16:00:13 #startmeeting tor anti-censorship meeting 16:00:13 here is our meeting pad: https://pad.riseup.net/p/r.9574e996bb9c0266213d38b91b56c469 16:00:13 editable link available on request 16:00:13 Meeting started Thu Aug 22 16:00:13 2024 UTC. The chair is shelikhoo. Information about MeetBot at http://wiki.debian.org/MeetBot. 16:00:13 Useful Commands: #action #agreed #help #info #idea #link #topic. 16:00:16 hi! 16:00:46 hellohello 16:02:18 dcf1: congrats for the presentation in usenix, I hear it was really good, I hope the video gets released 16:02:44 hihi sorry got a bit distracted 16:02:45 thanks. I will update the bbs thread and tor forum thread when there's a video. 16:02:51 also congrats dcf1 16:03:01 nice 16:03:16 congrats dcf1! 16:03:45 congrats! 16:06:02 okay. let's start today's meeting 16:06:19 the first topic is: 16:06:20 - Snowflake debian package is outdated: 16:06:20 - Is there a plan for updates? If AC-Team wants to increase the number of snowflake standalone proxies, we need to maintain deb packages. Should we start a call for maintainers? If so, what are the requirements? 16:06:20 - MR: https://gitlab.torproject.org/tpo/web/community/-/merge_requests/386/diffs Please note that every new string added to the community portal is localized. If this is a temporary issue, I don't think it worth merging it. (gus) 16:06:47 I think ggus added it but is not around today 16:07:14 yes, that being said the topic was quite self-explanatory 16:07:15 anyway, yes the snowflake package in debian is pretty outdated and I have being failing to find the time and motivation to update it 16:07:55 I think this is one of the issue with debian: old package 16:07:59 we are starting soon P146 where we plan to work on snowflake and one of the deliverables is to improve our packaging of snowflake 16:08:14 I think we should consider make generating debian package automated 16:08:19 so the answer is yes, we do plan to work on this, but maybe not very soon 16:09:06 This would be the same as the general direction of making everything automated 16:09:11 I'm not sure what to recommend for the community portal, but I'll write there saying that we do plan to update it but will take some months 16:09:53 there are some manual steps always to publish into debian, but I guess we could automate most of it 16:10:18 I've being maintaining this package, but I'm not that skilled on packaging for debian 16:10:27 It's worth to mention that it's apparently not just outdated but non-functional due to incompatibility with other components. 16:10:30 and I wish someone else that knows better can take over 16:11:02 *components of Snowflake 16:11:08 WofWca[m]: I see, that is sad 16:11:10 A think a easier way would be just package the binary in debian with an self-hosted repo 16:11:36 yes, we have deb.torproject.org we can try to get this package pushed there as part of P146 16:12:15 the debian moderation standard is quite time consuming, if we couldn't meet its demand in a timely manner, we should find another way 16:12:17 yes 16:12:30 anything more on this topic? 16:12:48 not from me 16:13:07 https://github.com/eyedeekay/blizzard/ "Blizzard: The I2P Snowflake donor Plugin" 16:13:07 should we ask them to use a diferent identifier than "standalone" to find them in the stats? 16:13:51 that was me 16:14:00 this is an IsP snowflake proxy 16:14:06 based on our proxy library 16:14:10 we mentioned it last week 16:14:26 they are not changing the name, so AFAIK in our stats will appear as standalone 16:14:47 I wonder if we should poke them to use a different name so we can see them in the metrics 16:14:59 yeah, personally I love it. I just hope they can update their package when we do 16:15:04 do I recall correctly that there is an easy way to change that name? 16:16:00 Isn't there a change required on the Tor Metrics side as well, to add a new recognized proxy type? At least I thought there was some kind of "whitelist" of known names and names not on the list become unrecognized. 16:16:23 mmm, that rings a bell 16:16:24 the broker does some validation for sure 16:16:38 That's it, it needs a coordinated change in the broker 16:16:40 https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/blob/main/proxy/lib/snowflake.go?ref_type=heads 16:17:01 I wonder if is worth it here, not sure how many contributors will bring 16:17:02 shelikhoo: you beat me to it :D 16:17:17 I think we just need to change the value here, plus add the name to the allow list 16:17:42 then it should be fine, that being said, I don't think this value can be set via command line 16:17:47 well it's not the worst thing to have them counted as unknown, which is what will happen if they specify a name we don't recognize 16:17:50 uhm I do not think we use proxy types... 16:17:53 I documented a history of how there was a time where we were missing "iptproxy" labels because the broker hadn't redeployed yet 16:17:56 https://github.com/turfed/snowflake-paper/blob/98cf35650ef8d9021b4f1fda1adb56ba61d2891a/figures/proxies/proxy-type.r#L17 16:18:13 hiro: we do in grafana 16:18:17 hiro: you're right, I was mistaken, it is not Tor Metrics that needs a change, but the Snowflake broker. 16:18:28 ah ok so you meant your metrics 16:18:38 xD 16:18:54 shelikhoo: it can be set in the SnowflakeProxy struct which is what they're using 16:19:06 https://github.com/eyedeekay/blizzard/blob/9123dd706cc0a1e3b0d64ffcb5199ad67d216d8a/main.go#L39 16:19:28 cohosh: yes! I didn't read their source.. 16:19:45 it seems they are already compiling it on their own 16:19:49 ok, then I'll open an issue on their side to ask them to set a different name 16:19:52 "After [2020-12-03], attribute unknown proxy types until 2022-06-21 to iptproxy. IPtProxy reported its type as "iptproxy", but this value was not recognized by the broker until the deployment of 2022-06-21." 16:19:59 and we'll see about the update on the broker side 16:20:04 sounds good 16:20:14 so we just need to add a new name to broker allow list 16:20:17 nice! 16:20:32 cool, I'll inform on whatever they said 16:21:05 anything more on this topic? 16:21:17 nop 16:21:17 archive https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-mobile 16:21:18 var KnownProxyTypes = map[string]bool 16:21:21 https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/blob/b73add155074657cb763fcf12a3f7d2e9e22316d/common/messages/proxy.go#L19 16:21:50 yes, here is the list of proxy that are known and accepted 16:22:01 yes, here is the list of proxy type that are known and accepted 16:22:47 I have archived snowflake-mobile repo, it has being updated for 3 years, not sure if it has ever being used, let me know if I should revert the archival 16:23:27 thanks, that was a good call 16:23:42 I think it is the right decision, we don't have too much time in working on it, and tools like orbot already have similar features 16:23:59 anythig more on this topic? 16:24:07 not from me 16:24:16 PT binary size updates 16:24:16 https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42607 16:24:16 Remove conjure from android as a last resort 16:24:36 okay, it seems there is another squeeze of bytes 16:25:30 yeah, we've been trying a few things but none of them have had a good effort to results ratio 16:25:57 both Google and Apple impose some kind of size limit on some size 16:26:27 as a result, we are keep spending time on subsiding them 16:26:40 i offered the option of just removing conjure from android versions 16:26:51 we still have a few tricks up our sleeve but they require some time 16:27:22 conjure is pretty minimally supported by us anyway so i don't think we will lose a lot there 16:27:49 here is its recent usage: https://metrics.torproject.org/rs.html#details/A84C946BF4E14E63A3C92E140532A4594F2C24CD 16:28:07 I agree, is ok to remove conjure for now in android 16:28:14 I think Google was trying to push https://developer.android.com/guide/app-bundle 16:29:21 It is a way to split app in to many chunks, and let google serve them 16:29:46 the downside is they are requiring app developers to surrender apk signing keys 16:30:36 shelikhoo: hm, might be worth mentioning on the issue 16:30:44 this one: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/42607 16:31:03 but yeah i suspect the signing keys thing will be a dealbreaker 16:32:53 yeah, I think eventually distribution over play store would be discontinued 16:32:58 but anyway 16:33:09 anything more on this topic? 16:34:17 nope 16:35:03 Manifest V3 Deployment pending, will proceed on next week 16:35:30 the last discussion topic: I plan to deploy manifest v3 on chrome next week 16:35:44 that's great :) 16:35:44 should we delay it, or we should go ahead 16:36:09 this would be the last step in throwing away the ticking bomb! 16:36:27 i think it's a good idea to go ahead with it. It is definitely functional in its current state 16:36:34 shelikhoo: FYI CWS has a phased rollout feature, i.e. you can roll our the release to only a certain percentage of users. 16:36:42 yeah!!! 16:36:50 I will try to prepare for it on Monday, and hit the big button on Tuesday 16:36:59 :) 16:37:05 i didn't know about the rollout WofWca[m] that's a good tip 16:37:26 yes, we could do it, but anyway we just need to watch out for complaints 16:37:32 or feedbacks 16:37:35 the main missing part is getting the popup to turn green when there's a user right? 16:37:56 i think we have the error messages propagating 16:38:06 the missing part is when there is an error there is no detailed error reason 16:38:16 and there is user count display 16:38:18 oh i see 16:38:30 that's right 16:38:37 right now the only error supported is the consent error 16:38:45 i still think it's worth it to deploy since we're past the deadline 16:38:47 any other error is not yet shown to the user 16:38:49 yes 16:39:29 okay, let's move to the next thing: discussion group on the paper 16:39:30 Bridging Barriers: A Survey of Challenges and Priorities in the Censorship Circumvention Landscape 16:39:46 https://www.usenix.org/conference/usenixsecurity24/presentation/xue-bridging 16:40:45 I can try to produce an introduction to the paper 16:40:56 yes, please@ 16:40:57 ! 16:41:12 the researchers have done interviews to users and providers of Circumvention Technologies (CT) 16:41:39 looking on how their expectations and use differs 16:42:54 they have look into the motivation to use them, the bootstrap/discover and the usage 16:43:23 not sure what else to add to the summary 16:43:47 I wonder if we have any authors here? They said they might be. 16:43:50 thanks! 16:44:19 Yes it's very interesting that this study looks at two sides: the providers and the users. 16:44:26 thanks for the summary from meskio, I think we can start the first discussion topic about this paper 16:44:29 What aspects of the paper are questionable? 16:44:36 I found it a bit too focused on VPNs, but some good points about how people in censored areas learn about CTs and people are making money on selling that information. 16:44:53 they also interviewed anti-censorship tool developers as well 16:45:22 theodorsm: yes, at the same time users do mention their need for privacy and they do point towards Tor there 16:45:36 The "VPN" terminology question is tricky, a lot of people don't know the difference, as they say in a footnote on page 7. "Surveyed users often used the two terms interchangeably." 16:46:15 Tor itself is engaging with with such a problem with the name of Tor VPN, if I am not mistaken. 16:46:36 I see two interesting places where users and providers have different perspective: 16:47:03 I think for non-tech users application layer proxy, transport layer proxy and packet layer proxy isn't that difference if they serve the same purpose 16:47:08 1. on the motivations users mention people not caring about bypassing censorship, while providers talk about people not knowing about censorship 16:47:46 my complaints is that when they asked for what assistance would be appreciated, they didn't mention assistance from who 16:47:56 2. on the trust users mention the need for privacy and anonymity while providers talk on how it is not so important 16:48:24 I assume it is just about assistance from academic community, but may there are most to ask for other part of society 16:48:52 the trust discussion was interesting to me too 16:49:11 I agree, it shows how Tor is valuable there :) 16:49:41 good observation meskio. "there's so much distrust and snitching going on that unfortunately I just can’t trust anyone." (U14) 16:50:05 yeah, i was going to say that Tor helps for sure, since we can't see what users are accessing through our tools, but there is some non-neglible trust in the sense that we do see their IP addresses, being the first hop 16:50:10 How does Tor collaborate with organzations such as Amnesty, could they for example also educate people who need CTs and anonymity? 16:50:39 yeah, the "airport" space is quite... contested... especially when both provider and user can land in prison 16:50:48 some ac tools and bootstrapping requires accessing servers run by tor the org/community, some bridges run by volunteers we don't know 16:51:22 (we are now also discussing: 16:51:22 Are there immediate actions we can take based on this work? 16:51:22 Are there long-term actions we can take based on this work?) 16:52:07 I guess those questions are related to what cohosh is saying 16:52:18 Section 6 is about future priorities and challenges, maybe we can discuss how much we vibe with those 16:52:27 users do put some trust on those bridges 16:52:47 i would be curious to know a bit more about the privacy risks users are worried about: is it mostly what they are visiting, or whether they are using the tools 