phobos's blog

New releases, new hires, new funding

On March 9, we released Tor 0.2.1.13-alpha. It includes the following fixes and enhancements:

o Major bugfixes:
- Correctly update the list of which countries we exclude as exits, when the GeoIP file is loaded or reloaded. Diagnosed by lark. Bugfix on 0.2.1.6-alpha.

o Minor bugfixes (on 0.2.0.x and earlier):
- Automatically detect MacOSX versions earlier than 10.4.0, and
disable kqueue from inside Tor when running with these versions.
We previously did this from the startup script, but that was no
help to people who didn't use the startup script. Resolves bug 863.
- When we had picked an exit node for a connection, but marked it as
"optional", and it turned out we had no onion key for the exit,
stop wanting that exit and try again. This situation may not
be possible now, but will probably become feasible with proposal read more »

A number of people are reporting that AntiVir's latest update is reporting trojan Dropper.Gen in the Tor Browser Bundle version 1.1.11, specifically the "Start Tor Browser.exe" program.

This appears to be a false positive from AntiVir. No one has confirmed they've checked the pgp signature with their download of TBB. You may want to confirm you've actually downloaded our package, https://www.torproject.org/verifying-signatures.

False positives occurs often enough we have a FAQ entry about it, https://www.torproject.org/faq#VirusFalsePositives

You can read more about the trojan at http://www.avira.ro/en/threats/section/details/id_vir/3647/tr_dropper.ge...

I'm building a VM to specifically test this AntiVir version against Start Tor Browser.exe to see what inside the executable is triggering the false positive.

An updated Tor Browser Bundle is released to address the Firefox 3.0.7 security issues. It includes:

• Update Firefox to 3.0.8
• Add Italian language bundles
• Update Torbutton to 1.2.1
• Update Vidalia to 0.1.12

This updated TBB can be downloaded from https://www.torproject.org/easy-download as the "zero install bundle".

One of the most requested upgrades to Vidalia is a better map of the world. We looked into a few different technologies and decided on KDE's Marble interface. Marble enables an accurate mapping of nodes according to their geolocation, allows for future enhancements such as "click a country to start or end your Tor circuit", and plugins for extra data views. This also gives us the ability to use Qt's Webkit browser to display custom information about nodes, circuits, or anything else in a pop-up window. An anonymous funder covered the costs involved in developing this feature. We thank them for their support. read more »

Tor 0.2.1.13-alpha includes another big pile of minor bugfixes and
cleanups. We're finally getting close to a release candidate.

https://www.torproject.org/download

Changes in version 0.2.1.13-alpha - 2009-03-09
Major bugfixes:

• Correctly update the list of which countries we exclude as
  exits, when the GeoIP file is loaded or reloaded. Diagnosed by
  lark. Bugfix on 0.2.1.6-alpha.

Minor bugfixes (on 0.2.0.x and earlier):

• Automatically detect MacOSX versions earlier than 10.4.0, and
  disable kqueue from inside Tor when running with these versions.
  We previously did this from the startup script, but that was no
  help to people who didn't use the startup script. Resolves bug 863.
• When we had picked an exit node for a connection, but marked it as
  "optional", and it turned out we had no onion key for the exit, read more »

We worked with Sami from Global Voices to update their guide to blogging anonymously. The big changes are more screenshots, easier instructions, and suggested use of the Tor Browser Bundle by default; as it's generaly plug and play.

The Citizen Media Law Project also has a good guide to anonymity online. Be sure to check out the legal challenges to anonymity online and legal protections to anonymous speech as well.

New releases, new hires, new funding
On February 8, we released versions 0.2.0.34-stable and 0.2.1.12-alpha.

Tor 0.2.0.34 features several more security-related fixes. You should upgrade, especially if you run an exit relay (remote crash) or a directory authority (remote infinite loop), or you're on an older (pre-XP) or not-recently-patched Windows (remote exploit).

This release marks end-of-life for Tor 0.1.2.x. Those Tor versions have many known flaws, and nobody should be using them. You should upgrade. If you're using a Linux or BSD and its packages are obsolete, stop using those packages and upgrade anyway.

Enhancements
In Tor 0.2.1.12-alpha, if we're using bridges and our network goes away, be more willing to forgive our bridges and try again when we get an application request. Bugfix on 0.2.0.x. read more »

The Berkman Center has released their report on the landscape of circumvention technologies as it was in 2007. Tor was included in this test and comes out as a secure tool with some improvements needed. Technology Review also picked up this report and wrote an article on the results.

Since the original publication of the report, we've responded to and improved a number of identified weaknesses. The main focus has been on usability of the software. Tor is easier to understand, configure, and install. We've worked on finding translators for the various parts of the suite of tools that comprise Tor. We developed and enhanced a Firefox plugin called Torbutton. The current Torbutton mitigates all known browser-based anonymity attacks. Torbutton is included in our bundles and is automatically installed into the user's Firefox browser configuration. Torbutton can be found at https://torproject.org/torbutton/ or https://addons.mozilla.org/en-US/firefox/addon/2275. read more »