- tor-project - lists.torproject.org

Notes from June 2 2016 Vegas team meeting
by Karsten Loesing 07 Jun '16

07 Jun '16

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 See this posting for context: https://lists.torproject.org/pipermail/tor-project/2016-April/000223.html Notes for June 2 2016 meeting: Alison: 1) status of community documents 2) still working on SIDA proposal with Isa Mike: 1) Postponed my vacation for another week or so to help with community issues. I'll be quietly working on my phone prototype in the meantime. 2) Will be attending a panel on the Decentralized Web next week. Then maybe vacation? Unclear. Shari: 1) Erin the new HR person starts on Monday, so I'll need help from various folks to get her set up. 2) Board meeting recap. Nick: 1) Changed addresses on many online accounts. Make sure everybody in the office knows how not to get phished. Karsten: 1) Released DescripTor 1.2.0 containing a complete rewrite of docs into Javadocs. 2) Finished metrics proposal together with Cass, Isabela, iwakeh, and Shari. Kate: 1) It's important that Tor people talking to the media about Tor touch base with me prior to interviews so that I can help them with media training (if needed), discuss the reporter with them, etc. I need to understand which reporters are covering which topics. This is an evergreen request and also a longstanding policy. Georg: 1) Tor Browser 6.0 is out \o/ Isabela: 1) network team - working on next release [make it smaller] 2) OTF - reply to their questions [also pinged Sue on invoices we should be doing will ping her again is $ to come in ;)] 3) DRL- preparing F-indicators and extension letter -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQEcBAEBAgAGBQJXVrBAAAoJEC3ESO/4X7XBFpsH/2Olfmnra7LFD4rjQ0rW5SK6 mexUJK+BuDagpIRj/96rZyWZAYXrVSND3p4ECMf/elOZqdZrZ04CNkrxyMRRIZBU m5Wl+T/pyJxowPv9nE7jgmkwM+156ZfMkJmqKC6NK9j52BY14C05p8Ni5c3IfPbg kjW8kNKx9apBnxbA+dhnTq9rHzNbvEDzNc1FhowVr1nsxHOevQwl+SPHdluJ5PoA PyP4Ux/qKtm0chumd1NPxh9I1WvZXXUdq2UwfWcfez3dWmepl+WCEy6mGRdpJ9TF bMlHKpaCN6xh0MC8fGGYX+WjDFHAjPHyW7gO+15NOTFVl7DSLUk3NUGkuW3Mh5Q= =/6x0 -----END PGP SIGNATURE-----

1 0

Hewlett Foundation Grants
by Tom Ritter 06 Jun '16

06 Jun '16

Someone pointed out the Hewlett Foundation grants to me: http://hewlett.org/blog/posts/refining-our-cyber-initiative-grantmaking-str… http://hewlett.org/sites/default/files/Cyber%20Initative%20Refined%20Grantm… It does not seem that they have 'open' grant applications, but they fund in the hundreds-of-thousands of dollars range to orgs like Berkman, New America, CDT, and a bunch of universities - so it seems worthwhile to think about and see if Tor could put in a proposal...? The goals for their grants are: - Building Capacity of Civil Society Orgs - Building Capacity of Individual Decision-Makers and Influencers - Building a Robust Network of Cybersecurity Experts - Generating Policy Driven Research and Thought Leadership - Cofunding It's not a slam dunk for the main sort of work Tor does, but it seems like it may fit OONI quite well or could be a vehicle for sponsorship of devs to attend things like Open Web Summits. -tom

1 0

Proxy Blocking Latency (preprint)
by David Fifield 01 Jun '16

01 Jun '16

Lynn Tsai and I, with the help of others, have been measuring how long it takes for Tor Browser's default bridges to be blocked. https://arxiv.org/abs/1605.08808 (click "PDF") Abstract: Censors of the Internet must continually discover and block new circumvention proxy servers. We seek to understand the pace of this process, specifically, the length of the delay between when a proxy becomes potentially discoverable and when the censor blocks it. We measure this delay by testing the reachability of previously unseen Tor bridges, before and after their introduction into Tor Browser, from sites in the U.S., China, and Iran, over a period of five months. We find that China's national firewall blocks these new bridges, but only after a varying delay of between 2 and 18 days, and that blocking occurs only after a user-ready software release, despite bridges being available earlier in source code. While the firewall notices new bridges in Tor Browser, bridges that appear only in Orbot, a version of Tor for mobile devices, remain unblocked. This work highlights the fact that censors can behave in unintuitive ways, which presents difficulties for threat modeling but also opportunities for evasion. The best summaries are on pages 4 and 5, which show in graphical/tabular form the dates of releases and how long the bridges remained reachable after. We would appreciate any comments or corrections. In particular, the description of the Tor Browser release process could stand some fact-checking by a Tor Browser developer.

2 2

Fwd: Applications extended - APNIC Internet Operations Research Grant
by Virgil Griffith 31 May '16

31 May '16

This seems like a lovely grant opportunity for someone doing BGP or traffic analysis work. Must have some presence in Asia Pacific. -V ---------- Forwarded message ---------- From: *APNIC Secretariat* <apnic-no-reply(a)apnic.net> Date: Tuesday, 31 May 2016 Subject: Applications extended - APNIC Internet Operations Research Grant ________________________________________________________________________ APNIC Internet Operations Research Grant applications extended ________________________________________________________________________ APNIC is pleased to announce that applications for the APNIC Internet Operations Research Grant have been extended by TWO WEEKS to 15 June 2016 (23:59 UTC). Applicants can apply for funding between AUD 5,000 to AUD 45,000 for research projects on topics related to Internet operations, infrastructure and related protocols, for example: - Network measurement and analysis - IPv6 deployment - BGP routing - Network security - Peering and interconnection Apply now --------- If you have a project that supports the development of an Internet research community whose results can improve the availability, reliability and security of the Internet in the Asia Pacific, then apply now. We encourage members of Network Operators Groups, members/partners of IXPs, operators of root servers, and academics and postgraduate students to submit their proposals. The APNIC Internet Operations Research Grant is administered and managed by ISIF Asia. For more information, please see: http://isif.asia/grant ________________________________________________________________________ APNIC Secretariat secretariat(a)apnic.net <javascript:_e(%7B%7D,'cvml','secretariat(a)apnic.net');> Asia Pacific Network Information Centre (APNIC) Tel: 61 7 3858 3100 PO Box 3646 South Brisbane, QLD 4101 Australia Fax: 61 7 3858 3199 6 Cordelia Street, South Brisbane, QLD http://www.apnic.net ________________________________________________________________________

1 0

Tor Hackfest during HOPE?
by Kate 30 May '16

30 May '16

Hi, David Huerta is founder of NYC's hackerspace Resistor and has a very cool day job helping to envision the future of libraries (first locally and then nationally), at the Brooklyn Public Library. He wants to host a Tor hackfest during HOPE. Cheers, Kate Hello, re: latest blog post: https://blog.torproject.org/blog/mission-montreal-building-next-generation-…. Would there be any interest in a Tor Hackfest in NYC? I can bounce the idea off the other NYC Resistor (http://www.nycresistor.com/) kin to see if we can schedule a day or two for late July; Same week as HOPE? We can host groups < 25 people, pro bono. Let me know if there's any interest, .dh huertanix(a)nycresistor.com

3 2

Notes from May 26 2016 Vegas team meeting
by Karsten Loesing 30 May '16

30 May '16

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 See this posting for context: https://lists.torproject.org/pipermail/tor-project/2016-April/000223.html Notes for May 26 2016 meeting: Georg: 1) Tor Browser 6.0 is ready for QA. Planned release day is May 30. 2) I worked on our search engine problem. Disconnect switched the fallback to DuckDuckGo. 3) I reviewed 2 papers Nick: 1) Tor 0.2.8.3-alpha is almost out. Which TorBrowser will get it? 2) Talked with some folks and Isabela about doing an audit on the Tor code. (Roger set this up; I think an existing funder would be paying?) Seems promising so far. 3) Had meeting with Isabela and team. Productive but team feels stretched. IMO we need: * A sense that everybody is doing their fair share * Nearly all people to be contractually 'allowed' to work on nearly all things. * To track non-coding tasks as well a coding tasks when planning time and allocating people * A better sense of how much volunteers would like to commit, and a way for us to be able to ask the paid people before the volunteers. We have planned to: * Get a working code review system * Add review-points to trac * chop 0.2.9 and future releases down to size * improve our workflow. * have another meeting in july Kate: 1) Rule 41 update —Need to stay with bipartisan talking point: DOJ is trying to get a major policy change enacted with a rule change in the Federal Rules of Criminal Procedure--DOJ is trying to circumvent Congress. Rep. Poe's office is introducing co-sponsors in two's-- one democrat for each republican. It's going well. 2) CloudFlare update: More allies are joining us; we are planning to track CloudFlare's promises and hold them accountable, probably via an email list. 3) A-Clinic Collaboration - probably not a formal collaboration with this foundation that wants to use onion services to do anonymous health surveys, etc. A letter describing our involvement is still being negotiated. 4) Recruited volunteers to help with HTML tagging so we can upload more things to the Tor website. 5) Press Kit: Volunteer David Stanton is working on user stories document and I am finishing onion services doc as well as document that describes myths about Tor and explains the realities. 6) US Mission in Uganda held an Internet freedom and human rights Twitter event - we participated (5/26) We received some media coverage about the onion services hackfest, including a nice SlashDot piece - BoingBoing: https://boingboing.net/2016/05/26/tor-project-is-working-on-a-we.html - The Register:http://www.theregister.co.uk/2016/05/25/nextgen_tor_to_use_distributed_rng_55character_addresses/ - Softpedia: http://news.softpedia.com/news/tor-to-use-never-seen-before-distributed-rng… - IBTimes: http://www.ibtimes.co.uk/tor-develops-its-own-random-number-generator-make-… - Hackread: https://www.hackread.com/tor-developers-next-gen-onion-service/ - Slashdot: https://yro.slashdot.org/story/16/05/25/2347238/tor-to-use-distributed-rng-… - Naked Security: https://nakedsecurity.sophos.com/2016/05/26/tor-takes-on-the-question-what-… FBI is being pressured by the judge to release Tor 0-day in Washington State case Shari: 1) board meeting on Friday; anything you want me to bring up? 2) Monday is a holiday in the U.S. How to handle holidays? 3) Personnel update. Isabela: 1) Organized retrospective meeting with the network team for the team to have a sense of how things are going and where are the pain points we need to improve. Went pretty good for my first irc retrospective :) 2) Working with Alison on updating the SIDA proposal. 3) Working on possible Mozilla grant - at first with TBB and Nathan because we were thinking of applying for mobile browser - now with Karsten because we probably will apply for metrics instead per Mozilla's feedback. 4) focus on making the release 0.2.9 smaller / pick up DRL work (M&E and F-indicators and extension) are the things for me starting next week Mike: 1) I'm wrapping up the last thing before I take a vacation: I'm going to help with the Mozilla proposal(s), and then start my vacation, ideally on June 1st. Karsten: 1) Continued writing a funding proposal for metrics work, together with Isabela and Cass who have been extremely helpful so far. Deadline is May 31st. 2) Just talked to weasel about the virtual machines at one of our hosters basically falling apart. We'll need to migrate them ASAP to a new hoster. Apparently, budget shouldn't be an issue there, because we're freeing up some money by reducing hosting elsewhere, but just in case there's overlap we might be paying a few hundred USD extra. -- Asked Shari for ~200 USD/mo, which she approved. Alison: 1) social contract draft is with Lunar and Matt for one more review before Vegas leads 2) the community council is writing our guidelines -- still in its very early stages 3) sent another update of the membership doc to this team for review - -- next it'll go to tor-internal@ 4) reworking SIDA proposal with Isa 5) OTF concept note for building community capacity within Torservers was invited for a full proposal! 6) Cloudflare meeting (Mike will probably update) 7) support team met yesterday. we hope to integrate this team more into the community team. phoul has done major updates to the support docs and we're now working on plans for distribution and translation and maintenance. -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQEcBAEBAgAGBQJXTAaJAAoJEC3ESO/4X7XBO5oH/3FH9ZW7O1aJwkIl0vByaPP9 JXDosBBm2FssksZn9z498qQ7o6HkSlfrO0oT3nnjvQlteYGZZQj+gdDuFpiQ8KTD tKlUk753iWDgPrsK0+WMszhKYpe/zNIOQ7GieY0Xx3Nkxmzvc/buMlxA+qHkF09/ NFv6WqJUTy3nZsf8N8JwD2pUiFafXLzthEmrGgLsHxNsIFN1BbdI4npZIueV0Cpw 1cQk01eZKZtoDi03/ilAsVtUoeBYRmjktUgdFIAh9vXputAfG7pgliJCbxj2j+Dw k8p7HfjJQsgistQJJrLVus9Tt1rYQULDqw0r2G9cn6dhuO/zBSNJNBJeqgWH+hE= =FVjF -----END PGP SIGNATURE-----

1 0

Fallback Directory Monitoring
by Damian Johnson 28 May '16

28 May '16

Hi Tim, hi Nick. As requested on ticket #18177 [1] we now have a new DocTor monitor [2] that checks the reachability of our fallback directories. A notification that looks like the following is sent to the three of us and #tor-bots if over 25% of the fallbacks are unreachable... ------------------------------------------------------------ 29/100 (29%) fallback directories have become slow or unresponsive... * 9504CB22EEB25D344DE63CB7A6F2C46F895C3686 => IPv6 ORPort is unreachable (2a03:b0c0:3:d0::2ed:7001:9050) * AEA43CB1E47BE5F8051711B2BF01683DB1568E05 => IPv6 ORPort is unreachable (2001:41d0:a:74a::1:443) * 8B7F47AE1A5D954A3E58ACDE0865D09DBA5B738D => DirPort is unreachable (178.217.184.32:9030) ... etc... ------------------------------------------------------------ A fallback is defined as unavailable if... * We can't connect to its ORPort. * We can't connect to its DirPort. * We can't connect to its IPv6 ORPort (if it has one). * It takes longer than 15 seconds to provide the consensus (download times are usually ~3s). The cron runs once per day. Happy to also send these to tor-consensus-health@ if anybody there wants the notices. Cheers! -Damian [1] https://trac.torproject.org/projects/tor/ticket/18177 [2] https://gitweb.torproject.org/doctor.git/tree/fallback_directories.py

1 0

Monday holiday in the U.S.
by Shari Steele 26 May '16

26 May '16

Hey all. Monday is Memorial Day in the United States: https://en.wikipedia.org/wiki/Memorial_Day The Tor office in Seattle will officially be closed on Monday. All other U.S. Tor people are invited to take a holiday. And those of you who live in other countries, please take off an appropriate holiday wherever you are. :) Our new human resources manager, Erin Wyatt, will be starting on June 6. Coming up with a good holiday policy will be one of the (many) things on her to-do list. Shari

1 0

Re: [tor-project] Onion sites vs onion services vs hidden services
by Nathan Freitas 26 May '16

26 May '16

On Wed, May 4, 2016, at 10:41 AM, Paul Syverson wrote: > On Wed, May 04, 2016 at 07:36:23AM +0000, Yawning Angel wrote: > > On Wed, 4 May 2016 01:30:13 +0000 > > Alison Macrina <alison(a)libraryfreedomproject.org> wrote: > > > So, I want to propose that we choose onion sites or onion services > > > once and for all (I'm in favor of the former because most users have > > > no idea what is meant by "services"; it sounds too vague). Then, > > > whenever we see somewhere on torproject.org or any of our > > > documentation or whatever that still reads hidden services or onion > > > services, that we kill it with fire. > > > > Disagree, because this further reinforces the idea that the internet is > > centered around port 80/443, and is nonsensical given some of our > > prominent use cases ("Ricochet is based around Tor onion services" vs > > "Ricochet is based around Tor onion sites". One of these statements is > > correct, and one is not). > > To further Yawning's point and provide an example of using both terms: > Ricochet is an onion service in which each Ricochet client > creates a local onionsite that others connect to. Actually, for me, the user of the word "service" is something that is a machine-readable endpoint, an API or protocol, while "site" is a meant to have some human-facing aspect that is able to be browsed or read through a web browser or something of that nature. I would say that Ricochet is only an onionservice, while something like SecureDrop or Globaleaks would be an onionsite that offers onionservices as part of the application. +n

8 7

Is there a mission statement / list of goals for Tor Project?
by Virgil Griffith 25 May '16

25 May '16

This seems like an obvious question, but https://www.torproject.org/about/overview.html gives me no clear answer. ----- I've gotten conflicting reports on the goals of Tor ranging among: * protecting Tor users and HSs * preventing linking of IP addresses to internet traffic regardless of whether someone is a Tor user * developing and enabling privacy-enhancing technologies * furthering human rights * furthering "internet freedom" * furthering "privacy" Each of these is a fine and good thing. However, the current ambiguity makes it unclear what to do when these individually good things conflict. For example, Tor2web enables linking of client IP addresses to internet traffic. Which is bad. However, it also "furthers human rights" as it's the largest whistleblowing platform. How to adjudicate? When are we, as agents of Tor Project, serving "the ideology of Tor" versus our own personal ideology? Clarifying this is a standard part of organizational maturity. For example, Greenpeace does a similar thing: * http://www.greenpeace.org/eastasia/about/mission/ * http://www.greenpeace.org/international/en/about/our-core-values/ While different people will have slightly different ideas of what constitutes the "Tor ideology", and we don't want to wantonly pick fights, it seems reasonable for management to triage these individually good things into different tiers. Because right now I see people claiming orthogonal things as Tor Project's ideology. -V

2 3