[tor-reports] Griffin’s Summer
Griffin Boyce
griffin at cryptolab.net
Mon Sep 14 21:12:33 UTC 2015
TRAVEL & EVENTS
In June, I moved to Cambridge, MA. Mid-month, I demonstrated Satori and
Cupcake to RFA, OTF, and related organizations. Then I travelled to
Philadelphia for PETS. PETS started off very auspiciously. Attending
academic/research events is still very new to me, but the abundance of
friendly people makes it less scary.
After PETS, I traveled to Champaign, Illinois to give a talk at UIUC
called “When Usability Kills” and eat barbecue with Nikita Borisov. I
can really see myself settling down there. Then I traveled to DC for
the hidden services meeting. At the Hidden Services Meeting, I mostly
hacked quietly and became very impressed with Ricochet. Seriously,
everyone should try it out. Some very interesting outcomes came from
the meeting (the Arlington Accords).
In August, I went to the White House for the LGBTQ Tech Innovation
Summit. The crowd came from fairly diverse backgrounds, but most seemed
to be interested in for-profit ventures. One of the speakers was a
Palantir exec, so instead of talking about censorship in other countries
(ostensibly the reason I was invited), I spent much of my time talking
about the fight against mass surveillance in the US. There are two
amusing data points here: 1) no one clapped when I got off stage (there
were some shocked faces though), and 2) about a dozen people came up to
me to discuss how to fight mass surveillance later in the day. I showed
a few people how TextSecure works, gave info on Tor, and exchanged cards
with people who wanted more info on how to get involved.
While there, I also learned that anyone in the office of the National
Security Council for Intelligence Programs is supposed to leave their
cell phones in an unlocked, unguarded wooden box right outside the
office door. This was the case for many of the offices, but seemed
quite odd -- that seems ripe for over-the-air tampering and likely
doesn’t fully dampen the sound either. It seems like a very empty
security gesture, when there are some ways to easily retain the security
of the devices without allowing them to be activated as remote mics.
After the White House trip, I flew to Berlin for Camp and a long-awaited
vacation. Going to Berlin is always lovely, and it’s always a little
sad to leave. </3
In early September, I began my fellowship at the Berkman Center for
Internet and Society at Harvard University. Nervous and excited! :D
RESEARCH, EXPERIMENTS, AND ART-LIKE SUBSTANCES
My work at the Berkman Center has multiple focal points, including
expanding on Satori and conducting a research project on censorship in a
specific geo-political region. This research data will be contributed to
the Internet Monitor. All of this will require a fair bit of travel
outside the US, but the results will be extremely
{illuminating|rewarding}. Once I have more data, I’ll begin releasing
more data visualizations. While I can’t/shouldn’t say much publicly now,
the hope is to generate the first robust view of censorship in the
region. If successful, the results should be groundbreaking and give
insight into the social and political reasoning behind internet
filters in the region. So, you know, no pressure.
I’m still working a bit on content analysis of redacted documents, and
have been playing around with translating recorded keyboard sounds into
words and typed characters. [About the latter: He Wang is working on
similar research at UIUC -- his project takes a different angle, using
gyroscopes, accelerometers, and biometrics to map to common words. His
project is likely better-formed overall. Mine is closer to
experimentation: it uses a variety of recording distances, analyzes
audio levels, and aims to map individual characters rather than common
words [4]]. Some combination of these (plus the NSA+Grindr research/art
project) will be in my talk proposal for 32c3. I experimented a bit
with using vibration on window frames to thwart laser mics, but initial
tests showed that the vibration was powerful enough to be audible in the
room (and therefore annoying to occupants). Experiments will continue
with much smaller vibration motors (2-5v max).
I’m looking into how many CloudFlare-backed sites exist (~1.5M), and
then visiting all of them via Tor to see what percentage hit
CloudFlare’s captcha. The idea is to get a handle on how many might be
affected by CloudFlare’s glitchy infinite-loop captcha system. If I
then arrange all of the websites by Alexa rank, it’s possible to begin
contacting ops of high-traffic websites to ask them to whitelist Tor
IPs. Because the whitelist option on CloudFlare reportedly only allows
for 200 IPs, that isn’t a full solution. But this may spread awareness
and emphasize that fixing the endless-loop bug should be a larger
priority.
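The survey described above (fetch each CloudFlare-fronted site through Tor, count how many answer with the captcha, then sort the affected ones by Alexa rank so that high-traffic operators can be contacted first) can be reduced to a small classifier plus an aggregation step. This is an added illustration, not Griffin's or Satori's code; the markers it uses to recognise a CloudFlare captcha answer (a 403 carrying a cf-ray header with an "Attention Required!" page title) and the sample results are assumptions, constructed to run offline.

```python
"""Classify fetch results for the CloudFlare-captcha survey and rank the
affected sites by Alexa rank.  Added illustration; the captcha markers
below are assumptions about CloudFlare's 2015 responses, not page facts."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class FetchResult:
    domain: str
    alexa_rank: int          # lower rank = more traffic
    status: int
    headers: Dict[str, str]  # header names lower-cased
    body: str


def is_cloudflare(r: FetchResult) -> bool:
    """Assumed marker: CloudFlare-fronted answers carry a cf-ray header
    and/or a 'cloudflare' Server header."""
    return "cf-ray" in r.headers or r.headers.get("server", "").startswith("cloudflare")


def hit_captcha(r: FetchResult) -> bool:
    """Assumed marker: the captcha page is a 403 titled 'Attention Required!'."""
    return is_cloudflare(r) and r.status == 403 and "Attention Required!" in r.body


def summarize(results: List[FetchResult]) -> Tuple[float, List[Tuple[int, str]]]:
    """Return (% of CloudFlare sites that showed the captcha over Tor,
    affected sites sorted by Alexa rank, best-ranked first)."""
    cf = [r for r in results if is_cloudflare(r)]
    if not cf:
        return 0.0, []
    affected = sorted((r.alexa_rank, r.domain) for r in cf if hit_captcha(r))
    return 100.0 * len(affected) / len(cf), affected


# Constructed sample results, as if fetched via Tor's SOCKS port (9050).
CAPTCHA_BODY = "<title>Attention Required! | CloudFlare</title>"
SAMPLE = [
    FetchResult("big-news.example", 120, 403, {"server": "cloudflare-nginx", "cf-ray": "a1"}, CAPTCHA_BODY),
    FetchResult("shop.example", 9000, 200, {"server": "cloudflare-nginx", "cf-ray": "b2"}, "<title>Shop</title>"),
    FetchResult("blog.example", 45000, 403, {"cf-ray": "c3"}, CAPTCHA_BODY),
    FetchResult("plain.example", 300, 200, {"server": "nginx"}, "<title>Plain</title>"),  # not CloudFlare
]

if __name__ == "__main__":
    pct, affected = summarize(SAMPLE)
    print(f"{pct:.1f}% of CloudFlare-fronted sites hit the captcha via Tor")
    for rank, domain in affected:  # outreach order: highest traffic first
        print(f"  Alexa #{rank:>6}  {domain}")
```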
An art goal for this fall is to get the hang of painting with a palette
knife. Also trying to figure out what size and depth a laser-etching needs
to be to make a paper rubbing transfer effective. Hmm.
SATORI
In July, we reached feature parity between Windows, Android, and Chrome.
We also began work on peer-to-peer integration. The goal here is to
both increase the difficulty in blocking downloads and to facilitate
torrent-based video tutorials later in the year.
In addition, I researched uncensored channels and will begin offering
downloads via Microsoft Azure, which offers a lot in terms of speed and
availability for users in mainland China. These allow me to ensure
availability and high-speed downloads in target areas without incurring
the difficult-to-manage costs of Akamai. Azure is available in China
and Iran; CloudFlare is available also, but it seems to be frequently
blocked by the GFW. Azure in particular is interesting because they are
very fast and downloads are available globally. This makes it an ideal
replacement for Akamai, which has similar properties but is
prohibitively expensive. Amazon has been very good to work with, but is
frequently blocked within China. For users on mainland China, we need
something that is more infeasible for censors to block.
The downloads-per-dollar breakdown is:
Akamai: 17.8 downloads per $1 spent
Azure: 199 downloads per $1 spent (estimate for 1TB used per month)
Cloudflare: ∞ downloads, but not available in China ($20-$200 per
month static fee)
Satori is *still* the safest way to obtain GPG4win, as the official
website doesn’t use SSL (and in fact will give you errors), and does
not provide SHA256 hashes. This should not be
the case. But because of this, organizations have been directing people
to download GPG4win from the Satori app rather than from official
sources. Most notable of these is Access, who made Satori an integral
part of their encryption guide[1]. Access has also taken up the
unenviable task of convincing the makers of security software to take
security seriously, with GPG4win developers saying “I hope we'll get
around doing something in September or October”[2].
In the coming months, I will begin expanding Satori to support easy GPG
signature verification. The trick with that is going to be keeping the
app size small enough for it to be easily distributed.
BUGS
I worked on an annoying bug for nearly a week [3] before another coder
let me know that it was actually the compiler’s fault. >_< This has
actually delayed the official beta release of Satori because it disabled
a critical function.
Tor bugs triaged, patched, or closed: #5895, #10994, #11678, #13090,
#13143, #13282, #15158, #895, #722, #679. (And props to Sukhbir for
fixing #13982, which was slowly driving me insane during trainings).
ALSO
I am seeking a part-time assistant: http://cryptic.be/assistant.html
REFS
[1] https://guides.accessnow.org/pgp/PGP_Encrypted_Email_Windows.html
[2] whyyyyyy ლ(ಠ益ಠლ)
http://lists.wald.intevation.org/pipermail/gpg4win-users-en/2015-July/001233.html
[2b] (◞‸◟;) I get that it’s a volunteer effort but COME ON
[3] http://imgur.com/fwn8A2E
[4] http://www.popsci.com/now-your-smartwatch-even-knows-what-youre-typing
__..--''``---....___ _..._ __
_.-' .-/"; ` ``<._ ``.''_ `.
_.-' _..--.'_ \ `( ) )
(_..-' (< _ ;_..__ ; `'
`-._,_)' ``--...____..-'
(I recently got a cat. She is the best cat.)
--
“Intelligence without ambition is a bird without wings.”
― Salvador Dalí