Projects: Brainstorming Thread

[elimisteve]

Which projects deserve our attention?

Projects that could (or already do) impact a large number of users, or projects that could (or do) affect many particularly vulnerable users (e.g., activists, journalists, Muslims, etc).

[elimisteve]

Signal

• Improvements to Signal would help millions of people. What do you all think is most critical to add/change?
  • In my experience, the iOS app could use some love; last I checked, timestamps weren't showing correctly and so the people I message didn't know when I sent them messages :-\

[elimisteve]

Tor

Tor is at least partially blocked in several parts of the world (e.g., China). I know that Pluggable Transports try to get around this. What other anti-censorship techniques are being used?

[elimisteve]

GPG

Usability is a gigantic hurdle to getting more people to use GPG, but I talked to a core team member and he pointed out that the UIs through which non-technical people use GPG are mail clients, and the core GPG people don't really work on mail clients.

EDIT: If we're interested in contributing to GPG directly, we can start off by checking out https://bugs.gnupg.org/ and https://lists.gnupg.org/pipermail/gnupg-devel/ .

Mailpile

Mailpile is an open source (Python + Tornado), crowd-funded mail client that integrates GPG encryption in from the start and aims to be very user-friendly.

Its core contributor recently asked for code review help here! https://www.mailpile.is/blog/2016-09-23_Rebooting_Mailpile_Development.html

Mailpile has tons of potential and is nearing a 1.0 release. I've reached out to the core dev to see how interested he is in our help!

EDIT: talked to the lead dev (Twitter convo) and he pointed me to these "Low Hanging Fruit" issues: https://github.com/mailpile/Mailpile/issues?q=is%3Aissue+is%3Aopen+label%3A%22Low+Hanging+Fruit%22

[christyleos]

Buoy

• A free and open source technology for connecting users with friends and allies in times of need. It exists to empower you and your communities with a decentralized, customized, alternative crisis response system that does not rely on intervention by the police, other government services, or corporations.
• Tech: PHP
• http://buoy.maymay.net/
• Code: https://github.com/betterangels/buoy
• Contributor Guidelines: https://github.com/betterangels/buoy/wiki/Contributor-guidelines

[elimisteve]

Briar/Bramble

• P2P chat
  • No centralized servers to block/seize/DDoS or otherwise target
• Anonymous thanks to Tor
• Tech: Java

[elimisteve]

IPFS

• Think HTTP + BitTorrent
• Can host files and websites today
• Tech: Go

[elimisteve]

Sandstorm

• Open source platform for running web apps
  • Install web app as easily as a mobile app on your phone
• For-profit company, though everything is open source
• Tech: C++, JavaScript (Meteor)

[elimisteve]

Secure Polling System

• Keep polling/voting data private
• Properties: each person can vote once, can verify their vote was counted, and can vote anonymously
• Creator: Jake from Sudo Room/Noisebridge
• Code: https://github.com/securepollingsystem
• Tech: Go, JavaScript

[elimisteve]

CrypTag

• Created by @elimisteve (organizer of Cypherpunks Write Code)
• Suite of apps + encryption framework for building e2ee apps
  • "Secure apps for activists, journalists, and you"
• Can write desktop apps in any language
  • Apps talk to cryptagd, a local JSON API that handles encryption/decryption/fetching/storing/etc
• App data can live anywhere: ownCloud, Dropbox, any file-syncing service, Sandstorm, your own server, etc
  • Users invite each other to shared private folders
  • Soon: IPFS, imgur(!)
  • Makes all CrypTag apps almost impossible to block or censor
  • No global network with known IPs/domains/endpoints to block
  • Non-technical users don't have to run a server
• Optionally runs over Tor
• Prototype apps built on Electron + React.js
  • CrypTask (task management app)
  • CPass UI (password manager)
  • Backchannel (chat + file sharing)
  • Very soon: CryptWiki (wiki document editing app)
• Generic cryptag CLI tool
  • go get github.com/cryptag/cryptag/cmd/cryptag
• Code: https://github.com/cryptag
• Tech: Go, JavaScript (React.js), Bootstrap

[elimisteve]

Ricochet

• Anonymous instant messaging over Tor
• Code: https://github.com/ricochet-im/ricochet
• Project website: https://ricochet.im/
• Tech: C++

