phobos's blog

Announcement: The Tor Project is now accepting Bitcoin Donations

Over the past year, we have received many requests for us to accept bitcoin donations. After careful consideration and research, we are thrilled to announce that effective today The Tor Project is accepting bitcoin donations. In partnership with Bitpay, bitcoins can easily and directly be donated to support Tor’s ongoing mission of being the global resource for privacy technology advocacy, research and education in the ongoing pursuit of freedom of speech, privacy rights online, and censorship circumvention. Check out our donations page now. Bitcoin donations received by The Tor Project will be converted directly to US Dollars.

Our decision to accept bitcoins has been well thought out and researched from a financial accounting perspective with an eye on passing our required annual A-133 audit. We believe we are the first US 501(c)3 non-profit organization to test acceptance of bitcoins and attempt to pass the US Government A-133 Audit Standard. Our 2013 audit results, along with our past financial documents, will be made available on our website once complete in 2014.

The Tor Project is also proud to be in the company of other visible non-profit organizations accepting bitcoins including EFF and Wordpress.

Why is this important? The Tor Project needs your donations to continue our mission and to keep the Tor suite of technologies ahead of the growing threats to privacy and anonymity around the world. Your donation made TODAY, through bitcoin, Paypal, Amazon Payments, Givv.org, checks, money orders or bank transfers, will provide greater security and privacy for millions around the world who use Tor every day.

Help us continue our mission!

Thanks!

Thank you from The Tor Project for your support, advocacy, and help over the past few years!

Tor, NSA, GCHQ, and QUICK ANT Speculation

Many Tor users and various press organizations are asking about one slide in a Brazilian TV broadcast. A graduate student in law and computer science at Stanford University, Jonathan Mayer, then speculated on what this "QUICK ANT" could be. Since then, we've heard all sorts of theories.

We've seen the same slides as you and Jonathan Mayer have seen. It's not clear what the NSA or GCHQ can or cannot do. It's not clear if they are "cracking" the various crypto used in Tor, merely tracking Tor exit relays or Tor relays as a whole, or running their own private Tor network.

What we do know is that if someone can watch the entire Internet all at once, they can watch traffic enter Tor and exit Tor. This likely de-anonymizes the Tor user. We describe the problem as part of our FAQ.

We think the most likely explanation here is that they have some "Tor flow detector" scripts that let them pick Tor flows out of a set of flows they're looking at. This is basically the same problem as the blocking-resistance problem — they could do it by IP address ("that's a known Tor relay"), or by traffic fingerprint ("that looks like TLS but look here and here how it's different"), etc.

It's unlikely to have anything to do with deanonymizing Tor users, except insofar as they might have traffic flows from both sides of the circuit in their database. However, without concrete details, we can only speculate as well. We'd rather spend our time developing Tor and conducting research to make a better Tor.

Thanks to Roger and Lunar for edits and feedback on this post.

Transparency, openness, and our 2012 financial docs

After completing the standard audit, our 2012 state and federal tax filings are available. Our 2012 Annual Report is also available. We publish all of our related tax documents because we believe in transparency. All US non-profit organizations are required by law to make their tax filings available to the public on request by US citizens. We want to make them available for all.

Part of our transparency is simply publishing the tax documents for your review. The other part is publishing what we're working on in detail. We hope you'll join us in furthering our mission (a) to develop, improve and distribute free, publicly available tools and programs that promote free speech, free expression, civic engagement and privacy rights online; (b) to conduct scientific research regarding, and to promote the use of and knowledge about, such tools, programs and related issues around the world; (c) to educate the general public around the world about privacy rights and anonymity issues connected to Internet use.

All of this means you can look through our source code, including our design documents, and all open tasks, enhancements, and bugs available on our tracking system. Our research reports are available as well. From a technical perspective, all of this free software, documentation, and code allows you and others to assess the safety and trustworthiness of our research and development. On another level, we have a 10-year track record of doing high quality work, saying what we're going to do, and doing what we said.

Internet privacy and anonymity are more important and rare than ever. Please help keep us going by getting involved, donating, or advocating for a free Internet with privacy, anonymity, and control over your own identity.

NNEDV Tech Summit 2013 Report

I was invited to talk for 90 minutes at NNEDV's TechSummit 13 about privacy, helping victims, and Tor. My presentation covered a quick overview of Tor, why I'm here talking about domestic violence and intimate partner abuse, and what we're doing to help. I also included four case studies which highlight the role of technology in stalking and abuse. Videos of my talk may make their way online at some point. At the request of the audience, I walked through my World Bank Hackathon presentation to show how easy it is to infect a mobile phone and what an abuser will get out of such an action.

The conference was held at the great Hayes Mansion which allowed for lots of informal conversations in a more relaxed atmosphere. The attendees are a mix of advocates from around the world, law enforcement, commercial companies (such as Apple, Facebook, Google, Verizon, Mozilla, etc), and a number of lawyers from public and private organizations.

I could only stay for one day of the three-day conference, but once again, it was great to engage in conversations with people of all backgrounds. Many organizations are now more aware of Tor and interested in talking to us about using our technology and experience to help. Hopefully our continuing commitment to helping and past experience in this area are beginning to make a difference.

Overall, it was great to be invited and worth the trip.

Hidden Services, Current Events, and Freedom Hosting

Around midnight on August 4th we were notified by a few people that a large number of hidden service addresses had disappeared from the Tor Network. There are a variety of rumors about a hosting company for hidden services: that it is suddenly offline, has been breached, or that attackers have placed a javascript exploit on their web site.

A hidden service is a server – often delivering web pages – that is reachable only through the Tor network. While most people know that the Tor network with its thousands of volunteer-run nodes provides anonymity for users who don't want to be tracked and identified on the internet, the lesser-known hidden service feature of Tor provides anonymity also for the server operator.

Anyone can run hidden services, and many do. We use them internally at The Tor Project to offer our developers anonymous access to services such as SSH, IRC, HTTP, and our bug tracker. Other organizations run hidden services to protect dissidents, activists, and protect the anonymity of users trying to find help for suicide prevention, domestic violence, and abuse-recovery. Whistleblowers and journalists use hidden services to exchange information in a secure and anonymous way and publish critical information in a way that is not easily traced back to them. The New Yorker's Strongbox is one public example.

Hidden service addresses, aka the dot onion domain, are cryptographically and automatically generated by the tor software. They look like this: http://idnxcnkne4qt76tg.onion/, which is our torproject.org website as a hidden service.

There is no central repository nor registry of addresses. The dot onion address is both the name and the routing address for the services hosted at the dot onion. The Tor network uses the .onion address to direct requests to the hidden server and route back the data from the hidden server to the anonymous user. The design of the Tor network ensures that the user cannot know where the server is located and the server cannot find out the IP address of the user, except by intentional malicious means like hidden tracking code embedded in the web pages delivered by the server. Additionally, the design of the Tor network, which is run by thousands of volunteers, ensures that it is impossible to censor or block certain .onion addresses.
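As an added example (not code from the original post or from the tor code base), here is the derivation tor used for these 16-character addresses in 2013, known as the v2 scheme: the first 80 bits of the SHA-1 digest of the service's DER-encoded RSA-1024 public key, base32-encoded and lowercased. Because the name is derived from the key, whoever holds the private key owns the name, which is why no registry is needed. The second half is a small scanner a defender can use to pick onion hostnames out of proxy logs; the DER bytes and log lines used here are constructed, not real.

```python
import base64
import hashlib
import re

# Shape of a v2 onion hostname: 16 base32 characters (a-z, 2-7) plus ".onion".
V2_ONION_RE = re.compile(r"^[a-z2-7]{16}\.onion$")
V2_ONION_IN_TEXT_RE = re.compile(r"\b([a-z2-7]{16}\.onion)\b")


def derive_v2_onion(der_pubkey: bytes) -> str:
    """Return the 16-character v2 onion name for a DER-encoded RSA public key.

    v2 scheme: SHA-1 over the DER bytes, keep the first 80 bits (10 bytes),
    base32-encode (10 bytes -> exactly 16 characters, no padding), lowercase.
    """
    digest = hashlib.sha1(der_pubkey).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def looks_like_v2_onion(hostname: str) -> bool:
    """True if hostname has the exact shape of a v2 .onion address."""
    return V2_ONION_RE.match(hostname.strip().lower()) is not None


def find_onion_hosts(log_text: str) -> list:
    """Return distinct v2 onion hostnames mentioned anywhere in log text."""
    seen = []
    for match in V2_ONION_IN_TEXT_RE.finditer(log_text.lower()):
        host = match.group(1)
        if host not in seen:
            seen.append(host)
    return seen


# Constructed sample proxy log (not real traffic). The first hostname is the
# torproject.org hidden service address quoted in the post above.
SAMPLE_PROXY_LOG = """\
2013-08-04T00:05:12 client1 GET http://idnxcnkne4qt76tg.onion/ 200
2013-08-04T00:05:13 client1 GET http://www.torproject.org/ 200
2013-08-04T00:06:40 client2 GET http://idnxcnkne4qt76tg.onion/docs/ 200
"""

if __name__ == "__main__":
    # Constructed stand-in for a DER-encoded public key; a real key is ~160 bytes.
    fake_der = b"constructed stand-in for DER-encoded RSA public key bytes"
    print("derived name:", derive_v2_onion(fake_der) + ".onion")
    print("onion hosts in log:", find_onion_hosts(SAMPLE_PROXY_LOG))
```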

The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research. In the past, adversarial organizations have skipped trying to break Tor hidden services and instead attacked the software running at the server behind the dot onion address. Exploits for PHP, Apache, MySQL, and other software are far more common than exploits for Tor. The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server so that it injects some sort of javascript exploit into the web pages delivered to users. This exploit is used to load a malware payload to infect users' computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We're investigating these bugs and will fix them if we can.

As for now, one of multiple hidden service hosting companies appears to be down. There are lots of rumors and speculation as to what's happened. We're reading the same news and threads you are and don't have any insider information. We'll keep you updated as details become available.

EDIT: See our next blog post for more details about the attack.

Tor Check Outage on 03 and 04 July 2013

Over the past 24 hours https://check.torproject.org has been unavailable due to excessive DNS queries to the exitlist service. It seems there are a number of individuals and companies with commercial products relying upon this volunteer service. We finally hit the point where we couldn't keep up with the queries and simply disabled the service.

This is a volunteer service offered as a proof of concept. We strongly encourage people to run their own. The code is available at https://svn.torproject.org/svn/check/trunk/.

The new Tor Browser 3.0 alpha series includes a new way to detect "tor or not" locally, without relying on a single point of failure service. This is the first step towards finally retiring check.torproject.org for good.

As of 09:00 on 04 July 2013, the service is re-enabled. We reserve the right to take it down as needed without notice.

A weekend at New England Give Camp

Trip Report for New England Give Camp 2013

I spent the entire weekend with New England Give Camp at Microsoft Research in Cambridge, MA. I was one of the non-profits, representing ipv tech, Tor, and offering myself as a technical volunteer to help out other non-profits. Over the 48 hours, here's what I helped out doing:

  • Transition House
    • Help evaluate their IT systems
    • Look at, reverse engineer, and fix their Alice database system
  • Emerge
    • Update their wordpress installation
    • Help fix the rotating images on the site
  • ipv tech
    • Hack on fuerza app
    • Get fuerza into a git repo, now here at gitorious
    • Rewrite the app to be markdown and static files to work offline
  • Children's Charter
    • Help resurrect their hacked WordPress installation and build them a new site.

I also did a 30-minute talk about technology and intimate partner violence. Over the past few years, I've seen every possible technology used to stalk, harass, and abuse people, and those that help them. I'm helping the victims and advocates use the same technologies to empower the victims and turn the tables on the abusers in most cases. The ability to be anonymous and be free from surveillance for once, even for an hour, is cherished by the victims and affected advocates.

Our team was great. Kevin, Paul, John, Bob, Carmine, Adam, and Sarah did a great job at keeping motivated, making progress, and joking along the way. Microsoft, Whole Foods, and a slew of sponsors offered endless food, sugary drinks, beautiful views, and encouragement throughout the weekend.

Cambridge Community Television interviewed me at the very end of the event. There's also a Flickr group full of pictures.

Overall it was a great experience. I encourage you to volunteer next year.
