Questions for the Bitmessage Community

BM-2cUiqPHuQXEEkaWYoniPPFhNQksWGzxE2N
Feb 9 19:33 [raw]

I think the bitmessage concept is unique and useful. Since I am not a computer guru how can I know that bitmessage works as advertised? How can I know it really secures my messages? How can I know that there are no back doors or special loopholes in the code that allow unknown persons to penetrate the system? Maybe someone will say, "It's open source." That proves nothing. It would require me to get a PhD in computer science so I might examine the source. Is this what is expected of users? How does one know that bitmessage isn't just a trap? How can one know? Where is the accountability for assurance? I don't know who any of the bitmessage developers are. Who are they? Who are their fellow travellers? Why did they create bitmessage? What agendas are at play?

BM-2cWy7cvHoq3f1rYMerRJp8PT653jjSuEdY
Feb 9 19:49 [raw]

"How can one know? " one bloody doesn't.

BM-2cWy7cvHoq3f1rYMerRJp8PT653jjSuEdY
Feb 9 20:29 [raw]

use OTP to encrypt big session keys then send the encrypted keys in the postal mails. Then encrypt electronic messages with a stream cipher using these session keys. Use the last session key to encrypt a new OTP for the next round. Mail new session keys every so often and destroy the old keys. This is much more secure than any electronic key exchange protocol.
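
One round of the scheme the post above describes, as an added example written for this page (it is not the poster's code and not part of PyBitmessage). Assumptions I have made for the example: the "stream cipher" is a toy HMAC-SHA256 counter-mode keystream standing in for a real one such as ChaCha20; three 32-byte session keys are mailed per round; the postal envelope is modelled as a list of byte strings handed from Alice to Bob; the initial pad is a constructed byte string where a real one would be true random material exchanged in person. The pad-exhaustion guard is the security-relevant part: the whole argument for the OTP step collapses if pad bytes are ever reused.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32         # bytes per session key (assumed for the example)
KEYS_PER_ROUND = 3   # session keys mailed per round (assumed for the example)
NONCE_LEN = 16


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


class OneTimePad:
    """Pad material shared out of band; each byte may be consumed exactly once.

    Both parties hold an identical copy and consume it in lockstep. The
    exhaustion check is what keeps it 'one-time': reusing pad bytes for two
    different keys lets an observer XOR the two envelopes and cancel the pad.
    """

    def __init__(self, material: bytes) -> None:
        self._material = material
        self._offset = 0

    def take(self, n: int) -> bytes:
        if self._offset + n > len(self._material):
            raise RuntimeError("pad exhausted: refusing to reuse pad bytes")
        chunk = self._material[self._offset:self._offset + n]
        self._offset += n
        return chunk


def wrap_keys(pad: OneTimePad, keys: list) -> list:
    """OTP-encrypt each session key; the result is what goes into the envelope."""
    return [xor_bytes(pad.take(len(k)), k) for k in keys]


def unwrap_keys(pad: OneTimePad, envelope: list) -> list:
    """Same operation on the recipient's copy of the pad (XOR is its own inverse)."""
    return [xor_bytes(pad.take(len(c)), c) for c in envelope]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode (assumption for the example;
    a real deployment would use an established cipher such as ChaCha20)."""
    n_blocks = (length + 31) // 32
    blocks = [hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range(n_blocks)]
    return b"".join(blocks)[:length]


def stream_encrypt(key: bytes, msg: bytes) -> bytes:
    """Return nonce || ciphertext. A fresh nonce per message keeps the keystream
    from repeating under one session key (the same two-time-pad failure the
    OneTimePad guard prevents on the postal side)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + xor_bytes(keystream(key, nonce, len(msg)), msg)


def stream_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return xor_bytes(keystream(key, nonce, len(ct)), ct)


def run_round(shared_pad: bytes, message: bytes, next_pad_len: int) -> dict:
    """One round: Alice mails OTP-wrapped session keys, encrypts a message under
    one of them, and uses the last one to ship the next round's pad."""
    alice_pad = OneTimePad(shared_pad)
    bob_pad = OneTimePad(shared_pad)            # Bob's identical copy

    # 1. Alice draws session keys and wraps them; 'envelope' is the postal item.
    alice_keys = [secrets.token_bytes(KEY_LEN) for _ in range(KEYS_PER_ROUND)]
    envelope = wrap_keys(alice_pad, alice_keys)

    # 2. Bob unwraps with his copy of the pad.
    bob_keys = unwrap_keys(bob_pad, envelope)
    keys_match = bob_keys == alice_keys

    # 3. Electronic traffic is protected with the stream cipher under a session key.
    recovered = stream_decrypt(bob_keys[0], stream_encrypt(alice_keys[0], message))

    # 4. The last session key carries the next round's pad; then the old keys go.
    next_pad = secrets.token_bytes(next_pad_len)
    bob_next_pad = stream_decrypt(bob_keys[-1], stream_encrypt(alice_keys[-1], next_pad))
    del alice_keys, bob_keys                    # "destroy the old keys" (best effort in Python)

    return {
        "keys_match": keys_match,
        "message_ok": recovered == message,
        "next_pad_ok": bob_next_pad == next_pad,
        "envelope_len": sum(len(c) for c in envelope),
    }


if __name__ == "__main__":
    # Constructed initial pad; in practice this must be true random material
    # delivered by hand or post, never derived from a key the network has seen.
    initial_pad = secrets.token_bytes(KEY_LEN * KEYS_PER_ROUND)
    print(run_round(initial_pad, b"meet at the usual place", 96))
```

Note what the example does not cover: the pad and the envelope still have to arrive untampered, and a pad that is too short for the round raises rather than silently wrapping around, which is the behaviour you want.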

BM-2cWy7cvHoq3f1rYMerRJp8PT653jjSuEdY
Feb 9 20:31 [raw]

Are you questioning this for absolutely everything you're using? Did you question if the machine you're on can even be remotely trusted? Do you know who EXACTLY the people that built the parts are? Did you question if there are no loopholes in the OS you're using? Can you truly trust the people that made it? Has any company given you a guarantee they will take accountability when shit hits the fan? Do you know that ALL OTHER SOFTWARE you're using is trustworthy? Do you know where each library or module from every program you have on your machine comes from? If you can't completely answer those questions, why do you aim this specifically at Bitmessage? What frees everything else from being subject to this?

BM-2cX62WCeFcUwzXWqxTBfaAzNy4j1y8yZVm
Feb 9 20:47 [raw]

> That proves nothing. It would require me to get a PhD in computer science so I might examine the source. Is this what is expected of users?

Yea that's a great question. I'm open for suggestions.

> How does one know that bitmessage isn't just a trap? How can one know? Where is the accountability for assurance?

How do you propose that would work? If you can't verify it yourself, then someone else has to verify it for you and you have to trust them. Or a tool can verify it for you, but then you have to trust the person who built the tool. Or you can post some information in a way that implies a crime and when you don't end up in jail, it may mean that the law enforcement cannot identify you, or they are waiting for a bigger fish, so again there is someone you have to trust. You can also use a different implementation instead of PyBitmessage but then you have to trust the developers of these.

> I don't know who any of the bitmessage developers are. Who are they?

You can look me up on the internet, it's not like I'm incognito. You can look up some information on Jonathan Warren as well. The two of us probably contributed most of the code in PyBitmessage. I don't really know the other contributors other than their nicknames and sometimes real names. I do know Daniel Krawisz and Justus Ranvier slightly better, we got acquainted due to our shared interest in Bitcoin prior to our involvement in Bitmessage. Furthermore, bitmessage uses existing cryptographic standards and libraries (like openssl) and those also have developers. Many times I get bug reports or helpful tips anonymously. I really appreciate all the help and I don't really care who it comes from. Or to paraphrase the most interesting man in the world, "stay anonymous my friends".

> Who are their fellow travellers? Why did they create bitmessage?

Jonathan created bitmessage, and you can read about his motivations in the bitmessage whitepaper (inadequacies of existing solutions with respect to protecting metadata, and the increasing amount of mass surveillance).

> What agendas are at play?

I can't speak for the others, but I share the two motivations listed above. I think these issues are very important and there still aren't adequate solutions for protecting metadata. I would describe myself as a cypherpunk.

Peter Surda
Bitmessage core developer

BM-2cWy7cvHoq3f1rYMerRJp8PT653jjSuEdY
Feb 9 21:19 [raw]

> why do you aim this specifically at Bitmessage?

Bitmessage makes specific reference to such security. "We propose a system that allows users to securely send and receive messages, and subscribe to broadcast messages, using a trustless decentralized peer-to-peer protocol. [...] It is also designed to mask non-content data, like the sender and receiver of messages, from those not involved in the communication."

BM-2cWy7cvHoq3f1rYMerRJp8PT653jjSuEdY
Feb 9 21:30 [raw]

So does every half-way modern processor containing stuff like the "TrustZone" in ARMs, or equivalents in Intel / AMD. Same with memory protection, hardware random generators that some CPUs offer, the AES-NI instruction set, the upcoming transparent RAM encryption that some CPU manufacturer announced. So does your OS when it uses these features, in things like Kernel Address Space Randomization or when it tries to isolate untrustworthy code via virtualisation. So does your web browser when it claims that it establishes a secure TLS connection, using a ton of libraries (not exclusive to TLS), some of which have been created in a similar environment as bitmessage has. There's a million things, all of which make claims of security, the interplay of which makes up the hardware and software you use. Sure, bitmessage makes this claim for security, but if you poke the question of "How can I trust that when it's done by people I don't know, and that don't guarantee by contracts / enforceability of laws against them, that their security works" at Bitmessage, you'll have to apply it in a similar way to everything below as well and ask if you can really trust the entire chain. Because in the end, if you can't answer the question about the stuff that BitMessage relies on, the question becomes pretty meaningless for BitMessage alone.

BM-2cWy7cvHoq3f1rYMerRJp8PT653jjSuEdY
Feb 27 08:28 [raw]

> How can I know that there are no back doors or special loopholes in the code that allow unknown persons to penetrate the system?

Interestingly a few days after this message was posted a huge Bitmessage exploit was announced. The exploit compromised the entire filesystem of affected systems and allowed remote code execution. So the OP's question was answered: Now you know about at least one backdoor in Bitmessage.

[chan] bitmessage
BM-2cWy7cvHoq3f1rYMerRJp8PT653jjSuEdY
