
/tech/ - Technology



 No.1022889>>1022950 >>1022955 >>1023059 >>1023074 >>1023862 >>1025003 >>1026566 >>1036987 >>1046896 >>1047098 >>1047107

another proof of Tor Project being owned by CIA

https://trac.torproject.org/projects/tor/ticket/28838

>This function is currently around 9% of our startup time, and it does a bunch of curve25519 operations. We could make it a bunch faster, since our curve25519_basepoint function has not been observed to fail in the wild.

>Resolution: → implemented

https://trac.torproject.org/projects/tor/ticket/28851

> After the #28837, #28838, and #28839, I note that we're now spending about 24% of our startup time in crypto_validate_dh_params().

>Since our diffie hellman parameters are hardcoded, maybe we don't actually need to validate them on every startup, especially on clients?

>Resolution: → fixed

they trade performance over security. they implement tiny performance gains at expense of security, privacy of users

maybe someone orders them to do that

TOR PROJECT IS COMPROMISED, DO NOT TRUST THEM

 No.1022891

brb, uninstalling Tor Browser, installing Google Chrome instead, to be safe


 No.1022893>>1024655

>ever trusting (((Tor))) in the first place

Search "PTHC" on Google Chrome and wait for the glow-in-the-darks to show up and fuck your ass


 No.1022922>>1022947 >>1022948 >>1022991 >>1025003 >>1046896

Anything using C can't be related to performance or security. If this check is really unnecessary, 1970s optimization techniques would be able to turn that check into "true" at compile time, but this is written in C and the semantics of C are "gee, I don't know, whatever the PDP-11 compiler did." This is another example of C and UNIX weenies taking a big shit on decades of computer science. Browsers are also tens of millions of lines of code because web "standards" are made in the UNIX style of hacks and kludges instead of being designed by smart people.

https://github.com/nmathewson/tor/blob/68c52f2e7c202782c67479d489bd30f5466fe1b3/src/lib/crypt_ops/crypto_dh_openssl.c#L53

Looking at the code, it's just a simple usage of bignums, which Lisp could evaluate at compile time. This could even be a compile-time error if it's false.

Speaking of C and UNIX sucking, I got this error when looking at those links.

>The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.

>Apache Server at trac.torproject.org Port 443

Subject: Think how much faster and more efficiently this
smaller program is able to trash the filesystem compared
to a bloated AI-weenie one (which would all its time
checking for uninitialised variables, doing bounds
checking, allocating and freeing storage, actually caring
about exceptional cases, signalling errors, etc.)


Sender: MY

From: KB
Newsgroups: comp.bugs.4bsd.ucb-fixes
Subject: V1.92 (4.3BSD-Reno fsck fix)
Date: 14 Dec 90 00:10:24 GMT
Organization: University of California at Berkeley
Subject: 4.3BSD-Reno fsck fix


Description:
There is an uninitialized variable in the version of fsck(8)
distributed with 4.3BSD-Reno which can cause fsck to destroy
the file system instead of repair it. Note, this problem is
ONLY found in 4.3BSD-Reno systems.

Fix:
Apply the following patch:

[...]


 No.1022947

>>1022922

>I got this error when looking at those [OP] links

http://archive.fo/ufZH4

https://archive.vn/8Njlu

All up for me.


 No.1022948>>1022949 >>1023013

>>1022922

Lisp users are like a cuck of the computing world. You sit in the corner whining with your little weenies while C programmers dominate your computers.


 No.1022949

>>1022948

You know I shouldn't have said Lisp users because most of you don't even use any software written in Lisp. Lisp fanboys it is.


 No.1022950

>>1022889 (OP)

So what's the alternative? A botnet browser that has a completely unique fingerprint? No thanks, not going to go to something even worse.


 No.1022951>>1022958

Use i2p? I've been using it for some time now, mostly to listen to pirate radio and get some free shit, but I would recommend it if TOR has gotten too gay for you


 No.1022952>>1022954 >>1047237

I was screwing around with ipfs yesterday - I think that its just a file brotocol sysdem, but to have a larger and larger user-base would basically negate the need for what was intended by tor.

using i2p in conjunction with ipfs sounds redundant to me, but it breddy much guarantees anonymity imo

amirite?


 No.1022954

>>1022952

QmS3Yg1BJM5Y6c97VjqLE2Ua9DsMfMrPPnxHcuLR3ZpeBs very_important


 No.1022955>>1022957 >>1023028

>>1022889 (OP)

>another proof of Tor Project being owned by CIA

It's no such thing.

