Delivery-Date: Wed, 30 Jul 2014 10:12:15 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.3 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
	RP_MATCHES_RCVD,UNPARSEABLE_RELAY,URIBL_RHS_DOB autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id 766E31E04AD;
	Wed, 30 Jul 2014 10:12:13 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id DE39B30956;
	Wed, 30 Jul 2014 14:12:09 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id 870A33092E;
 Wed, 30 Jul 2014 14:12:06 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at eugeni.torproject.org
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id b2OwholNqB1m; Wed, 30 Jul 2014 14:12:06 +0000 (UTC)
Received: from mail.potager.org (quatre.potager.org [91.194.60.100])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "*.potager.org",
 Issuer "StartCom Class 2 Primary Intermediate Server CA" (not verified))
 by eugeni.torproject.org (Postfix) with ESMTPS id 3427B308BC;
 Wed, 30 Jul 2014 14:12:06 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1]) with ESMTPSA id 6CEE9C2B90B
Date: Wed, 30 Jul 2014 16:11:58 +0200
From: Lunar <lunar@torproject.org>
To: tor-news@lists.torproject.org, tor-talk@lists.torproject.org
Message-ID: <20140730141158.GE21746@loar>
Mail-Followup-To: tor-news@lists.torproject.org, tor-talk@lists.torproject.org
MIME-Version: 1.0
User-Agent: Mutt/1.5.23 (2014-03-12)
Subject: [tor-talk] =?utf-8?q?Tor_Weekly_News_=E2=80=94_July_30th=2C_2014?=
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: multipart/mixed; boundary="===============2428002973333003517=="
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>


--===============2428002973333003517==
Content-Type: multipart/signed; micalg=pgp-sha256;
	protocol="application/pgp-signature"; boundary="WK3l2KTTmXPVedZ6"
Content-Disposition: inline


--WK3l2KTTmXPVedZ6
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
Tor Weekly News                                          July 30th, 2014
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Welcome to the thirtieth issue of Tor Weekly News in 2014, the weekly
newsletter that covers what is happening in the Tor community.

Tor Browser 3.6.3 is out
------------------------

A new pointfix release for the 3.6 series of the Tor Browser is out=C2=A0[1=
].
Most components have been updated and a couple of small issues fixed.
Details are available in the release announcement.

The release fixes import security updates=C2=A0[2] from Firefox. Be sure to
upgrade=C2=A0[3]! Users of the experimental meek=C2=A0[4] bundles have not =
been
forgotten=C2=A0[5].

   [1]:=C2=A0https://blog.torproject.org/blog/tor-browser-363-released
   [2]:=C2=A0https://www.mozilla.org/security/known-vulnerabilities/firefox=
ESR.html#firefox24.7
   [3]:=C2=A0https://www.torproject.org/download/download-easy.html
   [4]:=C2=A0https://trac.torproject.org/projects/tor/wiki/doc/meek
   [5]:=C2=A0https://people.torproject.org/~dcf/pt-bundle/3.6.3-meek-1/

New Tor stable and alpha releases
---------------------------------

Two new releases of Tor are out. The new 0.2.5.6-alpha release=C2=A0[6]
=E2=80=9Cbrings us a big step closer to slowing down the risk from guard
rotation, and fixes a variety of other issues to get us closer to a
release candidate=E2=80=9D.

Once directory authorities have upgraded, they will =E2=80=9Cassign the Gua=
rd
flag to the fastest 25% of the network=E2=80=9D. Some experiments showed th=
at
=E2=80=9Cfor the current network, this results in about 1100 guards, down f=
rom
2500.=E2=80=9D

The complementary change to moving the number of entry guards down to
one=C2=A0[7] is the introduction of two new consensus parameters.
NumEntryGuards and NumDirectoryGuards will respectively set the number
of entry guards and directory guards that clients will use. The default
for NumEntryGuards is currently three, but this will allow a reversible
switch to one in a near future.

Several important fixes have been backported to the stable branch in the
0.2.4.23 release=C2=A0[8]. Source packages are available at the regular
location=C2=A0[9]. Binary packages have already landed in Debian=C2=A0[10,1=
1] and
the rest should follow shortly.

