Picocrypt is Moving, AMA

Hi all! I’m the developer of Picocrypt and I have some cool news to share. Picocrypt will now be moving from HACKERALERT/Picocrypt (funny name, I know) to Picocrypt/Picocrypt. This will allow the community to make code contributions in the future and ensure that the project continues to live on and be maintained, even without my guidance eventually. You can read more in detail about the migration here but here are some key points:

  • Moving to a GitHub organization called Picocrypt
  • Anyone can contribute code in the future. To ensure security, the main branch is protected and PRs to the main branch require 3 reviews in order to merge. Workflows are code owned by me and no one can modify them without my approval.
  • Releases are now done nightly by GitHub Actions! You can stop worrying about me backdooring releases now :slight_smile:

Onto the main point of this thread. Is it time to update the link to Picocrypt in Privacy Guides from HACKERALERT/Picocrypt to Picocrypt/Picocrypt? There are some things to consider, such as the old code is access locked to me and if you trust me, you can trust the code (kinda like TrueCrypt vs VeraCrypt) and the old code has more stars, issues, and a full commit history. The new repository is cleaner and things are split out into separate repos (GUI, CLI, web), but there are far fewer stars and less commit history, which might be “untrusty” from some people’s perspectives. Ultimately, up to the PG maintainers, but I personally think it’s time to update the link as the future of Picocrypt will be in this new repo and organization.

Now that we’re here, I might as well do an AMA. AMA in the next 3 days and I’ll do my best to reply. After that though, I gotta run and do other things. Ask away :slight_smile:

Proof that I am who I claim to be: https://\github.com/Picocrypt/Picocrypt/issues/17 (new users can only have two links in a post lol)

12 Likes

Thanks for making Picocrypt!

  • Is there progress on the audit?
  • Has there been a code review or informal audit by any individual or group so far?

1 Like

Raised $2k/$5k. Inching toward the goal slowly although even slower than before :sweat_smile: . The good news is that the crypto library \golang.org/x/crypto is going to be merged into the standard library soon, so that’s one component that probably doesn’t need auditing anymore and will be maintained by the Go team. I asked cure53 if this would decrease the audit price, but they somehow quoted me more than before :slightly_frowning_face: . Might have to look to other audit firms, suggestions welcome.

No code review or audit of any type so far, although no security issues reported either, ever. Could be due to lack of eyes on the code, or could be a good sign :person_shrugging:

2 Likes

Picocrypt looks like a very useful tool. Are there any plans to make a Flatpak version of it? That would probably appeal to many people in the privacy community.

1 Like

Welcome to the forum Evan! As a formality, do you have a way to verify yourself as the real developer so I can give you your tag? :slight_smile:

(A post from social media/GitHub/project email etc. will do)

EDIT: somehow missed the last sentence of your post, approved.

1 Like

Not gonna lie, I find the original name HACKERALERT to be fun, if a little bit juvenile and mildly unsettling :laughing::rofl:. Hopefully with a more formal name you can get better recognition and funding.

I have liked and used your app in the recent past but I have lost the use case but the app remains.

Thank you for your work!

1 Like

Can we get an android app pretty please?

Trail of Bits and Quarkslab, well known but probably expensive. Doesn’t hurt to take your chance and contact them tho!

Others:

I cannot personally give a specific recommendation; take a look at radicallyopensecurity :eyes:. It would be great if others share their thoughts/recommendations.

I found this from a Brave Search, not sure if legit or some BS SEO-optimised shadow site.

Edit: for grants, you could look at https://futo.org/grants/

I’ve tried in the past, kinda difficult, which led me to use Snapcraft instead, which obviously is not the sort of thing privacy enthusiasts would use lol. I’ll make an issue for it and take a look again. Maybe things have changed and I can get something working… and if not, I’m sure someone eventually will find a way to make it work. Thanks for the suggestion/reminder.

1 Like

Also would be cool to get the .deb into official Debian repos! Difficult for sure given the scrutiny those packages go through, but if anyone knows a maintainer who might be willing, please lmk!

1 Like

Yeah, I picked the name a long time ago… too many things depend on it (like Go package imports) to change :slight_smile:

Good to hear you’ve enjoyed the app! Feel free to use whatever floats your boat, but Pico will be here if you ever need a simple fallback.

2 Likes

This has been a common request. As someone who gets headaches trying to get Android Studio to work, I don’t think I’ll be the one to put together a mobile app. There are some Go packages like fyne and gioui that could work, but it’ll take some time to do that I currently don’t have. Of course, now that Pico is more open to contributors, there’s always the chance that someone pops in with a prototype and we can work from there. For now, you can use the web interface which is minimal but sufficient, or the CLI via Termux which is much more powerful.

1 Like

This is awesome, thanks so much for sharing. I’ll contact all of them over the upcoming weekend to see if we can find a reasonable price. Still open to more suggestions, so feel free to keep them coming.

1 Like

Thanks, will look into them.

Hello Evan,

thank you for your app, I’m really enjoying it - especially because it’s a tiny all-in-one solution.

One thing I would love to see is bringing more of the app features to the browser version, ideally all the features. :wink:

Is that feasible or something you plan to do some day perhaps?

2 Likes

Feasible? Yup absolutely, it can be done. I haven’t done it yet because the original motivation for the web app is to be a future proof backup for if all of the desktop apps stopped working somehow. But I recently revamped the CLI to a very usable state with support for advanced features, and since the CLI has no GUI component, it uses very vanilla Go code and compiles wherever Go compiles, which is basically everywhere. And since Go is an incredibly stable and compatible language, the CLI will function on all three major desktop OSes for the foreseeable future, removing the original motivation for the web app. Of course, the web app is still pretty cool and useful on mobile systems until a mobile app is made, so I agree we can try to add at least the advanced features to the web app. I’ve created an issue in the Web repo, but I don’t expect to be working on this as there are some other higher priority things imo like figuring out Flatpak.

2 Likes

Hey, just wanted to chime in as well that I would love to see a more feature rich web app as well, similar to the desktop app. I think it is unfortunate that there is a lack of good web encryption tools right now, so it would be really cool to have one!

Thank you for your tool. I’m using Picocrypt to encrypt some of my backups daily. I really like the HTML file too since it’s convenient for mobile in case of emergency as you don’t need to install any app nor internet to load any website.

However, I still can’t use Reed-Solomon for my files as the HTML could not decrypt files with it yet, so would be great to see that feature one day.

Looks like y’all really want a better web app! For the time being, though, I don’t think I’ll work on it as the desktop apps and CLI work fine. But with the revamped CLI, the foundation for adding advanced features into the web app is there. Maybe someone could find a way to run the CLI in a web browser even :person_shrugging: . Don’t worry, we’ll get advanced features into the web app at some point, just a matter of time. :slight_smile:

2 Likes