anonymity advocacy

August 2009 Progress Report

phobos — Mon, 21 Sep 2009 07:19:26 -0700

New releases

On August 4, we released Tor Browser Bundle 1.2.7. It is updated primarily due to Firefox 3.0.13 with its ssl fixes.

The full changelist is:
1.2.7: Released 2009-08-04

update Firefox to 3.0.13
add Polish translation
update libevent to 1.4.12

On August 19, we released Tor Browser Bundle 1.2.8. The big changes are the inclusion of statically linked openssl dlls to resolve a few geoip lookup and functionality issues with Vidalia, and the upgrade to the new Vidalia 0.2.2.

The full list of updates and fixes:

update Torbutton to 1.2.2
update Vidalia to 0.2.2
compile OpenSSL 0.9.8k with Visual C to make dlls
update Pidgin to 2.6.1

On August 3rd, we release Vidalia 0.2.1. This is a major change in the way OS X and Windows bundles are installed, as well as many usability enhancements. This also sets the stage for a plugin-API being developed over the next few months.

The changes are:

Add a "Find Bridges Now" button that will attempt to automatically
download a set of bridge addresses and add them to the list of bridges
in the Network settings page.
Add support for building with Google's Breakpad crash reporting
library (currently disabled by default).
Show or hide the "Who has used my bridge recently?" link along with
the other bridge-related widgets when the user toggles the relay mode
in the Network settings page. (Ticket #480)
Tolerate bridge addresses that do not specify a port number, since Tor
now defaults to using port 443 in such cases.
Add support for viewing the map as a full screen widget when built
with KDE Marble support.
Compute the salted hash of the control password ourself when starting
Tor, rather than launching Tor once to hash the password, parsing the
output, and then again to actually start Tor.
Add a signal handler that allows Vidalia to clean up and exit normally
when it catches a SIGINT or SIGTERM signal. (Ticket #481)
If the user chooses to ignore further warnings for a particular port,
remove it from the WarnPlaintextPorts and RejectPlaintextPorts
settings immediately. Also remember their preferences and reapply them
later, even if Tor is unable to writes to its torrc.(Ticket #493)
Don't display additional plaintext port warning message boxes until
the first visible message box is dismissed. (Ticket #493)
Renamed the 'make win32-installer' CMake target to 'make dist-win32'
for consistency with our 'make dist-osx' target.
Fix a couple bugs in the WiX-based Windows installer related to building
a Marble-enabled Vidalia installer.
Write the list of source files containing translatable strings to a
.pro file and supply just the .pro file as an argument to lupdate, rather
than supplying all of the source file names themselves.

On August 14th, we release Vidalia 0.2.2. It addresses an issue with openssl which causes the geoip lookups to fail on various versions of Windows. It also switches from the Nullsoft Installer to the Microsoft System Installer for better compatibility with Microsoft Windows.
There are now separate Apple OS X builds, one for PowerPC architectures and one for i386 architectures. No more Universal binary bloat to download.
The changes are:

When the user clicks "Browse" in the Advanced settings page to locate
a new torrc, set the initial directory shown in the file dialog to the
current location of the user's torrc. (Ticket #505)
Use 'ditto' to strip the architectures we don't want from the Qt
frameworks installed into the app bundle with the dist-osx,
dist-osx-bundle and dist-osx-split-bundle build targets.
Fix a bug in the CMakeLists.txt files for ts2po and po2ts that caused
build errors on Panther for those two tools.
Include rebuilt OpenSSL libraries in the Windows packages that are
built with the static (/MT) version of the Microsoft Visual C++
Runtime. Otherwise, we would require users to install the MSVC
Redistributable, which doesn't work for portable installations such as
the Tor Browser Bundle.
Remove the NSIS file for the Vidalia installer since we now ship
MSI-based installers on Windows.

On August 27th, we released Vidalia 0.2.3. This fixes some more bugs with "Who has used by bridge" functionality and switches to Qt signals for event handling.
The changes are:

Create the data directory before trying to copy over the default
Vidalia configuration file from inside the application bundle on Mac
OS X. Affects only OS X drag-and-drop installer users without a
previous Vidalia installation.
Change all Tor event handling to use Qt's signals and slots mechanism
instead of custom QEvent subclasses.
Fix another bug that resulted in the "Who has used my bridge?" link
initially being visible when the user clicks "Setup Relaying" from
the control panel if they are running a non-bridge relay.
(Ticket #509, reported by "vrapp")
Always hide the "Who has used my bridge?" link when Tor isn't running,
since clicking it won't return useful information until Tor actually
is running.

