What happened to Tox?

So I haven't been keeping up with Tox very much since I tried it very briefly in 2014.

Going back to Tox.im tells me that it seems like there was some sort of hostile takeover of Tox by the NSA? Are the Tox Foundation and Tox Project both compromised or are neither of them compromised or was someone being an asshole or what?

There also now seems to be a fork named Toktok. Based on what I've seen, it seems like it's just Toxcore with bugfixes since the lead dev was no longer able to work on it as much as he used to. Is Toktok trustworthy? Is it definitely the best version to use?

Sorry if this question gets asked a lot, but I was a little bit surprised to find out about this after checking up on Tox to see how it's matured.

You'll be hanging with the rest of them on the day of the rope.

Proof? Articles? Anything at all?
Real classy.

This is the kind of missed abortion browsing Holla Forums these days

I have qtox. Are there problems with that?

Shoot yourself

tox.im is a domain squatter. The real project is at tox.chat.

Disregard , it's some nigger who can't read

Alright, thanks. I take it Tox.chat is still trustworthy, then? And should I start using Toktok or something?

Tox is that thing that people on /g/ started making, realized they were posting with retards, then went to Reddit to actually get shit done right?


it was shit and they spammed it everywhere, then scammed money out of people

it's still shit and they don't spam it quite as much, thank god

hope i stop hearing about it soon.

What about Ricochet?

Ricochet completely relies on the security of Tor hidden services which were proven insecure when Facebook brute force generated an onion address with their name and other memorable words in it.

why are you posting on Holla Forums when you have such beliefs, you fucking hypocrite

The NSA thing was an April Fools' joke. If you look closely you'll see it was dated 31 March, but the actual URL is 1 April. What happened is pretty simple.

It's ok, but slow and buggy. It also has a lot of glitches and connection errors. Otherwise, it seems ok. Even PrismBreak lists it as experimental though, just fyi.

That's pretty disappointing. I had hoped it would be mature enough to pester my friends to switch to by now.

/g/ project.

nuff said.

No it's a reddit project, hence why things actually got done and people are using and talking about it

Ayy lmao

brb, uninstalling Tox over Tor

btw, if you used Tox without Tor, you are a retard

Have you got any literature on that Facebook thing?

There is an active groupchat, add LainBot and join Club Cyberia

i would have qtox, but the trisquel package in the repository doesn't work (fails to install every time). and one of the requirements of installing qtox is some newer version of QT which trisquel doesn't come with, and that thing is impossible to compile from source.

emerge qtox
yeah no wonder nobody here uses it

Nigger what. Generating keys until the first few letters spell Facebook is completely different from breaking hidden services. You realize that 8ch did the same thing back then, right?

Why do you ignore my post?
Now go back to Reddit.

Facebook address is facebookcorewwwi.onion

That is probably just one letter "off" from what they wanted to achieve. What this means is that you can generate addresses to your liking, which means that with a little more effort you could bruteforce, say oxwugzccvk3dk6tj.onion/ , because you are looking for oxwugzccvk3dk6tj

Facebook didn't sit down and say "we want facebookcorewwwi", then generate the key for that address. They generated keys upon keys until the address had a facebook prefix and was memorable. You need a lot fewer attempts to do this and even then it took them ages. They should increase the length in the near future, but it is no proof of insecurity.
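The distinction drawn in the post above, as an added example that is not part of the thread: matching a chosen prefix costs about 32^k key generations for k fixed characters, while matching all 16 characters of an existing address costs about 32^16 = 2^80. The sketch assumes the 16-character address format seen in the thread (base32 of the first 80 bits of SHA-1 over the service's public key) and uses random bytes as a constructed stand-in for real RSA keys; the function names are hypothetical.

```python
import base64
import hashlib
import random

ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"  # base32: 5 bits per character


def onion_label(pubkey_bytes):
    """16-character label: base32 of the first 80 bits of SHA-1(key)."""
    digest = hashlib.sha1(pubkey_bytes).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower()


def expected_attempts(fixed_chars):
    """Mean number of keys to generate before `fixed_chars` chosen characters match."""
    return 32 ** fixed_chars


def search_prefix(prefix, rng):
    """Draw stand-in keys until the label starts with `prefix`."""
    if not all(c in ALPHABET for c in prefix):
        raise ValueError("prefix must use the base32 alphabet a-z, 2-7")
    attempts = 0
    while True:
        attempts += 1
        # Constructed stand-in for a public key (assumption: any fresh
        # random input gives a uniformly distributed label).
        key = rng.getrandbits(1024).to_bytes(128, "big")
        label = onion_label(key)
        if label.startswith(prefix):
            return attempts, label


def mean_attempts(prefix, trials, seed=0):
    """Average attempts over several independent searches (seeded, repeatable)."""
    rng = random.Random(seed)
    return sum(search_prefix(prefix, rng)[0] for _ in range(trials)) / trials


if __name__ == "__main__":
    # Measured cost for short prefixes tracks 32**k.
    for prefix in ("a", "ab"):
        measured = mean_attempts(prefix, 200)
        print(f"prefix {prefix!r}: measured {measured:.0f}, expected {expected_attempts(len(prefix))}")
    # Extrapolated cost: an 8-character prefix versus a full 16-character label.
    for k in (8, 16):
        print(f"{k} fixed characters: about 2^{5 * k} key generations")
    ratio = expected_attempts(16) // expected_attempts(8)
    print(f"full label is {ratio:.2e} times more work than an 8-character prefix")
```
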

Hey OP, I'll tell you what's actually going on because this place is filled with actual illiterates, bigender french teenagers, inventors of the letter h, and other such detritus.

This domain was seized by a hostile rogue 'developer' (he never actually developed anything but a couple python scripts and a massive case of self-importance) and should be warned against whenever you see it. His aliases are stq, NikolaiToryzin, and AlexanderStraunoff. He changes names often but it's usually some pretentious historical shit, because he's a redditor. He lurks everything Tox related hoping to be mentioned so he can fap to how much everyone cares, so just direct people to the proper website and move on so we can avoid overstimulating his bindi.
The current domain is tox.chat.
Nothing was taken over by the NSA. The "Tox Foundation" was never anything other than stq who stole a bunch of money and then got run off because he was a weaselwording enterprise fetishist who was only involved in the project to play pretend with webservers. Irungentoo learned his lesson about being too shy to tell people no, and the project is under better management by an incredibly productive sphere of pure best practices known as iphy. That leads into the next point.

This is the fork of toxcore maintained by iphy. It's where feature development takes place now because irungentoo is busy and a little burnt out. There aren't any hard feelings about it.
Toktok has clearly set design goals, specs, standards, all that glorious shit to make sure things get done right. No CoC, just code documentation and protocol standards.
You shouldn't have to think about what version to use unless you're compiling clients yourself. In that case, yes, you should probably switch to it at some point, although it hasn't yet diverged from toxcore much featurewise, as they're busy creating all the documentation and testing infrastructure that should have been there all along.

Common criticisms of Tox:
Welcome to 8ch. If you didn't come from /g/, then you came from reddit, you stupid fucks.
Run Tox over Tor. If you want something to be anonymous you run it over tor. i2p and other layer support is in the works.
Grayhatter is developing them and they're testable today in his utox feature fork. He's also working on multidevice, also testable in his utox feature fork. He's overworked, so maybe contribute something other than bitching.
This can be safely ignored, obviously.
please fill out this form is.gd/EGHhDM

I contribute well-researched bug reports that point to exact problems/lines and they never get a reply so fuck you

They've been sitting on the "nearly finished" code for the new group chats for over half a year now. How much longer must I suffer?

sorry but Holla Forums has more important things to discuss, like how redpilled 'technology' is.

Jfreegman is developing new groupchats, grayhatter is developing multidevice.

Also there's a pretty recent update at blog.tox.chat explaining what's going on.

Do you report them on github? Can you give an example?

Link some, whore

They're holding until TCP-DHT

Thanks for the well reasoned response, user. I appreciate it a lot. I guess for now I'll just play around with qTox and worry about Toktok when it lands in the official repos. Good to know it's not NSA Approved (TM) yet.

security audit when

Never. Tox was a shit idea from some basement dwellers post-Snowden leaks. Their cryptography is a joke compared to OTR (which was available at that time) and Signal.

Has Signal's server passed a security audit yet?


And this

It's actually a sad but not uncommon outcome for open source projects. They rely on a volunteer to manage the money, who then steals it. They raised a ton of funds and had a clear road map and very reasonable burn rate, then that cunt fucked them. The sad fact is, no money means no full time code, unless you are mikeeusa. It's a shame they didn't try to become a part of a larger organisation who would manage their funds, like the fsf.

What do you base this edgy opinion on? Tox's networking code is written over the NaCl crypto library which is state of the art, and it has feature parity with OTR (perfect forward secrecy, deniable authentication, Diffie Hellman key exchange). I would say it's even more secure than Signal from a design viewpoint, on account of Signal being server-based.

When you pay for it. Because you're not just bitching for no reason, you actually want to see it happen, right?

get outta here, nigger

The NSA/FBI/CIA/BYOD infiltrated the community and ripped it apart. Didn't you see the anti-tox posts on /g/ and Holla Forums?

It's an aimless project. There are much better tested alternatives out there.


tox.im isn't owned by a domain squatter. It used to be their main site till the guy who owned the domain ended up being a manbaby and ragequit from the project. Thus why it now redirects to "my daddy's a lawyer fuck you" page.

Oh I'm sorry, was this Holla Forums or /tox/?

They didn't break Tor by generating a key to coincidentally have the first few letters spell out Facebook.

Right because paying those tards has led to such great outcomes in the past.

Spineless shills.

enjoy your denial of service

how much does a third party security audit cost or are there any non-profits that might be interested?

And they failed

There has to be a security industry standard for verifiable audits, right? How do we find out?

Don't kid yourself. Have you read the postings here?


The cryptographic libraries they use don't matter, if they're not used in a good way.

Verifying you received the public key of the actual recipient you're trying to contact, is a serious concern. Also, I'm not a cryptography expert, but the "nonce ratcheting" in Tox doesn't seem like a very secure way of trying to implement what OTR already does. It's also slightly concerning that the design documents are horrible, and it seems the authors seem to confuse 'encrypting' and 'signing' with public keys...

While I must agree that Signal being centralized on one set of servers, and being able to easily collect metadata is bad, I don't think Signal was designed with that threat model in mind. It's more of a drop in replacement for texting, where you don't want the state to be able to read your personal messages to your mother, and not for planning world domination. In such a case, you'd use Tor + OTR anyway :^).

Until Tox can receive an audit, I'd say it's sketchy at best. Please please, just use Signal or OTR/OMEMO + Tor if you actually want privacy... The arrogance of the developers in the security of their product is enough of a reason to not use Tox.

It is used properly. I've looked at the implementation myself.

That's not a tox-specific issue, and is generally solved with OOB communication.

Elaborate please.

They have a very well written spec that's almost finished. toktok.github.io/spec

This is where your bad intentions become completely transparent. Telling people to use a fundamentally less secure messenger because -insert baseless slandering of devs here- is not how you convince a tech-literate community of security nerds. Now I'm just convinced you have a conflict of interest. Either you're a paid shill or a competitor. You've been spreading this exact same FUD for three years. It didn't work, and it won't work. If you want to convince people Tox is insecure, you simply need to find a security flaw in the design/code. You can't do that though, so you resort to baseless attacks and >muh audit bullshit. And the fact that (((someone))) is trying so hard to discredit Tox makes me believe that it does its job perhaps too well.

nonwhites not welcome

Please use this service that had a fed gag order for most of 2016 it's trustworthy we promise ;L)