16:00:02 <cohosh> #startmeeting tor anti-censorship meeting
16:00:02 <MeetBot> Meeting started Thu Aug  5 16:00:02 2021 UTC.  The chair is cohosh. Information about MeetBot at http://wiki.debian.org/MeetBot.
16:00:02 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
16:00:18 <cohosh> welcome
16:00:24 <cohosh> here is our meeting pad: https://pad.riseup.net/p/tor-anti-censorship-keep
16:00:53 <cohosh> feel free to update it with what you've been working on and add items to the agenda :)
16:03:27 <cohosh> thanks dcf for the links
16:03:56 <cohosh> i was reading the kazakhstan thread on ntc.party after seeing it there
16:04:25 <dcf1> seems like it may have been nothing, or a temporary anomaly?
16:05:01 <cohosh> hm yeah, how to interpret ooni tests is sort of an open question
16:05:32 <cohosh> in almost all cases the "tor is likely blocked" message doesn't actually correlate with whether it's possible to make a connection
16:06:33 <cohosh> but, it also seems possible that something was going on
16:06:39 <cohosh> this test for example: https://explorer.ooni.org/measurement/20210730T085155Z_tor_KZ_9198_n1_Q9PfLTtn5ob9sHzo
16:07:22 <cohosh> shows that most dir auths were actually reachable (although somehow they got 1/10) from that
16:08:03 <dcf1> hm
16:08:06 <cohosh> comparing that with the next day's results though suggests something was going on
16:08:26 <dcf1> I didn't see that tpo/anti-censorship/pluggable-transports/snowflake!48 was waiting for an approval, I'll do it today
16:08:40 <cohosh> thanks
16:08:54 <cohosh> i've also been trying to get snowflake working in the new shadow release
16:09:32 <cohosh> there's some work to be done before it's ready but when it is it'll be a better way to test server side changes without having to do a redeployment
16:10:19 <cohosh> and you can do neat stuff like say "i want the bridge in NL, a proxy in BR, and a client in CN"
16:11:09 <cohosh> but before it's ready i'm also trying not to get too far sucked down that rabbit hole at the expense of other things that need to get done >.<
16:11:11 <dcf1> that's great
16:12:01 <dcf1> what's the issue with system calls? does shadow run something like seccomp that limits them by default?
16:12:49 <cohosh> hm it depends on the call
16:12:59 <cohosh> some calls shadow uses the native system call
16:13:51 <jnewsome> oh hey. I can talk about this a bit if it's helpful. (I get pinged on "shadow" mentions haha)
16:13:58 <cohosh> jnewsome: awesome :D
16:14:11 <cohosh> i was just digging for the relevant source but you can answer best XD
16:14:38 <jnewsome> yeah, we basically intercept every syscall, using seccomp or ptrace. we emulate most of them. some of them we allow to execute natively
16:15:16 <jnewsome> ones we haven't explicitly implemented / decided-on yet just return an error
16:15:19 <jnewsome> ENOSYS
16:16:15 <dcf1> ok, so it's not as if snowflake is contravening some security policy, it's just hitting the frontiers of what shadow has implemented
16:16:25 <jnewsome> right
16:16:25 <cohosh> yup :)
16:16:45 <cohosh> a lot of the hiccups were common to pretty much all Go networking code
16:17:46 <cohosh> so a neat side effect of getting snowflake working is that shadow will be more usable for other programs written in Go
16:20:58 <cohosh> any other discussion for today?
16:21:20 <cohosh> dcf1: really nice work on the ampcache rendezvous
16:21:38 <dcf1> thanks
16:21:54 <dcf1> I guess we just keep it in our back pocket for now, in case it becomes needed
16:22:14 <cohosh> is there a reason to switch over before that?
16:22:36 <dcf1> it was good to lay the groundwork for modularizing client registration
16:23:01 <cohosh> yea i like the refactoring you did there
16:23:02 <dcf1> well, ampcache is lower (zero) cost, but the cost of domain fronting is already low
16:23:17 <cohosh> fair enough, domain fronting through fastly is also free for us at the moment
16:23:22 <dcf1> ampcache unfortunately only works with google, so ampcache rendezvous won't work in China
16:23:45 <cohosh> okay i was wondering if that domain was blocked
16:24:05 <dcf1> probably you can find some domain that works that isn't blocked, but I imagine it would take some looking
16:25:02 <dcf1> if we make the configuration be based on SOCKS args, then potentially we could have different configurations of snowflake available in the connection wizard
16:25:41 <cohosh> that was the main motivation
16:26:06 <cohosh> for snowflake#40059
16:26:41 <anadahz> Q: Do I recall correctly that Snowflake had a security code review?
16:26:54 <cohosh> hey anadahz!
16:27:05 <dcf1> anadahz: only a small part of it, the turbo tunnel session layer
16:27:29 <cohosh> https://lists.torproject.org/pipermail/anti-censorship-team/2021-April/000167.html
16:27:51 <anadahz> Do you think that it will be of value to have an extended code security review?
16:28:59 <cohosh> it couldn't hurt for sure
16:29:23 <cohosh> it's still under active development though
16:29:30 <cohosh> so maybe it'd be better to wait a bit?
16:29:53 <anadahz> Perhaps it will be better when it reaches a final release?
16:30:03 <anadahz> s/final/stable
16:32:07 <cohosh> yeah
16:32:08 <dcf1> anadahz, do you have a lead on getting a security audit done?
16:33:18 <anadahz> dcf1: yes, but I 'll need to convince them :P
16:34:17 * cohosh will happily accept free security audits XD
16:34:26 <anadahz> \o/
16:37:11 <anadahz> re: kazakhstan thread on ntc.party It may be that they are deploying something new. Perhaps looking at whether there were any websites blocked in the same date range may bring up some insights.
16:37:24 <cohosh> ye that's a good suggestion
16:38:54 <cohosh> anything else before i end the meeting?
16:40:19 <cohosh> thanks everyone!
16:40:22 <cohosh> #endmeeting