Re: [tor-talk] Most Security Assertions Dangerous [Re: YouTube via Onion Services]

2018-12-06 Thread grarpamp
> Tutanota open sourced their client. You could use the source and run your
> own version of the Tutanota client if that's your threat model. It's true
> the email provider could serve different users different versions of the app
> and there is no possible way to audit it in real time

A standalone app can give at least some distance and pinnable code.
And a bit more if served up from a "neutral" third party like github,
f-droid, or allowing tor or vpn to get it in some masked user fashion.


> 2) You are running unknown code every day. Do you trust the vendors?

Probably not wise until the world changes some more
towards those hashtags. Shall we add #SharedAudit.


> It's unfair [...] They're trying to
> solve a complicated problem, inside a web browser, with no easy solution :-/

Yes of course, they're at least trying something new,
that's important, so kudos.

> It's unfair [...] to call [out] encrypted email providers

But is it... just look at most of their own front page
advertising statements that often go like...

"Secure Encrypted Email in your Browser"

Without weasel words, those statements can end up
being fake.

Does what net benefit the service may have for [most] users
offset potential damage arising from such statements?

There's a bunch of front page statements here too
that also have more holes than a block of Swiss Cheese...

https://www.torproject.org/

Who is parsing and calling them out, and/or proffering
page updates that use suitably accurate weasel words?

> inside a web browser, with no easy solution :-/

If the world is still stupidly insisting on the derelict spy exploited
relic of SMTP transport, instead of say fully encrypted P2P
overlay transports with legacy SMTP / POP / IMAP frontends
for the old timey feels, they should at least be directly extending
browser functionality to load and exec user selected third party
provided and fourth party audited message crypting code modules
from local disk.

Or should be using actual properly stood at a distance
tools like GPG, Enigmail, Mailpile, NeoMutt, whatever,
while replacement distributed P2P messaging and storage
systems gain marketshare.

If user can locally compile and use Tutanota from Github
with no blobs, that's interesting, perhaps consider dropping
them some coin if so.


Re: [tor-talk] comparison of Tor and Kovri in regards to deanonymization attacks

2018-12-06 Thread grarpamp
> - I2P can be attacked with far less resources than Tor;

Moot when $10k is probably enough to Sybil at least
some small fraction of either of them.

> - Tor is deeply researched and various attack types and problems have
> already been solved;

So if Tor is done, why don't you start writing grants to research,
advance, and solve some of the undone, equally applicable,
and necessary problem space of mixnets and other potential
designs, instead of continuing to throw [government] money
at Tor's curve of diminishing returns.

> - Tor is larger as a network with more capacity, and more diversity;

Start advertising, using, analysing other types of networks then.

> They also have different purposes so they cannot be directly compared on
> absolutely every feature

Why do so many reviews keep implying this copout,
"B network doesn't have X feature therefore B sucks"...
of course networks are different, unique features are
not detractions they're just incomparable items,
go compare and analyse the similar features then.

Both Tor and I2P generally claim their non-exit modes
to be anonymous advanced designs resistant to attack.
Go compare and analyze that. If you don't like the results,
go start new designs.

Reviews can even conform features... users can
actually torrent internally over both, and exit over
both... analyze that.

Many orthogonal features are modular ideas embeddable
in any decent network anyway, so they're not necessarily
unique, only a matter of doing it, if sensible of course.

> - I2P is more oriented for traffic inside the I2P network (e.g. you
> cannot browse cnn.com anonymously via I2P).

Yes you can, you just have to find or be an exit outproxy service
and configure it manually.

>> I would summarize the success of Tor over I2P with these points:

Government: Initialed the Tor design, put in Decades of $Millions
of controlling interest funding, and programmed Marketing.

Throw those kind of resources at I2P or any other network
and they would be relatively equal contenders too.

Throw Voluntary versions of those kinds of resources
at any network, and it might be a bit more novel and free
to go up against the backer of the "successful" one above.

>> - Tor has a modified browser which is a fork of firefox-esr called Tor
>> Browser Bundle which is easy to click and run with Tor. I2P until now
>> there is no official browser supporting it and user needs to do the
>> configurations manually.

So stuff I2P inside TBB's work and call it IBB.


Re: Facebook’s internal documents show its ruthlessness

2018-12-06 Thread Steven Schear
Seems like normal competitive business practices.

On Thu, Dec 6, 2018, 4:13 PM jim bell wrote:
> https://www.engadget.com/2018/12/05/facebook-internal-emails-documents-mark-zuckerberg-uk-parliament/
>
> [partial quote follows]
>
> As expected, the UK Parliament has released a set of internal Facebook
> emails that were seized as part of its investigation into the company's
> data-privacy practices. The 250-page document, which includes conversations
> between Facebook CEO Mark Zuckerberg and other high-level executives, is a
> window into the social media giant's ruthless thinking from 2012 to 2015 --
> a period of time when it was growing (and collecting user data) at an
> unstoppable rate. While Facebook was white-listing companies like Airbnb,
> Lyft and Netflix to get special access to people's information in 2013, it
> went out of its way to block competitors such as Vine from using its tools.
>
> When Twitter launched Vine, the app had access to Facebook's Friends API,
> which let Vine users see which of their Facebook friends were using the
> then-new app. But after approval from Zuckerberg himself, that access was
> cut off. "Unless anyone raises objections, we will shut down their [Vine's]
> Friends API access today. We've prepared reactive PR, and I will let Jana
> know our decision," Justin Osofsky, Facebook's vice president of global
> operations and media partnerships, said in an email at the time. Zuckerberg
> replied, "Yup, go for it."
> [end of partial quote]
>
> Jim Bell
>


Facebook’s internal documents show its ruthlessness

2018-12-06 Thread jim bell
https://www.engadget.com/2018/12/05/facebook-internal-emails-documents-mark-zuckerberg-uk-parliament/

[partial quote follows]

As expected, the UK Parliament has released a set of internal Facebook emails 
that were seized as part of its investigation into the company's data-privacy 
practices. The 250-page document, which includes conversations between Facebook 
CEO Mark Zuckerberg and other high-level executives, is a window into the 
social media giant's ruthless thinking from 2012 to 2015 -- a period of time 
when it was growing (and collecting user data) at an unstoppable rate. While 
Facebook was white-listing companies like Airbnb, Lyft and Netflix to get 
special access to people's information in 2013, it went out of its way to block 
competitors such as Vine from using its tools.

When Twitter launched Vine, the app had access to Facebook's Friends API, which 
let Vine users see which of their Facebook friends were using the then-new app. 
But after approval from Zuckerberg himself, that access was cut off. "Unless 
anyone raises objections, we will shut down their [Vine's] Friends API access 
today. We've prepared reactive PR, and I will let Jana know our decision," 
Justin Osofsky, Facebook's vice president of global operations and media 
partnerships, said in an email at the time. Zuckerberg replied, "Yup, go for 
it."
[end of partial quote]

Jim Bell


Re: snowden and the billionaire monkeys on our back

2018-12-06 Thread Razer

On December 5, 2018 4:47:55 PM PST, Steve Kinney wrote:
>
>
>On 12/5/18 3:20 PM, John Newman wrote:
>> 
>> Long interview with guy who just wrote a book about faux-philanthropic
>> leaders of the new gilded age (or something ;) 
>> 
>> https://www.truthdig.com/articles/silicon-billionaires-are-the-lethal-monkey-on-the-back-of-the-american-public/
>> 
>> 
>> Interesting part where he described Snowden talking to a bunch of
>> these people, this "clash of ideals"  - 
>
>> [... snip ...] 
>
>> It was a very interesting vision, and as he started describing, well,
>> the way I’m going to do that is I’m going to build all these tools that
>> would allow dissidents to actually operate more freely. A communication
>> tool so you can message without getting caught, a Facebook “like” tool
>> so you can socially network without losing your privacy, some kind of
>> tokenized identity so you can make clear to different websites that
>> you’re the same person without revealing which person you are–various
>> things. Snowden was describing the creation of all these things because
>> he wanted to live in a world in which dissent of the kind that he made
>> is possible, in which it’s possible to go up against power and not be
>> interrupted in that quest; that’s his motivation, his goal. 
>
>
>> And it’s like they couldn’t process him; they couldn’t process his set
>> of motivations. And so Chris Sacca says, wow, you sound like you’re
>> designing a lot of tools that, they sound like apps, or startup–do you
>> want to build a startup? I mean, there’s a lot of people here who would
>> like to be your investor. Snowden just looked at him, puzzled, like–what
>> are you talking about? I’m talking about freedom and heresy and truth,
>> and being a dissident, and how a society corrects itself from manifest
>> injustices through allowing people who have an uncomfortable truth to
>> tell it. And you’re talking about startups? And it was just this
>> wonderful collision between someone who believes in real changes, and
>> these people who kind of believe in the pseudo-change that lines their
>> own pockets."
>
>Um, that's not what it reads like to me.  I see Snowden saying he wants
>to accomplish all these wonderful things that enable political dissent
>and freedom via network technology.  Then he refuses to have anything to
>do with implementing that vision, going so far as to pretend that he
>does not understand that building and distributing software and
>infrastructure is HOW to achieve goals like the ones he mentioned.  It
>sounds like he chose to literally "play dumb" when presented with a room
>full of people who wanted a shot at implementing his ideas (vs.
>memorized talking points) in real life.
>
>The more I look at Snowden, the less sense he makes:  Both in terms of
>what he says (see above), and in terms of a biography and current public
>presentation that more or less defy explanation.
>
>To date, the only Snowden scenario that makes sense to me portrays him
>as a spokesmodel:  In effect a sock puppet passed from hand to hand.
>Did he have anything at all to do with "borrowing" certain documents and
>handing them off to Glen Greenwald?  I have no opinion on that.  The
>documents Greenwald released triggered a massive controversy over a
>small set of political / legal issues that all ended with decisive wins
>for the U.S. intelligence community.  In my view whether that means
>Snowden failed or succeeded remains an open question.
>
>Pending additional information, I would more likely trust a guy named
>"Mendax" than him.
>
>:o/


> "The documents Greenwald released triggered a massive controversy over a
> small set of political / legal issues that all ended with decisive wins for the
> U.S. intelligence community."


Publicly. Snowden PUBLICIZED it.

That seems to have been his role. Publicist.

Rr
Sent from my Androgyne dee-vice with K-9 Mail


Re: Scientific American: Is the U.S. Lagging in the Quest for Quantum Computing?

2018-12-06 Thread Steve Kinney


On 12/6/18 12:55 PM, jim bell wrote:
> Scientific American: Is the U.S. Lagging in the Quest for Quantum Computing?.
> https://www.scientificamerican.com/article/is-the-u-s-lagging-in-the-quest-for-quantum-computing/

I would find it hard to believe that the U.S. "lags" any other country
in its quest for quantum computer technology, given that the NSA can
make an ironclad case demanding blank checks for QC R&D:  Whoever gets
there first, preferably in secret, will make giant strides toward world
domination.  In addition to breaking PKI ciphers, QC would probably
enable breakthroughs in modeling complex systems, reducing many physical
problems presently requiring massively parallel, massively iterated
digital computation to de facto analog computations yielding nearly
instant answers.

"World domination" through QC would not include the ability to read all
of everyone's message traffic.  To date I have not heard anything
indicating that QC will break modern symmetric ciphers, but I have
information from unpublished sources indicating that the U.S. (therefore
probably others as well) still uses one time pads, and/or large single
use symmetric ciphers keys, for its most sensitive military
communications.  Scaling the activities in question up to cover all
sensitive State communications presents no technical challenges, only
financial ones.  Naturally, private individuals will be out in the cold
except for a handful of crypto geeks talking among themselves.


Re: snowden and the billionaire monkeys on our back

2018-12-06 Thread John Newman
On Thu, Dec 06, 2018 at 05:39:41PM -0300, juan wrote:
> On Thu, 6 Dec 2018 21:17:12 +1100
> Zenaan Harkness  wrote:
> 
> > On Wed, Dec 05, 2018 at 07:47:55PM -0500, Steve Kinney wrote:
> > > 
> > > 
> > > On 12/5/18 3:20 PM, John Newman wrote:
> > > > 
> > > > Long interview with guy who just wrote a book about faux-philanthropic
> > > > leaders of the new gilded age (or something ;) 
> > > > 
> > > > https://www.truthdig.com/articles/silicon-billionaires-are-the-lethal-monkey-on-the-back-of-the-american-public/
> 
> 
>   is there a snowden video in that page? If so can I have a direct link? 
> =) Thanks!

No video in the truthdig article that I saw, no. I'd be curious to see
it too :)

I did a very quick search - it was the 2015 Summit of the Sea, there's a
pretty crass article I found here -

https://www.dailymail.co.uk/news/article-3328277/Silicon-Valley-sea-Titans-tech-pay-10-000-party-networking-cruise-offers-sunrise-yoga-world-class-cuisine-live-talk-Edward-Snowden-no-Wi-Fi.html

And no doubt more shit about it online, maybe a video of the Snowden
talk somewhere... if you find it, send me a link.


-- 
GPG fingerprint: 17FD 615A D20D AFE8 B3E4  C9D2 E324 20BE D47A 78C7


Re: Hand over encrypted data.

2018-12-06 Thread jd.cypherpunks
Yes - that's the way it is.

---- Original message ----
From: John Young
Date: 06.12.18 14:40 (GMT+01:00)
To: cypherpunks@lists.cpunks.org
Subject: Re: Hand over encrypted data.
Hasn't it been the case almost since day one of crypto wars to expect 
authorities to limit its use, adjusting prohibitions, warnings, dire 
threats, legislation as new means of crypto are deployed?

And "new" means are continually being developed, and many of them 
quickly expropriated by contracts with authorities.

Coders and developers switch sides from being poor to be rather well 
to do. Quite a few cypherpunks have followed this path, and why not 
"get real," with aging, families, debts and envy of the success of 
those who switch sides, get bought out, sign up for lucrative 
speaking fees, promulgate reasons for being cooperative rather than 
confrontational.

Is there any currently popular crypto/comsec/infosec product not 
subject to this "go along to get along?"

Cybersecurity coupled with cyberfailure are fantastic cash cows, 
golden gooses, gold rushes. Assange has reportedly become a 
millionaire twice over, and a large portion of that is assumed to be 
laundered official money, as tax write-off or simply dirty.

But that is the industry standard of security in all its versions. 
Keep it secret, blow threats and safety at consumers and citizenry.

Smartest cybersecurity developers are working for totalizing "smart" 
to every spot online and on earth, in every head and home. While 
preaching privacy protection with latest porous prophylactics, once 
called backdoors, confessionals, prayers, trust in deity. Now called 
upgrades and sure-fire, ever better, ways to excuse failure, maintain 
faith in a reputation in a brand.

Built-in failure by the most trusted, surely not that. Send 
contributions here to keep up the fight.

And don't ever go off on your own, experts must review your shit for 
golden nuggets. Do expose your best to conferences, believe in open 
source review, seek investors, crowd-fund, stay fucked.

At 09:25 PM 12/5/2018, you wrote:

>Australia poised to force tech firms to hand over encrypted data
>https://finance.yahoo.com/news/australia-poised-force-tech-firms-hand-over-encrypted-224740050--finance.html


Re: Scientific American: Is the U.S. Lagging in the Quest for Quantum Computing?

2018-12-06 Thread juan
On Thu, 6 Dec 2018 17:55:01 + (UTC)
jim bell  wrote:

> Scientific American: Is the U.S. Lagging in the Quest for Quantum Computing?.
> https://www.scientificamerican.com/article/is-the-u-s-lagging-in-the-quest-for-quantum-computing/


pure and undiluted pentagon propaganda ^^

just like anything coming from the 'mainstream media' 

translation : the US military wants MORE MONEY for 'R&D' into the 
complete enslavement of the human race. 


Re: snowden and the billionaire monkeys on our back

2018-12-06 Thread juan
On Thu, 6 Dec 2018 21:17:12 +1100
Zenaan Harkness  wrote:

> On Wed, Dec 05, 2018 at 07:47:55PM -0500, Steve Kinney wrote:
> > 
> > 
> > On 12/5/18 3:20 PM, John Newman wrote:
> > > 
> > > Long interview with guy who just wrote a book about faux-philanthropic
> > > leaders of the new gilded age (or something ;) 
> > > 
> > > https://www.truthdig.com/articles/silicon-billionaires-are-the-lethal-monkey-on-the-back-of-the-american-public/


is there a snowden video in that page? If so can I have a direct link? 
=) Thanks!


Scientific American: Is the U.S. Lagging in the Quest for Quantum Computing?

2018-12-06 Thread jim bell
Scientific American: Is the U.S. Lagging in the Quest for Quantum Computing?.
https://www.scientificamerican.com/article/is-the-u-s-lagging-in-the-quest-for-quantum-computing/


Re: Most Security Assertions Dangerous [Re: YouTube via Onion Services]

2018-12-06 Thread Zenaan Harkness
On Thu, Dec 06, 2018 at 03:25:05AM -0500, grarpamp wrote:
> [1] You can't even say those for the release iso's of
> OpenBSD, FreeBSD, the Linux's, etc... back
> to their claimed source code repos... because
> either those repos have no internal cryptographic
> roots or hashes to sign over or with in the first place,
> or some process in the path from there to the iso's
> is not reproducible or cryptographically chained.

Git style signed content hash chains and reproducible builds FTW
muffaluggerahs!

So Debian Buster is over 90%, yay!

From 2015 80%:
 
 Lots of progress for Debian's reproducible builds
 https://lwn.net/Articles/630074/

To Buster ~92.4%:
 https://isdebianreproducibleyet.com/
 “NO! … but buster on amd64 is 92.4% reproducible right now!”

To pretty dang gud bruh!:
 Debian reproducible builds project update, 2017-07-23,
 Stretch/amd64 reaching 94%
 https://lwn.net/Articles/728599/

 And some nice summary sheetskis and chartskis:
 https://tests.reproducible-builds.org/debian/reproducible.html

 https://wiki.debian.org/ReproducibleBuilds



> Same goes for Apple, Microsoft, Intel, AMD, ARM,
> Government, etc...
> You're all still woefully fucked therein because you keep
> buying the Kool-Aid, and refusing to demand, fix,
> ignore, or eliminate them and their issues.
> 
> #OpenFabs , #OpenHW , #OpenSW , #OpenDev , #OpenBiz , #CryptoCurrency
> , #Anarchism

Indeed.


> The list of requisites to even get close to improving
> the situation grows...

Improvement in problem definition is necessary, and is not an
"increase" in the requisites to e.g. security of personal
communications, simply a fuller understanding of the problem.

Alt: we are rising from ignorance. Painful but necessary awareness.

Let's add to the above list another obvious in hindsight:
#StackMinimization - including HW - i.e. trust boundaries (nee attack
surfaces) must be seriously minimized to reach something we can
collectively reason about in its elements (hw/ sw).


Re: Hand over encrypted data.

2018-12-06 Thread John Young
Hasn't it been the case almost since day one of crypto wars to expect 
authorities to limit its use, adjusting prohibitions, warnings, dire 
threats, legislation as new means of crypto are deployed?


And "new" means are continually being developed, and many of them 
quickly expropriated by contracts with authorities.


Coders and developers switch sides from being poor to be rather well 
to do. Quite a few cypherpunks have followed this path, and why not 
"get real," with aging, families, debts and envy of the success of 
those who switch sides, get bought out, sign up for lucrative 
speaking fees, promulgate reasons for being cooperative rather than 
confrontational.


Is there any currently popular crypto/comsec/infosec product not 
subject to this "go along to get along?"


Cybersecurity coupled with cyberfailure are fantastic cash cows, 
golden gooses, gold rushes. Assange has reportedly become a 
millionaire twice over, and a large portion of that is assumed to be 
laundered official money, as tax write-off or simply dirty.


But that is the industry standard of security in all its versions. 
Keep it secret, blow threats and safety at consumers and citizenry.


Smartest cybersecurity developers are working for totalizing "smart" 
to every spot online and on earth, in every head and home. While 
preaching privacy protection with latest porous prophylactics, once 
called backdoors, confessionals, prayers, trust in deity. Now called 
upgrades and sure-fire, ever better, ways to excuse failure, maintain 
faith in a reputation in a brand.


Built-in failure by the most trusted, surely not that. Send 
contributions here to keep up the fight.


And don't ever go off on your own, experts must review your shit for 
golden nuggets. Do expose your best to conferences, believe in open 
source review, seek investors, crowd-fund, stay fucked.


At 09:25 PM 12/5/2018, you wrote:


Australia poised to force tech firms to hand over encrypted data
https://finance.yahoo.com/news/australia-poised-force-tech-firms-hand-over-encrypted-224740050--finance.html


Re: snowden and the billionaire monkeys on our back

2018-12-06 Thread Zenaan Harkness
On Wed, Dec 05, 2018 at 07:47:55PM -0500, Steve Kinney wrote:
> 
> 
> On 12/5/18 3:20 PM, John Newman wrote:
> > 
> > Long interview with guy who just wrote a book about faux-philanthropic
> > leaders of the new gilded age (or something ;) 
> > 
> > https://www.truthdig.com/articles/silicon-billionaires-are-the-lethal-monkey-on-the-back-of-the-american-public/
> > 
> > 
> > Interesting part where he described Snowden talking to a bunch of
> > these people, this "clash of ideals"  - 
> 
> > [... snip ...] 
> 
> > It was a very interesting vision, and as he started describing, well,
> > the way I’m going to do that is I’m going to build all these tools that
> > would allow dissidents to actually operate more freely. A communication
> > tool so you can message without getting caught, a Facebook “like” tool
> > so you can socially network without losing your privacy, some kind of
> > tokenized identity so you can make clear to different websites that
> > you’re the same person without revealing which person you are–various
> > things. Snowden was describing the creation of all these things because
> > he wanted to live in a world in which dissent of the kind that he made
> > is possible, in which it’s possible to go up against power and not be
> > interrupted in that quest; that’s his motivation, his goal. 
> 
> 
> > And it’s like they couldn’t process him; they couldn’t process his set
> > of motivations. And so Chris Sacca says, wow, you sound like you’re
> > designing a lot of tools that, they sound like apps, or startup–do you
> > want to build a startup? I mean, there’s a lot of people here who would
> > like to be your investor. Snowden just looked at him, puzzled, like–what
> > are you talking about? I’m talking about freedom and heresy and truth,
> > and being a dissident, and how a society corrects itself from manifest
> > injustices through allowing people who have an uncomfortable truth to
> > tell it. And you’re talking about startups? And it was just this
> > wonderful collision between someone who believes in real changes, and
> > these people who kind of believe in the pseudo-change that lines their
> > own pockets."
> 
> Um, that's not what it reads like to me.  I see Snowden saying he wants
> to accomplish all these wonderful things that enable political dissent
> and freedom via network technology.  Then he refuses to have anything to
> do with implementing that vision, going so far as to pretend that he
> does not understand that building and distributing software and
> infrastructure is HOW to achieve goals like the ones he mentioned.  It
> sounds like he chose to literally "play dumb" when presented with a room
> full of people who wanted a shot at implementing his ideas (vs.
> memorized talking points) in real life.
> 
> The more I look at Snowden, the less sense he makes:  Both in terms of
> what he says (see above), and in terms of a biography and current public
> presentation that more or less defy explanation.
> 
> To date, the only Snowden scenario that makes sense to me portrays him
> as a spokesmodel:  In effect a sock puppet passed from hand to hand.
> Did he have anything at all to do with "borrowing" certain documents and
> handing them off to Glen Greenwald?  I have no opinion on that.  The
> documents Greenwald released triggered a massive controversy over a
> small set of political / legal issues that all ended with decisive wins
> for the U.S. intelligence community.  In my view whether that means
> Snowden failed or succeeded remains an open question.
> 
> Pending additional information, I would more likely trust a guy named
> "Mendax" than him.

Indeed.

The very first "fundamental" step (besides, supposedly, choosing to
leak/ whistleblow) was how to leak, or in his rather pathetic (from
op sec pov) case, who to leak to and choosing to "leak" to only one
person, Greenwald.

Firstly he failed to also leak through any dark network means, and
chose meat space leakee "sneaker net".

Secondly he chose to leak to ONE person only.

Thirdly, and fatally from before he even took the action of leaking,
he chose an MSM publisher in the face of YEARS of problems that the
likes of Assange had already experienced.

"Bloody idiot" springs to mind, but why attribute to stupidity when
"compromised bastard" comes to mind... and by the looks of all the
silliness around his flight to our Russkie bros, he was not only
literally "granted safe passage" (witness Putin's personal quotes on
the incoming flight) but likely had a death threat on his arse in the
first place - enough motivation to get him moving away from home base
(deep state cannot have a leaker appear to be allowed to leak and
live, or live a normal life, you see).

Stinks, stinks and oh, by the way, it all stinks.

Did I mention the Snowden saga stinks?


Most Security Assertions Dangerous [Re: YouTube via Onion Services]

2018-12-06 Thread grarpamp
In a thread...
https://lists.torproject.org/pipermail/tor-talk/2018-December/044709.html

on...
> http://kgg2m7yk5aybusll.onion/
> http://axqzx4s6s54s32yentfqojs3x5i7faxza6xo3ehd4bzzsg2ii4fv2iid.onion

(noting that all onions can be physically located by determined
adversaries, thus failing another commonly sold security assertion)

> https://github.com/omarroth/invidious


> - It's free software and the code is available for install/checkup.

That assertion is irrelevant in the security context
of the thread so far, and it's dangerous advice.

As with protonmail and all the other fakeass encrypted email
websites... the JS code is loaded by the browser from the web
service itself, there is currently NO trusted way for the user to
independently audit that the code they end up executing in
real time *from* the service matches the code *in* any repo,
or for the user to choose to ignore the service code and load
and execute any repo code of their choosing instead.

> Youtube is made by a dick company to humanity called Google, which is
> funding their services by stealing/collecting users data. So the JS

The current code load model is a nasty exploit waiting to happen,
does happen (Hushmail, NIT's, etc), and simply should not be trusted,
no more than GOOG and FB the dicks, themselves, indeed.
Or Java, ActiveX, Flash, and whatever other "secure" crap some
scam tries to push into your pathetically insecure and
untrusted exec platform.

Sure Invidious Onion is fun, probably has some merits and
use cases, and even simple html could be an exploit, and
users can run it all in a sandbox, etc.
But let's not say there's any trusted link between the running
and repo codes, nor that any sufficient set of people have looked
at, and signed over, most codes, or are even allowed to... [1].

Also, clicking on any video listed on the onion frontpage
index initiates at least three connections straight to google
instead of the proxy onion. That's not clean.

> Plus you can watch the videos without the need to allow any JS.

> this particular YouTube frontend/proxy seems to be
> more focused on offering an alternative viewing experience rather than
> privacy.

https://github.com/mps-youtube/mps-youtube
https://github.com/rg3/youtube-dl

... those and a few others readers can find and post here.


[1] You can't even say those for the release iso's of
OpenBSD, FreeBSD, the Linux's, etc... back
to their claimed source code repos... because
either those repos have no internal cryptographic
roots or hashes to sign over or with in the first place,
or some process in the path from there to the iso's
is not reproducible or cryptographically chained.
Same goes for Apple, Microsoft, Intel, AMD, ARM,
Government, etc...
You're all still woefully fucked therein because you keep
buying the Kool-Aid, and refusing to demand, fix,
ignore, or eliminate them and their issues.

#OpenFabs , #OpenHW , #OpenSW , #OpenDev , #OpenBiz , #CryptoCurrency
, #Anarchism

The list of requisites to even get close to improving
the situation grows...