But yeah, feedback on the collaboration is welcome. Do you think editing one sentence with multiple people is necessary, and if so why? And on the other end of the spectrum, Word-style edit requests (which need to be approved before they are applied) are also sometimes necessary.
If you want a library it exists too:
The ability to make arbitrary changes is essential for this.
Maybe there are multiple reasons for that.
One is that we're not in the business of trolling coworkers and losing time, quite the opposite. However, I can understand that when I was little, that would have been fun sometimes.
Another reason is that we often use another channel to coordinate our work, email (I'll be working on that), chat or voice calls. The risk of undoing someone's work is nil.
With the approach of Airborn it could happen that I have to say "please move your cursor somewhere else so I can show you an alternative" or fix a typo. That would be odd and make us lose time.
The only scenario where I can see this being a bad decision would be for bots. For example, if you had a spell checker loaded which ran as a separate user rather than under your own session; so the spell checker couldn't auto-correct words until you'd finished typing the sentence. Here I'm imagining something like Rosie the translator bot from the original Google Wave demo... But I don't think you have bots anyway, so this won't be a concern for the present anyway.
I have had plenty of real-world situations, with Google Docs, whereby I have fixed someone else's spelling (or vice versa) as they have been typing. Working on sheets/slides where this isn't available has always felt awkward in comparison, and I wouldn't look to get more of it.
I am a big fan of open source alternatives to Google and Facebook (see Qbix). Do you mind if I contact you?
A writing style that I try to use is that I just type ... don't look up words, just write YYY where I can't find the right word to use, then I read the text and fix all spelling errors, sentences, remove unnecessary parts etc. That way you can be in flow. But instead of you doing the fixing later, someone else can do it for you - while you are writing!
Historical note: live three way merging of HTML files, being produced by content-editable div implementations in different browsers, which like to rewrite each other's coding decisions in arbitrary ways (suddenly all your BRs become Ps, whee!) is "fun" in a way that I don't really ever need to revisit.
I'd also be interested in getting the documents to appear in my Nextcloud and vice-versa.
At the end of the day, it's mostly about having everything in a central location with a good set of backups in place.
I cannot extract that image (useful collateral) from your page on Android given page presentation.
Also a feature request: please add the ability for me to delete my account/data from your servers.
If you shoot me an email with your username, I'll delete your account and files manually.
However, the exclamation mark in the second line does not come at the end of the sentence.
This is not good:
This is good
Changing the interface language didn't seem to help:
Update 1 - I'm using Chrome 56
Example: a page with no content except "This is a test" takes over 3 seconds to load.
Even without any browser involved, just curling it takes 1.5 seconds on my Mac:
time curl "https://airborn-usercontent.herokuapp.com/pub#?f=c8d42cd38bfc2c26/87261eeee80726bf6eb9ed886ce7517c7435b1c267e4f50b48eae9582a6ef4c8"
There are plenty of things on the web where you can upload data and they don't use machine learning algorithms to decide if your content is "valid" or "invalid". It all depends on various tradeoffs.
I'm pretty sure this isn't a DMCA takedown case here. Google scanned the content of the file, didn't like it and removed access via an algorithm. Nobody but Google knows how it works.
If the content is encrypted then it's impossible to use google docs document viewers, editors, or collaborate online on a document directly via google doc. It becomes just a dumb file host with no added value.
Which begs the question: Is doing things at Google scale really something to aspire to? Has even Google solved the problem of doing things at Google scale if they have problems they cannot solve adequately at Google scale?
1. It has a Window Manager (try it out in the demo, you can drag around windows and such)
2. It has a File System, which does encryption and compression. This makes it so that the "apps" (documents and presentations, and in the future hopefully spreadsheets) don't have to know anything about encryption. This made it very easy to port the presentations app, for example.
3. It has a Marketplace with apps (not that they are very useful).
But yeah, since many people don't seem to like the name nor the OS-like UI, I'm considering dropping both. I'm just a bit concerned because there are many other companies named simply Airborne or Airborn. Also, integrating documents and presentations into a more unified UI would be a lot of work, since they're pretty much standalone apps today.
Otherwise I really like the project. I want all my data on all sites to be locally encrypted and backed up in the cloud. Documents is the perfect start, because there is very little server-side introspection needed. I'd like my friend graphs and contacts to be next.
In terms of UI, start by copying google docs exactly, they did a fine job.
I like the name, -born (i.e. conceived) on the air - i.e. in an ethereal space. As opposed to the suggestions for "Airborne" which would be carried on the air, the use of "born" is better as it suggests genesis.
"Srsly dudes, this is what your data looks like, no one can hack it!!"
Protection from hackers comes only from reviewed and verified software and hardware. The only consumer platform that comes close is iOS.
>"Only the people you share with can read your document -- even we can't read it."
Currently you're telling me what won't happen in a very unfortunate event. I think this is wrong in 2 ways.
1. You're telling me a message "the other way around". Even just saying "Keep your documents secure" is better than "Nobody will access your documents".
2. You're comparing w/ Google docs so, following the logic of your message, what's the probability that Google will get hacked? Tiny, right? So... you're not telling me anything useful.
You can check lastpass or 1password as examples. They implement more or less the same thing, but as you can see they don't talk about how it works, but about the benefit for me, as a customer.
It did have a positive influence on me right away. It also established this sense of trust. Enough that I began to crawl through the other pages for more info.
I also appreciated how you managed to convey, in a single image, exactly what was encrypted (ie, both document content and filename).
The first question I had was how Google Docs handled this. Do they also encrypt? If so, do they encrypt both filename and content? Considering Google's business model, I always assumed that they did less in this regard - relying instead on other mechanisms to protect user data.
I would keep the encryption message and double-down... comparing how other services handle privacy, tracking, data-mining, encryption. It's your strongest selling point.
But as a technical user I despise that and I liked the honest way this was presented. Because this is something everyone should be thinking before signing up (granted most don't, so, yeah).
I definitely get what you are trying to do though. It's so secure it doesn't matter if someone has the data.
Perhaps some clever illustration depicting the odds of cracking AES-256 (e.g. a man fishing in the ocean but there's only one fish to be caught). Visuals can be a great way to convey complex concepts.
I don't think what you have is a huge red flag, but someone might read it and say "Whoa, ok, it sounds secure, but what about other systems they have in place? Are they insecure, are people trying to get at my data 24/7 on their servers, etc."
All suggestions in this thread ("it is secure!") are just marketing gibberish, slogans without any meaning. If you intend to appeal to a large, stupid audience, maybe they're good, but it is a little dishonest.
While what he has is fine, you can convey the same sentiment without saying "Even if we get hacked..."
I'd choose a company that says "even if our servers get stolen, your data is safe" over "data breach? us? unpossible!"
How does that work? Isn't a service worker started by plain JS code?
Of course, it would be better to only warn the user if the Service Worker changes if it doesn't match the version on GitHub, but that's blocked on .
Furthermore, there are some very edge-case situations where the Service Worker can update when Airborn OS is not open or not visible (e.g., in a hidden iframe). That is why, when you register and check "Notify me before updating Airborn OS", it asks you for permission to send you notifications. Those notifications are currently only used to warn you when the Service Worker updates.
: https://bugs.chromium.org/p/chromium/issues/detail?id=773307, but it's not a browser bug. I should file a spec bug, but I'm still waiting for a reply on , too.
A TWA hub sounds interesting. I think that if you have a list of web apps that
1. are a Transparent Web App
2. have had a security audit
you could then add some UI in the browser that says "this web app keeps your data private". That would be useful not just for apps that use client-side encryption, but also very simple web apps, like say word counters. It's very useful for users to know whether the word counter sends their data to the server or not.
Of course, step 2 would be quite expensive, although for simple web apps it would be manageable. It would have to be financed by either the web apps themselves, or some big entity like Mozilla (which for years has had volunteers manually check browser extensions for things like this, too).
Unless this is an extremely rare event, a hacker could easily just piggyback on a recent change and inject a worker that does not alert on "updatefound".
I never said it was easy. I said it was possible and doable.
> only paranoids and security conscious individuals will ever validate against GitHub.
The op expects this to happen anytime a user gets a message saying the code is updated. I agree that no one will do it and it'll become a click through.
> but your hypothetical case is weak. It will work for any software that auto update. Browser? OS?
