========================================================================
Tor Weekly News July 23rd, 2014
========================================================================
Welcome to the twenty-ninth issue of Tor Weekly News in 2014, the
weekly newsletter that covers what is happening in the Tor community.
Tails 1.1 is out!
-----------------
Tails, the Debian-based live system that protects its usersâ
communications by ensuring they are all sent through the Tor network,
has been updated. This new 1.1 releaseÂ[1] reminds Tails users of the
distributionâs roots in DebianÂ[2]: Tails is now based on the current
stable version of Debian, dubbed âWheezyâ.
This means that almost all software components have been updated. One
noticeable example is the desktop environment. The user experience of
the GNOMEÂ3 in fallback mode should be similar to previous Tails
versions, but things will look a bit differently than they used to.
One of the most keenly-awaited features of this new version is the
support for UEFI firmware. Mac users now have only to press the Alt
keyÂ[3] while booting their computer to start Tails from a DVD or USB
stick. The same goes for owners of computers displaying âWindows 8â
stickers. And, talking of Windows 8, the camouflage modeÂ[4] has been
updated to look more like it, instead of the now discontinued XP.
This new release also contains security fixesÂ[5], and minor tweaks over
the previous versions.
Because of the newly-introduced support for UEFI and the amount of
upgraded software, incremental upgrades will not be offered for
TailsÂ1.1. A full upgrade is needed through the Tails Installer. The
safest method for upgrading Tails sticks is to go through a freshly
burned DVD. Be sure to have a look at the list of known issuesÂ[6] to
learn about other oddities that might happen in the process.
[1]:Âhttps://tails.boum.org/news/version_1.1/
[2]:Âhttps://tails.boum.org/contribute/relationship_with_upstream/
[3]:Âhttps://tails.boum.org/doc/first_steps/start_tails/#usb-mac
[4]:Âhttps://tails.boum.org/doc/first_steps/startup_options/windows_camouflage/
[5]:Âhttps://tails.boum.org/security/Numerous_security_holes_in_1.0.1
[6]:Âhttps://tails.boum.org/news/version_1.1/#index2h1
PETS 2014
---------
The fourteenth Privacy Enhancing Technologies Symposium was held in
Amsterdam, Netherlands, July 16-18, 2014. A wide range of research in
privacy enhancing technologies was presented, with many of relevance to
Tor. Keynotes were given by Martin Ortlieb, Senior User Experience
Researcher in Privacy at Google, and William Binney, a former NSA
employee.
Some papers focusing on Tor include:
- âSpoiled Onions: Exposing Malicious Tor Exit Relaysâ by Philipp
Winter, Richard KÃwer, Martin Mulazzani, Markus Huber, Sebastian
Schrittwieser, Stefan Lindskog, and Edgar WeipplÂ[7]
- âOne Fast Guard for Life (or 9 months)â by Roger Dingledine, Nicholas
Hopper, George Kadianakis, and Nick MathewsonÂ[8]
- âFrom Onions to Shallots: Rewarding Tor Relays with TEARSâ by Rob
Jansen, Andrew Miller, Paul Syverson, and Bryan FordÂ[9]
- âA TorPath to TorCoin: Proof-of-Bandwidth Altcoins for Compensating
Relaysâ by Mainak Ghosh, Miles Richardson, Bryan Ford, and Rob
JansenÂ[10]
- âMeasuring the Leakage of Onion at the Root, A measurement of Torâs
.onion pseudo-top-level domain in the global domain name systemâ by
Matthew Thomas and Aziz MohaisenÂ[11]
Also announced at PETS was the 2014 PET Award for Outstanding Research
in Privacy Enhancing Technologies, for âA Scanner Darkly: Protecting
User Privacy From Perceptual Applicationsâ by Suman Jana, Arvind
Narayananâ, and Vitaly ShmatikovÂ[12]. The winner of the best student
paper at PETS was âI Know Why You Went to the Clinic: Risks and
Realization of HTTPS Traffic Analysisâ by Brad Miller, Ling Huang, A. D.
Joseph and J. D. TygarÂ[13].
Prior to PETS, there was a Tor meet-up which Moritz Bartl reported as a
great successÂ[14]. Hopefully there will also be such an event at the
2015 PETS, to be held in Philadelphia, US, in the week of June 29, 2015.
[7]:Âhttps://petsymposium.org/2014/papers/Winter.pdf
[8]:Âhttps://petsymposium.org/2014/papers/Dingledine.pdf
[9]:Âhttps://petsymposium.org/2014/papers/Jansen.pdf
[10]:Âhttps://petsymposium.org/2014/papers/Ghosh.pdf
[11]:Âhttps://petsymposium.org/2014/papers/Thomas.pdf
[12]:Âhttps://freedom-to-tinker.com/blog/shmat/a-scanner-darkly-protecting-user-privacy-from-perceptual-applications/
[13]:Âhttps://petsymposium.org/2014/papers/Miller.pdf
[14]:Âhttps://lists.torproject.org/pipermail/tor-talk/2014-July/033936.html
Miscellaneous news
------------------
txtorconÂ[15], the Tor control protocol implementation for the Twisted
frameworkÂ[16], received a new minor releaseÂ[17]. Version 0.10.1 fixes
âa couple bugs introduced along with the endpoints feature in 0.10.0â.
[15]:Âhttps://pypi.python.org/pypi/txtorcon
[16]:Âhttps://twistedmatrix.com/
[17]:Âhttps://lists.torproject.org/pipermail/tor-dev/2014-July/007166.html
Roger Dingledine postedÂ[18] an official reaction to the cancellation of
a proposed talk at the upcoming Blackhat2014 conference dealing with
possible deanonymization attacks on Tor users and hidden services.
[18]:Âhttps://blog.torproject.org/blog/recent-black-hat-2014-talk-cancellation
Tor ships with a sample webpageÂ[19] that can be used by exit node
operators to identify their system as such to anyone wishing to identify
the source of Tor traffic. Operators most often copy and adapt this
template to the local situation. Mick Morgan discovered than his version
was out of syncÂ[20] and contained broken links. âIf other operators are
similarly using a page based on the old template, they may wish to
updateâ, Mick advised.
[19]:Âhttps://gitweb.torproject.org/tor.git/blob_plain/HEAD:/contrib/operator-tools/tor-exit-notice.html
[20]:Âhttps://lists.torproject.org/pipermail/tor-relays/2014-July/004982.html
Michael Rogers, one of the developers of BriarÂ[21], announcedÂ[22] a
new mailing listÂ[23] for discussing peer-to-peer-based communication
systems based on Tor hidden services. As Briar and other systems might
be ârunning into similar issuesâ, a shared place to discuss them seemed
worthwhile.
[21]:Âhttps://briarproject.org/
[22]:Âhttps://lists.torproject.org/pipermail/tor-dev/2014-July/007161.html
[23]:Âhttps://fulpool.org/cgi-bin/mailman/listinfo/hidden-services
Karsten Loesing and Philipp Winter are looking for front-end web
developersÂ[24]: âWe are looking for somebody to fork and extend one of
the two main Tor network status websites AtlasÂ[25] or GlobeÂ[26]â
writes Karsten. Both websites currently need love and new maintainers.
Please reach out if you want to help!
[24]:Âhttps://blog.torproject.org/blog/looking-front-end-web-developers-network-status-websites-atlas-and-globe
[25]:Âhttps://atlas.torproject.org/
[26]:Âhttps://globe.torproject.org/
The database which holds Tor bridges, usually called BridgeDBÂ[27], is
able to give out bridge addresses through email. This feature was
recently extended to make the email autoresponder support more bridge
types, which required introducing new keywords that must be used in the
initial request. Matthew Finkel is looking for feedbackÂ[28] on the
current set of commands and how they could be improved.
[27]:Âhttps://gitweb.torproject.org/bridgedb.git
[28]:Âhttps://lists.torproject.org/pipermail/tor-dev/2014-July/007164.html
Lunar wrote a detailed reportÂ[29] on his week at the Libre Software
Meeting in Montpellier, France. The report covers the booth jointly held
with Nos OignonsÂ[30], his talk in the security track, and several
contacts made with other free software projects.
[29]:Âhttps://lists.torproject.org/pipermail/tor-reports/2014-July/000593.html
[30]:Âhttps://nos-oignons.net/
Hereâs another round of reports from Google Summer of Code students: the
mid-term: Amogh Pradeep on Orbot and Orfox improvementsÂ[31], Israel
Leiva on the GetTor revampÂ[32], Quinn Jarrell on the pluggable
transport combinerÂ[33], Juha Nurmi on the ahmia.fi projectÂ[34], Marc
Juarez on website fingerprinting defensesÂ[35], and Daniel Martà on
incremental updates to consensus documentsÂ[36].
[31]:Âhttps://lists.torproject.org/pipermail/tor-dev/2014-July/007152.html
[32]:Âhttps://lists.torproject.org/pipermail/tor-dev/2014-July/007156.html
[33]:Âhttps://lists.torproject.org/pipermail/tor-dev/2014-July/007157.html
[34]:Âhttps://lists.torproject.org/pipermail/tor-reports/2014-July/000594.html
[35]:Âhttps://lists.torproject.org/pipermail/tor-reports/2014-July/000595.html
[36]:Âhttps://lists.torproject.org/pipermail/tor-dev/2014-July/007163.html
Tim Retout announcedÂ[37] that apt-transport-torÂ[38] 0.2.1 has entered
Debian unstable. This package enables APT to download Debian packages
through Tor.
[37]:Âhttp://retout.co.uk/blog/2014/07/21/apt-transport-tor
[38]:Âhttps://tracker.debian.org/pkg/apt-transport-tor
AtlasÂ[39] can now also be used to search for Tor bridges. In the past,
Atlas was only able to search for relays. This was made possible thanks
to a patchÂ[40] developed by Dmitry Eremin-Solenikov.
[39]:Âhttps://atlas.torproject.org/
[40]:Âhttps://bugs.torproject.org/6320
Thanks to Tim SemeijnÂ[41] and Tobias BauerÂ[42] for setting up new
mirrors of the Tor Projectâs website and its software.
[41]:Âhttps://lists.torproject.org/pipermail/tor-mirrors/2014-July/000642.html
[42]:Âhttps://lists.torproject.org/pipermail/tor-mirrors/2014-July/000646.html
Tor help desk roundup
---------------------
Some Linux users have experienced missing dependency errors when trying
to install Tor Browser from their operating systemâs software
repositories. Tor Browser should only be installed from the Tor
Projectâs website, and never from a software repository. In other words,
using apt-get or yum to install Tor Browser is discouraged. Downloading
and verifying Tor Browser from the Tor Project website allows users to
keep up with important security updates as they are released.
News from Tor StackExchange
---------------------------
user3224 wants to log in to its Google, Microsoft etc. accounts and
wonders if they will know the real name and other personal
informationÂ[43]. Roya and mirimir explained that if someone logs into
an already personalized account Tor canât anonymize this user. Instead
it might be wise to use Tor to register a pseudonym and also use an
anonymous operating system like Tails or Whonix.
[43]:Âhttps://tor.stackexchange.com/q/3603/88
escapologybb has set up a Raspberry Pi. It serves as SOCKS proxy for the
internal network. While everyone can use it, escapologybb asks what the
security implications are and if this lowers the overall anonymityÂ[44].
If you know a good answer please share your knowledge with the users of
Tor StackExchange.
[44]:Âhttps://tor.stackexchange.com/q/3596/88
Upcoming events
---------------
Aug. 3 19:00 UTC | Tails contributors meeting
| #tails-dev @ irc.indymedia.orgÂ/Âh7gf2ha3hefoj5ls.onion
| https://mailman.boum.org/pipermail/tails-project/2014-July/000000.html
|
August 18 | Roger @ FOCI â14
| San Diego, California, USA
| https://www.usenix.org/conference/foci14
|
August 20-22 | Roger @ USENIX Security Symposium â14
| San Diego, California, USA
| https://www.usenix.org/conference/usenixsecurity14
This issue of Tor Weekly News has been assembled by Lunar, Steven
Murdoch, harmony, Philipp Winter, Matt Pagan, qbi, and Karsten Loesing.
Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project pageÂ[45], write down your
name and subscribe to the team mailing listÂ[46] if you want to
get involved!
[45]:Âhttps://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
[46]:Âhttps://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
Attachment:
signature.asc
Description: Digital signature
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk