Bitcoin Forum
September 22, 2019, 02:44:51 AM *
News: Latest Bitcoin Core release: 0.18.1 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 ... 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 [83] 84 85 »
  Print  
Author Topic: [ANN] ChipMixer.com - Bitcoin mixer / Bitcoin tumbler - mixing reinvented  (Read 59295 times)
LoyceV
Legendary
*
Offline Offline

Activity: 1610
Merit: 4645


Largest Merit Circle on BPIP!


View Profile WWW
September 11, 2019, 10:50:39 AM
 #1641

So now the only thing you need to do, is prove the "communication key" was generated by the program.
This goes far above my technical knowledge, but I'm very interested to see how this would actually work. Would this still work if the owner of the website can create an exact clone of the RAM and read everything (including encryption keys) in there?

1569120291
Hero Member
*
Offline Offline

Posts: 1569120291

View Profile Personal Message (Offline)

Ignore
1569120291
Reply with quote  #2

1569120291
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1569120291
Hero Member
*
Offline Offline

Posts: 1569120291

View Profile Personal Message (Offline)

Ignore
1569120291
Reply with quote  #2

1569120291
Report to moderator
1569120291
Hero Member
*
Offline Offline

Posts: 1569120291

View Profile Personal Message (Offline)

Ignore
1569120291
Reply with quote  #2

1569120291
Report to moderator
DireWolfM14
Hero Member
*****
Offline Offline

Activity: 518
Merit: 765



View Profile WWW
September 11, 2019, 04:39:38 PM
 #1642

It would seem to me to be negligent of intelligence-agencies to not be running their own mixing services.

I agree, but that discussion should be held in a topic of it's own.


One feasible way (AFAICT) of proving you aren't logging would be making-public the program that runs on the server. That program would not log (which people can check by looking at the source code) and it would generate a "communication key". Which would be an asymmetric encryption key that can be used to securely talk to the program. Then on your website you make a little light js client which serializes/deserializes encrypted messages from server-side program.

So now the only thing you need to do, is prove the "communication key" was generated by the program. If we know the communication key was generated by the program, then we know anything encrypted to that key can only be read by the program, and we know that program does not log. Now the cool thing is we can use Intel's SGX and remote attestation to actually prove this key was generated by this particular program.

I don't know that this would prove anything.  Regardless of the encryption method you suggest, we must still trust that ChipMixer's code running on their server is the same code made available for public audit.  Without being granted access rights to their server (which I can't imagine happening) we're left taking their word for it.  Like we're taking them at their word that they are not logging.

jackg
Copper Member
Legendary
*
Offline Offline

Activity: 1498
Merit: 1305


https://bit.ly/2FR9nyn - free python tutorials


View Profile
September 11, 2019, 05:17:47 PM
 #1643



I don't know that this would prove anything.  Regardless of the encryption method you suggest, we must still trust that ChipMixer's code running on their server is the same code made available for public audit.  Without being granted access rights to their server (which I can't imagine happening) we're left taking their word for it.  Like we're taking them at their word that they are not logging.

Yeah as I interpret it, this would be more of a release of the frontend (mostly) and might not go very far towards proving openness as you'd still have to trust ChipMixer's daemon thats running on the same and the different server.

A mixer shouldn't be the only place you go to mix your coins in order to make it more private, sending funds to certain exchanges, mining rentals and gambling sites are often good additions after and between mixing. There are probanly better ideas others have come up with that I've missed, large companies holding bitcoin on a large scale aren't going to care too much if a few bitcoin go in and out every so often - some exchanges are better than others will be so remember to research if you want a good strategy.



On the Ddos issue if ChipMixer were to put into development a system where you download something and get a public private key pair you can then use to connect to the site over cloudflaee so it's still encrypted however there are a few main issues with this: most people mixing don't want people to know who they're connected to and that they're using a mixer, why should you download something from an anonymous source (even if you trust them it's still a bit risky) most devs in bitcoin for example have compromised their identity this can't be done here... If a decentralised anti ddos system gets put into place then these problems can be vastly mitigated but even bitcointalk goes down when it's heavily ddosed and behind a cloudflare package so it might not actually do much...

RHavar
Legendary
*
Offline Offline

Activity: 1778
Merit: 1410



View Profile
September 11, 2019, 06:05:47 PM
Merited by LoyceV (2), hugeblack (1), DireWolfM14 (1)
 #1644

Would this still work if the owner of the website can create an exact clone of the RAM and read everything (including encryption keys) in there?

Yeah, that doesn't matter. That's actually the attack vector Intel SGX is designed for. It protects against it by encrypting the entire memory space of the application. There's a bit of a performance hit to this (say 15% slower than a program not running in an enclave) but it's surprisingly reasonable. Although your CPU actually does physically contain that decryption key, which in theory could be extracted with physical access. As I understand it though, it's extremely hard to do so with any attempt to physically extract should destroy the data before you can do so.


Regardless of the encryption method you suggest, we must still trust that ChipMixer's code running on their server is the same code made available for public audit.

No, Intel SGX provides something called "remote attestation" which you can think of Intel signing a message saying "This specific program, generated this specific value when run in a secure enclave". So if that program (which you verify matches, and doesn't log) generated a public key. You know you can now communicate with that program in a way no one else can intercept the messages.


The two immediately obvious pitfalls:

a) Intel could potentially be compelled into signing a false-attestation.
b) There's security vulnerabilities in SGX which nullify their guarantees (which has happened several times before).

Either way though, Intel has probably invested billions (?) into their secure computing so they would be extremely unhappy to see their guarantees fail in the wild.


Quote
On the Ddos issue if ChipMixer were to put into development a system where you download something and get a public private key pair you can then use to connect to the site over cloudflaee so it's still encrypted however there are a few main issues with this:


Users wouldn't need to download anything other than the webpage, which contains a few hundred lines of javascript to serialize/deserialize encrypted messages to the known public key. Then you'd verify the public key matches what people have said actually matches the remotely attested to one.
agreen99
Newbie
*
Offline Offline

Activity: 11
Merit: 0


View Profile
September 11, 2019, 06:13:56 PM
 #1645

 Am  I  the only one who noticed that their website is down for 2 days now?

malevolent
can into space
Staff
Legendary
*
Offline Offline

Activity: 2324
Merit: 1218



View Profile
September 11, 2019, 11:53:04 PM
Last edit: September 12, 2019, 12:26:49 AM by malevolent
 #1646

No, Intel SGX provides something called "remote attestation" which you can think of Intel signing a message saying "This specific program, generated this specific value when run in a secure enclave". So if that program (which you verify matches, and doesn't log) generated a public key. You know you can now communicate with that program in a way no one else can intercept the messages.

The two immediately obvious pitfalls:

a) Intel could potentially be compelled into signing a false-attestation.
b) There's security vulnerabilities in SGX which nullify their guarantees (which has happened several times before).

Either way though, Intel has probably invested billions (?) into their secure computing so they would be extremely unhappy to see their guarantees fail in the wild.

Is it possible to avoid using Intel's Attestation Service? (since that requires registering with Intel and so on as far as I understand how it works.)



Am  I  the only one who noticed that their website is down for 2 days now?

I don't know if it's 2 days already (last time I checked the website was a couple days ago), but at least for the past several hours both their regular and the .onion site have been down for some reason.

If it's actually been down for 2 days, then that doesn't sound good, as ChipMixer hasn't posted any info, nor has he logged into his account in the past 24h.



RHavar
Legendary
*
Offline Offline

Activity: 1778
Merit: 1410



View Profile
September 12, 2019, 02:59:22 AM
 #1647

Is it possible to avoid using Intel's Attestation Service? (since that requires registering with Intel and so on as far as I understand how it works.)

I think you really need that remote attestation to make it useful. I'm not sure, but I suspect AMD/ARM probably have similar things, but not sure about the process. For Intels you need to register, but I don't think that's an issue (and it's free)


Quote
If it's actually been down for 2 days, then that doesn't sound good, as ChipMixer hasn't posted any info, nor has he logged into his account in the past 24h.

Actually seems up for me, just supppppper slow. So probably a big long-lasting DDoS (ugh, fuck the internet Sad)
btctaipei
Jr. Member
*
Offline Offline

Activity: 38
Merit: 6


View Profile
September 12, 2019, 05:47:13 AM
Last edit: September 12, 2019, 06:08:09 AM by btctaipei
Merited by LoyceV (1)
 #1648

Am  I  the only one who noticed that their website is down for 2 days now?

