Here is the August report for SponsorF Year4:
https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorF/Year4
(With thanks to Lunar for compiling much of it!)

------------------------------------------------------------------------
1) Tor: performance, scalability, reachability, anonymity, security.

- In mid August we switched the NumEntryGuards consensus parameter from 3 to 1 -- that is, we deployed one of the major recommendations from the "One Fast Guard for Life" HotPETS 2014 paper. Preliminary analysis from Aaron Johnson shows that moving from 3 guards to 1 guard gives us the bulk of the benefit against the guard rotation vulnerabilities discussed in
  https://blog.torproject.org/blog/improving-tors-anonymity-changing-guard-parameters
  More analysis coming later I hope.

- George Kadianakis continued discussions on the design of the next generation of Hidden Services and handling of Introduction Point selection.
  https://lists.torproject.org/pipermail/tor-dev/2014-August/007335.html

- The Tor network no longer supports designating relays by nickname, ending a set of long-standing issues.
  https://lists.torproject.org/pipermail/tor-talk/2014-August/034380.html

- Nick Mathewson has been working on Trunnel, a tool to automatically generate binary encoding and parsing code based on C-like structure descriptions.
  https://lists.torproject.org/pipermail/tor-dev/2014-August/007355.html

- Nick Mathewson wrote ed25519-based primitives intended to implement proposals 220, 224, and 228 (so we can change to stronger identity keys for relays, hidden services, etc).
  https://bugs.torproject.org/12980

------------------------------------------------------------------------
2) Bridges and Pluggable transports: make Tor able to adapt to new blocking events (including better tracking when these blocking events occur).

- Yawning Angel has made available experimental versions of the Tor Browser that include the latest version of the obfs4 pluggable transport.
  https://lists.torproject.org/pipermail/tor-dev/2014-August/007404.html
  https://lists.torproject.org/pipermail/tor-dev/2014-August/007420.html
  https://github.com/Yawning/obfs4

- Thanks to Fabian Keil, liballium and obfsclient are in the FreeBSD ports tree now:
  https://docs.freebsd.org/cgi/getmsg.cgi?fetch=4055628+0+/usr/local/www/db/text/2014/svn-ports-all/20140824.svn-ports-all

- David Fifield published a detailed tutorial on how to use the "meek" pluggable transport:
  https://blog.torproject.org/blog/how-use-%E2%80%9Cmeek%E2%80%9D-pluggable-transport

- David Fifield sent a breakdown of the (surprisingly tiny) costs incurred by the infrastructure that supports the meek pluggable transport since its introduction and the new set of users coming with the first alpha release of the Tor Browser 4.0.
  https://lists.torproject.org/pipermail/tor-dev/2014-August/007429.html

------------------------------------------------------------------------
3) Bundles: improve the Tor Browser Bundle and other Tor bundles and packages, especially improving bridge and pluggable transport support in TBB.

- We released Tor Browser versions 3.6.4 and 4.0-alpha-1 on August 12. The stable version contains fixes for several new OpenSSL bugs, and enables users to see log warnings about the RELAY_EARLY traffic confirmation attack. The first alpha version of the 4.0 series includes the meek pluggable transport, and paves the way to the upcoming auto-updater by using a new directory layout.
  https://blog.torproject.org/blog/tor-browser-364-and-40-alpha-1-are-released

- Mike Perry wrote up more details about the Tor Browser team's work in August:
  https://lists.torproject.org/pipermail/tor-reports/2014-September/000642.html

- Anthony G. Basile announced a new release of tor-ramdisk, an i686 or x86_64 uClibc-based micro Linux distribution whose only purpose is to host a Tor server.
  http://opensource.dyc.edu/pipermail/tor-ramdisk/2014-August/000132.html

- meejah released a new command-line application, carml, a versatile set of tools to query and control a running Tor.
  https://lists.torproject.org/pipermail/tor-dev/2014-August/007295.html
  https://github.com/meejah/carml

- Torsocks is a wrapper program that will force an application's network connections to go through the Tor network. David Goulet released version 2.0.0, blessing the new codebase as stable after more than a year of efforts.
  https://lists.torproject.org/pipermail/tor-dev/2014-August/007330.html
  https://gitweb.torproject.org/torsocks.git/blob/HEAD:/README.md

- meejah announced the release of version 0.11.0 of txtorcon, a Twisted-based Python controller library for Tor.
  https://lists.torproject.org/pipermail/tor-dev/2014-August/007375.html

- Mike Perry posted an overview of a recent report put together by iSEC Partners and commissioned by the Open Technology Fund to explore current and future hardening options for the Tor Browser.
  https://blog.torproject.org/blog/isec-partners-conducts-tor-browser-hardening-study

- The Guardian Project has announced the first working versions of Orfox, a new Firefox-based secure browser for Android.
  https://lists.mayfirst.org/pipermail/guardian-dev/2014-August/003717.html
  https://github.com/guardianproject/OrfoxFennec

------------------------------------------------------------------------
4) Metrics: provide safe but useful statistics, along with the underlying data, about the Tor network and its users and usage.

