Tor in Google Summer of Code 2014

by atagar | February 26, 2014

Interested in coding on Tor and getting paid for it by Google? If you are a student, we have good news for you: We have been accepted as a mentoring organisation for Google Summer of Code 2014 together with The Electronic Frontier Foundation!

Here are the facts: The summer of code gives you the opportunity to work on your own Tor-related coding project with one of the Tor developers as your mentor. You can apply for a coding project related to Tor itself or to one of its many supplemental projects. Your mentor will help you when you're stuck with your project and guide you in becoming part of the Tor community. Google pays you 5,500 USD for the three months of your project, so that you can focus on coding and don't have to worry about how to pay your bills.

Did we catch your attention? These are your next steps: Go look at the Google Summer of Code FAQ to make sure you are eligible to participate. Have a look at our ideas list to see if one of those projects matches your interests. If there is no project on that list that you'd want to work on, read the documentation on our website and make up your own project idea! Come to the tor-dev@ list or #tor-dev on OFTC and let us know about your project idea. Communication is essential to success in the summer of code, and we're unlikely to accept students we haven't heard from before reading their application. So really, come to the list or IRC channel and talk to us!

Finally, write down your project idea using our template and submit your application to Google before March 21.

We are looking forward to discussing your project idea with you!

Comments

Please note that the comment area below has been archived.

February 26, 2014

Permalink

That's a really good news.
Wil apply asap :)

Cheers guys and keep up the good work !

Great! The best way to get involved and up-to-speed is to:

a) read through the ideas list on the volunteer page:
https://sedvblmbog.tudasnich.de/getinvolved/volunteer#projects

b) start listening to the discussions on the various IRC channels:
https://sedvblmbog.tudasnich.de/about/contact#irc

c) learn more about Tor in general:
https://sedvblmbog.tudasnich.de/docs/documentation#UpToSpeed

February 26, 2014

Permalink

One of these guys should write a library to implement connect/send/recv/etc in C. Something that allows app developers to quickly switch from using traditional network socket code, to tor data port oriented socket code without any real pain. Like change connect(args) to connect_tor(same args as normal connect).

Fortunately, the Tor client acts like a standard socks proxy. So many applications can already handle it, since they already know how to use a proxy.

Or maybe you have in mind that the application itself would launch Tor in its own process space? Many people have asked for "Tor as a library" in the past, but when they investigate the idea further they generally realize it won't actually make things easier in the way they'd hoped.

Anyway, this is a fine discussion for irc.

February 26, 2014

Permalink

Bringing Google into this project is akin to having a wolf watch your sheep. So long anonymity and all the benefits Tor brought us.

(I assume your comment below is the same person as this one)

This is the same discussion we've been having over and over with respect to funders. If you want the longer version of it, I suggest you watch our 30c3 talk from this past December:
http://events.ccc.de/congress/2013/Fahrplan/events/5423.html
http://media.ccc.de/browse/congress/2013/30C3_-_5423_-_en_-_saal_1_-_20…

If you want the short version: gsoc is explicitly for open source projects, and they're leaving it to us to choose the people, choose the projects, and manage the projects. Everything will happen in the open, where you can watch it, and you can judge the results for yourself.

GSoC is a great way to get more people involved and integrated into the Tor community -- we have way more projects and problems to solve than we have available developers, and we need many many more people helping us. Please help!

(Also, if you liked Tor before you read this blog post, you should realize that we've been participating in GSoC for many years now.)

February 28, 2014

In reply to arma

Permalink

The question remains: Why does invest the money and resources into this project that they do, year after year?

Altruism?

Nothing is free.

I totally agree. Google will NEVER spend their money without getting something in return.

Google's life blood is collecting our private info, and I'm sure that this is what's behind this project.

I'm sure that anyone receiving money for this project would not hesitate to slip in a back door into Tor (if it's not already there yet).

Goodby Tor!

Well, they do it to a) make the actually good developers in the world like them a bit more, and b) get free help from good developers in identifying other good developers so they can try to hire them. Oh, and somewhere along the line is c) make free software in the world better, thus undermining certain large proprietary software businesses that compete with Google.

