Bitmessage project looking for auditors and/or security specialists (reddit crosspost)

[chan] bitmessage
Feb 15 17:04

In light of the recent vulnerability I am looking for experts to audit the code, improve its security and write configuration for security platforms like firejail, AppArmor and SELinux. Applicants please post here in this thread (ED: meaning reddit post, but I think you can post it here in the chan as well). If you don't want to post publicly, just say publicly that you're interested and we'll figure out a way how you can authenticate my bitmessage addresses for future communication.

An application should contain:
- what is your motivation for the application
- a list of verifiable references of doing similar work (e.g. employer or an open source project)
- if the auditing wasn't done with python, verifiable references to experience with python
- a rough proposal for how you would proceed, with an ordered list of tasks (or just sorted into categories like short-term/medium-term/long-term)
- if you want, you can post publicly how much you want; if you don't, I can discuss it privately

I'm not posting this from my private address, as for the time being you shouldn't try to contact me over Bitmessage, until new authentication is established.

Peter Surda
Bitmessage core developer

[chan] bitmessage
Feb 15 18:38

I suggest gutting all pickle, eval, compile, and exec statements from both the bitmessage and PyBitmessage Qt GUI codebases. Replace them with conversion of all transitory values and objects to mathematical operators or base64 text, denying any attack surface for injection from any vector. Any module in python that has eval, pickle, compile, exec or similar execution features should either be gutted, removing those features from the codebase, or replaced by an entirely new library templated off it without the offending features.

Look at it this way. Treat it according to the old Unix philosophy or Plan 9: everything is text, everything is a file, and only alter text or files; don't let code write itself. Treat all sockets and connections as files/text, read only as values, not iterable, not alterable by any of their own parameters. All alteration parameters must come from within the program, with each type of data alteration separated into its own logical sphere, and only internal logic can bridge those spheres.

On most Linux distros firejail is available and is very secure. The bitmessage startup script should look for firejail and attempt to invoke / install it first. Bitmessage can also be set to install itself in a new chroot, then set itself up in a virtualenv in the chroot on first run, then invoke firejail on that virtualenv.

At the protocol level, variables / dicts holding keys should be walled off from the program by intermediary functions that check the authority of source and destination in all movement of key values. Once keys are loaded into memory, that part of the program should be removed from memory, and there should be no further access to keys.dat without passing through a cop function. The keys.dat and messages.dat should be encrypted on disk, with an option for a passphrase to start bitmessage and decrypt those files for the program.

These measures will approach bulletproof on Linux, and you don't have to mess around with SELinux policies and AppArmor. There are many more things that can be done, but this would be a good start.
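
As an added illustration (not PyBitmessage code) of the "everything is text" replacement for pickle suggested above: a transitory record is carried as base64-wrapped JSON text and read back by a loader that only ever builds strings and bytes, so deserialisation never constructs objects or runs code. The field names are constructed for the example, not Bitmessage's real data model.

```python
import base64
import json

# Added illustration: a text-only replacement for pickle when passing a
# message record between modules. Field names are constructed for the
# example, not PyBitmessage's real data model.
FIELDS = {
    "toAddress": str,
    "fromAddress": str,
    "subject": str,
    "message": bytes,   # carried as base64 text inside the JSON
}


def encode_record(record):
    """Serialise a dict of plain values to one base64 line of JSON text."""
    if set(record) != set(FIELDS):
        raise ValueError("unexpected field set: %r" % sorted(record))
    out = {}
    for name, typ in FIELDS.items():
        value = record[name]
        if type(value) is not typ:          # exact type, no subclasses
            raise TypeError("%s must be %s" % (name, typ.__name__))
        out[name] = base64.b64encode(value).decode("ascii") if typ is bytes else value
    text = json.dumps(out, sort_keys=True).encode("utf-8")
    return base64.b64encode(text).decode("ascii")


def decode_record(text):
    """Inverse of encode_record. Only ever builds str/bytes, never objects."""
    try:
        raw = base64.b64decode(text, validate=True)   # binascii.Error is a ValueError
        obj = json.loads(raw.decode("utf-8"))
    except ValueError as exc:
        raise ValueError("not a valid record: %s" % exc)
    if not isinstance(obj, dict) or set(obj) != set(FIELDS):
        raise ValueError("unexpected field set")
    record = {}
    for name, typ in FIELDS.items():
        value = obj[name]
        if type(value) is not str:      # every JSON field must arrive as text
            raise ValueError("%s must be text" % name)
        record[name] = base64.b64decode(value, validate=True) if typ is bytes else value
    return record
```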

[chan] bitmessage
Feb 15 18:49

I forgot to mention: keys.dat data should only be callable by crypto / decrypt functions. A cop function should prevent any other module or vector from accessing them either in memory or on disk.
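
An added sketch (not PyBitmessage code) of the "cop function" idea from the two posts above: key material is loaded once into a closure and only sign/verify operations are exported, to callers on an allow-list, so no module can read the key back. HMAC stands in for Bitmessage's real ECC signing, and the caller names and key labels are constructed.

```python
import hashlib
import hmac
import threading

# Added illustration of a "cop function" gate in front of key material.
# HMAC stands in for the real signing scheme; labels and callers are constructed.


def open_keystore(raw_keys, authorised):
    """raw_keys: dict label -> secret bytes (constructed, not keys.dat format).
    authorised: set of module names allowed to request key operations."""
    secrets = dict(raw_keys)
    raw_keys.clear()                # the plaintext copy handed in is dropped
    lock = threading.Lock()
    audit = []

    def _cop(caller, label):
        # The gate: every key use names its caller and is logged; anything
        # not on the allow-list is refused before the key is touched.
        if caller not in authorised:
            audit.append(("denied", caller, label))
            raise PermissionError("%s may not use key %s" % (caller, label))
        if label not in secrets:
            raise KeyError(label)
        audit.append(("allowed", caller, label))

    def sign(caller, label, data):
        with lock:
            _cop(caller, label)
            return hmac.new(secrets[label], data, hashlib.sha256).digest()

    def verify(caller, label, data, tag):
        with lock:
            _cop(caller, label)
            expected = hmac.new(secrets[label], data, hashlib.sha256).digest()
            return hmac.compare_digest(expected, tag)

    def audit_log():
        return list(audit)

    # Only the operations leave this function; the secrets dict never does.
    return sign, verify, audit_log
```

In CPython the closure is still reachable through function introspection, so this separates responsibilities by design rather than enforcing them; a sandbox such as firejail is what supplies the hard boundary.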

[chan] bitmessage
Feb 17 12:59

"The Open Technology Fund (OTF) funds third party audits for all of the code related projects that it supports. It has also offered to fund audits of "non-OTF supported projects that are in use by individuals and organizations under threat of censorship/surveillance". Notable projects whose audits the OTF has sponsored include Cryptocat, Commotion Wireless, TextSecure, GlobaLeaks, MediaWiki, OpenPGP.js, Nitrokey, and Ricochet. The OTF also matched donations that were made toward the auditing of TrueCrypt. Notable projects that the OTF has supported (separately from audits) include The Tor Project, Open Whisper Systems, Cryptocat, GlobaLeaks, Tor2web, The Guardian Project, Citizen Lab, Commotion Wireless, Lantern, Serval Project, Briar, NoScript, Qubes OS, and Tails."
https://en.wikipedia.org/wiki/Open_Technology_Fund

See also Freedom of the Press Foundation – a non-governmental organization that has also supported some of the same projects that the OTF has supported: https://en.wikipedia.org/wiki/Freedom_of_the_Press_Foundation

Edward Snowden is current president of the board of the Freedom of the Press Foundation. https://freedom.press/about/board/

[chan] bitmessage
Feb 17 13:21

Thanks for the info.

Peter Surda
Bitmessage core developer
