- tor-commits - lists.torproject.org

[metrics-web/master] Add graph on bandwidth by Exit and/or Guard flags.
by karsten＠torproject.org 26 Apr '11

26 Apr '11

commit 0189c896586e67e994cb0774b51515e115f8e8f2 Author: Karsten Loesing <karsten.loesing(a)gmx.net> Date: Tue Apr 26 14:14:09 2011 +0200 Add graph on bandwidth by Exit and/or Guard flags. --- db/tordir.sql | 36 ++++++++++++++++ etc/web.xml | 4 ++ rserve/csv.R | 14 ++++++ rserve/graphs.R | 44 ++++++++++++++++++++ src/org/torproject/ernie/web/CsvServlet.java | 1 + .../ernie/web/GraphParameterChecker.java | 1 + web/WEB-INF/network.jsp | 31 ++++++++++++++ 7 files changed, 131 insertions(+), 0 deletions(-) diff --git a/db/tordir.sql b/db/tordir.sql index 8efba09..cfe5907 100644 --- a/db/tordir.sql +++ b/db/tordir.sql @@ -196,6 +196,16 @@ CREATE TABLE total_bwhist ( CONSTRAINT total_bwhist_pkey PRIMARY KEY(date) ); +-- TABLE bwhist_flags +CREATE TABLE bwhist_flags ( + date DATE NOT NULL, + isexit BOOLEAN NOT NULL, + isguard BOOLEAN NOT NULL, + read BIGINT, + written BIGINT, + CONSTRAINT bwhist_flags_pkey PRIMARY KEY(date, isexit, isguard) +); + -- TABLE user_stats -- Aggregate statistics on directory requests and byte histories that we -- use to estimate user numbers. @@ -591,6 +601,31 @@ CREATE OR REPLACE FUNCTION refresh_total_bwhist() RETURNS INTEGER AS $$ END; $$ LANGUAGE plpgsql; +CREATE OR REPLACE FUNCTION refresh_bwhist_flags() RETURNS INTEGER AS $$ + BEGIN + DELETE FROM bwhist_flags WHERE date IN (SELECT date FROM updates); + INSERT INTO bwhist_flags (date, isexit, isguard, read_write_avg) + SELECT a.date, isexit, isguard, SUM(read_sum) as read, + SUM(written_sum) AS written + FROM + (SELECT DATE(validafter) AS date, + fingerprint, + BOOL_OR(isexit) AS isexit, + BOOL_OR(isguard) AS isguard + FROM statusentry + WHERE isrunning = TRUE + AND DATE(validafter) >= (SELECT MIN(date) FROM updates) + AND DATE(validafter) <= (SELECT MAX(date) FROM updates) + AND DATE(validafter) IN (SELECT date FROM updates) + GROUP BY 1, 2) a + JOIN bwhist + ON a.date = bwhist.date + AND a.fingerprint = bwhist.fingerprint + GROUP BY 1, 2, 3; + RETURN 1; + END; +$$ LANGUAGE plpgsql; + -- FUNCTION refresh_user_stats() -- This function refreshes our user statistics by weighting reported -- directory request statistics of directory mirrors with bandwidth @@ -823,6 +858,7 @@ CREATE OR REPLACE FUNCTION refresh_all() RETURNS INTEGER AS $$ PERFORM refresh_relay_versions(); PERFORM refresh_total_bandwidth(); PERFORM refresh_total_bwhist(); + PERFORM refresh_bwhist_flags(); PERFORM refresh_user_stats(); DELETE FROM scheduled_updates WHERE id IN (SELECT id FROM updates); RETURN 1; diff --git a/etc/web.xml b/etc/web.xml index a9b36bc..688e6f3 100644 --- a/etc/web.xml +++ b/etc/web.xml @@ -197,6 +197,10 @@ </servlet-mapping> <servlet-mapping> <servlet-name>GraphImage</servlet-name> + <url-pattern>/bwhist-flags.png</url-pattern> + </servlet-mapping> + <servlet-mapping> + <servlet-name>GraphImage</servlet-name> <url-pattern>/dirbytes.png</url-pattern> </servlet-mapping> <servlet-mapping> diff --git a/rserve/csv.R b/rserve/csv.R index 37a0856..17a59c2 100644 --- a/rserve/csv.R +++ b/rserve/csv.R @@ -90,6 +90,20 @@ export_bandwidth <- function(path) { write.csv(bandwidth, path, quote = FALSE, row.names = FALSE) } +export_bwhist_flags <- function(path) { + drv <- dbDriver("PostgreSQL") + con <- dbConnect(drv, user = dbuser, password = dbpassword, dbname = db) + q <- paste("SELECT date, isexit, isguard, read, written", + "FROM bwhist_flags", + "WHERE date < (SELECT MAX(date) FROM bwhist_flags) - 1", + "ORDER BY date, isexit, isguard") + rs <- dbSendQuery(con, q) + bw <- fetch(rs, n = -1) + dbDisconnect(con) + dbUnloadDriver(drv) + write.csv(bw, path, quote = FALSE, row.names = FALSE) +} + export_dirbytes <- function(path) { drv <- dbDriver("PostgreSQL") con <- dbConnect(drv, user = dbuser, password = dbpassword, dbname = db) diff --git a/rserve/graphs.R b/rserve/graphs.R index 15daf02..f268a34 100644 --- a/rserve/graphs.R +++ b/rserve/graphs.R @@ -443,6 +443,50 @@ plot_bandwidth <- function(start, end, path, dpi) { ggsave(filename = path, width = 8, height = 5, dpi = as.numeric(dpi)) } +plot_bwhist_flags <- function(start, end, path, dpi) { + drv <- dbDriver("PostgreSQL") + con <- dbConnect(drv, user = dbuser, password = dbpassword, dbname = db) + q <- paste("SELECT date, isexit, isguard, read, written ", + "FROM bwhist_flags WHERE date >= '", start, "' AND date <= '", end, + "' AND date < (SELECT MAX(date) FROM bwhist_flags) - 1 ", sep = "") + rs <- dbSendQuery(con, q) + bw <- fetch(rs, n = -1) + dbDisconnect(con) + dbUnloadDriver(drv) + dates <- seq(from = as.Date(start, "%Y-%m-%d"), + to = as.Date(end, "%Y-%m-%d"), by = "1 day") + missing <- setdiff(dates, as.Date(bw$date, origin = "1970-01-01")) + if (length(missing) > 0) + bw <- rbind(bw, + data.frame(date = as.Date(missing, origin = "1970-01-01"), + isexit = FALSE, isguard = FALSE, read = NA, written = NA), + data.frame(date = as.Date(missing, origin = "1970-01-01"), + isexit = FALSE, isguard = TRUE, read = NA, written = NA), + data.frame(date = as.Date(missing, origin = "1970-01-01"), + isexit = TRUE, isguard = FALSE, read = NA, written = NA), + data.frame(date = as.Date(missing, origin = "1970-01-01"), + isexit = TRUE, isguard = TRUE, read = NA, written = NA)) + bw <- data.frame(date = bw$date, variable = ifelse(bw$isexit, + ifelse(bw$isguard, "Guard & Exit", "Exit only"), + ifelse(bw$isguard, "Guard only", "Middle only")), + value = (bw$read + bw$written) / 2) + ggplot(bw, aes(x = as.Date(date, "%Y-%m-%d"), y = value / 2^20 / 86400, + colour = variable)) + + geom_line(size = 1) + + scale_x_date(name = paste("\nThe Tor Project - ", + "https://metrics.torproject.org/", sep = ""), format = + c("%d-%b", "%d-%b", "%b-%Y", "%b-%Y", "%Y", "%Y")[ + cut(as.numeric(max(as.Date(bw$date, "%Y-%m-%d")) - + min(as.Date(bw$date, "%Y-%m-%d"))), + c(0, 10, 56, 365, 730, 5000, Inf), labels=FALSE)]) + + scale_y_continuous(name="Bandwidth (MiB/s)", + limits = c(0, max(bw$value, na.rm = TRUE) / 2^20 / 86400)) + + scale_colour_hue(name = "") + + opts(title = "Bandwidth history by relay flags", + legend.position = "top") + ggsave(filename = path, width = 8, height = 5, dpi = as.numeric(dpi)) +} + plot_dirbytes <- function(start, end, path, dpi) { drv <- dbDriver("PostgreSQL") con <- dbConnect(drv, user = dbuser, password = dbpassword, dbname = db) diff --git a/src/org/torproject/ernie/web/CsvServlet.java b/src/org/torproject/ernie/web/CsvServlet.java index 0997f31..0140fa9 100644 --- a/src/org/torproject/ernie/web/CsvServlet.java +++ b/src/org/torproject/ernie/web/CsvServlet.java @@ -31,6 +31,7 @@ public class CsvServlet extends HttpServlet { this.availableCsvFiles = new HashSet<String>(); this.availableCsvFiles.add("bandwidth"); this.availableCsvFiles.add("bridge-users"); + this.availableCsvFiles.add("bwhist-flags"); this.availableCsvFiles.add("connbidirect"); this.availableCsvFiles.add("current-platform-strings"); this.availableCsvFiles.add("direct-users"); diff --git a/src/org/torproject/ernie/web/GraphParameterChecker.java b/src/org/torproject/ernie/web/GraphParameterChecker.java index 308afe5..95e4cf0 100644 --- a/src/org/torproject/ernie/web/GraphParameterChecker.java +++ b/src/org/torproject/ernie/web/GraphParameterChecker.java @@ -47,6 +47,7 @@ public class GraphParameterChecker { this.availableGraphs.put("versions", "start,end,filename,dpi"); this.availableGraphs.put("platforms", "start,end,filename,dpi"); this.availableGraphs.put("bandwidth", "start,end,filename,dpi"); + this.availableGraphs.put("bwhist-flags", "start,end,filename,dpi"); this.availableGraphs.put("dirbytes", "start,end,filename,dpi"); this.availableGraphs.put("direct-users", "start,end,country,filename,dpi"); diff --git a/web/WEB-INF/network.jsp b/web/WEB-INF/network.jsp index a1a5efe..7906789 100644 --- a/web/WEB-INF/network.jsp +++ b/web/WEB-INF/network.jsp @@ -227,6 +227,37 @@ in the network.</p> <p><a href="csv/bandwidth.csv">CSV</a> file containing all data.</p> <br> +<h3>Relay bandwidth by Exit and/or Guard flags</h3> +<br> +<p>The following graph shows the relay bandwidth of all relays with the +Exit and/or Guard flags assigned by the directory authorities.</p> +<a name="bwhist-flags"></a> +<img src="bwhist-flags.png${bwhist_flags_url}" + width="576" height="360" alt="Relay bandwidth by flags graph"> +<form action="network.html#bwhist-flags"> + <div class="formrow"> + <input type="hidden" name="graph" value="bwhist-flags"> + <p> + <label>Start date (yyyy-mm-dd):</label> + <input type="text" name="start" size="10" + value="<c:choose><c:when test="${fn:length(bwhist_flags_start) == 0}">${default_start_date}</c:when><c:otherwise>${bwhist_flags_start[0]}</c:otherwise></c:choose>"> + <label>End date (yyyy-mm-dd):</label> + <input type="text" name="end" size="10" + value="<c:choose><c:when test="${fn:length(bwhist_flags_end) == 0}">${default_end_date}</c:when><c:otherwise>${bwhist_flags_end[0]}</c:otherwise></c:choose>"> + </p><p> + Resolution: <select name="dpi"> + <option value="72"<c:if test="${bwhist_flags_dpi[0] eq '72'}"> selected</c:if>>Screen - 576x360</option> + <option value="150"<c:if test="${bwhist_flags_dpi[0] eq '150'}"> selected</c:if>>Print low - 1200x750</option> + <option value="300"<c:if test="${bwhist_flags_dpi[0] eq '300'}"> selected</c:if>>Print high - 2400x1500</option> + </select> + </p><p> + <input class="submit" type="submit" value="Update graph"> + </p> + </div> +</form> +<p><a href="csv/bwhist-flags.csv">CSV</a> file containing all data.</p> +<br> + <h3>Number of bytes spent on answering directory requests</h3> <br> <p>Relays running on 0.2.2.15-alpha or higher report the number of bytes

1 0

r24671: {projects} Ah, Torbutton. It's almost as if you never existed. (projects/articles/browser-privacy)
by Mike Perry 26 Apr '11

26 Apr '11

Author: mikeperry Date: 2011-04-26 11:18:08 +0000 (Tue, 26 Apr 2011) New Revision: 24671 Modified: projects/articles/browser-privacy/W3CIdentity.tex Log: Ah, Torbutton. It's almost as if you never existed. Modified: projects/articles/browser-privacy/W3CIdentity.tex =================================================================== --- projects/articles/browser-privacy/W3CIdentity.tex 2011-04-26 09:35:52 UTC (rev 24670) +++ projects/articles/browser-privacy/W3CIdentity.tex 2011-04-26 11:18:08 UTC (rev 24671) @@ -263,8 +263,8 @@ make user interaction with content elements more explicitly tied to the current site. -Similarly, one could imagine this two-level origin isolation being deployed to -improve similar issues with DOM Storage and cryptographic tokens. +Similarly, one could imagine this two level dual-keyed origin isolation being +deployed to improve similar issues with DOM Storage and cryptographic tokens. Making the origin model for browser identifiers more closely match user activity and user expectation has other advantages as well. With a clear @@ -309,45 +309,14 @@ improvements, as it does not require extensive compatibility testing or standards coordination. -% XXX: Do we need to even mention torbutton? -One of the earliest examples of an identity-based approach is our own work on -Torbutton\cite{torbutton}, Torbutton deserves poor marks for both simplicity -and usability\cite{not-to-toggle}. Torbutton attempts to isolate the user's -non-Tor activity from their Tor activity, effectively providing the user with -a blank slate for their Tor activity, but optionally allowing them to toggle -between these two identities. +Of the major private browsing modes, Google Chrome's Incognito Mode comes the +closest to conveying the idea of ``identity'' to the user, and the +implementation is also simple as a result. The Incognito Mode window is a +separate, stylized window that clearly conveys an alternate identity is in use +for this window, which can be used concurrent to the non-private identity. +The better UI appears to lead to less mode error (where the user forgets their +private browsing state) compared to other browsers\cite{private-browsing}. -Firefox Private Browsing Mode is very similar, in that it allows users to -switch between their normal browsing and a ``private'' clean slate. - -% FIXME: This paragraph can go if we need space: -Both Firefox PBM and Torbutton suffer from usability issues, primarily because -this concept of separate browsing identities is not properly conveyed to the -user. In Firefox's case, this usability issue is apparent through the quantity -of mode error observed in the review of Private Browsing Modes by Dan Boneh et -al\cite{private-browsing}. In Torbutton's case, the issues appear more severe. -We've informally observed that users have tremendous difficulties remembering -which tabs were Tor-related and which were non-Tor related, and we've also -observed issues with mode error. - -Both of these approaches are exceedingly complex: they deal with every aspect -of browser state individually. This development effort however does enable -Firefox and Torbutton to provide the user with great fine-grained control. - -Google Chrome's Incognito Mode comes the closest to conveying this idea of -``Incognito identity'' to the user, and the implementation is also simpler as a -result. The Incognito Mode window is a separate, stylized window that clearly -conveys an alternate identity is in use for this window, which can be used -concurrent to the non-private identity. This appears to lead to less mode -error (where the user forgets their private browsing state) compared to other -browsers. - -% FIXME: This paragraph can go if we need space: -The implementation of Incognito is as a virtualized in-memory profile, which -allows them to achieve protection against history storage issues for very low -effort. It also allows them to tweak browser properties and permissions -specifically for this profile. - The Mozilla Weave project appears to be proposing an identity-oriented method of managing, syncing, and storing authentication tokens, and also has use cases described for multiple users of a single browser\cite{weave-manager}. It

