Tor Weekly News — December 25th, 2013

Welcome to the 26th issue of Tor Weekly News, the weekly newsletter that covers what is happening in the Tor community.

The 3.x series of the Tor Browser Bundle is now stable

After more than a year of work, Mike Perry has officially blessed the 3.5 release of the Tor Browser Bundle as the new stable release. Improving on the previous stable series, it features a deterministic build system for distributed trust, a new integrated interface to interact with Tor and all the improvements from Tor 0.2.4.

Users of the previous 2.x series might be a little disoriented by the user interface changes. David Fifield, Matt Pagan and others have been compiling the most frequent questions heard after the switch. Until the integrated browser interface catches up, new Vidalia bundles are now available for those who need them. Erinn Clark is ironing out the remaining integration issues.

With the discontinuation of Firefox 17 ESR, the new release had to be pushed to users to avoid exposing them to security holes. Firefox 24 ESR, on which the Tor Browser is now based, should be supported by Mozilla for approximately one year. This will leave our browser hackers some time to focus more on user experience improvements, test automation, and better resistance to fingerprinting issues.

Several tutorials, videos, and bits of documentation might now in one way or another be out-of-date in many places. Please help report them or, even better, write up some updated versions.

This release is quite a milestone for the project. Update and enjoy!

The Tor Project now accepts donation in Bitcoin

As is often pointed out in the press, the majority of the Tor Project’s financial support comes from US government-linked organizations. In the ongoing effort to offer as many possible ways for individuals and organizations to give help to the project, Bitcoin donations are now being accepted.

As Roger Dingledine wrote in a subsequent comment: “We really need to get some funding for core Tor development, and especially for improving Tor’s anonymity, because none of our current funders care enough about the anonymity side of Tor. Outreach and blocking-resistance are great topics, but we can’t let the anonymity part rot.”

Head over to the donations page to learn more about how to chip in with Bitcoins or other currencies.

Tor 0.2.4.20 is out

The first update to the new stable branch of Tor has been released on December 23rd. It fixes an issue that would create more preemptive circuits than actually need, and a security issue related to poor random number generation.

The latter affects “users who 1) use OpenSSL 1.0.0 or later, 2) set ‘HardwareAccel 1’ in their torrc file, 3) have ‘Sandy Bridge’ or ‘Ivy Bridge’ Intel processors, and 4) have no state file in their DataDirectory (as would happen on first start). Users who generated relay or hidden service identity keys in such a situation should discard them and generate new ones.”

The source code is already available from the usual location. Update packages and bundles should be ready soon.

Tor events at the 30th Chaos Communication Congress

The Chaos Computer Club will be holding its 30th Congress in Hamburg between the 27th and the 30th of December, and as usual there are a number of Tor-related talks and events scheduled.

Following their session on the Tor ecosystem at 29c3, Tor Project members Roger Dingledine and Jacob Appelbaum will be giving a talk entitled “The Tor Network: We’re living in interesting times”, in which they discuss the Project’s work over the last few years, with special reference to “major cryptographic upgrades in the Tor network, interesting academic papers in attacking the Tor network, major high profile users breaking news about the network itself, discussions about funding, FBI/NSA exploitation of Tor Browser users, botnet related load on the Tor network, and other important topics”.

Their talk will be followed by a discussion involving everyone interested in helping Tor at the NoisySquare assembly. The Tor ecosystem is now made up of more than forty different projects, and there are sure to be ways you can help. Bring your skills and your energy!

Torservers.net will be holding a meeting of Tor relay operators and organizations, featuring “quick presentations on recent and future activities around Torservers.net”, to be followed by the official members’ meeting of the German Torservers.net partner organization, Zwiebelfreunde e.V.

#youbroketheinternet will hold a session on the future of crypto routing backends: “Even the IETF is now considering that Onion Routing should be a fundamental capability of the Internet. How would that look in practice?”

If you are attending the Congress, feel free to come along and participate in these sessions; if not, you should be able to catch up with the talks online.

Miscellaneous news

Anthony G. Basile released version 20131216 of Tor-ramdisk, a “uClibc-based micro Linux distribution whose only purpose is to host a Tor server in an environment that maximizes security and privacy.” This new release is the first to ship the 0.2.4 branch of Tor.

For those who like hazardous experiments, intrigeri sent a call for testing an experimental Tails image with preliminary UEFI support — users of Apple hardware should be particularly interested. anonym also announced that test images from the MAC spoofing branch were available.

Nick Mathewson sent his now-monthly review of the status of Tor’s proposals. Karsten Loesing followed-up by commenting on several of those related to the directory protocol. Have a look, you might also be able to move things forward!

Many thanks to John Sweeney of otivpn.com, Jeremy J. Olson of EPRCI, and les.net for running mirrors of the Tor Project website.

Karsten Loesing has been experimenting with replacementsfor the “fast exits” graphs that would convey a better feeling of the network growth. He also deployed a new visualization for the fraction of connections used uni-/bidirectionally.

Tor help desk roundup

Multiple users have now emailed the help desk regarding a particular type of “ransomware” that encrypts the hard drive of Windows computers and won’t give users the decryption key until a payment is made. Victims of this malware have emailed the help desk because the ransomware message includes a link to a tor hidden service site. Malware victims wanted to know how to install the Tor Browser, or thought the Tor Project was the source of the malware.

The Tor Project does not make malware; in the past Tor developers have worked with anti-virus developers to help stop other types of malware. Users affected might find useful information in the guide assembled by BleepingComputer.com. If you have not been affected, the story might be a good reminder to think about your backups.

This issue of Tor Weekly News has been assembled by Lunar, harmony, Matt Pagan and dope457.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!