03:10:43 <isis> #startmeeting
03:10:43 <MeetBot> Meeting started Sat Jul 26 03:10:43 2014 UTC.  The chair is isis. Information about MeetBot at http://wiki.debian.org/MeetBot.
03:10:43 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
03:10:47 <isis> yay!
03:11:33 <isis> i have black toenail polish with turquoise hexagon sparkles and other flaky emerald sparkle on top!
03:11:34 <mikeperry> sweet. you walked right into my trap. I've always wanted to just yammer on about some unrelated topic during someone else's meeting ;)
03:11:51 <dcf1> "The chair is isis."
03:11:53 <dcf1> is isis?
03:11:56 <isis> mikeperry: i've already got it covered, dude
03:11:58 <dcf1> isis is.
03:12:07 <isis> isisisisisisisis!
03:12:18 <dcf1> Is isis I?
03:13:53 <isis> anyway, i just wanted to go on record saying that i killed #12639 #12635 #11139 #11140 #12650 #5463 and #9385 in cold blood
03:14:05 <dcf1> #agreed
03:14:09 <isis> and i don't regret a single action
03:14:22 <isis> #commands
03:14:22 <MeetBot> Available commands: #accept #accepted #action #agree #agreed #chair #commands #endmeeting #halp #help #idea #info #link #lurk #meetingname #meetingtopic #nick #rejected #restrictlogs #save #startmeeting #topic #unchair #undo #unlurk
03:14:56 <mikeperry> #halp
03:15:03 <isis> #meetingname bridgedbieber
03:15:03 <MeetBot> The meeting name has been set to 'bridgedbieber'
03:15:47 <dcf1> #link https://www.bamsoftware.com/images/ccc-2013/P1020299-md.JPG
03:15:49 <mikeperry> #info meetbot needs #halp
03:16:09 <isis> #action isis needs to enable fte bridges before releasing bridgedb-0.2.3
03:16:36 <isis> #info mikeperry needs way moar #halp
03:17:37 <isis> #action palindromes are henceforth banned
03:18:08 <dcf1> A man, a plan, a canal, Costa Rica!
03:18:23 <mikeperry> #action mikeperry *bafs* all over this meeting and its rules
03:19:35 <isis> rise to vote, sir
03:19:37 <mikeperry> costa rica is way better than panama anyway
03:20:44 <mikeperry> #agreed we make this timeslot the regular left coast party meeting
03:21:36 <isis> but i'm in moscow
03:21:38 <mikeperry> I skipped the #idea stage on that one because it was so obviously a good idea
03:22:21 <mikeperry> sweet, how is it? I've committed some torbutton code from there
03:22:37 <mikeperry> but never really got to see the sights, you know?
03:22:37 <isis> yep, i've noticed :)
03:23:08 <armadev> in moscow, eh. can you bid for the moneyz?
03:24:20 <isis> i don't really have anything up yet, but moxie posted some stuff
03:24:21 <isis> https://twitter.com/moxie/status/479357124737515521
03:24:47 <isis> https://twitter.com/moxie/status/479013027870568448
03:25:06 <isis> https://twitter.com/moxie/status/479355449666719746
03:25:18 <isis> i'm meaning to write a blog post...
03:26:57 <isis> okay? anyone else have any updates pertaining to BridgeDB?
03:27:57 <isis> mikeperry or dcf1: may i borrow your e-gavel for the baffing?
03:28:12 <dcf1> I don't have one.
03:28:40 <isis> you just *baf* with your fist, or....??
03:28:40 <mikeperry> an e-gavel can only be materialized out of the ether by the baffer
03:28:54 <mikeperry> you might also need some kind of force crystal to focus it
03:28:59 <isis> oooh
03:29:01 <dcf1> Try thinking happy thoughts.
03:29:03 <mikeperry> synthetic or natural, your choice
03:29:22 <mikeperry> I prefer synthetic, of course
03:30:16 <sysrqb> isis: karsten has a plan for more bridge metrics (in the nearish future).
03:30:32 <armadev> isis: is the plan to stack on a bunch of new domains, where the weakest one wins you all the bridges, or to break bridges into partitions per domain or per set of domains?
