Tor: The Blog

Five Years as an Exit Node Operator

phobos — Mon, 10 Nov 2008 21:50:57 -0800

The official version of "What to expect" when running a Tor exit relay is fairly brief. This post will be verbose.

I've been running a node since 2003. I first started off running a node in Xen on a server at a colocation datacenter with an un-metered line. The dual Xeon kept up with the demands fairly well. I ran it with the default exit policy with open irc ports. Things went smoothly for many months until my ISP called. The Abuse Department said my IP was reported in a mass irc bot attack against DalNet. I spent some time on the phone explaining Tor, explaining how it's an anonymizing proxy, and how it's used for good in the world. I highlighted that of the megabits of bandwidth it provided 7x24 for many months, this was the first issue. They asked that I block irc ports, and all would be well. I modified the exit policy to block irc ports.

Many more months passed without issue. Apparently, given the lax bandwidth controls, many other customers ran Tor exit nodes as well. The ISP updated their Terms of Service, and notified all of us that running any proxy was now in violation of the ToS. This meant I was at risk of disconnection. I switched to a non-exit configuration. I ran this way for months. I knew full well I was violating the ToS. If I was disconnected, it was my fault. Then the ISP was bought; and the new owners demanded I shut off my Tor node or be disconnected. It was fun while it lasted.

Welcome to 2005. New ISP, same nickname, different server, same non-exit Tor configuration. Tor loved the dual opteron cpus. The difference in cpu load was dramatic. The load before was 40-50% cpu for "NumCPU 2" on the dual Xeons. On the dual Opterons, the load was 5-10%. Same non-exit config. Same version of Tor. Different hardware, newer version of the OS (Redhat 4 as opposed to CentOS 3).

I sustained 15 Mb/s the first day. Woo! Oh wait, they meter bandwidth at the switch, and now I have to pay for it. Ok, BandwidthRate here we come. The new ISP was relatively new. The CEO was on the forums. That's how small and new they were. We chatted, he didn't see a problem with Tor. Great.

I changed the config to the default exit policy with irc blocked. About a month later, the DMCA Notice bots hit. And boy, they hit like hourly. I setup a procmail recipe to pull the company and supposed infringing content out of their emails and stuff them into a response template based on The Tor DMCA Response Template. After about 3 weeks of this, I switched back to non-exit mode for a month or so. No one asked me to do this, I just felt nervous; or perhaps it was the chilling effect of the notices. And then I switched back to default minus irc exit configuration.

Months would go by without a complaint. Google would occasionally complain that my IP defaced some Google Groups. Or some random person from a blog that got hit with spam from my IP would complain. Once again, I'd explain Tor, and everything would resolve itself. I wrote this wiki entry after noting the common patterns that worked when dealing with abuse complaints.

Recently, the DMCA notices have become popular again. However, this time they're complaining directly to the ISP, not to me. My ISP opens support tickets and copy and pastes the exact email they received. I respond with the same DMCA Response template I did before. So far, they just keep closing the tickets.

In the grand scheme of things, Tor is pretty benign. I fluctuate between 2-5 Mb/s depending upon how much transit I've consumed for that billing period. Tor's bandwidth controls are surprisingly accurate. When I configure Tor to consume 1.8TB of transit over 30 days, it'll do it and not a byte more.

In total, I've received around 50 DMCA infringement notices, 20 abuse complaints, and zero visits from the Feds. After 5 years, I must have transferred petabytes of normal Tor traffic. Hopefully, I've helped users in restrictive environments see the unfiltered Internet. Or helped people keep their privacy and anonymity intact while online. Sorry to disappoint you if you were expecting SWAT teams and black helicopters and mad car chases through the streets. Real life is much more boring.

The carnival of data retention expands

phobos — Fri, 07 Nov 2008 15:13:27 -0800

We've already asked about how to handle the forthcoming data retention directive in Germany.

A few more governments are either heading down that path, or already there:

Internet black boxes to record every email and website visit at The Telegraph UK.
Data Retention in Denmark.
SORM-2 in Russia
Sweden wants to record all cross-border communications.

I suspect we'll see proposals for this in the USA soon enough.

Anonymity on the Internet is not going away.

phobos — Fri, 07 Nov 2008 15:00:53 -0800

A few people have told me about this TechRadar story. The implication is that the US Air Force is going to do away with the anonymity of the Internet. In reality, I think these people are looking for Tor's opinion on this sort of "news". Rather than pick apart the silliness of the statements, a few things bothered me about the TechRadar article; which I've already heard many times.

Let's tackle the misnomer that the Internet is inherently anonymous. This quote states the "common wisdom":

It's true that the TCP/IP protocol, as currently implemented, makes it very hard to verify the source of any given network packet, but that's purely because the network architects chose to make it that way.

