15:58:53 <shelikhoo> #startmeeting tor anti-censorship meeting
15:58:53 <shelikhoo> here is our meeting pad: https://pad.riseup.net/p/tor-anti-censorship-keep
15:58:53 <shelikhoo> feel free to add what you've been working on and put items on the agenda
15:58:53 <MeetBot> Meeting started Thu Oct  6 15:58:53 2022 UTC.  The chair is shelikhoo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:58:53 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:59:01 <shelikhoo> Hi~
15:59:05 <meskio> hello
15:59:42 <itchyonion> hello
16:00:51 <cohosh> hi
16:01:08 <gaba> hi
16:01:43 <dcf1> I am a little double-booked at the moment, but I left some notes about the snowflake-01 bandwidth issues in the pad
16:02:18 <meskio> dcf1: thanks
16:02:22 <dcf1> If you have any questions, go ahead and write them, and I will try to give answers
16:03:35 <shelikhoo> okay, let's move to the first topic
16:03:38 <shelikhoo> loss of bandwidth at snowflake-01 bridge
16:03:38 <shelikhoo> https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40207
16:03:38 <shelikhoo> the cause is unknown, but it may be something outside our immediate control, like a network issue at the hosting center. operators are investigating it.
16:03:38 <shelikhoo> will try a reboot later today
16:03:40 <shelikhoo> low bandwidth at the broker could be the cause of connection failures from Iran
16:03:42 <shelikhoo> https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/96#note_2841100
16:03:44 <shelikhoo> (but there are still users from Iran, still the largest single contingent)
16:03:47 <shelikhoo> https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40207#note_2840696
16:04:07 <meskio> AFAIK this is what dcf1 posted
16:04:34 <shelikhoo> We have started to reject out of date proxy since this Monday
16:04:56 <meskio> how is it going?
16:05:00 <shelikhoo> this will result in a loss of 30% of unrestricted proxy
16:05:14 <shelikhoo> and it is working as expected
16:05:32 <shelikhoo> but we are seeing users with restricted nat unable to find a match
16:05:50 <ggus> shelikhoo: should we announce to the community that we're rejecting these outdated proxies?
16:06:47 <shelikhoo> should we commit to this rejection, or do we want to roll back
16:07:23 <meskio> it looks like the bridge problem is bigger than the loss of proxies
16:07:29 <shelikhoo> I prefer to move things forward, but we should discuss this first
16:07:29 <meskio> but maybe I'm not seeing it clearly
16:07:31 <ggus> agree with meskio
16:07:51 <ggus> we can do a community call to have more proxies
16:08:04 <meskio> I have tried to use snowflake a couple of times from a restricted NAT and it took some time to connect but not horrible, but I am in a decent internet connection
16:08:20 <meskio> +1 to keep the change and inform the community
16:08:49 <cohosh> yeah the rejected clients are honestly no worse than they were before, perhaps because of the drop in usage we say, but almost certainly not the cause of it
16:09:15 <cohosh> s/say/saw
16:09:47 <shelikhoo> yes. I think to get around this bridge issue, we can start the process to add the info of second bridge to the broker
16:10:11 <shelikhoo> without including it in Tor browser
16:10:18 <shelikhoo> so we can begin to test it
16:10:24 <meskio> sounds good
16:10:27 <shelikhoo> (or validate it)
16:10:56 <shelikhoo> once this is done, we can begin to include this in Tor browser and send announcement
16:11:51 <meskio> we could write to tor-relays before that mentioning the proxy rejection and the need of more proxies
16:11:58 <shelikhoo> yes
16:12:24 <shelikhoo> do we have any idea why the current bridge is having issue?
16:12:57 <meskio> no, it looks like they are investigating it
16:13:10 <meskio> snowflake#40207
16:14:33 <shelikhoo> let's keep investigating this...
16:14:38 <shelikhoo> anything more on this topic?
16:15:04 <meskio> shelikhoo: do you want to write to tor-relays?
16:15:17 <meskio> or I could do it
16:15:39 <ggus> meskio: if it's community, then i should do it
16:15:47 <meskio> ok, please go
16:15:54 <meskio> thanks for taking care of it
16:15:55 <shelikhoo> yes! thanks ggus!
16:16:08 <meskio> let us know if you need any help there
16:16:14 <meskio> that is all for me in this topic
16:16:37 <shelikhoo> okay the next topic is about iran
16:16:37 <shelikhoo> Iran:
16:16:37 <shelikhoo> Anything (resources, work, support) that may be needed to help circumvent censorship in Iran right now?
16:16:37 <shelikhoo> There are multiple reports of snowflake not working in Iran in some ISPs, but so far we didn't receive a more detailed report.
16:16:39 <shelikhoo> Should we try out new PTs? dnstt, etc?
16:17:38 <shelikhoo> so, we should propose some work we would like to do to assist people in Iran
16:17:52 <gaba> I added some of those questions. Checking here if there is anything else needed.
16:18:08 <meskio> would be nice to have vantage point in Iran
16:18:24 <meskio> we could just rent a VPS, they don't have the same kind of censorship, but at least is something
16:18:43 <ggus> meskio: i can give access to a vps in iran, but it's not connected to mobile isps
16:18:44 <shelikhoo> but we did observe some censorship even on that VPS
16:18:59 <meskio> yes
16:19:08 <meskio> ggus: please do, that will be handy, thanks
16:19:31 <shelikhoo> so it is helpful to us, even if there are user with more restrictive censorship
16:19:48 <meskio> I think trying PTs will be nice, but is hard to get them to users as not being in TB
16:20:00 <ggus> meskio: done :)
16:20:13 <meskio> ggus: thanks, can I share it with shelikhoo ?
16:20:17 <ggus> sure
16:20:33 <n0toose> might be interesting to share: there's a bunch of groups on telegram that regurgitate translated versions of announcements by the tor project every now and then
16:20:56 <n0toose> the telegram bots got shared in a group of 200k with ~15k views a day after it was posted
16:21:15 <meskio> wow
16:21:30 <gaba> :S
16:21:49 <shelikhoo> great!
16:22:07 <n0toose> i am rounding up/down the numbers a little bit, but i can dig it up if it's of any interest
16:22:09 <meskio> would be nice to find ways to do more analysis of what is available in mobile networks or not, like is DNS working? so dnstt might work?
16:22:44 <dcf1> https://github.com/net4people/bbs/issues/125 has some notes about dnstt and DNS
16:22:53 <meskio> but actually rolling out dnstt or webtunnel or whatever to users in a rush will not be trivial
16:22:59 <dcf1> other threads https://github.com/net4people/bbs/issues/126 https://github.com/net4people/bbs/issues/127
16:23:00 <ggus> meskio: from users i heard that expressvpn was working, while orbot+snowflake wasn't working.
16:23:25 <meskio> orbot+snowflake I expect to be blocked by goTLS
16:23:31 <n0toose> (correction: it was with ~13k views a few hours later, i should ask again)
16:23:57 <meskio> would be nice to check if uTLS fixes the problem, we could coordinate with orbot to see how to enable that, or if the current orbot does support it and we just need to provide the right bridgeline
16:24:15 <shelikhoo> I think utls should work in this case, we should push tor browser to update snowflake pt
16:24:16 <meskio> n0toose: still pretty cool :)
16:24:22 <ggus> do we have orbot devs here?
16:24:26 <meskio> dcf1: thanks for the links, I need to catch up with my reading
16:24:57 <meskio> n8fr8he[m]: are you around?
16:25:02 <ggus> https://www.appbrain.com/stats/google-play-rankings/top_free/communication/ir < orbot is still on the top of google play charts
16:25:18 <meskio> cool
16:25:45 <ggus> but, users are reporting that doesn't work: https://www.reddit.com/r/TOR/comments/xwmj8d/orbot_wont_work_in_iran/
16:26:02 <ggus> so, or someone fixed it, or they will migrate to other $vpn
16:26:02 <meskio> I can explore what's up with orbot and uTLS, but I will not be much online until tuesday, so it might take a bit of time
16:26:49 <gaba> ^ micah
16:28:10 <meskio> that is all I have in my head to try
16:28:32 <meskio> let's see if I get something about orbot and if we can test if uTLS does actually solve the problem
16:28:41 <meskio> getting proper snowflake logs will help
16:29:46 <shelikhoo> Yes. anything more on this topic?
16:29:55 <dcf1> I have logs from two successful bootstraps from an Iran vantage, but they are successful, so they don't tell us much.
16:29:55 <ggus> https://github.com/tladesignz/IPtProxy/issues/31
16:30:42 <ggus> "This isn't urgent, but I'd recommend this feature because it often informs us on how to modify the snowflake bridge line by region and it could be useful for the orbot support team as well."
16:31:58 <ggus> re: Iran.
16:32:06 <shelikhoo> It was rather well known that Iran often blocks TLS connections by their TLS fingerprint
16:32:25 <shelikhoo> and previously, there was android(arm) specific block
16:32:26 <ggus> we're writing a rapid response fund proposal. we're including more user support hours/capacity
16:32:50 <ggus> i wonder if AC-Team would like to include other things
16:32:54 <shelikhoo> so it is our current best guess
16:34:15 <n0toose> got an update: yeah, the message sharing the bots has nearly got ~100k views
16:34:24 <meskio> ggus: I've seen the proposal, I don't think we have much hours left in our team
16:34:37 <shelikhoo> personally, I think ACT already have fund for vantage point, but it is not something we can easily get with money...
16:34:45 <ggus> meskio: not even for an external contractor?
16:35:08 <gaba> we do not have capacity in the team to add anything else in q4 but we can find somebody else to do some of the work if needed
16:35:29 <meskio> yes, that would be nice
16:35:38 <gaba> right what shelikhoo says
16:38:09 <micah> shelikhoo: TBB needs to update snowflake PT because of uTLS?
16:38:24 <meskio> yes
16:38:30 <meskio> I think cohosh is doing it
16:38:44 <shelikhoo> anything more on this topic? I think it is not like we can instantly think tasks that could be done by external contractor who might have limited anti-censorship background.....
16:38:49 <shelikhoo> yes
16:38:50 <cohosh> it's done, we're waiting for the next release afaik
16:38:59 <shelikhoo> I think there is already a merge request
16:39:05 <shelikhoo> it is merged?
16:39:21 <meskio> shelikhoo: agree, is not trivial to give this kind of tasks to a contractor
16:39:36 <gaba> agree
16:39:47 <ggus> shelikhoo: for example, we heard from users in iran that we don't distribute tor browser .apk in gettor bot
16:39:57 <ggus> this could be a task for this external contractor
16:40:08 <meskio> yes, and is already written in that grant
16:40:12 <cohosh> https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/merge_requests/523
16:40:27 <ggus> yep, i wrote that. this is an example.
16:40:32 <meskio> :)
16:41:25 <micah> great, thanks cohosh !
16:41:28 <shelikhoo> cohosh: I see it is approved. we can just wait for next release
16:41:30 <shelikhoo> thanks!
16:41:46 <micah> meskio: if i can help by talking to guardian about orbot, let me know. maybe after you test?
16:42:00 <meskio> micah: thanks
16:42:08 <meskio> I think we can move to the next topic
16:42:37 <shelikhoo> telegram download bot
16:42:37 <shelikhoo> apart from a minor issue that needed a one-line fix, launch went well
16:42:37 <shelikhoo> external contributors have also participated
16:42:37 <shelikhoo> heavy focus on building new features (especially android builds without downloads.json), which in turn either requires a lot of refactoring
16:42:39 <shelikhoo> lots of issues concerning third-party libraries again, most bug reports/feature requests have been made to upstream developers
16:42:41 <shelikhoo> logging has been replaced with aiologger to protect the bot from "hugs of death"
16:42:43 <shelikhoo> aiologger does not show dates in files. hacky solution: obtain the date when methods of the logger are called, maintainers are not very active
16:42:45 <shelikhoo> we depend on undocumented behavior. after doing research, it seems OK here
16:42:47 <shelikhoo> are new versions with regressions OK?
16:42:50 <shelikhoo> translations
16:42:52 <shelikhoo> a recent change in how exceptions are communicated to the user has pushed the readiness of translations back
16:42:54 <shelikhoo> will be expanded once development (mostly) stagnates
16:42:56 <shelikhoo> existing translations will not be touched until that happens
16:42:58 <shelikhoo> comments are still a TODO
16:43:07 <n0toose> yep, that's me
16:44:01 <n0toose> i am currently dealing with doing a lot of things in a very undocumented-but-still-trying-to-be-safe way and actually ending up having to use a lot of external dependencies (which i initially avoided)
16:44:15 <n0toose> the external dependencies very often lack in features in very, very subtle ways
16:45:07 <meskio> external dependencies => python libraries used by onionsproutsbot?
