• sylver_dragon
    link
    English
    57 months ago

    So, we have a log form ad for PrivateLine. While they do raise some interesting points, there their argument is largely around the collection of metadata (which is a privacy issue) and calls/text transiting the “open internet”. They then try to pull a bit of a slight-of-hand talking about their own service using a “private network”. So, what are they selling? Let’s take a look at the site for their app. Specifically, I’m looking at the FAQ (retrieved 2024-06-01).

    I’m not familiar with some of these tech concepts. How does PL work? The concept is simple. We can offer much greater privacy and security because with privateLINE, your data travels on our private network that we have designed to operate separately from the internet. To protect your data, just install our secure tunnel software and create an account. The people you want to communicate with will also need the PL app to tunnel into our data center. Once you log in, you are in our enclave and you can communicate with anyone you are connected with on privateLINE.

    So, it’s a VPN. There’s a bit of extra “secret sauce” here in that they have applications which utilize the servers they are hosting in their own data center, but the " just install our secure tunnel software and create an account" gives the game away. That’s a VPN. Now, for some threat models, a VPN van be incredibly useful. If a nation state actor has a reason to care about you and track what you are doing on the internet (e.g. tracing contact), using a VPN makes sense. For those of us just arguing on internet forums and browsing porn, that sort of threat model doesn’t make sense.

    They also make a lot of hay about using “private networks”. So, how are they defining that? Thankfully they answer that one:

    Are private cell networks really private? What about Starlink?
    Truly private cell networks have their own IP space and are not connected to the internet. We have a contract with AT&T, who is building out our private network. Starlink is also a private network that also connects to the internet through ground stations. Our plan for Starlink is to use commercial dishes at our data center to connect directly to satellites, and routing permitting, to never touch the ground between your Starlink dish and our data center. This will provide an extremely resilient communications channel. With PL, you will have three options; terrestrial internet connection with isolated secure tunnel, private cellular data and satellite.

    Let me emphasize something in there “We have a contract with AT&T, who is building out our private network.” The same AT&T which operated Room 641A, the room the NSA was using to spy on people. Seriously, they go on and on about Signal using Amazon/Google/Microsoft infrastructure, and then have their “private network” built out by the very company which was responsible for running an actual metadata collection operation for the NSA? Whiskey, Tango, Foxtrot, over?

    I also want to pick up on another red flag, because it stuck out to me like a 20 mile square red flag:

    What kind of encryption do you use?
    We currently use a number of standard classic encryption schemes including SSL, RSA, and AES. We have a post-quantum cryptographic solution in the works and hope to be able to share more information in the near future. We aim to give you the strongest protection available to private individuals and businesses.

    This starts off good, “We currently use a number of standard classic encryption schemes including SSL, RSA, and AES.” Good, good, good… “We have a post-quantum cryptographic solution in the works” DANGER Will Robinson, DANGER! DO NOT roll your own crypto. Crypto is hard, really, really hard. Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can’t break. There are already several recognized quantum resistant algorithms. Yes, the US Government was involved in their selection. And yes, the NSA is a known threat actor in this space. The irony being that the very same public process which NIST uses to identify new algorithms was partly responsible for finding the NSA’s attacks on encryption. Good encryption algorithms work because they are public and have faced down examination by the folks who are actually good at cryptography and cryptanalysis. Unless and until an algorithm has been put through that sort of examination, trusting is dumb. Trusting one which was put out by an amateur (or group of amateurs) in cryptography is “shit covered pants on head” dumb.

    So, the next question is, how good is their code? Signal is Open Source and the code can be reviewed and audited. Now, this doesn’t mean that it’s de facto secure. But, it does provide a level of assurance that it can be reviewed and it’s security validated. Ironically, I think one of PrivateLine’s complaints about Signal is actually a strength. The CIA has had some involvement in Signal. You know who would want a really secure way for people to communicate in a hostile network? Ya, the CIA. This is a lot like the US Navy’s involvement in Tor. Various parts of the US Government have very good reasons to want secure, private communication to exist. Sure, it frustrates the hell out of other parts of the US Government, but the existence of those networks and the ability of the spooks to hide in the noise created by the rest of us, is a positive outcome for the spooks. These groups have an interest in ensuring the code for Signal stays secure. Code which is available for anyone to review to check for USG back doors. Could they exist? Sure, it’s possible, but it’s going to be very hard to pull off.

    By contrast, I can find very little about PrivateLine’s code. It seems to be closed source; so, it might be the best thing in the world; or, it could be a bug riddled nightmare. But, we will never know and never be able to validate how it works. One thing they do show is how they create a VPN. And this is nothing magic, it’s WireGuard. Which is free and open source software. It’s also pretty well respected as a VPN solution. So ya, if you actually need a VPN (very few people do) I guess this is a good start. The source of the WireGuard claim is from here (retrieved 2024-06-01).

    privateLINE App Client Software uses a WireGuard© end-to-end encrypted tunnel from your device to our secure servers over your existing internet connection (wired/wifi) or your existing cellular data connection.

    Ultimately, PrivateLine is trying to sell you a VPN service and a messaging app of unknown quality, the servers of which run in their own data center. If this is what you need, Signal is completely open source, including the server code. You could stand up your own Signal server, with your own Signal apps connecting to it and run it all from your own data center which you connect to via WireGuard. You now have a more trustworthy version of what PrivateLine is doing, all without involving FSM knows what they have in their code.