
Tor Weekly News — June 4th, 2014

Welcome to the twenty-second issue of Tor Weekly News in 2014, the weekly newsletter that covers what is happening in the Tor community.

Tails moves to Wheezy

The Tails live system is a Debian derivative aiming at preserving the privacy and anonymity of its users.

The first Tails releases were based on Debian Lenny (2009-2012); since version 0.7, Tails has been based on Debian Squeeze (2011-). Meanwhile, Debian has released a new stable version dubbed Wheezy, and the upcoming Tails 1.1 will be the first release to be based on the latter.

The general set of features should not change much from the previous Tails release, but almost every software component has been updated. On May 30th, the Tails team released a beta image; given the number of changes, testing is even more welcome than usual.

Testers can also try out the new UEFI support, which enables Tails to boot on recent hardware and on Macs.

Several issues with the current beta image have already been identified, so be sure to have a look at the list before reporting.

The details of the release schedule are still being discussed at the time of writing, but Tails 1.1 is likely to be out by the end of July. Please help make it a great release!

Stem 1.2 brings interactive interaction with the Tor daemon

On June 1st, Damian Johnson announced the release of Stem 1.2. Stem is a Python library for interacting with the Tor daemon. It is now used by several applications like the arm status monitor and Philipp Winter’s exit scanner.

The new version brings an interactive control interpreter, “a new method for interacting with Tor’s control interface that combines an interactive python interpreter with raw access similar to telnet”. This should make Tor hackers happy by saving them from having to manually poke the control port through telnet or create complete Stem scripts.

For the complete list of changes, head over to the changelog.

Monthly status reports for May 2014

The wave of regular monthly reports from Tor project members for the month of May has begun. Pearl Crescent released their report first, followed by Sherief Alaa, Damian Johnson, Nick Mathewson, Colin C., Georg Koppen, Lunar, Arlo Breault, and Matt Pagan.

Lunar also reported on behalf of the help desk, while Arturo Filastò did likewise for the OONI team, and Mike Perry for the Tor Browser team.

Miscellaneous news

Pups, a chat system implemented by Sherief Alaa for real-time invitation-based user support, has gone live, and can now be used by Tor’s support assistants when that method promises a quicker resolution of an issue.

In response to a question about the writing of unit tests for tor, Nick Mathewson shared a brief guide to identifying lines in tor’s codebase that have not yet been covered by tests.

Nick also put out a call (relayed by Moritz Bartl) for Tor relay operators running version 0.2.5.4-alpha or later to profile their relays, in order to identify potential bottlenecks. Basic instructions for doing so on Debian and Ubuntu can be found in the comments to the relevant ticket.

During a discussion on the role of JavaScript hooks in Tor Browser, Mike Perry clarified the merits of writing direct C++ Firefox patches over using such hooks, as well as the possibility of incorporating Torbutton’s privacy features into either Firefox itself or a dedicated add-on.

Andrew Lewman reported on his trip to Stockholm to address Sida and the Stockholm Internet Forum.

Juha Nurmi sent the second weekly report for the ahmia.fi Google Summer of Code project.

Marc Juarez is working on website fingerprinting countermeasures in the form of a pluggable transport. Marc wants to “implement a set of primitives that any link padding-based defense would benefit of” and is looking for feedback on the envisaged primitives.

Philipp Winter announced that Atlas, the web application to learn about currently running Tor relays, will now display information about a relay’s IPv6 exit policy, as well as the already-existing IPv4 exit summary.

Tor help desk roundup

Sometimes users with no network obstacles will email the help desk to ask how to configure their Tor Browser. Often these users will not need to configure anything, and clicking “Connect” is all that is necessary. Discussion on this problem is taking place on the bug tracker.

Easy development tasks to get involved with

The bridge distributor BridgeDB populates its database from the cached descriptor files copied over from the bridge authority. There’s a small bug in BridgeDB where a line that is included in two different cached descriptor files gets added twice to the database. The ticket says this bug is easily reproducible and even contains commands for reproducing it. If you enjoy digging into unknown Python/Twisted codebases to find the few spots that need fixing, this bug may be for you. Be sure to comment on the ticket when you have a fix!


This issue of Tor Weekly News has been assembled by harmony, Lunar, Matt Pagan and Karsten Loesing.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Stem Release 1.2


Hi all. After months of work I'm pleased to announce the release of Stem 1.2.0!

For those who aren't familiar with it, Stem is a Python library for interacting with Tor. With it you can script against your relay, descriptor data, or even write applications similar to arm and Vidalia.

https://stem.torproject.org/

So what's new in this release?


Interactive Tor Interpreter

The control interpreter is a new method for interacting with Tor's control interface that combines an interactive python interpreter with raw access similar to telnet. This adds several usability features, such as...

  • Irc-style commands like '/help'.
  • Tab completion for Tor's controller commands.
  • History scrollback by pressing up/down.
  • Transparently handles Tor authentication at startup.
  • Colorized output for improved readability.

For a tutorial to get you started see...

Down the Rabbit Hole


New connect() Function

This release of Stem provides a new, even easier method for establishing controllers. Connecting to Tor can now be as easy as...

import sys

from stem.connection import connect

if __name__ == '__main__':
  controller = connect()

  if not controller:
    sys.exit(1)  # unable to get a connection

  print('Tor is running version %s' % controller.get_version())
  controller.close()



For a rundown on the myriad of improvements and fixes in this release see...

https://stem.torproject.org/change_log.html#version-1-2

Cheers! -Damian

Stockholm May 2014 Trip Report

I was invited to speak on a panel at Sida about security, tools, and how they can be used in the world. The panel was generally for Sida staff to let them learn, ask questions, and interact with us in an informal way. A big thanks to Sida for providing the space and infrastructure support to allow us to all congeal for a day. My presentation from the panel is available[8].

Despite not being invited last year, I was invited to the Stockholm Internet Forum[1] (SIF14) this year to help talk about Tor, privacy, a cyber-panopticon[2] panel, empowering women and tech, and generally meeting with various organizations about funding partnerships. I spent most of my time split between talking to various orgs about partnerships and hanging out with the cool dfri[3] people. I met Hillevi Engström[7] and introduced her and her attending staff to Tor. The cyber-panopticon panel was held during the unconference sessions on the first day. We generally raised topics of surveillance, chilling effects, encryption, and the nature of abusive relationships between some governments and their populaces. Some pictures and videos are available[4]--if anyone has more pictures or video, let me know via email. The panel wasn't officially recorded by SIF14.

The better parts of the panels were the hallway/mingle sessions where everyone got to talk about real topics. I talked at length about the situation in Burkina Faso[5], the Uganda and LGBT situation, and spoke to a few women from Jordan, Egypt, Ghana, Ivory Coast, Algiers, Morocco, Uganda, and Kenya about the state of women's access to and education in technology, especially in writing code to gain employment. Everyone wants to help equalize the situation for women in both economic and rights in these countries. A huge debt of gratitude to Sarah Cortes[6], a volunteer, researcher, and strong feminist for paying her own way to Sweden to represent Tor at Sida and at SIF14, explaining the details to most of the women at the conference, and for introducing Tor to a huge number of organizations in a very positive way. It's unfortunate the conference was dominated by discussions about a few white men and surveillance. Learning more about surveillance, Snowden, and women whistle-blowers would have been interesting. However, more time given to the topics of gender equality such as the "crime of being a woman online" and what we can do to empower all women with access, opportunity, education, and increased technical skills would have been more interesting at a conference composed of 50% women. What have you done to fight the patriarchy today?

I met and spoke with a few senior officials of the Middle East-North Africa region from the Foreign Ministry of Sweden about Tor, privacy, and supporting women in the region.

I spent the rest of the week meeting with some people from potential partners, dfri, and other activists from around the world. The general feedback from potential funding organizations is that we have a lot of work to do and the rest of the world is quickly catching up and surpassing our capabilities. At the same time, there is a lot of interest in partnering with us to accomplish many goals in improving privacy, censorship circumvention research, and improving the situation of women online.

All in all, a successful trip and great time in Sweden.

1. http://www.stockholminternetforum.se/
2. https://cyberpanopticonsif.wordpress.com/
3. https://www.dfri.se/
4. http://andrewlewman.smugmug.com/SIF14-Panopticon-Panel/
5. https://en.wikipedia.org/wiki/Burkina_Faso
6. http://sarahcortes.is/
7. http://www.government.se/sb/d/13510
8. https://svn.torproject.org/svn/projects/presentations/2014-05-26-Sida-Pr...

Originally sent to the Tor-reports mailing list.

Tor Weekly News — May 28th, 2014

Welcome to the twenty-first issue of Tor Weekly News in 2014, the weekly newsletter that covers what is happening in the Tor community.

OnionShare and tor’s ControlPort

Micah Lee published OnionShare, a program that “makes it simple to share a file securely using a password-protected Tor hidden service”. It originally ran only in Tails, but has now been made compatible with other GNU/Linux distros, Windows, and OS X. As part of that process, Micah wondered about the best way to make the program work with a Tor Browser or system tor process, as “I would really like to not be in the business of distributing Tor myself”. meejah and David Stainton responded with relevant details of the Stem and txtorcon controller libraries, which allow this kind of operation to take place via tor’s ControlPort.

The “Tor and HTTPS” visualization made translatable

Lunar announced the creation of a repository for an SVG+Javascript version of the EFF’s interactive “Tor and HTTPS” visualization, which has proven useful in explaining to users the types of data that can be leaked or intercepted, and by whom, when using Tor or HTTPS (or both, or neither). As Lunar wrote, “The good news is that it’s translatable”: copies have so far been published in over twenty languages. The amount of translation required is very small, so if you’d like to contribute in your language then download the POT file and submit a patch!

A Child’s Garden of Pluggable Transports

David Fifield published “A Child’s Garden of Pluggable Transports”, a detailed visualization of different pluggable transport protocols, including “aspects of different transports that I think are hard to intuit, such as what flash proxy rendezvous looks like, and how transports look under the encrypted layer that is visible to a censor”. A few other transports supported by Tor are not yet discussed in the guide; “if you know how to run any of those transports, and you know an effective way to visualize it, please add it to the page”, wrote David.

Miscellaneous news

Anthony G. Basile released version 20140520 of tor-ramdisk, the micro Linux distribution “whose only purpose is to host a Tor server in an environment that maximizes security and privacy”. The new version upgrades Tor to version 0.2.4.22, which “adds an important block to authority signing keys that were used on authorities vulnerable to the “heartbleed” bug in OpenSSL”, among other fixes; upgrading “is strongly recommended”.

Cure53 audited the security of the Onion Browser, a web browser for iOS platforms tunneling traffic through Tor. From the conclusion: “we believe that the Onion Browser project is on the right track, however there is still a long way ahead for the project to be appropriately ‘ripe’ for usage in actually privacy-relevant and critically important scenarios.” All reported issues should have been fixed in release 1.5 on May 14th.

A new pluggable transport, currently named obfs4, is being crafted by Yawning Angel: “obfs4 is ScrambleSuit with djb crypto. Instead of obfs3 style UniformDH and CTR-AES256/HMAC-SHA256, obfs4 uses a combination of Curve25519, Elligator2, HMAC-SHA256, XSalsa20/Poly1305 and SipHash-2-4”. The feature set offered by obfs4 is comparable to ScrambleSuit, with minor differences. Yawning is now asking the community for comments, reviews, and tests.

Stem now offers a control interpreter, “a new method for interacting with Tor’s control interface that combines an interactive python interpreter with raw access similar to telnet”. Damian Johnson wrote a new tutorial to give an overview of what can be done with it.

Also on the controller front, Yawning Angel hacked on or-applet, a Gtk+ system tray applet to monitor Tor circuits.

Arlo Breault is making progress on the Tor Instant Messenger Bundle: a minimalistic user interface for OTR encryption in Instantbird, one of the key features missing from the finished software, has now been implemented.

Nicolas Vigier has been working on improving the Mbox sandboxing environment to test the Tor Browser for disk or network leaks.

Israel Leiva published the initial version of a design proposal for the “Revamp GetTor” Google Summer of Code project, having concluded that a full rewrite is needed.

Juha Nurmi submitted the first weekly report for the ahmia.fi GSoC project.

kzhm sent out instructions for installing obfsproxy on Fedora 20, to go with those for other Linux distributions.

AddressSanitizer (ASan) is a powerful memory error detector: software built with such technology makes it a lot harder to exploit programming errors related to memory management. Happily, Georg Koppen has announced the first test packages of the Tor Browser built with ASan hardening.

Karsten Loesing is planning on spinning off the directory archive from the metrics portal.

Tor help desk roundup

Multiple Mac OS X users complained that despite seeing the “Congratulations” welcome page, they were unable to reach any website with the Tor Browser. It appears that with a recent update, the Sophos anti-virus solution interferes with the Tor Browser. In order to be able to use the Tor Browser again, one must open Sophos Anti-Virus, then “Preferences”, and in the “Web Protection” panel position all switches to off.

News from Tor StackExchange

yohann2008 doesn’t want their hidden service to be indexed by search engines. puser suggested using a robots.txt file, as on a normal webpage. Jens Kubieziel later received confirmation on the IRC channel of ahmia.fi that this search engine does indeed respect the robots.txt; however, it is unknown whether others do.

Herbalist saw the following line in their log file and wonders what it could mean: “Rejecting INTRODUCE1 on non-OR or non-edge circuit 7503”. If you can unravel this mystery, please submit your answer to the question.

Easy development tasks to get involved with

The metrics website displays graphs on bridge users by pluggable transport, but we’d like to have another graph with total pluggable transport usage. Karsten Loesing outlined the steps for adding such a graph, which require some knowledge of R and ggplot2. If you enjoy writing R and want to add this new graph to the metrics website, give it a try and post your results on the ticket.


This issue of Tor Weekly News has been assembled by Lunar, harmony, qbi, and Karsten Loesing.


New Feature: Tor Interpreter


Hi all, after a couple months down in the engine room I'm delighted to announce a new Stem feature for advanced Tor users and developers!

Stem's Interpreter Tutorial

The control interpreter is a new method for interacting with Tor's control interface that combines an interactive python interpreter with raw access similar to telnet. This adds several usability features, such as...

  • Irc-style commands like '/help'.
  • Tab completion for Tor's controller commands.
  • History scrollback by pressing up/down.
  • Transparently handles Tor authentication at startup.
  • Colorized output for improved readability.

This is the last major feature going into Stem's 1.2.0 release, which is coming out later this month. Until then you can easily give it a whirl with...

% git clone https://git.torproject.org/stem.git
% cd stem
% ./tor-prompt

Running into an issue? Got a feature request? As always feedback appreciated! -Damian

Tor Weekly News — May 21st, 2014

Welcome to the twentieth issue of Tor Weekly News in 2014, the weekly newsletter that covers what is happening in the Tor community.

Tor 0.2.4.22 is out

A new version of the Tor stable branch was released on May 16th: “Tor 0.2.4.22 backports numerous high-priority fixes from the Tor 0.2.5 alpha release series. These include blocking all authority signing keys that may have been affected by the OpenSSL ‘heartbleed’ bug, choosing a far more secure set of TLS ciphersuites by default, closing a couple of memory leaks that could be used to run a target relay out of RAM, and several others.”

For more details, look at the full changelog. The source is available at the usual location. Packages should be coming shortly, if not already available.

Digital Restrictions Management and Firefox

Mozilla’s decision to support playing media with digital restrictions in Firefox by implementing the W3C EME specification has raised a fair amount of controversy. Paul Crable wanted to know what it meant for the Tor Browser.

Mike Perry answered that “simply removing the DRM will be trivial, and it will be high on our list of tasks”.

But he also explained his worries regarding a “per-device unique identifier” that Firefox would provide as part of the implementation: “it is likely that this identifier will soon be abused by all sorts of entities, […] quickly moving on to the advertising industry (why not play a short device-linked DRM video with your banner ad? You get a persistent, device-specific tracking identifier as part of the deal!). I think it is also quite likely that many arbitrary sites will actually deny access to users who do not provide them with such a device-id, if only due to ease of increased revenue generation from a fully identified userbase.”

Mike has raised the issue on Mozilla’s dev-privacy mailing list, where Henri Sivonen replied that device-identifying information will be hashed together with a “per-origin browser-generated secret” that “persists until the user asks the salt to be forgotten”. So it does not look as gloomy as it initially appeared. As always, the devil is in the details.
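
The difference between the raw per-device identifier Mike Perry worries about and the salted form Henri Sivonen describes, as an added example that is not Firefox's code or code from this newsletter. HMAC-SHA256, the `OriginSaltStore` class and the sample device string are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Reduce a URL to its origin (scheme, host, port); path and query are ignored."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("not an http(s) URL: %r" % (url,))
    return (parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS[parts.scheme])


class OriginSaltStore:
    """Hypothetical browser-side store holding one random secret per origin."""

    def __init__(self):
        self._salts = {}

    def salt_for(self, url):
        origin = origin_of(url)
        if origin not in self._salts:
            # Generated locally and never sent to the site.
            self._salts[origin] = secrets.token_bytes(32)
        return self._salts[origin]

    def forget(self, url):
        """The user asks for the salt to be forgotten for this origin."""
        self._salts.pop(origin_of(url), None)


def unsalted_identifier(device_info, url):
    """The feared design: the value does not depend on the requesting site."""
    origin_of(url)  # validate only; the origin plays no part in the result
    return hashlib.sha256(device_info).hexdigest()


def salted_identifier(device_info, url, store):
    """Device information hashed together with the per-origin secret."""
    return hmac.new(store.salt_for(url), device_info, hashlib.sha256).hexdigest()


def linkability_report(device_info, url_a, url_a_other_page, url_b):
    """What two sites learn when they compare the identifiers each one saw."""
    store = OriginSaltStore()
    first = salted_identifier(device_info, url_a, store)
    report = {
        "unsalted_links_sites":
            unsalted_identifier(device_info, url_a) == unsalted_identifier(device_info, url_b),
        "salted_links_sites":
            first == salted_identifier(device_info, url_b, store),
        "salted_stable_within_site":
            first == salted_identifier(device_info, url_a_other_page, store),
    }
    store.forget(url_a)
    report["salted_survives_forget"] = first == salted_identifier(device_info, url_a, store)
    return report


# Constructed sample input, not a real device identifier.
SAMPLE_DEVICE_INFO = b"constructed-device-serial-0001"

if __name__ == "__main__":
    result = linkability_report(
        SAMPLE_DEVICE_INFO,
        "https://video.example/watch?v=1",
        "https://video.example/account",
        "https://ads.example/banner",
    )
    for finding, value in sorted(result.items()):
        print("%-28s %s" % (finding, value))
```

The salted value still identifies the user to a single site for as long as the salt persists; only cross-site linking and persistence past a reset are removed.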

Miscellaneous news

David Goulet reported on the status of the development of Torsocks 2.0, the library for safely using applications with Tor.

Karsten Loesing posted on the Tor Blog to commemorate the tenth anniversary of the first archived Tor directory, and discussed the different ways in which the public archive of directory data is being used for research and development.

Karsten also notified the community of a change in the compression algorithm used for the tarballs of archived metrics data, which has reduced their total size from 212 gigabytes to 33 — an 85% gain!

Knock is a variant of port-knocking that might be useful in the future for pluggable transports. “As Knock uses two fields in the TCP header in order to hide information and we explicitly want to be compatible with machines sitting in typical home networks”, writes Julian Kirsch, “we thus created a program which tests if Knock would work in your environment.” Please give it a try to help the team figure out if Knock could be deployed in the wild.

Thanks to Jesse Victors, Andrea, Nicholas Merrill, and Martin A. for running mirrors of the Tor Project website!

Michael Schloh von Bennewitz has been busy analyzing a disk leak in Tor Browser: when one copies a significant chunk of text to the clipboard, a temporary file is created with its content. Michael found a possible fix and is welcoming reviews.

Nicolas Vigier has been investigating some extra connections made by the Tor Browser on startup to the local resolver and the default port of the SOCKS proxy.

Shawn Nock proved to us once more that talking to ISPs is key to running Tor relays on high-speed links. Shawn’s exit node was abruptly shut down by its provider on May 15th. After a well-crafted plea explaining why Tor is important, the provider restored the service on the very same day!

However, dope457 reported that their provider is now giving them trouble for being the operator of a non-exit relay, due to a large amount of traffic on the DNS port (53), which is being used as the ORPort by a recently-established Tor relay, as pointed out by Roman Mamedov.

Now that ICANN is “selling” top-level domain names, Anders Andersson raised concerns about the .onion extension used by Tor. Fortunately, RFC6761 defines a process regarding special-use domain names. Last November, Christian Grothoff, Matthias Wachs, Hellekin O. Wolf, and Jacob Appelbaum submitted a request to reserve several TLDs used in peer-to-peer systems. Hellekin sent an update about the procedure: “the current status quo from the IETF so far is that this issue is not a priority”.

Tor help desk roundup

Local antivirus or firewall applications can prevent Tor from connecting unless they are disabled. Firewall tools that have caused usability issues in the past include Webroot SecureAnywhere AV, Kaspersky Internet Security 2012, Sophos Antivirus for Mac, and Microsoft Security Essentials.

News from Tor StackExchange

The Tor StackExchange site now provides more than 1000 answers to user-supplied questions. However, there are still ~130 questions which need a good answer, so if you happen to know one then please visit the site and help out.

The majority of the questions are about the Tor Browser Bundle, but hidden services also attract a large amount of attention. When it comes to operating systems, there are 42 Windows-related questions, while questions about Tails and Whonix number nearly 50. All your questions about Tor and related software are welcome.

Blue_Pyro uses Orweb on a mobile phone and wants to save images from websites. Abel of Guardian recommended two options: first, a user can use Firefox mobile with privacy enhanced options, or one can try Orfox, a development version of a Firefox-based browser.

Easy development tasks to get involved with

Stem is a Python controller library for Tor. It comes with tutorials and generally has pretty good test coverage. The newly-added example scripts, however, don’t yet have unit tests. Damian Johnson suggested ways to add unit tests for example scripts; if you want to help out, learn how to get started, start writing unit tests for the example scripts, and then comment on the ticket.

The traffic obfuscator obfsproxy should validate command-line arguments appropriately. Right now, it’s printing an error and continuing, but it should really abort. This sounds like a trivial change, but maybe there’s more to fix in the nearby code. If you like Python and want to give it a try, there’s more information for you on the ticket.


This issue of Tor Weekly News has been assembled by Lunar, harmony, Matt Pagan, Karsten Loesing, qbi, and Georg Koppen.


10 years of collecting Tor directory data

Today is the 10th anniversary of collecting Tor directory data!

As the 2004 Tor design paper says, "As of mid-May 2004, the Tor network consists of 32 nodes (24 in the US, 8 in Europe), and more are joining each week as the code matures."

In fact, we still have the original relay lists from back then. The first archived Tor directory dates back to May 15, 2004. It starts with the following lines which are almost human-readable:

signed-directory
published 2004-05-15 07:30:57
recommended-software 0.0.6.1,0.0.7pre1-cvs
running-routers moria1 moria2 tor26 incognito jap dizum
  cassandra metacolo poblano ned TheoryOrg Tonga
  peertech hopey tequila triphop moria4 anize rot52
  randomtrash
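
A parser for the header lines quoted above, as an added example that is not the Tor Project's code. The field handling (indented lines continue the previous item, commas separate versions, spaces separate nicknames) is an assumption read off the quoted lines only, and the function names are hypothetical.

```python
from datetime import datetime

# The header lines quoted in the post, embedded so the example runs offline.
SAMPLE_HEADER = """\
signed-directory
published 2004-05-15 07:30:57
recommended-software 0.0.6.1,0.0.7pre1-cvs
running-routers moria1 moria2 tor26 incognito jap dizum
  cassandra metacolo poblano ned TheoryOrg Tonga
  peertech hopey tequila triphop moria4 anize rot52
  randomtrash
"""

HEADER_KEYWORDS = ("published", "recommended-software", "running-routers")


def logical_lines(text):
    """Join indented continuation lines onto the item they continue."""
    items = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t":
            if not items:
                raise ValueError("continuation line before any keyword")
            items[-1] += " " + raw.strip()
        else:
            items.append(raw.rstrip())
    return items


def parse_directory_header(text):
    """Return the publication time, recommended versions and running routers."""
    items = logical_lines(text)
    if not items or items[0] != "signed-directory":
        raise ValueError("not a signed-directory document")

    header = {}
    for item in items[1:]:
        keyword, _, value = item.partition(" ")
        if keyword not in HEADER_KEYWORDS:
            break  # first item that is not a header keyword ends the header
        if keyword in header:
            raise ValueError("duplicate keyword: " + keyword)
        header[keyword] = value.strip()

    missing = [k for k in HEADER_KEYWORDS if k not in header]
    if missing:
        raise ValueError("missing keyword(s): " + ", ".join(missing))

    return {
        # strptime raises ValueError on a malformed timestamp
        "published": datetime.strptime(header["published"], "%Y-%m-%d %H:%M:%S"),
        "recommended_software": [
            v for v in header["recommended-software"].split(",") if v
        ],
        "running_routers": header["running-routers"].split(),
    }


if __name__ == "__main__":
    parsed = parse_directory_header(SAMPLE_HEADER)
    print(parsed["published"].isoformat())
    print(parsed["recommended_software"])
    print(len(parsed["running_routers"]), "routers listed as running")
```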


As of today, May 15, 2014, there are about 4,600 relays in the Tor network and another 3,300 bridges. In these 10 years, we have collected a total of 212 GiB of bz2-compressed tarballs containing Tor directory data. That's more than 600 GiB of uncompressed data. And of course, the full archive is publicly available for download.

Here's a small selection of what people do with this fine archive:

If people want to use the Tor directory archive for their research or for building new applications, or want to help out with the projects listed above, don't hesitate to contact us!

Happy 10th birthday, Tor directory archive!

Tor Weekly News — May 14th, 2014

Welcome to the nineteenth issue of Tor Weekly News in 2014, the weekly newsletter that covers what is happening in the Tor community.

Tor Browser 3.6.1 is released

On May 7th, version 3.6.1 of the Tor Browser was released. Apart from updating HTTPS Everywhere and NoScript, the new release mainly solves a regression experienced by proxy users.

The new version should not error out with “You have configured more than one proxy type” anymore.

More monthly status reports for April 2014

More monthly reports from Tor project members have arrived this week with submissions from Nicolas Vigier and Roger Dingledine.

Roger also sent the report for SponsorF. The Tails team has released theirs.

Miscellaneous news

ooniprobe 1.0.2 has been released. The new version brings security fixes, a manpage, and a test for Tor bridge reachability, among other improvements.

As the Tor blog should migrate away from its current decaying software, Eric Schaefer wrote to say that he had extracted all blog posts in a format ready for a static site generator. Comments are also available. One option would be to import them into a dedicated commenting system. Tom Purl has set up a test Juvia instance for anyone who wishes to give it a shot.

David Fifield released a new round of Tor Browser packages modified to include meek. “Unlike previous bundles […], these ones aren’t configured to use meek automatically. You have to select ‘Configure’ on the network settings screen and then choose meek from the list of transports.” Please give them a try!

Isis Lovecruft rewrote the email bridge distributor in order to fix some fundamental design problems with the old code. Reviews are welcome.

Tor help desk roundup

A relay operator contacted the Tor Help Desk after seeing the following message in the Tor log: “http status 400 ("Fingerprint is marked rejected") response from dirserver '128.31.0.34:9131'”.

One might see this message if one’s relay was found to be vulnerable to the Heartbleed OpenSSL bug and subsequently removed from the Tor consensus. Instructions for upgrading one’s relay are on the Tor project’s blog.


This issue of Tor Weekly News has been assembled by Lunar, Matt Pagan, Karsten Loesing and Roger Dingledine.

