[tor-reports] Griffin's May

Griffin Boyce griffin at cryptolab.net
Mon Jun 1 16:03:53 UTC 2015

                . '@(@@@@@@@)@. (@@) `  .   '
      .  @@'((@@@@@@@@@@@)@@@@@)@@@@@@@)@
      @@(@@@@@@@@@@))@@@@@@@@@@@@@@@@)@@` .
   @.((@@@@@@@)(@@@@@@@@@@@@@@))@\@@@@@@@@@)@@@  .
(@@@@@@@@)@@@@@@@@@@@@@(@@@@@@@@//@@@@@@@@@) `
  .@(@@@@)##&&&&&(@@@@@@@@)::_=(@\\@@@@)@@ .   .'
    `   @@(@###&&&&!!;;;;;::-=_=@.@\\@@     '
       `  @.#####&&&!!;;;::=-_= .@  \\
             ####&&&!!;;::=_-        `
             ##&&!:-      `..      `..
            #&!;:-       `. `..   `...
           #&!;=         `.. `.. ` `..   `..    `..   `..
           #&!-          `..  `..  `.. `..  `..  `.. `..
            #&=          `..   `.  `..`..   `..    `...
    jgs      #&-         `..       `..`..   `..     `..
             \\#/'       `..       `..  `.. `...   `..
              `/                                  `..


Stormy has surpassed expectations in user testing, so it's nearly time 
to release it [5].  I've been refining the Jabber and IRC onion service 
setup flow this weekend in preparation for its security audit.  Until it 
passes an audit, I'm only willing to list it as for use by developers.  
However, of course, the goal of the project is to make it easy for 
journalists and writers and individuals to set up a secure onion service 
without having to de-anonymize themselves by hiring a developer.


Cure53 has conducted a full audit of Cupcake and Flashproxy.  The report 
is here [1][2].  Special thanks to David Fifield for being very 
responsive during the audit and the Open Tech Fund for funding and 
coordinating the audit.  The results were extremely positive, 
particularly in light of the large number of Cupcake wrappers for 
Flashproxy [2].  There were no real issues found, and auditors commented 
on the excellent code quality.  So that was surprising.

Once the initial results of the audit were received, I submitted Cupcake 
for Firefox to the Mozilla add-ons site [3].  Review can take a while 

Timelining ongoing work on Satori's guides, in-progress features, 
tentative future plans, and trying to coordinate work across the 
project.  The design of Satori tends towards light and airy, but most of 
the feedback I receive is to make it high contrast with a dark scheme.  
I'm not sure how to reconcile these conflicting design notions, so 
instead I'm just keeping it light.  The flow so far seems to work well.

Relatedly, conducted further testing of GlitterBot to notify me of 
software updates.  The goal is to partially automate the process of 
verifying signatures and updating the software that I re-distribute.  
This would improve update response time.  I would still need to 
independently ensure that files and signatures match (which is naturally 
already part of my workflow).

I've been sitting on some code for a standalone Tails ISO Verifier for 
Chrome for a while now and may release it in late June.  Though I might 
experiment more with GPG signature verification first [6].


Wrote a paper on guard exhaustion attacks and mitigations and submitted 

Had a long discussion with a patent attorney on defensive patents and 
open-source code as prior art.  It was very illuminating; she gave great 

Came up with an interesting way to (possibly) slow the Tor network via 
onion services while in the shower. Looking at how to use Shadow to 
simulate such an attack on a pretend network.


Visited New York to discuss issues around sexism, racism, and 
discrimination in open source software development with a diverse set of 
trainers and organizers.

Travelled to San Jose, CA for IEEE:W2SP, where Paul Syverson presented 
our paper on onion services & web authentication. That was fun =)


- Submitting an art proposal for the first time ever. Moderately 
- Section 215 of the Patriot Act expired and I bought a bottle of my 
favorite persecco to celebrate. It was very fitting for my last night in 
- I should take a vacation.


[1] http://github.com/glamrock/cupcake/security/audit1.pdf
[2] http://github.com/glamrock/cupcake
[3] https://addons.mozilla.org/en-us/firefox/addon/cupcakebridge/
[4] In all likelihood, Mozilla's review will take longer than the real 
audit did.
[5] https://github.com/glamrock/stormy
[6] If anyone asks, I said nothing about javascript crypto functions.


More information about the tor-reports mailing list