A ZDNet AnchorDesk column follows up on earlier column saying Linux wasn’t ready for the desktop. The column names several issues of concern — too many Linux distro, community doesn’t speak the language of the “average user” — and a couple of “insurmountables” for Linux to work on the desktop. Among the insurmountables: Customers are sheep who are used to Micrsoft.

– By Grant Gross –

A quiet project hosted on SourceForge.net is attempting to give Internet users a level of anonymity that hasn’t yet been achieved. Founders of the CryptoBox project are dedicating it to Internet users in censorship-happy countries who face getting prosecuted for sharing their beliefs.

The CryptoBox developers are working on an ultra-secure, decentralized instant messaging application that could also be used to encrypt other types of online transmissions, such as email and file sharing. Project founder Nikola Bobic, a graduate student and part-time instructor at the University of Ottawa’s School of Information Technology and Engineering, makes no guarantees that his software will be perfectly secure — like many security experts, he admits there is no such thing — but his goal is to make the program as secure as humanly possible.

“An attacker would need extraordinary resources to read your messages,” he writes in the project FAQ.

“Anonymity, when talking in CryptoBox’s context, refers to the fact that no one is able to tell with a certain degree of certainty, whether you are sending messages or receiving them.”

Unlike email using PGP or anonymous remailers, where the identity of the person receiving the message can be seen by snooping parties, CyptoBox uses two-way anonymity. “When you send an encrypted message to someone (using email with PGP), an attacker maybe can’t break the message, but she sure knows that you are communicating with that other person,” Bobic writes. “If that other person is someone who the government does not like, this fact alone can be enough, in some countries, to imprison you for conspiracy and treason against a regime.”

Bobic started CryptoBox as a research project, an extension of his research into wireless networking. CryptoBox’s peer-to-peer foundation is similar to the ad-hoc networks that serve as the basis for wireless communication, Bobic says.

“Another influence was the general lack of any quality security
toolkit out there as well as the social and political issues,” he says. “Since we
firmly believe in freedom of speech, it is disheartening to see how
many people are imprisoned around the world simply because they have
conflicting views and ideas from the regime currently in charge. We
would like to provide those people with means of safe, private and
effective communication so that they can disseminate their views freely
with the rest of the world and finally bring democracy to their people.”

CryptoBox is a security layer that “can be interfaced with any application that needs to communicate securely,” according to the project’s about page. It uses its own XML-based Internet protocol, which is relayed to a transport, which can be TCP/IP, SSH, etc., and it can be piggybacked onto communication protocols of other applications, such as Freenet. Most of the protocols and standards in CryptoBox use public key infastructure.

The infant project, started in late 2000, is concentrating right now on instant messaging functions, but developers plan to offer other plug-ins for functions such as sharing small files and voice over IP. Bobic does not plan to write a plug-in to trade MP3s. “You can, if you want to spend 45 minutes of your time, build one quickly on your own,” he writes.

The two-person (at least until recently) CryptoBox team has switched the programming language for CryptoBox from MS DCOM architecture in C++ to Java. [For an explanation of why MS DCOM, see the FAQ.] Since then, the team has been working on some problems with the code.

“Since then, we have managed to solve a vast majority of [the problems] and the only
thing left now is to optimize node optimization and connection
protocols,” he says. “One of the most complex parts of the system is the dynamic
optimization algorithm which is the heart and soul of the mobile
network agent and it is extremely tricky to specify it completely. We
have a lot of code which was written for testing and simulation
purposes and that will have to be converted slowly over to Java.”

The project, which has only released the old C++ version of the code, got a recent boost from a posting on InfoAnarchy.org. The post generated some questions and criticisms — Bobic says he wasn’t quite ready for the exposure yet — but since the article, he says he’s gotten offers to help from eight developers and one person has already started working on the project documentation. The post also generated about 30 encouraging emails, he says.

One of the next projects for the CryptoBox team is picking which Open Source/Free Software license they want to use. Bobic says he’s considering the GPL, but he doesn’t want to require programmers who make derived work from CryptoBox to also release that work under the GPL. “Since we would like the protocols/layers that we
implement to be useable in any commercial application as well (without any
royalties), we run into some conflicts,” he says. “The solution would then be to
release it under LGPL; however, we then have to separate the layers and
protocols into one section (LGPL) and applications (plug-ins) into the
GPL section. This can be very tricky and could dictate the development
plan as well (something that we’d like to avoid at all costs).”

Another licensing hurdle, Bobic says, is what to do if the project wants to patent a particular algorithm.

“We would like the patent to be free for everyone who releases code under GPL and
charge those who would like to use it for commercial applications,” he says. “I
see the uncertainty of what exactly has the higher authority: GPL or a
patent law and I am unsure at this point what would be the best step to
take.”

The project’s design philosophy states that the “whole application (or at least the most critical parts of it) has to be open-sourced. This is the ONLY way to give users complete confidence of app’s inner workings.”

Bobic says he has several goals for the young project, most of all to provide a “thin, easy-to-use security and anonymity” for the Internet. “The main goal
is to provide a commercial-quality and strength API which anyone who wants
to add to their application will be able to do so. There are a
lot of anonymity and security related applications out there but none
of them are extensible and are tuned for a particular task such as
emailing and file sharing, for example. We wanted to …
create something that requires very little to none user input and is
also general enough so that it can be used for any specific purpose.”

From Net-Security.org:

LPRng fails to drop supplemental group membership at init time, though it
does properly setuid and setgid. The result is that LPRng, and its
children, maintain any supplemental groups that the process starting LPRng
had at the time it started LPRng. This is a security risk.

Anonymous Reader writes, “MP3Pro, the update to the MP3 format, has finally arrived. RCA today posted the first MP3Pro Encoder/Decoder to rip CD tracks into the new high quality compression format. Details and download here.” The

story is at MP3newswire.net.

ZDNet has a column asking why computer-based home media networks and routers are so difficult to create. The column uses the Linux-based TiVO as an example of someone doing something right.

Linux Journal has the review. “It’s astonishing to think of the strides Linux has made as a desktop operating system over the past few years, and the latest offering from the
KDE camp is indeed a testament to this progress. With the emergence of new companies, as well as older, more established ones, focusing
on improving and providing applications for the Linux desktop, greater acceptance is likely not far behind.”

Open Source advocate Bruce Perens has a column on ZDNet: “It’s entertaining to watch the effect that open source seems to have on Microsoft executives. In
February, Jim Allchin called us un-American. Recently, Steve Ballmer said Linux is a cancer!
These are not the words of calm people. What is it about open source that makes Microsoft
executives so uneasy? Could it be that after all of these years, competition has become so
foreign an idea to them that they react with horror?”

The Wall Street Journal (on ZDNet) reports. Micrsoft’s recent anti-Open Source, anti-GPL campaign is drawing criticism from legal experts and it’s “unifying the
movement’s often-fractious group of leaders.” Legal experts are jumping in by saying Microsoft is twisting the way the GPL works.

Patrick Mullen writes: “The Duke of URL has just posted its reviews of XFree86 4.1.0. The review takes a look at its performance (2D and 3D), new features, bug fixes, and takes a look at the performance improvements on ATI, NVIDIA, 3dfx, and Matrox drivers.”

“Paul Leroux is a technology analyst with QNX Software Systems, where he has served in various roles since 1989. Paul
undertakes research on OS architecture issues, with an emphasis on applications for information appliances and
networking equipment. In this interview, he explains how QNX is different from other operating systems, how it compares
with linux and talks about the company’s future plans.” More at FreeOS.com.