[tor-talk] Tor Weekly News - October 9th, 2013



========================================================================
Tor Weekly News                                        October 9th, 2013
========================================================================

Welcome to the fifteenth issue of Tor Weekly News, the weekly newsletter
that covers what's happening in the world of Tor - "king of high-secure,
low-latency anonymity" [1].

   [1] http://www.theguardian.com/world/interactive/2013/oct/04/tor-high-secure-internet-anonymity

New tranche of NSA/GCHQ Tor documents released
----------------------------------------------

After a cameo appearance in previous leaked intelligence documents [2],
Tor found itself at the center of attention in the latest installment of
the ongoing Snowden disclosures after a series of stories were published
in the Guardian and the Washington Post that detailed alleged attempts
by NSA, GCHQ, and their allies to defeat or circumvent the protection
that Tor offers its users. A number of source materials, redacted by the
newspapers, were published to accompany the articles.

The documents in question [3] offer, alongside characteristically
entertaining illustrations [4], an overview of the Tor network from the
point of view of the intelligence agencies, as well as a summary of
attacks against Tor users and the network as a whole that they have
considered or carried out.

Despite the understandable concern provoked among users by these
disclosures, Tor developers themselves were encouraged by the often
relatively basic or out-of-date nature of the attacks described. In
response to one journalist's request for comment, Roger Dingledine wrote
that "we still have a lot of work to do to make Tor both safe and
usable, but we don't have any new work based on these slides" [5].

Have a look at the documents yourself, and feel free to raise any
questions with the community on the mailing lists or IRC channels.

   [2] https://blog.torproject.org/blog/tor-nsa-gchq-and-quick-ant-speculation
   [3] http://media.encrypted.cc/files/nsa
   [4] https://twitter.com/EFF/status/386291345301581825
   [5] https://blog.torproject.org/blog/yes-we-know-about-guardian-article#comment-35793

tor 0.2.5.1-alpha is out
------------------------

Roger Dingledine announced [6] the first alpha release in the tor
0.2.5.x series, which among many other improvements introduces
experimental support for syscall sandboxing on Linux, as well as
statistics reporting for pluggable transports usage on compatible
bridges.

Roger warned that "this is the first alpha release in a new series, so
expect there to be bugs. Users who would rather test out a more stable
branch should stay with 0.2.4.x for now." 0.2.5.1-alpha will not
immediately appear on the main download pages, in order to avoid having
too many versions listed at once. Please feel free to test the new
release [7], and report any bugs you find!

   [6] https://lists.torproject.org/pipermail/tor-talk/2013-October/030269.html
   [7] https://www.torproject.org/dist/

How did Tor achieve reproducible builds?
----------------------------------------

At the end of June, Mike Perry announced [8] the first release of the
Tor Browser Bundle 3.0 alpha series, featuring release binaries "exactly
reproducible from the source code by anyone". In a subsequent blog
post [9] published in August, he explained why it mattered.

Mike has just published the promised follow-up piece [10] describing how
this feat was achieved in the new Tor Browser Bundle build process.

He explains how Gitian [11] is used to create a reproducible build
environment, the tools used to produce cross-platform binaries for
Windows and OS X from a Linux environment, and several issues that
prevented the builds from being entirely deterministic. The latter range
from timestamps to file ordering differences when looking up a
directory, with an added 3 bytes of pure mystery.

There is more work to be done to "prevent the adversary from
compromising the (substantially weaker) Ubuntu build and packaging
processes" currently used for the toolchain. Mike also wrote about
making the build of the compiler and toolchain part of the build
process, cross-compilation between multiple architectures, and the work
being done by Linux distributions to produce deterministic builds from
their packages.

If you are interested in helping, or working on your own software
project, there is a lot to be learned by reading the blog post in full.

   [8] https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released
   [9] https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise
  [10] https://blog.torproject.org/blog/deterministic-builds-part-two-technical-details
  [11] http://gitian.org/howto.html

Toward a new Tor Instant Messaging Bundle
-----------------------------------------

A first meeting last week kicked off the "Attentive Otter project" [12]
which aims to come up with a new bundle for instant messaging. The first
meeting mainly consisted of trying to enumerate the various options.

In the end, people volunteered to research three different
implementation ideas. Thijs Alkemade and Jurre van Bergen explored the
possibility of using Pidgin/libpurple [13] as the core component. Jurre
also prepared an analysis of xmpp-client [14], together with David
Goulet, Nick Mathewson, Arlo Breault, and George Kadianakis. As a third
option, Mike Perry took a closer look at Instantbird/Thunderbird [15]
with Sukhbir Singh.

All the options have their pros and cons, and they will probably be
discussed on the tor-dev mailing list and at the next "Attentive
Otter" meeting.

  [12] https://trac.torproject.org/projects/tor/wiki/org/sponsors/Otter/Attentive
  [13] https://lists.torproject.org/pipermail/tor-dev/2013-October/005544.html
  [14] https://lists.torproject.org/pipermail/tor-dev/2013-October/005546.html
  [15] https://lists.torproject.org/pipermail/tor-dev/2013-October/005555.html

More monthly status reports for September 2013
----------------------------------------------

The wave of regular monthly reports from Tor project members continued
this week with submissions from George Kadianakis [16], Lunar [17],
Sathyanarayanan Gunasekaran [18], Ximin Luo [19], Matt Pagan [20], Pearl
Crescent [21], Colin C. [22], Arlo Breault [23], Karsten Loesing [24],
Jason Tsai [25], the Tor help desk [26], Sukhbir Singh [27], Nick
Mathewson [28], Mike Perry [29], Andrew Lewman [30], Aaron G [31], and
the Tails folks [32].

  [16] https://lists.torproject.org/pipermail/tor-reports/2013-October/000346.html
  [17] https://lists.torproject.org/pipermail/tor-reports/2013-October/000347.html
  [18] https://lists.torproject.org/pipermail/tor-reports/2013-October/000348.html
  [19] https://lists.torproject.org/pipermail/tor-reports/2013-October/000349.html
  [20] https://lists.torproject.org/pipermail/tor-reports/2013-October/000350.html
  [21] https://lists.torproject.org/pipermail/tor-reports/2013-October/000351.html
  [22] https://lists.torproject.org/pipermail/tor-reports/2013-October/000352.html
  [23] https://lists.torproject.org/pipermail/tor-reports/2013-October/000353.html
  [24] https://lists.torproject.org/pipermail/tor-reports/2013-October/000354.html
  [25] https://lists.torproject.org/pipermail/tor-reports/2013-October/000355.html
  [26] https://lists.torproject.org/pipermail/tor-reports/2013-October/000356.html
  [27] https://lists.torproject.org/pipermail/tor-reports/2013-October/000357.html
  [28] https://lists.torproject.org/pipermail/tor-reports/2013-October/000358.html
  [29] https://lists.torproject.org/pipermail/tor-reports/2013-October/000359.html
  [30] https://lists.torproject.org/pipermail/tor-reports/2013-October/000360.html
  [31] https://lists.torproject.org/pipermail/tor-reports/2013-October/000361.html
  [32] https://lists.torproject.org/pipermail/tor-reports/2013-October/000362.html

Tor Help Desk Roundup
---------------------

A number of users wanted to know if Tor was still safe to use given the
recent news that Tor users have been targeted by the NSA. We directed
these users to the Tor Project's official statement on the subject [33].

One of the most popular questions the help desk receives continues to be
whether or not Tor is available on iOS devices. Currently there is no
officially supported solution, although more than one project has been
presented [34, 35].

The United Kingdom is now one of the countries where citizens request
assistance circumventing a national firewall [36].

  [33] https://blog.torproject.org/blog/yes-we-know-about-guardian-article
  [34] https://lists.torproject.org/pipermail/tor-dev/2013-October/005542.html
  [35] https://trac.torproject.org/projects/tor/ticket/8933
  [36] https://lists.torproject.org/pipermail/tor-talk/2013-July/029054.html

Miscellaneous news
------------------

Thanks to Grozdan [37], Simon Gattner from Netzkonstrukt Berlin [38],
Wollomatic [39], and Haskell [40] for setting up new mirrors of the Tor
project website.

  [37] https://lists.torproject.org/pipermail/tor-mirrors/2013-September/000366.html
  [38] https://lists.torproject.org/pipermail/tor-mirrors/2013-September/000370.html
  [39] https://lists.torproject.org/pipermail/tor-mirrors/2013-October/000374.html
  [40] https://lists.torproject.org/pipermail/tor-mirrors/2013-October/000375.html

Arlo Breault sent out a request for comments on a possible new version
of the check.torproject.org page [41].

  [41] https://lists.torproject.org/pipermail/tor-talk/2013-October/030253.html

Runa Sandvik announced [42] that the Tor Stack Exchange page has moved
from private beta to public beta. If you'd like to help answer
Tor-related questions (or ask them), get involved now! [43]

  [42] https://lists.torproject.org/pipermail/tor-talk/2013-October/030269.html
  [43] http://tor.stackexchange.com/

Philipp Winter sent out a call for testing (and installation
instructions) for the ScrambleSuit pluggable transports protocol [44].

  [44] https://lists.torproject.org/pipermail/tor-talk/2013-October/030252.html

Not strictly Tor-related, but Mike Perry started an interesting
discussion [45] about the "web of trust" system, as found in OpenPGP.
The discussion was also held on the MonkeySphere mailing list, which
prompted Daniel Kahn Gillmor to reply with many clarifications regarding
the various properties and processes of the current implementation. To
sum it up, Ximin Luo started [46] a new documentation project [47] "to
describe and explain security issues relating to identity, in
(hopefully) simple and non-implementation-specific language".

  [45] https://lists.torproject.org/pipermail/tor-talk/2013-September/030235.html
  [46] https://lists.riseup.net/www/arc/monkeysphere/2013-10/msg00000.html
  [47] https://github.com/infinity0/idsec/

The listmaster role has been better defined [48] and is now performed by
a team consisting of Andrew Lewman, Damian Johnson, and Karsten Loesing.
Thanks to them!

  [48] https://trac.torproject.org/projects/tor/wiki/org/operations/Infrastructure/lists.torproject.org

Roger Dingledine released an official statement on the Tor project
blog [49] regarding the takedown of the Silk Road hidden service and
the arrest of its alleged operator.

  [49] https://blog.torproject.org/blog/tor-and-silk-road-takedown

Fabio Pietrosanti asked [50] for reviews of "experimental Tor
performance tuning for a Tor2web node." Feel free to have a look [51]
and provide feedback.

  [50] https://lists.torproject.org/pipermail/tor-talk/2013-October/030405.html
  [51] https://github.com/globaleaks/Tor2web-3.0/wiki/Performance-tuning

Claudiu-Vlad Ursache announced [52] the initial release of
CPAProxy [53], "a thin Objective-C wrapper around Tor". This is the
first component of a project to "release a free open-source browser on
the App Store that uses this wrapper and Tor to anonymize requests."
Claudiu-Vlad left several questions open, and solicited opinions on the
larger goal.

  [52] https://lists.torproject.org/pipermail/tor-dev/2013-October/005545.html
  [53] https://github.com/ursachec/CPAProxy

Upcoming events
---------------

Oct 09-10 | Andrew speaking at Secure Poland 2013
          | Warszawa, Poland
          | http://www.secure.edu.pl/
          |
Oct 11    | Kelley @ Journalist Training Event
          | Helsinki, Finland
          | http://www.journalistiliitto.fi/jp13/
          |
Nov 04-05 | 20th ACM Conference on Computer and Communications Security
          | Berlin, Germany
          | http://www.sigsac.org/ccs/CCS2013/


This issue of Tor Weekly News has been assembled by Lunar, harmony,
dope457 and Matt Pagan.

Want to continue reading TWN? Please help us create this newsletter.  We
still need more volunteers to watch the Tor community and report
important news. Please see the project page [54], write down your name
and subscribe to the team mailing list [55] if you want to get involved!

  [54] https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
  [55] https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
