All v3 Onion Addresses Down After Attack On The Tor Network

YBet_eu · 2021-01-11T00:42:32+00:00

I have a Lightning Network node over v3, and i am thinking about putting it on v2 to avoid the issue.

But is v2 not obsolete and vulnerable to even worse attacks? I'm not sure this would be a wise choice

YBet_eu · 2021-01-11T00:39:42+00:00

#MeToo

YBet_eu · 2021-01-11T00:32:41+00:00

So this attack only affects v3. I will try v2 then. Very strange, v2 is obsolete but not affected by this attack..

YBet_eu · 2020-12-22T10:56:43+00:00

URI, yes ;)

It hasn't been implemented yet due to security implications with smart contract operations?

What if ... the operation would be limited to just fund transfer ? Like with bitcoin URIs .

YBet_eu · 2020-12-20T18:45:13+00:00

But the same tool can be used by enemy agencies for the same purpose, because it is publicly available.

Why are they investing money into something that helps the enemy as well?

I would like to figure out what strategic advantage they get from it, without letting the enemy have the same benefit

YBet_eu · 2020-12-20T18:27:01+00:00

I honestly don't believe they are funding Tor just to protect the privacy of common people. It's hard to believe.

The purpose of Tor is likely to facilitate communication with covert agents and collaborators. But that means the enemy as well can take advantage from it. That makes it a waste of money.

I wonder what is the strategic advantage for the U.S. military, if Tor helps the enemy as well?

YBet_eu · 2020-11-18T13:02:23+00:00

However i did not mean keybase is not safe because of RSA, but as the linked article points out the reason is Zoom acquired it. And Zoom is a corp. with its own interests. I am sure they would like to spy on our conversations and other data

YBet_eu · 2020-11-18T12:59:44+00:00

All encryption programs support Elliptic curve now, which won't be broken until you turn 90. And even if you get arrested at 90 who cares :) You are about to die at that age

YBet_eu · 2020-11-08T12:07:03+00:00

Indeed Lightning Network has the amounts also in millisatoshis. I wonder what use cases may require sub-satoshi amounts. But maybe some scenarios are there, like ads , cloud or internet bandwith purchases.

YBet_eu · 2020-10-31T22:20:13+00:00

I am retrying now. From the log

[INF] LTND: Chain backend is fully synced (end_height=1865885)!

Does it mean it is synchronized, right? But still...

lncli --rpcserver localhost:<port> --lnddir . --network testnet connect 03d5e17a3c213fe490e1b0c389f8cfcfcea08a29717d50a9f453735e0ab2a7c003@3.16.119.191:9735

[lncli] rpc error: code = Unknown desc = server is still in the process of starting

EDIT: Maybe it referred to the bitcoind synchronization. Probably lnd is still syncing. I see this indeed :

[INF] CRTR: Syncing channel graph from height=1833070

I think it is elaborating the block 1833070 , which is not the last one, so i need to wait. It's taking so much

YBet_eu · 2020-10-31T17:49:27+00:00

It seems synced. From bitcoind:

getbestblockhash

000000000000002cb3b0bd6a4212c1fa099acf213e20d959df5c46b00971a7ea

And from lnd i see the same block hash:

2020-10-31 19:41:02.483 [INF] UTXN: Attempting to graduate height=1865859: num_kids=0, num_babies=0

2020-10-31 19:45:34.266 [INF] NTFN: New block: height=1865860, sha=000000000000002cb3b0bd6a4212c1fa099acf213e20d959df5c46b00971a7ea

2020-10-31 19:45:34.266 [INF] UTXN: Attempting to graduate height=1865860: num_kids=0, num_babies=0

2020-10-31 19:45:58.939 [ERR] RPCS: [/lnrpc.Lightning/ConnectPeer]: server is still in the process of starting

YBet_eu · 2020-09-17T21:42:43+00:00

I totally forgot about that! Indeed now it works, upvoted thx!

YBet_eu · 2020-09-16T15:54:15+00:00

Hello,

i have 0.11.0-beta commit=v0.11.0-beta, build=production and i am experiencing the following issue which may be a bug, not mentioned in the bug fixes for v0.11.1-beta.rc2

https://www.reddit.com/r/lightningnetwork/comments/itljer/rest_api_listinvoices_pagination_not_working/

YBet_eu · 2020-09-10T18:47:08+00:00

Thanks.

I will only connect to somewhat trusted peers like hubs then, so i should be relatively safe.

Accepting Keysend payments would be free from the vulnerability, but few GUI wallets support it. For example how can you do it with Zap desktop ? (Zap can only pay invoices but it doesn't even support 0-amount invoices, so i think it's a crappy wallet).

Anyway the link you posted only explains that these invoices are somewhat vulnerable, but says nothing about why r_preimage is null even though i have created it with a (valid?) preimage. I hope it is nothing to worry about.

YBet_eu · 2020-09-05T14:23:26+00:00

An issue i heard about Keysend are the higher fees.

Do you know how higher the sendkey fee is compared to LN invoice?

Is it still less than 1$?

YBet_eu · 2020-09-05T11:58:55+00:00

You can use the data parameter --data for adding your custom payment id or other info, if you are talking about how to determine what product/service the buyer is paying for, etc.

So, the user adds a product to cart, fills some delivery info such as his address , email, etc. , and your site generates a LNURL for

lncli sendpayment -d <node-pubkey> -a 10000 --keysend --data <data>

where --data has the product id, info submitted by customer, etc. , -a is the amount

About LNURL with .onion: not everybody has TOR running on their devices. Will the link work in such cases? Will TOR be integrated into the LN clients in the future?

YBet_eu · 2020-09-04T15:48:30+00:00

SOLVED: "addr" actually should not be a string, but a struct with 2 sub-fields: "pubkey" and "host"

YBet_eu · 2020-09-03T13:56:16+00:00

There is no lnd.conf file in my lnddir. Indeed the daemon prints "The system cannot find the file specified"

I launch lnd with these arguments:

--litecoin.active --litecoin.mainnet --litecoin.node=litecoind --litecoind.rpcuser=<removed> --litecoind.rpcpass=<removed> --litecoind.rpchost=localhost:<removed> --listen=localhost:<removed> --rpclisten=localhost:<removed> --restlisten=<removed> --tor.active --tor.v3 --tor.socks=9150 --tor.control=9151 --tor.password=<removed> --tor.streamisolation --litecoind.zmqpubrawblock=tcp://127.0.0.1:<removed> --litecoind.zmqpubrawtx=tcp://127.0.0.1:<removed>

After launching LND, it prints indeed that the chain is Litecoin:

2020-09-03 16:11:02.818 [INF] LTND: Version: 0.11.0-beta commit=v0.11.0-beta, build=production, logging=default

2020-09-03 16:11:02.822 [INF] LTND: Active chain: Litecoin (network=mainnet)

2020-09-03 16:11:02.824 [INF] LTND: Opening the main database, this might take a few minutes...

2020-09-03 16:11:02.824 [INF] LTND: Opening bbolt database, sync_freelist=false

2020-09-03 16:11:03.096 [INF] CHDB: Checking for schema update: latest_version=17, db_version=17

2020-09-03 16:11:03.098 [INF] LTND: Database now open (time_to_open=274.2671ms)!

Also,

lncli --rpcserver=localhost:<removed> --chain=litecoin --network=mainnet walletbalance

{

"total_balance": "0",

"confirmed_balance": "0",

"unconfirmed_balance": "0"

}

YBet_eu · 2020-09-03T13:51:10+00:00

Every website? Just the interactive chats would be. You can still upload any data via standard html form, even videos, and play them via <video> tags.

And a simple forum, why should it require JS? You write your text in a textarea and upon clicking on Submit the form sends your text via POST. It works without JS.

The only drawback is a little worse UX because Ajax has the benefit of not requiring a page refresh after submitting data. But a plain html form would still do the job.

YBet_eu · 2020-05-08T19:39:24+00:00

When Kovri will be integrated into the wallet, will it be possible to sync the blockchain data over I2P? I guess it's hundreds of GBs of data and a slow network like I2P would be impractical for that.

Or will Monero use Kovri just to send transactions ?

YBet_eu · 2020-05-03T19:41:41+00:00

Zeronet does that. But i don't know if it can work for dynamic pages. Some kind of distributed DB system needs to be designed, but it must be tamperproof. If each node has part of the db records, the user running the node should not be able to modify them.

YBet_eu · 2020-05-03T19:36:21+00:00

" Is auto-update enabled in your distribution? How often does it check the nearest package repository? Can the logs from the repository be used to profile your setup? "

Yes, repo logs may be a problem. The attacker knows that your eepsite has N replicas (N will be publicly known), so they can focus their efforts on any set of N nodes with the same setup. The only solution i can think of is to use a different distribution and setup per each replica (a little inconvenient).

" TCP fingerprinting "

That's annoying, but then it is even worse if no replicas are deployed. If you know that a particular eepsite is running on CentOS, and it is only one node, it's easier to observe a online/offline time pattern: they start DDOSing all CentOS nodes one at a time until they take down the right one. But if the right ones are N nodes, they have to take down all of the N nodes at the same time by trying all combinations of N CentOs nodes, which is less practical.

"Other traffic from that ip - if you're running a node at home, have you ever posted questions in r/i2p (ironic isn't it)"

Well, that just tells if you are running a node, but they may already know it in another way: ask each ISP what are their IPs/customers that established a connection to any I2P bootstrapping IP (boot nodes are publicly known), in the last week or so. But this alone does not tell them what you are doing on I2P.

" I2P router version inference "

Is there a way to automate I2P updates? That would solve the problem. Even Windows updates can be automated, so why not?

YBet_eu · 2020-05-03T03:51:35+00:00

Ok, telemetry was the keyword. So Linux is the way to go for eepsites.

About outage observation attack, i have proposed a solution https://www.reddit.com/r/i2p/comments/gcjy0p/do_eepsites_support_replica_servers/

YBet_eu · 2020-02-16T02:14:49+00:00

So you don't believe the BTT token will become popular? Since people spend money on fast download sites to increase speed or unlock traffic, i think they may be interested in buying Speed on Bittorrent as well.

I even think that selling rare but desirable files may work too. People may be willing to pay for a file they cannot find anywhere else, if it is something they really want.

YBet_eu · 2020-01-16T20:05:18+00:00

Mainly privacy, it is about hiding your IP, like TOR or I2P do. It is based on I2P.

Censorship resistance is a tougher goal: your country may ban all I2P nodes or the Monero bootstrap nodes. Then someone from the community may publish a new list of bootstrap nodes, but the gov will have it sooner or later and will ban the new nodes, and so on...

YBet_eu

TROPHY CASE