15:58:53 #startmeeting tor anti-censorship meeting
15:58:53 here is our meeting pad: https://pad.riseup.net/p/tor-anti-censorship-keep
15:58:53 feel free to add what you've been working on and put items on the agenda
15:58:53 Meeting started Thu Oct 6 15:58:53 2022 UTC. The chair is shelikhoo. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:58:53 Useful Commands: #action #agreed #help #info #idea #link #topic.
15:59:01 Hi~
15:59:05 hello
15:59:42 hello
16:00:51 hi
16:01:08 hi
16:01:43 I am a little double-booked at the moment, but I left some notes about the snowflake-01 bandwidth issues in the pad
16:02:18 dcf1: thanks
16:02:22 If you have any questions, go ahead and write them, and I will try to give answers
16:03:35 okay, let's move to the first topic
16:03:38 loss of bandwidth at snowflake-01 bridge
16:03:38 https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40207
16:03:38 the cause is unknown, but it may be something outside our immediate control, like a network issue at the hosting center. operators are investigating it.
16:03:38 will try a reboot later today
16:03:40 low bandwidth at the broker could be the cause of connection failures from Iran
16:03:42 https://gitlab.torproject.org/tpo/anti-censorship/team/-/issues/96#note_2841100
16:03:44 (but there are still users from Iran, still the largest single contingent)
16:03:47 https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40207#note_2840696
16:04:07 AFAIK this is what dcf1 posted
16:04:34 We have started to reject out of date proxy since this Monday
16:04:56 how is it going?
16:05:00 this will result in a loss of 30% of unrestricted proxy
16:05:14 and it is working as expected
16:05:32 but we are seeing users with restricted nat unable to find a match
16:05:50 shelikhoo: should we announce to the community that we're rejecting these outdated proxies?
16:06:47 should we commit to this rejection, or we want to rollback
16:07:23 it looks like the bridge problem is bigger than the loss of proxies
16:07:29 I prefer to move things forward, but we should discuss this first
16:07:29 but maybe I'm not seeing it clearly
16:07:31 agree with meskio
16:07:51 we can do a community call to have more proxies
16:08:04 I have tried to use snowflake a couple of times from a restricted NAT and it took some time to connect but not horrible, but I am in a decent internet connection
16:08:20 +1 to keep the change and inform the community
16:08:49 yeah the rejected clients are honestly no worse than they were before, perhaps because of the drop in usage we say, but almost certainly not the cause of it
16:09:15 s/say/saw
16:09:47 yes. I think to get around this bridge issue, we can start the process to add the info of second bridge to the broker
16:10:11 without including it in Tor browser
16:10:18 so we can begin to test it
16:10:24 sounds good
16:10:27 (or valid it)
16:10:56 once this is done, we can begin to include this in Tor browser and send announcement
16:11:51 we could write to tor-relays before that mentioning the proxy rejection and the need of more proxies
16:11:58 yes
16:12:24 do we have any idea why the current bridge is having issue?
16:12:57 no, it looks like they are investigating it
16:13:10 snowflake#40207
16:14:33 let's keep investigating this...
16:14:38 anything more on this topic?
16:15:04 shelikhoo: do you want to write to tor-relays?
16:15:17 or I could do it
16:15:39 meskio: if it's community, then i should do it
16:15:47 ok, please go
16:15:54 thanks for taking care of it
16:15:55 yes! thanks ggus!
16:16:08 let us know if you need any help there
16:16:14 that is all for me in this topic
16:16:37 okay the next topic is about iran
16:16:37 Iran:
16:16:37 Anything (resources, work, support) that may be needed to help circumvent censorship in Iran right now?
16:16:37 There are multiple reports of snowflake not working in Iran in some ISPs, but so far we didn't receive a more detailed report.
16:16:39 Should we try out new PTs? dnstt, etc?
16:17:38 so, we should purpose some work we would like to do to assist people in Iran
16:17:52 I added some of those questions. Checking here if there is anything else needed.
16:18:08 would be nice to have vantage point in Iran
16:18:24 we could just rent a VPS, they don't have the same kind of censorship, but at least is something
16:18:43 meskio: i can give access to a vps in iran, but it's not connected to mobile isps
16:18:44 but we do observed some censorship even on that VPS
16:18:59 yes
16:19:08 ggus: please do, that will be handy, thanks
16:19:31 so it is helpful to us, even if there are user with more restrictive censorship
16:19:48 I think trying PTs will be nice, but is hard to get them to users as not being in TB
16:20:00 meskio: done :)
16:20:13 ggus: thanks, can I share it with shelikhoo ?
