[cryptography] OTR algos for multi-user chat

Kevin W. Wall kevin.w.wall at gmail.com
Thu Dec 30 15:01:56 EST 2010

On 12/30/2010 12:14 PM, travis+ml-rbcryptography at subspacefield.org wrote:
> On Tue, Dec 21, 2010 at 07:33:23PM -0500, Kevin W. Wall wrote:
>> On 12/21/2010 04:28 PM, travis+ml-rbcryptography at subspacefield.org wrote:
>>> PS: If you know any coders who are bored,
>>> http://www.subspacefield.org/~travis/good_ideas.txt
>> Or maybe I should have said, if I respond to those that *HAVE* been
>> done, would you update your list?
> To everyone who might do so, the answer is an unqualified yes.
> Finding out they're already done might solve a need I have.
> You may reply directly to this to get it seen and not mixed up 
> with list mail
> Thanks :-)


I've commented on the stuff that I know about, so hope this helps a bit.
See below and look for lines prefixed by 'kww> '.
Kevin W. Wall
"The most likely way for the world to be destroyed, most experts agree,
is by accident. That's where we come in; we're computer professionals.
We cause accidents."        -- Nathaniel Borenstein, co-creator of MIME

========== http://www.subspacefield.org/~travis/good_ideas.txt ==========

Often I hear from people, especially younger ones, that they don't know what
to do.  I have compiled a list of ideas that I think would be great for someone
to work on.  Next time someone says they can't think of something to do, or
that they are bored, point them to this page.

This page is kinda old so check around and make sure the problem hasn't
already been solved.

# Programming and development ideas:

Create a tool that figures out (like make) in what order to run the
startup scripts on Linux.  Get rid of /etc/rcN.d altogether.  Cheat by
checking on how other OSes do it, NetBSD had a tool like this IIRC.

kww> For starters, this might help:
kww>    http://en.wikipedia.org/wiki/Init#Other_styles
kww> Of those listed here, I have read that Ubuntu's "upstart" and
kww> Fedora's "systemd" are gaining quite a following. I believe that
kww> systemd is scheduled to be the default mechanism in FC15 and
kww> that upstart has already replaced the old SysV style init under
kww> the hood for Ubuntu (and I think for Fedora as well). Not sure
kww> it that's what you are getting at or not.

Create a web front-end for managing asterisk.

Create a web front-end for a firewall like OpenBSD's pf or Linux's
iptables.  Show the last N blocked packets, the top N destination
ports of blocked packets over different periods of time, the top N
source IPs of blocked packets, etc.  This is open-ended; you can get
creative with graphics, such as the gd library for PERL, or even
visualization packages like graphviz, LGL, VolSuite, OpenQVIS, etc.

kww> Some of the GUI-based firewalls that use iptables or pf provide
kww> some of these things and others are provided by add-ons. I am quite
kww> happy with IPCop (mostly because it works well on ancient hardware)
kww> and it's add-ons. I've also heard good things about Smoothwall and
kww> PfSense. You can find a more complete list here:
kww>    http://en.wikipedia.org/wiki/List_of_Linux_router_or_firewall_distributions
kww> Finally, the 'ntop' and 'ngrep' programs might provide you with some
kww> of these things as well.

Create a secure and standard way to tell routers and firewalls
(e.g. my DFD) to open up a port to a particular machine.  See SPA, uPNP.

kww> IIRC, there is an emerging standard for this that I think that
kww> Ivan Ristic and a few others have been pushing for and that has been
kww> adopted by some of the commercial firewall vendors, but for the life
kww> of me, I can't recall what the "standard" is named. I think it uses
kww> some XML format (but what doesn't now days).

Create a FLOSS standard, possibly based on XML, for calendar entries
that works with cell phones, and a format for mailing meeting
invitations to people, and MUA plug-ins or helpers to add them to your
calendar.  Also let it scrape sites (like RSS aggregators) for import
into your own calendar. Like Google Calendar, but on your own systems.
I think Google calendar uses ical, so maybe look at that.  Also look at:
    * Chandler
    * Citadel
    * Claws Mail (vCalendar plugin is required to handle iCalendar in Claws Mail)
    * Darwin Calendar Server
    * Drupal with its event module
    * Evolution the Gnome email/calendar client
    * Horde
    * Kontact (namely KOrganizer and KMail)
    * Lightning (a Mozilla extension for Thunderbird)
    * Moodle will export iCalendar data or let you subscribe to a Moodle
iCalendar feed
    * Mulberry
    * OLAT - LMS supporting import and export of personal and shared calendars
via iCal
    * OpenCRX
    * Opengroupware.org
    * Open-Xchange
    * PHP iCalendar web based display of shared calendars
    * Plone open source content management system
    * Simple Groupware
    * SPIP a CMS that allows the export of its site calendar in the iCal format
    * Sunbird (a Mozilla stand-alone application)
    * TYPO3 via its Calendar Base Extension
    * WebCalendar
    * WebGUI
    * Webical
    * Zimbra Collaboration Suite

Linux programmer to take over dynamic firewall daemon from me.
Look for link to dfd_tbk

Write a graphical password entry program for a cell phone platform.
Then write an app to keep data encrypted, using the graphical
password.  Consider interoperating with gnukeyring.

