1. What project would you like to work on? Use our ideas lists as a starting
point or make up your own idea. Your proposal should include high-level
descriptions of what you're going to do, with more details about the parts you
expect to be tricky. Your proposal should also try to break down the project
into tasks of a fairly fine granularity, and convince us you have a plan for
The Snakes on a Tor exit scanner has the potential to dramatically improve the
safety of Tor users by ferreting out misconfigured and malicious exit nodes.
At present it suffers from certain stability issues which prevent it from being
run for long periods of time, and from an overabundance of false positives in
the results it generates. While I would ideally like to work on designing new
routines for detecting subtle content modifications and for better handling
dynamic content -- the issues of stability and false positives need to be
addressed first. I've begun looking at the SoaT source code and running some
preliminary experiments, identifying several small stability issues. In the
coming weeks I'll begin to collect a body of false positives which I'll study
and design new filters around. The most difficult part of this project may be
determining what actual positive results look like, and developing a threat
model that predicts the kinds of modifications which malicious exit nodes are
likely to make. I'm sure this question has been addressed by members of the Tor
community, so much of my early work this summer will involve talking to
community members to better understand the kinds of malicious exit nodes which
have been seen in the past, and determining how well the current SoaT
implementation performs against these known attacks.
April 26 - May 24:
* Start to get an idea of what the threat model looks like, continue
performing stability tests and gathering a diverse collection of results
May 24 - June 17:
* Throw everything I can at SoaT - make it crash and fix the bugs.
* Keep collecting data!
June 17 - July 17:
* In depth analysis of false positives. Use both false positives and real
modifications (or modifications generated by myself which emulate the
types of things predicted by the threat model) to develop a data set that
SoaT's filters can be evaluated against offline.
* Use the data set to improve existing filters and create new ones.
July 17 - August 2:
Here the timeline splits depending on progress thus far.
Case 1 - There are still too many false positives:
* Keep developing new filters and tuning old ones.
Case 2 - False positives have been reduced to an acceptable level:
* Get SoaT running full time on a dedicated machine. Improve reporting so
that SoaT can communicate its suspicions to the Tor team.
* Start drafting plans for improving the system.
August 2 - 16:
* Perform an extensive test of the system and write up a report of where it
* does well and what can be improved.
2. Point us to a code sample: something good and clean to demonstrate that you
know what you're doing, ideally from an existing project.
I'm one of the two lead developers for the Anomos project, the code for which
can be browsed here [https://git.anomos.info/?p=anomos.git;a=summary].
Anomos is in Python, and I handle almost all of the network code (which makes
extensive use of SSL), so this project is particularly representative of where
my skill set intersects with that needed to work on SoaT.
3. Why do you want to work with The Tor Project / EFF in particular?
I think Tor is one of the most important free software projects in development
today - I'm very interested in the political issues surrounding access to
information, and have been an EFF member for several years now. Tor has also
been the primary inspiration for my work on Anomos. What particularly attracts
me about Tor is the sustained emphasis its developers have placed on making it
a platform for research. This emphasis has attracted a large community of
skilled anonymity researchers with whom I would be honored to work with and
learn from as I continue my study of anonymity and begin to conduct my own
4. Tell us about your experiences in free software development environments. We
especially want to hear examples of how you have collaborated with others
rather than just working on a project by yourself.
I develop all of my own software under free licenses and make an effort to work
in groups as often as possible. Anomos, the largest project I've worked on,
would not have been possible in a non-free environment. It has received
tremendous support from the community in terms of development, debugging,
translation, documentation, and testing - the project simply would not have
been possible without support from the free software community. I run free
software on all of my computers, and make an active effort to report or patch
bugs whenever possible.
5. Will you be working full-time on the project for the summer, or will you
have other commitments too (a second job, classes, etc)? If you won't be
available full-time, please explain, and list timing if you know them for other
major deadlines (e.g. exams). Having other activities isn't a deal-breaker, but
we don't want to be surprised.
I will be available full-time to work on Tor. I plan on attending a couple
conferences and spending a lot of time outdoors, but that won't take me away
from my work for more than a few days.
6. Will your project need more work and/or maintenance after the summer ends?
What are the chances you will stick around and help out with that and other
My project will almost certainly be completed during the summer. That said,
I'm very likely to remain active with the Tor project after the summer. I'm
currently planning on conducting anonymity research as a large part of my
undergraduate thesis work and would love for that work to involve Tor.
7. What is your ideal approach to keeping everybody informed of your progress,
problems, and questions over the course of the project? Said another way, how
much of a "manager" will you need your mentor to be?
Especially when it comes to a project I'm really interested in - I'm extremely
self motivated and require very little management. I generally check in with a
project manager once per week unless a problem or question arises. I make
extensive use of version control software, commit frequently, and keep my work
in a publicly accessible repositories, so my mentor will be able to monitor my
progress at their leisure. I'm also happy to blog or otherwise communicate my
progress on a regular basis to the project community.
8. What school are you attending? What year are you, and what's your
major/degree/focus? If you're part of a research group, which one?
I'm in my third year at Hampshire College studying computer science with a
focus on distributed and peer-to-peer systems. I occasionally work at the
University of Massachusetts, Amherst conducting BitTorrent research under Arun
9. How can we contact you to ask you further questions? Google doesn't share
your contact details with us automatically, so you should include that in your
application. In addition, what's your IRC nickname? Interacting with us on IRC
will help us get to know you, and help you get to know our community.
You can email me: firstname.lastname@example.org
GPG Key ID: 0xA1D39D09
GPG Fingerprint: 7131 3E78 7500 3BB2 FCDD FA97 91ED 834D A1D3 9D09
Instant message me via XMPP: email@example.com
Or talk to me on IRC: susurrusus on OFTC (I idle in #tor)
10. Is there anything else we should know that will make us like your project
The project I've proposed here is just a starting point - I think I have a lot
to bring to the Tor project and that this summer will just be the start of a
lasting academic relationship with the community.