/qa/ - Questions and Answers

Keeping the community together by giving you a voice


If you want to see the latest posts from all boards in a convenient way please check out /overboard/


Archived thread


1200px-Tor-logo-2011-flat.svg[1].png
The Future of Tor
Sapphire_Star
Admin
!!D3VvbJBKFo
No.845
851 852 870 947 978
As you all may (or may not) have noticed, we've got a few undesirables in our midst. Some post with private VPNs, the vast majority post through tor exit nodes. Its been discussed among the site staff quite a bit and the overwhelming consensus is we shouldn't ban tor. While I don't agree with that 100% (I don't believe tor is anywhere near as secure as most people seem to think) I do agree that those outside of burgerland should have a safer way of posting without violating local laws against freedom, without moving to a real first world country.

That said, unfortunately for those of you who choose to post through tor, you will have some curtailed rights. We as admins (and soon to be the entire moderation staff) have the ability to turn off torposting at will, and quickly. We will do this as we deem necessary. If you have concerns (or notice a node has been manually banned) let us know, either through this thread or via email at [email protected]
Anonymous
No.846
847
You mean to tell me that you can stop all of the shills by a single change???
Sapphire_Star
Admin
!!D3VvbJBKFo
No.847
>>846
not all of them, but a decent amount. Its a fairly recent addition to the armaments and we're still working on making it more friendly (right now it takes an admin getting pretty intimate with the settings)
Anonymous
No.851
>>845
Sounds like great solution.
Anonymous
No.852
>>845
What exactly has been changed to posting through tor? While I definitely care about users who don't have freedom in their home countries, do we know for sure even a single mlpol user needs tor? (I know that alt brony used it before he was kicked off the site). And if we can stop 80% of shills from even being able to post, I'm not sure why not do it
No.853
857
Taking out your own freedoms while you roleplay as soldiers
Are you guys fans of George W. Bush?


USER WAS BANNED FOR THIS POST
No.854
855
Taking out your own freedoms while you roleplay as soldiers
Are you guys fans of George W. Bush?
Anonymous
No.855
856
1492896465988m.jpg
>>854
Have you considered not gobbling cocks for a few minutes? When a specific entry method is getting absurd of course we should do something about it. So we might have to TSA the tor users in the booty hole. It's a shame but if the shills would stop smuggling in there bullshit wouldn't have to deal with it.
No.856
857 858 862
>>855
Do you not remember the "mission accomplished" thing and the Patriot Act? Well, I guess there's a good chance you're too young to remember these things. I thought it was a pretty good reference. You guys will quickly lose yourselves to paranoia-fueled infighting if a joke like that will earn a ban.
Look forward to it.
Anonymous
No.857
860
>>853
>>856

Unironically kys /jp/.

Also I meant to ask this earlier but I kept fucking up my post - aren't most of these things compromised anyways?
Anonymous
No.858
1492352203005.jpg
>>856
The better analogy would be immigration control. Abuse one visa program, were gonna go review that program. Also a good chance I'm the oldest old fag on this board. I got your reference clear. Your joke screams shill is the issue.
No.860
861
>>857
>Unironically kys /jp/.
lol

>aren't most of these things compromised anyways?
What do you mean? Imageboards? Of course they're compromised in that some guy made them and distributed the software and the knowledge of exactly how it works for free. If anyone wanted even an illusion of control they'd write their own from the ground-up.
It's a farce to think there's any protection here. This is some kid's afterschool project and you should remember it as such.

Anonymous
No.861
863
>>860
no retard I'm talking about TOR and anything else that does what it does. Sorry you don't get to feel like a super special l337 master hacker anymore.

also

>lol

Dropping a huffpost-tier line like "Are you guys fans of George W. Bush?" immediately tells me your an outsider. Now fuck off.

