More like, “I want to screw around, but I can’t, because I don’t know how to screw; so somebody must do it for me, BECAUSE I WANT IT.”

I myself wish to build a spaceship out of beer cans.  I have not the slightest idea of how to do this.  Yeah, I DON’T HAVE ANY BEER-CAN-AEROSPACE KNOWLEDGE.  Now if you’re not helping me, mind your own #@!& business please.


https://medium.com/@lukeparker/the-trust-attack-a6241a08a9cd

Though it should go without saying, I expect Bitcoin Supersonic Bomb to have a market impact equal to the effect of spitting at the ocean.  If our hapless wannabe forker ever actually figures out how to fork, that is.

@theymos, this isn’t what you signed up for!  Not the downtime, and not the following—as seen through Tor.  Not changed by rotating circuits.  I can’t dump cookies, because I need to stay logged in; and once Cloudflare decided to demand from me an Internet cavity search, they locked me out of bitcointalk.org with a demand that I let them run their executable code on my machine.  I waited it out, and they eventually let me pass.


Cloudflare also repeatedly tried to Google-CAPTCHA me on their error pages.  No, thanks; I can do without seeing the holy secret errors.

This interrupted my repeated attempts to post the following.  (Anybody awaiting a reply from me elsewhere, please understand if it may be slow in coming.)

---

I’ve oftentimes wondered how Cloudflare can afford to offer “free” DDoS protection.  Their product requires serious network bandwidth, hardware, sysadmin, and engineering.  Those cost money—lots of money.

Usually, “free” products which cost big money to offer can be explained with the aphorism, “You are not the customer; you are the product.”  That raises the question, who pays?

In practice, who pays? is isomorphic to the ancient idiom:  Cui bono?

“You are the product.”  Bitcointalk.org is now a product.  For whom?  And does the customer truly wish for Bitcointalk.org to succeed?

At that, does Cloudflare itself like customers who “especially dislike Cloudflare”?  One of the great benefits of dependence on “huge centralized anti-DDoS companies” is that you can’t bite the hand which feeds you—at least, not more than that hand will deign to tolerate.  Too bad.  Even if this is only some generalized Cloudflare failure, I doubt that theymos stands at the front of their support queue.

Ladies and gentlemen, we are witnessing the mental process which actuated every hardfork to date!  Did you ever want to be a fly on the wall during the initial planning stages of Bitcoin XT, Bitcoin Unlimited, NYA, Bitcoin Cash, Bitcoin Gold, Bitcoin Plutonium Diamond With Ponies?  Did you ever wonder why from a technical perspective, they’re all such comedic horrors?  Well, observe the same principle in action:  Behold the birth of Bitcoin Supersonic Bomb!

After all, as we’ve all heard, developers are unimportant.


No, I am evaluating your personality based on the demonstrated evidence that you are a moron.  A rude one, at that.  Well, at least you gave me some laughs today; but it was at the expense of the time of people who actually tried to help you.  That’s just not worth it.

Yet my heart softens.  Call it my BOFH instinct.  Somebody should help you.

Here is the secret of Bitcoin:  The bits of the coins live in the electrons running through wires which power the entire Internet.  Voltage transception in the magnetic fields of power generators keep the blockchain secure.  That is how mining works:  Pulse codes are modulated by ASIC processes called “hashing”, which forms new coins out of electric charges and pushes them onto the wires.  You did hear that mining has high electrical cost, right?

A hardfork of Bitcoin is caused by asymmetric perturbation of the hash modulation, which in turn causes divergence of the hash nonces onto two different permuted chains.  This arises when voltage pushes the electrons through a sharp, pointy conductor.  Did you ever see what happens when you put a fork in the microwave?  See all the sparks?  Well, that is how Bitcoin gets forked, too!  It’s called a “fork” for a reason:  It needs a literal fork, or fork-like device.  Well-financed projects such as Bitcoin Cash used forks made of solid tellurium; but any ordinary household fork will do.

