----- Forwarded message from dope457 <dope457@riseup.net> ----- Date: Wed, 25 Sep 2013 14:15:43 +0200 From: dope457 <dope457@riseup.net> To: tor-talk@lists.torproject.org, tor-news@lists.torproject.org Subject: [tor-talk] Tor Weekly News — September 25th, 2013 User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Thunderbird/24.0 Reply-To: tor-talk@lists.torproject.org ======================================================================== Tor Weekly News September 25th, 2013 ======================================================================== Welcome to the thirteenth issue of Tor Weekly News, the weekly newsletter that covers what's happening in the well-heeled Tor community. Reimbursement of exit operators ------------------------------- In July 2012, Roger Dingledine wrote a post on the Tor blog [1] in which he raised the prospect of offering funding to organizations running fast Tor exit nodes. In so doing, Roger wrote, “we will improve the network's diversity as well as being able to handle more users.” He also announced that donors were already interested in financing such a scheme. Then, in April this year, Moritz Bartl stated [2] that torservers.net was looking to move away from establishing additional exit nodes, in favor of providing support of various kinds to partner organizations running their own exits. These plans, and the discussion they provoked, are now about to bear fruit in the form of a financial reimbursement scheme directed at torservers.net's partner organizations. Moritz wrote again on the the tor-relays list [3] to announce that reimbursements are scheduled to begin at the end of this month, drawn from a one-time donation by the U.S. Government's Broadcasting Board of Governors. The ensuing debate focused both on the technical aspects of reimbursement — that is, how best to determine the division of funds based on information harvested from the network metrics [4] — and the question of the security issues that could potentially arise from such a scheme [5]. Moritz specified that currently the only organizations to qualify for reimbursements are those that he personally knows: “so, if you’re interested in becoming a partner, start social interaction with me”, he wrote. Questions or comments regarding these proposals are welcome on the tor-relays list, and further announcements and discussion about the reimbursement system will be published on its dedicated mailing lists [6]. [1] https://blog.torproject.org/blog/turning-funding-more-exit-relays [2] https://lists.torproject.org/pipermail/tor-relays/2013-April/001996.html [3] https://lists.torproject.org/pipermail/tor-relays/2013-September/002824.html [4] https://lists.torproject.org/pipermail/tor-relays/2013-September/002825.html [5] https://lists.torproject.org/pipermail/tor-relays/2013-September/002831.html [6] https://lists.torproject.org/pipermail/tor-relays/2013-May/002138.html Tails 0.20.1 is out ------------------- Tails saw its 33rd release on September 19th [7]. The most visible change might be the upgrade of tor to version 0.2.4.17-rc, which should result in faster and more reliable access to the network after the sudden bump in Tor clients [8]. Among other minor bugfixes and improvements, persistence volumes are now properly unmounted on shutdown. This should prevent data loss in some situations, and avoid a sometimes lengthy pause upon activation. It also fixes several important security issues [9]. It is recommended that all users upgrade as soon as possible [10]. [7] https://tails.boum.org/news/version_0.20.1/ [8] https://blog.torproject.org/blog/how-to-handle-millions-new-tor-clients [9] https://tails.boum.org/security/Numerous_security_holes_in_0.20/ [10] https://tails.boum.org/news/version_0.20.1/ New Tor Browser Bundles released -------------------------------- A new set of stable and beta Tor Browser Bundles was released [11] on September 20th. The Tor Browser is now based on Firefox 17.0.9esr and fixes several important security issues [12]. Queries for the default search engine, Startpage, are no longer subject to its invasive “family filter” [13]. The beta branch also include an updated version of HTTPS Everywhere that no longer causes a storm of requests to clients1.google.com, an issue reported by many users after the last release [14]. Once again, it is recommended that all users upgrade as soon as possible. [11] https://blog.torproject.org/blog/new-tor-browser-bundles-firefox-1709esr [12] https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html#firef... [13] https://bugs.torproject.org/8839 [14] https://bugs.torproject.org/9713 Tor mini-hackathon at GNU 30th Anniversary Celebration ------------------------------------------------------ Nick Mathewson sent an invitation [15] encouraging everyone to attend the GNU 30th Anniversary Celebration [16] on September 28th and 29th at MIT, Cambridge, MA, USA. Part of the event is