18:04:38 #startmeeting tor launcher automation
18:04:38 Meeting started Fri Jun 2 18:04:38 2017 UTC. The chair is isabela. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:04:38 Useful Commands: #action #agreed #help #info #idea #link #topic.
18:04:41 nickm: thanks!
18:04:48 great!
18:05:00 first, thanks everyone for adding stuff to the doc
18:05:15 here is the feature brief i am trying to keep updated as our discussion evolves
18:05:21 https://docs.google.com/document/d/119plBq2oIeNS3okHCBNaBSqm_a1jJObYxKB_n6jodoQ/edit#
18:05:22 I added some stuff at the very last minute – sorry!
18:05:26 and this is the doc i am talking about :)
18:05:51 i was thinking that for this meeting we should elect 1 (or 2 problems) to discuss and solve - and use a pad to take notes etc
18:06:12 i have a suggestion of problem to discuss but i am open if folks prefer another one
18:06:24 i also created this pad: https://pad.riseup.net/p/launcher-auto-prob
18:06:49 isabela: tell us your preferred problem!
18:06:50 the problem i would like to suggest is 7.C at the google doc, which i noted on the pad as well
18:07:25 if moat happens before trying hardcoded bridges what happens if meek is blocked and how we will go about the user experience on that
18:07:57 i am raising this problem because i am more and more convinced that moat before hardcoded bridges might be the right path here
18:08:15 ok i will be silent and let others say what they think :)
18:08:37 (and if we have an agreement on which problem to talk about we move on to talk about that)
18:09:05 for reference:
18:09:09 i think quite a few people might be assuming that meek is the most likely proxy technology to work (it just happens to be the most expensive to operate), does that seem right?
18:09:12 "Moat - this is how we are calling the idea to present a captcha for the user to solve in order to get a bridge. Our idea is to embed what bridges site has: https://bridges.torproject.org/bridges on Tor Launcher window."
18:09:20 off-topic: Since it's my first Tor Launcher Automation meeting, I also have a few questions outside of problem-solving... Tell me when it's best to ask them. And I'm very happy to have been invited!
18:09:23 +1 on moat before hardcoded bridges, it's less blockable/fingerprintable, and also later (when there's hyphae) it all looks mostly the same (i.e. "someone is connecting to google/amazon/etc")
18:09:29 catalyst: I think so!
18:09:51 sajolida: it's the first one for all of us! and probably after the agenda. :)
18:10:05 * Samdney lurks
18:10:22 the problem with moat before hardcoding bridges is that it seriously diminishes the automation benefits
18:10:27 I am not a fan of it from the UX perspective. :(
18:10:30 GeKo: +1
18:10:39 linda: actually is the 2nd meeting :)
18:10:42 catalyst: meek is most likely to work, but also if everybody does it, it creates a pretty clear fingerprint and also a pretty clear bottleneck.
18:10:45 isabela: oh riiiiight
18:11:01 mcs: wrt meek-client, how much have you worked on the current profile launching code in TBB? I am wondering if that is a better choice than the go meek-client, both for error reporting and for not being blocked
18:11:01 GeKo: which automation benefits?
18:11:04 it does not just work for the users anymore out of the box instead they have to solve a captcha first
18:11:05 catalyst: privacy bottleneck i mean. whoever runs the huge website gets to see *all* the bootstrapping.
18:11:17 sajolida: give us a min on deciding about this part and we can address other stuff after - how does that sound?
18:11:35 isis: that the users clicks on the auto connect button and behind the scenes everything is configured and the browser window pops up
18:11:37 arma2: we have multiple CDNs we use for meek right?
18:11:39 arma2: in this case, it's only using meek as a sort of C&C channel to talk to bridgedb
18:11:51 with a working bridge or not if a direct connection is enough
18:12:08 I was thinking that maybe we could do moat after trying a few hard-coded bridges only, like three. That would help with stop point #1: time to connection.
18:12:18 i bet that would work for 90% of our users right now
18:12:24 which would be a huge win
18:12:25 isis: yes, right, but still, remember the case where haystack tried to see if it had network connectivity by going to a state owned website.