>they trade performance over security. they implement tiny performance gains at expense of security, privacy of users

Nothing about these changes compromises the security or privacy of users. Do you even understand the changes that were made? If not, you have no basis for making the claims you have. If you do, please explain, with details from the code, how these changes decrease the security and privacy of users.

Or fuck off, LARPer.


 No.1022957>>1023059

>>1022955

>FBI has managed to infiltrate just about every single organization on their watchlist

>but it's absolutely impossible that the CIA has infiltrated the TOR project


 No.1022958>>1023074 >>1037211

>>1022951

I was talking about browser/device fingerprinting. At bare minimum if I were to use another browser I would have to have javascript disabled 24/7 yet I still could be fingerprinted to specific browser, on specific os, connecting from specific anonymity network at certain times. And that would be a sample of max few thousand users in best case scenario. Now if I install browser plugins or use a browser that is not common, or visit sites/content that aren't common I have completely unique fingerprint.

Also browsers like firefox by default send your browsing history to OCSP servers and unique hash of downloads to google. It's a game of whack-a-mole with you never knowing how firefox will try to fuck you over next time.


 No.1022991

>>1022922

>Anything using C can't be related to performance or security.

Found the rust shill


 No.1023013

>>1022948

XPde is a good lisp program...

but 1/2 the functionality is broken on 64 bit systems... somehow


 No.1023014

Reminds me of the time, for years, a game engine would load the same assets on connect and mapload. 2x the time for no reason. Was eventually fixed.


 No.1023028>>1023059 >>1023061

>>1022955

I do think not verifying the hard coded DH params at boot could be a security risk, what if spooks manage to change them to weaken encryption and there's nothing checking that?


 No.1023059

>>1022889 (OP)

>they trade performance over security

Not using 1GB keys is "trading performance over security".

You need to make a cutoff somewhere.

>>1022957

Learn to read nigger, absence of proof is not proof of absence.

>>1023028

>what if spooks manage to change them

At that point they could also hex edit the validation code to always return true.


 No.1023061

>>1023028

>What if spooks manage to change them?

Then you're fucked, kiddo. At that point they could modify arbitrary code, and wouldn't even bother messing around with tor.


 No.1023074>>1023085

>>1022889 (OP)

>tor is fucked

TorFork or I2P migration.

Any Tor forks or better, anons?

>>1022958

>OCSP privacy issue

Disable OCSP. That's what Tor does.


 No.1023085>>1023285

>>1023074

>Disable OCSP

Then the Certificate Authorities (CAs) know your metadata instead, you dumb fag.


 No.1023285>>1023366

>>1023085

>Disable OCSP

>Then the Certificate Authorities (CAs) know your metadata instead, you dumb fag.

How? Can you explain?

and what's OCSP?


 No.1023366>>1023419

File: hqdefault.jpg (14.32 KB, 480x360)


 No.1023419>>1023445

>>1023366

Yeah nigga, FUCK WHITE PEOPLE!


 No.1023445>>1023688

>>1023419

you stupid newfag that song is called OPP it's about hacking that's why they sing "you down with OPP?" because it means Other People's Pc's which is what they are hacking


 No.1023685

I don't trust Tor Project


 No.1023688

>>1023445

Didn't watch the vid.

But it sounds like you're talking about McHawkings


 No.1023862

>>1022889 (OP)

>Since our diffie hellman parameters are hardcoded, maybe we don't actually need to validate them on every startup

>at expense of security

how?


 No.1024655

>>1022893

they showed up and watched me fuck my own ass instead


 No.1025003

>>1022889 (OP)

>autistic thread about how Tor is compromised

>>1022922

>anti-Unix fag comes in and drops a huge derailment shitpost


 No.1025758>>1025882

so Tor is compromised now?


 No.1025882

>>1025758

no, learn2read


 No.1026554>>1026562

TOR is staffed by ex-NSA employees with falsified identities


 No.1026562

>>1026554

>says the NSA shill


 No.1026566

>>1022889 (OP)

>startup time

so no real visible performance improvements then.


 No.1036985>>1037080

LOOK AT THIS /pol/TARD

http://archive.fo/7nKHe


 No.1036987>>1037064 >>1037962 >>1037970

>>1022889 (OP)

No shit.

>doesn't ship with uBlockOrigin

>doesn't ship with uMatrix instead of noscript

>has js enabled by default


 No.1036994

This thread was shit in January, it was shit in February, and now somebody has managed to drag the shit into March. Neato. It was frozen shit before. Soon, spring will arrive, and the shit will melt and smell up the whole place. April here we come!


 No.1037064>>1037075 >>1037962

>>1036987

Not to mention

>instead of disabling JS by default, they patch 192857192487 little leaks in the JS engine

Why do the simple and correct thing when you can do busy work, right?


 No.1037075>>1037099

>>1037064

Patching leaks is still a good thing, but yes they should enable the highest privacy profile by default.


 No.1037080

>>1036985

can you say what is wrong with his claims?


 No.1037099

>>1037075

Patching leaks in a sieve is a complete waste of time on par with maintaining a malware blacklist and it easily eats up most of their development. Ironically, I'm pretty sure Appelbaum criticized exactly that (something like "most of our time is spent on a firefox fork while hidden services still don't work"), but I can't find the log pastebin now, years later. Always save everything.


 No.1037211

>>1022958

>browser fingerprinting

Just accept a different browser fingerprint for each persona and never cross them.


 No.1037962

>>1036987

>>1037064

Ironically, they could just remove noScript and add uBlock Origin but have it pre-configured so that it disables JavaScript by default and has the "advanced features" enabled to let users unblock specific JavaScript sources. uBlock is then essentially noScript+ad block+domain blocker, just with an easier interface. Tor devs said once that the only reason they aren't including uBO in the bundle is because it updates hosts files automatically and has multiple sources, which is an easy to solve problem.


 No.1037970>>1038048 >>1038097

>>1036987

Tor Browser is also used to evade censorship in certain countries to access websites such as youtube, facebook etc. so javascript needs to be turned on by default. This is the official rationale for keeping javascript on by default:

> The existing way that the user expects to use a browser must be preserved. If the user has to maintain a different mental model of how the sites they are using behave depending on tab, browser state, or anything else that would not normally be what they experience in their default browser, the user will inevitably be confused. They will make mistakes and reduce their privacy as a result. Worse, they may just stop using the browser, assuming it is broken.

>User model breakage was one of the failures of Torbutton: Even if users managed to install everything properly, the toggle model was too hard for the average user to understand, especially in the face of accumulating tabs from multiple states crossed with the current Tor-state of the browser.


 No.1038048>>1038093 >>1038097 >>1038116

>>1037970

but won't increasing the security level to turn off javascript change your fingerprint to a much less common one? I'm sure that most people use it with the default setting that has js enabled so the paranoid people here would have a different fingerprint


 No.1038093

>>1038048

What is the meaning of having a unique browser fingerprint when nobody knows who you could possibly be when you are using Tor?


 No.1038097

>>1037970

>the users have come to expect being fucked in the ass in the name of convenience, so better not change that

>even though he went out of his fucking way to install tor

I hate this meme.

>>1038048

No, because the vast majority of fingerprinting techniques only work because of Javascript. Without it, you have much less to go by.


 No.1038116>>1038119

>>1038048

Without JavaScript you're just a generic <insert OS here> user. With JavaScript there's a lot more information given, plus js exploits can be used to not only identify you but also infect you with malware.


 No.1038119>>1038126

>>1038116

Note that even the OS part can be hidden easily if you disable/replace the user agent string, though note that if you replace it with something dumb, you obviously stand out more. Also some sites break/block clients without UAS. I can recommend HTTP Header Mangler for this.


 No.1038126

>>1038119

Reminder that your actual OS/architecture can be detected even if you spoof the user agent, but only if you have js enabled.

https://panopticlick.eff.org

https://browserleaks.com/


 No.1046354

The only problem I see here is that DH params are hardcoded.

I hope tor devs change them regularly.

https://weakdh.org/


 No.1046896

>>1022889 (OP)

>we should check 3 numbers at runtime for no reason because we're too retarded to be trusted to get it right at compile time

damnit /pol/

>>1022922

Uhh what does DH_set0_pqg do? Is this like RSA where you have to check if numbers are coprime and shit? I don't think any optimizer can remove these. If you're just thinking of some retarded shit like evaluating it at compile time, that will just transfer runtime delay to compile time delay (which could be hours depending on the application).


 No.1046998>>1047029

Next, you'll tell us that we shouldn't get VPNs because that's what the NSA wants.


 No.1047029>>1047042

>>1046998

Not sure if sarcasm or reddit.


 No.1047042

>>1047029

Reddit totally


 No.1047070

The only problem I see here is that DH params are hardcoded.

I hope tor devs change them regularly.

https://weakdh.org/

Also fuck the NSA censorship spammer.


 No.1047098

>>1022889 (OP)

you chose performance over security by posting this on pigchan, cuck


 No.1047100

>300 posts of spam ITT

>mods do nothing

LMAO @ the absolute state of 8cucks


 No.1047107>>1047109

>>1022889 (OP)

>tor browser

The sole purpose of that bloatware is for the masses to make noise on the Tor network, while people who know what the fuck they are doing use a Tor gateway on a hardened network with DPI and proper firewall settings.


 No.1047109>>1047110

>>1047107

do you even know what half of those words mean?

also: can the admin delete the spam ITT?


 No.1047110>>1047111 >>1047129

>>1047109

all of them combined means you're a fucking idiot that cannot formulate a technical argument.

also: mods please ban that poster


 No.1047111


 No.1047129

>>1047110

Mods, can you ban this guy instead?


 No.1047165>>1047180

I say that Tor Project is the same shit as using a clearnet firefox with addons, same shit.

Do you know that Tor Project have implemented Tor Guards, which is the first server in your tor network which always will know your real ip address because when you connect in tor network you connect like so:

Your Real IP (Your PC) connect to --> Tor Guard which connect to--> Tor Relay which connect to --->Another tor relay which connect to --->Another tor relay which connect to -->Tor exit relay.

Tor Guard know your real ip and exit relay know what you do, anyway i talk with tor project staff on freenode and asked them if this tor guards log us in any way.

The official answer from tor project dev team was that tor guards yes it log you but not to affect you in anyway.

I say it is bullshit, when you log me even 1kb it is logs, and i don't believe that Tor Guards are not log all, I say that tor guards are logging all what us do inside tor network, a tor guard can log anything about you, almost anything like, when you connect, when you disconnect, your real ip, what sites you visit, you know tor guard first server and last server in tor network the tor exit relay know anything about you, i mean tor guard know who you are, your real ip, date when you connect/disconnect, real ip etc. and exit relay don't know your real ip but know what you do, all tor guards ip servers are public same as tor exit relay servers ip are public. So ... anybody who have access to this tor guards public ip servers, have access to anything you did/do on tor network and to put you in jail they have logs files which they take this logs from tor guards and compare with the logs files from the exit tor relays, and you go to jail, this tor guards never change in a period of 3 months, they are the same for 3 months this is how much the NSA made to log you, after this 3 months they take and verify the logs, and you get another tor guards.

TO USE TOR BROWSER/NETWORK IS SAME SHIT AS USING A FIREFOX ON CLEARNET WITH ADDONS WITH YOUR REAL IP! SAME SHIT! GOOD LUCK ! Start using i2p or i2pd or freenet project and connect to your friends not to strangers for extremely high security! But best is i2p!

Use https://www.tixati.com or https://www.fopnu.com or https://www.supersimpleserver.com

or https://www.geti2p.net or https://www.freenetproject.org

Anything but not tor! Tor is not safe, I believe more than half of tor project devs team are NSA undercover agents! Fuck NSA!


 No.1047180>>1047320

>>1047165

this is a known attack and doesn't work very well as tor has taken precautions against this, especially when it was analyzed in depth in like 2008 or so.

if you know of a way to do it better, please share.


 No.1047237

>>1022952

>using i2p in conjunction with ipfs sounds redundant to me

>I'm a retard that thinks ipfs offers anonymity and security, when it doesn't and has never claimed to.


 No.1047320>>1047378

>>1047180

how would it even work if they dont know what address you want to access?


 No.1047378

>>1047320

I think the tl;dr guy said that when NSA owns entry and exit relay they can do time and size correlation to guess that it was you who visited penisland.net

But with packet padding and a shitton of people using tor all the time this attack is pretty impractical irl.

Some pretty leet security guy did some research on this back in the day and the deep state shills spread a plethora of FUD articles based on his findings so the tor devs blogged their reply and the study's author posted a comment confirming angrily that indeed this was just FUD and not at all what he had written.


 No.1051969

the new sha4 is superior to sha3

nigger monkey



