On Tue, Mar 28, 2017 at 09:43:12PM +0000, dawuud wrote:

Hey,

Cool project.

Thanks!

Yes... write unit tests with pytest. Sounds good but I would suggest writing tests earlier in the development process next time.

I completely agree (and I feel bad for that).

Does your project have a specification for this software? Otherwise I have to read the code to learn how it works.

I would not call that a specification, but we have written a few pages of documentation. I totally forgot to add these references to the post. There are currently usage instructions for the GUI [0] and the CLI [1], and also its protocol [2]. The latter basically tells how conversations are established and how the packets look like. That's what we have written so far... That does not tell everything about the app, but a very important part of it. Are there any specific aspects you would like to see? I will start writing a bit about its functioning.

Using automat for the fsm sounds like a great idea. You probably will end up making several finite state machines and connecting them together in a graph. If you end up doing that you should probably first draw a picture... it helps to clarify.

I've recently started to experiment with automat myself and I've heard good things about it from my associates.

also you could add :

• hypothesis tests (fuzzing/property based tests)

https://hypothesis.readthedocs.io/

• changes to setup.py and add a requirements.txt
• use python attrs to eliminate boiler plate code in your classes

https://attrs.readthedocs.io/

as an example here's my fork of sphinx, a mixnet crypto library with 100% unit test coverage, hypothesis fuzzing, usage of attrs and a proper setup.py and requirements.txt file:

https://github.com/applied-mixnetworks/sphinxmixcrypto

Thanks! Those are great ideas! Very interesting!

I'd be interested in collaborating with you and mentoring this project.

Thanks for the interest! From your suggestions, I believe the project would be more "developer centered" and I think that is the right way to go. The earlier we do that, the less we are going to regret when things start to grow and get more complex. That is also a great improvement to prevent bugs which can harm the UX as well as anonymity/privacy/security. Do you think that's the approach we should use for this proposal then? I am asking that because I do not know if people would expect more features than "just" code improvements for a project, if that makes sense.

I'm not sure how much time I'll have in the coming months... we'll see.

Well, let me know if there is anything I can do about that.

Thanks David! -Felipe

[0]: https://unmessage.readthedocs.io/en/latest/gui/gui.html [1]: https://unmessage.readthedocs.io/en/latest/cli/cli.html [2]: https://unmessage.readthedocs.io/en/latest/protocol.html

On Tue, Mar 28, 2017 at 11:08:29PM +0000, dawuud wrote:

I suggest making sure your UI follows the pricinples outlined here:

User Interaction Design for Secure Systems http://zesty.ca/pubs/icics-2002-uidss.pdf by Ka-Ping Yee

for example: "Path of Least Resistance. The most natural way to do any task should also be the most secure way."

Thanks David, that is a good suggestion. We did design it with security in mind, but there is certainly room for improvement and I am going to review the UIs.

Does your client support revocation? Ka-Ping Yee says:

"Revocability. The interface should allow the user to easily revoke authorities that the user has granted, wherever revocation is possible."

That will also be included in the review. An example of something that unMessage does similarly is enabling presence. By default you do not tell your contacts when you are online (i.e., you do not connect to all of your contacts on startup), but it is possible to enable which contacts you wish to notify (as well as disable).

Do you think the tasks for the project should be a mix of code/structure and UI improvements?

P.S. I opened issues for all your suggestions and mentioned you on all of them. I just realized that is probably very annoying - I'm sorry for that. Let me know if you would like to copied though.

Thanks, -Felipe

On Sun, Apr 02, 2017 at 04:51:40PM +0000, dawuud wrote:

Hi. I registered with Google to be a GSoC mentor for Tor Project. Hopefully Meejah will agree to be the backup mentor for this and register today or tomorrow before the deadline on Monday.

Let me know if there's anything else timely that I must do for this.

Thanks David!

Here is the proposal I have so far. Please let me know what you think. (It is also hosted at https://gist.github.com/felipedau/8b48c6fde875e673f62d7569a27f254a)

I intend to upload to the GSoC website tonight and add updates until the deadline.

Thanks, -Felipe

# unMessage: an anonymity enhanced instant messenger

In an age where spying, surveillance and censorship evidently became regular practices by various kinds of attackers, it is sensible to be concerned about instant messaging applications, which are very popular communication tools that handle private and identifying information. Such a scenario demands solutions to prevent users from harm these attacks might cause.

There are currently good solutions such as [Signal], [Wire] and [OMEMO] apps that make end-to-end encrypted conversations possible. Although such apps successfully provide privacy, they have a great dependency on servers and metadata in order to work and they are not able to provide anonymity. An app that solves this problem is [Ricochet], by not having such dependencies. However, it heavily relies on the transport it uses and does not offer its own encryption layer.

[unMessage] is also one of those solutions: a peer-to-peer anonymity enhanced instant messenger written in Python that I have been working on for a while with [David Andersen] - my advisor. unMessage uses on its own end-to-end encrypted [protocol] to maintain conversations, focusing in not depending on servers, metadata and transport. We have recently released an alpha version which should be easy for developers to install and test its current features such as message exchanges, authentication, and voice chat, but there is still a lot of work to do in order to achieve a mature state where users can trust it due to its properties and usability. As we believe unMessage has potential to become a great anonymity enhancing app with a code that is simple, readable and therefore easy to maintain, I propose to work on it during this year's Google Summer of Code with the support of the Tor Community to to make it closer to maturity. We expect to implement fixes, improvements and features from our discussions (on its [tracker] and [tor-dev]) in order to turn it into a maintainable, feature-rich and useful app which everyone can benefit from.

## Technologies

unMessage's features were possible with the use of the following technologies:

- Transport makes use of [Twisted], [Tor Onion Services] and [txtorcon]

- Encryption is performed using the [Double Ratchet Algorithm] implemented in [pyaxo] - which uses [PyNaCl]

- Authentication makes use of the [Socialist Millionaire Protocol] implemented in [Cryptully]

- Transport metadata is minimized by Tor and application metadata by the unMessage [protocol]

- User interfaces are created with [Tkinter] for the [GUI] and [curses] for the [CLI]

- Voice chat uses the [Opus codec] for constant bitrate encoding

## Contributions

Since its current (alpha) release, we have been discussing it with [Patrick Schleizer] and [HulaHoop] from [Whonix], who are making great contributions to help us test it, as well as suggesting new features and improvements. We are also working to run it on Whonix (which will allow it to be run on Tails as well) with help from [meejah] by adding a new feature to txtorcon to make unMessage (and all the apps that use txtorcon) "Control Port Filter friendly".

Since the introduction of this project for GSoC, [dawuud] became interested in contributing and mentoring it and assisted me on making this proposal.

## Tasks

The project is split into tasks, each assigned an ID (in parenthesis) that is used to compose the timeline. I have been generous with how much time each task will demand and I am also leaving the whole week of each evaluation to review and make sure the deliverables meet expectations. Therefore, it is possible that I am able to work on additional tasks in case they consume less time than planned.

### Improve setup script (T1)

This task will improve unMessage's `setup.py` by removing redundant package metadata, use files for the requirements and offer development requirements. This task will be tracked in [issue 35].

### Use attrs (T2)

[attrs] is used to simplify the code by removing boilerplate, make it more concise, and consequently improve its quality. Classes definitions will be modified to use attrs' declarations so that attributes have default types and values, as well as validation. This task will be tracked in [issue 34].

### Support file transfer (T3)

unMessage is able to support various elements of a conversation such as requests, messages and authentication. New elements to transmit file requests and the actual files will be added and handle by the elements parser. This task will be tracked in [issue 12].

### Add a logger (T4)

There is currently no logging being done and in order to debug, the only possible approach is using the UIs. A module will be added to send logs to the terminal and a file. This task will be tracked in [issue 30].

### Use automat (T5)

There are certain objects in unMessage that are state machines. Their implementation are very simple and limited as initially they were not designed as state machines. In order to turn them into real state machines, [automat] will be used. This task will be tracked in [issue 26].

#### Design the concept (T5A)

Before implementing, I will map the state machines to be created, draw the graphs and have a clear understanding of their transitions and behavior.

#### Use automat state machines (T5B)

With a design to follow once T5A is done, I will convert the objects into automat state machines.

### Make functions/methods asynchronous (T6)

unMessage's initial implementation did not use Twisted and it had pre-defined callbacks in order to continue the path of the action it was performing. It later migrated to Twisted but the pre-defined callbacks are still used. Such callbacks will be removed and the functions that are part of these asynchronous actions will return `Deferred`s to make an actual callback chain. This task will be tracked in [issue 21].

### Add a test suite (T7)

There is not a single test written for unMessage and that is crucial to continue its development. The test suite will be made with [pytest] and will also use [hypothesis] for fuzzing/property tests. I do not expect to achieve 100% converage, test the most important parts of unMessage (mainly the `Peer` module). Also, as I am not familiar with User Interface tests, these will not be part of the task (we are also planning to use a different framework for the GUI, so its tests will only be created after there is a decision). This task will be tracked in [issue 33].

### Offline messages (T8)

As part of unMessage's design, no servers are used to establish and maintain conversations. As a consequence, peer-to-peer communication requires users to only be able to chat while both are online. Although unMessage's protocol supports asynchronous communication, this limitation forces conversations to be synchronous. In order to solve this problem, a [Tahoe-LAFS] server will be used to temporarily store unMessage's packets for peers that were not available when they were sent and can be retrieved later once the peers are online. This task will be tracked in [issue 32].

### Timeline

Tasks/Weeks | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 ------------+---+---+---+---+---+---+---+---+---+----+----+---- T1 | X | | | | | | | | | | | ------------+---+---+---+---+---+---+---+---+---+----+----+---- T2 | X | | | | | | | | | | | ------------+---+---+---+---+---+---+---+---+---+----+----+---- T3 | X | | | | | | | | | | | ------------+---+---+---+---+---+---+---+---+---+----+----+---- T4 | | X | | | | | | | | | | ------------+---+---+---+---+---+---+---+---+---+----+----+---- T5A | | X | | | | | | | | | | ------------+---+---+---+---+---+---+---+---+---+----+----+---- Mid-term 1 | | | X | | | | | | | | | ------------+---+---+---+---+---+---+---+---+---+----+----+---- T5B | | | | X | X | | | | | | | ------------+---+---+---+---+---+---+---+---+---+----+----+---- T6 | | | | | X | X | | | | | | ------------+---+---+---+---+---+---+---+---+---+----+----+---- Mid-term 2 | | | | | | | X | | | | | ------------+---+---+---+---+---+---+---+---+---+----+----+---- T7 | | | | | | | | X | X | X | | ------------+---+---+---+---+---+---+---+---+---+----+----+---- T8 | | | | | | | | | | | X | ------------+---+---+---+---+---+---+---+---+---+----+----+---- Final | | | | | | | | | | | | X

# Background

I am a Senior studying Computer Engineering at the Federal Technological University of Parana in Brazil. In January of 2014 I went to the U.S. for an exchange program, which lasted until December. During the Summer of that same year, I joined a research project lead by David Andersen where I learned about Anonymous Communication and became so attracted to the field that I continued to be part of the project since then. We have mostly worked on [nymphemeral], [pyaxo], [nymserv] and recently, unMessage.

# Code sample

I have a few repositories on my [GitHub profile] and I recommend taking a look at the ones referenced above, but specially [unMessage] and [nymphemeral], which are the ones I have mostly worked on.

# Why The Tor Project?

As I mentioned, I have been studying Anonymous Communication for almost three years now and I intend to keep doing it not only because I enjoy it, but because it is an important field capable of helping millions of people around the world.

In my opinion, The Tor Project is the biggest organization of its kind and working with people responsible for software I run everyday is a dream of every developer.

The Tor community continues to grow every day and I believe that participating in the Google Summer of Code will also contribute to that.

# Experiences with free software development environments

Since I joined the research project, I have been mostly working with David Andersen on the projects I mentioned previously and git/GitHub make our work a lot easier to work in parallel on the same code, manage tickets to help us keep track of the development and interact with contributors interested in what we do.

Whenever I see a project which I can contribute to, even if a it is a small change, I open a ticket or make a pull request if I am able to. My [GitHub profile] lists all my contributions.

PyNaCl is one of the recent projects I contributed to. While working on pyaxo I noticed some of the encryption calls could be improved to simplify their usage by making an argument optional. The developer who reviewed the pull request was very positive about it and assisted me while updating the docs to cover this new change.

While working on unMessage I asked Patrick Schleizer and HulaHoop for help as it would be great to have it running on Whonix. We have had great discussions and contributed to both projects in order to provide this feature. Along with the development, some changes to txtorcon were appreciated and we have also been working with meejah on that.

# Commitment

I have concluded all classes for my degree and I am currently an industrial IT intern at an Engineering and Software company, which is the only commitment I will have besides GSoC throught the duration of the program. I intend to work on unMessage 5~6 hours on weekdays and the remainder of the workload on weekends.

# Post GSoC

The tasks we picked to work on GSoC are a subset of all the ones we have been discussing during unMessage's development, which means that there will be more work to be done after GSoC. Also, unMessage is quite a big project. There are lots of possibilities to explore in the instant messaging field as well as many challenges to overcome when offering an application with usability and features as good as the popular ones, while protecting users' privacy and anonymity. I intend to keep working on unMessage until we have an application that accomplishes our goals.

Also, as I have been working with anonymous communication for a while, I do not see myself going somewhere else soon, so the chances of keeping contributing the Tor community are high.

# Communication

I intend to use IRC to discuss with my mentor and other tor devs (who wish to contribute to the project) about ideas and actions to be taken.

To formalize what is discussed on IRC, I will use unMessage's tracker on GitHub to manage features/enhancements/issues to keep records and maintain an organized environment for the development of the project, as well as interact with contributors. I am suggesting this tracker as we have already been using it for a while, but I can migrate to Tor's Trac if needed.

To summarize everything, I will do what seems to have worked well for previous students: regular reports on the mailing list to keep people updated with what is happening on the project from a higher level.

## Contact info

OFTC: dau

Email: dau@riseup.net

PGP: 0xC5A49047572A0D47

# Other GSoC projects in mind?

I am only applying to this one.

# Anything else?

I encourage you to take a look at the git logs and issue trackers from [unMessage], [nymphemeral] and [pyaxo]. I think I am a very organized developer and I have been trying my best to follow the gitflow model and take advantage of the features offered by GitHub.

[attrs]: https://attrs.readthedocs.io [automat]: https://github.com/glyph/automat [cli]: https://unmessage.readthedocs.io/en/latest/cli/cli.html [cryptully]: https://github.com/shanet/Cryptully [curses]: https://docs.python.org/2/library/curses.html [david andersen]: https://github.com/rxcomm [dawuud]: https://github.com/david415 [documentation]: https://unmessage.readthedocs.io [double ratchet algorithm]: https://whispersystems.org/docs/specifications/doubleratchet [github profile]: https://github.com/felipedau [gui]: https://unmessage.readthedocs.io/en/latest/gui/gui.html [hulahoop]: https://github.com/HulaHoopWhonix [hypothesis]: https://hypothesis.readthedocs.io [issue 12]: https://github.com/AnemoneLabs/unmessage/issues/12 [issue 21]: https://github.com/AnemoneLabs/unmessage/issues/21 [issue 26]: https://github.com/AnemoneLabs/unmessage/issues/26 [issue 30]: https://github.com/AnemoneLabs/unmessage/issues/30 [issue 32]: https://github.com/AnemoneLabs/unmessage/issues/32 [issue 33]: https://github.com/AnemoneLabs/unmessage/issues/33 [issue 34]: https://github.com/AnemoneLabs/unmessage/issues/34 [issue 35]: https://github.com/AnemoneLabs/unmessage/issues/35 [meejah]: https://github.com/meejah [nymphemeral]: https://github.com/felipedau/nymphemeral [nymserv]: https://github.com/rxcomm/nymserv [omemo]: https://conversations.im/omemo [opus codec]: https://opus-codec.org [patrick schleizer]: https://github.com/adrelanos [protocol]: https://unmessage.readthedocs.io/en/latest/protocol.html [pyaxo]: https://github.com/rxcomm/pyaxo [pynacl]: https://github.com/pyca/pynacl [pytest]: http://docs.pytest.org [ricochet]: https://ricochet.im [signal]: https://whispersystems.org [socialist millionaire protocol]: https://en.wikipedia.org/wiki/Socialist_millionaire [tahoe-lafs]: https://github.com/tahoe-lafs/tahoe-lafs [tkinter]: https://docs.python.org/2/library/tkinter.html [tor onion services]: https://www.torproject.org/docs/hidden-services.html [tor-dev]: https://lists.torproject.org/pipermail/tor-dev [tracker]: https://github.com/AnemoneLabs/unmessage/issues [twisted]: https://twistedmatrix.com [txtorcon]: https://github.com/meejah/txtorcon [unmessage]: https://github.com/AnemoneLabs/unmessage [whonix]: https://whonix.org [wire]: https://wire.com

On Wed, Mar 29, 2017 at 03:57:29AM -0400, grarpamp wrote:

You may want to link unmessage into the I2P network as well.

Hi grarpamp,

Thanks for the suggestion. It should be possible to support multiple kinds of transport, but we still need to do some research on that because it might make some attacks possible/easier (e.g., partitioning attacks)? It would be great to have a discussion about that.

Thanks, -Felipe

On Thu, Mar 30, 2017 at 02:48:45AM -0400, grarpamp wrote:

It's suggested and welcome that all overlay networks publicly review, audit, analyze, each others work and offerings. Unfortunately that hasn't develop much yet in a formal dedicated as responsibility manner among even the larger opensource community, or even discussion if that is a good idea. (But there is some good work in some projects out there lately of their own work... automated code linting, and the rarer procured third party audit.)

Then shall we presume all our networks are equivalently secure?, or equivalently flawed, as each network happens to advertise now and then.

Makes sense.

This may leave the matter of partitioning up to the user to consider pursuant to any note about that in the app documentation.

I agree. Giving power of choice to the users is ideal.

The app could enable simultaneous multihome based on commandline options... --tor --i2p --cjdns --other, default [whatever] . And of course all the ports / addresses / bindings would need to be flexible.

On equivalent networks, presence is maybe a bigger issue than partitioning. This includes concept to drop the network identity off the network itself, or use new ID, not just managing announces to buddy list entries.

Interesting! I opened an issue [0] to discuss this feature (copied your post there). It might take a while to work on that as we have other tasks with a higher priority, but I intend to get back to it at some point.

Thanks, -Felipe

And here is the issue [0].

[0]: https://github.com/AnemoneLabs/unmessage/issues/40