Trying to Connect with a Hacker Online
Karl
gmkarl at gmail.com
Mon Oct 12 08:13:46 PDT 2020
So, every hacker [s/is slowly forgetting due to global gaslighting and
abuse/knows firmly/] that plaintext, unsigned communications are
pointless because all the political influences between you and the
person you're communicating with will alter your communications. In
order to connect we have to find each other on networks that are more
reliable than e-mail.
A clue to finding these networks, people, and other exotic
information, is weird strings of numbers and letters that seem like
random gobbledygook, almost as if we were copy and pasting computer
glitches to each other. No, these confusing strings of characters are
the words of computer hackers: especially if the alphabetic characters
never exceed 'f' in the alphabet, which does not stand for 'fuck this
is confusing', but rather for 'we made computers highly efficient by
braking them into powers of two'. It's called hexadecimal.
> On 10/12/20, Stefan Claas <sac at 300baud.de> wrote:
[snip...]
>> Regards
>> Stefan
>>
>>
>> --
>> NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
>> The computer helps us to solve problems, we did not have without him.
Here, we have a hexadecimal string associated with the phrase
'NaClbox'. 'NaCl' is a stupid-people-who-use-computers word for
encryption and verification. 'box' is the same for computer.
Let's search for it and see i we can find this random string of hexadecimal!
This time, I'm going to [s/heal my injured spine/wise up to the
manipulative marketing AIs/] just a smidge, and use a search engine
other than google. Even better would be _asking a human being_, but
we're not quite that smart yet. I'll try duckduckgo.
I typed 'naclbox' into duckduckgo and the first hit is ...
https://www.naclbox.com/ ! This has to be it, right? It has the
right domain name! A computer game thing! This hacker must have been
asking us to play computer games with them, how friendly!
Let's do some wizardry called a 'dns lookup' on that url. There's a
way, given _any url_, to get information on who purchased it and stuff
like that. If [s/you're actually part of a major corporate conspiracy
and are frequently hired to kill people who look into the origins of
coverups/you have schizophrenia from too many dns lookups/] you may
have trouble doing this important research, but it's not very hard to
do.
Searching the internet for "lookup dns purchase command line", I see a
way to copy the term that [s/gives me severe traumatic flashbacks/i
haven't learned to use yet/]: "whois". My system doesn't have "whois"
installed because I'm a normal person, not a mumbo-jumbo computer
wizard, but I can install it like any other package, and run it on
www.naclbox.com:
```
$ whois naclbox.com
Domain Name: NACLBOX.COM
Registry Domain ID: 1653881042_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.gandi.net
Registrar URL: http://www.gandi.net
Updated Date: 2020-03-27T19:42:08Z
Creation Date: 2011-05-01T15:51:02Z
Registry Expiry Date: 2021-05-01T15:51:02Z
Registrar: Gandi SAS
Registrar IANA ID: 81
Registrar Abuse Contact Email: abuse at support.gandi.net
Registrar Abuse Contact Phone: +33.170377661
Domain Status: clientTransferProhibited
https://icann.org/epp#clientTransferProhibited
Name Server: NS-1219.AWSDNS-24.ORG
Name Server: NS-1965.AWSDNS-53.CO.UK
Name Server: NS-259.AWSDNS-32.COM
Name Server: NS-544.AWSDNS-04.NET
DNSSEC: unsigned
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
>>> Last update of whois database: 2020-10-12T13:36:17Z <<<
```
This record claims that the domain was purchased on 2011 and expires
2021. It's been a really long time since I've done this, but I was
expecting to see some information on e.g. a technical contact or
something: a real human being associated with the website. Maybe I
have too look somewhere else. I tried this:
```
$ whois -h whois.gandhi.net naclbox.com
```
which just sits there and hangs.
Anyway, it sounds like the _cryptographic_ nacl project would be able
to purchase this domain in 2021 if they wanted. Farther down the
duckduckgo results is a more promising link, that leads to
https://pkg.go.dev/golang.org/x/crypto/nacl/box . Unfortunately, this
project now calls itself "package box", not "nacl box", which is
discouraging. Still, we can look it over.
Woohoo! "package box" says it is a generic frontend for NaCl
encryption, which implies that it's possible that the signature we
found is a public key for sending somebody private messages in a
reliable manner, and that any tool that does this NaCl encryption can
communicate with him. "package box" links to a central nacl website:
https://nacl.cr.yp.to/box.html .
A great way to check if we interpreted these
letters-and-numbers-mumbo-jumbo correctly is to try to use them.
We'll try to send this guy ... what's their name?
>> NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
We'll try to send
cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675 a
message ! This might mean learning to use nacl. The page I found is
a c++ interface, so I'll just use that since [s/my fingers and eyes
spazz out uncontrollably when i use the web now/it's a good exercise
for me to write a small C++ program/].
```
$ sudo yum install nacl-devel # nacl is a software development library
for secure communication that's been available on linux systems for
some time now
...
```
If you've been through [s/an abusive enslavement experience where you
suffered severe injuries and learned to dissociate from your memories
as way of life/a corporate or government training program/] you may
have difficulty forming encrypted communications with a hacker online,
but rest assured everything is fine: since the worldwide digital
coronavirus has thoroughly filled your device with malware, all the
corporate goonies can make sure everything is okay, and since this guy
is an experienced enough hacker to communicate with letters and
numbers, they'll be able to tell that you aren't one of them. That
doesn't mean they'll be able to keep themselves safe from your
oppressive surveillance and control situations! It's your job to
[s/manage those by communicating with your contacts/mourn your wake of
dead hackers after the fact/]. So please make a record of what you do
so that others can learn from it after somebody new [s/dies
horrifically or gets forcibly enslaved by a criminal corporate
dictator/gets bored and ignores the rest of us/]!
