Show HN: Babble – Communicate privately on state-sponsored social media (landrop.app)
100 points by yvbbrjdr on July 18, 2022 | 23 comments
Thanks for checking out Babble! You might wonder why this app is even useful and why not just use Signal/PGP. This app's target audience is actually ordinary people in China or similar countries who are under severe government surveillance and censorship, where access to Signal and similar E2EE messaging software is blocked by nationwide firewalls, such as the Great Firewall of China (GFW).

Chinese people have been deprived of freedom of speech even before the COVID-19 pandemic. Li Wenliang, who was among the first to notice the spread of the virus and warned his colleagues about it in a private WeChat group, was admonished by the police for "spreading rumors"; his punishment was then aired on the national TV channel. After Wenliang passed away due to getting COVID-19 himself, discussions about it on China's public Internet were highly restricted; most discussions were deleted upon being posted, which was done by some automatic keyword detection mechanism.

Things got even worse over the years and especially during the Shanghai lockdown in early 2022. Everything related to questioning the public health policy is banned. Many people posted articles about how bad Shanghai's economic and social situation is on their WeChat public accounts. None of these articles, not even their accounts, can survive for longer than a few hours. Even articles crying for help, because people were starving, got deleted.

A video called Voice from Shanghai Lockdown (https://youtu.be/38_thLXNHY8), which contains audio recordings of desperate Shanghai people during the lockdown, went viral on Chinese social media at the end of this April. Unsurprisingly, this video was immediately censored. People got angry and tried to spread this video as much as possible by re-posting it again and again, racing against the detection algorithm. But it was futile.

It's just like 1984, where the number of words available to say "legally" is decreasing. There are no tools available for people to speak out. Public social media and private messaging apps are all monitored by the government. Foreign tools such as Telegram, Signal, or anything similar are blocked by the GFW. PGP is too technical for normal people. The goal of Babble is to provide those people with a cryptographic and steganographic tool that's easy enough to use but secure enough against a censorship system. It's not perfect as of now, but we are making an effort to make it better.

Yes, Babble might get removed from the App Store in China if the Chinese government asks, but it's fundamentally different from Signal being blocked - there are a considerable number of people in China who have an overseas Apple ID so that they can download apps not on the Chinese App Store, but to use Signal, you have to bypass the GFW, which fewer people know how to do. One of the real challenges for this project though, is how to get people aware of the situation, because our education is brainwashing and people are starting to take surveillance and censorship for granted. And it's very hard for the app to reach its intended audience because the surveillance system is designed to prevent them from accessing this kind of tool.



Maybe with the text generating models (GPT-3 etc) we can soon create a steganography solution, which hides your real message inside innocent looking casual messages generated from a selected topic.

Add a suitable browser extension, enter the shared secret and "read between the lines".


No need for fancy language models, I was browsing GitHub Twitter steganography apps and came upon this:

“Twitter Steganography using manual annotation and codebooks (2014)”

(https://github.com/shadowrun96/pteroglosia)

Sure it’s an academic proof of concept, but pretty cool nonetheless, and a good combination of widely accessible technologies.

But I feel that the answer to the privacy question will lean more on low tech cunning and decentralization/reduced mediation, rather than hi tech or state-backed solutions.

Like, how do you get the NSA to not snoop on your itinerary? Buy a physical agenda/day planner, think in paper, speak face to face, walk, don’t take the phone. Easy basic stuff, though you may end up speaking in a hushed voice and utter terms like “the people”, “the system”, and “off grid” more often than usual - you know, usual for sheeple. Like a conspiratorial Tourette’s. Am I missing some rabbit ears there?

And of course we will always have rebus and heraldry (allegory and memes)!

Consider this:

“The Pooh duck-stepping a Lemming path towards a cliff.”

No tech necessary (other than the Internet, a mind blowing basic amenity), but every Chinese person can get a political message, where an algorithm would get a syntactically incorrect sentence.

“Go water bags!” is what I’m saying, I guess, though I think I lost my drift a while back :)


Just add "in minecraft" to every sentence


You can say ANYTHING if you add "in Minecraft" afterwards. Good call.


You can get in lots of trouble for doing stuff "in Minecraft" https://www.rferl.org/a/russia-teenager-minecraft-terrorism/...


You just made my day


Reminds me of this very cool zero width steg project: https://github.com/vedhavyas/zwfp

I used the Go code to develop an iOS app that, while I and my friends thought was very cool, Apple didn't think had enough features to publish :(

Edit: Obviously this isn't going to fly under the radar when a state actor is concerned.


Interesting project! But yeah it requires little effort to detect
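
Why zero-width schemes are easy to spot, as an added example that is not part of the thread or of zwfp: a constructed two-character encoding (zero width space for 0, zero width non-joiner for 1; an assumption, not zwfp's format) and a scanner that flags runs of invisible Unicode format characters while leaving the single joiners inside an emoji sequence alone. The cover text, function names and `min_run` threshold are assumptions.

```python
import unicodedata

# Constructed mapping for this example only: ZWSP carries bit 0, ZWNJ carries bit 1.
ZERO, ONE = "\u200b", "\u200c"

def hide(cover: str, secret: str) -> str:
    """Insert the secret's bits as invisible characters after the first word."""
    bits = "".join(f"{byte:08b}" for byte in secret.encode("utf-8"))
    payload = "".join(ONE if bit == "1" else ZERO for bit in bits)
    head, sep, tail = cover.partition(" ")
    return head + payload + sep + tail

def reveal(text: str) -> str:
    """Collect the two carrier characters and turn them back into bytes."""
    bits = "".join("1" if ch == ONE else "0" for ch in text if ch in (ZERO, ONE))
    usable = len(bits) - len(bits) % 8          # ignore a truncated last byte
    data = bytes(int(bits[i:i + 8], 2) for i in range(0, usable, 8))
    return data.decode("utf-8", errors="replace")

def invisible_runs(text: str, min_run: int = 4):
    """Return (offset, length) for every run of >= min_run format (Cf) characters."""
    runs, start = [], None
    for i, ch in enumerate(text + "x"):          # sentinel closes a trailing run
        if unicodedata.category(ch) == "Cf":
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_run:
                runs.append((start, i - start))
            start = None
    return runs

def strip_invisible(text: str) -> str:
    """What a platform filter could do: drop every format character."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")

if __name__ == "__main__":
    cover = "Nice weather in the park today"     # constructed sample text
    stego = hide(cover, "hi")
    print(len(cover), len(stego), reveal(stego))
    print(invisible_runs(stego))                 # the hidden payload is one long run
    print(invisible_runs("\U0001F468\u200d\U0001F469\u200d\U0001F467 family photo"))
    print(repr(reveal(strip_invisible(stego))))  # message is gone after filtering
```

Two bytes of hidden text already produce a run of 16 invisible characters, which no ordinary text contains, and a filter that strips them destroys the message without changing what the reader sees.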


Yes! I'm right now creating a steganography scheme with an NLP model.

We've actually tried implementing a browser extension before. The problem is ordinary people just don't use browser extensions..


Ordinary people can use browser extensions OK on desktop, but on mobile it's a mess. Chrome for Android doesn't support extensions, and no one uses the Android browsers that do. Installing an extension for Safari on iOS requires following many unintuitive steps. I hope mobile extensions become easier to install/use with time!


The original version was a browser extension. It was very painful to maintain support for all the different types of input fields. Most large social media sites do not use standard text areas.

https://github.com/XCF-Babble/babble


Something similar using random spaces is here. But it's possible for anyone to decrypt it since there is no password

https://neatnik.net/steganographr/


So I’ve had an idea for similar: make an app for chat that stores data in multiple configurable social media/postbin type accounts. Messages are embedded in images, videos, music, etc using steganography, and encrypted. It could be designed like RAID such that to communicate you need the key and access to 3 out of 5 (or more) of the providers. To chat with someone, the app facilitates passing the account list and a public key via a QR code or similar and posts encrypted/hidden text in normal-looking images/video/music/text etc

I’d call it horocrux.
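
One way to get the 3-of-5 property described above is Shamir's secret sharing, a technique the comment does not name; this is an added example, not part of the thread. The payload (standing in for an already encrypted message), the provider numbering and the field size are assumptions.

```python
import secrets

PRIME = 2**521 - 1      # Mersenne prime; the field holds payloads up to 65 bytes
FIELD_BYTES = 66        # bytes needed to write any field element
PAYLOAD = bytes.fromhex("00" + "ab" * 31)   # constructed 32-byte sample ciphertext

def split(payload: bytes, n: int = 5, k: int = 3):
    """Return n shares (x, y), one per provider; any k of them rebuild the payload."""
    if len(payload) > 65:
        raise ValueError("payload does not fit in the field; split it into chunks")
    value = int.from_bytes(payload, "big")
    # Random polynomial of degree k-1 whose constant term is the payload.
    coeffs = [value] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):           # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares

def combine(shares, length: int) -> bytes:
    """Lagrange-interpolate the polynomial at x = 0 from the given shares."""
    value = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        value = (value + yi * num * pow(den, -1, PRIME)) % PRIME
    # With too few shares this returns unrelated bytes instead of raising.
    return value.to_bytes(FIELD_BYTES, "big")[-length:]

if __name__ == "__main__":
    shares = split(PAYLOAD)                  # share i goes to provider i
    reachable = [shares[0], shares[2], shares[4]]   # providers 2 and 4 are blocked
    print(combine(reachable, len(PAYLOAD)) == PAYLOAD)
    print(combine(shares[:2], len(PAYLOAD)) == PAYLOAD)
```

Any three providers are enough to recover the payload, and an observer who sees only one or two shares learns nothing about it; the price is that each share is as large as a field element rather than a fraction of the message.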


Or, matrix, mattermost or any self hosted platform where you can control the keys and host yourself...

Biggest issue as you highlight is userbase which frankly, if you're serious about going against state media you should be talking about avoiding devices locking you down to app stores etc. People on those platforms (as unfortunate as it is) have decided that pretty aesthetics are worth personal freedom so ultimately will never support true freedom of thought or opinion.


Thanks for your advice! However, there are several problems with self hosted platforms in China.

1. People are unaware of their existence due to those projects being very technical and hard to deploy/join. They also don't have a good client on mobile platforms. People will trade their privacy for all the convenience, say, WeChat brings, because all of their contacts are already using WeChat. It's hard to convince people to change to use your matrix server.

2. Cloud services are also monitored by the government. There are programs running in the background inside VPSes that monitor all processes in your server.

3. If you want to host a website, you have to register it with a state agency, so if there are any contents on your website that the government doesn't like, your website will be shut down and you'll be held responsible.

As for the walled garden Apple created, I heard that the EU has passed a law mandating Apple to allow third-party app stores. It'll be very interesting to see what'll happen in the future.


As for getting people to join. LEAVE THE APPLE WALLED GARDEN. After that it's entirely as easy as sticking up QR codes or equivalent.

I'm not talking about working within the system. Buy crypto, and with it rent a self hosted NON CHINESE SERVER, not a website, and do your best to keep the box accessible to known popular not yet banned VPN used in China, for the day when the firewall gets you.

Again, with regard to getting people to join these services, if people aren't willing to sacrifice some minor discomfort of not using the WeChat interface, they're hardly likely to stand next to you in a street protest.

Yes if you want to start a large viral movement you have to dress it up a little, improve the Chinese locale or fix some UI issues, but this is massively easier than starting from a text editor or compiler on a remote box. But if you just want to go viral, use WeChat, get a knocked off account or 10 and expect that knock on the door when they turn up because you're protesting _WITHIN_ the system.

Again, VPN are massively technical but hugely popular even in mainland China (I've known enough Chinese Apple users to even know this is the case). People are capable of following "click here" instructions better than most people imagined, otherwise technophobes wouldn't have social media.


I thought I had heard about this app before, but turns out that it was a similar app named Boom: https://qz.com/1822127/encryption-app-to-avoid-coronavirus-c...


Wow! This project seems to do exactly what ours does right now.. with an even better UI/UX.. but they don't seem to support any kind of nonce'ed and key'ed encryption?

For some reason it's no longer on the App Store anywhere.


It is a noble effort, but you still have the same dilemma:

* if only a few people are using it, then the messages will be lost

* if somehow this gains popularity, then the authority will ban it

For a small determined group, there are already easier ways to communicate.


Yes. What I'm targeting is the mass population, and I really need to figure out a way to solve this dilemma.


>Hina protects your images posted online or sent to others by encrypting them with a password...

Like just a single word? Why wouldn't that be trivially brute forceable? Since you don't care exactly where the content comes from, why not just use some sort of public key system? There wouldn't be much chance of a MITM in this particular instance and it would simplify things for the user.


Under the hood, we used the Argon2i algorithm to derive the secret key from an arbitrarily long password string. We used the term "password" because that's what ordinary people will understand (like, zip uses the same term for their secret keys). In practice, people should choose a password that's long enough to prevent brute forcing, just like picking a password for your online accounts.

It's a good idea to use a public key system. But it really confuses new users who have never used PKI before. Nevertheless, we have a key exchange feature built into the app that allows 2 parties to negotiate a shared secret using X25519, for advanced users.


I thought about building something like this as a browser extension that would work on Facebook. It would not only make censorship more difficult, it would also make it harder for the algorithm to know what you're interested in.

Of course, any platform can try to ban all such posts outright.

Glad to see someone working on this!



