Anti-censorship team report: May 2020

Tor's anti-censorship team writes monthly reports to keep the world updated on its progress. So far, we have been posting these team reports to the tor-project mailing list but starting this month, we are experimenting with turning team reports into blog posts as well. Our hope is that this makes it more convenient for the community to follow our work and comment on it. We work for you all, and to do our work well, we need to hear from you!

Without further ado, here's what the anti-censorship team accomplished in May 2020:

Snowflake

  • Tor Browser 9.5a13, released on May 22, has a major usability improvement in Snowflake that makes it possible to migrate a connection to a new temporary proxy when the one you are using goes offline.  This makes it more likely that a Snowflake connection will work in the first place, and lets Snowflake be used for a longer time. You can read more in ticket #34043.

  • Started a Google Summer of Code project to implement an Android Snowflake proxy app.

  • Started implementing workarounds for NAT incompatibility between Snowflake proxies and clients. (#34129)

  • Implemented Android reproducible build of Snowflake clients. (#28672)

  • Fixed a bug that resulted in Chrome proxies hanging. (#31278)

GetTor

  • Fixed a problem where GetTor got into an infinite email loop with other autoresponders. (#34286)

  • Fixed some bugs in the GetTor Twitter responder, bringing it closer to being fixed. (#27330)

BridgeDB

  • Made steady progress on wolpertinger, which helps BridgeDB build a feedback loop with OONI (and potentially other censorship measurement platforms). OONI finished its part of the implementation, and can now request bridges from wolpertinger's API. Wolpertinger then fetches OONI's test results from its S3 bucket and writes them back to BridgeDB's SQLite database. (#32740)

  • Summarised plans for BridgeDB's future on the anti-censorship-team mailing list.

  • Wrote a blog post on our most recent BridgeDB 0.10.1 release.

  • Finished a monitoring tool that periodically sends email to BridgeDB's autoresponder to make sure that it's still working. (#12802)

  • Removed chatspeak references across BridgeDB's UI. (#31528)

  • Extended BridgeDB's minimalistic SQL table for blocked bridges. (#34154)

  • Updated BridgeDB's user interface with the latest translations from Transifex.  Thanks to everyone who helped translate BridgeDB to different languages!

  • Fixed a bug that would break BridgeDB's email autoresponder after a while. (#33945)

Miscellaneous

zoobab

June 05, 2020

While I'm sure the anti-censorship team does some good work, do you think you could extend the anti-censorship to the Tor Blog itself?

Because there is A LOT of censorship on this blog. Too much in fact. If the Tor Blog wasn't so heavily censored then I think a lot of posts might have more than just half a dozen comments. We might actually get to read a differing of opinions and not just the fanbois with their daily bootlicking.

You can still censor spam and all that, just don't censor 'because you don't like what the community has to say', which is what's happening on the Tor Blog now. I'll be surprised if this comment itself isn't censored.

"We work for you all, and to do our work well, we need to hear from you!"

No, I don't think you really want to hear from us. Instead you want to hear from those of us who AGREE with whatever topic is being discussed. Much different.

You would probably be surprised about how many comments we delete. It's very few of them. We don't tolerate abusive comments, and trolls can find another place to troll (you are included in this). I approved your comment because this policy should be very clear. The blog is for communicating important information and receiving feedback from the community - Tor does not exist without the community. With that being said, blog comments are only helpful if people write informative messages. This is not a bulletin board where someone can write whatever they want (and expect it to be published).

@sysrq:

I am not the OP but I have something to say here. Community feedback, right?

First:

> The blog is for communicating important information and receiving feedback from the community - Tor does not exist without the community. With that being said, blog comments are only helpful if people write informative messages.

IMO this statement is misleading.

For years community members have urged TP to follow the example of noted cryptologist Bruce Schneier who has a regular "anything goes" Friday post in which commentators are allowed to post such things as links they think will be of interest to readers of the blog, or to ask Bruce about something. Unfortunately, TP has never responded to this suggestion, so there has never been any real opportunity for community members to offer suggestions or to raise concerns, because when we try to do that, our comments are deleted on the grounds that they are "off topic" (or so I infer from a handful of instances where someone claiming to work for TP let fly in the Tor chat room).

