
Introduction to Digital Security With the CIJ

On Monday the 25th of March, the Centre for Investigative Journalism in London organized a free event where journalists could learn more about digital security. I was invited to speak about Tor; other speakers covered OTR, TrueCrypt, GPG, and mobile security.

The attendees were divided into five groups, and each speaker had 20-25 minutes with each group. I gave out USB sticks with the Tor Browser Bundle, the Pluggable Transports Bundle, the short user manual, and the 2012 annual report.

I talked a bit about the history of Tor and the Tor Project, discussed a few different threats, mentioned hidden services, listed a few examples of real-world use, and helped everyone get the Tor Browser Bundle up and running. I did not have access to a projector or whiteboard, so I did my best to illustrate how Tor works by drawing boxes, arrows, blobs, and stick figures on a piece of paper.

A number of people asked if we had some sort of document or manual explaining all the topics covered at this event. I mentioned Security in a box and the FLOSS Manuals, but also pointed out that there is currently no single document available, that I am aware of, which explains all of these topics.

I have previously discussed creating such a document with the Rory Peck Trust, which is a London-based organization that specializes in safety, security and professional development for freelance journalists. I mentioned this again when I met with them the day after the CIJ event, and I’m looking forward to seeing the end result in a few months.

Thanks to the Centre for Investigative Journalism for hosting the event and inviting me.

New Name for Obfsproxy Tor Browser Bundles

Some days ago we released new Pluggable Transport Bundles which aim to
replace the old Pyobfsproxy/Flashproxy bundles and the even older
Obfsproxy bundles.

Users are encouraged to upgrade to the new bundles since they support
all the currently deployed pluggable transports and the latest
versions of Firefox and Torbutton.

The new bundles also contain the latest release of the Python version
of Obfsproxy, which replaces the legacy version that was written in C.

Finally, from now on Obfuscated bundles will be called "Pluggable
Transport Bundles" and each new version will contain all the deployed
pluggable transports. Users need to use http://bridges.torproject.org
to get bridges with pluggable transports ("obfuscated/obfsproxy
bridges") for their bundles.

New Pluggable Transports bundles 0.2.4.11-alpha (flashproxy + obfsproxy)

We've updated the Pluggable Transports Tor Browser Bundles with Firefox 17.0.4esr and Tor 0.2.4.11-alpha. These releases have numerous bug fixes and a new Torbutton as well.

Like the previous bundles, these contain Flashproxy and the Python version of Obfsproxy.

Flash proxy is a transport that uses proxies running in web browsers as access points into Tor. Obfsproxy is a pluggable transport that makes network traffic look unlike normal Tor traffic. Both of these technologies make it harder to block access to Tor. If you previously used the obfsproxy bundle, please upgrade to this bundle, which in addition to flash proxy has new obfsproxy bridges.

Flash proxy works differently from other pluggable transports, and you need to take extra steps to make it work. In particular, you will probably need to configure port forwarding in order to receive connections from browser proxies. There are instructions and hints on how to do that at this page: flash proxy howto.

These bundles contain the same hardcoded obfs2 bridge addresses as the previous bundles, which may work for some jurisdictions, but you are strongly advised to get new bridge addresses from BridgeDB: https://bridges.torproject.org/?transport=obfs2.

Furthermore, we are looking for feedback on how the bundles work. Please leave comments on the flash proxy usability wiki page or ticket #7824 with your experience, good or bad.

There are other ways you can help beyond testing the bundles. One is to run a bridge with pyobfsproxy. Another is to put the flash proxy badge on your web site or blog, or add it to your Wikipedia profile. If you want your browser to continue to be a proxy after a switch to an opt-in model, click the “Yes” button on the options page.

2012 Annual Report

We are excited to announce the Tor Project 2012 Annual Report, which highlights the activities and outstanding accomplishments by the Tor team over the past year. Also included is a glimpse at Tor's strategic initiatives for 2013.

PDF version is available at:
https://www.torproject.org/about/findoc/2012-TorProject-Annual-Report.pd...

A special thank you goes out to our funders and supporters for their continued commitment to our mission.

For questions regarding the annual report, contact execdir@torproject.org.

New Firefox 17.0.4esr and Tor 0.2.4.11-alpha bundles

We've updated the stable and alpha Tor Browser Bundles with Firefox 17.0.4esr and Tor 0.2.4.11-alpha. These releases have numerous bug fixes and a new Torbutton as well.

https://www.torproject.org/download

Tor Browser Bundle (2.3.25-5)

