I’ve had a passion for politics, history, and programming since the age of 12 growing up in a suburb of Chicago. During my freshman year, I developed an interest in software. A couple of apps and hackathons (programming competitions) later, I was working on my own startups when I made the leap to drop out of high school to become a software engineer at a venture-backed tech startup.
While working there I learned that PGP encryption was the tool used by Edward Snowden to securely send messages to journalists. The immense value of encryption as a core component of our free society became clear to me. Amongst fellow coders, I had no trouble using command-line encryption to communicate. But my friends who didn’t code couldn’t easily do the same since they don’t know how to use the command-line. Given how important encryption is, I decided to build a first-rate encryption tool that could be used by anyone on any website, regardless of background.
This looks like an interesting project but has a poor name choice. If it's targeted at non-technical users, it may actually prevent them from using it, out of fear that just using it is illegal.
I immediately know what you mean since I was born and raised in the US, but most people will be left scratching their heads unless they're really well versed in the historical legislation of other countries. (I consider myself fairly well versed in international relations, but if someone made an app referring to a specific UK Act of Parliament I'd be confused.) But I agree, Felony isn't the best name.
It would make me unwilling to use it, due to being clearly pro-American. While it's the American government that is most likely to be spying on me. Awful name, felony is better.
I'm sorry but as a non-US person it's been made very clear to me that I have zero rights, zero laws to depend on and zero expectations of privacy. Calling it "the fourth" is like rubbing that in my face, leaving a rather bad taste.
But that's a video game that purports to celebrate grand theft auto (among other lawlessness). Is the OP's purpose to simulate the commission of a felony? Because those who believe in encryption for everyone believe that encrypted chat should not be a felony.
I would consider naming it something other than a common English phrase, honestly. I know it's the big trend these days, but it's making things incredibly hard to search for. Try searching for the messaging service "matrix" and the matrix client "vector". Insane amount of namespace collision there.
Best to go with something like Freechain or something so at least people can search for it.
"Freechain" is great. It passes the cognate test (sounds like "keychain," which it is), and the "free" part gives it the multiple meanings of both FOSS and freedom from surveillance. Euphony is pretty high, and it looks fairly low-noise on Google, too.
I agree that Freedom is a nice choice, but "Freedom" is already in use by a somewhat well-known website/social media blocker (as in "freedom from all those distractions"):
Still, other suggestions are coming up in this thread that may be of use. I really like the idea of a name that, for a non-technical user, can be a lead-in to answering "why do I want this app? what does it do for me?"
In that famous Goldman Sachs "theft" case, use of a tool called "Subversion" (which any IT person knows is just vanilla version control software) was taken by the FBI as evidence of malicious intent.
Words have meaning and are way more important than you could even imagine. We don't think with words, we use words to think.
One example comes to mind, back in the day people used to use the word "Exploited" to talk about workers being drained of their life force. When you say exploited you assume that there is an exploiter, that someone is guilty of that worker's shitty life.
Now we mostly say the "Disenfranchised" or "Disadvantaged" which takes the "Exploiter" out of the equation entirely and puts the workers' plight mostly on the back of bad luck than anything else.
"It's just a word which makes it stand out as a product"
So you think calling a product "nigger" is a good idea? It's just a word and it would certainly stand out.
(Before responding directly to my comment, please consider that I'm criticizing your logic, and don't actually want anyone to create a product with a hateful name)
I disagree. If someone has deactivated their own humanity enough to say "It's just a word" then they probably need a shocking reminder of the power of words. Making an abstract argument about words won't move the needle for a wet robot.
Same idea -- strong crypto that's usable for anyone. It uses the OTR Ratchet protocol which uses perfect forward secrecy. The app also provides a way to verify keys through an OOB channel.
I would recommend considering OTR Ratchet integration just like WhatsApp did recently.
PGP is not a good design choice for a messaging app as you're always using asymmetric crypto operations which are computationally intense -- not terrible on modern computers but will be dreadful on mobile devices. Also can you provide some more documentation on how the app leverages PGP? Hopefully conversation is not using the same private keys to encrypt. That is vulnerable to data or side channel leakage. The modern approach is to generate and exchange an ephemeral key. Also please provide information on key storage.
Rather than making vague security claims like "first-rate" and "Security++ to the greatest extreme" you should rather provide a threat model and explain why one can remain confidential and have authenticity against particular types of adversaries. No security tool is perfect and it's only a matter of time before an adversary breaks it. Developers are doing a disservice by claiming anything more.
Before you can claim a first-rate security tool you will need to face a lot of scrutiny first.
PGP is a great choice when you want to be able to send encrypted messages over any channel you want. It sounds like you do not understand how PGP works -- you exchange public keys over a trusted medium and then use public key cryptography to encrypt the AES key used to encrypt the rest of the message.
The OpenPGP library it uses has been audited (twice). Most of the mistakes that could have been made are avoided this way.
Edit: Yes, you lose PFS by using PGP, but it would not really be possible to negotiate PFS via, say, email.
> PGP is a great choice when you want to be able to send encrypted messages over any channel you want.
That has nothing to do with PGP. You could do the same by base64-ing an OTR session (in fact, people do that all the time).
I don't like the choice of PGP because it has non-repudiability. If you send me a message, I can prove to anyone in the world that you sent me the message. OTR and Axolotl don't have this problem (only I can be sure you sent me the message and I cannot prove that I didn't fake it to anyone else).
> That has nothing to do with PGP. You could do the same by base64-ing an OTR session (in fact, people do that all the time).
But PGP also works for printing stuff on a post-card (or you know, email) - asynchronous communication. While Axolotl does push OTR-like modes towards asynchronous use - they do involve a lot more than getting hold of a public key (say, one published in a magazine, or shown in a frame of a movie, or...).
There's been an argument since the early crypto-wars about whether gpg/pgp could (should) be made easier to use. And I absolutely think it could (and should).
Key distribution is still hard, but it's not helped by a silly cli app, and no great recommendations on how to manage trust (I suppose the gist is: get a hw token for your key, print a backup and store a revocation order in a safe, sign keys you trust and upload them to the keyservers. But even if that list seems easy, users are left with questions like: which hw tokens should I use? When I lose it, "re-trusting" keys? How big a problem is it that I've just exported meta-data about who I communicate with? Which clients easily integrate with my hw token so that I can use gpg on my smart phones, my laptop and my desktop? What if my phone lacks NFC? Can't use USB host? And last, but certainly not least -- why isn't there a fork of gpg2 that does "the right thing(tm)" out of the box -- and make this "best of breed" flow easy, rather than making all kinds of sub-key shenanigans equally cryptic?)
If you don't need PFS (which you should need) then you can use DH to create the shared key you use for the HMAC. Maybe you could even do an original OTR-like ratchet scheme (only change the key once the recipient shows that they are using the new key) to get PFS. But in principle if you assume that key distribution is "solved" then you can implement the unique parts of OTR.
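The scheme sketched in this comment (a DH-derived shared key feeding the HMAC, plus an OTR-like "only rotate once the recipient shows they use the new key" ratchet), together with the deniability point from the earlier PGP-vs-OTR comment, as an added example that is not code from the thread or from Felony. Assumptions of my own: RFC 3526 group 14 as the DH group, SHA-256 for key derivation, an HMAC counter-mode keystream standing in for AES (the standard library has none), the first public keys exchanged over an authenticated channel, and a simplified key-id bookkeeping modelled loosely on OTR rather than OTR's actual wire format.

```python
"""OTR-style DH ratchet with deniable HMAC authentication (stdlib only).
The MAC key comes from a DH secret BOTH parties can compute, so the MAC proves
the sender to the peer but nothing to a third party (deniable, unlike a PGP
signature). Each message advertises a fresh DH public key; a party erases an old
private key only once the peer has shown it uses the new one, so earlier
ciphertexts become undecryptable (forward secrecy). The first public keys are
assumed to arrive over an authenticated channel."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14: 2048-bit MODP prime, generator 2.
P = int("""
FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74
020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437
4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED
EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05
98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB
9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B
E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718
3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF
""".replace("\n", ""), 16)
G = 2

def keystream_xor(key, data):
    """HMAC-SHA256 counter-mode keystream, a stand-in for AES-CTR (not in stdlib).
    Safe only because every message gets a fresh key (ctr is in the header)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)

def header(msg):
    """Authenticated header: key ids, message counter and the advertised next key."""
    return b"%d|%d|%d|%d|%x" % (msg["sender_kid"], msg["recipient_kid"],
                                msg["ctr"], msg["next_kid"], msg["next_pub"])

class Party:
    def __init__(self):
        self.keys, self.peer_pubs = {}, {}       # own kid -> priv, peer kid -> pub
        self.next_kid, self.ctr, self.peer_kid = 0, 0, 0
        self.acked = self._new_key()             # newest own key the peer has used
        self.pending = self._new_key()           # advertised, not yet used by peer

    def _new_key(self):
        self.next_kid += 1
        self.keys[self.next_kid] = secrets.randbelow(P - 3) + 2
        return self.next_kid

    def public(self, kid):
        return pow(G, self.keys[kid], P)

    def learn_peer_key(self, kid, pub):
        if not 2 <= pub <= P - 2:                # reject degenerate public values
            raise ValueError("bad DH public value")
        self.peer_pubs[kid] = pub
        self.peer_kid = max(self.peer_kid, kid)
        for old in [k for k in self.peer_pubs if k < self.peer_kid - 1]:
            del self.peer_pubs[old]              # keep only the newest two

    def derive(self, own_kid, peer_kid, hdr):
        """(encryption key, MAC key) from the DH secret and the header. Both sides
        reach identical keys; that shared MAC key is what makes the MAC deniable."""
        ikm = pow(self.peer_pubs[peer_kid], self.keys[own_kid], P).to_bytes(256, "big") + hdr
        return hashlib.sha256(ikm + b"enc").digest(), hashlib.sha256(ikm + b"mac").digest()

    def send(self, plaintext):
        self.ctr += 1
        msg = {"sender_kid": self.acked, "recipient_kid": self.peer_kid, "ctr": self.ctr,
               "next_kid": self.pending, "next_pub": self.public(self.pending)}
        enc_key, mac_key = self.derive(self.acked, self.peer_kid, header(msg))
        msg["ct"] = keystream_xor(enc_key, plaintext)
        msg["mac"] = hmac.new(mac_key, header(msg) + msg["ct"], hashlib.sha256).digest()
        return msg

    def receive(self, msg):
        if msg["sender_kid"] not in self.peer_pubs or msg["recipient_kid"] not in self.keys:
            raise ValueError("keys for this message were already erased")
        enc_key, mac_key = self.derive(msg["recipient_kid"], msg["sender_kid"], header(msg))
        tag = hmac.new(mac_key, header(msg) + msg["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, msg["mac"]):      # verify before decrypting
            raise ValueError("MAC check failed")
        plaintext = keystream_xor(enc_key, msg["ct"])
        if msg["next_kid"] > self.peer_kid:                # adopt the peer's new key
            self.learn_peer_key(msg["next_kid"], msg["next_pub"])
        if msg["recipient_kid"] == self.pending:           # peer switched to our new key:
            del self.keys[self.acked]                      # erase the old private key
            self.acked, self.pending = self.pending, self._new_key()
        return plaintext

def demo():
    alice, bob = Party(), Party()
    alice.learn_peer_key(1, bob.public(1))   # constructed: authenticated first exchange
    bob.learn_peer_key(1, alice.public(1))
    m1 = alice.send(b"hi"); p1 = bob.receive(m1)
    m2 = bob.send(b"hello"); p2 = alice.receive(m2)
    m3 = alice.send(b"again"); p3 = bob.receive(m3)
    return alice, bob, [m1, m2, m3], [p1, p2, p3]
```

After the third message neither party still holds key 1, so the first message can no longer be decrypted by anyone, while both can still compute the MAC key of the latest message, which is exactly why that MAC proves nothing to an outsider.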
I'm not sure, you're saying the format and message standards of PGP of providing machine-readable signed keys aren't worth anything, because you can just memorize some base64 coded secrets and run with it?
That's how you'd prefer to bootstrap secure communication with a journalist, or for recruiting people to demonstrate against the current regime in Egypt?
> But in principle if you assume that key distribution is "solved" then you can implement the unique parts of OTR.
How can it make sense to think of it as solved? How do you backup your keys? Your list of trusted keys? Protect them against theft? Alert others to their compromise? Get alerted when keys are compromised?
Key distribution really is the only really interesting problem in secure, trusted, communication (with secure one time pads, most problems go away. The trick is to make sure you have secure one time pads, shared only with the person(s) you want to communicate with...).
Public key encryption opens up some new ways to make the problem easier, but it's just one step in the right direction.
My point was that if PGP was suitable for "usable" encryption (which is the whole point of this program), then you could use the same key distribution methods but use Axolotl.
Hi! The app looks great. Can you speak a bit more about the interaction? How would two people who just downloaded Felony send an encrypted message to each other?
1. Add public keys to your buddies list—
A public key is like a username - Adding someone’s public key to your buddies list lets you send them messages. You can find other public keys on markets like keybase.io and darknet.
2. Encrypt a message—
Select a recipient from your buddies list and compose a message. Only your chosen recipient(s) can read the message. Encrypted messages might contain sensitive information, such as an address, document, or anything intended to be read only by intended recipients.
3. Send the encrypted message anywhere—
You can send the encrypted message on any website! For example, facebook messenger, twitter direct message, or youtube. Felony is security when and where you want it.
1. Why did you choose PGP, when we have OTR and Axolotl -- which are specifically designed for informal communication where repudiation (recipient Y not being able to prove to others that X sent the original message) matters.
2. How are the public keys securely distributed? You say that "a public key is like a username", but without a central authority you hit a lot of issues (essentially the CAP tradeoff, but for user IDs). And with a central authority, you have no trustworthiness. Or are the users just meant to find public keys themselves (in which case you're back to the current state of affairs).
3. The name choice is stupid. Why on earth would anyone sane in this political climate call an encryption program "Felony"?
Schools are a way for parents to send their kids to a reliable daycare service. At a certain level, some don't really learn anything there. I did as much as I did (college) to pass among the clueless as normal but wish I had more opportunities to avoid it altogether.
I dropped out after my sophomore year - I had recently moved to the States from Europe, and school was teaching things that I had already been taught a few years prior to that. I was completely bored and decided I was done with school. Getting my GED was really easy, and from there I have had a great career - while it may have hurt me in the beginning, I now have 20 years of relevant work experience behind me, it's generally not a concern to myself or any of my past employers - and if I were to interview somewhere that took issue with it, it's probably not somewhere I would want to work.
Is it geared to mobile devices? The screenshot looks very much like one from a mobile. I wouldn't trust my phone's underlying security architecture enough to store a PGP private key on the device.
PS: I love the name. You did a good job with it creating a buzz. It made me laugh and curious enough to take a look. Maybe pointing out on your site that "privacy is a human right" and the name should remind us of that rather than succumbing to peer-pressure, in the hope of not offending the 0.01% of your non-tech savvy users.
So many comments about the name. All of a sudden I have a strange urge to see the next big open source project name themselves fjoi43isoitoei. Because names of technology projects only have as much importance as the reader attributes to them. If you can't see beyond that, and if your primary focus is what others might think of you because of what you named your project, I don't know what to say to you.
Just curious: Are you running on a Raspberry Pi or other machine with constrained resources? 130MB is less than 4% of the memory in most modern computers, and less than 10% of most mid-range phones.
Just to be nice I'll assume you ask earnestly and answer earnestly: I have 16 GB of RAM. However I also always have more than one app running at any given time. In fact, my system usually has 200+ things running. I also don't mind if things use a lot of memory if: They either use it to give me a lot of bang for my buck, or are not long-running processes. Felony ticks neither of these boxes.
Also do keep in mind that the 130MB number is right after start without even logging in or using it at all. Due to memory usage by actual feature usage, and creep due to leaks, I can expect that number to easily double and more.
I'm not sure that the doubling guess is going to be accurate. The majority of that 130MB is going to be in the overhead of keeping a separate copy of Chromium in memory, not in the implementation of current features.
My experience with Web browsers is they expand to fill all available memory and then some. This Firefox process has grown more than 50% since launch, and will stay mostly that big even if I close all but one new tab.
Chrome does a better job of containing the damage to individual tabs, but I'm not sure how much that really helps with something like this. And of course, eventually I still end up killing Chrome periodically to get RAM back for real work, like running VMs without the host thrashing.
Not the parent, but that stuff adds up when just about everything's written as if it owns the machine and the machine's guaranteed to be blatant overkill.
Disclaimer: it's not my only machine, but I'm posting from a Pi 3. 1GB RAM is roomy for most things that aren't Web browsers and apps that embed Web browsers.
Did you really have a passion for politics at age 12? This coupled with "I had no trouble using command-line encryption to communicate." makes this read like a farce. First you act like the ultimate prodigy that peaked at the tender age of 12 and then go boast with mad skills of running a cli command.
Mods, could we have something descriptive added to the title? This single word doesn't really give me any idea what this is about. Suggestions (taken from the link):
Felony: Next Level PGP
Felony: An open-source PGP keychain built on the modern web
Personally I prefer a link to the repository instead of the README. I like to scan the project structure as I scroll down to the README and it also gives me a chance to see how active the project is since GH shows when each file/folder was last modified.
This name is awful. I would never want to contribute to it, nor use it. Nor suggest it to anyone as a solution to anything.
It's the worst name since that framework called "cocaine" with tools and subprojects named after illicit drug market terms.
Yeah, "felony" and "cocaine" are not things I will put on my CV or would like to show up when someone Googles my name.
What's the joke here? That some people are incorrectly labelled felons for what they say and write?
Do you know what most "felons" did to be called that? It's not for what they said and wrote that should be constitutionally protected.[1]
[1] I don't have numbers to back this up. Maybe most people are actually felons for drug possession, but you know what? I don't want to be associated publicly with those actions either. Also do you want to be on this table? https://www.fbi.gov/about-us/cjis/ucr/crime-in-the-u.s/2015/...
Although the name is ironic, it will reinforce the common vague notion that encryption is something politicized/controversial/illegal, and that's not a good thing for infosec.
the name may be intended to be ironic, but the irony of the irony is that if you are interested in communicating about conducting one or more felonies, I would in fact urge you to use encryption.
I hate when people hate the "if you have nothing to hide, why do you care?" question because it's a valid question. You can answer, "because I fear the creeping growth of a surveillance state like in 1984", but then again, if you do that you no longer get to claim that other "slippery slope arguments are fallacies".
I've been a bigger privacy freak than all of you since before you were born, google my somewhat unusual name, you won't even find me. But still, I enjoy making fun of the groupthink that infects these types of communities.
Ignoring the arrogance, "If you have nothing to hide" isn't a valid question because everyone has something to hide. People have curtains and doors for good reasons, and everyone expects a certain amount of privacy in their lives -- but they don't realise how much they care about it until after they get screwed.
Oh, and it's not a slippery slope fallacy if we literally are headed towards 1984. Not even Orwell thought that social graphs would allow for automated analysis. The NSA doesn't need tele-screens when they have Facebook.
no slippery slope argument is a fallacy when the underlying process can best be described as a slippery slope. "Slippery slope" is not a fallacy, it's an analogy.
I'm in favor of crypto, privacy and the same things you are... I just don't lie about it: criminals are more interested in crypto than the average citizen, so are kiddy pornographers (for those of you who don't think that's a crime). So are "chinese dissidents", but seriously, there are more criminals out there.
my arrogance comes from my ability to be both smart and honest rather than a propagandist.
>if you do that you no longer get to claim that other "slippery slope arguments are fallacies".
You probably shouldn't be making that claim, to be honest. It's only a slippery slope fallacy if there's no historical evidence to support it. Part of the reason we record history is so we can tell whether a slippery slope might be a real danger.
There's several instances where a historical collection of information on citizens, done under claims to protect the people, turned into an oppressive regime, sometimes leading to the deaths of innocent citizens. The SS, Stasi and OVRA are all good examples, and a more current example can be found in China.
I've heard about optimizing for developer happiness, but this is kind of silly.
- the app has an unintuitive and harmful name that casts aspersions on the core values it purportedly touts because the developer saw that it was an available .io ___domain [0]
- This app has a shitton of leftover boilerplate and dev dependencies from a bootstrap scaffold, even though AFAIK there is no testing suite. (Because we all know how safe npm dependencies are...)
- A good number of unnecessary non-dev dependencies too. It includes font-awesome, which seems unnecessary to include in its entirety already...but are there any uses of font-awesome? I did a search for "font-awesome" and "fa-" but couldn't find any.
I understand using boilerplate generators to learn the ropes of creating within a framework...I've done it to learn React and Angular. But to use a scaffold-generator for a niche and highly specialized/sensitive app like this? It can't mean that it's anything more than a toy app. And yet one in which the decision to give it the name "felony" just looks immature on the author's part, meaning that it's not even useful as a resume padder.
Most are focused on the name, which is terrible, while only one other (so far) noticed the big problem: Electron, React, and Redux. A secure messenger needs to have strong endpoint security. Easiest way to do that is using safe, system languages with simple implementation, as few dependencies as possible, and isolation of app from rest of the system. That's one of safe C's, restricted C++, SafeD, Ada/SPARK, Component Pascal, Rust... any of those with portable code for main library plus modules for OS-specific stuff (esp GUI & filesystem). That would have a chance of surviving hackers, esp good ones.
I know almost nothing of the above frameworks. However, Google gave me front pages for each that look more complex in implementation and dependencies than a C, Ada, or Rust app. Unnecessarily so. Secure applications should follow Lean and KISS principles every chance.
Note to author: All that said, if you're just doing it for fun or learning, then that's cool. Also a good area to learn about. :) The above applies to implementations meant to be used in field.
I mention the name in passing as others wrote on it. A lot on it haha.
Your comment on image is possibly also true. I remember much of the press of another messaging app oriented toward privacy came because it advertised as "the beautiful messenger" with many nice pictures. It was Icelandic with .is site but I don't recall name. Versus competition, wasn't much to say in terms of implemented features or security. The U.I. was beautiful, though. ;)
Note: The Apple website takes this technique about as far as it can go outside a dedicated, high-def, image board.
Note 2: I could add Nim to my prior list if there's been any work evaluating it for security-critical applications. Particularly, how it helps or hinders expressing such things plus risk compiler brings in during transformations. Anything on that yet?
> Note 2: I could add Nim to my prior list if there's been any work evaluating it for security-critical applications. Particularly, how it helps or hinders expressing such things plus risk compiler brings in during transformations. Anything on that yet?
Afraid not. Would be awesome to see somebody that is security conscious taking a look at Nim and verifying these things :)
I don't think it's worth naming a product based on available ___domain names. It helps in the branding sure, but it doesn't make up for disastrous names.
Really cool, it'd be nice to have a few more screenshots or maybe a video of the usage. It's not fully clear if Felony actually sends the message or only encrypts it and allows you to send the encrypted message in another medium.
Felony only encrypts messages and allows you to send the encrypted message on another medium. Hope that clears this up. Also, I agree more screenshots would be great. Screenshots++
I understand other posters' concerns about the name, but I have to admit it evokes almost the same level of wry wit of Linus, when he christened 'git'.
In fact, the reception this name is getting is quite ironic. Just think about it, and you might just burst out laughing.
Once your key is generated you can click the 'copy' icon to the right of your name in the header. After that you can share the key on any platform you like, including Keybase.io :)
If you ask on /r/keybase you should get an invite pretty quickly, or check to see if there are any people offering invites. Currently I see at least 39 available.
Okay, I'll be the contrarian one: I HATE the name.
There have already been trends in the mainstream and right wing media that "If you have nothing to hide, you have nothing to fear", that the NSA only monitors the communication of criminals, and that things like iPhone encryption help terrorists first.
With that in mind, can you imagine the reaction that the average lay-person will have when they see a clickbait headline or morning news report that says "A new app called Felony allows ISIS and online pedophiles to communicate in secret with ease."
It looks like a great app, and I will honestly use it.
But I don't think the name helps the cause of promoting easy and default end-to-end encryption for all to remove the implication that the only people that use it have something to hide.
An "edgy" name can get you in real trouble. The brilliant programmer Dan Farmer [1] who developed the security tool that he named SATAN [2] was fired from his job when he published his program. If you haven't heard of SATAN, it was the most important network security analysis tool in the late 1990s.
I feel certain that the name was the critical factor that made his company so nervous. For a while he had two different names for the program, SATAN and SANTA, to try and reduce the stigma, but it didn't work.
Artists and musicians can get away with invoking (haha) such names for effect. But tech, despite its abandonment of the suit, is still pretty strait-laced and Ivy League at heart and interfaces with a high corporate and financial world that is even more so.
It's okay if your audience is strictly other tech people, but this is built for general use.
> The Web site Serge had used (which has the word “subversion” in its name) as well as the ___location of its server (Germany) McSwain clearly found highly suspicious.
Absolutely horrible choice of a name. There's so much BS regarding the use of encryption and it keeps coming up in criminal cases, that normal folks are going to avoid using a thing that might somehow be linked with a felony.
I really dislike this attitude. Sure, you can change the name (or do whatever you want) by forking, but what would that really achieve? Forking for a reason like this without a conversation isn't polite, nor will it likely achieve the best outcome.
What it could achieve is a clone that simply replaces the names and requires very little maintenance. If the community agrees and adopts, then politeness be damned.
Edit: To put the converse: If it's a shitty idea, then no one will use it and it didn't matter that you were polite anyways.
To be fair, this did happen with GCC. But everyone hated everyone else for years as a result. Forking fractures a community -- for something as trivial as this it isn't worth it. But it is worth DoSing the maintainer until they realise that making an encryption program called "Felony" is a brain-dead idea.
> It may be a braindead idea but it's their idea. If you don't like it, fork it.
Because that's how PR works. The problem is that it's a publicity problem, not a technical problem. Technical problems are solved by forks, but publicity problems have to be solved by the community.
> But don't complain because someone wrote some software and kindly published it for all to use for free.
And then decided to give it a name that actively bombards the crypto community's efforts to bring encryption to the masses. Sure, it's free software and that's fine. But it's free software that will cause a PR nightmare for no good reason. "Hackers and terrorists are using a new app called 'Felony' to steal your money and freedom." -- That's the headline here.
Yeah, hostile forks for minor reasons go over real well in the open source community. Don't welcome people to a community you obviously don't have much experience in please!
That doesn't solve the problem. Now your problem is you use "X" and nobody knows what that is unless you're going to say "it's a fork of Felony," which puts you back at square one.
You might as well just be offering to not refer to it at all by any name.
Agree. Epithets like "darknet", "dark mail", "underground net" etc. along with names like this certainly don't help to improve the image of encryption and privacy promoting software with the general public and media. I understand that it's a joke, but only a handful of people will get that; for most others it will be another app that enables pedophiles and terrorists to get away with their crimes.
This is one of my pet peeves, calling it felony is utterly stupid and childish. Encryption and the use of encryption are serious matters and their PR should be handled with the utmost seriousness.
Other names have a funny coincidence: Secure In Papers and Right To Privacy. Both SIP and RTP are existing protocols for chat/calls/presence on the internet. Most voip phones use them, so if people started using the initialisms, it could confuse some people in the context of internet message exchange.
I'll add a counter point and say that I like the name. Politicians have a history of inverting meanings, e.g. Patriot Act, Affordable Health Care Act, etc. -- the public is almost conditioned to invert logic to understand things at this point. Personally, I find the terms above to be patronizing and even suspicious in the political context.
The mental operation of inverting the word felony is kind of interesting and thought provoking, IMO.
> the public is almost conditioned to invert logic
Only a Hacker News type of person will invert the logic. The general public won't.
Ask your neighbor to guess the purpose of the Banking Secrecy Act [1]. Does it protect your money and your financial privacy, or does it make banks snitch on you and strip away financial privacy?
Even I was surprised that the name of the law and the actual text are exact opposites.
If you're going to invert meanings, you need to be careful about the polarity. The way politicians (and corporations) do it is, as you observe, to take something bad (that they want to support) and put a good label on it; for obvious reasons, this is a winning move. What's going on here is taking something good and putting a bad label on it; for reasons which should be equally obvious, this is a losing move.
I hear ya. And I'm sure most HN readers understand and share your cynicism. But I think naming it something satirical and anti-double-speak ultimately increases your odds of being misunderstood.
The OP is honestly interested in furthering the right to privacy. State it plainly and simply. (It doesn't inoculate the app from being painted as a terrorist abetter, but it's the best you can do.)
That's the concept that encapsulates privacy, speech, etc.
The America-centric names are less appealing to me, since many equate "America" with the federal government, which is definitely not the friend of liberty / free speech / privacy.
I wouldn't say it belongs to any nation, though if it had to belong to one it'd probably be France. The first two things that come to mind when I think of the word 'liberty' are both of French origin:
You're right re: France, but people in the UK, Ireland, Germany and Australia talk much less about liberties than they do about privacy.
Oddly, this government minister [http://news.sky.com/story/1675276/conservative-mp-calls-for-...] was so shocked and outraged about requests for leaders to reveal their tax returns he suggested banning curtains as an equivalent. He's from the same government that collects and reads all email of all citizens.
Currently, the trending HN commentry is focused on this name, and as much I like a good naming debate, I feel it is distracting from more "significant" concerns, such as...
How does the app handle encryption?
Has there been a security review? How are keys handled?
How are conversations persisted in the app? Does it use iCloud?
Etc...
Running a large list of dependencies controlled by someone else. Stores data on disk unencrypted. Stores code that gets executed, on disk in text form unencrypted and unsigned. Executes code while running directly from a website (github).
All in all, an order of magnitude less security than a native app, to put it mildly.
Security is very hard. You need carefully constructed apps with carefully chosen dependencies, and generally you want the number of lines of code to be very small.
Anything webkit based is going to lose on all of those points almost immediately. Anything nodejs based is also going to lose on all of those points, because nodejs has a culture of massive dependency stacks run by whomever. Javascript in general is a pretty insecure language, unless you are using explicit subsets but even then javascript has a horrible reputation for security.
Something is better than nothing. I'd rather people use Telegram (pretty well known for terrible crypto) than people use nothing at all. Same with Felony. I'd rather people use bad crypto than no crypto.
But in general it would seem likely that anything built on a webstack has a low chance of passing a security audit. The cultures surrounding the webstack technologies prioritize shipping product and doing cool things over shipping bug-free or secure code. It's one of the reasons that the webstack is so popular. It's easy, and if you ship something buggy it's generally not too bad to go back and fix it later, especially for something like a webpage, because your users will get your updates immediately.
Unfortunately, these endless tangents are becoming increasingly common on HN. I guess these are people who want to show off how smart they are but really don't have anything interesting to say about the topic at hand, so they go for the low-hanging fruits like spelling, layout, titles, and so on.
Calling a "user friendly" encryption program "felony" feels like an attack on encryption. Yes it will evoke a reaction, because if the author didn't do it deliberately to sabotage the PR of the crypto community then they need to be made aware of their mistake.
Of course, there are other concerns (why PGP and not Axolotl or OTR, how on earth does "your key is your username" work without causing other CAP-like issues, etc). But I'm not going to spend any time trying to improve a project that is working against encryption for everyone.
The name is an actual show stopper, and the author is being intransigent about changing it, so it's only natural for it to be the lion's share of the discussion.
I just put in an issue to change the name. Looks like one was put in prior and closed without comment by the repo owner. I hope he doesn't think this is some edgy way to be "cool".
Agreed. There is real irresponsibility in choosing this name. Thinking that this won't be used against the encryption community is naive and short-sighted.
Agreed. I understand the choice, but for the same effect at least pick "no felony" or "NotAFelony" or "Constitutional" just to hope that it gets debated in court whether "Constitutional" is illegal and used by IS*.
I will be the contra-contrarian. I agree that the name makes the app sound illegal. At the same time, notoriety could work as a marketing strategy for the app. The clickbait headlines could get the word out there that this app exists. The more people know about it, the more are likely to use it.
Five hours on HN, and the name's not changed yet? I'll check the next time this is posted with a usable name. IOW, when you start taking it seriously, so will I.
Those are taking something negative and wrapping it in a positive name (positive gain for the author).
We're taking something positive and wrapping it in a negative name. This will only cause negative gain, not only for the author but also for making encryption seem like something evil. This is an especially bad time, when politicians are trying to ban encryption.
Call it "privatebits" or something more suggestive that personal informational boundaries and privacy can be healthy for everyone, rather than the highest criminal offense. I understand that there's some irony or sarcasm there, but trust me, those are not timeless, even for people who "get it". Bitter humor is not sustainable in the long run, so relying on that kind of energy probably won't help the cause.
I like the idea of this, and would love to give it a try. I would say, however, that the documentation/instructions are a little bit barebones. I know it's just early days, but as a newcomer to node it is pretty difficult to know how to use this. You may also want to include a PGP 101 (or a link to a good get-started guide) because it isn't really common knowledge either.
This is fantastic. Now all you have to do is add a share button and an extension to the site being shared to. Imagine if all status updates were PGP encrypted; what a wonderful world that would be.