{edited to bring screenshot down locally, because 'uploadimg.ru' is desperately slow & unreliable ~admin}
cryptostorm leaks my IP.
it possible to leak IP when using Ares (wikipedia article)
:/
Ξ welcome to cryptostorm's member forums ~ you don't have to be a cryptostorm member to post here Ξ
Ξ any OpenVPN configs found on the forum are likely outdated. For the latest, visit here or GitHub Ξ
Ξ If you're looking for tutorials/guides, check out the new https://cryptostorm.is/#section6 Ξ
Ξ any OpenVPN configs found on the forum are likely outdated. For the latest, visit here or GitHub Ξ
Ξ If you're looking for tutorials/guides, check out the new https://cryptostorm.is/#section6 Ξ
reported IP address leak when using Ares torrent client
-
- Posts: 613
- Joined: Sun Dec 16, 2012 6:34 am
- Contact:
Ares Galaxy p2p application - IP discovery
Ok, I was not previously familiar with this application so I've had to do some reading on it before responding with anything useful.
Ares appears to be some kind of mash-up of old-model centralised/quasi-centralised peer-to-peer networking tools like Gnutella and some DHT/torrent functionality partially welded onto the outside of it. It's written in Delphi (!!) and is Windows-only, although there's some half-supported ports to other OSes.
It's opensource, and hosted on sourceforge, but... Delphi. On Windows. Which means mostly everything's done outside the actual SRC, in a sense, and it's anyone's guess what actually happens behind the scenes (that's just my own jaded summation, obviously).
The Delphi source is available here (latest build), and I've stuck a zip of it on this post in case someone with much more Delphi/Win knowledge wants to take a peek and correct or expand any of my comments. By all means, please do!
Now, the screenshot above is actually of the GUI as seen by a user at his own computer. That his own machine knows its own physical IP address is, of course, not surprising... however, it's worrisome that it's so prominent about shouting that information via the UI. Just... a little unusual.
A very cursory review of the src files and I saw stuff like this:
That's in module helpR_ipfunc.pas, for those curious:
So this is where I stop and make a Munsch-style ooooooo face. Like this:
There's nothing inherently wrong with application architectures like this. Indeed, there's a certain naivete to them: need to send files? We'll tell everyone our IP address, so they know how to find us! That's the whole idea of having a publicly-routable address, after all.
But in terms of trying to use an application like this to share files without disclosing physical IP... not something I"d personally run out and sign up for. It can be done, no doubt - a bit of googling would likely turn up tweaks or mods or forks of the source or whatever. But, look: this is dressing up a horse as a camel and taking her out into the hot desert sun. She may make it, and she may even appear on the outside camel-ish... but what the fuck? She's not a camel - she's a mare. Don't pretend she's a camel. It'll end badly, sooner or later. Probably sooner.
If there was an online privacy equivalent of the annual Accidents in North American Mountaineering volumes, a huge chunk of the entries would include text such as "victim used a nonstandard 'filesharing' application on a Windows computer and found himself broadcasting all manner of private information to the world..." These applications aren't designed for privacy, they're designed to share stuff promiscuously and aggressively. They're funded by advertising, so the more sharing and more traffic they generate, the more ads they show and the more money they make. So they tend to be somewhat flexible in areas of privacy, if the trade-off is better "peer discoverability" and thus more volume of files being pushed around.
None of this is to say these apps are inherently evil - some are and have been for years, some most certainly aren't. But they're a huge privacy (and often, security) risk. This is structurally the case.
We can't offer assurances, via cryptostorm, that these applications can be prevented from leaking physical IP - or any other data they feel like leaking. That's frustrating to folks who would like us to be a one-stop-shop for leak-blocking - and if we could do so without becoming vastly intrusive in the details of what our members send and receive through cryptostorm, we'd be happy to provide extra privacy! But we can't, for deep structural reasons that I'll try to summarise with a metaphor...
Cryptostorm's job is to ensure, metaphorically speaking, that the letters you send to and receive from the rest of the world don't have your name and address printed on the outside of them when they leave the safe zone of our own cryptostorm network. Instead, they have as the return address "{cryptostorm member} c/o cryptostorm network"... people write back to that address, and via some clever networking and encryption techniques, those letters show right back up in your mailbox, like clockwork. It's pretty cool, it works well, and we are really, really obsessive about making sure no letters slip out with your actual home address printed as "return address" on the outside of them.
That's our job. We accept that responsibility and focus on it continuously. However...
If you put inside that letter a note to someone that your home address is xxx James Street, and mail it out via cryptostorm, there's no way we can prevent that address information from arriving when the letter is opened at its destination. Because we don't look inside letters, ever. That's not our job, and it's not our role, and doing so would be creepy and wrong and break every part of our security model. The downside is, we can't prevent people from doing that - intentionally or otherwise - despite every technological and cryptographic tool we bring to bear on the outside of the envelope itself.
(every now and again, we can find a way to impute that there's a likely unintentional data leak going on inside an envelope and take steps to make sure those don't slip out - that's what we do with our webRTC IP lealblock, for example - but that's a really rare thing, because the risk of making wrong imputations & blocking envelopes members really do want to send is always there... in some cases, the pieces line up so it's clear the block is a net gain for all members, and we'll implement it - along with a way to disable it for those who don't want it active)
One could wrap these "dirty packets" (containing private IP address information) in 10 layers of ECC crypto, and it wouldn't do anything to stop that IP address from being leaked - because it's inside the envelope. Decisions about what goes inside envelopes are made by the operating system of the member's computer. We don't have any voice in that - nor should we. We take stuff once it's packaged up and ready for delivery, and we keep that safe, secure, and private. The letters that are written and placed in those envelopes... not our remit, don't want to know what's in them.
Hopefully this is helpful in laying out the structural side of this question. It's not a "we can't be bothered to secure some things" reply, at all. Instead it's a "we can't secure that, and anything we might do to try to secure it would wreck all the other security we provide elsewhere, and go against our role as a neutral transmitter of envelopes back and forth to the world out there" reply.
As to what things one can do to ensure one's local applications on one's computer aren't sending envelopes full of sensitive data out... that's a huge question, and an important one. Too big for this over-long post, most assuredly.
Cheers,
~ pj
Ares appears to be some kind of mash-up of old-model centralised/quasi-centralised peer-to-peer networking tools like Gnutella and some DHT/torrent functionality partially welded onto the outside of it. It's written in Delphi (!!) and is Windows-only, although there's some half-supported ports to other OSes.
It's opensource, and hosted on sourceforge, but... Delphi. On Windows. Which means mostly everything's done outside the actual SRC, in a sense, and it's anyone's guess what actually happens behind the scenes (that's just my own jaded summation, obviously).
The Delphi source is available here (latest build), and I've stuck a zip of it on this post in case someone with much more Delphi/Win knowledge wants to take a peek and correct or expand any of my comments. By all means, please do!
Now, the screenshot above is actually of the GUI as seen by a user at his own computer. That his own machine knows its own physical IP address is, of course, not surprising... however, it's worrisome that it's so prominent about shouting that information via the UI. Just... a little unusual.
A very cursory review of the src files and I saw stuff like this:
Code: Select all
function GetLocalIp:cardinal;
{type
sockaddr_in = record
case Integer of
0: (sin_family: u_short;
sin_port: u_short;
sin_addr: TInAddr;
sin_zero: array[0..7] of Char);
1: (sa_family: u_short;
sa_data: array[0..13] of Char)
end;}
Code: Select all
{
this file is part of Ares
Aresgalaxy ( http://aresgalaxy.sourceforge.net )
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either
version 2 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
}
{
Description:
ip format/convert misc functions
}
unit helper_ipfunc;
interface
uses
classes,classes2,ares_types,helper_strings,sysutils,synsock,winsock,blcksock,
helper_crypt,vars_global,class_cmdlist,windows;
const
LOW_IP_LIMIT=1;
HIGH_IP_LIMIT=223;
function ip_firewalled(ipC:cardinal):boolean; overload;
function ip_firewalled(const ipS:string):boolean; overload;
function GetLocalIp:cardinal;
function ipint_to_dotstring(ip:cardinal):string;
function ipdotstring_to_anonnick(ip:string):string;
function ip_to_hex_str(ip:cardinal):string;
function inet_addr(cp: PChar): u_long; stdcall; {PInAddr;} { TInAddr }
function inet_ntoa(inaddr: TInAddr): PChar; stdcall;
function headercrypt_to_aresip(str:string):string;
function is_ip(stringa:string):boolean;
function ip_int_to_dotted_reverse(ip:cardinal):string;
function resolve_name_to_ip(dns:string):string;
function ipint_to_anonick(ip:cardinal):string;
function is_banned_ip(ip:cardinal):boolean;
procedure add_ban(ip:cardinal);
function isAntiP2PIP(ip:cardinal):boolean;
function serialize_myConDetails:string;
function isBlockedChat(ip:cardinal):boolean;
var
lista_banned_ip:tnapcmdlist;
implementation
uses
ufrmmain,mysupernodes,const_ares;
function inet_addr; external 'wsock32.dll' name 'inet_addr';
function inet_ntoa; external 'wsock32.dll' name 'inet_ntoa';
function serialize_mycondetails:string;
begin
// do not include supernodes' infos if reachable by others
if not vars_global.im_firewalled then
result:=int_2_dword_string(vars_global.localipC)+
int_2_word_string(vars_global.myport)+
int_2_dword_string(vars_global.LanIPC)
else
result:=int_2_dword_string(vars_global.localipC)+
int_2_word_string(vars_global.myport)+
int_2_dword_string(vars_global.LanIPC)+
mysupernodes.mysupernodes_serialize;
end;
function isBlockedChat(ip:cardinal):boolean;
var
buff:array[0..3] of byte;
begin
result:=false;
move(ip,buff[0],4);
case buff[0] of
50:result:=(buff[1]=97) or //softlayer 50.97.0.0/16
(buff[1]=22) or (buff[1]=23); //softlayer 50.22.0.0/15
64:result:=(buff[1]=31) and (buff[2]<=63); //limestone 64.31.0.0 - 64.31.63.255
67:result:=(buff[1]=228); //softlayer 187.198.0.0/16
69:result:=(buff[1]=162) and (buff[2]>=64); // limestone 69.162.64.0 - 69.162.127.255
74:result:=(buff[1]=63) and (buff[2]>=192); // Limestone Networks 74.63.192.0 - 74.63.255.255
78:result:=(buff[1]=47) and (buff[2]=125); // bondhost 78.47.125.32 - 78.47.125.39
108:result:=(buff[1]=61) and (buff[2]=40); // game hosting 108.61.40.160
173:result:=(buff[1]=193) and (buff[2]>=192); // softlayer 173.193.192.0/18
end;
end;
function isAntiP2PIP(ip:cardinal):boolean;
var
buff:array[0..3] of byte;
begin
result:=false;
move(ip,buff[0],4);
//torrent
case buff[0] of
38:result:=(((buff[1]=118) and (buff[2]=11)) or
( (buff[1]=100) and ((buff[2]>=24) and (buff[2]<=27)) or ((buff[2]>=134) and (buff[2]<=135)) ) ); // cogent
208:result:=((buff[1]=10) and (buff[2]>=23) and (buff[2]<=29)); // sprint
end;
if result then exit;
// DHT
case buff[0] of
38:result:=((buff[1]=99) and ((buff[2]=253) or (buff[2]=254))) or // 38.99.253.XX Performance Systems International Inc.
(buff[1]=102); // Performance systems 38.102.xx.xx
62:result:=((buff[1]=241) and (buff[2]=52)); // 62.241.52.0 - 62.241.52.255 Planetwebhost
208:result:=((buff[1]=86) and (buff[2]=198)); //Quick Connect Hosting
end;
if result then exit;
// first type
case buff[0] of
8:result:=((buff[1]=3) and (buff[2]=210)); // 8.3.210.xx level3 spammer
38:result:=((buff[1]=99) and (buff[2]=252)) or // 38.99.252.XX Performance Systems International Inc.
((buff[1]=107) and ((buff[2]=162) or (buff[2]=161)) ); // 38.99.252.XX Performance Systems International Inc.
64:result:=((buff[1]=62) and (buff[2]>=128)); // 64.62.128.0 - 64.62.255.255 Hurricane Electric
65:result:=((buff[1]=49) and (buff[2]=32)) or
((buff[1]=99) and (buff[2]=204)) or // 65.99.204.0 - 65.99.204.255 Crucial Paradigm
((buff[1]=19) and (buff[2]>=128) and (buff[2]<=191)); // 65.19.128.0 - 65.19.191.255 Hurrican Electric
66:result:=(((buff[1]>=166) and (buff[1]<=167))) or // Covad 66.166.0.0 - 66.167.255.255
( (buff[1]=160) and (buff[2]>=128) and (buff[2]<=207) ) or // 66.160.128.0 - 66.160.207.255 Hurricane Electric
( (buff[1]=180) and (buff[2]=205) ) or //66.180.205.xx Cyberverse Online Spammer
( (buff[1]=186) and (buff[2]>=192) and (buff[2]<=223) ) or // WV FIBER LLC 66.186.192.0 - 66.186.223.255
( (buff[1]=198) and (buff[2]=35) ) or // 66.198.35.104-107-110 TeleGlobe Montreal Spammer
( (buff[1]=45) and (buff[2]>=224)) or // 66.45.224.0 - 66.45.255.255 Interserver SMPLAYER
( (buff[1]=117) and (buff[2]<=15) ); // 66.117.5.xx Corporate Colocation Inc 66.117.0.0 - 66.117.15.255
67:result:=((buff[1]>=100) and (buff[1]<=103)) or // Covad Communications 67.100.0.0 - 67.103.255.255
((buff[1]=159) and (buff[2]<=63)) or // FDCservers.net 67.159.0.0 - 67.159.63.255
((buff[1]=215) and (buff[2]>=224)); // Secured Private Network 67.215.224.0 - 67.215.255.255
69:result:=(buff[1]=175) and (buff[2]<=127); // zapshares.com 69.175.0.0 - 69.175.127.255
70:result:=((buff[1]=38) and (buff[2]<=127)) or //iWeb Dedicated / Technologies
(buff[1]=42);// FSH Network Services 70.42.0.0 - 70.42.255.255
72:result:=(buff[1]=5) or // FSH Networks / Internap 72.5.0.0 - 72.5.255.255
((buff[1]=55) and (buff[2]>=184) and (buff[2]<=191)) or // 72.55.128.0 - 72.55.191.255 iWeb Technologies Inc
((buff[1]=232) and (buff[2]=105)) or
((buff[1]=172) and (buff[2]=92)) or // Net2Ez
((buff[1]=172) and (buff[2]=90)) or
((buff[1]=232) and (buff[2]=94)); // Layered Technologies, Inc. 72.232.0.0 - 72.232.255.255
74:result:=((buff[1]=206) and (buff[2]>=160) and (buff[2]<=191)); //MOJOHOST 74.206.160.0 - 74.206.191.25
78:result:=((buff[1]=129) and (buff[2]=150));
81:result:=((buff[1]=179) and (buff[2]=88) and (buff[3]=79)); // Pipex Dyn 81.179.88.79 ****
83:result:=((buff[1]=142) and (buff[2]>=224) and (buff[2]<=231)); // 83.142.224.0 - 83.142.231.255 Rapidswitch
87:result:=((buff[1]=239) and (buff[2]>=48) and (buff[2]<=55)) or // Server Shed Limited 87.239.48.0 - 87.239.55.255
((buff[1]=117) and (buff[2]=230) and (buff[3]>=128)) or // Rapidswitch 87.117.230.128 - 87.117.230.255
((buff[1]=117) and (buff[2]=231)); // Rapidswitch 87.117.231.0 - 87.117.231.255
96:result:=(buff[1]=127) and (buff[2]>=128) and (buff[2]<=191); // 96.127.128.0 - 96.127.191.255 zapshares SPAMBOT publicidad de ares
99:result:=((buff[1]=192) and (buff[2]>=128)); // MOJOHOST Canada 99.192.128.0 - 99.192.255.255
108:result:=((buff[1]=178) and (buff[2]<=63)) or // 108.178.0.0 - 108.178.63.255 zapshares FAKE
((buff[1]=229) and (buff[2]<=127)); // 108.229.0.0 - 108.229.127.255 AT&T ATT-CLOUD
168:result:=(buff[1]=151); // Intelligence Network, Inc. 168.151.0.0 - 168.151.255.255
173:result:=(buff[1]=203); //173.203.0.0 - 173.203.255.255 Rackspace Hosting
174:result:=((buff[1]=36) or (buff[1]=37)); //SoftLayer Technologies Inc. 174.36.0.0 - 174.37.255.255
184:result:=((buff[1]=72) or (buff[1]=73)) or //AMAZON hosts 184.72.0.0 - 184.73.255.255
(buff[1]=154); //184.154.0.0/16 zapshares SingleHop, Inc. SPAMBOT publicidad de ares
189:result:=((buff[1]=43) and ((buff[2]=25) or (buff[2]=26))); //Embratel BR 189.43.25.0/26
202:result:=((buff[1]=167) and (buff[2]>=224)); // EQUINIXAP-NET 202.167.224.0 - 202.167.255.255
204:begin
if buff[1]=193 then begin
result:=((buff[2]>=128) and (buff[2]<=159)); //GLOBIXBLK4 USA 204.193.128.0 - 204.193.159.255
end else
if buff[1]=236 then begin // Amazon Web Services 204.236.128.0 - 204.236.255.255
result:=(buff[2]>=128);
end;
end;
205:result:=((buff[1]=134) and ((buff[2]=238) or (buff[2]=239))); // xeex 205.134.238.0 - 205.134.239.255
206:result:=(buff[1]=190) and (buff[2]>=128) and (buff[2]<=159); // 206.190.128.0 - 206.190.159.255 Hosting Services, Inc
207:result:=((buff[1]=7) and (buff[2]=136)) or
((buff[1]=171) and ((buff[2]>=61) or (buff[2]<=62))) or // Regard Systems Integrators 207.171.61.0 - 207.171.61.255
((buff[1]=212) and (buff[2]=26)); // PacificNet 207.212.26.0 - 207.212.26.255
208:result:=((buff[1]=93) and (buff[2]>=4) and (buff[2]<=7)); // hosting central 208.93.4.0 - 208.93.7.255
209:begin
result:=(buff[1]=10) or // GLOBIXBLK3 USA 209.10.0.0 - 209.10.255.255
((buff[1]=195) and (buff[2]<=63)) or// 209.195.0.0 - 209.195.63.255 ( Macrovision Corporation )
((buff[1]=51) and (buff[2]>=160) and (buff[2]<=191)); // 209.51.160.0 - 209.51.191.255 Hurrican Electric
end;
212:begin
if buff[1]=71 then begin
result:=(buff[2]>=224); // Globix it 212.71.224.0 - 212.71.255.255
end;
end;
213:begin
if buff[1]=219 then begin
if buff[2]=9 then begin
result:=(buff[3]>=192); // X Works 213.219.9.192 - 213.219.9.255
end;
end;
end;
216:begin
result:=((buff[1]=58) and (buff[2]<=127)) or //216.58.0.0 - 216.58.127.255 Information Gateway Services
((buff[1]=18) and (buff[2]=228) and (buff[3]<=95)) or //216.18.228.0 - 216.18.228.95 PROTONSOLUTION-1
((buff[1]=58) and (buff[2]=193)) or // 216.58.193.xx Fox Communications
((buff[1]=66) and (buff[2]<=95)) or // 216.66.0.0 - 216.66.95.255 Hurrican Electric
((buff[1]=218) and (buff[2]>=128)) or // 216.218.128.0 - 216.218.255.255 Hurrican Electric
((buff[1]=230) and (buff[2]>=224) and (buff[2]<=239));//216.230.224.0 - 216.230.239.255 The Optimal Link Corporation
end;
end;
if result then exit;
// second type
case buff[0] of
24:result:=((buff[1]=76) and (buff[2]=251)); // SHAW Ottawa 24.76.251.x *****
63:begin
result:= ((buff[1]>=216) and (buff[1]<=223)) or // Beyond the net 63.216.0.0 - 63.223.255.255
((buff[1]>=236) and (buff[1]<=239)); // QWEST COMUNICATION 63.236.0.0 - 63.239.255.255
end;
64:begin
if buff[1]=70 then result:=(buff[2]<=111); // Savvis 64.70.0.0 - 64.70.111.255
end;
66:result:=( (buff[1]=172) or // Fastserve Network 66.172.0.0 - 66.172.63.255
((buff[1]=110) and (buff[2]<=127)) or // TeleGlobe 66.110.0.0 - 66.110.127.255
((buff[1]=25) and (buff[2]=7)) ); // RR Houston TX 66.25.7.237 ****
69:begin
if buff[1]=26 then begin
result:=((buff[2]>=160) and (buff[2]<=191)); // Net Sentry Corp 69.26.160.0 - 69.26.191.255
end;
end;
72:begin
if buff[1]=35 then begin
result:=((buff[2]>=224) and (buff[2]<=239)); // FUZION COLO NV 72.35.224.0 - 72.35.239.255
end;
end;
142:result:=(buff[1]=162); // Stentor National 142.162.0.0 - 142.162.255.255
154:result:=(buff[1]=37); // PERFORMANCE SYSTEM 154.37.0.0 - 154.37.255.255
204:begin
if buff[1]=11 then begin
result:=((buff[2]>=16) and (buff[2]<=19)); //Your OneStop Network, Inc 204.11.16.0 - 204.11.19.255
end;
end;
205:result:=((buff[1]=177) or // Beyond The net 205.177.0.0 - 205.177.255.255
(buff[1]=252)); // Beyond The Network America, Inc 205.252.0.0 - 205.252.255.255
206:result:=(buff[1]=161); // Beyond The Network America 206.161.0.0 - 206.161.255.255
207:result:=(buff[1]=226); // Beyond The Network America 207.226.0.0 - 207.226.255.255
208:result:=((buff[1]>=48) and (buff[1]<=50));// Global Crossing 208.48.224.0 - 208.50.127.255
216:begin
if buff[1]=8 then begin
result:=(buff[2]>=192); // Cosmex Media 216.8.192.0 - 216.8.255.255
end else
if buff[1]=9 then begin
result:=((buff[2]>=160) and (buff[2]<=175)) or // Western PA Internet Access, Inc. 216.9.160.0 - 216.9.175.255
((buff[2]>=192) and (buff[2]<=207)); // ASI comunication 216.9.192.0 - 216.9.207.255
end else
if buff[1]=151 then begin
result:=((buff[2]>=128) and (buff[2]<=159));// xeen.net 216.151.128.0 - 216.151.159.255
end else
result:=(buff[1]=156); //XO Communications 216.156.0.0 - 216.156.255.255
end;
220:result:=(buff[1]=255); // SingNet Pte Ltd 220.255.0.0 - 220.255.255.255
221:result:=(buff[1]=189);// NTT Communications Corporation 221.184.0.0 - 221.191.255.255 ****
end;
end;
procedure add_ban(ip:cardinal);
begin
if lista_banned_ip=nil then lista_banned_ip:=tnapcmdlist.create;
if lista_banned_ip.FindById(ip)<>-1 then exit;
lista_banned_ip.addcmd(ip,'');
end;
function is_banned_ip(ip:cardinal):boolean;
begin
try
if lista_banned_ip=nil then begin
result:=false;
exit;
end;
result:=(lista_banned_ip.FindById(ip)<>-1);
except
result:=false;
end;
end;
function resolve_name_to_ip(dns:string):string;
var
lista:tmystringlist;
begin
result:='';
lista:=tmystringlist.create; //otteniamo ip reale per cript decript
ResolveNameToIP(dns,lista);
if lista.count<1 then begin
lista.free;
exit;
end;
result:=lista.strings[0];
lista.free;
end;
function ip_int_to_dotted_reverse(ip:cardinal):string;
var ia: in_addr;
ipi:integer;
str:string;
begin
str:=int_2_dword_string(ip);
str:=reverse_order(str);
ipi:=chars_2_dword(str);
ia.S_addr := ipi;
result := inet_ntoa(ia);
end;
function is_ip(stringa:string):boolean;
var
i:integer;
puntini:byte;
begin
puntini:=0;
for i:=1 to length(stringa) do begin
if ((stringa[i]<>'0') and (stringa[i]<>'1') and
(stringa[i]<>'2') and (stringa[i]<>'3') and
(stringa[i]<>'4') and (stringa[i]<>'5') and
(stringa[i]<>'6') and (stringa[i]<>'7') and
(stringa[i]<>'8') and (stringa[i]<>'9') and
(stringa[i]<>'.')) then begin
result:=false;
exit;
end else if stringa[i]='.' then inc(puntini);
end;
result:=(puntini=3);
end;
function headercrypt_to_aresip(str:string):string;
var
ip,ip_server:integer;
port,port_server:word;
begin
if length(str)<>12 then begin
result:='';
exit;
end;
str:=hexstr_to_bytestr(str);
str:=d54(str,3617);
ip_server:=chars_2_dword(copy(str,1,4));
port_server:=chars_2_word(copy(str,5,2));
ip:=chars_2_dword(copy(str,7,4));
port:=chars_2_word(copy(str,11,2));
result:=ipint_to_dotstring(ip_server)+':'+inttostr(port_server)+'|'+
ipint_to_dotstring(ip)+':'+inttostr(port);
end;
function ip_to_hex_str(ip:cardinal):string;
var i:integer;
str:string;
begin
try
str:=int_2_dword_string(ip);
result:='';
for i:=1 to length(str) do result:=result+inttohex(ord(str[i]),2);
result:=lowercase(result);
except
end;
end;
function ipdotstring_to_anonnick(ip:string):string;
var
ipi:integer;
begin
ipi:=inet_addr(pchar(ip));
result:=STR_ANON+ip_to_hex_str(ipi);
end;
function ipint_to_anonick(ip:cardinal):string;
begin
result:=STR_ANON+ip_to_hex_str(ip);
end;
function ipint_to_dotstring(ip:cardinal):string;
var ia: in_addr;
begin
ia.S_addr := ip;
result := inet_ntoa(ia);
end;
function GetLocalIp:cardinal;
{type
sockaddr_in = record
case Integer of
0: (sin_family: u_short;
sin_port: u_short;
sin_addr: TInAddr;
sin_zero: array[0..7] of Char);
1: (sa_family: u_short;
sa_data: array[0..13] of Char)
end;}
var
s:string;
hname:string;
lista:tmystringlist;
begin
Result:=0;
try
setlength(s, 255);
synsock.GetHostName(pchar(s), Length(s) - 1);
hname := Pchar(s);
if hname = '' then Result := 0 else begin
lista:=tmystringlist.create;
ResolveNameToIP(hname,lista);
if lista.count>0 then result:=inet_addr(pchar(lista.strings[0])) else Result := 0;
lista.free;
end;
except
end;
end;
function ip_firewalled(ipC:cardinal):boolean;
var
buffer:array[0..3] of byte;
begin
result:=false;
move(ipC,buffer[0],4);
if buffer[0]>HIGH_IP_LIMIT then begin
result:=true;
exit;
end;
if buffer[0]<LOW_IP_LIMIT then begin
result:=True;
exit;
end;
case buffer[0] of
10:result:=true;
127:result:=((buffer[1]=0) and (buffer[2]=0) and (buffer[3]=1));
192:result:=(buffer[1]=168);
172:result:=((buffer[1]>=16) and (buffer[1]<=32));
end;
end;
function ip_firewalled(const ipS:string):boolean;
begin
result:=ip_firewalled(inet_addr(pchar(ipS)));
end;
end.
But in terms of trying to use an application like this to share files without disclosing physical IP... not something I"d personally run out and sign up for. It can be done, no doubt - a bit of googling would likely turn up tweaks or mods or forks of the source or whatever. But, look: this is dressing up a horse as a camel and taking her out into the hot desert sun. She may make it, and she may even appear on the outside camel-ish... but what the fuck? She's not a camel - she's a mare. Don't pretend she's a camel. It'll end badly, sooner or later. Probably sooner.
If there was an online privacy equivalent of the annual Accidents in North American Mountaineering volumes, a huge chunk of the entries would include text such as "victim used a nonstandard 'filesharing' application on a Windows computer and found himself broadcasting all manner of private information to the world..." These applications aren't designed for privacy, they're designed to share stuff promiscuously and aggressively. They're funded by advertising, so the more sharing and more traffic they generate, the more ads they show and the more money they make. So they tend to be somewhat flexible in areas of privacy, if the trade-off is better "peer discoverability" and thus more volume of files being pushed around.
None of this is to say these apps are inherently evil - some are and have been for years, some most certainly aren't. But they're a huge privacy (and often, security) risk. This is structurally the case.
We can't offer assurances, via cryptostorm, that these applications can be prevented from leaking physical IP - or any other data they feel like leaking. That's frustrating to folks who would like us to be a one-stop-shop for leak-blocking - and if we could do so without becoming vastly intrusive in the details of what our members send and receive through cryptostorm, we'd be happy to provide extra privacy! But we can't, for deep structural reasons that I'll try to summarise with a metaphor...
Cryptostorm's job is to ensure, metaphorically speaking, that the letters you send to and receive from the rest of the world don't have your name and address printed on the outside of them when they leave the safe zone of our own cryptostorm network. Instead, they have as the return address "{cryptostorm member} c/o cryptostorm network"... people write back to that address, and via some clever networking and encryption techniques, those letters show right back up in your mailbox, like clockwork. It's pretty cool, it works well, and we are really, really obsessive about making sure no letters slip out with your actual home address printed as "return address" on the outside of them.
That's our job. We accept that responsibility and focus on it continuously. However...
If you put inside that letter a note to someone that your home address is xxx James Street, and mail it out via cryptostorm, there's no way we can prevent that address information from arriving when the letter is opened at its destination. Because we don't look inside letters, ever. That's not our job, and it's not our role, and doing so would be creepy and wrong and break every part of our security model. The downside is, we can't prevent people from doing that - intentionally or otherwise - despite every technological and cryptographic tool we bring to bear on the outside of the envelope itself.
(every now and again, we can find a way to impute that there's a likely unintentional data leak going on inside an envelope and take steps to make sure those don't slip out - that's what we do with our webRTC IP lealblock, for example - but that's a really rare thing, because the risk of making wrong imputations & blocking envelopes members really do want to send is always there... in some cases, the pieces line up so it's clear the block is a net gain for all members, and we'll implement it - along with a way to disable it for those who don't want it active)
One could wrap these "dirty packets" (containing private IP address information) in 10 layers of ECC crypto, and it wouldn't do anything to stop that IP address from being leaked - because it's inside the envelope. Decisions about what goes inside envelopes are made by the operating system of the member's computer. We don't have any voice in that - nor should we. We take stuff once it's packaged up and ready for delivery, and we keep that safe, secure, and private. The letters that are written and placed in those envelopes... not our remit, don't want to know what's in them.
Hopefully this is helpful in laying out the structural side of this question. It's not a "we can't be bothered to secure some things" reply, at all. Instead it's a "we can't secure that, and anything we might do to try to secure it would wreck all the other security we provide elsewhere, and go against our role as a neutral transmitter of envelopes back and forth to the world out there" reply.
As to what things one can do to ensure one's local applications on one's computer aren't sending envelopes full of sensitive data out... that's a huge question, and an important one. Too big for this over-long post, most assuredly.
Cheers,
~ pj
...just a scatterbrained network topologist & crypto systems architect……… ҉҉҉
[list]
[/list]
☯ pj@ðëëþ.be ☯ keybase pgp ☯ mit pgp ☯ ðørkßöt-on-console ☯ git 'er github
bitmessage: BM-NBBqTcefbdgjCyQpAKFGKw9udBZzDr7f[/color]
[list]



☯ pj@ðëëþ.be ☯ keybase pgp ☯ mit pgp ☯ ðørkßöt-on-console ☯ git 'er github
bitmessage: BM-NBBqTcefbdgjCyQpAKFGKw9udBZzDr7f[/color]