Hacker News new | past | comments | ask | show | jobs | submit login
Cryptboard.io – Anonymous encrypted web clipboard and chat (github.com/mihanentalpo)
107 points by lioeters on Nov 26, 2022 | hide | past | favorite | 46 comments



I built something similar but it wasn't intended as a clipboard. Mostly for anonymous chat but I personally ended up using it as a clip board. The difference. We don't persist anything on the server side, it's totally in memory and you can create new streams that have shorter ttls.

Website: https://malten.xyz

Source code: https://github.com/asim/malten


I don't understand what the "Talk" button is supposed to do on the website.


It's speech to text using the web speech recognition api


>The difference. We don't persist anything on the server side, it's totally in memory

Very nice. At what point are items deleted? Obviously private data is up to the user, but what about privacy ie gdpr, and the general courtesy of deletion from your end?


Every message is deleted after 1024 seconds by default in any stream created on the fly by posting a message. New streams can be explicitly created with lower ttls that expire messages sooner. All streams cap at 1024 messages and are aged out like that if they persist longer than the ttl of the stream.


Ver


I use a local and private Dendrite (Matrix) server to exchange strings between computers through an encrypted chat to myself.


Signal also has a "note to self" feature but as this is a webpage it is undoubtedly superior to both.

No installation, instant access, have multiple users and keys per browser(profile).

Easily generate one off accounts.

This is a gloriously good idea.

So long as it works...


at this point why not just ssh to a host and use vim?

i mean, you might have better client os support than a matrix client in most cases :) and if you are running a private matrix node you already have sshd to solve all the constant annoyances and upgrades


It could also work but SSH connections time out while I can leave Element running on the background.

I’m also not aware of those constant annoyances and upgrades.


Mosh might help with that


why not just use https://chitchatter.im/ ? matrix is quite intensive for a single user and not very private by default.


How private the chat is is defined by E2E client encryption. Dendrite + Postgres uses ~320MB of my home server memory with negligible CPU and that’s while joined to a few federated rooms.


I use the special "Note to Self" address in Signal messenger for this.


The interesting thing here is that an identity is represented by an image ("avatar"). Normally you can't get enough combinations with such a scheme and still produce a distinguishable image. Perhaps those long hex numbers shown in the screenshot also represent identity?

Another interesting thing here is that the RSA keys are 1024 bits long. It is fairly unlikely that some entity like the NSA is going to expend a Manhattan Project level of effort to get the messages of one individual (it would be cheaper to use other methods) but they in theory could. Most just make RSA keys 2048 bits long and accept the wild overkill.


Avatar is a representation of first 34 bits of SHA256-hash computed on uid + public key. It's used as simple visual tool to distinguish different keys and/or uids. https://github.com/MihanEntalpo/cryptboard.io/blob/main/web-...

RSA is 1024 because with 2048 on some old devices keys would be generated for minutes, making service unusable (for the first run)


The avatars make sense as a "checksum", though perhaps not a full representation of the key.


What does this have to do with DeFi?

(Just Kidding)

Seriously though. Happy to see something that begins with "crypto-" that's not trying to push someone else's random bits on me.


Nice work!


Is there a German word for "this person is very intelligent but lacks sensibilities"?

A js-based browser app to move files between VMs in (literally any scenario where you've opt-ed into using VMs for isolating)??? The only thing feature here that seems useful, is also unmentioned and basically is an anti-feature -- a server with persistence.

so, instead of using the qemu/libvirt/vb/hyperv native way of passing in a socket/secret/etc, we're involving: javascript, a web browser, php, redis, jquery, bootstrap (probably fine, but also who knows depending on how it's included), oh I ctrl-tab back and apparently it's generating RSA keys somewhere, for me, for some reason????

Feel like XY Problem - there's probably a simpler, better solution for a slightly more specific (or even just attempted-to-be-specified-at-all) problem statement.


> Is there a German word for "this person is very intelligent but lacks sensibilities"?

Not quite the same, but there is the word "Fachidiot" ("fach" = subject) referring to someone who is book-smart on a topic, but is generally not very smart, nor able to apply their topical knowledge in ways they weren't specifically taught.


> Feel like XY Problem - there's probably a simpler, better solution for a slightly more specific (or even just attempted-to-be-specified-at-all) problem statement.

Problem:

Share content between two random devices without having to install an app, having to share the content with a third party or having to have a verified (by third party) identity.

Or alternatively, what's a quick way to share a file with a random person that I meet on the street without unnecessary friction or leaving unnecessary traces.

What's the best solution for this?


https://wormhole.app

Disclosure: I built this


Where is the file stored, I looked at the security-design page and it says hat it's uploaded to Backblaze and there's some reference to torrent creation, I'm not sure I get it


And I thank you for it! I’ve been pushing it to anyone who has a need and I use it myself to safely exchange files across machines that are behind vpns and firewalls at work.

It’s pretty fast too!

My only comment is that I wished there was a way to choose to keep the files a couple more days (had the issue with sending files to my nephew who couldn’t get them straight away and then the link expired once he was able to use it, after class, the next day).

But 24h is probably the sweet spot.


Does this use the Magic Wormhole protocol?



I’m building a serverless, ephemeral, private chat app that you could accomplish this with: https://chitchatter.im/


This is super neat!



> alternatively, what's a quick way to share a file with a random person that I meet on the street without unnecessary friction or leaving unnecessary traces.

There’s a lot of things that cumulatively make this hard. Some of them are “social” more than technical, and some are technically hard because of society. But importantly, people have made webpages that just p2p link two devices (eg wormhole).

Generally, no one wants to be the third party to facilitate anonymous, easy content sharing. Because people do bad things with such power. Due to the way most people consume the internet, everything is behind NATs and we’ve exhausted the IP(4) space, so p2p is pretty hard, but doable especially with a signaling server. It’s really hard to leave no trace because again, no one wants to be anonymous really, and pseudonymous tools like BitTorrent still leave subtle traces in the DHT.

> What's the best solution for this?

First, define “unnecessary”. But then…

Probably to change your criteria. I’ve never been in or can imagine a (legal and good for society) situation where I needed truly anonymous file sharing, without any ability to install anything, at a moments notice.

If you’re eg sharing with a journalist, you can take time to install software, or host content for download, or upload content to them, even if you needed to be anonymous.

If you need to it be on the street in a moment, no time for an app, you can probably just share an email or Google drive link.

If you can’t install anything, and you can’t use a 3rd party server, you should just hand them an SD card with the content. You already need to be in person to exchange public keys and hashes and whatnot.

The only true use case I can imagine needing so many anonymous protections is to share… bad media files that shouldn’t be shared with people who want them.

> Share content between two random devices

Easy… Dropbox, SFTP, torrents, USB drive etc

> without having to install an app

You’re limited to built in tools only. So either trust SMS or email, or use a browser. Either way, you need a third party server to relay the content or the software (email server, or server to host a webpage et ).

You can use Dropbox etc, you can use web torrent. You can email. USB drive.

> without having to share the content with a third party

Ok… less tools already available, you can still use webtorrent but you’ll need to exchange the magnet link and the content hashed would be in a DHT. Sorta a 3rd party but you can minimize actual content leak.

Knowing I’d the server (or other party) is logging a lot of data is question you might not be able to know.

Also a usb drive.

> having to have a verified (by third party) identity

I wouldn’t host a service without identities but at this point you have options already in the p2p space. IPFS, web torrent, p2p chat services, DAT, a bunch of things exist.

I don’t think the use case of this project is to share clipboard data with a VM. Especially not if you’re hosting the VM yourself (“clipboard access” implies you’re using the host). That’s an option in the readme BUT… why do all that? You don’t really need encrypted traffic, or identities, etc.

This project is probably for learning purposes of the developer, which is great, but I don’t know what actually use case I’d find for it is.


Hello! Creator of cryptobard.io here :)

> I don’t think the use case of this project is to share clipboard data with a VM. Especially not if you’re hosting the VM yourself (“clipboard access” implies you’re using the host). That’s an option in the readme BUT… why do all that? You don’t really need encrypted traffic, or identities, etc.

I have several years experience of working with contractor, who gave us access to their infrastructure by giving remote access to terminal windows server on VMWare Horizon. And there was NO clipboard sharing, files sending or folders mounting features enabled. We couldn't install any software, and user account (and all the machine) regulary was wiped and reinstalled from ground (on weekly basis). So, this service was created exactly for this situation.

Encryption is needed because of data passed into and out of VM is sensitive (passwords, logfiles, partial DB dumps), and my co-workers sometimes used insecure services, like cl1p.net for the same purpose. So, I written this tool in my free time :)

I'll add this explanation to README, as for me it looked obvious :)



I think the mention of using VMs was to show that if you had a machine hosted somewhere outside of your network, but you needed to get a file onto it and had no direct connection to it, then you could use this to host an encrypted file and then download it?

I'm sure I've seen something similar where a browser creates a tunnel of sorts, and lets you send a file or something directly from one browser to the other - which would probably be better for something like this as the file is not stored on a server.


When you are using VMWare Horizon given to you by contractor, where clipboard and all other data transfer integrations are disabled, no software could be installed, Windows inside VM gets wiped every few days, and your collegues mindlessly used dangerous services like cl1p.net to share data, this is not so stupid to write such a tool :)


> To copy and paste text/files into Remote Desktop, such as VMWare Horizon, RDP, and others where clipboard doesn't work or disabled

The URL the tool generates is very long. If you can't copy/paste, are you just retyping that URL by hand?


URL could be used if it COULD be used. If you don't have any clipboard, you can use QR-code. 1) Open first instance of app on you PC 2) Open second one in side the VM 3) Open both QR-codes by your smartphone and add keys with enabled checkbox "send all my keys" 4) Profit! You have all your three devices (with smarphone) connected with eachother


Hosted in Russia?



Github?


The website listed on their Github


But this is just the demo, right? People can download the code and host it somewhere else, so why is it relevant?


its kinda sus because russia


[dead]


Why is this written like an SEO farm blog post?


People new to the web see little else and think that’s how people write now. Also, it’s an SEO farm blog post.


When something is shared one of frequent questions is how it compares to something else. I provided information relevant to potential users.

If you had something useful to say regarding OP or my comment, that'd be fine. What are your comments (yours and the one your responded to) if not comment spam?

If you don't like a comment and have nothing to say on the topic, feel free to downvote it, hide it and/or move on.




Join us for AI Startup School this June 16-17 in San Francisco!

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: