15:57:52 <cohosh> #startmeeting tor anti-censorship meeting
15:57:52 <MeetBot> Meeting started Thu Mar 18 15:57:52 2021 UTC.  The chair is cohosh. Information about MeetBot at http://wiki.debian.org/MeetBot.
15:57:52 <MeetBot> Useful Commands: #action #agreed #help #info #idea #link #topic.
15:57:59 <cohosh> hey everyone!
15:58:02 <AlwaysLivid> hello!
15:58:11 <cohosh> here is our meeting pad: https://pad.riseup.net/p/tor-anti-censorship-keep
15:58:19 <agix> hi
15:58:36 <cohosh> feel free to add things to the agenda
15:58:37 <gtsatsis> Hello!
15:59:01 <cohosh> AlwaysLivid: gtsatsis: hi!
15:59:37 <cohosh> dcf1: is that first announcement yours?
16:00:01 <dcf1> Yes, this is a part of the Turbo Tunnel work from last year, the sponsor is giving it a security audit, which also affects parts of snowflake.
16:00:20 <dcf1> They started Monday this week.
16:00:51 <cohosh> nice
16:00:53 <dcf1> So far, I have not heard much, but I understand they will produce a written report.
16:01:20 <cohosh> are they looking only at turbotunnel parts of snowflake, or the whole system?
16:01:30 <dcf1> Just the turbotunnel parts, as I understand it.
16:02:11 <cohosh> cool
16:02:47 <cohosh> i would be curious about a security audit of all the webrtc bits >.<
16:03:11 <cohosh> but this is still nice
16:03:43 <cohosh> okay it looks like we have some discussion items for today
16:03:56 <AlwaysLivid> wait i forgot to fill out one more thing
16:04:30 <cohosh> AlwaysLivid: oh it's ok you don't need to add everything to the pad
16:04:47 <cohosh> we mostly use the pad to remind us what to talk about
16:04:47 <gtsatsis> > China appears to be blocking Signal
16:04:48 <AlwaysLivid> it's specifically the idea that popped up in my head two days ago and was excited to share :P
16:05:19 <gtsatsis> tfw as soon as I start working on a distribution bot for Signal, it gets blocked
16:05:35 <cohosh> heh
16:05:53 <cohosh> gtsatsis: you have the room/floor/mic now so feel free to share what you've been working on :)
16:06:22 <gtsatsis> Well, with inspiration from AlwaysLivid, I actually went ahead and wrote this little bot up last night
16:06:24 <gtsatsis> https://gitlab.com/gtsatsis/signal-gettor
16:06:45 <AlwaysLivid> (I told him that he should look into this on at least 4 different occasions.)
16:06:56 <gtsatsis> It allows users of the Signal platform to request and receive binaries of the Tor browser without much hassle
16:07:29 <gtsatsis> Just "tor get <platform> [language]" in a message, and it'll send a binary and the signature file, as well as instructions on how to verify the signature
16:07:52 <AlwaysLivid> It's really similar to the way the e-mail distributor works.
16:08:04 <AlwaysLivid> but with more dialogue!
16:08:57 <gtsatsis> that's basically it
16:09:21 <gtsatsis> (sorry, not really good at this presenting thing, haha >.<)
16:09:25 <cohosh> cool!
