Considering how closely we work with Mozilla, I suspect this program is
no surprise, but nonetheless forwarding it along since it could very
well benefit some of our sub-projects.
Cheers! -Damian
---------- Forwarded message ----------
From: Slashdot: manishs <atagar2(a)gmail.com>
Date: Fri, Jun 10, 2016 at 7:45 AM
Subject: Mozilla Will Fund Code Audits For Open Source Software
To: atagar1(a)gmail.com
Reader Orome1 writes: The Mozilla Foundation has set up the Secure
Open Source (SOS) Fund, whose aim is to help open source software
projects rid their code of vulnerabilities. Projects that want
Mozilla's help must be open source/free software and must be actively
maintained, but they have a much better probability of being chosen if
their software is commonly used and is vital to the continued
functioning of the Internet or the Web. Three open source projects --
PCRE, libjpeg-turbo, and phpMyAdmin -- have already gone through the
process, and the result was removal of 43 vulnerabilities (including
one critical).
[Read more of this
story](https://news.slashdot.org/story/16/06/10/1418216/mozilla-will-fund-c…
at Slashdot.
Hello gentle people!
I am looking over the machines that tor is paying for, and two of them
are the 1984 machines that we have labelled only as crm and
ubuntu1404lts-persona. I think they may have been created at one point
by Andrew.
Does anybody know who might be using these machines?
If you have an idea, please let us know.
If one of them is your machine, or at one point was, please let us know
if it is still useful and we should keep it around. (And please briefly
describe what it is being used for.)
If I don't hear anything, and nobody objects either, I will stop having
them auto-renewed, i.e., I will decommission them.
Thanks.
--
| .''`. ** Debian **
Peter Palfrader | : :' : The universal
https://www.palfrader.org/ | `. `' Operating System
| `- https://www.debian.org/
See this posting for context:
https://lists.torproject.org/pipermail/tor-project/2016-April/000223.html
Notes for June 2 2016 meeting:
Alison:
1) status of community documents
2) still working on SIDA proposal with Isa
Mike:
1) Postponed my vacation for another week or so to help with community
issues. I'll be quietly working on my phone prototype in the meantime.
2) Will be attending a panel on the Decentralized Web next week. Then
maybe vacation? Unclear.
Shari:
1) Erin the new HR person starts on Monday, so I'll need help from
various folks to get her set up.
2) Board meeting recap.
Nick:
1) Changed addresses on many online accounts. Make sure everybody in
the office knows how not to get phished.
Karsten:
1) Released DescripTor 1.2.0 containing a complete rewrite of docs
into Javadocs.
2) Finished metrics proposal together with Cass, Isabela, iwakeh, and
Shari.
Kate:
1) It's important that Tor people talking to the media about Tor touch
base with me prior to interviews so that I can help them with media
training (if needed), discuss the reporter with them, etc. I need to
understand which reporters are covering which topics. This is an
evergreen request and also a longstanding policy.
Georg:
1) Tor Browser 6.0 is out \o/
Isabela:
1) network team - working on next release [make it smaller]
2) OTF - reply to their questions [also pinged Sue on invoices we
should be doing will ping her again is $ to come in ;)]
3) DRL- preparing F-indicators and extension letter
Someone pointed out the Hewlett Foundation grants to me:
http://hewlett.org/blog/posts/refining-our-cyber-initiative-grantmaking-str…
http://hewlett.org/sites/default/files/Cyber%20Initative%20Refined%20Grantm…
It does not seem that they have 'open' grant applications, but they
fund in the hundreds-of-thousands of dollars range to orgs like
Berkman, New America, CDT, and a bunch of universities - so it seems
worthwhile to think about and see if Tor could put in a proposal...?
The goals for their grants are:
- Building Capacity of Civil Society Orgs
- Building Capacity of Individual Decision-Makers and Influencers
- Building a Robust Network of Cybersecurity Experts
- Generating Policy Driven Research and Thought Leadership
- Cofunding
It's not a slam dunk for the main sort of work Tor does, but it seems
like it may fit OONI quite well or could be a vehicle for sponsorship
of devs to attend things like Open Web Summits.
-tom
Lynn Tsai and I, with the help of others, have been measuring how long
it takes for Tor Browser's default bridges to be blocked.
https://arxiv.org/abs/1605.08808 (click "PDF")
Abstract:
Censors of the Internet must continually discover and block new
circumvention proxy servers. We seek to understand the pace of
this process, specifically, the length of the delay between when
a proxy becomes potentially discoverable and when the censor
blocks it. We measure this delay by testing the reachability of
previously unseen Tor bridges, before and after their
introduction into Tor Browser, from sites in the U.S., China,
and Iran, over a period of five months. We find that China's
national firewall blocks these new bridges, but only after a
varying delay of between 2 and 18 days, and that blocking occurs
only after a user-ready software release, despite bridges being
available earlier in source code. While the firewall notices new
bridges in Tor Browser, bridges that appear only in Orbot, a
version of Tor for mobile devices, remain unblocked. This work
highlights the fact that censors can behave in unintuitive ways,
which presents difficulties for threat modeling but also
opportunities for evasion.
The best summaries are on pages 4 and 5, which show in graphical/tabular
form the dates of releases and how long the bridges remained reachable
after. We would appreciate any comments or corrections. In particular,
the description of the Tor Browser release process could stand some
fact-checking by a Tor Browser developer.