Toxic – A distributed, secure, command-line based instant messenging client (opens in new tab)

(github.com)

127 pointsJfreegman11y ago81 comments

81 comments

60 comments · 18 top-level

ex-contributor11y ago· 18 in thread

DISCLAIMER: I am one of the many Tox ex-contributors, who used to work on it in the past. I don't want to be identified due to harassment other ex-contributors suffered in the past. The following message is my point of view on the project as a whole.

Proplex, a long-time member of the Tox-Foundation and in charge of both infrastructure and marketing, called out tox devs because the 2 people in charge (irungentoo and stqism) were dealing with money in a shady way and he got suspicious. This lead him to leaving the Tox Foundation Proof: https://gist.github.com/irungentoo/5af26f5edefcdb7eac72

After he went away and stopped to pay for the website and other servers (he hosted everything), Tox devs got angry and tracked his online activity by his browser UA, read his private email sent to his @tox.im address and considered breaking into his VPS account Proof: https://gist.github.com/urras/ba792274f5aaf662a082/5d91d2a78... and https://archive.today/KkSWp

Members of the Tox Foundation such as stqism try constantly to sneak in copyright changes in unrelated fixes: Proof: https://github.com/irungentoo/toxcore/pull/1219 and https://github.com/irungentoo/toxcore/pull/1224

irungentoo enforced censorship on his github repo to try to cover everything up Proof: https://github.com/irungentoo/toxcore/issues/1227

After it got out of hand and too many people called out the Tox Foundation, this happened: Proof: http://a.pomf.se/kqwgsg.png

irungentoo claims Tox is secure just because he uses a secure primitive, which is really arrogant and something only a pretentious deceiver would say. This is a crypto 101 mistake. Proof: https://github.com/irungentoo/toxcore/issues/121#issuecommen...

After the points exposed above, the conclusion is obvious, at least for me.

The Tox Foundation claims Tox is completely secure and nobody can break in, not even the NSA. Still, there's been no security audit and it is highly likely Tox isn't completely secure, given it's alpha software. But their website gives the idea people face no risk by using Tox right now. They are deceiving people to believe it is secure so they gain more users at the expense of putting users privacy at risk. Proof: https://tox.im itself. See all security claims even though it hasn't been audited. Saying it's "alpha" doesn't mean to anything to non-tech-savvy, they will think it's missing a feature or two, not that their privacy and security is possibly compromised.

I believe it's my moral obligation, and of everyone's else reading this, not to use Tox. You are contributing to a shady foundation composed of menchildren that don't care about other's privacy, deals with money in a shady way and dox people who go against them. Do not trust the Tox Foundation - this is my personal message.

colechristensen11y ago

There is a whole lot of green on this thread. The text is copied [1] and has been posted several other places. Generally the tone here and strong somewhat overreacting stances aren't particularly becoming of the HN community.

1. https://www.google.com/search?q=%22irungentoo+enforced+censo...

jumpwah11y ago

Also see #1229 (not much, but related): https://github.com/irungentoo/toxcore/issues/1229

Edit: I have no affiliation here, just an outside observer. I think it's relevant because, unlike the screenshot of #1228, the still alive 1229 issue (at least) shows that this happened nearly a month ago.

Whether or not the fact that it happened nearly a month ago matters I don't know, but at least it's a bit of extra context/info.

irungentoo11y ago

>Proplex, a long-time member of the Tox-Foundation and in charge of both infrastructure and marketing, called out tox devs because the 2 people in charge (irungentoo and stqism) were dealing with money in a shady way and he got suspicious

We barely get any donations. We barely have money and we are very transparent about it, look at our donations page.

>After he went away and stopped to pay for the website and other servers (he hosted everything)

He disappeared one day, didn't warn us or anything and took everything (including backups) with him.

>Tox devs got angry and tracked his online activity by his browser UA, read his private email sent to his @tox.im address and considered breaking into his VPS account

Yes because I wanted to know if he had done anything weird on the site. We never considered breaking into his account. His tox.im mail was never remade on the new tox.im mail server so all emails sent to it ended up in our catch all email.

>Members of the Tox Foundation such as stqism try constantly to sneak in copyright changes

I'm a member of the Tox foundation and I don't sneak in copyright changes in my repo. He also didn't try to sneak it in. I never merge pull requests before reading everything first.

>After it got out of hand and too many people called out the Tox Foundation, this happened

Yes and I explained exactly what happened. What is the issue?

>irungentoo enforced censorship on his github repo to try to cover everything up

Because kicking trolls is censorship?

