Pages:
Author

Topic: Suggestion to change the obsolete social media from account info (Read 632 times)

hero member
Activity: 1806
Merit: 672
We do have the option to add a "Other Contact Info" under the Forum Profile Information tab. Personally even if the admins decide to replace it from what you suggested I still wouldn't put my personal accounts in their like what I did to my email where I opt it out to remain hidden from the rest of the users. However I see this feature change very useful to members who are heavily involved in the marketplace doing business since people who are interested in talking to them would find their contacts easily.
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
Thank you for sharing your wisdom here, nullius!

Cu plăcere, GazetaBitcoin!

Your ideas are great and I just hope theymos will read your post here. Maybe he will make a change based on your suggestion, though.

I also always hope for forum improvements.  Unfortunately, given the problem of what seems to be a bit of software misdesign:

Those fields are actually built a bit deeply into SMF for some reason, so it's not completely trivial to change, but it can be done. Low on my to-do list, though, as hugeblack mentioned.

I think that at least in the short term, a more practical hope here is to encourage people to put their PGP fingerprints in the “other contact info” field, as I do!

Perhaps a thread should be someday started to encourage that.  However, I think we first need more PGP advocacy on the forum; otherwise, we would be putting the cart before the horse.  (Perhaps another idiom with a literal Romanian equivalent?)

I posted a PSA in Beginners & Help on why people should care about PGP fingerprints.  For the how, I have a simple, forum-oriented, extremely basic PGP tutorial in the pipeline.  In the future, I also hope to contribute to such fine efforts as this (n.b. my name in the credits).  Together, we can build community efforts to help people secure their forum identities using the power of strong cryptography!

Also, what AC2 copy did you lose? What do you mean by AC2? Assassins' Creed 2? Smiley

Bruce Schneier’s Applied Cryptography, Second Edition (1996) gave me my first solid introduction to cryptography.

Besides that, I didn't know that in English exist also the saying "to not see the forest for the trees". I was sure it is a Romanian saying. Apparently, it is not. We have this saying as well, translated ad literam.

As a guess from one who should know well enough to look up the history of the phrase, my immediate hypothesis is that it may be the type of idea spread through the European upper classes, who had Latin as a common language, and then filtered down into the vernacular.

By comparison, European folk-dances show much variation; but ballet and ballroom dances were spread through Europe by the upper classes.  Many high-culture dance styles (especially, ballroom dance styles) were much influenced by local folk dances, and in turn influenced folk dances in other parts of Europe.

Consider that to be more of a demonstration of how to form such hypotheses than anything else.  The next step would be some philological research, which may show the hypothesis to be wrong.  Unfortunately, many reasonable-seeming hypotheses become wildly incorrect urban legends or “folk etymologies” that are flatly wrong, e.g., the incorrect notion that the phrase “give a damn” originated from “give a dam” with reference to a low-value coin.

I give a damn about correctness.
legendary
Activity: 1680
Merit: 6524
Fully-fledged Merit Cycler|Spambuster'23|Pie Baker
OP, good idea except for the “Telegram, Discord, Skype and Instagram” part.  The research into actual ongoing usage (or the impossibility of such usage) of the various old popular IM networks is most useful.  Unfortunately, I doubt that the forum will add, remove, or change the existing profile fields anytime soon.  Too bad.

~snip~

Now, observe that most of my focus here is on authentication of an identity, and not simply on providing a means of contact.  A comparison of the communications security of PGP to that of ICQ, AIM, and MSN Messenger would be laughable.  Placing a PGP fingerprint in one’s profile is a statement of cryptographically strong identifying information, not merely a bit of contact info.  That, indeed, is why I have kludged my PGP key fingerprint into my profile and displayed it in my forum signature, ever since I started actively posting.

Thank you for sharing your wisdom here, nullius!

Your ideas are great and I just hope theymos will read your post here. Maybe he will make a change based on your suggestion, though.

Besides that, I didn't know that in English exist also the saying "to not see the forrest for the trees". I was sure it is a Romanian saying. Apparently, it is not. We have this saying as well, translated ad literam.

