- tor-project - lists.torproject.org

brief downtime of some services, including mail
by Peter Palfrader 19 May '16

19 May '16

Hey, just a quick heads-up. The friendly people who host some of our hardware have to shuffle things around in their racks. As a result, two of our machines that host a couple of VMs will be down for a few hours starting around 1600Z. Services that will be down include mail, lists, rt, torperf, gettor, translation, compass, jenkins. If all goes well, things should be back a few hours later. Cheers, -- | .''`. ** Debian ** Peter Palfrader | : :' : The universal https://www.palfrader.org/ | `. `' Operating System | `- https://www.debian.org/

1 1

Notes from May 12 2016 Vegas team meeting
by Karsten Loesing 17 May '16

17 May '16

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 See this posting for context: https://lists.torproject.org/pipermail/tor-project/2016-April/000223.html Notes for May 12 2016 meeting: Mike: 1) I reviewed a bunch of sandboxing tech for Tor Browser. I think I have the outlines of what a sandbox would look like that blocks some/most/all of the information obtained by the FBI exploit (we'll likely do best on Linux and Mac, but can still block proxy bypass on windows). I will be sending that to the Tor Browser team shortly. 2) Got an email from Disconnect. They are working to restore Google searches.. Georg: 1) We worked on getting the ESR45 based Tor Browser into stable shape (there are still things left to do) 2) I worked on our search engine situation (Disconnect does not have Google results anymore) Nick: 1) Doing code review and encouraging others by formal pressures: Till the needs-review tickets of May 10 are reviewed, I'm not reviewing other (non-critical) stuff. [Talking with Isabela about this, and applying structural pressure. It's going fine.] 2) Need to get SVN access to Seattle folks. I need to hear from Shari about whether it's internal or corp+internal. (Is Shari on?). [Outcome: Shari says Jon should have access. So I added him.] 3) Resolved UDRP with help from Peter and Wendy. Put my Google voice # as the contact. Now I am getting 4-5 no-message calls there per day. (I have ringing disabled.) [Outcome: waiting for decision on which phone number should get all the phonespam.] Isabela: 1) Pick up SIDA proposal 2) tomorrow is DRL call I sent an email about it 3) sent a blog post for fact check to Roger and Nick Katie: 1) CloudFlare meeting and next steps 2) FBI exploit hearing happening today in Washington State. Mozilla has requested that it see the exploit first. 3) Isis media and training going well so far :) 4) Rule 41 5) Fastly opportunity Shari: 1) Talking with Duck Duck Go to see if their search engine might be a good way to go for Tor Browser. 2) Talking with Laura Cunningham from DRL to see if I can get a good read on whether they really want TorDev in Valencia in 2017. 3) Jake's back. How can he best engage? Karsten: 1) Reviewed CollecTor patches and discussed design changes with iwakeh. 2) Spent some time writing a possible funding proposal for metrics work. 3) Please read responses to notes posted to tor-project@ and respond if people ask questions about your notes. Alison 1) Still collecting user feedback around CloudFlare stuff. Contacted all of the allies that were on my list, heard from only one, and that one hasn't told me yet if I can share their comments with the group. 2) Reaching out to allied people (journalists, activists, attorneys, etc) to see about getting more varied involvement in the community team 3) Continuing to work on the membership doc, social contract, and support manual here and there in the midst of hectic travel and speaking schedule. -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQEcBAEBAgAGBQJXOueAAAoJEC3ESO/4X7XBVgcH/09pGr0Pq6zAxPbqPiXML+Su f+ZxDQpftO+QRmWHOR2mzakpudIZIjUBgJkp41zSxfqsbQ2luwG+/bfZZGAdqm0F hDHFNZPJG0pQ0k2fhHNVl3ngsnYrGoMxLukRahgpzEl4hwpFJQUWiWvv0hNhHcIW +zbSSIbVbJJbhH3N4726TmxAzQxQFKCcTaSPtQzwxWcVlgexz2vFVcfEM+TPWfGy AA+ZC+1Pcr4qBB/v25ryK4OM5LWRpXVbkA6wZjuALXWfy+npQEokgHF4E/gRwZj9 SO2gvAFnSbUgTmez0GWVs+sCUgrTz8PihvQnKAkzRwdRqL+0wjDjZllqgE3xK6M= =Jfvw -----END PGP SIGNATURE-----

