I sent this earlier but it disappeared from my outbox before uploading completed. I was asking, are these the files you intended to send? Each one seems like a small fluff document and no primary source documents are included.

Their own self-delegitimizing and self-disreputating actions forever precede whatever their code may or may not be. Those wishing to know what those [and indeed all] codes may or may not be, should audit them to their own satisfaction, preferably publicly. That applies to everything from the CPU to "Hello, World"... as surely many exploitable things lie waiting inside them all. And operations surely behind some of those.

archives, search: goldbug

Hi Randolph, I saw in 2013 you shared a press release from GoldBug 0.1 with different communities. I'm afraid at this point your shares are the only web results I'm getting for that press release. I understand you're not affiliated with GoldBug yourself, but were simply interested in people's opinions. If you're still around, do you recall at all where you found the press release? We're having a discussion on the cypherpunks list regarding the trustworthiness of GoldBug, and of course one question is the claim of being endorsed by the CCC and the EFF in the press release that came from you. Thanks so much for any reply at all, K

I presently am seeing this commit for https://github.com/textbrowser/spot-on.git f7cf61dc5ee25b4b5b9184926a81711e6ae037db master 2021-06-07T09:52:12-04:00 The repository starts in 2015, so does not include the svn data from the 2013 press release.

My emails are unsigned and I handed the has

*handtyped the hashes, autocorrect

I see things change on me a lot due to my different states of mind, so hashes are really helpful. I'm not sure how to quickly and reproducible hash the history of an svn repo offhand any more, so I'm importing it to git. My steam for this is running out a little. It sounds somebody may have lied about an endorsement and grarpamp won't let the project live it down. These repos demonstrate continuous transparent public activity, but I haven't looked at the code yet.

svn update -r 1571 # took me a while to find this find */ -type f -exec cat {} + | sha256sum d54a76bbf8df1b577a0e070fb6144e6bd33211cbcebe65c18d974f35ca76f027

(it doesn't look like geoip was used for another yet then. pretty sure I am looking at the wrong thing and this is just a draft of something, but not certain)

Okay! The goldbug source is inside branches/trunk . The tree was never normalised since svn and use of it continued. It's not about encrypting to a tiny sqlite database.

I'm having trouble working with the svn branches, which I have not uploaded to github, but the associated commits are likely there. Here are some extracts: 0.01 43d1d9a939b9a08dc3afa0d05704e33f0077ae4f 0.10 6afb5031b1caedc3be6a341d9218f79d589a9491 0.x 2fd439c7f69fbf9421e857481ed723461fdc07f4 1.x 5be0b65e0d9573adac9b2c27053e0b41a2482827 trunk 975df40782c5d413361115abcd2164fecb41865b

v0.01 is dated Sep 7, 2013. The press release said "V0.1" and was re-shared a few weeks later. Goldbug is a fully open-source Qt project.

Instructions on how to build the 2013 pre-release version of spot-on are in Documentation/COMPILING There is also a file there called RELEASE-NOTES, where the version is described as 0.01, not 0.1 as the purported press-release did. The release notes are short and to the point: "Version 0.01 of Spot-On is now available." There is also a TO-DO file under Documentation which shows the parts of the software being developed by the author.

goldbug project files were introduced to the repository in 2014 168713d0dd goldbug strings added to ui Jul 26 2013 e54980a10cbc That's 1 commit prior to 0.x Previously, "goldbug" is used throughout the source as a string that replaces a symmetric aes256 key, possibly with other meaning, unsure ... I infer that goldbug used to build as a project simply called spot-on

I'm probably going to tell grarpamp I disgree because the press release uses the wrong version format. I'll also want to see if I can check the binary hashes. But now I want to try to compile it ;p

It looks like the repo I ported to github expects to be a subfolder of the svn repo I was looking at earlier. Maybe I typed something wrong when importing it.

