submitted 1 week ago* (last edited 1 week ago) by freedomPusher@sopuli.xyz to c/tor@infosec.pub

Not sure if this problem also applies to gitea, but it might explain why there is apparently only one¹ onion forge in existence, and it’s broken.

gg6zxtreajiijztyy5g6bt5o6l3qu32nrg7eulyemlhxwwl6enk6ghad.onion used to be relatively functional, perhaps because there was no clearnet variant, but it’s dead now.

¹ plz correct me if I am wrong. There used to be:

git.fuwafuwa.moe → git.fwfwqtpi2ofmehzdxe3e2htqfmhwfciwivpnsztv7dvpuamhr72ktlqd.onion
git.nogafam.es → git.hsdtecd4h2b5z732pvkg2yw3746epap4qusgvjjze6nhmfcdpz2suiad.onion
but they have been gone for quite some time now.

submitted 1 week ago* (last edited 1 week ago) by freedomPusher@sopuli.xyz to c/tor@infosec.pub

In this thread I propose an “Onion workaround” near the bottom of the page. It does not work.

My latest experiment is formed like this:

$ sudo tee -a /etc/tor/torrc <<< 'mapaddress 192.168.1.25 hsdtecd4h2b5z732pvkg2yw3746epap4qusgvjjze6nhmfcdpz2suiad.onion'
$ cat >> ~/.ssh/config <<eof
host nogafam-onion
     UserKnownHostsFile    /dev/null
     StrictHostKeyChecking no
     hostname     192.168.1.25
     ForwardX11   no
     ProxyCommand connect -4 -S 127.0.0.1:9050 %h %p
     IdentityFile /home/$(whoami)/.ssh/id_rsa_nogafam
eof

Doing a git push results in:

ssh: Could not resolve hostname nogafam-onion: Name or service not known
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I suspect SSH objects to a hostname that is supplied as an IP address.

But apart from that, what should the first 3 octets of the IP address be? Should it match the LAN subnet that I am on? I hope not, because my LAN subnet changes from day to day depending on where I connect. Or should it reflect the VirtualAddrNetwork in /etc/tor/torrc?

Note that I do not restart tor when I mess with the mapaddress. I just send mapaddress 1.2.3.4=yadayada.onion to the tor control port which should have real-time effect.

I tried both using a subnet that matches the LAN I am on, and also tried one that matches the VirtualAddrNetwork. Both result in the same error.

So I thought maybe the hostname needs to be the onion address. But check this out.. running this on the CLI:

$ tor-resolve hsdtecd4h2b5z732pvkg2yw3746epap4qusgvjjze6nhmfcdpz2suiad.onion 127.0.0.1:9050

Results in an IPv6! WTF? I do not expect Tor to use IPv6 for internal mapping. Most especially when I used mapaddress to micro-manage the mapping.

update

Gitea proxy webhooks may be what’s missing. Along these lines:

https://github.com/go-gitea/gitea/issues/22335

This is probably the key to getting this working -- https://github.com/RightToPrivacy/Gitea-Onion

submitted 1 week ago* (last edited 1 week ago) by freedomPusher@sopuli.xyz to c/tor@infosec.pub

(cross-posted in !collaboration@sopuli.xyz)

There are two common methods for starting a new repository: using git init or git clone. This post demonstrates the former.

Preconditions:

  • SSH, git, and Tor are installed
  • a Tor SOCKS proxy listens on port 9050 (i.e. SocksPort 9050 in /etc/tor/torrc)
  • (optional) You have an HTTP proxy such as privoxy listening on port 8118

Create an account and a repository on a gitea instance. The following parameters are placeholders assumed for these instructions:

forge: gitea
instance: git.platypush.tech (many choices)
repo name: tuneInTurnOffDropOut
username: timLeary

Locally, make a new directory and go there. CLI steps from there:

$ git init
$ git config http.proxy http://127.0.0.1:8118/; # optional; only useful if you later want/need to switch to HTTP and you run an HTTP proxy over Tor
$ git config credential.helper store; # optional; only useful to store your creds if you later want/need to forgo SSH keys
$ git config user.name timLeary

Visit your settings (e.g. https://git.platypush.tech/user/settings), ☑ Hide email address, and see what special address is supplied. Use that in the next step.

(update) some gitea servers have this tickbox but they do not mention a special email address. 🤷

$ git config user.email timLeary@noreply.git.platypush.tech; # get this from account settings, or use an email address of your choice

Visit your new repo (e.g. https://git.platypush.tech/timLeary/tuneInTurnOffDropOut) which will show a “quick guide” because it’s an empty repo. Highlight “SSH” to see the SSH username to the left of the “@”. Remember that for the next step.

$ git remote add origin forgejo@platy:timLeary/tuneInTurnOffDropOut.git; # ⚠ Do not use the gitea-suggested parameter verbatim; just grab the git API username (generally “git” or “forgejo”) from the previous step to prefix into this format. “platy” is an arbitrary string of your choice.
$ git checkout -b main; # “master” is a popular historic variation to “main”, but main is the woke gitea default so we’ll run with it
$ printf '%s\n' 'Put a blurb about the project here.' > README.md
$ git add README.md
$ git commit -m "first commit"
$ ssh-keygen -t rsa -N '' -C 'timLeary at platypush' -f ~/.ssh/id_rsa_platypush-timLeary; # the "-C $comment" parameter is optional
$ wl-copy < ~/.ssh/id_rsa_platypush-timLeary.pub; # Use your preferred way to get the pubkey in your clipboard. wl-copy is the Wayland-specific way to do that.

git.platypush.tech → settings → SSH/GPG Keys → Manage SSH Key → add key → (paste from clipboard)

$ ssh-keygen -l -f ~/.ssh/id_rsa_platypush-timLeary; # optional check; compare the local sha256 fingerprint to that in platypush/timLeary web account settings
$ cat >> ~/.ssh/config <<eof
host platy
     hostname     git.platypush.tech
     ForwardX11   no
     ProxyCommand connect -4 -S 127.0.0.1:9050 \$(tor-resolve %h 127.0.0.1:9050) %p
     IdentityFile /home/$(whoami)/.ssh/id_rsa_platypush-timLeary
eof

$ git push -u origin main

Note that the host value in ~/.ssh/config is any identifier you want. But it must match the token between @ and : in the git remote add origin command. I chose platy in the example.

Benefits

The beauty of this configuration is that you never need to prefix your git commands with torsocks going forward. All cloud ops will automatically tunnel over Tor. In fact, using torsocks would fail with this config.

Drawbacks

  • Probably does not work on gitea onion instances (ouch!)
  • Some gitea instances refuse SSH and/or Tor connections, but they are opaque about it. In those cases you get error messages that lie. Switching to HTTP is the workaround.

Onion workaround (untested)

How can this be done for onion hosts? Would this work?:

$ sudo tee -a /etc/tor/torrc <<< 'mapaddress 192.168.1.25 hsdtecd4h2b5z732pvkg2yw3746epap4qusgvjjze6nhmfcdpz2suiad.onion'
$ cat >> ~/.ssh/config <<eof
host nogafam-onion
     hostname     192.168.1.25
     ForwardX11   no
     ProxyCommand connect -4 -S 127.0.0.1:9050 %h %p
     IdentityFile /home/$(whoami)/.ssh/id_rsa_nogafam
eof

Or is there a better way?

(note that nogafam.es is not a good example for testing because they block SSH deliberately)

update: the above stanza does not work.

Improvements?

Any feedback for improvements is welcome.
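The procedure above, worked as an added example (not code from the post or from gitea): a small Python helper that builds the remote and the ~/.ssh/config stanza in the post's layout, checks the invariant that the alias between “@” and “:” must match the stanza's host line, and computes the SHA256 fingerprint used in the optional key check. The function names and the ssh-ed25519 sample key are constructed assumptions.

```python
"""Helpers for the git-over-Tor SSH setup walked through above.

Added example, not code from the post. Function names, the constructed
ssh-ed25519 key material and the sample strings are assumptions; the stanza
layout and the ProxyCommand are the ones the post uses.
"""
import base64
import hashlib
import re
import struct

# scp-like remote syntax used in the post: <ssh-user>@<host-alias>:<owner>/<repo>.git
_REMOTE_RE = re.compile(r"^(?P<user>[^@/:]+)@(?P<alias>[^:/]+):(?P<path>[^:]+?)(?:\.git)?$")
_SOCKS = "127.0.0.1:9050"  # the Tor SocksPort from the preconditions


def parse_remote(remote: str) -> dict:
    """Split an scp-like git remote into its ssh user, host alias and repo path."""
    m = _REMOTE_RE.match(remote)
    if not m:
        raise ValueError(f"not an scp-like git remote: {remote!r}")
    return m.groupdict()


def build_remote(ssh_user: str, alias: str, owner: str, repo: str) -> str:
    """Compose the remote the way the post does: forge ssh user, own alias, repo path."""
    return f"{ssh_user}@{alias}:{owner}/{repo}.git"


def ssh_config_stanza(alias: str, hostname: str, identity_file: str,
                      socks: str = _SOCKS) -> str:
    """Render the ~/.ssh/config stanza from the post. The literal $(tor-resolve %h ...)
    is left for ssh's shell to expand at connect time: the real hostname is resolved
    through Tor and the TCP session goes via the SOCKS port, so nothing touches the
    system resolver or the clearnet."""
    return "\n".join([
        f"host {alias}",
        f"     hostname     {hostname}",
        "     ForwardX11   no",
        f"     ProxyCommand connect -4 -S {socks} $(tor-resolve %h {socks}) %p",
        f"     IdentityFile {identity_file}",
        "",
    ])


def alias_consistent(remote: str, stanza: str) -> bool:
    """The post's invariant: the token between '@' and ':' in the remote must equal
    the stanza's 'host' alias. If it does not, ssh never applies the stanza, the
    ProxyCommand is skipped, and the name goes to the ordinary resolver instead."""
    m = re.search(r"^host\s+(\S+)", stanza, re.MULTILINE | re.IGNORECASE)
    return bool(m) and parse_remote(remote)["alias"] == m.group(1)


def pubkey_fingerprint(pubkey_line: str) -> str:
    """SHA256 fingerprint of an OpenSSH public-key line, in the 'SHA256:<unpadded
    base64>' form that ssh-keygen -l prints, for comparing the local key with the
    fingerprint the forge shows in account settings (the optional check step)."""
    fields = pubkey_line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    blob = base64.b64decode(fields[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used inside OpenSSH key blobs."""
    return struct.pack(">I", len(data)) + data


def constructed_ed25519_pubkey(seed: int) -> str:
    """A syntactically valid ssh-ed25519 public-key line built from 32 derived bytes.
    Constructed sample data for the demo, not a real key pair."""
    fake_key = hashlib.sha256(seed.to_bytes(4, "big")).digest()
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(fake_key)
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-sample"


if __name__ == "__main__":
    remote = build_remote("forgejo", "platy", "timLeary", "tuneInTurnOffDropOut")
    stanza = ssh_config_stanza("platy", "git.platypush.tech",
                               "~/.ssh/id_rsa_platypush-timLeary")
    print(remote)
    print(stanza)
    print("alias matches stanza:", alias_consistent(remote, stanza))
    print(pubkey_fingerprint(constructed_ed25519_pubkey(1)))
```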

submitted 1 month ago* (last edited 1 month ago) by evenwicht@lemmy.sdf.org to c/tor@infosec.pub

Just heard a radio interview where a dynamic pricing expert said some online shops detect a Safari browser and assume Apple users have deeper pockets. The algo positions higher priced items to the top of the page and perhaps shows them higher prices than those on non-Apple platforms.

So of course I’m thinking: this is perhaps a good reason to get more folks using Tor. If you cannot sell the idea of privacy, maybe money savings would sway them.

Tor users are fucked by tor-hostility, but that marginalisation is only possible because we are a small demographic. We need to be a bigger demographic.

submitted 1 month ago by daveyOsborn@infosec.pub to c/tor@infosec.pub

I need this for political/activist purposes. When a public service blocks Tor, I want to be able to say that the public service marginalises/disservices ppl on some platforms.

My first thought was Qubes OS, because it can be set up as a Tor-only platform. The flaw of course is that users can configure it either way. So the public service would argue that it was the user’s choice to configure it to not use clearnet. If an OS were to operate purely on anonymous networks with no direct clearnet access, this would have some niche applications for activism.

submitted 1 month ago by nonserf@libretechni.ca to c/tor@infosec.pub
submitted 1 month ago* (last edited 1 month ago) by nonserf@libretechni.ca to c/tor@infosec.pub

cross-posted from: https://libretechni.ca/post/786769

FOSDEM presenter Jah Kosha will pitch the idea that the web can be made inclusive by introducing some middleware called #akoopa to share websites using torrents. This is severely needed. I cannot even read legal statutes that I am bound by because the gov publishes law on exclusive websites.

It’s similar to my youtube-torrent idea:

https://libretechni.ca/post/420147

submitted 2 months ago by debanqued@beehaw.org to c/tor@infosec.pub

cross-posted from: https://beehaw.org/post/23925690

the problem

The web is littered with enshitified Tor-hostile resources generally deployed with the naive idea that Tor users are criminals. The Tor community can barely function. The web is broken in countless ways and it’s not always obvious whether Tor users are targeted by the marginalisation because firewalls never state why they are blocking. Sometimes they block based on geolocation or user-agent strings, and sometimes a resource is simply down for everyone. Tor users are left assuming their exit node IP is the culprit.

Also a problem: some people actually have no Internet at home. For some it is temporary and for others it is a permanent way of living a mostly analog life.

the solution (for many cases)

Use the clearnet at a cafe with open access. Of course it’s unreasonable to haul a desktop computer into a cafe or to carry a laptop at all times, so it would be useful to send fetch orders from your PC to your phone. When the phone connects to public Wi-Fi, you tap to execute the queue of fetch orders. Then when back at your PC you download the fulfilled orders from the phone.

This could even be useful within the home, since the block or malfunction can be a number of things. A smartphone could try to execute fetch orders over Orbot, which may or may not fail. And if it fails, it remains an unfulfilled order to retry in a cafe.

Aria2 would be perfect for the underlying heavy lifting because it supports many protocols (HTTP, FTP, bittorrent), and it exists on both the PC and Android. The Android code is apparently just a backend. It’s broken or useless on its own and needs a controller such as the app proposed here.

insufficient alternatives

The usual workarounds have compromises. A VPN may or may not work but it’s still a bit far from anonymity. The VPN provider is essentially like another ISP who can snoop on you.

Download managers already exist on smartphones, but there is no seamless PC interoperability. And (AFAIK) they are just for simple files, not for webpages or Youtube videos.

There is Newpipe but it has no PC interoperability. You must search YT using the Newpipe UI.

submitted 3 months ago* (last edited 3 months ago) by activistPnk@slrpnk.net to c/tor@infosec.pub

In the early web days there was a service where you email a URL to a certain email address and it responded with an email with the webpage attached.

We need that back. We need it to escape arbitrary anti-Tor anti-VPN forms of enshitification.

archive.org is very useful but we cannot rely on it.

Email has also become enshitified and it’s rightfully distrusted and even abandoned by the few true resisters who exist. So ideally it would be an onion email address that takes in the requests. Perhaps an onion activitypub UI as well.

submitted 3 months ago* (last edited 3 months ago) by freedomPusher@sopuli.xyz to c/tor@infosec.pub

Full quote from EFF a few days ago:

“Free expression is the lifeblood of democracy. As more of our lives take place in digital spaces, EFF’s work grows more relevant and urgent to ensure everyone’s right to free speech.”

At the same time, EFF turns a blind eye to Cloudflare, who:

  1. impedes petition signing on change.org, moveon.org, and actionnetwork.org. Voters who are blocked by CF’s access restrictions are effectively denied participation in democratic processes.
  2. blocks voters from accessing information about candidates published on sites like www.opensecrets.org.
  3. suppresses voting: CF impedes voter registration, disenfranchising voters in 8 US states (16% of voter registration sites).

The EFF is apparently okay with forcing people to choose between the privacy of the Tor network and democracy.

submitted 4 months ago by cm0002@lemmy.zip to c/tor@infosec.pub
submitted 4 months ago by freedomPusher@sopuli.xyz to c/tor@infosec.pub

The EFF wrote in their most recent newsletter:

… Because it's your rights we're fighting for.

  • Your right to speak and learn freely online, free of government censorship
  • Your right to move through the world without being surveilled everywhere you go
  • Your right to use your device without it tracking your every click, purchase, and IRL movement
  • Your right to control your data, including data about your body, and to know that data given to one government agency won’t be weaponized against you by another
  • Your right to do what you please with the products and content you pay for …

Cloudflare has been DoSing the whole Tor community for over a decade now. Those who are not excluded from CF sites (over ⅓ of the web), who are free to move around only have that liberty because they submit to surveillance and give up their privacy.

EFF has ties to the Tor Project that are closer than most people realise. At the same time, Tor Project itself has submitted to licking Cloudflare’s boots. TP has quietly removed material from their blogs that criticises Cloudflare.

Searching EFF newsletters for Meta, Facebook, Google, Amazon, etc has no shortage of hits. But not a word about Cloudflare -- the most direct adversary of what EFF claims to fight for.

People are already aware of Google and Facebook. If they choose to pawn themselves to those platforms, they know what they are signing up for. It’s a waste of energy and resources to fixate on those known evils. EFF is doing a gross injustice by not informing people about Cloudflare.

Cloudflare is one of the few tech giants that wise users cannot escape. In some US states you cannot even register to vote without Cloudflare knowing. You can submit a paper registration but then the data entry worker still submits your personal data to a Cloudflare website.

It’s relatively trivial to escape Google and Facebook and protect yourself. Most of that battle is a matter of not registering and not accessing the services, and watching out for a few corner cases. Cloudflare fucks everyone by compromising websites whose admin doesn’t even know what they are signing up for and the fact that they are pawning all their own users. When your gov publishes legal statutes exclusively in Cloudflare’s walled garden or puts gov services inside CF, we’re fucked to an extent that is much more beyond our control.

I will not donate to EFF until they get their priorities straight.

submitted 5 months ago* (last edited 3 months ago) by freedomPusher@sopuli.xyz to c/tor@infosec.pub

WTF happened to onionmail.info?

So disturbing.

It was such a great resource for email. It was a quite unique infrastructure that gave a bit of freedom and privacy unlike any other email provider.

update

It’s back up.

submitted 5 months ago by activistPnk@slrpnk.net to c/tor@infosec.pub

--cross-posted from !forced_obsolescence@slrpnk.net--

Shitty new captive portals are a new form of enshitification. Captive portals are getting so fancy that they are dysfunctional on old phones. They managed to fuck up the simple task of merely presenting a button that basically says “I agree not to shit on your network”.

It’s really infuriating to be on a bus or train for hours, unable to use Wi-Fi to plan your trip because some jackass dipshit coded a captive portal that assumes everyone is a pushover who continuously buys recent phones, when all they need is to render a fucking button or tickbox.

I am betting that the clueless pricks behind the captive portals have enough incompetence that DNS traffic gets through. But for that to work you must run a server for the purpose of serving AndIodine. So it would be useful if some Tor entry nodes supported DNS traffic.

Captive portals are a form of oppression against people with old phones or non-standard software, esp. those w/out GUI browsers. I believe an anti-obsolescence mission to support people with old phones or non-standard software would be compatible with Tor Project’s principles.

A DNS bridge would be useful in other situations as well, such as where Tor is blocked deliberately. Normal traffic is slow over DNS, so Tor client could treat it as a last resort by attempting DNS after X number of connection failures. It would generally overall increase the availability of Tor access.

submitted 6 months ago* (last edited 6 months ago) by freedomPusher@sopuli.xyz to c/tor@infosec.pub
submitted 8 months ago by evenwicht@lemmy.sdf.org to c/tor@infosec.pub

When visiting git.openprivacy.ca over tor but without using Tor browser, it automatically redirects to gitopcybr57ris5iuivfz62gdwe2qk5pinnt2wplpwzicaybw73stjqd.onion. The privacyinternational website used to do that, but not the last time I checked. A lot of sites seem to make use of a return header that tells the browser what the onion is without actually redirecting. Of course the problem with that is non-Tor browsers obviously do nothing with such headers. I thought it’s worth mentioning here that auto-redirection is the smart way to do this.

submitted 9 months ago by evenwicht@lemmy.sdf.org to c/tor@infosec.pub

There are countless public wi-fi access points that push captive portals which collect identity info on users and track them. The purpose of the privacy intrusion is (allegedly) so they can respond to complaints about unacceptable use. Or worse, so they can directly snoop on their own users’ activity to police their behavior. Those burdens are not cost-free. Babysitters cost money.

Tor solves this problem. There can be no expectation that a service provider nanny Tor users because they naturally cannot see what users are doing. You are only responsible for what you know -- and for what data you collect. The responsibility of Tor users falls on the exit nodes (to the extent they are used, as opposed to onions).

It’s bizarre how public access admins often proactively block egress Tor traffic, out of some ignorant fear that they would be held accountable for what the user does. It’s the complete opposite. Admins /shed/ accountability for activity that they cannot monitor. If it’s out of their hands, it’s also beyond their responsibility. This is Infosec Legal Aspects 101 -- don’t collect the info if you don’t want the responsibility that the data collection brings. Somehow most of the population has missed that class and remains driven by FUD instead. They foolishly do the opposite: copious overcollection, erroneously thinking that’s the responsible thing to do.

In principle, if you want to deploy gratis Internet access to a population free of captive portals and with effortless administration that respects the privacy of users, then it is actually clearnet traffic that you would block. If you allow only Tor traffic, you escape the babysitter role entirely.

In thinking about how to configure this, my first thought was: set up a Tor middlebox transparent proxy and force all traffic over Tor. The problem with that is you would actually still have visibility on the traffic before it gets packaged for Tor, so it fails in the sense that you could technically be held liable for not babysitting the traffic between the user and the Tor network. OTOH, the chances of receiving a complaint from the other side of the Tor cloud are naturally quite low. Still, it’s flawed.

It really needs to be a firewall that blocks all except Tor guard nodes. A “captive portal” of sorts could be used to inform clearnet users that only Tor traffic is permitted, which could give some basic advice about Tor, such as local workshops on installing a Tor client.

It imposes a barrier to entry of both knowledge and wisdom on users. So be it; it is what it is. Not everyone can expect a free hand-out, and it’s usually Tor users who face the oppression of access denial. Of course the benefit is that some people will decide to install Tor in order to use the hotspot.

submitted 9 months ago by ciferecaNinjo@fedia.io to c/tor@infosec.pub

A Turk was telling me about a peaceful demonstration he attended, in Turkey. He said police surrounded the protest. Then someone in plain clothes threw a stone at the police. One of the demonstrators noticed that the guy who threw the stone had handcuffs in his back pocket. IOW, a cop posing as a demonstrator threw a stone in order to justify the police tagging the protest as “violent” so they could shut it down.

So of course the question is, to what extent are bad actors on Tor actually boot lickers who are working to ruin Tor for everyone?

submitted 9 months ago by ciferecaNinjo@fedia.io to c/tor@infosec.pub

There are many situations where gov-distributed public information is legally required to be open access. Yet they block Tor.

To worsen matters, the general public largely and naively believes it’s correct to call something “open access” when in fact there are access restrictions in place.

The resource should work like this:

  1. User supplies a URL
  2. Robot tries to access that page from a variety of different countries, residential and datacenter IPs, Tor, various VPNs, different user-agent strings, etc.
  3. Report is generated that reports the site as “openly accessible” if no obstacles (like 403s) were detected. Otherwise, it tags the site as “restricted access” and lists the excluded demographics of people.

The report should be dated and downloadable as PDF so that activists can send it to the org behind the site with a letter saying: “your website is not open access -- please fix”.

This need somewhat aligns with the mission of the OONI project, but they are not doing this AFAICT.

Update

I just read an announcement about Belgium’s “open data” law, which is basically a summary. It said something like “there should be no unnecessary access restrictions”. I’m not sure to what extent that accurately reflects the law, but it’s an example of what one country considers “open”, fwiw. From there, I would say most Tor blockades are not necessary but rather some lazy sysadmin looking for an easy job. They of course would then like to argue that it’s “necessary” to keep the baddies out.

Update 2

The Open Knowledge Foundation Network defines open data to be completely free from restrictions:

https://okfn.org/en/library/what-is-open/

submitted 11 months ago by evenwicht@lemmy.sdf.org to c/tor@infosec.pub

There is a particular public hotspot where tor takes like an hour to establish a connection on. It’s stuck on 10% and shows a running count of connection attempts upwards of 40.

What does this mean? Is it that the wi-fi operator is blocking guard nodes, but perhaps only a snapshot of guard nodes? When I finally connect, is it a case where I managed to get a more recent guard node than the wi-fi operator knows about?

submitted 1 year ago by evenwicht@lemmy.sdf.org to c/tor@infosec.pub

Political parties around the world have flocked to nationbuilder.com for some reason. This tor-hostile Cloudflare site is blocking Tor users from accessing election info. This kind of sloppy lazy web administration is common.

But what’s a bit disturbing is that when I contact a political party to say I cannot reach their page because of the nationbuilder block page, they sound surprised, like it’s the first time they are hearing about web problems. So Tor users are lazy too. That’s the problem.

submitted 1 year ago by evenwicht@lemmy.sdf.org to c/tor@infosec.pub

cross-posted from: https://lemmy.sdf.org/post/24375297

Tracker pixels are surprisingly commonly used by legitimate senders: your bank, your insurance company, any company you patronize. These assholes hide a 1-pixel image in HTML that tracks when you open your email and your IP (thus whereabouts).

I use a text-based mail client in part for this reason. But I got sloppy and opened an HTML attachment in a GUI browser without first inspecting the HTML. I inspected the code afterwards. Fuck me, I thought… a tracker pixel. Then I visited just the hostname in my browser. Got a 403 Forbidden. I was happy to see that. Can I assume these idiots shot themselves in the foot with a firewall Tor blanket block? Or would the anti-tor firewall be smart enough to make an exception for tracker pixel URLs?

submitted 1 year ago by evenwicht@lemmy.sdf.org to c/tor@infosec.pub
submitted 2 years ago by freedomPusher@sopuli.xyz to c/tor@infosec.pub

cross-posted from: https://sopuli.xyz/post/13489053

In the onion v2 days we had underwood2hj3pwd.onion. There were half a dozen other onion email providers but Underwood was the only one that did not have a clearnet email alias (IIRC). That was a useful feature because you could distribute an onion address to a MS Outlook or Gmail user and they could not use it to share their correspondence to you with Google or MS in the loop. They had just two options: step off the ad surveillance platform or not contact you at all. That option died with Underwood.

The other onion email services all have a clearnet translation. So if (for example) I give a gmail user this address:

foo@yllvy3mhtamstbqzm4wucfwab57ap6zraxqvkjn2iobmrtxdsnb37dqd.onion

and they are motivated to reach me, they can figure out that the corresponding clearnet alias is foo(/at/)onionmail.info and then they can use that address to send me a msg that is then shared with their surveillance advertiser. And worse, that’s less effort for them than obtaining an onion email account.

So what I do now is give an XMPP account. Since Google has abandoned jabber and MS never partook, XMPP avoids Google and MS. But XMPP is not a drop-in replacement for email. OMEMO is glitchy/buggy with pitfalls.

I would like to offer an email option. Ideally, an onion email service would offer a clearnet alias that cannot be determined from the onion address, which implies a different userid string.

Torsocks $udp_app (infosec.pub)
submitted 2 years ago by coffeeClean@infosec.pub to c/tor@infosec.pub

What happens if an app uses UDP instead of TCP (or both UDP and TCP), and you use the torsocks wrapper script? Would the UDP connections all leak without the Tor user knowing?


Unofficial Tor Community


Link to tor project (they made the icon I grabbed, and tor itself of course): https://www.torproject.org/

This is a community to discuss the tor project and your experience with tor, tor browser, etc.

Rules are generally: be nice, don't be bigoted, etc.

Only seems fair that an infosec instance should have a community about one of the most well known anonymity tools :)

founded 2 years ago