TRAVEL & EVENTS

In June, I moved to Cambridge, MA. Mid-month, I demonstrated Satori and Cupcake to RFA, OTF, and related organizations. Then I travelled to Philadelphia for PETS. PETS started off very auspiciously. Attending academic/research events is still very new to me, but the abundance of friendly people makes it less scary.

After PETS, I traveled to Champaign, Illinois to give a talk at UIUC called “When Usability Kills” and eat barbecue with Nikita Borisov. I can really see myself settling down there. Then I traveled to DC for the hidden services meeting. At the Hidden Services Meeting, I mostly hacked quietly and became very impressed with Ricochet. Seriously, everyone should try it out. Some very interesting outcomes came from the meeting (the Arlington Accords).

In August, I went to the White House for the LGBTQ Tech Innovation Summit. The crowd came from fairly diverse backgrounds, but most seemed to be interested in for-profit ventures. One of the speakers was a Palantir exec, so instead of talking about censorship in other countries (ostensibly the reason I was invited), I spent much of my time talking about the fight against mass surveillance in the US. There are two amusing data points here: 1) no one clapped when I got off stage (there were some shocked faces though), and 2) about a dozen people came up to me to discuss how to fight mass surveillance later in the day. I showed a few people how TextSecure works, gave info on Tor, and exchanged cards with people who wanted more info on how to get involved.

While there, I also learned that anyone in the office of the National Security Council for Intelligence Programs is supposed to leave their cell phones in an unlocked, unguarded wooden box right outside the office door. This was the case for many of the offices, but seemed quite odd -- that seems ripe for over-the-air tampering and likely doesn’t fully dampen the sound either. It seems like a very empty security gesture, when there are some ways to easily retain the security of the devices without allowing them to be activated as remote mics.

After the White House trip, I flew to Berlin for Camp and a long-awaited vacation. Going to Berlin is always lovely, and it’s always a little sad to leave. </3

In early September, I began my fellowship at the Berkman Center for Internet and Society at Harvard University. Nervous and excited! :D

RESEARCH, EXPERIMENTS, AND ART-LIKE SUBSTANCES

My work at the Berkman Center has multiple focal points, including expanding on Satori and conducting a research project on censorship in a specific geo-political region. This research data will be contributed to the Internet Monitor. All of this will require a fair bit of travel outside the US, but the results will be extremely {illuminating|rewarding}. Once I have more data, I’ll begin releasing more data visualizations. While I can’t/shouldn’t say much publicly now, the hope is to generate the first robust view of censorship in the region. If successful, the results should be groundbreaking and give insight into the social and political reasoning behind internet filters in the region. So, you know, no pressure.

I’m still working a bit on content analysis of redacted documents, and have been playing around with translating recorded keyboard sounds into words and typed characters. [About the latter: He Wang is working on similar research at UIUC -- his project takes a different angle, using gyroscopes, accelerometers, and biometrics to map to common words. His project is likely better-formed overall. Mine is closer to experimentation: it uses a variety of recording distances, analyzes audio levels, and aims to map individual characters rather than map to common words [4]]. Some combination of these (plus the NSA+Grindr research/art project) will be in my talk proposal for 32c3. I experimented a bit with using vibration on window frames to thwart laser mics, but initial tests showed that the vibration was powerful enough to be audible in the room (and therefore annoying to occupants). Experiments will continue with much smaller vibration motors (2-5v max).

I’m looking into how many CloudFlare-backed sites exist (~1.5M), and then visiting all of them via Tor to see what percentage hit CloudFlare’s captcha. The idea is to get a handle on how many might be affected by CloudFlare’s glitchy infinite-loop captcha system. If I then arrange all of the websites by Alexa rank, it’s possible to begin contacting ops of high-traffic websites to ask them to whitelist Tor IPs. Because the whitelist option on CloudFlare reportedly only allows for 200 IPs, that isn’t a full solution. But this may spread awareness and emphasize that fixing the endless-loop bug should be a larger priority.

An art goal for this fall is to get the hang of painting with a palette knife. Also trying to figure what size and depth a laser-etching needs to be to make a paper rubbing transfer effective. Hmm.

SATORI

In July, we reached feature parity between Windows, Android, and Chrome. We also began work on peer-to-peer integration. The goal here is to both increase the difficulty in blocking downloads and to facilitate torrent-based video tutorials later in the year.

In addition, I researched uncensored channels and will begin offering downloads via Microsoft Azure, which offers a lot in terms of speed and availability for users in mainland China. These allow me to ensure availability and high-speed downloads in target areas without incurring the difficult-to-manage costs of Akamai. Azure is available in China and Iran; CloudFlare is available also, but it seems to be frequently blocked by the GFW. Azure in particular is interesting because they are very fast and downloads are available globally. This makes it an ideal replacement for Akamai, which has similar properties but is prohibitively expensive. Amazon has been very good to work with, but is frequently blocked within China. For users on mainland China, we need something that is more infeasible for censors to block.

The downloads-per-dollar breakdown is:
Akamai: 17.8 downloads per $1 spent
Azure: 199 downloads per $1 spent (estimate for 1TB used per month)
Cloudflare: ∞ downloads, but not available in China ($20-$200 per month static fee)

Satori is *still* the safest way to obtain GPG4win, as the official website doesn’t use SSL (and in fact will give you errors), and does not provide SHA256 hashes. This should not be the case. But because of this, organizations have been directing people to download GPG4win from the Satori app rather than from official sources. Most notable of these is Access, who made Satori an integral part of their encryption guide[1]. Access has also taken up the unenviable task of convincing the makers of security software to take security seriously, with GPG4win developers saying “I hope we'll get around doing something in September or October”[2].

In the coming months, I will begin expanding Satori to support easy GPG signature verification. The trick with that is going to be keeping the app size small enough for it to be easily distributed.

BUGS
I worked on an annoying bug for nearly a week [3] before another coder let me know that it was actually the compiler’s fault. >_< This has actually delayed the official beta release of Satori because it disabled a critical function.

Tor bugs triaged, patched, or closed: #5895, #10994, #11678, #13090, #13143, #13282, #15158, #895, #722, #679. (And props to Sukhbir for fixing #13982, which was slowly driving me insane during trainings).

ALSO
I am seeking a part-time assistant: http://cryptic.be/assistant.html

REFS
[1] https://guides.accessnow.org/pgp/PGP_Encrypted_Email_Windows.html
[2] whyyyyyy ლ(ಠ益ಠლ) http://lists.wald.intevation.org/pipermail/gpg4win-users-en/2015-July/001233.html
[2b] (◞‸◟;) I get that it’s a volunteer effort but COME ON
[3] http://imgur.com/fwn8A2E
[4] http://www.popsci.com/now-your-smartwatch-even-knows-what-youre-typing

         __..--''``---....___   _..._    __
     _.-'    .-/";  `        ``<._  ``.''_ `.
 _.-' _..--.'_    \                    `( ) )
(_..-'    (< _     ;_..__               ; `'
           `-._,_)'      ``--...____..-'

(I recently got a cat. She is the best cat.)

--
“Intelligence without ambition is a bird without wings.”
― Salvador Dalí