   [6]:=C2=A0https://lists.torproject.org/pipermail/tor-talk/2014-July/0341=
80.html
   [7]:=C2=A0https://gitweb.torproject.org/torspec.git/blob_plain/HEAD:/pro=
posals/236-single-guard-node.txt
   [8]: https://lists.torproject.org/pipermail/tor-announce/2014-July/00009=
3.html
   [9]:=C2=A0https://www.torproject.org/dist/
  [10]:=C2=A0https://tracker.debian.org/news/560607
  [11]:=C2=A0https://tracker.debian.org/news/560611

Security issue in Tails 1.1 and earlier
---------------------------------------

Several vulnerabilities have been discovered in I2P which is shipped in
Tails 1.1 and earlier=C2=A0[12]. I2P=C2=A0[13] is an anonymous overlay netw=
ork
with many similarities to Tor. There was quite some confusion around the
disclosure process of this vulnerability. Readers are encouraged to read
what the Tails team has written about it=C2=A0[14].

Starting I2P in Tails normally requires a click on the relevant menu
entry. Once started, the security issues can lead to the deanonymization
of a Tails user who visits a malicious web page. As a matter of
precaution, the Tails team recommends removing the =E2=80=9Ci2p=E2=80=9D pa=
ckage each
time Tails is started.

I2P has fixed the issue in version 0.9.14=C2=A0[15]. It is likely to be
included in the next Tails release, but the team is also discussing=C2=A0[1=
6]
implementing more in-depth protections that would be required in order
to keep I2P in Tails.

  [12]:=C2=A0https://tails.boum.org/security/Security_hole_in_I2P_0.9.13/
  [13]:=C2=A0https://geti2p.net/
  [14]:=C2=A0https://tails.boum.org/news/On_0days_exploits_and_disclosure/
  [15]:=C2=A0https://geti2p.net/en/blog/post/2014/07/26/0.9.14-Release
  [16]:=C2=A0https://mailman.boum.org/pipermail/tails-dev/2014-July/006459.=
html

Reporting bad relays
--------------------

=E2=80=9CBad=E2=80=9D relays are malicious, misconfigured, or otherwise bro=
ken Tor
relays. As anyone is free to volunteer bandwidth and processing power to
spin up a new relay, users can encounter such bad relays once in a
while. Getting them out of everyone=E2=80=99s circuits is thus important.

Damian Johnson and Philipp Winter have been working on improving and
documenting=C2=A0[17] the process of reporting bad relays. =E2=80=9CWhile w=
e do
regularly scan the network for bad relays, we are also dependent on the
wider community to help us spot relays which don=E2=80=99t act as they shou=
ld=E2=80=9D
wrote=C2=A0[18] Philipp.

When observing unusual behaviors, one way to learn about the current
exit relay before reporting it is to use the Check=C2=A0[19] service. This
method can be inaccurate and tends to be a little bit cumbersome. The
good news is that Arthur Edelstein is busy integrating=C2=A0[20] more
feedback on Tor circuits being used directly into the Tor Browser.

  [17]:=C2=A0https://trac.torproject.org/projects/tor/wiki/doc/ReportingBad=
Relays
  [18]:=C2=A0https://blog.torproject.org/blog/how-report-bad-relays
  [19]:=C2=A0https://check.torproject.org/
  [20]:=C2=A0https://trac.torproject.org/projects/tor/ticket/8641#comment:12

Miscellaneous news
------------------

The Tor Project, Inc. has completed its standard financial audit for the
year 2013=C2=A0[21]. IRS Form 990=C2=A0[22], Massachusetts Form PC=C2=A0[23=
], and the
Financial Statements=C2=A0[24] are now available for anyone to review.
Andrew Lewman explained: =E2=80=9Cwe publish all of our related tax documen=
ts
because we believe in transparency. All US non-profit organizations are
required by law to make their tax filings available to the public on
request by US citizens. We want to make them available for all.=E2=80=9D

  [21]:=C2=A0https://blog.torproject.org/blog/transparency-openness-and-our=
-2013-financials
  [22]:=C2=A0https://www.torproject.org/about/findoc/2013-TorProject-Form99=
0.pdf
  [23]:=C2=A0https://www.torproject.org/about/findoc/2013-TorProject-FormPC=
=2Epdf
  [24]:=C2=A0https://www.torproject.org/about/findoc/2013-TorProject-Financ=
ialStatements.pdf

CJ announced=C2=A0[25] the release of orWall=C2=A0[26] (previously named
Torrific), a new Android application that =E2=80=9Cwill force applications
selected through Orbot while preventing unchecked applications to have
network access=E2=80=9D.

  [25]:=C2=A0https://lists.torproject.org/pipermail/tor-talk/2014-July/0340=
06.html
  [26]:=C2=A0https://orwall.org/

The Thali project=C2=A0[27] aims to use hidden services to host web content.
As part of the effort, they have written a cross-platform Java
library=C2=A0[28]. =E2=80=9CThe code handles running the binary, configurin=
g it,
managing it, starting a hidden service, etc.=E2=80=9D wrote=C2=A0[29] Yaron=
 Goland.

  [27]:=C2=A0http://www.thaliproject.org/mediawiki/index.php?title=3DMain_P=
age
  [28]:=C2=A0https://github.com/thaliproject/Tor_Onion_Proxy_Library
  [29]:=C2=A0https://lists.torproject.org/pipermail/tor-talk/2014-July/0340=
46.html

Gareth Owen released=C2=A0[30] a Java-based Tor research framework=C2=A0[31=
]. The
goal is to enable researchers to try things out without having to deal
with the full tor source. =E2=80=9CAt present, it is a fully functional cli=
ent
with a number of examples for hidden services and SOCKS. You can build
arbitrary circuits, build streams, send junk cells, etc.=E2=80=9D wrote Gar=
eth.

  [30]:=C2=A0https://lists.torproject.org/pipermail/tor-dev/2014-July/00723=
2.html
  [31]:=C2=A0https://github.com/drgowen/tor-research-framework

Version 0.2.3 of BridgeDB=C2=A0[32] has been deployed. Among other
changes=C2=A0[33], owners of riseup.net email accounts can now request
bridges through email=C2=A0[34].

  [32]:=C2=A0https://bridges.torproject.org/
  [33]:=C2=A0https://gitweb.torproject.org/bridgedb.git/blob/2a6d5463:/CHAN=
GELOG
  [34]:=C2=A0https://bugs.torproject.org/11139#comment:15

The first candidate for Orbot 14.0.5 has been released. =E2=80=9CThis update
includes improved management of the background processes, the ability to
easily change the local SOCKS port (to avoid conflicts on some Samsung
Galaxy and Note devices), and the fancy new notification dialog, showing
your current exit IPs and country=E2=80=9D wrote=C2=A0[35] Nathan Freitas.

  [35]:=C2=A0https://lists.mayfirst.org/pipermail/guardian-dev/2014-July/00=
3667.html

While working on guard nodes, George Kadianakis realized that =E2=80=9Cthe =
data
structures and methods of the guard nodes code are not very robust=E2=80=9D.
Nick Mathewson and George have been busy trying to come up with better
abstractions=C2=A0[36]. More brains working on the problem would be welcome!

  [36]:=C2=A0https://bugs.torproject.org/12595

Mike Perry posted=C2=A0[37] =E2=80=9Ca summary of the primitives that Marc =
Juarez
aims to implement for his Google Summer of Code project on prototyping
defenses for Website Traffic Fingerprinting and follow-on research=E2=80=9D=
=2E Be
sure to have a look if you want to help prevent website fingerprint
attacks.

  [37]:=C2=A0https://lists.torproject.org/pipermail/tor-dev/2014-July/00724=
6.html

A new draft proposal =E2=80=9Cfor making all relays also be directory serve=
rs
(by default)=E2=80=9D has been submitted=C2=A0[38] by Matthew Finkel. Among=
 the
motivations, Matthew wrote: =E2=80=9CIn a network where every router is a
directory server, the profiling and partitioning attack vector is
reduced to the guard (for clients who use them), which is already in a
privileged position for this. In addition, with the increased set size,
relay descriptors and documents are more readily available and it
diversifies the providers.=E2=80=9D This change might make the transition t=
o a
single guard safer. Feedback welcome!

  [38]:=C2=A0https://lists.torproject.org/pipermail/tor-dev/2014-July/00724=
7.html

Noah Rahman reported=C2=A0[39] on the progress of the Stegotorus Google
Summer of Code project.

