Would Briar be a good alternative?
edit: How it works: https://briarproject.org/how-it-works/
Hi there, I am on the development team of Newnode, a successor of FireChat founded by two of the same people (https://www.newnode.com/). We now provide both, a VPN and a Messenger, with purpose to help people evade censorship and enable device-to-device connectivity. You can find the source code at https://github.com/clostra/newnode
I think the obvious question is: can you shed any light or provide context on why the service was shut down?
And if not, it seems unrealistic to expect people to adopt / trust your alternative.
The timeline is possibly informative.
Where is a link to the timeline?
"Then, one day in February 2020, as COVID-19 swept the globe, access to FireChat was completely cut off without explanation."
That is… not very informative at all.
Hong Kong now being part of China, and not an independent regime anymore?
[1] https://en.m.wikipedia.org/wiki/Timeline_of_the_2019%E2%80%9...
I think it's oddly telling or suspicious at the very least that this dev isn't giving you a straight answer to your question.
Well now we can put the speculation to rest, exactly how many CIA agents visited to shut down your radical operation??
The other option given the surprisingly one-sided list of protest movements they brag about: how many CIA agents were involved in its genesis?
So hypothetically the CIA benefited from an anonymous decentralized non-internet based chat app? I guess that's two things (protest movements and an intelligence agency) can agree on....
It seems obvious to me that protest movements in certain countries serve US security state interests and other protest movements in other countries do not. It would make sense in this context if you have e.g. a backdoored chat app which is otherwise secure that it would serve US security state interests for some protestors to have access to that app, and no harm if the protestors you don't like use it.
Recall that it is public information that USAID created a Twitter clone called Zunzuneo to be used in Cuba. It's not out of the realm of possibility that they have also made some "secure" chat app.
this is valid, the fbi had anom for drug dealers
https://hachyderm.io/@josephcox@infosec.exchange/11232112693...
Is it open source? Will it one day mysteriously disappear from the internet too?
Why the snark? Even if it disappeared, that's better than never existing (helping people) at all.
It seems to me like they didn’t learn anything. You can’t have a business whose product is meant to overcome state censorship, unless, perhaps, you work for another government. It can work as an open source project though as there’s no legal entity to coerce, just a diffuse and ever changing group of contributors. Plus of course the trust question. As a closed source project, they could be paid or forced to add a backdoor. It’s possible that they didn’t help anyone at all.
They have a GH repository, but it is not clear to me if it contains everything.
I downloaded your app just now from App Store.
When I get to the phone number step, it briefly shows a captcha screen but then transitions to the phone number screen.
When I enter my phone number. Country code +47. I don’t get any sms at all.
When I switch to the sms app to see if an sms arrived (it didn’t), and I switch back to your app, the counter on the screen that is counting down to allow resending code resets to 00:59 although it was at like 00:30 when I switched away from the app.
When after waiting for another full minute and occasionally touching the screen to prevent it from locking I am presented with the following options when clicking “I didn’t get a code”:
- Contact NewNode Support
- Resend code
- Call me instead
- Cancel
I tried resend code. No code arrives still.
Great, now I have to wait another full minute with your app in focus before I can try another option.
After waiting another full minute, I click “call me instead”. No call comes.
Same exact experience, uninstalled it.
same
If they are on Twilio or other VoIP provider need to enable other countries. My USA based business had that issue with international, check a bunch of boxes in the (Twilio) UI and click save.
Is the new product funded by In-q-tel as well?
You do know In-q-tel has invested in things that people use in the day to day, including Google Earth (originally created by Keyhole). DARPA kick-started the semi-autonomous vehicle industry with two of their Grand Challenges in the 2000s. The US Navy helped develop what would become Tor also in the early 2000s....
Yes. What is your point, other than trying to justify the bloated budget of the security state? As if we couldn't get better outcomes by investing directly in primary research and education without spook middlemen.
I'm just curious, why not build on top of another app like Signal?[0] My understanding is that there's nothing stopping anyone from using the same app and creating their own server and nodes. My understanding is that you can even hook into multiple nodes with a custom fork of the app. Wouldn't this give a big advantage of not requiring people to have a whole new app and you can work synergistically with a company with similar/compatible goals?
The thing I see is that if you really want to make a huge P2P network, you need a reason to have the app installed for reasons other than P2P. The problem I've always seen with FireChat was that I'd never get anyone to talk to me and then when there was an emergency no one would be able to download. So we need to have the features built into something with more normal day-to-day utility.
[0] https://community.signalusers.org/t/signal-airdrop/37402
Not up, but most of the times it is a lot easier to build something from scratch. Signal is notoriously hard to extend and use - they have a lot of custom tech. I gave up looking through their documentation. Now, the reason is that they actually have end-to-end encryption and most do not implement it in a secure and nice way. They basically had to build everything from scratch themselves.
TLDR it is often harder to reuse
Hey there thank you for taking the time to respond. I have a few questions:
The sign up process is surprisingly difficult and doesn't appear to be working.
The CAPTCHA is VERY thorough. I couldn't seem to get it to agree that I was human. When I finally solved it, the submit button is hidden (you have to scroll for some reason).
When I enter my phone number it prompts me to enter a code that never arrived. When I click "I didn't receive a code" the app sends me back to the CAPTCHA (lol). I complete the captcha again and request the code.
I went through this process three or four times before I gave up. This seems like an ongoing issue[1]
Does the app have many users? Any users?
The last blog post on the NewNode site was July of last year.
According to the App Store there have been three minor updates: 3, 9 and 12 months ago. No notes on the updates.
Does NewNode have a road map?
I couldn't find any write ups about the app anywhere. No press coverage.
So, why did FireChat close down?
Edit: I just completed 10 CAPTCHAs in a row.
Can you go into any additional detail about why firechat shut down?
It requires a phone number for registration. The site explains this as it is unique and hard to obtain en masse.
But it is not so. Phone numbers are controlled effectively by governments if needed, they are re-used, and they are dirt cheap in some countries (like, I could get a SIM card in Serbia or Laos for about 1 Euro on the street).
About re-use: When I got a new number in Serbia I started to get a lot of SMSes and later WhatsApp messages about my debts, from very aggressive people. It was not a scam, but this number only 3 months before that was used by some local guy who got into big troubles with loan sharks. They were Ok when I explained that I'm an expat with a SIM card bought at the newspaper stand, but I needed to explain it something like 50 times!
Sorry, but phone number is BAD ID and SMS is TERRIBLE 2FA / confirmation media.
If you really want a chat tool to start a revolution, meet in person with people you trust and don't bring any electronic devices with you. And only talk to people who you really trust. Forget phones.
"just know who to trust".
a super power I wish I had.
A revolution is all about subterfuge, intelligence, and trust. If you don't hone those skills, you might not be suited for one. Conversely, technology is an attack vector.
Not really, for example, the current one is about money:
https://en.wikipedia.org/wiki/Qatari_involvement_in_higher_e...
No amount of technology can solve this.
An antifa relative does not carry their phone with them when they meet, nor do they carry it on their person when attending a rally - they have a friend/lawyer name/number written on a paper with them, just in case someone has to be contacted.
At rallies, masked, sun glasses, baseball hat and a couple of shirts
What a waste of time and effort focusing on the dumb thing.
I agree that fascists are dumb.
Revolutionaries definitely had problems with surveillance and infiltration before electronics.
Indeed, and they have more problems after. Especially since the next revolution will likely be one against capitalism itself.
When four men sit down to discuss revolution, three are fools and the fourth is a police spy.
Everything is trade-offs. Meeting in person is great, until you're in the middle of a protest and everyone has to scatter because the police are firing tear gas at your skull. At that point, you rather do need to either have had a plan, or you need some way to communicate that isn't face-to-face.
Yes. My advice is a general one to be used as far as possible.
Not having any communications at all puts you at a massive disadvantage when opposing people who do. Absolutely no revolutions were ever accomplished by improvisational means.
Yet communicating in person is communicating.
Anyhow, a combination of the two is likely best. It won't really help though, "back in the day" every movement had a few police informants in the mix. There's less of that now with electronic monitoring, and 24x7 tracking, but a totalitarian state likely has more of that mix.
Heck a bunch of crooks tried to rob my house, and were caught not only due to having their phones on them, but ALSO due to sending SMS messages about houses they were examining "This house looks empty!", but also because they dropped a phone outside my house, when fleeing when the alarm went off... and the phone wasn't even locked!
Just imagine in a police state. I think a lot of revolutions get stopped before conspirators even get to the "protect our comms" point.
haha the best reply on the Internet
It was quite remarkable how Jan 6 proceeded entirely in the open with people posting selfies of themselves saying "off to overthrow the government today!", but because that kind of thing is entirely normalized from rightwing sources it wasn't important until those arrested eventually made it to court.
Stochastic terror and the stochastic coup work great precisely because there are no clear unambiguous two-way communication trails between the instigator and the accomplices; just a lot of "wouldn't it be great if somebody did something". Fell apart afterwards because there was no further planning.
It is endlessly depressing to me that the 'revolutionary' tools that so often catch on aren't free and open source.
they are just failed business with above average marketing budgets. It would have sold to facebook just the same if it took over market as whatsapp did.
That seems very likely. My point wasn't to say that they were looking to make a revolutionary tool to fight a state, more that it makes me sad that the ones that catch on are rarely open source ones that have existed.
because open source have the worst marketing budget, always. by definition.
Do you know of any projects that tried to advertise how much it helps? Obviously quite a limited set of projects that would even have a budget to advertise, but I wonder if there is data on how much it helps to show folks there are other options.
there's ton of data. that's why most project want to use MIT. They dream with vc money so they can just dump it all in marketing and make bank. like moby, i mean docker. npm. etc.
hence why you either go GPLv3 or don't bother calling it open source.
Not only marketing but also the worst engineering, testing, design, accessibility ... budgets.
Financing open-source projects is hard because anybody can take them and build stuff on top of them to sell at a way higher margin (or they are restrictive i.e. AGPL so nobody builds anything on top of them)
Only well-financed major open source projects are the ones that existed at critical points of time where no strong proprietary alternative with abundant features existed (e.g. Linux kernel, GCC, Apache Web Server) or the ones that are created by major companies as part of their infrastructure and released as a way to shape markets (e.g. Kubernetes, Chromium, PyTorch, React, .NET Core) for the worse or the better.
They almost always start out this way then slowly become figured out and integrated into the corporate machine. And the ones that are centralization-resistant become demonized and/or suppressed by the media. Tor, bitcoin, etc.
The entire history of the internet is basically decentralized protocols being slowly transformed into corporate walled-gardens.
It's gone because it was barely usable.
isn't that the exact opposite take from the article and anecdotes it contains?
I never used it, but remember the hype. It didn't get there by not working.
I've tried it, and it was pretty bad.
This type of service needs Apple and Google support to go anywhere, given how restricted access to radio hardware and background processing is on iOS and Android, and they're clearly not interested.
Apple has even rolled back AirDrop functionality, supposedly because of people receiving unwanted photos (which I don't doubt happened, but changing the default could address that – just outright removing the option to receive from anybody seems wrong).
There's absolutely no reason we shouldn't at least have a P2P Wi-Fi based chat client preinstalled on every iOS and Android phone, with a default of being able to message only known contacts. I mean, even the Nintendo DS could do it in 2004!
the eulogy also forgets it was a mesh-tweeter public and all, not a mesh end to end private communication solution people should have been using on those situations.
This criticism is about a decade out of date:
In 2014, after Hong Kong protesters demonstrated to the world how effective a tool it was, news blogs quickly pointed out that FireChat messages were not secure. By 2015, Open Garden updated the app to include end-to-end encryption,
It's been years since I had it, but I uninstalled it when I figured out it was breaking my phone's wifi connectivity. I don't know how or why, but when it was installed, my wifi was inconsistent and would frequently drop. I would uninstall it, and the problem would go away. This was on Android at least 5 years, and maybe as many as 10.
Then, one day in February 2020, as COVID-19 swept the globe, access to FireChat was completely cut off without explanation.
If it could be shut off from one place like that, it doesn't sound very "decentralized". Anyway, are there significant obstacles to re-implementation?
Someone above mentioned an alternative that uses LoRa. That's nice but it sounds like the attraction of Firechat was that it used ordinary phones that everyone already has. LoRa by comparison is special hardware that is already a bit suspicious.
If you're willing to use special purpose radios and live with low bandwidth text communication, you can do quite a bit better than LoRa, such as with JS8CALL and HF radios. But, a sad "theorem" tells us that any communications medium will be beaten into carrying video....
Once you realize that the ability to update code, obviously, negates any advantage "end-to-end encryption" brings, or any other form of security, you'll quickly find there is not a single secure messenger.
This is an argument I've never been able to successfully make to anyone except a military colonel.
This can be amplified by saying 'No end-to-end security without top-to-bottom security'.
Is there really no way on an Android to keep an app forever without taking updates? Of course maybe the OS needs to be updated which then breaks the app and necessitates updating the app, but the distinction of a forced update seems important.
FireChat was never going to be resilient enough because it was installed on Apple and Google controlled devices.
This kind of system needs a dedicated or at least 'open' device with adequate hardware to support wireless mesh networks.
I would love to see something like this, because we (even, or rather, especially; Western countries) currently have no decentralized fallback for emergency communication. If the electric grid and cellphone network go... most people don't even have AM radios at this point.
If the electric grid and cellphone go, what would be the problem with devices being Apple- and Google-controlled?
It seems like you're talking about two related but ultimately distinct concerns, i.e. reliance against infrastructure failures and reliance against organizational failures.
Yeah, you're mostly right. I mean, these centralized entities could still sign and release instructions over the mesh network propagation (unlikely though).
Having an overall culture/goal of decentralization, can inform decisions on multiple levels/concerns (infra, energy, org). Basically, if I'm trying to be resilient to infra problems, it won't be that much effort in changing the design to also be resilient from centralized control.
Tangential story time!
Several years ago (circa 2015) I was asked to build an app like FireChat by just the _oddest_ couple of guys I've ever met. They wanted an app where you could connect to other folks just by being near them. I never could get them to agree on what exactly the app was supposed to be beyond that.
The first gentleman was a VP-type for a large company. He insisted that the app (nicknamed "Pals" at the time) was for people with similar interests to find each other and connect based on just being near the same place at the same time.
The second partner was a well-known lawyer in my city. When I mentioned their app sounds like a dating app, this guy says to the first man, "SEE! It's a dating app." And then he proceeds to tell me (in graphic detail) his proposed strategy to build a dating app that would tell you where the other person is when you go to meet them in person. He essentially wanted to be able to spy on them to see if the person matched their online description or not before committing to the date.
I thought the idea, while clever, was also super creepy but offered to build it for them. I thought if they pivoted to something like large-scale live events they might have something. Imagine going to a sporting event and having a group chat with everyone else at the stadium. Great way to make new friends/contacts to hang out with later.
They hired a marketing firm to build it instead, and last I heard they had given up on the idea. I guess the only good that really came out of it was that I had a lawyer to call when I had to go to traffic court a few years later. Turns out he was actually pretty good at his job.
So they wanted Grindr from before they started fudging the distance numbers.
Meshtastic is alive https://meshtastic.org/
While I quite like Meshtastic and have literally dozens of t-beams, they serve fairly different usecases. Meshtastic is great for keeping in touch with your preorganized paragliding group or whatever, but the need for special hardware will always limit adoption in emergent scenarios vs. FireChat's "we're going to the protest; install this app".
FireChat is gone because apparently it wasn't open source, otherwise it would still be here
Very suspicious ending, which calls into question the real origin story.
This sounds like a scam. There was something similar a few years ago in Germany, a messenger advertised to criminals. Turned out to be a trap.
someone/some team can easily recreate this app.
I'm surprised that no one mentioned qaul – https://qaul.net/
It seems very nice.
To be clear, FireChat was a proprietary and closed source app which went away for reasons that only the people controlling it truly understand. That immediately suggests to me more of a "the money ran out" situation vs the more salacious "the CIA had a word" style implication at the end of the parent.
The article mentions Singaporeans, so I was very curious to find out how they were involved. But the word (erroneously?) links to the Hong Kong protests movement.
It didn't quite disappear. AFAICT, the core team is working on NewNode now: https://www.newnode.com/firechat
The text mentions an anodyne "for business reasons", so that should leave the door wide open for any conspiracy theories ;)
FireChat is gone because FireChat was a threat to the systems it circumvented.
This seems needlessly conspiratorial. Apps and companies disappear all the time and it's usually for boring reasons.
I applied to open garden many years ago, solved their coding challenges but after back and forth it didn't go anywhere.
It seems Stas has since then started clostra.com. The fireside chat messenger just rebranded. https://www.newnode.com/download.
I love a good conspiracy but shows little evidence.
Huh, I've had the mesh network concept rolling around in the back of my head for years specifically due to FireChat. I had no idea it was gone - guess I took it for granted.
Wonder if anybody's got more info on what happened?
Android only? Ugh
Seriously though, if you are going to take a phone to a protest, buy an Android used at a bodega and don't put anything personal on it. Expect to lose it.
Even then, most burner phones have serial numbers they can track to the sale.
I've bought a fair number of test devices. Nobody at a corner shop or mall phone repair kiosk has ever ID'ed me or kept track of the IMEI of a device I bought.
Interesting. My understanding was that IMEI could be traced to what vendor it was sold to, then they could pull the purchases and either see the card used to buy it, or find the video when the transaction occurred. Guess it depends on whether there is a method to pin which the exact phone without needing to scrub the purchases records.
You are significantly overestimating the level of recordkeeping by random sellers of used and/or ultra-cheap phones. Manufacturers, major retailers, and carriers may keep this information, but bodegas and street vendors certainly do not.
This is certainly approaching murder investigation levels of effort by law enforcement, but I don't think it's ridiculous to imagine a POS system being used that keeps transaction records for a year or two.
plenty of say disposable people to buy disposable phones for you.
Pay cash and wait 90+ days for video records to roll over.
But, at least in the country I live in, this is excessive for a typical protest burner.
This is literally a plotline in the "the wire".
There are so many links in that chain that need to line up, from the manufacturer keeping track of it to the distribution system to keep track of what batch goes where to the vendor keeping track of what phone IMEI is sold when or to who. Even if all those link up you need to get at the video within the rotation time for their video storage or link to their financial transaction data.
I would not be surprised if it is still as easy to evade as shown in the show (and as easy to get wrong).
US is one of the few nations where you can buy a phone and sim card without exposing your ID. You can even wear a full face mask when you do it if you're paranoid.
New burner phones, probably, but one could exit from a flea market or 2nd hand shop with a €100 bagful of phones not linked to anyone, at least until one puts personal data inside them or creates a potential association by using the same phones along personal ones on the same WiFi/cell tower/position or calling the same numbers.
You chose the walled garden.
It's annoying, but open source projects tend to prefer more open platforms. I assume that many Briar users use a deGoogled custom ROM instead of the stock Android ROM and a privacy focused app store like F-Droid.
I think a combination of LoRa, bluetooth, and WiFi might be the alternative. I've seen videos of LoRa functioning below the noise floor (perfect for evading RF triangulation), and at 200km (perfect for reaching past physical borders). The major weakness is line of sight (and availability), but bluetooth and WiFi can help there.
Theoretically it can't be below the noise floor right? I don’t know much about radio stuff fwiw that just seems impossible by definition
Other posters have pointed out that this is incorrect, but I wanted to give a bit of intuition as to how signals can be received when they are below the noise floor.
First, as a definition, below the noise floor means that the power of my signal at any given time is smaller than the power of the ambient noise in my channel, and usually this implies that you're only interested in a particular segment of frequency spectrum (e.g. within the 10MHz band centered at 1.8GHz). If we were doing a simple frequency-shift keying or amplitude-modulated signal, once the noise power exceeds the signal power, there is basically no hope of recovering anything useful, as those are both demodulation schemes that rely upon obtaining instantaneous estimates of the frequency or amplitude of the signal of interest.
However, spread-spectrum methods make a time/frequency tradeoff, where the signal of interest is "spread" across multiple points in time and frequency. A very simple example of this is to say "if I want to transmit a 1, instead of transmitting one cycle of a sinusoid at 1.8GHz, I will transmit 10 cycles". Then, at the decoder stage, you average across 10 cycles of your carrier in order to detect whether a signal was sent or not. By doing this averaging across time, you get a 10x gain versus the noise which is expected to cancel itself out as often as not.
True spread-spectrum techniques are more advanced than this, they actually use wave shapes that are more complicated than just a sinusoid to make it easier to detect when they start and stop (whereas with a sinusoid there's a fair amount of ambiguity if you shift one period to the left or right) but the fundamental idea of averaging across time is the same.
Through this mechanism we are able to rescue out signals from far below the noise floor, although it reduces your maximum transmission rate. When dealing with digital radio systems we can even rescue out signals from below our quantization floor, although not too much lower, as eventually you lose the ability to average out a signal that is fluctuating by significantly less than a single bit.
Whenever I talk about making tradeoffs in transmission speed to aid in reception, I am reminded of the ELF systems in submarines [0]. While they did not use spread-spectrum techniques, (they just jumped between two frequencies, 76Hz and 80Hz) they still correlated across time to boost up their effective SNR. [0] https://en.wikipedia.org/wiki/Communication_with_submarines#...
Or an even more concise example: fountain codes
https://www.thethingsnetwork.org/docs/lorawan/rssi-and-snr/
Simplest explanation is: If you take a closer look at the Shannon–Hartley theorem https://en.wikipedia.org/wiki/Shannon%E2%80%93Hartley_theore... you can see that in theory you can have an arbitrarily low signal/noise ratio for a message to get through.
Communication protocols that incorporate spread spectrum (code/direct sequence for GPS and chirp spread spectrum for LoRa) get a "processing gain" at the stage of the receiver where the signal is despread. The resulting signal will have an SNR roughly equivalent to a narrow band (non spread spectrum) signal with otherwise the same parameters. You will have a generally equivalent bit error rate for the same SNR.
It's also possible to receive non spread-spectrum signals below the noise floor, if you can observe it over longer time and get additional "processing gain" that way
Additionally, it is a bad idea to use spread spectrum as a means of concealment because if the adversary is physically near enough, your signal will show up above the noise floor. Due to the inverse square law etc, you have a narrow zone of enough power to be received by your remote recipient, but not enough power for closer adversaries to detect you. You are also reliant on the unlikely situation of an adversary without more advanced RF hardware with lower noise receivers.
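An added example, not part of any comment in this thread: a small simulation of the "repeat and average" despreading described above, plus the inverse-square point about nearby observers. It assumes ±1 (BPSK-style) symbols in unit-variance Gaussian noise, plain repetition rather than LoRa's chirp spread spectrum, free-space path loss, and the same noise floor at every receiver; all function names are hypothetical.

```python
import math
import random


def despread_bit_error_rate(snr_db, reps, n_bits=2000, seed=1):
    """Send n_bits as +/-1 symbols, each repeated `reps` times, through
    unit-variance Gaussian noise; decode by summing the repeats.
    snr_db is the per-sample SNR (negative = below the noise floor)."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    amp = math.sqrt(10 ** (snr_db / 10))  # noise power is 1, so amp^2 = SNR
    errors = 0
    for _ in range(n_bits):
        bit = rng.choice((-1, 1))
        # Signal adds coherently (reps * amp); noise adds as sqrt(reps).
        total = sum(bit * amp + rng.gauss(0.0, 1.0) for _ in range(reps))
        decoded = 1 if total >= 0 else -1
        errors += decoded != bit
    return errors / n_bits


def processing_gain_db(reps):
    """SNR improvement from averaging `reps` independent noisy copies."""
    return 10 * math.log10(reps)


def snr_at_distance_db(snr_rx_db, d_rx, d):
    """Per-sample SNR seen at distance d, given the intended receiver at
    distance d_rx sees snr_rx_db (inverse-square law: 20*log10 of ratio)."""
    return snr_rx_db + 20 * math.log10(d_rx / d)


def above_floor_radius(snr_rx_db, d_rx):
    """Distance inside which the raw signal is at or above the noise floor
    (per-sample SNR >= 0 dB), i.e. visible without any despreading."""
    return d_rx * 10 ** (snr_rx_db / 20)


if __name__ == "__main__":
    snr = -10.0  # constructed value: 10 dB below the noise floor
    for reps in (1, 10, 100):
        ber = despread_bit_error_rate(snr, reps)
        print(f"reps={reps:3d} gain={processing_gain_db(reps):4.1f} dB "
              f"bit error rate={ber:.3f}")
    # Intended receiver 1000 m away (constructed distance).
    for d in (1000, 316, 100, 10):
        print(f"observer at {d:4d} m sees {snr_at_distance_db(snr, 1000, d):6.1f} dB")
    print(f"above the noise floor within {above_floor_radius(snr, 1000):.0f} m")
```

The same link that needs 100 repeats to be decoded at the far end is plainly above the noise floor for any receiver inside roughly a third of that distance, which is the concealment caveat made in the comment above.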
GPS signals are below the noise floor when they arrive at your phone.
If you know where to look for the signal, you can often find it
It looks like this allows short range communication, but doesn't set up a meshnet. So wouldn't be great for anything more than a couple hundred feet.
Beyond that though, at this point for protests (in the US at least), the suggested opsec is to leave your phone at home.
Not exactly. Briar uses bluetooth or wifi when peers are close, but also tor (over standard internet) when not, so it's possible to use it at wide scale.
Briar actually does set up a meshnet for groups and forums, so long as people are contacts of each other. See the diagram here: https://briarproject.org/img/howitworks3(mobile).svg
I would think that a meshnet only over contacts would have too many holes to really be helpful in the hypothetical protest setting that's being described. Definitely a cool way to do it! Do you happen to know if it's XMPP or something, or its own protocol?
No, they're using their own protocol: https://code.briarproject.org/briar/briar/-/wikis/home
There are still holes of course, connecting only to contacts limits the spread of messages but ensures you don't leak too much information if your device is compromised
It's getting so "and he left his phone at home" has been brought up as evidence in many trials.
Has it?! That's distressing...
Briar is awesome. I've used it to talk to my wife when we are seated away from each other in planes or trains and can't get up, via bluetooth due to lack of service, wifi, or because of airplane mode.
Is that on Android or iOS?
I continue to be frustrated by having to use the plane's satellite internet connection (not always free) to message somebody sitting two rows away from me, so this would be great.
Android, in my case
In theory maybe, but I have never gotten Briar to work in practice without Internet.
TIL Briar does "offline messaging". This is news to me, though I've never used it.
That said, I am curious to hear more about the offline messaging. If it only is able to exchange when the two people who are trying to communicate with each other are directly nearby it isn't so much a mesh network, right? A mesh network would be able to route across other nodes to get to its destination. Does Briar do that? The "How it works" page doesn't really seem to answer much, so I am assuming not.