Tor Weekly News — October 9th, 2013

Lunar lunar at torproject.org
Wed Oct 9 15:27:02 UTC 2013


========================================================================
Tor Weekly News                                        October 9th, 2013
========================================================================

Welcome to the fifteenth issue of Tor Weekly News, the weekly newsletter
that covers what's happening in the world of Tor — “king of high-secure,
low-latency anonymity” [1].

   [1] http://www.theguardian.com/world/interactive/2013/oct/04/tor-high-secure-internet-anonymity

New tranche of NSA/GCHQ Tor documents released
----------------------------------------------

After a cameo appearance in previous leaked intelligence documents [2],
Tor found itself at the center of attention in the latest installment of
the ongoing Snowden disclosures after a series of stories were published
in the Guardian and the Washington Post that detailed alleged attempts
by NSA, GCHQ, and their allies to defeat or circumvent the protection
that Tor offers its users. A number of source materials, redacted by the
newspapers, were published to accompany the articles.

The documents in question [3] offer, alongside characteristically
entertaining illustrations [4], an overview of the Tor network from the
point of view of the intelligence agencies, as well as a summary of
attacks against Tor users and the network as a whole that they have
considered or carried out.

Despite the understandable concern provoked among users by these
disclosures, Tor developers themselves were encouraged by the often
relatively basic or out-of-date nature of the attacks described. In
response to one journalist's request for comment, Roger Dingledine wrote
that “we still have a lot of work to do to make Tor both safe and
usable, but we don't have any new work based on these slides” [5].

Have a look at the documents yourself, and feel free to raise any
questions with the community on the mailing lists or IRC channels.

   [2] https://blog.torproject.org/blog/tor-nsa-gchq-and-quick-ant-speculation
   [3] http://media.encrypted.cc/files/nsa
   [4] https://twitter.com/EFF/status/386291345301581825
   [5] https://blog.torproject.org/blog/yes-we-know-about-guardian-article#comment-35793

tor 0.2.5.1-alpha is out
------------------------

Roger Dingledine announced [6] the first alpha release in the tor
0.2.5.x series, which among many other improvements introduces
experimental support for syscall sandboxing on Linux, as well as
statistics reporting for pluggable transports usage on compatible
bridges.

Roger warned that “this is the first alpha release in a new series, so
expect there to be bugs. Users who would rather test out a more stable
branch should stay with 0.2.4.x for now.” 0.2.5.1-alpha will not
immediately appear on the main download pages, in order to avoid having
too many versions listed at once. Please feel free to test the new
release [7], and report any bugs you find!

   [6] https://lists.torproject.org/pipermail/tor-talk/2013-October/030269.html
   [7] https://www.torproject.org/dist/

How did Tor achieve reproducible builds?
----------------------------------------

At the end of June, Mike Perry announced [8] the first release of the
Tor Browser Bundle 3.0 alpha series, featuring release binaries “exactly
reproducible from the source code by anyone”. In a subsequent blog
post [9] published in August, he explained why it mattered.

Mike has just published the promised follow-up piece [10] describing how
this feat was achieved in the new Tor Browser Bundle build process.

He explains how Gitian [11] is used to create a reproducible build
environment, the tools used to produce cross-platform binaries for
Windows and OS X from a Linux environment, and several issues that
prevented the builds from being entirely deterministic. The latter range
from timestamps to file ordering differences when looking up a
directory, with an added 3 bytes of pure mystery.

There is more work to be done to “prevent the adversary from
compromising the (substantially weaker) Ubuntu build and packaging
processes” currently used for the toolchain. Mike also wrote about
making the build of the compiler and toolchain part of the build
process, cross-compilation between multiple architectures, and the work
being done by Linux distributions to produce deterministic builds from
their packages.

If you are interested in helping, or working on your own software
project, there is a lot to be learned by reading the blog post in full.

   [8] https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released
   [9] https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise
  [10] https://blog.torproject.org/blog/deterministic-builds-part-two-technical-details
  [11] http://gitian.org/howto.html

Toward a new Tor Instant Messaging Bundle
-----------------------------------------

A first meeting last week kicked-off the “Attentive Otter project” [12]
which aims to come up with a new bundle for instant messaging. The first
meeting mainly consisted in trying to enumerate the various options.

In the end, people volunteered to research three different
implementation ideas. Thijs Alkemade and Jurre van Bergen explored the
possibilty of using Pidgin/libpurple [13] as the core component. Jurre
also prepared an analysis of xmpp-client [14], together with David
Goulet, Nick Mathewson, Arlo Breault, and George Kadianakis. As a third
option, Mike Perry took a closer look at Instantbird/Thunderbird [15]
with Sukhbir Singh.

All the options have their pros and cons, and they will probably be
discussed on the tor-dev mailing list and at the next “Attentive
Otter” meeting.

  [12] https://trac.torproject.org/projects/tor/wiki/org/sponsors/Otter/Attentive
  [13] https://lists.torproject.org/pipermail/tor-dev/2013-October/005544.html
  [14] https://lists.torproject.org/pipermail/tor-dev/2013-October/005546.html
  [15] https://lists.torproject.org/pipermail/tor-dev/2013-October/005555.html

More monthly status reports for September 2013
----------------------------------------------

The wave of regular monthly reports from Tor project members continued
this week with submissions from George Kadianakis [16], Lunar [17],
Sathyanarayanan Gunasekaran [18], Ximin Luo [19], Matt Pagan [20], Pearl
Crescent [21], Colin C. [22], Arlo Breault [23], Karsten Loesing [24],
Jason Tsai [25], the Tor help desk [26], Sukhbir Singh [27], Nick
Mathewson [28], Mike Perry [29], Andrew Lewman [30], Aaron G [31], and
the Tails folks [32].

  [16] https://lists.torproject.org/pipermail/tor-reports/2013-October/000346.html
  [17] https://lists.torproject.org/pipermail/tor-reports/2013-October/000347.html
  [18] https://lists.torproject.org/pipermail/tor-reports/2013-October/000348.html
  [19] https://lists.torproject.org/pipermail/tor-reports/2013-October/000349.html
  [20] https://lists.torproject.org/pipermail/tor-reports/2013-October/000350.html
  [21] https://lists.torproject.org/pipermail/tor-reports/2013-October/000351.html
  [22] https://lists.torproject.org/pipermail/tor-reports/2013-October/000352.html
  [23] https://lists.torproject.org/pipermail/tor-reports/2013-October/000353.html
  [24] https://lists.torproject.org/pipermail/tor-reports/2013-October/000354.html
  [25] https://lists.torproject.org/pipermail/tor-reports/2013-October/000355.html
  [26] https://lists.torproject.org/pipermail/tor-reports/2013-October/000356.html
  [27] https://lists.torproject.org/pipermail/tor-reports/2013-October/000357.html
  [28] https://lists.torproject.org/pipermail/tor-reports/2013-October/000358.html
  [29] https://lists.torproject.org/pipermail/tor-reports/2013-October/000359.html
  [30] https://lists.torproject.org/pipermail/tor-reports/2013-October/000360.html
  [31] https://lists.torproject.org/pipermail/tor-reports/2013-October/000361.html
  [32] https://lists.torproject.org/pipermail/tor-reports/2013-October/000362.html

Tor Help Desk Roundup
---------------------

A number of users wanted to know if Tor was still safe to use given the
recent news that Tor users have been targeted by the NSA. We directed
these users to the Tor Project's official statement on the subject [33].

One of the most popular questions the help desk receives continues to be
whether or not Tor is available on iOS devices. Currently there is no
officially supported solution, although more than one project has been
presented [34, 35].

The United Kingdom is now one of the countries where citizens request
assistance circumventing a national firewall [36].

  [33] https://blog.torproject.org/blog/yes-we-know-about-guardian-article
  [34] https://lists.torproject.org/pipermail/tor-dev/2013-October/005542.html
  [35] https://trac.torproject.org/projects/tor/ticket/8933
  [36] https://lists.torproject.org/pipermail/tor-talk/2013-July/029054.html

Miscellaneous news
------------------

Thanks to Grozdan [37], Simon Gattner from Netzkonstrukt Berlin [38],
Wollomatic [39], and Haskell [40] for setting up new mirrors of the Tor
project website.

