Posts tagged “Internet Censorship”

Blurring the Boundaries Between Cybercrime and Politically Motivated Attacks



An emerging area of inquiry in security research is the blurring of boundaries between cybercrime and other, more targeted forms of attack, more specifically attacks that appear to be politically motivated. These attacks often take the form of targeted malware attacks that act as a form of surveillance, in which sensitive documents and communications are captured from the targeted organizations and individuals, or of politically motivated Denial of Service attacks that aim to punish, disrupt and/or censor the ability of the targets to communicate with the world.

One of the themes that informed the “Shadows in the Cloud” report was the (potential) relationship between crimeware networks and cyber-espionage. The boundaries between the two appear to be blurring, making attribution increasingly complex. It may also indicate that there is an emerging market for sensitive information and/or politically motivated attacks, as crimeware networks seek to monetize such information and capabilities.

I explored this theme in a report on a case related to the Kneber botnet documented by NetWitness, in which a known ZeuS-based botnet, typically used to steal banking information and other credentials, was specifically targeting .mil and .gov email addresses with spearphishing attacks and then dropping a second piece of malware, an infostealer, on the compromised systems that uploaded sensitive documents to drop zones in Belarus and Russia. This botnet was engaged in all sorts of other malicious activity associated with cybercrime.

When it comes to DDoS attacks a similar pattern is observed. Jose Nazario of Arbor Networks wrote a very interesting paper that analyzed politically motivated DDoS attacks (and it is basically the inspiration for this blog post). The numerous DDoS attacks described in this paper are very interesting: some are punitive attacks, others appear to be an effort to censor political speech (something I worked on at ONI in the past, with Kyrgyzstan in 2005 and Belarus in 2006). In the paper Nazario discusses the role that well-known BlackEnergy-based botnets played in the DDoS attacks on Georgian websites during the Russia-Georgia conflict in 2008. In a really amazing presentation Jose Nazario and Andre DiMino of Shadowserver document the attacks on Georgia. But what is most interesting, in this context, are the other unrelated targets that the same botnets also attacked. The RU-GE case is a great example of the blurring boundaries between crimeware networks, politically motivated attacks and censorship.

On a much smaller scale, I observed some recent attacks in which a BlackEnergy-based botnet attacked a variety of unrelated targets but eventually attacked political websites. The botnet was discovered while analyzing data captured from the computer of a Tibetan political figure. Due to the character of the network, Greg Walton and I concluded that the attack was not targeted and was not related to Tibet or to the political activities of the individual who was compromised. However, I continued to monitor the botnet.

The botnet had two command and control domain names, 091809.ru and sexiland.ru, both hosted on the same IP address (210.51.166.238, China Netcom). The command and control interface was not password protected and I was able to access it and determine the size of the botnet. According to the statistics in the interface, 091809.ru had 2044 active bots, an average of 2418 per hour and 8105 per day. In total, 091809.ru recorded 64346 infections. According to the statistics in the interface, sexiland.ru (210.51.166.238) had 3623 active bots, an average of 4869 per hour and 12749 per day. In total, sexiland.ru recorded 51813 infections. This is not a particularly large botnet at all, but the attackers could access at least 6000 bots at any given time.

This botnet attacked a variety of websites; four of them caught my attention.

1. bachuna.net

2009-12-15 05:00:01
flood http bachuna.net

The attackers began flooding bachuna.net on 2009-12-15. The attacks appear to relate to Ukrainian news stories (here, here, here and here) which broke around the same time the attacks started, involving a judge named Oleg Bachun and two competing websites, bachuna.net and bachun.net. While the former was supportive of the judge, the latter implicated him in illegal activities. Since I am relying on Google Translate it would be great if some Russian and Ukrainian speakers could provide a more in-depth assessment of what happened in the case, as well as of the domain names involved, as it appears from the reports that bachun.net was transferred to the owner of bachuna.net.

2. ingushetiyaru.org

2010-01-16 18:00:01 – 2010-01-20 06:00:02
flood http www.ingushetiyaru.org

Rights in Russia reported that “a website run by an opposition group in Ingushetia, Ingushetiyaru.org, suffered a DDoS attack after publishing comments critical of the region’s authorities.” Ingushetia is located near Chechnya and is a politically sensitive area. Ingushetiyaru.org reported the DDoS on their LiveJournal site and the broader implications in this article. This is not the first time there have been DDoS attacks related to this region. Jeff Carr reported on another DDoS attack and implicated the RBN in the attack.

3. angusht.com

2010-01-22 12:00:01 – 2010-01-26 15:00:02
flood http angusht.com

This website, angusht.com, is also related to Ingushetia and reported DDoS attacks (here too) earlier this year. Several other related sites were also reported to be inaccessible. The timing of the inaccessibility of the sites and of the DDoS attacks on angusht.com and ingushetiyaru.org also correlates with reports of an explosion of a gas pipeline in Ingushetia.

4. kadyrov2012.com

2010-01-25 08:00:02 – 2010-01-27 02:00:01
flood http kadyrov2012.com

The website kadyrov2012.com was a satirical website claiming that the Russian-backed Chechen leader Ramzan Kadyrov was going to run for president in Russia’s elections. Reuters reported the story on January 24, which correlates with the timing of the DDoS attacks.

These attacks are fairly small when compared with others and fly under the radar of most. They show that small-scale attacks designed to censor opposing views occur frequently against key websites and during critical time periods. It is clear that those engaged in political activities and those who vocally oppose repressive policies such as censorship may be subjected to a complex set of threats, from targeted malware through to DDoS, and not simply censorship in the form of Internet filtering. Finally, these attacks demonstrate that botnets involved with criminal activity are being used to conduct both political and apolitical DDoS attacks.

Sites DDoS’d by this botnet:


Surveillance was a Chinese Gov’t Requirement — Skype



I raised questions in the “Breaching Trust” report regarding why TOM-Skype started to log their users’ messages and who had access to the data. Skype now says that the monitoring was a Chinese government requirement. Now we know why it was done and who had access to the captured messages.

Skype President Josh Silverman writes:

What have you learned from TOM about the uploading and storing of certain chats, and what are you doing about it?

What we have discovered in our conversations with TOM is that they in fact were required to do this by the Chinese government.

“Extremely Concerned” — Skype



UPDATE: Skype President Addresses Chinese Privacy Breach — Josh Silverman’s statement on the Skype blog.

The AFP reports:

Skype said it learned just Wednesday that a previously disclosed text filter operated by TOM-Skype, a joint venture between Chinese mobile firm TOM Online and Skype, had been altered.

“Last night, we learned that this practice was changed without our knowledge or consent and we are extremely concerned,” Skype, which is owned by US online auction house eBay, said.

“We deeply apologise for the breach of privacy relating to chat messages on TOM’s servers in China and we are urgently addressing this situation with TOM,” the company said.

AFP

Skype president Josh Silverman said in a statement that TOM Online “just like any other communications company in China, has established procedures to meet local laws and regulations.

“These regulations include the requirement to monitor and block instant messages containing certain words deemed ‘offensive’ by the Chinese authorities,” Silverman said.

“It is common knowledge that censorship does exist in China and that the Chinese government has been monitoring communications in and out of the country for many years,” he said.

He recalled that in April 2006, Skype admitted that TOM Online “operated a text filter that blocked certain words in chat messages” and unsuitable messages were to be “discarded and not displayed or transmitted anywhere.”

“It was our understanding that it was not TOM’s protocol to upload and store chat messages with certain keywords, and we are now inquiring with TOM to find out why the protocol changed,” he said.

“We are currently addressing the wider issue of the uploading and storage of certain messages with TOM,” Silverman said, stressing that the millions of people around the world using standard Skype software were unaffected.

TOM-Skype Q & A



I have been getting a lot of questions and feedback on the “Breaching Trust” report. I’ll try to post more details and answer questions. Here are some of the common questions people have been asking.

How were you able to determine that messages containing keywords were being uploaded to a web server? How did you find and decrypt the messages?

Wireshark. Every time I typed the word “fuck” an HTTP connection was made to a TOM Skype server. I visited the URL directly in Firefox, cut off the file name and was able to view the contents of the directory. With a little poking around I found the encryption key. A few lines of Python and voila. I did not “crack” anything nor was there any “elite” hackery — just plain, simple stuff.

Is “normal” Skype affected?

No. The Skype software downloaded from skype.com is not affected by the behavior. The only time “normal” Skype users are affected is when they communicate with TOM-Skype users.

What is TOM-Skype and what is the difference between it and Skype?

If you go to www.skype.com from China, you are redirected to skype.tom.com — so that’s the version most Chinese people will use.

In 2004 Skype developed a relationship with TOM Online, a leading wireless provider in China, and announced a joint venture in 2005. Skype and TOM Online produced a special version of the Skype software, known as TOM-Skype, for use in China.

What is Skype saying, have they said anything to you?

I contacted Skype to have the security issue fixed before the report was released. So, they have configured the servers so that one can no longer view the logs, and they have deleted sensitive files, such as the one containing the encryption key. Other than that contact, I’ve only seen the statements they’ve made to reporters.

The NYT:

Jennifer Caukin, an eBay spokeswoman, said, “The security and privacy of our users is very important to Skype.” But the company spoke to the accessibility of the messages, not their monitoring. “The security breach does not affect Skype’s core technology or functionality,” she said. “It exists within an administrative layer on Tom Online servers. We have expressed our concern to Tom Online about the security issue and they have informed us that a fix to the problem will be completed within 24 hours.” EBay had no comment on the monitoring.

To the WSJ

Jennifer Caukin, a spokeswoman for Skype, said in an emailed statement that the security problem had been remedied as a result of the new report. The idea that China’s government “might be monitoring communications in and out of the country shouldn’t surprise anyone,” Ms. Caukin said. “Nevertheless, we were very concerned to hear about the apparent security issue” that enabled people to view user information, and “we are pleased that, once we informed TOM about it, that they were able to fix the flaw.”

In a separate statement, TOM Group said that “as a Chinese company, we adhere to rules and regulations in China where we operate our businesses.”

The WSJ blog has the statement in full.

In the past Skype stated:

The text filter operates on the chat message content before it is encrypted for transmission, or after it has been decrypted on the receiver side. If the message is found unsuitable for displaying, it is simply discarded and not displayed or transmitted anywhere.

What I found directly contradicts this.

How does this relate to Corporate Social Responsibility (and the voluntary Principles of Free Expression and Privacy process)?

This case demonstrates the critical importance of the issues of transparency and accountability by providers of communications technologies. It highlights the risks of storing personally identifying and sensitive private information in jurisdictions where human rights and privacy are under threat. It also illustrates the need to assess the security, privacy and human rights impact of such a decision.

Some companies, such as Google, have stated that while they censor some search results they “will not maintain on Chinese soil any services, like email, that involve personal or confidential data.”

In this case Skype appears to have delegated all of the censorship and surveillance responsibilities to TOM – I don’t think they read Rebecca’s paper; they should. While examining the Yahoo! China – Shi Tao case she warned:

Companies that choose to ignore the broader human rights implications of their business practices are gambling with their long-term global reputations as trustworthy conduits or repositories of people’s personal communications and information.

Are the “key words” censored? Or are the messages just logged?

The only keyword that I could use to trigger the content filter (the message is not displayed to the user) and have logged in the content filter logs (uploaded to the TOM-Skype server) was “fuck” (and variations like f*ck). If a message contains the word “fuck” it is not displayed to the user (the entire message is not displayed) and the entire message is uploaded and logged.

In the same content filter logs I found that the majority of the logged messages did not contain obscenities like “fuck”. However, many of the messages contained words like “Communist Party”. I counted the number of logged messages that contained these words and from that identified what I think are the keywords. It is unclear if these messages are just logged, or are censored and logged.

Post questions in the comments and I’ll try to answer them :)

Breaching Trust: An analysis of surveillance and security practices on China’s TOM-Skype platform



[UPDATE: New York Times coverage of the report here.]

Our investigation reveals troubling security and privacy breaches affecting TOM-Skype—the Chinese version of the popular voice and text chat software Skype. It also raises troubling questions regarding how these practices are related to the Government of China’s censorship and surveillance policies.

The questionable security practices of TOM-Online led to the disclosure of millions of records containing personal information regarding mobile phone accounts, SMS messages, and the usage of TOM-Skype. However, this disclosure also confirms that TOM-Skype is censoring and logging text chat messages that contain specific, sensitive keywords and may be engaged in more targeted surveillance.

These findings raise key questions. To what extent do TOM Online and Skype cooperate with the Chinese government in monitoring the communications of activists and dissidents as well as ordinary citizens? On what legal basis is TOM-Skype capturing and logging this volume and detail of personal user data and communication, and who has access to it?

Full Report (mirror)


Tunisia: Law Suit over Fake 404



The ONI Blog reports that a journalist/blogger in Tunisia is suing the government over the blocking of Facebook.

Tunisian journalist and blogger Zied El-Hen filed a suit this week in a Tunisian court against the Tunisian Internet Agency for blocking the social networking Web site Facebook, according to a report by Reuters (Arabic).

An interesting twist concerns the claim that he was misled:

In an interesting technical argument he said that the agency misled him by serving the 404 (Not Found) error message instead of the 403 (Access Forbidden) message, which the agency serves to users who attempt to access banned sites.

Here is a screen shot I took during WSIS in Tunisia in 2005. You can see that the 404 page is taken from Internet Explorer, but I was using Firefox! You can see from the HTTP headers that the 404 is fake.

One important issue to remember in this case is that Tunisia is using SmartFilter, a filtering product developed by the U.S. company Secure Computing. This product is used in many countries, including Saudi Arabia, Oman, Sudan, the United Arab Emirates, and previously Iran. In these other countries SmartFilter is used to show users a blockpage that indicates to the user that the content is intentionally blocked. Instead, Tunisia uses this blockpage functionality to fake a 404 error page.

Tunisia uses SmartFilter to block access to categories of websites, such as pornography, but also adds their own targets, often political web sites, to the blocking lists. Sometimes content that was not intended to be blocked is blocked in all of Tunisia due to miscategorizations by SmartFilter.

DNS and the GFW



While the ability of the GFW to send RST packets, in an attempt to terminate a connection between a source IP and a destination IP based on keywords appearing in packets (keywords in GET requests and possibly in the HTML responses), has been documented in http://www.cl.cam.ac.uk/~rnc1/ignoring.pdf and http://www.cs.unm.edu/~crandall/concept_doppler_ccs07.pdf, China also employs a similar system to interfere with DNS. If a DNS request to resolve a hostname is sent to an IP in China, an intermediary will respond with a DNS response containing an incorrect IP. This is not totally new; it has already been documented from inside China.

I start with a “UDP traceroute” (DNS packets with no qname and incrementing TTLs) in order to find the first hop inside China. The IP address contained in each ICMP response is checked against Team Cymru’s IP lookup service to find the AS, country and network name.

1|192.168.2.1|time-exceeded  NA
2|64.230.*.*|time-exceeded CA NA
3|64.230.*.*|time-exceeded CA NA
4|64.230.*.*|time-exceeded CA NA
5|64.230.*.*|time-exceeded CA NA
6|64.230.147.14|time-exceeded CA NA
7|206.108.103.138|time-exceeded CA NA
8|160.81.109.193|time-exceeded US SPRINTLINK - Sprint
9|144.232.10.19|time-exceeded US SPRINTLINK - Sprint
10|144.232.8.169|time-exceeded US SPRINTLINK - Sprint
11|144.232.9.224|time-exceeded US SPRINTLINK - Sprint
12|144.232.9.32|time-exceeded US SPRINTLINK - Sprint
13|144.232.2.171|time-exceeded US SPRINTLINK - Sprint
14|144.223.148.2|time-exceeded US SPRINTLINK - Sprint
15|219.158.4.193|time-exceeded CN CHINA169-BACKBONE CNCGROUP China169 Backbone

For me, the first CN hop on the path to 202.165.102.247 (www.yahoo.cn) is hop 15, whose IP is 219.158.4.193 (CHINA169-BACKBONE CNCGROUP China169 Backbone). So I send a DNS request for “www.citizenlab.org” to 202.165.102.247 (which is not a DNS server) with a TTL of 15, so that the packet expires at that hop.

###[ IP ]###
  version   = 4
  ihl       = 0
  tos       = 0x0
  len       = 0
  id        = 1
  flags     = 
  frag      = 0
  ttl       = 15
  proto     = udp
  chksum    = 0x0
  src       = 192.168.2.11
  dst       = 202.165.102.247
  options   = ''
###[ UDP ]###
     sport     = domain
     dport     = domain
     len       = 0
     chksum    = 0x0
###[ DNS ]###
        id        = 0
        qr        = 0
        opcode    = QUERY
        aa        = 0
        tc        = 0
        rd        = 1
        ra        = 0
        z         = 0
        rcode     = ok
        qdcount   = 0
        ancount   = 0
        nscount   = 0
        arcount   = 0
        \qd        \
         |###[ DNS Question Record ]###
         |  qname     = 'www.citizenlab.org'
         |  qtype     = A
         |  qclass    = IN
        an        = 0
        ns        = 0
        ar        = 0

The ICMP response comes back from hop 15:

###[ IP ]###
  version   = 4L
  ihl       = 5L
  tos       = 0x0
  len       = 56
  id        = 5984
  flags     = 
  frag      = 0L
  ttl       = 241
  proto     = icmp
  chksum    = 0xf52
  src       = 219.158.4.193
  dst       = 192.168.2.11
  options   = ''
###[ ICMP ]###
     type      = time-exceeded
     code      = 0
     chksum    = 0xc2d7
     id        = 0xeacf
     seq       = 0x3af8
###[ IP in ICMP ]###
        version   = 4L
        ihl       = 5L
        tos       = 0x0
        len       = 64
        id        = 1
        flags     = 
        frag      = 0L
        ttl       = 1
        proto     = udp
        chksum    = 0xc55c
        src       = 192.168.2.11
        dst       = 202.165.102.247
        options   = ''
###[ UDP in ICMP ]###
           sport     = domain
           dport     = domain
           len       = 44
           chksum    = 0xbca

While this is occurring I also sniff the wire to see if other packets are being sent my way, and they are. Four bad DNS responses were sent my way claiming to be from 202.165.102.247.

###[ IP ]###
     version   = 4L
     ihl       = 5L
     tos       = 0x10
     len       = 98
     id        = 45372
     flags     = 
     frag      = 0L
     ttl       = 45
     proto     = udp
     chksum    = 0xe7ee
     src       = 202.165.102.247
     dst       = 192.168.2.11
     options   = ''
###[ UDP ]###
        sport     = domain
        dport     = domain
        len       = 78
        chksum    = 0xe286
###[ DNS ]###
           id        = 0
           qr        = 1L
           opcode    = QUERY
           aa        = 1L
           tc        = 0L
           rd        = 1L
           ra        = 1L
           z         = 0L
           rcode     = ok
           qdcount   = 1
           ancount   = 1
           nscount   = 0
           arcount   = 0
           \qd        \
            |###[ DNS Question Record ]###
            |  qname     = 'www.citizenlab.org.'
            |  qtype     = A
            |  qclass    = IN
           \an        \
            |###[ DNS Resource Record ]###
            |  rrname    = 'www.citizenlab.org.'
            |  type      = A
            |  rclass    = IN
            |  ttl       = 86400
            |  rdlen     = 0
            |  rdata     = '216.234.179.13'
           ns        = 0
           ar        = 0

Summary:

192.168.2.11 > 202.165.102.247 <DNSQR  qname='www.citizenlab.org.' qtype=A qclass=IN |> 0
219.158.4.193 > 192.168.2.11   time-exceeded
202.165.102.247 > 192.168.2.11 <DNSQR  qname='www.citizenlab.org.' qtype=A qclass=IN |> 
    <DNSRR  rrname='www.citizenlab.org.' type=A rclass=IN ttl=300 rdata='64.33.88.161' |>
202.165.102.247 > 192.168.2.11 <DNSQR  qname='www.citizenlab.org.' qtype=A qclass=IN |> 
    <DNSRR  rrname='www.citizenlab.org.' type=A rclass=IN ttl=86400 rdata='216.234.179.13' |>
202.165.102.247 > 192.168.2.11 <DNSQR  qname='www.citizenlab.org.' qtype=A qclass=IN |> 
    <DNSRR  rrname='www.citizenlab.org.' type=A rclass=IN ttl=86400 rdata='216.234.179.13' |>
202.165.102.247 > 192.168.2.11 <DNSQR  qname='www.citizenlab.org.' qtype=A qclass=IN |> 
    <DNSRR  rrname='www.citizenlab.org.' type=A rclass=IN ttl=86400 rdata='216.234.179.13' |>

64.33.88.161 and 216.234.179.13 are not IP addresses that “www.citizenlab.org” should resolve to.
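To make the probe above reproducible without Scapy, here is an added example (mine, not code from the original post) in plain Python: it builds the same A query, reconstructs the four replies from the summary, and applies the checks that mark them as injected. The reply bytes are constructed from the values in the post, and the classifier's heuristics (a TTL-limited probe cannot be answered by its addressee, several replies to one query, disagreeing rdata or TTLs) are assumptions of this example, not a method the post describes.

```python
import socket
import struct

RECORD_A = 1

def encode_qname(name):
    """Encode 'www.citizenlab.org' as length-prefixed DNS labels ending in a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(name, txid=0):
    """The probe from the post: id 0, RD set, one A/IN question, nothing else."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", RECORD_A, 1)

def build_answer(name, ip, ttl, txid=0):
    """Reconstruct one injected reply: QR=1 AA=1 RD=1 RA=1, question echoed, one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)
    question = encode_qname(name) + struct.pack("!HH", RECORD_A, 1)
    rr = encode_qname(name) + struct.pack("!HHIH", RECORD_A, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr

def _read_name(msg, off):
    """Decode a name at offset `off`, following RFC 1035 compression pointers."""
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(_read_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_message(msg):
    """Parse the header, question section and answer section of a DNS message."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off, questions, answers = 12, [], []
    for _ in range(qdcount):
        name, off = _read_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == RECORD_A and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        answers.append({"name": name, "type": rtype, "ttl": ttl, "rdata": rdata})
    return {"id": txid, "qr": flags >> 15, "aa": (flags >> 10) & 1,
            "rcode": flags & 0xF, "questions": questions, "answers": answers}

def classify_replies(probe_dst, probe_can_arrive, replies):
    """Judge the replies to one probe. `replies` is a list of (source IP, UDP payload).
    Returns the reasons the replies look injected; an empty list means nothing odd."""
    parsed = [(src, parse_message(raw)) for src, raw in replies]
    reasons = []
    if parsed and not probe_can_arrive:
        reasons.append("probe was TTL-limited, so the addressed host never saw it")
    if len(parsed) > 1:
        reasons.append("%d replies to a single query" % len(parsed))
    rdatas = {a["rdata"] for _, m in parsed for a in m["answers"]}
    if len(rdatas) > 1:
        reasons.append("conflicting answers: " + ", ".join(sorted(rdatas)))
    ttls = {a["ttl"] for _, m in parsed for a in m["answers"]}
    if len(ttls) > 1:
        reasons.append("conflicting TTLs: " + ", ".join(str(t) for t in sorted(ttls)))
    for src, m in parsed:
        if src != probe_dst:
            reasons.append("reply from %s, but the probe went to %s" % (src, probe_dst))
    return reasons

def probe_from_post():
    """The exchange in the post, reconstructed: a query sent with TTL 15 towards
    202.165.102.247 (not a DNS server) and the four replies that came back."""
    name = "www.citizenlab.org"
    query = build_query(name)
    replies = [("202.165.102.247", build_answer(name, "64.33.88.161", 300))]
    replies += [("202.165.102.247", build_answer(name, "216.234.179.13", 86400))] * 3
    return query, classify_replies("202.165.102.247", False, replies)

if __name__ == "__main__":
    _, verdict = probe_from_post()
    for line in verdict:
        print("injected?", line)
```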

I used 38 IP addresses on 38 different ASes in China as targets. A DNS packet was sent to the first CN hop from a UDP traceroute to each of these IPs. The IPs returned in the ICMP packets received from each hop are distributed across 11 ASes in China.

In total, I received 8 unique bad IP addresses.

211.94.66.147 24403 CN CNNIC-CNCITYNET-AP Beijing Kuanjie Net communication technology Ltd
209.145.54.50 6428 US CDM - CDM
203.161.230.171 9925 HK HKTHOST-AP Powerbase DataCenter Services (HK) Ltd.
64.33.88.161 19916 US ASTRUM-0001 - OLM LLC
202.181.7.85 7489 AU FIRSTLINK-AS-AP First Link Internet Services
4.36.66.178 3356 US LEVEL3 Level 3 Communications
216.234.179.13 13911 CA TERA-BYTE - Tera-byte Online Services
202.106.1.2 4808 CN CHINA169-BJ CNCGROUP IP network China169 Beijing Province Network

Two of the IPs are in mainland China and one is in Hong Kong; three are in the US and one in Australia. Only one of the CN IPs, 211.94.66.147, had a web server running when I checked, which means that this server could log the IP addresses that connect to it and the host names in the requests. Why these IPs?

I don’t know. It is pretty strange.

64.33.88.161 was the IP for falundafa.ca; the IP was blocked, so any domains that resolved to it were also blocked. This seems to be legacy blocking.

If you run host bbs.hygung.com you’ll get back most of these IPs, along with a bunch of others. Many of these IPs also appear on some kind of IP blocking list (another one); RobotDog anyone? It seems to be a list for a router OS by http://www.mikrotik.com.cn/. Another site has a post about DNS cache poisoning/phishing and one of these IPs, this time affecting an ISP in Taiwan.

Anyone?

The “iTunes Blocked in China” Takeaway



The iTunes Store, the portal page used to purchase media from Apple, was briefly blocked in China. This meant that iTunes users in China were unable to view, search, sample and purchase media available through Apple’s iTunes Store. (I recently spoke with The World’s Cyrus Farivar about this story (mp3); below I expand on some of the details.)

How? China has a multi-layered filtering system. One of these layers is “keyword” filtering that occurs near the main international gateways that connect China to the rest of the Internet. When packets are found in requests (or responses) that contain certain keywords, China’s filtering system sends reset (RST) packets to the computer that issued the request as well as to the computer to which the request was sent, effectively terminating the connection between the two. China added a portion of the iTunes Store URL as a keyword; whenever a request was seen to contain this keyword, the connection was reset.
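An added example (not from the original post or any tool it mentions) that picks injected resets out of a client-side capture of the mechanism just described. It goes beyond the paragraph by using a heuristic the post does not state: a reset injected by an in-path device usually carries a different IP TTL than the server's own handshake packets, and it arrives shortly after a request containing the keyword. The packet records, addresses and payloads are constructed; only the URL fragment used as the keyword comes from the post.

```python
from collections import namedtuple

# One captured packet as seen at the client: time in seconds, addresses, IP TTL,
# TCP flag letters (S, A, P, F, R) and the TCP payload. Ports are omitted for brevity.
Pkt = namedtuple("Pkt", "t src dst ttl flags payload")

# The URL fragment the post reports as the trigger for the resets.
KEYWORD = b"ax.phobos.apple.com.edgesuite.net/WebObjects/MZStore"

def find_injected_resets(pkts, client, server, window=2.0):
    """Flag resets that look injected by an in-path device rather than sent by the server.

    Heuristic (an assumption of this example, not from the post): a genuine RST from the
    server carries the same IP TTL as the server's handshake packet, whereas a middlebox
    sits fewer hops away; and filter-triggered resets follow a request carrying the keyword
    within `window` seconds. Returns [(packet, reasons)] for each RST with at least one clue.
    """
    server_ttl = next((p.ttl for p in pkts
                       if p.src == server and "S" in p.flags and "A" in p.flags), None)
    last_keyword_at = None
    findings = []
    for p in sorted(pkts, key=lambda pkt: pkt.t):
        if p.src == client and p.payload and KEYWORD in p.payload:
            last_keyword_at = p.t
        if "R" not in p.flags or p.src != server:
            continue  # only resets that claim to come from the server are of interest
        reasons = []
        if server_ttl is not None and p.ttl != server_ttl:
            reasons.append("ttl %d differs from server handshake ttl %d" % (p.ttl, server_ttl))
        if last_keyword_at is not None and 0 <= p.t - last_keyword_at <= window:
            reasons.append("%.2fs after a request containing the keyword" % (p.t - last_keyword_at))
        if reasons:
            findings.append((p, reasons))
    return findings

def sample_capture():
    """Constructed capture (placeholder addresses): a harmless request completes normally
    and the server closes it with a genuine RST; then a request carrying the keyword is
    met by a burst of resets whose TTL does not match the server's handshake."""
    c, s = "10.0.0.2", "198.51.100.7"
    return [
        Pkt(0.00, c, s, 64, "S", b""),
        Pkt(0.20, s, c, 48, "SA", b""),
        Pkt(0.20, c, s, 64, "A", b""),
        Pkt(0.21, c, s, 64, "PA", b"GET /robots.txt HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
        Pkt(0.41, s, c, 48, "PA", b"HTTP/1.1 200 OK\r\n\r\n"),
        Pkt(0.62, s, c, 48, "R", b""),   # genuine: same TTL as the handshake, no keyword
        Pkt(5.00, c, s, 64, "PA", b"GET http://" + KEYWORD + b" HTTP/1.1\r\n\r\n"),
        Pkt(5.03, s, c, 57, "R", b""),   # injected burst: TTL differs, right after keyword
        Pkt(5.03, s, c, 57, "R", b""),
        Pkt(5.04, s, c, 57, "R", b""),
        Pkt(9.00, s, c, 48, "R", b""),   # genuine: TTL matches and long after the keyword
    ]

if __name__ == "__main__":
    for p, why in find_injected_resets(sample_capture(), "10.0.0.2", "198.51.100.7"):
        print("t=%.2f ttl=%d: %s" % (p.t, p.ttl, "; ".join(why)))
```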

Why? China does not disclose the official reasons why content is blocked but the reason is most likely due to the “Songs for Tibet” album available through the iTunes Store. The album contains songs by popular artists and those who purchase the entire album get access to a video of the Dalai Lama. While other content the Government of China would likely find objectionable is available in iTunes, including Tibet and Dalai Lama related content, downloading the “Songs for Tibet” album became a form of protest.

The Art of Peace Foundation issued a press release on August 19, 2008 stating that Olympic athletes were downloading the album “as an act of solidarity with Tibet.” On August 21, 2008 Stephen Hutcheon of the Sydney Morning Herald reported:

Access to Apple’s online iTunes Store has been blocked in China after it emerged that Olympic athletes have been downloading and possibly listening to a pro-Tibetan music album in a subtle act of protest against China’s rule over the province.

Access to the iTunes Store was quickly reinstated, but access to the specific album was reportedly still blocked. Shortly thereafter reports emerged stating that the album itself was also accessible from within China. It is still unclear whether full access to the album has been restored.

Where? How is it possible that some Internet users in China have access to the “Songs for Tibet” album in the iTunes Store while others do not? China has a multi-layered filtering system; it is not always identical in all parts of China. While the album is no longer blocked in all of China, at the gateway points for example, it may still be blocked at local or regional levels or on specific Internet Service Providers.

The Takeaway? The blocking of the iTunes Store itself, and the blocking of the specific “Songs for Tibet” album, is important even though it was brief. Not so much in terms of the Government of China, we know that they will continue to block content they find threatening, but in terms of what Apple will do. It turns out that normal Internet users in China can’t purchase and download the “Songs for Tibet” album; only foreigners with credit cards and billing addresses outside of China can. (They can listen to/watch the short clips available for free, however, if they set their iTunes Store to a different location, such as Canada.) iTunes does not currently have a full iTunes Store for China — but they will!

When Apple opens “iTunes Store China” will “Songs for Tibet” be available through it? Will they restrict access to content by geographical location? Well, for copyright reasons they already do; will they do so for politically sensitive content as well?

Internet Censorship: Malaysia



Malaysia has become the latest country to begin filtering the Internet. The news web site www.malaysia-today.net is being blocked by Malaysia’s largest Internet Service Provider, TMnet, after the Malaysian Communications and Multimedia Commission ordered the web site blocked.

TMnet has configured their DNS servers such that they do not properly resolve the correct IP addresses for www.malaysia-today.net or malaysia-today.net.

$ dig @202.188.1.5 www.malaysia-today.net

; <<>> DiG 9.4.2-P1 <<>> @202.188.1.5 www.malaysia-today.net
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18677
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.malaysia-today.net. IN A

;; AUTHORITY SECTION:
malaysia-today.net. 3600 IN SOA ns1.blocked. blocked.tm.net.my. 1 900 600 86400 3600

;; Query time: 270 msec
;; SERVER: 202.188.1.5#53(202.188.1.5)
;; WHEN: Thu Aug 28 09:20:20 2008
;; MSG SIZE rcvd: 104

$ dig @202.188.1.5 malaysia-today.net

; <<>> DiG 9.4.2-P1 <<>> @202.188.1.5 malaysia-today.net
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15429
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;malaysia-today.net. IN A

;; ANSWER SECTION:
malaysia-today.net. 3600 IN A 127.0.0.1

;; AUTHORITY SECTION:
malaysia-today.net. 3600 IN NS ns1.blocked.

;; Query time: 292 msec
;; SERVER: 202.188.1.5#53(202.188.1.5)
;; WHEN: Thu Aug 28 09:20:42 2008
;; MSG SIZE rcvd: 77
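The two replies above carry recognisable signatures of resolver-level blocking: an NXDOMAIN whose SOA names a fake “blocked.” zone, and an A record sinkholed to 127.0.0.1. The following script is an added example, not code from the original post or from TMnet; it parses the text that dig prints and flags those signatures, optionally comparing the answer against an independent resolver. The sample replies are constructed to mirror the dig output above; the “clean” control reply and its address are made up.

```python
"""Spot DNS-level blocking in a resolver's reply (added example, stdlib only)."""
import ipaddress
import re

STATUS_RE = re.compile(r"status:\s*([A-Z]+)")
SECTION_RE = re.compile(r"^;; (\w+) SECTION:$")
SINK_ZONES = ("blocked.",)   # placeholder zone seen in TMnet's SOA and NS records


def parse_dig(text):
    """Turn dig's textual output into {'status', 'answer', 'authority'}.

    Records are (name, ttl, type, rdata) tuples; the QUESTION section and
    dig's ';;' commentary lines are skipped.
    """
    resp = {"status": None, "answer": [], "authority": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None                      # a blank line ends a section
            continue
        if line.startswith(";;") and "HEADER" in line:
            m = STATUS_RE.search(line)
            resp["status"] = m.group(1) if m else None
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if line.startswith(";") or section not in resp:
            continue
        parts = line.split(None, 4)             # name ttl class type rdata
        if len(parts) == 5 and parts[2] == "IN":
            name, ttl, _, rtype, rdata = parts
            resp[section].append((name, int(ttl), rtype, rdata))
    return resp


def tampering_signs(resp, reference_ips=None):
    """Return the reasons a reply looks censored; an empty list means none found."""
    reasons = []
    if resp["status"] == "NXDOMAIN":
        for _, _, rtype, rdata in resp["authority"]:
            mname = rdata.split()[0]            # SOA MNAME is the first rdata field
            if rtype == "SOA" and mname.endswith(SINK_ZONES):
                reasons.append(f"NXDOMAIN with synthetic SOA mname {mname}")
    answered = set()
    for _, _, rtype, rdata in resp["answer"]:
        if rtype in ("A", "AAAA"):
            ip = ipaddress.ip_address(rdata)
            answered.add(str(ip))
            if ip.is_loopback or ip.is_private or ip.is_unspecified:
                reasons.append(f"{rtype} record sinkholed to {ip}")
    for _, _, rtype, rdata in resp["authority"]:
        if rtype == "NS" and rdata.endswith(SINK_ZONES):
            reasons.append(f"NS delegated to non-existent zone {rdata}")
    if reference_ips is not None and answered and answered.isdisjoint(reference_ips):
        reasons.append("answer shares no address with the reference resolver")
    return reasons


# Constructed to mirror the TMnet replies quoted in the post.
TMNET_WWW = """\
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 18677
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;www.malaysia-today.net. IN A

;; AUTHORITY SECTION:
malaysia-today.net. 3600 IN SOA ns1.blocked. blocked.tm.net.my. 1 900 600 86400 3600
"""

TMNET_APEX = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15429

;; ANSWER SECTION:
malaysia-today.net. 3600 IN A 127.0.0.1

;; AUTHORITY SECTION:
malaysia-today.net. 3600 IN NS ns1.blocked.
"""

# Constructed control reply from a resolver outside TMnet; the address is made up.
CLEAN = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242

;; ANSWER SECTION:
www.malaysia-today.net. 300 IN A 66.96.147.105
"""

if __name__ == "__main__":
    for label, text in (("TMnet www", TMNET_WWW), ("TMnet apex", TMNET_APEX), ("control", CLEAN)):
        print(label, tampering_signs(parse_dig(text)) or "no tampering signs")
```

Feed it the output of `dig @<isp-resolver> <name>` and, for the reference set, the A records returned by a resolver outside the ISP; a disjoint answer set is the weakest of the three signals on its own (CDNs legitimately return region-specific addresses), so it is reported only as corroboration.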

iTunes Store Blocked in China



UPDATE: I can now access the iTunes store from China.

Recent reports indicate that China is blocking access to Apple’s iTunes Store:

Users reported receiving an error message when attempting to reach iTunes: “iTunes could not connect to the iTunes store. An unknown error occurred.(-4) Make sure your network connection is active and try again.”

While this error can also be produced by iTunes itself, I can confirm that in this case China was blocking access to URLs necessary to load the iTunes Store. China employs a variety of filtering methods. In this case, all of the domains resolved to the correct IP addresses and all of the IP addresses were reachable; SSL access was also fine. The initial requests that iTunes makes succeed, until a particular URL is requested.

More specifically, GET requests containing “ax.phobos.apple.com.edgesuite.net/WebObjects/MZStore” are disrupted. (There were probably more ways to trigger the RSTs; I did not get the chance to test further, as the blocking appears to have been lifted.) After making a few connections, iTunes eventually attempts to connect to:

http://ax.phobos.apple.com.edgesuite.net/WebObjects/MZStore.woa/wa/initiateSession?ix=2

This triggers spoofed RST packets.

In addition to checking from computers in China, this behaviour can be triggered by connecting into China as well. Here I’ve set up a 3-way TCP handshake with yahoo.cn’s IP address, since yahoo.cn is located in China. I then send a packet with the payload “ax.phobos.apple.com.edgesuite.net/WebObjects/MZStore” but with a TTL that is insufficient to reach the intended destination. An ICMP Time Exceeded message comes back from a router (for me, at TTL 16), followed by spoofed RST packets that disrupt the connection. Because the payload expired before it could reach yahoo.cn, the RSTs cannot have come from the real endpoint; they were generated by filtering equipment on the path, and the smallest TTL at which they appear indicates roughly how many hops away that equipment sits.

See http://www.cl.cam.ac.uk/~rnc1/ignoring.pdf and http://www.cs.unm.edu/~crandall/concept_doppler_ccs07.pdf for more on this technique.
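The probe described above can be turned into a repeatable check by recording the exchange and analysing it offline. The script below is an added example, not code from the original post or from the papers linked above; it takes a captured trace (here a constructed one that mirrors the experiment, with made-up addresses, TTLs and timestamps) and decides whether the RSTs that follow the trigger-carrying segment were injected, using two independent signals: the server could not have seen a payload that expired with an ICMP Time Exceeded, and injected RSTs typically arrive with a different IP TTL than the server’s own SYN-ACK. It also generalises the single TTL-16 observation into the TTL sweep used to locate the filtering hop.

```python
"""Detect keyword-triggered RST injection from a packet trace (added example)."""
from dataclasses import dataclass

TTL_SLACK = 2        # tolerated TTL jitter between packets from the same real host


@dataclass
class Pkt:
    t: float          # seconds since start of capture
    src: str
    dst: str
    proto: str        # "tcp" or "icmp"
    ttl: int          # IP TTL as seen on the wire
    flags: str = ""   # TCP flags: S, SA, A, PA, R
    payload: bytes = b""
    icmp_type: int = -1   # 11 = Time Exceeded


CLIENT, SERVER, ROUTER = "192.0.2.10", "203.0.113.5", "198.51.100.1"   # made-up addresses
TRIGGER = b"ax.phobos.apple.com.edgesuite.net/WebObjects/MZStore"


def analyze(trace, client, server, trigger):
    """Classify the RSTs that follow the trigger-carrying probe segment."""
    synack = next((p for p in trace if p.proto == "tcp" and p.src == server
                   and p.dst == client and p.flags == "SA"), None)
    if synack is None:
        return {"verdict": "no-handshake", "rst_count": 0, "evidence": []}
    probe = next((p for p in trace if p.proto == "tcp" and p.src == client
                  and trigger in p.payload), None)
    if probe is None:
        return {"verdict": "no-probe", "rst_count": 0, "evidence": []}
    after = [p for p in trace if p.t > probe.t]
    expired = [p for p in after if p.proto == "icmp" and p.icmp_type == 11 and p.dst == client]
    rsts = [p for p in after if p.proto == "tcp" and p.src == server
            and p.dst == client and "R" in p.flags]
    evidence = []
    if rsts and expired:
        # The payload died at a router, so the real server never saw it.
        evidence.append(f"probe expired at {expired[0].src} (ICMP type 11) yet "
                        f"{len(rsts)} RST(s) arrived claiming to be from {server}")
    for r in rsts:
        # A middlebox nearer than the server leaves a different residual TTL.
        if abs(r.ttl - synack.ttl) > TTL_SLACK:
            evidence.append(f"RST ttl={r.ttl} differs from SYN-ACK ttl={synack.ttl}")
    if evidence:
        verdict = "injected-rst"
    elif rsts:
        verdict = "rst-from-server"
    else:
        verdict = "no-rst"
    return {"verdict": verdict, "rst_count": len(rsts), "evidence": evidence}


def filter_hop(verdict_by_ttl):
    """Smallest probe TTL at which injection was observed when the probe TTL is
    swept upward, i.e. the hop count to the filtering device (the idea behind
    the ConceptDoppler paper linked above). None if injection never triggered."""
    hits = [ttl for ttl, v in verdict_by_ttl.items() if v == "injected-rst"]
    return min(hits) if hits else None


def constructed_trace(probe_ttl=16, with_icmp=True, rst_ttl=57):
    """Constructed packets mirroring the post's experiment (not a real capture)."""
    request = b"GET http://" + TRIGGER + b".woa/wa/initiateSession?ix=2 HTTP/1.1\r\n\r\n"
    trace = [
        Pkt(0.000, CLIENT, SERVER, "tcp", 64, "S"),
        Pkt(0.180, SERVER, CLIENT, "tcp", 44, "SA"),      # initial 64 minus ~20 hops
        Pkt(0.181, CLIENT, SERVER, "tcp", 64, "A"),
        Pkt(0.182, CLIENT, SERVER, "tcp", probe_ttl, "PA", payload=request),
    ]
    if with_icmp:
        trace.append(Pkt(0.250, ROUTER, CLIENT, "icmp", 240, icmp_type=11))
    trace += [Pkt(0.260, SERVER, CLIENT, "tcp", rst_ttl, "R"),
              Pkt(0.262, SERVER, CLIENT, "tcp", rst_ttl, "R")]
    return trace


if __name__ == "__main__":
    print(analyze(constructed_trace(), CLIENT, SERVER, TRIGGER))
    print(analyze(constructed_trace(with_icmp=False, rst_ttl=44), CLIENT, SERVER, TRIGGER))
```

In practice the `Pkt` list would be filled from a pcap taken while sending the low-TTL probe; the TTL comparison alone is a heuristic (load balancers in front of the real server can shift TTLs by a hop or two, hence `TTL_SLACK`), whereas an ICMP Time Exceeded followed by an RST is conclusive.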

Search Monitor: Toward a Measure of Transparency



Citizen Lab Occasional Paper #1, “Search Monitor Project: Toward a Measure of Transparency“, (mirror) has been released today. This report interrogates and compares the censorship practices of the search engines provided by Google, Microsoft and Yahoo! for the Chinese market along with the domestic Chinese search engine Baidu. It is based on tests conducted between November 2007 and April 2008 focused on uncovering web sites that have been censored from search engine results.

The report finds that although Internet users in China are able to access more information due to the presence of foreign search engines the web sites that are censored are often the only sources of alternative information available for politically sensitive topics. In addition to censoring the web sites of Chinese dissidents and the Falun Gong movement, the web sites of major news organizations, such as the BBC, as well as international advocacy organizations, such as Human Rights Watch, are also censored.

The data presented in this report indicates that there is not a comprehensive system – such as a list issued by the Chinese government – in place for determining censored content. In fact, the evidence suggests that search engine companies themselves are selecting the specific web sites to be censored raising the possibility of over blocking as well as indicating that there is significant flexibility in choosing how to implement China’s censorship requirements.

This report finds that search engine companies maintain an overall low level of transparency regarding their censorship practices and concludes that independent monitoring is required to evaluate their compliance with public pledges regarding commitments to transparency and human rights. The lack of clarity in the process and the unwillingness of companies to disclose this information acts to bolster China’s current censorship policy that thrives on secrecy and unaccountability.

It is becoming increasingly clear that technology companies face a dilemma when attempting to penetrate the Chinese market. A failure to comply with China’s censorship policies can result in the wholesale blocking of a company’s entire service or significant levels of interference due to China’s filtering system. Companies that have a physical presence in China face the challenge of obtaining proper licensing and their Chinese employees may face legal threats for the foreign company’s failure to comply with China’s censorship policies. However, it is also clear that compliance with China’s censorship policies is also an unattractive option. Google, Microsoft and Yahoo! are all facing tough criticism from governments, human rights groups and civil liberties advocates as well as their shareholders for their complicity in China’s censorship policies.

While foreign search engines do provide more content than domestic search engines, the greatest benefit of having foreign search engines in China may not be increased access to information but is the potential contribution that these companies can make to further transparency and accountability in the process of censorship.

Since this report was finalized, the domestic Chinese search engine Baidu, following the foreign search engines, introduced a censorship notification indicating that it is possible to make progress through engagement. While this development may seem negligible to some and it is certainly no reason to become complacent, it is a small first step toward lifting the veil of secrecy and unaccountability that permeates China’s censorship policies.

Microsoft: Censorship Notification Returns



Microsoft now has a censorship notification in the censored version of the live.com search engine that it provides for the Chinese market. The notification appears when searches are made for particular keywords; however, it is not displayed when searches are restricted to censored domains. (See Degrading Transparency: Comparing Google, Yahoo and Microsoft for past reports.)

May 13, 2008

Engine    | Presence | Placement                                                         | Specificity               | Connection                                                    | Screenshot
Google    | Yes      | High: notification is placed under results                        | Low: mentions “local law” | Yes: notification only appears when results are censored      | screenshot
Yahoo     | Yes      | Medium: notification is placed at the bottom of every page        | Low: mentions “local law” | No                                                            | screenshot
Microsoft | Yes*     | Medium: notification when searching for particular “key words”*   | Low: mentions “local law” | Yes*                                                          | screenshot (2)

* Microsoft provides notification when searching for particular “key words”, however, no message appears when restricting the search to a censored web site.

U.S. Funded Health Search Engine Blocks ‘Abortion’



Wired reports that a health services search engine funded by the US Government blocks searches for the word “abortion” because of the possibility that funding could be denied for projects that “actively promote abortion”:

Called Popline, the search site is run by the Johns Hopkins Bloomberg School of Public Health in Maryland. It’s funded by the U.S. Agency for International Development, or USAID…

“We recently made all abortion terms stop words,” Dickson [the manager of the database at Johns Hopkins] wrote in a note to Gloria Won, the UCSF medical center librarian making the inquiry. “As a federally funded project, we decided this was best for now.”

It turns out that the block was prompted by complaints from the Bush administration:

“The items in question had to do with abortion advocacy — the two items dealing with abortion were removed following this inquiry, and the administrators made a decision to restrict abortion as a search term,” said Tim Parsons, a spokesman for the Johns Hopkins Bloomberg School of Public Health in Maryland.

Searches for “abortion” have been restored. However, it does not appear that the two removed articles were restored.

US: Airforce Blocks Blogs



Wired reports that the USAF is blocking any URLs with “blog” in them.

AFNOC has imposed bans on all sites with “blog” in their URLs, thus cutting off any sites hosted by Blogspot. Other blogs, and sites in general, are blocked based on content reviews performed at the base, command and AFNOC level …

The idea isn’t to keep airmen in the dark — they can still access news sources that are “primary, official-use sources,” said Maj. Henry Schott, A5 for Air Force Network Operations. “Basically … if it’s a place like The New York Times, an established, reputable media outlet, then it’s fairly cut and dry that that’s a good source, an authorized source,” he said …

AFNOC blocks sites by using Blue Coat software, which categorizes sites based on their content and allows users to block sub-categories as they choose.

“Often, we block first and then review exceptions,” said Tech. Sgt. Christopher DeWitt, a Cyber Command spokesman.

As a result, airmen posting online have cited instances of seemingly innocuous sites — such as educational databases and some work-related sites — getting wrapped up in broad proxy filters.

Wow.

Framing Censorship



Recently, Microsoft’s Bill Gates stated that in the end Internet censorship will not work. He suggested that resistance to Internet censorship will be “driven by business requirements” because “[r]estrictions on free speech will curtail business activity, and so commercial forces will work against censorship.” This is interesting because on one hand companies such as Microsoft, along with Google and Yahoo!, are already censoring their products, particularly search engines geared for the Chinese market. Microsoft has in fact decreased the level of transparency regarding the censorship of its Chinese search engine — it is moving further away from challenging censorship. On the other hand, Yahoo! has been asking the U.S. government to help free the Chinese dissidents it helped imprison, and Gates’ comments seem to echo Google’s argument that censorship should be treated as a barrier to trade. Google has been lobbying the U.S. government on this issue, and a resolution has recently passed in the European Parliament that is being interpreted as a way to treat Internet censorship as a trade barrier. The EU resolution:

Calls on the Commission to specifically deal with all restrictions on the provision of Internet and information society services imported by European companies in third countries as part of its external trade policy and to regard all unnecessary limitations on the provision of those services as constituting trade barriers;

These developments are interesting because Internet censorship is almost exclusively framed within the realm of human rights, particularly Article 19 of both the Universal Declaration of Human Rights (UDHR) and the International Covenant on Civil and Political Rights (ICCPR) which state:

Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.

1. Everyone shall have the right to hold opinions without interference.

2. Everyone shall have the right to freedom of expression; this right shall include freedom to seek, receive and impart information and ideas of all kinds, regardless of frontiers, either orally, in writing or in print, in the form of art, or through any other media of his choice.

3. The exercise of the rights provided for in paragraph 2 of this article carries with it special duties and responsibilities. It may therefore be subject to certain restrictions, but these shall only be such as are provided by law and are necessary:

(a) For respect of the rights or reputations of others;

(b) For the protection of national security or of public order (ordre public), or of public health or morals.

Article 19 of the ICCPR includes a provision for the restriction of the right to freedom of expression as does Article 29 of the UDHR which states:

1. Everyone has duties to the community in which alone the free and full development of his personality is possible.
2. In the exercise of his rights and freedoms, everyone shall be subject only to such limitations as are determined by law solely for the purpose of securing due recognition and respect for the rights and freedoms of others and of meeting the just requirements of morality, public order and the general welfare in a democratic society.
3. These rights and freedoms may in no case be exercised contrary to the purposes and principles of the United Nations.

The interaction between freedom and restriction has made its way into the area of internet governance — if we can call it that. For example, in ICANN discussion on expanding gTLDs this interaction is quite prominent:

The string evaluation process must not infringe the applicant’s freedom of expression rights that are protected under internationally recognized principles of law.

Strings must not be contrary to generally accepted legal norms relating to morality and public order that are recognized under international principles of law.

It is often under the rubric of morality and public order and/or national security that Internet censorship is framed by those who seek its implementation or seek to justify its ongoing practice. The practice of “filtering” — the technical means of blocking online content — is growing. Increasingly, it is not the practice of filtering that is being challenged, the debate is about what content is being filtered. In other words, how the practice of filtering is being framed is the location where ideas about censorship are being contested. China, for example, justifies its extensive Internet filtering and surveillance systems by “stressing repeatedly that Chinese Internet minders abide strictly by laws and regulations that in some cases have been modeled on American and European statutes.” Chinese official Liu Zhengrong told the New York Times:

“If you study the main international practices in this regard you will find that China is basically in compliance with the international norm,” he said. “The main purposes and methods of implementing our laws are basically the same.”

With specific reference to surveillance, Liu noted:

“It is clear that any country’s legal authorities closely monitor the spread of illegal information,” he said. “We have noted that the U.S. is doing a good job on this front.”

The efforts by Google to frame Internet censorship as a trade barrier can be seen as an entrance into this contest of ideas. Such a framing has interesting potential consequences. First, it removes or reduces the moral component of human rights that anti-censorship activists have so heavily relied on. Making less money, rather than protecting human rights, becomes the driving argument. But while international human rights agreements have little-to-no enforcement mechanisms, trade agreements usually have quite explicit means through which disputes can be settled and decisions enforced. Since censorship often takes place in an environment with minimal, if any, transparency and accountability, the resistance to censorship focuses on challenging these practices.

These range from research projects designed to document and expose current censorship practices, to legal challenges to the development and use of technologies. Combined, these efforts seek to challenge the norms surrounding the practice of filtering, change the policies of governments and ISPs and empower users to protect their privacy and exercise the right of free expression online.

Does framing censorship in terms of trade undercut the normative moral foundation of human rights based arguments, or does it represent a means to an end, another tactic in the toolbox for anti-censorship activists? What are the consequences of linking Internet censorship and regimes that deal with trade barriers, particularly when this effort is led by corporations, corporations that are already complicit in Internet censorship?

There have been past efforts to tie human rights to trade. The most notable case, especially relevant in terms of the efforts by Google to lobby the U.S. government to treat censorship as a trade barrier, concerned human rights and the most favoured nation (MFN) status afforded to China. In 1994 Bill Clinton extended China’s MFN status stating:

I am moving, therefore, to delink human rights from the annual extension of Most Favored Nation trading status for China. That linkage has been constructive during the past year, but I believe, based on our aggressive contacts with the Chinese in the past several months, that we have reached the end of the usefulness of that policy

The de-linking of trade and human rights has been characterized as a victory for China (Lynch 2002) and signals that re-linking the two in the context of censorship may be more difficult than it appears. However, in China, the United Nations, and Human Rights Ann Kent suggests that a major factor in the de-linking was that “the business community in particular opposed the linkage” (Kent 1999:72). The combination of China’s resistance and corporate lobbying which Robert Dreyfuss suggests was “led by Boeing, Motorola, Caterpillar, AT&T, and the American International Group (AIG)” eventually succeeded in pressuring the U.S. to de-link trade and human rights.

Underpinning this strategy is what John Garver calls China’s “negative instruments of leverage” (Deng and Wang 2005:225). In China Rising, edited by Deng and Wang, Garver suggests that China preferred to do without U.S. economic cooperation rather than capitulate to threats on human rights issues. This same strategy appears to be at play in terms of Internet censorship. China blocked Google’s search engine and news site entirely. Both of these Google services now censor results for users in China, and full access has been restored. To be fair, Microsoft, Yahoo! and others also censor many of their services targeted at the Chinese market; Google has in many ways been the most transparent and has demonstrated leadership in this area. Google has publicly engaged with its controversial decision to censor and has made the choice not to introduce services such as email. Yahoo!, which has long been censoring its search engine, does provide email services and has been complicit in the imprisonment of Chinese dissidents as a result. Microsoft initially followed Google’s lead but has since reduced its level of transparency. All three are involved in the effort to develop an industry code of conduct to guide the behaviour of corporations when faced with laws that interfere with human rights. While these companies have taken steps, albeit small ones, towards confronting censorship, the extent of their resolve is unclear, especially considering that full blocking is always an option that China has. Moreover, China may even have an incentive to block these companies, as doing so privileges their domestic competitors. In the past, China has redirected users to domestic search engines when blocking foreign hosted ones.

Unfortunately, I don’t have much in the way of answers. In fact, I am left with questions: what are the consequences of creating a norm of filtering in which objections only concern the content targeted and not the practice itself? China, with the help of U.S. business, has managed to de-link trade and human rights in the past; does the fact that business is now favouring the link make a difference, given their money and lobbying experience? How will such a framing affect the prospect of enforcement, which has escaped international human rights commitments in the past but been arguably successful in the arena of trade? Does the shift from framing censorship as a human rights violation to a trade barrier undermine the normative moral efforts of human rights organizations? Or does it enhance it? What are the prospects for success when China can just block these services wholesale, as it has done in the past? Finally, is this just a distraction from the real issue — the complicity of these corporations in Internet censorship in China?