Compile programs and create packages for them for your favorite distro.
For example:
OS			package
OpenBSD 3.7		apcupsd
FC3 source		apcupsd
OpenBSD 3.7		Twisted (www.twistedmatrix.com)
OpenBSD 3.7		ZopeInterface (www.zope.org)

kww> These are pretty old OS versions. (FC3 ?? Last I checked, FC14 had
kww> been released.) Also, FWIW, it seems as though the Packman repository
kww> has pretty much everything that I had ever wanted. You might check it
kww> out. I thnk it only handles RPM format, but there are other similar
kww> repositories that do the Debian package format.

Write regression tests for your favorite distro.  That's where you write a
test for every fixed bug to make sure it doesn't get re-introduced.

kww> Its hard to write unit tests for some bugs, so while I like this as an
kww> ideal, it's probably not terribly pragmatic. Having been involved in
kww> OWASP ESAPI, I know that even getting this concept across for security
kww> bugs was not well accepted at first and as much as I'd like to see
kww> such a practice adopted there, I can tell you that with most FOSS
kww> projects, it's just not ever going to happen. It's hard to get non-paid
kww> developers to do write unit tests at all, but for ones where the bugs
kww> require some specific context and requires the use of "mock interfaces"
kww> to a large degree, I just don't see that happening in the general FOSS
kww> community.

C program or PERL script that takes an image or other file and
converts it into an array for use embedded within a program.

kww> There's a command-line utility called "convert" that comes with
kww> most Linux distros and does much of what you ask.

Write a version of "the bodyguard" that logs you out when root logs
in.  The idea is if you're tunnelled through a system and interacting
with the next hop, if root logs in and starts poking his nose around,
you disappear.  For extra credit, re-establish the tunnel around the
node where root logged in.

Write a good [security/auditing] footprinting tool.  Make it modular,
and write it in python or ruby.

Write a replacement for TITAN, the system tightening script.  Make it
modular, and write it in python or ruby.  Allow the user to say things
	mailman module: "list such-and-such should never be open to public"
	DNS server module: "no recursive resolutions, except for XXX"
	postfix module: "all traffic should be secured with TLS"

Write a replacement for the old Kuang expert system.
Make it modular, and written in python or ruby.

Write something like tcpdump or wireshark, but write the protocol
decoding routines in a safer language.  ruby and python come to mind,
but ocaml might be faster.

Write a version of the old AT&T PathServer, but integrate it with a
keyserver and support new GPG keys.

kww> Question: Do you *know* of any good FOSS keyservers? I've not seen many
kww> and those that I have seen seem to be slapped together without having any
kww> explicit threat model. But I'm looking for one to integrate with a
kww> future version OWASP ESAPI crypto, so if you have any recommendations,
kww> I'd be much obliged.

Write a network daemon in a "safer" language than C (java, perl,
python, ML).  See privilege.py for examples of how to drop privs:

When you subscribe to a mailing list, they often send you a
verification message.  Write a tool that sends the subscription
request, and automatically responds to the verification message.
Optionally, have it respond to ANY verification message it receives
(less safe, but convenient).

When you receive an email from a list, you have to examine RFC 822
headers to see how to filter it (unless you like all copies of
messages cross-posted to 2 or more lists to end up in the first
mailing list's folder).  Write a tool which automatically figures this
out and creates a .procmailrc entry for the new list.

Write something like password-gorilla, but not in TCL.
It's too slow.
Maybe python.
Come up with a better GUI, that allows you to copy nodes, move subtrees, etc.

Take over maintenance of an abandoned software project.

Write a user/directory service that is:
Like NIS but doesn't use portmapper/RPC, and is secure
Like LDAP but without the x.500 baggage and for just one thing

Write a secure replacement for NFS.  It should not be limited to
8 supplemental groups, and it should use soemthing like SSH keys
for authentication.

Work with the FSF on a Skype replacement.

Do something like rdiff/rsnapshot that can back up multiple machines
without creating new config files for every machine.  Or look at
duplicity and try doing something similar to that.

Create a PDF replacement format that's open and not full of security

A better make:

	The Makefile language is difficult to read and obtuse (GNU
	make moreso, BSD make less so).  Perhaps it is time to make
	something better than make.  In fact, it might be a great idea
	to write it as python, because python's syntax is so clean and
	simple that most programmers can use it, even if they haven't
	learned python.  Plus, it will be so extensible; imagine the
	difficulty of modifying how GNU make worked, and compare that
	to modifying a python program.

kww> Have you tried Glenn Fowler's nmake, out of AT&T Research Labs?
kww> It's part of the 'ast-base'. Check it out at:
kww>    http://www2.research.att.com/sw/download/
kww> but there's other packages there that are related to it as well.
kww> Of course, most people try to tell me that 'ant' is the answer to
kww> this, but if Makefile language is difficult, well, just don't get
kww> me started with XML. It's easy to read, but a bitch to write.

	When generating a HTML file via a program like lyx, you get a
    number of output files:
	- foo.html
	- various GIF/JPG/PNG files
	- some crap, like latex log files
	Problem is, you don't want the crap files on your web server,
	and specifying the many-to-many relationship of input files
	(lyx plus images) to output files (html plus images) is nearly
	impossible in traditional make.  Figure out a better way.

Create a way to synchronize bookmarks between multiple machines
without relying on someone else's servers.  It should be FLOSS, and
could do neat things like de-dup, update when hitting permanent
redirects, show bar graphs of reachability, automatically redirect
to archive.org when the page disappears, etc.

Write a firefox plug-in or web proxy that allows you to seamlessly
navigate through archive.org's archives.

Learn IDA Pro very well, and then write something better, preferably
in a better/safer language, possibly python or ruby (or maybe ocaml,
java, clojure, etc.)  First review ollydbg and see if it's a good
base, or whether it needs to be a rewrite-from-scratch.

Make something with all the functionality of OpenSSL, but in OOPL.
  - error conditions are handled really strangely
  - code is obscure
  - API keeps changing
  - make sure it gets in Ubuntu repos

Make a better CA program than TinyCA.
  - UI is weird
  - write it in python/ruby to make it easy to fix
  - investigate XCA
  - make sure it gets in Ubuntu repos

Write a new, secure version of torrentflux
  - do NOT use PHP (and def no allow_url_fopen!)
  - do NOT have RFI vulns
  - use python web frameworks

Some kind of tool that reminds you of things just before
you'll forget:
And then remind you at expoentially increasing intervals:

Write some kind of rsync-like algorithm
  - possibly as a C library
  - or maybe as an OO framework (python, ruby)
The nice part about OO framework is that you can customize
parts of it quite easily.
This would be useful for my HDB project:

Write a secure replacement protocol for IRC
 possibly use SILC as a baseline
 then write a secure server in e.g. java, ruby, python
 consider an asynchronous server for scalability

A better archival framework
 maybe something like an OO tar to avoid complex logic

A modular compression framework
 design the predictors, encoders, dictionaries as replaceable components

# Creating Unix distros

Create a distro that specializes in anonymity services, crypto,
defensive network security.

kww> BackTrack has some of this, but probably not quite what you are
kww> looking for. There are quite a few "DIY custom Linux distro builders"
kww> out there now, so if you want this built, you'd probably at least
kww> need to specify the packages you are looking for. (No, I'm not
kww> volunteering! :)

Create a distro that specializes in p2p and filetrading

Create a distro for kick-ass anti-spam mail servers

Create a distro for a dedicated email server.  Be sure to include tons
of anti-spam measures, so that the spammers don't have a single target
to optimize against.

Create a Linux distro specifically for gaming.  Include as many games
as you legally can.  Include Wine and Windows games, if you can.

kww> You thinking of something like this?
kww>    http://live.linux-gamers.net/

Create a distro specifically for game development, and/or a slim
run-time that can run easily under any OS (e.g. via VMWare or Xen or
Virtualbox).  Wouldn't it be cool to pop in a CD/DVD and boot directly
into a OS optimized for the game, or run it efficiently in a VM?

# Writing and/or documentation ideas:

Summarize conversations on mailing lists.  There's one like this
for LKML, which is just too high traffic.  Someone needs to do
this for full disclosure and BUGTRAQ.

Summarize conference proceedings (DEFCON, Black Hat, etc.)

Write a better RAID FAQ.

Write a homepage for the mdadm tools with good usage info.

Write some documentation on bluetooth network stacks in Linux.  You
may even dive into bluetooth networking models and basics.  But please
create documentation on hidd and other userland tools.

Write some documentation on USB.  Answer the question: If I have an
arbitrary USB device that only comes with windows software, how do I
make it work on Linux?

Document ACPI well.  For example, if my laptop's sound and wireless
don't work after closing the lid, how do I fix it?

Write a HOWTO on SELinux that isn't super boring.

kww> I'd settle for one that is a bit more lucid. :) Of course, last time
kww> I tried this was on Engarde Linux about 4 yrs ago and they had their
kww> own set of rules that no one else used, so that was part of the problem.

Start archiving and indexing email lists and sell CDs as reference

Create a web site comparing and archiving various software licenses.
Explain what kind of situations demonstrate the advantages of one over
the other. (probably done)

Write a book for O'Reilly on build systems.  Not just GNU make, but
how to structure your source code repositories to build programs,
documents, etc. quickly, consistently, easily.

More information about the cryptography mailing list