[tor-talk] Tor Weekly News — March 26th, 2014

harmony harmony01 at riseup.net
Wed Mar 26 12:00:09 UTC 2014

Tor Weekly News                                         March 26th, 2014

Welcome to the twelfth issue of Tor Weekly News in 2014, the weekly
newsletter that covers what is happening in the Tor community.

Tor is out

Nick Mathewson cut a new release of the Tor development branch [1] on
March 23rd: “Tor includes all the fixes from It
contains two new anti-DoS features for Tor relays, resolves a bug that
kept SOCKS5 support for IPv6 from working, fixes several annoying
usability issues for bridge users, and removes more old code for unused
directory formats.”

This release also marks the first step toward the stabilization of Tor
0.2.5, as from now on “no feature patches not already written will be
considered for inclusion”.

The source is available at the usual location [2], as are updated binary

  [1]: https://lists.torproject.org/pipermail/tor-talk/2014-March/032448.html
  [2]: https://www.torproject.org/dist/

Tails 0.23 is out…

…but many Tails users are already running it. Now that incremental
upgrades have been turned on by default with the previous release, users
of Tails on USB sticks have been able to enjoy the process of a smooth
upgrade in three clicks.

As always, the new release [3] fixes several security holes [4]. That
alone should make anyone switch, but the new version finally brings with
it two long-awaited features and many small improvements.

Tails will now do “MAC spoofing” by default. To hide the hardware
address used on the local network, Tails will now use a randomized
address by default. This will help prevent the tracking of one’s
geographical location across networks. For more information about MAC
spoofing, why it matters, and when it might be relevant to turn it off,
be sure to read the very well-written documentation [5].

Another important feature is the integrated support for proxies and Tor
bridges. This should be of immense help to users of Tails on censored
networks. The integration is done using the Tor Launcher extension [6],
familiar to everyone who has used recent versions of the Tor Browser.

For examples of smaller features and bugfixes: Tor, obfsproxy, I2P,
Pidgin and the web browser have been upgraded, a 64-bit kernel is used
on most systems to pave the way for UEFI support, documentation is now
accessible from the greeter, and the “New identity” option in the
browser is available again.

The next Tails release is scheduled for April 29th and will be 1.0.  For
this important milestone in 5 years of intense work, the Tails team is
still looking for a logo [7].

  [3]: https://tails.boum.org/news/version_0.23/
  [4]: https://tails.boum.org/security/Numerous_security_holes_in_0.22.1/
  [5]: https://tails.boum.org/doc/first_steps/startup_options/mac_spoofing/
  [6]: https://gitweb.torproject.org/tor-launcher.git
  [7]: https://tails.boum.org/news/logo_contest/

New Tor Browser releases

The Tor Browser team put out two new releases based on Firefox
24.4.0esr [8]. Version 3.5.3 [9] is meant as a safe upgrade for every
Tor Browser user. Among other changes, the new version contains an
updated Tor, a fix for a potential freeze, a fix for the Ubuntu keyboard
issue and a way to prevent disk leaks when watching videos.

On top of the preceding changes, version 3.6-beta-1 [10] is the
culmination of a months-long effort to seamlessly integrate pluggable
transports [11] into the Tor Browser. In the network settings, users can
now choose “Connect with provided bridges” and select from “obfs3” [12],
“fte” [13] or “flashproxy” [14]. Entering custom bridges is also
supported and will work for direct, obfs2 and obfs3 bridges.

Other usability changes include wording improvements in the connection
wizard, translatable Tor status messages, and the use of disk image
(DMG) instead of ZIP archives for Mac OS X. 

Please upgrade, in any case, and consider helping iron out the remaining
issues in the 3.6 branch.

  [8]: https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#firefox24.4
  [9]: https://blog.torproject.org/blog/tor-browser-353-released
 [10]: https://blog.torproject.org/blog/tor-browser-36-beta-1-released
 [11]: https://www.torproject.org/docs/pluggable-transports.html
 [12]: https://gitweb.torproject.org/pluggable-transports/obfsproxy.git/blob/refs/heads/master:/doc/obfs3/obfs3-protocol-spec.txt
 [13]: https://fteproxy.org/
 [14]: https://crypto.stanford.edu/flashproxy/

Miscellaneous news

Since the 3.5 release, “Tor Browser Bundle is more like a standalone
browser and less like a bundle”. This led the Tor Browser team to plan
to “rename it to just ‘Tor Browser’ everywhere” [15].

 [15]: https://bugs.torproject.org/11193

Thanks to Berkay [16] and to André Schulz [17] for running mirrors of
the Tor Project website!

 [16]: https://lists.torproject.org/pipermail/tor-mirrors/2014-March/000491.html
 [17]: https://lists.torproject.org/pipermail/tor-mirrors/2014-March/000492.html

Alex reported [18] an “important case about Tor relay operators” which
came to court in Athens, Greece on March 18th. The defendant, a Tor
relay operator, was acquitted after proving that the IP address used for
criminal activity was in fact a Tor relay.

