Questions for the Bitmessage Community

BM-2cUiqPHuQXEEkaWYoniPPFhNQksWGzxE2N
Feb 9 19:33 [raw]

I think the bitmessage concept is unique and useful. Since I am not a computer guru, how can I know that bitmessage works as advertised? How can I know it really secures my messages? How can I know that there are no back doors or special loopholes in the code that allow unknown persons to penetrate the system? Maybe someone will say, "It's open source." That proves nothing. It would require me to get a PhD in computer science so I might examine the source. Is this what is expected of users? How does one know that bitmessage isn't just a trap? How can one know? Where is the accountability for assurance? I don't know who any of the bitmessage developers are. Who are they? Who are their fellow travellers? Why did they create bitmessage? What agendas are at play?

BM-2cWy7cvHoq3f1rYMerRJp8PT653jjSuEdY
Feb 9 19:49 [raw]

"How can one know?" One bloody doesn't.

BM-2cWy7cvHoq3f1rYMerRJp8PT653jjSuEdY
Feb 9 20:29 [raw]

Use OTP to encrypt big session keys, then send the encrypted keys in the postal mail. Then encrypt electronic messages with a stream cipher using these session keys. Use the last session key to encrypt a new OTP for the next round. Mail new session keys every so often and destroy the old keys. This is much more secure than any electronic key exchange protocol.
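
The scheme in the post above, as an added example that is not part of the original thread: a pre-shared pad wraps a fresh session key for mailing, and the pad refuses to hand out any byte twice. The class and function names are hypothetical, and the SHAKE-256 keystream is a stand-in for a real stream cipher that gives no integrity protection.

```python
import hashlib
import secrets

class OneTimePad:
    """Pad material shared out of band; every byte is used at most once."""

    def __init__(self, pad: bytes):
        self._pad = pad
        self._offset = 0  # bytes before this offset are already spent

    def remaining(self) -> int:
        return len(self._pad) - self._offset

    def take(self, n: int) -> bytes:
        # Never wrap around: reusing pad bytes voids the OTP guarantee.
        if n > self.remaining():
            raise ValueError("pad exhausted; a fresh pad is required")
        chunk = self._pad[self._offset:self._offset + n]
        self._offset += n
        return chunk

def xor(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("length mismatch")
    return bytes(x ^ y for x, y in zip(a, b))

def wrap_session_key(pad: OneTimePad, session_key: bytes) -> bytes:
    """OTP-encrypt (or decrypt) a session key with unused pad bytes."""
    return xor(session_key, pad.take(len(session_key)))

def stream_xor(session_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Assumption: SHAKE-256(key || nonce) stands in for a vetted stream
    # cipher. It is unauthenticated; a nonce must never repeat per key.
    keystream = hashlib.shake_256(session_key + nonce).digest(len(data))
    return xor(data, keystream)

def demo() -> dict:
    pad_bytes = secrets.token_bytes(64)       # constructed sample pad
    sender, receiver = OneTimePad(pad_bytes), OneTimePad(pad_bytes)
    key = secrets.token_bytes(32)
    mailed = wrap_session_key(sender, key)    # what goes in the letter
    recovered = wrap_session_key(receiver, mailed)
    nonce = secrets.token_bytes(16)
    ct = stream_xor(key, nonce, b"constructed test message")
    pt = stream_xor(recovered, nonce, ct)
    return {"recovered_ok": recovered == key, "plaintext": pt,
            "pad_left": sender.remaining()}
```

Both parties must track the same pad offset, and a 64-byte pad covers exactly two 32-byte session keys before `take` raises.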

BM-2cWy7cvHoq3f1rYMerRJp8PT653jjSuEdY
Feb 9 20:31 [raw]

Are you questioning this for absolutely everything you're using? Did you question if the machine you're on can even be remotely trusted? Do you know who EXACTLY the people that built the parts are? Did you question if there are no loopholes in the OS you're using? Can you truly trust the people that made it? Has any company given you a guarantee they will take accountability when shit hits the fan? Do you know that ALL OTHER SOFTWARE you're using is trustworthy? Do you know where each library or module from every program you have on your machine comes from? If you can't completely answer those questions, why do you aim this specifically at Bitmessage? What frees everything else from being subject to this?

BM-2cX62WCeFcUwzXWqxTBfaAzNy4j1y8yZVm
Feb 9 20:47 [raw]

> That proves nothing. It would require me to get a PhD in computer science so I might examine the source. Is this what is expected of users?

Yea that's a great question. I'm open for suggestions.

> How does one know that bitmessage isn't just a trap? How can one know? Where is the accountability for assurance?

How do you propose that would work? If you can't verify it yourself, then someone else has to verify it for you and you have to trust them. Or a tool can verify it for you, but then you have to trust the person who built the tool. Or you can post some information in a way that implies a crime and when you don't end up in jail, it may mean that the law enforcement cannot identify you, or they are waiting for a bigger fish, so again there is someone you have to trust. You can also use a different implementation instead of PyBitmessage but then you have to trust the developers of these.

> I don't know who any of the bitmessage developers are. Who are they?

You can look me up on the internet, it's not like I'm incognito. You can look up some information on Jonathan Warren as well. The two of us probably contributed most of the code in PyBitmessage. I don't really know the other contributors other than their nicknames and sometimes real names. I do know Daniel Krawisz and Justus Ranvier slightly better, we got acquainted due to our shared interest in Bitcoin prior to our involvement in Bitmessage. Furthermore, bitmessage uses existing cryptographic standards and libraries (like openssl) and those also have developers. Many times I get bug reports or helpful tips anonymously. I really appreciate all the help and I don't really care who it comes from. Or to paraphrase the most interesting man in the world, "stay anonymous my friends".

> Who are their fellow travellers? Why did they create bitmessage?

Jonathan created bitmessage, and you can read about his motivations in the bitmessage whitepaper (inadequacies of existing solutions with respect to protecting metadata, and the increasing amount of mass surveillance).

> What agendas are at play?

I can't speak for the others, but I share the two motivations listed above. I think these issues are very important and there still aren't adequate solutions for protecting metadata. I would describe myself as a cypherpunk.

Peter Surda
Bitmessage core developer

BM-2cWy7cvHoq3f1rYMerRJp8PT653jjSuEdY
Feb 9 21:19 [raw]

> why do you aim this specifically at Bitmessage?

Bitmessage makes specific reference to such security. "We propose a system that allows users to securely send and receive messages, and subscribe to broadcast messages, using a trustless decentralized peer-to-peer protocol. [ ... ] It is also designed to mask non-content data, like the sender and receiver of messages, from those not involved in the communication."

BM-2cWy7cvHoq3f1rYMerRJp8PT653jjSuEdY
Feb 9 21:30 [raw]

So does every half-way modern processor containing stuff like the "TrustZone" in ARMs, or equivalents in Intel / AMD. Same with memory protection, hardware random generators that some CPUs offer. AES-NI instruction set, the upcoming transparent RAM encryption that some CPU manufacturer announced. So does your OS when it uses these features. In things like Kernel Address Space Randomization or when it tries to isolate untrustworthy code via virtualisation. So does your web browser when it claims that it establishes a secure TLS connection, using a ton of libraries (not exclusive to TLS), some of which have been created in a similar environment as bitmessage has. There's a million things, all of which make claims of security, the interplay of which makes up the hardware and software you use. Sure, bitmessage makes this claim for security, but if you poke the question of "How can I trust that when it's done by people I don't know, and that don't guarantee by contracts / enforceability of laws against them, that their security works" at Bitmessage, you'll have to apply it in a similar way to everything below as well and ask if you can really trust the entire chain. Because in the end, if you can't answer the question about the stuff that BitMessage relies on, the question becomes pretty meaningless for BitMessage alone.

BM-2cWy7cvHoq3f1rYMerRJp8PT653jjSuEdY
Feb 27 08:28 [raw]

> How can I know that there are no back doors or special loopholes in the code that allow unknown persons to penetrate the system?

Interestingly, a few days after this message was posted a huge Bitmessage exploit was announced. The exploit compromised the entire filesystem of affected systems and allowed remote code execution. So the OP's question was answered: Now you know about at least one backdoor in Bitmessage.

[chan] bitmessage
BM-2cWy7cvHoq3f1rYMerRJp8PT653jjSuEdY
