Looking for Rubyists interested in P2P and privacy

Hey there, excuse the spam :wink: Hopefully this is relevant enough.

The recent NSA scandals have done a lot to promote a public interest in
improving privacy software. This has resulted in a litany of “me too!”
style encrypted IM apps. I’m trying to build something better: a
“Cryptosphere”

It’s written in Ruby and JS, and I need your help:

http://cryptosphere.org/

I’m working on an end-to-end security model for the web, where content
goes in one end (via git), is encrypted end-to-end from the publisher’s
computer to the end user’s computer, and comes out the other side in the
form of cryptographically authenticated HTML5/JS applications.

These applications are stored on a P2P grid in a decentralized manner
and fully encrypted/authenticated manner, preventing the compromise of a
hosting provider from manipulating the content. This sort of thing
happened just recently when Freedom Hosting was compromised, exposing
large numbers of users of the Tor anonymizing network to malware:

If this sort of thing seems interesting to you, consider joining our
Google Group:

https://groups.google.com/forum/#!forum/cryptosphere

On 08/07/2013 07:09 AM, Tony A. wrote:

I’m working on an end-to-end security model for the web, where content
goes in one end (via git), is encrypted end-to-end from the publisher’s
computer to the end user’s computer, and comes out the other side in the
form of cryptographically authenticated HTML5/JS applications.

looks nice, but AFAIK one of the main issues with PRISM-like stuff is not
(only) missing encryption, but missing anonymity. How do you plan to take
care of this (I did not find anything on your site)?

regards
ralf

On Wed, Aug 7, 2013 at 6:43 AM, Ralf M. [email protected] wrote:

looks nice, but AFAIK one of the main issue with PRISM-like stuff is not
(only) missing encryption, but missing anonymity. How do you plan to take
care of this (I did not find anything on your site)?

The Cryptosphere provides pseudonymous publishing (it’s impossible to
tell someone publishing content from someone repairing content, for
example). It punts on a Freenet/GNUnet-style overlay network since these
sorts of services are already implemented by Tor and I2P and are thus
considered out-of-scope for this project. This is answered in the FAQ.
Perhaps it could be clearer?

On Tue, Aug 06, 2013 at 10:09:15PM -0700, Tony A. wrote:

Hey there, excuse the spam :wink: Hopefully this is relevant enough.

The recent NSA scandals have done a lot to promote a public interest in
improving privacy software. This has resulted in a litany of “me too!”
style encrypted IM apps. I’m trying to build something better: a
“Cryptosphere”

It’s written in Ruby and JS, and I need your help:

http://cryptosphere.org/

I’ll give it a look tomorrow. Sounds interesting so far.

of users of the Tor anonymizing network to malware:

If this sort of thing seems interesting to you, consider joining our Google
Group:

https://groups.google.com/forum/#!forum/cryptosphere

Does anyone else find it ironic that, given the revelations about PRISM,
people are using Google to promote and organize privacy projects?

Even aside from that, though, I try to avoid the agonies of using Google
Groups without using a GMail account.

On Tue, Aug 06, 2013 at 10:09:15PM -0700, Tony A. wrote:

It’s written in Ruby and JS, and I need your help:

http://cryptosphere.org/

From there, I followed the GitHub menu link (which is inaccessible
without JavaScript for some reason that escapes me*), and from there the
libsodium link, then GitHub gave me a 404. The link URI in the README
is:

https://github.com/libsodium/libsodium

I found it here:

https://github.com/jedisct1/libsodium

Should the link be changed to that target?

I’m working on an end-to-end security model for the web, where content goes
in one end (via git), is encrypted end-to-end from the publisher’s computer
to the end user’s computer, and comes out the other side in the form of
cryptographically authenticated HTML5/JS applications.

I like the idea of a distributed, version controlled, encrypted web, and
that general idea has been on my mind a lot for the last half dozen
years. I really do think this is a worthy project, and even if I do not
find a way to contribute I hope it achieves some kind of success, and
wish you luck.

These applications are stored on a P2P grid in a decentralized manner and
fully encrypted/authenticated manner, preventing the compromise of a
hosting provider from manipulating the content. This sort of thing happened
just recently when Freedom Hosting was compromised, exposing large numbers
of users of the Tor anonymizing network to malware:

I think the biggest surprise about this was the fact so many
security-conscious privacy advocates were surprised by a major
compromise of Tor resources. One of my first thoughts when I
encountered Tor was that a surveillance society government could
probably just set up a lot of Tor nodes and correlate traffic.

Even worse, there are built-in disincentives for people to host Tor
nodes, because of the fear of being blamed for the traffic coming
through an exit node. While that does not seem to have so far been
problematic in the US, at least, we’re only a Congressional bill or
policy change away from that changing.

A better architecture is overdue. I hope this project will be a
significant step in that direction. I’ll be looking at it more, and
will share it with smart people I know who don’t follow this list.

If this sort of thing seems interesting to you, consider joining our Google
Group:

https://groups.google.com/forum/#!forum/cryptosphere

I don’t really see any other way to get involved apart from GitHub pull
requests, unfortunately. I’ll see if I get that far with this.


*: Yes, I’m aware that JavaScript is not always malicious, but it often
is, and it seems to me that we should try to cater to people who
therefore quite rationally try to avoid running JavaScript in their
browsers. This seems particularly important for a privacy-oriented tool
that is meant to appeal to security-conscious geeks.

On Aug 9, 2013, at 10:47 AM, Chad P. [email protected] wrote:

*: Yes, I’m aware that JavaScript is not always malicious, but it often
is

I do not think that word means what you think it means.

On 9 Aug 2013, at 11:04, Chad P. [email protected] wrote:

http://cryptosphere.org/

I’ll give it a look tomorrow. Sounds interesting so far.

I was looking for an open source project to get involved, but
translations apart, I might be seriously out of skills since I don’t do
crypto and still learning programming. I’ll have a look at the source
code and see what I can do with it. Anything that will improve my Ruby
interests me.

hosting provider from manipulating the content. This sort of thing happened
Does anyone else find it ironic that, given the revelations about PRISM,
people are using Google to promote and organize privacy projects?

Yes. Totally. And (as in this case) often happens from really skilled
people who ought to care about these things more. We’re not talking
about regular Joe who upon giving up Facebook will have to decide if
(essentially) he is going to be part of the society or not. Because
let’s face it, in most of the western internet world, if you don’t have
a FB/Twitter account you’re practically out of reach. But when it comes
to hackers, it really beats me. Most people here have the means to find
private space or to host a project at an open source community and
avoid Google or even GitHub for example (which is not targeted but a big
corp with servers on US soil, etc.). Jesus, we could even host these
projects on Tor Hidden Services with a mirror to the open internet.
Maybe we’re just too paranoid, but to me looks more like thinking
straight.

Even aside from that, though, I try to avoid the agonies of using Google
Groups without using a GMail account.

That’s why I kept my gmail account so far, to have access to google
groups. Blah.


Chad P. [ original content licensed OWL: http://owl.apotheon.org ]

Panagiotis (atmosx) Atmatzidis

email: [email protected]
URL: http://www.convalesco.org
GnuPG ID: 0x1A7BFEC5
gpg --keyserver pgp.mit.edu --recv-keys 1A7BFEC5

On Fri, Aug 9, 2013 at 1:04 AM, Chad P. [email protected] wrote:

Does anyone else find it ironic that, given the revelations about PRISM,
people are using Google to promote and organize privacy projects?

You are not the only one :wink: Several people have expressed this concern.
It’s a problem I’d like to fix… but we need to write the software
first! :smiley:

Perhaps something like librelist would’ve been a better choice, but I
like the Google Groups web UI better personally.

Even aside from that, though, I try to avoid the agonies of using Google
Groups without using a GMail account.

Is it really that problematic? You should be able to use it with any
email account

On Aug 9, 2013, at 10:54 AM, Tony A. [email protected] wrote:

Is it really that problematic? You should be able to use it with any email
account

Yes, I’m actually using it with non-gmail account without any problems
(it’s not different at all from using a GMail account). However, I think
he meant problems of using google groups without registering in GMail,
which I think is not possible.

On Aug 9, 2013, at 11:38 AM, Chad P. [email protected] wrote:

“Yes, I’m aware that JavaScript is not always written with malicious
intent, but it often is”

Is that better? Were you objecting to the anthropomorphism of
describing source code as “malicious”? What exactly is the reason for
your condescension in this case? Please elaborate.

“Often”

On Fri, Aug 09, 2013 at 11:00:24AM -0500, Tamara T. wrote:

On Aug 9, 2013, at 10:47 AM, Chad P. [email protected] wrote:

*: Yes, I’m aware that JavaScript is not always malicious, but it often
is

I do not think that word means what you think it means.

Okay . . .

“Yes, I’m aware that JavaScript is not always written with malicious
intent, but it often is”

Is that better? Were you objecting to the anthropomorphism of
describing source code as “malicious”? What exactly is the reason for
your condescension in this case? Please elaborate.

On Fri, Aug 09, 2013 at 04:28:47PM -0500, Tamara T. wrote:

Okay . . .

“Yes, I’m aware that JavaScript is not always written with malicious
intent, but it often is”

Is that better? Were you objecting to the anthropomorphism of
describing source code as “malicious”? What exactly is the reason for
your condescension in this case? Please elaborate.

“Often”

I suspect, then, that it is you who does not understand the word.

Hint: “Often” does not mean “a majority of the time”. If you disagree
that it is often, that is a matter of personal perspective on scale or
of lacking knowledge of its frequency, rather than of me using the wrong
definition of the term.