[elimisteve]

Idea: off-device encrypted video recordings

• Problem: activists want to film police in order to check for abuses, but are at risk of recording their friends doing something that could be construed as illegal or that they could otherwise get punished for.
• Second problem: recording this video on smartphones using normal video recording software isn't good enough because their devices could easily be seized by police if a police abuse is recorded.
• Current trade-off: activists either have to record locally and risk having their devices seized, or they publicly stream the video and risk getting other activists in trouble.
• Solution we could build: a smartphone app that encrypts the video files and uploads them in real-time (perhaps to Dropbox or a server) such that those encrypted videos can only be decrypted by the person who performed the recording.

EDIT: at our first event (and afterward, but Lizzie at Noisebridge), someone mentioned the ACLU has has apps for recording the police, and they send the video footage to the ACLU. So if we added encryption to these apps, that might be the best/fastest way to solve this secure-video-recording problem for people!

[elimisteve]

Cryptpad

• End-to-end encrypted real-time document editing in the browser
  • Crypto key stored in URL hash; can link people directly to a document without the server getting the key
• Website: https://beta.cryptpad.fr/
• Code: https://github.com/xwiki-labs/cryptpad
• Tech: JavaScript

[elimisteve]

Journalist request: encrypted audio recording mobile app

• "A voice recorder app with asymmetric key encryption for mobile phones so when you record testimony, only the private key -- which is somewhere else -- can decrypt the recording"
• "Can be the simplest, shittiest app ever, but the crypto has to be sane and sound"

[ajvb]

SecureDrop

• Description: "A whistleblower submission system that media organizations can use to securely accept documents from and communicate with anonymous sources."
• Website: https://securedrop.org/
• Code: https://github.com/freedomofpress/securedrop
• Getting started: https://docs.securedrop.org/en/latest/development/getting_started.html
• Tech: Python web app, Ansible for operations.

[lazzarello]

Orbot

Tor for Android

https://guardianproject.info/apps/orweb/

EDIT: People semi-close to Orbot tell me that Orbot could use some help!

[lazzarello]

ObscuraCam

Automatic identity redaction for Android

https://guardianproject.info/apps/obscuracam/

[ajvb]

VeraCrypt

• "VeraCrypt is an open-source utility used for on-the-fly encryption (OTFE). It can create a virtual encrypted disk within a file or encrypt a partition or (under Microsoft Windows except Windows 8 or GPT) the entire storage device with pre-boot authentication."
• Website: https://veracrypt.codeplex.com/
• Code: https://veracrypt.codeplex.com/SourceControl/latest
• Tech: C

[ajvb]

Tails

• "Tails or The Amnesic Incognito Live System is a security-focused Debian-based Linux distribution aimed at preserving privacy and anonymity. All its outgoing connections are forced to go through Tor, and non-anonymous connections are blocked. The system is designed to be booted as a live DVD or live USB, and will leave no digital footprint on the machine unless explicitly told to do so. The Tor Project has provided financial support for its development."
• Website: http://tails.boum.org/
• Code: https://git-tails.immerda.ch/tails/
• Tech: C, Python, Bash
• Contributors Guide: https://tails.boum.org/contribute/index.en.html

EDIT: In this tweet they link to the work they want done -- https://twitter.com/Tails_live/status/802521323545198592

Contribution Instructions

Here are the Tails issues marked as Easy, which is where some core Tails developers said we should start: https://labs.riseup.net/code/projects/tails/issues?query_id=112

Tails contribution guide: https://tails.boum.org/contribute/how/code/

To chat live with the Tails developers, check out https://tails.boum.org/contribute/chat/

Here are all the Tails open issues on their Redmine ticketing system (not just the Easy ones): https://labs.riseup.net/code/projects/tails/issues?query_id=108

Some non-Easy Tails tickets will require building Tails. Instructions for doing that are here: https://tails.boum.org/contribute/build/#index2h1

[Kevin-Prichard]

Response to: off-device encrypted video recordings

1. Use Eye-fi card in video camera (wi-fi SD card for non-wi-fi devices)
2. Setup encrypted Linux laptop acting as wi-fi access point for the Eye-fi card
3. Laptop encrypts and records video files to hard disk.
4. Optionally, the laptop can upload stored video files over a MyFi-class cellular interface.
5. Prefer public key encryption for video files.