svnadmin --version # svnadmin, version 1.10.4 (r1850624) svnadmin create spot-on-svn-mirror cd spot-on-svn-mirror # for digest to match, set to my uuid svnadmin setuuid . 6c93ff20-5766-4f58-8b6a-37614513fa33 # svnsync needs this change to function echo '#!/bin/true' > hooks/pre-revprop-change chmod +x hooks/pre-revprop-change # mirror svnsync init file://"$(pwd)" https://svn.code.sf.net/p/spot-on/code svnsync sync file://"$(pwd)" # lots of mirroring happens through revision 4133 # checksum svnadmin dump . | b2sum -l 256 # lots of dumping happens through revision 4133 0f5c6bf5b334c2570dae9384255b60eeeff435db903afbd28f4be4c07d2ccaf7 The synced svn repository that dumps to that b2sum for me is at: https://github.com/xloem/spot-on-svn.git commit 6d869cce8caf2329001fb4a70faa1a4e95b3a48c

- [ ] loosely find what possible is the software can connect to - [ ] compile and run it, see if it is easy to contact the dev via it - [ ] see what os calls it performs, verify nothing is blatantly put on network - [ ] compare checksums of included binaries or - use argument with grarpamp: argument against software has as many or more sketchy parts as the points it is making against the software

I attempted 3 times to visit http://web.archive.org/web/*/https://torbrowser.sourceforge.net/ so as to find it appearing as a clone of the tor website. I received an internal server error each time. I did not try from different networks, due to it being a server error, apparently via ajax, but it is possible doing that could change things.

I revisited the archive.org link from the same device, and received a 503 for the whole http request, rather than a 503 or 500 via ajax.

On Sat, Jun 12, 2021, 4:16 PM Karl Semich <0xloem@gmail.com> wrote:

I'm looking through the goldbug audit a little.

On page 8 they describe a feature of "Instant Perfect Forward Secrecy (IPFS)". I'm not a cryptographer and haven't learned about cryptographic primitives since before forward secrecy was a thing, but I don't get any website for this and it has a misleading

*any webhits for this

acronym, so I'm wondering if they made it up to align with the popularity of the IPFS project to readers. Such behavior is similar to the claim of being endorsed by the CCC and EFF, or the claims for all the developers and projects being suspicious after one suspicious thing happened.

It's notable that in the work they actually gave their own made up names to a lot of things, and this is documented in their manual. It's probably helped them be able to share their work longer, to have it less recognisable for people who might not want it.

So, most of my visual cortex doesn't work for me. I see text in little clumps, like looking through a cardboard tube that moves around on its own. It's hard to get a general sense of things, for me. When I think of "audit", I want to know what the avenues are for compromising the various kinds of security a system has, so that people know how to continue using it and developing it, so that they are informed when doing so. I have no idea what an audit formally is. But these people know. They have all the sections and followed all the manuals. It looks like the result of being self-taught and putting incredible hours in, to me. It doesn't look like a deep fake. I don't know where to look to find information on security weaknesses. Glancing around the beginning, I mostly find verbiage about software features. I'm guessing this was written by developers of the project, laboriously, to support the project. It doesn't look independent.

Fyi for people still using svn, dump full backups from remote to disk... svnrdump dump https://remote > dumpfile

...

archives, search: goldbug

Why should people you don't believe bother rehashing it all for you when you can pull it all out of the archives of all the lists involved yourself. If that's too hard for you to do, then go ask both the EFF and CCC separately for a copy of their GoldBug announcement and post the text of their replies here. " From: Randolph D. Date: 2013/7/26 Subject: Fwd: Goldbug.sf.net - Secure Multi-Crypto-Messenger v0.1 released the EFF in conjunction with the Chaos Computer Club announced a new secure Instant Messenger called: GoldBug.sf.net (http://goldbug.sf.net) "

To clarify here: - Experienced software developers don't find it hard to scan through code. - People usually hide because they are in danger, not because they are untrustworthy.

I found naif's chatlogs with Randolph in his google drive folder. Randolph seemed to only partly understand the project and seemed to not respond to all the words that were said in english. I misrepresented the investigation by naif because I didn't understand how little information there was. It sounds like nobody reached out to the real devs. It reads like Randolph had an unspoken goal involving encrypted communication and wanted to form a communication path with somebody. I'm not sure if that ever happened. It's notable that they somehow found out about goldbug before its initial release. Goldbug presently is still downloaded on a daily basis.

