April 2018 - tor-project - lists.torproject.org

Are there countries where using Tor is illegal?
by Cristian Consonni 11 May '25

11 May '25

Hi, (Sorry if this question has already been asked in the past, feel free to point me to the relevant resources.) I know that the legal FAQs by the EFF state that: «we believe that running a Tor relay — including an exit relay that allows people to anonymously send and receive traffic — is legal under U.S. law.»[1] I also know there is a list of countries for which there is legislation that exclude communication service providers from liability. They are indicated in the Legal of the Tor Exit Guidelines page[2], they are USA, Germany, Netherlands, Austria, France, and Sweden. >From some articles in the press[3a][3b] it may be illegal - depending on how you interpret the wording[*] - to use Tor (and other technologies such as VPNs or proxies) in the UAE, with fines ranging in the millions of dirhams (hundreds of thousand of dollars). A couple of weeks ago it was discussed - on this list as well - that a law was introduced to the state parliament to ban Tor[4a][4b]. This follows a case of some months ago of a Russian Tor exit node operator being arrested for inciting mass riots and terrorism[4c][4d]. The idea of blocking VPNs or Tor seems to have already been considered in the past[4e]. This infographic about pluggable transports[5] suggests access to the Tor network is censored or limited in China, Uzbekistan, Iran, and Kazakhstan. Tor being censored orblocked may be different from it being illegal. What about other countries? Is there a place where I can find more about this topic? Cristian [1]: https://www.torproject.org/eff/tor-legal-faq.html.en [2]: https://trac.torproject.org/projects/tor/wiki/doc/TorExitGuidelines [3a]: http://www.emirates247.com/news/emirates/dh500-000-fine-if-you-use-fraud-ip… [3b]: http://news.softpedia.com/news/people-caught-using-vpns-tor-or-proxies-in-t… [*]: «Whoever uses a fraudulent computer network protocol address (IP address) by using a false address or a third-party address by any other means for the purpose of committing a crime or preventing its discovery» [4a]: https://lists.torproject.org/pipermail/tor-talk/2017-June/043293.html [4b]: https://trac.torproject.org/projects/tor/ticket/22055 [4c]: https://lists.torproject.org/pipermail/tor-talk/2017-April/043109.html [4d]: https://techcrunch.com/2017/04/24/dmitry-bogatov-tor-russia/ [4e]; https://torrentfreak.com/vpn-and-tor-ban-looming-on-the-horizon-for-russia-… [5]: https://www.torproject.org/images/PT/2016-07-how-to-use-PT.png

4 3

Tor Browser team meeting notes, 30 April 2018
by Georg Koppen 07 May '18

07 May '18

Hi all! Here are the notes from our weekly Tor Browser meeting which we had earlier today. The chat log can be found at http://meetbot.debian.net/tor-meeting/2018/tor-meeting.2018-04-30-18.00.log… and our pad items were: Monday April 30, 2018 Discussion question(s): -igt0 asks: I know we have talked about accessibility before, about mobile, how much we care right now? I am asking because of ticket #25902. Android accessibility services allow password managers to listen for user events. e.g. typing a password in a login form. -Upcoming releases -What is our way forward with our extensions for ESR60? [sysrqb and arthuredelstein will look next week into what is needed to get our extensions integrated into a working ESR60 build] mcs and brade: Last week: - Helped with triage of incoming tickets. - Continued rebasing Tor Browser updater patches for ESR60 (part of #25543). - Tested on macOS. - Participated in the UX/Tor Browser "sync" meeting. This week: - Finish rebasing Tor Browser updater patches for ESR 60. - Test on Linux. - Test on Windows. - Monitor #25807 (Can not request bridges from torproject.org (App Engine is broken for moat)). igt0: Last week: - #25810: Backported few fixes affecting Orfox to tor-browser-52.7.3esr-8.0-1. - #25974: Make sure Android Oreo(API level 26) autofill feature is disabled (looks like it doesn't work on FF, i am trying to make autofill to work on simulator to be 100% sure) This week: - Review and smoke test rebased Orfox patches branch. - Build and test on android the rebased tor browser patches for ESR60 to make sure we are not going to have problems in the alpha release. tjr - Found and bypassed a crash bug for MinGW. Looking at two, maybe three crashes currently. - 1) A crash in https://searchfox.org/mozilla-central/source/nsprpub/pr/src/threads/prtpd.c… that happens on TC - 2) This assert: https://searchfox.org/mozilla-central/source/layout/svg/nsSVGIntegrationUti… - Have been learning more about debugging symbol-less (in WinDBG). Feel pretty comfortable identifying where I am in assembly (assuming Debug asserts are present...) [GeKo: Do you feel you could write up what you learned and, say, add this to the Hacking doc we have? I guess this would help us a lot, too.] - Wrote it up at https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking/Debugg… GeKo Last Week: - wrote a patch for the rustc cross-compilation for Windows - fixed the rustc cross-compilation for macOS (still need to clean-up the patch for review) - helped with Sponsor4 reports (yes! those were still a thing!1!) - wrote/backported small patches for tor-launcher (getting Moat to work again) and for tor-browser (fixes an off-by-one error) - started to review the patch rebase for ESR 60 - gave the circuit display patch (#24309) another round of testing - patch reviews/merges (#25898, #25458, #25810, #25973) This week: - finish up the rustc compilation patch for macOS - rebase review - update macOS toolchain - plan to take days off (5/1 and 5/3+5/4) boklm: Last week: - patches for #25817 (add ansible roles for nightly builds) and #25318 (adding email notification for nightly builds) are now ready for review - installed some VMs for running the Tor Browser testsuite, and started working on some ansible roles for the setup - worked on a patch for #25876 (Source release tarballs for Tor Browser) to automate creation of source tarballs - worked on #25862 (Clean up wrapper script/CFLAGS and friends mix on Windows) which is now ready for review - investigated the reproducibility issue with #16472 (binutils update) - started reviewing #25894 (Get a rust cross-compiler for Windows) and #25832 (Enable pthread support for mingw-w64) This week: - help with building the new releases - continue investigating issue with binutils update (#16472) - continue work on testsuite VMs setup sysrqb: Last week: - Worked on TBA patch rebase (#25741) - Worked on updating Orfox's https-everywhere addon (#25603) This week: - Found -8.0-1 branch is busted when building Orfox, fixing now (#25980) - Merge #25603 after we fix bustage - Continue testing #25741, put in needs-review - Start working on another TBA ticket pospeselr: Last week: - Worked on #23247 (Communicating security expectations for .onion), most of the way there but need to plumb down some logic exposing mixed-mode info for .onion to work correctly This Week: - Finishing up #23247 - Entertaining Shane this afternoon - Flying to the east coast to visit family Friday afternoon arthuredelstein: Last week: - https://trac.torproject.org/25938 (backport 1334776) - Updated https://trac.torproject.org/25543 (Rebase Tor Browser patches for ESR60) - Revised patch for https://trac.torproject.org/24309 (Activity 4.1: Improve how circuits are displayed to the user) - Revised patch for https://trac.torproject.org/22343 (Save as... in the context menu results in using the catch-all circuit); will post after more testing - Did more cspace calculations for https://trac.torproject.org/25575 (Server space request for hosting Tor Browser downloads) updated by arthuredelstein This week: - Try to get a preliminary desktop build working for TBB/ESR60 - Continue revising https://trac.torproject.org/25543 branch - Permissions patch revision: https://bugzilla.mozilla.org/show_bug.cgi?id=1330467 Georg

1 1

Summary of meek's costs, March 2018
by Sina Rabbani 02 May '18

02 May '18

Dear Tor Project, Here's the summary of meek's CDN fees for March 2018. Inspired by David Fifield's summary emails :) I went back and updated the trac page with costs all the way back to April 2017, the time Team Cymru started to cover the fees. https://trac.torproject.org/projects/tor/wiki/doc/meek#Costs Google Amazon Azure total 2017 Jan — $1,550.19 $1,196.28 $2,746.47 2017 Feb — $1,454.68 $960.01 $2,414.69 2017 Mar — $2,298.75 $353.81 $2,652.56 2017 Apr — $584.73 $ 725.80 $1,310.53 2017 May — $2,150.47 $1,097.29 $3,247.76 2017 Jun — $2,677.31 $4,358.50 $7,035.81 2017 Jul — $2,873.28 $5,330.18 $8,203.46 2017 Aug — $646.28 $4,020.68 $4,666.96 2017 Sep — $1,914.41 $4,670.51 $6,584.92 2017 Oct — $2,962.71 $3,912.41 $6,875.12 2017 Nov — $4,674.80 $2,513.43 $7,188.23 2017 Dec — $6,358.11 $1,451.36 $7,809.47 2017 total — $30,145.72 $30,590.26 $60,735.98 Google Amazon Azure 2018 Jan — $8,429.07 $1,880.31 $10,309.38 2018 Feb — $8,522.01 $2,630.71 $11,152.72 2018 Mar — $10,863.95 ? $10,863.95 2018 total — $27,815.03 $4,511.02+ $32,326.05 grand total $13,138.96 $81,274.22 $43,754.18 $138,167.36 I'll do my best to keep the trac page updated. All the best, Sina -- Sina Rabbani | Systems Engineer | Team Cymru, Inc. srabbani(a)cymru.com | 0x53B422A8 | http://www.team-cymru.com/

7 7

Network team meeting notes, 30 April 2018
by Nick Mathewson 30 Apr '18

30 Apr '18

Hi, all! Logs from this week's meeting are available at http://meetbot.debian.net/tor-meeting/2018/tor-meeting.2018-04-30-16.59.html Below is a copy of our notes! = Network team meeting pad, 30 April 2018 = Welcome to our meeting! Mondays at 1700 UTC on #tor-meeting on OFTC. (This channel is logged while meetings are in progress.) Want to participate? Awesome! Here's what to do: 1. If you have updates, enter them below, under your name. 2. If you see anything you want to talk about in your updates, put them in *boldface*! 3. Show up to the IRC meeting and say hi! Note the meeting location: #tor-meeting on OFTC! (See https://lists.torproject.org/pipermail/tor-project/2017-September/001459.ht… for background.) == Previous notes == 5 March: https://lists.torproject.org/pipermail/tor-project/2018-March/001685.htmlyy 26 March: https://lists.torproject.org/pipermail/tor-project/2018-March/001695.html 3 April: https://lists.torproject.org/pipermail/tor-project/2018-April/001705.html 9 April: https://lists.torproject.org/pipermail/tor-project/2018-April/001723.html 16 April: https://lists.torproject.org/pipermail/tor-project/2018-April/001739.html 23 April: https://lists.torproject.org/pipermail/tor-project/2018-April/001747.html == Stuff to do every week = * Let's check and update the roadmap. What's done, and what's coming up? url to roadmap: https://docs.google.com/spreadsheets/d/1Ufrun1khEo5Cwd6OwngERn829wU3W3eskdr… * Check reviewer assignments at https://docs.google.com/spreadsheets/d/1Ufrun1khEo5Cwd6OwngERn829wU3W3eskdr… * Check rotations at https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/TeamRot… == Announcements == * Remember to "/me status: foo" at least once daily. * Remember that our current code reviews should be done by end-of-week. * Make sure you are in touch with everybody with whom you are doing 0.3.4.x work. * Important dates: * May 1, 2018 -- 0.2.5 is no longer supported: https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTor… * May 15, 2018 -- 0.3.4.x feature freeze! 3 WEEKS LEFT. - *OUR BIG PRIORITY **SHOULD BE **TO GET ALL FEATURES IN FOR 034 BEFORE ANYTHING ELSE.* - * Lets not wait for the review assignement sheet for any of those or roadmap items.* * Remember: don't spend more than a day working on anything that isn't on the 033 or 034 milestones. * juga is working on bandwidth measurement for Tor's Summer of Privacy. Congratulations! == Discussion == * Should 0.3.4 be a long-term support release? How do we pick our next LTS? -NM - Can we just tell Debian to use it as a LTS? What about other platforms? - teor * Are we ready to release 0.3.3? -NM - [dgoulet] We should get the TROVE finalized. Apart from that, I think it is. - [ahf] I still have #25245 open, I do have a patch to do some diagnostics, but it's very annoying to reproduce locally. It's marked priority = very high, but I don't know if we think it's a blocker? == Updates == asn: [Migh be off for May 1st excursion at the time of the meeting.] Last week: - Reviewed and helped with #25870. This is complex stuff! To better understand the ticket, I wrote some initial unittests for path selection for normal exit circuits and vanguards. They are still quite simple but they can be the basis of something good. - Pushed bugfixes and features to the vanguard simulator (#23978) based on Mike's testing. - Reviewed #23693. - Provided feedback to the 2-guard proposal thread. - Gave a bit of testing to haxxpop's v3 client auth branch. Seems to work! I also motivated some more people to try it out and find bugs. Next step is to find time for code review. We are hoping for 035 inclusion. - Discussed v3 intro auth with haxxpop. - Wrote patch for #25843 and got it merged. - Replied to "[tor-dev] onion v2 deprecation plan?" thread. - Suggested some tasks to our ahmia SoP student. This week: - Continue discussion on the 2-guard proposal thread. We are doing good progress. - Discuss with Mike what's needed next for the vanguard simulator. - Triage tickets out of 034 with my name that I don't have time for. Most of them were the result of 033 -> 034 triaging. - Hopefully find some time for #25552. Mike: - Reviewed #24734, wrote a couple fixups forit. - Worked on #25870 (vanguard path restrictions) with asn. - Proposal 291 mailinglist posts (enumerated 8 properties defenses have and developed one that got all of them) - Refined #25903 (CIRC_BW events that help check for dropped-cell side channels); updated vanguard repo to use them; tested them. - Reviewed #25843 (NumEntryGuards param). asn - are you sure that it is influencing our dirguards? it looks like no. catalyst: last week (2018-W17): - investigated some unexplained test coverage fluctuations revealed by coveralls.io - opened #25908 to stabilize test coverage. thanks nickm for doing some inital data gathering! - more call stack analysis for #25061 - deferred #25061 to 034 - reviewed #19429 (compatibility with openssl-1.1 no-deprecated) - patch for #25936 (display test-suite.log from the correct location when doing a distcheck build in travis) - worked on #25756 (relax timestamp tolerance for early consensus) this week (2018-W18): - finish #25756 - write some summary of investigations to date on #25061 - reviews - other 033, 034 bug fixes as needed teor: * Last week: * collecting privacy-preserving statistics is still time-consuming * Bandwidth file spec revisions, we should have tested it with tor first :-) * Continued to help with bandwidth measurement (sbws) * A few code and spec reviews * CC'd specific people about old trac milestones * This week: * Analyse the last collection results * Configure and schedule the next collection(s) * Start writing up & reviewing others' write-ups * Try to keep up with the bandwidth stuff dgoulet: Last week: * Fixed tickets (see Timeline). * Reviwed and worked on #25500 child tickets with nickm. * Finalized dirauth modularization with #25610, working with ahf on that. It is in needs_review and a biggy! * The annoying warning on 034 has been fixed! #25577 This week: * Continue on #25500 child tickets with nickm. * Prioritize #25610 if a review comes in. * Depending on the two things above goes, I can get on the roadmap item #25552 (HSDir rev counter issue) or the wide CREATE cell work (#24986). * Name of the game for me until the freeze in 15 days is to prioritize big patches and features for 034 on our roadmap. ahf: Last week: Sponsor 8: - Went over data submission for our Onion Service speed test and ensured everything was running OK. - Worked with David on going over the dir auth module code. - Submitted patch for #25953. Misc: - Reviewed: #25812 & #17949. - CI duty. This week: Sponsor 8: - Help out if there is some changes we need to do to the split dirauth patches - Move to look at the network idleness code if possible. Misc: - Coverity duty. - Talk with Mozilla about all hands logistics. nickm: Last week: * Wrote several patches to move things out of the second_elapsed_callback() and run_scheduled_events() functions, including #25931 (consdiffmgr_rescan), #25932 (various cleanup-and-close functions), #25949 (delayed signewnym), #25937 (dirvote actions), #25933 (attach pending). Also did #25927 in prep for reforming how we handle approx_time(). Tracking all of these at https://pad.riseup.net/p/tor-client-cpu and under #25375 * Merged a bunch of merge_ready items * Reviewed a bunch of quick and not-so-quick patches * PETS discussions * Coverity duty : nothing seems to have happened. This week: * Deprecate 0.2.5.x * Community advocate * More hacking on moving things out of second_elapsed_callback() and friends (#25375) * Review #25610 (modularizing dirvote code) * Review #25869 (bandwidth doc format spec) * Ask packagers about LTS preferences isis: last week: - finished setting up appveyor (per developer windows CI) for tor #25549 - debugged a few windows test failures #25942 #25943 #25944 - powershell is terrible - reviewed #24630 - did ticket triage several times - commented on some github.com/rust-lang tickets regarding bool FFI compatibility - made some progress on wide create cells #25647 #25650 25653 next week: - more wide create cell stuff - revising a couple tickets #24660 #25549

1 0

OONI Monthly Report: April 2018
by Maria Xynou 30 Apr '18

30 Apr '18

Hello Tor, The OONI team published a report on network disruptions in Sierra Leone and established a new partnership with a local human rights organization in South Sudan. We also updated more test lists based on research, and we continued to make progress on probe orchestration, the development of the Windows app, and on the revamping of our mobile apps. We experimented with creating and publishing our first short documentary, and we continued to collaborate with community members on tracking censorship events worldwide. # Established new partnership We are excited to have formally established a new partnership with South Sudan's The Advocates for Human Rights and Democracy (TAHURID). As part of our new partnership, we aim to collaborate on the study of internet censorship in South Sudan through the collection and analysis of OONI Probe network measurements. Social media announcement: https://twitter.com/OpenObservatory/status/988695263274586112 # Updated test lists We carried out research (https://ooni.torproject.org/get-involved/contribute-test-lists/#test-list-r…) <https://ooni.torproject.org/get-involved/contribute-test-lists/#test-list-r…> to identify more URLs to test for censorship in Zimbabwe and Venezuela. Based on this research, we updated the following test lists: * Zimbabwe: https://github.com/citizenlab/test-lists/pull/327 * Venezuela: https://github.com/citizenlab/test-lists/pull/329 Overall, based on research, we have updated the following 5 test lists over the last months: * Zimbabwe: https://github.com/citizenlab/test-lists/pull/327 * Venezuela: https://github.com/citizenlab/test-lists/pull/329 * Sierra Leone: https://github.com/citizenlab/test-lists/pull/320 * Egypt: https://github.com/citizenlab/test-lists/pull/336 * Mali: https://github.com/citizenlab/test-lists/pull/304 During April 2018, we also updated the following test lists based on URLs provided by community members: * Kazakhstan: https://github.com/citizenlab/test-lists/pull/330 * Ethiopia: https://github.com/citizenlab/test-lists/pull/326 * Venezuela: https://github.com/citizenlab/test-lists/pull/333 * Uganda: https://github.com/citizenlab/test-lists/pull/334 # Report on network disruptions in Sierra Leone We collaborated with Sierra Leone's Campaign for Human Rights and Development International (CHRDI) to monitor censorship events during the country's election period. OONI data collected and analyzed from Sierra Leone did not show any significant signs of internet censorship. Even though WhatsApp and Facebook Messenger were accessible, their testing presented high execution time, indicating some form of performance degradation on the network. Amid Sierra Leone's runoff elections, two network disruptions occurred. We examined these disruptions via Google traffic and BGP data, and published a report: https://ooni.torproject.org/post/sierra-leone-network-disruptions-2018-elec… # Progress on Probe Orchestration We made a lot of progress on implementing probe orchestration for automatically running network measurements on mobile OONI Probe. See: https://github.com/ooni/orchestra Some highlights include: * Integrating the experiment signing with the Yubikey 4 hardware security module * Significant refactoring of the codebase to make it easier to separate the alert push notification logic from that of experiment notification * Renaming of Proteus to OONI Orchestra * Upgrading the web frontend to the latest dependency versions The unmerged branch containing the above changes is the following: https://github.com/ooni/orchestra/pull/44 # Progress on the Windows app development In collaboration with Simone Basso, we iterated on integrating Measurement Kit into the Windows OONI Probe desktop app (https://github.com/measurement-kit/go-measurement-kit/tree/feature/windows+… <https://github.com/measurement-kit/go-measurement-kit/tree/feature/windows+…>) <https://github.com/measurement-kit/go-measurement-kit/tree/feature/windows+…>. # Revamping the OONI Probe mobile apps As part of our work on revmaping the OONI Probe mobile apps, we continued to make progress on the design and UI, and we released a new testflight for iOS which includes new copy and all of the strings. We also created a design brief for new illustrations to be included in the revamped mobile apps, and we started working with illustrators. # Short documentary on internet censorship in Cuba We published a short documentary that we created during our trip to Cuba last year, titled: "ParkNet: Exploring Internet Censorship in Cuba". This 5-minute film features some of our key findings on our study of internet censorship in Cuba and is available here: https://ooni.torproject.org/post/parknet-short-documentary-cuba/ More in-depth findings are available via our research report (https://ooni.torproject.org/post/cuba-internet-censorship-2017/) <https://ooni.torproject.org/post/cuba-internet-censorship-2017/%29>. This short documentary is our first experiment in presenting censorship findings with video. We have set up an OONI YouTube channel where we plan to publish more videos in the next months: https://www.youtube.com/channel/UCQhDgj9wBf4_w5bWFvLlq-w # Community use of OONI data ## Blocking of IM apps in Chad OONI data was referenced in Internet Sans Frontieres' press statement regarding the blocking of WhatsApp, Facebook Messenger, Viber and BCC in Chad: https://internetwithoutborders.org/chad-is-blocking-social-media-and-messag… ## Blocking of news outlet in Venezuela OONI data confirmed the blocking of news outlet El Pitazo in Venezuela. We provided an analysis and interpretation of measurements that supported IPYS Venezuela's report on the blocking: https://ipysvenezuela.org/alerta/dos-medidas-de-censura-han-afectado-a-el-p… ## Citizen Lab Netsweeper report OONI data was used to identify blocked websites and middleboxes in the Citizen Lab's research report, "Planet Netsweeper": https://citizenlab.ca/2018/04/planet-netsweeper/ # Community activities ## OONI presentation at the International Journalism Festival (IJF) On 13th April 2018, OONI was presented at the International Journalism Festival (IJF) in Italy on a panel that discussed the many faces of censorship. More information about this panel is available here: https://www.journalismfestival.com/programme/2018/states-companies-algorith… The OONI presentation can be viewed here: https://www.youtube.com/watch?v=PTecjRM8tAs&feature=youtu.be&t=11m56s ## Blog post on recent participation at conferences We published a blog post on our recent participation at conferences in Africa, India, and Europe. Our blog post is available here: https://ooni.torproject.org/post/ooni-in-africa-india-europe-conferences/ ## Community meeting We hosted our monthly community meeting on 24th April 2018. As part of the meeting, we discussed the following: 1. Recap of what OONI has been up to over the last month 2. Outreach: How to communicate OONI Probe more effectively and engage wider audiences 3. Community engagement challenges: Monitoring censorship events in Chad and elsewhere in Africa # Userbase In April 2018, OONI Probe was run 265,001 times from 4,911 different vantage points in 210 countries around the world. This information can also be found through our stats here: https://api.ooni.io/stats ~ The OONI team. -- Maria Xynou Research and Partnerships Coordinator Open Observatory of Network Interference (OONI) https://ooni.torproject.org/ PGP Key Fingerprint: 2DC8 AFB6 CA11 B552 1081 FBDE 2131 B3BE 70CA 417E

1 0

Notes from April 26 2018 Vegas team meeting
by Karsten Loesing 27 Apr '18

27 Apr '18

Notes for April 26 2018 meeting: Arturo: 1) We established a partnership with The Advocates for Human Rights and Democracy (TAHURID) in South Sudan: https://twitter.com/OpenObservatory/status/988695263274586112 2) We published a short documentary on internet censorship in Cuba: https://ooni.torproject.org/post/parknet-short-documentary-cuba/ 3) We hosted the OONI April Community Meeting: http://meetbot.debian.net/ooni/2018/ooni.2018-04-24-13.59.html 4) Progress on OONI Orchestra development isabela: 1) done with sponsor4 final reports - sent to Sue to create our final invoice 2) working on sponsor8 Q1 report (due may day) 3) afk tomorrow (friday 27 for doc) and off on may day 4) Community Liaison candidates interview 5) preparing for cryptorave talk (and 2 other activities we are doing there) 6) working on .onion otf proposal due may first 7) sent network speed tests for the week 8) met with brave about their feature that makes it possible for an user to open a private tab and have a connection to tor on that tab 9) dealt w/ noise from ED announcement :D Shari: 1) talked to lots of folks about ED transition 2) did four interviews for new Community Liaison position. 3) reviewing onion services grant proposal for OTF 4) started to work on job description for fundraising director but got distracted; I'm determined to finish it by next week! 5) crafted emails for Sue to send asking for reimbursement for Rome meeting 6) finally made travel arrangements for a couple of trips in May and June (RightsCon, NYC, and quick trip to SF for EFF board meeting) 7) still haven't done expense reports for last two trips. :( Gonna try to get those done by next week, too. 8) meeting planning stuff; we're close to deciding on a hotel Alison: 1) did interviews for the community liaison position 2) Library Freedom Institute curriculum and other planning -- we start in a little more than one month! If anyone is interested in reviewing my curriculum I'd love to share it with you 3) Mexico City invite list update 4) organizing the Mexico City meeting timeline 5) working on community portal slides with great feedback from Tor people 6) still no word from HOPE, but I think other people have heard from them? Steph: 1) newsletter out today 2) published ED news, sent to press 3) answering front desk / press 4) published a post on new interns Tommy and Colin put together 5) Def Con: anyone interested to present? deadline may 1. talk about mitigating the ddos? if not, I think we will just have a booth/table in the privacy village to talk to folks, answer questions, get donations for swag. Roger and I will be there. Anyone else? 6) trademark issue Mike: 1) Conversation with brave Georg: 1) helped with Sponsor4 reporting, it seems we have survived that sponsor as well, yay! 2) participated in conversation with Brave folks Karsten: 1) Made some good progress on Sponsor 13 deliverables. Nick: 1) Racing to 0.3.4-freeze on may 15. 2) 0.3.3 is in RC. Make sure we know about must-fix bugs.

1 0

Network team meeting notes, 23 April 2018
by Nick Mathewson 24 Apr '18

24 Apr '18

Hello! Our weekly meeting logs are here: http://meetbot.debian.net/tor-meeting/2018/tor-meeting.2018-04-23-16.58.html Below are our notes from the meeting. = Network team meeting pad, 23 April 2018 = Welcome to our meeting! Mondays at 1700 UTC on #tor-meeting on OFTC. (This channel is logged while meetings are in progress.) Want to participate? Awesome! Here's what to do: 1. If you have updates, enter them below, under your name. 2. If you see anything you want to talk about in your updates, put them in *boldface*! 3. Show up to the IRC meeting and say hi! Note the meeting location: #tor-meeting on OFTC! (See https://lists.torproject.org/pipermail/tor-project/2017-September/001459.ht… for background.) == Previous notes == 5 March: https://lists.torproject.org/pipermail/tor-project/2018-March/001685.htmlyy 26 March: https://lists.torproject.org/pipermail/tor-project/2018-March/001695.html 3 April: https://lists.torproject.org/pipermail/tor-project/2018-April/001705.html 9 April: https://lists.torproject.org/pipermail/tor-project/2018-April/001723.html 16 April: https://lists.torproject.org/pipermail/tor-project/2018-April/001739.html == Stuff to do every week = * Let's check and update the roadmap. What's done, and what's coming up? url to roadmap: https://docs.google.com/spreadsheets/d/1Ufrun1khEo5Cwd6OwngERn829wU3W3eskdr… * Check reviewer assignments at https://docs.google.com/spreadsheets/d/1Ufrun1khEo5Cwd6OwngERn829wU3W3eskdr… * Check rotations at https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/TeamRot… == Announcements == * Remember to "/me status: foo" at least once daily. * Remember that our current code reviews should be done by end-of-week. * Make sure you are in touch with everybody with whom you are doing 0.3.4.x work. * Important dates: * May 15, 2018 -- 0.3.4.x feature freeze! 3 WEEKS LEFT. * Remember: don't spend more than a day working on anything that isn't on the 033 or 034 milestones. == Discussion == * How much should we do with travis and how much do we leave to jenkins? (See #25814) * What is blocking 0.3.3-stable? * Should we consider any 034-proposed items? Here's a useful query that finds 0.3.4 tickets that are recently modified, and don't have code: https://trac.torproject.org/projects/tor/query?status=accepted&status=assig… - Mike wants #25883 (some control port events) - gk wants #25895 (rust cross-compiling for Windows) These ones seem ok: - dgoulet added #19665 (client port counts) as an essential part of periodic events (Sponsor 8) - nickm added #25828 as a bugfix found in #25373 token buckets (Sponsor 8) == Updates == Nick: * Last week: * CI rotation: - added coveralls support to travis (25818) - fixed numerous 32-bit issues found by jenkins - fixed a couple of windows issues found by jenkins - fixed a distcheck issue found by jenkins - wrote a patch to have travis handle distcheck - addressed failing rust builds on jenkins (25813) * Wrote tricky patch to replace token-bucket refill events (every 100ms) with as-needed refills. 25373 * Wrote patch to fix nonfatal assertion failures in 033 (25691/25692) * Reviewed pending patches (25762, 24660, 24659) * Attended prop291 meeting (two-guard discussion). * Fixed clang scan-build issues * Wrote fixes for various small tickets on 034 milestone. * This week: * Work with dgoulet to make second_elapsed_callback less overengineered * Review, merge, revise. * More small 034 tickets, time permitting * Coverity rotation Mike: * Last week: * Wrote a patch for #25733 * Cleaned up #25400 * Looked into jenkins a bit to try to help figure out how to email build-breakers automatically (#25819) * Ran prop 291 meeting + notes + tickets + mailinglist posts * Ran vanguard simulator a bunch; found some bugs; wrote some patches. * Wrote patch for #25870 (fix vanguard restrictions -- I think this is our best bet for restrictions in 0.3.3/0.3.4) * Implemented a ton of vanguard script pieces (bandwidth checks, relay use frequency checks) * Stumbled on #25883 (no control port stream events for onion services on service side). * This week: * Really want to fix #25883 for 0.3.4. May need some help/tips. * Get vanguards repo closer to release quality teor: * Last week: * Wow, collecting privacy-preserving statistics is time-consuming * Bandwidth file spec review (we are down to formatting and nitpicks now) * Continued to help with bandwidth measurement (sbws) * Added new authorities to the testnet * Tor SoP reviews * Security patch discussion * Code reviews on nonfatal asserts (25691/25692), consensus method pruning (24378, prop#290) * Closed some really old trac milestones, sent an email to tor-dev about the rest * This week: * Analyse the last collection results * Configure and schedule the next collection * Start writing up & reviewing dgoulet: * Last week: - Ticket work (See timeline). - #25226 got merged so #25824 followed. - Worked on #25762 and worked with nickm on some other roadmap items about reducing client CPU usage. - I did a full days of work on Torsocks. I'm waiting on feedback on one ticket before releasing. I will probably just release if I don't hear back this week from the author of the patch. - Some work happened in the bad-relays world as well. * This week: - I'll try to finalize with nickm some roadmap items we've been working together (#25500 master ticket). - Short list of bugs for 034: #25761, #25577 - If possible, continue modularization work with #25610 - No rotation role for me this week. catalyst: * last week (2018-W16): - reviewed updates to #25511 (getinfo current-time/*) - control-spec.txt changes to support #25511 (getinfo current-time/*) - also some spec spelling fixes (#25871) caught during review - reviewed #25727 (bool in rust ffi) [*isis, were you able to poke rust people about stuff?*] - did some thinking about #25756 (loosening "consensus from the future" tolerance) with input from nickm - sponsor8 reporting stuff - expense accounting stuff * this week (2018-W15): - code review - continue working on #25061 (spurious connection warnings logged by relay) - look more at #25756 - other 033 or 034 work as needed ahf: Last week: Sponsor 8: - Moved our test s8 onion to a new host. Did some minor tweaks to our site. - Looked at Isa's S8 reporting. - Cross compiled Tor/Orbot for Android-ARM64. Now running Orbot locally with that for test (#25496). Misc: - Progress on #25245: easy to trigger if you inject a lot of traffic to an exit in a Chutney network, but difficult to trigger otherwise. Worked on making it easier to debug. - Go over the interview content with the version2 journalist about Tor. - Participated in a radio show with a host I know from BornHack about Tor. - Think(hopefully?) managed to solve logistics around being able to go to Mozilla All Hands after Seattle. Now waiting for OK from Mozilla. - Reviewed #25140 This week: Sponsor 8: - 0.3.4 work: either network idleness controller interface or conditionally compiled modules. - Talk with Hans about what we need to do to get #25496 (0.3.4 ARM64 work) into an Orbot release. Misc: - Land patches for #25245 (0.3.3). - CI duty. Question: our Jenkins have looked very sad, should I prioritize some time on this during the week? asn: Last week: - Participated in meeting on 2-guards (prop#291). - After the meeting, I submitted a patch for #25843 as was arranged and started testing the 2-guard proposal. I also posted a pseudo-proposal on a possible future for path restrictions in: https://lists.torproject.org/pipermail/tor-dev/2018-April/013085.html - Worked on improving the vanguard simulator, fixing bugs found by mike, and implementing more features (#23978). - Reviewed #24688 and #23693. - Started a thread on replay protection and ed25519 malleability as part of #25552. Ian suggested some possible avenues which I think are worth following. Isis also suggested some alternative avenues based on xeddsa and vxeddsa. I plan to read more into these generalized DSA protocols this week and decide if we can fit them for 034, they seem quite interesting. Perhaps a plausible approach would be to do Ian's simple approach for now, and switch to vxeddsa in the future. Not sure. I plan to read more about this this week, I find it very interesting. - Will be secondary mentor for the ahmia project in SoP this year. This week: - Continue work on 2-guard proposal and vanguards. - Read more about vxeddsa for #25552. - Test haxxpop's hsv3 client auth - Suggest some tasks for the Ahmia SoP student. - More reviews. haxxpop: last week: - Finish the client auth in the v3 onion service (excluding the intro auth) and it's ready for testing now! ( https://github.com/torproject/tor/pull/36 ) You can test it by adding `HiddenServiceAuthorizeClient basic <client_name>` on the service torrc and `HidServAuth <onion address> <base64-encoded x25519 private key>` on the client torrc You can get the private key from `client_authorized_privkeys/<client_name>.privkey` on the service file directory *Could anyone test it soon and, if possible, add it to the next release?* [asn: Yes I will definitely test and start the review procedure! Did you also do intro auth or just desc auth?] [haxxpop: just desc auth, because I still don't know which file to put clients' ed25519 public keys] [asn: ok we can figure this out. i guess you'd like us to give it initial review/testing before doing intro auth, right? makes sense.] [haxxpop: yes. In fact, I think desc auth and intro auth are independent features. We can launch the desc auth without intro auth, if we want. ] - next week: - - Probably take a break ;) pastly: last week: - started testnet authority and convinced people to trust it - feed sbws testnet results to the authority - changed sbws v3bw file units from bytes to KB so they'd be comparable to torflow - faq additions, glossary - sbws scanner (client) performs periodic reachability tests for sbws servers - sought input from dirauths about running sbws servers vs changing sbws to use http servers - signed up to mentor juga for bw scanning work - publish sbws docs at http://d7pxflytfsmz6uh3x7i2jxzzwea6nbpmtsz5tmfkcin5edapaig5vpyd.onion/ this week: - (today, definitely) *make sbws open source** [asn: boom!!!]* - see https://github.com/pastly/simple-bw-scanner - publish sbws docs at readthedocs - unit tests - probably change from requiring sbws servers to using http(s) isis: last week: - reviewed a patch to do `make distcheck` on travis #25814 - reviewed a patch to use coveralls from travis #25818 - did the hook/account setup for getting coveralls to start publishing to https://coveralls.io/github/torproject/tor - revised patches to expose our RNG in rust #24660 - responded to code review on #24659 - lunch meeting with trevor perrin about malleability in HS crypto and hash domain separation in post quantum key exchanges - reviewed #25515 again - long emails to lists about TROVE-2018-005 and HS crypto malleability #25552 - more work on wide create cells #25647 this week: - finish #25647

1 0

Tor Browser team meeting notes, 23 April 2018
by Georg Koppen 23 Apr '18

23 Apr '18

Hi! Our weekly meeting just finished and here come, as usual, the notes. The chat log can be found on http://meetbot.debian.net/tor-meeting/2018/tor-meeting.2018-04-23-17.59.log… and our pad items are/were: Monday, April 23, 2018 Discussion question(s): Arthur asks: We seem to have mar files stored in two places: dist.torproject.org/torbrowser/ and cdn.torproject.org/aus1/torbrowser/ weasel asked if we need to increase space in both places. (https://trac.torproject.org/projects/tor/ticket/25575#comment:3) I'm wondering if these two sets of mar files are redundant, or if they are different things and we indeed need to roughly double the space of both things in order to increase the number of locales by ~2x. [arthur plans to add new calculations to #25575] boklm asks: disk space on build-sunet-a is full again. I am wondering if we could increase the disk size on this VM. [boklm just asked on #tor-project] mcs and brade: Last week: - Continued rebasing Tor Browser updater patches for ESR60 (part of #25543). - Helped with triage of incoming tickets. - Attended the Snowflake meeting. - Participated in the UX/Tor Browser "sync" meeting. This week: - Continue rebasing Tor Browser updater patches for ESR 60. - Monitor #25807 (Can not request bridges from torproject.org (App Engine is broken for moat)). sysrqb: Last week: Continued troubleshooting https-everywhere add-on update (#25603) - It seems https-everywhere webextension does not work in Fennec 52.7.3 - Still testing modified version of https-e v5.2.21 Troubleshooting crash during start-up of Fennec 61.0a1 with rebased Orfox patches (#25741) - Crash caused by MOZ_CRASH() call due to failure during EGL (graphics library) setup - Reproducible without Orfox patches, fetching current mozilla-central and will rebuild using that - hmm, now that I think about it, i forgot to clobber first, maybe caused by remaining compilation This week: More of troubleshooting the above tickets Reviewing upstream Mozilla bugs affecting Mozilla 52ESR code GeKo: Last week -worked mostly on getting rustc ready for our Tor Browser builds * slight progress on getting rust compiled for osx but I did not finish that yet (#25779) * wrote a patch for the 64bit Windows cross-compilation; it's working and i get esr60 compiled with it; tor needs to get fixed though (#25895) * we might have trouble getting the 32bit Windows cross-compilation going due to exception handling issue, see: https://github.com/rust-lang/rust/issues/12859 -write patches to get esr60 compiled for Windows (#25554, #25832) -opened tickets to clean up our CFLAGS/LDFLAGS usage for Windows which is pretty confusing (#25859, #25860, #25862) -bisected on the weekend our compilation issue when STL wrappers are enabled for 64bit Windows (#23231); it seems https://bugzilla.mozilla.org/show_bug.cgi?id=1443823 is fixing that one, too -reviewed #25458 (UI customization half-broken in Tor Browser 8.0a3) and #24309 -reviewed a bunch of Fennec bugs we might want to consider to backport for the next Orfox release -signed the alpha release -a bit bug triage This week -fix osx rust cross-compilation -further investigate 32bit Windows rust cross-compilation -review remaining Fennec bugs we could consider for backport -review the rebased Tor Browser patches (#25543) -bug triage (torbutton and tor bundles/installation components) -maybe if time permits finally fixing https://bugzilla.mozilla.org/show_bug.cgi?id=1390583 (Stylo: Build Broken with MinGW) igt0: Last Week: Continued testing fingerprinting and linkability defenses - Android Accessible Services can allow external apps to detect users typing their passwords, so it is recommend to us to disable #25902 (Disable Firefox Mobile accessibility services) - Tested if the desktop linkability patches work on Mobile This week: Make sure I didn't miss any other android fingerprint attack vector Rebase and test my tor button branch against the rebased Tor Mobile branch. arthuredelstein: Last week: - Posted my rebase results (#25543) - Rebased #25543 again to latest mozilla-beta - Worked on fixing circuit display problem on windows. The issue is causes by a strange browser bug related to XUL. I am working on tracking down that bug, and also developing a workaround in case that fix doesn't work. - Built and signed the alpha (with boklm's help) - Looked at #22343 again (Save as... in the context menu results in using the catch-all circuith) This week: - Finally fix circuit display on Windows - Post a patch for #22343 - Try to get tor-browser-build working with the #25543 branch pospeselr: Last Week: - fought off a cold - various patch revisions for #20283 uplift (Tor Browser should run without a `/proc` filesystem) - went through outstanding issues for #25147 (Backport of fix shipped in Firefox 58.0.1?) - patch for #25458 (UI customization half-broken in Tor Browser 8.0a3) gk: looked into it this morning and verified the newTab.js change is actually not needed for UI customization screen to work will update the patch once my trac login issues are handled [GeKo: kk] This Week: - #23247 !!! (Communicating security expectations for .onion) tjr - Found a fixed a MinGW bug that was causing crashes - (But it was with those graphics prefs enabled - my patch disabling them was incorrect. I resolved that and am investigating a 'new' crash) boklm: Last week: - helped build and publish the new alpha - finished setup of new nightly build VM which is now running at http://f4amtbsowhix7rrf.onion/ - worked on the following tickets: - #25817: Add ansible scripts for setup of nigthly build server - #25318: Add Tor Browser nightly builds email notification - #25862: Clean up wrapper script/CFLAGS and friends mix on Windows - #25834: Use compiler dependent spec files for mingw-w64 This week: - investigate reproducibility issue with binutils update (#12968) [#16742] - work on fixing testsuite issues - setup a new VM for running testsuite on nightly builds - work on cleaning up our CFLAGS/LDFLAGS usage for Windows Georg

1 0

Notes from April 19 2018 Vegas team meeting
by Karsten Loesing 20 Apr '18

20 Apr '18

Notes for April 19 2018 meeting: Roger: 1) Reminder: your team should nominate useful volunteers for swag and glory! Kat says they've gotten only one person so far, across all teams. 2a) Defcon: The talk deadline is coming up. Do we want to submit a talk? 2b) I connected Steph to Straithe, so they can discuss Defcon crypto privacy village use. 3) I pushed the Penn thing forward another step. Our accounting person there is out of the office until Tuesday. 3) On Monday I begin two weeks of travel. That means I might miss the next two Vegas meetings (and I'll generally be a lot more scarce -- use email and be patient). 4) shari: should we ask the board to think about whether it wants to invite anybody (like future board candidates) to mexico city? 7) Shari: it's still on my todo list: go over those 2016-2017 financial breakouts. 8) Do we still have unclaimed Rightscon tickets? 9) Fyi, our buildbot ("jenkins") is having problems, which means some things aren't building, which impacts website changes. I'm going to try to learn more about what's up. I think it's tied to the recent hardware failures. Shari: 1) Writing job description for new Fundraising Director position. 2) Interviewing people for the Community Liaison position. 3) Working with Tommy on OTF proposal for onion services. 4) I must do my expense reports for Rome and San Francisco! 5) Following up on Amazon meek stuff. Karsten: 1) Held an in-person team meeting in Aberdeen to plan updates to the roadmap for the next six months. 2) Released Onionoo 6.0-1.13.0 and metrics-lib 2.3.0. isabela: 1) working on guidelines for 3rd party integration of Tor (for Brave, Mozilla, Cliqz etc) 2) trying to figure out the best approach to Google discontinue of domain fronting: https://www.theverge.com/2018/4/18/17253784/google-domain-fronting-disconti… #25807 #25804 etc 3) writing final reports for sponsor4 (this has been interrupted so many times :/ but i will get there!) 4) continue with candidates selections for community liaison and user research coordinator - collaborated with job description for Censorship Team Project Manager / Team Lead position. 5) me and antonela spoke with trainers in Costa Rica about Tor and UX! Antonela is having a second round this Friday where they will report usability feedback to us (first chat was for about Tor day to day work and how UX team functions etc). 6) Leaving to Brazil tonight!!!!! I will be afk friday April 20th. preparing my talks at Cryptorave Mike: 1) Rabbitholing into yet more guard related dev/design issues 2) I have only used a couple sites with captchas this week. They did give me one though. Anyone else use Tor this week with any sites that gave them a captcha? (Anyone else use Tor this week? :)[I get very few captchas. My main problem is sites like Fox News that simply reject me. -arma] Arturo: 1) Created a design brief for the illustrations of the revamped OONI Probe mobile apps 2) Updated test lists: https://github.com/citizenlab/test-lists/pull/333 & https://github.com/citizenlab/test-lists/pull/334 3) Supported IPYS Venezuela on their report on the blocking of a news website: https://ipysvenezuela.org/alerta/dos-medidas-de-censura-han-afectado-a-el-p… 4) Submitted first MOSS progress report 5) Progress on probe orchestration development Georg: 1) A new alpha release, 8.0a6, is upcoming with the latest tor release candidate (0.3.3.5-rc) 2) I finally got the endorsement letter for the Taler folks out, thanks to everyone who helped 3) Thought about the Appengine issue and how we should work around it for moat/snowflake 4) Mike: did the ReCAPTCHA situation get better? What would be next steps? Should we wait another week? Should we get out the pitchforks? Should we reply to the Google folks? [Okay, it seems we try to get more data points figuring our whether there are improvements or not] 5) Reference checks for the Android dev candidates are under way Steph 1) published a post on HotPETs. started planning a tor for journalists post with kushal. 2) starting on main website landing page copy 3) Jon is working with GR to get OONI swag on the donate page 4) Will be talking to Alison about figuring out our DefCon village presence Alison 1) Mexico City preliminary invites! I'd like to send our preliminary list to Jon/tor-internal tomorrow. And I'm making a timeline for meeting planning 2) Library Freedom Institute curriculum development 3) working on modular training slides for community.torproject.org, getting great feedback from other trainers/Tor people 4) reviewed community liaison and user research coordinator apps 5) following up with Steph re: Defcon 6) still waiting on a response from HOPE 7) sponsor9 coordination work 8) working on the community team roadmap

1 0

want to help review Tor training materials?
by Alison Macrina 17 Apr '18

17 Apr '18

Hi all, I'm working on a set of modular training resources for teaching about Tor. They cover a number of common topics (Tor basics, Tor Browser and features, Tor Browser in-depth, Tor mobile, Tor censorship circumvention, and anonymous sharing with Tor) and can be used separately or in conjunction in training environments. These materials will eventually be available to download from community.torproject.org, and we'll be using them to complete some of our usability and outreach work over the next few months. I'd love if some people on this list who give Tor trainings would take a look at the materials I've already created. Right now I've only got slide decks, and I'd like people to look at them and give me feedback before I write the accompanying teacher's manual. If you're interested in giving feedback please contact me offlist and I'll send you the files. Once they're finished, and before community.torproject.org is ready, they'll live on gitweb.torproject.org. Thanks for your help! -- Alison Macrina Community Team Lead The Tor Project

1 0