http://dribbble.com/shots/479881-Secure-Chat
http://logopond.com/gallery/detail/165288
https://www.google.ca/search?q=secure+chat+logo - first page hit too
Not cool at all, "cool guys around the world".
--
(edit) Regardless of whether this was copied, over-inspired or independently conceived (but let's be realistic here), the generally accepted rule of the game is that the first to the finish line gets to keep the logo. I don't make my living with logo design, but I did kill a week of sketching, refining and re-balancing on this one and I do happen to like it a lot. For what it's worth, I wrote a P2P VPN system in the past (called Hamachi) and I am involved in p2p and crypto domains in general. So I expect you to extend some professional courtesy, change the logo and close this matter in an amicable manner.
EDIT: The logo was originally made in /gd/ (4chan's graphic design board), and since the board is archived I managed to track down the thread it was made in.
Here's a somewhat different version that people were playing around with at first (which also featured a lock, a speech bubble and a keyhole doubling as a person):
https://archive.foolz.us/gd/thread/86081/#86375
Then someone thought about moving the speech bubble to the keyring here:
https://archive.foolz.us/gd/thread/86081/#87186
And then after some iteration they got to the current version:
EDIT: and now I remember where I've heard that name before, as well: http://testrun.org/tox
Perhaps a rebranding effort is in order? That sort of work seems to be right up /g/'s alley? Google is your friend!
[+] [137 messages] "Bunch of people arguing about logo copyright & design for an open-source project."
This is still a pretty heavy argument about it on the 4Chan threads.
1.) Using a padlock to represent computer security.
2.) Using a cartoon chat bubble to represent a way to chat on your computer.
3.) Using a little oval on top of a bigger oval to represent a person.
Is it really that much of a stretch to combine the three? I would think that this concept would be pretty standard output from someone with even a moderate amount of visual communication skills.
It's a rather simple visual sentence and I can easily imagine quite a few people having come up with this concept.
Please realize that both logos are built on top of an already existing visual language and that neither of you are really all that original to begin with.
What matters is how similar the precise combination of visual elements are in the two logos.
Yes, it is possible that they were created independently. However, after looking at the "evidence" provided by Daiz, it seems more likely that an anonymous channer borrowed the design without crediting it.
Perhaps the person who made the logo for this project had the same idea as this commenter.
Is it possible that they simply had a similar idea? It doesn't appear that they lifted the logo as is. Look at the person in their logo; it looks quite different (it doesn't stop at the shoulders like yours does). Other things are also slightly different. These differences lead me to believe that they at least made their logo by hand. Now if it was inspired by yours I don't know. To be fair, that Google link does NOT show me your logo anywhere on the page. Furthermore, I tend to go with the principle of Hanlon's razor[1].
Besides, the icon was made by an anonymous person so it's not really like we can blame anyone.
Isn't that convenient?
This will remove the unnecessary distraction for you. Note that this is not without precedent. Mozilla renamed Firebird to Firefox because of the community's opinion.
Respectfully disagree. The generally accepted law is clear enough, as I understand it: that you have (automatic) copyright over your own design work, but not your idea. (Bad Analogy: I am free to make a for-profit game about flinging red birds at pigs, but I can't use Rovio's code or the Red Bird graphic) If you work as a graphic designer, you need to understand how this impacts on your work.
If you wish to protect your design any further, you need to specifically register a trademark to prevent confusion between businesses in the same industry.
It's clear that they haven't copied your design - the appearance of the work is quite different - and besides it seems plausible or even likely they came up with the (very nice) idea independently.
This is also important to understand for people hiring graphic designers for freelance work - in the UK at least, the designer maintains the copyright for commissioned work unless contractually agreed otherwise (even though the business can still trademark it). In theory, the designer can later prevent you from repurposing one of their designs. For example, if you later decide to start selling merch for your brand, you may have to renegotiate with the designer.
Edited to carefully note: IANAL, take this as advice at your own risk.
Further international edit, from wikipedia, emphasis mine: The United States, Canada and other countries also recognize common law trademark rights, which means action can be taken to protect an unregistered trademark if it is in use.
1) Intellectual property laws state that the TOX project is not infringing on any copyright unless it directly takes assets from your logo. As you can plainly see, the TOX logo was created from scratch. 2) Even if intellectual property laws did work that way (again, they don't) it's also incredibly obvious that the TOX logo concept was arrived upon totally independently of your logo.
You have no legal ground to stand on in this regard, and a shaky ethical ground considering that you somehow think you're entitled to exclusive rights to this really quite generic idea. ESPECIALLY considering you've been sitting on this idea for well over a year - as far as I know, there's no risk of this project being confused with an existing brand or idea, and there are no actual pieces of software that use this logo.
I'm sorry that you feel like this TOX logo has violated your 'generally accepted rules'. Perhaps they aren't as general as you assume?
It is far from obvious. Linked posts show how they were stomping around a simpler logo for a long time busy with minor adjustments until someone posted a much improved logo, which just happened to be almost identical to the OP's. That was not an evolution.
But even that aside, you are viewing this situation all wrong. "Legalities", "legal ground to stand on", etc. The way Tox handled this is nothing short of peeing in a community pool. How do you envision Tox replacing Skype if the project leadership can't handle a simple dispute over a logo in a civilized manner? Look at latitude's creds, they should be wanting him on their side, but, no, let's mix him with a barrel of shit, because he dared to suggest that /gd/ might've ripped his work. Right on.
Either way - hope you and Tox come to an agreeable solution. For what it's worth I like your spin on it better :-)
Nice logo by the way.
The current Tox logo wasn't even the first proposed logo with the chat bubble/padlock idea. There were a lot of other ones. People were taking the idea from other logos and improving it. That's innovation.
You weren't the first one to come up with the idea; and even if you were, that doesn't give you exclusive rights to it.
Grow a pair and show some "professional courtesy" yourself by not giving a fuck.
Are you associated with them?
How could these guys have known it was "yours" ?
There's several other similar projects, but they are usually hard to set up and use for an average user.
Tox is FLOS software developed by community, and currently licensed under GPLv3. We are considering changing the license to something more permissive, so it would be possible to put it on the App & Win8 Stores.
Currently, it is in really early stages of development. But we already have basic IM, and nCurses interface. We use NaCl library for encryption and will probably add FFmpeg for video.
We are working on a cross-platform GUI using Qt5. Please note that the screen-shots on the main website are only mockups, and (in my opinion) should have been labeled as such.
Since the website is down, here's some links:
Subreddit: http://www.reddit.com/r/projecttox/
Core code: https://github.com/irungentoo/ProjectTox-Core
Qt GUI code: https://github.com/nurupo/ProjectTox-Qt-GUI
Website code: https://github.com/stal888/ProjectTox-Website
IRC Freenode channel: #InsertProjectNameHere
You guys should really look into the WebRTC project ( http://code.google.com/p/webrtc/ ) so you don't re-invent the wheel with video conferencing with just raw ffmpeg. You could also make web browser clients in the future possibly. It takes quite a bit of QoS and other work to make video conferencing work right! Take advantage of the PhDs that google & co hire and re-use their full time jobs!
Would love to see a community project analogous to this one develop in the e-mail space since too many users find PGP to be cumbersome, despite some very nice implementations. Bitmessage and I2P's bote are both very interesting, but the prior project needs more experienced security people working on it (and some serious refactoring), and the latter suffers from the perceived issues of the "darknet" (not an issue for me, but...).
We're on it! https://parley.co will be entering pre-beta later this week. Maybe not technically a "community project" because it's being built by a company that is at least partly motivated by profit, but the whole thing is BSD-licensed so people can do whatever they want with it.
You're right that iOS isn't a completely secure OS.. But using a secure app on iOS is better than using regular SMS going through AT&T.
Perfect is very difficult to achieve here. Most PCs have a nonfree BIOS, and even then, many CPUs can be updated by encrypted updates from the manufacturer.
It very well might be possible to ensure that your machine isn't vulnerable... But you're not going to have many people to talk to.
I think the tradeoff for having an iOS app is worth it. It puts the users of the iOS app (and those talking to them) a bit more at risk, but doesn't compromise the whole network.
Let them make that tradeoff. It's better than talking to an empty room.
If we went with your way of thinking, most of my friends would never use Tox, thus making it useless to me, thus meaning I'd have to use a non-end-to-end-encrypted messaging protocol such as SMS or Facebook Chat.
I use a mac, and if it's compromised, I'd like to stop using it.
I'd consider changing the license for other reasons. What is the GPL getting you? If your desire is to have the most people using this software to increase security, you should follow openssh's lead and use an actually free license, or even public domain.
First, If I'm reading the source correctly, they are doing public key encryption for every message. Which, ok, DJB was a fan of at least for DNSCurve, but is generally regarded somewhat dimly for efficiency reasons. So I guess this puts them on one extreme of the Bell Curve or the other. I wonder which?
[EDIT, removed point about nonces in handshake]
Funnily enough, at first glance it looks like they covered at least some of the obvious issues: they do at least attempt to authenticate the session key and the crypto_box's use of a nonce prevents replay and re-ordering attacks.
How do they handle video chat? crypto_box won't work there naively since packets will get lost and the nonces won't be in sync.
We know.
Putting the nonces in the handshake along with the session public key was simple.
In the NaCl docs it is advised that if you can keep the nonces secret that you do so.
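The lost-packet question raised above is commonly handled by sending an explicit counter with each packet and filtering replays with a sliding window, as IPsec and DTLS do. The following is an added example, not code from ProjectTox-Core; `replay_window`, `replay_accept` and the 64-bit per-packet counter (assumed to also form the crypto_box nonce) are hypothetical names and assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WINDOW_BITS 64  /* how far behind the newest packet we still track */

/* Receiver state for one direction of a session (hypothetical struct). */
typedef struct {
    uint64_t highest;   /* highest counter accepted so far */
    uint64_t seen;      /* bit i set => counter (highest - i) was accepted */
    bool     started;
} replay_window;

/* Call only after the packet authenticated under the nonce built from
 * `counter`. Returns true if the counter is fresh (and records it),
 * false if it is a replay or too old to be tracked. */
bool replay_accept(replay_window *w, uint64_t counter)
{
    if (!w->started) {
        w->started = true;
        w->highest = counter;
        w->seen = 1;
        return true;
    }
    if (counter > w->highest) {            /* newer packet: slide the window */
        uint64_t shift = counter - w->highest;
        w->seen = (shift >= WINDOW_BITS) ? 0 : (w->seen << shift);
        w->seen |= 1;
        w->highest = counter;
        return true;
    }
    uint64_t age = w->highest - counter;   /* late or duplicate packet */
    if (age >= WINDOW_BITS)
        return false;                      /* outside the window: drop */
    uint64_t bit = (uint64_t)1 << age;
    if (w->seen & bit)
        return false;                      /* already accepted: replay */
    w->seen |= bit;
    return true;
}

/* Runs a sequence of received counters through a fresh window. */
size_t count_accepted(const uint64_t *counters, size_t n)
{
    replay_window w = {0};
    size_t ok = 0;
    for (size_t i = 0; i < n; i++)
        if (replay_accept(&w, counters[i]))
            ok++;
    return ok;
}

/* Constructed sample: loss (3 missing), reordering (4 after 5),
 * duplicates (5, 2, 100), a large jump, and stale packets (3). */
static const uint64_t SAMPLE[] = {1, 2, 5, 4, 5, 2, 100, 3, 37, 100};

int main(void)
{
    printf("accepted %zu of %zu packets\n",
           count_accepted(SAMPLE, sizeof SAMPLE / sizeof SAMPLE[0]),
           sizeof SAMPLE / sizeof SAMPLE[0]);
    return 0;
}
```

Because the nonce travels with the packet, a dropped packet no longer desynchronizes sender and receiver, and the window still rejects anything replayed.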
* Lossless UDP? Is there a reason not to do TCP?
* There is no way to know if the public key is genuine, so the system is very sensitive to MITM.
* The key exchange is inadequate. Why not do DH if it's just to have session keys?
* The system is very easy to brute force as the acknowledgement is based on a known plain text. This is very bad.
A quick glance at https://github.com/irungentoo/ProjectTox-Core/blob/master/co...
I found a potential buffer overflow at line 143. If an attacker sends a large file, what happens?
Making crypto software is not just a question of wrapping a crypto lib (in that case NaCl) with a GUI. There are some tricky security issues as how you use the crypto.
Hole punching.
>There is no way to know if the public key is genuine, so the system is very sensitive to MITM.
If you want to add someone you need their public key (their id) which is 32 bytes (It's small because we use ECC instead of RSA). Unless someone somehow replaces the key (your id) when you give it to your friend the system should be secure.
>The key exchange is inadequate. Why not do DH if it's just to have session keys?
The key exchange is designed that way because we want forward secrecy.
>The system is very easy to brute force as the acknowledgement is based on a known plain text. This is very bad.
Can you please elaborate on this. If you are speaking about the second part of the crypto handshake I can assure you that the fact that the plaintext is known is not a problem.
>I found a potential buffer overflow at line 143. If an attacker sends a large file, what happens?
The function read_packet is hard coded to never return something bigger than MAX_DATA_SIZE.
I ask why you don't use DH and you answer "because we want forward secrecy". DH has been designed for perfect forward secrecy. Therefore I fear we might have some sort of misunderstanding here.
You don't want to permit known plain text attack as "in depth defense" approach. If there is ever any weakness in your software, you want to make it very hard to exploit it. Known plaintext will make exploiting weaknesses in your PRNG very easy for example.
As for your last comment... If someone ever changes the behavior of read_packet, you're dead. So I'm sorry, but you have potential buffer overflow. Think in 4 dimensions Marty! :)
edit Shit, I'm wrong. I missed this line 599 of Lossless_UDP.c:
    if (size > MAX_DATA_SIZE)
        return 1;
That is the only section that verifies the size of the memory being copied, which is still dangerous. Every memcpy should enforce the size being no greater than the size of Data.data, and not rely on .size having been previously set properly.
I will give you a high level example of what he is talking about. Your software displays a public key to perform encryption. What 'the NSA' can do is put a proxy (or use your ISP) in between you and the person you are sending data to. Then they can pose as the person you are sending data to by hosting their own public key to both you and the person you want to send data to. Now they can decrypt information that you send, and then encrypt it with their private key and send it to the other person. NOW THE NSA CAN SPY ON YOU USING YOUR APP.
Man in the middle attacks can get much more complex than that, but this should help you understand what is going on.
If you are attempting to write security software you should really at least learn crypto AND networking. It seems like you have not accomplished either of these.
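The earlier point in this exchange, that every memcpy should be bounded by the size of Data.data rather than by a previously set .size, looks like this in practice. This is an added example and not the project's code: the `Data` layout, the `data_store`/`data_read` helpers and the value of `MAX_DATA_SIZE` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_DATA_SIZE 1024  /* placeholder value chosen for this example */

/* Hypothetical packet slot modelled on the Data.data / .size fields
 * mentioned in the thread. */
typedef struct {
    uint8_t  data[MAX_DATA_SIZE];
    uint16_t size;
} Data;

/* Write side: the bound is taken from the destination buffer itself,
 * so the check stays correct even if a caller stops enforcing
 * MAX_DATA_SIZE upstream. Returns 0 on success, -1 on rejection. */
int data_store(Data *dst, const uint8_t *src, size_t len)
{
    if (dst == NULL || src == NULL || len > sizeof dst->data)
        return -1;
    memcpy(dst->data, src, len);
    dst->size = (uint16_t)len;
    return 0;
}

/* Read side: pkt->size is treated as untrusted. It is checked against
 * the real size of pkt->data and against the caller's buffer before
 * anything is copied. Returns bytes copied, or -1 on rejection. */
int data_read(const Data *pkt, uint8_t *out, size_t out_cap)
{
    if (pkt == NULL || out == NULL)
        return -1;
    size_t n = pkt->size;
    if (n > sizeof pkt->data || n > out_cap)
        return -1;
    memcpy(out, pkt->data, n);
    return (int)n;
}

int main(void)
{
    Data slot = {0};
    uint8_t msg[4] = {1, 2, 3, 4};     /* constructed sample payload */
    uint8_t out[16];

    printf("store ok:        %d\n", data_store(&slot, msg, sizeof msg));
    printf("store oversize:  %d\n", data_store(&slot, msg, MAX_DATA_SIZE + 1));
    slot.size = 5000;                  /* simulate a corrupted size field */
    printf("read bad .size:  %d\n", data_read(&slot, out, sizeof out));
    return 0;
}
```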
You should have posted this at the chans, where I voiced some similar objections.
(Note that I said real-time. Buffering is fine for one-way communication, lousy for conversations)
Comments like this:
> IMPORTANT: release two major sanctioned UIs, one for autists, one with inbuilt support for the previous list so that plebs can't get confused with setting it up and autists don't complain about it getting in their way. de geso > I would suggest a "Advanced options" where the autists can rejoice with all kinds of options (and it doesn't frighten the normalfags, since it's not shown by default). Also, 2 UIs would be chaos to maintain.
Talk about not needing to be an expert to use it, but then a "learn more" button sending people to github?
Not inspiring confidence so far.
It's nice to see they're using an existing crypto library. I'd be surprised if they haven't made errors implementing it.
>Comments like this
>> IMPORTANT: release two major sanctioned UIs, one for autists, one with inbuilt support for the previous list so that plebs can't get confused with setting it up and autists don't complain about it getting in their way. de geso > I would suggest a "Advanced options" where the autists can rejoice with all kinds of options (and it doesn't frighten the normalfags, since it's not shown by default). Also, 2 UIs would be chaos to maintain.
The project originated from 4chan's /g/ (technology) board. It works differently from Reddit and HN, since there's no karma, and the comments are anonymous.
This caused it to develop a unique culture. On one hand, it enables people to express their real opinions without being afraid of getting downvoted by hivemind. On the other hand, it attracts trolls and causes a lot of rudeness and offensive behaviour.
I like the website, because you can see the true nature of people, and you don't feel the pressure to say what everyone else wants you to say.
>Talk about not needing to be an expert to use it, but then a "learn more" button sending people to github?
We were working on this for only about a month, and Tox is not even in the alpha stage yet. Once we get the GUI working properly, we will surely upload binaries to the website.
Thanks for this.
I was there in rec.arts.anime.misc with m00t in 2002 when he decided to set up 4chan.
"User was banned for this post", in red, is my idea. "Bring back snacks" is my meme. I had the 10,000 GET. I created the first C-C-C-Combo! post, but not the first C-C-C-Combo Breaker! post. I'm still in contact with Cracky-Chan. I am a BBCode master, and I have read my SICP today. I helped keep the pool closed; I hate GaiaFusers nearly as much as I hate furries. I don't visit 4chan much anymore because, you know, newfguys, but I hope you kids are enjoying the place and not stinking it up too much. :-p
> We were working on this for only about a month,
I tend to be really harsh on crypto projects. Please, ignore anything I say. There are, however, some experts posting in this thread and I hope their advice is useful.
https://github.com/irungentoo/ProjectTox-Core
Tox is a completely decentralized secure messaging service which aims to replace skype.
It is still in heavy development.
So far we have IM working almost perfectly but no completed GUI yet except for a basic ncurses interface used to test the core.
For the detailed info on how everything works see: https://github.com/irungentoo/ProjectTox-Core/wiki
I feel it's strange that your IP is shared to the world together with your public key, so it is, in this sense, anti-anonymous.
You cannot even use it with Tor, because it uses UDP.
Eg in XMPP, only your server sees your IP address until you initiate some out-of-band p2p thing such as file transfer. Federated client-server architectures such as email and XMPP are also pretty well understood by now, especially email has been around a long time.
Trade-offs, trade-offs everywhere!
What of the who/when/how-long/how-often metadata is evident when using Tox? As compared to normal skype or IM, that is?
0. How important is simplicity (modularity) to the project?
1. Will Tox work for user "idontrungentoo"? Will it compile on Solaris, BSD, etc.
2. Will the GUI be optional? If not, why is it mandatory?
3. Can Tox work without DHT? What if two users just want to call each other without connecting to tens, hundreds or thousands of strangers? If there are problems with the DHT, are they SOL?
It would be good to have competing teams all working on some similar system (a Skype alternative) and then have an open bake off, instead of just idle criticism in forums like this one. This way we could see which system actually works the best instead of just theorizing about design choices and taking random anecdotes from alleged users in forums on faith.
0: it's a lib, and there are at least 2 clients being developed (ncurses and Qt)
1: it currently compiles on Linux/OS X/Windows
2: see 0.
3: no, but you could potentially host a "private" bootstrap node and have a separate network.
Well, congratulations.
If the NSA is collecting everything, then it's possible to go back in time once you become a person of interest. This doesn't necessarily help you if you are actively planning something that the government is interested in, but if you become a political opponent to the NSA, they could look into your past for skeletons to blackmail you with. Who you are talking to may not give them enough information to do anything without the content of the conversations.
""" I see in 2013 you had many long encrypted conversations with someone we now know to be a pedophile, what were you talking about exactly """
PS You could also apply a simple Icecast and/or MPD video stream under those protocols, even [[stomp.github.io][STOMP]].
...who know what to do next after they click the 'download' button and are forwarded to a GitHub page. I'd like to give the app a try, but I look at that page and I don't know where to start.
Here are the most liked alternatives proposed on another thread:
tala
whispr
mila
aspis
orwell
nota
extasi
eave
fabula
I'm guessing you know it means 'lock' in Hindi? http://translate.google.com/#en/hi/lock
[1] it's complicated.
What about the technical merits of Tox?
EDIT: It's done.
You would rather trust a huge corporation instead of a community-developed project?