
Felony – An open-source PGP keychain - henryboldi
https://github.com/henryboldi/felony
======
henryboldi
Hi I'm Henry, the creator of Felony

I’ve had a passion for politics, history, and programming since the age of 12
growing up in a suburb of Chicago. During my freshman year, I developed an
interest in software. A couple of apps and hackathons (programming
competitions) later, I was working on my own startups when I made the leap to
drop out of high school to become a software engineer at a venture-backed tech
startup.

While working there I learned that PGP encryption was the tool used by Edward
Snowden to securely send messages to journalists. The immense value of
encryption as a core component of our free society became clear to me. Amongst
fellow coders, I had no trouble using command-line encryption to communicate.
But my friends who didn’t code couldn’t easily do the same since they don’t
know how to use the command-line. Given how important encryption is, I decided
to build a first-rate encryption tool that could be used by anyone on any
website, regardless of background.

~~~
cdnsteve
This looks like an interesting project but has a poor name choice. If it's
targeted at non technical users, it may actually prevent them from using it,
out of fear that just using it is illegal.

~~~
bwghughes
I think folks should chill on the name. It's just a word which makes it stand
out as a product. Good job !!

~~~
peterbonney
In that famous Goldman Sachs "theft" case, use of a tool called "Subversion"
(which any IT person knows is just vanilla version control software) was taken
by the FBI as evidence of malicious intent.

Just saying.

~~~
petre
Just call it Line Noise, Static, or something. No malicious intent in that.

~~~
rmchugh
Static is a great name.

------
michaelmior
Mods, could we have something descriptive added to the title? This single word
doesn't really give me any idea what this is about. Suggestions (taken from the
link)

Felony: Next Level PGP

Felony: An open-source PGP keychain built on the modern web

~~~
MilnerRoute
Also, here's the link to the README file. (Nicely done!)

[https://github.com/henryboldi/felony/blob/master/README.md](https://github.com/henryboldi/felony/blob/master/README.md)

~~~
masklinn
Github's index page (TFA) shows the readme below the files listing.

~~~
oneeyedpigeon
But the direct link to the README.md file is ‘better’.

~~~
michaelmior
Personally I prefer a link to the repository instead of the README. I like to
scan the project structure as I scroll down to the README and it also gives me
a chance to see how active the project is since GH shows when each file/folder
was last modified.

------
knorker
This name is awful. I would never want to contribute to it, nor use it. Nor
suggest it to anyone as a solution to anything.

It's the worst name since that framework called "cocaine" with tools and
subprojects named after illicit drug market terms.

Yeah, "felony" and "cocaine" are not things I will put on my CV or would like
to show up when someone Googles my name.

What's the joke here? That some people are incorrectly labelled felons for
what they say and write?

Do you know what most "felons" did to be called that? It's not for what they
said and wrote that should be constitutionally protected.[1]

[1] I don't have numbers to back this up. Maybe most people are actually
felons for drug possession, but you know what? I don't want to be associated
publicly with those actions either. Also do you want to be on this table?
[https://www.fbi.gov/about-us/cjis/ucr/crime-in-the-u.s/2015/...](https://www.fbi.gov/about-us/cjis/ucr/crime-in-the-u.s/2015/preliminary-semiannual-uniform-crime-report-januaryjune-2015/tables/table-4/table-4-state-pieces/table_4_january_to_june_2015_offenses_reported_to_law_enforcement_by_state_alabama_through_california.xls)

Violent crime, Murder, Rape, Robbery, Property crime, Burglary, Larceny-theft,
Motor vehicle theft, Arson

~~~
Sir_Substance
> Do you know what most "felons" did to be called that? It's not for what they
> said and wrote that should be constitutionally protected.

Exercised journalistic integrity and protected anonymous sources?

[http://uscode.house.gov/view.xhtml?path=/prelim@title18/part...](http://uscode.house.gov/view.xhtml?path=/prelim@title18/part1/chapter37&edition=prelim)

The press is free, as long as it doesn't protect sources that have leaked
embarrassing information about the armed forces.

~~~
knorker
Is that how _most_ felons earned their felony conviction?

Because that's what I asked (rhetorically).

------
callumlocke
Although the name is ironic, it will reinforce the common vague notion that
encryption is something politicized/controversial/illegal, and that's not a
good thing for infosec.

Looks great otherwise.

~~~
brashrat
the name may be intended to be ironic, but the irony of the irony is that if
you are interested in communicating about conducting one or more felonies, I
would in fact urge you to use encryption.

I hate when people hate the "if you have nothing to hide, why do you care?"
question because it's a valid question. You can answer, "because I fear the
creeping growth of a surveillance state like in 1984", but then again, if you
do that you no longer get to claim that other "slippery slope arguments are
fallacies".

I've been a bigger privacy freak than all of you since before you were born,
google my somewhat unusual name, you won't even find me. But still, I enjoy
making fun of the groupthink that infects these types of communities.

~~~
cyphar
Ignoring the arrogance, "If you have nothing to hide" isn't a valid question
because everyone has something to hide. People have curtains and doors for
good reasons, and everyone expects a certain amount of privacy in their lives
-- but they don't realise how much they care about it until after they get
screwed.

Oh, and it's not a slippery slope fallacy if we literally are headed towards
1984. Not even Orwell thought that social graphs would allow for automated
analysis. The NSA doesn't need tele-screens when they have Facebook.

~~~
brashrat
no slippery slope argument is a fallacy when the underlying process can best
be described as a slippery slope. "Slippery slope" is not a fallacy, it's an
analogy.

I'm in favor of crypto, privacy and the same things you are... I just don't
lie about it: criminals are more interested in crypto than the average
citizen, so are kiddy pornographers (for those of you who don't think that's a
crime). So are "chinese dissidents", but seriously, there are more criminals
out there.

my arrogance comes from my ability to be both smart and honest rather than a
propagandist.

~~~
cyphar
> criminals are more interested in crypto than the average citizen

That is the problem that should be solved. Everyone should be interested in
crypto. You're just spouting arrogance and irrelevant information.

------
danso
I've heard about optimizing for developer happiness, but this is kind of
silly.

- the app has an unintuitive and harmful name that casts aspersions on the
core values it purportedly touts because the developer saw that it was an
available .io domain [0]

- This app has a shitton of leftover boilerplate and dev dependencies from a
bootstrap scaffold, even though AFAIK there is no testing suite. (Because we
all know how safe npm dependencies are...)

- A good number of unnecessary non-dev dependencies too. It includes
font-awesome, which seems unnecessary to include in its entirety already...but
are there any uses of font-awesome? I did a search for "font-awesome" and "fa-"
but couldn't find any.

I understand using boilerplate generators to learn the ropes of creating
within a framework...I've done it to learn React and Angular. But to use a
scaffold-generator for a niche and highly specialized/sensitive app like this?
It can't mean that it's anything more than a toy app. And yet one in which the
decision to give it the name "felony" just looks immature on the author's
part, meaning that it's not even useful as a resume padder.

[0]
[https://news.ycombinator.com/item?id=12030422](https://news.ycombinator.com/item?id=12030422)
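
The manual check described in the comment above (searching the source for "font-awesome" and "fa-") can be automated. The following is an added example, not part of the thread or of Felony's code base: the manifest and source files are constructed samples, and `findUnusedDependencies`, `usageHints` and the package name `scaffold-leftover` are hypothetical.

```javascript
// Added example: flag declared npm dependencies that nothing in the project references.
// All sample data is constructed for illustration; it is not Felony's package.json.

// Escape a package name for use inside a regular expression.
function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// True if `source` loads `name` (or a subpath such as name/css/x.css) through
// require(), `import ... from`, a bare import, or a dynamic import().
function referencesPackage(source, name) {
  const n = escapeRe(name);
  const re = new RegExp(
    `(?:require\\(\\s*|from\\s+|import\\s*\\(?\\s*)['"]${n}(?:/[^'"]*)?['"]`
  );
  return re.test(source);
}

// True if an npm script invokes a command with the same name as the package.
function usedInScripts(pkg, name) {
  const scripts = Object.values(pkg.scripts || {}).join('\n');
  return new RegExp(`(?:^|[\\s/])${escapeRe(name)}(?:\\s|$)`, 'm').test(scripts);
}

// pkg: parsed package.json; files: { path: contents }.
// usageHints (assumption: supplied by the caller) maps a package to a pattern
// that proves use without an import, e.g. the "fa-" class prefix of an icon font.
function findUnusedDependencies(pkg, files, usageHints = {}) {
  const sources = Object.values(files);
  const report = { dependencies: [], devDependencies: [] };
  for (const section of Object.keys(report)) {
    for (const name of Object.keys(pkg[section] || {})) {
      const hint = usageHints[name];
      const used = usedInScripts(pkg, name) || sources.some(
        (src) => referencesPackage(src, name) || (hint && hint.test(src))
      );
      if (!used) report[section].push(name);
    }
  }
  return report;
}

// Constructed sample project.
const samplePkg = {
  scripts: { test: 'mocha test/', start: 'electron .' },
  dependencies: { openpgp: '0.0.0', react: '0.0.0', 'font-awesome': '0.0.0' },
  devDependencies: { mocha: '0.0.0', electron: '0.0.0', 'scaffold-leftover': '0.0.0' },
};
const sampleFiles = {
  'app/index.js': "import React from 'react';\nconst openpgp = require('openpgp');\n",
  'app/style.css': '.header { color: #333; }\n',
};
const sampleHints = { 'font-awesome': /\bfa-[a-z]/ };

console.log(findUnusedDependencies(samplePkg, sampleFiles, sampleHints));
```

Every entry in the report is a package that still ships in the dependency tree, and so still has to be trusted and patched, without doing any work for the application.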

------
nickpsecurity
Most are focused on the name, which is terrible, while only one other (so far)
noticed the big problem: Electron, React, and Redux. A secure messenger needs
to have strong endpoint security. Easiest way to do that is using safe, system
languages with simple implementation, as few dependencies as possible, and
isolation of app from rest of the system. That's one of safe C's, restricted
C++, SafeD, Ada/SPARK, Component Pascal, Rust... any of those with portable
code for main library plus modules for OS-specific stuff (esp GUI &
filesystem). That would have a chance of surviving hackers, esp good ones.

I know almost nothing of the above frameworks. However, Google gave me front
pages for each that look more complex in implementation and dependencies than
a C, Ada, or Rust app. Unnecessarily so. Secure applications should follow
Lean and KISS principles every chance.

Note to author: All that said, if you're just doing it for fun or learning,
then that's cool. Also a good area to learn about. :) The above applies to
implementations meant to be used in field.

~~~
dom96
Agreed. Although I think that the name is also a problem. It feels like most
of the upvotes are coming in because of the pretty image in the readme...

~~~
nickpsecurity
I mention the name in passing as others wrote on it. A _lot_ on it haha.

Your comment on image is possibly also true. I remember much of the press of
another messaging app oriented toward privacy came because it advertised as
"the beautiful messenger" with many nice pictures. It was Icelandic with .is
site but I don't recall name. Versus competition, wasn't much to say in terms
of implemented features or security. The U.I. was beautiful, though. ;)

Note: The Apple website takes this technique about as far as it can go outside
a dedicated, high-def, image board.

Note 2: I could add Nim to my prior list if there's been any work evaluating
it for security-critical applications. Particularly, how it helps or hinders
expressing such things plus risk compiler brings in during transformations.
Anything on that yet?

~~~
dom96
> Note 2: I could add Nim to my prior list if there's been any work evaluating
> it for security-critical applications. Particularly, how it helps or hinders
> expressing such things plus risk compiler brings in during transformations.
> Anything on that yet?

Afraid not. Would be awesome to see somebody that is security conscious taking
a look at Nim and verifying these things :)

------
rxlim
After reading the README I think that "Felony" is a very appropriate name:

 _... built on the modern web with Electron, React, and Redux._

Building desktop applications with web frameworks should definitely count as a
felony.

------
imjustsaying
Guess what the prosecutor will say to the jury in every case involving a
defendant who uses this?

"The accused was even using an app named Felony!"

------
fdomig
> built on the modern web with Electron, React, and Redux.

Security? Encryption? Privacy?

~~~
elcapitan
That's the old web! Use the modern web!

------
gort
I'm not sure this is the name to use if you want people of only average
political commitment to use your app. Although at least it's a striking name.

~~~
henryboldi
Thanks! We found it randomly by searching available .io domain names.

~~~
frakkingcylons
The satire writes itself. What's wrong with .org/.net?

~~~
pmlnr
Not trendy. I would always prefer .net over .io though, but I'm oldschool.

~~~
ghrifter
Clearly you are just another corporate Java and Microsoft drone!

------
runj__
Awesome! I'll finally be able to stop using the horrible GPG Keychain app I
used to use which didn't even allow pasted public keys.

~~~
henryboldi
YES EXACTLY!!!

------
K0nserv
Really cool, it'd be nice to have a few more screenshots or maybe a video of
the usage. It's not fully clear if Felony actually sends the message or only
encrypts it and allows you to send the encrypted message in another medium.

~~~
henryboldi
Felony only encrypts messages and allows you to send the encrypted message on
another medium. Hope that clears this up. Also, I agree more screenshots would
be great. Screenshots++

------
SNvD7vEJ
The members page of the github page looks like some sort of criminal record

[https://github.com/henryboldi/felony/network/members](https://github.com/henryboldi/felony/network/members)

------
deftnerd
App doesn't appear to work for me. I downloaded the precompiled windows app,
and it loads a window that says "Hello React" and gives error popups too.

~~~
henryboldi
I haven't had time to fully test it on Windows, only Mac. The app is still in
pre-release. I would love any PRs fixing this issue!

~~~
mathiasrw
This information should really go into the README

~~~
henryboldi
Already added :)

------
tejasmanohar
Ah, neat- OpenPGP.js! Stumbled upon this the other day and was impressed that
it's already been audited (Cure53).

~~~
jscheel
Hey Tejas, I see your name is in the screenshot ;)

------
spriggan3
Poor name for an app. And yes it matters.

------
j1vms
I understand other posters' concerns about the name, but I have to admit it
evokes almost the same level of wry wit of Linus, when he christened 'git'.

In fact, the reception this name is getting is quite ironic. Just think about
it, and you might just burst out laughing.

------
brian_cloutier
It's not obvious from the readme, how does key exchange work?

~~~
henryboldi
Once your key is generated you can click the 'copy' icon to the right of your
name in the header. After that you can share the key on any platform you like,
including Keybase.io :)

~~~
pmlnr
keybase.io... right. I've been waiting for an invite letter for a year.

Please stop referring to non publicly open platforms as if they were actually
usable.

There is keys.gnupg.net, pool.sks-keyservers.net, pgp.mit.edu, etc. These are
the well-known ones that had been around for a while.

~~~
corndoge
What's your username? I have a couple invites.

Should note that I never use the thing since in practice it's easier to fetch
my key via traditional methods, a la pgp.mit.edu...

------
deanCommie
Okay, I'll be the contrarian one: I HATE the name.

There have already been trends in the mainstream and right wing media that "If
you have nothing to hide, you have nothing to fear", that the NSA only
monitors the communication of criminals, and that things like iPhone
encryption help terrorists first.

With that in mind, can you imagine the reaction that the average lay-person
will have when they see a clickbait headline or morning news report that says
"A new app called Felony allows ISIS and online pedophiles to communicate in
secret with ease."

It looks like a great app, and I will honestly use it.

But I don't think the name helps the cause of promoting easy and default end-
to-end encryption for all to remove the implication that the only people that
use it have something to hide.

~~~
mildavw
Suggestions and/or concepts you (OP) want to evoke:

    
    
      Patriot
      Freedom
      Liberty 
      Good Citizen
      Free Speech
      America
      Fourth Amendment
      Secure In Papers
      Right To Privacy

~~~
programmarchy
I'll add a counter point and say that I like the name. Politicians have a
history of inverting meanings, e.g. Patriot Act, Affordable Health Care Act,
etc. -- the public is almost conditioned to invert logic to understand things
at this point. Personally, I find the terms above to be patronizing and even
suspicious in the political context.

The mental operation of inverting the word felony is kind of interesting and
thought provoking, IMO.

~~~
mysterypie
> the public is almost conditioned to invert logic

Only a Hacker News type of person will invert the logic. The general public
won't.

Ask your neighbor to guess the purpose of the Banking Secrecy Act [1]. Does it
protect your money and your financial privacy, or does it make banks snitch on
you and strip away financial privacy?

Even I was surprised that the name of the law and the actual text are exact
opposites.

[1]
[https://en.wikipedia.org/wiki/Bank_Secrecy_Act](https://en.wikipedia.org/wiki/Bank_Secrecy_Act)

------
e12e
On a related note, has anyone had a look at "Pretty Curved Privacy" ?

[https://github.com/TLINDEN/pcp](https://github.com/TLINDEN/pcp)

(Just submitted it to hn - I thought there was an old submission, but
apparently I was mistaken):
[https://news.ycombinator.com/item?id=12035081](https://news.ycombinator.com/item?id=12035081)

If _felony_ is PGP protocols wrapped in modern web technology, I suppose _pcp_
is NaCl wrapped in old PGP command line and protocols...

------
tokenizerrr
The Gnu Privacy Assistant (GPA,
[https://www.gnupg.org/(en)/related_software/gpa/screenshots....](https://www.gnupg.org/\(en\)/related_software/gpa/screenshots.html),
bundled with [https://www.gpg4win.org/](https://www.gpg4win.org/)) is also
pretty good. Though it does require you to already know the right words and a
basic knowledge of GPG.

------
macawfish
Call it "privatebits" or something more suggestive that personal informational
boundaries and privacy can be healthy for everyone, rather than the highest
criminal offense. I understand that there's some irony or sarcasm there, but
trust me, those are not timeless, even for people who "get it". Bitter humor
is not sustainable in the long run, so relying on that kind of energy probably
won't help the cause.

------
itschekkers
I like the idea of this, and would love to give it a try. I would say,
however, that the documentation/instructions are a little bit barebones. I
know it's just early days, but as a newcomer to node it is pretty difficult to
know how to use this. You may also want to include a PGP 101 (or a link to a
good get-started guide) because it isn't really common knowledge either

------
givinguflac
Could have used a hyperbolic name in the other direction. "FreedomKeyper"
comes to mind.

------
dkarapetyan
This is fantastic. Now all you have to do is add a share button and an
extension to the site being shared to. Imagine if all status updates were PGP
encrypted, what a wonderful world that would be.

------
mugsie
From what I can see, the underlying openpgp js lib does not support GPG Cards
(smartcards / newer Yubikeys + others).

Interesting app, and it looks cool, but it rules out usage for me. Why the JS
+ Electron stack?

------
thinkMOAR
Looks like a neat little app, read the website, but couldn't find a question I
had which popped up instantly when I launched the app.

Is it possible to use existing PGP keys with Felony?

------
peterkshultz
What are the benefits of this over something like Keybase?

~~~
everfree
Nice user interface and packaged in a desktop app, I would assume. You can use
it in tandem with Keybase for the key discovery.

------
esafwan
Really great app. I was always in search of an open-source tool such as this. Didn't
get time to check yet. But have to soon.

------
luke-stanley
Would be better to use a small GUI library, avoiding Webkit / Chromium, for
memory usage and security.

------
unimpressive
Change the name.

------
cm3
What's the state of WebCrypto APIs, and is it already possible to avoid
ciphers written and deployed in JS?

------
bbcbasic
Attackable via dependencies

------
bbcbasic
Call it Enigma

------
reviseddamage
committing felony. it's a github pun meta isn't it.

