38 comments

[ 3.4 ms ] story [ 81.1 ms ] thread
Amusing to see a comment mention 14 work factor and the code is 12 rounds.

Code and comments get out of sync so quickly.

Out of interest, why the static salt in addition to bcrypt?

Not the author but if I had to take a guess I'd say they might have been trying to pepper the hash: https://en.wikipedia.org/wiki/Pepper_(cryptography).

It's not particularly useful here since if someone got access to your remote encrypted file and knew it was made with sdees, the pepper is public. However if the value was configurable by the user then it could provide an extra layer of protection against someone brute forcing the hash and getting your password.

A better approach would be to not store a hash of the password at all. The author uses it to check that the user supplied the correct password when attempting decryption - instead you can decrypt the file using whatever password the user provides (getting either correct or garbage output back), and check for a magic value in the output.

Thanks! I will do that.
Almost buzzword compliant, just missing the "written in Go".
I thought it's Lisp week?
This is cool. I have been planning encrypting my personal data, but didn't realize the process of timestamping was this difficult.

Glad I found the solution with the problem.

How is this serverless when there is a server called remote in the example?

Am I the only one around here? http://i3.kym-cdn.com/entries/icons/original/000/010/856/4fc...

Even the author doesn't believe it's really serverless: https://github.com/schollz/sdees/search?q=server
Server-less is the new paradigm where the server is in the cloud. More specifically, you're not maintaining any server, you just supply callbacks written in the language of your choice, and the infrastructure figures out how to package them in containers, deploy, run, scale and dispose when no longer needed.
Can you explain what you mean with "server is in the cloud", is it like literal placing a fog machine to make some kind of cloud around your servers or placing a server inside another server, such as a raspberry pi within a PC box?

What is the cloud if not other peoples servers?

> What is the cloud if not other peoples servers?

It is, but taken literally and not helpful in infrastructure discussions.

"Serverless service" as recently coined means you're not concerned with the server layer. Either the hardware one, or the "http request server" one. What you provide is functions that execute on some action. As long as the API is preserved it doesn't matter if it's one server of one/multiple providers, cloud deployment, room filled with monkeys at keyboards, linux running unicorn, windows running iis, or anything else.

It's one level above "set up your services and upload code for specific server" PAAS. And two or so levels above "set up your own servers and services" IAAS.

PS. I don't think sdees matches the definition of serverless as it's commonly understood.

Ah I see, so serverless service is a way to say "I am so high up higher than your puny little cloud down there".

No offense to you personally, its just funny how our industry invents new words every year or so, it gets hard to keep uptodate.

> Ah I see, so serverless service is a way to say "I am so high up higher than your puny little cloud down there".

I don't believe there's any judgement in "serverless service". Depending on your requirements you may want this solution or you may prefer something else. It got a name, because when you get tired of saying "model more abstract than PAAS but based on the same principles of being independent of the infrastructure" you invent a short name - servers got abstracted, so it's "serverless".

> its just funny how our industry invents new words every year or so, it gets hard to keep uptodate.

The industry doesn't invent words. It invents new solutions. If they get popular they get names, so it's easier to communicate. That's how every industry works.

I agree completely with what you say. I don't understand what relevance it has to my comment.

sdees requires a file server, specifically it prompts the user for one and saves it to ~/.config/sdees/config.json, therefore it is not serverless.

(comment deleted)
I call it "serverless" in the sense that it doesn't require any server-side code. The "decentralized" is because it also doesn't require stable internet connections to work properly - you can edit on multiple computers simultaneously with or without internet and the edits can still all be merged correctly when they finally sync up.

Sorry to confuse folks! The original acronym actually just meant "sync down, decrypt, edit, encrypt, sync up" which is maybe less ambiguous of a description.

My Firefox web browser is serverless.

Now in a world without web servers, Firefox would not be very useful at all. The same with your tool.

Decentralized, its not, not requiring a stable internet connection is called working "offline".

Please avoid ambiguity.

I think I agree with you, but I'll just clarify my naive thinking.

Most synchronization tools (Owncloud, Synthing, Dropbox) perform similar functionality but they require server-side code of some sort. So compared to these, in my mind, sdees is "severless" (but also sdees has a tiny fraction of the actual functionality of those awesome programs).

Decentralized as defined by Rhoit Khare [1] is a system where multiple parties make individual decisions which may conflict. This, to me, is the scenario that occurs when two people edit the same document offline, but may want to merge later via a remote host. However, maybe a better term is "distributed" because in a lot of ways its similar to git, which is considered so [2], also then I can still use the same acronym :)

[1] http://isr.uci.edu/projects/pace/decentralization.html

[2] http://stackoverflow.com/questions/7212740/why-git-is-called...

(comment deleted)
As much as it pains me to say it, that ship sailed around the time AWS Lambda was announced. "Serverless" now means "a server you don't need to think about".
(comment deleted)
Friend of mine is working on Cryptpad [1] which is encrypted collaborative web editor. There are multiple connection modes, most common websockets relay server but he is also working on WebRTC transport.

Everything is modular so you can create encrypted applications as you see fit by changing transport, storage, crypto and frontend.See for example [3].

In case of using a relay server the content is encrypted so the server doesn't know what the content is.

The source is open on AGPL license.

---

[1]: https://beta.cryptpad.fr

[2]: https://github.com/xwiki-labs/cryptpad/

[3]: https://beta.cryptpad.fr/poll/#173f2db91c58169a22a005ebb85c2...

Thanks for sharing this. I had an old hackathon project that seemed cool but didn't really have a good application (essentially, end-to-end encrypted Socket.IO implemented on top of Keybase filesystem: https://github.com/lgessler/kbrpc). Maybe I'll try to get it to work with Cryptpad.
i was expecting something using IPFS :D
Yes, or something like syncthing
Why not use GPG directly? I get the wish to not add more binary dependencies, but the recent couple of issues with Go's math and crypto libraries doesn't fill me with confidence. Not to mention that there's no real benefit to adding your own wrappers around the crypto primitives when GPG already exists.
Initially I did. However, I tend to use lots of Windows computers, so I really wanted something where I didn't have to install Cygwin+GPG+rsync each time.

The Windows release also bundles vim into the binary so you don't even have to have vim installed if you're using Windows!

> "The remote computer is used only for file storage and does not require any server-side code."

And thats serverless?

You're wondering what serverless means while I'm trying to work how how a central file-store is "decentralized".
How is this "serverless"? Quite clearly I have to configure a remote...
In emacs, one could use TRAMP and EasyPG Assistant:

    C-x C-f /rsync:user@host:/path/to/file
One could of course also configure stuff such that one could type quite a bit less.
Please stop using the term serverless, it may be decentralised but it is not serverless, so if you mean decentralised please use that term instead.