Matthew Toseland | 4 Oct 15:16 2015

Re: Hi

On Sun, Oct 04, 2015 at 01:58:15AM -0400, Steve Dougherty wrote:
> In the light of the elliptic curve attacks [0] are you interested in
> helping rekey the seed nodes? Does it require new code?
> - Steve
> [0]

I don't think this affects us much actually. It only exposes the ephemeral
ECDH keys, not the node private key. We don't need to change the ECDSA node 
private keys because of a bug affecting ECDH, which uses different keys.

I guess if Mallory can crack the ECDH keys fast enough he might be able to do
an MITM against the connections between his peers and their peers. Or maybe 
just passively decrypt the connections? JFK is designed to provide some 
protection against DH bugs? On darknet, Mallory can't get any further than his
peers' peers. On opennet, he can add more connections, but there are easier
attacks for that e.g. malicious seednodes.

Devl mailing list
Devl <at>
Ian Clarke | 29 Sep 21:50 2015

Behind the times

Bringing an off-list conversation onto the list (I failed to cc the list in
the first place).


Unfortunately these aren't the only ways we've fallen behind the times
(hard to believe we've been doing this for 15 years!).

   - Maven/Gradle are now de-facto standard build systems for Java apps,
   and yet we're still using Ant (I was never convinced by the security
   argument against these tools, since we don't audit 3rd-party libraries

   - Website badly needs an update, it looks very dated and frankly a bit
   spammy.  Bootstrap anyone, or even the Github page generator would be
   a big improvement

   - We could also use an automatic unit testing system like Travis CI
    (which is free for O.S projects)

Of course, all of these things will require work.  Fortunately, most can be
tackled independently of each other and so we can bite off one piece at a
time, if there are any volunteers to take ownership of them.




xor | 27 Sep 21:17 2015

Freenet/Tunnels 2015-08 paper: On the Impossibility of Efficient Self-Stabilization in Virtual Overlays with Churn

> Abstract
> Virtual overlays generate topologies for greedy routing, like rings or
> hypercubes, on connectivity restricted networks. They have been
> proposed to achieve efficient content discovery in the Darknet mode of
> Freenet, for instance, which provides a private and secure
> communication platform for dissidents and whistle-blowers. Virtual
> overlays create tunnels between nodes with neighboring addresses in the
> topology. The routing performance hence is directly related to the
> length of the tunnels, which have to be set up and maintained at the
> cost of communication overhead in the absence of an underlying routing
> protocol.
> In this paper, we show the impossibility to efficiently maintain
> sufficiently short tunnels. Specifically, we prove that in a dynamic
> network either the maintenance or the routing eventually exceeds
> polylog cost in the number of participants. Our simulations
> additionally show that the length of the tunnels increases fast if
> standard maintenance protocols are applied. Thus, we show that virtual
> overlays can only offer efficient routing at the price of high
> maintenance costs.

Can someone please:

- talk to the authors? Ask them for what we should do? Maybe ask them to 
discuss this here on the mailing list? Or even join IRC? Maybe they could even 
actively join fred development? It'd be really nice to have those folks as 
regular contributors :) Also, please mention something like "By the way: 
Freenet will be running out of funds soon. Do you have ideas about who we 

Steve Dougherty | 19 Sep 21:25 2015

Thoughts on removing native acceleration? [cross-post FMS]

Does anyone have benchmarks that demonstrate native acceleration having
significant performance improvements? Keeping it around makes for
maintenance, and anecdotes suggest native Java performance is
sufficient. If it's no longer a clear benefit to have native
acceleration I'd like to look into removing it to lower maintenance
load. Thoughts?

xor | 17 Sep 11:15 2015

WoT build0018 done: Performance improvements, easier to install

You should prefer reading the HTML version of this changelog.
It provides clickable links and inlined images:
http://localhost:8888/USK@QeTBVWTwBldfI-lrF~xf0nqFVDdQoSUghT~PvhyJ1NE,OjEywGD063La2H-IihD7iYtZm3rC0BP6UTvvwyF5Zh4,AQACAAE/flog/26/

Installation instructions are at "Important stuff".

Text version follows...

Web of Trust Version 0.4.4 build0018

  Measurements [1] of removing Trust values show an average execution
  time of 1.7 seconds, which previously was 49 seconds
  = a speed improvement of factor 28.


NOTICE: According to TheSeeker, his machines have been seized by the US
government. This gives the government access to his WoT / FMS
identities, his freesites, etc. Please update your Trust values.
He was a seed-identity until ~2 years ago, and thus might have received
a Trust value of 100 from you automatically if you created your
identities back then.
(He says this was due to stuff *not* related to Freenet, and that he
was neither intentionally committing a crime nor being aware of
unintentionally having illegal things on his computers.)

NOTICE: While this release has not yet been bundled with a new Freenet
release, it can be acquired a lot easier than previous non-bundled

hyazinthe | 14 Sep 15:06 2015

Call for Participation: 32C3 — 32nd Chaos Communication Congress


as you're constantly in search of new coders, users and money, maybe you're interested in submitting a
talk to this event within the next 2 weeks - that's how long the submission phase goes. The event itself will
take place between Christmas and sylvester, so the end of the year. Last year more than 11.000 people
around the world came to this annual event, which takes place in Germany, Hamburg.

Torben Lechner
Crypt Node | 12 Sep 18:18 2015

Re: C# Tray App (Probably) Feature-Complete

I tested tray app build 1468 linked to in the 1468 release announcement
as well as the 1470 build on Windows 7 x64, and build 1470 on Windows
8.1 x64. Both builds performed the expected action when using the tray
app to open Freenet. Preferences > Browser > Internet Explorer opened IE
in privacy mode. Preferences > Browser > Firefox and Auto opened Firefox
in incognito mode.

Is the windows tray automatically updated when new releases are
installed over Freenet, or is it a manual update? If it's a manual
update, would it help to include the build number in the preferences
screen if anyone has an issue? Does it ever check for updates and notify
the user? Can the download links be changed to include the build number
as part of the file name, and not the extension? Currently they download
as FreenetTray.exe.build01470 which requires the user to rename it.

On 6/18/15 6:45 AM, Steve Dougherty wrote:
> I've found that Firefox's registry key goes in
> HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox on
> Windows 10. (It's also there in Windows 7, but Windows 7 also has it
> elsewhere.) Does this work?
> On Tue, Mar 24, 2015, 10:58 PM Steve Dougherty <steve <at>
> <mailto:steve <at>>> wrote:
>     On 03/23/2015 01:19 AM, Crypto Nation wrote:
>     > I tried the new tray icon in Windows 7 x64, Windows 8.1 x64, and the
>     > Windows 10 x64 Technical Preview build 9926. Tested: Open
>     Freenet, Start

Arne Babenhauserheide | 11 Sep 21:56 2015

freenet <at> bountysource


I just submitted a claim for the bountysource team freenet:

I did that because bountysource now provides an option for monthly
payment (similar to Patreon), so it can form a sustainable base for


> Freenet provides censorship resistant communication, including
> serverless websites, forums, microblogging and email with perfect
> forward security.

> It is in practical use worldwide since 2000 and realizes a
> decentralized, anonymizing datastore with optional friend-to-friend
> structure and spam resistance. In 2015 it received the SUMA award
> for protection against total surveillance.

Best wishes,

Being apolitical
means being political
without noticing it.
- Arne (


xor | 10 Sep 10:12 2015

Multiple SourceForge issues

There was someone on IRC whose Freenet wasn't working because it was
build01217. He got that because our SF account still labels that as latest.

In theory, I would simply request whoever has access to delete the SF account, 
but something important should be considered first:

> In 2013, GIMP’s developers pulled the GIMP Windows downloads from
> SourceForge. SourceForge was full of misleading advertisements
> masquerading as “Download” buttons — something that’s a problem all over
> the web. 
> In 2015, SourceForge pushed back. Considering the old GIMP account on
> SourceForge “abandoned,” they took control over it, locking out the
> original maintainer. They then put GIMP downloads back up on SourceForge,
> wrapped in SourceForge’s own junkware-filled installer.

- So when deleting the account, please first check whether there is some kind 
of opt-out thing to tell them "do not take control over the account".
xor | 8 Sep 15:27 2015

We've been invited to a European Parliament conference

[15:18] <qwebirc59848> Dear Ian Clarke,  The Civil Liberties Justice and Home 
Affairs Committee (LIBE) and the Science and Technology Options Assessment 
Panel (STOA) of the European Parliament are organising, in association with 
the Luxemburg Presidency of the European Council, on 8 -9 December 2015 at the 
European Parliament, a high-level conference on ‘Protecting on-line privacy by 
enhancing IT security and EU IT autonomy’.
[15:19] <qwebirc59848> This high-level conference will gather about 100 
academics and policy-makers to discuss possible European policies for 
enhancing privacy protection on the Internet in a post-Snowden world. This 
event is organised as a follow-up to the report adopted by the EP on 12 March 
2015 "on the US NSA surveillance programme, surveillance bodies in various 
Member States and their impact on EU citizens’ fundamental rights and on 

The guy unfortunately left before mentioning more details, and the message 
seems cropped.
Anyone willing to try to contact those folks? 
Anyone willing to attend?
Arne Babenhauserheide | 5 Sep 16:58 2015

ShareWiki as official plugin?


I finished the last remaining bugfix of ShareWiki and I think it is
ready for inclusion.

My only gripe is the name: *wiki suggests collaborative editing which
it does not really provide. Though you can simply copy the source…

ShareSite would be unfortunate (the short form would be SS which I as
German don’t want to use for historic reasons). 

Or should we just keep the name ShareWiki?

Either way: What do you think about making it official?

Best wishes,

1w6 to respect them,
to find them all,
to lead them into games
and gently bind them.