In fact, IP addresses are designed and used for routing. It's easy to figure out where traffic originates if you have the IP address. What's not so easy is figuring out if the owner of the system at that IP address was the actual sender of the traffic. There's a popular notion that you are your IP address; and that actions taken with your IP can be tied back to you. IP addresses are for routing, not authentication. The Air Force plan wants to solve the latter problem of authentication (Network friend or foe). A subpoena or legal demand of a provider (blog, forum, ISP, etc) can reveal the IP address and possibly its owner.

The larger concern with the article is that it states:

But it's also what lets protesters protest and dissidents diss, so there are some genuinely valid reasons for wanting to preserve internet privacy

and then ends with

Anonymous internets will always exist - the terrorists, the paedophiles and the tin-foil-hat brigade will make sure of that. But in 10 years time, the idea of the mainstream internet - the one that all of us use every day - being anonymous, will seem as quaint as a street without CCTV cameras.

Anonymity is a defense against the tyranny of the majority. There are many, many valid uses of anonymity tools, such as Tor. The belief that anonymous tools exist only for the edges of societies is narrow-minded. The tools exist and are used by all. Much like the Internet, the tools can be used for good or bad. The negative uses of such tools typically generate huge headlines, but not the positive uses. Raising the profile of the positive uses of anonymity tools, such as Tor, is one of our challenges.

OS X Vidalia Bundle Thoughts

phobos — Wed, 29 Oct 2008 19:43:41 -0700

A few weeks ago, I watched some non-technical OS X users attempt to install the Vidalia-Tor Bundle. Many of them tried to drag the installation package to Applications. A few were surprised it required an installation at all.

In Vidalia trunk I committed a different way to install Vidalia, Tor, and Polipo. In this new dmg, you just open it up and drag the Vidalia icon into Applications. You now have Tor, Vidalia, and Polipo pre-configured and running completely out of Applications. While this works well for users that never installed Tor/Vidalia before, it doesn't work so well for existing installations.

Is it smart to think users will un-install their existing Vidalia/Tor bundle before using the drag and drop installation method? My inclination is that it isn't smart. This installation method also removes the ability to automatically install Torbutton for Firefox.

In comparison, the current method is to ship a dmg which contains a metapackage. This metapackage contains a few scripts to run pre and post-installation, which do smart things to save current configurations, upgrade existing software binaries, and try to install Torbutton for Firefox. In general, this method has worked well for most users. I've heard from enough people to know they tried to drag and drop the metapackage into Applications at first, and when that didn't work, double-clicked the metapackage to start the installer.

I'm now leaning towards creating a Tor Browser Bundle for OS X; which can run out of the dmg or be installed via drag and drop. Much like the current Tor Browser Bundle (also, we should stop naming everything Tor), it would be self-contained and leave zero trace on the machine after closing.

Thoughts on ways to make the OS X install easier, ostensibly via drag and drop install? Or is the effort to create a TBB for OS X a better use of resources?

Tor, Germany, and Data Retention

arma — Thu, 16 Oct 2008 20:09:57 -0700

With the "enforcement" phase of Germany's data retention law coming
into effect on January 1 2009, it's time to start considering design
modifications for Tor to make us more resistant. There are many different
pieces to consider, including

How should we change path selection so Tor clients are less at risk
from German ISPs that decide to log?
What exactly will German ISPs log, and who is supposed to have access
to it?
What suggestions should we give to German Tor relay operators, and
German privacy advocates in general, about how they should fight this
law without putting themselves too much at risk?

I propose some technical changes to Tor in this or-dev post:
http://archives.seul.org/or/dev/Oct-2008/msg00001.html

Stay tuned for the policy suggestions -- perhaps we'll cover those at 25C3!

Online Anonymity Debate in South Korea

phobos — Thu, 16 Oct 2008 19:06:17 -0700

An article about the debate over online anonymity in South Korea caught my eye for a few reasons. The topic of online anonymity periodically rises to the social consciousness in South Korea. This time, it's about the suicide of a well-known actress, Choi Jin-sil. It's sad that she chose to commit suicide, and I'm sorry she felt she had no where to go for help. However, blaming the Internet for her death is dubious at best. The Internet is a collection of networks. The Internet is a thing, not a person. While I dislike rude telemarketers, I don't blame the telephone company for providing the connection. In this case, there seemed to be a subset of people bent on defaming her regardless of the circumstances, while using the Internet as their communication medium.

The real goal behind this upswelling of support for banning anonymity is to pass the Cyber Defamation Law. This appears to be the equivalent of user verification where all online activities must be in a real name and, in some way, verifiable.

"We will press hard to pass the Cyber Defamation Law and the real-name system," Hong Joon-pyo, the ruling Grand National Party's floor leader, told reporters last week. "It is wrong to neglect the fact that violence is rampant online, due to anonymity."

Defamation is already a crime in South Korea. The irony is that the person who possibly first defamed Choi Jin-sil has been found, a person only known by their last name, Paik. According to the article,

"Paik was questioned by investigators soon after Choi's suicide and ultimately indicted for defamation."

Normally, the articles on how online anonymity is bad for the world end here. In this case, the article closes with how online anonymity is what probably helped bring South Korea into the democracy it has today.

A great quote from Park Jun-chul,

"If there is no anonymity, not so many people will risk saying what is really happening at work places, schools, or in the society."

This ties right into what we've already seen happen online with activists, https://www.torproject.org/torusers.html.en#activists

The Guardian has a better overview covering both the positive and negative uses of online anonymity in South Korea.

Tor 0.2.1.6-alpha Released

phobos — Tue, 14 Oct 2008 17:25:11 -0700

Tor 0.2.1.6-alpha further improves performance and robustness of hidden
services, starts work on supporting per-country relay selection, and
fixes a variety of smaller issues.

The original announcement can be found at
http://archives.seul.org/or/talk/Oct-2008/msg00093.html

Changes in version 0.2.1.6-alpha - 2008-09-30

Major features:

Implement proposal 121: make it possible to build hidden services
that only certain clients are allowed to connect to. This is
enforced at several points, so that unauthorized clients are unable
to send INTRODUCE cells to the service, or even (depending on the
type of authentication) to learn introduction points. This feature
raises the bar for certain kinds of active attacks against hidden
services. Code by Karsten Loesing.
Relays now store and serve v2 hidden service descriptors by default,
i.e., the new default value for HidServDirectoryV2 is 1. This is
the last step in proposal 114, which aims to make hidden service
lookups more reliable.
Start work to allow node restrictions to include country codes. The
syntax to exclude nodes in a country with country code XX is
"ExcludeNodes {XX}". Patch from Robert Hogan. It still needs some
refinement to decide what config options should take priority if
you ask to both use a particular node and exclude it.
Allow ExitNodes list to include IP ranges and country codes, just
like the Exclude*Nodes lists. Patch from Robert Hogan.

Major bugfixes:

Fix a bug when parsing ports in tor_addr_port_parse() that caused
Tor to fail to start if you had it configured to use a bridge
relay. Fixes bug 809. Bugfix on 0.2.1.5-alpha.
When extending a circuit to a hidden service directory to upload a
rendezvous descriptor using a BEGIN_DIR cell, almost 1/6 of all
requests failed, because the router descriptor had not been
downloaded yet. In these cases, we now wait until the router
descriptor is downloaded, and then retry. Likewise, clients
now skip over a hidden service directory if they don't yet have
its router descriptor, rather than futilely requesting it and
putting mysterious complaints in the logs. Fixes bug 767. Bugfix
on 0.2.0.10-alpha.
When fetching v0 and v2 rendezvous service descriptors in parallel,
we were failing the whole hidden service request when the v0
descriptor fetch fails, even if the v2 fetch is still pending and
might succeed. Similarly, if the last v2 fetch fails, we were
failing the whole hidden service request even if a v0 fetch is
still pending. Fixes bug 814. Bugfix on 0.2.0.10-alpha.
DNS replies need to have names matching their requests, but
these names should be in the questions section, not necessarily
in the answers section. Fixes bug 823. Bugfix on 0.2.1.5-alpha.

Minor features:

Update to the "September 1 2008" ip-to-country file.
- Allow ports 465 and 587 in the default exit policy again. We had
rejected them in 0.1.0.15, because back in 2005 they were commonly
misconfigured and ended up as spam targets. We hear they are better
locked down these days.
Use a lockfile to make sure that two Tor processes are not
simultaneously running with the same datadir.
Serve the latest v3 networkstatus consensus via the control
port. Use "getinfo dir/status-vote/current/consensus" to fetch it.
Better logging about stability/reliability calculations on directory
servers.
Drop the requirement to have an open dir port for storing and
serving v2 hidden service descriptors.
Directory authorities now serve a /tor/dbg-stability.txt URL to
help debug WFU and MTBF calculations.
Implement most of Proposal 152: allow specialized servers to permit
single-hop circuits, and clients to use those servers to build
single-hop circuits when using a specialized controller. Patch
from Josh Albrecht. Resolves feature request 768.
Add a -p option to tor-resolve for specifying the SOCKS port: some
people find host:port too confusing.
Make TrackHostExit mappings expire a while after their last use, not
after their creation. Patch from Robert Hogan.
Provide circuit purposes along with circuit events to the controller.

Minor bugfixes:

Fix compile on OpenBSD 4.4-current. Bugfix on 0.2.1.5-alpha.
Reported by Tas.
Fixed some memory leaks -- some quite frequent, some almost
impossible to trigger -- based on results from Coverity.
When testing for libevent functions, set the LDFLAGS variable
correctly. Found by Riastradh.
Fix an assertion bug in parsing policy-related options; possible fix
for bug 811.
Catch and report a few more bootstrapping failure cases when Tor
fails to establish a TCP connection. Cleanup on 0.2.1.x.
Avoid a bug where the FastFirstHopPK 0 option would keep Tor from
bootstrapping with tunneled directory connections. Bugfix on
0.1.2.5-alpha. Fixes bug 797. Found by Erwin Lam.
When asked to connect to A.B.exit:80, if we don't know the IP for A
and we know that server B rejects most-but-not all connections to
port 80, we would previously reject the connection. Now, we assume
the user knows what they were asking for. Fixes bug 752. Bugfix
on 0.0.9rc5. Diagnosed by BarkerJr.
If we are not using BEGIN_DIR cells, don't attempt to contact hidden
service directories if they have no advertised dir port. Bugfix
on 0.2.0.10-alpha.
If we overrun our per-second write limits a little, count this as
having used up our write allocation for the second, and choke
outgoing directory writes. Previously, we had only counted this when
we had met our limits precisely. Fixes bug 824. Patch from by rovv.
Bugfix on 0.2.0.x (??).
Avoid a "0 divided by 0" calculation when calculating router uptime
at directory authorities. Bugfix on 0.2.0.8-alpha.
Make DNS resolved controller events into "CLOSED", not
"FAILED". Bugfix on 0.1.2.5-alpha. Fix by Robert Hogan. Resolves
bug 807.
Fix a bug where an unreachable relay would establish enough
reachability testing circuits to do a bandwidth test -- if
we already have a connection to the middle hop of the testing
circuit, then it could establish the last hop by using the existing
connection. Bugfix on 0.1.2.2-alpha, exposed when we made testing
circuits no longer use entry guards in 0.2.1.3-alpha.
If we have correct permissions on $datadir, we complain to stdout
and fail to start. But dangerous permissions on
$datadir/cached-status/ would cause us to open a log and complain
there. Now complain to stdout and fail to start in both cases. Fixes
bug 820, reported by seeess.
Remove the old v2 directory authority 'lefkada' from the default
list. It has been gone for many months.

Code simplifications and refactoring:

Revise the connection_new functions so that a more typesafe variant
exists. This will work better with Coverity, and let us find any
actual mistakes we're making here.
Refactor unit testing logic so that dmalloc can be used sensibly
with unit tests to check for memory leaks.
Move all hidden-service related fields from connection and circuit
structure to substructures: this way they won't eat so much memory.

September 2008 Progress Report

phobos — Tue, 14 Oct 2008 17:07:12 -0700

Releases
Vidalia 0.1.9 (released September 2) fixes a big pile of bugs and inconveniences in the earlier releases. This new release marks the first "stable" release of Vidalia, in that we have now branched into a stable (0.1.x) branch and a development (0.2.x) branch.
http://trac.vidalia-project.net/browser/vidalia/tags/vidalia-0.1.9/CHANG...

Tor 0.2.0.31 (released September 3) addresses two potential anonymity issues, starts to fix a big bug we're seeing where in rare cases traffic from one Tor stream gets mixed into another stream, and fixes a variety of smaller issues.
http://archives.seul.org/or/announce/Sep-2008/msg00000.html

Tor 0.2.1.6-alpha (released September 30) further improves performance and robustness of hidden services, starts work on supporting per-country relay selection, and fixes a variety of smaller issues.
http://archives.seul.org/or/talk/Oct-2008/msg00093.html

Circumvention Enhancements
From the Vidalia 0.1.9 ChangeLog:
"Correct the location of the simplified Chinese help files so they will actually load again."

From the Tor 0.2.1.6-alpha ChangeLog:
"Start work to allow node restrictions to include country codes. The syntax to exclude nodes in a country with country code XX is "ExcludeNodes {XX}". Patch from Robert Hogan. It still needs some refinement to decide what config options should take priority if you ask to both use a particular node and exclude it."
This feature should allow users in China to specify that they don't want to enter (and/or exit) in China, which in theory could provide stronger security for them.

From the Tor 0.2.1.6-alpha ChangeLog:
"Allow ports 465 and 587 in the default exit policy again. We had rejected them in 0.1.0.15, because back in 2005 they were commonly misconfigured and ended up as spam targets. We hear they are better locked down these days."
This feature lets people use GMail with Tor in more flexible ways. This approach is especially important for people trying to send email in certain configurations when their network wants to block or monitor them.

From the Tor 0.2.1.6-alpha ChangeLog:
"Provide circuit purposes along with circuit events to the controller."
This change will allow Vidalia to mark circuits in its graphical interface, so users don't get confused about why Tor is building strange circuits in the background when it's really just doing encrypted directory updates.

Matt and Andrew fixed a bug in the Vidalia bundle installer where it tried to detect if Firefox was installed, and unclick the "install Torbutton" option if not, but it didn't detect right. Now if Firefox is missing we put up a warning explanation about how you really ought to be using Tor with Firefox.

We also finally started working on a fix for the Vidalia bug where if Vidalia launches Tor and then crashes later, when you start Vidalia again it'll cryptically ask for your control password.
https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ#TorPasswordPro...
The first fix is to add a "reset" button to the cryptic message, that kills Tor for you and restarts it, and a "help" button that explains what's going on. These will be out in the next development Vidalia release, hopefully in October.

Camilo Viecco submitted a patch for our RPM spec (build) file to let us build Red Hat / SuSE packages for 64-bit architectures. Andrew included these patches in 0.2.1.6-alpha.

Advocacy
Steven Murdoch taught a lecture at the FIDIS/IFIP Brno Summer School in the Czech Republic.
http://www.buslab.org/SummerSchool2008/
The presentation was on anti-censorship in general especially on Tor. The students seemed to be interested so he encouraged them to look at Tor and see if there is anything they'd like to work on. We will see if anything comes from that.

We've also been discussing creating a Facebook application, for allowing relay operators to show off that they are running a Tor relay and hopefully encourage more to do so. We think this is a good enough idea to try building it, so Steven has started to do so. As well as adding bling to a user's profile, it would also allow us to map the network of node operators. This is one of the more promising research fields to resist Sybil attacks, see e.g.
"A Sybil-proof one-hop DHT, Chris Lesniewski-Laas"
http://pdos.csail.mit.edu/papers/sybil-dht-socialnets08.pdf

Steven had a related story regarding host-based security from his trainings in Kyrgyzstan and Poland. See also
http://www.f-secure.com/weblog/archives/00001494.html

Jacob was in a story by Declan about Internet Traceback plans:
"The Chinese Government, the NSA, Verisign and the ITU are getting together to trace users"
http://news.cnet.com/8301-13578_3-10040152-38.html

The current issue of Make Magazine has an article on how to use Tor:
http://www.make-digital.com/make/vol15/?pg=102

Helped Kasimir add new Tor controller features so Torstatus can switch to using the v3 directory system:
http://trunk.torstatus.kgprog.com/

Ease of Use
Steven is working on a new branch of Vidalia that can be used in Tor Browser Bundle, for launching Firefox directly without needing the extra installer scripts called "Firefox Portable". If we get this working, then we can hopefully make progress on running multiple Firefoxes at once (one used for Tor launched by TBB, and one used for non-Tor).
http://trac.vidalia-project.net/browser/vidalia/branches/alt-launcher

Jacob Appelbaum worked on a set of instructions for rebranding Firefox, if we decide that we need to call the browser that ships in the Tor Browser Bundle something other than "Firefox". The instructions aren't complete, for example because we need more replacement logos.
https://svn.torproject.org/svn/torbrowser/trunk/build-scripts/branding/
It looks like the process of rebranding Firefox 3 is much more straightforward. We have "move to FF3" on our TBB roadmap.

Work by Martin and Kyle on the Tor VM project continues. We have a very early prototype available now:
http://peertech.org/files/demo/testinfo.html
and we hope to give it some more testing and better documentation in the coming months.

Scalability
Joel Reardon, Ian Goldberg's student at Waterloo, has finished the final version of his thesis "Improving Tor using a TCP-over-DTLS tunnel":
http://uwspace.uwaterloo.ca/handle/10012/4011
We funded this research (along with 4x matching funding from MITACS in Canada) in the hopes that it would move us close enough to being able to switch to a UDP design that we can put it on the Tor development roadmap at some point. Many large challenges remain, but this is also promising work in that it shows that we can expect very serious performance improvements if we go this route.

We've started hunting more thoroughly for solutions to Bug 676:
https://bugs.torproject.org/flyspray/index.php?do=details&id=696
The issue is that some of the v3 directory authorities are keeping bad statistics on uptimes and stability of relays, which means they are not assigning the Stable or Guard flag correctly to them. The result is that the networkstatus consensus mislabels them, and clients end up not choosing relays or circuits in an efficient manners. This bug not only results in bad performance for clients, but also results in overloading some relays, leading to worse performance.

From the Tor 0.2.1.6-alpha ChangeLog:
"Implement most of Proposal 152: allow specialized servers to permit single-hop circuits, and clients to use those servers to build single-hop circuits when using a specialized controller. Patch from Josh Albrecht. Resolves feature request 768."
"Fixed some memory leaks -- some quite frequent, some almost impossible to trigger -- based on results from Coverity."

Several security- and integrity-related bugfixes from Tor 0.2.0.31:
"Make sure that two circuits can never exist on the same connection with the same circuit ID, even if one is marked for close. This is conceivably a bugfix for bug 779. Bugfix on 0.1.0.4-rc."
"Relays now reject risky extend cells: if the extend cell includes a digest of all zeroes, or asks to extend back to the relay that sent the extend cell, tear down the circuit. Ideas suggested by rovv."
"If not enough of our entry guards are available so we add a new one, we might use the new one even if it overlapped with the current circuit's exit relay (or its family). Anonymity bugfix pointed out by rovv."

August 2008 Progress Report

phobos — Sun, 21 Sep 2008 16:05:39 -0700

Releases

Vidalia 0.1.7 (released August 2) fixes a bug that caused Vidalia to not recognize Tor's version correctly in Tor 0.2.0.x, adds an "nsh2po" tool that helps Pootle translate the Vidalia bundle installer strings, adds "TZ=UTC" to the BrowserExecutable's environment variables when launched via Vidalia, and updates the Czech, French, and German translations.
http://trac.vidalia-project.net/browser/vidalia/tags/vidalia-0.1.7/CHANG...

Incognito 2008.1 (released August 2) is a Gentoo-based Tor LiveCD. This new release adds a "walkthrough" which will launch on startup; adds language support for Arabic, Green, Hebrew, Russian, and Swedish; improves the support for Chinese and Japanese fonts; adds support for VMWare and partial support for VirtualBox; switches to Tor 0.2.0.30 and Torbutton 1.2.0; and adds some new privacy-supporting software and removes some applications that are too likely to leak private information.
https://svn.torproject.org/svn/incognito/trunk/ChangeLog

Tor 0.2.1.3-alpha (released August 3) implements most of the pieces to prevent infinite-length circuit attacks (see proposal 110); fixes a bug that might cause exit relays to corrupt streams they send back; allows address patterns (e.g. 255.128.0.0/16) to appear in ExcludeNodes and ExcludeExitNodes config options; and fixes a big pile of bugs.
http://archives.seul.org/or/talk/Aug-2008/msg00039.html

Tor 0.2.1.4-alpha (released August 4) fixes a pair of crash bugs in 0.2.1.3-alpha.
http://archives.seul.org/or/talk/Aug-2008/msg00039.html

Tor Browser Bundle 1.1.2 (released August 9) updates Vidalia to version 0.1.6, updates Firefox to 2.0.0.16, updates Tor to 0.2.1.4-alpha, updates Torbutton to 1.2.0, and disables the TZ=UTC environment variable trick since Vidalia 0.1.7 now handles that for us.
https://svn.torproject.org/svn/torbrowser/trunk/README

Vidalia 0.1.8 (released August 17) makes the bandwidth graph window look better for languages like Farsi, includes ssleay32.dll in the Windows packages so Vidalia won't crash when it finds an incompatible version of ssleay32.dll in the user's $PATH, makes "escape" and "return" shortcuts for the settings window, and fixes a variety of other bugs.
http://trac.vidalia-project.net/browser/vidalia/tags/vidalia-0.1.8/CHANG...

Tor 0.2.0.30 (released July 15, announced August 21) switches to a more efficient directory distribution design, adds features to make connections to the Tor network harder to block, allows Tor to act as a DNS proxy, adds separate rate limiting for relayed traffic to make it easier for clients to become relays, fixes a variety of potential anonymity problems, and includes the usual huge pile of other features and bug fixes.
http://archives.seul.org/or/announce/Aug-2008/msg00000.html

Tor Browser Bundle 1.1.3 (released August 22) fixes a bug in the 0.1.2 release that messed up translations in the homepage, adds "small=1" to the homepage URL so it doesn't show the huge green onion by default, and updates Vidalia to 0.1.8.
https://svn.torproject.org/svn/torbrowser/trunk/README

Tor 0.2.1.5-alpha (released August 31) moves us closer to handling IPv6 destinations, puts in a lot of the infrastructure for adding authorization to hidden services, lays the groundwork for having clients read their load balancing information out of the networkstatus consensus rather than the individual router descriptors, addresses two potential anonymity issues, and fixes a variety of smaller issues.
http://archives.seul.org/or/talk/Sep-2008/msg00072.html

Blocking resistance
The Tor 0.2.1.3-alpha and 0.2.1.4-alpha releases include more fixes for hidden service performance and robustness, have slightly improved bootstrap status event behavior, and start hunting down a horrible bug that looks like it could leak private information:
https://bugs.torproject.org/flyspray/index.php?do=details&id=779

Now that the Tor 0.2.0.30 release has been declared stable, ordinary users will finally get bridge features, the new harder-to-block network protocol, and other features by default.

