[liberationtech] Images of Blocking in Different Countries?

2012-08-15 Thread Joss Wright
On Aug 15, 2012, at 2:46 AM, "Eric S Johnson" wrote:

> There are persistent reports that China's cybercensorship can
> sometimes vary (a little) by ISP, but I've never seen this (I've only
> been to ~13 of the 34 PRC-defined provinces), and Alkasir hasn't ever
> detected any such variations.

I carried out a few experiments last year, looking at regional
variations in the responses of Chinese DNS servers for domains that had
been reported as blocked by Herdict. (Using a list of DNS servers pulled
from the APNIC WHOIS database.)

There are plenty of caveats to the approach I took: DNS server location
doesn't map reliably onto where the user is, DNS poisoning can occur at
border routers, DNS servers can return different responses to different
people, my methods for detecting poisoning were quite crude, etc.

Given all that, I found a lot of variation in the DNS responses across
China. I published a paper about it in FOCI'11 last year, but that
mainly focused on the ethical issues of censorship research:
http://static.usenix.org/events/foci11/tech/final_files/Wright.pdf 

There are some preliminary results and visualisations in this
presentation:
http://www.slideshare.net/josswright/finegrained-censorship-mapping

(Apologies for my terrible GIS skills...)

The approach was quite crude, but does support the hypothesis of
filtering being at least partially decentralised. (Which makes sense for
such a massive project.) 

I'm currently looking at quite a promising approach for a much more
interesting set of experiments based on IP scans rather than DNS. Watch
this space. :)

Joss
___
liberationtech mailing list
liberationtech@lists.stanford.edu

Should you need to change your subscription options, please go to:

https://mailman.stanford.edu/mailman/listinfo/liberationtech

If you would like to receive a daily digest, click "yes" (once you click above) 
next to "would you like to receive list mail batched in a daily digest?"

You will need the user name and password you receive from the list moderator in 
monthly reminders. You may ask for a reminder here: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Should you need immediate assistance, please contact the list moderator.

Please don't forget to follow us on http://twitter.com/#!/Liberationtech


Re: [liberationtech] Images of Blocking in Different Countries?

2012-08-15 Thread Joss Wright
On Thu, Aug 16, 2012 at 05:15:49AM +0800, Eric S Johnson wrote:
> 
> I'm not saying China doesn't do DPI.  I'm just saying that, from my
> own experience living in China for the past three years, DPI doesn’t
> appear to be used to inspect the contents of web pages and dynamically
> block undesirable content.
> 
> I.e. it's easy to register a new domain (call it
> TestChinaCyberFiltering.org) and put up onto it a handful of pages
> which include every possible word and phrase which we know are
> problematic to the Chinese censors. Start with the list of words which
> trigger censorship and surveillance in TOM Skype (the wordlist's been
> repeatedly cracked by researchers at, I think, Arizona). Add all the
> content which the good folks at UC-Berkeley’s China Digital Times have
> detected cause immediate censorship on Weibo (China’s Twitter-like
> service). This should be a total of about 400 words and phrases
> (almost all only in Chinese).
> 
> Then access those pages from within China.
> 
> As far as I can tell, access will be unimpeded.
> 

Two possibilities, not necessarily mutually exclusive, spring to mind.

The first is that DPI could be occurring at border routers, so that
traffic within China is not undergoing DPI scanning by default. If your
hypothetical TestChinaCyberFiltering.org is hosted in China you might
see different behaviour to if it were hosted in, say, the US.

You might also expect to see hybrid filtering similar to what we have in
the UK with BT's Cleanfeed. In that case, certain domains are added to a
watch list, and only those domains are subjected to more sophisticated
forms of filtering.  This means that the filter doesn't have to expend
the resources on DPI for all web traffic, only those that have been
marked up on the list of problematic domains.

This also gives the option to use cheap and easy DNS, or simple IP,
filtering for some sites, and more subtle and costly filtering for other
domains. That allows the filter to avoid unnecessary overblocking,
whilst still retaining the ability to filter in a relatively
fine-grained fashion. 

Of course, these two could be combined: it could be that all
cross-border traffic is inspected, whereas internal traffic is only
inspected if it's on the blacklist. Or vice versa, of course.

There are other possibilities, but these are the ones that occur to me
immediately from your description.

Joss

Re: [liberationtech] Opinion on a paper?

2012-09-09 Thread Joss Wright
On Sun, Sep 09, 2012 at 07:19:22PM +, Paul Bernal (LAW) wrote:
 
> I wondered if anyone had an opinion on it - I don't have the technical
> knowledge to be able to evaluate it properly. The basic conclusion
> seems to be that re-identification of 'anonymised' data is not nearly
> as easy as we had previously thought (from the work of Latanya
> Sweeney, Paul Ohm etc). Are these conclusions valid?
> 
> My concern is that I can see this paper being used to justify all
> kinds of potentially risky information being released - particularly
> health data, which could get into the hands of insurance companies and
> others who could use it to the detriment of individuals. On the other
> hand, if the conclusions are really valid, then perhaps people like me
> shouldn't be as concerned as we are.

Hi Paul,

I've gone over this paper quite quickly, partially because it's late
here and I should be asleep; apologies for any bizarre turns of phrase,
repetition (hesitation or deviation...), or bad-tempered
comments. :)

I'll also certainly defer to the hardcore reidentification experts if
they turn up.

(This email has become slightly longer than I intended. To sum up:
"Lots of problems. False assumptions. Cherry-picked examples. Ignores or
wholly misunderstands subsequent decade of research. Somewhat
misrepresents statistics.  Wishful-thinking recommendations. Correct in
stating that we don't need to delete all data everywhere in order to
avoid reidentification, but that's about it.")

My initial response is that the paper is partially correct, in that the
Sweeney example was a dramatic, anecdotal demonstration of
reidentification and shouldn't be taken as representative of data in
general. On the other hand, the paper goes wildly off in the other
direction, and claims that the specifics of the Sweeney example somehow
demonstrate that reidentification in general is barely feasible and can
easily be handled with a few simple rules of thumb.

Overall, I would say that there are a number of serious flaws in the
arguments of the author.

Firstly, the paper is predicated almost entirely on what the author
refers to as `the myth of the perfect population register' -- that
almost no realistic database covers an entire population, and so any
apparently unique record could in fact also match someone outside of the
database. This is certainly true, but is used by the author to justify
an assumption that does not hold, in my opinion.

This assumption, the largest conceptual flaw in the paper, is that a
reidentification has to be unique and perfect to be of any value. The
author claims, based on the `perfect population register', that because
some reidentified record, relating to, say, health information of an
individual, could potentially match that of someone that wasn't in the
database, that there is no guarantee that the record is accurate, and
thus the reidentification is useless. This is not true -- even such
partial or probabilistic reidentifications reduce the set of
possibilities, and reveal information regarding an individual. This can
be used and combined with further data sources to achieve either
reidentification, if that is the goal, or simply the revelation of
sensitive personal information.

As an example: Sweeney used William Weld's unique characteristics in
the voter database to reidentify his anonymous health data. As some
hypothetical `Person X' who was not in the voter database could have
matched those apparently unique characteristics, the anonymous health
data could have belonged to Person X rather than William Weld. As the
author notes, this is overcome in the Sweeney case by making use of
public information to confirm that the data was that of William Weld --
the author seems to believe that any such auxiliary information for
other individuals could not reasonably exist, despite the existence of
Google and Facebook.

The author takes from this that any partial or probabilistic
reidentification is therefore worthless, and claims that it was only the
widely publicized `auxiliary information' about William Weld's health
status that made such reidentification possible.

What the author fails to address is that the availability of such
auxiliary information is exactly what is being made available with
greater and greater frequency by the release of poorly-anonymised
databases. As such, whilst the initial reidentification cannot be made
with perfect accuracy, subsequent pieces of auxiliary information can be
used to verify, research and identify an individual. (Of course, an
attacker may simply be seeking to gain a given piece of sensitive
information, so a true `reidentification' may not be a useful goal in
considering the risks of such databases.)

The author states in the abstract that `... most re-identification
attempts face a strong challenge in being able to create a complete and
accurate population register', and claims that this strong assumption
underlies most other reidentification work. (Using the

Re: [liberationtech] Opinion on a paper?

2012-09-10 Thread Joss Wright
On Sun, Sep 09, 2012 at 10:14:34PM -0500, Nick M. Daly wrote:
 
> If you haven't read Paul Ohm's paper yet, you should.  It's long, but
> that's mostly because it's incredibly well explained.

Seconded. :)

-- 
Joss Wright | @JossWright
http://www.pseudonymity.net/~joss
--
Unsubscribe, change to digest, or change password at: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


Re: [liberationtech] FinFisher is now controlled by UK export controls

2012-09-10 Thread Joss Wright
On Mon, Sep 10, 2012 at 06:39:51PM +, Jacob Appelbaum wrote:
> Eric King:
> > Hi all,   
> > 
> > I thought this list would be interested to know that the British
> > Government has decided to place FinFisher under UK export controls.
> > There are a ton of questions that remain to be answered, and it's
> > only part of the bigger goal to control the export of surveillance
> > technology, but it's a good first step!
> > 

Hooray! Well done!

> This is absolutely fucking horrible. They're controlling it based on
> *cryptography* after we WON the cryptowars? What. The. Fuck. And even
> worse, they must require a license? And they don't state categorically
> that they'll deny it on some kind of humanitarian or anti-crime
> related basis?
> 
> I mean, I am sure this is the result of a lot of hard work by many
> people and I don't mean to imply any disrespect. Did this just
> undercut the work from the 90s? Many people explicitly fought hard to
> win the decision of having our free speech rights apply to the net for
> code as speech.

I agree that it's sad not to have a response along the lines of `this is
violating human rights, so we'll stop it for that reason', but I've
rarely seen such an honest and principled response. :)

Export control regulation is not my area of expertise, but it seems to
me that the more general humanitarian stance will come from restricting
to whom they will sell evil stuff -- this acknowledgement is simply that
FinFisher falls under the `evil stuff' category. All this does is place
FinFisher in a position where it can't be sold to horrible regimes with
impunity.

The specific crypto wars point is worth digging into, though. I've had a
brief look at the relevant sections of the referenced Strategic Export
Controls list:
http://www.bis.gov.uk/assets/biscore/eco/docs/control-lists/12-1014-uk-strategic-export-control-list-consolidated.pdf

The first meaningful match for `Category 5' (page 42 - "General Software
Note") does appear to make this less worrying on that front:

``Categories 0 to 9 of this list do not control "software" which is
either:

a. Generally available to the public by being:
   1. Sold from stock at retail selling points, without restriction, by
      means of:
      a. Over-the-counter transactions;
      b. Mail order transactions;
      c. Electronic transactions; or
      d. Telephone order transactions; and

   2. Designed for installation by the user without further substantial
      support by the supplier; or

   N.B. Entry a. of the General Software Note does not release
   "software" specified in Category 5 - Part 2 ("Information Security").

b. "In the public domain".''

So, public domain software is exempt. Over-the-counter software is
usually exempt, unless specifically fitting their category for
`information security' that refers you to Category 5 - Section 2. That
section has a `cryptography note':

``Note 3: Cryptography Note

5A002 and 5D002 do not control goods that meet all of the following:

a. Generally available to the public by being sold, without restriction,
from stock at retail selling points by means of any of the following:

1. Over-the-counter transactions;
2. Mail order transactions;
3. Electronic transactions; or
4. Telephone call transactions;

b. The cryptographic functionality cannot easily be changed by the user;

c. Designed for installation by the user without further substantial
support by the supplier; and

d. When necessary, details of the goods are accessible and will be
provided, upon request, to the competent authorities of the Member State
in which the exporter is established in order to ascertain compliance
with conditions described in paragraphs a. to c. above.''

This doesn't resolve the problem of cryptography in general being
treated as munitions, even if it's in a very restricted sense, but it
seems that the result of the crypto wars was more complex than simply
setting crypto free.

Joss

-- 
Joss Wright | @JossWright
http://www.pseudonymity.net/~joss


Re: [liberationtech] No Disconnect

2012-11-07 Thread Joss Wright
On Wed, Nov 07, 2012 at 10:03:44PM +0400, Eric S Johnson wrote:
> 
> "No Disconnect Strategy" is the name for the EC's internet freedom grants
> program (mentioned by Commissioner Kroes at the December 2011 Freedom Online
> conference in Den Haag). This summer the "invitation to submit concept
> notes" was issued in June, deadline mid-July. The EUR3M invitation was "lot
> three" of the more-or-less annual EIDHR call for proposals. If I had to
> guess, I would suppose the ratio will be something like it was for DRL-~30%
> of the concept notes are invited to submit full proposals, and ~30% of those
> get funded. I think the first cut will be announced shortly.

The selection of concept notes invited to submit full proposals should
be made by December 17th, according to an email they sent out to
concept note authors a few days ago.

Joss
-- 
Joss Wright | @JossWright
http://www.pseudonymity.net


Re: [liberationtech] No Disconnect

2012-11-07 Thread Joss Wright
On Wed, Nov 07, 2012 at 06:14:46PM +, Jill Moss wrote:
> Thanks Eric.  I'll keep my eyes open for an announcement.  As much, I
> wonder who may be attending the workshop later this month in Brussels?
> jill

I will. :)

Joss 

-- 
Joss Wright | @JossWright
http://www.pseudonymity.net


Re: [liberationtech] Libya Telecom blocks Facebook?

2012-11-27 Thread Joss Wright
On Tue, Nov 27, 2012 at 12:49:19PM -0800, Brian Conley wrote:
> Apparently Libya Telecom (LTT) may have just blocked Facebook.
> 
> I'm working on gathering additional details/confirming.
> 
> Anyone else heard something *specific*?

Not necessarily useful information, but for reference I just queried
their DNS servers (as listed here:
http://www.ltt.ly/en/support/qna/index.php?c=29 ) and got a valid IP
mapping for facebook. So if they are blocking it doesn't seem to be at
the DNS level.

Joss

-- 
Joss Wright | @JossWright
http://www.pseudonymity.net


Re: [liberationtech] Cryptocat Censored in China

2012-12-22 Thread Joss Wright
On Sat, Dec 22, 2012 at 09:58:50AM +0200, Nadim Kobeissi wrote:
> I would like to report that Cryptocat is now being censored in China. The
> URLs being 100% blocked are:
> 
> - Cryptocat Project Website: https://project.crypto.cat
> - Cryptocat Development Blog: https://blog.crypto.cat
> 
> We've tweeted an announcement and will probably follow with a
> (non-China-accessible :/) blog post:
> https://twitter.com/cryptocatapp/status/282393018693206016

Hi Nadim,

Any information on how the blocking is showing up? (DNS or IP based, for
example?)

Just out of curiosity I ran DNS queries for a set of about 200 servers
scattered across China, based on some other censorship probing I've been
doing. I haven't had time to go over the results in detail, but I'm
seeing roughly 40% returning (correct) IP addresses, 40% giving invalid
nameserver errors, with all other response types (timeouts, etc.)
scattered over the remaining 20%.

I haven't seen any IP misdirection, which has been the most common
response type for things blocked at the DNS level in my past
research.

I also haven't had a chance to check what sort of correlation there is
between the blog.crypto.cat and project.crypto.cat results. I'd be
interested to hear more, especially as the methods being used to block
things are apparently undergoing a bit of a shift at the moment.

Joss

-- 
Joss Wright | @JossWright
http://www.pseudonymity.net
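
Added example, not part of the message above or of its author's tooling: one way to bucket raw DNS replies from a set of resolvers into the response types the message describes (correct address, error, misdirection, timeout). The domain, resolver names, documentation-range addresses and the choice to count any non-zero RCODE as "error" are assumptions, and the sample packets are constructed.

```python
import struct
from collections import Counter

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:             # root label ends the name
            return off + 1
        off += 1 + length

def parse_response(msg):
    """Return (rcode, [IPv4 strings]) from a raw DNS response message."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if off + rdlen > len(msg):
            raise IndexError("truncated RDATA")
        if rtype == 1 and rdlen == 4:          # A record
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return flags & 0x000F, addrs

def classify(msg, expected):
    """Bucket one resolver's reply; msg is None when the query timed out."""
    if msg is None:
        return "timeout"
    try:
        rcode, addrs = parse_response(msg)
    except (struct.error, IndexError):
        return "malformed"
    if rcode != 0:                  # assumption: any non-zero RCODE counts as "error"
        return "error"
    if not addrs:
        return "empty"
    # expected should be gathered from several uncensored vantage points,
    # since CDN-hosted names legitimately resolve differently by region.
    return "correct" if set(addrs) <= expected else "misdirected"

def survey(replies, expected):
    """Tally response types over {resolver: raw reply or None}."""
    return Counter(classify(m, expected) for m in replies.values())

def build_response(name, rcode=0, ips=()):
    """Build a constructed reply (sample data only, not captured traffic)."""
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.split(".")) + b"\x00"
    msg = struct.pack("!6H", 0x1234, 0x8180 | rcode, 1, len(ips), 0, 0)
    msg += qname + struct.pack("!HH", 1, 1)
    for ip in ips:                  # each answer name is a pointer to the question name
        msg += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
        msg += bytes(int(x) for x in ip.split("."))
    return msg

# Constructed sample: hypothetical resolvers, RFC 5737 documentation addresses.
EXPECTED = {"192.0.2.10", "192.0.2.11"}
SAMPLE = {
    "resolver-a": build_response("example.org", ips=["192.0.2.10"]),
    "resolver-b": build_response("example.org", rcode=2),            # SERVFAIL
    "resolver-c": build_response("example.org", ips=["203.0.113.77"]),
    "resolver-d": None,                                              # no reply
    "resolver-e": build_response("example.org", ips=["192.0.2.11", "192.0.2.10"]),
}

if __name__ == "__main__":
    for kind, count in survey(SAMPLE, EXPECTED).most_common():
        print(f"{kind:12s} {count}")
```
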


Re: [liberationtech] Cryptocat Censored in China

2012-12-22 Thread Joss Wright
On Sat, Dec 22, 2012 at 05:48:34PM +0100, Ralph Holz wrote:
> 
> PS: While I was at it, I checked the current DNS rewriting for
> twitter.com. It still points to a Korean IP.

Some of the more fun DNS poisoning in my experiments[1] were >=15
apparently unrelated servers across China all redirecting torproject.org
to 'tonycastro.net' or 'tonycastro.com', and a separate set redirecting
to 'thepetclubfl.net'.

A New Scientist journalist wrote up that work[2] and contacted both
sites. Tony Castro[3] instantly threatened to sue everyone in sight for
implying that he was a Chinese sleeper agent. The Pet Club webmaster had
noticed the Chinese traffic and was interested to know where it had come
from. :) (I suggested setting up a few China-focused pay-per-view
adverts.)

Joss

[1] http://www.slideshare.net/josswright/through-a-router-darkly-remote-investigation-of-chinese-internet-f
[1b] http://www.pseudonymity.net/~joss/doc/work/presentation/2012/10/wright-censormap.pdf (Original)
[2] http://www.newscientist.com/article/mg21628936.300-florida-pet-spa-mystery-link-to-chinas-great-firewall.html (Requires registration.)
[3] http://tonycastro.net/ (A life story worth Googling...)

-- 
Joss Wright | @JossWright
http://www.pseudonymity.net


Re: [liberationtech] New report on Internet Censorship and Surveillance in Turkmenistan

2013-01-07 Thread Joss Wright
On Mon, Jan 07, 2013 at 01:23:40PM -0500, Rafal Rohozinski wrote:
 
> At some stage in the near future we will share a design document so as
> to lay this out as clearly as possible.

I'd love to see this at the Usenix FOCI workshop this year. (Call for
papers will be forthcoming in a few weeks.)

Joss
-- 
Joss Wright | @JossWright
http://www.pseudonymity.net


Re: [liberationtech] NSA flag terms

2013-06-18 Thread Joss Wright
On Tue, Jun 18, 2013 at 07:59:08AM -0700, Yosem Companys wrote:
> From: Khannea Suntzu 
> 
> This is an (admittedly huge) list of words that supposedly cause the
> NSA to flag you as a potential terrorist if you over-use them in an
> email.
> 
> You may want to peruse this entire list yourself, but here are some of
> our favourites that stick out:
> 
> · dictionary
> 
> · sweeping
> 
> · ionosphere
> 
> · military intelligence
> 
> · Steve Case
> 
> · Scully

The ones that stick out more for me are: "c", "a", "b", "d", and "the".

Oh, and "Badger". And "Quiche".

Joss
-- 
Joss Wright | @JossWright
http://www.pseudonymity.net
--
Too many emails? Unsubscribe, change to digest, or change password by emailing 
moderator at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech

Re: [liberationtech] Tor Project website blocked by many UK ISPs as "adult content"

2014-11-06 Thread Joss Wright
On Thu, Nov 06, 2014 at 11:42:44AM -0500, Griffin Boyce wrote:
> This is only for customers who've opted-in to adult content filters. Some
> ISPs have the content filter on by default:
> 
> "EE, O2, TalkTalk and Vodafone all came with their default "adult content"
> filters enabled by default. The following ISPs provided no filtering by
> default: 3, Andrews & Arnold, BT Broadband, Plusnet, Sky Broadband and
> Virgin Media."
> 
> They also mention that blocking for some sites seems to vary by region, so
> I'm curious what a more in-depth review would find.
> 
> ~Griffin

It's worth noting that most of the most stringent filters are on the
mobile networks, as reflected in the above list. This is an interesting
cultural phenomenon, in which default filtering is a seemingly accepted
norm for mobile connections here in the UK, whereas home ISPs are less
likely to filter by default.

This also all fits into a wider debate about default filtering in the
UK. David Cameron and the Conservative element of the coalition
government have been strongly in favour of it, but the Liberal Democrat
element of the coalition blocked it from being legislated directly.
Despite that, all ISPs, but particularly the largest ones, are
'expected' to implement filtering (and many do so).

Of course this plays into the interesting questions around private
companies filtering on behalf of the state, but without the democratic
accountability that state-mandated filtering would hopefully bring with
it, or at least which could be demanded by citizens. This also recalls,
in some ways, the block list produced by the Internet Watch Foundation, a
non-government charitable organisation, which most ISPs are similarly
strongly encouraged to implement.

Joss

-- 
Joss Wright | @JossWright
http://www.pseudonymity.net
-- 
Liberationtech is public & archives are searchable on Google. Violations of 
list guidelines will get you moderated: 
https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe, 
change to digest, or change password by emailing moderator at 
compa...@stanford.edu.