[tor-reports] Griffin's March and February

Griffin Boyce griffin at cryptolab.net
Wed Apr 1 21:56:54 UTC 2015

    __     _
   / _|   | |
  | |_ ___| |__  _ __ _   _  __ _ _ __ _   _
  |  _/ _ \ '_ \| '__| | | |/ _` | '__| | | |
  | ||  __/ |_) | |  | |_| | (_| | |  | |_| |
  |_| \___|_.__/|_|   \__,_|\__,_|_|   \__, |
                                        __/ |
   In February, I spent a good deal of time on personal matters, but also 
took time to present on Guard Exhaustion (adversarial forced guard node 
rotation) at the DC Area Privacy and Security Seminar (DCAPS).  The 
response was very positive and the slides are available online [3].  
Future work in this area will focus on how to present this information 
(signs that an adversary may be trying to induce them to use a faulty 
guard node) in a way that is meaningful to users.  I also continued 
working on a content analysis project that had promising initial 

SATORI (February)

   For February, I focused on building a solid base for Satori's future 
development.  This includes setting up work agreements with Jonah 
Sheridan and beginning the design process.  Jonah and I planned out 
development for Satori for the coming months, as well as outlining what 
we see as the needs of users.  To that end, we've been working on design 
for documentation to include and what information users need to know to 
boost the learning process.  We also wireframed the new desktop 
application prototype and I have been using those as the basis for the 
new apps' flow.  The whiteboards used during these discussions are 
available in the github repository[1,2], along with the wireframes 

   At the end of February, the desktop and mobile versions were nearing 
the prototype phase, and my hope is that Satori for Android will be in 
beta by the end of this week.  Automation of application update 
notifications was completed, with additional automation work slated for 

Relevant commits for February:

STORMY (February)

   Stormy's development was delayed while awaiting contract renewal.  
Once signed, I began working with someone to create a GUI for Stormy to 
make setting up hidden services even easier.

TAILS (February)

   Began working with Kim on the full documentation rewrite.  Reached out 
to individual translators and got the ball rolling with them.  The 
documentation is currently around 30 pages, which is rather a lot to 
translate into 15 languages.

[3] https://github.com/saint/dcaps-winter2015

,---.    ,---.   ____    .-------.        _______   .---.  .---.
|    \  /    | .'  __ `. |  _ _   \      /   __  \  |   |  |_ _|
|  ,  \/  ,  |/   '  \  \| ( ' )  |     | ,_/  \__) |   |  ( ' )
|  |\_   /|  ||___|  /  ||(_ o _) /   ,-./  )       |   '-(_{;}_)
|  _( )_/ |  |   _.-`   || (_,_).' __ \  '_ '`)     |      (_,_)
| (_ o _) |  |.'   _    ||  |\ \  |  | > (_)  )  __ | _ _--.   |
|  (_,_)  |  ||  _( )_  ||  | \ `'   /(  .  .-'_/  )|( ' ) |   |
|  |      |  |\ (_ o _) /|  |  \    /  `-'`-'     / (_{;}_)|   |
'--'      '--' '.(_,_).' ''-'   `'-'     `._____.'  '(_,_) '---'

   In March, a paper on I co-authored with Paul Syverson was accepted to 
the Web 2.0 Privacy and Security workshop.


   I began the month by travelling to Valencia, Spain for the 
Circumvention Tech Festival.  While there, I:

- discussed ongoing Stormy work with Karsten and Isabela
- presented a talk for end-users on expanding their knowledge of 
security apps
- presented a demo of Satori and Cupcake
- discussed design choices and user needs in Stormy and Satori with 
trainers who have extensive experience
- showed off some early research on automated content analysis of 
redacted documents, which I hope to present later in the year


   Satori for desktop now recognizes 1793 pieces of software.  I am also 
reaching out to trainers to find out what other software they think the 
app should be recognizing.  Currently, it only recognizes 
somewhat-recent versions of Tor Browser and Tails.  I expect to expand 
this in April to cover the most common circumvention software and all of 
the applications that Satori redistributes.

   Alpha for Android and Windows is now complete and in user testing. 
Focus for now is to implement mobile design changes in response to 
trainer feedback.  Next I will aim for feature parity between Chrome, 
Desktop, and Android to improve usability and reduce user confusion.  
Currently the Chrome version doesn't recognize software by sha256sum.  
Peer-to-peer downloads are also likely to be available in Chrome before 
Android or Windows as it's surprisingly straightforward in javascript.

   The alpha application represents a basic demo and contains the core 
functionality (downloads, software verification, and sha256sum 
generation).  Presented to trainers in the community to get feedback.  
The Guides section is hidden as they need to be written.

Thoughts on future Satori features:
   I've designed new features (such as easy-to-use GPG signature 
verification) that would require more time, more people, and more 
funding.  As such, I'm currently looking at my options for additional 
funding[5] and cooperative agreements that would help make it happen.  
For Windows, adding GPG functionality would also increase the size by at 
least 4mb as I'd have to bundle in GPG4win.  Creating a new GPG 
implementation is... not likely, to say the least.  That way lies 
dragons.  For Linux, adding these functions would be more 
straightforward, but still require more time/people/funding.  I expect 
to come to a conclusion in April.

   Relevant github commits:


   The GUI is in alpha and available on github for developer testing 
*only* [4].  Please do not use it.  Personal cloud feature (Cozy) still 
needs to be coded.


   Kim did an initial edit of Tails documentation, and I am in the 
process of making additional updates and changes.  Activists offered use 
of their guides written in Arabic, much to my delight.  Negotiations 
with other activists and translators are ongoing.  The new Tails 
documentation is likely to be translated into Farsi, Chinese, German, 
and Dutch by late April.  Currently investigating the use of Sikuli to 
create automated screenshots of the Tor Browser in 15 languages.

   Work on the Chrome ISO verifier is paused, awaiting the design of the 
Firefox version.  This code comes from the Satori codebase, but with a 
different design and without downloads/bridges/guides/P2P.

[4] https://github.com/glamrock/Stormy
[5] Currently, work on Satori is being generously sponsored by the Open 
Technology Fund.

“Sometimes the questions are complicated and the answers are simple.”
― Dr. Seuss
