tor-project July 2016

tor-project@lists.torproject.org

37 participants
23 discussions

Notes from July 21 2016 Vegas team meeting
by Karsten Loesing 25 Jul '16

25 Jul '16

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 See this posting for context: https://lists.torproject.org/pipermail/tor-project/2016-April/000223.html Notes for July 21 2016 meeting: Alison: 1) I'm on "vacation" from 23-28 July which just means that my wifi might be intermittent 2) building the community team: doing outreach to activists, particularly women and people of color Georg: 1) Attended PETS and talked with a bunch of people about current and future projects Shari: 1) investigation is complete; press release probably tomorrow 2) TorDev invitations going out today (name TorDev?) Karsten: 1) Published a new graph showing bridge users by country and transports which dgoulet is going to present at HOPE. 2) Made good progress cleaning up codebases together with iwakeh. We're very close to zero checkstyle issues in all Java codebases. 3) Wrote down some milestones for an SOW for the MOSS award which Cass, Isabela, iwakeh, and I should finalize until end of week. -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQEcBAEBAgAGBQJXlgOYAAoJEC3ESO/4X7XB0pEH/2Psp9IIJQzcNgNkLC51np7+ a+oTa3MxwUmXWxoH2J9RLyWU3tz/li2moUMUngJGf80yLeCBZXizrJID9PLfzd2R sGbGzygLGdpUTJwYj+Z4ZTkZmKeIwK0LmYIt0Cj/eBhvszyT3AtANGGuEapddUjG ootSiKSScJ4IK/R5pRez5ZZbWsTPOv46apJ0lZg1N0yOMq5/DCmogqZy+vOTZM4A Ey9RxHPsjtQFucYK0z9qqYxMOStiXmQe3wmtAeeMwktD+gdjYy3+wqo+e0Cm/kRi o/u/9/TKi+SV+4QVihkOPqrt8rWYiTR9z6kyNidbrdLt+8kmqy8RJaYfW6/IN1A= =C2w8 -----END PGP SIGNATURE-----

1 0

Who is attending the OTF summit?
by Roger Dingledine 23 Jul '16

23 Jul '16

Who here is going to the OTF summit? I hear it is mid October in Baltimore. I spoke to Dan Meredith today about whether I should go -- last year he was really sad that I wasn't there, and I told him I wasn't invited, and he declared I was always invited to everything, so I reminded him about it today. I know they're very limited in space. I figure step zero is to learn who else here is already signed up, so I can figure out how important it is for me to be there. (And if for some reason you aren't comfortable answering on-list, you can always answer me off-list.) Woo, --Roger

3 2

Notes from July 14 2016 Vegas team meeting
by Karsten Loesing 18 Jul '16

18 Jul '16

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 See this posting for context: https://lists.torproject.org/pipermail/tor-project/2016-April/000223.html Notes for July 14 2016 meeting: Nick: 1) "Oh look at all this free time I have now that I'm not on the board!" ha ha ha 2) When does the next TB with 028 come out? Georg: 1) Would other projects that want to include Tor Browser need to become licensees? If so under which circumstances (#19652 is the background here)? <- arma will comment on that ticket to move things forward Shari: 1) Could we approve the TorDev invitee list so I can move things forward and start to invite people? 2) Transitioning the new board. 3) Rolling out insurance for organization and individuals. 4) Working with community team to prepare for HOPE, and sharing what I know with community council as they face their first challenge re: community membership. 5) Preparing to announce the conclusion of the investigation next week. NYTimes and Gizmodo are both interested in covering the announcement. 6) Hopefully things will start to calm down after next week's announcement. Isabela: 1) re: services maintainers - me, karsten and tor admin team helped cass put together a proposal for fund to get someone to help out with this 2) getting on drl q2 report 3) 97% coverage of resumes for DRL visit in August 4) with alison, shari and erin help we have a doc for some funders who asked an update on what we are doing to make tor diverse/inclusive/harassment-free community (not sure if this should be private) Kate: 1) Media and social media for board transition, including communicating with and prepping outgoing and incoming boards (all of whom have been fantastic and gracious to work with) 2) House-Senate appropriations issues problems re: language mandating restrictions regarding privacy tool funding by the Broadcasting Board of Governors 3) Clips for grant report, in conjunction with excellent volunteer David Stanton 4) Will be at HOPE so not online as normal; will check email and be available by phone 5) Paperwork and various tech problems (solved eventually) Roger: 0) spent this week doing sponsorR meetings 1) state dept funding bill: strategy suggestion 2) seattle mtg attendees 3) would you like to ask questions about the director thing 4) some exciting new onion addresses for high profile websites on the way Karsten: 1) Wrote proposal to get services admin together with Isabela and Cass. -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQEcBAEBAgAGBQJXjH6EAAoJEC3ESO/4X7XB+fQIALmGcd7jr/M2jTefs567ZyOB okoD5gblIyW11TzGxCY4P3AXM889DmNVIR+J+HarNt8qIst/pB5A6zMvzdUZH+Nd uazxS2/uyf85sdlPZFzhn8/Fbgt3fygbrRhEEYZO/p6TrOJDAGAlojHf2rK0kK7l /zcxEjNyk5pF9qGltGczgkSVRP80Qp43EwMMjKkyIx7K2KK7w0sRzCwrJMs4NIxr t+DxEP/4065G2Gm4nWO4qpeqA7UAQoWhVqXropU81OtLz/MR11kf0KUCzrxEn3TX idSM0I+cjXA/m8Ba6tOQ00m3KF8a1P9l/Sbx4ToH8SC+78Hyu7W79eeQIryTg+g= =W8Vk -----END PGP SIGNATURE-----

1 0

Privacy-enhancing vs Transparency-enhancing
by Virgil Griffith 17 Jul '16

17 Jul '16

I recently had the pleasure of receiving some OnionLink related phone calls from the Singapore Police Force. They were very polite and had noticeably impeccable English. I learned some things from these discussions. In Asia, the noun-phrase "Privacy Enhancing Technologies" is viewed with suspicion. But you frame the exact same thing as a "Transparency Enhancing Technology", and they're all about that! E.g., whistleblowing isn't seen as privacy enhancing for the individual, but as transparency enhancing for the society! Taking a step back, this may be an instance of the individualist vs collectivist default frame of reference in Western vs Eastern societies. I mention this as an example for how Tor can better survive, and perhaps even gain cultural traction, in Asia. -V

2 3

Breaking news! New Tor board
by Kate Krauss 13 Jul '16

13 Jul '16

Hi, The Tor board of directors has decided to pass the baton to a new group. Here is the blog post: https://blog.torproject.org/blog/tor-project-elects-new-board%C2%A0-directo… The board statement was written by the outgoing board. The blog post is posted by me because it's also basically our press release. The New York Times has covered the development, via a very fast-moving set of interactions with the reporter. Here's the result: http://www.nytimes.com/2016/07/14/technology/tor-project-a-digital-privacy-… We are asking the reporter to add in Megan Price (the newest of the new board members). Sincerely, Katie -- Kate Krauss Director of Communications and Public Policy kate(a)torproject.org @TorProject 1-718-864-6647 (works for Signal also) PGP: CC0D 9B42 DE89 D4D0 619B A606 DDEB 3937 7D18 973B

1 0

Save the date: Berlin meetup Sep 9 - Sep 11
by Georg Koppen 13 Jul '16

13 Jul '16

Hi, it seems we have a winner for the proposed Berlin meetup later this year: September 9 - September 11. While not everybody can attend all days this is the weekend where everybody can attend at least one day. I am about to send further information to the tor-meeting list. If you are not subscribed to it yet, now would be a good time I guess. :) Georg

6 10

Torproject Github Account
by Nima Fatemi 11 Jul '16

11 Jul '16

Someone pointed on IRC that there's an unofficial torproject account on github[1]. And that they're serving a fork of tor[2] and even binaries[3]! Now I didn't run any tests to see if they're serving the same exact code or binaries as our official git and website, but even if they do mirror the official repo character by character, it's still concerning. I hope that we know who controls the account, and that we can add a disclaimer of some sort on there. Since apparently "unofficial repo" doesnt seem to be sufficient. And if not, can we try to contact github and claim the account? [1] https://github.com/torproject/ [2] https://github.com/torproject/tor [3] https://github.com/torproject/tor/releases Best, -- Nima 0X58C4B928A3E218F6 | @mrphs "I disapprove of what you say, but I will defend to the death your right to say it" --Evelyn Beatrice Hall

1 0

Notes from July 7 2016 Vegas team meeting
by Karsten Loesing 11 Jul '16

11 Jul '16

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 See this posting for context: https://lists.torproject.org/pipermail/tor-project/2016-April/000223.html Notes for June 30 2016 meeting: Kate: 1) Helping with board-related stuff 2) Responding to media queries 3) Re-writing nontechnical blog posts to be actually nontechnical (with love and affection; they are awesome) 4) Is Congress targeting our funding via the State Department? Wondering if this is a response to the failed Feinstein-Burr bill. https://www.techdirt.com/articles/20160701/18073734878/senate-funding-bill-… (will learn more soon and post something on Tor Internal) - From Politico: ENCRYPTION CONCERNS MOVE TO A NEW BILL — The “going dark” debate has crept into the State Department’s global internet freedom agenda. The fiscal 2017 State-Foreign Ops spending bill approved by the Senate Appropriations panel this week requires State to detail safeguards to keep any spending under the program on “circumvention technology” (which includes encryption) from being used “for illicit purposes, such as coordinating terrorist activities or online sexual exploitation of children.” The bill language mirrors provisions in the House version of the legislation, which that chamber’s Appropriations Committee hasn’t yet approved. Both bills also continue a ban that began in fiscal 2016 on using State or USAID money to establish outside email servers, a swipe at former Secretary of State Hillary Clinton, now the presumptive Democratic presidential nominee. Read more: http://www.politico.com/tipsheets/morning-cybersecurity/2016/07/still-more-… Isabela: 1) Submitted last week the grant we worked with Cass for orfox / tor browser for android 17.7k/6months 2) lots of DRL work (Q2 reports, M&E.. F-indicators organizing... collecting docs for audit) Karsten: 1) Busy coding and reviewing on various metrics-related codebases together with iwakeh. Putting out metrics-lib 1.3.0 this week. Nick: 1) busy as heck with tor stuff 2) at PETS the week after next (17July through 24July). 3) let's make sure we get Seattle meeting right. 4) here comes a new tor release Shari: 1) Seattle TorDev meeting invitees 2) community and corp working together 3) employee stuff 4) board update -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQEcBAEBAgAGBQJXg3TXAAoJEC3ESO/4X7XBqiAH/1x+htZhspeQ7I+wVep9TkdK 9b26mc9zCB2ErKYMi+5L5TIVFS7PoGka6curEK2BzVN6aFA7gwVicOQnTUti+0T8 1Gzp05pRS6tXUsePqqNG//IbL2OcbM3LNZ3408ReJ4a+s/+/8RzsEzIXaOZO4WNm qfS28k54X4JP9RktU7/g81l6Ao/xqH3m3Lk62FB+07F1y0Z1knr5qf69ArNPGKEf FdrUCTJ/tDVQ9jYgmpFdlVFXyjnyBQzaHjhiQGCwJX+RVtaSvAjcKRZHcrkYjiBo 0TzzGU92ScKJKJeUSueFdYUUfRAwk6gHgat5hCywYw4F1JXS+5+sBuWU8xWWeMY= =rezc -----END PGP SIGNATURE-----

1 0

Notes from June 30 2016 Vegas team meeting
by Karsten Loesing 04 Jul '16

04 Jul '16

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 See this posting for context: https://lists.torproject.org/pipermail/tor-project/2016-April/000223.html Notes for June 30 2016 meeting: Georg: 1) How to route money from Mozilla's bug bounty program to Tor? As a donation? As "normal" wire transfer? 2) Moved forward with the Berlin meetup idea 3) Helped a bit with the ISC proposal Kate: 1) Posting blog post about Serene; answering media inquiries about our tech; planning newsletter. 2) CRS has published a report on Rule 41 Nick: 1) Trying to deal with software stuff. That seems to be going well. 2) Not much happening. No need to check in much. Karsten: 1a) MOSS award: does it start on July 1? Isabela and Shari say yes. 1b) do we know when the paperwork will get signed? Isabela expects paper work to start soon. 1c) and most importantly can we have sponsor letter X? Yes, already assigned X. Alison: 1) Community team continues to work on the support manual and have just started work on an attached glossary. We want to get in touch with the folks who made the amazing Twitter support desk and get all their secrets, because Twitter support is amazing. 2) social contract is really nearly done! getting feedback on the preamble/blog text now. soon we'll have to talk about ratifying the thing, and where it will live. 3) membership guidelines are next... 4) a few of us came up with some text for the folks speaking at HOPE to say before their talk, gently acknowledging the elephant in the room, and directing folks to talk about said elephant in a moderated space at another part of the conference. 5) Alison is speaking all over the UK in the next two weeks (London, Brighton, Glasgow) including a Tor talk at the British Library!!!! Isabela: 1) Worked on mobile tor browser proposal to ISC - will submit today after this meeting 2) We have a designer! who simply secure hired and is paying to do our brand guideline - he did mozilla's and has a good track record doing design work. Phil (from ux team) will be reviewing his work. I will send a letter introducing him to tor-project. I was wondering if I could extend the europe pre dev meeting gathering to Elio, Ame and Phil -- they are all in europe and are working with UX team and I hope they will do more projects with us beyond the guidelines. Would be great for them to mingle and meet more tor ppl and for tor ppl to tell them what needs we have. 3) Worked on organizing tasks with the core tor team 4) Hoping to get DRL reports done 5) SIDA is moving and we have a deadline (August 1st) yay! Shari: 1) board meeting today 2) dealing with some personnel issues 3) good news: we received the promise of a grant of $250k from the Media Democracy Fund for general operating expenses -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQEcBAEBAgAGBQJXemqFAAoJEC3ESO/4X7XBqYgH/0qx10XyPLD7PNfDz6H1iPu2 3Nh9twpIbw200HFmAPmYdIIkrPPm4yOmbSrH1SijEmO6U2w1VN0hVjoqZ8bzIPgO FshyNqNJFAD5T1UeMZ6W/rbaHRZVJ4srkD32oyTr0SIYoFad/adewdFKicEJfvPM NxiCaTTva7zpY3bXXid00B3FquV/LkYaZGwdSZjeIK1o3wiNHnZSSkxECUa+cI5S EZ5378HMropMOYjZ6b3nUAs5XY9X54UIfd3TUrPuWOhAJMHdBV0NIq7IGsnaAPLv acd1wfS6IDS8hkUAQI4tQBDPsKmQZ9V8YoOYDJYSVOQSFJx8FH0ohNQvuShdS2s= =Iqk4 -----END PGP SIGNATURE-----

1 0

(FWD) Plan for dropping urras: starts with dizum, Faravahar, dannenberg
by Roger Dingledine 03 Jul '16

03 Jul '16

Fyi for those wondering about the logistics of rotating directory authorities (and why it is more complicated and more fragile than you may have expected :). --Roger ----- Forwarded message from Roger Dingledine <arma(a)mit.edu> ----- Date: Fri, 1 Jul 2016 13:31:46 -0400 From: Roger Dingledine <arma(a)mit.edu> To: dir-auth(a)lists.torproject.org Subject: Plan for dropping urras: starts with dizum, Faravahar, dannenberg -------------------------------------------------------------------------- We're going to do this in three phases. PHASE ONE: a) dizum, Faravahar, and dannenberg all drop urras from their DirServers lines. There's no need to synchronize here -- just do it as soon as you get around to it, and let us know that you did. PHASE TWO: once all of phase one is done, then moria1, gabelmoo, and longclaw will do a coordinated switch in the same hour. PHASE THREE: maatuska and tor26 will switch whenever they like after that. -------------------------------------------------------------------------- Here are all the details so you can follow along with why I think this will work, and how it can go wrong. Constraint 1: We have nine dir auths currently, and we need five of them to agree in order to get a consensus. Constraint 2: Five of the nine have attached bandwidth authorities, and we need three bwauths to be part of the consensus at all times. Constraint 3: Five of them vote on BadExit, and we need at least one of them in the consensus or we unassign all the BadExit flags. An odd number of voters (one or three) is better than an even number (two). Constraint 4: Three of them vote about recommended versions, and we need at least one of them in the consensus. Constraint 5: Each authority supports a range of consensus methods depending on what Tor version it runs. When constructing a consensus, the authorities choose the largest consensus method supported by more than 2/3 of the voting authorities for that hour. Now that dizum has upgraded to Tor 0.2.8.x, we'll have 9 authorities that can do method 20 and 4 authorities that can do method 22, which means we'll pick method 20 so long as there are at least 6 authorities voting. We should make sure that nobody else upgrades to Tor 0.2.8.x until we've finished, else we could fall into an edge case where we have enough that we pick method 22, but not enough to get five signatures on the resulting consensus. Constraint 6: Tor versions before 0.2.8.1-alpha don't believe in dannenberg's current v3 identity key, and Tor versions before 0.2.4.26 or 0.2.5.11 don't believe in longclaw at all. The dannenberg issue can be solved by having dannenberg resume voting with its legacy v3 identity key (I don't know why it stopped -- maybe it never started?), and the longclaw issue can be solved by declaring that versions that old don't matter to us. With that in mind, here are our nine dir auths, with their properties, grouped into the three phases: dizum no-bwauth method22 faravahar BWauth method20 dannenberg no-bwauth method20 only-believed-by-0.2.8 moria1 BWauth BadExit recommends-versions method22 gabelmoo BWauth BadExit recommends-versions method22 longclaw BWauth BadExit method20 maatuska BWauth BadExit method20 tor26 no-bwauth BadExit recommends-versions method22 urras no-bwauth method21 So once phase one is complete, we should still have six dir auths voting, including four bwauths and five badexit voters and two recommends-versions, and using consensus method 20. Once phase two is complete, we should have six dir auths voting, including four bwauths and three badexit voters and two recommends-versions, and using consensus method 20. The end of phase two will be the most delicate point, since most deployed Tors don't believe in dannenberg's new key, so while we will have six dir auths voting, most clients will consider the resulting consensus to have only five signatures -- so if anybody drops out we will not have enough signatures. Once phase three is complete, we should have eight dir auths voting, including five bwauths and five badexit voters and three recommends-versions, and still using consensus method 20. Whew. Let me know if any of my logic is bad. --Roger ----- End forwarded message -----

1 1

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

tor-project July 2016