- tor-project - lists.torproject.org

Summary of meek's costs, February 2017
by David Fifield 29 Mar '17

29 Mar '17

Here's the summary of meek's CDN fees for February 2017. App Engine + Amazon + Azure = total by period all 2014 $600.63 + $917.89 + $0.00 = $1518.52 all 2015 $8006.59 + $8146.83 + $1292.89 = $17446.31 January 2016 $771.17 + $1581.88 + $329.10 = $2682.15 February 2016 $986.39 + $977.85 + $445.83 = $2410.07 March 2016 $1079.49 + $865.06 + $534.71 = $2479.26 April 2016 $1169.23 + $1074.25 + $508.93 = $2752.41 May 2016 $525.46 + $1097.46 + $513.56 = $2136.48 June 2016 $0.00 + $1117.67 + $575.50 = $1693.17 July 2016 $0.00 + $1121.71 + $592.47 = $1714.18 August 2016 $0.00 + $1038.62 + $607.13 = $1645.75 September 2016 $0.00 + $932.22 + $592.92 = $1525.14 October 2016 $0.00 + $1259.19 + $646.00 = $1905.19 November 2016 $0.00 + $1613.00 + $597.76 = $2210.76 December 2016 $0.00 + $1569.84 + $1416.10 = $2985.94 January 2017 $0.00 + $1550.19 + $1196.28 = $2746.47 February 2016 $0.00 + $1454.68 + $960.01 = $2414.69 -- total by CDN $13138.96 + $26345.34 + $10202.06 = $49686.36 grand total https://metrics.torproject.org/userstats-bridge-transport.html?start=2016-1… == Amazon a.k.a. meek-amazon == EU (Ireland) 492M requests $590.89 2924 GB $231.46 Global 9M requests $9.99 28 GB $2.14 US East (Northern Virginia) 410M requests $410.52 2668 GB $209.18 -- total 912M requests $1011.40 5621 GB $442.78 charge for alarms $0.50 https://atlas.torproject.org/#details/F4AD82B2032EDEF6C02C5A529C42CFAFE5165… == Azure a.k.a. meek-azure == https://atlas.torproject.org/#details/AA033EEB61601B2B7312D89B62AAA23DC3ED8… Zone 1 440 GB $ 38.30 Zone 2 171 GB $ 23.63 Zone 3 3583 GB $ 895.68 Zone 4 4 GB $ 0.59 Zone 5 11 GB $ 1.81 -- total 4209 GB $ 960.01 Earlier reports in this series: https://trac.torproject.org/projects/tor/wiki/doc/meek#Costs

1 0

Tor project's use of Mailman
by johny 25 Mar '17

25 Mar '17

Hi all, I'm currently working on my GSoC proposal for the GNU Mailman project, which aims to implement encrypted mailing lists. I noticed that Tor project uses Mailman and has a few private lists as well. I think that Tor project's private lists might be a great example that could use such encrypted lists. What requirements would Tor project have of such encrypted mailing list? This would help me better understand potential uses of encrypted mailing lists in a real environment. My proposal uses PGP/MIME. A short description follows: It establishes a list keypair which subscribers use to encrypt their messages with. A user needs to present a PGP public key on subscription which will be later used to encrypt messages from the list. List owner moderates the list and accepts users subscription. User has to prove ownership of the key by signing a confirmation token. Subscriber then sends messages encrypted with list key and signed with the one he subscribed with. He receives messages encrypted to his key and signed by the original author as well as the list itself. Commands will require signature and confirmation too. A more detailed proposal can be found in the links below. -Jan ----- [Project idea]: https://wiki.list.org/DEV/Google%20Summer%20of%20Code%202017#Encrypted_List… [Proposal draft (site)]: https://neuromancer.sk/page/gsoc/mailman [Proposal draft (PDF)]: https://neuromancer.sk/static/mailman.pdf

4 4

Notes from March 16 2017 Vegas team meeting
by Karsten Loesing 21 Mar '17

21 Mar '17

Notes for March 16 2017 meeting: Isabela: 1) reviewing DRL response 2) submitting sponsorS final report / sponsor4 report 3) working with linda, hiro and network team on prep work for AMS 4) meeting with Mike / f2f tomorrow 5) will take a look at what arma and nick want my help with the NSF projects and start working on that next week Alison: 1) Finalizing Tor Meeting plans: buddies, agenda, strategic planning stuff 2) Working on content for the support portal 3) Eagerly awaiting results of the Community Council Guidelines vote 4) Sprucing up the community team wiki Shari: 1) Pulling together board book for Amsterdam meeting. 2) Getting ready for strategic planning discussion in Amsterdam and beyond. 3) Last minute Amsterdam details. 4) Reviewing DRL budget for submission. Karsten: 1) Started the vote on community council guidelines proposed by Alison and Damian, which will run until next Wednesday. 2) If all goes well, we'll be down to 4 out of 19 MOSS tasks by AMS, with still 3 out of 12 months ahead of us. Nick: 1) Hacking, triaging, etc 2) Sponsor4, sponsorR going well. 3) DRL status? 4) Amsterdam prep Arturo: 1) Tagged an ooniprobe release candidate: https://github.com/TheTorProject/ooni-probe/releases/tag/v2.2.0-rc.2. Testing of it is greatly appreciated! 2) Ironing out the last pending issues for upcoming mobile app release 3) Monday we will be releasing a report on internet censorship in Thailand 4) Did a bit of planning for the upcoming migration to new data processing pipeline and general re-organisation/cleanup of the rest of our infrastructure Georg: 1) Sponsor4 work and there mainly ESR52 transition tasks 2) We might need to make an emergency release due to Pwn2Own 3) I prepared my talk for Open Source Days Josh: 1) Tor Weekly News: "Reboot Edition" out tomorrow Friday, March 17th. 2) Strategic communications plan draft should be done by end of day today

1 0

Re: [tor-project] U.S. border crossing guide
by Nathan Freitas 20 Mar '17

20 Mar '17

On Fri, Mar 17, 2017, at 04:05 PM, David Fifield wrote: > On Fri, Mar 17, 2017 at 01:35:30PM -0500, Franklin Bynum wrote: > > == If you are a U.S. citizen == > > The government has to let you in. They can, however, detain you for > > questioning and search you and your property. > > If you want one person's account of what that's like, I (a U.S. citizen) > wrote about my experience being detained at the border in 2013 for not > answering questions. I was in secondary for around seven hours and in a > cell for most of that time. > > https://www.bamsoftware.com/writing/mia-cbp.html "Cool that Google gets a list of people detained by DHS." Thanks for reminding me of your experience and excellent write-up, David. Respect, +n

3 2

U.S. border crossing guide
by Franklin Bynum 20 Mar '17

20 Mar '17

Many of you will be crossing the U.S. border soon because of travel to the Tor Meeting. I was supposed to be there, but child care obligations will keep me stateside. As an immigration lawyer and a member of the Tor community, I would like to give you all a crash course in crossing the U.S. border. This document does not discuss anything related to seeking asylum or other refugee status. If you hold or may seek refugee status of any kind, seek professional help. == If you are not a U.S. citizen == If you have permanent resident status, have a visa or are a national of a country that is part of the Visa Waiver Program [fn:1], when you present yourself to an immigration officer at the border the officer evaluates whether you are inadmissible under any of the many grounds in section 212 of the Immigration and Nationality Act. [fn:2] Having a travel document does not guarantee you entry. All people who are not U.S. citizens are subject to the entire slate of grounds of inadmissibility, including long-time permanent residents. If the official finds that you are inadmissible, you will be denied entry and detained pending your removal. Some people, like permanent residents, will be detained for weeks until they can see an immigration judge to receive a hearing on their inadmissibility. The agent will likely ask you questions about who you are and where you are going. You have a right under the United States constitution to refuse to answer questions, but if you refuse to answer the officer will surely deny you entry and will likely detain you for further questioning. Immigration officers have wide latitude to question you and deny you entry. You have little legal recourse against this. Read the grounds of inadmissibility [fn:1] and you will see the many ways you can be lawfully denied entry, even as a permanent resident. If you have ever been arrested or otherwise feel that you may be singled out, contact me or another immigration lawyer before you intend to cross the border. == If you are a U.S. citizen == The government has to let you in. They can, however, detain you for questioning and search you and your property. == For everyone: border searches == At the U.S. border, immigration officers may search you basically for any reason, or no reason. They do not have to articulate any suspicion. They can, and do routinely, go through all your property, including your devices. They can clone your hard drive. They can attach forensic tools to your phone or other device. They can seize your item as evidence against you. You can not do anything to stop this. The one things you can do is refuse to give passwords. You have a constitutional right to remain silent that is fairly strong here. If you are a U.S. citizen, they have no recourse except to detain, question, and intimidate you further. They cannot detain you for an unreasonable amount of time, measured by what an imaginary "objective reasonable person" would think is reasonable. This amount of time will be longer than you personally think is reasonable. If you are a non-citizen, they could deny you entry for your refusal. If you are stopped and your device is searched or you are asked for passwords, contact me. == About me == I am a relay operator, a lawyer, and partner to Alison. I am in IRC at @frabyn. My practice is criminal defense and immigration in Texas. My website is https://bynumlaw.net/ * Footnotes [fn:1] https://travel.state.gov/content/visas/en/visit/visa-waiver-program.html [fn:2] https://www.uscis.gov/ilink/docView/SLB/HTML/SLB/0-0-0-1/0-0-0-29/0-0-0-200… -- Franklin Bynum Lawyer 2814 Hamilton Street Houston, Texas 77004 +1 713 343-8844

