Tor Weekly News — January 15th, 2014

Welcome to the second issue in 2014 of Tor Weekly News, the weekly newsletter that covers what is happening in the Tor community.

Orbot 13 is out

Orbot — the Guardian Project’s port of Tor on Android platforms — has received a major update. Version 13 includes “all the latest bling across the board” meaning Tor and updated versions of OpenSSL and XTables. Nathan also mentions “some important fixes to the Orbot service, to ensure it remains running in the background, and the active notification keeps working, as well. Finally, we’ve changed the way the native binaries are installed, making it more reliable and clean across devices.”

After the initial release candidates, 13.0.1, 13.0.2 and then 13.0.3 were quickly made available to fix various reported issues.

The new release is available from the Guardian Project’s website, F-Droid repository or Google Play.

Who are the Tor Project’s website visitors?

Last week’s call for help regarding the Tor Project’s website has seen a pretty impressive response. Discussions then quickly started on the newly created mailing list.

As one of the first concrete outcomes, Rey Dhuny contributed an initial set of “personas”, later improved by Max Jakob Maass and Silviu Riley, with suggestions from others. Quoting Wikipedia: “personas are fictional characters created to represent the different user types within a targeted demographic, attitude and/or behavior set that might use a site, brand or product in a similar way.”

One can have a look at the wiki page to learn more about the seven different users of the Tor website that have been identified so far: The Student, The Journalist, The Researcher, The Donor, The Engineer, The Activist, The Dissident. These personas should probably be further refined, but are already a very useful tool to think about how to structure a new website.

For anyone interested in following the effort, Andrew Lewman has spent time triaging all website-related tickets and setting up a new milestone to keep tabs on tasks and issues.

Let’s save Tor Weather!

The Tor network would not exist without all its volunteers — currently more than 3,000 all around the world — who run the 5,000+ relays anonymizing our connections.

Tor Weather is one of these small services run by the Tor Project that is meant to make the life of relay operators easier. It can warn them when their relay is down or when a new version of tor is available… and when they can receive the rewarding t-shirt. Unfortunately, Tor Weather has been unmaintained for quite a while, and issues have accumulated over time.

Karsten Loesing has sent a call for help with suggestions on how the code can be simplified and improved. Abhiram Chintangal and Norbert Kurz have already stated their interest. Coordination is done through the tor-dev mailing list and a design wiki page. Join them if you are up to some Python hacking or spiffing up the web interface!

More monthly status reports for December 2013

The wave of regular monthly reports from Tor project members for the month of December 2013 continued this week as well with the extended report from the Tails team followed by reports from George Kadianakis, Kevin P Dyer, and Andrew Lewman.

Miscellaneous news

The Tails team has put out a call for testing the first release candidate for Tails 0.22.1. The new version will bring several bugfixes, an updated kernel, and many improvements to the upgrader application.

Directory authorities are in the process of upgrading their directory signing key to RSA 2048. This has been done for five out of nine authorities. The changes might result in some temporary error messages in logs of Tor relays, as they did when gabelmoo changed its key on January 11th.

Nicolas Vigier has sent a proposal about replacing the current Gitian-based build system for the Tor Browser Bundle with a system based on burps. Nicolas also worked on a prototype to go with his proposal.

Nick Mathewson mentioned that the “Sniper Attack” paper by Rob Jansen, Florian Tschorsch, Aaron Johnson, and Björn Scheuermann was now available. This paper describes serious Denial of Service attacks through memory exhaustion. The issue is fixed “thanks to advice from the paper’s authors, in Tor 0.2.4.x and later”.

In order to prevent attacks on hidden services based on predicting which directory will be used, directory authorities need to periodically produce shared unpredictable random strings. To address the issue, Nicholas Hopper has sent a threshold signature-based proposal for a shared RNG, now up for review.

The next session of low-hanging fruits for Tails will happen on February 8th in the #tails IRC channel on OFTC at 10:00 CET.

Thanks to Maki Hoshisawa and cYbergueRrilLa AnonyMous NeXus for running new mirrors of the Tor Project website.

Jaromil announced the release of Dowse, “a transparent proxy setup supporting Tor”. One feature is that it detects “all URLs whose domain ends in .onion, routing them directly to Tor, effectively making the onion network accessible without any plugin or software installed.” The transparent proxy approach has known issues but can still be of interest to some users. Jaromil is seeking feedback and opinions from the community.

Microsoft’s Geoff McDonald wrote a blog post describing how they have helped remove half of the estimated four million Tor clients installed by the Sefnit botnet without the computer owners’ knowledge.

Koumbit has been working on Torride, a live distribution to run Tor relays, not unlike Tor-ramdisk but based on Debian. Version 1.1.0 was released on January 10th.

Tor help desk roundup

Many users have been emailing for clarification on the Tor Browser’s interface. The first time Tor Browser is started, users are asked if their network is free of obstacles. Many users do not know if their network is free of obstacles or not. A network is free of obstacles if it does not censor connections to the Tor network. Ticket #10610 has been opened to discuss possible improvements.

A number of users have reported problems using the Tor Browser in Backtrack Linux. Backtrack is unusual among Linux distributions in that the user can only log in as root; there are no other user accounts. The Tor Browser cannot be run as root. One solution for Backtrack users is to create a new account with the useradd command and then run the Tor Browser as that user with the sudo command.

This issue of Tor Weekly News has been assembled by Lunar, Matt Pagan, dope457, Sandeep, Karsten Loesing, Nicolas Vigier, Philipp Winter and the Tails developers.

Tor Weekly News needs reviewers! 24 hours before being published, the content of the next newsletter is frozen so there is time to improve the language. We are really missing native or good English speakers who could spend just about 20 minutes each week. See the project page, and subscribe to the team mailing list if you want to get involved!