16:20:17 sure
16:20:33 might be interesting to share: there's a bunch of groups on telegram that regurgitate translated versions of announcements by the tor project every now and then
16:20:56 the telegram bots got shared in a group of 200k with ~15k views a day after it was posted
16:21:15 wow
16:21:30 :S
16:21:49 great!
16:22:07 i am rounding up/down the numbers a little bit, but i can dig it up if it's of any interest
16:22:09 would be nice find ways to do more analysis of what is available in mobile networks or not, like is DNS working? so dnstt might work?
16:22:44 https://github.com/net4people/bbs/issues/125 has some notes about dnstt and DNS
16:22:53 but actually rolling out dnstt or webtunnel or whatever to users in a rush will not be trivial
16:22:59 other threads https://github.com/net4people/bbs/issues/126 https://github.com/net4people/bbs/issues/127
16:23:00 meskio: from users i heard that expressvpn was working, while orbot+snowflake wasn't working.
16:23:25 orbot+snowflake I expect to be blocked by goTLS
16:23:31 (correction: it was with ~13k views a few hours later, i should ask again)
16:23:57 would be nice to check if uTLS fixes the problem, we could coordinate with orbot to see how to enable that, or if the current orbot does support it and we just need to provide the right bridgeline
16:24:15 I think utls should work in this case, we should push tor browser to update snowflake pt
16:24:16 n0toose: still pretty cool :)
16:24:22 do we have orbot devs here?
16:24:26 dcf1: thanks for the links, I need to catch up with my reading
16:24:57 n8fr8he[m]: are you around?
16:25:02 https://www.appbrain.com/stats/google-play-rankings/top_free/communication/ir < orbot is still on the top of google play charts
16:25:18 cool
16:25:45 but, users are reporting that doesn't work: https://www.reddit.com/r/TOR/comments/xwmj8d/orbot_wont_work_in_iran/
16:26:02 so, or someone fixed it, or they will migrate to other $vpn
16:26:02 I can explore what's up with orbot and uTLS, but I will not be much online until tuesday, so it might take a bit of time
16:26:49 ^ micah
16:28:10 that is all I have in my head to try
16:28:32 let's see if I get something about orbot and if we can test if uTLS does actually solve the problem
16:28:41 getting proper snowflake logs will help
16:29:46 Yes. anything more on this topic?
16:29:55 I have logs from two successful bootstraps from an Iran vantage, but they are successful, so they don't tell us much.
16:29:55 https://github.com/tladesignz/IPtProxy/issues/31
16:30:42 "This isn't urgent, but I'd recommend this feature because it often informs us on how to modify the snowflake bridge line by region and it could be useful for the orbot support team as well."
16:31:58 re: Iran.
16:32:06 I was rather well known that Iran often block TLS connection by its TLS fingerprint
16:32:25 and previously, there was android(arm) specific block
16:32:26 we're writing a rapid response fund proposal. we're including more user support hours/capacity
16:32:50 i wonder if AC-Team would like to include other things
16:32:54 so it is our current best guess
16:34:15 got an update: yeah, the message sharing the bots has nearly got ~100k views
16:34:24 ggus: I've seen the proposal, I don't think we have much hours left in our team
16:34:37 personally, I think ACT already have fund for vantage point, but it is not something we can easily get with money...
16:34:45 meskio: not even for an external contractor?
16:35:08 we do not have capacity in the team to add anything else in q4 but we can find somebody else to do some of the work if needed
16:35:29 yes, that would be nice
16:35:38 right what shelikhoo says
16:38:09 shelikhoo: TBB needs to update snowflake PT because of uTLS?
16:38:24 yes
16:38:30 I think cohosh is doing it
16:38:44 anything more on this topic? I think it is not like we can instantly think tasks that could be done by external contractor who might have limited anti-censorship background.....
16:38:49 yes
16:38:50 it's done, we're waiting for the next release afaik
16:38:59 I think there is already an merge request
16:39:05 it is merged?
16:39:21 shelikhoo: agree, is not trivial to give this kind of tasks to a contractor
16:39:36 agree
16:39:47 shelikhoo: for example, we heard from users in iran that we don't distribute tor browser .apk in gettor bot
16:39:57 this could be a task for this external contractor
16:40:08 yes, and is already written in that grant
16:40:12 https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/merge_requests/523
16:40:27 yep, i wrote that. this is an example.
16:40:32 :)
16:41:25 great, thanks cohosh !
16:41:28 cohosh: I see it is approved. we can just wait for next release
16:41:30 thanks!
16:41:46 meskio: if i can help by talking to guardian about orbot, let me know. maybe after you test?
16:42:00 micah: thanks
16:42:08 I think we can move to the next topic
16:42:37 telegram download bot
16:42:37 apart from a minor issue that needed a one-line fix, launch went well
16:42:37 external contributors have also participated
16:42:37 heavy focus on building new features (especially android builds without downloads.json), which in turn either requires a lot of refactoring
16:42:39 lots of issues concerning third-party libraries again, most bug reports/feature requests have been made to upstream developers
16:42:41 logging has been replaced with aiologger to protect the bot from "hugs of death"
16:42:43 aiologger does not show dates in files. hacky solution: obtain the date when methods of the logger are called, maintainers are not very active
16:42:45 we depend on undocumented behavior. after doing research, it seems OK here
16:42:47 are new versions with regressions OK?
16:42:50 translations
16:42:52 a recent change in how exceptions are communicated to the user has pushed the readiness of translations back
16:42:54 will be expanded once development (mostly) stagnates
16:42:56 existing translations will not be touched until that happens
16:42:58 comments are still a TODO
16:43:07 yep, that's me
16:44:01 i am currently dealing with doing a lot of things in a very undocumented-but-still-trying-to-be-safe way and actually ending up having to use a lot of external dependencies (which i initially avoided)
16:44:15 the external dependencies very often lack in features in very, very subtle ways
16:45:07 external dependencies => python libraries used by onionsproutsbot?
16:45:08 hm, the best way to describe my situation is basically "i'm doing jugglery between 4 different issues", but all of them kind of depend on each other but at least i've been getting work done
16:45:20 yes.
16:45:54 as stated in the document itself, i ended up moving ahead with using a different solution for logging because the default library was I/O blocking
16:46:45 i did that mostly to deal with unexpected rises in demand, which can lead to things like one line of code requesting the bot's profile username causing hitting a lot of ratelimits, even if i thought that "it probably couldn't get that bad" when i initially wrote it
16:47:13 shit happens :)
16:47:16 yuuuuuup
16:47:23 so, i'm just like, trying to be cautious, but that also requires the help, advice and open-source work of other people
16:47:43 and despite pouring a few hours into this everyday, it's not moving as fast as i want it to be
16:48:30 how can we help you?
16:48:31 n0toose: what kind of help you need?
16:48:32 but, it's been getting way better, way more robust, significant UI improvements as well as things like, in the event of an exception, the user will now get all of the information and the username to the support bot
16:49:25 i think the best i could ask for here is some sort of direction, is it worth it trying to juggle between 50% non-functional changes [incl. translation comments], 30% trying to make the bot more "resilient" in the long run and 20% in features
16:49:43 or do i just "bruteforce through it" and get an implementation that will also provide e.g. android builds
16:50:26 the first strategy is the strategy i followed over many many months, i modelled everything after "okay, it's good if the bot works and nobody has to bother for a long time"
16:51:16 yes, i think the next topic is from you as well
16:51:17 new experimental gettor backend
16:51:17 authored in go, could potentially be merged together with rdsys
16:51:17 makes sharing large files through platforms with download limits under 100 MB (unless if you pay, or not) possible (by splitting them and providing the users with an app to put it back together)
16:51:18 relies on commands like the other gettor implementations
16:51:20 uses mongodb as a backend
16:51:22 android versions work too
16:51:24 currently private
16:51:40 that's correct, a friend of mine that i won't name out of reasons of discretion and for the sake of not putting words in their mouth is working on that
16:51:53 which platform does it distribute binary with?
16:52:09 platform as in tor browser version or "where does it do that"
16:52:19 n0toose: looking into maintainability I think is a good approach, and up to now has being pretty good (just one serious issue since deployed)
16:52:23 "where does it do that"
16:52:34 i've seen their proofs of concept work on slack, discord (without a nitro subscription) and matrix
16:53:07 all in one codebase, but the interactions with the platforms are basically, more like the O.G. gettor, like, through email or twitter or something
16:53:21 but it does file uploads and interacts with each platform in a very rudimentary way
16:53:43 in most cases, this should be good enough (e.g. discord)
16:53:57 is this the one you mentioned once that chunks the uploads and have some app to reconstruct the final binary?
16:54:01 it's not the absolutely user friendliest option, but it's something
16:54:18 meskio, if you mean the thing i PM'd you about, yes.
16:54:24 pretty cool
16:54:30 it very much is
16:54:31 is there anything public of it?
16:54:42 they told me they can make it public if i wanted to
16:54:54 that was less than a few hours ago
16:55:01 however you define few, i guess :)
16:55:13 :)
16:55:41 regarding the maintainability, yes, it has worked well and working on a sane design has led to me fixing that issue in a train in less than 15 minutes with a very limited amount of information that i chose to collect
16:55:50 as i said, i had to update a few strings
16:56:01 and the reason why i did that was because i very much improved the exceptions that the user is getting
16:56:31 like, we get some information, but we may not be able to be too sure whether this happens with a specific version, systematically, or with every version (i define version as "locale")
16:56:58 however, i basically made it so that like the user gets informed that something goes wrong, exception text, and i also included the support bot username so that they can forward it or just let the support people know
16:57:10 and from there, i also get informed, just like i did the last time, i believe
16:57:18 but this is like on a purely opt-in basis
16:58:05 i learned that pyrogram also stores certain interactions with users into a local database (which is not something i wanted to have), so i basically made it so that this "database" is stored in memory and discarded when the bot shuts down
16:58:40 n0toose: maybe we can have a voice call next week and talk about that
16:59:01 is being 1 hour of meeting
16:59:16 and we might not need everybody on that conversation
16:59:19 yeah sure thing, i am just, like, trying to make it possible for the problem to be immediately obvious to all parties involved "without overreaching" and also making the design of the bot sane enough for anyone on the team here to be able to figure this out
16:59:22 okay then!
16:59:27 yes!
16:59:32 here is the last topic
16:59:34 built-in bridges vs 'settings' pool: do we need more built-in obfs4 bridges?
16:59:49 n0toose: great, I'll poke you to talk, thanks for sharing
17:00:03 BTW, I think the design is pretty nice :)
17:00:37 i'm trying my best! (i make mistakes but i fix them with a follow-up commit like 10 minutes later)
17:00:56 about built-in bridges
17:01:02 it's meant to always work either way, you can update to the latest version if you feel like it
17:01:05 okay I'LL stop
17:01:21 the question comes from two bridges going away and another one that left some weeks ago
17:01:25 we are not replacing them
17:01:30 n0toose 👍 thanks for your work
17:01:44 ggus: was questioning how much is actually needed
17:01:56 n0toose: thanks for your work!
17:02:10 (additional note: i am not alone in this and got help from a few very talented friends of mine over the past few weeks, thankfully)
17:02:12 currently with connect assist we only recommend builtin bridges for countries where we don't know about censorship but tor doesn't connect
17:02:24 so I expect it to be mostly corporate firewalls blocking tor
17:02:34 and in that case builtin bridges usually work pretty well
17:03:04 but we could hand out 'settings' bridges and don't need to do all the work of finding people to run builtin bridges
17:03:38 they are not going to go away tomorrow, as they will still be an option TB settings
17:03:47 but will not get so much used (I hope)
17:03:56 any opinions on that?
17:04:27 BTW, I'm not sure I have a clear opinion, as I'm not sure I understand the whole rationale of why builtin bridges exist
17:04:38 meskio: maybe we could ask built-in bridges operators if they saw a drop on their bridge usage after TB-11.5 release (july 2022)
17:05:21 ggus: we can even look into that directly into metrics.tpo
17:05:23 I think when censor block built-in bridge, then they will block them all quickly. unless there is performance issue with built-in bridge, we don't need too many of them
17:06:11 It's a chapter in my thesis, the speed of blocking default bridges https://www.bamsoftware.com/papers/thesis/#chap:proxy-probe
17:06:41 https://censorbib.nymity.ch/#Matic2017a has things to say about default bridges and what fraction of bridge users use them
17:06:44 nice, I'll read it
17:06:51 we tried last december, and chinese and russian govs blocked the new bridge pretty fast
17:08:21 anything more on this topic?
17:08:23 I guess the main reason for builtin bridges to exist was that getting bridges was hard, before moat going to a blocked website or email or after filling captchas
17:08:34 but with connect assist is trivial to get them
17:08:37 anyway, is true is late
17:08:47 let me create an issue and collect information there
17:08:59 https://gitlab.torproject.org/tpo/community/relays/-/issues/23
17:09:58 yep. I think we can call this a meeting. Please have a look at interesting links, there are report of censorship events.
17:10:07 #endmeeting