Welcome to the twenty-ninth issue of Tor Weekly News in 2014, the weekly newsletter that covers what is happening in the Tor community.

Tails 1.1 is out!

Tails, the Debian-based live system that protects its users’ communications by ensuring they are all sent through the Tor network, has been updated. This new 1.1 release reminds Tails users of the distribution’s roots in Debian: Tails is now based on the current stable version of Debian, dubbed “Wheezy”.

This means that almost all software components have been updated. One noticeable example is the desktop environment. The user experience of the GNOME 3 in fallback mode should be similar to previous Tails versions, but things will look a bit differently than they used to.

One of the most keenly-awaited features of this new version is the support for UEFI firmware. Mac users now have only to press the Alt key while booting their computer to start Tails from a DVD or USB stick. The same goes for owners of computers displaying “Windows 8” stickers. And, talking of Windows 8, the camouflage mode has been updated to look more like it, instead of the now discontinued XP.

This new release also contains security fixes, and minor tweaks over the previous versions.

Because of the newly-introduced support for UEFI and the amount of upgraded software, incremental upgrades will not be offered for Tails 1.1. A full upgrade is needed through the Tails Installer. The safest method for upgrading Tails sticks is to go through a freshly burned DVD. Be sure to have a look at the list of known issues to learn about other oddities that might happen in the process.

PETS 2014

The fourteenth Privacy Enhancing Technologies Symposium was held in Amsterdam, Netherlands, July 16-18, 2014. A wide range of research in privacy enhancing technologies was presented, with many of relevance to Tor. Keynotes were given by Martin Ortlieb, Senior User Experience Researcher in Privacy at Google, and William Binney, a former NSA employee.

Some papers focusing on Tor include:

• Spoiled Onions: Exposing Malicious Tor Exit Relays by Philipp Winter, Richard Köwer, Martin Mulazzani, Markus Huber, Sebastian Schrittwieser, Stefan Lindskog, and Edgar Weippl
• One Fast Guard for Life (or 9 months) by Roger Dingledine, Nicholas Hopper, George Kadianakis, and Nick Mathewson
• From Onions to Shallots: Rewarding Tor Relays with TEARS by Rob Jansen, Andrew Miller, Paul Syverson, and Bryan Ford
• A TorPath to TorCoin: Proof-of-Bandwidth Altcoins for Compensating Relays by Mainak Ghosh, Miles Richardson, Bryan Ford, and Rob Jansen
• Measuring the Leakage of Onion at the Root, A measurement of Tor’s .onion pseudo-top-level domain in the global domain name system by Matthew Thomas and Aziz Mohaisen

Also announced at PETS was the 2014 PET Award for Outstanding Research in Privacy Enhancing Technologies, for A Scanner Darkly: Protecting User Privacy From Perceptual Applications by Suman Jana, Arvind Narayanan†, and Vitaly Shmatikov. The winner of the best student paper at PETS was I Know Why You Went to the Clinic: Risks and Realization of HTTPS Traffic Analysis by Brad Miller, Ling Huang, A. D. Joseph and J. D. Tygar .

Prior to PETS, there was a Tor meet-up which Moritz Bartl reported as a great success. Hopefully there will also be such an event at the 2015 PETS, to be held in Philadelphia, US, in the week of June 29, 2015.

Miscellaneous news

txtorcon, the Tor control protocol implementation for the Twisted framework, received a new minor release. Version 0.10.1 fixes “a couple bugs introduced along with the endpoints feature in 0.10.0”.

Roger Dingledine posted an official reaction to the cancellation of a proposed talk at the upcoming Blackhat2014 conference dealing with possible deanonymization attacks on Tor users and hidden services.

Tor ships with a sample webpage that can be used by exit node operators to identify their system as such to anyone wishing to identify the source of Tor traffic. Operators most often copy and adapt this template to the local situation. Mick Morgan discovered than his version was out of sync and contained broken links. “If other operators are similarly using a page based on the old template, they may wish to update”, Mick advised.

Michael Rogers, one of the developers of Briar, announced a new mailing list for discussing peer-to-peer-based communication systems based on Tor hidden services. As Briar and other systems might be “running into similar issues”, a shared place to discuss them seemed worthwhile.

Karsten Loesing and Philipp Winter are looking for front-end web developers: “We are looking for somebody to fork and extend one of the two main Tor network status websites Atlas or Globe” writes Karsten. Both websites currently need love and new maintainers. Please reach out if you want to help!

The database which holds Tor bridges, usually called BridgeDB, is able to give out bridge addresses through email. This feature was recently extended to make the email autoresponder support more bridge types, which required introducing new keywords that must be used in the initial request. Matthew Finkel is looking for feedback on the current set of commands and how they could be improved.

Lunar wrote a detailed report on his week at the Libre Software Meeting in Montpellier, France. The report covers the booth jointly held with Nos Oignons, his talk in the security track, and several contacts made with other free software projects.

Here’s another round of reports from Google Summer of Code students: the mid-term: Amogh Pradeep on Orbot and Orfox improvements, Israel Leiva on the GetTor revamp, Quinn Jarrell on the pluggable transport combiner, Juha Nurmi on the ahmia.fi project, Marc Juarez on website fingerprinting defenses, and Daniel Martí on incremental updates to consensus documents.

Tim Retout announced that apt-transport-tor 0.2.1 has entered Debian unstable. This package enables APT to download Debian packages through Tor.

Atlas can now also be used to search for Tor bridges. In the past, Atlas was only able to search for relays. This was made possible thanks to a patch developed by Dmitry Eremin-Solenikov.

Thanks to Tim Semeijn and Tobias Bauer for setting up new mirrors of the Tor Project’s website and its software.

Tor help desk roundup

Some Linux users have experienced missing dependency errors when trying to install Tor Browser from their operating system’s software repositories. Tor Browser should only be installed from the Tor Project’s website, and never from a software repository. In other words, using apt-get or yum to install Tor Browser is discouraged. Downloading and verifying Tor Browser from the Tor Project website allows users to keep up with important security updates as they are released.

News from Tor StackExchange

user3224 wants to log in to its Google, Microsoft etc. accounts and wonders if they will know the real name and other personal information. Roya and mirimir explained that if someone logs into an already personalized account Tor can’t anonymize this user. Instead it might be wise to use Tor to register a pseudonym and also use an anonymous operating system like Tails or Whonix.

escapologybb has set up a Raspberry Pi. It serves as SOCKS proxy for the internal network. While everyone can use it, escapologybb asks what the security implications are and if this lowers the overall anonymity. If you know a good answer please share your knowledge with the users of Tor StackExchange.

This issue of Tor Weekly News has been assembled by Lunar, Steven Murdoch, harmony, Philipp Winter, Matt Pagan, qbi, and Karsten Loesing.

Want to continue reading TWN? Please help us create this newsletter. We still need more volunteers to watch the Tor community and report important news. Please see the project page, write down your name and subscribe to the team mailing list if you want to get involved!