[tor-talk] Tor Weekly News — September 3rd, 2014

Eugen Leitl eugen at leitl.org
Wed Sep 3 07:45:00 PDT 2014

----- Forwarded message from harmony <harmony01 at riseup.net> -----

Date: Wed, 3 Sep 2014 14:06:36 +0000
From: harmony <harmony01 at riseup.net>
To: tor-news at lists.torproject.org, tor-talk at lists.torproject.org
Subject: [tor-talk] Tor Weekly News — September 3rd, 2014
Message-ID: <20140903140636.03c38791 at riseup.net>
X-Mailer: Claws Mail 3.8.1 (GTK+ 2.24.10; i486-pc-linux-gnu)
Reply-To: tor-talk at lists.torproject.org

Tor Weekly News                                      September 3rd, 2014

Welcome to the thirty-fifth issue of Tor Weekly News in 2014, the weekly
newsletter that covers what is happening in the Tor community.

Tor Browser 3.6.5 and 4.0-alpha-2 are out

The Tor Browser team put out two new releases of the privacy-preserving
web browser. Among the major changes, version 3.6.5 upgrades Firefox to
24.8.0esr, and includes an improved prompt to help users defend against
HTML5 canvas image fingerprinting [1], following a patch by Isis
Lovecruft [2]. Version 4.0-alpha-2 additionally includes the code for
the forthcoming Tor Browser auto-updater (switched off by default) and
“better hardening for Windows and Linux builds” [3].

As ever, you can download the new releases along with their signature
files from the Tor Project’s distribution directory [4]. Please upgrade
as soon as you can.

  [1]: https://lists.torproject.org/pipermail/tor-talk/2014-July/033969.html
  [2]: https://bugs.torproject.org/12684
  [3]: https://lists.torproject.org/pipermail/tor-qa/2014-September/000458.html
  [4]: https://www.torproject.org/dist/torbrowser/

Tails 1.1.1 is out

The Tails team released [5] version 1.1.1 of the Debian- and Tor-based
live operating system. As well as upgrading key components like Tor,
Iceweasel, and Linux, this release disables I2P by default when Tails is
booted, in response to the vulnerability recently disclosed by Exodus
Intelligence [6]. Like Truecrypt, “i2p” must now be specified as a
parameter on booting by users who wish to use it.

A number of other security fixes and routine improvements make this an
important update for all Tails users. See the full changelog in the
team’s announcement, then update from a running copy of Tails 1.1 if you
have one, or head to the download page [7] if you don’t.

  [5]: https://tails.boum.org/news/version_1.1.1/
  [6]: https://tails.boum.org/security/Security_hole_in_I2P_0.9.13/
  [7]: https://tails.boum.org/download/

Helping Internet services accept anonymous users

Without a large and diverse network, run by thousands of dedicated
volunteers, Tor would be nowhere near as useful or popular as it
currently is. Although the current situation might at times seem
fragile, there are still many places where it is feasible to host Tor
exit nodes.

However, Tor would become much less attractive to users if they found
themselves unable to reach or interact with their favorite websites
while using it, a situation that is unfortunately growing more common as
site administrators and engineers react negatively to instances of
abusive Tor traffic by banning anonymous connections outright. Tor users
and developers, as well as members of other online communities (such as
Wikimedia [8]), have tried to address the issue before, but real
progress has yet to be made.

Roger Dingledine wrote a “call to arms” [9] explaining the problem in
detail and exploring possible paths to a solution: “Step one is to
enumerate the set of websites and other Internet services that handle
Tor connections differently from normal connections […]. Step two is to
sort the problem websites based on how amenable they would be to our

Since the problem involves humans as much as it does machines, anyone
working on it will have to be both “technical” but also ”good at
activism”. If you fit that description, OTF has expressed interest in
funding work on this issue through their Information Controls Fellowship
Program [10]. Please read Roger’s blog post in full for more details.

