I was randomly thinking a bit today about how to implement a secure, encrypted instant messaging system. One that could be so easy to use, that mere mortals wouldn't need to worry too much about public/private key pairs, and yet the system would be self-verifying and all very automatic.
The base concept I was thinking of would be that usernames on this system would be numeric, a bit like ICQ numbers. People apparently didn't mind being assigned some "random" number that they logged in with and gave out to friends. But, unlike ICQ numbers, the numeric IDs on this system would actually serve a purpose (instead of being simply the auto-incrementing primary key in ICQ's database).
Each user's client would generate an RSA public/private key pair, which is obviously the foundation for any sort of secure messaging platform. Then, you'd take the fingerprint of the public key (a short hexadecimal string, which could look for example like "45:2f:a5:d8:13:95:ba:03:51:c4:8d:ac:82:a8:4c:6a"), and you'd turn that into an integer number. Then you'd take, say, the first and last 5 digits of the number to create a 10 digit "screen name" number.
For the sake of continuing my description, let's pretend that the number came out to 567-8426-789. When setting up the chat client for the first time, it generates keys behind the scenes, and says "Your login number is 567-8426-789. You can give this out to your friends so they can add you to their buddy lists."
This idea stems from the general practice where, suppose you downloaded a Linux OS DVD and you want to verify the download, so you look up the sha256sum for it. You're not going to compare the two SHA-256 hashes character by character; you'll check that the first 5 or 6 digits are the same, and the last 5 or 6 too. If those match, you can reasonably assert that your copy of the DVD is the same as the intended one. The numeric login ID of this secure IM network would be similar.
By giving out your ID number to a friend, they're automatically verifying your identity, since your ID is based on your public key. If somebody tried to impersonate you (with a completely different RSA key pair), they would be unlikely to end up with the same numeric ID, so it wouldn't work.
Of course, the IM clients themselves would include features to do a more thorough verification of the friend you just added, like allowing you to see their full hexadecimal fingerprint, and also show a visual fingerprint to make it even easier to verify at a glance that your friend is who you expect them to be.
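As an added illustration of the derivation described above (hash the public key, read the fingerprint as an integer, keep the first and last five digits) and of the buddy-list check that follows from it, here is a small Python version. It is not the post's own code; the key bytes are a constructed stand-in for a real RSA public key, and SHA-256 and the ddd-dddd-ddd grouping are assumptions.

```python
import hashlib

# Constructed sample "public key" bytes; a real client would feed in the DER/PEM of the RSA key.
SAMPLE_KEY = b"-----BEGIN PUBLIC KEY-----\n(constructed sample, not a real key)\n-----END PUBLIC KEY-----\n"
# Fingerprint string quoted in the post, used to show the hex-to-integer step.
PAGE_FINGERPRINT = "45:2f:a5:d8:13:95:ba:03:51:c4:8d:ac:82:a8:4c:6a"

def fingerprint(public_key: bytes, algorithm: str = "sha256") -> str:
    """Colon-separated hex digest of the key bytes, in the familiar 45:2f:a5:... layout."""
    digest = hashlib.new(algorithm, public_key).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprint_to_int(fp: str) -> int:
    """Strip the colons and read the hex fingerprint as one integer."""
    return int(fp.replace(":", ""), 16)

def screen_name_from_int(n: int, per_side: int = 5) -> str:
    """Take the first and last `per_side` decimal digits and group them as ddd-dddd-ddd."""
    digits = str(n)
    if len(digits) < 2 * per_side:
        raise ValueError("not enough digits to take %d from each end" % per_side)
    ten = digits[:per_side] + digits[-per_side:]
    return "%s-%s-%s" % (ten[:3], ten[3:7], ten[7:])

def screen_name(public_key: bytes) -> str:
    """Login number shown on first run: key bytes -> fingerprint -> integer -> 10 digits."""
    return screen_name_from_int(fingerprint_to_int(fingerprint(public_key)))

def matches(public_key: bytes, claimed_id: str) -> bool:
    """Buddy-list check: does the key a contact presents reproduce the number they gave out?
    Ten decimal digits is only about 33 bits, so this catches a wrong or mistyped key but is
    not a substitute for comparing the full fingerprint the client can display."""
    normalise = lambda s: "".join(ch for ch in s if ch.isdigit())
    return normalise(screen_name(public_key)) == normalise(claimed_id)

if __name__ == "__main__":
    print("Your login number is %s." % screen_name(SAMPLE_KEY))
```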
Anyway, this is just the basic idea I had. As far as syncing other devices to use the same account goes, it would probably need something like the old/current method Firefox Sync uses, i.e. entering a "random" code from one device into the other so that your private key can be securely transferred between them without a third party in the middle being able to see it. Alternatively, the system would be federated (so you could host your own servers, like XMPP), and your local server might be trusted with an encrypted copy of your private key, encrypted using your login password. But these are all details to be figured out later.
The device of my dreams: a no-strings-attached, open Android-powered device which is like a smartphone (touch screen etc.) but is not a phone, yet can get a data plan from any cell carrier, in the same way that laptops can use 3G cards to get internet anywhere from a cell phone carrier.
It would basically be a miniature PC that resembles an Android phone but isn't one; if you really needed to make a phone call you could just install Skype on it, since it would still have cellular data service.
And, being like a miniature PC, it would be as open to operating systems as a real PC; it would be just as easy to install and reinstall Android firmwares (or any compatible OS) to it as it would reinstalling your operating system on your laptop.
I imagine Dell would be a good manufacturer for such a device; they would market it just like they market netbooks, as being just a mini PC that happens to run Android (preferably the stock vanilla Android as Google intended it, but being open you could flash any version of Android you want).
If such a device existed I would buy it as soon as it came out. I'm quite sick of the way phone carriers abuse the Android OS and wish there could just be a seriously open device.
In some cases, I don't think all spam bots post on web forums to actually get people on the forum to click the links. This is evidenced by the bot posting what looks like a large article of text about something random in the world, which is just sprinkled with completely random out-of-place links to sites that sell World of Warcraft gold or some such. Maybe the programmers behind these bots don't really think that members of the forum they just spammed are seriously going to click the links...
Maybe they just want the links to be there for Google to see... to improve the page rank of their scam site so that it comes up higher in Google search results. They just want links from the forums they spam, not necessarily clicks.
Thus an interesting idea for web forum software: add a kind of restriction on link posting. Like how some forums require that you post 10 things that aren't spam before you're allowed to send private messages to other users, or other such arbitrary restrictions... what would be useful is one that goes: you can post links immediately after signing up, but every link you post will have rel="nofollow" attached to it, so that Google and other search spiders won't follow your link and you won't get PageRank credit for it. Then, after you've posted enough on the forum, all your previous links and all future links become followable by search engines.
Spam bots always seem to find ways to register and spam forums, but taking away their ability to get any PageRank credit for their spamming would help fight back just a little bit.
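As an added example (not code from the post or from any forum package) of the restriction described above, here is a Python rewrite step that forum software could run when rendering a post. It assumes the post body has already been sanitised into plain HTML, that the threshold is 10 posts, and that the author's post count is available at render time; applying it at display time rather than at save time is what makes earlier links become followable once the threshold is crossed.

```python
import re

# Assumed policy knob: posts an account needs before its links earn search-engine credit.
POST_THRESHOLD = 10

# Matches an <a ...> start tag, capturing the tag name and its attribute string separately.
A_TAG = re.compile(r"(<a\b)([^>]*)>", re.IGNORECASE)
# Matches an existing rel attribute (double-quoted, single-quoted or bare value).
REL_ATTR = re.compile(r"""\brel\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)

def add_nofollow(attrs: str) -> str:
    """Return the attribute string with nofollow present in rel, keeping other rel tokens."""
    m = REL_ATTR.search(attrs)
    if m is None:
        return attrs.rstrip() + ' rel="nofollow"'
    tokens = (m.group(2) or m.group(3) or m.group(4) or "").split()
    if "nofollow" not in (t.lower() for t in tokens):
        tokens.append("nofollow")
    return attrs[:m.start()] + 'rel="%s"' % " ".join(tokens) + attrs[m.end():]

def render_post(post_html: str, author_post_count: int, threshold: int = POST_THRESHOLD) -> str:
    """Applied at display time, not at save time, so that once the author crosses the
    threshold every earlier post is re-rendered with followable links automatically."""
    if author_post_count >= threshold:
        return post_html
    return A_TAG.sub(lambda m: m.group(1) + add_nofollow(m.group(2)) + ">", post_html)

# Constructed sample post; example.invalid is a reserved name, not a real site.
NEW_USER_POST = 'Great article! <a href="http://example.invalid/gold">cheap gold here</a>'

if __name__ == "__main__":
    print(render_post(NEW_USER_POST, author_post_count=1))   # link carries rel="nofollow"
    print(render_post(NEW_USER_POST, author_post_count=25))  # link left as posted
```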
/random thought of the day/