Geek Excursions: BitMessage

Along with my curiosity surrounding Bitcoin, there is a similar technology that has been released for public use called BitMessage. This system is a really neat way to securely communicate in a secure method that involves absolutely no trust whatsoever. It’s a completely decentralized email infrastructure and has captured a lot of my spare attention. BitMessage works a lot like how Bitcoin does, you can create email addresses on the fly, they are a long sequence of random characters that your system can display because you have both a public key and a private key. In a lot of ways BitMessage deals with the biggest problem surrounding PGP/GPG, which is key management. Nobody really wants to manage keys or use the system because it’s extra work. Plus even with PGP/GPG, your identity is written on your keys for everyone to see.

Getting started with BitMessage is a snap. First you need to download the BitMessage client, and you can get that at bitmessage.org. There’s a Windows and Mac client available, you can start it and be instantly attached to the BitMessage network, ready to create new “BitMessage Addresses” and throw them away just as easily. So, for example, you could reach me by sending me a BitMessage to this address: BM-2cWAk99gBxdAQAKYQGC5Gbskon21GdT29X. When you send a message using BitMessage, its to this address and from an address that your client makes, so the conversation occurs securely and since every node has a copy of the data it’s impossible to tell who is getting what information. I think an even more secure method would be to cross BitMessage with a PGP/GPG key. The only problem with a key like that is that classically PGP/GPG keys require that you include your email address as a subkey so that you can be identified by a human-readable email address when looking for your public key or when someone else is looking for it, to verify a signature for example. The PGP/GPG system doesn’t require an email address, you can of course create a public and private keypair using PGP/GPG and make the email address up from whole cloth, and instead just let people know the key ID that you want them to use. So technically if Alice wanted to secretly communicate with me, we could give each other our public keys to start and then use BitMessage as the messaging mule. I don’t see how any eavesdropper could make sense out of any of that data flow. It’s unclear what the contents are, the PGP/GPG encryption keeps the contents of the message secure, and BitMessage itself seriously obfuscates if not outright eliminates being able to tell where the messages are ultimately going to or coming from.

I have to admit that BitMessage is very user friendly and very handy to have. My only issue with it is that I don’t know anyone who uses it, but perhaps this blog post will change that. If you are interested in this bleeding-edge crypto/privacy software, I encourage you to chat me up on BitMessage for serious matters or for fun.

Encrypt Everything

Lavabit and Silent Circle have given up when it comes to providing encrypted email communications. Mega plans on providing something to cover the gap and in general the only real way to deal with privacy-in-email is end-to-end encryption. There was talk that at some point email might give way to writing letters and using the US Postal Service but there as well you’ve got Postmasters writing commands taped to mail about how everything has to be photocopied and stored – so even the US Postal Service is full of spies, the only thing the US Postal Service can be trusted to carry is junk mail.

What is the answer? Pretty Good Privacy. PGP, or rather, the non-Symantec version of it which is the GNU one, the GPG. If you really want to keep what you write private when you send it to someone else, the only way to do that is for everyone to have GPG installed on their email system so you can write email using their public key, which converts your email to cyphertext, secure from even the NSA’s prying eyes, and requires your recipient to unlock the message using their secret key, which they have.

I’ve been playing with PGP and GPG now for a very long time and I decided I would at least make a route available if anyone wanted to contact me with privacy intact – my public keys are on my blog, they are also on all the keyservers including the one hosted and run by MIT and the GPG Keyserver as well. To send me a private message via email all you need to do is get GPG, set it up, create your secret and public key, get my public key, use it to write me an email and only I’ll be able to read it. The NSA will just flag the encrypted contents for later analysis and thanks to AES–256, they’ll be hard pressed to get to the plaintext in your message.

That’s the way around all of this. GPG for everything. GPG public keys for email, for chat, for VPN, for files, and HTTP-in-GPG. Everything pumped through GPG. Since the government won’t stop spying on us, it’s our duty as citizens to secure our own effects against illegal search and siezure, and technology exists to do so.

Encrypt everything.