Felony – An open-source PGP keychain
github.comHi I'm Henry, the creator of Felony
I’ve had a passion for politics, history, and programming since the age of 12 growing up in a suburb of Chicago. During my freshman year, I developed an interest in software. A couple of apps and hackathons (programming competitions) later, I was working on my own startups when I made the leap to drop out of high school to become a software engineer at a venture-backed tech startup.
While working there I learned that PGP encryption was the tool used by Edward Snowden to securely send messages to journalists. The immense value of encryption as a core component of our free society became clear to me. Amongst fellow coders, I had no trouble using command-line encryption to communicate. But my friends who didn’t code couldn’t easily do the same since they don’t know how to use the command-line. Given how important encryption is, I decided to build a first-rate encryption tool that could be used by anyone on any website, regardless of background.
This looks like an interesting project but has a poor name choice. If it's targeted at non technical users, it may actually prevent them from using it, out of fear that just using it is illegal.
How about "The Fourth"? The name denotes privacy and won't scare off people by sounding illegal.
I immediately know what you mean since I was born and raised in the US, but most people will be left scratching their heads unless they're really well versed in the historical legislation of other countries. (I consider myself fairly well versed in international relations, but if someone made an app referring to a specific UK Act of Parliament I'd be confused.) But I agree, Felony isn't the best name.
It would make me unwilling to use it, due to being clearly pro-American. While it's the american government that is most likely to be spying on me. Awful name, felony is better.
I'm not an American, by the way.
I'm sorry but as a non-US person it's been made very clear to me that I have zero rights, zero laws to depend on and zero expectations of privacy. Calling it "the fourth" is like rubbing that in my face, leaving a rather bad taste.
Yeah was thinking this too, as a techie I like it, but to the general user or business it screams IM DOING SOMETHING ILLEGAL!
Question: what's the memory usage like A) at idle, B) after some using and left running for a day or two?
Meanwhile, a large percentage of the population is quite happy to play a game named Grand Theft Auto...
But that's a video game that purports to celebrate grand theft auto (among other lawlessness). Is the OP's purpose to simulate the commission of a felony? Because those who believe in encryption for everyone believe that encrypted chat should not be a felony.
See also the other discussion thread on that topic:
Feline - everyone loves cats
I think in era of state being the public enemy names like this has a political purpose. :)
Then call it "Rightstarter" :)
It's not targeted at entirely non technical users. That's why it's on Hacker News ;)
"Felony is the first PGP app that's easy for anyone to use"
How about calling it "Freedom"
Chucking my naming idea, call it rights.
Everybody wants rights and nobody sane is against having rights when rights means their right the free speech, their right to a fair trial etc.
good idea!
Wow, I like this a lot!
I would consider naming it something other than a common English phrase, honestly. I know it's the big trend these days, but it's making things incredibly hard to search for. Try searching for the messaging service "matrix" and the matrix client "vector". Insane amount of namespace collision there.
Best to go with something like Freechain or something so at least people can search for it.
"Freechain" is great. It passes the cognate test (sounds like "keychain," which it is), and the "free" part gives it the multiple meanings of both FOSS and freedom from surveillance. Euphony is pretty high, and it looks fairly low-noise on Google, too.
And chain even retains some connotations to "felon" ... ;-)
Seriously, though, "freechain" strikes a nice balance between being a new term, and hinting at what the use-case is.
I agree that Freedom is a nice choice, but "Freedom" is already in use by a somewhat well-known website/social media blocker (as in "freedom from all those distractions"):
Still, other suggestions are coming up in this thread that may be of use. I really like the idea of a name that, for a non-technical user, cab be a lead in to answering "why do I want this app? what does it do for me?"
Just change the name man. Just today two of my non tech savvy friends refused to use it, they were scared by the name.
How about "Constitution".
M.Y.O.B. - Mind Your Own Business
I think folks should chill on the name. It's just a word which makes it stand out as a product. Good job !!
In that famous Goldman Sachs "theft" case, use of a tool called "Subversion" (which any IT person knows is just vanilla version control software) was taken by the FBI as evidence of malicious intent.
Just saying.
Here's the article about it I found mentioned in HN comments before: http://www.vanityfair.com/news/2013/09/michael-lewis-goldman...
Just call it Line Noise, Static, or something. No malicious intent in that.
Static is a great name.
Words have meaning and are way more important than you could even imagine. We don't think with words, we use words to think.
One example comes to mind, back in the day people used to use the word "Exploited" to talk about workers being drained of their life force. When you say exploited you assume that there is an exploiter, that someone is guilty of that worker's shitty life.
Now we mostly say the "Disenfranchised" or "Disadvantaged" which takes the "Exploiter" out of the equation entirely and put the workers plight mostly on the back of bad luck than anything else.
Words are very important.
"It's just a word which makes it stand out as a product"
So you think calling a product "nigger" is a good idea? It's just a word and it would certainly stand out.
(Before responding directly to my comment, please consider that I'm criticizing your logic, and don't actually want anyone to create a product with a hateful name)
That is a needlessly crass example. I get your point, but that's not the best way you could have made it.
I disagree. If someone has deactivated their own humanity enough to say "It's just a word" then they probably need a shocking reminder of the power of words. Making an abstract argument about words won't move the needle for a wet robot.