Core Development
We're working on a draft for a new "automatic software update" protocol, code-named Glider, that incorporates the previous proposals 153 and 154 but is easier to extend to other packages, and is easier to implement and maintain on the server side. We hope to have this new draft out as an actual proposal document, along with some early prototypes of the server side, in September.
https://svn.torproject.org/svn/updater/trunk/specs/glider-spec.txt
Part of the ongoing development question is how to write the client side of this auto update engine in a convenient and easy language like Python, yet have it still be extremely compact on the client side -- since Windows doesn't include Python by default, shipping a Python interpreter with the auto updater could add 10MB to the package size.

Roger sent the list of "research directions we should look at" to or-dev, so more people could look at it:
http://archives.seul.org/or/dev/Aug-2008/msg00031.html
We are working these items into a more comprehensive research and development roadmap; stay tuned.

Advocacy
We answered a lot of press organizations about Tor and the Olympics this month. Our main goal was to explain to technical people how bridges work, what they're for, and explain that in most countries right now Tor works just fine out of the box, so bridges are the backup plan for later down the arms race. The CCC (and others) succeeded in making some good press articles, e.g.
http://www.rsf.org/article.php3?id_article=27991
http://www.guardian.co.uk/technology/2008/aug/07/censorship.hacking
http://www.guardian.co.uk/commentisfree/2008/aug/05/china.censorship

Roger attended Black Hat and Defcon. His Defcon talk was:
"Attacks/Vulnerabilities on Tor: past, present, future"
Slides are at http://freehaven.net/~arma/slides-dc08.pdf
He had a packed room of 500+ people. Lucky Green summarized his take-away from the talk as "we would love to work with you if you find any problems with Tor, and we have a good track record of working well with the community." That sounds like what we were aiming for. We're still waiting for the video to come out so we can link to it from the documentation page.

We also talked a lot with the Mozilla people about privacy-impacting bugs in Firefox. We have a list now:
https://www.torproject.org/torbutton/design/#FirefoxBugs
and should start looking for good Firefox developers to fix them and funding to incent them to do so.

We put up our mid-August NLnet reports:
https://www.torproject.org/projects/hidserv#Aug08
https://www.torproject.org/projects/lowbandwidth#Aug08

Jacob spent a long week of hacking in Argentina, for DebConf 8 (the yearly Debian Conference). Lots of Tor advocacy. Another box of Tor stickers applied to many many laptops. Lots of people were interested in Tor and many many people installed Tor on both laptops and servers. This advocacy resulted in at least two new high bandwidth nodes that he helped the administrators configure. The first is in Japan. The second is our first major high bandwidth node in New Zealand.

Coverity (coverity.com) is now scanning Tor. It found a bunch of minor memory leaks, a few false positives, and some other miscellaneous bugs. Nick fixed almost all of the bugs in a quick afternoon, excepting some testing code that has some resource leaks. Jacob is going to work on getting other Tor related projects into Coverity.

Mike Perry has been working lately on publicity for moving more high-profile websites to use SSL correctly. Last year at Defcon he reported a bug in how many sites (including GMail) handle their cookies: he basically described an easy way for anybody in Starbucks to steal your GMail cookie and log into your gmail account, even if you are always very careful to only use "https" when logging in to your gmail account. The attack works because cookies *can* be set with an "only present this cookie on an SSL connection" flag when they're created, but no sites actually set this flag because they are concerned about usability. This attack is easy to perform as a Tor exit relay too. This year, Mike presented an actual tool that performs this attack on a local wireless network in an automated way. Some high-profile sites are slowly moving to use more secure login approaches.

Matt Edman finished running the "Vidalia logo design contest". The contest resulted in 76 entries. There were a lot of questionable submissions (Vidalia ninjas?!), but there were also a few great ones. He is tending towards this entry as his choice for the new Vidalia logo:
http://www.worth1000.com/view.asp?entry=479229

Usability
Incognito 2008.1 (released August 2) is a Gentoo-based Tor LiveCD. This new release adds a "walkthrough" which will launch on startup; adds language support for Arabic, Green, Hebrew, Russian, and Swedish; improves the support for Chinese and Japanese fonts; adds support for VMWare and partial support for VirtualBox; switches to Tor 0.2.0.30 and Torbutton 1.2.0; and adds some new privacy-supporting software and removes some applications that are too likely to leak private information.
https://svn.torproject.org/svn/incognito/trunk/ChangeLog

Incognito now comes with much more thorough documentation about which software packages are included, and how they are configured:
http://www.browseanonymouslyanywhere.com/incognito/uploadfiles/docs.html

Incognito's next step is to work on a "hardened" option that uses a more secure kernel and other applications. The goal is to keep the same usability but be even less vulnerable to application-level and kernel-level attacks that could be used to gain access to the system and then try to unveil the user.