On Wed, Jun 9, 2021, 6:53 AM Karl wrote:

[appropriate joke]

PGP seems pretty suspicious, too, no? Also POSIX?

[/appropriate joke]

I don't know why I'm receiving expression from you guys of such poor information.

What can this cypherpunks list do for either you, or your mitm if that is the reason for the poor information?

So, the reason I responded this way was because the information didn't show anything suspicious to me. The reasons for suspicion were a press release that wasn't included, and various behaviors that seem tiny to me. Meanwhile a lot of people's personally identifying information was being shared, when these people were running, using, and advocating an open source encrypted network . Most of the documents are sharing personal details on the people found related to the network. This can get people very hurt in my opinion; but I infer it is just there so that other people can continue the work and figure out what is real. It seems to hard to figure out if that press release is real unless the dev says it is.

On Sun, Jun 13, 2021, 7:24 AM grarpamp wrote:

...

It seems to hard to figure out if that press release is real

Go ask both the EFF and CCC separately for a copy of their GoldBug PR announcement and post the text of their replies here.

This seems to be something that you care about. Has it been done before? I don't think it will discern whether the project actually made the press release, but it looks like the developers might bend the truth harmlessly sometimes and I think that's human and normal. The software looks to be a convenience messaging wrapper for openssl written by dedicated non-experts, in need of experienced review. A user from their community asked the list for an experienced opinion 8 years ago and as far as I can tell were rejected due to suspicion. Trustworthiness here could be discerned by - can we reach the actual devs - do they respond to learning of problems in their software, by fixing those problems - do they accept contributions containing fixes to problems in their software That's probably been tested some time ago in the archives. Randolph does behave really funny. Never did they say they were affiliated with the project. Your reply regarding the rooftop monitoring system was really cool, I'm having some issues directing my replies and this comment ended up in this thread, sorry.

On Tue, Jun 15, 2021, 11:10 PM grarpamp wrote:

re broken thread Subject: Evidence of Enforcement Workers Portraying Activists as Criminal

You have to audit the code to claim it is clean.

That goes both ways. You have to audit the code to claim it is faulty. As with everything else, use at your own risk.

On Wed, Jun 16, 2021, 6:24 PM grarpamp wrote:

"rdohm: the EFF in conjunction with the Chaos Computer Club announced a new secure Instant Messenger called: GoldBug"

"rdohm: We all need to evaluate this and will come back to you"

...

You have to audit the code to claim it is faulty.

No one ever claimed the code was faulty, only that the group was and is still doing things that are disreputable... lying about nonexistent press

??? if the code is not faulty then why are you talking about unsigned messages as if they are related to anything? go get an signed message, and then talk about what you are talking about -- people, not software -- once you can demonstrate they actually did what you say. releases to con users into using it, censoring user

inquiries, refusing to code signing reproducibility, dodging and faux-assert-confirm based redirecting tactics instead of simply answering simple questions, and questionable actions and methods irregular to usual work in the field... all documented on the internet, which people are too lazy to follow, to lazy to even get a copy of the PR from the EFF CCC.

The advice has always been to audit code. Many people won't bother using or auditing any codes that come from groups that have disreputed themselves... that works for them.

It is well known that disruptors disrepute groups for no fault of their own. I will be reading 1 more reply from your email address for now. Regardless... Expect Ops.

People will protect themselves when you can use cryptographic signatures to get through the ones shilling us to you.

On Fri, Jun 18, 2021, 4:12 AM grarpamp wrote:

...

??? if the code is not faulty

No one ever claimed the code was not faulty either.

Hope you are well, grarpamp. It's true, I wasn't there. Regardless, we need software that works, not rumors and conflict.

https://en.wikipedia.org/w/index.php?fulltext=1&search=goldbug+messenger Pick any of their names as search strings, they've inserted themselves all over the place.

I saw quickly on wikipedia that the socialist millionaire protocol might be insecure in the face of mitm attacks. Is this true or relevant?