Hacker News new | past | comments | ask | show | jobs | submit login
Slur, a decentralized, anonymous, Bitcoin-based marketplace for information (slur.io)
125 points by pervycreeper on Dec 24, 2014 | hide | past | web | favorite | 53 comments



This is really disappointing and almost seems engineered to proliferate Bitcoin's reputation as a technology to service criminals.

I also think that they misunderstand the needs of their potential customers. They are trying to introduce a public, crowd-funded service to a market for covert information without any sense of irony. In broad strokes, a third of the value of a stolen secret is in knowing it; another third is having exclusive access; and the last third is that your competition does not know they've been robbed. When they realize that you have their IP, they will pour money into R&D. Since they are already familiar with their work -- and you are not yet -- they are likely to beat you to market.

For that reason I'm skeptical this venture can compete with existing black markets.


fabulist, I kind of agree with you that this tool has a low chance of success, but...

...all I see is a tool that allows secure communication and protects people's privacy. If we want to avoid living in a future where a police state monitors everything people do and say at all times, we have to somehow allow for people to maintain privacy and communicate privately.

Your attitude seems like a really slippery slope: If I write an email to someone and PGP encrypt it, as many people do today, would you similarly say that I'm being "covert" and "dark"? Where do we draw the line?


Have you read the linked page? "Trade secrets", "stolen databases", and "military intelligence relevant to real-time conflicts" are listed as examples of types of information they "expect to see on the Slur marketplace". I think "covert" and "dark" can safely be used to describe this service.


Shoot, I hate having to admit it, but I didn't see the list you're quoting from at the very end of the site- You are correct that they are explicitly targeting covert/dark applications, and I should have seen that before commenting.


I missed it at first, too; I saw comments referencing it, and checked the article again.

I'm all for having secure, private means of communication; it is essential for our liberty and a healthy democracy. Inevitably, these will be used to create black markets. Freedom is expensive, and that is just another cost.


it will end up full of carding dumps and financial fraud, secret service will likely be interested in the developers since they openly promote stolen dB's should be sold with their platform. they should have said nothing the black market would have discovered it on their own now they are complicit/conspiring


How are they going to enforce the exclusive sale model?

I can think of three or four ways to defeat even a relatively sophisticated attempt to do so in an automated manner. And if you're going to make money off selling secrets, what could be better than selling the same thing to a dozen purchasers each of whom thinks that they have an exclusive on the deal.


They can't enforce it. It's impossible.


It would probably be more intelligent for them to give up, and focus on the crowd-funding aspect of their idea.


It looks to me like that's what they've done.


The most straightforward way of enforcing the exclusive sale model I can think of is to use reputation and reviews similar to how the online drug sales sites work. Create a financial incentive for the seller to build a positive reputation and deliver on their products quality and promises (exclusivity in this case). If the seller creates a name for themselves and they can be trusted to sell information exclusively then that will add value to the information (buyers would pay extra to ensure it's exclusive). That model will incentivize sellers to hold up their end of the bargain and prevent duplicate sales.


That makes the sellers identifiable through their previous leaks/auctions.


Judging by their github, they have a lot of work to do.

https://github.com/u99/slur/


How would you arbitrate unverifiable data? How about if I auction "I know who hacked Sony" and the "data" is simply a name and address, without (or with fickle) proof? Or "Identities of 5 CIA agents in $region"? In fact, most military secrets.

And - how would you arbitrate misleading data? "0-day Flash Exploit For Windows", "...NT4".

Maybe we're missing the irony.

edit: more ranting (won't dupe) https://news.ycombinator.com/item?id=8795427


I see comments talking about protecting privacy and fighting the police state. Is it not immediately obvious that the whole point of this service is to facilitate blackmail? I mean, they named the thing "Slur."

"Zero day exploits. For the market defined value rather than a price determined by the corporations under the guise of a bounty with the veiled threat of legal action should the researcher choose to sell elsewhere."

"Stolen databases. Corporations will no longer be able to get away with an apology when they fail to secure their customers confidential data. They will have to pay the market value to suppress it."

