Here is the January report for SponsorF Year4: https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorF/Year4
------------------------------------------------------------------------
1) Tor: performance, scalability, reachability, anonymity, security.

- There were no Tor releases in January, so I'll save the summaries of
  progress there for when we put out actual releases.

- Directory authorities have been upgrading their directory signing key
  to 2048-bit RSA (rather than 1024-bit, since 1024-bit is uncomfortably
  small these days). We now have a majority (seven of nine) authorities
  upgraded:
  https://bugs.torproject.org/10324
  https://people.torproject.org/~linus/sign2048.html

- In December, Nick submitted an internet-draft to randomize
  gmt_unix_time in TLS Hello records:
  http://tools.ietf.org/html/draft-mathewson-no-gmtunixtime-00
  (since its main effect is to act as yet another fingerprint for
  recognizing users)

------------------------------------------------------------------------
2) Bridges and Pluggable transports: make Tor able to adapt to new
blocking events (including better tracking when these blocking events
occur).

- We're continuing to head towards having a unified TBB with integrated
  obfsproxy+flashproxy and deterministic builds:
  https://trac.torproject.org/projects/tor/ticket/10006

- We merged ScrambleSuit into Obfsproxy:
  https://trac.torproject.org/projects/tor/ticket/10598
  https://gitweb.torproject.org/pluggable-transports/obfsproxy.git/tree/HEAD:/obfsproxy/transports/scramblesuit
  and a new release is forthcoming.

- Yawning wrote a C obfs3 implementation:
  https://github.com/Yawning/obfsclient
  which is especially helpful for mobile where Python apps are tough to
  deploy.
  This second implementation also helped to uncover some ambiguities in
  the obfs spec:
  https://trac.torproject.org/projects/tor/ticket/10782

- David Fifield proposed a simple http/https hybrid transport that makes
  use of https vhosting to reach appengine:
  https://lists.torproject.org/pipermail/tor-dev/2014-January/006159.html
  https://trac.torproject.org/projects/tor/wiki/doc/meek
  https://www.bamsoftware.com/git/meek.git/

- Kevin Dyer released versions 0.2.3, 0.2.4, and 0.2.5 of fteproxy.
  These releases focused on removing dependencies on third party
  libraries, performance improvements, bug fixes, and enhancements (to
  the build process) to support integration with the gitian build
  process. There is now a testing version of TBB 3.6 bundled with
  fteproxy:
  https://trac.torproject.org/projects/tor/ticket/10362#comment:11

- Roger, Arturo, and George met with M-Lab, Georgia Tech, Stonybrook,
  and Least Authority to discuss collaborations on Internet censorship
  measurement tools and projects. One of the medium-term measurement
  goals is to detect (and track in an ongoing way) whether various
  pluggable transport protocols (e.g. Websocket, SSL, obfs3) are blocked
  from networks around the world.

- Roger met with Griffin Boyce about the state of Flash proxy, Cupcake,
  and general usability of blogging platforms that normal activists can
  set up for themselves. Cupcake (a Chromium extension to run a Flash
  proxy) is another great example of transitions from this grant:
  http://cupcakebridge.com/

------------------------------------------------------------------------
3) Bundles: improve the Tor Browser Bundle and other Tor bundles and
packages, especially improving bridge and pluggable transport support in
TBB.

- Mike wrote up a summary of TBB work in January:
  https://lists.torproject.org/pipermail/tor-reports/2014-February/000438.html
  including the release of TBB 3.5.1:
  https://blog.torproject.org/blog/tor-browser-351-released

- Orbot -- the Guardian Project's port of Tor on Android platforms --
  has received a major update. Version 13 includes "all the latest bling
  across the board" meaning Tor 0.2.4.20 and updated versions of OpenSSL
  and XTables. Nathan also mentions "some important fixes to the Orbot
  service, to ensure it remains running in the background, and the
  active notification keeps working, as well. Finally, we've changed the
  way the native binaries are installed, making it more reliable and
  clean across devices."
  https://guardianproject.info/apps/orbot/
  https://lists.mayfirst.org/pipermail/guardian-dev/2014-January/002973.html
  After the initial release candidates, 13.0.1, 13.0.2 and then 13.0.3
  were quickly made available to fix various reported issues:
  https://lists.mayfirst.org/pipermail/guardian-dev/2014-January/003016.html
  The new release is available from the Guardian Project's website,
  F-Droid repository, or Google Play:
  https://guardianproject.info/releases/

- Tails summarized their recent work on their Debian-based Tor live
  system:
  https://tails.boum.org/news/report_2013_12/

- Koumbit has been working on Torride, a live distribution to run Tor
  relays -- not unlike Tor-ramdisk -- but based on Debian. Version 1.1.0
  has been released on January 10th:
  https://redmine.koumbit.net/projects/torride
  http://opensource.dyc.edu/tor-ramdisk/
  https://redmine.koumbit.net/news/17

------------------------------------------------------------------------
4) Metrics: provide safe but useful statistics, along with the
underlying data, about the Tor network and its users and usage.

