Hacker News new | comments | show | ask | jobs | submit login
An open social media network that encrypts your posts and distributes via RSS (fastcolabs.com)
95 points by espeed on Aug 27, 2013 | hide | past | web | favorite | 55 comments

> We are building the first fully-conforming trsst server, plus an open source web client including javascript libraries for core functionality like the cryptographic functions.

Wait, wat?

From the first glance it looks like they just patched buzz words together and decided to call it bitcoin-like decentralized syndication network on a PKI

What about anonymity? Anyone who has the whole signing chain could track down the author. The anonymity of bitcoin is achieved by mixing hubs[1], you can't split a blog post in half and mix it.

[1]: https://en.bitcoin.it/wiki/Anonymity

btw what happened to Open Source today? You have to hype on Kickstarter and waiting for people throwing money at you in order to start coding?

>you can't split a blog post in half and mix it.

Hmmm. You must have never used Twitter.

Honestly, I think it is worth skipping cryptographic anonymity for doable now.

If you want anonymity, post from an Internet cafe on a laptop you bought for cash on Craiglist.

is there any internet cafe that allows you to reach the open web without asking you for identification first?

Starbucks is everywhere and only requires that you accept their TOS.

And they save your MAC address to their database.

Anyone planning to leak sensitive documents likely already knows how to change their mac address

But it's not like you can't change that...

Never found one that does ask for ID. Is that your point?

Here where I live the wide majority of cafes (and other hotspots) rely internet access service to telcos which require you to fill in a form on their website identifying yourself before you hit the web. That's why I asked. Nice to know you can browse around anonymously in Starbucks though.

All those I've seen (mostly abroad where I've used wireless in restaurants, airports, etc) allow you to use fake details. I've never registered with true information to use public wireless.

That is really great for you. Here there is not such thing. Go anywhere with public wireless, a hotspot or whatever, connect to their network and try to browse around. Bing, "please choose one of our plans: per hour, day, week or month". Type in your credit card number and you are "free" to go. Of course, you can try a stolen ID and/or credit card combination, but then you are at your own risk.

I'm not exactly fond of Bitmessage. But in this case, it seems much better alternative.

> javascript libraries for core functionality like the cryptographic functions.

Clientside JS for crypto? No. Bad idea.


Their reasons:

> Secure delivery of Javascript to browsers is a chicken-egg problem.

> Browser Javascript is hostile to cryptography.

> The "view-source" transparency of Javascript is illusory.

> Until those problems are fixed, Javascript isn't a serious crypto research environment, and suffers for it.

I spent some time working on a project to create an encrypted contact form for people to use on websites. Thought it might make for a good wordpress plugin, but I was wrong.

Having gone from a position of "why not" to "oh hell no" on javascript crypto, the fundamental problems as I see them (aside from the ones outlined in your comment):

* Each javascript engine is different, with different (or sometimes no) sources of differing (or no) levels of randomness, which is essential for crypto to work.

* Most browsers support some level of javascript introspection whether you like it or not. Sure, things like Content Security Policies can be used to limit access from other tabs or domains but it's not just secure delivery to browsers that's a problem with javascript, it's execution integrity too.

* Most of the Javascript crypto libraries I've seen are ports of C libraries using tools such as llvm. As such they were not designed with javascript's functionality in mind, and as such are unlikely to have been anywhere near as scrutinised for side channel leaks as something built from the ground up.

The final nail in the coffin for my project was the fact that I'm not supporting a set of browsers, I'm supporting a set of ecosystems. Anything from plugins and extensions to minor version changes can affect the behaviour of a javascript engine in an unexpected way with potentially dangerous outcomes. I couldn't in good faith release a tool that lets grandma contact you without having to install PGP but in reality may mean she gets black bagged regardless because she used a dodgy tablet with no randomness source.

There are some relevant considerations in that document but I found it to be very dismissive. SSL for example is not hard to implement, and going ssl-always is now quite common.

Don't get me wrong, I certainly don't want to advocate slapping some crypto lib onto a site with a bunch of marketing script. A project from scratch with these considerations might some day get it done.

For now, crypto should be done via a native client. In the case of encrypted p2p communication, clients such as http://retroshare.sourceforge.net/ get the job done nicely.

The name is absolutely horrible. And they shouldn't just re-use the RSS logo, even at this stage.

I think it's a play on "trust". Maybe capitalize on the current v for u trend and name it Trvst? It's slightly more legible and won't be a kick in the ego to change.

I believe the name is making a portmanteau of RSS and trust, hence trsst.

I won't use it - it doesn't end in .ly

Second everything you said.

Side note -- in case you're curious about the origin of the RSS logo: http://www.squarefree.com/burningedge/2004/09/26/2004-09-26-... (5th item down).

I'll leave aside the comparisons to tent.io, app.net, StatusNet, and many other services...

Considering that most Twitter users seem quite comfortable with publishing their posts for all to see, marketing a Twitter competitor as a post-Snowden measure seems somewhat opportunistic to me, especially when there are many other benefits to decentralized/open Twitter replacements.

Their whitepaper can be found here:


Can someone explain this system? I see the word decentralized thrown around, but the Kickstarter seems based around them building a server and hosting this. What is decentralized about them controlling the user ids? Basically: What am I missing here?

Yeah, I'm not sure I get it either. They call it a "syndication network" which, for me, gives the impression of a distributed network that is strictly controlled, which defeats the purpose. I hope this is just poor wording.

When I click this link I just see a picture with no text. Is this brilliant open source twitter replacement limited to zero characters instead of 140?

