[HN Gopher] Show HN: Zoldy - Protect your information while in d...
___________________________________________________________________
Show HN: Zoldy - Protect your information while in danger or at
risk
Author : rmoon
Score : 17 points
Date : 2021-11-11 13:12 UTC (9 hours ago)
(HTM) web link (www.zoldyapp.com)
(TXT) w3m dump (www.zoldyapp.com)
| dna_polymerase wrote:
| If you are wondering what this is about and figure it out from
| the website, they basically want to sell you a dead man's switch
| as an app.
|
| It would be clearer if they'd replace confidential information
| with the word kompromat.
| rmoon wrote:
| Sorry you got that impression at first view, although I do
| understand it, living in the world we live in. This is not a dead
| man, I am really alive (ironic, just in case :P); it is only me
| behind this idea, not "they". If you want to know anything about
| how data flows, have a look, please, if you did not already:
| https://www.zoldyapp.com/legal-info#privacy. This is how it is,
| no one in the middle, you and the machine.
| InGoodFaith wrote:
| > This is not a dead man, I am really alive
|
| Hi there! Just a friendly note since it appears that there
| might be a slight misunderstanding (perhaps ESL?)
|
| The "deadman's switch" [1] is not in reference to you (the
| creator) being a literal dead person, but rather to the
| definition of your service being built to operate in the
| event something (like being kidnapped/killed/incapacitated)
| happens to the user.
|
| Hope that helps clear up the confusion.
|
| 1: https://en.wikipedia.org/wiki/Dead_man%27s_switch
| rmoon wrote:
| Hey there :), I tried to joke about it and I did it really
| badly, sorry; that's why I said I am really alive, trying to
| say that there is no switch for me, not yet.
|
| Thank you!
| bierjunge wrote:
| Yeah, a dead man's switch which you can't control if your battery
| dies or you have no reception. It's way too unreliable for
| serious use.
| rmoon wrote:
| If your battery dies or you have no reception there won't be
| any app working for you, at least not an internet-based one. If
| this happens and you have activated the Notifications Service in
| your Zoldy, you won't be able to reply to those
| Notifications, and after 3 consecutive times Zoldy will run
| your settings, sending emails; the same if you uninstall the
| app with this activated. Sorry you have this perception.
| bierjunge wrote:
| I'm not saying the app is useless, I'm only saying that
| it's not as easy as the website states. I personally
| wouldn't use a mobile app for that, because it's too risky
| in my opinion.
|
| Let's say we have a scenario where someone has confidential
| information incriminating one of my theoretical adversaries
| and configured Zoldy with the data. What if I hire a thug
| to steal and destroy the phone? Will the owner be able to
| stop the messages which he does not want to be sent?
|
| Can the app be restored to a functional state on a
| different device? If yes, then a malicious third party
| would be able to get access to the Google/Apple account and
| restore it gaining control of the sensitive information.
|
| The website states, the data is stored in Firebase. But how
| does the app access it? Is there a gateway server you
| control? If yes, I wouldn't even bother with the previous
| scenarios, but attack that server and get ALL the data. Not
| only from one target, but from all, which would be pretty
| much a disaster (for you, the app and all the customers).
| rmoon wrote:
| > I'm not saying the app is useless, I'm just saying it's
| not as easy as the website says. I personally wouldn't
| use a mobile app for that, because it's too risky in my
| opinion.
|
| It is assumed that you are in a risky situation, or you
| want to have control of the information if something were
| to happen. I honestly think it is easy, or maybe I should
| try harder to explain it better: you upload the files,
| configure the emails and activate or deactivate the
| different functionalities it offers, which, yes, it is true,
| are varied and nonexistent in the market. I thought
| of this service for smartphones because it is what you
| carry with you almost always; I never thought, sincerely,
| of a web service.
|
| > Suppose we have a scenario where someone has
| confidential information incriminating one of my
| theoretical adversaries and sets up Zoldy with the data.
| What if I hire a thug to steal and destroy the phone?
| Will the owner be able to stop the messages he doesn't
| want sent?
|
| I suppose in this situation a person has the phone and is
| being attacked to destroy it in order to stop the service
| so that the emails are not sent; however, in the above
| reasoning something escapes me. You see, if I have the
| service activated it is because I want to use it in case
| something happens to me, so why would I want to stop it? If
| the phone is destroyed without the Notifications Service
| being on, when the service time is over
| everything will be automatically erased, which links to
| the next question...
|
| > Can the application be restored to a functional state
| on another device? If so, then a malicious third party
| could access the Google/Apple account and restore it by
| gaining control of sensitive information.
|
| No, the app only works on a single device, in fact, it is
| tied to it, the device is the "user". You can't move it
| between devices or share it.
|
| > According to the website, the data is stored in
| Firebase. But how does the application access them, is
| there a gateway server that controls? If so, I wouldn't
| even bother with the above scenarios, but attack that
| server and get ALL the data. Not just from one target,
| but from all, which would be pretty much a disaster (for
| you, the app and all clients).
|
| Your files go from your terminal to Firebase directly,
| they don't go anywhere else; the app doesn't access them,
| it just uploads them. You can delete them, of course. You can
| attach those files to any email and they stay there for
| the duration of the service, and if the emails are sent
| they stay there for 15 days so the recipients can
| download them; then everything is automatically deleted:
| files, emails and messages.
|
| That way your files go from your terminal to Firebase and,
| if for any reason the emails were sent, they only go to the
| recipients you have previously defined.
| vorpalhex wrote:
| Yeah, a smartphone based deadman is not great for the
| reasons listed. Ideally you would have key escrow running
| in a few places ala Shamir and then already have the data
| widely distributed (bittorrent, ipfs) but encrypted.
|
| You can still handle check-in via device but you need a
| 2nd factor of something only you know, with false values
| that will trigger a dispersal.
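A worked illustration of the threshold key escrow vorpalhex proposes above (an added example, not code from the thread or from Zoldy; the field prime, the 3-of-5 split and the random key are my assumptions): Shamir's scheme over GF(2^127 - 1) splits a data key into n shares so that any k of them rebuild it while k-1 reveal nothing, which is what lets the encrypted payload itself be distributed widely.

```python
import secrets

# 2**127 - 1 is a Mersenne prime; all arithmetic is in the field GF(P).
# Working in a prime field (not plain integers) is what keeps k-1 shares
# from leaking anything about the secret.
P = 2**127 - 1


def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x (Horner, mod P)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, k, n):
    """Split an integer secret (0 <= secret < P) into n shares, threshold k.

    Returns (x, y) pairs with x = 1..n. x = 0 is never handed out because
    f(0) is the secret itself.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < P:
        raise ValueError("secret must be in [0, P)")
    # Random polynomial of degree k-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Rebuild f(0) by Lagrange interpolation at x = 0 from k distinct shares.

    Fewer than k shares still return a value, but a uniformly random wrong
    one: that is the property that makes escrowing the shares safe.
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share x-coordinates")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        # pow(den, -1, P) is the modular inverse (Python 3.8+).
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def escrow_demo():
    """Constructed 3-of-5 escrow of a random 127-bit data key.

    Returns (recovered_with_3, recovered_with_2): any three holders can
    rebuild the key, two cannot.
    """
    key = secrets.randbelow(P)
    shares = split_secret(key, k=3, n=5)
    return (recover_secret(shares[1:4]) == key,
            recover_secret(shares[:2]) == key)
```

Distribution of the ciphertext, the check-in logic and the duress value that would make the holders release their shares are outside this block; it only shows the k-of-n property the design rests on.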
| rmoon wrote:
| I guess we are all rightly used to seeing the dangers
| first. There is no deadman; there is one very important
| reason for me that made me see how difficult it is for
| some people to defend themselves when all you have is
| information.
| rmoon wrote:
| Replying to myself: yes!, it could also be used as a dead
| man's switch. Sorry, my bad!
| imwillofficial wrote:
| Awesome idea, looks like a decent execution, however, you are in
| dire need of a copy editor. I had to read through 3 pages to
| figure out what your service does. Good luck!
| rmoon wrote:
| I know I need to improve this, now I know better; sorry you had
| to take that time only to understand the service. I take this
| really seriously and will review ways to explain better and
| more simply what it does.
|
| Thank you!
| KennyBlanken wrote:
| Extremely verbose while remaining overly vague about what it
| does and how it works.
|
| Pushes me repeatedly to install it, even if I don't use it, in
| case I might need it.
|
| Poor copywriting.
|
| Cringy clipart.
|
| No explanation for who this dude is, what his qualifications
| are, and why I should trust him? Check.
|
| No assurance the app has been reviewed by any respected third
| parties.
|
| Yeaaaaaah, no.
|
| The long, rambling, incoherent "sell" that is pinned at the top
| here really doesn't help (why does HN allow people to do this?
| It's license to gish-galop.) He's extremely wordy in a way that
| really reminds me of confidence artists; lots of focus on vague
| storytelling style language, zero substance.
|
| If you install this app you don't have any business being near
| confidential information. If the CI belongs to your employer,
| then have personal and organization devices, with the org
| device managed by their mobile device management system. Let
| them worry about it.
|
| OP: go look at Signal and how they market themselves, but note
| that someone like Moxie Marlinspike gets to say "I made this"
| and be generally trusted.
|
| You're just Some Dude.
|
| With, as far as I can tell, _zero_ experience in digital
| /network privacy, security, cryptography, etc.
|
| Go make a name for yourself in security and privacy, then
| release an app like this. Or at least find people to
| collaborate with, evaluate your app, etc.
|
| Far as I can tell the biggest problem with this app is that it
| probably makes whatever CI you upload to its cloud service or
| load into the app on your device, more vulnerable (for example,
| apps like Signal try to protect on-device information so data-
| scarfing tools can't grab it.)
| rmoon wrote:
| Hello, I do not know any service page selling services that
| does not push you to use it; there are no popups, no ads, no
| cookies or trackers. I agree, a lot of things to improve,
| copywriting.., and yes I am just some dude, nobody, like the
| one you mention at his first post, not saying I am like
| him.., we all start with one step. Here you can read some of
| my background, it is a public interview at the University I
| used to work at, https://www.uoc.edu/portal/es/news/entrevistes/
| 2009/roberto_... the link is in Spanish, you can use any
| translator to read about me, the dude.
|
| I do understand how difficult it is to trust. I did not
| develop Zoldy, if you mean that by saying my
| experience with digital/network privacy, security and
| cryptography is zero. If it is important, Zoldy has been
| developed in Spain, and even giving you the names of 3rd parties
| that tested the app you will still be in doubt, with reason
| to be, but not because of me or my knowledge.
| KennyBlanken wrote:
| How do you protect on-device data loaded into the app -
| specifically from many digital forensics tools used by security
| consultants, law enforcement, customs, intelligence agencies, and
| organized crime?
|
| How do you protect data uploaded into your optional cloud
| service?
|
| How are you poised to protect yourself from potentially nation-
| state-level actors attempting to control, subvert or compromise
| this app/service?
|
| Did you develop this app in concert with, or consulting with, any
| organizations that advise/train high-risk individuals in personal
| safety? Do they confirm this somewhere publicly?
|
| Why can't I find your name in a google search on anything related
| to privacy, security, encryption, etc? You barely appear in
| Google results at all...
|
| What is your education and experience in relation to app
| development, security, encryption, digital privacy? Have you done
| any research, published anything in peer-reviewed journals,
| appeared in any conferences, professional or otherwise - in those
| fields?
|
| Has your app been audited by any established, respected,
| qualified groups or organizations?
|
| Will anyone established in the fields of security, encryption, or
| digital privacy vouch for you?
| rmoon wrote:
| > How do you protect on-device data loaded into the app -
| specifically from many digital forensics tools used by security
| consultants, law enforcement, customs, intelligence agencies,
| and organized crime?
|
| Data is not loaded into the app, you upload your data, and,
| taking into consideration your question, you could delete your
| data on your device, and if needed use the service to send the
| files, even to yourself.
|
| > How do you protect data uploaded into your optional cloud
| service?
|
| Files in the cloud are only accessible by your device; they are
| encrypted and saved into an unreadable folder linked to your
| device. You cannot know how and where a file is, or how it is
| named. For example, using the folder system to keep files in
| Firebase means that when you try to get one of them its name
| changes, because the folder is part of that name (virtual
| folders), so metadata with the name is saved and when a
| recipient receives an email the download has exactly the
| same name as you uploaded. This way files are protected in
| different ways, including the name. What are you going to
| search for if you do not know what to search for, or where?
|
| > How are you poised to protect yourself from potentially
| nation-state-level actors attempting to control, subvert or
| compromise this app/service?
|
| Very good question. The ToS were drafted by a group of lawyers
| dedicated to digital law, the service is working in Europe
| and I use the same rules to protect the idea. Information will
| be available for 15 days since the emails were sent; that seems
| to be very little time to react against. And how will nation-
| state-level actors know about someone using the service? Or you
| mean like something to shut down; if this is the case I trust
| the lawyers behind me, or I hope so.
|
| > Did you develop this app in concert with, or consulting with,
| any organizations that advise/train high-risk individuals in
| personal safety? Do they confirm this somewhere publicly?
|
| No, I did it myself, because, see the link I posted before,
| https://www.uoc.edu/portal/es/news/entrevistes/2009/roberto_...
| in Spanish, please use any translator service, I was a Lecturer
| there and saw lots of times how a service like this could
| have helped a lot of different people; this and that and all
| made me go ahead. They know about it.
|
| > Why can't I find your name in a google search on anything
| related to privacy, security, encryption, etc? You barely
| appear in Google results at all...
|
| Because I am 51 and I have been here since this started
| (internet) and I always took my privacy seriously: no Facebook,
| Twitter.. I like not to be on Google, I prefer my ideas to be
| there, not me.
|
| > What is your education and experience in relation to app
| development, security, encryption, digital privacy? Have you
| done any research, published anything in peer-reviewed
| journals, appeared in any conferences, professional or
| otherwise - in those fields?
|
| In relation to app development, security, encryption, digital
| privacy, my education will never be enough; that is why I
| counted on/paid a developers team, in Spain. I planned the
| app, the hows, the services to use, and they developed it, a
| year and a half including testing. This is not the first time I
| start up something; years ago I tried an e-commerce platform in
| the Canary Islands (one of them La Palma, where a volcano is
| currently active). It is in Spanish; I think that you are
| searching in English and that's why you have no results:
| https://www.diariodeavisos.com/2011/12/un-emprendedor-canari...
|
| > Has your app been audited by any established, respected,
| qualified groups or organizations? Will anyone established in
| the fields of security, encryption, or digital privacy vouch
| for you?
|
| Nope, I did not contact anybody. I had the idea 25 years in my
| head, I finally found how to build it and here I am. I
| understand that this point is important, really important for
| the idea to have more credibility.
|
| Thank you!
| rmoon wrote:
| Hello HN, hello showHNers,
|
| You know when an idea is in your head pushing, even annoying
| sometimes, when after years it is still there and still
| pushing? This is Zoldy, my creation, about 25 years pushing till
| it got real. Zoldy is a service (app) whose objective is to
| provide capabilities to protect any confidential information and
| its holders, especially if they are in a situation of risk, threat
| or danger due to the possession of that information.
|
| I came to this idea when I needed this service back in 1995; at
| that time there were no smartphones nor internet, only
| floppies. At that time the only thing you could do holding
| confidential information was make copies of those floppies and
| give them to friends with instructions. I lived one of those
| situations and did not want my friends to be involved. Since that
| time I have spent lots of time developing the concept. By 2010
| technology was almost there to have Zoldy working, but prices to
| develop it were too high; at last, in 2021 the idea became real.
|
| The app is free to download so you have the tool ready to use;
| when you need it up and running you pay for time of service, 30
| days, 7 or 1 day, and set your Zoldy up: upload your confidential
| files, set emails (5 max.) and messages, attach those files to any
| email. If something should happen to you or you are under a
| direct threat, the app can help you take control, giving you
| options of negotiating with the information you hold and/or
| delivering the files to your pre-set email recipients along with
| their messages, even if you become unresponsive.
|
| No registration is required; the service does not work with
| username and password. You get time of service and the app starts
| it automatically, without even an email or number. Privacy from
| the first step.
|
| Negotiator mode: you have uploaded your confidential files, you
| have set up emails and messages, and if you are under a direct
| threat this screen gives you options to negotiate with the
| information you hold; if you touch this screen your Zoldy runs
| your settings, sending messages and links to files for
| downloading to the recipients you have defined. This is for real
| danger situations where the threat is direct and it is important
| what is going to happen with that information; it gives you
| options to negotiate at the same time that it ensures the sending
| of emails if necessary.
|
| In real house alarms there is a secret password so that if you
| are under a direct threat and you turn your alarm off with this
| password, the alarm goes off but the central station controlling
| your alarm knows you are in trouble because you used this password
| and calls the police. In the app there is a panic pass simulating
| this. If you use it, Zoldy runs your settings in the background,
| sending emails, messages and files. There is also a
| Notification Service: if you activate it and you do not reply to
| 3 consecutive notifications, your Zoldy reacts by sending messages
| and links to files to the recipients you defined. So even
| unresponsive you can count on the service to deliver them; the
| same happens if you uninstall the app with the Notifications
| Service activated, preventing this way attempts to stop the
| service through uninstallation.
|
| No humans behind it; the service is completely autonomous, no
| admin tool or anything like that. I had to put a "Single Clause"
| about it in the legal Terms and Conditions of the service.
|
| Files, emails and messages are automatically deleted once the
| service has finished. Tracking is not possible beyond the invoice
| from the official Stores that says Zoldy Services. Yes,
| everything is encrypted.
|
| No cookies, no ads, no tracking tools. I wrote the website myself
| line by line, with the help of Bulma
| (https://github.com/jgthms/bulma, a CSS-only framework). I really
| enjoy writing from scratch; I have some control and the site
| flies from my end point. Server in Europe.
|
| I will be happy answering any question or comment you may have.
| All the best.
|
| P.S.1 - If you are curious about data have a look at
| https://www.zoldyapp.com/legal-info#privacy, there it is
| described publicly how the information you send through Zoldy is
| processed, used and deleted.
|
| P.S.2 - One man and his idea, no corporation, no agency, the one
| showHNing.
| eganist wrote:
| Gonna go out on a limb and speculate that information _that
| sensitive_ shouldn't be entrusted to SaaS.
|
| But if you're that serious about it...
|
| ...your pricing is way off. At current pricing, I'd guess that
| there's probably at least one other revenue source, one that
| would probably scare a potential customer. The pricing and
| guarantees should probably be absurd to align with the value
| proposition (saving one's own life).
|
| ---
|
| But the fact that this service immediately enables blackmail
| would probably need to be resolved first.
| rmoon wrote:
| Yes, for me it is serious; I am the one behind Zoldy legally, so
| yes it is serious. As I said, it's me and my idea that I founded
| and financed on my own and I'm still at it.
|
| Those prices try to make that blackmail you are referring to
| really expensive; in the app you can't put the same email twice,
| so I think there are cheaper ways for that.
|
| And yes considering the situation, these circumstances in most
| cases generate very strong feelings and emotions; fear,
| distrust, anxiety, excessive worry, stress ... if on top of
| that there is a real danger, a huge feeling of loneliness and
| lack of control is added to the situation, prices take a back
| seat.
___________________________________________________________________
(page generated 2021-11-11 23:03 UTC)