a hackathon, and Tor is featured alongside a few other projects. If you want to spend some of the weekend helping the Tor community, sign up on the webpage [17] and come along! [15] https://lists.torproject.org/pipermail/tor-talk/2013-September/030154.html [16] https://gnu.org/gnu30/celebration [17] https://crm.fsf.org/civicrm/event/register?id=10 Clock skew: false alarm ----------------------- Small offsets in system time offer an attractive opportunity for fingerprinting Tor clients. In order to eliminate unnecessary exposure, Nick Mathewson has been working on proposal 222 [18]. Unfortunately, this process introduced a bug into the tor daemon which became apparent after the directory authority named “turtles” was upgraded. The result was that relays started to warn their operators of an implausible clock skew [19]. This was, of course, a false alarm. The issue was quickly worked around, and fixed properly a few hours later [20]. [18] https://gitweb.torproject.org/torspec.git/blob_plain/refs/heads/master:/prop... [19] https://lists.torproject.org/pipermail/tor-relays/2013-September/002888.html [20] https://bugs.torproject.org/9798 Tor Help Desk Roundup --------------------- One user contacted the help desk for assistance running torbrowser, an application not affiliated with the Tor Project that attempts to mimic the Tor Browser Bundle. The torbrowser application violates the Tor Project’s trademark, and the Tor Project encourages users to avoid it. Multiple Tor Project developers have contacted SourceForge, which hosts this application’s website, attempting to get the project removed. Andrew Lewman has said that lawyers have now been engaged [21]. A number of University students continued to contact the help desk to report difficulties circumventing their University’s Cyberoam firewall. These students report being unable to access the Tor network even when using the Pluggable Transports Browser with obfs3 bridges. One person reported success circumventing the firewall when using an obfsproxy bridge on port 443. This issue is ongoing, but a bug report has been filed [22]. [21] https://lists.torproject.org/pipermail/tor-talk/2013-August/029614.html [22] https://bugs.torproject.org/projects/tor/ticket/9601 Miscellaneous news ------------------ Jacob Appelbaum inquired with VUPEN about the Tor Project having the right of first refusal for Tor Browser bugs, in order to protect users [23]. [23] http://storify.com/fredericjacobs/discussion-between-tor-s-ioerror-and-vupen... The proposed Tor page on Stack Exchange has now reached 100% commitment, and will soon be launching as a live beta. Thanks to everyone who signed up! [24]. [24] http://area51.stackexchange.com/proposals/56447/tor sajolida reported on the latest Tails “low-hanging fruits session”. The date and a tentative agenda for the next online contributors meeting have also been set [25,26]. [25] https://mailman.boum.org/pipermail/tails-dev/2013-September/003703.html [26] https://mailman.boum.org/pipermail/tails-dev/2013-September/003696.html As GSoC entered its final phase, Kostas Jakeliunas reported on the searchable metrics archive [27], Johannes Fürmann on EvilGenius [28], and Cristian-Matei Toader on Tor capabilities [29]. [27] https://lists.torproject.org/pipermail/tor-dev/2013-September/005483.html [28] https://lists.torproject.org/pipermail/tor-dev/2013-September/005484.html [29] https://lists.torproject.org/pipermail/tor-dev/2013-September/005490.html How can we provide Tor users an easy way to verify the signatures on Tor software? Sherief Alaa raised this question on the tor-dev mailing list when asking for comments on plans to write a “small” GUI tool [30]. [30] https://lists.torproject.org/pipermail/tor-dev/2013-September/005491.html Upcoming events --------------- Sep 28-29 | Tor mini-hackathon at GNU 30th Anniversary Celebration | MIT, Cambridge, Massachusetts | https://gnu.org/gnu30/celebration | Sep 29 | Colin at the Winnipeg Cryptoparty | Winnipeg, Manitoba, Canada | http://wiki.skullspace.ca/index.php/CryptoParty | Sep 29-01 | Tor at OpenITP Circumvention Tech Summit IV | Berlin, Germany | https://www.openitp.org/openitp/circumvention-tech-summit.html | Sep 30 | Congress on Privacy & Surveillance | Lausanne, Switzerland | http://ic.epfl.ch/privacy-surveillance This issue of Tor Weekly News has been assembled by harmony, Lunar, dope457, Matt Pagan, and Jacob Appelbaum. Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page [31], write down your name and subscribe to the team mailing list [32] if you want to get involved! [31] https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews [32] https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team -- tor-talk mailing list - tor-talk@lists.torproject.org To unsusbscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk ----- End forwarded message ----- -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5