This isn't about exposing corrupt secrets for the public good. This is about giving data thieves a way to squeeze more money from their victims (deserving or not) by letting others bid against them. They're not trying to hide it, guys.


There will always be data thieves. The real criminals are the lazy developers that make apps without full client side encryption. This would claim to make that obvious.

If you put together an app that professes to send messages that are private to one other user, when in fact they are visible to anyone with access to your servers, you have sold your users down the river just because you are not a competent developer. This is widespread right now, but it doesn't mean it isn't true.

However, as other people have pointed out, this particular idea looks like BS. Even so, I think it will be implemented in some form in a few years. It's time to end the "fingers in the ears, la la la" approach to data security that your post exemplifies.


So your argument is that, if Bob scams you into buying an "unpickable" lock and Steve picks it easily and steals all your stuff, only Bob is at fault and Steve is innocent? You seem to think that there can only be one villain in any given situation. I'm perfectly comfortable assigning blame to both of them.

And none of this explains why you think a service that helps Steve get top dollar for your stolen stuff is a good thing.


I think you are quite unfairly placing blame for a systemic issue on the people least responsible.


They seem to believe they are more revolutionary and disruptive then perhaps they are.

We already have darknets and assassination markets and... and places to find scandalous celebrity photos and dox. The amount of ego they throw into their copy doesn't inspire a lot of confidence to me.


Rob Graham (@ErrataRob) gave a (joking) talk about the "fail-peen"; it is the measurement of how susceptible an organization is to compromise, and is calculated by taking the inverse of their epeen ("the ego of your online persona", for the initiated).

Edited to add:

The talk is linked below.

https://www.youtube.com/watch?v=Qnqyxjtm9RA


Starting a project like this in C seems like a dangerous proposition. Anonymity would be essential for all parties in the operation, and starting a project in a memory unsafe language doesn't seem like the strongest foundation to build on. It sounds like all of the people involved are experienced, but it still seems like unnecessary risk. Especially as I don't see which part of this would need to be so performant that C is the only option.

However the people behind this have been thinking about it far more than I have so I'm sure they have their reasons for doing it in C.


It sounds like all of the people involved are experienced

It says nothing about the people involved or their experience. It claims they are "9 cryptographers" and says nothing more. They also appear to be trying to raise money for this:

http://coinmesh.io/

I agree that using C is a really dumb idea for anything security sensitive.

However the people behind this have been thinking about it far more than I have

I see no evidence of this either.

In fact all I see is an attempt to grab money from people for a product that does not exist, has no prototype and quite possibly never will exist.

As to their identities, I suspect it's the same people (Amir Taaki and friends) who are doing Dark Wallet, given that they're the only people who use libbitcoin as far as I know, they explicitly recommend Dark Wallet although it has almost no users, and both sites very much match their writing style and general way of thinking. It's exactly the sort of thing that they'd think was a good idea.


I agree that using C is a really dumb idea for anything security sensitive.

It's rather curious the website says it's written in C against the libbitcoin library, as libbitcoin is a C++ library that doesn't even export C headers.

As to their identities, I suspect it's the same people (Amir Taaki and friends) who are doing Dark Wallet.

I rather doubt that as I haven't heard anything about Slur from that group - as Dark Wallet Chief Scientist they pretty much always run new ideas past me. Secondly they already have a better protocol for paying for information that that I and Amir Taaki developed: https://github.com/unsystem/paypub PayPub uses a non-interactive revealing stage to avoid the need for the trusted escrow agents that Slur claims to use.

re: Dark Wallet, keep in mind it's still officially an alpha undergoing testing prior to release, but its CoinJoin mixer gets regular usage, mixing what seems to be in the region of a few thousand dollars worth of bitcoins every day on average. It is the only CoinJoin implementation I know of with any usage, other than the known to be badly broken blockchain.info one that doesn't provide any privacy. Recommending people use it to donate anonymously is quite reasonable.


I'm not sure how the exclusive sale model would work with information. Some problems I see are:

1. You can't prove a negative. The seller cannot prove that there's not a copy of the same information elsewhere.

2. If you prevent the same data from being sold again, the exclusive owner is also prevented from selling. What if that person wants to sell bits and pieces of the information as an arbitrage play?

3. Doesn't this obligate the police to bid for any child pornography whatever the cost?


Also: Bitmarkets http://voluntary.net/bitmarkets/

It uses Bitmessage and two party escrow Bitcoin transactions.


I wonder if the hardening of cyberspace requires concepts like this? In the absense of sensational threats pervasive vulnerabilities in areas like usb, wireless routers, HDD/SSD microcontrollers, etc. may remain unresolved. It would be nice if some of the same regulatory effort that goes into food and drug safety were apllied to commercial information security.


Is slur really a good name for this type of thing? I generally want my information to be clearly spoken, not slurred speech.


There are a few different definitions for that word, so I presume they're going for the "to harm someone's reputation by criticizing them" definition, rather than "to pronounce the sounds of a word in a way that is wrong or not clear"


That was also my impression. One of my first thoughts was "They may as well have just called it Libel".

Personally, I think it is a pretty stupid name given either interpretation. Slur does not denote reliability of information.


Agreed. Whichever meaning it invokes, it's not a good name.


This is a good place to reference cypherpunk co-founder Tim May's email from 1992: http://www.activism.net/cypherpunk/crypto-anarchy.html

Took the world long enough to catch up.


It's a bit easier to imagine than create.


In a product or marketing sense?

Sounds like the product side has been figured out... the essay is pretty thorough.


Far from it; it is full of holes.

Various issues: C used (huge flag), little progress yet, arbitration can't help in subjective/unverifiable/misleading data situations, anynomity will drag in the trash-sellers by the dozens, entirely unsourced data -even when true- is not as useful as sourced stuff (which you'd call "actionable"), de-duping information is impossible, what's the arbiters' motivation to be honest and not attempt to contact either side for bribes (or vote against "truth" for lolz), etc.

But mostly: Just think of the Signal/Noise ratio. Everyone will be trying to abuse this.

Even the dumbest, shotgun, numbers-game approach would have returns: Keep listing seemingly interesting stuff that is actually misleading/incomplete/bad/resold/... and eventually some of your transactions will not be reverted by arbitration.

And this is anonymous crowd-funding, you say?


Yup, and does Slur take a fee from each transaction.. ?


Not according to their website, no. If they're looking to turn a profit, its probably by acting as sellers.


> If they're looking to turn a profit, its probably by ...

...anonymously crowdfunding this half-thought idea with bitcoin.


With so much skepticism in this thread I am inclined to bet on their success :) I am also very skeptical...but ideas like this rarely get any love until it's actively disrupting.

For what it's worth, the potential for the internet to even out the knowledge gap in the business world has barely grazed the surface of where it's headed.

I am not talking about getting cokes recipe but knowing the cost basis of vendors so they can't rip you off. Every industry will eventually have a winner that decided to be completely upfront and transparent accept smaller but healthy margins and eliminate the fear consumers have of looking foolish by getting a worse deal than their brother in law.


I wish this was "Slur, a decentralized, anonymous repository for information".

Incentivising leakers to leak to agents with the most power and wealth does not make much sense.


I wish they hadn't used illegal example use cases (stealing trade secrets, etc). I would have donated :-/


What Snowden did was illegal, too. Illegal != immoral. Lawmakers do not have legitimate moral authority.


Completely agreed, hence wanting to donate. There are a lot of cool uses for what's essentially a kickstarter for digital goods... however by explicitly saying the illegal possibilities are a goal, all their funders are (I think / not a lawyer) committing a crime. It's illegal in most countries to knowingly help people break the law.


This is explicitly a tool for monetizing blackmail. Illegal use cases are the intended use cases.


Out of curiosity, not criticism, why would you want to?


This is basically kickstarter for digital goods... with shady marketing :/


Woa, when I visited the link Chrome downloaded a file called FQwWHM735zm and then prompted me "this site is trying to download multiple files". ???


It seems completely wrong that arbitration requires revealing the content of the secret.


Well, the ones who purchased the secrets are the ones who can request arbitration; if they do, presumably the information is false and worthless, or they are attempting to cheat the system to have their cake and eat it too.


How will anyone verify that the information being sold is valid?


So there is an incentive for volunteers to decline the content?


Downvote. This is a waste of energy/time that could be put to making the world a better place than tearing it down. I dont understand how people with technical talent want to do something so negative with their limited time on earth.


I'm not endorsing this project but I take exception with your response. This type of project belongs on Hacker News and if we are going to take the time to respond it might as well provide more feedback than telling someone they are wasting their limited time on earth.

Buyer/seller privacy would be a fantastic development but blackmailing people is definitely in scumbag territory. I would like to see this project change its name, messaging, and even reevaluate its motives. That said, I don't see anything wrong with the core principle which is a free market with privacy. Which shouldn't be interpreted as "go break the law!".

We need more people developing systems that emphasize privacy. Lets encourage those who are doing so by explaining what aspects we like/dislike.


So basically you're arguing it has merit by containing cryptography, but let's not forget that it was designed specifically for illicit use to VIOLATE people's privacy. And did you even read their bit about how this is geared towards PSYCHOPATHS?! That's their own word choice! I feel like it's hard to reason with anyone who is gearing their product towards the psychopath market!

However for arguments sake, let's strip away the reality of what they're encouraging and find merits in non-illicit contexts.

What can be productively sold in this way? Source code licensing, music and movies come to mind, but do they offer over iTunes or Shopify? I can only find cons.

Let's look at the core principals that they're advertising and see how they apply:

  "Sellers encrypt, upload and then list their data on the digital market with the ease a user might list an item on eBay. They do so with full anonymity and there are no restrictions on the content of the data."
So they let you upload to them, but most legitimate entities don't have storage costs as something that prevents them from entering the market. In fact they might be concerned about losing the control, not just in terms of proprietary nature but also being able to fine control the streaming quality, bandwidth, availability guarantees, etc.

Legitimate sales interests also rarely need to be anonymous. Having their own marketplace (iTunes store, etc) also let's them restrict the privacy in the way that best favors them. The exceptions -- journalists or people under repressive regimes -- could benefit from such a marketplace if it weren't for the fact that they can't prevent the enemy from buying the information (they're anonymous, too), let alone sell it to many news outfits or many rebels over time (data can only be sold once).

   "Exclusive bidders attempt to purchase the data for their own use and / or prevent other parties from acquiring a copy. Should an exclusive bidder win the auction they alone will receive the decryption keys. The same data cannot be auctioned a second time on the Slur marketplace."
Media companies and others that sell goods want to sell it in large numbers. This goal runs counter to exclusive bidders. Movies & music are out unless each copy has DRM watermarking which changes the binary enough, but that kind of stuff should probably be integrated into the market somehow (no small feat and runs counter to many "free software purist" ideals).

   "Crowd bidders pool their funds into a single bid. Should they win the auction the network will release the decryption keys to all users on the Slur marketplace and the information will therefore become public."
I'm not even sure I fully understand this -- is this then a kickstarter for information? I thought the marketplace was about keeping things private? What ends up in public? If anything they should better explain what stays private and what ever goes into the public better.

   "Arbitrators are randomly selected users who agree to weigh in on a dispute should the winner of an auction claim that the decrypted contents do not match the sellers description."
Or you could just phone visa and say hey can you remove this fraudulent charge please? Again good for journalists but what about everyday?

   "Public key cryptography ensures the data being sold can only be decrypted by the winner of the auction."
As does SSL and DRM watermarking.

-----

Look, there might be some legitimate amazing use that I'm ignorant towards, but it has to fight a lot of restrictions with this premise. It seems really geared towards illicit use in both design and message. I also can't get behind advocating for psychopaths. YES THOSE WITHOUT CAPACITY FOR EMPATHY LETS PICK THEM.




Applications are open for YC Winter 2020

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: