I’ve had a passion for politics, history, and programming since the age of 12 growing up in a suburb of Chicago. During my freshman year, I developed an interest in software. A couple of apps and hackathons (programming competitions) later, I was working on my own startups when I made the leap to drop out of high school to become a software engineer at a venture-backed tech startup.
While working there I learned that PGP encryption was the tool used by Edward Snowden to securely send messages to journalists. The immense value of encryption as a core component of our free society became clear to me. Amongst fellow coders, I had no trouble using command-line encryption to communicate. But my friends who didn’t code couldn’t easily do the same since they don’t know how to use the command-line. Given how important encryption is, I decided to build a first-rate encryption tool that could be used by anyone on any website, regardless of background.
Question: what's the memory usage like A) at idle, B) after some using and left running for a day or two?
Same idea -- strong crypto that's usable for anyone. It uses the OTR Ratchet protocol which uses perfect forward secrecy. The app also provides a way to verify keys through an OOB channel.
I would recommend considering OTR Ratchet integration just like WhatsApp did recently.
PGP is not a good design choice for a messaging app as you're always using asymmetric crypto operations which are computationally intense -- not terrible on modern computers but will be dreadful on mobile devices. Also can you provide some more documentation on how the app leverages PGP? Hopefully conversation is not using the same private keys to encrypt. That is vulnerable to data or side channel leakage. The modern approach is to generate and exchange an ephemeral key. Also please provide information on key storage.
Rather than making vague security claims like "first-rate" and " Security++ to the greatest extreme" you should rather provide a threat model and explain why one can remain confidential and have authenticity against particular types of adversaries. No security tool is perfect and it's only a matter of time before an adversary breaks it. Developers are doing a disservice by claiming anything more.
Before you can claim a first-rate security tool you will need to face a lot of scrutiny first.
The OpenPGP library it uses has been audited (twice). Most of the mistakes that could have be made are avoided this way.
Edit: Yes, you lose PFS by using PGP, but it would not really be possible to negotiate PFS via, say, email.
Maybe someone could fork the application and rename it to something cool that I can use?
1. Add public keys to your buddies list— A public key is like a username - Adding someone’s public key to your buddies list lets you send them messages. You can find other public keys on markets like keybase.io and darknet.
2. Encrypt a message— Select a recipient from your buddies list and compose a message. Only your chosen recipient(s) can read the message. Encrypted messages might contain sensitive information, such as an address, document, or anything intended to be read only by intended recipients.
3. Send the encrypted message anywhere— You can send the encrypted message on any website! For example, facebook messenger, twitter direct message, or youtube. Felony is security when and where you want it.
(fwiw i say this as a college dropout who doesnt regret it at all)
I recall even Snowden dropped out of high school.
PS: I love the name. You did a good job with it creating a buzz. It made me laugh and curious enough to take a look. Maybe pointing out on your site that "privacy is a human right" and the name should remind us of that rather than succumbing to peer-pressure, in the hope of not offending the 0.01% of your non-tech savvy users.
Felony: Next Level PGP Felony: An open-source PGP keychain built on the modern web
It's the worst name since that framework called "cocaine" with tools and subprojects named after illicit drug market terms.
Yeah, "felony" and "cocaine" are not things I will put on my CV or would like to show up when someone Googles my name.
What's the joke here? That some people are incorrectly labelled felons for what they say and write?
Do you know what most "felons" did to be called that? It's not for what they said and wrote that should be constitutionally protected.[1]
[1] I don't have numbers to back this up. Maybe most people are actually felons for drug possession, but you know what? I don't want to be associated publicly with those actions either. Also do you want to be on this table? https://www.fbi.gov/about-us/cjis/ucr/crime-in-the-u.s/2015/...
Violent crime,Murder,Rape, Robbery, Property crime, Burglary, Larceny-theft,Motor vehicle theft, Arson
Exercised journalistic integrity and protected an anonymous sources?
http://uscode.house.gov/view.xhtml?path=/prelim@title18/part...
The press is free, as long as it doesn't protect sources that have leaked embarrassing information about the armed forces.
Because that's what I asked (rhetorically).
Looks great otherwise.
I hate when people hate the "if you have nothing to hide, why do you care?" question because it's a valid question. You can answer, "because I fear the creeping growth of a surveillance state like in 1984", but then again, if you do that you no longer get to claim that other "slippery slope arguments are fallacies".
I've been a bigger privacy freak than all of you since before you were born, google my somewhat unusual name, you won't even find me. But still, I enjoy making fun of the groupthink that infects these types of communities.
Oh, and it's not a slippery slope fallacy if we literally are headed towards 1984. Not even Orwell thought that social graphs would allow for automated analysis. The NSA doesn't need tele-screens when they have Facebook.
You probably shouldn't be making that claim, to be honest. It's only a slippery slope fallacy if there's no historical evidence to support it. Part of the reason we record history is so we can tell whether a slippery slope might be a real danger.
There's several instances where a historical collection of information on citizens, done under claims to protect the people, turned into an oppressive regime, sometimes leading to the deaths of innocent citizens. The SS, Stasi and OVRA are all good examples, and a more current example can be found in China.