>irungentoo claims Tox is secure just because he uses a secure primitive

Scroll down to my next comment in that thread.

Sorry for my previous comment. This one should be better.

nfkd11y ago

>We barely get any donations. We barely have money That's relative and your wording is slippery here. What is "barely no money"? $50? $100? In any case, donated money should be dealt with in a better way. Even an ex-member of the foundation (Proplex) had a big issue with this. He actually left because of the shady way you dealt with money and, since then, nothing changed.

>we are very transparent about it, look at our donations page. That page tell barely nothing and is outdated. What's the money being spent on? Who's the financial manager? As a donator, how can I be sure my money is being spent on Tox and not on personal servers, vacations, etc. by the Tox Foundation leaders? There were rumors about that, and although I don't believe them, this is a serious issue anyway.

>He disappeared one day, didn't warn us or anything and took everything (including backups) with him. And on the same day you started harassing him, without even listening to his side of the story? And what do you mean with backups? You are saying you or other project members didn't keep local backups? That would be an amateur mistake to make.

>Yes because I wanted to know if he had done anything weird on the site And the NSA just wants to know if we had done anything weird on their country. /sarcasm Do you think that justifies spying on him?

>We never considered breaking into his account But you said the following at #tox-secret on January 14th: "urras, if you want to forcefully gain access to his digital ocean account I can reset his pass" SOURCE: https://archive.today/Y6LEw (line 45)

>His tox.im mail was never remade on the new tox.im mail server so all emails sent to it ended up in our catch all email As soon as he left the project you should have deleted his @tox.im email account or at least temporarily disabled it. It's unethical to keep receiving (and reading) emails that were meant to someone else.

>I'm a member of the Tox foundation and I don't sneak in copyright changes in my repo I never said you did, I was talking about stq, the second in command of the foundation. https://github.com/stqism/ToxCore/commit/bed425598f26938bd54...

>Because kicking trolls is censorship? Tell me, how is this a troll? http://i.imgur.com/HNFtcOG.png Keep in mind the title was defaced (and later on the message) by irungentoo. As soon as dfortner raised up those questions, you locked the issue, edited his messages to say garbage, hurting his image, and banned him from the repository so he couldn't raise the issue again.

>Sorry for my previous comment. This one should be better. This one isn't a blatant rant without content like the other one, it's just some damage control. I honestly don't know what is worse, but I guess you are right on saying this is a little better.

JfreegmanOP11y ago

Unfortunately, being affiliated with 4chan means we attract a lot of trolls pretending to be "ex-devs" or "concerned members of the community" who have nothing better to do with their time than to spread FUD (https://en.wikipedia.org/wiki/Fear,_uncertainty_and_doubt). We certainly aren't perfect, and have made our fair share of mistakes, but at the end of the day this is just personal drama that serves to distract from the software.

Lazare11y ago

Well, that's fascinating. Thanks for providing some important context.

cynicalkane11y ago

One of the "proof"s given here is that a pull request changed a 2013 copyright to a 2013-2015 copyright, as though that's sinister somehow. I stopped reading after that.

exposing11y ago

Read it again. https://github.com/stqism/ToxCore/commit/bed425598f26938bd54... He tried to get copyright away from people and assign it to the "Tox Foundation", all during a supposedly unrelated minor bug fix.

jumpwah11y ago

I think it's because of changing 'project' to 'Foundation': https://github.com/irungentoo/toxcore/pull/1219#commitcommen...

impossibru11y ago

This is literally a 4chan troll copying and pasting the same thing over and over again on /g/ http://rbt.asia/g/?task=search&ghost=yes&search_text=%22Afte... http://rbt.asia/g/?task=search&ghost=yes&search_text=The+%22...

If you actually go and see the "proof" links you'll see most of them are 404 because the OP didn't bother to updating them.

ex-contributor11y ago

Or maybe the Tox Foundation is covering it up?

Hopefully I archive most for good measure.

https://archive.today/Y6LEw

https://archive.today/MajJV

https://archive.today/KkSWp

https://archive.today/CWBUp

http://a.pomf.se/kqwgsg.png

1 more reply

threatofrain11y ago

We should drop that "proof" argument because it's just an argument that impossibru, a completely fresh account, mindlessly threw out.

What we have in this forum are achive.org links. Those links contain conversations about breaking into Proplex's accounts and tracking Proplex's behavior. We should not have to filter past this argument of yours.

Your other argument just accuses someone of being a forum troll.

