
How Can We Be Sure Bleep Is Secure?


Toxicle


How do we know that the encryption is properly implemented? How do we know that the authorities haven't issued a court order to have a backdoor installed the way they did with Skype? How do we know that BitTorrent isn't collecting our data and selling it to the highest bidder?

Is there an answer other than "just trust us" or the many variations thereof?


Simple answer is you can't.

How can you trust your OS?

How can you trust your CPU?

How can you trust your ISP?

How can you trust the chips in the network switches?

Unless you go out into the middle of the desert, grab some sand, and make your own CPU and program an OS for it, you can never be 100% sure.



Actually, he needs a different, purer grade of sand, but yes, he should take off the foil hat.



I can trust my OS by reading its code. The open source community as a whole can't be bribed or silenced, unlike private corporations.

I don't trust my ISP, which is why I use encryption.

I cannot verify the integrity of my hardware, but I can monitor its activity to see if something fishy is going on.

You're correct that it's impossible to be 100% sure; however, I'd much rather be 99% sure than 50% sure. The chances of my CPU being backdoored and sending all of my data to the NSA are substantially lower than of closed-source software doing the same. We already know all the big-name software companies do it.

What's the rationale for settling for 50% when 99% is possible? If security is not one of your main concerns then this thread isn't intended for you.


Well, similarly, you could monitor what goes in and out of Bleep to check.

But just as devil's advocate, here are two examples:

1) Heartbleed: that was open source, and it had tens of thousands of independent entities reviewing that code module, and no one picked up on the security flaw for, I think, something like 2-3 YEARS.

2) Secondly, yes, the open source community can most certainly be bought off. The NSA (I feel like they are the de facto whipping boy, because there are other governments that are just as pervasive) could most certainly introduce a weaker pseudo-random number generator (Dual_EC_DRBG) and weaken an entire suite of software, and none would be the wiser unless you have multiple PhDs in mathematics and cryptology.

I agree with you that "perfect is the enemy of good", but:

1) People would like to make a profit off their hard work and intellectual property (not saying that's what's going on with Bleep), so they might not be inclined to make it open source.

2) Making something open source is not synonymous with "safe".

I think the pole we should be barking up is "will you make the network protocol open, similar to BitTorrent?", so that you can retreat to your log cabin in the woods and write your own Bleep client and be sure that the NSA didn't bug your teeth while you were asleep.

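The Heartbleed bug named in point 1 of the reply above was a missing bounds check on a peer-supplied length field, which is why it could sit in widely read code. The following is an added example, not code from this thread, from OpenSSL or from Bleep: a toy Python heartbeat handler that reproduces that pattern next to the bounds check that fixed it. The record layout follows RFC 6520; the `SECRET` constant and the heap layout (record followed by `SECRET`) are constructed for the demo.

```python
"""Added example, not code from the thread, from OpenSSL or from Bleep: a toy
TLS heartbeat handler that reproduces the Heartbleed (CVE-2014-0160) pattern,
an attacker-controlled length field used without checking it against the
bytes actually received, next to the bounds check that fixed it."""

import struct
from typing import Optional

# Constructed stand-in for whatever sat next to the record in process memory.
SECRET = b"session-key=deadbeef"


def build_heartbeat(payload: bytes, claimed_len: int) -> bytes:
    """Heartbeat record: type (1 byte) | payload_length (2 bytes, big-endian)
    | payload | at least 16 bytes of padding. An honest peer sets claimed_len
    to len(payload); an attacker sets it larger."""
    return struct.pack("!BH", 1, claimed_len) + payload + b"\x00" * 16


def make_memory(record: bytes) -> bytes:
    """Constructed heap layout: the received record followed by SECRET."""
    return record + SECRET


def vulnerable_response(memory: bytes) -> bytes:
    """Pre-fix behaviour: trusts the length field and copies that many bytes
    starting at the payload, reading past the record into adjacent memory."""
    _hb_type, claimed_len = struct.unpack_from("!BH", memory, 0)
    payload_start = 3
    return memory[payload_start:payload_start + claimed_len]


def fixed_response(record: bytes) -> Optional[bytes]:
    """Patched behaviour: header + claimed length + minimum padding must fit
    inside the record that actually arrived; otherwise the record is silently
    discarded (RFC 6520 section 4)."""
    if len(record) < 1 + 2 + 16:
        return None
    _hb_type, claimed_len = struct.unpack_from("!BH", record, 0)
    if 1 + 2 + claimed_len + 16 > len(record):
        return None
    return record[3:3 + claimed_len]


def honest_exchange() -> tuple:
    """Both handlers echo the five real payload bytes."""
    record = build_heartbeat(b"hello", 5)
    return vulnerable_response(make_memory(record)), fixed_response(record)


def malicious_exchange() -> tuple:
    """Five real bytes, but a claim of 41: 5 + 16 padding + 20 bytes of SECRET.
    The vulnerable handler returns SECRET; the fixed one returns None."""
    record = build_heartbeat(b"hello", 5 + 16 + len(SECRET))
    return vulnerable_response(make_memory(record)), fixed_response(record)


if __name__ == "__main__":
    leaked, discarded = malicious_exchange()
    print("vulnerable handler leaked:", leaked[-len(SECRET):])
    print("fixed handler returned:", discarded)
```

The check that matters is the single comparison in `fixed_response`: the attacker controls `claimed_len`, so the only trustworthy bound is the size of the record that was actually read off the wire.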


No, you cannot monitor what Bleep does with your data. That's impossible. Once the data leaves your router it's theirs to do what they will with. We don't even know what type of encryption they use or if they have a master key.

1. This has been argued ad nauseam and is not a valid point at all. The fact that Heartbleed existed for 2-3 years with that many eyes on it makes me extremely scared of what sorts of bugs might be sitting in closed-source code that only a few people look at on a regular basis, not for years but for decades (think Windows NT kernel).

2. The NSA introducing a vulnerability into open source software is not the NSA "buying off" the open source community. Even if that's possible, it's still much harder for them to get away with and will ultimately fail with enough time.

Your attempt to paint security-concerned users as crazy, paranoid cartoon characters is not doing your argument any favors. We KNOW that the NSA is spying on us, and we KNOW that there are steps we can take to mitigate their prying eyes. Why BitTorrent opts not to take these very simple steps has still not been explained by anyone, and why people like you continue to support them is even more confusing and concerning.


2 weeks later...

I was asserting that with a packet sniffer you could see what the local Bleep client was doing with your data, or at the very least you can see where it's going and if the data is in plain text. If you were super sassy you could try to decrypt the key with your private key.

The only thing your 1st statement suggests is that neither can be trusted.

Not everyone is interested in making projects open source, because they want to make money off their intellectual property. Closed source exists for a reason, and that reason is people like to pay for things like food.

To that end, however, I do find the lack of updates pretty infuriating. If you don't want to explain the source, that's fine, but the protocol should be open for others to use and documented (similar to how BitTorrent works).

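Both the earlier suggestion that you could watch what goes in and out of the Bleep client and the reply above that a packet sniffer at least shows where the data is going and whether it is plain text come down to the same check on a capture. The following is an added example, not code from this thread or from BitTorrent/Bleep: a minimal Python pcap reader that, for each IPv4/UDP packet, reports the destination and classifies the payload as plaintext-like or ciphertext-like using Shannon entropy and the share of printable bytes. It reads a classic pcap such as tcpdump writes; the two-packet capture it builds for the offline demo, the RFC 5737 addresses, the port number, the chat message and the SHA-256 keystream standing in for ciphertext are all constructed.

```python
"""Added example, not code from the thread or from BitTorrent/Bleep: a
minimal pcap reader that, for each UDP packet, reports where the data went
and whether the payload looks like plain text or like ciphertext. Run it on
a capture from tcpdump (Ethernet/IPv4/UDP only); the demo below builds a
constructed two-packet capture in memory so it runs offline."""

import hashlib
import math
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text sits around 4-5, encrypted or compressed
    data close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII, tab, CR or LF."""
    if not data:
        return 0.0
    return sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13)) / len(data)


def classify_payload(data: bytes, min_len: int = 64) -> str:
    """Heuristic only: high entropy means 'encrypted or compressed'; it says
    nothing about which cipher, how the key is managed, or who else holds it."""
    if len(data) < min_len:
        return "too-short"
    ent, pr = shannon_entropy(data), printable_ratio(data)
    if pr > 0.9 and ent < 6.0:
        return "plaintext"
    if ent > 7.0 and pr < 0.5:
        return "encrypted-or-compressed"
    return "unknown"


def parse_pcap(blob: bytes):
    """Yield raw link-layer frames from a classic (non-pcapng) pcap file."""
    magic, = struct.unpack_from("<I", blob, 0)
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(endian + "HHiIII", blob, 4)[5]
    if linktype != 1:
        raise ValueError("only Ethernet captures (LINKTYPE_ETHERNET) handled")
    off = 24
    while off + 16 <= len(blob):
        incl_len = struct.unpack_from(endian + "IIII", blob, off)[2]
        off += 16
        yield blob[off:off + incl_len]
        off += incl_len


def decode_udp(frame: bytes):
    """Return (src_ip, dst_ip, dst_port, payload) for IPv4/UDP frames, else None."""
    if len(frame) < 14 + 20 + 8 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != 17:  # IP protocol 17 = UDP
        return None

    def dotted(b: bytes) -> str:
        return ".".join(str(x) for x in b)

    src_ip, dst_ip = dotted(frame[26:30]), dotted(frame[30:34])
    udp = 14 + ihl
    _sport, dport, ulen, _csum = struct.unpack_from("!HHHH", frame, udp)
    return src_ip, dst_ip, dport, frame[udp + 8:udp + ulen]


def summarize(pcap_blob: bytes) -> list:
    """(destination, port, classification) for every UDP packet in the capture."""
    rows = []
    for frame in parse_pcap(pcap_blob):
        decoded = decode_udp(frame)
        if decoded:
            _src, dst, port, payload = decoded
            rows.append((dst, port, classify_payload(payload)))
    return rows


# ---- constructed capture for the offline demo (addresses from RFC 5737) ----
def _udp_frame(src_ip: str, dst_ip: str, dst_port: int, payload: bytes) -> bytes:
    def ip4(s: str) -> bytes:
        return bytes(int(p) for p in s.split("."))
    udp = struct.pack("!HHHH", 40000, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ip4(src_ip), ip4(dst_ip)) + udp  # checksums 0: not validated here
    return b"\x00" * 12 + struct.pack("!H", 0x0800) + ip


def _pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return out


def _keystream(n: int) -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 in counter mode)."""
    return b"".join(hashlib.sha256(b"constructed" + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]


CHAT = (b"hi, this is a constructed chat message sent without any encryption, "
        b"so a sniffer on the path can read every word of it as it goes by")


def demo() -> list:
    blob = _pcap([_udp_frame("192.0.2.5", "198.51.100.7", 6881, CHAT),
                  _udp_frame("192.0.2.5", "203.0.113.10", 6881, _keystream(1024))])
    return summarize(blob)


if __name__ == "__main__":
    for dst, port, verdict in demo():
        print(f"{dst}:{port}  {verdict}")
```

To use it on a real capture, read the file into `blob` and call `summarize(blob)`. The classifier only tells you whether the bytes on the wire look random: compressed data scores the same as ciphertext, and nothing in a capture tells you which cipher was used, how the keys are managed, or whether a master key exists, which is exactly the part of the original question a sniffer cannot answer.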

3 months later...

This is all so fascinating, but to keep it simple, the question still stands. It can be answered: they can tell us what encryption they are using and whose random number generator. Are video and audio encrypted both ways? This does not give away anything about how they are doing it, just simple answers. We all know that one should not say or do anything on the net that they don't want to get out. I never post video or audio or text that I would not want others to see. If it's on the net someone will find a way to get it. But there are things we can do, like using encryption apps where we control the keys; I just love Boxcryptor for my Dropbox stuff and Threema for my online communications, PGP for my email. But these are my so, so limited thoughts, lol. I really don't care if the NSA sees or hears what I'm saying, in one sense, because I say and do nothing that they would be interested in. On the other hand, I will keep fighting to keep them out of my business because they have no right to be in it as long as I'm not, like, doing illegal stuff. Maybe I'm all wet behind the ears, but I love hearing and reading everyone's thoughts and learning.

