The Making of a Secure Open Source Password Keeper
From the Electronics to the High Level Software...
The Mooltipass Offline Password Keeper project was started three years ago by a small community to provide a safe and offline way of storing credentials.
Since then, about 50 individuals from around the globe have contributed to the project, bringing two models of the Mooltipass device to market.
Mooltipass devices are currently used by thousands of people, several major companies, and government agencies. This talk will describe the Mooltipass hardware, firmware and software architectures with a focus on what it took to move from idea to commercial product, while having all the development and production files publicly available on GitHub.
In December 2013, while writing for Hack-a-Day, project creator Mathieu Stephan had the crazy idea of creating an open hardware device using a team spread all over the globe. He posted a call for developers on hackaday.com, which resulted in a team of 20 individuals. Over the course of three years, using a variety of free (Trello, Google Groups, IRC) and open source (KiCad, GIMP, GCC) tools, the Mooltipass team developed a complete solution composed of:
Firmware for the devices (AES encryption, storage management, graphics, random number generation, smartcard management)
Two models of physical device, each composed of a PCB, case, screen, and USB and smartcard connectors
Several open source software solutions to provide computer integration with the device, depending on the users' preferences: a cross-platform daemon (Windows, Linux, Mac) [moolticute], a Python management tool [mooltipy], a Chrome and Firefox extension, and a Chrome app to provide native integration with websites
Having a complete, unremunerated team working on the Mooltipass project during their spare time created interesting management challenges, particularly with respect to establishing and enforcing coding rules and commenting practices. The first crowdfunding campaign successfully raised $125k in December 2014, which was more than sufficient to start the ball rolling. The second crowdfunding campaign, for the Mooltipass Mini, raised $168k last October.