Slashdot Mirror


Anonymous, People's Liberation Front Build Anonymous Data-Sharing Site

suraj.sun writes with these snippets from an article at Ars Technica: "Hacker group Anonymous and the People's Liberation Front have created a data-sharing site called AnonPaste.tk, meant to host pastes of code and other messages without any moderation or censorship of the information posted. The new site, which uses a free .tk web address, allows users to set a time for the paste to expire. It claims that data is encrypted and decrypted in the browser using 256 bit AES, so the server doesn't see any of the information included in the paste. The site says it's taking donations in the form of WePay or BitCoins. ... AnonPaste is built using open-source software called ZeroBin, created by French developer Sebastien Sauvage. According to Infoweek, Sauvage has experience in creating online authentication systems for French banks, suggesting the creator knows a thing or two about encryption of data. Still, on the software's information page, Sauvage reminds potential users that ZeroBin software cannot protect against potential Javascript attacks. 'Users still have to trust the server regarding the respect of their privacy,' he says. 'ZeroBin won't protect the users against malicious servers.'"

15 of 137 comments

  1. .tk, seriously? by jamesbrx · · Score: 5, Insightful

    This site will get its domain removed faster than I can post this comment. The .tk admins have a long history of blatantly removing anything that might cause trouble, are porn and/or hijacking domains that are popular. Great choice there, indeed.

    1. Re:.tk, seriously? by cloricus · · Score: 3, Insightful

      Why would they want to take down what may become the most effective honey pot in history?

      --
      I ate your fish.
    2. Re:.tk, seriously? by Anonymous Coward · · Score: 5, Funny

      They should have set their servers up in Judea.

  2. Major Fail: ZeroBin requires the JavaScript by xiando · · Score: 4, Interesting

    I am NOT about to let you or your anonymous friends run JavaScript in my browser. No. That would compromise my security. The idea outlined in the summary sounds good, but the JavaScript-based implementation is bad. EPIC FAIL. Think of the Tor-users! They are not about to let their anonymity go by submitting to the evil JavaScript World Order.

    1. Re:Major Fail: ZeroBin requires the JavaScript by allo · · Score: 3, Informative

      you can have only one of them:
      - no client side scripting
      - client side crypting/decrypting

      but do not worry, javascript is sandboxed to the site's context.

    2. Re:Major Fail: ZeroBin requires the JavaScript by Tom · · Score: 3, Informative

      Javascript isn't half as evil as you make it.

      Its main failing is that it sucks for crypto. A quick reference I could dig out:
      http://www.matasano.com/articles/javascript-cryptography/

      Basically, it has several problems, the main one being that where they write "random key" in the "browser" box in their little flowchart it should honestly say "weak pseudo-random key".

      --
      Assorted stuff I do sometimes: Lemuria.org
  3. Cool, but... by betterunixthanunix · · Score: 4, Interesting

    ...we already have lots of ways to do this. We can encrypt and post to Usenet. We can use extensions like FireGPG to encrypt on post to websites. So why use a system where we place all our trust in the service provider, which is both theoretically risky and has failed in the past:

    http://www.wired.com/threatlevel/2007/11/encrypted-e-mai/

    --
    Palm trees and 8
  4. Re:Server cannot see the data? by Sun · · Score: 3, Informative

    Okay, I take it back. It seems that the reading URL contains the decryption key. That's actually quite nice.

    The key seems to be stored in the in-page bookmark (the part after the "#"), so there is even a chance it won't be available through the server's logs. I have not checked whether it is the client or the server that produces the URL for reference. That might mean a trip to the server after all, but given the design of the rest, there is hope it was done properly after all.

    Shachar

  5. Oh yeah? by Rydia · · Score: 3, Funny

    Well, Anonymous is going to start their OWN pastebin! With hookers! And blackjack!

  6. Re:Sounds a lot like nonsense by elucido · · Score: 3, Insightful

    Sorry, the whole story doesn't make much sense. If anyone can access the pastebin, then anyone can see its contents, including the server, no matter how encrypted the data is stored on it. If not anyone can access the server then it's not a public pastebin, but an encrypted fileserver and whoever accesses it would need to password first.

    The smart way is just to encrypt your data with PGP or AES and then upload it to piratepad.

    This Anonpaste won't be useful unless you connect to it anonymously. What they are promising is they won't censor your shit if you post something tragic.

  7. If you use AnonPaste you're one of them by elucido · · Score: 3, Interesting

    According to what Pastebin says about Anonpaste just using Anonpaste could mean you have something to hide and if you have something to hide it means you need to be investigated.

    Although Anonymous has used the news of AnonPaste to taunt Pastebin, Vader isn't worried about the popularity of his own site. He does see problems with the general idea of the new paste site though. "Having this new anonymous paste service online will most likely mean that less 'sensitive information' is posted on Pastebin.com, which we like," Vader told Ars, "But we think this new totally anonymous Paste site will be used mainly by people who have something to hide, people who are posting things that really shouldn't be posted. We see no benefit for normal legitimate users to use it over the currently existing paste websites. We are afraid that this site will be bombarded with people's personal information, credit-card details, and things such as child pornography."

    If you use Anonpaste then the governments will claim you're a credit card thief, a child pornographer, or a terrorist, because why else would you want to use something like Anonpaste?

    My advice is don't post on Anonpaste. Read Anonpaste but don't post a damn thing. If someone really knows what they are doing they probably don't need Anonpaste but if they somehow did then they weighed the risks already.

  8. Monty Python teaming up with Anonymous? by Anonymous Coward · · Score: 5, Funny

    Would that be the People's Liberation Front of Judea or the Judean People's Liberation Front?

  9. Re:There are some problems with it by spydir31 · · Score: 4, Informative

    It runs on ZeroBin, which uses client side javascript to generate a random 256bit AES key, then compress and encrypt the text before sending it to the server. Comments are also compressed and encrypted. The key is never seen by the server, so the server can't decrypt your data.

    It uses the Stanford Javascript Crypto Library for its AES code, and its codebase is available on github.

    The system is vulnerable to an MITM attack; also, a server admin may be able to reveal the poster's identity, but not the post's content.
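The flow described in the comment above, together with the URL-fragment observation in comment 4, as an added example that is not part of the thread or of ZeroBin's code. Node's built-in `crypto` (AES-256-GCM) and `zlib` stand in for SJCL and ZeroBin's compression; the host `paste.example`, the paste id and all function names are hypothetical.

```javascript
// Added illustration, not ZeroBin's code: Node crypto/zlib stand in for SJCL.
const crypto = require('crypto');
const zlib = require('zlib');

// Client side: compress, then encrypt under a fresh random 256-bit key.
function createPaste(plaintext) {
  const key = crypto.randomBytes(32);   // from the OS CSPRNG; never uploaded
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const packed = zlib.deflateRawSync(Buffer.from(plaintext, 'utf8'));
  const ct = Buffer.concat([cipher.update(packed), cipher.final()]);
  const upload = {                      // everything the server receives
    iv: iv.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
    ct: ct.toString('base64'),
  };
  return { upload, fragment: key.toString('base64url') };
}

// Client side: the reader takes the key from the part after '#'.
function readPaste(stored, shareUrl) {
  const key = Buffer.from(new URL(shareUrl).hash.slice(1), 'base64url');
  const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(stored.iv, 'base64'));
  d.setAuthTag(Buffer.from(stored.tag, 'base64'));
  // final() throws if the key is wrong or the stored blob was modified.
  const packed = Buffer.concat([d.update(Buffer.from(stored.ct, 'base64')), d.final()]);
  return zlib.inflateRawSync(packed).toString('utf8');
}

// What an HTTP client puts on the request line: path and query, no fragment.
function requestTarget(shareUrl) {
  const u = new URL(shareUrl);
  return u.pathname + u.search;
}

function demo() {
  const { upload, fragment } = createPaste('constructed sample paste');
  const shareUrl = `https://paste.example/?id=abc123#${fragment}`; // hypothetical host and id
  return {
    upload,
    roundTrip: readPaste(upload, shareUrl),
    target: requestTarget(shareUrl),    // what ends up in server access logs
    keyInUpload: JSON.stringify(upload).includes(fragment),
  };
}
```

The server-side view is limited to `upload` and the request target only as long as the script delivered to the browser does nothing beyond these functions.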

  10. Re:There are some problems with it by spydir31 · · Score: 3, Interesting

    The server operator could modify the javascript it sends to the client, so that the client sends either the key or the plaintext to a place of the operator's choosing.

    That would fall under the same category as MITM in this case. You still need to trust the server (or a server, if you prefer)

    You could move the client side code to a browser addon/extension, but you'd still have the problem of trusting the extension to behave

  11. Woao. by sebsauvage · · Score: 3, Informative

    Woao. My name on the front page of Slashdot. Now I can die. :-D

    If you don't trust AnonPaste, you can just install ZeroBin (the open-source software AnonPaste is based on) on your own website.