Not every step that Google takes is *directly* about collecting our private info. Some of the steps are quite indirect. :)

As for the backdoor comment, that totally doesn't make sense with the rest of this discussion. For example, why in your world would somebody taking Google's money do it, but somebody taking the National Science Foundation's money not do it?

February 26, 2014

Permalink

and there goes any reason to trust torproject will protect my privacy and anonymity any longer.

thank you google

February 26, 2014

Permalink

the last two comments make no sense are act as idle gossip. Intel backdoored it's hw crypto chip, I wonder if these guys boycott all Intel hw also?

Or any other binary-blob in their operating system. Even with coreboot.org, you'll still need proprietary program code, which could be disassembled, but still it's not trustworthy.

Thank you torproject and every contributor to the software or the project itself. You are doing a good job and applying something like summer of code makes it even more awesome.

February 26, 2014

Permalink

gpg --verify tor-browser-linux32-3.5.2.1_en-US.tar.xz.asc tor-browser-linux64-3.5.2.1_en-US.tar.xz
gpg: Signature made Sat 15 Feb 2014 05:46:30 AM CST using RSA key ID 63FEE659
gpg: BAD signature from "Erinn Clark "

$ gpg --verify tor-browser-linux32-3.5.2.1_en-US.tar.xz.asc
gpg: Signature made Sat 15 Feb 2014 06:46:30 AM EST using RSA key ID 63FEE659
gpg: Good signature from "Erinn Clark "

Works for me. In this directory:
https://sedvblmbog.tudasnich.de/dist/torbrowser/3.5.2.1/
you can find this file:
https://sedvblmbog.tudasnich.de/dist/torbrowser/3.5.2.1/sha256sums.txt
which lists the sha256 hash of each file. In this case, the hash for that TBB is:
0b7fe384e06486528969897efecc30e1ffe994b1015fb5897101824b83fa9c26 tor-browser-linux32-3.5.2.1_en-US.tar.xz
which matches what I downloaded.

Sounds like you only downloaded part of it? Or it got corrupted in some other way?

February 26, 2014

Permalink

too bad i don't know enough C to apply. i fit the college student part of the requirement though. one day i will apply

February 27, 2014

Permalink

WTF is this??? Working with Google is most def sleeping with the enemy! Google shares ALL your info with the Gov, I thought this was the WHOLE point of using TOR was to stay away from their bullshit and now they just turn around and work with them?

Please read the details -- we are directing some of Google's money at students who want to write open-source software for Tor. Students who are opposed to taking Google's money are welcome to avoid it. But in the past, this has been a great way to identify and foster new developers for the Tor community. I'm excited to participate again.

Also, whether Google funds people to write open-source software is a distinct topic from whether Tor users should use Google's services.

I encourage you to learn more about ECC.

Dual_EC_DRBG does indeed have a very bad history. That doesn't make all ECC bad.

Factoring and discrete log are looking weaker and weaker over time -- the second URL you list actually has an article on how discrete logs are increasingly bad news, and ECC is increasingly the only safe option.

It generally comes down to parameter choices:
http://safecurves.cr.yp.to/

We're fans of curve25519.

February 28, 2014

Permalink

wheres onion sites?
why you put start page search on first page if is much better put onion sites in official search.

we dont need that garbage sites monitored by dictators, we need realy freedom of onion sites. if all sites are an garbage monitored, I will join my pc on trash and live without that.

silk road is now hard because all goods is now opened in customs and an gov. official steal my goods and intimate me in my home endorsed by greedy gov.

February 28, 2014

Permalink

We need an alternative internet without gov. and their spies.
Can tor help?

That's a really tough one -- all the fiber, the buildings, the large companies that make deals with each other... it is tough to replace that at the large scale.

March 03, 2014

Permalink

While I disagree at the ease with which a backdoor can be implemented in opensource software (it's opensource just read the code), I love the distrust. This is the kind of paranoia that sadly isn't found in the mainstream sheep.

And if Tor doesn't have a backdoor already, when they do install one it's not going to be opensource and they aren't going to write a blog post about it.

March 04, 2014

Permalink

I am running a hidden service and sometimes I have requests to ports 21, 22, 25, 80, 139, 445, 6667 and other well-known ports. Seemingly someone tests my service for open ports. How wide is hidden service address known if I didn't tell my address to anyone by now?