I state in another post that you are always subject to this issue. However, when running local software, and not at the mercy of someone else's computer/server, you have the ability to choose when and how you update.
I can also validate all code against signatures and public logs before running it, which is not something that can be done with service workers or any website in general. twiss says as much themselves: https://github.com/w3c/ServiceWorker/issues/1208
And yes, there is normally an implicit assumption that the hardware is not spying on you simply because there are no alternatives.
It really comes down to how often I need to validate my trust and how easy it is to do so.
Web apps, under the best conditions, are hard to grab and pull all the source into external files for examination and almost impossible to do so before executing it, barring using tools like curl or wget, and running the JS yourself to figure out what else needs to be downloaded. Not to mention that needs to be done every time I access the app.
With a traditional app or OS, I could (not that anyone does) verify the code (which for F/OSS is easy to obtain) before I compile it myself. (Where I'm trusting the compiler, yes.)
I'm not trying to argue that there is a perfect method. I'm arguing that this application isn't even in the running for a good, fairly trustable method. I don't believe it solves the fundamental issue of having to trust the code download every single time, regardless of their service worker check, because it itself is not protected. Well, protected by the vigilance of the end user, which is where we started anyway.
> A service worker is (...) intercepting and modifying navigation and resource requests
Yes, that is the intention :)
> For the fun of it, maybe throw in some blocktrain tech or something to enhance that trust model of yours.
Instead of using GitHub as a public log, it's possible to use a publicly verifiable cryptographic log: https://wiki.mozilla.org/Security/Binary_Transparency
That would move the trust from GitHub to that public log. However, GitHub provides us not just the "publicly verifiable update" part, but also the "authenticated update" part. In other words, how do you know that the person putting something in a blockchain is the owner of the website? You'd need a public key, and then not lose it, etc. But it's indeed possible.
For example, that first visit which installs the service worker can already deliver bad code.
Not saying you will do it, but it all relies on people trusting you not to do it. So statements like "we CAN'T read your stuff" are not true on the web. Luckily, most web users don't care about being hacked by the server - they care about owning their own data! :)
Yes, but that is also the case when you install a desktop app. That's why Airborn OS is open source, so that you can inspect the code.
- Your username
- Your password, encrypted with a random key.
That random key (but not your encrypted password) is sent to the server. When you request a password recovery, we send you a file by email which contains that key and with which you can decrypt your password.
- We don't have your encrypted password
- A random person / application can't grab your password from your computer
- We verify that it's you who wants a password recovery (by sending you an email).
It has all the same elements:
* window manager
* document editor
* dock widget
I wish you all the best OP!
You should consider adding word support. Support for office XML formats are simple enough to hand-roll.
As a developer, I would ideally recommend to look into using a custom internal representation for a document and developing converters that convert between your representation and various formats. This way you won't be hindered by limitations of a specific format.
However, if you lack the resources to develop and maintain these converters yourself, look into the feasibility of leveraging LibreOffice by using a preexisting format like WordProcessingML as an internal format. You can then use LibreOffice to handle the conversion between the various formats you want to support. The downside to this is that you'll eventually outgrow WordProcessingML if you want to support features not supported by that specific format.
Of course, we're only talking about when our server gets hacked. If your computer gets hacked, you have a problem regardless of whether you're using a web app or a native app.
> To solve this, we're using a relatively new web technology (Service Workers) to install some code which can't be changed without setting off a warning to you. That code then keeps tabs on all other code, and checks that it matches the publicly available version on GitHub.
I really think you need to rethink your security here, because this just makes me even more sure that I don't trust you. It's actually a good bit laughable. If an attacker has access to your server, why should I believe that they wouldn't be able to update your github repository? (Why do I know you use different keys, don't put your private key on the server, &c?)
I have to trust you _regardless_ of any of your technology, and that's the problem. If someone has your server, there is very little I won't put past them to also have access too.
In sum, I think you're in for a world of hurt if you expect anyone who actually cares about security to trust you to never, ever make any mistakes.
> Of course, we're only talking about when our server gets hacked. If your computer gets hacked, you have a problem regardless of whether you're using a web app or a native app.
You're obviously just being needlessly argumentative about this. My meaning is obvious because of the context and the situation I described.
