Censorship Detection Techniques

Censorship detection Arturo `hellais` Filasto’Sunday, September 4, 2011

Whoami • @hellais on twitter • hellais@torproject.org • art@globaleaks.org • art@fuffa.org • art@winstonsmith.orgSunday, September 4, 2011

What is Censorship? • Internet ﬁltering is a form of non democratic oppression on people. • It allows those in power to subvert the reality.Sunday, September 4, 2011

Filternet • It’s a distorsion of what is in reality the internet. • Follows the subjectiveness of the authorities • This does not help humanitySunday, September 4, 2011

La soluzione a quelli che sono percepiti soggettivamente come contenuti inappropriati è oggettivamente più contenutiSunday, September 4, 2011

Tor • Tor software downloads are currently blocked from China, Iran, Lebanon, Qatar, etc. • Tor delivers via email, write to gettor@torproject.org and we will send you a client to bootstrap a Tor clientSunday, September 4, 2011

Hidden Services • They allow a server to give access to content anonymously • This bypasses censorship in placeSunday, September 4, 2011

Tor Hidden Services • am4wuhz3zifexz5u.onion • Anonymity for the Server • DoS protection • End-To-End encryptionSunday, September 4, 2011

How HS work Client Hidden Server IP IP IPSunday, September 4, 2011

How HS work Client Hidden Server IP IP IP RPSunday, September 4, 2011

Why use HS • Avoid retaliation for what you publish • Securely host and serve content • Stealth Hidden ServiceSunday, September 4, 2011

How ﬁltering is performed • Depends on the location and entities performing it • A mix of commercial products and open source software • Lebanon ISP’s use Free Software • Syria uses commercial Blue Coat devices • US/NSA use commercial Narus devicesSunday, September 4, 2011

Filtering taxonomy • Logging (passive) • Network and protocol Hijacking • Injection (modify content, 302, rst etc.) • Dropping (packets not transmitted)Sunday, September 4, 2011

Filter detection techniques • Important to classify by risk proﬁle • People running ﬁlter detection tools must know how invasive the technique isSunday, September 4, 2011

OONI • Open Observatory of Network Interference • I am working on this with Jacob Appelbaum as part of The Tor Project • An extensible and ﬂexible tool to perform censorship detectionSunday, September 4, 2011

Existing testing tools • Netalyzr, rTurtle, Herdict. • Unfortunately either the raw data results or even the tools themselves are closed :( • They only release reports, without the original raw dataSunday, September 4, 2011

Goals for OONI • Make a something Open Source and publish the raw data collected • Have hackers write code and sociologist write reports ;)Sunday, September 4, 2011

Filtering detection techniques • High risk and Active • request for certain “bad” resources (test censorship lists) • keyword injection • anything that may trigger DPI devices • Low risk and Active • TTL walking • Network latency • Passive • In the future proxooni to proxy trafﬁc with a SOCKS proxy and detect anomalies as the user does his normal internet activitiesSunday, September 4, 2011

Fingerprinting of the application • Most existing tools that we audited leak who they are • In OONI reports will only be submitted over TorSunday, September 4, 2011

The scientiﬁc method • Control • What you know is a good result • It can also be a request done over Tor • Experiment • Check if it matches up with the result • If it does not there is an anomaly that must be exploredSunday, September 4, 2011

Brief excursus on censorship in the WorldSunday, September 4, 2011

Syria: BlueCoat • They are using commerical bluecoat devices • Anonymous Telecomix contributors produced a good analysisSunday, September 4, 2011

Syria: BlueCoat • SERVER is located outside Syria • CLIENT1 is located inside Syria • CLIENT connects to SERVER port 5060, no connection • CLIENT connects to SERVER port 443, connection works • CLIENT connects to SERVER port 80, the headers in the response are rewrittenSunday, September 4, 2011

Syria: BlueCoat GET /HTTP/1.1 Host: SERVER User-Agent: Standard-browser-User-Agent Accept: text/html,etc. Accept-Encoding: gzip,deﬂate,sdch Accept-Language: en-US,en;q=0.8 Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 X-Forwarded-For: CLIENT Cache-Control: max-stale=0 Connection: Keep-Alive X-BlueCoat-Via: 2C044BEC00210EB6Sunday, September 4, 2011

Syria: BlueCoat • More details and funness to come in the following days ;)Sunday, September 4, 2011

Funny ⅖ Off Topic discovery • Who has ever used a captive portal? • Skype makes you pay access with it’s credit • It has problems doing login • It uses a captive portalSunday, September 4, 2011

Sunday, September 4, 2011

IranSunday, September 4, 2011

Iran • Nokia has reportedly sold equipment to the Iranian government. It helps wiretap, track, and crush dissenting members of Iranian society. Nokia claims that this is ethical because they were forced to put legal intercepts into their products by the West.Sunday, September 4, 2011

Italy • Currently two methods are being used: • DNS based • ISP level blacklistingSunday, September 4, 2011

libero.itSunday, September 4, 2011

Free communications • Are something that is important to the progress of humanity.Sunday, September 4, 2011

Questions?Sunday, September 4, 2011

Censorship Detection Techniques

by Arturo Filastò on Sep 04, 2011

Accessibility

Categories

Tags

Upload Details

Usage Rights

2 Embeds 998

Statistics

Censorship Detection Techniques — Presentation Transcript

http://hellais.wordpress.com	996
http://webcache.googleusercontent.com	2