On August 9th, we released Torbutton 1.2.2.
The changes and enhancements are:

bugfix: Workaround Firefox Bug 440892 to prevent external apps from
being launched (and thus bypassing proxy settings) without user
confirmation. Independently reported by Greg Fleischer and optimist.
bugfix: Create a separate "No Proxy For" option and remove the
string "localhost" from proxy exemptions. Prevents a theoretical
proxy bypass condition discovered by optimist. Fix based on patch from
optimist.
bugfix: bug 970: Purge undo tab list on Tor toggle.
bugfix: bug 1040: Scrub URLs from log level 4 and higher log messages.
Mac OS writes Firefox console messages to disk by default.
bugfix: bug 1033: Fix FoxyProxy conflict that caused some FoxyProxy
strings to fail to display.
misc: bug 1006: Pop up a more specific failure message for pref
changing errors during Tor toggle.
misc: Fix a couple of strict javascript warns on FF3.5
misc: Add chrome url protection call to conceal other addons during
non-Tor usage. Patch by Sebastian Lisken.
misc: Remove torbutton log system init message that may have scared some
paranoids.

Architecture and technical design docs

Update our secure updater, Thandy, to have optional BitTorrent support to distribute load spikes following new releases better. Currently, it uses the mainline BitTorrent libraries that can be installed along with Thandy, but there is also some groundwork to support other BitTorrent libraries later on.

Advocacy and outreach.

Andrew, Jacob, Karsten, Mike, Nick, and Roger attended the Privacy Enhancing Technologies Symposium in Seattle, WA. Details can be found at http://petsymposium.org/2009/. Jacob, Karsten, Mike, and Roger each presented their work on Tor.

Jacob, Karsten, Mike, Roger, and Sebastian attended Hacking at Random 2009 in Vierhouten, Netherlands. Details of the conference can be found at https://wiki.har2009.org/page/Main_Page. Jacob and Roger presented about Tor.

Jacob attended FooCamp 2009. More details can be found at http://foocamp09.wiki.oreilly.com/wiki/index.php/Main_Page. Jacob presented about Tor.

Andrew contacted Tor relay operators that started running a relay between June 12, 2009 and July 13, 2009; ostensibly for the Iranian protest movement. Of the 37 new relays, 13 had gone offline. After contacting the relay operators, 7 of the 13 are back online.

Preconfigured privacy (circumvention) bundles for USB or LiveCD.

On August 4, we released Tor Browser Bundle 1.2.7. It is updated primarily due to Firefox 3.0.13 with its ssl fixes.

The full changelist is:
1.2.7: Released 2009-08-04

update Firefox to 3.0.13
add Polish translation
update libevent to 1.4.12

The full list of updates and fixes:

update Torbutton to 1.2.2
update Vidalia to 0.2.2
compile OpenSSL 0.9.8k with Visual C to make dlls
update Pidgin to 2.6.1

Jacob and Steve Tyree started work on a portable Tor Browser Bundle for Apple OS X. Jacob started work on a portable Tor Browser Bundle for generic Linux. Both bundles are currently in developer testing, gearing up for an alpha release in September 2009.

Updated TorVM with current packages for torbutton, tor, qemu. Added geoip and pycrypto to TorVM.

Scalability, load balancing, directory overhead, efficiency.

Continued metrics work with torperf and directory request statistics. Update bufferstats report, http://git.torproject.org/checkout/metrics/master/report/buffer/bufferst...
Updated circuit window report, http://git.torproject.org/checkout/metrics/master/report/circwindow/circ...

updated statistics on directory requests, http://git.torproject.org/checkout/metrics/master/report/dirarch/

And updated measurements on overall tor network performance, http://git.torproject.org/checkout/metrics/master/report/performance/tor...

Continued work on our bandwidth node scanner to provide better extra-info for clients to make better routing decisions.

Added a seventh directory authority run by Jacob Appelbaum.

More reliable (e.g. split) download mechanism.

Christian Fromme started work on our email auto-responder, get-tor, to better handle split downloads via email.

Jon, our mirror volunteer, continued to contact mirrors and update their status accordingly. The net change is zero, but we added a new mirror and removed a stale mirror.

Translation work

Runa, our Google Summer of Code student, finished the project to allow for website content to be translated via the Tor Translation Portal, https://translation.torproject.org/. The conversion tools are now live and Danish and Farsi are the first languages enabled in the Tor Translation Portal for testing.

In August, there were:

8 Russian updates for the website
29 Polish updates for the website
15 Chinese updates for the website
Danish updates for Torbutton
Nederlandish updates for Torbutton

Anonymity by Design versus by Policy

phobos — Wed, 16 Sep 2009 20:44:30 -0700

There have been some recent stories in the news about various "anonymous" bloggers and commenters being unmasked by court order. A business promises not to give up your identity unless forced to do so via court order. This is anonymity by policy. If a business doesn't have your identity, then there is nothing to divulge. This is anonymity by design.

Advocates for anonymous comments understand the value of being able to speak freely. However, if you're simply connecting from your home or office, parts of your identity are leaked to the site on which you commented. As shown above, you can be unmasked fairly easily. Some sites simply respond to a subpoena, others legal threats, and still others simply don't care; giving away your identity with any request. There are plenty of valid reasons to want to protect your identity in a blog, comment, or feedback form.

I've participated in "anonymous reviews" being conducted in a company where employees get to give their opinion on anything in the company: strategy, management, branding, etc. Human Resources rolls out the "anonymous survey" with great fanfare as a chance for the line employees to get their voice heard. At the same time, upper management asks IT to ascertain which IP address maps to which employee, whether connecting internally or not. Employees quickly figure out what's going on and feel undervalued and coerced into toeing the company line. And management lacks the feedback they probably should hear. In this case, anonymity by policy doesn't help anyone actually improve the company.

Another example is the Iraqi Rewards Program run by the CIA. It's designed such that concerned Iraqi's can report illegal activities and get a reward for verified intelligence. Essentially, an anonymous tip line. The issue is an Iraqi citizen will go into an Internet cafe and have an encrypted conversation with cia.gov. This is bad for the people who want to report something. An observer on the network only sees someone talking to cia.gov with encryption. A truly anonymous tip line should protect the identity of the tipster, and provide the tipster with the ability to divulge as much of their identity as comfortable.

The examples and news stories above show you the difference between anonymity by policy and anonymity by design. We encourage the courts to keep raising the requirements before forcing a provider to divulge your identity. We encourage companies to learn how privacy can enhance their relationship with their customers. We designed Tor such that relying on court tests and company policies isn't your only protection. Tor users and relay operators don't have the data to divulge. This is anonymity and privacy by design.

July 2009 Progress Report

phobos — Mon, 10 Aug 2009 01:07:57 -0700

New releases

On July 8th, we released Vidalia 0.1.15..

On July 8th, we updated the Tor 0.2.0.35-stable bundles with the new Vidalia to fix an ssl issue and the Firefox Torbutton extension installation for OS X users.

On July 8th, we released Tor 0.2.1.17-rc.

Tor Browser Bundle 1.2.3 was released on July 8, 2009.
TBB 1.2.3 was replaced by 1.2.4 on July 11, 2009
TBB 1.2.5 was released on July 25th. It solely included an update to Tor 0.2.1.18 .
TBB 1.2.6 was released on July 28th. It solely included an update to Tor 0.2.1.19.

On July 24th, we released Tor 0.2.1.18.

On July 28th, we released Tor 0.2.1.19.

Make Tor a better tool for users in censored countries

Tor 0.2.1.18 is our new stable. That is, this is the first stable release
of the 0.2.1.x branch. The 0.2.0.x branch went stable in July of 2008.
From the 0.2.1.18 release:

If the bridge config line doesn't specify a port, assume 443.
This makes bridge lines a bit smaller and easier for users to
understand.

If we're using bridges and our network goes away, be more willing
to forgive our bridges and try again when we get an application
request.

Architecture and technical design docs for Tor enhancements related to blocking-resistance.

Proposal 166 details four steps we're taking to safely collect data
about Tor's network performance and network usage: 1) directory client
counts by country, 2) entry guard client counts by country, 3) relay
cell statistics, and 4) exit traffic by port and volume.
https://git.torproject.org/checkout/tor/master/doc/spec/proposals/166-st...

Hide Tor's network signature

Part of the reason why Tor might be especially slow in Iran could
be that they're doing deep packet inspection (DPI) to throttle SSL
connections. Tor's strategy of looking like SSL might turn out to be a
bad move in this case. It's hard to tell whether the SSL throttling is
actually happening, of course, because we get plenty of mixed information
from our sources in Iran. But if it *is* happening, we should start
investigating traffic obfuscation approaches that a) don't look like SSL,
but b) don't look recognizably like any other protocol.

Some other Iran circumvention developers have come up with a patch to
obfuscate ssh traffic:
http://github.com/brl/obfuscated-openssh/tree/master
http://c-skills.blogspot.com/2008/12/sshv2-trickery.html

Sometime soon we should start looking at designs to super-encrypt the
Tor link traffic in this way.

Grow the Tor network and user base. Outreach

On July 1st, Andrew gave a detailed Tor talk at the National Cyber Forensics and Training Alliance. Andrew's blog about the event is at https://blog.torproject.org/blog/visit-ncfta.

On July 7th, Andrew was a panelist for the CIMA/NED discussion on Iran and the Role of New Media, http://cima.ned.org/events/new-media-in-iran.html. Andrew's blog about the event is at https://blog.torproject.org/blog/cimaned-panel-iran-and-new-media.