Thus, to fork Bitcoin, you must stick a fork into an electrical outlet.  Hodl it tightly; don’t let go before the process is complete (not that you’ll be able to).  It’s that easy!  No coding knowledge is required.  HTH.  Have a nice trip.


The fork happens faster if you have 240V outlets.  Dare I hope?

If you have technical support questions about your obsolete Microsoft system, I urge you to pray to “Bitcoin Jesus”.  Verily, he lied for your sins.  His mark rose heavenward on the pump; then a spear pierced His market’s side for the dump.  Be ye a sick, BOOST ye He shall.  Render unto Caesar Satoshi the things that are Satoshi’s, and unto God Jihan the things that are Jihan’s.  Behold the Good News of His centralized Glory; for His alone are Wholly Profits!

---

Moderators, please.  Outside the Alt section, “Bitcoin Cash” scamcoin promotions must be deleted; and users who make them must be banned.  The years of block wars and hostile takeover attempts have yielded ample precedent for such action, e.g.:


(Discussing the potential of banning Coinbase, if they were to move to a scam forkchain.)

How is Cloudflare thus relevant?  The purpose of the image proxy is to “improve privacy and eliminate mixed content warnings”.  (I also speculate that it might filter some evil, though that’s only an idle guess.)  It has nothing to do with DDoS protection, other than needing it.

---

On a related note, I am now working to spearhead the development of a browser add-on to block Cloudflare.  Bitcointalk.org is discussed in Issue 4.

Hot off the presses, a Cloudflare-blocking browser add-on!  a.m.o. currently says it was last updated “an hour ago (Dec 11, 2017)”:

https://addons.mozilla.org/en-US/firefox/addon/block-cloudflare-mitm-attack/

I have not yet examined the code.  Use at your own risk, pending review.

Referred by:

https://trac.torproject.org/projects/tor/ticket/24351#comment:25

Cheers to whomever did this.  “Cypherpunks write code.”

Where will drug users get all this Bitcoin, to “use for bad purposes”?  I suppose that was easy, when Bitcoin was widely considered to be a toy.  This is changing fast.

Hardcore addicts get paper cash through street crime.  But Bitcoin is not so easy to obtain this way; and those who do muggings and thefts will simply buy drugs from the dealer on the corner, not exchange to Bitcoin and buy on the Internet.  Though it’s true that Bitcoin can be obtained through online hacking/theft, such doings require at least a modicum of skill and a clear head.  I doubt that many online coin thieves be chronically zonked on dope.

Occasional users might have digital coins.  But it is hardcore addicts who really support the economics of a large-scale drug market; and hardcore addicts are useless walking carcasses, worthless economically and in every other way.  That is why they are so contemptible, after all.  Moreover, Bitcoin’s economic deflation provides an incentive to not waste it.  What sort of an addled fool would rather have a few hits of dope now, than keep a stash of widely-coveted digital coins for later?  If you must buy drugs, it would be less stupid to spend your depreciating official toilet paper.

Any form of money will always have some use in criminal activity.  But I suspect that as Bitcoin becomes more valuable, it will ultimately become “cleaner” than fiat money.  Perhaps it already is, idiotic mass-media tomfoolery notwithstanding.

I was careful not to suggest that .onions be DDoS-proof.  Of course, they’re not.  But they do radically change the attack surface, largely for the better (at least against DDoS).

In practice, I would suppose that probably, the best means to deny access to a .onion would be to DDoS its introduction points.  Those have publicly known IP addresses; and I doubt many Tor node operators are prepared to handle even something so commonplace as an amplified flood of UDP packets in response to forged DNS requests.  The .onion will become available again as it changes introduction points; but meanwhile, users will have an awful time getting through.  I am not saying anything which is not already well-known and widely discussed amongst Tor devs.

On another note, I would not deem Ulbricht competent to admin the website for a hot-dog cart.  Let alone to run a site under a threat model far beyond my abilities, and likely beyond the capability of the Tor network.  He couldn’t even keep PHP (!) errors from spilling his servers’ guts.  I guess he must have been high on drugs.  I would not take any lessons from his experience, other than mining it for examples of what not to do.  Whereas .onions run by competent sysadmins have survived extreme DDoS attempts.

What some people just do not get:  Before there were drug laws, there was no drug culture.  Libertarians, hippies, and Drug-Warriors all share the same blind spot here.

Indeed, once upon a time, there was the practical opposite of a drug culture.  Before there were drug laws—before there was a drug problem—Western societies were what $YEAR would consider ultra-arch-paleo-conservative.  Yes, you could then buy some heavy-duty drugs at the drug store; that’s why it’s called the drug store!  Yet anybody who became patently dysfunctional from addiction to cocaine, opiates, or for that matter, alcohol would be mercilessly shamed, shunned, humiliated, and outcast from civil society.

Addiction was not (and is not) an “illness”; it was (and is) a character flaw.  Those who overtly demonstrated such flaws could go die in a hole, as far as sane people were concerned.

The upshot is that other than alcohol, most intoxicating drugs were used only for medicinal purposes by most people.  I think drunks were more common, but they were universally despised.

This principle also goes to show exactly why some drugs are socially and legally tolerated, and others aren’t.  Caffeine and nicotine don’t make you stupid—quite to the contrary, in fact.  NASA’s Mission Control room during the Apollo missions was always strewn with coffee cups and overflowing ashtrays.  That was a part of literally going to the Moon; and I guarantee that not one of those guys ever “did drugs” in the sense people mean that—not on the job, and not anytime!  Alcohol has higher abuse potential; but the vast majority of people can consume moderate amounts of alcohol without ever becoming dysfunctional.  Of course, I am only stating the obvious.  What I just said is clearly understood by anybody whose brain is not damaged from doing drugs.

Disgust for intoxication has been common to every functional society.  Fascinating fact:  The word amethyst derives from the ancient Greek words meaning, “not drunk”.  The Greeks enjoyed wine, but they abhorred drunkenness.  They mixed their wine with water, believing undiluted wine to be a poison.  There was also a widespread belief that amethyst stones had magical powers to prevent intoxication; and some people carved wine goblets out of amethyst, in the hope that this would let them drink without getting drunk.  Fancy that, an active desire to drink without drunkenness!  Contrast that healthy attitude with today’s popular desire for “altered consciousness”.

In modern times, the cultural glorification of intoxication started in the interwar period.  This occurred as part of a cultural upheaval in both Europe and America; but I think it was worst in America, due to Prohibition.  In the speakeasies, whiskey (illegal) and cocaine (legal) were the intoxicants of choice.  For the first time in the history of this civilization, youths developed a widespread notion that it was, like, totally awesome to go out and get smashed.  The 1920s had 1960s counterculture in miniature; and with the seed of a drug culture having taken root, it only took time to grow and spread.  Drug Warriors tried to fix the problem with more prohibitions, leading only to predictable results.

As for druggies:  People who glorify, condone, or even excuse states of extreme or chronic intoxication can’t and shouldn’t be helped.  For this reason, I fully support instant legalization for most drugs (except marijuana and hallucinogens)—combined with the exclusion of known drug users from all health insurance, welfare, and assistance with food and housing.  Drug abuse would quickly prove itself to be a strictly self-limiting problem.

Druggies, don’t whine.  I am supporting your freedom to kill yourselves!  Others, please join me in fixing the social and cultural problem with its only cure:  Unlimited cold contempt for people whose idea of “fun” is asinine self-destruction.  Drug abuse will only decrease and decease when scum who do drugs are once again “mercilessly shamed, shunned, humiliated, and outcast from civil society.”  I am doing my part.

---

Bitcoin shows no mercy for those who lose their private keys.  You have ultimate power over your own, and ultimate responsibility for yourself.  Mess up, and you will lose everything—nobody can help you.  There seems to be a lesson there.

You have only one body.  You have only one brain.  Mess those up intentionally, and you will lose everything.  Have a nice trip! ☠

Animations distract, that’s why advertisers (ab)use them.


Touché.  It’s only a matter of font availability, or lack thereof.  As for myself, I am stuck with whatever Tor Browser bundles or otherwise coerces.  Installed fonts (and even minor variations in versions of the same font) can be used in fingerprinting attacks to distinguish users, sort of like a built-in universal tracking cookie.  “Design Goal: Font-based fingerprinting MUST be rendered ineffective”.  Thus, all Tor Browser users must use exactly the same font sets.

If you want to get rid of the emoji entirely, you’d need to tinker with your system fonts.  This madness started with Unicode 6.0, and it’s only getting worse.  Unicode won’t cough up a codepoint to distinguish umlaut from diaeresis/tréma, but will eagerly flood its <21-bit codespace with colourful pictures.

THIS.  Thank you.  A Bitcointalk .onion was on my mind all week, together with other anti-DDoS mitigation ideas about which I hope to write up suggestions.  It is also something I may perhaps, maybe, perhaps be willing to not only talk about (hint, hint).

.onion sites already have less exposure to DDoS than sites on the open Internet.  Connections to .onion have no access to a full network stack—only to streams through Tor’s circuit protocol, a custom stream transport layer.  No TCP handshake tricks, no amplified UDP floods to clog the pipes, etc.  I suppose theymos’ “homebrew” anti-DDoS had already stopped those.  But also, the capacity limitations and cell queuing mechanisms of the Tor network and its nodes provide some upper bounds on any type of DDoS which uses high bandwidth.  That leaves (1) specialized attacks against the Tor onion proxy, (2) DDoS against introduction points, and (3) any relatively moderate-/low-bandwidth application-layer attacks.  (“Relatively” compared to DDoS which uses tens or hundreds of gigabits per second.)

For (1), lock down that onion proxy tight and isolate it from the web backend—which you should do anyway.  At least it can’t take down the site itself, or affect reachability from clearnet.  Better still, use onionbalance with multiple onion proxies; that gives load-balancing and failover, and also permits isolating v2 .onion private keys from the machines handling visitor traffic.  (2) is really a Tor network issue, though maxing out your intro points with onionbalance will help.  For (3), well, as always—don’t run poorly designed software.  nginx is already robust against HTTP-level DDoS; I have no idea about the vulnerability profile of SMF, other than that it’s database-intensive forum software written in PHP.  I guess, start by disabling the search function through .onion...

I don’t see why a monthly paid subscription should be required.  If that was intended as an idea for .onion, it would effectually restrict .onion use to people who directly make money off the forum—signature campaigners, etc.  Instead, to prevent abuse, I’d suggest that full posting privileges through .onion be restricted to full Members or paid Copper Members.  (I am guessing that Junior Member accounts may be too cheap on the account sale market, especially for hacked accounts.)  .onion posters without those ranks should be restricted through a “newbie jail”-like system.  Those who could not afford paid membership, could spend a few months ranking up in the .onion jail—or through clearnet exits, just like now.  For spammers and scammers, throwaway accounts would be prohibitively expensive.

Perhaps also add a “.onion” tag below the username and rank for posts made through .onion.  I am reluctant to suggest that, given the level of prejudice some people have against Tor users; but I don’t think the moderators here have such a bias, which is the important part to me, personally.  I myself would be proud to wear a “.onion” tag.  I would explicitly add it, if it were offered as an option.

For a non-location-hidden .onion, as I presume this would be, single-onion mode should be snappy for users.  Projects such as Debian and Tor Project successfully run high-bandwidth services such as public apt repositories through .onions, using onionbalance.  Debian users can do all their OS updates without ever touching clearnet!  Use of .onion also helps the Tor network, by shifting load off the bottleneck of exit nodes.  Any relay can serve as as a rendezvous point, including the far more numerous “middle nodes”.

Note that any .onion version of the forum must be verified to work with Javascript disabled.  Excepting signup and login functions, basic functionality seems to work fine that way.


Cloudflare’s effect on spam should be somewhere between negligible and nil.  It’s an anti-DDoS reverse proxy network and caching CDN; it also filters out attacks against braindead applications which can’t handle Bobby Tables.  I don’t see how it could help much against spam; how could the HTTP requests involved in spam posts be distinguished from legitimate network traffic?  Especially the spam posts made by nominal humans?  Though I suppose that forum spam is a wetware-layer DDoS.  It does “deny service” when the forum is unreadable.


I wonder whether theymos’ “evil IP” system uses the publicly known IPs of Tor exits, as published in the consensus.  It would make sense to charge a set price to all Tor users, rather than varying the fee by measurements taken on a particular exit IP.  But n.b., not all exits actually exit through the same IP as they use for their ORPort.  I recall some research finding that as many as 10% of exits did otherwise.  This is useful for avoiding blocks, but risky for node operators since the IP is not listed in the “exonerator”.

Actually, user-agents which disable, inhibit, or do not support APNG may instead display only the first frame; and for software which does not support APNG, you may use an image which does not appear in the animation at all.  Thus, I see at least three different cases, the last two of which may overlap:

1. Software which is configured to disable looping, and will stop on the last frame.

2. Software which stops on the first frame.

3. Software which does not support APNG, and will always display the image in the IDAT.  This includes Microsoft browsers, and older Chrome/Blink-based browsers (reference).  Depending on how you construct the APNG, the IDAT may be the first frame; or it may not appear in the animation at all.  The difference is determined by whether the first fcTL chunk appears before or after IDAT.  This allows use of a separately designed fallback image.

https://wiki.mozilla.org/APNG_Specification

P.S., LoyceV, thanks for the tip.  I didn’t know that option.  My forum experience will henceforth be less annoying.  Now, if only there were a means to make the browser strip Unicode emoji 💩 from subject lines. 🔥 👿 🔥

Well, write off hours wasted trying to coerce fresh Tor Browser to do exactly what I wanted with my precious seventeenth-circuit login cookies (as recovered from the browser console).  I finally gave up, and installed a persistent browser exclusively for Bitcointalk.org.  After checking the appropriate boxes and “only” trying three circuits to get a CAPTCHA, I am now allegedly logged in until the year 2023; oh yes, I backed up those cookies!

I thus hope to not be the canary in the CAPTCHA anymore; but I do care about this issue, and I will continue trying to adduce a workable solution.

Thanks to those who replied.  Now that I don’t face a steep login hassle, I will be catching up on this and other threads.

Why would they bother trying the back door, when sites (and browsers) grant them front-door access?

Cloudflare is a global active adversary which MITMs every connection by design, as theymos wisely noted.

The following is a real-life allegory pertaining to gold’s new competitor, Bitcoin.

What would you do, if gold were made illegal?

Think it can’t happen?  Well—how many of you are American?  Private individual ownership of gold coins and bars was illegal in the United States for four decades.  “Hoarding” individual wealth in gold was banned from 1 May 1933 until 31 December 1974.  Vast amounts of gold bullion were confiscated from people, who were forced to accept instead the Monopoly Money known as “United States Dollars”.  Numerous individuals were criminally prosecuted for attempting to keep their gold—a crime according to Executive Orders 6102, 6111, 6260, and 6261, and the Gold Reserve Act passed by the U.S. Congress and signed into law by U.S. President Franklin Delano Roosevelt.


This is fact, not fancy.  Not some weird theory.  This is history:  It actually happened.  And if it happened before, it could happen again.