Also, what AC2 copy did you lose? What do you mean by AC2? Assassins' Creed 2? Smiley
Vod
legendary
Activity: 3668
Merit: 3010
Licking my boob since 1970
My ICQ number is seven digits long

Lower or higher than 808xxxx?
legendary
Activity: 3318
Merit: 2008
First Exclusion Ever
IMO we need to go the other direction. Turn Bitcointalk into a classic dial up BBS.
copper member
Activity: 630
Merit: 2614
If you don’t do PGP, you don’t do crypto!
OP, good idea except for the “Telegram, Discord, Skype and Instagram” part.  The research into actual ongoing usage (or the impossibility of such usage) of the various old popular IM networks is most useful.  Unfortunately, I doubt that the forum will add, remove, or change the existing profile fields anytime soon.  Too bad.

This thread caught my attention because I was involved in a similar thread in December of 2017—when I was a Newbie actively posting for two weeks, as noted below.  At the time, I suggested a PGP fingerprint field.  Now, I must address something that theymos apparently said whilst nullius slept.



An important security message from Mr 0xC2E91CD74A4C57A105F6C21B5A00591B2F307E0C, a.k.a. “nullius” #976210:

I’ve long thought there should be a spot for PGP fingerprint.

PGP fingerprints are SHA-1, which is insecure. The OpenPGP standard really needs a complete new revision...

theymos is wrong here, and he should not be FUDding the security of PGP fingerprints whilst a revised standard is slowly grinding its way through the IETF process.

SHA-1 is badly broken against collision attacks.  SHA-1 MUST NOT be trusted for any purpose requiring security against a collision attack, period.  (Now, where is SHA-1’s trust page?)

An attacker who did a SHA-1 collision attack against PGP key fingerprints could generate two different keys that have the same fingerprint.  That’s it.  He could not determine in advance what the fingerprint will be; and he could not by thus means generate a key matching somebody else’s already-existing fingerprint.

There are many uses of hashes where collision attack resistance is important—especially, any scenario where an attacker can generate benign and malicious versions of a message (a contract, a CA certificate request, etc.), induce an innocent party to sign the benign version using a digital signature based on SHA-1, and then apply the same digital signature to the malicious version.  Git is also vulnerable to an attacker generating benign and malicious versions of a commit, although as a practical matter, the attack seems difficult to carry off with a plaintext source code commit.  Regardless, as a precaution, Bitcoin Core uses custom commit-hook script generate a SHA-512 tree hash, and also makes use of signed commits.  Generally, I would be much more wary of images, PDFs, and other blobs committed to a git repository, in any scenario where a malicious committer could benefit by sneaking in a bad version.

Whereas a PGP fingerprint is not such a scenario.

A PGP fingerprint needs resistance to preimage attacks, not collision attacks.  SHA-1 still provides a 160-bit security level* against a preimage attack.

(* Simplified for the sake of explanation.  Please don’t counterargue with some research paper shaving two or three bits off the security margin, or whatever; I would not consider SHA-1 to be “broken” against preimage attacks, unless someone shaved it down significantly below the approximately 2128 amount of work needed to break other some cryptographic primitives used by PGP, e.g., the best known attacks against Curve 25519.)

As specified in the current version of the OpenPGP standard, at RFC 4880 § 12.2, a v4 key’s fingerprint uses SHA-1.  The way that it uses SHA-1, an attacker would need to carry off a full* preimage attack to make himself a key matching someone else’s PGP fingerprint.  That is infeasible.

(* “Full”, in contradistinction to the partial preimage attack that Bitcoin mining uses for proof of work.  Similarly, it is trivial to make a key matching a 32-bit PGP “short” keyid, and not-infeasible to do the same attack against a 64-bit “long” keyid.  That is why I have always listed my full PGP fingerprint in my forum signature.)

The “RFC4880bis” draft revision of the OpenPGP standard prospectively adds v5 keys, with fingerprints using SHA-256.  Those will provide a 256-bit security level against preimage attacks on the fingerprint.

My root-of-trust PGP identity key fingerprint is based on an Ed25519 key.  A Pollard’s rho attack could solve the DLP for my key with about 2126 work (← note: 126)—to say nothing of a hypothetical future attacker with a large, efficient quantum computer.

(I don’t think that’s a significant practical concern to Bitcoin now; but an identity key should be able to last a lifetime, at least.)

I am certainly interested in better options for my identity key*.  But whilst those are yet unavailable, it seems pointless for me to quibble over the security level of a v4 fingerprint with its 160 bits of preimage attack resistance.

(* Linked post is by nullc, who is not me.  Oops.)

Now, observe that most of my focus here is on authentication of an identity, and not simply on providing a means of contact.  A comparison of the communications security of PGP to that of ICQ, AIM, and MSN Messenger would be laughable.  Placing a PGP fingerprint in one’s profile is a statement of cryptographically strong identifying information, not merely a bit of contact info.  That, indeed, is why I have kludged my PGP key fingerprint into my profile and displayed it in my forum signature, ever since I started actively posting.  I am 0xC2E91CD74A4C57A105F6C21B5A00591B2F307E0C; 0xC2E91CD74A4C57A105F6C21B5A00591B2F307E0C is me; and if you want to authenticate my identity, I explicitly request that you verify digital signatures rooted in 0xC2E91CD74A4C57A105F6C21B5A00591B2F307E0C.

Merited by nullius (10)
Kek, only one interesting thing: i can't find any pgp signature or bitcoin signature from nullius after his return (since 2nd January).

His pgp keys is well known - https://bitcointalksearch.org/topic/pgp-256-airdrop-bounty-signature-spam-campaign-old-school-crypto-3107429

Are you sure this is real nullius?

Code:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

PSA: *Always* verify digital signatures.

If somebody claims to be me, and he refuses produce
a fresh signed statement signed with a key certified by
0xC2E91CD74A4C57A105F6C21B5A00591B2F307E0C (whether as a subkey,
or through proper rollover(s) to a new master key), then you must
conclusively presume that he is an imposter and an *identity thief*.

Signed,

nullius (2020-02-14)

In homage to Grand Duchess Anastasia and Satoshi Nakamoto:
https://bitcointalk.org/index.php?topic=5215128.0

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQSNOMR84IlYpr/EF5vEJ5MVn575SQUCXkbeaQAKCRDEJ5MVn575
SYTHAQD3Qu3qQSrTgO4PTuHtyUnevNEvy6EELXz6I+iGEV8sxAD/UG+ulc0Jrd7j
LjL18mAodvlGIaPppfCGldxHwseNJwg=
=4VkN
-----END PGP SIGNATURE-----

Control of a forum account is not cryptographic evidence of identity.  Control of an e-mail address is also not cryptographic evidence of identity.  With my large boldface supplied:

Topic: [email protected] is compromised
Today I received an email from [email protected] (Satoshi's old email address), the contents of which make me almost certain that the email account is compromised. The email was not spoofed in any way. It seems very likely that either Satoshi's email account in particular or gmx.com in general was compromised, and the email account is now under the control of someone else. Perhaps [email protected] expired and then someone else registered it.

Don't trust any email sent from [email protected] unless it is signed by Satoshi. (Everyone should have done this even without my warning, of course.)

I wonder when the email was compromised, and whether it could have been used to make the post on p2pfoundation.ning.com. (Edit: I was referring here to the Dorian Nakamoto post. After I posted this, there was another p2pfoundation.ning.com post.)

* nullius asks, “But what is Satoshi’s PGP key fingerprint?  If I download that key from your link, how do I know it is the same key that Satoshi used before?”

The email said:
Quote from: [email protected]
Michael, send me some coins before I hitman you.

Not exactly Satoshi's normal style. Wink

* nullius asks, “The key that I just downloaded from your link lacks any Web of Trust signatures.  Anyway, suppose that I don’t already have verified keys from anyone who knew Satoshi.  What then?  Does this look right to you?”

Code:
$ gpg Satoshi_Nakamoto.asc 
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   dsa1024 2008-10-30 [SC]
      DE4EFCA3E1AB9E41CE96CECB18C09E865EC948A1
uid           Satoshi Nakamoto
sub   elg2048 2008-10-30 [E]

https://3g2upl4pq6kufc4m.onion/html?q=DE4EFCA3E1AB9E41CE96CECB18C09E865EC948A1

Whereas in the context of what is really a discussion of forum identity, theymos’ deprecation of PGP fingerprints is not seeing the forest for the trees.  As its primary means of authenticating identity, the forum relies on plain-old password authentication!  (And it has been hacked in the past.)  Even a totally obsolete v3 PGP fingerprint using MD5 would be incomparably more secure than the forum’s login system for the purpose of securing user identities!

https://www.schneier.com/crypto-gram/archives/2001/0315.html#6
I really don't believe in willingly putting a man-in-the-middle in your HTTPS like this, […]

The security implications are that Cloudflare can read everything you send to or receive from the server, including your cleartext password and any PMs you send or look at.

