lainchan archive - /cyb/ - 31432



File: 1466302306674.png (20.35 KB, 198x270, ricochet.png)

No.31432

any lainons using ricochet.im?

wanna share ricochet ids?

hmu: ricochet:xwt52enoo3plqbhx

  No.31435

>This software is an experiment. It hasn't been audited or formally reviewed by anyone.

Okay?

  No.31438

>>31435
plenty of lainons here use tox, and ricochet is very similar.

it's fun to play around with new stuff.

do you hate fun, lainon?

  No.31439

File: 1466306247394.png (192.83 KB, 200x194, ߐߜߝ߇ߍߢ.jpg)

>>31438

Can I 'like' your post?

In all seriousness though do I need to explain to you how to correctly astroturf a backdoored messenger app or do you want me to do it for you?

  No.31444

>>31439
idk what to say to make you not think this is shilling, so i'll just link the audit

https://www.opentech.fund/article/ricochet-code-audit

https://ricochet.im/files/ricochet-ncc-audit-2016-01.pdf

there's quite a few infosec dweebs that use ricochet, i figured I'd find out if some lainons used it as well so we could chat.

  No.31449

File: 1466310009106.png (522.37 KB, 200x134, ‮▞▜▜▙▟▞.jpg)

>idk what to say to make you not think this is shilling, so i'll just link the audit

The fact that you want me to think you're not shilling isn't very convincing.

This is exactly the reason you seem like a shill. Try to put more effort and quality into your posts and you'll likely be perceived as being more authentic.

Your timing in releasing this "free privacy app that's just like Tox!" is pretty awful as well, if you haven't read the news lately. TLAs are getting more and more "authorization" for deeper deception every day.

Not much trust left.

  No.31450

>>31449
idk m7, that's awfully paranoid

without divulging too many personal details, but hopefully building a reputation beyond "anonymous shill poster on lainchan dot org"

me and 1 other person met with kalyx at the mn lainchan meetup.

>Your timing in releasing this "free privacy app that's just like Tox!" is pretty awful as well, if you haven't read the news lately. TLAs are getting more and more "authorization" for deeper deception every day.

it's not just like tox, it's text chat only, and it's not new at all, it's been around since 2014 or at least however long Pond has been around...

it kinda peaked in popularity earlier this year/late last year.

i'm not shilling, i just want to dick around with this experimental instant messenger with fellow lainons

  No.31457

File: 1466313792791.png (165.9 KB, 200x113, ‮.jpg)

>>31450

Given the laws that are coming into effect right now the word "paranoid" doesn't mean anything of substance.

It's not just that you're proposing people subject themselves to an experiment, it's that you went so far as to make a deliberate appeal to Tox users to "come have fun" with this new "private" messenger app.

That's not a logical decision you're asking users to make, it's an emotional decision you're asking for. If you were looking for users to make a logical decision in the first place you would have provided your disinfo up front.

https://en.wikipedia.org/wiki/NCC_Group
NCC Group is a UK-based multinational organization. The UK has recently obtained long-sought-after "authorization" to intercept communications without warrant.

As I mentioned before, your timing sucks.

  No.31459

File: 1466314798211.png (430.52 KB, 200x133, NETS.jpg)

>>31457
>As I mentioned before, your timing sucks.

which is why i find having to refute these paranoid theories of yours to be very annoying.

I am very late to the party in regards to ricochet. literally all i've posted is old news by nearly 4 months

I'm actually kinda flabbergasted nobody on /cyb/ has heard of ricochet

the tor project has an anonymous tipline that uses ricochet as the contact point.
tor devs use and develop ricochet

just look at the fucking contributors:
Robin Burchell, Patrick Gray, Suelette Dreyfus, Lawrence Eastland, HD Moore, The Grugq, Kevin Littlejohn, Jan Noertemann, Gabe Edwards, ivopetkovcz, Einfach, Mikkel Kroman, mijnheer, Meternalf, reviewjolla, rike, Creaprog, CrumpyGat, Jordi, franck99, Daniel James Smith, esqfax, swperman, vla8752, qualte, strel, rawtaz, taskmaster, cbolat, basarancaner, l3rixon, nergal, weedpatch2, yawnbox, and other anonymous contributors.

  No.31474

File: 1466323500777.png (2.22 MB, 200x113, cuck.webm)

>>31459

What theories? We're talking about an experimental messaging application that calls itself "private" being touted as an alternative to Tox.

You don't have any notion whatsoever that such a program might potentially have a backdoor until proven otherwise? Years ago I might not have questioned any of this at all, but state actors have turned the web from a trust-based network into a trustless network.

If you value security, you should already be used to questioning the need and legitimacy of a piece of software before using it. If those questions make you uncomfortable you're far too insecure to be using the internet.

Trust doesn't evaporate overnight for no reason at all.

If a project is going to refer to itself as being "private", the institutional and financial backing of the project as well as the security of the client and messaging protocol deserve scrutiny, don't you think?

  No.31477

>>31439
what do you do with your anonymity that you so zealously protect?

or do you just make obstructionist posts on lainchan to try to prevent us from finding out THE TRUTH!?

>The fact that you want me to think you're not shilling isn't very convincing.


So, by Bayes' rule, if you have a hypothesis that will update in one direction if a boolean evidence variable is true, it HAS to update in the other direction if the boolean evidence variable is false. You can derive this in a few steps from Bayes' rule.

So, if "you want me to think you're not shilling" is evidence of shilling, "you want me to think you're shilling" HAS to be evidence of not shilling. That's just math.

Reflect on that and maybe see a therapist? Paranoia is not a positive mental state to exist in permanently.
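
The Bayes'-rule step claimed in the post above, worked out as an added derivation (not part of the original post). Write $H$ for the hypothesis ("shilling") and $E$ for the boolean evidence ("wants me to think they're not shilling"), with $0 < P(E) < 1$ so that both outcomes are actually possible. By the law of total probability the prior is a weighted average of the two posteriors:

$$
P(H) = P(H \mid E)\,P(E) + P(H \mid \neg E)\,P(\neg E), \qquad P(\neg E) = 1 - P(E).
$$

Solving for the posterior under $\neg E$ and using the assumption $P(H \mid E) > P(H)$:

$$
P(H \mid \neg E) = \frac{P(H) - P(H \mid E)\,P(E)}{1 - P(E)}
< \frac{P(H) - P(H)\,P(E)}{1 - P(E)} = P(H).
$$

So if observing $E$ raises $P(H)$, observing $\neg E$ must lower it, and symmetrically if $E$ lowers it, $\neg E$ must raise it. The one caveat a reader should keep in mind is that the argument needs $E$ and $\neg E$ to be genuinely complementary observations of the same variable, and a non-degenerate $P(E)$; it says nothing about how large either update is.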

  No.31482

File: 1466326851994.png (175.88 KB, 200x123, cocainedrops.jpg)

tl;dr here's my ricochet:sdysxxjjmtnhnyft

from what is written on wikipedia it seems ricochet is like torchat, each user gets an onion id and tor is responsible for encryption and authentication.

if so then it is probably one of the most secure clients out there, due to the tiny attack surface.

the project itself is a qt project which means it is accessible much more intuitively than autotools crap.
the code itself makes use of Qt classes and signals and slots which might not be perfectly efficient but it is quite secure and produces clean code and CPU doesn't matter for desktop chat clients.

there are pull requests by different programmers which means that, unless they're all NSA or stupid, the program is being constantly audited.

ricochet uses /usr/bin/tor instead of shipping their own tor instance like torchat did.

but here is the funny thing. looking for backdoors i noticed a suspicious piece of code:
QByteArray AddOnionCommand::build()
{
    QByteArray out("ADD_ONION");

    if (m_service->privateKey().isLoaded()) {
        out += " RSA1024:";
        out += m_service->privateKey().encodedPrivateKey(CryptoKey::DER).toBase64();
    } else {
        out += " NEW:RSA1024";
    }

Who the fuck in their right mind would use a 1024 bit RSA key in 2016? They were probably already outdated last millennium.
Well, turns out Tor does, and this code is just for telling tor to publish a new hidden service or whatever.
http://blog.erratasec.com/2013/09/tor-is-still-dhe-1024-nsa-crackable.html

Does anyone know what key size I2P and i2pd use by default and which ones they support? Because i think I'll consider Tor compromised from now on.
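
Added example (not code from the Ricochet project or from the poster above): a Python sketch that mirrors the key-spec branch of the quoted AddOnionCommand::build() and then audits the resulting control-port line, so that a reviewer chasing the 1024-bit RSA question can check not just the label but the modulus size actually being handed to Tor. The two key specs ("RSA1024:<base64 DER>" and "NEW:RSA1024") come from the quoted snippet; the function names, the minimal DER reader and the constructed sample key skeleton are assumptions made for this example, and the sample is a structural placeholder with a made-up modulus, not a real key.

```python
import base64
import re

# --- Minimal DER helpers (assumed helpers for this example, not Ricochet code) ---

def der_len(n):
    """DER length octets for a content length n (short and long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_int(value):
    """DER INTEGER encoding of a non-negative Python int."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body  # leading zero keeps the INTEGER positive
    return b"\x02" + der_len(len(body)) + body

def der_seq(*items):
    """DER SEQUENCE wrapping the already-encoded items."""
    body = b"".join(items)
    return b"\x30" + der_len(len(body)) + body

def read_tlv(buf, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(der):
    """Bit length of the modulus in a PKCS#1 RSAPrivateKey DER blob.

    RSAPrivateKey ::= SEQUENCE { version INTEGER, modulus INTEGER, ... }
    Only the first two fields are read; the rest of the structure is ignored.
    """
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, _version, pos = read_tlv(body, 0)
    tag, modulus, _ = read_tlv(body, pos)
    if tag != 0x02:
        raise ValueError("modulus is not an INTEGER")
    return int.from_bytes(modulus, "big").bit_length()

# --- The two code paths from the quoted C++ snippet, in Python ---

def build_add_onion(der_private_key=None):
    """Same key-spec choice as the quoted AddOnionCommand::build()."""
    out = "ADD_ONION"
    if der_private_key is not None:
        out += " RSA1024:" + base64.b64encode(der_private_key).decode("ascii")
    else:
        out += " NEW:RSA1024"
    return out

def audit_add_onion(command):
    """Classify the key spec of an ADD_ONION control command.

    Returns (key_type, modulus_bits_or_None, is_legacy_1024).
    """
    m = re.match(r"ADD_ONION (\S+?):(\S+)", command)
    if not m:
        raise ValueError("not an ADD_ONION command")
    key_type, blob = m.groups()
    if key_type == "NEW":
        # Tor generates the key itself; only the requested algorithm is visible.
        return (blob, 1024 if blob == "RSA1024" else None, blob == "RSA1024")
    if key_type == "RSA1024":
        # Don't trust the label: measure the modulus actually being uploaded.
        bits = rsa_modulus_bits(base64.b64decode(blob))
        return (key_type, bits, bits <= 1024)
    return (key_type, None, False)

# Constructed sample: an RSAPrivateKey skeleton with a 1024-bit placeholder
# "modulus" and e = 65537. NOT a real key, just enough structure to parse.
SAMPLE_MODULUS = (1 << 1023) | 1
SAMPLE_DER = der_seq(der_int(0), der_int(SAMPLE_MODULUS), der_int(65537))

if __name__ == "__main__":
    print(audit_add_onion(build_add_onion()))            # key generated by Tor
    print(audit_add_onion(build_add_onion(SAMPLE_DER)))  # key uploaded by client
```

audit_add_onion returns a flag rather than raising so it can be run over a capture of control-port traffic or over test vectors and the results tallied; the modulus check is what makes it more than a string match, since a client could label any blob "RSA1024".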

  No.31483

File: 1466327738060.png (426.54 KB, 200x85, ∇∆∇∆∇.gif)


  No.31484

>>31482
>Who the fuck in their right mind would use a 1024 bit RSA key in 2016?
All of Tor.

  No.31485

File: 1466329289488.png (1.26 MB, 200x113, ∘∀∘;.gif)

>>31484

https://pando.com/2014/07/16/tor-spooks/

Isn't it about time the unwashed masses just assume they are subject to unwarrantable surveillance at all times unless thoroughly fucking air-gapped?

That'll moralize them!

  No.31492

>>31482
>>31484
it appears i2p supports 1024 bit DSA keys. does anyone know if this is still true and if i2pd complies with this idiotic standard?
https://geti2p.net/spec/cryptography

  No.31493

File: 1466337630149.png (279.69 KB, 200x113, Ʌɏɏɏ‮.jpg)

>>31492
>https://geti2p.net/spec/cryptography

>Obsolescence

>[NIST-800-57] recommends a minimum of (L=2048, N=224) for usage beyond 2010. This may be mitigated somewhat by the "cryptoperiod", or lifespan of a given key.

>The prime number was chosen in 2003 [CHOOSING-CONSTANTS], and the person that chose the number (TheCrypto) is currently no longer an I2P developer. As such, we do not know if the prime chosen is a 'strong prime'. If a larger prime is chosen for future purposes, this should be a strong prime, and we will document the construction process.

  No.31494

sident
ricochet:gze2coi7qoum7vpg

  No.31496

>>31492

>https://github.com/PurpleI2P/i2pd/wiki/tunnels.cfg

Optional parameters:
'signaturetype' means signature type for new keys. 0 - DSA, 1- ECDSA-P256, 7 -EDDSA. 1 by default.

Quick web search shows ECDSA-P256 to be somewhat deprecated.

  No.31497

>>31496
this doesn't say anything about DSA key sizes, neither yours nor those of the nodes you connect to.

and is ECDSA-P256 using secp256k1 or the NIST P-256 curve?
because secp256k1 is one of the few trustworthy curves, but NIST is evil and it seems P-256 isn't even part of my OpenSSL.

  No.31529

>>31482
>>31494
op here, added both of you :3

  No.31600

bumping for more lainons

  No.31789

File: 1466750501240.png (1.15 MB, 142x200, tmp_32156-d44eeb5b35b549137d07c0f7a6354d70582896048.png)

Bumpu

  No.31881

File: 1466907565684.png (29.46 KB, 152x200, 1450643336055.jpg)

Ricochet is in the Debian repos!

  No.31884

>>31457

Not the person you're responding to, but did you actually read the audit? Or are you just running with an assumption and going for broke trying to win this 'argument'?

  No.31976

the lainchan mumble is getting shut down, we're all switching to ricochet

  No.31980

File: 1467094922577.png (55.48 KB, 200x195, [10].jpg)

>>31976
>(USER IS FULL OF SHIT)

ayy

  No.31986

ricochet:zxygscuj4prid2my
feel free to just talk or send me stuff

  No.32033

>>31986
sent ;^)

  No.32087

To everyone who's posting IDs it would be helpful if you'd also post a nick like hmu and sident did.

  No.32089

>>32087
hmu isn't my nick, that means "hit me up" lol

just use our randomly generated names from the posts

  No.32154

File: 1467342707232.png (47.79 KB, 200x113, ‮␐.jpg)

>>31884

Private? Possible. Secure? Doubtful.

If the software is compliant with the current UK legal regime it's likely insecure. What's your argument again?

You're free to trust whatever you want from wherever you want to whatever extent gives you peace of mind.

I would merely recommend you take claims of "private" software originating in the UK with a dash of salt.

You're free to participate in the "experiment" in order to conduct your own independent analysis to verify the results.

  No.32325

Bump

  No.32357

anyone know how ricochet handles tor?

does tor automatically update or do the ricochet devs have to package and push a tor update?

  No.32485

>>32357
>does tor automatically update or do the ricochet devs have to package and push a tor update?
the fuck, what distro are you on? i built from source and it uses preinstalled tor.
there is also no tor executable included in the source code so i presume you have to ask whoever packages ricochet for you.

  No.32546

>>32485

My sister is on a MacBook, she said she didn't install tor and ricochet just werked

  No.32585

>>31477
"Eliminate metadata. Nobody knows who you are, who you talk to, or what you say.
Stay anonymous. Share what you want, without sharing your identity and location.
Nobody in the middle. There are no servers to monitor, censor, or hack.
Safe by default. Security isn’t secure until it’s automatic and easy to use."
This is what it says on https://ricochet.im/ , so they are claiming full anonymity, if there is a backdoor that is not the case. Until proven otherwise his post is just in place and yours is shitposting.

  No.32646

File: 1468113049490.png (328.03 KB, 200x172, 2tsumugi4boogie.gif)

why so much FUD ITT?

  No.32654

File: 1468119704020.png (174.95 KB, 190x200, trust?‪‫.png)

>>32646

UK-based software. UK-based security audit. UK legal regime.

Similar to not trusting US-based email providers.

  No.32683

If you don't trust the implementation, you can just reimplement it yourself. The protocol is really fucking simple.
You'll still have to trust Tor, but that fact is central to ricochet's design. If you think Tor is fundamentally broken, ricochet really isn't the right software for you.

  No.32684

>>32683
Nothing will beat a Cpp implementation in terms of security.
Audit was pretty good too.

  No.32814

>>32654
>UK-based software. UK-based security audit. UK legal regime.

slightly off topic. but what makes the UK so all powerful?

would you prefer your encryption made by the FSB, the US Navy, Israeli cryptographers, Swiss MIT alumni, or Chinese-Canadian students

  No.32820

File: 1468269535397.png (1.97 MB, 200x200, hardened.gif)

>>32814

>would you prefer your encryption made by the FSB, the US Navy, Israeli cryptographers, Swiss MIT alumni, or Chinese-Canadian students

Of the groups you've listed... my top pick would probably be the Swiss MIT alumni with German security audits (ie: https://www.sit.fraunhofer.de/).

As long as governments such as those in the UK and US remain committed to authorizing unwarrantable offensive hacking campaigns against the public, it makes more sense to consider everything hacked until proven otherwise.

Given the asymmetrical distribution of resources between governments and the public, self-censorship is the most secure thing the public can do until legal conditions improve (warrants).

Unwarrantable behavior on the part of governments acting as if they're at war with the public means there's no accountability, no due process, and no compensation for collateral damage.

  No.32828

>>32820
I'd prefer my encryption to be well-cryptanalyzed by the entire international cryptography community, like AES and RSA.

Salsa and Curve25519 are second-tier, but I'm a huge Bernstein fanboy so I like them (and ECC is more resilient than RSA, so there's that)

  No.32829

>>32828
was meant for >>32814

  No.32832

File: 1468273081703.png (14.77 KB, 154x200, release-candidate-1.png)

>>32820
> self-censorship is the most secure thing the public can do until legal conditions improve (warrants)

that's pretty circular logic tbh
if we self-censor our dissent, how will the governments change to accommodate our dissent?

https://www.youtube.com/watch?v=iwqN3Ur-wP0
https://www.youtube.com/watch?v=iY57ErBkFFE

>tl;dr: alpha centauri secret projects are always related.

  No.32836

>>32832
and maybe to disclose the reasons i'm shilling for ricochet/tor/i2p/signal/briar/et al... so hard is because the more ubiquitous cypherpunk software becomes, the more its users benefit.

me and a small group of irl friends are slowly moving almost completely to onionspace/eepspace

but we don't want to be this hermit kingdom of cypherpunks, we want our normie friends to use tor and i2p and the best ways we found to convert people over is to get them to dip their toes in and use simple stuff like signal and ricochet and otr-xmpp with tor/i2p hidden services

  No.32841

File: 1468280300588.png (3.86 MB, 200x113, "honesty".gif)

>if we self-censor our dissent, how will the governments change to accommodate our dissent?

They fucking won't. Gov's job is to preserve the status quo on behalf of an unelected economic elite. Weren't you paying attention to OWS? Gov doesn't actually give a fuck about genuine dissent and mainstream media didn't give it fair coverage or discussion. The message from the public was pretty simple: "This game is rigged, fix it".

The result was that open dissent such as OWS resulted in inaction, suppression and oppression. Nothing changed. World class criminals are still running the world and they have more power and wealth than they had prior to OWS.

Silence, noise, or disinformation campaigns could actually be much more useful in reducing oppression and inducing systemic change than honest campaigns, because the resources spent waging suppression and oppression campaigns will be misdirected and misapplied.

  No.32849

File: 1468285307311.png (162.53 KB, 200x71, Goofy-Gommunist.png)

>>32841
>on behalf of an unelected economic elite.

They're elected sometimes.

  No.32855

File: 1468289693772.png (3.53 MB, 200x113, straya.webm)

>>32849

A-are you attempting to deceive me?!

  No.32879

File: 1468305299216.png (6.34 KB, 200x109, p-smile.gif)

>>32841
>Silence, noise, or disinformation campaigns could actually be much more useful in reducing oppression and inducing systemic change than honest campaigns, because the resources spent waging suppression and oppression campaigns will be misdirected and misapplied.

not doing anything is just that. it's doing nothing.

you *have* to do *something*. it's just that simple.

sitting on your hands acting like a conspiracy theorist who thinks the world is ruled by supernatural un-touchables who can co-opt any and every movement/project/group/idea is about as counter-productive as it gets.

  No.32884

File: 1468317390392.png (166.66 KB, 200x150, love.png)

>>32879
>sitting on your hands acting like a conspiracy theorist who thinks the world is ruled by supernatural un-touchables who can co-opt any and every movement/project/group/idea is about as counter-productive as it gets.

>muh 'conspiracy'

Blessed skynet overlords, as you're watching us carefully enough to target us on an individual basis, you should know that your obvious interference is creating a backlash. This is about as counter-productive as it gets.

If your objective is to permanently kill critical thought and freedom of expression, please continue your interference until you've created a culture of fear where no individuals feel safe discussing actual political opinions. As Snowden revealed, you've come a long way in doing so!

Unwarrantable, unaccountable mass surveillance and interference in the lives of the masses is the keystone of the modern variant of communism that you supposedly fear and oppose so much. You have the resources and knowledge available to know this better than anyone. Yet here you are perfectly emulating the communists.

So do you really want us to self-censor now? Because this is the world you're creating. You're absolutely correct in stating that it isn't productive to be extra-judicially judged for expressing opinions contrary to the mainstream, so you haven't left us much of a choice, have you?

What would be most interesting to discuss is how you think it's possible to maintain a "productive working class" when over 50% of the wealth in the world is held by 62 people.

  No.33576

Stupid question:
Do I have to install Tor before I want to use Ricochet on Windows?

  No.33605

>>33576
>Do I have to install Tor before I want to use Ricochet on Windows?
No. Like the Tor Browser Bundle, it comes with its own version of Tor on Windows.

  No.33606

>>33576
Installing it on Windows is a bit counterproductive don't you think?

  No.34127

so I was just at HOPE, and I'm the guy who also started this thread

I spoke with the ricochet developer at length

IDK where the whole "ricochet is developed in the UK" meme started, but the dev of ricochet is most definitely not from the UK

toplel

  No.34138

>>31482
I think the onion services c3 talk this year said something about a plan to move away from 1024-bit RSA. I am holding off from ricochet until this is done.

  No.34141

>>34138
>I think the onion services c3 talk this year said something about a plan to move away from 1024-bit RSA.
>I am holding off from ricochet until this is done.
mind posting what you are using instead?

but please don't say "clearnet", i would hate to have to file a ban request for not arguing in good faith but instead trolling, shitposting or shilling.

  No.34332

>>33605
Thanks.
>>33606
It's for my friends who are on Windows (I switched a long time ago). Being concerned about your privacy while using Windows sounds kinda stupid otherwise, I know.

Would there be any issues though? I mean specifically using a privacy respecting messenger on a not privacy respecting system. Could there be any means to deanonymize them and myself? Something like taking a screenshot of your screen and sending it to Microsoft for example. W10 probably doesn't do things like that, right?
Telling my friends to ditch Windows will not work, so I'm looking for a compromise.

  No.34334

>>31432

it's a virus

  No.34336

>>34334
antivirus programs tend to flag any program that also installs tor as malware

  No.34615

>>34332
>Could there be any means to deanonymize them and myself?
them, yes. you, only from what is written in chat, unless carnegie mellon university receives another million dollars from the FBI.
>Something like taking a screenshot of your screen and sending it to Microsoft for example.
i think that is only done on smartphones by various apps
>W10 probably doesn't do things like that, right?
no, W10 has a keylogger, according to their TOS. it just sends everything your friends type. no idea if windows also analyzes text that they receive from you but i wouldn't be surprised.

>>34334
i guess you are kidding, but if not then fyi "tor is a virus" is a ~2012 meme created by antivirus companies in the name of NSA and KGB. kaspersky were probably even the first to do this.
and they don't call it a virus, they call it a potentially unwanted application, because it could have a vulnerability and therefore could allow malware to enter your system.
if you don't think this is retarded then you need to RTFM.

  No.34616

>>34615
>and they don't call it a virus, they call it a potentially unwanted application, because it could have a vulnerability and therefore could allow malware to enter your system.
>if you don't think this is retarded then you need to RTFM.
It isn't as retarded as you might think. Lots of botnets host their command and control servers as hidden services and use Tor to phone home. Tor activity on a normie's computer might very well be an indication of malware.