Tor 0.2.0.30 is released as stable

Tor 0.2.0.30 is released. A better formatted version of this report can be found at gmane.org

Tor 0.2.0.30 switches to a more efficient directory distribution design,
adds features to make connections to the Tor network harder to block,
allows Tor to act as a DNS proxy, adds separate rate limiting for relayed
traffic to make it easier for clients to become relays, fixes a variety
of potential anonymity problems, and includes the usual huge pile of
other features and bug fixes.

https://www.torproject.org/download.html

Changes in version 0.2.0.30 - 2008-07-15
  o New v3 directory design:
    - Tor now uses a new way to learn about and distribute information
      about the network: the directory authorities vote on a common
      network status document rather than each publishing their own
      opinion. Now clients and caches download only one networkstatus
      document to bootstrap, rather than downloading one for each
      authority. Clients only download router descriptors listed in
      the consensus. Implements proposal 101; see doc/spec/dir-spec.txt
      for details.
    - Set up moria1, tor26, and dizum as v3 directory authorities
      in addition to being v2 authorities. Also add three new ones:
      ides (run by Mike Perry), gabelmoo (run by Karsten Loesing), and
      dannenberg (run by CCC).
    - Switch to multi-level keys for directory authorities: now their
      long-term identity key can be kept offline, and they periodically
      generate a new signing key. Clients fetch the "key certificates"
      to keep up to date on the right keys. Add a standalone tool
      "tor-gencert" to generate key certificates. Implements proposal 103.
    - Add a new V3AuthUseLegacyKey config option to make it easier for
      v3 authorities to change their identity keys if another bug like
      Debian's OpenSSL RNG flaw appears.

National Network to End Domestic Violence Conference Wrap-up

A quick trip report from the National Network to End Domestic Violence training conference. I gave a series of presentations to the people who help victims of abuse. The day started off with an introduction to the technology issues surrounding victims of abuse and stalking: an overview of the challenges they face, the methods that are used against them, and the "dark side" of technologies such as RFID, Bluetooth, and GPS.

My presentation was an overview of Tor, online anonymity, and places to find more information. The afternoon sessions covered the legal environment and risks for victims. The speakers covered online harassment, the plights of women on welfare and their oppression via technology ("the new punitiveness" as it was termed), and a quick hypothetical situation about jilted lovers and their legal recourse, from both sides.

Overall, it was a great set of new organizations and people to meet for the Tor Project.

Update: NNEDV has posted some of their extensive documents online for review.

July 2008 Progress Report

Releases:

Torbutton 1.2.0rc5 (released July 6) provides improved addon compatibility, better preservation of Firefox preferences that we touch, fixes for issues with Tor toggle breaking for some option combos, and an improved 'Restore Defaults' button. This version also features Firefox 3 cookie jar support, and support for storing cookie jars in memory.
http://archives.seul.org/or/talk/Jul-2008/msg00026.html

Vidalia 0.1.6 (released July 8) fixes a bug introduced in 0.1.3 that could cause excessive CPU usage or crashing on some platforms; continues to prepare Vidalia's strings for easier translation; adds a Romanian GUI and installer translation; and updates the Farsi, Finnish, French, German, and Swedish translations.
http://trac.vidalia-project.net/browser/vidalia/tags/vidalia-0.1.6/CHANG...

Tor 0.2.0.29-rc (released July 8) fixes two big bugs with using bridges, fixes more hidden-service performance bugs, and fixes a bunch of smaller bugs.
http://archives.seul.org/or/talk/Jul-2008/msg00038.html

Torbutton 1.2.0rc6 (released July 12) features fixes for a nasty history loss bug, an exception during Tor toggle, javascript being disabled in some tabs, better pref handling, and more.
http://archives.seul.org/or/talk/Jul-2008/msg00049.html

Tor 0.2.0.30 (released July 15) is the first stable release of the 0.2.0.x branch. The previous stable branch (0.1.2.x) went stable in April of 2007. We are still waiting for Torbutton and Vidalia to stabilize before announcing the Windows and OS X packages on the or-announce announcements list. We expect to do that in August.

Tor Browser Bundle 1.1.1 (released July 20) updates Vidalia to release 0.1.6, updates Pidgin Portable to 2.4.3, updates Pidgin OTR plugin to 3.2, updates Tor to 0.2.1.2-alpha, updates Torbutton to 1.2.0rc6, and sets TZ=UTC environment variable in RelativeLink (needed by Torbutton).
https://svn.torproject.org/svn/torbrowser/trunk/README

Vidalia Logo Design Contest

We are currently sponsoring a design contest to create a new logo for Vidalia. The winner of the contest will receive a $250 USD cash prize. The firm deadline for contest submissions is August 22, 2008.

The logo will be used in the Vidalia software and related installers, on the website, and on t-shirts. Designers are free to choose any fonts, color combinations, and symbol options you like (no onions, though, please). The logo must include a symbolic component that is recognizable by itself without the name "Vidalia" next to it. See the contest page for more details. If you have further questions, please email contest@vidalia-project.net or stop by #vidalia on irc.oftc.net.

Here's the overall timeline for the contest:

  • August 15 – August 22: Entries may be submitted at the Worth1000 contest page.
  • August 23 – August 24: Everyone is welcome to review the submissions received and vote on their favorite design. Even if you didn't submit anything, you can still vote!
  • August 25 – August 31: The final winner will be announced by August 31 at the latest.

Late entries will not be eligible for the cash prize, so be sure to get your submission in by August 22!

False Positives in 0.2.0.30: RISING found Trojan.PSW.Win32.Undef.adp

I've noticed a few comments about a Chinese anti-virus program, RISING, reporting that Vidalia.exe and Privoxy.exe are infected with Trojan.PSW.Win32.Undef.adp. In both cases, I suspect that RISING is reporting false positives. These executables as packaged and available on the Tor download page are not infected.

I've looked at the MD5 and SHA-1 sums of these programs as included in the Vidalia bundle and they match what the source packages produce as executables. The privoxy.exe included in the bundles is the exact same one as found at the Sourceforge Privoxy Download Page.

The Vidalia.exe is the same as the one included in the Vidalia Download Page.

Feel free to confirm this is true for you. Better yet, let us know if these individual packages (Vidalia.exe from Vidalia and Privoxy.exe from Sourceforge) also show up as infected.

Fun with build machines

Perhaps you've noticed that the packages for CentOS 4 and OSX Tiger/10.4 haven't been updated lately. Welcome to dead hard drives.

For a long while, I used VMware Server for guest OSes to build the various rpm and windows packages. This mostly worked well. And then both drives in the physical server I used to host the vmware instance failed. A two-drive RAID 1 array doesn't like it when both drives fail. I replaced the drives, re-installed Debian, and attempted to install vmware server again. The vmware kernel module refused to load. I tried the old tricks to get it to work, nothing. I finally looked at some script/patch that I found via Google, and got the module to load. Then my license key didn't work anymore.

In frustration, I gave up and installed VirtualBox. CentOS 4 defaults to using an SMP kernel on install, which Virtualbox (aka qemu) doesn't like at all. CentOS 4 installs just fine, it just won't boot after install. I haven't had time to further fix the problem. For the time being, there's no CentOS 4 (Redhat 4 rpms) for Tor.

As for OSX, well, there was no raid array of any kind, just a single drive in a mac mini. It died in a fit of 0xE0030005 (Undefined) errors and now won't boot at all. A new drive is on the way. I expect to have OSX Tiger/10.4 packages in a week or so. The good news is that the Panther Mac continues to work just fine.

Perhaps it's time to start using Amazon's EC2 or something similar instead of messing with all this hardware and virtualization software. Or maybe I should work on hacking OSX 10.4 and 10.5 into virtualbox.

** Update 2008-08-06: new drive was DOA. And it appears the logic board on the mac mini is fried. Ugh.

June 2008 Progress Report

Torbutton 1.2.0rc1 (released June 1), the first release candidate for the next stable series of the security-enhanced Torbutton Firefox extension, features functional support for Firefox 3. However, this support has not been extensively tested. In particular, timezone masking does not work at all. The workaround is to manually set the environment variable 'TZ' to 'UTC' before starting Firefox. This works on both Linux and Windows:
http://archives.seul.org/or/talk/Jun-2008/msg00044.html

Tor 0.2.0.27-rc (released June 3) adds a few features we left out of the earlier release candidates. In particular, we now include an IP-to-country GeoIP database, so controllers can easily look up what country a given relay is in, and so bridge relays can give us some sanitized summaries about which countries are making use of bridges. (See proposal 126-geoip-fetching.txt for details.)
http://archives.seul.org/or/talk/Jun-2008/msg00055.html

Torbutton 1.2.0rc2 (released June 8) features a fix for an annoying bug on MacOS, and adds much clamored for options to start Firefox in a specific Tor state:
http://archives.seul.org/or/talk/Jun-2008/msg00103.html

Tor 0.2.0.28-rc (released June 13) fixes an anonymity-related bug, fixes a hidden-service performance bug, and fixes a bunch of smaller bugs.
http://archives.seul.org/or/talk/Jun-2008/msg00165.html

Tor 0.2.1.1-alpha (released June 13) fixes a lot of memory fragmentation problems that were making the Tor process bloat especially on Linux; makes our TLS handshake blend in better; sends "bootstrap phase" status events to the controller, so it can keep the user informed of progress (and problems) fetching directory information and establishing circuits; and adds a variety of smaller features.
http://archives.seul.org/or/talk/Jun-2008/msg00185.html

Vidalia 0.1.4 (released June 13) adds a bootstrap progress bar, UPnP support, a new set of freely licensed GUI icons, and fixes a few bugs.

Stable Torbutton Release Approaches

For those of you just tuning in: Over the past year, I have been the maintainer of the Torbutton Firefox extension, adding a number of features and security enhancements to transform Torbutton from a simple proxy switcher into a secure way to fully isolate all browser state from one proxy state to another and defend against all known privacy and IP address leakage attacks.

The release candidate phase of the extension started about a month ago, but with the release of Firefox 3 and Torbutton 1.2.0rc series occurring at the same time, we've hit a number of unexpected rough spots and snags. However, with the 1.2.0rc5 release of Torbutton, I'm pleased to report that the majority of those now seem to be behind us (a few annoying Firefox bugs notwithstanding).

Thanks to contributions from arno, the Cookie Jar features now work with Firefox 3. They have even been improved to allow cookies to persist in memory-based jars across Tor toggle (as opposed to requiring Tor cookies to be written to disk to preserve them), which I personally already find very useful.

Incognito and The Tor Project sign a licensing agreement

Incognito is an open source LiveDistro assisting you to securely and anonymously use the Internet almost anywhere you go. Incognito can be used from either a CD or a USB drive and has several Internet applications (Web browser, IRC client, Mail client, Instant messenger, etc.) pre-configured with security in mind, and all Internet traffic will be anonymized.

At the core of this anonymity is the Tor™ software and network. In recognition of the transparency, open source base, continued development, and improvement of the Incognito software, The Tor Project is proud to list Incognito as a licensee of the Tor brands.

Incognito has the right to use the Tor name and the Tor onion logo™ as needed. The high quality graphics will improve the user experience. The usage of the Tor brand will only further reinforce that Incognito is a legitimate solution using the Tor software.

We welcome the further cooperation and collaboration between Incognito and The Tor Project.

May 2008 Progress Report

Tor 0.2.0.26-rc (released May 13) fixes a major security vulnerability caused by a bug in Debian's OpenSSL packages. All users running any 0.2.0.x version should upgrade, whether they're running Debian or not.
http://archives.seul.org/or/talk/May-2008/msg00048.html

Vidalia 0.1.3 (released May 25) adds a hidden service configuration UI designed and implemented by Domenik Bork, as well as a few other bugfixes.
http://trac.vidalia-project.net/browser/vidalia/tags/vidalia-0.1.3/CHANG...

The Tor Browser Bundle 1.0.2 (released May 3) and 1.0.3 (released May 16) include upgraded versions of Tor, Vidalia, Torbutton, and Firefox.

We added three new part-time developers in May. We hired Matt Edman as a part-time employee at the beginning of May, to work on Vidalia maintenance, bugfixes, and new features. We also are funding Karsten Loesing to work on making hidden service rendezvous and interaction faster, and Peter Palfrader to work on lowering the overhead of directory requests, especially during bootstrap, which should directly improve the experience for Tor users on modems or cell phones.

Google has agreed to give us some funding to work on auto-update for Windows. Our plan is for Vidalia to look at the majority-signed network status consensus to decide when to update and to what version (Tor already lists what versions are considered safe, in each network status document). We should actually do the update via Tor if possible, for additional privacy, and we need to make sure to check package signatures to ensure package validity. Last, we need to give the user an interface for these updates, including letting her opt to migrate from one major Tor version to the next.
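A sketch of the version decision described above, as an added example (not Vidalia's or Tor's own code): it reads the client-versions line of a consensus and picks an update target, keeping a move to another release series opt-in. The consensus excerpt is constructed and assumed to have already passed the majority-signature check; the function names and the simplified version ordering are assumptions of this example, and package signature verification is a separate step not shown.

```python
import re

# Constructed excerpt of a v3 consensus preamble (sample data, not a real document).
# Assumption: the majority-signature check has already succeeded on it.
SAMPLE_CONSENSUS = """\
network-status-version 3
vote-status consensus
client-versions 0.1.2.19,0.2.0.29-rc,0.2.0.30,0.2.1.2-alpha
server-versions 0.2.0.30,0.2.1.2-alpha
"""

_TAG_RANK = {"alpha": 0, "beta": 1, "rc": 2, None: 3}  # None = untagged release
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)(?:-(alpha|beta|rc))?$")

def parse_version(text):
    """'0.2.0.29-rc' -> (0, 2, 0, 29, 2); simplified ordering for this example."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(g) for g in m.groups()[:4]) + (_TAG_RANK[m.group(5)],)

def recommended_versions(consensus, keyword="client-versions"):
    """Return the comma-separated version list from the named consensus line."""
    for line in consensus.splitlines():
        if line.startswith(keyword + " "):
            return [v.strip() for v in line[len(keyword) + 1:].split(",") if v.strip()]
    return []

def choose_update(running, recommended, allow_migration=False):
    """Return (status, target) for the running version against the recommended list."""
    if running in recommended:
        return ("recommended", None)
    mine = parse_version(running)  # a malformed entry raises, so we fail closed
    newer = [v for v in recommended if parse_version(v) > mine]
    if not newer:
        return ("newer-than-recommended", None)  # e.g. a development build
    same_series = [v for v in newer if parse_version(v)[:3] == mine[:3]]
    if same_series:
        return ("update", max(same_series, key=parse_version))
    if allow_migration:
        # Crossing series is opt-in; offer the best version of the next series up.
        series = min(parse_version(v)[:3] for v in newer)
        best = max((v for v in newer if parse_version(v)[:3] == series), key=parse_version)
        return ("migrate", best)
    return ("migration-needed", None)
```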

We continued enhancements to the Chinese and Russian Tor website translations. Vidalia also added a Turkish translation.

From the Vidalia 0.1.3 ChangeLog:
