Censorship Detection Techniques
Transcript of Censorship Detection Techniques
Censorship detection
Arturo `hellais` Filastò
Sunday, September 4, 2011
Whoami
• @hellais on twitter
What is Censorship?
• Internet filtering is a form of non-democratic oppression of people.
• It allows those in power to subvert reality.
Filternet
• It’s a distortion of what the internet really is.
• Follows the subjectiveness of the authorities
• This does not help humanity
The solution to what is subjectively perceived as inappropriate content is, objectively, more content
Tor
• Tor software downloads are currently blocked from China, Iran, Lebanon, Qatar, etc.
• Tor delivers via email, write to [email protected] and we will send you a client to bootstrap a Tor client
Hidden Services
• They allow a server to give access to content anonymously
• This bypasses censorship in place
Tor Hidden Services
• am4wuhz3zifexz5u.onion
• Anonymity for the Server
• DoS protection
• End-To-End encryption
How HS work
[Diagram labels: Hidden Server, IP, IP, IP, Client]
How HS work
[Diagram labels: Hidden Server, IP, IP, IP, Client, RP]
Why use HS
• Avoid retaliation for what you publish
• Securely host and serve content
• Stealth Hidden Service
How filtering is performed
• Depends on the location and entities performing it
• A mix of commercial products and open source software
• Lebanese ISPs use Free Software
• Syria uses commercial Blue Coat devices
• US/NSA use commercial Narus devices
Filtering taxonomy
• Logging (passive)
• Network and protocol Hijacking
• Injection (modify content, 302, rst etc.)
• Dropping (packets not transmitted)
Filter detection techniques
• Important to classify by risk profile
• People running filter detection tools must know how invasive the technique is
OONI
• Open Observatory of Network Interference
• I am working on this with Jacob Appelbaum as part of The Tor Project
• An extensible and flexible tool to perform censorship detection
Existing testing tools
• Netalyzr, rTurtle, Herdict.
• Unfortunately either the raw data results or even the tools themselves are closed :(
• They only release reports, without the original raw data
Goals for OONI
• Make something Open Source and publish the raw data collected
• Have hackers write code and sociologists write reports ;)
Filtering detection techniques
• High risk and Active
  • requests for certain “bad” resources (test censorship lists)
  • keyword injection
  • anything that may trigger DPI devices
• Low risk and Active
  • TTL walking
  • Network latency
• Passive
  • In the future, proxooni will proxy traffic through a SOCKS proxy and detect anomalies as the user goes about his normal internet activities
Fingerprinting of the application
• Most existing tools that we audited leak who they are
• In OONI, reports will only be submitted over Tor
The scientific method
• Control
  • What you know is a good result
  • It can also be a request done over Tor
• Experiment
  • Check if it matches up with the control result
  • If it does not, there is an anomaly that must be explored
Brief excursus on censorship in the World
Syria: BlueCoat
• They are using commercial Blue Coat devices
• Anonymous Telecomix contributors produced a good analysis
Syria: BlueCoat
• SERVER is located outside Syria
• CLIENT1 is located inside Syria
• CLIENT connects to SERVER port 5060, no connection
• CLIENT connects to SERVER port 443, connection works
• CLIENT connects to SERVER port 80, the headers in the response are rewritten
Syria: BlueCoat
GET / HTTP/1.1
Host: SERVER
User-Agent: Standard-browser-User-Agent
Accept: text/html,etc.
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
X-Forwarded-For: CLIENT
Cache-Control: max-stale=0
Connection: Keep-Alive
X-BlueCoat-Via: 2C044BEC00210EB6
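The control/experiment comparison from "The scientific method", applied to the request shown above, as an added example (not code from OONI or from the talk): the control is the request as the client sent it, the experiment is the request as SERVER received it. The control here is a constructed sample (the slide shows only what arrived), and the function names are hypothetical.

```python
def parse_request(raw):
    """Return (request_line, {lowercased header name: value})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [ln for ln in head.split("\n") if ln.strip()]
    if not lines:
        return "", {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # skip malformed lines instead of guessing at them
            headers[name.strip().lower()] = value.strip()
    return lines[0].strip(), headers

def diff_requests(control_raw, experiment_raw):
    """Report what changed between the request sent and the one received."""
    c_line, c = parse_request(control_raw)
    e_line, e = parse_request(experiment_raw)
    return {
        "request_line_changed": c_line != e_line,
        "added": sorted(set(e) - set(c)),
        "removed": sorted(set(c) - set(e)),
        "changed": sorted(k for k in set(c) & set(e) if c[k] != e[k]),
    }

# Headers present in both requests, as listed on the slide.
COMMON = (
    "GET / HTTP/1.1\r\n"
    "Host: SERVER\r\n"
    "User-Agent: Standard-browser-User-Agent\r\n"
    "Accept: text/html,etc.\r\n"
    "Accept-Encoding: gzip,deflate,sdch\r\n"
    "Accept-Language: en-US,en;q=0.8\r\n"
    "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
)
# Constructed control: an assumed version of what CLIENT sent.
CONTROL = COMMON + "Connection: close\r\n\r\n"
# Experiment: the remaining headers of the request as received by SERVER.
EXPERIMENT = COMMON + (
    "X-Forwarded-For: CLIENT\r\n"
    "Cache-Control: max-stale=0\r\n"
    "Connection: Keep-Alive\r\n"
    "X-BlueCoat-Via: 2C044BEC00210EB6\r\n\r\n"
)

if __name__ == "__main__":
    print(diff_requests(CONTROL, EXPERIMENT))
```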
Syria: BlueCoat
• More details and funness to come in the following days ;)
Funny & Off Topic discovery
• Who has ever used a captive portal?
• Skype makes you pay for access with its credit
• It has problems doing login
• It uses a captive portal
Iran
• Nokia has reportedly sold equipment to the Iranian government. It helps wiretap, track, and crush dissenting members of Iranian society. Nokia claims that this is ethical because they were forced to put legal intercepts into their products by the West.
Italy
• Currently two methods are being used:
  • DNS-based
  • ISP-level blacklisting
libero.it
Free communications
• Are something that is important to the progress of humanity.
Questions?