18:12:37 mikeperry: I am not sure what you mean by “how much have you worked on the current profile launching code in TBB?” But we can discuss the best choice later ;)
18:12:40 GeKo: +1
18:13:31 the problem with moat behind the hardcoded bridges step is: how do we ever reach the moat step?
18:13:32 so, I'm really not comfortable with doing things that will get automatically blocked, and I think trying hard-coded bridges will get blocked by _existing_ censorship tech.
18:13:44 sajolida: i like the idea of trying a limited set of hard coded bridges and then leave moat to happen after that
18:14:01 nickm: good point
18:14:16 nickm: i agree. that's highly location-dependent though right?
18:14:22 nickm: good point.
18:14:40 to be clear, if the user clicks auto, we try normal tor bootstrap, and all of this discussion is only for the case where that normal bootstrap fails, yes?
18:14:49 yes
18:14:53 great
18:15:03 ok, so if we're doing that, we don't actually care about china, right?
18:15:09 or competent censorship?
18:15:12 arma2: oh I needed that clarification
18:15:15 and this is just for dumb censorship?
18:15:27 nickm: I also need that clarification
18:15:39 arma2: yes
18:15:50 arma2: hopefully the graphs at the docs shows that
18:15:53 if we do the "try three bridges first" thing, china is just going to block people's connections for a few minutes, and then moat is not gonna work
18:15:55 nickm: can you expand a bit on the not caring about china part?
18:16:05 what isis just said above
18:16:21 "Try the detectable thing first" will make us get blocked by...
18:16:25 ok. so the worry is a censor that knows to look for the "cute little christmas tree tor behavior", and when it sees it, it knows to shut down that user for a while.
18:16:42 ...anybody who takes a "when you detect anticensorship, throttle or shut down the user for a bit" approach.
18:16:48 https://drive.google.com/file/d/0B0Ke2fBu7_ALVHBaVXh6Wl9kX0U/view
18:16:51 China's been known to do that at times and places
18:17:03 so has iran
18:17:03 If we believe that hard-coded bridges will fail 90% of the time. Then what's the benefit of trying them to solve stop point #1? Or maybe only try them if, based on the location, we *know* that they have a chance to succeed.
18:17:08 so this is where making it possible to disable the various stages and ideally also reorder them is useful. I think we should at least have a pref that lets us say "skip direct connect, go directly to moat" in TBB that we can flip just for zh-CN builds
18:17:21 arma2 linda - https://drive.google.com/file/d/0B0Ke2fBu7_ALVHBaVXh6Wl9kX0U/view
18:17:26 if we take this "loud then quiet" approach, and we expect it will work in china or iran, then we are fooling ourselves.
18:17:29 hopefully this will help understand the steps
18:17:34 I'm okay with saying "let's do a dumb thing first"
18:17:40 and then later, in V2, we expand that to country detection and Doing the Right Thing, based on OONI data
18:17:43 so this sort of implies two (or more?) user flows: 1) if you're in a non-censored place, try N hardcoded bridges before falling back to moat 2) if you're in a censored place, do moat and fallback to hardcoded
18:17:47 i'm okay with saying "let's do a stupid thing to fight stupid censors"...
18:18:17 isis: we could think about that, yes
18:18:28 but if we actually want to make this easy for people facing a competent adversary, we can't take the "loud first, quiet second" approach for them.
18:18:41 i guess this means we need a better idea of "what is V1 _not_ trying to do"?
18:18:59 nickm: does "when you click auto, tor starts by trying to bootstrap normally" already count in your "loud" category?
18:19:00 mikeperry's idea for prefs is good
18:19:10 nickm: what do you think about the solution mikeperry is talking about
18:19:15 arma2: yes
18:19:20 great
18:19:45 i like the preference idea
18:19:46 mikeperry: what kind of pref? user-editable?
18:19:49 isabela: if I understand, mike's idea is to have a "loud first" mode and a "quiet first" mode, and to choose between them based on increasingly smart heuristics?
18:19:52 we could at least experiment with it
18:19:53 that seems ok
18:20:03 * linda nods
18:20:23 mikeperry: btw, many people in china don't use the zh-cn builds, because the translations are bad enough that they use english instead. not a deal breaker, but something to keep in mind.
18:20:42 or the fonts in tor browser suck
18:20:46 if we say "moat == 1" and "try hardcoded bridges == 2" and "other thing == 3" then TB can ship configs like "zh_CN: 1,3,2; en_US: 2,3,1; etc"
18:20:48 catalyst: TBB about:config pref.
18:20:51 arma2: good point
18:20:52 geko: oh hey, or that too.
18:21:11 arma2: yeah, stopgap until we get country detection working for V2
18:21:23 isis: +1
18:21:39 isis: +1
18:21:39 isis: i would expand your list to say "0 == normal tor bootstrap", and then put 0 in the ordered list somewhere
18:21:46 arma2: +1
18:21:48 Like saying "for zh-CN builds we do this and that".
18:21:58 arma2: I was going to say this. Beware not to assume too much regarding
18:21:58 language-country mapping. Like saying "for zh-CN builds we do this and
18:21:58 that".
18:21:58 I bet lots of people use Tor while travelling, use Tor in English if
18:21:58 they know English because translations are partial or bad, etc. Some
18:22:01 languages are spoken in many countries (French in Africa, Spanish in
18:22:03 America, etc.).
18:22:27 +1
18:22:28 yeah, this is discussed in the V2 part of the doc (a pref that defines ordering of panes based on country detection, not locale)
18:22:29 to help future readers, maybe we could add a high-level overview of what things each implementation phase is and is not trying to do?
18:22:46 catalyst: that is a good idea
18:23:20 so, we are heading towards "part one, teach tor browser how to do attempts in a variety of orders, and make it easy to specify what order", and "part two, we'll work on good interfaces for users to get the right order"?
18:23:36 sajolida: +1
18:24:00 Also, how do we convey to users that different builds lead to different anti-censorship properties *before* they download and try them?
18:24:04 arma2: i think that matches my understanding so far
18:24:19 arma2: that is my understanding as well
18:24:28 sajolida: I am not sure we need to specify this
18:24:35 catalyst: that doc is trying to do that - things will change after this meeting probably - but it has some info of other phases
18:24:41 ok. i think having tor browser know how to do various bootstrap attempts is a great building block.
18:24:53 sajolida: we can specify that things will work better, but not go into the details.
18:25:02 arma2: yes, that is really brilliant.
18:25:48 i would be tempted to, if we're doing the dumb thing first, try to do a dumb thing where it's more obvious to the user that a decision is being made
18:25:49 sajolida: there will always be a "manual configuration" mode for all users of any place/language
18:26:03 the one where the language bundle they pick dictates the decision is sure going to be surprising to them
18:27:07 we can label things by censorship environment rather than languages, which could help
18:27:14 where are we on the "just have auto do the thing that works for most people, but not for china and iran, and have an "advanced" button or something for now, and later we try to have something that works for china and iran"?
18:27:43 that is, auto chooses 0,1,2,3 or 0,2,1,3 or whatever we decide to do as our first try.
18:27:55 arma2: we will always keep the flow that has manual configs
18:28:03 hmm
18:28:09 then the manual config option would let you choose the ordering
18:28:36 arma2: for now i was thinking of just using the flow that linda suggests on her paper
18:28:38 i don't think so
18:28:43 I am now thinking that maybe we should ask the user to choose between 0,1,2,3 or 0,2,1,3. In general, and not have different versions do different things, which is confusing.
18:28:49 arma2: not pick an ordering but just the normal path we have now
18:28:54 We can just ask the user "where are you?" and let that map to a strategy
18:28:56 Presumably, our users in Iran and China have to use manual today (so we will ask them to keep using it for a while longer).
18:28:57 yes
18:28:59 arma2: https://drive.google.com/file/d/0B0Ke2fBu7_ALVHBaVXh6Wl9kX0U/view
18:29:18 I am also a fan of my own flow. but I am biased and I have been wrong before
18:29:26 (my "yes" was to what isa said)
18:29:33 mcs: yes, manual == what ppl have to do today, but with the improvements linda suggests on her paper
18:29:39 yes
18:29:42 isabela: right
18:30:09 i think auto *needs* to try 0 first, right? so if we are worried about the christmas tree light effect, where people notice you clicked auto.. that is just something we have to accept, right?
18:30:10 so first choice for the user will be 'auto' or 'manua' or whatever we want to call them
18:30:16 I don't think we should ask the user where they are if we can avoid it. and I think on most platforms, we can (without looking at locale)
18:30:23 *manual
18:30:32 arma2: 0 == dir connect?
18:30:33 fewer questions => better
18:30:41 arma2: if so, then yes, auto is doing that
18:30:43 0 == direct connect, yes. linda's first box after auto.
18:30:43 linda: +1, Asking for the country might look awkward but my be a better first step than having different config on different builds. Version 2 will solve this awkwardness.
18:30:58 s/my/might/
18:31:03 mikeperry: there are mozilla apis we probably can use for getting a good understanding of where folks are
18:31:04 mikeperry: are you thinking probing OS settings to infer geographic location?
18:31:16 iirc mozilla used that for search engine selection
18:31:36 Probing OS settings won't work in Tails :)
18:32:05 but maybe that's an appropriate tradeoff for a first guess
18:32:55 does Tails ask people their timezone, or is everything UTC?
18:33:25 let me try my point again. auto needs to start with step 0, direct connect, right? and if so, the game is over if the chinese user would be more subtle doing step 3 rather than step 2, because they've already done step 0, direct connect.
18:33:30 arma2: well, we could think about skipping 0 for folks in china
18:33:44 hm!
18:34:10 yep
18:34:12 mikeperry: not *yet* but we want to do that at some point, so that would work indeed
18:34:19 that is the reason we are thinking how we find out folks are in china
18:35:09 sajolida: cool
18:35:17 so the alternative would be to try to figure out where they are, e.g. in a country selector where we could try to be smart and auto select the right country if possible, and then the choice of country dictates what auto actually does.
18:35:21 so do we agree that phase 1 isn't going to (automatically) help people in China?
18:36:02 catalyst: correct, phase 1 won't help anyone in china
18:36:08 catalyst: as it is now , yep. but we could change it to address that
18:36:15 exactly
18:36:32 that is why we are thinking of asking for the country first
18:36:40 or trying to figure out the country if we dont want to ask
18:36:56 if we can do that we could address the users in china issue
18:37:05 i would kind of hope we do both. that is, even if we try to figure it out so we don't have to ask, we just use what we figured out as the default, when we ask.
18:37:14 (my main interest in phase 1 is making sure it doesn't introduce something that messes up phase 2 for chinese/iranian/etc users)
18:37:41 I am a fan of asking for something, because it kind of is a form of consent. Having users pick a country and click "connect me" seems like a good use of a window, rather than jargon and clicking a button "I understand the risks of connecting"
18:37:43 i liked the idea to try to auto-select the correct country from a dropdown/autocomplete list
18:38:04 linda: how are you feeling about a drop down box or whatever where the user selects her country? and we can make it give them our first guess at their country automatically, e.g. by language choice or whatever
18:38:48 isi: Right, guessing and asking are not exclusive. We can guess and propose to refine or correct.
18:38:55 right.
18:39:02 one thing to think about re:asking user for their country -> if user gives an answer that is not true, e.g. i am in china and i say i am in honduras because your question creeps me out
18:39:05 yep
18:39:11 then we will be trying the wrong thing for the user for a while :)
18:39:17 that's fine, i think.
18:39:18 arma2: that sounds good to me, initially. I'd need to think about how it's done and test it to be sure
18:39:22 you get to pretend you're in honduras if you like.
18:39:28 also let's remember that censorship is not uniform per country. universities have different rules than areas with mistrusted minorities have different rules from the capital during an election
18:39:45 this won't be an easy UI to figure out
18:39:49 hmm
18:40:03 so it's starting to sound to me like we're expanding the scope of phase 1 to cover some of phase 2, which is fine, but i'd rather we did so intentionally (or someone can tell me how i'm misinterpreting)
18:40:04 The coolest thing to do is just to do one thing that works all the time. :(
18:40:16 catalyst: hmm good point
18:40:18 yeah
18:40:21 this is true. if we don't have that many possible orderings, i wonder if we might just give them a choice between three bootstrap options, slider style.
18:40:26 catalyst: i think you are right
18:40:39 nickm: +1
18:40:40 or the slider style is done in the manual section, and auto uses the setting of the slider that works for lots of people.
18:41:21 nickm: i agree, but we will always have fall back (like if I pick US as my country and I am in detroit univ, which blocks tor, tor will try direct connect because i am in the US and then it wont work and it will try step 2 (moat or something))
18:41:42 taking a step back. one of the cool things about the current "phase 1 auto" is that tor browser gets to learn how to do each of the attempts. and we want that for all future designs i think?
18:41:53 the slider would get more complicated as we add things to try, since you can't really linearly order (1,2,3,0) (0.1.2,3) (2,3,1,0) etc
18:42:17 +1
18:42:20 arma2: I think that's true. "Try different things in different orders" is a feature we know we'll want
18:42:31 yep
18:42:39 isis: right, but we wouldn't need all permutations, we would only need whatever countries we were going to handle. (i think the slider idea is not best.)
18:42:52 the set of orderings that makes sense is still going to be smaller than the full permutation set, i hope
18:43:04 isis: i.e., if there is no country for which we would say "3,2,1,0", then there's no setting for that.
18:43:29 I think we should abstract the details of the ordering from the user
18:43:45 yeah. "please drag the options on this list into the order you would prefer Tor to try them" is a little too close to "please enter into this text box your best idea for defeating censorship; we're out of ideas!" for my taste ;)
18:43:49 they don't need to know that much--they just want to know what to choose that'll work, and if it changes their risk
18:44:13 "press this button to open the source code and reprogram tor"
18:44:15 ;)
18:44:15 i hope we do abstract that from the user
18:44:40 ok
18:44:45 catalyst: yeah, hopefully there's way less options than permutations, but still linear ordering for "how censored" is a slightly awkward concept (imho)
18:44:55 agreed.
18:45:09 i got a lot of good stuff so far - discussion has moved towards good direct in relationship to how to solve this problem. i want to make a time check
18:45:15 is 15min till the hour :)
18:45:27 how ppl are feeling?
18:45:38 finally starting to understand the plans a bit :)
18:45:42 heheh
18:45:47 yay
18:45:47 that is good :)
18:45:50 I feel productive!
18:45:59 But also need to go in 15 so wanna do things :P
18:46:23 to be clear, is 'version 2' a thing we plan to build on top of 'version 1'? or is it an alternative?
18:46:32 List of countries could be displayed in the abstraction: "$FANCY_NAME (3,2,1,0) Works best in Tanzania and Thailand". And we're not asking for the country so explicitly.
18:46:32 on the top of it
18:46:43 I'm fine to continue.
18:46:59 arma2: but probably will change now after this discussion
18:47:03 ok
18:47:08 ok. so it sounds to me like trying to ask for, or guess, the country is part of version 2?
18:47:10 maybe now is a good time sajolida for you to present your question?
18:47:17 unless we are unwilling to build a version 1 that doesn't have that?
18:47:19 isabela: Ok :)
18:47:22 sajolida: that sounds like an interesting idea
18:47:25 arma2: it was before this meeting, might change now
18:47:50 #1: What kind of network connections will Tor Launcher initiate *itself* (as opposed to asking little-t-tor to)? None?
18:47:54 i am kind of imagining the user would click "auto" and then it tries to guess country, asks what country, and then (maybe) has a "do you want to 1) try to be super sneaky (this might not connect) or 2) do anything and everything to try to get online (this might cause you to get noticed/blocked)"
18:48:50 and then #1 is something like (3,2,1,0) and #2 is something like (0,2,1,3) or whatever
18:48:58 isis: i agree that there are two wildly different use cases for tor ("reachability vs safety"), and trying to auto do the right thing for both user categories is super hard.
18:49:18 sajolida: can you explain a little more, i dont understand sorry
18:49:28 isis: i think that's great for user agency. i don't know that there's a good way to ask that in a way that gets useful answers from most users
18:50:08 as an example of sajolida's question. let's say tor launcher wants to use moat to get a captcha for a bridge. it uses meek to get the captcha. what launches meek?
18:50:11 Is the plan to adapt core tor enough so that all the trial and error are done by core-tor itself? Or is Tor Launcher going to initiate *some* network activity on its own while doing the trial and error?
