
Your Guide to Surviving The Claire Perry Internet

The Net interprets censorship as damage and routes around it.
-John Gilmore 1993

The Internet as we know it is experiencing some of the most damaging changes in its history.

The US National Security Agency and the UK’s GCHQ are undermining security and communications infrastructure at an unprecedented level, some of the ISPs we rely on are co-operating with Government plans to fundamentally interfere with packet routing, DNS resolution and end-to-end reachability in the name of “saving the Children” and “anti terrorism”.

With the launch of consumer Internet filtering people will experience the curtailment of access to information and levels of arbitrary censorship unseen in decades. With systems like CleanFeed and Deep Packet Inspection your ISPs will be able to silently limit what information you can reach if it has been deemed inappropriate, extreme, or even just esoteric.

Children and vulnerable adults will be prevented from accessing support networks, information websites and more. Overblocking will be the biggest barrier to information sharing in 2014.

The people to blame for this curtailment of rights, this assault on the freedom of information and the sleepwalk into censorship are David Cameron and Claire Perry. They are MPs; they are supposed to be accountable to us. Write to your MP and insist that these measures be reversed and prevented from happening again.

Until the blocks are repealed and outlawed this website will serve to help you evade ISP & Government blocks, avoid communications surveillance so you can utilise a free and open Internet as was envisaged.

PhoenixFire

Immunicity Returns

On the 2nd of October the Government Intellectual Property Office and the City of London Police PIPCU posted to twitter about how they’d diverted 11 million views from ‘pirate’ websites since July 2014.

Unfortunately there’s a slight problem with their claim: some of the seized domains, such as immunicity.org, have been under the control of Brass Horn Communications for several months now, so hundreds of thousands of those supposed diverts have actually been landing on the following page;


Domain seizures are censorship and as we all know; the Net interprets censorship as damage and routes around it.

Hopefully PIPCU will concentrate on people actually committing crimes rather than those who are just routing packets.


Age Verification Starts with YouTube Music Videos

The UK Government’s Department for Culture, Media and Sport celebrated that YouTube and Vevo will be forcing age restrictions on music videos.

On one hand the Government claim;

Introducing age rating for all music videos online was a manifesto commitment – making the pilot permanent and working to extend this internationally by sharing our experience of the pilot is part of delivering this.

Yet on the other hand they claim that this is industry driven and the Government has nothing to do with it;

Regardless this policy is driving a message that parents can rely on Government meddling to protect their children from the evils of the Internet rather than encouraging them to actually talk and educate children themselves.

Also, and more worryingly, it is conditioning people that it’s OK to have to hand over biometrics to receive services, to surrender anonymity to access content online and that Government censorship is acceptable.

We wouldn’t be surprised if there comes a time when the UK Government can tag content on YouTube to require adults to be logged in with a registered and verified account to view ‘extreme’ material such as a GreenPeace anti-fracking video or citizen recorded footage of Police brutality. The chilling effect is obvious.

And, for those who plan to host content themselves or on Vimeo the Government will make good on the plan to block websites that don’t conform to their age-gating plans.


PacketFlagon – The HydraProxy

Today marks 1 year since the Immunicity arrest that saw someone get arrested for allowing people to send their HTTP(s) traffic where they wanted to without interference.

In that time it’d seem that the City of London Police haven’t really done much;

However the guys and gals over at Brass Horn Communications have been doing quite a bit, culminating in today’s “launch party” of HydraProxy.Party

Whilst not a real launch party* it is the official unveiling of the open sourced software derived from the original RoutingPacketsIsNotACrime.uk platform.

What is a ProxyShard / HydraProxy

The PacketFlagon platform is essentially one central server that feeds and receives information from lots of other servers around the Internet.

Anyone is free to download the BSD licensed software from GitHub, upload it to their webserver and, 30 seconds later, be creating, editing and serving the PAC files that help your browser circumnavigate Internet censorship.

The HydraProxy element comes in several parts. The first is that there are now tens of PacketFlagon frontends available and the PAC files are also served from S3; most impressively of all, the platform maintains a number of what it terms “deadhand” nodes that constantly monitor the central server and the various frontends.

If the deadhand nodes reach consensus that a frontend has been blocked another domain is automatically registered, a new virtual machine is created and then bootstrapped to be a frontend node, all without human intervention!

Android App

There is also an Android app available on the Google Play store or by compiling the sourcecode yourself from GitHub.

The App provides an easy way to manage existing PAC files or to create new ones, we’re told that later versions will also include some intelligent circumnavigation methods in case the ISPs start to block the PacketFlagon API itself.

Is It Safe To Use?

Yes. Keep an eye on the Brass Horn Communications warrant canary just in case but we trust the team.

With that said it’s always a better bet to take your security and censorship circumnavigation into your own hands and look at how to properly use Tor or create SSH tunnels / your own SOCKS proxies.

* It’s understood that if you’re at DefCon in Las Vegas and can track down the @PacketFlagon team they might buy you a beer!


Sony Email Leaks Shows Refusal To Fund PIPCU As Well As Conspiring With (and against) Government Ministers

Funding PIPCU

During a meeting on September 5th 2014 with Mike Weatherley (the Prime Minister’s IP Adviser) Sony noted that they and the MPAA were not pleased at the idea of being asked to fund PIPCU;

The potential (now likely) request for Rights Holders to contribute funds to support PIPCU will be limited to whatever the DCMS Minister (Sajid Javid) considers to be outside the definition of “policing”. So, for example, on-site assistance with review of evidence sent for the Advertising initiative, assistance with funding for training etc.

MPAA’s representative made clear that we are not pleased with the prospect of any contribution – and, at a subsequent meeting of the Alliance, it was confirmed that many other entities/groups endorse and will deliver the same view.

Following the news that the Government was going to fund PIPCU till Sony noted on October 23rd 2014 that

Note that the local UK/EU member company and MPA team have agreed already that we need to focus immediately on ensuring that Government funding continues beyond (assuming that PIPCU continues to be helpful) and also monitoring whatever spending review happens during and immediately after the 2015 election so that we don’t lose the current commitment.

That Sony considers that PIPCU may at some point no longer be helpful is interesting but such an assumption is a touch rude considering that in April 2014 Sony discovered that their ads were displaying on “rogue” sites thanks to a PIPCU seized site;

Despite these efforts and successes, there are still regular instances of Sony ads being placed on illegal sites, including an SEL ad (discovered during a domain seizure operation by the City of London Police) and two Playstation ads (discovered during web crawling initiatives by music trade associations RIAA and IFPI). Screen shots depicting these particular examples are attached here for your reference. We are aware of instances of poorly placed ads for SME’s music and SPE’s films as well. All of our companies have vulnerability in this area, and we’d like to work more closely together to ensure that Sony’s brand is supported by responsible ad practices across all of our companies.

Conspiring with (and against) Government Ministers

Elsewhere in the leaks one can see that Sony are cozy with Government Ministers at varying levels whom they’ll happily attempt to get fired;

… am sitting here with Bella and conspiring as to how to make you Minister of Culture and Sport. You are perfectly qualified. First step is to get ed Vaizey fired. I will do this with George Osborne. I will do this with George Osborne. Next step is to get you appointed. This requires you meeting CHARLES Dunstone and having him recommend you

It’s interesting to note that Charles Dunstone is the Chairman of TalkTalk Group who were the first ISP to deploy Huawei filtering hardware devices in their network and were one of the ISPs rumoured to be pushing for Default Filtering…


Introducing Brass Horn Communications

Brass Horn Communications is a non-profit entity registered in the UK whose sole purpose is to provide Internet based services and education to help people evade censorship and avoid surveillance.

Their first Tor Exit node went live on March 2nd 2015, joining 8 other multi-purpose Tor relays. Additionally, Brass Horn Communications has adopted the infrastructure of RoutingPacketsIsNotACrime.uk / PacketFlagon.is and in doing so has published the Tor entry bridges used by the Squid proxies into the public directory for general use.

The name came from a Welsh legend;

Britain was plagued by the Coraniaid who could not be injured because their hearing was so sharp that they could hear any sound that the wind carried. It was by using a Brass Horn that Llefelys was able to securely communicate to his brother Lludd how to defeat the Coraniaid.

One of the stated goals of the organisation is to provide UK centric Tor relays and bridges (especially obfuscated bridges) to enable those in the UK to browse an uncensored Internet at a speed comparable to their native connection.

At the moment the team is working on a new version of the PacketFlagon.is software to release under the BSD license.


Introducing ASafe.Space

David Cameron recently said in a speech that he would deny potential Terrorists a safe space on the Internet to communicate;

The obvious problem here is that everyone is a potential Terrorist, so what David Cameron is actually promising is that he intends to legislate against anyone having a means of communication that is secure from Government interference.

We’ve seen that GCHQ and the Police have abused (or just plain broken) laws in order to spy on Journalists, Lawyers and other innocents; the Government cannot be trusted with these powers.

In response ASafe.Space has been registered and will contain a few short guides on how to have a safe space to browse the Internet, communicate over Instant Messaging, Email or even Pen and Paper.

Evading censorship and surveillance are one and the same: if the censor doesn’t know what you are saying or what you are reading they can’t stop you, nor can they hold it against you.


Police Want To Link Your Identity To An IP Address – But Don’t Like It When You Do It To Them

It was reported today that Theresa May is intending to introduce new measures requiring Internet Service Providers to keep data that identifies online users.

Obviously most ISPs will retain some information such as the authenticated credentials, the IP issued (if DHCP or similar), the MAC address of the modem etc, but the article doesn’t make it clear exactly what information ISPs are to be ordered to retain. It’s likely to be the public IP and possibly the NAT ports if the ISP is using CGN.

The only mention of retention is in regards to the original snoopers bill.

Between this website, the DRIP websites and RoutingPacketsIsNotACrime certain IPs kept appearing and a bit of research showed that these might be Police IP addresses so a Freedom Of Information Request was sent.

Unfortunately the Police denied the request for reasons of National Security and so as not to compromise “ongoing investigations” but given that the surveillance state has continued to grind forward let’s even the playing field a little bit;

Response to the Freedom of Information Request

Section 1 of the Freedom of Information Act 2000 (FOIA) places two duties on public authorities. Unless exemptions apply, the first duty at Section 1(1)(a) is to confirm or deny whether the information specified in a request is held. The second duty at Section 1(1)(b) is to disclose information that has been confirmed as being held. Where exemptions are relied upon s17 of FOIA requires that we provide the applicant with a notice which: a) states that fact b) specifies the exemption(s) in question and c) states (if that would not otherwise be apparent) why the exemption applies.

City of London Police can neither confirm nor deny that it holds any information relevant to your request as the duty in s1(1)(a) of the Freedom of Information Act 2000 does not apply, by virtue of the following exemptions:

- Section 24 (2) National Security
- Section 30(3) Investigations
- Section 31(3) Law Enforcement

Information is exempt by virtue of section 24 where the exemption is required for the purpose of safeguarding national security. The duty to confirm or deny does not arise if, or to the extent that, exemption from section 1(1) (a) is required for the purpose of safeguarding national security. This is a prejudice-based exemption and the potential harm in confirming or denying that the information is held or not held is detailed below. It is also a qualified exemption subject to an assessment of the public interest and the factors favouring confirmation and non-confirmation that the information is held or not held are listed below.

Information is exempt by virtue of section 30 where it has, at any time, been held for the purpose of an investigation. The duty to confirm or deny does not arise in relation to information which is exempt by virtue of this section. This is a class-based exemption and it is not necessary to demonstrate the potential for harm to occur. It is however a qualified exemption subject to an assessment of the public interest and the factors favouring confirmation and non-confirmation that the information is held or not held are listed below.

Information is exempt by virtue of section 31 where its disclosure would, or would be likely to prejudice the prevention or detection of crime, the apprehension or prosecution of offenders, or the administration of justice. This is a prejudice-based exemption subject to the identification of harm, which is detailed below. It is also a qualified exemption subject to an assessment of the public interest and the factors favouring disclosure and non-disclosure are listed below.

Identification of harm – s.24 and s.31
Confirmation or denial that the IP addresses mentioned are owned by the Police Service could affect the Police’s ability to effectively carry out operations and investigations as well as compromising the security of the United Kingdom.

Confirmation or denial of this information could be used to plan and execute an attack on police systems. Such attacks are not often ‘frontal attacks’, but rather are iterative in nature where attackers test a number of approaches over a period of time. As such, even discrete elements of a force IT platform could provide enough information to formulate an attack. IP addresses are not publicly available, and would normally be hidden behind layers of security. The information could be used to gain access to force systems, and affect the Police’s ability to carry out its core functions which would then have implications for National Security.

Factors favouring confirmation or denial – s.24
The threat from national and international terrorism is ever present and the public are entitled to know how the police operate. In the current financial climate of cuts and with the call for transparency, confirmation or denial would enable improved public debate.

Factors against confirmation or denial – s.24
Confirmation or denial cannot be in the public interest if ongoing or future operations or investigations to protect the security of the United Kingdom would be compromised as outlined in the identification of harm paragraph.

Factors favouring confirmation or denial – s.30
Confirmation or denial would highlight where public funds are being spent and where resources are being distributed within a specific area of policing which would reinforce the City of London Police’s commitment to openness and transparency.

Factors against confirmation or denial – s.30
Confirmation or denial would identify the current status of an ongoing investigation. Revealing the details requested could hinder the prevention or detection of crime as the investigation could be prejudiced by disclosing details into the public domain before the investigation has concluded.

Factors favouring confirmation or denial – s.31
Confirmation or denial would show which IP addresses are used by the police service and (by way of version numbers) reassure the public that these systems are up to date.

Factors against confirmation or denial – s.31
Confirmation or denial cannot be in the public interest if ongoing or future operations or investigations would be compromised as outlined in the identification of harm paragraph.

Balancing the public interest
On review, there is very little to indicate that the public interest would be better served by confirming or denying the information is held. The public rightly expects the police service to ensure that all of its systems are secure so that the information it holds maintains its value and integrity. Confirmation or denial would be detrimental to these aims and therefore, at this moment in time, it is our opinion that for these issues the balance test for confirming or denying that information is held is not made out.

No inference can be taken from this refusal that information does or does not exist.

The First Thread

The first IP addresses that piqued our attention were 212.137.45.109 and 212.62.5.158, so let’s see what ASN they belong to and what the RIPE description is;
inetnum: 212.137.45.96 - 212.137.45.111
netname: CW-AMLPID739647-NET
descr: AML PID 739647
country: GB
admin-c: CHCP1-RIPE
tech-c: CHCP1-RIPE
status: ASSIGNED PA
mnt-by: MNT-HOSTING
source: RIPE # Filtered
 
role: CW Hosting Centre Park Royal
address: 900 Coronation Road
address: NW10 7PQ
address: London
remarks: trouble: [email protected]
admin-c: CLAU1-RIPE
tech-c: AA3670-RIPE
tech-c: CLAU1-RIPE
tech-c: SYLV-RIPE
nic-hdl: CHCP1-RIPE
mnt-by: EXODUS-MNT
mnt-by: CW-IPGNOC-MNT
abuse-mailbox: [email protected]
source: RIPE # Filtered
 
% Information related to '212.137.32.0/20AS1273'
 
route: 212.137.32.0/20
descr: CWC-SWINDONWEBHOST
origin: AS1273
mnt-by: CW-EUROPE-GSOC
source: RIPE # Filtered


inetnum: 212.62.5.0 - 212.62.5.255
netname: CW-AMLPID739647-NET
descr: AML PID 739647
country: GB
admin-c: CHCP1-RIPE
tech-c: CHCP1-RIPE
status: ASSIGNED PA
mnt-by: MNT-HOSTING
mnt-domains: CW-DNS-MNT
source: RIPE # Filtered
 
role: CW Hosting Centre Park Royal
address: 900 Coronation Road
address: NW10 7PQ
address: London
remarks: trouble: [email protected]
admin-c: CLAU1-RIPE
tech-c: AA3670-RIPE
tech-c: CLAU1-RIPE
tech-c: SYLV-RIPE
nic-hdl: CHCP1-RIPE
mnt-by: EXODUS-MNT
mnt-by: CW-IPGNOC-MNT
abuse-mailbox: [email protected]
source: RIPE # Filtered
 
% Information related to '212.62.0.0/19AS1273'
 
route: 212.62.0.0/19
descr: CH-EXODUS
origin: AS1273
mnt-by: CW-EUROPE-GSOC
source: RIPE # Filtered

Well there’s the first clue, we know that the National Policing Improvement Agency signed a deal with Cable & Wireless to provide elements for the national communications network (a.k.a PNN3) so we’re onto a good start.
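The lookup above is just reading RIPE objects by eye; the following is an added example (not code from this site or from Brass Horn Communications) that does the same mechanically: it parses whois output into objects, then finds the inetnum assignment and the route/origin ASN that cover a given address. The sample input is constructed from the records quoted above with the contact handles trimmed.

```python
import ipaddress

# Constructed sample in RIPE whois format, modelled on the records quoted in
# the post; the inetnum, route and origin values are the ones shown above,
# contact handles have been trimmed.
SAMPLE_WHOIS = """\
inetnum: 212.137.45.96 - 212.137.45.111
netname: CW-AMLPID739647-NET
descr: AML PID 739647
country: GB
status: ASSIGNED PA
source: RIPE # Filtered

role: CW Hosting Centre Park Royal
address: London
nic-hdl: CHCP1-RIPE
source: RIPE # Filtered

% Information related to '212.137.32.0/20AS1273'

route: 212.137.32.0/20
descr: CWC-SWINDONWEBHOST
origin: AS1273
source: RIPE # Filtered
"""


def parse_whois(text):
    """Split RIPE-style whois output into a list of objects.

    Each object maps attribute -> list of values (attributes such as address:
    or mnt-by: may repeat).  Objects are separated by blank lines and lines
    starting with '%' are server comments, not attributes.
    """
    objects, current = [], {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("%"):
            if current:
                objects.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        objects.append(current)
    return objects


def inetnum_networks(inetnum):
    """Turn 'first - last' into the CIDR blocks that exactly cover the range."""
    first, last = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return list(ipaddress.summarize_address_range(first, last))


def locate(ip, objects):
    """Find the assignment and the BGP route that contain ip.

    Returns (netname, descr, route_prefix, origin_asn); an element is None
    when no object of that kind covers the address.
    """
    addr = ipaddress.ip_address(ip)
    netname = descr = prefix = origin = None
    for obj in objects:
        if "inetnum" in obj and any(addr in net for net in inetnum_networks(obj["inetnum"][0])):
            netname = obj.get("netname", [None])[0]
            descr = obj.get("descr", [None])[0]
        elif "route" in obj and addr in ipaddress.ip_network(obj["route"][0], strict=False):
            prefix = obj["route"][0]
            origin = obj.get("origin", [None])[0]
    return netname, descr, prefix, origin


if __name__ == "__main__":
    print(locate("212.137.45.109", parse_whois(SAMPLE_WHOIS)))
```

Feed it the full output of `whois -h whois.ripe.net <ip>` and the route object tells you which ASN (here AS1273) announces the covering prefix.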

The Overlooked Vector; DNS

Hurricane Electric provide a brilliant service at http://bgp.he.net/ which allows you to see a variety of information about IP blocks including ASN, RPKI status and forward/reverse DNS.

C&W make two announcements that contain one of the IPs;

AS1273 212.137.0.0/16 Cable & Wireless UK P.U.C.
AS1273 212.137.32.0/20 Cable and wireless Internet-NET

Looking at the more specific announcement we can see a variety of interesting Police National Network DNS records;
212.137.36.161 pnn-gw6.pnn.police.uk
212.137.36.163 pnn-gw.pnn.police.uk
212.137.36.164 pnn-gw.pnn.police.uk
212.137.36.165 smtp.pnn.police.uk
212.137.36.166 biscuits.pnn.police.uk
...
212.137.45.97 mail.pnn.police.uk
212.137.45.104 smtp.pnn.police.uk
212.137.45.105 smtp.pnn.police.uk
212.137.45.106 smtp.pnn.police.uk

Delving into SMTP

We’ve seen mail.pnn.police.uk before because the FOI response was sent from within PNN3 so the SMTP headers probably have some interesting information;
Received: by 10.216.16.73 with SMTP id g51csp220108weg; Mon, 13 Oct 2014 07:16:17 -0700 (PDT)
X-Received: by 10.194.21.193 with SMTP id x1mr2053266wje.135.1413209777204; Mon, 13 Oct 2014 07:16:17 -0700 (PDT)
Return-Path:
Received: from mail.pnn.police.uk (mail.pnn.police.uk. [212.137.45.97])
by mx.google.com with ESMTPS id hu8si1814120wib.9.2014.10.13.07.16.16
for
(version=TLSv1 cipher=RC4-SHA bits=128/128);
Mon, 13 Oct 2014 07:16:17 -0700 (PDT)
Received-SPF: none (google.com: [email protected] does not designate permitted sender hosts) client-ip=212.137.45.97;
Authentication-Results: mx.google.com; spf=neutral (google.com: [email protected] does not designate permitted sender hosts) [email protected]
From: xxxxxx xxxxxx
To: "'[email protected]'"
Subject: REQUEST FOR INFORMATION REF: COL/14/714 (NOT PROTECTIVELY MARKED)
Thread-Topic: REQUEST FOR INFORMATION REF: COL/14/714 (NOT PROTECTIVELY MARKED)
Thread-Index: Ac/m8D8M8+UzCwmmRSGWynCyQxELkw==
Date: Mon, 13 Oct 2014 14:16:15 +0000
Message-ID:
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-officeenforcer-classification-impactlevel: 0
x-officeenforcer-classification: NOT PROTECTIVELY MARKED
x-originating-ip: [172.26.4.63]
MIME-Version: 1.0
X-ACL-Warn: X-Virus Scan: F-Secure 9
X-PNN3-Rtr: dnslookup

So from this we can see that the Police use the 172.16.0.0/12 RFC1918 addresses internally and elements of 212.137.45.0/24 are definitely used by the Police.

Hardly obscured by “layers and layers of security”.
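The reasoning above (the relay that handed the mail to Google is the public 212.137.45.97, while x-originating-ip is an RFC 1918 address) can be automated. This is an added example, not code from this site: it unfolds the headers, walks the Received: chain and tags every IPv4 address as private or public. The sample headers are constructed from the ones quoted above with the mailbox addresses replaced by placeholders.

```python
import ipaddress
import re

# Constructed sample modelled on the headers quoted above.  212.137.45.97,
# 10.216.16.73 and the 172.26.4.63 originating IP are from the page; the
# mailbox addresses are placeholders.
SAMPLE_HEADERS = """\
Received: by 10.216.16.73 with SMTP id g51csp220108weg; Mon, 13 Oct 2014 07:16:17 -0700 (PDT)
Received: from mail.pnn.police.uk (mail.pnn.police.uk. [212.137.45.97])
 by mx.google.com with ESMTPS id hu8si1814120wib.9.2014.10.13.07.16.16
 for <recipient@example.invalid>
 (version=TLSv1 cipher=RC4-SHA bits=128/128);
 Mon, 13 Oct 2014 07:16:17 -0700 (PDT)
From: sender@example.invalid
Subject: REQUEST FOR INFORMATION REF: COL/14/714 (NOT PROTECTIVELY MARKED)
x-originating-ip: [172.26.4.63]
MIME-Version: 1.0
X-PNN3-Rtr: dnslookup
"""

# Dotted quads not glued to further digits or dots, so the dotted timestamp in
# the Google queue id ("...9.2014.10.13.07.16.16") is not mistaken for one.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def unfold_headers(raw):
    """Return (name, value) pairs with RFC 5322 folded continuation lines joined."""
    headers = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def received_hops(headers):
    """Extract the relay hops, in header order (newest first), from Received:.

    Each hop records the 'from' host the sender claimed, the IP the receiving
    server logged in [brackets] (the only part it verified) and the 'by' host.
    """
    hops = []
    for name, value in headers:
        if name != "received":
            continue
        m_from = re.search(r"\bfrom\s+(\S+)", value)
        m_by = re.search(r"\bby\s+(\S+)", value)
        m_ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", value)
        hops.append({"from": m_from.group(1) if m_from else None,
                     "ip": m_ip.group(1) if m_ip else None,
                     "by": m_by.group(1) if m_by else None})
    return hops


def classify_addresses(headers):
    """Map every IPv4 address in the headers to 'private' (RFC 1918) or 'public'."""
    found = {}
    for _, value in headers:
        for ip in IPV4_RE.findall(value):
            try:
                found[ip] = "private" if ipaddress.ip_address(ip).is_private else "public"
            except ValueError:          # e.g. a leading-zero octet
                continue
    return found


def external_relay(headers):
    """The first public IP that handed the message to an outside MX, if any."""
    for hop in received_hops(headers):
        if hop["ip"] and not ipaddress.ip_address(hop["ip"]).is_private:
            return hop["ip"]
    return None
```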

Nailing down 212.137.45.109

Whilst there is HTTP traffic coming from 212.137.45.109 it doesn’t have any registered reverse DNS, which could indicate it is not a normal egress gateway (or someone is lazy – Hanlon’s razor).

A quick search finds that this IP address is certainly busy: leaving a comment here, in wikileaks, activity on the British Transport Police wikipedia page, some form of request from a Crime Prevention Adviser, an old reverse DNS lookup referring to NWIS and someone listing an old whois record;

inetnum: 212.137.45.96 - 212.137.45.111
netname: CW-PNN-NET
descr: PNN
country: GB
admin-c: CHCP1-RIPE
tech-c: CHCP1-RIPE
status: ASSIGNED PA
mnt-by: MNT-HOSTING
source: RIPE Filtered
role: CW Hosting Centre Park Royal
address: 900 Coronation Road
address: NW10 7PQ
address: London
remarks: trouble: ***@cw.net

Conclusion

It’s fairly safe to say that 212.62.5.0/24 and 212.137.45.0/24 are in some way related to the Police.

Before issuing the Freedom of Information request our servers were crawled / visited every day by these IPs.

Since issuing the request they haven’t been back…

Footnote:

Cable & Wireless are the ISP that assisted GCHQ with their “Mastering the Internet” program: http://www.wired.co.uk/news/archive/2014-11/21/cable-and-wireless-vodafone-worked-with-gchq


Increase the Cost of Filtering to ISPs by Raising ADR Complaints

OFCOM has a lot of rules for ISPs to follow and under General Condition 14 (GC14.5 – Dispute Resolution) – all ISPs in the United Kingdom are required to be members of an approved ADR scheme like CISAS or Ombudsman Services, which are designed to supplement (not replace) the ISPs own internal complaints procedures and are only used after a dispute has gone unresolved for 8 weeks (the “Deadlock Letter” stage).

The ADR process is a very useful tool for consumers, albeit an unpopular one among ISPs (i.e. they still have to pay up to around £350 +vat in fees to the ADR regardless of whether or not they win), but some smaller providers continue to flout the rules by wrongly assuming that they don’t have to offer an ADR or by failing to make customers aware that one is available.

The key here is that if one were to make a request to unblock a website and the ISP doesn’t co-operate then you can start the ADR process.

Upon being told that the ISP won’t unblock the website request a deadlock letter in accordance with the Alternative Dispute Resolution process.

At this point the ISP representative will probably try and convince you that you cannot make an ADR complaint about this, as they are scared of costing the company ~£350. Insist on your deadlock letter.

Imagine if everyone with a censored Internet connection raised an ADR complaint for every blocked website.

Choose.net has an excellent guide on how to go about raising an ADR.


Filters Are For Coffee – Not The Internet

Today is International Coffee Day so what better day to take the Open Rights Group tag line of “Filters Are For Coffee Not The Internet” and investigate the capabilities of the Internet filtering at various coffee locations.

Costa Coffee / Cafe Nero – O2 Wifi

DNS Spoofing: Partial
MiTM SSL: No
Deep Packet Inspection: Yes
Destination IP Transit Interference: Yes

O2 WiFi requires two-factor registration via a phone number and SMS claiming that it is a legal requirement. This is easily traversed with a disposable PAYG phone (e.g. EE have a Nokia 106 for £4.99 – an excellent option for a burner phone). Once you’ve completed the two-factor check (the first being they record your MAC address) you can start browsing.

The first thing to notice is that unlike their mobile offering the WiFi has several layers of filtering, some DNS queries are intercepted to send you to a block page and even if you resolve the A record out-of-band Squid will intercept and block.

If you manually query a 3rd party DNS server for the record in question then it appears to return normally.

This level of blocking however is hit and miss, with domains such as thepiratebay.se suffering the worst interference while others that are blocked by the default mobile filters aren’t blocked on the WiFi.

Thankfully all the usual bypass methods (Tor, RoutingPacketsIsNotACrime.uk, SSH SOCKS5 tunnel and SSL) work flawlessly despite the use of Squid and DNS interference.

Interestingly O2 have chosen to force Google to not allow SSL searching (so they can inspect the content and block stuff) which also means anyone else in the coffee shop can spy on your browsing. DuckDuckGo.com does still offer SSL searching and isn’t blocked.

Breaking down an O2 Intercept

The packet capture for this attempt to hit http://reddit.com/r/nsfw is here, the pertinent part of the HTTP transfer is below;

GET /r/nsfw HTTP/1.1
User-Agent: curl/7.34.0
Host: reddit.com
Accept: */*

HTTP/1.1 200 OK
Date: Mon, 29 Sep 2014 10:28:51 GMT
X-Template: blacklisted
Content-Type: text/html
Content-Length: 195
Cache-Control: no-cache
X-Cache: MISS from Squid
Via: 1.1 Squid (squid/3.2.11)
Connection: keep-alive
<!DOCTYPE html>

Despite getting the correct A records back from the nameservers in packet 5 we can see in packets 12 onwards that the O2 Squid server (ironically the same software PacketFlagon.is uses to bypass censorship!) returns back some HTML with a meta refresh that instantly directs the browser to their block page.

As shown in this packet capture there is no IP/Host matching; it is all done on the GET path and the Host header, so hosts file hacks won’t work either.

High Court blocks are solved using DNS and an attempt to resolve thepiratebay.se returns 127.0.0.1.

Finally some other blocks such as the block of torproject.org are achieved by just silently dropping the packets.

Starbucks – BT / Friendly WiFi

The people at Friendly WiFi appear to be quite zealous about blocking “pornography” and come out with ridiculous claims such as that by putting in their filtering one gets a “porn free city”.

Thankfully their blocks are almost as easy to bypass as O2’s. Interestingly, unlike O2, Starbucks and BT don’t believe they are required to legally know who is using their WiFi and no registration is required.

DNS Spoofing: Yes
MiTM SSL: No
Deep Packet Inspection: Yes
Destination IP Transit Interference: No

Websites that are blocked due to sub-content (e.g. reddit.com/r/nsfw) are blocked over HTTP but accessible over SSL. Interestingly thepiratebay.se is reachable over SSL e.g.

curl -k -v https://194.71.107.27 -H 'Host: thepiratebay.se'

Using PAC files such as RoutingPacketsIsNotACrime.uk was hit and miss and requires some more investigation but other bypass options such as SSL, Tor and using an SSH SOCKS5 tunnel all worked without issue.

BT also force Google to downgrade search to a non-ssl version which means others could monitor your search terms.

Breaking down a BT Intercept

When trying to hit reddit.com/r/nsfw this packet capture shows a HTTP 302 is returned rather than the site we’re after.

GET /r/nsfw HTTP/1.1
User-Agent: curl/7.34.0
Accept: */*
Host: reddit.com

HTTP/1.1 302 Found
Location: http://217.41.225.106/redirect/starbucks/index.html

An attempt to reach thepiratebay.se resulted in a forged DNS reply for 193.113.9.167 that simply displays the words “Error – site blocked”

Interestingly as shown in this packet capture, resolving the A record out-of-band and then passing a HTTP request through works fine!
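The O2 and BT teardowns above are two instances of the same check: compare the hotspot’s DNS answer with an out-of-band one, then look at what the HTTP path returns. The following is an added example (not code from this site) that encodes those rules and reduces a set of observations to the four-line table used in each write-up. The responses are constructed from the intercepts quoted above; the block-page URL in the meta refresh and the 198.51.100.x “real” addresses are placeholders.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed observations modelled on the intercepts quoted in the post: the
# O2 Squid "blacklisted" page and the BT 302 redirect.  The block-page URL in
# the meta refresh and the 198.51.100.x "real" addresses are placeholders.
O2_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "X-Template: blacklisted\r\n"
    "Content-Type: text/html\r\n"
    "Via: 1.1 Squid (squid/3.2.11)\r\n\r\n"
    '<!DOCTYPE html><html><head><meta http-equiv="refresh" '
    'content="0;url=http://blockpage.invalid/"></head></html>'
)
BT_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: http://217.41.225.106/redirect/starbucks/index.html\r\n\r\n"
)

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(lines[0].split()[1]), headers, body

def classify_http(raw, requested_host):
    """Label what came back for a plain-HTTP request; raw is None if nothing did."""
    if raw is None:
        return "silent-drop"
    status, headers, body = parse_response(raw)
    squid = "squid" in headers.get("via", "").lower()
    # O2 style: an inline Squid answers 200 with its own page and a meta refresh.
    if status == 200 and (headers.get("x-template") == "blacklisted"
                          or (squid and 'http-equiv="refresh"' in body.lower())):
        return "inline-proxy-blockpage"
    # BT style: a 302 to a host that is not the one we asked for.
    if status in (301, 302, 303, 307):
        location_host = urlparse(headers.get("location", "")).hostname or ""
        if not location_host.endswith(requested_host):
            return "redirect-to-blockpage"
    return "clean"

def classify_dns(network_answer, out_of_band_answer):
    """Compare the hotspot resolver's A record with one fetched out of band."""
    seen = ipaddress.ip_address(network_answer)
    if seen == ipaddress.ip_address(out_of_band_answer):
        return "clean"
    if seen.is_loopback:
        return "dns-sinkhole-loopback"   # e.g. thepiratebay.se -> 127.0.0.1
    return "dns-spoofed"                 # answer points at a block-page host

def interference_profile(observations):
    """Reduce per-host observations to the four-line table used in the post.

    Each observation: {"host", "dns", "dns_oob", "http" (raw text or None),
    "tls_cert_ok" (bool, or None when HTTPS was not tried)}.  "Partial" is
    not modelled: one spoofed answer is enough to set DNS Spoofing.
    """
    profile = {"DNS Spoofing": False, "MiTM SSL": False,
               "Deep Packet Inspection": False,
               "Destination IP Transit Interference": False}
    for ob in observations:
        dns = classify_dns(ob["dns"], ob["dns_oob"])
        http = classify_http(ob["http"], ob["host"])
        if dns != "clean":
            profile["DNS Spoofing"] = True
        if ob.get("tls_cert_ok") is False:
            profile["MiTM SSL"] = True
        if http in ("inline-proxy-blockpage", "redirect-to-blockpage"):
            profile["Deep Packet Inspection"] = True
        # Correct DNS but no reply at all: the path itself is being dropped.
        if http == "silent-drop" and dns == "clean":
            profile["Destination IP Transit Interference"] = True
    return profile

# Constructed observation sets reproducing the O2 and BT findings above.
O2_OBSERVATIONS = [
    {"host": "reddit.com", "dns": "198.51.100.10", "dns_oob": "198.51.100.10",
     "http": O2_RESPONSE, "tls_cert_ok": True},
    {"host": "thepiratebay.se", "dns": "127.0.0.1", "dns_oob": "194.71.107.27",
     "http": None, "tls_cert_ok": None},
    {"host": "torproject.org", "dns": "198.51.100.20", "dns_oob": "198.51.100.20",
     "http": None, "tls_cert_ok": None},
]
BT_OBSERVATIONS = [
    {"host": "reddit.com", "dns": "198.51.100.10", "dns_oob": "198.51.100.10",
     "http": BT_RESPONSE, "tls_cert_ok": True},
    {"host": "thepiratebay.se", "dns": "193.113.9.167", "dns_oob": "194.71.107.27",
     "http": None, "tls_cert_ok": True},
]
```

Running `interference_profile` over the O2 set yields DNS Spoofing, DPI and Transit Interference all set with MiTM SSL clear, and over the BT set the same minus Transit Interference, matching the two tables above.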

Bonus – EE Hotspot

During my travels between coffee shops I stumbled across an EE hotspot which had a completely different set of filtering as it uses OpenDNS.

DNS Spoofing: Yes
MiTM SSL: No
Deep Packet Inspection: No
Destination IP Transit Interference: No

Much like O2 you are required to register using a phone and EE uses www.picopoint.com to do this.

The filtering is very lax with reddit.com/r/nsfw and the Pirate Bay being allowed through however shock sites like rotten.com resolve to 67.215.65.130 which results in an OpenDNS block page.

Since the filtering is entirely DNS based out-of-band resolution, RoutingPacketsIsNotACrime, Tor and SSH SOCKS5 tunnels all work fine.

I’ve drunk far too much coffee today and it’s a shame that public establishments feel it necessary to put in censorship technology that performs excessive over-blocking (how is torproject.org sexual?) but at least it is still easy to bypass.



How to Bypass O2’s Internet Filtering without a Credit Card or Identifying Yourself

O2 were next on the list for a tear-down of their filtering anyway but as luck would have it they blocked RoutingPacketsIsNotACrime.uk which meant I had control of both ends of a TCP/HTTP connection that was being filtered. Being able to investigate what happens from both sides is an opportunity that is too good to miss.

You can buy an O2 PAYG device such as a phone, dongle or MiFi in cash and with a name that doesn’t require verification.

This will, however, result in you receiving a SIM with the “Default Safety” level of filtering enabled. Attempting to visit legitimate, non-sexual and legal websites such as RoutingPacketsIsNotACrime.uk can result in a block page.

The good news is that the O2 filters are quite easy to circumnavigate.

DNS Spoofing: No
MiTM SSL: No
Deep Packet Inspection: Partial
Destination IP Transit Interference: Yes
-
Unique Reason for Block: No
Categorised Block: No
Ability to report incorrect block: No

Tor

The go-to advice is, as always, to download Tor: it will not only bypass all filtering but, if configured as a relay too, will also help mask those who need to use Tor to protect their privacy.

With Tor installed and configured to listen on port 9050 as a SOCKS proxy (or using the bundled Tor Browser if using the Tor Bundle, or the Android port Orbot) you will be able to bypass all filtering (including the censored blocks forced on you even if you are over 18).

SOCKS5 SSH Proxy

If you don’t want to use Tor then creating a SOCKS tunnel via SSH is also an excellent option. Visit LowEndBox.com where you can get tiny cloud servers (e.g. 128Mb of RAM) for as little as £5 a year that can be paid for in advance with a prepaid Visa/Mastercard.

Once you’ve purchased or otherwise acquired a server running OpenSSH (or any other variety that supports tunneling) simply connect to it specifying the -D option to create a local dynamic tunnel;

ssh -D 9050 proxy1.survivetheclaireperryinter.net

Once connected you can configure your browser to use 127.0.0.1 port 9050 as a SOCKS5 proxy (Edit – Preferences > Network > Settings > SOCKS Host) and bypass all filtering.

SSL

O2 cannot Man in the Middle (MiTM) SSL connections, so any website that has an SSL component and is not yet subject to a High Court Order block is accessible over SSL.

This also means that you can use a RoutingPacketsIsNotACrime.uk PAC file to get around all filtering despite them banning the HTTP path.

Attacking from Both Sides

Since this is the first time I’ve had access to both sides of the filtering fence I can examine what is happening to our packets to see how O2's filtering works.

A first attempt at connecting provides the attached packet capture, where we can see that our host (OpenBSD) does a DNS lookup for both the A and the AAAA record. The MiFi dongle returns the correct IP addresses for both queries, indicating that there isn’t any Nominum-style DNS interference going on.

Packet 5 is the start of the HTTP sequence and everything is going fine; in packet 8 curl sends the Host header we’re after. At this point there’s a rogue TLSv1 encrypted connection to 185.29.44.9 (o2bb.winint.net and mobilebroadbandaccess.o2.co.uk; we’ll delve into this later) which is from an earlier session.

Packet 11 appears to be an ACK from my server in response to packet 8; however, packets 12 and 13 show that the server sent a 302 redirect to send the browser to http://assets.o2.co.uk/18plusaccess. Well, we know that this isn’t true. Interestingly, we then get some packets (16, 17 and 19) that Wireshark flags as out of order and duplicate responses to the earlier packets.

From this we can make a couple of assumptions: first, that O2's filtering system relies on deep packet or proxy inspection of the Host header, and secondly that there is possibly a race condition for returning HTTP packets.

Hacking RFCs

RFC 2616 section 14.23 dictates that a valid HTTP/1.1 request will contain a Host header but doesn’t specify how many (for obvious reasons), so let’s see if we can abuse this by manipulating the HTTP headers using curl, e.g.:

curl 89.151.84.121 -H 'Host: o2-censor.com' -H 'Host: routingpacketsisnotacrime.uk'

The HTTP request is allowed through without issue; however, the web server at the other end will also ignore the second Host header and attempt to serve the first.

Passing the first host header as an empty string and the second as the host we want results in a block. Maybe we’ll come back to this later (custom build of apache + browser plugin?).
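The double-Host-header test above, as an added example and not code from the original post: a minimal request-head parser that returns every Host value in wire order, a first-match lookup mirroring the behaviour the post describes (both the filter and the origin server acting on the first Host only), and the check that RFC 7230 section 5.4 (2014) later made mandatory, a 400 for any request with no Host header or more than one. The sample requests are constructed.

```python
# Constructed sample requests (not taken from the page's captures).
SINGLE_HOST = b"GET / HTTP/1.1\r\nHost: example.com\r\nUser-Agent: curl\r\n\r\n"
DOUBLE_HOST = (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
               b"Host: routingpacketsisnotacrime.uk\r\n\r\n")
EMPTY_THEN_REAL = (b"GET / HTTP/1.1\r\nHost:\r\n"
                   b"Host: routingpacketsisnotacrime.uk\r\n\r\n")
NO_HOST = b"GET / HTTP/1.1\r\n\r\n"

def host_headers(raw):
    """Return every Host header value in the request head, in wire order."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    values = []
    for line in head.split(b"\r\n")[1:]:        # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            values.append(value.strip().decode("latin-1"))
    return values

def first_host(raw):
    """First-match behaviour, as the post observed from the filter and from Apache."""
    hosts = host_headers(raw)
    return hosts[0] if hosts else None

def check_host(raw):
    """RFC 7230 section 5.4: exactly one non-empty Host header, otherwise 400."""
    hosts = host_headers(raw)
    if len(hosts) != 1 or not hosts[0]:
        return (400, None)
    return (200, hosts[0])
```

A filter or server that enforces check_host removes the ambiguity the post exploits: a request carrying two Host headers is rejected outright rather than being classified on one header and served on another.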

The next test is to see if there is coupling between the IP and HTTP host.

curl 46.4.22.9 -H 'Host: routingpacketsisnotacrime.uk'

Still results in a block. OK, well, we know that O2 can’t interfere with 443; it’s possible that they see the crypto handshake or that they see it’s not port 80 and ignore it, so I tried setting an Apache host to listen on 8081, but the Host header was still detected and blocked.

On a whim I tried using a RoutingPacketsIsNotACrime.uk PAC file served over SSL and that worked which was a relief.

Anyhow, back to messing with Host headers. Since we know that O2 relies on the Host header, let’s set a rubbish DNS name in /etc/hosts (or C:\windows\system32\drivers\etc\hosts for you Windows people) and configure Apache to serve the censored website on a given IP regardless of Host header (a default vhost, if you will).

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
89.151.84.121 routingpacketsisgreat.fucko2

Success! As you can see in packet 4 of this Wireshark packet capture, we sent a Host header of routingpacketsisgreat.fucko2 and received the correct response back from the server, which is a 302 to https://RoutingPacketsIsNotACrime.uk, and since we know that SSL is not interfered with the connection continues.

For completeness’ sake, let’s see what a censored connection looks like from the server side.

When sending an HTTP GET to wtfismyip.com the IP returned was consistently 82.132.245.233; however, as we can see from the packet capture, the IP that reached out to my server was 82.132.245.111. It starts the first part of the TCP handshake and then sends a TCP reset.

From within the O2 network this server appears to be listening on thousands of ports whereas from an outside source it appears that there are no listening ports.

All servers within 82.132.244.0/24 have a PTR record of dab-rcn1-h-xx-3.dab.02.net, where xx does increase with each IP but does not correlate to the IP itself.

There appears to be a limited form of session or IP ‘stickiness’, with repeated connections to differing remote IPs always coming from the same host (e.g. a.b.c.d ‘sticks’ to dab-rcn1-h-ab-3.dab.02.net but e.f.g.h ‘sticks’ to dab-rcn1-h-xy-3.dab.02.net). I didn’t test the longevity of the stickiness but it doesn’t really matter.

Using our fake Host header trick the connection completes but still comes from the 82.132.245.0/24 range (although in other captures I’ve seen 82.132.244.0/24). So it would appear that these proxies will evaluate all plain text traffic regardless of whether the IP is known to host blocked content.

The TCP dump indicates that whilst the initial TCP handshake happens, the upper layer (HTTP) doesn’t until the proxy has evaluated the Host header, which means the second assumption about a possible race condition was incorrect.

StreamShield

As an interesting aside, by evaluating how the server responds to certain requests it’s fairly likely that these filtering boxes are running some form of Linux. That conclusion is further strengthened by the fact that BAE is hiring Linux C++ engineers for their StreamShield product, which we know from court documents is what O2 use.

The BAE StreamShield system is quite nasty, enabling real-time deep packet inspection of various protocols (which is how it picks out the Host header from HTTP streams), but it can also do real-time filtering based on the content of the returned data.

It also gathers and stores all that information about you so that O2 can hand over details about what you’ve been doing to anyone who asks thanks to the Data Retention and Investigatory Powers Act.

Returning to 185.29.44.9

This IP block belongs to a company called IMIMOBILE EUROPE LTD who appear to be in the business of monetizing mobile customers through a variety of means.

185.29.44.9 is mobilebroadbandaccess.o2.co.uk and is part of a joint venture between the two to create self service portals.

Interestingly you can put any O2 phone number in, from any Internet connection (including Tor) and it will divulge a limited amount of information about the account.


Little though the information may be, with scams such as the “Microsoft Event Viewer Tech Support” or “Compromised Bank Card, key in your PIN” call, it is dangerous to tell the wrong people when another person’s PAYG SIM expires and how much data is left; vulnerable people can be convinced with less. But then again, we’re talking about the company that censored the NSPCC and ChildLine websites, so looking after vulnerable people isn’t top of their priorities.

So, I’m down another £40 but it’s been very interesting to play with O2's censorship technology which, it turns out, is easy to circumnavigate because the ‘Net interprets censorship as damage and routes around it.

To prohibit the reading of certain books is to declare the inhabitants to be either fools or slaves.
-Claude Adrien Helvétius