Censorship detection techniques. Most of the credit goes to Jacob Appelbaum and this presentation was prepared last minute for the ESC2011 Italian hacker camp.

1. Censorship detection
Arturo `hellais` Filasto’
Sunday, September 4, 2011

2. Whoami
• @hellais on twitter
• hellais@torproject.org
• art@globaleaks.org
• art@fuffa.org
• art@winstonsmith.org
Sunday, September 4, 2011

3. What is Censorship?
• Internet filtering is a form of non
democratic oppression on people.
• It allows those in power to subvert the
reality.
Sunday, September 4, 2011

4. Filternet
• It’s a distorsion of what is in reality the
internet.
• Follows the subjectiveness of the
authorities
• This does not help humanity
Sunday, September 4, 2011

5. La soluzione a quelli che sono percepiti
soggettivamente come contenuti inappropriati è
oggettivamente più contenuti
Sunday, September 4, 2011

6. Tor
• Tor software downloads are currently
blocked from China, Iran, Lebanon, Qatar,
etc.
• Tor delivers via email, write to
gettor@torproject.org and we will send
you a client to bootstrap a Tor client
Sunday, September 4, 2011

7. Hidden Services
• They allow a server to give access to
content anonymously
• This bypasses censorship in place
Sunday, September 4, 2011

8. Tor Hidden Services
• am4wuhz3zifexz5u.onion
• Anonymity for the Server
• DoS protection
• End-To-End encryption
Sunday, September 4, 2011

9. How HS work
Client
Hidden Server
IP
IP
IP
Sunday, September 4, 2011

10. How HS work
Client
Hidden Server
IP
IP
IP
RP
Sunday, September 4, 2011

11. Why use HS
• Avoid retaliation for what you publish
• Securely host and serve content
• Stealth Hidden Service
Sunday, September 4, 2011

12. How filtering is
performed
• Depends on the location and entities
performing it
• A mix of commercial products and open
source software
• Lebanon ISP’s use Free Software
• Syria uses commercial Blue Coat devices
• US/NSA use commercial Narus devices
Sunday, September 4, 2011

13. Filtering taxonomy
• Logging (passive)
• Network and protocol Hijacking
• Injection (modify content, 302, rst etc.)
• Dropping (packets not transmitted)
Sunday, September 4, 2011

14. Filter detection
techniques
• Important to classify by risk profile
• People running filter detection tools must
know how invasive the technique is
Sunday, September 4, 2011

15. OONI
• Open Observatory of Network
Interference
• I am working on this with Jacob Appelbaum
as part of The Tor Project
• An extensible and flexible tool to perform
censorship detection
Sunday, September 4, 2011

16. Existing testing tools
• Netalyzr, rTurtle, Herdict.
• Unfortunately either the raw data results
or even the tools themselves are closed :(
• They only release reports, without the
original raw data
Sunday, September 4, 2011

17. Goals for OONI
• Make a something Open Source and publish
the raw data collected
• Have hackers write code and sociologist
write reports ;)
Sunday, September 4, 2011

18. Filtering detection
techniques
• High risk and Active
• request for certain “bad” resources (test censorship lists)
• keyword injection
• anything that may trigger DPI devices
• Low risk and Active
• TTL walking
• Network latency
• Passive
• In the future proxooni to proxy traffic with a SOCKS proxy and
detect anomalies as the user does his normal internet activities
Sunday, September 4, 2011

19. Fingerprinting of the
application
• Most existing tools that we audited leak
who they are
• In OONI reports will only be submitted
over Tor
Sunday, September 4, 2011

20. The scientific method
• Control
• What you know is a good result
• It can also be a request done over Tor
• Experiment
• Check if it matches up with the result
• If it does not there is an anomaly that
must be explored
Sunday, September 4, 2011

21. Brief excursus on
censorship in the
World
Sunday, September 4, 2011

22. Syria: BlueCoat
• They are using commerical bluecoat
devices
• Anonymous Telecomix contributors
produced a good analysis
Sunday, September 4, 2011

23. Syria: BlueCoat
• SERVER is located outside Syria
• CLIENT1 is located inside Syria
• CLIENT connects to SERVER port 5060, no
connection
• CLIENT connects to SERVER port 443,
connection works
• CLIENT connects to SERVER port 80, the
headers in the response are rewritten
Sunday, September 4, 2011

24. Syria: BlueCoat
GET /HTTP/1.1
Host: SERVER
User-Agent: Standard-browser-User-Agent
Accept: text/html,etc.
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
X-Forwarded-For: CLIENT
Cache-Control: max-stale=0
Connection: Keep-Alive
X-BlueCoat-Via: 2C044BEC00210EB6
Sunday, September 4, 2011

25. Syria: BlueCoat
• More details and funness to come in the
following days ;)
Sunday, September 4, 2011

26. Funny ⅖ Off Topic
discovery
• Who has ever used a captive portal?
• Skype makes you pay access with it’s credit
• It has problems doing login
• It uses a captive portal
Sunday, September 4, 2011

27. Sunday, September 4, 2011

28. Iran
Sunday, September 4, 2011

29. Iran
• Nokia has reportedly sold equipment to the
Iranian government. It helps wiretap, track,
and crush dissenting members of Iranian
society. Nokia claims that this is ethical
because they were forced to put legal
intercepts into their products by the West.
Sunday, September 4, 2011

30. Italy
• Currently two methods are being used:
• DNS based
• ISP level blacklisting
Sunday, September 4, 2011

31. Sunday, September 4, 2011

32. libero.it
Sunday, September 4, 2011

33. Free communications
• Are something that is important to the
progress of humanity.
Sunday, September 4, 2011

34. Questions?
Sunday, September 4, 2011

35. Sunday, September 4, 2011