cpunkswritecode/projects

Projects: Brainstorming Thread

Opened this issue · 34 comments

Which projects deserve our attention?

Projects that could (or already do) impact a large number of users, or projects that could (or do) affect many particularly vulnerable users (e.g., activists, journalists, Muslims, etc).

Signal

  • Improvements to Signal would help millions of people. What do you all think is most critical to add/change?
    • In my experience, the iOS app could use some love; last I checked, timestamps weren't showing correctly and so the people I message didn't know when I sent them messages :-\

Tor

Tor is at least partially blocked in several parts of the world (e.g., China). I know that Pluggable Transports try to get around this. What other anti-censorship techniques are being used?

GPG

Usability is a gigantic hurdle to getting more people to use GPG, but I talked to a core team member and he pointed out that the UIs through which non-technical people use GPG are mail clients, and the core GPG people don't really work on mail clients.

EDIT: If we're interested in contributing to GPG directly, we can start off by checking out https://bugs.gnupg.org/ and https://lists.gnupg.org/pipermail/gnupg-devel/ .

Mailpile

Mailpile is an open source (Python + Tornado), crowd-funded mail client that integrates GPG encryption in from the start and aims to be very user-friendly.

Its core contributor recently asked for code review help here! https://www.mailpile.is/blog/2016-09-23_Rebooting_Mailpile_Development.html

Mailpile has tons of potential and is nearing a 1.0 release. I've reached out to the core dev to see how interested he is in our help!

EDIT: talked to the lead dev (Twitter convo) and he pointed me to these "Low Hanging Fruit" issues: https://github.com/mailpile/Mailpile/issues?q=is%3Aissue+is%3Aopen+label%3A%22Low+Hanging+Fruit%22

Buoy

Briar/Bramble

  • P2P chat
    • No centralized servers to block/seize/DDoS or otherwise target
  • Anonymous thanks to Tor
  • Tech: Java

IPFS

  • Think HTTP + BitTorrent
  • Can host files and websites today
  • Tech: Go

Sandstorm

  • Open source platform for running web apps
    • Install web app as easily as a mobile app on your phone
  • For-profit company, though everything is open source
  • Tech: C++, JavaScript (Meteor)

Secure Polling System

  • Keep polling/voting data private
  • Properties: each person can vote once, can verify their vote was counted, and can vote anonymously
  • Creator: Jake from Sudo Room/Noisebridge
  • Code: https://github.com/securepollingsystem
  • Tech: Go, JavaScript

CrypTag

  • Created by @elimisteve (organizer of Cypherpunks Write Code)
  • Suite of apps + encryption framework for building e2ee apps
    • "Secure apps for activists, journalists, and you"
  • Can write desktop apps in any language
    • Apps talk to cryptagd, a local JSON API that handles encryption/decryption/fetching/storing/etc
  • App data can live anywhere: ownCloud, Dropbox, any file-syncing service, Sandstorm, your own server, etc
    • Users invite each other to shared private folders
    • Soon: IPFS, imgur(!)
    • Makes all CrypTag apps almost impossible to block or censor
      • No global network with known IPs/domains/endpoints to block
    • Non-technical users don't have to run a server
  • Optionally runs over Tor
  • Prototype apps built on Electron + React.js
    • CrypTask (task management app)
    • CPass UI (password manager)
    • Backchannel (chat + file sharing)
    • Very soon: CryptWiki (wiki document editing app)
  • Generic cryptag CLI tool
    • go get github.com/cryptag/cryptag/cmd/cryptag
  • Code: https://github.com/cryptag
  • Tech: Go, JavaScript (React.js), Bootstrap

Ricochet

Idea: off-device encrypted video recordings

  • Problem: activists want to film police in order to check for abuses, but are at risk of recording their friends doing something that could be construed as illegal or that they could otherwise get punished for.
  • Second problem: recording this video on smartphones using normal video recording software isn't good enough because their devices could easily be seized by police if a police abuse is recorded.
  • Current trade-off: activists either have to record locally and risk having their devices seized, or they publicly stream the video and risk getting other activists in trouble.
  • Solution we could build: a smartphone app that encrypts the video files and uploads them in real-time (perhaps to Dropbox or a server) such that those encrypted videos can only be decrypted by the person who performed the recording.

EDIT: at our first event (and afterward, by Lizzie at Noisebridge), someone mentioned the ACLU has apps for recording the police, and they send the video footage to the ACLU. So if we added encryption to these apps, that might be the best/fastest way to solve this secure-video-recording problem for people!

Cryptpad

Journalist request: encrypted audio recording mobile app

  • "A voice recorder app with asymmetric key encryption for mobile phones so when you record testimony, only the private key -- which is somewhere else -- can decrypt the recording"
  • "Can be the simplest, shittiest app ever, but the crypto has to be sane and sound"
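Both the off-device video recorder and the journalist's audio recorder above want the same property: the phone holds only a public key, and the matching private key "which is somewhere else" is the only thing that can decrypt the recording. The following is an added example of that property in Go (not code from any project in this thread), built from the standard library only. The scheme it assumes, ephemeral ECDH on P-256, a SHA-256 key derivation, and AES-256-GCM per chunk, is this example's own choice; the function names and the `cwc-recording-v1` label are made up here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Added example. The recording device holds only the recipient's PUBLIC key;
// the private key stays elsewhere (e.g. the journalist's laptop), so a seized
// phone or a compromised upload target yields nothing readable.
// Sealed chunk layout: [65-byte ephemeral pubkey][12-byte nonce][ciphertext||tag].

const (
	ephPubLen = 65 // uncompressed P-256 point
	nonceLen  = 12 // standard AES-GCM nonce size
)

// deriveKey hashes the ECDH shared secret with both public keys so the key is
// bound to this exact sender/recipient pair (assumed KDF for this example).
func deriveKey(shared, ephPub, recipientPub []byte) [32]byte {
	h := sha256.New()
	h.Write([]byte("cwc-recording-v1")) // constructed domain-separation label
	h.Write(shared)
	h.Write(ephPub)
	h.Write(recipientPub)
	var key [32]byte
	copy(key[:], h.Sum(nil))
	return key
}

func newGCM(key [32]byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptRecording seals one audio/video chunk so only recipientPub's private
// key can open it. Each chunk gets a fresh ephemeral key and nonce, so chunks
// can be uploaded independently as they are captured.
func EncryptRecording(recipientPub *ecdh.PublicKey, chunk []byte) ([]byte, error) {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	shared, err := eph.ECDH(recipientPub)
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := newGCM(deriveKey(shared, ephPub, recipientPub.Bytes()))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := append(append([]byte{}, ephPub...), nonce...)
	// The ephemeral public key is authenticated as additional data, so it
	// cannot be swapped without the tag check failing on decryption.
	return gcm.Seal(out, nonce, chunk, ephPub), nil
}

// DecryptRecording runs only where the private key lives.
func DecryptRecording(priv *ecdh.PrivateKey, sealed []byte) ([]byte, error) {
	if len(sealed) < ephPubLen+nonceLen+16 {
		return nil, errors.New("sealed chunk too short")
	}
	ephPub := sealed[:ephPubLen]
	nonce := sealed[ephPubLen : ephPubLen+nonceLen]
	ct := sealed[ephPubLen+nonceLen:]
	ephKey, err := ecdh.P256().NewPublicKey(ephPub)
	if err != nil {
		return nil, err
	}
	shared, err := priv.ECDH(ephKey)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(deriveKey(shared, ephPub, priv.PublicKey().Bytes()))
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, ephPub) // fails on any tampering or wrong key
}

func main() {
	priv, _ := ecdh.P256().GenerateKey(rand.Reader) // generated off the phone
	sealed, _ := EncryptRecording(priv.PublicKey(), []byte("constructed sample frame"))
	plain, err := DecryptRecording(priv, sealed)
	fmt.Printf("%d sealed bytes -> %q (err=%v)\n", len(sealed), plain, err)
}
```

Sealing per chunk rather than per file is what makes real-time upload work: a chunk that has already left the device is safe even if the device is seized mid-recording, and a corrupted or swapped chunk is rejected by the GCM tag rather than silently decoded.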
ajvb commented

SecureDrop

Orbot

Tor for Android

https://guardianproject.info/apps/orweb/

EDIT: People semi-close to Orbot tell me that Orbot could use some help!

ObscuraCam

Automatic identity redaction for Android

https://guardianproject.info/apps/obscuracam/

ajvb commented

VeraCrypt

ajvb commented

Tails

  • "Tails or The Amnesic Incognito Live System is a security-focused Debian-based Linux distribution aimed at preserving privacy and anonymity. All its outgoing connections are forced to go through Tor, and non-anonymous connections are blocked. The system is designed to be booted as a live DVD or live USB, and will leave no digital footprint on the machine unless explicitly told to do so. The Tor Project has provided financial support for its development."
  • Website: http://tails.boum.org/
  • Code: https://git-tails.immerda.ch/tails/
  • Tech: C, Python, Bash
  • Contributors Guide: https://tails.boum.org/contribute/index.en.html

EDIT: In this tweet they link to the work they want done -- https://twitter.com/Tails_live/status/802521323545198592

Contribution Instructions

Here are the Tails issues marked as Easy, which is where some core Tails developers said we should start: https://labs.riseup.net/code/projects/tails/issues?query_id=112

Tails contribution guide: https://tails.boum.org/contribute/how/code/

To chat live with the Tails developers, check out https://tails.boum.org/contribute/chat/

Here are all the Tails open issues on their Redmine ticketing system (not just the Easy ones): https://labs.riseup.net/code/projects/tails/issues?query_id=108

Some non-Easy Tails tickets will require building Tails. Instructions for doing that are here: https://tails.boum.org/contribute/build/#index2h1

Response to: off-device encrypted video recordings

  1. Use an Eye-fi card in the video camera (a wi-fi SD card for non-wi-fi devices)
  2. Setup encrypted Linux laptop acting as wi-fi access point for the Eye-fi card
  3. Laptop encrypts and records video files to hard disk.
  4. Optionally, the laptop can upload stored video files over a MyFi-class cellular interface.
  5. Prefer public key encryption for video files.
s0 commented

Idea: Database of Signed hashes of Binaries for Reproducible OSS Projects

ajvb commented

Jitsi

ajvb commented

Idea: Combining "off-device encrypted video recordings" and "encrypted audio recording mobile app" into a single mobile app.

PirateBox/LibraryBox + Secure VoIP (Mumble?) + Anon/Priv Services

Use of a local content device to facilitate on the ground information dissemination and offer secure avenues of communication. Addons - Local FM transmission, Streaming Audio, Calibre Book Server

PirateBox - https://piratebox.cc/
LibraryBox - http://jasongriffey.net/librarybox/building.php

Anyfesto - Example project of PirateBox modded to run on a Pi or CHIP with Mumble, local FM transmission, a streaming audio server, a Calibre book server and local Wikimedia -
https://github.com/tomhiggins/anyfesto

Needs:

  • Hardening
  • More Anon/Priv Services
  • Anon Methods to protect user interactions /avoid data collection, tracking, etc

Encrypted MicroSD cards

Proposal: (re)code firmware for a MicroSD card to provide asymmetric encryption of stored data.

Motivation: for journalists, whistleblowers and anyone wanting secure storage on SD cards, for use in devices that do not encrypt (most any A/V device).

Background: A few years back, Bunnie Huang was bringing the Chumby to production (an internet appliance), and ran into quality issues with MicroSD cards from some manufacturers.

This led to a teardown of cards to learn how they work, the discovery that all contain microcontrollers to manage the mapping of bad blocks and moving data, and finally the release of a toolchain for building firmware for certain manufacturers' cards.

News coverage: http://boingboing.net/2010/02/16/sleuthing-uncovers-t.html

Details:
https://www.bunniestudios.com/blog/?page_id=1022
https://www.bunniestudios.com/blog/?p=2297
https://www.bunniestudios.com/blog/?p=3554

Asymmetric encrypted browser proxy

Provides bidirectional OpenPGP encryption as a browser extension. Basically a VPN but not utilising OS VPN features. Would require a proxy server equipped with matching software.

There are a number of "pure" JavaScript OpenPGP implementations, plus there are Node.js wrappers for pgp/gpg on the server.

https://github.com/openpgpjs/openpgpjs/wiki/Introduction

Let's build a mixnet! A high latency network for anonymized messaging.

Lately I've been cleaning up the sphinx mixnet packet format python reference implementation written by Ian Goldberg and George Danezis:

https://github.com/david415/sphinxmixcrypto

However we recently noticed these:

https://github.com/UCL-InfoSec/sphinx
https://github.com/UCL-InfoSec/loopix

Mixnets can in theory resist the traffic correlation attacks by global passive adversaries. There's a huge amount of literature about mixnets. These are my favorite papers so far:

ZeroNet

Tox

Copperhead+Tor

https://blog.torproject.org/blog/mission-improbable-hardening-android-security-and-privacy
A hardened privacy preserving phone that supports Nexus and Pixel devices.

Tons of projects are possible, involving the following skills:

  • New Device Support (bash scripting, light Python hacking; no firmware knowledge needed)
  • Helping to keep up with new Android filesystem features, like FEC (light python hacking)
  • Fixing OrWall bugs/UI issues (Java)
  • Building standalone build systems or independent versions of required portions of the build tree (Java, gradle, Makefile maze wrangling)
  • Plenty more. See the blog post and https://github.com/mikeperry-tor/mission-improbable/blob/master/README.md

EDIT: Lizzie contacted a core Copperhead developer for us and he pointed us toward these issues that we could contribute to -- https://github.com/copperhead/bugtracker/issues?q=is%3Aopen+is%3Aissue+label%3Aproject

EDIT: A Copperhead developer said that Lizzie's link is still a great place to start, and that we can join them in IRC: https://twitter.com/_copperj/status/804489672093270016 .

2mh commented

pretty Easy privacy (p≡p)

A peer-to-peer cross-platform approach with an engine and adapters to automatically drive different crypto standards (including automatic key management & peer-to-peer key synchronization across devices) in a way that for a user no special steps need be taken to use end-to-end crypto and such that trust can easily be checked by strings in the user's natural language ("Trustwords") instead of hexadecimal fingerprints. The principle is that of Privacy by Default.

The software is to be integrated in existing software or to be the crypto base for new applications. Currently GnuPG and NetPGP are used for crypto (PGP). The plan is to easily encrypt everything text-based, including meta-data encryption (encryption for XMPP/OTR, with Axolotl, over Tox and GNUnet to be supported anytime soon).

Everything is Free Software under the GNU GPL v3.

Idea: Canary Check

  • Website that checks various warrant canaries on various websites (e.g., Riseup.net) to see if they've been updated on time
    • If they haven't been, this company may have been served a search warrant/given a gag order/etc
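The check itself is small, and the interesting part is how to classify a canary that is missing, unsigned or past its date. The following is an added example in Go (not code from any canary project or site; the canary text, wording pattern and function names are constructed for this example). It assumes a canary that carries a "valid until YYYY-MM-DD" line inside a PGP clearsigned block; real canaries vary, so a production checker needs one pattern per site.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// CanaryStatus is the result of one check as of a given time.
type CanaryStatus string

const (
	StatusOK         CanaryStatus = "ok"         // signed block present, still inside its validity window
	StatusExpired    CanaryStatus = "expired"    // validity date has passed: the warning sign the site's users care about
	StatusUnsigned   CanaryStatus = "unsigned"   // no PGP clearsigned block (or empty fetch): the text cannot be trusted
	StatusUnparsable CanaryStatus = "unparsable" // signed, but no recognizable validity date
)

// Constructed sample canary, loosely modelled on the shape real ones take.
const sampleCanary = `-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Example canary, published 2016-12-01 and valid until 2017-03-01.
As of this date no warrants have been served on this example site.
-----BEGIN PGP SIGNATURE-----
(signature bytes omitted in this constructed sample)
-----END PGP SIGNATURE-----`

// Assumed wording; adjust per site.
var validUntilRe = regexp.MustCompile(`valid until (\d{4}-\d{2}-\d{2})`)

// grace avoids false alarms when a site republishes a day or so late.
const grace = 24 * time.Hour

// CheckCanary classifies text as of now and returns the parsed expiry date.
// It confirms a clearsigned block is present but does NOT verify the
// signature: run `gpg --verify` on the fetched text first, and treat a
// signature failure as worse than an expired date.
func CheckCanary(text string, now time.Time) (CanaryStatus, time.Time) {
	if !strings.Contains(text, "-----BEGIN PGP SIGNED MESSAGE-----") ||
		!strings.Contains(text, "-----END PGP SIGNATURE-----") {
		return StatusUnsigned, time.Time{}
	}
	m := validUntilRe.FindStringSubmatch(text)
	if m == nil {
		return StatusUnparsable, time.Time{}
	}
	expiry, err := time.Parse("2006-01-02", m[1])
	if err != nil {
		return StatusUnparsable, time.Time{}
	}
	if now.After(expiry.Add(grace)) {
		return StatusExpired, expiry
	}
	return StatusOK, expiry
}

// CheckAll runs the check over already-fetched canary texts keyed by site.
// A site whose fetch failed should be passed as an empty string, which lands
// in StatusUnsigned rather than being silently skipped.
func CheckAll(canaries map[string]string, now time.Time) map[string]CanaryStatus {
	out := make(map[string]CanaryStatus, len(canaries))
	for site, text := range canaries {
		status, _ := CheckCanary(text, now)
		out[site] = status
	}
	return out
}

func main() {
	now := time.Date(2017, 1, 15, 0, 0, 0, 0, time.UTC)
	results := CheckAll(map[string]string{
		"example-site-a": sampleCanary,
		"example-site-b": "", // constructed: fetch failed
	}, now)
	for site, status := range results {
		fmt.Printf("%s: %s\n", site, status)
	}
}
```

Fix the check time from the caller rather than reading the clock inside `CheckCanary`; that keeps the classification testable and lets a dashboard re-evaluate stored canaries against any date.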

neosphere

A concept for a crypto based social network that allows groups of people to disappear off of the internet ;)
The crypto techniques are highly original and maybe being used by some on the internet but no one is known to know ;)
Contact me if you have the first stage of this process and we can work on implementing it aaronngray@gmail.com

No passwords

I am looking for fellow Crypto Programmers who would like to work on the ultimate Internet password manager, which means people don't need to remember or create internet passwords anymore!
This would be an unpaid side project but would lead to making money via a commercial version.
I am looking for Google Chrome (Microsoft Edge) App programmers who are Crypto aware.
JavaScript and Node.js Programmers who are Node.js aware.
Familiarity with Bruce Schneier's Password Safe code or similar projects.
Knowledge of X.509, RSA, and AES.

Contact me aaronngray@gmail.com if you are interested

current mixnet project, enjoy!
https://github.com/katzenpost