Tor Summer of Privacy--Apply Now!

The Tor Project is launching our first Tor Summer of Privacy! This is a pilot program for students who want to collaborate to develop privacy tools. We participated in Google's groundbreaking Summer of Code from 2007-2014, but we weren't renewed this year (Google is rightly offering new groups this opportunity) so we've decided to start our own program. Many thanks to Tor's individual donors who decided to sponsor the Summer of Privacy. Students only have 10 days to apply--so spread the word!

We feel that working on Tor is rewarding because:

• You will work with a world-class team of developers on an anonymity network that is already protecting millions of people daily--or work on your own, new project.

• We only write free (open source) software. The tools you make won't be locked down or rot on a shelf.

• The work you do could contribute to academic publications — Tor development raises many open questions and interesting problems in the field of anonymity systems

• You can work your own hours wherever you like.

• We are friendly and collaborative.

We are looking for people with great code samples who are self-motivated and able to work independently. We have a thriving and diverse community of interested developers on the IRC channel and mailing lists, and we're eager to work with you, brainstorm about design, and so on, but you need to be able to manage your own time, and you need to already be somewhat familiar with how free software development on the Internet works.

We invite and welcome applications from many different kinds of students who come from many different backgrounds. Don't be shy--apply!

Tor will provide a total stipend of USD $5,500 per accepted student developer.

DEADLINE FOR APPLICATION: We are accepting applications now through April 17th, 2015. Apply soon!

We're always happy to have new contributors, so if you are still planning your summer, please consider spending some time working with us to make Tor better!


April 06, 2015


I really am looking forward to contributing to Tor. By that, I mean helping to make Tor. I'm not a coder but I'd like to help. I only know basic C. What thing do I have to learn to so that I can help make Tor? The core code of Tor is especially interesting :) I have K&R 2nd E. and Hacking: The Art of Exploitation 2nd e. which looks like good books to start learning. Thoughts? Thanks!


April 06, 2015


I wish all the best to everyone who will participate in the Summer of Privacy, and I hope applicants are so eager to get started that they will be willing to spend some time before summer arrives in a course of background reading. May I recommend two Great Books which I believe will help you think like an attacker?

David Kahn
The Codebreakers
MacMillan, 1967

Bruce Schneier
Applied Cryptography
Wiley, 1996

How often does it happen that an "unauthorized history" of some arcane field inspires an epochal contribution to that very same field? One of the few examples known to me: Kahn's book directly inspired Whitfield Diffie's work on what is now known as public-key cryptography.

One of the Snowden leaks so far published by The Intercept is the official NSA account of how NSA raided the home of W. F. Friedman, the legendary cryptographer for whom the Friedman auditorium at NSA/Washington is named.

Working on behalf of the USG in the years before World War Two, WFF had masterminded MAGIC, and after that war he briefly worked for the then new agency, NSA, but by the time of the raid on his home he had become an (internally) outspoken critic, on the grounds that NSA was continuing to carry on widespread violations of privacy of ordinary people around the world, which WFF felt was inappropriate in peace time. Were he alive today, I have no doubt that WFF would be writing editorials supporting the views of William Binney, not those of Admiral Rogers.

The NSA agents who raided Friedman's home were looking for unclassified papers which Friedman had published prior to World War One while working at Riverbank Laboratories for an eccentric millionaire on the authorship of the plays of the author generally known as "Shakespeare". (Who may well have been the historical actor/producer William Shakespeare, putting aside that controversy, I should point out that the analogies between the Elizabethan secret police, Stasi, KGB, NSA, and the creative responses of the targeted intelligentsia, are extensive and thought-provoking.) The leaked NSA memo notes that during the raid, Friedman quietly smoked a pipe and appeared oddly unperturbed. The reason was that WF had previously given a complete set of the legendary Riverbank papers to a bright neighbor boy, an aspiring reporter named, you guessed it, David Kahn!

Friedman met his wife Elizebeth at Riverbank. She was herself an accomplished cryptanalyst who worked for the USCG decrypting the communications of rumrunners during the Prohibition era (as did WFF, briefly). The similarities with the war of the modern FBI on the so-called Darknet are hard to miss, and instructive.

Bruce Schneier is not only a skilled cryptanalyst but also one of the world's most accomplished nonfiction authors. All his books are well worth reading, but Applied Cryptography is the one every cryptanalyst studies.

There is a huge unmet need for a third great book, on modern cryptanalysis, which is not the same thing as techniques for black hat hacking, which is SOP for NSA nowadays. (You can learn all about cryptanalysis up to Friedman's Riverbank papers from Kahn, and contrary to what some modern cryptanalysts state, I think those methods remain relevant today.) The best standin, I think, are the blogs of another skilled cryptanalyst who is also a gifted writer, Matthew Green. Since his blog is in constant danger of being censored/removed by our enemies at FBI/NSA, grab these while you can:…
In defense of Applied Cryptography
Matthew Green
7 Nov 2011…
A diversion: BEAST Attack on TLS/SSL Encryption
Matthew Green
20 Sep 2011…
Non-governmental crypto attacks
Mattthew Green
28 Nov 2011…
OpenSSL and NSS are FIPS 140 certified. Is the Internet safe now?
Matthew Green
2 Jan 2012…
Trustwave issued a man-in-the-middle certificate
Matthew Green
7 Feb 2012…
Attack of the week: RC4 is kind of broken in TLS
Matthew Green
12 Mar 2013…
The Ideal Cipher Model (wonky)
Matthew Green
11 Apr 2013…
On cellular encryption
Matthew Green
14 May 2013…
How to 'backdoor' an encryption app
Matthew Green
17 Jun 2013
On the NSA
Matthew Green
6 Sep 2013…
The Many Flaws of Dual_EC_DRBG
Mathew Green
18 Sep 2013…
How does the NSA break SSL?
Matthew Green
2 Dec 2013…
How do you know if an RNG is working?
Matthew Green
19 Mar 2014…
Attack of the week: OpenSSL Heartbleed
Matthew Green
8 Apr 2014…
Attack of the Week: Triple Handshakes (3Shake)
Matthew Green
24 Apr 2014
Noodling about IM protocols
Matthew Green
26 July 2014…
Attack of the week: POODLE
Matthew Green
14 Oct 2014…
Attack of the week: FREAK (or 'factoring the NSA for fun and profit')
Matthew Green
3 Mar 2015

Please note that many of these blog posts offer detailed studies of practical attacks on TLS, which should help to explain why I hope Tor coders will read them, if they have not already done so. If one had to pick just a few of Green's posts, I'd pick the one on RNGs (both Snowden and Green have stated that attacking the RNG is much easier for NSA than full-on cryptanalysis of a modern block cipher).

To repeat, I am suggesting that students who have applied to the Summer of Tor read as much of these as practical over the next few months, not that anyone try to read them all in a day. One day-planning warning: once you pick up Kahn's rather long book, I can almost guarantee that you will be unwilling to stop reading until you've finished the book, and then you'll want to immediately read it all over again. It's that good.



April 06, 2015


Those people who apply to this will be monitored, tracked, or harrased by NSA and GCHQ.

Well, that isn't a very nice thing to say. I think it's also a wrong thing to say.

First, why would they be any more interesting than the millions of other people who care about Tor?

And second, giving people the impression that if they do X then they'll be scooped up in the pervasive monitoring, but if they don't do X then they won't be, is dangerously misleading. The pervasive monitoring by many of these groups scoops up everything, whether you do X or not.

In short, be careful with logic that includes "I won't do this activity and then they won't watch me".


April 07, 2015


TBB 4.5a5 is very useful for screen size faking when you choose privacy and security settings from the green onion icon, and set the security level to medium low or above. when you adjust tbb windows size to an unnormal size, it helps it stays the same or adjust another type of standard screen revolution.


April 08, 2015


Someone suggested:

> Those people who apply to [Summer of Tor] will be monitored, tracked, or harassed by NSA and GCHQ.

Well, they're tracking absolutely everyone, but no doubt Summer of Tor coders will become particular targets. But so what? We can't let fear of becoming a "selectee" deter us from combating state-sponsored criminality.

Secret police states create an atmosphere of fear in order to deter their restive populations from effective opposition to oppressive governmental policies. Freedom-loving citizens can, should, and will resist such intimidation by all means at their disposal.

Arma asked:

> why would they be any more interesting than the millions of other people who care about Tor?

Because student developers

o may gain inside access to TP networks and employees,

o can possibly be more easily pressured by USG thugs than people with wider experience and more influential personal connections,

o may use hardware devices which can more easily be trojaned by NSA and its sidekicks in UK, CA, AU, NZ,

o may acquire knowledge of the personal strengths and weaknesses of key Tor Project members,

o may write code which is eventually used by millions, code which we can expect NSA will try to "shape" by any means possible, even if it cannot "turn" any of the student developers.

I am not saying that these possibilities-- or better say, "likelihoods"--- should dissuade anyone from fostering the growth of the privacy industry by sponsoring programs such as Summer of Tor! Rather, I am warning everyone to remain vigilant. Because, as arma said, just because we are not doing anything wrong does not mean FVEY agencies are not out to get us. They are, and they routinely use vicious tactics. So be careful.

For extensive details on how FVEY agencies try to "shape" anonymity and privacy-enhancing software and to disrupt the organizations which develop such software, please see Snowden-leaked documents on

o NSA presentations on Project Bullrun

o NSA/GCHQ presentations about several anti-Tor programs

o GCHQ presentations on disrupting targeted communities

Know your enemy!


April 09, 2015


Just as a side note: Please mark a blog post like this, that is pinned at the beginning of the blog. I needed some days to figure out that this post here isn't the latest one, but there has been some new ones published in between.

Same here!

It took me at least a day before I realized. I regularly check this blog for potentially critical information or just to see progress. It's true that I could have been more thorough in checking, but when you sometimes check several times a day a little added convenience is welcomed.

Tor blog Firefox add-on anyone? Something small (in our non-Tbb browser) that blinks/informs when a new post is created. It could even allow for someone to follow a particular post and it's comments. I just think keeping the community informed about important data/events is of utmost importance. With automatic updates reaching stability, some will feel less inclined to visit the blog. A plugin could bridge the upcoming gap.


April 23, 2015


> Argh, I'd love to apply, but I'm graduating this May.

Employment should not be a binary choice between:

o Tor Project
o the surveillance state

Plainly, Tor Project cannot possibly hope to hire the thousands of people who want to make a difference by working for a privacy-enhancing company.

Can recent graduates in such relevant fields as CS "create their own (privacy-enhancing) jobs" by helping to grow a privacy industry? Which rigorously repels infiltration/subversion by the enemy?