16:45:08 <n0toose> hm, the best way to describe my situation is basically "i'm doing jugglery between 4 different issues", but all of them kind of depend on each other but at least i've been getting work done
16:45:20 <n0toose> yes.
16:45:54 <n0toose> as stated in the document itself, i ended up moving ahead with using a different solution for logging because the default library was I/O blocking
16:46:45 <n0toose> i did that mostly to deal with unexpected rises in demand, which can lead to things like one line of code requesting the bot's profile username causing hitting a lot of ratelimits, even if i thought that "it probably couldn't get that bad" when i initially wrote it
16:47:13 <meskio> shit happens :)
16:47:16 <n0toose> yuuuuuup
16:47:23 <n0toose> so, i'm just like, trying to be cautious, but that also requires the help, advice and open-source work of other people
16:47:43 <n0toose> and despite pouring a few hours into this everyday, it's not moving as fast as i want it to be
16:48:30 <meskio> how can we help you?
16:48:31 <gaba> n0toose: what kind of help you need?
16:48:32 <n0toose> but, it's been getting way better, way more robust, significant UI improvements as well as things like, in the event of an exception, the user will now get all of the information and the username to the support bot
16:49:25 <n0toose> i think the best i could ask for here is some sort of direction, is it worth it trying to juggle between 50% non-functional changes [incl. translation comments], 30% trying to make the bot more "resilient" in the long run and 20% in features
16:49:43 <n0toose> or do i just "bruteforce through it" and get an implementation that will also provide e.g. android builds
16:50:26 <n0toose> the first strategy is the strategy i followed over many many months, i modelled everything after "okay, it's good if the bot works and nobody has to bother for a long time"
16:51:16 <shelikhoo> yes, i think the next topic is from you as well
16:51:17 <shelikhoo> new experimental gettor backend
16:51:17 <shelikhoo> authored in go, could potentially be merged together with rdsys
16:51:17 <shelikhoo> makes sharing large files through platforms with download limits under 100 MB (unless if you pay, or not) possible (by splitting them and providing the users with an app to put it back together)
16:51:18 <shelikhoo> relies on commands like the other gettor implementations
16:51:20 <shelikhoo> uses mongodb as a backend
16:51:22 <shelikhoo> android versions work too
16:51:24 <shelikhoo> currently private
16:51:40 <n0toose> that's correct, a friend of mine that i won't name out of reasons of discretion and for the sake of not putting words in their mouth is working on that
16:51:53 <shelikhoo> which platform does it distribute binary with?
16:52:09 <n0toose> platform as in tor browser version or "where does it do that"
16:52:19 <meskio> n0toose: looking into maintainability I think is a good approach, and up to now has been pretty good (just one serious issue since deployed)
16:52:23 <shelikhoo> "where does it do that"
16:52:34 <n0toose> i've seen their proofs of concept work on slack, discord (without a nitro subscription) and matrix
16:53:07 <n0toose> all in one codebase, but the interactions with the platforms are basically, more like the O.G. gettor, like, through email or twitter or something
16:53:21 <n0toose> but it does file uploads and interacts with each platform in a very rudimentary way
16:53:43 <n0toose> in most cases, this should be good enough (e.g. discord)
16:53:57 <meskio> is this the one you mentioned once that chunks the uploads and have some app to reconstruct the final binary?
16:54:01 <n0toose> it's not the absolutely user friendliest option, but it's something
16:54:18 <n0toose> meskio, if you mean the thing i PM'd you about, yes.
16:54:24 <meskio> pretty cool
16:54:30 <n0toose> it very much is
16:54:31 <meskio> is there anything public of it?
