Monday, November 4, 2013


I went to my first hackathon this weekend. A bunch of people, in teams of up to 5, trying to build something cool that could be the foundation for a company in just 24 hours (or just trying to build something cool or fun in those 24 hours.)

I'd brought an idea for an NSA-proof messaging app. We now know that between spying, hacking, and court orders, just about any connection over the Internet is susceptible to "man in the middle" attacks or all sorts of other monitoring techniques.

My idea, Funsa (or F.U.NSA), was that if you treat the whole Internet as compromised, then the way to communicate securely is to exchange the keys for your messages off the Internet.

I sat down at a table, and happened to get the right people there: an Android developer and a web services guy, both from Amazon. A woman joined us later who did IT security and was a great researcher and presenter for the team.

(Team website here)

We got a working demo for iOS to show. Each device would make a new 2048-bit RSA public/private key pair for a new connection. Then the two iPhones would exchange the public keys over Bluetooth. From then on, they could send secure messages to each other through a server on the Internet, encrypted with the keys they'd exchanged offline.

A real app might use 4096-bit keys (but that could take several minutes to generate on an older iPhone, so we did 2048 for the demo since it "only" takes a few seconds on the new iPhone 5S.)

We talked about all sorts of next steps and other ideas.
  • Sending the keys using QR codes on the phone screens and front cameras, or even sound, squawking like a modem from the 90s.
  • Lots of enterprise features, like having full source code so they could audit and set up their own controlled messaging servers.

We got to the finals (top 6 out of about 30), but didn't get in the top 3. But many people said that if it were judged on the name alone, we'd win :)

Pete, Shawn and I talked about finishing it up as a Headlight app. Pete had some great ideas; since he's in London, the Bluetooth way of exchanging keys wouldn't work :) The craziest would be to each print out QR codes for the public keys and send them by regular snail mail to scan on each of our devices across the world!

Offline key exchange wouldn't be new--that's one of the reasons they invented the handcuffed briefcases you see in movies :) We didn't find any apps or messaging systems that used it as the security method for mobile devices.