1 0

Re: [tor-project] Google lifted sanctions on Iran
by Nathan Freitas 16 May '16

16 May '16

On Sat, May 14, 2016, at 04:07 PM, Nima Fatemi wrote: > Good news! Google finally lifted sanctions on Iran. This means Iranians > are no more censored from both ends and can now take advantage of > censorship circumvention techniques like meek-google. Any practical impact on Google Play downloads? I've been seeing those as tracked from Iran for quite awhile now, but perhaps people were still using VPNs? > Heck, I think we can even accept GSoC students from Iran, now. Oh yes, put me down for mentoring that, for sure! +n

1 0

Re: [tor-project] Launching Ethics Guidelines
by isis 16 May '16

16 May '16

Virgil Griffith transcribed 10K bytes: > I accidentally put tor-project@ on the To: field. Sorry about that. A *likely* story. I put tor-project@ back in the To: field. > Although I personally don't consider this content to be dangerous, at > least one person will consider it so, and I'd rather not antagonize > that person. Heh. > I renamed the URL to: [snipped the URL] > Share as you see fit. I'll refrain from stooping to your level, thanks. > -V The above URL to dropbox which Virgil gave me contains extremely detailed logs of user behaviour, including: - timestamp accurate to the second - IP addresses (where only the final octet is scrubbed, reducing the set of possible IPs in question to ~253) - onion service requested - full URI requested - onion service response code > On Thu, May 12, 2016 at 5:43 PM, Virgil Griffith <i(a)virgil.gr> wrote: > > Apparently tor-assistants@ no longer exists? Well, here's the logs. > > Share with whomever you think is appropriate. > > > > ============================================================ > > The earlier dates were on a different hard drive. Here's the oldest > > date I have on hand: Jan 25, 2016. > > > > https://dl.dropboxusercontent.com/u/3308162/2016-01-25.log.gz This file was replaced with a new one, which says the following: > Oops! Didn't mean to post this URL to a public mailing list. My goof. > > I renamed the file and sent the new URL to isis and Matt Finkel. If you > want the data, talk to either of them. I trust each of them to distribute > the data however they see fit. > > In releasing this day's worth of data, my goal is concretize the discussion > of how much de-anonymizing power this data provides. > > I claim two things: > (a) Forbidding any Tor community member from using Google Ads on a > Tor-related website is overbroad. > (b) The de-anonymizing power of onion.link's minimized logs is > substantially less than Google Ads (or equivalent). > > If (a) is not true, reasonable next candidates for banishment include, and > are not limited to: > > * Grams http://grams7enufi7jmdl.onion [onionsite] > * DailyDot http://www.dailydot.com/tags/tor [clearnet] > * DeepDotWeb http://deepdot35Wvmeyd5.onion [double whammy! DeepDotWeb > tracks users on its onionsite *AND* clearnet > https://www.deepdotweb.com/] > > And last I checked these were popular upstanding onionsites. > > Obviously some people will dislike (a). And thus some people will dislike > (b). And that's okay. The community (obviously) doesn't wish to > unanimously approve of every Tor onion-site. The question is whether using > an ad-network is a bannable offense. > > Given (a) is not a bannable offense, and additionally badness(b) < > badness(a). Ergo (b) not a bannable offense. To my knowledge, The Daily Dot has never attempted to sell Tor user data to INTERPOL. > > SHA1: f5eaab44c04e483ffe24c58ec558fdfaefb610b2 > > > > I forthrightly attest that: > > > > (1) these logs are socially very interesting, but not actively dangerous. > > > > (2) these logs are substantially less dangerous than running Google > > ads, which was the alternative. > > > > Rebuttals are welcome on tor-project@ . > > > > If you want to see the minimized logs for a specific day I can do that too. Hmm… I think I've heard the word "minimised" in reference to bulk metadata collection before… -- ♥Ⓐ isis agora lovecruft _________________________________________________________ OpenPGP: 4096R/0A6A58A14B5946ABDE18E207A3ADB67A2CDB8B35 Current Keys: https://fyb.patternsinthevoid.net/isis.txt

2 1

Google lifted sanctions on Iran
by Nima Fatemi 15 May '16

15 May '16

Hey all, Good news! Google finally lifted sanctions on Iran. This means Iranians are no more censored from both ends and can now take advantage of censorship circumvention techniques like meek-google. Heck, I think we can even accept GSoC students from Iran, now. Big kudos to those who worked hard to make this happen. Thought I'd share this news with you. Best, -- Nima 0XC009DB191C92A77B | @mrphs "I disapprove of what you say, but I will defend to the death your right to say it" --Evelyn Beatrice Hall

2 1

Fwd: Launching Ethics Guidelines
by Tom Ritter 14 May '16

14 May '16

I saw https://trac.torproject.org/projects/tor/wiki/org/meetings/2015SummerDevMee… and it notes "Create thread on tor-dev." I couldn't find that thread. But since the below is relevant for this, I figured I'd forward it here. He says not to be intimidated by the length of the document, but I am anyway. Unsurprisingly the tl;dr section was the most appealing to me: http://networkedsystemsethics.net/index.php?title=Networked_Systems_Ethics#… ---------- Forwarded message ---------- From: Bendert Zevenbergen <bendert.zevenbergen(a)oii.ox.ac.uk> Date: 3 May 2016 at 10:08 Subject: [OTF-Talk] Launching Ethics Guidelines Dear All, Today I’m launching the outcome of my OTF information controls fellowship on the Ethics of Networked Systems Research: http://networkedsystemsethics.net. Here a short explanation: These Networked System Ethics guidelines aim to underpin a meaningful cross-disciplinary conversation between gatekeepers of ethics standards and researchers about the ethical and social impact of technical Internet research projects. At heart of this work is the iterative reflexivity methodology that guides stakeholders to identify and minimize risks and other burdens. These must be mitigated to the largest extent possible by adjusting the design of the project before data collection takes place. The aim is thus to improve the ethical considerations of individual projects, but also to streamline the proceedings of ethical discussions in Internet research (or product development) generally. The primary audience for these guidelines is technical researchers (e.g. computer science, network engineering, as well as social science) and gatekeepers of ethics standards at institutions, academic journals, conferences, and funding agencies. It would be great if these guidelines do get used beyond academic research in civil society, product development, or otherwise. This is not just my work, but these guidelines were developed in cooperation with many great people who attended workshops worldwide. Here’s a workshop report and a case study that show how this work developed: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2666934 http://bdes.datasociety.net/council-output/case-study-no-encore-for-encore/ I’m very interested to hear if you have applied these guidelines to your projects, or whether you have comments on this work! Feel free to forward this email..! Many thanks to OTF for making this possible and their excellent support! Ben ------------------------------------------------ Ben Zevenbergen DPhil (PhD) Candidate Oxford Internet Institute University of Oxford Senior Fellow Open Technology Fund

11 24

Notes from May 5 2016 Vegas team meeting
by Karsten Loesing 12 May '16

12 May '16

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 See this posting for context: https://lists.torproject.org/pipermail/tor-project/2016-April/000223.html Notes for May 5 2016 meeting: Mike: 1) Worked on the OTF proposal with Isa, the TBB team, and the core-tor team. Roger: 1) The tor-project rule 41 mail: https://lists.torproject.org/pipermail/tor-project/2016-May/000309.html 2) SponsorW! We tentatively have a new NSF project starting in August, to build defenses for website fingerprinting 3) The subscription / membership discussion. Conclusion is that Alison will send her current draft of the membership process doc, and we'll look for landmines and generally try to move it forward to the point that more people can read it and decide if it's addressing the right things. Kate: (instead of listing everything I did, am just listing points where I ask for Vegas input): 1) Wrote and sent out press release for DuckDuckGo and pitched to a couple Philly reporters; got a Technically Philly hit and a lot of twitter retweets-- dominated all other tweets for the whole Philadelphia Tech Week now in session. 2) Rule 41: SCOTUS rule would allow FBI hacking of computers using Tor, no matter where they are We are working with our alles. 3) Green Alerts--taking advantage of fast-moving good opportunities for Tor 4) Marketing Tor to drive up Tor uptake: Goals to increase the number of users? Social calls to action on browser home page? App store optimization (there's an Apple app store for computer apps)? User drive similar to EFF relay drive? 5) Scheduled and held two CloudFlare meetings (Friday afternoon/Monday afternoon); set out plan to mobilize allies. Alison is soliciting user stories. We will meet again early next week. Met with Marie on CloudFlare strategy. Nick: 1) More hacking. 2) Helped with OTF stuff 3) Email transitions wrt Tom and Katherine (sent email to vegas-leads) 4) Going to Montreal this coming week 5) Somebody needs to train Seattle on SVN, etc. 6) We no longer have a huge box of quasi-antique HDs full of who-knows-what. Instead the HD shredding people have two or three tubs full of mashed-up HD parts. https://people.torproject.org/~nickm/volatile/drives/ Shari: 1) Apologies to Vegas team for jumping the gun on tor-internal. Anything I/we need to do for followup? 2) Seattle office is staffed up and running. Make sure teams know we have administrative and grant-writing help in house if they need it. 3) What should we do about Tor Dev and IFF? Georg: 1) We worked on our transition to Tor Browser 6.0 which will keep us busy the next couple of weeks, too 2) I reviewed the OTF proposal Alison 1) submitted OTF concept note for Tor servers community capacity building 2) Cloudflare community stuff: team is working on allies outreach, getting user stories, and creative campaign eg https://twitter.com/shiromarieke/status/727898847343738881 3) We need docs with our messaging that can be easily shared with allies, community members. Will ping Katie about getting these together. 4) Still slowly working on social contract, support docs, and membership doc. The last one is the new priority given all Tor internal stuff. Worked on it a bit with Lunar yesterday, hope to have something for Tor internal to review after the weekend. Integrating comments and ideas from the email thread. 5) Looking forward to seeing Shari and the Seattle office next week! Isabela: 1) DRL stuff: * Submitted quarterly report * Will have a follow up call on our SOIs on May 11th 2) Submitting the OTF proposal tomorrow - trying to incorporate feedback and get this done 3) Denna is cool with updating deliverables for TBB on contract will get a draft of a formal proposal I need to write for her, for Mike and Georg to review. 4) Richard Brooks want to write a SOI to DRL for a project with he GENI network where we can deploy VMs on it for PT testing, or to run bridges etc - is it useful for us? Do we want to do it? Karsten: 1) collector improvement project is going really well and not only improving collector but also other metrics code bases at the same time. 2) shutting down globe proceeds as planned. no big obstacles there. 3) tricked isabela into co-writing answers to funding-related questions in the metrics team FAQ at https://trac.torproject.org/projects/tor/wiki/org/teams/MetricsTeam/Documen… -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQEcBAEBAgAGBQJXMjlzAAoJEC3ESO/4X7XBbb8H/iQh1H1F+RT74dcMQwLWOoEZ Aq7gdtdn9CvmEk3wdL9fqqnrCwK13rG5uKc3aAWRs0RTTNsrlF9cH2PWBQe21yq7 dxpt1yFpl+oYFwGZPDMnDjbWUxw9vKgsi4sXr6jsQZ73w4kvUpFhiqAJW55OtwOc 30mBBSsg4FsjJV8oInK3zOIgVOgPKzvjx1SzH+jQQk690nQeyD7atA8Lb2Xn56Or LlkUup/IxC46e8qibPu04AqD+Yr5DboE/yd/Y9cjsWIfrIXTSeHF5/sVBwSK4Bzg ynXMqdWys2+Oz1PE3qwG7E2Mgc3bd7w2/dWNAj/SfBUjCyMCd9BKCbn4FnAZmOw= =PuKK -----END PGP SIGNATURE-----

3 2

Which domains have onion addresses with EV Certs
by Paul Syverson 10 May '16

10 May '16

Does anyone have a list of domains with EV Certs for onion addresses or know where to easily obtain such? Juha, I didn't see any obvious indicator of this at ahmia, but maybe you keep track of this somehow? Alternatively, if people have specific names of companies or domains (beyond Facebook) that have Certs for both their registered domain names and their onion addresses I'd appreciate hearing about them. Thanks. aloha, Paul

7 11

Notes from April 28 2016 Vegas team meeting
by Karsten Loesing 09 May '16

09 May '16

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 See this posting for context: https://lists.torproject.org/pipermail/tor-project/2016-April/000223.html Notes for Apr 28 2016 meeting: Georg: 1) We worked on our Tor Browser releases and got them out. 2) In the next weeks we will work on stabilizing ESR45 based code for the 6.0 stable release being due in about 4 weeks. 3) I worked on a replacement/change for our OTF sandbox deliverable. Kate: 1) Facebook press: Coordinated closely with Alec Muffett from Facebook; published simple press release; spoke to TechCrunch and Daily Dot; got a flood of positive press from other outlets based on Alec's short Facebook blog post. 2) Edman media strategy and statement (on statement: conferred with colleagues, drafted statement with Shari, fact checked with Roger, Nick and others, sent to Daily Dot reporter.) 3) Reviewed bug report for Nick 4) Met with Nick and Shari on media issues. 5) Coordinated interviews with Daily Dot (Facebook article, article on Edman, also article on Internet censorship), Motherboard (CloudFlare), Forbes (Exit relays and Seattle raid) PBS (for Internet documentary--Nick is being interviewed tomorrow), Gizmodo interview with Shari, WBAI radio interview for Shari, spoke to Wired about new Iranian satellite service that distributes Tor software and animation as well as Tails. 6) Spoke to Jake--all is going very well on his trip to island nation; talk went well, he met with only local Tor relay operator and made contacts with local internet freedom community. 7) Published second issue of newsletter for funders and external nontechnical audiences who aren't following Tor closely (different from TWN). 8) Met with nontechnical volunteer David to discuss work. 9) Social media: Tweeting and posting to Facebook. 10) Worked on onion services fact sheet which includes examples of good uses of onion services - still needs work. 11) Want to participate in collaboration with health clinic using onion service to share sensitive info with patients, etc.; asking Tor for a letter indicating we want to collaborate. Requires short "we are collaborating" letter from Shari. Mike: 1) Talked to Kevin and Matt about the blog. Matt gave us some technical suggestions related to avoiding logging IPs. 2) Figuring out how to handle an OTF about a deliverable with Georg and Isa. Nick: 1) There will be some work to onboard Jon. Need somebody to spin him up on PGP/XMPP/something so I can start sending him passwords he will need. 2) Handling transition stuff from Katherine's and Tom's departure. This includes email wrangling. 3) Got a UDRP complaint from Joker. Need to send them faxes. Will do on Monday. 4) End-of-month process for deliverables seems to be going well; we will find that we had lots of stuff that just couldn't get finished by EOM. 5) Will be distracted today and tomorrow preparing for interview for internet history documentary; more good work to come in May. 6) Bug retrospective seems very promising; we should maybe spread the other practice so that other teams to do stuff like this. 7) Will try very hard not to be working this weekend. My stress levels are up, and I need to unwind. 8) Helping Isa with reports has gotten easier since we started getting better about tracking sponsors. 9) Haven't made progress migrating us away from SVN for a while. 10) Have made a tiny bit of progress trying code review tools. 11) Hoping that TBB 6.0a5 comes out today so users can test the tor in in. Isabela: 1) Waiting on a couple of things from Sue Abt: * a) W9 for OONI to get the money for their grant * b) Finance report for sponsorT 2) need to apply changes on how we are reporting things to DRL - they requested this from everyone at the implementers meeting. Done so far: * clean up of the narrative report - need review from Roger (PT part), Nick(Testing part), Shari?(Outreach part) - by review I mean facts (if I missed anything) and English :) * initiated conversation on how to simplify our F-Indicators reports - we have 3 different sets going on... is a big mess that I inherited :( * plan on building a M&E for our project with them * start to look at what is needed to get our extension going for sponsorS contract - to make sure it ends on the right date (EOQ3) 3) working today with Mike on OTF full proposal (2/3 is done already) - -- plan to get it to Roger to give it a LaTex beauty magic by EOW (Chad said is ok to submit it by first week of May) 4) working with Mike and Geko on negotiating with OTF to change a deliverable on our contract 5) working with Nick and Yawning - on defining deliverables for Yawning to work on so we can build a contract with him 6) Richard Brooks want to write a SOI to DRL for a project with he GENI network where we can deploy VMs on it for PT testing, or to run bridges etc - is it useful for us? Do we want to do it? Alison: 1) finishing up OTF proposal for Torservers.net (worked with Juris and Moritz and other Torservers folks) which aims to build community capacity for Tor relay operators. 2) Kate will put Alison in touch with Forbes reporter who is writing about relay operator stuff2. Started conversation with EFF folks about a community response to CloudFlare issues. 3) Community docs that are still slowly being worked on: social contract, membership doc, and support docs. Alison has had a very very busy two weeks of trainings! But after this week, the membership doc and social contract have been bumped up in priority. 4) Still working to grow the community team! a few more activists and folks on Tor-teachers mailing list have reached out to me, so I hope soon to have a critical mass. Karsten: 1) Not much to report this week. Trying to keep team members productive by responding to questions and reviewing patches. The CollecTor improvement project is going really well. 2) Globe retirement is going okay. We're creating a list of things to add to Atlas before dumping Globe, but I don't see any major blockers there. 3) Created a graph or two for this week's Sponsor R event. Shari: 1) This is the last week for Tom and Katherine as Tor Project contractors. We need to offboard them and wish them the best. Hopefully they'll remain active in the Tor community. 2) A lot of new people have started here, and the Seattle office is rocking. I’m planning to send a personnel note around tomorrow to tor-internal. Will include new office contact information. 3) Sent note to DRL about uncoupling TorDev from IFF. Expect to hear back from them this week. 4) We have close to a draft anti-discrimination/anti-harassment policy finished. I will run it by the Vegas team and then distribute to tor-internal. -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQEcBAEBAgAGBQJXKcpsAAoJEC3ESO/4X7XBK04H/RnwJExgAB29oFwi6Fq4FHvp u1XdQ/t0VEyp27rbSXMQvk7NydmE/3bnN+ASihIxsvrTt3CUUSI5tFb9fc9Afx7c af6JB2xWpezGLo6RFhs2hiipA6cpDuwH0oTf0giyv96gHxp9ltGUQtAGs/Pk+XtD ywZYgWXP0+R3gJ1YyX7GqIs5QYUUlegv85GEmkIHAuF/JOxNqu7qqEKLf1KbSihy 8MNTNs50sG97W7XPwiwJTjykUSJQl6U96WhYVYJl8TX3V7h5qc/7N2FyTSDVGdbv KOL/5d1jkL7cF0biaWC8JdlrDzSHNlBzGRbBVre4ZMFs97w9JQ3ij4B2C6Y14FY= =qRj8 -----END PGP SIGNATURE-----

5 4

Teaching lawmakers about Tor for rule 41 amendment
by Roger Dingledine 06 May '16

06 May '16

Hi Alison, Kate, Check out https://theintercept.com/2016/04/28/supreme-court-gives-fbi-more-hacking-po… I think this is a really important outreach topic. A) We should reach out to the senators who are planning to fight the changes, to offer to teach them more about Tor and more about the Internet, see if they have any questions or concerns, etc. I bet there are some staffers somewhere who are working on exactly this topic, and everything they know about Tor they learned from one scary video about the dark web. We should teach them how Tor works, why people need it, and why a diversity of types of users is key to its security. B) At the same time, we should learn what their talking points are, so we can be better at educating people about the issue. In particular, one of the quotes in the article says it's "possibly the broadest expansion of extraterritorial surveillance power since the FBI's inception", but at the same time, I can totally picture people saying "Oh come on, it's just Tor, how can that be such a big change?" We would be smart to have concrete non-Tor examples of what these new powers would allow, so everybody can understand that these changes aren't just about Tor. Thanks! --Roger

5 5