May 2018 - tor-project - lists.torproject.org

Community team April update
by Alison Macrina 09 May '18

09 May '18

April 2018 Community Team highlights Meeting notes ================================================================== https://trac.torproject.org/projects/tor/wiki/org/teams/CommunityTeam#Curre… Tor Meeting ================================================================= We began planning the Mexico City meeting with a new group, meeting-planners(a)lists.tpo. Join us and help make the meeting awesome! Volunteer recognition ================================================================== Kat and Jon sent their first swag bundle to a noteworthy volunteer! But they need more teams to nominate volunteers for this program, so please make sure you're nominating excellent volunteers for swag and glory! Outreachy and Summer of Privacy ================================================================== We've accepted two new interns, one from Outreachy and one from Summer of Privacy. Jaruga will be working on updating and maintaining documentation, and Cy will be taking over Pari's work as user advocate. Welcome Jaruga and Cy! Localization ================================================================== Colin has reached out to a bunch of translators to try to get them more swag and recognition. community.torproject.org ================================================================== We made a lot of progress on training modules for community.tpo. We'll test them out with real users at the end of May. Library Freedom Institute ================================================================== LFI curriculum development continues apace. Our first cohort starts the first week of June. Community governance ================================================================== tor-internal@ voted affirmatively for the code of conduct [1] and statement of values [2]! [1] https://gitweb.torproject.org/community/policies.git/tree/code_of_conduct.t… [2] https://gitweb.torproject.org/community/policies.git/tree/statement_of_valu… Tor talks and outreach ================================================================== Cryptorave got fully funded in April. At least ten Tor talks planned!!!! Including Isabela keynoting. Toronto Public Library approved their Tor pilot project. We finalized plans for Tor people to go to RightsCon. We heard back from HOPE that one of our talks got accepted. We're visiting community members in Uganda in May to do community-building and usability work. NYC Tor meetups have been going really well and happening regularly. The plan for the summer is just to do a social event to keep things easy, and focus most of our attention on HOPE. Ann Arbor Cryptoparty is having an event in June at their local library: https://aadl.org/node/372209. They're also starting to plan an event in November around Aaron Swartz Day. Another privacy meetup happened in Pune, India with more in-depth discussions about using Tor. kushal was planning a blog post as a follow up to that meeting. Jobs on the community team ================================================================== We conducted interviews for the community liaison position. Mozilla began accepting applications for our Open Web fellow. Colin will be transitioning into the relay advocate role over the next few months! Other stuff ================================================================== ilv has been working on a Spanish-language Tor mailing list. ================================================================== -- Alison Macrina Community Team Lead The Tor Project

1 0

April 2018 report for the Tor Browser team
by Georg Koppen 08 May '18

08 May '18

Hi all! In April we shipped one Tor Browser alpha release, 8.0a6[1]. It contains Tor 0.3.3.5-rc to give the release candidate a wider testing and updates a bunch of other components as well. It's the first alpha release using GCC 6.4 for compiling Linux and Windows bundles, which is part of our toolchain updates we plan to do for our switch to Firefox ESR60. Non-release work in April concentrated on two areas: preparations for our switch to Firefox 60 ESR and the first alpha for Tor Browser on Android. For the former we rebased all our patches[2] and are currently reviewing those changes. Furthermore, we got our build setup ready to build Rust code[3] that comes with Firefox and started to look into necessary updates for our own extensions, Torbutton and Tor Launcher[4]. We made progress on our Tor Browser for Android roadmap as well: we updated the Orfox patches to make them ready for Firefox 61[5], which the first alpha version will be based on. Additionally, we further investigated possible proxy bypasses on mobile and the state of the fingerprinting/linkability defenses we already have available on desktop. The full list of tickets closed by the Tor Browser team in April is accessible using the `TorBrowserTeam201804` keyword in our bug tracker.[6] For May we'll focus on getting our toolchains ready for Tor Browser 8 and have nightly builds available, being able to test our changes further. For that we plan to have our test suite functioning and adapted to Firefox 60 ESR as well. Moreover, we'll do the necessary proxy safety audit taking changes between Firefox 52 ESR and Firefox 60 ESR into account[7] and start reviewing new features[8] to make sure we can patch the code where needed. For Tor Browser on Android we aim at having our mobile-specific patches updated and available on a separate branch, following the regular Firefox release cycle and fix as much proxy bypass problems and fingerprinting/linkability issues as we can. All tickets on our radar for this month can be seen with the `TorBrowserTeam201805` keyword in our bug tracker.[9] Georg [1] https://blog.torproject.org/tor-browser-80a6-released [2] https://trac.torproject.org/projects/tor/ticket/25543 [3] https://trac.torproject.org/projects/tor/ticket/25220 and child tickets [4] https://trac.torproject.org/projects/tor/ticket/25750 [5] https://trac.torproject.org/projects/tor/ticket/25741 [6] https://trac.torproject.org/projects/tor/query?status=closed&keywords=~TorB… [7] https://trac.torproject.org/projects/tor/ticket/22176 [8] https://trac.torproject.org/projects/tor/ticket/22074 [9] https://trac.torproject.org/projects/tor/query?status=accepted&status=assig…

1 0

Tor Browser team meeting notes, 30 April 2018
by Georg Koppen 07 May '18

07 May '18

Hi all! Here are the notes from our weekly Tor Browser meeting which we had earlier today. The chat log can be found at http://meetbot.debian.net/tor-meeting/2018/tor-meeting.2018-04-30-18.00.log… and our pad items were: Monday April 30, 2018 Discussion question(s): -igt0 asks: I know we have talked about accessibility before, about mobile, how much we care right now? I am asking because of ticket #25902. Android accessibility services allow password managers to listen for user events. e.g. typing a password in a login form. -Upcoming releases -What is our way forward with our extensions for ESR60? [sysrqb and arthuredelstein will look next week into what is needed to get our extensions integrated into a working ESR60 build] mcs and brade: Last week: - Helped with triage of incoming tickets. - Continued rebasing Tor Browser updater patches for ESR60 (part of #25543). - Tested on macOS. - Participated in the UX/Tor Browser "sync" meeting. This week: - Finish rebasing Tor Browser updater patches for ESR 60. - Test on Linux. - Test on Windows. - Monitor #25807 (Can not request bridges from torproject.org (App Engine is broken for moat)). igt0: Last week: - #25810: Backported few fixes affecting Orfox to tor-browser-52.7.3esr-8.0-1. - #25974: Make sure Android Oreo(API level 26) autofill feature is disabled (looks like it doesn't work on FF, i am trying to make autofill to work on simulator to be 100% sure) This week: - Review and smoke test rebased Orfox patches branch. - Build and test on android the rebased tor browser patches for ESR60 to make sure we are not going to have problems in the alpha release. tjr - Found and bypassed a crash bug for MinGW. Looking at two, maybe three crashes currently. - 1) A crash in https://searchfox.org/mozilla-central/source/nsprpub/pr/src/threads/prtpd.c… that happens on TC - 2) This assert: https://searchfox.org/mozilla-central/source/layout/svg/nsSVGIntegrationUti… - Have been learning more about debugging symbol-less (in WinDBG). Feel pretty comfortable identifying where I am in assembly (assuming Debug asserts are present...) [GeKo: Do you feel you could write up what you learned and, say, add this to the Hacking doc we have? I guess this would help us a lot, too.] - Wrote it up at https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking/Debugg… GeKo Last Week: - wrote a patch for the rustc cross-compilation for Windows - fixed the rustc cross-compilation for macOS (still need to clean-up the patch for review) - helped with Sponsor4 reports (yes! those were still a thing!1!) - wrote/backported small patches for tor-launcher (getting Moat to work again) and for tor-browser (fixes an off-by-one error) - started to review the patch rebase for ESR 60 - gave the circuit display patch (#24309) another round of testing - patch reviews/merges (#25898, #25458, #25810, #25973) This week: - finish up the rustc compilation patch for macOS - rebase review - update macOS toolchain - plan to take days off (5/1 and 5/3+5/4) boklm: Last week: - patches for #25817 (add ansible roles for nightly builds) and #25318 (adding email notification for nightly builds) are now ready for review - installed some VMs for running the Tor Browser testsuite, and started working on some ansible roles for the setup - worked on a patch for #25876 (Source release tarballs for Tor Browser) to automate creation of source tarballs - worked on #25862 (Clean up wrapper script/CFLAGS and friends mix on Windows) which is now ready for review - investigated the reproducibility issue with #16472 (binutils update) - started reviewing #25894 (Get a rust cross-compiler for Windows) and #25832 (Enable pthread support for mingw-w64) This week: - help with building the new releases - continue investigating issue with binutils update (#16472) - continue work on testsuite VMs setup sysrqb: Last week: - Worked on TBA patch rebase (#25741) - Worked on updating Orfox's https-everywhere addon (#25603) This week: - Found -8.0-1 branch is busted when building Orfox, fixing now (#25980) - Merge #25603 after we fix bustage - Continue testing #25741, put in needs-review - Start working on another TBA ticket pospeselr: Last week: - Worked on #23247 (Communicating security expectations for .onion), most of the way there but need to plumb down some logic exposing mixed-mode info for .onion to work correctly This Week: - Finishing up #23247 - Entertaining Shane this afternoon - Flying to the east coast to visit family Friday afternoon arthuredelstein: Last week: - https://trac.torproject.org/25938 (backport 1334776) - Updated https://trac.torproject.org/25543 (Rebase Tor Browser patches for ESR60) - Revised patch for https://trac.torproject.org/24309 (Activity 4.1: Improve how circuits are displayed to the user) - Revised patch for https://trac.torproject.org/22343 (Save as... in the context menu results in using the catch-all circuit); will post after more testing - Did more cspace calculations for https://trac.torproject.org/25575 (Server space request for hosting Tor Browser downloads) updated by arthuredelstein This week: - Try to get a preliminary desktop build working for TBB/ESR60 - Continue revising https://trac.torproject.org/25543 branch - Permissions patch revision: https://bugzilla.mozilla.org/show_bug.cgi?id=1330467 Georg

1 1

Network team meeting notes, 7 May 2018
by Nick Mathewson 07 May '18

07 May '18

Hi, everybody! We had yet another network team meeting. You can find the transcript at http://meetbot.debian.net/tor-meeting/2018/tor-meeting.2018-05-07-16.58.html The contents of our pad are below: ============ = Network team meeting pad, 7 May 2018 = Welcome to our meeting! Mondays at 1700 UTC on #tor-meeting on OFTC. (This channel is logged while meetings are in progress.) Want to participate? Awesome! Here's what to do: 1. If you have updates, enter them below, under your name. 2. If you see anything you want to talk about in your updates, put them in boldface! 3. Show up to the IRC meeting and say hi! Note the meeting location: #tor-meeting on OFTC! (See https://lists.torproject.org/pipermail/tor-project/2017-September/001459.ht… for background.) == Previous notes == 5 March: https://lists.torproject.org/pipermail/tor-project/2018-March/001685.htmlyy 26 March: https://lists.torproject.org/pipermail/tor-project/2018-March/001695.html 3 April: https://lists.torproject.org/pipermail/tor-project/2018-April/001705.html 9 April: https://lists.torproject.org/pipermail/tor-project/2018-April/001723.html 16 April: https://lists.torproject.org/pipermail/tor-project/2018-April/001739.html 23 April: https://lists.torproject.org/pipermail/tor-project/2018-April/001747.html 30 April: https://lists.torproject.org/pipermail/tor-project/2018-April/001750.html == Stuff to do every week = * Let's check and update the roadmap. What's done, and what's coming up? url to roadmap: https://docs.google.com/spreadsheets/d/1Ufrun1khEo5Cwd6OwngERn829wU3W3eskdr… * Check reviewer assignments at https://docs.google.com/spreadsheets/d/1Ufrun1khEo5Cwd6OwngERn829wU3W3eskdr… * Check rotations at https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/TeamRot… == Announcements == * Remember to "/me status: foo" at least once daily. * Remember that our current code reviews should be done by end-of-week. * Make sure you are in touch with everybody with whom you are doing 0.3.4.x work. * Important dates: * May 15, 2018 -- 0.3.4.x feature freeze! 1 WEEK LEFT. OUR BIG PRIORITY SHOULD BE TO GET ALL FEATURES IN FOR 034 BEFORE ANYTHING ELSE. Lets not wait for the review assignement sheet for any of those or roadmap items. And remember, "It's fine to defer!" * Remember: don't spend more than a day working on anything that isn't on the 033 or 034 milestones. == Discussion == * #25960, last comment by teor, "decide whether to put the small or the large version of this ticket on the roadmap" regarding the "Bandwidth List" format (https://trac.torproject.org/projects/tor/ticket/25960#comment:9) == Updates == teor: Last week: * bandwidth spec and code reviews * rewrote the experimental privcount plot command * final data collections This week: * leave for a week and a half mike: Last week: * Discussions and meetings about domain fronting issues. * Reviewed #25903, #25914, and #25995 * Ticket triage * Prop #291 discussion * Log message for #25705 ( * Fixed up #25870 (vanguard restrictions) * Tested and tweaked vanguard script This week: * Help get last of 034 vanguard helper patches merged * Continue testing vanguard script; write unit tests and packaging * Continue 2 guard discussion/analysisq asn: Last week: - Reviewed #25552: prop224: Onion service rev counters are useless and actually harmful for scalability - Reviewed #23107: prop224: Optimize hs_circ_service_get_intro_circ() digest calculation - Reviewed #25870: Fix vanguard restrictions - Reviewed #25997, #25996. - Did some debugging in #25761: hs: Reload signal (HUP) doesn't remove a disabled service - Did an initial review of haxxpop's client auth branch: #20700. - Discussed hsv3 client authorization: https://lists.torproject.org/pipermail/tor-dev/2018-May/013155.html - Discussed 2-guard proposal again: https://lists.torproject.org/pipermail/tor-dev/2018-May/013162.html - Triaged some of my tickets out of 034. This week: - More work on #25761. - More work on #25552 - More work on client auth and #20700. - More work on vanguards and 2-guard proposal. haxxpop Last week: - Discussed hsv3 client authorization: https://lists.torproject.org/pipermail/tor-dev/2018-May/013155.html This week: - Re-publish the descriptor if the client auth config changes via SIGHUP - Revise hsv3 torspec to specify how the users configure hsv3 client authorization - Try to finalize if we want to use prefix in client auth private/public keys or not Nick: Last week: - More 1/sec refactoring on #25375. Now, there is nothing that needs to happen 1/sec when the network is disabled! - Reviewed lots and lots of branches. - Deprecated 0.2.5 - Gave a Tor lecture for an MIT class. - Debugged Tor working with libressl. - Tried to help with fallout from some travis-breaking merges. These should happen less and less as we get more travis tests into master. - Did community advocate role. Didn't actually achieve much. Maybe I wasn't seeing the right opportunities :/ - More #25908 (test coverage determinism) work to improve coveralls utility. This week: - Finish the 0.3.4 portion of #25375: actually disable the 1/sec callback when the net is off. - Check whether we're ready to merge TROVE-2018-005. - Review and merge even more pending branches. - Close smaller 0.3.4 issues, preferring those on the roadmap. - Backport 0.3.3 items. - Prepare for 0.3.4 alpha and 0.3.3 stable to come out next week (!?) - Bug triage rotation. - Begin triage on 0.3.4 tickets. - Revise bwauth format spec, if teor and juga and pastly want me to. (I'm also happy for you to make any subset of the changes I suggested; I trust your judgment.) juga: Last week: - more "bwauth format spec" revisions - worked on #25947, #25960, #26004, #26007 This week: - more "bwauth format spec" - refactor for #25960 - other things depending on the spec Can not be at the meeting, but it would be great if people can discuss what i added in "Disscusion". I'll read backlog around 19:00 UTC and answer questions in #tor-dev. Always happy if nickm review spec dgoulet (Will miss the meeting): Last week: - Worked (mostly review) with nickm on #25500 child tickets. - Closed down roadmap item #25494. Dirauth modularization was merged upstream with #25610 \o/. Not perfect but a good step forward. - Patch work for #25552 HSv3 problem which took lots of discussion with teor/asn. It is in merge_ready for 034. - Reviewed ffmancera circuit cannibalization patch #25118. This week: - Work on roadmap item #25500 child tickets so we can get them upstream before freeze with nickm. - Review++ on 034 features as needed. I have on my radar #25647 (wide CREATE cell encoding from isis). - Will do a review pass on haxxpop's HSv3 client auth branch. - Address, as a priority, anything that comes up with #25552 (roadmap item) so we can get it upstream before next week. - If no 034 features need my attention, I'll start on 034 bug squashing. We already have plenty that needs fixing just for HSv3. catalyst: last week (2018-W17): - reviewed #15015 (--verify-config port binding). closed as worksforme after multiple failures to replicate - started to review #25549 (appveyor CI) - finished tests and patches for #25756 (make early-consensus detection more reasonable). unsurprisingly, the tests took most of the time and the actual behavior change was almost trivial to implement. - looked at some coverage flapping issues - helped a little with the rust distcheck CI - looked at #25061 some more - IRC moderation stuff this week (2018-W18): - CI rotation - #25061 - reviews ahf Last week: Sponsor 8: - Wrote an additional patch for #25991. - Reviewed: #25990, #25991. - Went over our HS perf. data and tried to clean it up. Misc: - Reviewed: #17949, #17873. - Booked flights for SF for Mozilla All Hands. - Coverity duty: not much to report here. This week: Sponsor 8: - Work on idle interface: #25499 + its children for 0.3.4. Misc: - Review #24732, more review of #17873 - Community hero role! isis: last week: - revised #24660 - finished wide create(d) cell parsing/handling #25647 - fixed a couple things i did in #24660 that broke some things #26024 #26025 - fixed bridgedb because there was a stem issue where it didn't handle errors when trying to parse ed25519 certs with the year 491869 #26023 - reviewed #25903 and #25936 - re-booked my Seattle flight (the frickin airline couldn't charge my card for some reason and then didn't see fit to tell me) this week: - fixing up a leak in a test for #25647 - wide extend cell handling #25651 - maybe wrapping the create(d)2v cells in extend2 cells if i get to it #25650 - working out paystub/employment verification stuff for an apartment i'm trying to get - revising the TROVE-2018-005 patches pastly: last week: - More testing and fixing of switch-to-http branch of sbws. Not much to report - Some person came and told us on a GH issue that there's no way sbws should ignore self-reported bandwiths but couldn't dumb it down enough for us to digest. https://github.com/pastly/simple-bw-scanner/issues/150 this week: Seattle travel paperwork note: I'll have very limited availability Thurs May 10 to Mon May 14; also on Sat May 19.

1 0

Notes from May 3 2018 Vegas team meeting
by Karsten Loesing 04 May '18

04 May '18

Notes for May 3 2018 meeting: Alison: 1) HOPE -- one of our talks got accepted, waiting to hear about other talks and the table 2) Sponsor9 -- coordinating travel and workshop plans with partners 3) LFI -- more curriculum development, setting up communication platforms, finalizing stuff before we begin in June! 4) next week we'll begin interviews for the user research coordinator 5) Mexico City save-the-dates are going out, getting more invitation suggestions from tor-internal@ now 6) the meeting planners group will meet on May 9 at 1700 UTC (in #tor-meeting unless it's occupied) to make a timeline and delegate tasks for the Mexico City meeting 7) Outreachy and Summer of Privacy interns have been chosen! 8) lots of outreach stuff happening on the community team: meetups in Pune, India, Ann Arbor, NYC meetup planning, plus Cryptorave is this weekend! Georg: 1) Release preparations to pick up Mozilla's Firefox ESR 52.8.0; countdown for transitioning to ESR 60 for Tor Browser desktop is starting Mike: 1) What do we know about what triggered the cascade of CDNs to disable domain fronting? Did they all collective panic? Or did customers complain? Did a censor threaten to block all of them? Or is there some other issue? 2) 0.3.3+0.3.4 development work Nick: 1) 0.3.3 should be stable soon. 2) 0.3.4 will be feature-frozen soon. 3) 0.2.5 is now unsupported 4) 0.3.4 or 0.3.5 is likely to be chosen as a long-term support release, depending on timing. 5) Taught a 90-minute class of MIT students about Tor this week. Realizing I have at least 3 hours of material. Maybe ought to make a video series. Steph: 1) responding to inquiries 2) Def Con 3) talking to a volunteer about writing a post on running exits Karsten: 1) Made even more progress on Sponsor 13 deliverables. Arturo: 1) Finished a, mostly working, OONI Probe orchestration backend MVP done: https://github.com/ooni/orchestra/pull/44#issuecomment-386005973 2) Finished most of the screen mockups for the revamped OONI Explorer 3) Going to hire illustrators for illustrations for the revamped OONI Probe app Shari: 1) submitted OTF grant proposal isabela: 1) onion services otf proposal done 2) late with sponsor8 report - trying to get it done by eod monday 3) talking with brave about their feature using Tor 4) will participate in at least 4 activities about tor at cryptorave may 4 and 5 and on may 8th i will be offline doing a tor training in sao paulo (expect offline time) 5) preparing monthly reports for sponsor 13 and 17 6) working on the domain fronting issue 7) need to move on with the job post for localization project manager part time position 8) internews approached me talking about a pluggable transport idea they want to submit a grant proposal for and would like a support letter from tor

1 0

Summary of meek's costs, March 2018
by Sina Rabbani 02 May '18

02 May '18

Dear Tor Project, Here's the summary of meek's CDN fees for March 2018. Inspired by David Fifield's summary emails :) I went back and updated the trac page with costs all the way back to April 2017, the time Team Cymru started to cover the fees. https://trac.torproject.org/projects/tor/wiki/doc/meek#Costs Google Amazon Azure total 2017 Jan — $1,550.19 $1,196.28 $2,746.47 2017 Feb — $1,454.68 $960.01 $2,414.69 2017 Mar — $2,298.75 $353.81 $2,652.56 2017 Apr — $584.73 $ 725.80 $1,310.53 2017 May — $2,150.47 $1,097.29 $3,247.76 2017 Jun — $2,677.31 $4,358.50 $7,035.81 2017 Jul — $2,873.28 $5,330.18 $8,203.46 2017 Aug — $646.28 $4,020.68 $4,666.96 2017 Sep — $1,914.41 $4,670.51 $6,584.92 2017 Oct — $2,962.71 $3,912.41 $6,875.12 2017 Nov — $4,674.80 $2,513.43 $7,188.23 2017 Dec — $6,358.11 $1,451.36 $7,809.47 2017 total — $30,145.72 $30,590.26 $60,735.98 Google Amazon Azure 2018 Jan — $8,429.07 $1,880.31 $10,309.38 2018 Feb — $8,522.01 $2,630.71 $11,152.72 2018 Mar — $10,863.95 ? $10,863.95 2018 total — $27,815.03 $4,511.02+ $32,326.05 grand total $13,138.96 $81,274.22 $43,754.18 $138,167.36 I'll do my best to keep the trac page updated. All the best, Sina -- Sina Rabbani | Systems Engineer | Team Cymru, Inc. srabbani(a)cymru.com | 0x53B422A8 | http://www.team-cymru.com/

7 7

Damian's Status Report - April 2018
by Damian Johnson 01 May '18

01 May '18

Hi all! Was out of commission during my last status report so this one's a little meatier... https://blog.atagar.com/april2018/ Cheers! -Damian

1 0