  [37] https://lists.torproject.org/pipermail/tor-mirrors/2013-September/000366.html
  [38] https://lists.torproject.org/pipermail/tor-mirrors/2013-September/000370.html
  [39] https://lists.torproject.org/pipermail/tor-mirrors/2013-October/000374.html
  [40] https://lists.torproject.org/pipermail/tor-mirrors/2013-October/000375.html

Arlo Breault sent out a request for comments on a possible new version
of the check.torproject.org page [41].

  [41] https://lists.torproject.org/pipermail/tor-talk/2013-October/030253.html

Runa Sandvik announced [42] that the Tor Stack Exchange page has moved
from private beta to public beta. If you'd like to help answer
Tor-related questions (or ask them), get involved now! [43]

  [42] https://lists.torproject.org/pipermail/tor-talk/2013-October/030269.html
  [43] http://tor.stackexchange.com/

Philipp Winter sent out a call for testing (and installation
instructions) for the ScrambleSuit pluggable transports protocol [44].

  [44] https://lists.torproject.org/pipermail/tor-talk/2013-October/030252.html

Not strictly Tor-related, but Mike Perry started an interesting
discussion [45] about the “web of trust” system, as found in OpenPGP.
The discussion was also held on the MonkeySphere mailing list, which
prompted Daniel Kahn Gilmor to reply with many clarifications regarding
the various properties and processes of the current implementation. To
sum it up, Ximin Luo started [46] a new documentation project [47] “to
describe and explain security issues relating to identity, in
(hopefully) simple and non-implementation-specific language”.

  [45] https://lists.torproject.org/pipermail/tor-talk/2013-September/030235.html
  [46] https://lists.riseup.net/www/arc/monkeysphere/2013-10/msg00000.html
  [47] https://github.com/infinity0/idsec/

The listmaster role has been better defined [48] and is now performed by
a team consisting of Andrew Lewman, Damian Johnson, and Karsten Loesing.
Thanks to them!

  [48] https://trac.torproject.org/projects/tor/wiki/org/operations/Infrastructure/lists.torproject.org

Roger Dingledine released an official statement on the Tor project
blog [49] regarding the takedown of the Silk Road hidden service and
the arrest of its alleged operator.

  [49] https://blog.torproject.org/blog/tor-and-silk-road-takedown

Fabio Pietrosanti asked [50] for reviews of “experimental Tor
performance tuning for a Tor2web node.” Feel free to have a look [51]
and provide feedback.

  [50] https://lists.torproject.org/pipermail/tor-talk/2013-October/030405.html
  [51] https://github.com/globaleaks/Tor2web-3.0/wiki/Performance-tuning

Claudiu-Vlad Ursache announced [52] the initial release of
CPAProxy [53], “a thin Objective-C wrapper around Tor”. This is the
first component of a project to “release a free open-source browser on
the App Store that uses this wrapper and Tor to anonymize requests.”
Claudiu-Vlad left several questions open, and solicited opinions on the
larger goal.

  [52] https://lists.torproject.org/pipermail/tor-dev/2013-October/005545.html
  [53] https://github.com/ursachec/CPAProxy

Upcoming events
---------------

Oct 09-10 | Andrew speaking at Secure Poland 2013
          | Warszawa, Poland
          | http://www.secure.edu.pl/
          |
Oct 11    | Kelley @ Journalist Training Event
          | Helsiniki, Finland
          | http://www.journalistiliitto.fi/jp13/
          |
Nov 04-05 | 20th ACM Conference on Computer and Communications Security
          | Berlin, Germany
          | http://www.sigsac.org/ccs/CCS2013/


This issue of Tor Weekly News has been assembled by Lunar, harmony,
dope457 and Matt Pagan.

Want to continue reading TWN? Please help us create this newsletter.  We
still need more volunteers to watch the Tor community and report
important news. Please see the project page [54], write down your name
and subscribe to the team mailing list [55] if you want to get involved!

  [54] https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
  [55] https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.torproject.org/pipermail/tor-news/attachments/20131009/fc0e7c5f/attachment.sig>


More information about the tor-news mailing list