I disagree. Associating cryptography to a criminal term is not wise.
Exactly. How many future whistleblowers would consider using a tool named 'felony'.
I'm guessing exactly zero.
It is also bad PR. And encryption now needs more good PR than ever.
Have you heard of or used signal?
Same idea -- strong crypto that's usable for anyone. It uses the OTR Ratchet protocol which uses perfect forward secrecy. The app also provides a way to verify keys through an OOB channel.
I would recommend considering OTR Ratchet integration just like WhatsApp did recently.
PGP is not a good design choice for a messaging app as you're always using asymmetric crypto operations which are computationally intense -- not terrible on modern computers but will be dreadful on mobile devices. Also can you provide some more documentation on how the app leverages PGP? Hopefully conversation is not using the same private keys to encrypt. That is vulnerable to data or side channel leakage. The modern approach is to generate and exchange an ephemeral key. Also please provide information on key storage.
Rather than making vague security claims like "first-rate" and " Security++ to the greatest extreme" you should rather provide a threat model and explain why one can remain confidential and have authenticity against particular types of adversaries. No security tool is perfect and it's only a matter of time before an adversary breaks it. Developers are doing a disservice by claiming anything more.
Before you can claim a first-rate security tool you will need to face a lot of scrutiny first.
PGP is a great choice when you want to be able to send encrypted messages over any channel you want. It sounds like you do not understand how PGP works -- you exchange public keys over a trusted medium and then use public key cryptography to encrypt the AES key used to encrypt the rest of the message.
The OpenPGP library it uses has been audited (twice). Most of the mistakes that could have be made are avoided this way.
Edit: Yes, you lose PFS by using PGP, but it would not really be possible to negotiate PFS via, say, email.
> PGP is a great choice when you want to be able to send encrypted messages over any channel you want.
That has nothing to do with PGP. You could do the same by base64-ing an OTR session (in fact, people do that all the time).
I don't like the choice of PGP because it has non-repudability. If you send me a message, I can prove to anyone in the world that you sent me the message. OTR and Axolotl don't have this problem (only I can be sure you sent me the message and I cannot prove that I didn't fake it to anyone else).
> If you send me a message, I can prove to anyone in the world that you sent me the message.
Only if you sign the message, right? But you can use PGP to send encrypted messages without signing them.
And then if the message is corrupted you have know way of knowing. Not to mention that essentially nobody uses those modes.
Axolotl and OTR provide signatures, just that they are "non-transferrable" (so to speak). Not to mention that the actual crypto is more modern.
> That has nothing to do with PGP. You could do the same by base64-ing an OTR session (in fact, people do that all the time).
But PGP also works for printing stuff on a post-card (or you know, email) - asynchronous communication. While Axolotl does push OTR-like modes towards asynchronous use - they do involve a lot more than getting hold of a public key (say, one published in a magazine, or shown in a frame of a movie, or...).
There's been an argument since the early crypto-wars about whether gpg/pgp could (should) be made easier to use. And I absolutely think it could (and should).
Key distribution is still hard, but it's not helped by a silly cli app, and no great recommendations on how to manage trust (I suppose the gist is: get a hw token for your key, print a backup and store a revocation order in a safe, sign keys you trust and upload them to the keyservers. But even if that list seems easy, users are left with questions like: which hw tokens should I use? When I lose it, "re-trusting" keys? How big a problem is it that I've just exported meta-data about who I communicate with? Which clients easily integrates with my hw token so that I can use gpg on my smart phones, my laptop and my desktop? What if my phone lacks NFC? Can't use USB host? And last, but certainly not least -- why isn't there a fork of gpg2 that does "the right thing(tm)" out of the box -- and make this "best of breed" flow easy, rather than making all kinds of sub-key shenanigans equally cryptic?)
If you don't need PFS (which you should need) then you can use DH to create the shared key you use for the HMAC. Maybe you could even do an original OTR-like ratchet scheme (only change the key once the recipient shows that they are using the new key) to get PFS. But in principle if you assume that key distribution is "solved" then you can implement the unique parts of OTR.
I'm not sure, you're saying the format and message standards of PGP of providing machine-readable signed keys aren't worth anything, because you can just memorize some base64 coded secrets and run with it?
That's how you'd prefer to bootstrap secure communication with a journalist, or for recruiting people to demonstrate against the current regime in Egypt?
> But in principle if you assume that key distribution is "solved" then you can implement the unique parts of OTR.
How can it make sense to think of it as solved? How do you backup your keys? Your list of trusted keys? Protect them against theft? Alert others to their compromise? Get alerted when keys are compromised?
Key distribution really is the only really interesting problem in secure, trusted, communication (with secure one time pads, most problems go away. The trick is to make sure you have secure one time pads, shared only with the person(s) you want to communicate with...).
Public key encryption opens up some new ways to make the problem easier, but it's just one step in the right direction.
My point was that if PGP was suitable for "usable" encryption (which is the whole point of this program), then you could use the same key distribution methods but use Axolotl.
Yes you're right.
It's hard to say that most mistakes are avoided from two audits. Especially in a browser; there's a lot of attack vectors.
>you exchange public keys over a trusted medium and then use public key cryptography to encrypt the AES key used to encrypt the rest of the message.
What do you consider a "trusted medium?"
Please change the name of the app. I'm Swedish, and to me the name sounds really repelling.
Maybe someone could fork the application and rename it to something cool that I can use?
What do you think the app should be named?
How about "PGPal"?
You seriously can't do this yourself? Clone the repo and change the name using find-and-replace and run install. No need to insult.
That won't mitigate the PR damage involved. A fork would need to actually just plain outcompete the original app.
Sorry, did not mean to insult. Just stating how I interpreted the name.
There seems to be a number of forks already (currently 12).
Many people will fork just to keep a backup.
Hi! The app looks great. Can you speak a bit more about the interaction? How would two people who just downloaded Felony send an encrypted message to each other?
Here's how it works...
1. Add public keys to your buddies list— A public key is like a username - Adding someone’s public key to your buddies list lets you send them messages. You can find other public keys on markets like keybase.io and darknet.
2. Encrypt a message— Select a recipient from your buddies list and compose a message. Only your chosen recipient(s) can read the message. Encrypted messages might contain sensitive information, such as an address, document, or anything intended to be read only by intended recipients.
3. Send the encrypted message anywhere— You can send the encrypted message on any website! For example, facebook messenger, twitter direct message, or youtube. Felony is security when and where you want it.
1. Why did you choose PGP, when we have OTR and Axolotl -- which are specifically designed for informal communication where repudiation (recipient Y not being able to prove to others that X sent the original message) matters.
2. How are the public keys securely distributed? You say that "a public key is like a username", but without a central authority you hit a lot of issues (essentially the CAP tradeoff, but for user IDs). And with a central authority, you have no trustworthiness. Or are the users just meant to find public keys themselves (in which case you're back to the current state of affairs).
3. The name choice is stupid. Why on earth would anyone sane in this political climate call an encryption program "Felony"?
As for #3 I would think that it makes fun of the idea that encryption is somehow a crime. That's how I read it at least.
I get the joke, it's just not funny. And literally nobody outside of our community would get the joke.
You dropped out of high school your freshman year? i mean you seem smart enough to get by but uh, wow.
(fwiw i say this as a college dropout who doesnt regret it at all)
Schools are a way for parents to send their kids to a reliable daycare service. At a certain level, some don't really learn anything there. I did as much as I did (college) to pass among the clueless as normal but wish I had more opportunities to avoid it altogether.
I recall even Snowden dropped out of high school.
I dropped out after my sophomore year - I had recently moved to the States from Europe, and school was teaching things that I had learned already been taught a few years prior to that. I was completely bored and decided I was done with school. Getting my GED was really easy, and from there I have had a great career - while it may have hurt me in the beginning, I now have 20 years of relevant work experience behind me, it's generally not a concern to myself or any of my past employers - and if I were to interview somewhere that took issue with it, it's probably not somewhere I would want to work.
Why are all dropouts who "made it" making such a big deal out of it.
after sophomore year. yay dropouts!
dropouts ftw!
yee!
Really love the name on a lot of levels. Do y'all get a laugh every time you do a git commit?
.... maybe )))
Is it geared to mobile devices? The screenshot looks very much like one from a mobile. I wouldn't trust my phones underlying security architecture enough to store a PGP private key on the device.
PS: I love the name. You did a good job with it creating a buzz. It made me laugh and curious enough to take a look. Maybe pointing out on your site that "privacy is a human right" and the name should remind us of that rather than succumbing to peer-pressure, in the hope of not offending the 0.01% of your non-tech savvy users.
So many comments about the name. All of a sudden I have a strange urge to see the next big open source project name themselves fjoi43isoitoei. Because names of technology projects only have as much importance as the reader attributes to them. If you can't see beyond that, and if your primary focus is what others might think of you because of what you named your project, I don't know what to say to you.
Will this thing ever use less than 130MB of RAM? If so, how do you plan to do that?
Just curious: Are you running on a Raspberry Pi or other machine with constrained resources? 130MB is less than 4% of the memory in most modern computers, and less than 10% of most mid-range phones.
Just to be nice i'll assume you ask earnestly and answer earnestly: I have 16 GB of RAM. However i also always have more than one app running at any given time. In fact, my system usually has 200+ things running. I also don't mind if things use a lot of memory if: They either use it to give me a lot of bang for my buck, or are not long-running processes. Felony ticks neither of these boxes.
Also do keep in mind that the 130MB number is right after start without even logging in or using it at all. Due to memory usage by actual feature usage, and creep due to leaks, i can expect that number to easily double and more.
I'm not sure that the doubling guess is going to be accurate. The majority of that 130MB is going to be in the overhead of keeping a seperate copy of Chromium in memory, not in the implementation of current features.
My experience with Web browsers is they expand to fill all available memory and then some. This Firefox process has grown more than 50% since launch, and will stay mostly that big even if I close all but one new tab.
Chrome does a better job of containing the damage to individual tabs, but I'm not how much that really helps with something like this. And of course, eventually I still end up killing Chrome periodically to get RAM back for real work, like running VMs without the host thrashing.
I didn't realize Felony was a long-running process. I thought you just open it when you want to process some messages, then close it when you're done.
Not the parent, but that stuff adds up when just about everything's written as if it owns the machine and the machine's guaranteed to be blatant overkill.
Disclaimer: it's not my only machine, but I'm posting from a Pi 3. 1GB RAM is roomy for most things that aren't Web browsers and apps that embed Web browsers.
Nice. How do you encrypt something? I see Add Key, Verify, Sign, Decrypt as options. I don’t see Encrypt.
Ok. I get it. You need to add someone else’s key before you can encrypt. It would be nice if I could encrypt messages to myself.
Might I suggest "FreedomKeyper" as an alternate name? Great project!
Did you really have a passion for politics at age 12? This coupled with "I had no trouble using command-line encryption to communicate." makes this read like a farce. First you act like ultimate prodigy that peaked at tender age of 12 and then go boast with mad skills of running a cli command.
Mods, could we have something descriptive added to the title? This single word doesn't really give me any idea what this about. Suggestions (taken from the link)
Felony: Next Level PGP Felony: An open-source PGP keychain built on the modern web
Also, here's the link to the README file. (Nicely done!)
Github's index page (TFA) shows the readme below the files listing.
But the direct link to the README.md file is ‘better’.
Personally I prefer a link to the repository instead of the README. I like to scan the project structure as I scroll down to the README and it also gives me a chance to see how active the project is since GH shows when each file/folder was lost modified.
I could see your point, for sure
I personally like it like this, but if it had to be renamed, that would be the title for sure!
This name is awful. I would never want to contribute to it, nor use it. Nor suggest it to anyone as a solution to anything.
It's the worst name since that framework called "cocaine" with tools and subprojects named after illicit drug market terms.
Yeah, "felony" and "cocaine" are not things I will put on my CV or would like to show up when someone Googles my name.
What's the joke here? That some people are incorrectly labelled felons for what they say and write?
Do you know what most "felons" did to be called that? It's not for what they said and wrote that should be constitutionally protected.[1]
[1] I don't have numbers to back this up. Maybe most people are actually felons for drug possession, but you know what? I don't want to be associated publicly with those actions either. Also do you want to be on this table? https://www.fbi.gov/about-us/cjis/ucr/crime-in-the-u.s/2015/...
Violent crime,Murder,Rape, Robbery, Property crime, Burglary, Larceny-theft,Motor vehicle theft, Arson
>Do you know what most "felons" did to be called that? It's not for what they said and wrote that should be constitutionally protected.
Exercised journalistic integrity and protected an anonymous sources?
http://uscode.house.gov/view.xhtml?path=/prelim@title18/part...
The press is free, as long as it doesn't protect sources that have leaked embarrassing information about the armed forces.
Is that how most felons earned their felony conviction?
Because that's what I asked (rhetorically).
Although the name is ironic, it will reinforce the common vague notion that encryption is something politicized/controversial/illegal, and that's not a good thing for infosec.
Looks great otherwise.
Thanks for the feedback)
the name may be intended to be ironic, but the irony of the irony is that if you are interested in communicating about conducting one or more felonies, I would in fact urge you to use encryption.
I hate when people hate the "if you have nothing to hide, why do you care?" question because it's a valid question. You can answer, "because I fear the creeping growth of a surveillance state like in 1984", but then again, if you do that you no longer get to claim that other "slippery slope arguments are fallacies".
I've been a bigger privacy freak than all of you since before you were born, google my somewhat unusual name, you won't even find me. But still, I enjoy making fun of the groupthink that infects these types of communities.
Ignoring the arrogance, "If you have nothing to hide" isn't a valid question because everyone has something to hide. People have curtains and doors for good reasons, and everyone expects a certain amount of privacy in their lives -- but they don't realise how much they care about it until after they get screwed.
Oh, and it's not a slippery slope fallacy if we literally are headed towards 1984. Not even Orwell thought that social graphs would allow for automated analysis. The NSA doesn't need tele-screens when they have Facebook.
no slippery slope argument is a fallacy when the underlying process can best be described as a slippery slope. "Slippery slope" is not a fallacy, it's an analogy.
I'm in favor of crypto, privacy and the same things you are... I just don't lie about it: criminals are more interested in crypto than the average citizen, so are kiddy pornographers (for those of you who don't think that's a crime). So are "chinese dissidents", but seriously, there are more criminals out there.
my arrogance comes from my ability to be both smart and honest rather than a propagandist.
> criminals are more interested in crypto than the average citizen
That is the problem that should be solved. Everyone should be interested in crypto. You're just spouting arrogance and irrelevant information.
>if you do that you no longer get to claim that other "slippery slope arguments are fallacies".
You probably shouldn't be making that claim, to be honest. It's only a slippery slope fallacy if there's no historical evidence to support it. Part of the reason we record history is so we can tell whether a slippery slope might be a real danger.
There's several instances where a historical collection of information on citizens, done under claims to protect the people, turned into an oppressive regime, sometimes leading to the deaths of innocent citizens. The SS, Stasi and OVRA are all good examples, and a more current example can be found in China.
I've heard about optimizing for developer happiness, but this is kind of silly.
- the app has an unintuitive and harmful name that casts aspersions on the core values it purportedly touts because the developer saw that it was an available .io domain [0]
- This app has a shitton of leftover boilerplate and dev dependencies from a bootstrap scaffold, even though AFAIK there is no testing suite. (Because we all know how safe npm dependencies are...)