- Karsten added two new graphs to metrics.torproject.org in our
  continued efforts to visualize the diversity of the Tor network over
  time:
  https://metrics.torproject.org/network.html#advbwdist-perc
  https://metrics.torproject.org/network.html#advbwdist-relay
  https://bugs.torproject.org/10460

- Microdescriptor historical tarballs are now available on the metrics
  website:
  https://metrics.torproject.org/data.html#relaydesc

- We continued to make progress at a version of the Globe relay explorer
  that doesn't require JavaScript:
  https://globe.torproject.org/
  https://trac.torproject.org/projects/tor/ticket/10407
  https://lists.torproject.org/pipermail/tor-dev/2014-February/006165.html

------------------------------------------------------------------------
5) Outreach: teach a broad range of communities about how Tor works, why
it's important, and why this broad range of user communities is needed
for best safety.

- "The Inside Story of Tor, the Best Internet Anonymity Tool the
  Government Ever Built", cover article at
  http://www.businessweek.com/articles/2014-01-23/tor-anonymity-software-vs-dot-the-national-security-agency

- Roger, Andrew, Kelley, and Karen met with Spitfire to discuss press
  strategies:
  https://lists.torproject.org/pipermail/tor-reports/2014-January/000434.html

- Roger did a talk at NSF:
  https://lists.torproject.org/pipermail/tor-talk/2014-January/031701.html
  http://freehaven.net/~arma/slides-nsf14.pdf
  Afterwards Roger met with some DHS program managers who would like
  somebody to do a study to assess how much Tor traffic is "good" or
  "bad" (motivated by the NIJ study we mentioned in the 30c3 talk in
  Hamburg). We really need a great university research group to take
  this on, but it's a huge open research question right now whether such
  a study could be done both accurately and safely.

- Jake did a talk with Christian Grothoff for the Council of Europe:
  https://lists.torproject.org/pipermail/tor-reports/2014-February/000450.html
  http://www.theinquirer.net/inquirer/news/2325775/the-council-of-europe-wants-action-on-eavesdropping

- We launched the www-team list for volunteers to help make our website
  more accessible and useful:
  https://blog.torproject.org/blog/tor-website-needs-your-help

- Many Tor people attended the Real-World Cryptography conference in
  NYC, to help them understand Tor's threat model and to better
  understand how new developments will impact Tor.
  https://blog.torproject.org/blog/tor-weekly-news-%E2%80%94-january-29th-2014

------------------------------------------------------------------------
6) Research: Assist the academic community in analyzing/improving Tor.

- Roger met with NRL researchers to provide advice and guidance in their
  trust-based path selection research. The big question they're
  wrestling with this month is what threat model they should consider --
  they're hunting for one that's both straightforward to analyze and
  also represents some real adversary.

- Rob posted a summary of his upcoming NDSS paper on how to turn a
  denial-of-service attack against Tor guards into an anonymity attack:
  https://blog.torproject.org/blog/new-tor-denial-service-attacks-and-defenses

- Philipp Winter posted a summary of his tech report about detecting Tor
  exit relays that monitor or modify exit traffic:
  https://blog.torproject.org/blog/what-spoiled-onions-paper-means-tor-users

- Roger shepherded an FC short paper on how there are too many CA certs
  in normal browsers / operating systems, and how to reduce the number.
  "You Won't Be Needing These Any More: On Removing Unused Certificates
  From Trust Stores"
  http://fc14.ifca.ai/program.html

- Roger talked more with the Leuven / Drexel team that's working on
  evaluating website fingerprinting attacks.
  They're aiming to show that false positive rates go up faster than
  previous literature expected, once you consider more realistic web
  pages in more realistic quantities.

- Nick Hopper will present a short paper at FC on defending Tor from
  botnet invasion:
  http://fc14.ifca.ai/program.html
  (earlier version tech reported at
  https://research.torproject.org/techreports/botnet-tr-2013-11-20.pdf )
  Meanwhile, Microsoft has continued cleaning up the bots:
  https://blogs.technet.com/b/mmpc/archive/2014/01/09/tackling-the-sefnit-botnet-tor-hazard.aspx

--Roger
