Blogs

The New Research from Northeastern University

We’ve been speaking to journalists who are curious about a HotPETS 2016 talk from last week: the research paper HOnions: Towards Detection and Identification of Misbehaving Tor HSDirs, by our colleagues at Northeastern University. Here's a short explanation, written by Donncha and Roger.

Internally, Tor has a system for identifying bad relays. When we find a bad relay, we throw it out of the network.

But our techniques for finding bad relays aren't perfect, so it's good that there are other researchers also working on this problem. Acting independently, we had already detected and removed many of the suspicious relays that these researchers have found.

The researchers have sent us a list of the other relays that they found, and we're currently working on confirming that they are bad. (This is tougher than it sounds, since the technique used by the other research group only detects that relays *might* be bad, so we don't know which ones to blame for sure.)

It's especially great to have this other research group working on this topic, since their technique for detecting bad relays is different from our technique, and that means better coverage.

As far as we can tell, the misbehaving relays' goal in this case is just to discover onion addresses that they wouldn't be able to learn other ways—they aren't able to identify the IP addresses of hosts or visitors to Tor hidden services.

The authors here are not trying to discover new onion addresses. They are trying to detect other people who are learning about onion addresses by running bad HSDirs/relays.

This activity only allows attackers to discover new onion addresses. It does not impact the anonymity of hidden services or hidden service clients.

We have known about and been defending against this situation for quite some time. The issue will be resolved more thoroughly with the next-generation hidden services design. Check out our blog post, Mission: Montreal!
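As an added illustration (not code from the paper or from Tor), the block below assumes the honion approach as described in the research: onion addresses that are never advertised are created, the HSDirs that stored each descriptor are recorded, and any visit to such an address implicates those HSDirs. The relay names and placements are constructed. It shows why a visit only says a relay *might* be bad: several different relays can explain the same observations.

```python
from itertools import combinations

# Constructed sample data (not the paper's): each honion is an onion address
# that was never advertised anywhere, mapped to the HSDirs that stored its
# descriptor during the observation window. In the live network a descriptor
# is stored on a small fixed set of responsible HSDirs; these sets are invented.
PLACEMENTS = {
    "honion-1": {"A", "B", "C", "D", "E", "F"},
    "honion-2": {"C", "G", "H", "I", "J", "K"},
    "honion-3": {"L", "M", "N", "O", "P", "Q"},
}

# Constructed: honions that received a connection nobody should have known about.
VISITED = {"honion-1", "honion-2"}


def suspects(placements, visited):
    """All HSDirs that could have leaked at least one visited address."""
    out = set()
    for honion in visited:
        out |= placements[honion]
    return out


def minimal_explanations(placements, visited):
    """Smallest sets of HSDirs that together account for every visit
    (a minimum hitting set over the visited honions' HSDir sets).

    Returns a sorted list of tuples. More than one tuple means the
    observations are consistent with several different culprits, which is
    why a honion visit implicates a relay without proving it guilty.
    Brute force: fine for tens of relays, exponential beyond that."""
    if not visited:
        return []
    universe = sorted(suspects(placements, visited))
    for size in range(1, len(universe) + 1):
        found = [
            combo for combo in combinations(universe, size)
            if all(set(combo) & placements[h] for h in visited)
        ]
        if found:
            return found
    return []


def blame_report(placements, visited):
    """Summarize: everyone implicated, the cheapest explanations, and the
    relays present in every cheapest explanation (the strongest suspects)."""
    explanations = minimal_explanations(placements, visited)
    common = set(explanations[0]) if explanations else set()
    for combo in explanations[1:]:
        common &= set(combo)
    return {
        "implicated": sorted(suspects(placements, visited)),
        "explanations": explanations,
        "strongest": sorted(common),
    }


if __name__ == "__main__":
    # With honion-1 and honion-2 visited, only relay C explains both visits
    # on its own; with a single visit, six relays are equally plausible.
    print(blame_report(PLACEMENTS, VISITED))
    print(blame_report(PLACEMENTS, {"honion-1"}))
```

Even the "strongest" relay here is only the most parsimonious explanation, not proof; the operators still have to confirm each relay by other means before removing it.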

A Quick, Simple Guide to Tor and the Internet of Things (So Far)

"The Internet of Things" is the remote control and networking of everyday devices ranging from a family's lawn sprinkler or babycam to a corporation's entire HVAC system.

Tor Project contributor Nathan Freitas, Executive Director of The Guardian Project, has developed a new way to use Tor's anonymous onion services to protect the "Internet of Things." The new system, while experimental, is also scalable.

The system uses Home Assistant, a free, open-source platform built on Python that can run on Raspberry Pi and other devices. It can easily be set up to control and network people’s “Internet of Things”: home security systems, toasters, thermostats, smart lightbulbs, weather sensors and other household appliances. The new "Tor Onion Service Configuration" setup is available on their website.

"The Tor Project wants Tor privacy technology to be integrated into everyday life so that people don't have to log on to it—their privacy and security are built in. Nathan's work with Home Assistant is an early but important milestone," said Shari Steele, Tor's Executive Director.

The great danger with the "Internet of Things" (or IoT) is the opportunity for surveillance--for an individual hacker or a state actor to accumulate, store, and exploit very private information against individuals or companies.

These attacks are far from hypothetical: we've read about attackers who were able to see and speak to a baby through a babycam, or to hack and control a car. Attackers stole 40 million credit card numbers after they hacked into a national retailer's HVAC system and used it to reach the retailer's computer systems and its customers.

Tor has developed a way to build a buffer of privacy between the baby and the Internet--so that the baby (or the HVAC system) is never exposed to the open Internet at all. Instead of a hackable, single point of failure, attackers must contend with the global network of thousands of Tor nodes.

"Too many 'Things' in our homes, at our hospitals, in our businesses and throughout our lives are exposed to the public Internet without the ability to protect their communication. Tor provides this, for free, with real-world hardened, open-source software and strong, state-of-the-art cryptography," said Nathan Freitas, Executive Director of the Guardian Project.

“Networked sensors and the Internet of Things are projected to grow substantially, and this has the potential to drastically change surveillance. The still images, video, and audio captured by these devices may enable real-time intercept and recording with after-the-fact access. Thus an inability to monitor an encrypted channel could be mitigated by the ability to monitor from afar a person through a different channel.”

--"DON'T PANIC," Berkman Klein Center's report on encryption
https://cyber.law.harvard.edu/pubrelease/dont-panic/

More Information:

• Guardian Project video explaining the Tor/Home Assistant system: https://www.youtube.com/watch?v=j2yT-0rmgDA

• Guardian Project's easy-to-understand slides:
https://github.com/n8fr8/talks/blob/master/onion_things/Internet%20of%20...

• Home Assistant page on setting up Tor:
https://home-assistant.io/cookbook/tor_configuration/

The Tor Project Elects New Board of Directors

Today, the board of directors of the Tor Project is announcing a bold decision in keeping with its commitment to the best possible health of the organization.

Says Tor's Executive Director Shari Steele, "I think this was an incredibly brave and selfless thing for the board to do. They’re making a clear statement that they want the organization to become its best self."

A Statement from the Board of Directors of The Tor Project

As Tor's board of directors, we consider it our duty to ensure that the Tor Project has the best possible leadership. The importance of Tor's mission requires it; the public standing of the organization makes it possible; and we are committed to achieving it.

We had that duty in mind when we conducted an Executive Director search last year, and appreciate the leadership Shari Steele has brought. To support her, we further believe that it is time that we pass the baton of board oversight as the Tor Project moves into its second decade of operations.

Accordingly, we are pleased to announce an excellent slate of new directors who have agreed to serve on Tor's board. The old directors have, as of July 12, 2016, elected these directors as the new Tor board:

Matt Blaze
Cindy Cohn 
Gabriella Coleman
Linus Nordberg
Megan Price   
Bruce Schneier

Roger Dingledine and Nick Mathewson will continue in their roles as co-founders of the Tor Project, leading Tor's technical research and development. We will all continue to support Tor's mission, community, management, and organization; and we are happy to offer Shari, the new board, and the entire team our help and knowledge. We thank the Tor community for their patience and help in this transition.

Signed,

Roger Dingledine
Meredith Hoban Dunn
Ian Goldberg
Nick Mathewson
Julius Mittenzwei
Wendy Seltzer
Rabbi Rob Thomas

--------

Biographies of Incoming Board Members
(Photos available upon request)
 
Matt Blaze is a professor in the computer and information science department at the University of Pennsylvania, where he directs the Distributed Systems Laboratory. He has been doing research on surveillance technology for over 20 years, as well as cryptography, secure systems, and public policy.
 
Cindy Cohn is the Executive Director of the Electronic Frontier Foundation (EFF). From 2000 to 2015 she served as EFF’s Legal Director as well as its General Counsel. Ms. Cohn first became involved with EFF in 1993, when EFF asked her to serve as the outside lead attorney in Bernstein v. Dept. of Justice, the successful First Amendment challenge to the U.S. export restrictions on cryptography. Since then, Ms. Cohn has worked to ensure that people around the world have the right to access information and communicate privately and anonymously, including mounting lawsuits against NSA spying, providing legal counsel to computer programmers building and developing privacy and anonymity tools, and helping to develop the Necessary and Proportionate Principles applying international human rights standards to digital communications surveillance.
 
The National Law Journal named Ms. Cohn one of 100 most influential lawyers in America in 2013, noting: "[I]f Big Brother is watching, he better look out for Cindy Cohn." She was also named one of the 100 most influential lawyers in 2006 for "rushing to the barricades wherever freedom and civil liberties are at stake online."  In 2007 the National Law Journal named her one of the 50 most influential women lawyers in America. In 2010 the Intellectual Property Section of the State Bar of California awarded her its Intellectual Property Vanguard Award and in 2012 the Northern California Chapter of the Society of Professional Journalists awarded her the James Madison Freedom of Information Award.
 
Bruce Schneier is an internationally renowned security technologist, called a "security guru" by The Economist. He is the author of 14 books -- including the New York Times best-seller Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World -- as well as hundreds of articles, essays, and academic papers. His influential newsletter "Crypto-Gram" and blog "Schneier on Security" are read by over 250,000 people. Schneier is a fellow at the Berkman Center for Internet and Society at Harvard University, a Lecturer in Public Policy at the Harvard Kennedy School, a board member of the Electronic Frontier Foundation and the Tor Project, and an advisory board member of EPIC and VerifiedVoting.org. He is also a special advisor to IBM Security and the Chief Technology Officer of Resilient.
 
Gabriella (Biella) Coleman holds the Wolfe Chair in Scientific and Technological Literacy at McGill University. Trained as an anthropologist, her scholarship explores the intersection of the cultures of hacking and politics, with a focus on the sociopolitical implications of the free software movement and the digital protest ensemble Anonymous.  She has authored two books, Coding Freedom: The Ethics and Aesthetics of Hacking (Princeton University Press, 2012) and Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous (Verso, 2014), which was named to Kirkus Reviews’ Best Books of 2014 and was awarded the Diana Forsythe Prize by the American Anthropological Association. Her work has been featured in numerous scholarly journals and edited volumes. Committed to public ethnography, she routinely presents her work to diverse audiences, teaches undergraduate and graduate courses, and has written for popular media outlets, including the New York Times, Slate, Wired, MIT Technology Review, Huffington Post, and the Atlantic.
 
Linus Nordberg is a longtime internet and privacy activist who has been involved with Tor since 2009. He's a software developer who specializes in network security and operating internet services. Since his start at Tor he's developed code, run services, and advocated for the Tor Project. He's one of the founders of the Swedish digital rights organization DFRI (Digitala Fri- och Rättigheter) and through it is involved in the European umbrella public policy organization EDRi (European Digital Rights).
 
Megan Price, Executive Director of the Human Rights Data Analysis Group, designs strategies and methods for statistical analysis of human rights data for projects in a variety of locations including Guatemala, Colombia, and Syria. Her work in Guatemala includes serving as the lead statistician on a project in which she analyzes documents from the National Police Archive; she has also contributed analyses submitted as evidence in two court cases in Guatemala. Her work in Syria includes serving as the lead statistician and author on three reports, commissioned by the Office of the United Nations High Commissioner of Human Rights (OHCHR), on documented deaths in that country.

Megan is a member of the Technical Advisory Board for the Office of the Prosecutor at the International Criminal Court, a Research Fellow at the Carnegie Mellon University Center for Human Rights Science, and she is the Human Rights Editor for the Statistical Journal of the International Association for Official Statistics (IAOS). She earned her doctorate in biostatistics and a Certificate in Human Rights from the Rollins School of Public Health at Emory University. She also holds a master of science degree and bachelor of science degree in Statistics from Case Western Reserve University.

--------

The Tor Project develops and distributes free software and has built an open and free network that helps people defend against online surveillance that threatens personal freedom and privacy. Tor is used by human rights defenders, diplomats, government officials, and millions of ordinary people who value freedom from surveillance.

The Tor Project's Mission Statement: "To advance human rights and freedoms by creating and deploying free and open anonymity and privacy technologies, supporting their unrestricted availability and use, and furthering their scientific and popular understanding."

For media inquiries, contact press at tor project dot org.

Tor 0.2.8.5-rc is released

Tor 0.2.8.5-rc has been released! You can download the source from the Tor website. Packages should be available over the next week or so.

Tor 0.2.8.5-rc is the second release candidate in the Tor 0.2.8 series. If we find no new bugs or regressions here, the first stable 0.2.8 release will be identical to it. It has a few small bugfixes against previous versions.

PLEASE NOTE: This is a release candidate. We think that we solved all of the showstopper bugs, but we also thought the same thing about 0.2.8.4-rc: crucial bugs may remain. Please only run this release if you're willing to test and find bugs. If no showstopper bugs are found, we'll be putting out 0.2.8.6 as a stable release.

Changes in version 0.2.8.5-rc - 2016-07-07

  • Directory authority changes:
    • Urras is no longer a directory authority. Closes ticket 19271.
  • Major bugfixes (heartbeat):
    • Fix a regression that would crash Tor when the periodic "heartbeat" log messages were disabled. Fixes bug 19454; bugfix on tor-0.2.8.1-alpha. Reported by "kubaku".
  • Minor features (build):
    • Tor now again builds with the recent OpenSSL 1.1 development branch (tested against 1.1.0-pre6-dev). Closes ticket 19499.
    • When building manual pages, set the timezone to "UTC", so that the output is reproducible. Fixes bug 19558; bugfix on 0.2.2.9-alpha. Patch from intrigeri.
  • Minor bugfixes (fallback directory selection):
    • Avoid errors during fallback selection if there are no eligible fallbacks. Fixes bug 19480; bugfix on 0.2.8.3-alpha. Patch by teor.
  • Minor bugfixes (IPv6, microdescriptors):
    • Don't check node addresses when we only have a routerstatus. This allows IPv6-only clients to bootstrap by fetching microdescriptors from fallback directory mirrors. (The microdescriptor consensus has no IPv6 addresses in it.) Fixes bug 19608; bugfix on 0.2.8.2-alpha.
  • Minor bugfixes (logging):
    • Reduce pointlessly verbose log messages when directory servers can't be found. Fixes bug 18849; bugfix on 0.2.8.3-alpha and 0.2.8.1-alpha. Patch by teor.
    • When a fallback directory changes its fingerprint from the hard-coded fingerprint, log a less severe, more explanatory log message. Fixes bug 18812; bugfix on 0.2.8.1-alpha. Patch by teor.
  • Minor bugfixes (Linux seccomp2 sandboxing):
    • Allow statistics to be written to disk when "Sandbox 1" is enabled. Fixes bugs 19556 and 19957; bugfix on 0.2.5.1-alpha and 0.2.6.1-alpha respectively.
  • Minor bugfixes (user interface):
    • Remove the warning message "Service [scrubbed] not found after descriptor upload". This message appears when one uses the HSPOST control command to upload a service descriptor. Since there is only a descriptor and no service, showing this message is pointless and confusing. Fixes bug 19464; bugfix on 0.2.7.2-alpha.
  • Fallback directory list:
    • Add a comment to the generated fallback directory list that explains how to comment out unsuitable fallbacks in a way that's compatible with the stem fallback parser.
    • Update fallback whitelist and blacklist based on relay operator emails. Blacklist unsuitable (non-working, over-volatile) fallbacks. Resolves ticket 19071. Patch by teor.
    • Update hard-coded fallback list to remove unsuitable fallbacks. Resolves ticket 19071. Patch by teor.

Selfrando: Q and A with Georg Koppen

Georg Koppen is a longtime Tor browser developer. He and Tor developer Mike Perry worked to integrate Selfrando into Tor browser.

Tell us about Selfrando, the new code being tested for Tor Browser.

Selfrando randomizes Tor browser code to ensure that an attacker doesn't know where the code is on your computer. This makes it much harder for someone to construct a reliable attack--and harder for them to use a flaw in your Tor Browser to de-anonymize you. 

How were you and Tor's Mike Perry involved in the project?  

We mainly worked on integrating Selfrando in Tor Browser where needed and tested it as well as we could. We closely read the paper and helped to improve it. The bulk of the work was done by the other researchers. These are Mauro Conti, Stephen Crane, Tommaso Frassetto, Andrei Homescu, Per Larsen, Christopher Liebchen, and Ahmad-Reza Sadeghi.

Can you talk about Tor's relationship with the research community?

Tor relies on the research community to ethically investigate unsolved issues with Tor software. We work closely with research groups in the anonymity space, the security space, in privacy research, etc. 

Tor is the focus of many researchers. We have rigorous documentation and open, transparent development processes. We also have a working product, Tor Browser, that easily reaches 1 to 2 million users, with testing channels where one can try new defenses first and refine them as needed, as we are doing with the Selfrando project. 

When will Selfrando be available for ordinary Tor users (in the stable version)?

The first thing to note here is that Selfrando is currently only available for a fraction of our users: those who have a 64-bit Linux system. The Selfrando folks are working on a version for Windows which is not yet ready.

I think that Tor browser version 6.5 might be a bit too early for a stable release. However, if user testing shows this is okay, Selfrando will make it in. A more conservative approach is pointing to Tor browser version 7.0.

That’s a pretty long time from now (next spring!). How can people help Tor speed it up?

We need more users testing things--more experienced people trying out our nightly/alpha builds. 

Selfrando's development is good so far and the browser integration work has not been so tricky; the main problem is being confident enough that it does not break some random user setups while everything is fine and working on our testing machines.

Specifically, we need more experienced people running Linux 64-bit operating systems to download and try our hardened nightly builds. They can download the latest hardened nightly build and look for the latest "nightly-hardened" build in general at https://people.torproject.org/~linus/builds/. Obviously, these are test versions of the Tor Browser--we're trying to look for bugs.

Will there be future collaborations with these researchers?

To port Selfrando to Windows and OSX and make it available to our users, yes!

How do you feel about the fact that the research community is teaming up with Tor to strengthen Tor browser against attacks?

I think this is great as it gives us another valuable ally to make our users safer. And in the longer run, all other users with "normal" browsers could benefit from that, too.

______________________________________________________________

The researchers behind Selfrando will present their project in July at the Privacy Enhancing Technologies Symposium in Darmstadt, Germany.

An advance copy of their research paper is available here.

Selfrando is available for use in other open-source projects on Github.

TorBirdy 0.2.0: Sixth Beta Release

We are pleased to announce the sixth beta release of TorBirdy and the first in the 0.2 series: TorBirdy 0.2.0. All users are encouraged to upgrade as this release fixes numerous security and privacy issues.

Notable changes include fixing local timestamp disclosure in the date and the message-ID headers, as detailed in tickets #6314 and #6315. The patch for sanitizing the date header is shipped with TorBirdy. The patch for the message-ID header was submitted upstream to Mozilla and merged in Thunderbird 45, and it is therefore recommended that you upgrade to Thunderbird 45 if possible.
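The two header leaks above, worked through as an added example that is not TorBirdy's own code. The normalization it applies is an assumption chosen for illustration (convert the Date header to UTC and truncate it to the minute, and build the Message-ID from random bytes only); TorBirdy's actual patches may differ in detail. The sample message and the Thunderbird-style Message-ID in it are constructed.

```python
import email.utils
import re
import secrets
from datetime import timezone
from email.message import EmailMessage


def sanitize_date(date_header: str) -> str:
    """Rewrite an RFC 5322 Date header so it no longer reveals the sender's
    local timezone or the exact second the mail was composed.
    Assumed normalization (not TorBirdy's exact patch): UTC, whole minutes."""
    dt = email.utils.parsedate_to_datetime(date_header)
    if dt.tzinfo is None:  # a "-0000" zone parses as a naive datetime
        dt = dt.replace(tzinfo=timezone.utc)
    dt = dt.astimezone(timezone.utc).replace(second=0, microsecond=0)
    return email.utils.format_datetime(dt)


def date_leaks_local_time(date_header: str) -> bool:
    """True if the header still carries a non-UTC offset or a seconds value,
    either of which narrows down where and exactly when the mail was written."""
    dt = email.utils.parsedate_to_datetime(date_header)
    offset = dt.utcoffset()
    return (offset is not None and offset.total_seconds() != 0) or dt.second != 0


def make_message_id(domain: str) -> str:
    """Message-ID built only from random bytes, so it encodes no clock value."""
    return f"<{secrets.token_hex(16)}@{domain}>"


# Shape of the Message-IDs this module produces: 32 lowercase hex digits.
MESSAGE_ID_RE = re.compile(r"^<[0-9a-f]{32}@[A-Za-z0-9.-]+>$")


def sanitize_message(msg: EmailMessage, domain: str = "example.invalid") -> EmailMessage:
    """Apply both fixes to a message in place and return it."""
    if msg["Date"] is not None:
        msg.replace_header("Date", sanitize_date(str(msg["Date"])))
    if msg["Message-ID"] is not None:
        msg.replace_header("Message-ID", make_message_id(domain))
    else:
        msg["Message-ID"] = make_message_id(domain)
    return msg


def demo() -> EmailMessage:
    """Constructed sample: a client on a +0530 clock with a Message-ID whose
    first component looks like a hex timestamp. Both headers get replaced."""
    msg = EmailMessage()
    msg["From"] = "alice@example.invalid"
    msg["To"] = "bob@example.invalid"
    msg["Date"] = "Tue, 28 Jun 2016 14:03:27 +0530"
    msg["Message-ID"] = "<57724F7F.1030603@example.invalid>"  # constructed
    msg.set_content("hello")
    return sanitize_message(msg)


if __name__ == "__main__":
    print(demo())
```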

There are currently no known leaks in TorBirdy but please note that we are still in beta, so the usual caveats apply.

If you are using TorBirdy for the first time, visit the wiki to get started.

Other changes in this release include:

0.2.0, 27 Jun 2016

* Bug #6314: Prevent local timestamp disclosure via Date header
* Bug #6315: Prevent local timestamp disclosure via Message-ID header
* Bug #13721: Fix usage of wrong locale
* Bug #17426: Allow configuration of default email protocol
* Bug #15459: Add support for deterministic XPI generation
* Bug #11387, #13006: Fix non-standard EHLO argument
* Bug #17118: Allow manual account configuration for Gmail with OAuth2
* Bug #19031: Add and audit support for RSS reader
* Bug #7847: Audit and update support for NNTP
* Bug #10683: Update Thunderbird UI to reflect TorBirdy's state
* Bug #19330: Set secure defaults for outgoing mail servers
* Removed compatibility for older versions of Thunderbird and added support for Thunderbird 37+
* Added support for automatic configuration of Riseup email accounts
* Updated various privacy and security settings (see commit 2bdeffbb for a list of the changes)
* Update translations for current languages

Many thanks to Arthur Edelstein and the Tails Developers for this release!

We offer two ways of installing TorBirdy -- either by visiting our website (GPG signature; signed by 0xB01C8B006DA77FAA) or by visiting the Mozilla Add-ons page for TorBirdy. Please note that there may be a delay -- which can range from a few hours to days -- before the extension is reviewed by Mozilla and updated on the Add-ons page.

(Packages for Debian GNU/Linux will be created and uploaded shortly.)

Tor's Innovative Metrics Program Receives Award from Mozilla

Good news for data enthusiasts who trust numbers more than words: The Tor Project has just received an award from Mozilla's Open Source Support program to improve Tor metrics over the next 12 months.

While some analytics programs collect data in ways that violate the privacy of users, Tor's metrics program seeks to keep users safe as we collect and analyze data. We use the data to develop ways to allow more people to access the free Internet via Tor, and we make all data available to the world, so that Tor users, developers, journalists, and funders can see and understand the ways that people use Tor worldwide.

Mozilla's mission is to ensure the Internet is a global public resource, open and accessible to all. Mozilla Open Source Support (MOSS) is an awards program specifically focused on supporting the Open Source and Free Software movement. Their Mission Partners track is open to any open source/free software project undertaking an activity which significantly furthers Mozilla's mission.

Over the coming year, our main goals for this project will be:

1. To make CollecTor (our primary data collection service) more resilient to single-point failures, by enabling multiple CollecTor instances to gather data independently and exchange it in an automated fashion. Doing this will reduce the number of gaps in our data, and make it less likely that an error at one server will make the data invalid.

2. To create an easy-to-use observation kit containing DescripTor (our library for parsing and analyzing Tor servers' descriptions of themselves) together with user-friendly tutorials for evaluating Tor network data. This will make it easier for programmers to write tools that examine historical and current data about the servers that make up the Tor network.

3. To set up more instances of the network status service Onionoo to improve its availability, and work on the most pressing usability issues of the Atlas network status service.

4. To further reduce the amount of sensitive usage data (such as bandwidth totals and connections-per-country) stored on Tor relays and reported to the Tor directory authorities. While we believe that this data is safe the way we handle it today, we believe that improved cryptographic and statistical techniques would allow us to store and share even less data.

5. To improve the accuracy of performance measurements by developing better methods and tools to analyze and simulate average user behavior.

6. To make the Tor Metrics website more usable, so that users, developers, and researchers can more easily find, compare, and interpret information about Tor's usage and performance.

We're excited about this news for a great many reasons.

First, it is one more important step in diversifying Tor's funding.

Second, while the project focuses on improving six important aspects of Tor metrics, it also aims at more general improvements to make Tor metrics software more stable, scalable, maintainable, and usable. These improvements are typically harder to "sell" in funding proposals because their results are less visible to funders. It's reassuring that Mozilla understands that these improvements are important, too.

Third, this award is the first one awarded to Tor's young metrics team, only established 12 months ago in June, 2015. It's an appreciation of the initial work done by the metrics team and a very good basis for the upcoming 12 months.

Writing the award proposal was a successful cooperation of a number of Tor people: it would simply not have happened without Isabela, who made contact with Mozilla people; it would not have been readable without Cass's remarkable ability to translate from tech to English; it would not have contained as many good reasons for getting accepted without iwakeh's invaluable input; and it would not have been accepted without Shari's efforts in asking a leading security expert to write an endorsement of our award request. Finally, this blog post would certainly not have been as readable without Kate's and Nick's editorial capabilities. And now let's go write some code.

Tor Browser 6.0.2 is released

Tor Browser 6.0.2 is now available from the Tor Browser Project page and also from our distribution directory.

Tor Browser 6.0.2 is a fixup release to address the most pressing issues we found after switching to Firefox 45.2.0esr.

In particular, we resolved a possible crash bug visible e.g. on Facebook or mega.nz, and we fixed the broken PDF download button in the PDF reader.

Note: In version 6.0 we started code signing the OS X bundle for Gatekeeper support. A side effect of this signature is that it makes it harder to compare the bundles we ship with the bundles produced using reproducible builds, therefore we plan to post instructions for removing the OS X code signing parts on our website soon. Another effect is that the incremental update will not be working for users who installed the previous version using the .dmg file, due to bug 19410. The internal updater should still work, though, by doing a complete update.

Update (June 23, 12:38 UTC): We still have some users who report crashes on Facebook and mega.nz. We suspect this happens because those users are not using Tor Browser in its default configuration but have left Private Browsing Mode. There are at least two workarounds for this: 1) Using a clean new Tor Browser 6.0.2 (including a new profile) solves the problem. 2) As files cached by those websites in the Tor Browser profile are causing the crashes, deleting them helps as well. See bug 19400 for more details in this regard.

Here is the full changelog since 6.0.1:

  • All Platforms
    • Update Torbutton to 1.9.5.5
    • Bug 19401: Fix broken PDF download button
    • Bug 19411: Don't show update icon if a partial update failed
    • Bug 19400: Back out GCC bug workaround to avoid asmjs crash
  • Windows
    • Bug 19348: Adapt to more than one build target on Windows (fixes updates)
  • Linux
    • Bug 19276: Disable Xrender due to possible performance regressions