
/g/ - Technology


File: 28 KB, 928x358, unknown.png
No.61017643

What is Ekansovi?

>15KB of obfuscated Javascript in every thread on 4chan (not being loaded from a 3rd party website)
>Unironically uses XOR for its string encryption
>Sets up a websocket connection to a.ekansovi.com/wsp
>Something to do with ice servers / stun servers.

Source with unencrypted strings: https://pastebin.com/C0Mj6vHL

>> No.61018019

>>61017643
It's just a tracking pixel and you're basically retarded.

>> No.61018082

>>61018019
you realize websockets and tracking pixels are two entirely different things right?
e() is only 11 lines of 550.

>> No.61018179
File: 191 KB, 753x187, 1447916124725.png

>>61017643
So what I don't understand is that it seems to be ad related trickery to get around common adblockers, but where are the ads?

>> No.61018184

>>61018019
shill

>> No.61018250

>>61018179
I think it's trying many different methods to track you; a 1px by 1px image, an embedded js file, and a websocket, and some XHR which looks as though it sends your useragent to.

>> No.61018310

>>61018250
Websocket section looks like it's sending a fingerprint in sha-256 delimited by colons.

>> No.61018399

> ekansovi
Haven't seen them in a long time, last I saw something connecting to there it was just tracking

>> No.61018409
File: 51 KB, 528x475, unknown.png

Make sure you have ekansovi.com and a.ekansovi.com blocked, gorhill apparently pushed an update that blocks them a couple of hours ago but just check to be safe

>> No.61018424

>>61017643
I've taken a look at it and it's nothing substantial.

>> No.61018428

>>61018019
>t.Hiro

>> No.61018429

>>61018424
...are you going to elaborate?

>> No.61018431
File: 54 KB, 480x451, 1470111210955.jpg

>>61017643
>non-free javascript

>> No.61018451

>>61018179
Possibly testing attack vectors. Not necessarily an attack.

>> No.61018453

>>61018409
>gorhill apparently pushed an update that blocks them
wut

>> No.61018458

Any girls have an opinion on this?

>> No.61018462

>>61018429
No need to block it. It'll make 4chan better.

>> No.61018466

>>61018453
uBlock Origin filter update

>> No.61018481
File: 1.36 MB, 320x213, 62c.gif

>>61018462

>> No.61018488

>>61018462
shill

>> No.61018492

>>61018409
>>61017643
It's not listed under by umatrix.

Haven't seen it here. Maybe you're infected?

>> No.61018521

>>61017643
who owns the domain?

>> No.61018522

>>61018466
wew is he one of us?

! https://rbt.asia/g/thread/61009719
! Appears related to uponit.com
||ekansovi.com^
! Somehow, websocket requests are behind-the-scene with Firefox. Pending
! further investigation, this fixes the issue.
||4chan.org^$csp=connect-src https: http:

>> No.61018529

>>61018521
theguardian

>> No.61018537

>>61018492
Apparently it might only be showing up for people from certain countries.
Right click > View source
Search for b.u("gIlePonVjyjmEpHGmTsFPsEYyxBVkstc");
That's the class for the XOR string decryption.

>> No.61018562

>>61018537
Unless the key is randomly generated, in which case you'd have to search for b.u("... unless the names are randomly generated as well in which case just look for 15KB of random as fuck javascript.

>> No.61018576

>>61018529
What made you come to that conclusion?

>> No.61018579

>>61018537
Hmm the key is there. The script is there, but it's not running from a third party site.

Does that mean 4chan runs its own version?

>> No.61018587

>>61018522
>Appears related to uponit.com
There you have your question answered OP

>> No.61018591

>>61018579
Yep

>> No.61018600

>>61018429
It's a joke.

>> No.61018617

test

>> No.61018620

How can i block it with Ublock?

>> No.61018630

>>61018179
I have ABP on and I still see three little ads at the bottom of every 4chan page.

>> No.61018645

>>61018620
Open the uBlock settings
Go to the '3rd-party filters' tab
Click on the clock icon next to 'uBlock filters'
Click the 'Update now' button at the top

>> No.61018668

>>61017643
it's on the front page of 4chan as well, not just every thread
I can confirm it loads regardless of browser or addons. from different locations all around the world

those who say it does not load for them I have no idea why. But any OS, any browser, any addons (or none) on different ips and physically different computers all have it loading.

only thing I can say is those who don't have it loading have the old cached version of the javascript on 4chan still running

>> No.61018679

>>61018645
(you can open the settings by clicking on the uBlock button and then clicking the gear icon on the far left in the gray bar at the top)

alt. click on 'domains connected' in the uBlock popup
make both columns for 'ekansovi.com' solid red then save by clicking the padlock icon.

>> No.61018703

>>61017643
you forgot to mention
ekansovi

ekans
ovi

snake
egg

>> No.61018711

>>61018587
>uponit.com
>Immune to filters or blacklists
Am I really going to have to start blocking ads with hosts file?

>> No.61018721

They're uponit domains. End of story.

>> No.61018728
File: 3.52 MB, 490x476, 1483134062952.gif

>>61018587
>unblockable
If that's related to this, and this uses websockets, then...
>||*^$csp=connect-src https: http:

>> No.61018748

>>61018721
'Appears to be related to uponit' != 'Its uponit'

>> No.61018777

>>61018728
||wss:// actually, probably should have tested it first.

>> No.61018863

>>61018179
it smells more like some elaborate scheme to catch ban evaders.
hiro should just put mobile shitters in read only mode or at least increase the post timer

>> No.61018889

>>61018748
No, it is literally uponit. Do some more investigation.

>> No.61018890

>>61018711
>Immune to filters or blacklists

whatever they are doing, it doesn't seem to be working. i don't see ads here or on their site

>> No.61018905
File: 56 KB, 760x572, 1432187912406.jpg

>>61018889

>> No.61018916
File: 74 KB, 765x566, 343791.jpg

>>61017643
>Unironically uses XOR for its string encryption

>> No.61018935

>>61018916
I don't get what Miley Cyrus has to do with this :^)

>> No.61018942

>>61018890
That's because they're using it for tracking, not for displaying ads.

>> No.61018944

>>61018537

yep I get this same key

USA here but blocking cross site requests

>> No.61018982

>>61017643
Can it be blocked with noscript? Does private browsing mode and deleting cookies and cache work?

>> No.61019012

>>61018982
Unless you're blocking 4chan.org, no.
Just get uBlock, or if you already have it update the uBlock filters in '3rd-party filters'

>> No.61019026
File: 44 KB, 1896x480, snakeivos.png

Am I good now /g/?

Blocked it everywhere I could.

>> No.61019027 [DELETED] 

>>61018537
Mine's slightly different: b.u("R3X + gIlePonVjyjmEpHGmTsFPsEYyxBVkstc")

>> No.61019042

>>61019027
There's two instances of b.u in the code, that's the first one.

>>61019026
Probably... hopefully.

>> No.61019071

>>61019026
I just blocked it in hosts file.

>> No.61019093

>>61018409
how to even take a picture of umatrix
it leaves when I grab terminal to scrot it

>> No.61019103
File: 20 KB, 1581x188, sneekysnek.png

>>61019026
>>61019042
Hmmm, the logger is still showing it, after I had blocked it, is this just because it attempts to or is it bypassing the block?

>>61019071
How do I do that?

Pic related time is after I had blocked >>61019026 so it might still be coming through

>> No.61019126

>>61019093
scrot -d [delay in seconds]

>>61019103
Click on the uBlock button, click the grey title bar at the top, go to the '3rd-party filters' tab, click on the clock icon next to 'uBlock filters', click on 'Update now'

>> No.61019129

>>61017643
I'm not getting this domain. It's probably coming from that notorious malware 4chanx.

>> No.61019157

>>61019129
that's some low effort bait right there

>> No.61019174

>>61019103

what is a good logger aka what are you using?

>> No.61019184 [DELETED] 

Test post.

>> No.61019194

>>61019129
I'm on firefux vanilla 4chan and see it in umatrix

>> No.61019213
File: 7 KB, 243x97, 1470409908774.png

>>61018587
I FUCKING KNEW IT

>> No.61019217
File: 28 KB, 309x290, 1.png

>>61019103
https://pastebin.com/FiWG9vN5 for hosts file instructions.
THIS IS FUCKING BIZARRE: 4chan wouldn't let me post the specific text of this pastebin link, giving me a connection error. Pic related. It lets me post normally otherwise.

>> No.61019229
File: 11 KB, 1199x170, still heree.png

>>61019126
Well shit I did that and it still showing up in the logger

Also I'm visiting random /pol/ threads to confirm it shows up as thats when it appears only so far.

>>61019174
Its just uBlock Origin's logger

>> No.61019246

>>61019217
Very suspicious coincidence.

Thanks for the link anon

>> No.61019250
File: 14 KB, 826x261, Untitled-2.png

>>61019217
Trying to post the text from that pastebin through post a reply at the top instead of the little reply window gets this response from 4chan. My IP is obviously not blocked as I'm posting right now. What the fuck?

>> No.61019273 [DELETED] 

127.0.0.1

>> No.61019276
File: 52 KB, 751x720, C7AeO8xWcAIuBHk.jpg

>>61019250

>> No.61019278

>>61019273
kek I just had that idea too, you beat me

>> No.61019287 [DELETED] 

127.0.0.1 a.ekansovi.com
127.0.0.1 ekansovi.com

>> No.61019296

test

>> No.61019301

>>61018250
In advanced cookie manager there is a cookie for that website named __cfduid or some shit.
Another anon didn't see it listed in the normal cookie viewer

>> No.61019305 [DELETED] 

127.0.0.1 a.ekansovi.com
127.0.0.1 ekansovi.com
hosts

>> No.61019314

>>61019301
Thats a cloudflare cookie

>> No.61019316

Why not
0.0.0.0 a.ekansovi.com
0.0.0.0 ekansovi.com

>> No.61019318
File: 40 KB, 305x264, 2017-06-21-222203_305x264_scrot.png

literally won't let me post this
posted this though >>61019296

>> No.61019330
File: 18 KB, 305x284, 1.png

This is the line which returns the connection error. Fucking bizarre.

>> No.61019344

>>61019318
>>61019330
Looks like simply etc(slash)hosts returns the connection error.

>> No.61019353

>>61018409
I guess Im out of the loop,
can you explain to me what addons I should be running and why?

I am using noscript + ublock origin.
I was using noscript + adblock plus or something but I was told they are cucks now and switched.

Now Im seeing all kinds of other crazy shit and I dont even know what it does

>> No.61019355

>>61019229
>Its just uBlock Origin's logger

Thanks

Requestpolicy blocks ekans egg completely

>> No.61019372
File: 24 KB, 1502x336, fukoff.png

>>61019246
>>61019229
Well I did the hosts file thing but new instances of ekanshitty still show up in the logger when I click new /pol/ threads in the catalog

Should that be possible even with hosts file solution? Is the logger also showing attempted connections or just those that get through?

>> No.61019388

>>61019372
what tool are you using here

>> No.61019391

>>61019372

requestpolicy extension in firefox seems to stop it

those are probably attempted request that are failing, I would hope

>> No.61019392

>This role is in our Tel Aviv office
https://uponit.com/careers/

/pol/ is always right.

>> No.61019394

>>61019353
uBlock was created by gorhill and then got taken over by a cuck
uBlock Origin is gorhill's continuation for automagically blocking ads
uMatrix Origin is for blocking things with way more control over what's getting blocked.

>> No.61019396

>>61018409
Wouldn't blocking ekansovi also take care of a.ekansovi?

>> No.61019401

/etc/host

>> No.61019409

>>61019396
*.ekansovi.com would
ekansovi.com means only ekansovi.com

>> No.61019421

>>61019409
>*.ekansovi.com
Would that or something equivalent work in hosts file?

>> No.61019423

>>61018537
New Zealand here, string appears more than once
new b.u("R3X + gIlePonVjyjmEpHGmTsFPsEYyxBVkstc")
new b.u("gIlePonVjyjmEpHGmTsFPsEYyxBVkstc")

>> No.61019429

>>61019388
its just Ublock origin logger like I've said already ITT

>> No.61019434

>>61019421
probably not no

>>61019423
It's always two

>> No.61019441

>>61019372
Those must be attempted requests. The only thing I know of capable of bypassing hosts file is M$'s telemetry.

>> No.61019443

>>61019409
What about *ekansovi? Would that block everything?

>> No.61019452

>>61019443
Probably not, no.

>> No.61019491

>>61019429
shit that's neat

>> No.61019497

>>61019394
ok so it was ublock I was told not to use,

So do I want ublock + umatrix or just umatrix?

Is noscript still safe? is it redundant with umatrix?
I noticed that when a site doesnt work noscript is the only thing that I need to fuck with, like its doing a better job than ublock

>> No.61019506

>>61019391
>>61019441
>attempted request that are failing

I sure hope so, I set up the hosts file exactly as it should be and checked and rechecked and yet each new /pol/ thread I open the ekansovi shit pops up again in the logger, hopefully its just logging the attempt and not an actual connection, I wish the logger distinguished between the two

>> No.61019517

>>61019497
Noscript + uBlock ORIGIN
+ uMatrix ORIGIN if you want more control.

>> No.61019532

>>61018250
web RTC too

>> No.61019538
File: 8 KB, 250x238, pepe-indifferent.jpg

>>61019517
>umatrix origin

>> No.61019545

>>61019517
>uMatrix ORIGIN
this doesn't exist

>> No.61019546

>>61019517
I thought there was only one umatrix, not a umatrix and a umatrix origin

>> No.61019555

>>61019538
>>61019545
>>61019546
Whoops, sorry, you're correct it's just uMatrix

>> No.61019560

I would buy a pass if moot was still in charge and not hiro, who has a track record for fucking up people who trust him

>> No.61019584

>>61019213
/pol/ is always right.

>> No.61019585

>>61018630

> ABP
> 2017

>> No.61019586

>>61019421
nope
you have to add sub domains separately in host files
if you use pi-hole you can use wildcards for dns though
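The point made in the posts above (hosts entries match exact names only, so each subdomain needs its own line and a wildcard line does nothing) can be checked mechanically. This is an added example, not something posted in the thread: the hosts text and the list of observed hostnames are constructed, using hostnames that appear in the thread, and the function names are hypothetical.

```javascript
// Added example (not from the thread): audit which observed hostnames a hosts
// file actually covers. SAMPLE_HOSTS and OBSERVED are constructed sample data.
const SINKHOLES = new Set(["0.0.0.0", "127.0.0.1", "::", "::1"]);

// Parse hosts-file text into exact-name entries, and collect wildcard names
// separately because the hosts file has no wildcard syntax.
function parseHosts(text) {
  const exact = new Map(); // hostname -> address (first entry kept)
  const wildcards = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, "").trim(); // drop comments
    if (line === "") continue;
    const [addr, ...names] = line.split(/\s+/);  // one address, many names
    for (const n of names) {
      const name = n.toLowerCase();
      if (name.includes("*")) wildcards.push(name);
      else if (!exact.has(name)) exact.set(name, addr);
    }
  }
  return { exact, wildcards };
}

// True when `host` is a strict subdomain of `parent`.
function isSubdomainOf(host, parent) {
  return host.length > parent.length && host.endsWith("." + parent);
}

// Classify each observed hostname as sinkholed, mapped elsewhere, or uncovered,
// and explain the uncovered ones.
function auditHosts(hostsText, observed) {
  const { exact, wildcards } = parseHosts(hostsText);
  return observed.map((h) => {
    const host = h.toLowerCase().replace(/\.$/, "");
    const addr = exact.get(host);
    if (addr !== undefined) {
      return { host, status: SINKHOLES.has(addr) ? "sinkholed" : "mapped", addr };
    }
    const reasons = [];
    const parent = [...exact.keys()].find((k) => isSubdomainOf(host, k));
    if (parent) {
      reasons.push(`parent ${parent} is listed, but hosts entries match exact names only`);
    }
    const wild = wildcards.find(
      (w) => w.startsWith("*.") && isSubdomainOf(host, w.slice(2))
    );
    if (wild) reasons.push(`wildcard entry ${wild} is not expanded by the hosts file`);
    return { host, status: "uncovered", reasons };
  });
}

// Constructed hosts file: one 0.0.0.0 entry, one loopback entry, one wildcard.
const SAMPLE_HOSTS = [
  "127.0.0.1 localhost",
  "0.0.0.0 ekansovi.com",
  "127.0.0.1 a.ekansovi.com   # loopback instead of 0.0.0.0",
  "0.0.0.0 *.ekansovi.com     # wildcard line, has no effect",
].join("\n");

// Constructed list of hostnames as they might appear in a request log.
const OBSERVED = [
  "ekansovi.com",
  "a.ekansovi.com",
  "xhr.ekansovi.com",
  "www.google-analytics.com",
];

for (const r of auditHosts(SAMPLE_HOSTS, OBSERVED)) {
  console.log(r.host, r.status, r.addr || r.reasons.join("; ") || "no entry");
}
```
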

>> No.61019590

>>61019314
under the ekansovi url.

>>61019316
because he will just "b.ekansovi.com" and "aslfkjeiwrqjedfadslf.com" when you aren't looking

>> No.61019599

>>61019560
>trusting a white privileged man
>not trusting a poor rice farmer
fucking racist

>> No.61019601
File: 947 B, 416x454, 1489768509515.png

What kind of tweaks did you guys do to uMatrix? I noticed a lot of sites I used would fall apart after installing it.

Is it a good idea to globally allow googleapis, apis.google, ajax.googleapis? Seems like a lot of sites rely on them to work

>> No.61019620

>>61019601
I just live in a broken internet and surf happier

>> No.61019636

>>61019590
The patrician thing is to use uMatrix in default block-all mode since it will block everything not explicitly allowed.

>> No.61019641

Very confusing server (DNS resolves to 138.197.9.35)

Iplocation says the ISP is digitalocean

I attempted to SSH into it -
the connection message is "Bitvise WinSSH Server"
Windows? digitalocean doesnt allow you to make windows servers

any ideas?

>> No.61019642

>>61019601
I just keep them blocked by default. If a specific site breaks I try whitelisting them for that site and see if it works.

There's an awful lot of sites (news sites, blogs, etc) that look ugly but still display text content just fine with pretty much everything blocked.

>> No.61019649

>>61017643
seems like they are onto us. it's been removed

>> No.61019651

>>61019394
>>61019517
ok, I installed matrix and it broke replying so I had to disable it to post this

>> No.61019664

>>61019641
Some kind of front-end, proxy, or passthrough firewall with a windows server behind it, maybe?

>> No.61019666

>>61019651
You have to actually understand what uMatrix is and how it works, it's not an automagic catch-all it's a tool. You don't buy a hammer and say "Something's wrong it's not nailing things in" without actually using it.

>> No.61019670

>>61019642
>>61019620
my niggas

>> No.61019672

>>61019217
4chan doesnt let me make threads anymore. I dont know why.
It takes years to do anything and then loads a warning page about https

>> No.61019684

>>61019649
Huh, you're right.
Not finding the u.b( string now

>> No.61019685

>>61019601
it's like noscript and you need a few days to adjust it for your main websites, but it's great for everything else and fighting tracking and other anti-privacy measures

>> No.61019686

>>61019506
>>61019441
>>61019391
Yep, ekansovi doesn't even show up in ublock origin anymore meaning hosts file blocked it completely, but it still shows up in the ublock logger as attempted access I guess

I checked just now and it shows up in the logger when clicking on /v/, /g/ threads too

Just what the hell is this thing.

>> No.61019695

>>61019666
And you dont buy a hammer and have it automatically nail your door shut

what do I click to make 4chan work. I dont care if everything else is broken right now

>> No.61019698

>>61019641

lol how new are you? all of the ips are fucking cloudflare

>> No.61019699

test

>> No.61019705

>>61019217
test

127.0.0.1 a.ekansovi.com
127.0.0.1 ekansovi.com

>> No.61019709

Are there any good tools for debugging/inspecting websocket sessions? Would actually be useful for a project of mine as well, but I didn't find anything

>> No.61019710

>>61019695
>>61019666
Nevermind, I figured it out.
This shit really fucks up a good buzz.

>> No.61019716

>>61019217
hey this guy did your linux fix >>61019318

>> No.61019721

>>61019649
It's still there for me (New Zealand)

>>61019684
b.u, not u.b

>>61019695
rows are domains
columns are media types
cells can be either red or green, if it's red that media type is blocked for that domain, if its green its not blocked.
Click on the top or bottom half of a cell to block/unblock that cell.
If you get stuck use google, if you cant even do that dont use uMatrix.

>> No.61019723

>>61019698
how can you tell?

>> No.61019725

>>61019705
test two

Copy hosts file to desktop or any other folder you don't need administrative privileges to save stuff in. Edit with notepad. Put these two lines in it and click save. It'll save it without adding a file extension:
127.0.0.1 a.ekansovi.com
127.0.0.1 ekansovi.com
Copy file, paste it back into \etc and click continue when it asks for admin privileges.
If you're on Linux, I don't know the Linux equivalent to a hosts file, or if that even exists.


also you should do 0.0.0.0 so it just drops it rather than routing it to yourself

>> No.61019741

>>61019725
>>61019217
only blocked part is the system32 shit

>> No.61019748

>>61019725

>also you should do 0.0.0.0 so it just drops it rather than routing it to yourself

What do you mean? Replace 127.0.0.1 with 0.0.0.0?

>> No.61019764

>>61019748
yes
your computer gets word you want to connect to ekans
it asks DNS file where to go
it sees 127.0.0.1
it connects to you and tries to communicate with it

if it's 0.0.0.0 it just drops the packet and never tries

>> No.61019771

>>61019721
You're right, my bad.

Here's the script if anyone is interested.
https://pastebin.com/yCe3WVpx

>> No.61019780

>>61019748
https://www.dslreports.com/forum/r24621780-hosts-127-0-0-1-vs-0-0-0-0

127.x.x.x is YOU
so you're talking to yourself or trying to
since you don't run a server after a few tries it'll drop
but 0.0.0.0 is auto drop

>> No.61019784

>>61019421
You can do that in the hosts file but you need to replace the default DNS resolver, i use acrylic DNS proxy for that

just remember to replace the dns servers in the config file since it uses Google dns servers by default

after installing it edit your connection settings to use 127.0.0.1 as primary DNS server and edit the acrylic hosts file with the sites you want to block

You will be able to use *. to block entire sites after that, and it also stops windows 10 hardcoded domains from being able to connect so no more botnet

>> No.61019793

>>61019741
see
>>61019318
>>61019344

>> No.61019798

holy hell this is fucking awesome.
I never in my wildest dreams thought i'd see something of this caliber on 4chan of all places.
they must be looking for someone really hard, they're pulling out all the stops for this shit.
something is going to go down soon and I can guarantee it's because of the trump administration.

>> No.61019805

>>61019764
>>61019780
Got it, done. Thanks /g/ents

>> No.61019806

>>61019784
This stops all Windows 10 telemetry? I was under the impression only a hardware firewall could do that.

>> No.61019839

>>61013637
>the website is literally hosted on the same server 4chan is hosted on

Is that true or was he bullshitting

>> No.61019847

>>61019806
Windows normally respects entries in the hosts file for ordinary user applications (like, for instance, non-MS web browsers), but they hardcode some things in the bowels of windows, so system components will talk to microsoft regardless of the hosts file.

In fairness to microsoft, this was probably at least partly motivated by the fact that a common malware trick for a long time in the XP era was to use the hosts file to kill connections to windows update and to the homepages of things like Spybot and other anti-malware outfits.

>> No.61019849

how about blocking google-analytics?

>> No.61019855

>>61019839
it was, it seems to have changed

haven't looked at the XHR data for a while either

>> No.61019858

>>61019849
I already do that

>> No.61019867

Here's the script attempts to embed on the page when certain conditions are met

https://pastebin.com/dgqHbNpz

but why? and how are the conditions met?

>> No.61019876

>>61019855
thats because its fucking cloudflare

>> No.61019879

>>61019849
0.0.0.0 analytics.google.com or whatever it is

just run pi-hole

>> No.61019881

>>61019867
>when certain conditions are met

You mean like when you open any random thread on /v/, /g/, /pol/ etc?

Because thats when it appears in the log for me

>> No.61019900

>>61019876
their cloudflare ips are different goyo

>> No.61019901

Why are you spoonfeeding all the retards in this thread? This is why /g/ is so shit. These idiots think it's okay to come here and beg for help with all their pc issues. Send them to /sqt/ or >>>/wsr/.

>> No.61019909

>>61019784
>it also stops windows 10 hardcoded domains
>>61019847
>but they hardcode some things in the bowels of windows
This appears as if you are saying this method is a viable software-only method for completely stopping all Windows telemetry. Am I interpreting this correctly, and has this been tested?

>> No.61019919

>>61019876
>>61013719

>> No.61019929

>>61019879
0.0.0.0 www.google-analytics.com
doesn't work, reloading the page and I still see it on ublock logger

>> No.61019936

a.ekansovi.com and ritogaga.com
both have the same styling when requesting a non-existent page

>> No.61019954

>>61019919
well it's not 81.171.8.138 anymore cuz that gives a different response than this fucking gay ekans site does

>> No.61019958

>>61019806
It does block them I got pissed off because they werent getting blocked in my hosts file that I searched how to block them, after a few days I found acrylic and managed to block them

Windows still tries to connect to those domains though, like with go.microsoft.com there's always tons of request of it in my DNS logger even though they all resolve to 0.0.0.0

>> No.61019972

>>61019929
JS will still try to make the request, so addons will still see the request. But your kernel's networking subsystem will do DNS resolution for google-analytics.com, get 0.0.0.0 back, and give up immediately. The JS, if it bothers to check for errors (almost no JS does, shitty, shitty language and culture) will find that the request it made failed. Probably with a destination unreachable or something similar.

>> No.61019983

>>61019958
That's pretty fucking awesome, anon. Thanks.
/g/ approved DNS servers anyone?

>> No.61019988

>>61019983
dnscrypt-proxy

>> No.61019994

>>61019909
That first answer wasn't mine, he was someone else, they do get blocked you can try for yourself acrylic is open source and its not that hard to install

>> No.61020000

>>61019983
>/g/ approved DNS servers anyone?
Most OpenNIC ones and dnscrypt.eu if you can use dnscrypt
Avoid OpenDNS almost as much as Google DNS
You can also run your own DNS server but of course this won't do outside your home network (unless you have a static IP)

>> No.61020005

Why should anyone care

>> No.61020015

>>61020005
Fuck off hiroshima

>> No.61020021

>Another useful feature is called "Behind the scene". You find it listed in the page selection menu, and it lists requests that uBlock cannot associate with a domain.

>This includes among other things requests made by the browser itself, made by extensions, and by websites if technologies such as hyperlink auditing are used.

Ok so once again it seems like the ekansovi showing up for in Behind the scene logger are just the requests being listed, not any actual connections, since its been blocked in hosts after all.

>> No.61020026

TTL on the dns records are only 5 minutes and Im pretty sure theyve changed multiple times within the hour

>> No.61020036

>>61020005
Have you read 1984?

>> No.61020037

>>61020026
yep as I said they keep changing the ip

regardless of cloudflare

>> No.61020053

>>61020037
anyone up for jacking the domain? registered with amazon

>> No.61020077

>>61020053
huh?
it's registered on name.com

https://who.is/whois/ekansovi.com

>> No.61020094

>>61020077
>Name Servers
>adrian.ns.cloudflare.com
>173.245.58.57
>terin.ns.cloudflare.com
>173.245.59.236

So wait, it's just some cloudflare shit?

>> No.61020096
File: 55 KB, 587x714, Screenshot_13.png

>>61019958
here's how it looks like when they get blocked by acrylic

>> No.61020104

etc\host

>> No.61020114

>>61020077
my bad, was thinking of mojigaga.com
anyway, it should be easy

>> No.61020138

>>61020094
before cloudflare, the ip was >>61019919
that crossthread one

but now it doesn't work and all the IPs are cloudflare
81.171.8.138
this is the ONLY Ip that has routed to that site that isn't cloudflare
https://whois.arin.net/rest/net/NET-81-0-0-0-1/pft?s=81.171.8.138

arin says it's a eurotrash ip

>> No.61020159

https://pastebin.com/Zp61Pvny

some gay guy I know made the code from the ekans site more beautiful

> I don't understand the first function though it will never run

>> No.61020167

>>61020159
...why?

>> No.61020174

How do you xor the strings in js?
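Repeating-key XOR over character codes is the general scheme the thread describes, and the sketch below shows it from an analyst's side. It is an added example, not code from the site's script or from any poster: the hex encoding, the ASCII-only input, the `wss://` scheme and all function names are assumptions, the sample literals are constructed from strings quoted in the thread, and only the key is taken from >>61018537.

```javascript
// Added example (not the site's script): repeating-key XOR string obfuscation.
// Assumptions: strings are ASCII and the ciphertext is stored as hex; the
// encoded literals below are constructed here from strings quoted in the thread.
const KEY = "gIlePonVjyjmEpHGmTsFPsEYyxBVkstc"; // key quoted in >>61018537

// XOR each byte with the key, repeating the key as needed. Applying it twice
// with the same key returns the input, so one routine encodes and decodes.
function xorWithKey(bytes, key) {
  return bytes.map((b, i) => b ^ key.charCodeAt(i % key.length));
}

function hexToBytes(hex) {
  if (hex.length % 2 !== 0 || /[^0-9a-f]/i.test(hex)) {
    throw new Error("not a hex string: " + hex);
  }
  const out = [];
  for (let i = 0; i < hex.length; i += 2) {
    out.push(parseInt(hex.slice(i, i + 2), 16));
  }
  return out;
}

function bytesToHex(bytes) {
  return bytes.map((b) => b.toString(16).padStart(2, "0")).join("");
}

function obfuscate(plain, key) {
  const bytes = Array.from(plain, (c) => c.charCodeAt(0) & 0xff);
  return bytesToHex(xorWithKey(bytes, key));
}

function deobfuscate(hex, key) {
  return String.fromCharCode(...xorWithKey(hexToBytes(hex), key));
}

// Why XOR with a fixed key is obfuscation, not encryption: ciphertext XOR a
// guessed plaintext prefix gives back the key bytes at those positions.
function recoverKeyPrefix(hex, guessedPrefix) {
  const ct = hexToBytes(hex).slice(0, guessedPrefix.length);
  return String.fromCharCode(
    ...ct.map((b, i) => b ^ guessedPrefix.charCodeAt(i))
  );
}

// Decode every literal and keep the ones that name a network endpoint, which
// is what goes into a blocklist or a detection rule.
function extractEndpoints(hexLiterals, key) {
  return hexLiterals
    .map((h) => deobfuscate(h, key))
    .filter((s) => /^(wss?|https?|stuns?|turns?):/i.test(s));
}

// Constructed sample: strings from the thread, encoded with the key above.
const SAMPLE_LITERALS = [
  "wss://a.ekansovi.com/wsp",
  "stun://a.ekansovi.com:6001",
  "userAgent",
].map((s) => obfuscate(s, KEY));

console.log(extractEndpoints(SAMPLE_LITERALS, KEY));
console.log(recoverKeyPrefix(SAMPLE_LITERALS[0], "wss://"));
```
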

>> No.61020180

>>61020159
>2245760 == 1416070001
noticed that too, very strange

>> No.61020191

>>61020180
yea he asked me about it, I have no idea.. haven't seen anyone post that at all or ask about it.
>>61020167
>Because anything after && relies on the first condition being true
>It will short-circuit after the comparison because those two numbers aren't the same

>> No.61020195

another thing about this is, if you're behind a proxy or VPN, and do not have a webRTC blocker add-on installed, this script now has your real IP address

>> No.61020201

>>61020195
(google webRTC leak)

>> No.61020202

>>61020191
>So unless that first number is dynamic, it will never create the image

>> No.61020204
File: 7 KB, 250x243, 1497973609311.jpg

Why do you care?

>> No.61020209

>>61020204
>Not caring about the code being run on his machine

>> No.61020234

>>61020180
>>61020202
actually, duh, you provide the number in the URL query and generates the script with that number. so it shows they're looking for someone/something specific

>> No.61020247

>>61020234
see: http://xhr.ekansovi.com/ljs?p=2245760

>> No.61020253

>>61020209
It's a fucking website.

>> No.61020256

>>61020234
that's why 1416070001 is all the fucking over the place in their code
>>61020195
how do I disable webrtc

>> No.61020257

>>61020204
>>61020036

>> No.61020274

>>61020256
if you're using chrome: https://chrome.google.com/webstore/detail/webrtc-leak-prevent/eiadekoaikejlgdbkbdfeijglgfdalml?hl=en

>> No.61020275

>>61020257
I was born in 1989, what about you? Retard

>> No.61020288

>>61020274
so I disable it?
"disable non-proxied"

>> No.61020290

>>61019213
There is a part of the tech sector in Israel called Download Valley. Superfish, of Lenovo self-destruct fame, issued forth from one of the Download Valley companies.
Presumably it's an artifact of Israeli laws around installing things on people's computers or something.

>> No.61020292

>>61020275
Go back to your watch threads faggot

>> No.61020307

>>61020275
1984 is a book about a dystopian future where the government has omnipresent spying on its citizens and uses it to eliminate political dissenters.
Just because (it doesn't appear as if) the government isn't using spying data to eliminate political dissenters now doesn't mean they can't and won't use spying data they're collecting now to eliminate political dissenters later.
It's a legitimate concern.

>> No.61020309

And this bothers me?

>> No.61020329

>>61020288
No, the default is fine. installing the add-on is enough to block the leak.

>> No.61020338

>>61020309
>>61020204
>>61020005
fuck off ekansovi

>> No.61020342
File: 3 KB, 1911x30, blok.png

>>61017643
>What is Ekanso-

blocked.

>> No.61020363
File: 8 KB, 1007x197, blok2.png

>>61020342

>> No.61020405

>>61018630
I have ublock origin and i also see them

>> No.61020430

anyone know how to get into the stun:// without writing fucking javascript?

from the source it connects to
stun://a.ekansovi.com:6001

and the password is possibly "00000000000000000000000000000000"

>> No.61020499

>>61020338
Why are you samefagging so much instead of telling us why we should worry? Are you perhaps autistic

>> No.61020501
File: 1 KB, 142x20, 1478223295899.png

>>61020247
Oh shit, it's the same number for me.

>> No.61020506
File: 142 KB, 1280x720, image-w1280.jpg

>>61020430
>password is possibly "00000000000000000000000000000000"

I like how this is going

>> No.61020525

Does ekansovi only show in specific browser?
Because when I use safari, I don't get that, but in chromium, I get that. Or maybe unlock in safari doesn't detect it?

>> No.61020538

>>61020501
if you clicked the link I crafted then no shit

>>61020499
Its a very advanced tracker, still trying to figure out the logic behind it. its obviously looking for something. best to have it blocked.

>> No.61020540

>>61020525
nope
tested on 7 different operating systems with all browsers and different IPs and different physical computers

>> No.61020552

>>61019372
>hosts file didn't help
Depending on OS/Settings you may have to clear DNS cache too.

Some software uses its own lookup methods to work around users changing their hosts file or having a DNS that blocks certain domains (for example Chrome and stuff based on that).
Those usually use Google DNS 8.8.8.8, 8.8.4.4 and ignore your hosts file. They may also find the DNS from your provider and ask it directly.

Using DNSquerySniffer from Nirsoft can give you a hint about what DNS are used.
You may also want to block all UDP/TCP DNS calls to anything except those 2-3 you explicitly allow. Thus making it a bit harder for trojans to send/receive data since port 53 is usually allowed by every possible firewall for everyone.

>> No.61020559

>>61020538
>if you clicked the link I crafted then no shit
Oh, lol. Silly me.

>> No.61020566

>>61020538
see if it's testing for browser capabilities or vulnerabilities

>> No.61020567

>>61018703
>ekansovi
>ekans ovi
>snake ovi
>snake oiv
>snake oil

>> No.61020576
File: 115 KB, 419x402, shockedtsundere.jpg

>mfw I realized it might be looking for FBIAnon

>> No.61020588

>>61020576
Yes, ad networks are looking for a greasy larper

>> No.61020589

>>61020576
Who?

>> No.61020607

>>61019709

This is actually a major problem for web developers. None of the dev tools built into Chrome are any use at all looking at what a websocket is doing.

>> No.61020609
File: 99 KB, 1016x386, Screen Shot 2017-06-22 at 12.11.57 PM.png

>>61020540
Weird. This is from my safari (left) and my chromium (right). But well I get >>61018537 when checking the source in safari though.

>> No.61020622

>>61020609
is safari even capable of running the shit?
I didn't try that browser myself

>> No.61020643

>>61020525
If you look at the pastebin in the op, it explicitly checks for safari in g(a), though who knows what it's doing or why.

>> No.61020646

>>61020622
Do you mean using ublock origin?
Yeah it can
https://github.com/el1t/uBlock-Safari

>> No.61020658

>>61020646
no lol. I mean the web socket and connection

>> No.61020702

>>61020658
Yeah it's supported as far as I know.

>>61020643
Damn, then I need to filter ekansovi in host level for making sure it's safe too. Thanks, anon.

>> No.61021041

How can I be 100% sure I blocked it?

>> No.61021115

>>61021041
try to go to the website

>> No.61021214

does it work?

@@||4chan.org$domain=4chan.org
@@||4cdn.org$domain=4chan.org
@@||googleapis.com$domain=4chan.org
||*$third-party,script,domain=4chan.org
||*$third-party,xmlhttprequest,domain=4chan.org
||*$third-party,websocket,domain=4chan.org

>> No.61021403

>>61020607
Have you heard of wireshark and pcapdump?

>> No.61022035

>>61019636
This

>> No.61022302 [DELETED] 

>>61020180
>1416070001

A search for this number throws this out:

https://github.com/Floens/ChanTracking/blob/master/pages/home.html

Which, was discussed LAST YEAR :>>https://warosu.org/g/thread/55946290

So, is it the same shit?


What is it

>> No.61022479

An anon posted this link and it got delet

https://github.com/Floens/ChanTracking/blob/master/pages/home.html

>> No.61022593

If I have a separate anti-malware program managing my hosts file, and I'm also using a uBlock Origin hosts list, does one trump the other? I don't see that Firefox has added anything to my hosts file when I check it.

>> No.61022595

>>61020363
>>61020342
blocking https://xhr.ekansovi.com is not sufficient, you fool.

>> No.61022637

>>61022479
Yeah, my bad for being paranoid

That git just has the 4chan source on it - 1416070001 appears in the 4chan source.

>>61020180

>> No.61022652

>>61020363
>>61020342
Get a load of this fucking idiot.

>> No.61022700

If you dump the script that gets eval'd there is a "the cake is a lie" text in it

>> No.61022726

To dump the script after decryption just do this.
1. put bp on first line of sources
2. go to console
// replace eval so the decrypted script is shown instead of being executed
eval = function (x) {
    alert(x);
};
3. let it run.

>> No.61022936

>>61022593
no and you're stupid to ask

>> No.61022945
File: 21 KB, 501x419, so salty.png

>tried to unblock ekansovi.com in uMatrix and uBlock until no more wss connections were blocked in Console
>new friends popping in uBlock's dashboard
>adswithsalt.com

so it's just hirojew playing with us all along

>> No.61022964

>>61022936
I guess I should have asked it this way. Does uBlock Origin have the ability to edit my hosts file?

>> No.61022991

>>61022964
>can a browser extension that's not pure malware edit my host file?
once upon a time /g/ wasn't so shitty
I blame phoneposters

>> No.61023024
File: 26 KB, 493x382, chrome_2017-06-22_19-19-37.png

use a proper blocking tool

>> No.61023028

>>61022964
no and you're stupid to ask

>> No.61023055

>>61023024
why does it look like that

>> No.61023069

>>61023055
the shit to the left? That's "advanced mode".

>> No.61023073

>>61023055
>>61023069
https://github.com/gorhill/uBlock/wiki/Advanced-user-features

>> No.61023107

>>61023024
>blocks all third party
>blocks all third party scripts and frames, as if this was necessary
>manually unblock every single cdn site and third party site
>aussie
3/10, use uMatrix at least
and you'll have some surprises if you look at chrome://webrtc-internals/ once you refresh a 4chan page, even with all that fuckery, stun:a.ekansovi.com:6001 will knock at you anyway. You'll NEED the latest uBlock Origin Extra.
Oh, and if you have uMatrix as well in Chromium, then again you'll see STUN requests until you add uBlock Origin Extra.

>> No.61023149

>>61023107
well shit thanks for the info at least.

fwiw I don't unblock "every single cdn", just shit I need. I'm not so tinfoil I don't use google or imgur, I just don't want my shit uploaded to putin.ru without me saying so.

>> No.61023153

>>61023107
>using chrome
>caring about privacy
why

>> No.61023176

>>61023153
because firefox has lost all direction, why use something copying chrome half the time and making dumb decisions the other half when you could just use chrome? mozilla need to cut the fat and get focused on making firefox great again.

>> No.61023181

>>61023176
Pale moon.

>> No.61023197

>>61023176
Nice job dodging the question. Even if they have women in charge, at least there is some expectation of privacy. With Chrome, you have zero. Also, see: palemoon

>> No.61023216

>>61023176
>use chrome
The browser designed from ground up to spy on you.
Don't let google and anyone they sell or are forced to give info to ever again miss a single click from you.
Thanks to chrome they no longer need a camera in your apartment.
They can reconstruct your movements depending on the exact interaction with your computer.

>> No.61023226

Apply this into 'My filters' of uBlock Origin.

! 3/30/2017, 2:48:59 AM http://boards.4chan.org

ekansovi.com

>> No.61023241

reminder that if you see ekansovi shit on chrome://webrtc-internals/ you're still vulnerable

>> No.61023261

>>61023197
>>61023216
Google knows everything about me already. Google already knows everything about you, probably. I don't give a shit if all my information is going to Google. They've had my email for over a decade, they have every search I've ever made, pretty much every IM I've ever sent, they're inside my phone, and they have a growing AI division. That fight was lost long ago.

I'm just trying to stop random script kiddies running code in my browser.

If you want to use firefox I have no problem with that, but I use chrome.

>> No.61023271

>>61023241
>chrome://webrtc-internals/

Something like this at the start of this is bad, even if you've blocked the URL outright?

>>61017643, { iceServers: [stun:a.ekansovi.com:6001], iceTransportPolicy: all, bundlePolicy: balanced, rtcpMuxPolicy: require },
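Added example, not part of the thread: a small checker for text copied out of chrome://webrtc-internals that pulls the ICE servers out of each configuration line and flags any whose host falls under a blocked domain. The input format is assumed to be the one quoted in the post above; only the first sample line comes from the thread, the rest are constructed, and all function names are hypothetical.

```javascript
'use strict';

// Constructed sample. Line 1 is the configuration quoted in the post above;
// the other lines are made up to exercise the edge cases.
const SAMPLE_DUMP = [
  '{ iceServers: [stun:a.ekansovi.com:6001], iceTransportPolicy: all, bundlePolicy: balanced, rtcpMuxPolicy: require }',
  '{ iceServers: [stun:stun.example.org, turn:relay.example.org:3478?transport=udp], iceTransportPolicy: all }',
  '{ iceServers: [stun://A.EKANSOVI.COM.:6001, stun:notekansovi.com:6001], iceTransportPolicy: all }',
  '{ iceServers: [stun:[2001:db8::1]:3478], iceTransportPolicy: relay }',
].join('\n');

// Domains to flag (the one named in the thread).
const BLOCKED_DOMAINS = ['ekansovi.com'];

// Pull the entries out of "iceServers: [...]". Brackets are counted so that
// an IPv6 literal such as [2001:db8::1] does not end the list early.
function extractIceUris(line) {
  const key = line.indexOf('iceServers:');
  const open = key === -1 ? -1 : line.indexOf('[', key);
  if (open === -1) return [];
  let depth = 0;
  for (let i = open; i < line.length; i++) {
    if (line[i] === '[') depth++;
    else if (line[i] === ']' && --depth === 0) {
      return line.slice(open + 1, i).split(',').map((s) => s.trim()).filter(Boolean);
    }
  }
  return []; // unbalanced brackets: treat as no list
}

// Split a stun:/stuns:/turn:/turns: URI into scheme, host and port.
// "stun://host" (as written in one post) is accepted as well as "stun:host".
function parseIceUri(uri) {
  const m = /^(stuns?|turns?):(?:\/\/)?(\[[0-9a-f:.]+\]|[^:\/?\s\[\]]+)(?::(\d{1,5}))?(?:\?.*)?$/i.exec(uri);
  if (!m) return null;
  const scheme = m[1].toLowerCase();
  const host = m[2].toLowerCase().replace(/\.$/, ''); // drop trailing root dot
  // Default ports: 3478 for stun/turn, 5349 for the TLS variants.
  const port = m[3] ? Number(m[3]) : (scheme.endsWith('s') ? 5349 : 3478);
  return { scheme, host, port };
}

// Match on a label boundary so "notekansovi.com" is not a hit.
function isBlockedHost(host, blocked) {
  return blocked.some((d) => host === d || host.endsWith('.' + d));
}

// One finding per ICE server, with the 1-based line it was seen on.
function auditDump(text, blocked = BLOCKED_DOMAINS) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    for (const uri of extractIceUris(line)) {
      const p = parseIceUri(uri);
      const verdict = !p ? 'unparsed' : isBlockedHost(p.host, blocked) ? 'blocked-domain' : 'ok';
      findings.push({ line: idx + 1, uri, ...(p || {}), verdict });
    }
  });
  return findings;
}

for (const f of auditDump(SAMPLE_DUMP)) {
  if (f.verdict !== 'ok') console.log(`line ${f.line}: ${f.uri} -> ${f.verdict}`);
}
```

Matching on the registered domain rather than the exact host means a changed subdomain is still flagged; a changed domain is not.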

>> No.61023281

>>61023024
Newfag here.
The left one is for global rules and the right one is for local rules, right?

>> No.61023287

>>61023271
yep, apparently we need https://chrome.google.com/webstore/detail/ublock-origin-extra/pgdnlhfefecpicbbihgmbmffkjpaplco/related?hl=en

I saw on the github he made a commit specifically to include 4chan.org. Perhaps someone could explain why we need to 'foil' these "early" connection attempts on a case by case basis instead of globally blocking the root cause of this kind of shit?

>> No.61023290
File: 6 KB, 385x197, 4c.png

>>61023271
yes, use uBO Extra

>> No.61023296

>>61023281
yep

>> No.61023399

>>61023290
How do I bring up that context menu for uBO Extra?

>> No.61023413
File: 22 KB, 365x515, 2017-06-22-095825_365x515_scrot.png

>feel when 4chan is as bad as jerusalem online for jewing its users

>> No.61023443
File: 302 KB, 640x400, file.png

>>61023290
Talking about this one they use in the chrome web store picture.

>> No.61023488

>>61023261
>If you want to use firefox I have no problem with that, but I use chrome.
After analyzing "Iron" and finding tons of trickery still left inside they had missed to clean out, I gave up on Chrome or any derivative.

Firefox with tons of extensions and tons of about:settings changes is probably decent (since TOR uses it), but in default mode it's just as bad as chrome.

That's why I don't use any of the popular browsers, but I do masquerade as one. Not something I recommend since it's more work getting shit to work.
Not only trojans have problems running in my configuration - it's everything else too!

>> No.61023652
File: 221 KB, 562x849, Screenshot_20170620_111825.png

>>61019798

>> No.61023666

>>61023287
because you can't disable WebRTC on Chrom{e,ium}
and u{Block Origin, Matrix} don't address WebRTC

>https://github.com/chrisaljoudi/uBlock/issues/645#issuecomment-72291619
not in Firefox
not in Chrom{e,ium}

at best, uBlock Origin will show you an option to "Prevent WebRTC from leaking local IP addresses" but won't intercept and filter WebRTC requests.
This happens in both Firefox and Chrom{e,ium}; but at least in Firefox you can disable WebRTC completely.

>> No.61023683

>>61023261
You are part of the problem.

>> No.61023691

>>61023666
Thanks

>> No.61023859

there's
>https://github.com/Eloston/ungoogled-chromium
>Disable WebRTC (will be configurable in the future #179)

allegedly it's not a fork
>ungoogled-chromium should not be considered a fork of Chromium
just a set of
>configuration flags, patches, and custom scripts

pick your poison: use an upstream that allows you to disable WebRTC even when you have js running
or
use an upstream that doesn't allow you to disable WebRTC so you have to
- rely on third-party addons with pre-compiled lists of rogue sites (see uBO-extra)
- resort to disabling js completely (WebRTC doesn't work if js is completely disabled)
- revert to "forks"/unbranded versions of the upstream

>> No.61024093
File: 110 KB, 489x557, Screenshot_20170620_141316.png

Exposing our true identities is someone's idea of punishment for 4chan getting Trump elected

>> No.61024271

>>61017643
chinese moot sold us out

>> No.61024303

>>61024271
Regular moot sold you out too.

>> No.61024427

>>61018916
>XOR encryption is unbreakable even in theory if the data XOR'd with the data to be encrypted is random and if the random data is the same length as the date to encrypt

>> No.61024469
File: 1.04 MB, 1280x720, 1448831563817.png

>obfuscated non-free java-script

>tfw botnet wants you to stop shitposting

>> No.61024706

>>61024427
How is that any different from OTP?

>> No.61024715
File: 3 KB, 1141x26, webrtc was a mistake.png

Friendly reminder that
if you're using firefox
and you're not disabling WebRTC completely
so that you don't see this message in Console
you're exposed. You won't be able to see STUN in ff @ about:webrtc as you do in chrome @ chrome://webrtc-internals/
but you'll see adswithsalt.com coming through in your uMatrix/uBlock dashboards

>> No.61024749

>>61024715
btw, adswithsalt has already challenged ad blockers in the past
>https://github.com/uBlockOrigin/uAssets/issues/209

>> No.61024791

>>61020329
No it isn't. None of the settings in that extension will block WebRTC on Chrome.

Check chrome://webrtc-internals and the connection will still be made.

The only way to block it in Chrome is with hosts file but if they change the subdomain you'll need to realise and block it again.

Firefox can properly block WebRTC. Chrome can't currently

>> No.61024830
File: 86 KB, 420x238, laughing_girls.jpg

>he doesn't have Ghostery and AdBlock Plus

laughing_ekansovi.exe

>> No.61024850

>>61024830
dear fucking God, read the motherfucking thread you fucking millennial

if it was a ruse, 10/10 you rused me

>> No.61024955
File: 3 KB, 481x92, peerconnection.png

>>61024715
>>61024749
in firefox you may use normie-friendly addons like https://addons.mozilla.org/firefox/addon/privacy-settings/ with these media-related settings

>> No.61025090

>>61024706
Does not follow the same mechanics but I guess the principle is the same.

My point was to not underestimate how strong XOR encryption can be, if properly implemented, since some anon seemed to be making fun of it

>> No.61025118
File: 98 KB, 784x373, Capture.png

>>61024850
Sorry, that was a ruse actually :^)

But, seriously guys - we all know how to block this now. The real question is - what is it doing, and why is it embedded on 4chan?

>> No.61025179

>>61025118
see again
>>61024749
>>61016560

>>61019636
>>61022035
Not enough, see >>61024715 , >>61023107

>> No.61025343

How many 4chan users are going to either install uBlock Origin Extra in Chrome-related browsers or disable completely webrtc AND use at least uBlock Origin?
My guess is that it will be a number negligible enough for the "advanced users" to still stand out and be backtracked

>> No.61025396

>>61025343
This.

It's probably safer to disable uBlock entirely lads... nothing to hide nothing to fear :^)

>> No.61025446

>>61023024
What the fuck are you doing you dumb ass? Use "noop" not "allow"

>> No.61025465

>>61020589
anon from /pol/, claimed to be ex-/FBI, posted various pictures and stories that couldn't be found anywhere else.

>> No.61025495

Once again proving WebRTC was a mistake.

>> No.61025500

>>61023024
use proper "noop" rules, not "allow" rules.

>> No.61025509

Pale Meme doesn't have WebRTC.

>> No.61025515

If I don't see it in Ublock's content logger, then I'm good?

>> No.61025524

>>61025515
It *should* be blocked now but it doesn't show up in the general view in firefox it shows up under behind-the-scenes for some odd reason apparently related to webrtc

>> No.61025570

>>61025515
no, read the thread.

>> No.61025704

>>61025515
Also download uBlock Origin Extra from chrome Store.

>> No.61025724

So wait

What if you're only using Clover to browse?

>> No.61025754

>>61025724
I think those clients just download the json file and the images/media and ignore the rest of the page so I don't think they were affected, probably.

>> No.61025772

>>61025524
So if I disable WebRTC then it should stop right?

>> No.61025776
File: 147 KB, 1262x778, 1487289337554.png

Another solution, if you're using 4chan x, you can block all requests coming from the 4chan scripts in Settings -> Advanced -> Javascript Whitelist

Pic related, my config

This will prevent it from executing without installing more add-ons.. but of course hirochink could just add the tracking code to the 4chan js itself.

>>61025724
you should be safe. clients typically stick to API calls. wouldn't make sense for them to run any javascript

>> No.61025794

>>61025515
the logger is irrelevant

open a console (I assume you're on firefox)
you should either see the pic in >>61024715 if you have disabled WebRTC completely

or this message
Content Security Policy: The page’s settings blocked the loading of a resource at wss://a.ekansovi.com/wsp (“connect-src https: http:”). if you didn't disable WebRTC completely BUT you updated recently uBlock Origin's filters.

In the first case you are ALWAYS protected
In the second case you are protected ONLY ONCE, thanks to an explicit rule ( see >>61016560 ; it injects a fake CSP)

If you're on Chromium: you can't be ALWAYS protected, you have to download uBlock Origin Extra and rely on hard-coded lists, so you're bound to be protected only ONCE (if the domain changes, you're busted)

>> No.61025806

>>61025772
It apparently falls back to using XHR if you disable WebRTC but the good news is you can easily block those through the usual filters. You should disable WebRTC anyway because it's a huge security risk at this point.

>> No.61025809

>>61025776
I should have 'self' commented out there too

>> No.61025814

>>61025754
>>61025776
t. jewmoot

these "javascripts" are enabled if you enable any javascript on 4chan at all.

>> No.61025826

>>61025724
>mobile poster gets busted
and nothing of value was lost that day

>> No.61025893

>>61025794
>if you didn't disable WebRTC completely BUT you updated recently uBlock Origin's filters.
uBlock Origin takes precedence it seems, so the "Content Security Policy" error will be logged if you have updated uBlock Origin's filters recently no matter if you have disabled WebRTC completely.

>> No.61025915

So is anyone going to address the problem with firefox that allowed this potentially malicious website to slip by every content filter?

>> No.61025935

>>61025915
>the problem with firefox
the problem is with any browser and it's called WebRTC. It's more a problem for Chrome users, since they can't disable it entirely.
The problem has been addressed extensively, read the thread.

>> No.61025955

>>61025935
Is it really just webrtc behaving correctly? How is bypassing everything and running in the behind-the-scenes scope normal? Why isn't webrtc assigned its own scope if it doesn't run in any of the other ones?

>> No.61025957

>>61022637
>1416070001 appears in the 4chan source
Why tho? 2012-01-01

>> No.61025983

>>61018492
There was a huge thread about it on Tuesday.
to tl;dr it, this may or may not be able to tie a user's IP to their posts.

>> No.61026068

test

>> No.61026131
File: 167 KB, 1340x362, 1495867210872.png

How come I don't have it? Does that mean I haven't been naughty like you guys?

>> No.61026135

>>61025794
WebRTC is disabled and I see that message. So I should be set?

>> No.61026141

>>61025509
Jah bless

>> No.61026179

>Thought I was safe since the very first thread about this shit cause it didn't show up on umatrix
>Checked ublock hidden requests today just because was curious
>ekansovi

Feels Bad Man

>> No.61026210

How do you block Google without breaking captcha? I can't post otherwise. Fuck paying gookmoot.

>> No.61026213

>>61026179
Yeah, the WebRTC bypass has fucked us all

>> No.61026239

>>61026179
it shows up behind the scene logger for me too, even though I blocked it in hosts

>> No.61026272

>>61026239
It will because the javascript is still running on the page. The blocker only stops the connection attempt from working so whatever it's doing is kept on your machine.

>> No.61026279

>>61023241
>chrome://webrtc-internals/
>ERR_INVALID_URL
so i'm basically safe?
and yes i'm using chromium

>> No.61026291

>>61026272
I see, thanks for clarifying.

>> No.61026339

>>61026239
Blocking WebRTC fixed this for me but actually what the fuck is going on?
I'm actually glad I'm not from US so if these are the feds they won't get me.
Hopefully none of you guys gets shit from it too.

Are there any other vectors aside from WebRTC and some scripting shit? I'm using uBlock and noScript and it doesn't seem to be doing any connections anymore, am I safe now?

>> No.61026346

The actual tracking pixel comes from s0.2mdn.net

Whois for s0.2mdn.net says it was registered using Google DNS by MarkMonitor, Inc.

>MarkMonitor Inc. is an American software company founded in 1999. It develops software intended to protect corporate brands from Internet counterfeiting, fraud, piracy, and cybersquatting.

>> No.61026372

>>61026339
Check the Tor browser, they are trying to remove all fingerprinting, etc

>> No.61026454

>>61026179
>Checked ublock hidden requests
How?

>> No.61026467

>>61026454
behind the scene

>> No.61026488
File: 9 KB, 552x166, bts.png

>>61026454
>>61026467

>> No.61026517
File: 74 KB, 992x880, 1473252509187.png

>>61026467
>>61026488
Oh, I see. It still doesn't show for me though. Maybe I don't have it, which would be weird since my posting habits seem to be in line with those who claim to have it.

>> No.61026539

>>61026517
Why is the favicon requested multiple times a second? github fucking sucks

>> No.61026550

>>61026372
I know about Tor but firefox is really comfy after some tweaking, I'm just curious if there is some way I could see all the requests.
Is uBlock listing them all?

>> No.61026572
File: 840 KB, 1176x1000, 1492195015931.png

>>61026539
I-I don't know. I was reading some documentation for a bit but now that you mention it, it's kinda weird.

>> No.61026600

>>61026550
ublock can show "hidden" requests that the browser itself makes. Firefox/Chrome hide those so people don't mess with them. Other than that I think they show the same amount

>> No.61026626

>>61026550
The Tor browser is firefox with privacy tweaks. (Though js is still enabled by default which will probably result in people being killed)

>> No.61026837

>>61026626
No self-destructing cookies though

>>61026600
It is then, thanks

>> No.61026852

>>61026135
Yes, you're safe

>> No.61026869

>>61026852
Thanks, Anon

>> No.61026927

>>61026837
Yea, the Tor team are making some very dumb/intelFriendly decisions, they try to explain it away by saying it's to increase users of the tor network but they're only alienating people who know anything about security.

>> No.61026971
File: 2 KB, 326x31, cancer.png

>>61026852
>>61026339
Update, WebRTC block is not helping

>> No.61026988

>>61026971
could just be the request showing

>> No.61026989

>>61017643
cool story bro

>> No.61027017

>>61026989
oy, the dev commented here.

>> No.61027039
File: 13 KB, 260x260, mods.jpg

mods are asleep
post sinks

>> No.61027053

>>61027039
>>61026989
shills. do not respond to this shit

>> No.61027068

>>61026988
How do I know for sure it is blocked then?

>> No.61027072
File: 13 KB, 320x434, NSAISPYINGONYOUFAGGITS.jpg

>>61017643
finally

>> No.61027119

>>61026971
Websocket and WebRTC are two different things. Update the filters in ublock/umatrix (open settings, 3rd party filters, update now) if you didn't do it already.

>> No.61027142

>>61026971
are you the same guy who >>61026135
>disabled and I see that message
the message being
>Content Security Policy: The page’s settings blocked the loading of a resource at wss://a.ekansovi.com/wsp (“connect-src https: http:”).
?
If so, you're showing a /wsm rather than a /wsp request, and it would be interesting to know
- browser version
- status of media.peerconnection.enabled in about:config
- full string

>>61027119
WebRTC is used to exploit uBlock/uMatrix content filtering and to create a websocket.

>> No.61027168

>>61027142
btw, uBlock's filter detailed in >>61016560
should block both variants and they shouldn't hit uBlock's logger.

>> No.61027205

>>61027142
I'm not that guy who got the message and I don't know where should I look for it, if you can tell me where I will post results.
I'm on firefox 52.1.0, peerconnection is set to false.

>> No.61027267

>>61027205
update your uBlock filters
then clear everything (ctrl-shift-del)
open the thread in a new tab
and see >>61025794

>> No.61027308

>>61027119
no it's not

>> No.61027387

>>61027068
>>61027068
>>61027068

>> No.61027393

>>61027267
>>61027142
17:40:13.013 Content Security Policy: The page’s settings blocked the loading of a resource at „wss://a.ekansovi.com/wsm” („connect-src https: http:”). 1 (unknown)

I don't understand, shouldn't it exist at all after setting RTC to false?

>> No.61027486

>>61027387
Get a job in Tel Aviv and check the cp database

>> No.61027623

>>61027393
see >>61025893
you're fine.

>> No.61027649
File: 18 KB, 598x417, rtc.png

I'm confused. What's wrong with using this?

>> No.61027686

>>61027649
that's irrelevant. uBlock doesn't and can't do rtc content filtering. It can only inject CSP rules (firefox) or "defuse" javascript eval with uBO-extra (Chrome only)

>> No.61027693

>>61027649
just disable webGL/rtc entirely because it's cancer.

>> No.61027735
File: 47 KB, 766x624, socket.png

>>61027686
>>61027693
But in conjunction with filters, it works

>> No.61027772

>>61027735
no, you're blocking https requests. The malicious script attempts to hit you with wss:// websockets TOO and with websockets crafted via WebRTC, thus unfilterable with uBlock/uMatrix.
Read the fucking thread.

>> No.61027823

>>61027772
>unfilterable with uBlock/uMatrix
better: >>61027686
>It can only inject CSP rules (firefox) or "defuse" javascript eval with uBO-extra (Chrome only)
wss / WebRTC is "indirectly filtered" in Firefox thanks to uBlock Origin's CSP injection in every 4chan thread, and it can be verified through the Console.

>> No.61027945
File: 42 KB, 1086x550, wss.png

>>61027686
>>61027693
>>61027772
Sorry, wasn't paying attention. As I said, it seems to block it, unless it's misrepresenting it.

>> No.61028139
File: 9 KB, 628x52, ss.png

>>61027945
that's a custom rule you created, and it's NOT enough. It shouldn't hit the logger. Remove your custom rule. Go through all the passages detailed in >>61027267
Pic related is what you should see in the logger.

>> No.61028201

>>61028139
btw in the Console (not in the logger) you'll be able to see
>Content Security Policy: The page’s settings blocked the loading of a resource at wss://a.ekansovi.com/wsp (“connect-src https: http:”).
AND
>Content Security Policy: The page’s settings blocked the loading of a resource at https://xhr.ekansovi.com/ljs?p=[string] (“script-src http://s.4cdn.org https://s.4cdn.org http://www.google.com https://www.google.com https://www.gstatic.com http://cdn.mathjax.org https://cdn.mathjax.org https://cdnjs.cloudflare.com https://boards.4chan.org 'unsafe-inline' 'unsafe-eval'”).
AND
>Content Security Policy: The page’s settings blocked the loading of a resource at blob:https://boards.4chan.org/[string] (“default-src https://boards.4chan.org * data: 'unsafe-inline' 'unsafe-eval'”).
among the other CSP-related error messages.
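Added example, not part of the thread: a re-check of the console messages quoted above that parses each one into blocked URL, directive and source list, then tests the URL against the list to show why it was refused. This is a simplified model written for this page, not a browser's CSP implementation: it handles scheme sources, scheme-qualified hosts and `*` for http(s) only; ports, paths, 'self' and scheme-less hosts are not modelled, and the function names are hypothetical.

```javascript
'use strict';

// Constructed input: the console messages quoted in the thread, with the
// "[string]" placeholders kept as posted.
const CONSOLE_LINES = [
  "Content Security Policy: The page’s settings blocked the loading of a resource at wss://a.ekansovi.com/wsp (“connect-src https: http:”).",
  "17:40:13.013 Content Security Policy: The page’s settings blocked the loading of a resource at „wss://a.ekansovi.com/wsm” („connect-src https: http:”). 1 (unknown)",
  "Content Security Policy: The page’s settings blocked the loading of a resource at https://xhr.ekansovi.com/ljs?p=[string] (“script-src http://s.4cdn.org https://s.4cdn.org http://www.google.com https://www.google.com https://www.gstatic.com http://cdn.mathjax.org https://cdn.mathjax.org https://cdnjs.cloudflare.com https://boards.4chan.org 'unsafe-inline' 'unsafe-eval'”).",
  "Content Security Policy: The page’s settings blocked the loading of a resource at blob:https://boards.4chan.org/[string] (“default-src https://boards.4chan.org * data: 'unsafe-inline' 'unsafe-eval'”).",
];

// Extract the blocked URL, the directive that blocked it and its source list.
// Both quote styles seen in the thread (“...” and „...”) are accepted.
function parseViolation(line) {
  const m = /resource at\s+[„“]?([^\s„“”]+)[“”]?\s+\([„“]([a-z-]+)\s+([^“”]*)[“”]\)/.exec(line);
  if (!m) return null;
  return { url: m[1], directive: m[2], sources: m[3].trim().split(/\s+/) };
}

// A source scheme covers itself, and the insecure form covers its secure
// upgrade. Nothing here lets http:/https: stand in for ws:/wss:.
function schemeMatches(exprScheme, urlScheme) {
  return exprScheme === urlScheme ||
    (exprScheme === 'http' && urlScheme === 'https') ||
    (exprScheme === 'ws' && urlScheme === 'wss');
}

// Does one source expression match the URL? (simplified, see lead-in)
function sourceMatches(expr, url) {
  const urlScheme = url.slice(0, url.indexOf(':')).toLowerCase();
  if (expr === "'self'") throw new Error("'self' is not modelled");
  if (expr.startsWith("'")) return false; // other keywords name no URL
  if (expr === '*') {
    if (urlScheme === 'ws' || urlScheme === 'wss') throw new Error('* with ws/wss is not modelled');
    return urlScheme === 'http' || urlScheme === 'https'; // never blob:/data:
  }
  let m = /^([a-z][a-z0-9+.-]*):$/i.exec(expr); // scheme source, e.g. https:
  if (m) return schemeMatches(m[1].toLowerCase(), urlScheme);
  m = /^([a-z][a-z0-9+.-]*):\/\/(\*\.)?([^\/:]+)/i.exec(expr); // scheme://host
  if (!m) throw new Error('source expression not modelled: ' + expr);
  if (!schemeMatches(m[1].toLowerCase(), urlScheme)) return false;
  const host = new URL(url).hostname.toLowerCase();
  const want = m[3].toLowerCase();
  return m[2] ? host.endsWith('.' + want) : host === want;
}

function isAllowed(sources, url) {
  return sources.some((s) => sourceMatches(s, url));
}

// Parse every message and recompute the verdict under the model above.
function recheck(lines) {
  return lines.map(parseViolation).filter(Boolean)
    .map((v) => ({ ...v, allowed: isAllowed(v.sources, v.url) }));
}

for (const r of recheck(CONSOLE_LINES)) {
  console.log(`${r.directive}: ${r.url} -> ${r.allowed ? 'allowed' : 'blocked'}`);
}
// What the same connect-src list does with an https: request to the XHR host.
console.log('XHR under connect-src:',
  isAllowed(['https:', 'http:'], 'https://xhr.ekansovi.com/ljs') ? 'allowed' : 'blocked');
```

Under this model the `connect-src https: http:` list refuses both websocket endpoints but lets an https: request to the same domain through, which matches the point made earlier in the thread that the XHR fallback has to be caught by the usual filters.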

>> No.61028350

so how does the script actually manage to somehow make these websocket connections behind-the-scene?
i messed a bit with websockets today and calling the WebSocket constructor like `new WebSocket("wss://example.com/")` etc. actually resulted in the connections being shown by uBlock's logger associated with the tab i was executing that javascript on, and NOT the behind-the-scenes view
