Here is the July report for SponsorF Year4:
https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorF/Year4
(With thanks to Lunar for compiling much of it!)

------------------------------------------------------------------------
1) Tor: performance, scalability, reachability, anonymity, security.

- We released Tor 0.2.5.6-alpha on July 30th. It moves Tor a big step closer to slowing down the risk from guard rotation, and fixes a variety of other issues to get closer to a release candidate. Directory authorities will now assign the Guard flag to the fastest 25% of the network (instead of 50%). Two new consensus parameters, NumEntryGuards and NumDirectoryGuards, will respectively set the number of entry guards and directory guards that clients will use.
  https://lists.torproject.org/pipermail/tor-talk/2014-July/034180.html

- We released an update to the stable branch, Tor 0.2.4.23, on the same day, backporting several important fixes from the latest alpha release.
  https://lists.torproject.org/pipermail/tor-announce/2014-July/000093.html

- Both updates also closed a covert channel that has been used to perform traffic confirmation attacks on hidden service users. We published a detailed security advisory:
  https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack

- Linus Nordberg experimented with the idea of a public, append-only, untrusted log à la Certificate Transparency for the Tor consensus.
  https://lists.torproject.org/pipermail/tor-dev/2014-July/007092.html
  http://www.certificate-transparency.org/

- A new draft proposal for making all relays also be directory servers by default has been written by Matthew Finkel. This would reduce the profiling and partitioning attack vector to the guard. In addition, with the increased set size, relay descriptors and documents are more readily available and it would diversify the providers. This change would also be beneficial to security in the transition to a single guard.
  https://lists.torproject.org/pipermail/tor-dev/2014-July/007247.html

- Nick Mathewson designed and implemented a langsec tool ("trunnel") to generate safe parser code for Tor binary wire formats. The goal is to reduce risk factors from hand-written binary parser code.
  https://gitweb.torproject.org/user/nickm/trunnel.git

- A high-level roadmap for core Tor development was worked out during the dev meeting in Paris:
  https://trac.torproject.org/projects/tor/wiki/org/meetings/2014SummerDevMeeting/Roadmaps#CoreTor

- We launched a new "bad relays" list where people can report problems with relays they interact with -- e.g. messing with exit traffic:
  https://blog.torproject.org/blog/how-report-bad-relays
  And Philipp has continued developing the "exitmap" scanner:
  https://gitweb.torproject.org/user/phw/exitmap.git

------------------------------------------------------------------------
2) Bridges and Pluggable transports: make Tor able to adapt to new blocking events (including better tracking when these blocking events occur).

- obfsproxy 0.2.11 and 0.2.12 were respectively released on July 16th and July 22nd. The new versions will make the life of ScrambleSuit bridge operators easier by improving password manipulation. Several denial-of-service issues were fixed, and other small improvements merged.
  https://gitweb.torproject.org/pluggable-transports/obfsproxy.git/blob/a6b3a3ee1:/ChangeLog

- The official pluggable transport specification has received a major update, and it also better documents the current software.
  https://gitweb.torproject.org/torspec.git/blob/HEAD:/pt-spec.txt

- Version 0.2.3 of BridgeDB was deployed on July 26th. It introduces better blacklisting of bridge harvesters and allows fuzzy matching on blocked addresses. It also now distributes fte bridges to users.
  https://gitweb.torproject.org/bridgedb.git/blob/2a6d5463:/CHANGELOG

- The future Tor Browser integrated updater has been modified to support symlinks as they are needed for meek.
  https://trac.torproject.org/projects/tor/ticket/12647

- We now have documentation on how to set up fteproxy bridges:
  https://trac.torproject.org/projects/tor/wiki/doc/fte/setup

- We made high-level roadmaps for pluggable transports and BridgeDB during the Paris dev meeting.
  https://trac.torproject.org/projects/tor/wiki/org/meetings/2014SummerDevMeeting/Roadmaps#PT
  https://trac.torproject.org/projects/tor/wiki/org/meetings/2014SummerDevMeeting/Roadmaps#BridgeDB

- Tor directory authorities appear to have been blocked by IP:port in Iran. They may also have blocked (by address:port) the default bridges that come in Tor Browser:
  https://trac.torproject.org/projects/tor/ticket/12727

------------------------------------------------------------------------
3) Bundles: improve the Tor Browser Bundle and other Tor bundles and packages, especially improving bridge and pluggable transport support in TBB.

- We released Tor Browser version 3.6.3 on July 24th. This point revision in the 3.6 series updated most of its components for minor enhancements and fixes, and contains several important security fixes from Firefox.
  https://blog.torproject.org/blog/tor-browser-363-released

- The Tor Browser team came up with a high-level roadmap at the dev meeting in Paris.
  https://trac.torproject.org/projects/tor/wiki/org/meetings/2014SummerDevMeeting/Roadmaps#TBB

- Tails 1.1 came out on July 31st. Tails is now based on the current stable release of Debian, "Wheezy". Almost every software component has been updated. The new version also brings proper support for Apple computers, and the camouflage mode now mimics Windows 8 instead of XP.
  https://tails.boum.org/news/version_1.1/

- Tails updated its roadmap during its annual summit.
  https://labs.riseup.net/code/projects/tails/roadmap

- The first candidate for Orbot 14.0.5 has been released on July 28th.
  This update includes improved management of the background processes, the ability to easily change the local SOCKS port, and the fancy new notification dialog, showing your current exit IPs and country.
  https://lists.mayfirst.org/pipermail/guardian-dev/2014-July/003667.html

- txtorcon, the Tor control protocol implementation for the Twisted framework, has seen a new minor release. Version 0.10.1 fixes a couple of bugs introduced along with the endpoints feature in 0.10.0.
  https://lists.torproject.org/pipermail/tor-dev/2014-July/007166.html

- The Thali project aims to use hidden services to host web content. As part of the effort, they have written a cross-platform Java library to handle running the tor binary, configuring it, managing it, starting a hidden service, etc.
  http://www.thaliproject.org/mediawiki/index.php?title=Main_Page
  https://github.com/thaliproject/Tor_Onion_Proxy_Library

- Sean Robinson introduced a new graphical Tor controller called Syboa as a replacement for the defunct TorK.
  https://gitorious.org/syboa/syboa

------------------------------------------------------------------------
4) Metrics: provide safe but useful statistics, along with the underlying data, about the Tor network and its users and usage.

- We wrote up a call for volunteers to help improve the frontends for Atlas and Globe:
  https://blog.torproject.org/blog/looking-front-end-web-developers-network-status-websites-atlas-and-globe

- A new parameter has been added to Onionoo's API that accepts a fingerprint and returns documents from all relays in the family. This parameter can be useful for websites showing aggregate data from all relays run by the same person/organization.
  https://bugs.torproject.org/12521

- The descriptor archives have been re-processed to add advertised bandwidth and consensus weight graph data to Onionoo. This will enable Atlas, Globe, and other Onionoo clients to plot graphs using these data.
  https://bugs.torproject.org/11388

- Atlas can now be used to search for Tor bridges (via nickname or the hash of their fingerprint). In the past, Atlas was only able to search for relays. Thanks to a patch developed by Dmitry Eremin-Solenikov.
  https://bugs.torproject.org/6320

------------------------------------------------------------------------
5) Outreach: teach a broad range of communities about how Tor works, why it's important, and why this broad range of user communities is needed for best safety.

- We gave a quote to Das Erste about the "NSA targeting Tor" article:
  https://blog.torproject.org/blog/being-targeted-nsa
  One of the key things to realize is that NSA and other organizations target everybody, but it's only interesting news when details of attacks on things like Tor come out. Or said another way, responding to this news by jumping ship from using Tor will just put you into the fire.

- During the 2014 Summer Tor meeting in Paris, a joint conference with Tor, Mozilla, and Reporters Without Borders attracted more than a hundred attendees.
  http://mozillazine-fr.org/air-mozilla-conference-tor-mozilla-et-rsf/

- While in Paris, Caspar Bowden and several Tor contributors had a 90-minute meeting with the French data protection agency "la CNIL" to better understand mutual challenges, and discuss where cooperation could be possible.

- Tor Weekly News is now one year old. 56 issues have been released so far, and on top of blog readers, the tor-news@ mailing list has more than 1500 subscribers.
  https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews

- We posted our 2013 financials, along with a reminder about the importance of transparency:
  https://blog.torproject.org/blog/transparency-openness-and-our-2013-financials

- Lunar spent a week at the Libre Software Meeting in Montpellier, France. A booth was jointly held with volunteers from Nos Oignons, a talk was scheduled in the security track, and several contacts were made with other free software projects.
  https://lists.torproject.org/pipermail/tor-reports/2014-July/000593.html

- Kelley Misata presented a keynote during the second annual technology summit of the National Network to End Domestic Violence (NNEDV).

- Runa Sandvik presented Tor and SecureDrop at the Converge Conference in Detroit.
  http://convergeconference.org/main/speakers/#sandvik

- Philipp Winter wrote about the Citizen Lab Summer Institute, which took place at the University of Toronto from July 28 to 31:
  https://citizenlab.org/summerinstitute/2014.html
  The event brought together policy and technology researchers who focus on Internet censorship and measurement. A lot of great work was presented including but not limited to a proposal to measure the chilling effect, ongoing work to deploy Telex, and several projects to measure censorship in different countries. Some Tor-related work was also presented: Researchers are working on understanding how the Tor network is used for political purposes. Another project makes use of TCP/IP side channels to measure the reachability of Tor relays from within China.
  https://arxiv.org/pdf/1312.5739.pdf

------------------------------------------------------------------------
6) Research: Assist the academic community in analyzing/improving Tor.

- Many Tor people participated in the fourteenth Privacy Enhancing Technologies Symposium in Amsterdam, Netherlands, July 16-18, 2014. A wide range of research in privacy enhancing technologies was presented, with many of relevance to Tor.
  https://www.petsymposium.org/2014/program.php
  Steven Murdoch wrote a summary of Tor-related PETS papers in
  https://blog.torproject.org/blog/tor-weekly-news-%E2%80%94-july-23rd-2014

- Roger Dingledine presented the "one guard" paper at HotPETS:
  http://freehaven.net/~arma/OneGuardForLifeHotPets14.pdf

- Rob Jansen covered the last five years of research on incentives for running Tor relays in a detailed blog post.
  https://blog.torproject.org/blog/tor-incentives-research-roundup-goldstar-par-braids-lira-tears-and-torcoin

- Roger Dingledine posted an official reaction to the cancellation of a proposed talk at the upcoming Blackhat2014 conference dealing with possible deanonymization attacks on Tor users and hidden services.
  https://blog.torproject.org/blog/recent-black-hat-2014-talk-cancellation

- Gareth Owen released a Java-based Tor research framework. The goal is to enable researchers to try things out without having to deal with the full tor source. At present, it is a fully functional client with a number of examples for hidden services and SOCKS. It can be used to build arbitrary circuits, streams, sending junk cells, etc.
  https://github.com/drgowen/tor-research-framework

- Mike Perry posted a summary of the primitives that Marc Juarez aims to implement for his Google Summer of Code project on prototyping defenses for Website Traffic Fingerprinting and follow-on research.
  https://lists.torproject.org/pipermail/tor-dev/2014-July/007246.html