16:53:19 in section 6 they talk about "streamlining the bootstraping and server rotation process" wich connects a lot with the work we want to do with signaling channels library 16:53:23 I think one of the issue is that they do wish to use these AC-tool to do what normal netizen do 16:53:26 * Bootstrapping Challenges 16:53:26 * Outreach & Feedback Channels 16:53:26 * Flexible Funding 16:53:26 * Academic Priorities vs. On-the-ground Needs 16:53:26 * User Education 16:53:29 * Collaboration & Community 16:53:34 in section 6 they mention faster turn around time for surge and sustain funding but this also likely implies an over reliance on known and established entities and funding directed only to them 16:53:47 I often hear user discussing how to get their proxy to work with ChatGPT 16:53:55 Netflix 16:54:02 shelikhoo: that's interesting 16:54:06 register account at Google... 16:54:10 so there's kind of an inherent friction between having this kind of funding available and creating more dynamic CT approaches. . .maybe? 16:54:20 "Private grants or donations could serve as viable alternative funding avenues." any ideas about that? 16:54:52 So, as Tor, if we wants to attract more user, we need to make Tor (exit) more useful when it comes to actually accessing website and services 16:55:18 I do appreciate the discussion of existing funding channels creating an unintentional and undesirable competition between CT providers. 16:55:35 '"we are in this together" mindset' 16:55:45 and let's say Edit Wiki, Register Account without phone number, and Access ChatGPT 16:55:50 This is related to my own frustration with research groups not talking to one another, perhaps. 16:56:15 yes, that is something that frustrates me too dcf1 16:56:20 and a lot of people in the community 16:56:33 theodorsm: I don't know the answer to your question about Amnesty etc. OONI does some outreach and training, I'm not sure about others. 16:56:47 Just let you know these "airport"s frequently DDoS each other 16:56:48 yes, I see there is some collavoration for funding, we do have grants together with other parties, but maybe something to improve more 16:57:37 and they also have alliance with public announcement channel to punish "airport" they don't like 16:57:59 "unless you change your course you will be DDoSed" 16:58:02 something like that 16:58:04 theodorsm: no idea about amnesty, we'll need to ask ggus about it, I know we do colavorate with other outreach organizations 16:59:02 Is there future work that we want to call out in hopes that others will pick it up? 16:59:10 okay the last minute! 16:59:18 let's chat about future works 16:59:58 I think their future priorities are good, I personally care more about the bootstrapping challenges and the academic priorities, as it touches my work more closely 17:00:21 meskio: +1 17:00:42 I will keep the meeting open for 3 minutes to have everyone's voice remembered, but to avoid overtime the meeting is officially ended! Thanks everyone! 17:01:14 "“the more 17:01:15 The questions about how users go from zero to somehow bootstrapping into a CT is maybe the most groundbreaking part of this survey. 17:01:16 steps you have, the fewer people can do" 17:01:34 obfs4 requires quite a few steps, some with trial and error 17:01:37 cohosh: thank you for your advocacy of publishing in HTML and not PDF :) 17:01:46 hahaha 17:02:07 I think in general that the first step will be assisted by friends 17:02:10 in person 17:02:29 especially for those without the skills 17:02:30 it's quite true, though in Tor and probably elsewhere we have been making progress, with moat, connection assist 17:02:58 that's right we do have a more automated way of getting obfs4 bridges now :) 17:03:02 that being said, a lot of clients are quite easy to use, with an subscription link, the rest will be taken care of bv the client 17:03:18 shelikhoo: so do you believe it starts with a lower level of awareness-building? 17:03:50 dcf1: yes, I think the user need to be aware of the wall, and then be shown the value of bypassing it 17:04:41 many users I know are there to access tools or information they know they couldn't get inside the wall, such as the update on their favorite singer's social media account, or ChatGPT 17:05:27 Yes, I guess ChatGPT would be an example of the kind of sudden "crisis" like Molly Roberts et al. talk about, where there is something people want to access that there is no ready replacement for. 17:05:36 I will end the meeting here to put an end to over time, but feel free to keep chatting! 17:05:43 #endmeeting