Oh, I see you helped yourselves to my Secure Chat logo -<p><a href="http://dribbble.com/shots/479881-Secure-Chat" rel="nofollow">http://dribbble.com/shots/479881-Secure-Chat</a><p><a href="http://logopond.com/gallery/detail/165288" rel="nofollow">http://logopond.com/gallery/detail/165288</a><p><a href="https://www.google.ca/search?q=secure+chat+logo" rel="nofollow">https://www.google.ca/search?q=secure+chat+logo</a> - first page hit too<p>Not cool at all, "cool guys around the world".<p>--<p>(edit) Regardless of whether this was copied, over-inspired or independently conceived (but let's be realistic here), the generally accepted rule of the game is that the first to the finish line gets to keep the logo. I don't make my living with logo design, but I did kill a week of sketching, refining and re-balancing on this one and I do happen to like it a lot. For what it's worth, I wrote a P2P VPN system in the past (called Hamachi) and I am involved in p2p and crypto domains in general. So I expect you to extend some professional courtesy, change the logo and close this matter in an amicable matter.
Tox aims to be a secure replacement for Skype.<p>There's several other similar projects, but they are usually hard to set up and use for an average user.<p>Tox is FLOS software developed by community, and currently licensed under GPLv3. We are considering changing the license to something more permissive, so it would be possible to put it on the App & Win8 Stores.<p>Currently, it is in really early stages of development. But we already have basic IM, and nCurses interface. We use NaCl library for encryption and will probably add FFmpeg for video.<p>We are working on a cross-platform GUI using Qt5. Please note that the screen-shots on the main website are only mockups, and (in my opinion) should have been labeled as such.<p>Since the website is down, here's some links:<p>Subreddit: <a href="http://www.reddit.com/r/projecttox/" rel="nofollow">http://www.reddit.com/r/projecttox/</a><p>Core code: <a href="https://github.com/irungentoo/ProjectTox-Core" rel="nofollow">https://github.com/irungentoo/ProjectTox-Core</a><p>Qt GUI code: <a href="https://github.com/nurupo/ProjectTox-Qt-GUI" rel="nofollow">https://github.com/nurupo/ProjectTox-Qt-GUI</a><p>Website code: <a href="https://github.com/stal888/ProjectTox-Website" rel="nofollow">https://github.com/stal888/ProjectTox-Website</a><p>IRC Freenode chanel: #InsertProjectNameHere
So this appears to naively use DJB's NACL/crypto_box construction, which is a curious choice given the existence of OTR for messaging protocols which would handle things like session key negotiation and provide deniability.<p>First, If I'm reading the source correctly, they are doing public key encryption for every message. Which, ok, DJB was a fan of at least for DNSCurve, but is generally regarded somewhat dimly for efficiency reasons. So I guess this puts them on one extreme of the Bell Curve or the other. I wonder which?<p>[EDIT, removed point about nonce's in handshake]<p>Funnily enough, at first glance it looks like they covered at least some of the obvious issues: they do at least attempt to authenticate the session key and the crypto_box's use of a Nonce prevents replay and re-ordering attacks.<p>How do they handle video chat? Crypto_box won't work there naively sense packets will get lost and the nonce's won't be in sync.
Unconvinced.<p>* Lossless UDP? Is there a reason not to do TCP?<p>* There is no way to know if the public key is genuine, so the system is very sensitive to MITM.<p>* The key exchange is inadequate. Why not do DH if it's just to have session keys?<p>* The system is very easy to brute force as the acknowledgement is based on a known plain text. This is <i>very bad</i>.<p>A quick glance at <a href="https://github.com/irungentoo/ProjectTox-Core/blob/master/core/net_crypto.c" rel="nofollow">https://github.com/irungentoo/ProjectTox-Core/blob/master/co...</a><p>I found a potential buffer overflow at line 143. If an attacker sends a large file, what happens?<p>Making crypto software is not just a question of wrapping a crypo lib (in that case NaCl) with a GUI. There are some tricky security issues as how you use the crypto.
Github maintained by someone with a troll username?<p>Comments like this:<p>> <i>IMPORTANT: release two major sanctioned UIs, one for autists, one with inbuilt support for the previous list so that plebs can't get confused with setting it up and autists don't complain about it getting in their way. de geso > I would suggest a "Advanced options" where the autists can rejoice with all kinds of options (and it doesn't frighten the normalfags, since it's not shown by default). Also, 2 UIs would be chaos to maintain.</i><p>Talk about not needing to be an expert to use it, but then a "learn more" button sending people to github?<p>Not inspiring confidence so far.<p>It's nice to see they're using an existing crypto library. I'd be surprised if they haven't made errors implementing it.
