browser changes have broken this... will get back to it, but mostly ignore for now...
if my day job allows, I've redesigned and simplified the concept to 10% of its size.
Welcome to the home of the d3ck.
The d3ck is my attempt at making a confidential (i.e. encrypted) pure p2p communication tool.
The problem, as I see it:
If you and I wanted to have a private voice or Skype-like
conversation, share data, instant message, etc - it's pretty rough
unless we involve a 3rd party or use PGP (which is even rougher,
god, what a user experience!) Lately we haven't had much luck with
those 3rd parties keeping our data and activities confidential,
hence this effort.
Basic features/capabilities
- Tiny appliance that can sit on a Raspberry Pi (a small $20+
computer), a virtual machine (VMware/Amazon's EC2/etc.), etc.
- P2P communication - no central server
- Fairly easy to use... at least it beats PGP in usability... yeah, high bar, I know.
- UI allows voice/video, drag-n-drop file transfer, etc. with another d3ck user
- If you share a d3ck with someone else, it gives you near-trivial-to-use video
- Web interface works on modern browsers - including recent android
phones (uses WebRTC). Older/broken browsers will still connect,
just not support nifty video/etc.
- Strong encryption
- Under the hood: Linux, OpenVPN, OpenSSL, Node.js, and more
- Easily generate OpenVPN keys (at long last I can run VPN on laptops
and an iPad without having to figure out how to use it, what a concept.)
- Open source
The d3ck is a collection of software I've written that allows you to
communicate (voice, video, IM, file transfers, etc.) with confidentiality
(i.e. it uses encryption) with someone else who has the same software
(or uses yours.) It's sort of a clumsy cryptohammer, and can be used
for all sorts of things.
This site is basically the d3ck UI, minus all personalized bits...
you can see some of it in action by checking out the WebRTC-based
video sharing (there are instructions on that),
but there is more....
If nothing else, it could help with this eternal problem:
It's browser based, so in theory can be used from almost any computer
with a modern browser (you simply point your browser at your d3ck.)
The d3ck itself runs on Linux; it can sit on a Raspberry Pi (a small $20+
computer), a virtual machine inside VMware or Amazon's EC2, or your
random basic Linux system.
While it's fairly simple to use (really!), this is the first release
and it has pressing issues that would preclude it from being used
in life-or-death situations. I've a long list of issues, overdue
enhancements/features, etc. at [TODO](/dox/TODO.md).
Installation
I've started on some hopefully clear instructions to get it up and running.
UI and Examples
The web-based interface is somewhat demonstrated on this site... you can find quick instructions
on GitHub.
Architecture
There's a description of the data flow and server architecture
on GitHub as well.
Cryptography
Note: the d3ck is meant to provide CONFIDENTIALITY,
not ANONYMITY! That is, someone (NSA, China,
whomever) might see you talking, and possibly to
whom, but the goal is to make it difficult for them
to glean what was said (unless they're standing
behind you listening, have bugged your computer,
etc, etc....)
The d3ck uses client-side certs and OpenVPN primarily
for its communications.
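How client-side certificates fit the OpenVPN mutual authentication just mentioned, as an added example rather than d3ck's own key-generation code: a throwaway CA, one client cert limited to the TLS-client purpose, and the verification a peer performs. The names, the P-256 curve and the lifetimes are placeholders.

```shell
#!/bin/sh
# Added example, not d3ck code. Builds a throwaway CA and one client cert
# whose extensions limit it to TLS client use, then verifies it.
# "d3ck-ca", "alice-d3ck", the P-256 curve and the lifetimes are placeholders.

d3ck_make_client_cert() {
  work="${1:-$(mktemp -d)}"   # directory to write keys and certs into
  name="${2:-alice-d3ck}"     # client name; becomes the cert's CN
  (
    cd "$work" || exit 1
    # CA key + self-signed CA cert (req -x509 marks it CA:TRUE by default).
    # Keep ca.key off the d3ck in real use: whoever holds it can mint certs
    # that every peer trusting this CA will accept.
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout ca.key -out ca.crt -days 3650 -subj "/CN=d3ck-ca" >/dev/null 2>&1 || exit 1
    # Client key + certificate signing request
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
      -keyout "$name.key" -out "$name.csr" -subj "/CN=$name" >/dev/null 2>&1 || exit 1
    # Sign with extendedKeyUsage=clientAuth only: a leaked client cert then
    # cannot be presented as a server. OpenVPN enforces this split with
    # "remote-cert-tls server" on the client and "remote-cert-tls client"
    # on the server side.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' \
      > client.ext
    openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
      -out "$name.crt" -days 365 -extfile client.ext >/dev/null 2>&1 || exit 1
  ) || return 1
  echo "$work"
}

# The check a peer performs at handshake time: chain to our CA and require
# the TLS-client purpose (rejects server certs and certs from foreign CAs).
d3ck_verify_client_cert() {
  ca_dir="$1"; cert="$2"
  openssl verify -CAfile "$ca_dir/ca.crt" -purpose sslclient "$cert" >/dev/null 2>&1
}
```

Run `d3ck_make_client_cert /path/to/dir alice-d3ck` and point the OpenVPN `ca`, `cert` and `key` directives at the resulting files.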
TBD
So much. Next to do: automatic port blocking
(code written, but not tested), encrypted at-rest
(i.e. on the disk) file storage (actually very
simple on a Raspberry Pi, I simply haven't gotten
to it), a self-destruct button (vaporizes keys,
bye-bye data), and final Linux security lockdown
on the d3ck distro.
Redo UI listing of remote d3cks... grumble... have
to get it out the door... must not continue
to tinker.
Port forwarding - code works, just isn't hooked
up to UI.
Putting an ICE/STUN server on a d3ck will happen,
just a pain to do ('cuz the arch, not the install....)
I actually started with SIP (a telephone
protocol) and had that working, but that's
been put on the backburner.
I've also used this as a mail server that
can mail to other d3cks using a standard mail
server and IMAP; pretty nifty to send encrypted
and authenticated email to other d3ck users
with zero special software. This
works, but is sitting in piles of code in
my vast TBD folder.
Multiuser d3cks are something I dismissed early
on, but given it's so easy to do video on a single
d3ck, I may well revisit this... pondering. Ditto
with many users on the same video.
Really Big Issues
No one has really used it seriously other than me. That should say something.
It needs an examination of the architecture. Some
parts are good, some not so. This is not a production
release.
It's been rewritten and revamped so many times that there is code and stuff
in it that doesn't make sense anymore. Presumably this will change over time.
Incoming network traffic/ports should be automatically blocked, and
they aren't (TBD!). DO NOT RUN THIS NAKED ON THE INTERNET or you'll
be pretty darn sorry, I'd think. For now, ensure that it's either
behind a firewall or you've locked down the ports manually.
In the same vein, if your d3ck is talking to someone else's d3ck, it's probably
vulnerable to the other until I (or you!) put in place some firewall rules
on the VPN interface (easy to do, just so many things.....)
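One way to do the manual lockdown the two paragraphs above call for, as an added example rather than d3ck's own (untested) port-blocking code: default-deny inbound, expose only the OpenVPN listener to the internet, keep the web UI to your LAN, and let a peer's d3ck reach only the ports you choose on the VPN interface, logging what it tries beyond that. Port numbers, interface names and the LAN range are assumptions.

```shell
#!/bin/sh
# Added example, not d3ck code: the manual port lockdown the page asks for.
# Assumed layout (all placeholders, override via the environment): OpenVPN
# listens on UDP 1194, the web UI is on TCP 443, your LAN is 192.168.1.0/24,
# and peer d3cks arrive on tun0 and only need the port(s) in PEER_PORTS.
VPN_PORT="${VPN_PORT:-1194}"
UI_PORT="${UI_PORT:-443}"
LAN="${LAN:-192.168.1.0/24}"
VPN_IF="${VPN_IF:-tun0}"
PEER_PORTS="${PEER_PORTS:-443}"   # comma-separated, e.g. "443,8443"

# Print the rule set rather than applying it, so it can be reviewed first.
# Lines starting with '#' are comments and are ignored when piped to sh.
d3ck_fw_rules() {
  cat <<EOF
# default deny for anything arriving at or routed through the box
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -F FORWARD
# loopback and replies to connections this box started
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# the only service exposed to the internet: the OpenVPN listener
iptables -A INPUT -p udp --dport $VPN_PORT -j ACCEPT
# the web UI is reachable only from your own LAN
iptables -A INPUT -s $LAN -p tcp --dport $UI_PORT -j ACCEPT
# a peer's d3ck may reach only the chosen ports over the tunnel;
# everything else from the tunnel is logged (rate-limited) and dropped
iptables -A INPUT -i $VPN_IF -p tcp -m multiport --dports $PEER_PORTS -j ACCEPT
iptables -A INPUT -i $VPN_IF -m limit --limit 5/min -j LOG --log-prefix "d3ck-vpn-drop: "
iptables -A INPUT -i $VPN_IF -j DROP
# never route between the tunnel and your LAN
iptables -A FORWARD -i $VPN_IF -j DROP
iptables -A FORWARD -o $VPN_IF -j DROP
EOF
}

# "apply" runs the rules (needs root); anything else just prints them.
d3ck_fw_apply() {
  if [ "$1" = "apply" ]; then d3ck_fw_rules | sh -e; else d3ck_fw_rules; fi
}
```

Review the output of `d3ck_fw_apply dry` before running `d3ck_fw_apply apply`, and persist the result with your distro's iptables save mechanism so it survives a reboot.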
It's meant for 1-to-1 communication. It was only at the last minute
that I realized how to do 1-N, but you're stuck with artificial
limitations for now.
I said pure P2P - I lied. For webRTC I
currently leverage the STUN/ICE server @
stun:stun.services.mozilla.com. That'll change -
it's not difficult to toss a server on the d3ck,
but because of my architecture it's actually a
bit tricky to make all the traffic flow through
one's d3ck. Feel free to drop me a line if you're
a l33t SDP haxx0r. Everything else is P2P except
DNS, if you use it.
Usage Requirements
You need to be fairly techie at this stage - not
to use it (that's actually pretty simple), but to
install it.
You'll need a Linux box - a cheap Raspberry
Pi works fine, as does VMware, Amazon's EC2, etc.
It works in multiple Linuxes, but Ubuntu is probably
the safest bet (if the distro doesn't have the
"services" command it'll be a bit painful, but I've
gotten it working even then.)
You will probably need your own network (not
sure who doesn't these days, but...) and be able to
open a network port to the inside.
Patience. The stuff will work some and break
some.
Time to write or talk to me and tell me what
(a) went wrong, (b) went right (if anything!), and
(c) how you think it could be improved upon.