On July 15th, Andrew presented Tor at Webinno22, http://www.webinnovatorsgroup.com/2009/07/06/the-webinno22-demo-companie.... Further discussions about online privacy startups and business deals with various investors and their seed companies are continuing since this event.

June 2009 Progress Report

phobos — Sat, 11 Jul 2009 19:06:32 -0700

New releases

On June 20th we released Tor 0.2.1.16-rc.
On June 21st, we released Tor Browser Bundle 1.2.1.
On June 23rd, we released Tor Browser Bundle 1.2.2.
On June 24th, we released Tor 0.2.0.35-stable. We expect that this release is the last of the 0.2.0.x -stable series, soon to be replaced with the 0.2.1.x series.
On June 30th, we released Vidalia 0.1.14.

Censorship circumvention

Packaged rpms for Red Flag Linux version 6. Red Flag Linux is reported to be the new operating system for all Internet cafe's in China. So far, no one has seen this conversion actually happen, but now we're ready if it does.

Our email autoresponder, gettor , received a number of patches to deal with dkim issues, including finding a dkim bug that prevented yahoo email users from fetching Tor. This bug has been fixed. Additionally, we've whitelisted some domains where we
see we're having lots of use but dkim isn't always configured properly. We've had thousands of users from China using gettor.

Outreach/Advocacy

Andrew, Roger, and Wendy attended Computers, Freedom, and Privacy 2009 Conference (http://www.cfp2009.org). Andrew presented a “quicktake” talk on “Who uses Tor?”. Andrew and Roger, along with Paul Syverson, and a North African blogger, hosted a panel on “It Takes A Village To Be Anonymous”. Due to the sensitive situation surrounding the blogger, this panel was not recorded.

Andrew talked with the Committee to Protect Journalists (http://cpj.org) about online security and circumvention tools.

Jillian C. York blogged at KnightPulse about “Average citizens browse anonymously
”, http://www.knightpulse.org/blog/09/06/04/average-citizens-browse-anonymo...

Due to Iranian's usage of Tor during the recent election, the general press/media conducted a few interviews with Andrew:

Computer World, http://www.computerworld.com/action/article.do?command=viewArticleBasic&...
Cnet News, http://news.cnet.com/8301-13578_3-10267287-38.html
Deutche Welle, http://www.dw-world.de/dw/article/0,,4400882,00.html
Technology Review, http://www.technologyreview.com/web/22893/
Origo, in Hungary, http://www.origo.hu/techbazis/internet/20090618-a-kiberforradalmarok-feg...
O'Reilly, http://radar.oreilly.com/2009/06/tor-and-the-legality-of-runnin.html
Washington Times, http://www.washingtontimes.com/news/2009/jun/26/protesters-use-navy-tech...
Arte TV video interview, the 30-minute video interview can't be put online, but will be shown to their viewers in late June/early July 2009. http://www.arte.tv
EFF, http://www.eff.org/deeplinks/2009/06/help-protesters-iran-run-tor-relays...
A Houston Radio station did an on-air interview, but didn't put the interview online.
A Romanian newspaper did an interview, but didn't put the story online.
Public Rado International did a more in-depth interview. They expect it to be on PBS Radio and BBC Radio 4 in early July 2009.

A number of blogs and other media picked up these original interviews and spread the word even further:

Preconfigured privacy (circumvention) bundles for USB or LiveCD.

Tor Browser Bundle 1.2.1 and 1.2.2 released in June. Planning a migration of the base operating system for the Incognito LiveCD to switch from Gentoo to an Ubuntu variant. We can always use help in maintaining Incognito.

Scalability, load balancing, directory overhead, efficiency.

June was spent documenting, stabilizing, and streamlining the bandwidth authority scanner, which has been runningfor a while on the Directory Authority named ides.

It is good enough to start running on multiple authorities now to produce actual results for clients to use.

More reliable (e.g. split) download mechanism.

Our email autoresponder, gettor , received a number of patches to deal with dkim issues, including finding a dkim bug that prevented yahoo email users from fetching Tor. This bug
has been fixed. Additionally, we've whitelisted some domains where we see we're having lots of use but dkim isn't always configured properly. We've had thousands of users from China using gettor.

The Tor Check website (check.torproject.org) had a few bugs and we've fixed all but two. We sometimes still have false negatives (because the Tor client doesn't know to fetch the consensus at any specific time) and we also still sometimes barf python exceptions because mod_python has some weird exception from time to time. We also accepted a patch from Marcus Greip that extends the TorBulkExitList to allow arbitrary ports rather than just port 80.

Footprints from Tor Browser Bundle.

Reduced the scanning for plugins Portable Firefox can do on launch of the application. There is still an issue where Firefox displays other plugins to users, but they aren't actually valid plugins and won't run on command. Firefox acquires the names through queries to the Windows Registry.

Translations

16 Polish website updates
8 Italian website updates
3 German website updates

Tips for Running an Exit Node with Minimal Harassment

mikeperry — Sun, 21 Jun 2009 03:08:08 -0700

I have noticed that a lot of new exit nodes have recently appeared on the network. This is great news, since exit nodes are typically on the scarce side. Exits usually occupy 30-33% of network by capacity, but are currently at a whopping 38.5% (156 MBytes/sec out of 404 total).

However, I want to make sure that these nodes stay up and don't end up being shut down due to easily preventable abuse complaints. I've run a number of exit nodes on a few different ISPs and not only have I lived to tell about it, I've have not had one shut down yet. Moreover, I've only received about 4 abuse complaints in as many years of running exit nodes. This is in stark contrast to other node operators following a more reactive strategy. I'm convinced this is largely because I observe the following pro-active guidelines.

1. Inform your ISP
This is the most important rule for running a long-lived exit node, especially if you have your choice of ISP. Pick an ISP you can trust, and let them know exactly what is going on. Explain Tor to them, and why it is important to the Internet, the world, and to you, their customer. Giving them links to our Tor Users, Tor Overview, Tor Legal FAQ and Tor Abuse FAQ is typically immensely helpful. Mentioning China and the current conflict in Iran are also likely to be helpful. If your ISP is your University, you may also want to peruse this set of recommendations specific to dealing with University administrators.

If your ISP does not approve, all is not lost: you can look into running a middle node, or a much less visible bridge node. It is better to learn this up front, rather than have your Internet connection shut down on you without warning. Exit bandwidth is often scarce, but any node is better than no node.

2. Get a separate IP for the node. Do not route your own traffic via this IP
While it may be tempting to mix in your traffic with your node's exit traffic for cover, this is best avoided. Having a separate IP allows your ISP to more easily recognize that abuse complaints and DMCA notices can be forwarded to you to be quickly responded to with a boilerplate response, as opposed to cutting off your Internet access or providing your personal information to the copyright cartels.

3. Get recognizable Reverse DNS for this IP
Setting a good reverse DNS name for your exit IP helps to prevent knee-jerk reactions from sysadmins and DoS kiddies alike who run into bad apples coming from your node IP. Something like tor-exit.yourdomain.org or tor-proxy-readme.yourdomain.org is the best bet.

4. Set up a Tor Exit Notice
Once you have a good reverse DNS name, you should put some content there that explains what Tor is for those who see the name and try to visit it via http. If you run your DirPort on port 80 with Tor 0.2.1.x or newer, you can use the Tor config option "DirPortFrontPage" to display a notice explaining that you are running an exit node. A sample one is provided in contrib/tor-exit-notice.html in the source distribution. This way, when someone sees tor-proxy-readme.yourdomain.org in their logs, they hopefully will get the hint and read the notice before flaming you. Be sure to update the contact info and other places marked with FIXME in the notice.

5. Get ARIN registration (if possible)
If you can get your ISP to SWIP your IP block to display a contact and abuse email that you control, this can go a long way to reducing aggravation that they may feel from dealing with the occasional abuse complaint, because the vast majority of the few complaints that are still made will go to you instead of them.

6. Rate limit and optionally QoS your node
I've recently conducted some measurements that showed that nodes that used Tor's BandwidthRate config option to set a limit slightly below their actual capacity were much more reliable than those that did not. Along these lines, it may also be useful to use this Linux-based QoS script to prioritize your Tor IP traffic below other traffic on your machine. Similar QoS can also be achieved via DDWRT, openwrt and of course via commercial routers. If you use do QoS other than that script, you should ensure that you provide Tor with a reasonable minimum bandwidth so that it does not starve when you do other things. Somewhere between 33 and 50% of your connection is a reasonable minimum value.

That's it! Happy operating!

May 2009 Progress Report

phobos — Wed, 10 Jun 2009 11:41:55 -0700

New releases
On May 25, we released Tor 0.2.1.15-rc.
On May 17, we released Tor VM 0.0.2.
On May 25, we released Vidalia 0.1.13 containing

Remove an old warning on the relay settings page that running a bridge
relay requires Tor 0.2.0.8-alpha or newer.
Add a workaround for a bug that prevented Vidalia's tray icon from
getting added to the system notification area on Gnome when Vidalia was
run on system startup. Patch by Steve Tyree. (Ticket #247)
Fix a bug that prevented the control panel from displaying when
running on the Enlightenment window manager. Patch by Steve Tyree.
Rename the CMake variables used to store the location of Qt's lupdate
and lrelease executables. Recent versions of CMake decided to use the
same variable name, which was stomping on mine, resulting in the wrong
lupdate and lrelease executables being used.
Use the TorProcess subclass of QProcess for launching Tor when hashing
a control password so we can take advantage of its PATH+=:/usr/sbin
trick on Debian there too.
If a RouterDescriptor object is empty, don't try to display it in the
router descriptor details viewer. (Ticket #479)
Wait until Vidalia has registered for log events via the control port
before ignoring Tor's output on stdout. Previously we would start
ignoring Tor's stdout after successfully authenticating, but before
registering for log events which, in some cases, could lead to
messages not appearing in the message log.
Update many translations and remove others than are no longer
up-to-date enough to be useful.

