PhoenixFire

Immunicity Returns

On the 2nd of October the Government Intellectual Property Office and the City of London Police PIPCU posted to twitter about how they’d diverted 11 million views from ‘pirate’ websites since July 2014.

Unfortunately there’s a slight problem with their claim; some of the seized domains, such as immunicity.org, have been under the control of Brass Horn Communications for several months now, hundreds of thousands of those supposed diverts have actually been seeing the following page;

divert

Domain seizures are censorship and as we all know; the Net interprets censorship as damage and routes around it.

Hopefully PIPCU will concentrate on people actually committing crimes rather than those who are just routing packets.

BwheKLxCQAAdzAP.jpg large

PacketFlagon – The HydraProxy

Today marks 1 year since the Immunicity arrest that saw someone get arrested for allowing people to send their HTTP(s) traffic where they wanted to without interference.

In that time it’d seem that the City of London Police haven’t really done much;

However the guys and gals over at Brass Horn Communications have been doing quite a bit culminating in todays “launch party” of HydraProxy.Party

Whilst not a real launch party* it is the official unveiling of the open sourced software derived from the original RoutingPacketsIsNotACrime.uk platform.

What is a ProxyShard / HydraProxy

The PacketFlagon platform is essentially one central server that feeds and receives information from lots of other servers around the Internet.

Anyone is free to download the BSD licensed software from GitHub, upload it to their webserver and then 30 seconds later are capable of creating, editing and serving the PAC files that help your browser circumnavigate Internet censorship.

The HydraProxy element comes in several parts, the first is that not only are there now tens of the PacketFlagon frontends available but the PAC files are also available on S3 and most impressively of all the platform maintains a number of what it terms “deadhand” nodes that constantly monitor the central server and the various frontends.

If the deadhand nodes reach consensus that a frontend has been blocked another domain is automatically registered, a new virtual machine is created and then bootstrapped to be a frontend node, all without human intervention!

Android App

There is also an Android app available on the Google Play store or by compiling the sourcecode yourself from GitHub.

The App provides an easy way to manage existing PAC files or to create new ones, we’re told that later versions will also include some intelligent circumnavigation methods in case the ISPs start to block the PacketFlagon API itself.

Is It Safe To Use?

Yes. Keep an eye on the Brass Horn Communications warrant canary just in case but we trust the team.

With that said it’s always a better bet to take your security and censorship circumnavigation into your own hands and look at how to properly use Tor or create SSH tunnels / your own SOCKS proxies.

* It’s understood that if you’re at DefCon in Las Vegas and can track down the @PacketFlagon team they might buy you a beer!

Devils_Bridge

Introducing Brass Horn Communications

Brass Horn Communications is a non-profit entity registered in the UK whose sole purpose is to provide Internet based services and education to help people evade censorship and avoid surveillance.

Their first Tor Exit node went live on March 2nd 2015 joining 8 other multi-purpose Tor relays, additionally Brass Horn Communications has adopted the infrastructure of RoutingPacketsIsNotACrime.uk / PacketFlagon.is and in doing so has published the Tor entry bridges used by the Squid proxies into the public directory for general use.

The name came from a Welsh legend;

Britain was plagued by the Coraniaid who could not be injured because their hearing was so sharp that they could hear any sound that the wind carried. It was by using a Brass Horn that Llefelys was able to securely communicate to his brother Lludd how to defeat the Coraniaid.

One of the stated goals of the organisation is to provide UK centric Tor relays and bridges (especially obfuscated bridges) to enable those in the UK to browse an uncensored Internet at relative speed to their native connection.

At the moment the team is working on a new version of the PacketFlagon.is software to release under the BSD license.

safe

Introducing ASafe.Space

David Cameron recently said in a speech that he would deny potential Terrorists a safe space on the Internet to communicate;

The obvious problem here is that everyone is a potential Terrorist so what David Cameron is actually promising that he intends to legislate against anyone having a means of communication that is secure from Government interference.

We’ve seen that GCHQ and the Police have abused (or just plain broken) laws in order to spy on Journalists, Lawyers and other innocents, the Government can not be trusted with these powers.

In response ASafe.Space has been registered and will contain a few short guides on how to have a safe space to browse the Internet, communicate over Instant Messaging, Email or even Pen and Paper.

Evading censorship and surveillance are one and the same, if the censor doesn’t know what you are saying or what you are reading they can’t stop you nor can they hold it against you.

BwheKLxCQAAdzAP.jpg large

Filters Are For Coffee – Not The Internet

Today is International Coffee Day so what better day to take the Open Rights Group tag line of “Filters Are For Coffee Not The Internet” and investigate the capabilities of the Internet filtering at various coffee locations.

Costa Coffee / Cafe Nero – O2 Wifi

DNS Spoofing: Partial
MiTM SSL: No
Deep Packet Inspection: Yes
Destination IP Transit Interference: Yes

O2 WiFi requires two-factor registration via a phone number and SMS claiming that it is a legal requirement. This is easily traversed with a disposable PAYG phone (e.g. EE have a Nokia 106 for £4.99 – an excellent option for a burner phone). Once you’ve completed the two-factor check (the first being they record your MAC address) you can start browsing.

The first thing to notice is that unlike their mobile offering the WiFi has several layers of filtering, some DNS queries are intercepted to send you to a block page and even if you resolve the A record out-of-band Squid will intercept and block.

If you manually query a 3rd party DNS server for the record in question then it appears to return normally.

This level of blocking however is hit and miss with domains such as the thepiratebay.se suffering the worst interference but others that are blocked by the default mobile filters aren’t blocked on the WiFi.

Thankfully all the usual bypass methods (Tor, RoutingPacketsIsNotACrime.uk, SSH SOCKS5 tunnel and SSL) work flawlessly despite the use of Squid and DNS interference.

Interestingly O2 have chosen to force Google to not allow SSL searching (so they can inspect the content and block stuff) which also means anyone else in the coffee shop can spy on your browsing. DuckDuckGo.com does still offer SSL searching and isn’t blocked.

Breaking down an O2 Intercept

The packet capture for this attempt to hit http://reddit.com/r/nsfw is here, the pertinent part of the HTTP transfer is below;

GET /r/nsfw HTTP/1.1
User-Agent: curl/7.34.0
Host: reddit.com
Accept: */*

HTTP/1.1 200 OK
Date: Mon, 29 Sep 2014 10:28:51 GMT
X-Template: blacklisted
Content-Type: text/html
Content-Length: 195
Cache-Control: no-cache
X-Cache: MISS from Squid
Via: 1.1 Squid (squid/3.2.11)
Connection: keep-alive
< !DOCTYPE html>
<html>
<head>
    <meta http-equiv="refresh" content="0; url=https://www.o2wifi.co.uk/pages/n4?bd=http://reddit.com:80/r/nsfw"/>
    <title></title>
</head>
<body>
</body>
</html>

Despite getting the correct A records back from the nameservers in packet 5 we can see in packets 12 onwards that the O2 Squid server (ironically the same software PacketFlagon.is uses to bypass censorship!) returns back some HTML with a meta refresh that instantly directs the browser to their block page.

As shown in this packet capture there is no IP/Host matching it is all done on the GET path and the Host header so Hosts files hacks won’t work either.

High Court blocks are solved using DNS and an attempt to resolve thepiratebay.se returns 127.0.0.1.

Finally some other blocks such as the block of torproject.org are achieved by just silently dropping the packets.

Starbucks – BT / Friendly WiFi

The people at Friendly WiFi appear to be quite zealous about blocking “pornography” and come out with ridiculous claims such as that by putting in their filtering one gets a “porn free city”

Thankfully their blocks are almost as easy to bypass as O2′s. Interestingly, unlike O2, Starbucks and BT don’t believe they are required to legally know who is using their WiFi and no registration is required.

DNS Spoofing: Yes
MiTM SSL: No
Deep Packet Inspection: Yes
Destination IP Transit Interference: No

Websites that are blocked due to sub-content (e.g. reddit.com/r/nsfw) are blocked over HTTP but accessible over SSL. Interestingly thepiratebay.se is reachable over SSL e.g.

curl -k -v https://194.71.107.27 -H 'Host: thepiratebay.se'

Using PAC files such as RoutingPacketsIsNotACrime.uk was hit and miss and requires some more investigation but other bypass options such as SSL, Tor and using an SSH SOCKS5 tunnel all worked without issue.

