wiki:TorWeeklyNews/2013/1

Version 37 (modified by lunar, 7 years ago) (diff)

add tails low hanging fruit sessions

Second issue of Tor Weekly News. Covering what's happening since July 2nd, 2013. To be released on July 10th, 2013.

Editor for this week: Lunar

Subject: Tor Weekly News — July, 10th 2013

========================================================================
Tor Weekly News                                          July 10th, 2013
========================================================================

Welcome to the second issue of Tor Weekly News, the weekly
newsletter meant to cover what is happening in the great Tor
community.

First release candidate for Tor 0.2.4.x series
----------------------------------------------

On Wednesday 3rd July, Roger Dingledine announced release of Tor 0.2.4.15-rc. [z]
As “rc” suggests it is the first release candidate for 0.2.4.x series.
This version fixes a few smaller bugs, but generally appears stable, wrote Roger.

Some highlights of changes from 0.2.3.x: [f]

 * bridges now report the pluggable transports they support to the bridge authority, [q]
 * IPv6 support, [a][b][c][d]
 * automatically forward the TCP ports of pluggable transport proxies using tor-fw-helper if PortForwarding is enabled, [t]
 * switch to a nonrecursive Makefile structure. Where available, now used automake's "silent" make rules by default, [e]
 * and many, many more small improvements and fixes.

New version for download & testing here [x].

 [z] https://lists.torproject.org/pipermail/tor-talk/2013-July/028776.html
 [f] https://gitweb.torproject.org/tor.git/blob/b13c6becc:/ChangeLog
 [q] https://trac.torproject.org/3589
 [a] https://trac.torproject.org/5534
 [b] https://trac.torproject.org/5535
 [c] https://trac.torproject.org/6362
 [d] https://trac.torproject.org/6363
 [e] https://trac.torproject.org/6522
 [t] https://trac.torproject.org/4567
 [x] https://www.torproject.org/dist/

New vulnerability in Tor Browser Bundle 2.3.25-10?
--------------------------------------------------

User cypherpunks reported an issue when downloaded files are scanned by the 
Microsoft Security Essentials or another cloud based AV product due to wrong 
value of Firefox's “browser.download.manager.scanWhenDone;true” [1].

Cypherpunks suggests to set the value to “false” to prevent reporting downloaded 
files to Microsoft. He also mentions this can be achieved by AV settings itself.
This issue affects Windows users and only completed downloads are scanned.

 [1] https://trac.torproject.org/9195

The Tor Project is hiring a Lead Automation Engineer
-----------------------------------------------------

Do you have experience programming in multiple languages, including Java, 
Python/Ruby, Bash scripting, and Javascript?

The Tor Project opened a new position as Lead Automation Engineer. The
project seeks to deploy nightly builds and continuous integration 
for as many of its key software components and platform combinations as possible.
Candidates are expected to be capable of taking the lead in selecting, deploying,
and maintaining multiple automation systems in several different programming languages.
For more details visit [x].


XXX: expand
XXX: quote mikeperry https://lists.torproject.org/pipermail/tor-dev/2013-July/005119.html


 [x] https://www.torproject.org/about/jobs-lead-automation.html.en

check.torproject.org outage
---------------------------

As Andrew Lewman wrote on Thursday 4th July [XXX], “over the past 24 hours
https://check.torproject.org has been unavailable due to excessive DNS
queries to the exitlist service. It seems there are a number of individuals and
companies with commercial products relying upon this volunteer service. We
finally hit the point where we couldn't keep up with the queries and simply
disabled the service.”

As time of writing, the service is again available, but the project might
“take it down as needed without notice.”

check.torproject.org is no longer the homepage for Tails since January this year.
The Tor Browser Bundle will also switch to a new homepage in version 3,
currently in alpha stage [XXX].

Other software or services who depends on check.torproject.org should either
migrate away or run their own. The source code for the web page is
available [XXX]. It is supported by a database of running exit nodes that
can be queried through DNS [XXX].

