Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 06 PROF. PHILLIPA GILL COMPUTER SCIENCE, STONY BROOK UNIVERSITY.

Published byEthelbert Stephens Modified over 9 years ago

Similar presentations

Presentation on theme: "CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 06 PROF. PHILLIPA GILL COMPUTER SCIENCE, STONY BROOK UNIVERSITY."— Presentation transcript:

1 CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 06 PROF. PHILLIPA GILL COMPUTER SCIENCE, STONY BROOK UNIVERSITY

2 WHERE WE ARE Last time: In-path vs. On-path censorship Proxies Detecting page modifications with Web Trip-Wires Finished up background on measuring censorship Questions?

3 TEST YOUR UNDERSTANDING 1.What is the purpose of the HTTP 1.1 host header? 2.What is the purpose of the server header? 3.Why might it not be a good header to include? 4.What is a benefit of an in-path censor? 5.What are the two mechanisms for proxying traffic? Pros/cons of these? 6.How can you detect a flow terminating proxy? 7.How can you detect a flow rewriting proxy? 8.What are two options in terms of targeting traffic with proxies? 9.How can partial proxying be used to characterize censorship?

4 TODAY Challenges of measuring censorship Potential solutions

5 SO FAR… … we’ve had a fairly clear notion of censorship And mainly focused on censors that disrupt communication Usually Web communication … but in practice things are more complicated Defining, detecting, and measuring censorship at scale pose many challenges Reading from Web page: Making Sense of Internet Censorship: A New Frontier for Internet Measurement. S. Burnett and N. Feamster.

6 HOW TO DEFINE “CENSORSHIP” Censorship is well defined in the political setting… What we mean when we talk about “Internet censorship” is less clear E.g., copyright takedowns? Surveillance? Blocked content?  broader class of “information controls” The following are 3 types of information controls we can try to measure: 1.Blocking (complete: page unavailable, partial: specific Web objects blocked) 2.Performance degradation (Degrade performance to make service unusable, either to get users to not use a service or to get them to use a different one) 3.Content manipulation (manipulation of information. Removing search results, “sock puppets” in online social networks)

7 CHALLENGE 1: WHAT SHOULD WE MEASURE? Issue 1: Censorship can take many forms? Which should we measure? How can we find ground truth? If we do not observe censorship does that mean there is no censorship? Issue 2: Distinguishing positive from negative content manipulation. Personalization vs. manipulation? How might we distinguish these? Another option: make result available to the user and let them decide Issue 3: Accurate detection may require a lot of data. Unlike regular Internet measurement, the censor can try to hide itself! Need more data to find small-scale censorship rather than wholesale Internet shut down Distinguishing failure from censorship is a challenge! E.g., IP packet filters

8 CHALLENGE 2: HOW TO MEASURE Issue 1: Adversarial measurement environment Your measurement tool itself might be blocked. www.citizenlab.org has been blocked in China for a long time!www.citizenlab.org Need covert channel/circumvention tools to send data back. Should have deniability The end-host monitoring itself maybe be compromised E.g., government agent downloads your software and sends back bogus data Issue 2: How to distribute the software Running censorship measurements may incriminate users Distribute “dual use” software. Network debugging/availability testing (censorship is just one such cause of unavailability) Give users availability data. Let them draw conclusions…

9 PRINCIPLE 1: CORRELATE INDEPENDENT DATA SOURCES Example: Software in the region indicates that the user cannot access the service. Can correlate with: Web site logs: did other regions experience the outage? Was the Web site down? Home routers: e.g., use platforms like Bismark to test availability and correlate with user submitted results. DNS lookups: what was observed as results at DNS resolvers at that time? Does it support the hypothesis of censorship? BGP messages: look for anomalies that could indicate censorship or just network failure.

