The last place you might expect to find the cutting edge of secure online communications is a nondescript office in downtown Riverside, Calif. But Kam Sharifi, owner of IT consulting firm Sharmen Networks there, says he’s been testing a new, secure app called Demonsaw for a month and a half.
Sharifi, who has also been building medical-record compliance tools for 16 years, says there’s “nothing” on the market like Demonsaw.
“It’s simple, straightforward, and free,” Sharifi said.
Therein lies the value of Demonsaw. Securing online communication from prying eyes is a phenomenally difficult task that even hackers have been known to mess up. To secure e-mail, you must use a complicated, lengthy security key exchange. Securing instant messages has proven easier, but only if user effort isn’t required. And securing phone-to-phone text messaging has proven to be so difficult that one of the innovators in the space quit working on it, citing its difficulty.
Demonsaw’s founder, Eric J. Anderson, thinks that he’s about to snag this cryptographic holy grail because of what he calls the long list of failures by governments and corporations to protect their citizens and customers.
“Governments and companies get hacked because the weakest link is the individual—people like you and me who work for them, and just want to get home to their families and friends at the end of the day,” Anderson said during a conversation in Boston last month. “When they get hacked, we’re the ones who get hurt.”
What makes Demonsaw unique, he said, is that the “key” to unscramble messages and other data is based on your personal knowledge. “What if I could take the geek out of security and make it acceptable to everyone?”
Anderson calls his method for creating security keys to unlock scrambled code SocialCrypto. Instead of relying on a difficult-to-memorize, lengthy string of numbers and letters, SocialCrypto is based on knowledge the data sender shares with the recipient.
Perhaps you worked together at the same company, or had a memorable night out involving margaritas and karaoke. Demonsaw’s “key” is based on hard-to-guess, easy-to-know personal facts. And because it’s decentralized—there’s no central computer server that hosts all your data, unlike services such as Facebook and Google and Dropbox—Demonsaw has no control over what data you send through it.
Describing a multilayered approach users could take with Demonsaw, Anderson referred to reporter Glenn Greenwald’s assertion that using current crypto tools is so hard, he almost missed out on communicating with National Security Agency document leaker Edward Snowden.
“Reporters have been verifying whistleblower identities for more than 50 years. But this makes it simple,” Anderson said. “I could text you one URL, e-mail you another one, tell you a third over the phone, and tape a fourth to the bottom of a park bench. Somebody like Snowden might want 10 levels [of encryption], but texting your family pictures of your cat? Probably, you need just one level.”
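An added illustration of the shared-knowledge key and the "levels" idea described above, not Demonsaw's code: the article does not say how SocialCrypto turns facts into a key, so this example assumes PBKDF2-HMAC-SHA256 over normalized, length-prefixed facts, and the function names, context string and sample facts are constructed. It goes slightly beyond the text by estimating the guess space per layer, which shows why one guessable fact is weak and several independent ones are stronger.

```python
import hashlib
import hmac
import math
import unicodedata

ITERATIONS = 200_000  # assumed PBKDF2 work factor; slows offline guessing


def normalize(fact: str) -> bytes:
    """Canonicalise a fact so both parties produce identical bytes."""
    text = unicodedata.normalize("NFKC", fact).casefold()
    return " ".join(text.split()).encode("utf-8")


def derive_key(facts, context=b"constructed-channel-id") -> bytes:
    """Derive a 32-byte key from an ordered list of shared facts (layers)."""
    if not facts:
        raise ValueError("at least one shared fact is required")
    # Length-prefix every layer so ["ab", "c"] and ["a", "bc"] differ.
    material = b"".join(
        len(f).to_bytes(4, "big") + f for f in map(normalize, facts)
    )
    return hashlib.pbkdf2_hmac("sha256", material, context, ITERATIONS, dklen=32)


def tag(key: bytes, message: bytes) -> bytes:
    """Authenticate a message under the derived key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, received_tag: bytes) -> bool:
    """Constant-time check that the sender held the same key."""
    return hmac.compare_digest(tag(key, message), received_tag)


def guess_space_bits(candidates_per_layer) -> float:
    """Search space in bits if layer i is one of candidates_per_layer[i] answers."""
    return sum(math.log2(n) for n in candidates_per_layer)


if __name__ == "__main__":
    # Constructed sample facts; the recipient types them with different spacing.
    sender = derive_key(["Margaritas and karaoke", "park bench"])
    recipient = derive_key(["  margaritas   and KARAOKE", "Park Bench "])
    outsider = derive_key(["margaritas and karaoke", "bus stop"])
    t = tag(sender, b"hello")
    print("recipient verifies:", verify(recipient, b"hello", t))
    print("outsider verifies:", verify(outsider, b"hello", t))
    print("1 layer, 1024 guesses:", guess_space_bits([1024]), "bits")
    print("4 layers, 1024 each:", guess_space_bits([1024] * 4), "bits")
```

A single layer with about a thousand plausible answers gives roughly 10 bits, which a key-stretching function delays but does not prevent an attacker from searching.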
Anderson embedded the letters NSA in the name of his app and launched Demonsaw in 2014. Since then, casual and dedicated users have transferred more than 40 terabytes of data using Demonsaw—that’s equal to about 9,300 DVD movies.
John McAfee, creator of the McAfee antivirus software, Belizean law enforcement fugitive, and 2016 U.S. presidential candidate, counts himself among Demonsaw’s fans. He described the app’s social encryption as “the smartest thing since sliced bread.”
“The beautiful thing [about] social encryption is that you don’t have to remember anything other than your social history. You don’t have to remember a single key,” he said. “Only people who share the common knowledge can break in. That’s going to change the entire fabric of social communications.”
To show how much he wants the app to succeed, McAfee sponsored an enormous party for Anderson and Demonsaw during the hacker conference DefCon in Las Vegas in August. McAfee also said he provides Anderson with an office and application developers, but “no direct cash.”
It’s cash, though, that Anderson needs. He’s planning to launch a major Demonsaw update in early 2016, with a revamped interface, an Android app, and streaming-media features. Eventually, Anderson said, he wants to release a commercial version.
But he also needs the tens of thousands of dollars necessary to hire a security software firm to independently verify that Demonsaw properly implements the cryptographic software that makes it secure. Without that verification, and without his willingness to fully open-source the project so that others can use it as they wish, he’s going to have a hard time convincing security experts that it’s safe to use.
Despite its current unpolished state, Demonsaw is not vaporware. Anderson says it’s been downloaded more than 5,000 times over 18 months of public availability. He is also in talks with his employer, Rockstar Games, to build Demonsaw’s SocialCrypto tech into game-based social networking.
Even if he gains substantial financial backing, however, Anderson’s plan is fraught with potential pitfalls. For one thing, the security world is littered with the digital corpses of amazing projects that could have changed everything—if only enough people used them.
Because of Demonsaw’s anonymizing nature, it’s hard to say how many people are using it. A list of public routers published by Seth Wahle, a Ft. Lauderdale, Fla.,-based programmer who has contributed significantly to the app, says it has about 275 regular users, and it’s impossible to say how many unlisted Demonsaw routers there are.
Anderson’s plan to incorporate streaming media as a sort of free-form, anarchist, untraceable digital radio runs the same risk that nearly every streaming-media app has faced.
“Me and Eijah [Anderson’s online alias] will be brought up on charges,” Wahle predicted. “Early adopters and supporters of all file-sharing programs have always been brought up on charges at least once.”
The difference with Demonsaw is that it’s not intended to be just a file-sharing or media-streaming tool. That difference might not matter to major Hollywood studios and record labels, but Anderson said it’s not going to deter him from trying to make the Internet just a bit more private.
Correction: A previous version of this story misidentified Anderson’s employer. It is Rockstar Games.