Thread by L0la L33tz

twitter.com
1 Recommender
1 Mention
Recommend
Post
Save
Complete
Collect
Thread
For months people have voiced concerns around #PLEBNET’s privacy infringing practices. Since all concerns have been downplayed as FUD, here’s an in-depth data analysis instead. A mega thread
#PLEBNET encourages the use of the Telegram bot #CheeseRobot in order to create pretty graphs of connectivity. For example, we all know this pretty graph of which #PLEBNET is extremely proud.
Unfortunately #CheeseRobot saves all graphs, userIDs, GroupIDs and NodeIDs on a database which is not „internal“, as claimed by the #PLEBNET wiki, but *public*; This allowed us to make some pretty graphs of our own.
Below is an anonymized graph of *ALL* #Cheeserobot users *incl. private groups*., including TG handles, UserIDs, NodeIDs and groupIDs. Yellow dots represent groups, dark blue dots represent users, light blue dots represent nodes.
By correlating UserIDs, Group IDs and NodeIDs, we were able to build graphs of *every* #PLEBNET #Cheeserobot user, showing us what other (*PRIVATE*) groups that use #Cheeserobot these users are in. Here’s an anonymized example of one users group activity.
Having established who is in what groups with whom, we were also able to correlate what users have strong social connections with each other, allowing us to guess for private channels, if no public ones exist.
We further not only have access to all users NodeIDs, GroupIDs and UserIDs, but also to all users Telegram handles, as #Cheeserobot resolves IDs; Bypassing the Telegram API’s restrictions in place for, you guessed it, *privacy reasons*.
Connecting your node to your TG connects it to your phone number. The feature exists to hide your phone # on Telegram but it's likely to assume that governments are in possession of it nevertheless; And with #PLEBNET and #Cheeserobot, they’re now also in possession of your NodeID
The argument could be made that Telegram features end-to-end encryption, but groups are not end-to-end encrypted. In addition, the server encryption of telegram is not open source, so it’s unclear wether stored info is encrypted as promised.
The concern of #PLEBNET’s terrible privacy practices, however, does not stop here. For example, sharing NodeIDs and invoices in public channels also provide third parties with insights into your node behavior…
…and give the option of path probing: sending intentionally failing invoices to see the distribution of funds between the parties transacting. Then there’s the concern of opening channels with random people you’ve met on the Internet, because
In #PLEBNET, nobody knows you’re chainalysis.


Another is recommending the use of closed source software as the #Cheeserobot, as we do not know what else #Cheeserobot is up to in the mean time…
While claiming that TOR fully deanonymizes your Internet traffic, not knowing that global passive adversaries as nation states are still able to resolve your communication paths via timing analysis; But these concerns may be subjects for another tweet storm in the future.
Why are we sharing all this information with you? Because if we don’t have privacy in #Bitcoin, #Bitcoin will end up being a a highly efficient financial surveillance technology. It’s essential for new users to be educated on the risks of data analysis practices.
#Bitcoin may be the only chance we get to shift power to the people. New outlets teaching people about #Bitcoin and #Lightning must be held responsible to add emphasis on privacy concerns, which #PLEBNET is continuously failing to do.
Instead, #PLEBNET exposes its members to a whole variety of security risks while engaging in the most irresponsible adoption-at-all-costs marketing campaign to get rekt on the internet which we have seen since the dawn of #Lightning.
We hope this thread has opened at least some peoples eyes to the privacy concerns around #PLEBNET and #Cheeserobot, and that community members will begin to foster serious discussion around the privacy implications of their undertakings.
The Public index of the #CheeseRobot server has been set private after we engaged in ethical disclosure, but the data remains online. The owner of #CheeseRobot has not closed the privacy leak since, and it is unclear wether he will in the upcoming version.
Muchas gracias to my anon co-conspirators, this was a lot of fun 🧡
Mentions
See All