GSoC 2020: Snowflake Proxy on Mobile

by hashikd | September 9, 2020

This blog post is about the project I worked on and my experience with Tor under GSoC 2020. After spending a lot of time understanding organizational goals and writing a proposal that aligns with these goals, I eagerly awaited the result of GSoC’s application – a nerve-wracking experience. I’m sure every student who submitted a proposal can relate to this experience. Getting selected to work on the proposal was a fantastic feeling, and knowing that I was going to work for a big and exciting organization like Tor added to the thrill.

The Project

I am very fortunate to have worked with the Tor Project’s anti-censorship team this summer; I worked on Snowflake Proxy on Mobile. The Wiki gives an elaborate sketch of the project; the gist is that this project allows users to run a Snowflake proxy on Android, which helps users in censored countries access Tor. The project is not yet ready for release; some UI/UX work and testing remain to be done, and we hope to wrap up this work over the next few months. If anyone wants to try it out, the URLs point to the local testing environment (Snowbox) for development. It will work if you change the URL to the right broker; the URLs can be changed using the app’s settings, eliminating the need to tweak the code.

The project is the proxy component of the Snowflake circumvention system. This pluggable transport has been under development by Tor for quite some time now. Snowflake’s idea is for volunteers to spin up short-lived proxies that Tor users use to circumvent censorship. There already is a large set of volunteer proxies, and this mobile version further adds to this blizzard of Snowflakes.

Feel free to provide feedback, report issues, and voice ideas using the project’s issues page.

My Experience with the Tor Project

Tor’s community is very welcoming; all the Tor core developers are down to earth, humble, and easy to approach for any technical difficulty. Any interested person can barge into their IRC channels and ask any question, and either the developers or the fellow folks in the community would answer our questions.

The anti-censorship team often hosts a reading group to discuss research papers. This is an excellent and exciting opportunity for a student to learn some great topics related to security, which I enjoyed a great deal. Additionally, the team schedules meetings every week, using an anti-censorship team pad that contains reading group schedules, meeting schedules, and updates. Other teams at Tor have similar pads. It’s good to see what all developers are working on, and if there is any chance I could get involved, I will find it there.

Whenever there was a possibility, I got involved in other project developments at Tor, mainly anti-censorship projects. The developers answered all my queries. It can be tiresome to explain a project to a newbie. Still, they did, with elaborate mails that would get me started in the development process.

What’s Next?

I am certainly planning on sticking around to get involved in development whenever I can, and I will continue to work on the GSoC project. In my opinion, every student should be encouraged to work on open source projects by which they learn from the best developers with years of experience, and when one makes a merge request, the community will do a code review allowing the student to improve their code in the future. Additionally, it promotes open source work. 

A huge thanks to Google for making this possible and for encouraging students and projects. My mentors Cecylia (cohosh) and Philipp (phw) were immensely helpful while working on the project and got me involved in other projects at Tor. Finally, thanks to the Tor Project and the Digital Impact Alliance (umbrella organization in GSoC) as a whole for choosing me and making this a significant milestone in my career.

Comments

Please note that the comment area below has been archived.

September 09, 2020

As a user myself, thank you very much! I wish sponsors (Google) weren't in the business of tracking, but, hashikd, thank you for contributing to Tor!

September 09, 2020

Honestly, I'm excited for the introduction of Snowflake to Tor in general. Thing is though, I wish that it could be released already, but I'm sure that the people at the Tor Project have gotten that request a ton, but it's nice to know that running a Snowflake server via the Snowflake extension and getting no connections from bridge users will change soon!

September 10, 2020

cohosh, I have a suggestion, in the Snowflake addon instead of # of users in the last 24 hours it would be better to have # of users that used your proxy and whenever there's an increase in the last 24 hours there would be a small tag next to it or below it like:

> # of ...... 23
> [+1 today]

September 11, 2020

Is there much organic webRTC traffic to non-domestic IPs in the real world? Collateral damage would be minimal for GFW if not.

September 11, 2020

Please don't get me wrong. I love the tor but I think I'm not going to be able to run Snowflake without a serious effort on my part.

I'm guessing it's as open source as tor, which would be great if I could understand those few tens of thousands of lines of code that made up tor.

But as a slightly paranoid user I just have a hard time feeling safe when I see lots of network traffic coming out of my computer.

The thing that worries me most is running tor/Tor Browser/Snowflake as the user I'm logged in as, which for the most part is my personal account I have my data in.

Any security problem with tor/Tor Browser/Snowflake that allows shell access is going to have access to my data. A major no-no. It doesn't matter that I run my main account in lowly user, non-Administrative, mode.

What's the recommendation? Create another account just to run tor/Tor Browser/Snowflake in case of security problems it won't have as much access to my data as if I was running it under my own account? But then what about most (or at least mine) unix-like OS that runs a umask that seems to give every other account on my system some sort of access in my ~ ?

September 12, 2020

How easy is it to get recent versions of TOR (that support Snowflake) in countries which block this website? GitHub and GitLab only contain outdated versions, and they are hard to find using search. Can you get recent versions of Tor in China using APT or SnapCraft? The Tor Browser Launcher available on FlatHub probably won't work in China, because it tries to connect to this website.

GetTor only serves Tor Browser stable but you can get an alpha by using one of our mirrors:
https://2019.www.torproject.org/getinvolved/mirrors.html.en

Here are alpha downloads on one of the mirrors:
https://mirror.oldsql.cc/tor/download/alpha/

(By the way, GetTor is the discovery mechanism for copies on GitHub and GitLab: Send an email to gettor@torproject.org and add your operating system (windows, linux, osx) to the email's body. You aren't supposed to find these copies over search.)

September 14, 2020

> The anti-censorship team often hosts a reading group to discuss research papers. This is an excellent and exciting opportunity for a student to learn some great topics related to security, which I enjoyed a great deal.

That is very important, especially for young researchers/engineers. I would like to suggest that in future summers, TP consider including at least one seminar each on

o specific revelations from the Snowden leaks of technical capabilities of NSA (perhaps based upon EFF's NSA primary sources repository),

o survey of surveillance technology generally (but AFAIK no one website even begins to adequately cover this, so someone might have to do some serious work here).

I am optimistic that one day, perhaps sooner than anyone thinks, someone associated with TP will suddenly see an unexpected opportunity to do "something completely different" (thank you Monty Python), which becomes the breakout application which makes Tor privacy-promoting technology part of every household all over the world.

Confusion to our enemies!

September 14, 2020

> big

Tor Project is big?

> The gist is that this project allows users to run a Snowflake proxy on Android, which helps users in censored countries access Tor.

One thing which really bothers me about GSoC and this project in particular is that Google is not doing this because they care about privacy or censorship. (That would make no sense whatever, because their entire business model is about denials of privacy and massaging search results!) Rather, GSoC appears to be a rather cynical program to sneakily lock activists around the world into using Android rather than iOS. My fear is that Google will be happy to turn around and sell sensitive data on the most endangered mobile phone users to the worst governments in the world, for example to enable surveillance using NSO Group or Cellebrite malware, which would place these vulnerable people in real danger.

I hope everyone who shares this fear will make a point of sending a grassroots contribution to Tor Project, because the goal of turning TP into a user funded NGO similar to EFF, rather than an NGO dependent upon handouts from our natural enemies (USIC tied USG agencies and companies like Google).

All that said, many thanks for your interest in combatting censorship, and best wishes for your future career in an industry our world needs almost as much as it needs "green power": a genuine privacy industry which sells products to consumers which are effective in small ways or large to genuinely enhance the privacy and cybersecurity and access to information of ordinary people all over the world.

> Tor Project is big?

It isn't? I suppose it boils down to a personal definition of big,
As big as Amazon, MS, Google, Apple, etc.? No.
Big, relative to the opensource world? Yes.

> GSoC appears to be a rather cynical program to sneakily lock activists around the world into using Android rather than iOS

I hate to say it, but this statement is wrong on many levels; I disagree entirely. Please feel free to head over to the GSoC page; there are tons of projects and a broad spectrum of technologies. Not just Android, there are even iOS projects. In fact, very few projects are Android-based.

I believe we have to give credit where credit is due; GSoC brought nothing but good to the opensource community. The proof is all the projects it helped over the years; please head over to their website and check out the projects yourself. It might change your view.

Hi Hashik, thanks for your reply!

> Please feel free to head over to the GSoC page; there are tons of projects and a broad spectrum of technologies. Not just Android, there are even iOS projects. In fact, very few projects are Android-based.

You have my attention, but can you give a link to the specific page you had in mind? (I did a search of this webpage using the built-in Firefox search function but did not find what looked like a link to GSoC projects generally.)

Sure! The link[1] at the time of writing is updated until 2019 projects; 2020 is yet[2] to be added to the archive. Every year GSoC accepts a bunch of organizations, which you can see when you click on a specific year. Of which, organizations are free to choose the projects they deem useful to them, and students are free to choose from those listed ideas by orgs or propose something new that would benefit the org. Google has little to no say in this process of selecting projects.

I'm sure you would change your mind after looking at the orgs and projects.

[1] https://summerofcode.withgoogle.com/archive/
[2] https://summerofcode.withgoogle.com/organizations/

Thanks much--- I have recorded the links and am heading over there now.

I'd appreciate any light anyone can shed on what exactly is the business model of Team Cymru and what are their USG contracts. I believe some employees are current or former USSS so I am having a hard time understanding why no-one has ever been willing to answer my questions about Team Cymru.

Thank you very much for the links.

Unfortunately, when I followed them I found that these websites do not work with Tor Browser!

Specifically, I tried to surf there using TB in Tails 4.10, with the security slider on "safest", which I judge to be appropriate when interacting with sites such as Google or FBI.gov. But no content was displayed.

It seems reasonable to guess that the problem is that Google has constructed the pages to collect personal information about visitors, and if the visitor does not want to give up whatever canvas fingerprinting reveals (lots), Google in effect tells us "f off!".

Might I suggest some reading also? Two important books:

Julia Angwin, Dragnet Nation

Shoshana Zuboff, Surveillance Capitalism

I think these books may change how you view Google (no pun intended).

I worry that I am placing myself at risk by visiting a Google site, but I did what you asked.

I was hoping to find a CSV file with much data I could download and analyze using machine learning (of course) in R (of course)! But Google presents the information in a way which is hard to use.

A glance shows that GSoC 2020 claims to have supported projects associated with various Open Source products I use, including R, GNU Radio, and Debian.

So far so good, but a closer look shows:

o the projects which GSoC supported at R involve rather obscure topics, but what R really needs is much improved security for software downloads from CRAN, starting with code signing; R is the most used and the most advanced stat platform, and we know NSA, GRU, NSO Group &c are actively targeting the scientific community which uses R, but Google does not care about code signing CRANware?

o the projects which GSoC supported at Debian have to do with porting Android toolchain to Debian (not iOS),

o GSoC supported a Digital Pre Distortion project at GNU Radio which appears to help Google IoT development, rather than helping activists monitor their own WiFi devices such as phones (Android or otherwise); compare the Snowden project which GSoC declined to fund,

o GSoC supported adding language pairs in Apertium, including Indian languages (useful for outsourcing Google coding) but also some obscure European languages whose survival is politically controversial in nations such as France and Spain, so I give them that.

This is just a random sample; I would prefer to apply machine learning but Google is impeding that.

My nonscientific survey appears to support my suspicion that Google is avoiding giving The People things we need, like Snowden's "Radio Introspection" or a textbook on GRASS, instead is giving handouts to developers working on obscure IoT and biotech and surveillance related projects which will help Google further advance its surveillance capitalism agenda.

Please do keep working on anti-censorship and pro-cybersecurity-for-citizens projects, but please be wary of the hidden agendas of huge corporations like Google whose business model is all about exploiting the data exhaust and manipulating requests for information from ordinary people in order to further expand its money and power, while further diminishing the money and power available to any but the billionaire class.

> One thing which really bothers me about GSoC and this project in particular is that Google is not doing this because they care about privacy or censorship. (That would make no sense whatever, because their entire business model is about denials of privacy and massaging search results!)

My other favorite NGO, EFF, just launched an Atlas of Surveillance:

ttps://atlasofsurveillance.org

That is good.

But it uses ArcGIS (a company which has many contracts with USIC and Pentagon, including some of the earliest Find/Fix/Finish contracts), and it requires javascript and is not viewable at any setting of Tor Browser which I tried.

That is bad.

Sigh...

As a good example of Things People Need, EFF has just released YAYA, which is derived from the YARA malware research tool. It would be wonderful if a reputable nonprofit sponsor helped EFF work with Debian Project to make YAYA into a Debian package with good documentation, because I feel that with some more work YAYA could be used by Tor users to check their own computers for malware.

eff.org
Introducing “YAYA”, a New Threat Hunting Tool From EFF Threat Lab
Cooper Quintin
25 Sep 2020

At the EFF Threat Lab we spend a lot of time hunting for malware that targets vulnerable populations, but we also spend time trying to classify malware samples that we have come across. One of the tools we use for this is YARA. YARA is described as “The Pattern Matching Swiss Knife for Malware Researchers.” Put simply, YARA is a program that lets you create descriptions of malware (YARA rules) and scan files or processes with them to see if they match. The community of malware researchers has amassed a great deal of useful YARA rules over the years, and we use many of them in our own malware research efforts. One such repository of YARA rules is the Awesome YARA guide, which contains links to dozens of high-quality YARA repositories. Managing a ton of YARA rules in different repositories, plus your own sets of rules, can be a headache, so we decided to create a tool to help us manage our YARA rules and run scans. Today we are presenting this open source tool free to the public: YAYA, or Yet Another YARA Automation.

Also worth mentioning is the fact that another risk which Tor Project is taking by relying upon GSoC is the widely expected forthcoming USG Antitrust action against Google:

eff.org
The Government’s Antitrust Suit Against Google: Go Big and Do It Right
Mitch Stoltz
25 Sep 2020