[tor-reports] Trip report from Libre Software Meeting 2014 in Montpellier, France [PROPER]
Lunar
lunar at torproject.org
Wed Jul 16 21:29:44 UTC 2014
[ Please ignore the other email. It missed language ]
[ fixes and the list of recurring questions. ]
Hi!
Right at the close of the 2014 summer dev. meeting [1], I jumped onto a
train in the direction of Montpellier to attend the 15th Libre Software
Meeting [2]. The Libre Software Meeting is the biggest free software
event for the French community.
[1]: https://trac.torproject.org/projects/tor/wiki/org/meetings/2014SummerDevMeeting
[2]: https://2014.rmll.info/?lang=en
The Tor / Nos Oignons booth
---------------------------
Like last year [3], it started with two days of tents and booths [4]
really close to the central Place de la Comédie. More than 60 different
projects and organizations were represented [5].
Most of the tents [6] stayed up for the two days, despite the strong
wind. No rain until Sunday evening where we quickly packed at the first
drops. Saturday was well attended [7] and there was hardly two minutes
without someone asking questions [8]. Sunday got slightly less
visitors [9] but it was still very successful.
[3]: https://lists.torproject.org/pipermail/tor-reports/2013-July/000292.html
[4]: https://2014.rmll.info/Lieux?lang=en
[5]: https://2014.rmll.info/Participants?lang=en
[6]: https://twitter.com/Bookynette/status/485667519655849984/photo/1
[7]: https://twitter.com/rmll2014/status/485440941021745152/photo/1
[8]: http://photo.rmll.info/index.php/2014/Montpellier-Esplanade-Charles-de-Gaulle-J1/SDC10140
There’s 5 people in front of the booth in that picture.
[9]: https://twitter.com/ackrst/status/485719865148571648/photo/1
We had a joint booth [10] for Tor and Nos Oignons [11]. I had printed a
A1-sized green on black poster with the “root design” logo that was hung
on the outside of the tent. We also had a smaller sign with the Nos
Oignons logo hanging on the other side.
On the table, we had flyers about Nos Oignons [12] (but we quickly ran
out of French ones), stickers (but not enough Tor ones), and A2
posters [13].
There was also a A1 version of the poster on the table [14]. Together
with the flyer, they offered great visual support to explain what Tor
was and what it did. Most often I would start my explanations with what
Tor protected and move on to relays and onion crypto only if the person
was curious for more details. Even if it was quite overwhelming for
people passing by, the EFF visual helped to make clear out what was
protected and what was not [15].
[10]: http://photo.rmll.info/index.php/2014/Montpellier-Esplanade-Charles-de-Gaulle-J2/SDC10171
[11]: https://nos-oignons.net/%C3%80_propos/index.en.html
[12]: https://nos-oignons.net/Diffusez/nos-oignons-flyer-grand-public-201306-en.pdf
[13]: http://photo.rmll.info/index.php/2014/Montpellier-Esplanade-Charles-de-Gaulle-J2/SDC10169
[14]: https://nos-oignons.net/Actualit%C3%A9s/20140623_rapports_affiches_et_conferences/600x-affiches-tor-et-https-03.jpg
[15]: http://photo.rmll.info/index.php/2014/Montpellier-Esplanade-Charles-de-Gaulle-J2/SDC10170
From Monday to Friday, talks were happening at one of Montpellier's
universities, and booths were set up inside a big tent [16] in front of
it. We quickly put up the posters up again [17] and started answering
questions [18]. There, most vistors already knew about free software or
Tor. Discussions were often more technical.
[16]: https://twitter.com/guerdal82/status/486763651442180096/photo/1
[17]: http://photo.rmll.info/index.php/2014/Montpellier-Esplanade-Charles-de-Gaulle-J5/SDC10266
[18]: http://photo.rmll.info/index.php/2014/Montpellier-Esplanade-Charles-de-Gaulle-J6/SDC10353-951885625
It was great to be with other Nos Oignons’ volunteers: nicoo, aeris, Lu,
opi, mathieui, and syl. There was always someone to hold the booth and
it didn’t feel like a burden to be there. nicoo cooked us great vegan
onion pies [19] every other day. We really made progress in how we
explained things during the week.
Around 170 posters were given out in a single week. Nos Oignons made
around 600€ in donations.
[19]: http://www.fdn.fr/~fsirjean/nos-oignons/DSCN6916.JPG
Recurring questions included:
* Does Tor work in China?
* What's the difference between Tor and Peer To Peer?
* What's the difference between Tor and a VPN?
* Does Tor remove ads?
* Every Tor users are under surveillance by the NSA, is that bad?
* How do I user Tor with other applications?
* Is it dangerous to use Tor with a Wi-Fi network that you do
not trust?
* Tor is slow, right?
* Are my messages protected when I use Tor?
* How can I trust Tor when the NSA operates 2/3rd of the relays?
* How is Tor funded?
* What is Tor legal framework?
* What is the difference between Tor and Freenet?
* What is the difference between Tor and other anonymization networks?
* Can I get around the filters set up by university housing with Tor?
* Why should I use the Tor Browser when I can use Firefox and
extensions?
* If I use Tor, will I get infected by malware more easily?
* Is it dangerous to run an exit node?
* When I use the Tor Browser, I'm relaying connections from other
users, right?
* Can I become an exit node without knowing it?
* How can an attacker fingerprint my browser?
* What are hidden services?
* What is Tor doing about cookies?
* But the Silkroad guy got arrested, right?
* What does Tor bring me?
* How do I use Tor?
Many long time free software users have experience with Tor that is 3-4
years old. They still have in mind that Tor is slow and that it’s
complicated to setup. Thankfully, by the end of the week, several of
them took another look and had positive feedback (except for the website
not being translated).
One French operator explained that he had been raided and summoned by
the police several times (but without follow-ups). They now reject every
IP addresses known to be in France on their exit.
What we might have missed at the booth: more hardware to demonstrate the
Tor Browser and Tails (but then the network was not always available).
Interviews and talk
-------------------
In June, I was asked a couple questions by the security track organizers
who had invited me to give a talk about Tor. The interview [20] was
relayed a little bit on Twitter and other forums.
[20]: https://2014.rmll.info/+Interview-de-Lunar-Defis-passes-et+?lang=en
People from Radio Campus Montpellier had set up a radio for the
event [21]. We did a 25 minutes interview [22]. Thanks to Marie-Odile,
there’s even a transcript (in French) [23].
[21]: http://www.radiocampus.be/wp-content/uploads/2014/07/20140709_160956-1024x576.jpg
[22]: http://radio2014.rmll.info/e/2014/ep/reseau-tor
[23]: https://wiki.april.org/w/R%C3%A9seau_Tor_-_Interview_de_Lunar_-_Radio_RMLL_2014
With the dev. meeting right behind, and all that happening, I did not
had enough time to prepare a formal talk for Tuesday [24]. So instead
of doing slides, I collected many references on various past and present
Tor challenges, put them on an Etherpad [25], did a quick 5 minutes
introduction, and opened for Q&A. The talk was in French, as there is
already a good amount of material in English, and nothing I was about to
say is not already written elsewhere. This was a good opportunity to
have a conversation [26] with the French free software community.
It lasted for 40 minutes. The questions were: does Tor needs
organizations like Nos Oignons? Do you advise against running a relay at
home? What about this upcoming BlackHat talk which claims that you can
deanonymize users for cheap? Can you explain how people have been able
to make a list of hidden services? What do you think of distributions
like Tails or Liberté Linux? How about Tor on Android? What should I do
to use another browser instead of the Tor Browser [27]? Mozilla does
security releases of Firefox very often, how long do I stay vulnerable
with the Tor Browser? Would it be possible to detect, at entry nodes,
that the browser used is too bad? Why did you told me that using Tor and
a VPN was a bad idea? What do I need to run exit nodes? In the Tor
project, if someone wants to contribute, who decides, who reviews? Is
there a formal process to become a member of the Tor Project? What can I
do with my existing server to help you without getting harmed in the
process? Is it interesting to create other organizations like Nos
Oignons?
The talk has been recorded on video [28]. The room was full [29]
(90 attendees for 80 seats) despite the presentation being held
concurrently with Richard Stallman’s talk [30]. I had good feedback both
from the audience and from the security track organizers.
[24]: https://2014.rmll.info/conference311?lang=en
[25]: https://pad.riseup.net/p/lsm2014-tor/50/export/txt
[26]: http://blog.rootshell.be/wp-content/uploads/2014/07/IMG_4014.jpg
[27]: https://twitter.com/xme/status/486507392944066560
[28]: http://videos-cdn.rmll.info/videos2014/ubicast/31-sc002-defis-passes-et-futurs-pour-tor_e7bf/
[29]: https://twitter.com/phil_alex/status/486500898500521984/photo/1
[30]: https://twitter.com/xme/status/486500822801719297
I had an extra question from a system administrator right after the talk
who asked me how they should handle traffic from Tor from a network
point of view. They looked worried mostly about DoS attacks, so I
suggested looking at adaptive rate limiting of all Tor exit nodes.
Virginie Galindo [31] and Xavier Mertens [32] blogged about the talk
and others from the security track.
[31]: http://poulpita.com/2014/07/16/rmll2014-free-software-all-in-one-place/
[32]: http://blog.rootshell.be/2014/07/09/rmll-2014-security-track-wrap-up/
Contacts
--------
A supporter of Emmabuntüs [33] wanted me to discuss how to include the
Tor Browser directly in the distribution. I did not pursue this as I was
already tired and I believe this would again be blocked by #3994 [34]
which I have mostly given up for now.
[33]: http://www.emmabuntus.org/
[34]: https://bugs.torproject.org/3994
I went to the Fedora booth [35] to ask if they know about any progress
on getting reproducible builds since last year's blog post [36] but they
were not aware of anyone working on this in the project.
[35]: http://fedora-fr.org/
[36]: http://securityblog.redhat.com/2013/09/18/reproducible-builds-for-fedora/
Liberté 0 [37] is an awesome group of people working on accessibility
in free software. I believe we could ask them to have a try at the Tor
Browser and the future Tor Messenger to get feedback on how usable our
tools are for people using screen readers, for example.
[37]: http://wiki.liberte0.org/
We discussed support for XMPP servers behind Tor hidden services with
developers of Salut à Toi [38] — a versatile XMPP client that does chat,
microblogging, file sharing and many other things. We agreed that Tor
hidden services were a nice way to simplify self-hosting. But they were
cautious and wanted to review what kind of sensitive data they could
leak before hooking the software with Tor. Great!
[38]: http://www.salut-a-toi.org/
“YunoHost is a server operating system aiming to make self-hosting
accessible to everyone.” [39] We discussed integrating the configuration
of Tor hidden services into their interface. Maybe they will need
#1922 [40] resolved before that can be done nicely. Once again, I
stressed that Tor can make the “how to configure my router” step
optional. We also discussed how feasible it would be to enable YunoHost
to securely host hidden services (remove as much fingerprinting as
possible through network isolation, filesystem isolation, clock on UTC,
etc.). It looked doable but non-trivial. One developper is also involved
in Nos Oignons, so in any cases, it helps communication. :)
[39]: https://yunohost.org/
[40]: https://bugs.torproject.org/1922
I had interesting discussions with the people from the “Serveur Libre”
project [41], which is a local hosting provider, self-managed in a
horizontal manner, with strong focus on protecting users’ privacy as
much as possible. Unencrypted emails are rejected at the SMTP
level [42], using Tor is mandatory to access some services [43], and
root access is only available through a collective process [44] — using
PAM for meetings changes and a submission/validation system for
day-to-day operations. The crazy part is that they have a running
TorBEL instance [45]. I was surprised that the code was working for
them. They are chasing a bad memory leak, though.
[41]: https://wiki.serveurlibre.net/
[42]: https://hg.serveurlibre.net/sldev/file/71011e5b086b/cryptomailfilter/README
[43]: https://wiki.serveurlibre.net/D%c3%a9veloppement/DropNoTor
[44]: https://wiki.serveurlibre.net/D%c3%a9veloppement/CollectiveSysadmin
[45]: https://hg.serveurlibre.net/sldev/file/71011e5b086b/torbel/install.sh
I also had quick discussions with several free software and Linux user
groups on organizing talks about Tor. We’ll see about follow-ups in the
next months. In my mind, this would be less about presenting Tor to
people than giving material on how to talk about Tor to the rest of the
world.
Miscellanea
-----------
The main conference organizers did quite wrong in letting some people
set up hidden video cameras [46] in several places to create
“timelapse” movies. After being called out on this, they agreed it was a
bad idea. The video material has been erased. Hopefully before someone
else got hold of it.
[46]: https://ldn-fai.net/rmll-2014-surveillance-video-de-la-foule-a-linsu-des-visiteurs/
I would like to thank volunteers from APRIL [47], who have been awesome
booth neighbors, sharing tips, pens, tape, smiles, and sheltering our
stuff in their car when it needed to be moved.
[47]: http://www.april.org/
(Many thanks to Sebastian for proof-reading this long report.)
--
Lunar <lunar at torproject.org>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-reports/attachments/20140716/4bfe67a4/attachment-0001.sig>
More information about the tor-reports
mailing list