[freenet-chat] Re: [freenet-support] Freenet 0.7
Matthew Toseland wrote: > It's unnecessary anyway because it only applies to TCP. It does however > tell us something very interesting and useful: The firewall is stateless !! heh, it would be damn expensive to do that in a stateful way. let's see: >1. Timing. >2. Packet size. >3. It's not a known protocol, therefore it must be bad. >4. Flow analysis. either way it might be too expensive or require a stateful filter
[freenet-chat] Re: [freenet-support] Freenet 0.7
On 08/31, Matthew Toseland wrote: > > > Have you thought about that ignoring reset packets thing that was > > > shown to make it possible to bypass The Great Firewall? I mean, I > > > don't know too much about it, or if it'd be possible for > > > freenetbut it might be worth looking in to. > > That would involve platform-specific code, there's no way to do that in > > java. > It's unnecessary anyway because it only applies to TCP. It does however > tell us something very interesting and useful: The firewall is stateless !! > They pick up forbidden keywords on a packet and then send a reset > packet, they don't even delete later packets on the same connection > because *they don't track connections at all* ! But they will do that, sooner or later. It's just a matter of time. Another chunk of money for Cisco I guess...
[freenet-chat] Re: [freenet-support] Freenet 0.7
On Thu, Aug 31, 2006 at 06:01:45PM +0400, Roman V. Isaev wrote: > On 08/31, Matthew Toseland wrote: > > > > Have you thought about that ignoring reset packets thing that was > > > > shown to make it possible to bypass The Great Firewall? I mean, I > > > > don't know too much about it, or if it'd be possible for > > > > freenetbut it might be worth looking in to. > > > That would involve platform-specific code, there's no way to do that in > > > java. > > It's unnecessary anyway because it only applies to TCP. It does however > > tell us something very interesting and useful: The firewall is stateless !! > > They pick up forbidden keywords on a packet and then send a reset > > packet, they don't even delete later packets on the same connection > > because *they don't track connections at all* ! > > But they will do that, sooner or later. It's just a matter of time. Another > chunk of money for Cisco I guess... The interesting thing is you can connect to IRC and discuss forbidden keywords... Also that study is curious because I heard they block the whole page, rather than just interrupt it in the middle... -- Matthew J Toseland - toad at amphibian.dyndns.org Freenet Project Official Codemonkey - http://freenetproject.org/ ICTHUS - Nothing is impossible. Our Boss says so. -- next part -- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: Digital signature URL: <https://emu.freenetproject.org/pipermail/support/attachments/20060831/5e6e18ee/attachment.pgp>
[freenet-chat] Re: [freenet-support] Freenet 0.7
On Wed, Aug 30, 2006 at 11:52:23PM +0200, David 'Bombe' Roden wrote: > On Wednesday 30 August 2006 23:47, urza9814 at gmail.com wrote: > > > Have you thought about that ignoring reset packets thing that was > > shown to make it possible to bypass The Great Firewall? I mean, I > > don't know too much about it, or if it'd be possible for > > freenetbut it might be worth looking in to. > > That would involve platform-specific code, there's no way to do that in > java. It's unnecessary anyway because it only applies to TCP. It does however tell us something very interesting and useful: The firewall is stateless !! They pick up forbidden keywords on a packet and then send a reset packet, they don't even delete later packets on the same connection because *they don't track connections at all* ! > > David -- Matthew J Toseland - toad at amphibian.dyndns.org Freenet Project Official Codemonkey - http://freenetproject.org/ ICTHUS - Nothing is impossible. Our Boss says so. -- next part -- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: Digital signature URL: <https://emu.freenetproject.org/pipermail/support/attachments/20060831/23a66874/attachment.pgp>
[freenet-chat] Re: [freenet-support] Freenet 0.7
Hundreds of projects? Such as? None of them comes anywhere near to our techology; most of them are either easily harvestable and blockable proxy networks, or WASTE clones. On Wed, Aug 30, 2006 at 05:47:43PM -0400, urza9814 at gmail.com wrote: > Have you thought about that ignoring reset packets thing that was > shown to make it possible to bypass The Great Firewall? I mean, I > don't know too much about it, or if it'd be possible for > freenetbut it might be worth looking in to. > > Also just wanna add that I fully support the desire to help get around > the chinese firewalls and stuffbut you're one of hundreds of > projects working on that same goaland personally, I'm not using > 0.7 until there's a working opennet. As much as it may seem like I'm > totally against darknetsit's not so much what you're working on, > it's how. I still feel quite strongly that the main page should send > new users to a download page for 0.5, not 0.7. As for the issue of > getting a working opennet...I'll join the other people in backing > offI suppose I can wait another year or so for a new versionI > just hope 0.5 will last that long without any fresh users. > > On 8/30/06, David 'Bombe' Roden wrote: > >On Wednesday 30 August 2006 22:35, inverse wrote: > > > >> beyond harvesting the connected IP addresses to raid their owner's > >> homes, one big concern with encrypted protocols is that they can be > >> filtered out by application-level scanning firewalls. I think this is > >> exactly what's happening in China. > > > >Yes, the session bytes that are used to initiate connections are > >typical. > > > > > >> Public-key encrypted communications show constant patterns the moment > >> a public key is exchanged between hosts. > > > >Communication between 0.7 nodes doesn't have to exchange public keys, > >those are already known as they are contained in the node reference. > > > > > >David > > > > > >___ > >Support mailing list > >Support at freenetproject.org > >http://news.gmane.org/gmane.network.freenet.support > >Unsubscribe at > >http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support > >Or mailto:support-request at freenetproject.org?subject=unsubscribe > > > > > > > > > -- > > http://www.spreadfirefox.com/?q=affiliates&id=0&t=57";> border="0" alt="Get Firefox!" title="Get Firefox!" > src="http://sfx-images.mozilla.org/affiliates/Buttons/180x60/blank.gif"/> > ___ > Support mailing list > Support at freenetproject.org > http://news.gmane.org/gmane.network.freenet.support > Unsubscribe at > http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support > Or mailto:support-request at freenetproject.org?subject=unsubscribe > -- Matthew J Toseland - toad at amphibian.dyndns.org Freenet Project Official Codemonkey - http://freenetproject.org/ ICTHUS - Nothing is impossible. Our Boss says so. -- next part -- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: Digital signature URL: <https://emu.freenetproject.org/pipermail/support/attachments/20060831/a988b58a/attachment.pgp>
[freenet-chat] Re: [freenet-support] Freenet 0.7
0.7 has no predictable or repeated bytes whatsoever. It can probably be identified by several more expensive, less reliable techiques at present: 1. Timing. 2. Packet size. 3. It's not a known protocol, therefore it must be bad. 4. Flow analysis. On Wed, Aug 30, 2006 at 10:35:32PM +0200, inverse wrote: > Matthew Toseland wrote: > >Well on the most trivial level, 0.5 doesn't work in china. > > > yo, > > beyond harvesting the connected IP addresses to raid their owner's > homes, one big concern with encrypted protocols is that they can be > filtered out by application-level scanning firewalls. I think this is > exactly what's happening in China. > > > Application-level scanning can be implemented via ASIC technology > directly in hardware thus being extremely fast, and we know this works > very well. > Public-key encrypted communications show constant patterns the moment a > public key is exchanged between hosts. > > Such system can work until there's enough processing power available to > make them run without compromising the overal network performance, so to > defeat them (they are intended to simply drop forbidden connections) you > have to design a protocol > which shows no recognisable patterns at any level. > Nested symmetric encryption of each packet with multiple randomly > selected pre-shared keys? > To decode each packet a firewall will have to: > 1) try at least half the known pre-shared keys on each packet > 2) do the above for each level of encryption used. > > given the number of keys n and the number of levels l the total number > of decryption passes k before you extract usable data (which may be > further asymmetrically encrypted) is k = (n/2)^l. This is true for > each packet and you cannot avoid doing this if you want to confirm the > contents. > While this might not be so demanding for a single CPU and few > connections, a core firewall won't be happy to discover that a simple > scan no longer suffices and you have to actually process a VERY large > number of packets coming from a number of sources with random ports > trough a custom designed and frequently updated cryptographic ASIC > multiple times. > > The idea is not to design a virtually unstopplable protocol: there > might come a day when only pure HTTP to port 80 is allowed, the idea > instead is to make it a bit more unstoppable in places like China, > probably France and EU and next in the US. > > Also, this won't be a solution in places that trace social network > connections (like the current US), this however will make the process > somewhat harder. > > Just a suggestion.. > > > > > ___ > Support mailing list > Support at freenetproject.org > http://news.gmane.org/gmane.network.freenet.support > Unsubscribe at > http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support > Or mailto:support-request at freenetproject.org?subject=unsubscribe > -- Matthew J Toseland - toad at amphibian.dyndns.org Freenet Project Official Codemonkey - http://freenetproject.org/ ICTHUS - Nothing is impossible. Our Boss says so. ------ next part -- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 189 bytes Desc: Digital signature URL: <https://emu.freenetproject.org/pipermail/support/attachments/20060831/6b68e29f/attachment.pgp>
[freenet-chat] Re: [freenet-support] Freenet 0.7
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I was in China last year. I was able to create a VPN connection in the US with no problem. Most of the web didn't work, even SSL. SSH was completely blocked as well, which is why I was surprised that I could connect via VPN with no problems. This was in Beijing. :brian ++ 31/08/06 15:31 +0100 - Matthew Toseland: >On Thu, Aug 31, 2006 at 06:01:45PM +0400, Roman V. Isaev wrote: >> On 08/31, Matthew Toseland wrote: >> > > > Have you thought about that ignoring reset packets thing that was >> > > > shown to make it possible to bypass The Great Firewall? I mean, I >> > > > don't know too much about it, or if it'd be possible for >> > > > freenetbut it might be worth looking in to. >> > > That would involve platform-specific code, there's no way to do that in >> > > java. >> > It's unnecessary anyway because it only applies to TCP. It does however >> > tell us something very interesting and useful: The firewall is stateless !! >> > They pick up forbidden keywords on a packet and then send a reset >> > packet, they don't even delete later packets on the same connection >> > because *they don't track connections at all* ! >> >> But they will do that, sooner or later. It's just a matter of time. Another >> chunk of money for Cisco I guess... > >The interesting thing is you can connect to IRC and discuss forbidden >keywords... Also that study is curious because I heard they block the >whole page, rather than just interrupt it in the middle... >-- >Matthew J Toseland - toad at amphibian.dyndns.org >Freenet Project Official Codemonkey - http://freenetproject.org/ >ICTHUS - Nothing is impossible. Our Boss says so. >___ >Support mailing list >Support at freenetproject.org >http://news.gmane.org/gmane.network.freenet.support >Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support >Or mailto:support-request at freenetproject.org?subject=unsubscribe - -- - Freedom is slavery. Ignorance is strength. War is peace. -- George Orwell -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.7 (GNU/Linux) iD8DBQFE9yabSMrcfZpjDKERAhAaAKCsTD/S/I1eM/3VEd740nYZPhj6KgCgo/Mo JZ+MtJuu0elkY8pTZLtdMSM= =G9+A -END PGP SIGNATURE-
Re: [freenet-chat] Re: [freenet-support] Freenet 0.7
Matthew Toseland wrote: It's unnecessary anyway because it only applies to TCP. It does however tell us something very interesting and useful: The firewall is stateless !! heh, it would be damn expensive to do that in a stateful way. let's see: 1. Timing. 2. Packet size. 3. It's not a known protocol, therefore it must be bad. 4. Flow analysis. either way it might be too expensive or require a stateful filter ___ Support mailing list Support@freenetproject.org http://news.gmane.org/gmane.network.freenet.support Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support Or mailto:[EMAIL PROTECTED]
Re: [freenet-chat] Re: [freenet-support] Freenet 0.7
On Thu, Aug 31, 2006 at 06:01:45PM +0400, Roman V. Isaev wrote: > On 08/31, Matthew Toseland wrote: > > > > Have you thought about that ignoring reset packets thing that was > > > > shown to make it possible to bypass The Great Firewall? I mean, I > > > > don't know too much about it, or if it'd be possible for > > > > freenetbut it might be worth looking in to. > > > That would involve platform-specific code, there's no way to do that in > > > java. > > It's unnecessary anyway because it only applies to TCP. It does however > > tell us something very interesting and useful: The firewall is stateless !! > > They pick up forbidden keywords on a packet and then send a reset > > packet, they don't even delete later packets on the same connection > > because *they don't track connections at all* ! > > But they will do that, sooner or later. It's just a matter of time. Another > chunk of money for Cisco I guess... The interesting thing is you can connect to IRC and discuss forbidden keywords... Also that study is curious because I heard they block the whole page, rather than just interrupt it in the middle... -- Matthew J Toseland - [EMAIL PROTECTED] Freenet Project Official Codemonkey - http://freenetproject.org/ ICTHUS - Nothing is impossible. Our Boss says so. signature.asc Description: Digital signature ___ Support mailing list Support@freenetproject.org http://news.gmane.org/gmane.network.freenet.support Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support Or mailto:[EMAIL PROTECTED]
Re: [freenet-chat] Re: [freenet-support] Freenet 0.7
On 08/31, Matthew Toseland wrote: > > > Have you thought about that ignoring reset packets thing that was > > > shown to make it possible to bypass The Great Firewall? I mean, I > > > don't know too much about it, or if it'd be possible for > > > freenetbut it might be worth looking in to. > > That would involve platform-specific code, there's no way to do that in > > java. > It's unnecessary anyway because it only applies to TCP. It does however > tell us something very interesting and useful: The firewall is stateless !! > They pick up forbidden keywords on a packet and then send a reset > packet, they don't even delete later packets on the same connection > because *they don't track connections at all* ! But they will do that, sooner or later. It's just a matter of time. Another chunk of money for Cisco I guess... ___ Support mailing list Support@freenetproject.org http://news.gmane.org/gmane.network.freenet.support Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support Or mailto:[EMAIL PROTECTED]
Re: [freenet-chat] Re: [freenet-support] Freenet 0.7
On Wed, Aug 30, 2006 at 11:52:23PM +0200, David 'Bombe' Roden wrote: > On Wednesday 30 August 2006 23:47, [EMAIL PROTECTED] wrote: > > > Have you thought about that ignoring reset packets thing that was > > shown to make it possible to bypass The Great Firewall? I mean, I > > don't know too much about it, or if it'd be possible for > > freenetbut it might be worth looking in to. > > That would involve platform-specific code, there's no way to do that in > java. It's unnecessary anyway because it only applies to TCP. It does however tell us something very interesting and useful: The firewall is stateless !! They pick up forbidden keywords on a packet and then send a reset packet, they don't even delete later packets on the same connection because *they don't track connections at all* ! > > David -- Matthew J Toseland - [EMAIL PROTECTED] Freenet Project Official Codemonkey - http://freenetproject.org/ ICTHUS - Nothing is impossible. Our Boss says so. signature.asc Description: Digital signature ___ Support mailing list Support@freenetproject.org http://news.gmane.org/gmane.network.freenet.support Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support Or mailto:[EMAIL PROTECTED]
Re: [freenet-chat] Re: [freenet-support] Freenet 0.7
Hundreds of projects? Such as? None of them comes anywhere near to our techology; most of them are either easily harvestable and blockable proxy networks, or WASTE clones. On Wed, Aug 30, 2006 at 05:47:43PM -0400, [EMAIL PROTECTED] wrote: > Have you thought about that ignoring reset packets thing that was > shown to make it possible to bypass The Great Firewall? I mean, I > don't know too much about it, or if it'd be possible for > freenetbut it might be worth looking in to. > > Also just wanna add that I fully support the desire to help get around > the chinese firewalls and stuffbut you're one of hundreds of > projects working on that same goaland personally, I'm not using > 0.7 until there's a working opennet. As much as it may seem like I'm > totally against darknetsit's not so much what you're working on, > it's how. I still feel quite strongly that the main page should send > new users to a download page for 0.5, not 0.7. As for the issue of > getting a working opennet...I'll join the other people in backing > offI suppose I can wait another year or so for a new versionI > just hope 0.5 will last that long without any fresh users. > > On 8/30/06, David 'Bombe' Roden <[EMAIL PROTECTED]> wrote: > >On Wednesday 30 August 2006 22:35, inverse wrote: > > > >> beyond harvesting the connected IP addresses to raid their owner's > >> homes, one big concern with encrypted protocols is that they can be > >> filtered out by application-level scanning firewalls. I think this is > >> exactly what's happening in China. > > > >Yes, the session bytes that are used to initiate connections are > >typical. > > > > > >> Public-key encrypted communications show constant patterns the moment > >> a public key is exchanged between hosts. > > > >Communication between 0.7 nodes doesn't have to exchange public keys, > >those are already known as they are contained in the node reference. > > > > > >David > > > > > >___ > >Support mailing list > >Support@freenetproject.org > >http://news.gmane.org/gmane.network.freenet.support > >Unsubscribe at > >http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support > >Or mailto:[EMAIL PROTECTED] > > > > > > > > > -- > > http://www.spreadfirefox.com/?q=affiliates&id=0&t=57";> border="0" alt="Get Firefox!" title="Get Firefox!" > src="http://sfx-images.mozilla.org/affiliates/Buttons/180x60/blank.gif"/> > ___ > Support mailing list > Support@freenetproject.org > http://news.gmane.org/gmane.network.freenet.support > Unsubscribe at > http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support > Or mailto:[EMAIL PROTECTED] > -- Matthew J Toseland - [EMAIL PROTECTED] Freenet Project Official Codemonkey - http://freenetproject.org/ ICTHUS - Nothing is impossible. Our Boss says so. signature.asc Description: Digital signature ___ Support mailing list Support@freenetproject.org http://news.gmane.org/gmane.network.freenet.support Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support Or mailto:[EMAIL PROTECTED]
Re: [freenet-chat] Re: [freenet-support] Freenet 0.7
0.7 has no predictable or repeated bytes whatsoever. It can probably be identified by several more expensive, less reliable techiques at present: 1. Timing. 2. Packet size. 3. It's not a known protocol, therefore it must be bad. 4. Flow analysis. On Wed, Aug 30, 2006 at 10:35:32PM +0200, inverse wrote: > Matthew Toseland wrote: > >Well on the most trivial level, 0.5 doesn't work in china. > > > yo, > > beyond harvesting the connected IP addresses to raid their owner's > homes, one big concern with encrypted protocols is that they can be > filtered out by application-level scanning firewalls. I think this is > exactly what's happening in China. > > > Application-level scanning can be implemented via ASIC technology > directly in hardware thus being extremely fast, and we know this works > very well. > Public-key encrypted communications show constant patterns the moment a > public key is exchanged between hosts. > > Such system can work until there's enough processing power available to > make them run without compromising the overal network performance, so to > defeat them (they are intended to simply drop forbidden connections) you > have to design a protocol > which shows no recognisable patterns at any level. > Nested symmetric encryption of each packet with multiple randomly > selected pre-shared keys? > To decode each packet a firewall will have to: > 1) try at least half the known pre-shared keys on each packet > 2) do the above for each level of encryption used. > > given the number of keys n and the number of levels l the total number > of decryption passes k before you extract usable data (which may be > further asymmetrically encrypted) is k = (n/2)^l. This is true for > each packet and you cannot avoid doing this if you want to confirm the > contents. > While this might not be so demanding for a single CPU and few > connections, a core firewall won't be happy to discover that a simple > scan no longer suffices and you have to actually process a VERY large > number of packets coming from a number of sources with random ports > trough a custom designed and frequently updated cryptographic ASIC > multiple times. > > The idea is not to design a virtually unstopplable protocol: there > might come a day when only pure HTTP to port 80 is allowed, the idea > instead is to make it a bit more unstoppable in places like China, > probably France and EU and next in the US. > > Also, this won't be a solution in places that trace social network > connections (like the current US), this however will make the process > somewhat harder. > > Just a suggestion.. > > > > > ___ > Support mailing list > Support@freenetproject.org > http://news.gmane.org/gmane.network.freenet.support > Unsubscribe at > http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support > Or mailto:[EMAIL PROTECTED] > -- Matthew J Toseland - [EMAIL PROTECTED] Freenet Project Official Codemonkey - http://freenetproject.org/ ICTHUS - Nothing is impossible. Our Boss says so. signature.asc Description: Digital signature ___ Support mailing list Support@freenetproject.org http://news.gmane.org/gmane.network.freenet.support Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support Or mailto:[EMAIL PROTECTED]
[freenet-chat] Re: [freenet-support] Freenet 0.7
urza9814 at gmail.com wrote: > Have you thought about that ignoring reset packets thing that was > shown to make it possible to bypass The Great Firewall? I mean, I > don't know too much about it, or if it'd be possible for > freenetbut it might be worth looking in to. it's possible to do it, but only under linux at the moment. You just set an iptables prerouting rule that drops incoming tcp RST packets. This a kernel side level 4 setting that's perfectly transparent to the application level, the only side effect being that any incoming connection will end with a timeout in place of a graceful reset. Under windows I suppose you simply lack the instruments and support to do something clever like that.
[freenet-chat] Re: [freenet-support] Freenet 0.7
David 'Bombe' Roden wrote: > Communication between 0.7 nodes doesn't have to exchange public keys, > those are already known as they are contained in the node reference. nice! I definitely need to install 0.7 and capture some packets for testing
[freenet-support] Re: [Tech] Freenet 0.7 build 953
Thank you. I must search for Ed. Nick > [Original Message] > From: Anonymous via Panta Rhei > To: Nicholas Sturm > Date: 8/31/2006 3:40:52 AM > Subject: Re: [freenet-support] Re: [Tech] Freenet 0.7 build 953 > > On Wed, 30 Aug 2006 01:42:42 -0400, you wrote: > > > > > "There are four boxes to use in the defense of liberty: soap, ballot, > > jury, > > > ammo. Use in that order." -Ed Howdershelt > > > > I'm quite familiar with the other folks mentioned. As a genealogist, this > > Ed Howdershelt interests me very much. Could you point me to more > > information regarding him? One of his cousin seems to have lived a few > > hundred yards from where my mother was born and raised. And I've heard the > > surname (and several variants) since I was perhaps eight to ten years of > > age. > > Sorry, I saw it used in somebody's message on usenet (alt.privacy I think), > liked it and decided to add it to my collection. > > details of it's origin or the credited author are unknown to me. > > > -- > "An evil exists that threatens every man, woman, and child of this great > nation. We must take steps to ensure our domestic security and protect our > homeland." > > - Adolf Hitler, proposing the creation of the Gestapo in Nazi Germany. > - George Bush, Talking about the Homeland Security Act and the Patriot Act. > > "The means of defense against foreign danger historically have become > the instruments of tyranny at home." > > James Madison, fourth president of > the United States > > I may disagree with what you have to say, but I shall defend, to the > death, your right to say it. - Voltaire > > "There are four boxes to use in the defense of liberty: soap, ballot, jury, > ammo. Use in that order." -Ed Howdershelt > >
