 I'm going to introduce, well let's first introduce Small Sister, Small Sister is a very small group of mainly Dutch citizens that know a bit about computers and they are concerned about what happens to privacy especially where computers are involved. The main thing we like to do is provide information for computer and online privacy so that people know how they can infer clearly in danger of their privacy and how they can afford things. We like to educate people about the value of encryption, learn them that there are tools available that provide them very good privacy and we also inform politicians about what the effects are of their measures. We're not only aiming at the older people but also trying to do some politics and getting those in. As a last part we are giving information about privacy solutions but we find that there are some holes in what's available. There are very good tools available and we don't feel like reinventing another wheel but there may be holes that need patching and we like to do that too. And what I'm doing, I'm just here as a developer talking about my project that I think is very interesting. The tool, it's the first tool that Small Sister is making as tool is Small Mail. The current standard email is bad for privacy and even if you use a good tool as PGP it still remains bad for privacy because as you look at the data retention directive, your provider can read those where you send them and the governments ask them either to keep it or directly send them carbon coffee copy of them, send a message to L.A.s at that time, sometimes even how many bytes and what's the tool? Well, we want to protect the ordinary citizens. Well, a lot of people already have good tools for privacy. Think the government itself, the intelligence agencies and one of the things is we like to point out and show how fatally flawed the concept is of data retention like. We take all people and collect all information about all their communications and well, I don't think it will become safer but they collect a lot of data and I think on the wrong things. What is Small Mail doing? Well, we don't really look at minimizing the people that are communicating with each other. Well, people can communicate anonymously or just only using a handle. You need a kind of email address to get an email to someone but we are looking more at privacy issues. We like to have, well, the communication secrets from third parties. Well, the government should not know I'm talking with somebody private. We want to also be able to email in private without the government having a record of every email I sent. And to achieve that, we also like to hide that communication is happening as far as possible. The moment you do some things on the internet, there will be data on your internet uplink but it doesn't have to be TCP data that goes directly to your final destination. There are some very good tools that can hide where your data is going to. Tor is a very good tool for that and I will use it. And the thing is keep it simple. Don't reinvent rules. Just add to a great body of privacy code that already is there and use it when needed. We want email. That's a client server protocol. But Small Mail is because privacy very, very different from SMTP. One thing is, well, we don't just encrypt the body of the message. We also encrypt the header. Which means that the server operator only sees someone knocking on his door. Can you dump this message in the mailbox for that person? The server operator doesn't know what the handler is, the one who sends the email. Yeah. Well, of course, if you want to get your email from a server, you have to identify to the server. But that's your one. But the server operator doesn't see the content of the email because it's encrypted. It also doesn't see, it doesn't know who sent you the email. It's anonymous to the server. You can even create your accounts on the server anonymously if the server operator allows it. And the server is simple. It's simple script. Anybody can run on his own computer and handle a server. It can be distributed. The server can be in a totally different country. So it's hard for the authorities to find out what it is. We, to achieve a privacy between the one that sends the center of the email in the server operator, we use the hidden service from Tor. Tor is a program I recommend, but most of you can use it, you will use it as web proxy, anonymizing web proxy. The normal operation is that you send a web request into Tor. In the end, it will move it through its network to a server and you'll get a web page back. Yeah, it's a very good use and I recommend everybody to install it, try it out, use it when needed. But we use a different feature in Tor, the hidden servers. We have a server and our proxy, Tor proxy is specially configured to know about that it can receive some information. What happens, this server points a computer in a network of the interaction point. All of those computers can be in totally different continents. They will be in a proxy network handling data, so it's not entirely clear that the byte that goes over this link also goes over that link. You hide a lot of your data transfer and when a client wants to make connection, it's a bit, it connects, wrong button, it connects the client proxy connects through the interaction point which connects back to the server proxy and to the server. It goes through several hops, the hops are chosen randomly and they will make it very hard for any attacker to trace how your data goes. But what happens when you start anonymizing or privatizing your email? It shows that some of the email habits are very, very, very bad. We send our confidential documents in plain text to our ISP, to another ISP, Gmail indexes it. We have to change a few habits to make private email. Use encryption, that means we have to do key management. You cannot just send an email to a small mail user, you need to have his public key so you can encrypt your email and he can decrypt it again. We made a simple fee card with the small mail address and the private key, so it's relatively easy to exchange, but it shows some of that is done at the end. There are some issues with message lists. The server hides the time that it receives the message from the person that receives, the client that downloads the message. So the client, well, it helps to remove traffic analysis, but yeah, it makes that message send times are not there. The subject of the message is encrypted, so we need to decrypt the message before we can just put a subject line in the header. It's a bit different. One thing that is open is, well, if you do a CC, you usually see, well, I send this message to the destination, my boss, his secretary, the secretary of the receiver, etc., etc. Do you want that in every email? Do you want to restrict it? Well, I don't want to have a CC list of all customers that received the promotional effort. That's something, yeah, why do this differently? Yeah. I'm getting to my closing words. Yes. First, I'd like to thank NLMAT for subsidizing me to have full time time on writing it. Try the software. I'll put URLs on the last slide. Improve it. Improve documentation. Make translations. We already have a Dutch translation ready and the English version. I'm sure there are some French-speaking people around here and German-speaking people could do it. Help to keep the world safe and safe place. Inform everybody around you about the dangers of computers when it goes with your privacy. And if you do have some service space to spare, we could use a few more servers to broaden network. And I planned sometimes for questions. So it's, there is four minutes left for questions. Anyone have a question here? Questions? Anyone? Yeah. It's, let's say it does, well, someone compared it with IMAP, but it has a message push command and it can pull message and index messages. It's, it doesn't do anything like message forwarding, because how do you send a message failure when you want to, when the server doesn't, you don't want the server to know, but in tour, all the servers are connected on the internet. So it's forwarding is not necessary anymore. That was in USP requirements, but nowadays it's, well, everybody should actually everyone. So it's, yeah, I kept it out to make the protocol simpler. Yeah. That's my, I'll say, that's my official small address. It's, I can explain it. This is the user ID that derives from my public key. This is the host name generated from the, by the Tor proxy from a encryption keys and the dot onion is the top level domain that Tor uses for hidden services. Okay. Yeah. Well, there's the address book, there's the address book in the client that works. So it's, and in, I'm just programming on, you can just say Peter, as you say, Peter in your client with this address. You haven't, you haven't seen the public key, the fee card. Yes. It's with the public, with the PGP public key. Okay. Yeah. You can spam if you want, but yeah, how, how should any server know about difference between the whistleblower or the one that's wish alone, his own Viagra shop. Okay. One, two, do another question. And I see this alarm clock will ring soon. Nobody. Okay. Thank you.