Tor Weekly News — September 25th, 2013

dope457 dope457 at riseup.net
Wed Sep 25 12:15:43 UTC 2013


========================================================================
Tor Weekly News                                     September 25th, 2013
========================================================================

Welcome to the thirteenth issue of Tor Weekly News, the weekly newsletter
that covers what's happening in the well-heeled Tor community.

Reimbursement of exit operators
-------------------------------

In July 2012, Roger Dingledine wrote a post on the Tor blog [1] in which
he raised the prospect of offering funding to organizations running fast
Tor exit nodes. In so doing, Roger wrote, “we will improve the network's
diversity as well as being able to handle more users.” He also announced
that donors were already interested in financing such a scheme. Then, in
April this year, Moritz Bartl stated [2] that torservers.net was looking
to move away from establishing additional exit nodes, in favor of
providing support of various kinds to partner organizations running their
own exits.

These plans, and the discussion they provoked, are now about to bear
fruit in the form of a financial reimbursement scheme directed at
torservers.net's partner organizations. Moritz wrote again on the
tor-relays list [3] to announce that reimbursements are scheduled to
begin at the end of this month, drawn from a one-time donation by the
U.S. Government's Broadcasting Board of Governors.

The ensuing debate focused both on the technical aspects of reimbursement
— that is, how best to determine the division of funds based on
information harvested from the network metrics [4] — and the question of
the security issues that could potentially arise from such a scheme [5].

Moritz specified that currently the only organizations to qualify for
reimbursements are those that he personally knows: “so, if you’re
interested in becoming a partner, start social interaction with me”, he
wrote. Questions or comments regarding these proposals are welcome on the
tor-relays list, and further announcements and discussion about the
reimbursement system will be published on its dedicated mailing lists [6].

    [1] https://blog.torproject.org/blog/turning-funding-more-exit-relays
    [2] https://lists.torproject.org/pipermail/tor-relays/2013-April/001996.html
    [3] https://lists.torproject.org/pipermail/tor-relays/2013-September/002824.html
    [4] https://lists.torproject.org/pipermail/tor-relays/2013-September/002825.html
    [5] https://lists.torproject.org/pipermail/tor-relays/2013-September/002831.html
    [6] https://lists.torproject.org/pipermail/tor-relays/2013-May/002138.html

Tails 0.20.1 is out
-------------------

Tails saw its 33rd release on September 19th [7]. The most visible change
might be the upgrade of tor to version 0.2.4.17-rc, which should result
in faster and more reliable access to the network after the sudden bump
in Tor clients [8].

Among other minor bugfixes and improvements, persistence volumes are now
properly unmounted on shutdown. This should prevent data loss in some
situations, and avoid a sometimes lengthy pause upon activation.

It also fixes several important security issues [9]. It is recommended
that all users upgrade as soon as possible [10].

    [7] https://tails.boum.org/news/version_0.20.1/
    [8] https://blog.torproject.org/blog/how-to-handle-millions-new-tor-clients
    [9] https://tails.boum.org/security/Numerous_security_holes_in_0.20/
   [10] https://tails.boum.org/news/version_0.20.1/

New Tor Browser Bundles released
--------------------------------

A new set of stable and beta Tor Browser Bundles was released [11] on
September 20th. The Tor Browser is now based on Firefox 17.0.9esr and
fixes several important security issues [12].

Queries for the default search engine, Startpage, are no longer subject
to its invasive “family filter” [13]. The beta branch also includes an
updated version of HTTPS Everywhere that no longer causes a storm of
requests to clients1.google.com, an issue reported by many users after
the last release [14].

Once again, it is recommended that all users upgrade as soon as possible.

   [11] https://blog.torproject.org/blog/new-tor-browser-bundles-firefox-1709esr
   [12] https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#firefox17.0.9
   [13] https://bugs.torproject.org/8839
   [14] https://bugs.torproject.org/9713

Tor mini-hackathon at GNU 30th Anniversary Celebration
------------------------------------------------------

Nick Mathewson sent an invitation [15] encouraging everyone to attend the
GNU 30th Anniversary Celebration [16] on September 28th and 29th at MIT,
Cambridge, MA, USA. Part of the event is a hackathon, and Tor is featured
alongside a few other projects. If you want to spend some of the weekend
helping the Tor community, sign up on the webpage [17] and come along!

   [15] https://lists.torproject.org/pipermail/tor-talk/2013-September/030154.html
   [16] https://gnu.org/gnu30/celebration
   [17] https://crm.fsf.org/civicrm/event/register?id=10

Clock skew: false alarm
-----------------------

Small offsets in system time offer an attractive opportunity for
fingerprinting Tor clients. In order to eliminate unnecessary exposure,
Nick Mathewson has been working on proposal 222 [18].

Unfortunately, this process introduced a bug into the tor daemon which
became apparent after the directory authority named “turtles” was
upgraded. The result was that relays started to warn their operators of
an implausible clock skew [19]. This was, of course, a false alarm.

The issue was quickly worked around, and fixed properly a few hours later [20].

   [18] https://gitweb.torproject.org/torspec.git/blob_plain/refs/heads/master:/proposals/222-remove-client-timestamps.txt
   [19] https://lists.torproject.org/pipermail/tor-relays/2013-September/002888.html
   [20] https://bugs.torproject.org/9798

Tor Help Desk Roundup
---------------------

One user contacted the help desk for assistance running torbrowser, an
application not affiliated with the Tor Project that attempts to mimic
the Tor Browser Bundle. The torbrowser application violates the Tor
Project’s trademark, and the Tor Project encourages users to avoid it.
Multiple Tor Project developers have contacted SourceForge, which hosts
this application’s website, attempting to get the project removed. Andrew
Lewman has said that lawyers have now been engaged [21].

A number of university students continued to contact the help desk to
report difficulties circumventing their university’s Cyberoam firewall.
These students report being unable to access the Tor network even when
using the Pluggable Transports Browser with obfs3 bridges. One person
reported success circumventing the firewall when using an obfsproxy
bridge on port 443. This issue is ongoing, but a bug report has been
filed [22].

   [21] https://lists.torproject.org/pipermail/tor-talk/2013-August/029614.html
   [22] https://bugs.torproject.org/projects/tor/ticket/9601

Miscellaneous news
------------------

Jacob Appelbaum inquired with VUPEN about the Tor Project having the
right of first refusal for Tor Browser bugs, in order to protect users [23].

   [23] http://storify.com/fredericjacobs/discussion-between-tor-s-ioerror-and-vupen-s-chaou

The proposed Tor page on Stack Exchange has now reached 100% commitment,
and will soon be launching as a live beta. Thanks to everyone who signed
up! [24]

   [24] http://area51.stackexchange.com/proposals/56447/tor

sajolida reported on the latest Tails “low-hanging fruits session”. The
date and a tentative agenda for the next online contributors meeting have
also been set [25,26].

   [25] https://mailman.boum.org/pipermail/tails-dev/2013-September/003703.html
   [26] https://mailman.boum.org/pipermail/tails-dev/2013-September/003696.html

As GSoC entered its final phase, Kostas Jakeliunas reported on the
searchable metrics archive [27], Johannes Fürmann on EvilGenius [28], and
Cristian-Matei Toader on Tor capabilities [29].

   [27] https://lists.torproject.org/pipermail/tor-dev/2013-September/005483.html
   [28] https://lists.torproject.org/pipermail/tor-dev/2013-September/005484.html
   [29] https://lists.torproject.org/pipermail/tor-dev/2013-September/005490.html

How can we provide Tor users an easy way to verify the signatures on Tor
software? Sherief Alaa raised this question on the tor-dev mailing list
when asking for comments on plans to write a “small” GUI tool [30].

   [30] https://lists.torproject.org/pipermail/tor-dev/2013-September/005491.html

Upcoming events
---------------

Sep 28-29 | Tor mini-hackathon at GNU 30th Anniversary Celebration
          | MIT, Cambridge, Massachusetts
          | https://gnu.org/gnu30/celebration
          |
Sep 29    | Colin at the Winnipeg Cryptoparty
          | Winnipeg, Manitoba, Canada
          | http://wiki.skullspace.ca/index.php/CryptoParty
          |
Sep 29-01 | Tor at OpenITP Circumvention Tech Summit IV
          | Berlin, Germany
          | https://www.openitp.org/openitp/circumvention-tech-summit.html
          |
Sep 30    | Congress on Privacy & Surveillance
          | Lausanne, Switzerland
          | http://ic.epfl.ch/privacy-surveillance


This issue of Tor Weekly News has been assembled by harmony, Lunar,
dope457, Matt Pagan, and Jacob Appelbaum.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [31], write down your
name and subscribe to the team mailing list [32] if you want to
get involved!

   [31] https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
   [32] https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team


