Showing 20 of 314 results by frisco2
Post
Topic
Board Exchangers
Topic OP
Need an exchanger
by
frisco2
on 16/12/2023, 19:20:31 UTC
Asking for a friend in Moscow. He needs to exchange crypto for fiat (cash) monthly, roughly $500 - $1000 per month. I will consider recommendations only from people with standing on bitcointalk.org -- post here or PM me directly.
Board Scam Accusations
Re: Scammer alert @XiaDefi on Twitter
by
frisco2
on 28/10/2023, 15:40:32 UTC
You should know that twitter is now full of trash accounts with blue badges. Don't expect an organic audience from those platform influencers anymore.

Any tips on a reasonable way to gain a Twitter audience in less than a year?
Board Scam Accusations
Re: Scammer alert @XiaDefi on Twitter
by
frisco2
on 28/10/2023, 06:21:41 UTC
Moved topic to "Scam Accusations," thanks.

>  By the way, why would someone send $50 to an account with 52k followers only? I think you will have to understand that many people on twitter have more than 52k followers and they might charge you less than $50 for a retweet.

I am only starting to look for marketing, so I don't really know when I'm being taken for a ride.  Thanks for the tip.

If you have a project that needs to be promoted on the forum or on social media, I handle some marketing. Feel free to send me a pm.

Sending.
Board Services
Topic OP
MOVED: Scammer alert @XiaDefi on Twitter
by
frisco2
on 28/10/2023, 06:17:00 UTC
Board Services
Re: Scammer alert @XiaDefi on Twitter
by
frisco2
on 28/10/2023, 05:19:11 UTC
Ok, someone on Twitter stepped in and talked to the girl. She apologized and offered to do 2RT for the price of 1 that I paid her. So I told her that once the order follows through I will clear her name.
Also, maybe it's a guy, but I just assumed it's a girl based on the photo.
Board Services
Topic OP
Scammer alert @XiaDefi on Twitter
by
frisco2
on 28/10/2023, 03:43:34 UTC
This is about account @xiadefi on X / Twitter. She scammed me for $50.  Here is a record of our exchange,

I sent her 0.03 ETH as we agreed for a retweet, but instead of performing the task, she demanded another $200.
She also threatened me that if I don't pay, she will use her account with many followers to discredit my account.

Board Project Development
Merits 1 from 1 user
Re: Crosspass - a simple way to share passwords, encryption keys, banking info
by
frisco2
on 20/10/2023, 23:22:21 UTC
⭐ Merited by dkbit98 (1)
I don't have g00gle play store installed, so I am getting this error when I try to create password and note:

Yes, I have added alerts to handle the case when Google Play services are either not installed, or Play Integrity returns an error.  Even if you install Play Services in the emulator, it won't pass the further checks, since Play Services verifies whether you have a real device (this is called Play Integrity API).


However, I still think you need to have usable option for desktop users...

I found a product that works on the Desktop, and which is similar to Crosspass in concept.  It is called Magic Wormhole, and it was created in 2006.

https://github.com/magic-wormhole/magic-wormhole

The fact that it is not widely used is saying something, namely that it is too technical and too real-time.

I also began planning to add a feature to send images, not just text. This is useful if you need to send someone your driving license or a passport photo.
What's the difference from sending image with encrypted email or other encrypted chatting app?

This is a summary of advantages of Crosspass stated earlier, and they apply to images as much as text. The difference is that Crosspass enforces key verification as part of the natural flow, via the PIN which looks just like an OTP familiar to users. All other services rely on public keys being managed by an untrusted party (a server).  This allows the third party to MITM you at will.   The other issue is JavaScript backdoors which become a problem with webmail (ProtonMail), or anything inside the web browser.

Furthermore, if you are sending a Driving Licence or a Passport, most likely the recipient is some clerk in some company. He will not jump through hoops to receive your encrypted image. He will not signup with ProtonMail. And he will not give you his private phone number for Signal or WhatsApp.

Board Project Development
Re: Crosspass - a simple way to share passwords, encryption keys, banking info
by
frisco2
on 18/10/2023, 17:57:16 UTC
It might be nice if you can create an Offline App that can be used to import private keys for paper wallets. Imagine if you can encrypt the private key offline, before you use it, and when you go online to import it.. then it quickly decrypts it before you import it. (It does not give the hacker the time to capture and use it, before you use it)  Wink

Many people have malware / Clipboard hacks etc... that collect private keys when you paste them as text ... and if the hacker is fast enough, he or she can exploit that.... but if the private key is encrypted "offline" and then decrypted just before you use it online to import, it will help you to prevent that exploit.

Do I understand correctly that you want to send your paper wallet key to someone else? Further, is it the case that you don't want you or him to use the clipboard?
Does his wallet software have an ability to import a key from a text file?

I can add to Crosspass an ability to save text into a file, or read from file, instead of relying on the clipboard.  Does that help you? You can work with files and your phone without Internet or LAN, by USB cable or NFC.
Board Project Development
Re: Crosspass - a simple way to share passwords, encryption keys, banking info
by
frisco2
on 18/10/2023, 17:48:06 UTC
The problem is that people do not want to use the encryption. And they also do not need to share passwords, encryption keys and banking info. In the market you can sell only if you have customers.

A sender does not want to use encryption if it puts an out-of-proportion burden on the recipient to learn how to decrypt.  I tried to make Crosspass easy on the recipient. It's on the App Store and Play Store, it's free, and as soon as the app opens the user is asked to type the access code to receive a shared note.

There are already services for sharing passwords and text notes. Most of them are web-based and therefore insecure. But the fact that they exist, shows that there is demand.

privenote.com
onetimesecret.com

Found these guys recently: sharepass.com

If you can send a password, you can send anything, because you can Zip files with AES encryption using 7-zip. No special software is needed on the receiving end to unzip.
Board Project Development
Re: Crosspass - a simple way to share passwords, encryption keys, banking info
by
frisco2
on 18/10/2023, 17:16:31 UTC
One thing I know that Crosspass has bugs currently:
...

Update: I have released a new version of Crosspass for Android that fixes many stability issues it had.

# Oct 9, 2023
- Auto-correction of text when composing notes
- Improved handling of Play Integrity verification
- Fix right-to-left language locale
- Improved handling of no Internet connection
- Bug fixes related to navigation within the app

I have also released an updated version for iOS, which primarily improved the Paste functionality.

I am now handling the case when the sending side has a bad cellular data connection or the sender is offline (e.g. on an airplane flight).

I also began planning to add a feature to send images, not just text. This is useful if you need to send someone your driving license or a passport photo.

If you want to see this take off, you can help by following me on social media:

https://twitter.com/entelecheia_inc
https://www.linkedin.com/company/entelecheia-inc
https://www.facebook.com/crosspassapp

Board Project Development
Re: Crosspass - a simple way to share passwords, encryption keys, banking info
by
frisco2
on 16/09/2023, 15:38:38 UTC
The Crosspass app requires a real device, not a simulator. Here is an excerpt from the white paper that explains the reason,

--snip--

Although the number is very small, people who use a custom Android ROM are likely unable to pass such a check.

Once we implement CAPTCHA for the cases when many phones appear to come from the same public IP (I saw this with a Telecom in South America), I can make it so that if the device does not pass the Play Integrity check, the server will also request a CAPTCHA.

Board Project Development
Re: Crosspass - a simple way to share passwords, encryption keys, banking info
by
frisco2
on 16/09/2023, 02:20:26 UTC
The Crosspass app requires a real device, not a simulator. Here is an excerpt from the white paper that explains the reason,

Quote
Crosspass verifies device authenticity and throttles accesses by IP address.

The Crosspass API checks Alice’s device authenticity when her device wants to share a new item. For iOS, it relies on the Device Check and App Attest APIs. For Android, it relies on the Play Integrity API.

Verifications are necessary to prevent a sender’s Denial of Service attack on the availability of lookup IDs. (The lookup ID consists of four case-insensitive letters, therefore the maximum number of reserved lookup IDs is less than half a million.) Verifications are also necessary to avoid a recipient’s attack causing too many Push Notifications to senders’ devices.

In future versions of Crosspass, whenever device verification is insufficient to prevent DoS attacks on lookup ID reservation, a CAPTCHA would be shown. This would be limited only to users who have a public IP from which unusually many requests originate.

Board Project Development
Re: Crosspass - a simple way to share passwords, encryption keys, banking info
by
frisco2
on 15/09/2023, 06:57:52 UTC
Crosspass discussed on Reddit:

https://www.reddit.com/r/crypto/comments/16fntuc/crosspass_a_mobile_app_to_exchange_passwords_and/

Re bugs, I have now hired a QA. Hopefully we will reproduce this bug and will catch new bugs before users do.  I plan to release an update by Oct 15.
Board Project Development
Re: Crosspass - a simple way to share passwords, encryption keys, banking info
by
frisco2
on 12/09/2023, 03:37:07 UTC
Moreover, the id system that you use is actually not very convincing for people because someone could guess a random id and log into someone's account (even if the attempt fails up to 3 times, this is still vulnerable), and this application is paid, which for some people is quite annoying.

Please note that Apple is using the same 4 digit code system to end-to-end encrypt your iCloud data, when it is synched with your phone. They are not using OPAQUE, they are using Secure Remote Password (SRP) protocol which is conceptually just like OPAQUE but has an extra leg of communication and does not have a security proof. I could have used SRP too, but I chose to use the newer OPAQUE which is still in an RFC draft, now in 11th iteration.

See page 35,36 of this document, which describes Apple security in 2014:
https://www.apple.com/mx/privacy/docs/iOS_Security_Guide_Oct_2014.pdf

Quote
# Escrow security

iCloud provides a secure infrastructure for keychain escrow that ensures only authorized
users and devices can perform a recovery. Topographically positioned behind iCloud
are clusters of hardware security modules (HSM). These clusters guard the escrow
records. Each has a key that is used to encrypt the escrow records under their watch,
as described previously.

To recover a keychain, users must authenticate with their iCloud account and password
and respond to an SMS sent to their registered phone number. Once this is done, users
must enter their iCloud Security Code. The HSM cluster verifies that a user knows his or
her iCloud Security Code using Secure Remote Password protocol (SRP); the code itself
is not sent to Apple. Each member of the cluster independently verifies that the user has
not exceeded the maximum number of attempts that are allowed to retrieve his or her
record, as discussed below. If a majority agree, the cluster unwraps the escrow record
and sends it to the user’s device.

Next, the device uses the iCloud Security Code to unwrap the random key used to
encrypt the user’s keychain. With that key, the keychain—retrieved from iCloud key
value storage—is decrypted and restored onto the device. Only 10 attempts to
authenticate and retrieve an escrow record are allowed. After several failed attempts,
the record is locked and the user must call Apple Support to be granted more attempts.
After the 10th failed attempt, the HSM cluster destroys the escrow record and the
keychain is lost forever. This provides protection against a brute-force attempt to
retrieve the record, at the expense of sacrificing the keychain data in response.

In summary, Apple considers 4 digits to be secure enough, just like a bank.

When you argue that a 4 digit PIN is too short, are you arguing that a conventional password in its place would also be too weak? In that case, you are challenging the security of SRP and OPAQUE protocols, not merely Crosspass.

If you are not comfortable with 4 digits, then you can transfer 3 random keys, then combine them (by e.g. SHA or XOR) to get a new key. This way you increase the difficulty of guessing to that of a 12-digit password. That's 11.5 x 3 = 35 coin flips which the MITM must guess in 1 attempt. Using Crosspass 3 times in a row is still easier than PGP or Diffie-Hellman.

If you want an open source tool implementing OPAQUE, my patent would not stop you. My patent, in fact, does not limit to OPAQUE use, but says that any PAKE (Password Authenticated Exchange) can be used. So what is my innovation then, and why was I given a patent? My innovation is that I put it into a mobile phone form-factor. From the patent's abstract,

Quote
This invention enables asynchronous encrypted communication under a protection of a simple password which must be communicated out-of-band. The password is easily communicable in-person, by telephone or by a text message. The invention assumes that one of the parties has an online device, such as a smartphone. After the encrypted session has been established, it can be used for a variety of cryptographic applications, such as encrypting or decrypting messages, sharing of cryptographic keys, and verifying data. The invention also has the secondary benefit of authenticating both parties to each other.

About the bugs:

One thing I know that Crosspass has bugs currently:

- Crosspass is still Beta.
- The iOS version is more stable than the Android version. 
- We are working on the bug found by @dkbit98 to improve error message, so that we can see what actually happened (I suspect it was related to app permissions).
- Known bugs are likely UI only and have no security implications. The encryption itself is implemented in Go and is plugged into both iOS and Android apps as a library.  Doing it this way allows testing the encryption offline, outside the app, by unit tests.

Board Project Development
Re: Crosspass - a simple way to share passwords, encryption keys, banking info
by
frisco2
on 10/09/2023, 04:24:41 UTC
Most notably the fact that it is a black box for the user what happens under the hood. Too much trust required. For me to ever consider something like this, it would have to be open source.

If I wanted to share private information, I would likely use OnionShare which is open source and rather easy to use.

If you want an open source tool, then you can use this free Diffie-Hellman exchange tool I made three years ago. It is a webpage that can be run locally as `file://` to protect from Javascript backdoors. Simply use "Save As (Webpage, Complete)" in the browser and save it. It's designed to be run locally.  The code is simple to review fully, since it merely wraps browser's native libraries.

https://borisreitman.com/privacy.html

I have made Crosspass because as simple as that tool is, it is still too difficult for non-techies.
Board Project Development
Re: Crosspass - a simple way to share passwords, encryption keys, banking info
by
frisco2
on 09/09/2023, 15:50:05 UTC
That's different than what you said on your website:
Quote
note that the Lookup ID is not secret, so you can make it public without any loss of privacy.
This makes it look like you can post the Lookup ID on social media, while it's something to be kept a secret.

By public I meant an insecure channel between two people, but not tweeting it. (If it's tweeted, then some jerk can try to access it with 3 invalid PINs and lock the note.) I have updated the website with a clearer explanation to the question "Do I need to send the PIN by another channel?"

Quote

You can send both the Lookup ID and PIN together. However, if you are communicating over an insecure channel and you need to refer to the share, you can refer to it by the Lookup ID.

For example, Alice writes in an email to her cat sitter Bob:

Quote
Hey Bob,

Thanks again for agreeing to feed my cat Luna. You are a lifesaver!

I am sending you the WiFi password in note XYZC, and the gate code in note QCTY.
You will need to use the Crosspass app to get them. Text me when you are at the gate.

Feel free to hang out at my place, Luna could use the company.

Hugs,
Alice

Then, once he arrives at the gate and texts her,

Quote
I am at the gate and I have Crosspass. What’s the PIN?

She texts him,

Quote
XYZC 1935
QCTY 0382
Board Project Development
Re: Crosspass - a simple way to share passwords, encryption keys, banking info
by
frisco2
on 09/09/2023, 04:52:13 UTC
Again: I'd much rather trust Protonmail than installing unknown software. If Protonmail ever compromises their core principles, they won't survive.

Lavamail chose to shutdown instead of fooling its users and keep silent under a gag order. It was a USA corporation. Can't this happen in Switzerland? I think it can, because USA forced Swiss banks to close American accounts and to reveal all account activity to American authorities.

Also, as much as I value privacy, I value and respect the judicial system. The reason? Civilized society is set up to protect privacy, at least in principle. So if police want data on someone and they come to me with a court order, it is my principle to respect the law and to comply with the request.  However, if I simply can't help because of the way the protocol is implemented, I do well by both the law and by the privacy of clients.  In contrast, Protonmail, Signal, WhatsApp, et al. could MITM any user by issuing rogue public keys. Crosspass is safer because in order for the Crosspass server operator to MITM a client, he would have to guess the PIN, which is as hard as guessing 12 coin flips.

Quote
The difference is that a bank also requires a piece of hardware to go with the PIN. If the Lookup ID is public, that's like handing out your bank card to random strangers to try their luck.

What's the difference, if in total only three attempts are permitted? Does it matter which three people use up these attempts? The bank is happy with a 4-digit PIN because it can limit the number of attempts.  Long passwords are needed only when a brute force attack cannot be prevented (when password hashes are leaked).

Crosspass is relying on the OTP model for authentication. In common usage OTPs are short and yet they unlock a person's account. Why is this safe? The time limit on the OTPs prevents theft through shoulder surfing or internet traffic harvesting.  The limit on tries prevents brute forcing. (You can achieve the former with Crosspass by deleting a share after 5 minutes.)

Quote
If you've installed malware, it's safe to assume it's still there after you try to delete it. That's why I don't like installing unknown software outside a controlled environment (such as a VM or spare laptop). I've setup my spare laptop to wipe and reinstall it in minutes, and I use this when dealing with untrusted Forkcoin wallets. I can't do that on my phone, and even spare phones are less easy to properly wipe and use again.

I understand this, but the recipient to whom you are sending sensitive stuff most likely will not. It takes two to tango. If the recipient is a busy accountant, realtor, or a lawyer, he will not do all this work. So if we are to have any adoption of secure practices, we need to package it in a form-factor they will use without friction.

The other issue is: are you willing to keep your laptop online until you establish a shared key by Diffie-Hellman? The choice to put Crosspass on a smartphone was made because it is always online, like a personal server in a pocket. Twenty years ago people kept their desktops online, serving a website from it. With the prevalence of laptops this ended while computers which are always online had moved to the cloud.

Quote
The problem is still the same: there will be a 3 in a million chance for someone to find the private key I sent. That's an unacceptable risk.
  • Not just any someone, it would have to be someone who is a MITM. Otherwise, you will know the key was stolen if your friend has not received it. Crosspass will release the shared secret only once, and expire the PIN.
  • Then send a public key, not a private key: establish a private key by Diffie-Hellman (DH) and verify the public keys by Crosspass to ensure that there was no MITM in the Diffie-Hellman exchange. (You can do this in practice with the Signal app by sending Signal's Safety Numbers by Crosspass.) 

    In any case, if you do transfer a private key by Crosspass and it is used to initialize a Signal protocol chat, then one chat round (e.g. "Hello Alice" and "Hello Bob") are sufficient to establish a new Diffie-Hellman key, essentially using the original private key only for authentication.


Quote
I've never used Google's app payment system, and I never will. Again, I guess I'm not the average user here, but I refuse to pay for small pieces of software on a small screen when I have complete open source operating systems with loads of software at my disposal free of charge.

Crosspass one day will be a free of charge CLI which you can install with Apt or Brew, from source. That will cover the cool cats, but what about laymen? As mentioned above, most other people who receive or send stuff to you will not be able to use it in this form.

End-to-end encryption was almost non-existent in adoption until WhatsApp. In order to make encryption habitual, it must be put into a form that everyone can use. This was my design goal with Crosspass.
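
The access policy frisco2 describes in this post and in the earlier one about locked notes (a non-secret lookup ID, a 4-digit PIN, three invalid attempts before the note locks, one-time release, optional expiry after a few minutes), modelled as a small Python store. This is an added illustration written for this page, not Crosspass's code; the plain PIN comparison stands in for the OPAQUE PAKE verdict, since in the real design the server never sees the PIN. The probability helpers reproduce the 3-in-10,000 and coin-flip reasoning from the thread.

```python
import math
import secrets
import string
import time

# Parameters as described in the thread (constructed model, not Crosspass code).
MAX_FAILURES = 3        # the third wrong PIN locks the note
PIN_DIGITS = 4
LOOKUP_LETTERS = 4      # case-insensitive letters, 26**4 = 456,976 IDs


class ShareStore:
    """One-time secret store keyed by a public lookup ID and protected by a PIN.

    The PIN check below is a plain comparison that stands in for the PAKE
    verdict: with OPAQUE the server learns only whether the attempt succeeded,
    never the PIN itself. Everything else (attempt counting, one-shot release,
    expiry) is the server-side policy the posts describe.
    """

    def __init__(self, clock=time.time):
        self._shares = {}
        self._clock = clock  # injectable so expiry can be tested offline

    def create(self, secret, ttl_seconds=None):
        # Lookup IDs only need to be unique, not secret; the PIN carries the security.
        while True:
            lookup_id = "".join(secrets.choice(string.ascii_uppercase)
                                for _ in range(LOOKUP_LETTERS))
            if lookup_id not in self._shares:
                break
        pin = f"{secrets.randbelow(10 ** PIN_DIGITS):0{PIN_DIGITS}d}"
        expires = None if ttl_seconds is None else self._clock() + ttl_seconds
        self._shares[lookup_id] = {"secret": secret, "pin": pin,
                                   "failures": 0, "expires": expires}
        return lookup_id, pin

    def retrieve(self, lookup_id, pin):
        """Return (secret, status). The secret is handed out at most once."""
        key = lookup_id.upper()
        entry = self._shares.get(key)
        if entry is None:
            return None, "unknown-or-consumed"
        if entry["expires"] is not None and self._clock() > entry["expires"]:
            del self._shares[key]
            return None, "expired"
        if not secrets.compare_digest(entry["pin"], pin):
            entry["failures"] += 1
            if entry["failures"] >= MAX_FAILURES:
                del self._shares[key]   # locked: someone with only the ID can deny service, not read
                return None, "locked"
            return None, "wrong-pin"
        del self._shares[key]           # correct PIN: release once, then the note is gone
        return entry["secret"], "ok"


def online_guess_probability(pin_digits=PIN_DIGITS, attempts=MAX_FAILURES):
    """Chance that an attacker holding only the lookup ID opens the note."""
    return attempts / 10 ** pin_digits


def coin_flips_equivalent(probability):
    """How many fair coin flips an attacker would have to call correctly."""
    return math.log2(1 / probability)


if __name__ == "__main__":
    store = ShareStore()
    lookup_id, pin = store.create("wifi: correct-horse-battery", ttl_seconds=300)
    print(f"note {lookup_id} protected by PIN {pin}")
    print(store.retrieve(lookup_id, pin))       # ('wifi: ...', 'ok')
    print(store.retrieve(lookup_id, pin))       # (None, 'unknown-or-consumed')
    p = online_guess_probability()
    print(f"{p:.4f} success chance, about {coin_flips_equivalent(p):.1f} coin flips")
```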

Board Project Development
Re: Crosspass - a simple way to share passwords, encryption keys, banking info
by
frisco2
on 07/09/2023, 21:54:14 UTC
Quote
Can we pay this $1 with Bitcoin or only with fiat currencies?

Apple and Google do not allow this for mobile apps. They also don't allow cheating (i.e. charging off the app and then using some kind of coupons).  But if they will eventually add a feature to pay for in-app purchase by crypto, then you will be able to.

This won't be an issue when Crosspass is released as a desktop app, and in this case it would accept directly a crypto payment.
Quote
If I had to receive Bitcoin address from someone and this guy told me that first I have to install new app on my phone, I would immediately think that this guy is a scammer.
I have seen way too many real life cases of people getting scammed like this with fake apps, so I would probably refuse to install anything.

This happens rarely in iOS and with time Play store will up its game.

Quote
There is a chance I would use something like this if Crosspass was integrated in some messenger used for private conversation.

Yes, I am also exploring this direction. But the standalone app will continue to exist in any case.
Board Project Development
Re: Crosspass - a simple way to share passwords, encryption keys, banking info
by
frisco2
on 07/09/2023, 16:38:57 UTC
I was hoping the site itself would be enough, but it asks me to install software on my phone.

End-to-end encryption in web browser is not possible. Protonmail, Hushmail etc. are subject to Javascript backdoors. Hushmail actually backdoored itself and documented it. https://www.wired.com/2007/11/hushmail-to-war/


This is a lot more complicated than using Protonmail to send a password to another Protonmail user. Protonmail uses end-to-end encryption by default without sending codes and passwords, and can also set an expiration time.

Besides the web issue, the same critique I have in the FAQ on WhatsApp applies to Protonmail. You have to trust the public key that Protonmail gives you for the recipient, and so it can easily position itself as a MITM.  That, unless you check key fingerprints against the recipient's. But if you have to do this, it is no longer an easy process. (How would you check them? You would need something like Crosspass for that.)

Quote
..
If I really, really have to share something encrypted online, I'd prefer Protonmail.
...
If someone tells me to install an app to receive a code, I'll tell them to use something else. I don't even install apps from my bank.

Yet, you would expect the recipient to sign up with Protonmail? I think that a recipient is more likely to install an app than create an account online somewhere. He knows that he can easily delete it as soon as he is done using it. Also, you would need to wait for the recipient to sign up with Protonmail before you can compose a message to him.

Quote
So if someone knows your Lookup ID, there's a 3 in 10,000 chance they can read your message. I wouldn't trust that for sending a credit card number, and it's much worse when dealing with Bitcoin private keys.

3 out of 10,000 is like 1 out of 3333, which is harder than guessing a sequence of 11 flips of a coin.  I thought that if it's good enough for a bank, it's good enough for Crosspass. I could have made the PIN 6 digits long and it would still be user friendly because OTPs now are commonly a pair of 3 digits. But I am not convinced it's necessary.  (If there is real demand for a six digit PIN, I could incorporate it as a future feature.)

Quote
If it's not going to be open source, you can always add a backdoor later.

Every version will be reviewed just before it's published to the App store and Play store. There would not be a need to review everything from scratch, just need to review the changes to source code since previous release.

Crosspass does not compete with WhatsApp, Signal, Telegram Secure Chat or Protonmail, Hushmail.  Keep using those systems, but use Crosspass to verify the public keys in order to secure those systems.

Board Project Development
Merits 8 from 4 users
Re: Crosspass - a simple way to share passwords, encryption keys, banking info
by
frisco2
on 07/09/2023, 09:33:59 UTC
⭐ Merited by LoyceV (4) ,klarki (2) ,yhiaali3 (1) ,dkbit98 (1)
I know you'll tell me it's safe and that it's "encrypted end to end". But how can I be confident that the program does not store passwords and encryption keys and keep them in the database after sharing them?

As you know there was a major incident related to this particular point and sensitive user data was seized due to it being saved and not deleted.

I have just open-sourced the code that deals with persistence of data locally on the phone. All sensitive data is stored in encrypted form. The encryption key never leaves the device because it is stored in Secure Enclave.  This is necessary so that the data doesn't leak through iOS / Android recovery backups.

https://github.com/entelecheia-inc/ios-excerpts
https://github.com/entelecheia-inc/android-excerpts

Of course these excerpts do not guarantee that I call these functions consistently, but it will give you an indication of what is going on.

Also, I blank the screen when the app is swiped, so that iOS/Android doesn't grab the displayed sensitive text in the optimization screenshot.

@NotATether: I am sending you a PM about arranging the code review.