CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 10 PHILLIPA GILL – STONY BROOK UNIVERSITY

WHERE WE ARE Last time: Case study: Iran + Pakistan Questions? Revisit hands on activity … RIPEstat page for AS 12880: Try looking up other Iranian networks NDT data in Google ail=false&bcs=d&nselm=h&met_y=download_throughput&scale_y=lin&ind_y =false&rdim=country&idim=country:364&ifdim=country&ind=false OOKLA Speed test: _y=avg_download_speed

ASSIGNMENT 1 DISCUSSION Some questions led to confusion Part 1 Q2 who are the source and destination (most people got this): Source ICSI ; Destination Baidu (accepted anything from the destination whois since it was a weird looking record). Q3 Why did Wireshark flag Packet 8 as a retransmission? Q4 What is unusual about the response in packet 9? (there was a typo in this question, I reduced total by 3 for it) Q5 (most people got this): Is it the same device responding to packet 8 as the first GET (packet 4)?

ASSIGNMENT 1 DISCUSSION Some questions led to confusion Part 2 Q2 What is missing from the TCP connection? Handshake! Q3 Flow or packet level censor? (a lot of people had trouble with this!) Q4 What is returned in response to the HTTP GET? Part 3 On path or in path censor? Why?

TEST YOUR KNOWLEDGE (IRAN) 1.How did the government assert control over the Internet in 2001? 2.What were the conflicting goals of Iran in implementing censorship? 3.What was the end result of these? 4.What is the `campaign for halal Internet’? Why did people fear this? 5.What is the purpose of IP addresses designated in RFC1918? 6.What are two techniques used by Anderson to map an internal 10.x.x.x address to an external IP? 7.What is the idea of “dimming the Internet”? 8.How can “dimming” be measured? 9.How did the pseudonymous paper identify filtering based on the host header? 10.What type of proxy did they find?

TEST YOUR KNOWLEDGE (PAKISTAN) 1.Why is censorship in Pakistan well known? 2.Which protocol allowed collateral damage when they censored YouTube? 3.What is the main form of censorship in Pakistan identified by the Web censorship paper? 4.What are the most common circumvention techniques in Pakistan? 5.What are some circumvention techniques that were found to work for Pakistan censorship? 6.Which product did CitizenLab find in Pakistan? 7.How did they find the IP of installations of the product? 8.How did they verify that the installations were used for censorship?

TODAY Case Study: China Background (ONI report) Concept Doppler (Crandall et al.) Locating the censors (Xu et al.) Great Cannon  Seminar Tuesday October 1pm!

BACKGROUND China: one-party state, ruled by the Chinese Communist Party (CCP) Conflict between IT development and ability to contain sensitive or threatening information Several milestones challenged gov’t control: Anniversary of Tibetan Uprising in 2008: Protests in Lhasa 2008 Beijing Olympics, pressures to lessen censorship Foreign reporters had unprecedented access within the country Domestic news still highly restricted Unfettered Internet access for foreign journalists restricted to “games-related” Web sites 2009 Riots in Urumqi led to Internet restrictions to “quench the riot … and prevent violent” State sponsored Web site access (31 sites) slowly restored but Internet access in Xinjiang was effectively severed for 10 months

BACKGROUND Google refuses to comply with legal requirements of content filtering in China Attempts to hack gmail accounts of human rights activists Google wanted to establish a truly free and open search engine or officially close Google.cn Google’s actions placed PRC’s censorship practices in the international spotlight China’s population means that even at 28.9% Internet penetration the country has the most Internet users in the world Mobile networking is important for bridging the rural/urban divide 10% of users access the Internet only on a mobile device Widespread use of Internet has led to a change in the public discourse and exposing corruption of government officials and even dismissal of senior officials

INTERNET FILTERING IN CHINA Initial project: Green Dam Youth Escort project Filtering at the level of the user’s computer Analysis by ONI + StopBadware showed that it wasn’t effective in blocking all pornography and would unpredictably block political and religious content Follow on project: “Blue Dam” with more features mandated to be installed by ISPs Server side/ISP-level blocking of content deemed to be inappropriate Blog services are also responsible for policing content on their sites Must install keyword filters + delete accounts of violating users More on this in the online social networking lecture …

TODAY’S READINGS ConceptDoppler: A Weather Tracker for Internet Censorship. Crandall et al Internet Censorship in China: Where Does the Filtering Occur? Xu et al. 2011

CONCEPTDOPPLER Goals: Develop the capability to monitor both the technical censorship mechanism and how it is used E.g., to answer questions such as why was “keyword blocked” in a given place and time Focus on keyword blocking: less collateral damage, less negative fall out than blunt censorship techniques Specific aim to monitor the set of blocked keywords over time and monitor for variations between regions Useful for circumvention (e.g., encoding keywords to make them unidentifiable to DPI boxes). The need for continuous monitoring of censored keywords requires efficient probing: Latent semantic analysis + techniques from Web search to minimize the set of keywords that must be probed.

EXPERIMENT 1 TEST GFC 72 hours of HTTP GETs to 1.Send FALUN (blocked keyword) until a RST is received 2.Switch to send TEST (benign word) until a valid HTTP response is received Observation: hosts are blocked from communicating for 90 seconds after sending the bad keyword.

RESULTS: BLOCKING IS NOT 100% RELIABLE White = not blocked; grey = blocked X = 0 is 15:00 in Beijing Y = # of probes Diurnal trends in filtering effectiveness

EXPERIMENT 2: FIND GFC FIREWALLS Target URLs probed = top 100 URLs returned by Google for the queries: site:x where X=.cn,.com.cn,.edu.cn,.org.cn, and.net.cn No RSTs observed if the connection was not open -> GFC is stateful

WHERE ARE THE CENSORS?

FINDING KEYWORDS EFFICIENTLY Latent semantic analysis (LSA) to find keywords related to concepts the government might filter Details of LSA in the paper. Experimental set up: Gather all the pages of Chinese language Wikipedia 12 term lists based on 12 general concepts (terms are selected to be most related to the concept via LSA) Probed 2,500 terms from each of the 12 lists

NUMBER OF KEYWORDS FOUND X axis = bins of 250 keywords Y axis = # of blocked keywords found Key takeaway: 2,500 tested terms selected via LSA contains many more Blocked keywords than randomly chosen terms

LIMITATIONS Scale: Querying each 2,500 word list takes hours; heavy use of network resources False positives + false negatives No way to claim these lists are exhaustive … Potentials for evation: If we know what keywords are filtered when we observe them we can be clever and hide them E.g., fragment IP packets on the keyword, HTML comments in the word: fa lun Use different encodings for keywords: F%61lun Gong Put keywords in Captchas or insert other characters: g0ng

READING 2: MAPPING THE GFC Presentation

HANDS ON ACTIVITY Online reports of Chinese censorship: &l=EVERYTHING China Chats data: Video chat censorship: files/foci15_slides_knockel.pdf