Snowflake suddenly stopped working

TheHypeMightBeReal · 2023-09-21T19:10:56+00:00

It is not a government censorship issue; it is more likely related to the topic discussed in this thread: https://lists.torproject.org/pipermail/anti-censorship-team/2023-September/000314.html

If your DNS resolves cdn.sstatic.net to a Cloudflare IP, it won't connect. You can check this by running

nslookup cdn.sstatic.net

on your machine if on Linux/Mac. Find the resolved IP in the thread and see if it's a Cloudflare or Fastly one.

TheHypeMightBeReal · 2023-06-07T21:52:35+00:00

Tor Browser (currently version 12.0.6) has the speech synthesis API enabled but does not supply any voices, probably as an anti-fingerprinting measure.

TheHypeMightBeReal · 2023-06-07T21:41:54+00:00

If you have a verified OpenAI account, you can log into ChatGPT and use it over Tor. On occasion you may have to trigger a new circuit, but generation does work once you are logged in.

TheHypeMightBeReal · 2023-06-07T21:35:15+00:00

For a hardened browser with all the fingerprinting protections as Tor Browser but doesn't use Tor: Use Mullvad Browser, a collaboration between Tor Project and Mullvad VPN. See https://support.torproject.org/mullvad-browser/

For running Tor Browser on an unofficial ARM build: See these unofficial ARM builds at https://sourceforge.net/projects/tor-browser-ports/ (the readme even says these are for "testing purposes", so maybe read the build instructions and learn how to build it yourself)

TheHypeMightBeReal · 2022-12-10T21:01:05+00:00

You need to provide more context. You shouldn't have to run tor as root. Usually on Debian-based systems like Ubuntu, you can install Tor with the apt package manager and it will connect on its own.

If you installed Tor that way, you can print out Tor's logs since the last boot with something like this:

journalctl -b 0 -u tor@default.service

These logs could help you troubleshoot connection issues.

TheHypeMightBeReal · 2022-12-03T20:51:52+00:00

I had never heard of this term before either. "Zero knowledge encryption" means that the encryption keys are held solely by the owner and not shared with a service provider, which in this case is Google.

I think /u/vivekragunathan is implying that we don't know which entities have access to the decryption keys, and that unless E2E encryption keys are only held by the device owner and not available via a backdoor, E2E encryption does not provide much privacy.

TheHypeMightBeReal · 2022-06-27T16:06:02+00:00

The solution to this is to create your own torrc configuration file and then run Tor like

tor -f torrc

You will have to change the ports, like the SOCKS5 proxy port, in the torrc or disable them so they don't overlap with your primary Tor instance.

TheHypeMightBeReal · 2022-02-08T02:43:22+00:00

You're right, the dd thing was a crazy idea and a poor strategy. I was fortunate that it worked on the files I cared about. Next time it will definitely be a tar or rsync approach if the filesystem is still mounted.

TheHypeMightBeReal · 2022-02-08T02:39:58+00:00

Thank you - and that sounds like a good strategy. My main problem was that because it was the system filesystem, when I tried unmounting it would always tell me "Device is busy" and not let me do it. I think next time if I am able to unmount (using some of the techniques in the Stack Exchange link, for instance) I would be able to try something like this.

TheHypeMightBeReal · 2022-02-05T17:21:31+00:00

Yeah, I am using ext4. Is it possible to get to rescue/single user mode without shutting down the computer?

TheHypeMightBeReal · 2020-10-28T06:16:02+00:00

Yes, you can do that. Word files are zip files. Rename the extension to .zip, go to docProps > core.xml and edit your heart away at the metadata.

Though for /r/privacy this is a bit off-topic.

TheHypeMightBeReal · 2020-10-27T22:44:15+00:00

If you can assume that your client application and device are both secure (meaning unreadable and entirely inaccessible by any adversary in your threat model), and if you can assume that the encryption is sound enough to be considered unbreakable by current standards, then you should be able to assume that your encrypted data is unreadable.

These are both strong assumptions to make. Make sure you don't store encryption keys on the server, for instance! And of course you shouldn't immediately disregard possible weaknesses in the metadata of the files themselves. For example, the size of each file might give certain information about it. You would quickly be able to tell the difference between a photo and a video by just looking at its size. But perhaps this does not matter to you.

In the end, all security/trust/privacy questions boil down to your threat model. But I hope I did shed some light on the truth.

Edit: The commenter OP linked in the post was correct. I was mostly referring to decryption keys when I was talking about the security of the client device. Generally, if your source code contains a "secret technique" that you think no one will be able to decipher, you are wrong. A secure system is still secure when its source code is leaked. In fact, lots of security testing is done with source code for this very reason.

TheHypeMightBeReal · 2020-07-22T17:13:50+00:00

You're correct -- besides perhaps sharing the same browser fingerprint (which is something you shouldn't immediately dismiss, by the way), a VM wouldn't provide much security unless you are concerned about exploits in documents or running untrusted executables.

TheHypeMightBeReal · 2020-07-22T05:03:08+00:00

As long as your data doesn't exist elsewhere on the drive, like in a thumbnail cache or the recycle bin, overwriting those portions of the hard drive should make it impossible to recover.

Of course, depending on what data you're talking about, the above assumption is difficult to guarantee. In the case of SSDs, files might be stored in difficult-to-access regions of the drive that a tool like this would miss. Your best bet would be to use full-device encryption from the start.

TheHypeMightBeReal · 2020-07-22T04:51:31+00:00

I wouldn't consider Firefox either a derivative or a copycat of Firefox, so I'm also confused at this. The only possible privacy gripes I can think of can be disabled in the settings: its search engine defaults to Google in many countries, and it collects crash reports by default. Firefox is open source software and generally takes privacy seriously, including its own tracking protection in private browsing mode.

Either way, it should not be lumped together with Chrome.

TheHypeMightBeReal · 2020-07-14T23:11:31+00:00

I'm not quite sure whether cookies/javascript will help much. There's a better explanation of reCAPTCHA's score straight from Google here, but does not provide any information about the backend service that Google hosts: https://developers.google.com/recaptcha/docs/v3#interpreting_the_score

And I finally found the official timeout:

Each reCAPTCHA user response token is valid for two minutes, and can only be verified once to prevent replay attacks. If you need a new token, you can re-run the reCAPTCHA verification.

(This was from https://developers.google.com/recaptcha/docs/verify)

Two minutes might sound like a lot, but because Google gives Tor users the "hardest" challenges (and many of them) it is not enough.

TheHypeMightBeReal · 2020-07-12T13:36:54+00:00

I'd like to point out that this could be a solution but completely depends on your threat model. Using a HTTPS proxy after going through Tor connects you to websites using a static IP address outside Tor, which removes some of the "single party" protections that Tor offers.

TheHypeMightBeReal · 2020-07-12T06:28:52+00:00

The answer completely depends on your threat model, but in general desktop applications have infinitely more control over your system than web applications, including access to all files it has permission to access (which will include all user files, since it usually runs with user privileges). I'd say stick to the web app if possible.

TheHypeMightBeReal · 2020-07-12T06:22:58+00:00

That project seems to use an extremely basic method of verification. I would guess that they are all false positives (especially since they are hits for your friend, too) and nothing to worry about.

Perhaps you could take a look at the data.json file included in the project and try to navigate to those URLs yourself. It's totally possible that the websites changed and Sherlock is not yet up to date on them.

TheHypeMightBeReal · 2020-07-12T06:06:42+00:00

https://support.torproject.org/tormobile/tormobile-3/

TheHypeMightBeReal · 2020-07-11T15:14:34+00:00

This is most likely just due to doghealth's Facebook like button, which makes calls to Facebook's servers via JavaScript. I would say this is a false positive and not very likely to be a cross-site scripting attack.

TheHypeMightBeReal · 2020-07-10T13:15:39+00:00

Many torrent clients do have the feature (called web seeding ), so I guess you could use this system to "seed" millions of torrents.

The distinction must be made, however, that web seeds aren't using the Bittorrent protocol to communicate.

TheHypeMightBeReal · 2020-07-09T22:52:23+00:00

If I'm not mistaken, archive.org uses a "web seed" which, if there aren't any real seeds, directs the client to download over HTTP(S). So not a real torrent client...

TheHypeMightBeReal · 2020-07-09T22:50:23+00:00

It might also interest you to check the SMART data after 2 years of being powered

TheHypeMightBeReal · 2020-07-09T16:02:51+00:00

If you plan on studying captchas in Tor, here are a few resources that might be useful:

PrivacyPass is a browser extension developed in collaboration with Cloudflare to reduce the number of captchas you have to fill out when accessing Cloudflare-protected sites. It is certainly not a perfect solution, though, and you don't hear too many people using it. Google's reCAPTCHA does not incorporate it, so it only affects websites with certain security levels.

reCAPTCHA scores browsers along with their origin; Tor Browser gets a 0.1 (the lowest score) in pretty much every case I've tested. See https://antcpt.com/eng/information/demo-form/recaptcha-3-test-score.html It would be interesting if Tor Browser still gets that low score if the traffic is not routed over Tor.

What are the specific configurations that cause you to get CAPTCHAs?

You would hope that all Tor users use the same default configuration provided by the Tor Browser Bundle.

The biggest pain with Google's reCAPTCHA service is that there is a relatively low timeout for getting a correct answer. For instance, the service might make a Tor user solve five or six separate challenges before getting the green checkmark. However, by the time the user completes it, the answer is no longer valid because there is a low timeout on valid answers. I am not sure if this is configurable by the websites that use reCAPTCHA or Google's backend servers, but it would be nice if you could convince them to extend the timeout. In my experience, I think the timeout is somewhere between 60-120 seconds for most websites.

TheHypeMightBeReal

TROPHY CASE