16:54:42 <n0toose> they told me they can make it public if i wanted to
16:54:54 <n0toose> that was less than a few hours ago
16:55:01 <n0toose> however you define few, i guess :)
16:55:13 <meskio> :)
16:55:41 <n0toose> regarding the maintainability, yes, it has worked well and working on a sane design has led to me fixing that issue in a train in less than 15 minutes with a very limited amount of information that i chose to collect
16:55:50 <n0toose> as i said, i had to update a few strings
16:56:01 <n0toose> and the reason why i did that was because i very much improved the exceptions that the user is getting
16:56:31 <n0toose> like, we get some information, but we may not be able to be too sure whether this happens with a specific version, systematically, or with every version (i define version as "locale")
16:56:58 <n0toose> however, i basically made it so that like the user gets informed that something goes wrong, exception text, and i also included the support bot username so that they can forward it or just let the support people know
16:57:10 <n0toose> and from there, i also get informed, just like i did the last time, i believe
16:57:18 <n0toose> but this is like on a purely opt-in basis
16:58:05 <n0toose> i learned that pyrogram also stores certain interactions with users into a local database (which is not something i wanted to have), so i basically made it so that this "database" is stored in memory and discarded when the bot shuts down
16:58:40 <meskio> n0toose: maybe we can have a voice call next week and talk about that
16:59:01 <meskio> is being 1 hour of meeting
16:59:16 <meskio> and we might not need everybody on that conversation
16:59:19 <n0toose> yeah sure thing, i am just, like, trying to make it possible for the problem to be immediately obvious to all parties involved "without overreaching" and also making the design of the bot sane enough for anyone on the team here to be able to figure this out
16:59:22 <n0toose> okay then!
16:59:27 <shelikhoo> yes!
16:59:32 <shelikhoo> here is the last topic
16:59:34 <shelikhoo> built-in bridges vs 'settings' pool: do we need more built-in obfs4 bridges?
16:59:49 <meskio> n0toose: great, I'll poke you to talk, thanks for sharing
17:00:03 <meskio> BTW, I think the design is pretty nice :)
17:00:37 <n0toose> i'm trying my best! (i make mistakes but i fix them with a follow-up commit like 10 minutes later)
17:00:56 <meskio> about built-in bridges
17:01:02 <n0toose> it's meant to always work either way, you can update to the latest version if you feel like it
17:01:05 <n0toose> okay I'LL stop
17:01:21 <meskio> the question comes from two bridges going away and another one that left some weeks ago
17:01:25 <meskio> we are not replacing them
17:01:30 <itchyonion> n0toose 👍 thanks for your work
17:01:44 <meskio> ggus: was questioning how much is actually needed
17:01:56 <ggus> n0toose: thanks for your work!
17:02:10 <n0toose> (additional note: i am not alone in this and got help from a few very talented friends of mine over the past few weeks, thankfully)
17:02:12 <meskio> currently with connect assist we only recommend builtin bridges for countries where we don't know about censorship but tor doesn't connect
17:02:24 <meskio> so I expect it to be mostly corporate firewalls blocking tor
17:02:34 <meskio> and in that case builtin bridges usually work pretty well
17:03:04 <meskio> but we could hand out 'settings' bridges and don't need to do all the work of finding people to run builtin bridges
17:03:38 <meskio> they are not going to go away tomorrow, as they will still be an option TB settings
17:03:47 <meskio> but will not get so much used (I hope)
17:03:56 <meskio> any opinions on that?
17:04:27 <meskio> BTW, I'm not sure I have a clear opinion, as I'm not sure I understand the whole rationale of why builtin bridges exist
17:04:38 <ggus> meskio: maybe we could ask built-in bridges operators if they saw a drop on their bridge usage after TB-11.5 release (july 2022)
17:05:21 <meskio> ggus: we can even look into that directly into metrics.tpo
17:05:23 <shelikhoo> I think when censor block built-in bridge, then they will block them all quickly. unless there is performance issue with built-in bridge, we don't need too many of them
17:06:11 <dcf1> It's a chapter in my thesis, the speed of blocking default bridges https://www.bamsoftware.com/papers/thesis/#chap:proxy-probe
17:06:41 <dcf1> https://censorbib.nymity.ch/#Matic2017a has things to say about default bridges and what fraction of bridge users use them
17:06:44 <meskio> nice, I'll read it
17:06:51 <ggus> we tried last december, and chinese and russian govs blocked the new bridge pretty fast
17:08:21 <shelikhoo> anything more on this topic?
17:08:23 <meskio> I guess the main reason for builtin bridges to exist was that getting bridges was hard, before moat going to a blocked website or email or after filling captchas
17:08:34 <meskio> but with connect assist is trivial to get them
17:08:37 <meskio> anyway, is true is late
17:08:47 <meskio> let me create an issue and collect information there
17:08:59 <ggus> https://gitlab.torproject.org/tpo/community/relays/-/issues/23
17:09:58 <shelikhoo> yep. I think we can call this a meeting. Please have a look at interesting links, there are report of censorship events.
17:10:07 <shelikhoo> #endmeeting