IRCaBot 2.1.0
GPLv3 © acetone, 2021-2022
#saltr
/2022/04/12
GalaxyNova heyo :D
dr|z3d hello GalaxyNova
GalaxyNova what does voice do?
dr|z3d ensures you're not muted if the channel gets a +m
dr|z3d happens from time to time, because troll(s).
term99 trolls nuts get squished quickly :)
GalaxyNova are all the eepsites in the channel topic run by the I2P+ team?
dr|z3d no, though mostly they do run on i2p+
GalaxyNova oh i see
dr|z3d they're just sites that are recommended.
GalaxyNova yeah they're really high quality
dr|z3d are you an I2P+ user, GalaxyNova?
GalaxyNova i use notbob.i2p and libreddit.i2p a lot
GalaxyNova I used it for a bit when I ran Linux
GalaxyNova i2pd works much better on FreeBSD from my experience
GalaxyNova which is the OS that I currently use
dr|z3d oh, that's curious. what was the issue with I2P+ on freebsd?
GalaxyNova well I wasn't able to get the java i2p working correctly
GalaxyNova i should attempt setting it up again
GalaxyNova maybe I'll have more luck
dr|z3d was that the normal i2p, or i2p+?
GalaxyNova the normal i2p
dr|z3d maybe try from the getgo with the i2p+ installer. I think term99 may have done some bsd work on i2p+
GalaxyNova thanks I'll check it out
dr|z3d that's probably what you want, that's a global installer.
dr|z3d java -jar ./install.jar or 'java -jar ./install.jar -console' for headless install (remember to specify the install dir if you install this way, usually /home/user/i2p/)
GalaxyNova oh wow it works so painlessly!
GalaxyNova i had to do some tricks to even get to the normal i2p to run
dr|z3d oh, fantastic.
dr|z3d happy days \o/
GalaxyNova dr|z3d: yeah so the scripts the I2P+ ./i2prouter installer are kind of broken
dr|z3d GalaxyNova: you mean for systemd?
GalaxyNova they're in /etc instead of /usr/local/etc >:(
GalaxyNova no for FreeBSD
dr|z3d i2prouter install ?
dr|z3d ok, I'll nudge term99 to look at those. there are other methods you can use for autostart, check skank.i2p
mesh GalaxyNova: you know you really don't need to "install" the i2p router at all. At the end of the day it's just a normal java program.
GalaxyNova yeah it's just convenient for autostart
GalaxyNova so i don't have to do it at each boot
mesh (at least that's what I do instead of fighting the I2P installer to run the router)
dr|z3d elif [ "$DIST_OS" = "freebsd" ] ; then
dr|z3d echo 'Detected FreeBSD:'
dr|z3d if [ -f "/etc/rc.d/$APP_NAME" ] ; then
dr|z3d eval echo " `gettext 'The $APP_LONG_NAME daemon is already installed.'`"
dr|z3d exit 1
dr|z3d eval echo " `gettext 'Installing the $APP_LONG_NAME daemon'`.."
dr|z3d sed -i .bak "/${APP_NAME}_enable=\"YES\"/d" /etc/rc.conf
dr|z3d if [ -f "${REALDIR}/${APP_NAME}.install" ] ; then
dr|z3d ln -s "${REALDIR}/${APP_NAME}.install" "/etc/rc.d/$APP_NAME"
dr|z3d echo '#!/bin/sh' > "/etc/rc.d/$APP_NAME"
dr|z3d echo "#" >> "/etc/rc.d/$APP_NAME"
dr|z3d does freebsd use rc.local, GalaxyNova?
mesh GalaxyNova: you can usually set that up manually well enough but yeah. I think the problem with the installer is exactly this, every distribution out there is just a lil bit different...
GalaxyNova dr|z3d: there's /etc/rc.conf.local
GalaxyNova /etc/rc.local*
dr|z3d > Add /bin/su yourusername -c "/home/yourusername/i2p/i2prouter start" to your /etc/rc.local file
dr|z3d that should work, or some variation thereof that's bsd friendly.
