Jul 09, 2023
Cult of Dead Cow hacktivists design encryption system for mobile apps
SAN FRANCISCO — Once known for distributing hacking tools and shaming software companies into improving their security, a famed group of technology activists is now working to develop a system that will allow the creation of messaging and social networking apps that won’t keep hold of users’ personal data.
The group, Cult of the Dead Cow, has developed a coding framework that can be used by app developers who are willing to embrace strong encryption and forsake revenue from advertising that is targeted to individuals based on detailed profiles gleaned from the data most apps now routinely collect.
The team is building on the work of such free products as Signal, which offers strong encryption for text messages and voice calls, and Tor, which offers anonymous web browsing by routing traffic through a series of relays so that the site being visited cannot see the IP address, and so the location, of the person browsing.
The latest effort, to be detailed at the massive annual Def Con hacking conference in Las Vegas next week, seeks to provide a foundation for messaging, file sharing and even social networking apps without harvesting any data, all secured by the kind of end-to-end encryption that makes interception hard even for governments.
Called Veilid, pronounced vay-lid, the code can be used by developers to build applications for mobile devices or the web. Those apps will pass fully encrypted content to one another using the Veilid protocol, its developers say. As with the file-sharing software BitTorrent, which distributes different pieces of the same content simultaneously, the network will get faster as more devices join and share the load, the developers say. In such decentralized “peer-to-peer” networks, users download data from one another instead of from a central machine.
As with some other open-source endeavors, the challenge will come in persuading programmers and engineers to devote time to designing apps that are compatible with Veilid. Though developers could charge money for those apps or sell ads, the potential revenue streams are limited by the inability to collect detailed information that has become a primary method for distributing targeted ads or pitching a product to a specific set of users.
The team behind Veilid has not yet released documentation explaining its design choices, and collaborative work on an initial messaging app, intended to function without requiring a phone number, has yet to produce a test version.
But the nascent project has other things going for it.
It arrives amid disarray, competition and a willingness to experiment among social network and chat users resentful of Twitter and Facebook. And it buttresses opposition to increasing moves by governments, lately including Britain, to undercut strong encryption with laws requiring disclosure on demand of content or user identities. Apple, Facebook parent Meta and Signal recently threatened to pull some services in Britain if that country’s Online Safety Bill is adopted unchanged.
Civil rights activists and abortion rights supporters have also been alarmed by police use of messages sent by text and Facebook Messenger to investigate abortions in states that have restricted the procedure.
“It’s great that people are developing an end-to-end encryption framework for everything,” said Cindy Cohn, executive director of the nonprofit Electronic Frontier Foundation. “We can move past the surveillance business model.”
The FBI did not respond to a request for comment, but law enforcement agencies often complain that end-to-end encryption makes it hard to scan messages for criminal plots and for police to recover evidence after the fact.
After three years of coding, Veilid enters the world bearing a pedigree like few others in the world of hacking and security.
Veilid is the most significant release in more than a decade from Cult of the Dead Cow, the longest-running and most influential U.S. hacking group and the originators of the word hacktivism, combining hacking and activism. The group, which styles its acronym cDc, takes its name from an early hangout, an abandoned slaughterhouse in Lubbock, Tex.
After modest beginnings writing stories for the online bulletin boards of the pre-web 1980s, when a teenage Beto O’Rourke was active in the group, Cult of the Dead Cow now includes some of the biggest names in cybersecurity.
Two were among the first people to issue public warnings about security flaws in widely used software and to coordinate disclosures with the vendors as they patched the programs.
That pair includes Peiter Zatko, widely known as Mudge, who was a program manager at the Pentagon’s Defense Advanced Research Projects Agency, or DARPA, and the head of security for the online payments facilitator Stripe. He was later hired by Twitter founder Jack Dorsey to oversee security there. He testified to Congress last year that Twitter’s practices were so bad that they violated the company’s previous settlements with the Federal Trade Commission. The FTC is now investigating.
Another, Christien Rioux, wrote an open-source tool for hacking Windows machines, Back Orifice 2000, that was released at Def Con in 1999. Rioux later co-founded Veracode, which made programs to scan software for buried security failings: That company is now worth more than $2 billion.
Rioux and Zatko also belonged to a group called the L0pht, which famously warned Congress 25 years ago that the internet’s infrastructure was disastrously unsafe.
Rioux wrote the vast majority of the more than 100,000 lines of code in the Veilid framework, while other members of cDc have been involved in testing and critiquing it and working on policies, documentation and the first apps.
“You can think of Tor as a privacy system for accessing websites. It anonymizes your source IP,” Rioux told The Washington Post, referring to the IP address, the numerical identifier that can often be traced to a single device. But Tor is complicated to use, Rioux said, “not very mobile-friendly and not very modern in how it’s constructed.”
“This is sort of like Tor, but for apps. Everybody’s got supercomputers in their pockets. Why not make the cloud everyone’s computers?”
Rioux and others working on Veilid said the key was to make it easy for developers and users, as easy as something like Facebook. Existing apps could make a version that works with Veilid and have their users be able to communicate without any third party being the wiser.
The project is run by a foundation that has applied for nonprofit 501(c)(3) status. The three directors are Rioux, a more recent cDc inductee named Katelyn Bowden, and a fellow traveler who was active in the 1990s hacking scene and has worked in security since then, Paul Miller.
Bowden, who has spent years advocating for victims of revenge porn, said she was motivated to help those with little money or power have the same secure communications as billionaires and experts. That includes girls and women seeking abortion information, who can be betrayed by common messaging apps.
“It’s very rare you come across something that isn’t selling your data,” Bowden said. “We are giving people the ability to opt out of the data economy. … Give the power back to the users, give them agency over their data, and screw these people that have made millions selling period information.”
Some veteran engineers who have tested the project’s code said it performed well.
One of them, Kirk Strauser, said he was glad that Rioux incorporated proven protocols for encryption rather than trying to invent everything from scratch.
He compared Veilid to peer-to-peer pioneer Napster — something revolutionary constructed mainly from technologies that were already out in the world.
“It’s a new way of combining them to work together,” said Strauser, who is the lead security architect at a digital health company.
One of the most complex issues for Veilid is content moderation, which has been among the biggest problems at Twitter and Facebook.
Some new rivals to those established companies, such as Mastodon, have opted for what is known as federation, in which groups with their own rules connect loosely with other groups.
Facebook parent Meta says it will make its new Twitter rival, Threads, compatible with Mastodon and others. Informal Veilid adviser Micah Schaffer said that shows that big companies plan to use federation to “provide this illusion of choice. They embrace federation in a way that deflects accountability for their moderation decision — you can just go to another server.”
End-to-end encryption means that no third party, moderators included, can read the content of users’ interactions, harmful ones among them, which is one reason Veilid’s own networking app will have users invite specific followers rather than rely on central moderation.
“Veilid opens the door for a new generation of social apps that are safer by design,” said Schaffer, who built YouTube’s first safety team and later led public policy at Snap.
Rioux said he hopes his talk with Bowden opening the first full day of Def Con, along with a technical workshop and a party, will inspire the critical mass of enthusiasts Veilid needs to succeed.
“Def Con is a breeding ground of privacy-centric users and developers,” he said. “We’re launching at the right place to get out a batch of very interested people.”
The privacy and security establishment will be watching what happens closely.
“I am delighted that they are taking this bull by the horns,” said inventor Jon Callas, who co-founded PGP Corp. and the secure communications companies Silent Circle and Blackphone. “I look forward to seeing the details.”