BT also force Google to downgrade search to a non-ssl version which means others could monitor your search terms.

Breaking down a BT Intercept

When trying to hit reddit.com/r/nsfw this packet capture shows a HTTP 302 is returned rather than the site we’re after.

GET /r/nsfw HTTP/1.1
User-Agent: curl/7.34.0
Accept: */*
Host: reddit.com

HTTP/1.1 302 Found
Location: http://217.41.225.106/redirect/starbucks/index.html

An attempt to reach thepiratebay.se resulted in a forged DNS reply for 193.113.9.167 that simply displays the words “Error – site blocked”

Interestingly as shown in this packet capture, resolving the A record out-of-band and then passing a HTTP request through works fine!

Bonus – EE Hotspot

During my travels between coffee shops I stumbled across an EE hotspot which had a completely different set of filtering as it uses OpenDNS.

DNS Spoofing: Yes
MiTM SSL: No
Deep Packet Inspection: No
Destination IP Transit Interference: No

Much like O2 you are required to register using a phone and EE uses www.picopoint.com to do this.

The filtering is very lax with reddit.com/r/nsfw and the Pirate Bay being allowed through however shock sites like rotten.com resolve to 67.215.65.130 which results in an OpenDNS block page.

Since the filtering is entirely DNS based out-of-band resolution, RoutingPacketsIsNotACrime, Tor and SSH SOCKS5 tunnels all work fine.

I’ve drank far too much coffee today and it’s a shame that public establishments feel it necessary to put censorship technology that performs excessive over-blocking (how is torproject.org sexual?) but at least it is still easy to bypass.

coffeecoffee

O2

How to Bypass O2′s Internet Filtering without a Credit Card or Identifying Yourself

O2 were next on the list for a tear-down of their filtering anyway but as luck would have it they blocked RoutingPacketsIsNotACrime.uk which meant I had control of both ends of a TCP/HTTP connection that was being filtered. Being able to investigate what happens from both sides is an opportunity that is too good to miss.

You can buy an O2 PAYG device such as a phone, dongle or MiFi in cash and with a name that doesn’t require verification.

This will however result in you receiving a SIM with the “Default Safety” level of filtering enabled. Attempting to visit legitimate, non-sexual and legal websites such as RoutingPacketsIsNotACrime.uk can result in a block page;
o2-block

The good news is that the O2 filters are quite easy to circumnavigate.

DNS Spoofing: No
MiTM SSL: No
Deep Packet Inspection: Partial
Destination IP Transit Interference: Yes
-
Unique Reason for Block: No
Categorised Block: No
Ability to report incorrect block: No

Tor

The goto advice is, as always, to download Tor as it will not only bypass all filtering but will also help mask those who need to use Tor to aid in protecting their privacy if configured as a relay too.

With Tor installed and configured to listen on port 9050 as a SOCKS proxy (or using the bundled Tor Browser if using the Tor Bundle or the Android port Orbot) you will be able to bypass all filtering (including the censored blocks forced on you even if you are over 18)

SOCKS5 SSH Proxy

If you don’t want to use Tor then creating a SOCKS tunnel via SSH is also an excellent option. Visit LowEndBox.com where you can get tiny cloud servers (e.g. 128Mb of RAM) for as little as £5 a year that can be paid for in advance with a prepaid Visa/Mastercard.

Once you’ve purchased or otherwise acquired a server running OpenSSH (or any other variety that supports tunneling) simply connect to it specifying the -D option to create a local dynamic tunnel;

ssh -D 9050 proxy1.survivetheclaireperryinter.net

Once connected you can configure your browser to use 127.0.0.1 port 9050 as a SOCKS5 proxy (Edit – Preferences > Network > Settings > SOCKS Host) and bypass all filtering.

SSL

O2 cannot Man in the Middle (MiTM) SSL connections so any website that has an SSL component and not yet subject to a High Court Order block is accessible over SSL.

This also means that you can use a RoutingPacketsIsNotACrime.uk PAC file to get around all filtering despite them banning the HTTP path.

Attacking from Both Sides

Since this is the first time I’ve had access to both sides of the filtering fence I can examine what is happening to our packets to see how O2′s filtering works.

A first attempt at connecting provides the attached packet capture where we can see that our host (OpenBSD) does a DNS lookup for both the A and the AAAA record. The MiFi dongle returns the correct IP addresses for both queries indicating that there isn’t any Nominum style DNS interference going on.

Packet 5 is the start of the HTTP sequence and everything is going fine, in packet 8 curl sends the host header we’re after, at this point there’s a rogue TLSv1 encrypted connection to 185.29.44.9 (o2bb.winint.net and mobilebroadbandaccess.o2.co.uk – we’ll delve into this later) which is from an earlier session.

Packet 11 appears to be an ACK from my server in response to packet 8 however packets 12 and 13 shows that the server sent a 302 redirect to send the browser to http://assets.o2.co.uk/18plusaccess. Well we know that this isn’t true. Interestingly we then get some packets (16,17 and 19) that Wireshark flags as out of order and duplicate responses to the earlier packets.

From this we can make a couple of assumptions, the first that O2′s filtering system relies on a deep packet or proxy inspection of the host header and secondly that there is possibly a race condition for returning HTTP packets.

Hacking RFCs

RFC 2616 section 14.23 dictates that a valid HTTP/1.1 request will contain a host header but doesn’t specify how many (for obvious reasons), so lets see if we can abuse this by manipulating the HTTP headers using curl e.g;

curl 89.151.84.121 -H 'Host: o2-censor.com' -H 'routingpacketsisnotacrime.uk'

The HTTP request is allowed through without issue however the web server at the other end will also ignore the second Host header and attempt to serve the first.

Passing the first host header as an empty string and the second as the host we want results in a block. Maybe we’ll come back to this later (custom build of apache + browser plugin?).

The next test is to see if there is coupling between the IP and HTTP host.

curl 46.4.22.9 -H 'routingpacketsisnotacrime.uk'

Still results in a block. OK, well we know that O2 can’t interfere with 443, it’s possible that they see the cypto handshake or that they see it’s not port 80 and ignore it so I tried setting an apache host to listen on 8081 but the Host header was still detected and blocked.

On a whim I tried using a RoutingPacketsIsNotACrime.uk PAC file served over SSL and that worked which was a relief.

Anyhow, back to messing with host headers. Since we know that O2 rely on the Host header lets set a rubbish DNS name in /etc/hosts (or C:\windows\system32\drivers\etc\hosts for you Windows people) and configure apache to serve the censored website on a given IP regardless of host header (a default vhost if you will).

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
89.151.84.121 routingpacketsisgreat.fucko2

Success! As you can see in packet 4 of this Wireshark packet capture we sent a Host header of routingpacketsisgreat.fucko2 and received the correct response back from the server which is a 302 to https://RoutingPacketsIsNotACrime.uk and since we know that SSL is not interfered with the connection continues.

For completeness sake lets see what a censored connection looks like from the server side.

When sending a HTTP GET to wtfismyip.com the IP returned was consistently 82.132.245.233 however as we can see from the packet capture the IP that reached out to my server was 82.132.245.111. It starts the first part of the TCP handshake and then sends a TCP reset.

From within the O2 network this server appears to be listening on thousands of ports whereas from an outside source it appears that there are no listening ports.

All servers within the 82.132.244.0/24 have a PTR record of dab-rcn1-h-xx-3.dab.02.net where xx does increase with each IP but does not correlate to the IP itself.

There appears to be a limited form of session or IP ‘stickiness’ with repeated connections to differing remote IPs always coming from the same host (e.g. a.b.c.d ‘sticks’ to dab-rcn1-h-ab-3.dab.02.net but e.f.g.h ‘sticks’ to dab-rcn1-h-xy-3.dab.02.net).I didn’t test the longevity of the stickiness but it doesn’t really matter.

Using our fake Host header trick the connection completes but still comes from the 82.132.245.0/24 range (although in other captures I’ve seen 82.132.244.0/24). So it would appear that these proxies will evaluate all plain text traffic regardless of whether the IP is known to host blocked content.

