#tor-meeting log

15:59:03 <phw> #startmeeting anti-censorship team meeting
15:59:03 <MeetBot> Meeting started Thu Jul  9 15:59:03 2020 UTC.  The chair is phw. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:59:03 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:59:06 <phw> good morning, everybody
15:59:18 <phw> here is our meeting pad: https://pad.riseup.net/p/tor-anti-censorship-keep
15:59:34 <hanneloresx> hey
15:59:36 <juggy> hi
16:00:40 <agix> hi
16:00:43 <cohosh> hi
16:01:00 <gaba> hi
16:01:01 <phw> gaba: did the tuesday gitlab meeting result in a way forward regarding our problem with anonymous issue submissions?
16:01:44 <gaba> yes
16:01:54 <gaba> we are creating all users that people are asking
16:01:58 <gaba> and then ahf is working on a lobby
16:02:13 <gaba> on submission form
16:03:06 <gaba> https://gitlab.torproject.org/ahf/lobby
16:03:13 <phw> a submission form to apply for accounts?
16:03:22 <gaba> "This Django application contains the lobby website for Tor's Gitlab instance.
16:03:25 <gaba> The Gitlab Lobby allows users to:
16:03:28 <gaba> Request accounts on our Gitlab server, if they are interested in working
16:03:31 <gaba> with Tor's development teams.
16:03:33 <gaba> Anonymously submit and comment on issues on Tor's Gitlab instance."
16:03:49 <ahf> phw: first step is for users to sign up, second step is for users to submit anonymously
16:04:00 <ahf> hope to have a demo ready next week for the first step
16:04:38 <phw> what do people sign up with? so it's not a shared account?
16:05:40 <dcf1> so if I understand correctly, at the moment to submit a bug report, you email gitlab-admin@tpo and get an account, then use the account to file the report
16:05:51 <gaba> right
16:06:02 <gaba> that is how is working right now
16:06:06 <dcf1> when the lobby website is ready, it will be possible to use it to 1) request an account without emailing gitlab-admin, or 2) submit a bug report without an account
16:06:14 <ahf> phw: people wont have to sign-up. people will be able to submit (with moderation) to the issue tracker
16:06:15 <dcf1> ok
16:06:20 <ahf> for projects who are willing to do moderations 8)
16:06:52 <ahf> phw: the discource discussion yesterday might change the plans those, but i'm not tracking that super much right now
16:07:43 <gaba> the discourse wil help with where discussion is happening before tickets
16:07:53 <gaba> but i do not think it will change how we submit tickets
16:08:05 <gaba> discourse will help with blogpost (if we do discourse)
16:08:16 <gaba> and to redirect people from multiple Tor forums around the Internet
16:08:25 * ahf nods
16:09:03 <phw> should we create a cypherpunks-like gitlab account until the lobby website is ready?
16:09:33 <gaba> why?
16:09:55 <cohosh> how many weeks until people are able to submit tickets?
16:10:00 <gaba> there is some debate on the cypherpunk account. Some people do not like that option and is harder to do in gitlab because the possible changes people can do on the account
16:10:03 <cohosh> it might be nice to have something to bridge the gap until then
16:10:13 <phw> as a temporary solution, so people can interact with gitlab until the lobby is done
16:11:30 <gaba> you think that people asking for accounts is not something that can work for now?
16:11:46 <dcf1> I guess we as a team could do this, by requesting a new account with the proper permissions.
16:12:19 <dcf1> I think that requiring an account, and especially requiring emailing someone to make an account, is a high barrier for many of the people who want to reach us.
16:12:24 <phw> gaba: we're talking about anonymous submissions, specifically. i don't think that asking for an account is a good solution for this
16:13:02 <phw> i wouldn't mind managing an account that's only allowed to report issues in the anti-censorship group
16:13:08 <phw> ...so it wouldn't bother anyone else
16:13:18 <ahf> the permission systems are not setup correctly yet, which makes it hard to maintain such a user. the user would have access to everything practically and we haven't audited all group access yet
16:13:37 <ahf> and first time someone logs in and changes the pw, you will need someone to reset it :-/
16:13:37 <phw> i see
16:13:39 <dcf1> hmm
16:13:56 <ahf> i do agree the barrier to entry is higher than anybody wants it
16:14:10 <dcf1> an easy alternative is we designate a bug-reporting etherpad and remember to check it every week
16:14:24 <gaba> like that alternative
16:14:41 <phw> sounds good to me
16:14:44 <ahf> or take issues by mail? the first suggestion we had when we moved was for people to write to tor-dev@, but a mailing list also have higher barriers than somebody wants
16:14:45 <gaba> we could even setup a form somewhere where people send tickets...
16:15:13 <dcf1> We just need something concrete to write at https://snowflake.torproject.org/#bugs
16:15:25 <cohosh> yeah an etherpad is a good call
16:15:36 <cohosh> is then when the lobby is ready we can write that information on the pad
16:15:42 <ahf> from what i can tell, the lobby stuff is the only thing i have on my plate for gitlab stuff next week, and it's not a big project for the account sign-up. i think i could spend half a day more on it and do some very basic ticket submission stuff (but probably not comments) if you are willing to beta-test something like that
16:16:06 * cohosh is willing to beta test
16:16:12 <cohosh> ahf: thanks for doing all this
16:16:31 <HashikD> I am available for testing aswell.
16:16:32 <ahf> trying with the anti-censorship teams' project would be nice before we try opening it up. i've been hoping to find a test team this week or next
16:16:38 <ahf> cool
16:17:31 <phw> thanks ahf
16:17:44 <ahf> np! let me try to poke you all sometime next week when i have something we can try
16:18:28 <phw> dcf1: do you mind updating  https://snowflake.torproject.org/#bugs ?
16:18:41 <dcf1> Yes I'll do it.
16:18:52 <phw> thanks
16:19:36 <cohosh> dcf1: i just remembered that i haven't updated the badge yet for #34129 >.<
16:19:57 <phw> oh, there are a bunch of censorship-related pets'20 papers. take a look at the 'interesting links' section
16:21:04 <dcf1> I found a badge in the wild in Sergey's site: https://sfrolov.io/
16:21:25 <cohosh> dcf1: woah heh
16:21:41 <cohosh> looks like it's populating the strings right though
16:21:44 <cohosh> it's not*
16:23:25 <phw> any other topics to discuss before we move on to our 'needs review' section?
16:23:48 <valdikss> I'm the author of GoodbyeDPI, it's listed on the pad. Feel free to ask me anything.
16:24:04 <cohosh> valdikss: hi!
16:24:23 <phw> valdikss: welcome!
16:24:51 <dcf1> hey valdikss, we're scheduled to talk about it right after the normal meeting business
16:25:13 <valdikss> I'll be here, mention me and I'll check the chat.
16:26:18 * phw takes a look at today's reviews
16:26:45 <phw> #30579 for cohosh, and i think that's it?
16:26:53 <phw> oh, is that still relevant?
16:28:36 <dcf1> sorry I'm behind on the last week of tickets
16:28:37 <cohosh> yeah it's a small change to add a new default stun server to the proxy-go isntances
16:29:02 <cohosh> so that they'll do nat discovery by default
16:29:15 <cohosh> i'm almost done rolling out all the nat discovery changes
16:29:33 <phw> gotcha
16:29:40 <phw> does anyone else need help with anything?
16:30:30 <phw> *crickets* means no
16:30:36 <phw> let's move on to the reading group
16:30:45 <dcf1> I'll at least leave a ticket on merge request !5
16:30:51 <dcf1> *a comment
16:31:01 <cohosh> dcf1: thanks
16:32:06 <phw> i didn't get around to this week's reading, so i would appreciate it if anyone else can moderate today's session :/
16:32:52 <cohosh> i took a look but don't have a summary pre-prepared
16:32:59 <dcf1> I believe cohosh suggested the topic; also I am prepared to talk about it
16:33:22 <dcf1> And of course valdikss can correct any errors
16:34:12 <cohosh> okay i can do a brief summary of what i learned
16:34:41 <cohosh> i have some questions too
16:34:57 <cohosh> <summary>
16:35:53 <cohosh> GoodbyeDPI is a service for bypassing censorship by either ignoring redirects sent by DPI boxes or tricking the DPI into ignoring the session
16:36:19 <cohosh> a lot of the techniques used are somewhat similar to the ones we've discussed in some of the recent reading groups on symTCP and geneva
16:36:42 <cohosh> e.g., fragmenting the first TCP data packet
16:36:58 <cohosh> and some HTTP-level tricks like playing with the capitalization of the Host: header
16:37:13 <dcf1> E.g. https://github.com/ValdikSS/GoodbyeDPI#how-does-it-work
16:37:43 <cohosh> but it will also just ignore packets that it thinks are sent by the DPI
16:38:15 <cohosh> these are packets that have an IP id of 0x0000 or 0x0001 that contain tcp rst
16:38:50 <cohosh> my understanding is that these techniques are specifically catered to the DPI boxes used by censors in Russia
16:39:25 <dcf1> Yes, the tuning for local conditions is interesting to me.
