Silk Road forums
Discussion => Security => Topic started by: astor on September 17, 2013, 04:29 am
-
Looks like this was both a DOS and enumeration attack. We need something better.
http://www.reddit.com/r/onions/comments/1mdlre/tormail_is_down_so_now_we_have_this_new_one/cc8g4bx
Bitmessage relies of Proof Of Work to "control spam". In order to send a message you need to do computational work. Everyone gets a copy of every message ever sent too, you just can't read them all.
This design decision is objectively horrible. If you have a cluster or even a CUDA Enabled Graphics card, you have more message sending capacity, you can spam and the rest of the network cannot keep up and basically will eventually only be sending your messages. Basically it's incredibly weak to network wide denial of service. In addition if you have lots of people that need to send messages, i.e. it would attempt to replace email, everyone would have a copy of every encrypted message.
Bitmessage simply will never scale and is incredibly weak to DoS.
http://secupost.net
Alright, the messages sent out a few days ago are starting to expire now. It's time for everyone to learn what the purpose of secupost.net is.
As many of you guessed, this is indeed a Bitmessage address to IP address mapper. Yes, the only thing that webserver would send was a 500 message.
It did alright too, gathering nearly 500 bitmessage users information after sending 15000 messages. Double what I expected.
I've included both a log of each address detected and the first thing to hit it including IP, reverse DNS and useragent as well as raw logs for every valid request. If you need to confirm this signature so you can verify messages from me when bitmessage is down, please see the bitmessage general chan for a copy from my bitmessage address.
So, future lessons:
- - - Yes, all bitmessage addresses are public and can be read from your messages.dat file using a small script.
- - - Don't click links. Even if it looks like a security-related site and uses some technical terms. I am not a nice person, I will publish any information I can gather about you and I don't care if you get lit on fire by terrorists because of it.
- - - Bitmessage does _not_ scale. It took me around 3.5 hours to send ~15k messages but it took the bitmessage network over 18 hours to fully propogate them.
Some of you were smart enough to use tor or VPN providers, but many of these are direct home or server IPs. The information below is more than enough for any government to come after you or any script kiddie to DDoS you. Be more careful next time.
Some of you tried to use scripts to claim addresses which weren't yours and skew the data, of course, you didn't even change your user-agent.
Even without accouting for that your attacks were ineffective because the IDs were generated in a non-linear fashion using a cropped HMAC-SHA256. To find your id:
def gen_mac(addr):
mac = hmac.new("fuck you", addr, hashlib.sha256).digest()
return unpack('>I', mac[0:4])[0]
This simple deterministic method means that you would have had to try... (2^32/15000)/2 = 143165 times on average just to get a single collision. Thanks for playing, but no luck this time.
This service has been operated completely anonymously thanks to Tor and Bitcoin. I hope you enjoy the result.
-
was destined to not scale from the day it was thought of. There have been years and years of research into making it so PIR scales, everybody gets everything is least scalable possible. BitMessage has problems from the bottom to the top, and some of the problems it used to have were so bad that it obviously wasn't made by people who have a clue what they are doing. Even now that they don't encrypt the entire message with RSA they still have tons of traffic analysis issues etc. Pretty much the problem area they are working in has had truck loads of research into it for the past fifty or so years and they obviously didn't read any of it. I learned the same lesson some years ago, don't try to invent your own secure communications system if you are not an expert, and you are probably not an expert if you don't have a Ph.D or at least masters degree in a related science, or if you have not spent 5-8 years researching on your own, while having a solid understanding of advanced math as well. There already are hundreds if not thousands of whitepapers out there from people who are experts on such things, if you want to make a system read their whitepapers and spend your efforts implementing them (which is hard enough in itself) and thinking of ways to make their systems work together (because a complete system for secure anonymous communications is going to involve several different parts, and each part will have its own whitepaper). The less that you need to invent yourself the better.
They took Bitcoin and tried to make it a message system, so they didn't totally reinvent the wheel. But they thought that everybody gets everything was a good idea for messaging systems to maintain anonymity, and theoretically it is, but having that thought without knowing what Private Information Retrieval is will lead to ignoring the fact that there are decades of research into having the same anonymity properties while using orders of magnitude less bandwidth.
-
Everyone gets a copy of every message ever sent
Bad Idea? You don't say? <sarcasm>
I could have told you that!
-
Crypto engineering is incredibly difficult to get right. It typically takes years of testing before you can claim it's reliable. Read this guy's blog http://blog.cryptographyengineering.com/ on a regular basis he's apparently working on a PGP replacement but it's been 1.5 years in the making and still being tested. Probably won't see it for another year or so.
-
Read this guy's blog http://blog.cryptographyengineering.com/ on a regular basis
Isn't that the same guy who was involved in developing Zerocoin?
http://blog.cryptographyengineering.com/2013/04/zerocoin-making-bitcoin-anonymous.html