Self-destructing digital data
One of the ‘rules’ of the net is: once something is online, potentially, it’s there forever.
But that ain’t necessarily so any more, say Roxana Geambasu, Yoshi Kohno, Amit Levy and Hank Levy.
That’s because their University of Washington Vanish project makes stuff, well, vanish, they say.
Permanently.
And it’s “ahead of the law”.
It’s a research system, “designed to give users control over the lifetime of personal data stored on the web or in the cloud. Specifically, all copies of Vanish encrypted data — even archived or cached copies — will become permanently unreadable at a specific time, without any action on the part of the user or any third party or centralized service,” they say.

“For example, using the Firefox Vanish plugin, a user can create an email, a Google Doc document, a Facebook message, or a blog comment — specifying that the document or message should “vanish” in 8 hours.
“Before that 8-hour timeout expires, anyone who has access to the data can read it; however after that timer expires, nobody can read that web content — not the user, not Google, not Facebook, not a hacker who breaks into the cloud service, and not even someone who obtains a warrant for that data. That [sic] data — regardless of where stored or archived prior to the timeout — simply self-destructs and becomes permanently unreadable.”
Users need to install two pieces: the Vanish system, which provides all of the Vanish functionality, and a plugin for Firefox 3, which lets them create and read self-destructing messages on Web pages.
Say Roxana, Yoshi, Amit and Hank »»»
To install Vanish, please follow these steps in order:
- Install the Vanish System;
- Install the Vanish Firefox Plugin;
- Wait for ~5 minutes for Vanish to bootstrap.
After installing Vanish, you can start using the Vanish plugin.
Says their FAQ »»»
This prototype is based on a paper that will appear at the 18th USENIX Security Symposium, a top peer-reviewed publication in computer security.
Since Vanish is a research prototype, we ask that you treat it as such. We encourage you to use it, read the source, read the research paper, test it out, and provide feedback. But please don’t trust it to the same degree that you would trust a supported product vetted for many years.
There is also another issue to be aware of.
Lawyers have told us that Vanish is ahead of the law.
Specifically, the use of Vanish in some commercial or government settings may raise interesting issues related to eDiscovery and public record retention laws.
Now you see it.
Now you don’t.
August, 2009
August 13th, 2009 at 10:40 am
Just another form of DRM. And just like all the others it will fail.
August 13th, 2009 at 11:01 am
I found the idea interesting, “if used right” (I know…lol…). Although the usage scenarios presented are practical. Yes, it is a kind of “Digital Rights Mgmt”, but with good applications to the end-user in matters of privacy and some kind of “plausible deniability”.
But it is also true that if someone really doesn’t want personal stuff on the web, DON’T PUT IT THERE at all.
August 13th, 2009 at 11:48 am
@ EE:
I had to delete your comment because the code was interfering with the WordPress page formatting.
Sorry.
“This message will self destruct by Thu, 13 Aug 2009 23:21:47 GMT,” EE had posted.
Not any more.
Cheers!
August 13th, 2009 at 11:53 am
lol
August 13th, 2009 at 1:43 pm
No problem Jon, it happens.
I just said that I like the concept, even if its not a perfect system.
lol
August 13th, 2009 at 2:41 pm
So, that’s why the last time I looked at p2pnet the format was crap, wtg EE!!
And if youre going to fool with it, let us know how it works out, please!
stw
August 13th, 2009 at 6:49 pm
I honestly don’t see how this could actually “work”:
1. Let’s assume for a moment, that it actually CAN create self-destructing data.
Except that — oops — anytime during the “lifetime” of the data, anybody can access it.
Y’all ever heard of “copy and paste?”
Or screen-captures?
Or (in the case of audio data) D-to-A conversion and “re-recording” the analog version of the audio back in?
2. Another issue is the “regardless of where it is stored” aspect:
File-permissions (at least in systems like Linux) HAVE to be able to be “recognized” by the software in question. Same with other DRM schemes. So, presumably, let’s say you use an email client with this capacity, and design a self-terminating email for twelve hours later.
So the email goes skittering off across the net, copied and recopied across a myriad of systems (which is, after all, how all file “transfers” actually work). It arrives at the destination, and its intended recipient views it (because his email client is capable of doing so.)
But what if he’s using an email client that doesn’t “recognize” the self-termination code?
Presto: it doesn’t delete.
(or have they created something that magically transcends such boundaries?)
In any case, if even a low-tech halfwit like me could think up some (admittedly-crude) ways around this, it’s pretty clear that genuinely dedicated people could really easily do better.
After all, the only reason that region-coding bullshit “works” as DRM, is because consumer-grade DVD machines are built to be able to “understand” it, and act accordingly. Same with CSS, same with the Sony Rootkit bullshit.
(Also, same reason computer virii are Operating-system specific, in most cases:
Every instance of this needs the victim’s systems to be able to “understand” how to work with the DRM.
I’m ALSO suspicious as to why they’d design this as a “plugin”, but also require five minutes for it to “bootstrap”.
Just smacks of malware to me — for it to be able to do stuff outside of Firefox, it would have to have much deeper access to your system (so it could, for example, forcibly prevent your other browsers from “seeing” the data that supposedly self-destructed, or — more importantly — keep data-recovery software from “seeing” it, either.)
3. Also, this just smacks of the RIAA’s ultimate wetdream: not only will they want you to “license” the data, but if you don’t, it self-destructs. Needless to say, unless they’ve come up with something that violates every aspect of how digital data actually works, this’ll be defeated within weeks — days, if they include any technical details in that paper.
I just don’t see how anything like this could have any effect on a system (hardware/software/firmware, whatever) that isn’t designed to “obey” it. Program code is, after all, just instructions telling the system “what to do”. So unless they’ve invented something that magically teaches everything “what to do” irrespective of hardware architecture, Operating system, what program you’re using to access it — well, you get the idea.
Anybody here used second-life? Their whole “economy” depends on people treating digital like analog, by interfering with the most basic attribute of digital data: ease of copying.
Epic fail.
Really, this doesn’t impress me much: either as a “threat” if deployed by the corporate media oligarchy, or even as a minimally-viable concept. Really, it smacks of Clouseau.
But then again, I’m not high-tech.
August 13th, 2009 at 7:39 pm
Well, looking at their technical data gives some interesting insight:
“Instead, we leverage an unusual storage media in a novel way: namely, global-scale peer-to-peer networks. Vanish creates a secret key to encrypt a user’s data item (such as an email), breaks the key into many pieces and then sprinkles the pieces across the P2P network. As machines constantly join and leave the P2P network, the pieces of the key gradually disappear. By the time the hacker or someone with a subpoena actually tries to obtain access to the message, the pieces of the key will have permanently disappeared.”
Basically, it looks like a “one-time pad” encryption scheme, with the pad-key scattered all over the network.
http://en.wikipedia.org/wiki/One-time_pad
Further, reading about the “encapsulating” and “decapsulating” data:
http://vanish.cs.washington.edu/concepts.html
indicates that what you upload to websites or send in email is “scrambled data”, such that the data isn’t what self-destructs, but the decryption key does. Thus, to decrypt the data, you’d need access to the key, which is distributed across the network.
Now, THIS is the important bit, here:
“Decapsulation
While the VDO has not yet self-destructed, the cleartext data encapsulated in it is available for reading via a process called decapsulation. The VDO contains all metadata necessary to decapsulate it and reconstruct the plaintext. More precisely, this metadata tells Vanish how to get to an ephemeral decryption key.”
So you need the Vanish thing to be able to decapsulate the data at all, even during the “lifetime” of the key.
So, it’s at least technically incorrect for them to say that during the lifetime of the message, “anyone” can read it:
Actually — at least according to their own docs — ONLY those with vanish would be able to read it, during the time when the decryption key is still recoverable. They’ve used “vuze” as a back-end, which imposes 9-hour time limits.
Their own implementation says it would require a dedicated Vanish server to handle refreshes (so as to allow for longer times), but that means that the “key” is then only as secure as the vanish server itself.
(Interestingly — would this be useful to make a self-encrypting p2p network? If everything from search strings to the torrents themselves were using something like this, there’d be no usable data-trail for pigs like Mediasentry to find.)
AND, it still leaves the fact that if the data is “decapsulated” during its “lifetime”, it could easily be copied to an unencumbered format.
(Same problem as besets ALL forms of DRM: if it’s “readable” it’s copyable.)
Interesting personal security potential, but I really don’t see how this would be useful on “social networking” sites — unless everybody has the vanish-key, which makes the data only as secure as the first person who cuts and pastes it to an insecure format, like I said.
Any thoughts?
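The mechanism the comment above quotes is, in the Vanish paper, a threshold secret-sharing scheme rather than a one-time pad: the data is encrypted under a random symmetric key, that key is split into N Shamir shares of which any `threshold` suffice to rebuild it, each share is stored in the Vuze DHT at an index derived from a random access key L that travels inside the VDO, and the DHT's own expiry plus node churn erase the shares. The block below is an added example modelling that flow; it is not the project's own code. It replaces the Vuze DHT with an in-memory simulation whose entries expire and can be dropped to mimic churn, and, as an assumption to keep the example stdlib-only, uses a SHA-256 counter-mode keystream in place of AES. The function names, the 10-share/7-threshold parameters and the sample message are the example's own.

```python
import hashlib
import secrets

# Mersenne prime large enough to hold a 32-byte key as a single field element.
P = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coefficients low to high) at x over GF(P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, n, k):
    """Shamir k-of-n split of an integer secret (< P); returns [(x, y), ...]."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 from any k distinct shares."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P
    return secret


def _keystream_xor(key, data):
    """Stand-in for AES (an assumption of this example): SHA-256 counter-mode keystream."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class FakeDHT:
    """Simulated DHT: entries expire after ttl seconds, and churn can drop them earlier."""

    def __init__(self):
        self.store = {}  # index -> (value, expiry time)

    def put(self, index, value, ttl, now):
        self.store[index] = (value, now + ttl)

    def get(self, index, now):
        entry = self.store.get(index)
        if entry is None or now >= entry[1]:
            return None
        return entry[0]

    def churn(self, count):
        """Drop `count` entries, as if the nodes holding them left the network."""
        for index in list(self.store)[:count]:
            del self.store[index]


def _share_index(access_key, x):
    """DHT index for share x, derived from the VDO's access key L."""
    return hashlib.sha256(access_key + x.to_bytes(2, "big")).digest()


def encapsulate(dht, plaintext, n, k, ttl, now):
    """Build a VDO: ciphertext plus the metadata needed to locate the key shares."""
    key = secrets.token_bytes(32)
    access_key = secrets.token_bytes(16)  # 'L' in the paper: seeds the share indices
    for x, y in split_secret(int.from_bytes(key, "big"), n, k):
        dht.put(_share_index(access_key, x), y, ttl, now)
    # The data key itself is discarded; only the DHT shares can reconstruct it.
    return {"L": access_key, "N": n, "threshold": k, "C": _keystream_xor(key, plaintext)}


def decapsulate(dht, vdo, now):
    """Return the plaintext, or None once fewer than `threshold` shares survive."""
    shares = []
    for x in range(1, vdo["N"] + 1):
        y = dht.get(_share_index(vdo["L"], x), now)
        if y is not None:
            shares.append((x, y))
        if len(shares) == vdo["threshold"]:
            break
    if len(shares) < vdo["threshold"]:
        return None
    key = recover_secret(shares).to_bytes(32, "big")
    return _keystream_xor(key, vdo["C"])


def demo():
    """8-hour VDO: readable at hour 1, unreadable at hour 8, and tolerant of limited churn."""
    dht = FakeDHT()
    message = b"This message will self destruct."  # constructed sample input
    vdo = encapsulate(dht, message, n=10, k=7, ttl=8 * 3600, now=0)
    early = decapsulate(dht, vdo, now=3600)          # shares present: plaintext
    expired = decapsulate(dht, vdo, now=8 * 3600)    # all shares timed out: None
    dht.churn(3)                                     # 7 shares left: threshold still met
    after_churn = decapsulate(dht, vdo, now=3600)
    dht.churn(1)                                     # 6 shares left: key unrecoverable
    too_much_churn = decapsulate(dht, vdo, now=3600)
    return early, expired, after_churn, too_much_churn
```

Two things the run makes concrete. The VDO holds only L, N, the threshold and the ciphertext, so an archived or cached copy of it is worthless once the shares have aged out of the DHT; nothing in the VDO needs to be deleted for the data to become unreadable. The threshold is what reconciles churn with the timeout: losing a few shares before expiry is harmless, while losing more than N minus the threshold destroys the key early. The comment's objection stands unchanged: anyone who decapsulates before expiry holds plaintext and can keep it.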
August 13th, 2009 at 11:32 pm
It won’t work. Skynet, anyone?
August 13th, 2009 at 11:45 pm
Henry, I’ve read some of the data they give on the site, and it does have some interesting attributes. And I would have to agree that it’s only going to be as good as the people using it are careful about it. The implications of using this on top of PGP as they discuss could bring a whole new level (IMHO) of security to data transmission on the internet, and I’m not sure we are really looking at the depth that can potentially be done here. The idea of being able to basically double encrypt data, then push it through a VPN, would be verging on seemingly perfect security, again given that the user doesn’t do something to compromise the system. The uses, both legal and non, for something this strong can be staggering, when properly applied. I plan to follow the dev on this one and when they get a decent release candidate, I’m all over it.