16:09:32 <cohosh> no that was great
16:09:50 <AlwaysLivid> signal is a nice platform for this purpose too particularly because they really don't have any sort of strict limitations on file upload limits
16:10:07 <dcf1> I am not sure who is in charge of gettor things
16:10:28 <dcf1> There is something that sometimes uploads binaries to https://archive.org/details/@gettor, but it seems it's not automated as it doesn't get every release
16:10:30 <cohosh> i'm the maintainer at the moment
16:10:40 <cohosh> yeah
16:10:47 <gtsatsis> dcf1: oh, if there's any problem with the branding, I can rename the repo; I simply had it named as signal-gettor on my computer so i was like "might as well"
16:10:55 <arlolra> so you're the gettor aid
16:11:10 <cohosh> arlolra: lmao
16:11:27 <cohosh> so the way gettor currently works is we have providers and distrbutors
16:11:52 <cohosh> the distributors right now only include email and used to include both email and twitter but twitter is broken until we do a complete rewrite of it
16:12:04 <cohosh> the distributors distribute download links to our providers
16:12:30 <cohosh> which is where the binaries are uploaded and right now include: google docs, internet archive, gitlab, and github
16:12:43 <AlwaysLivid> (i'll bring up this thing with the twitter later on)
16:12:55 <gtsatsis> Ah, I'm currently downloading and sending the files directly through Signal
16:13:09 <cohosh> yeah we do it this way because tor browser binaries are so huge
16:13:37 <cohosh> so if you like you can use our existing provider links
16:13:54 <gtsatsis> Will take a look!
16:14:03 <AlwaysLivid> are there any applicable restrictions with bandwidth?
16:14:06 <cohosh> https://gitlab.torproject.org/tpo/anti-censorship/gettor-project/gettor/-/tree/master/scripts
16:14:14 <cohosh> gettor needs a lot more love than it is getting right now
16:14:25 <gtsatsis> I currently bypass Signal's "dangerous filetypes" by zipping up the .exe/.dmg/.tar.xz
16:14:51 <AlwaysLivid> Is that user friendly? (Can SIgnal be reached out to as a means of getting them to lift the restrictions?)
16:15:22 <cohosh> idk, signal is pretty strict on making UI changes and about what are good use cases
16:15:25 <AlwaysLivid> I'm not even sure if they'd be extremely fond of the idea, but their terms of service and the restrictions in the platform itself seem to be fine with it.
16:15:35 <cohosh> but i also don't think changing this is a good call
16:15:48 <dcf1> alternatively, it could always zip, and that way it could additionally include the signature files
16:15:50 <gtsatsis> AlwaysLivid: It's not a server-side block, so there's nothing preventing you from sharing the files. The official client simply restricts the up/downloading of files with certain extensions.
16:16:41 <gtsatsis> dcf1: good idea, my brain had become mush after about 3AM, so I send the signature as a separate file, but I'll go ahead and get right on that after the meeting
16:16:46 <cohosh> if it was a link you could avoid this somewhat
16:16:52 <cohosh> Since the link will open in a browser
16:17:21 <AlwaysLivid> ... Why not both?
16:17:35 <cohosh> yeah you could do that
16:17:35 <gtsatsis> ^ I could implement a tor get link option
16:17:40 <AlwaysLivid> yeah that's what i also thought of
16:18:41 <AlwaysLivid> i mean, signal is e2ee, i feel like forcing people (esp. high-risk) to get browsers and websites increases the stakes
16:18:59 <cohosh> so to make these requests, do users have to send the message to a specific number?
16:19:13 <AlwaysLivid> for now, OWS says that they'll add usernames later in 2021, but yeah.
16:19:19 <gtsatsis> Yeah, they do- I don't have any public numbers to test it with at the moment, but- ^
16:20:11 <AlwaysLivid> I thought of potential issues arising with i18n and discussed them extensively with George, but I also considered that, should they add usernames, you could just run different instances of the bot that speak different languages.
16:20:30 <AlwaysLivid> and then aggregate the bot usernames in a single group/channel sort of thing or something similar
16:20:42 <AlwaysLivid> (I'm not extensively familiar with Signal)
16:21:05 <cohosh> i think we used to do that in very early gettor, where users would send an email to gettor+[language code]@torproject.org
16:21:15 <cohosh> like gettor+fa@torproject.org
16:21:21 <gtsatsis> Yeah, that's a possibility if usernames do come out later this year, but at the moment I'm simply working with suffixing the language at the end of the command
16:21:53 <gtsatsis> While a tad bit messy, it works
16:22:25 <cohosh> thanks for working on this
16:22:32 <cohosh> is there anything we can do to help?
