Here is the March report for SponsorF Year4:
https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorF/Year4
(With thanks to Lunar for compiling most of it!)

------------------------------------------------------------------------
1) Tor: performance, scalability, reachability, anonymity, security.

- We released Tor 0.2.5.3-alpha on March 23rd. In addition to the fixes from 0.2.4.21, it contains two new anti-DoS features for Tor relays, resolves a bug that kept SOCKS5 support for IPv6 from working, fixes several annoying usability issues for bridge users, and removes more old code for unused directory formats. This release also marks the first step toward the stabilization of Tor 0.2.5, as from now on no feature patches not already written will be considered for inclusion.
  https://lists.torproject.org/pipermail/tor-talk/2014-March/032448.html

- George Kadianakis made a detailed analysis of the performance and anonymity implications of switching to only a single guard node:
  https://lists.torproject.org/pipermail/tor-dev/2014-March/006458.html
  Nicholas Hopper did further experiments using the TorPS simulator.
  https://lists.torproject.org/pipermail/tor-dev/2014-March/thread.html#6458
  The current outcome is that there are many complex research questions here, but we should probably do it anyway.

- Roger talked briefly to the Georgetown / Penn team about integrating their network coordinate system, and/or alternate path selection schemes, into Tor. The consensus for now is that most of their research is premature or shown-to-be-not-a-good-idea-yet. One promising idea would be to integrate the network coordinate system into the relays, and see how it would behave in practice, so we can get more intuition. That would require a proposal -- the ball is in their court now.

------------------------------------------------------------------------
2) Bridges and Pluggable transports: make Tor able to adapt to new blocking events (including better tracking when these blocking events occur).

- David Fifield published a guide to patching meek, an HTTP pluggable transport, so that it can be used to send traffic via Lantern, a censorship circumvention system which acts as an HTTP proxy and proxies traffic through trusted friends.
  https://lists.torproject.org/pipermail/tor-dev/2014-March/006356.html

- The meek development repository has been moved to Tor Project's infrastructure.
  https://lists.torproject.org/pipermail/tor-dev/2014-March/006506.html

- George Kadianakis announced obfsproxy version 0.2.7. The new release fixes an important bug where ScrambleSuit would reject clients if they tried to connect a second time after a short amount of time had passed.
  https://lists.torproject.org/pipermail/tor-relays/2014-March/004074.html

- Version 0.0.2 of obfsclient -- a C++ implementation of obfs3 and ScrambleSuit -- has been released.
  https://lists.torproject.org/pipermail/tor-dev/2014-March/006592.html

- BridgeDB version 0.1.5 was released on March 16th and version 0.1.6 on March 26th. Bridge descriptor parsing reliability has been improved. A custom CAPTCHA solution has replaced the nearly impossible to solve CAPTCHA served by the Google reCAPTCHA service.
  https://bridges.torproject.org/

- Roger wrote about the current situation of how Tor is able to circumvent censorship on Chinese Internet accesses.
  https://blog.torproject.org/blog/how-to-read-our-china-usage-graphs

- Roger talked to SRI and Farsight about publishing their Jumpbox code, and/or doing an integrated TBB-PT release. Jumpbox (driving a browser to make your plausible-looking HTTP requests, rather than trying to pretend to be a browser on your own) appears quite similar to what David Fifield and Sathya have each been doing.

------------------------------------------------------------------------
3) Bundles: improve the Tor Browser Bundle and other Tor bundles and packages, especially improving bridge and pluggable transport support in TBB.

- Tor Browser version 3.5.3 was released on March 19th as a safe upgrade for every Tor Browser user. Among important security fixes in the browser code, the new version contains an updated Tor, a fix for a potential freeze, a fix for the Ubuntu keyboard issue and a way to prevent disk leaks when watching videos.
  https://blog.torproject.org/blog/tor-browser-353-released

- Tor Browser version 3.6-beta-1 was released on March 18th. It incorporates the same changes as version 3.5.3, minor fixes and usability improvements, but more importantly the result of a months-long effort to seamlessly integrate pluggable transports. In the network settings, users can now choose "Connect with provided bridges" and select from "obfs3" [12], "fte" [13] or "flashproxy" [14]. Entering custom bridges is also supported and will work for direct, obfs2 and obfs3 bridges.
  https://blog.torproject.org/blog/tor-browser-36-beta-1-released

- Mike Perry wrote an introduction to Tor Browser development.
  https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking

- David Goulet released the fourth candidate of the Torsocks rewrite.
  https://lists.torproject.org/pipermail/tor-dev/2014-March/006371.html

- On March 9th, Anthony G. Basile released a new version of the tor-ramdisk micro Linux distribution for relay operators.
  http://opensource.dyc.edu/pipermail/tor-ramdisk/2014-March/000127.html

- Ramo released a new Tor plugin aimed at relay operators for the Nagios monitoring system.
  https://lists.torproject.org/pipermail/tor-relays/2014-March/004062.html

- Tails 0.23 was released on March 19th. Two major new features: Tails will now do "MAC spoofing" by default to hide the hardware address used on the local network, and it now supports bridge and pluggable transports configuration through the same interface used in recent Tor Browser. It also includes several security fixes, several small bugfixes and minor improvements.
  https://tails.boum.org/news/version_0.23/

- Patrick Schleizer announced the release of version 8 of Whonix -- an operating system focused on anonymity, privacy and security based on the Tor anonymity network, Debian and security by isolation.
  https://www.whonix.org/

------------------------------------------------------------------------
4) Metrics: provide safe but useful statistics, along with the underlying data, about the Tor network and its users and usage.

- Onionoo is now able to provide per-bridge statistics. This should allow visualizations of where users are coming from and what type of pluggable transport they are using.
  https://onionoo.torproject.org/#clients

- Onionoo now provides fractional uptimes of relays and bridges.
  https://onionoo.torproject.org/#uptime

- We started considering how to track performance and total contribution for a subset of relays, in the "Metrics for assessing EFF's Tor relay challenge?" thread:
  https://lists.torproject.org/pipermail/tor-relays/2014-March/004170.html
  In an ideal world, these same scripts and graphing engines could be used to look at other relay sub-populations and track diversity and changes over time.

------------------------------------------------------------------------
5) Outreach: teach a broad range of communities about how Tor works, why it's important, and why this broad range of user communities is needed for best safety.

- The Tor Project has received 32 proposals for the 2014 edition of the Google Summer of Code.

- Kelley Misata delivered a talk "Journalists -- Staying Safe in a Digital World" at the Computer-Assisted Reporting Conference in Baltimore.
  https://lists.torproject.org/pipermail/tor-reports/2014-March/000470.html

- David Rajchenbach-Teller from Mozilla reached out to the Tor Browser developers about their overhaul of the Firefox Session Restore mechanism. This is another milestone in the growing collaboration between the Tor Project and Mozilla.
  https://lists.torproject.org/pipermail/tor-talk/2014-February/032204.html

- Tails won the 2014 Endpoint Security prize from Access. The prize recognizes Tails's unique positive impact on the endpoint security of at-risk users in need.
  https://www.accessnow.org/blog/2014/03/11/2014-access-innovation-prize-winners-announced-at-rightscon

- Alex reported on an important case about Tor relay operators which came to court in Athens, Greece on March 18th. The defendant, a Tor relay operator, was acquitted after proving that the IP address used for criminal activity was in fact a Tor relay.
  https://lists.torproject.org/pipermail/tor-talk/2014-March/032441.html

- The Tor network is seeing an increased number of users from inside Turkey after Twitter and other sites were blocked by the Turkish government. A short blog post on how to get the Tor Browser was written, and translated into Turkish.
  https://metrics.torproject.org/users.html?graph=userstats-relay-country&start=2014-01-01&end=2014-03-31&country=tr&events=off#userstats-relay-country
  https://blog.torproject.org/blog/ways-get-tor-browser-bundle

- Jacob Appelbaum presented a keynote titled "Free software for freedom, surveillance and you" at LibrePlanet 2014 in Boston.
  http://libreplanet.org/2014/program/sessions.html

- A FreedomBox developer, James Valleroy, came for help on the best way to configure the FreedomBox as a Tor bridge.
  https://lists.torproject.org/pipermail/tor-relays/2014-March/004108.html

- A Tor exit operator held an Ask Me Anything on Reddit.
  https://pay.reddit.com/r/IAmA/comments/20243q/iaman_operator_of_eight_tor_relays_including_two

------------------------------------------------------------------------
6) Research: Assist the academic community in analyzing/improving Tor.

- Members of the Prosecco research team released a new attack on the TLS protocol -- dubbed "Triple Handshake" -- allowing impersonation of a given client when client authentication is in use together with session resumption and renegotiation. Nick Mathewson published a detailed analysis of why Tor is not affected, and also outlines future changes to make Tor resistant to even more potential TLS issues.
  https://lists.torproject.org/pipermail/tor-dev/2014-March/006372.html

- Sebastian Urbach announced that Trying Trusted Tor Traceroutes, a Tor network measurement collaboration with groups including NRL, has reached 100 completed runs from different IPs.
  https://lists.torproject.org/pipermail/tor-relays/2014-March/004037.html

- Nick Hopper presented his "Challenges in protecting Tor hidden services from botnet abuse" paper at FC:
  http://freehaven.net/anonbib/#botnetfc14

- Roger reviewed Usenix Security papers, including several anonymity papers. Similarly, Nick Mathewson and other Tor folks reviewed PETS submissions.