On May 25th, we released Tor Browser Bundle 1.2.0 containing

Switch to launching Firefox directly from Vidalia to
allow multiple instances of Firefox
Update Firefox to 3.0.10
Update to Qt 4.5.1
Update Firefox prefs.js to stop scanning for plugins
Update libevent to 1.4.11
Include the Tor geoip database
Update Vidalia to 0.1.13
Update Tor to 0.2.1.15-rc

Design, develop, and implement enhancements that make Tor a better
tool for users in censored countries.

Matt added "fetch bridges" features to Vidalia 0.2.x. This provides a link to automatically request bridges from https://bridges.torproject.org for users.

Architecture and technical design docs for Tor enhancements
related to blocking-resistance.
Proposal 160 aims to let authorities modify the bandwidth they put in
the consensus for each relay. This step will allow us to adjust the
weights we advertise for clients, once the measurements from TorFlow
start giving us better weights.
https://git.torproject.org/checkout/tor/master/doc/spec/proposals/160-ba...

Proposal 161 describes how node bandwidth ratios are
computed and how they can be produced in parallel.
https://git.torproject.org/checkout/tor/master/doc/spec/proposals/161-co...

Proposal 162 describes "consensus flavors": the size of the networkstatus
consensus is critical, since every user fetches it every few hours. So
we need a way to add new fields -- and remove old fields -- in a way
that lets old clients continue to use the consensus. The current plan
is to build and distribute several different versions at once, so each
client can fetch the one with the format they expect.
https://git.torproject.org/checkout/tor/master/doc/spec/proposals/162-co...

Proposal 163 starts to consider the problem of clients using relays as
single-hop proxies. If many clients start doing this (say, to improve
their own performance), it puts additional risk on the relays, since now
an attacker can expect to discover both client origins and destinations
by attacking the relay. Our current strategy for forcing clients to use
more than one hop is quite fragile, and it looks like we will soon need
more robust strategies.
https://git.torproject.org/checkout/tor/master/doc/spec/proposals/163-de...

Proposal 164 suggests ways to make it easier for relay operators to
discover why they are not listed in the networkstatus consensus. We have
a handle of people each week ask us on IRC why their relay isn't listed,
and currently the only way to answer is to have a competent directory
authority operator go dig around in various files in his datadirectory.
https://git.torproject.org/checkout/tor/master/doc/spec/proposals/164-re...

Proposal 165 focuses on simplifying the steps required to add a new
directory authority. The current approach requires manual work from every
directory authority operator within a space of several hours. As the
number of authorities grows, this synchronization is becoming impractical
-- and that's causing us to leave the number of authorities small, which
makes us vulnerable to other attacks. Once this proposal is finalized
and deployed, we'll hopefully be able to add new authorities more
smoothly.
https://git.torproject.org/checkout/tor/master/doc/spec/proposals/165-si...

Grow the Tor network and user base. Outreach.
Jacob attended CONFidence in Krakow, Poland as a keynote speaker. http://2009.confidence.org.pl/

Andrew and Jacob attended the Soul of a New Machine conference in Berkeley, CA. http://hrc.berkeley.edu/events/newmachineconference/

Roger and Andrew attended the 7th Annual Chinese Internet Research Conference in Philadelphia, PA. http://www.global.asc.upenn.edu/index.php?page=167

Karsten attended SIGINT 09 in Cologne.

Mike gave a presentation on TorFlow at CodeCon.

Roger met with Nick, Paul Syverson and Aaron Johnson at Yale to work more on Paul's research question: if we trust some Tor relays differently than others, how should we select our paths to be safe, and how do we analyze how safe the paths are?

Roger did a talk for about 15 OSI people in Budapest, Hungary.

Preconfigured privacy (circumvention) bundles for USB or LiveCD
The two large changes were the ability to run multiple instances of Firefox at once, such that a user's personal firefox shouldn't share data with the firefox from our bundle. The other change is the ability to stop TBB firefox from scanning the system for potential plugins, like Windows Media, Java, etc.

Started work on a hardened branch of Incognito live CD to help protect users from possible bugs in the programs running.

Scalability, load balancing, directory overhead, efficiency.

