLA has fairly significant consequences for the entire Open Source community.

In effect, Numenta’s actions legitimize the concerns that were raised, which sends a strong signal to every other company out there that uses the Apache CLA. It also sends a strong signal to every single developer who has ever signed a CLA that contains an identical (or similar) patent license clause.

The group most affected, however, are developers who have not yet signed an Apache-based CLA and have become aware of this issue (either through this paper or some blog post). The reason for this is that even if most companies would never abuse the CLA in the manner that the original language allows, the mere awareness of the possibility implies consent.

Why? Because if you are aware of the potential consequences that signing a legal document can have, and you still put your signature on it, then you cannot even use ignorance as a defense should the issue ever arise. That was the reason it became impossible for me to sign Numenta’s original CLA:

Given that multiple individuals now have (in written form) my understanding of what the document allows for, I cannot in good faith sign such a document as-is, because written as-is, it appears to allow an interpretation that states that I’m potentially giving away royalty-free licenses to all the software patent claims I ever make should I make a single contribution to NuPIC, whatever it may be.

At the time of publishing, the Apache CLA was at version 2.0. Hopefully, the Apache Foundation can amend their CLA in a future update.


[1] Hierarchical Temporal Memory, NuPIC, and Numenta’s Commendable Behavior