Tor Summer of Privacy Projects

We're pleased to announce the projects for this year's Tor Summer of Privacy! Of our twenty-two applicants sadly we only had funding for four, so without further ado here they are!

Projects officially begin on May 25th. We're thrilled to have them with us, and have our fingers crossed that they'll stay afterward to become core developers!

That would certainly be appreciated! We're still scrambling to see if there's additional funding somewhere for another. We have a lot of other fantastic proposals we'd love to fund.

Anon

April 20, 2015

When I drag text from Kwrite, if the character is Chinese, to the text field of Tbb 4.5a5, the copied one is going to be an unrecognized symbol.

Plus, dragging Chinese text from Knotes to both Tbb 4.5a and 4.08 is also affected.

Anon

April 23, 2015

Congrats to the winners!

In the spirit of anecdotal evidence that Tor users generally are being attacked, and in the context of the recent report of 94 bad exit nodes which appeared to be using Tor to attack his HS: during the past two weeks I have noticed the following:

o while using TBB, frequent error messages saying something like "handshake failed" (with reference to a specific elliptic curve, maybe 25519)

o while using Tails, while connecting to a site with excellent crypto, got this error message:
(Error code: ssl_error_inappropriate_fallback_alert)

These errors were previously rare to nonexistent.

Anon

April 23, 2015

The recent POST note on Tor

www.parliament.uk/briefing-papers/post-pn-488.pdf

led to questions in both Tor-talk and this blog about this sentence:

"The Executive Director of Tor Project Inc., Andrew Lewman, says he would like to intensify collaborations with LEAs and policy makers in the UK."

In the blog, Roger replied this collaboration certainly does *not* entail "putting in backdoors", but he didn't clarify what it *does* mean. In Tor-talk, Thomas White asked about recent DARPA funding for Tor (including the Summer of Privacy?) which seems to be connected to MEMEX.

For those who don't know, the original MEMEX was a speculative idea published in July 1945 by wartime science czar Vannevar Bush, later taken up by DARPA and developed as the infamous TIA and LifeLog programs. And what is LifeLog? From Wikipedia:

"LifeLog aims to compile a massive electronic database of every activity and relationship a person engages in. This is to include credit card purchases, web sites visited, the content of telephone calls and e-mails sent and received, scans of faxes and postal mail sent and received, instant messages sent and received, books and magazines read, television and radio selections, physical location recorded via wearable GPS sensors, biomedical data captured through wearable sensors. The high-level goal of this data logging is to identify "preferences, plans, goals, and other markers of intentionality.""

Yikes!

Note that "markers of intentionality" refers to LifeLog data being fed to predictive analysis algorithms for the purpose of algorithmic governance: personalized governmental actions designed just for you-- designed, that is, not to help you live your dreams, but to make you change your behavior in directions the government prefers. (No more anti-fracking protesting for you, or else!)

DARPA's current MEMEX is said to be less ambitious than LifeLog (which aimed to document the entire lives second by second of every human, the better to oppress them I suppose), focusing on documenting the second by second evolution of the "dark web", a term which DARPA probably uses because it can mean anything they decide they want it to mean.

But if the current MEMEX really is son of LifeLog, son of TIA, son of MEMEX, this sounds like pretty scary company to keep. And pretty strange company for privacy advocates to keep.

Roger confirmed that DARPA is currently providing funds to Tor for research projects, and stated "we're using the Memex money to make hidden services stronger, and we're teaching other people how Tor works".

He gave an example of how his teaching efforts could actually help the Project fight against the cyberwarhawks:

"Our "3-4%" [of Tor traffic is related to HS] stat has actually been used by some of the other people (at other groups) who are funded by Memex. They're talking to (among others) the child porn division of the Department of Justice, and I've taught them enough about Tor that they've basically turned into Tor advocates on our behalf. They've found actual numbers to be really useful at countering the FUD that some government people start out with. One of these people explained to me last week that they listen to her more than she thinks they'd listen to me, since she shows up as a neutral party."

It could be argued that as long as DARPA places no restrictions on how its funds are spent, why not take the money? One could point to a vaguely analogous precedent such as the development of DES. As I recall, in some obscured manner NSA partially funded the IBM project which became DES, and was dumbfounded-- and appalled-- at how far Horst Feistel had singlehandedly advanced the theory and practice of designing strong block ciphers. The story goes that NSA boffins told Feistel "you did your job too well!". Then they brought pressure to bear on NBS (now NIST) to weaken the published version of DES by truncating the key length... same old... same old...

But I remain very concerned that Tor Project not be "captured" (like NBS/NIST or the US Mathematics profession) by NSA and its friends. It might be OK to take *some* money from the surveillance industrial complex, but only as a last resort, and it should never exceed some percentage of total funding.

But it's hard to have a discussion with the Tor user community about what percentage should be the maximum allowed to come from USG because the exact numbers have never been published on the web (as far as I know). So I propose that the Project should consider announcing that in future it will no longer accept funds from

o USG agencies like DARPA

o secretive CIA-connected government contractors like SRI

o murky public-private entities like NED

*unless* these sources agree to let the Project become completely transparent about all its funding. In particular, I think those funding sources which prohibit Tor from stating on its website exactly who these sponsors are should be politely thanked and told their money is no longer good here.

I agree that this is an important discussion.

My two cents:
Accept all the money that the NSA and co. is willing to give, but do not spend it yet.
Stock up all the 'dirty' funds for a while. That way if the Tor Project becomes 'too successful', like block ciphers, the dirty money cannot suddenly be cut off, as there is still a stock of it to use over time.

So as a rule one can accept all the dirty funds, but only use, say, 10% of the available dirty funds each year, for eternity.

This assures independence from the dirty money in the short and medium term, while still accepting everything.

I'm using a Meek bridge in China and the TBB produces lots of network traffic which I see from the system monitor, but surfing the web in Tbb is much slower than the good amount of traffic would suggest. Why do you produce so much unusable traffic?

Sorry to intrude but there are NONE, ZERO, NADA Tor bridges available (via the web page & emailing)! obfs3, obfs4, fteproxy, scramblesuit, not even 1 bridge! What is happening? Can someone elaborate on the situation?

> Accept all the money that the NSA and co. is willing to give, but do not spend it yet. Stock up all the 'dirty' funds for a while. That way if the Tor Project becomes 'too successful', like block ciphers, the dirty money cannot suddenly be cut off, as there is still a stock of it to use over time.

Good idea. We might point to the example of Southern Poverty Law Center (SPLC.org), a non-profit which decades ago established a generous endowment. SPLC is now said to be one of the wealthiest independent nonprofits in the US. SPLC takes *no* government funds at all and is more or less self-sufficient.

I think everyone here would agree that the Tor Project should work toward a similar level of independence from government funding. Many users would go much further and urge that the Project work towards establishing a clear and consistent policy of non-cooperation with governments.

In one respect, SPLC is an awful example in the context of the Tor blog. Their major activity in recent decades appears to be their Intelligence Project, which collects open source intelligence on hate groups. Which is, in principle, fine by me. But another unanswered question troubles me: the OSI methods used by SPLC have grown sufficiently sophisticated over the years that I think we have to wonder whether, like the anti-child-porn public-private partnership NGO mentioned in another thread, SPLC might be misusing Tor by using a bad family of Tor nodes to try to deanonymize Tor users in order to figure out whether any of us are members of any of the groups whose on-line activities they closely monitor. Even worse, perhaps, in their recent white papers SPLC waxes enthusiastic about USG dragnet surveillance programs, which to some critics appears inconsistent with the origins of SPLC in defending poor people of color against government oppression.

Clearly the Project needs funding to grow Tor into the default for everyman's web browsing, which is needed to help those who need Tor most to become "lost in the noise". It might be acceptable to take some fraction of total funding from DARPA if no strings are attached, but in the long run, it is clear that the project will need to find funding independent of governments, huge corporations, or wealthy individuals with an agenda which may not be privacy friendly. For example, many Tor users would no doubt be alarmed to discover that-- these are hypothetical examples, I hope-- Comcast or the Koch brothers are lurking behind NoName Privacy Org, a current or future Tor funder.

Many, many Tor users have expressed concern over the years about USG funding for Tor. I believe that one point on which all of them would most likely agree is that *transparency in funding is essential*. Currently the Project's major funders (DARPA, NED, SRI, others?) appear to very badly fail in this respect. That alone is sufficient reason to insist that they allow the Project to publish everything it knows about these funders, or to place a high priority on developing transparent and more privacy- and citizen-friendly replacement funding from non-governmental sources.

Many Tor users have long been concerned that the Tor Project is inadequately resistant to being NISTed by NSA. If the current funding situation continues, that concern will rapidly become even more concerning to the Tor user-base.

From Tor Weekly News — April 22nd, 2015:

> Donncha O’Cearbhaill will be implementing a system to increase the availability of large onion services by balancing requests across several back-end servers, each running its own Tor instance; Jesse Victors will be working on a project entitled “The Onion Name System: Tor-Powered Distributed DNS for Tor Hidden Services”, based on his thesis; former GSoC student and GetTor project leader Israel Leiva will be returning to carry out further work on the alternative distribution system for Tor software; and Israel’s twin brother Cristóbal will be developing a web-based status dashboard for Tor relays.

Speaking as one who has previously suggested (in a general way) concerns to be addressed by three of these four projects: outstanding! Much appreciated! Best wishes to all the interns (and possible future developers) in their Tor work!

Have Tor developers thought about running a tier-2 Tor relay network under hidden services?

It could work as something simple such as relays having an option to be anonymous and they would simply run as hidden service and the hidden service address would be shown in tor relay list. This would solve global Tor bans from various websites and traffic flagging.

I think I don't need to do much more explaining. Please consider it.

Please make Tor compilable from source on Visual Studio from Windows!!

All of these projects sound awesome, and I'm so excited that you started hiring interns this year! I must say though that I'm a little bit disappointed with the gender breakdown. Were none of the applicants women? And if not, are there things you could do to advertise to more female students in future years?

I don't think the gender of the author has any influence on their contribution to Tor. 99% of people using a system will never know the developer's gender, nor does it make any practical difference. I seriously doubt Tor's team chose any of these projects based on the gender of the applicant, and I suspect they haven't met most of the applicants so there's no way to introduce that bias except by name alone. The applications are judged on merit, not gender, and anyone who thinks otherwise has spent too much time on Tumblr.

I'd love to see an equal distribution and more women in the science, technology, and security fields. There's nothing stopping them from entering these fields or from being accepted by Tor's SoP program. https://i.imgur.com/CfDz6ZN.png The choice is based on merit, and I don't think the solution to the distribution problem is on Tor's end. In the end, nobody cares about the gender of the developer, so I think this issue is rather moot in a practical sense.