Thoughts on Streembit without getting too technical

I have been trying to come up with a simple explanation of Streembit. Almost like an explanation without actually explaining it:

Streembit is a peer-to-peer human and machine communication platform. Secure, peer-to-peer, decentralized network formation is a fundamental and unsolved information technology problem.

Streembit aims to solve this problem. But what exactly is the problem with how things are?

Privacy in communication is an important human right. A right that is growing harder and harder to protect, and arguably isn’t protected at all. A good example is the recent feud between Apple and the FBI. Apple attempts to secure the communication of its customers through encryption. In fact, they did such a good job at it that the FBI served them a court order demanding their help in cracking an iPhone. This revealed the weakest link in Apple’s security: the fact that they have the ability to create a backdoor, and could do so with their users being none the wiser.

Big data and centralized servers also pose a threat to user privacy. Having all of your personal conversations and pictures stored on a company’s server is a scary thought. Just ask Jennifer Lawrence. It’s a thought that will only grow scarier. The more connected the world becomes the more information about you will be stored on these central servers. These troves of information may be hard to properly leverage at the moment, but that is changing with recent breakthroughs in artificial intelligence.

The coming Internet-of-Things also has a great need for a secure peer-to-peer communication platform. The possibilities in an interconnected world are almost endless. Think about the revolution it would cause in healthcare. Wearable devices monitoring patients’ vitals, warning of emergencies before it is too late. Sensors reminding you to take your medicine, and making sure you take the right dose. Your house managing its own energy efficiency through the communication of the devices within it. You will be able to talk to your toaster. What a world. The devices that surround you will be able to improve your life. But just as this level of interconnectivity will allow technology to assist us like never before, the consequences of bad security will threaten us like never before.

Technology should enhance our lives while preserving our right to privacy. We shouldn’t have to pick one or the other. Our goal with developing Streembit is to achieve both and sacrifice nothing.

So how does Streembit do this? To start, Streembit is a peer-to-peer decentralized network. There is no server storing your information. Your message goes straight to its intended recipient. That means the only way someone will get your message is if they intercept it. However, that will be problematic for them due to the cryptography schemes used for messages in the Streembit network. Here is what Bruce Schneier had to say about 256-bit AES symmetric encryption, the same utilized by Streembit:

These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space.

The messages themselves are safe, but what if someone has your device and they are trying to crack your password? Let’s go back to the example of the iPhone. With the latest iPhone security it would take 10,000 iterations of a brute force attack to break the security. The Streembit passcode has a more complex setup that would require a minimum of 3.05 trillion times the iterations it would take to break the passcode of an iPhone.

The next question is what if the FBI demanded that a backdoor be created in Streembit? Streembit is open source software, meaning that anyone can look to verify the security of Streembit, or confirm that there aren’t any backdoors. The beauty of being open source is that there will never be any need for things like “warrant canaries“, because if a backdoor is added, it will be done in plain sight.

Here is the cool part; you can try Streembit out right now. An early version is available with video, audio, and text communication, as well as screen-sharing and file sharing. Streembit is the only application in the world that does all of this in a decentralized peer-to-peer manner.

Streembit is also heavily focused on the Internet-of-Things. Any devices connected to a Streembit network benefit from the same security that a human user would. Along with complying with open security and communication standards our developers take an active role in the W3C Web of Things Initiative and mirror all WoT standards in the Streembit codebase.

Download Streembit here:
https://streembit.github.io/download

Check out the Raspberry Pi IoT implementation of Streembit here:
https://github.com/streembit/streembit-pi

Here is a guide for setting up your Streembit account:
https://deardolphinblog.wordpress.com/2016/07/05/getting-started-with-streembit/

Join our community on Gitter and chat with us!
https://gitter.im/orgs/streembit/rooms

This post was first published in the streembit-dev Google group. Come join us here

Streembit: “Hello World” My 1st Ever Video Call over a Decentralised P2P Network

Today I’d like to show you what Streembit, the world’s first decentralised P2P based messaging platform, can do for humans (besides the IoT). Streembit uses well tested cryptographic industry standards to ensure end-to-end encryption. There are no 3rd parties or intermediaries monetizing your data. Using a DHT, Streembit avoids the traditional pitfalls threatening the bitcoin network while remaining agnostic about the eventual outcome of the ongoing blockchain block size debate.

Another cool thing about not having a central actor controlling the network is that we become resistant to attacks via subpoenas. E.g. nation states attempting to take down (or take over) the network will have a bad time (see recent examples [1][2][3]). Subpoenas cannot be enforced against Streembit users because of the nature of the infrastructure as well as jurisdictions, i.e. only service providers, but not individual users or end-user companies, could be subject to subpoenas. With Streembit, there are by design no service providers which could be harassed with subpoenas or gag orders.

Sitting comfortably? Then we’ll begin …

Install some dependencies (if you don’t have them already):

$> sudo apt-get install npm

Get the node-webkit (was renamed to nw.js) from http://nwjs.io/downloads/ and select your architecture from the list. In my example I’m on a 64-bit Linux installation and I want the SDK version of nw so I can debug the full stack if I have to.

$> curl -O http://dl.nwjs.io/v0.15.2/nwjs-sdk-v0.15.2-linux-x64.tar.gz
$> tar -xvzf ./nwjs-sdk-v0.15.2-linux-x64.tar.gz

Get Streembit:

$> git clone https://github.com/streembit/streembitui.git
$> cd ./streembitui
$> npm install

Start Streembit with node-webkit while still in the streembitui/ directory:

$> /path/to/node-webkit/nw .

After the Streembit UI is initialized you should be greeted by a chromium GUI allowing you to access the Streembit functions such as setting up a username and joining a public or private Streembit network:

Hello World :-)


After setting up a username and joining the network you can search for contacts (there are only a few users worldwide currently). Once you have added a contact you can make an audio or video call, or send files:


Is this the first ever decentralized video call ever made over P2P?
“Mr. Watson–come here–I want to see you.”

Do you want to talk to somebody for a test call? Give it a try by adding me or Tibor and then we’ll set up a test chat. My ID is joachim (Tibor is tzpardi) 🙂

Testing, testing …

For my actual tests I used a Linux Debian based notebook (very old model from 2005 (!!)) which I usually test new stuff with: Sony Vaio VGN-FZ31L with 3GB RAM and a less than mediocre wireless connection with ~300KB RX and ~150KB TX. I also in parallel run chrome with ~8 tabs, postfix, ntpd, a couple of ssh sessions, and a LXDE gui. Under normal circumstances the system would start thrashing if more than ~12 tabs were opened in chrome (just to give you an idea how tight memory is).

Despite my spartan spec, the audio and video quality were both fantastic throughout the call. There is much less lag on the video than I usually experience with Skype, Hangouts or Facebook Messenger. There is a bug in Linux Chromium which stops re-initialising the video/audio: not always, but sometimes you need to close the Streembit UI to get it going again. Something that needs to be fixed.

The full documentation about the current options and also what you can do with the IoT (I will go into this next time) is available here. In case you find any issues please raise it on github.

Also it would be a great help if security researchers could step forward willing to audit the platform.

Pseudonymity vs Anonymity

Streembit is designed for “Pseudonymity” not “Anonymity”. Let me use the words of @thegrugq to explain the difference.

“Anonymity is what you want when (and only when) the CONTENT of the [message] is the only important thing. True Anonymity is when, out of the set of all possible authors, there is an equal chance it could be any one of them. You probably don’t want this for comms within your [illicit] organisation.”


“Whereas pseudonymity is what you usually want when reputation matters: We don’t know who is in the suits. But we know that pink snakeskin has come through for us a few times in the past, but blue swirly is an asshole” — @thegrugq

Streembit is pretty good at improving anonymity (it outranks Telegram, Signal, WhatsApp) in the sense that it requires neither an email address nor registration. A user can have as many accounts on Streembit as they want. In fact the best practice is to use a different account for each conversation or file transfer (that would of course require some synchronization between users so they would know what their daily or one-time user account is). The user with the daily Streembit account can then connect from a cyber café or through a Mullvad proxy, which users can get with Bitcoin. In this case the communication is pretty much anonymous. Streembit’s anonymity may hopefully be improved by using Tor (see below). But True Anonymity is not the aim of the project.

Pseudonymity is provided by Streembit’s design and can be used for situations where, for example, one would want to build a reputation system on top of Streembit. The JavaScript environment actually makes it very easy to publish any DAP (Decentralized Application) on top of Streembit by simply adding the script into the DOM. And the beauty of the DHT and distributed ledger is that it can store anything. The key-value pair that we use in the distributed ledger to publish user info, device data, etc. can be used to publish any type of application information, and it also allows us to store complex business details. For instance we could have a key like BusinessName/Usecase/AppName and then store under that key the Merkle tree (or other blockchain implementation), or the reference to the Merkle tree, that stores the data of the reputation system.
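
The key-to-Merkle-reference idea above, as an added example that is not Streembit code: a Map stands in for the DHT, the root of a Merkle tree over reputation records is stored under a BusinessName/Usecase/AppName style key, and a reader checks one record against that root. All function names, the key and the records are assumptions made for illustration.

```javascript
// Added example. Function names and the Map used as a DHT are illustrative
// assumptions, not Streembit APIs.
const crypto = require('crypto');

const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest();
// Leaves and interior nodes get different prefixes so that an interior
// node can never be passed off as a leaf (second-preimage defence).
// Records must be serialised identically by publisher and verifier.
const leafHash = (rec) =>
  sha256(Buffer.concat([Buffer.from([0x00]), Buffer.from(JSON.stringify(rec))]));
const nodeHash = (l, r) => sha256(Buffer.concat([Buffer.from([0x01]), l, r]));

// Returns every level of the tree, leaves first. An unpaired node is
// promoted to the next level unchanged.
function buildLevels(records) {
  if (records.length === 0) throw new Error('no records');
  const levels = [records.map(leafHash)];
  while (levels[levels.length - 1].length > 1) {
    const prev = levels[levels.length - 1];
    const next = [];
    for (let i = 0; i < prev.length; i += 2) {
      next.push(i + 1 < prev.length ? nodeHash(prev[i], prev[i + 1]) : prev[i]);
    }
    levels.push(next);
  }
  return levels;
}

// Sibling hashes needed to recompute the root from one record.
function inclusionProof(records, index) {
  const proof = [];
  let i = index;
  for (const level of buildLevels(records).slice(0, -1)) {
    const sib = i ^ 1;
    if (sib < level.length) proof.push({ hash: level[sib].toString('hex'), left: sib < i });
    i >>= 1;
  }
  return proof;
}

// Publisher: store only the root (a reference to the tree) under the key.
function publishReputation(dht, key, records) {
  const levels = buildLevels(records);
  const root = levels[levels.length - 1][0].toString('hex');
  dht.set(key, { root, count: records.length });
  return root;
}

// Reader: fetch the root by key and check one record against it.
function lookupAndVerify(dht, key, record, proof) {
  const entry = dht.get(key);
  if (!entry) return false;
  let h = leafHash(record);
  for (const step of proof) {
    const s = Buffer.from(step.hash, 'hex');
    h = step.left ? nodeHash(s, h) : nodeHash(h, s);
  }
  return h.toString('hex') === entry.root;
}

// Constructed sample data: pseudonyms with a reputation score.
const SAMPLE_RECORDS = [
  { pseudonym: 'pink-snakeskin', rating: 1 },
  { pseudonym: 'blue-swirly', rating: -1 },
  { pseudonym: 'green-check', rating: 1 },
];
```

The example does not authenticate the stored root; on a real DHT the value would need to be signed by the publisher, since the peers that store and return it are untrusted.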

Tor

The next thing I’d like to do is determine the implications of torifying the service and possible metadata leaks. Obviously video and audio would have to be disabled over Tor. It should be simple with a forwarding rule on the home router or firewall to for traffic to TCP port 8905 to avoid websockets. Tor might be useful in masking IoT sensor traffic to .

When discussing Tor in the context of BitTorrent, the Tor maintainers say it’s not a good idea because of the traffic. I think this argument is not valid, though, when we use Streembit for IoT traffic, which is only going to increase gradually from a very low volume. Also, the more users flock to Tor, the more people there will be with an interest in running a Tor node themselves (the more Tor nodes, the more secure Tor is for everyone). What will happen if the Tor network suddenly gets more traffic from IoT devices? Will it kill Tor, or will it make Tor stronger because there might be more users willing to run their own nodes? In this sense Tor has the same problem as the bitcoin network, where both are vulnerable to Sybil attacks. So paradoxically IoT could even reduce the threat of such attacks by increasing the number of users.

Takeaways

What I’d personally like to see are mobile apps for it. Also as a Linux die-hard I’d love to see it one day implemented as C system libraries with solid bindings to Ruby, Python, Perl, and possibly a GTK or QT based GUI instead of the current Chromium/NW.js based stack.

Rough streembit roadmap here.

Streembit also started a standardization process within W3C WoT (see here). Our aim is to submit an IETF standard for P2P, blockchain and decentralized networks. If the industry or at least a few professionals come together and submit an IETF standard, then we have a better chance to disseminate the P2P, decentralized technology.

Let me finish with an old WWI joke a friend told me (thanks Martin): In WWI, comms were so bad messages had to be handed back via humans, so what started out as “send reinforcements we’re going to advance” by the time it got to HQ became “send three and fourpence we’re going to a dance”, now we use it to show no matter how fancy and expensive your comms are, there’s a human at each end.

Discuss it on hackernews: https://news.ycombinator.com/item?id=11875332

EDIT-1 2016/06/10: added section to illustrate pseudonymity/anonymity.

EDIT-2 2016/06/10: added info on W3C WoT standardization

Joachim Bauernberger

Passionate about Open Source, GNU/Linux and Security since 1996. I write about future technology and how to make R&D faster. Expatriate, Entrepreneur, Adventurer and Foodie, currently living near Nice, France.

Streembit: a decentralised peer-2-peer messaging platform for the IoT

Introducing Streembit: a decentralised, peer-to-peer, secure communication system for humans and machines.

The purpose of Streembit is to create a free, secure, decentralised, peer to peer, Open Source system that secures your real time communication in accordance to the currently evolving W3C’s Web of Things (WoT) standard.

You can have as many accounts on the permissionless Streembit network as you want. There is no registration, no email address, and no personal details required. Instead of using one of many centralised corporate clouds, Streembit runs on a community driven, decentralised, P2P overlay network. Our system aims to implement strong security that keeps your real time data (live video chat, audio calls, text chat, file transfer) and your communication with Internet of Things devices safe from cyber criminals, industrial espionage and dragnet surveillance.

Decentralised computing and open source blockchains are supposed to be about liberating your data and transactions from proprietary, centralised systems. We share the same objectives with Streembit – To create a tool that liberates your communication and unlocks your data from proprietary, closed source clouds such as Google, Amazon AWS, and Microsoft Azure or from the platforms of communication service providers. Users will have full ownership of their data with minimal infrastructure costs.

The source code is licensed under the GNU GPL and available in our github (we do love pull-requests ;-))

We created a Raspberry Pi binding to provide developers – who develop solutions for the ARM architecture – with a reference design. Importantly, a Streembit network can be created today, allowing participants to create secure P2P decentralised networks rapidly, eliminating the risk of a unique central point of failure, while also scaling to accommodate millions of endpoints in human communication and IoT solutions.

This solution is enabling value exchange on a peer 2 peer decentralised network, which utilises the concepts of distributed ledger (blockchain & distributed hash table (DHT)) to perform secure communication and auditing of the participant’s actions. Therefore, the solution also provides inherent scalability of mass numbers of endpoints without the requirement of a centralised platform and high associated cost. Streembit can operate as a public or private network of peers and/or nodes that can support device discovery in the world of internet of things as well as the interface to support human communications video and audio within a highly secure environment.

Streembit follows a standards-based approach, which is also underpinned by our participation and published resources in the open source community. The system is based on open security standards such as FIPS, JWT, JWS and JWE, and directly mirrors the incoming standards from W3C WoT. Please refer to our roadmap which describes the planned software development.

Streembit has a forum at https://gitter.im/orgs/streembit/rooms so if someone has a connection problem the issues could be discussed there. The increased security, surveillance free peer-to-peer communication unfortunately requires certain configuration settings such as opening up firewall inbound/outbound rules and port forwarding (the usual tradeoff between security and user friendliness).

We try to explain the configuration in the documentation at http://streembit.github.io/documentation/, but a lot more work needs to be done in the documentation area as well. So if anybody has any issue it can be raised/discussed at the forum.

Current state: Tibor is currently working on some connection issues. The app is operational, but occasionally there is a connection issue. An underlying Node.js library that handles the TCP connection goes into an idle state from time to time, so he needs to fix that for the upcoming release, version 1.0.8, in the next few days.

In case you’d like to get involved please contact Tibor Zsolt Pardi tzpardi [at] streembit [dot] com.

We’d love to see your thoughts in this hackernews thread – ask us anything: https://news.ycombinator.com/item?id=11861945


Web of Things

The Web of Things needs your support

Are you working on backend web technologies or in the embedded sector? I’d like to get in touch with a request for your expertise around some upcoming future-technologies and projects in the Web of Things

I’m helping some friends and long time Internet pioneers at the W3C bootstrap several open source projects in the WoT/IoT domain. The W3C urgently needs contributors like you who have a background in backend or embedded technologies and are interested in bridging the areas of the Web with “Things”.

We seek your help on a voluntary basis to define upcoming open standards and kick-start open source projects so the Web of Things can remain free and transparent. As with any open source project, it is an exciting opportunity to get your hands on new technologies and standards at a very early stage. These technologies are already starting to move into production and will be everywhere in a few years. It is also a chance to work with some well known names who helped shape the Internet and Web into what it is today.

The Web of Things Framework is still at a very early stage, so this is just the time where we need people who understand the vision and want to play an active role in refining it.

We want to raise awareness of the promise and challenges for the Internet of Things, and the role of Web technologies as part of the solution.

The IoT suffers from fragmentation and product silos. The W3C is one of the few organizations that can define global standards to enable discovery and interoperability of services on a worldwide basis. We want to extend the Web from a Web of pages to a Web of Things.

The value proposition is enabling lowered development costs and unlocking data silos by bridging IoT platforms through the Web at a range of device scales from microcontrollers to cloud-based server farms.

We will do this via a core model of services in terms of metadata, events, properties and actions, that is bound to a variety of protocols as no one protocol will fulfil all needs. By bindings, I mean how to use the protocols to notify events and property updates, and how to invoke actions and return the results via REST based messages for each protocol.

We can provide more info of what we’re trying to do in case you’re interested, please drop me a line via email joachim at valbonne-consulting dot com.

Also if you know somebody who might have some bandwidth to contribute a few hours a week or month please do share the info. I’d very much appreciate any leads and all the help we can get to keep the Internet and Web of Things as open as the “Web of Pages” is today.

Thanks for your time;

Joachim