Since you managed to kill the website:<p><a href="https://github.com/irungentoo/ProjectTox-Core" rel="nofollow">https://github.com/irungentoo/ProjectTox-Core</a><p>Tox is a completely decentralized secure messaging service which aims to replace skype.<p>It it still in heavy development.<p>So far we have IM working almost perfectly but no completed GUI yet except for a basic ncurses interface used to test the core.<p>For the detailed info on how everything works see:
<a href="https://github.com/irungentoo/ProjectTox-Core/wiki" rel="nofollow">https://github.com/irungentoo/ProjectTox-Core/wiki</a>
Minor contributor here: we've been trying to recruit help from HN multiple times with no luck. /g/ recognizes that the dev talent on the web resides here, so if you have a mastery of any of the needed skills (C, GUI design) we'd love your help.
It might be useful to mention more about how encryption is done on the website itself since that is the main selling point. As it stands I have to go through the source code.
OK, /g/entoomen, I will keep saying what I said in one of your threads.<p>I feel it's strange that your IP is shared to the world together with your public key, so it is, in this sense, anti-anonymous.<p>You cannot even use it with Tor, because it uses UDP.
As a naive potential user I am willing to take the assurance of proper crypto and forward secrecy. What needs to be addressed also is the issue of metadata. It is the broad collection and easy analysis of metadata -- NOT content -- that makes NSA monitoring so sinister. By knowing all about who you connect with, when, for how long, and with what regularity, they can know a vast amount about you.<p>What of the who/when/how-long/how-often metadata is evident when using Tox? As compared to normal skype or IM, that is?
This has been a project on 4chan's /g/ board that began after Snowden's initial leak. Its good to see that this project has developed into something substantial.
I'm glad that people familiar with security and cryptography in this thread are trying to poke holes in the product. As long as the development team uses these comments as productive criticism and fixes potential issues, everybody benefits in the end.
Questions:<p>0. How important is simplicity (modularity) to the project?<p>1. Will Tox work for user "idontrungentoo"? Will it compile on Solaris, BSD, etc.<p>2. Will the GUI be optional? If not, why is it mandatory?<p>3. Can Tox work without DHT? What if two users just want to call each other without connecting to tens, hundreds or thousands of strangers? If there are problems with the DHT, are they SOL?<p>It would be good to have competing teams all working on some similar system (a Skype alternative) and then have an open bake off, instead of just idle criticism in forums like this one. This way we could see which system actually works the best instead of just theorizing about design choices and taking random anecdotes from alleged users in forums on faith.
I hate to be the bearer of bad news, but if your intent is to get around NSA snooping this doesn't do that. All you have really done is made sure that your communications are target for closer scrutiny. Remember I don't care _what_ you say I care _who_ your saying it to. Once I know who is talking to who and which person might be a good source of information there are much easier ways to get that information then trying to break encryption[1]<p>1. <a href="http://xkcd.com/538/" rel="nofollow">http://xkcd.com/538/</a>
Can anyone convince me why I should contribute to this project when I can already use the following?:
[[bitmessage.org][Bitmessage]]
[[freenetproject.org][Freenet with a chat client]]
[[gnunet.org][GNUnet with chat]]
[[i2p2.de][I2P-Messenger]]
[[retroshare.sf.net][RetroShare]]<p>PS
You could also apply a simple Icecast and/or MPD video stream under those proctols, even [[stomp.github.io][STOMP]].
"...application that allows you to connect with friends and loved ones."<p>...who know what to do next after they click the 'download' button and are forwarded to a GitHub page. I'd like to give the app a try, but I look at that page and I don't know where to start.
Another app that is the same as good existing solutions and is an outgrowth of spying revelations. Easy secure messaging, calling, etc apps already exist and are freely available. Once Whisper Systems apps are out for iOS at the end of the summer the bases will be covered.
Apparently, we can't use the name "Tox": <a href="http://tox.readthedocs.org/" rel="nofollow">http://tox.readthedocs.org/</a><p>Here are the most liked alternatives proposed on anther thread:<p>tala<p>whispr<p>mila<p>aspis<p>orwell<p>nota<p>extasi<p>eave<p>fabula
If you're the author, you should add it to the list: <a href="https://en.wikipedia.org/wiki/Darknet_%28file_sharing%29" rel="nofollow">https://en.wikipedia.org/wiki/Darknet_%28file_sharing%29</a>
They're pushing the hell out of this on the /g/ technology board on 4chan. I wonder if large group chat rooms will be a new way of sharing files over secured/private connections.
why not exchange "proper" keys when both parties are first both online? messaging that does not let me send messages to offline peers is quite useless in many cases. I would much prefe
It's funny how many focus on what are rather trivial things, the logo and name, instead of looking at the actual things which matter: the code, the security, and the idea itself.
why not hop on the xmpp train? xmpp just lacks a great client incl. some cross device synch capabilities, but besides that is secure, decentralized, open and a standard...
Whilst we're bashing them for IP theft, can anyone tell me why they're using the Github Octocat logo for their “Freedom” point? It doesn't appear to link to Github?