1 more reply

derlel11y ago

Sounds like an extremely one-sided version of an argument. Why should we care about the devs? If the source is open and the software is good, I can tolerate Linus-tier rants if need be.

ex-contributor11y ago

The issue is that if you use Tox you support their foundation, the Tox Foundation™ which deals with money in a shady way and deceive their users just in order to grow. I, for moral and ethical principles, don't want to have anything to do with such a thing and believe it's necessary to let people know about the situation. If they couldn't even respect an ex-developer privacy[0] how can we expect them to run a foundation and create a supposedly secure instant messaging?

[0] https://archive.today/Y6LEw

2 more replies

LeoPanthera11y ago

Open source developers with attitude problems? Surely this has never occurred before.

To be less sarcastic: Does it matter who the developers are and how they behave? If the source is open then it can be reviewed by anyone. If it works, there is no reason not to use it.

bch11y ago

If the project is toxic (no pun intended) that's good enough reason to have nothing to do with it, period. If the above is true, a fork with a less-hostile community/development-environment would be a Good Thing.

irungentoo11y ago

You are just some troll trying to kill our project with fabrications and lies. You twist the truth to fit your own agenda.

The guy in question tried to damage the project on his way out so yes I grepped our server logs for his ips because I wanted to know if he had tried anything weird.

This guy posting this comment here is someone who decided to start this war against the project after I refused to kick someone who actually did something from our project. He posts this bullshit everywhere.

scrollaway11y ago

It doesn't help that you have zero clue how to answer professionally to actual trolls.

Hint: it involves replying to actual concerns rather than ad hominems. I mean, it's not like GP doesn't have any material on you, there's some pretty shitty stuff going on there.

jbangert11y ago· 8 in thread

My one experience with the Tox project was that I made a few (I thought) constructive suggestions. First, I suggested they use some form of static analysis or perhaps a 'safer' language to implement their core functionality - such as Rust or Go, instead of rather messy (at the time) C code.

Furthermore, having spent a lot of time researching parsers and how parser differentials can affect the security of systems, I suggested they use some tools, such as protocol buffers, to eliminate handwritten parsing code. The response I got was rather disheartening and downright hostile - it boiled down to the fact that protocol buffers involves C++ code which they are a priori against, without actually engaging in a factual argument (I wrote an article in the current USENIX login/ last years OSDI about parsers for binary protocols for anyone interested in background: https://www.usenix.org/system/files/conference/osdi14/osdi14... and github.com/jbangert/nail)

irungentoo11y ago

First of all the choice of C is because it was the language I was the most confidant writing secure code in. I'm not going to learn a new language and then right away start try to write secure code with it.

Clang has some great tools I use like the various sanitizers. Static analysis sucks and almost never finds any real issues but we still use it.

If you think toxcore should use protocol buffers, feel free to port it. This is an open source project and contributions are welcome. If you do a better job than me then I will merge your contribution. We are at #tox-dev on freenode.

nfkd11y ago

But why create your own parser instead of using proven-secure ones? Sounds like NIH Syndrome to me.

dethstar11y ago

There was a tox-core rewrite in Rust[1], but it's been abandoned. According to the author until Tox gets proper doc.

https://github.com/mahkoh/Xot

sillysaurus311y ago

The response I got was rather disheartening and downright hostile - it boiled down to the fact that protocol buffers involves C++ code which they are a priori against

Being against C++ isn't inherently a bad thing. For example, Tarsnap probably won't ever use C++ code.

I can't read your PDF because of an SSL certificate error.

jbangert11y ago

Weird, it works here. I put a copy on my webpage at http://csail.mit.edu/~julian/papers/login_nail.pdf

As has been pointed out below, there are many C bindings for Protobuf (and my argument was that using something like protobuf allows reimplementing the protocol).

1 more reply

lipnitsk11y ago

There are also protocol buffers libraries for and in C code, such as the protobuf-c library: https://github.com/protobuf-c/protobuf-c

stingraycharles11y ago

Our of interest, could you share the url to the discussion?

jbangert11y ago

https://github.com/irungentoo/toxcore/issues/137

3 more replies

simlevesque11y ago· 3 in thread

Is Tox secure ? Compared to tinfoil chat

ex-contributor11y ago

Tox still hasn't solved the serious metadata leakage issue.

They tried to cover it up by adding onion-routing for friend requests, but ACTUAL MESSAGES are still done directly.

Strong adversaries such as your ISP and agencies like the NSA, the GCHQ, etc. can still collect metadata about your conversations.

