Silk Road forums

Discussion => Security => Topic started by: asianboy on August 10, 2013, 08:11 pm

Title: Everyone should get Bitmessage -- Safe alternative to Tormail
Post by: asianboy on August 10, 2013, 08:11 pm
Everyone should get Bitmessage -- Safe alternative to Tormail -- Less buggy than Torchat

https://bitmessage.org/wiki/Main_Page
Title: Re: Everyone should get Bitmessage -- Safe alternative to Tormail
Post by: tg00 on August 10, 2013, 11:57 pm
Sounds interesting, I'm guessing it works sort of like the bitcoin client?  Tor Chat is more for short instant message conversations than an actual email replacement.
Title: Re: Everyone should get Bitmessage -- Safe alternative to Tormail
Post by: astor on August 11, 2013, 12:00 am
Not a good idea. https://bitmessage.org/forum/index.php/topic,1666.0.html
Title: Re: Everyone should get Bitmessage -- Safe alternative to Tormail
Post by: shermanhex4sun on August 11, 2013, 12:36 pm
Not a good idea. https://bitmessage.org/forum/index.php/topic,1666.0.html

Astor,

do you have any alternatives to tormail that you endorse? I've switched to safe mail and naturally have one account that I only use for certain correspondence and which is always encrypted.
Title: Re: Everyone should get Bitmessage -- Safe alternative to Tormail
Post by: hailsatan123123 on August 11, 2013, 02:43 pm
I think safe-mail is actually run by some authorities. Can anybody confirm this?
Title: Re: Everyone should get Bitmessage -- Safe alternative to Tormail
Post by: StonerReakingHavoc on August 11, 2013, 03:39 pm
I think safe-mail is actually run by some authorities. Can anybody confirm this?
I wouldn't be surprised. Just like how I wouldn't be surprised if some new Tor Mail alternatives pop up claiming to be anonymous, but are actually run by governments.
Keep safe fellow roaders, crazy times we are living in.
Title: Re: Everyone should get Bitmessage -- Safe alternative to Tormail
Post by: medicineman684 on August 11, 2013, 04:17 pm
While bitmessage might have its vulnerabilities it is likely pretty safe for your average user. LEO is not going to put in any kind of time/resources into busting users or even small time vendors. Can you imagine the DEA spending even a little bit of time trying to find the IP address of someone ordering pot in the mail or even someone selling quarter ounces? No they are focusing on big catches....

If you are operating a large scale heroin operation or something similar you should be 100% sure of security.....

For email I have switched to countermail...happy with it so far...

mm
Title: Re: Everyone should get Bitmessage -- Safe alternative to Tormail
Post by: asianboy on August 11, 2013, 04:19 pm
Not a good idea. https://bitmessage.org/forum/index.php/topic,1666.0.html

It is just a Beta version right now. I think a lot of those issues will eventually resolve either by updating the Bitmessage client or from remaking the system from scratch.
Title: Re: Everyone should get Bitmessage -- Safe alternative to Tormail
Post by: kmfkewm on August 11, 2013, 04:26 pm
Not a good idea. https://bitmessage.org/forum/index.php/topic,1666.0.html

It is just a Beta version right now. I think a lot of those issues will eventually resolve either by updating the Bitmessage client or from remaking the system from scratch.

Why should people start using something that needs to be remade from scratch because it is insecure now?
Title: Re: Everyone should get Bitmessage -- Safe alternative to Tormail
Post by: asianboy on August 11, 2013, 04:29 pm
You can always use PGP + Tor in addition to BitMessage to maximize security
Title: Re: Everyone should get Bitmessage -- Safe alternative to Tormail
Post by: kmfkewm on August 11, 2013, 04:34 pm
You can always use PGP + Tor in addition to BitMessage to maximize security

My argument then would be that you might as well use Tor + GPG + a clearnet mail provider.
Title: Re: Everyone should get Bitmessage -- Safe alternative to Tormail
Post by: medicineman684 on August 11, 2013, 08:01 pm
Sure but a clearnet provider like gmail keeps all the emails. In time the pgp could eventually be cracked.
Title: Re: Everyone should get Bitmessage -- Safe alternative to Tormail
Post by: kmfkewm on August 11, 2013, 08:07 pm
Sure but a clearnet provider like gmail keeps all the emails. In time the pgp could eventually be cracked.

BitMessage broadcasts all of the emails to hundreds or thousands of people.
Title: Re: Everyone should get Bitmessage -- Safe alternative to Tormail
Post by: astor on August 11, 2013, 08:09 pm
Astor,

do you have any alternatives to tormail that you endorse? I've switched to safe mail and naturally have one account that I only use for certain correspondence and which is always encrypted.

I guess you can use a clearnet email provider but choose a different username, and make sure everyone else uses different usernames. Don't leak who you are talking to, and PGP encrypt all messages.

Title: Re: Everyone should get Bitmessage -- Safe alternative to Tormail
Post by: kmfkewm on August 11, 2013, 08:21 pm
Using a clearnet provider is fine as long as you keep scripts disabled, use GPG and use Tor, and take all of the other security precautions possible. Something better would be nice, but I just am not aware of anything really better right now. I think BitMessage has a lot of maturation to do before it should be used for anything sensitive, Freenet has an email-like thing but it requires you to communicate with other people running Freenet. It really isn't that hard to make a simple hidden service for private messaging, you could do it with a cheap VPS if you are okay with that level of security, or certainly with a bottom of the line dedicated server. Maybe people should pool some Bitcoins and have somebody trusted like Astor set it up, doesn't really matter if they turn evil in the future because you always use GPG anyway right? I don't have time to set up a private messaging server right now or else I would do it on a VPS and pay for it for a year if somebody sent me $600 worth of Bitcoin

A little harder to do something like Tor Mail (allowing actual E-mails to exit and come in, rather than internal private messaging) though, it would require two servers and some more intensive configuration.

