newsflash! cypherpunks mailing list is behind cloudflare-NSA
subject says it all. oh and I didn't send the previous message "Cryptocurrency: Trump Pumps Cryptos, Andreas Blasts jewcoins"
On July 12, 2019 4:02:20 AM UTC, Punk <punks@tfwno.gf> wrote:
[snip]
oh and I didn't send the previous message "Cryptocurrency: Trump Pumps Cryptos, Andreas Blasts jewcoins"
Start signing your messages with a pgp key? Seems like the simplest and most secure method of preventing impersonation. Cheers John
Newsflash! This happened in April, and was announced here: https://lists.cpunks.org/pipermail/cypherpunks/2019-April/045250.html

We have been on Cloudflare's DNS since then for the email lists. I have shut their CDN on and off, and it's currently on. This means that their content distribution network does some caching of visits to https://lists.cpunks.org (i.e., the Mailman interface to list archives etc.).

But the CDN doesn't handle emails. Those go through the (only) server for the list, which is also known as PGLAF.org.

In olden days of cypherpunks, there was a distributed list delivery via multiple servers. These days, it's on the single server, managed by the Mailman software. The server has the usual array of anti-spam measures like graylisting, SPF, DKIM and DMARC. But it's not that hard to spoof another user... if there are problems, I can dig into them a bit via the server logs.

And, if people think we should turn off the Cloudflare CDN, I can do that easily enough. It is not very relevant for us, other than perhaps making it a bit faster for people who are harvesting the list archives from somewhere that the CDN is faster than the (GigE) network that PGLAF.org sits on.

- Greg

On Fri, Jul 12, 2019 at 01:02:20AM -0300, Punk wrote:
subject says it all.
oh and I didn't send the previous message "Cryptocurrency: Trump Pumps Cryptos, Andreas Blasts jewcoins"
On Fri, 12 Jul 2019 11:42:04 -0700 Greg Newby <gbnewby@pglaf.org> wrote:
Newsflash! This happened in April, and was announced here: https://lists.cpunks.org/pipermail/cypherpunks/2019-April/045250.html
I was about to write that "oops, I missed that message", but I actually didn't. I read that message when it was posted and I just re-read it, and it says nothing about cloudflare being used.
We have been on Cloudflare's DNS since then for the email lists.
I have shut their CDN on and off, and it's currently on. This means that their content distribution network does some caching of visits to https://lists.cpunks.org
yeah that's what I saw (cloudflare notice when JS is disabled) Using cloudflare's cdn also means that the NSA gets a direct record of who looks at the archives, or at least they get the traffic for further 'traffic analysis'. Also obv cloudflare-NSA automatically tracks visitors across all sites that use cloudflare. Now, given how entrenched the surveillance state is, one could 'argue' that this is just another drop in the ocean, but still...
(i.e., the Mailman interface to list archives etc.).
But the CDN doesn't handle emails. Those go through the (only) server for the list, which is also known as PGLAF.org.
oh, ok.
In olden days of cypherpunks, there was a distributed list delivery via multiple servers. These days, it's on the single server, managed by the Mailman software. The server has the usual array of anti-spam measures like graylisting, SPF, DKIM and DMARC. But it's not that hard to spoof another user... if there are problems, I can dig into them a bit via the server logs.
And, if people think we should turn off the Cloudflare CDN, I can do that easily enough. It is not very relevant for us, other than perhaps making it a bit faster for people who are harvesting the list archives from somewhere that the CDN is faster than the (GigE) network that PGLAF.org sits on. - Greg
On Fri, Jul 12, 2019 at 01:02:20AM -0300, Punk wrote:
subject says it all.
oh and I didn't send the previous message "Cryptocurrency: Trump Pumps Cryptos, Andreas Blasts jewcoins"
On 7/12/19, Greg Newby <gbnewby@pglaf.org> wrote:
Newsflash! This happened in April, and was announced here: https://lists.cpunks.org/pipermail/cypherpunks/2019-April/045250.html We have been on Cloudflare's DNS since then for the email lists.
Use of CF or any other CDN was not mentioned in the announcement, whether for DNS, or HTTPS. The entire internet is NSA anyway.

If CDN for HTTPS, consider multihoming on I2P or Tor so users can still access when CDN javascript captcha or otherwise arbitrarily blocks them or goes down.

As to caching bandwidth and archives... You really should fork that 335MiB mbox file off now or no later than year end, and compress it, and then once yearly thereafter, and sign them all. People will eventually seed them into IPFS, etc.

Try using a modern unix compression tool like zstd, they are faster, smaller, available for all systems...
https://github.com/facebook/zstd
https://facebook.github.io/zstd/
https://code.fb.com/core-data/zstandard/
https://en.wikipedia.org/wiki/Zstandard
Thanks for the discussion and input on the DNS hosting. I appreciate the knowledge and speculation of the group.

Another newsflash! I turned off CDN in Cloudflare. All traffic (web, email, and any other IP traffic) will go straight to the (only) server at 65.50.255.19, 2604:3200:0:3:21e:67ff:fe86:ff9c/64.

For the curious, this is a server that is owned by the Project Gutenberg Literary Archive Foundation (a 501(c)3 charity that operates Project Gutenberg). I'm the long-time director & CEO. The server is a real physical server, not a VM or cloud-hosted. It hosts a few other domains, including companies of my wife & mother-in-law. Also our hobby site for dog mushing, https://www.stinkypup.net .. The server lives in a Castle Access facility in San Diego, but my hosting provider is johncompanies.com (it's their rack, and they provide excellent front-line support. Recommended). The upstream connection is provided by Cogentco. All of the above could be discovered with a little sleuthing, and I thought the list subscribers might be interested.

Concerning Cloudflare: If there are recommendations for other free or cheap DNS providers, I'd like to hear them. I had used editdns and Zonedit for years, then the first was bought by DynDNS then by Oracle, and the second ceased operations. I prefer to have my domain WHOIS on one provider, my DNS with another provider, and then to run the server myself. I still have other domains with Oracle's DNS service, which used to be DynDNS. They grandfathered "Lifetime" free service, and that lifetime is now ending: Oracle announced end-of-life for their free service as of May 2020. So, I need to move those other domains somewhere. Cloudflare offers a lot of capability at their free level, so that's what I tried with lists.cpunks.org

Also, one other administrivia: The www.cpunks.org is on a different server, different IP, and different nameserver. It just redirects to lists.cpunks.org right now, but Riad and I like having some division of services.

More on archives etc.:

On Fri, Jul 12, 2019 at 06:34:07PM -0400, grarpamp wrote:
On 7/12/19, Greg Newby <gbnewby@pglaf.org> wrote:
Newsflash! This happened in April, and was announced here: https://lists.cpunks.org/pipermail/cypherpunks/2019-April/045250.html We have been on Cloudflare's DNS since then for the email lists.
Use of CF or any other CDN was not mentioned in the announcement, whether for DNS, or HTTPS. The entire internet is NSA anyway.
My bad for not mentioning it. There are tons of features in Cloudflare, even at the free service level, and this one was on by default. I spent a little time twiddling it, and then left it on. This should have been disclosed to the list. Anyway, it's now off, and I intend to leave it off. Other related features, like Javascript-based captchas, are options on top of the CDN, so none of that stuff will happen to our list. The only reason I might consider turning it on temporarily in the future is if there is a DDoS against the server. Cloudflare has some great capabilities for intercepting attack traffic. And:
If CDN for HTTPS, consider multihoming on I2P or Tor so users can still access when CDN javascript captcha or otherwise arbitrarily blocks them or goes down.
Yeah, I will try to look into this. I haven't set it up before, but instructions are out there. I agree this is a perfectly reasonable thing to do for the list.
As to caching bandwidth and archives...
You really should fork that 335MiB mbox file off now or no later than year end, and compress it, and then once yearly thereafter, and sign them all. People will eventually seed them into IPFS, etc.
Yes. I am overdue for doing this, and don't mind being periodically reminded. If someone else wants to work on this type of thing, I can provide easy access to everything. Basically, we have a complete archive from 2013-present, and nearly complete from before that back to the earliest days. Though the older stuff is in mbox files that don't parse quite correctly, and have tons of spam. - Greg
Try using a modern unix compression tool like zstd, they are faster, smaller, available for all systems...
https://github.com/facebook/zstd
https://facebook.github.io/zstd/
https://code.fb.com/core-data/zstandard/
https://en.wikipedia.org/wiki/Zstandard
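The archive procedure grarpamp describes and Greg agrees to (fork the mbox off per year, compress it, sign the result) can be scripted. The following is an added example, not code from the list's server or from anyone in the thread. It uses Python's standard `mailbox` module to split a single mbox into per-year files, writes a `SHA256SUMS` manifest that can then be signed with `gpg --detach-sign`, and calls the `zstd` command-line tool only if it happens to be installed. The four-message mbox, the `archive-<year>.mbox` naming and the `example.invalid` addresses are constructed for the example; the real archive and its paths are not on the page.

```python
import hashlib
import mailbox
import os
import shutil
import subprocess
import tempfile
from email.utils import parsedate_to_datetime

# Constructed four-message mbox standing in for the real list archive.
# The last message has an unparseable Date: header on purpose, which the
# old pre-2013 mbox files Greg mentions are likely to contain as well.
SAMPLE_MBOX = """From alice@example.invalid Mon Jan  1 10:00:00 2018
From: alice@example.invalid
To: list@example.invalid
Subject: first
Date: Mon, 01 Jan 2018 10:00:00 +0000

hello

From bob@example.invalid Tue Jun  5 12:00:00 2018
From: bob@example.invalid
To: list@example.invalid
Subject: second
Date: Tue, 05 Jun 2018 12:00:00 +0000

again

From carol@example.invalid Fri Jul 12 01:02:20 2019
From: carol@example.invalid
To: list@example.invalid
Subject: third
Date: Fri, 12 Jul 2019 01:02:20 -0300

third

From dave@example.invalid Sat Jul 13 09:00:00 2019
From: dave@example.invalid
To: list@example.invalid
Subject: broken date
Date: not a date

fourth
"""


def message_year(msg):
    """Year from the Date: header, or 'undated' if it is missing or unparseable."""
    date = msg.get("Date")
    if not date:
        return "undated"
    try:
        parsed = parsedate_to_datetime(date)
    except (TypeError, ValueError):  # older Pythons raise TypeError, newer ValueError
        return "undated"
    return str(parsed.year) if parsed is not None else "undated"


def split_mbox_by_year(src_path, out_dir, prefix="archive"):
    """Copy each message of src_path into out_dir/<prefix>-<year>.mbox.

    Returns {year: message count}. The source mbox is left untouched.
    """
    os.makedirs(out_dir, exist_ok=True)
    outputs, counts = {}, {}
    src = mailbox.mbox(src_path, create=False)
    try:
        for msg in src:
            year = message_year(msg)
            if year not in outputs:
                outputs[year] = mailbox.mbox(os.path.join(out_dir, f"{prefix}-{year}.mbox"))
            outputs[year].add(msg)  # keeps the original "From " envelope line
            counts[year] = counts.get(year, 0) + 1
    finally:
        src.close()
        for box in outputs.values():
            box.flush()
            box.close()
    return counts


def compress_with_zstd(path, level=19):
    """Write path.zst with the zstd CLI when it is installed; returns the new path or None."""
    zstd = shutil.which("zstd")
    if zstd is None:
        return None
    target = path + ".zst"
    subprocess.run([zstd, "-q", "-f", f"-{level}", path, "-o", target], check=True)
    return target


def write_manifest(out_dir, manifest_name="SHA256SUMS"):
    """Write sha256sum-compatible lines for every file in out_dir; returns {name: hex digest}.

    Signing this one file (gpg --detach-sign SHA256SUMS) then covers every archive.
    """
    digests = {}
    for name in sorted(os.listdir(out_dir)):
        if name == manifest_name:
            continue
        h = hashlib.sha256()
        with open(os.path.join(out_dir, name), "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        digests[name] = h.hexdigest()
    with open(os.path.join(out_dir, manifest_name), "w") as fh:
        for name, digest in digests.items():
            fh.write(f"{digest}  {name}\n")
    return digests


def run_demo():
    """Split the constructed mbox in a temp dir; returns (counts, digests, reread counts)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "all.mbox")
        with open(src, "w") as fh:
            fh.write(SAMPLE_MBOX)
        out_dir = os.path.join(tmp, "by-year")
        counts = split_mbox_by_year(src, out_dir)
        for name in sorted(os.listdir(out_dir)):
            compress_with_zstd(os.path.join(out_dir, name))
        digests = write_manifest(out_dir)
        # Re-open each yearly file to confirm the split round-trips.
        reread = {n.split("-")[1].split(".")[0]: len(mailbox.mbox(os.path.join(out_dir, n)))
                  for n in os.listdir(out_dir) if n.endswith(".mbox")}
        return counts, digests, reread


if __name__ == "__main__":
    counts, digests, reread = run_demo()
    print(counts, reread)
    for name, digest in digests.items():
        print(digest, name)
```

Compression happens before the manifest is written so the digests cover both the raw and the `.zst` files; the manifest, not each archive, is what gets detached-signed once a year, which is the "sign them all" step of the thread with a single signature per run.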
On 7/13/19, Greg Newby <gbnewby@pglaf.org> wrote:
recommendations for other free or cheap DNS providers, I'd like to hear them.
I prefer to have my domain WHOIS on one provider, my DNS with another provider, and then to run the server myself.
Many registrars throw in DNS service for free. Free DNS services independent from registrar are harder to find but do still exist, try a web search. cpunks.org registrar is currently namecheap under PIR, with its NS pointing out to friendly nameservers for its SOA.
whether for DNS, or HTTPS.
There are tons of features in Cloudflare, even at the free service level
Other related features, like Javascript-based captchas, are options on top of the CDN
Supposedly those can be disabled or made much less aggressive or more friendly, while still utilizing CDN cache / anti-DoS
The only reason I might consider turning it on temporarily in the future is if there is a DDoS against the server. Cloudflare has some great capabilities for intercepting attack traffic.
Sure, try keeping the Cloudflare account active in case you need to quickly point there for a while to defeat a DoS attack.
I2P or Tor instructions are out there.
Know that you can still get scraped and TCP games through those. Though at least tor has onion auth keys you can post to the list now and then that will block all access to non subscribers. robots.txt can be useful, yet easy to defeat. There's also .htaccess at the webserver level. And a mailman access at that level. Unfortunately the latter two will prevent the list from being picked up by search engines.
johncompanies.com
Still going.
Oracle ... DynDNS
Oracle loves to unfree things... Solaris, ZFS, etc. DynDNS started selling itself around 2002. RedHat just bought by IBM. Takes a lot of structure forethought to be able to uphold promises of free models for long term.
On 7/11/19 23:02, Punk wrote:
oh and I didn't send the previous message "Cryptocurrency: Trump Pumps Cryptos, Andreas Blasts jewcoins"
Someone hijacked your session or has your password perhaps? From the headers on that message:

Received: from cock.li (mx1.cock.li [185.10.68.5]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pglaf.org (Postfix) with ESMTPS id 2312911C040D for <cypherpunks@lists.cpunks.org>; Thu, 11 Jul 2019 19:17:23 -0700 (PDT)

So it really came from cock.li. So if it's not specific to your account, either cock.li got hacked, or it's an inside job by Vince (I really hope not, despite some of the real crackpots I've seen using his mail server, I get the impression Vince really is trying to be a good guy).

-- 
Shawn K. Quinn <skquinn@rushpost.com>
http://www.rantroulette.com
http://www.skqrecordquest.com
On Fri, 12 Jul 2019 21:09:32 -0500 "Shawn K. Quinn" <skquinn@rushpost.com> wrote:
On 7/11/19 23:02, Punk wrote:
oh and I didn't send the previous message "Cryptocurrency: Trump Pumps Cryptos, Andreas Blasts jewcoins"
Someone hijacked your session or has your password perhaps? From the headers on that message:
Received: from cock.li (mx1.cock.li [185.10.68.5]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pglaf.org (Postfix) with ESMTPS id 2312911C040D for <cypherpunks@lists.cpunks.org>; Thu, 11 Jul 2019 19:17:23 -0700 (PDT)
hmm - yeah I too looked at the headers and saw that the message apparently came from cock.li. I assumed that cock.li allows spoofing of the sender, so anyone with an account there can do it? IIRC somebody also spoofed my gmail account once or twice, although that was easier to see in the headers.
So it really came from cock.li. So if it's not specific to your account, either cock.li got hacked, or it's an inside job by Vince
hmm - now that you mention that, it's kinda obvious that these two spoofed messages
https://lists.cpunks.org/pipermail/cypherpunks/2019-July/075590.html
https://lists.cpunks.org/pipermail/cypherpunks/2019-July/075576.html
came from the same person who has written a lot of similar messages using addresses from cock.li - so he MIGHT be Vince? (or the NSA who hacked his server...or...long list)

Here are some examples of messages that my natural 'neural network' tells me come from the same person (patterns are pretty obvious...)
https://lists.cpunks.org/pipermail/cypherpunks/2017-August/068903.html
https://lists.cpunks.org/pipermail/cypherpunks/2017-August/068906.html
https://lists.cpunks.org/pipermail/cypherpunks/2017-August/068907.html
https://lists.cpunks.org/pipermail/cypherpunks/2017-October/069409.html
https://lists.cpunks.org/pipermail/cypherpunks/2017-October/039856.html
https://lists.cpunks.org/pipermail/cypherpunks/2017-December/070296.html
https://lists.cpunks.org/pipermail/cypherpunks/2017-December/070353.html
https://lists.cpunks.org/pipermail/cypherpunks/2017-December/070353.html
etc etc, there are lots of them.
(I really hope not, despite some of the real crackpots I've seen using his mail server, I get the impression Vince really is trying to be a good guy).
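Shawn and Punk both read the Received: chain by eye to decide where the forged message entered the list server. The script below does the same thing mechanically and is an added example, not code from anyone in the thread or from the list's Mailman/Postfix setup. It walks the Received: headers newest-first (each MTA prepends its own line), trusts only the line written by the list's own host, and reports the outside relay, its IP and the TLS version of the hand-off. The first Received: line is the one Shawn quoted from the page; the second hop (a `192.0.2.10` documentation address, a made-up queue id) and the rest of the message are constructed, and `pglaf.org` as the set of trusted hosts is taken from Greg's description of the single-server setup.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message. The topmost Received: line is the one quoted in
# the thread; the lower hop, queue id CONSTRUCTED01 and the body are made up.
SAMPLE_MESSAGE = """\
Received: from cock.li (mx1.cock.li [185.10.68.5])
\t(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
\t(No client certificate requested)
\tby pglaf.org (Postfix) with ESMTPS id 2312911C040D
\tfor <cypherpunks@lists.cpunks.org>; Thu, 11 Jul 2019 19:17:23 -0700 (PDT)
Received: from [192.0.2.10] (unknown [192.0.2.10])
\tby cock.li (Postfix) with ESMTPS id CONSTRUCTED01
\tfor <cypherpunks@lists.cpunks.org>; Thu, 11 Jul 2019 19:17:20 -0700 (PDT)
From: Punk <punks@tfwno.gf>
To: cypherpunks@lists.cpunks.org
Subject: constructed example
Date: Thu, 11 Jul 2019 23:17:00 -0300

body
"""

# "from <helo> (<reverse-dns> [<ip>])" as written by Postfix and most MTAs.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)")
BY_RE = re.compile(r"\bby\s+(?P<by>\S+)")
TLS_RE = re.compile(r"using\s+(?P<tls>TLSv[\d.]+)")


def parse_received(value):
    """Split one (possibly folded) Received: header into its parts."""
    text = " ".join(value.split())  # unfold continuation lines
    hop = {"helo": None, "rdns": None, "ip": None, "by": None, "tls": None, "time": None}
    m = HOP_RE.search(text)
    if m:
        hop.update(m.groupdict())
    m = BY_RE.search(text)
    if m:
        hop["by"] = m.group("by")
    m = TLS_RE.search(text)
    if m:
        hop["tls"] = m.group("tls")
    if ";" in text:  # the receiving MTA's timestamp follows the last ';'
        try:
            hop["time"] = parsedate_to_datetime(text.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            pass
    return hop


def received_chain(msg):
    """All hops, newest first, in the order the headers appear."""
    return [parse_received(v) for v in msg.get_all("Received", [])]


def handoff_hop(msg, our_hosts):
    """The hop where an outside relay handed the message to one of our hosts.

    Only Received: lines our own servers wrote can be trusted; every line
    below them came with the message and could have been forged by the sender.
    """
    for hop in received_chain(msg):
        if hop["by"] in our_hosts:
            return hop
    return None


def sender_domain(msg):
    """Domain of the From: header, which is what a reader sees and what a forger sets."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def summarize(raw, our_hosts=frozenset({"pglaf.org"})):
    """Facts a list admin would pull from the headers before checking server logs."""
    msg = message_from_string(raw)
    hop = handoff_hop(msg, our_hosts)
    return {
        "from_domain": sender_domain(msg),
        "hops": received_chain(msg),
        "handoff_rdns": hop["rdns"] if hop else None,
        "handoff_ip": hop["ip"] if hop else None,
        "handoff_tls": hop["tls"] if hop else None,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_MESSAGE)
    print("From: domain      ", report["from_domain"])
    print("handed to us by   ", report["handoff_rdns"], report["handoff_ip"], report["handoff_tls"])
    for hop in report["hops"]:
        print("  hop:", hop["rdns"], hop["ip"], "->", hop["by"], hop["time"])
```

The only line the list admin can vouch for is the one `pglaf.org` wrote, so the trustworthy conclusion is exactly Shawn's: the message was delivered by cock.li's MX over TLS. Everything below that line is the sender side's claim. That is why the thread is left with the provider-side explanations (an account compromise, or a provider that accepts any From: address from its users), and why John's suggestion of PGP-signing posts and a DKIM signature from the provider are the two things that would settle it without trusting headers at all.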
participants (5): grarpamp, Greg Newby, John Newman, Punk, Shawn K. Quinn