
Tor Weekly News — December 24th, 2014

Welcome to the fifty-first issue in 2014 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Stem 1.3 is out

“After months down in the engine room”, Damian Johnson announced version 1.3 of Stem, the Tor controller library written in Python. Among the many improvements in this release, Damian singled out the new set of controller methods for working with hidden services, as well as the 40% increase in descriptor parsing speed.

Please see the changelog for full details of all the new features.

Miscellaneous news

The team of researchers working on the collection of hidden service statistics asked relay operators for help by enabling these statistics on their relays in the coming days and weeks. They included a step-by-step tutorial for enabling this feature, which has recently been merged into Tor’s main branch.

Building on Andrea Shepard’s recently-merged work on global cell scheduling, Nick Mathewson announced that the KIST socket management algorithm proposed earlier this year to reduce congestion in the Tor network is now “somewhat implemented” for Linux. You can follow the testing and reviews on the associated ticket.

Nick also asked for feedback on the proposal to increase the interval at which Tor relays report their bandwidth usage statistics from fifteen minutes to four hours: “Will this break anything you know about?”

Moritz Bartl invited Tor relay operators to a meet-up at the upcoming Chaos Communication Congress in Hamburg: “We will do quick presentations on recent and future activities around Torservers.net, talk about events relevant to the Tor relay community, and what lies ahead.”

Thanks to Thomas White for keeping the community updated following a brief period of suspicious activity around his exit relays and Onionoo application mirrors!

This week in Tor history

A year ago this week, Tor Browser hit version 3.5, bringing with it a pioneering deterministic build system that set a new standard in software distribution security, and has since drawn interest from many other projects, including the Debian operating system. It also laid the long-obsolete Vidalia graphical controller to rest, replacing it with the faster, sleeker Tor Launcher. The privacy-preserving browser is now approaching version 4.5, and users can look forward to a security slider offering finer-grained tuning of security preferences, as well as features that restore some of Vidalia’s circuit-visualization capabilities.


This issue of Tor Weekly News has been assembled by Harmony and Karsten Loesing.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!

Stem Release 1.3


Greetings wonderful people of the world! After months down in the engine room I'm delighted to announce the 1.3.0 release of Stem.

For those who aren't familiar with it, Stem is a Python library for interacting with Tor. With it you can script against your relay, descriptor data, or even write applications similar to arm and Vidalia.

https://stem.torproject.org/

So what's new in this release?


Better Hidden Service Support

Now it's easier than ever to spin up hidden services!

Thanks to contributions from Federico Ceratto and Patrick O'Doherty we now have a set of methods specifically for working with hidden services. Check it out in our new tutorial...

Over the River and Through the Wood


Faster Descriptor Parsing

This release dramatically improves the speed at which Stem can parse descriptors. Thanks to optimizations from Nick Mathewson and Ossi Herrala we can now read descriptors 40% faster!


This is just the tip of the iceberg. For a full rundown on the myriad of improvements and fixes in this release see...

https://stem.torproject.org/change_log.html#version-1-3

Cheers! -Damian

Possible upcoming attempts to disable the Tor network

The Tor Project has learned that there may be an attempt to incapacitate our network in the next few days through the seizure of specialized servers in the network called directory authorities. (Directory authorities help Tor clients learn the list of relays that make up the Tor network.) We are taking steps now to ensure the safety of our users, and our system is already built to be redundant so that users maintain anonymity even if the network is attacked. Tor remains safe to use.

We hope that this attack doesn't occur; Tor is used by many good people. If the network is affected, we will immediately inform users via this blog and our Twitter feed @TorProject, along with more information if we become aware of any related risks to Tor users.

The Tor network provides a safe haven from surveillance, censorship, and computer network exploitation for millions of people who live in repressive regimes, including human rights activists in countries such as Iran, Syria, and Russia. People use the Tor network every day to conduct their daily business without fear that their online activities and speech (Facebook posts, email, Twitter feeds) will be tracked and used against them later. Millions more also use the Tor network at their local internet cafe to stay safe for ordinary web browsing.

Tor is also used by banks, diplomatic officials, members of law enforcement, bloggers, and many others. Attempts to disable the Tor network would interfere with all of these users, not just ones disliked by the attacker.

Every person has the right to privacy. This right is a foundation of a democratic society. For example, if Members of the British Parliament or US Congress cannot share ideas and opinions free of government spying, then they cannot remain independent from other branches of government. If journalists are unable to keep their sources confidential, then the ability of the press to check the power of the government is compromised. If human rights workers can't report evidence of possible crimes against humanity, it is impossible for other bodies to examine this evidence and to react. In the service of justice, we believe that the answer is to open up communication lines for everyone, securely and anonymously.

The Tor network provides online anonymity and privacy that allow freedom for everyone. Like freedom of speech, online privacy is a right for all.

[Update Monday Dec 22: So far all is quiet on the directory authority front, and no news is good news.]
[Update Sunday Dec 28: Still quiet. This is good.]

Tor Weekly News — December 17th, 2014

Welcome to the fiftieth issue in 2014 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Solidarity against online harassment

Following “a sustained campaign of harassment” directed at a core Tor developer over the past few months, the Tor Project published a statement in which it declared “support for her, for every member of our organization, and for every member of our community who experiences this harassment”: “In categorically condemning the urge to harass, we mean categorically: we will neither tolerate it in others, nor will we accept it among ourselves. We are dedicated to both protecting our employees and colleagues from violence, and trying to foster more positive and mindful behavior online ourselves… We are working within our community to devise ways to concretely support people who suffer from online harassment; this statement is part of that discussion. We hope it will contribute to the larger public conversation about online harassment and we encourage other organizations to sign on to it or write one of their own.”

As of this writing, there are 448 signatories to the statement, including Tor developers and community members, academics, journalists, lawyers, and many others who are lending their support to this movement in its early stages. If you want to add your name to the list, please send an email to tor-assistants@lists.torproject.org.

Tails 1.2.2 is out

The Tails team announced a pointfix release of the amnesic live operating system. The only difference between this version and the recent 1.2.1 release is that the automatic Tails Updater now expects a different certificate authority when checking for a new Tails version. As the team explained, “On January 3rd, the SSL certificate of our website hosting provider, boum.org, will expire. The new certificate will be issued by a different certificate authority […] As a consequence, versions previous to 1.2.2 won’t be able to do the next automatic upgrade to version 1.2.3 and will receive an error message from Tails Upgrader when starting Tails after January 3rd”.

This, along with a bug that prevents automatic updates from 1.2.1 to 1.2.2, means that all Tails users will need to upgrade manually: either to version 1.2.2 before January 3rd or (if for some reason that is not possible) to version 1.2.3 following its release on January 14th. Please see the team’s post for more details and download instructions.

Miscellaneous news

George Kadianakis, Karsten Loesing, Aaron Johnson, and David Goulet requested feedback on the design and code they have developed for the Tor branch that will enable the collection of statistics on Tor hidden services, hoping to answer the questions “Approximately how many hidden services are there?” and “Approximately how much traffic in the Tor network is going to hidden services?”: “Our plan is that in approximately a week we will ask volunteers to run the branch. Then in a month from now we will use those stats to write a blog post about the approximate size of Tor hidden services network and the approximate traffic it’s pushing.” Please join in with your comments on the relevant ticket!

Philipp Winter announced an early version of “zoossh”, which as the name implies is a speedy parser written in Go that will help to “detect sybils and other anomalies in the Tor network” by examining Tor’s archive of network data. While it is not quite ready for use, “I wanted folks to know that I’m working on that and I’m always happy to get feedback and patches.”

Yawning Angel announced the existence of “basket”, a “stab at designing something that significantly increases Tor’s resistance to upcoming/future attacks”, combining post-quantum cryptographic primitives with “defenses against website fingerprinting (and possibly end-to-end correlation) attacks”. You can read full details of the cryptographic and other features of “basket” in Yawning’s post, which is replete with warnings against using the software at this stage: “It’s almost at the point where brave members of the general public should be aware that it exists as a potential option in the privacy toolbox… [but] seriously, unless you are a developer or researcher, you REALLY SHOULD NOT use ‘basket’.” If you are gifted or foolhardy enough to ignore Yawning’s advice and test “basket” for yourself, please let the tor-dev mailing list know what you find.

Sukhbir Singh and Arlo Breault requested feedback on an alpha version of Tor Messenger. It is an instant messaging client currently under development that intends to send all traffic over Tor, use Off-the-Record (OTR) encryption of conversations by default, work with a wide variety of chat networks, and have an easy-to-use graphical user interface localized into multiple languages.

TheCthulhu announced that his mirrors of two Tor network tools are now available over Tor hidden services. Globe can be accessed via http://globe223ezvh6bps.onion and Atlas via http://atlas777hhh7mcs7.onion. The mirrors provided by the Cthulhu run on their own instance of Onionoo, so in the event that the primary sites hosted by Tor Project are offline, both of these new mirrors should still be available for use either through the new hidden services or through regular clearnet access.

The Tails team published a signed list of SHA256 hashes for every version of Tails (and its predecessor, amnesia) that it had either built or verified at the time of release.

Vlad Tsyrklevich raised the issue of the discoverability risk posed to Tor bridges by the default setting of their ORPorts to 443 or 9001. Using data from Onionoo and internet-wide scans, Vlad found that “there are 4267 bridges, of which 1819 serve their ORPort on port 443 and 383 serve on port 9001. That’s 52% of tor bridges. There are 1926 pluggable-transports enabled bridges, 316 with ORPort 443 and 33 with ORPort 9001. That’s 18% of Tor bridges… I realized I was also discovering a fair amount of private bridges not included in the Onionoo data set.” Vlad recommended that operators be warned to change their ORPorts away from the default; Aaron Johnson suggested possible alternative solutions, and Philipp Winter remarked that while bridges on port 443 “would easily fall prey to Internet-wide scanning”, “they would still be useful for users behind captive portals” and other adversaries that restrict connections to a limited range of ports.

Alden Page announced that development will soon begin on a free-software tool to counteract “stylometry” attacks, which attempt to deanonymize the author of a piece of text based on their writing style alone. “I hope you will all agree that this poses a significant threat to the preservation of the anonymity of Tor users”, wrote Alden. “In the spirit of meeting the needs of the privacy community, I am interested in hearing what potential users might have to say about the design of such a tool.” Please see Alden’s post for further discussion of stylometry attacks and the proposed countermeasures, and feel free to respond with your comments or questions.

Tor help desk roundup

Because Tor Browser prevents users from running it as root, Kali Linux users starting Tor Browser will see an error message saying Tor should not be run as root.

In Kali, all userspace software runs as root by default. To run Tor Browser in Kali Linux, create a new user account just for using Tor Browser. Unpack Tor Browser and use chown -R to give that account ownership of the whole Tor Browser directory. Then run Tor Browser as the account you created.
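The steps above as a shell script, added here as an example and not taken from the newsletter or the Tor help desk. The account name, tarball name and install path are assumptions, as is the launcher name start-tor-browser inside the unpacked bundle.

```shell
#!/bin/sh
# Added example: run Tor Browser on Kali from a dedicated unprivileged account.
# TB_USER, TB_TARBALL and TB_DIR are assumed names, not values from the newsletter.

TB_USER="${TB_USER:-torbrowser}"
TB_TARBALL="${TB_TARBALL:-tor-browser-linux.tar.xz}"     # placeholder file name
TB_DIR="${TB_DIR:-/home/$TB_USER/tor-browser}"

# tree_owned_by UID DIR
# Succeeds only if DIR exists and every entry under it belongs to UID,
# i.e. the recursive chown really covered the whole tree.
# Returns 2 if DIR is missing, 1 if any entry has another owner.
tree_owned_by() {
    uid=$1
    dir=$2
    [ -d "$dir" ] || return 2
    # Print at most one entry that is NOT owned by UID; empty means none found.
    stray=$(find "$dir" ! -user "$uid" -print | head -n 1)
    [ -z "$stray" ]
}

# Run once as root: create the account, unpack the bundle, hand over ownership.
install_as_root() {
    [ "$(id -u)" -eq 0 ] || { echo "install must run as root" >&2; return 1; }
    id "$TB_USER" >/dev/null 2>&1 || useradd -m "$TB_USER" || return 1
    mkdir -p "$TB_DIR" || return 1
    tar -xJf "$TB_TARBALL" -C "$TB_DIR" --strip-components=1 || return 1
    chown -R "$TB_USER" "$TB_DIR" || return 1
    # Confirm nothing under the directory is still owned by root.
    tree_owned_by "$(id -u "$TB_USER")" "$TB_DIR"
}

# Run as the dedicated user: refuse root, check ownership, then start the browser.
launch_as_user() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "do not start Tor Browser as root; log in as $TB_USER" >&2
        return 1
    fi
    tree_owned_by "$(id -u)" "$TB_DIR" || {
        echo "$TB_DIR is not fully owned by $(id -un); re-run chown -R as root" >&2
        return 1
    }
    cd "$TB_DIR" && exec ./start-tor-browser
}

# Nothing happens unless a mode is given on the command line.
case "${1:-}" in
    install) install_as_root ;;
    launch)  launch_as_user ;;
esac
```

Run it with `install` once from the root account, then with `launch` from a session logged in as the new user.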


This issue of Tor Weekly News has been assembled by Harmony, TheCthulhu, Matt Pagan, Arlo Breault, and Karsten Loesing.


Solidarity against online harassment

One of our colleagues has been the target of a sustained campaign of harassment for the past several months. We have decided to publish this statement to publicly declare our support for her, for every member of our organization, and for every member of our community who experiences this harassment. She is not alone and her experience has catalyzed us to action. This statement is a start.

The Tor Project works to create ways to bypass censorship and ensure anonymity on the Internet. Our software is used by journalists, human rights defenders, members of law enforcement, diplomatic officials, and many others. We do high-profile work, and over the past years, many of us have been the targets of online harassment. The current incidents come at a time when suspicion, slander, and threats are endemic to the online world. They create an environment where the malicious feel safe and the misguided feel justified in striking out online with a thousand blows. Under such attacks, many people have suffered — especially women who speak up online. Women who work on Tor are targeted, degraded, minimized and endure serious, frightening threats.

This is the status quo for a large part of the internet. We will not accept it.

We work on anonymity technology because we believe in empowering people. This empowerment is the beginning and a means, not the end of the discussion. Each person who has power to speak freely on the net also has the power to hurt and harm. Merely because one is free to say a thing does not mean that it should be tolerated or considered reasonable. Our commitment to building and promoting strong anonymity technology is absolute. We have decided that it is not enough for us to work to protect the world from snoops and censors; we must also stand up to protect one another from harassment.

It's true that we ourselves are far from perfect. Some of us have written thoughtless things about members of our own community, have judged prematurely, or conflated an idea we hated with the person holding it. Therefore, in categorically condemning the urge to harass, we mean categorically: we will neither tolerate it in others, nor will we accept it among ourselves. We are dedicated to both protecting our employees and colleagues from violence, and trying to foster more positive and mindful behavior online ourselves.

Further, we will no longer hold back out of fear or uncertainty from an opportunity to defend a member of our community online. We write tools to provide online freedom but we don't endorse online or offline abuse. Similarly, in the offline world, we support freedom of speech but we oppose the abuse and harassment of women and others. We know that online harassment is one small piece of the larger struggle that women, people of color, and others face against sexism, racism, homophobia and other bigotry.

This declaration is not the last word, but a beginning: We will not tolerate harassment of our people. We are working within our community to devise ways to concretely support people who suffer from online harassment; this statement is part of that discussion. We hope it will contribute to the larger public conversation about online harassment and we encourage other organizations to sign on to it or write one of their own.

For questions about Tor, its work, its staff, its funding, or its world view, we encourage people to directly contact us (Media contact: Kate Krauss, press @ torproject.org). We also encourage people to join our community and to be a part of our discussions:
https://www.torproject.org/about/contact
https://www.torproject.org/docs/documentation#MailingLists



In solidarity against online harassment,

Roger Dingledine
Nick Mathewson
Kate Krauss
Wendy Seltzer
Caspar Bowden
Rabbi Rob Thomas
Karsten Loesing
Matthew Finkel
Griffin Boyce
Colin Childs
Georg Koppen
Tom Ritter
Erinn Clark
David Goulet
Nima Fatemi
Steven Murdoch
Linus Nordberg
Arthur Edelstein
Aaron Gibson
Anonymous Supporter
Matt Pagan
Philipp Winter
Sina Rabbani
Jacob Appelbaum
Karen Reilly
Meredith Hoban Dunn
Moritz Bartl
Mike Perry
Sukhbir Singh
Sebastian Hahn
Nicolas Vigier
Nathan Freitas
meejah
Leif Ryge
Runa Sandvik
Andrea Shepard
Isis Agora Lovecruft
Arlo Breault
Ásta Helgadóttir
Mark Smith
Bruce Leidl
Dave Ahmad
Micah Lee
Sherief Alaa
Virgil Griffith
Rachel Greenstadt
Andre Meister
Andy Isaacson
Gavin Andresen
Scott Herbert
Colin Mahns
John Schriner
David Stainton
Doug Eddy
Pepijn Le Heux
Priscilla Oppenheimer
Ian Goldberg
Rebecca MacKinnon
Nadia Heninger
Cory Svensson
Alison Macrina
Arturo Filastò
Collin Anderson
Andrew Jones
Eva Blum-Dumontet
Jan Bultmann
Murtaza Hussain
Duncan Bailey
Sarah Harrison
Tom van der Woerdt
Jeroen Massar
Brendan Eich
Joseph Lorenzo Hall
Jean Camp
Joanna Rutkowska
Daira Hopwood
William Gillis
Adrian Short
Bethany Horne
Andrea Forte
Hernán Foffani
Nadim Kobeissi
Jakub Dalek
Rafik Naccache
Nathalie Margi
Asheesh Laroia
Ali Mirjamali
Huong Nguyen
Meerim Ilyas
Timothy Yim
Mallory Knodel
Randy Bush
Zachary Weinberg
Claudio Guarnieri
Steven Zikopoulos
Michael Ceglar
Henry de Valence
Zachariah Gibbens
Jeremy M. Harmer
Ilias Bartolini
René Pfeiffer
Percy Wegmann
Tim Sammut
Neel Chauhan
Matthew Puckey
Taylor R Campbell
Klaus Layer
Colin Teberg
Jeremy Gillula
Will Scott
Tom Lowenthal
Rishab Nithyanand
Brinly Taylor
Craig Colman-Shepherd
A. Lizard
M. C. McGrath
Ross MacDonald
Esra'a Al Shafei
Gulnara Yunusova
Ben Laurie
Christian Vandrei
Tanja Lange
Markus Kitsinger
Harper Reed
Mark Giannullo
Alyssa Rowan
Daniel Gall
Kathryn Cramer
Camilo Galdos AkA Dedalo
Ralf-Philipp Weinmann
Miod Vallat
Carlotta Negri
Frederic Jacobs
Susan Landau
Jan Weiher
Donald A. Byrd
Jesin A.
Thomas Blanchard
Matthijs Pontier
Rohan Nagel
Cyril Brulebois
Neal Rauhauser
Sonia Ballesteros Rey
Florian Schmitt
Abdoulaye Bah
Simone Basso
Charlie Smith
Steve Engledow
Michael Brennan
Jeffrey Landale
Sophie Toupin
Dana Lane Taylor
Nagy Gabor
Shaf Patel
Augusto Amaral
Robin Molnar
Jesús Cea Avión
praxis journal
Jens Stomber
Noam Roberts
Ken Arroyo Ohori
Brian Kroll
Shawn Newell
Rasmus Vuori
Alexandre Guédon
Seamus Tuohy
Virginia Lange
Nicolas Sera-Leyva
Jonah Silas Sheridan
Ross McElvenny
Aaron Zauner
Christophe Moille
Micah Sherr
Gabriel Rocha
Yael Grauer
Kenneth Freeman
Dennis Winter
justaguy
Lee Azzarello
Zaki Manian
Aaron Turner
Greg Slepak
Ethan Zuckerman
Pasq Gero
Pablo Suárez-Serrato
Kerry Rutherford
Andrés Delgado
Tommy Collison
Dan Luedders
Flávio Amieiro
Ulrike Reinhard
Melissa Anelli
Bryan Fordham
Nate Perkins
Jon Blanchard
Jonathan Proulx
Bunty Saini
Daniel Crowley
Matt Price
Charlie McConnell
Chuck Peters
Ejaz Ahmed
Laura Poitras
Benet Hitchcock
Dave Williams
Jane Avriette
Renata Avila
Sandra Ordonez
David Palma
Andre N Batista
Steve Bellovin
James Renken
Alyzande Renard
Patrick Logan
Rory Byrne
Holly Kilroy
Phillipa Gill
Mirimir
Leah Carey
Josh Steiner
Benjamin Mako Hill
Nick Feamster
Dominic Corriveau
Adrienne Porter Felt
str4d
Allen Gunn
Eric S Johnson
Hanno Wagner
Anders Hansen
Alexandra Stein
Tyler H. Meers
Shumon Huque
James Vasile
Andreas Kinne
Johannes Schilling
Niels ten Oever
David W. Deitch
Dan Wallach
Jon Penney
Starchy Grant
Damon McCoy
David Yip
Adam Fisk
Jon Callas
Aleecia M. McDonald
Marina Brown
Wolfgang Britzl
Chris Jones
Heiko Linke
David Van Horn
Larry Brandt
Matt Blaze
Radek Valasek
skruffy
Galou Gentil
Douglas Perkins
Jude Burger
Myriam Michel
Jillian York
Michalis Polychronakis
SilenceEngaged
Kostas Jakeliunas
Sebastiaan Provost
Sebastian Maryniak
Clytie Siddall
Claudio Agosti
Peter Laur
Maarten Eyskens
Tobias Pulls
Sacha van Geffen
Cory Doctorow
Tom Knoth
Fredrik Julie Andersson
Nighat Dad
Josh L Glenn
Vernon Tang
Jennifer Radloff
Domenico Lupinetti
Martijn Grooten
Rachel Haywire
eliaz
Christoph Maria Sommer
J Duncan
Michael Kennedy Brodhead
Mansour Moufid
Melissa Elliott
Mick Morgan
Brenno de Winter
George Scriban
Ryan Harris
Ricard S. Colorado
Julian Oliver
Sebastian "bastik" G.
Te Rangikaiwhiria Kemara
Koen Van Impe
Kevin Gallagher
Sven "DrMcCoy" Hesse
Pavel Schamberger
Phillip M. Pether
Joe P. Lee
Stephanie Hyland
Maya Ganesh
Greg Bonett
Amadou Lamine Badji
Vasil Kolev
Jérémie Zimmermann
Cally Gordon
Hakisho Nukama
Daniel C Howe
Douglas Stebila
Jennifer Rexford
Nayantara Mallesh
Valeria de Paiva
Tim Bulow
Meredith Whittaker
Max Hunter
Maja Lampe
Thomas Ristenpart
Lisa Wright
August Germar
Ronald Deibert
Harlan Lieberman-Berg
Alan L. Stewart
Alexander Muentz
Erin Benson
Carmela Troncoso
David Molnar
Holger Levsen
Peter Grombach
John McIntyre
Lisa Geelan
Antonius Kies
Jörg Kruse
Arnold Top
Vladimir G. Ivanovic
Ahmet A. Sabancı
Henriette Hofmeier
Ethan Heilman
Daniël Verhoeven
Alex Shepard
Max Maass
Ed Agro
Andrew Heist
Patrick McDonald
Lluís Sala
Laurelai Bailey
Ghost
José Manuel Cerqueira Esteves
Fabio Pietrosanti
Cobus Carstens
Harald Lampesberger
Douwe Schmidt
Sascha Meinrath
C. Waters
Bruce Schneier
George Danezis
Claudia Diaz
Kelley Misata
Denise Mangold
Owen Blacker
Zach Wick
Gustavo Gus
Alexander Dietrich
Frank Smyth
Dafne Sabanes Plou
Steve Giovannetti
Grit Hemmelrath
Masashi Crete-Nishihata
Michael Carbone
Amie Stepanovich
Kaustubh Srikanth
arlen
Enrique Piracés
Antoine Beaupré
Daniel Kahn Gillmor
Richard Johnson
Ashok Gupta
Alex Halderman
Brett Solomon
Raegan MacDonald
Joseph Steele
Marie Gutbub
Valeria Betancourt
Konstantin Müller
Emma Persky
Steve Wyshywaniuk
Tara Whalen
Joe Justen
Susan Kentner
Josh King
Juha Nurmi
John Saylor
Jurre van Bergen
Saedu Haiza
Anders Damsgaard
Sadia Afroz
Nat Meysenburg
x3j11
Julian Assange
Skyhighatrist
Dan Staples
Grady Johnson
Matthew Green
Cameron Williams
Roy Johnson
Laura S Potter-Brown
Meredith L. Patterson
Casey Dunham
Raymond Johansen
Kieran Thandi
Jason Gulledge
Matt Weeks
Khalil Sehnaoui
Brennan Novak
Casey Jones
Jesse Victors
Peter DeChristo
Nick Black
Štefan Gurský
Glenn Greenwald
hinterland3r
Russell Handorf
Lisa D Lowe
Harry Halpin
Cooper Quintin
Mark Burdett
Conrad Corpus
Steve Revilak
Nate Shiff
Annie Zaman
Matthew Miller (Fedora Project)
David Fetter
Gabriella Biella Coleman
Ryan Lackey
Peter Clemenko
Serge Egelman
David Robinson
Sasa Savic
James McWilliams
Arrigo Triulzi
Kevin Bowen
Kevin Carson
Sajeeb Bhowmick
Dominik Rehm
William J. Coldwell
Niall Madhoo
Christoph Mayer
Simone Fischer-Hübner
George W. Maschke
Jens Kubieziel
Dan Hanley
Robin Jacks
Zenaan Harkness
Pete Newell
Aaron Michael Johnson
Kitty Hundal
Sabine "Atari-Frosch" Engelhardt
Wilton Gorske
Lukas Lamla
Kat Hanna
Polly Powledge
Sven Guckes
Georgia Bullen
Vladan Joler
Eric Schaefer
Ly Ngoc Quan Ly
Martin Kepplinger
Freddy Martinez
David Haren
Simon Richter
Brighid Burns
Peter Holmelin
Davide Barbato
Neil McKay
Joss Wright
Troy Toman
Morana Miljanovic
Simson Garfinkel
Harry Hochheiser
Malte Dik
Tails project
„nuocu
Kurt Weisman
BlacquePhalcon
Shaikh Rafia
Olivier Brewaeys
Sander Venema
James Murphy
Chris "The Paucie" Pauciello
Syrup-tan
Brad Parfitt
Jerry Whiting
Massachusetts Pirate Party
András Stribik
Alden Page
Juris Vetra
Zooko Wilcox-O'Hearn
Marcel de Groot
Ryan Henry
Joy Lowell
Guilhem Moulin
Werner Jacob
Tansingh S. Partiman
Bryce Alexander Lynch
Robert Guerra
John Tait
Sebastian Urbach
Atro Tossavainen
Alexei Czeskis
Greg Norcie
Greg Metcalfe
Benjamin Chrobot
Lorrie Faith Cranor
Jamie D. Thomas
EJ Infeld
Douglas Edwards
Cody Celine
Ty Bross
Matthew Garrett
Sam P.
Vidar Waagbø
Raoul Unger
Aleksandar Todorović
John Olinda
Graham Perkins
Casa Casanova
James Turnbull
Eric Hogue
Jacobo Nájera
Ben Adida


If you would like to be on this list of signers (please do — you don't have to be a part of Tor to sign on!), please reach us at tor-assistants @ torproject.org.

Tor Weekly News — December 10th, 2014

Welcome to the forty-ninth issue in 2014 of Tor Weekly News, the weekly newsletter that covers what’s happening in the Tor community.

Tor Browser 4.0.2 and 4.5-alpha-2 are out

Georg Koppen announced new stable and alpha releases by the Tor Browser team. Tor Browser 4.0.2 fixes the Windows compiler bugs that were resulting in frequent crashes, ensures entries in the cache are once again isolated by URL bar domain, and prevents the user’s locale setting from being leaked by the JavaScript engine. Tor Browser 4.5-alpha-2 brings further improvements to Torbutton’s new circuit visualization panel, which can now be turned off by visiting about:config and setting “extensions.torbutton.display_circuit” to “false”, as well as to the security slider.

Both releases contain important security updates and all users should upgrade as soon as possible; please see Georg’s post for full details. You can obtain your copy from the project page, or through the in-browser updater.

Tails 1.2.1 is out

The Tails team announced a new version of the amnesic live operating system. Alongside updates to Linux and Tor Browser, Tails 1.2.1 finally disables the Truecrypt encryption manager, which was abandoned by its developers earlier this year. There have been warnings about this change for several months, but users who have not yet migrated their data away from Truecrypt (or who are not able to) can still access these volumes with cryptsetup by following Tails’ own guide.

The default configuration of GnuPG has also been changed in line with accepted best practices. If you want to take advantage of this, there is a simple step you need to perform; please see the team’s post for more details, and get your copy of the new Tails from the download page or through the incremental updater.

More monthly status reports for November 2014

The wave of regular monthly reports from Tor project members for the month of November continued, with reports from Pearl Crescent, Sukhbir Singh, Leiah Jansen, Matt Pagan, Arlo Breault, Colin C., and Nicolas Vigier.

Karsten Loesing reported on behalf of the Tor Network Tools team, and Roger Dingledine sent out the report for SponsorF.

Miscellaneous news

George Kadianakis sent out an updated draft of the proposal to safely collect hidden service statistics from Tor relays.

Nick Mathewson gave a talk to the Computer Systems Security class at MIT on the subject of “Anonymous Communication”.

David Fifield summarized the costs incurred in November by the infrastructure for the meek pluggable transport.

The Tails team wondered about the best way to prioritize adding support for pluggable transports: “Assuming we add support for Scramblesuit in Tails 1.3, then what usecases won’t we be supporting, that we could support better with obfs4 or meek?”

usprey wrote up a guide to configuring a Tor relay on a server running Arch Linux: “All and any feedback will be appreciated! Are there any privacy concerns about using pdnsd to cache DNS locally?”

Jacob Appelbaum recommended possible ways to reduce the attack surface presented by the kernel and the firewall in Tails. He also compiled a dataset containing historical hashes and signatures of Tails files: “In the future, I’ll write a program that uses the dataset in a useful manner. In an ideal world, we’d have a way to use a Tails disk to verify any other Tails disk.”

Tor help desk roundup

Users often write to find out how they can help the Tor Project. There are several ways to help out.

If you have access to a server, consider setting up a Tor relay to expand the network, or a bridge relay to help internet users stuck behind censorship.

If you’re a coder, see if any of the projects on our volunteer page capture your interest. You can also look for tickets on our bug tracker that are filed with the “easy” component if you want to submit some patches.

If you’re interested in doing outreach, consider joining the Tor Weekly News team.

If you’d like to get involved with translations, please join a team on our Transifex. If a team for the language you’d like to translate into does not yet exist (check carefully), please go ahead and request a new team. It will take a day or two for the team to be approved, so please be patient.

News from Tor StackExchange

strand raised a question about the code regarding rendezvous and introduction points. Within src/or/rendservice.c there are several occurrences of onion_address, and strand wants to know which function catches what from a hidden service. If you can answer this question, please come to Tor’s Q&A page and give us some insights.

This week in Tor history

A year ago this week, the Freedom of the Press Foundation launched its “Encryption Tools for Journalists” crowdfunding campaign, distributing the proceeds to five free software security projects, including the Tor Project and Tails. As of this writing, 1256 donors have contributed $136,977.05 in support of journalists’ right to communicate with sources and carry out research without being subjected to invasive surveillance. Thanks to the FPF and to everyone who has donated so far!


This issue of Tor Weekly News has been assembled by Matt Pagan, qbi, David Fifield, Arlo Breault, Karsten Loesing, and Harmony.


Tor Browser 4.5-alpha-2 is released

The second alpha release of the 4.5 series is available from the extended downloads page and also from our distribution directory.

Tor Browser 4.5-alpha-2 is based on Firefox ESR 31.3.0, which features important security updates to Firefox. Additionally, it fixes a regression which caused third party authentication credentials to remain undeleted and contains smaller improvements to the circuit UI and the security slider.

Here is the changelog since 4.5-alpha-1:

  • All Platforms
    • Update Firefox to 31.3.0esr
    • Update NoScript to 2.6.9.5
    • Update HTTPS Everywhere to 5.0developement.1
    • Update Torbutton to 1.8.1.2
      • Bug 13672: Make circuit display optional
      • Bug 13671: Make bridges visible on circuit display
      • Bug 9387: Incorporate user feedback
      • Bug 13784: Remove third party authentication tokens
    • Bug 13435: Remove our custom POODLE fix (fixed by Mozilla in 31.3.0esr)

Tails 1.2.1 is out

Tails, The Amnesic Incognito Live System, version 1.2.1, is out.

This release fixes numerous security issues and all users must upgrade as soon as possible.

Changes

Notable user-visible changes include:

  • Security fixes
    • Upgrade Linux to 3.16.7-1.
    • Install Tor Browser 4.0.2 (based on Firefox 31.3.0esr).
  • Bugfixes
    • Restore mouse scrolling in KVM/Spice (ticket #7426).
    • Suppress excessive (and leaky!) Torbutton logging (ticket #8160).
    • Don't break the Unsafe and I2P Browsers after installing incremental upgrades (ticket #8152, ticket #8158).
    • External links in various applications should now open properly in the Tor Browser (ticket #8153, ticket #8186).
    • Fix clearsigning of text including non-ASCII characters in gpgApplet (ticket #7968).
  • Minor improvements
    • Upgrade I2P to 0.9.17-1~deb7u+1.
    • Make GnuPG configuration closer to the best practices (ticket #7512).
    • Remove TrueCrypt support and document how to open TrueCrypt volumes using cryptsetup (ticket #5373).

See the online Changelog for technical details.

Known issues

  • Users of the GnuPG keyrings and configuration persistence feature should follow some manual steps after upgrading a Tails USB stick or SD card installation to Tails 1.2.1.
  • Longstanding known issues.

I want to try it or to upgrade!

Go to the download page.

As no software is ever perfect, we maintain a list of problems that affect the last release of Tails.

What's coming up?

The next Tails release is scheduled for January 14.

Have a look at our roadmap to see where we are heading to.

Do you want to help? There are many ways you can contribute to Tails. If you want to help, come talk to us!

Support and feedback

For support and feedback, visit the Support section on the Tails website.
