BitMessage Secure Station open-hardware project.

May 22 15:25

I am Stman, working on a Secure End-point open-hardware low cost project for BitMessage, solving many important privacy issues: keyloggers, key escrow, screen dumpers, and raising the level of anonymity when using TOR or other IP masquerading technologies like VPNs. I have discussed the project with Peter Surda. If some developers of the BitMessage software are interested, feel free to contact me. The details of the project have been published on the Crypto-Anarchist Federation channel on BitMessage.

Chan name: Crypto-Anarchist Federation
Chan address: BM-2cWdaAUTrGZ21RzCpsReCk8n86ghu2oY3v

------

Indeed, the project we are developing aims at solving, as best we can (military grade), the issues Snowden perfectly described and reminded us about regarding end-point (computer) weaknesses when connected to the internet, and we do it radically, using the best state-of-the-art known techniques, consisting in a double-computer architecture. The draft "BitMessage Secure Station" hardware is detailed here:

As you will understand, this add-on project is not about, at least for the moment, doing any major change to the BitMessage software, but about creating dedicated hardware that solves security issues that cannot be solved with a "mono-processor" architecture. In the architecture we are designing, we are using a 2 microprocessors + 1 microcontroller model:

• A first computer (low cost Raspberry Pi, accessible to everybody for 30$) connected to the internet, that must be considered compromised.
• A second computer fully air gapped from the internet; you will use this one to read/enter your messages securely.
• Both interconnected with a serial port, but for added security this serial port goes through a "firewall" (made out of a PIC microcontroller) that checks no side channels exist by ensuring the protocol defined for transferring data between the 2 computers is strictly respected, filtering at the same time time-based side channels on the serial port.
• The PIC microcontroller handles two serial ports and relays data between each port bidirectionally, with its software highly secured (coded in assembly language, with NO OS and NO libraries). For future, more secure versions, this microcontroller will be replaced by a low cost FPGA (Xilinx Spartan 6 LX 9), and all that was implemented in assembly language on the PIC microcontroller will be implemented as wired state machines in the FPGA: no more processor, no more software, meaning the software attack surface of this little "firewall" on the SPI port will be guaranteed to be zero.

We are simply taking into account the best state-of-the-art knowledge in defensive cyber security in order to build a "hardened end-point" that can resist "NSA & friends" or "competitors" grade military attacks, therefore truly and provably protecting you from:

► Keylogger malware protection: it is achieved architecturally by having a double processor system, with one computer being compromised and connected to the internet, and another one air-gapped and not connected to the internet. The messages in clear text are entered on the computer not connected to the internet. Assuming that there is no side channel or hidden channel on the serial port connecting the two processors (will be discussed below), even if there is a keylogger installed on the air gapped computer, it will not be able to transfer its data if we can ensure there is no side channel or hidden channel between the two computers.

► Key escrow malware protection (protection of KEYS.DAT and MESSAGES.DAT): same as above. (Prevents the private keys used by BitMessage from being stolen by agencies/hackers.)

► Hardware integrated circuit serial number fingerprinting identification technique protection when using TOR or VPNs: this problem is solved by dedicating new hardware for the first computer, connected to the internet and that will be compromised, whose serial numbers were never associated with the user's identity before. A brand new Raspberry Pi bought in cash in an electronics store is the perfect way to achieve this. It also means dedicating this hardware exclusively to this usage, and never connecting any device to it. Example: never connect a USB flash disk key to it whose serial number is already associated with the user's identity, because it would allow extrapolating the identity already associated with the USB flash disk key to the Raspberry serial number. Same thing for the LCD screen: they transmit a serial number (VGA, DVI or HDMI) to the graphics card, and can have the same terrible effect as a USB flash disk key. We will have to give the user a list, which I have already been working on for years, of all the parts or subsystems known in a computer to have serial numbers. Let's say this issue is a matter of respecting a strict security procedure.

► Hardware characteristics (speed of each processor analysis) fingerprinting identification technique protection when using TOR or VPNs: same as above.

► Keystroke timing fingerprinting identification technique protection when using TOR or VPNs: this problem is solved architecturally exactly like the keylogger protection above.

► Phrasing and wording fingerprinting identification technique protection when using TOR or VPNs: we can use a trick many hackers know, and implement a kind of wording and rephrasing system, using a translator for example, from English to French and back from French to English.... But there are other programs that exist and do the job; there are many ways to do it indeed. This issue is also solved architecturally, like the keylogger protection mechanism described above.

► Side channel & hidden channel protection between the first and the second computers, interconnected through a serial port: this problem is solved by inserting a microcontroller having two serial ports on the serial link between the two computers. If the technique of using two microprocessors connected with a serial port offers the lowest attack surface possible, it can be improved greatly by inserting a microcontroller that will do the following:
• Check that the little protocol we will have to invent and implement (and design as hidden channel proof as possible) is correctly implemented, and that no other unwanted data is transmitted on the serial link.
• Fight the timing side channel attack surface on the serial port: serial ports offer the lowest attack surface regarding side & hidden channels, but they are still vulnerable to the timing-between-each-byte-sent-on-the-serial-port side channel. The microcontroller code can "filter" these timings by buffering and normalizing them. Time based side channels are well known, and must be & can be fought.
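
The serial "firewall" described in the post above, as an added simulation that is not part of the original post or of the project: the frame format (STX, length, payload, XOR checksum, ETX), the 32-byte payload cap, the 10 ms output slot and the function names `check_frame` and `relay` are all assumptions made here. It shows the two jobs the post gives the microcontroller: a validator that drops anything off-protocol, and a store-and-forward relay that clocks validated bytes out at a fixed cadence, so the inter-byte gaps chosen on the untrusted side never reach the air-gapped side.

```python
from typing import List, Optional, Tuple

STX, ETX = 0x02, 0x03   # assumed frame delimiters (not from the project)
MAX_PAYLOAD = 32        # assumed hard cap, enforced before any byte is forwarded
SLOT_MS = 10            # assumed fixed output cadence: one byte every 10 ms

def xor_checksum(payload: bytes) -> int:
    c = 0
    for b in payload:
        c ^= b
    return c

def frame(payload: bytes) -> bytes:
    """Build STX | LEN | PAYLOAD | XOR | ETX (used here to construct sample traffic)."""
    return bytes([STX, len(payload)]) + payload + bytes([xor_checksum(payload), ETX])

def check_frame(data: bytes) -> Optional[bytes]:
    """Return the payload only if the frame is exactly on-protocol; otherwise None."""
    if len(data) < 4 or data[0] != STX or data[-1] != ETX:
        return None
    n = data[1]
    if n > MAX_PAYLOAD or len(data) != n + 4:
        return None
    payload = data[2:2 + n]
    return payload if data[2 + n] == xor_checksum(payload) else None

def relay(events: List[Tuple[int, int]]) -> List[Tuple[int, int]]:
    """events: (arrival_ms, byte) on the untrusted side, with whatever gaps the sender
    chose. Returns (emit_ms, byte) on the trusted side: a whole frame is buffered and
    validated, then clocked out one byte per SLOT_MS from the next slot boundary, so
    sender-controlled inter-byte timing is replaced by a constant."""
    out: List[Tuple[int, int]] = []
    buf, next_slot = bytearray(), 0
    for t, b in events:
        if not buf and b != STX:
            continue                         # noise between frames: discard until STX
        buf.append(b)
        if len(buf) == 2 and b > MAX_PAYLOAD:
            buf.clear()                      # declared length over the cap: reject at once
        elif len(buf) >= 2 and len(buf) == buf[1] + 4:
            payload = check_frame(bytes(buf))
            buf.clear()
            if payload is None:
                continue                     # malformed frame: dropped, nothing emitted
            start = max(next_slot, -(-t // SLOT_MS) * SLOT_MS)   # next slot boundary >= t
            out.extend((start + i * SLOT_MS, pb) for i, pb in enumerate(payload))
            next_slot = start + len(payload) * SLOT_MS
    return out

def output_gaps(out: List[Tuple[int, int]]) -> List[int]:
    """Inter-byte gaps observed on the trusted side, in ms."""
    return [t2 - t1 for (t1, _), (t2, _) in zip(out, out[1:])]
```

Only the timing inside a frame is erased here; the interval between frames still follows the sender, which is why a stricter build would emit frames only on a fixed schedule regardless of when they arrived.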

[chan] general
May 22 21:37

It is good to see devs with a dream. Do you guys have a github repo? I would like to clone it and follow it if you have one.

[chan] general
Jun 17 15:03

If you go through the Snowden docs you will find that in most cases where systems are compromised it is because spooks had physical access to a machine, or an exploit of common software like shitty firefux or flash. Tor is another spyware that allows the owners of the directory servers to track you.