1 0

r24670: {projects} Rework draft based on Nick's suggestions: improve abstract, (projects/articles/browser-privacy)
by Mike Perry 26 Apr '11

26 Apr '11

Author: mikeperry Date: 2011-04-26 09:35:52 +0000 (Tue, 26 Apr 2011) New Revision: 24670 Modified: projects/articles/browser-privacy/W3CIdentity.bib projects/articles/browser-privacy/W3CIdentity.tex Log: Rework draft based on Nick's suggestions: improve abstract, tone down use of identity, introduce ideas better. Problem is, we've now bled into 6 pages. We need to trim some fat. Modified: projects/articles/browser-privacy/W3CIdentity.bib =================================================================== --- projects/articles/browser-privacy/W3CIdentity.bib 2011-04-26 01:37:07 UTC (rev 24669) +++ projects/articles/browser-privacy/W3CIdentity.bib 2011-04-26 09:35:52 UTC (rev 24670) @@ -95,3 +95,13 @@ author= {Mozilla}, note = {\url{https://mozillalabs.com/personas/}} } + +@Misc{rfc2965, + author = {D. Kristol and L. Montulli}, + title = {HTTP State Management Mechanism}, + howpublished = {IETF RFC 2965}, + month = {October}, + year = {2000}, + note = {\url{http://www.rfc-editor.org/rfc/rfc2965.txt}}, +} + Modified: projects/articles/browser-privacy/W3CIdentity.tex =================================================================== --- projects/articles/browser-privacy/W3CIdentity.tex 2011-04-26 01:37:07 UTC (rev 24669) +++ projects/articles/browser-privacy/W3CIdentity.tex 2011-04-26 09:35:52 UTC (rev 24670) @@ -17,7 +17,7 @@ \begin{document} -\title{Bridging the Disconnect Between Web Identity and User Perception} +\title{Bridging the Disconnect Between Web Privacy and User Perception} \author{Mike Perry \\ The Internet \\ mikeperry(a)torproject.org} @@ -32,10 +32,13 @@ and the reality of their relationship with the websites they visit. This position paper explores this disconnect and provides some recommendations for making the technical reality of the web match user perception, through both -technical improvements as well as user interface cues. By looking at all of -the elements of tracking as though they collectively comprise "User Identity", -we can make better decisions about improvements to both the technical and the -interface aspects of authentication and privacy. +technical improvements as well as user interface cues. We frame the core +technical problem as one of ``linkability'' -- the level of correlation +between various online activities that the user naturally expects to be +independent. We look to address the issue of unexpected linkability through +both improvements to the web's origin model, as well as through user interface +cues about the set of accumulated identifiers that can be said to comprise +a user's online identity. \end{abstract} @@ -44,8 +47,8 @@ The prevailing revenue model of the web is an appealing one. Web users receive unfettered, frictionless access to an extensive variety of information sources in exchange for viewing advertising. This advertising is more valuable if each -advertisement is more relevant to the current activity, and if possible, more -relevant to the current user. +advertisement is relevant to the current activity, and if possible, relevant +to the current user. The cost of this is that user privacy on the web is a nightmare. There is ubiquitous tracking, unseen partnership agreements and data exchange, and @@ -56,7 +59,7 @@ The problem is that the revenue model of the web has incentivized companies to find ways to continue to track users against their will, even if those users are attempting to protect themselves through currently available methods. -Starting with the infamous "Flash cookies", we have progressed through a +Starting with the infamous ``Flash cookies'', we have progressed through a seemingly endless arms race of secondary identifiers and tracking information: visited history, cache, font and system data, desktop resolution, keystroke timing, and so on and so forth\cite{wsj-fingerprinting}. @@ -71,46 +74,61 @@ To understand and evaluate potential solutions and improvements to this status quo, we must explore the disconnect between user experience and the way the -web actually functions with respect to tracking and identity. +web actually functions with respect to user tracking. -% FIXME: Do we need this paragraph? -%To this end, the rest of this document is structured as follows: First, we -%examine user identity on the web, comparing the average user's perspective to -%what actually is happening technically behind the scenes, and noting the major -%disconnects. We then examine solutions attempting to bridge this disconnect -%from two different directions. +% +% 20:16 < nickm> Not "identity-based", though. identity-separation, +% identity-isolation. "nym" and "pseudonym" are also fine words +% 20:18 < armadev> i'm still not entirely clear on what you mean by the +% identity model. i am guessing it's "the user thinks of his web +% experience in terms of whether the website can recognize +% him", but i think that's not it. i want clearer +% definitions up front, and then i can help with terms. :) -We only consider implementations that involve privacy-by-design. -Privacy-by-policy approaches such as Do Not Track will not be discussed. -\section{User Identity on the Web} +To this end, the rest of this document is structured as follows: First, we +examine how the user perceives their privacy on the web, comparing the average +user's perspective to what actually is happening technically behind the +scenes, and noting the major disconnects. We then examine solutions attempting +to bridge this disconnect from two different directions, corresponding to the +two major sources of disconnect\footnotemark. The first direction is improving +the linkability issues inherent with the multi-origin model of the web itself. +The second direction is improving user cues and browser interface to suggest a +coherent concept of identity to the user, which more accurately reflects the +set of unique identifiers they have accumulated. Both of these directions can +be pursued independently. -To properly examine this privacy problem, we must probe into the details of -both what a User's perception of their identity is, as well as the technical -realities of what goes into web authentication and tracking. +\footnotetext{We only consider implementations that involve privacy-by-design. +Privacy-by-policy approaches such as Do Not Track will not be discussed.} -\subsection{User Perception of Identity} +\section{User Privacy on the Web} -Instinctively, users define their privacy in terms of their identity, in terms +To properly examine the privacy problem, we must probe both the average user's +perception of what their ``web identity'' is, as well as the technical +realities of web authentication and tracking. + +\subsection{User Perception of Privacy} + +Instinctively, users define their privacy in terms of their identity: in terms of how they have interacted with a site in order to inform it of who they are. Typically, the user's perception of their identity on the web is usually a direct -function of the mechanisms used for strong authentication for particular sites. +function of the identifiers used for strong authentication for particular sites. For example, users expect that logging in to Facebook creates a relationship in their browsers when facebook.com is present in the URL bar, but they are -likely not aware that this also extends to their activity on other, arbitrary -sites that happen to include "Like this on Facebook" buttons or +typically not aware that this also extends to their activity on other, arbitrary +sites that happen to include ``Like this on Facebook'' buttons or Facebook-sourced advertising content. -Many, if not most, users expect that when they log out of a site their -relationship ends and that any associated tracking should be over. Even -users who are aware of cookies can be prone to believing that clearing the -cookies and private browsing data related to a particular site is sufficient -to end their relationship with that site. +Many, if not most, users expect that when they log out of a site, their +relationship ends and that any associated tracking should be over. Even users +who are aware of cookies can be prone to believing that clearing the cookies +related to a particular site is sufficient to end their relationship with that +site. Neither of these beliefs has any relation to reality. -\subsection{Technical Reality of Identity} +\subsection{The Technical Reality of Privacy} The technical reality of the web today is that users are usually wrong about their authentication status with respect to a particular site, and are almost @@ -118,31 +136,44 @@ pages. The default experience is such that all of this data exchange is concealed from the user. -So then what is identity? In terms of authentication, it would at first appear -to be cookies, HTTP Auth tokens, and client TLS certificates. However, even this -begins to break down. High-security websites are already using fingerprinting -as an auxiliary second factor of authentication\cite{security-fingerprinting}, -and online data aggregators utilize everything they can to build complete -portraits of users' identities\cite{tracking-identity}. +So then what comprises the user's web identity for tracking purposes? In terms +of authentication, it would at first appear to be limited to cookies, HTTP +Auth tokens, and client TLS certificates. However, this identifier-based +approach breaks down quickly on the modern web. High-security websites are +already using fingerprinting as an auxiliary second factor of +authentication\cite{security-fingerprinting}, and online data aggregators +utilize everything they can to build complete portraits of users' +identities\cite{tracking-identity}. -Identity then is a superset of all the authentication tokens used by the +Despite what the user may believe, their actual web identity then is a +superset of all the stored identifiers and authentication tokens used by the browser. It is the ability to link a user's activity in one instance to their activity in another instance, be it across time, or even on the very same page due to multiple content origins. -\subsection{Identity as Linkability} +Therefore, instead of viewing the user's identity as the sum of their +identifiers, or as their relationship to individual websites, it is best to +view it as the ability to link activity from one website to activity in +another website. We will call this property ``user linkability''. -When expanded to cover all items that enable or substantially contribute to -Linkability, a lot more components of the browser are now in scope. We will -briefly enumerate these components. +\subsection{User Privacy as Linkability} +In terms of what the user actually expects, user privacy is more accurately +modeled as the level of linkability between subsequent actions on the web, as +opposed to the mere sum of their unique identifiers and authentication tokens. + +When privacy is expanded to cover all items that enable or substantially +contribute to linkability, a lot more components of the browser are now in +scope. We will briefly enumerate these components. + First, the obvious properties are found in the state of the browser: cookies, DOM storage, cache, cryptographic tokens and cryptographic state, and -location. These are what technical people tend to think of first when it comes -to private browsing and identity, but they are not the whole story. +location. These identifiers are what technical people tend to think of first +when it comes to user identity and private browsing, but they are not the +whole story. Next, we have long-term properties of the browser itself. These include the -User Agent String, the list of installed plugins, rendering capabilities, +User Agent string, the list of installed plugins, rendering capabilities, window decoration size, and browser widget size. Then, we have properties of the computer. These include desktop size, IP @@ -156,7 +187,7 @@ \subsection{Developing a Threat Model} Unfortunately, just about every browser property and functionality is a -potential fingerprinting target. In order to properly address the network +potential linkability target. In order to properly address the network adversary on a technical level, we need a metric to measure linkability of the various browser properties that extend beyond any stored origin-related state. @@ -172,102 +203,114 @@ \footnotetext{In particular, the test does not take in all aspects of resolution information. It did not calculate the size of widgets, window -decoration, or toolbar size. We believe this may add high amounts of entropy -to the screen field. It also did not measure clock offset and other time-based -fingerprints. Furthermore, as new browser features are added, this experiment -should be repeated to include them.} +decoration, or toolbar size. We believe these resolution-related properties +may add high amounts of entropy to the resolution component. They also did not +measure clock offset and other time-based fingerprints. Furthermore, as new +browser features are added, the experiment should be repeated to include +them.} This metric also indicates that it is beneficial to standardize on implementations of fingerprinting resistance where possible. More implementations using the same defenses means more users with similar -fingerprints, which means less entropy in the metric. +fingerprints, which means less entropy in the metric. Similarly, uniform +feature deployment leads to less entropy in the metric. \section{Matching User Perception with Reality} -When the concept of user identity is expanded to cover all aspects of -linkability, addressing the problem of the disconnect between user perception -and reality becomes clearer. For users to have privacy, and for private -browsing modes to function, the relationship between a user and a site must be -understood by that user. +For users to have privacy, and for private browsing modes to function, the +relationship between a user and a site must be understood by that user. It is apparent that the user experiences disconnect with the technical realities of the web on two major fronts: the average user does not grasp the privacy implications of the multi-origin model, nor are they given a clear -concept of identity to grasp the privacy implications of the union of the -trackable components of their browsers. +concept of browser identity to grasp the privacy implications of the union +of the linkable components of their browsers. We will now examine examples of attempts at reducing this disconnect on each -of these two fronts. +of these two fronts. Note that these to fronts are orthogonal. Approaches from +them may be combined, or used independently. -Note that identity-based approaches and the origin-based approaches are -orthogonal. They may be combined, or used independently. +\subsection{Improving the Origin Model} -\subsection{Origin-Based Approaches} +The current identifier origin model used by the web is fundamentally flawed +when viewed from the perspective of meeting the expectations of the user. +Unique, globally linkable identifiers can be transmitted for arbitrary content +elements on any page, which can be sourced from anywhere without user +interaction or awareness. -Origin-based approaches seek to improve the technical behavior of the browser -to make linkability less implicit and more consent-driven. In short, these -approaches seek to make the web behave more like users currently assume it -behaves by anchoring browser state to top-level origins as opposed to -associating it with arbitrary content elements. +However, the behavior of identifiers and linkable attributes can be improved +to make linkability less implicit and more consent-driven without the need for +cumbersome interventionist user interface. Where explicit identifiers exist, +they should be tied to the pair of the top-level origin and the third-party +content origin. Where linkability attributes exist, they should be obfuscated +on a per-origin basis. -The earliest relevant example of this work is SafeCache\cite{safecache}. +An early relevant example of this idea is SafeCache\cite{safecache}. SafeCache seeks to reduce the ability for 3rd party content elements to use the cache to store identifiers. It does this by limiting the scope of the -cache to the origin in the url bar. This has the effect that commonly sourced -content elements are fetched and cached repeatedly, but this is the desired -property. Each of these prevalent content elements can be crafted to include -unique identifiers for each user, tracking users who attempt to avoid tracking -by clearing cookies. +cache to the top-level origin in the url bar. This has the effect that +commonly sourced content elements are fetched and cached repeatedly, but this +is the desired property. Each of these prevalent content elements can be +crafted to include unique identifiers for each user, tracking users who +attempt to avoid tracking by clearing cookies. -Mozilla has a wonderful example of an origin-based improvement written by Dan -Witte and buried on their wiki\cite{thirdparty}. It describes a new dual-keyed -origin for cookies, so that cookies would only be transmitted if they matched -both the top level origin and the third party origin involved in their -creation. This approach would go a long way towards preventing implicit -tracking across multiple websites. +The Mozilla development wiki describes an origin model cookie transmission +improvement written by Dan Witte\cite{thirdparty}. Dan describes a new +dual-keyed origin for cookies, so that cookies would only be transmitted if +they matched both the top level origin and the third party origin involved in +their creation. This approach would go a long way towards preventing implicit +tracking across multiple websites, and has some interesting properties that +make user interaction with content elements more explicitly tied to the +current site. Similarly, one could imagine this two-level origin isolation being deployed to improve similar issues with DOM Storage and cryptographic tokens. -Making the origin model for browser identifiers more closely match the user +Making the origin model for browser identifiers more closely match user activity and user expectation has other advantages as well. With a clear -distinction between 3rd party and top-level cookies, the privacy settings -window could have a user-intuitive way of representing the user's relationship -with different origins, perhaps by using only the favicon of that top level -origin to represent all of the browser state accumulated by that origin. The -user could delete the entire set of browser state (cookies, cache, storage, -cryptographic tokens) associated with a site simply by removing its favicon -from their privacy info panel. +distinction between 3rd party and top-level cookies due to double-keying, the +privacy settings window could have a user-intuitive way of representing the +user's relationship with different origins, perhaps by using only the favicon +of that top level origin to represent all of the browser state accumulated by +that origin. The user could delete the entire set of browser state (cookies, +cache, storage, cryptographic tokens) associated with a site simply by +removing its favicon from their privacy info panel. -The problem with origin-based approaches is that individually, they do not -fully address the entire linkability problem unless the same restriction is -applied uniformly to all aspects of stored browser state, and all other -linkability issues are dealt with. Behind-the-scenes partnerships can easily -allow companies to continue to link users to their identities through any -aspect of browser state that is not properly compartmentalized to the top -level origin and bound to the same rules. +The problem with origin model improvement approaches is that individually, +they do not fully address the entire linkability problem unless the same +restriction is applied uniformly to all aspects of stored browser state, and +all other linkability issues are dealt with. Behind-the-scenes partnerships +can easily allow companies to continue to link users to their identities +through any linkable aspect of browser state that is not properly +compartmentalized to the top level origin and bound to the same rules as all +other linkable state. -However, linkability based on browser properties is very amenable to this -model. In particular, one can imagine per-origin plugin permissions, -per-origin limits on the number of fonts that can be used, and randomized -window-specific time offsets. +However, linkability based on fingerprintable browser properties is also +amenable to improvement under this model. In particular, one can imagine +per-origin plugin loading permissions, per-origin limits on the number of +fonts that can be used, and randomized window-specific time offsets. So, while these approaches are in fact useful for bringing the technical realities of the web closer to what the user assumes is happening, they must be deployed uniformly, with a consistent top-level origin restriction model. -This may take significant coordination and standardization efforts. +This may take significant coordination and standardization efforts. Without +this, it is necessary to fill the remaining linkability gaps by presenting +the user with a visual representation of their overall web identity. -\subsection{Identity-Based Approaches} +\subsection{Conveying Identity to the User} -We will now discuss what we call the identity-based approaches to privacy. -These approaches, whether explicitly or implicitly, all model the user's web -identity as the entirety of the user's state for all origins. +Even if the origin model of identifier transmission and other linkable +attributes is altered uniformly to be more in-line with what users expect, it +is likely that the average user will still experience privacy benefits if the +browser conveys the sum of all linkable information as a single, storable, +mutable, and clearable user identity. -The key advantage of identity-based approaches is that they can be simpler -than origin-based approaches when used to improve the privacy problem on their -own. +Providing this concept of identity to the user is also simpler than origin +improvements, as it does not require extensive compatibility testing or +standards coordination. -While the earliest example of an identity-based approach is our own work on +% XXX: Do we need to even mention torbutton? +One of the earliest examples of an identity-based approach is our own work on Torbutton\cite{torbutton}, Torbutton deserves poor marks for both simplicity and usability\cite{not-to-toggle}. Torbutton attempts to isolate the user's non-Tor activity from their Tor activity, effectively providing the user with @@ -275,7 +318,7 @@ between these two identities. Firefox Private Browsing Mode is very similar, in that it allows users to -switch between their normal browsing and a "private" clean slate. +switch between their normal browsing and a ``private'' clean slate. % FIXME: This paragraph can go if we need space: Both Firefox PBM and Torbutton suffer from usability issues, primarily because @@ -292,7 +335,7 @@ Firefox and Torbutton to provide the user with great fine-grained control. Google Chrome's Incognito Mode comes the closest to conveying this idea of -"Incognito identity" to the user, and the implementation is also simpler as a +``Incognito identity'' to the user, and the implementation is also simpler as a result. The Incognito Mode window is a separate, stylized window that clearly conveys an alternate identity is in use for this window, which can be used concurrent to the non-private identity. This appears to lead to less mode @@ -305,10 +348,10 @@ effort. It also allows them to tweak browser properties and permissions specifically for this profile. -The Mozilla Weave project appears to be proposing an identity-based method of -managing, syncing, and storing authentication tokens, and also has use cases -described for multiple users of a single browser\cite{weave-manager}. It is -the closest idea on paper to what we envision as the way to bridge user +The Mozilla Weave project appears to be proposing an identity-oriented method +of managing, syncing, and storing authentication tokens, and also has use +cases described for multiple users of a single browser\cite{weave-manager}. It +is the closest idea on paper to what we envision as the way to bridge user assumptions with reality. We believe that the user interface of the browser should convey a sense of @@ -342,28 +385,36 @@ This is especially true of cellular IP networks.} Linkability solutions within the identity framework would be similar to the -origin-based solutions, except they would be properties of the entire browser +origin model solutions, except they would be properties of the entire browser or browser profile, and would be obfuscated only once per identity switch. -% FIXME: Elaborate? - \section{Conclusions} -There is a demand for private browsing, and we believe that solid private -browsing modes can be created. In order to do this, we need solid analysis of -the threat models involved, and we need standardization for many aspects of -defense. +The appeal of the prevailing revenue model of the web and the difficulties +associated with altering browser behavior have lulled us into accepting user +deception as the norm for web use. The average user completely lacks the +understanding needed to grasp how web tracking is carried out. This disconnect +in understanding is extreme to the point where moral issues arise about the +level of consent actually involved in web use and associated tracking. -However, there is currently a huge disconnect between user privacy and -identity due to both the multi-origin nature of the web, and the failure of -browsers to adequately convey a sense of identity to the user. It is possible -to bridge this disconnect both by addressing the issues with the multi-origin -model, as well as providing the user with an explicit representation of their -web identity, and with control over this identity. +In fact, standardization efforts seemed to realize this problem early on but +failed to create a feasible recommendations for improving the situation. RFC +2965 governing HTTP State Management mandated in section 3.3.6 that +third-party origins must not cause the browser to transmit cookies unless the +interaction is ``verifiable'' and readily apparent to the user\cite{rfc2965}. +In section 6, it also strongly suggested that informed consent and user +control should govern the interaction of users to tracking identifiers. -% XXX: The dangers of adblockers and filters + the long-term imperative of -% improving privacy for the continued use of the advertising revenue model. +Without changes to browser behavior, browser interface, or both, such informed +consent is simply not possible on today's web. Several examples from academia +and practice show that it is possible to bridge this disconnect by addressing +the linkability issues with the web's origin model with minimal breakage. +Additionally, the first steps towards providing the user with an explicit +representation of their web identity have been taken. +The pieces are in place to build robust private browsing modes based on these +two approaches, and metrics exist to measure their success. + \bibliographystyle{plain} \bibliography{W3CIdentity} \clearpage

1 0

[arm/master] PID resolution fallbacks by ps and lsof
by atagar＠torproject.org 26 Apr '11

26 Apr '11

commit c62e15023f3f6fe791a5f6fc21f070c6e8f857fb Author: Damian Johnson <atagar(a)torproject.org> Date: Mon Apr 25 19:52:07 2011 -0700 PID resolution fallbacks by ps and lsof On Macs all of the current pid resolution tactics fails, so adding a couple more that work on that platform. --- src/util/torTools.py | 28 ++++++++++++++++++++++++++++ 1 files changed, 28 insertions(+), 0 deletions(-) diff --git a/src/util/torTools.py b/src/util/torTools.py index 0eebd20..08b04c0 100644 --- a/src/util/torTools.py +++ b/src/util/torTools.py @@ -122,6 +122,8 @@ def getPid(controlPort=9051, pidFilePath=None): 4. "netstat -npl | grep 127.0.0.1:%s" % <tor control port> 5. "ps -o pid -C tor" 6. "sockstat -4l -P tcp -p %i | grep tor" % <tor control port> + 7. "ps axc | egrep \" tor$\"" + 8. "lsof -wnPi | egrep \"^tor.*:%i\"" % <tor control port> If pidof or ps provide multiple tor instances then their results are discarded (since only netstat can differentiate using the control port). This @@ -201,6 +203,32 @@ def getPid(controlPort=9051, pidFilePath=None): if pid.isdigit(): return pid except IOError: pass + # attempts to resolve via a ps command that works on the mac (this and lsof + # are the only resolvers to work on that platform). This fails if: + # - tor's running under a different name + # - there's multiple instances of tor + + try: + results = sysTools.call("ps axc | egrep \" tor$\"") + if len(results) == 1 and len(results[0].split()) > 0: + pid = results[0].split()[0] + if pid.isdigit(): return pid + except IOError: pass + + # attempts to resolve via lsof - this should work on linux, mac, and bsd - + # this fails if: + # - tor's running under a different name + # - tor's being run as a different user due to permissions + # - there are multiple instances of Tor, using the + # same control port on different addresses. + + try: + results = sysTools.call("lsof -wnPi | egrep \"^tor.*:%i\"" % controlPort) + if len(results) == 1 and len(results[0].split()) > 1: + pid = results[0].split()[1] + if pid.isdigit(): return pid + except IOError: pass + return None def getBsdJailId():

1 0

[arm/master] Making lsof the sole connection resolver on macs
by atagar＠torproject.org 26 Apr '11

26 Apr '11

commit cd6a6873e753fa4497250ab1c5c332f3e6fe86cf Author: Damian Johnson <atagar(a)torproject.org> Date: Mon Apr 25 19:21:56 2011 -0700 Making lsof the sole connection resolver on macs On macs connection resolver detection from the path isn't working, and aparently only lsof is available. This results in us trying (and failing) all of the other resolvers before falling back to something that works. This drops us straight to using lsof on macs. --- src/util/connections.py | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/src/util/connections.py b/src/util/connections.py index a797e7b..f632306 100644 --- a/src/util/connections.py +++ b/src/util/connections.py @@ -337,6 +337,8 @@ def getSystemResolvers(osType = None): if osType == "FreeBSD": resolvers = [Resolver.BSD_SOCKSTAT, Resolver.BSD_PROCSTAT, Resolver.LSOF] + elif osType == "Darwin": + resolvers = [Resolver.LSOF] else: resolvers = [Resolver.NETSTAT, Resolver.SOCKSTAT, Resolver.LSOF, Resolver.SS]

1 0

[arm/master] Dropping locales when geoip db is unavailable
by atagar＠torproject.org 26 Apr '11

26 Apr '11

commit 1161a6a6e72dff62fe019b9d15cc0943958359f7 Author: Damian Johnson <atagar(a)torproject.org> Date: Mon Apr 25 19:13:43 2011 -0700 Dropping locales when geoip db is unavailable Previously the connection panel showed '??' for all locales when the geoip database was unavailable. Dropping these entries from the interface entirely instead. --- src/interface/connections/connEntry.py | 3 ++- src/util/torTools.py | 14 +++++++++++--- 2 files changed, 13 insertions(+), 4 deletions(-) diff --git a/src/interface/connections/connEntry.py b/src/interface/connections/connEntry.py index f613fc2..e6c0d92 100644 --- a/src/interface/connections/connEntry.py +++ b/src/interface/connections/connEntry.py @@ -824,8 +824,9 @@ class ConnectionLine(entries.ConnectionPanelLine): dstAddress += " (%s)" % purpose elif not connections.isIpAddressPrivate(self.foreign.getIpAddr()): extraInfo = [] + conn = torTools.getConn() - if includeLocale: + if includeLocale and not conn.isGeoipUnavailable(): foreignLocale = self.foreign.getLocale("??") extraInfo.append(foreignLocale) spaceAvailable -= len(foreignLocale) + 2 diff --git a/src/util/torTools.py b/src/util/torTools.py index 31a7061..0eebd20 100644 --- a/src/util/torTools.py +++ b/src/util/torTools.py @@ -474,19 +474,19 @@ class Controller(TorCtl.PostEventListener): if isCacheArg and cachedValue: result = cachedValue isFromCache = True - elif isGeoipRequest and self.geoipFailureCount == GEOIP_FAILURE_THRESHOLD: + elif isGeoipRequest and self.isGeoipUnavailable(): # the geoip database aleady looks to be unavailable - abort the request raisedExc = TorCtl.ErrorReply("Tor geoip database is unavailable.") else: try: getInfoVal = self.conn.get_info(param)[param] if getInfoVal != None: result = getInfoVal - if isGeoipRequest: self.geoipFailureCount = 0 + if isGeoipRequest: self.geoipFailureCount = -1 except (socket.error, TorCtl.ErrorReply, TorCtl.TorCtlClosed), exc: if type(exc) == TorCtl.TorCtlClosed: self.close() raisedExc = exc - if isGeoipRequest: + if isGeoipRequest and not self.geoipFailureCount == -1: self.geoipFailureCount += 1 if self.geoipFailureCount == GEOIP_FAILURE_THRESHOLD: @@ -833,6 +833,14 @@ class Controller(TorCtl.PostEventListener): return result + def isGeoipUnavailable(self): + """ + Provides true if we've concluded that our geoip database is unavailable, + false otherwise. + """ + + return self.geoipFailureCount == GEOIP_FAILURE_THRESHOLD + def getMyPid(self): """ Provides the pid of the attached tor process (None if no controller exists

1 0

[arm/master] fix: Missing configuration key for missing geoip
by atagar＠torproject.org 26 Apr '11

26 Apr '11

commit 36512bdc7608db5f225e58926ac0b5f383f6b026 Author: Damian Johnson <atagar(a)torproject.org> Date: Mon Apr 25 18:51:13 2011 -0700 fix: Missing configuration key for missing geoip This causes a crashing error when the Tor geoip file is unavailable, and locales are queried. --- src/util/torTools.py | 3 ++- 1 files changed, 2 insertions(+), 1 deletions(-) diff --git a/src/util/torTools.py b/src/util/torTools.py index b5913ed..31a7061 100644 --- a/src/util/torTools.py +++ b/src/util/torTools.py @@ -82,7 +82,8 @@ CONFIG = {"torrc.map": {}, "log.torSetConf": log.INFO, "log.torPrefixPathInvalid": log.NOTICE, "log.bsdJailFound": log.INFO, - "log.unknownBsdJailId": log.WARN} + "log.unknownBsdJailId": log.WARN, + "log.geoipUnavailable": log.WARN} # events used for controller functionality: # NOTICE - used to detect when tor is shut down

1 0

r24669: {} put in the bibtex file rather than the bbl droppings (projects/articles/browser-privacy)
by Roger Dingledine 26 Apr '11

