Meet the Tor Summer of Privacy and Outreachy Interns

Photo by adrian on Unsplash
We have some contributors joining the Tor Project this month who come to us through two paid internship programs, Tor Summer of Privacy and Outreachy, an internship program for underrepresented groups in tech. Please join us in congratulating those who were selected and help us welcome them to the Tor community.
Meet the interns and find out a few of the things they’ll be working on:

Summer of Privacy

    •    Chefarov will update and enhance Ahmia, a search engine tool for onion services, mentored by Juha and George.
    •    Dmr will expand Stem’s support as a Tor client, mentored by Damian Johnson and Teor.
    •    Juga will add new features to (and open sourcing!) our bandwidth scanner, mentored by Pastly and Teor.

Tor’s Summer of Privacy is coordinated by Colin Childs (phoul).


    •    Cy63113 will be our user advocate, helping us understand where Tor users struggle to download, install, configure, and use Tor software, mentored by Alison Macrina and Colin.
    •    Jaruga will update and maintain Tor documentation, mentored by Colin.

Tor’s Outreachy program is coordinated by Tommy Collison (t0mmy).

We’re believers in the power of paid internships to discover new talent, help new folks join the Tor community, and make our privacy-enhancing software even better. If you’re interested in seeing how the interns progress with their projects, you can join our tor-dev mailing list.

Congrats again to those who were selected, and thanks to our coordinators and mentors who provide guidance and encouragement.


April 26, 2018


Suggestion: EFF has a theme they call "catalog of missing devices". I'd like to see the user advocates start keeping a "catalog of missing torified devices/software/tools", occasionally re-prioritizing as new information arrives on the threat profile and on the capabilities of the greater Tor community.

Some missing items this user would like to see:

o Faraday bags and other defenses against "extraneous EM emissions" snooping (cheaper than $10K TEMPEST vaults),
o defenses against chemical weapons and thru-wall sensors being provided to many agencies,
o defenses against sonic weapons and EMP weapons being provided to some agencies,
o software defined radios which can be tuned to any freq in KhZ to 15 GHz range or so (yes, that is an engineering challenge), or can construct power spectrum graphs (where are the signals?)
o just as wireshark knows thousands of protocols, the SDR should know likely sources for signals at a given frequency
o drone detectors
o ADS-B-reader/plotters

all that is yet solved :
- except for chemical weapon (not possible)
- except for ADS-B (i do no know what it is)
IMO, it is not the job of EFF or Tor and the solutions are given as it without any warranty (DIY) _ the better way is to avoid it or destroy it : swimming between the sharks is no the right protocol even for the spies.


April 26, 2018


I encourage TP to think big, but I also think it's important to maximize the chances of a good experience for the interns, and giving them tasks which do not appear unrealistic and double-teamed mentoring strikes me as a very good idea.


April 27, 2018


To: The new recruits

A warm welcome to you all.

As the picture aptly shows, your route is narrow and winding with no end in sight. The forest represents the distractions that you may encounter as you walk on the path to digital freedom. There is no clear blue sky. Instead the mist wraps around the trees and the sky is overcast, signifying the enormous uncertainty that you may face. Are you ready to take on whatever challenges that will be thrown at you? It is not too late to quit, you know.....

If I might interject a more positive spin on the frequent need to make design decisions (and other decisions) based on incomplete and possibly unreliable information:

It seems to me that NSA, the network insecurities that agency has fostered for decades, and new technologies (often developed by DARPA) have created a world in which one cannot use the word "true" without scare quotes, a world in which nothing is what it seems, a world in which all knowledge is attached to subjective probabilities rather than binary truth values. And for that reason it seems to me that for young people entering a career in tech, an internship at TP is ideal preparation for life in the 21st century.


April 28, 2018


i love the picture ! (thx adrian)

these efforts are for the improvements on the network not for the browser.

the new director will -maybe- decide to update a bit more the old mozilla skeleton/model for a secure browser (rsa ? 1024 ? e.g.).

thanks for enhancing privacy-software better.

> It would be nice to join the discussion


Tor users do not often have the chance to report some genuinely good news, but I'd like to share this:
International Standards Body Rejects Weakened IOT Encryption Methods Pushed By The NSA
from the bleak-days-for-Big-Surveillance dept

> The NSA has again been outed for pushing compromised encryption standards. An early Snowden leak showed the agency paid RSA $10 million to promote a weakened encryption standard. RSA offered up a denial that didn't exactly contradict the evidence provided by the leaked documents. A few years later, NIST (National Institute of Standards and Technology) removed the Dual Elliptic Curve algorithm from its recommendations, citing its distrust of the agency pushing for its adoption: the NSA. Dual EC appeared to be deliberately weakened, reducing encryption-breaking efforts to a matter of seconds, rather than hours or days.
> The NSA is once again at the center of an encryption controversy. This time the intended target of weakened encryption standards is the Internet of Things. As Kieran McCarthy of The Register reports, the NSA's hard-sell approach backfired, leaving its preferred attack vectors encryption algorithms locked out by an international standards body.

With some effort, you can find archived Snowden-leaked documents at which detail NSA's decades-old efforts to manipulate NIST in order to ensure non-government encryption is sufficiently weak that their computers can break it. (All indications are that they have not always succeeded, but many experts are getting more and more worried about aging AES standard.)

Some of us have long urged pro-privacy techies to experiment with "honeypot" entrapment of state-sponsored spooks, and to try to develop software or devices which can warn of "Evil maid" attacks (probably the most dangerous kind). Anyone interested in securing their laptop (especially when it is sometimes out of your physical control, such as when traveling) will want to read this:
It’s Impossible to Prove Your Laptop Hasn’t Been Hacked. I Spent Two Years Finding Out.
Micah Lee
28 Apr 2018

> But there is a sneaky class of attack, called “evil maid” attacks, that disk encryption alone cannot protect against. Evil maid attacks work like this: An attacker (such as a malicious hotel housekeeper, for example) gains temporary access to your encrypted laptop. Although they can’t decrypt your data, they can spend a few minutes tampering with your laptop and then leave it exactly where they found it. When you come back and type in your credentials, now you have been hacked.
> Exactly how an evil maid attack would work against your laptop depends on many factors: the type of computer you use, what operating system you use, which disk encryption software you use, and the configuration of firmware used to boot your computer, firmware which I’ll call “BIOS,” although it can also go by acronyms like EFI and UEFI. Some computers have considerably better technology to prevent evil maid attacks than others – for example, attackers have to do more advanced tampering to hack a Windows laptop encrypted with BitLocker than they do to hack a Mac laptop encrypted with FileVault (as of now, anyway) or a Linux laptop encrypted with LUKS.

Some Linux users have long complained about the limitations of LUKS, but it will be hard to overcome this until hardware manufacturers decide to treat Linux users with the respect we deserve. To make matters worse, it is generally agreed that Linus Torvalds has generally been less concerned with cybersecurity issues than we would desire in the leader of kernel development. (He was recently grilled by the US Congress concerning security problems with Linux servers.)

> The issue of tampering is particularly relevant for human rights workers, activists, journalists, and software developers, all of whom hold sensitive data sought by powerful potential attackers. People in these vocations are often keenly aware of the security of their laptops while traveling – after all, laptops store critical secrets like communication with sources, lists of contacts, password databases, and encryption keys used to vouch for source code you write, or to give you access to remote servers.
> ...
> [In one type of Evil Maid attack] an attacker could replace your BIOS firmware with malicious firmware. When you power on your computer, the very first program that your computer runs is your BIOS firmware. The job of this program is to initialize all of your hardware – your memory, disks, Wi-Fi adapter, video card, USB ports, and everything else – and then ultimately boot an operating system, typically the one stored on your hard disk.
> When you format your disk and install a new operating system on your computer, your BIOS firmware doesn’t change. This is because this program isn’t stored on your hard disk at all. Instead, it’s stored in a small chip on your computer’s motherboard called an SPI flash chip.
> This is why BIOS malware is so stealthy – you can’t get rid of it by formatting your hard disk, and it can spy on you across operating systems, such as if you boot to a Tails USB stick.

An old story which remains relevant shows that there are even nastier possibilities than Evil Maid attacks:
This ‘Demonically Clever’ Backdoor Hides In a Tiny Slice of a Computer Chip
Andy Greenberg
1 Jun 2016

> Security flaws in software can be tough to find. Purposefully planted ones—hidden backdoors created by spies or saboteurs—are often even stealthier. Now imagine a backdoor planted not in an application, or deep in an operating system, but even deeper, in the hardware of the processor that runs a computer. And now imagine that silicon backdoor is invisible not only to the computer’s software, but even to the chip’s designer, who has no idea that it was added by the chip’s manufacturer, likely in some farflung Chinese factory. And that it’s a single component hidden among hundreds of millions or billions. And that each one of those components is less than a thousandth of the width of a human hair.

Note that we know Evil Maid attacks occur in the wild (they are well documented in the Snowden leaks and in leaks from Hacking Team), but so far AFAIK attacks in which chips have been clandestinely redesigned for the purposes of espionage have not yet been found in the wild. But this might well be due to the extreme difficulty of finding such chip backdoors, which is orders of magnitude harder than the difficulty of detecting sophisticated Evil Maid attacks, as explained in Micah Lee's article.

I am glad to see that Lee says he still thinks trawling for spook attacks is a good idea.

> [malware which lives in BIOS] can spy on you across operating systems, such as if you boot to a Tails USB stick.

I believe this also holds true for Tails booted from a R/O DVD, but does anyone know for sure?


April 29, 2018


I have a question about some observations I made this weekend while surfing to human rights related sites:

The certificate I see when I surf to reads, in part:
Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Not Before: Apr 16 15:48:58 2018 GMT
Not After : Jul 15 15:48:58 2018 GMT
Subject: CN = ***
X509v3 Subject Alternative Name:

I see hiding in there, but should your blog (?) really be using the same cert as a company called forensicon? The pantheonsiteio is actually preceded by a mysterious long numerical identifier which presumably contains encoded metadata of some kind. Should we be worried?

Further, the website cert suddenly expired this weekend. If I ignore the warning and surf there anyway, the cert I see reads in part:

Issuer: C = BE, O = GlobalSign nv-sa, CN = GlobalSign CloudSSL CA - SHA256 - G3
Not Before: Apr 26 16:23:07 2018 GMT
Not After : Feb 22 13:21:02 2019 GMT
Subject: C = US, ST = California, L = San Francisco, O = "Fastly, Inc.", CN =
X509v3 Subject Alternative Name:, DNS:*, DNS:*, DNS:*, DNS:*, DNS:*, DNS:*, DNS:*, DNS:*, DNS:*, DNS:*, DNS:*, DNS:*,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

I see in there, but should ACLU really be tied to

Should we be worried?


May 04, 2018


1. When your website being blocked, how to download the Tor? GitHub page ( is the safe alternative place?
2. On my Android phone Orbot 16 won't connected anyway but Orbot 15 that I downloaded from GitHub working so fine. There is not any issue with the GitHub page, it's official?

The Github page is not yet updated as fast as it could and contains some outdated software. Insofar, please stick to the official and latest releases found on or for Orbot in the F-Droid repo. We are trying to implement a better process to close this gap on Github but are not there yet. So, the site is official in the sense that Tor project members have access to the Github accoutn.

Join the discussion...

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

1 + 0 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.