Hacker News new | past | comments | ask | show | jobs | submit login
Lulzlabs AirChat: Free Communications For Everyone. (github.com)
86 points by jamesbritt on May 2, 2014 | hide | past | web | favorite | 62 comments

As a radio amateur may I say... ugh. Most amateur radio licenses prohibit encrypted communications. And for good reason: the ham bands are a shared resource, they are not there for private conversations.

Here's the relevant regulation in the UK license: "11(2) The Licensee shall only address Messages to other Amateurs or to the stations of those Amateurs and shall not encrypt these Messages for the purpose of rendering the Message unintelligible to other radio spectrum users."

The idea, in the AirChat proposal, that institutions like the FCC, OFCOM, etc. are 'evil' because they regulate spectrum is ridiculous. The only reason we can communicate successfully on radio is because someone is regulating who gets to use what and how. The AirChat proposal mentions using the Yaesu FT-897D for test transmissions. That's a ham radio operating in the specific bands licensed for hams to use. So, these guys are (a) breaking the law (which they don't care about) and (b) messing things up for other radio users.

Amateur radio (I'm W6OCT) is for experimenting with technology ("advancing the radio art") and teaching people how to use the technology. I'd argue encryption is now a fundamental enough technology that banning it hinders advancements to the radio art, and fails to teach people key skills.

There was a practical reason to prevent coded transmissions during the cold war -- by doing so, it allowed cross-border communications which countries otherwise would have banned. Bilateral communications between individuals made war less likely and peace more possible. It wasn't to keep the radio spectrum safe from commercial use (since commercial users didn't use crypto, either, at the time).

There are other whole classes of amateur radio use which are precluded or seriously hindered by lack of encryption -- disaster work which communicates PII in a medical context, certain police or security backup use.

I'd like to see encryption permitted on certain bands; some where the keys are required to be exchanged in the clear (for protocol development), and some where people can use real keys but still tag the communications with their callsign and be aware of and responsive to any interference.

ISM is inadequate due to frequency bands; if the proposal is to open up dramatically larger parts of the spectrum to ISM-type use, then I could be fine with that too.

I'd like to see encryption permitted on certain bands; some where the keys are required to be exchanged in the clear (for protocol development), and some where people can use real keys but still tag the communications with their callsign and be aware of and responsive to any interference.

That would make sense if it was clearly on the band plan.

> ... shared resource ..

I don't understand this. Roads are a common resource but (so far) we're not forced to ride only in buses. Also, one can have a conversation in a 'cryptic' language, or is that prohibited as well ? :)

Yes, one can have a conversation using 'cryptic' language. For example, it's common to hear Q-codes used (http://en.wikipedia.org/wiki/Q_code); they are cryptic unless you know what they are. They are not, however, secret.

I fail to understand your analogy about buses and cars.

Amateur radio is about amateurs learning about, improving and using radio. It is not about private conversations. If you allow encryption on the amateur bands then you are de facto excluding others. Part of the joy of amateur radio is picking a transmission out of the air, listening to it or 'decoding' (not in the cryptographic sense) the transmission scheme used.

I would suggest that Lulzlabs people look at not using an amateur radio band. There are unlicensed bands that they could use for this purpose. e.g. http://en.wikipedia.org/wiki/ISM_band

Most major highways don't allow pedestrian or bicycle traffic (among other things). Most roadways don't allow unlicensed vehicles. You can't go start up a pickup hockey game in the middle of a major road. This is all regulated. You can't just go use a road for any old reason, just because it's perfectly capable of being used for that reason.

Completely unregulated spectrum would probably be intentionally filled with garbage and the remainder sold back at the highest possible prices. In other words, some ass(es) would DDOS the spectrum to create scarcity.

If encrypted comms were allowed on open bands, commercial users would probably use the free spectrum and it would be difficult/impossible to get them not to.

Considering the laudable intended user cases I think limiting the argument to spectrum policies in the UK or USA is a bit unfair.