So I once again request that TP consider doing what Bruce does and instituting a regular Friday post where you ask the community what's on our minds, what features we'd like to see, what community or journalism outreach we'd like to see, etc.

Second: we all know that TP has at times been the target of Gamergate style harassment. However, I study state-sponsored troll posting and FWIW I thought the post you designated a "troll" was just someone expressing frustration with TP's flawed community relations, not as a professional troll.

Third: is it true that TP allows unvetted volunteers to delete submissions to this blog? That could explain why TP seems to have so much difficulty appreciating why community members often feel TP is not listening to or responding to our concerns.

Fourth: why not publish monthly stats on how many comments were submitted and how many were deleted, published, lost?

Last but not least: I am well aware that TP is currently in financial difficulty and that TP employees are overworked, so let me state that despite frustration with TP's imperfections, I love the important work you are doing under difficult circumstances!

I think there are two great suggestions here.

> For years community members have urged TP to follow the example of noted cryptologist Bruce Schneier who has a regular "anything goes" Friday post...

Because it's volunteer work, my suggestion would be monthly, not weekly.

> Fourth: why not publish monthly stats on how many comments were submitted and how many were deleted, published, lost?

The Tor project demands transparency from others and should therefore act in the same way!

Thanks for the plus one!

To my surprise, the moderators did approve the post mentioning some badly needed popular press (see below), which was also from me.

Monthly "anything goes"? I could live with that.

@ TP:

Weekly would be better, but let's try monthly and see how things go.

We do love the work they are doing. What we don't love is undue censorship of the Tor Blog from topical or otherwise relevant discussion.

We also don't particularly need Tor Blog to discuss important issues relating to Tor. Reddit and a number of other online communities host discussions of their own, we may also air our perpetual praise or grievances there unfettered (and we do). HOWEVER as a courtesy we may choose to submit here for a more focused discussion to debate solutions to problems, together. Because in fact we are all in this together, we must remember that. When it becomes unfortunate is when admins simply choose to hit the delete button in lieu of engaging with the community as they claim to, or should be doing. I've said my piece on the matter.

Change can be difficult, but sometimes needed. It is needed here at the Tor Blog.

> Reddit and a number of other online communities host discussions of their own

Not everyone feels safe signing up for or trying to post to Reddit. I imagine that anyone who has used Tor for more than five years or so has not forgotten Gamergate. Many people feel that Reddit also has a history of unacknowledged racism.

Thanks for supporting (I think) the call for a regular "anything goes" post in this blog.

"and trolls can find another place to troll (you are included in this)"

I wrote the original comment. There's no need for namecalling like that, as it serves no purpose except to attempt to silence and suppress further discussion.

"I approved your comment because"

Thank you, it is good you approved my comment. This is a step in the right direction, painful as it may be for the Tor Blog to take.

After reading your response, I recommend a period of self-reflection for the Tor Blog and its admins, whether they themselves are living up to the mission of openness and anti-censorship they so fervently tout.

I'm pleasantly surprised that Tor folks have allowed this discussion to go ahead here.

While I understand, in general, the requirement for comments to be 'on topic', I wanted to air the following example.

A while back when a bunch of Tor staff were laid off, comments were disabled on the post announcing this. On a subsequent post I asked why this was the case, and even that simple question was blocked.

There was literally no way to ask this question in an 'on topic' way, because of the disabling of comments on the relevant post in the first place!

I can only assume Tor folks do not want to discuss the decision to sack staff. But as a decision that affects the whole Tor community, surely at least some transparency and accountability is a reasonable ask?

I'm not pursuing this to stir up trouble. I genuinely want the Tor ecosystem to thrive and grow.

I'm sorry but this topic is not up for discussion in this open community forum.

As you know, mass firings can happen any time at the discretion of the executive director. During the recent pandemic scare, many companies seized upon the opportunity to cast off some of their underperforming chaff. You know, the seat warmers and all that. One thing about pandemics is they can provide great cover to this effect, few will question it.

Point is, I think we should not further question the transparency, openness nor the integrity of the Tor organization. They did what they had to do during a difficult time. The right thing for us to do, the PATRIOTIC thing is that we should trust that the ED has made the right decision, free from any undue influence or necessity for a new Aresline office chair.

Also please continue to donate! Your donation matters to the community and to the bottom line, no pun intended.

This comment was a rather poor attempt at satire. Apologies as it must pass the Tron Recognizer censorship filter here. Good day sir.

> A while back when a bunch of Tor staff were laid off, comments were disabled on the post announcing this. On a subsequent post I asked why this was the case, and even that simple question was blocked.

Can confirm. I asked about this as well, and I never saw my comment approved.

My questions about the firings were also censored.

While I assume TP really is experiencing financial stress, we users have no idea what subprojects of Tor Project have been shuttered.

Not everybody knows this, so I should point out that we have a blog comment policy:
https://trac.torproject.org/projects/tor/wiki/doc/community/blog-commen…

Obviously, one cannot just post anything on here and expect it to be approved. And calling the deletion of comments "censorship" is both inaccurate hyperbole and not helpful. That said, I think we can all agree that the process of community feedback isn't working well for anyone. For a constructive discussion on how to move forward with respect to blog comments and community feedback, take a look at this discussion over at the tor-project mailing list:
https://lists.torproject.org/pipermail/tor-project/2020-June/002880.html

Thank you Phil, I really appreciate your passing on the suggestion to the mailing list.

I do not have email so I cannot contribute myself but I hope others will.

I don't think I myself used the word "censorship" but I think when others did they did so out of frustration, without meaning to equate TP with Stalinist Russia etc.

I think it has more to do with a lack of understanding, or caring, about community feedback in general.

Referencing today's TorBlog post, 6/24 'Save Open Technology Fund, #SaveInternetFreedom'. This is a very important topic, inviting users to sign a letter showing their support. But once again 'isabela' decides to turn comments off, forbidding any further community involvement or discussion on the topic. This I feel is an inappropriate use of censorship. Ironically the very type of censorship isabela would seem to be against.

An open community forum is a better idea, with hands off the lock trigger. Why suppress discussion? If Tor is conducting its business correctly, positive feedback will result. If Tor is failing in this regard, then the community will advise the Tor organization of the fact.

Also, it's good policy to stop locking posts from community discussion, unless there's a valid reason to lock it.

Think of our comment section as a megaphone. It slightly amplifies your voice, allowing you to be heard by more people. Now, nobody is *preventing* you from speaking. You're free to complain about this blog anywhere else; on your own blog, to your friends, with a sign on the street corner, and to your local politicians. Not only am I supporting your right to speak about this blog, I even *encourage* you to speak, over on our mailing list, which is an equally powerful megaphone.

Understand however that you have no inherent right to use our megaphones, just like you have no inherent right to write an editorial for the New York Times, a significantly more powerful megaphone. You are merely asking for permission to use someone else's megaphones and we're free to grant permission as we see fit, based on the policy I linked above. And so is the New York Times. And almost any other publishing platform. And if you don't like that, then build your own megaphone and make your own rules.

With that out of the way, this megaphone is now only available for the folks who have actual feedback for the anti-censorship team. To continue the discussion about blog comment policy (and don't get me wrong: I think it's a discussion worth having!), please use the email thread I linked above.

Same here, I also made a brief comment on this incident when it happened. The comment was not approved.

Nothing worse than a service that claims to be anti-censorship, then turns around and willingly performs censorship of its own users.

I'd be curious to know what Bruce thinks of all this, the censorship problems on this blog and its misbehaving admins.

zoobab

June 05, 2020

"Your comment has been queued for review by site administrators and will be published after approval."

A more pleasant way of invoking 'censorship' at the Tor Blog. Oh the irony...

zoobab

June 06, 2020

Any positive press about Tor Project always seems notable:

theregister.co.uk
Tor soups up onion sites with bountiful browser bump: No more tears trying to find the secure sites you want
Latest Tor Browser iteration makes the dark web a bit more memorable
3 Jun 2020

(Note to Vulture Central: graphics like the crying man is getting old--- how about using a graphic which portrays the Tor Community as something which is not actually a joke?)

Something mentioned in The Register seems like something worthy of a post in this blog:

> The Tor Browser is also testing a way to make the cryptographic alphabet soup of onion addresses easier for people to remember. Toward that end, the project has partnered with Freedom of the Press Foundation (FPF) and the Electronic Frontier Foundation's HTTPS Everywhere to deploy human-readable Secure Drop sites. Secure Drop is an open-source whistleblower platform for submitting documents online anonymously. It relies on Tor and difficult-to-remember onion addresses like http://qn4qfeeslglmwxgb.onion/. The Secure Drop site is run by activist organization Lucy Parsons Labs. Under the latest version of the Tor Browser that onion address has an alias, lucyparsonslabs.securedrop.tor.onion. The Tor Project and FPF plan to evaluate the response to this addressing alternative with an eye toward making it more widely available.

Tor Project and EFF are two of my favorite things, so I hope you can work together to make it so easy for even small local papers to deploy Secure Drops that this becomes the standard way for sources to communicate with local and national news organizations.

In particular: TP's official hometown, so to speak, is Seattle. But neither The Stranger nor Crosscut have Secure Drops. These are the hometown papers of one of the most tech savvy cities in the world, so why do they not have Secure Drops?! The only conjecture I can make is that setting up a Secure Drop is hard and they do not know how to obtain free trustworthy expert help from Tor Project to help them set it up. But it might be even worse than that: they may never even have heard of Secure Drop. We need to change that.

@ Reporters: in the public interest, I must be blunt: if you are not using encrypted messaging, you are not doing your job right! Wake up, smell the Starbucks, be smart, get with the program!

zoobab

June 11, 2020

I would like to get involved; it's been about a year and a half. I want to learn hacking and writing code, but here in South Africa there are not really people that do it. I want to learn and make a difference.

Taking the long view towards what the privacy-tech community might need in the next five years in terms of coding expertise:

Some users think the Raspberry Pi could find novel anti-censorship applications if they supported LUKS and if TP supported Tor for armhf architecture. Cheap small general purpose digital computers are easily transported (Pi fits in a pocket) and can be deployed for single-purpose use (better for security, but note that Pi is not designed with security in mind, so you need to do some things to improve security). Examples:

o cell-site simulator ("Stingray") detector?

o spyplane detector? (A Pi which can access flightradar24.com would be invaluable for documenting for example Predators circling over mass protests against police violence in the USA).

o civilian controlled Pi to Pi message passing (see also i2p), e.g. in cities where USG heavily surveils conventional internet?

The reason I mention this is that Raspberry is purpose built to help would-be coders teach themselves, so if you can buy one you might take a look at their website and decide if you like any of their DIY projects.

I do not claim to understand the distinction, but AFAIK Raspberry Pi uses armhf architecture which differs in some way from arm architecture. But it can't be too hard to adapt Tor for the Pi because the Raspberry software repository mirrors the Debian repository. I have been able to install all kinds of debs small and large and run them, for example to do scientific computing on a Pi-3B. So I imagine it would be possible to have a Tor Browser which runs on the Pi.

One odd omission in the Raspberry repository: LUKS encryption appears not to work so you cannot (apparently) use LUKS encrypted USBs with Raspbian, even though the Pi has four USB ports.

Pi's are cheap, have WiFi capability, and, if adopted in large numbers, can possibly make a decentralized free citizen controlled urban net entirely independent of ISPs. This could be useful in situations such as the notorious incident in the Bay Area in which the BART police shut down cell service to suppress a planned peaceful protest of a fatal shooting by BART police (a few years before the current protests), prompting technologists to point out that the feds already appear to have the power to do the same thing to an entire city's access to the internet.

I don't know just how this would work, but I feel that it is probable that Tor for the Pi would lead to important pro-privacy anti-censorship innovations.

> One odd omission in the Raspberry repository: LUKS encryption appears not to work so you cannot (apparently) use LUKS encrypted USBs with Raspbian, even though the Pi has four USB ports.

The Pi is made in the UK. Didn't they outlaw unbackdoored encryption in UK products a few years ago?

zoobab

June 22, 2020

[Moderator: please allow this submission: IMO this news is obviously relevant]

The Drump administration has fired the entire leadership of OTF (Open Technology Fund), RFA (Radio Free Asia), and other USG funded entities which have long attempted to counter censorship (e.g. in VN, CN, RU), by among other means providing some grants to Tor Project:

theatlantic.com
The Voice of America Will Sound Like Trump
Under the president’s control, U.S.-funded broadcasters could turn into a presidential propaganda machine.
Anne Applebaum
Staff writer at The Atlantic
22 Jun 2020

> ...
> For 14 years, Liu was the president of Radio Free Asia, an independent but congressionally funded broadcaster that transmits news and information in Mandarin, Cantonese, Uighur, Tibetan, and nearly a dozen other languages. RFA broke the first stories of the Chinese concentration camps built to hold millions of Uighurs, members of China’s repressed Muslim minority; RFA has also reported the stories of dissidents, trafficked women, unrest in Tibet, and many other topics that Beijing would prefer to ignore.
> ...
> Pack’s coup d’état is so potentially damaging to the U.S. government’s overall effort to stop Chinese and Russian disinformation that some wonder if that isn’t the point. “Maybe they don’t want to fight Russian disinformation,” one staff member speculated.

Some 400 groups have already penned an open letter protesting Drump's attempt to reshape the remnants of VOA as a Drumpist propaganda organ pushing Drump-approved "fake news".

I am one of those users who have in years past expressed concern about TP's acceptance of funding from USG-tied entities (and privacy-enemies like Google), but this development is horrifying.

Not sure whether the following item is good news (unblocking Telegram) or bad news (concessions):

theregister.com
Russia lifts restrictions on Telegram messenger app after it expresses ‘readiness’ to stop some nasties
A win for Vlad the Decryptor
Simon Sharwood, APAC Editor
22 Jun 2020

> Russia has lifted restrictions on secure messaging app Telegram after its developers agreed to block some content. Telegram proclaims that it has a “mission to provide the best security combined with ease of use. Everything on Telegram, including chats, groups, media, etc. is encrypted using a combination of 256-bit symmetric AES encryption, 2048-bit RSA encryption, and Diffie–Hellman secure key exchange.” All that crypto irked Russia, which has blocked VPNs and large ranges of IP addresses in order to stop messages flowing, on grounds that Telegram is used by extremists, terrorists and to distribute child exploitation material. Now Telegram and Russia have reached an agreement to allow wider access to the app, seemingly in return for more co-operation.

If anyone wants confirmation that secret police are watching Tor devs, BLM "leaders", etc., it might be somewhere here:

https://hunter.ddosecrets.com/datasets/102

See

zdnet.com
BlueLeaks: Data from 200 US police departments & fusion centers published online
Activist group DDoSecrets published 296 GB of police data on Friday, June 19.
Catalin Cimpanu for Zero Day
22 Jun 2020

> confirmation that secret police are watching Tor devs,

The search tool turns up numerous mentions of Tor. The top results seem to simply be

o news articles (from past years) quoting Roger D or discussing Jacob A, etc,

o copies of academic papers on privacy research by Stephen M, etc,

o discussion of the Mevade botnet abuse of the Tor network (which TP knew about years ago),

which some LEA official emailed to others. But there also seem to be lengthy documents concerning BND requests for information on certain American citizens which appear to mention Roger D, and there seems to be discussion of his travel itinerary (presumably gleaned from CBP's warrantless routine access to travel agency arrangements). Unfortunately the site appears to be very slow and I was not able to download the more interesting looking documents.

USG has confirmed that the documents are genuine.

