BM-NB4UTyuEJrQBtxJfT96DVagfQo8ZaeoN

Security By Obscurity
Jun 29 07:18 [raw]

A bitmessage poster wrote, "Security by obscurity is inefficient." Ever heard of "classified" or "top secret?" Since it works so badly, why do they do it? (Rhetorical question, you'll not be able to provide a reasonable or cogent answer.) One can't get these crypto-cult-koolaid drinkers to admit their ideas are wrong-headed. Some cult leader at a conference or college class said it, so it must be true. Security by obscurity is the most often employed, and most often successful security strategy in most domains from the statehouse down to the chef's secret mustard recipe. Security by obscurity works 99.99% of the time. Because 0.01% of the time it fails or a traitor leaks something, the gatekeepers of cryptography pounce on the event as evidence that you must use their products and ideas to secure your secrets. Because obscurity fails once in a while, the crypto-cult gatekeepers lie to you and expect you to believe their crypto fails less. But in practical experience, industry standard cryptography fails much more often than security by obscurity. And when it does fail, it does not put one person's obscure secrets at risk--when cryptography fails, it risks the secrets of millions of dupes who are using the failed crypto.

= zaeon =
Bitmessage broadcast: BM-NB4UTyuEJrQBtxJfT96DVagfQo8ZaeoN

Double Tor Tunnel
Jun 29 05:13 [raw]

There is no feature that allows specification of longer circuit route length in torrc. https://www.torproject.org/docs/tor-manual.html.en

The circuit length is hard coded into Tor source code as: "#define DEFAULT_ROUTE_LEN 3." https://gitweb.torproject.org/tor.git/tree/src/or/or.h?h=release-0.3.4#n4848

In order to build longer circuits a user must download and modify the source code, compile the source, then build a package for the target distribution. This is an unwieldy process that the average user cannot do. Average users don't know how to download, install, and use compilers, nor do they know how to build Linux packages. So your criticism is uninformed. There is no published setting in torrc that allows bypassing this. The double tunnel method is much simpler.

------------------------------------------------------

This is also retarded. You can just add more hops in Tor with the torrc config.

------------------------------------------------------

How to Double Tunnel Tor through Tor

One may tunnel one instance of Tor through another instance to double the length of the Tor circuit. Connecting to Tor over Tor adds extra difficulty to attacks on your Tor usage.

Method #1: Android

Connect the Android device to the Internet and download Orbot from the app store or F-Droid. In Orbot settings, enable Tor socks and adjust the port number to your desired port. Enable Internet connection sharing on your Android device or tether it to the computer, while ensuring the Android device is connected to the Internet. On the computer, install and configure Tor to connect via a proxy. In the proxy configuration, enter the port number and IP address of your Android device. This will vary depending on whether your computer is connected directly to the Android device or to a LAN or wifi hotspot shared with the Android device. After you enter the Tor socks port from the Android device, run Tor from your computer.

The Tor instance on the computer will connect to Orbot on the Android device. Orbot is already connected to Tor. Now the computer will tunnel through the Orbot circuit and create another Tor circuit beginning at the exit node of the Orbot circuit. Now instead of five hops in the Tor tunnel you should have ten hops. This will slow down the connection a bit but if security is paramount this is tops.

Method #2: Virtual Machine

Run a virtual machine OS with an instance of Tor running. Outside the VM on another computer, or in another VM on the same computer, run another instance of Tor. Enable Tor socks on one VM, and configure the other VM to connect to the Tor socks of the other VM, completing a double Tor tunnel.

= zaeon =

Roll Your Own Crypto
Jun 28 09:50 [raw]

Polly wanna cracker?

= zaeon =

------------------------------------------------------

This is dangerous nonsense and you're completely wrong. It's not gatekeeping any more than recommending that you shouldn't do your own surgery is gatekeeping. You're putting yourself and others at risk by suggesting that the insecure bullshit you come up with is better than things like AES.

------------------------------------------------------

Roll your own crypto. Roll your own crypto before the NSA-sponsored mathematicians at Stanford and MIT roll more "secure" crypto for you. When you roll your own crypto expect to be heckled and harassed by these gatekeepers. They have an agenda: keep all cryptographic standards following the same old model. Every few years the same old model proves to be insecure, requiring adjustments in key sizes and parameters without any real structural change to the way they scaffold the algorithms and infrastructures. If 24 bit crypto was broken, then 48 bit crypto was broken, then 56 bit crypto was broken, why would you ever trust any of those algorithms or their designers ever again? If a community of gatekeepers, with their standards, has repeatedly handed you products that prove insecure, isn't it stupid to keep using their products? Shouldn't you switch brands?

I am glad to see that many have opened their eyes to reject standard crypto. Some people are no longer afraid to stand up to the gatekeepers of academia. These gatekeepers poison every well and shield us from progress. They are establishment hacks who benefit by keeping the rest of us amazed, dazed and ignorant. Reject their authority. They have no authority to govern our growth and understanding, or our communications. We don't need them or their gatekeeping. We don't need to apologize for rolling our own.

ROLL YOUR OWN CRYPTO. ROLL IT OFTEN. RE-ROLL IT OFTEN. CHANGE IT OFTEN. HONE IT, IMPROVE IT, ATTACK IT, REWORK IT, REFINE IT--OFTEN.

Share it, secrete it, share some, obscure some, piggyback it, cascade it, try everything with it that you like. If this were the norm, the deep state would have extreme difficulty trying to crack anything--it would become a per message attack, rather than a standard attack. Do not listen to the gatekeepers who tell you to only use crypto approved by "the experts." The more crypto you create, attack, and share with others for attacking, the better you will become at transcending the experts' complicated (and repeatedly broken) standards with experience and understanding of what works.

Example: I invented a simple field cipher (hand encryption) that is more secure than AES or pretty much any Feistel-network cipher. I know from experience, from rolling around in crypto and reconstructing the crypto of others who rolled their own, the security of this field cipher is great. If the power grid goes down, I'll still have cryptography with paper and pen because I dared to roll my own. I've got cryptography in my wallet. That's priceless.

= zaeon =

Double Tor Tunnel
Jun 23 18:47 [raw]

How to Double Tunnel Tor through Tor

One may tunnel one instance of Tor through another instance to double the length of the Tor circuit. Connecting to Tor over Tor adds extra difficulty to attacks on your Tor usage.

Method #1: Android

Connect the Android device to the Internet and download Orbot from the app store or F-Droid. In Orbot settings, enable Tor socks and adjust the port number to your desired port. Enable Internet connection sharing on your Android device or tether it to the computer, while ensuring the Android device is connected to the Internet. On the computer, install and configure Tor to connect via a proxy. In the proxy configuration, enter the port number and IP address of your Android device. This will vary depending on whether your computer is connected directly to the Android device or to a LAN or wifi hotspot shared with the Android device. After you enter the Tor socks port from the Android device, run Tor from your computer.

The Tor instance on the computer will connect to Orbot on the Android device. Orbot is already connected to Tor. Now the computer will tunnel through the Orbot circuit and create another Tor circuit beginning at the exit node of the Orbot circuit. Now instead of five hops in the Tor tunnel you should have ten hops. This will slow down the connection a bit but if security is paramount this is tops.

Method #2: Virtual Machine

Run a virtual machine OS with an instance of Tor running. Outside the VM on another computer, or in another VM on the same computer, run another instance of Tor. Enable Tor socks on one VM, and configure the other VM to connect to the Tor socks of the other VM, completing a double Tor tunnel.

= zaeon =
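Added example, not from either Double Tor Tunnel post (Jun 29 and Jun 23): the torrc lines that carry out the "configure Tor to connect via a proxy" step on the computer, with the Android tether address and Orbot SOCKS port as constructed placeholders; the same fragment covers Method #2 with the first VM's address substituted. Note that the Tor project's own documentation discourages Tor over Tor, so this shows how the described setup is wired up and how to check that it is actually in effect, not a recommendation.

```text
# torrc for the Tor instance on the computer (added example, not from the post).
# 192.168.43.1 and 9050 are constructed placeholders: substitute the address the
# Android device has on the tether/hotspot link and the SOCKS port set in Orbot.
# For Method #2, substitute the address and SOCKS port of the first Tor VM instead.

# Send every relay connection through the upstream Tor's SOCKS listener.
# With this line set, this instance never contacts a Tor relay directly.
Socks5Proxy 192.168.43.1:9050

# Local SOCKS listener for applications on this computer. Use a port different
# from the upstream one so it is obvious which instance a program is talking to.
SocksPort 127.0.0.1:9150

# Log to stdout so bootstrap progress is visible when tor is started from a terminal.
Log notice stdout

# Checks after starting tor with this file:
#  - The log should reach "Bootstrapped 100%". If it stalls early, the upstream
#    SOCKS listener is usually not reachable: Orbot (or the first VM) must listen
#    on the interface the computer connects to, not only on its own loopback.
#  - Point one application at 127.0.0.1:9150 and confirm its traffic stops when the
#    upstream instance is shut down; if it still flows, that application is not
#    using the tunnelled instance at all.
```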

Air Gapped Bitmessage?
Jun 23 07:12 [raw]

Hi all, I would like to run Bitmessage on air gap. Machine Charlie runs an Internet-facing bitmessage daemon with no address keys. Periodically Charlie exports all new objects to a USB drive. Machine Delta is air gapped. Delta takes the incoming objects from the USB drive and feeds them to a local PyBitmessage instance with address keys, decrypting them as if received from the Internet. Machine Delta also composes messages and encrypts the objects, exporting them to the USB drive. When the drive returns to Charlie he snarfs the USB media and sends the new objects to the network. What are some user-friendly methods to accomplish this? Has this idea already been contemplated or deployed? Are there extra security precautions that would improve an air gap setup?

= zaeon =

Roll Your Own Crypto
Jun 23 02:57 [raw]

Roll your own crypto. Roll your own crypto before the NSA-sponsored mathematicians at Stanford and MIT roll more "secure" crypto for you. When you roll your own crypto expect to be heckled and harassed by these gatekeepers. They have an agenda: keep all cryptographic standards following the same old model. Every few years the same old model proves to be insecure, requiring adjustments in key sizes and parameters without any real structural change to the way they scaffold the algorithms and infrastructures. If 24 bit crypto was broken, then 48 bit crypto was broken, then 56 bit crypto was broken, why would you ever trust any of those algorithms or their designers ever again? If a community of gatekeepers, with their standards, has repeatedly handed you products that prove insecure, isn't it stupid to keep using their products? Shouldn't you switch brands?

I am glad to see that many have opened their eyes to reject standard crypto. Some people are no longer afraid to stand up to the gatekeepers of academia. These gatekeepers poison every well and shield us from progress. They are establishment hacks who benefit by keeping the rest of us amazed, dazed and ignorant. Reject their authority. They have no authority to govern our growth and understanding, or our communications. We don't need them or their gatekeeping. We don't need to apologize for rolling our own.

ROLL YOUR OWN CRYPTO. ROLL IT OFTEN. RE-ROLL IT OFTEN. CHANGE IT OFTEN. HONE IT, IMPROVE IT, ATTACK IT, REWORK IT, REFINE IT--OFTEN.

Share it, secrete it, share some, obscure some, piggyback it, cascade it, try everything with it that you like. If this were the norm, the deep state would have extreme difficulty trying to crack anything--it would become a per message attack, rather than a standard attack. Do not listen to the gatekeepers who tell you to only use crypto approved by "the experts." The more crypto you create, attack, and share with others for attacking, the better you will become at transcending the experts' complicated (and repeatedly broken) standards with experience and understanding of what works.

Example: I invented a simple field cipher (hand encryption) that is more secure than AES or pretty much any Feistel-network cipher. I know from experience, from rolling around in crypto and reconstructing the crypto of others who rolled their own, the security of this field cipher is great. If the power grid goes down, I'll still have cryptography with paper and pen because I dared to roll my own. I've got cryptography in my wallet. That's priceless.

= zaeon =