The source file is a big mess, 4chan slang everywhere, twitter authentication code, rss reader code (WTF? Why?), random commented code, "nones" and "yeah" strings instead of booleans, random HTML scattered everywhere, I could go on.

This just seems silly and insecure. Noone in their right mind would use this for any kind of serious secure communication. Personally I'd wait for someone to remove all the extraneous stuff, make a real protocol definition and make this modular (for example, split the web-interface from the server).

Great idea though, and a nice proof-of-concept, I'd give them that. There might be a real need for something like this when governments shut down or block internet connectivity.

I'm viewing it as intentional, a childish meta "fuck you" towards the various government agents that they imagine will be forced to spend hours deciphering the code.

It totally flies in the face of open collaboration however.

If you watch the video you can see that the RSS code is used to receive RSS feeds (I guess for those people who don't have internet access) and the Twitter auth is used similarly to receive Twitter updates (e.g. they show :twittersearch=#syria)

The video is quite interesting, it shows the proof of concept.

I agree about the source code though, they have tried too hard being "lulz" at the expense of readability.

This project is very, very interesting. Unfortunately it requires some investment in the radio equipment, but I can see in a few months some Arduino bundles with this code and the radio antenna...

I may have been too harsh in my original reply also; the author has some comments on github about a code review that was done: http://cl.ly/2A0b093d3i3N

The amount of evals in the code is troubling too...

    eval{$penis = $cgi->param('postfield')};
    eval{$penispenis = $cgi->param('postfield')};

That's a block eval, not a string eval. Block evals are the equivalent of a catch block in Java or the like, so this is perfectly safe (modulo correct exception checking and such, of course..

Although this isn't exactly a case of great eval use – the exceptions are effectively swallowed after printing (at least use warn?), and the $@ isn't being properly localized

Just because the code doesn't confirm to your latest language standards and flavor-of-the-month Javascript-framework doesn't mean it is silly or insecure.

In fact you even acknowledge this in the last paragraph. This sounds like a cheap stab at Perl.

No need to be defensive, this really is crappy code. It's just one big file of hot mess.

Clearly, the author is better at home breaking software than making it. And it's fine. He or she also has certain amount of artistic leeway in expression, but not excuse from secure programming.

Have you ever looked at the Linux kernel source files? ViM? Just because the code is bad doesn't mean the application is bad.

Have you? Linux is gorgeous!

Plus this thing is meant to evade governments; you can't expect something this hideous to be audited, and used, and for others to trust their lives with.

Wait, gorgeous? Since when?

This honestly is not an example of very readable code: https://github.com/lulzlabs/AirChat/blob/master/airchat.pl#L...

Why so many regular expressions everywhere? 0_o

You lost me at .pl ..

There's a lot of problems with using radios (particularly ham radios) for this:

1) "over-regulated by evil organizations like the FCC and similars shits around the world" yet using technology that is only available for use because of the FCC. If the FCC didn't set aside radio frequency bands for non-commercial use, this project would be infeasible because the radio bands would be in use already. The FCC and its ilk is the only real reason that ham operators can operate - the frequencies have been set aside for licensed amateur use.

2) "transmissions are anonymous" but only in data - radio location is as old a location technology as radio itself. Many GA aircraft still use radio beacons as fallback when GPS and VOR signals go down. It's simple, anybody can do it, and unless you're on the move, you will be found.

3) "We don't give a fucking shit about prohibitions over the use of encryption. fuck you NSA." And yet it's probably not the NSA who will care the most, but the FCC (ironically the group with the specialized equipment vans capable of finding you). Worse, if too much non-licensed, encrypted communication happens over radio (especially the frequencies reserved for ham radio), it's possible that the FCC will revoke the non-commercial use of the airspace, which would cause a whole host of other problems. That frequency space (which includes a number of harmonic frequencies throughout the radio spectrum from ULF to UHF) is ridiculously valuable, because it's a finite and highly contested resource.