Why not just use the forum PM system? If you just need a secondary way to communicate with vendors in case of emergency, a secondary unrelated internal PM system would work and there isn't need for E-mail, or is there some need for E-mail like talking to Chinese vendors? Hm, I guess maybe need two servers if you want something like Tor Mail, and a bit harder to configure.
Title: Re: Everyone should get Bitmessage -- Safe alternative to Tormail
Post by: caffeine_me on August 11, 2013, 08:47 pm
I am not totally sold on the bitmessage system yet, but using this http://bitmailendavkbec.onion website that then gives you an email address with your created, via their site, BM address seems like a good idea. Connect through an onion site, create an anonymous email (is a ".CH"), send PGP messages. Seems pretty safe to me.

I have been testing it for a few days and the system seems fast and dependable.
Title: Re: Everyone should get Bitmessage -- Safe alternative to Tormail
Post by: goblin on August 11, 2013, 09:05 pm
Does anybody think I'm way off on this? I only accept orders from buyers who encrypt their names and addresses, however, the ratio of people who don't versus who do is still apparently more than 1.

In order to not deprive myself of a potential sale and to permit a newbie to order from me, I came on this: sending the buyer a code by SR PM that relates to his wanted item (but that only I would know what it is) and a throwaway email address from mailinator, a random set of numbers and letters@mailinator.com, never to be used again. He's to send his information (through tor) to it along with the code and NOTHING ELSE. No outside party could possibly know what that all refers to. I specifically warn against sending ANYTHING else (like, duh, this is for my SR order).

I'd get his info (using tor, naturally) and complete the order. I know that email address can't be deleted, but if it's never used again and there is no possible way to link the contents to anything incriminating, I don't see what harm there could be. Especially if my packages are very good in stealth and don't stand out.

Whattayou think, am I off on this, fellas? I will use your feedback (especially from guys like Astor or kfw... or Jack) to modify my listings to delete this option if you think it's really a bad idea.

goblin
Title: Re: Everyone should get Bitmessage -- Safe alternative to Tormail
Post by: goblin on August 11, 2013, 09:25 pm
Another idea I had (I'm sure somebody else musta thought of it before) is to let them send me their name and address unencrypted in the SR order box. I'd copy it and then cancel the order. This would delete the whole thing including the name and address from the SR servers (would it?) and then I'd ask them to place the order again, this time not sending anything in the way of personal information. And I would proceed with fulfilling the order.

Any thoughts?
Title: Re: Everyone should get Bitmessage -- Safe alternative to Tormail
Post by: comsec on August 12, 2013, 12:59 am
Mailinator is being archived wholesale, I wouldn't use it. There's lots of sites like this which let you use client side javascript to encrypt to a public PGP key http://www.hanewin.net/encrypt/PGcrypt.htm

I wouldn't obviously use that site because of no https but search around there's many more out there. You can make your own site to do this too, and .onion host it.
Title: Re: Everyone should get Bitmessage -- Safe alternative to Tormail
Post by: goblin on August 12, 2013, 02:32 am
http://www.hanewin.net/encrypt/PGcrypt.htm
I love the fact that it says at the end of its spiel: And you can trust it.

Yes, that certainly sells me. If something doesn't come out and say you can trust it, I won't touch it!
Title: Re: Everyone should get Bitmessage -- Safe alternative to Tormail
Post by: StaticTension on August 12, 2013, 07:01 am
I was looking into Bitmessage as well and found a post where the guy basically listed all the flaws of Bitmessage and how unsafe it is. I think it was Astor that posted that link. The one thing he was saying is that the code and the explanation provided by the developers doesn't make it 100% clear what happens in certain situations. The way the developers describe how Bitmessage works it seems it would be trivial to flood and crash the whole network. I need a new email but I'll pass on Bitmessage.
Title: Re: Everyone should get Bitmessage -- Safe alternative to Tormail
Post by: Baraka on August 12, 2013, 10:43 am
kmf is right about Bitmessage. It still has a ways to go before it's ready to replace e-mail+PGP as a secure form of communication. That said I still like it for an emergency situation where SR is down for days on end. That happened just a few months back so it's very possible for the same electronic thugs who took down Tormail to at least knock SR offline for a while. In that event I would want people to either use a secure e-mail provider where signup and every single login thereafter was done through Tor- or Bitmessage with PGP encrypted messages.

The problem is that it's easy to fuck up when it comes to logging in to an e-mail account. I know that one hacker is doing time right now because he accidentally logged in to one e-mail account without Tor or a logless VPN. And he was very cautious. The point is that anyone can make the same mistake and it can kill you if LE is watching your account.

I definitely have my reservations about Bitmessage and greatly appreciate kmf's analysis of it but will keep Bitmessage installed and running in the background in case of an emergency. Even then I'll use PGP to encrypt my messages within the already encrypted ECC-256 that is used to transport the messages to everyone on the network. Better to have that minimal insurance than nothing at all.
Title: Re: Everyone should get Bitmessage -- Safe alternative to Tormail
Post by: spectrum on August 12, 2013, 04:17 pm
The problem is that it's easy to fuck up when it comes to logging in to an e-mail account. I know that one hacker is doing time right now because he accidentally logged in to one e-mail account without Tor or a logless VPN. And he was very cautious. The point is that anyone can make the same mistake and it can kill you if LE is watching your account.

Whonix solves that problem. There is no way to connect to any server except over Tor. :)