16:23:31 <gtsatsis> I mean, anyone's free to contribute, but most things, I've basically been able to tackle by myself.
16:24:00 <gtsatsis> The one thing I'd like to see is a way to get android builds from downloads.json or something along those lines, would make it much easier, heh
16:24:25 <AlwaysLivid> I opened a ticket about that like 6 months ago, but it got labelled as "Unscheduled" like 4 months ago.
16:24:32 <cohosh> yeah that's a question for the applications team and tor browser devs
16:24:38 <cohosh> i'm not sure what the status is on that
16:24:43 <gtsatsis> AlwaysLivid: Ouchie
16:25:01 <AlwaysLivid> I just can't remember the number, I'm just trying to avoid duplicates :P
16:25:44 <cohosh> AlwaysLivid: do you remember the repository?
16:26:01 <cohosh> i can put an extra label on it
16:26:08 <AlwaysLivid> I seriously am not sure.
16:26:26 <AlwaysLivid> let me use some fancy gitlab search terms
16:26:26 <dcf1> https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40110
16:26:33 <dcf1> ?
16:26:36 <AlwaysLivid> ....... yup!
16:26:43 <cohosh> thanks dcf
16:26:44 <AlwaysLivid> that's hugely convenient, thanks!
16:26:56 <AlwaysLivid> oh, it already has a label!
16:27:22 <cohosh> nice, as of 3 hours ago :)
16:27:23 <AlwaysLivid> .... Wait, I opened a different ticket. oh well.
16:27:42 <gtsatsis> Oh, AlwaysLivid, I think I know what happened
16:27:56 <AlwaysLivid> Regarding what?
16:28:19 <gtsatsis> boklm made a ticket about 3 hours ago wrt: splitting the downloads.json file to different json files for different architectures
16:28:36 <gtsatsis> I'd think Android would be included
16:28:38 <AlwaysLivid> Yeah, I chimed in to the ticket too.
16:29:32 <cohosh> okay well we'd love it if you kept us updated on this work
16:30:02 <cohosh> i am very glad both of you are working on GetTor related things
16:30:38 <gtsatsis> :)
16:30:49 <AlwaysLivid> I'm a bit inactive for the time being for reasons I've brought up before, but I still poke around if I find a free hour or two.
16:31:26 <cohosh> we have this meeting every week and also an anti-censorship mailing list: https://lists.torproject.org/cgi-bin/mailman/listinfo/anti-censorship-team
16:31:29 <AlwaysLivid> ... I also still try to give people "project ideas" if they have no idea what to work on whenever I get the chance ;D
16:31:39 <AlwaysLivid> Yeah, I should really sign up to it.
16:32:12 <AlwaysLivid> I'll do so after the meeting.
16:32:27 <gtsatsis> Same
16:32:40 <cohosh> :)
16:33:52 <AlwaysLivid> I decided to experiment with Telegram because I felt like it was a very open platform, but I keep stumbling upon blockers that I can't deal with under my current limited amount of time. Speaking of which, I just opened a new ticket regarding downloads.json: #40380
16:33:58 <AlwaysLivid> https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40380
16:34:08 <dcf1> gtsatsis: when you feel comfortable that you have something to release, you can announce it at https://github.com/net4people/bbs or https://ntc.party/c/community-software/27
16:34:11 <AlwaysLivid> It's a tiny detail.
16:35:28 <AlwaysLivid> If we both manage to finish up on our projects at a point where they could be considered as deployable, is it advisable/possible to hand over the control to project itself?
16:35:46 <gtsatsis> dcf1: will do! I suppose the more people able to host a bot, the better it'd be. I was talking to someone and they jokingly said "are you going to put QR code stickers on random lightpoles on the street?", and tbh, it doesn't sound like a bad idea lol
16:36:12 <cohosh> AlwaysLivid: not necessarily, we'd be happy to host code or integrate it with GetTor but it's still unclear what that would look like
16:36:33 <cohosh> it depends on what you want to do
16:36:54 <cohosh> and we're short on maintainers right now
16:37:12 <AlwaysLivid> I see, that's why I've also been wondering about it. I mean, like, will either of these bots be potentially hosted by the project itself?
16:37:27 <AlwaysLivid> Yeah, I get that.
16:38:00 <AlwaysLivid> I mean, I'd see myself maintaining my bot (and poking around with gtsatsis's implementation a bit too :D )
16:38:08 <cohosh> we could if you want us to, i think this will also be up to you
16:38:34 <cohosh> our admin/comms team will probably want to know if you use Tor Project in a signal or telegram username
16:38:37 <AlwaysLivid> I don't really possess the available resources or bandwidth to host it on a permanent basis reliably.
16:39:06 <cohosh> okay then yeah you should reach out to us about hosting it
16:39:08 <AlwaysLivid> I just use my unofficial project name and keep the whole affiliation thing limited to "Distribute the binaries of The Tor Project".
16:39:22 <cohosh> yeah that's fine
16:39:33 <AlwaysLivid> Got it, I'll try my best to either finish it or to bring it to a very optimal state in a few months.
16:39:35 <dcf1> That's the rub, the cost of deploying and maintaining a project like this is usually many times the cost of initially developing the software
16:40:05 <AlwaysLivid> I'm designing the bot with saving bandwidth (and preventing DoS attacks) in mind.
16:40:24 <gtsatsis> I've been running a file host for the past, gosh, 5 years almost. There's nothing truer than what you just said dcf1
16:41:14 <AlwaysLivid> Many of my projects have actually stopped at prohibitive maintenance costs as far as the infrastructure is concerned, but yeah, not sure if we're drifting away from the topic.
16:42:16 <cohosh> no worries, we don't have more agenda items for today
16:42:28 <cohosh> but yeah we have dedicated server/resources for GetTor
16:42:36 <AlwaysLivid> Understood, thanks for clearing that up.
16:43:00 <AlwaysLivid> I do have a couple of other topics (more like 'ideas' that I'd like to discuss rather than anything tangible) to bring up if that's not a problem.
16:43:27 <cohosh> okay go for it!
16:43:41 <AlwaysLivid> So, you did bring up that the Twitter bot was still broken and had to be fixed eventually or something, right?
16:44:52 <AlwaysLivid> The Twitter bot (as well as the mail bot) have simpler functionality, particularly because they essentially just respond to messages and act based on input and there's no CDN or file uploading magic involved.
16:45:37 <cohosh> um it depends on what you mean by file uploading
16:45:46 <AlwaysLivid> well, not like the internet archive stuff for example
16:45:46 <cohosh> like i said, our providers are separate
16:45:57 <AlwaysLivid> but like you wouldn't upload a tor binary to twitter
16:46:10 <cohosh> so we do upload the files but that happens on a separate schedule (and unfortunately manually)
16:46:21 <cohosh> yeah that's right
16:46:33 <AlwaysLivid> yeah i get that, but, long story short, file uploading is out of the equation in this case and it's going to stay that way
16:46:37 <AlwaysLivid> I was thinking of the Matrix platform, which does have a lot of bridges available. I was running a discussion room that was accessible both on Discord, Matrix, Telegram and even IRC and one of the nicer things I noticed as I did that was that I could use bots on Discord from Matrix.
16:47:17 <AlwaysLivid> So, let me get to the point; If a single bot on Matrix was to be written, then subsequently connected to a bunch of different services using 'bridges', you could have one bot interacting with dozens of different services.
16:47:57 <AlwaysLivid> Matrix is a bit buggy and support for complicated features such as file uploading is questionable and varies a LOT.
16:48:52 <AlwaysLivid> But if we're talking about a chatbot that responds based on simple text input and also sends text, you could just write a single bot and work with multiple different platforms. The only thing to consider would be e.g. adhering to the shortest character limit of each of the platforms.
16:49:52 <cohosh> oh that's really interesting
16:49:59 <AlwaysLivid> Like, I could hypothetically message a bot on Facebook Messenger or WhatsApp (this is a pure hypothetical), and the same bot that sends people links on Twitter could also respond the exact same way.