10 PRINCIPLE 2: SEPARATE MEASUREMENTS AND ANALYSIS Client collects data but inferences of censorship happen in a separate location Central location can correlate results from a large number of clients + data sources Also helps with defensibility of the dual use property Software itself isn’t doing anything that looks like censorship detection Helpful when you want to go back over the data as well! E.g., testing new detection schemes on existing data

11 PRINCIPLE 3: SEPARATE INFORMATION PRODUCTION FROM CONSUMPTION The channels used for gathering censorship information E.g., user submitted reports, browser logs, logs from home routers … should be decoupled from results dissemination. Different sets of users can access the information than collected it Improved deniability Just because you access the information does not mean you helped collect it Makes it more difficult for the censor to disrupt the channels

12 PRINCIPLE 4: DUAL USE SCENARIOS WHENEVER POSSIBLE Censorship is just another type of reachability problem! Many network debugging and diagnosis tools already gather information that can be used for both these issues and censorship E.g., services like SamKnows already perform tests of reachability to popular sites Anomalies in reachability could also indicate censorship If censorship measurement is a side effect and not a purpose of the tool … users will be more willing to deploy … governments may be less likely to block

13 PRINCIPLE 5: ADOPT EXISTING ROBUST DATA CHANNELS Leverage tools like Collage, Tor, Aqua, etc. for transporting data when necessary: From the platform to the client software (e.g., commands) From the client to the platform (e.g., results data) From the platform to the public (e.g., reports of censorship) Each channel gives different properties Anonymity (e.g., Tor) Deniability (e.g., Collage) Traffic analysis resistance (e.g., Aqua)

14 PRINCIPLE 6: HEED AND ADAPT TO CHANGING SITUATIONS/THREATS Censorship technology may change with time Cannot have a platform that runs only one type of experiment Need to be able to specify multiple types of experiments Talk with people on the ground Monitor the situation E.g., some regions may be too dangerous to monitor: Syria, N. Korea etc.

15 ETHICS/LEGALITY OF CENSORSHIP MEASUREMENTS Complicated issue! Using systems like VPNs, VPS, PlanetLab in the region pose least risk to people on the ground Representativeness of results? Realistically, even in countries where there is low Internet penetration attempting to access blocked sites will not be significant enough to raise flags 10 years of ONI data collection support this However, many countries have broadly defined laws And querying a “significant amount” of blocked sites might raise alarms. Informed consent is critical before performing any tests.

16 SO FAR... MANY PROBLEMS …  … some solutions? Be creative Leverage existing measurement platforms to study censorship from outside of the region E.g., RIPE ATLAS (need to be a bit careful here) querying DNS resolvers, sending probes to find collateral censorship Look for censorship in BGP routing data Another solution: Spookyscan (reading on Web page) ACK: upcoming slides borrowed from Jeff Knockel @ UNM

17 BACKGROUND Packet spoofing. A spoofed packet has the return IP address of another machine IPID counters. Set differently depending on the operating system. Random 0 Increment per packet within a flow Increment per packet globally  what hybrid idle scan needs

18 BASIC IDEA We would like to measure censorship without requiring vantage points within the country Idea: Use side channels to infer behavior within the country Real world example: Pentagon + Pizza Watch dominos deliveries on normal evenings Night before invasion … much more pizza.

19

20

21

22

23

24

25

26

27

28

29

30 START DAY 2

31 ENCORE: LIGHTWEIGHT MEASUREMENT OF WEB CENSORSHIP WITH CROSS-ORIGIN REQUESTS Governments around the world realize Internet is a key communication tool … working to clamp down on it! How can we measure censorship? Main approaches: User-based testing: Give users software/tools to perform measurements E.g., ONI testing, ICLabONI testingICLab External measurements: Probe the censor from outside the country via carefully crafted packets/probes E.g., IPID side channels, probing the great firewall/great cannonIPID side channelsgreat firewallgreat cannon 31

32 ENCORE: LIGHTWEIGHT MEASUREMENT OF WEB CENSORSHIP WITH CROSS-ORIGIN REQUESTS Censorship measurement challenges: Gaining access to vantage points Managing user risk Obtaining high fidelity technical data Encore key idea: 32 Script to have browser query Web sites for testing

33 ENCORE: USING CROSS SITE JAVA SCRIPT TO MEASURE CENSORSHIP Basic idea: Recruit Web masters instead of vantage points Have the Web master include a javascript that causes the user’s browser to fetch sites to be tested Use timing information to infer whether resources are fetched directly Operates in an ‘opt-out’ model User may have already executed the javascript prior to opting out Argument Not requiring informed consent gives users plausible deniability Steps taken to mitigate risk Include common 3 rd party domains (they’re already loaded by many pages anyways) Include 3 rd parties that are already included on the main site One project option is to investigate these strategies! Example site hosting Encore: http://www.cs.princeton.edu/~feamster/

34 ETHICAL CONSIDERATIONS Different measurement techniques have different levels of risk In-country measurements How risky is it to have people access censored sites? What is the threshold for risk? Risk-benefit trade off? How to make sure people are informed? Side channel measurements Causes unsuspecting clients to send RSTs to a server What is the risk? Not stateful communication … … but what about a censor that just looks at flow records? Mitigation idea: make sure you’re not on a user device Javascript-based measurements Is lack of consent enough deniability?

35 HANDS ON ACTIVITY Try spookyscan ! http://spookyscan.cs.unm.edu/scans/censorship How can we find IP addresses for different clients and servers? Clients: www.shodanhq.com search os:freebsdwww.shodanhq.com Servers: dig! Example results (these will only work for ~1 week) http://spookyscan.cs.unm.edu/scans/AOW_EPQO8RD1P- u4vC5fnA/view http://spookyscan.cs.unm.edu/scans/ycciaubw7X_IceBxRolD8Q/vie w Try downloading and installing OONI: https://ooni.torproject.org/ Post your experiences to Piazza!

Download ppt "CSE 592 INTERNET CENSORSHIP (FALL 2015) LECTURE 06 PROF. PHILLIPA GILL COMPUTER SCIENCE, STONY BROOK UNIVERSITY."

Similar presentations

Firewalls By Tahaei Fall 2012. What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.

Firewalls By Tahaei Fall What is a firewall? a choke point of control and monitoring interconnects networks with differing trust imposes restrictions.
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
Leveraging Good Intentions to Reduce Unwanted Network Traffic Marianne Shaw (U. Washington) USENIX 2nd Workshop on Steps to Reducing Unwanted Traffic on.

Leveraging Good Intentions to Reduce Unwanted Network Traffic Marianne Shaw (U. Washington) USENIX 2nd Workshop on Steps to Reducing Unwanted Traffic on.
 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.

 Natural consequence of the way Internet is organized o Best effort service means routers don’t do much processing per packet and store no state – they.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Component Patterns – Architecture and Applications with EJB copyright © 2001, MATHEMA AG Component Patterns Architecture and Applications with EJB JavaForum.

Component Patterns – Architecture and Applications with EJB copyright © 2001, MATHEMA AG Component Patterns Architecture and Applications with EJB JavaForum.
How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.

How do Networks work – Really The purposes of set of slides is to show networks really work. Most people (including technical people) don’t know Many people.
1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)

1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.

By: Bryan Carey Randy Cook Richard Jost TOR: ANONYMOUS BROWSING.
UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.

UNCLASSIFIED Secure Indirect Routing and An Autonomous Enterprise Intrusion Defense System Applied to Mobile ad hoc Networks J. Leland Langston, Raytheon.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 6 Packet Filtering By Whitman, Mattord, & Austin© 2008 Course Technology.
1 Web Content Delivery Reading: Section 9.2.2 and 9.4.3 COS 461: Computer Networks Spring 2007 (MW 1:30-2:50 in Friend 004) Ioannis Avramopoulos Instructor:

1 Web Content Delivery Reading: Section and COS 461: Computer Networks Spring 2007 (MW 1:30-2:50 in Friend 004) Ioannis Avramopoulos Instructor:
Lecture 8 Epidemic communication, Server implementation.

Lecture 8 Epidemic communication, Server implementation.
1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)

1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)
Department Of Computer Engineering

Department Of Computer Engineering
MNO Cloud Use Case 2 Source: Rogers Wireless Contact: Ed O’Leary George Babut 3GPP/SA3-LI#43Tdoc SA3LI11_115.

MNO Cloud Use Case 2 Source: Rogers Wireless Contact: Ed O’Leary George Babut 3GPP/SA3-LI#43Tdoc SA3LI11_115.
Setiri: Advances in Trojan Technology Roelof Temmingh Haroon Meer BlackHat USA 2002.

Setiri: Advances in Trojan Technology Roelof Temmingh Haroon Meer BlackHat USA 2002.

Similar presentations

Ads by Google