One of the world’s oldest hacker collectives, the 1984-founded Cult of the Dead Cow, re-emerged at last week’s DEF CON to make public a privacy-preserving communications framework called Veilid.
Katelyn “medus4” Bowden and Christien “DilDog” Rioux presented cDc’s work to the conference, describing Veilid as “a privacy focused communication platform and protocol for the purposes of defending human and civil rights.”
The work is cDc’s response to growing governmental attacks on cryptography worldwide, exemplified in the UK’s Online Safety Bill, which if passed would impose heavy fines on services that can’t hand unencrypted user communications to law enforcement.
That threat has prompted organisations like WhatsApp and Signal to threaten to exit the country.
Law enforcement in Australia is also increasingly hostile to encryption: in February,
Australian Border Force assistant commissioner James Watson told a parliamentary inquiry encryption technology stymied the agency’s device searches at international airports.
Law enforcement here can demand unencrypted communications using the Surveillance Legislation Amendment (Identify and Disrupt) Act, or the Telecommunications and Other Legislation Amendment (Assistance and Access) Act, but last year Home Affairs complained that platforms like Mega were rolling out encryption “without the associated consideration of safety features”.
A platform, not a company
The open-source Veilid framework is purpose-designed to defeat these government attempts to circumvent encryption: it’s a ”platform and protocol” rather than a service, so there’s no organisation to ban or harass.
In the DEF CON presentation, cDc acknowledges some similarity to the Tor network, but unlike Tor, there are no exit nodes for law enforcement to monitor for user traffic.
“Veilid allows anyone to build a distributed, private app. Veilid gives users the privacy to opt out of data collection and online tracking”, the organisation explains.
Whether someone is just using a Veilid-enabled app, or acting as a Veilid P2P node, their exposure to monitoring is minimised: the framework restricts use of the domain name system (DNS) to a single lookup, firewall workarounds like STUN aren’t needed, but for ease of use it retains the familiar UDP, TCP, and Websockets protocols.
Nodes discover each other using a private routing table, and the two “ends” of a conversation communicate without knowing each others’ IP addresses (likewise, the applications can’t see IP addresses).
Nodes are identified using a 256 bit public key, and Veilid currently supports Linux, macOS, iOS, Windows, Android and web apps.
Connections are protected against tampering or impersonation by end-to-end encryption, authentication, timestamps and digital signatures.
Encryption is provided by the XChaCha20-Poly1305 mechanism, curve25519 provides authentication and signing, and x25519 handles key exchange. BLAKE3 is used for hashing, and Argon2 provide password hashing.
The outcome is that not only are the contents of communications secured, but the communications themselves are also untraceable.
While this would mean an app developer could face penalties for using Veilid under an encryption ban, the idea is that using it should be simple enough that end users can adopt it for themselves.
The Cult of the Dead Cow first came together in 1984 in Texas, and in 1990 member Jesse “Drunkfux” Dryden founded the HoHoCon hacker conference, which held five annual events.