If you wish to help, one need is to actually make it easier for third
parties to get their own “check” service running. This means improving
TorDNSEL [XXX] or finishing TorBEL [XXX]. And writing an easy to follow
documentation.

[XXX] https://blog.torproject.org/blog/tor-check-outage-03-and-04-july-2013
[XXX] https://tails.boum.org/news/version_0.16/
[XXX] https://bugs.torproject.org/7494
[XXX] https://svn.torproject.org/cgi-bin/viewvc.cgi/Tor/check/trunk/
[XXX] https://trac.torproject.org/projects/tor/wiki/doc/TorDNSExitList
      (page contained outdated informations as of 2013-07-04)
[XXX] https://gitweb.torproject.org/tordnsel.git
[XXX] https://gitweb.torproject.org/torbel.git

An experimental transparent Tor proxy for Windows
-------------------------------------------------

basil announced [XXX] a new experimental transparent Tor proxy for using Tor on Windows:
“1) It (transparently) reroutes all HTTP traffic through the Tor anonymity network; and
2) It blocks all non-Tor traffic (including DNS) to and from your computer.”

The project is currently dubbed TorWall but the name is likely to change as it is
problematic regarding the Tor trademark [XXX] and Roger pointed out [XXX] that there was a
now discontinued project already called Torwall. Roger also pointed out that
transparent proxying might not be the best solutions “on the theory that
if the given application isn't specifically configured to use Tor, it's
probably going to screw up privacy-wise.”

basil answered [XXX] by stating that the project was “really for those who know and understand
the risks (possibly a very limited market?)”. Feel free to give it a try if you do!

[XXX] https://lists.torproject.org/pipermail/tor-talk/2013-July/028809.html
[XXX] https://www.torproject.org/docs/trademark-faq
[XXX] https://lists.torproject.org/pipermail/tor-talk/2013-July/028833.html
[XXX] https://lists.torproject.org/pipermail/tor-talk/2013-July/028840.html

Theft of Tor relay private keys?
--------------------------------

On Tuesday 2nd July, Thomas Hluchnik expressed concern about hypothetical situation when 
(NS) agency breaks into large scale of nodes and steals their private keys, in combination 
with gathering of all the traffic possible. “Wouldn't this increase the likelihood that data 
from complete circuits can be decrypted and traced back to the original sender?” [X]

In response to this question, Mike Perry admits, he is also very concerned.
“If their intercepts are passive, merely stealing relays' private
identity key won't accomplish much because Tor uses Forward Secrecy for
both the relay TLS links and for circuit setup. [X]
However, if their intercepts are active (as in they can arbitrarily
manipulate traffic in-flight), then stealing either Guard node keys or
directory authority keys allows complete route capture and traffic
discovery of targeted clients.” [X]

XXX: Expand [I'll finish this later]

 [X] https://lists.torproject.org/pipermail/tor-talk/2013-July/028749.html
 [X] https://en.wikipedia.org/wiki/Perfect_forward_secrecy
 [X] https://lists.torproject.org/pipermail/tor-talk/2013-July/028751.html

A new interface to explore the Tor network
------------------------------------------

On June 25, 2013, Christian announced [XXX] a new web application to explore the
Tor network. Based on the Ember.js [XXX] framework, it uses data from Onionoo [XXX]
to display informations about Tor relays and bridges.

As Karsten pointed out [XXX], this tool already have the same set of features
than Atlas [XXX] — the current recommended way to get details about relays — and
even a few more: “list 10 fastest relays on start page, show bridge details”.
As Onionoo was exactly designed to offer a backend for various visualisation
tools, Karsten thinks “it's fine to have more than one website providing
access to Onionoo data.  Yay, diversity.”

Feel free to play with Tor Onionoo search [XXX] or have a look at its source
code [XXX].

[XXX] https://lists.torproject.org/pipermail/tor-dev/2013-June/005063.html
[XXX] http://emberjs.com/
[XXX] https://onionoo.torproject.org/
[XXX] https://lists.torproject.org/pipermail/tor-dev/2013-July/005122.html
[XXX] https://atlas.torproject.org/
[XXX] http://makepanic.github.io/emberjs-tor-onionoo/
[XXX] https://github.com/makepanic/emberjs-tor-onionoo

Misc. development news
----------------------

Karsten Loesing has updated GeoIP databases for tor and Onionoo to July MaxMind databases [XXX]
without their A1 Anonymous Proxy ranges. See #6266 for more details on why and how we
need to fix the data released by MaxMind.

It looks like the `start-tor-browser` shell script cannot be used to start the
Tor Browser from the graphical file manager on Ubuntu 13.04 [XXX]. If you have any great idea
please chime in.

If you know C, you could make the live of many relay operators either by making tor
configuration accepts “bit/s” on top of the current “byte/s” [XXX]. The former being more commonly
used by network operators to describe bandwidth, it could reduce a common case of confusion.
It looks like a patch would even be pretty simple!

Work has started on a pluggable transport that would combine the traffic obfuscation
properties of obfsproxy with the address diversity of Flashproxy [XXX].

intrigeri has announced two “low-hanging fruits” sessions for Tails [XXX]. Feel free to
join the #tails IRC channel on July 11, 2013
at 8:00 UTC or on July 13, 2013 at 7:00 UTC. “Everyone interested to contribute to Tails
is warmly welcome to join! The idea is to spend a while together on
many small tasks that take less than 2 hours each, and are waiting in our TODO list
for too long.” He also gave a list of candidate tasks.

[XXX] https://bugs.torproject.org/9225
[XXX] https://gitweb.torproject.org/tor.git/commit/2a61b0dd6be2eba9525b777dcb4400b93b695a2d
[XXX] https://bugs.torproject.org/6266
[XXX] https://bugs.torproject.org/9091
[XXX] https://bugs.torproject.org/9214
[XXX] https://bugs.torproject.org/7167
[XXX] https://mailman.boum.org/pipermail/tails-dev/2013-July/003240.html

More monthly status reports for June 2013
-----------------------------------------

Continuing from last week, more monthly reports are now available for June 2013: 
George Kadianakis [XXX], Aaron G. [XXX], Runa A. Sandvik [XXX], Mike Perry [XXX],
Karsten Loesing [XXX], Tails folks [XXX], Tor help desk [XXX].

[XXX] https://lists.torproject.org/pipermail/tor-reports/2013-July/000280.html
[XXX] https://lists.torproject.org/pipermail/tor-reports/2013-July/000284.html
[XXX] https://lists.torproject.org/pipermail/tor-reports/2013-July/000285.html
[XXX] https://lists.torproject.org/pipermail/tor-reports/2013-July/000286.html
[XXX] https://lists.torproject.org/pipermail/tor-reports/2013-July/000287.html
[XXX] https://lists.torproject.org/pipermail/tor-reports/2013-July/000288.html
[XXX] https://lists.torproject.org/pipermail/tor-reports/2013-July/000289.html

Upcoming events
---------------

Jul 10-12 | Tor at Privacy Enhancing Technology Symposium
          | Bloomington, Indiana, USA
          | http://petsymposium.org/2013/
          |
Jul 22-26 | Tor annuel dev. meeting
          | München, Germany
          | https://trac.torproject.org/projects/tor/wiki/org/meetings/2013SummerDevMeeting
          |
Jul 31-05 | Tor at OHM
          | Geestmerambacht, Netherlands
          | https://ohm2013.org/
          |
Aug 1-4   | Runa Sandvik @ DEF-CON 21
          | Rio Hotel, Las Vegas, USA
          | https://www.defcon.org/html/defcon-21/dc-21-index.html



This issue of Tor Weekly News has been assembled by Lunar, luttigdev, dope457, 
and XXX.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteer writers to watch the Tor community
and report important news. Please see the project page [XXX]
and write down your name if you want to get involved!

[XXX] https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews

Other possible items: