🆕 Software Suggestion | BCM #1641

Closed
opened 2020-01-09 04:14:25 +00:00 by Tamnac · 7 comments
Tamnac commented 2020-01-09 04:14:25 +00:00 (Migrated from github.com)

Basic Information

Name: BCM - Blockchain Messenger
Category: Real Time Communication
URL: https://github.com/bcmapp, https://bcm.social/index.html

Description

A supposedly secure and private messenger. Uses 256 AES encryption and apparently blockchain. Does not require an account to use.

I am aware this has been suggested before, before the source code was available and when their privacy policy was hard to access. It is now open source (linked above). Privacy Policy: https://bcm.social/license/policy.html (Available from app and website)

fee commented 2020-01-09 21:44:57 +00:00 (Migrated from github.com)

They collect info from 3rd parties, couldn't that be a bad thing?
I do not really like their privacy policy that much, for me something I won't use!

Tamnac commented 2020-01-10 02:03:50 +00:00 (Migrated from github.com)

Could be. The only data they seem to collect is "information about how many users are active in the products and what feature they use more", which doesn't seem too bad.

Mikaela commented 2020-01-11 22:02:30 +00:00 (Migrated from github.com)

I am not looking into this further at the moment, but my previous comment from #1059:

> I am worried about it being a "blockchain based messenger" which by definition means that all messages are stored forever and are also publicly available just waiting for the day, its encryption can be broken.
>
> The privacy policy also doesn't reassure me, I am not going to register an account without seeing it.
>
> > Q: Does BCM have a privacy policy?
> > You can view our detailed Privacy Policy when registering for a BCM account.
>
> > Q: Will BCM open source?
> > BCM is planning to open source, and we will gradually disclose source code of BCM to the public.
>
> * https://bcm-im.com/keys_faq/index.html
>
> Please request reopening after at least these two issues are fixed, Telegram has also been promising open sourcing their server for years.

Mikaela commented 2020-01-15 15:50:00 +00:00 (Migrated from github.com)
  • BCM appears to be unavailable through F-Droid. https://github.com/bcmapp/bcm-android/issues/2
  • Their git repository is as poor quality as Telegram Android. https://github.com/bcmapp/bcm-android/commits/master , they appear to use `git commit` as `git tag` so I don't think anyone can reasonably audit their code, especially if they are going to keep up doing changes of over a thousand lines in one commit.
    • They have a link to iOS app, where is its source code?
  • Their download page has MD5 checksum (broken ages ago) https://bcm.social/download.html while SHA1 (which is a step up) has been broken recently too. They also haven't signed the hashsum that I can see.

I am not going to read their privacy policy right now, but I recommend avoiding BCM and not listing them on PrivacyTools. Based on all the times I have looked into it, I advise waiting for them to get an independent security audit before considering listing them again.

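The checksum point in the comment above, as an added example that is not part of the original thread or of BCM's code: a verifier for a `sha256sum`-style manifest that refuses MD5 and SHA-1 entries instead of checking them. The file names and sample bytes are constructed, and the manifest is assumed to have been authenticated separately (for example with a detached signature), since an unsigned checksum only detects accidental corruption.

```python
import hashlib
import hmac

# Hex digest length -> hashlib algorithm name. MD5 and SHA-1 are recognised
# only so they can be rejected with a clear reason.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
WEAK = {"md5", "sha1"}


def parse_manifest(text):
    """Parse 'HEXDIGEST  FILENAME' lines (sha256sum-style) into a dict."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # '*' marks binary mode in coreutils output
        digest = digest.lower()
        algo = ALGO_BY_HEX_LEN.get(len(digest))
        if algo is None or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"unrecognised digest for {name!r}")
        entries[name] = (algo, digest)
    return entries


def verify(name, data, manifest):
    """Return (ok, reason) for one downloaded artifact.

    Assumption: the manifest's own authenticity was already checked.
    """
    if name not in manifest:
        return False, "not listed in manifest"
    algo, expected = manifest[name]
    if algo in WEAK:
        return False, f"{algo} is collision-broken; refusing to trust it"
    actual = hashlib.new(algo, data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "digest mismatch"
    return True, f"{algo} digest matches"


# Constructed sample: fake artifact bytes, one MD5-length entry (placeholder
# value) and one real SHA-256 entry.
SAMPLE_APK = b"constructed sample bytes standing in for a release APK\n"
SAMPLE_MANIFEST = "\n".join([
    "00112233445566778899aabbccddeeff  app-md5.apk",
    hashlib.sha256(SAMPLE_APK).hexdigest() + "  app-sha256.apk",
])
```
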
Perelandra0x309 commented 2020-01-25 13:24:10 +00:00 (Migrated from github.com)

> I am worried about it being a "blockchain based messenger" which by definition means that all messages are stored forever and are also publicly available just waiting for the day, its encryption can be broken.

The messages are not stored in the blockchain at all. The underlying server infrastructure runs on blockchain, and blockchain tokens are used as "payment" for the BCM app to interact with the servers. These payments are strictly transactional, they allow the BCM app to send and receive messages. The actual messages themselves never interact with the blockchain.

For details you can read chapter 7 of their whitepaper, and specifically sections 7.3.3 and 7.4.1.
https://arxiv.org/abs/1812.08017

5a384507-18ce-417c-bb55-d4dfcc8883fe commented 2020-02-24 13:31:38 +00:00 (Migrated from github.com)
BCM is dead. https://postimg.cc/3dWTwGmp
Mikaela commented 2020-02-24 16:08:22 +00:00 (Migrated from github.com)

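> BCM is dead.
>
> https://postimg.cc/3dWTwGmp

![IMG-20200224-044153-817](https://user-images.githubusercontent.com/831184/75168993-761ed400-5730-11ea-88ef-014c2a8f0235.jpg)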

reupload on GitHub in case the link goes down. I am a bit surprised about this development, but I guess this is good news so I don't have to post the same critique every time someone mentions it although it would probably have been preferable if they had fixed the complaints instead.

Reference: privacyguides/privacytools.io#1641