28 comments

[ 3.2 ms ] story [ 67.6 ms ] thread
It's email transported and authenticated using combination of Tor, Axolotl, and socialist millionaire. Unfortunately:

> LookingGlass is meant to be run on a local, headless (without monitor), always-on computer. Installation consists of copying a disk image to an SD card, inserting that into a Raspberry Pi, and plugging it into your local network (preferably behind a router).

Appliance designs such as this have 0 chance of gaining significant use.

The author should consider rolling this solution into software packages that run on operating systems people actually have.

I guess thats what the virtualbox image is for?
He said "normal people". Virtual machines are not something the general population is fluent with.

Perhaps you can't expect "normal people" to be the target group for everything though. First class security often comes at a price, in some cases this is fine.

If I wanted to talk securely to any of you guys I could just setup a hidden SSH server on Tor. None of you would have any problem using sftp to give me messages and files or use talk to chat.

As long as we used the latest OpenSSH and picked the better algorithms we'd stand a better chance of resisting a skilled attacker than using this project.

The problem is we have nothing to say to each other. We all have sensitive conversations with our lawyers, doctors, immediate family, and the like. And those people cannot make use of solutions that require knowledge of how to actually use a computer.

This is such a good point. There's a chicken / egg problem here where you need a critical mass of activity for anything interesting / useful to emerge but the barrier to entry getting to these places is high enough, and the pain / friction involved with spending time there is significant enough, that communities have a difficult time forming. I think LookingGlass is meant to try to overcome some of these problems. That said, strolling down darknet alley sure does feel a lot like wandering around Chernobyl.
There are 5+ million RPi's out there and I bet there's significant overlap in the types of propellerheads (read: early adopters) that have gotten one for other reasons or just for kicks, and who might be interested in this.

Running this 24/7 on your power guzzling worm infested Windows box is not really the best match.

Then what do you suggest people use to connect to the headless appliance?
Tablet or laptop for example?
How are those any different?
Something behind a firewall for sure and with the browser locked down.
Is this the physical analogue of the "curl | sudo sh" strategy? Just take this image from our site, toss it on a headless server, plug it into your network and let it do whatever we set it up to do!

</tinfoil>

"Unfortunately..."

Can you be more specific? Irrespective of this project and its goals, I agree with the installation approach.

What is the impassable step?

Purchasing a RPi?

Using a program to copy an image to an SD Card? What if SD Cards with the image pre-installed were also available?

The RPi stays on unless someone unplugs it, so I trust that no one is going to claim "always on" is an issue. It does not even have a reset button like most consumer routers.

Setting up consumer routers involves plugging into a local network so I cannot imagine that is an issue either.

So what is it?

This image is a whopping 1GB and there is no link to source code. Without source code this is all but worthless. However I agree 100% with the distribution and installation method.

All computers, including routers, should boot from removable media. And users should get to choose what OS they run. Control. Who has it? Users have very little and what they have is continually being eroded.

If users want more control over what internet companies are allowed to do, then this is the way forward.

What do others think?

The author of this project notes, "Freenet is stillborn."

I agree. And it's pretty obvious the reason why is that Freenet presents itself as a web server. Any privacy project packaged as a web app is doomed. The local web app is a shitty interface. If Freenet had an interface more like Bittorrent, its fate may have been different.

There is a market for appliances sporting web interfaces, but that's only because it's the cheapest way to have a graphical interface that's cross platform. Only technical people use such things, and even they have to want the benefits of the appliance pretty badly to put up with the hassle of deployment. The average consumer will never touch that crap, and I don't blame them.

You mention consumer routers. Yes, those are appliances with web interfaces. But the benefit of deploying one is ACCESS TO THE INTERNET! That's a pretty compelling reason. Even if LookingGlass was sold pre-configured like a router, it's not even close to compelling enough to gain traction.

Besides how inconvenient the web appliance is to use, it's also pretty weak from a security perspective. You want to have all the encryption happening as close to the endpoints as possible. To reduce attack surface it's also best that the architecture is as simple as possible, with minimal dependencies. The LookingGlass approach follows neither of those best practices. The project even recommends deployment behind a firewall.

I don't want to shit on LookingGlass here. I haven't looked too hard at it and I support any experimentation with new protocol ideas in this space.

It's just that to be successful it needs to be natively written for every platform, especially the mobile ones. Making the core implementation portable by using C or C++ is acceptable. Just getting it going on Linux and asking users to run a server - especially a physical server - is totally not.

These are good points. I feel the same way as another poster who commented that the maintainer is going after the raspberry pi crowd so during this nascent phase only the techie "masses" are going to use such a thing. Frankly, I see a lot of issues with this project but if the fundamentals were solid I could imagine overlooking them to bring it closer to the broader community space. I suppose if I were a Chinese dissident I might have a compelling reason to go for a turn-key solution but previous commenters nailed it that this thing requires too much trust to be more than an experiment. If I were to run it on a pi I'd be prepared to ditch the pi and attach it only to some open wi-fi network.
Well, I never said anything about web interfaces. I do not like them. If the system is preconfigured, then no interface is required. "The best interface is no interface."

If there needs to be configuration while the system is running, then I prefer SSH or serial console. The images I use on my RPi are configured with an sshd listening on a loopback interface.

My analogy to consumer routers was only to remind readers that consumers plug these computers (routers) into their networks all by themselves without any assistance. This makes any argument that consumers cannot plug things into their network hard for me to believe.

Setting up those crappy routers is another issue unrelated to my comment. I don't know how consumers get it done, but they do. I find web interfaces annoying and unnecessary but I know many users love them. Again, this has nothing to do with my comment, which concerns preconfigured images and booting from external media (as on the RPi).

I don't understand how burn-on-view is supposed to work. In my world, if you can see something, you can copy it. (Analog hole, clipboard, screenshot...)
I think the idea is that it does not promise that the email will necessarily be deleted, but that it can be securely deleted (by forgetting the key for it) such that it can not be recovered later by compromising the users computer. So if I understand this correctly, it is synonymous with forward secrecy.
That's my interpretation as well. It might be a bit of a stretch to label it as a "forward-secure platform", as you can't know anything about what the receiver will do with the mail/(session)keys.

As a general system, I don't really see the attraction of forward secrecy for asynchronous, "email-like", communication -- I'm sure I'm not the only one that likes having a record of things I've said, or things others have said to me (good ideas, tips about everything from food to trips, not to mention the general "letter"-type things -- the stuff that can partially make up for not keeping a diary etc). The danger of being convicted for plotting to kill the president based on the contents of digital letters must be balanced against the historic value of having such records available for further students of history, so to speak.

But it just occurred to me that a system like looking glass could easily accommodate both: have the system automatically archive a copy of incoming and outgoing email, both encrypted to the (gpg-)key belong to the system owner. Such a system might retain "cryptological" plausible deny-ability (the owner, having the key, could fabricate a fake archive) -- but it would probably loose any "legal" equivalent. (eg: anyone can fake their browser history log files, but they're still used as evidence etc).

It would be easy to automate what should be archived, and it would also remain possible to shred certain things from the archive, if wanted. It might even be possible to store an archive in a git-like fashion, so that it will be easy to see if something had been deleted -- while hard to prove that a certain deleted plain-text was what was deleted.

[ed: to add: To misquote a common Internet meme: "I don't always plan a revolution, but when I do, I use a forward-secure platform". But I mostly don't plan revolutions.]

I tried to download the RPi image, but; how can I trust 10+ GB worth of software not to have some kind of flaw?
Good point. I had exactly the same thought. There's no way I'm downloading and installing anything off random darkweb site. I might build it myself and see how that goes but there's certainly still risk for sure. A more vibrant community built around software like this would provide a greater level of comfort, not to mention an independent security audit. Certainly anyone seeking to help this project might start with solving this important problem. I'll be putting some thought into it.