[s0]

Idea: Database of Signed hashes of Binaries for Reproducible OSS Projects

• Brainstorming: https://github.com/samlanning/BitLantern

[ajvb]

Jitsi

• Open-Source Encrypted Video Conferencing Software
• Website: https://jitsi.org/
• Code: https://github.com/jitsi

[ajvb]

Idea: Combining "off-device encrypted video recordings" and "encrypted audio recording mobile app" into a single mobile app.

[tomhiggins]

PirateBox/LibraryBox + Secure Voip(Mumble?)+ Anon/Priv Services

Use of a local content device to facilitate on the ground information dissemination and offer secure avenues of communication. Addons - Local FM transmission, Streaming Audio, Calibre Book Server

PirateBox - https://piratebox.cc/ LibraryBox - http://jasongriffey.net/librarybox/building.php

Anyfesto - Example project of Piratebox moded to run on a Pi or CHIP with Mumble, Local FM transmission, Streaming Audio server , Calibre Book Server and local wikimedia - https://github.com/tomhiggins/anyfesto

Needs.

• Hardening
• More Anon/Priv Services
• Anon Methods to protect user interactions /avoid data collection, tracking, etc

[Kevin-Prichard]

Encrypted MicroSD cards

Proposal: (re)code firmware for a MicroSD card to provide asymmetric encryption of stored data.

Motivation: for journalists, whistleblowers and anyone wanting secure storage on SD cards, for use in devices that do not encrypt (most any A/V device).

Background: A few years back, Bunnie Huang was bringing the Chumby to production (an internet appliance), and ran into quality issues with MicroSD cards from some manufacturers.

This led to a teardown of cards to learn how they work, the discovery that all contain microcontrollers to manage the mapping of bad blocks and moving data, and finally the release of a toolchain for building a firmware for certain manufacturer's cards.

News coverage: http://boingboing.net/2010/02/16/sleuthing-uncovers-t.html

Details: https://www.bunniestudios.com/blog/?page_id=1022 https://www.bunniestudios.com/blog/?p=2297 https://www.bunniestudios.com/blog/?p=3554

[Kevin-Prichard]

Asymmetric encrypted browser proxy

Provides bidirectional OpenPGP encryption as a browser extension. Basically a VPN but not utilising OS VPN features. Would require a proxy server equipped with matching software.

There exists a number of "pure" JavaScript OpenPGP implementations, plus there are Node.js wrappers for pgp/gpg on the server.

https://github.com/openpgpjs/openpgpjs/wiki/Introduction

[david415]

Let's build a mixnet! A high latency network for anonymized messaging.

Lately I've been cleaning up the sphinx mixnet packet format python reference implementation written by Ian Goldberg and George Danezis:

https://github.com/david415/sphinxmixcrypto

However we recently noticed these:

https://github.com/UCL-InfoSec/sphinx https://github.com/UCL-InfoSec/loopix

Mixnets can in theory resist the traffic corelation attacks by global passive adversaries. There's a huge amount of literature about mixnets. These are my favorite papers so far:

• http://freehaven.net/anonbib/cache/DBLP:conf/sp/DanezisG09.pdf
• http://freehaven.net/anonbib/cache/danezis:wpes2003.pdf
• http://freehaven.net/anonbib/cache/mix-acc.pdf
• http://freehaven.net/anonbib/cache/trickle02.pdf

[brandones]

ZeroNet

• Basically IPFS but geared more towards websites
• More popular than IPFS on Reddit, more active codebase
• Website: https://zeronet.io/
• Code: https://github.com/HelloZeroNet/ZeroNet
• Tech: Python

[brandones]

Tox

• DHT-distributed E2EE chat client
• Immature but in active development under TokTok project
• Website: https://tox.chat/ (I guess also https://toktok.github.io/)
• Code: https://github.com/TokTok
• Tech: Haskell? C? Scala? C++? What's going on here

[mikeperry-tor]

Copperhead+Tor

https://blog.torproject.org/blog/mission-improbable-hardening-android-security-and-privacy A hardened privacy preserving phone that supports Nexus and Pixel devices.

