[tor-talk] Tor Weekly News — July 23rd, 2014

Lunar lunar at torproject.org
Wed Jul 23 13:23:12 UTC 2014

Tor Weekly News                                          July 23rd, 2014

Welcome to the twenty-ninth issue of Tor Weekly News in 2014, the
weekly newsletter that covers what is happening in the Tor community.

Tails 1.1 is out!

Tails, the Debian-based live system that protects its users’
communications by ensuring they are all sent through the Tor network,
has been updated. This new 1.1 release [1] reminds Tails users of the
distribution’s roots in Debian [2]: Tails is now based on the current
stable version of Debian, dubbed “Wheezy”.

This means that almost all software components have been updated. One
noticeable example is the desktop environment. The user experience of
the GNOME 3 in fallback mode should be similar to previous Tails
versions, but things will look a bit differently than they used to.

One of the most keenly-awaited features of this new version is the
support for UEFI firmware. Mac users now have only to press the Alt
key [3] while booting their computer to start Tails from a DVD or USB
stick. The same goes for owners of computers displaying “Windows 8”
stickers. And, talking of Windows 8, the camouflage mode [4] has been
updated to look more like it, instead of the now discontinued XP.

This new release also contains security fixes [5], and minor tweaks over
the previous versions.

Because of the newly-introduced support for UEFI and the amount of
upgraded software, incremental upgrades will not be offered for
Tails 1.1. A full upgrade is needed through the Tails Installer. The
safest method for upgrading Tails sticks is to go through a freshly
burned DVD. Be sure to have a look at the list of known issues [6] to
learn about other oddities that might happen in the process.

   [1]: https://tails.boum.org/news/version_1.1/
   [2]: https://tails.boum.org/contribute/relationship_with_upstream/
   [3]: https://tails.boum.org/doc/first_steps/start_tails/#usb-mac
   [4]: https://tails.boum.org/doc/first_steps/startup_options/windows_camouflage/
   [5]: https://tails.boum.org/security/Numerous_security_holes_in_1.0.1
   [6]: https://tails.boum.org/news/version_1.1/#index2h1

PETS 2014

The fourteenth Privacy Enhancing Technologies Symposium was held in
Amsterdam, Netherlands, July 16-18, 2014. A wide range of research in
privacy enhancing technologies was presented, with many of relevance to
Tor. Keynotes were given by Martin Ortlieb, Senior User Experience
Researcher in Privacy at Google, and William Binney, a former NSA

Some papers focusing on Tor include:

- “Spoiled Onions: Exposing Malicious Tor Exit Relays” by Philipp
  Winter, Richard Köwer, Martin Mulazzani, Markus Huber, Sebastian
  Schrittwieser, Stefan Lindskog, and Edgar Weippl [7]
- “One Fast Guard for Life (or 9 months)” by Roger Dingledine, Nicholas
  Hopper, George Kadianakis, and Nick Mathewson [8]
- “From Onions to Shallots: Rewarding Tor Relays with TEARS” by Rob
  Jansen, Andrew Miller, Paul Syverson, and Bryan Ford [9]
- “A TorPath to TorCoin: Proof-of-Bandwidth Altcoins for Compensating
  Relays” by Mainak Ghosh, Miles Richardson, Bryan Ford, and Rob
  Jansen [10]
- “Measuring the Leakage of Onion at the Root, A measurement of Tor’s
  .onion pseudo-top-level domain in the global domain name system” by
  Matthew Thomas and Aziz Mohaisen [11]

Also announced at PETS was the 2014 PET Award for Outstanding Research
in Privacy Enhancing Technologies, for “A Scanner Darkly: Protecting
User Privacy From Perceptual Applications” by Suman Jana, Arvind
Narayanan†, and Vitaly Shmatikov [12]. The winner of the best student
paper at PETS was “I Know Why You Went to the Clinic: Risks and
Realization of HTTPS Traffic Analysis” by Brad Miller, Ling Huang, A. D.
Joseph and J. D. Tygar [13].

