tor-project

tor-project@lists.torproject.org

16 participants
2324 discussions

Support plan proposal
by Colin Childs 16 Mar '16

16 Mar '16

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi everyone, Below is the support plan proposal that has been mentioned in the "State of the helpdesk?" thread. Feedback is very much welcomed, as there may be things I have not considered, or have missed. Documentation updating: 1. Update Tor Browser user manual [1] 2. Update HS guide [2] 3. Update relay guides [3] Note: When users contact the help-desk, the majority of questions would fit into these three topics. The majority of the majority would fall into the user manual, however there are still tickets about running / maintaining relays and HSs. Support portal creation and/or FAQ updating: 1. Convert RequestTracker articles[4] into user-usable resources 2. Determine if these resources should be added to FAQ, or to their own page. My opinion, is that we could create something like Twitter's "Help Center"[5] using a combination of these articles, and expanded FAQ entri es. 3. If the help portal option is favored, researching which free platforms we could use for this would be my next step. I'm also confident that creating something with basic functionality would not be a large time sink, however this seems like a problem that is likely solv ed. Providing direct user support: I believe with the documentation updates, and making the support articles more easily available will decrease the number of users who require our assistance; but it will never result in no users requiring assistance. The best solution I can think of, is the following: 1. Finish "Documentation updating" and "Support portal creation and/or FAQ updating" tasks 2. Announce the new resources on the Tor blog, and other platforms 3. Watch for and incorporate feedback on the new resources 4. Put out another call for volunteers, as well as reach out to previous help-desk staff 5. Re-open the help-desk, to a (hopefully) more manageable number of tickets. [1]: https://lists.torproject.org/pipermail/tor-project/2016-March/000151.htm l [2]: https://www.torproject.org/docs/tor-hidden-service.html.en [3]: https://www.torproject.org/docs/tor-relay-debian.html.en [4]: https://people.torproject.org/~colin/rt-articles.git [5]: https://support.twitter.com/ - -- Colin Childs Tor Project https://www.torproject.org Twitter: @Phoul -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJW4PqVAAoJEJWQHABkmqq5F50P/1Tq5fvzc07bUiQea4goq3no OdwD8NUFdFLK4EZe165Cedqoaddz3uWkOUmJmYtUBILLvjHp6E/AWhrIHBU1hCXv WenOKat6kQPhgH8FKCGt2r9UtVRQ1y78JwthFN/m9uUBMIYmAxhMfe/tf20/2G9c l2jph9SHU1q1NQrBhQ65ch+ZkZXZtPtEaM55eK/jyuYY6U8oHFYo0U1o1dq0tv/C +St9OWgTUMLto0lghhSfuU/1cmjW4vB8OeF+Sy3F8Hqs35ZgDP/0yccG1QbSsxIv Jytz6s6k/0+7PeE22s4EIcUDC1AY9+W14KcR/TCEjDFB+EqdyRYnS45nyHZ8Vhm9 tzig2To87pE8m/uUU1CT9uUkuSdJiunYWQYoiicJ00c3E/pxU/8d5Sea+Ic7C6jO vejR64jHW4/DShCOq0UspZnMIPUfcElMIEvsyQ4SmcDfZfEaimFoksaPVGGnihLb AfQRue2v5FQx36ulwNRoypZcqtYvQA3b8l+mGaP49C1qLeg2t8jESYjv4L9fAIdf HLVvj/kWS51dYkcrUaUBE++vVBjXlpctjfRvT3Qav3fT0gSiOs3nQkaOwJeG71rV 1CvdxP0bPfMAtHk9shovvNiqwPi9tREu9edWUhIsgKY5Quf9ZzS/5+skElpVt5yK xnUKSRSjDr8vriZfoMOa =Hksr -----END PGP SIGNATURE-----

2 1

First report from UN Special Rapporteur on Privacy
by Virgil Griffith 11 Mar '16

11 Mar '16

Of interest to Tor people---first report by the UN Special Rapporteur on the Right to Privacy: * http://dl.dropbox.com/u/3308162/A-HRC-31-64.pdf "As the Special Rapporteur mentioned in presenting his report at the Human Rights Council today, his focus is currently on defining “what" to protect (defining privacy) and “why" (privacy as an enabling right rather than as an end in itself), whereas the “how” is envisioned for a much later stage in his mandate." If someone on the list wants to get into this I'll make the appropriate connections. -V ---------- Forwarded message ---------- From: Nicolas Seidler <seidler(a)isoc.org> Date: Wed, Mar 9, 2016 at 7:06 AM Subject: [Internet Policy] Heads-up: new report by UN Special Rapporteur on Privacy To: "internetpolicy(a)elists.isoc.org" <internetpolicy(a)elists.isoc.org> Dear all, I would like to bring your attention to the release of the first report by the UN Special Rapporteur on the Right to Privacy, Joseph A. Cannataci. http://www.ohchr.org/EN/HRBodies/HRC/RegularSessions/Session31/Documents/A-… As we mentioned when this mandate was created, this is a brand new position in the UN Human Rights Council that was created as part of reactions to disclosures on pervasive communication surveillance (including at the UN General Assembly level in December 2014). We are still going through the report and will share more thoughts later on. We can however already note that this first report focuses on defining a roadmap for the Special Rapporteur, and highlighting what he considers as key issues for his mandate going forward. As the Special Rapporteur mentioned in presenting his report at the Human Rights Council today, his focus is currently on defining “what" to protect (defining privacy) and “why" (privacy as an enabling right rather than as an end in itself), whereas the “how” is envisioned for a much later stage in his mandate. ISOC will continue to follow closely this process and to offer a bridge for our community’s input in the Special Rapporteur’s mandate, who is keen to consult a wide range of stakeholders. Be on the lookout for more analysis next week, and in the meantime do not hesitate to share your thoughts. Best regards, Nicolas Seidler Senior Policy Advisor The Internet Society _______________________________________________ To manage your ISOC subscriptions or unsubscribe, please log into the ISOC Member Portal: https://portal.isoc.org/ Then choose Interests & Subscriptions from the My Account menu.

1 0

Moderation for new tor-users@ mailing list
by Moritz Bartl 11 Mar '16

11 Mar '16

Hi everyone, At the Valencia dev meeting, in the "take back community channels"[1] session, we discussed how to deal with the somewhat degenerated tor-talk mailing list. The initial idea was to come up with some excellent, nice and reasonable guidelines and explanations of what should be on tor-talk (and, subsequently, what should be posted someplace else, and where), switch tor-talk to be moderated, and then moderate users for a while until they have shown to agree to the guidelines. Also, step up moderation a bit in the sense that if a user starts to post off-topic things again to warn them, or put them back into moderation. A less aggressive approach was discussed, which involves the creation of a new list called "tor-users". This new list will not ahve all the thousands(?) of subscribers of tor-talk, which is a shame, but it might be easier to apply a new moderation concept to a new list and sort-of give up the old one, than trying to change the climate on the old list. Also, the idea for the new list was to explicitly have a more narrow focus than the broad "tor-talk" list, namely "(community) user support". weasel suggested a set of scripts that they used at Debian for some list moderation. It sure sounds great to use IMAP and mail move actions for moderation instead of the mailman interface. It does not necessarily require TPI to officially run an IMAP server; we could use an account someplace else, and even run the scripts outside of TPI if we wanted to. We did succeed in that we now have a number of volunteers who want to help moderate. (Not enough, please let me know if you want to help, too). I am the unfortunate volunteer that even agreed to "lead" this effort! :-) What we still don't have is a nice and friendly mail that explains the concept and the underlying guidelines, and points to other potential venues (like cpunks maybe) if people want to discuss other things. Does anyone want to come up with a draft for discussion? I guess ideally we even have a couple of templates to use in mailman for rejection messages, but we can come up with those while we go along. I don't think I should be the one writing it, we have native speakers with better writing skills amongst ourselves :) Weasel, what's the status of those moderation scripts, and what kind of suggestions do you have on moving that forward? Sorry that I didn't want to talk about it back in Valencia when you wanted to, but I really wasn't in the right mood... Can you dig them up so I can have a look? Do you want to run them on TPI infrastructure? Do you wnt me to run them on mine? [1] https://trac.torproject.org/projects/tor/wiki/org/meetings/2016WinterDevMee… -- Moritz

2 1

NH Tor bill overwhelmingly passes the house!!!
by Alison Macrina 10 Mar '16

10 Mar '16

Great news! The pro-Tor bill [1] from NH State Rep Keith Ammon just passed the NH House by a HUGE margin -- 268-62!!! This is a really big deal, not just because it shows how much support there is from NH congresspeople, but because it was expected not to pass (they were anticipating a floor fight [2]). This bill is not yet a law -- it still needs to go before the NH Senate and pass there. But this makes me hopeful! The ACLU of NH is working with Rep Ammon on a senate strategy, and I may provide additional testimony if needed. I'll keep everyone posted on this. Alison [1] http://www.dailydot.com/politics/new-hampshire-tor-library-legislation/ [2] http://www.dailydot.com/politics/tor-bill-new-hampshire-floor-fight/

2 1

State of helpdesk?
by Roger Dingledine 10 Mar '16

10 Mar '16

Hi Colin, I had a good chat last week with one of the volunteers that you recruited some months ago to help with the helpdesk. He told me that he wasn't answering tickets anymore, since it is just a deluge of tickets, mostly the same over and over, and without any feedback mechanisms from the helpdesk to the other support pieces (faq, stackexchange, etc) and dev teams, there isn't really an end in sight. I suspect I agree with him -- taking a step back, it seems wise for us to enumerate our support mechanisms, and try to prioritize and triage so we do what is most scalable and most sustainable. That said, I don't think many of us have a good handle on where the helpdesk is right now. So it's hard for us to know where it should fit in this triaging. Can you summarize for us how many tickets it's getting, how many (and which) people are active, whether most tickets are getting answered (and after how long), what languages they're in, and whatever other questions I ought to be asking? Then we will be in a better position to try to help you. Thanks! --Roger

3 7

Updating the Tor Browser user manual
by Colin Childs 08 Mar '16

08 Mar '16

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hi everyone, I hope you all had a great time in Valencia! As I mentioned in my previous status report, here is my current plan for updating the Tor Browser user manual. The idea behind doing this, is that a large portion of the tickets that come into the help-desk could be directly resolved by this document, if it were maintained and available in a way that users could easily access. I believe spending the time to finish up the manual and make it available would be more helpful to the help-desk, and the users than answering the hundreds of individual questions posed by the users that are already answered in this manual. When the help-desk initially started, the "short user manual" existed, which was where the majority of answers for users came from. This was extremely handy, as we were able to link them that document and the majority of users could work through it themselves, saving the help-desk for when they ran into issues. I'd like it if this could be the state of affairs again, as it made the lives of help-desk staff a lot easier at the time. Please let me know what you think of the plan below: - - Update certain outdated screenshots - - Do a complete pass of content review, and update / clean up any outdated or missing sections - - Write out an update plan for the manual, as described in https://gitweb.torproject.org/tor-browser/user-manual.git/tree/TODO - - Find a home for the document on torproject.org, hopefully in a mirrored location - - Contact trusted translators to work on localizing the user manual, or updating the parts that were already localized but updated. - - Upload manual to Transifex, and let translators begin working on the strings. - - Discuss ways the manual could be added to the Tor Browser (Only after it exists on the website) - - Begin pulling in new translations from language teams with trusted reviewers, and are at 100% completion Thanks for looking this over! - -- Colin Childs Tor Project https://www.torproject.org Twitter: @Phoul -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJW3sZRAAoJEJWQHABkmqq54YoP/jYzxUFN0+buF+jW51yJlkqP 98J09z4G7uAIN1vXp3jpWdm/EeddTkFsbIXkc/aJB88navwZZzJ5FQWVHsBBi6BG dHEjINFqSwWbHhytTNI808QBFs1u9eLHSjL8BaImTbRzey+teWTecaBozuDXZU/h 6cCGrkbUK9Zz58Z/Af8W9xNWopXZvK72AnTuX5ccaUpBDpATwG+NvJSsYuLG6Ca9 IB/2ZMZW9uTI9vcegpsY7FYIj1UWfE2wW2Aj6IAoLEFWSpO4NbZMow2edDyRrQco 09wXB59RQQI7yXCIF6d6dAGQHzTVtQ2G4SO04tuRAd1XfUn3VwzI2a5+EmLHWYsp jpeLu6GG2ia8g9dBnXrr4E+HYuqPpTYNxj5EuXF8yJj5zXX07bkxrAtfMy8+wyIV oEeMUTpls+bD2PS/COYEzy4T3gdOci5ptOb2yQr/rWVtVMfXu6Z1qwenbeAJxbu0 eRhfGXQ+eiyL7Om/8A5KdMNHpcK11Q019zbHiTpn8fxKTJW0HpaZJfNKckVJ3fBD Y7ILa1QgaDq19pOgYW1O+FFzS2W49xQHuIP54KxN5KUSOYBrrr48LogDrRLC9jvC 8h6haRP+YYT3smiUrn+thnkrqGu1wJC9X0vJaZIqPdwVGp/geCWQ3hI5rgXWI0px t/5UdHvNjT8lafy611c1 =ShOT -----END PGP SIGNATURE-----

2 1

Tor teachers mailing list
by Alison Macrina 03 Mar '16

03 Mar '16

Hi all, After a session at Tor dev about training users on Tor, a few of us thought it might be a good idea to make another push for the Tor-teachers list [1]. This list is for anyone who teaches Tor or want to teach Tor. We use this list to circulate training materials, share stories, and build community. Please join us on the list and tell us how you're teaching Tor, or how you'd like to! Some things that are particularly needed in the group: more curricula on the wiki [2] in more languages! Especially curricula aimed at different user groups (teens, lawyers, activists, etc). We're also hoping to get a list on there of possible places to go and teach Tor, eg upcoming conferences outside of the privacy/security world. I will send an update to the tor-teachers list with the rest of what we discussed at the training session, but I'll wait a few days so that folks can have some time to join the list. See you there! Alison [1] https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-teachers [2] https://trac.torproject.org/projects/tor/wiki/doc/tor-teachers

1 1

Our Jabber Server
by David Goulet 03 Mar '16

03 Mar '16

Greetings Everyone! Thanks to weasel for bringing Debian Jessie to the server, we now have a working usable Jabber server. Woot! Here is our XMPP score: c2s: https://xmpp.net/result.php?domain=torproject.org&type=client s2s: https://xmpp.net/result.php?domain=torproject.org&type=server Everyone with an LDAP account can connect to the server. Else, you can't. Before you can do that, you need to set your "rtc" password. Here is how: 1) Enter your user and ldap password at https://db.torproject.org/login.html and press "Update my info". 2) At the very bottom, you should see this https://people.torproject.org/~dgoulet/volatile/rtc-pass.png, the "Change rtc password" field. Put your password in there. Unfortunately, it silent fails if you enter a "too big of a password" and we are unsure of the maximum length so I think 16 characters (based on my experiment) is the maximum possible. 3) Wait a couple of minutes so the database sync up and reaches the jabber server. When you connect, if it fails, wait a bit more. Usually after 5 to 10 minutes it should work so report the issue if it still fails. Useful informations about the server now and how to use it. Your account is <ldap-user>@torproject.org. You have to enable TLS of course. We also have a hidden service! It's: k2r67kry5haud25b.onion. To use it, set the server of your account with it but the user must be your LDAP one that is <ldap-user>@torproject.org. It's federating that means you can add contact that are OUTSIDE of this server such as riseup users or any workable jabber server supporting TLS. Our TLS certificate is from Let's Encrypt and checksum is below. Remember that in 3 months that fingerprint will change: SHA256 Fingerprint=56:4B:0B:AC:7A:55:1D:8F:52:29:E0:A6:61:D7:0F:B6:EC:41:FC:59:FE:2B:B3:39:FA:14:23:65:38:13:26:A0 Finally, this server has a special quirk. It will _tell_ you when you are NOT using OTR. I've put it in "optional" mode but we can also put it in "mandatory" mode if needed which will force all messages going through to be OTR encrypted. I don't expect any big issues to arise once this server gets more users but at first we might need to tweak some stuff thus restart it. Enjoy! David

13 15

Griffin's ICFP February
by Griffin Boyce 03 Mar '16

03 Mar '16

-------- Original Message -------- Subject: [icfp-active] Griffin's ICFP February Date: 2016-03-03 13:50 From: Griffin Boyce <griffin(a)cryptolab.net> To: ICFP Active <icfp-active(a)opentechfund.org> Hello all, In February, I fought logistics and small delays, but got some interesting initial results from Russia. Ultimately, I was not able to gather enough data to complete a paper before the PETS deadline. However, I have proposed a talk for the HOPE conference in NYC this summer [1]. My co-author, Jeff Landale, and I will continue working on a paper with the goal of submitting for USENIX:FOCI. Initial results from Russia have been surprising. Of the Alexa top 1M sites, 153,000 seem to be blocked. I've run the test twice, and will re-run the test from another location, but if the block percentage really is ~15.3%, then that is quite extreme! I was guessing that around 2000 sites would be blocked. Towards the end of the month I prepared for and attended the Internet Freedom Festival in Valencia, Spain. As part of the paper-writing process, I wrote up a first draft of the project methodology, which appears below. Please let me know if you see any gaps or have additional tests to suggest. Methodology: # Website Diagnostics The sites to be tested are divided into segments of 10,000 websites, plus custom tests for sites focused on circumvention. This way, if there’s an error during the test, it’s easier to perform a re-test without having to test over a million sites (again). The first test is a simple check to see if the site is available (code 200) or if it’s down. This test is performed from both the target region and a presumed-uncensored area (typically Germany or the US) to ensure that the site is not simply down for maintenance. (In the process, I determine whether it’s a DNS block or an IP block). Once I have a list of not-(code 200) sites, I dig in deeper. I take a screenshot of all sites using EyeWitness. Then I see if the site is being blocked or is giving a proper Block Page. If the block pages follow a common format *and* give the block reason, I scrape the reasons and map them to the domains. There can be interesting differences found here. For example, in Indonesia SMBC Comics is blocked for ‘pornography and promoting bigotry and sectarian violence,’ when the site is not pornographic and contains minimal fantasy violence. If the site is inaccessible for whatever reason, I check for TCP reset packets, check if there is an SSL/TLS error, check for forced downloads, and for some sites check for MitM. MitM test is only performed for sites where a user would typically be trying to download something, such as Lantern or Tor Browser. In cases of possible MitM, I collect PCAP data (packet captures) and attempt to download the relevant parts of the website to compare with a non-suspicious version of the website. While some regional differences may exist -- news in different languages, for example -- differences in executables or malware injections are indicators of active man-in-the-middle attacks. Once all website tests are performed, I categorize the sites by cross-referencing Alexa data. Categorizing website content is one of the harder problems at scale, so relying on Alexa for categorization appears to be the best solution. For example, it would be impossible for me to categorize 153,000 blocked websites from Russia given the sheer number of websites involved. # Tor & Lantern tests Once all websites are categorized, I check whether or not Tor Browser and Lantern are usable within the country. Lantern has a built-in test for this purpose. For Tor Browser, I use a modified version of Philipp Winter’s ExitMap, and feed it an up-to-date list of Tor nodes. It then cycles through thousands of individual tor circuits to check whether every entry node is available from the test location. From there, I determine whether all of Tor is blocked, or only some nodes. If only some guard nodes are blocked, this may mean (depending on the age of the unblocked nodes relative to the blocked nodes) that the unblocked guard nodes were set up to track users or indicate that the system for blocking Tor nodes hasn’t updated since those nodes were created. I then test whether different kinds of bridges are blocked within the country by making circuits using bridges (including obfs2/obfs3/obfs4/fte/scramblesuit and standard bridges). For some locations, we will also test flashproxy- and snowflake-backed Tor connectivity. All Tor-related tests are run twice, with pre-selected nodes where possible, to minimize errors and ensure test accuracy. # Tests Performed OONI: website accessibility, HTTP error codes, TCP reset packets ExitMap (hacked/customized): checks Tor network node connectivity Tor daemon: test bridge connectivity EyeWitness: screenshots Custom nmap script: to get data on SSL/TLS certificates Custom scripts: to compare SSL/TLS certificates between test locations, compare websites for MitM determination, collecting blocked website HTML, collecting blocked website reasons (as needed), and formatting collected data # Websites Tested The top one million sites, as determined by Alexa’s traffic analyses. This includes a very diverse group of religious and LGBT websites. In addition, I am testing some circumvention websites. As mentioned above, these are grouped into segments so that re-tests can be performed without having to re-test everything. Box status: RU =) UA =| EG =) TN =( -- coordinating local tests instead KG =) KZ =( -- ISP set up Crunchbang OS instead of Debian [1] Due to this, I will not be attending PETS. -- “We have to create; it is the only thing louder than destruction.” ~ Andrea Gibson

1 0

Grants for Tor-related work/research
by Virgil Griffith 03 Mar '16

03 Mar '16

Particularly, I can see research getting funded that explores counter-measures to the kinds of attacks discussed in: http://conferences.sigcomm.org/hotnets/2014/papers/hotnets-XIII-final80.pdf (1) http://www.isif.asia/researchgrant --- "open to all relevant topics of interest around Internet operations, infrastructure and related protocols, such as Network measurement and analysis; IPv6; BGP routing; Network security and Peering and interconnection." --- I can see someone from Tor Metrics doing well here. (2) http://isif.asia/ISOC_CybersecGrant --- Research on improving DNSSEC --- Research/greater deployment of secure routing. -V

1 0

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

tor-project