Site not down but not usable at the moment.  
Here is my unbiased analysis to current chipmixer's situation (time will tell if this is true):

1) Attack against Chipmixer isn't all that volumetrically significant.
2) Chipmixer had been watched and targeted by state level adversaries with assistance by deep state and related big data entities can do mass surveillance on hosting providers /CDN entites with AWS/Google/Cloudflare user data exfiltration to facilitate necessary traffic and data correlation attack.
3) major transit providers to datacenter hosting clear web probably now had span port enabled for quite site time on their switch to log, spoof and identify the .onion site's origin.  This isn't likely to change.
4a) DDoS is necessary to attempt to trick browser to leak information related to chipmixer session key over TLS/SSL (that can be restored / steal privatekey and chips) but since chipmixer uses minimal .js was the likelihood of success in this side-channel SSL content scrubbing trick isn't all that great.
4b) sustained DDoS would be necessary since it would compel site under DDoS (unfortunately for the adversaries Chipmixer isn't clueless) to reconsider use DDoS CDN services like Cloudflare.
4c) Once Cloudflare or similar CDN is used, all chips, sessions, and private keys can be monitored and logged by deep state, since now the privatekey is available for the SSL Cert (on *.cloudflare domains) used to serve up and fetch content proxy to chipmixer web site.  This is done with special SSL pinning appliance with cloudflare's private key tapping (span) Chipmixer scrubbed/clear traffic channel and exfiltrate IP, User Log (session), and even private key and bitcoin address of all transactions or activities involved.
5) Chipmixer Admin realize the above situation and quietly re-architect the server infrastructure to parallel a dozen of .onion mirror site with different Host/transit ISP to survive similar deep state surveillance attack in the future.  How much help Chipmixer from expert in this area forum and resources such as bitcointalk would likely determine how soon site returns to normal service.
agreen99
Newbie
*
Offline Offline

Activity: 11
Merit: 0


View Profile
September 13, 2019, 10:35:27 AM
 #1649

I studies Law and even worked for Law Enforcement. LA will never do something like that. Illegal obtained proofs can not eve be used in court + they can't break the law as they want. we are not even allowed to use hacking software/guess somebody password without a warrant. if we wanted to get somebodies account details we had to obtain a warrant. (for facebook , for google/yahoo it was more 1000 times more complicated, he had to  use an international mechanism - call our ministry to ask a prosecutor from US to call a judge from US to give us an order.).
DireWolfM14
Hero Member
*****
Offline Offline

Activity: 518
Merit: 765



View Profile WWW
September 13, 2019, 03:45:16 PM
 #1650

Espionage isn't subject to the same restrictions as domestic law enforcement.  A bitcoin obfuscator that's actually a NSA honeypot wouldn't be able to be used as evidence against a domestic tax cheat because of anti-entrapment laws.  But if they're tracking an international drug cartel or a terrorist cell (domestic or not) those anit-entrapment laws are not applicable.  

malevolent
can into space
Staff
Legendary
*
Offline Offline

Activity: 2324
Merit: 1218



View Profile
September 13, 2019, 05:20:17 PM
Last edit: September 13, 2019, 06:43:55 PM by malevolent
 #1651

I studies Law and even worked for Law Enforcement. LA will never do something like that. Illegal obtained proofs can not eve be used in court + they can't break the law as they want. we are not even allowed to use hacking software/guess somebody password without a warrant. if we wanted to get somebodies account details we had to obtain a warrant. (for facebook , for google/yahoo it was more 1000 times more complicated, he had to  use an international mechanism - call our ministry to ask a prosecutor from US to call a judge from US to give us an order.).

It might be illegal in your country, but legal in another country. Parallel construction may also be used and you won't even know if any laws were broken when gathering the evidence.



BTW, I can load the clearnet website only with a VPN but it loads immediately, the .onion site works without any issues.

RHavar
Legendary
*
Offline Offline

Activity: 1778
Merit: 1410



View Profile
September 13, 2019, 06:30:05 PM
 #1652

A bitcoin obfuscator that's actually a NSA honeypot wouldn't be able to be used as evidence against a domestic tax cheat because of anti-entrapment laws.

That's absolutely not how entrapment laws works or are intended to work. Firstly (although the specifics vary per country) you almost universally you have to demonstrate you would not normally have done the crime if it wasn't for the persuasion or trickery of the police. No joke, the police have quite literally operated a child-pornography site as a honeypot and without extenuating circumstances entrapment is simply not a defense.

