15:57:52 <cohosh> #startmeeting tor anti-censorship meeting 15:57:52 <MeetBot> Meeting started Thu Mar 18 15:57:52 2021 UTC. The chair is cohosh. Information about MeetBot at http://wiki.debian.org/MeetBot. 15:57:52 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic. 15:57:59 <cohosh> hey everyone! 15:58:02 <AlwaysLivid> hello! 15:58:11 <cohosh> here is our meeting pad: https://pad.riseup.net/p/tor-anti-censorship-keep 15:58:19 <agix> hi 15:58:36 <cohosh> feel free to add things to the agenda 15:58:37 <gtsatsis> Hello! 15:59:01 <cohosh> AlwaysLivid: gtsatsis: hi! 15:59:37 <cohosh> dcf1: is that first announcement yours? 16:00:01 <dcf1> Yes, this is a part of the Turbo Tunnel work from last year, the sponsor is giving it a security audit, which also affects parts of snowflake. 16:00:20 <dcf1> They started Monday this week. 16:00:51 <cohosh> nice 16:00:53 <dcf1> So far, I have not heard much, but I understand they will produce a written report. 16:01:20 <cohosh> are they looking only at turbotunnel parts of snowflake, or the whole system? 16:01:30 <dcf1> Just the turbotunnel parts, as I understand it. 16:02:11 <cohosh> cool 16:02:47 <cohosh> i would be curious about a security audit of all the webrtc bits >.< 16:03:11 <cohosh> but this is still nice 16:03:43 <cohosh> okay it looks like we have some discussion items for today 16:03:56 <AlwaysLivid> wait i forgot to fill out one more thing 16:04:30 <cohosh> AlwaysLivid: oh it's ok you don't need to add everything to the pad 16:04:47 <cohosh> we mostly use the pad to remind us what to talk about 16:04:47 <gtsatsis> > China appears to be blocking Signal 16:04:48 <AlwaysLivid> it's specifically the idea that popped up in my head two days ago and was excited to share :P 16:05:19 <gtsatsis> tfw as soon as I start working on a distribution bot for Signal, it gets blocked 16:05:35 <cohosh> heh 16:05:53 <cohosh> gtsatsis: you have the room/floor/mic now so feel free to share what you've been working on :) 16:06:22 <gtsatsis> Well, with inspiration from AlwaysLivid, I actually went ahead and wrote this little bot up last night 16:06:24 <gtsatsis> https://gitlab.com/gtsatsis/signal-gettor 16:06:45 <AlwaysLivid> (I told him that he should look into this on at least 4 different occasions.) 16:06:56 <gtsatsis> It allows users of the Signal platform to request and receive binaries of the Tor browser without much hassle 16:07:29 <gtsatsis> Just "tor get <platform> [language]" in a message, and it'll send a binary and the signature file, as well as instructions on how to verify the signature 16:07:52 <AlwaysLivid> It's really similar to the way the e-mail distributor works. 16:08:04 <AlwaysLivid> but with more dialogue! 16:08:57 <gtsatsis> that's basically it 16:09:21 <gtsatsis> (sorry, not really good at this presenting thing, haha >.<) 16:09:25 <cohosh> cool! 16:09:32 <cohosh> no that was great 16:09:50 <AlwaysLivid> signal is a nice platform for this purpose too particularly because they really don't have any sort of strict limitations on file upload limits 16:10:07 <dcf1> I am not sure who is in charge of gettor things 16:10:28 <dcf1> There is something that sometimes uploads binaries to https://archive.org/details/@gettor, but it seems it's not automated as it doesn't get every release 16:10:30 <cohosh> i'm the maintainer at the moment 16:10:40 <cohosh> yeah 16:10:47 <gtsatsis> dcf1: oh, if there's any problem with the branding, I can rename the repo; I simply had it named as signal-gettor on my computer so i was like "might as well" 16:10:55 <arlolra> so you're the gettor aid 16:11:10 <cohosh> arlolra: lmao 16:11:27 <cohosh> so the way gettor currently works is we have providers and distrbutors 16:11:52 <cohosh> the distributors right now only include email and used to include both email and twitter but twitter is broken until we do a complete rewrite of it 16:12:04 <cohosh> the distributors distribute download links to our providers 16:12:30 <cohosh> which is where the binaries are uploaded and right now include: google docs, internet archive, gitlab, and github 16:12:43 <AlwaysLivid> (i'll bring up this thing with the twitter later on) 16:12:55 <gtsatsis> Ah, I'm currently downloading and sending the files directly through Signal 16:13:09 <cohosh> yeah we do it this way because tor browser binaries are so huge 16:13:37 <cohosh> so if you like you can use our existing provider links 16:13:54 <gtsatsis> Will take a look! 16:14:03 <AlwaysLivid> are there any applicable restrictions with bandwidth? 16:14:06 <cohosh> https://gitlab.torproject.org/tpo/anti-censorship/gettor-project/gettor/-/tree/master/scripts 16:14:14 <cohosh> gettor needs a lot more love than it is getting right now 16:14:25 <gtsatsis> I currently bypass Signal's "dangerous filetypes" by zipping up the .exe/.dmg/.tar.xz 16:14:51 <AlwaysLivid> Is that user friendly? (Can SIgnal be reached out to as a means of getting them to lift the restrictions?) 16:15:22 <cohosh> idk, signal is pretty strict on making UI changes and about what are good use cases 16:15:25 <AlwaysLivid> I'm not even sure if they'd be extremely fond of the idea, but their terms of service and the restrictions in the platform itself seem to be fine with it. 16:15:35 <cohosh> but i also don't think changing this is a good call 16:15:48 <dcf1> alternatively, it could always zip, and that way it could additionally include the signature files 16:15:50 <gtsatsis> AlwaysLivid: It's not a server-side block, so there's nothing preventing you from sharing the files. The official client simply restricts the up/downloading of files with certain extensions. 16:16:41 <gtsatsis> dcf1: good idea, my brain had become mush after about 3AM, so I send the signature as a separate file, but I'll go ahead and get right on that after the meeting 16:16:46 <cohosh> if it was a link you could avoid this somewhat 16:16:52 <cohosh> Since the link will open in a browser 16:17:21 <AlwaysLivid> ... Why not both? 16:17:35 <cohosh> yeah you could do that 16:17:35 <gtsatsis> ^ I could implement a tor get link option 16:17:40 <AlwaysLivid> yeah that's what i also thought of 16:18:41 <AlwaysLivid> i mean, signal is e2ee, i feel like forcing people (esp. high-risk) to get browsers and websites increases the stakes 16:18:59 <cohosh> so to make these requests, do users have to send the message to a specific number? 16:19:13 <AlwaysLivid> for now, OWS says that they'll add usernames later in 2021, but yeah. 16:19:19 <gtsatsis> Yeah, they do- I don't have any public numbers to test it with at the moment, but- ^ 16:20:11 <AlwaysLivid> I thought of potential issues arising with i18n and discussed them extensively with George, but I also considered that, should they add usernames, you could just run different instances of the bot that speak different languages. 16:20:30 <AlwaysLivid> and then aggregate the bot usernames in a single group/channel sort of thing or something similar 16:20:42 <AlwaysLivid> (I'm not extensively familiar with Signal) 16:21:05 <cohosh> i think we used to do that in very early gettor, where users would send an email to gettor+[language code]@torproject.org 16:21:15 <cohosh> like gettor+fa@torproject.org 16:21:21 <gtsatsis> Yeah, that's a possibility if usernames do come out later this year, but at the moment I'm simply working with suffixing the language at the end of the command 16:21:53 <gtsatsis> While a tad bit messy, it works 16:22:25 <cohosh> thanks for working on this 16:22:32 <cohosh> is there anything we can do to help? 16:23:31 <gtsatsis> I mean, anyone's free to contribute, but most things, I've basically been able to tackle by myself. 16:24:00 <gtsatsis> The one thing I'd like to see is a way to get android builds from downloads.json or something along those lines, would make it much easier, heh 16:24:25 <AlwaysLivid> I opened a ticket about that like 6 months ago, but it got labelled as "Unscheduled" like 4 months ago. 16:24:32 <cohosh> yeah that's a question for the applications team and tor browser devs 16:24:38 <cohosh> i'm not sure what the status is on that 16:24:43 <gtsatsis> AlwaysLivid: Ouchie 16:25:01 <AlwaysLivid> I just can't remember the number, I'm just trying to avoid duplicates :P 16:25:44 <cohosh> AlwaysLivid: do you remember the repository? 16:26:01 <cohosh> i can put an extra label on it 16:26:08 <AlwaysLivid> I seriously am not sure. 16:26:26 <AlwaysLivid> let me use some fancy gitlab search terms 16:26:26 <dcf1> https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40110 16:26:33 <dcf1> ? 16:26:36 <AlwaysLivid> ....... yup! 16:26:43 <cohosh> thanks dcf 16:26:44 <AlwaysLivid> that's hugely convenient, thanks! 16:26:56 <AlwaysLivid> oh, it already has a label! 16:27:22 <cohosh> nice, as of 3 hours ago :) 16:27:23 <AlwaysLivid> .... Wait, I opened a different ticket. oh well. 16:27:42 <gtsatsis> Oh, AlwaysLivid, I think I know what happened 16:27:56 <AlwaysLivid> Regarding what? 16:28:19 <gtsatsis> boklm made a ticket about 3 hours ago wrt: splitting the downloads.json file to different json files for different architectures 16:28:36 <gtsatsis> I'd think Android would be included 16:28:38 <AlwaysLivid> Yeah, I chimed in to the ticket too. 16:29:32 <cohosh> okay well we'd love it if you kept us updated on this work 16:30:02 <cohosh> i am very glad both of you are working on GetTor related things 16:30:38 <gtsatsis> :) 16:30:49 <AlwaysLivid> I'm a bit inactive for the time being for reasons I've brought up before, but I still poke around if I find a free hour or two. 16:31:26 <cohosh> we have this meeting every week and also an anti-censorship mailing list: https://lists.torproject.org/cgi-bin/mailman/listinfo/anti-censorship-team 16:31:29 <AlwaysLivid> ... I also still try to give people "project ideas" if they have no idea what to work on whenever I get the chance ;D 16:31:39 <AlwaysLivid> Yeah, I should really sign up to it. 16:32:12 <AlwaysLivid> I'll do so after the meeting. 16:32:27 <gtsatsis> Same 16:32:40 <cohosh> :) 16:33:52 <AlwaysLivid> I decided to experiment with Telegram because I felt like it was a very open platform, but I keep stumbling upon blockers that I can't deal with under my current limited amount of time. Speaking of which, I just opened a new ticket regarding downloads.json: #40380 16:33:58 <AlwaysLivid> https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40380 16:34:08 <dcf1> gtsatsis: when you feel comfortable that you have something to release, you can announce it at https://github.com/net4people/bbs or https://ntc.party/c/community-software/27 16:34:11 <AlwaysLivid> It's a tiny detail. 16:35:28 <AlwaysLivid> If we both manage to finish up on our projects at a point where they could be considered as deployable, is it advisable/possible to hand over the control to project itself? 16:35:46 <gtsatsis> dcf1: will do! I suppose the more people able to host a bot, the better it'd be. I was talking to someone and they jokingly said "are you going to put QR code stickers on random lightpoles on the street?", and tbh, it doesn't sound like a bad idea lol 16:36:12 <cohosh> AlwaysLivid: not necessarily, we'd be happy to host code or integrate it with GetTor but it's still unclear what that would look like 16:36:33 <cohosh> it depends on what you want to do 16:36:54 <cohosh> and we're short on maintainers right now 16:37:12 <AlwaysLivid> I see, that's why I've also been wondering about it. I mean, like, will either of these bots be potentially hosted by the project itself? 16:37:27 <AlwaysLivid> Yeah, I get that. 16:38:00 <AlwaysLivid> I mean, I'd see myself maintaining my bot (and poking around with gtsatsis's implementation a bit too :D ) 16:38:08 <cohosh> we could if you want us to, i think this will also be up to you 16:38:34 <cohosh> our admin/comms team will probably want to know if you use Tor Project in a signal or telegram username 16:38:37 <AlwaysLivid> I don't really possess the available resources or bandwidth to host it on a permanent basis reliably. 16:39:06 <cohosh> okay then yeah you should reach out to us about hosting it 16:39:08 <AlwaysLivid> I just use my unofficial project name and keep the whole affiliation thing limited to "Distribute the binaries of The Tor Project". 16:39:22 <cohosh> yeah that's fine 16:39:33 <AlwaysLivid> Got it, I'll try my best to either finish it or to bring it to a very optimal state in a few months. 16:39:35 <dcf1> That's the rub, the cost of deploying and maintaining a project like this is usually many times the cost of initially developing the software 16:40:05 <AlwaysLivid> I'm designing the bot with saving bandwidth (and preventing DoS attacks) in mind. 16:40:24 <gtsatsis> I've been running a file host for the past, gosh, 5 years almost. There's nothing truer than what you just said dcf1 16:41:14 <AlwaysLivid> Many of my projects have actually stopped at prohibitive maintenance costs as far as the infrastructure is concerned, but yeah, not sure if we're drifting away from the topic. 16:42:16 <cohosh> no worries, we don't have more agenda items for today 16:42:28 <cohosh> but yeah we have dedicated server/resources for GetTor 16:42:36 <AlwaysLivid> Understood, thanks for clearing that up. 16:43:00 <AlwaysLivid> I do have a couple of other topics (more like 'ideas' that I'd like to discuss rather than anything tangible) to bring up if that's not a problem. 16:43:27 <cohosh> okay go for it! 16:43:41 <AlwaysLivid> So, you did bring up that the Twitter bot was still broken and had to be fixed eventually or something, right? 16:44:52 <AlwaysLivid> The Twitter bot (as well as the mail bot) have simpler functionality, particularly because they essentially just respond to messages and act based on input and there's no CDN or file uploading magic involved. 16:45:37 <cohosh> um it depends on what you mean by file uploading 16:45:46 <AlwaysLivid> well, not like the internet archive stuff for example 16:45:46 <cohosh> like i said, our providers are separate 16:45:57 <AlwaysLivid> but like you wouldn't upload a tor binary to twitter 16:46:10 <cohosh> so we do upload the files but that happens on a separate schedule (and unfortunately manually) 16:46:21 <cohosh> yeah that's right 16:46:33 <AlwaysLivid> yeah i get that, but, long story short, file uploading is out of the equation in this case and it's going to stay that way 16:46:37 <AlwaysLivid> I was thinking of the Matrix platform, which does have a lot of bridges available. I was running a discussion room that was accessible both on Discord, Matrix, Telegram and even IRC and one of the nicer things I noticed as I did that was that I could use bots on Discord from Matrix. 16:47:17 <AlwaysLivid> So, let me get to the point; If a single bot on Matrix was to be written, then subsequently connected to a bunch of different services using 'bridges', you could have one bot interacting with dozens of different services. 16:47:57 <AlwaysLivid> Matrix is a bit buggy and support for complicated features such as file uploading is questionable and varies a LOT. 16:48:52 <AlwaysLivid> But if we're talking about a chatbot that responds based on simple text input and also sends text, you could just write a single bot and work with multiple different platforms. The only thing to consider would be e.g. adhering to the shortest character limit of each of the platforms. 16:49:52 <cohosh> oh that's really interesting 16:49:59 <AlwaysLivid> Like, I could hypothetically message a bot on Facebook Messenger or WhatsApp (this is a pure hypothetical), and the same bot that sends people links on Twitter could also respond the exact same way. 16:50:08 <AlwaysLivid> Same reaction, one codebase. 16:50:39 <cohosh> as i understand it, we have a matrix/IRC bridge for all of our IRC channels here 16:50:41 <AlwaysLivid> The hardest part about this would be the infrastructure, since Matrix is still in its infancy as a platform, however. Which is, again, why I'm bringing up something simple 16:51:08 <AlwaysLivid> cohosh, yeah, Matrix users can interact with IRC bots and (sometimes) vice versa! 16:51:32 <AlwaysLivid> My primary concern with this idea is that there are a lot of quirks that are very often out of control. 16:52:08 <AlwaysLivid> But like, as you said, 'gettor lacks maintainers', this could seem like an interesting idea to experiment with and gradually expand on. 16:53:22 <cohosh> yeah it is, thanks for bringing this up 16:53:40 <AlwaysLivid> that's something i'd definitely like to experiment with in the future, but one step at a time 16:53:48 <cohosh> having a simpler system with a smaller code base is ideal 16:53:55 <cohosh> awesome :) 16:54:30 <AlwaysLivid> you could bridge matrix and signal, but that wouldn't render e.g. gtsatsis's implementation useless, particularly because of the file uploads and privacy features such as "disappearing messages" that default to one hour, which he has enabled by default 16:55:11 <AlwaysLivid> so that's important to note since my idea is interesting for covering a lot of ground but it's definitely *not* a panacea and that's not what i'm trying to sell here 16:55:33 <cohosh> i should end the meeting soon, are there any more discussion points or anyone have something they need help with this week? 16:55:54 <cohosh> AlwaysLivid: yeah good point 16:55:59 <AlwaysLivid> there's also another idea that i wanted to throw around (but can sum up in two minutes) but that can also wait for next week :P 16:56:11 <AlwaysLivid> *can be summed up 16:56:42 <cohosh> nice, go ahead 16:56:58 <AlwaysLivid> I've been experimenting over the past few months with different censorship circumvention techniques and other irrelevant projects that seem to stick together, for some reason. 16:57:02 <AlwaysLivid> e.g. https://dn42.dev 16:57:42 <AlwaysLivid> That is an experimental network for people interested in learning more about networking (and the magics of BGP/OSPF), but I see a lot of potential in censorship circumvention. In networks like these, people can host SOCKS proxies or even Tor bridges, which is also something that I tried out. 16:58:07 <AlwaysLivid> Some (technically advanced) people in heavily censored countries have taken advantage of these networks to circumvent censorship that way. 16:58:35 <AlwaysLivid> Or even some other crazy networking stuff that would not be otherwise carried out under clearnet. 16:59:06 <AlwaysLivid> I was wondering about the prospect of mirroring the Tor website on experimental networks like these. 16:59:45 <cohosh> Hmm interesting! 17:00:00 <cohosh> I have to run now, but i'll take a look at some point later 17:00:02 <AlwaysLivid> Like, it's just a couple of VPNs that go through more VPNs and it's not infallible (e.g. an adversary could monitor traffic and a threat intel company has infiltrated a network like that in the past for some weird reason). 17:00:08 <AlwaysLivid> Got it! Thanks for your time! 17:00:12 <dcf1> I think the general principle is to implement the idea in prototype form 17:00:30 <AlwaysLivid> I'm just bringing them up because I would if I could :P 17:00:37 <cohosh> can someone other than me end the meeting or do i have to do that if i started it? 17:00:52 <AlwaysLivid> can other participants end it? 17:01:00 <cohosh> not sure 17:01:07 <AlwaysLivid> ... what's the command, we could find out! 17:01:11 <dcf1> #endmeeting 17:01:19 <AlwaysLivid> Welp, we got our answer. 17:01:22 <cohosh> okay i'll end it here so the logging stops but feel free to carry on in this channel 17:01:26 <cohosh> #endmeeting