Question: Censorship by blacklisting hardcoded IPs?


#1

I have a question about the methods of censorship that governments might have.
Okay, so rUDP will be indistinguishable from normal UDP packets, and there are no handshakes and ports are randomly assigned continuously. Perfect with that aspect, no DPI firewall will block that based on traffic analysis.

So I was wondering about the hardcoded IPs, that sounds like it would be the logical step for a gov: just keep updating the lists of hardcoded first hops. Let's say that gov servers are curling every minute the config file from github to blacklist any new IP address for the bootstrapping.
What alternatives do the new users have to connect to the network?


#2

Isn’t this why we need totally end-user-owned and -controlled wireless mesh cognitive radio devices, hopefully some small, mobile, battery-backed, hardened and solar-powered? We need people more aggressive about this than the NRA is on its guns. We have to tell the NRA people that even better than guns is hardened com, and that without it they can take your guns!


#3

yeah, ideally meshnet would be the logical choice, but the scope of that happening is decades away.
We should have a plan B to make it work with the current infrastructure, no?


#4

Yes! For sure. But that plan B has to happen right now and we need to transition to it as fast as possible. I think viable IoT happens to be cobbled-together mesh standards on open verifiable single silicon with software stitching together the opportunistic spectrum overlaps to reach out to everything within range, but power frugal.

I think SAFE has an expiration date on any Clearnet hardware, it is apt to be purged, but another matter with SAFE-optimized end-user-owned and -controlled hardware.


#5

Hence my question, what’s the answer from MaidSafe: what happens when the hardcoded IPs are all blacklisted?
How can it bootstrap?


#6

Firstly I do not know many governments who have this direct control over ISPs’ IP blacklists (China etc. excepted). Usually it requires the government department to request/demand the ISP to block certain IP addresses. Since the list is typically small it is not that difficult to do. But as all government processes go, it takes time to do.

So I do not see government using curl to effectively real-time (“every minute”) block IP addresses. More like one day they get the IP addresses, then this moves through the government process and ends up as a request/demand to the (perhaps 1000s, 700 in AU) ISPs to block those IP addresses, and this typically takes 1-3 days for the ISP to do.

But if the list expands to 100s or thousands (as is likely for SAFE) there are further issues with IP address blocking and the management of those lists.

Now this is very valid and David did comment about this when it was brought up some time ago. The question is not new.

The approximate response included that the node would remember its last neighbour nodes and attempt to connect to those. The “hardcoded” list is only a last resort and there was talk that even this would not necessarily be a list of a few nodes specified on github.

Your list of previous neighbour nodes has a good chance of one being active. Maybe included in that list will be other nodes that are archive nodes and likely to be on most of the time.


#7

That is why I highlighted “new” users, because those wouldn’t have any “last” neighbor node. My understanding was that once you connect the first time, you are pretty okay since you keep populating them (is it?), so existing users wouldn’t be much threatened. The problem would be with the newcomers.

Well, you just responded yourself. China is the one I have in mind, Cuba, and potentially in Trump’s America you could also expect something batshit crazy to happen.
If MaidSafe becomes popular, it will become a target, and the weakest link: the easiest way to stop it spreading among the population would be to keep monitoring new hardcoded bootstraps and dropping all connections towards those IP addresses, which is especially easy to do when the traffic is foreign.
The NSA has all nodes and Internet Exchange Points and Tier 1 providers currently intervened. From eavesdropping to controlling is just a flip of the switch away.

So I think that the point is to make SafeNetwork work in the worst scenario possible. Is there any way of surviving an active targeting by the government to DoS it?


#8

Not quite. They get logs. But point taken that they could go full USSR on the internet.

I see the problem as not them having to target a few hundred node IP addresses, but rather 100s of thousands of IP addresses.

Every web site (not SAFE) that advertises the SAFE download to view content stored on SAFE rather than internet servers will also likely advertise the IP addresses of the nodes they know about (likely to be their own vaults).

So if thousands of websites do this, you could easily have 10+ thousand IP addresses, and if dynamically updated then it could be 1 million IP addresses that they need to start blocking in real time.

The javascript that shows the SAFE download could also be harvesting the close neighbours of the webserver that is also running one or more vaults.

The worst case is when SAFE is small, maybe < 100 thousand nodes.


#9

But would you trust non-official sources to download safenetwork clients?
This could actually be the phase 2 of those totalitarian governments, as it opens up a very nice vector of supplying trojanized safe clients.


#10

It’s going to happen. How many download javascript (via browser) and run it? People do it all the time without thinking twice.

Hopefully there will be central download sites that people trust that the website points to.


#11

Heading off governments at the pass and beating them to the punch on deployed practicality is key. SAFE deployed at scale before they have a strategy ties their hands to an extent.

The other day this couple I know were getting out of their car at a hospital when an autonomous robot guard rolled up on them. It shocked them. The man yelled at it and it started taking pictures, which was odd, must have a video feed. I imagined this thing as a segway with a camera post. They said there were several on the grounds. Sorry I didn’t get a good description. But kind of spooky. Will we be able to get away with cop watcher and cop chaser drones?

Maybe these will be what SAFE runs out of:


#12

SAFE will be a boon for many storage services and large companies trying to save a buck and improve profitability. As such it will likely mean that those services would publish their own lists and distribute the software. The economic impact of such a move could have undesirable consequences for the local government.

Another idea is to allow these 3rd parties to distribute the software and have MaidSafe build a verification mechanism into the network that has the user point it to the downloaded binary and hash it to check it against the official copy hosted on the network. If things get tricky there is always the out-of-band method.

A pre-existing user could use an app designed to first copy the official binary to the USB drive for hash signature maintenance and in the same folder create a bootstrap file the binary auto refers to when the initial bootstrap fails.

My 2c,


#13

In another coin I’ve used, users shared their peers.dat files with each other via other means when there were DDoS attacks etc. that made it difficult to get up and running.


#14

I wonder if there could be a way to:

  1. Share those peers.dat securely, so if it falls into the wrong hands it doesn’t get blacklisted.
  2. Make sure that that peer file doesn’t get corrupted or that the internet doesn’t get flooded with fake files with fake peers.

Think about the worst-case scenario where MaidSafe would be specifically targeted to be disrupted.
So imagine yourself sitting at a desk, and you are given the task of blocking new users from adopting MaidSafe: how would you do it?
If I were the asshole in charge, I would:
Phase 1) Get the official releases, read all the hardcoded IPs, and blacklist them all. Periodically check for changes, and if there are new IPs, blacklist them automatically.
Phase 2) Once the official sources are useless because of the blacklisting, those users who are craving SafeNetwork are gonna start searching for alternate versions, so the government agencies can cater to that demand by creating bogus websites that pretend to be from a decentralized MaidSafe Pod or an alternative supporting site, and distribute trojanized versions of it. Harvest more IPs to blacklist in this manner, and meanwhile steal the keys of the user who installed it, and then send a list of files to a C&C to analyze illegal content and attempt to identify the user IRL (shotgunning for illegal users within borders). Those who are detected sharing forbidden information on the SafeNetwork are persecuted publicly as a deterrent for future users, by spreading the propaganda that the SafeNetwork IS NOT SECURE (“look how many we caught, even though it was a shot in the dark, no one will be any the wiser!”).
Phase 3) Flood the internet with fake peers.dat, in countless shitty websites and torrents, so people get frustrated and decide that the SafeNetwork software is low quality. This measure will just potentiate the demand for the trojanized versions that work.

Specific targeting is happening with TOR in China (look up China’s Great Cannon), so this is not just a wild experimental thought, it is a realistic threat to consider if we are hoping for SafeNetwork to become very successful: it WILL be specifically targeted.
If any of you think these ideas are far-fetched: some of the “phase 2” aspects are happening with the free VPNs offered on the internet, and some of phase 3 was already done by companies like MediaSentry, Overpeer and Loudeye, hired by the MPAA and RIAA.
A totalitarian regime like China (or even worse the future US under Trump, look up QUANTUM attacks from the NSA ANT Catalog, that is the toy this batshit tyrant wannabe has under his belt) could execute all three if they felt that the internet was out of their reach to be monitored or controlled.

Therefore, I was wondering:

  1. How can we prevent official hardcoded IPs from being blacklisted?
  2. Is there a technique up the sleeve that would make them impossible to blacklist or retrieve?
  3. Is there a non-IP method to bootstrap?
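The bootstrap order described in #6 and #19 (remembered neighbours first, the hardcoded list only as a last resort), combined with the peer-file integrity check asked about in #14 and the hash-against-official-copy idea from #12, as an added illustration. This is not MaidSafe's code; the addresses and the "trusted digest" channel are constructed placeholders, and blocking is simulated with a set rather than a real firewall.

```python
import hashlib
import json

# Constructed placeholder "last resort" list (documentation-range IPs, not real nodes).
HARDCODED_BOOTSTRAP = ["203.0.113.10:5483", "203.0.113.11:5483"]

# Constructed peers file a trusted friend might hand over out of band (#13/#14).
GOOD_PEER_FILE = b'["198.51.100.7:5483", "198.51.100.8:5483"]'
# Digest that would arrive over a separate trusted channel (here computed in place).
GOOD_DIGEST = hashlib.sha256(GOOD_PEER_FILE).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_shared_peer_file(raw: bytes, expected_sha256: str) -> list:
    """Accept an out-of-band peers file only if it matches the expected digest.
    A flooded/forged file (#14 phase 3) or a corrupted one yields no peers."""
    if sha256_hex(raw) != expected_sha256:
        return []
    try:
        peers = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return []
    return [p for p in peers if isinstance(p, str) and ":" in p]


def bootstrap_candidates(cached_neighbours, shared_peers, hardcoded, blocked):
    """Try remembered neighbours, then verified shared peers, then the hardcoded
    list. Addresses in `blocked` (simulated ISP blacklist) are skipped."""
    seen, ordered = set(), []
    for addr in list(cached_neighbours) + list(shared_peers) + list(hardcoded):
        if addr in seen or addr in blocked:
            continue
        seen.add(addr)
        ordered.append(addr)
    return ordered


def remember_neighbour(cache: list, addr: str, max_len: int = 64) -> list:
    """After a successful connection, move the peer to the front of the cache
    so an existing user no longer depends on the hardcoded list (#6, #19)."""
    cache = [a for a in cache if a != addr]
    return ([addr] + cache)[:max_len]


if __name__ == "__main__":
    blocked = set(HARDCODED_BOOTSTRAP)  # the thread's worst case: all hardcoded IPs blacklisted
    shared = load_shared_peer_file(GOOD_PEER_FILE, GOOD_DIGEST)
    print("new user, hardcoded blocked:", bootstrap_candidates([], [], HARDCODED_BOOTSTRAP, blocked))
    print("new user with verified peers file:", bootstrap_candidates([], shared, HARDCODED_BOOTSTRAP, blocked))
```

The first call returns an empty list, which is exactly the new-user gap raised in #7 and #20; the second shows how a verified out-of-band file closes it.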

#15

If I (or most folk, I strongly suspect) thought that Maidsafe was going to cosy up to the likes of the NRA, you would very quickly see the project forked.

Take your NRA and stick it, pal.

When are you self-centred Americans going to realise the world does not revolve around you? This is what Scots think of your Trump, NRA and other associated right-wing scum.


#16

Thanks for being so on topic guys.


#17

Topic hi-jackers 'R us

… Sorry


#18

@Warren Actually I fully agree about mesh networking. It’s just that I’m not going to enlist the NRA to help us achieve it.


#19

You only need one bootstrap IP the very first time you start the vault, right? After that, the vault should maintain its own list of nodes. So each vault provider (that’s us) could share their IP to trusted people and they should be able to join the network and be independent of bootstrap servers after that.
Am I missing something?


#20

Yes, and I mentioned it several times before, what about the

new users


thank you.