GalaxyNova that's probably what I'm going to end up doing
dr|z3d you also probably want to enable unsigned dev updates to keep abreast of i2p+, and keep notify only enabled on /configupdate so you don't inadvertently get updated to vanilla i2p.
dr|z3d you'll then get notified when there's a new dev build available.. entirely up to you if you download & install it.
dr|z3d *want to
dr|z3d and given you're on freebsd, you probably also want to add the line: routerconsole.advanced=true to your ~/.i2p/router.config file. :)
RN I have /user/local/etc/rc.conf
RN ahh
RN similar
GalaxyNova hardenedbsd is great :)
RN I would have tried that, but went with free
mesh a heroic effort certainly
GalaxyNova the lack of developers working on hardenedbsd is holding me back
GalaxyNova from switching
mesh at the end of the day freebsd, like most os', is a big pile of C code
GalaxyNova one of the better piles of C code
GalaxyNova OpenBSD is also great
GalaxyNova I think the BSDs generally have pretty good auditing / security strategies, especially OpenBSD
GalaxyNova I still use OpenBSD on my NAS
mesh openbsd is probably better than most but it's still full of bugs I think eg csoonline.com/article/3250653/is-the-bsd-os-dying-some-security-researchers-think-so.html
GalaxyNova "It is official; Netcraft now confirms: BSD is dying"
GalaxyNova but yeah there's a real lack of developers :(
GalaxyNova which is a shame, they're both great operating systems
mesh I've been told by people who would know that redhat is actually the most secure os. A lot of time and money gets invested in actually securing it
mesh but yeah OpenBSD at least in theory is obsessed with security
mesh but at the end of the day all these OSes, being big piles of C code, are probably just full of holes
GalaxyNova We'll have to wait for hurd to release and then we'll be saved
mesh we might get a rust-based linux kernel
GalaxyNova Rust's safety is pretty nice
GalaxyNova crates.io is a shithole though
GalaxyNova have you ever compiled a rust program before
mesh yeah it's very slow
GalaxyNova even the simplest program pulls in 100s of dependencies
GalaxyNova it's like npm but with the added compile time
mesh yeah I don't know how serious the rust guys are about security
mesh the idea that one language can do everything is probably misguided. we need a language that's just for security probably. But it would require so much work... sel4 is 10+ years old and still can't run a browser
mesh android is also apparently very secure. I've always liked the idea of having lots of little android servers running around
mesh and you can already run java+i2p on it hehe
GalaxyNova is there an easy way to connect a bouncer like znc to an irc server served over i2p?
dr|z3d sure, just have znc connect to the irc client tunnel.
dr|z3d 127.0.0.1:6668 by default.
mesh GalaxyNova: why would you want a bouncer? your connection is already anonymous
GalaxyNova because i want to see messages that are sent when I'm offline :P
dr|z3d bouncers maintain a persistent connection, mesh, and do other useful things. like log.
mesh GalaxyNova: you really want to know the terrible things people say about you when you're not here?
mesh dr|z3d: I know... though I always assumed most of their value was anonymity.
dr|z3d and they also mask when you're not around.. client disconnects, bouncer remains connected. better for anonymity.
dr|z3d useful when you run i2p on a different box than your client, too.
mesh dr|z3d: maybe... it's a stretch
dr|z3d not at all. common sense.
mesh connection times aren't a good signal anyways
mesh you would look for activity, so unless your bouncers are generating random messages I don't think it would help much
dr|z3d run a bouncer, see how it helps, then come back.
dr|z3d evidently you know about bouncers but haven't actually run one.
mesh I doubt it. If anything I think keeping your Destination around for a long time is only a risk.
GalaxyNova Do you guys have any ideas for useful i2p websites I could make
GalaxyNova It's so frustrating that 90% of the i2p network is just personal sites or useless websites
mesh GalaxyNova: but that's the whole point
mesh everybody is free to easily host the most personal and useless stuff
GalaxyNova I'm not saying personal sites are bad.. they are really fun to explore
GalaxyNova but i'd love to have more practical things too
GalaxyNova I've noticed there's a lack of video sharing platforms on i2p
mesh it's interesting to think about what kind of business model would work over i2p but for most business transactions anonymity is a big bug
GalaxyNova wouldn't it be cool to have something like that specifically on i2p
mesh so you may not find any real businesses
GalaxyNova maybe get people to pay through gostcoin?
GalaxyNova I'm not really looking for turning a profit
mesh GalaxyNova: video sharing platforms cost a lot of money. Gotta get people to pay
GalaxyNova rample.i2p is dead AF
GalaxyNova ramble*
mesh I was wondering if there was even i2p proxy-mirrors of wikipedia or archive.org
GalaxyNova there is a mirror of wikipedia
mesh I GalaxyNova address?