 [18]: https://lists.torproject.org/pipermail/tor-talk/2014-March/032441.html

Connections to Twitter from inside Turkey were blocked by the Turkish
government on 20th March [19], leading to an increase in the number of
Tor users there [20, 21].

 [19]: http://arstechnica.com/tech-policy/2014/03/after-dns-change-fails-turkish-government-steps-up-twitter-censorship/
 [20]: https://metrics.torproject.org/users.html?graph=userstats-relay-country&start=2014-01-01&end=2014-03-26&country=tr&events=off#userstats-relay-country
 [21]: http://www.bbc.com/news/technology-26714214

Jacob Appelbaum presented a keynote titled “Free software for freedom,
surveillance and you” at LibrePlanet 2014 [22]. The presentation was
done remotely from Berlin using Tor and GStreamer [23].

 [22]: http://libreplanet.org/2014/program/sessions.html
 [23]: https://github.com/ioerror/freenote

James Valleroy wrote to tor-relays [24] asking the best way to configure
the FreedomBox [25] as a Tor bridge. Lance Hathaway explained [26] about
pluggable transports and Roger Dingledine mentioned [27] the potential
issues of relaying a bridge and a hidden service at the same time.

 [24]: https://lists.torproject.org/pipermail/tor-relays/2014-March/004108.html
 [25]: https://wiki.debian.org/FreedomBox
 [26]: https://lists.torproject.org/pipermail/tor-relays/2014-March/004111.html
 [27]: https://lists.torproject.org/pipermail/tor-relays/2014-March/004134.html

Aymeric Vitte wrote to tor-talk [28] to mention an implementation of the
Tor protocol in JavaScript. Sadly, the project is not free software yet.

 [28]: https://lists.torproject.org/pipermail/tor-talk/2014-March/032432.html

A Tor exit operator recently held [29] an Ask Me Anything on Reddit,
which was quite successful, generating over 800 upvotes, 478 comments,
and being read by thousands. The most popular questions were focused on
how to improve the use of Tor, the legality of exit nodes, discussions
on hidden services, the workings of Tor, and many other topics related
to privacy and security.

 [29]: https://pay.reddit.com/r/IAmA/comments/20243q/iaman_operator_of_eight_tor_relays_including_two

Tor help desk roundup

Users sometimes want to know how to transfer their bookmarks from an old
Tor Browser to an updated one. Mozilla provide instructions on how to do
this on their website [30].

 [30]: http://support.mozilla.org/en-US/kb/export-firefox-bookmarks-to-backup-or-transfer

The new Tor Browser releases were again prevented from working properly
by WebRoot Internet Security. The error message is “Couldn’t load
XPCOM”. Users need to disable WebRoot, whitelist the appropriate Tor
Browser files, and more importantly contact WebRoot support to warn them
that their product is breaking the Tor Browser and, to the best of Tor
support’s knowledge, Firefox stable releases. Ideally, WebRoot should
test new releases before harming Tor users. See #11268 [31] if you want
to help.

 [31]: https://bugs.torproject.org/11268

News from Tor StackExchange

uighur1984 wanted to set up a hidden service for their public-facing
website [32] and decided that the HiddenServiceDir should be the same
like the DocumentRoot of the website. This led to some problems with
access rights. Sam Whited clarified that both directories should be
separated: the data in the HiddenServiceDir doesn't contain any actual
data from the website, but only the keys and other information from the
hidden service.

 [32]: https://tor.stackexchange.com/q/1783/88

Gondalse shot a video showing policemen torturing a citizen. The release
of the video led to a trial, and Gondalse fears that someone might try
to track the owner of the video down [33]. Jens Kubieziel pointed out
some OPSEC rules, and showed which problems can lead to deanonymization.

 [33]: https://tor.stackexchange.com/q/1790/88 

Upcoming events

Mar 26 19:00 UTC | little-t tor development meeting
                 | #tor-dev, irc.oftc.net
Mar 28 17:00 UTC | Pluggable transports online meeting
                 | #tor-dev, irc.oftc.net
Mar 28 18:00 UTC | Tor Browser online meeting
                 | #tor-dev, irc.oftc.net
                 | https://lists.torproject.org/pipermail/tbb-dev/2014-March/000026.html
April 1-4        | Civil Rights Defenders’ Days
                 | Stockholm, Sweden
                 | http://defendersdays.civilrightsdefenders.org/

This issue of Tor Weekly News has been assembled by Lunar, Matt Pagan,
harmony, qbi, Jesse Victors, and Karsten Loesing.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [34], write down your
name and subscribe to the team mailing list [35] if you want to
get involved!

 [34]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
 [35]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team

More information about the tor-talk mailing list