Thank you, theymos, for honestly disclosing and discussing the facts about Cloudflare.

(I seem to also remember a Schneier quote about attackers climbing in through the window, after you secure your door with an unbreakable lock.  I can’t find it now.  It may have been in AC2; I lost my copy of AC2 whilst fleeing the CIA due to undisclosed personal difficulties adventures circa 2011.  Help?)



My Newbie suggestion

Let’s google first to see if things have been suggested before. Tongue

Yes, but you missed an earlier suggestion on a thread whereby I myself replied, when I was a Newbie.  Well, from your above quote, it looks like Mr Nasty was a fan of my Newbie posts. ;-)

Or what's most secure that we would want to advocate people use?

I might say Keybase, as long as people use their own PGP keys & not the ones Keybase generates.

For chat:  Jabber (for OTR), Ricochet, Tox.

Simply for use of the fields:  Straight-up PGP key fingerprints!  Please.  If possible, with means to time-lock them instead of pasting ad hoc messages into the “stake your address” thread.  That could solve so many problems.

Keybase users could also post their PGP key fingerprints, of course.  But that way, the fields would not be Keybase-specific.

[...]

Besides having suggested profile PGP fingerprints when I had been posting for but a fortnight, I believe that I was the first person to ever suggest time-locking a commitment of a PGP fingerprint in a forum profile.

It is actually not the best solution.  A much better idea would be to give pseudonymous cypherpunk users the option to irrevocably commit an account to be bound to PGP fingerprints, TOFU as for the first committed key, with a strict key-rollover rule requiring bidirectional cross-certification between the old key and the new key.  That idea has some subtleties, obvious failure modes, and nonobvious edge cases that I don’t think I should discuss at length here, when the chance of it being implemented Any Time Soon on the forum is effectually nil.



P.S., please never tie anything into Keybase!  The stupidly misdesigned verification procedure in their web app makes it impractical to keep a profile updated without installing their software, and entrusting one’s keys to their software on a network-connected computer—or else blindly copypasting their shell scripts into a network-connected machine that has both gpg and curl (!).  This is unacceptable to me.  I have a warning posted on my long-disused Keybase account; and I may perhaps delete the account entirely, due to the impracticality of keeping my key updated there.
legendary
Activity: 1680
Merit: 6524
Fully-fledged Merit Cycler|Spambuster'23|Pie Baker
Well, let's just hope that at some point theymos will look into it Smiley Most likely, it is not something very important but we can say it is a "nice to have" feature.
legendary
Activity: 1722
Merit: 2213
- ICQ is not used anymore or is used only by a few people. Its servers were shut down in December 2018.
- AIM was shut down in December 2017 but even before this date it wasn't used anymore.
- MSN desn't exist anymore under this name since 2005 when it was rebranded as Windows Live Messenger, but even this new form of MSN was shut down in 2013.
-YIM was shut down in July 2018.

Nice research, I think you proved these social media platforms are dead without any doubt. Liking the references too  Cheesy

Maybe they can be replaced with Telegram, Discord, Skype and Instagram, for example.

I think you're right with your suggestion, although this also goes to show the top social media platforms in one decade can be completely different by the next. Maybe this has stabilized a lot more since the days of facebook, but I imagine it will continue to change over the years, not something theymos would want to keep up-to-date with imo. I also think it's safe to assume there hasn't been any changes to these social media account details since 2005 (when MSN was shutdown), so I also doubt there will be any changes in the near future. I'd also agree with simpy removing all these, and having 4 "blank" social media account options (that recognizes the relevant platforms with data input), so users can chose their own.
legendary
Activity: 3696
Merit: 2219
💲🏎️💨🚓
Was that program's name Trillian perhaps? Smiley

BINGO! Yes, that's the one!
hero member
Activity: 2240
Merit: 537
FREE passive income eBook @ tinyurl.com/PIA10
Hehe that's a long time history here... I am glad I was around that time. I used to be a fan of YIM that time Smiley

Haven't used YIM since my circle of friends were more aligned to MSN, but it's quite spectacular to see a gradual shift of trend to current IMs. Imagine what are the next-gen apps in like 5 years time Cheesy
legendary
Activity: 1680
Merit: 6524
Fully-fledged Merit Cycler|Spambuster'23|Pie Baker
My ICQ number is seven digits long and I know someone who's number was six digits long.  I had been using it via a third party application enabling me to use other ICQ style chat channels on my laptop (the names were in one list and in the background they were processed via the various applications (ICQ mIRC etc)).