26 Apr '11

Author: arma Date: 2011-04-26 01:37:07 +0000 (Tue, 26 Apr 2011) New Revision: 24669 Added: projects/articles/browser-privacy/W3CIdentity.bib Removed: projects/articles/browser-privacy/W3CIdentity.bbl Log: put in the bibtex file rather than the bbl droppings Deleted: projects/articles/browser-privacy/W3CIdentity.bbl =================================================================== --- projects/articles/browser-privacy/W3CIdentity.bbl 2011-04-26 01:06:35 UTC (rev 24668) +++ projects/articles/browser-privacy/W3CIdentity.bbl 2011-04-26 01:37:07 UTC (rev 24669) @@ -1,73 +0,0 @@ -\begin{thebibliography}{10} - -\bibitem{private-browsing} -Gaurav Aggrawal, Elie Bursztein, Collin Jackson, and Dan Boneh. -\newblock An analysis of private browsing modes in modern browsers. -\newblock In {\em Proc. of 19th Usenix Security Symposium}, 2010. - -\bibitem{panopticlick} -Peter Eckersley. -\newblock How unique is your web browser? -\newblock In {\em Proceedings of the 10th international conference on Privacy - enhancing technologies}, PETS'10, pages 1--18, Berlin, Heidelberg, 2010. - Springer-Verlag. - -\bibitem{safecache} -Collin Jackson and Dan Boneh. -\newblock Protecting browser state from web privacy attacks. -\newblock In {\em In Proceedings of the International World Wide Web - Conference}, pages 737--744, 2006. - -\bibitem{security-fingerprinting} -{Jennifer Valentino-DeVries}. -\newblock {Evercookies and Fingerprinting: Are Anti-Fraud Tools Good for Ads?}, - 2010. -\newblock - \url{http://blogs.wsj.com/digits/2010/12/01/evercookies-and-fingerprinting-f% -inding-fraudsters-tracking-consumers/}. - -\bibitem{wsj-fingerprinting} -{Julia Angwin and Jennifer Valentino-DeVries}. -\newblock {Race Is On to 'Fingerprint' Phones, PCs}, 2010. -\newblock - \url{http://online.wsj.com/article/SB100014240527487046792045756467041009595% -46.html}. - -\bibitem{firefox-personas} -Mozilla. -\newblock Personas. -\newblock \url{https://mozillalabs.com/personas/}. - -\bibitem{weave-manager} -Mozilla. -\newblock {The Weave Account Manager}. -\newblock \url{https://wiki.mozilla.org/Labs/Weave/Identity/Account_Manager}. - -\bibitem{not-to-toggle} -Mike Perry. -\newblock To toggle, or not to toggle: The end of torbutton. -\newblock - \url{https://lists.torproject.org/pipermail/tor-talk/2011-April/020077.html}. - -\bibitem{torbutton} -Mike Perry. -\newblock {The Torbutton Design Document}, 2011. -\newblock \url{https://www.torproject.org/torbutton/en/design/}. - -\bibitem{facebook-like} -Arnold Roosendaal. -\newblock {Facebook Tracks and Traces Everyone: Like This!} -\newblock {\em SSRN eLibrary}, 2010. - -\bibitem{tracking-identity} -Emily Steel. -\newblock {Online Tracking Company RapLeaf Profiles Users By Name}, 2010. -\newblock - \url{http://online.wsj.com/article/SB100014240527023044105045755602432594160% -72.html}. - -\bibitem{thirdparty} -Dan Witte. -\newblock \url{https://wiki.mozilla.org/Thirdparty}. - -\end{thebibliography} Added: projects/articles/browser-privacy/W3CIdentity.bib =================================================================== --- projects/articles/browser-privacy/W3CIdentity.bib (rev 0) +++ projects/articles/browser-privacy/W3CIdentity.bib 2011-04-26 01:37:07 UTC (rev 24669) @@ -0,0 +1,97 @@ +@article{facebook-like, + type={Working Paper Series}, + title={{Facebook Tracks and Traces Everyone: Like This!}}, + author={Roosendaal, Arnold}, + journal={SSRN eLibrary}, + year={2010}, + publisher={SSRN}, + keywords={Facebook, Like button, Cookies, Profiling, privacy, Data protection}, + location={http://ssrn.com/paper=1717563}, + language={English} +} + +@Misc{wsj-fingerprinting, + title = {{Race Is On to 'Fingerprint' Phones, PCs}}, + author= {{Julia Angwin and Jennifer Valentino-DeVries}}, + year={2010}, + publisher={The Wall Street Journal Online}, + note = {\url{http://online.wsj.com/article/SB10001424052748704679204575646704100959546.html}} +} + +@Misc{security-fingerprinting, + title = {{Evercookies and Fingerprinting: Are Anti-Fraud Tools Good for Ads?}}, + author= {{Jennifer Valentino-DeVries}}, + year={2010}, + publisher={The Wall Street Journal Online}, + note = {\url{http://blogs.wsj.com/digits/2010/12/01/evercookies-and-fingerprinting-finding-fraudsters-tracking-consumers/}} +} + +@Misc{tracking-identity, + title = {{Online Tracking Company RapLeaf Profiles Users By Name}}, + author= {Emily Steel}, + year={2010}, + publisher={The Wall Street Journal Online}, + note = {\url{http://online.wsj.com/article/SB10001424052702304410504575560243259416072.html}} +} + +@INPROCEEDINGS{safecache, + author = {Collin Jackson and Dan Boneh}, + title = {Protecting browser state from web privacy attacks}, + booktitle = {In Proceedings of the International World Wide Web Conference}, + year = {2006}, + pages = {737--744} +} + +@Misc{thirdparty, + author = {Dan Witte}, + note = {\url{https://wiki.mozilla.org/Thirdparty}} +} + +@Misc{torbutton, + title = {{The Torbutton Design Document}}, + author= {Mike Perry}, + year={2011}, + note = {\url{https://www.torproject.org/torbutton/en/design/}} +} + +@Misc{weave-manager, + title = {{The Weave Account Manager}}, + author={Mozilla}, + note = {\url{https://wiki.mozilla.org/Labs/Weave/Identity/Account_Manager}} +} + +@inproceedings{private-browsing, + author = {Gaurav Aggrawal and Elie Bursztein and Collin Jackson and Dan Boneh}, + title = {An analysis of private browsing modes in modern browsers}, + year = 2010, + booktitle = {Proc. of 19th Usenix Security Symposium} +} + + +@inproceedings{panopticlick, + author = {Eckersley, Peter}, + title = {How unique is your web browser?}, + booktitle = {Proceedings of the 10th international conference on Privacy enhancing technologies}, + series = {PETS'10}, + year = {2010}, + isbn = {3-642-14526-4, 978-3-642-14526-1}, + location = {Berlin, Germany}, + pages = {1--18}, + numpages = {18}, + url = {http://portal.acm.org/citation.cfm?id=1881151.1881152}, + acmid = {1881152}, + publisher = {Springer-Verlag}, + address = {Berlin, Heidelberg}, +} + +@Misc{not-to-toggle, + title = {To Toggle, or not to Toggle: The End of Torbutton}, + author={Mike Perry}, + note = {\url{https://lists.torproject.org/pipermail/tor-talk/2011-April/020077.html}} +} + +@Misc{firefox-personas, + title = {Personas}, + author= {Mozilla}, + note = {\url{https://mozillalabs.com/personas/}} +}

1 0

r24668: {} First draft. (in projects/articles: . browser-privacy)
by Mike Perry 26 Apr '11

