
Slur, a decentralized, anonymous, Bitcoin-based marketplace for information - pervycreeper
http://slur.io/
======
fabulist
This is really disappointing and almost seems engineered to proliferate
Bitcoin's reputation as a technology to service criminals.

I also think that they misunderstand the needs of their potential customers.
They are trying to introduce a public, crowd-funded service to a market for
covert information without any sense of irony. In broad strokes, a third of
the value of a stolen secret is in knowing it; another third is having
exclusive access; and the last third is that your competition does not know
they've been robbed. When they realize that you have their IP, they will pour
money into R&D. Since they are already familiar with their work -- and you are
not yet -- they are likely to beat you to market.

For that reason I'm skeptical this venture can compete with existing black
markets.

~~~
drcode
fabulist, I kind of agree with you that this tool has a low chance of success,
but...

...all I see is a tool that allows secure communication and protects people's
privacy. If we want to avoid living in a future where a police state monitors
everything people do and say at all times, we have to somehow allow for people
to maintain privacy and communicate privately.

Your attitude seems like a really slippery slope: If I write an email to
someone and PGP encrypt it, as many people do today, would you similarly say
that I'm being "covert" and "dark"? Where do we draw the line?

~~~
mintplant
Have you read the linked page? "Trade secrets", "stolen databases", and
"military intelligence relevant to real-time conflicts" are listed as examples
of types of information they "expect to see on the Slur marketplace". I think
"covert" and "dark" can safely be used to describe this service.

~~~
drcode
Shoot, I hate having to admit it, but I didn't see the list you're quoting
from at the very end of the site. You are correct that they are explicitly
targeting covert/dark applications, and I should have seen that before
commenting.

~~~
fabulist
I missed it at first, too; I saw comments referencing it, and checked the
article again.

I'm all for having secure, private means of communication; it is essential for
our liberty and a healthy democracy. Inevitably, these will be used to create
black markets. Freedom is expensive, and that is just another cost.

------
olefoo
How are they going to enforce the exclusive sale model?

I can think of three or four ways to defeat even a relatively sophisticated
attempt to do so in an automated manner. And if you're going to make money off
selling secrets, what could be better than selling the same thing to a dozen
purchasers each of whom thinks that they have an exclusive on the deal.

~~~
fragsworth
They can't enforce it. It's impossible.

~~~
fabulist
It would probably be more intelligent for them to give up, and focus on the
crowd-funding aspect of their idea.

~~~
MrHyde
It looks to me like that's what they've done.

------
runn1ng
Judging by their github, they have a _lot_ of work to do.

[https://github.com/u99/slur/](https://github.com/u99/slur/)

------
yourad_io
How would you arbitrate unverifiable data? How about if I auction "I know who
hacked Sony" and the "data" is simply a name and address, without (or with
fickle) proof? Or "Identities of 5 CIA agents in $region"? In fact, most
military secrets.

And - how would you arbitrate misleading data? "0-day Flash Exploit For
Windows", "...NT4".

Maybe we're missing the irony.

edit: more ranting (won't dupe)
[https://news.ycombinator.com/item?id=8795427](https://news.ycombinator.com/item?id=8795427)

------
PhasmaFelis
I see comments talking about protecting privacy and fighting the police state.
Is it not immediately obvious that the whole point of this service is to
facilitate blackmail? I mean, they named the thing "Slur."

_"Zero day exploits. For the market defined value rather than a price
determined by the corporations under the guise of a bounty with the veiled
threat of legal action should the researcher choose to sell elsewhere."

"Stolen databases. Corporations will no longer be able to get away with an
apology when they fail to secure their customers confidential data. They will
have to pay the market value to suppress it."_

This isn't about exposing corrupt secrets for the public good. This is about
giving data thieves a way to squeeze more money from their victims (deserving
or not) by letting others bid against them. They're not trying to hide it,
guys.

~~~
woah
There will always be data thieves. The real criminals are the lazy developers
that make apps without full client side encryption. This would claim to make
that obvious.

If you put together an app that professes to send messages that are private to
one other user, when in fact they are visible to anyone with access to your
servers, you have sold your users down the river just because you are not a
competent developer. This is widespread right now, but it doesn't mean it
isn't true.

