RN
Lol
HaruCode
yeah, this is a serious business^Wproblem. but I think I found a solution: we need to raid imageboards in clearnet, forcing a picture of a klysmaphile as a "meme". when enough of stupid middle-schoolers will catch the new trend, we will replace the problematic picture with said "meme". enemas are good for your health and don't jail people who take them, everyone is happy
mesh
zzz: anything that can be done to improve Lease Distribution time?
HaruCode
zzz (or str4d), sublime wants to ask a question. can you give them voice?
zzz
sublime, how may we help you?
sublime
good morning, zzz.
sublime
i'm sure you saw this around already, but i have my questions in this js-free pastebin. paste.idk.i2p/TardiveTermite/read
sublime
TLDR: is bootstrapping the point of failure where ISPs can determine i2p protocol?
sublime
and, can manually uploading the netDb circumvent that
dr|z3d
sublime: copy routerinfo files to your netDb dir and you're bootstrapped, if you're having issues doing it via the reseed servers.
dr|z3d
~/.i2p/netDb/ on linux and friends.
mesh
zzz: Can anything be done to uh extend the life of a LeaseSet? I hit a service, then try to hit a few minutes later... and it's gone, LeaseSet unavailable.
zzz
well, we use DoH to lookup the reseed IPs, and https to fetch the file, so it's not easy for an ISP to identify but it is possible
zzz
mesh, you're going to have to decide if you're a serious person in this channel or a troll, you can't be both
sublime
i am having issues, but not with the reseed servers. i am in a position where to be safe, i must choose between our network and tor.
sublime
no details are required for that, but i can say this
mesh
zzz: it's a serious question. I'm just wondering if there's anything I can do, any kind of configuration switch or whatever, that might help this situation
sublime
i have to essentially choose between a very loud fingerprint on an average protocol, but is very popular. or a very quiet fingerprint, on a great protocol, but barely has any users.
sublime
if i pick incorrectly, game over.
sublime
obviously, the quiet finger print with a better protocol is ideal..but if there ends up only being 2 people in my state who uses it, and ISP can still pin point it..
zzz
sublime, it's your use case and your threat model, we can't do that analysis for you, and I'm not going to push you one way or the other
sublime
correct. and my use case relies on knowing whether the ISP does determine i2p network at that point, and if manually uploading circumvents that issue.
zzz
sure, if you're concerned about reseeding, then don't reseed. By definition, that circumvents the issue
sublime
im not asking for philosophy on which network is better, just whether boot strapping through router info is good enough to circumvent
sublime
okay, awesome. is there anywhere else the ISP can definitely pin point i2p?
dr|z3d
it circumvents the issue wrt the isp not seeing the initial seeding request, but the isp will still be able to determine you're running i2p if they're doing DPI or whatever.
sublime
not including the various ranges of attacks, just with immediate traffic analysis
sublime
right, thank you. thats good enough for me.
dr|z3d
if you want to be invisible to your isp, you'd probably want to run i2p over a vpn, or use i2pd and route all tcp traffic over tor, but that has performance penalties.
zzz
traffic analysis isn't easy but neither is protocol obfuscation. We're working on improvements to our UDP protocol that will be out soon
mesh
sublime: look up hidden mode. though if you think they're actively looking for i2p though it's probably a matter of time
mesh
tor is probably a bigger red flag than i2p
zzz
we won't ever say it's undetectable. but we have very few if any reports of blocking
sublime
although they could dpi every piece of traffic..ever, its more unlikely to cause reason to look deeper by bootstrapping from router info than catching my dns.
zzz
one other thing people are trying: ipv6-only mode using route48 ipv6 tunnel broker with wireguard to hide traffic and IP
sublime
i do not support vpns personally, but thank you. they are good at specific places and times. this use case would not be one of them
dr|z3d
regarding bootstrapping, that issue is easily rectified by using Tor as your socks proxy.
mesh
sublime: What I recommend: You can run an i2p router on a remote computer in a safe country like Singapore. Then you configure your computer to essentially proxy everything through the router.
HaruCode
then he won't need i2p at all
mesh
sublime: this will make I2P truly undetectable but it will be slow
dr|z3d
(or some other encrypted proxy)
mesh
HaruCode: he will need i2p if he wants to communicate with others over i2p
mesh
the point is, you don't actually have to run i2p on your computer
HaruCode
that's unexpected
mesh
HaruCode: not really
sublime
dr|z3d: that is an option, including tor in the mix. but i am not educated enough on how all that traffic looks when its been passed through each protocol, and im wary of adding more hops than needed.
zzz
mesh, re: leasesets, no, there is no config. I'm working with obscuratus on some lookup bugs that may be contributing
HaruCode
as for using some remote machine, the problem is they are not free, and your credit card is a tag
mesh
tor is far easier to detect and block than i2p. If you are really concerned about i2p use being observed, def don't use tor
HaruCode
or they're free and sying on you, which defeats the purpose
HaruCode
*spying
mesh
you can rent a vps in singapore for $5/mo but yes they will want a credit card
HaruCode
but if you want to hide from your ISP _only_, the remote site hosting tor or i2p or whatever is a solution
mesh
you can also ask a friend to give you access to their i2p router running in singapore
sublime
i've played this game, lol. every point you could possibly begin with, has to know something about you by default. Thats why instead of adding more complexity to attempt to obfuscate, i was hoping to be able to do that and look just like a normal..(REDACTED) encrypted protocol user. i guess
HaruCode
but I guess it's not the case
HaruCode
remote friend is better. or not, depending on whether you can trust them
mesh
sublime: In my experience, you have three options (1) Use a vpn (2) Create your own vpn
mesh
sublime: (3) stop whatever it is you're doing
sublime
one thing i have learned, no one will go to prison for you. i'd like to leave people out of this instead of trust in their "good will".
mesh
sublime: certainly don't count on i2p or tor use being undetectable. Both these protocols, at the most fundamental level, will exhibit "abnormal" network usage. Though everything's encrypted, they're far from undetectable imho
sublime
whether i am truly hidden, shouldn't really matter. i'm hoping to get by with just enough cover to prevent any reason to look deeper.
HaruCode
I didn't see any DPI which go past the VPN layer so far, since it's very cpu-expensive. but it doesn't actually prove anything
sublime
naturally.
sublime
theres lots of ways to determine you are trying to hide. my concern is if they pinpoint the specific protocol i'm using to hide, and find a very small amount of users in this area,
HaruCode
but the thing in general is that any traffic that DPI is unable to parse can be considered "suspicious", so you'll get attention anyway
HaruCode
so, it's steganography time, with your data being second or even third layer
sublime
other than this one specific case, i wear i2p shirts when going to walmart
HaruCode
cool, dude. totally anonymous
mesh
sublime: option 2 is your best bet. Create your own vpn. Setup a router in a safe country and proxy traffic through that. The nice thing about that solution is that (1) you're not using a well-known vpn service or well-known vpn protocol and (2) you don't have i2p installed on your computer and (3) it looks like a normal ssl/ssh connection depending on what you do
mesh
zzz: alright thanks
sublime
HaruCode: haha, i have a public profile of being involved with these tools. But with all the garbage information out there, and happen to stumble upon this usecase, thats why this one specific issue matters so deeply.
mesh
sublime: with 2 browsers installed, firefox and chrome, you can continue to generate "normal" http traffic and only use i2p when you need it, which is also important imo
sublime
being a privacy advocate is my deal, (which also helps provide reasons for why i am involved with these tools), but i need to actually utilize it, soon
sublime
mesh: really?
mesh
sublime: yeah. you don't want to tunnel all your http traffic through i2p or tor or a vpn imo
sublime
oh, right. i misunderstood.
mesh
sublime: I've got friends who take real risks using i2p. Let's just say I've done the same dance, hounding zzz about how easy it is to detect i2p. My research has led to a protocol
sublime
i thought you meant i could somehow turn my i2p traffic into looking like normal https traffic just by using 2 browsers, not to just use 2 browsers to help blend in your traffic
mesh
sublime: that involves either running i2p from a portable usb drive and configuring the router to run in hidden mode and change its keys when your ip changes and some other stuff or simply connecting to a remote router
mesh
sublime: and continuing, when possible, to generate normal traffic
sublime
well, i wouldn't say i "hounded him" (:
sublime
okay, thank you. you being in a similar-enough situation helps
sublime
i am a qubes user so utilizing small devices like usb drives normally seems useless, i'll just destroy the disposable vm and be omw
sublime
but i can certainly see how the "tails" route is more beneficial than the "whonix route", if you will, in this case
mesh
sublime: no. I mean I don't even recommend people install i2p. Fortunately I2P is just a normal java app. You can run it from a command line with a jdk. You combine it with a portable firefox all sitting on an encrypted usb drive. The only time you use i2p is when you actually need to communicate with people on i2p
mesh
sublime: yeah exactly. because let's just say in certain parts of asia just having i2p or tor installed on a device is enough to catch a prison sentence
sublime
right. thankfully my adversary is more "free" than that, but still nothing to fuck with.
sublime
and this should (hopefully) be a one time deal.
sublime
then i'll forget it ever was a problem. imagine a random whistleblower of some kind. or leaving a one time tip that something unwanted will happen.
sublime
hell, if my threat model was that deep, i would avoid encryption all together to blend in like a normal soccer mom.
sublime
okay, thank you for everyone's input.
mesh
sublime: but using a encrypted usb drive, combined with certain configuration values you can set to the router, combined with using i2p only when you need to, and then using i2p not on your home network but on public networks like coffee shops ... can bring you close to a place where your use of i2p is undetectable
mesh
sublime: howto run a portable i2p: q5bxz332nvoesj54jxyhks6mq7odzmhyx5uyt7oa4nu4oj2g2uxa.b32.i2p/entries/Sk8F3B33MRK1wLvYaRtcJg
mesh
I'll probably write stuff about hidden mode and other stuff in a bit
mesh
sublime: q5bxz332nvoesj54jxyhks6mq7odzmhyx5uyt7oa4nu4oj2g2uxa.b32.i2p/entries/Sk8F3B33MRK1wLvYaRtcJg <-- how to run a portable i2p router
sublime
I'm walking away with the general consensus being, manually loading the netDb does circumvent any deanonymization from DNS, but there are still very specific signatures that could deanonymize me anyway.
sublime
My best plan is to try to obfuscate as much as reasonably possible, without compromising myself in a different way, and to only try to hide as deep as required to avoid any deep inspection.
sublime
its not fool proof but its better than slapping a vpn on my tor relay and feeling like god.
sublime
lol
mesh
sublime: I'll probably write about hidden mode and other stuff next week
sublime
sublime: thank you for the link, i will be reading this thoroughly.
sublime
and i look forward to your future post about hidden mode.
sublime
seems like it would help some, but it would be more like a bandaid than a solution.
sublime
which, to be fair, is kind of exactly what i got going on now.
mesh
sublime: if you want to send a one time drop of info you should pay a homeless guy to drop a usb drive in the maildrop with no return address hehe
mesh
encrypted usb drive of course
sublime
mesh: if they got a blank usb drive in the mail today, they would move to dc3 and evacuate all critical personnel haha
sublime
i considered pasting together a flyer out of cut up magazine letters
mesh
sublime: I'm working on a system which sorta kinda solves this problem of, let's call it, secure collaboration under adverse conditions
sublime
really? working, as in coming up with a solution? like spitballing? or do you have something to play with?
mesh
sublime: nothing to play with. the code is basically open source. can be seen at nquoczl5wbgbtsxrc77khmvsntawy5pflyxfafq5o6yqsl6krzvq.b32.i2p . of course it's not really usable yet
mesh
sublime: but the point is, you kind of have three problems: (1) running the code on a secure device (2) connecting to your collaborators and (3) proving you are who you say you are
mesh
1 can be basically solved with a encrypted usb drive . 2 can be mostly solved with i2p configured for minimum observability... 3 is actually rather tricky
mesh
but you can get pretty far running i2p in coffee shops based on my analysis. you might even go further and run it on a shared computer like at a net cafe... though I personally think it's not a good idea to use devices that you don't physically control
mesh
that will certainly protect you from your isp
mesh
it won't protect you from government agents following you, detaining you, finding the encrypted usb drive, and beating you senseless until you confess everything
obscuratus
I was looking at some issues in libsam3 with respect to handling the new-ish larger key sizes. Is there a recommendation for a maximum key size?
obscuratus
libsam3 still has a few spots that assume 516 bytes is the maximum.
zzz
that's in b64? I think we say 387+100 in binary, which is plenty until PQ
obscuratus
387... I recall running across that number somewhere recently, while trying to run down key length info.
dr|z3d
> router/java/src/net/i2p/router/transport/ntcp/EstablishBase.java: protected static final int MIN_RI_SIZE = 387;
dr|z3d
> router/java/src/net/i2p/router/transport/udp/SSU2Util.java: * It has a minimum 387 byte ident and 40 byte sig, neither is compressible.
obscuratus
OK, thanks. I probably throw 650 at it ~(516 + 100*1.3333)