16:39:25 <cohosh> and that it is meant to be installed as a windows service so that the tricks can be used by any browser or other program that is making TCP/HTTP requests
16:39:51 <cohosh> they have also included with the tool some scripts that users can run to test whether goodbyeDPI will work for them
16:39:59 <valdikss> That is correct. GoodbyeDPI either prevents OS and software from receiving injected packets by DPI or 'breaks' the packets to make them undetectable by the DPI.
16:40:19 <cohosh> </short summary>
16:40:24 <HashikD> I guess, most of the related works and GoodbyeDPI is geared towards bypassing a Russing ISP
16:40:49 <valdikss> There's a similar software for Linux, https://github.com/bol-van/zapret
16:41:08 <dcf1> From my notes:
16:41:29 <dcf1> GoodbyeDPI is for WIndows only. For packet manipulation it relies on WinDivert (https://github.com/basil00/Divert)
16:41:33 <valdikss> GoodbyeDPI works in Indonesia (they recently got Netflix blocked and the software unblocks it), Turkey. I've also tested it in Saudi Arabia.
16:41:45 <cohosh> valdikss: thanks, i was curious about that
16:41:55 <dcf1> WinDivert itself has its origin in ReQrypt (https://reqrypt.org/reqrypt.html), about which I wrote a summary: https://groups.google.com/d/msg/traffic-obf/iwDomyMF--Q/N87y8mAPAgAJ
16:42:17 <dcf1> Here's an example in the source code for Host header manipulation: https://github.com/ValdikSS/GoodbyeDPI/blob/505b8bf516b74f2f1c0aff2b10768d6e9a0adeab/src/goodbyedpi.c#L783
16:42:46 <dcf1> Here's an example of changing the window size on receiving a SYN/ACK (I suppose this is something like brdgrd): https://github.com/ValdikSS/GoodbyeDPI/blob/505b8bf516b74f2f1c0aff2b10768d6e9a0adeab/src/goodbyedpi.c#L938
16:43:18 <dcf1> I unpacked the release the found a file blacklist.txt with a list of domains in it; I suppose that by default, GoodbyeDPI only affects those domains?
16:43:27 <HashikD> Additionally, One of the related works suggests to use DNS-Over-Https to bypass DNS. I guess most censors rely on DOT for blocking.
23:42:40 <tomcat> #endmeeting
16:57:41 <nickm> doot de doot
16:58:56 <ahf> o/
16:58:57 <gaba> hi!
16:59:00 <Caitlin> hi
16:59:01 <ahf> just in time with pad update :o
16:59:09 <MeetBot> gaba: Error: Can't start another meeting, one is in progress.
16:59:14 <gaba> what!
16:59:30 <gaba> #endmeeting ?
16:59:33 <ahf> oh no
16:59:45 <ahf> another thing we need to fix in an upcoming irc bot
16:59:51 <gaba> well, anybody know what happened?
16:59:55 <ahf> yeah
17:00:01 <ahf> 090720 19:20:01  +         phw: wait, my #endmeeting does not seem to have ended the meeting...?                       │············································································
17:00:06 <gaba> uh
17:00:07 <ahf> looks like phw's endmeeting didn't work
17:00:17 <gaba> ok, let's add a ticket to tpa
17:00:38 <phw> #endmeeting