13:59:59 <hellais> #startmeeting OONI Community meeting 2021-09-28
13:59:59 <MeetBot> Meeting started Tue Sep 28 13:59:59 2021 UTC.  The chair is hellais. Information about MeetBot at http://wiki.debian.org/MeetBot.
13:59:59 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
14:00:13 <slacktopus> <agrabeli> How are you doing?
14:00:32 <slacktopus> <agrabeli> Hope you're all keeping safe and well. :pray:<3
14:00:57 <slacktopus> <agrabeli> I'm Maria with OONI. :wave:
14:01:10 <slacktopus> <agrabeli> Please feel encouraged to introduce yourselves async as you join. :)
14:01:18 <slacktopus> <db1984> Hi! Davide connected :+1: Hello everyone :)
14:01:28 <slacktopus> <sbs> Hello, I'm Simone and I also work for OONI! :ooni: :)
14:01:38 <slacktopus> <agrabeli> Ciao @db1984, welcome! :)
14:01:41 <slacktopus> <gus934> Hello! Gus from the tor project o/
14:02:02 <slacktopus> <agrabeli> Hello @gus934, thanks for joining us! :)
14:02:17 <slacktopus> <hellais> :wave::skin-tone-3:
14:03:02 <slacktopus> <sarath_ms> :wave: Hello! I am Sarath and I am a developer at OONI
14:03:56 <slacktopus> <agrabeli> As a reminder: Please add topics that you'd like to discuss during today's meeting in this pad: https://pad.riseup.net/p/ooni-community-meeting-keep :)
14:04:09 <slacktopus> <andresazp> Hi all! I’m Andrés from Venezuela :flag-ve: doing many anti-censorship things at VE sin Filtro
14:04:32 <slacktopus> <vianyl.f> Hello, I'm Vianney Forewah connecting from Cameroon. OONI partner
14:05:00 <slacktopus> <agrabeli> Hello @andresazp and @vianyl.f, thanks so much for joining us today! :)
14:05:12 <slacktopus> <xhdix> :wave: Hi everyone
14:05:25 <slacktopus> <agrabeli> Welcome @xhdix! :)
14:05:36 <slacktopus> <agrabeli> It looks like we have a full party :) :party_parrot:
14:05:50 <slacktopus> <agrabeli> So before we get started with the agenda topics, I'd like to share a few updates:
14:06:41 <slacktopus> <agrabeli> 1. We're hiring! :heart_eyes: Specifically, we're seeking to hire a *full-time mobile developer* who can lead the development of OONI Probe Mobile: https://ooni.org/post/2021-job-opening-ooni-mobile-developer/
14:07:25 <slacktopus> <agrabeli> ^^ I think this is a very exciting job position, since they would be developing the version of OONI Probe that is used by most people around the world! :heart_eyes:
14:07:52 <slacktopus> <agrabeli> We really want to ensure that the person we hire can best serve our community. So if you know anyone who would be great for this role, please encourage them to apply! :)
14:08:05 <slacktopus> <agrabeli> The application deadline is *31st October 2021*.
14:09:04 <slacktopus> <anastasiya> Hey, Anastasiya from Access Now is also here :)  Hello everyone!
14:09:16 <slacktopus> <agrabeli> 2. We published a new *user guide* for the *OONI Probe Command Line Interface (CLI)*: https://ooni.org/support/ooni-probe-cli :)
14:09:43 <slacktopus> <agrabeli> ^^ This offers step-by-step instructions on how you can go about using OONI Probe CLI on macOS and Linux. :) You can also install it on Raspberry Pis!
14:10:00 <slacktopus> <agrabeli> (Welcome @anastasiya, thank you for joining us! :) )
14:10:15 <slacktopus> <agrabeli> So those were the quick updates I wanted to share. :) Any questions or thoughts?
14:11:01 <slacktopus> <agrabeli> Otherwise we can nicely transition to the next agenda topic, which is about Raspberry Pis... :heart_eyes:
14:11:35 <slacktopus> <agrabeli> #topic 2. If the community is interested, VE sin Filtro can share some details of a public image for running Raspberry Pi as an appliance (it helps setting up running ooni and mini ooni automatically without monitor, etc) it can be configured without ssh.
14:12:01 <slacktopus> <andresazp> I’ll make it brief, and if there is interest for more details please ask about it!
14:12:43 <slacktopus> <valentina097> Hi, everyone! I'm Valentina and I work with @andresazp at VE sin Filtro :flag-ve:
14:13:54 <slacktopus> <agrabeli> Welcome @valentina097! :)
14:15:09 <slacktopus> <andresazp> For the longest time we have used OONI in Raspberry Pi devices in addition to the mobile and desktop apps.  We see a lot of value of using both for contexts such as ours: low bandwidth, large and changing censorship, cost/value of devices and many more.  So we use the Raspberry Pi to automate and guarantee a 100% coverage of the testlist every day, regardless of people going out, being busy, shutting down their machines, etc
14:16:56 <slacktopus> <db1984> dumb question! Hum it would mean that an image could be flashed into the rasp, then if connected to the internet (and electricity) all the measures will be done automatically?
14:17:45 <slacktopus> <andresazp> I wrote something and I think slack ate it
14:18:02 <slacktopus> <agrabeli> (oops)
14:18:06 <slacktopus> <valentina097> There aren't dumb questions in here! haha
14:18:08 <slacktopus> <andresazp> So writing it again
14:20:19 <slacktopus> <andresazp> But all of this requires a certain level of technical expertise. And we know that other organizations have similar needs. So to lower that bar significantly we are working on a *public disk image* for rpi that people can get up and running with it fast and easy
14:20:45 <slacktopus> <andresazp> You don’t even need to use SSH to configure it
14:20:57 <slacktopus> <agrabeli> That's actually a great question! And the answer is yes -- assuming that the distribution is configured to perform tests automatically. But as long as it's connected to power + Internet, it can keep performing tests in an unattended way without disruptions. :)
14:21:10 <slacktopus> <sbs> that's awesome, @andresazp @valentina097!
14:21:35 <slacktopus> <valentina097> The fact that measurements can be collected automatically with minimum set-up is one of the most important aspects in our project.
14:21:48 <slacktopus> <andresazp> you can burn the image to an SD card in Windows and change a .txt config file to select a few things and when it boots on the pi it will be ready. Of course, you can indeed log in via SSH for more tinkering
14:22:00 <slacktopus> <federico> @andresazp I can help automating the generation of an image
14:22:26 <slacktopus> <hellais> This is really cool!
14:22:45 <slacktopus> <federico> @andresazp do you usually enable unattended upgrades?
14:22:58 <slacktopus> <agrabeli> Yeah, that's amazing @valentina097 and @andresazp! :heart_eyes: Thank you!! <3
14:23:02 <slacktopus> <hellais> Are you using as a base the ooniprobe-cli debian package for installing it? Do you do something in order to ensure that ooniprobe is kept up to date?
14:23:20 <slacktopus> <db1984> The question on updates would have been the next one LOL
14:24:07 <slacktopus> <andresazp> Some features the image supports:  • Automatic *“ooni run”* on a user-selectable schedule (by default once a day) • Easy configuration of a smaller list of urls to test more frequently using *miniooni*
14:25:42 <slacktopus> <andresazp> • User configurable schedule for that miniooni command also on the text file • Easy way to make that miniooni short list updatable say from a github repo or a file somewhere
14:26:30 <slacktopus> <valentina097> We are building ooniprobe-cli from source.
14:26:55 <slacktopus> <andresazp> • optionally setting up an SSH Tor Hidden Service for remote access
14:28:14 <slacktopus> <andresazp> and more without having to ssh and configure each one.  So that if an organization wants to have OONI to run as an appliance and are not that tech savvy, they can burn the image and change the text file and they are done
14:28:37 <slacktopus> <andresazp> There is also an interactive script if you do log-in to it
14:29:00 <slacktopus> <andresazp> (via ssh or plug in keyboard and screen)
14:29:30 <slacktopus> <andresazp> Again the idea is to lower the difficulty of this kind of setup
14:30:31 <slacktopus> <andresazp> I’m not sure the latest version of the image is up in the GH repo, I’ll double check; but if not, it will be updated today-ish
14:31:24 <slacktopus> <federico> if you also wanted a web UI to manage it, you could look at FreedomBox "Plinth" UI.
14:31:25 <slacktopus> <agrabeli> @andresazp that's all amazing! Please do share the link to the image with the channel when it's updated :pray:
14:32:02 <slacktopus> <db1984> Thank you very much for the explanation, it is truly amazing!
14:32:37 <slacktopus> <agrabeli> Indeed, thank you @andresazp and @valentina097! <3
14:33:47 <slacktopus> <federico> If ooniprobe-cli will be in Debian all of this could be shipped in official images
14:37:13 <slacktopus> <valentina097> The idea of this is to reduce the breach between organizations that have a lot of tech savvy individuals and the ones who don't. Sometimes we forget that most people don't use Linux based systems or know about SSH, so making this as frictionless as possible for someone that is not a programmer, engineer, enthusiast -or anything in between- is very important.
14:37:43 <slacktopus> <valentina097> But at the same time, making it more reliable and useful than just asking people to run Ooni on their phones or laptops.
14:37:45 <slacktopus> <andresazp> We can schedule some time for sharing feedback and ideas for improvement.
14:38:22 <slacktopus> <agrabeli> @andresazp that would be amazing! We'd love that. :pray:
14:38:55 <slacktopus> <agrabeli> Also couldn't agree more with @valentina097’s last points. :100:
14:39:47 <slacktopus> <agrabeli> What you're building is really awesome, and super useful for the community -- thank you! <3 Please share relevant links so that we can help promote it.
14:40:45 <slacktopus> <agrabeli> @andresazp @valentina097 was there anything else you'd like to share or discuss on this topic?
14:41:17 <slacktopus> <andresazp> Feel free to ping us for more on this topic!
14:42:01 <slacktopus> <agrabeli> Thanks @andresazp.
14:42:10 <slacktopus> <agrabeli> I guess then we can proceed to the next agenda topic:
14:42:16 <slacktopus> <agrabeli> #topic 3. Better measurement by measuring server side blocking and DNS poisoning [xhdix]
14:43:23 <slacktopus> <agrabeli> ^^ @xhdix is there anything you'd like to add? :)
14:43:50 <slacktopus> <xhdix> Thanks! yes. Servers block communication in a variety of ways, sometimes similar to the usual network censorship methods. For example, here are 4 more ways than HTTP 403 error for geoblocking by Google that have been documented so far (as I know) : https://github.com/wikicensorship/wikicensorship/issues/1  For example, this article only deals with HTTP 403 error and shows that geoblocking is observed in all countries and does not
14:43:51 <slacktopus> include only 4 countries at the top of the US sanctions. (Iran, Cuba, Syria, North Korea) : https://censoredplanet.org/assets/403forbidden.pdf  Or because censorship is bidirectional, in addition to governments forcing businesses to keep servers within the country, sometimes within country/network blocking of the request appears just like censorship on the user network in other countries. Like: https://github.com/ooni/probe/issues/1780  As a
14:43:51 <slacktopus> result, and considering that OONI introduces Probe as follows: https://ooni.org/about/ `By running OONI Probe, you can collect data that can potentially serve as *evidence of Internet censorship* since it shows how, when, where, and by whom it is implemented.`  (it shows *how, when, where, and by whom*)  Investigating this is essential in improving the quality of OONI data as well as advancing its purpose.  What are your plans for it in
14:43:52 <slacktopus> OONI? (Comments from others are also welcome)
14:48:33 <slacktopus> <hellais> Yeah this is a really important point and we have been discussing quite recently how we should be working in the direction of being better equipped at detecting server-side blocking too.
14:49:41 <slacktopus> <hellais> It’s also a question of the accuracy of measurements in general, as our automated heuristics may flag as cases of server-side blocking instances of server-side blocking, while I think we should be treating evidence of this phenomenon distinct from that of country or network level censorship
14:50:23 <slacktopus> <hellais> One first step in this direction is probably that of starting to add some of the known server-side blocking fingerprints to our fingerprintdb and expose this information in some way in OONI Explorer and the API
14:51:03 <slacktopus> <hellais> We have a relevant issue on this topic over here: https://github.com/ooni/backend/issues/306
14:52:04 <slacktopus> <hellais> When it’s IP or TCP level blocking it’s going to be significantly trickier to distinguish the case of server-side blocking from network or country level blocks
14:53:13 <slacktopus> <hellais> As you show in the above linked issue one viable technique would be that of running traceroutes to the affected endpoints and see how far you can get before you start seeing packets being dropped
14:54:24 <slacktopus> <agrabeli> @hellais @sbs could that be a follow-up experiment as part of the new web connectivity test?
14:55:44 <slacktopus> <agrabeli> (as part of future iterations -- not the upcoming release)
14:55:45 <slacktopus> <hellais> We could consider it, though due to technical limitations we most likely would not be able to run such an experiment on all platforms. For example it’s very tricky to do traceroute experiments on mobile devices and even on desktops you generally require special permissions for doing so, which would complicate the deployment of our app
14:56:32 <slacktopus> <hellais> In any case a paper that comes to mind on this topic (which actually was written based on analysis of OONI data) is this 2016 paper looking at server-side blocking of tor users: https://www.icir.org/vern/papers/tor-differential.NDSS16.pdf
14:58:35 <slacktopus> <andresazp> as a sidenote, we should promote the use of *HTTP 451 Unavailable For Legal Reasons* for many of those cases
14:59:19 <slacktopus> <andresazp> so that it’s made explicit by platforms
14:59:29 <slacktopus> <hellais> Yeah that’s another excellent point, which is that these platforms that implemented geolocation based blocking are doing it in a way that makes the job of detecting it automatically hard
14:59:53 <slacktopus> <hellais> If we could get them to commit to doing it in a way that is more machine readable, it would make detecting it much simpler
15:01:09 <slacktopus> <andresazp> I know of some Venezuelan cases that would not fit this. i.e. Venezuelan gov sites not visible abroad, but major “western” platforms should probably just be upfront about it
15:01:59 <slacktopus> <hellais> On this note there is also a git repository that includes many server-side blocking fingerprints which we could use to bootstrap our fingerprintdb: https://www.bamsoftware.com/git/ooni-tor-blocks.git/
15:06:20 <slacktopus> <hellais> Yeah for sure
15:07:04 <slacktopus> <hellais> In any case I have taken note of the fact this topic was brought up during this meeting and linked the above mentioned github issue in our tracking issue for it: https://github.com/ooni/backend/issues/306#issuecomment-929319282
15:07:55 <slacktopus> <hellais> Do we have anything else to discuss on this?
15:09:13 <slacktopus> <agrabeli> If not, we can end the meeting, as we're almost 10 minutes past the hour
15:09:18 <slacktopus> <xhdix> + https://github.com/ooni/probe/issues/1780
15:09:40 <slacktopus> <xhdix> Thank you all!
15:09:46 <slacktopus> <agrabeli> (but ofc, you're welcome to keep discussing on this channel anytime :) )
15:09:49 <slacktopus> <andresazp> Thank you!
15:10:00 <slacktopus> <agrabeli> Thanks everyone for joining us today! :)
15:10:06 <slacktopus> <db1984> Thank you!
15:10:26 <slacktopus> <agrabeli> The *next OONI Community Meeting is on Tuesday, 26th October 2021 at 14:00 UTC*. :ooni:
15:10:45 <slacktopus> <andresazp> Thank you all, especially the OONI team!
15:10:48 <slacktopus> <agrabeli> I will share updates on the meeting info here + ooni-talk mailing list as always. :)
15:11:20 <slacktopus> <agrabeli> Warm thanks to the VEsinFiltro team, and to everyone who joined us today! <3
15:11:42 <slacktopus> <agrabeli> Hope you all have a great day/evening! <3:sparkles:
15:11:54 <hellais> #endmeeting