Prior to PETS, there was a Tor meet-up which Moritz Bartl reported as a
great success [14]. Hopefully there will also be such an event at the
2015 PETS, to be held in Philadelphia, US, in the week of June 29, 2015.

   [7]: https://petsymposium.org/2014/papers/Winter.pdf
   [8]: https://petsymposium.org/2014/papers/Dingledine.pdf
   [9]: https://petsymposium.org/2014/papers/Jansen.pdf
  [10]: https://petsymposium.org/2014/papers/Ghosh.pdf
  [11]: https://petsymposium.org/2014/papers/Thomas.pdf
  [12]: https://freedom-to-tinker.com/blog/shmat/a-scanner-darkly-protecting-user-privacy-from-perceptual-applications/
  [13]: https://petsymposium.org/2014/papers/Miller.pdf
  [14]: https://lists.torproject.org/pipermail/tor-talk/2014-July/033936.html

Miscellaneous news

txtorcon [15], the Tor control protocol implementation for the Twisted
framework [16], received a new minor release [17]. Version 0.10.1 fixes
“a couple bugs introduced along with the endpoints feature in 0.10.0”.

  [15]: https://pypi.python.org/pypi/txtorcon
  [16]: https://twistedmatrix.com/
  [17]: https://lists.torproject.org/pipermail/tor-dev/2014-July/007166.html

Roger Dingledine posted [18] an official reaction to the cancellation of
a proposed talk at the upcoming Blackhat2014 conference dealing with
possible deanonymization attacks on Tor users and hidden services.

  [18]: https://blog.torproject.org/blog/recent-black-hat-2014-talk-cancellation

Tor ships with a sample webpage [19] that can be used by exit node
operators to identify their system as such to anyone wishing to identify
the source of Tor traffic. Operators most often copy and adapt this
template to the local situation. Mick Morgan discovered than his version
was out of sync [20] and contained broken links. “If other operators are
similarly using a page based on the old template, they may wish to
update”, Mick advised.

  [19]: https://gitweb.torproject.org/tor.git/blob_plain/HEAD:/contrib/operator-tools/tor-exit-notice.html
  [20]: https://lists.torproject.org/pipermail/tor-relays/2014-July/004982.html

Michael Rogers, one of the developers of Briar [21], announced [22] a
new mailing list [23] for discussing peer-to-peer-based communication
systems based on Tor hidden services. As Briar and other systems might
be “running into similar issues”, a shared place to discuss them seemed

  [21]: https://briarproject.org/
  [22]: https://lists.torproject.org/pipermail/tor-dev/2014-July/007161.html
  [23]: https://fulpool.org/cgi-bin/mailman/listinfo/hidden-services

Karsten Loesing and Philipp Winter are looking for front-end web
developers [24]: “We are looking for somebody to fork and extend one of
the two main Tor network status websites Atlas [25] or Globe [26]”
writes Karsten. Both websites currently need love and new maintainers.
Please reach out if you want to help!

  [24]: https://blog.torproject.org/blog/looking-front-end-web-developers-network-status-websites-atlas-and-globe
  [25]: https://atlas.torproject.org/
  [26]: https://globe.torproject.org/

The database which holds Tor bridges, usually called BridgeDB [27], is
able to give out bridge addresses through email. This feature was
recently extended to make the email autoresponder support more bridge
types, which required introducing new keywords that must be used in the
initial request. Matthew Finkel is looking for feedback [28] on the
current set of commands and how they could be improved.

  [27]: https://gitweb.torproject.org/bridgedb.git
  [28]: https://lists.torproject.org/pipermail/tor-dev/2014-July/007164.html

Lunar wrote a detailed report [29] on his week at the Libre Software
Meeting in Montpellier, France. The report covers the booth jointly held
with Nos Oignons [30], his talk in the security track, and several
contacts made with other free software projects.