  [8]: https://meta.wikimedia.org/wiki/Grants:IdeaLab/Partnership_between_Wikimedia_community_and_Tor_community
  [9]: https://blog.torproject.org/blog/call-arms-helping-internet-services-accept-anonymous-users
 [10]: https://www.opentechfund.org/labs/fellowships

Monthly status reports for August 2014

The wave of regular monthly reports from Tor project members for the
month of August has begun. Damian Johnson released his report
first [11], followed by reports from Georg Koppen [12], Sherief
Alaa [13], Noel Torres [14], Kevin P Dyer [15], Nick Mathewson [16],
Lunar [17], Arthur D. Edelstein [18], Karsten Loesing [19], Andrew
Lewman [20], Arlo Breault [21], Pearl Crescent [22], and Michael Schloh
von Bennewitz [23].

Lunar also reported on behalf of the help desk [24], and Mike Perry did
the same for the Tor Browser team [25].

 [11]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000626.html
 [12]: https://lists.torproject.org/pipermail/tor-reports/2014-August/000627.html
 [13]: https://lists.torproject.org/pipermail/tor-reports/2014-September/000628.html
 [14]: https://lists.torproject.org/pipermail/tor-reports/2014-September/000629.html
 [15]: https://lists.torproject.org/pipermail/tor-reports/2014-September/000630.html
 [16]: https://lists.torproject.org/pipermail/tor-reports/2014-September/000633.html
 [17]: https://lists.torproject.org/pipermail/tor-reports/2014-September/000635.html
 [18]: https://lists.torproject.org/pipermail/tor-reports/2014-September/000636.html
 [19]: https://lists.torproject.org/pipermail/tor-reports/2014-September/000637.html
 [20]: https://lists.torproject.org/pipermail/tor-reports/2014-September/000638.html
 [21]: https://lists.torproject.org/pipermail/tor-reports/2014-September/000639.html
 [22]: https://lists.torproject.org/pipermail/tor-reports/2014-September/000640.html
 [23]: https://lists.torproject.org/pipermail/tor-reports/2014-September/000641.html
 [24]: https://lists.torproject.org/pipermail/tor-reports/2014-September/000634.html
 [25]: https://lists.torproject.org/pipermail/tor-reports/2014-September/000642.html

Miscellaneous news

Yawning Angel released [26] a new set of experimental Tor Browser builds
containing the proposed obfs4 pluggable transport, along with a
changelog; “questions, comments, feedback” are welcome on the email
thread or the bug ticket tracking the deployment of obfs4 [27].

 [26]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007420.html
 [27]: https://bugs.torproject.org/12130

Arturo Filastò announced [28] the release of version 1.1.0 of
oonibackend, the tool “used by ooniprobe to discover the addresses of
test helpers (via the bouncer) to submit reports to (via the collector)
and to perform some measurements that require a backend system to talk
to (via test helpers)” [29].

 [28]: https://lists.torproject.org/pipermail/tor-dev/2014-September/007450.html
 [29]: https://pypi.python.org/pypi/oonibackend

meejah posted [30] a list of tasks to be completed in order to bring Tor
Weather to a deployable state, following the recent rewrite effort and
the Google Summer of Code project by Sreenatha Bhatlapenumarthi.

 [30]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007426.html

Israel Leiva submitted a summary [31] of work completed as part of the
“Revamp GetTor” Google Summer of Code project: “The plan for now is to
keep doing tests and deploy it asap (hopefully during September).”

 [31]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007427.html

Mike Perry posted [32] an updated version [33] of the proposal for
website fingerprinting countermeasures which he co-authored with Marc
Juarez as part of the latter’s Google Summer of Code project.

 [32]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007417.html
 [33]: https://gitweb.torproject.org/user/mikeperry/torspec.git/blob/refs/heads/multihop-padding-primitives:/proposals/ideas/xxx-multihop-padding-primitives.txt

Lunar gave a talk [34] at this year’s DebConf on the effort to build
Debian packages deterministically, which is inspired in large part by
Tor Browser’s use of the same technology [35]. Major progress was
achieved during the conference [36].

 [34]: http://meetings-archive.debian.net/pub/debian-meetings/2014/debconf14/webm/Reproducible_Builds_for_Debian_a_year_later.webm
 [35]: https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise
 [36]: http://lists.alioth.debian.org/pipermail/reproducible-builds/Week-of-Mon-20140901/000198.html

David Fifield submitted a breakdown [37] of the costs incurred by the
infrastructure that supports the meek pluggable transport [38] since its
introduction. The total to date from both the Google App Engine and
Amazon AWS front domains? $6.56.