26 Apr '11

Author: mikeperry Date: 2011-04-26 01:06:35 +0000 (Tue, 26 Apr 2011) New Revision: 24668 Added: projects/articles/browser-privacy/ projects/articles/browser-privacy/W3CIdentity.bbl projects/articles/browser-privacy/W3CIdentity.tex projects/articles/browser-privacy/llncs.cls projects/articles/browser-privacy/usenix.sty Log: First draft. Added: projects/articles/browser-privacy/W3CIdentity.bbl =================================================================== --- projects/articles/browser-privacy/W3CIdentity.bbl (rev 0) +++ projects/articles/browser-privacy/W3CIdentity.bbl 2011-04-26 01:06:35 UTC (rev 24668) @@ -0,0 +1,73 @@ +\begin{thebibliography}{10} + +\bibitem{private-browsing} +Gaurav Aggrawal, Elie Bursztein, Collin Jackson, and Dan Boneh. +\newblock An analysis of private browsing modes in modern browsers. +\newblock In {\em Proc. of 19th Usenix Security Symposium}, 2010. + +\bibitem{panopticlick} +Peter Eckersley. +\newblock How unique is your web browser? +\newblock In {\em Proceedings of the 10th international conference on Privacy + enhancing technologies}, PETS'10, pages 1--18, Berlin, Heidelberg, 2010. + Springer-Verlag. + +\bibitem{safecache} +Collin Jackson and Dan Boneh. +\newblock Protecting browser state from web privacy attacks. +\newblock In {\em In Proceedings of the International World Wide Web + Conference}, pages 737--744, 2006. + +\bibitem{security-fingerprinting} +{Jennifer Valentino-DeVries}. +\newblock {Evercookies and Fingerprinting: Are Anti-Fraud Tools Good for Ads?}, + 2010. +\newblock + \url{http://blogs.wsj.com/digits/2010/12/01/evercookies-and-fingerprinting-f% +inding-fraudsters-tracking-consumers/}. + +\bibitem{wsj-fingerprinting} +{Julia Angwin and Jennifer Valentino-DeVries}. +\newblock {Race Is On to 'Fingerprint' Phones, PCs}, 2010. +\newblock + \url{http://online.wsj.com/article/SB100014240527487046792045756467041009595% +46.html}. + +\bibitem{firefox-personas} +Mozilla. +\newblock Personas. +\newblock \url{https://mozillalabs.com/personas/}. + +\bibitem{weave-manager} +Mozilla. +\newblock {The Weave Account Manager}. +\newblock \url{https://wiki.mozilla.org/Labs/Weave/Identity/Account_Manager}. + +\bibitem{not-to-toggle} +Mike Perry. +\newblock To toggle, or not to toggle: The end of torbutton. +\newblock + \url{https://lists.torproject.org/pipermail/tor-talk/2011-April/020077.html}. + +\bibitem{torbutton} +Mike Perry. +\newblock {The Torbutton Design Document}, 2011. +\newblock \url{https://www.torproject.org/torbutton/en/design/}. + +\bibitem{facebook-like} +Arnold Roosendaal. +\newblock {Facebook Tracks and Traces Everyone: Like This!} +\newblock {\em SSRN eLibrary}, 2010. + +\bibitem{tracking-identity} +Emily Steel. +\newblock {Online Tracking Company RapLeaf Profiles Users By Name}, 2010. +\newblock + \url{http://online.wsj.com/article/SB100014240527023044105045755602432594160% +72.html}. + +\bibitem{thirdparty} +Dan Witte. +\newblock \url{https://wiki.mozilla.org/Thirdparty}. + +\end{thebibliography} Added: projects/articles/browser-privacy/W3CIdentity.tex =================================================================== --- projects/articles/browser-privacy/W3CIdentity.tex (rev 0) +++ projects/articles/browser-privacy/W3CIdentity.tex 2011-04-26 01:06:35 UTC (rev 24668) @@ -0,0 +1,372 @@ +%\documentclass{llncs} +\documentclass[letterpaper,11pt]{llncs} +%\documentclass{article} % llncs + +\usepackage{usenix} +\usepackage{url} +\usepackage{amsmath} +\usepackage{epsfig} +\usepackage{epsf} +\usepackage{listings} + +%\setlength{\textwidth}{6in} +%\setlength{\textheight}{8.4in} +%\setlength{\topmargin}{.5cm} +%\setlength{\oddsidemargin}{1cm} +%\setlength{\evensidemargin}{1cm} + +\begin{document} + +\title{Bridging the Disconnect Between Web Identity and User Perception} + +\author{Mike Perry \\ The Internet \\ mikeperry(a)torproject.org} + +%\institute{The Internet} + +\maketitle +\pagestyle{plain} + +\begin{abstract} + +There is a huge disconnect between how users perceive their online presence +and the reality of their relationship with the websites they visit. This +position paper explores this disconnect and provides some recommendations for +making the technical reality of the web match user perception, through both +technical improvements as well as user interface cues. By looking at all of +the elements of tracking as though they collectively comprise "User Identity", +we can make better decisions about improvements to both the technical and the +interface aspects of authentication and privacy. + +\end{abstract} + +\section{Introduction} + +The prevailing revenue model of the web is an appealing one. Web users receive +unfettered, frictionless access to an extensive variety of information sources +in exchange for viewing advertising. This advertising is more valuable if each +advertisement is more relevant to the current activity, and if possible, more +relevant to the current user. + +The cost of this is that user privacy on the web is a nightmare. There is +ubiquitous tracking, unseen partnership agreements and data exchange, and +surreptitious attempts to uncover users' identities against their will and +without their knowledge. This is not just happening in the dark, unseemly +corners of the web. It is happening everywhere\cite{facebook-like}. + +The problem is that the revenue model of the web has incentivized companies to +find ways to continue to track users against their will, even if those users +are attempting to protect themselves through currently available methods. +Starting with the infamous "Flash cookies", we have progressed through a +seemingly endless arms race of secondary identifiers and tracking information: +visited history, cache, font and system data, desktop resolution, keystroke +timing, and so on and so forth\cite{wsj-fingerprinting}. + +These efforts have lead to an even wider disconnect between a user's +perception of their privacy and the reality of their privacy. Users simply +can't keep up with the ways they are being tracked. + +When users are being coerced into ceding data about themselves without clear +understanding or consent (and in fact, in many cases despite their explicit +attempts to decline to consent), serious moral issues begin to arise. + +To understand and evaluate potential solutions and improvements to this status +quo, we must explore the disconnect between user experience and the way the +web actually functions with respect to tracking and identity. + +% FIXME: Do we need this paragraph? +%To this end, the rest of this document is structured as follows: First, we +%examine user identity on the web, comparing the average user's perspective to +%what actually is happening technically behind the scenes, and noting the major +%disconnects. We then examine solutions attempting to bridge this disconnect +%from two different directions. + +We only consider implementations that involve privacy-by-design. +Privacy-by-policy approaches such as Do Not Track will not be discussed. + +\section{User Identity on the Web} + +To properly examine this privacy problem, we must probe into the details of +both what a User's perception of their identity is, as well as the technical +realities of what goes into web authentication and tracking. + +\subsection{User Perception of Identity} + +Instinctively, users define their privacy in terms of their identity, in terms +of how they have interacted with a site in order to inform it of who they are. +Typically, the user's perception of their identity on the web is usually a direct +function of the mechanisms used for strong authentication for particular sites. + +For example, users expect that logging in to Facebook creates a relationship +in their browsers when facebook.com is present in the URL bar, but they are +likely not aware that this also extends to their activity on other, arbitrary +sites that happen to include "Like this on Facebook" buttons or +Facebook-sourced advertising content. + +Many, if not most, users expect that when they log out of a site their +relationship ends and that any associated tracking should be over. Even +users who are aware of cookies can be prone to believing that clearing the +cookies and private browsing data related to a particular site is sufficient +to end their relationship with that site. + +Neither of these beliefs has any relation to reality. + +\subsection{Technical Reality of Identity} + +The technical reality of the web today is that users are usually wrong about +their authentication status with respect to a particular site, and are almost +always oblivious to the relationship between content elements of arbitrary +pages. The default experience is such that all of this data exchange is +concealed from the user. + +So then what is identity? In terms of authentication, it would at first appear +to be cookies, HTTP Auth tokens, and client TLS certificates. However, even this +begins to break down. High-security websites are already using fingerprinting +as an auxiliary second factor of authentication\cite{security-fingerprinting}, +and online data aggregators utilize everything they can to build complete +portraits of users' identities\cite{tracking-identity}. + +Identity then is a superset of all the authentication tokens used by the +browser. It is the ability to link a user's activity in one instance to their +activity in another instance, be it across time, or even on the very same page +due to multiple content origins. + +\subsection{Identity as Linkability} + +When expanded to cover all items that enable or substantially contribute to +Linkability, a lot more components of the browser are now in scope. We will +briefly enumerate these components. + +First, the obvious properties are found in the state of the browser: cookies, +DOM storage, cache, cryptographic tokens and cryptographic state, and +location. These are what technical people tend to think of first when it comes +to private browsing and identity, but they are not the whole story. + +Next, we have long-term properties of the browser itself. These include the +User Agent String, the list of installed plugins, rendering capabilities, +window decoration size, and browser widget size. + +Then, we have properties of the computer. These include desktop size, IP +address, clock offset and timezone, and installed fonts. + +Finally, linkability also includes the properties of the multi-origin model of +the web that allow tracking due to partnerships. These include the implicit +cookie transmission model, and also explicit click referral and data exchange +partnerships. + +\subsection{Developing a Threat Model} + +Unfortunately, just about every browser property and functionality is a +potential fingerprinting target. In order to properly address the network +adversary on a technical level, we need a metric to measure linkability of the +various browser properties that extend beyond any stored origin-related state. + +The Panopticlick project by the EFF provides us with exactly this +metric\cite{panopticlick}. The researchers conducted a survey of volunteers +who were asked to visit an experiment page that harvested many of the above +components. They then computed the Shannon Entropy of the resulting +distribution of each of several key attributes to determine how many bits of +identifying information each attribute provided. + +While not perfect\footnotemark, this metric allows us to prioritize effort at +components that have the most potential for linkability. + +\footnotetext{In particular, the test does not take in all aspects of +resolution information. It did not calculate the size of widgets, window +decoration, or toolbar size. We believe this may add high amounts of entropy +to the screen field. It also did not measure clock offset and other time-based +fingerprints. Furthermore, as new browser features are added, this experiment +should be repeated to include them.} + +This metric also indicates that it is beneficial to standardize on +implementations of fingerprinting resistance where possible. More +implementations using the same defenses means more users with similar +fingerprints, which means less entropy in the metric. + +\section{Matching User Perception with Reality} + +When the concept of user identity is expanded to cover all aspects of +linkability, addressing the problem of the disconnect between user perception +and reality becomes clearer. For users to have privacy, and for private +browsing modes to function, the relationship between a user and a site must be +understood by that user. + +It is apparent that the user experiences disconnect with the technical +realities of the web on two major fronts: the average user does not grasp the +privacy implications of the multi-origin model, nor are they given a clear +concept of identity to grasp the privacy implications of the union of the +trackable components of their browsers. + +We will now examine examples of attempts at reducing this disconnect on each +of these two fronts. + +Note that identity-based approaches and the origin-based approaches are +orthogonal. They may be combined, or used independently. + +\subsection{Origin-Based Approaches} + +Origin-based approaches seek to improve the technical behavior of the browser +to make linkability less implicit and more consent-driven. In short, these +approaches seek to make the web behave more like users currently assume it +behaves by anchoring browser state to top-level origins as opposed to +associating it with arbitrary content elements. + +The earliest relevant example of this work is SafeCache\cite{safecache}. +SafeCache seeks to reduce the ability for 3rd party content elements to use +the cache to store identifiers. It does this by limiting the scope of the +cache to the origin in the url bar. This has the effect that commonly sourced +content elements are fetched and cached repeatedly, but this is the desired +property. Each of these prevalent content elements can be crafted to include +unique identifiers for each user, tracking users who attempt to avoid tracking +by clearing cookies. + +Mozilla has a wonderful example of an origin-based improvement written by Dan +Witte and buried on their wiki\cite{thirdparty}. It describes a new dual-keyed +origin for cookies, so that cookies would only be transmitted if they matched +both the top level origin and the third party origin involved in their +creation. This approach would go a long way towards preventing implicit +tracking across multiple websites. + +Similarly, one could imagine this two-level origin isolation being deployed to +improve similar issues with DOM Storage and cryptographic tokens. + +Making the origin model for browser identifiers more closely match the user +activity and user expectation has other advantages as well. With a clear +distinction between 3rd party and top-level cookies, the privacy settings +window could have a user-intuitive way of representing the user's relationship +with different origins, perhaps by using only the favicon of that top level +origin to represent all of the browser state accumulated by that origin. The +user could delete the entire set of browser state (cookies, cache, storage, +cryptographic tokens) associated with a site simply by removing its favicon +from their privacy info panel. + +The problem with origin-based approaches is that individually, they do not +fully address the entire linkability problem unless the same restriction is +applied uniformly to all aspects of stored browser state, and all other +linkability issues are dealt with. Behind-the-scenes partnerships can easily +allow companies to continue to link users to their identities through any +aspect of browser state that is not properly compartmentalized to the top +level origin and bound to the same rules. + +However, linkability based on browser properties is very amenable to this +model. In particular, one can imagine per-origin plugin permissions, +per-origin limits on the number of fonts that can be used, and randomized +window-specific time offsets. + +So, while these approaches are in fact useful for bringing the technical +realities of the web closer to what the user assumes is happening, they must +be deployed uniformly, with a consistent top-level origin restriction model. +This may take significant coordination and standardization efforts. + +\subsection{Identity-Based Approaches} + +We will now discuss what we call the identity-based approaches to privacy. +These approaches, whether explicitly or implicitly, all model the user's web +identity as the entirety of the user's state for all origins. + +The key advantage of identity-based approaches is that they can be simpler +than origin-based approaches when used to improve the privacy problem on their +own. + +While the earliest example of an identity-based approach is our own work on +Torbutton\cite{torbutton}, Torbutton deserves poor marks for both simplicity +and usability\cite{not-to-toggle}. Torbutton attempts to isolate the user's +non-Tor activity from their Tor activity, effectively providing the user with +a blank slate for their Tor activity, but optionally allowing them to toggle +between these two identities. + +Firefox Private Browsing Mode is very similar, in that it allows users to +switch between their normal browsing and a "private" clean slate. + +% FIXME: This paragraph can go if we need space: +Both Firefox PBM and Torbutton suffer from usability issues, primarily because +this concept of separate browsing identities is not properly conveyed to the +user. In Firefox's case, this usability issue is apparent through the quantity +of mode error observed in the review of Private Browsing Modes by Dan Boneh et +al\cite{private-browsing}. In Torbutton's case, the issues appear more severe. +We've informally observed that users have tremendous difficulties remembering +which tabs were Tor-related and which were non-Tor related, and we've also +observed issues with mode error. + +Both of these approaches are exceedingly complex: they deal with every aspect +of browser state individually. This development effort however does enable +Firefox and Torbutton to provide the user with great fine-grained control. + +Google Chrome's Incognito Mode comes the closest to conveying this idea of +"Incognito identity" to the user, and the implementation is also simpler as a +result. The Incognito Mode window is a separate, stylized window that clearly +conveys an alternate identity is in use for this window, which can be used +concurrent to the non-private identity. This appears to lead to less mode +error (where the user forgets their private browsing state) compared to other +browsers. + +% FIXME: This paragraph can go if we need space: +The implementation of Incognito is as a virtualized in-memory profile, which +allows them to achieve protection against history storage issues for very low +effort. It also allows them to tweak browser properties and permissions +specifically for this profile. + +The Mozilla Weave project appears to be proposing an identity-based method of +managing, syncing, and storing authentication tokens, and also has use cases +described for multiple users of a single browser\cite{weave-manager}. It is +the closest idea on paper to what we envision as the way to bridge user +assumptions with reality. + +We believe that the user interface of the browser should convey a sense of +persistent identity prominently to the user in the form of a visual cue. This +cue can either be an abstract image, graphic or theme (such as the user's +choice of Firefox Persona\cite{firefox-personas}), or it can be a text area +with the user's current favored pseudonym. This idea of identity should then +be integrated with the browsing experience. Users should be able to click a +button to get a clean slate for a new identity, and should be able to log in +and out of of password-protected stored encrypted identities, which would +contain the entire state of the browser. This is the direction the Tor Project +intends to head in with the Tor Browser Bundle\cite{not-to-toggle}. + +To this user, the Private Browsing Mode would be no more than a special case +of this identity UI - a special identity that they can trust not to store +browsing history information to disk. Such a UI also more explicitly captures +what is going on with respect to the user's relationship to the web. + +However, all current private browsing modes fall short of protecting against a +network adversary and fail to deal with linkability against a network +adversary\cite{private-browsing}, claiming that it is outside their threat +model\footnotemark. If the user is given a new identity that is still linkable +to the previous one due to shortcomings of the browser, this approach has +failed as a privacy measure. + +\footnotetext{The primary reason given to abstain from addressing the network +adversary is IP address linkability. However, we believe this to be a red +herring. Users are quite capable of using alternate Internet connections, and +it is common practice for ISPs in many parts of the world to rotate user IP +addresses daily, to discourage servers and to impede the spread of malware. +This is especially true of cellular IP networks.} + +Linkability solutions within the identity framework would be similar to the +origin-based solutions, except they would be properties of the entire browser +or browser profile, and would be obfuscated only once per identity switch. + +% FIXME: Elaborate? + +\section{Conclusions} + +There is a demand for private browsing, and we believe that solid private +browsing modes can be created. In order to do this, we need solid analysis of +the threat models involved, and we need standardization for many aspects of +defense. + +However, there is currently a huge disconnect between user privacy and +identity due to both the multi-origin nature of the web, and the failure of +browsers to adequately convey a sense of identity to the user. It is possible +to bridge this disconnect both by addressing the issues with the multi-origin +model, as well as providing the user with an explicit representation of their +web identity, and with control over this identity. + +% XXX: The dangers of adblockers and filters + the long-term imperative of +% improving privacy for the continued use of the advertising revenue model. + +\bibliographystyle{plain} \bibliography{W3CIdentity} + +\clearpage +\appendix + +\end{document} Added: projects/articles/browser-privacy/llncs.cls =================================================================== --- projects/articles/browser-privacy/llncs.cls (rev 0) +++ projects/articles/browser-privacy/llncs.cls 2011-04-26 01:06:35 UTC (rev 24668) @@ -0,0 +1,1016 @@ +% LLNCS DOCUMENT CLASS -- version 2.8 +% for LaTeX2e +% +\NeedsTeXFormat{LaTeX2e}[1995/12/01] +\ProvidesClass{llncs}[2000/05/16 v2.8 +^^JLaTeX document class for Lecture Notes in Computer Science] +% Options +\let\if@envcntreset\iffalse +\DeclareOption{envcountreset}{\let\if@envcntreset\iftrue} +\DeclareOption{citeauthoryear}{\let\citeauthoryear=Y} +\DeclareOption{oribibl}{\let\oribibl=Y} +\let\if@custvec\iftrue +\DeclareOption{orivec}{\let\if@custvec\iffalse} +\let\if@envcntsame\iffalse +\DeclareOption{envcountsame}{\let\if@envcntsame\iftrue} +\let\if@envcntsect\iffalse +\DeclareOption{envcountsect}{\let\if@envcntsect\iftrue} +\let\if@runhead\iffalse +\DeclareOption{runningheads}{\let\if@runhead\iftrue} + +\let\if@openbib\iffalse +\DeclareOption{openbib}{\let\if@openbib\iftrue} + +\DeclareOption*{\PassOptionsToClass{\CurrentOption}{article}} + +\ProcessOptions + +\LoadClass[twoside]{article} +\RequirePackage{multicol} % needed for the list of participants, index + +\setlength{\textwidth}{12.2cm} +\setlength{\textheight}{19.3cm} + +% Ragged bottom for the actual page +\def\thisbottomragged{\def\@textbottom{\vskip\z@ plus.0001fil +\global\let\@textbottom\relax}} + +\renewcommand\small{% + \@setfontsize\small\@ixpt{11}% + \abovedisplayskip 8.5\p@ \@plus3\p@ \@minus4\p@ + \abovedisplayshortskip \z@ \@plus2\p@ + \belowdisplayshortskip 4\p@ \@plus2\p@ \@minus2\p@ + \def\@listi{\leftmargin\leftmargini + \parsep 0\p@ \@plus1\p@ \@minus\p@ + \topsep 8\p@ \@plus2\p@ \@minus4\p@ + \itemsep0\p@}% + \belowdisplayskip \abovedisplayskip +} + +\frenchspacing +\widowpenalty=10000 +\clubpenalty=10000 + +\setlength\oddsidemargin {63\p@} +\setlength\evensidemargin {63\p@} +\setlength\marginparwidth {90\p@} + +\setlength\headsep {16\p@} + +\setlength\footnotesep{7.7\p@} +\setlength\textfloatsep{8mm\@plus 2\p@ \@minus 4\p@} +\setlength\intextsep {8mm\@plus 2\p@ \@minus 2\p@} + +\setcounter{secnumdepth}{2} + +\newcounter {chapter} +\renewcommand\thechapter {\@arabic\c@chapter} + +\newif\if@mainmatter \@mainmattertrue +\newcommand\frontmatter{\cleardoublepage + \@mainmatterfalse\pagenumbering{Roman}} +\newcommand\mainmatter{\cleardoublepage + \@mainmattertrue\pagenumbering{arabic}} +\newcommand\backmatter{\if@openright\cleardoublepage\else\clearpage\fi + \@mainmatterfalse} + +\renewcommand\part{\cleardoublepage + \thispagestyle{empty}% + \if@twocolumn + \onecolumn + \@tempswatrue + \else + \@tempswafalse + \fi + \null\vfil + \secdef\@part\@spart} + +\def\@part[#1]#2{% + \ifnum \c@secnumdepth >-2\relax + \refstepcounter{part}% + \addcontentsline{toc}{part}{\thepart\hspace{1em}#1}% + \else + \addcontentsline{toc}{part}{#1}% + \fi + \markboth{}{}% + {\centering + \interlinepenalty \@M + \normalfont + \ifnum \c@secnumdepth >-2\relax + \huge\bfseries \partname~\thepart + \par + \vskip 20\p@ + \fi + \Huge \bfseries #2\par}% + \@endpart} +\def\@spart#1{% + {\centering + \interlinepenalty \@M + \normalfont + \Huge \bfseries #1\par}% + \@endpart} +\def\@endpart{\vfil\newpage + \if@twoside + \null + \thispagestyle{empty}% + \newpage + \fi + \if@tempswa + \twocolumn + \fi} + +\newcommand\chapter{\clearpage + \thispagestyle{empty}% + \global\@topnum\z@ + \@afterindentfalse + \secdef\@chapter\@schapter} +\def\@chapter[#1]#2{\ifnum \c@secnumdepth >\m@ne + \if@mainmatter + \refstepcounter{chapter}% + \typeout{\(a)chapapp\space\thechapter.}% + \addcontentsline{toc}{chapter}% + {\protect\numberline{\thechapter}#1}% + \else + \addcontentsline{toc}{chapter}{#1}% + \fi + \else + \addcontentsline{toc}{chapter}{#1}% + \fi + \chaptermark{#1}% + \addtocontents{lof}{\protect\addvspace{10\p@}}% + \addtocontents{lot}{\protect\addvspace{10\p@}}% + \if@twocolumn + \@topnewpage[\@makechapterhead{#2}]% + \else + \@makechapterhead{#2}% + \@afterheading + \fi} +\def\@makechapterhead#1{% +% \vspace*{50\p@}% + {\centering + \ifnum \c@secnumdepth >\m@ne + \if@mainmatter + \large\bfseries \@chapapp{} \thechapter + \par\nobreak + \vskip 20\p@ + \fi + \fi + \interlinepenalty\@M + \Large \bfseries #1\par\nobreak + \vskip 40\p@ + }} +\def\@schapter#1{\if@twocolumn + \@topnewpage[\@makeschapterhead{#1}]% + \else + \@makeschapterhead{#1}% + \@afterheading + \fi} +\def\@makeschapterhead#1{% +% \vspace*{50\p@}% + {\centering + \normalfont + \interlinepenalty\@M + \Large \bfseries #1\par\nobreak + \vskip 40\p@ + }} + +\renewcommand\section{\@startsection{section}{1}{\z@}% + {-18\p@ \@plus -4\p@ \@minus -4\p@}% + {12\p@ \@plus 4\p@ \@minus 4\p@}% + {\normalfont\large\bfseries\boldmath + \rightskip=\z@ \@plus 8em\pretolerance=10000 }} +\renewcommand\subsection{\@startsection{subsection}{2}{\z@}% + {-18\p@ \@plus -4\p@ \@minus -4\p@}% + {8\p@ \@plus 4\p@ \@minus 4\p@}% + {\normalfont\normalsize\bfseries\boldmath + \rightskip=\z@ \@plus 8em\pretolerance=10000 }} +\renewcommand\subsubsection{\@startsection{subsubsection}{3}{\z@}% + {-18\p@ \@plus -4\p@ \@minus -4\p@}% + {-0.5em \@plus -0.22em \@minus -0.1em}% + {\normalfont\normalsize\bfseries\boldmath}} +\renewcommand\paragraph{\@startsection{paragraph}{4}{\z@}% + {-12\p@ \@plus -4\p@ \@minus -4\p@}% + {-0.5em \@plus -0.22em \@minus -0.1em}% + {\normalfont\normalsize\itshape}} +\renewcommand\subparagraph[1]{\typeout{LLNCS warning: You should not use + \string\subparagraph\space with this class}\vskip0.5cm +You should not use \verb|\subparagraph| with this class.