17:59:10 #startmeeting
17:59:10 Meeting started Mon Mar 16 17:59:10 2015 UTC. The chair is hellais. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:59:10 Useful Commands: #action #agreed #help #info #idea #link #topic.
17:59:24 ok let's start this
18:00:40 #topic who is here?
18:00:45 * irl is here
18:00:45 * isabela is around
18:01:12 i'm here
18:02:31 quick report back on our circumvention study in iran - i emailed afisk@getlantern.org, no reply yet. I checked out the various source projects at github.com/getlantern, and ran the linux and windows clients while capturing traffic
18:03:00 aagbsn: ok cool
18:03:07 the linux version of the client set itself into "GIVE" mode (according to logs) without warning. I don't think I accidentally captured user traffic but I haven't reviewed the pcaps yet
18:04:14 I started writing up a description of the tool, it seems it will be a bit tricky to document / test all the parts because the state of the project is a bit unclear
18:04:37 I read through all the tickets on their github tracker, it appears that they might be ditching some of the legacy code in the near future
18:05:40 yeah I think all the java stuff is destined to be dropped in the near future
18:05:50 I also pcap'd torbrowserbundle with fteproxy, and started writing up a description of fteproxy
18:06:13 yeah. it's not clear for our purpose what evaluating whether the tool works or not should be
18:06:23 because by design they do not proxy all traffic, just a whitelisted set of domains
18:07:37 their design uses cloudflare domain tricks, like meek, to forward traffic (the project called flashlight). That isn't the same system that exits traffic via other users
18:07:54 so, I captured traffic for the most recent version of the .exe available on their website
18:09:32 we'll probably not be able to test all websites for censorship circumvention because of the whitelist
18:10:18 well the goal of this analysis phase is to have enough documentation to be able to implement a test that can reliably detect if the tool is working in Iran
18:10:35 so I would not dig too deep into its inner workings
18:10:37 yes, and it will be tricky to know what working means
18:10:54 well the real test will be actually running the tools
18:11:05 because for the currently shipping binary, it isn't a single tool
18:11:08 and checking if it can bootstrap and you can visit some website
18:11:38 hellais: yes, but if 'some website' isn't on their whitelist, it will pass unproxied, and detect that it is blocked
18:11:41 is that what we want?
18:11:43 aagbsn: how does the lantern browser get access to the internet?
18:13:43 it gets a list of listening proxies from a google xmpp server, using cloudflare domain ssl tricks if google is blocked. there is a http proxy that requests matching the whitelist are sent to
18:14:41 those requests get transported to users running the software in GIVE mode, if they are ssl, and if they are not ssl, they are passed through lantern infrastructure
18:15:09 as best I can tell from reading the various tickets/code. I need to confirm this by looking at the pcaps
18:15:25 so, there's still more work to do there
18:16:59 in the meanwhile I switched to writing up fteproxy
18:18:30 aagbsn: but I mean when you use the software how is it that you access a blocked website?
18:18:39 do you use their browser or your normal browser?
18:19:10 this week I want to finish up the fteproxy & scramblesuit & obfs3 analysis/spec
18:19:17 in either case there is probably some protocol that this browser speaks with lantern to say get me this site.
18:19:30 http proxy iirc
18:20:37 then in the end the OONI test will be just a matter of launching ./run_lantern_master_tool (where run_lantern_master_tool will probably be a series of hacks to get it to believe it's not running headless) and then speak HTTP to the local proxy
18:20:40 there are .pac files that specify when to use a proxy or not
18:21:04 we'll need some kind of google accounts for each of the probes
18:21:53 then if we want to be kind to the lantern developers we also test all of their various strategies separately and tell them which ones work and which don't, but a user reading a report will just want to see lantern: true|false
18:22:11 aagbsn: yeah we can get some of those
18:22:21 anyways we can talk more about this later
18:22:44 I wanted to give a little update on the informed consent topic
18:23:16 last week I was in Oxford for a conference around ethics and internet research where I proposed the problem of OONI
18:23:29 ok, that's all from me for now then :)
18:25:36 most agree on the fact that we need some authoritative and knowledgeable figure to review the risks of running OONI before we have a large user base
18:26:00 likely those risks vary from country to country
18:26:58 did anyone have feedback on the current informed consent document?
18:27:23 there was a lot of discussion on the mailing list
18:27:24 there was one person that is the editor of this medical scientific journal that said that as is OONI research would not be accepted for publication in any medical journal and no IRB would approve
18:27:50 i still think it's best that we provide as much information as we think is relevant, but don't actually make any statements in a way that might imply us accepting responsibility
18:27:57 any statements we make should still come with no warranty
18:28:25 hellais: do they mean with respect to analysis of the contributed data? Or using the tools to collect their own data for publication?
18:28:29 today with vasilis we had a call with some lawyers from harvard that will be examining our texts
18:28:48 as well as providing a risk assessment for some set of countries
18:28:54 excellent!
