So I haven't been keeping up with Tox very much since I tried it very briefly in 2014.
Going back to Tox.im tells me that it seems like there was some sort of hostile takeover of Tox by the NSA? Are the Tox Foundation and Tox Project both compromised or are neither of them compromised or was someone being an asshole or what?
There also now seems to be a fork named Toktok. Based on what I've seen, it seems like it's just Toxcore with bugfixes since the lead dev was no longer able to work on it as much as he used to. Is Toktok trustworthy? Is it definitely the best version to use?
Sorry if this question gets asked a lot, but I was a little bit surprised to find out about this after checking up on Tox to see how it's matured.
You'll be hanging with the rest of them on the day of the rope.
Josiah Clark
Proof? Articles? Anything at all? Real classy.
Carter Cox
This is the kind of missed abortion browsing Holla Forums these days
Bentley Brooks
I have qtox. Are there problems with that?
Adam Kelly
Shoot yourself
David Wood
tox.im is a domain squatter. The real project is at tox.chat.
Disregard , it's some nigger who can't read
Xavier Parker
Alright, thanks. I take it Tox.chat is still trustworthy, then? And should I start using Toktok or something?
Evan Sanders
Tox is that thing that people on /g/ started making, realized they were posting with retards, then went to Reddit to actually get shit done right?
Owen Nguyen
...
Logan Torres
it was shit and they spammed it everywhere, then scammed money out of people
it's still shit and they don't spam it quite as much, thank god
hope I stop hearing about it soon.
Landon Harris
What about Ricochet?
Austin Taylor
Ricochet completely relies on the security of Tor hidden services which were proven insecure when Facebook brute force generated an onion address with their name and other memorable words in it.
Jace Young
why are you posting on Holla Forums when you have such beliefs, you fucking hypocrite
James Harris
The NSA thing was an April Fools' joke. If you look closely you'll see it was dated 31 March, but the actual URL is 1 April. What happened is pretty simple.
It's ok, but slow and buggy. It also has a lot of glitches and connection errors. Otherwise, it seems ok. Even PrismBreak lists it as experimental though, just fyi.
Easton Brooks
That's pretty disappointing. I had hoped it would be mature enough to pester my friends to switch to by now.
Justin Jackson
/g/ project.
nuff said.
Lincoln Taylor
No it's reddit project, hence why things actually got done and people are using and talking about it
Samuel Rogers
Ayy lmao
brb, uninstalling Tox over Tor
btw, if you used Tox without Tor, you are a retard
Liam Murphy
Have you got any literature on that Facebook thing?
Noah Ramirez
There is an active groupchat, add LainBot and join Club Cyberia 415732B8A549B2A1F9A278B91C649B9E30F07330E8818246375D19E52F927C57F08A44E082F6
Mason Clark
I would have qTox, but the Trisquel package in the repository doesn't work (fails to install every time). And one of the requirements of installing qTox is some newer version of Qt which Trisquel doesn't come with, and that thing is impossible to compile from source.
Jayden Long
emerge qtox yeah no wonder nobody here uses it
Carter King
Nigger what. Generating keys until the first few letters spell Facebook is completely different from breaking hidden services. You realize that 8ch did the same thing back then, right?
That is probably just one letter "off" from what they wanted to achieve. What this means is that you can generate addresses to your liking, which means that with a little more effort you could brute-force, say, oxwugzccvk3dk6tj.onion, because you are looking for oxwugzccvk3dk6tj
Nolan Powell
Facebook didn't sit down and say "we want facebookcorewwwi", then generate the key for that address. They generated keys upon keys until the address had a facebook prefix and was memorable. You need a lot fewer attempts to do this and even then it took them ages. They should increase the length in the near future, but it is no proof of insecurity.
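The exchange above (the claim that a full address like oxwugzccvk3dk6tj could be brute-forced "with a little more effort" versus the reply that Facebook only fixed a prefix) comes down to arithmetic that is easy to check. Below is an added example, not code from this thread, from Tox, or from the Tor project. The address derivation is the real Tor v2 rule (lowercase base32 of the first 80 bits of SHA-1 over the DER-encoded RSA public key), but the key generator is a stand-in that draws random bytes where Tor would generate an RSA-1024 key; because SHA-1 output is uniform either way, the search statistics are identical. `stand_in_keygen`, `vanity_search` and `work_ratio` are names chosen for this example.

```python
"""Vanity onion-name search modelled on Tor v2 (16-character) hidden-service
names: fixing k address characters costs about 32**k key generations, so an
8-character 'facebook' prefix is feasible while a full 16-character target is
not. Added example; the key generator is a stand-in for RSA keygen."""
import base64
import hashlib
import os
from typing import Callable, Optional, Tuple

BASE32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"  # 32 symbols per address character
V2_ADDRESS_LEN = 16                                   # 80 bits / 5 bits per character


def v2_onion_address(der_pubkey: bytes) -> str:
    """Tor v2 derivation: base32(SHA-1(DER public key)[:10]), lowercased."""
    truncated = hashlib.sha1(der_pubkey).digest()[:10]
    return base64.b32encode(truncated).decode("ascii").lower()


def is_v2_onion_name(name: str) -> bool:
    """16 characters drawn from the base32 alphabet a-z2-7."""
    return len(name) == V2_ADDRESS_LEN and all(c in BASE32_ALPHABET for c in name)


def expected_attempts(prefix: str) -> int:
    """Each character carries 5 bits, so a k-character prefix needs 32**k keys on average."""
    if not all(c in BASE32_ALPHABET for c in prefix):
        raise ValueError("prefix must use the base32 alphabet a-z2-7")
    return 32 ** len(prefix)


def stand_in_keygen() -> bytes:
    # Assumption: 140 random bytes stand in for a DER-encoded RSA-1024 public key.
    # Real vanity tools (e.g. Shallot) keep one modulus and vary the public
    # exponent, because generating a fresh RSA key per attempt is far slower.
    return os.urandom(140)


def vanity_search(prefix: str, max_attempts: int,
                  keygen: Callable[[], bytes] = stand_in_keygen
                  ) -> Optional[Tuple[bytes, str, int]]:
    """Draw keys until the derived name starts with `prefix`.

    Returns (key, address, attempts), or None if the budget runs out. Only the
    prefix is controlled; the remaining characters are whatever SHA-1 yields,
    which is why the search gives you *a* name starting with 'facebook', not a
    name you chose in full.
    """
    expected_attempts(prefix)  # validates the alphabet up front
    for attempt in range(1, max_attempts + 1):
        key = keygen()
        address = v2_onion_address(key)
        if address.startswith(prefix):
            return key, address, attempt
    return None


def work_ratio(short_prefix: str, full_target: str) -> int:
    """How many times more expensive the full target is than the prefix."""
    return expected_attempts(full_target) // expected_attempts(short_prefix)


if __name__ == "__main__":
    found = vanity_search("fa", 1_000_000)  # 2 characters: ~1024 keys on average
    if found:
        print("prefix 'fa' ->", found[1], "after", found[2], "keys")
    log2 = lambda n: n.bit_length() - 1  # exact for powers of two
    print("'facebook' prefix: about 2**%d keys" % log2(expected_attempts("facebook")))
    print("full 16-char target: about 2**%d keys" % log2(expected_attempts("oxwugzccvk3dk6tj")))
    print("ratio: 2**%d" % log2(work_ratio("facebook", "oxwugzccvk3dk6tj")))
```

The numbers are the whole argument: an 8-character prefix is about 2^40 keys, while pinning all 16 characters of a specific existing name is 2^80, i.e. 2^40 times more work, which is the same as a generic 80-bit preimage search on truncated SHA-1 and not something "a little more effort" buys. The later v3 names are 56 characters long and derived from an Ed25519 key, so the same per-character arithmetic applies but the full-name target is far larger still.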
Christopher White
Hey OP, I'll tell you what's actually going on because this place is filled with actual illiterates, bigender french teenagers, inventors of the letter h, and other such detritus.
This domain was seized by a hostile rogue 'developer' (he never actually developed anything but a couple of python scripts and a massive case of self-importance) and should be warned against whenever you see it. His aliases are stq, NikolaiToryzin, and AlexanderStraunoff. He changes names often but it's usually some pretentious historical shit, because he's a redditor. He lurks everything Tox related hoping to be mentioned so he can fap to how much everyone cares, so just direct people to the proper website and move on so we can avoid overstimulating his bindi. The current domain is tox.chat. Nothing was taken over by the NSA. The "Tox Foundation" was never anything other than stq, who stole a bunch of money and then got run off because he was a weaselwording enterprise fetishist who was only involved in the project to play pretend with webservers. Irungentoo learned his lesson about being too shy to tell people no, and the project is under better management by an incredibly productive sphere of pure best practices known as iphy. That leads into the next point.
This is the fork of toxcore maintained by iphy. It's where feature development takes place now because irungentoo is busy and a little burnt out. There aren't any hard feelings about it. Toktok has clearly set design goals, specs, standards, all that glorious shit to make sure things get done right. No CoC, just code documentation and protocol standards. You shouldn't have to think about what version to use unless you're compiling clients yourself. In that case, yes, you should probably switch to it at some point, although it hasn't yet diverged from toxcore much featurewise, as they're busy creating all the documentation and testing infrastructure that should have been there all along.
Common criticisms of Tox: Welcome to 8ch. If you didn't come from /g/, then you came from reddit, you stupid fucks. Run Tox over Tor. If you want something to be anonymous you run it over Tor. i2p and other layer support is in the works. Grayhatter is developing them and they're testable today in his utox feature fork. He's also working on multidevice, also testable in his utox feature fork. He's overworked, so maybe contribute something other than bitching. This can be safely ignored, obviously. please fill out this form is.gd/EGHhDM
Joshua Rogers
I contribute well-researched bug reports that point to exact problems/lines and they never get a reply so fuck you
Lincoln Hernandez
They've been sitting on the "nearly finished" code for the new group chats for over half a year now. How much longer must I suffer?
Nathan Allen
sorry but Holla Forums has more important things to discuss, like how redpilled 'technology' is.
Christian Perez
Jfreegman is developing new groupchats, grayhatter is developing multidevice.
Also there's a pretty recent update at blog.tox.chat explaining what's going on.
Hudson Perez
Do you report them on github? Can you give an example?
Ethan Sanchez
Link some, whore
Julian Perry
They're holding until TCP-DHT
Gabriel Cooper
Thanks for the well reasoned response, user. I appreciate it a lot. I guess for now I'll just play around with qTox and worry about Toktok when it lands in the official repos. Good to know it's not NSA Approved (TM) yet.
Lucas Bennett
security audit when
Jordan Collins
Never. Tox was a shit idea from some basement dwellers post-Snowden leaks. Their cryptography is a joke compared to OTR (which was available at that time) and Signal.
Easton Harris
Has Signal's server passed a security audit yet?
James Hill
This
And this
It's actually a sad but not uncommon outcome for open source projects. They rely on a volunteer to manage the money, who then steals it. They raised a ton of funds and had a clear road map and very reasonable burn rate, then that cunt fucked them. The sad fact is, no money means no full time code, unless you are mikeeusa. It's a shame they didn't try to become a part of a larger organisation who would manage their funds, like the fsf.
Benjamin Rodriguez
What do you base this edgy opinion on? Tox's networking code is written over the NaCl crypto library, which is state of the art, and it has feature parity with OTR (perfect forward secrecy, deniable authentication, Diffie-Hellman key exchange). I would say it's even more secure than Signal from a design viewpoint, on account of Signal being server-based.
Jackson Collins
When you pay for it. Because you're not just bitching for no reason, you actually want to see it happen, right?
Ethan Reyes
get outta here, nigger
Jaxon Murphy
The NSA/FBI/CIA/BYOD infiltrated the community and ripped it apart. Didn't you see the anti-tox posts on /g/ and Holla Forums?
Matthew Powell
It's an aimless project. There are much better tested alternatives out there.
Leave.
tox.im isn't owned by a domain squatter. It used to be their main site till the guy who owned the domain ended up being a manbaby and ragequit from the project. That's why it now redirects to a "my daddy's a lawyer fuck you" page.
Oh I'm sorry, was this Holla Forums or /tox/?
They didn't break Tor by generating a key to coincidentally have the first few letters spell out Facebook.
Right, because paying those tards has led to such great outcomes in the past.
Jackson Richardson
Spineless shills.
Adam Baker
enjoy your denial of service
Camden Kelly
how much does a third party security audit cost or are there any non-profits that might be interested?
Tyler Morgan
And they failed
Jaxon Perez
There has to be a security industry standard for verifiable audits, right? How do we find out?
Christian Adams
Don't kid yourself. Have you read the postings here?
The cryptographic libraries they use don't matter if they're not used in a good way.
Verifying that you received the public key of the actual recipient you're trying to contact is a serious concern. Also, I'm not a cryptography expert, but the "nonce ratcheting" in Tox doesn't seem like a very secure way of trying to implement what OTR already does. It's also slightly concerning that the design documents are horrible, and it seems the authors confuse 'encrypting' and 'signing' with public keys...
While I must agree that Signal being centralized on one set of servers, and thus able to easily collect metadata, is bad, I don't think Signal was designed with that threat model in mind. It's more of a drop-in replacement for texting, where you don't want the state to be able to read your personal messages to your mother, and not for planning world domination. In such a case, you'd use Tor + OTR anyway :^).
Until Tox can receive an audit, I'd say it's sketchy at best. Please, please, just use Signal or OTR/OMEMO + Tor if you actually want privacy... The arrogance of the developers in the security of their product is enough of a reason not to use Tox.
Joseph Perry
It is used properly. I've looked at the implementation myself.
That's not a tox-specific issue, and is generally solved with OOB communication.
This is where your bad intentions become completely transparent. Telling people to use a fundamentally less secure messenger because -insert baseless slandering of devs here- is not how you convince a tech-literate community of security nerds. Now I'm just convinced you have a conflict of interest. Either you're a paid shill or a competitor. You've been spreading this exact same FUD for three years. It didn't work, and it won't work. If you want to convince people Tox is insecure, you simply need to find a security flaw in the design/code. You can't do that though, so you resort to baseless attacks and >muh audit bullshit. And the fact that (((someone))) is trying so hard to discredit Tox makes me believe that it does its job perhaps too well.
Ryder Miller
nonwhites not welcome
Justin Myers
Please use this service that had a fed gag order for most of 2016 it's trustworthy we promise ;L)