RN there is also a youtube
RN tube.i2p I think. if it is still up
GalaxyNova tube.i2p is very nice
GalaxyNova but it's just a mirror of youtube
mesh I mean you can reach wikipedia.org through an outproxy but this requires you to trust the outproxy
mesh or does it? outproxies do the ssl mitm thing
GalaxyNova I've heard people complain on reddit that wikipedia blocks i2p
GalaxyNova or something
mesh actually when I go to wikipedia.org I get a valid ssl cert and an encrypted connection
GalaxyNova oh a thing i just realized about hosting a video sharing platform on i2p...
GalaxyNova it's going to be really difficult to keep illegal things out
mesh GalaxyNova: you're better off writing a program that lets people host their own video sharing content and selling that
mesh for some reason I thought outproxies couldn't mitm ssl but when I go google.com and wikipedia.org I get "secure" connections
mesh that's kinda scary
dr|z3d ramble.i2p will soon be resurrected.
term99 it's not a mitm
dr|z3d it's dead because tor.
mesh GalaxyNova: what you really want is somebody who downloads (crypto-signed) wikipedia every night and then serves it over i2p
mesh term99: how is it not?
dr|z3d how would the outproxy mitm wikipedia?
term99 wouldn't you need the certificate trust in your /etc/ssl for it to register?
mesh I mean, if you go through the outproxy to wikipedia.org you get a secure connection
dr|z3d you'd need to install an ssl cert to allow the outproxy to mitm.
term99 trace the connection using nmap
RN check the cert you get, then compare to the cert you get in an unproxied browser
mesh so the outproxy is definitely mitm'ing the ssl connection
term99 how do you get that idea?
RN they could just be, proxying it?
dr|z3d no, you would need to *install a cert* to allow the outproxy to mitm. and that's not going to happen. there is NO MITM.
mesh RN: the cert is alright, firefox trusts it
RN if you actually inspect it I propose it will be identical to the one you get without a proxy
term99 solid reasoning there, check from local and from remote
mesh dr|z3d: maybe mitm is the wrong term, but the outproxy is proxying an ssl connection
dr|z3d if an outproxy asks you to install an ssl cert, then you'll know something's not right. otherwise, the outproxy cannot intercept, read, or otherwise mess with SSL traffic.
mesh dr|z3d: would it be possible for the outproxy to return a different cert that was signed by a valid CA but wasn't actually google's cert?
dr|z3d not without your manual intervention to allow the outproxy to use a different cert.
RN someone needs to read up on cryptographic protocols...
term99 you would need access to the key file to generate a valid cert in your cert trust
mesh term99: it's just trust though
term99 then remove your trust
mesh term99: what's to stop the outproxy from replacing google's cert with a cert of its own?
mesh (assuming the cert of its own is a trusted cert by firefox)
term99 does the outproxy have the google key to generate that trust file?
mesh term99: that's not what I'm saying. the outproxy can't fake google's cert. But it can supply a (trusted) cert of its own. I wouldn't even realize it unless I clicked on the lock icon in the address bar and saw that it wasn't google's cert
term99 well your system normally keeps your trusts up to date when you do a system update via update system
RN if they do, Google's got big problems
dr|z3d >> if an outproxy asks you to install an ssl cert, then you'll know something's not right. otherwise, the outproxy cannot intercept, read, or otherwise mess with SSL traffic.
dr|z3d If I have to repeat myself one more time, someone's getting hurt :)
RN I'm selling tickets
mesh dr|z3d: I'm not talking about the case where the outproxy asks you to install a CA
term99 mesh you really should do some research on how it works OR setup your own outproxy on your own VPS and use that as your TRUSTED outproxy
mesh dr|z3d: I'm talking about the case where the outproxy has a cert signed by a CA you already trust
RN but that cert won't match the tld
RN er...
RN s/tld/url/
dr|z3d I'll be sure to let you know when I'm in possession of a valid *.google.com cert, mesh.
term99 w00t, hook me up bro!
mesh RN: I guess that's what you'd hope. That firefox would look at the outproxy's cert and say the domains don't match
term99 you're in control of your browser
mesh maybe all you have to do is run a malicious outproxy and wait for somebody to mistype an address, or send somebody a bad link
term99 it's up to you to trust it, it's just like a tor outproxy
term99 when you torsocks wget <file> do you trust that the file is good? well you checksum it, do you trust the assigned checksums, entirely up to you
mesh term99: I know that
mesh what I realize now is that the domain checking of ssl certs isn't driven by dns
mesh because https proxies are a thing
mesh the browser must compare it against whatever you type in the address bar
term99 don't forget about CSP, it helps secure the site too as long as you're being fed good headers but as you said https proxies exist so you get good headers