[tor-reports] Griffin's April

Griffin Boyce griffin at cryptolab.net
Mon May 4 00:18:57 UTC 2015 

       >>                             >=>
      >>=>                        >>  >=>
     >> >=>     >=> >=>  >> >==>      >=>
    >=>  >=>    >>   >=>  >=>    >=>  >=>
   >=====>>=>   >>   >=>  >=>    >=>  >=>
  >=>      >=>  >=> >=>   >=>    >=>  >=>
> =>        >=> >=>      >==>    >=> >==>
                >=>

TRAVEL

I participated in a workshop at the beginning of the month in DC.  I 
also taught
various people about Tor and GPG and Satori throughout the month, though 
these
were usually one-on-one or one-on-five situations rather than events.

I'm strongly leaning towards restricting my travel for the next year.


CODE

Security audits & code review: I’ve enlisted outside help for security 
audits,
static code analysis, and code review.  To that end, I’m working with 
Cure53 for
a full audit of Cupcake and Flashproxy (which is within scope because 
Cupcake’s
code effectively acts as a wrapper for flashproxy).  This will take 
place the
first week of May.

Satori for Chrome, Windows desktop, and Android will be submitted for 
audits
later in May. Stormy’s GUI code will be audited later in May, with 
scripts
undergoing review likely in early June.

Began working with a press consultant/coordinator for Satori.  Given how
difficult it is to juggle time-sensitive press activities with other 
important
tasks, and considering my great reluctance to give interviews, I expect 
that
this will be a major win.

I realized that certain environmental factors can cause Tails to fail 
open --
which could de-anonymize some users if they are actively in the process 
of
downloading something large.  An attacker who suspects that an IP 
address may be
using Tails to access the Tor network should be able to induce these 
conditions
very easily.  More experiments are needed in this area.

May (so far): In the process of hiring Kim Burton part-time to assist 
with
writing and documentation.  She is awesome.

Discussion is ongoing as to whether to rebrand Cupcake Bridge (the 
project that
houses Cupcake and Satori) as Freya Labs.  Freya is a viking warrior 
goddess who
drives a chariot led by two enormous cats, so there's a lot to like 
about that.


RESEARCH

The W2SP “Genuine Onion” paper is now public [1][2].  Paul was great to 
write
with =)

I am writing a paper on guard exhaustion[3].

As mentioned previously, I’ve been working on automated content analysis 
of
redacted documents.  I wrote a paper/talk proposal for HotPETS, but it 
was not
selected.  However, I am continuing to work on it as it is very 
fascinating to
me (and literally no one else).

This represents a major advancement over David Neccache and Claire 
Whelan’s
initial analysis (Eurocrypt 2004), and also a dramatic step forward from
Lopresti and Spitz’s 2005 analysis of older-style redactions [4].

The conclusion was that in instances where the occlusion contained only 
one
word, content was accurately guessed 100% of the time within a few 
seconds in
the lab.  As my work covers a lot of new ground in this area, I will 
likely
write a longer paper to present my findings.  This would seem to be the 
largest
analysis of this type, and the first one targeting full documents in an
automated fashion.

Typographic considerations in document security is not a common research 
topic,
so finding a good fit is proving tricky.  The findings will at least be 
in a
blog post at some point.  The code created as part of this research 
project will
be released with a restrictive license in the near future.


PERSONAL:

- I am moving to Cambridge, MA in June and am very excited =)  So 
everyone asking
me when I’m moving to Berlin, the answer is Never.

- I’ve been working on art more lately, producing many terrible cubist 
doodles and
presumably equally terrible sculpture ideas.  I find working with 
pastels in
particular to be very relaxing.  Later this summer I begin working in 
earnest on
a fairly sizeable sculpture, with an eye towards completing it by March 
2017.

- I’m weighing my options for different graduate school programs in 
computer
science and psychology.

- Apologies to anyone affected by email latency.

[1] NRL’s page on Genuine Onion: 
http://www.nrl.navy.mil/itd/chacs/syverson-genuine-onion-simple-fast-flexible-and-cheap-website-authentication
[2] The github repo where we wrote it: 
https://github.com/saint/w2sp-2015
[3] Explanation of guard exhaustion: 
https://github.com/saint/dcaps-winter2015
[4] http://www.cse.lehigh.edu/~lopresti/Publications/2005/spie05a.pdf


~Griffin


-- 
“Sometimes the questions are complicated and the answers are simple.”
― Dr. Seuss

More information about the tor-reports mailing list