However, as other people have pointed out, this particular idea looks like BS.
Even so, I think it will be implemented in some form in a few years. It's time
to end the "fingers in the ears, la la la" approach to data security that your
post exemplifies.

~~~
PhasmaFelis
So your argument is that, if Bob scams you into buying an "unpickable" lock
and Steve picks it easily and steals all your stuff, only Bob is at fault and
Steve is innocent? You seem to think that there can only be one villain in any
given situation. I'm perfectly comfortable assigning blame to both of them.

And none of this explains why you think a service that helps Steve get top
dollar for your stolen stuff is a good thing.

------
krapp
They seem to believe they are more revolutionary and disruptive than perhaps
they are.

We already have darknets and assassination markets and... and places to find
scandalous celebrity photos and dox. The amount of ego they throw into their
copy doesn't inspire a lot of confidence to me.

~~~
fabulist
Rob Graham (@ErrataRob) gave a (joking) talk about the "fail-peen"; it is the
measurement of how susceptible an organization is to compromise, and is
calculated by taking the inverse of their epeen ("the ego of your online
persona", for the initiated).

Edited to add:

The talk is linked below.

[https://www.youtube.com/watch?v=Qnqyxjtm9RA](https://www.youtube.com/watch?v=Qnqyxjtm9RA)

------
dantiberian
Starting a project like this in C seems like a dangerous proposition.
Anonymity would be essential for all parties in the operation, and starting a
project in a memory unsafe language doesn't seem like the strongest foundation
to build on. It sounds like all of the people involved are experienced, but it
still seems like unnecessary risk. Especially as I don't see which part of
this would need to be so performant that C is the only option.

However the people behind this have been thinking about it far more than I
have so I'm sure they have their reasons for doing it in C.

~~~
mike_hearn
_It sounds like all of the people involved are experienced_

It says nothing about the people involved or their experience. It claims they
are "9 cryptographers" and says nothing more. They also appear to be trying to
raise money for this:

[http://coinmesh.io/](http://coinmesh.io/)

I agree that using C is a really dumb idea for anything security sensitive.

 _However the people behind this have been thinking about it far more than I
have_

I see no evidence of this either.

In fact all I see is an attempt to grab money from people for a product that
does not exist, has no prototype and quite possibly never will exist.

As to their identities, I suspect it's the same people (Amir Taaki and
friends) who are doing Dark Wallet, given that they're the only people who use
libbitcoin as far as I know, they explicitly recommend Dark Wallet although it
has almost no users, and both sites very much match their writing style and
general way of thinking. It's exactly the sort of thing that they'd think was
a good idea.

~~~
petertodd
_I agree that using C is a really dumb idea for anything security sensitive._

It's rather curious the website says it's written in C against the libbitcoin
library, as libbitcoin is a C++ library that doesn't even export C headers.

 _As to their identities, I suspect it's the same people (Amir Taaki and
friends) who are doing Dark Wallet._

I rather doubt that as I haven't heard anything about Slur from that group -
as Dark Wallet Chief Scientist they pretty much always run new ideas past me.
Secondly they already have a better protocol for paying for information that
I and Amir Taaki developed:
[https://github.com/unsystem/paypub](https://github.com/unsystem/paypub)
PayPub uses a non-interactive revealing stage to avoid the need for the
trusted escrow agents that Slur claims to use.

re: Dark Wallet, keep in mind it's still officially an alpha undergoing
testing prior to release, but its CoinJoin mixer gets regular usage, mixing
what seems to be in the region of a few thousand dollars worth of bitcoins
every day on average. It is the only CoinJoin implementation I know of with
any usage, other than the known to be badly broken blockchain.info one that
doesn't provide any privacy. Recommending people use it to donate anonymously
is quite reasonable.

------
altoz
I'm not sure how the exclusive sale model would work with information. Some
problems I see are:

1. You can't prove a negative. The seller cannot prove that there's not a
copy of the same information elsewhere.

2. If you prevent the same data from being sold again, the exclusive owner is
also prevented from selling. What if that person wants to sell bits and pieces
of the information as an arbitrage play?

3. Doesn't this obligate the police to bid for any child pornography whatever
the cost?

------
tlrobinson
Also: Bitmarkets
[http://voluntary.net/bitmarkets/](http://voluntary.net/bitmarkets/)

It uses Bitmessage and two party escrow Bitcoin transactions.

------
rrggrr
I wonder if the hardening of cyberspace requires concepts like this? In the
absence of sensational threats, pervasive vulnerabilities in areas like usb,
wireless routers, HDD/SSD microcontrollers, etc. may remain unresolved. It
would be nice if some of the same regulatory effort that goes into food and
drug safety were applied to commercial information security.

------
ademarre
Is slur really a good name for this type of thing? I generally want my
information to be clearly spoken, not slurred speech.

~~~
conchy
There are a few different definitions for that word, so I presume they're
going for the "to harm someone's reputation by criticizing them" definition,
rather than "to pronounce the sounds of a word in a way that is wrong or not
clear"

~~~
lotsofmangos
That was also my impression. One of my first thoughts was _"They may as well
have just called it Libel"_.

Personally, I think it is a pretty stupid name given either interpretation.
Slur does not denote reliability of information.

~~~
ademarre
Agreed. Whichever meaning it invokes, it's not a good name.

------
declan
This is a good place to reference cypherpunk co-founder Tim May's email from
1992: [http://www.activism.net/cypherpunk/crypto-anarchy.html](http://www.activism.net/cypherpunk/crypto-anarchy.html)

Took the world long enough to catch up.

~~~
kbody
It's a bit easier to imagine than create.

~~~
dmix
In a product or marketing sense?

Sounds like the product side has been figured out... the essay is pretty
thorough.

~~~
yourad_io
Far from it; it is full of holes.

Various issues: C used (huge flag), little progress yet, arbitration can't
help in subjective/unverifiable/misleading data situations, anonymity will
drag in the trash-sellers by the dozens, entirely unsourced data -even when
true- is not as useful as sourced stuff (which you'd call "actionable"),
de-duping information is impossible, what's the arbiters' motivation to be honest
and not attempt to contact either side for bribes (or vote against "truth" for
lolz), etc.

But mostly: Just think of the Signal/Noise ratio. Everyone will be trying to
abuse this.

Even the dumbest, shotgun, numbers-game approach would have returns: Keep
listing seemingly interesting stuff that is actually
misleading/incomplete/bad/resold/... and eventually some of your transactions
will not be reverted by arbitration.

And this is anonymous crowd-funding, you say?

~~~
hellbanner
Yup, and does Slur take a fee from each transaction.. ?

~~~
fabulist
Not according to their website, no. If they're looking to turn a profit, it's
probably by acting as sellers.

~~~
yourad_io
> If they're looking to turn a profit, it's probably by ...

...anonymously crowdfunding this half-thought idea with bitcoin.

------
davemel37
With so much skepticism in this thread I am inclined to bet on their success
:) I am also very skeptical...but ideas like this rarely get any love until
it's actively disrupting.

For what it's worth, the potential for the internet to even out the knowledge
gap in the business world has barely grazed the surface of where it's headed.

I am not talking about getting Coke's recipe but knowing the cost basis of
vendors so they can't rip you off. Every industry will eventually have a
winner that decided to be completely upfront and transparent, accept smaller
but healthy margins and eliminate the fear consumers have of looking foolish
by getting a worse deal than their brother in law.

------
dil8
I wish this was "Slur, a decentralized, anonymous repository for information".

Incentivising leakers to leak to agents with the most power and wealth does
not make much sense.

------
dlss
I wish they hadn't used illegal example use cases (stealing trade secrets,
etc). I would have donated :-/

~~~
programmarchy
What Snowden did was illegal, too. Illegal != immoral. Lawmakers do not have
legitimate moral authority.

~~~
dlss
Completely agreed, hence wanting to donate. There are a lot of cool uses for
what's essentially a kickstarter for digital goods... however by explicitly
saying the illegal possibilities are a goal, all their funders are (I think /
not a lawyer) committing a crime. It's illegal in most countries to knowingly
help people break the law.

------
hellbanner
Woa, when I visited the link Chrome downloaded a file called FQwWHM735zm and
then prompted me "this site is trying to download multiple files". ???

------
ntonozzi
It seems completely wrong that arbitration requires revealing the content of
the secret.

~~~
fabulist
Well, the ones who purchased the secrets are the ones who can request
arbitration; if they do, presumably the information is false and worthless, or
they are attempting to cheat the system to have their cake and eat it too.

------
mb0
How will anyone verify that the information being sold is valid?

------
obilgic
So there is an incentive for volunteers to decline the content?

------
azinman2
Downvote. This is a waste of energy/time that could be put to making the world
a better place than tearing it down. I don't understand how people with
technical talent want to do something so negative with their limited time on
earth.

~~~
sintaxi
I'm not endorsing this project but I take exception with your response. This
type of project belongs on Hacker News and if we are going to take the time to
respond it might as well provide more feedback than telling someone they are
wasting their limited time on earth.

Buyer/seller privacy would be a fantastic development but blackmailing people
is definitely in scumbag territory. I would like to see this project change
its name, messaging, and even reevaluate its motives. That said, I don't see
anything wrong with the core principle which is a free market with privacy.
Which shouldn't be interpreted as "go break the law!".

We need more people developing systems that emphasize privacy. Let's encourage
those who are doing so by explaining what aspects we like/dislike.

~~~
azinman2
So basically you're arguing it has merit by containing cryptography, but let's
not forget that it was designed specifically for illicit use to VIOLATE
people's privacy. And did you even read their bit about how this is geared
towards PSYCHOPATHS?! That's their own word choice! I feel like it's hard to
reason with anyone who is gearing their product towards the psychopath market!

However for argument's sake, let's strip away the reality of what they're
encouraging and find merits in non-illicit contexts.

What can be productively sold in this way? Source code licensing, music and
movies come to mind, but do they offer over iTunes or Shopify? I can only find
cons.

Let's look at the core principles that they're advertising and see how they
apply:

    
    
      "Sellers encrypt, upload and then list their data on the digital market with the ease a user might list an item on eBay. They do so with full anonymity and there are no restrictions on the content of the data."
    

So they let you upload to them, but most legitimate entities don't have
storage costs as something that prevents them from entering the market. In
fact they might be concerned about losing the control, not just in terms of
proprietary nature but also being able to fine control the streaming quality,
bandwidth, availability guarantees, etc.

Legitimate sales interests also rarely need to be anonymous. Having their own
marketplace (iTunes store, etc) also lets them restrict the privacy in the
way that best favors them. The exceptions -- journalists or people under
repressive regimes -- could benefit from such a marketplace if it weren't for
the fact that they can't prevent the enemy from buying the information
(they're anonymous, too), let alone sell it to many news outfits or many
rebels over time (data can only be sold once).

    
    
       "Exclusive bidders attempt to purchase the data for their own use and / or prevent other parties from acquiring a copy. Should an exclusive bidder win the auction they alone will receive the decryption keys. The same data cannot be auctioned a second time on the Slur marketplace."
    

Media companies and others that sell goods want to sell it in large numbers.
This goal runs counter to exclusive bidders. Movies & music are out unless
each copy has DRM watermarking which changes the binary enough, but that kind
of stuff should probably be integrated into the market somehow (no small feat
and runs counter to many "free software purist" ideals).

    
    
       "Crowd bidders pool their funds into a single bid. Should they win the auction the network will release the decryption keys to all users on the Slur marketplace and the information will therefore become public."
    

I'm not even sure I fully understand this -- is this then a kickstarter for
information? I thought the marketplace was about keeping things private? What
ends up in public? If anything they should better explain what stays private
and what ever goes into the public better.

    
    
       "Arbitrators are randomly selected users who agree to weigh in on a dispute should the winner of an auction claim that the decrypted contents do not match the sellers description."
    

Or you could just phone visa and say hey can you remove this fraudulent charge
please? Again good for journalists but what about everyday?

    
    
       "Public key cryptography ensures the data being sold can only be decrypted by the winner of the auction."
    

As does SSL and DRM watermarking.

-----

Look, there might be some legitimate amazing use that I'm ignorant towards,
but it has to fight a lot of restrictions with this premise. It seems really
geared towards illicit use in both design and message. I also can't get behind
advocating for psychopaths. YES THOSE WITHOUT CAPACITY FOR EMPATHY LET'S PICK
THEM.

