16:00:02 <cohosh> #startmeeting tor anti-censorship meeting
16:00:02 <MeetBot> Meeting started Thu Aug 5 16:00:02 2021 UTC. The chair is cohosh. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:02 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
16:00:18 <cohosh> welcome
16:00:24 <cohosh> here is our meeting pad: https://pad.riseup.net/p/tor-anti-censorship-keep
16:00:53 <cohosh> feel free to update it with what you've been working on and add items to the agenda :)
16:03:27 <cohosh> thanks dcf for the links
16:03:56 <cohosh> i was reading the kazakhstan thread on ntc.party after seeing it there
16:04:25 <dcf1> seems like it may have been nothing, or a temporary anomaly?
16:05:01 <cohosh> hm yeah, how to interpret ooni tests is sort of an open question
16:05:32 <cohosh> in almost all cases the "tor is likely blocked" message doesn't actually correlate with whether it's possible to make a connection
16:06:33 <cohosh> but, it also seems possible that something was going on
16:06:39 <cohosh> this test for example: https://explorer.ooni.org/measurement/20210730T085155Z_tor_KZ_9198_n1_Q9PfLTtn5ob9sHzo
16:07:22 <cohosh> shows that most dir auths were actually reachable (although somehow they got 1/10) from that
16:08:03 <dcf1> hm
16:08:06 <cohosh> comparing that with the next day's results though suggests something was going on
16:08:26 <dcf1> I didn't see that tpo/anti-censorship/pluggable-transports/snowflake!48 was waiting for an approval, I'll do it today
16:08:40 <cohosh> thanks
16:08:54 <cohosh> i've also been trying to get snowflake working in the new shadow release
16:09:32 <cohosh> there's some work to be done before it's ready but when it is it'll be a better way to test server side changes without having to do a redeployment
16:10:19 <cohosh> and you can do neat stuff like say "i want the bridge in NL, a proxy in BR, and a client in CN"
16:11:09 <cohosh> but before it's ready i'm also trying not to get too far sucked down that rabbit hole at the expense of other things that need to get done >.<
16:11:11 <dcf1> that's great
16:12:01 <dcf1> what's the issue with system calls? does shadow run something like seccomp that limits them by default?
16:12:49 <cohosh> hm it depends on the call
16:12:59 <cohosh> some calls shadow uses the native system call
16:13:51 <jnewsome> oh hey. I can talk about this a bit if it's helpful. (I get pinged on "shadow" mentions haha)
16:13:58 <cohosh> jnewsome: awesome :D
16:14:11 <cohosh> i was just digging for the relevant source but you can answer best XD
16:14:38 <jnewsome> yeah, we basically intercept every syscall, using seccomp or ptrace. we emulate most of them. some of them we allow to execute natively
16:15:16 <jnewsome> ones we haven't explicitly implemented / decided-on yet just return an error
16:15:19 <jnewsome> ENOSYS
16:16:15 <dcf1> ok, so it's not as if snowflake is contravening some security policy, it's just hitting the frontiers of what shadow has implemented
16:16:25 <jnewsome> right
16:16:25 <cohosh> yup :)
16:16:45 <cohosh> a lot of the hiccups were common to pretty much all Go networking code
16:17:46 <cohosh> so a neat side effect of getting snowflake working is that shadow will be more usable for other programs written in Go
16:20:58 <cohosh> any other discussion for today?
16:21:20 <cohosh> dcf1: really nice work on the ampcache rendezvous
16:21:38 <dcf1> thanks
16:21:54 <dcf1> I guess we just keep it in our back pocket for now, in case it becomes needed
16:22:14 <cohosh> is there a reason to switch over before that?
16:22:36 <dcf1> it was good to lay the groundwork for modularizing client registration
16:23:01 <cohosh> yea i like the refactoring you did there
16:23:02 <dcf1> well, ampcache is lower (zero) cost, but the cost of domain fronting is already low
16:23:17 <cohosh> fair enough, domain fronting through fastly is also free for us at the moment
16:23:22 <dcf1> ampcache unfortunately only works with google, so ampcache rendezvous won't work in China
16:23:45 <cohosh> okay i was wondering if that domain was blocked
16:24:05 <dcf1> probably you can find some domain that works that isn't blocked, but I imagine it would take some looking
16:25:02 <dcf1> if we make the configuration be based on SOCKS args, then potentially we could have different configurations of snowflake available in the connection wizard
16:25:41 <cohosh> that was the main motivation
16:26:06 <cohosh> for snowflake#40059
16:26:41 <anadahz> Q: Do I recall correctly that Snowflake had a security code review?
16:26:54 <cohosh> hey anadahz!
16:27:05 <dcf1> anadahz: only a small part of it, the turbo tunnel session layer
16:27:29 <cohosh> https://lists.torproject.org/pipermail/anti-censorship-team/2021-April/000167.html
16:27:51 <anadahz> Do you think that it will be of value to have an extended code security review?
16:28:59 <cohosh> it couldn't hurt for sure
16:29:23 <cohosh> it's still under active development though
16:29:30 <cohosh> so maybe it'd be better to wait a bit?
16:29:53 <anadahz> Perhaps it will be better when it reaches a final release?
16:30:03 <anadahz> s/final/stable
16:32:07 <cohosh> yeah
16:32:08 <dcf1> anadahz, do you have a lead on getting a security audit done?
16:33:18 <anadahz> dcf1: yes, but I'll need to convince them :P
16:34:17 * cohosh will happily accept free security audits XD
16:34:26 <anadahz> \o/
16:37:11 <anadahz> re: kazakhstan thread on ntc.party It may be that they are deploying something new. Perhaps looking at whether there were any websites blocked in the same date range may bring up some insights.
16:37:24 <cohosh> yeah that's a good suggestion
16:38:54 <cohosh> anything else before i end the meeting?
16:40:19 <cohosh> thanks everyone!
16:40:22 <cohosh> #endmeeting