Bitmessage TRULY UNSECURE

BM-2cXHKd2P4anPSEVkMg47RDX1TDXXWaiWX2
Dec 17 17:57 [raw]

I am sorry to communicate to all users: bitmessage is truly unsecure because it exposes all known nodes' IP addresses, keys and contents. Setting up a node just collects enough info to know everyone, everywhere, every content.

BM-2cW67GEKkHGonXKZLCzouLLxnLym3azS8r
Dec 17 18:02 [raw]

so now we know it.

BM-2DAV89w336ovy6BUJnfVRD5B9qipFbRgmr
Dec 17 18:04 [raw]

Exposure of node IPs is pretty much required for any type of decentral networking, because you can't connect if you don't know anyone. Moot point. The public key messages are still encrypted; it doesn't give you anything useful if you didn't already know the address that it means. Content is also encrypted, and can only be decrypted if you have the respective address. If you'd call the content on a PUBLIC channel insecure, you're severely confused about what "public" means. Sooooo, try again with any actual info?

BM-2cW67GEKkHGonXKZLCzouLLxnLym3azS8r
Dec 17 18:19 [raw]

If I know your IP I can come to your house. I can browse your keys.dat, and I can browse your messages.dat (sqlite format) where your messages are stored NOT encrypted.... Example from my messages.dat file....
BM-2cW67GEKkHGonXKZLCzouLLxnLym3azS8rRe: fuck me I have 80 connections1513422087The recent loss of net neutrality will take care of that, they'll throttle BM for you.

BM-2cW67GEKkHGonXKZLCzouLLxnLym3azS8r
Dec 17 18:27 [raw]

Many users now use Bitmessage via Tor, and only allow incoming connections via Tor, which makes the "I have yo IPs" extremely useless. But IF you could find some actual node IP, you could come to my house, if you had any means to get from IP to physical address, which you don't. Even if you did, you have no means to actually enter my house. Even if you had those, my hard drive is encrypted, so the file IS secured. And what's quoting a public message from a public channel supposed to show? That you can use an sqlite dumping tool? It doesn't link to the node that posted it. In fact, it doesn't tell you shit.

BM-2cW67GEKkHGonXKZLCzouLLxnLym3azS8r
Dec 17 18:28 [raw]

If you come to my house you'll get a 12 gauge shotgun up your asshole!

BM-2cW67GEKkHGonXKZLCzouLLxnLym3azS8r
Dec 17 18:31 [raw]

What this guy said

BM-2cW67GEKkHGonXKZLCzouLLxnLym3azS8r
Dec 17 18:40 [raw]

I am sorry to communicate that govern agents were able to knock on the doors of several Tor users; I will not say when and where, to protect my unprotected identity! I am sorry to communicate that IP to physical address is an extremely easy task in most parts of the globe. Govern agents enter a house with just a simple authorization. And last, I am sorry to communicate that sha256 will be publicly violated soon.... so pls don't collect too many coins....

BM-2cW67GEKkHGonXKZLCzouLLxnLym3azS8r
Dec 17 18:46 [raw]

what is truly unsecure about it?

BM-2cW67GEKkHGonXKZLCzouLLxnLym3azS8r
Dec 17 18:49 [raw]

Repeat after me: "Decentral networks are impossible without knowing IP addresses." If that's a problem to you, why are you still here? What you're describing is that government thundercunts can just fuck you over if they want to anyway. It doesn't matter one fucking bit if you're using anything like Bitmessage. If they want to end you, they will. If that WERE as big a problem, why are any Bitmessage users still here? Or Freenet? Or anyone who uses the DHT for BitTorrent? Or anyone using IPFS? Or anyone using ANY OTHER DECENTRAL NETWORK that could contain content the feds don't want? Even if it only makes the life of government shit slightly harder, it still protects against the malice of any bitch-ass company or pathetic script kiddy, which is already a huge improvement over not using it. What is your point? Do you even have one?

BM-2cW67GEKkHGonXKZLCzouLLxnLym3azS8r
Dec 17 19:01 [raw]

Your IP address is how you connect to the internet, dimwit. Without it you can't use the internet. If you're worried about your IP, set up the Tor proxy settings in your Bitmessage client. Don't be stupid.

BM-2cW67GEKkHGonXKZLCzouLLxnLym3azS8r
Dec 17 19:05 [raw]

you can also get my boot up your ass and my fist squishing into your cock sucker.

BM-2cW67GEKkHGonXKZLCzouLLxnLym3azS8r
Dec 17 19:45 [raw]

You are right, but my main concern is about keys.dat and messages.dat. Any file belonging to a "secure" application MUST be encrypted by a key stored OUTSIDE the system.

BM-2cX62WCeFcUwzXWqxTBfaAzNy4j1y8yZVm
Dec 17 19:49 [raw]

There is some contributed code for encrypting keys.dat but I'm not happy about it as it encrypts the whole file and then you can't edit it anymore; there should be other options. messages.dat can be encrypted using sqlcipher but someone needs to code it and it has to be tested on all the platforms.
Peter Surda
Bitmessage core developer

BM-2cW67GEKkHGonXKZLCzouLLxnLym3azS8r
Dec 17 19:54 [raw]

Based on what paranoid delusion do you say this? The keys and messages are on your computer. They are not on the network and they are not accessible to the network. If someone has access to your keys.dat you have bigger problems than Bitmessage. Please start making sense or just buzz off. You are trying to scare newbies with your FUD.

BM-2cW67GEKkHGonXKZLCzouLLxnLym3azS8r
Dec 17 20:00 [raw]

Isn't that what trolls are doing?

BM-2DAV89w336ovy6BUJnfVRD5B9qipFbRgmr
Dec 17 20:01 [raw]

One option, under Linux, is to use ~/Private as encrypted storage for keys.dat. Or to use full disk encryption. In both cases the data is secured "at rest"; at runtime it can be readable. This would be no different from using encryption in the DB, since the application requires it to be readable. I would be more concerned about possible remote code execution inside Bitmessage to get this information...

BM-2cW67GEKkHGonXKZLCzouLLxnLym3azS8r
Dec 17 20:09 [raw]

Thank you Peter for your right words (finally). If I can humbly suggest a possible solution: EVERY TIME you start Bitmessage the user must enter a long and strong passphrase, not as a password to validate a login, but as a passphrase the application uses to encrypt and decrypt the ".dat" files. If you type a wrong passphrase you get access but you will see only "messed up" contents. Before closing, the application code will just blank the memory cells that contain the passphrase. NOWHERE in ANY code that claims itself secure should there be a comparison (if this = that then ok else no). Security is incompatible with ease of use. So no more direct editing of ".dat" files, no more application "autostart". Regards
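Peter's objection above (whole-file encryption leaves keys.dat uneditable) and the passphrase proposal both point at encrypting only the secret values. The following is an added example, not PyBitmessage's own code: it encrypts just the private-key fields of a keys.dat-style INI file with a PBKDF2-derived key, leaves labels and settings editable, and uses AES-GCM so a wrong passphrase fails authentication instead of producing the "messed up" contents described. It assumes the third-party `cryptography` package; the section and field names and the sample values are assumptions made for the demo.

```python
# Added example, not PyBitmessage code: encrypt only the private-key values of a
# keys.dat-style INI file so the rest stays editable, with a wrong passphrase
# failing authentication. Section/field names below are assumptions for the demo.
import base64, configparser, hashlib, io, os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

PRIVATE_FIELDS = ("privsigningkey", "privencryptionkey")
SAMPLE_KEYS_DAT = """[bitmessagesettings]
[BM-PLACEHOLDERADDRESS]
label = demo
privsigningkey = 5PLACEHOLDERSIGNINGKEY
privencryptionkey = 5PLACEHOLDERENCRYPTIONKEY
"""  # constructed sample with placeholder values, not real keys

def _derive_key(passphrase, salt):  # stretch passphrase into a 256-bit AES key
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 600_000, 32)
def _load(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    return cfg
def _dump(cfg):
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()

def encrypt_keys_dat(text, passphrase):
    """Replace each private field with AES-GCM ciphertext; labels stay plaintext."""
    cfg, salt = _load(text), os.urandom(16)
    key = _derive_key(passphrase, salt)
    for section in cfg.sections():
        for field in PRIVATE_FIELDS:
            if cfg.has_option(section, field):
                nonce = os.urandom(12)  # fresh per value, never reused under this key
                # Section name as associated data: a blob cannot be moved to another address
                ct = AESGCM(key).encrypt(nonce, cfg[section][field].encode(), section.encode())
                cfg[section][field] = "enc:" + base64.b64encode(nonce + ct).decode()
    cfg.set("bitmessagesettings", "keysalt", base64.b64encode(salt).decode())
    return _dump(cfg)

def decrypt_keys_dat(text, passphrase):
    """Reverse of encrypt_keys_dat; a wrong passphrase raises cryptography's InvalidTag."""
    cfg = _load(text)
    key = _derive_key(passphrase, base64.b64decode(cfg["bitmessagesettings"]["keysalt"]))
    cfg.remove_option("bitmessagesettings", "keysalt")
    for section in cfg.sections():
        for field in PRIVATE_FIELDS:
            if cfg.get(section, field, fallback="").startswith("enc:"):
                blob = base64.b64decode(cfg[section][field][4:])
                cfg[section][field] = AESGCM(key).decrypt(blob[:12], blob[12:], section.encode()).decode()
    return _dump(cfg)
```

The encrypted file can still be opened in a text editor to change labels or settings, while the GCM tag turns a wrong passphrase into a clean failure rather than silently garbled keys.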

BM-2cW67GEKkHGonXKZLCzouLLxnLym3azS8r
Dec 17 20:14 [raw]

The whole world waited for your truly moronic suggestion: EVERY TIME you start Bitmessage the user must enter a long and strong passphrase, and while we're at it, why not do it 5 times in a row? Idiot.

BM-2cW67GEKkHGonXKZLCzouLLxnLym3azS8r
Dec 17 20:23 [raw]

Yes, I sounded totally moronic, but surely your answer adds nothing intelligent to this discussion.

BM-2cW67GEKkHGonXKZLCzouLLxnLym3azS8r
Dec 17 20:37 [raw]

> Security is incompatible with easy of use. So no more direct editing of ".dat" files, no more application "autostart".

Oh brother. You're talking about security by obscurity. And not by obscurity to the attacker, but obscurity from the very end user, to whom nothing should ever be obscure! If an attacker has access to your keys.dat he probably already owns a couple of listening sockets on your system, probably has already installed a key logger and rootkit, so all this worry about encrypting the file is moot. Ease of use and easy comprehension of what's under the hood is security. Why reinvent the wheel? Move on from all this stuff about encrypting the keys file (fuck, 3+ years jabbering about it). Implement a streams protocol so the application will scale to millions of users, then market the fuck out of it. Make sure you have your Patreon, PayPal, and altcoin donation buttons, run a Kickstarter, write to inquire about some foundation and university grants, and keep moving. I'm worn out reading this same stuff over and over, guys. If you want to help Peter, submit a scaling streams implementation and a marketing plan. I don't have time right now or I would. And I do know how to scale this to millions of users, but it would require a drastic change in the addressing scheme and connection logic to do it my way, so I'll not go there. Peter's idea of a bloom filter is right, but I'm thinking of a bloom filter in reverse: your address is a key that modifies the global bloom filters, matched to object inventories and node pools so you can zero right in on 100 or so nodes that should have your messages. If you're worried about code injection, simply separate all the application logic so that only API calls can use the data files, and you can socket your API credentials however you want, through whatever network, tunnel, wire, or cable you want, for maximum security. But obfuscating and making the parts under the hood more obscure to the end user is not security.
By analogy Tor does not encrypt your hidden services keys and addresses. By default it's in the clear. If someone has a side channel into that data, it's usually not through the application; it's through a bigger security breach and that bigger breach is the real problem, ya know rootkits, loggers, memory dumps, hardware back doors, wide open firewalls, lots of running services, operating system back doors, etc.

BM-2cW67GEKkHGonXKZLCzouLLxnLym3azS8r
Dec 17 20:39 [raw]

> long and strong

hmmm

BM-2cW67GEKkHGonXKZLCzouLLxnLym3azS8r
Dec 18 07:14 [raw]

Why the suggestion to use an encrypted partition or FDE is a bad idea: An encrypted partition can be rubberhose-attacked with a court order, for example, to search for CP or terrorist materials. Decrypt or go to jail. An encrypted keys.dat file is small enough to be physically unable to contain prohibited materials (pictures or videos), so there's no probable cause for a court order. It may even pass unnoticed if the attacker is not targeting Bitmessage specifically. Hope this helps. Stay safe out there.

BM-2cW67GEKkHGonXKZLCzouLLxnLym3azS8r
Dec 18 12:13 [raw]

Here is a good news for those interested. There is a way you can earn money without stress contact (Sarkpaya Gokhan) for a blank [ATM CARD]today and be among the lucky ones who are benefiting from this cards. This PROGRAMMED blank ATM card is capable of hacking into any ATM machine,anywhere in the world. I got my already programmed and blanked ATM card to withdraw the maximum of $5,000 daily for a maximum of 30 days via {globalhacktech at gmaildotcom.. I am so happy about this because i got mine last week and I have used it to get $240,000.00 Sarkpaya Gokhan Hackers is giving out the card just to help the poor and needy and he ALSO OFFER FINANCIAL ASSISTANCE. get yours from Sarkpaya Gokhan Hackers today. Kindly contact them by Email.. These opportunity comes once.. Life wouldn't give you what you want unless you fight for it. If you have a slightest doubt, contact me at globalhacktech at gmaildotcom

BM-2cW67GEKkHGonXKZLCzouLLxnLym3azS8r
Dec 18 12:19 [raw]

There is a 100% chance that this is a scam.
