Changes between Version 64 and Version 65 of TorWeeklyNews/2013/14


Timestamp:
Oct 9, 2013, 3:28:55 PM (6 years ago)
Author:
lunar
Comment:

sent!

  • TorWeeklyNews/2013/14

    v64 v65  
    33'''Editor:''' Lunar
    44
    5 '''Status:''' FROZEN! — Changes should go in [wiki:TorWeeklyNews/2013/15 next week edition] — ''Expected release time 2013-10-09 12:00 UTC (worst case 17:00 UTC)''
    6 
    7 '''Subject:''' Tor Weekly News — October 9th, 2013
    8 
    9 {{{
    10 ========================================================================
    11 Tor Weekly News                                        October 9th, 2013
    12 ========================================================================
    13 
    14 Welcome to the fifteenth issue of Tor Weekly News, the weekly newsletter
    15 that covers what's happening in the world of Tor — “king of high-secure,
    16 low-latency anonymity” [1].
    17 
    18    [1] http://www.theguardian.com/world/interactive/2013/oct/04/tor-high-secure-internet-anonymity
    19 
    20 New tranche of NSA/GCHQ Tor documents released
    21 ----------------------------------------------
    22 
    23 After a cameo appearance in previous leaked intelligence documents [2],
    24 Tor found itself at the center of attention in the latest installment of
    25 the ongoing Snowden disclosures after a series of stories were published
    26 in the Guardian and the Washington Post that detailed alleged attempts
    27 by NSA, GCHQ, and their allies to defeat or circumvent the protection
    28 that Tor offers its users. A number of source materials, redacted by the
    29 newspapers, were published to accompany the articles.
    30 
    31 The documents in question [3] offer, alongside characteristically
    32 entertaining illustrations [4], an overview of the Tor network from the
    33 point of view of the intelligence agencies, as well as a summary of
    34 attacks against Tor users and the network as a whole that they have
    35 considered or carried out.
    36 
    37 Despite the understandable concern provoked among users by these
    38 disclosures, Tor developers themselves were encouraged by the often
    39 relatively basic or out-of-date nature of the attacks described. In
    40 response to one journalist's request for comment, Roger Dingledine wrote
    41 that “we still have a lot of work to do to make Tor both safe and
    42 usable, but we don't have any new work based on these slides” [5].
    43 
    44 Have a look at the documents yourself, and feel free to raise any
    45 questions with the community on the mailing lists or IRC channels.
    46 
    47    [2] https://blog.torproject.org/blog/tor-nsa-gchq-and-quick-ant-speculation
    48    [3] http://media.encrypted.cc/files/nsa
    49    [4] https://twitter.com/EFF/status/386291345301581825
    50    [5] https://blog.torproject.org/blog/yes-we-know-about-guardian-article#comment-35793
    51 
    52 tor 0.2.5.1-alpha is out
    53 ------------------------
    54 
    55 Roger Dingledine announced [6] the first alpha release in the tor
    56 0.2.5.x series, which among many other improvements introduces
    57 experimental support for syscall sandboxing on Linux, as well as
    58 statistics reporting for pluggable transports usage on compatible
    59 bridges.
    60 
    61 Roger warned that “this is the first alpha release in a new series, so
    62 expect there to be bugs. Users who would rather test out a more stable
    63 branch should stay with 0.2.4.x for now.” 0.2.5.1-alpha will not
    64 immediately appear on the main download pages, in order to avoid having
    65 too many versions listed at once. Please feel free to test the new
    66 release [7], and report any bugs you find!
    67 
    68    [6] https://lists.torproject.org/pipermail/tor-talk/2013-October/030269.html
    69    [7] https://www.torproject.org/dist/
    70 
    71 How did Tor achieve reproducible builds?
    72 ----------------------------------------
    73 
    74 At the end of June, Mike Perry announced [8] the first release of the
    75 Tor Browser Bundle 3.0 alpha series, featuring release binaries “exactly
    76 reproducible from the source code by anyone”. In a subsequent blog [9]
    77 published in August, he explained why it mattered.
    78 
    79 Mike has just published the promised follow-up piece [10] describing how
    80 this feat was achieved in the new Tor Browser Bundle build process.
    81 
    82 He explains how Gitian [11] is used to create a reproducible build
    83 environment, the tools used to produce cross-platform binaries for
    84 Windows and OS X from a Linux environment, and several issues that
    85 prevented the builds from being entirely deterministic. The latter range
    86 from timestamps to file ordering differences when looking up a
    87 directory, with an added 3 bytes of pure mystery.
    88 
    89 There is more work to be done to “prevent the adversary from
    90 compromising the (substantially weaker) Ubuntu build and packaging
    91 processes” currently used for the toolchain. Mike also wrote about
    92 making the build of the compiler and toolchain part of the build
    93 process, cross-compilation between multiple architectures, and the work
    94 being done by Linux distributions to produce deterministic builds from
    95 their packages.
    96 
    97 If you are interested in helping, or working on your own software
    98 project, there is a lot to be learned by reading the blog post in full.
    99 
    100    [8] https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released
    101    [9] https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise
    102   [10] https://blog.torproject.org/blog/deterministic-builds-part-two-technical-details
    103   [11] http://gitian.org/howto.html
    104 
    105 Toward a new Tor Instant Messaging Bundle
    106 -----------------------------------------
    107 
    108 A first meeting last week kicked-off the “Attentive Otter project” [12]
    109 which aims to come up with a new bundle for instant messaging. The first
    110 meeting mainly consisted in trying to enumerate the various options.
    111 
    112 In the end, people volunteered to research three different
    113 implementation ideas. Thijs Alkemade and Jurre van Bergen explored the
    114 possibilty of using Pidgin/libpurple [13] as the core component. Jurre
    115 also prepared an analysis of xmpp-client, together with David Goulet,
    116 Nick Mathewson, Arlo Breault, and George Kadianakis [14]. As a third
    117 option, Mike Perry took a closer look at Instantbird/Thunderbird with
    118 Sukhbir Singh [15].
    119 
    120 All the options have their pros and cons, and they will probably be
    121 discussed on the tor-dev mailing list and at the next “Attentive
    122 Otter” meeting.
    123 
    124   [12] https://trac.torproject.org/projects/tor/wiki/org/sponsors/Otter/Attentive
    125   [13] https://lists.torproject.org/pipermail/tor-dev/2013-October/005544.html
    126   [14] https://lists.torproject.org/pipermail/tor-dev/2013-October/005546.html
    127   [15] https://lists.torproject.org/pipermail/tor-dev/2013-October/005555.html
    128 
    129 More monthly status reports for September 2013
    130 ----------------------------------------------
    131 
    132 The wave of regular monthly reports from Tor project members continued
    133 this week with submissions from George Kadianakis [16], Lunar [17],
    134 Sathyanarayanan Gunasekaran [18], Ximin Luo [19], Matt Pagan [20], Pearl
    135 Crescent [21], Colin C. [22], Arlo Breault [23], Karsten Loesing [24],
    136 Jason Tsai [25], the Tor help desk [26], Sukhbir Singh [27], Nick
    137 Mathewson [28], Mike Perry [29], Andrew Lewman [30], Aaron G [31], and
    138 the Tails folks [32].
    139 
    140   [16] https://lists.torproject.org/pipermail/tor-reports/2013-October/000346.html
    141   [17] https://lists.torproject.org/pipermail/tor-reports/2013-October/000347.html
    142   [18] https://lists.torproject.org/pipermail/tor-reports/2013-October/000348.html
    143   [19] https://lists.torproject.org/pipermail/tor-reports/2013-October/000349.html
    144   [20] https://lists.torproject.org/pipermail/tor-reports/2013-October/000350.html
    145   [21] https://lists.torproject.org/pipermail/tor-reports/2013-October/000351.html
    146   [22] https://lists.torproject.org/pipermail/tor-reports/2013-October/000352.html
    147   [23] https://lists.torproject.org/pipermail/tor-reports/2013-October/000353.html
    148   [24] https://lists.torproject.org/pipermail/tor-reports/2013-October/000354.html
    149   [25] https://lists.torproject.org/pipermail/tor-reports/2013-October/000355.html
    150   [26] https://lists.torproject.org/pipermail/tor-reports/2013-October/000356.html
    151   [27] https://lists.torproject.org/pipermail/tor-reports/2013-October/000357.html
    152   [28] https://lists.torproject.org/pipermail/tor-reports/2013-October/000358.html
    153   [29] https://lists.torproject.org/pipermail/tor-reports/2013-October/000359.html
    154   [30] https://lists.torproject.org/pipermail/tor-reports/2013-October/000360.html
    155   [31] https://lists.torproject.org/pipermail/tor-reports/2013-October/000361.html
    156   [32] https://lists.torproject.org/pipermail/tor-reports/2013-October/000362.html
    157 
    158 Tor Help Desk Roundup
    159 ---------------------
    160 
    161 A number of users wanted to know if Tor was still safe to use given the
    162 recent news that Tor users have been targeted by the NSA. We directed
    163 these users to the Tor Project's official statement on the subject [33].
    164 
    165 One of the most popular questions the help desk receives continues to be
    166 whether or not Tor is available on iOS devices. Currently there is no
    167 officially supported solution, although more than one project has been
    168 presented [34, 35].
    169 
    170 The United Kingdom is now one of the countries where citizens request
    171 assistance circumventing a national firewall [36].
    172 
    173   [33] https://blog.torproject.org/blog/yes-we-know-about-guardian-article
    174   [34] https://lists.torproject.org/pipermail/tor-dev/2013-October/005542.html
    175   [35] https://trac.torproject.org/projects/tor/ticket/8933
    176   [36] https://lists.torproject.org/pipermail/tor-talk/2013-July/029054.html
    177 
    178 Miscellaneous news
    179 ------------------
    180 
    181 Thanks to Grozdan [37], Simon Gattner from Netzkonstrukt Berlin [38],
    182 Wollomatic [39], and Haskell [40] for setting up new mirrors of the Tor
    183 project website.
    184 
    185   [37] https://lists.torproject.org/pipermail/tor-mirrors/2013-September/000366.html
    186   [38] https://lists.torproject.org/pipermail/tor-mirrors/2013-September/000370.html
    187   [39] https://lists.torproject.org/pipermail/tor-mirrors/2013-October/000374.html
    188   [40] https://lists.torproject.org/pipermail/tor-mirrors/2013-October/000375.html
    189 
    190 Arlo Breault sent out a request for comments on a possible new version
    191 of the check.torproject.org page [41].
    192 
    193   [41] https://lists.torproject.org/pipermail/tor-talk/2013-October/030253.html
    194 
    195 Runa Sandvik announced [42] that the Tor Stack Exchange page has moved
    196 from private beta to public beta. If you'd like to help answer
    197 Tor-related questions (or ask them), get involved now! [43]
    198 
    199   [42] https://lists.torproject.org/pipermail/tor-talk/2013-October/030269.html
    200   [43] http://tor.stackexchange.com/
    201 
    202 Philipp Winter sent out a call for testing (and installation
    203 instructions) for the ScrambleSuit pluggable transports protocol [44].
    204 
    205   [44] https://lists.torproject.org/pipermail/tor-talk/2013-October/030252.html
    206 
    207 Not strictly Tor-related, but Mike Perry started an interesting
    208 discussion [45] about the “web of trust” system, as found in OpenPGP.
    209 The discussion was also held on the MonkeySphere mailing list, which
    210 prompted Daniel Kahn Gilmor to reply with many clarifications regarding
    211 the various properties and processes of the current implementation. To
    212 sum it up, Ximin Luo started [46] a new documentation project [47] “to
    213 describe and explain security issues relating to identity, in
    214 (hopefully) simple and non-implementation-specific language”.
    215 
    216   [45] https://lists.torproject.org/pipermail/tor-talk/2013-September/030235.html
    217   [46] https://lists.riseup.net/www/arc/monkeysphere/2013-10/msg00000.html
    218   [47] https://github.com/infinity0/idsec/
    219 
    220 The listmaster role has been better defined [48] and is now performed by
    221 a team consisting of Andrew Lewman, Damian Johnson, and Karsten Loesing.
    222 Thanks to them!
    223 
    224   [48] https://trac.torproject.org/projects/tor/wiki/org/operations/Infrastructure/lists.torproject.org
    225 
    226 Roger Dingledine released an official statement on the Tor project
    227 blog [49] regarding the takedown of the Silk Road hidden service and
    228 the arrest of its alleged operator.
    229 
    230   [49] https://blog.torproject.org/blog/tor-and-silk-road-takedown
    231 
    232 Fabio Pietrosanti asked [50] for reviews of “experimental Tor
    233 performance tuning for a Tor2web node.” Feel free to have a look [51]
    234 and provide feedback.
    235 
    236   [50] https://lists.torproject.org/pipermail/tor-talk/2013-October/030405.html
    237   [51] https://github.com/globaleaks/Tor2web-3.0/wiki/Performance-tuning
    238 
    239 Claudiu-Vlad Ursache announced [52] the initial release of
    240 CPAProxy [53], “a thin Objective-C wrapper around Tor”. This is the
    241 first component of a project to “release a free open-source browser on
    242 the App Store that uses this wrapper and Tor to anonymize requests.”
    243 Claudiu-Vlad left several questions open, and solicited opinions on the
    244 larger goal.
    245 
    246   [52] https://lists.torproject.org/pipermail/tor-dev/2013-October/005545.html
    247   [53] https://github.com/ursachec/CPAProxy
    248 
    249 Upcoming events
    250 ---------------
    251 
    252 Oct 09-10 | Andrew speaking at Secure Poland 2013
    253           | Warszawa, Poland
    254           | http://www.secure.edu.pl/
    255           |
    256 Oct 11    | Kelley @ Journalist Training Event
    257           | Helsiniki, Finland
    258           | http://www.journalistiliitto.fi/jp13/
    259           |
    260 Nov 04-05 | 20th ACM Conference on Computer and Communications Security,
    261           | Berlin, Germany
    262           | http://www.sigsac.org/ccs/CCS2013/
    263 
    264 
    265 This issue of Tor Weekly News has been assembled by Lunar, harmony,
    266 dope457 and Matt Pagan.
    267 
    268 Want to continue reading TWN? Please help us create this newsletter.  We
    269 still need more volunteers to watch the Tor community and report
    270 important news. Please see the project page [54], write down your name
    271 and subscribe to the team mailing list [55] if you want to get involved!
    272 
    273   [54] https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
    274   [55] https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
    275 }}}
     5'''Status:''' [https://lists.torproject.org/pipermail/tor-news/2013-October/000015.html Sent]
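Review bot: the replacement of old lines 5-275 with a single Status line drops the '''Subject:''' line and the whole {{{ }}} newsletter body, so this wiki page no longer carries the text of the issue and depends entirely on the lists.torproject.org archive link. Consider keeping the Subject line next to the new Sent status, and stating in the change comment that the body was removed, since "sent!" alone does not say so.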