Today I’d like to show you what Streembit, the world’s first decentralised P2P-based messaging platform, can do for humans (besides the IoT). Streembit uses well-tested cryptographic industry standards to ensure end-to-end encryption. There are no 3rd parties or intermediaries monetizing your data. Using a DHT, Streembit avoids the traditional pitfalls threatening the bitcoin network while remaining agnostic about the eventual outcome of the ongoing blockchain block size debate.
Another cool thing about not having a central actor controlling the network is that we become resistant to attacks and to subpoenas. E.g. a nation state's attempt to take down (or take over) the network will have a bad time (see recent examples). Subpoenas cannot be enforced against Streembit users because of the nature of the infrastructure as well as of jurisdictions, i.e. only service providers, but not individual users or end-user companies, could be subject to subpoenas. With Streembit, there are by design no service providers which could be harassed with subpoenas or gag-orders.
Sitting comfortably? Then we’ll begin …
Install some dependencies (if you don’t have them already):
$> sudo apt-get install npm
Get the node-webkit (was renamed to nw.js) from http://nwjs.io/downloads/ and select your architecture from the list. In my example I’m on a 64-bit Linux installation and I want the SDK version of nw so I can debug the full stack if I have to.
$> curl -O http://dl.nwjs.io/v0.15.2/nwjs-sdk-v0.15.2-linux-x64.tar.gz
$> tar -xvzf ./nwjs-sdk-v0.15.2-linux-x64.tar.gz
$> git clone https://github.com/streembit/streembitui.git
$> cd ./streembitui
$> npm install
Start Streembit with node-webkit while still in the streembitui/ directory:
$> /path/to/node-webkit/nw .
After the Streembit UI is initialized you should be greeted by a chromium GUI allowing you to access the Streembit functions such as setting up a username and joining a public or private Streembit network:
After setting up a username and joining the network you can search for contacts (there are only a few users worldwide currently). Once you have added a contact you can make an audio or video call, or send files:
Do you want to talk to somebody for a test call? Give it a try by adding me or Tibor and then we’ll set up a test chat. My ID is joachim (Tibor is tzpardi) 🙂
Testing, testing …
For my actual tests I used a Linux Debian based notebook (a very old model from 2005 (!!)) which I usually test new stuff with: a Sony Vaio VGN-FZ31L with 3GB RAM and a less than mediocre wireless connection with ~300KB RX and ~150KB TX. In parallel I was also running chrome with ~8 tabs, postfix, ntpd, a couple of ssh sessions, and an LXDE GUI. Under normal circumstances the system would start thrashing if more than ~12 tabs were opened in chrome (just to give you an idea how tight memory is).
Despite my spartan spec, the audio and video quality were both fantastic throughout the call. There is much less lag on the video than I usually experience with Skype or Hangouts or facebook-messenger. There is a bug in Linux Chromium which stops the video/audio from re-initialising: not always, but sometimes you need to close the Streembit UI to get it going again. Something that needs to be fixed.
The full documentation about the current options and also what you can do with the IoT (I will go into this next time) is available here. In case you find any issues please raise them on github.
Also it would be a great help if security researchers could step forward willing to audit the platform.
Pseudonymity vs Anonymity
Streembit is designed for “Pseudonymity” not “Anonymity”. Let me use the words of @thegrugq to explain the difference.
“Anonymity is what you want when (and only when) the CONTENT of the [message] is the only important thing. True Anonymity is when, out of the set of all possible authors, there is an equal chance it could be any one of them. You probably don’t want this for comms within your [illicit] organisation.”
“Whereas pseudonymity is what you usually want when reputation matters: We don’t know who is in the suits. But we know that pink snakeskin has come through for us a few times in the past, but blue swirly is an asshole” — @thegrugq
Streembit is pretty good at improving anonymity (it outranks Telegram, Signal, WhatsApp) in the sense that it requires neither an email address nor registration. A user can have as many accounts on Streembit as they want. In fact the best practice is to use a different account for each conversation or file transfer (that would of course require some synchronization between users so they would know what their daily or one-time user account is). And then the user with the daily Streembit account can connect from a cyber café or through a Mullvad proxy that users can get with Bitcoin. In this case the communication is pretty much anonymous. Streembit’s anonymity may hopefully be improved by using Tor (see below). But True Anonymity is not the aim of the project.
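The synchronization mentioned above does not need a message per day: both contacts can derive the day's account name from a secret they exchanged once, out of band. This is an added example, not Streembit code; the function names, the role labels and the name format are assumptions, and whether Streembit accepts names of this shape is not confirmed by the page.

```javascript
// Added example, not Streembit code: rotating account names from a shared secret.
const crypto = require('crypto');

const DAY_MS = 24 * 60 * 60 * 1000;

// Name a given party ("role", e.g. 'alice') uses on the UTC day of `date`.
// `secret` is a Buffer both contacts exchanged out of band.
function dailyAccount(secret, role, date) {
  if (!Buffer.isBuffer(secret) || secret.length < 16) {
    throw new Error('shared secret must be a Buffer of at least 16 bytes');
  }
  const day = date.toISOString().slice(0, 10); // YYYY-MM-DD in UTC
  const mac = crypto.createHmac('sha256', secret)
    .update(`account-name|${role}|${day}`)
    .digest('hex');
  // 80 bits of the MAC: without the secret, the names themselves reveal
  // no link between different days or between the two roles.
  return 'u' + mac.slice(0, 20);
}

// Names to search for when looking up a contact: yesterday, today and
// tomorrow, so clock skew or a call around midnight UTC still finds them.
function candidateAccounts(secret, role, now) {
  return [-1, 0, 1].map(
    (offset) => dailyAccount(secret, role, new Date(now.getTime() + offset * DAY_MS))
  );
}

// Constructed sample run: fresh random secret, fixed dates.
function demo() {
  const secret = crypto.randomBytes(32);
  const justAfterMidnight = new Date(Date.UTC(2016, 5, 11, 0, 1));
  return {
    aliceToday: dailyAccount(secret, 'alice', justAfterMidnight),
    bobToday: dailyAccount(secret, 'bob', justAfterMidnight),
    bobLooksFor: candidateAccounts(secret, 'alice', justAfterMidnight),
  };
}

console.log(demo());
```

Rotating the name only hides the identifier; the network address still ties sessions together, which is why the paragraph above pairs it with a cyber café or proxy connection.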
The thing I’d like to do next is determine the implications of torifying the service and possible metadata leaks. Obviously video and audio would have to be disabled over Tor. It should be simple with a forwarding rule on the home router or firewall to forward traffic to TCP port 8905 to avoid websockets. Tor might be useful in masking IoT sensor traffic to .
Tor maintainers say it’s not a good idea due to the traffic when discussing Tor in the context of Bittorrent. Though I think this argument is not valid when we use Streembit for IoT traffic, which is only going to gradually increase with very low traffic. Also, the more users flock to Tor, the more people will have an interest in running a Tor node themselves (the more Tor nodes, the more secure Tor is for everyone). What will happen if the Tor network suddenly gets more traffic from IoT devices? Will it kill Tor or will it make Tor stronger because there might be more users willing to run their own nodes? In this sense Tor has the same problem as the bitcoin network, where both are vulnerable to Sybil attacks. So paradoxically IoT could even reduce the threat of such attacks by increasing the number of users.
What I’d personally like to see are mobile apps for it. Also as a Linux die-hard I’d love to see it one day implemented as C system libraries with solid bindings to Ruby, Python, Perl, and possibly a GTK or Qt based GUI instead of the current Chromium/NW.js based stack.
Rough streembit roadmap here.
Streembit also started a standardization process within W3C WoT (see here). Our aim is to submit an IETF standard for P2P, blockchain and decentralized networks. If the industry or at least a few professionals come together and submit an IETF standard, then we have a better chance to disseminate the P2P, decentralized technology.
Let me finish with an old WWI joke a friend told me (thanks Martin): In WWI, comms were so bad messages had to be handed back via humans, so what started out as “send reinforcements we’re going to advance” by the time it got to HQ became “send three and fourpence we’re going to a dance”, now we use it to show no matter how fancy and expensive your comms are, there’s a human at each end.
Discuss it on hackernews: https://news.ycombinator.com/item?id=11875332
EDIT-1 2016/06/10: added section to illustrate pseudonymity/anonymity.
EDIT-2 2016/06/10: added info on W3C WoT standardization
Valbonne Consulting provides Research & Consulting for emerging technologies in Internet/Web of Things (WoT/IoT/M2M) and Emerging-Tech. We specialise in decentralisation, security and privacy. We work across a variety of traditional industry verticals (Telecommunications, Automotive, Energy, ...). We support Open Source and technologies built on open standards.