But more importantly, if it was a honeypot it would be used for evidence gathering, rather than charging you with a crime per se.
malevolent
can into space
Staff
Legendary
*
Offline Offline

Activity: 2324
Merit: 1218



View Profile
September 13, 2019, 09:31:52 PM
 #1653

The devil is in the details, the differences between different jurisdictions are considerable enough that what in one country will be a legal sting, in another will be an illegal entrapment, or looked at as manufacturing criminals.

agreen99
Newbie
*
Offline Offline

Activity: 11
Merit: 0


View Profile
September 14, 2019, 07:16:20 AM
 #1654

Now everybody who haven't managed to withdraw their coins, will loose them! for ever! as the sessions expires in 7 days.
LoyceV
Legendary
*
Offline Offline

Activity: 1610
Merit: 4645


Largest Merit Circle on BPIP!


View Profile WWW
September 14, 2019, 08:31:39 AM
 #1655

Now everybody who haven't managed to withdraw their coins, will loose them! for ever! as the sessions expires in 7 days.
I'm think this applies again:
Our Tor service is under DOS attack. We are working to resolve this issue.
All existing sessions will be extended for another 7 days.

btctaipei
Jr. Member
*
Offline Offline

Activity: 38
Merit: 6


View Profile
September 14, 2019, 06:49:46 PM
Last edit: September 14, 2019, 08:23:23 PM by btctaipei
 #1656

Now everybody who haven't managed to withdraw their coins, will loose them! for ever! as the sessions expires in 7 days.

it does appear that chipmixer.com over clear net having reachability issues.  The .onion over Tor now seems reasonably responsive and after trying multiple mixing sessions no issue were evident.  This to exchange voucher and get a list of private key at all for current or previous BTC deposits over http://chipmixerwzxtzbw.onion
filipwx
Sr. Member
****
Offline Offline

Activity: 490
Merit: 250



View Profile
September 14, 2019, 09:39:42 PM
 #1657

Now everybody who haven't managed to withdraw their coins, will loose them! for ever! as the sessions expires in 7 days.

it does appear that chipmixer.com over clear net having reachability issues.  The .onion over Tor now seems reasonably responsive and after trying multiple mixing sessions no issue were evident.  This to exchange voucher and get a list of private key at all for current or previous BTC deposits over http://chipmixerwzxtzbw.onion

So did you manage to get your list of keys?

I wonder why there is statement of chipmixer itself.
btctaipei
Jr. Member
*
Offline Offline

Activity: 38
Merit: 6


View Profile
September 14, 2019, 10:20:45 PM
 #1658

So did you manage to get your list of keys?

I wonder why there is statement of chipmixer itself.

imported it 100% and moved and combined with dozen of utxo bc1 (bech32) addresses trickle thru multiple lightening channel and doing massive coinjoin createrawtransaction on tor only bitcoincore node for even better privacy. Keep chips size between most common 0.008 - 0.064 btc to make things more difficult for chain analysis.

There should be an option to get bech32 privatekeys from chipmixer for privacy and lower fees (some 50%+ fewer satoshi paid when bitcoin network gets congested).  This should not be difficult, just need a bit of update with sufficient regression testing on the back office of chipmixing.

you can defeat chain analysis with very large pool of private key spread out randomly over period of several month (years in my case) and move it with huge coinjoins to obfusticate those transactions.  Affording this, however, to do this it isn't exactly cheap.
TryNinja
Legendary
*
Online Online

Activity: 1134
Merit: 1469



View Profile
September 14, 2019, 10:25:29 PM
 #1659

Now everybody who haven't managed to withdraw their coins, will loose them! for ever! as the sessions expires in 7 days.
Along with what Loyce said above, keep in mind that you can always send them an email asking them to extend your session.

1Referee
Legendary
*
Offline Offline

Activity: 2002
Merit: 1347

Segwit please.


View Profile
September 15, 2019, 09:19:31 AM
 #1660

There should be an option to get bech32 privatekeys from chipmixer for privacy and lower fees (some 50%+ fewer satoshi paid when bitcoin network gets congested).  This should not be difficult, just need a bit of update with sufficient regression testing on the back office of chipmixing.

I don't think it's much of a problem on Chipmixer's end, but more so a problem when it comes to the adoption of bech32 that needs to be more widely deployed.

Bitcoin's lowering fees made people pretty comfortable with how the situation is, hence the majority of the clients don't see much need to add it, though I would have preferred them to be more active and give people that option anyway. The trend within crypto seems to be to only act when its needed, and not make sure you're ready to onboard more use beforehand.  Undecided

I personally don't have much of a problem with Chipmixer not offering bech32 support yet. Even the legacy fees aren't usually topping $1 per transaction.

Pages: « 1 ... 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 [83] 84 85 »
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!