[freenet-chat] Re: [freenet-support] Freenet 0.7

2006-09-01 Thread Matthew Toseland
On Thu, Aug 31, 2006 at 01:12:53PM -0500, GeckoX wrote:
> 
> I was in China last year. I was able to create a VPN connection in the US 
> with no problem. Most of the web didn't work, even SSL. SSH was completely 
> blocked as well, which is why I was surprised that I could connect via VPN 
> with no problems. This was in Beijing.

I'm surprised SSL doesn't work - don't they _want_ to do business with
the West?
> 
> :brian
> 
> ++ 31/08/06 15:31 +0100 - Matthew Toseland:
> >On Thu, Aug 31, 2006 at 06:01:45PM +0400, Roman V. Isaev wrote:
> >> On 08/31, Matthew Toseland wrote:
> >> > > > Have you thought about that ignoring reset packets thing that was
> >> > > > shown to make it possible to bypass The Great Firewall? I mean, I
> >> > > > don't know too much about it, or if it'd be possible for
> >> > > > freenet... but it might be worth looking into.
> >> > > That would involve platform-specific code, there's no way to do that 
> >> > > in 
> >> > > java.
> >> > It's unnecessary anyway because it only applies to TCP. It does however
> >> > tell us something very interesting and useful: The firewall is stateless 
> >> > !!
> >> > They pick up forbidden keywords on a packet and then send a reset
> >> > packet, they don't even delete later packets on the same connection
> >> > because *they don't track connections at all* !
> >> 
> >> But they will do that, sooner or later. It's just a matter of time. Another
> >> chunk of money for Cisco I guess...
> >
> >The interesting thing is you can connect to IRC and discuss forbidden
> >keywords... Also that study is curious because I heard they block the
> >whole page, rather than just interrupt it in the middle...
> >-- 
> >Matthew J Toseland - toad at amphibian.dyndns.org
> >Freenet Project Official Codemonkey - http://freenetproject.org/
> >ICTHUS - Nothing is impossible. Our Boss says so.
> 
> 
> 
> >___
> >Support mailing list
> >Support at freenetproject.org
> >http://news.gmane.org/gmane.network.freenet.support
> >Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support
> >Or mailto:support-request at freenetproject.org?subject=unsubscribe
> 
> - -- 
> - 
> Freedom is slavery.
> Ignorance is strength.
> War is peace.
> -- George Orwell
> 

-- 
Matthew J Toseland - toad at amphibian.dyndns.org
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.

Re: [freenet-chat] Re: [freenet-support] Freenet 0.7

2006-09-01 Thread urza9814

Meh... depends where you're at. It's not one giant firewall... it's a
regional thing. Beijing must just have high security. Seems odd that
they'd block out SSH... but I suppose SSH is a good way to hide what
you're doing.

On 9/1/06, Matthew Toseland [EMAIL PROTECTED] wrote:

On Thu, Aug 31, 2006 at 01:12:53PM -0500, GeckoX wrote:
 I was in China last year. I was able to create a VPN connection in the US 
with no problem. Most of the web didn't work, even SSL. SSH was completely blocked 
as well, which is why I was surprised that I could connect via VPN with no 
problems. This was in Beijing.

I'm surprised SSL doesn't work - don't they _want_ to do business with
the West?


[freenet-chat] Re: [freenet-support] Freenet 0.7

2006-08-31 Thread inverse
Matthew Toseland wrote:

> It's unnecessary anyway because it only applies to TCP. It does however
> tell us something very interesting and useful: The firewall is stateless !!
heh, it would be damn expensive to do that in a stateful way.

let's see:

>1. Timing.
>2. Packet size.
>3. It's not a known protocol, therefore it must be bad.
>4. Flow analysis.

either way it might be too expensive or require a stateful filter





[freenet-chat] Re: [freenet-support] Freenet 0.7

2006-08-31 Thread Roman V. Isaev
On 08/31, Matthew Toseland wrote:
> > > Have you thought about that ignoring reset packets thing that was
> > > shown to make it possible to bypass The Great Firewall? I mean, I
> > > don't know too much about it, or if it'd be possible for
> > > freenet... but it might be worth looking into.
> > That would involve platform-specific code, there's no way to do that in 
> > java.
> It's unnecessary anyway because it only applies to TCP. It does however
> tell us something very interesting and useful: The firewall is stateless !!
> They pick up forbidden keywords on a packet and then send a reset
> packet, they don't even delete later packets on the same connection
> because *they don't track connections at all* !

But they will do that, sooner or later. It's just a matter of time. Another
chunk of money for Cisco I guess...




[freenet-chat] Re: [freenet-support] Freenet 0.7

2006-08-31 Thread Matthew Toseland
On Thu, Aug 31, 2006 at 06:01:45PM +0400, Roman V. Isaev wrote:
> On 08/31, Matthew Toseland wrote:
> > > > Have you thought about that ignoring reset packets thing that was
> > > > shown to make it possible to bypass The Great Firewall? I mean, I
> > > > don't know too much about it, or if it'd be possible for
> > > > freenet... but it might be worth looking into.
> > > That would involve platform-specific code, there's no way to do that in 
> > > java.
> > It's unnecessary anyway because it only applies to TCP. It does however
> > tell us something very interesting and useful: The firewall is stateless !!
> > They pick up forbidden keywords on a packet and then send a reset
> > packet, they don't even delete later packets on the same connection
> > because *they don't track connections at all* !
> 
> But they will do that, sooner or later. It's just a matter of time. Another
> chunk of money for Cisco I guess...

The interesting thing is you can connect to IRC and discuss forbidden
keywords... Also that study is curious because I heard they block the
whole page, rather than just interrupt it in the middle...
-- 
Matthew J Toseland - toad at amphibian.dyndns.org
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.


[freenet-chat] Re: [freenet-support] Freenet 0.7

2006-08-31 Thread Matthew Toseland
On Wed, Aug 30, 2006 at 11:52:23PM +0200, David 'Bombe' Roden wrote:
> On Wednesday 30 August 2006 23:47, urza9814 at gmail.com wrote:
> 
> > Have you thought about that ignoring reset packets thing that was
> > shown to make it possible to bypass The Great Firewall? I mean, I
> > don't know too much about it, or if it'd be possible for
> > freenet... but it might be worth looking into.
> 
> That would involve platform-specific code, there's no way to do that in 
> java.

It's unnecessary anyway because it only applies to TCP. It does however
tell us something very interesting and useful: The firewall is stateless !!
They pick up forbidden keywords on a packet and then send a reset
packet, they don't even delete later packets on the same connection
because *they don't track connections at all* !
> 
>   David
-- 
Matthew J Toseland - toad at amphibian.dyndns.org
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.


[freenet-chat] Re: [freenet-support] Freenet 0.7

2006-08-31 Thread Matthew Toseland
Hundreds of projects? Such as? None of them comes anywhere near to our
technology; most of them are either easily harvestable and blockable
proxy networks, or WASTE clones.

On Wed, Aug 30, 2006 at 05:47:43PM -0400, urza9814 at gmail.com wrote:
> Have you thought about that ignoring reset packets thing that was
> shown to make it possible to bypass The Great Firewall? I mean, I
> don't know too much about it, or if it'd be possible for
> freenet... but it might be worth looking into.
> 
> Also just wanna add that I fully support the desire to help get around
> the Chinese firewalls and stuff... but you're one of hundreds of
> projects working on that same goal... and personally, I'm not using
> 0.7 until there's a working opennet. As much as it may seem like I'm
> totally against darknets... it's not so much what you're working on,
> it's how. I still feel quite strongly that the main page should send
> new users to a download page for 0.5, not 0.7. As for the issue of
> getting a working opennet... I'll join the other people in backing
> off... I suppose I can wait another year or so for a new version... I
> just hope 0.5 will last that long without any fresh users.
> 
> On 8/30/06, David 'Bombe' Roden  wrote:
> >On Wednesday 30 August 2006 22:35, inverse wrote:
> >
> >> beyond harvesting the connected IP addresses to raid their owner's
> >> homes, one big concern with encrypted protocols is that they can be
> >> filtered out by application-level scanning firewalls. I think this is
> >> exactly what's happening in China.
> >
> >Yes, the session bytes that are used to initiate connections are
> >typical.
> >
> >
> >> Public-key encrypted communications show constant patterns the moment
> >> a public key is exchanged between hosts.
> >
> >Communication between 0.7 nodes doesn't have to exchange public keys,
> >those are already known as they are contained in the node reference.
> >
> >
> >David
> >
> >

-- 
Matthew J Toseland - toad at amphibian.dyndns.org
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.


[freenet-chat] Re: [freenet-support] Freenet 0.7

2006-08-31 Thread Matthew Toseland
0.7 has no predictable or repeated bytes whatsoever. It can probably be
identified by several more expensive, less reliable techniques at present:
1. Timing.
2. Packet size.
3. It's not a known protocol, therefore it must be bad.
4. Flow analysis.

On Wed, Aug 30, 2006 at 10:35:32PM +0200, inverse wrote:
> Matthew Toseland wrote:
> >Well on the most trivial level, 0.5 doesn't work in china.
> >  
> yo,
> 
> beyond harvesting the connected IP addresses to raid their owner's 
> homes, one big concern with encrypted protocols is that they can be 
> filtered out by application-level scanning firewalls. I think this is 
> exactly what's happening in China.
> 
> 
> Application-level scanning can be implemented via ASIC technology 
> directly in hardware thus being extremely fast, and we know this works 
> very well.
> Public-key encrypted communications show constant patterns the moment a 
> public key is exchanged between hosts.
> 
> Such systems can work until there's enough processing power available to 
> make them run without compromising the overall network performance, so to 
> defeat them (they are intended to simply drop forbidden connections) you 
> have to design a protocol
> which shows no recognisable patterns at any level.
> Nested symmetric encryption of each packet with multiple randomly 
> selected pre-shared keys?
> To decode each packet a firewall will have to:
> 1) try at least half the known pre-shared keys on each packet
> 2) do the above for each level of encryption used.
> 
> given the number of keys n and the number of levels l the total number 
> of decryption passes k before you extract usable data (which may be 
> further asymmetrically encrypted)  is  k = (n/2)^l. This is true for 
> each packet and you cannot avoid doing this if you want to confirm the 
> contents.
> While this might not be so demanding for a single CPU and few 
> connections, a core firewall won't be happy to discover that a simple 
> scan no longer suffices and you have to actually process a VERY large 
> number of packets coming from a number of sources with random ports 
> through a custom designed and frequently updated cryptographic ASIC 
> multiple times.
> 
> The idea is not to design a virtually unstoppable protocol: there
> might come a day when only pure HTTP to port 80 is allowed, the idea
> instead is to make it a bit more unstoppable in places like China,
> probably France and EU and next in the US.
> 
> Also, this won't be a solution in places that trace social network 
> connections (like the current US), this  however will make  the process 
> somewhat harder.
> 
> Just a suggestion..
> 
> 
> 
> 

-- 
Matthew J Toseland - toad at amphibian.dyndns.org
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.


[freenet-chat] Re: [freenet-support] Freenet 0.7

2006-08-31 Thread GeckoX
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I was in China last year. I was able to create a VPN connection in the US with 
no problem. Most of the web didn't work, even SSL. SSH was completely blocked 
as well, which is why I was surprised that I could connect via VPN with no 
problems. This was in Beijing.

:brian

++ 31/08/06 15:31 +0100 - Matthew Toseland:
>On Thu, Aug 31, 2006 at 06:01:45PM +0400, Roman V. Isaev wrote:
>> On 08/31, Matthew Toseland wrote:
>> > > > Have you thought about that ignoring reset packets thing that was
>> > > > shown to make it possible to bypass The Great Firewall? I mean, I
>> > > > don't know too much about it, or if it'd be possible for
>> > > > freenet... but it might be worth looking into.
>> > > That would involve platform-specific code, there's no way to do that in 
>> > > java.
>> > It's unnecessary anyway because it only applies to TCP. It does however
>> > tell us something very interesting and useful: The firewall is stateless !!
>> > They pick up forbidden keywords on a packet and then send a reset
>> > packet, they don't even delete later packets on the same connection
>> > because *they don't track connections at all* !
>> 
>> But they will do that, sooner or later. It's just a matter of time. Another
>> chunk of money for Cisco I guess...
>
>The interesting thing is you can connect to IRC and discuss forbidden
>keywords... Also that study is curious because I heard they block the
>whole page, rather than just interrupt it in the middle...
>-- 
>Matthew J Toseland - toad at amphibian.dyndns.org
>Freenet Project Official Codemonkey - http://freenetproject.org/
>ICTHUS - Nothing is impossible. Our Boss says so.




- -- 
- 
Freedom is slavery.
Ignorance is strength.
War is peace.
-- George Orwell

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.7 (GNU/Linux)

iD8DBQFE9yabSMrcfZpjDKERAhAaAKCsTD/S/I1eM/3VEd740nYZPhj6KgCgo/Mo
JZ+MtJuu0elkY8pTZLtdMSM=
=G9+A
-----END PGP SIGNATURE-----



[freenet-chat] Re: [freenet-support] Freenet 0.7

2006-08-31 Thread inverse
urza9814 at gmail.com wrote:
> Have you thought about that ignoring reset packets thing that was
> shown to make it possible to bypass The Great Firewall? I mean, I
> don't know too much about it, or if it'd be possible for
> freenet... but it might be worth looking into. 

It's possible to do it, but only under Linux at the moment.

You just set an iptables PREROUTING rule that drops incoming TCP RST 
packets.
This is a kernel-side level 4 setting that's perfectly transparent to the 
application level, the only side effect being that any incoming 
connection will end with a timeout in place of a graceful reset.
Under Windows I suppose you simply lack the instruments and support to 
do something clever like that.
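An added example, not code from the Freenet project or from anyone in this thread, modelling the two points made above: Toseland's observation that the filter matches keywords per packet and keeps no connection state, and inverse's countermeasure of having the kernel drop incoming TCP RSTs. A filter of this kind injects the reset towards both endpoints, so both ends have to ignore it, and the model lets you set that per side. The firewall model, the host names, the blocklist words and the segments are all constructed for the example; the iptables rule quoted in the docstring is the generic Linux form and is an assumption about what inverse actually ran.

```python
"""
Added example, not code from the Freenet project or from anyone in this
thread: a toy model of the stateless keyword filter Toseland describes
(per-packet matching, no connection tracking) and of inverse's
countermeasure of having the kernel drop incoming TCP RSTs.  On Linux the
rule inverse has in mind is of the form
    iptables -A INPUT -p tcp --tcp-flags RST RST -j DROP
(the exact rule is an assumption here).  The keyword list, host names and
segments below are constructed for the example.
"""
from dataclasses import dataclass, field

FORBIDDEN = (b"keyword-a", b"keyword-b")   # constructed blocklist, not a real one


@dataclass
class Segment:
    src: str
    dst: str
    payload: bytes = b""
    rst: bool = False


@dataclass
class Endpoint:
    name: str
    ignore_rst: bool                      # True models the iptables DROP rule
    open: bool = True
    received: bytearray = field(default_factory=bytearray)

    def deliver(self, seg: Segment) -> None:
        if seg.rst:
            if not self.ignore_rst:       # a normal stack tears the connection down
                self.open = False
            return
        if self.open:
            self.received += seg.payload


def stateless_filter(seg: Segment) -> list:
    """Inspect one segment in isolation and return what leaves the firewall.
    A match adds a spoofed RST towards each endpoint; the matching segment
    itself is still forwarded, and nothing is remembered for later segments
    (Toseland's observation; forwarding the matched segment is assumed)."""
    out = [seg]
    if any(word in seg.payload.lower() for word in FORBIDDEN):
        out.append(Segment(src=seg.dst, dst=seg.src, rst=True))
        out.append(Segment(src=seg.src, dst=seg.dst, rst=True))
    return out


def run(client: Endpoint, server: Endpoint, segments: list) -> dict:
    hosts = {client.name: client, server.name: server}
    for seg in segments:
        for forwarded in stateless_filter(seg):
            hosts[forwarded.dst].deliver(forwarded)
    return {"client_open": client.open, "server_open": server.open,
            "server_got": bytes(server.received)}


def scenario(client_ignores: bool, server_ignores: bool, split: bool) -> dict:
    """One request carrying a forbidden word, then one more data segment.
    split=True sends the word across two TCP segments, which a per-packet
    matcher that never reassembles cannot see."""
    if split:
        request = [b"GET /?q=keyw", b"ord-a HTTP/1.0\r\n\r\n"]
    else:
        request = [b"GET /?q=keyword-a HTTP/1.0\r\n\r\n"]
    segments = [Segment("client", "server", p) for p in request]
    segments.append(Segment("client", "server", b"<later segment>"))
    return run(Endpoint("client", client_ignores),
               Endpoint("server", server_ignores), segments)


if __name__ == "__main__":
    for args in [(False, False, False), (True, True, False),
                 (True, False, False), (False, False, True)]:
        print(args, scenario(*args))
```

Running it prints the four scenarios: with normal stacks the connection dies on the first match; with both ends dropping RSTs the later segment still arrives, because the filter never drops data itself; with only the client dropping them the server still tears down, which is why the trick needs both ends; and a keyword split across two segments is never seen at all, the flip side of a filter that keeps no state.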





[freenet-chat] Re: [freenet-support] Freenet 0.7

2006-08-31 Thread inverse
David 'Bombe' Roden wrote:

> Communication between 0.7 nodes doesn't have to exchange public keys, 
> those are already known as they are contained in the node reference.
nice!

I definitely need to install 0.7 and capture some packets for testing




[freenet-chat] Re: [freenet-support] Freenet 0.7

2006-08-31 Thread David 'Bombe' Roden
On Wednesday 30 August 2006 23:47, urza9814 at gmail.com wrote:

> Have you thought about that ignoring reset packets thing that was
> shown to make it possible to bypass The Great Firewall? I mean, I
> don't know too much about it, or if it'd be possible for
> freenet... but it might be worth looking into.

That would involve platform-specific code, there's no way to do that in 
java.


David


[freenet-chat] Re: [freenet-support] Freenet 0.7

2006-08-31 Thread David 'Bombe' Roden
On Wednesday 30 August 2006 22:35, inverse wrote:

> beyond harvesting the connected IP addresses to raid their owner's
> homes, one big concern with encrypted protocols is that they can be
> filtered out by application-level scanning firewalls. I think this is
> exactly what's happening in China.

Yes, the session bytes that are used to initiate connections are 
typical.


> Public-key encrypted communications show constant patterns the moment
> a public key is exchanged between hosts.

Communication between 0.7 nodes doesn't have to exchange public keys, 
those are already known as they are contained in the node reference.


David
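An added example, not code from the Freenet project or from anyone in the thread, that turns the fingerprints Toseland lists above (timing, packet size, "not a known protocol", flow analysis) and Roden's point about fixed session-setup bytes into features computed over a captured flow. Two flows are constructed inline: an HTTP-like one whose packets share a constant prefix, and one of random-looking, fixed-size packets sent on a steady clock, which is what a protocol with no predictable or repeated bytes looks like to an inspector. The thresholds and the verdict in fingerprint() are illustrative assumptions, not anything the thread or any real firewall is known to use.

```python
"""
Added example, not code from the Freenet project or from anyone in this
thread: the fingerprints Toseland lists as the remaining ways to spot 0.7
(timing, packet size, "not a known protocol", flow analysis) and Roden's
point that fixed session-setup bytes are what a DPI box keys on, turned
into features computed over a captured flow.  Both flows are constructed
in-line: an HTTP-like flow whose packets share a constant prefix, and a
flow of random-looking, fixed-size packets sent on a steady clock, which is
how a protocol with no predictable or repeated bytes looks to an inspector.
The thresholds in fingerprint() are illustrative assumptions.
"""
import math
import random
import statistics
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext, ~4-5 for ASCII text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def common_prefix_len(payloads) -> int:
    """Bytes shared at the start of *every* packet: the 'session bytes'
    a signature matcher would be written against; 0 means none."""
    n = 0
    for i, b in enumerate(payloads[0]):
        if all(len(p) > i and p[i] == b for p in payloads):
            n = i + 1
        else:
            break
    return n


def coeff_var(values) -> float:
    """Coefficient of variation; 0 means every value is identical."""
    mean = statistics.mean(values)
    return statistics.pstdev(values) / mean if mean else 0.0


def fingerprint(flow) -> dict:
    """flow is a list of (timestamp, payload) pairs for one direction."""
    payloads = [p for _, p in flow]
    gaps = [b - a for (a, _), (b, _) in zip(flow, flow[1:])]
    feats = {
        "entropy": shannon_entropy(b"".join(payloads)),
        "prefix": common_prefix_len(payloads),             # signature bytes
        "size_cv": coeff_var([len(p) for p in payloads]),  # 2. packet size
        "gap_cv": coeff_var(gaps),                         # 1. timing
    }
    # 3. "not a known protocol": no signature, ciphertext-like bytes, and
    # either padded sizes or a timer-driven sender.  Illustrative thresholds.
    feats["suspect"] = (feats["prefix"] == 0 and feats["entropy"] > 7.5
                        and (feats["size_cv"] < 0.1 or feats["gap_cv"] < 0.1))
    return feats


def http_like_flow(n: int = 20) -> list:
    """Constructed plaintext flow: constant request prefix, variable sizes."""
    rng = random.Random(1)
    flow, t = [], 0.0
    for i in range(n):
        body = b"GET /page%d HTTP/1.0\r\nHost: example\r\n\r\n" % i
        body += bytes(rng.choice(b"abcdefghijklmnopqrstuvwxyz ")
                      for _ in range(rng.randint(50, 400)))
        t += rng.uniform(0.01, 0.5)
        flow.append((t, body))
    return flow


def random_fixed_flow(n: int = 20, size: int = 1024, interval: float = 0.25) -> list:
    """Constructed flow of uniformly random bytes, fixed size, fixed interval."""
    rng = random.Random(2)
    return [(i * interval, bytes(rng.getrandbits(8) for _ in range(size)))
            for i in range(n)]


if __name__ == "__main__":
    for name, flow in (("http-like", http_like_flow()),
                       ("random-fixed", random_fixed_flow())):
        print(name, fingerprint(flow))
```

The HTTP-like flow is caught by the cheapest check, a nine-byte constant prefix, which is what a signature-based box needs and what 0.7's lack of repeated bytes denies it. The random flow has no prefix to match, so the verdict has to come from the weaker evidence Toseland lists: near-8-bit entropy, zero variance in size and zero variance in timing. Those are exactly the features a protocol can blur with padding and jitter, which is why he calls them more expensive and less reliable.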


Re: [freenet-chat] Re: [freenet-support] Freenet 0.7

2006-08-31 Thread Matthew Toseland
0.7 has no predictable or repeated bytes whatsoever. It can probably be
identified by several more expensive, less reliable techiques at present:
1. Timing.
2. Packet size.
3. It's not a known protocol, therefore it must be bad.
4. Flow analysis.

On Wed, Aug 30, 2006 at 10:35:32PM +0200, inverse wrote:
 Matthew Toseland wrote:
 Well on the most trivial level, 0.5 doesn't work in china.
   
 yo,
 
 beyond harvesting the connected IP addresses to raid their owner's 
 homes, one big concern with encrypted protocols is that they can be 
 filtered out by application-level scanning firewalls. I think this is 
 exactly what's happening in China.
 
 
 Application-level scanning can be implemented via ASIC technology 
 directly in hardware thus being extremely fast, and we know this works 
 very well.
 Public-key encrypted communications show constant patterns the moment a 
 public key is exchanged between hosts.
 
 Such system can work until there's enough processing power available to 
 make them run without compromising the overal network performance, so to 
 defeat them (they are intended to simply drop forbidden connections) you 
 have to design a protocol
 which shows no recognisable patterns at any level.
 Nested symmetric encryption of each packet with multiple randomly 
 selected pre-shared keys?
 To decode each packet a firewall will have to:
 1) try at least half the known pre-shared keys on each packet
 2) do the above for each level of encryption used.
 
 given the number of keys n and the number of levels l the total number 
 of decryption passes k before you extract usable data (which may be 
 further asymmetrically encrypted)  is  k = (n/2)^l. This is true for 
 each packet and you cannot avoid doing this if you want to confirm the 
 contents.
 While this might not be so demanding for a single CPU and few 
 connections, a core firewall won't be happy to discover that a simple 
 scan no longer suffices and you have to actually process a VERY large 
 number of packets coming from a number of sources with random ports 
 trough a custom designed and frequently updated cryptographic ASIC 
 multiple times.
 
 The idea is not to design a virtually unstopplable protocol:  there  
 might come a day when only  pure HTTP  to port 80 is  allowed,  the idea 
 instead is to make it a bit more unstoppable in places like China, 
 probably France and EU and next in the US.
 
 Also, this won't be a solution in places that trace social network 
 connections (like the current US), this  however will make  the process 
 somewhat harder.
 
 Just a suggestion..
 
 
 
 
 ___
 Support mailing list
 Support@freenetproject.org
 http://news.gmane.org/gmane.network.freenet.support
 Unsubscribe at 
 http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support
 Or mailto:[EMAIL PROTECTED]
 

-- 
Matthew J Toseland - [EMAIL PROTECTED]
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.


signature.asc
Description: Digital signature
___
Support mailing list
Support@freenetproject.org
http://news.gmane.org/gmane.network.freenet.support
Unsubscribe at http://emu.freenetproject.org/cgi-bin/mailman/listinfo/support
Or mailto:[EMAIL PROTECTED]

Re: [freenet-chat] Re: [freenet-support] Freenet 0.7

2006-08-31 Thread Matthew Toseland
Hundreds of projects? Such as? None of them comes anywhere near to our
techology; most of them are either easily harvestable and blockable
proxy networks, or WASTE clones.

On Wed, Aug 30, 2006 at 05:47:43PM -0400, [EMAIL PROTECTED] wrote:
 Have you thought about that ignoring reset packets thing that was
 shown to make it possible to bypass The Great Firewall? I mean, I
 don't know too much about it, or if it'd be possible for
 freenet...but it might be worth looking in to.
 
 Also just wanna add that I fully support the desire to help get around
 the Chinese firewalls and stuff...but you're one of hundreds of
 projects working on that same goal...and personally, I'm not using
 0.7 until there's a working opennet. As much as it may seem like I'm
 totally against darknets...it's not so much what you're working on,
 it's how. I still feel quite strongly that the main page should send
 new users to a download page for 0.5, not 0.7. As for the issue of
 getting a working opennet...I'll join the other people in backing
 off...I suppose I can wait another year or so for a new version...I
 just hope 0.5 will last that long without any fresh users.
 
 On 8/30/06, David 'Bombe' Roden [EMAIL PROTECTED] wrote:
 On Wednesday 30 August 2006 22:35, inverse wrote:
 
  beyond harvesting the connected IP addresses to raid their owner's
  homes, one big concern with encrypted protocols is that they can be
  filtered out by application-level scanning firewalls. I think this is
  exactly what's happening in China.
 
 Yes, the session bytes that are used to initiate connections are
 typical.
 
 
  Public-key encrypted communications show constant patterns the moment
  a public key is exchanged between hosts.
 
 Communication between 0.7 nodes doesn't have to exchange public keys,
 those are already known as they are contained in the node reference.
 
 
 David
 
 
 

-- 
Matthew J Toseland - [EMAIL PROTECTED]
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.



Re: [freenet-chat] Re: [freenet-support] Freenet 0.7

2006-08-31 Thread Matthew Toseland
On Wed, Aug 30, 2006 at 11:52:23PM +0200, David 'Bombe' Roden wrote:
 On Wednesday 30 August 2006 23:47, [EMAIL PROTECTED] wrote:
 
  Have you thought about that ignoring reset packets thing that was
  shown to make it possible to bypass The Great Firewall? I mean, I
  don't know too much about it, or if it'd be possible for
  freenet...but it might be worth looking in to.
 
 That would involve platform-specific code, there's no way to do that in 
 java.

It's unnecessary anyway because it only applies to TCP. It does however
tell us something very interesting and useful: The firewall is stateless !!
They pick up forbidden keywords on a packet and then send a reset
packet, they don't even delete later packets on the same connection
because *they don't track connections at all* !
 
   David
-- 
Matthew J Toseland - [EMAIL PROTECTED]
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.


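A toy model of the behaviour Matthew describes, added here as an illustration (it is not Freenet code and not part of the original message): a middlebox that looks at each TCP segment on its own, forwards it, and injects a forged RST when the segment carries a banned keyword, beside a stateful variant that also remembers the flow and drops everything after the hit, which is what Roman predicts later in the thread. The receiver can be told to ignore RSTs, which is the bypass urza9814 asks about. The keyword list, addresses and segments are constructed for the example; it models decisions, not packets on a wire.

```python
from dataclasses import dataclass, field

BANNED = (b"falun", b"tiananmen")          # constructed keyword list


@dataclass
class Segment:
    flow: tuple                  # (src, sport, dst, dport); constructed 4-tuple
    seq: int
    payload: bytes = b""
    rst: bool = False


@dataclass
class KeywordFilter:
    """Per-segment inspector.  In stateless mode it keeps no memory at all;
    in stateful mode it records flows it has reset and drops their later segments."""
    stateful: bool = False
    killed: set = field(default_factory=set)

    def process(self, seg):
        """Return the segments that leave the box for this input segment."""
        if self.stateful and seg.flow in self.killed:
            return []                                   # rest of the flow is dropped
        if any(k in seg.payload.lower() for k in BANNED):
            if self.stateful:
                self.killed.add(seg.flow)
            # the offending segment is still forwarded; a forged RST follows it
            return [seg, Segment(seg.flow, seg.seq, rst=True)]
        return [seg]


@dataclass
class Receiver:
    ignore_rst: bool = False
    data: bytearray = field(default_factory=bytearray)
    reset: bool = False

    def deliver(self, seg):
        if self.reset:
            return                                      # connection already torn down
        if seg.rst:
            if not self.ignore_rst:
                self.reset = True                       # honour the RST: close
            return                                      # or drop it, as a firewall rule would
        self.data.extend(seg.payload)


# constructed stream: three segments, the second carries a banned keyword
STREAM = [
    b"GET /index.html HTTP/1.0\r\nHost: example.com\r\n\r\n",
    b"<p>report on Falun Gong</p>",
    b"<p>rest of the page</p>",
]


def run(stateful: bool, ignore_rst: bool, stream=STREAM):
    """Push the stream through the filter to the receiver.
    Returns (bytes the receiver ended up with, whether it saw itself reset)."""
    box = KeywordFilter(stateful=stateful)
    rx = Receiver(ignore_rst=ignore_rst)
    flow = ("10.0.0.2", 40000, "203.0.113.5", 80)
    for seq, payload in enumerate(stream):
        for out in box.process(Segment(flow, seq, payload)):
            rx.deliver(out)
    return bytes(rx.data), rx.reset


if __name__ == "__main__":
    for st, ig in [(False, False), (False, True), (True, True), (True, False)]:
        got, reset = run(st, ig)
        print(f"stateful={st!s:5} ignore_rst={ig!s:5} reset={reset!s:5} bytes={len(got)}")
```

The two rows that matter are stateless plus ignore_rst (the whole page arrives) and stateful plus ignore_rst (the receiver survives the RST but never sees the rest of the flow): dropping RSTs at the endpoint only helps while the box forgets the connection.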

Re: [freenet-chat] Re: [freenet-support] Freenet 0.7

2006-08-31 Thread Roman V. Isaev
On 08/31, Matthew Toseland wrote:
   Have you thought about that ignoring reset packets thing that was
   shown to make it possible to bypass The Great Firewall? I mean, I
   don't know too much about it, or if it'd be possible for
   freenet...but it might be worth looking in to.
  That would involve platform-specific code, there's no way to do that in 
  java.
 It's unnecessary anyway because it only applies to TCP. It does however
 tell us something very interesting and useful: The firewall is stateless !!
 They pick up forbidden keywords on a packet and then send a reset
 packet, they don't even delete later packets on the same connection
 because *they don't track connections at all* !

But they will do that, sooner or later. It's just a matter of time. Another
chunk of money for Cisco I guess...



Re: [freenet-chat] Re: [freenet-support] Freenet 0.7

2006-08-31 Thread Matthew Toseland
On Thu, Aug 31, 2006 at 06:01:45PM +0400, Roman V. Isaev wrote:
 On 08/31, Matthew Toseland wrote:
Have you thought about that ignoring reset packets thing that was
shown to make it possible to bypass The Great Firewall? I mean, I
don't know too much about it, or if it'd be possible for
freenet...but it might be worth looking in to.
   That would involve platform-specific code, there's no way to do that in 
   java.
  It's unnecessary anyway because it only applies to TCP. It does however
  tell us something very interesting and useful: The firewall is stateless !!
  They pick up forbidden keywords on a packet and then send a reset
  packet, they don't even delete later packets on the same connection
  because *they don't track connections at all* !
 
 But they will do that, sooner or later. It's just a matter of time. Another
 chunk of money for Cisco I guess...

The interesting thing is you can connect to IRC and discuss forbidden
keywords... Also that study is curious because I heard they block the
whole page, rather than just interrupt it in the middle...
-- 
Matthew J Toseland - [EMAIL PROTECTED]
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.



Re: [freenet-chat] Re: [freenet-support] Freenet 0.7

2006-08-31 Thread inverse

Matthew Toseland wrote:


It's unnecessary anyway because it only applies to TCP. It does however
tell us something very interesting and useful: The firewall is stateless !!

heh, it would be damn expensive to do that in a stateful way.

let's see:


1. Timing.
2. Packet size.
3. It's not a known protocol, therefore it must be bad.
4. Flow analysis.


either way it might be too expensive or require a stateful filter


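Which of the four checks need connection state is easiest to see in code. The following is an added example, not from the thread or from Freenet: constructed packet records run through a per-packet check (port, size) and a per-flow check (timing, flow statistics) built on a flow table keyed by the 4-tuple. The "known protocol" port list, the thresholds and the records are assumptions made for the illustration.

```python
from collections import defaultdict
from statistics import pstdev

KNOWN_PORTS = {22, 25, 80, 110, 443}     # assumed table of "known protocols"

# constructed capture: (timestamp_s, src, sport, dst, dport, payload_len)
PACKETS = [
    (0.00, "10.0.0.2", 40001, "203.0.113.5", 80, 412),
    (0.02, "10.0.0.2", 40001, "203.0.113.5", 80, 1460),
    (0.03, "10.0.0.2", 40001, "203.0.113.5", 80, 1460),
    (0.11, "10.0.0.2", 40001, "203.0.113.5", 80, 120),
    (0.00, "10.0.0.3", 51234, "198.51.100.9", 33311, 1024),
    (0.50, "10.0.0.3", 51234, "198.51.100.9", 33311, 1024),
    (1.00, "10.0.0.3", 51234, "198.51.100.9", 33311, 1024),
    (1.50, "10.0.0.3", 51234, "198.51.100.9", 33311, 1024),
]


def per_packet(pkt):
    """Items 2 and 3 of the list: decided from one packet, no memory needed.
    A stateless box can do this at line rate."""
    _ts, _src, _sport, _dst, dport, size = pkt
    return {"unknown_protocol": dport not in KNOWN_PORTS, "size": size}


def per_flow(packets):
    """Items 1 and 4: need a flow table keyed by the 4-tuple, i.e. exactly
    the per-connection state a stateless keyword filter does not keep."""
    table = defaultdict(list)
    for pkt in packets:
        table[pkt[1:5]].append(pkt)
    stats = {}
    for key, pkts in table.items():
        times = [p[0] for p in pkts]
        sizes = [p[5] for p in pkts]
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        stats[key] = {
            "packets": len(pkts),
            "bytes": sum(sizes),
            "size_stdev": pstdev(sizes),                       # item 2, over the flow
            "gap_stdev": pstdev(gaps) if gaps else 0.0,        # item 1, inter-arrival jitter
            "unknown_protocol": key[3] not in KNOWN_PORTS,     # item 3
        }
    return stats


def looks_like_covert_flow(s, size_tol=0.0, gap_tol=0.01):
    """Assumed rule for the example: unknown port, constant packet size,
    metronomic timing.  Tolerances are illustrative, not measured."""
    return (s["unknown_protocol"]
            and s["size_stdev"] <= size_tol
            and s["gap_stdev"] <= gap_tol)


if __name__ == "__main__":
    for key, s in per_flow(PACKETS).items():
        print(key, s, "covert?" , looks_like_covert_flow(s))
```

The port and size of a single packet can be judged with no memory; jitter and byte counts cannot, which is the cost the reply above expects a stateful box to carry. Note the tension this exposes: a protocol that pads every packet to the same size to hide its content makes the size_stdev test trivially positive.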


[freenet-chat] Re: [freenet-support] Freenet 0.7

2006-08-30 Thread inverse
Matthew Toseland wrote:
> Well on the most trivial level, 0.5 doesn't work in China.
>   
yo,

beyond harvesting the connected IP addresses to raid their owner's 
homes, one big concern with encrypted protocols is that they can be 
filtered out by application-level scanning firewalls. I think this is 
exactly what's happening in China.


Application-level scanning can be implemented via ASIC technology 
directly in hardware thus being extremely fast, and we know this works 
very well.
Public-key encrypted communications show constant patterns the moment a 
public key is exchanged between hosts.

Such a system can work until there's enough processing power available to 
make them run without compromising the overall network performance, so to 
defeat them (they are intended to simply drop forbidden connections) you 
have to design a protocol which shows no recognisable patterns at any level.
Nested symmetric encryption of each packet with multiple randomly 
selected pre-shared keys?
To decode each packet a firewall will have to:
1) try at least half the known pre-shared keys on each packet
2) do the above for each level of encryption used.

Given the number of keys n and the number of levels l, the total number 
of decryption passes k before you extract usable data (which may be 
further asymmetrically encrypted) is k = (n/2)^l. This is true for 
each packet and you cannot avoid doing this if you want to confirm the 
contents.
While this might not be so demanding for a single CPU and few 
connections, a core firewall won't be happy to discover that a simple 
scan no longer suffices and you have to actually process a VERY large 
number of packets coming from a number of sources with random ports 
through a custom-designed and frequently updated cryptographic ASIC 
multiple times.

The idea is not to design a virtually unstoppable protocol: there 
might come a day when only pure HTTP to port 80 is allowed; the idea 
instead is to make it a bit more unstoppable in places like China, 
probably France and EU and next in the US.

Also, this won't be a solution in places that trace social network 
connections (like the current US), this however will make the process 
somewhat harder.

Just a suggestion..
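The nested pre-shared-key idea above, as an added example written for this page (not code from the message or from Freenet): every node holds the same pool of n keys, each packet is wrapped in l layers under keys drawn at random from the pool, and an inspecting box that knows the pool has to try key tuples until the innermost plaintext shows something it can recognise. The cipher is a toy HMAC-SHA256 keystream so the example runs on the standard library alone; the pool, the marker the inner plaintext carries and the payload are constructed. The example assumes the box can recognise only the innermost plaintext; if an intermediate layer were distinguishable from random it could search one level at a time, which is why the "confirm the contents" requirement in the message matters.

```python
import hashlib
import hmac
import itertools
import random

MARKER = b"FN07"          # constructed: what the inspector looks for to confirm a hit


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with HMAC-SHA256(key, nonce || counter).
    XOR is its own inverse, so the same call encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def make_pool(n: int, rng: random.Random):
    """n pre-shared keys known to every node (and, by assumption, to the inspector)."""
    return [bytes(rng.getrandbits(8) for _ in range(32)) for _ in range(n)]


def nested_encrypt(pool, levels, payload, rng):
    """Wrap MARKER||payload in `levels` layers, each under a distinct key
    chosen at random from the pool.  Returns (nonce, ciphertext, chosen indices)."""
    chosen = rng.sample(range(len(pool)), levels)
    nonce = bytes(rng.getrandbits(8) for _ in range(12))
    body = MARKER + payload
    for idx in chosen:
        body = keystream_xor(pool[idx], nonce, body)
    return nonce, body, chosen


def inspect(pool, levels, nonce, ciphertext):
    """What a keyword-scanning box would have to do: try every key tuple
    until the inner plaintext shows the marker.  Returns
    (recovered payload or None, number of decryption passes spent)."""
    passes = 0
    for tup in itertools.product(range(len(pool)), repeat=levels):
        plain = ciphertext
        for idx in tup:
            plain = keystream_xor(pool[idx], nonce, plain)
            passes += 1
        if plain.startswith(MARKER):
            return plain[len(MARKER):], passes
    return None, passes


def posted_estimate(n: int, levels: int) -> float:
    """The (n/2)^l figure from the message above, for comparison."""
    return (n / 2) ** levels


def demo(n=8, levels=2, seed=7):
    """Seeded so the run is reproducible; returns (payload, passes, chosen)."""
    rng = random.Random(seed)
    pool = make_pool(n, rng)
    nonce, ct, chosen = nested_encrypt(pool, levels, b"hello node", rng)
    recovered, passes = inspect(pool, levels, nonce, ct)
    return recovered, passes, chosen


if __name__ == "__main__":
    recovered, passes, chosen = demo()
    print("chosen keys", chosen, "recovered", recovered,
          "passes", passes, "posted estimate", posted_estimate(8, 2))
```

With XOR layers the order of keys does not matter, so the inspector may hit a permutation of the chosen tuple first; posted_estimate gives the (n/2)^l figure from the message so the measured pass count can be set beside it.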







[freenet-chat] Re: [freenet-support] Freenet 0.7

2006-08-30 Thread Ortwin Regel
It wasn't safe enough, though, I suppose.

On 30 Aug 2006 03:27:04 -, Crash at remailer-debian.panta-rhei.eu.org <
Crash at remailer-debian.panta-rhei.eu.org> wrote:
>
> On Tue, 29 Aug 2006 22:01:06 +0100, you wrote:
> >
> > Freenet 0.5 had opennet, and yet it was a failure.
> >
>
> Ok, I gotta know this.  How is 0.5 considered a failure. I use it daily
> and
> it works flawlessly, Frost messages flow as well as ever, as do downloads
> of
> splitfiles.  Yesterday I retrieved a freesite that had not been updated in
> two years and it was 100% intact.  To me, that spells success.
>
> "And now back to Frost"
>
> > On Mon, Aug 28, 2006 at 08:44:42PM -, Hartmut Folter wrote:
> > > Freenet 0.7 is nothing more than yet another in a series of Freenet
> > > failures-in-waiting until it proves itself, IMHO, by emerging out of
> alpha
> > > with open-net.
> > --
> > Matthew J Toseland - toad at amphibian.dyndns.org
> > Freenet Project Official Codemonkey - http://freenetproject.org/
> > ICTHUS - Nothing is impossible. Our Boss says so.
>
>
> Crash Override at OjOMetJJ+IpWf92awrR+leXmIaY
>
>



[freenet-chat] Re: [freenet-support] Freenet 0.7

2006-08-30 Thread Matthew Toseland
Well on the most trivial level, 0.5 doesn't work in China.

On Wed, Aug 30, 2006 at 08:51:32PM +0200, Ortwin Regel wrote:
> It wasn't safe enough, though, I suppose.
> 
> On 30 Aug 2006 03:27:04 -, Crash at remailer-debian.panta-rhei.eu.org <
> Crash at remailer-debian.panta-rhei.eu.org> wrote:
> >
> >On Tue, 29 Aug 2006 22:01:06 +0100, you wrote:
> >>
> >> Freenet 0.5 had opennet, and yet it was a failure.
> >>
> >
> >Ok, I gotta know this.  How is 0.5 considered a failure. I use it daily
> >and
> >it works flawlessly, Frost messages flow as well as ever, as do downloads
> >of
> >splitfiles.  Yesterday I retrieved a freesite that had not been updated in
> >two years and it was 100% intact.  To me, that spells success.
> >
> >"And now back to Frost"
> >
> >> On Mon, Aug 28, 2006 at 08:44:42PM -, Hartmut Folter wrote:
> >> > Freenet 0.7 is nothing more than yet another in a series of Freenet
> >> > failures-in-waiting until it proves itself, IMHO, by emerging out of
> >alpha
> >> > with open-net.
> >> --
> >> Matthew J Toseland - toad at amphibian.dyndns.org
> >> Freenet Project Official Codemonkey - http://freenetproject.org/
> >> ICTHUS - Nothing is impossible. Our Boss says so.
> >
> >
> >Crash Override at OjOMetJJ+IpWf92awrR+leXmIaY
> >
> >

-- 
Matthew J Toseland - toad at amphibian.dyndns.org
Freenet Project Official Codemonkey - http://freenetproject.org/
ICTHUS - Nothing is impossible. Our Boss says so.



[freenet-chat] Re: [freenet-support] Freenet 0.7

2006-08-30 Thread urza9...@gmail.com
Have you thought about that ignoring reset packets thing that was
shown to make it possible to bypass The Great Firewall? I mean, I
don't know too much about it, or if it'd be possible for
freenet...but it might be worth looking in to.

Also just wanna add that I fully support the desire to help get around
the Chinese firewalls and stuff...but you're one of hundreds of
projects working on that same goal...and personally, I'm not using
0.7 until there's a working opennet. As much as it may seem like I'm
totally against darknets...it's not so much what you're working on,
it's how. I still feel quite strongly that the main page should send
new users to a download page for 0.5, not 0.7. As for the issue of
getting a working opennet...I'll join the other people in backing
off...I suppose I can wait another year or so for a new version...I
just hope 0.5 will last that long without any fresh users.

On 8/30/06, David 'Bombe' Roden  wrote:
> On Wednesday 30 August 2006 22:35, inverse wrote:
>
> > beyond harvesting the connected IP addresses to raid their owner's
> > homes, one big concern with encrypted protocols is that they can be
> > filtered out by application-level scanning firewalls. I think this is
> > exactly what's happening in China.
>
> Yes, the session bytes that are used to initiate connections are
> typical.
>
>
> > Public-key encrypted communications show constant patterns the moment
> > a public key is exchanged between hosts.
>
> Communication between 0.7 nodes doesn't have to exchange public keys,
> those are already known as they are contained in the node reference.
>
>
> David
>
>



[freenet-chat] Re: [freenet-support] Freenet 0.7

2006-08-30 Thread cr...@remailer-debian.panta-rhei.eu.org
On Tue, 29 Aug 2006 22:01:06 +0100, you wrote:
>
> Freenet 0.5 had opennet, and yet it was a failure.
>

Ok, I gotta know this.  How is 0.5 considered a failure. I use it daily and
it works flawlessly, Frost messages flow as well as ever, as do downloads of
splitfiles.  Yesterday I retrieved a freesite that had not been updated in
two years and it was 100% intact.  To me, that spells success.

"And now back to Frost"

> On Mon, Aug 28, 2006 at 08:44:42PM -, Hartmut Folter wrote:
> > Freenet 0.7 is nothing more than yet another in a series of Freenet
> > failures-in-waiting until it proves itself, IMHO, by emerging out of alpha
> > with open-net.
> --
> Matthew J Toseland - toad at amphibian.dyndns.org
> Freenet Project Official Codemonkey - http://freenetproject.org/
> ICTHUS - Nothing is impossible. Our Boss says so.


Crash Override at OjOMetJJ+IpWf92awrR+leXmIaY






Re: [freenet-chat] Re: [freenet-support] Freenet 0.7

2006-08-30 Thread David 'Bombe' Roden
On Wednesday 30 August 2006 22:35, inverse wrote:

 beyond harvesting the connected IP addresses to raid their owner's
 homes, one big concern with encrypted protocols is that they can be
 filtered out by application-level scanning firewalls. I think this is
 exactly what's happening in China.

Yes, the session bytes that are used to initiate connections are 
typical.


 Public-key encrypted communications show constant patterns the moment
 a public key is exchanged between hosts.

Communication between 0.7 nodes doesn't have to exchange public keys, 
those are already known as they are contained in the node reference.


David




Re: [freenet-chat] Re: [freenet-support] Freenet 0.7

2006-08-30 Thread David 'Bombe' Roden
On Wednesday 30 August 2006 23:47, [EMAIL PROTECTED] wrote:

 Have you thought about that ignoring reset packets thing that was
 shown to make it possible to bypass The Great Firewall? I mean, I
 don't know too much about it, or if it'd be possible for
 freenetbut it might be worth looking in to.

That would involve platform-specific code, there's no way to do that in 
java.


David



Re: [freenet-chat] Re: [freenet-support] Freenet 0.7

2006-08-30 Thread inverse

David 'Bombe' Roden wrote:

Communication between 0.7 nodes doesn't have to exchange public keys, 
those are already known as they are contained in the node reference.

nice!

I definitely need to install 0.7 and capture some packets for testing



Re: [freenet-chat] Re: [freenet-support] Freenet 0.7

2006-08-30 Thread inverse

[EMAIL PROTECTED] wrote:

Have you thought about that ignoring reset packets thing that was
shown to make it possible to bypass The Great Firewall? I mean, I
don't know too much about it, or if it'd be possible for
freenet...but it might be worth looking in to. 


it's possible to do it, but only under Linux at the moment.

You just set an iptables prerouting rule that drops incoming TCP RST 
packets.
This is a kernel-side layer 4 setting that's perfectly transparent to the 
application level, the only side effect being that any incoming 
connection will end with a timeout in place of a graceful reset.
Under Windows I suppose you simply lack the instruments and support to 
do something clever like that.


