[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-talk] Tor Weekly News â October 29th, 2014

Tor Weekly News                                       October 29th, 2014

Welcome to the forty-third issue in 2014 of Tor Weekly News, the weekly
newsletter that covers whatâs happening in the Tor community.

Tor is out

The 0.2.5.x branch of the core Tor software hit stable, with the release
of As Nick Mathewson explained [1], there have been no changes
since last weekâs release, and the new features will be
familiar to readers of Tor Weekly News over the past year of
development, but highlights include âimproved denial-of-service
resistance for relays, new compiler hardening options, and a system-call
sandbox for hardened installations on Linuxâ, as well as improvements to
transparent proxying, building and testing, pluggable transport
usability, and much more.

This release means that Tor versions in the 0.2.3.x series, which has
âreceived no patches or attention for some whileâ and âaccumulated many
known flawsâ [2], are now deprecated. Relay operators running these
versions must upgrade as soon as possible, or risk having their relays
rejected from the network in the near future.

Please see Nickâs release announcement for the full changelog, and
download your copy of the source code from the distribution
directory [3] or a prebuilt package from your usual repositories.

  [1]: https://lists.torproject.org/pipermail/tor-announce/2014-October/000096.html
  [2]: https://lists.torproject.org/pipermail/tor-relays/2014-October/005590.html
  [3]: https://dist.torproject.org/

Miscellaneous news

Jacob Appelbaum announced [4] version 0.1.3 of TorBirdy, a torifying
extension for the Thunderbird email client. Among other things, this
release fixes the recently-reported âwrote:â bug [5], disables the
automatic downloading of messages from POP3 accounts, and ensures that
draft messages for IMAP accounts are stored on the local system rather
than sent over the network. However, as Jacob wrote, âitâs still
experimentalâ, so âuse at your own riskâ. See the release announcement
for a full changelog.

  [4]: https://lists.torproject.org/pipermail/tor-talk/2014-October/035326.html
  [5]: https://bugs.torproject.org/13480

Anthony G. Basile announced [6] version 20141022 of tor-ramdisk, the
micro Linux distribution whose only purpose is to host a Tor server in
an environment that maximizes security and privacy. This release
addresses the recent POODLE attack [7] with updates to Tor and OpenSSL,
and also upgrades the Linux kernel.

  [6]: http://opensource.dyc.edu/pipermail/tor-ramdisk/2014-October/000134.html
  [7]: https://blog.torproject.org/blog/new-sslv3-attack-found-disable-sslv3-torbrowser

Yawning Angel called for testing [8] of the revamped tor-fw-helper, a
tool that automates the port forwarding required (for example) by the
flash proxy [9] pluggable transport. Please see Yawningâs message for
full testing instructions and other important information: âQuestions,
Comments, Feedback appreciatedâ.

  [8]: https://lists.torproject.org/pipermail/tor-dev/2014-October/007670.html
  [9]: https://crypto.stanford.edu/flashproxy/

On the Tor blog, Andrew Lewman responded [10] to the abuse of Tor by
creators of so-called âransomwareâ, or malware that tries to restrict
access to usersâ files unless a ransom is paid; these extortionists
sometimes ask their victims to install Tor software in order to
communicate with them over a hidden service, leading users to the
mistaken belief that The Tor Project is somehow involved. As Andrew
wrote, this software âis unrelated to The Tor Project. We didnât produce
it, and we didnât ask to be included in the criminal infection of any
computer.â Users may find the information provided by the BBC [11] and
Bleeping Computer [12] to be helpful in resolving the problem.

 [10]: https://blog.torproject.org/blog/tor-misused-criminals
 [11]: https://www.bbc.com/news/technology-28661463
 [12]: http://www.bleepingcomputer.com/virus-removal/cryptolocker-ransomware-information

Josh Pitts posted an analysis [13] of apparently malicious behavior by a
Tor relay that was modifying binary files downloaded over Tor circuits
in which it was the exit node. As Roger Dingledine responded [14],
âweâve now set the BadExit flag on this relay, so others wonât
accidentally run across itâ.

 [13]: http://www.leviathansecurity.com/blog/the-case-of-the-modified-binaries/
 [14]: https://lists.torproject.org/pipermail/tor-talk/2014-October/035340.html

David Fifield pointed out [15] âan apparent negative correlation between
obfs3 users and vanilla usersâ in the Tor Metrics portalâs bridge user
graphs [16] and wondered what might be causing it.

 [15]: https://lists.torproject.org/pipermail/tor-dev/2014-October/007659.html
 [16]: https://metrics.torproject.org/users.html?graph=userstats-bridge-transport&transport=%3COR%3E&transport=obfs3#userstats-bridge-transport

News from Tor StackExchange

Dodo wants to run several hidden services (HTTP, XMPP, SSH etc.), but
use just one onion address [17]. Jobiwan explained that one can forward
each port to a different service. Further information can be found at
the configuration page for hidden services [18].

 [17]: https://tor.stackexchange.com/q/4437/88
 [18]: https://www.torproject.org/docs/tor-hidden-service.html.en#three

Rodney Hester proxies the DirPort of his relay and saw lots of requests
to nonexistent URLs, of which the most prominent is the URL
/tor/status/all.z [19], and asks where they are coming from. Do you have
an answer? If so, please share it at Torâs StackExchange site.

 [19]: https://tor.stackexchange.com/q/4452/88

Upcoming events

  Oct 29 13:30 UTC | little-t tor development meeting
                   | #tor-dev, irc.oftc.net
  Oct 31 17:00 CET | OONI development meeting
                   | #ooni, irc.oftc.net
  Nov 03 - 07      | Roger @ WPES and CCS
                   | Phoenix, Arizona, USA
                   | https://www.cylab.cmu.edu/news_events/events/wpes2014/
                   | http://www.sigsac.org/ccs/CCS2014/
  Nov 03 18:00 UTC | Tor Browser online meeting
                   | #tor-dev, irc.oftc.net
  Nov 03 19:00 UTC | Tails contributors meeting
                   | #tails-dev (irc.indymedia.org/h7gf2ha3hefoj5ls.onion)
                   | https://mailman.boum.org/pipermail/tails-project/2014-October/000045.html
  Nov 04 17:00 UTC | little-t tor patch workshop
                   | #tor-dev, irc.oftc.net

This issue of Tor Weekly News has been assembled by Lunar, qbi, Roger
Dingledine, and Harmony.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page [20], write down your
name and subscribe to the team mailing list [21] if you want to
get involved!

 [20]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
 [21]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to