This is a open repository of personal ideas. Some of these are based on personal interactions, bug reports, and discussions I've had with lots of people. I've tried to give credit wherever possible. I also try to reference similar/existing projects that might relate to the idea, so if you know of something that is interesting in that space, file a PR or send me a link.
The emojis are just indicative. Make something people want is the YC motto, but sometimes you must make something for no good reason other than "just because".
There are a dozen bookmarking services out there, many of them quite well done. However, most services are focused on the idea that bookmarking is a lone-person habit, which someone does in isolation.
I've often described the idea as "dropbox for bookmarks". The core concept is to allow a bookmarking "tag/folder" to be shared with another user, two-way. This means any of the shared members can add/remove bookmarks from that folder.
All updates (addition/deletion/edits) are notified to every member in the group.
Bookmarking for Teams, in essence. Some good alternatives are [listed in this quora answer](https://www.quora.com/Hello-What-are-the-best-web-apps-for-sharing-bookmarks-across-a-team), which you should read and follow if you're interested in this.
[Lightspeed](https://www.youtube.com/watch?v=wLnSLFrQDG8) is an experimental UI design (not implemented) for Firefox that focuses on making the New Tab page more functional by giving the browser a decent way to search across bookmarks, open tabs, and history.
It is a pretty neat idea (see the video linked above). My first thought on seeing the video was that most of that stuff could be done using the Chrome APIs for Chrome as well. Chrome does offer a way for an extension to override the new tab page, after all.
_Update_: There is some progress on the WebExtension porting of Lightspeed, given the recent Firefox updates. With this in place, it should be relatively easier to port the webextension version to Chrome itself.
I like the analytics that WolframAlpha provides for Facebook. Except that they are not really that useful. I'd like an easy query interface that let me "filter" data points, and get back open-data via the Graph API. This means, for eg, getting the most liked music artist among a subset of my friends. The interface I'm thinking of right now is like Gapminder, which allows you to "play" the dataset as it evolves over time.
A recommendation engine built on top of my facebook data is a good idea, I think.
Workflowy is a cool tool that I use for note-taking. It allows infinitely nested lists with @mention and #hashtag support. One thing it lacks currently is API for me to access my own data. I think workflowy is a great tool that could become a lot better if there were a way for developers to hook into it. (For example using workflowy as a data-backend for a todo-app).
The original idea was from before Keybase had a chat feature, and I wanted to build an email service that used keybase to send and receive messages. Would have turned out similar to Keybase Chat.
How I'd approach it today is to use Keybase Social Graph for encrypting emails and make it easier via plugins/extensions. The ideal flow would be:
Use the Keybase Social Graph for encrypting emails and make it easier via plugins/extensions. The ideal flow would be:
1. Login to GMail
2. Compose an email to me@captnemo.in
3. Extension pops up: "Hey, looks like this user is on Keybase already as keybase.io/captn3m0. Would you like to encrypt this email?
4. If user clicks yes, do a keybase auth and follow the user as well, perhaps? (not sure if possible)
5. Also give user an option to "Encrypt all emails sent to users with more than X followers)" or something similar...
Doing the same thing on the receiving side is trickier though, but I like the idea of using Keybase to discover anyone's public keys instead of the standard Web of Trust.
A Keybase plugin for Thunderbird would be similar in scope.
While pen-testing, once you've gained access to the target, it is often necessary to install a backdoor to mantain the access. While this is easily done in case of root access to the machine, this is not that easy if the target is an email account, lets say.
Many online services today (with data of considerable value) offer developers programmatic access to their data by use of APIs, which are usually authenticated via OAuth tokens. What I intend to build is a suite of applications (or a single large one) that allow you to use the application as another user, just by setting up an access token.
While this is certainly possible with existing tools (such as the Facebook Graph API Explorer), it is cumbersome and not user-friendly. The application will mimic the interface, usability, and looks of the actual application to let you maintain access easily enough.
That is a good point, but one that fails in practice. A password change in most services does not trigger an automatic token revocation because that would leave a lot of developers and users unhappy. However, neither does any service warn you to check your approved applications (especially after a hacking attempt).
