[TWN team] Recent changes to the wiki pages
Lunar
lunar at torproject.org
Sat Aug 29 09:40:04 UTC 2015
===========================================================================
=== https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews/2015/33 ===
===========================================================================
version 7
Author: harmony
Date: 2015-08-29T08:58:22+00:00
--
--- version 6
+++ version 7
@@ -15,8 +15,10 @@
Contents
--------
- 1. XXX
- 2. XXX
+ 1. Hash visualizations to protect against onion phishing
+ 2. Tor-enabled Debian mirrors
+ 3. Miscellaneous news
+ 4. Upcoming events
Hash visualizations to protect against onion phishing
-----------------------------------------------------
@@ -56,6 +58,30 @@
[XXX]: https://lists.torproject.org/pipermail/tor-talk/2014-October/035413.html
[XXX]: https://lists.torproject.org/pipermail/tor-talk/2015-June/038295.html
[XXX]: https://lists.torproject.org/pipermail/tor-dev/2015-August/009302.html
+
+Tor-enabled Debian mirrors
+--------------------------
+
+Richard Hartmann, Peter Palfrader, and Jonathan McDowell have set up
+the first onion service mirrors [XXX] of the Debian operating system’s
+software package infrastructure. This means that it is now possible to
+update your Debian system without the update information or downloaded
+packages leaving the Tor network at all, preventing a network adversary
+from discovering information about your system. A follow-up post by
+Richard [XXX] includes guidance on using apt-transport-tor [XXX] with
+the new mirrors.
+
+These services are only the first in what should hopefully become a
+fully Tor-enabled system mirroring “the complete package lifecycle,
+package information, and the website”. “This service is not redundant,
+it uses a key which is stored on the local drive, the .onion will
+change, and things are expected to break”, wrote Richard, but if you
+are interested in trying out the new infrastructure, see the write-ups
+for further information.
+
+ [XXX]: http://richardhartmann.de/blog/posts/2015/08/24-Tor-enabled_Debian_mirror/
+ [XXX]: http://richardhartmann.de/blog/posts/2015/08/25-Tor-enabled_Debian_mirror_part_2/
+ [XXX]: https://retout.co.uk/blog/2014/07/21/apt-transport-tor
Miscellaneous news
------------------
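Review bot: The three "[XXX]" markers in the new Debian section (after "onion service mirrors", "A follow-up post by Richard" and "apt-transport-tor") are still unnumbered, and so are the three link definitions under it, so a reader cannot tell which URL backs which statement; number them in order of appearance before the issue is sent. Both richardhartmann.de references are plain http:// links, and the item points readers to those write-ups for mirror details while quoting that "the .onion will change", so link the https:// versions if the site offers them.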
@@ -157,7 +183,3 @@
[XXX]: https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
[XXX]: https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
}}}
-
-Possible items:
-
- * Tor-enabled Debian mirrors: http://richardhartmann.de/blog/posts/2015/08/24-Tor-enabled_Debian_mirror/ and http://richardhartmann.de/blog/posts/2015/08/25-Tor-enabled_Debian_mirror_part_2/
version 6
Author: harmony
Date: 2015-08-29T08:42:59+00:00
--
--- version 5
+++ version 6
@@ -2,11 +2,11 @@
'''Editor:''' Harmony
-'''Subject:''' Tor Weekly News — August 28th, 2015
+'''Subject:''' Tor Weekly News — August 29th, 2015
{{{
========================================================================
-Tor Weekly News August 28th, 2015
+Tor Weekly News August 29th, 2015
========================================================================
Welcome to the thirty-third issue in 2015 of Tor Weekly News, the weekly
@@ -18,12 +18,44 @@
1. XXX
2. XXX
-Feature XXX
------------
+Hash visualizations to protect against onion phishing
+-----------------------------------------------------
-Feature 1 with cited source [XXX]
+Unlike URLs on the non-private web, the .onion addresses used by Tor
+hidden services are not handed out by any central authority — instead,
+they are derived by the hidden services themselves based on their
+cryptographic key information. This means that they are typically
+quite hard for humans to remember, unless the hidden service operator —
+whether by chance or by making repeated attempts — hits upon a memorable
+string, as in the case of Facebook’s hidden service [XXX].
- [XXX]:
+“The problem”, writes George Kadianakis, is that due to these
+user-unfriendly strings, “many people don’t verify the whole onion
+address, they just trust the onion link or verify the first few
+characters. This is bad since an attacker can create a hidden service
+with a similar onion address very easily”, then trick users into
+visiting that address instead for a variety of malicious purposes. This
+species of attack that has already been seen in the wild [XXX]. After
+discussions with other researchers in this area, George drew up a
+proposal [XXX] to incorporate visual information into the verification
+process: “So when TBB connects to a hidden service, it uses the onion
+address to generate a randomart or key poem and makes them available
+for the user to examine.”
+
+As with all new development proposals, however, there are many
+unanswered questions. What kind of visualization would work best?
+Should there also be an auditory component, like a randomly-generated
+tune? How should the feature be made available to users without
+confusing those who have no idea what it is or why it’s needed? In
+short, “Some real UX research needs to be done here, before we decide
+something terrible.”
+
+If you have clear and constructive feedback to offer on this unusual
+but important proposal, please send it to the tor-dev mailing list.
+
+ [XXX]: https://lists.torproject.org/pipermail/tor-talk/2014-October/035413.html
+ [XXX]: https://lists.torproject.org/pipermail/tor-talk/2015-June/038295.html
+ [XXX]: https://lists.torproject.org/pipermail/tor-dev/2015-August/009302.html
Miscellaneous news
------------------
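Review bot: The added sentence "This species of attack that has already been seen in the wild [XXX]." has a stray "that" and no main verb; it should read "This species of attack has already been seen in the wild [XXX]." The three "[XXX]" markers in this section (Facebook's hidden service, the in-the-wild report, and the proposal) and the three link definitions at the end of the hunk also still need numbers, assigned in the same order, and the Contents entries left as "1. XXX" and "2. XXX" in the context lines need the real section titles.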
--
Your friendly TWN monitoring script
In case of malfunction, please reach out for lunar at torproject.org
or for the worst cases, tell weasel at torproject.org to kill me.