I don't have my GitHub password/keys on the server. Why would I have them there?
> I have to trust you _regardless_ of any of your technology, and that's the problem.
Yes, but it's trust-on-first-use. There's a big difference between
1. Trusting me today when I say that the GitHub keys are not on my server,
2. Trusting me today when I say that I'm not sending your password to the server, and being able to verify that by checking the code on GitHub
1. Trusting me every time you open the web app
2. Trusting me and my hosting company that I won't ever get hacked
Because you only need an SSH key to push to github and it's not uncommon for people to leave those laying around (or to forward them with a connection!) on a server.
The better question is not "Why would you have them there?" but "How do I know you don't have them there?"
> Yes, but it's trust-on-first-use. There's a big difference between
You're showing a very fundamental misunderstanding of trust and security. I trust your code every single time I load the application. I don't care what measures you _think_ you've put into place, I will _guarantee_ you they are not foolproof if you have a compromised system. Your insistence that it is is very disheartening and continues to degrade any trust I would have placed in you.
> 1. Trusting me today when I say that the GitHub keys are not on my server,
No, it's trust that you will never ever ever ever place them on any device you ever own where it is accessible or that said device will never ever ever be hacked.
> 2. Trusting me today when I say that I'm not sending your password to the server, and being able to verify that by checking the code on GitHub
And when this changes? Must I audit the code every single time I load the code? Because yes, I need to do that to ensure you haven't changed anything.
> 1. Trusting me every time you open the web app
I still need to do this.
> 2. Trusting me and my hosting company that I won't ever get hacked
I still need to do this too.
No. The whole point of what I've done and made is to make sure you don't have to do this. The Service Worker checks all code that is coming from the server. If you've opened Airborn OS before on a computer, and don't see a notification saying that Airborn OS has been updated, it is guaranteed that it's still the same code. If it did change, you get a notification with a nice link to GitHub, where you can inspect the commits since last time. That code is guaranteed to be identical to the new code that you will be running if you refresh Airborn OS.
What if this is my first time loading? How do I know you're not serving up new files that don't contain checks to be visitors?
Moreover, are you insinuating that you will never update any code and that expect that pop up saying you've updated the code to never appear? Do you expect people to check commits multiple times a week or a day?
So, ok, let's assume you're 100% trustworthy and a malicious actor changes the code and I get an error. Am I now forever unable to access my documents? How can I be sure that the code I'm running is really the code on GitHub after a breach? How does the code prevent changes to the initial code loaded on a request? Which could in theory manipulate the DOM before the service worker could attempt to verify the page, if I'm understanding you correctly.
But again, this all assumes that you're 100% trustworthy, and you're not. You're just some person asking me to believe you'll never ever make a mistake or be coerced into a malicious action.
Also, I haven't seen a mention of the AES mode you're using. Your security page is laughably short given that it's literally your main selling point.
Like I said, it's trust-on-first-use. This is no different from installing a desktop app.
> How do I know you're not serving up new files that don't contain checks to be visitors?
The Service Worker is installed on your own computer, and is still there the next time you open the web app.
> How does the code prevent changes to the initial code loaded on a request? Which could in theory manipulate the DOM before the service worker could attempt to verify the page, if I'm understanding you correctly.
Also, step 7 on https://w3c.github.io/ServiceWorker/#update-algorithm says that updating the service worker bypasses the service worker. How do you then validate that new service workers haven't been meddled with?
I'm still left in a situation where I need to trust you don't mess up.
You even say it yourself:
> (Of course, we can't prevent the update, but we can at least try to convince the user to close the web app before it steals their private keys.)
At that point, the game is up.
In this case, the author is trying to take steps to make changes more visible, but at the same time they're making their own changes cause alerts as well. However, if the product stops serving such countermeasures for new users at some point, or plays a long con over say a year of really tiny, innocent changes that eventually break the system to check downloaded files, then we're no better than any other web app out there.
So unless you're inspecting and verifying the code you actually download yourself, even with these countermeasures, you're no better than any other webapp with the need to trust the code you download _every_ time.