I applaud the concept and idea, and cringe over the consequences and ignorance thereof.

I have been wanting to create something similar for years. Before I had access to the Internet, I used "packet radio", a CB-radio based network (there were/are amateur radio band versions too). The whole Netherlands, as well parts of Europe, were wireless connected (at 1200 baud) and one could send messages via the network of nodes from one side of the country to the other side, usually within days. Or chat with people one could contact directly (usually within ~10 km iirc).

At that moment I didn't realise how awesome it was, but in retrospect it was pure self-organised anarchy, without any commercial or governmental interference.

Regarding this AirChat, it is sad that they, as it appears to me, did not make usage of the expertise from the amateur radio community. Still, I believe that it has potential.

I can't speak for Netherlanders but over here in the US, all forms of encryption on the amateur radio bands are illegal. (Of course if you're trying to topple your government, arab spring style, I guess that doesn't matter so much.)

Be careful kids, you're playing with fire.

There is a good initial code review which points out the alarming bug that keys are _hardcoded_ in the symmetrical encoding mode, and can be found in the source!

"Basically the script encrypts a randomly generated ephemeral key using RSA but then ignores it and uses the above hardcoded key for symmetric encryption."

[1] http://www.daemon.de/blog/2014/04/25/351/code-review-lulzlab...

Here's a link to the PDF[1] which contains some details about what this does and how it works. And here's an excerpt:

"We ended up with a simple protocol packet: the Lulzpacket. This simple packet contains information to verify there was no corruption during the transmission and a random code to pseudo-identify the packet. We define the addresses of nodes in the net by their ability to decrypt a given packet. Addresses are derived from the hashes of asymmetric encryption keys, Every radio node defines its own address by the pair of keys it has generated for itself and the addresses change if users choose to regenerate their keys. Each node only cares for what is being received. No hardware identification, no transmitter plain identification. only packets matter. transmissions are anonymous. whenever an address is needed to reply to a packet, it is encrypted inside the packet. Packets targeting specific addresses are encrypted and they must be decrypted by the private key only the target possesses. Anyone trying to spoof an address will not be able to decrypt the packet."


This is a lol beginning of something big - imagine a hardware startup making $50 radio dongles that create encrypted p2p mesh network. It would be slow, but with 20+km range, it could be really useful really fast and almost worldwide.

Big part of this would need to be software stack that would replace DNS (centralized, single source of truth) with something distributed (every P2P mesh can have it's own 'domains' - let's just assume there is no way to coordinate globally except each subnet having different random prefix).

Combine with encrypted tunnels over the old compromised internet to link the cities together.

Fck ISPs, fck mobile operators and their builtin surveillance. Impossible to turn off, government-proof, apocalypse-proof...

So, living in a "democracy", can we petition / make the gov allow us that? "We, the people, want this spectrum for our own uses." Can we?... Lol. Sad lol.

Nifty, but looks a bit cluttered. There's stuff in there for twitter, webservers, etc. etc., and it's all in one giant file.

This is probably not super useful for anyone who wants to deploy practical infrastructure with audio transceivers. See tools like dsptunnel for IP-over-audio solutions.

The guy who made this is one of the Lulzsec guys, and recently got out of jail: @APT1337

>I want to cyber my girlfriend (who lives 20 miles away) without having NSA agents fapping to it, can I use this for it?

>ofc, man. thou we require your girlfriend to deliver tits or gtfo. (sorry but it's needed to help us on the datamining of frequencies usage and transmission mode performance raw data through our Hadoop cluster of ARM servers, all those pix will be used for the datalink test.. err...derp)

This is sexist filth.

edit: maybe sexist is the wrong word? But for a project that wants "to build up our sense of community and stand up for our future and rights" the tone of the entire readme is overly sexualised and just unnecessary.

