- tor-project - lists.torproject.org

OONI Monthly Report: July 2017
by Arturo Filastò 16 Aug '17

16 Aug '17

Hi Tor! This is what OONI has been up to in July 2017. # OONI Monthly Report: July 2017 The OONI team had an exciting month, having had the opportunity to host the first OONI Partner Gathering and to attend the Citizen Lab Summer Institute (CLSI). We made a new release of our mobile apps, including push notifications to remind users to repeat tests regularly, and the integration of the DASH streaming test which is designed to measure the quality of tested networks by emulating a video streaming. We made significant progress on the re-engineering of our data processing pipeline and on probe orchestration. We also updated various test lists in collaboration with our partners, and we hosted our monthly community meeting. ## Organized and hosted the first OONI Partner Gathering Thanks to support from the OTF Community Lab, the Ford Foundation, and the Media Democracy Fund (MDF), we were able to host our first OONI Partner Gathering! The event was hosted at the University of Toronto on 10th & 11th July 2017. The aim of this two-day event was to bring our international partners together to share skills, knowledge, and research findings. We reflected on our collaboration over the last year, and we brainstormed on future goals and priorities to improve our collaboration on the study of internet censorship. We published a report which provides an overview of the event, its sessions, partner challenges and needs, future goals and priorities, and event outcomes. The report can be found here: https://ooni.torproject.org/post/ooni-partner-gathering-2017/ The event's agenda and session notes can be found here: https://github.com/OpenObservatory/gatherings/tree/master/partner-gathering… As part of the event, we interviewed some of our partners. Their interviews will be published on our website within the next month(s). ## New release: Push notifications and integration of the DASH streaming test into the ooniprobe mobile apps During July we made a new release of our mobile apps, including the following two exciting new features: * Push notifications * DASH streaming test Push notifications will allow us to send messages and alerts to OONI probes all around the world. This is a particularly important feature as it will allow us to communicate directly with probe users, provide instructions, and to encourage users to run specific tests when emergent censorship events are reported by local communities. We implemented a first type of notification that sends a text message and an array of URLs, when this notification is opened in the app, a custom web browser opens the first URL and if there is some connectivity error, the user can cycle to the next (to avoid possible censorship). This first push notification support for apps are only informative: it allows us to send messages to ooniprobe users and engage them to run the app more, in the next release there will be a support to run tests remotely. OONI's new DASH streaming test is designed to measure video streaming performance. DASH, in particular, is designed to measure the quality of tested networks by emulating a video streaming. This test can be useful for examining cases of throttling and potential net neutrality violations. We published a detailed description of the DASH test on our website, which can be found here: https://ooni.torproject.org/nettest/dash/ ## Progress on the re-engineering of our data processing pipeline This month we made a lot of progress on the data processing pipeline. * We migrated blockpages fingerprints to the new pipeline database format to make migration of OONI Explorer to the news DB format possible. * We tackled some differences in old and new pipeline results while running two pipelines side-by-side. * We started hardening distributed pipeline infrastructure with firewalls and better monitoring to prevent incidents. * We started the process of freeing unused computing resources (virtual machines) allocated to OONI infrastructure in OTF cloud. ## Progress on probe orchestration In the area of probe orchestration we made a series of very important improvements, namely: * We deployed to production probe orchestration with message alert push notifications * Released a new version of the ooniprobe mobile apps that supports receiving push notifications * Made various improvements and bugfixes to the orchestration system Learn more by checking out the Changelog: https://github.com/TheTorProject/proteus/blob/master/ChangeLog.md ## Updated test lists During July we created a new test list for Mali, in collaboration with our local partners. This test list can be found here: https://github.com/citizenlab/test-lists/pull/192 We also updated the Egyptian test list to include URLs that were recently reported to be blocked by locals. The updates can be found here: https://github.com/citizenlab/test-lists/pull/194 Furthermore, we added BBC domains to multiple country-specific test lists: https://github.com/citizenlab/test-lists/pull/193 ## Attended the Citizen Lab Summer Institute (CLSI) The OONI team had the opportunity to attend the Citizen Lab Summer Institute (CLSI) in Toronto from 12th-14th July 2017 (https://citizenlab.ca/summerinstitute/2017.html) As part of the event, we facilitated the following sessions: * Presentation of OONI as part of the "Measurement Methods and Tool Showcase" session (Day 2) * Introduction to Network Measurement Research (Day 2) * OONI Partnership Program (Day 2) * Internet Blackout Detection (Day 3) * Contextualizing Censorship Measurement Research (Day 3) As an outcome of our participation at the CLSI, we expect to form new partnerships, to better inform the development of our methodologies (particularly those related to measuring internet blackouts), and to create a community-driven database that contextualizes network measurement data. ### Community meeting We hosted our monthly community meeting on https://slack.openobservatory.org/ on 25th July 2017. As part of the meeting, we discussed the next steps for the development of a methodology for the automatic detection and examination of internet blackouts in regions of India. ## Userbase In July 2017 ooniprobe was run 65,331 times from 1,606 different vantage points across 158 countries around the world. This information can also be found through our stats here: https://measurements.ooni.torproject.org/stats ~ The OONI team.

1 0

Network team meeting, 14 August 2017
by Alexander Færøy 14 Aug '17

14 Aug '17

Hello! It's vacation season so a lot of people are out this week, but the remaining people in the network team had a short meeting today on IRC. The minutes from the IRC meeting can be found at http://meetbot.debian.net/tor-dev/2017/tor-dev.2017-08-14-17.00.html The pad content can be found here: --- snip --- Network team meeting, 14 August 2017 Announcements and requests: - Nick has opened review-group-22. Have a look! Please review things! - Nick's out of town this week. - After the meeting, somebody please send out a copy of this pad and a link to the logs for tor-project@ - How early should people arrive for Montreal anyway? [to team mailing list] Nick: * Last week * Hacks and merges on stuff for R, Q, V, etc. * Numerous bugfixes and cleanups * Grabbed lots of small tickets * Sent out proposal 280 (privcount in tor) * Wrote and sent out proposal 281 (downloading microdescriptors in smarter ways) * Collected lists of things we did for NSF and sponsor4. (ahf, isabela, I sent you email about the sponsor4 status stuff I did) * Wrapped up one last sponsor4 task (#23220) * Started writing proposals on authority refactoring, TLS 1.3 migration * This week * On vacation! (I'll see personal mail, and mostly ignore lists) * probably not hacking, unless I get bored in the car or something ;) * The week after * I'm planning to release 0.3.1.6-rc. Please help with bugfixing! haxxpop: * Last week - run a fuzzing test on an outer layer of hsv3 desc and found a bug (#23233) * This week - write an inner layer fuzzing of hsv3 desc and run it to find some bugs ahf Last week: Sponsor 8: - Went out and got a spare nexus 5 to test on. - Started collecting metrics via the dump system subsystem on Android (on device). - Gave up on the simulator: too slow and querky to do anything useful with except looking at the apps themselves. Misc: - Misc. reviews. - Went to SHA2017 - met a lot of nice Tor users, did a talk. - Tried to keep the next-gen HS running as david+george's prop 244 work. This week: Sponsor 8: - Start looking into Nick's list of timed events, start trying to minimize them, check if it has a direct effect on the measurements. Sponsor 4: - Go over Nick's comments to the prop 278 merge, send new one to review for when he's back from vacation. Misc: - Figure out how to get to montreal: is _all_ network team meetings set in stone now? Next week: - I have vacation to do BornHack! Mike Last week: - Recovering from back injury. This week: - Still recovering, and preparing for vacation - Going to try to get patches ready for #23077 and #23097 before I go. isis: Last week: - Reviewed Chelsea's protover - Wrote up more Ristretto specs - Spent ~1 day total mentoring the intern for the bridge bandwidth project This week: - Mostly AFK to go speak at RustConf catalyst: Last week (2017-W32): - chased down Roger's complaint about variable shadowing warnings from gcc post-hs-merge. Turns out there's an old gcc bug that made it complain about shadowing functions with variables. We should probably ignore those warnings because modern compilers are more discerning - more investigation about bridge bypass (#20532); blocked by some weird hard-to-reproduce issues on Tor Browser - some Montreal meeting logistics. Turns out air travel for me tends to require awkward routings now that I'm not in something that pretends to be an airline hub - met with Nick, Roger, and a few others (tbb-dev types?) about https://pad.riseup.net/p/tor-client-progress - community team sprint. Tried out a few GetTor things and opened tickets suggesting improvements This week (2017-W33): - make more progress on #20532 - make more progress on improving bootstrap progress/error reporting (some good ideas already noted in the pad) komlo: - Last week: - Came up with a rust kata for Montreal, will send that out soon if people want to start beforehand - This week: - Fixing up rust protover from Isis's review --- snip --- Cheers, Alex.

1 0

Notes from August 10 2017 Vegas team meeting
by Karsten Loesing 12 Aug '17

12 Aug '17

Notes for August 10 2017 meeting: Roger: 1) We disappear on weekends. :/ https://lists.torproject.org/pipermail/tor-project/2017-August/001370.html 2) Did my defcon talk last week, with ~2k people in the audience. (Two follow-up talk invites, to Sofia and Kiev) Created the speaking@ alias to help coordinate our response to talk invites. 3) I'm going to say yes to a McGill Tor talk that Biella is organizing right after Montreal Mtg 4) I'm working on an NSF Medium proposal with Prateek and Aaron, due October 5) Brad: we got our no-cost-extension for SponsorQ 6) I published some of the Tor Research Safety Board cases: https://research.torproject.org/safetyboard.html#examples 7) I'm off to FOCI/Usenix security this weekend/next week, and will be less online the week after. 8) I'm currently buried in NSF annual report writing. Nick: 1) Out next week. Will see personal email. 2) Service-side HS implementation is merged. Client-side should be ready for review once I'm back from vacation. Shari: 1) Working on various grant proposals. 2) Trying to work through backlog of emails after some travel. 3) Some personnel stuff. Mike: 1) Back re-injury last week. Spent most of the week either in bed, or stretching. 2) Supposed to be on vacation starting mid next week, but this may not happen. Alison: 1) Monitoring support wiki blog comments and preparing for tomorrow's support wiki sprint. 2) Working on a few grant related things and waiting to hear back from one Big One 3) Sent out another draft of the membership guidelines 4) Speakers bureau is going pretty well so far! We've started handing out speaking engagements as they come in, and I'm looking around for training resources for the Montreal meeting. 5) The only thing I have to discuss is Montreal meeting planning! Steph: 1) Working w GR on newsletter setup. 2) Managing blogs 3) Finding speakers, responding to press. Got some answers up on TheQuestion english and russian. 4) Finishing odf templates. Will next get these living somewhere 5) Social media. We're up to over 1k new followers on twitter each week Georg: 1) The bug bounty program is a success so far I think but it still involves quite some work to follow up on reports 2) We made progress with the browser dev hiring; first interview yesterday, two more to come today 3) Sponsor4 money is running out in about 3 months (affecting at least the current Tor Browser team). What are the follow-up plans? <- shari, brad and isabela will look at it again and we'll take the planning from that

1 0

Trac offline for a few hours - now back
by Silvia [Hiro] 10 Aug '17

10 Aug '17

Hi, Some of you might have noticed that trac was offline and sad for a few hours. This was due to a scheduled update to the VM where trac lives. We also updated trac installation itself and a few plugings. If you notice anything amiss please open a ticket (or in case trac doesn't work send me an email directly). Talk soon, -hiro

1 0

Community Team July report
by Alison Macrina 09 Aug '17

09 Aug '17

Here are the highlights of the Community Team's work in July 2017: July 2017 Community Team report Meeting notes July 2017 ================================================================== https://trac.torproject.org/projects/tor/wiki/org/teams/CommunityTeam#Curre… Tor Meeting planning ================================================================== Invites for the Tor Montreal Meeting have gone out, and now the Vegas Leads (which includes Alison) are organizing the week's events and will soon start soliciting ideas for the schedule. Support portal/support wiki ================================================================== A number of us who work on support met in July to talk about support needs. We also did a lot of work on the support wiki, which is now public: https://trac.torproject.org/projects/tor/wiki/org/teams/CommunityTeam/Suppo… We published a blog post announcing the wiki and soliciting more feedback: https://blog.torproject.org/blog/get-immediate-help-our-new-support-wiki In August, we'll have a support wiki sprint to incorporate some of that feedback and add more questions and answers. Community documents ================================================================== Alison and catalyst worked on the code of conduct draft some. The contributor guidelines discussion continued on the tor-internal@ list. We'll send another updated draft in early August. Alison also worked on a FOSS/Tor history and culture onboarding doc that will get published to the onboarding wiki in August. Library Freedom Project ================================================================== Held outreach/training events for the Society of American Archivists, Drexel University, and Oregon librarians. Worked with NYCLU on an upcoming privacy training. Drafted some grants, including a couple for graphic design and website work. Made plans for upcoming talks, including one at a freedom of expression conference in Paris. Speakers bureau ================================================================== The community and communications teams organized a group of people for the Tor Speakers Bureau in order to empower more people to speak about Tor and broaden our outreach. The next step for the Speakers Bureau is to participate in public speaking training. We hope to do some of this in person at the Montreal meeting. Google Summer of Code ================================================================== Lots happening with GSoC in July, so here are all of the current GSoC project reports: unMessage reports: https://lists.torproject.org/pipermail/tor-project/2017-July/001318.html https://lists.torproject.org/pipermail/tor-project/2017-July/001260.html anon-connection-wizard reports: https://lists.torproject.org/pipermail/tor-project/2017-July/001315.html https://lists.torproject.org/pipermail/tor-project/2017-July/001258.html Tor Browser Crash Reporter: https://lists.torproject.org/pipermail/tor-project/2017-July/001317.html https://lists.torproject.org/pipermail/tor-project/2017-July/001259.html Improving Ahmia: https://lists.torproject.org/pipermail/tor-project/2017-July/001319.html https://lists.torproject.org/pipermail/tor-project/2017-July/001254.html GSoC finals begin August 29th! ================================================================== Next up: more Tor Montreal meeting planning, more work on the code of conduct draft, finishing the contributor guidelines, more work on the support wiki including the sprint. ================================================================== Thanks for reading! -- Alison Macrina Community Team Lead The Tor Project

1 0

support the torproject with bridges
by Felix 09 Aug '17

09 Aug '17

Hi everybody I would be happy to support the torproject with two bridges as default TBB bridges. Each is * RelayBandwidthRate 15000 KB, RelayBandwidthBurst 30000 KB * The server where they are on currently moves 350Mbit in and 350Mbit out. If the bridges are accepted I will prefer their need for bw. * Tor 0.3.0.10 (git-c33db290a9d8d0f9) running on FreeBSD with Libevent 2.1.8-stable, OpenSSL LibreSSL 2.5.3 and Zlib 1.2.8 and obfs4 0.0.8. * E3-1230 v5 @ 3.40GHz, dedicated server * The location is Germany Last year I joined the Tor break outs at ccc Hamburg and noticed there is a need for reliable bridges. So here we are. Please ask if you need more information. [1] http://lists.nycbug.org/pipermail/tor-bsd/2017-August/000556.html > > I have two bridges running on FreeBSD with obfs4 'griinchux' > > and 'zipfelmuetze'. > > They work for me but see only some clients per day. > > Both are on a multihomed server so bandwidth can be balanced > > between relays and those. > > If usefull one can put them to the list. Better test it to your > > needs before. > You probably shouldn't run exits and default bridges at the same time. I'm not running exits. > You can email tor-project(a)lists.torproject.org to offer your bridge. > Tell us how fast it is and which country it is in. See above. > You MUST NOT include the bridge IP address in public emails. > Only send that after it has been accepted. Clear. -- Cheers, Felix

5 4

Make it harder to brute-force Trac user passwords
by Jens Kubieziel 08 Aug '17

08 Aug '17

Hi, recently I had a discussion with GeKo about brute-forcing trac accounts. Someone reported that trac allows to test username/password combinations without having an upper limit. This resulted in https://trac.torproject.org/projects/tor/ticket/23120 and I set the the maximum amount to 17 (chosen arbitrarily). When an account is locked an admin has to unlock it. However I received some mails who raised the point that people can now lock out legitimate users quite easily. Thatswhy I want to discusss this here. What happens when people sucessfully guess a password? In general people can create an account or use the cypherpunks account to gain more permissions. So it doesn't make sense to guess those passwords. However it gets more interesting when someone guesses the password of a member of the TRAC_ADMIN group. Then the attacker can read our configuration and create some havoc. However with the current setup it is hardly possible to change trac.ini. Even TRAC_ADMIN has not the permissions to do so. So we lived with this risk in the last years and simply relied on the fact that people choose a secure (aka hard-to-guess) password. So we just could return to this state. If we choose to do something against password-guessing attacks, we could choose the current solution. This means after n attempts (currently n=17) the account gets locked and only a admin can unlock it. This has the risk that attackers can lock out legitimate users. The trac cookbook list some other possibilities (<URL:https://trac-hacks.org/wiki/CookBook/AccountManagerPluginConfiguration>) to configure the account locking. In general it can be configured to release the lock after some amount of time. However each visit to trac happens at Unix epoch by configuration, so the plugin would never release the lock. If we want to configure automatic unlocking, we would have to change our webserver settings (as far as I see it). How should we set up trac regarding brute-forcing? Are there other possibilities I missed? I'd love to hear your feedback on this. -- Jens Kubieziel http://www.kubieziel.de Wenn der Mensch so viel Vernunft hätte wie Verstand, wäre alles viel einfacher. Dr. Linus Carl Pauling

4 5

Network team meeting, 7 August 2017
by Nick Mathewson 07 Aug '17

07 Aug '17

Hello, friends! We had another network team meeting today. The log is at http://meetbot.debian.net/tor-dev/2017/tor-dev.2017-08-07-17.00.html Notes from the pad are below. A lot of people are out for various time periods during August. Network team meeting, 7 August 2017 Notes from last week: https://lists.torproject.org/pipermail/tor-project/2017-July/001337.html Reminders: - 0.3.1.x was scheduled to be stable last week; nickm postponed it one month to 5 September. - 15 September is the 0.3.2.x freeze. Nick: * Last week - Finished and circulated draft of privcount-in-tor proposal to privcount authors; updated code to match. - Finished reviewing #20657 (prop224, server-side); reviewed first round of fixes. - Reviewed and merged lots of branches, fixed lots of regressions. - Released 0.3.1.5-alpha, 0.3.0.10 - Announced the end of 0.2.4, 0.2.6, and 0.2.7. - Wrote a bunch of little patches * This week - Send privcount draft to tor-dev; open tickets; etc. - Review and comment on tor-client-progress draft. - Review #20657 2nd round of fixes, and maybe 3rd? - Get ready for being out of town next week. Anything I should do/know this week? - More hacking, probably. - Should I do 0.3.1.6-rc this week? (No. Once back from vacation.) komlo: - This week: - first round of rust protover code review by isis - write fuzzing tests for protover ffi - Next week: - Schedule for rust hackfest asn Last week: - Fixing up #20657 branch from nick's review. - Testing #20657 and finding more bugs. - Wrote tons of #20657 unittests. - Did some testing/reviewing on the client-side branch This week: - Get #20657 merged hopefully. - Start reviewing the client-side. pastly: Updating KIST tickets as we speak. David: KIST will be needs_review by the end of the day catalyst: Last week (2017-W31): - helped review #23061 (crypto_rand_double()); floating point is HARD - looked at #22636 log output on failure -- seems OK actually due to the way automake's test rules extract failing/skipped detailed logs into test-suite.log. - dealing with myriad small annoyances of a new house This week (2017-W32): - copy brade's comments about Tor Launcher behavior from #22232 to somewhere more useful like a wiki page - think some more about #23061 - think some more about how Core Tor can help Tor Launcher with bootstrap troubleshooting isis: last week: - began writing up a specification for Ristretto (Decaf point encoding for curve25519), this way we can agree that we're all doing the same encoding, and then I can use it in Hyphae (#22776) - revising patches for the new cmdline key expiration feature (#17639) - some torspec patches https://gitweb.torproject.org/torspec.git/commit/?id=8ebdf2e99f93628055c7d7… https://gitweb.torproject.org/torspec.git/commit/?id=28a8208232cac218b9bbbd… https://gitweb.torproject.org/torspec.git/commit/?id=db17344f15a9e02d041e9d… - laptop had hardware failures and needed to be repaired and then reinstalled :( - also starting building a desktop/build/work machine as well, but that's not finished yet this week: - reviewing Chelsea's Rust protover patch - more work on the moat backend server (#22871) and farfetchd (#15967) - getting ready for my talk at rustconf next week

1 0

July 2017 report for the metrics team
by Karsten Loesing 07 Aug '17

07 Aug '17

Hello Tor, hello world! Below you'll find the highlights of Tor metrics team work done in July 2017. On behalf of the Tor metrics team, Karsten Merged specifications from Metrics sub sites CollecTor [1] and Onionoo [2] into Tor Metrics [3, 4]. [1] https://collector.torproject.org/ [2] https://onionoo.torproject.org/ [3] https://metrics.torproject.org/collector.html [4] https://metrics.torproject.org/onionoo.html Fixed various problems with data on Tor Metrics, including missing server numbers and bandwidth reports [5] and wrongly attributed OnionPerf measurements [6]. [5] https://lists.torproject.org/pipermail/metrics-team/2017-July/000416.html [6] https://lists.torproject.org/pipermail/metrics-team/2017-July/000418.html Released CollecTor 1.2.0 [7] which switches from Torperf to OnionPerf [8] and contains updates to metrics-lib 2.0.0 and to libraries contained in Debian stretch. [7] https://lists.torproject.org/pipermail/tor-dev/2017-July/012372.html [8] https://metrics.torproject.org/stats.html#torperf-1.1

1 0

Damian's Status Report - July 2017
by Damian Johnson 06 Aug '17

06 Aug '17

Yay, pretty things! Couple pictures pretty much sums it up. Here's what I was up to this month... http://blog.atagar.com/july2017/ Cheers! -Damian

1 0