Just be careful out there. All I have to do is alter one letter for the BBC .onion and I can get phished/scammed/duped. For example, this is an altered .onion for BBC:
This is spectacularly misleading. That second address isn't real, and doesn't work.
It is computationally infeasible to generate an onion address similar to an existing one. Yes you could make another one that starts with "bbcnews", but all/most of the other characters would be different. Additionally, since the BBC is using https, the cert would be different, or missing.
Indeed. For anyone unfamiliar with the nature of cryptographic hashes, each character increases the difficulty to get a collision exponentially.
~10 characters are easy enough to generate on a single machine so don't rely on a vanity-prefix and the trailing couple of characters only, but getting a new .onion address matching even half of an existing one within the lifetime of civilization is unrealistic even with state-actor resources.
You'd be better off trying to brute-force Satoshi's bitcoin private keys if you're feeling that lucky...
If I'm following my intuitions about the math in the right direction, the probability of getting a single-character-or-less edit distance from a given target hash is (56×32)/32⁵⁶ per attempt.
The expected number of attempts to get one success at this would then be about 2²⁶⁹. Even so, a typosquatting victim would be very unlikely to make the exact right typo for the attack to work!
I think my reasoning is wrong somehow because I think there are only 2²⁵⁶ different onionsite public keys, so it doesn't quite make sense that you would have to do 2¹³ more work than trying all of them. But I'm still pretty convinced that it's going to be infeasible without a strong break of the hash function.
In terms of attacks that merely try to generate onion addresses that are merely somewhat visually similar to target ones (e.g. by matching at the very beginning and very end?), these are possible, and it would be interesting to see research about how likely people are to fall for various attacks like that. Maybe that research has already been done?
>If I'm following my intuitions about the math in the right direction
you are, except our theoretical familiarity with math and the antecedent nature of life can easily lead us to intuitions that mature to fallacies quickly.
>e.g. by matching at the very beginning and very end?)
Thankfully those smarter than us have solved this problem too - the "hashing" algorithm is so fundamentally lossy (but not too lossy to fall into the pigeon-hole paradox) 1-way, that it is mathematically impossible to have any knowledge of the end of the hash before you get it.
You can "brute-force" it backwards, sure (for some old hashes obviously) - give me a string whose MD5 starts with "Jerry" and ends with "loves math", and I will congratulate you on your waste of computational resources.
Sure, but targeting similarity with a previously-chosen hash is a scenario where the birthday paradox doesn't come in. The case where it does would be "can we produce two arbitrary new hashes that are similar in this way?", in which case the amount of work required might be about the square root of what our intuition might suggest.
(although I think there's an explosion in the required space in that case because you need to store information about all of the values that you've already been able to produce, in order to learn whether new values collide with them!)
>"can we produce two arbitrary new hashes that are similar in this way?"
arbitrary may be the heavy lifter here, we can certainly birthday-paradox two addresses that look similar (square root, yes)
>(although I think there's an explosion in the required space in that case because you need to store information about all of the values that you've already been able to produce, in order to learn whether new values collide with them!)
A bloom hash table with some nerdy optimizations for backtracking, depending on whether your IO/CPU/GPU or network were the bottleneck. If you got a double-positive, skip the integer/nonce/etc.
Although, realistically, I'd be very surprised if in a quintillion PETAFLOPS you found a single 128bit number that, after being hashed twice, starts with "face" and ends with "book"
Arbitrary means: It's "easy" (square root) to find two numbers that resemble each other in a sufficiently large set, but neither of them will resemble anything meaningful. It's still "hard" to find a number that resembles a previously given different number, such as the bbcnews hash above. (The chance that any two kids in a room share a birthday is fairly high; the chance that a kid has their birthday on January 1st is much lower.)
> Although, realistically, I'd be very surprised if in a quintillion PETAFLOPS you found a single 128bit number that, after being hashed twice, starts with "face" and ends with "book"
We can just calculate it. "face" + "book" is 8 characters in base 64, for a total of 8*6=48 bits that need to be set a certain way. 2^48 is roughly 10^15. Hashing once or twice barely matters at this point (2*10^15 ~=~ 10^15). A quintillion petaflops is 10^33 flops, so unless your hashing algorithm takes 10^18 floating point operations, you have an incredibly high probability of finding such a number within a second.
Blatantly incorrect, and nearly dis-intelligently so....unless you know something we don't?
.onion domain addresses are like cryptographic collisions - you must try trillions of nonces (random numbers, ya nasty brits) to even approach the chance of a collision that is recognizable in a literary sense.
Now, RATs waiting patiently for you to copy/paste transferred funds have plenty of time - especially when they know (and so do many wallets nowadays) that most people check the first and last characters.
How the heck does this work? I thought .onions were essentially a hash of a public key, making finding collisions (or even 1-char near collisions like your example) infeasible. Do both of your example links resolve? If so, how?
I have no doubt that you can find one with similar prefix and/or suffix, but not to the degree of similarity of your example.
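For reference alongside the question above, an added example (not part of the thread): a v3 onion address is the base32 encoding of the service's 32-byte ed25519 public key, a 2-byte SHA3-256 checksum and a version byte, so an address can be validated offline and compared in full against one obtained out of band. The function names and the two sample keys are constructed for this illustration.

```python
import base64
import hashlib
import hmac

VERSION = b"\x03"   # version byte of v3 onion services
SUFFIX = ".onion"

def _checksum(pubkey: bytes) -> bytes:
    # Two-byte checksum over the key, as laid out for v3 addresses.
    return hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]

def encode_v3(pubkey: bytes) -> str:
    if len(pubkey) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    raw = pubkey + _checksum(pubkey) + VERSION
    return base64.b32encode(raw).decode("ascii").lower() + SUFFIX

def decode_v3(address: str) -> bytes:
    """Return the 32-byte public key, or raise ValueError if malformed."""
    host = address.strip().lower()
    if not host.endswith(SUFFIX):
        raise ValueError("not a .onion name")
    label = host[: -len(SUFFIX)].split(".")[-1]   # ignore any subdomain
    if len(label) != 56:
        raise ValueError("v3 label must be 56 base32 characters")
    raw = base64.b32decode(label.upper())         # ValueError on bad characters
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != VERSION:
        raise ValueError("unsupported version byte")
    if not hmac.compare_digest(checksum, _checksum(pubkey)):
        raise ValueError("checksum mismatch")
    return pubkey

def check_against_pinned(candidate: str, pinned: str):
    """Compare a candidate address with one obtained out of band."""
    pinned_key = decode_v3(pinned)
    try:
        key = decode_v3(candidate)
    except ValueError as exc:
        return ("invalid", str(exc))
    if hmac.compare_digest(key, pinned_key):
        return ("match", "")
    pairs = zip(encode_v3(key), encode_v3(pinned_key))
    differing = sum(x != y for x, y in pairs)
    return ("different-key", f"{differing} of 56 characters differ")

# Constructed 32-byte values standing in for service keys (not real services,
# and not necessarily valid curve points; the encoding does not care).
PINNED = encode_v3(hashlib.sha256(b"constructed key A").digest())
LOOKALIKE = encode_v3(hashlib.sha256(b"constructed key B").digest())
# One altered character inside the checksum region (index 52 of the label).
_swap = "a" if PINNED[52] != "a" else "b"
ONE_CHAR_OFF = PINNED[:52] + _swap + PINNED[53:]

if __name__ == "__main__":
    for name in (PINNED, ONE_CHAR_OFF, LOOKALIKE):
        print(name[:12] + "...", check_against_pinned(name, PINNED))
```

The check compares the whole decoded key, not a prefix and suffix, which is the comparison the thread argues a reader should rely on.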
I will try to give a simplified explanation as best I can. PGP verification is a vital process to learn. Once learned it is easy to verify yourself. You need to know PGP if you are visiting .onion sites, it is not optional if you want any certainty.
The information in a PGP signed message is encrypted using a password (the private key) in such a way that only a different password (the public key) could unlock it. Once you have a trustworthy public key from a site/individual, you can check to see if a message was signed using the correct password in the matching private key.
If truly kept private, you can trust it is a message from the same person who gave you the public key to begin with. That is how we know .onion urls are from the owners of the sites.
If the address ever needs to change, they will sign a new message that you can know for certain came from someone in possession of the SAME private key as the first time. Same if there is a new key pair, they sign it with the old one too, so you can trust the new one equally as the old. Well, you can trust it as much as you trust the owner to not have shared it or been hacked, bribed, or arrested.
Dark.fail tries to be someone you can trust. If you did trust them, you could trust all the addresses on their site, and thereby the public keys listed on those sites to be trustworthy as well. Dark.fail gives their seal of approval that everything belongs to whom it should on their site.
Their tool is just checking to make sure the keys match up correctly.
You cannot trust Dark.fail's seal of approval. They have proven you cannot trust them. Do not visit their site anymore. You always need to verify for yourself. Learn how.
I’m sorry (kind of), but this comment rubs me completely the wrong way. This is at best highly ignorant and at worst misleading. I’m willing to bet the former given how trendy it is now for people that know barely anything about a subject to turn around and teach others about it. You’ve just taken “lookalike domain name phishing exists”, explained it to an audience that almost certainly knows it, but also applied it to .onion domains, which are about the only context in which it’s wayyyy closer to impossible to actually pull this off.
How on earth did anyone have the computing power to generate the altered address? Wouldn't that have taken trillions of years? Isn't that the whole point of these long random addresses?
I have JS turned off in my main surfing profile and New Reddit performs badly and hides the content, unless you amend the URL to `old.reddit.com` so Reddit is not that accessible. I have JS turned off for privacy & security reasons. Reddit is basically fuck-you'ing those who enjoy their privacy.
NSA are purple team (both red team and blue team), so they do defense as well as offense. They need to sniff plaintext as well as protect their own infra and IP with strong crypto standards like AES. The public also benefits from AES, often to the detriment of SIGINT efforts by the NSA, so there are caveats to this, and it's nuanced.
Suite A is fairly specialised. Nobody can publicly comment on specific use cases of course, but it's fairly well known that Suite B is used for most national security information, including TS/SCI. But yes, technically non-public algorithms exist and are in use, it's just not even nearly automatically applied to everything.
Cool! It would be fascinating to read more about the Suite A ciphers and compare them to known designs, see how they were inspired by, improved or differ. But I guess there's not much chance of that happening as they're classified, haha! :)
They're using FIPS like the rest of govt. I get that you don't know. That's fine, but when you start making up stuff to fill in the gap that's when you need to do a reality check.
MDN[0] is usually my go-to reference for frontend stuff. I know DevDocs has the offline feature, but frankly I can't develop without an Internet connection. I tried it, and failed terribly. Besides MDN, developers need quick access to Google and ChatGPT to go forward, quickly.
I was recently on a flight where the "wifi is down" and wanted to get some coding done. I already had some LLM models downloaded, so I quickly pulled down the fauxpilot repo and made sure I had everything needed for when we were in the air.
My expectations were really low, but I was surprised at how productive I was with just DevDocs and an LLM. I might have even been more productive than normal because there weren't any internet distractions.
> Hof's first attempt the day before failed when he began his swim without goggles and his corneas froze solid and blinded him. A rescue diver pulled him to the surface after he passed out.
For anyone wanting to try this, I’d just warn that many extremes that humans haven’t evolved to endure (sitting for long periods, spending no time in sunlight, spending too much time in sunlight, eating no fat, eating too much fat, etc) have been shown repeatedly to shorten lifespan. I’d see daily ice baths as an unnatural extreme and wouldn’t consider doing this, at least not for a long period of time.
Humans weren't optimized to endure the unnatural extreme heat of a 175 degree sauna, yet studies point to frequent sauna use being associated with a reduction in all-cause mortality
> yet studies point to frequent sauna use being associated with a reduction in all-cause mortality
Is this perhaps because frequent sauna access is correlated with higher socioeconomic status/less stress/more free time/etc. What kind of confounding factors did they include in that study?
Emerging evidence suggests a plausible mechanism is the "heat-shock response", which upregulates a lot of crap related to cleaning up misfolded (= aggregatey) proteins, like protein degradation and chaperone protein expression. Where most of these neurodegenerative diseases AD, PD, some dementias, CTE, prion diseases etc. involve protein aggregation at some point whether necessary-and-sufficient or just along for the ride. Like at this point if some kind of degenerative disease isn't thought to relate to protein aggregation, it's more likely nobody's bothered to look for it
Anecdotally/personally, it seems like there's kind of a step response going from "not cooked" to "cooked", the good stuff doesn't happen until you get "cooked" (ideally remaining that way for a while), and this seems to happen around a body temperature of 38.5-39C.
I don't think so. Saunas are economically available to almost everyone (where there is fuel). I grew up a yooper in Upper Michigan and saunas are a very common part of the culture and even folks without indoor plumbing (much less common now) would have wood-burning saunas in the back yard. Saunas are one of the most relaxing, and invigorating, experiences I know of.
> Saunas are economically available to almost everyone
This can't possibly be true. 65% of Americans are living paycheck to paycheck. They definitely aren't in a position to get a Sauna.
And besides, just because people can afford to do something, doesn't mean that less wealthy people do. Almost anybody could afford to golf, but that doesn't mean golf doesn't skew wealthy if you're looking at the people who actually play. If you looked at how long people who golf live vs people who don't, I'd be willing to bet that golfers live longer. I'm not about to suggest that golf is what is keeping them alive though.
Golf takes gear, course access, and above all large amounts of free time. It's certainly not something almost anybody can afford to do. Access and the time to commit are things those with higher economic status often take for granted when considering whether everyone can afford some activity. These factors likely come into play for saunas too - they're not a staple for any given city gym, for sure, which means you need access to a more well-outfitted gym, or to have a sauna in your own home. And then, again, free time beyond the essentials of fitness and daily life.
Yes, that is exactly my point. Anybody could golf, but it isn't practical for people who don't have a good amount of expendable income, so they don't do it.
Same thing with saunas.
You and I have a different view of what a sauna is. My sauna in the UP is simply a wood-sided shack, interior cedar board, and a wood burning sauna stove (basically a plain wood stove with free rocks on top) bought locally for around $600, and all going strong since 1998.
Here at home I belong to a gym for $55/month and sauna there almost daily, and in prior home in Green Bay, each YMCA had a sauna included with membership. Mostly northern cultures and many southern have had something similar for thousands of years. The Oneida tribe outside Green Bay has regular sweat lodge ceremonies, same basic thing. I won’t enumerate the benefits of a true deep heating sauna but it is deeply meditative for me. This is one of the healthy ways to relax that is often available if sought out. Even during a recent trip to Orlando, I was able to sauna at one of the Y’s. My dad (86 yo) saunas at his health club near his home in SC.
I have never heard saunas described as something outside normal economic lifestyles.
Interesting saunas being associated with wealth, we come from different places. When I was in college at Michigan Tech in the early 80’s, dorms had saunas, the frat house had a sauna, and if you were lucky, someone was renting a place with a sauna. Of course I understand that this was very much a regional thing, the point is they are simple to construct and simple to maintain.
While there, I became friends with an old Finnish couple about 10 miles east of town near the Lake Superior shores. They explained that until just a few years ago (at that time), people had outhouses, and a sauna for relaxing, bathing and socializing. They did not eat cake. (They ate pasties :-) )
Do you really think that the people who worked on this study didn't consider your knee-jerk level-1 confounding factor? Obviously they took socioeconomic status into account when they were studying all-cause mortality, what study wouldn't?
There is a reproducibility crisis in many fields where people tacitly assumed everyone else was doing their due diligence. Many basic assumptions about confounding factors, confidence values, etc are still being criticized and revisited. You should not assume that such factors have been accounted for, instead you should join in continually asking if they have been and challenging all assumptions.
I'm not making that assumption, I'm asking what factors they included. Lots of studies are poorly run and fail to account for very simple confounding factors.
The big study was a 20+ year observational study in Finland [1] where saunas are supposed to be quite accessible, but the world is complicated and there are probably many confounding factors.
The mechanism of action seems very plausible. Saunas are moderate stress which spikes your heart rate temporarily (they say 100-150bpm in the study). So it's not surprising it could be protective for cardiovascular disease just like many other forms of moderate stress/exercise.
I don’t mind people asking obvious questions. Even if the answer is also obvious, it’s still an important base to cover, and we shouldn’t assume it was. The humanities is replete with flawed studies.
It's almost as if complex systems resist deterministic patterns of thinking. If only someone decades ago had written a book warning us about seeking 'silver bullets' in software development...
> but I always struggle to articulate what that would mean, how I should achieve that, what I need to change etc
I recommend bullet journaling, to get stuff on paper/written down first before you take action. Then you can revise past notes to see how much you've progressed. It's worth being very clear about what you want, and have a rough draft of the means to get it.
There's a phrase I always loved: 'What's meant for you won't pass you by'.
[0] https://dark.fail/
> Accurate URLs verified by PGP. No direct linking in order to protect against DNS leaks from accidental clicking in a clearnet browser.
How does the PGP verif work? I'm not used to it. There exists a tool here[1] but how does it all work?
[1] https://dark.fail/pgp