[tor-talk] Roger's status report, May 2012
Hi folks!

As the Tor Project has grown in scope, we've been struggling to keep up with simultaneously a) doing all the development that needs to be done (including meeting deliverables for our funders), and b) keeping the community up-to-date on our in-progress work. Lately I've been writing monthly status summaries, much like what we have our GSoC students do. In an effort to be more transparent, I'm going to start sending them to tor-talk rather than just to the other developers.

Note that I will need to omit or anonymize things sometimes -- some research groups I meet with don't want to announce their paper draft until it gets accepted at a conference, some funders don't want the publicity that would come from admitting their interest in Internet freedom, etc. I'll try to err on the side of sunlight though.

For those here who are totally taken by surprise by this email (and the fact that Tor does things :), I encourage you to lurk on the irc channels if you want to follow along more closely.
https://www.torproject.org/about/contact#irc

And finally, please do ask questions! Here's your chance to understand my role in Tor and how it fits with what other people are doing. But since the root of the problem here has been that we do too many things and don't have time to do more, please focus on your most burning question(s).

--Roger

------------------------------------------------------------------------

Here's what I said at the beginning of May that I hoped to do:
- Allocate FOCI papers to reviewers.
Done. We got 20 submissions, and reviewing is ongoing. We'll pick some in early June. https://blog.torproject.org/blog/call-papers-free-and-open-communications-in... https://www.usenix.org/conference/foci12/
- Actually release 0.2.2.36, this time for sure, no take-backs.
Done. https://lists.torproject.org/pipermail/tor-announce/2012-June/000084.html
- Help Radu put in the NIST proposal.
Done. We submitted a grant proposal to work with a team of research institutions on questions around privacy, identity, and mobile. I'll write more details here if the grant agency turns out to like the proposal.
- Help Nick and Mike interview and make decisions about core developers.
Done (well, mostly they did it).
https://blog.torproject.org/blog/dedicated-core-tor-developer
https://www.torproject.org/about/jobs-coredev.html.en
Our new core developer is getting up to speed now. I'm really excited that this will mean Nick can make more progress on core development! I'll let them make a further announcement when they're ready.
- I'm going to try to be absent from the world May 11-15.
Done (vacation).
- May 14 is the PETS stipend deadline. After that I'll help Andrei allocate the stipends.
The PETS people wanted us to push the deadline back to June 1. I dealt with all the mails and allocated stipends in early June. http://petsymposium.org/2012/stipends http://petsymposium.org/2012/
- Get the PETS papers up on the PETS website.
They're up at http://freehaven.net/anonbib/papers/pets2012/ and I will add links to http://petsymposium.org/2012/program.php but I'm doing a cursory check with Matt first to see if he knows whether any authors want to keep their papers unpublished for now.
- Launch a working-group of pluggable transport developers and researchers, and make sure they all know about each other.
Not done. I'll aim to get a pluggable transport development page up on the website in June.
- Try to help vmon and Zack Weinberg feel more accepted in the community, since I'm the backup mentor for vmon's gsoc project.
Ongoing. We succeeded at getting the Stegotorus code approved for publication by Zack's funders, so vmon's gsoc project can proceed as planned. You can read vmon's periodic status reports on the tor-dev mailing list. Next step is to help get the Stegotorus git repository cleaned up, make the code itself more functional, and encourage them to make a tech report version of the paper available. https://gitweb.torproject.org/stegotorus.git
- Flesh out more SponsorZ tasks so we're more aware of our future.
Not finished. But you can follow along on our current "I wish we had a funder for this task so we could spend time on it" task list: https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorZ
- Help SponsorF come up with metrics by which the SponsorF Red Team will judge the project's success.
Not done. I expect more progress in June though -- stay tuned.
- Rewrite the "how governments and military use Tor" section on the webpage, since they actually don't run hidden services to our knowledge, but we do have good new stories like IWF's use of Tor.
Not done. More generally, I wish I had some extra weeks to sit down and update the FAQ and other web pages, since it's been years since I wrote many of them.
- I'm going to Oakland
Done. http://www.ieee-security.org/TC/SP2012/
I talked to a bunch of people, such as

  - Micah Sherr, professor at Georgetown, who wants to help us with ExperimenTor and simulation bugs. I will send him a pile of trac ticket links around our recent performance simulation problems.
    https://trac.torproject.org/projects/tor/wiki/org/roadmaps/Tor/Performance
    http://crysp.uwaterloo.ca/software/exptor/

  - Rob Cunningham who is Kevin Bauer's new boss. I spent a while trying to convince Rob that he should have Kevin work on Tor simulation and performance questions as part of his new job at Lincoln Labs.
    http://www.mit.edu/~ke23793/

  - Camilo Viecco, who now works for Mozilla on adding privacy features to Firefox. He has been frustrated so far at getting his commits in: he has buy-in from the security team, but other teams block his commits with statements like "it's an arms race we can't win, so don't even bother trying to make things better". I encouraged him to get his mid-level manager to play the politics game better on his behalf.

  - Tariq Elahi, Ryan Henry, and Tao Wang are grad students from Ian's group doing interesting things:
    http://crysp.uwaterloo.ca/
    In particular Tariq is working on a paper showing that we shouldn't replace guards in our list as soon as they go away, since it significantly increases the exposure to other guards. I helped Tariq quite a bit with his paper.
    http://cacr.uwaterloo.ca/techreports/2012/cacr2012-11.pdf
    But Ryan is working on privacy-preserving ways to gather Tor statistics data, and I don't have time to help him figure out what most needs collecting. Please jump in if you're interested.
    http://www.cs.uwaterloo.ca/~rhenry/pdf/torstat-poster-Oakland.pdf

  - I talked to several anonymous communications professors about having them use their sabbatical to become the Tor research coordinator. What we need to replace me as research coordinator is not a grad student -- we need someone who already knows how to set a research agenda and get other people to do it, i.e. a professor. Several are going on sabbatical soon, and we could supplement their salary for cheap.

  - I spoke at length with the authors of the "Peekaboo" and "LasTor" papers, and somewhat less with the LAP authors. I'll publish some paper analyses and summaries on the blog as I get time.
    http://freehaven.net/anonbib/#oakland2012-peekaboo
    http://freehaven.net/anonbib/#oakland2012-lastor
    http://freehaven.net/anonbib/#oakland2012-lap
- I'll aim to drop by SponsorF and/or Stanford at the end of the month to give them some facetime.
I met with Zack Weinberg and Jeroen Massar. I've been working with Zack to kick SponsorF into making the Stegotorus code available. I think it will benefit a lot from the light of day -- we've already discovered a lot of usability issues. I fear that key parts of the underlying design (like, say, the Stego part) are going to need to be discarded though.

Jeroen is working on their "get lots of bridge addresses and handle routing traffic through them at the iptables layer" design. They're also working on a program to take in a blob (e.g. from bridgedb), do some network interactions, and produce a bridge address -- see also item 7 on
https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorF/Year2
I expect that I'm going to have to wrestle them to the ground to make it open before we can find out if it will be of any use to us or the world. The wrestling will continue at the upcoming SponsorF meeting in June. Also stay tuned for their FOCI paper describing the overall architecture.

I also met with David Fifield, the Flashproxy developer (grad student at Stanford, and an nmap developer). I now believe that Flashproxy is ready for further deployment and use by real users. The main drawback is that the censored users currently need to have a public IP address (i.e. not be behind a NAT) to use it. I expect as websockets tries harder to replace Skype, it will be easier for us to do nat piercing inside the browser and resolve this limitation.
https://gitweb.torproject.org/flashproxy.git/blob/HEAD:/README
http://crypto.stanford.edu/flashproxy/
http://crypto.stanford.edu/flashproxy/flashproxy.pdf

At the upcoming developer meeting in Florence, we should have a discussion about all these great people doing great work for Tor that aren't hearing our status report discussions currently. Maybe I should contribute to the solution by putting my monthly status reports on the blog or on tor-talk.
------------------------------------------------------------------------

Here are some other things I did in May:

- Met with two of Rachel Greenstadt's grad students at Drexel University who want to do their class project on Tor after seeing our Berlin 28C3 talk. They had wanted to try to measure linkability between exiting streams on a given circuit. I encouraged them instead to work on https://trac.torproject.org/projects/tor/ticket/5752 and in particular https://trac.torproject.org/projects/tor/ticket/5830

- Talked to Nick Feamster at Georgia Tech (soon to be University of Maryland) about OONI vs his Bismark project. He doesn't think his Bismark devices are big enough to handle Python, so he's been writing his tests in lua. I suggested that OONI and Bismark should at least share a common output format. I think Arturo is right to keep asking him "Are you sure your devices can't run python? Really sure?"
  http://projectbismark.net/
  http://ooni.nu/index.html

