The Tor Project is Hiring a Developer for OONI!

by art | May 17, 2016

Are you a software engineer passionate about internet freedom and transparency? The Tor Project is hiring a full-time developer to work on OONI!

What’s OONI?

The Open Observatory of Network Interference (OONI) is a free software effort of the Tor Project which aims to detect online censorship and traffic manipulation around the world through the collection of network measurements.

OONI is based on free software tests that are designed to measure:

  • Blocking of websites
  • Systems responsible for censorship, surveillance and traffic manipulation
  • Reachability of Tor, proxies, VPNs, and other systems

Since 2012, OONI has collected more than 9.5 million measurements across 96 countries, all of which are public and provide evidence and data to back up claims of network manipulation.

Why join OONI?

OONI is in a unique position to bring transparency to technical censorship. You can play a key part in keeping the web free and neutral.

By joining the team, you will play an important role not only in paving the road for a better interference detection system, but you will also be responsible for software run by activists around the world. Your work will help reveal unlawful censorship and surveillance around the world and aid the work of human rights defenders.

Becoming an OONI-tarian

As a core OONI developer, you will contribute to some of our active development efforts, including:

These tasks will increase the impact of the millions of measurements that OONI is currently hosting, the hundreds of vantage points around the world, and the future of censorship measurement.

Learn more and apply to join the OONI team as a core developer here.

Comments

Please note that the comment area below has been archived.

May 17, 2016

I am so glad you've been able to find the funds to do this!

So many urgent things need to be addressed, but this is certainly one of the most important. I hope this will ultimately help endangered people/journalists everywhere.

Huge item of meta-news, of particular interest to people in Brazil who need to read what the Snowden trove reveals about the cynical and outrageous USG manipulation of political/economic events in their country:

https://theintercept.com/2016/05/16/the-intercept-is-broadening-access-…
The Intercept Is Broadening Access to the Snowden Archive. Here’s Why
Glenn Greenwald
16 May 2016

> From the time we began reporting on the archive provided to us in Hong Kong by NSA whistleblower Edward Snowden, we sought to fulfill his two principal requests for how the materials should be handled: that they be released in conjunction with careful reporting that puts the documents in context and makes them digestible to the public, and that the welfare and reputations of innocent people be safeguarded. As time has gone on, The Intercept has sought out new ways to get documents from the archive into the hands of the public, consistent with the public interest as originally conceived.
>
> Today, The Intercept is announcing two innovations in how we report on and publish these materials. Both measures are designed to ensure that reporting on the archive continues in as expeditious and informative a manner as possible, in accordance with the agreements we entered into with our source about how these materials would be disclosed, a framework that he, and we, have publicly described on numerous occasions.
>
> The first measure involves the publication of large batches of documents.
> ...
> The other innovation is our ability to invite outside journalists, including from foreign media outlets, to work with us to explore the full Snowden archive.

Great example of the kind of news which must not be censored by any government, and should be read by people everywhere, because it's that important to their understanding of their personal situation.

May 18, 2016

Sometimes TorBrowser makes connection to 93.184.220.29 without tor.exe.
Check this:
ocsp.digicert.com
and make TorBrowser better.

> ocsp.digicert.com

Forgive me if I misunderstood (your post contains few details), but it sounds to me as if you might have noticed an unexpected connection to ocsp.digicert.com when you were connecting to another site using Tor Browser, such as https://twitter.com. But if that other site was protected by https, Tor Browser *should* connect to some Certificate Authority site (digicert is one of the biggest) in order to fetch the certificate used to verify that you were connecting to the genuine twitter.com and not an FBI phishing site masquerading as twitter.com.

May 19, 2016

Tor Browser is really great. Pity some sites block the access when they see a "strange" ip address.
These sites don't have to oblige us to not stay anonymous.

The hardened version of ooni?

This comment makes no sense on this blog post.

I wonder if we should start enforcing on-topicness of the blog post comments.

