Censorship Detection Techniques

Censorship detection techniques. Most of the credit goes to Jacob Appelbaum and this presentation was prepared last minute for the ESC2011 Italian hacker camp.


Censorship Detection Techniques

  1. Censorship detection. Arturo `hellais` Filastò. Sunday, September 4, 2011
  2. Whoami
     • @hellais on twitter
     • hellais@torproject.org
     • art@globaleaks.org
     • art@fuffa.org
     • art@winstonsmith.org
  3. What is Censorship?
     • Internet filtering is a form of non democratic oppression on people.
     • It allows those in power to subvert the reality.
  4. Filternet
     • It’s a distortion of what is in reality the internet.
     • Follows the subjectiveness of the authorities
     • This does not help humanity
  5. The solution to what is subjectively perceived as inappropriate content is objectively more content
  6. Tor
     • Tor software downloads are currently blocked from China, Iran, Lebanon, Qatar, etc.
     • Tor delivers via email, write to gettor@torproject.org and we will send you a client to bootstrap a Tor client
  7. Hidden Services
     • They allow a server to give access to content anonymously
     • This bypasses censorship in place
  8. Tor Hidden Services
     • am4wuhz3zifexz5u.onion
     • Anonymity for the Server
     • DoS protection
     • End-To-End encryption
  9. How HS work [diagram labels: Client, Hidden Server, IP, IP, IP]
  10. How HS work [diagram labels: Client, Hidden Server, IP, IP, IP, RP]
  11. Why use HS
     • Avoid retaliation for what you publish
     • Securely host and serve content
     • Stealth Hidden Service
  12. How filtering is performed
     • Depends on the location and entities performing it
     • A mix of commercial products and open source software
     • Lebanon ISPs use Free Software
     • Syria uses commercial Blue Coat devices
     • US/NSA use commercial Narus devices
  13. Filtering taxonomy
     • Logging (passive)
     • Network and protocol Hijacking
     • Injection (modify content, 302, rst etc.)
     • Dropping (packets not transmitted)
  14. Filter detection techniques
     • Important to classify by risk profile
     • People running filter detection tools must know how invasive the technique is
  15. OONI
     • Open Observatory of Network Interference
     • I am working on this with Jacob Appelbaum as part of The Tor Project
     • An extensible and flexible tool to perform censorship detection
  16. Existing testing tools
     • Netalyzr, rTurtle, Herdict.
     • Unfortunately either the raw data results or even the tools themselves are closed :(
     • They only release reports, without the original raw data
  17. Goals for OONI
     • Make something Open Source and publish the raw data collected
     • Have hackers write code and sociologists write reports ;)
  18. Filtering detection techniques
     • High risk and Active
       • request for certain “bad” resources (test censorship lists)
       • keyword injection
       • anything that may trigger DPI devices
     • Low risk and Active
       • TTL walking
       • Network latency
     • Passive
       • In the future proxooni to proxy traffic with a SOCKS proxy and detect anomalies as the user does his normal internet activities
  19. Fingerprinting of the application
     • Most existing tools that we audited leak who they are
     • In OONI reports will only be submitted over Tor
  20. The scientific method
     • Control
       • What you know is a good result
       • It can also be a request done over Tor
     • Experiment
       • Check if it matches up with the result
       • If it does not there is an anomaly that must be explored
  21. Brief excursus on censorship in the World
  22. Syria: BlueCoat
     • They are using commercial Blue Coat devices
     • Anonymous Telecomix contributors produced a good analysis
  23. Syria: BlueCoat
     • SERVER is located outside Syria
     • CLIENT1 is located inside Syria
     • CLIENT connects to SERVER port 5060, no connection
     • CLIENT connects to SERVER port 443, connection works
     • CLIENT connects to SERVER port 80, the headers in the response are rewritten
  24. Syria: BlueCoat
       GET / HTTP/1.1
       Host: SERVER
       User-Agent: Standard-browser-User-Agent
       Accept: text/html,etc.
       Accept-Encoding: gzip,deflate,sdch
       Accept-Language: en-US,en;q=0.8
       Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
       X-Forwarded-For: CLIENT
       Cache-Control: max-stale=0
       Connection: Keep-Alive
       X-BlueCoat-Via: 2C044BEC00210EB6
  25. Syria: BlueCoat
     • More details and funness to come in the following days ;)
  26. Funny ⅖ Off Topic discovery
     • Who has ever used a captive portal?
     • Skype makes you pay access with its credit
     • It has problems doing login
     • It uses a captive portal
  28. Iran
  29. Iran
     • Nokia has reportedly sold equipment to the Iranian government. It helps wiretap, track, and crush dissenting members of Iranian society. Nokia claims that this is ethical because they were forced to put legal intercepts into their products by the West.
  30. Italy
     • Currently two methods are being used:
       • DNS based
       • ISP level blacklisting
  32. libero.it
  33. Free communications
     • Are something that is important to the progress of humanity.
  34. Questions?
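
The control/experiment comparison from slide 20, applied to the request on slide 24, as an added example that is not part of the original slides or of OONI's code. It assumes slide 24 shows the request as it arrived at SERVER; the control request is a constructed sample of what a client might have sent, and `parse_request`, `compare` and `is_anomaly` are hypothetical names.

```python
# Added example (not from the slides): control vs. experiment on HTTP headers.
# CONTROL is constructed: what a client might have sent (assumption).
CONTROL = """GET / HTTP/1.1
Host: SERVER
User-Agent: Standard-browser-User-Agent
Accept: text/html,etc.
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Connection: keep-alive
"""

# EXPERIMENT is the request from slide 24, assumed to be what SERVER received.
EXPERIMENT = """GET / HTTP/1.1
Host: SERVER
User-Agent: Standard-browser-User-Agent
Accept: text/html,etc.
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
X-Forwarded-For: CLIENT
Cache-Control: max-stale=0
Connection: Keep-Alive
X-BlueCoat-Via: 2C044BEC00210EB6
"""

def parse_request(raw):
    """Return (request_line, [(name, value), ...]) from a raw request head."""
    lines = [l for l in raw.splitlines() if l.strip()]
    parts = (l.partition(":") for l in lines[1:])
    return lines[0].strip(), [(n.strip(), v.strip()) for n, _, v in parts]

def compare(control_raw, experiment_raw):
    """Diff the experiment against the control, header names case-insensitive."""
    c_line, c_hdrs = parse_request(control_raw)
    e_line, e_hdrs = parse_request(experiment_raw)
    c = {n.lower(): v for n, v in c_hdrs}
    e = {n.lower(): v for n, v in e_hdrs}
    return {
        "request_line_changed": c_line != e_line,
        "added": sorted(n for n in e if n not in c),
        "removed": sorted(n for n in c if n not in e),
        "modified": sorted(n for n in c if n in e and c[n] != e[n]),
    }

def is_anomaly(report):
    """Any difference from the control is an anomaly that must be explored."""
    return any(report.values())
```

Comparing a request against itself yields an empty report, which is the "matches the control" case from slide 20; header values are compared case-sensitively, so a proxy that only re-capitalises a value still shows up under `modified`.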