First we need to generate a naclbox of our own, to send the
communication from. It's just a set of small personal letters and
numbers.
The website has this in it:
```
#include "crypto_box.h"
std::string pk;
std::string sk;
pk = crypto_box_keypair(&sk);
```
> The crypto_box_keypair function randomly generates a secret key and a corresponding public key. It puts the secret key into sk and returns the public key. It guarantees that sk has crypto_box_SECRETKEYBYTES bytes and that pk has crypto_box_PUBLICKEYBYTES bytes.
The secret key is like your brainstem and your heart. You don't let
anybody else even get a whiff of them, _certainly_ never touch them or
see them, or you could get hurt. Since [s/I'm a corporate slave/this
is just an example/], I'll be storing my brainstem on the malware
that's infesting the system I am typing this on.
On my system, I'll have to mutate the example from the website just a
tiny bit, to get it to compile.
```
// nacl-generate.cpp
#include <nacl/crypto_box.h>
#include <fstream>
#include <iostream>
int main(int argc, char **argv) {
if (argc != 2) {
std::cerr << "Error: provide new delicate brainstem file as
first argument." << std::endl;
return -1;
}
std::string pk;
std::string sk;
pk = crypto_box_keypair(&sk);
std::string brainstem = argv[1];
std::ofstream
delicate_precious_guts_we_are_going_to_figure_out_how_to_protect(brainstem.c_str());
delicate_precious_guts_we_are_going_to_figure_out_how_to_protect << sk;
// this is a c++ way to convert from computer innards to
hexadecimal letters and numbers
std::cout << brainstem << "'s name is: " << std::hex;
for (char const * byte = pk.data(); byte != pk.data() + pk.size();
++ byte) {
std::cout << ((*byte) & 0xff);
}
std::cout << std::endl;
std::cout << "Don't lose track of it or nobody will be able to
find 'em!" << std::endl;
}
```
I actually had to work with it quite a bit while handling my issues.
```
$ g++ nacl-generate.cpp -o nacl-generate -l nacl
$ ./nacl-generate delicate
delicate's name is:
1934067c6303d231b897152a989bd905fe82b5130de209a1ddb61e118e7a477
Don't lose track of it or nobody will be able to find 'em!
$ mv delicate 1934067c6303d231b897152a989bd905fe82b5130de209a1ddb61e118e7a477
``
This file of letters and numbers is now _our_ identity. We can make
similar programs to send and receive messages with them. There are
likely tools out there already to do this automatically, and if not it
would be a problem to be solved.
Here's some code to receive messages with the file we made:
```
// nacl-receive.cpp
#include <nacl/crypto_box.h>
#include <fstream>
#include <iostream>
#include <sstream>
std::string binary2hex(std::string binary)
{
std::stringstream ss;
ss << std::hex;
for (char const * byte = binary.data(); byte != binary.data() +
binary.size(); ++ byte) {
ss << ((*byte) & 0xff);
}
return ss.str();
}
int main(int argc, char **argv) {
if (argc != 2) {
std::cerr << "Error: provide delicate private file as first
argument." << std::endl;
return -1;
}
std::string pk, pkhex;
std::string sk;
std::string n, nhex;
std::string c, chex;
std::string m;
std::ifstream skfile(argv[1]);
skfile >> sk;
std::cerr << argv[0] << " receiving." << std::endl;
// Although hackers like to share things in confusing ways, for example by
// cramming the public key, the nonce, and the ciphertext all together,
// we're separating them out here to ease my learning this new system.
// When sending the greeting to the hacker, we may want to jam all the data
// together, offering it as either a reasonably-confusing puzzle or a guess
// as to having already put the time in to learn the system, so that we
// speak their language more. Hackers tend to assume that everybody has as
// much free time as they do, and might misinterpret things if somebody
// didn't act as if they also did. This assumption would be easy
to change by
// playing their hacking games with them or preferably simply talking
// clearly and directly and publically, rather than [s/fucking up their open
// source people and projects/waiting for them to notice/]. But obviously
// we can't do that, since we're [s/a bunch of people who want to help,
// not the people in charge/too busy to get personally involved/].
std::cerr << "Enter public key of sender: " << std::flush;
std::cin >> pkhex;
pk = binary2hex(pkhex);
std::cerr << "Enter nonce: " << std::flush;
std::cin >> nhex;
n = binary2hex(nhex);
std::cerr << "Enter cyphertext: " << std::flush;
std::cin >> chex;
c = binary2hex(chex);
m = crypto_box_open(c,n,pk,sk);
/*The crypto_box_open function verifies and decrypts a ciphertext
c using the receiver's secret key sk, the sender's public key pk, and
a nonce n. The crypto_box_open function returns the resulting
plaintext m.*/
std::cout << m << std::endl;
}
```
In the next possible episode, we would either make a sourcefile to
send a message to the hacker by again copying from that same website,
or find a pre-existing tool that already does so, and then try sending
a message to see if we even interpreted their signature at all
correctly. We might also make an embarrassed reply, asking what their
signature means, or search the archives of the list to find a clear
explanation of it sitting there.
More information about the cypherpunks
mailing list