zzz.i2p

Development discussions
 
Sun, 22 Mar 2020, 06:29pm #1
fredericomba
Lurker

COVER LETTER FOR THE POSITION OF SECURITY RESEARCHER

Hello, I'm Frederico Miranda Brandão Alves, and my e-mail is "frederico.miranda.brandao@gmail.com". I'm networking, so let's stay in touch even if you are not looking for developers right now.

I began with web development as a hobby in the early 2000s and still treated it as a hobby in the following years, because the browser wars were ongoing and the technology wasn’t stable. Even though I wasn’t participating as a professional in the field, I’ve been continuously paying attention to the trends by reading articles and watching videos from developers, where they discussed the existing problems of the web standards and how these problems were being addressed, and also the emerging best practices regarding software development. However, web technology has improved noticeably in recent years, and the prospect of earning foreign currency by working remotely has encouraged me to get into web development professionally.

After experimenting with programming using JavaScript, I became keen on fully understanding how that marvelous machine that is the computer works, and proceeded to study as much as possible about it. A nearby library enabled me to study x86 Assembly and the C programming language, and I spent the next years getting all the information possible from the Internet. In 2011, I enrolled in a course to become an electronic technician, and the knowledge acquired there enabled me to finally fully understand how computers work. I have written software for micro-controllers (ATmega328, PIC18FXX) while enrolled there. You can read more about my walk with software development so far in an article that I’ve written recently:

The Rise and Fall of Sloppy Programming
https://frederico-miranda.github.io/article-wri...

I studied cryptography around 2014, and became excited about the possibilities that it provides. Banks in the country where I live force users to install unwanted software on their computers if they want to have the comfort of banking services from home. However, I realized that digital signatures could be a way for me to send secure, authentic, signed statements to banks (like commands for money transfer) without the need to install anything on my computer at all. All that was required was that I send my public, verifying key to the bank (while keeping my private, signing key secret) and the bank would have a way to verify that all digital checks I’ve signed and sent are indeed from me (and the non-repudiation of digital signatures would protect the bank from claims of fraud). I have read books about Abstract Algebra and Number Theory, so I understand the mathematical jargon (groups, fields, generators) and I can also understand and write mathematical proofs to some extent. It was also around this time that I became familiar with challenges associated with security and approaches to address them. I have recently written an article demystifying cryptography:

Introduction to ElGamal Cryptography
https://frederico-miranda.github.io/article-wri...

ElGamal Calculator
https://frederico-miranda.github.io/elgamal-cal...

MY RELATION WITH I2P

My first contact with the I2P project was in 2013. There is a user here named quark[#1][#2], who reminds me of my past self of seven years ago. At that point in time, I was enrolled in college and did not value my time as much as I do today. I was a newcomer to software development at that time, so I had decided to contribute to I2P as a way to be helpful to others and improve my own reputation in the software development community. However, I had underestimated the complexity of the code base of I2P, because I was misled by the simplicity of the introductory explanation (the core concepts of I2P are easy to understand, and I can think of simple implementations of them).

At first, I tried to use the existing APIs (BOB, SAM), but they require string manipulation (parsing, rendering) to be used, so that demotivated me from the start. So I decided to go one level deeper in the software stack, and reached the documentation for I2CP messages for handling I2P routers (can't find it now). It was in this time frame that I began to wonder: "Can I make my own compliant implementation of I2P? How hard would that be?" - I peeked at the Java source code and found out that the network database (netDB) is downloaded from a hard-coded source. This centralization led me to think: 'The one that controls this address has a censorship power, because it can simply reject routers from being added to the netDB. The one that would have the easiest time creating a Sybil attack would be the one that holds this address'.

zzz writes[#3]: I don't understand the "I don't want to maintain X but I'd be happy to rewrite it from scratch" mentality but it is common.

zzz, because you are a long-time developer of I2P, you are likely already used to everything about its infrastructure. You don't have a culture shock when looking at your own code. But what newcomers see is a code base that is painful to read, understand and implement, to the point that it would be easier to start from scratch rather than continue to maintain the project. To add insult to injury, to maintain a painful project without being allowed to change what makes it painful means creating more pain for the future, which further demotivates developers.

I honestly mean no harm or insult, and I do hope that I2P improves so that Libertarians have more tools available to them. However, the core I2P developers have a monopoly over I2P and have an attitude of not letting go of said monopoly, which wards off potential contributors and breaks trust. **Trust is not cheap. If third parties cannot examine your code and cannot make independent implementations, you will not get any trust**. This is the major reason why the protocol must be lightweight, easy to understand and easy to implement. This may also make it easier to attract investors in order to make this project into a product.

I have considered the possibility of simply ignoring I2P and developing my own project (named "A2A protocol"), but bigger anonymity networks provide better anonymity and are more resilient against denial-of-service attacks. Cooperation works better than competition in this scenario.

I have stayed silent for seven years, so there is a lot I'd like to communicate and conversations I'd like to have, but I won't make this letter longer than it already is. Thanks for taking the time to read this.

LINKS:

#1: http://zzz.i2p/users/3342-quark

#2: https://i2pforum.net/memberlist.php?mode=viewpr...

#3: http://zzz.i2p/topics/2853-rip-bote
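The signed-statement flow described in the letter (customer keeps the signing key, bank holds only the verifying key), worked through with a textbook ElGamal signature; this is an added example, not code from the post, the linked articles or I2P, and the group parameters, key sizes and transfer-order text are constructed toy values.

```python
"""Toy ElGamal signature: a customer signs a transfer order, the bank
verifies it with the customer's public key only.  Constructed example;
the parameters are far too small for real use."""
import hashlib
import math
import secrets

# Constructed toy group: p is the Mersenne prime 2**89 - 1, g = 3 is an
# arbitrary base.  Real deployments use standardized, much larger groups.
P = 2**89 - 1
G = 3
Q = P - 1          # exponents live in Z_(p-1)

def keygen():
    """Private signing key x (kept at home); public verifying key y = g^x."""
    x = secrets.randbelow(Q - 2) + 2
    return x, pow(G, x, P)

def h(msg: bytes) -> int:
    """Hash the order into the exponent range (hash-then-sign)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def sign(x: int, msg: bytes):
    """Return (r, s) with r = g^k and s = (H(m) - x*r) * k^-1 mod (p-1),
    using a fresh random k per signature (reusing k leaks x)."""
    while True:
        k = secrets.randbelow(Q - 2) + 2
        if math.gcd(k, Q) != 1:
            continue                       # k must be invertible mod p-1
        r = pow(G, k, P)
        s = (h(msg) - x * r) * pow(k, -1, Q) % Q
        if s != 0:
            return r, s

def verify(y: int, msg: bytes, sig) -> bool:
    """Bank side: accept iff 0 < r < p, 0 < s < p-1 and g^H(m) == y^r * r^s (mod p)."""
    r, s = sig
    if not (0 < r < P and 0 < s < Q):
        return False
    return pow(G, h(msg), P) == (pow(y, r, P) * pow(r, s, P)) % P

def demo():
    """Sign a transfer order, then show that an altered order is rejected."""
    x, y = keygen()                        # y goes to the bank, x stays home
    order = b"transfer 100.00 from ACC-1 to ACC-2 nonce=0001"
    sig = sign(x, order)
    forged = b"transfer 900.00 from ACC-1 to ACC-2 nonce=0001"
    return verify(y, order, sig), verify(y, forged, sig)

if __name__ == "__main__":
    print(demo())   # (True, False)
```

The nonce in the order text is what gives the bank replay protection; the signature alone only proves origin and integrity.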

Mon, 23 Mar 2020, 12:55pm #2
zzz
Administrator
Zzz

Welcome! We're always looking for help. The best place to continue the conversation is on IRC #i2p-dev

Mon, 23 Mar 2020, 04:05pm #3
Qubes
I2P Legend

Welcome and thanks for being here!

This is from 4 decades of experience. Aside from the politics of handouts and corruption, you live and die in this business by your own code and/or integration of others' code.

I have no idea how much free time you have on your hands or other restrictions (mine are stringent) but the best way to start is by project. Join one or create one. This will showcase your talents.

About other people's code. It is always a "mind funcked". Troubleshot German, Jap etc... that was not done by templates and standards. At least the Germans are supposed to be somewhat standard because there is a specific way they teach in schools... Pardon my French gelerne gelerned (=you do as you were taught).

Since your name sounds Brazilian... were you the guy that maintained the electrical worker i2p site?

Anyway... welcome aboard and try Parrot people too (Latin speak and i2p included).

Fri, 03 Apr 2020, 01:58am #4
fredericomba
Lurker

Qubes wrote:

Since your name sounds Brazilian... were you the guy that maintained the electrical worker i2p site?

No, I am not.