Honestly I am mostly just shocked that at no point was there an ASCII hello.jpg

The code, the readme, and all the other bits are in standard "lulzsec" tone. There is no dissemblance to feign respect for your sensibilities, they don't care. At least they're honest.

Topiary aka Jake Davis from Lulzsec had funnier and more tasteful writing than this. HN back in their defacement days always commented on the quality of the writing. This sounds a bit wannabe, which is a shame since 4chan tends to be obsessed with not rehashing tired content.

Maybe the word your searching for is immature.

What is sexist about that? It seems just sexual to me. Someone who is sexually interested in women talking in a funny offensive way about how they want to see breasts.

Well it's unpleasant and vaguely misogynistic, but I'm sure they're just trying to be funny.

What is misogynistic about it?

Crass yes but sexist, whats sexist about this?

It's crass but not sexist. Lets not pander to A over B discrimination when no such thing is being presented.

Please see definition of sexism.

Between the lulzspeak and the over-my-head jargon I'm not completely clear, but is this sms/twitter/email for ham radio? .... Because that's potentially amazing. Beyond what this could do for communication in the situations it suggests I can think of a lot of fun stuff to do with something like that.

This is still incredibly DF-able, as well as RF fingerprinting of the transmitter.

I'd be very interested in an SDR application which strove for undetectable communications, either super high chirp rate FHSS or UWB.

In practice, you're probably best off by masquerading as another communications technology and hiding your traffic within that, rather than trying to use long-haul broadcast RF to hide your location. A common technique if you do need to radiate a lot of RF and don't want to be DF'd is to remote the transmitter from yourself over some other protocol -- a separate point to point radio link, or stored communications, or an IP/PSTN/etc. link. This is how a lot of pirate radios, military radios and radars, etc. work -- the emitter is at risk, but as long as you can break the link between emitter and controller, that's not the end of the world.

so, where do these people hang out on the depths of the web? any forums that actively discuss this type of stuff? i'm dead serious, haven't looked at that side of things for a long time, just curious what has changed.

Can someone touch on the legalities of using a radio band frequency in the U.S.? I didn't skim the source, so my presumption was it's within a reserved band.

I wonder if this algorithm could be used to avoid collision if many send at the same time:


It assigns time slots to users without the involvement of a central station.

They're really re-inventing the wheel here, there's nothing there that fldigi or soundmodem doesn't do better. AX.25 is built into linux. With that, soundmodem, and a radio you can route whatever traffic want over a radio link.

On the bright side maybe this will help encryption become legal for ham radio.

Why radio, which needs extra equipment, and not wifi which comes built in to every laptop?

Not to nitpick, but wifi is radio. The propagation of radio waves depends on their frequency. The frequency wifi operates on is in the GHz, which mostly is line-of-sight only. This is not always practical. See [1] for an overview of frequency and propagation.

[1]: http://en.wikipedia.org/wiki/Radio_propagation

Ever tried to communicate with wifi at a distance longer than 50 meters? Yeah. You won't get good results.

Beautiful. I'll be playing with this on the weekend.

"Lulzlabs", really?

What's wrong with it? (Seriously)

Programmers seem naturally inclined to name their projects or companies inappropriate names. I once thought about writing an open source Bitcoin exchange focused on security. When I was trying to think of what to call the software, I named it the "s-exchange" library (short for "secure exchange"). Eventually I shortened the name to "sexchange," did a double-take, burst out laughing, then debated whether or not to keep it. The temptation was strong.

I'm not one to really care about what other people think, but on the other hand, there's no reason to portray yourself in a negative light needlessly. It'll just alienate people from your goals for no reason.

So, wait, it's OK when you switch the gender?

It's OK cyber with anyone. Do whatever your sexual desires are (as long as they are legal).

before stackoverflow became popular, there was a site named 'experts-exchange'.. well, I don't think their domain name had the hyphen.

It is hard to take it seriously since it is connected to "4chan", internet-mischievous-thing and generally immature kids.

Negative connotations

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact