Silk Road forums
Discussion => Security => Topic started by: Shroomeister on August 15, 2013, 12:23 pm
-
Without Tormail these days we have begun to look for an alternative means of communication, should The Road ever have an outage etc.
We have begun experiments with bitmessage and encourage all of you to check it out.
Learn more at:
https://bitmessage.org/wiki/Main_Page
Decentralized, encrypted pseudo-email alternative.
You can Bitmessage us at:
BM-GtLadgVamPY81NrkPbwVu2UfbckXKQpw
and you can also join our "silkroad channel" at:
Chan name:
silkroad
Chan Address:
BM-2DBDA6UvwUSxm8WGPMoD8KBhGAowSSBa9P
-
PS if ever communicating anything deemed "sensitive" please use PGP.....as ALWAYS!
:)
-
Please excuse my ignorance.
If we are using a strong encryption algorithm and logging in via the Tor Network - then what is wrong with Yahoo mail? Keep in mind that - again - everything is encrypted and we are using Tor.
(Also a strong password but that should go without saying)
-
If we are using a strong encryption algorithm and logging in via the Tor Network - then what is wrong with Yahoo mail? Keep in mind that - again - everything is encrypted and we are using Tor.
Metadata. An adversary can determine which parties you are communicating with. Although those parties may also be anonymous, metadata in aggregate can sometimes tell a story. If an adversary can determine who you are communicating with and look at their accounts, he may be able to find unencrypted messages. Track down enough parties, read enough accounts, and he can infer things about you. It's less secure than an "everyone gets everything" system like BitMessage, where an adversary can't prove which messages were sent to you. Well, that would be the case if it were true:
https://bitmessage.org/forum/index.php/topic,1666.0.html
-
Do note though, Bitmessage doesn't use Tor by default - you can configure it to here (https://bitmessage.org/wiki/FAQ#How_do_I_setup_Bitmessage_to_work_with_Tor).
DD
-
+1 for this thread.
I know Bitmessage still has its kinks that need to be worked out, but I like it and use it on the rare occasion when I need an anonymous way of communicating with someone.
-
There's also Exploit.im or Riseup.net jabber service with OTR. Or Torchat.
-
Bitmessage has already been proven to have fatal flaws in it. Unfortunately the guy who maintains it was completely weasely in his replies and sort of responded like a msg forum lawyer, unable to concede any points and just continually defended the pile of shit he created. It would help if he would submit a true white paper, one with clear technical specifications instead of vagueness. I would trust Bitmessage in about 2-3 years after everybody has had a chance to break it, and only if there's a real whitepaper released.
This was before everybody found out the NSA can pwn elliptic curve cryptography too. So it's double fucked. If you use it, only use it over Tor and assume everything is compromised, so paste in your 4096 PGP msgs; don't rely on their crypto engineering.
Make sure your PGP password is truly random. I would collect directly from /dev/random and generate a gigantic password, then keep that in a password safe (Schneier's Password Safe or KeePass). Don't use 1Password or LastPass, they've been broken too. Read the Hashcat forums where they whittled down the entropy to hardly anything. LastPass even refused to fix a bug, so consider it dangerous: www.tobtu.com/lastpass.php
-
Bitmessage has already been proven to have fatal flaws in it. Unfortunately the guy who maintains it was completely weasely in his replies and sort of responded like a msg forum lawyer, unable to concede any points and just continually defended the pile of shit he created. It would help if he would submit a true white paper, one with clear technical specifications instead of vagueness. I would trust Bitmessage in about 2-3 years after everybody has had a chance to break it, and only if there's a real whitepaper released.
This was before everybody found out the NSA can pwn elliptic curve cryptography too. So it's double fucked. If you use it, only use it over Tor and assume everything is compromised, so paste in your 4096 PGP msgs; don't rely on their crypto engineering.
Make sure your PGP password is truly random. I would collect directly from /dev/random and generate a gigantic password, then keep that in a password safe (Schneier's Password Safe or KeePass). Don't use 1Password or LastPass, they've been broken too. Read the Hashcat forums where they whittled down the entropy to hardly anything. LastPass even refused to fix a bug, so consider it dangerous: www.tobtu.com/lastpass.php
Use Diceware to generate a passphrase. Because the words from the Diceware list are chosen by a random physical process (dice throws), there is no way that the order of words in the list can be determined. Even if an adversary knows that you used a 10-word Diceware passphrase, the only method they can use to attempt to break it is brute force. A 10-word Diceware passphrase has 129 bits of entropy. Given the fact that, as a general rule, passphrases/keys are usually found after a search of one-half of the keyspace, this means that the authorities would have to search a 128-bit keyspace to determine your passphrase.
See: http://www.diceware.com (clearnet)
Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://qtt2yl5jocgrk7nu.onion/pks/lookup?op=get&search=0xB8F1D88EBBF7433B (IndyMedia .onion keyserver)
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090 (Silk Road Forums PGP Key Link)
PGP Key Fingerprint = 83F8 CAF8 7B73 C3C7 8D07 B66B AFC8 CE71 D9AF D2F0
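The entropy arithmetic in Nightcrawler's post above, worked through in code. This is an added example, not code from the thread, from Nightcrawler, or from the Diceware project: it assumes the standard list size of 7776 entries (one per five-die roll), uses the operating system's CSPRNG in place of physical dice, and embeds a constructed six-word stand-in list only so that the script runs offline.

```python
"""Diceware-style passphrase generation and entropy estimate.

Added example for this thread, not the poster's code or Diceware's own
tooling. Assumes the real word list has 6**5 = 7776 entries, keyed by a
five-die roll such as '31452'. The tiny SAMPLE_WORDS list is constructed
for illustration and gives far less entropy than the real list.
"""
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words, one per five-die roll

# Constructed stand-in list; a real run would load the full 7776-word list.
SAMPLE_WORDS = ["cloud", "river", "stone", "maple", "quartz", "ember"]


def roll_dice(count: int = 5) -> str:
    """Return `count` die throws as a digit string (e.g. '31452').

    secrets.randbelow draws from the OS CSPRNG, standing in for physical dice.
    """
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(count))


def dice_to_index(roll: str) -> int:
    """Map a five-die roll (digits 1-6) to a 0-based index in [0, 7775]."""
    if len(roll) != 5:
        raise ValueError("a Diceware key is exactly five dice")
    index = 0
    for digit in roll:
        d = int(digit)
        if not 1 <= d <= 6:
            raise ValueError(f"bad die value {digit!r}")
        index = index * 6 + (d - 1)
    return index


def entropy_bits(num_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of `num_words` words drawn uniformly from a list of `list_size`."""
    return num_words * math.log2(list_size)


def expected_search_bits(num_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """log2 of the expected brute-force work: half the keyspace, i.e. one bit less."""
    return entropy_bits(num_words, list_size) - 1


def generate_passphrase(num_words: int, words=SAMPLE_WORDS) -> tuple[str, float]:
    """Pick words uniformly with the CSPRNG; return (passphrase, entropy in bits).

    The entropy reported is for the list actually used, so with the six-word
    sample list it is num_words * log2(6), not the Diceware figure.
    """
    phrase = " ".join(secrets.choice(words) for _ in range(num_words))
    return phrase, entropy_bits(num_words, len(words))


if __name__ == "__main__":
    print(f"10-word Diceware passphrase: {entropy_bits(10):.2f} bits")
    print(f"expected brute-force search: 2^{expected_search_bits(10):.2f}")
    roll = roll_dice()
    print(f"roll {roll} -> list index {dice_to_index(roll)}")
    phrase, bits = generate_passphrase(10)
    print(f"demo phrase from the six-word sample list ({bits:.1f} bits): {phrase}")
```

Ten words from the full list give 10 * log2(7776), about 129.25 bits, and the half-keyspace expectation in the post is simply one bit less. The same function makes the cost of a short list visible: ten words from the six-word sample list are under 26 bits, which is why the list size matters as much as the word count.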
-
Thank you guys for all the insight and info. I have to say I have already fallen away from checking my Bitmessage because... well, frankly... I just don't need email really on the dark net with SR.
I DO still look at it, but was really just playing with it when I made the original post.
Thanks again all.