FastCompany server seems to have f'ed up. Here is the Kickstarter link:


I saw nothing but a picture of an RSS icon, and thought that was the joke: you can "follow" people by subscribing to their RSS feeds, and RSS already exists.

I don't see what the problem is. RSS works, why reinvent the wheel?

Twitter became popular because browsers didn't elegantly handle feeds. Tumblr blogs (or blogs in general) with post comments and following are much more open and just as usable as the Twitter platform, if you provide easy to use rss syndication and browsers support easy to use feed browsing without having to search out a google reader replacement.

It is dead for me too.

"Looks and feels like Twitter"

(actually uses screenshots from twitter to pitch product)

Why does this crap gets upvoted at all?

Everyone and their mother can build a Twitter clone in 24h. Add a week for encryption and security.

There's absolutely nothing new about this idea. Nothing. They don't even have a working prototype. All thin air.

On top of that, what's the big deal with privacy nowadays? It's the opposite of what we should aim for as a society. Transparency is not only unavoidable, it's a good thing.

Market this as a tool to organize protests in countries where privacy is a necessary evil, and maybe it will make more sense.

> Why does this crap gets upvoted at all?

Who'd have guessed? It's an article about tech on a tech site.

> What's the big deal with privacy nowadays?

We found out about wholesale global surveillance.

> It's the opposite of what we should aim for as a society.

Just as I want to poop with the door closed, I also want to discuss private matters privately. Not everything in my life should be public and I should have the final say over that. Should every start-up be subject to absolute transparency? Kinda eliminates any competitive advantage if your competitors know what you're up to.

> Transparency is not only unavoidable, it's a good thing.

Transparency of government, yes. For the rest of us, mind your own damn business.

> ... privacy is a necessary evil ...

The good thing about having the option of privacy is that it's not forced upon you. If you're not happy with your life being private, you're free to share. When that option of privacy is eliminated, however, you're forced to share everything even if you don't want to, and that's pretty much the opposite of liberty.

"On top of that, what's the big deal with privacy nowadays? It's the opposite of what we should aim for as a society."

That's what you (and Zuckerberg) think, but lots of other people disagree. For example, a journalist trying to communicate with a government whistleblower like Snowden (or any other sensitive source) requires privacy in any country. And some people just don't want the NSA/FBI/police reading everything they post to their group of friends.

Transparency is not only unavoidable, it's a good thing.

== No. Assymetry of information is unavoidable.

I wonder when people will realize that Twitter is not the enemy. I do believe in decentralized social networking, but some software package you throw on your web server doesn't seem like the solution. We need a new Internet protocol.

Even so, I wish this team luck and hope it to gain traction.

Due to their centralized nature, and the result of being located in the US as one of the largest communication platforms, Twitter has become the enemy. It was probably not their intention to become the enemy, but that's the consequence of being located on US soil and being one of the largest service providers (just as Facebook and Google have.)

When you decentralize, where providers are only responsible for a relative handful of the overall userbase, 'hoovering' is much more difficult.

I already know about its centralization and being in the US. So what? I don't put sensitive information into Twitter like I do in Google services.

Do you expect your blogging service to be encrypted and private too? I guess the private messages should be secure but oh well, I've even heard Twitter demanding warrants for giving out DM info.

Edit: I do wish we could expect "private messages" to be private.

Maybe I'm lost on the service, but why would anyone expect privacy from Twitter? After all, any company can open their wallets and get the firehose from Twitter in realtime. Why would the NSA be barred from that?

The idea behind decentralization isn't that it eliminates surveillance, but that it makes indiscriminate mass surveillance less easy, especially when combined with good cryptography.

Mass surveillance has existed in other societies without the help of today's technology, but technology, especially when it aggregates aggregates data in large hubs, makes it very easy.

It's not the protocols that are to blame (they're just contracts for how things talk to other things) for enabling mass surveillance, but the way we've structured our software and services.

Is there any intrinsic value in Twitter other than the plethora of people using it?

> Is there any intrinsic value in Twitter other than the plethora of people using it?

s/Twitter/[any social network]/

The point is the people using it.

My (not explicit) point exactly. All this fad about twitter clones makes no sense to me.

Sigh. There are so many people doing this. I couldn't access the main article but read the Kickstarter page. From what I understand this is a plea for funding for (basic) components that are already built by other teams, but with an extra layer of encryption and a copy-cat UI.

Why not just focus on encrypting content on an existing decentralized network project like pump.io or GNU social? Or any other open network? Build on some momentum that is already there rather than debug message transport for life?

It's cliché, but competition stimulates demand.

I'm not entirely sure I understand what's going on. I suggest changing the explainer video to at least a talking head - yes, old, but they have much better recall and have been proven to change brand preference (even with cigarretes)a and try to find a better synonym for 'encryption' - Good luck. Going against Twitter is a tall order.

At first glance there's stuff I like and dislike about this, but the strongest thing is probably separating out how the messages move around from how the keys move around.

Moving encrypted blobs around is easy, as long as you don't care about traffic analysis. Handling keys is a bit harder. Separating those makes sense.

Thought about this before, but there is one problem: you still leak loads of metadata just like with e-mail (whom you're communicating with, when you're communicating, how much you're communicating, and perhaps other things). Because of this, I didn't see any advantage.

Do they hope to be as successful as Diaspora? "open social media network that encrypts your posts and distributes via RSS" sounds like a great summary of a killer project that nobody will ever use.

Uh, isn't the primary purpose of Twitter to make your posts PUBLIC?

Edit: I guess the focus is on the private messaging aspect, which I never use. Perhaps this is more popular than I realize.

These people look unprofessionals, judging by their intro video.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact