Tor Weekly News — October 29th, 2014
harmony01 at riseup.net
Wed Oct 29 16:21:59 UTC 2014
Tor Weekly News October 29th, 2014
Welcome to the forty-third issue in 2014 of Tor Weekly News, the weekly
newsletter that covers what’s happening in the Tor community.
Tor 0.2.5.10 is out
The 0.2.5.x branch of the core Tor software hit stable, with the release
of 0.2.5.10. As Nick Mathewson explained , there have been no changes
since last week’s 0.2.5.9-rc release, and the new features will be
familiar to readers of Tor Weekly News over the past year of
development, but highlights include “improved denial-of-service
resistance for relays, new compiler hardening options, and a system-call
sandbox for hardened installations on Linux”, as well as improvements to
transparent proxying, building and testing, pluggable transport
usability, and much more.
This release means that Tor versions in the 0.2.3.x series, which has
“received no patches or attention for some while” and “accumulated many
known flaws” , are now deprecated. Relay operators running these
versions must upgrade as soon as possible, or risk having their relays
rejected from the network in the near future.
Please see Nick’s release announcement for the full changelog, and
download your copy of the 0.2.5.10 source code from the distribution
directory  or a prebuilt package from your usual repositories.
Jacob Appelbaum announced  version 0.1.3 of TorBirdy, a torifying
extension for the Thunderbird email client. Among other things, this
release fixes the recently-reported “wrote:” bug , disables the
automatic downloading of messages from POP3 accounts, and ensures that
draft messages for IMAP accounts are stored on the local system rather
than sent over the network. However, as Jacob wrote, “it’s still
experimental”, so “use at your own risk”. See the release announcement
for a full changelog.
Anthony G. Basile announced  version 20141022 of tor-ramdisk, the
micro Linux distribution whose only purpose is to host a Tor server in
an environment that maximizes security and privacy. This release
addresses the recent POODLE attack  with updates to Tor and OpenSSL,
and also upgrades the Linux kernel.
Yawning Angel called for testing  of the revamped tor-fw-helper, a
tool that automates the port forwarding required (for example) by the
flash proxy  pluggable transport. Please see Yawning’s message for
full testing instructions and other important information: “Questions,
Comments, Feedback appreciated”.
On the Tor blog, Andrew Lewman responded  to the abuse of Tor by
creators of so-called “ransomware”, or malware that tries to restrict
access to users’ files unless a ransom is paid; these extortionists
sometimes ask their victims to install Tor software in order to
communicate with them over a hidden service, leading users to the
mistaken belief that The Tor Project is somehow involved. As Andrew
wrote, this software “is unrelated to The Tor Project. We didn’t produce
it, and we didn’t ask to be included in the criminal infection of any
computer.” Users may find the information provided by the BBC  and
Bleeping Computer  to be helpful in resolving the problem.
Josh Pitts posted an analysis  of apparently malicious behavior by a
Tor relay that was modifying binary files downloaded over Tor circuits
in which it was the exit node. As Roger Dingledine responded ,
“we’ve now set the BadExit flag on this relay, so others won’t
accidentally run across it”.
David Fifield pointed out  “an apparent negative correlation between
obfs3 users and vanilla users” in the Tor Metrics portal’s bridge user
graphs  and wondered what might be causing it.
News from Tor StackExchange
Dodo wants to run several hidden services (HTTP, XMPP, SSH etc.), but
use just one onion address . Jobiwan explained that one can forward
each port to a different service. Further information can be found at
the configuration page for hidden services .
Rodney Hester proxies the DirPort of his relay and saw lots of requests
to nonexistent URLs, of which the most prominent is the URL
/tor/status/all.z , and asks where they are coming from. Do you have
an answer? If so, please share it at Tor’s StackExchange site.
Oct 29 13:30 UTC | little-t tor development meeting
| #tor-dev, irc.oftc.net
Oct 31 17:00 CET | OONI development meeting
| #ooni, irc.oftc.net
Nov 03 - 07 | Roger @ WPES and CCS
| Phoenix, Arizona, USA
Nov 03 18:00 UTC | Tor Browser online meeting
| #tor-dev, irc.oftc.net
Nov 03 19:00 UTC | Tails contributors meeting
| #tails-dev (irc.indymedia.org/h7gf2ha3hefoj5ls.onion)
Nov 04 17:00 UTC | little-t tor patch workshop
| #tor-dev, irc.oftc.net
This issue of Tor Weekly News has been assembled by Lunar, qbi, Roger
Dingledine, and Harmony.
Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page , write down your
name and subscribe to the team mailing list  if you want to
More information about the tor-news