dragorn wrote:
> Posted this on irc, but:
> 
> "Security is hard"
> "Cryptography is harder."
> 
> http://secupost.net/2325962497/bitmessage-security
> 
> Bitmessage extremely vulnerable and insecure.

The attack in question (from what I could glean from this post):

The attacker ("Robert White") sent bitmessages to 15000 addresses.  Each
contained a URL with a unique identifier that was a hash of the recipient
address.  When the recipient clicked on the link, White's server sent back a
500 (HTTP application error) and logged the URL (with the unique identifier)
and the IP address that sent the request.

With the unique identifier he was able to obtain the original bitmessage
address, so the log allowed him to construct a mapping from bitmessage
addresses (which are intended to be pseudonymous) to IP addresses (which are
typically identifiable).

This is extremely bad.  But it's not specifically a bitmessage problem.*  You
can do the same thing with TOR or I2C or any other protocol designed to hide
communication endpoints.  In fact, an unknown number of TOR users recently got
owned just this way - through a browser exploit that reported their IP and
MAC addresses to a central server.

I can't vouch for the security of bitmessage, but I don't see this incident as
detracting from it.

*If the bitmessage UI lets you click on a link in a message and bring it up in
a browser that's not TOR protected (it probably does, but I haven't used the
UI) then I'd say this is a problem with the bitmessage client - it shouldn't
make it easy to do that.  But like Mike said, security is hard.

> 
> -m
> 
> On Tue, Aug 20, 2013 at 09:17:32AM -0400, Michael Muller wrote:
> > 
> > Mark and Wilma Wallace wrote:
> > > I agree but judges with subpoena powers won't feel in a catch 22 no 
> > > matter how much security you have. The minimum sentence for possessing 
> > 
> > Yes, but if you're using good encryption end to end, then that judge has to
> > subpoena a party in the conversation.  And the jury is still out on whether
> > you can be compelled to decrypt your own data in response to a court order:
> > 
> > https://www.eff.org/deeplinks/2013/07/new-eff-amicus-forced-decryption-unconstitutional
> > 
> > But the point is to force that conversation.  If someone is reading your
> > e-mail you should at least know about it.
> > 
> > > child pornography is five years and the McDonald's router would find 
> > > it so fast that your head would spin.  A McDonald's manager told me that 
> > > the router gives off a signal and he has orders from on high to walk the 
> > > dining area and see who is surfing for what.
> > 
> > If a McDonald's router can sniff Tor, I will leave my current job and go
> > work at McDonald's :-)
> > 
> > > 
> > > Mark
> > > 
> > > 
> > > On Tuesday, 20 August, 2013 06:24 AM, Chris Knadle wrote:
> > > > On 2013-08-19 18:14, Mark and Wilma Wallace wrote:
> > > >> The only truly secure way to transmit something is to walk over to 
> > > >> the guy
> > > >> and whisper in his ear.  I was told to never send anything in an 
> > > >> email or
> > > >> post anything on the internet that you wouldn't want to see on page 
> > > >> one of
> > > >> the New York Times.
> > > >
> > > > If you know ahead of time that each system your email is going to pass
> > > > through supports ESMTPS then you can at least have an idea that the 
> > > > email
> > > > isn't going to be _easily_ "snooped".
> > > >
> > > >   -- Chris
> > > >
> > > 
> > > 
> > > -- 
> > > Robert Mark Wallace
> > > 60 Delaware Road
> > > Newburgh, NY 12550-3802
> > > Telephone: (845) 541-7396
> > > 
> > > _______________________________________________
> > > Mid-Hudson Valley Linux Users Group                  http://mhvlug.org
> > > http://mhvlug.org/cgi-bin/mailman/listinfo/mhvlug
> > > 
> > > Upcoming Meetings (6pm - 8pm)                         Vassar College
> > >   Sep 4 - NoSQL and MongoDB
> > >   Oct 2 - OpenFlow: Open Standard for Networking Hardware
> > >   Nov 6 - November Meeting
> > > 
> > 
> > 
> > =============================================================================
> > michaelMuller = [email protected] | http://www.mindhog.net/~mmuller
> > -----------------------------------------------------------------------------
> > We are the music-makers, and we are the dreamers of dreams
> >  - Arthur O'Shaughnessy
> > =============================================================================
> 
> -- 
> 


=============================================================================
michaelMuller = [email protected] | http://www.mindhog.net/~mmuller
-----------------------------------------------------------------------------
If you are not willing to control your own mind, there are plenty of other
people who are willing to do it for you.
=============================================================================
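A client-side check for the tracking-link technique described at the top of this message, added here as an illustration and not code from the Bitmessage project or from anyone in this thread. It assumes the attacker embeds a plain hex digest of the recipient's address in the URL, as the post describes, and that the client knows its own addresses; the addresses, hostnames and message text below are constructed sample data, and the `link_action` policy (block a link that encodes one of our own addresses, route others through a configured SOCKS proxy, otherwise ask before opening) is one possible design for the "don't make it easy to click out of the anonymity network" point in the footnote, not an actual Bitmessage feature.

```python
import hashlib
import re

# Constructed sample addresses standing in for the recipient's own Bitmessage addresses.
MY_ADDRESSES = ["BM-2cXExampleRecipientAddressOne", "BM-2cXExampleRecipientAddressTwo"]

# Any http(s) URL in a message body, and any hex run long enough to be a digest.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
TOKEN_RE = re.compile(r"[0-9a-fA-F]{32,128}")


def address_fingerprints(addresses):
    """Map every hex digest an attacker could derive from our own addresses
    with a common unsalted hash back to (address, hash name)."""
    fps = {}
    for addr in addresses:
        for name in ("md5", "sha1", "sha256", "sha512"):
            digest = hashlib.new(name, addr.encode()).hexdigest()
            fps[digest.lower()] = (addr, name)
    return fps


def find_tracking_links(message_text, addresses=MY_ADDRESSES):
    """Return URLs in message_text whose path/query carries a digest of one of
    our addresses, i.e. a link that would tie this address to our IP if opened."""
    fps = address_fingerprints(addresses)
    findings = []
    for url in URL_RE.findall(message_text):
        for tok in TOKEN_RE.findall(url):
            hit = fps.get(tok.lower())
            if hit:
                findings.append({"url": url, "token": tok,
                                 "address": hit[0], "hash": hit[1]})
    return findings


def link_action(url, message_text, addresses=MY_ADDRESSES, tor_proxy=None):
    """Policy a client could apply before handing a URL to the system browser.
    tor_proxy is a hypothetical configured SOCKS proxy URL, or None."""
    if any(f["url"] == url for f in find_tracking_links(message_text, addresses)):
        return "block"           # link encodes our own address: deanonymization attempt
    if tor_proxy:
        return "open_via_proxy"  # route the request through the anonymity network
    return "confirm"             # never open silently in a browser exposing the real IP


# Constructed sample message: one link tagged with sha256(recipient address), one benign link.
_TOKEN = hashlib.sha256(MY_ADDRESSES[0].encode()).hexdigest()
TRACKING_URL = "http://tracker.example.invalid/r/" + _TOKEN
BENIGN_URL = "https://example.org/docs"
SAMPLE_MESSAGE = f"Hi, have a look at {TRACKING_URL} and also {BENIGN_URL} thanks"

if __name__ == "__main__":
    for f in find_tracking_links(SAMPLE_MESSAGE):
        print(f"tracking link {f['url']} encodes {f['address']} via {f['hash']}")
    print(link_action(TRACKING_URL, SAMPLE_MESSAGE))
    print(link_action(BENIGN_URL, SAMPLE_MESSAGE, tor_proxy="socks5h://127.0.0.1:9050"))
```

This only catches identifiers that are unsalted digests of the bare address; an attacker can just as easily salt, encrypt or randomly assign the token and keep the mapping server-side, in which case nothing in the message body reveals the correlation. That is why the durable mitigation is the policy half: a client that never hands a URL to a browser outside the anonymity network, rather than one that tries to recognise tracking links.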
