The Wayback Machine - https://web.archive.org/web/20120425194510/http://www.cso.com.au:80/article/415975/cryptweet_encrypts_twitter_direct_messages/

CrypTweet encrypts Twitter direct messages

But don't use this work-in-progress software for truly secret communications just yet

Recent US attempts to obtain the communication records of people alleged to be associated with or even discussing WikiLeaks or the Occupy movement have inspired the development of encryption for Twitter messages.

CrypTweet has been put together by Mark Pesce, a Sydney-based author, futurist and educator who was also responsible for the virtual reality modelling language (VRML), a pioneering system for creating 3D interactive spaces on the web.

"I was appalled that the US government could subpoena Twitter's records in pursuit of political enemies like Julian Assange," Pesce told CSO Online.

According to the project website, "CrypTweet is a collection of Python programs designed to work together, using RSA public-key cryptography so that anyone can send you an encrypted direct message, but only you can read it."

CrypTweet is still rough at the edges and should be considered a work in progress.

Downloads are provided for Linux / OS X and Windows 7, and some command-line work is required to install and configure the software.

DMs can be sent and received from the command line, or CrypTweet can be run as a web service and accessed through a web browser.

"CrypTweet is really intended to be running entirely within your mobile," writes Pesce.

"While an Android port is under way, CrypTweet already has been tested on the Nokia N9 (running Meego, a flavour of Linux), and works flawlessly. If you have a jailbroken iPhone or iPad, you can install CrypTweet, but it requires a newer version of Python than is available from the Cydia package manager."

Initial reactions to CrypTweet have been mixed.

Commenters at Hacker News, for example, have pointed out flaws that they claim would make CrypTweet vulnerable to various attacks, including a known-plaintext attack (KPA), in which an attacker holding samples of both the original and the encrypted text could work backwards to recover the encryption keys, and a padding oracle attack.

"Don't use this for anything other than a toy. The crypto is misdesigned," wrote one.

Critics on Twitter pointed to the current lack of HTTPS encryption between CrypTweet and its public key server, and to the all-encompassing permissions that CrypTweet requires to use Twitter's API — although that's forced by that API's lack of granularity. Granting read-write access to a Twitter user's DMs automatically grants access to everything else.

The project doesn't use modern software development tools such as a source code browser like GitHub or a documented API.

"Encrypting Tweets is like installing Linux on a toaster. I'm happy for you, though," tweeted cynical mobile developer Leslie Nassar.

Nassar has a point. Encrypting DMs wouldn't make much difference if the sender or receiver's device or the key server itself had been compromised — and mobile devices are increasingly the target of sophisticated malware.

However, other commenters considered CrypTweet "a nice initial attempt" and noted that the project's "broader motivation is to bring crypto to services that people are using, not the other way round".

Pesce understands that CrypTweet has flaws, and has released the code at this early stage precisely so that experts can help improve it.

"There are bright folks who know lots more about cryptography than I do. They'll be able to spot the flaws and holes in CrypTweet. I'm hoping they can share their findings so those holes can be closed," Pesce said.

CrypTweet requires Python version 2.6 or greater, but not Python 3. No additional packages are necessary.

Pesce reckons he spent around 70 to 100 hours developing CrypTweet over the past six weeks. The project was funded in part by a grant from the Shuttleworth Foundation.

Comments

Allen

Tue 21/02/2012 - 16:39

Encryption concepts are interesting, and I'm eager to know how the process would take place.