I just approved a whole mess of not-really-related-to-ooni-at-all comments below. They sure do distract from the actual blog post topic.

(The counter might be "but this is the only safe way for Tor users to reach you!" -- but that is not true, since adding an off-topic comment to a blog post is not reaching us at all.)

May 19, 2016

https://www.buzzfeed.com/sheerafrenkel/everything-you-ever-wanted-to-kn…
Everything You Ever Wanted to Know About How ISIS Uses The Internet
They talk on Telegram and send viruses to their enemies. BuzzFeed News’ Sheera Frenkel looks at how ISIS members and sympathizers around the world use the internet to grow their global network.
Sheera Frenkel

> Here’s an example of a conversation on a private ISIS channel on the messaging app Telegram on a recent Sunday afternoon:
>
> “brother r u use VPN for site?”
> “no brother, that is shit. use tor.”
> “tor is creation of CIA. avoid tor.”
> “so use vpn?”
> “lol, no there is something else”
>
> These sorts of exchanges appear daily on Telegram,

If I am reading the article correctly, this snippet was shown to the reporter by Dlishad Othman, "a cybersecurity engineer with the ISC Project".

I wish the reporter had pointed out that if this pair of 4 Watt bulbs is a typical example of ISIS recruits, that (non)-governmental(?) entity must not be so cyber-capable after all.

Two more recent Buzzfeed News articles of interest to Tor users:

https://www.buzzfeed.com/hamzashaban/manhattan-district-attorney-wants-…
Manhattan District Attorney Wants To Put An End To Apple’s Default Encryption
Law enforcement officials continue to push for a new law that would ban secure communications in the interest of national security.
Hamza Shaban

> ...
> Cyrus Vance, the District Attorney of New York County and one of the most vocal opponents of robust consumer encryption, believes lawmakers shouldn’t wait for potential encryption cases to wind their way through the courts. Instead, with urgency, he is lobbying members of Congress to support legislation that would force tech companies to maintain the ability to decrypt the data of their consumers on demand, with a judge’s approval.

IOW, Cy Vance Jr seeks to outlaw end-to-end encryption, which would outlaw Tor, GPG, and many other good things. The less dire alternative on offer from the USG: "persuade" vendors to make strong cryptography too hard for ordinary people to use on their personal devices:

https://www.buzzfeed.com/hamzashaban/why-googles-encryption-choices-mat…
Why Google’s Encryption Choices Matter
Allo, Google’s new messaging app, offers end-to-end encryption — but not by default.
Hamza Shaban

> Default settings matter.
>
> This truth of consumer technology brings significance to Google’s decision, announced Wednesday during its annual I/O developer conference, to offer end-to-end encryption through its new messaging app, Allo. But unlike WhatsApp or Apple’s iMessage, if you want the protection it offers you’ll have to turn it on.
>
> Through an optional “incognito” mode, Allo encrypts communications in such a way that not even Google can access the contents of the messages you send. Only intended recipients can read correspondence when it’s end-to-end encrypted. For the majority of people, built-in settings are the ones most often used. That’s why Google’s decision to add end-to-end encryption as an option in Allo — but not enable it by default — is disconcerting to some technologists.

Well, here's one tiny bit of good news (thanks to all Americans who called their senators?):

http://www.theregister.co.uk/2016/05/27/backdoor_bill_dead/
Feinstein-Burr's bonkers backdoor crypto law is dead in the water
US senators' bill won't make it to the floor of Congress
Kieren McCarthy
27 May 2016

> A proposed piece of US legislation that would have required American tech companies to cripple the encryption in their products is dead in the water. The daft bill was championed by Senators Richard Burr (R‑NC) and Dianne Feinstein (D‑CA) in February following an increasingly rancorous debate over encryption, and at one point it looked likely to make it into law. Just last month, Senator Ron Wyden said he was planning to filibuster it.