8 9

Cor Tor Team sponsor4 February work report
by isabela 16 Mar '17

16 Mar '17

Core Tor Team February 2017 Report We started to work on collecting measurements[1] of our consensus diff proposal (prop140) to analyze how much data Tor downloads today, how much data it would download after the consensus diff implementation is complete, and what we could do in order to reduce the downloaded volume further. We created the following tools[2] to help us collect and analyze our data: The populate.py and analyze.py scripts are for looking at the amount and causes ofmicrodescriptor change over time. The populate-consenus and analyze-consensus.py scripts look at the amount and causesof routerstatus change over time in the consensus. The diff-size tool determines the mean size for ed-based consensus diffs, after various consensus transformations and diff compression algorithms. With these tools, we were able to improve[3] Proposal 140 [4] "Provide diffs between consensuses", which is an important part for us to do to achieve our objective. They also lead to the creation of proposals 274 through 276, each of which will reduce the required bandwidth for directory operations (see below). We also created tools[5] to analyze different compression schemes related to Proposal 278 [6] "Directory Compression Scheme Negotiation", which is one of the design proposals we plan to implement in order to achieve our goals under this objective. We have the results of the first collection/analyses[7]. The other proposals related to directory bandwidth savings are: Proposal 274 [8] - Rotate onion keys less frequently Proposal 275 [9] - Stop including meaningful "published" time in microdescriptor consensus Proposal 276 [10] - Report bandwidth with lower granularity in consensus documents [1] https://trac.torproject.org/projects/tor/ticket/21205 [2] https://github.com/nmathewson/consensus-diff-analysis [3] https://trac.torproject.org/projects/tor/ticket/21209 [4] https://github.com/torproject/torspec/blob/master/proposals/140-consensus-d… [5] https://gitlab.com/ahf/tor-sponsor4-compression [6] https://github.com/torproject/torspec/blob/master/proposals/278-directory-c… [7] https://docs.google.com/spreadsheets/d/1devQlUOzMPStqUl9mPawFWP99xSsRM8xWv7… [8] https://github.com/torproject/torspec/blob/master/proposals/274-rotate-onio… [9] https://github.com/torproject/torspec/blob/master/proposals/275-md-publishe… [10] https://github.com/torproject/torspec/blob/master/proposals/276-lower-bw-gr… [11] https://github.com/torproject/torspec/blob/master/proposals/277-detect-id-s…

1 0

New UAE Users
by Matthew Finkel 15 Mar '17

15 Mar '17

Anyone know what caused the remarkable jump in direct and obfs3 users from the UAE that began on 16 Jan and 06 Feb, respectively? Sorry if I already missed the discussion about this. https://metrics.torproject.org/userstats-relay-country.html?start=2017-01-1… https://metrics.torproject.org/userstats-bridge-country.html?start=2017-02-… Thanks!

8 12

OONI status report - February 2017
by Arturo Filastò 15 Mar '17

15 Mar '17

# OONI Monthly Report: February 2017 February was an important month for the OONI project, as the launch of the ooniprobe mobile app for Android and iOS platforms significantly increased OONI's userbase and global coverage of censorship events. Below we provide some highlights from OONI's activities in February 2017. ## Launch of ooniprobe mobile app On 9th February 2017 we launched our mobile app for Android and iOS platforms. The development of the apps was carried out as part of Lorenzo Primittera's OTF fellowship through support from the OONI team. The new ooniprobe app includes network measurement tests that are designed to examine: * Blocking of websites ("Web Connectivity" test) * Presence of middle boxes ("HTTP invalid request line" test) * Speed and performance of networks ("NDT" test) This app can be installed on Android and iOS platforms through the following app stores: * Google Play: https://play.google.com/store/apps/details?id=org.openobservatory.ooniprobe * Apple nes.apple.com/us/app/id1199566366 More information about ooniprobe's mobile apps can be found through the post that we published on the launch date: https://ooni.torproject.org/post/ooni-mobile-app/ The launch of ooniprobe's mobile app received widespread media coverage. Some news outlets that wrote about ooniprobe's mobile apps include: * CNN: http://money.cnn.com/2017/02/08/technology/ooniprobe-censorship-mobile-app/ * Forbes: https://www.forbes.com/sites/leemathews/2017/02/09/tor-projects-new-mobile-… * The Atlantic: https://www.theatlantic.com/technology/archive/2017/02/ooniprobe-censorship… * Cyberscoop: https://www.cyberscoop.com/ooniprobe-tor-app-ios-android-censorship/ ## ooniprobe mobile app: Translations and feature requests Following the launch of ooniprobe's mobile apps, we started collecting feedback from our users and implementing feature requests. These are summarized through the following platform: https://trello.com/b/RgwVg6i8/ooniprobe-mobile-feature-requests More feature requests can be viewed through the tickets and pull requests of the following GitHub repositories: * https://github.com/TheTorProject/ooniprobe-ios * https://github.com/TheTorProject/ooniprobe-android * https://github.com/TheTorProject/ooni-wui In response to community feedback, we started working on the f-droid version of ooniprobe: https://github.com/TheTorProject/ooniprobe-android/issues/54. We also reviewed and edited the Citizen Lab's global test list (that is tested by ooniprobe's mobile app) quite extensively: https://github.com/citizenlab/test-lists/pull/133. We started coordinating the translation of ooniprobe's mobile apps through support from the Localization Lab. In February, ooniprobe was translated to the following languages: * Spanish * French * Italian Work is being done on adding translations for: * Hindi * Arabic We added support for translating ooniprobe's mobile apps (https://github.com/TheTorProject/ooni-wui/issues/31) and future releases will include translations. ## New web UI We made progress on implementing the new web UI following the UX review. We tagged a release candidate for ooni-probe that features the new web UI and made an open call for testing: https://github.com/TheTorProject/ooni-probe/releases/tag/v2.2.0-rc.1. ## Community engagement We have setup a slack to IRC bridge to encourage less technical users and OONI enthusiasts to join in our public discussions: https://slack.openobservatory.org/. Starting in February we have also started to hold broader community meetings on Slack and IRC with the goal of engaging more with the wider OONI community. The logs for the last community meeting can be found here: http://meetbot.debian.net/ooni/2017/ooni.2017-02-28-15.59.log.html. ## Updated documentation Since May 2016 we have been receiving legal consultation for the improvement of our documentation and practices pertaining to potential risks associated to the use of ooniprobe. To this end, we updated the following documentation: * OONI Data Policy: https://ooni.torproject.org/about/data-policy/ * Risks: Things you should know before using ooniprobe: https://ooni.torproject.org/about/risks/ The above documentation not only incorporates feedback that we received through legal consultation, but also includes information pertaining to ooniprobe's mobile apps. In addition, we published a test description for OONI's new NDT test (which is included in our mobile apps): https://ooni.torproject.org/nettest/ndt/ ## Research and data analysis In collaboration with Sinar Project, we carried out research and data analysis for our upcoming reports on Myanmar, Thailand, and Indonesia. We expect to publish these research reports within the next month. ## Userbase OONI's userbase expanded significantly in February thanks to the launch of our mobile apps. In February alone, ooniprobe was run 143,607 times from 2,765 different vantage points across 181 countries around the world. This information can also be found through our stats here: https://measurements.ooni.torproject.org/stats ~ The OONI team.

1 0

Security slider usability testing results
by Linda Naeun Lee 14 Mar '17

14 Mar '17

Hi all: The results of the security slider usability testing is here: https://docs.google.com/document/d/1Wr4e9OftQaIyvU-p2pN9JcdLsOAl9Z87hg4XWW8… In short, users seemed to choose the setting that would be right for them, functionality wise, even if they didn’t have good security understanding or mild misconceptions. UI should account for multiple ways of interaction. Some people said interesting things. Highlights include: -(the "safest" setting has bad connotations) P12: “I’m not sure, I don’t think I’ll be doing anything that would require that amount of safety. *giggles*” -(people making emotional decisions)P13: “I would probably choose the “safe” setting, there's the potential for more content being blocked on the safest setting, and I'm the kind of dum-dum who's willing to take my chances.” -(not understanding on-the-wire vs machine security defenses) P14: “I would choose the standard setting- I’m just going off of the experience I’ve had on the website I currently visit. I have Norton and feel like that keeps my computer pretty safe.” Cheers, Linda P.S.: I've been working on a more understandable security slider for a couple months now; documentation here: https://trac.torproject.org/projects/tor/wiki/doc/UX/OrfoxSecuritySlider -- Current Key: https://pgp.mit.edu/pks/lookup?search=lindanaeunlee GPG Fingerprint: FA0A C9BE 2881 B347 9F4F C0D7 BE70 F826 5ED2 8FA2

5 6

Notes from March 9 2017 Vegas team meeting
by Karsten Loesing 13 Mar '17

13 Mar '17

Notes for March 9 2017 meeting: Georg: 1) We got releases out (6.5.1, 7.0a2, and 7.0a2-hardened) 2) Continuing work on Sponsor4 items (ESR 52 transition, build system scalability, and integration of fingerprinting Q&A tool (aka own Panopticlick) Alison: 1) Linda, Colin, and I are working on next steps for the support portal: creating content, looking into design options for the banner and icons, messing around with the layout. We are meeting weekly about this and will also discuss it in AMS. 2) The Community Council Guidelines will go to a vote Friday. I'll be running the social contract proposal period at the same time. 3) More planning for AMS meeting. 4) Global South outreach: more trainings happening, also ilv has been doing a lot of work trying to get more relay operators in LatAm. He's run into some issues as some places don't meet basic technical requirements, and he does need funding to keep the operation going, but there is at least a lot of interest. 5) LFP event next week at Temple University -- March 15th 6) I'm going to SXSW for a day or two to meet up with some people/groups and talk about Tor. Shari: 1) lots of planning for Amsterdam meeting; specifically working on agenda for strategic planning discussion 2) pulling together board book for board meeting in Amsterdam 3) meeting with/talking to Yawning about what he's up to; Mitchell Baker about Tor/Mozilla collaboration 4) still trying to get caught up from my week out; getting ready to be out for a couple of weeks in Europe Nick: 1) Not really much prepared for Amsterdam meeting. Not sure what I should be doing. 2) Development proceeds apace. 3) Need to advance stuff with Roger's NSF plans: AMS might be a fine place. 4) Planning to take it easy for Thu/Fri next week, to improve reserves for Amsterdam. Karsten: 1) Trying to wrap up a few Sponsor X tasks/deliverables in the next 1.5 weeks in order to become more open to requests and suggestions brought up in Amsterdam. Mike: 1) Worked on Orbot roadmap for DRL (unfunded, so pretty pipe-dreamy) Isabela: 1) still working on the final report 2) final month of ISC/Orfox work - Linda is compiling user testing reports - we have some dev time to spend on it so we will be polishing things 3) catching up on things after the Seattle trip -> working on monthly report for sponsor4 / MOSS invoice / SIDA response / DRL response / network team release prep work 4) set to table at Libre Planet - thanks to jon's help 5) linda and I have syncs with simply secure - right now they are pretty much done with updating the style guidelines (incorporating feedback from the seattle meeting) the final version will be publish and they will be doing 2 blog posts about this project and Tor will published as 'guest contributors' at our blog. Hope this will bring good attention to the efforts on visual consistency of Tor and ux. 6) hiro survey is out and it seems ppl are answering it \o/ - I also organized the blog work stuff in a pad and hope to sync with hiro on it next week when she is back from IFF Josh: 1) I plan to relaunch Tor Weekly News on 3/17 2) I am still looking for more people from within Tor that want to join me in helping to make Tor more effective at social media. This can just be as simple as encouraging people to PM/DM me about, for example, interesting things happening in the world of tech privacy/security. But hopefully doing Tor Weekly news will also be something that will help me get more ideas and connect with more people in our community on a regular basis. Arturo: 1) OONI team is at the Internet Freedom Festival

1 0