Was that program's name Trillian perhaps? Smiley I remember that one used to work at that time for more chat softwares at one (mIRC, YIM, MSN). I remember I used it for a little while as well Smiley
legendary
Activity: 3696
Merit: 2219
💲🏎️💨🚓
My ICQ number is seven digits long and I know someone who's number was six digits long.  I had been using it via a third party application enabling me to use other ICQ style chat channels on my laptop (the names were in one list and in the background they were processed via the various applications (ICQ mIRC etc)).

I downloaded the ICQ program about 18 months ago, but didn't get around to installing it.  I did read at the time that their focus was changing, or something or other.

I'll definately miss ICQ.



Removing those links list a simple matter of a couple of mouse clicks - I suspect NO ONE has enough clearance to do that hence it and a number of other features that can be modified haven't been.



There's another thread concerning splitting a thread into two new topics, this is also a feature of SMF that is rarely used here.
legendary
Activity: 1680
Merit: 6524
Fully-fledged Merit Cycler|Spambuster'23|Pie Baker
Hehe that's a long time history here... I am glad I was around that time. I used to be a fan of YIM that time Smiley
hero member
Activity: 2240
Merit: 537
FREE passive income eBook @ tinyurl.com/PIA10
The 90s kid will remember how MSN used to be the bomb. All those nudges and emojis Cheesy
legendary
Activity: 2296
Merit: 2262
BTC or BUST
legendary
Activity: 2114
Merit: 2248
Playgram - The Telegram Casino
I agree with you. Profile page of users should be kept as simple and clean as possible. It is not good if the forum allows 10-20-50 lines to add external platforms' links. Now we have Facebook, Twitter, Instagram, Telegram,etc. But the list will become longer.
It's also unlikely that one would want to link their bitcointalk account to their Facebook, Twitter or Instagram. These platforms are not geared towards privacy rather exposure and would compromise a lot of accounts. It's a choice however and some users may want then available, but I don't think it's sufficient incentive tmfir the admins to implement considering the hint at how difficult it is.
hero member
Activity: 1372
Merit: 783
better everyday ♥
Oh well...it seems this has been discussed before, but I didn't see the topic prior writing this one. My bad.
But, as far as I see, it past almost an year since then... Maybe theymos forgot about that suggestion. Maybe after seeing this thread he will decide to make the change Smiley
I don't think they forgot that suggestion. Simply, they consider it a normal proposal, not of importance, so it is not a priority to make. This forum has thousands of things to do, an unnecessary offer that won't be considered. Morever, we can provide some other information through the website section in the profile and name it arbitrary, it's completely enough to assist in communication. This proposal was put with low priority
legendary
Activity: 3234
Merit: 1375
Slava Ukraini!
Yeah, these social networks is outdated, or doesn't works at all anymore. Personally, I haven't ever used most of them in my life Cheesy. I only remember having MSN account.
Probably it would be good thing to remove them, but I think it's not big issue. Probably in new forum software it will be removed, so I think it's worth all hassle to remove them now.
But personally, I don't think that these things is really needed. If new social networks would be added, I wouldn't upload links to it for privacy reasons. Maybe it's enough to have email, Telegram and Discord fields.
BTW, OP, one of your mentioned services - Skype is already available here for long time, maybe since launch of Bitcointalk.
hero member
Activity: 2352
Merit: 905
Metawin.com - Truly the best casino ever
Does any of you know which of these social media have been included in the new update of the forum? Are there plans to include specific one, or will they be ignored?

In general, I did not pay attention to them and I think there is no point in adding them, as it increases the confusion of a forum that focus on texting.
At the moment none of them, you can only fill the bars of 1. Your website and 2nd - Your BTC adress.
I think they will be ignored because there is none talk about that and if you are interested with planned features, here it is: http://epochtalk.org/map.html#planned
New forum will have better communication possibilities like notification on hashtag and etc so...
sr. member
Activity: 854
Merit: 424
I stand with Ukraine!
In general, I did not pay attention to them and I think there is no point in adding them, as it increases the confusion of a forum that focus on texting.
I agree with you. Profile page of users should be kept as simple and clean as possible. It is not good if the forum allows 10-20-50 lines to add external platforms' links. Now we have Facebook, Twitter, Instagram, Telegram,etc. But the list will become longer.
Pages:
Jump to: