#i2p-dev
/2022/08/16
RN Lol
HaruCode yeah, this is a serious business^Wproblem. but I think I found a solution: we need to raid imageboards in clearnet, forcing a picture of a klysmaphile as a "meme". when enough of stupid middle-schoolers will catch the new trend, we will replace the problematic picture with said "meme". enemas are good for your health and don't jail people who take them, everyone is happy
mesh zzz: anything that can be done to improve Lease Distribution time?
HaruCode zzz (or str4d), sublime wants to ask a question. can you give them voice?
zzz sublime, how may we help you?
sublime good morning, zzz.
sublime i'm sure you saw this around already, but i have my questions in this js-free pastebin. paste.idk.i2p/TardiveTermite/read
sublime TLDR: is bootstrapping the point of failure where ISPs can determine i2p protocol?
sublime and, can manually uploading the netDb circumvent that
dr|z3d sublime: copy routerinfo files to your netDb dir and you're bootstrapped, if you're having issues doing it via the reseed servers.
dr|z3d ~/.i2p/netDb/ on linux and friends.
mesh zzz: Can anything be done to uh extend the life of a LeaseSet? I hit a service, then try to hit a few minutes later... and it's gone, LeaseSet unavailable.
zzz well, we use DoH to lookup the reseed IPs, and https to fetch the file, so it's not easy for an ISP to identify but it is possible
zzz mesh, you're going to have to decide if you're a serious person in this channel or a troll, you can't be both
sublime i am having issues, but not with the reseed servers. i am in a position where to be safe, i must choose between our network and tor.
sublime no details are required for that, but i can say this
mesh zzz: it's a serious question. I'm just wondering if there's anything I can do, any kind of configuration switch or whatever, that might help this situation
sublime i have to essentially choose between a very loud fingerprint on an average protocol, but is very popular. or a very quiet fingerprint, on a great protocol, but barely has any users.
sublime if i pick incorrectly, game over.
sublime obviously, the quiet finger print with a better protocol is ideal..but if there ends up only being 2 people in my state who uses it, and ISP can still pin point it..
zzz sublime, it's your use case and your threat model, we can't do that analysis for you, and I'm not going to push you one way or the other
sublime correct. and my use case relies on knowing whether the ISP does determine i2p network at that point, and if manually uploading circumvents that issue.
zzz sure, if you're concerned about reseeding, then don't reseed. By definition, that circumvents the issue
sublime im not asking for philosophy on which network is better, just whether boot strapping through router info is good enough to circumvent
sublime okay, awesome. is there anywhere else the ISP can definitely pin point i2p?
dr|z3d it circumvents the issue wrt the isp not seeing the initial seeding request, but the isp will still be able to determine you're running i2p if they're doing DPI or whatever.
sublime not including the various ranges of attacks, just with immediate traffic analysis
sublime right, thank you. thats good enough for me.
dr|z3d if you want to be invisible to your isp, you'd probably want to run i2p over a vpn, or use i2pd and route all tcp traffic over tor, but that has performance penalties.
zzz traffic analysis isn't easy but neither is protocol obfuscation. We're working on improvements to our UDP protocol that will be out soon
mesh sublime: look up hidden mode. though if you think they're actively looking for i2p though it's probably a matter of time
mesh tor is probably a bigger red flag than i2p
zzz we won't ever say it's undetectable. but we have very few if any reports of blocking
sublime although they could dpi every piece of traffic..ever, its more unlikely to cause reason to look deeper by bootstrapping from router info than catching my dns.
zzz one other thing people are trying: ipv6-only mode using route48 ipv6 tunnel broker with wireguard to hide traffic and IP
sublime i do not support vpns personally, but thank you. they are good at specific places and times. this use case would not be one of them
dr|z3d regarding bootstrapping, that issue is easily rectified by using Tor as your socks proxy.
mesh sublime: What I recommend: You can run an i2p router on a remote computer in a safe country like Singapore. Then you configure your computer to essentially proxy everything through the router.
HaruCode then he won't need i2p at all
mesh sublime: this will make I2P truly undetectable but it will be slow
dr|z3d (or some other encrypted proxy)
mesh HaruCode: he will need i2p if he wants to communicate with others over i2p
mesh the point is, you don't actually have to run i2p on your computer
HaruCode that's unexpected
mesh HaruCode: not really
sublime dr|z3d: that is an option, including tor in the mix. but i am not educated enough on how all that traffic looks when its been passed through each protocol, and im wary of adding more hops than needed.
zzz mesh, re: leasesets, no, there is no config. I'm working with obscuratus on some lookup bugs that may be contributing
HaruCode as for using some remote machine, the problem is they are not free, and your credit card is a tag
mesh tor is far easier to detect and block than i2p. If you are really concerned about i2p use being observed, def don't use tor
HaruCode or they're free and sying on you, which defeats the purpose
HaruCode *spying
mesh you can rent a vps in singapore for $5/mo but yes they will want a credit card
HaruCode but if you want to hide from your ISP _only_, the remote site hosting tor or i2p or whatever is a solution
mesh you can also ask a friend to give you access to their i2p router running in singapore
sublime i've played this game, lol. every point you could possibly begin with, has to know something about you by default. Thats why instead of adding more complexity to attempt to obfuscate, i was hoping to be able to do that and look just like a normal..(REDACTED) encrypted protocol user. i guess
HaruCode but I guess it's not the case
HaruCode remote friend is better. or not, depending on whether you can trust them
mesh sublime: In my experience, you have three options (1) Use a vpn (2) Create your own vpn
mesh sublime: (3) stop whatever it is you're doing
sublime one thing i have learned, no one will go to prison for you. i'd like to leave people out of this instead of trust in their "good will".
mesh sublime: certainly don't count on i2p or tor use being undetectable. Both these protocols, at the most fundamental level, will exhibit "abnormal" network usage. Though everything's encrypted, they're far from undetectable imho
sublime whether i am truly hidden, shouldn't really matter. i'm hoping to get by with just enough cover to prevent any reason to look deeper.
HaruCode I didn't see any DPI which go past the VPN layer so far, since it's very cpu-expensive. but it doesn't actually prove anything
sublime naturally.
sublime theres lots of ways to determine you are trying to hide. my concern is if they pinpoint the specific protocol i'm using to hide, and find a very small amount of users in this area,
HaruCode but the thing in general is that any traffic that DPI is unable to parse can be considered "suspicious", so you'll get attention anyway
HaruCode so, it's steganography time, with your data being second or even third layer
sublime other than this one specific case, i wear i2p shirts when going to walmart
HaruCode cool, dude. totally anonymous
mesh sublime: option 2 is your best bet. Create your own vpn. Setup a router in a safe country and proxy traffic through that. The nice thing about that solution is that (1) you're not using a well-known vpn service or well-known vpn protocol and (2) you don't have i2p installed on your computer and (3) it looks like a normal ssl/ssh connection depending on what you do
mesh zzz: alright thanks
sublime HaruCode: haha, i have a public profile of being involved with these tools. But with all the garbage information out there, and happen to stumble upon this usecase, thats why this one specific issue matters so deeply.
mesh sublime: with 2 browsers installed, firefox and chrome, you can continue to generate "normal" http traffic and only use i2p when you need it, which is also important imo
sublime being a privacy advocate is my deal, (which also helps provide reasons for why i am involved with these tools), but i need to actually utilize it, soon
sublime mesh: really?
mesh sublime: yeah. you don't want to tunnel all your http traffic through i2p or tor or a vpn imo
sublime oh, right. i misunderstood.
mesh sublime: I've got friends who take real risks using i2p. Let's just say I've done the same dance, hounding zzz about how easy it is to detect i2p. My research has led to a protocol
sublime i thought you meant i could somehow turn my i2p traffic into looking like normal https traffic just by using 2 browsers, not to just use 2 browsers to help blend in your traffic
mesh sublime: that involves either running i2p from a portable usb drive and configuring the router to run in hidden mode and change its keys when your ip changes and some other stuff or simply connecting to a remote router
mesh sublime: and continuing, when possible, to generate normal traffic
sublime well, i wouldn't say i "hounded him" (:
sublime okay, thank you. you being in a similar-enough situation helps
sublime i am a qubes user so utilizing small devices like usb drives normally seems useless, i'll just destroy the disposable vm and be omw
sublime but i can certainly see how the "tails" route is more beneficial than the "whonix route", if you will, in this case
mesh sublime: no. I mean I don't even recommend people install i2p. Fortunately I2P is just a normal java app. You can run it from a command line with a jdk. You combine it with a portable firefox all sitting on an encrypted usb drive. The only time you use i2p is when you actually need to communicate with people on i2p
mesh sublime: yeah exactly. because let's just say in certain parts of asia just having i2p or tor installed on a device is enough to catch a prison sentence
sublime right. thankfully my adversary is more "free" than that, but still nothing to fuck with.
sublime and this should (hopefully) be a one time deal.
sublime then i'll forget it ever was a problem. imagine a random whistleblower of some kind. or leaving a one time tip that something unwanted will happen.
sublime hell, if my threat model was that deep, i would avoid encryption all together to blend in like a normal soccer mom.
sublime okay, thank you for everyone's input.
mesh sublime: but using an encrypted usb drive, combined with certain configuration values you can set to the router, combined with using i2p only when you need to, and then using i2p not on your home network but on public networks like coffee shops ... can bring you close to a place where your use of i2p is undetectable
mesh I'll probably write stuff about hidden mode and other stuff in a bit
sublime I'm walking away with the general consensus being, manually loading the netDb does circumvent any deanonymization from DNS, but there are still very specific signatures that could deanonymize me anyway.
sublime My best plan is to try to obfuscate as much as reasonably possible, without compromising myself in a different way, and to only try to hide as deep as required to avoid any deep inspection.
sublime its not fool proof but its better than slapping a vpn on my tor relay and feeling like god.
mesh sublime: I'll probably write about hidden mode and other stuff next week
sublime sublime: thank you for the link, i will be reading this thoroughly.
sublime and i look forward to your future post about hidden mode.
sublime seems like it would help some, but it would be more like a bandaid than a solution.
sublime which, to be fair, is kind of exactly what i got going on now.
mesh sublime: if you want to send a one time drop of info you should pay a homeless guy to drop a usb drive in the maildrop with no return address hehe
mesh encrypted usb drive of course
sublime mesh: if they got a blank usb drive in the mail today, they would move to dc3 and evacuate all critical personnel haha
sublime i considered pasting together a flyer out of cut up magazine letters
mesh sublime: I'm working on a system which sorta kinda solves this problem of, let's call it, secure collaboration under adverse conditions
sublime really? working, as in coming up with a solution? like spitballing? or do you have something to play with?
mesh sublime: nothing to play with. the code is basically open source. can be seen at nquoczl5wbgbtsxrc77khmvsntawy5pflyxfafq5o6yqsl6krzvq.b32.i2p . of course it's not really usable yet
mesh sublime: but the point is, you kind of have three problems: (1) running the code on a secure device (2) connecting to your collaborators and (3) proving you are who you say you are
mesh 1 can be basically solved with an encrypted usb drive. 2 can be mostly solved with i2p configured for minimum observability... 3 is actually rather tricky
mesh but you can get pretty far running i2p in coffee shops based on my analysis. you might even go further and run it on a shared computer like at a net cafe... though I personally think it's not a good idea to use devices that you don't physically control
mesh that will certainly protect you from your isp
mesh it won't protect you from government agents following you, detaining you, finding the encrypted usb drive, and beating you senseless until you confess everything
obscuratus I was looking at some issues in libsam3 with respect to handling the new-ish larger key sizes. Is there a recommendation for a maximum key size?
obscuratus libsam3 still has a few spots that assume 516 bytes is the maximum.
zzz that's in b64? I think we say 387+100 in binary, which is plenty until PQ
obscuratus 387... I recall running across that number somewhere recently, while trying to run down key length info.
dr|z3d > router/java/src/net/i2p/router/transport/ntcp/EstablishBase.java: protected static final int MIN_RI_SIZE = 387;
dr|z3d > router/java/src/net/i2p/router/transport/udp/SSU2Util.java: * It has a minimum 387 byte ident and 40 byte sig, neither is compressible.
obscuratus OK, thanks. I probably throw 650 at it ~(516 + 100*1.3333)