On Fri, Aug 09, 2013 at 01:39:33PM -0700, Stanislav S. wrote:

On Aug 9, 2013, at 10:54 AM, Tony A. [email protected] wrote:

Is it really that problematic? You should be able to use it with any email
account

Yes, I’m actually using it with non-gmail account without any problems
(it’s not different at all from using a GMail account). However, I think
he meant problems of using google groups without registering in GMail,
which I think is not possible.

Yeah, I was basically talking about the agonies of maintaining a GMail
account and linking my non-GMail accounts to it, then keeping track of
which accounts are linked to a GMail account and which are not, and so
on.

On Fri, Aug 9, 2013 at 5:46 PM, Chad P. [email protected] wrote:

Yeah, I was basically talking about the agonies of maintaining a GMail
account and linking my non-GMail accounts to it, then keeping track of
which accounts are linked to a GMail account and which are not, and so
on.

Okay, perhaps this is a bigger problem than I realized: it used to be
you could join any Google Group as if it were any other mailing list in
the world. You subscribe by sending an email message, it sends you a
confirmation, you confirm and you’re good to go.

Taking a look at it now I guess that’s no longer the case? You really
NEED a GMail address to join the group?

Is that really the case? If so, I think getting off Google immediately
is a good idea.

On Fri, Aug 09, 2013 at 05:59:44PM -0700, Tony A. wrote:

world. You subscribe by sending an email message, it sends you a
confirmation, you confirm and you’re good to go.

Taking a look at it now I guess that’s no longer the case? You really NEED
a GMail address to join the group?

Is that really the case? If so, I think getting off Google immediately is a
good idea.

I haven’t actually looked at it lately, but last year I tried to sign up
for a Google Group with a non-GMail account, and it required me to link
it to a GMail account to get it to work. As a result, I didn’t join the
Google Group.

Subject: Re: Looking for Rubyists interested in P2P and privacy
Date: Sat 10 Aug 13 06:41:52 +0000

Quoting Eric W. ([email protected]):

The real paranoids among us are too scared to run GUIs anymore, much
less new-fangled HTML5/JS/CSS :slight_smile:

I have seen the smiley, but I would be careful about the words,
anyway. The word, ‘paranoid’, defines a clinical condition that modern
medicine is only too happy to offer psychotropic ‘medicines’ to
‘cure’.

I have had recent brief stints of peeking behind the covers of both
the Android world and more or less modern HTML-based data channels. I
can comfortably state that both layers are carefully engineered to
make it more and more automatic for huge rivers of consistent data
about our private lives to flow towards data hoarders - google is
no. 1, but several private/public concerns (the border becomes fuzzy)
are busy hoarding - and unavoidably they are busy data-mining.

Those who are pointed at as paranoids are just realists.

My recipe is 1) to dissipate fear of course, and 2) to try and have a
picture of what data I give out. Then, 3): I consciously renounce
innovations that would only make me lazier, no matter how trendy, and
4): I try never to forget that I am a son of this planet, and Mother
Nature has the last word about what is really important. Internet is
fragile, it can fold up as happened to the network of Roman roads a
couple of thousand years ago.

Then, I am conscious that the movement towards a one-world government
where the freedom to think independently is to be heavily limited has
too much mass behind: supernational finance wants that, and politics
needs money, so no effective contrast can come from governments. And
individuals get quickly minced if they happen to devise effective
methods to throw sand into the cogs of the mechanism.

What I do: I face my challenges one by one, and I find satisfaction
and serenity in my achievements. It is hopeless and wrong to force
others to renounce their laziness and start caring about their
personal growth. It is hopeless to dream about a free world. This
world is illusion, a mechanism to allow us to face and eventually
overcome our personal challenges, and it is exactly what every one of us
needs…

Really off-topic, eh? But it is Saturday morning…

Carlo

On Sat, Aug 10, 2013 at 3:04 AM, Carlo E. Prelz [email protected] wrote:

    Subject: Re: Looking for Rubyists interested in P2P and privacy
    Date: Sat 10 Aug 13 06:41:52 +0000

Those who are pointed at as paranoids are just realists.

My recipe is

Mine is to just segregate everything. I think I’ve inadvertently become
something like 5 almost mutually exclusive people now. There’s a Kernel
in there somewhere, but it’s rather illusive, because even the private
methods change on the fly :slight_smile:

Todd

Tony A. [email protected] wrote:

I’m working on an end-to-end security model for the web, where content goes
in one end (via git), is encrypted end-to-end from the publisher’s computer
to the end user’s computer, and comes out the other side in the form of
cryptographically authenticated HTML5/JS applications.

The real paranoids among us are too scared to run GUIs anymore, much
less new-fangled HTML5/JS/CSS :slight_smile:

Anyways, I wish you the best of luck, but I’m very much lost in the
world of GUI pointy-clicky things.