The "Tox Foundation" tries to cover this up and pretend that "tox was never meant to be anonymous", but the truth is harsh.

Now, this wouldn't be a problem if the Tox Foundation made this issue clear to its users. This is how P2P works, after all, direct connections, and that's fine.

But the problem is that Tox doesn't make that obvious for non-tech-savvy users.

When they read on the website that they are completely safe from the NSA and whatnot, they won't expect to be in any way exposed.

Still, unless these non-tech-savvy users "route all incoming and outgoing traffic through Tor" they won't be completely safe and should be worried about metadata leakage and adding people they don't actually know. But such a thing isn't made clear and Tox deceives users this way, only to get more people using it. It's unethical and outright wrong, in my personal opinion.

urras11y ago

Again, don't listen to this guy. He just copies and pastes this stuff from 4chan.

2 more replies

JfreegmanOP11y ago

Tox is DHT/P2P based which means it does not rely on any type of centralized authority, and all traffic is encrypted using the sodium crypto library (https://github.com/jedisct1/libsodium).

Full disclosure: Tox has not yet been professionally audited.

ex-contributor11y ago· 2 in thread

One of the links I posted above "mysteriously" disappeared. I have an archived version though. It's one of the key-points of the situation I exposed, so it's worth a read.

https://archive.today/Y6LEw

urras11y ago

Yeah, I deleted that Gist because you're using it out of context. I've talked with you one-on-one, and I've asked you to stop pasting it wherever someone mentions Tox.

exposing11y ago

HIGHLIGHTS

irungentoo: tox main developer, head of the Tox Foundation NikolaiToryzin (stqism): second in command, run the Tox Foundation's monetary operation The rest are other developers on the #tox-secret channel.

TRACKING PROPLEX, AN EX-MEMBER OF THE TOX FOUNDATION, ONLINE ACTIVITY THROUGH HIS UA:

irungentoo prolapses phone seems to have a unique user agent

NikolaiToryzin If you tell me it I can make tox.im return stuff to him only

irungentoo 'Mozilla/5.0 (Linux; Android 4.4.2; SM-N900V Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.69 Mobile Safari/537.36' NikolaiToryzin That'll be fun

READING HIS PRIVATE EMAIL:

irungentoo basically proplex did an email request change on his digital ocean account which means an email containing his ip got sent to david@tox.im which ended up in the catch all email

urras irungentoo: Any interesting emails? irungentoo urras, if you want to forcefully gain access to his digital ocean account I can reset his pass

[...]

NikolaiToryzin But they want his personal info

urras How do you guys know

NikolaiToryzin Emails.

irungentoo comparing himself to the NSA:

irungentoo I feel like the NSA

irungentoo tracking people across ips even without cookies is so easy

irungentoo https://mail.tox.im/prolapse.txt [link now unavailable, but I archived it https://archive.today/KkSWp ]

irungentoo why would I want to go after terrorists?

irungentoo blackmailing people with power is much more lucrative

TRACKING AN EX-DEVELOPER AGAIN:

irungentoo 173.52.122.131 - - [13/Jan/2015:00:33:01 -0500] "GET /User:Proplex HTTP/1.1" 404 3656 "https://github.com/Tox/Tox-Website" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"

irungentoo interesting

irungentoo I like how he checked if the wiki was up: 96.250.8.105 - - [20/Dec/2014:02:12:30 -0500] "GET / HTTP/1.1" 301 5 "https://tox.im/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36"

irungentoo you really don't need cookies to track people online.

plutooo11y ago· 2 in thread

tox does not attempt to hide your ip. Every single friend you have added has your ip. This is by design.

JfreegmanOP11y ago

That's partially true. However if you force TCP connections (in Toxic this is done with the -t flag) your IP is effectively hidden from your contacts because all your traffic gets relayed by TCP nodes in the network. The downside is that forced TCP connections are slower and less reliable.

Though to be properly anonymous you would need to run it through Tor: https://wiki.tox.im/Tox_over_Tor_(ToT)

The reason Tox doesn't have built in anonymity is because strong anonymity has a massive impact on quality (especially streaming data like audio/video). Our goal is to steal normal (non-paranoid) users from Skype and get everyone and their mother using strong encryption. In order to achieve that we need to have comparable quality rather than something that feels like you're using a 28.8k modem.

And again, anyone who actually wants anonymity still has that option.

platz11y ago

If broad adoption is truly your goal you have a branding problem. Normal people will not use a tool called 'toxic' which prints crazy ASCII letters in the command line. You might as well ask soccer moms to hold the line at occupy wall street.

2 more replies

rasengan11y ago· 2 in thread

It's not really command-line since it relies on ncurses. I thought it was something different like where you're literally sitting at the command-line within some short of shell like:

toxuser@toxbox:~$ tox send pg "Hi, YC looks cool!"

Or maybe even crazier like that Zero project thing (I forget what it is called).

That said, good stuff. :)

JfreegmanOP11y ago

True, but I figure it's close enough. There is a true CLI client for Tox called Ratox. It's pretty neat. https://wiki.tox.im/Ratox

SeanQ11y ago

raTox is a actually really fun to use, but it's less of a client and more of a command line tool in a bash script.

AgentME11y ago· 2 in thread

Can Tox do persistent group text chats with offline message delivery to people when they sign in again? It's the one killer feature of Skype that keeps me on it. No open messaging programs ever support this it seems like.

JfreegmanOP11y ago

Currently no, but there is a groupchat rewrite underway and that is one of the planned improvements.

hammerandtongs11y ago

I look forward to this.

I have to echo the parent though, getting history from the period you were disconnected is a killer feature of skype that seems to get little or no attention.

It is one of the major things that keeps some of my group chats on skype.

1 more reply

exposing11y ago· 2 in thread

If you use a secure crypto primitive, is it correct to say your program is secure?

I mean, can you be sure something is secure just because of the crypto lib?

I thought there had something to do with the implementation too?

I ask this because of Tox. The main developer claims Tox is secure because of the crypto library.

It sounds weird to me, so I decided to ask... After all, if it was this easy all programs would be secure, right? Just import a secure crypto lib and it's done? Sounds weird.

https://github.com/irungentoo/toxcore/issues/121#issuecommen...

jimktrains211y ago

Having a sound library removes a whole host of issues; however, it doesn't remove all of them. First and second among many are key management and concatenating values before hashing or signing.

detaro11y ago

No, you didn't decide to ask, you take a lot of redirections and bullshitting to point out your link. Which is an interesting contribution, but the way you deliver it is really bad style and annoying.

dang11y ago· 1 in thread

We've closed this thread to noob accounts (except the submitter) because of troll activity.

zaroth11y ago

Not a moment too soon. :-/

Looking at some of these [flagkilled] comments... all I can say is... it sure makes me happy to be a part of the HN community and that we have a place which is largely free of that "nonsense" (a much too overly nice way to describe it)

task_queue11y ago· 1 in thread

Make it worthwhile for someone to test how 'secure' this system is before touting that title.

An audit or a bounty with no limitations on rendering the system insecure. An example of how not to do this would be the Telegram contest sham.

superuser211y ago

Contests/bounties are not indicative of security because it is very likely that potential profits from selling or using an exploit are greater than the bounty offered.

ssalenik11y ago· 1 in thread

The home page[0] seems to suggest that there are also audio and video capable clients... are they still in development, or is there something functional already?

[0] - https://tox.im/

JfreegmanOP11y ago

Toxic has 1 on 1 audio chats, and GUI clients such as uTox and qTox additionally have group audio, as well as 1 on 1 video. Both clients are usable, though I would personally recommend qTox.

benwaffle11y ago

core C lib: https://github.com/irungentoo/toxcore

Qt client: https://github.com/tux3/qTox

ncurses client: https://github.com/Tox/toxic

metro/windows client: https://github.com/Reverp/Toxy

plain C client (uses xlib/win32 to draw the UI): https://github.com/notsecure/uTox

racket client: https://github.com/lehitoskin/blight

there's also java bindings: https://github.com/sonOfRa/tox4j

etc...

PhearTheCeal11y ago

Also relevant, and containing video and audio chat support, is uTox[0] and qTox[1]. Looks like they are currently working on getting group video chat working.

[0] http://utox.org/ [1] http://utoxisfinished.info/

nkantar11y ago

Is anyone actually using this (or something like it)?

If so, I'm curious about the details like context and experience.

juliangoldsmith11y ago

I hadn't looked much into Tox, but after seeing a few mentions on cyberpunk boards, and seeing how hard people are shilling against it, I think I'm going to take a closer look.

Pxtl11y ago

Is this at all related to Nullsoft Waste? That was quite a scandal when it launched with a "whoops we didn't mean to open-source that" thing. It was a crypto-IM too.

synchronise11y ago

So how does this differ to Retroshare or Ricochet?

EGreg11y ago

Why'd they call it by such a negative moniker?

j / k navigate · click thread line to collapse