  [29]: https://lists.torproject.org/pipermail/tor-reports/2014-July/000593.html
  [30]: https://nos-oignons.net/

Here’s another round of reports from Google Summer of Code students: the
mid-term: Amogh Pradeep on Orbot and Orfox improvements [31], Israel
Leiva on the GetTor revamp [32], Quinn Jarrell on the pluggable
transport combiner [33], Juha Nurmi on the ahmia.fi project [34], Marc
Juarez on website fingerprinting defenses [35], and Daniel Martí on
incremental updates to consensus documents [36].

  [31]: https://lists.torproject.org/pipermail/tor-dev/2014-July/007152.html
  [32]: https://lists.torproject.org/pipermail/tor-dev/2014-July/007156.html
  [33]: https://lists.torproject.org/pipermail/tor-dev/2014-July/007157.html
  [34]: https://lists.torproject.org/pipermail/tor-reports/2014-July/000594.html
  [35]: https://lists.torproject.org/pipermail/tor-reports/2014-July/000595.html
  [36]: https://lists.torproject.org/pipermail/tor-dev/2014-July/007163.html

Tim Retout announced [37] that apt-transport-tor [38] 0.2.1 has entered
Debian unstable. This package enables APT to download Debian packages
through Tor.

  [37]: http://retout.co.uk/blog/2014/07/21/apt-transport-tor
  [38]: https://tracker.debian.org/pkg/apt-transport-tor

Atlas [39] can now also be used to search for Tor bridges. In the past,
Atlas was only able to search for relays. This was made possible thanks
to a patch [40] developed by Dmitry Eremin-Solenikov.

  [39]: https://atlas.torproject.org/
  [40]: https://bugs.torproject.org/6320

Thanks to Tim Semeijn [41] and Tobias Bauer [42] for setting up new
mirrors of the Tor Project’s website and its software.

  [41]: https://lists.torproject.org/pipermail/tor-mirrors/2014-July/000642.html
  [42]: https://lists.torproject.org/pipermail/tor-mirrors/2014-July/000646.html

Tor help desk roundup

Some Linux users have experienced missing dependency errors when trying
to install Tor Browser from their operating system’s software
repositories. Tor Browser should only be installed from the Tor
Project’s website, and never from a software repository. In other words,
using apt-get or yum to install Tor Browser is discouraged. Downloading
and verifying Tor Browser from the Tor Project website allows users to
keep up with important security updates as they are released.

News from Tor StackExchange

user3224 wants to log in to its Google, Microsoft etc. accounts and
wonders if they will know the real name and other personal
information [43]. Roya and mirimir explained that if someone logs into
an already personalized account Tor can’t anonymize this user. Instead
it might be wise to use Tor to register a pseudonym and also use an
anonymous operating system like Tails or Whonix.

  [43]: https://tor.stackexchange.com/q/3603/88

escapologybb has set up a Raspberry Pi. It serves as SOCKS proxy for the
internal network. While everyone can use it, escapologybb asks what the
security implications are and if this lowers the overall anonymity [44].
If you know a good answer please share your knowledge with the users of
Tor StackExchange.

  [44]: https://tor.stackexchange.com/q/3596/88

Upcoming events

 Aug. 3 19:00 UTC  | Tails contributors meeting
                   | #tails-dev @ irc.indymedia.org / h7gf2ha3hefoj5ls.onion
                   | https://mailman.boum.org/pipermail/tails-project/2014-July/000000.html
 August 18         | Roger @ FOCI ’14
                   | San Diego, California, USA
                   | https://www.usenix.org/conference/foci14
 August 20-22      | Roger @ USENIX Security Symposium ’14
                   | San Diego, California, USA
                   | https://www.usenix.org/conference/usenixsecurity14

This issue of Tor Weekly News has been assembled by Lunar, Steven
Murdoch, harmony, Philipp Winter, Matt Pagan, qbi, and Karsten Loesing.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [45], write down your
name and subscribe to the team mailing list [46] if you want to
get involved!

  [45]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
  [46]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-talk/attachments/20140723/1887ff9f/attachment-0001.sig>

More information about the tor-talk mailing list