wiki:TorWeeklyNews/2013/12

Version 22 (modified by lunar, 6 years ago)

promote and rework the clock skew issue

Thirteenth issue of Tor Weekly News. Covering what's happening from September 17th, 2013 to September 24th, 2013. To be released on September 25th, 2013.

Editor: dope457

Subject: Tor Weekly News — September 25th, 2013

========================================================================
Tor Weekly News                                     September 25th, 2013
========================================================================

Welcome to the thirteenth issue of Tor Weekly News, the weekly newsletter that
covers what is happening in the XXX Tor community.

Reimbursement of exit operators
-------------------------------

In July 2012, Roger Dingledine wrote a post on the Tor blog [XXX] in which he
raised the prospect of offering funding to organizations running fast Tor exit
nodes. In so doing, Roger wrote, 'we will improve the network's diversity as
well as being able to handle more users.' He also announced that donors were
already interested in financing such a scheme. Then, in April this year, Moritz
Bartl stated [XXX] that torservers.net was looking to move away from establishing
additional exit nodes, in favor of providing support of various kinds to partner
organizations running their own exits.

These plans, and the discussion they provoked, are now about to bear fruit
in the form of a financial reimbursement scheme directed at torservers.net's
partner organizations. Moritz wrote again on the tor-relays list [XXX]
to announce that reimbursements are scheduled to begin at the end of this
month, drawn from a one-time donation by the Broadcasting Board of Governors.

The ensuing debate focused both on the technical aspects of reimbursement
— that is, how best to determine the division of funds based on information
harvested from the network metrics [XXX] — and the question of the security
issues that could potentially arise from such a scheme [XXX].

[...TBC]

 [XXX] https://blog.torproject.org/blog/turning-funding-more-exit-relays
 [XXX] https://lists.torproject.org/pipermail/tor-relays/2013-April/001996.html
 [XXX] https://lists.torproject.org/pipermail/tor-relays/2013-September/002825.html
 [XXX] https://lists.torproject.org/pipermail/tor-relays/2013-September/002831.html

Tails 0.20.1 is out
-------------------

Tails saw its 33rd release on September 19th [XXX]. The most visible change
might be the upgrade of tor to version 0.2.4.17-rc, which should result in
faster and more reliable access to the network after the sudden bump in
Tor clients [XXX]. 

Among other minor bugfixes and improvements, persistence volumes are now properly unmounted
on shutdown. This should prevent data loss in some situations, and avoid a sometimes lengthy
pause upon activation.

It also fixes several important security issues [XXX]. It is recommended that
all users upgrade as soon as possible [XXX].

 [XXX] https://tails.boum.org/news/version_0.20.1/
 [XXX] https://blog.torproject.org/blog/how-to-handle-millions-new-tor-clients
 [XXX] https://tails.boum.org/security/Numerous_security_holes_in_0.20/
 [XXX] https://tails.boum.org/news/version_0.20.1/

New Tor Browser Bundles released
--------------------------------

A new set of stable and beta Tor Browser Bundles was announced on the Tor blog [XXX].
As well as disabling the filtering of results for queries submitted to Startpage,
the default search engine, they include an updated version of HTTPS-Everywhere that
no longer causes a storm of requests to clients1.google.com, an issue reported by many
users after the last release [XXX]. In addition, they incorporate important security
updates; it is recommended that all users upgrade as soon as possible.

 [XXX] https://blog.torproject.org/blog/new-tor-browser-bundles-firefox-1709esr
 [XXX] https://bugs.torproject.org/9713

Tor mini-hackathon at GNU 30th Anniversary Celebration
------------------------------------------------------

Nick Mathewson sent an invitation [XXX] encouraging everyone to attend the GNU 30th
Anniversary Celebration [XXX] this weekend at MIT, where Tor is going to be featured
among a few other projects. Part of the event is a hackathon, so if you like to program,
and you're interested in helping with Tor, sign up on the webpage [XXX] and come on by!

 [XXX] https://lists.torproject.org/pipermail/tor-talk/2013-September/030154.html
 [XXX] https://gnu.org/gnu30/celebration
 [XXX] https://crm.fsf.org/civicrm/event/register?id=10

False alarm about clock skew
----------------------------

Small offsets in system time are a good opportunity to fingerprint Tor clients. In
order to eliminate unnecessary exposure, Nick Mathewson has been working on
proposal 222 [XXX].

Unfortunately, this introduced a bug which revealed itself after the directory
authority named “turtles” was upgraded. As a result, relays started to warn their
operators of an implausible clock skew [XXX]. This was indeed a false alarm.

The issue was quickly worked around and properly fixed a few hours later [XXX].

 [XXX] https://gitweb.torproject.org/torspec.git/blob_plain/refs/heads/master:/proposals/222-remove-client-timestamps.txt
 [XXX] https://lists.torproject.org/pipermail/tor-relays/2013-September/002888.html
 [XXX] https://bugs.torproject.org/9798

Miscellaneous news
------------------

Jacob Appelbaum inquired with VUPEN about the Tor Project having the right of first
refusal for Tor Browser bugs, in order to protect users [XXX].

 [XXX] http://storify.com/fredericjacobs/discussion-between-tor-s-ioerror-and-vupen-s-chaou

In the course of stopping Tor clients from communicating their local time to servers,
a bug was introduced into the tor master branch that caused relays to warn their
operators of clock skew, after receiving the Unix epoch as the current time from
affected directory authorities [XXX].

 [XXX] https://bugs.torproject.org/9798

The proposed Tor page on Stack Exchange has now reached 100% commitment, and will soon
be launching as a live beta. Thanks to everyone who signed up! [XXX].

 [XXX] http://area51.stackexchange.com/proposals/56447/tor

Vulnerabilities
---------------

XXX: Reported vulnerabilities [XXX].

 [XXX] vulnerability report source

Upcoming events
---------------

Sep 28-29 | Tor mini-hackathon at GNU 30th Anniversary Celebration
          | MIT, Cambridge, Massachusetts
          | https://gnu.org/gnu30/celebration
          |
Sep 30th  | Congress on Privacy & Surveillance
          | A one-day event triggered by recent announcements about secret Internet mass surveillance
          | Lausanne, Switzerland
          | http://ic.epfl.ch/privacy-surveillance
          |
Jul XX-XX | Event XXX brief description
          | Event City, Event Country
          | Event website URL


This issue of Tor Weekly News has been assembled by XXX, XXX, Jacob Appelbaum, and
XXX

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [XXX], write down your
name and subscribe to the team mailing list [XXX] if you want to
get involved!

  [XXX] https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
  [XXX] https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team

Possible items :

on EvilGenius by Johannes Fürmann https://lists.torproject.org/pipermail/tor-dev/2013-September/005484.html