 [37]: https://lists.torproject.org/pipermail/tor-dev/2014-August/007429.html
 [38]: https://trac.torproject.org/projects/tor/wiki/doc/meek

Thanks to P D [39] and Daniel Pajonzeck [40] for running mirrors of the
Tor Project website and software!

 [39]: https://lists.torproject.org/pipermail/tor-mirrors/2014-August/000653.html
 [40]: https://lists.torproject.org/pipermail/tor-mirrors/2014-August/000673.html

Also on the subject of mirrors, Roger Dingledine alerted [41] the
tor-mirrors mailing list to the fact that the Tor Project website
(specifically the distribution directory) will shortly be increasing in
size to eight or nine gigabytes, as a result of the
soon-to-be-implemented Tor Browser updater [42]. Mirror operators will
need to ensure that they can provide enough disk space to accommodate
the change.

 [41]: https://lists.torproject.org/pipermail/tor-mirrors/2014-September/000675.html
 [42]: https://bugs.torproject.org/4234

whonixqubes announced [43] the release of an integrated version of the
Whonix and Qubes operating systems: “I look forward to helping make
Qubes + Whonix integration even tighter and more seamless throughout the

 [43]: https://lists.torproject.org/pipermail/tor-talk/2014-August/034562.html

Tor help desk roundup

The help desk has been asked if Tor can make a website visit appear to
come from China. Tor connections appear to originate from the country
where the exit relay in use is located; since Tor is blocked in China,
there are zero exit relays in China. A visualization of the different
country-locations of exit relays can be found on Tor’s metrics
page [44].

 [44]: https://metrics.torproject.org/bubbles.html#country-exits-only 

News from Tor StackExchange

Anony Mouse wanted to know why Facebook shows the location of the user’s
last login over Tor as Baghdad or Dhaka [45], instead of the real
location of the exit relay. qbi posted a screenshot showing this
issue [46]. According to Facebook, this information is based on an
approximation, but this approximation locates all Tor exit relays 
either in Baghdad or in Dhaka.

 [45]: https://tor.stackexchange.com/q/3364/88
 [46]: https://twitter.com/qbi/status/506550322308055040

user3500 wants to contribute to Tor and asks how this can be done as an
inexperienced developer [47]. Jens Kubieziel replied with several
possibilities, including reading the volunteer page and Tor Weekly News:
in particular, the section containing easy development tasks might be a
good start. Roya pointed out that any contribution is better than no
contribution, and encouraged user3500 to just get started. Umut Seven
recommended writing unit tests.

 [47]: https://tor.stackexchange.com/q/3961/88

Kras wants to use FoxyProxy in connection with Tor Browser Bundle and
asks if it is safe to do so [48]. At the moment, there is only an answer
saying “yes”, without any explanation. What is your experience? Is it
safe for a user to install and use FoxyProxy?

 [48]: https://tor.stackexchange.com/q/3239/88

Upcoming events

  Sep 03 13:30 UTC | little-t tor development meeting
                   | #tor-dev, irc.oftc.net
  Sep 03 19:00 UTC | Tails contributors meeting
                   | #tails-dev, irc.indymedia.org / h7gf2ha3hefoj5ls.onion
                   | https://mailman.boum.org/pipermail/tails-project/2014-August/000016.html
  Sep 05 15:00 UTC | OONI development meeting
                   | #ooni, irc.oftc.net
                   | https://lists.torproject.org/pipermail/ooni-dev/2014-August/000151.html
  Sep 08 18:00 UTC | Tor Browser online meeting
                   | #tor-dev, irc.oftc.net
  Sep 12 19:00 UTC | Tails low hanging fruit session
                   | #tails-dev, irc.indymedia.org / h7gf2ha3hefoj5ls.onion
                   | https://mailman.boum.org/pipermail/tails-project/2014-August/000024.html

This issue of Tor Weekly News has been assembled by harmony, Matt Pagan,
Lunar, qbi, and Arlo Breault.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [49], write down your
name and subscribe to the team mailing list [50] if you want to
get involved!

 [49]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
 [50]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
tor-talk mailing list - tor-talk at lists.torproject.org
To unsubscribe or change other settings go to

----- End forwarded message -----

More information about the cypherpunks mailing list