So, every hacker [s/is slowly forgetting due to global gaslighting and abuse/knows firmly/] that plaintext, unsigned communications are pointless because all the political influences between you and the person you're communicating with will alter your communications. In order to connect we have to find each other on networks that are more reliable than e-mail. A clue to finding these networks, people, and other exotic information, is weird strings of numbers and letters that seem like random gobbledygook, almost as if we were copy and pasting computer glitches to each other. No, these confusing strings of characters are the words of computer hackers: especially if the alphabetic characters never exceed 'f' in the alphabet, which does not stand for 'fuck this is confusing', but rather for 'we made computers highly efficient by braking them into powers of two'. It's called hexadecimal.
On 10/12/20, Stefan Claas <sac@300baud.de> wrote: [snip...]
Regards Stefan
-- NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675 The computer helps us to solve problems, we did not have without him.
Here, we have a hexadecimal string associated with the phrase 'NaClbox'. 'NaCl' is a stupid-people-who-use-computers word for encryption and verification. 'box' is the same for computer. Let's search for it and see i we can find this random string of hexadecimal! This time, I'm going to [s/heal my injured spine/wise up to the manipulative marketing AIs/] just a smidge, and use a search engine other than google. Even better would be _asking a human being_, but we're not quite that smart yet. I'll try duckduckgo. I typed 'naclbox' into duckduckgo and the first hit is ... https://www.naclbox.com/ ! This has to be it, right? It has the right domain name! A computer game thing! This hacker must have been asking us to play computer games with them, how friendly! Let's do some wizardry called a 'dns lookup' on that url. There's a way, given _any url_, to get information on who purchased it and stuff like that. If [s/you're actually part of a major corporate conspiracy and are frequently hired to kill people who look into the origins of coverups/you have schizophrenia from too many dns lookups/] you may have trouble doing this important research, but it's not very hard to do. Searching the internet for "lookup dns purchase command line", I see a way to copy the term that [s/gives me severe traumatic flashbacks/i haven't learned to use yet/]: "whois". My system doesn't have "whois" installed because I'm a normal person, not a mumbo-jumbo computer wizard, but I can install it like any other package, and run it on www.naclbox.com: ``` $ whois naclbox.com Domain Name: NACLBOX.COM Registry Domain ID: 1653881042_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.gandi.net Registrar URL: http://www.gandi.net Updated Date: 2020-03-27T19:42:08Z Creation Date: 2011-05-01T15:51:02Z Registry Expiry Date: 2021-05-01T15:51:02Z Registrar: Gandi SAS Registrar IANA ID: 81 Registrar Abuse Contact Email: abuse@support.gandi.net Registrar Abuse Contact Phone: +33.170377661 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Name Server: NS-1219.AWSDNS-24.ORG Name Server: NS-1965.AWSDNS-53.CO.UK Name Server: NS-259.AWSDNS-32.COM Name Server: NS-544.AWSDNS-04.NET DNSSEC: unsigned URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
Last update of whois database: 2020-10-12T13:36:17Z <<<
This record claims that the domain was purchased on 2011 and expires
2021. It's been a really long time since I've done this, but I was
expecting to see some information on e.g. a technical contact or
something: a real human being associated with the website. Maybe I
have too look somewhere else. I tried this:
$ whois -h whois.gandhi.net naclbox.com ``` which just sits there and hangs. Anyway, it sounds like the _cryptographic_ nacl project would be able to purchase this domain in 2021 if they wanted. Farther down the duckduckgo results is a more promising link, that leads to https://pkg.go.dev/golang.org/x/crypto/nacl/box . Unfortunately, this project now calls itself "package box", not "nacl box", which is discouraging. Still, we can look it over. Woohoo! "package box" says it is a generic frontend for NaCl encryption, which implies that it's possible that the signature we found is a public key for sending somebody private messages in a reliable manner, and that any tool that does this NaCl encryption can communicate with him. "package box" links to a central nacl website: https://nacl.cr.yp.to/box.html . A great way to check if we interpreted these letters-and-numbers-mumbo-jumbo correctly is to try to use them. We'll try to send this guy ... what's their name?
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
We'll try to send cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675 a message ! This might mean learning to use nacl. The page I found is a c++ interface, so I'll just use that since [s/my fingers and eyes spazz out uncontrollably when i use the web now/it's a good exercise for me to write a small C++ program/]. ``` $ sudo yum install nacl-devel # nacl is a software development library for secure communication that's been available on linux systems for some time now ... ``` If you've been through [s/an abusive enslavement experience where you suffered severe injuries and learned to dissociate from your memories as way of life/a corporate or government training program/] you may have difficulty forming encrypted communications with a hacker online, but rest assured everything is fine: since the worldwide digital coronavirus has thoroughly filled your device with malware, all the corporate goonies can make sure everything is okay, and since this guy is an experienced enough hacker to communicate with letters and numbers, they'll be able to tell that you aren't one of them. That doesn't mean they'll be able to keep themselves safe from your oppressive surveillance and control situations! It's your job to [s/manage those by communicating with your contacts/mourn your wake of dead hackers after the fact/]. So please make a record of what you do so that others can learn from it after somebody new [s/dies horrifically or gets forcibly enslaved by a criminal corporate dictator/gets bored and ignores the rest of us/]! First we need to generate a naclbox of our own, to send the communication from. It's just a set of small personal letters and numbers. The website has this in it: ``` #include "crypto_box.h" std::string pk; std::string sk; pk = crypto_box_keypair(&sk); ```
The crypto_box_keypair function randomly generates a secret key and a corresponding public key. It puts the secret key into sk and returns the public key. It guarantees that sk has crypto_box_SECRETKEYBYTES bytes and that pk has crypto_box_PUBLICKEYBYTES bytes.
The secret key is like your brainstem and your heart. You don't let anybody else even get a whiff of them, _certainly_ never touch them or see them, or you could get hurt. Since [s/I'm a corporate slave/this is just an example/], I'll be storing my brainstem on the malware that's infesting the system I am typing this on. On my system, I'll have to mutate the example from the website just a tiny bit, to get it to compile. ``` // nacl-generate.cpp #include <nacl/crypto_box.h> #include <fstream> #include <iostream> int main(int argc, char **argv) { if (argc != 2) { std::cerr << "Error: provide new delicate brainstem file as first argument." << std::endl; return -1; } std::string pk; std::string sk; pk = crypto_box_keypair(&sk); std::string brainstem = argv[1]; std::ofstream delicate_precious_guts_we_are_going_to_figure_out_how_to_protect(brainstem.c_str()); delicate_precious_guts_we_are_going_to_figure_out_how_to_protect << sk; // this is a c++ way to convert from computer innards to hexadecimal letters and numbers std::cout << brainstem << "'s name is: " << std::hex; for (char const * byte = pk.data(); byte != pk.data() + pk.size(); ++ byte) { std::cout << ((*byte) & 0xff); } std::cout << std::endl; std::cout << "Don't lose track of it or nobody will be able to find 'em!" << std::endl; } ``` I actually had to work with it quite a bit while handling my issues. ``` $ g++ nacl-generate.cpp -o nacl-generate -l nacl $ ./nacl-generate delicate delicate's name is: 1934067c6303d231b897152a989bd905fe82b5130de209a1ddb61e118e7a477 Don't lose track of it or nobody will be able to find 'em! $ mv delicate 1934067c6303d231b897152a989bd905fe82b5130de209a1ddb61e118e7a477 `` This file of letters and numbers is now _our_ identity. We can make similar programs to send and receive messages with them. There are likely tools out there already to do this automatically, and if not it would be a problem to be solved. Here's some code to receive messages with the file we made: ``` // nacl-receive.cpp #include <nacl/crypto_box.h> #include <fstream> #include <iostream> #include <sstream> std::string binary2hex(std::string binary) { std::stringstream ss; ss << std::hex; for (char const * byte = binary.data(); byte != binary.data() + binary.size(); ++ byte) { ss << ((*byte) & 0xff); } return ss.str(); } int main(int argc, char **argv) { if (argc != 2) { std::cerr << "Error: provide delicate private file as first argument." << std::endl; return -1; } std::string pk, pkhex; std::string sk; std::string n, nhex; std::string c, chex; std::string m; std::ifstream skfile(argv[1]); skfile >> sk; std::cerr << argv[0] << " receiving." << std::endl; // Although hackers like to share things in confusing ways, for example by // cramming the public key, the nonce, and the ciphertext all together, // we're separating them out here to ease my learning this new system. // When sending the greeting to the hacker, we may want to jam all the data // together, offering it as either a reasonably-confusing puzzle or a guess // as to having already put the time in to learn the system, so that we // speak their language more. Hackers tend to assume that everybody has as // much free time as they do, and might misinterpret things if somebody // didn't act as if they also did. This assumption would be easy to change by // playing their hacking games with them or preferably simply talking // clearly and directly and publically, rather than [s/fucking up their open // source people and projects/waiting for them to notice/]. But obviously // we can't do that, since we're [s/a bunch of people who want to help, // not the people in charge/too busy to get personally involved/]. std::cerr << "Enter public key of sender: " << std::flush; std::cin >> pkhex; pk = binary2hex(pkhex); std::cerr << "Enter nonce: " << std::flush; std::cin >> nhex; n = binary2hex(nhex); std::cerr << "Enter cyphertext: " << std::flush; std::cin >> chex; c = binary2hex(chex); m = crypto_box_open(c,n,pk,sk); /*The crypto_box_open function verifies and decrypts a ciphertext c using the receiver's secret key sk, the sender's public key pk, and a nonce n. The crypto_box_open function returns the resulting plaintext m.*/ std::cout << m << std::endl; } ``` In the next possible episode, we would either make a sourcefile to send a message to the hacker by again copying from that same website, or find a pre-existing tool that already does so, and then try sending a message to see if we even interpreted their signature at all correctly. We might also make an embarrassed reply, asking what their signature means, or search the archives of the list to find a clear explanation of it sitting there.