Tag - security

Tue 16 Feb 2016

Open-source alternative to Trello: does it exist? Can we make it better?

I am a daily user of Trello, the visual online service that organizes cards into lists. Trello is a very simple but neat idea: you use cards organized into lists to represent your things (e.g. to-do lists) and, more importantly, you re-organize them as you wish: moving cards, moving lists, putting colored labels, comments, due dates or check-lists on cards, ... That way, you can represent about any system and update its status very easily and visually. Trello also has filtering capabilities and, last but not least, collaborative capabilities by sharing boards of cards. Trello is visual and simple to use. You can organize both your private and professional life with it: bug tracker, to-do list, project management, holiday planning, etc. Trello is great!

Well, nearly. Trello has a big drawback: it is a proprietary product.

So, can we find an open-source alternative to Trello?

Looking for open-source Trello-like application

A friend of mine recommended that I look at AlternativeTo's suggested alternatives to Trello. The listed applications can be classified into four categories:

  • Bug trackers and project management tools (Trac, Tuleap Open ALM, ...);
  • Kanban-like boards for Agile project management (Kanboard, TaskBoard, ...);
  • Some applications that seem out of place in that category, like Loomio, Agenda or ERPAL;
  • Two Trello-like applications: Restyaboard and Wekan!

Restyaboard and Wekan are very similar, i.e. like a very early prototype of Trello. You can create lists and cards, move them, add labels and do some filtering, share boards... and that's all! Moreover, Restyaboard is very slow and clumsy. So if you want a basic open-source alternative to Trello, use Wekan.

But if you want the full power of Trello, you won't find any open-source alternative.

So we need to build it. :-)

Designing a better Free Software alternative to Trello

So, how could we improve Trello?

Firstly, take all the basics of Trello: lists, cards, due dates, filters, check-lists, board sharing, etc. Maybe some goodies like badges are not needed, but the core of our Free Software Trello should be very close to the current proprietary Trello.

Second step: make it a real desktop application (and mobile app), not an online service. Why? Because in a post-Snowden era, you cannot trust any online server, not in the US, not in Europe, not even your own lovingly administered server. So edit your data locally, encrypt it, and then upload it for sharing. For a local application, you can create a real desktop application or a web application. The second might be easier to create and is the mainstream choice, but even if web-based applications can be very powerful, there are always strange UI issues, like application "windows" not behaving like your other desktop windows. So I vote for the real application.

Third step: add sharing capabilities. Data should be uploaded in encrypted form. On the server, you need a minimal platform to store pieces of data, maybe with some PHP to maximize hosting options. That step might be a bit tricky: you need some cryptographic expertise, and you must be astute and not re-invent the wheel (or you won't get any security) to be able to share data while keeping it encrypted on the server. But there is always a lot of fun in a technical challenge! :-) And other people are looking at this issue, like Mozilla's Firefox Sync.

Fourth step: add 2D capabilities. I have always found Trello frustrating regarding list organization: I can put lists in columns, but I cannot organize lists in two dimensions, as in a table. Sometimes lists are very short: I would like to group them together, one above the other. Trello does not allow that.

Fifth but not least step: add programming capabilities. You want to automatically move cards when a certain label is put on them? You want to create a card when an email is received? Take your favorite programming language (OCaml, Lua, Ruby, ...), use the API and program the behavior you want. Even better, publish the recipe online, in a public repository, so that other people can reuse your nice Agile Project Management Tool Manipulated With Only Five Keystrokes™.

With all of that, I think we'll have a better Free Software alternative to Trello.

By the way, I propose its name, Tibett: Tibett is better than Trello, and with Tibett you can go to great heights. :)

What do you think of it? Would you have other improvements to Trello?

Sat 29 Jun 2013

WE programming idea: opportunistic secure email exchanges

A long time ago, a French computer science magazine proposed program ideas ranging from a few hours to a complete weekend (WE) of work. Here is an idea to elaborate on, even if it might take a little more than a WE to implement it fully. ;-)

Observation: secure email exchange with OpenPGP or S/MIME does not work

Like many others, I have tried to exchange secure (encrypted and strongly authenticated) emails with friends and other people, in my case in OpenPGP format using the GnuPG free software. But, like many others, I have stopped because it simply does not work.

Why? Probably for several reasons:

  • One needs to understand at least the basic principles of asymmetric cryptography: public and private keys. It is not that complicated (if you don't go into the fine details ;-) ) but it is probably already too complicated for the average user;
  • One needs to create one's key and load it into the email program. If one has several computers, one needs to do this for each of them. Creating the key adds complicated steps. Loading it on each computer is cumbersome;
  • If you want to participate in the "web of trust" (for OpenPGP emails), you need to have your key signed by other people and sign other people's keys. Once again, this is very complicated to understand for the average user;
  • Even if you don't want to participate in the "web of trust", you need to check the fingerprints of your correspondents to gain strong authentication. Once again, a complicated step to understand and do;
  • Even if you have done all of this and understand it, each time you want to send an email you need to enter the password to unlock your private key. This is annoying.

Regarding S/MIME, you have much the same complications. It can be a little simpler, but as you need a Public Key Infrastructure (PKI), S/MIME's usefulness is limited to a single administrative entity managed by trained system administrators, in other words a big company.

A proposal: opportunistic secure email exchange

The basic approach is pretty simple: make a plug-in for some email programs. The first time the plug-in is installed, it automatically creates a public/private key pair for each email address the user uses.

Then, each time a user A sends an email, the public key attached to A's email address is automatically sent along with the email. Therefore, if A communicates with another person B using the same kind of plug-in, B's plug-in detects that A is capable of using secure email. With the next email from B to A, B's plug-in automatically attaches its own public key.

Therefore, after two email exchanges between A and B, each has the other's public key and they can both exchange secure emails. When one of them sends an email, the email program detects that it has the correspondent's public key and automatically encrypts and signs the email.

Of course, with this scheme, you don't gain strong authentication of the remote party: a man-in-the-middle attack is still possible. But nothing prevents using another cryptographic protocol afterwards to check that the remote user really is who he claims to be, as in the ZRTP protocol.

But the danger nowadays is not the man-in-the-middle attack, it is continuous spying on servers like the USA's PRISM program. This opportunistic encryption scheme would allow the average user to use encryption. The emails would be stored encrypted on GMail, Microsoft or Yahoo servers and be in clear only on the user's computer.
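As an added example (my code, not the author's and not an existing Thunderbird plug-in), the Go program below models that exchange between A and B with the standard library's X25519 key agreement and AES-GCM in place of OpenPGP; the Plugin and Mail types, the addresses and the message texts are constructed for the demo. Each party's public key is attached to every outgoing mail, a body is encrypted as soon as the sender holds the recipient's key, and the receiver keeps the first key it sees for an address and refuses a later, different one, so the man-in-the-middle case above surfaces as an error instead of passing silently. Two simplifications: the "sign" step is provided by the AES-GCM tag under the pairwise key rather than a separate signing key, and the shared secret is hashed with SHA-256 where a real plug-in would use HKDF. It also goes one step beyond the text: B's first reply is already encrypted, because B learned A's key from the very first mail.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Mail stands in for an email (constructed format); the sender's public key is attached to every one.
type Mail struct {
	From, To  string
	Body      []byte // clear text, or nonce || AES-GCM output when Encrypted is set
	Encrypted bool
	Pub       []byte // sender's X25519 public key, always attached
}

// Plugin is one user's plug-in state: its key pair plus what it learned from correspondents.
type Plugin struct {
	Addr  string
	priv  *ecdh.PrivateKey
	pubs  map[string][]byte      // correspondent -> raw public key, kept to detect a change
	peers map[string]cipher.AEAD // correspondent -> AES-GCM under the shared key
}

// NewPlugin generates the key pair, as the plug-in would at install time.
func NewPlugin(addr string) *Plugin {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // the system random source is not expected to fail
	}
	return &Plugin{Addr: addr, priv: priv, pubs: map[string][]byte{}, peers: map[string]cipher.AEAD{}}
}

// aead turns the X25519 shared secret with pub into an AES-GCM cipher. Only the two
// correspondents can compute that key, so the GCM tag also authenticates the sender
// to the other party (the "sign" part of the proposal). SHA-256 stands in for HKDF.
func (p *Plugin) aead(pub []byte) (cipher.AEAD, error) {
	key, err := ecdh.X25519().NewPublicKey(pub)
	if err != nil {
		return nil, err
	}
	shared, err := p.priv.ECDH(key) // rejects low-order points
	if err != nil {
		return nil, err
	}
	sum := sha256.Sum256(shared)
	block, _ := aes.NewCipher(sum[:]) // a 32-byte key cannot fail
	return cipher.NewGCM(block)
}

// Send attaches our public key to every mail and encrypts only when the recipient's key is known.
func (p *Plugin) Send(to string, body []byte) Mail {
	m := Mail{From: p.Addr, To: to, Body: body, Pub: p.priv.PublicKey().Bytes()}
	gcm, known := p.peers[to]
	if !known {
		return m // first contact: the body goes out in clear, the key rides along
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce) // crypto/rand does not return errors in practice
	// The addresses go into the AAD so a mail cannot be replayed in the other direction.
	m.Body = gcm.Seal(nonce, nonce, body, []byte(m.From+">"+m.To))
	m.Encrypted = true
	return m
}

// Receive records the sender's key on first contact (trust on first use), refuses a key that
// differs from the recorded one, and decrypts encrypted mail. It reports whether it was encrypted.
func (p *Plugin) Receive(m Mail) ([]byte, bool, error) {
	if seen, known := p.pubs[m.From]; !known {
		gcm, err := p.aead(m.Pub)
		if err != nil {
			return nil, false, err
		}
		p.pubs[m.From], p.peers[m.From] = m.Pub, gcm
	} else if !bytes.Equal(seen, m.Pub) {
		return nil, false, fmt.Errorf("key for %s changed: possible MITM, verify it out of band", m.From)
	}
	if !m.Encrypted {
		return m.Body, false, nil
	}
	gcm := p.peers[m.From]
	if ns := gcm.NonceSize(); len(m.Body) >= ns {
		body, err := gcm.Open(nil, m.Body[:ns], m.Body[ns:], []byte(m.From+">"+m.To))
		return body, true, err
	}
	return nil, false, fmt.Errorf("ciphertext too short")
}

func main() {
	a, b := NewPlugin("a@example.org"), NewPlugin("b@example.org")
	for _, s := range []struct{ from, to *Plugin; text string }{{a, b, "hello"}, {b, a, "reply"}, {a, b, "both ways"}} {
		body, enc, err := s.to.Receive(s.from.Send(s.to.Addr, []byte(s.text)))
		fmt.Printf("%s -> %s: %q encrypted=%v err=%v\n", s.from.Addr, s.to.Addr, body, enc, err)
	}
}
```

Running it prints the three mails: the first travels in clear, the next two encrypted. The recorded-key comparison is what a plug-in needs in order to notice the man-in-the-middle case; checking that key out of band (the ZRTP-style step mentioned above) is what turns trust on first use into strong authentication.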

The WE programming idea

I think you have now understood this WE programming idea: implement such a plug-in doing opportunistic email encryption, e.g. as a Thunderbird plug-in. :-) All the libraries are there, like GnuPG's GnuPG Made Easy (GPGME) library to manage keys, encryption and authentication.

Anybody willing to take the challenge? ;-)

Mon 27 Jul 2009

Secure setup of DokuWiki with Lighttpd web server on Debian Lenny

DokuWiki is a very nice wiki programmed in PHP that does not use any database. It is very simple to set up and use. As I use the lighttpd web server instead of Apache, a secure installation requires a configuration somewhat different from the usual one.

Here is the configuration I am using. Contrary to our installation in Niadomo, I'm using the original source tarball and not the Debian package. It is heavily inspired by DokuWiki's installation and security documentation. I strongly recommend reading the security documentation before doing any installation.

DokuWiki installation

We first download and unpack DokuWiki so that the wiki is available as example.com/mydoku, assuming example.com is the name of your web site and /var/www is the root directory of your lighttpd server.

 $ cd /tmp
 $ wget http://www.splitbrain.org/_media/projects/dokuwiki/dokuwiki-2009-02-14b.tgz
 $ tar zxf dokuwiki-2009-02-14b.tgz
 
 $ sudo mv /tmp/dokuwiki-2009-02-14 /var/www/mydoku
 $ sudo chown -R www-data:www-data /var/www/mydoku

We then open the configuration script at http://example.com/mydoku/install.php to configure the wiki. I won't detail this part as it is up to you to choose a configuration that suits your needs. Refer to DokuWiki's install.php instructions for further details.

Making DokuWiki secure

First, we remove the installation script, which is no longer necessary.

 $ sudo rm /var/www/mydoku/install.php

Second, we move DokuWiki's data/ and bin/ directories into a separate directory, /usr/local/installed/mydoku. You can choose any directory that suits your setup, but it must be outside of the root directory of your web server, in my case /var/www.

 $ sudo mkdir -p /usr/local/installed/mydoku
 
 $ sudo mv /var/www/mydoku/bin /usr/local/installed/mydoku/
 $ sudo mv /var/www/mydoku/data /usr/local/installed/mydoku/
 
 $ sudo mv /var/www/mydoku/README /usr/local/installed/mydoku/
 $ sudo mv /var/www/mydoku/VERSION /usr/local/installed/mydoku/
 $ sudo mv /var/www/mydoku/COPYING /usr/local/installed/mydoku/

Then we configure conf/local.php so that the installed DokuWiki knows where to find its data. We use the $conf['savedir'] functionality[1] for this. We also set allowdebug to 0, to avoid giving information to attackers in case of an error.

 $ sudo vi /var/www/mydoku/conf/local.php

We add the following two lines:

 $conf['savedir'] = '/usr/local/installed/mydoku/data';
 $conf['allowdebug']  = 0;

We then configure lighttpd to deny access to the inc/ and conf/ directories. We use the Debian-specific way: creating a dedicated lighttpd configuration file and activating it.

 $ sudo sh -c 'cat > /etc/lighttpd/conf-available/11-dokuwiki.conf'

Add the following content (finish with Ctrl-D):

  $HTTP["url"] =~ "^/mydoku/inc" {
    url.access-deny = ("")
  }
  else $HTTP["url"] =~ "^/mydoku/conf" {
    url.access-deny = ("")
  }

I am simply using regular expressions on the URL to deny access to the two directories; the empty string in url.access-deny matches every file name, so everything under those two paths is denied.

We then enable this configuration and restart lighttpd.

 $ sudo lighty-enable-mod dokuwiki
 $ sudo invoke-rc.d lighttpd restart

You can now check that access to http://example.com/mydoku/conf/local.php or http://example.com/mydoku/inc/io.php is denied.
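As an added check (my code, not part of DokuWiki or of this post), the Go program below audits the steps above against an installed wiki. The AuditDokuwiki function and its parameter names are hypothetical; the main function uses the post's own paths (/var/www/mydoku, /usr/local/installed/mydoku/data and /etc/lighttpd/conf-available/11-dokuwiki.conf). It reports every step that is not in place: install.php still present, data/ or bin/ still under the web root, savedir or allowdebug not set in conf/local.php, or the lighttpd rules for inc/ and conf/ missing.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
)

// AuditDokuwiki checks the hardening steps against a DokuWiki install: wikiDir is
// the directory under the web root, urlPrefix the URL path it is served at, savedir
// where data/ was moved to, and lighttpdConf the text of the lighttpd config file.
// It returns one line per step that is not in place; an empty result means all passed.
func AuditDokuwiki(wikiDir, urlPrefix, savedir, lighttpdConf string) []string {
	var findings []string
	exists := func(path string) bool {
		_, err := os.Stat(path)
		return err == nil
	}
	// 1. The installer must be gone.
	if exists(filepath.Join(wikiDir, "install.php")) {
		findings = append(findings, "install.php is still present in "+wikiDir)
	}
	// 2. data/ and bin/ must be outside the web root, and savedir must hold the data.
	for _, d := range []string{"data", "bin"} {
		if exists(filepath.Join(wikiDir, d)) {
			findings = append(findings, d+"/ is still inside the web root")
		}
	}
	if !exists(filepath.Join(savedir, "pages")) {
		findings = append(findings, "savedir "+savedir+" does not look like a DokuWiki data directory")
	}
	// 3. conf/local.php must point at the new data location and keep debugging off.
	local, err := os.ReadFile(filepath.Join(wikiDir, "conf", "local.php"))
	if err != nil {
		findings = append(findings, "cannot read conf/local.php: "+err.Error())
	} else {
		saveRe := regexp.MustCompile(`\$conf\['savedir'\]\s*=\s*'` + regexp.QuoteMeta(savedir) + `'\s*;`)
		if !saveRe.Match(local) {
			findings = append(findings, "$conf['savedir'] does not point at "+savedir)
		}
		if !regexp.MustCompile(`\$conf\['allowdebug'\]\s*=\s*0\s*;`).Match(local) {
			findings = append(findings, "$conf['allowdebug'] is not set to 0")
		}
	}
	// 4. lighttpd must deny every URL under inc/ and conf/ (the empty string in
	//    url.access-deny matches all files).
	for _, d := range []string{"inc", "conf"} {
		pat := `\$HTTP\["url"\]\s*=~\s*"\^` + regexp.QuoteMeta(urlPrefix+"/"+d) +
			`"\s*\{\s*url\.access-deny\s*=\s*\(\s*""\s*\)`
		if !regexp.MustCompile(pat).MatchString(lighttpdConf) {
			findings = append(findings, fmt.Sprintf("lighttpd does not deny %s/%s", urlPrefix, d))
		}
	}
	return findings
}

func main() {
	conf, err := os.ReadFile("/etc/lighttpd/conf-available/11-dokuwiki.conf")
	if err != nil {
		fmt.Println("cannot read lighttpd config:", err)
	}
	findings := AuditDokuwiki("/var/www/mydoku", "/mydoku", "/usr/local/installed/mydoku/data", string(conf))
	for _, f := range findings {
		fmt.Println("FAIL:", f)
	}
	if len(findings) == 0 {
		fmt.Println("all hardening steps are in place")
	}
}
```

The filesystem and config checks are offline and complement the HTTP check above: a 403 on the two URLs shows the lighttpd rule is active, while this audit also catches a data/ directory left in the web root or an installer that was never removed.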

Have fun with your new wiki!

Notes

[1] Some people would call that a hack. ;-)