Tons of projects are possible, involving the following skills:

• New Device Support (bash scripting, light python hacking.. No firmware knowledge needed)
• Helping to keep up with new Android filesystem features, like FEC (light python hacking)
• Fixing OrWall bugs/UI issues (Java)
• Building standalone build systems or independent versions of required portions of the build tree (Java, gradle, Makefile maze wrangling)
• Plenty more. See the blog post and https://github.com/mikeperry-tor/mission-improbable/blob/master/README.md

EDIT: Lizzie contacted a core Copperhead developer for us and he pointed us toward these issues that we could contribute to -- https://github.com/copperhead/bugtracker/issues?q=is%3Aopen+is%3Aissue+label%3Aproject

EDIT: A Copperhead developer said that ^^Lizzie's^^ link is still a great place to start, and that we can join them in IRC: https://twitter.com/_copperj/status/804489672093270016 .

[2mh]

pretty Easy privacy (p≡p)

A peer-to-peer cross-platform approach with an engine and adapters to automatically drive different crypto standards (including automatic key management & peer-to-peer key synchronization across devices) in a way that for a user no special steps need be taken to use end-to-end crypto and such that trust can easily be checked by strings in the user's natural language ("Trustwords") instead of hexadecimal fingerprints. The principle is that of Privacy by Default.

The software is to be integrated in existing software or to be the crypto base for new applications. Currently GnuPG and NetPGP are used for crypto (PGP). The plan is to easily encrypt everything text-based, including meta-data encryption (encryption for XMPP/OTR, with Axolotl, over Tox and GNUnet to be supported anytime soon).

Everything is Free Software under the GNU GPL v3.

• Code
  • p≡p core / base code (engine, adapters & libs): https://letsencrypt.pep.foundation/trac/
  • p≡p adapters: Java (JNI), JavaScript (JSON), Objective-C/Swift/iOS, Python, Qt, Windows (COM).
  • K-9 (fork) integration (Android) beta: https://cacert.pep-security.lu/gitlab/android/k9-pep (CAcert)
  • Outlook add-in stable: https://cacert.pep-security.lu/trac/ (CAcert)
  • Enigmail integration ongoing (cf. for "pEp" commits): https://sourceforge.net/p/enigmail/source/ci/master/tree/
  • There's further active work undergoing to bring p≡p to KMail and iOS (own app): source code yet to be released.
• p≡p Whitepaper outlining the general idea: https://pep.foundation/docs/pEp-whitepaper.pdf
• p≡p engine code audit: https://pep.foundation/blog/press-release--pep-releases-first-code-audit-of-the-pep-engine/index.html
  • Code audits for other p≡p code (including the app-side) are being carried out.
• Foundation site: https://pep.foundation/ (Twitter: https://twitter.com/pEpCouncil)
• Corporation site: https://prettyeasyprivacy.com/ (Twitter: https://twitter.com/pEp4privacy)
• Tech: ASN.1, C, C#, C++, Objective-C, Java, JavaScript, Python, Swift, SQL, YML2

[elimisteve]

Idea: Canary Check

• Website that checks various warrant canaries on various websites (e.g., Riseup.net) to see if they've been updated on time
  • If they haven't been, this company may have been served a search warrent/given a gag order/etc

[AaronNGray]

neosphere

A concept for a crypto based social network that allows groups of people to disappear off of the internet ;) The crypto techniques are highly original and maybe being used by some on the internet but no one is known to know ;) Contact me if you have the first stage of this process and we can work on implementing it aaronngray@gmail.com

[AaronNGray]

No passwords

I am looking for fellow Crypto Programmers would like to work on the ultimate Internet password manager that means people dont need remember or create internet passwords anymore ! This would be a an unpaid side project but would lead to a making money via a commercial version I am looking for Google Chome (Microsoft Edge) App programmers who are Crypto aware. JavaScript and Node.js Programmers who are Node.js aware. Familurity with Bruce Schneier's Password Safe code or simular projects. Knowledge of X.509, RSA, and AES.

Contact me aaronngray@gmail.com if you are interested

[david415]

current mixnet project, enjoy! https://github.com/katzenpost