  [39]:=C2=A0https://lists.torproject.org/pipermail/tor-dev/2014-July/00724=
8.html

Tor help desk roundup
---------------------

A number of Iranian Tor users have reported that Tor no longer works out
of the box in Iran, and the Tor Metrics portal shows a corresponding
drop in the number of directly-connecting users there=C2=A0[40]. Collin
Anderson investigated the situation and reported that the
Telecommunication Company of Iran had begun blocking the Tor network by
blacklisting connections to Tor=E2=80=99s directory authorities=C2=A0[41]. =
Tor users
can circumvent this block by getting bridges from BridgeDB=C2=A0[42] and
entering the bridge addresses they receive into their Tor Browser.

  [40]:=C2=A0https://metrics.torproject.org/users.html?graph=3Duserstats-re=
lay-country&start=3D2014-04-30&end=3D2014-07-28&country=3Dir&events=3Don#us=
erstats-relay-country
  [41]:=C2=A0https://bugs.torproject.org/12727
  [42]:=C2=A0https://bridges.torproject.org/

Upcoming events
---------------

 Aug. 1 16:00 UTC  | Pluggable transports online meeting
                   | #tor-dev, irc.oftc.net
                   |
 Aug. 3 19:00 UTC  | Tails contributors meeting
                   | #tails-dev, irc.indymedia.org / h7gf2ha3hefoj5ls.onion
                   | https://mailman.boum.org/pipermail/tails-project/2014-=
July/000000.html
                   |
 August 18         | Roger @ FOCI =E2=80=9914
                   | San Diego, California, USA
                   | https://www.usenix.org/conference/foci14
                   |
 August 20-22      | Roger @ USENIX Security Symposium =E2=80=9914
                   | San Diego, California, USA
                   | https://www.usenix.org/conference/usenixsecurity14


This issue of Tor Weekly News has been assembled by Lunar, Matt Pagan,
harmony, and Philipp Winter.

Want to continue reading TWN? Please help us create this newsletter.
We still need more volunteers to watch the Tor community and report
important news. Please see the project page=C2=A0[43], write down your
name and subscribe to the team mailing list=C2=A0[44] if you want to
get involved!

  [43]:=C2=A0https://trac.torproject.org/projects/tor/wiki/TorWeeklyNews
  [44]:=C2=A0https://lists.torproject.org/cgi-bin/mailman/listinfo/news-team

--WK3l2KTTmXPVedZ6
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJT2P0uAAoJEEgU3sIrMHw8cxAQAN2iEGwYNmJyJV9xAKQwFUr5
dMwahtImuehBIWd7CSvgLiAoBH62f1mOXb0VvMEGeYwchWbTMVez5Kb3pqGuT1jJ
eO4b3elLz5Y2+ryA8/dkUpipMiZIuwdzmvFXwambEk0/R5fEP3PCVUoVn6ax8vC1
ZDwWSNWtgS/Q2u95y3UOPalSBB5ASosA4S9LumdT2JDCjFHXDw5BpPZBopITH0Z2
F8M6ifZaTDmKnsrmjtU5G85/yySf7y+D8KYA1OOxNeanOv1gVacrcu59E+TumJoV
Ph+IPn/QXVyD8ZU66I4yS700yXp4PeGJ+MWI7zoNFm1nfrX2b0iz2iKQ58OZDrWG
RATNeDyl4Df6KEdX8HPgP5GKkHohdpSa8XQJxjy5hFFOY5Oy+o7oHrqoYmTyHsw6
VNELsmLN6Xdd38Gc+WJVJ0xMJi/RAyt83wPrOKcg6hyEeVkiToFuUF2O83jkv2Oa
5O9lVUcrRpiUifTSlNxJPb72abfbhNI++jE8fCWK6Oz2ETmFGUARxHAE8iQj1oJ8
USCdRYx5u/p5qthItvXcEpYYswbrRsu4L7O/ZYAeSyFV+rSF0ggyKGzUtReylui/
4ScT4b5GTTJnz/tVafl2LvKuwl3kGJmQ1vlF9fDn9SOyNN0AEinNHq5DaRgeyMGj
tohlEYq0SRCyp2jYc9Fk
=RCYk
-----END PGP SIGNATURE-----

--WK3l2KTTmXPVedZ6--

--===============2428002973333003517==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

--===============2428002973333003517==--