Anonymous
No.862
>>856
The poster referred to mlpol in the second person, identifying himself as not a member of it, and insulted all of mlpol as "roleplaying as soldiers." The user was obviously not mlpol and had no pretensions of it
No.863
864 865
>>861
TOR is only partially comprised depending on exit nodes. Most people that are caught fall to honeypots. TOR is a huge boogeyman to people that invoke images of the "dark internet" and all that other garbage that frightens grandma on the evening news.
>your an outsider. Now fuck off.
Of course I'm outsider; would any of you know any of these things? I've had my fun for the day. If I actually wanted to offend or mess with you I wouldn't just talk to you guys in a civil manner in a single thread. I wouldn't want to be like you, after all.
Good luck with your continued "raid". It's pretty epic as heck.
Anonymous
No.864
>>863
Wait, which raid?
Anonymous
No.865
>>863
Well we are some pretty epic dudes.
Anonymous
No.870
872
>>845
Was tor ever actually disabled? because it looks like they are still using it
Anonymous
No.872
>>870
Personally I welcome some Tor throttling. I did not fully understand why you let it be used in the first place but I accept some people have a legit reason for using it. Do you guys have the ability to see the original/real IP`s of these people? If not just say and maybe I can contact some old friends to help you. Would take time though.
Anonymous
No.873
So this is how the cookie crumbles.
Anonymous
No.882
mlfw10863_medium.jpg
>>881
Oh hi there fageddit. Btw I am posting pic rel freely on /pol/ get on my level u filth ;^).
Anonymous
No.903
950 952 955
>I don't believe tor is anywhere near as secure as most people seem to think

Can you elaborate on this? If it's to do with NSA-owned exit nodes, I'd like to say that you're probably wrong about that.

Now, I'll propose a couple of solutions to this problem:
1) You can implement an account registration system for users which plan to use Tor that works as follows:

A user would register for tor-authorization. This person provides the following information:

e-mail address
automatically generated username
and a password

The user's IP is hashed (the account can only be made off-tor) and then the user is given the go-ahead to use Tor. Each torpost is given a unique ID which is attached to the user's IP hash. If the user fucks up, they can be banned using this system. This prevents quick-and-fast ban evasion using Tor, and allows you to effectively moderate the use of Tor, while maintaining the freedom and privacy of the user. The downside of the this system is that it requires a fair bit of development overhead, and I'm not sure if you have a developer which is capable of implementing this system. I would like to make the following very clear: You *must* make the source code for both your instance of vichan, and this account system open source. If you don't, no smart Tor user will trust you or your software.

2) You can turn on captchas for every post (only for Tor users)
implementing this should be trivial. If an IP matches that of a Tor user, show them a CAPTCHA (I would NOT advice ReCaptcha at all. They bully us Tor users, use a PHP captcha instead)

This will probably piss off Tor users, but is a fair solution to stopping spam.

3) Make it so users don't *need* Tor to feel secure
You can do the following to help increase my trust in you, as a Tor regular on the Internet.
1. Release your source code on Github or Gitlain (preferably gitlain)
2. State your IP logging policy, and preferably do away with all IP logging, and switch to a hash-based system.
3. Tell us what data you keep, if any, and for how long that data is kept. Preferably stop all data collection wherever possible, except for error logs, and prune those error logs.
4. Tell us where the server is hosted
5. Tell us what OS is the server is running
6. How is the OS configured? Does it get security updates automatically?
7. Where did you buy the server from? Did you buy it in bitcoins, a giftcard, paypal? (this is relevant because this tells us if an adversary who got in touch with the server company would be able to quickly trace the transaction back to the administrator)
8. Release your congiruation files for NGINX if you use it, or Apache.
9. How is your SSHD configured? Do you use passwords, or do you use keys?
10. Is there *any* proprietary software installed on the server?
11. What hardware is the server running on (relevant because Intel has had some privacy concerns with their management engine)
12. Who in the staff team has administrative access to the server, and why do they have it?

Compile all of this information into a transparency page. The transparency page doesn't have to be neat with a big-ass stylesheet and javascript effects. It just needs to detail the above information.

Those are my ideas for solving the Tor problem. I would to hear ideas and comments from the administration.
Anonymous
No.947
>>845
We are STILL not secure from tor posting. Another one got through
Anonymous
No.950
>>903
I'll also add in that you shouldn't go around parading the fact that you have access to the post history of an IP address. It is a huge violation of privacy to view every post that an IP address has made.

Still waiting for a response
Sapphire_Star
Admin
!!D3VvbJBKFo
No.952
953
>>903
>The NSA doesn't have its claws in most computing devices existent today
[citation needed] its not that the NSA controls exit nodes, its that exit nodes are computers.

as for the rest of your questions, I'll leave that to Fallen as he's the lead developer.
Anonymous
No.953
>>952
>The NSA doesn't have its claws in most computing devices today

We can assume that it does. Even if this is the case, you have to take threat modeling into account. Are you trying to hide from the NSA?

There is no reason to need to hide from the NSA if you have done nothing illegal. You do have a couple of people you may want to hide from though, for privacy / security reasons:

1) Your ISP
2) Data brokers
and 3) (no offense) You

It doesn't appear that you're running any sort of analytic tracking software from Google or so here, so that scratches 2 off, at least for now.

There are many reasons to use Tor to hide from your ISP. For example, do you really want them to know that you're connecting to this type of site? Sure, you can change your DNS server, but they still know what site you're going to.

Also, if you're using Tor, it doesn't matter if another machine in the chain is compromised, because data is end-to-end encrypted. If you're not compromised, Mr. NSA has no idea who you are, and simply cannot know who you are. The responsibility of not being compromised lies in the user.

This is a public forum, so there is no worries for secret information, like private conversations, being leaked.

As for not being compromised, I always recommend an OpenBSD laptop running with Libreboot using softraid encryption for the disks. It doesn't get much more secure than that, honestly.
fallenPineapple
Admin
No.955
>>903
You bring up many valid points. Ill hit you with some answers.
1. Release your source code on Github or Gitlain (preferably gitlain)

https://github.com/fallenPineapple/vichan
What is there is what is running here

2. State your IP logging policy, and preferably do away with all IP logging, and switch to a hash-based system.
3. Tell us what data you keep, if any, and for how long that data is kept. Preferably stop all data collection wherever possible, except for error logs, and prune those error logs.

IPs are not currently hashed, they are stored in the database attached to the post associated with them. Once a thread or post is removed by any means that info is deleted. The exception being bans, that info sticks around till someone clears it out. We are hoping to move to a hashed system soon.

4. Tell us where the server is hosted
5. Tell us what OS is the server is running
6. How is the OS configured? Does it get security updates automatically?
7. Where did you buy the server from? Did you buy it in bitcoins, a giftcard, paypal? (this is relevant because this tells us if an adversary who got in touch with the server company would be able to quickly trace the transaction back to the administrator)
10. Is there *any* proprietary software installed on the server?
11. What hardware is the server running on (relevant because Intel has had some privacy concerns with their management engine)

The server is from soyoustart a division of OVH, It is in NA but leaf territory. AMD Opteron system running a bare bones install of Ubuntu 16.04.2 LTS. Just running a LEMP stack. Security updates are auto installed. I assume the server is payed through CC or Paypal.

8. Release your congiruation files for NGINX if you use it, or Apache.
https://ghostbin.com/paste/gvwug

9. How is your SSHD configured? Do you use passwords, or do you use keys?
Currently passwords (yes insecure I know) This will be changed to keys very soon.

12. Who in the staff team has administrative access to the server, and why do they have it?

Me: I am the one who set everything up on this server and the one that has to fix things related to it.

Atlas: He is the owner

I will try and get a page up that goes into more detail. But a post here is better then nothing at the moment.
Anonymous
No.977
978 979
fuck'n niggers.png
So we gonna turn this shit off once and for all now or what?
Anonymous
No.978
979
>>845
>>977
This.
Fuck it.
Anonymous
No.979
997
>>978
>>977
Is there a way to limit posting by proxies generally?
Anonymous
No.997
>>979
You can block the bulk of proxies that identify themselves as proxies, but some "Anonymous" proxies don't send the headers that identify themselves as proxies.
Anonymous
No.4514
Can you unblock tor? Zald is going to get around bans no matter what we do. Don't punish the rest of us for that one moron.
;