  • Update Firefox to 17.0.4esr
  • Update NoScript to 2.6.5.8
  • Update HTTPS Everywhere to 3.1.4
  • Fix non-English language bundles to have the correct branding (closes: #8302)
  • Firefox patch changes:
    • Remove "This plugin is disabled" barrier
      • This improves the user experience for HTML5 Youtube videos:
        They "silently" attempt to load flash first, which was not so silent
        with this barrier in place. (closes: #8312)
    • Disable NoScript's HTML5 media click-to-play barrier (closes: #8386)
    • Fix a New Identity hang and/or crash condition (closes: #6386)
    • Fix crash with Drag + Drop on Windows (closes: #8324)
  • Torbutton changes:
    • Fix Drag+Drop crash by using a new TBB drag observer (closes: #8324)
    • Fix XML/E4X errors with Cookie Protections (closes: #6202)
    • Don't clear cookies at shutdown if user wants disk history (closes: #8423)
    • Leave IndexedDB and Offline Storage disabled. (closes: #8382)
    • Clear DOM localStorage on New Identity. (closes: #8422)
    • Don't strip "third party" HTTP auth from favicons (closes: #8335)
    • Localize the "Spoof english" button strings (closes: #5183)
    • Ask user for confirmation before enabling plugins (closes: #8313)
    • Emit private browsing session clearing event on "New Identity"

Tor Browser Bundle (2.4.11-alpha-1)

  • Update Firefox to 17.0.4esr
  • Update Tor to 0.2.4.11-alpha
  • Update NoScript to 2.6.5.8
  • Update HTTPS Everywhere to 4.0development.6
  • Update PDF.js to 0.7.236
  • Fix non-English language bundles to have the correct branding (closes: #8302)
  • Firefox patch changes:
    • Remove "This plugin is disabled" barrier
      • This improves the user experience for HTML5 Youtube videos:
        They "silently" attempt to load flash first, which was not so silent
        with this barrier in place. (closes: #8312)
    • Disable NoScript's HTML5 media click-to-play barrier (closes: #8386)
    • Fix a New Identity hang and/or crash condition (closes: #6386)
    • Fix crash with Drag + Drop on Windows (closes: #8324)
  • Torbutton changes:
    • Fix Drag+Drop crash by using a new TBB drag observer (closes: #8324)
    • Fix XML/E4X errors with Cookie Protections (closes: #6202)
    • Don't clear cookies at shutdown if user wants disk history (closes: #8423)
    • Leave IndexedDB and Offline Storage disabled. (closes: #8382)
    • Clear DOM localStorage on New Identity. (closes: #8422)
    • Don't strip "third party" HTTP auth from favicons (closes: #8335)
    • Localize the "Spoof english" button strings (closes: #5183)
    • Ask user for confirmation before enabling plugins (closes: #8313)
    • Emit private browsing session clearing event on "New Identity"

JOIN US - Tor Project Boston Hack Day Event - March 20, 2013 - Hosted by Boston University's Department of Computer Science

Join us for a unique public hack day event where you will have an opportunity to work in a highly collaborative, interactive environment with Tor's team of technology and research experts. Topics for the day will be determined by the attendees; so bring your ideas, questions, projects and technical expertise with you! Continental breakfast will be provided.

Wednesday, March 20, 2012
9 am until 5 pm
BU Computer Science Dept, 111 Cummington Mall, Boston, MA - ROOM 148
Directions: http://www.bu.edu/cs/about/directions-and-contact/

Hosted by Boston University's Department of Computer Science

For more information or questions, contact execdir@torproject.org.

CryptoParty Stockholm

I attended the Stockholm Cryptoparty on Saturday the 16th of February. I was asked to give the opening talk, "Varför krypto?", to start off the day. My goal was to explain why cryptography should be used daily by everyone in mundane ways. The general topic was about how I watch kids using cryptography daily, without knowing it or without fully understanding the technical details behind it. This is ok. Kids chat a lot. When you introduce Off-the-record to their chats, they instantly understand that the chats are now private, and can be authenticated. The distinction between the two concepts is fairly easy to grasp, even if they don't understand the details of hashes, key exchanges, or ciphers. Once a few core people start using OTR, for example, then it spreads to their friends and soon you have networks of kids using OTR having safe and secure chats.

The simplest three steps people can take to begin using cryptography daily are:

  1. Use https everywhere in your browser.
  2. Use a browser password manager. KeePass is as good as any. The point is to keep username/passwords unique and complex per site/service. The next time LinkedIn or some major site loses tens of millions of passwords, you're protected because it's not the same username and password you used for your Gmail, Facebook, Twitter, banking, and VKontakte accounts.
  3. Use Tor for actions you want to keep private. Everything on the Internet leaves a trace. The world knows you're a dog online.

Thankfully, I could give the introduction in English and not have to offend the attendees with my poor Swedish. Linus gave a great Tor talk in Swedish. Overall, the day went well. We had huge pizzas and generally a great time. Many people were new to cryptoparties and new to cryptography in general. It was a great time. As an American, it was nice to see about 50% women attending. There were a number of younger kids learning about all of this too. The cryptoparties I've attended in the USA have been all men and the maybe one girlfriend or wife dragged to the event.

(Unfortunately, the camera recording my talk malfunctioned and corrupted the video. However, other images and videos from the day are available on our media server.)

Thanks to DFRI, Sparvnästet, and iis.se for hosting the event and inviting me to attend.

New flash proxy talk

Last week I gave an hour-long talk about flash proxies.

The talk contains a detailed summary of the whole system, plus some new information like the details of our rendezvous system and graphs showing usage numbers. I thank the Stanford Computer Systems Colloquium for giving me the opportunity to speak.