03:30:41 <mikeperry> primarily you need will and rage if you go the synthetic route. dcf1 might have a different approach, it seems
03:30:43 <isis> *adfer mihi, et vis ab aethere crystallus e-gablum iuberet!*
03:30:55 * isis materialises an e-gavel
03:31:28 <mikeperry> oh wait
03:31:40 <mikeperry> shifting out of party mode, what do people think about DNS bridge lines?
03:31:43 <isis> armadev: the plan is to complete #11330, to separate domains into different hashrings
03:31:45 <sysrqb> i don't think relying on emails is a winning strategy
03:31:56 <sysrqb> we need more/better mechanisms
03:32:00 <mikeperry> I think I hate them, but am I in the minority?
03:32:11 <mikeperry> kpdyer really wants to use them
03:32:14 <isis> i hate them
03:32:32 <isis> i think it's *horrible* for TBB's fingerprintability
03:32:59 <armadev> i think users should get to choose
03:33:03 <armadev> some people use bridges for reachability
03:33:12 <mikeperry> yeah, I certainly think that any DNS bridge lines need to be a separate selector in the TBB UI, at the very least.. we shouldn't do that unless the user really wants to for some reason (or needs to)
03:33:19 <armadev> those people would rather have a dns bridge, which works, than be safe and unable to reach the destination they want to reach
03:33:19 <isis> i assume you are talking about having stuff like "bridge fte something.something.com FINGERPRINT" for bridge lines in TBB's defaults
03:33:37 <armadev> i think having dns bridges in the default bridges in tbb is pretty sketchy
03:33:58 <mikeperry> yeah, that's one thing kpdyer keeps pushing for, and I have to keep telling him no
03:34:03 <armadev> if somebody tells you one and you type it in it should work
03:34:16 <armadev> (it doesn't in 0.2.5, because somebody decided to break it)
03:34:19 <armadev> but it does in 0.2.4
03:34:24 <isis> armadev: wouldn't these DNS requests be unproxied in this case, since tor can't connect to a bridge yet, and doesn't have a circuit
03:34:27 <mikeperry> but in the case of load balancers, I am wondering a bit... especially if the user gets to choose first.. but it still seems a bad choice
03:34:34 <armadev> isis: yes
03:34:49 <armadev> resolve and connect. think of dns like the fast flux people do.
03:34:53 <sysrqb> isis: it the proxymax dsign
03:34:57 <sysrqb> design too
03:35:01 <mikeperry> since DNS censorship is very pervasive
03:35:01 <sysrqb> maybe proximax also
03:35:12 <isis> eh...
03:35:23 <isis> i really really think this is a bad idea
03:35:48 <isis> most of the censorship i witnessed while working on OONI was DNS-based
03:35:55 <armadev> hyproxymative
03:36:17 <armadev> isis: you are arguing that in many realistic situations it won't work
03:36:18 <dcf1> If you're blocking DNS lookups in bridge lines, there might be other places you want to do it.
03:36:19 * sysrqb wonders if that's a word
03:36:23 <armadev> that's different than arguing it's a bad idea
03:36:27 <dcf1> ORPort foo.bar.com:8000
03:36:34 <dcf1> That resolves foo.bar.com for me.
03:36:42 <dcf1> Jul 25 20:38:44.709 [warn] Could not bind to 216.250.183.107:8000: Cannot assign requested address
03:37:07 <dcf1> It's not the same bridge threat model, but I guess the reason it worked for bridge lines was because it was using common torrc parsing logic.
03:37:12 <sysrqb> but that's on the relay
03:37:18 <sysrqb> compared to on the client
03:37:18 <isis> armadev: yes, i think it won't work for anything other than acting as a load-balancer in regions where "nothing is blocked"
03:37:30 <sysrqb> the relay is already fingerprintable (unless you're a bridge)
03:37:59 <dcf1> SocksPort foo.bar.com:8000
03:38:01 <isis> armadev: but i also think it is a bad idea (if it is in the default settings for TB)
03:38:02 <armadev> isis: well, sounds fine. a) it works in those cases b) maybe it works in others. why prevent the user from trying it if she wants to.
03:38:04 <dcf1> does it too, if you want it on the client.
03:38:30 <dcf1> I personally can live without DNS in bridge lines.
03:38:47 <dcf1> I'll just manually look up my bridge's IP when I want to test something.
03:38:54 <armadev> i just think people are being too narrow-minded about what bridges are for, when deciding if it's a good idea or not
03:39:32 <isis> if they *want* to do it, by all means let them... but i think there should be a big red warning saying "THE DNS REQUEST FOR %s IS GOING TO GO OUT PLAINTEXT, POTENTIALLY GIVING AWAY THAT YOU ARE TRYING TO USE BRIDGES WITH TORBROWSER"
03:39:33 <armadev> and that's not the right way to handle 1e6 users
03:40:34 <isis> granted, yes, bridges are used for other things, i use bridges in lieu of using guards
03:40:58 <isis> and other people just use them for privacy
03:41:41 <isis> but the case of someone in China or Iran trying to do that DNS resolution is what scares me
03:42:45 <dcf1> Even without DNS lookups, bridges are not really a defense against observability.
03:43:58 <dcf1> Like https://github.com/sethhall/bro-junk-drawer/blob/master/detect-tor.bro, for example.
03:44:19 <armadev> these are fteproxy bridges we speak of
03:44:26 <armadev> so that particular script doesn't apply
03:44:30 <armadev> but in general yes you are right
03:44:42 <dcf1> Oh, that's a little different, with pluggable transports, I agree.
03:45:11 <dcf1> Running such a script is probably a little bit more expensive than monitoring DNS, but not a whole lot more, I'd guess.
03:46:17 <armadev> does amogh do irc? or does he have a trac username?
03:49:33 <isis> i mean, the usability case for load balancing is important, as is the case for using "outdated transports" as i've been arguing for on tor-talk@ and tor-dev@ this week
03:50:22 <isis> but without a big red warning... i would be scared that people would select this because a domain looks friendlier than an IP, to their own detriment
03:50:59 <isis> though i am not opposed to having it in TB, so long as it is not in the default settings
03:53:16 <mikeperry> I didn't fully understand the load balancing component at first.. I guess his one DNS bridge can actually be replicated by amazon to a ton of VMs if he needs it?
03:54:14 <mikeperry> I could see creating an fte-dns choice that is super noisy but has these scaling properties... but it is definitely a different type of transport in my mind, and the user should have to choose it... and I'd still prefer they choose something like meek as last resort instead
03:54:44 <armadev> i think keeping dns bridge names out of the default bridges in tbb is fine
03:54:52 <isis> mikeperry: i believe that amazon "scales up" instances to "more CPU" on "more addresses" by replicating the running instance to other machines worldwide, yes
03:54:53 <armadev> especially since it's going to break when tbb goes to tor 0.2.5.x
03:55:37 <isis> tor-0.2.5.x removes dns resolutions from bridge/proxy lookups?
03:57:01 <armadev> yes
03:57:13 <armadev> and yesterday i closed the ticket where nickm was trying to put that into 0.2.4.23 as a 'minor backport'
03:57:29 <armadev> since that's the sort of thing that makes debian be like 'wait you changed your feature'
03:58:00 <armadev> https://trac.torproject.org/projects/tor/ticket/10801
03:58:35 <marblesoda> armadev: amoghbl2
03:58:49 <mikeperry> yeah there are way more fun and exciting things to backport than that, trust me ;)
03:58:49 <isis> that... doesn't seem minor. i would be surprised if that changed without changing versions
03:59:07 <armadev> marblesoda: is that an irc name or a trac name?
03:59:22 <marblesoda> irc
03:59:26 <armadev> amoghbl2: please see #12701
03:59:48 <isis> okay, it's been 30 minutes, i'm closing this meeting
04:00:04 <dcf1> good meeting everybody
04:00:26 * isis *bafs* the summoned e-gavel and then lights it on fire for the symbol of fascism that it is
04:00:35 <dcf1> sweet party mikeperry
04:00:36 <isis> *BAF*
04:00:39 <dcf1> feel better isis
04:00:44 <isis> #endmeeting