- A good number of unnecessary non-dev dependencies too. It includes font-awesome, which seems unnecessary to include in its entirety already...but are there any uses of font-awesome? I did a search for "font-awesome" and "fa-" but couldn't find any.
I understand using boilerplate generators to learn the ropes of creating within a framework...I've done it to learn React and Angular. But to use a scaffold-generator for a niche and highly specialized/sensitive app like this? It can't mean that it's anything more than a toy app. And yet one in which the decision to give it the name "felony" just looks immature on the author's part, meaning that it's not even useful as a resume padder.
Most are focused on the name, which is terrible, while only one other (so far) noticed the big problem: Electron, React, and Redux. A secure messenger needs to have strong endpoint security. Easiest way to do that is using safe, system languages with simple implementation, as few dependencies as possible, and isolation of app from rest of the system. That's one of safe C's, restricted C++, SafeD, Ada/SPARK, Component Pascal, Rust... any of those with portable code for main library plus modules for OS-specific stuff (esp GUI & filesystem). That would have a chance of surviving hackers, esp good ones.
I know almost nothing of the above frameworks. However, Google gave me front pages for each that look more complex in implementation and dependencies than a C, Ada, or Rust app. Unnecessarily so. Secure applications should follow Lean and KISS principles every chance.
Note to author: All that said, if you're just doing it for fun or learning, then that's cool. Also a good area to learn about. :) The above applies to implementations meant to be used in field.
This was also my first reaction. The PGP part might have been audited... but what about the rest of the code? I highly doubt Electron is bullet proof.
Agreed. Although I think that the name is also a problem. It feels like most of the upvotes are coming in because of the pretty image in the readme...
I mention the name in passing as others wrote on it. A lot on it haha.
Your comment on image is possibly also true. I remember much of the press of another messenging app oriented toward privacy came because it advertised as "the beautiful messenger" with many nice pictures. It was Icelandic with .is site but I don't recall name. Versus competition, wasn't much to say in terms of implemented features or security. The U.I. was beautiful, though. ;)
Note: The Apple website takes this technique about as far as it can go outside a dedicated, high-def, image board.
Note 2: I could add Nim to my prior list if there's been any work evaluating it for security-critical applications. Particularly, how it helps or hinders expressing such things plus risk compiler brings in during transformations. Anything on that yet?
> Note 2: I could add Nim to my prior list if there's been any work evaluating it for security-critical applications. Particularly, how it helps or hinders expressing such things plus risk compiler brings in during transformations. Anything on that yet?
Afraid not. Would be awesome to see somebody that is security conscious taking a look at Nim and verifying these things :)
After reading the README I think that "Felony" is a very appropriate name:
... built on the modern web with Electron, React, and Redux.
Building desktop applications with web frameworks should definitely count as a felony.
Guess what the prosecutor will say to the jury in every case involving a defendant who uses this?
"The accused was even using an app named Felony!"
> built on the modern web with Electron, React, and Redux.
Security? Encryption? Privacy?
That's the old web! Use the modern web!
I'm not sure this is the name to use if you want people of only average political commitment to use your app. Although at least it's a striking name.
Thanks! We found it randomly by searching available .io domain names.
The satire writes itself. What's wrong with .org/.net?
Not trendy. I would always prefer .net over .io though, but I'm oldschool.
Clearly you are just another corporate Java and Microsoft drone!
Don't forget to send offset money to Chagos for the social injustice in the IO domain names.
https://gigaom.com/2014/06/30/the-dark-side-of-io-how-the-u-...
i don't think it's worth naming a product based on available domain names. It helps in the branding sure, but it doesn't make up for diastarous names.
Awesome! I'll finally be able to stop using the horrible GPG Keychain app I used to use which didn't even allow pasted public keys.
YES EXACTLY!!!
Really cool, it'd be nice to have a few more screenshots or maybe a video of the usage. It's not fully clear if Felony actually sends the message or only encrypts it and allows you to send the encrypted message in another medium.
Felony only encrypts messages and allows you to send the encrypted message on another medium. Hope that clears this up. Also, I agree more screenshots would be great. Screenshots++
The members page of the github page looks like some sort of criminal record
App doesn't appear to work for me. I downloaded the precompiled windows app, and it loads a window that says "Hello React" and gives error popups too.
I haven't had time to fully test it on Windows, only Mac. The app is still in pre-release. I would love any PRs fixing this issue!
This information should really go into the README
Already added :)
yeah same here I get Javascript errors.
Ah, neat- OpenPGP.js! Stumbled upon this the other day and was impressed that it's already been audited (Cure53).
Hey Tejas, I see your name is in the screenshot ;)
Poor name for an app. And yes it matters.
I understand other posters' concerns about the name, but I have to admit it evokes almost the same level of wry wit of Linus, when he christened 'git'.
In fact, the reception this name is getting is quite ironic. Just think about it, and you might just burst out laughing.
It's not obvious from the readme, how does key exchange work?
Once your key is generated you can click the 'copy' icon to the right of your name in the header. After that you can share the key on any platform you like, including Keybase.io :)
keybase.io... right. I've been waiting for an invite letter for a year.
Please stop referring to non publicly open platforms as they were actually usable.
There is keys.gnupg.net, pool.sks-keyservers.net, pgp.mit.edu, etc. These are the well-known ones that had been around for a while.
What's your username? I have a couple invites.
Should note that I never use the thing since in practice it's easier to fetch my key via traditional methods, a la pgp.mit.edu...
If you ask on /r/keybase you should get an invite pretty quickly, or check to see if there are any people offering invites. Currently I see at least 39 available.
How does it integrate into the web of trust?
Okay, I'll be the contrarian one: I HATE the name.
There have already been trends in the mainstream and right wing media that "If you have nothing to hide, you have nothing to fear", that the NSA only monitors the communication of criminals, and that things like iPhone encryption help terrorists first.
With that in mind, can you imagine the reaction that the average lay-person will have when they see a clickbait headline or morning news report that says "A new app called Felony allows ISIS and online pedophiles to communicate in secret with ease."
It looks like a great app, and I will honestly use it.
But I don't think the name helps the cause of promoting easy and default end-to-end encryption for all to remove the implication that the only people that use it have something to hide.
Nor does it help the cause of explaining to the general public that encryption is something they do use and should use in their own lives.
An "edgy" name can get you in real trouble. The brilliant programmer Dan Farmer [1] who developed the security tool that he named SATAN [2] was fired from his job when he published his program. If you haven't heard of SATAN, it was the most important network security analysis tool in the late 1990s.
I feel certain that the name was the critical factor that made his company so nervous. For a while he had two different names for the program, SATAN and SANTA, to try and reduce the stigma, but it didn't work.
[1] https://en.wikipedia.org/wiki/Dan_Farmer
[2] https://en.wikipedia.org/wiki/Security_Administrator_Tool_fo...
Artists and musicians can get away with invoking (haha) such names for effect. But tech despite its abandonment of the suit is still pretty straight laced and Ivy League at heart and interfaces with a high corporate and financial world that is even more so.
It's okay if your audience is strictly other tech people, but this is built for general use.
http://www.vanityfair.com/news/2013/09/michael-lewis-goldman...
> The Web site Serge had used (which has the word “subversion” in its name) as well as the location of its server (Germany) McSwain clearly found highly suspicious.
Absolutely horrible choice of a name. There's so much BS regarding the use of encryption and it keeps coming up in criminal cases, that normal folks are going to avoid using a think that might somehow be linked with a felony.
And it seems the author is refusing to even have a discussion on the name choice, closing any issues that are opened to address it without comment.
What a great missed opportunity...
Fork it, name it whatever you want.
Problem solved, welcome to open source.
I really dislike this attitude. Sure, you can change the name (or do whatever you want) by forking, but what would that really achieve? Forking for a reason like this without a conversation isn't polite, nor will it likely achieve the best outcome.
What it could achieve is a clone that simply replaces the names and requires very little maintenance. If the community agrees and adopts, then politeness be damned.
Edit: To put the converse: If it's a shitty idea, then no one will use it and it didn't matter that you were polite anyways.
To be fair, this did happen with GCC. But everyone hated everyone else for years as a result. Forking fractures a community -- for something as trivial as this it isn't worth it. But it is worth DoSing the maintainer until they realise that making an encryption program called "Felony" is a brain-dead idea.
I don't think you get the point.
It may be a braindead idea but it's their idea. If you don't like it, fork it.
If you don't like it, write your own.
But don't complain because someone wrote some software and kindly published it for all to use for free.
> It may be a braindead idea but it's their idea. If you don't like it, fork it.
Because that's how PR works. The problem is that it's a publicity problem, not a technical problem. Technical problems are solved by forks, but publicity problems have to be solved by the community.
> But don't complain because someone wrote some software and kindly published it for all to use for free.
And then decided to give it a name that actively bombards the crypto community's efforts to bring encryption to the masses. Sure, it's free software and that's fine. But it's free software that will cause a PR nightmare for no good reason. "Hackers and terrorists are using a new app called 'Felony' to steal your money and freedom." -- That's the headline here.
Yeah, hostile forks for minor reasons go over real well in the open source community. Don't welcome people to a community you obviously don't have much experience in please!
That doesn't solve the problem. Now your problem is you use "X" and nobody knows what that is unless you're going to say "it's a fork of Felony," which puts you back at square one.
You might as well just be offering to not refer to it at all by any name.
An idea which creates a new social problem. Welcome to open source!
There's been a rule: encryption must have terrible UX. Most encryption stuff even has awful UX by command line Linux hacker standards.
Now we have an effort otherwise but... cannot... resist... doing... something... to make it unfriendly...
Luksus begs to differ. http://thomasfrivold.github.io/luksus
It's been 2 years since the author last committed to it: https://github.com/thomasfrivold/luksus
And then?
Agree. Epithets like "darknet", "dark mail", "underground net" etc. along with names like this certainly doesn't help to improve encryption and privacy promoting software image to general public and media. I understand that it's a joke, but only a handful people will get that, for most others it will be another app that enables pedophiles and terrorist to get away with their crimes.
You forgot Bitcoin.
crimes and misdemeanors, i guess, but that's not the goal
This is one of my pet peeves, calling it felony is utterly stupid and childish. Encryption and the use of encryption are serious matters and their PR should be handled with the utmost seriousness.
The first picture that came to mind is this http://i.imgur.com/EyFFRsa.gifv
Suggestions and/or concepts you (OP) want to evoke:
Patriot Freedom Liberty Good Citizen Free Speech America Fourth Amendment Secure In Papers Right To PrivacyI disagree that "America" and "Fourth Amendment" are a good concept, unless you target a very limited subset of humanity.
Patriotism is something I wouldn't like either, I think that's a rather odd concept (and not related to liberty, freedom or security).
Good Citizen sounds like it comes straight from a famous book inventing doublespeak.
Even Free Speech is not a global concept - the way you capitalize it I assume you're after the US version again.
Probably the lesson is (again) that naming things is a hard problem (I agree that Felony might not be a good name too by the way)
Other names have a funny coincidence: Secure In Papers and Right To Privacy. Both SIP and RTP are existing protocols for chat/calls/presence on the internet. Most voip phones use them, so if people started using the initialisms, it could confuse some people in the context of internet message exchange.
I'll add a counter point and say that I like the name. Politicians have a history of inverting meanings, e.g. Patriot Act, Affordable Health Care Act, etc. -- the public is almost conditioned to invert logic to understand things at this point. Personally, I find the terms above to be patronizing and even suspicious in the political context.
The mental operation of inverting the word felony is kind of interesting and thought provoking, IMO.
> the public is almost conditioned to invert logic
Only a Hacker News type of person will invert the logic. The general public won't.
Ask your neighbor to guess the purpose of the Banking Secrecy Act [1]. Does it protect your money and your financial privacy, or does it make banks snitch on you and strip away financial privacy?
Even I was surprised that the name of the law and the actual text are exact opposites.
If you're going to invert meanings, you need to be careful about the polarity. The way politicians (and corporations) do it is, as you observe, to take something bad (that they want to support) and put a good label on it; for obvious reasons, this is a winning move. What's going on here is taking something good and putting a bad label on it; for reasons which should be equally obvious, this is a losing move.
I hear ya. And I'm sure most HN readers understand and share your cynicism. But I think naming it something satirical and anti-double-speak ultimately increases your odds of being misunderstood.
The OP is honestly interested in furthering the right to privacy. State it plainly and simply. (It doesn't inoculate the app from being painted as a terrorist abetter, but it's the best you can do.)
It's almost satirical, which I'm fine with.
That's not ironic inversion of meaning. That's straight up deception.
+1 for Liberty
That's the concept that encapsulates privacy, speech, etc.
The America-centric names are less appealing to me, since many equate "America" with the federal government, which is definitely not the friend of liberty / free speech / privacy.
+1 for 'Privacy'. Liberty is America centric. And privacy is more specific.
> "Liberty is America centric."
I wouldn't say it belongs to any nation, though if it had to belong to one it'd probably be France. The first two things that come to mind when I think of the word 'liberty' are both of French origin:
You're right re: France, but people in the UK, Ireland, Germany and Australia talk much less about liberties than they do about privacy.
Oddly, this government minister [http://news.sky.com/story/1675276/conservative-mp-calls-for-...] was so shocked and outraged about requests for leaders to reveal their tax returns he suggested banning curtains as a equivalent. He's from the same government that collects and reads all email of all citizens.
Hence launching on the 4th of july ;)
Should've called it Liberty. :)
4th Of July
IMO liberty is probably the best name from that list.
Disagree with all of these. Why politicise it at all? Why not just allude to security or communication?
Patriot Paper
Currently, the trending HN commentry is focused on this name, and as much I like a good naming debate, I feel it is distracting from more "significant" concerns, such as...
How does the app handle encryption? Has there been a security review?How are keys handled? How are conversations persisted in the app? Does it use iCloud? Etc...
> How does the app handle encryption? Has there been a security review?
It's built on Electron, React and Redux. There is no security as it is a fundamentally insecure environment.
It's fashionable around here to criticize that tech stack, but do you have anything to back up that claim?
Running a large list of dependencies controlled by someone else. Stores data on disk unencrypted. Stores code that gets executed, on disk in text form unencrypted and unsigned. Executes code while running directly from a website (github).
All in all an order of magnitude less security then a native app to put it mildly.
http://blog.scottlogic.com/2016/03/09/As-It-Stands-Electron-...
Security is very hard. You need carefully constructed apps with carefully chosen dependencies, and generally you want the number of lines of code to be very small.
Anything webkit based is going to lose on all of those points almost immediately. Anything nodejs based is also going to lose on all of those points, because nodejs has a culture of massive dependency stacks run by whomever. Javascript in general is a pretty insecure language, unless you are using explicit subsets but even then javascript has a horrible reputation for security.
Something is better than nothing. I'd rather people use Telegram (pretty well known for terrible crypto) than people use nothing at all. Same with Felony. I'd rather people use bad crypto than no crypto.
But in general it would seem likely that anything built on a webstack has a low chance of passing a security audit. The cultures surrounding the webstack technologies prioritize shipping product and doing cool things over shipping bug-free or secure code. It's one of the reasons that the webstack is so popular. It's easy, and if you ship something buggy it's generally not too bad to go back and fix it later, especially for something like a webpage, because your users will get your updates immediately.
Unfortunately, these endless tangents are becoming increasingly common on HN. I guess these are people who want to show off how smart they are but really don't have anything interesting to say about the topic at hand, so they go for the low-hanging fruits like spelling, layout, titles, and so on.