- the app has an unintuitive and harmful name that casts aspersions on the core values it purportedly touts because the developer saw that it was an available .io domain [0]
- This app has a shitton of leftover boilerplate and dev dependencies from a bootstrap scaffold, even though AFAIK there is no testing suite. (Because we all know how safe npm dependencies are...)
- A good number of unnecessary non-dev dependencies too. It includes font-awesome, which seems unnecessary to include in its entirety already...but are there any uses of font-awesome? I did a search for "font-awesome" and "fa-" but couldn't find any.
I understand using boilerplate generators to learn the ropes of creating within a framework...I've done it to learn React and Angular. But to use a scaffold-generator for a niche and highly specialized/sensitive app like this? It can't mean that it's anything more than a toy app. And yet one in which the decision to give it the name "felony" just looks immature on the author's part, meaning that it's not even useful as a resume padder.
I know almost nothing of the above frameworks. However, Google gave me front pages for each that look more complex in implementation and dependencies than a C, Ada, or Rust app. Unnecessarily so. Secure applications should follow Lean and KISS principles every chance.
Note to author: All that said, if you're just doing it for fun or learning, then that's cool. Also a good area to learn about. :) The above applies to implementations meant to be used in field.
Your comment on image is possibly also true. I remember much of the press of another messenging app oriented toward privacy came because it advertised as "the beautiful messenger" with many nice pictures. It was Icelandic with .is site but I don't recall name. Versus competition, wasn't much to say in terms of implemented features or security. The U.I. was beautiful, though. ;)
Note: The Apple website takes this technique about as far as it can go outside a dedicated, high-def, image board.
Note 2: I could add Nim to my prior list if there's been any work evaluating it for security-critical applications. Particularly, how it helps or hinders expressing such things plus risk compiler brings in during transformations. Anything on that yet?
... built on the modern web with Electron, React, and Redux.
Building desktop applications with web frameworks should definitely count as a felony.
"The accused was even using an app named Felony!"
Security? Encryption? Privacy?
https://gigaom.com/2014/06/30/the-dark-side-of-io-how-the-u-...
In fact, the reception this name is getting is quite ironic. Just think about it, and you might just burst out laughing.
Please stop referring to non publicly open platforms as they were actually usable.
There is keys.gnupg.net, pool.sks-keyservers.net, pgp.mit.edu, etc. These are the well-known ones that had been around for a while.
There have already been trends in the mainstream and right wing media that "If you have nothing to hide, you have nothing to fear", that the NSA only monitors the communication of criminals, and that things like iPhone encryption help terrorists first.
With that in mind, can you imagine the reaction that the average lay-person will have when they see a clickbait headline or morning news report that says "A new app called Felony allows ISIS and online pedophiles to communicate in secret with ease."
It looks like a great app, and I will honestly use it.
But I don't think the name helps the cause of promoting easy and default end-to-end encryption for all to remove the implication that the only people that use it have something to hide.
I feel certain that the name was the critical factor that made his company so nervous. For a while he had two different names for the program, SATAN and SANTA, to try and reduce the stigma, but it didn't work.
[1] https://en.wikipedia.org/wiki/Dan_Farmer
[2] https://en.wikipedia.org/wiki/Security_Administrator_Tool_fo...
Now we have an effort otherwise but... cannot... resist... doing... something... to make it unfriendly...
The first picture that came to mind is this http://i.imgur.com/EyFFRsa.gifv
Patriot
Freedom
Liberty
Good Citizen
Free Speech
America
Fourth Amendment
Secure In Papers
Right To PrivacyPatriotism is something I wouldn't like either, I think that's a rather odd concept (and not related to liberty, freedom or security).
Good Citizen sounds like it comes straight from a famous book inventing doublespeak.
Even Free Speech is not a global concept - the way you capitalize it I assume you're after the US version again.
Probably the lesson is (again) that naming things is a hard problem (I agree that Felony might not be a good name too by the way)
The mental operation of inverting the word felony is kind of interesting and thought provoking, IMO.
That's the concept that encapsulates privacy, speech, etc.
The America-centric names are less appealing to me, since many equate "America" with the federal government, which is definitely not the friend of liberty / free speech / privacy.
How does the app handle encryption? Has there been a security review?How are keys handled? How are conversations persisted in the app? Does it use iCloud? Etc...
It's built on Electron, React and Redux. There is no security as it is a fundamentally insecure environment.
EDIT: He closed my issue without comment.
Five hours on HN, and the name's not changed yet? I'll check the next time this is posted with a usable name. IOW, when you start taking it seriously, so will I.
Those are taking something negative and wrap it in a positive name (positive gain for the author)
We're taking something positive and wrap it in a negative name. This will only cause negative gain. Not only for the author but also for making encryption seem like something evil. This is especially bad time when politicians are trying to ban encryption.
https://github.com/TLINDEN/pcp
(Just submitted it to hn - I thought there was an old submission, but apparently I was mistaken): https://news.ycombinator.com/item?id=12035081
If felony is PGP protocols wrapped in modern web technology, I suppose pcp is NaCl wrapped in old PGP command line and protocols...
Interesting app, and it looks cool, but it rules out usage for me. Why the JS + Electron stack?
Is it possible to use existing PGP keys with Felony?