FAQ
FAQ
Before you get started we can imagine that you have a lot of questions related to the tool. Of course we want to help you understand it. So we compiled an FAQ with general, application and technical details.
General questions
1.What is Small Sister? Small Sister is a project that takes on the issue of protecting personal or business information. We want to change the online environment in such a way that private data remains private. One thing is by creating useful, well thought tools and another way is by educating people on the threats at hand.
2.What tools have you made for me? We have started with a tool that delivers a mail-like application. We have build this in such a way that we protect against data retention (see next question) and eavesdropping. It also enables anonymous communication. So we secure mails at this point. In a future version you may even expect things like instant messaging.
3.What is data rentention? Data retention means that someone stores information on who is communicating with whom. This information may be harmful when such links between organizations or people are shared too early. Since several countries in Europe have laws that force Internet Providers to store this data certain jobs have become harder and also through wiretapping this kind of information may leak. You can think of journalists that need sources, companies that want to negotiate deals in maximum privacy, people that want to tip authorities anonymously and even intelligence organizations that need to protect our safety.
4.What is eavesdropping? Eavesdropping means that someone listens in to all the traffic. That enables people to read messages and even when they mails are encrypted, it still shows who you are mailing or receiving mail from.
5.So if you protect messages what does this do for me? Well you get a tool where you can reach other people as soon as you are in touch. You can freely communicate and exchange information without the burden that you have to consider all communication completely public.
6.Who is behind this thing? Well the Small Sister Project consists of a group of concerned citizens and professionals with quite some security experience. To get the tool off the ground the Dutch Foundation has funded the project with 25,000 euro. This money has been used to design the tool, build the server software and the client-application.
7.Are you some bunch of extremists that want to help out criminals? Not really. We are law abiding citizens that need secure communication to our job and want to regain privacy for what it should be: letting us decide who gets our personal information. Even more so: we encourage law enforcement to better secure themselves with this tools, while we hope that criminals don’t use this at all.
8.Can’t terrorists use this? In theory they can and that is unfortunate. However there are known tools for terrorists to do similar things and we would like to stay away from those tools. However most technologies can be used for good and bad. Most of us use GPS every day without realizing that the attackers on September 11th. 2001 needed it to perform their attack. We focus on positive use and dislike them just as much as you do.
9. Is there a mailing list that I can join? You bet! We have a subscription page here.
About the system
1. How does the tool protect me? Well all communication will travel across the net crypted. So even if someone is listening in that doesn’t mean they can read the information. Also the server doesn’t know who is sending messages, because we use an anonymous route. The receiver is a mailbox and it is not known who owns that. Finally the server is part of an anonymous network and is only known to the users. Of course you can become part of the network and find out which servers are there, but then still it is unknown who is using what server. We deliver the server software as well.
2. Will this make me totally secure? No, nothing will. Ultimately anything can be undermined given that you have enough resources. It is an important added layer of security. Also users can make mistakes and share too much information. So it is a tool that helps, but doesn’t solve everything in this world.
3. How do you keep things anonymous? We use Tor from the client all the way to the server that operates as a Tor Hidden Service. So when communicating the data enters the Tor-network and will never ’surface’ on the ‘regular’ internet.
4. Did you reinvent the wheel? Absolutely not. We use common infrastructure and security projects that are open source. We are not about reinventing the wheel, we want to shape communication in such a way that it is safer to be in touch.
5. You are running a server what can I expect? Well in our case basically nothing. We are in the phase of testing the tools and having fun with it. Of course we aren’t planning to bring a server down for no reason, but it isn’t a business service yet a testing service. No warranties. If it works you’re lucky. If you want to be more reliable run your own server.
6. Someone else is running a server? How big are my risks of abuse? Good question. Well the thing with giving up control is that you never know for sure that the others are trustworthy. However if someone decides to copy your e-mail they get a PGP-crypted bunch of data. It is up to you to decide if you trust that or not. Let us give you two thoughts: running a server in your company means that the people know you and may be more interested in your data than strange people, while third parties are even harder to check on (especially when you have no clue who is running the server).
7. What if I really don’t trust your server? That is a positive attitude, because being vigilant is healthy. So by all means setup your own server and only tell relevant people. We envision that for instance an intelligence organization would prefer that and keep the address to themselves.
8. What operating systems will the tool run on? Basically anything goes. We have started on Linux for technical reasons, but the vision is that any operating system will work. At this point we want other systems like Windows and Mac OS X to work as well. Since the tool is written in Python porting the application shouldn’t be too much of an hassle.
9. How do you keep spammers out? At this point we don’t. That sounds scary perhaps, but shouldn’t be. In general spammers are aiming at reaching masses of people hoping that a small percentage will click links, respond, buy or are a wiling target to abuse. With Small Sister you can’t just mail masses of people. You can only reach those people who gave you their account info (or info one of their many accounts). This isn’t just an address, but it contains cryptographic information. When spaming you need that information to crypt an e-mail per message. That is quite cumbersome to reach bunches of people. Can it be done? Yes! But it isn’t all that simple.
Technical questions
1. What technologies do you use? We use Python, wxPython, Pyme, GnuPG and Tor.
2. Why on earth did you pick that? Well GnuPG and Tor are the infrastructure tools we need to get the job done. Tor helps with adding privacy to the system and letting your data be part of a bigger flow. GnuPG is more or less the open source defacto standard for secure e-mail. Python is an easy to understand language and perfectly up to the job. In combination with WX we can make nice interfaces that run platform independend. Pyme is the link between GnuPG and Python.
3. What encryption do you use? Well we have several layers of encryption. To begin with: we use GnuPG (that is OpenPGP) for encryption of the messages from the begin point until the very end. When stored on the server the data is encrypted as well. Because we use the TOR-network for anynomous communication all traffic is during transportation all the way to the server.
4. Sometimes the tool works, but is really slow. Is anything wrong? This is a known issue and we are working on that. The problem is that we use the Tor-network and that makes communication sometimes slow. It can be quick at times as well. You do have to accept the fact that the security of privacy comes with some delay. If you want to speed up the process you can help build the Tor-network by routing traffic yourself.
5. You can store messages on the client machine. Is that safe? Well we do crypt all data and store the information in an encrypted way. However at this point that is only limited security, since there is no pass-phrase in use. If you take security seriously encrypt your home-directory or disk.
6. I’ve lost my keypair can you retrieve that for me? No! That would be a major backdoor. If you fail on backup (that may be a security decision) the messages should be considered lost. Cracking the encryption is not something you should consider as trivial.
Other questions
1. What can I do to help out? You can add to the website, documentation, write code, test the software, bring in new ideas or donate money to speed up development of the toolset. We want to secure instant messaging, VoIP and other means of communication as well. Also translations of the tool in several languages is a big wish that would lower the threshold for people to use it. Finally we need innlstallers that are very very userfriendly for all platforms.
2. What is still needed? At this point a lot. The interface needs a boost, the libraries could be integrated with other mail clients so using the secure way to communicate becomes even more natural. We can always use more documentation, ideas and discussion on the security aspects.
3. Is this open source software? It absolutely is. We embrace the GPL version 3.0. All elements we use are open source. This is a big deal for us. You need to be able to verify the working, expand it and share that too! Only by doing that Small Sister will grown in size and quality. Even more so: we don’t believe in security through obscurity.
4.How much does the application cost? It’s a free download. If you need consultancy on securing your systems that would mean some costs, but really you can start yourself. NLNet, the developers and the volunteers have picked up the tab. To keep the initiative alive you could consider to pay by donating to the project or by helping out.
5. How much do I pay for hosting? None. If you want to connect to one of the servers of the volunteers than you don’t need to pay. We don’t even have an infrastructure that could deliver paid-for-service.
6. Can I run a server of my own? Absolutely and we encourage you to do so. You could even make that public through the wiki and help other people out.
7.Should I tell you I run a server? It would be nice, but no you don’t.
8. What license do you use? GPL version 3.0
9. What messages would you sent over the Small Sister Mail? Good question! Well if you plan to use it for real it is smart to use it for as many messages as you can. As soon as you decide to sent only important mails over the secure channel you make it apparent that this is a special message. If your protection fails all messages are interesting. By using it broader this changes. Someone would have to decrypt all files to find the relevant ones. That is pretty cumbersome and makes it a security measure on its own.
10. To be honest it seems that the tools aren’t fully ready yet. Is that normal? Glad you asked. The tool isn’t ready and still work in progress. That shouldn’t stop you from using it, but you have to put up with some tweaks that are still needed. Hard work has been done and is still needed. Give it some time or better: help out!
11. Can I publish my ID? Sure you can. Since SmallMail allows you to setup multiple accounts you can publish one that is no secret. The thing is that we want to protect our factual communication. So if you pubish you reach more people and thus increase the love for the tool.
12. Isn’t it stupid that you create cryptographic software to circumvent data retention? Well this may be a shock to you, but we just implemented a very basic mail systems. All the cryptography is already out there and used by hundreds of thousand if not millions of users on a daily basis. We picked up the existing tools and reused them in such a way that the project was able to do its thing. We don’t deliver cryptography, we don’t deliver anything wild. Just an e-mail system.
