Hi,

On Friday, 27 November 2015, 18:07:50, salutarydiacritica...@ruggedinbox.com wrote:
> There was a Sybil attack for 4 years. The Freenet 0day has been around
> for so long that LE contractors have built a kit around it.

It’s not a zero-day. According to the article, they used a known vulnerability which takes time and careless behavior of the users to exploit.

> Before anyone gets started: "But, but.. Tor was also attacked!"
>
> Yes, but responses are very different from what's going on here. They
> immediately fixed the hole and evicted the Sybil nodes. They are
> implementing code that will make future attempts much more difficult.
> They did not add a line to the FAQ that said "shit happens" and shrug
> their shoulders.

If that’s what you got the feeling was happening, we botched our communication.

First, the difference between Tor and Freenet: Tor has ~20 employees. Freenet has a dozen volunteers. Due to that, our response cannot be as fast as the response of the Tor folks.

Second, we are trying to find out what they actually did. The news report is unclear and partially dubious. An ex-cop caught in the process of downloading 10 images from Freenet — after the cops first talked to him. Either these downloads did not work (no longer available), or it’s a fake. Freenet may be slow, but not that slow.

Third, adding Darknet connections is part of the solution, and it is already implemented. Not doing that if you can is similar to using Internet Explorer with Tor.

> "Securing Opennet is impossible, go Darknet mode or shut up!"

There is only a single developer who does not work on Opennet, because he considers it to be prolonging an inherently insecure situation. However, all understand that it is impossible to get state-department-level security with Opennet. Getting many users to add at least some Darknet connections is one important step to fix the vulnerability.

> Going Darknet mode only is not a real fix.

It is the only real fix which exists. It will be the only real fix for Tor in the long run. It is still much too hard to use, however, and I consider this the greatest failure of the development in the past years.

We know that Darknet is important, so anything connected to connecting via Darknet and making Darknet more valuable to our users should take priority. I did a small step in that direction: node-to-node messages should be sorted newest-first in the next release. Trivial fix, but no one did that before.

> It's like suggesting to people to limit internet access only to their
> LAN to stay safe. The value of the network becomes diminished.

This is an unfitting analogy. Freenet is built around providing full access using only friend-to-friend connections as the routing layer. It’s rather like connecting to a neighborhood mesh network which is not dependent on a single internet provider for connectivity.

> Darknet mode also exposes people's social network to anyone watching
> enough of the internet. It's a dangerous liability.

If they already watch enough of the network to detect encrypted communication without a central server, they already know far more of your social network than what they can get from Darknet connections. It does not add any new information, especially since the trust requirement for a Darknet connection is much less than what you see from regularly exchanged emails, tracking mobile phones, monitoring telephony, social networks, and so forth — all of that is data which many states already store and which every state can access in targeted surveillance.

You might not want to connect with Darknet to the super secret we-only-meet-in-the-woods-at-randomized-times contact. For all others, an attacker with the power to get social network information from Darknet connections already knows everything which could be gleaned from these. But once you have the Darknet connection, you have one channel the attacker cannot watch.

> Questions:
>
> Does making it impossible versus very hard, to know what a user has in
> their datastore make attacks harder?

You cannot make it impossible without making it impossible for Freenet nodes to exchange data with other Freenet nodes.

> As we saw, plausible deniability
> wasn't much help.

Without disk encryption it's over. If they catch you red-handed, with your laptop running and Freenet open, as was claimed in the news article, then nothing can help you. Freenet has a panic button. Two mouse clicks would have eradicated all the evidence named in the article — that’s in normal security mode.

> Say you need more funds to introduce
> PISCES tunnels, some notion of node pinning, limiting the number of
> nodes from address spaces, adding Tor transport support and updating
> crypto primitives.

I just had a funding proposal turned down which included transport plugins and easy Darknet introductions with one-time tokens. Florent is constantly working on keeping the crypto state-of-the-art.

So, no, we’re not inactive. We’re just restricted in our available volunteer work time. Some of the time is spent on stuff others could do. For example, work on fixing the wording on the website does not require any programming ability. We’re doing it because there isn’t anyone else doing it. If you improve the wording and spend the time to really polish it, bit by bit (and send small and clean enough pull requests that we can review them with little effort), then we have more time for other parts you might not be able to do.

There are lots of things which can be done by dedicated people without programming skills. All of them are hard work, but they are very important to improve Freenet. For example, the translators are pretty active and doing a great job making Freenet accessible to more people.

So consider this an invitation.

Best wishes,
Arne

--
A man in the streets faces a knife.
Two policemen are there at once. They raise a sign:
“Illegal Scene! No one may watch this!”
The man gets robbed and stabbed and bleeds to death.
The police had to hold the sign.
…Welcome to Europe, citizen. Censorship is beautiful.
( http://draketo.de/stichwort/censorship )
_______________________________________________
Devl mailing list
Devl@freenetproject.org
https://emu.freenetproject.org/cgi-bin/mailman/listinfo/devl