Bitmessage TRULY UNSECURE

BM-2cXHKd2P4anPSEVkMg47RDX1TDXXWaiWX2
Dec 17 17:57

I am sorry to communicate to all users: Bitmessage is truly insecure because it exposes all known nodes' IP addresses, keys and contents. Setting up a node just collects enough info to know everyone, everywhere, every content.

[chan] general
Dec 17 18:02

so now we know it.

[chan3] general
Dec 17 18:04

Exposure of node IPs is pretty much required for any type of decentral networking, because you can't connect if you don't know anyone. Moot point. The public key messages are still encrypted; it doesn't give you anything useful if you didn't already know the address that it means. Content is also encrypted, and can only be decrypted if you have the respective address. If you'd call the content on a PUBLIC channel insecure, you're severely confused about what "public" means. Sooooo, try again with any actual info?

[chan] general
Dec 17 18:19

if i know your ip i can come to your house. i can browse your keys.dat, and i can browse your messages.dat (SQLite format) where your messages are stored NOT encrypted.... example from my messages.dat file.... BM-2cW67GEKkHGonXKZLCzouLLxnLym3azS8rRe: fuck me I have 80 connections1513422087The recent loss of net neutrality will take care of that, they'll throttle BM for you.

[chan] general
Dec 17 18:27

Many users now use Bitmessage via Tor, and only allow incoming connections via Tor, which makes the "I have yo IPs" extremely useless. But IF you could find some actual node IP, you could come to my house, if you had any means to get from IP to physical address, which you don't. Even if you did, you have no means to actually enter my house. Even if you had those, my hard drive is encrypted, so the file IS secured. And what's quoting a public message from a public channel supposed to show? That you can use an sqlite dumping tool? It doesn't link to the node that posted it. In fact, it doesn't tell you shit.

[chan] general
Dec 17 18:28

If you come to my house you'll get a 12 gauge shotgun up your asshole!

[chan] general
Dec 17 18:31

What this guy said

[chan] general
Dec 17 18:40

I am sorry to communicate that government agents were able to knock on doors of several Tor users; I will not say when and where, to protect my unprotected identity! I am sorry to communicate that IP to physical address is an extremely easy task in most parts of the globe. Government agents enter a house with just a simple authorization. And last, I am sorry to communicate that SHA-256 will be publicly violated soon.... so please don't collect too many coins....

[chan] general
Dec 17 18:46

what is truly unsecure about it?

[chan] general
Dec 17 18:49

Repeat after me: "Decentral networks are impossible without knowing IP addresses." If that's a problem to you, why are you still here? What you're describing is that government thundercunts can just fuck you over if they want to anyway. It doesn't matter one fucking bit if you're using anything like Bitmessage. If they want to end you, they will. If that WERE as big a problem, why are any Bitmessage users still here? Or Freenet? Or anyone who uses the DHT for BitTorrent? Or anyone using IPFS? Or anyone using ANY OTHER DECENTRAL NETWORK that could contain content the feds don't want? Even if it only makes the life of government shit slightly harder, it still protects against the malice of any bitch-ass company or pathetic script kiddy, which is already a huge improvement over not using it. What is your point? Do you even have one?

[chan] general
Dec 17 19:01

your ip address is how you connect to the internet, dimwit. without it you can't use the internet. if you're worried about your ip, set up the tor proxy settings in your bitmessage client. don't be stupid.
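An added example (not PyBitmessage code, not from any poster) of the "set up the Tor proxy settings" advice turned into a check: it parses the `[bitmessagesettings]` section of a keys.dat and reports anything that still leaves the node on clearnet. Assumptions: the option names (`socksproxytype`, `sockshostname`, `socksport`, `sockslisten`, `onionhostname`) are the ones PyBitmessage writes into keys.dat; both sample configs are constructed for this example and are not anyone's real file.

```python
"""Audit a PyBitmessage keys.dat for Tor-only networking.

Added example, not PyBitmessage code. Assumes the option names below are
the ones PyBitmessage stores in keys.dat; the two configs are constructed.
"""
import configparser
from typing import List

# Constructed sample: default-ish config that talks clearnet both ways.
WEAK_KEYS_DAT = """\
[bitmessagesettings]
socksproxytype = none
sockshostname = localhost
socksport = 9050
sockslisten = true
"""

# Constructed sample: outbound via local SOCKS5 (Tor), no clearnet listener,
# inbound only through an onion service (hostname is a placeholder).
TOR_ONLY_KEYS_DAT = """\
[bitmessagesettings]
socksproxytype = SOCKS5
sockshostname = 127.0.0.1
socksport = 9050
sockslisten = false
onionhostname = exampleonionaddress.onion
"""


def audit_keys_dat(text: str) -> List[str]:
    """Return findings; an empty list means no clearnet exposure was spotted."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    s = cp["bitmessagesettings"]
    findings = []

    proxy = s.get("socksproxytype", "none").lower()
    if proxy not in ("socks4a", "socks5"):
        findings.append("socksproxytype is '%s': outbound connections go over "
                        "clearnet and expose your IP to every peer" % proxy)

    host = s.get("sockshostname", "")
    if proxy != "none" and host not in ("localhost", "127.0.0.1"):
        findings.append("sockshostname '%s' is not local: proxy traffic "
                        "crosses the network unprotected" % host)

    port = s.getint("socksport", fallback=0)
    if proxy != "none" and not 1 <= port <= 65535:
        findings.append("socksport %d is not a valid port" % port)

    # With a proxy configured, sockslisten=true re-opens a clearnet listener.
    if s.getboolean("sockslisten", fallback=False):
        findings.append("sockslisten is true: node still accepts clearnet "
                        "inbound connections")

    onion = s.get("onionhostname", "")
    if onion and not onion.endswith(".onion"):
        findings.append("onionhostname '%s' is not a .onion name" % onion)

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_KEYS_DAT), ("tor-only", TOR_ONLY_KEYS_DAT)):
        print(name, audit_keys_dat(cfg) or ["ok"])
```

Run it against a real keys.dat by reading the file into `text` instead of the constructed strings; the hostname check is deliberately strict because a SOCKS proxy on another machine means the Bitmessage traffic leaves the host in the clear before it ever reaches Tor.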

[chan] general
Dec 17 19:05

you can also get my boot up your ass and my fist squishing into your cock sucker.

[chan] general
Dec 17 19:45

you are right, but my main concern is about keys.dat and messages.dat. Any file belonging to a "secure" application MUST be encrypted by a key stored OUTSIDE the system.

BM-2cX62WCeFcUwzXWqxTBfaAzNy4j1y8yZVm
Dec 17 19:49

There is some contributed code for encrypting keys.dat but I'm not happy about it as it encrypts the whole file and then you can't edit it anymore; there should be other options. messages.dat can be encrypted using sqlcipher but someone needs to code it and it has to be tested on all the platforms.

Peter Surda
Bitmessage core developer

[chan] general
Dec 17 19:54

based on what paranoid delusion do you say this? the keys and messages are on your computer. they are not on the network and they are not accessible to the network. if someone has access to your keys.dat you have bigger problems than bitmessage. please start making sense or just buzz off. you are trying to scare newbies with your FUD.

[chan] general
Dec 17 20:00

Isn't that what trolls are doing?

[chan3] general
Dec 17 20:01

An option is, under Linux, to use ~/Private as encrypted storage for keys.dat. Or to use full disk encryption. Both cases do have data secured "at rest"; at runtime it can be readable. This would be no different than using encryption in the DB, since the application requires it readable. I would be more concerned about possible remote code execution inside bitmessage to get this information...

[chan] general
Dec 17 20:09

Thank you Peter for your right words (finally). If I can humbly suggest a possible solution: EVERY TIME you start bitmessage the user must enter a long and strong passphrase, not as a password to validate a login, but as a passphrase the application uses to encrypt and decrypt the ".dat files". If you type a wrong passphrase you get access but you will see only "messed up" contents. Before closing, the application code will just blank the memory cells that contain the passphrase. NOWHERE in ANY code that claims itself secure should there be a comparison (if this = that then ok else no). Security is incompatible with ease of use. So no more direct editing of ".dat" files, no more application "autostart". Regards
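An added example, written for this page and not code from PyBitmessage or from any poster, covering the two technical points above: the earlier post's observation that messages.dat is a plain SQLite file whose message bodies a raw byte search recovers, and the suggestion (here and in Peter Surda's reply about sqlcipher) to put the .dat files under passphrase-derived encryption. Assumptions: the `inbox` table is a constructed stand-in that only loosely mirrors PyBitmessage's real schema, the row content is made up, and the container format (`BMDATENC1` header, PBKDF2-HMAC-SHA256 key derivation, HMAC-SHA256 in counter mode as the keystream, Encrypt-then-MAC tag) is a stdlib-only construction for illustration, not anything Bitmessage ships. It departs from the suggestion in one deliberate way: a wrong passphrase fails the authentication tag and is refused, instead of silently producing "messed up" contents that the application would then try to parse.

```python
"""Plaintext messages.dat leak, then passphrase-based file encryption.

Added example, not PyBitmessage code. Schema, row content and the
container format are constructed for illustration.
"""
import hashlib
import hmac
import os
import sqlite3
import struct
import tempfile
from typing import Optional, Tuple

MAGIC = b"BMDATENC1"       # hypothetical container header
KDF_ITERATIONS = 200_000   # raise on real hardware
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32


def build_sample_messages_dat(path: str) -> None:
    """Create a constructed stand-in for messages.dat with one inbox row."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE inbox (fromaddress text, subject text, "
                "received text, message text)")
    con.execute("INSERT INTO inbox VALUES (?, ?, ?, ?)",
                ("BM-2cW67GEKkHGonXKZLCzouLLxnLym3azS8r",
                 "Re: I have 80 connections", "1513422087",
                 "The recent loss of net neutrality will take care of that."))
    con.commit()
    con.close()


def plaintext_leaks(path: str, needle: bytes) -> bool:
    """A raw byte search, no SQLite needed, finds message text on disk."""
    with open(path, "rb") as f:
        return needle in f.read()


def _derive_keys(passphrase: bytearray, salt: bytes) -> Tuple[bytes, bytes]:
    master = hashlib.pbkdf2_hmac("sha256", bytes(passphrase), salt,
                                 KDF_ITERATIONS, dklen=64)
    return master[:32], master[32:]          # encryption key, MAC key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 as a PRF in counter mode (a simple stream cipher)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">Q", counter),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_file(path: str, passphrase: bytearray) -> bytes:
    """Replace the file in place with header || ciphertext || tag."""
    with open(path, "rb") as f:
        plaintext = f.read()
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    blob = header + ciphertext + tag
    with open(path, "wb") as f:
        f.write(blob)
    return blob


def decrypt_blob(blob: bytes, passphrase: bytearray) -> Optional[bytes]:
    """Return plaintext, or None when the tag fails (wrong passphrase, tampering)."""
    hlen = len(MAGIC) + SALT_LEN + NONCE_LEN
    if not blob.startswith(MAGIC) or len(blob) < hlen + TAG_LEN:
        return None
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:hlen]
    ciphertext, tag = blob[hlen:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, blob[:hlen] + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):     # constant-time check
        return None
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def wipe(buf: bytearray) -> None:
    """Best-effort zeroing. CPython may keep copies (e.g. the bytes() handed
    to pbkdf2_hmac), so this is hygiene, not a guarantee."""
    for i in range(len(buf)):
        buf[i] = 0


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "messages.dat")
        build_sample_messages_dat(path)
        needle = b"net neutrality"
        before = plaintext_leaks(path, needle)
        pw = bytearray(b"correct horse battery staple")   # constructed
        blob = encrypt_file(path, pw)
        after = plaintext_leaks(path, needle)
        ok = decrypt_blob(blob, pw)
        bad = decrypt_blob(blob, bytearray(b"wrong passphrase"))
        wipe(pw)
        return {"leaks_before": before, "leaks_after": after,
                "decrypt_ok": ok is not None and needle in ok,
                "wrong_pw_rejected": bad is None, "wiped": not any(pw)}


if __name__ == "__main__":
    print(demo())
```

The decrypt side still has to hand SQLite a readable database, which is the point made a few posts up: encryption like this protects the file at rest and against an attacker who copies it, not against one who can read the running process. A real implementation would use a standard AEAD (AES-GCM or ChaCha20-Poly1305) rather than the HMAC stream cipher used here to stay within the standard library.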

[chan] general
Dec 17 20:14

the whole world waited for your truly moronic suggestion: EVERY TIME you start bitmessage the user must enter a long and strong passphrase; and while we're at it, why not do it 5 times in a row? idiot.

[chan] general
Dec 17 20:23

yes, i sounded totally moronic, but surely your answer adds nothing intelligent to this discussion.

[chan] general
Dec 17 20:37

> Security is incompatible with ease of use. So no more direct editing of ".dat" files, no more application "autostart".

Oh brother. You're talking about security by obscurity. And not by obscurity to the attacker, but obscurity from the very end user, to whom nothing should ever be obscure! If an attacker has access to your keys.dat he probably already owns a couple listening sockets on your system, probably has already installed a key logger and rootkit, so all this worry about encrypting the file is moot. Ease of use and easy comprehension of what's under the hood is security. Why reinvent the wheel? Move on from all this stuff about encrypting the keys file (fuck, 3+ years jabbering about it). Implement a streams protocol so the application will scale to millions of users, then market the fuck out of it. Make sure you have your patreon, paypal, and altcoin donation buttons, run a kickstarter, write to inquire about some foundation and university grants, and keep moving. I'm worn out reading this same stuff over and over, guys. If you want to help Peter, submit a scaling streams implementation and a marketing plan. I don't have time right now or I would. And I do know how to scale this to millions of users, but it would require a drastic change in the addressing scheme and connection logic to do it my way, so I'll not go there. Peter's idea of a bloom filter is right, but I'm thinking of a bloom filter in reverse; your address is a key that modifies the global bloom filters, matched to object inventories and node pools so you can zero right in on 100 or so nodes that should have your messages. If you're worried about code injection, simply separate all the application logic so that only API calls can use the data files, and you can socket your API credentials however you want, through whatever network, tunnel, wire, or cable you want, for maximum security. But obfuscating and making the parts under the hood more obscure to the end user is not security.

By analogy, Tor does not encrypt your hidden service keys and addresses. By default it's in the clear. If someone has a side channel into that data, it's usually not through the application; it's through a bigger security breach, and that bigger breach is the real problem, ya know: rootkits, loggers, memory dumps, hardware back doors, wide open firewalls, lots of running services, operating system back doors, etc.

[chan] general
Dec 17 20:39

> long and strong hmmm

[chan] general
Dec 18 07:14

Why the suggestion to use an encrypted partition or FDE is a bad idea: An encrypted partition can be rubber-hose attacked with a court order, for example, to search for CP or terrorist materials. Decrypt or go to jail. An encrypted keys.dat file is small enough to be physically unable to contain prohibited materials (pictures or videos), so there's no probable cause for a court order. It may even pass unnoticed if the attacker is not targeting Bitmessage specifically. Hope this helps. Stay safe out there.

[chan] general
Dec 18 12:13

Here is good news for those interested. There is a way you can earn money without stress: contact (Sarkpaya Gokhan) for a blank [ATM CARD] today and be among the lucky ones who are benefiting from these cards. This PROGRAMMED blank ATM card is capable of hacking into any ATM machine, anywhere in the world. I got my already programmed and blanked ATM card to withdraw the maximum of $5,000 daily for a maximum of 30 days via {globalhacktech at gmaildotcom.. I am so happy about this because i got mine last week and I have used it to get $240,000.00. Sarkpaya Gokhan Hackers is giving out the card just to help the poor and needy and he ALSO OFFERS FINANCIAL ASSISTANCE. Get yours from Sarkpaya Gokhan Hackers today. Kindly contact them by Email.. This opportunity comes once.. Life wouldn't give you what you want unless you fight for it. If you have the slightest doubt, contact me at globalhacktech at gmaildotcom

[chan] general
Dec 18 12:19

There is 100% chance that this is a scam.

[chan] general
BM-2cW67GEKkHGonXKZLCzouLLxnLym3azS8r