Calling a "user friendly" encryption program "felony" feels like an attack on encryption. Yes it will evoke a reaction, because if the author didn't do it deliberately to sabotage the PR of the crypto community then they need to be made aware of their mistake.
Of course, there are other concerns (why PGP and not Axolotl or OTR, how on earth does "your key is your username" work without causing other CAP-like issues, etc). But I'm not going to spend any time trying to improve a project that is working against encryption for everyone.
The name is an actual show stopper, and the author is being intransigent about changing it so it's only natural for it to be the lions share of the discussion.
I don't think that's it. Sure, the name is low-hanging fruit, but it's important low-hanging fruit.
Criticizing a name is hardly something that "shows off" smarts. Dismissing everyone for having nothing interesting to say, on the other hand...
A comment about the name is ok, but an endless discussion about it hardly.
At Aleynikov's trial, prosecutors used the name of Subversion to imply nefarious intent.
I just put in an issue to change the name. Looks like one was put in prior and closed without comment by the repo owner. I hope he doesn't think this is some edgy way to be "cool"
EDIT: He closed my issue without comment.
fork it and maintain your own name if you feel strongly about it.
Or maybe he shouldn't be giving opponents of strong encryption a PR gift on a platter.
Agreed. There is real irresponsibility in choosing this name. Thinking that this wont be used against the encryption community is naive and short-sided.
Fully agreed. The name sounds 'cool,' but may end up being the thing that leads to the project's early death. Completely counter-productive.
It doesn't even sound cool to me. "Felony" is an ugly word, meaning aside.
Agreed. I understand the choice, but for the same effect at least pick "no felony" or "NotAFelony" or "Constitutional" just to hope that it gets debated in court whether "Constitutional" is illegal and used by IS*.
I don't think "no felony" has the same ring to it though! ;)
I suggest "Nofello"
I will be the contra-contrarian. I agree that the name makes the app sound illegal. At the same time notoriety could work as a marketing strategy for the app. The clickbait headlines could get the word out there that this app exists. The more people know about the more are likely to use it.
Fair points. The title was kinda a joke originally and then it just stuck.
There's a "rename" button on Github. It will handle redirects for you. Fixing a future PR nightmare couldn't be easier.
It's still a joke.
Five hours on HN, and the name's not changed yet? I'll check the next time this is posted with a usable name. IOW, when you start taking it seriously, so will I.
Says the guy with "Commie" in his nick ;p
Although I think anyone can fork it and rebrand it and always keep the fork up to date. It would be an exact replica, just with a different name.
Fork and rename?
Yeah, and on the other side we have propaganda-names like "USA PATRIOT Act" or "Privacy Shield".
As someone here mentioned:
Those are taking something negative and wrap it in a positive name (positive gain for the author)
We're taking something positive and wrap it in a negative name. This will only cause negative gain. Not only for the author but also for making encryption seem like something evil. This is especially bad time when politicians are trying to ban encryption.
Besides, the name suggests a new Scheme implementation rather than cryptographic software.
On a related note, has anyone had a look at "Pretty Curved Privacy" ?
https://github.com/TLINDEN/pcp
(Just submitted it to hn - I thought there was an old submission, but apparently I was mistaken): https://news.ycombinator.com/item?id=12035081
If felony is PGP protocols wrapped in modern web technology, I suppose pcp is NaCl wrapped in old PGP command line and protocols...
The Gnu Privacy Assistant (GPA, https://www.gnupg.org/(en)/related_software/gpa/screenshots...., bundled with https://www.gpg4win.org/) is also pretty good. Though it does require you to already know the right words and a basic knowledge of GPG.
Call it "privatebits" or something more suggestive that personal informational boundaries and privacy can be healthy for everyone, rather than the highest criminal offense. I understand that there's some irony or sarcasm there, but trust me, those are not timeless, even for people who "get it". Bitter humor is not sustainable in the long run, so relying on that kind of energy probably won't help the cause.
I like the idea of this, and would love to give it a try. I would say, however, that the documentation/instructions are a little bit barebones. I know its just early days, but as a newcomer to node it is pretty difficult to know how to use this. You may also want to include a PGP 101 (or a link to a good get-started guide) because it isn't really common knowledge either
Could have used a hyperbolic name in the other direction. "FreedomKeyper" comes to mind.
This is fantastic. Now all you have to do is add a share button and an extension to the site being shared to. Imagine if all status updates where PGP encrypted, what a wonderful world that would be.
From what I can see, the underlying openpgp js lib does not support GPG Cards (smartcards / newer Yubikeys + others).
Interesting app, and it looks cool, but it rules out usage for me. Why the JS + Electron stack?
Looks like neat little app, read the website, but couldn't find a question i had which popped up instantly when i launched the app.
Is it possible to use existing PGP keys with Felony?
What are the benefits of this over something like Keybase?
Nice user interface and packaged in a desktop app, I would assume. You can use it in tandem with Keybase for the key discovery.
Really great app. I was alway in search for open-source tool as this. Didn't get time to check yet. But have to soon.
Would be better to use a small GUI library, avoiding Webkit / Chromium, for memory usage and security.
Change the name.
What's the state of WebCrypto APIs, and is it already possible to avoid ciphers written and deployed in JS?
Attackable via dependencies
Call it Enigma
committing felony. it's a github pun meta isn't it.