We documented the metrics we collect to help us determine the best ways to scale the Tor network. http://blog.torproject.org/blog/performance-measurements-and-blockingres... A number of nodes are now collecting this information to assist our network-wide measurements.

Much progress on torctl and torflow tools being used to measure real and potential performance of nodes in the public tor network.

Mike wrote proposal 161 describing how node bandwidth ratios are
computed and how they can be produced in parallel. The proposal can be found at http://git.torproject.org/checkout/tor/master/doc/spec/proposals/161-com...

Karsten finished a first patch to dump statistics about local queues to disk every 15 minutes. A first impression of how these data could be evaluated can be found in http://freehaven.net/~karsten/volatile/bufferstats-2009-05-25.pdf. The goal is to see if our buffer allocation algorithms are sufficient or need tweaking.

More reliable (e.g. split) download mechanism.
Developed the ability to split Apple OS X bundles into 1.44MB chunks. The functionality is native to OS X versions 10.4 and newer. It will not work in versions 10.3.9 or earlier releases.

Translation work, ultimately a browser-based approach
11 Polish updates
4 German updates
Portugese torbutton updates
Danish torbutton updates
Romanian torbutton updates
11 Italian updates
3 Chinese updates

Updated guide to blogging anonymously

phobos — Thu, 12 Mar 2009 17:58:05 -0700

We worked with Sami from Global Voices to update their guide to blogging anonymously. The big changes are more screenshots, easier instructions, and suggested use of the Tor Browser Bundle by default; as it's generaly plug and play.

The Citizen Media Law Project also has a good guide to anonymity online. Be sure to check out the legal challenges to anonymity online and legal protections to anonymous speech as well.

February 2009 Progress Report

phobos — Tue, 10 Mar 2009 08:24:22 -0700

New releases, new hires, new funding
On February 8, we released versions 0.2.0.34-stable and 0.2.1.12-alpha.

Tor 0.2.0.34 features several more security-related fixes. You should upgrade, especially if you run an exit relay (remote crash) or a directory authority (remote infinite loop), or you're on an older (pre-XP) or not-recently-patched Windows (remote exploit).

This release marks end-of-life for Tor 0.1.2.x. Those Tor versions have many known flaws, and nobody should be using them. You should upgrade. If you're using a Linux or BSD and its packages are obsolete, stop using those packages and upgrade anyway.

Enhancements
In Tor 0.2.1.12-alpha, if we're using bridges and our network goes away, be more willing to forgive our bridges and try again when we get an application request. Bugfix on 0.2.0.x.

Continued to develop research and coding items for improving Tor's performance using a number of techniques. We're focusing on six main reasons for slow performance: congestion control, tcp backoff, wrong window sizes at start, lack of priority for circuit control cells, and user load from peer to peer bulk data transfers.

We've implemented KDE Marble as an alternate visualization of the world into Vidalia. The first phase is to get a better 3-D globe for clients. The next phase is to enable “click to exit” so users can choose their country of preference for exit nodes. More on this coming in a future blog post.

Outreach
Andrew and Roger attended an Open Society Institute Forum on, “The Future of Freedom and Control in the Internet Age”, http://www.soros.org/initiatives/fellowship/events/freedom_20090210. Rebecca MacKinnon and Evgeny Morozov both mentioned Tor and its positive uses multiple times during the talk and subsequent Q&A.

Andrew attended Mobile Activism 4 Change barcamp on February 21. This generated some citizen media press about security, privacy, and anonymity in reference to the mobile activist world. You can read more at http://barcamp.org/MobileTechForSocialChangeNewYork.

Jacob attended the InfoActivism camp, http://www.informationactivism.org/, in Bangalore, India. He gave 20 presentations, trainings, and lectures on Tor.

Produced a guide to Tor and circumvention with the Center for Human Rights and Democracy in Saudi Arabia, http://cdhr.info.

Worked with Global Voices (http://globalvoicesonline.org/) to update their guide to anonymous blogging with Tor and Wordpress; http://advocacy.globalvoicesonline.org/projects/guide/. We recommend the Tor Browser Bundle by default, and provide clearer instructions and more pictures to assist users in getting configured quickly and securely.

There was a talk at BlackHat from Xinwen Fu. Our official response and thoughts on the topic are available at https://blog.torproject.org/blog/one-cell-enough

From Feb 6-9, Roger, Nick, Wendy, and Andrew attended ShmooconV, http://shmoocon.org/, in February. Discussed Tor present and futures with many of the attendees.

End of Feb, Steven and Roger went to Financial Crypto 2009. We talked more with economics and "economics of information security" professors and researchers to get a better intuition about how to balance usability and load on the network. Steven also did a lightning talk on the "TLS footprint" arms race question: should we wait to fix known flaws, to slow down the arms race, or should we fix everything asap to discourage the censors from even trying?

Feb 17, Roger did a guest lecture on Tor in Drexel's senior-level computer
security class.

In Feb we also met with the Freedom House (http://www.freedomhouse.org/), to help them understand how Tor works and to try to help with the trainings they're organizing.

Jillian C. York continued her blogging for Tor at KnightPulse with “From Tunisia to Japan: Anonymity Everywhere”, http://www.knightpulse.org/blog/09/02/25/tunisia-japan-anonymity-everywh...

Tor bundles for USB drives or LiveCDs
On February 18, we released Tor Browser Bundle 1.1.9 with an updated Tor version to 0.2.1.12-alpha, Vidalia updated to 0.1.11, and Firefox 3.0.6. Andrew has taken over building the bundle to reduce the time between tor releases and bundles which include it. This should make PETER from the blog happy.

Updated the Incognito LiveCD TODO list to provide some more direction and tasks for the near future, http://archives.seul.org/or/cvs/Feb-2009/msg00056.html

We continued development and enhancement of TorVM with software updates to libevent, openwrt, vidalia, openvpn, tor, and win pcap. Enhanced the self-extraction and build scripts for easier creation by less technical users.

Scalability, load balancing, directory overhead, and efficiency
We wrote up a summary of directory overhead work here:
https://blog.torproject.org/blog/overhead-directory-info%3A-past%2C-pres...

Csaba Kiraly has been doing research on how to reduce the overall load on the Tor network, while also reducing latency for clients: http://archives.seul.org/or/dev/Feb-2009/msg00000.html

Alternate acquisition methods
Updated our get-tor email auto-responder to include more languages, added in the English version of the tor browser bundle, tested gmail download and resuming interrupted downloads, and fleshed out the design for easier localization of the message text and commands.

Translation
We had a combined 113 commits across Polish, Chinese, Italian, German, Spanish, Russian, Argentinian, Brazilian Portuguese, and Romanian languages. 41 of these commits were through our translation portal.

Black t-shirts by user request

phobos — Tue, 17 Feb 2009 11:36:01 -0800

Our fine green t-shirts have been a hit over the past few years. By the sheer number of requests we've received for another color, it appears not everyone is comfortable wearing the conversation starting green. We now have black t-shirts. Just like the green shirts, these are Fruit of the Loom "tagless" 100% cotton t-shirts. They have the Tor logo and domain name on the front, nothing on the back.

The conditions for receiving them are still the same:

A large enough ($65+) donation to the Tor Project.
Operate a fast Tor relay that's been running for the past two months: you are eligible if you allow exits to port 80 and you average 100 KB/s traffic, or if you're not an exit but you average 500 KB/s traffic.
Help out in other ways. Maintain a translation for the website. Write a good support program and get a lot of people to use it. Do research on Tor and anonymity, solve some of our bugs, or establish yourself as a Tor advocate.

The pictures just have the shirts folded in half so you can see the detail.

In praise of multiple options for circumvention

phobos — Mon, 16 Feb 2009 16:31:16 -0800

I was asked the other day why we don't advocate for just Tor as the one tool to rule them all. My glib answer is "of course we do, however the larger the toolbox, the better off the world."

Expanding on that notion, the various anonymity, privacy, and circumvention tools target different people and use cases. Tor advocates for Anonymity first, circumvention second. It would be very naive of us to think that we can solve all use cases. In fact, it would be silly of us to try to dictate the needs of any user. The larger the ecosystem of privacy and anonymity tools, the more options for users, and the better off we are as a whole.

At the core, Tor is a protocol and a set of specifications. Others can take our documentation and build upon it for their own tool. The EU PRIME project did this and created a fully Java implementation of Tor with a GUI. The result was called OnionCoffee. It's woefully out of date now, but the proof of concept stands; it can be done. The purpose of specifying a protocol is to leave interpretation and implementation as open as possible. Imagine if the creators of the Internet Protocol restricted implementations to exactly as they had envisioned 40-something years ago. As for Tor, there is much more protocol work to be done, research completed, and our reference implementation polished before we can consider online anonymity solved, or even close to solved.

We are often asked, "I use tool X, what do you think about it? Should I switch to Tor?"

Instead of an answer, we ask a series of questions to find out why they use X; for the reasons of learning more about X, why people choose X, and what Tor may lack. It turns out, they use X because their friends use X, and they know the strengths and weaknesses of the software well. It may not be perfect, but they know what the software can and cannot do. They know if a tool is compromised, or access to the service is shut off, they can switch to another. If there was only one tool, once it is blocked or disappears, the users are screwed. Isn't it great to have options?

Obviously, we state that Tor is a fine solution, and perhaps they should add the concept of anonymity and our software to their list of options. Our goal is educating users to help themselves and others. Anyone who suggests otherwise is trying to sell you something.