tor-project July 2017

tor-project@lists.torproject.org

42 participants
42 discussions

Help brainstorm Tor myths
by Roger Dingledine 07 Jul '17

07 Jul '17

As part of my upcoming Defcon talk on onion services: https://www.defcon.org/html/defcon-25/dc-25-speakers.html#Dingledine I'm thinking of including a section on Tor mythbusting. That is, there are all sorts of Tor misunderstandings and misconceptions floating around, and it seems smart to try to get them organized into one place as a start to resolving them. (Later steps for resolving them should include better and more consistent communication, and actually changing things so Tor is safer/stronger/better. One step at a time.) Below is an initial list to get us started, along with overly brief summaries of the reality underlying the myth. Please contribute more entries! To contribute best, please frame your entry from the perspective of a helpful and concerned Tor user or advocate, rather than as a crackpot conspiracy theorist. (Fun as it might be, I have little interest in socket-puppet trolling myself on stage, so phrasing myths in a constructive manner is the best way to move forward.) And also, don't get too hung up on the quick rebuttal text I've written: the goal here is to brainstorm the myths, not to write the perfect answer to each of them. That can come later. - "I heard the Navy wrote Tor originally (so how can we trust it)." (They didn't. I wrote it.) - "I heard the NSA runs half the exit relays." (Hard to disprove, but it doesn't make any sense for them to run exits. But that shouldn't make you relax, since they already surveil a lot of the internet, including some of the existing exit relays, so they don't *need* to run their own. Also, the Snowden documents give us some good hints that say no. Btw, use SSL.) - "I heard Tor is slow." (You're right, it's not blazing fast. But it's a lot faster than it was in earlier years. Tor's speed has most to do with how much load there is on the network, not on latency between the relays as many people believe. We need more relays.) - "I heard Tor gets most of its money from the US government." (Alas, this one is true. We have three categories of funding: basic research like from NSF, R&D like from the Open Technology Fund, and deployment and training like from the State Dept. See the financial documents that we publish for details. Alternatives would sure be swell.) - "I heard 80% of Tor is bad people." (There have been a bunch of confusing studies about Tor users and usage, and the numbers vary wildly based on what you're measuring and how you classify bad. But for the above stat, you probably heard it from a US DoJ attorney who misunderstood a journalist's article about one of these studies. Or who knows, maybe she maliciously twisted the results. See also the ongoing research work on measuring the "dark web".) - "I heard Tor is broken." (Man, this phrase represents a fundamental misunderstanding of computer security. All the academics go after Tor -- and it's great that they do -- because we're the best thing out there, plus we provide good documentation and help them in analyzing the attacks. You don't hear about breaks in centralized proxy companies because there's nothing interesting about showing flaws in them. Also, security designs adapt and improve, and that's how the field works. I'll try to keep my rant on this one short so it doesn't take over.) Thanks! --Roger

8 8

June 2017 Report for the Tor Browser Team
by Georg Koppen 07 Jul '17

07 Jul '17

Hi all! In June the Tor Browser team made 3 releases, Tor Browser 7.0[1], Tor Browser 7.0.1[2], and Tor Browser 7.5a1[3], switching Tor Browser users to an up-to-date Firefox 52 ESR version. Major new features coming with the switch to Firefox 52 ESR are Firefox's multiprocess mode and in-browser sandboxing. Unfortunately, the long awaited content sandboxing did not make it into the ESR 52 series due to stability issues but we are trying to backport the necessary patches for Tor Browser 7. We'll start with Tor Browser for Linux[4] but hope to do the same for macOS as well if there are different patches needed. For Windows users work on basic sandboxing support was and is ongoing, too.[5] The alpha release is almost identical to Tor Browser 7.0.1 with the notable exception of testing a fix for a vulnerability found in Firefox on Windows systems.[6] It got already upstreamed and all Tor Browser users on Windows will get it with the next Firefox update.[7] Non-release related work involved fixing our test suite for the ESR 52 transition[8] and preparing the launch of our own FP Central instance + using its results for our Q&A.[9] The full list of tickets closed by the Tor Browser team in June is accessible using the `TorBrowserTeam201706` keyword in our bug tracker.[10] In June we already started with addressing regressions coming with our switch to Firefox ESR 52 and plan to continue with that work in July. Interested parties can track the progress in our bug tracker following tickets with the `tbb-7.0-issues, tbb-regression` keywords.[11] Furthermore, we hope to work on some of the remaining `tbb-7.0-must` issues.[12] Finally, rbm nightly builds and making use of our own Panopticlick (a.k.a FP Central) instance is on our agenda for July as well. All tickets on our radar for this month can be seen with the `TorBrowserTeam201707` keyword in our bug tracker.[13] Georg [1] https://blog.torproject.org/blog/tor-browser-70-released [2] https://blog.torproject.org/blog/tor-browser-701-released [3] https://blog.torproject.org/blog/tor-browser-75a1-released [4] https://trac.torproject.org/projects/tor/ticket/22692 [5] https://trac.torproject.org/projects/tor/ticket/16010 [6] https://trac.torproject.org/projects/tor/ticket/21617 [7] https://hg.mozilla.org/releases/mozilla-esr52/rev/012e4429ccd9 [8] https://trac.torproject.org/projects/tor/ticket/21982 [9] https://trac.torproject.org/projects/tor/ticket/22587 [10] https://trac.torproject.org/projects/tor/query?status=closed&keywords=~TorB… [11] https://trac.torproject.org/projects/tor/query?status=accepted&status=assig… [12] https://trac.torproject.org/projects/tor/query?status=accepted&status=assig… [13] https://trac.torproject.org/projects/tor/query?keywords=~TorBrowserTeam2017…

1 1

GSoC 2017 Ahmia status update #3
by Pushkar Pathak 07 Jul '17

07 Jul '17

Hi everyone, This is the bi-weekly status report for Ahmia - Hidden Service Search ## Upgrade Elastic 2.4 to 5.4 Elastic support is upgraded from version 2.4 to 5.4. [1] ## Data Visualization and statistics page I am working on visualization of statistics. Some examples include linking structures between sites and popularity graph of domains. [2] I will fix the broken stats page once I am done with the graphs. Thanks, Pushkar Pathak [1] : https://github.com/ahmia/ahmia-site/pull/9 [2] : https://github.com/mdhash/ahmia-site/commit/36fdfd0da528b673b347232c26edb19…

1 0

Notes from July 6 2017 Vegas team meeting
by Karsten Loesing 07 Jul '17

07 Jul '17

Notes for July 6 2017 meeting: Nick: 1) From last week: Should I approve timesheets? How? Roger: 1) Who do I tell about operations task ideas, like "we should make a standardized slide template based on the style guide stuff from Elio" [Steph: I'm working on templates] 2) In talking with Alison last week I proposed that the community team re-focus on: "Helping the rest of the world help Tor". So helping relay operators is in, and helping activists and advocates is in, and helping volunteers get oriented is in. But support should shift to whichever team makes the thing being supported, and in general we should be watchful for the community team accumulating "all the stuff that involves interacting with users", because that's a poor way to draw the line. We're still early in the refocusing plan, but you heard it here first. 3) Membership policy is slowly proceeding (and I think that's ok). 4) Isa and I worked out new time allocation recommendations for the network team 5) geko: did you know about https://launchpad.net/~webupd8team/+archive/ubuntu/tor-browser -- that some random person is packaging tor browser for ubuntu, and not keeping up? Which team should be interacting with these people so they either do it right or stop? [GeKo: No, I did not; regarding the team question: it seems to me it could be a good start if someone from the community team would reach out to those people. Depending on how that goes it seems to be fine to involve folks from the Tor Browser team] 6) Alison and I picked up the "speakers bureau" idea again. Her next step is to get the notes from when we talked to Biella. 7) Privacy sensitivity training as an onboarding topic. We should make sure all our new people understand about Facebook "like" tracking, about web cookies in our html mass mails, and in general about the expectations from our community. 8) Status of the comms support person funding proposal? Alison: 1) More on Roger's point 2: I am going to organize a meeting with all of the people who currently work on support so that we can better coordinate channels, documentation, feedback to devs, and the like. 2) Tor Meeting: I sent the most recent invite list to vegas-leads. Are these ready to go out now? Can we move on to creating the meeting schedule? 3) Today I'm doing a webinar about Tor for Drexel University's Libraries and Archives Student Association 4) Finishing up a short grant to support graphic design work and printing costs for some posters and handouts for LFP. 5) Follow up on Roger's point 6: I am waiting for Biella to get back from vacation to give me those notes. 6) Need to connect with Steph and Tommy about publicizing the support wiki. 7) Are we still interested in having an unconscious bias training? Those trainers got back in touch with me. 8) Working on onboarding docs for "FOSS/Tor culture" which will complement what Isa is doing with privacy onboarding (see Roger's point 7). Arturo: 1) Ran out of disk space on one of our pipeline related machines, but appear to not have lost any data during that date contrary to previous belief. See: https://github.com/TheTorProject/ooni-sysadmin/issues/116 2) Following Leonids lead we have started documenting various sys-admin related incidents to learn from them and mitigate them in the future: https://github.com/TheTorProject/ooni-sysadmin/issues?q=is%3Aopen+is%3Aissu… 3) ooni-probe mobile app with notification support is coming together nicely. We are testing an alpha build for iOS and working on getting an alpha build for Android. 4) Next generation ooni-pipeline is moving forward. We are optimistically aiming to have an MVP deployment (with the new measurements interface running) deployed by CLSI: https://github.com/TheTorProject/ooni-pipeline/pull/62#issuecomment-3126377…. If you are a user (or would like to be a user) of ooni-measurements API you should check out: https://github.com/TheTorProject/ooni-measurements/blob/8a3bc04779514170168…. Georg: 1) We got out (or are about to get out) new Tor Browser releases picking up new tor versions; I am happy how this worked out while I was away from the keyboard 2) We tried to move the browser developer job application process forward; hopefully concrete next steps will happen next week 3) Can we move forward with the bug bounty program? I owe the hackerone folks an email outlining our plan [GeKo: the plan is to get back to HackerOne coordinating the public launch] Steph: 1) I'm creating brand aligned templates for documents and presentations, will eventually make their way to media.torproject.org 2) Working on first newsletter template, message about delivery change, content. Giant Rabbit still working on creating unsubscribe capability 5) Upcoming campaigns: sha2017, bug bounty, support wiki. 6) Will participate in net neutrality day of action next week https://www.battleforthenet.com/july12/ 7) Have been working back through press inquiries, responding to all new requests with feedback from Shari 8) Worked with asn to polish wilmington blog post, published and share Shari: 1) working on final report on donation database grant and edits for other proposals 2) had initial talk with Giant Rabbit folks about this year's crowdfunding campaign Karsten: 1) Cleaned up a little after the end-of-month sprint by updating to new metrics-lib, updating Metrics website, updating to new Debian stretch libraries. 2) Started making plans for current month; current plan is to focus on CollecTor development this month and do some maintenance tasks that piled up over the last six months. Mike: 1) Can we get an official TBB build machine? ( https://trac.torproject.org/projects/tor/ticket/22764#ticket, elsewhere) [GeKo: Yes, please] 2) Talking with researchers, getting padding code ready for PETS meeting. Brad: 1) Working on the year-end close process and preparation of financial reports 2) Sue and I both have a long backlog at the moment, so apologies for any delays in responding to questions sent to the accounting@ alias 3) Please approve time/expenses in Harvest for assigned employees no later than Tues July 11 4) It's important that we get all expense reports covering JAN-JUN by the end of this month

1 0

Tails report for June, 2017
by intrigeri 07 Jul '17

07 Jul '17

Hi, we've just published the Tails report for June, 2017: https://tails.boum.org/news/report_2017_06/ I'm attaching a simplified HTML version for your offline reading pleasure :) Cheers, -- intrigeri

1 0

Sukhbir's June 2017
by Sukhbir Singh 06 Jul '17

06 Jul '17

Hi, In June, I worked on the following: * Tor Messenger - Released Tor Messenger 0.4.0b3: https://blog.torproject.org/blog/tor-messenger-040b3-released - Started working on the transition to ESR52. We are trying to reuse the components from Tor Browser itself by using rbm (which is what we have been using for the Tor Messenger builds.) This is going to form the major part of the work this month. * TorBirdy Worked on the following tickets: #20978 #21880 #22318 #22566 #22567 #22568 #22569 * Community - Continued working on planning Tor outreach in India with an NGO; more details later once it is finalized. - Giving two Tor talks in Toronto in August: https://lists.torproject.org/pipermail/tor-community-team/2017-June/000048.… -- Sukhbir

1 0

June 2017 grants report
by Tommy Collison 05 Jul '17

05 Jul '17

Hello, Tor! For those of you who don't know me, I'm the new grant writer -- I work closely with the communications and community teams. Here's what I got up to in my first full month on the job. ## June 2017 - Onboarded @ Tor, put a face and a name to folks I've been following/interacting with for years. - Met folks at the network team meeting in Wilmington [1]. Started thinking about how to make it easier & faster to onboard people into the Tor community. - Familiarized myself with Tor's current grants and sponsors. - Submitted a grant to improve & expand Tor Metrics. - Familiarized myself with Foundation Center, a resource for grant-writers to find funders in their fields [2]. - Started a bunch of grants due this month. TC -- [1] https://blog.torproject.org/blog/network-team-hackfest-wilmington-watch [2] http://foundationcenter.org

1 0

UX team summary for June 2017
by Linda Naeun Lee 05 Jul '17

05 Jul '17

Hi all: June felt like a productive month, mostly due to the organizational processes in place! This was the first month of weekly ticket triages *and* team meetings, which gave us a better sense of what is going on in the organization and how to prioritize our work. This month, we spent a majority of our efforts redesigning the new blog. We made design changes to update the look and feel of the website, as well as making some changes to make it easier to read blog posts and comments. The corresponding tickets are: https://trac.torproject.org/projects/tor/ticket/22510, https://trac.torproject.org/projects/tor/ticket/22392, https://trac.torproject.org/projects/tor/ticket/22395 We also iterated the first design of tor launcher according to Linda's previous research, and started to schedule content discussions for torproject.org. We were working on torproject.org stuff pretty centrally the last couple of months, but we're shifting to prioritize the tor launcher work since that has funding and a deadline while the torproject.org effort does not. Linda also attended Mozilla all-hands and talked with firefox about uplifting features, and had great discussions with Arthur, Nathan, and Amogh about what UX work to collaborate on! Exciting. Cheers, Linda N. Lee Current Key: https://pgp.mit.edu/pks/lookup?search=lindanaeunlee GPG Fingerprint: FA0A C9BE 2881 B347 9F4F C0D7 BE70 F826 5ED2 8FA2

1 0

SponsorR Status Report June 2017
by George Kadianakis 05 Jul '17

05 Jul '17

Hello, here is the June 2017 report for SponsorR: - We merged prop224 code that does additional validation of ed25519 pubkeys to defend against impersonation/fishing attacks: https://trac.torproject.org/projects/tor/ticket/22006 - Marked the first chunk of prop224 service-side code as ready for final review: https://trac.torproject.org/projects/tor/ticket/21979 - Published and reviewed more prop224 groundwork code: https://trac.torproject.org/projects/tor/ticket/22727 https://trac.torproject.org/projects/tor/ticket/22726 - Discussed some design issues with the directory system of prop224. Some work is required here to verify that the new behavior is good and specify it in the spec: https://lists.torproject.org/pipermail/tor-dev/2017-June/012336.html https://trac.torproject.org/projects/tor/ticket/22735 https://trac.torproject.org/projects/tor/ticket/22736 - Fixed an annoying hidden service crash bug: https://blog.torproject.org/blog/tor-0308-released-fix-hidden-services-also… - Started reviewing and testing of the client-side descriptor-fetching code for prop224: https://trac.torproject.org/projects/tor/ticket/21403 We are now working on the client-side introduction part of prop224.

1 0

June 2017 report for the metrics team
by Karsten Loesing 04 Jul '17

04 Jul '17

Hello Tor, hello world! Below you'll find the highlights of Tor metrics team work done in June 2017. On behalf of the Tor metrics team, Karsten Published a blog post to announce the release of Tor Metrics Library 2 [1]. [1] https://blog.torproject.org/blog/tor-descriptors-la-carte-tor-metrics-libra… Released Tor Metrics Library versions 1.8.0 [2], 1.8.1 [3], 1.8.2 [4], 1.9.0 [5], and finally 2.0.0 [6] with numerous changes as described in the change log [7]. [2] https://lists.torproject.org/pipermail/tor-dev/2017-June/012299.html [3] https://lists.torproject.org/pipermail/tor-dev/2017-June/012305.html [4] https://lists.torproject.org/pipermail/tor-dev/2017-June/012322.html [5] https://lists.torproject.org/pipermail/tor-dev/2017-June/012342.html [6] https://lists.torproject.org/pipermail/tor-dev/2017-June/012362.html [7] https://gitweb.torproject.org/metrics-lib.git/plain/CHANGELOG.md Completed all remaining Sponsor X deliverables running from July 2016 to June 2017 [8]. [8] https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorX

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

tor-project July 2017