[tor-talk] Roger's status report, August 2013

Six things I did in August 2013:

1) Wrote a security advisory for the "Old Tor Browser Bundles vulnerable" issue:
https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html
and then posted it to the blog and helped to manage the confusion there (700+ comments!)
https://blog.torproject.org/blog/tor-security-advisory-old-tor-browser-bundles-vulnerable

2) Attended FOCI and Usenix Security:
https://www.usenix.org/conference/foci13
https://www.usenix.org/conference/usenixsecurity13
I mainly talked with grad students to help them understand Tor better and focus more usefully on research questions. I also did a rump session talk to summarize five "performance improvement" research directions that look worth exploring.

3) Helped Karen, Nick, and Mike write a DRL funding proposal for more core development and maintenance. If it works, this will be a two-year grant to help with 1) turning more of the academic research prototype pluggable transport designs into something clean that we can actually give users; 2) better testing for the core "tor" program, including unit tests, refactoring, and better use of our full network testing harness named Chutney; and 3) build automation and a start at QA automation, so we can have nightlies of everything, start automatically checking for regressions, etc.

4) Released Tor 0.2.4.16-rc:
https://lists.torproject.org/pipermail/tor-talk/2013-August/029344.html

5) Helped Kelley and Mike write an RFA funding proposal to move TBB 3.0 development forward for the next year -- 1) identify and resolve privacy and security issues in Firefox that impact TBB users, especially with respect to the two upcoming new Firefox releases; 2) improve the usability and functionality of the Firefox extensions that we include with TBB; and 3) finish and extend our "reproducible build" design that allows users to gain confidence that TBB includes exactly and only the components we meant it to include.

6) Started to deal with the huge growth in Tor users that started in mid-August. Current theory is that it's a botnet of some sort that bundled a Tor 0.2.3 client. We'll need to do ongoing firefighting here.

-------------------------------------------------------------------------

Six smaller things I did in August 2013:

7) Attended the board-of-directors meeting, including continuing to wrangle the budget side of things. We should have some funding for new people to help work on the myriad sides of Tor development, but we're not yet sure how much we can afford to spend (or at least I'm not), so it seems wisest to figure that out first.

8) Helped Arlo get set up to replace our live "check" server:
https://trac.torproject.org/projects/tor/ticket/9529
https://check2.torproject.org/
(Thanks Arlo!)

9) Agreed to do some more talks in the future:
Sept 2013, PLUG talk, http://www.phillylinux.org/meetings.html
Nov 2013, "Second Moscow International Forum for Innovative Development"
Jan 2014, NSF Watch, http://www.nsf.gov/cise/cns/watch/

10) Rewrote the FAQ entry on JavaScript and TBB:
https://www.torproject.org/docs/faq#TBBJavaScriptEnabled

11) Wrote an explanation for why I'm not too worried that the NSA might be running Tor relays:
https://mailman.stanford.edu/pipermail/liberationtech/2013-August/010595.html
(It's not that I'm not worried. It's that I'm all full up on worry that they watch links.)

12) Found time to write another monthly status report. I got off track because I was trying to go through my inbox each month and answer mails that I missed. I've given up on that :/ -- this mail is based only on what I found in my outbox for August.

-------------------------------------------------------------------------

September 2013 goals include:

1) Continue dealing with fallout from the botnet. E.g. see
https://trac.torproject.org/projects/tor/ticket/9574

2) Finish and post my blog post motivating larger guard rotation periods, and what to fix first:
https://trac.torproject.org/projects/tor/ticket/8240

3) Release 0.2.4.17-rc, and work on 0.2.4.x release notes so we can call it stable.

4) Help Nick Hopper, our new research director, be more productive.