======================================================================== Tor Weekly News October 29th, 2014 ========================================================================
Welcome to the forty-third issue in 2014 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community. Tor 0.2.5.10 is out ------------------- The 0.2.5.x branch of the core Tor software hit stable, with the release of 0.2.5.10. As Nick Mathewson explained [1], there have been no changes since last week’s 0.2.5.9-rc release, and the new features will be familiar to readers of Tor Weekly News over the past year of development, but highlights include “improved denial-of-service resistance for relays, new compiler hardening options, and a system-call sandbox for hardened installations on Linux”, as well as improvements to transparent proxying, building and testing, pluggable transport usability, and much more. This release means that Tor versions in the 0.2.3.x series, which has “received no patches or attention for some while” and “accumulated many known flaws” [2], are now deprecated. Relay operators running these versions must upgrade as soon as possible, or risk having their relays rejected from the network in the near future. Please see Nick’s release announcement for the full changelog, and download your copy of the 0.2.5.10 source code from the distribution directory [3] or a prebuilt package from your usual repositories. [1]: https://lists.torproject.org/pipermail/tor-announce/2014-October/000096.html [2]: https://lists.torproject.org/pipermail/tor-relays/2014-October/005590.html [3]: https://dist.torproject.org/ Miscellaneous news ------------------ Jacob Appelbaum announced [4] version 0.1.3 of TorBirdy, a torifying extension for the Thunderbird email client. Among other things, this release fixes the recently-reported “wrote:” bug [5], disables the automatic downloading of messages from POP3 accounts, and ensures that draft messages for IMAP accounts are stored on the local system rather than sent over the network. However, as Jacob wrote, “it’s still experimental”, so “use at your own risk”. See the release announcement for a full changelog. [4]: https://lists.torproject.org/pipermail/tor-talk/2014-October/035326.html [5]: https://bugs.torproject.org/13480 Anthony G. Basile announced [6] version 20141022 of tor-ramdisk, the micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security and privacy. This release addresses the recent POODLE attack [7] with updates to Tor and OpenSSL, and also upgrades the Linux kernel. [6]: http://opensource.dyc.edu/pipermail/tor-ramdisk/2014-October/000134.html [7]: https://blog.torproject.org/blog/new-sslv3-attack-found-disable-sslv3-torbrowser Yawning Angel called for testing [8] of the revamped tor-fw-helper, a tool that automates the port forwarding required (for example) by the flash proxy [9] pluggable transport. Please see Yawning’s message for full testing instructions and other important information: “Questions, Comments, Feedback appreciated”. [8]: https://lists.torproject.org/pipermail/tor-dev/2014-October/007670.html [9]: https://crypto.stanford.edu/flashproxy/ On the Tor blog, Andrew Lewman responded [10] to the abuse of Tor by creators of so-called “ransomware”, or malware that tries to restrict access to users’ files unless a ransom is paid; these extortionists sometimes ask their victims to install Tor software in order to communicate with them over a hidden service, leading users to the mistaken belief that The Tor Project is somehow involved. As Andrew wrote, this software “is unrelated to The Tor Project. We didn’t produce it, and we didn’t ask to be included in the criminal infection of any computer.” Users may find the information provided by the BBC [11] and Bleeping Computer [12] to be helpful in resolving the problem. [10]: https://blog.torproject.org/blog/tor-misused-criminals [11]: https://www.bbc.com/news/technology-28661463 [12]: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information Josh Pitts posted an analysis [13] of apparently malicious behavior by a Tor relay that was modifying binary files downloaded over Tor circuits in which it was the exit node. As Roger Dingledine responded [14], “we’ve now set the BadExit flag on this relay, so others won’t accidentally run across it”. [13]: http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries/ [14]: https://lists.torproject.org/pipermail/tor-talk/2014-October/035340.html David Fifield pointed out [15] “an apparent negative correlation between obfs3 users and vanilla users” in the Tor Metrics portal’s bridge user graphs [16] and wondered what might be causing it. [15]: https://lists.torproject.org/pipermail/tor-dev/2014-October/007659.html [16]: https://metrics.torproject.org/users.html?graph=userstats-bridge-transport&transport=%3COR%3E&transport=obfs3#userstats-bridge-transport News from Tor StackExchange --------------------------- Dodo wants to run several hidden services (HTTP, XMPP, SSH etc.), but use just one onion address [17]. Jobiwan explained that one can forward each port to a different service. Further information can be found at the configuration page for hidden services [18]. [17]: https://tor.stackexchange.com/q/4437/88 [18]: https://www.torproject.org/docs/tor-hidden-service.html.en#three Rodney Hester proxies the DirPort of his relay and saw lots of requests to nonexistent URLs, of which the most prominent is the URL /tor/status/all.z [19], and asks where they are coming from. Do you have an answer? If so, please share it at Tor’s StackExchange site. [19]: https://tor.stackexchange.com/q/4452/88 Upcoming events --------------- Oct 29 13:30 UTC | little-t tor development meeting | #tor-dev, irc.oftc.net | Oct 31 17:00 CET | OONI development meeting | #ooni, irc.oftc.net | Nov 03 - 07 | Roger @ WPES and CCS | Phoenix, Arizona, USA | https://www.cylab.cmu.edu/news_events/events/wpes2014/ | http://www.sigsac.org/ccs/CCS2014/ | Nov 03 18:00 UTC | Tor Browser online meeting | #tor-dev, irc.oftc.net | Nov 03 19:00 UTC | Tails contributors meeting | #tails-dev (irc.indymedia.org/h7gf2ha3hefoj5ls.onion) | https://mailman.boum.org/pipermail/tails-project/2014-October/000045.html | Nov 04 17:00 UTC | little-t tor patch workshop | #tor-dev, irc.oftc.net This issue of Tor Weekly News has been assembled by Lunar, qbi, Roger Dingledine, and Harmony. Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page [20], write down your name and subscribe to the team mailing list [21] if you want to get involved! [20]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews [21]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team -- tor-talk mailing list - [email protected] To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
