Major improvements to plausible deniability in Espionage 3.6

UPDATE July 19, 2014: Espionage 3.6 is out! Go get it! 🙂


Plausible deniability (in cryptography) refers to methods of protecting users (and their encrypted data) from so-called “gun-to-the-head” scenarios:

Any situation that involves some type of coercion stands to benefit from plausible deniability. Although unlikely, some users may find themselves threatened into giving up their encryption keys through physical force, or by the threat of loss of freedom (examples here, here, and here).

It is quite unfortunate, therefore, that it’s possible to count on one hand the number of data security applications that attempt to do anything to address this issue.

Data security does not stop at encryption

We believe that “security” which protects users in some circumstances (but not others), from some adversaries (but not all), is inferior to security that has no exceptions.

When we designed Espionage 3, we decided to focus on plausible deniability as a core feature. It was never an afterthought. We discovered that in order to do plausible deniability correctly we had to build the entire app around the concept.

When we released Espionage 3 in 2012, it was (to our knowledge) the first data security app to sport not one but two types of plausible deniability:

  1. Unlimited isolated master passwords, each protecting a unique Folder Set.
  2. Multi-faced folders that can show different data depending on whether or not they are locked, and which master password was used to unlock them. This resulted in some fascinating possibilities (like having different versions of your email).

Plausible deniability is Hard

An operating system like OS X has thousands of moving parts, many of which are out of the control of users and third-party developers (like us). This makes hiding the existence of encrypted data a significant challenge.

For example, try observing your system’s primary log file by opening the Console application (located in /Applications/Utilities/Console.app ) while you lock and unlock your encrypted folders. Depending on your version of OS X, you’ll see different types of information about your encrypted folders logged (like the path to the folder).

It is close to impossible to prevent this type of information leakage because it is created by applications and system components that are out of Espionage’s control (and shouldn’t be under its control). It is possible, however, to mitigate it by various means:

  • Periodically scrubbing your log files using utilities like OnyX.
  • Creating Folder Sets with different data that use the same mountpoint.
  • Etc.
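The Console check described above can be turned into a repeatable audit. The following script is an added example, not part of Espionage; it assumes the system log is plain text (as /var/log/system.log was on OS X of that era) and that you know which encrypted-folder mountpoints you want to look for. The sample log lines are constructed for the example. It distinguishes lines that quote the full folder path from lines that merely mention the folder's name (for instance as a mounted volume name), because the latter is a weaker but still useful clue to someone reading the log.

```python
"""Audit a plain-text system log for mentions of encrypted-folder paths.

Added illustration, not part of Espionage.  Assumes a syslog-style text
log and a list of folder paths (mountpoints) whose appearance in the log
would weaken plausible deniability.
"""
import os
import re
import sys

# Constructed sample log, loosely modelled on the syslog layout.
SAMPLE_LOG = """\
Jul 19 10:02:11 mac kernel[0]: hfs: mounted Finances on device disk3s2
Jul 19 10:02:12 mac Espionage[512]: unlocked /Users/alice/Documents/Finances
Jul 19 10:03:40 mac com.apple.backupd[700]: Backup completed
Jul 19 10:05:02 mac diskimages-helper[520]: detaching /Users/alice/Documents/Finances
Jul 19 10:06:00 mac fseventsd[88]: scan /Users/alice/Pictures
"""


def leak_patterns(folder_path):
    """Strings an observer could tie to the folder: its full path and its name."""
    full = str(folder_path).rstrip("/")
    return {"path": full, "name": os.path.basename(full)}


def find_leaks(log_text, folder_paths):
    """Map each folder to a list of (line_no, kind, line) hits.

    kind == "path": the full path appears verbatim (strongest leak).
    kind == "name": only the last path component appears, e.g. as a
    volume name in a mount message.
    """
    hits = {}
    for folder in folder_paths:
        pats = leak_patterns(folder)
        name_re = re.compile(r"\b" + re.escape(pats["name"]) + r"\b")
        found = []
        for no, line in enumerate(log_text.splitlines(), 1):
            if pats["path"] in line:
                found.append((no, "path", line))
            elif name_re.search(line):
                found.append((no, "name", line))
        hits[folder] = found
    return hits


def count_leaks(log_text, folder_paths):
    """Total number of leaking lines across all folders."""
    return sum(len(v) for v in find_leaks(log_text, folder_paths).values())


if __name__ == "__main__":
    # Usage: python audit_log.py /var/log/system.log /path/to/Folder ...
    # With no arguments the constructed sample is scanned instead.
    if len(sys.argv) >= 3:
        with open(sys.argv[1], errors="replace") as fh:
            text = fh.read()
        folders = sys.argv[2:]
    else:
        text, folders = SAMPLE_LOG, ["/Users/alice/Documents/Finances"]
    for folder, found in find_leaks(text, folders).items():
        print(f"{folder}: {len(found)} leaking line(s)")
        for no, kind, line in found:
            print(f"  line {no} [{kind}] {line}")
```

Run it against your real log after a lock/unlock cycle; any "path" hit is exactly the kind of entry a scrubbing tool such as OnyX is used to remove, while "name" hits show why using the same mountpoint for Folder Sets with different data helps.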

One piece of data leakage, however, cannot be mitigated by users, and that is the number of user-created Folder Sets in Espionage’s database. This, however, is something we can fix (and do fix) in Espionage 3.6. We’d like to thank user tzugo for bringing this issue to our attention.

Fake Folder Sets are coming in Espionage 3.6

By having Espionage create a random number of fake Folder Sets, and then creating a user-specified-but-quickly-forgotten number of encrypted sparsebundles (each with a random number of files containing random data), we are able to restore the plausible deniability impacted by this information leakage.

Now, it still remains possible to check how many Folder Sets exist in Espionage’s database, but that information does not reveal the actual number of user-created Folder Sets! They might have one, five—even zero “real” Folder Sets! 🙂

The number of encrypted disk images on a user’s computer, also, does not give away the number of real encrypted disk images that the user has. It is even possible that none of the encrypted disk images contain any meaningful or user-created data (those might be on an external drive, for example).
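To make the reasoning above concrete, here is an added model of decoy padding; it is an illustration written for this page, not Espionage's code, and it does not describe how Espionage chooses its numbers. The model assumes the application adds a number of fake Folder Sets drawn uniformly from a fixed range, and, as one should assume for any shipped software, that the observer knows that range but not the draw. Besides reproducing the point that an observed total no longer equals the real count, it goes one step further and computes, for a given real count, how often "I have zero real Folder Sets" remains consistent with what the observer sees. The range bounds are constructed values.

```python
"""Decoy-padding model for a count that must not reveal how many real
items exist (here: Folder Sets in an encryption app's database).

Added illustration, not Espionage's code.  Assumptions: the app adds
FAKE_MIN..FAKE_MAX decoys chosen uniformly, and the observer, who can
read the database and the app, knows that range but not the actual draw.
"""
from fractions import Fraction
import secrets

FAKE_MIN = 3    # assumed: fewest decoys any installation creates
FAKE_MAX = 12   # assumed: most decoys any installation creates


def pad_with_decoys(real_count, fake_min=FAKE_MIN, fake_max=FAKE_MAX):
    """Total entry count an observer sees once decoys are added."""
    if real_count < 0 or fake_min < 0 or fake_max < fake_min:
        raise ValueError("invalid counts")
    # secrets rather than random: the draw must not be reproducible from
    # a seed an observer could guess (e.g. install time).
    fake = fake_min + secrets.randbelow(fake_max - fake_min + 1)
    return real_count + fake


def plausible_real_counts(observed_total, fake_min=FAKE_MIN, fake_max=FAKE_MAX):
    """Every real count consistent with the observed total.

    real = observed - fake, with fake in [fake_min, fake_max] and real >= 0.
    """
    low = max(0, observed_total - fake_max)
    high = observed_total - fake_min
    if high < low:
        return range(0)  # total below fake_min cannot occur under the model
    return range(low, high + 1)


def zero_is_plausible(observed_total, fake_min=FAKE_MIN, fake_max=FAKE_MAX):
    """Can the owner still claim to have no real Folder Sets at all?"""
    return 0 in plausible_real_counts(observed_total, fake_min, fake_max)


def deniability_probability(real_count, fake_min=FAKE_MIN, fake_max=FAKE_MAX):
    """Fraction of decoy draws after which zero real sets remain plausible.

    Zero is plausible only while real + fake <= fake_max, so the more real
    sets a user has relative to the decoy range, the more draws expose
    that at least some sets are real.
    """
    span = fake_max - fake_min + 1
    good = fake_max - real_count - fake_min + 1
    return Fraction(max(0, min(span, good)), span)


if __name__ == "__main__":
    for real in (0, 2, 5, 10):
        seen = pad_with_decoys(real)
        print(f"real={real:2d} observed={seen:2d} "
              f"consistent={list(plausible_real_counts(seen))} "
              f"zero-plausible={zero_is_plausible(seen)} "
              f"P(zero stays plausible)={deniability_probability(real)}")
```

The last function is the caveat a practitioner should take from the model: a decoy count drawn from a bounded public range gives deniability that is probabilistic, and it vanishes for users whose real count exceeds the width of that range. That is the reason the number of decoy disk images is something the user picks and then forgets rather than a value with a fixed, knowable distribution, and the reason convincing decoy content (not just a decoy count) is still the user's job.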

When users update to Espionage 3.6 (or install anew), they will be taken through a setup assistant that creates all of these faux Folder Sets and disk images. Here’s a sneak peek at what it looks like:

PDAssistant

Important notes and considerations

Because Espionage 3.6 is a significant update that makes many changes to Espionage’s database, Espionage will back up the database prior to running the setup assistant and add a “-v2migration” suffix to it. It will be placed in the standard database backups folder, located here:

/Users/[your username]/Library/Application Support/com.taoeffect.Espionage3/Backups

Note that these old backup databases can be used to compromise your plausible deniability (because they show an accurate count of the Folder Sets you created).

Once the assistant finishes successfully, and you’ve verified that you can unlock all your Folder Sets and encrypted folders, you may then delete all of the old backups in that folder to restore your plausible deniability.

Also: starting with version 3.6, we will be signing all Espionage releases with our key, so that the signatures can be verified against our public key. Espionage 3.6 will also include a pinned 4096-bit public DSA signing key for Sparkle updates (instead of relying solely on HTTPS for securing updates).

Remember: plausible deniability is ultimately *YOUR* responsibility!

Espionage can only do so much for you. It is ultimately *your* responsibility to create convincing enough Folder Set(s) to protect you from gun-to-the-head scenarios.

Most users won’t need to worry about this at all. For some, however, failure to exercise due diligence in this regard can result in undesirable consequences. If you think this applies to you, please make sure to do your homework!

Espionage 3.6 is currently getting its finishing touches and final testing. As per usual, it will be released “when it’s ready.” 🙂

Espionage 3.5.3 Released!

Version 3.5.3 addresses an important data leak introduced in 3.5.2, improves Mavericks compatibility, and adds other important bug fixes. Please update right away!

If you’d like to localize Espionage into your language, please contact us.

  • SECURITY: Fixed a bug introduced in 3.5.2 that resulted in all folder paths of an unlocked Folder Set being logged to the system log. After several days (or weeks) these messages will disappear from the log files, but you can force their removal using a tool like OnyX. For OnyX, use these settings.
  • IMPROVED: Added retina support for lock/unlock slider. Retina support for other graphics coming too.
  • FIXED: Removed several instances of unnecessary folder path logging (on folder lock/unlock) to help with plausible deniability. This is a losing battle because folder names and paths are logged to the system log by other background processes that Espionage does not have control over. Logging folder paths is also necessary if an error occurs.
  • FIXED: (Mavericks) Wrong folder icon.
  • FIXED: (Mavericks) Error decrypting a folder.
  • FIXED: (Mavericks) Problem unlocking folders for anyone who enabled the hidden setting “enableDiskArbitrationMethod”.

Enjoy! 😀

SHA1(Espionage.dmg)= 5d02150ca6da3fd4017a244d83db33aa536f9edc
SHA1(Espionage.app/Contents/MacOS/Espionage)= 8e92c0b2ab730c4ddd62358d3f59f818126e9d53

Phasing out support for Espionage 2 + Last chance to upgrade!

It has been almost five years since we announced Espionage to the world. Since then, we’ve gone through three major versions. I would like to sincerely thank all of our customers, and everyone who has supported our work in any way, whether it was by purchasing a license to Espionage, writing a review, or just taking the time to send us an email or a tweet. Thank you.

Espionage 2 was a remarkable application, but its time has passed. It taught us many lessons. We took those lessons and used them to create Espionage 3, a product that not only provides significant security improvements, but a more intuitive user experience. We will continue to listen to our customers, to read your emails, your forum posts, your reviews, your tweets, and use that to make Espionage even better.

Espionage 3 is our focus now. Therefore, we are redirecting traffic from Espionage 2’s homepage to Espionage 3’s.

December 31st, 2013, will be the last day we provide support for Espionage 2.

The community support forums for Espionage 2 will remain online. Zsolt, Ernesto, or myself may choose to respond to threads in that forum, but we will do that on our own time, and at our discretion.

One more chance to upgrade at a discount

We know that some of our users are still using Espionage 2. We want to make it easy for you to upgrade to Espionage 3 so that you have the security improvements and bugfixes found in Espionage 3.

When we announced Espionage 3, we released it on the Mac App Store, which made it difficult for us to offer discounted upgrades. To get around this, we lowered the price of Espionage 3 to $9.99 for one week, and sent an email to all Espionage users, letting them know that this was their opportunity to upgrade at a discount.

Many users upgraded at that point in time, but some did not. To those that missed out, we’re offering you one more opportunity to upgrade at a discount. We also want to be fair to everyone who decided to purchase Espionage 3 at full price, and so the discount will not be the same as it was the first time.

If you’re a current Espionage 2 user and would like to upgrade to Espionage 3, send us an email (see below) and we’ll send you a code that’s good for 15% off Espionage 3. Update: This offer expired December 31st, 2013. You can still follow the instructions below to receive 10% off Espionage.

To qualify, send an email to:

Your email MUST:

  1. Contain the name and email of your Espionage 2 license
  2. Contain the name and email you’d like for your Espionage 3 license
  3. Do one of the following before December 31st, 2013:
    • Be sent from the same email address that your Espionage 2 license is registered with. (preferred!)
    • Or, include your PayPal receipt for Espionage 2 in the email.
    • Or, have your Espionage 2 license attached to the email. (Not recommended. Will likely delay your license.)

Remember that Espionage 3 needs at least Mac OS X 10.7 to run!

Thank you for helping us make Espionage the best encryption software for the Mac! 🙂

“The FBI has not been here” as it applies to Espionage

Some smart librarians figured out a way to get around FBI gag orders through an interesting technicality:

The FBI has not been here (watch closely for the removal of this sign).

Taking a cue from the librarians, we’ve updated Espionage’s homepage with the following blurb:

We have not placed any backdoors into our software and have not received any requests for doing so. Pay close attention to any modifications to the previous sentence, and verify the signature of this

Viewing the source for Espionage’s homepage reveals a signed section that explains the types of changes that can and cannot be made to the text itself:

Espionage 3 — Source Code Available to Security Professionals

Oh boy, we’re really excited about this!

Not only do we have an update for you today, but we’re super thrilled to announce that as of today, security professionals can obtain access to Espionage 3’s source code! 😀

I’ve wanted to do this for a while, but I never felt comfortable releasing the code for Espionage 2 for a variety of reasons having to do with the complexity of the code. Now, thanks to the rewritten Espionage 3, I can say with confidence that Espionage is as beautiful on the inside as it is on the outside, and so I have no problem letting others have a peek inside. In fact, I believe Tao Effect has a duty to its customers to do so.

Espionage’s homepage now has a new section that explains what we’ve done and how to get the source:

We know that for software to provide any meaningful security guarantees, its source code must be available to third-parties for inspection. We also recognize that releasing Espionage’s source code can hurt Espionage and its users because of software piracy.

We want to continue giving you stellar customer support and timely updates, so we follow a middle-path by giving security experts access to Espionage’s code so that they can verify its security. We’re also allowing them to distribute unmodified copies of Espionage that they’ve built themselves, so that anyone who doesn’t trust our copy can download it from them. Apply here.

Espionage 3.5.1 Released!

Also on today’s menu, an update! (With more to come!):

  • NEW: Source code access for security professionals!
  • NEW: Autolock on screensaver and screen lock!
  • FIXED: Failure to execute folder actions after folder autolock while Espionage is locked.
  • FIXED: Don’t unlock folder if an application for a folder action is already running.
  • FIXED (3.5.2): Crash on startup related to Folder Actions.
  • FIXED (3.5.2): Updated Growl to (hopefully) fix a Growl-related crash.

Enjoy! 😀

EDIT: Thanks to “Red H.” for pointing out that “source code available” != “open source”. The two are quite different, as for something to qualify as open source software, it must be distributed for free. My apologies for the error, we will update all references accordingly, and if we miss one please let us know!

The Apache (Contributor’s) License Agreement Is Very Dangerous

EDIT: All of this applies to the regular Apache License (v2) as well, and any other licenses that use its language. I’ve contacted Apache on their legal list about this and am waiting to hear back.

UPDATE 3: Apache’s last reply, on September 15, 2013: “In response to your request for a formal answer to your question. I will say, as President of the ASF, please give us a little time to consider your comments.”

I recently published a paper¹ about my experiences exploring and contributing to Numenta’s open source NuPIC project, during which I discovered a very concerning clause in their Contributor’s License Agreement (emphasis mine):

Subject to the terms and conditions of this Agreement, You hereby grant to Numenta and to recipients of software distributed by Numenta a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by You that are necessarily infringed by Your Contribution(s) alone or by combination of Your Contribution(s) with the Work to which such Contribution(s) was submitted.

In brief, I let Numenta know that I couldn’t sign the agreement because:

[..] it appears to allow an interpretation that states that I’m potentially giving away royalty-free licenses to all the software patent claims I ever make should I make a single contribution to NuPIC, whatever it may be.

For a complete understanding of how such an interpretation is possible, please read part of the email exchange.

I was told that it was a word-for-word copy of the same section in the Apache CLA (v2) (a very common CLA with a long history of use), and therefore it would not be changed. However, after some additional poking, they brought up the issue with their legal team and discussed it internally. Eventually, they agreed to add a few clarifying words that would address the issue completely.

Of significance, Numenta announced the changes via their blog, and stated that they would allow existing contributors to sign the updated version. Matt Taylor, Numenta’s “Community Flag-Bearer”, explained the essence of what was clarified in the update:

This addition bounds the rights of Numenta, preventing us from exercising a royalty-free license to any patents a contributor creates in the future unassociated with the NuPIC project.

I am quite grateful for Matt’s help in addressing this issue. I have no doubt that his professionalism played an important role in Numenta’s decision.

Regarding the resolution, a good friend of mine remarked:

No small feat, getting a company to understand the implications of a contract its executives probably didn’t actually read closely in the first place, and then to send the document back to their lawyers to make it reasonable.

[..] a sympathetic stance would entail understanding that virtually no one reads this boilerplate stuff, that “bad code” gets passed along from one attorney and one organization to others, and then it gets defended for the surface-defensible reason that ‘standard contracts’ allow for legal interoperability. None of that sympathy is to endorse the going ‘standard’ — and it takes something like what [happened] to put things in better stead.

Significance for the Open Source Community

That a fairly large and well known company took these steps to clarify the Apache CLA has fairly significant consequences for the entire Open Source community.

In effect, Numenta’s actions legitimize the concerns that were raised, which sends a strong signal to every other company out there that uses the Apache CLA. It also sends a strong signal to every single developer who has ever signed a CLA that contains an identical (or similar) patent license clause.

The group most affected, however, are developers who have not yet signed an Apache-based CLA and have become aware of this issue (either through this paper or some blog post). The reason for this is that even if most companies would never abuse the CLA in the manner that the original language allows, the mere awareness of the possibility implies consent.

Why? Because if you are aware of the potential consequences that signing a legal document can have, and you still put your signature on it, then you cannot even use ignorance as a defense should the issue ever arise. That was the reason it became impossible for me to sign Numenta’s original CLA:

Given that multiple individuals now have (in written form) my understanding of what the document allows for, I cannot in good faith sign such a document as-is, because written as-is, it appears to allow an interpretation that states that I’m potentially giving away royalty-free licenses to all the software patent claims I ever make should I make a single contribution to NuPIC, whatever it may be.

At the time of publishing, the Apache CLA was at version 2.0. Hopefully, the Apache Foundation can amend their CLA in a future update.


¹ Hierarchical Temporal Memory, NuPIC, and Numenta’s Commendable Behavior

Humans are basically blind

AlmostBlind

In searching for “what percent of the light spectrum can humans see” I found answers varying from 0% to a maximum of 2.3%, depending on your definition of “light spectrum,” whether you’re asking in terms of a linear scale or a logarithmic scale, and whether you’re using wavelength or frequency [1] [2].

Painfully slow frame rate

The problem doesn’t stop there, however. Searching for “frame rate of human eye” suggests an upper bound of 60 fps.

When someone drops a piece of gelatin, is this what you see?

Dark matter + Dark energy

The above image is a screenshot of the universe’s virtual machine as it existed approximately 13.7 billion years ago. From it, we learned that:

It also constrained the content of the present-day universe; 4.6% atoms, 23% dark matter and 72% dark energy.

That means that everything you learned in school about the world, and everything our scientific instruments can see, only deals with just 4.6% of the universe. And that’s just what our scientific instruments can directly see. Of that, we only see a fraction (0% to 2.3%) with the naked eye, and only at about 60 frames per second (when you’re really paying attention).

Conclusion: don’t make fun of schizophrenics

Perhaps they can simply see more of the universe than you can.

On Integrity, and why we are not joining Fight for the Future’s “Internet Defense League”

TLDR: Using deception to promote a noble cause undermines you and the cause.

Yesterday the organization “Fight for the Future” attempted to organize a “massive online protest” against the NSA’s constitutional transgressions. It seems like many people are upset at the deception surrounding the NSA and the companies who bend over backwards to service their various voyeuristic desires.

So then, does it not seem perhaps a tad hypocritical that Fight for the Future used various deceptive tactics of its own to fool and mislead the public about the size and nature of its “massive online protest”?

bullshit

Here is a quote from a hype piece written by Tiffiniy Cheng, one of the organizers working with Fight for the Future, that ran on the Huffington Post the morning the protests were supposed to happen (some emphasis added):

To amplify the street protests, the Internet Defense League, which is the formidable network of websites that emerged victorious from the now-infamous SOPA blackout, has raised the “Cat Signal” — its warning beacon for the Internet. Thousands of websites, celebrities, and organizations will be posting the 4th Amendment on the web, including some of the biggest names on the web: WordPress (which serves up 18% of all websites), 4chan, Imgur, Reddit, Mozilla, Internet Association, Fark, TOR Project, Cheezburger, Namecheap, O’Reilly Media, MoveOn, Avaaz, Upworthy, ACLU, and EFF.

We liken today to the first protests that got us to the SOPA blackout and ultimately, the shelving of SOPA and PIPA; American Censorship Day took place 2 months before the blackout and was responsible for making SOPA a household term. It took a lot to defeat SOPA, but it was just one law.

http://www.huffingtonpost.com/tiffiniy-cheng/restore-the-fourth-amendment_b_3544740.html

Exciting! I remember participating in the SOPA blackout! Thousands of organizations, including heavy hitters like Wikipedia, succeeded in blocking the legislation by blacking out large portions of their site in protest. That was a spectacular moment of global unity that I, and many others, remember to this day.

Would this be something like that?

Cheng’s pieces seemed to suggest it would be, but with the twist that visitors would see the text of the 4th Amendment instead of a blacked out page. This CNET piece, prominently linked to from Fight for the Future’s campaign website, gave more details:

Reddit, Mozilla, EFF and more join July 4th anti-NSA protests

Rather than going black, like many sites did during the 2012 protests of Congress’ Stop Online Privacy Act, or SOPA, these sites will prominently display a Fourth Amendment banner. The banner will quote the text of the amendment, which says, “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated.”

Additionally, site visitors will be asked to sign an online petition, e-mail Congress, or join street protests. A group called Restore the Fourth is organizing the street demonstrations in nearly 100 U.S. cities, including New York, Washington, D.C., and San Francisco.

http://news.cnet.com/8301-1023_3-57592268-93/reddit-mozilla-eff-and-more-join-july-4th-anti-nsa-protests/

Indeed, some websites listed on Fight for the Future’s campaign site displayed some sort of prominent banner to visitors in a show of solidarity with the campaign (e.g. 4chan).

Missing Participants

Although the campaign positioned itself as “the largest online protest since SOPA,” fully HALF of the “heavy hitters” did not modify their websites for the campaign. Among the non-participants, Reddit and Imgur apparently had an ad cycling through their adbox referencing the campaign, but that’s certainly not an indication of participation in the campaign as it was presented by Fight for the Future.

These were the heavy hitters listed as participating and endorsing the campaign on Fight for the Future’s website:

Misleading

And this is who actually participated:

Accurate

Fight for the Future may be forgiven for their pie-in-the-sky article on the HuffPo that promised the participation of organizations who ended up sitting on the sidelines. There may in fact have been agreements or implied (mis)understandings to that effect before the campaign started. However, as the day wore on, it should have become clear to them that half of their star participants weren’t participating, and therefore continuing to list them on the campaign site was the wrong thing to do.

I shot them an email requesting that they remove the non-participating sites, but they refused.

OK, but so what?

If you run an organization that purports to stand for a noble and “good” cause, then acting in a deceptive and manipulative way (read: “non-noble”) reeks of hypocrisy. It’s always in your best interest to behave with integrity. Any failure to do so will result in disillusionment, finger-pointing from the other side (or your own), and will undermine your ability to lead, because leadership demands respect. Few people respect you when you use deception to try to get them to join your group, or to take some action.

This disrespect and disillusionment weakens the organization and its cause. People stop taking it seriously, whether they support the cause or not.

It would’ve been better, I think, for FFTF to present their campaign honestly and with integrity.

In the end, it seems FFTF might have tried to redeem themselves a bit. In an email sent out to their mailing list at the end of the day, they refrained from mentioning Reddit, Mozilla, WordPress, or any of the other star non-participants:

FTFF campaign email

The campaign site, however, remains unchanged.

What impression will people who see this campaign walk away with? Some might be fooled, however others will focus on the missing “star participants,” and then turn away from the stench of a campaign full of manipulation and dishonesty that tries to hijack the reputation of other organizations to bolster its cause, instead of allowing the cause to stand on its own merit.

As much as I support this cause, I don’t want to associate Tao Effect with an organization that would mislead and lie to its own base. That’s why I took down their banner code from our websites, and why you won’t see any of the “Internet Defense League” badges on our site.

Espionage 3.5 — Introducing Folder Actions!

Big release today! We know you’ve all missed application associations, and while those have been deprecated, today’s release introduces Folder Actions to replace them!

This time, instead of giving you a description of the new features (in text), we’ve made a 720p screencast! A picture is worth a thousand words. We hope you enjoy it! The summary of changes is:

  • NEW: Folder Actions! Make magic happen when you lock or unlock folders!
  • IMPROVED: UI transitions in folder details view
  • IMPROVED: Now uses Lion’s invisible scrollbar in the folder list
  • FIXED: Folders appearing as white disk images
  • FIXED: Custom folder icons not showing up
  • FIXED: Preferences shouldn’t be visible after autolock
  • FIXED: Focus ring issues when the modal panel is up
  • FIXED: Overwriting a folder set by changing password to an already used one
  • FIXED: Keyboard focus issues in the modal dialog.

Enjoy! 😀