- Karsten Loesing published some code to compute similarity metrics in order to prevent more Sybil attacks in the future.
  https://github.com/kloesing/SAD

- David Fifield explored visualizations of the consensus that made the recent Sybil attack visible.
  https://bugs.torproject.org/12813

- Karsten Loesing worked on several performance fixes for Onionoo.
  https://bugs.torproject.org/12655
  https://bugs.torproject.org/12849

- Onionoo now provides a version field enabling clients to verify their support of the current data format.
  https://bugs.torproject.org/12905

------------------------------------------------------------------------
5) Outreach: teach a broad range of communities about how Tor works, why it's important, and why this broad range of user communities is needed for best safety.

- The Electronic Frontier Foundation wrote two blog posts to show why Tor is important for universities and how universities can help the Tor network.
  https://www.eff.org/deeplinks/2014/08/tor-campus-part-i-its-been-done-and-should-happen-again
  https://www.eff.org/deeplinks/2014/08/tor-campus-part-ii-icebreakers-and-risk-mitigation-strategies

- Nick Mathewson was interviewed by Joe McGonegal of "Slice of MIT".
  https://slice.mit.edu/2014/08/28/tor-project/

- Lunar attended the 15th annual Debian conference in Portland, Oregon, and gave a talk on the effort to build Debian packages deterministically, which is inspired in large part by Tor Browser's use of the same technology:
  http://meetings-archive.debian.net/pub/debian-meetings/2014/debconf14/webm/Reproducible_Builds_for_Debian_a_year_later.webm

- Andrew Lewman gave interviews to the Guardian and the BBC with vast reach.
  http://www.theguardian.com/technology/2014/aug/21/tor-aphex-twin-taylor-swift
  http://www.bbc.com/news/technology-28889714

- Roger and others participated in a gathering of circumvention developers and researchers in San Diego, on the transition day after FOCI ended and before Usenix Security began. Collaborations and brainstorming sessions led to stronger ties between groups.

------------------------------------------------------------------------
6) Research: Assist the academic community in analyzing/improving Tor.

- Roger gave a lightning talk at FOCI about the need for better ways to handle accountability and anonymity, and followed it up with a more detailed blog post:
  https://blog.torproject.org/blog/call-arms-helping-internet-services-accept-anonymous-users

- Roger and Paul were present to receive the Usenix Security "Test of Time" award for the Tor 2004 paper. They did a short panel in front of the whole audience to give advice on how to pick good paper topics, and to discuss why the Tor topic has been so strong over the years.

- It's becoming increasingly obvious that Tor needs more accurate relay bandwidth measurement -- as the network grows, some fast relays are not getting large weights in the consensus, so we're effectively wasting volunteered resources. Several research groups have been looking into secure bandwidth measurement, which hopefully will include "accurate" bandwidth measurement somewhere along the way.

- Kevin Dyer gave a talk at USENIX Security on LibFTE: A Toolkit for Constructing Practical, Format-Abiding Encryption Schemes.
  https://kpdyer.com/publications/usenix2014-fte.pdf

- Usenix Security also had a session entitled "Tracking Targeted Attacks against Civilians and NGOs", where papers from our sub-area were presented to a broader audience. Hopefully the mainstreaming of these topics in the academic security world will lead to more, and more in-depth, papers on the topic.

- Gareth Owen wrote an update about the status of the Java Tor Research Framework. The framework is a largely fully functional tor client with code that is easy to read, follow and crucially change for custom functionality.
  https://lists.torproject.org/pipermail/tor-dev/2014-August/007328.html

- Mike Perry posted an updated version of the proposal for website fingerprinting countermeasures which he co-authored with Marc Juarez as part of Marc's Google Summer of Code project.
  https://lists.torproject.org/pipermail/tor-dev/2014-August/007417.html
  https://gitweb.torproject.org/user/mikeperry/torspec.git/blob/refs/heads/multihop-padding-primitives:/proposals/ideas/xxx-multihop-padding-primitives.txt
