[tor-reports] Griffin's July

Griffin Boyce griffin at cryptolab.net
Mon Aug 4 07:14:28 UTC 2014 

Hello all,

   This is my first report as a Tor contractor.  ^_^  July contained a 
lot of travel [1] and a lot of needful discussions and a lot of dealing 
with legal bureaucracy[2], but despite my best efforts did not include a 
lot of coding.  Thankfully, there will not be another month like this 
until at least next February.

Attended Summer 2014 Tor developers meeting in Paris.
Attended the Tails dev meeting, also in Paris.
Attended HOPE X in New York City.


  .d8888b.  888
d88P  Y88b 888
Y88b.      888
  "Y888b.   888888 .d88b.  888d888 88888b.d88b.  888  888
     "Y88b. 888   d88""88b 888P"   888 "888 "88b 888  888
       "888 888   888  888 888     888  888  888 888  888
Y88b  d88P Y88b. Y88..88P 888     888  888  888 Y88b 888
  "Y8888P"   "Y888 "Y88P"  888     888  888  888  "Y88888
                                                      888
                                                 Y8b d88P
                                                  "Y88P"

   In late June, work on Stormy began in earnest, as the move away from 
being a personal project into being a formal Tor project changed its 
scope a bit.  As part of this, I sought out a very large variety of 
opinions from both the community and those I see as being 
non-technical/semi-technical end-users.  Stormy is designed as a shell 
script to install necessary components for a Tor hidden service that is 
useful for journalists and activists.

   At the Paris meeting, I discussed other options for implementation 
with Lunar, Karsten, and ioerror, which included expanding on Onionshare 
(no) and packing the project for Debian.  Packaging for Ubuntu is 
absolutely possible, and while outside the scope of the contract, I'm 
happy to work to package Stormy later this quarter.  Debian Developers 
working on Tor-related projects have thoughtfully offered to have it 
added once finished.  I'd love to have `apt-get install stormy` as a 
realistic option for users who want to set up a hidden service.

   Seeking additional outside input on Stormy was necessary, but 
ultimately hasn't changed much in terms of development.  I've run 
through initial user tests, which have confirmed that documentation 
needs to be a top priority, as most users won't have someone to pose 
questions to.  Initial issues are related to connecting to an outside 
server (using PuTTY/commandline) -- all users were able to set up a 
Ghost instance and hidden service unassisted. Which is a pretty big win 
as far as I'm concerned.


b.             8 `8.`8888.      ,8'  ,o888888o.
888o.          8  `8.`8888.    ,8'  8888     `88.
Y88888o.       8   `8.`8888.  ,8',8 8888       `8.
.`Y888888o.    8    `8.`8888.,8' 88 8888
8o. `Y888888o. 8     `8.`88888'  88 8888
8`Y8o. `Y88888o8      `8. 8888   88 8888
8   `Y8o. `Y8888       `8 8888   88 8888
8      `Y8o. `Y8        8 8888   `8 8888       .8'
8         `Y8o.`        8 8888      8888     ,88'
8            `Yo        8 8888       `8888888P'


   After travelling to Manhattan for HOPE X, the first thing that 
happened was to play Marco Polo with various people I was slated to meet 
with.  This is always amusing. :D  Visited with Twitter engineers and 
project managers at various points to talk about the expression needs 
for Tor users in oppressive regimes, as well as ways perhaps to make it 
easier to unblock Tor exit nodes.  They were very understanding and easy 
to work with.  The main issue is that they were not entirely sure how to 
keep an up-to-date list of exit nodes included within their whitelist.  
So, when tracking abusive IPs, exit IPs (which each serve millions of 
people) would get included and non-abusive users would get locked out.

   In discussions with James Vasile of OpenITP, we've come to the 
conclusion that working together to (hopefully) tackle what we see as 
key issues in easing access to the Tor network for those most at risk.  
Chief among these is bridge address diversity (and increase of obfs3 
population) and convincing large websites that supporting flashproxy is 
in the public interest (which it is).  To achieve both requires much 
analysis and writing and convincing of third parties.  This is still 
in-progress, but I am *quite* optimistic that both will be successful.

   Am working with hosting companies on possible donations of IP space 
usage for the purposes of increasing bridge address diversity.

   Came to the conclusion that I should write a proposal or proposed 
addendum on BridgeDB improvements, with a particular emphasis on 
geo-rotation and blocking response.

   Sandy from OpenITP and I are working together in the early stages of 
two projects that aim to broaden understanding of and perhaps increase 
diverse representation in the community.  As a result, I may wind up 
working out of the OpenITP office in SoHo at times.  #perk

   Had a great discussion about Onionshare with Micah Lee, and confirmed 
his future development plans for it.  While I don't think it's a match 
for the use cases that Stormy's trying to solve (and vice versa), I <3 
it completely and think that the features he's about to introduce will 
be ~awesome~
        _           _
   ___ | |__   __ _(_)
  / _ \| '_ \ / _` | |
| (_) | | | | (_| | |
  \___/|_| |_|\__,_|_|

   Completed initial research for 'Batou' accessibility+usability 
project. Implementation to be finished late August. This project is 
unfunded, so no one actually cares about when it gets completed (so it's 
likely to move to later).

In addition:

*  Relayed my usability recommendations to Mike Perry and may write a 
draft proposal in support of them.
*  Followed up on non-profit registration for Cupcake Bridge as an 
entity.
*  Am seeking outside help on Cupcake, as deadlines grow short.
*  Tor Browser downloads via Satori have passed ten thousand.
*  Colleagues have convinced me to apply to two research fellowships in 
support of my netfreedom/anti-censorship work.
*  Began discussions about possibly getting institutional support for 
some (or perhaps all) of my research.
*  People are slowly convincing me to move to Holland. But I will 
probably stay in DC.
*  Submitted talks to Arse Elektronika.
*  Met with researchers.
*  Replaced my derpy/huge laptop with a sweet Lenovo sourced from the 
only shop which does enough business in a day to not be able to 
realistically facilitate hardware backdoors. <3  I ~highly~ recommend 
laptop shopping with a renowned security engineer.

   This is not quite everything, but I promised myself I'd stop at a 
thousand words.

best,
Griffin


[1] Four trips across two countries and five states. Two of those with a 
fiften-year-old.
[2] Inheriting a kid leads to a lot of paperwork and costs a small 
fortune, as it turns out.

More information about the tor-reports mailing list