16:50:08 <AlwaysLivid> Same reaction, one codebase.
16:50:39 <cohosh> as i understand it, we have a matrix/IRC bridge for all of our IRC channels here
16:50:41 <AlwaysLivid> The hardest part about this would be the infrastructure, since Matrix is still in its infancy as a platform, however. Which is, again, why I'm bringing up something simple
16:51:08 <AlwaysLivid> cohosh, yeah, Matrix users can interact with IRC bots and (sometimes) vice versa!
16:51:32 <AlwaysLivid> My primary concern with this idea is that there are a lot of quirks that are very often out of control.
16:52:08 <AlwaysLivid> But like, as you said, 'gettor lacks maintainers', this could seem like an interesting idea to experiment with and gradually expand on.
16:53:22 <cohosh> yeah it is, thanks for bringing this up
16:53:40 <AlwaysLivid> that's something i'd definitely like to experiment with in the future, but one step at a time
16:53:48 <cohosh> having a simpler system with a smaller code base is ideal
16:53:55 <cohosh> awesome :)
16:54:30 <AlwaysLivid> you could bridge matrix and signal, but that wouldn't render e.g. gtsatsis's implementation useless, particularly because of the file uploads and privacy features such as "disappearing messages" that default to one hour, which he has enabled by default
16:55:11 <AlwaysLivid> so that's important to note since my idea is interesting for covering a lot of ground but it's definitely *not* a panacea and that's not what i'm trying to sell here
16:55:33 <cohosh> i should end the meeting soon, are there any more discussion points or anyone have something they need help with this week?
16:55:54 <cohosh> AlwaysLivid: yeah good point
16:55:59 <AlwaysLivid> there's also another idea that i wanted to throw around (but can sum up in two minutes) but that can also wait for next week :P
16:56:11 <AlwaysLivid> *can be summed up
16:56:42 <cohosh> nice, go ahead
16:56:58 <AlwaysLivid> I've been experimenting over the past few months with different censorship circumvention techniques and other irrelevant projects that seem to stick together, for some reason.
16:57:02 <AlwaysLivid> e.g. https://dn42.dev
16:57:42 <AlwaysLivid> That is an experimental network for people interested in learning more about networking (and the magics of BGP/OSPF), but I see a lot of potential in censorship circumvention. In networks like these, people can host SOCKS proxies or even Tor bridges, which is also something that I tried out.
16:58:07 <AlwaysLivid> Some (technically advanced) people in heavily censored countries have taken advantage of these networks to circumvent censorship that way.
16:58:35 <AlwaysLivid> Or even some other crazy networking stuff that would not be otherwise carried out under clearnet.
16:59:06 <AlwaysLivid> I was wondering about the prospect of mirroring the Tor website on experimental networks like these.
16:59:45 <cohosh> Hmm interesting!
17:00:00 <cohosh> I have to run now, but i'll take a look at some point later
17:00:02 <AlwaysLivid> Like, it's just a couple of VPNs that go through more VPNs and it's not infallible (e.g. an adversary could monitor traffic and a threat intel company has infiltrated a network like that in the past for some weird reason).
17:00:08 <AlwaysLivid> Got it! Thanks for your time!
17:00:12 <dcf1> I think the general principle is to implement the idea in prototype form
17:00:30 <AlwaysLivid> I'm just bringing them up because I would if I could :P
17:00:37 <cohosh> can someone other than me end the meeting or do i have to do that if i started it?
17:00:52 <AlwaysLivid> can other participants end it?
17:01:00 <cohosh> not sure
17:01:07 <AlwaysLivid> ... what's the command, we could find out!
17:01:11 <dcf1> #endmeeting
17:01:19 <AlwaysLivid> Welp, we got our answer.
17:01:22 <cohosh> okay i'll end it here so the logging stops but feel free to carry on in this channel
17:01:26 <cohosh> #endmeeting