Ending domestic violence, NNEDV, and Tor

I was invited to speak at the annual technical conference of the National Network to End Domestic Violence, Over the past few years, I've been personally involved with helping victims and survivors of abuse. In many cases, it has been education and helping them understand what's possible on the Internet, methods to protect their privacy, and methods to control what data trails they leave behind. I've been deeply disturbed after meeting survivors of sexual slavery, human trafficking, and child abuse. The realities of life for these people while they were being abused, and the systematic failures of the systems set up to protect and help them, is shocking. The law enforcement officers and those offering services and direct support to these victims often suffer from Post Traumatic Stress Disorder (PTSD). Everyone involved with the results of abuse seems to need help all around.

Many people simply assume that the only answer is to disconnect and never go online again. However, often your data is online, even if you are not. Many services, friends, and access to information is increasingly available online only. Disconnecting isn't really an option, especially if you need to find support, shelter, and services to help you. Conversely, if you're a survivor, part of the healing process is to help others. The ability to go online anonymously and join forums, chat, or email with others in a bad place can be the difference between life and death. This is also true for those in law enforcement and support services. They need to share with people, heal and be healed. In many cases, they don't want this associated to anything a search engine, future employer, or current partners will find. They cherish their anonymity.

I did two presentations, the first was loosely about cloud computing, centralized reporting, and putting your victim's and survivor's data online. The core idea was to transfer knowledge, not recommend any one product or solution. I believe people can better assess risks when they understand the data to support their decisions. This presentation is here,

The second presentation was more about Tor and how survivors and victims can and have used Tor in the past to regain some control of their online privacy and anonymity. This second presentation is here,

I'm glad NNEDV exists, and that we can help, even if in some small way, such as doing a couple of presentations.

July 2011 Progress Report

The July 2011 Progress Report is at the bottom of this post and at

Highlights include continued progress on protocol obfuscating proxy, a new bridge guard design, outreach, scalability improvements, orbot updates, and a number of translation updates.

Update 2011-08-15: based on feedback, created a plaintext version of the pdf. It doesn't contain the images obviously, but does contain all of the content. Generated the text file via pandoc. The text file is here,

Real Name Internet versus Reality

There is a growing cacophony that a fully identified, real name policy for the Internet will solve all of our problems relating to crime, bullying, harassment, and everything else. This idea is furthered along by Facebook, Google, and the US White House.

As just one example of how this is an over-simplified argument, it seems people are continuing to forget their childhoods. As a kid, many of you were bullied and harassed at school. You knew the kids picking on you at lunch, at recess, at morning before class, and after school. Further, you knew their parents, where they lived, and generally who they were outside of school. This bullying and harassment may have continued through High School, into College, and through your work life. Again, you knew their real names and far more about them than Google, Facebook, or the US Govt will ever hope to know. A real name world hasn't made life better, more civil, or safer for millions of kids growing up in it.

I've spent time talking to kids that have been bullied online and in real life. It's all done with real names via Facebook, text messaging, at recess, after school, via twitter, etc. It spreads to those trying to stop it, such as their parents who get involved to defend their kid. These are all real name environments. Kids don't call it bullying. It's called 'starting static' these days to skirt the word 'bullying'. Regardless of the term, it's frequently done via real names.

There is a small, but growing, set of voices realizing that real name policies aren't all they are promising to provide, namely safety. EFF/Jillian York, GigOM/Matthew Ingram, and moot have all made cases why anonymity is important on the Internet. This forced dichotomy is not new, Karina Rigby wrote about it back in 1995.

We've learned over the past few years that the ability to remain anonymous has led to people instituting positive change, such as the 'Arab Spring', and to being able to research and question authority without the fear of punishment and/or death to them and their relatives in repressive regimes. Further, the option of anonymity can allow you to explore new topics, learn about new things, and join new communities. You are freed from the baggage of your own history. People can change.

Jerks can use anonymity too. Or they can use their real names. It would be an interesting study to see the abuse/complaint report numbers for Facebook, Google+, and other real name environments versus similar environments without such a real name requirement. It would be equally interesting to learn if the presence of an authority figure versus real names provides less abuse/complaints from the members. This post is skipping the entire topic of trojan software acting in your name, such as botnets collating millions of identities to do the bidding of others.

The power is in the beholder, not the technology itself. Use your anonymity for good, while you still have it. You should be in control of your identity, not someone else.

Arm Release 1.4.3


Hi all. A new release of arm is now available. This completes the codebase refactoring project that's been a year in the works and provides numerous performance, usability, and stability improvements...

Cheers! -Damian

New Tor Browser Bundles

All of the alpha Tor Browser Bundles have been updated to the latest Tor, and the Windows stable bundle has been updated with the latest
Firefox 3.6.19.

The experimental bundles also now contain Firefox 5 and Polipo has been removed
from all of them.

Firefox 3.6 Tor Browser Bundles

Windows bundle
1.3.26: Released 2011-07-13

  • Update Firefox to 3.6.19
  • Update HTTPS-Everywhere to 1.0.0development.4
  • Update Libevent to 2.0.12-stable

OS X bundle
1.1.22: Released 2011-07-13

  • Update Tor to
  • Update Firefox to 3.6.19
  • Update HTTPS-Everywhere to 1.0.0development.4
  • Update NoScript to

Linux bundles
1.1.12: Released 2011-07-13

  • Update Tor to
  • Update Firefox to 3.6.19
  • Update HTTPS-Everywhere to 1.0.0development.4
  • Update NoScript to

Firefox 4 Tor Browser Bundles

Tor Browser Bundle (2.2.30-1)

  • Update Tor to
  • Update Firefox to 5.0.1
  • Update Torbutton to 1.4.0
  • Update Libevent to 2.0.12-stable
  • Update HTTPS-Everywhere to 1.0.0development.4
  • Update NoScript to

Temporary direct download links for Firefox 5 bundles:

Tor is out

Tor is the first release candidate for the Tor 0.2.2.x
series. It fixes a few smaller bugs, but generally appears stable.
Please test it and let us know whether it is!

Changes in version - 2011-07-07
Minor bugfixes:

  • Send a SUCCEEDED stream event to the controller when a reverse
    resolve succeeded. Fixes bug 3536; bugfix on 0.0.8pre1. Issue
    discovered by katmagic.
  • Always NUL-terminate the sun_path field of a sockaddr_un before
    passing it to the kernel. (Not a security issue: kernels are
    smart enough to reject bad sockaddr_uns.) Found by Coverity;
    CID #428. Bugfix on Tor
  • Don't stack-allocate the list of supplementary GIDs when we're
    about to log them. Stack-allocating NGROUPS_MAX gid_t elements
    could take up to 256K, which is way too much stack. Found by
    Coverity; CID #450. Bugfix on
  • Add BUILDTIMEOUT_SET to the list returned by the 'GETINFO
    events/names' control-port command. Bugfix on;
    fixes part of bug 3465.
  • Fix a memory leak when receiving a descriptor for a hidden
    service we didn't ask for. Found by Coverity; CID #30. Bugfix

Minor features:

  • Update to the July 1 2011 Maxmind GeoLite Country database.

June 2011 Progress Report

The June 2011 progress report is at the bottom of this post and at

Highlights include ECC improvements, updated translations, software releases, arm progress, vidalia updates, and thandy progress.

Torbutton 1.4.0 Released

Torbutton 1.4.0 has been released at:

The addon has been disabled on Our URL is now

This release features support for Firefox 5.0, and has been tested
against the vanilla release for basic functionality. However, it has
not been audited for Network Isolation, State Separation, Tor
Undiscoverability or Interoperability issues[1] due to toggling under
Firefox 5.

If you desire Torbutton functionality with Firefox 4/5, we recommend
you download the Tor Browser Bundle 2.2.x alphas from or run Torbutton in its
own separate Firefox profile.

The reasons for this shift are explained here:

If you find bugs specific to Firefox 5, toggling, and/or extension
conflicts, file them under the component "Torbutton":

Bugs that still apply to Tor Browser should be filed under component

Bugs in the "Torbutton" component currently have no maintainer
available to fix them. Feel free to step up.

(No, simply mis-filing your Torbutton toggle bugs under
TorBrowserButton won't cause them to get fixed accidentally. It will
just annoy me slightly as I relocate them to the correct component).

Here is the complete changelog:
* bug 3101: Disable WebGL. Too many unknowns for now.
* bug 3345: Make Google Captcha redirect work again.
* bug 3399: Fix a reversed exception check found by arno.
* bug 3177: Update torbutton to use new TorBrowser prefs.
* bug 2843: Update proxy preferences window to support env var.
* bug 2338: Force toggle at startup if tor is enabled
* bug 3554: Make Cookie protections obey disk settings
* bug 3441: Enable cookie protection UI by default.
* bug 3446: We're Firefox 5.0, we swear.
* bug 3506: Remove window resize event listener.
* bug 1282: Set fixed window size for each new window.
* bug 3508: Apply Stanford SafeCache patch (thanks Edward, Collin et al).
* bug 2361: Make about window work again on FF4+.
* bug 3436: T(A)ILS was renamed to Tails.
* bugfix: Fix a transparent context menu issue on Linux FF4+.
* misc: Squelch exception from app launcher in error console.
* misc: Make DuckDuckGo the default Google Captcha redirect destination.
* misc: Make it harder to accidentally toggle torbutton.


Syndicate content Syndicate content