- tor-project - lists.torproject.org

Network team meeting notes, 9 Oct 2018
by Nick Mathewson 09 Oct '18

09 Oct '18

Hi, all! We had our meeting today. The logs and decisions are at http://meetbot.debian.net/tor-meeting/2018/tor-meeting.2018-10-09-16.59.html . Below are the contents of our meeting pad... = Network team meeting pad! = Welcome to our meeting! Mondays at 1700 UTC on #tor-meeting on OFTC. (This channel is logged while meetings are in progress.) Want to participate? Awesome! Here's what to do: 1. If you have updates, enter them below, under your name. 2. If you see anything you want to talk about in your updates, put them in boldface! 3. Show up to the IRC meeting and say hi! Note the meeting location: #tor-meeting on OFTC! (See https://lists.torproject.org/pipermail/tor-project/2017-September/001459.ht… for background.) After each week's meetings, the contents of this pad will be sent to tor-project @ lists.torproject.org. After that is done, the pad can be used for the next week. == Previous notes == (Search the list archive for older notes.) 4 Sep: https://lists.torproject.org/pipermail/tor-project/2018-September/001965.ht… 10 Sep: https://lists.torproject.org/pipermail/tor-project/2018-September/001972.ht… 17 Sep: https://lists.torproject.org/pipermail/tor-project/2018-September/001982.ht… 24 Sep: https://lists.torproject.org/pipermail/tor-project/2018-September/001996.ht… 1 Oct: No online meeting; in-person meeting in Mexico City. == Stuff to do every week = * Let's check and update the roadmap. What's done, and what's coming up? url to roadmap: https://docs.google.com/spreadsheets/d/1Ufrun1khEo5Cwd6OwngERn829wU3W3eskdr… * Check reviewer assignments at https://docs.google.com/spreadsheets/d/1Ufrun1khEo5Cwd6OwngERn829wU3W3eskdr… * Also, let's check for things we need update on our spreadsheet! Are there important documents we should link to? Things we should archive? * Check rotations at https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/TeamRot… * Community guides, it's time to hand off to the next guide! * Let's look at proposed tickets! [but see discussion] https://trac.torproject.org/projects/tor/query?status=accepted&status=assig… == Reminders == *ok, Remember to "/me status: foo" at least once daily. * Remember that our current code reviews should be done by end-of-week. * Make sure you are in touch with everybody with whom you are doing work for the next releases ------------------------------- ---- 9 October 2018 ------------------------------- == Announcements == Tor 0.3.2 is now unsupported. https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTor… Tor Calendar: we have a shiny new one for adding time off https://storm.torproject.org/grain/H6dQejgGAizq6MYMawwPzq/ Tor employees, please do timesheets each week, or in the worst case by the end of the month. The new schema (all network team work goes in "Network Team") should make this much faster. == Discussion == * We must assign bug and CI tickets in 0.3.5; they should get fixed ASAP. - nickm * What do we need to do to "finish up" our roadmap? I know it's a living document, but how far are we from something we can work from? -nickm Reminder for this discussion: sponsor 8 issues are priority as it is finishing at the end of the year -gaba There are a few things in the UX roadmap related to network team. Let's check that we have it on our roadmap -gaba (https://storm.torproject.org/grain/2uvMtMh7xKDubdC5np68tN/) * Finish & validate new "minimal rotations" plan from meeting? (Idea was to define minimial versions of each rotation, and possibly drop the ones that don't actually make sense) -nickm Plan and comments: https://pad.riseup.net/p/team_rotation * Reminder: Capacity estimation: adding actual points in the big beautiful spreadsheet from the roadmap -gaba * Proposal to change the meeting only once every 4 weeks to a time that teor can attend. Patch party time? -gaba == Recommended links == Have a look at Catherine West's rustconf 2018 closing keynote. Lots of neat architectural thinking. https://kyren.github.io/2018/09/14/rustconf-talk.html == Updates == NOTE NEW FORMAT! Name: Week of XYZ (planned): - Leave blank for now, since we didn't make plans for last week Week of XYZ (actual): - What you did last week Week of ABC (planned): - What you're planning to do this week. Mike (sick, may not be online during meeting): Week of 10/1 (actual): - OMG so many meetings Week of 10/8 (planned): - OMG so much followup - Create tor-researchers list - Figure out Mozilla all Hands - wtf-pad mails Nick: Week of 10/1 (actual): - Wrap up meeting stuff, take a couple of days mostly-off Week of 10/8 (planned): - Talking about decentralization at Berkman on Thursday - Post-process meeeting notes into a usable form - Work with gaba et al to finalize roadmap - Review and merge - Work on continuous integration issues - Find a better solution on #27971 (having to force security level 1 for TLS backward compat) - Try to fix bugs in 0.3.5 - Finish whitepaper? - Work on sketch for subsystem API - Work on sketch for communication API ahf: Week of 10/1 (actual): - Tor meeting. - Wrote a scraper for Trac in Python, so we might be able to move on with some of the ideas that came up in our CI session! Needs some cleanup though. Week of 10/8 (planned): Sponsor 8: - Figure out which tasks I'm on from the roadmap session and begin there. Sponsor 19: - Work on PT document for Kat. Misc: - Backlog of Trac + IRC + Mail - Look into sysadmin candidate + participate in interviews. - Catch up on hiring process for anti-censorship team role. - Go over my meeting notes from the Tor meeting to see if we need to fill out any tickets. asn: [will be on a flight back to gr during meeting): Week of 10/1 (actual): - Tor meeting. - Mike I pushed a branch with the WTF code reading we did together `adaptive_padding_comments`. Week of 10/8 (planned): - Catch up with intense amounts of email, backlogs and minor tasks that have accumulated during the meeting. - Do a presentation on "state of Tor" in FOSSCOMM (the Greek open source conference) on Saturday. - Maybe try to read some more WTF-PAD code if I get the time. dgoulet: Week of 10/1 (actual): - A bit uneventful. Few tickets reviewed and a little bit of triage. - Followed the meeting as much as I could using the Wiki notes, some IRC insights and emails. Week of 10/8 (planned): - Write Sponsor19 report. - Figure out where I am in the Roadmap and start on that. - Prioritizing 035 tickets before merge window opens next week. gaba: Week of 10/1 (actual) - Tor meeting Week of 10/8 (planned): - roadmap - cleaning on notes - schedule 1 on 1s catalyst (sick, might be offline for actual meeting): week of 10/1 (2018-W40) (actual): - Mexico City and all the meetings week of 10/8 (2018-W41) (planned): - update existing Mexico City session notes from my handwritten notes - travel accounting - reviews - talk more about hiring process stuff with ahf and komlo? - design meetings rotation

1 0

September 2018 report for the Tor Browser team
by Georg Koppen 09 Oct '18

09 Oct '18

Hi! September was the month of the releases for the Tor Browser team. As said in our previous monthly report we got our Tor Browser 8.0[1], Tor Browser 8.5a1[2], and Tor Browser for Android 1.0a1[3] out. However, then we needed to pick up 2 security releases done by Mozilla which resulted in Tor Browser 8.0.1[4], Tor Browser 8.0.2[5], Tor Browser 8.5a2[6], and Tor Browser 8.5a3[7]. Apart from closing security holes in Firefox, with the release of Tor Browser 8.0.1 and 8.5a2 we took the opportunity to fix the most pressing issues encountered during our Tor Browser 8.0 rollout. Those included a crash during start-up on older macOS systems (10.9.x)[8] and a suboptimal solution to our user agent treatment[9]. Remaining issues are still tracked with the `tbb-8.0-issues` keyword.[10] Tor Browser 8.0.2 and 8.5a3 only closed Firefox security holes.[11] This was the first time we needed to do security releases during a dev meeting which was... exciting. Many thanks to boklm who did the heavy-lifting here. Besides working on those releases we nailed down our future plans towards a stable Tor Browser for Android[12], prepared our dev meeting and met face to face in Mexico. The full list of tickets closed by the Tor Browser team in September is accessible using the `TorBrowserTeam201809` keyword in our bug tracker.[13] For October we plan to finish our roadmap for the coming 6 months[14] and try to make solid progress towards our second alpha release for Tor Browser for Android, which is plan in early November. At the end of October another round of desktop releases is planned to pick up the latest batch of Firefox security patches and more fixes for Tor Browser 8 related issues. All tickets on our radar for this month can be seen with the `TorBrowserTeam201810` keyword in our bug tracker.[15] Georg [1] https://blog.torproject.org/new-release-tor-browser-80 [2] https://blog.torproject.org/new-release-tor-browser-85a1 [3] https://blog.torproject.org/new-alpha-release-tor-browser-android [4] https://blog.torproject.org/new-release-tor-browser-801 [5] https://blog.torproject.org/new-release-tor-browser-802 [6] https://blog.torproject.org/new-release-tor-browser-85a2 [7] https://blog.torproject.org/new-release-tor-browser-85a3 [8] https://trac.torproject.org/projects/tor/ticket/27482 [9] https://trac.torproject.org/projects/tor/ticket/26146 [10] https://trac.torproject.org/projects/tor/query?status=accepted&status=assig… [11] https://www.mozilla.org/en-US/security/advisories/mfsa2018-24/ [12] https://lists.torproject.org/pipermail/tbb-dev/2018-September/000910.html [13] https://trac.torproject.org/projects/tor/query?status=closed&keywords=~TorB… [14] https://lists.torproject.org/pipermail/tbb-dev/2018-October/000916.html [15] https://trac.torproject.org/projects/tor/query?status=accepted&status=assig…

1 0

Tor Browser team meeting notes, 8 Oct 2018
by Georg Koppen 09 Oct '18

09 Oct '18

Hi all! We had our first weekly Tor Browser meeting in October yesterday and here are, as usual, the link to the the IRC meeting log: http://meetbot.debian.net/tor-meeting/2018/tor-meeting.2018-10-08-18.01.log… and to our meeting notes on the pad: Discussion: -Roadmap (https://pad.riseup.net/p/tbb-roadmap-2018-19) -Timesheets! (GeKo: they need to be submitted by 7th the following month and approved by 10th the following month) -status updates redux (GeKo: If you work, then please put a status update to #tor-dev, so we all keep in sync over the week) -team rotations (see: https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/TeamRot… for what the network team has) (GeKo: We'll start with more build duty rotations and think about other areas where the rotation idea might be useful) - tjr: should i cancel the monthly mozilla sync tomorrow? Leaning strongly towards yes. (GeKo: Yes, this got cancelled) GeKo: Last week: -dev meeting -secruity releases preparation (much thanks to boklm for doing the heavy-lifting!) This week: -esr60 wrap-up -catching up on reviews -work on design doc (#25021) and release doc update (#25030) -finalizing the roadmap -getting back to staring at our reproducible build issues with rust (#26475) -start looking into single-locale repacks (#27466) -tjr: when would be a good time to chat about the tb8 retrospective with focus on mozilla stuff? - [tjr] Did Ethan & co indicate they wanted to be there? 15:00 UTC is our usual meeting time for Europe+West Coast... -mcs/brade: do we still need to do #27239 or are we done with the feedback for the network team? Response from mcs: We recently commented in #27691 (a child ticket). There are a lot of tickets though, so we should take another look and give feedback to the network team. We may need to ask catalyst for a summary of how clients like Tor Launcher will be affected. mcs and brade: Since our last meeting: - Attended face-to-face meeting in Mexico City. - Helped with triage of new tickets. - Completed some code reviews. - Tested Tor Browser 8.0 to 8.0.1 updates. - Created a patch for #27623 (wrong default pref values in Tor Browser 8.0). - Helped with regression #27865 (Tor Browser 8.5a2 is crashing on Windows). - Created a patch for #27905 (many occurrences of "Firefox" in about:preferences). - Investigated #27828 ("Check for Tor Browser update" doesn't seem to do anything). - Completed end-of-month administrative things. This week: - Finish post-travel paperwork. - #27828 ("Check for Tor Browser update" doesn't seem to do anything). igt0: Last week: - Attended the f2f Tor meeting - decompressing from the meeting. (take a look in the notes, double check the roadmap and so on) This week: - #25013 (Move TorButton code to the tor browser repository) - Write proposal for tor button for android. boklm: Last week: - attending Mexico meeting - releasing security releases This week: - work on torbrowser testsuite - try to make rebundling faster by generating multiple bundles in parrallel (#27218) - some reviews sisbell: Last week: - Generated tarball of android dependencies - android-toolchain work and testing: #26697 #27439 This Week: - #27440 LLVM Support (fix regression) - #27443 - Firefox: this requires some amount of rework to align with changes in android-toolchain. pospeselr: Last week: - mexico city - fixed dev pc - cleaned up logger built to debug #26381 (sandbox race condition on windows) This week - ping ethan on #3600 - #3600 work (disable cookies being passed through on redirects) - [tjr] any chance you could summarize what the plan is for this? [pospeselr] yes - last week, was getting up to speed on the redirect cookie problem ( https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections seems like a good place to start here for reference) - it looks like there are three classes we need to worry about: HTTP redirects (302 and friends), JS redirects (window.location), and HTML redirects (http-equiv="refresh" meta tag) - initial plan is to prototype/hack a solution for HTTP redirects, see what breaks (and build test page for each) - [tjr] When you say " just disable the cookie redirect via a pref"... what do you mean? - rather than just blanket disabling cookie forwarding on redirect, only do so when a pref is enabled to improve chance the patch can get uplifted - [tjr] I still don't understand. You're on a.com. You click a link to b.com (which sends cookies for b.com). You receive a redirect to c.com. You're saying "We won't send cookies for c.com"? - [pospeselr] that sounds about right, unless I'm misunderstanding the ticket - [tjr] I don't think this is helpful. The cookies for b.com have already been sent to b.com. There's a very limited benefit here... I think a design document would be helpful; but it's up to you =) - [pospeselr] the discussion can be found here: https://trac.torproject.org/projects/tor/ticket/3600 Not my area of expertise so if there's obvious holes here I'm all ears. Seems like concern of affiliated websites cookies being used to auto-log you in (ie when traversing various google properties) - putting logger up on github w/ patch that can be directly applied to firefox for that logging goodness tjr - Close to landing a mingw-clang x86 job - Close to landing pdb support for mingw-clang - Worked on mingw-gcc jemalloc a bunch. No conclusions. Next step is to compile esr60 with mingw-clang and see how that looks.... - Worked on the mozilla-release issue with sukhe a bit. Couldn't build tb-alpha. This is really confusing. I wonder which will get done first: mingw-clang or this.... pili - How do we decide when/whether to incorporate user feedback into Tor Browser releases? (GeKo: There are no strict rules that govern this so far: it depends on how many users are affected by an issue, what else we have to do etc.) arthuredelstein: Last week: - Finished at Mexico meeting - Took a day off - Worked on https://bugzilla.mozilla.org/show_bug.cgi?id=1330467 (FPI permissions) - Patch for https://trac.torproject.org/27959 (2018 Tor Browser donation text) This week: - Try to finish FPI permissions - Look at tbb/8 issues, including https://trac.torproject.org/projects/tor/ticket/27290 - Work on donation banner code when ready - Optimistics SOCKS if time Georg

1 0

Tigas' CDMX Meeting / Onion Browser report
by Mike Tigas 08 Oct '18

08 Oct '18

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi y’all! I was asked to write up some notes on the CDMX Meeting for tor-mobile folks; figured the report might be useful to my fellow onionfolk in the way that other reports are on this list. Anyway, some updates on Onion Browser-ish things, with a focus on the Tor meeting (mostly just summarizing some notes I took and TODOs I made): * From before the meeting: A few weeks ago I finally posted to my Patreon after like, a year of silence? Something like that. There’s plenty of updates on the past year of work in there.[1] * I provided an update on installs/usage: Onion Browser crossed 1 million downloads at some point in April. There are about 1,700 app sessions per day (which only counts users who’ve opted in to analytics and sharing that data with app developers[2], so it’s a very low-ball count). * Folks are seeing a lot of fake “Tor” or “Onion Browser” apps in the Apple App Store or the Google Play Store. In the past we’ve submitted requests to Apple about apps using the Tor branding or the Onion Browser name. (Technically trademark is the only thing we have to act on, since our permissive OSS licenses allow redistribution as long as the correct license bits are written down in there.) Someone said we should maybe have something (in the wiki?) about what to do if you find someone else’s app pretending to be official Tor/Onion Browser/Orbot/etc -- like who to notify here, and what steps & language we use when submitting the request to the app stores. * I learned from Nick that as of 0.3.4.X, “DisableNetwork 1” now also disables unnecessary CPU wakeups (basically things only needed when Tor is connected) -- this might help with some of the stability issues that happen when the device sleeps (since I do set DisableNetwork when that event is triggered). * There’s (possible?) new funding from Guardian Project that will hopefully jump-start more work on Onion Browser again soon. Had a great conversation with Fabby who works with Guardian Project; looking forward to putting a roadmap together when I have some spare cycles again. (I’ll probably have more time to have those conversations in earnest after the US election.) * Started working on an update to Tor.framework (the little-t tor integrating bits that build into Onion Browser) to update the Tor in it. (It’s currently stuck on 0.3.3.x right now.) I’m like 99% sure the current issues are due to cleanup and refactoring in tor (like some of the work towards making it usable as a library). Couldn’t work on it in CDMX because I didn’t bring a Mac with Xcode on it, but I’ve been tinkering around with it since I got back.[3][4] Hopefully more on that soon. * Not exclusively Onion Browser related, but since I also do operate a few .onions, I was around a lot of conversations about .onion usability (esp with long v3 ones) and things like HTTPS Everywhere and alt-svc headers as solutions. I’d love to get some work in on alt-svc in Onion Browser[5], and maybe experiment with some explicit user consent like in [6]. Hand-in-hand with that, it could be cool to implement some built in list of well-known and well-attested clearnet -> onion site mappings in the app (going along with the HTTPS Everywhere ruleset in the app). [1]: https://www.patreon.com/posts/lots-of-long-21317240 [2]: https://support.apple.com/en-us/HT202100 [3]: https://github.com/iCepa/Tor.framework/compare/master...mtigas:tor_0_3_5_2-… [4]: https://github.com/OnionBrowser/OnionBrowser/commit/90dc95f11c2949d7114bc1f… [5]: https://github.com/OnionBrowser/OnionBrowser/issues/148 [6]: https://trac.torproject.org/projects/tor/attachment/ticket/21952/21952.png Cheers, Mike Tigas https://mike.tig.as/ | @mtigas 0xDFD760C4 | 0x6E0E9923 -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEGzfVMu3Uhpsce8OaFLh4upXaaEoFAlu765oACgkQFLh4upXa aEprCA/9EtaMTvV0OI46d9XrWHl3OXYQZxPE4XtG9tbXs0oB7fL9cUEJTRbdjSQE kBHHQ7gmJKGvoaBrNtjmRhc87QMQwhPC0vofMSWiXuZI41QKPE2GN+iVRMobHYaL qAJMtzzbu8SZrUtN9vkdxkgpPxuGhxdmvArlGsYhVXSgptcevSeqPAdDtbxAOTto 7jJ8GbK754wpnGRQA3BzkBO8gAiFSAyriMSODfcFIlsINf0ZP+FWzflgwzTh5HwJ 8cZ002CiHuXq+iqxJiRkbkLHI4ogipmKDDestQk5qX2XUPka/qe0qajmR1kaRzXx iqEbay+uicztULPC0R/X1sXPIlljx5UQWhJhWbOFRpz1V92oTq+qSvI5nL+52mw4 5otg5D3I8iIeHlla+iUKlS58dzkuSVSjKWbxUTQY03GGy1q2WYjZywmbwPFbUePA /AhzYs5Hhw1bSt3FL3B/aWsnifQjYpz2HoO2pogLkdYDkB3iDaVix7G2Wyg4Q/7q I2bbxak5Z3BiYYKmOA4y9m6fozxj4AmfaNTPMesad56uw3L7JdHslsBohCgEiitB rbC+tJOw+hH+mYf4vh66/qt9XOP/p3F3pj4i8SgJE0WeWXAIlESScsjKHw4JyNkm VLOtVrXNkN32sY0bsirhD/rrQPxiVogPbSTX80t62vP61BpzElqItwQBEwoAHRYh BOk8LVk3LzcQmzAuvZFvvD/f12DEBQJbu+ubAAoJEJFvvD/f12DEZkICCOB6XMFS RlQ0x16PkNoYJzZdetjiT8SkNTmnx5T1bk5mUjoJ0FAR7kOjl6T+bYLPzNcosya2 5sCpCDBiLO8x8TrlAgUXvpXo+uckSTIKGgU2b0fvGd4ZjtRuf2a42y29TPtjd/ZZ 0fpyI9vffzDg8hI7kBnLeKiHqxTrNnhS0BwtMHSmdg== =q/Ny -----END PGP SIGNATURE-----

1 0

Stem Release 1.7
by Damian Johnson 07 Oct '18

07 Oct '18

Hi all, I'm delighted to announce the release of Stem 1.7! https://blog.atagar.com/stem-release-1-7/ This is a full year’s accumulation of fixes and improvements. For a list of everything that's changed please see... https://stem.torproject.org/change_log.html#version-1-7 Cheers! -Damian

1 0

Tor user feedback update - September 2018
by Andie Eoch 03 Oct '18

03 Oct '18

Hey all! Welcome to September's user feedback update! First, I'd like to introduce myself - my name is Maggie, and I'm the new user advocate! Please don't hesitate to contact me with questions, suggestions, concerns, or your highest quality gifs. You can find me as wayward on IRC, as @meochaidha on twitter, or through email at waywardwyrd at protonmail dot com. I've started a new sheet to track user feedback and bug reports for the next months. Data from this month was gathered from comments on the Tor blog, r/TOR [1], IRC, and stackexchange. You can find the user feedback sheet below [2]. If you have any suggestions for new fields in this doc, or for other info to include in these monthly summaries, please let me know! TL;DR: Overall, it looks like the team did a really stellar job of tackling issues that popped up after the TB 8.0 release. We still have room for improvement in terms of new user education, accessibility, and advocacy. ---- Most popular tags on StackExchange: - tor-browser-bundle: 5 this week, 26 this month - configuration: 12 this month - security: 9 this month - windows: 10 this month - linux: 8 this month - hidden-services: 6 this month - anonymity: 6 this month - bridge: 5 this month -- The biggest issues of September have been: - crashes on OSX after updating to TB 8.0.1+ (#27482) [3] - RESOLVED - crashes with various linux distros: ------ older Ubuntu/Mint distros (#27508) [4] - OPEN ------ CentOS 6 (#27552) [5] - RESOLVED - dissatisfaction with the changes to user agent spoofing (#26146) [6] - RESOLVED - issues with UI after updating to TB 8.0, including missing bookmark bar (#27264) [7] and Tor icon (#27175) [8]; both RESOLVED - NoScript is not saving per-site permissions (#27175) [9] - RESOLVED - users are confused by the change to the location of circuit information - some users think it was removed (#27663) [10] - MODIFIED - disabling accessibility on Windows breaks screenreaders (#27503) [11]. High priority - OPEN- Tor 0.3.4.8 is leaking memory (#27813) [12] - OPEN (you can find a more complete list of TB8-related tickets below, as well! [13]) -- Common questions from users this month (many answered on FAQ, links in annotations): - What is Tor [14], and why should I use it? - Does using a VPN with Tor improve or harm privacy [15]? - How can I use Tor on my iPad? [16] - Do I need to use Tor for regular browsing; or, when is it appropriate to use Tor? - Why is my relay using less bandwidth now that it received a guard flag [17]? - My school blocked the Tor executable - how do I access Tor now? - Does using a Firefox theme (night mode, etc.) with the Tor browser de-anonymize me? - There's a lot of general confusion when things break (expectedly) in the higher security slider settings - perhaps we should consider how to make the effects of security levels clearer, or adding an FAQ entry? -- Thanks, team! Come find me and say hi if you're at the Mexico City meeting this week, and give me all the feedback you have [18]! ---- /annotations/ 1. what do they think this is, an ACRONYM or something ? ? ? ? ? 2. https://storm.torproject.org/shared/mPq1dBuXpcPIk1W5QUI883VHHKpkgR65Z6RIJmG… 3. https://trac.torproject.org/projects/tor/ticket/27482 4. https://trac.torproject.org/projects/tor/ticket/27508 5. https://trac.torproject.org/projects/tor/ticket/27552 6. https://trac.torproject.org/projects/tor/ticket/26146 7. https://trac.torproject.org/projects/tor/ticket/27264 8. https://trac.torproject.org/projects/tor/ticket/27175 9. https://trac.torproject.org/projects/tor/ticket/27175 10. https://trac.torproject.org/projects/tor/ticket/27663 11. https://trac.torproject.org/projects/tor/ticket/27503 12. https://trac.torproject.org/projects/tor/ticket/27813 13. [https://trac.torproject.org/projects/tor/query?status=!closed&keywords=~tbb… 14. https://www.torproject.org/docs/faq.html.en#WhatIsTor 15. https://www.torproject.org/docs/faq.html.en#IsTorLikeAVPN 16. https://www.torproject.org/docs/faq.html.en#Mobile 17. https://www.torproject.org/docs/faq.html.en#MyRelayRecentlyGotTheGuardFlagA… 18. https://imgur.com/a/Vr7gf0X ---- Maggie Tor Project Community Team pronouns: she/they | twitter: [@meochaidha](https://www.twitter.com/meochaidha) pgp: 0626 9C68 D0CC 1A5B E41B 72F2 615E B878 975C 4CDC

1 0

Key Signing Party! send your key DEADLINE Sept 29th
by emma peel 01 Oct '18

01 Oct '18

Hello people! So, I will be hosting a Key Signing party in Mexico during the Tor Meeting. Key signing parties should be called certificate verification parties but we are conditioned by the interface, so we call it key signing. Please send me your key on a signed email (unless is another kind of key...), even if it is already in db.torproject.org. before Sept. 29th. ------------------- DEADLINE Sept 29th. ------------------- You also need to be present on the party to get signatures... Lets verify and kill the MitM! ------------------------------------------------------------------ INSTRUCTIONS ------------------------------------------------------------------ Please don't participate of the party if you don't want public signatures... it creates overhead and its very likely that somebody will upload your key to the server with a new signature! Make sure you have a 4096 bit RSA key. If not, generate a new one: http://ekaia.org/blog/2009/05/10/creating-new-gpgkey/ Make sure you follow the OpenPGP Best Practices: https://riseup.net/en/security/message-security/openpgp/best-practices You can get your key on a file called mynickname.asc by doing: gpg --export --armor [your fingerprint] mynickname.asc You can also use this opportunity to add your OTR fingerprints, or other services you may want to certify for the people attending. For the OTR fingerprint, depending on your client: Pidgin: https://otr.cypherpunks.ca/help/fingerprint.php Adium: https://adium.im/help/pgs/AdvancedFeatures-OTREncryption.html BitlBee: otr info irssi: /otr info At the meeting: verify ====================== 0. don't sign anything! 1. i will send the final file the day before, through the list 2. you can come with your laptop, or with a printed version of the file. 3. if you print the file, write the output of this command on the paper: gpg --print-md sha256 fingerprint-verification-unverified.txt 4. read out the checksum and make sure everyone has the same file 5. create a copy of the file to make notes: % cp fingerprint-verification-unverified.txt fingerprint-verification-annotated.txt 6. everyone (silently): verify your fingerprint(s) and user ID(s) in the document are correct 7. everyone (publically): identify yourself and verify that the fingerprint(s) and user ID(s) are correct 8. everyone: fill in the checkboxes in fingerprint-verification-annotated.txt: Fingerprint OK, ID OK 9. when done, sign the document: gpg --detach-sign fingerprint-verification-annotated.txt 10. at home, sign the keys.

3 3

Network team meeting notes, 24 Sep 2018
by Nick Mathewson 25 Sep '18

25 Sep '18

Hello! (So you know, we won't be having an online meeting next week.) Our meeting logs are available from http://meetbot.debian.net/tor-meeting/2018/tor-meeting.2018-09-24-16.59.html The contents of our pad are below. = Network team meeting pad! = Welcome to our meeting! Mondays at 1700 UTC on #tor-meeting on OFTC. (This channel is logged while meetings are in progress.) Want to participate? Awesome! Here's what to do: 1. If you have updates, enter them below, under your name. 2. If you see anything you want to talk about in your updates, put them in boldface! 3. Show up to the IRC meeting and say hi! Note the meeting location: #tor-meeting on OFTC! (See https://lists.torproject.org/pipermail/tor-project/2017-September/001459.ht… for background.) After each week's meetings, the contents of this pad will be sent to tor-project @ lists.torproject.org. After that is done, the pad can be used for the next week. == Previous notes == (Search the list archive for older notes.) 4 Sep: https://lists.torproject.org/pipermail/tor-project/2018-September/001965.ht… 10 Sep: https://lists.torproject.org/pipermail/tor-project/2018-September/001972.ht… 17 Sep: https://lists.torproject.org/pipermail/tor-project/2018-September/001982.ht… 24 Sep: == Stuff to do every week = * Let's check and update the roadmap. What's done, and what's coming up? url to roadmap: https://docs.google.com/spreadsheets/d/1Ufrun1khEo5Cwd6OwngERn829wU3W3eskdr… * Check reviewer assignments at https://docs.google.com/spreadsheets/d/1Ufrun1khEo5Cwd6OwngERn829wU3W3eskdr… * Also, let's check for things we need update on our spreadsheet! Are there important documents we should link to? Things we should archive? * Check rotations at https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/TeamRot… * Community guides, it's time to hand off to the next guide! * Let's look at proposed tickets! [but see discussion] https://trac.torproject.org/projects/tor/query?status=accepted&status=assig… == Reminders == * Remember to "/me status: foo" at least once daily. * Remember that our current code reviews should be done by end-of-week. * Make sure you are in touch with everybody with whom you are doing work for the next releases ------------------------------- ---- 24 September 2018 ------------------------------- == Announcements == Tor 0.3.2 will not be supported past 9 October (2 weeks from now): https://trac.torproject.org/projects/tor/wiki/org/teams/NetworkTeam/CoreTor… Here are the Mexico City meeting schedules: https://trac.torproject.org/projects/tor/wiki/org/meetings/2018MexicoCity/D… https://trac.torproject.org/projects/tor/wiki/org/meetings/2018MexicoCity/P… Tor employees, please do timesheets each week, or in the worst case by the end of the month. The new schema (all network team work goes in "Network Team") should make this much faster. == Discussion == * Let's defer non-essential tickets from the 0.3.5.x-final milestone * [dgoulet] asn and I haven't assign needs_review yet. Do we want it considering Tor meeting or not? If yes, only 035 or not? * On the meeting: Are we missing any sessions we need? Are there any sessions we don't need? [isa] what prep work we can do for roadmaping in Mexico? -> https://pad.riseup.net/p/tor-nt-roadmap-prep-keep == Updates == teor (offline): last week: - Travel preparation - Meeting schedules and preparation - Worked on #27288 and children - required protocol error - Review the 0.3.5.1-alpha changelog, make check-changes better (#27761) - make macOS Travis much faster by changing how we install dependencies (#27738) - Code reviews for PrivCount in Tor, protover, macOS i386 time, client auto IPv6 this week: - More travel preparation - Sit on planes and in airports - Take some time off before the meeting - Work out what needs to be done at the meeting, and what can wait until after - I am on the CI rotation, but I'll be offline for at least 3/5 days asn: [Flying to Mexico tomorrow. Will be packing and having dinner with family tonight. Very likely not at the meeting] Last week: - Helped isabela with onion funding proposal - Wrote SponsorV annual report - Review many v3 tickets: #27774, #27410, #27797, #27550. - Re-review #4700. - Review #27709. - Review CF's latest blog post. - Feedback for #27471. This week: - Packing and travelling to Mexico. Nick: Last week: * Revised whitepaper on sidechannels. * Hunted 0.3.5.1-alpha bugs * Released 0.3.5.1-alpha * Diagnosed and fixed #27795 (fd miscouting leading to Tor thinking it was out of FDs) * Made Tor compile happily with -flto * Released 0.3.5.2-alpha to fix #27795 * Patches to split a few modules that were large and/or not where they belonged. * Wrote proposal 297 to suggest a change to protover-based shutdown behavior * Review, merge, etc This week: * PETS reviews * More module splitting * Defer more tickets from 0.3.5 * More Mexico prep * Probably taking short days on Thu/Fri to make up for working over this coming weekend. * See you in Mexico on Saturday morning! dgoulet: Last week: - Worked on annoying HS bugs: #27410, #27550 and #27774 specifically. - Patch for #27549 again in the HS code. - 035 ticket review (See Timeline for this). - Started writing a unit test for #27471 theory so we can test the proposed solution. This week: - Planning to continue the 035 review/patch ticket work. - I'll also tackle some long standing HSv3 bugs which includes #27838 that re-appeared today. #27471 of course to finalize. - I'm on Ticket Triage this week. ahf Last week: Sponsor 8: - More patch work for #25502. - Started an experiment with trying to use Rust's mio for event loop in Tor. Misc: - Reviewed: #27686 - Added some documentation for #4700 and got it landed. - Went over CV's for the sysadmin job opening. - Helped some people trying to understand the #4700 proxy code and the whole CF onion thing. - Read the DeepCorr paper. This week: - Comment on sysadmin CV's/ranking. - Travel to Mexico(!!!) - Some preparation for the Mexico trip. catalyst: last week (2018-W38): - somewhat unwell, hopefully just travel vaccines - bug triage rotation - code reviews - travel prep - troubleshooting for #27484 after seeing it myself this week (2018-W39): - CI+Coverity rotation - more travel prep - Mexico City - people who do Rust, i could use some opinions on "how do we want to do dependency updates anyway?" for #27130 Mike (having IRC shell issues? hrmm..): Last week: - Mexico City travel mails - Vanguard updates - Fixed up #23512 This week: - Travel prep - Vanguards release? - WTF-PAD work Gaba: Last week: - Onboarding with Isa This week: - Reading and preping for mexico

1 0

Job opening - Software Developer for Anti-Censorship Team
by Erin Wyatt 24 Sep '18

24 Sep '18

Hi everyone! We have a new job opening for a software developer on the (new) Anti-Censorship Team! Please help us spread the word. You can forward the job description directly to a person whom you think would be great, you could share it on your social media, and/or you could forward it to a mailing list! Every share helps get us closer to finding the magical person who will fill this position. :) The job description is on our website: https://www.torproject.org/about/jobs-developer-anti-censorship.html.en, pasted below, and attached as a PDF. Thank you, everyone! Have a great week. :) Cheers, Erin Wyatt HR Manager ewyatt(a)torproject.org GPG Fingerprint: 35E7 2A9F 6655 45F9 2CB6 6624 BA0C 9400 F80F 91CE ————————————>8————————————>8————————————>8 Internet Freedom Nonprofit Seeks Software Developer for Anti-Censorship Team The Tor Project, Inc., a 501(c)(3) nonprofit organization advancing human rights and freedoms by creating and deploying free and open source anonymity and privacy technologies, is seeking an experienced Software Developer to take our anti-censorship work to the next level. Tor is for everyone, and we are actively working to build a team that represents people from all over the world — people from diverse ethnic, national, and cultural backgrounds; people from all walks of life. Racial minorities, non-gender-binary people, women, and people from any group that is generally underrepresented in tech are encouraged to apply. This developer will improve the user experience process of finding alternate routes to the Tor network when censorship events are blocking access in their host countries. Experience with Internet security and knowledge of obfuscation technologies would be a big help. Personal commitment to open source and using your advanced programming skills for the greater good is essential. This developer position will be an integral part of our brand new Anti-Censorship Team. Main responsibilities for this position are: • Devise metrics and load balancing mechanisms for our current and future bridge distribution system. • Analyze our current BridgeDB design to determine how it can better leverage other circumvention solutions, such as newer pluggable transports (PTs). • Review our current list of PTs and decide which we should continue to maintain. • Evaluate new Pluggable Transports against our criteria to determine if they should be supported. • Work with other members of the anti-censorship team lead to evaluate, pick and implement censorship-resistant discovery mechanisms for pluggable transport addresses. • Evaluate cryptographic solutions to rate limiting bridge distribution, and if any are feasible, implement them. Required qualifications: • extensive experience writing and evaluating code in Python and Go • experience in designing and documenting software engineering solutions to problems; • self-directed • comfortable and reliable with working remotely Preferred qualifications: • development experience in Rust • understanding of the Tor pluggable transport ecosystem and the censorship circumvention research space • familiarity with developing and scaling distributed systems • previous contributions to other open source projects Experience working with open source communities and/or a dedication to Internet freedom are added pluses. This is a full-time position that can be done remotely/internationally or in our office in Seattle, WA. To apply, send a cover letter that includes a statement about why you want to work at the Tor Project, your CV/resume (including three professional references), and a link to a code sample or some non-trivial software project you have significantly contributed to. The email should go to job-anticensor at torproject dot org with “Anti-Censorship Developer” in the subject line. No phone calls please! The Tor Project's workforce is smart and committed. The Tor Project currently has a paid and contract staff of around 47 developers and operational support staff, plus many thousands of volunteers who contribute to our work. The Tor Project is funded in part by government research and development grants, and in part by individual, foundation and corporate donations. Flexible salary, depending on experience. The Tor Project has a competitive benefits package, including a generous PTO policy; 14 paid holidays per year (including the week between Christmas and New Year's, when the office is closed); health, vision, dental, disability, and life insurance paid in full for employee; and flexible work schedule. The Tor Project, Inc., is an equal opportunity, affirmative action employer.

1 0

Notes from September 20 2018 Vegas team meeting
by Karsten Loesing 21 Sep '18

21 Sep '18

Notes for September 20 2018 meeting: Shari: 1) Pulling together little things for audit. 2) Pulling together bigger things for board meeting in Mexico. 3) Helping with some last minute things re: Mexico meeting. 4) Must finish Sida budget revision today. 5) Pushing along some stuff that has been stuck. Sue: 1) Audit moving along - still working to complete all selections with auditors 2) Onboarding two new employees - trying to delegate as much as I can while doing the audit 3) Working on Mexico City items to discuss at employee/contractor meetings - time sheets, expense reports, etc. Nick: 1) Alpha came out; expecting new alphas every so often 2) About to release whitepaper about UDP and sidechannel research that it needs. I'd like to pull Roger and Mike into a discussion. Alison: 1) woooooooooooooooooo getting all the things done before the meeting!!!!!!! 2) SOTO stuff ready? Please let me know ASAP if you're using slides. Mike: 1) Wrapped up my things for Tor release 2) karsten: I have a question about metrics' use of CIRC_BW events for you (offline/after) 3) Wrote on Mexico safety+security mail Arturo: 1) The OONI Probe mobile app illustrations are done and they look great! 2) Collecting feedback and iterating on OONI Explorer mockups 3) Improving based on feedback the OONI Probe mobile app Android prototype 4) Infrastructure housekeeping and data migration 5) A lot of progress with the OONI Probe desktop app and CLI: https://github.com/ooni/probe-cli/pull/16, https://github.com/ooni/probe-desktop/pull/17 6) Updated test lists: https://github.com/citizenlab/test-lists/pull/392, https://github.com/citizenlab/test-lists/pull/389, https://github.com/citizenlab/test-lists/pull/390, https://github.com/citizenlab/test-lists/pull/391 7) Established new partnership with Paraguay's TEDIC: https://twitter.com/OpenObservatory/status/1042760192197373952 Sarah: 1) Creating a calendar and list of deliverables for YE campaign. Will be looping others into the planning document later today. 2) Updating Tor's Guidestar profile which donors often reference before giving. The info there is also utilized by donation tools like AmazonSmile. 3) Gathering materials for Tor's state registrations for fundraising. 4) Arranging meetings in Mexico. Steph: 1) answered press inquiries about the cloudflare onions, drafted a statement 2) drafted a Tor stories blog post and survey, now in review 3) promoting Toronto library event and TB pilot program 4) prepped with isa for a podcast 5) getting tweets translated with help from emma & antonela Karsten: 1) Released ExoneraTor 4.0.0 that reduces the overall database from 243G to 63G and mean response time from 18.9 to 2.3 seconds. 2) Started a survey to get input on our Tor Metrics 2018/19 roadmap. If you have suggestions what we should take into account, please participate in this survey: https://survey.torproject.org/index.php/987123 ! It runs until next Wednesday. Georg: 1) Release fun++ (we were ready to release 8.0.1/8.5a2 but need to pick up additional Firefox patches) 2) Shari: I want to offer someone a contract for fixing one of our bugs (#27503) as we can't do it ourselves well and reached out to someone to give me an estimate about cost/time. It should be about 2-3 days of work. How can we proceed here? [how much will it cost? If it's not too much, we could just offer that person a contract - Shari]

1 0