- [There is an existing `TelegramBridge` in RSS-Bridge](https://github.com/RSS-Bridge/rss-bridge/pull/1175) that just scrapes telegram HTML. I've enabled it on my RSS-bridge server, so you can try it out at <https://rss-bridge.bb8.fun/#bridge-Telegram>.
A simple browser extension for web developers that disable local fonts from loading. Alternatively, it raises a grave warning if a web-font was bypassed for a local font. This is helpful if you are a developer:
Based upon this [chrome bug request](https://bugs.chromium.org/p/chromium/issues/detail?id=472136), which asks for this feature.
I came to know about this because [of a comment](https://github.com/captn3m0/disable-web-fonts/issues/1#issuecomment-143665811) on my "disable-web-fonts" extension, which does the opposite. This might be handy for people who want to make sure that web-fonts are working fine for all users.
The Arch Linux User Repository is great. Except, a lot of packages rely on building-from-source since no binary releases are available. However, the build steps for these packages work very well, resulting in a working build. The idea is to create a AUR build server that takes in a AUR package name as input (it can have a whitelist of such packages), runs it in a docker container, and outputs a generated package file (`tar.xz`) that can then be directly installed on any machine.
This has some security concerns, mainly how do you trust a binary package an external server built?
Planning to solve this with attempting reproducible builds, and publishing everything. You can audit any build artifact whenever you wish. I'll likely just use the Docker ArchLinux image and build against that.
Moreover, the primary audience for this would be me. I would really like to get packages that can be installed much faster because I don't have to build them. I can just have a script that instead downloads the latest build from the server instead of AUR and then just installs the package instead of building it locally.
A bot that posts paper abstracts and links to PDF whenever a paper referencing a research paper is posted to Hacker News. Most scicomm posts that make it to HN almost always have a primary paper reference, and someone ends up posting the paper abstract along with a link to Arxiv or SciHub usually. A bot that automates this for all HN submissions would be a fun project.
All of our company has contact numbers added on Slack, but it is cumbersome to find someone's profile on Slack. A simple dialer application that does OAuth-verification on your Slack profile to get a list of the entire organization, and present a simple dialer for all the people who have contact details added.
Interface would be a simple grid of faces, click to dial, sorted by frequency. A simple search-as-you-type box at the top. Can also be done as a PWA to easily make it cross-platform.
Initial Work: https://github.com/captn3m0/gardencity.events There is also some work from @tallpants on this at <https://github.com/tallpants/meetup2ics/>
Update: There are already two such apps on the Play Store. However, they don't work any more since they were based on the old UI Scheme. See [@Oxyenyos's PR](https://github.com/captn3m0/ideas/pull/10) for some more details.
A personal finance application that tracks things automatically, but saves all data on your systems.
A overwhelmingly large percentage of my finances are online or tracked somewhere digitally. What is ditigal can be automated, but without any of the SMS-sniffing applications that currently clutter the market. The idea is to have a simple cross-platform application that:
1. Embeds a web-browser that lets you login to various online services.
2. Scrapes the order/payment history from these sites regularly.
3. And provides you with monthly budget/finance history that you can use to track your spending.
For bonus points, figure out a way to track card expenditure. The very minimum services required would be:
1. Uber (Has an API)
2. Splitwise (Has a API)
3. Paytm (Doesn't have API, but the website backend is very much a API)
4. Amazon
I've tried something similar before: [captn3m0/gringotts](https://github.com/captn3m0/gringotts), but I made a few mistakes:
While Slack calls are great, they are not the same as a Contact Entry in your phonebook.
Because with a phonebook entry, you can make outbound calls without having internet, and
you get contact details when your colleague calls you.
The idea is to run a Slack OAuth based CardDAV server, which:
1. Authenticates the user over OAuth
2. Fetches the list of all users in a team
3. Generates a CardDAV URL for the authenticated user
4. Which can then be used by the user on their phone to sync Contacts one-way (From Server to Phone)
Why one-way? You don't want changes made on the Client side to be pushed to the server.
Why CardDAV? It is an open-protocol built to exactly solve this problem.
And since you have the user's OAuth tokens, you can verify the token on every request to ensure that it is
still valid. If the token is invalid, you return an empty Contact List, thus ensuring that users can't fetch contacts
from teams they've left.
Another cool hack this enables is that for teams on Free Plans, which supports "Skype" field in your profile, but not Phone number, it allows you to use the "skype" field to build contact sync which converts the field to a mobile/telephone field as long as it is a valid telephone number.
One line pitch: Make a simple webapp that uses the Twitter UI to generate Play your own Adventures. For bonus points, add support for [Twine](https://twinery.org/) or perhaps DNML to let people create these easily.
Would be great if I could open my Calendar application and immediately look at events that are happening around me. Aim is to subscribe to "Fun Events - Bangalore (Insider)" or "Plays in Bengaluru (BookMyShow)" calendars for eg.
Insider has an API that could help with this: https://api.insider.in/home?filterBy=go-out&city=bangalore
I wanted to generate SVG images based on Social Media sharing templates that could be re-purposed as header images for any of my articles. Such a solution would help bloggers immensely, since your Open Graph images can be easily dynamically generated. Same goes for people with static sites. (Generating a static SVG is much easier than generating PNG images).
If you have a magic box that converts SVG images to PNG images just before serving them to Open Graph scrapers. You can implement such a box using CloudFlare workers for eg.
A few more links on this: [[a](https://fransdejonge.com/2018/03/twitter-and-facebook-dont-support-svg-yet/), [[b]](https://github.com/BreakOutEvent/breakout-frontend/issues/234), [[c]](https://indieweb.org/The-Open-Graph-protocol#Does_not_support_SVG_images).
Think of how powerful this could be: `<meta property="og:image" content="https://image.sv/g/https://captnemo.in/img/title-banner.svg />`
A somewhat relevant thing: https://www.bannerbear.com/. There are more details on https://github.com/captn3m0/ideas/issues/11 if this sounds interesting.
The lock/unlock address can be inferred. The service can be made public as well, since the backend just needs to be a simple/dumb storage for blobs (back it by S3 perhaps?)
### Why
- For casual projects, Terraform Enterprise is too much
- Separate Infrastructure for Terraform State store makes sense
- Not everyone has S3 available
- Just share your UUID and the encryption key with your teammates
### Backend
Needs to be a public good with restrictions:
1. Reasonable Rate limits
2. File size limits
3. Restrict by terraform-user-agent, because why not
4. Block unencrypted data from being stored
### Extras
- This needs to be Highly Available if folks are gonna use it
- Use NaCl for crypto
- Support a breakdown into `read_encryption_key` and `write_encryption_key` for key rotation
- The encryption parts can perhaps be merged to upstream
iOS 11 and above support browsing arbitary "cloud" filesystems using a ["File Provider Extension"][fpe]. This allows your application to expose a arbitary directory structure to other applications using the Files app (and file-picker dialogs).
Common use-cases include picking files from Dropbox, GDrive, iCloud etc. Here's a simple tutorial that demonstrates the idea: https://www.raywenderlich.com/697468-ios-file-provider-extension-tutorial.
The idea is to build a simple app that implements a dumb OPDS browser, along with a File Provider Extension. This magically makes all applications on your device OPDS aware, which is a Great Thing :tm:
OPDS here is the [open publication distribution system](https://en.wikipedia.org/wiki/OPDS), which allows a large number of clients to access digital libraries and publications with mostly-sane distribution and browsing semantics.
As an example, [Arxiv has a OPDS](https://arxiv-opds.herokuapp.com/) server without any authentication. You could enter this one URL in your application settings, and now all Arxiv PDFs are instantly browseable in your Files application.
OPDS support search as well, but I'm not sure of File Provider Extension does, but that would be another cool usecase. The application UI is just 2 screens:
1. List of connected OPDS Servers
2. Edit/Add screen for a OPDS Server. Includes fields for URL/Username/Password.
Brownie points for adding support for rendering ebook thumbnails, but that is optional.
## iOS \*sonic File Provider
Similarly, the [SubSonic API](http://www.subsonic.org/pages/api.jsp) is decently documented, reversed and re-implemented across a lot of clients. A single application that adds support for SubSonic File Provider will allow any other application to pick song files from a subsonic source. Not as many usecases as picking ebooks or PDFs, but good nonetheless.
The idea is a mix of 2 things: reading research papers about Monopoly, and playing a lot of boardgames. There is a lot of good research work around monopoly [0] and certain card games (Poker etc), but modern board games (Catan has a little research community) haven't been looked at much. I wanted to do simulation-based research for modern games, but found that there is no easy tooling available to do this.
CardWorld is "OpenAI Gym for boardgames". The complete idea is:
1. Have a board game framework in place that allows people to write rulesets for their favorite games. These get registered as environments in the Gym.
2. Allow anyone to submit a agent script for this environment that plays this game. This could be written in any language that the platform supports.
3. Have a runner system that runs these agents against each other.
The benefits I can see are these:
1. Crowdsource AI research on turn-based games. The easier it is to write a bot that plays Hearts, the more people will try their hand at it.
2. Improve our understanding of Card Game Modelling. There has been some research in this area earlier[1] involving languages specific to model this, but I think there is a lot of scope of improvement here.
3. Give the boardgame community the tools to simulate and understand strategies for modern board games. Everyone knows you must buy the Transports in Monopoly, but what is the optimum strategy for Settlers of Catan?
number, it only takes 37 hrs _total-compute time_,
which can easily be run in parallel to guess
any numbers which may have been ever entered
in the ledger.
The problem here is that we want repeated
numbers to hash to the same value, so as
to ensure duplicates get recorded properly.
This might be possible if all clients
can store a copy of the entire ledger,
but that doesn't sound like a good idea.
However, the mere fact that a phone
number is in the ledger isn't
as important as _when_ it was added.
A client should ideally add a random
delay (to the tune of hours) and batch
any writes to the ledger so as to
reduce chances of leak.
If A calls B, and B immediately
writes A's number to the ledger,
A can pretty much guarantee
that it was B who did it.
There is a counter-argument here to be made
about how you want honest clients and
immediate publishing would increase
transparency and hopefully get more
_actual spammers_ on the list.
Another concern is about publishing the client
identifier in the ledger, since it can
lead to the network figuring your
calling patterns. However, since an entry
is only added voluntarily, and doesn't really
have any PII, I think it is a reasonable
tradeoff to make.
### Deregistration
Phone numbers are not people. They can
be transferred, and what was a spammy
telemarketer earlier could now be your number.
There is no easy way here, other than having
a "negative" entry in the ledger, with
a far higher cost attached to it.
The client should always whitelist any
saved mobile numbers as well.
Another solution is to have a second
"verified" ledger of some sort, where
people can verify themselves as not-a-spammer
by "some means". Not sure how this could be
done in a distributed manner though.
### Cost of Computation
- Verification should be fast
- Insertions should be slow
- Client registrations should be costly
By costly, I mean the compute price, not monetary.
A nice way to equalize this would be to make
a registration as hard as 10 insertions, so
creating a client and reporting 9 further
times would be much more cheaper to do.
This helps in ensuring that there is still
a way to counter spam reports. I'm sure
there are better ideas, though.
### Terms
_Directory_: The actual data store holding a "Yes/No" filter of whether a number is spammy or not.
_Ledger_: A blockchain or ditributed log that maintains any reports.
### References
- You should totally read [Falsehoods Programmers Believe About Phone Numbers](https://github.com/googlei18n/libphonenumber/blob/master/FALSEHOODS.md)
- [bitly/dablooms](https://github.com/bitly/dablooms) - an attempt by bitly to solve spam problems with a layered bloom filter which is countable as well
Every community that I meet these days wants to use its own different app to manage things, or alternatively create its own special forum and so on.
For instance:
- The dev-s community runs its own Slack channel (which is great) but wants its own discussion forum.
- ReRoll Bangalore has its own WhatsApp/Telegram group (which is great again) but lacks a discussion forum.
The idea is to make a Chrome/Firefox extension that:
1. lets you create a community (you get a unique id + social links you can give out)
2. lets others submit their identity to the community tracker via the extension.
The extension has the following features:
1. Allows you to add "communities" you belong to
2. Allows you to add your identity handles that you own. So you can specify multiple twitter/reddit/facebook/HN/... accounts that you own
3. Link communities with your identities. So you can share your reddit handle by joining a community.
4. Highlight a community member while browsing the site. So if you are browsing hacker news and have added yourselves to the community listing, you can see other discussions highlighted from other members.
The entire extension lives in browser space and localstorage. The backend just maintains a mapping of community id to profile IDs, which is synced once in a while. A community code might be required to add yourselves to the community.
This is like Reddit flairs, but flairs only work on a single subreddit, this is intended to work across various discussion forums.
## onioncannon
Similar to [pushjet](https://pushjet.io/), but with the following idea:
- Push all app notifications to other clients
- Add/Remove clients at will
- All traffic reaches a central server
- All traffic is encrypted at source, but the uuid of the client can be used to talk to them
### Use Case
- I wanted to build a simple "auto-type OTP" Chrome Extension.
- Without using pushbullet (Should be FOSS)
- Without giving my OTP to anyone else (should be E2E)
- Without having to worry about NATs and firewalls (should be a publicly hosted service)
Somewhat related to the idea is http://github.com/decant, which allows me to build the "read SMS" part of it.
What I envision is essentially a simple client-registration protocol:
-`[Device A]` generates a UUID.
-`[Device B]` generates a UUID.
- B generates a QR code using the UUID.
- A scans the QR code to get the UUID and pushes a sample event.
- B gets the event, and can decide to push events to A if needed.
The QR code includes:
1. The UUID of a client
2. A public key fingerprint of the PGP key of the client
3. Metadata containing:
- Public Key
- URL where the public key can be found
- Misc Client Information
Any client who scans this can now start sending encrypted data to the client.
The nice thing is that you can transmit data however between these two parties, once it is encrypted. Use GCM/pusher if you wish.
A common problem in the privacy world is that when a service says: we need your data, but promise we won't store it - you have to take them at their word. This is a common problem. Signal for eg, hashes your contacts, and sends them to their cloud servers to see which of your contacts are on Signal. They manage to do that by relying on Intel SGX, which signs the code running on AWS and the Signal app validating that signature to ensure that the code that's processing your contacts isn't doing anything nefarious.
However, there is another trusted piece of infrastructure that can be used to achieve a slightly lower degree of trust. Here's how you do it:
1. AWS Lambda is "verifiable infrastructure". You can fetch the code and verify that it's the same code as what you've provided elsewhere (as a reproducible build for eg)
2. We create a lambda for trusted-code-execution (say collecting hashes of your contact list, matching them against a bloom filter). The code isn't supposed to log these contacts, or save them in any way. We also provide this exact code elsewhere, for people to validate and review.
3. You create a AWS IAM keypair that has permissions to get each revision of the lambda code, validate the corresponding API endpoint against this lambda.
4. Instead of using a custom-domain API Gateway, you instead use the AWS execute lambda endpoint (The ones that look like https://api-id.execute-api.region.amazonaws.com/STAGE). The request directly reaches the lambda - verifiably (I think).
5. Publish the keys for the AWS IAM keypair that was created above.
Anyone in the world can then call up the Lambda management API to validate the code at any time with these credentials. If you trust AWS Lambda and IAM, there is a verifiable trust in the code that is running on that lambda and that is processing your contacts. If/when AWS supports Intel SGX on Lambda (or Nitro Enclaves), additional guarantees can be provided by using that.
Not sure what the actual product here would be. Perhaps a toolkit that makes it easy to setup such infrastructure? Perhaps a global custody chain that acts as verifying nodes?
This work is licensed under a [Creative Commons Attribution 4.0 International License](https://creativecommons.org/licenses/by/4.0/). Feel free to contribute via Pull Requests, or discuss ideas in Issues. Also feel free to use these ideas in making the Next Big Thing. I promise to send you a postcard if you ship one of these.