Silk Road forums

Discussion => Security => Topic started by: Shroomeister on August 15, 2013, 12:23 pm

Title: ...In lieu of Tormail....
Post by: Shroomeister on August 15, 2013, 12:23 pm
Without Tormail these days we have begun to look for an alternative means of communication, should The Road ever have an outage etc.

We have begun experiments with bitmessage and encourage all of you to check it out.
Learn more at:
https://bitmessage.org/wiki/Main_Page

Decentralized, encrypted pseudo-email alternative.

You can Bitmessage us at:

BM-GtLadgVamPY81NrkPbwVu2UfbckXKQpw

and you can also join our "silkroad channel" at:

Chan name:
silkroad

Chan Address:
BM-2DBDA6UvwUSxm8WGPMoD8KBhGAowSSBa9P
Title: Re: ...In lieu of Tormail....
Post by: Shroomeister on August 15, 2013, 12:28 pm
PS if ever communicating anything deemed "sensitive" please use PGP.....as ALWAYS!

:)
Title: Re: ...In lieu of Tormail....
Post by: Bluto on August 15, 2013, 07:35 pm
Please excuse my ignorance.

If we are using a strong encryption algorithm and logging in via the Tor Network - then what is wrong with Yahoo Mail? Keep in mind that - again - everything is encrypted and we are using Tor.

(Also a strong password but that should go without saying)
Title: Re: ...In lieu of Tormail....
Post by: astor on August 15, 2013, 07:52 pm
Quote from: Bluto on August 15, 2013, 07:35 pm
> If we are using a strong encryption algorithm and logging in via the Tor Network - then what is wrong with Yahoo Mail? Keep in mind that - again - everything is encrypted and we are using Tor.

Metadata. An adversary can determine which parties you are communicating with. Although those parties may also be anonymous, metadata in aggregate can sometimes tell a story. If an adversary can determine who you are communicating with and look at their accounts, he may be able to find unencrypted messages. Track down enough parties, read enough accounts, and he can infer things about you. It's less secure than an "everyone gets everything" system like BitMessage, where an adversary can't prove which messages were sent to you. Well, that would be the case if it were true:

https://bitmessage.org/forum/index.php/topic,1666.0.html

Title: Re: ...In lieu of Tormail....
Post by: DexterousDealer on August 15, 2013, 09:04 pm
Do note though, Bitmessage doesn't use Tor by default - you can configure it to here (https://bitmessage.org/wiki/FAQ#How_do_I_setup_Bitmessage_to_work_with_Tor).

DD
Title: Re: ...In lieu of Tormail....
Post by: Baraka on August 16, 2013, 02:53 am
+1 for this thread.

I know Bitmessage still has its kinks that need to be worked out, but I like it and use it on the rare occasion when I need an anonymous way of communicating with someone.
Title: Re: ...In lieu of Tormail....
Post by: DexterousDealer on September 11, 2013, 11:16 pm
There's also Exploit.im or Riseup.net Jabber service with OTR. Or TorChat.
Title: Re: ...In lieu of Tormail....
Post by: comsec on September 11, 2013, 11:55 pm
Bitmessage has already been proven to have fatal flaws in it. Unfortunately the guy who maintains it was completely weaselly in his replies and sort of responded like a msg forum lawyer, unable to concede any points and just continually defended the pile of shit he created. It would help if he would submit a true white paper, one with clear technical specifications instead of vagueness. I would trust Bitmessage in about 2-3 years after everybody has had a chance to break it, and only if there's a real whitepaper released.

This was before everybody found out the NSA can pwn elliptic curve cryptography too. So it's double fucked. If you use it, only use it over Tor and assume everything is compromised, so paste in your 4096 PGP msgs; don't rely on their crypto engineering.

Make sure your PGP password is truly random. I would collect directly from /dev/random and generate a gigantic password, keep that in a password safe (Schneier's Password Safe or KeePass). Don't use 1Password or LastPass, they've been broken too. Read Hashcat forums where they whittled down the entropy to hardly anything. LastPass even refused to fix a bug, so consider it dangerous: www.tobtu.com/lastpass.php
Title: Re: ...In lieu of Tormail....
Post by: Nightcrawler on September 12, 2013, 10:07 pm
Quote from: comsec on September 11, 2013, 11:55 pm
> Bitmessage has already been proven to have fatal flaws in it. Unfortunately the guy who maintains it was completely weaselly in his replies and sort of responded like a msg forum lawyer, unable to concede any points and just continually defended the pile of shit he created. It would help if he would submit a true white paper, one with clear technical specifications instead of vagueness. I would trust Bitmessage in about 2-3 years after everybody has had a chance to break it, and only if there's a real whitepaper released.
>
> This was before everybody found out the NSA can pwn elliptic curve cryptography too. So it's double fucked. If you use it, only use it over Tor and assume everything is compromised, so paste in your 4096 PGP msgs; don't rely on their crypto engineering.
>
> Make sure your PGP password is truly random. I would collect directly from /dev/random and generate a gigantic password, keep that in a password safe (Schneier's Password Safe or KeePass). Don't use 1Password or LastPass, they've been broken too. Read Hashcat forums where they whittled down the entropy to hardly anything. LastPass even refused to fix a bug, so consider it dangerous: www.tobtu.com/lastpass.php

Use Diceware to generate a passphrase. Because the words from the Diceware list are chosen by a random physical process (dice throws) there is no way that the order of words in the list can be determined. Even if an adversary knows that you used a 10-word Diceware passphrase, the only method they can use to attempt to break it is using brute force. A 10-word Diceware passphrase has 129 bits of entropy. Given the fact that, as a general rule, passphrases/keys are usually found after a search of one-half of the keyspace, this means that the authorities would have to search a 128-bit keyspace to determine your passphrase.

See: http://www.diceware.com (clearnet)

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://qtt2yl5jocgrk7nu.onion/pks/lookup?op=get&search=0xB8F1D88EBBF7433B (IndyMedia .onion keyserver)
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090     (Silk Road Forums PGP Key Link)
PGP Key Fingerprint = 83F8 CAF8 7B73 C3C7 8D07  B66B AFC8 CE71 D9AF D2F0
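
The Diceware arithmetic from the post above, worked through as an added example that is not part of the original thread. The word list is a constructed placeholder in the Diceware file format (dice key, tab, word), and Python's `secrets` module stands in for physical dice; both are assumptions of this example.

```python
import math
import secrets

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD  # 7776 entries in a Diceware list

def parse_wordlist(text):
    """Parse Diceware-format lines: five-digit dice key, whitespace, word."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and len(parts[0]) == DICE_PER_WORD \
                and set(parts[0]) <= set("123456"):
            table[parts[0]] = parts[1]
    if len(table) != LIST_SIZE:
        raise ValueError(f"expected {LIST_SIZE} entries, got {len(table)}")
    return table

def roll_key():
    """Five fair dice from the OS CSPRNG (assumption: replaces physical dice)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))

def passphrase(table, words):
    return " ".join(table[roll_key()] for _ in range(words))

def entropy_bits(words):
    """Entropy when each word is an independent uniform pick from the list."""
    return words * math.log2(LIST_SIZE)

def expected_search_bits(words):
    """Average brute-force work is half the keyspace, i.e. one bit less."""
    return entropy_bits(words) - 1

def words_for(target_bits):
    return math.ceil(target_bits / math.log2(LIST_SIZE))

def constructed_list():
    """Constructed placeholder list, NOT the real Diceware words."""
    keys = [""]
    for _ in range(DICE_PER_WORD):
        keys = [k + d for k in keys for d in "123456"]
    return "\n".join(f"{k}\tw{k}" for k in keys)

if __name__ == "__main__":
    table = parse_wordlist(constructed_list())
    print(passphrase(table, 10))
    print(f"{entropy_bits(10):.2f} bits, about 2^{expected_search_bits(10):.2f} guesses on average")
```

The figures only hold when every word is picked uniformly at random; choosing or rearranging words by hand lowers the entropy below what `entropy_bits` reports.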
Title: Re: ...In lieu of Tormail....
Post by: Shroomeister on September 19, 2013, 01:30 am
Thank you guys for all the insight and info. I have to say I have already fallen away from checking my bitmessage because...well frankly.... just don't need email really on the dark net with SR.

I DO still look at it, but was really just playing with it when I made the original post.
Thanks again all.