18:50:16 sajolida: are you asking if this will change on the network side or just the tbb side
18:50:18 arma2: this reachability vs safety thing is the real problem
18:50:27 sajolida: tor launcher side
18:50:30 catalyst: +1
18:50:47 catalyst: yeah, that's true
18:51:30 that divide was the original motivation for connect vs configure in tor launcher, btw. connect was for the reachability people, and configure was for the safety people.
18:51:40 but then we didn't provide any good things for the safety people to do.
18:51:43 one more thing before we all go away ( sajolida if you have more questions please ask )
18:52:00 next step here will be: 1. update the brief reflecting this discussion
18:52:23 i hope to work with linda on some possible paths like the one isis suggested
18:52:31 and add graphs showing them there for the next meeting
18:52:34 :)
18:52:38 o/
18:52:39 and share this with the email thread
18:52:43 sounds good
18:53:04 sajolida: i think we are not sure where some parts of the work fall, but Tor Launcher will definitely need to be able to use meek-client to talk to bridgedb
18:53:05 i think once notes are down in the brief we will see if we capture the understanding that everyone has of v1
18:53:09 sajolida: i think that's not clear yet
18:53:20 and be able to start writing the tasks for implementing it
18:53:23 what isis said
18:53:34 isis, GeKo: fully understandable!
18:53:35 and then we will be able to start breaking down these tasks in a timeline
18:53:43 #2: for linda, regarding the implementation steps: What does "Perform QA once TBB team is ready" mean?
18:53:46 It seems like you're going to do a software prototype? Why not play with a paper prototype first, based on Linda's wireframe?
18:56:07 sajolida: is this based on the task at the doc?
18:56:17 isabela: yeap
18:56:35 we probably have to refine those but we have played with some user testing with alpha releases
18:56:47 we did a small one for orfox security slider
18:56:59 i put that there thinking of something similar
18:57:28 hopefully we will be able to coordinate with the community team on that so we can have a good diversity of demographic etc
18:57:33 testing it for us
18:57:46 linda provided a nice script/methodology when we did it for orfox
18:57:46 in "If possible organize user testing in multiple countries or simulating different scenarios", what kind of prototype are users going to test?
18:58:19 i dont have an answer yet, that depends also on tbb team bandwidth
18:58:21 big picture question re tor launcher vs the "meta" process that future sandboxes might want: should we just ignore that idea here? or is there a way to make more of our work here reusable for that future situation?
18:58:28 could be the alpha version of tbb which this feature
18:58:37 but anyway, count me in for testing in the languages I speak :)
18:58:45 sajolida: yay!
18:58:56 and my last question, #3: Any news on the possible language and coding dependencies for this new Tor Launcher? How easy is it going to be to reuse it in Tails? :)
18:58:58 s/which/with
18:59:02 arma2: i think ignore, alas
18:59:09 arma2: by "meta" process do you mean sandboxing the controller interface so a single tor process can be shared by mutually untrusted apps?
18:59:34 sajolida: that is a question for GeKo and mcs i guess :)
18:59:44 but maybe too soon to answer
18:59:51 catalyst: no, i mean being able to run tor browser on windows while properly sandboxing the browser, which involves not giving it permission to overwrite itself, which implies having some *other* process that really runs things.
19:00:13 I got a skype call, but I'll read these logs after~
19:00:22 thanks linda o/
19:00:22 and will still lurk here
19:00:30 geko: ok. ignore is not terrible, i think, since a lot of the design work is reusable.
19:00:40 Given the timeframe for version 1, I assume we do not have time to create a completely new launcher thing.
19:00:41 sajolida: there is no new tor launcher yet :)
19:00:55 * nickm is fading, but will still lurk
19:01:02 But yes, we have not done any coding for this yet :)
19:01:16 alright folks
19:01:25 we are achieving the hour
19:01:37 ppl need to eat, for some folks if friday night and the party is starting :P
19:01:41 so maybe we call it for now?
19:01:44 GeKo, mcs: ok, thanks!
19:02:01 yeap, i'm done
19:02:19 alright! thanks again everyone for coming up and help out with the discussion
19:02:23 it was very productive
19:02:29 will stop the bot now
19:02:35 ^_^
19:02:41 yes, very helpful meeting.
19:02:46 #endmeeting