18:28:57 awesome
18:29:40 we will be working with them in the upcoming months to formulate how the risk is impacted by the various deployment strategies and if there are some precautions that we can take in order to minimise them
18:29:56 somewhat surprised, as I had thought that groups have published analysis of public data
18:30:18 i mean, medical ethics is likely stricter than ethics for other journals
18:30:20 such as the internet census (highly questionable origin) and aol search data
18:30:40 tbh I don't understand how you can apply medical ethics criteria to network measurement
18:30:55 heh
18:31:08 I mean there was a lot of talk about benefit vs risk for the volunteer
18:31:31 which makes sense if you are participating in a study on a new eye medicine that could potentially make you blind
18:31:52 so you are risking to go blind, but you have the benefit of potentially seeing better
18:31:56 this is a really big topic, especially if you consider that most of the medical applications/services are based on closed and proprietary software
18:32:01 but in our case the benefit for the user is a bit fuzzy and indirect
18:32:18 aagbsn: public != ok to use in research
18:32:46 aagbsn: as an example there is currently a lot of debate in the research community about the internet census 2012 data and if it's ok to use it in a paper
18:32:56 anadahz: remind me to tell you later about how some doctors use proprietary and 'secure' email tools to send health records. someone i know received medical records this way with an 'encrypted' header that was nothing of the sort
18:33:04 I believe some papers have been rejected from some journals because they were using it
18:33:19 hm
18:34:06 collin anderson has used OONI to do measurements, but with his own tests & probes
18:34:27 so, OONI as an infrastructure platform is also useful to researchers who may not use user-supplied data
18:34:55 we should help them understand the scenario where this sort of application is possible for research
18:36:02 well the goal with this legal study is to have a way to say "hey you researcher that wants to use OONI or collect data with OONI for your research, it's ok these lawyers said so"
18:36:49 hm, I should think that in the computer science field it would be more obvious that using the open source tools would be OK, even if using the user-supplied data isn't
18:37:28 well it's a matter of how you acquire the data
18:37:28 * irl is at a university wanting to use ooni for a paper, so it would be useful if the paper wasn't rejected based on the source of the data.
18:37:50 if for example I collect data by infecting them with some malware it's not ok
18:37:58 if I tell them that I will be collecting the data then it's ok
18:38:07 potentially even if the data is personal
18:38:13 yep, it's just informed consent.
18:38:32 like during this conference there was one person that talked about this project they did to map out outbreaks of epidemics
18:39:01 and they installed on the phones of volunteers this software agent that would track them wherever they went and record the IDs of the bluetooth devices they encountered
18:39:31 oh the latter seems troublesome
18:39:37 they also wanted to expand it with the ability to have a "danger detector" that would tell you where you should not go, since there are potentially infected people there
18:39:42 they said ok to the first part
18:39:45 but not to the last
18:40:19 that is to say that the devil is in the details and there are many ways to do something, but not all of them are ethically ok
18:44:59 seems strange that sniffing random people's bluetooth devices would be ok, but proving information based on that collection wasn't. clearly this isn't so clear
18:45:31 aagbsn: the information was not all public
18:45:52 aagbsn: it was all stored on a system at the university that only 2 people had access to and wiped at the end of the study
18:47:01 in other news, we thought a bit about the possible ways to implement signing of reports
18:47:07 did you have any positive feedback on ooni?
18:47:28 or interest in running probes or working with the data?
18:47:29 aagbsn: I wouldn't say there was particularly positive feedback
18:47:57 aagbsn: joss wright said he would be interested in coming to the data viz hackfest
18:48:20 ok, great :)
18:48:35 aagbsn: but the majority of the people there were of the non technical, philosophically variety
18:49:58 * irl has to think about disappearing in about 15-20 minutes.
18:50:17 irl: ah ok so let's talk a bit about the OTF proposal now
18:50:21 cool
18:50:55 I don't remember if I said this last time, but basically we have concluded that it makes most sense to split them up into 3 separate ones
18:51:03 CPP, ORG, OONI
18:51:19 ok, we discussed this on the call but didn't have a conclusion
18:51:27 I think we did mention that at the last irc meeting also
18:51:32 this means that we need to submit a new concept notes by May 1st
18:51:46 ok, so a new document.
18:51:49 correct
18:51:54 hellais: is that the earliest we can submit?
18:52:09 so we need to take all the stuff that is OONI stuff in the CPP and ORG proposal and put it in our own one
18:52:18 so i'm working directly on adding functionality to OONI, so I guess I'm mainly concerned with that one.
18:52:32 as well as add other things that we believe are important that are not in scope of CPP nor ORG
18:52:43 ok cool.
18:52:55 aagbsn: we can submit it when we want, but they will review it only starting from May 1st
18:53:07 ok
18:53:08 hellais: can you send round a new google docs link for the new document by email?
18:53:12 hellais: is this proposal a shared google doc or something?
18:53:15 irl: yes I will do that
18:53:19 awesome
18:53:42 I have also talked about this with Karen from Tor and she will also help us with it
18:53:50 also awesome
18:55:16 sbs: any updates from anna regarding the hackfest?
18:55:16 In case that you haven't seen yet there is a ticket about OONI roadmap: https://trac.torproject.org/projects/tor/wiki/org/roadmaps/OONI
18:55:31 (There are plans to do an OONI data viz hackfest in Rome in May)
18:55:40 yep, but that doesn't necessarily have the OTF activities on it
18:55:49 oh snap, did you pick rough dates yet?
18:55:57 I will be unavailable the latter two weeks of may
18:56:10 not yet
18:56:28 hellais: she told me she was very interested, she was talking with the technical staff and pinging me back when she will have news
18:56:43 OTF got back to me saying that they have received the request, but haven't spoken to them verbally about it yet
18:56:52 sbs: awesome!
18:57:11 hellais: would there be any travel budget in there?
18:57:25 aagbsn: if you already know the exact dates send them to me so I can keep them in mind when scheduling it
18:57:32 i'm not sure what my budgets look like but likely not good, but it would be good to meet up for organising and a bit of hacking.
18:58:12 hellais: yes, I believe the 15th onwards
18:58:17 irl: yes the plan is to get budget for OONI devs to come as well as data visualization and designer types
18:58:41 awesome. so when there's a date i'll book that time with $boss.
18:58:51 making it an open call where people can submit their CV to us and if it looks good and they have a cool project to hack on in the days of the hackfest we can pay for their travel and accommodation
18:59:04 very awesome.
19:00:46 the next steps for what we should be focusing on this week are:
19:01:27 hellais: update: 17th onwards
19:01:41 1) Continue work on the Iran study, by the end of this week anadahz, aagbsn and I should have completed the analysis of the tools and pushed the code to the repository
19:01:48 err text
19:03:02 that is me: Psiphon, Tor, obfs4. vasilis: obfs2, scotty, meek, openvpn. aagbsn: obfs3, lantern, scramblesuit, fte
19:03:27 2) Get the shared document for the concept notes and start putting the content of the other proposals inside of that
19:04:34 3) Start thinking of what text and graphics should go on the open call for the open data hackfest
19:05:19 https://docs.google.com/document/d/1-2bf8UUOkcCM7g1ItzOY-4BYRBkI91QndWSgh8RdEx4/edit?usp=sharing
19:05:25 here is the google doc for that last one
19:06:00 anything else we should talk about?
19:06:18 ah we also have 4)
19:06:59 4) Create tickets for the roadmap https://trac.torproject.org/projects/tor/wiki/org/roadmaps/OONI and add missing steps to roadmap, creating tickets when needed
19:07:15 #link open data hackfest document https://docs.google.com/document/d/1-2bf8UUOkcCM7g1ItzOY-4BYRBkI91QndWSgh8RdEx4/edit?usp=sharing
19:07:24 #link ooni roadmap https://trac.torproject.org/projects/tor/wiki/org/roadmaps/OONI
19:08:12 hellais: have you ordered the ooni stickers?
19:09:16 anadahz: yes I have 250 of the fancy variety (two sided print with on the back some text on what ooni is and links)
19:09:38 and 1000 of the cheaper sort, one sided square
19:10:01 as soon as I get them I will relay some of them over to you all
19:10:49 woo stickers
19:11:13 awesome
19:11:23 awesome!!
19:12:08 ok, so once there is the link for the new concept notes, i can get going there. for now though i'll have to disappear.
19:12:28 irl: great, thanks for attending the meeting :)
19:12:54 mondays are looking better now, so i should be able to attend more.
19:13:02 have fun all. (:
19:13:11 can we use an etherpad e.g. https://pad.riseup.net/p/otf_ooni_concept_notes
19:13:58 riseup deletes the pads after 1 month of inactivity
19:14:03 isabela: did you have any questions?
19:14:25 hellais: yes, we should have completed/exported by then, no?
19:16:05 aagbsn: hopefully ;)
19:16:49 nope
19:16:58 if somebody here has a way of reaching to the citizenlab people it would be cool if they could check out this pull request:
19:16:59 just learning
19:17:11 #link test lists management pull request https://github.com/citizenlab/test-lists/pull/4
19:17:39 I most recently added a tool that allows somebody to add a URL to the test list by searching through the list for similar URLs already present
19:17:55 and prompting the user to input all the various identifiers needed
19:18:10 I would like to eventually make that into a web form
19:19:55 also this week in OONI, lorenzo has been working on the iOS app and has implemented support for viewing the log of a test and listing the currently running measurements: https://github.com/lorenzoprimi/libight_iOS
19:20:16 #link libight iOS https://github.com/lorenzoprimi/libight_iOS
19:21:03 hellais: about the app, I've yet to understand why it crashes on my Mac
19:21:12 lol
19:21:21 hellais: it's in my TODO list to understand that :)
19:21:47 sbs: that is quite weird indeed, I am able to run it successfully on mine
19:22:10 hellais: indeed, I'm seeking for another Mac, so we can make a majority report
19:22:28 heheheh
19:22:42 is there anything else?
19:23:21 no, I spent some time studying C++ and looking at how other projects use C++11 w/ async code
19:23:31 so I was not very productive
19:24:32 ack!
19:24:59 if there is nothing else I would say we call this gathering adjourned
19:26:05 thanks for attending!
19:26:07 #endmeeting