But as the reporter points out, privacy advocates cannot rest easy:

> Not that the issue is going to go away for long. Both the FBI and Apple have agreed that with such a significant issue as access to billions of people's data on the table, a few extreme lawsuits is not the best way to find a workable compromise. Pretty much everyone agrees that where the line is drawn – and how it is drawn – is something Congress has to tackle. And tackle in the way that democratic institutions are supposed to do it: through widespread public consultation, the inclusion of all relevant parties, and the considered views of experts. Whether the elections later this year will produce a Congress that is less dysfunctional and so able to get back to the complex business of writing laws, we will have to see.

May 19, 2016

I say again: the change to Rule 41b, which will take effect in December unless the US Congress acts, will directly affect Tor users all over the world:

https://www.aclu.org/blog/washington-markup/governments-hacking-powers-…
The Government’s Hacking Powers Are About to Grow Exponentially
Neema Singh Guliani, ACLU Legislative Counsel
19 May 2016

> Federal agents may soon be able to remotely hack into hundreds or even millions of computers across the country — with a single warrant. And Congress has to act by December 1 to stop this incredible power grab.
> ...
> The rule change would allow the government to obtain a search warrant to remotely hack a computer in cases involving certain internet crimes, or when the location of the computer is being masked electronically (for example, when a person uses a virtual private network or a privacy-protective service like Tor). Judges would be permitted to authorize these searches within and outside their district — as an exception to the general rule that judges may only issue warrants within their jurisdiction. This could allow the government to hack into millions of computers across the country, without proper judicial oversight.

May 19, 2016

Who would dare to read the following article except under cover of Tor?

medium.com
The Pentagon’s secret pre-crime program to know your thoughts, predict your future
US military contractors are mining social media to influence your ‘cognitive behavior’ when you get angry at the state
Nafeez Ahmed
1 Feb 2016

> The US Department of Defense (DoD) wants contractors to mine your social media posts to develop new ways for the US government to infer what you’re really thinking and feeling — and to predict what you’ll do next.
>
> Pentagon documents released over the last few months identify ongoing classified research in this area that the federal government plans to expand, by investing millions more dollars.
>
> The unclassified documents, which call on external scientists, institutions and companies to submit proposals for research projects, not only catalogue how far US military capabilities have come, but also reveal the Pentagon’s goals: building the US intelligence community’s capacity to forecast population behavior at home and abroad, especially groups involved in political activism.
> ...

Do I detect a sudden chilling sensation?

May 19, 2016

One more striking example of why everyone needs to use Tor as much as possible:

https://www.eff.org/deeplinks/2016/05/when-surveillance-chills-speech-n…
Surveillance Chills Speech—As New Studies Show—And Free Association Suffers
Karen Gullo
19 May 2016

> ... Government surveillance has that chilling effect—on our activities, choices and communications—and carries serious consequences. We argue in our lawsuit First Unitarian Church of Los Angeles, et al v. NSA that the government’s collection of phone records violates the First Amendment rights of our clients—churches and civil and human rights organizations—by discouraging members and constituents from associating and communicating with them for fear of being spied on.
> ...
> The Wikipedia study, to be published in an upcoming issue of the Berkeley Technology Law Journal, found a dramatic fall in monthly traffic to Wikipedia articles about terror groups and their techniques after the June 2013 disclosures of the NSA PRISM surveillance program by whistleblower Edward Snowden. The study looked at 48 Wikipedia articles that contained terrorism-related keywords tracked by the Department of Homeland Security, such as “suicide attack” and “dirty bomb.”
>
> Article views dropped 30 percent after June 2013, which supports “the existence of an immediate and substantial chilling effect,” wrote author Jonathon Penney. He also found that monthly views continued to fall, suggesting that the chilling effects of NSA surveillance are long term. The study, he says, has “implications for the health of democratic deliberation among citizens” and the broader health of society.

The correct solution is of course not to stop reading uncensored in order to learn things you need to know for your own safety, but to use Tor.

> These studies provide evidence of what we have long argued—our freedom to read what we choose online and communicate and associate with others privately is profoundly affected by the prospect of the government looking over our shoulder. It’s changed our behavior, whether that means not commenting on a Facebook post about terrorism, avoiding a Wikipedia page, or steering clear of certain organizations.

Exactly!

What Cy Vance and James Comey really want is to ensure that governments (or rather their AI governance bots) make all the big decisions about the lives of individual citizens. God forbid citizens should think for themselves, much less decide how they want their own lives to unfold!

May 19, 2016

Was following links from this fine piece by two senior ACLU staffers:

Power Loves the Dark
Matthew Harwood, Senior Writer/Editor, ACLU
& Jay Stanley, Senior Policy Analyst, ACLU Speech, Privacy & Technology Project
19 May 2016

> In December 2015, the Journal of the American Statistical Association published a study that brought joy to the predictive crime-fighting industry. The study’s researchers concluded that a predictive policing algorithm outperformed human analysts in indicating where crime would occur, which in turn led to real crime reductions after officers were dispatched to the flagged areas. Only one problem: five of the seven authors held PredPol stock, and two were co-founders of the company. On its website, PredPol identifies the research as a “UCLA study,” but only because PredPol co-founder Jeffery Brantingham is an anthropology professor there.

What critic of "lying with statistics" could resist reading a bit of marketing fluff published (by ASA, even) as an "independent academic study" [sic]? Unfortunately got this response from the third party server:

> client IP is blocked because: More than 100 sessions created in 5 minutes
> Blocked IPs: ***

Censoring PredPol *propaganda*! Houda thunkit?

(BTW, the claimed "100 sessions" figure didn't change to "101" when I tried a second time, so it's probably completely bogus.)

May 19, 2016

Truly, the USG has gone off the rails:

http://sputniknews.com
Developer of Online Anonymity Tool Tor Flees US to Escape FBI ‘Harassment’
Mandel Ngan
18 May 2016

> The Federal Bureau of Investigations may be looking to break into Tor, the Internet browser that hides users’ locations, by trying to subpoena one of Tor’s primary software developers, and instead of complying, she has fled the country.
>
> The FBI wants the cryptographer, who goes by Isis Agora Lovecruft, to testify in a criminal hacking investigation, but privacy advocates — as well as Lovecruft herself — believe the Bureau will attempt to coerce her into helping them crack the system.
>
> The Electronic Frontier Foundation (EFF), the leading nonprofit organization defending electronic civil liberties, has also taken on the case.
>
> “The FBI needs to open up and tell Isis what it is they want before she can decide if she will meet with them,” EFF Senior Staff Attorney Nate Cardozo told Sputnik. “They've said she isn't under investigation, but there are still too many unanswered questions. Isis has a right to know what's going on instead of playing this strange guessing game as she's pursued by federal agents.”

Perilous times indeed.

May 22, 2016

Remember when Medium hosted the Sarawak Report, a detailed, sourced, well-researched expose of political corruption in Malaysia?

Predictably, the government blocked access to Medium.com. And they didn't stop there. You can no doubt guess their next move:

https://www.techdirt.com/
Free Speech
Mike Masnick
19 May 2016

> the government [of Malaysia] is now pushing a new law that gives the MCMC much more power to silence criticism online. And a big part of this is removing the intermediary liability protections that service providers have. This is a topic that we've discussed an awful lot -- especially with regards to things like Section 230 of the CDA in the US, which makes websites immune from liability for actions of their users. Many people try to attack these protections, claiming that they're just protecting big companies, but they're actually very much about protecting the public's ability to speak freely -- and the situation in Malaysia is a perfect example.
>
> Without strong intermediary liability protections, websites will now have very strong incentive to immediately block or take down any content that might displease the government, for fear that leaving it up will lead to legal consequences. This is also why we're so concerned about the recent lawsuits in France claiming that Twitter, Facebook and YouTube didn't take down offensive comments fast enough. Expecting service providers to police and monitor content is a path to widespread censorship.
>
> In Malaysia, a coalition of civil society/public interest groups are fighting back against this new law, and trying to spread the word about its possible impact.

Damn straight. It's all of them against all of us, and we all need to fight back.

May 22, 2016

OT but maybe very good news: a big problem (agreed?) for Tails developers is that the PRNG may not be able to gather enough entropy for strong cryptography soon after you boot from a DVD. The following development is clearly big news--- could it possibly help?

http://www.theregister.co.uk/2016/05/18/boffins_achieve_breakthrough_in…
Boffins achieve 'breakthrough' in random number generation
New method could make it harder for hackers in the future
Katyanna Quach
18 May 2016

> University of Texas computer science professor David Zuckerman and PhD student Eshan Chattopadhyay have found that a "high-quality" random number could be generated by combining two "low-quality" random sources... The new method makes it harder for hackers, as it requires less computational power to spew out random numbers of higher quality. Their paper has caught the attention of other academics worldwide who have described the research as "pulse-quickening" and "a breakthrough in theoretical computer science."

https://threatpost.com/academics-make-theoretical-breakthrough-in-rando…
Academics Make Theoretical Breakthrough in Random Number Generation
Michael Mimoso
May 17, 2016

> Two University of Texas academics have made what some experts believe is a breakthrough in random number generation that could have longstanding implications for cryptography and computer security... “We show that if you have two low-quality random sources—lower quality sources are much easier to come by—two sources that are independent and have no correlations between them, you can combine them in a way to produce a high-quality random number,” Zuckerman said. “People have been trying to do this for quite some time. Previous methods required the low-quality sources to be not that low, but more moderately high quality.”
> ...
> In fact, academics worldwide have taken notice. Oded Goldreich, a professor of computer science at the Weizmann Institute of Science in Israel, called it a fantastic result. “It would have been great to see any explicit two-source extractor for min-entropy rate below one half, let alone one that beats Bourgain’s rate of 0.499,” Goldreich said on the Weizmann website. “Handling any constant min-entropy rate would have been a feast (see A Challenge from the mid-1980s), and going beyond that would have justified a night-long party.”

(Bourgain is a Fields Medalist, so beating his bound is pretty impressive. Goldreich is a well known expert in academic cryptography.)

The articles link to the paper and a followup paper from another researcher.

May 22, 2016

At times, apparent trolling, astroturfing, or other malicious manipulations of social media (possibly sponsored by hostile governments) have become a problem in this blog. An interesting new study from Gary King's group at Harvard claims to uncover 488 million posts by (Chinese government sponsored) "fifty centers":

http://www.theregister.co.uk/2016/05/20/china_caught_astroturfing_polit…
China caught astroturfing social networks
Harvard study blames state groups for 488m comments
Shaun Nichols
20 May 2016

> ... "We estimate that the government fabricates and posts about 488 million social media comments a year. In contrast to prior claims, we show that the Chinese regime's strategy is to avoid arguing with skeptics of the party and the government, and to not even discuss controversial issues," say report authors Gary King, Jennifer Pan, and Margaret Roberts. "We infer that the goal of this massive secretive operation is instead to regularly distract the public and change the subject, as most of these posts involve cheerleading for China, the revolutionary history of the Communist Party, or other symbols of the regime."

One surprising conclusion:

> ... The researchers believe that the 50 cent Party members are not actually employed full-time to target online discussions, but rather engage in the activities outside of their day-jobs as employees in other government organizations. The findings, the study concludes, contradict previously-held notions that online censorship in China is conducted directly through targeting and removing content that is critical of the state. Rather, the researchers find, the government is using more subtle tactics to undermine those who would criticize its policies. "Distraction is a clever and useful strategy in information control, in that an argument in almost any human discussion is rarely an effective way to put an end to an opposing argument," the researchers note. "Letting an argument die, or changing the subject, usually works much better than picking an argument and getting someone's back up (as new parents recognize fast)."

Gary King is the author of the well known R package "Zelig", and has been a tireless champion of Bayesian statistics in the social sciences. One of his earlier papers studied the infamous "hanging chads".

(This comment is not a malicious attempt to "change the subject", and I feel it is not OT in this blog generally, I think, but it is OT in this thread. Wish TP offered a weekly open comment post like Bruce Schneier's "squid" posts.)

WaPo has been running a fine series on censorship by the Chinese government, including this:

https://www.washingtonpost.com
China’s scary lesson to the world: Censoring the Internet works
Simon Denyer
23 May 2016

> ... Far from knocking down the world’s largest system of censorship, China in fact is moving ever more confidently in the opposite direction, strengthening the wall’s legal foundations, closing breaches and reinforcing its control of the Web behind the wall.

Such stories should help Tor leaders make the case to the US Congress to reject FBI's demands to declare Tor effectively illegal, which could potentially shut down Tor Project unless it can perform an emergency relocation somewhere else--- trouble is, other governments such as Netherlands, Iceland, Norway are moving down the same repressive path. But Tor might have some popular support in Germany and some other EU countries, even if the governments are likely to be susceptible to USG pressure to declare Tor illegal.

It is important to recognize that the government of China is doing openly many things which the USG is doing in great secrecy, such as

o sophisticated manipulations of official media and unofficial social media forums,

o intervening often in the family lives of every schoolchild, to ensure that they become "compliant" adults who do not challenge the government's policies,

o assigning "citizenship scores" to each citizen,

o systematizing discrimination against political dissidents and other "weird" people,

o supercomputer simulation of entire populations for "what if" simulations (if government performs "intervention" #377 on Citizen X, does the elite benefit?).

The fact that unlike the USG, the Chinese government is mostly doing these things openly does not render any of them either wise or just, of course.

Thanks to all Tor people for opposing censorship and promoting access to information and freedom of thought/expression!

May 24, 2016

Please take some action to scan tor relays and exits to see if they're run by blacklisted spammers!! I think it may reveal they are taking over! and ruining Tor! Including Krypton and Fire.onion are many blacklisted relays. Thank you. Heads Up!!!

The Tor Network is operated almost entirely by volunteers around the world, but Tor Project does have a few (less than a dozen?) paid employees, including a core development team. The funding is confusing even for the employees, I gather, but some are paid mostly from money which ultimately comes from sources like Radio Free Asia, which is a sort of pro-US propaganda organization (but some would argue, not as nasty as the word "propaganda" makes it sound.) I believe Summer of Code interns at TP are paid by another weirdly conflicted source, Google. I believe that some key Tor assets have full time positions doing closely related pro-privacy work, but from time to time provide patches or essential advice to TP.

I suppose it is more or less inevitable that the people who are paid to defend The People from the Powers that Be are probably not paid as well as the people who are paid to attack The People. But knowing how incredibly essential their work is to freedom, justice, and democracy no doubt sustains them in the face of constant harassment from the bad guys.

No doubt someone from TP will correct me if I said anything which is terribly incorrect!

May 29, 2016

Following up on FBI's harassment of Tor developers, it seems that the Seattle city government also hates privacy--- and the people at Seattle Privacy Coalition who try to defend it:

http://www.npr.org
When A Dark Web Volunteer Gets Raided By The Police
Heard on All Things Considered
Martin Kaste 2010
4 Apr 2016

https://www.thestranger.com
Judge Who Authorized Police Search of Seattle Privacy Activists Wasn't Told They Operate Tor Network
Ansel Herz
8 Apr 2016

http://www.theregister.co.uk/2016/05/25/seattle_suehawks/
Seattle Suehawks: Smart meter hush-up launched because, er ... terrorism
Security through obscurity, amirite?
Shaun Nichols
25 May 2016

http://www.theregister.co.uk/2016/05/27/phil_mocek_seattle_smart_meters/
As US court bans smart meter blueprints from public, sysadmin tells of fight for security info
He wanted records – and got sued instead amid terror fears
Shaun Nichols
27 May 2016