March 04, 2014

Permalink

"This message came from google when I attempted to log into my gmaii account using the Tor browser. Notice the irreverent IP address. After this attempt my account was flagged. Seems to me that TOR servers could be more trouble than they're worth? "

-----------------------------------------------------------------------------

Someone recently used your password to try to sign in to your Google Account -*******************

We prevented the sign-in attempt in case this was a hijacker trying to access your account. Please review the details of the sign-in attempt:

Tuesday, March 4, 2014 2:13:13 PM UTC
IP Address: 193.107.17.71 (free.palestine.fuck.government.of.israel.g0v.su)
Location: Ovelgönne, Germany

If you do not recognize this sign-in attempt, someone else might be trying to access your account. You should sign in to your account and reset your password immediately.

------------------------------------------------------------------------------

G**gle want to be able to track users, they want to know everything about you and everything you do. They hate users that attempt to be anonymous, and does everything in their power to make such attempts a night-mare, so the user stops using the anonymity software.

The solution is of course to stop using G**gle.

Also keep away from M****soft and Ya**o for the same reasons.

And, if you tried to log in into your non-anonymous e-mail account using Tor, you will still be non-anonymous of course. Tor won't automatically make you anonymous if you use it wrong. G**gle still hates Tor users though.

March 08, 2014

Permalink

It's half off-topic but Tails have no open Contact site and the programers/develpers seems to think a little bit very restricted -from the users sight.
3 important questions and things:

-They introduce "filtering proxy in front of the Tor ControlPort".
One important detail: for arm too -a few more lines of code ?? Without TAILS is nearly like cheap GADGET only! Users want that? Really?

-"Install 64-bit kernel instead of the 686-pae one"
In future users can start TAILS on 32-bit PCs ?

-In the near future TAILS developers want to replace the world map in
Vidalia.
I dont know...... I WANT see which nodes/route Tor/Tails is using. May cause i don't get money from government.
Starting from DVD current vanilla Tails has no capabilities for static entry guard. Living in GB, Tails is choosing Entry Guard in GB, choosing routes like GB-US-SE, GB-CA-US, GB-GB-US etc. . And Tails developers think users don't want to see that?
Really.......? Should i LOL ?

Tails should be open useable as possible. All others could not be in the private users interest!

I agree it is hard to anonymously get in touch with the Tails developers and community.

- Sorry, I don't understand your question about the filtering proxy.

- Yes, Tails will include 32-bit kernel (non-pae, works on all 32-bit and most 64-bit PCs), and a 64-bit kernel (pae, works on all 64-bit PC, including EFI enabled PCs). Which one is loaded is auto-detected.

- The Tails developers want to replace the network map from Vidalia with another network map. Currently no alternative exists, so Tails will keep Vidalia.

- I agree Tor's selection of routes is questionable. Seems prone to timing attacks. As far as I know no one have actually been traced due to poor route selection yet however, so maybe not much to worry about in practice.

" - Sorry, I don't understand your question about the filtering proxy. "

Very very simple.Arm needs ControlPort.
Without ControlPort you can't use arm(=Tor config tool on console with easy gui; torproject.org).A very useful tool you can make tor more flexible.In Tails,too.

Tor ControlPort in new Tails is allowed filtered only for 'New Identity' in Torbutton, arm would be DEAD.Desired?

If you know arm gui on work there is possibly a need for a filter proxy,too.

"The Tails developers want to replace the network map from Vidalia"

In this new Gui users must have the possibility to close connections like in Vidalia.

March 08, 2014

Permalink

hax

On: trac.torproject.org

Look if such a feature request already exists, or create a new ticket about it.

Make sure to motivate clearly why AdBlock Plus should be included in TBB, and what possible draw-backs of doing so may be.

For example, benefits for Tor users:
- Less connections made to advertisement companies, which are known to try tracking users and their interests.
- Less risk a user believe in the scams presented.
- Less risk the user installs a malware by mistake or because he/she was fooled. E.g. "which is the correct download button, there is four on the sites, some larger, some flashing".

Possible drawbacks:
- Assuming the rulelist is static for each TBB version, it may still be possible to fingerprint which TBB version a certain user is running by watching which ads is downloaded and which are blocked. Maybe not a big problem as most users should be running the latest version at any time.