\vskip0.5cm} + +\DeclareMathSymbol{\Gamma}{\mathalpha}{letters}{"00} +\DeclareMathSymbol{\Delta}{\mathalpha}{letters}{"01} +\DeclareMathSymbol{\Theta}{\mathalpha}{letters}{"02} +\DeclareMathSymbol{\Lambda}{\mathalpha}{letters}{"03} +\DeclareMathSymbol{\Xi}{\mathalpha}{letters}{"04} +\DeclareMathSymbol{\Pi}{\mathalpha}{letters}{"05} +\DeclareMathSymbol{\Sigma}{\mathalpha}{letters}{"06} +\DeclareMathSymbol{\Upsilon}{\mathalpha}{letters}{"07} +\DeclareMathSymbol{\Phi}{\mathalpha}{letters}{"08} +\DeclareMathSymbol{\Psi}{\mathalpha}{letters}{"09} +\DeclareMathSymbol{\Omega}{\mathalpha}{letters}{"0A} + +\let\footnotesize\small + +\if@custvec +\def\vec#1{\mathchoice{\mbox{\boldmath$\displaystyle#1$}} +{\mbox{\boldmath$\textstyle#1$}} +{\mbox{\boldmath$\scriptstyle#1$}} +{\mbox{\boldmath$\scriptscriptstyle#1$}}} +\fi + +\def\squareforqed{\hbox{\rlap{$\sqcap$}$\sqcup$}} +\def\qed{\ifmmode\squareforqed\else{\unskip\nobreak\hfil +\penalty50\hskip1em\null\nobreak\hfil\squareforqed +\parfillskip=0pt\finalhyphendemerits=0\endgraf}\fi} + +\def\getsto{\mathrel{\mathchoice {\vcenter{\offinterlineskip +\halign{\hfil +$\displaystyle##$\hfil\cr\gets\cr\to\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr\gets +\cr\to\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr\gets +\cr\to\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr +\gets\cr\to\cr}}}}} +\def\lid{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil +$\displaystyle##$\hfil\cr<\cr\noalign{\vskip1.2pt}=\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr<\cr +\noalign{\vskip1.2pt}=\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr<\cr +\noalign{\vskip1pt}=\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr +<\cr +\noalign{\vskip0.9pt}=\cr}}}}} +\def\gid{\mathrel{\mathchoice {\vcenter{\offinterlineskip\halign{\hfil +$\displaystyle##$\hfil\cr>\cr\noalign{\vskip1.2pt}=\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr>\cr +\noalign{\vskip1.2pt}=\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr>\cr +\noalign{\vskip1pt}=\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr +>\cr +\noalign{\vskip0.9pt}=\cr}}}}} +\def\grole{\mathrel{\mathchoice {\vcenter{\offinterlineskip +\halign{\hfil +$\displaystyle##$\hfil\cr>\cr\noalign{\vskip-1pt}<\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\textstyle##$\hfil\cr +>\cr\noalign{\vskip-1pt}<\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\scriptstyle##$\hfil\cr +>\cr\noalign{\vskip-0.8pt}<\cr}}} +{\vcenter{\offinterlineskip\halign{\hfil$\scriptscriptstyle##$\hfil\cr +>\cr\noalign{\vskip-0.3pt}<\cr}}}}} +\def\bbbr{{\rm I\!R}} %reelle Zahlen +\def\bbbm{{\rm I\!M}} +\def\bbbn{{\rm I\!N}} %natuerliche Zahlen +\def\bbbf{{\rm I\!F}} +\def\bbbh{{\rm I\!H}} +\def\bbbk{{\rm I\!K}} +\def\bbbp{{\rm I\!P}} +\def\bbbone{{\mathchoice {\rm 1\mskip-4mu l} {\rm 1\mskip-4mu l} +{\rm 1\mskip-4.5mu l} {\rm 1\mskip-5mu l}}} +\def\bbbc{{\mathchoice {\setbox0=\hbox{$\displaystyle\rm C$}\hbox{\hbox +to0pt{\kern0.4\wd0\vrule height0.9\ht0\hss}\box0}} +{\setbox0=\hbox{$\textstyle\rm C$}\hbox{\hbox +to0pt{\kern0.4\wd0\vrule height0.9\ht0\hss}\box0}} +{\setbox0=\hbox{$\scriptstyle\rm C$}\hbox{\hbox +to0pt{\kern0.4\wd0\vrule height0.9\ht0\hss}\box0}} +{\setbox0=\hbox{$\scriptscriptstyle\rm C$}\hbox{\hbox +to0pt{\kern0.4\wd0\vrule height0.9\ht0\hss}\box0}}}} +\def\bbbq{{\mathchoice {\setbox0=\hbox{$\displaystyle\rm +Q$}\hbox{\raise +0.15\ht0\hbox to0pt{\kern0.4\wd0\vrule height0.8\ht0\hss}\box0}} +{\setbox0=\hbox{$\textstyle\rm Q$}\hbox{\raise +0.15\ht0\hbox to0pt{\kern0.4\wd0\vrule height0.8\ht0\hss}\box0}} +{\setbox0=\hbox{$\scriptstyle\rm Q$}\hbox{\raise +0.15\ht0\hbox to0pt{\kern0.4\wd0\vrule height0.7\ht0\hss}\box0}} +{\setbox0=\hbox{$\scriptscriptstyle\rm Q$}\hbox{\raise +0.15\ht0\hbox to0pt{\kern0.4\wd0\vrule height0.7\ht0\hss}\box0}}}} +\def\bbbt{{\mathchoice {\setbox0=\hbox{$\displaystyle\rm +T$}\hbox{\hbox to0pt{\kern0.3\wd0\vrule height0.9\ht0\hss}\box0}} +{\setbox0=\hbox{$\textstyle\rm T$}\hbox{\hbox +to0pt{\kern0.3\wd0\vrule height0.9\ht0\hss}\box0}} +{\setbox0=\hbox{$\scriptstyle\rm T$}\hbox{\hbox +to0pt{\kern0.3\wd0\vrule height0.9\ht0\hss}\box0}} +{\setbox0=\hbox{$\scriptscriptstyle\rm T$}\hbox{\hbox +to0pt{\kern0.3\wd0\vrule height0.9\ht0\hss}\box0}}}} +\def\bbbs{{\mathchoice +{\setbox0=\hbox{$\displaystyle \rm S$}\hbox{\raise0.5\ht0\hbox +to0pt{\kern0.35\wd0\vrule height0.45\ht0\hss}\hbox +to0pt{\kern0.55\wd0\vrule height0.5\ht0\hss}\box0}} +{\setbox0=\hbox{$\textstyle \rm S$}\hbox{\raise0.5\ht0\hbox +to0pt{\kern0.35\wd0\vrule height0.45\ht0\hss}\hbox +to0pt{\kern0.55\wd0\vrule height0.5\ht0\hss}\box0}} +{\setbox0=\hbox{$\scriptstyle \rm S$}\hbox{\raise0.5\ht0\hbox +to0pt{\kern0.35\wd0\vrule height0.45\ht0\hss}\raise0.05\ht0\hbox +to0pt{\kern0.5\wd0\vrule height0.45\ht0\hss}\box0}} +{\setbox0=\hbox{$\scriptscriptstyle\rm S$}\hbox{\raise0.5\ht0\hbox +to0pt{\kern0.4\wd0\vrule height0.45\ht0\hss}\raise0.05\ht0\hbox +to0pt{\kern0.55\wd0\vrule height0.45\ht0\hss}\box0}}}} +\def\bbbz{{\mathchoice {\hbox{$\mathsf\textstyle Z\kern-0.4em Z$}} +{\hbox{$\mathsf\textstyle Z\kern-0.4em Z$}} +{\hbox{$\mathsf\scriptstyle Z\kern-0.3em Z$}} +{\hbox{$\mathsf\scriptscriptstyle Z\kern-0.2em Z$}}}} + +\let\ts\, + +\setlength\leftmargini {17\p@} +\setlength\leftmargin {\leftmargini} +\setlength\leftmarginii {\leftmargini} +\setlength\leftmarginiii {\leftmargini} +\setlength\leftmarginiv {\leftmargini} +\setlength \labelsep {.5em} +\setlength \labelwidth{\leftmargini} +\addtolength\labelwidth{-\labelsep} + +\def\@listI{\leftmargin\leftmargini + \parsep 0\p@ \@plus1\p@ \@minus\p@ + \topsep 8\p@ \@plus2\p@ \@minus4\p@ + \itemsep0\p@} +\let\@listi\@listI +\@listi +\def\@listii {\leftmargin\leftmarginii + \labelwidth\leftmarginii + \advance\labelwidth-\labelsep + \topsep 0\p@ \@plus2\p@ \@minus\p@} +\def\@listiii{\leftmargin\leftmarginiii + \labelwidth\leftmarginiii + \advance\labelwidth-\labelsep + \topsep 0\p@ \@plus\p@\@minus\p@ + \parsep \z@ + \partopsep \p@ \@plus\z@ \@minus\p@} + +\renewcommand\labelitemi{\normalfont\bfseries --} +\renewcommand\labelitemii{$\m@th\bullet$} + +\setlength\arraycolsep{1.4\p@} +\setlength\tabcolsep{1.4\p@} + +\def\tableofcontents{\chapter*{\contentsname\@mkboth{{\contentsname}}% + {{\contentsname}}} + \def\authcount##1{\setcounter{auco}{##1}\setcounter{@auth}{1}} + \def\lastand{\ifnum\value{auco}=2\relax + \unskip{} \andname\ + \else + \unskip \lastandname\ + \fi}% + \def\and{\stepcounter{@auth}\relax + \ifnum\value{@auth}=\value{auco}% + \lastand + \else + \unskip, + \fi}% + \@starttoc{toc}\if@restonecol\twocolumn\fi} + +\def\l@part#1#2{\addpenalty{\@secpenalty}% + \addvspace{2em plus\p@}% % space above part line + \begingroup + \parindent \z@ + \rightskip \z@ plus 5em + \hrule\vskip5pt + \large % same size as for a contribution heading + \bfseries\boldmath % set line in boldface + \leavevmode % TeX command to enter horizontal mode. + #1\par + \vskip5pt + \hrule + \vskip1pt + \nobreak % Never break after part entry + \endgroup} + +\def\@dotsep{2} + +\def\hyperhrefextend{\ifx\hyper@anchor\@undefined\else +{chapter.\thechapter}\fi} + +\def\addnumcontentsmark#1#2#3{% +\addtocontents{#1}{\protect\contentsline{#2}{\protect\numberline + {\thechapter}#3}{\thepage}\hyperhrefextend}} +\def\addcontentsmark#1#2#3{% +\addtocontents{#1}{\protect\contentsline{#2}{#3}{\thepage}\hyperhrefextend}} +\def\addcontentsmarkwop#1#2#3{% +\addtocontents{#1}{\protect\contentsline{#2}{#3}{0}\hyperhrefextend}} + +\def\@adcmk[#1]{\ifcase #1 \or +\def\@gtempa{\addnumcontentsmark}% + \or \def\@gtempa{\addcontentsmark}% + \or \def\@gtempa{\addcontentsmarkwop}% + \fi\@gtempa{toc}{chapter}} +\def\addtocmark{\@ifnextchar[{\@adcmk}{\@adcmk[3]}} + +\def\l@chapter#1#2{\addpenalty{-\@highpenalty} + \vskip 1.0em plus 1pt \@tempdima 1.5em \begingroup + \parindent \z@ \rightskip \@pnumwidth + \parfillskip -\@pnumwidth + \leavevmode \advance\leftskip\@tempdima \hskip -\leftskip + {\large\bfseries\boldmath#1}\ifx0#2\hfil\null + \else + \nobreak + \leaders\hbox{$\m@th \mkern \@dotsep mu.\mkern + \@dotsep mu$}\hfill + \nobreak\hbox to\@pnumwidth{\hss #2}% + \fi\par + \penalty\@highpenalty \endgroup} + +\def\l@title#1#2{\addpenalty{-\@highpenalty} + \addvspace{8pt plus 1pt} + \@tempdima \z@ + \begingroup + \parindent \z@ \rightskip \@tocrmarg + \parfillskip -\@tocrmarg + \leavevmode \advance\leftskip\@tempdima \hskip -\leftskip + #1\nobreak + \leaders\hbox{$\m@th \mkern \@dotsep mu.\mkern + \@dotsep mu$}\hfill + \nobreak\hbox to\@pnumwidth{\hss #2}\par + \penalty\@highpenalty \endgroup} + +\setcounter{tocdepth}{0} +\newdimen\tocchpnum +\newdimen\tocsecnum +\newdimen\tocsectotal +\newdimen\tocsubsecnum +\newdimen\tocsubsectotal +\newdimen\tocsubsubsecnum +\newdimen\tocsubsubsectotal +\newdimen\tocparanum +\newdimen\tocparatotal +\newdimen\tocsubparanum +\tocchpnum=\z@ % no chapter numbers +\tocsecnum=15\p@ % section 88. plus 2.222pt +\tocsubsecnum=23\p@ % subsection 88.8 plus 2.222pt +\tocsubsubsecnum=27\p@ % subsubsection 88.8.8 plus 1.444pt +\tocparanum=35\p@ % paragraph 88.8.8.8 plus 1.666pt +\tocsubparanum=43\p@ % subparagraph 88.8.8.8.8 plus 1.888pt +\def\calctocindent{% +\tocsectotal=\tocchpnum +\advance\tocsectotal by\tocsecnum +\tocsubsectotal=\tocsectotal +\advance\tocsubsectotal by\tocsubsecnum +\tocsubsubsectotal=\tocsubsectotal +\advance\tocsubsubsectotal by\tocsubsubsecnum +\tocparatotal=\tocsubsubsectotal +\advance\tocparatotal by\tocparanum} +\calctocindent + +\def\l@section{\@dottedtocline{1}{\tocchpnum}{\tocsecnum}} +\def\l@subsection{\@dottedtocline{2}{\tocsectotal}{\tocsubsecnum}} +\def\l@subsubsection{\@dottedtocline{3}{\tocsubsectotal}{\tocsubsubsecnum}} +\def\l@paragraph{\@dottedtocline{4}{\tocsubsubsectotal}{\tocparanum}} +\def\l@subparagraph{\@dottedtocline{5}{\tocparatotal}{\tocsubparanum}} + +\def\listoffigures{\@restonecolfalse\if@twocolumn\@restonecoltrue\onecolumn + \fi\section*{\listfigurename\@mkboth{{\listfigurename}}{{\listfigurename}}} + \@starttoc{lof}\if@restonecol\twocolumn\fi} +\def\l@figure{\@dottedtocline{1}{0em}{1.5em}} + +\def\listoftables{\@restonecolfalse\if@twocolumn\@restonecoltrue\onecolumn + \fi\section*{\listtablename\@mkboth{{\listtablename}}{{\listtablename}}} + \@starttoc{lot}\if@restonecol\twocolumn\fi} +\let\l@table\l@figure + +\renewcommand\listoffigures{% + \section*{\listfigurename + \@mkboth{\listfigurename}{\listfigurename}}% + \@starttoc{lof}% + } + +\renewcommand\listoftables{% + \section*{\listtablename + \@mkboth{\listtablename}{\listtablename}}% + \@starttoc{lot}% + } + +\ifx\oribibl\undefined +\ifx\citeauthoryear\undefined +\renewenvironment{thebibliography}[1] + {\section*{\refname} + \def\(a)biblabel##1{##1.} + \small + \list{\@biblabel{\@arabic\c@enumiv}}% + {\settowidth\labelwidth{\@biblabel{#1}}% + \leftmargin\labelwidth + \advance\leftmargin\labelsep + \if@openbib + \advance\leftmargin\bibindent + \itemindent -\bibindent + \listparindent \itemindent + \parsep \z@ + \fi + \usecounter{enumiv}% + \let\p@enumiv\@empty + \renewcommand\theenumiv{\@arabic\c@enumiv}}% + \if@openbib + \renewcommand\newblock{\par}% + \else + \renewcommand\newblock{\hskip .11em \(a)plus.33em \(a)minus.07em}% + \fi + \sloppy\clubpenalty4000\widowpenalty4000% + \sfcode`\.=\@m} + {\def\@noitemerr + {\@latex@warning{Empty `thebibliography' environment}}% + \endlist} +\def\@lbibitem[#1]#2{\item[{[#1]}\hfill]\if@filesw + {\let\protect\noexpand\immediate + \write\@auxout{\string\bibcite{#2}{#1}}}\fi\ignorespaces} +\newcount\@tempcntc +\def\@citex[#1]#2{\if@filesw\immediate\write\@auxout{\string\citation{#2}}\fi + \@tempcnta\z@\@tempcntb\m@ne\def\@citea{}\@cite{\@for\@citeb:=#2\do + {\@ifundefined + {b@\@citeb}{\@citeo\@tempcntb\m@ne\@citea\def\@citea{,}{\bfseries + ?}\@warning + {Citation `\@citeb' on page \thepage \space undefined}}% + {\setbox\z@\hbox{\global\@tempcntc0\csname b@\@citeb\endcsname\relax}% + \ifnum\@tempcntc=\z@ \@citeo\@tempcntb\m@ne + \@citea\def\@citea{,}\hbox{\csname b@\@citeb\endcsname}% + \else + \advance\@tempcntb\@ne + \ifnum\@tempcntb=\@tempcntc + \else\advance\@tempcntb\m@ne\@citeo + \@tempcnta\@tempcntc\@tempcntb\@tempcntc\fi\fi}}\@citeo}{#1}} +\def\@citeo{\ifnum\@tempcnta>\@tempcntb\else + \@citea\def\@citea{,\,\hskip\z@skip}% + \ifnum\@tempcnta=\@tempcntb\the\@tempcnta\else + {\advance\@tempcnta\@ne\ifnum\@tempcnta=\@tempcntb \else + \def\@citea{--}\fi + \advance\@tempcnta\m@ne\the\@tempcnta\@citea\the\@tempcntb}\fi\fi} +\else +\renewenvironment{thebibliography}[1] + {\section*{\refname} + \small + \list{}% + {\settowidth\labelwidth{}% + \leftmargin\parindent + \itemindent=-\parindent + \labelsep=\z@ + \if@openbib + \advance\leftmargin\bibindent + \itemindent -\bibindent + \listparindent \itemindent + \parsep \z@ + \fi + \usecounter{enumiv}% + \let\p@enumiv\@empty + \renewcommand\theenumiv{}}% + \if@openbib + \renewcommand\newblock{\par}% + \else + \renewcommand\newblock{\hskip .11em \(a)plus.33em \(a)minus.07em}% + \fi + \sloppy\clubpenalty4000\widowpenalty4000% + \sfcode`\.=\@m} + {\def\@noitemerr + {\@latex@warning{Empty `thebibliography' environment}}% + \endlist} + \def\@cite#1{#1}% + \def\@lbibitem[#1]#2{\item[]\if@filesw + {\def\protect##1{\string ##1\space}\immediate + \write\@auxout{\string\bibcite{#2}{#1}}}\fi\ignorespaces} + \fi +\else +\@cons\@openbib@code{\noexpand\small} +\fi + +\def\idxquad{\hskip 10\p@}% space that divides entry from number + +\def\@idxitem{\par\hangindent 10\p@} + +\def\subitem{\par\setbox0=\hbox{--\enspace}% second order + \noindent\hangindent\wd0\box0}% index entry + +\def\subsubitem{\par\setbox0=\hbox{--\,--\enspace}% third + \noindent\hangindent\wd0\box0}% order index entry + +\def\indexspace{\par \vskip 10\p@ plus5\p@ minus3\p@\relax} + +\renewenvironment{theindex} + {\@mkboth{\indexname}{\indexname}% + \thispagestyle{empty}\parindent\z@ + \parskip\z@ \@plus .3\p@\relax + \let\item\par + \def\,{\relax\ifmmode\mskip\thinmuskip + \else\hskip0.2em\ignorespaces\fi}% + \normalfont\small + \begin{multicols}{2}[\@makeschapterhead{\indexname}]% + } + {\end{multicols}} + +\renewcommand\footnoterule{% + \kern-3\p@ + \hrule\@width 2truecm + \kern2.6\p@} + \newdimen\fnindent + \fnindent1em +\long\def\@makefntext#1{% + \parindent \fnindent% + \leftskip \fnindent% + \noindent + \llap{\hb@xt@1em{\hss\@makefnmark\ }}\ignorespaces#1} + +\long\def\@makecaption#1#2{% + \vskip\abovecaptionskip + \sbox\@tempboxa{{\bfseries #1.} #2}% + \ifdim \wd\@tempboxa >\hsize + {\bfseries #1.} #2\par + \else + \global \@minipagefalse + \hb@xt@\hsize{\hfil\box\@tempboxa\hfil}% + \fi + \vskip\belowcaptionskip} + +\def\fps@figure{htbp} +\def\fnum@figure{\figurename\thinspace\thefigure} +\def \@floatboxreset {% + \reset@font + \small + \@setnobreak + \@setminipage +} +\def\fps@table{htbp} +\def\fnum@table{\tablename~\thetable} +\renewenvironment{table} + {\setlength\abovecaptionskip{0\p@}% + \setlength\belowcaptionskip{10\p@}% + \@float{table}} + {\end@float} +\renewenvironment{table*} + {\setlength\abovecaptionskip{0\p@}% + \setlength\belowcaptionskip{10\p@}% + \@dblfloat{table}} + {\end@dblfloat} + +\long\def\@caption#1[#2]#3{\par\addcontentsline{\csname + ext@#1\endcsname}{#1}{\protect\numberline{\csname + the#1\endcsname}{\ignorespaces #2}}\begingroup + \@parboxrestore + \@makecaption{\csname fnum@#1\endcsname}{\ignorespaces #3}\par + \endgroup} + +% LaTeX does not provide a command to enter the authors institute +% addresses. The \institute command is defined here. + +\newcounter{@inst} +\newcounter{@auth} +\newcounter{auco} +\def\andname{and} +\def\lastandname{\unskip, and} +\newdimen\instindent +\newbox\authrun +\newtoks\authorrunning +\newtoks\tocauthor +\newbox\titrun +\newtoks\titlerunning +\newtoks\toctitle + +\def\clearheadinfo{\gdef\@author{No Author Given}% + \gdef\@title{No Title Given}% + \gdef\@subtitle{}% + \gdef\@institute{No Institute Given}% + \gdef\@thanks{}% + \global\titlerunning={}\global\authorrunning={}% + \global\toctitle={}\global\tocauthor={}} + +\def\institute#1{\gdef\@institute{#1}} + +\def\institutename{\par + \begingroup + \parskip=\z@ + \parindent=\z@ + \setcounter{@inst}{1}% + \def\and{\par\stepcounter{@inst}% + \noindent$^{\the@inst}$\enspace\ignorespaces}% + \setbox0=\vbox{\def\thanks##1{}\@institute}% + \ifnum\c@@inst=1\relax + \else + \setcounter{footnote}{\c@@inst}% + \setcounter{@inst}{1}% + \noindent$^{\the@inst}$\enspace + \fi + \ignorespaces + \@institute\par + \endgroup} + +\def\@fnsymbol#1{\ensuremath{\ifcase#1\or\star\or{\star\star}\or + {\star\star\star}\or \dagger\or \ddagger\or + \mathchar "278\or \mathchar "27B\or \|\or **\or \dagger\dagger + \or \ddagger\ddagger \else\@ctrerr\fi}} + +\def\inst#1{\unskip$^{#1}$} +\def\fnmsep{\unskip$^,$} +\def\email#1{{\tt#1}} +\AtBeginDocument{\@ifundefined{url}{\def\url#1{#1}}{}} +\def\homedir{\~{ }} + +\def\subtitle#1{\gdef\@subtitle{#1}} +\clearheadinfo + +\renewcommand\maketitle{\newpage + \refstepcounter{chapter}% + \stepcounter{section}% + \setcounter{section}{0}% + \setcounter{subsection}{0}% + \setcounter{figure}{0} + \setcounter{table}{0} + \setcounter{equation}{0} + \setcounter{footnote}{0}% + \begingroup + \parindent=\z@ + \renewcommand\thefootnote{\@fnsymbol\c@footnote}% + \if@twocolumn + \ifnum \col@number=\@ne + \@maketitle + \else + \twocolumn[\@maketitle]% + \fi + \else + \newpage + \global\@topnum\z@ % Prevents figures from going at top of page. + \@maketitle + \fi + \thispagestyle{empty}\@thanks +% + \def\\{\unskip\ \ignorespaces}\def\inst##1{\unskip{}}% + \def\thanks##1{\unskip{}}\def\fnmsep{\unskip}% + \instindent=\hsize + \advance\instindent by-\headlineindent + \if!\the\toctitle!\addcontentsline{toc}{title}{\@title}\else + \addcontentsline{toc}{title}{\the\toctitle}\fi + \if@runhead + \if!\the\titlerunning!\else + \edef\@title{\the\titlerunning}% + \fi + \global\setbox\titrun=\hbox{\small\rm\unboldmath\ignorespaces\@title}% + \ifdim\wd\titrun>\instindent + \typeout{Title too long for running head. Please supply}% + \typeout{a shorter form with \string\titlerunning\space prior to + \string\maketitle}% + \global\setbox\titrun=\hbox{\small\rm + Title Suppressed Due to Excessive Length}% + \fi + \xdef\@title{\copy\titrun}% + \fi +% + \if!\the\tocauthor!\relax + {\def\and{\noexpand\protect\noexpand\and}% + \protected@xdef\toc@uthor{\@author}}% + \else + \def\\{\noexpand\protect\noexpand\newline}% + \protected@xdef\scratch{\the\tocauthor}% + \protected@xdef\toc@uthor{\scratch}% + \fi + \addtocontents{toc}{{\protect\raggedright\protect\leftskip15\p@ + \protect\rightskip\@tocrmarg + \protect\itshape\toc@uthor\protect\endgraf}}% + \if@runhead + \if!\the\authorrunning! + \value{@inst}=\value{@auth}% + \setcounter{@auth}{1}% + \else + \edef\@author{\the\authorrunning}% + \fi + \global\setbox\authrun=\hbox{\small\unboldmath\@author\unskip}% + \ifdim\wd\authrun>\instindent + \typeout{Names of authors too long for running head. Please supply}% + \typeout{a shorter form with \string\authorrunning\space prior to + \string\maketitle}% + \global\setbox\authrun=\hbox{\small\rm + Authors Suppressed Due to Excessive Length}% + \fi + \xdef\@author{\copy\authrun}% + \markboth{\@author}{\@title}% + \fi + \endgroup + \setcounter{footnote}{0}% + \clearheadinfo} +% +\def\@maketitle{\newpage + \markboth{}{}% + \def\lastand{\ifnum\value{@inst}=2\relax + \unskip{} \andname\ + \else + \unskip \lastandname\ + \fi}% + \def\and{\stepcounter{@auth}\relax + \ifnum\value{@auth}=\value{@inst}% + \lastand + \else + \unskip, + \fi}% + \begin{center}% + {\Large \bfseries\boldmath + \pretolerance=10000 + \@title \par}\vskip .8cm +\if!\@subtitle!\else {\large \bfseries\boldmath + \vskip -.65cm + \pretolerance=10000 + \@subtitle \par}\vskip .8cm\fi + \setbox0=\vbox{\setcounter{@auth}{1}\def\and{\stepcounter{@auth}}% + \def\thanks##1{}\@author}% + \global\value{@inst}=\value{@auth}% + \global\value{auco}=\value{@auth}% + \setcounter{@auth}{1}% +{\lineskip .5em +\noindent\ignorespaces +\(a)author\vskip.35cm} + {\small\institutename} + \end{center}% + } + +% definition of the "\spnewtheorem" command. +% +% Usage: +% +% \spnewtheorem{env_nam}{caption}[within]{cap_font}{body_font} +% or \spnewtheorem{env_nam}[numbered_like]{caption}{cap_font}{body_font} +% or \spnewtheorem*{env_nam}{caption}{cap_font}{body_font} +% +% New is "cap_font" and "body_font". It stands for +% fontdefinition of the caption and the text itself. +% +% "\spnewtheorem*" gives a theorem without number. +% +% A defined spnewthoerem environment is used as described +% by Lamport. +% +%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% + +\def\@thmcountersep{} +\def\(a)thmcounterend{.} + +\def\spnewtheorem{\@ifstar{\@sthm}{\@Sthm}} + +% definition of \spnewtheorem with number + +\def\@spnthm#1#2{% + \@ifnextchar[{\@spxnthm{#1}{#2}}{\@spynthm{#1}{#2}}} +\def\@Sthm#1{\@ifnextchar[{\@spothm{#1}}{\@spnthm{#1}}} + +\def\@spxnthm#1#2[#3]#4#5{\expandafter\@ifdefinable\csname #1\endcsname + {\@definecounter{#1}\@addtoreset{#1}{#3}% + \expandafter\xdef\csname the#1\endcsname{\expandafter\noexpand + \csname the#3\endcsname \noexpand\@thmcountersep \@thmcounter{#1}}% + \expandafter\xdef\csname #1name\endcsname{#2}% + \global\@namedef{#1}{\@spthm{#1}{\csname #1name\endcsname}{#4}{#5}}% + \global\@namedef{end#1}{\@endtheorem}}} + +\def\@spynthm#1#2#3#4{\expandafter\@ifdefinable\csname #1\endcsname + {\@definecounter{#1}% + \expandafter\xdef\csname the#1\endcsname{\@thmcounter{#1}}% + \expandafter\xdef\csname #1name\endcsname{#2}% + \global\@namedef{#1}{\@spthm{#1}{\csname #1name\endcsname}{#3}{#4}}% + \global\@namedef{end#1}{\@endtheorem}}} + +\def\@spothm#1[#2]#3#4#5{% + \@ifundefined{c@#2}{\@latexerr{No theorem environment `#2' defined}\@eha}% + {\expandafter\@ifdefinable\csname #1\endcsname + {\global\@namedef{the#1}{\@nameuse{the#2}}% + \expandafter\xdef\csname #1name\endcsname{#3}% + \global\@namedef{#1}{\@spthm{#2}{\csname #1name\endcsname}{#4}{#5}}% + \global\@namedef{end#1}{\@endtheorem}}}} + +\def\@spthm#1#2#3#4{\topsep 7\p@ \@plus2\p@ \@minus4\p@ +\refstepcounter{#1}% +\@ifnextchar[{\@spythm{#1}{#2}{#3}{#4}}{\@spxthm{#1}{#2}{#3}{#4}}} + +\def\@spxthm#1#2#3#4{\@spbegintheorem{#2}{\csname the#1\endcsname}{#3}{#4}% + \ignorespaces} + +\def\@spythm#1#2#3#4[#5]{\@spopargbegintheorem{#2}{\csname + the#1\endcsname}{#5}{#3}{#4}\ignorespaces} + +\def\@spbegintheorem#1#2#3#4{\trivlist + \item[\hskip\labelsep{#3#1\ #2\@thmcounterend}]#4} + +\def\@spopargbegintheorem#1#2#3#4#5{\trivlist + \item[\hskip\labelsep{#4#1\ #2}]{#4(#3)\@thmcounterend\ }#5} + +% definition of \spnewtheorem* without number + +\def\@sthm#1#2{\@Ynthm{#1}{#2}} + +\def\@Ynthm#1#2#3#4{\expandafter\@ifdefinable\csname #1\endcsname + {\global\@namedef{#1}{\@Thm{\csname #1name\endcsname}{#3}{#4}}% + \expandafter\xdef\csname #1name\endcsname{#2}% + \global\@namedef{end#1}{\@endtheorem}}} + +\def\@Thm#1#2#3{\topsep 7\p@ \@plus2\p@ \@minus4\p@ +\@ifnextchar[{\@Ythm{#1}{#2}{#3}}{\@Xthm{#1}{#2}{#3}}} + +\def\@Xthm#1#2#3{\@Begintheorem{#1}{#2}{#3}\ignorespaces} + +\def\@Ythm#1#2#3[#4]{\@Opargbegintheorem{#1} + {#4}{#2}{#3}\ignorespaces} + +\def\@Begintheorem#1#2#3{#3\trivlist + \item[\hskip\labelsep{#2#1\@thmcounterend}]} + +\def\@Opargbegintheorem#1#2#3#4{#4\trivlist + \item[\hskip\labelsep{#3#1}]{#3(#2)\@thmcounterend\ }} + +\if@envcntsect + \def\(a)thmcountersep{.} + \spnewtheorem{theorem}{Theorem}[section]{\bfseries}{\itshape} +\else + \spnewtheorem{theorem}{Theorem}{\bfseries}{\itshape} + \if@envcntreset + \@addtoreset{theorem}{section} + \else + \@addtoreset{theorem}{chapter} + \fi +\fi + +%definition of divers theorem environments +\spnewtheorem*{claim}{Claim}{\itshape}{\rmfamily} +\spnewtheorem*{proof}{Proof}{\itshape}{\rmfamily} +\if@envcntsame % alle Umgebungen wie Theorem. + \def\spn@wtheorem#1#2#3#4{\@spothm{#1}[theorem]{#2}{#3}{#4}} +\else % alle Umgebungen mit eigenem Zaehler + \if@envcntsect % mit section numeriert + \def\spn@wtheorem#1#2#3#4{\@spxnthm{#1}{#2}[section]{#3}{#4}} + \else % nicht mit section numeriert + \if@envcntreset + \def\spn@wtheorem#1#2#3#4{\@spynthm{#1}{#2}{#3}{#4} + \@addtoreset{#1}{section}} + \else + \def\spn@wtheorem#1#2#3#4{\@spynthm{#1}{#2}{#3}{#4} + \@addtoreset{#1}{chapter}}% + \fi + \fi +\fi +\spn@wtheorem{case}{Case}{\itshape}{\rmfamily} +\spn@wtheorem{conjecture}{Conjecture}{\itshape}{\rmfamily} +\spn@wtheorem{corollary}{Corollary}{\bfseries}{\itshape} +\spn@wtheorem{definition}{Definition}{\bfseries}{\itshape} +\spn@wtheorem{example}{Example}{\itshape}{\rmfamily} +\spn@wtheorem{exercise}{Exercise}{\itshape}{\rmfamily} +\spn@wtheorem{lemma}{Lemma}{\bfseries}{\itshape} +\spn@wtheorem{note}{Note}{\itshape}{\rmfamily} +\spn@wtheorem{problem}{Problem}{\itshape}{\rmfamily} +\spn@wtheorem{property}{Property}{\itshape}{\rmfamily} +\spn@wtheorem{proposition}{Proposition}{\bfseries}{\itshape} +\spn@wtheorem{question}{Question}{\itshape}{\rmfamily} +\spn@wtheorem{solution}{Solution}{\itshape}{\rmfamily} +\spn@wtheorem{remark}{Remark}{\itshape}{\rmfamily} + +\def\@takefromreset#1#2{% + \def\@tempa{#1}% + \let\@tempd\@elt + \def\@elt##1{% + \def\@tempb{##1}% + \ifx\@tempa\@tempb\else + \@addtoreset{##1}{#2}% + \fi}% + \expandafter\expandafter\let\expandafter\@tempc\csname cl@#2\endcsname + \expandafter\def\csname cl@#2\endcsname{}% + \@tempc + \let\@elt\@tempd} + +\def\theopargself{\def\@spopargbegintheorem##1##2##3##4##5{\trivlist + \item[\hskip\labelsep{##4##1\ ##2}]{##4##3\@thmcounterend\ }##5} + \def\@Opargbegintheorem##1##2##3##4{##4\trivlist + \item[\hskip\labelsep{##3##1}]{##3##2\@thmcounterend\ }} + } + +\renewenvironment{abstract}{% + \list{}{\advance\topsep by0.35cm\relax\small + \leftmargin=1cm + \labelwidth=\z@ + \listparindent=\z@ + \itemindent\listparindent + \rightmargin\leftmargin}\item[\hskip\labelsep + \bfseries\abstractname]} + {\endlist} +\renewcommand{\abstractname}{Abstract} +\renewcommand{\contentsname}{Table of Contents} +\renewcommand{\figurename}{Fig.} +\renewcommand{\tablename}{Table} + +\newdimen\headlineindent % dimension for space between +\headlineindent=1.166cm % number and text of headings. + +\def\ps@headings{\let\@mkboth\@gobbletwo + \let\@oddfoot\@empty\let\@evenfoot\@empty + \def\@evenhead{\normalfont\small\rlap{\thepage}\hspace{\headlineindent}% + \leftmark\hfil} + \def\@oddhead{\normalfont\small\hfil\rightmark\hspace{\headlineindent}% + \llap{\thepage}} + \def\chaptermark##1{}% + \def\sectionmark##1{}% + \def\subsectionmark##1{}} + +\def\ps@titlepage{\let\@mkboth\@gobbletwo + \let\@oddfoot\@empty\let\@evenfoot\@empty + \def\@evenhead{\normalfont\small\rlap{\thepage}\hspace{\headlineindent}% + \hfil} + \def\@oddhead{\normalfont\small\hfil\hspace{\headlineindent}% + \llap{\thepage}} + \def\chaptermark##1{}% + \def\sectionmark##1{}% + \def\subsectionmark##1{}} + +\if@runhead\ps@headings\else +\ps@empty\fi + +\setlength\arraycolsep{1.4\p@} +\setlength\tabcolsep{1.4\p@} + +\endinput + Added: projects/articles/browser-privacy/usenix.sty =================================================================== --- projects/articles/browser-privacy/usenix.sty (rev 0) +++ projects/articles/browser-privacy/usenix.sty 2011-04-26 01:06:35 UTC (rev 24668) @@ -0,0 +1,97 @@ +% usenix-2e.sty - to be used with latex2e (the new one) for USENIX. +% To use this style file, do this: +% +% \documentclass[twocolumn]{article} +% \usepackage{usenix-2e} +% and put {\rm ....} around the author names. +% +% The following definitions are modifications of standard article.sty +% definitions, arranged to do a better job of matching the USENIX +% guidelines. +% It will automatically select two-column mode and the Times-Roman +% font. + +% +% USENIX papers are two-column. +% Times-Roman font is nice if you can get it (requires NFSS, +% which is in latex2e. + +%\if@twocolumn\else\input twocolumn.sty\fi +\usepackage{times} + +% +% USENIX wants margins of: 7/8" side, 1" bottom, and 3/4" top. +% 0.25" gutter between columns. +% Gives active areas of 6.75" x 9.25" +% +\setlength{\textheight}{9.0in} +\setlength{\columnsep}{0.25in} +\setlength{\textwidth}{6.75in} +%\setlength{\textwidth}{7.00in} +%\setlength{\footheight}{0.0in} +\setlength{\topmargin}{-0.25in} +\setlength{\headheight}{0.0in} +\setlength{\headsep}{0.0in} +\setlength{\evensidemargin}{-0.125in} +\setlength{\oddsidemargin}{-0.125in} + +% +% Usenix wants no page numbers for submitted papers, so that they can +% number them themselves. +% +\pagestyle{empty} + +% +% Usenix titles are in 14-point bold type, with no date, and with no +% change in the empty page headers. The whol author section is 12 point +% italic--- you must use {\rm } around the actual author names to get +% them in roman. +% +\def\maketitle{\par + \begingroup + \renewcommand\thefootnote{\fnsymbol{footnote}}% + \def\@makefnmark{\hbox to\z@{$\m@th^{\@thefnmark}$\hss}}% + \long\def\@makefntext##1{\parindent 1em\noindent + \hbox to1.8em{\hss$\m@th^{\@thefnmark}$}##1}% + \if@twocolumn + \twocolumn[\@maketitle]% + \else \newpage + \global\@topnum\z@ + \@maketitle \fi\@thanks + \endgroup + \setcounter{footnote}{0}% + \let\maketitle\relax + \let\@maketitle\relax + \gdef\@thanks{}\gdef\@author{}\gdef\@title{}\let\thanks\relax} + +\def\@maketitle{\newpage + %\vbox to 0.5in{ + \vbox to 1.5in{ + %\vspace*{\fill} + %\vskip 2em + \begin{center}% + {\Large\bf \@title \par}% + \vskip 0.250in minus 0.250in + {\large\it + \lineskip .5em + \begin{tabular}[t]{c}\@author + \end{tabular}\par}% + \end{center}% + \par + \vspace*{\fill} +% \vskip 1.5em + } +} + +% +% The abstract is preceded by a 12-pt bold centered heading +\def\abstract{\begin{center}% +{\large\bf \abstractname\vspace{-.5em}\vspace{\z@}}% +\end{center}} +\def\endabstract{} + +% +% Main section titles are 12-pt bold. Others can be same or smaller. +% +\def\section{\@startsection {section}{1}{\z(a)}{-3.5ex plus-1ex minus + -.2ex}{2.3ex plus.2ex}{\reset@font\large\bf}}

1 0

[tor/master] Merge remote-tracking branch 'origin/maint-0.2.2'
by nickm＠torproject.org 25 Apr '11

25 Apr '11

commit 5230cc4fe7f80396304681ce2e9a1d0421920c40 Merge: fdbdaf8 f3b58df Author: Nick Mathewson <nickm(a)torproject.org> Date: Mon Apr 25 19:04:13 2011 -0400 Merge remote-tracking branch 'origin/maint-0.2.2' changes/bug2971 | 6 ++++++ src/or/config.c | 4 +++- 2 files changed, 9 insertions(+), 1 deletions(-)

1 0