@isabela

Thank you for speaking out on this issue in the comment-closed thread. However, you urgently need to address the LAEDA Act which would mandate backdoors in everything made in the US including Tor. This would appear to mean TP has the choice of leaving the US or closing up shop. The first will be a crisis since TP is registered only in the USA, AFAIK; the second would be a tragedy for people around the world who rely on Tor to keep themselves and their friends and families safe(r) online. PLEASE speak up!

zoobab

June 24, 2020

The latest attempt to mandate some kind of backdoors just arrived in the US Senate:

zdnet.com
Republicans push bill requiring tech companies to help access encrypted data
The proposed legislation is Congress' latest attempt to weaken encryption from tech giants.
Alfred Ng
24 Jun 2020

> A group of Senate Republicans is looking to force tech companies to comply with "lawful access" to encrypted information, potentially jeopardizing the technology's security features. On Tuesday, Republican lawmakers introduced the Lawful Access to Encrypted Data Act,

The LAEDA Act? Rhymes with Al Qaeda? Sigh...

> which calls for an end to "warrant-proof" encryption that's disrupted criminal investigations. The bill was proposed by Sen. Lindsey Graham, chairman of the Senate Judiciary committee, along with Sens. Tom Cotton and Marsha Blackburn. If passed, the act would require tech companies to help investigators access encrypted data if that assistance would help carry out a warrant. Lawmakers and the US Justice Department have long battled with tech companies over encryption, which is used to encode data. The Justice Department argues that encryption prevents investigators from getting necessary evidence from suspects' devices and has requested that tech giants provide "lawful access."
>
> That could come in many ways, such as providing a key to unlock encryption that's only available for police requests. The FBI made a similar request to Apple in 2016 when it wanted to get data from a dead terrorist's iPhone in a San Bernardino, California, shooting case. Giving access specifically to government agencies when requested is often referred to as an "encryption backdoor," something tech experts and privacy advocates have long argued endangers more people than it helps. End-to-end encryption protects billions of people from hackers, oppressive governments and abusive romantic partners by providing security measures that even the companies themselves aren't able to crack. Creating a way for investigators to access that data raises concerns that the method could also open the door for hackers and criminals to abuse that exposure.

There is a link to the senate.gov website, but it will surprise few to find that Tor users are blocked from accessing the official announcement.

zoobab

June 25, 2020

[Moderator: PLEASE do not censor this post; the issue is clearly too important for TP to prevent users from learning about it or from discussing it.]

Tor relies critically upon strong encryption, in particular upon public key algorithm "handshakes" and upon "perfect forward secrecy". If these things are outlawed, Tor will instantly become either insanely dangerous to use, or illegal.

Since its inception, TP has promised that "we will never introduce a backdoor in our code".

And for years, literally for years, users have worried that this assurance falls short of someone else being forced to introduce a backdoor in "upstream" code.

For years, literally for years, users have been trying to warn TP that unbackdoored encryption could become illegal in the US virtually at any moment.

Now a bill has been introduced in the US Senate which appears to literally embody our worst fears.

Tor is registered as a tax-exempt NGO in the USA. For years, literally for years, users have begged the leadership to plan for relocating overseas in the event that Tor is declared illegal in the USA. With LAEDA, in the worst case, that could happen in days or weeks.

For years, literally for years, users have asked TP "What is Our Plan?".

For years, literally, TP has refused to say one single word on the subject.

See:

theregister.co.uk
After huffing and puffing for years, US senators unveil law to blow the encryption house down with police backdoors
Lawmakers will attempt to bend the laws of mathematics to their will
24 Jun 2020

eff.org
The Senate’s New Anti-Encryption Bill Is Even Worse Than EARN IT, and That’s Saying Something
Andrew Crocker
24 Jun 2020

> Right now, we rely on secure technologies like never before—to cope with the pandemic, to organize and march in the streets, and much more. Yet, now is the moment some members of the Senate Judiciary and Intelligence Committees have chosen to try to effectively outlaw encryption in those very technologies.