- Continued to put time into moderating and responding to blog comments. They've turned into a great source of real bugs, especially among Windows users. Let me reiterate my hopes for a forum where we can turn these people into more of a community. If only secure maintainable forum software existed in the world. [Update: one of our new funders has included funding to get some forums up and running and maintained -- I'm not sure on the timeframe for it yet though.]
  https://blog.torproject.org/

- Turned down an IEEE TDSC academic journal review request, and an IEEE ToN journal review request, because of IEEE's anti-science publishing policy.
  http://www.researchwithoutwalls.org/

- Our CSET submission comparing Shadow to ExperimenTor got accepted! Details (including a camera-ready version) coming soon.
  https://www.usenix.org/conference/cset12

------------------------------------------------------------------------

Here are some items I expect to do in June:

- Participate in the Q2 Tor directors board meeting, including approving the updated 2012 budget.

- Understand the open positions in our current budget, what funders each one maps to, and what the priorities are in terms of spending the money. Then we can start putting some calls-for-resumes-and-code-samples up on the website, as well as prioritizing which calls we want to do when. Unless I ignore all of this until July.

- Get 0.2.3.16-alpha out. Get 0.2.2.37 out. Get 0.2.3.17-alpha out.

- Orchestrate the FOCI discussion and select the program.

- Tell Micah Sherr and Chris Wacek (Georgetown) about the open simulation questions; and get Rob Jansen (UMN/NRL), Mashael AlSabah (Waterloo), etc a good summary of the current situation.

- Read and consider http://microsoftjobsblog.com/zen-of-pm so I can help Adam Shostack help us get a good project manager.

- I have a three hour slot at the SponsorF meeting this month. I'm going to try to bring everybody there up to speed on everything. While also letting other people talk for most of the time. Preparing for this talk will be a big part of my June.

- Meet with Kevin Dyer's lab at Portland State before the SponsorF meeting. Rob Jansen and Aaron Johnson (NRL) will be joining me.

- Help prepare for the SponsorF site visit that will occur a few days before PETS. We'll need to provide slides/etc, and likely even call in and do the phone presentation thing.

- Go to Stamford CT to do a Tor talk for one of Ian's past students.
  http://privacyandsecurity.pbiresearch.com/agenda.html

- Write an abstract for the ecrypt talk I'm doing at the workshop before PETS:
  https://www.cosic.esat.kuleuven.be/ecrypt/provpriv2012/invited.html

- Fly to Florence, for the Tor developers meeting and hackfest in July.
  https://trac.torproject.org/projects/tor/wiki/org/meetings/2012SummerDevMeet...
  https://trac.torproject.org/projects/tor/wiki/org/meetings/2012FlorenceHackf...

------------------------------------------------------------------------

Things I'm still dropping the ball on:

- I wonder if I should follow up with Carol @ google about our obfsproxy post in February and the interest they expressed in doing a repost on the gsoc blog.
  https://blog.torproject.org/blog/obfsproxy-next-step-censorship-arms-race
  http://google-opensource.blogspot.com/

- Transparently document the secteam process, especially since we have concluded to use it far less often and only for critical security things.

- Answer the thread between Karsten and Jake where we had an excited volunteer with a clearly useful contribution that we totally dropped on the floor. Try to generalize the experience to improve our response to new contributors. We used to be great at it, and lately we're all overloaded.

- Add a "scientific papers" exception to our trademark-faq: I want to give blanket permission to scientific papers to use the word Tor in their paper name, so long as they don't go and write software under that name too.
  https://www.torproject.org/docs/trademark-faq

- Make a plan for fixing all the "CBT sometimes breaks Tor" issues.
  https://trac.torproject.org/projects/tor/ticket/3443

- Try to teach the Virtus Linux guy about how to make a safe Tor distro.
  http://sourceforge.net/projects/virtuslinux/

- Start summarizing Tor research papers on the blog more regularly. There have been a huge number of really important research papers lately, and most Tor people don't know about them. Should I summarize them on the blog (for a broader audience), or on tor-dev (for the rest of the Tor developers), or what?

- Add Zack Weinberg, David Fifield, etc to tor-assistants, so they can be more integrated into the community. And then to tor-internal. And then dissolve tor-internal and make us all be transparent again.

- Figure out where we are on the "change our cipher suite" tickets, and try to help them move forward.
  https://trac.torproject.org/projects/tor/ticket/4744

- I need new business cards.

- Get https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorA through D back up on the wiki somewhere (Andrew took them down since they were concluded, and since they just listed contract deliverables rather than the progress reports and trac ticket links that we've been doing for later funders; but we should keep them there for posterity).
participants (1): Roger Dingledine