[liberationtech] Peer-review required: SwaTwt and TweedleDH
Uncle "The Dod" Zzzen
unclezzzen at gmail.com
Tue Sep 28 10:52:08 PDT 2010
I've lately developed 2 nomadic-crypto tools (based on 2002 work by
magaf.org RIP):
* SwaTwt (sealed with a Tweet) - symmetric encryption in JavaScript,
with pastebin and [optional] Twitter integration.
Source: http://github.com/thedod/SwaTwt
Working site: http://SwaTwt.com
* TweedleDH - a desktop app for creating a shared secret with a peer
(Diffie-Hellman key exchange) over IM or Twitter.
Source: http://github.com/thedod/tweedledh/
There's also a tutorial at http://j.mp/privacy4dummies
Goals:
1) The system tries to be as nomadic as possible: zero installation for
SwaTwt, zero configuration for TweedleDH, no keys are stored. It tries
to keep the code small and simple enough for review (no binaries - of
course).
2) It also tries to address laypeople. Now that is a risky thing to do,
since - as Bruce Schneier says - "If you think technology can solve your
security problems, then you don't understand the problems and you don't
understand the technology". Still - the goal should be that any sensible
person who reads the documentation would be able to use all this rope
without ending up hanging from it. We can expect some people not to use
the system wisely, but they also contribute to the signal-to-noise
ratio :) On the other hand - the documentation shouldn't be
prohibitively long or too complicated. Bottom line - feedback on
documentation (or alternative documentation) is especially important in
this case.
3) Another goal of the system is integration with twitter (although you
can use it for one-on-one communication over IM without worrying about
all this). One of the reasons is not to pursue joindiaspora's idea of
making an alternative to an existing social network (facebook), but to
provide a 3rd party tool (like twitpic or twitlonger) to solve a small
ad-hoc need. Less code, fewer bugs, fewer configuration errors, fewer
vulnerabilities. SwaTwt does a lot less than what diaspora intends to do
(the day my mom gets to run a node on *her* PC), but it runs on my cheap
J2ME phone today.
There's a lot of experimenting to be done with this unstable mixture of
privacy and social networking, and it's bound to produce leaks (of
secrets and even keys), but we need (both as individuals and as
societies) to learn these skills, and to restore the privacy awareness
socnet moguls keep urging us to forget.
Cheers,
Nimrod @TheRealDod Kerrett,
Thailand