How secure is I2P and its derivatives? (fun)

lgillis
Posts: 323
Joined: Mon May 09, 2022 8:40 am

How secure is I2P and its derivatives? (fun)

Post by lgillis »

Did you know that I2P scores 90 out of a possible 100 and I2Pd still scores 88/100 in terms of perceived security? Take a look, it could be entertaining:

https://doingfedtime.com/i2p-versions-essentials/ via https://www.reddit.com/r/i2p/comments/1 ... _thoughts/ – I2P? Reddit! 100/100. The only place where freedom of expression is still possible!1!

And once again, if we use the Internet for legal communication and I2P only for illegal piracy, then sooner or later all participants from the I2P-DB will go to jail together. \(^_^)/
anikey
Posts: 78
Joined: Thu Dec 07, 2023 9:22 pm

Re: How secure is I2P and its derivatives? (fun)

Post by anikey »

lgillis wrote: Thu Aug 22, 2024 11:47 am Did you know that I2P scores 90 out of a possible 100 and I2Pd still scores 88/100 in terms of perceived security? Take a look, it could be entertaining:
I don't understand where these security rankings came from.

Also, if I look at the publications on that site by the same user (https://doingfedtime.com/author/sam/), I notice that a lot of it seems AI-generated (if I paste a piece of an article into the Quillbot detector, it detects quite a high percentage).
I have a feeling these scores are hallucinated.

The picture at the beginning of that article also feels partially AI-generated (and an old screenshot of the I2P console, and a couple of logos slapped onto it).

I don't understand why Kovri was even mentioned; its last activity was around 4 years ago. How many security issues do you think it did not fix in these 4 years? And they give it such a high security rating (85).

A thing called "I2P-Browser" is also listed. I can't access the page linked from it (i2p-browser.i2p).

Same thing with "I2P-Zone": I've never heard of it, and I can't access the page (i2p.zone). The provided screenshot does not even seem related (GitHub page of namecoin-i2p-resolver).

The link to i2p-bote page does not exist (https://geti2p.net/en/docs/applications/i2pbote).
Same thing with "Transmission-I2P". (Besides, judging by the GitHub screenshot, it seems dead; they should've instead promoted qBittorrent, which added I2P support.)

The link to Tahoe-LAFS (or as it's called in the article "Taho-LAFS") is also dead.

The link to "i2pberry" is also quite dead; according to various in-I2P registries it has not been seen since 2013! I don't see the point of mentioning such a dead resource.

The reason I'm criticizing the mention of dead resources is that they should be explicitly marked as such and not given a high security rating, because all things I2P are security-sensitive (anonymity can be compromised if there is no security). Yet there are NO programs on that list with a rating lower than 75, and most are 80 or more.

Besides, the author in the aforementioned reddit post claims that "I'm far from an expert on I2P", so how can you entrust "not an expert" to rank security of software?
lgillis wrote: Thu Aug 22, 2024 11:47 am I2P? Reddit! 100/100. The only place where freedom of expression is still possible!1!
I don't quite understand. Maybe you're protesting that people post on reddit. There might be a reason for it: reddit is more accessible to regular people, because it is on the regular internet, outside of i2p.
lgillis wrote: Thu Aug 22, 2024 11:47 am And once again, if we use the Internet for legal communication and I2P only for illegal piracy, then sooner or later all participants from the I2P-DB will go to jail together. \(^_^)/
How is this even related to all the above? What is "I2P-DB"?
lgillis
Posts: 323
Joined: Mon May 09, 2022 8:40 am

Re: How secure is I2P and its derivatives? (fun)

Post by lgillis »

Exactly, my young friend, the ranking is complete nonsense. It already lacks the reference point, i.e. what the 100 - percent or points or plums - indicates in terms of certainty. So no comparison is possible at all. Also, no reasons are given as to how the ranking is made up. You have already recognized that. Although …
> I2P? Reddit! 100/100.
oops, here's the reference point. What a bummer, now I seem to have disproved myself!!!111Exclamation mark

https://i2pforum.net = http://i2pforum.i2p Try it out, it's currently still free.

> What is "I2P-DB"?
This is technical stuff, completely uninteresting for ultimate consumers.

That was satire. Thank you for playing along. ;-)
anikey
Posts: 78
Joined: Thu Dec 07, 2023 9:22 pm

Re: How secure is I2P and its derivatives? (fun)

Post by anikey »

lgillis wrote: Thu Aug 22, 2024 5:24 pm https://i2pforum.net = http://i2pforum.i2p Try it out, it's currently still free.
I already knew about this. This equals sign causes some problems though.

Cookie problems.

I can't stay logged in because the .i2p version sets cookies for the .net version, so the cookie doesn't work.
As such, it relies on the ?sid= URL parameter which is both inconvenient and not as secure.
I've posted about it multiple times in the relevant thread (the one about "logout after 5 minutes") on that forum.

Yet nothing changed, the admins didn't fix it after all this time.

The technical side is that it sets the cookie domain to the .net version (so it doesn't get used, because you're going through the .i2p version), and that it sets the 'Secure' option, which limits cookies to HTTPS only (but the .i2p version does not have HTTPS, because it's unnecessary).

The discuss.i2p site doesn't have this problem.
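As an added example (not the forum's or phpBB's own code), the following models the two RFC 6265 rules behind the problem anikey describes: a Domain attribute that does not match the responding host is discarded by the client, and a cookie flagged Secure is never sent over plain http. The cookie name and header values are constructed.

```python
"""Constructed model (not the forum's code) of two RFC 6265 rules:
a Domain attribute is only accepted if the request host domain-matches it,
and a cookie flagged Secure is only sent on https requests."""
from urllib.parse import urlparse


def parse_set_cookie(header: str) -> dict:
    """Split 'name=value; Domain=...; Secure' into a plain dict."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value, "domain": None, "secure": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "domain":
            cookie["domain"] = val.lower().lstrip(".")
        elif key.lower() == "secure":
            cookie["secure"] = True
    return cookie


def domain_matches(host: str, domain: str) -> bool:
    """RFC 6265 section 5.1.3: host is the domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def store_cookie(jar: list, response_url: str, header: str) -> bool:
    """Storage rule (RFC 6265 5.3); returns True if the cookie was kept."""
    host = urlparse(response_url).hostname.lower()
    cookie = parse_set_cookie(header)
    if cookie["domain"] is None:
        cookie["domain"], cookie["host_only"] = host, True
    elif domain_matches(host, cookie["domain"]):
        cookie["host_only"] = False
    else:
        return False          # Domain=i2pforum.net set by i2pforum.i2p: ignored
    jar.append(cookie)
    return True


def cookies_for(jar: list, request_url: str) -> list:
    """Names of the stored cookies a client would attach to this request."""
    parsed = urlparse(request_url)
    host, https = parsed.hostname.lower(), parsed.scheme == "https"
    sent = []
    for c in jar:
        if c["host_only"] and host != c["domain"]:
            continue
        if not c["host_only"] and not domain_matches(host, c["domain"]):
            continue
        if c["secure"] and not https:
            continue          # a Secure cookie never travels over plain http
        sent.append(c["name"])
    return sent


def session_survives(set_cookie: str, site: str) -> bool:
    """Does a session cookie set by `site` come back on the next request?"""
    jar = []
    store_cookie(jar, site, set_cookie)
    return "sid" in cookies_for(jar, site)


# Constructed headers; "sid" is a stand-in for the real phpBB cookie name.
BROKEN = "sid=abc123; Domain=i2pforum.net; Secure"   # what the post describes
FIXED = "sid=abc123"                                 # host-only, no Secure flag
```

Either attribute alone is enough to lose the session on the .i2p hostname, which is why the forum falls back to the ?sid= URL parameter.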
lgillis
Posts: 323
Joined: Mon May 09, 2022 8:40 am

Re: How secure is I2P and its derivatives? (fun)

Post by lgillis »

anikey wrote: Thu Aug 22, 2024 5:41 pm Yet nothing changed, the admins didn't fix it after all this time.
What you report is well known to everyone involved, as are various other weaknesses. But you can't do more than point them out. I also don't know where you got the information that there are several administrators. Is that the case? As far as I know, large parts of the western infrastructure of I2P are in fact run by one person. I suspect that as long as nobody volunteers to be a forum administrator, not much will change. Or we'll wait another quarter of a century until the colleague has retired and is looking for something to do in his spare time.

Until then, or until someone else sets up a modern forum, we have no choice but to play a little trick. As in the way of first writing the posts in the beloved text editor so that they don't get lost if the tunnel connection breaks down again, then logging in and placing the essay or novella or the self-written sentence and sending it off. And you can track whether anyone actually replies via RSS feeds.

Shall we talk about what we would like to have, which forum software is the right one to represent I2P, purely theoretically, just for fun?
anikey
Posts: 78
Joined: Thu Dec 07, 2023 9:22 pm

Re: the i2pforum.i2p and forum software

Post by anikey »

lgillis wrote: Fri Aug 23, 2024 10:22 am I also don't know where you got the information that there are several administrators. Is that the case?
I didn't actually know how many admins there were. Maybe I should've used "administration" instead, or something.
Actually, now that I look, there are two accounts on that site listed as "Administrators": log into it and at the bottom click "The team" (or "Members"), and it will list the admins. They are echelon and fori2padmin18, but the second one has never posted anything, it seems.
lgillis wrote: Fri Aug 23, 2024 10:22 am As far as I know, large parts of the western infrastructure of I2P are in fact run by one person.
Actually, more than one. Look here. Although that page is a bit outdated (it has "Monotone guru" even though i2p-project switched to git some years ago; and I think zzz came back to development, but is only listed there as "past contributor").

Many things are done by idk, but the sites and the forum are administrated by echelon.
lgillis wrote: Fri Aug 23, 2024 10:22 am Until then, or until someone else sets up a modern forum, we have no choice but to play a little trick. As in the way of first writing the posts in the beloved text editor so that they don't get lost if the tunnel connection breaks down again, then logging in and placing the essay or novella or the self-written sentence and sending it off. And you can track whether anyone actually replies via RSS feeds.

Shall we talk about what we would like to have, which forum software is the right one to represent I2P, purely theoretically, just for fun?
"Modern" as in stuffed with JavaScript? That wouldn't really cut it, because security practices usually tell people to disable JS by default on darknet sites.
Actually, this one (phpBB; we're using it right now!) works really well for I2P (speaking as a user). It is lightweight, so it doesn't need much bandwidth.

I haven't had many problems with tunnel breakages. So I usually write posts (yes, even this one) in the textarea inside the web browser (I don't need much text-editing capability here at the moment).

The only forum where I often come close to losing my posts (and this is why I copy them to the clipboard before posting) is the problematic forum (i2pforum.i2p), which times out the session really quickly, and there's a high chance I'll have to stare at the "You must log in before posting" screen when posting there. Other than i2pforum, phpBB works well enough.

phpBB is also nice since it has some enhancements if you enable JS, but will work just fine if you don't. That is simply beautiful.
lgillis
Posts: 323
Joined: Mon May 09, 2022 8:40 am

Re: How secure is I2P and its derivatives? (fun)

Post by lgillis »

anikey wrote: Fri Aug 23, 2024 9:12 pm They are echelon and fori2padmin18, but the second one has not posted anything ever, it seems.
Exactly, and here we have disadro21us, discussuser and postman. Apart from postman, who only showed an interest in this forum once when explicitly notified by the community (me, or Gillis), the names fori2padmin18, disadro21us and discussuser are unknown to everyone. That's strange, since everyone else uses their alias when they want to score a few points to move up in the perceived social structure. So we have two phpBB forums, one in blue and one in brown, both running almost in their default settings. In addition, there is a Tacker WebUI, which is administratively managed in exactly the same form as the forum rules here, which have only been made a little more verbose for the more obtuse participants. (By the way, last week Team Postman deleted a torrent that was supposed to support your I2PSnark research. There was nothing illegal, even the anonymous IDs were blacked out.) And why don't the admins sit down with the users and look for a solution together? Because they are afraid of being exposed, because it could come out that people are helping each other out here. Which means they have access to the destinations of the participants. If you haven't realised what that means, here's an example. User CL uploads a handful of cheap adult torrents to the tracker and then goes to the forum to talk about morality and decency and demands a ban on pornography. The admins have a look at the connection data and realise that he is a hypocrite.

And when I talk about infrastructure, I mean the hardware on which all this runs and whose rent someone has to pay. A few years ago, you could still see who received how much money for which purposes on the page you linked. Because this transparent disclosure revealed internal entanglements, it was not continued. Today, you have to proceed differently if you want to know on which servers of which company and subsidiary the infrastructure is hosted.

You must have noticed the last paragraph, ‘Inclusion’, when you linked the page. The project manager at the time did not dare to object to the registration or at least demand a discussion about it, even though the source code is on Microsoft's servers. This should illustrate the prevailing power imbalance in the western part. There are other reasons, but because of what I have said, I think it is important not to become dependent on individual providers. That's why I like alternatives like MuWire.

I don't really care about these half-heartedly run forums. This one, for example, was created to get the ongoing discussions and all things human off the PaT wishlist. They all seem like children's tables at a family party to me. And I also assume that they can disappear at any time after the game without notice. And it doesn't seem to be just me, because as I said before, the majority of conversations take place on the internet and on social media. So people are afraid to speak their minds here, in a network that is supposedly fighting for more freedom. But maybe I'm wrong and the omerta, the mafia's duty of confidentiality, applies and nobody has told me that?

The real alternative to phpBB brown and blue is retrobbs.i2p. However, its interface provokes the broken windows effect. But I would rather have a contemporary GUI in a neat environment that doesn't evoke such associations in the first place. Whether with or without JavaScript is the same to me, just as phpBB is only fully usable with JS, the Tor-Browser also comes with JS switched on. I'm still talking about freedom of speech and not the nonsense that some people obviously associate with the darknet.

Sorry for the length, some things don't fit into a handful of sentences.
anikey
Posts: 78
Joined: Thu Dec 07, 2023 9:22 pm

Re: How secure is I2P and its derivatives? (fun)

Post by anikey »

lgillis wrote: Sat Aug 24, 2024 12:15 pm Exactly, and here we have disadro21us, discussuser and postman. Apart from postman, who only showed an interest in this forum once when explicitly notified by the community (me, or Gillis), the names fori2padmin18, disadro21us and discussuser are unknown to everyone. That's strange, since everyone else uses their alias when they want to score a few points to move up in the perceived social structure.
Maybe that's just the vocal minority though? There are many people who sign up for both forums but do not post anything.
lgillis wrote: Sat Aug 24, 2024 12:15 pm In addition, there is a Tacker WebUI, which is administratively managed in exactly the same form as the forum rules here, which have only been made a little more verbose for the more obtuse participants.
What's that? I've never heard of it.
lgillis wrote: Sat Aug 24, 2024 12:15 pm (By the way, last week Team Postman deleted a torrent that was supposed to support your I2PSnark research. There was nothing illegal, even the anonymous IDs were blacked out.)
I suppose I might have seen something like a picture listed in the Latest section of PATracker (I've not downloaded it though). If that's what we're talking about, maybe it was just too small, a couple of kilobytes, to be put up as a torrent? (Why didn't they just put it up on a file-sharing site?)
Even then, are you sure that it was Team Postman who deleted it? Maybe the uploader themselves deleted it (I know you can delete your torrents from the Tracker if they have no seeds, or something along these lines).
lgillis wrote: Sat Aug 24, 2024 12:15 pm And why don't the admins sit down with the users and look for a solution together? Because they are afraid of being exposed, because it could come out that people are helping each other out here.
What is wrong with "helping each other out"? Or is there hidden meaning in your words?
lgillis wrote: Sat Aug 24, 2024 12:15 pm Which means they have access to the destinations of the participants.
Generally, a site hoster in i2p knows the clients' destinations. Because destinations in I2P are comparable to IP addresses on the regular internet (except not linked to real-world identities). There is even a project that can track people across multiple eepsites (if they cooperate/collude) to find out that one person is visiting these eepsites.
That doesn't mean that this is unfixable. You can use multiple HTTP proxies (each proxy gets a different destination) and imitate multiple identities. Many faces! (And don't forget to have different fingerprints for the browsers, but that is not I2P's problem.)
lgillis wrote: Sat Aug 24, 2024 12:15 pm User CL uploads a handful of [...] to the tracker and then goes to the forum to talk about [...]. The admins have a look at the connection data and realise that he is a hypocrite.
Assuming this is a hypothetical user.
See, the user could've used one destination for uploading (i.e. registering for Tracker and submitting), and another for posting (i.e. registering on a forum and submitting post). Then they would've appeared as two people, there's no way to distinguish them.

(Side note: torrent clients already create their own destinations.)
lgillis wrote: Sat Aug 24, 2024 12:15 pm And when I talk about infrastructure, I mean the hardware on which all this runs and whose rent someone has to pay. A few years ago, you could still see who received how much money for which purposes on the page you linked. Because this transparent disclosure revealed internal entanglements, it was not continued. Today, you have to proceed differently if you want to know on which servers of which company and subsidiary the infrastructure is hosted.
I've browsed two internet archives and couldn't find a page with the money.

(Or could have they silently removed it? No way! Total world conspiracy!)
lgillis wrote: Sat Aug 24, 2024 12:15 pm You must have noticed the last paragraph, ‘Inclusion’, when you linked the page. The project manager at the time did not dare to object to the registration or at least demand a discussion about it, even though the source code is on Microsoft's servers. This should illustrate the prevailing power imbalance in the western part. There are other reasons, but because of what I have said, I think it is important not to become dependent on individual providers.
My information is that this section was silently added by the site administrator some time ago, and some people didn't like it. That's all I know.
lgillis wrote: Sat Aug 24, 2024 12:15 pm That's why I like alternatives like MuWire.
Is there any reason to jump to a different and incompatible piece of software, even though you could've joined the (probably more popular) bittorrent "community"?
The more people compatible with each other, the better.
I'm not saying everyone should rely only on Postman's Tracker.
The problem with using a less-popular and incompatible alternative like Muwire is that it's not as easy to move data from an older place.
With a torrent tracker, you just grab the infohashes and add them to the new one. No rehashing or anything is necessary. In fact, that's how cross-seeding from the clearnet works right now. People bring torrents from clearnet trackers and add them to Postman's tracker.
Same thing can be done if people want to migrate to a different tracker.
And by using complementary open trackers and DHT, you can even retain the seeders without them having to do anything. (So Postman's tracker is more like a searchable index of torrents, with comments and ratings.)
Bittorrent is even more decentralized by having multiple independent implementations - i2psnark, bbt, libtorrent-rasterbar.
lgillis wrote: Sat Aug 24, 2024 12:15 pm I don't really care about these half-heartedly run forums. This one, for example, was created to get the ongoing discussions and all things human off the PaT wishlist. They all seem like children's tables at a family party to me. And I also assume that they can disappear at any time after the game without notice. And it doesn't seem to be just me, because as I said before, the majority of conversations take place on the internet and on social media. So people are afraid to speak their minds here, in a network that is supposedly fighting for more freedom. But maybe I'm wrong and the omerta, the mafia's duty of confidentiality, applies and nobody has told me that?
People talk where it is more convenient to talk. It's more convenient to talk on reddit because it's accessible from clearnet (and from the phone!) and they already had accounts there.

Looking at the topics on reddit, it doesn't seem anything scary (anything that people would be afraid "to speak their minds"). So they could've just talked here. But they wanted to talk on reddit, presumably because it's more convenient. And because there are more people there.
lgillis wrote: Sat Aug 24, 2024 12:15 pm The real alternative to phpBB brown and blue is retrobbs.i2p. However, its interface provokes the broken windows effect. But I would rather have a contemporary GUI in a neat environment that doesn't evoke such associations in the first place. Whether with or without JavaScript is the same to me, just as phpBB is only fully usable with JS, the Tor-Browser also comes with JS switched on.
How is retrobbs different from another ordinary forum (setting aside the interface)? Is it, like, federated with other forums, like Usenet? Or something? That'd be kinda cool, in that there'd be no single point of centralization. (A little bit of searching slightly confirms my guess, but I'd like to know more.)

Additional investigation led to finding a similar-looking forum but with different content: novabbs.i2p.
lgillis wrote: Sat Aug 24, 2024 12:15 pm I'm still talking about freedom of speech and not the nonsense that some people obviously associate with the darknet.
I wasn't really talking about whatever "nonsense" either. People may come here for different reasons.