Derived keys and per user encryption in the cloud

I use a program called ESPlanner to help with planning our insurance and retirement portfolio. ESPlanner wants to move to the cloud. Below I explore who I imagine would want to attack a site like ESPlanner and what sort of things cloud services like ESPlanner can do to frustrate their attackers. I especially look at using derived keys and per user encryption to potentially slow down attacks. But in the end, I'm uncomfortable with the legal protections afforded me as a service user in the US and so I really want a download version of ESPlanner.
Continue reading Derived keys and per user encryption in the cloud

Thali and the Mesh Mess

Thali's base communication mechanism is Tor hidden services. This enables Thali devices to reach each other regardless of what NATs or Firewalls are in their way in a manner that is resistant to traffic analysis. But what happens when one isn’t on the Internet at all? We still want Thali devices to be able to communicate so a goal has been to support some kind of ad-hoc communication mechanism. That is, if two Thali devices are close enough to reach each other directly via a technology like Wi-Fi or Bluetooth they should be able to communicate securely and privately.
Ideally however we would go a step farther and use a technology that supports ad-hoc mesh networking. We list below some candidates but it is a bit early to jump on the mesh bandwagon. More on that in future articles.
The purpose of this article is to collect information on what appear to be the main players in the ad-hoc connectivity and mesh building contest.
[Note: This is a complete re-write of the existing Mesh Mess article.] [4/19/2017 - Updated with changes to BLE in Bluetooth 5.0]
Continue reading Thali and the Mesh Mess

Thali and the Internet of Things (IoT)

The decision to switch from Java to Javascript continues to be interesting. One of the consequences of it is that it made it much easier to have conversations with the IoT community who it turns out like Node.js a lot and have problems that Thali is perfect for solving. So we are talking to potential customers who we can then leverage to get resources to build Thali. I wrote an article explaining what it is we want to build in that context. Please give it a read and let me know what you think!

Making HTML 6 Packaged Apps Happen

I’ve joked for over a year now that if there ever was a HTML 6 its marquee feature would be Node.js. In other words I should be able to write a packaged app that sits on a device that has one part running in a browser/webview and another part running a local Node.js instance that I can use to accept incoming request. Furthermore I need to be able to build and deploy HTML 6 packaged apps on at least (but not at most) - Android, iOS, Linux, OS/X, Windows desktop and Windows RT. The purpose of this article is to lay out my nefarious plan for making HTML 6 packaged apps real.
Continue reading Making HTML 6 Packaged Apps Happen

Picking a backlog manager for Thali

I evaluate below a bunch of backlog managers. I picked them based on what looked interesting. Not an ideal methodology but there are so many of these I had to narrow it down. The one that did everything I wanted was YouTRACK by IntelliJ, even the pricing was outstanding. But I rejected that option (for now anyway) because their UX is just too confusing for me. I actually had settled on Flying Donut and started to use them but I quickly realized that they were too simplistic. They didn’t do a good job of allowing me to manage iterations, epics and releases separately. So Tim Park had mentioned he had used Pivotal Tracker at his previous company and I tried them out. They aren’t perfect and their beta has some bugs but they had a really great balance between simplicity and flexibility. So hop on over to our new tracker and see how we are using them!
Continue reading Picking a backlog manager for Thali

Zooko’s triangle – I don’t think it’s solved in the real world

Zooko’s triangle proposes that a global naming system can be human meaningful, distributed or impersonation proof - pick 2. Below I look at Pet Names, the traditional way of handling Zooko’s triangle. Then I look at proposals that claim to actually solve Zooko’s triangle and show several attacks that these systems don’t appear to solve and so argue that Zooko’s triangle still stands.
Continue reading Zooko’s triangle – I don’t think it’s solved in the real world

Why Google’s support of PGP Mail might not be such a brilliant idea – Or, why I don’t like digital signatures for social networking and how Thali addresses this

Google announced that they may (the code is not officially supported yet) support PGP Mail in GMail. This might seem like an unabashed win for user privacy since it would make it impossible for Google to read their user’s mail. This article points out a number of problems with Google’s actions (I still think Google should be commended for doing this work) but I’d like to focus on a different issue than covered in the article - why digital signatures are a bad idea in general for social networking/email and how Thali deals with this problem.
Continue reading Why Google’s support of PGP Mail might not be such a brilliant idea – Or, why I don’t like digital signatures for social networking and how Thali addresses this

Making HTML5 peer to peer web friendly

HTML5 is built on the assumption of a client/server web. Below I walk through the issues this raises for the peer to peer web. The good news is that we really don’t need terribly many changes to HTML5 to make it peer to peer friendly. Basically we need a new same origin policy that is based on certs rather than hosts, a way to handle mutual auth requests, standardized support for node.js (or equivalent) and a few other minor things.
Continue reading Making HTML5 peer to peer web friendly