Now, you're always trusting a lot of things like your hardware, your compiler, your package maintainer's compiler, your package maintainer, &c (http://www.win.tue.nl/~aeb/linux/hh/thompson/trust.html). The difference, however, is that I only need to verify that trust each time I update my code, which I can do when I choose to (barring any incompatible server changes) and after I perform any audit I choose to. (With a web app, there is often no (straightforward) way to audit the code _before_ it's been downloaded and executed.)
I know I've been negative about all of this to OP. I'm sure he's done a tremendous amount of work. It just makes me angry when people claim they've solved one of the largest, most important problems in cryptography, when all they did is just ask me to trust them in a different way. It also makes me annoyed that for a security-focused product, there are very few details about architecture and cryptographic choices on the product's security page.
I don't mean to denigrate the work OP has done. I just feel that they're being foolish in their security-related claims.
Yes, often, but not in this case. With Service Workers, you can notify the user before the code has been executed, and in most cases prevent or delay the update as well. That's why on https://www.airbornos.com/register, there's a checkbox marked "Notify me before updating Airborn OS." If you check that, Airborn OS will literally ask you whether you want to update.
Obviously, you understand the problem and how web apps usually work, but you still don't seem to understand my proposed solution. I would appreciate it if you attempt to do so before you loudly claim that I am wrong. Please see https://developer.mozilla.org/docs/Web/API/Service_Worker_AP... for a description of Service Workers, and http://blog.airbornos.com/post/2017/08/03/Transparent-Web-Ap... for a description of my proposed solution.
First, service workers themselves are updated outside a service worker, so that is code I can't easily intercept before it is executed. (And first page load as always.)
Secondly, I still need to trust you not to make a mistake or not be malicious over a long period of time, making small tweaks that look innocent but over a year cause harm.
Third, users will become fatigued if every update you make causes them to click ok.
This is a better tag line than what I got when I loaded the website.
Their site makes it incredibly difficult to actually find out what this really is.
The only text visible on my screen when the page loads are the lines "Airborn OS", "Even if we get hacked, they can't read your documents" and "Collaborate in real time" which tells me essentially nothing about why I'm here, what this website is, or what you're trying to sell/advertise.
The only indication as to what this software actually does is in this Hacker News title.
For contrast, Google Doc's homepage, the first two things I see are "Create [persuasive/adjective] documents" followed by "With Google Docs, you can write, edit, and collaborate wherever you are. For free." This tells me basically everything I need to know, as a casual user, to understand what Google Docs is and why I might want to use it.
I hope this doesn't come across as overly critical, just some (hopefully helpful) feedback.
A bit of explanation about the name here: https://news.ycombinator.com/item?id=15596668
Reminder to myself that animations in your essential content are dangerous
I have a vaguely similar project to Airborn OS. I called my project Notanos because everyone kept on calling it an OS.
But thanks for the feedback. The UI can definitely be improved further, but it would be a lot of work to make it look similar to e.g. Google Docs.
click insert image
give it a normal 12 mpix image from my phone camera
watch image not appear on slide
try again, still no
repeat until browser tab is out of ram and crashes
image never appears on the slide
This is exactly the problem we're trying to solve, though: https://www.airbornos.com/docs/security
> Entrusting your data and your capacity to work to a third party should be avoided unless you have absolutely no other choice.
I sympathize with this concern, although in some cases, being able to read and edit documents from your phone, and collaborate on them, is very useful, and that requires some kind of cloud service. But I would very much like to implement things to alleviate these concerns – bulk export/backup, offline access, etc. If Airborn OS ever goes down, I'll make it easier and provide instructions to self-host.
Not being able to read and edit documents from your phone when the cloud locks you out of your document is also a concern (above and beyond all the concerns about security, privacy, and not being in control of your own data).
>Imagine you're working on a Google Doc when, seemingly out of nowhere, your ability to edit the online file gets revoked. What you see instead is an error message indicating that you've violated Google's terms of service.
>For anyone who stores work in the cloud, suddenly being unable to access your data — especially due to a terms of service violation — may sound scary. And it's really happening to some people, according to reports on Twitter. Rachael Bale, a wildlife crime reporter for National Geographic, said Tuesday that a draft of her story was "frozen" by Google.
>Others have reported similar errors.
Put your actions where your mouth is. Make the experience of local files better than the cloud and then we can talk.