Tag Archives: cryptography

Walkthrough of Heml.is crowdfunding and nonsense

Here’s what you need to do a successful crowdfunding. Let’s take a newly born project for a “security” and “privacy focused” communication tool called Heml.is as an example. We’ll start by visiting their website, “secured” by a COMODO SSL certificate (despite Comodo’s history).

(Please note that I haven’t seen the video on the top, due to blocking javascript and Google domains. But I guess it matches the other cliches and non-informative wording.)

hemlis_app_handBig-ass iPhone picture. This tells you not only that it’s a handicapped application (an “app”) and that the designers and programmers enjoy promoting a locked-down, untrustworthy environment renowned for despising its own users.

Everyone knows a crowdfunding campaign will be more successful if you turn to the people who have no idea what their computers are actually doing. I guess because Apple users don’t question their faith in The Designer.

hemlis_ui_mocksMore iPhones. Remember, it’s not really the functionality or the interface of the software we want to portray. It’s that the producers love Apple and their locked-down platform. Nothing says “I don’t care about user rights and privacy” like promoting the iOS platform.

I didn’t even notice this “feature” until I started writing this: “Notifications > When friends join heml.is”. Wait, so they’re going to analyze and correlate of my friend list? While saying it’s a secure and privacy oriented backend?

dudesHappy, wild & crazy faces. Even better, the picture even represents the people behind the campaign. And because I see they’re happy people, of course they can be trusted! Because it’s not actually the software they say is designed for secure communication I have to trust – it’s them. Because they don’t look like suspicious government or business guys!

(waht is this i dont even)

We’re building a message app where no one can listen in, not even us. We would rather close down the service before letting anyone in.

Now finally, actual words rather than buzzwordy, fancy phrases and mockups. But wait, they’d rather “close down the service” before letting anyone in? … Granted, they (say they) can’t listen in on my communication – but it still has to pass their servers? And they can shut my communication down? Why’d I use something like that for secure communication, if I can’t even use alternative message paths?

Secrets are only secrets if they are secret.

Oh, haha, I get it! You’re being funny. Please, take my money to your no-strings-attached Paypal account. You had such pretty pictures.

Your server only?

Yes! The way to make the system secure is that we can control the infrastructure.

So please let the user control the infrastructure! Otherwise there’s no difference from using the internet in general. If I as a Swede have to pass NSA and FRA spy machines to get to your server, what’s the point of letting you run the infrastructure? Whenever I connect to the internet – whatever infrastructure the third party in the communication runs is irrelevant. The only thing that matters is my personal setup – and the person I’m communicating with – verified by genuine cryptography.

What technology will Heml.is use?

We are building Heml.is on top of proven technologies, such as XMPP with PGP.

Alright, so that’s the cryptography part? Open technology with federation built-in? But still you’re going to require users use Heml.is servers – perhaps even with a custom-designed, probably closed source, client… And then use PGP? A system designed for a web of trust model where users verify authenticity of each other and not the infrastructure. So why lock it down to your own network? And how will the age-old problem of key (and subkey) signing and trust verification be solved in the “user friendly” manner?

Will Heml.is really be anything else than an e-mail client with GPG? I doubt it. Except that crucial bits of security – i.e. user control – is stripped out.

Oh. And if you’re using PGP for the application… It was pointed out in Umeå Hackerspace’s IRC channel that there’s no public key published on any well-known keyserver for any address on the project’s domain (and of course not on the website itself either):

gpg: key “heml.is” not found on keyserver

I’ll finish up with this quote:

<zash> vaporware
<zash> until proven otherwise

#grill-bit @ irc.umeahackerspace.se