[tor-dev] Fwd: About using source code

[saurav dahal]

Can anybody please tell me how to use the original source code of tor  by
modifying and implementing on the TOR network?
For example: I want to log how many circuits have been made through my OR.

Thanks,

Saurav
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

[tor-dev] Tor Browser Weekly IRC meetings moved to 18:00 UTC Fridays

[Mike Perry]

Due to the US Daylight Savings Time changes generating new conflicts for
a few people, the Tor Browser team's weekly IRC meeting will now be on
Fridays at 18:00 UTC in #tor-dev on irc.oftc.net, starting this Friday,
March 21st.

We will be snuggling up next to the Huggable^W Pluggable Transports team
meeting, which is just before us at 17:00 UTC on alternating Fridays.
Their next meeting is March 28th.

The hope is that this will help us to work closer with them to polish up
the new unified PT-enabled Tor Browser, add new transport types, and
otherwise generate PLUR (yeah, I said it).

For details on our meeting format, see the original post:
https://lists.torproject.org/pipermail/tbb-dev/2014-February/00.html


P.S. We may have to revisit this time again when the EU switches to
"Summer Time" on March 30th. Running an hour later in the EU may start
to run into people's Friday evening plans, but we'll cross that bridge
once it starts burning.

-- 
Mike Perry


signature.asc
Description: Digital signature
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

[tor-dev] Descriptor-id and responsible hidden service directorate. Changes in version 0.2.4.18-rc - 2013-11-16

[Frank Young]

I have noticed that since the release of version 0.2.4.18-rc - 2013-11-16,
Attempts to fetch v2 rendezvous service descriptor are failing.
The issue seems to get worse as many people are updating their clients.

The calculation of decriptor ids based on specification in rend-spec.tx
 doeesn't seems to be correct anymore. All 6 responsible
hidden services directorates return 404 to a GET request for
/tor/rendezvous2/

I search through the tor source for the release version (0.2.4.18-rc -
2013-11-16) in rend_compute_v2_desc_id and
rend_client_refetch_v2_renddesc but failed to notice any  significant
change. Could any member of the dev team respond to to this?
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Re: [tor-dev] GoSC - Website Fingerprinting project

[Marc Juarez]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Mike, thanks for your comments. My main concern for applying to GSoC is
the time commitment. As I said in my first message, I would like to work
part-time in the project. Anyway, I will submit a proposal and specify
this there.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTKwo6AAoJEGfJ5xfgazlxaloIAI2e0ssAgX//xbBD/jnTP59s
I7kJqRLhRPc2qE9DWGEsCU4NF309h66gboK4+CUhq1FGMIj08Q/VRmoumiSzOmzx
ksC3eFaoxTSD0P/Nl0wDkjhrXTn1uJVqRP1OlMDvVEj5630I3ZvZ1cSxe7cTFEAd
To6xOIH89e3pAv6kpn/rby292kXDyhZFteuIkj8cU5fxTuQ/lytcKFKxgdVvTxBT
XZGG+sYfvgYtVoL01IYfHsSOtHBMv8Nr1huBOz1UvRoih66Hxq1NcClxNfW7DcdT
0Kvf4Gp3SeKRxnuux1PzJPwFOLFhGixCLjfiV2h+rnSezk0yM4EEMdpvZShFxmw=
=Jovi
-END PGP SIGNATURE-
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Re: [tor-dev] GoSC - Website Fingerprinting project

[Marc Juarez]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 03/19/2014 01:13 PM, Ian Goldberg wrote:
> You may also be interested in our new tech report:
> 
> 
> T. Wang, X. Cai, R. Nithyanand, R. Johnson and I. Goldberg 
> Effective Attacks and Provable Defenses for Website Fingerprinting 
> CACR 2014-05 
> http://cacr.uwaterloo.ca/techreports/2014/cacr2014-05.pdf

Thank you, Ian. I'll read it.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQEcBAEBAgAGBQJTKwdSAAoJEGfJ5xfgazlxUdkH/2MG9EzklnRrGVrAZfA9G1RA
ZYtCsVErZw2d+iH+Vu/hFIwPPSjrk7Kwp/dk9pvI5oKigEmOWaRgwcx7hqXgbcZ2
ruf4QkqD064HT4b5UwmliWSpQut1e0dQ06EtGvvbzy1Mzy7cnBtACdzLeFM+NaI5
OiPpEKkb3pYJAIJIms63JfFjf0VWb5G+OSjpYXu+9OqWIci/cRpVMjwvrWz+bKi5
pxib7wWeI1V5c56WDa/g0aBJ47cHeGpY7zOgmkhZ9IqUBV+4uXrOeQIfWAA8iP6F
Fw/s8/C4Il4iSO0TfooHrCMWI5yG8QX5B7Wos5c9+T+IZbwjYEe/Y4GlrUVV+0o=
=8yhX
-END PGP SIGNATURE-
___
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Re: [tor-dev] Panopticlick summer project

[Gunes Acar]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Thanks for all the feedback Mike,
I'll be in touch with you and Georg on the Tor side.

For the other discussion: I don't think open-sourcing Panopticlick is
critical for this work. Rather, it's Panopticlick data that may inform
the information-theoretic evaluation of TBB's countermeasures (e.g. to
get a sense of font distribution to evaluate font limits: Can I
pick/probe 10 fonts to identify all Tor users?)

Actually we've been planning to publish the aggregated Panopticlick
data with Peter and this may be the perfect time to do it. Frankly, I
don't think EFF was reluctant to collaborate with you, rather I guess
they simply had no time. That's why I'm very glad to hear from Yan who
seem to be able to dedicate more time.

I hope that'd work for everybody - me dedicating some of my time (1-2
weeks) to work on the analysis of Panopticlick data.

Best,
Gunes


On Wed 19 Mar 2014 04:14:05 AM CET, Mike Perry wrote:
> Gunes Acar:
>> My name is Gunes Acar, a 2nd year PhD student at Computer
>> Security and Industrial Cryptography (COSIC) group of University
>> of Leuven.
>> 
>> I work with Prof. Claudia Diaz and study online tracking and
>> browser fingerprinting. I'd like to work on "Panopticlick" 
>> (https://www.torproject.org/getinvolved/volunteer.html.en#panopticlick)
>>
>> 
summer
>> project and other fingerprinting related issues which I tried to 
>> outline below:
>> 
>> 1) Collaborate with Peter@EFF to port/open-source Panopticlick: 
>> https://trac.torproject.org/projects/tor/ticket/6119#comment:4 a)
>> implement necessary modifications - e.g. we won't be having
>> cookies or real IP addresses to match returning visitors. b)
>> consider security implications of storing fingerprints (e.g.
>> what happens if someone gets access to fingerprint database?)
>> 
>> 2) Add machine-readability support outlined in Tor Automation 
>> proposals: 
>> https://people.torproject.org/~boklm/automation/tor-automation-proposals.html#helper-fingerprint
>>
>> 
a) which one(s) should we implement? JSON, YAML, XML?
>> 
>> 3) Survey the literature for fingerprinting attacks published
>> since Panopticlick. Implement those that may apply to TBB: a)
>> Canvas & WebGL fingerprinting (Mowery et al.) - make sure the
>> patch at #6253 works b) JS engine fingerprinting (Mulazzani et
>> al.) c) CSS & rendering engine fingerprinting, (Unger et al.) 
>> ...
> 
> This sounds good. We already have a fix for #1 though, but
> verification can't hurt (the canvas should come back as all white
> unless the user allows it).
> 
> We also have a couple fixes for CSS-based fingerprinting (fonts
> and system colors) that are entropy-reduction efforts only.
> Actually measuring the amount of entropy reduction here would be
> useful.
> 
>> 4) Check with realworld fingerprinting scripts to see if they
>> collect anything that is not considered before. Check if TBB's
>> FP countermeasures work against them. (We can use data from
>> FPDetective study to find sites with fingerprinting scripts)
> 
> Great.
> 
>> 5) Backport new "attacks" found in 3 & 4 to EFF's Panopticlick in
>> case they consider an update.
> 
> Unfortunately, the EFF has been reluctant to work with us in any
> way to improve or re-deploy Panopticlick for our needs, hence the
> frustrated tone of my other mail in this thread. It also seems that
> the EFF would not permit your resulting work to be open source,
> which I believe is a violation of the GSoC rules. I guess since you
> are not intending to actually apply to GSoC, this is a moot point
> though. It's just also a sore one for me, so I figured I'd poke it
> once more ;).
> 
> However, as I also said in my other mail, I actually think we may
> be better served by developing something independent of
> Panopticlick. We need per-TBB version breakdowns of all the
> statistics we record, so we can measure the change in entropy as we
> deploy fixes and improvements to our defenses, without previous
> datapoints biasing the distribution.
> 
> Other than some helper functions to store data and calculate
> entropy, and one (or maybe two) simple fingerprinting tests, we
> should not need any of the Panopticlick code for this project. It's
> also likely that our DB schema will end up radically different, due
> to the need to segment data by browser version (which may be input
> by the user), and the need for many more (and more varied) tests
> than they have.
> 
>> 6) Convert fixed FP-related bugs into regression tests. 
>> https://trac.torproject.org/projects/tor/query?keywords=~tbb-fingerprinting&status=closed
>>
>>
>> 
7) Build test cases to check the severity of fingerprinting related
>> open tickets, e.g.: 
>> https://trac.torproject.org/projects/tor/ticket/8770 
>> https://trac.torproject.org/projects/tor/ticket/10299
>> 
>> 8) Work on potential fingerprinting bugs that ESR31 may bring.
>> 
>> 9) ESR transitions seem to create a lot of FP-related issues that
>> need to be checked manually