Tor Browser Bundle 1.1.2 (released August 9) updates Vidalia to release 0.1.6, updates Firefox to 2.0.0.16, updates Tor to 0.2.1.4-alpha, updates Torbutton to 1.2.0, and disables the TZ=UTC environment variable trick since Vidalia 0.1.7 now handles that for us.
https://svn.torproject.org/svn/torbrowser/trunk/README

We're working on a new branch of Vidalia that can be used in Tor Browser Bundle, for launching Firefox directly without needing the extra installer scripts called "Firefox Portable". If we get this working, then we can hopefully make progress on running multiple Firefoxes at once (one used for Tor launched by TBB, and one used for non-Tor).
http://trac.vidalia-project.net/browser/vidalia/branches/alt-launcher

The German CCC organization put together a version of the Tor Browser Bundle called the "Freedom Stick" for use in teaching the media about the Chinese firewall and the Olympics:
http://chinesewall.ccc.de/freedomstick-en.html

Scalability
From the Tor 0.2.1.5-alpha ChangeLog:
"More progress toward proposal 141: Network status consensus documents and votes now contain bandwidth information for each router and a summary of that router's exit policy. Eventually this will be used by clients so that they do not have to download every known descriptor before building circuits."

We're worked on getting "Tor Weather" back up and working:
https://weather.torproject.org/
Weather is a service to let relay operators get notified when their relay is unreachable for an extended period of time. It's still in its early experimental stages, but it's already proved useful to its early testers. It's also using SSL as its base URL now.

Jacob has also been working on a Tor network map, to visualize where our relays are. Using all of the known descriptors, it maps each node with some GeoIP code and plot it onto a map. You can interact with the data to see the IP address of each node, the node name and the city/country information if we could find it. Sadly, it *will* lock your browser up for one or two minutes, as there's a lot of data to parse:
http://freehaven.net/~ioerror/maps/v3-tormap.html

Tor 0.2.0.31 Released

phobos — Mon, 08 Sep 2008 21:34:15 -0700

A better formatted version of this can be found at the OR-Announce Archives.

Tor 0.2.0.31 addresses two potential anonymity issues, starts to fix
a big bug we're seeing where in rare cases traffic from one Tor stream
gets mixed into another stream, and fixes a variety of smaller issues.

https://www.torproject.org/download.html

Changes in version 0.2.0.31 - 2008-09-03
o Major bugfixes:
- Make sure that two circuits can never exist on the same connection
with the same circuit ID, even if one is marked for close. This
is conceivably a bugfix for bug 779. Bugfix on 0.1.0.4-rc.
- Relays now reject risky extend cells: if the extend cell includes
a digest of all zeroes, or asks to extend back to the relay that
sent the extend cell, tear down the circuit. Ideas suggested
by rovv.
- If not enough of our entry guards are available so we add a new
one, we might use the new one even if it overlapped with the
current circuit's exit relay (or its family). Anonymity bugfix
pointed out by rovv.

o Minor bugfixes:
- Recover 3-7 bytes that were wasted per memory chunk. Fixes bug
794; bug spotted by rovv. Bugfix on 0.2.0.1-alpha.
- Correctly detect the presence of the linux/netfilter_ipv4.h header
when building against recent kernels. Bugfix on 0.1.2.1-alpha.
- Pick size of default geoip filename string correctly on windows.
Fixes bug 806. Bugfix on 0.2.0.30.
- Make the autoconf script accept the obsolete --with-ssl-dir
option as an alias for the actually-working --with-openssl-dir
option. Fix the help documentation to recommend --with-openssl-dir.
Based on a patch by "Dave". Bugfix on 0.2.0.1-alpha.
- Disallow session resumption attempts during the renegotiation
stage of the v2 handshake protocol. Clients should never be trying
session resumption at this point, but apparently some did, in
ways that caused the handshake to fail. Bug found by Geoff Goodell.
Bugfix on 0.2.0.20-rc.
- When using the TransPort option on OpenBSD, and using the User
option to change UID and drop privileges, make sure to open
/dev/pf before dropping privileges. Fixes bug 782. Patch from
Christopher Davis. Bugfix on 0.1.2.1-alpha.
- Try to attach connections immediately upon receiving a RENDEZVOUS2
or RENDEZVOUS_ESTABLISHED cell. This can save a second or two
on the client side when connecting to a hidden service. Bugfix
on 0.0.6pre1. Found and fixed by Christian Wilms; resolves bug 743.
- When closing an application-side connection because its circuit is
getting torn down, generate the stream event correctly. Bugfix on
0.1.2.x. Anonymous patch.