exceptional encryption for everyone

Thursday, September 24, 2015

Don't Believe the Hype

In today’s world of incessant tweets and plagiarized status updates, the over-sensationalized media engine is living in its prime. Our scrolling consumption of spoon-fed news drives attention to bold headliners and embedded buzzwords. Cluttered articles drowning in adverts often reveal little more than an ocean of regurgitated commentary masquerading as fact.

This perpetuated misinformation propaganda inevitably leads to false perceptions and misguided discussions that border more on conspiracy theory than sound technical understanding.

Let’s do a quick coherency check on some recent publications relating to the security of surespot’s private messaging service…

Media Headlines:

Spies hacked Isis phones to track British jihadists

“The drone strikes that killed British jihadists in Syria were aided by intelligence received after GCHQ and its US allies cracked encrypted Islamic State communications. The security services successfully hacked an encrypted messenger trusted by the fighters…”

The Times: Wed Sept 16, 2015

British Isis jihadists 'had phones hacked by GCHQ' before they were killed by drone strikes

“Reyaad Khan and Junaid Hussain's communications had been infiltrated. Intelligence agency GCHQ and allies in the US had hacked an encrypted messaging service used by Reyaad Khan and Junaid Hussain to track their movements. Hussain was targeted shortly after clicking what was thought to be a “poison link” sent to him on Surespot, a messenger service extremists believe has been compromised by agents.”

Independent: Wed Sept 16, 2015

Spies hacked ISIS fighters killed in controversial drone strikes.

“Government spies and US allies cracked the coded communications service – called Surespot – allowing them to follow Reyaad Khan and Junaid Hussain.”

Daily Star: Wed Sept 16, 2015

British Security Services (GCHQ) hacks phones of ISIS Britons before killing them in Syria drone strikes.

“Hussain had been targeted by a "poison link" message sent to him by a secret agent, which could have given away some of his movements.”

EXPRESS: Wed Sept 16, 2015

Hacked surespot? That’s a bold statement.

Let’s review the facts…

  • ISIS targets Reyaad Khan and Junaid Hussain published their usernames on Twitter, inviting the world to become their friends.
  • The two men accepted a friend invite from a stranger and exchanged messages with that stranger.
  • That stranger turned out to be an undercover agent.
  • Hussain clicked on a poison link sent to him by said undercover agent.
  • Once opened, the link sent him to an unknown web page.
  • The fraudulent web page downloaded a virus to his phone from his web browser.
  • Hussain placed a phone call from his home after his phone was infected with the virus from the false website.
  • The virus was allegedly able to track information from his phone that authorities could then use to follow him.

Although the phone was infiltrated through a malicious web site, nowhere in this scenario were surespot encrypted messages hacked.

This event has no correlation to the encryption or privacy protections of surespot. The same scenario could have taken place through email, text or any other messenger on his phone. If GCHQ had actually hacked surespot, it would mean they had broken the 521-bit ECDH key agreement protocol, involving far more than surespot users in the process. That scenario would mean that any electronic service using the same protocol is also compromised, including certain SSL ciphers used to secure banking transactions and millions of websites.

Surespot did what it is supposed to do: send a private encrypted message.

Clicking on a link will open it in a different application such as your default web-browser, which is not your messaging app. Additionally, encrypted messaging apps are not antivirus security tools.

This is a great reminder for all of us on the importance of using good security practices to protect our own communications proactively, no differently than we would with our home computers. If one visits unknown pages or converses with strangers who send suspicious links, it’s not a matter of if, but only when one will be attacked. This is no different than receiving emails, phone calls or social media friend requests from unknown sources. If you cannot trust your own contacts or you don’t know who they are, a private messenger app cannot help protect you from them.

If any confusion exists as to the role surespot played in these events, consider a simple analogy:

If someone were to mail a box containing illegal goods to an unsuspecting recipient and that recipient was arrested by law enforcement, would that be the fault of the mail carrier? Was USPS hacked? Or, did they safely deliver the package? Mail carriers are not responsible for advising individuals on who they should trust or accept mail from.

A quick review of basic guidelines for all messaging app users:

For anyone thinking of using the app for illegal purposes…

  1. Don’t. Uninstall the app.

For everyone else…

  1. Don’t publish your username on social media.
  2. Don’t message with people you don’t know.
  3. Don’t click on links sent by people you don’t know.
    • Clicking on links opens them in different apps, such as your default web browser.
    • A web browser is not your messaging app.
    • Encrypted messaging apps are not antivirus security tools.

Due to the sensitive nature of encryption services in an era of increased terror threat, companies like surespot will always be under attack by media and those working to thwart such threats. We should all remember that media is largely influenced and often entirely controlled by governments and special interest groups. It is in the interest of authorities to project the idea that surespot was hacked in order to discourage more people from using the app, because it is so secure.

Don’t Believe the Hype.

surespot management team –

“Defending Your Right to Privacy”

Monday, September 14, 2015

Never Compromised

surespot is Today's Safest and Most Secure Private Messaging Tool.

We want to address recent inquiries from reporters and tech news journalists concerning the status of surespot as a company and technology.

As a start-up company with a lean team focused on new development and app improvements, we are focusing our time and energies on providing the most secure private messaging tool on the market today.

We have read every email and are unable to respond to each individually.

We hope the following provides greater clarity.

surespot has never been compromised

The privacy of all communications on our system is secure. The app operates and functions as it was designed to.

surespot is not being forced to shut down or build a back door for authorities to monitor user communications.

There is no Backdoor

surespot protects your privacy and security to the fullest extent possible. We employ proven technology and use the most secure methods of cryptography available today. User accounts are created with no personal information requirements and are not associated to an email or phone number.

Personal information is not needed, nor do we want it.

Collecting and storing personal information puts a company at risk as they are responsible for protecting that information, particularly in the space of privacy technologies.

One example is what happened to the encrypted webmail service, Lavabit LLC, which suspended its operations on August 8, 2013 after the US government ordered them to turn over their Secure Sockets Layer (SSL) private keys.

Surespot will never be in a similar situation for two main reasons:

  1. We don’t collect any personal information that can reveal an individual’s identity, nor does the solution have any technical means of deciphering encrypted communications between users. Therefore, with nothing existing about our users, there is nothing we can provide to an outside agency that can be used to incriminate them, even if legally compelled. The surespot solution was created to avoid these problems altogether, and so will never have to face this ethical conundrum.
  2. We don’t have your private keys, which only reside on your personal device. Companies that store keys ultimately face a tough ethical decision when they are compelled by law enforcement to relinquish them.

The code implemented to establish a private and secure communication mechanism uses the ECDH protocol to establish a shared secret over an insecure channel.

This means that communications are fully end-to-end encrypted and we do not hold the keys, therefore, from a technical standpoint, we have no ability to view, decipher or see plain text of any user data as it exchanges between devices.

To verify that there is no man-in-the-middle (MITM) attack, a user can always compare key fingerprints with their contact by pressing and holding on the user name of interest and selecting “view key fingerprints.” This brings up a string of hexadecimal digits representing a fingerprint of the keys, which can be compared with the fingerprints displayed on your contact’s device. This essentially takes the server out of the equation, as the key fingerprints would not match if a MITM backdoor were in place.
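As an added illustration (this is not surespot’s code), the following Python simulates the 521-bit ECDH exchange and the fingerprint check described above: an honest server relays Alice’s and Bob’s real public keys, while a server running a MITM backdoor substitutes its own key, and the out-of-band fingerprint comparison exposes the substitution. The curve arithmetic is textbook NIST P-521; the fingerprint format (SHA-256 of the raw public point) and the names Alice, Bob and the server are assumptions, not surespot’s actual implementation.

```python
import hashlib
import secrets
P = 2**521 - 1  # NIST P-521 domain parameters: the 521-bit curve behind the ECDH agreement the post refers to
A = P - 3
B = 0x0051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00
N = int("01" + "f" * 65 + "a51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409", 16)  # group order
G = (0x00c6858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dbaa14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66,
     0x011839296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity. Textbook, not constant-time."""
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):  # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def keygen():
    d = secrets.randbelow(N - 1) + 1  # private scalar never leaves the device
    return d, ec_mul(d, G)

def fingerprint(pub):
    """Hex fingerprint of a public key (assumed format: SHA-256 of the raw point; surespot's own format is not on the page)."""
    return hashlib.sha256(pub[0].to_bytes(66, "big") + pub[1].to_bytes(66, "big")).hexdigest()

def exchange(server_is_mitm):
    """Alice and Bob fetch each other's public key through the server; with server_is_mitm=True
    the server hands out its own key instead, the backdoor case the post rules out."""
    (da, pa), (db, pb), (ds, ps) = keygen(), keygen(), keygen()  # ds/ps: the server's own key pair
    pb_seen_by_alice = ps if server_is_mitm else pb
    pa_seen_by_bob = ps if server_is_mitm else pa
    sa = ec_mul(da, pb_seen_by_alice)[0]  # shared secret = x-coordinate of d * peer_pub
    sb = ec_mul(db, pa_seen_by_bob)[0]
    return {
        "alice_and_bob_agree": sa == sb,
        "server_can_read": ec_mul(ds, pa)[0] == sa,  # the server derives Alice's session secret
        # the out-of-band check: Alice reads Bob's fingerprint off Bob's own device and compares
        "fingerprints_match": fingerprint(pb_seen_by_alice) == fingerprint(pb) and fingerprint(pa_seen_by_bob) == fingerprint(pa),
    }
```

With an honest server both parties derive the same secret and the fingerprints agree; with the substituting server each party unknowingly shares a secret with the server instead, and the fingerprint comparison is the only thing that reveals it.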

This feature, combined with our fully open source client code base, is how we say what we do, do what we say, and prove it.

We take your right to privacy very seriously and will continue to stand in front of competition with the utmost confidence that our total open-source client transparency policy speaks for itself. We believe that open source will always be the base requirement standard for solutions in this space.

The surespot client Source Code can always be reviewed on GitHub.

Further, we have not been coerced by authorities to change our source code in order to attempt a deciphering of communications, nor can they legally compel us to do so. If any agency attempts to intimidate us for this purpose they will be in direct violation of the law and setting themselves up for a losing battle in court.

Privacy vs. Functionality Decisions

The pure simplicity of surespot’s design and focus on core communication functionality is the reason why it doesn’t need personally identifiable information from users. It is what we refer to as a “zero-content system”. The app-related data we do collect is the base minimum amount required for the service and technology to function properly for the best user experience possible.

Communication technology providers must always make critical decisions in determining the right balance between privacy and in-app features. We, like all companies in the security space, have to continually determine where to draw the line between protecting privacy and what meta-data is needed to execute new functionality that improves user experience (e.g., needing an email address to offer a lost password recovery service, which, for increased security, we do not do).

We encourage consumers to educate themselves on the level of privacy vs. functionality offered by each solution in the market before deciding which best fits their needs. There is no single solution that fits all and only the user can decide where their level of comfort lies.

surespot was designed for the more security-cautious consumer that demands minimal cyber exposure and maximum performance.

We believe surespot has the right balance of privacy and functionality for a seamless user experience across devices, and that performance and security trump unnecessary bells and whistles. This is why we choose to run a very lean, usable and simple solution that gets the job done fast and securely, every time. These are the types of considerations that go into every decision made by surespot management.

Please review our Threat Analysis to see what information in the form of meta-data is currently used by surespot for the app to function properly.

surespot does not know or collect any information about users that would identify them, their age, gender, location, devices, or any personal contact information. You can deactivate/delete your surespot identity at any time. Once deleted, all messages sent by you will be permanently deleted from the server. Deleted messages and identities cannot be recovered. Deleting messages will also eliminate all cipher text and associated meta-data permanently from the server. This process also automatically deletes the messages from all your contacts’ devices, ensuring a true zero-trace privacy experience.

Using surespot for Illegal Activities

We strictly prohibit any use of our app for illegal purposes of any kind.

We ask anyone doing so to immediately find another means of communication.

However, due to the nature of encryption, it is impossible for anyone to monitor or verify allegations or suspicion of unethical or illegal activity. With no ability to monitor the content of user communications, any misuse would have to be determined by speculation or a person’s involvement in some other illegal activity unrelated to the surespot service. This total lack of user oversight is also why the surespot solution cannot be shut down by authorities, as there is no means to verify how the app is being used or by whom.

If one does use the service for illegal activities or if one is suspected of participating in illegal activities, there is always a chance that law enforcement officials may come to us with a court ordered subpoena demanding that we meet our obligations as required by applicable laws to disclose what little data may exist on our servers.

Law Enforcement Guidelines

Our open source policy will always show our commitment to operating in an environment of complete transparency. This policy holds the same for our requirements of law enforcement officials and the outlined procedures that must be followed in requesting information from our company, particularly about users.

Any and all inquiries must be directed to our legal team by emailing our attorneys at legal@surespot.me.

surespot will only respond to valid legal inquiries issued in compliance with U.S. law and no voluntary information about our company or users will be released to anyone including law enforcement agencies, except in response to a grand jury subpoena, warrant or other valid legal process that is supported by probable cause and delivered from an agency with proper jurisdiction over surespot.

We do not respond to foreign authorities as they do not have jurisdiction over U.S. companies. We will never respond to a request voluntarily.

Government Interest

The sophisticated level of cryptography used to protect and execute surespot communications, coupled with the company’s total open source client policy that allows it to be independently verified, positions surespot as the obvious choice for users who are serious about keeping their communications private. This positioning, however, also puts us in the spotlight as a tool of potential interest to any authority wishing to track similar individuals. This is an expected reality.

As a company we have no reservations about the prospect of being contacted by law enforcement. Likewise, surespot users have nothing to worry about, as the app is working exactly as it was designed. surespot was specifically built anticipating this eventual possibility. If we ever are contacted it only reassures the following truths:
  1. The app is popular and being used by people of all walks of life.
  2. The app is trusted by its users.
  3. The app is secure, and continually poses a dead end for law enforcement.

If contacted, we will always comply with applicable United States law according to our responsibilities and have no wishes to be in contempt of court. Your communications will always remain safe and secure in all instances, as the technology was designed so that we would be entirely limited in what we have available to provide should we be ordered. You can verify this by reviewing the Threat Analysis on our website.

Transparency Policy

With the rising number of savvy, malicious hackers, the vast increase in identity theft victims, and the rampant expansion of government spying and surveillance programs, personal security, privacy and protection have become major issues challenging the most basic of human rights in the modern day. By combating this information free-for-all, surespot is able to return to the individual their due right to privacy. This privacy is what people have entrusted in surespot to keep secure and we intend to honor that trust without compromise.

surespot is the world’s most secure encrypted messaging app available, operating in over 100 countries with upwards of a half million users who have sent over 100 million secured messages.

Our proprietary technology provides an ironclad means for people to protect the content of their mobile communications with one another by using the industry’s only zero-content system that is also backed and verifiable through an open source client code base. This approach creates full transparency and invites peer-reviewed scrutiny and inspection of security features so you can be confident in our claims.

It is our strong belief that this open source policy should be added to the list of evaluation criteria used by the Electronic Frontier Foundation (EFF) in their annual report, Who Has Your Back. Should surespot have been evaluated in this most recent report, we would have obtained a perfect score earning stars in every applicable category.

For the sake of transparency, please review those report categories and how they relate to surespot on our Transparency Policy.

Back to work

We anticipate this statement will return comfort to our many loyal users and put to rest any rumors that may have raised temporary concerns.

surespot is here to stay!

The company is growing in size, hiring more developers, improving usability and preparing new functionality. The surespot management team is speaking to private investors and several large corporations interested in custom desktop versions of the technology in addition to private labeling opportunities. Time is tight, but we are very passionate about what we do and very encouraged by the progress of our team and industry at large. We look forward to sharing more updates soon and appreciate all of your ongoing support.

We are not honoring requests for interviews at this time as we need to stay focused on meeting new feature release dates, which we are very excited to announce soon.

It is our promise to be here day after day working hard to protect and defend your right to free and private communications!

surespot management team