Well, you might say:  What if nobody knows I have any gold?  That would require that you buy it anonymously.  Store it in secret.  Never brag about it.  Never use it in any way which can be traced.  And take precautions, just in case somebody may be making a list of people who own gold.

Please take care of your Bitcoin privacy—and your privacy with gold, too.

Single data point:  This applies to me.  I don’t wish to discuss details publicly.  I did overpay.


Well, then why bother with the large (and futile) effort of trying to associate a payment-from address?  Delegating trust to a public key (Bitcoin or otherwise) is an ordinary key management issue; and it’s orthogonal to the anti-abuse payment mechanism.


https://github.com/bitcoin/bitcoin/issues/10542 (only discusses Segwit P2WPKH-in-P2SH; generalizing a signature scheme for P2SH would be a non sequitur.)

I recently made this mistake, much to my embarrassment.

---

Anyway, this whole discussion is on the wrong thread.  The login CAPTCHA issue is distinct from the Cloudflare issue.  theymos added the login CAPTCHA sometime before 2017-10-19, and moved behind Cloudflare 2017-11-29.  The login CAPTCHA is not from Cloudflare.

Duly noted.  Your rolodex must be spooky.

Aside, with apologies—not to toot my own horn, but very few people can match my abilities in the trick art of proper Tor use.  Admittedly, Satoshi could well have exceeded me.

I’m not worried.  I’m not doing anything illegal, either.

Interesting.  I also have what I would consider “high speed Internet”.  Using a new session of Tor Browser through Tor, my connections should be indistinguishable from yours; that is the whole purpose of Tor, as well as Tor Browser’s anti-fingerprinting measures.  If we appear identical, we should get identical treatment.  Why do we seem to observe different results?  An interesting question, indeed.

Have you tried this recently?  In the past week or so, the situation has become progressively worse from where I sit.  First, the “automated queries” message happened occasionally; it was only a minor annoyance.  Then, it happened every time—but could be fixed with a circuit change.  Today, I was forced to try seventeen circuits before I could even get a CAPTCHA.  Google search followed a similar pattern over the years, ending in total lockout of Tor.

What do you observe with your “free VPN”?  Does it give you the “automated queries” message, or lock you out some other way?

Why privacy?  See also my .sig: “...Because I do nothing wrong, I have nothing to show.”  (And why are you even using Bitcoin, if you think that what Satoshi did “may be illegal”?  You are not a mind-reader; your supposition of Satoshi’s motives says nothing about him, and everything about you.  Do you believe that Bitcoin be illegal?)  But your deliberately insulting flamebait is off-topic.

theymos has never been anything but supportive of legitimate Tor users.  The question here is not pro-/anti-Tor.  There is some sort of real problem with abuse, not specific to Tor.  A CAPTCHA was added to the login page for all users, to prevent this abuse.  But this traded one problem for another, because Google hates Tor users.  They pretend not to, but they really do; I speak from long experience of having used the Internet exclusively through Tor, for years.  Google search itself followed a similar pattern:  First, they CAPTCHAed Tor users; and then, they replied with an “automated queries” accusation against even Tor users who could solve CAPTCHA; and that is where it stands.  Google’s flagship product gives an endless CAPTCHA loop, which wholly prevents it from being used through Tor.

I desire to solve the problem constructively—and meanwhile, to provide user reports documenting the severity of the problem.  Let’s please focus on that.

N.b. that the login page CAPTCHA is not from Cloudflare.  theymos added the login CAPTCHA sometime before 2017-10-19, and moved behind Cloudflare 2017-11-29.  But of course, the same Google CAPTCHA is involved; and the point you raise is interesting.  Compare:


I suggest reading that post at length.


Good idea.  I suggested exactly that, in a post which seems to have been axed for reasons unknown to me.  (Do I need to snap public archives of all my posts?  I do save the text locally.)


Any which way, if any popular forum has users who can handle public-key crypto, it should be Bitcointalk.org!