/operate/ - Endchan Operations

Why can't I post replys to /tech/ or /pol/ ?

 >>/4445/
I dunno, what is it telling you?

this is the best workaround at this point. thanks!

 >>/4154/
Can't you just ban all the IPs in the /24 individually?

Please help, /librejp/ is getting wiped.

 >>/5417/
globals can only help delete spam. It's really up to your BO manage the settings and choose what risks he wants to accept. We recommend using higher (less risky) settings when under attack, such as CAPTCHAs. But all boards should have a thread creation limit.

Maybe someone can type up a guide to the settings better than:
http://endchan.xyz/.static/moderation.html

I can't post anywhere without javascript, no matter how many times I filled the captcha.
http://endchan5doxvprs5.onion/blockBypass.js says 'You have a valid block bypass.' but Trying to post without js opens http://endchan5doxvprs5.onion/replyThread.js which 302 redirects to http://endchan5doxvprs5.onion/login.html Please fix it!

 >>/5615/

can confirm this.

I'm using Tor browser with js disabled and after filling in CAPTCHA I'm not redirected to my post (actually my post does not get posted either).

Workaround for now is to fill in the CAPTCHA, redirect to board manually and then write a post, which is kind of annoying.

Can you look into it somehow?

 >>/5615/ 
3rd to confirm this. I brought this up on tech and while I am grateful for the tor support. After the block bypass was implemented I have not been able to post without enabling some sort of cookies or javascript. It may have to do with the redirection. You can not post in a lightweight browser or a heavily about:configured firefox fork without being redirected to the login page.

 >>/5615/
I can't reproduce. I'm logged out, go to /test/ (Tor Browser, JS off, cookies on), create post, either takes to the block bypass page if I don't have one, or just creates the post.

 >>/5617/
> I have not been able to post without enabling some sort of cookies or javascript
Cookies have to be enabled

I can post fine with torbrowser with JS off and cookies on. And I can't fix anything I can't reproduce since I can't dig into to get the details. So anything more you can provide would be really helpful, settings, version numbers (OS, browser), net capture, etc.

 >>/5619/
Alright. Lets use the links2 modified for tor use with the settings in /os/. That is one example of this. I do not know why it does this in firefox so maybe that can help deduce the issue.

 >>/5619/

 >>/5619/

Are you sure redirection happens automatically after typing CAPTCHA in block bypass page?

I'm using Tor browser in gentoo 64bit multilib with js disabled (cookies on) but I have to manually navigate to other page after finishing CAPTCHA to have block bypass effect.

Can you show us your about:config?

 >>/5622/
> I have to manually navigate to other page after finishing CAPTCHA to have block bypass effect. 
That is the expected behaviour.
What is not expected behaviour is being directed to the login page and not being able to post.

I found the problem, it requires sending HTTP-referers ('network.http.sendRefererHeader' value at least 1). 8chan has this sh*t too. Referers are the 2nd worst privacy invaders after third-party cookies. I don't understand why should we need it. It has 0 benefits. I don't want to copy every outside url manually to open them.

 >>/5630/
Good research. Yes, that's an antispam measure, so it has benefits. 

I've found the section in the lynxchan code that causes this. Maybe we can find compromise but StephenLynx needs to explain the anti-spam side better.


exports.checkReferer = function(req) {

  if (!req.headers.referer) {
    return false;
  }

  var parsedReferer = url.parse(req.headers.referer);

  var finalReferer = parsedReferer.hostname;
  finalReferer += (parsedReferer.port ? ':' + parsedReferer.port : '');

  return finalReferer === req.headers.host;

};

exports.getAuthenticatedPost = function(req, res, getParameters, callback,
    optionalAuth, exceptionalMimes) {

  if (!exports.checkReferer(req)) {
    exports.redirectToLogin(res);
    return;
  }

  if (getParameters) {

    exports.getPostData(req, res, function(auth, parameters) {

      accountOps.validate(auth, function validated(error, newAuth, userData) {
        if (error && !optionalAuth) {
          exports.redirectToLogin(res);
        } else {
          callback(newAuth, userData, parameters);
        }

      });
    }, exceptionalMimes);
  } else {

    accountOps.validate(exports.getCookies(req), function validated(error,
        newAuth, userData) {

      if (error && !optionalAuth) {
        exports.redirectToLogin(res);
      } else {
        callback(newAuth, userData);
      }
    });
  }

};

 >>/5630/
 >>/5631/
Fixed:
https://gitgud.io/LynxChan/LynxChan/commit/fa8003017057f9920caae8d493eff7b13933e28a

The issue was that I forgot to include the check for the authentication being optional when it failed the check for the referrer.

So when your authentication failed due to your referrer mismatch, it sent you to the login screen, even though you didn't had to authenticate to begin with.

With this fix your referrer won't impact anything at all when you post, unless you expect to post using role signatures.

As to why the referrer is required:
It is only required when you are not using js and you are authenticating your request, as logged in.

The issue is that if someone puts a form to any other site, your browser will still perform whatever the form does using the cookies the destination site set on your browser.

But if I require these requests to come from the same site that is being requested, this is nullified.

tl,dr; its a CSRF protection that is used minimally.

Still not working for me in links2 browser. You can modify how you receive and send headers and referrers though so I am willing to change some settings to get it working.

 >>/5634/
I haven't applied the fix to EndChan yet

 >>/5635/
I figured it was the same error that you get on 8ch when it says "invalid referrer". Thanks for looking into it though this is wonderful.

 >>/5630/
> I don't want to copy every outside url manually to open them.

The latest Tor browser update is for you:
> Tor Browser 6.5 -- January 24 2017

>  * Bug 17334: Spoof referrer when leaving a .onion domain

Allowing referrers on per-site basis is a bit harder to do. You still need to use about:config and manually set it, post somewhere and set it back when you are done.

 >>/5631/
> Yes, that's an antispam measure, so it has benefits.

Well, it worth just as much as relying on the browser's user-agent for anti-spam. Nothing. Even the most simple spambots include referrer spoofing. And when referrers are used for "security purpose" (like at Webfaction), I become so confused: I don't know whether I should cry or laugh.

 >>/5636/
fix has been applied

 >>/5642/
> it worth just as much as relying on the browser's user-agent
it's more like, if it stops one piece of spam, it's worth implementing

there's more spam incoming lately. I don't know if it's just some bored scamdude (only one post appearing in latest thread on my board in random time with big intervals) or shitty spambot. Leaving the post for you and the link he gave (added xxx among numbers there, if you remove it you will get actual link) - don't know if it will be of any use for you but whatever

>  >/4/10531

Please fix binary TorIP lookup, k tks:
https://gitgud.io/LynxChan/LynxChan/commit/9f698d23654cbc34c65ac435477d183793322c36
https://gitgud.io/search?utf8=%E2%9C%93&search=TorIps&group_id=&project_id=610&search_code=true&repository_ref=master

8leaks must feel retarded by now

 >>/6240/
#1 we don't use them
#2 I don't see any problem

> 8leaks must feel retarded by now
Wut?

> #1 we don't use them

Stop bullshitting me: https://gitgud.io/search?utf8=%E2%9C%93&search=TorIps&group_id=&project_id=660&search_code=true&repository_ref=master
> #2 I don't see any problem

replied to you the exact problem on overchan: tl;dr why record at all?
> Wut?

Read the first thread  >>/8leaks/1/

 >>/6243/
> Stop bullshitting me
Well, you see that's called the "Master" branch, it contains the latest source code for LynxChan (1.8/1.9?). We don't use vanilla LynxChan, we use InfinityNow which is currently based on 1.7.5. 1.7.5 uses the database to store the list of tor exit nodes, it does not use the "binary TorIP lookup".

> replied to you the exact problem on overchan: tl;dr why record at all?
It's to make sure BOs don't ban tor exit nodes. And again we're not recording, we're download the publicly disclosed database from the tor site to speed the software up and reduce the load on the tor project's website.

 >>/6244/ 
/t/cfece09191990a45b0888942f8b1ac922d22dadf/#b142c609366435fbadafdfb84d83d6e47e321165
& 
> project_id=660

> Showing 1 - 19 of 19 blobs for "TorIps" in project InfinityNow / LynxChan 

> we use InfinityNow which is currently based on 1.7.5. 1.7.5 uses the database to store the list of tor exit nodes, it does not use the "binary TorIP lookup".


> to speed the software up and reduce the load on the tor project's website.

tis fine.

since this is about tor I wont make another thread

here's my experience of the endchan.onion links
> wake up monday morning

> go to the endchan.onion links

> 1 open in each tab

> make coffee

> make breakfast

> eat

> shower

> go to work

> come back

> wednesday evening the tabs are fully loaded

> try to post

> takes about 2-3 days for the block bypass to load

> a few weeks later finally the pages loaded and I can post

> refresh the page, go to catalog, go to new threads, block bypass expires

> I die of old age

 >>/6251/
if I know how to make the onion not shit, I would. I'm told restarting it too often isn't good either. There's not much I can do

The block bypass is incredibly annoying for certain vpns I just wanted to bitch about that. Also storing cookies pisses me off. K done bitching.

 >>/6406/
then come up with a better way to stop tor flooding

test

 >>/6439/
captcha every 5 posts

Oh, and just recount the bumps when a post is deleted. So let's say your threads were layed out like so:

Thread 1.
Thread 2.
Thread 3.
Thread 4.
Thread 5.

Thread 5 is bumped and is now Thread 1. The post that bumped Thread 5 is deleted. Thread 1 returns to Thread 5. This is basically "reverse bumping"

Make it an opt-out feature. It should be the default to prevent spam, imo.

To OdiliTime: Thoughts?

 >>/6769/
Wouldn't do anything for spam. I'll bring it up to StephenLynx see if he can put it in 1.9

I've just gotten a block bypass on my VPN for the first time, does this affect all IPs or just some?

 >>/6919/
It's not to prevent spam itself, but moreso to prevent the damage caused by the spam.

 >>/6920/
only IPs on the stopspam blocklist.

Post linking seems broken and there's a redirect every time I post. Also, no captcha's showing up as it was before, so I have to click on the 'No cookies?'. (Didn't think this needed a separate thread)

 >>/7000/
Hey odil /sp/ is getting hit with spam right now, probly enough to effect the site

 >>/7006/
/sp/ is always loaded with spam

 >>/8094/
it was like thousand post botspam
not gud 'spam'

why do some boards how more expansive block bypass than others?

 >>/9411/
Diffrent boards use diffrent data mining to be more effective. I've been trying to work on neural links for all users so that all your thoughts can just be read. Its coming soon.

 >>/9411/
Board Operators have a lot of control and choice

1e00a9570e13a... jpeg
(28.79 KB, 240x320)

 >>/9424/
> when your attempt to imitate the site admin fails miserably

 >>/9435/
delete.

Scripts Blocked png
(389.48 KB, 1160x743)

I'll just post this here because I don't think this deserves its own thread: why are all these third party scripts trying to access my browser while on endchan? See pic. Are these datamining users?

I'll take shit that... png
(309.57 KB, 1600x867)

 >>/9499/
Those are from your other browsing tabs. NoScript keeps a recent history of sites that it's blocked so you can unbreak the "dynamic" webshites that pull scripts in from approximately 2 gorillion third-party domains. We don't do any of that shit. The only third-party request you should see without clicking a YouTube embed link is a test file we try to pull in from https://end.chan/, an OpenNIC domain OdiliTime controls that shouldn't resolve to anything unless you get your DNS from an OpenNIC resolver. (Of course, if you do click on a YouTube embed, who knows what that fucker is going to pull in, so you do that at your own risk. That's why we cache the thumbnail from youtube.com and make the widget click-to-load, so you can choose whether or not to take that risk.)

 >>/9501/
OK, thanks for the info. I do routinely wipe my browser cache/history, I guess I forgot to do that before I came back here. Likely could have been a news site or some video streaming site that had a bunch of scripts trying to follow me around.

This is the 5th time I tried upload a huge ass file on TOR,
and the captcha expires before it can finish uploading.
Is there a fucking way it can verify the captcha first, 
then attempt or fail&report to upload the file?!?
This isn't blockBypass.js cookie, this is board-post captcha.js/captchaImage.

This shouldn't even be a bloody problem: You want to upload a file? 
First checkbox you want to upload a file, 
write your message, 
click take me to upload.js, 
and copy and past this key.

If should instantly fail if it detects a banned file type by just the header,
e.g. .exe, .elf, .out, etc., and reply back such, and link you back to your
thread. 
I prefer the open window/tab method.

Just tried clearnet, same shit.

 >>/9505/
They need to change the 30 second captcha refresh mandate to at least 2 or 3 minutes. I think this would help, usually when it starts uploading as long as its the same captcha it will successfully post. Sometimes big files take more than 30 seconds to begin uploading and thats when it refreshes and fucks up the post.

 >>/9516/
I'll talk to StephenLynx about this

 >>/9516/
1: the captcha expiration is configurable
2: the FE can pre-solve a captcha to make it last for one hour.
3: the FE can access the cookie that says when the captcha expires so users can have it to auto refresh or at least know when it expires.

 >>/9505/
just use another file hosting service and post the link

Can the block bypass link be added for each tor in the toolbar? It's getting annoying with the pop up windows not opening having to switch back and forth

your capcha is more annoying than recapcha

 >>/10289/
but not as annoying as on 8ch