[tor-reports] Griffin's May
Griffin Boyce
griffin at cryptolab.net
Mon Jun 1 16:03:53 UTC 2015
. '@(@@@@@@@)@. (@@) ` . '
. @@'((@@@@@@@@@@@)@@@@@)@@@@@@@)@
@@(@@@@@@@@@@))@@@@@@@@@@@@@@@@)@@` .
@.((@@@@@@@)(@@@@@@@@@@@@@@))@\@@@@@@@@@)@@@ .
(@@@@@@@@@@@@@@@@@@)@@@@@@@@@@@\\@@)@@@@@@@@)
(@@@@@@@@)@@@@@@@@@@@@@(@@@@@@@@//@@@@@@@@@) `
.@(@@@@)##&&&&&(@@@@@@@@)::_=(@\\@@@@)@@ . .'
@@`(@@)###&&&&&!!;;;;;;::-_=@@\\@)@`@.
` @@(@###&&&&!!;;;;;::-=_=@.@\\@@ '
` @.#####&&&!!;;;::=-_= .@ \\
####&&&!!;;::=_- `
###&&!!;;:-_=
##&&!;::_=
##&&!;:=
##&&!:- `.. `..
#&!;:- `. `.. `...
#&!;= `.. `.. ` `.. `.. `.. `..
#&!- `.. `.. `.. `.. `.. `.. `..
#&= `.. `. `..`.. `.. `...
jgs #&- `.. `..`.. `.. `..
\\#/' `.. `.. `.. `... `..
`/ `..
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
STORMY
Stormy has surpassed expectations in user testing, so it's nearly time
to release it [5]. I've been refining the Jabber and IRC onion service
setup flow this weekend in preparation for its security audit. Until it
passes an audit, I'm only willing to list it as for use by developers.
However, of course, the goal of the project is to make it easy for
journalists and writers and individuals to set up a secure onion service
without having to de-anonymize themselves by hiring a developer.
CODE && DESIGN
Cure53 has conducted a full audit of Cupcake and Flashproxy. The report
is here [1][2]. Special thanks to David Fifield for being very
responsive during the audit and the Open Tech Fund for funding and
coordinating the audit. The results were extremely positive,
particularly in light of the large number of Cupcake wrappers for
Flashproxy [2]. There were no real issues found, and auditors commented
on the excellent code quality. So that was surprising.
Once the initial results of the audit were received, I submitted Cupcake
for Firefox to the Mozilla add-ons site [3]. Review can take a while
[4].
Timelining ongoing work on Satori's guides, in-progress features,
tentative future plans, and trying to coordinate work across the
project. The design of Satori tends towards light and airy, but most of
the feedback I receive is to make it high contrast with a dark scheme.
I'm not sure how to reconcile these conflicting design notions, so
instead I'm just keeping it light. The flow so far seems to work well.
Relatedly, conducted further testing of GlitterBot to notify me of
software updates. The goal is to partially automate the process of
verifying signatures and updating the software that I re-distribute.
This would improve update response time. I would still need to
independently ensure that files and signatures match (which is naturally
already part of my workflow).
I've been sitting on some code for a standalone Tails ISO Verifier for
Chrome for a while now and may release it in late June. Though I might
experiment more with GPG signature verification first [6].
RESEARCH && WRITING
Wrote a paper on guard exhaustion attacks and mitigations and submitted
it to USENIX:FOCI.
Had a long discussion with a patent attorney on defensive patents and
open-source code as prior art. It was very illuminating; she gave great
advice.
Came up with an interesting way to (possibly) slow the Tor network via
onion services while in the shower. Looking at how to use Shadow to
simulate such an attack on a pretend network.
TRAVEL && OUTREACH
Visited New York to discuss issues around sexism, racism, and
discrimination in open source software development with a diverse set of
trainers and organizers.
Travelled to San Jose, CA for IEEE:W2SP, where Paul Syverson presented
our paper on onion services & web authentication. That was fun =)
PERSONAL
- Submitting an art proposal for the first time ever. Moderately
terrifying.
- Section 215 of the Patriot Act expired and I bought a bottle of my
favorite prosecco to celebrate. It was very fitting for my last night in
DC.
- I should take a vacation.
~Griffin
[1] http://github.com/glamrock/cupcake/security/audit1.pdf
[2] http://github.com/glamrock/cupcake
[3] https://addons.mozilla.org/en-us/firefox/addon/cupcakebridge/
[4] In all likelihood, Mozilla's review will take longer than the real
audit did.
[5] https://github.com/glamrock/stormy
[6] If anyone asks, I said nothing about javascript crypto functions.
## END OF TRANSMISSION ##
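The update-verification goal under CODE && DESIGN (checking that files and signatures match before redistributing software) hinges on a detail worth seeing in code: gpg exits 0 for a valid signature from any key in the keyring, so a checker that only looks at the exit code or at "Good signature" accepts anything a stray imported key signed. The check has to pin the expected signing key's fingerprint. What follows is an added example, not code from this report or from GlitterBot, Stormy or Satori. It assumes gpg is on PATH and that the trusted primary-key fingerprint is known out of band; the status output and fingerprints embedded for the offline demonstration are constructed, not captured from a real key.

```python
"""Decide whether a detached GnuPG signature was made by a pinned key.

Added example (not from the tor-reports post or any project it names).
Assumes: gpg on PATH, the signing key already imported into a keyring, and
the primary-key fingerprint to trust obtained out of band.
"""
import subprocess
from typing import Optional

# Status keywords (see GnuPG doc/DETAILS) that must fail verification
# regardless of anything else gpg printed.
_FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def _norm(fpr: str) -> str:
    """Canonical fingerprint form: no spaces, upper-case hex."""
    return fpr.replace(" ", "").upper()


def signer_fingerprint(status_output: str) -> Optional[str]:
    """Return the primary-key fingerprint from gpg's VALIDSIG line, or None.

    None means: no VALIDSIG line, or a fatal status line was present.
    VALIDSIG fields: <sig fpr> <date> <timestamp> <expire> <version>
    <reserved> <pk-algo> <hash-algo> <class> [<primary-key fpr>]
    """
    fpr = None
    for line in status_output.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        keyword = fields[1] if len(fields) > 1 else ""
        if keyword in _FATAL:
            return None
        if keyword == "VALIDSIG" and len(fields) >= 3:
            # Prefer the primary-key fingerprint (signing subkeys rotate);
            # fall back to the signing-key fingerprint if gpg omitted it.
            fpr = fields[11] if len(fields) >= 12 else fields[2]
    return _norm(fpr) if fpr else None


def is_trusted(status_output: str, pinned_fpr: str) -> bool:
    """True only if the signature verified AND the pinned key made it."""
    got = signer_fingerprint(status_output)
    return got is not None and got == _norm(pinned_fpr)


def verify_detached(sig_path: str, data_path: str, pinned_fpr: str,
                    keyring: Optional[str] = None) -> bool:
    """Run gpg --verify and judge by its status lines, not its exit code.

    --status-fd 1 sends machine-readable status to stdout; human-readable
    text stays on stderr. A dedicated keyring avoids picking up whatever
    else happens to be in the default one.
    """
    cmd = ["gpg", "--batch", "--status-fd", "1"]
    if keyring:
        cmd += ["--no-default-keyring", "--keyring", keyring]
    cmd += ["--verify", sig_path, data_path]
    proc = subprocess.run(cmd, stdout=subprocess.PIPE,
                          stderr=subprocess.PIPE, text=True)
    return is_trusted(proc.stdout, pinned_fpr)


# Constructed sample status output for offline use (not a real gpg run);
# every fingerprint and key id below is made up.
PINNED_FPR = "FFEE DDCC BBAA 9988 7766  5544 3322 1100 FFEE DDCC"
SAMPLE_GOOD = """[GNUPG:] NEWSIG
[GNUPG:] SIG_ID zzzzzzzzzzzzzzzzzzzzzzzzzzz 2015-05-31 1433116800
[GNUPG:] GOODSIG 33221100FFEEDDCC Example Signer <signer@example.invalid>
[GNUPG:] VALIDSIG 00112233445566778899AABBCCDDEEFF00112233 2015-05-31 1433116800 0 4 0 1 10 00 FFEEDDCCBBAA99887766554433221100FFEEDDCC
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
# Same shape, but signed by some other key that is also in the keyring:
# gpg would still exit 0 and print "Good signature" for this one.
SAMPLE_OTHER_KEY = SAMPLE_GOOD.replace(
    "FFEEDDCCBBAA99887766554433221100FFEEDDCC", "A" * 40)
SAMPLE_BAD = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 33221100FFEEDDCC Example Signer <signer@example.invalid>
"""

if __name__ == "__main__":
    for name, sample in (("pinned key", SAMPLE_GOOD),
                         ("other key", SAMPLE_OTHER_KEY),
                         ("bad signature", SAMPLE_BAD)):
        print(f"{name:14s} trusted={is_trusted(sample, PINNED_FPR)}")
```

The point of the three samples is the middle one: a signature that gpg reports as good, made by a key that is simply not the one the redistributor meant to trust. Checking the VALIDSIG fingerprint against the pinned value is what turns "some key signed this" into "the right key signed this".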