As part of the Thali project we are working on using BLE and Wi-Fi Direct to provide for local discovery. That is, the ability to discover who is around you using BLE/Bluetooth/Wi-Fi. This feature has enormous implications for people’s fundamental rights to privacy as well as personal security. So in this article I try to enumerate what rights I believe users of local presence software must have for such software to be considered ethical. I built these rights based on Kim Cameron’s Laws of Identity.
Continue reading A user’s bill of rights for Thali local discovery Category: Tech
Everything about technology but product reviews
Peer to Peer, ACLs and PouchDB
As part of Thali we are trying to enable people to easily build peer to peer apps on mobile devices using PouchDB. A problem we have run into is how to implement ACLs in a way that doesn’t cause developers writing on our platform to tear their hair out. I make a proposal below but I have to admit that I have no idea if it’s right or sensible. But I figure we have to start some place. What do you think? You can share your ideas on this blog or better yet, on Thali's mailing list!
Continue reading Peer to Peer, ACLs and PouchDB Picking another backlog manager for Thali
Awhile back I ran an analysis to pick a backlog manager for Thali. My winner was Pivotal Tracker and I really like it. It’s super slick. But as an open source project we need to run our backlog out of our GitHub issues so we can manage everything in one place. While Pivotal Tracker has an add-on that provides GitHub issues integration, it’s clearly an afterthought. So I’m back to look at backlog managers that run straight out of GitHub. My winner this time is Waffle
Continue reading Picking another backlog manager for Thali Looking at JXCore’s perf
Asking about a system’s performance is usually an invitation to a fight, not to useful data. But I did want some idea of how JXCore, a fork of node.js that runs on mobile OS’s, performed on iOS and Android. See here for more info on JXCore. Since the work I’m doing heavily involves PouchDB I decided to take the PouchDB performance tests and run them in six different environments and compare the results. Over all, one should expect node.js on a modern phone (Android or iOS) to be around 10x slower than on a PC. Which honestly, isn’t that bad when you think about it. I want to give a shout out to Brian Lambert for making the iOS tests happen and to Oguz Bastemur from Nubisa for helping us past various bugs. Oguz was very patient with Brian and I and we really appreciate it.
Continue reading Looking at JXCore’s perf A FAQ about JXCore, a fork of Node.js for Mobile platforms
JXCore is a fork of Node.js that introduces multi-threading support and a Javascript engine abstraction layer to plug in different Javascript engines. They have support for iOS using Spidermonkey and Android using v8 and Spidermonkey. Below I provide a FAQ about who they are and what they can do.
Continue reading A FAQ about JXCore, a fork of Node.js for Mobile platforms How do we exchange identities in Thali without making our users hate us?
In Thali identities are public keys. But typing in a 4 Kb RSA key or even a 512 bit EC key isn’t exactly easy. So how do users securely exchange their keys? Our original approach was using QRCodes. But lining up the phones, scanning the values, etc. is all a serious pain. So if ultimate security isn’t a requirement our backup plan is to use a variant of Bluetooth’s secure simple pairing with numeric comparison which itself is just an implementation of a coin-flip or commitment protocol. The main downside of this approach is that it provides a 1:1,000,000 chance of an attack succeeding.
[Updated on 3/9/2015 with a new appendix, the last two questions at the end are new.]
Continue reading How do we exchange identities in Thali without making our users hate us? Derived keys and per user encryption in the cloud
I use a program called ESPlanner to help with planning our insurance and retirement portfolio. ESPlanner wants to move to the cloud. Below I explore who I imagine would want to attack a site like ESPlanner and what sort of things cloud services like ESPlanner can do to frustrate their attackers. I especially look at using derived keys and per user encryption to potentially slow down attacks. But in the end, I'm uncomfortable with the legal protections afforded me as a service user in the US and so I really want a download version of ESPlanner.
Continue reading Derived keys and per user encryption in the cloud Thali and the Mesh Mess
Thali's base communication mechanism is Tor hidden services. This enables Thali devices to reach each other regardless of what NATs or Firewalls are in their way in a manner that is resistant to traffic analysis. But what happens when one isn’t on the Internet at all? We still want Thali devices to be able to communicate so a goal has been to support some kind of ad-hoc communication mechanism. That is, if two Thali devices are close enough to reach each other directly via a technology like Wi-Fi or Bluetooth they should be able to communicate securely and privately.
Ideally however we would go a step farther and use a technology that supports ad-hoc mesh networking. We list below some candidates but it is a bit early to jump on the mesh bandwagon. More on that in future articles.
The purpose of this article is to collect information on what appear to be the main players in the ad-hoc connectivity and mesh building contest.
[Note: This is a complete re-write of the existing Mesh Mess article.] [4/19/2017 - Updated with changes to BLE in Bluetooth 5.0]
Continue reading Thali and the Mesh Mess Thali and the Internet of Things (IoT)
The decision to switch from Java to Javascript continues to be interesting. One of the consequences of it is that it made it much easier to have conversations with the IoT community who it turns out like Node.js a lot and have problems that Thali is perfect for solving. So we are talking to potential customers who we can then leverage to get resources to build Thali. I wrote an article explaining what it is we want to build in that context. Please give it a read and let me know what you think!
Making HTML 6 Packaged Apps Happen
I’ve joked for over a year now that if there ever was a HTML 6 its marquee feature would be Node.js. In other words I should be able to write a packaged app that sits on a device that has one part running in a browser/webview and another part running a local Node.js instance that I can use to accept incoming request. Furthermore I need to be able to build and deploy HTML 6 packaged apps on at least (but not at most) - Android, iOS, Linux, OS/X, Windows desktop and Windows RT. The purpose of this article is to lay out my nefarious plan for making HTML 6 packaged apps real.
Continue reading Making HTML 6 Packaged Apps Happen