I wonder about the first RST with zeros in the sequence and acknowledge fields. Probably just bad software, but if it is always the first RST it could be a sort of canary such that people in the "know" could note the malformed reset and pre-program an 'ignore RST this session' bit.
I guess they had to custom build a solution for this and screwed it up. The weird thing is that it seems like this should have been caught in testing. Unless it is a form of silent protest from the hapless programmers forced to write this oppression aid. Might even be some IOCCC level trickery at play here where it works in testing and with official IP addresses, but doesn't work for the majority of the population.
urandom.pcap: Belarus (finally) bans Tor
Leonid Evdokimov 2016-12-08 00:00:00 +0000 UTC
Country: Belarus
Probed ISPs: Beltelecom (AS 6697)
Censorship method: TCP injections
We have recently heard of network anomalies in Belarus. Tor was finally blocked in December 2016, although it had been explicitly declared since February 2015 that Tor should be blocked.
[Figure: Directly connected users from Belarus]
An anonymous cypherpunk has helped to gather some evidence regarding Tor being blocked in Belarus. It’s neither a complete study nor in-depth research, and it’s unclear whether any further evidence will be gathered, so we decided to share current knowledge as-is:
Tor directory authorities are not blocked
Public onion routers have their ORPort blocked by TCP RST injection
The onion routers’ DirPort is not blocked
Plain-old non-obfuscated Tor Bridges from BridgeDB circumvent the interference
Beltelecom (or its upstream) has a strange configuration of the networking gear injecting reset packets
The strangeness in the equipment is the following. The first injected RST packet does not have proper SEQ/ACK numbers; these fields are just filled with zeroes. So this packet is dropped by the client’s TCP/IP stack per RFC 5961 and does not actually terminate the client’s connection:
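The RFC 5961 rule the post relies on is easy to state in code: an established connection resets only on an RST whose SEQ equals RCV.NXT, answers an in-window RST with a challenge ACK, and silently drops anything else, so a zeroed SEQ is almost always out of window. The block below is an added example, not OONI's code or the anonymous cypherpunk's capture: it parses constructed 20-byte TCP headers, implements the RFC 5961 section 3.2 disposition, and walks a constructed server-to-client packet sequence to flag RSTs with zeroed SEQ/ACK. It goes beyond the page's single observed case by also showing the challenge-ACK and the effective-reset outcomes. The ports, window and sequence numbers are constructed placeholders (port 9001 is merely a common ORPort choice); nothing here comes from the pcap on the page.

```python
"""RFC 5961-style RST handling and a zeroed-SEQ/ACK RST detector.
Added example; packets are constructed inline, not taken from the page's pcap."""
import struct

TCP_RST = 0x04
TCP_ACK = 0x10
SEQ_MASK = 0xFFFFFFFF


def parse_tcp_header(raw: bytes) -> dict:
    """Parse the fixed 20-byte part of a TCP header (RFC 793 layout, big-endian)."""
    if len(raw) < 20:
        raise ValueError("TCP header truncated")
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", raw[:20])
    return {
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "data_offset": (off_flags >> 12) * 4,  # header length in bytes
        "flags": off_flags & 0x1FF,             # 9 flag bits (NS..FIN)
        "window": win,
    }


def build_tcp_header(sport: int, dport: int, seq: int, ack: int, flags: int, window: int = 65535) -> bytes:
    """Build a minimal 20-byte TCP header (no options, checksum left zero)."""
    off_flags = (5 << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", sport, dport, seq & SEQ_MASK, ack & SEQ_MASK, off_flags, window, 0, 0)


def rst_disposition(rcv_nxt: int, rcv_wnd: int, seg_seq: int) -> str:
    """RFC 5961 section 3.2 for an ESTABLISHED connection receiving an RST.
    'reset'         : SEG.SEQ == RCV.NXT, connection is torn down
    'challenge-ack' : RCV.NXT < SEG.SEQ < RCV.NXT + RCV.WND, send challenge ACK
    'drop'          : out of window, segment silently discarded"""
    offset = (seg_seq - rcv_nxt) & SEQ_MASK  # sequence arithmetic is modulo 2**32
    if offset == 0:
        return "reset"
    if offset < rcv_wnd:
        return "challenge-ack"
    return "drop"


def classify_rsts(rcv_nxt: int, rcv_wnd: int, packets: list) -> list:
    """Examine server->client raw TCP headers from the client's point of view
    and report every RST, its RFC 5961 disposition, and whether SEQ and ACK
    are both zero (the malformed pattern described in the post)."""
    findings = []
    for index, raw in enumerate(packets):
        hdr = parse_tcp_header(raw)
        if not hdr["flags"] & TCP_RST:
            continue
        findings.append({
            "index": index,
            "seq": hdr["seq"],
            "ack": hdr["ack"],
            "disposition": rst_disposition(rcv_nxt, rcv_wnd, hdr["seq"]),
            "zeroed_seq_ack": hdr["seq"] == 0 and hdr["ack"] == 0,
        })
    return findings


def demo() -> list:
    """Constructed session: the client's receive state after the handshake
    and four server->client segments, three of them resets."""
    server_port, client_port = 9001, 51234   # constructed placeholders
    rcv_nxt, rcv_wnd = 0x10000000, 29200     # constructed client receive state
    packets = [
        # ordinary data ACK from the real peer: not an RST, ignored
        build_tcp_header(server_port, client_port, rcv_nxt, 0x20000000, TCP_ACK),
        # injected RST with zeroed SEQ/ACK: out of window, dropped by the client
        build_tcp_header(server_port, client_port, 0, 0, TCP_RST),
        # RST inside the window but not at RCV.NXT: client sends a challenge ACK
        build_tcp_header(server_port, client_port, rcv_nxt + 100, 0x20000000, TCP_RST | TCP_ACK),
        # RST with the exact expected SEQ: this one actually tears the connection down
        build_tcp_header(server_port, client_port, rcv_nxt, 0x20000000, TCP_RST | TCP_ACK),
    ]
    return classify_rsts(rcv_nxt, rcv_wnd, packets)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run over a real capture, the same `classify_rsts` walk needs the client's RCV.NXT and window taken from the handshake and subsequent data, which a pcap parser would track per flow; a reset that the stack drops under RFC 5961 but that still appears in the trace is a useful signal that something on the path, not the peer, generated it.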
The US is too busy using TOR as a honeypot and offensive weapon to shut down access.
TOR actually amplifies the asymmetry between the NSA and smaller actors: the NSA by owning the whole network can easily break it, but it prevents smaller players from getting the same access.
Of course, the FBI seem to routinely compromise TOR sites they don't like.
And then they exploit Firefox bugs to drop phone-home malware on users. But so far, it's only been Windows malware :) And it relies on bypassing Tor's socks proxy.
If you truly wanted anonymity why wouldn't you buy a $35 raspberry pi and stuff it between your computer and the internet and route all traffic through it through tor? Too many zero days out there in browsers, flash, java, office not to mention configuration slip ups that could nullify your tor protection.
"buy a $35 raspberry pi and stuff it between your computer and the internet and route all traffic through it through tor? Too many zero days out there in browsers, flash, java, office"
How does Raspberry Pi help here? If it routes traffic at IP level, it will be transparent at an application level. Firewall/IDS won't help against zero days either.
It's trivial to use iptables to block all traffic except to the SOCKS proxy port on Tor, or even forcibly redirect it all through Tor directly using the transparent proxying support.
If the host PC is pwned then it can still disclose useful information about itself (files, geolocations, MAC addresses) - it will just be routed over TOR.
True. So it must not contain anything that's associated with you, in any way. Buy with cash. No geolocation data. Dedicated LAN. No sneaker net sharing. Compartmentalization.
Weren't most of the services they took down because of the CMU deanonymization attack?
They also claim Silk Road was classical hacking, but given what we know of parallel construction and their vagueness in describing their locating of the servers, we can't really know what happened there.
I know very little of networking but I assume to perform a TCP reset injection attack, the ISP would need to rely on the IP address of the public onion routers. Now, why do they play around with the reset flag instead of just simply swallowing the packets directed at a tor router?
Because effectively blocking packets requires supervising all routes through which they might escape (i.e., managing a lot of dynamic rules on a lot of very critical routers), whereas injecting forged packets only requires one little box.
Kinda like the Berlin Wall. Easier to shoot people attempting to cross than hermetically seal the entire border.
I don't quite follow. You can't inject an RST packet unless you know someone is trying to connect to a Tor node, so you still need to supervise all the routes, right?
Difference is I can do traffic analysis and RST generation over lots of machines (if it gets slow, worst case my RST gets there late). Changing routes/forwarding table action has to happen on machine moving large data, in real time.
That's the point. The article itself mentions that Belarus had officially ratified (not implemented) a law blocking Tor in February 2015, but only now is it actually being implemented.
Opening this website in Chrome on my Android device gives me the "ERR_CERT_AUTHORITY_INVALID" error.
Checking the certificate details, I found out that the certificate is issued to the organization "OpenDNS, Inc."
I use OpenDNS's family safety DNS.
I don't think that TOR is owned by OpenDNS. Is it possible that OpenDNS is MITMing me like Avast was previously reported to? But how is that possible? I don't have any OpenDNS software installed that could change certificates.
Belarus laws and politics had been for a long time a playground for Russia. Kinda "before implementing it for all users in production, let's try it on a smaller audience to see if it works or not."
So this ban is mostly an exercise for Russia, to get some experience.
I am neither from Belarus nor Russia and don't know what to think here. If either of you can provide some references to back up your positions that would be great, thanks.
My position is equal to yours: unless there are facts, it's a fantasy (modestly saying).
Moreover, in this particular case there are facts which don't fit the idea that Russia first experiments in Belarus. For example, Russia has a regulation that users' personal info should be stored inside the country (LinkedIn was banned recently for not obeying this regulation). There is no such regulation in Belarus. If Russia was experimenting first in Belarus they would try it here first.
Also, there is Chinese experience to study, I don't see any need for additional experiments.
So, it's nothing more than a conspiracy superstition.
No one says Belarus is the only place to run experiments on, or need in such field for every single experiment etc.
Also, there was an initiative to move all the servers into the country (still in effect officially) for both domestic and foreign companies. Obviously it can not be achieved (just imagine fitting Microsoft-size-worth of servers into a tiny country like Belarus (~9M people)). For a country like Russia you can do something like that to _some_ _degree_
thanks for the expansion. I would suggest though, that just because they did not try something first this time, would not constitute a proof that they never do, nor even that they often do?
> So, it's nothing more than a conspiracy superstition.
Well, we do know that state sponsored internet trolls exist and have done for some time. They are not always subtle, but that doesn't mean that they are not very successfully subtle also.
I read an interesting article recently (though I can't find it now, sorry), which made an attempt to guess the number of such trolls on a country by country basis. Any comment either enhancing or detracting from a national reputation is suspect now, I fear.
It's ukaz #60, an internet regulation in Belarus. It's different from the Russian regulation about storing users' data in the country and it confirms the country's progress in regulating new areas, like the internet, independently. Everyone looks at everyone's experience, but it's not like one country is a playground for another.
You should read about the Bahamas, the USA playground for cell phone full take interception and then revise your comment.
Just because you think things don't exist doesn't mean you're right.
I'm from Finland but visiting the US till February, and I have a feeling the US will watch Belarus very closely to see if it is successful, then will try to quietly implement a ban or interfere with Tor as best as they can. Rule 41 is a mere appetizer. The Americans have yet to receive their entrées. What's even more scary is the radical laws being fought for in Canada as of today.
Really? A cartoon about the Jeane Dixon fallacy is a response? I think you're going to find the next years very surprising indeed. Even now, using tor is de facto grounds for a wiretap[1]
And I apologize in advance if my evidence is actually on topic and doesn't have funny pictures.
It's easy to see both the upside and downside of this though.
It's also only really a problem for Americans, since the US government is paying to ensure other countries' governments can't interfere with free communication.
It's a matter of opinion whether they also managed to gain the ability to interfere with free communication themselves.
When I read your comment it made it seem like the WSJ was praising Belarus for banning Tor, which is not the case. (at least from reading the portion of the article that is not behind a paywall)
Not for banning Tor, but I get the impression that if that had happened in time they'd have thrown it in there as a positive.
And many in Belarus said the country’s reputation as Europe’s last dictatorship is no hindrance to their work.
“Success stories and a business’s scalability are more important than politics,” said Nick Vyhouski [...]
Got me thinking about hidden communication techniques using DNS queries or ICMP as the "transport" layer. That would confuse the hell out of everyone :P
Both techniques are known and have effective countermeasures. While it might work for a while, as soon as such "exotic" solutions get more widespread, they can be banned and filtered too (just a few more rules for firewalls/IDS). China is a great example of this cat-and-mouse game.
Depends on how serious the risk is. You run the risk of "getting jailed" for all kinds of minor crimes that people routinely commit. Are people actually going to get arrested for trying to use Tor? I don't think that's very plausible. You could pretty easily claim it was malware trying to make the connection and you don't know anything about it.
Yeah, you could claim that. Then, they search your computer and find no traces of malware but they find a copy of the Tor Browser Bundle. Now what?
Besides, law enforcement never just "takes your word for it". I've got a lot of friends in law enforcement and -- as far as "suspects" go -- they'll pretty much (attempt to) verify every claim you make.
Plausible deniability/difficulty of conviction means that LEOs rarely pursue cases where that would apply. I agree once they open an investigation, they'll verify the claim; I'm saying that crimes that have high acquittal rates and/or low prosecutorial uptake will get less attention from the police because it's frustrating/difficult/wasteful to spend a lot of time on things that don't usually pan out.
I don't know how the system works in Belarus so I understand it may not really matter there. The point is that it's going to be difficult to prove that the accused made an intentional connection to Tor as long as the accused and/or his/her lawyer has some technical literacy and knows what to say.
Not exactly; there's a lot of instances where something is 'decriminalised', that is, it's technically banned but you won't be prosecuted for it. (e.g. weed in the Netherlands)
That's because Belarusians eat a lot of potatoes. The per capita potato consumption there is probably the highest in the world: http://www.fao.org/potato-2008/en/world/
Funny, I was just reading about how non-German residents of Germany use "Kartoffel" (potato) as a pejorative for Germans in Germany. I didn't realize "potato" was such an effective insult it would exist in another country too!
In Dutch we say aardappel (earth apple; means potato) to stupid people, not Germans in particular as far as I knew. It might originate from that, I don't know.
> In Dutch we say aardappel (earth apple; means potato) to stupid people
Same in France with "patate". Funny to notice that the more common French expression for "potato" is "pomme de terre" ("apple of earth"), just like in Dutch!
Though in the south (both south NL and Flemish Belgium) they're called "friet", as in "gefrituurd" ("fries" as in "they're fried"). Still, patat is officially Dutch and according to some website 95% of the Flemish people and 100% of the Dutch people know the word.
May be regional, I'm not sure. Might have picked it up in either Limburg, Noord-Brabant or Gelderland. Pretty sure though that it's fairly universal, even if it's not something lots of people say every day.
Interesting, TIL that conjugation is not just for verbs, but that there is a separate and distinct use of this word for combining two ideas (which I guess in a sense is what verb conjugation is).
I pulled up the image from the website; its metadata showed that it was downloaded from the wikimedia commons. I then ran a hex diff with https://upload.wikimedia.org/wikipedia/commons/thumb/5/52/Fr... . Turns out it was a complete match. So either there is nothing to see, or it is extremely elaborate!
It did work. The "decision" was to try changing the rules for a short time to see what we could learn by doing so, and we learned a lot. We ended it early because (a) the learning stabilized and (b) there were costs to continuing.
It's strange to me that so many people heard "just for a week" as "forever" and are continuing to comment as if those mean the same thing. The internet is weird.
Will you be making a "Tell HN" saying the experiment has ended with your thoughts? Are you okay replying to comments by users who do not know the experiment has ended?
I would be comparing a) data after the first announcement b) data after your comment in an unrelated thread saying the experiment is over c) data after the week is over and d) data after you write the promised lessons learnt post.
Yes, we decided to try distributing the info in the threads and see how well that works. So far it seems to be working well, because (a) there aren't that many such comments (as of a few minutes ago there aren't any that haven't been replied to), and (b) nearly all of them are now getting replied to correctly before we even see them. Together with the fact that HN has gone back to approximately normal re political stories and flagging, that makes me believe the information is working its way through.
Making an announcement a la Tell HN doesn't necessarily disseminate information. In this case it would almost certainly turn into a huge rehash of the original argument, with new information getting drowned out in the process. There are so many counterintuitive effects to this, and we're still learning--indeed I feel like we're still taking baby steps. Turning up the volume definitely doesn't necessarily turn up the communication.
Great read, especially the annotated version: http://fermatslibrary.com/s/examining-how-the-great-firewall...