The TCP dump indicates that whilst the initial TCP handshake happens the upper layer (HTTP) doesn’t until the proxy has evaluated the host header which means the second assumption about a possible race condition was incorrect.

StreamShield

As an interesting aside by evaluating how the server responds to certain requests it’s fairly likely that these filtering boxes are running some form of Linux, that conclusion is further strengthened by the fact that BAE is hiring Linux C++ engineers for their StreamShield product which we know from Court documents is what O2 use.

o2-streamshieldThe BAE StreamShield system is quite nasty, enabling real time deep packet inspection of various protocols (which is how it picks out the host header from HTTP streams) but can also do real time filtering based on the content of the returned data.

It also gathers and stores all that information about you so that O2 can hand over details about what you’ve been doing to anyone who asks thanks to the Data Retention and Investigatory Powers Act.

Returning to 185.29.44.9

This IP block belongs to a company called IMIMOBILE EUROPE LTD who appear to be in the business of monetizing mobile customers through a variety of means.

185.29.44.9 is mobilebroadbandaccess.o2.co.uk and is part of a joint venture between the two to create self service portals.

Interestingly you can put any O2 phone number in, from any Internet connection (including Tor) and it will divulge a limited amount of information about the account.

o2-selfservice

Little though the information may be, with scams such as the “Microsoft Event View Tech Support” or “Compromised Bank Card key in your Pin” call it is dangerous to tell the wrong people when another persons PAYG SIM expires and how much data is left, vulnerable people can be convinced with less. But then again, we’re talking about the company that censored the NSPCC and ChildLine websites so looking after vulnerable people isn’t top of their priorities.

So, I’m down another £40 but it’s been very interesting to play with O2′s censorship technology which, it turns out, is easy to circumnavigate because the ‘Net interprets censorship as damage and routes around it.

To prohibit the reading of certain books is to declare the inhabitants to be either fools or slavesClaude Adrien Helvétius

blogimg-opendns

Defeating DNS Based Filtering (Sky, BT etc) with DNSCrypt

Several of the “Big Five” ISPs utilise a form of filtering that intercepts DNS requests and spoof replies for sites that are on the block list, in certain cases if you are able to resolve the IP address out-of-band (e.g. a hosts file) then you can browse uninterrupted.

We already know that most ISP implementations of filtering cannot intercept and block SSL protected HTTP traffic and in the same way DNSCrypt turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks.

It doesn’t require any changes to domain names or how they work, it simply provides a method for securely encrypting communication between people and our OpenDNS’ servers.

The DNSCrypt code base is open source and it’s available on GitHub.

Download for Mac
Download for Windows
Linux can be installed via your favourite package manager

Once installed just set your DNS server to be 127.0.0.2 and you should be set to go.

If you have any issues or need more help with installation check out; http://dnscrypt.org/

thankyou_img

Building a PIPCU Resistant Immunicity Style Proxy Using Tor

A Little History

In June 2004 BT took the step of putting technical measures in place that allowed them to censor the Internet.

At the time there was muffled dissent at the idea of creating and deploying such technology but those voices were silenced by accusations that opposition to CleanFeed was to support the abuse of children.

We warned that this was the start of a slippery slope.

In 2011 the MPA took BT to court in an attempt to block Newzbin, when the Honourable Justice Arnold understood that BT already had an Internet censorship system in place he ordered it to be used to block Newzbin

In respect of its customers to whose internet service the system known as Cleanfeed is applied whether optionally or otherwise, [BT] shall within 14 days adopt the following technical means to block or attempt to block access by its customers to the website known as Newzbin2 currently accessible at www.newzbin.com, its domains and sub-domains and including payments.newzbin.com and any other IP address or URL whose sole or predominant purpose is to enable or facilitate access to the Newzbin2 websiteHon Justice Arnold

On the back of the Newzbin success various other private entities took to the High Court to chase more ISPs and in February 2012 the Honourable Justice Arnold ruled

… that both users and the operators of TPB infringe the copyrights of the Claimants (and those they represent) in the UK.Hon Justice Arnold

The result of this ruling was that BT, TalkTalk, Sky and others were required to take measures to block or at least impede access by their customers to a peer-to-peer (“P2P”) file-sharing website called The Pirate Bay (“TPB”).

At the time the OpenRightsGroup issued the following statement;

Blocking the Pirate Bay is pointless and dangerous. It will fuel calls for further, wider and even more drastic calls for internet censorship of many kinds, from pornography to extremism.Jim Killock, Executive Director of the Open Rights Group

So here we are in 2014, a decade after we originally predicted the slippery slope of Internet censorship and we have Court ordered censorship at the behest of foreign private entities, secret URL blocklists courtesy of the IWF, varying levels of Internet Filtering in homes, Internet filtering in coffee shops etc and now the City of London Police appear to be using organised Crime Legislation to intimidate and shut down proxies.

How a PAC Proxy Works

The PAC (Proxy auto-config) file format was originally designed by Netscape in 1996 for the Netscape Navigator 2.0 and is a text file that defines which URLs are to be routed over a proxy and optionally which proxy to use on a per URL basis.

A very basic PAC file could look like this;

function FindProxyForURL(url, host) 
{    
    var list = new Array("wtfismyip.com","www.ipchicken.com");
    for(var i=0; i < list .length; i++)
    {
        if (shExpMatch(host, list[i]))
        {
           return "SOCKS socks.survivetheclaireperryinter.net:9050";
        }
    }
    return "DIRECT";
}

This PAC file defines two URLs (wtfismyip.com and www.ipchicken.com) and tells the browser that these URLs should be routed via the SOCKS proxy socks.survivetheclaireperryinter.net using port 9050. Any other URLs are routed directly (as in not using a proxy).

The Tor Project is one of the most powerful tools we have against Internet censorship and one of the features of a Tor relay is the ability to be used as a SOCKS proxy.

There are lots of Tor relays on the Internet that are configured not only as Bridges, pluggable transports, Exits & relays but also as SOCKS servers. We will create a Tor relay to be coupled with a PAC file to selectively route certain URLs over The Onion Routing network to bypass censorship.

Using the Tor PAC Proxy

To test a Tor powered PAC proxy simply set your Browser Proxy settings to; https://RoutingPacketsIsNotACrime.uk/pac.config?id=piratebay this will allow you to browse to thepiratebay.se via a Tor proxy in Russia.

To create your own list of URLs to route via your Tor proxy start by navigating to https://RoutingPacketsIsNotACrime.uk and identify which URLs you would like to route.

Note that the only URL selected by default is wtfismyip.com. To re-iterate, this is a technical demonstration of Censorship evasion and bypassing censorship is NOT illegal.

Add all of your URLs separated by a comma e.g. “google.com, yahoo.com, bing.com” then click “Save PAC File”.

Make note of your unique PAC file URL e.g. https://RoutingPacketsIsNotACrime.uk/pac.config?id=ABCDEF1234567890

Configure your browser to use your unique PAC file


Configure Internet Explorer

  1. Go to Start then Control Panel. (Windows 8 users hover your mouse to the bottom right, click Settings, then click Control Panel)
  2. Find Internet Options (sometimes under Network and Internet), then go to the Connections tab.
  3. At the bottom, click the LAN settings button.
  4. A new dialog will appear. Tick the box that says Use automatic configuration script.
  5. In the address field, paste in your unique PAC file ID e.g. https://RoutingPacketsIsNotACrime.uk/pac.config?id=ABCDEF1234567890
  6. Press OK, then OK on the Internet Options dialog.

Configure Mozilla Firefox

  1. In Mozilla Firefox, go to Options. In Windows, click the Firefox button then choose Options, or go to Tools, then Options. In Mac OS X, go to Firefox, then Preferences. In Linux, go to Tools, Options.
  2. Go to the Advanced tab, then go to the Network tab.
  3. Click Settings next to Configure how Firefox connects to the Internet.
  4. Select Automatic proxy configuration URL.
  5. In the text field, paste in your unique PAC file ID e.g. https://RoutingPacketsIsNotACrime.uk/pac.config?id=ABCDEF1234567890
  6. Press OK, then OK on the Options dialog.

Configure Google Chrome

  1. In Google Chrome, click the menu button to the right of the URL bar, and choose Settings.
  2. At the bottom, click the Show advanced settings
  3. Under Network, click Change proxy settings.
    1. On Windows, at the bottom click the LAN settings button. A new dialog will appear. Tick the box that says Use automatic configuration script.
    2. On Mac OS X, tick Automatic Proxy Configuration.
    3. On Linux, click Network proxy, select Automatic from the Method drop down menu.
  4. In the address field, paste in your unique PAC file ID e.g. https://RoutingPacketsIsNotACrime.uk/pac.config?id=ABCDEF1234567890
  5. Close the dialogs to save the settings. On Mac OS X, press Apply first.

You’ll note that the PAC file specifies the proxy as localhost:9050, trying to visit the URLs in question won’t work until we setup the local Tor relay.

Creating Your Local Tor Proxy

If you want to help the Tor network grow and create your own proxy to use with the RoutingPacketsIsNotACrime PAC files then these instructions should get you started.

If you don’t already have a dedicated server consider visiting DigitalOcean, Amazon EC2 or for some really good deals check LowEndBox.com.

For various reasons I would suggest hosting the server outside of the UK but that is a choice for you to make.

CentOS 6

Install EPEL

wget http://www.mirrorservice.org/sites/dl.fedoraproject.org/pub/epel/6/i386/epel-release-6-8.noarch.rpm
yum install epel-release-6-8.noarch.rpm

Edit iptables

vim /etc/sysconfig/iptables

Allow the ORPort and the proxy port (in this case 9001 and 9150)

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9001 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9150 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Save and quit

/etc/init.d/iptables restart

If your server has IPv6 then make similar changes to ip6tables

Editing torrc

vim /etc/tor/torrc

A minimal torrc for use with a PAC file style proxy would look similar to the below (although you should read all the options to understand what you are doing);

SocksPort xx.xx.xx.xx:9150
ORPort 9001
Nickname TheNameOfYourRelay
ContactInfo YourContactDetails
ExitPolicy reject *:*

xx.xx.xx.xx should be a routeable IP (e.g. not 127.0.0.1) of your server, if you want to keep your relay server partially private you might want to add PublishServerDescriptor 0 to your config too.

There is no security here, if someone port scanned your server then they would see that it is an open proxy and could use it to do nasty things that people will blame you for!
If your Tor relay is on a public IP (e.g. not 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16) then you may want to restrict the IPTables allow rule to only allow your source IP addresses

Start Tor & Confirm it is working

/etc/init.d/tor start
tail -f /var/log/messages

You should see something along the lines of;

socks Tor[31452]: Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
socks Tor[31452]: Bootstrapped 85%: Finishing handshake with first hop.
socks Tor[31452]: Bootstrapped 90%: Establishing a Tor circuit.
socks Tor[31452]: Tor has successfully opened a circuit. Looks like client functionality is working.
socks Tor[31452]: Bootstrapped 100%: Done.
socks Tor[31452]: Performing bandwidth self-test...done.

Done!

Assuming you have chosen the URLs you wanted in the previous section (Using the Tor PAC Proxy) you can now browse to the URLs that were previously censored as they are now being routed over Tor. Any non-restricted URLs will route over your normal Internet connection.

Windows

Follow our tutorial on Securely Installing Tor on Windows to get the full Tor Browser bundle up and running.

Once installed and started Tor will be running on localhost:9150 (do not close the Tor Browser as this will also close the relay)

Done!

Assuming you have chosen the URLs you wanted in the previous section (Using the Tor PAC Proxy) you can now browse to the URLs that were previously censored as they are now being routed over Tor. Any non-restricted URLs will route over your normal Internet connection.

Some Final Thoughts (and quotes)

Internet Censorship is abhorrent, we shouldn’t stand by and let the Government, Police or lawyers dictate what we can read. The slippery slope is getting steeper every day so we all need to help stop it.

When bad men combine, the good must associate; else they will fall, one by one, an unpitied sacrifice in a contemptible struggle.Edmund Burke

I always wondered why somebody doesn’t do something about that. Then I realized I was somebody.Lily Tomlin

Withholding information is the essence of tyranny. Control of the flow of information is the tool of the dictatorship.Bruce Coville

Who is more to be pitied, a writer bound and gagged by policemen or one living in perfect freedom who has nothing more to say?Kurt Vonnegut

Once a government is committed to the principle of silencing the voice of opposition, it has only one way to go, and that is down the path of increasingly repressive measures, until it becomes a source of terror to all its citizens and creates a country where everyone lives in fear.Harry S. Truman

Free societies…are societies in motion, and with motion comes tension, dissent, friction. Free people strike sparks, and those sparks are the best evidence of freedom’s existence.Salman Rushdie

All men dream: but not equally. Those who dream by night in the dusty recesses of their minds wake in the day to find that it was vanity: but the dreamers of the day are dangerous men, for they may act their dreams with open eyes, to make it possible.T.E. Lawrence

bg-telesales-signpost

Bypassing EE’s Content Lock system without a credit card or identifying yourself

When you buy a service from EE it will be filtered at their moderate level by default, the other options are Strict and Off.
Strict is designed to be safe for children and Off is for Adults.

Of course even if you were to request that all filtering to be turned off it is still possible that you’ll fall foul of an incorrect IWF filter and be presented with the following page;
ee-illegal

Putting the IWF and their secret blocklists aside there are many reasons you may not want to disclose information to EE or handover a credit card (you might not have one for instance) but still need to get past their filters that will block a female centric “adult” site that blogs about Censorship due to the content of the copy but will quite happily let you visit LiveLeak.com and watch people get killed.

The good news is that the EE Content Lock is quite easy to circumnavigate.

DNS Spoofing: No
MiTM SSL: No
Deep Packet Inspection: Yes
Destination IP Transit Interference: No
-
Unique Reason for Block: No
Categorised Block: No
Ability to report incorrect block: No

The goto advice is always to download Tor as it will not only bypass all filtering but it will also help mask those who need to use Tor to aid in protecting their privacy.

If you aren’t comfortable with installing software such as Tor then you could follow our guide on Creating a SOCKS5 Proxy which also works perfectly.

Finally the EE Content Lock system cannot MiTM SSL so even for blocked URLs such as http://reddit.com/r/nsfw (note that reddit.com isn’t blocked but /r/nsfw is!) can be accessed by using SSL.
Unfortunately reddit relies heavily on Akamai so the SSL certificate will be incorrect and you really shouldn’t get in the habit of accepting incorrect SSL.

Whilst this post proves it is trivial to bypass Government co-erced filtering it is likely that there will soon be a call to make filtering mandatory and criminalising attempts at bypassing them.

The best way to prevent this is to write to your MP and tell them that you don’t believe that any form of filtering has any place on the Internet.

anonymous1-580x3251

Using Anonymous Visa Cards to Create Untraceable Surveillance / Censorship Avoidance Proxies or Webhosts

It is still possible to anonymously purchase on-line resources which will be useful for those wishing to frustrate Internet surveillance, evade Internet censorship or blow the whistle on something without risking the exposure of their identity.

Finding a pre-paid card that can be purchased in cash with no questions asked is trivially easy, any card or gift shop is likely to have them interspersed with Starbucks gift cards etc.
Prepaid Visa and Mastercards

For this example we’ll choose a £50 VISA card which once you get to the till will actually cost £53.95. Hand over your cash and walk out of the door.

As you leave swing by a Three, EE, O2 or Vodafone store and buy a pre-pay data SIM. Three have a 1Gb SIM for £7.50, buy it with cash and walk out of the store.

By now the VISA card will have activated and should be good to go.

For extra anonymity you may wish to visit a local pawn broker like Cash Converters or CEX and acquire a phone, tablet or laptop so that the IMEI you use with the newly purchased SIM is not one that has previously been tied to your identity.

Open up your VISA card and you’ll notice it has an expiry date, the CVV code on the signature strip and the usual 16 digit credit card number.

card

Setup your 3G connection, optionally install TOR to bypass any ISP restrictions that may be present then navigate to your VPS provider of choice. I’d suggest DigitalOcean.com but there are many others.

Signing up for an account is easy, put in an email address and a password (the email address will have to be a real one as it needs to be verified and it’s where your root passwords are sent but try signing up to something like HushMail.com).
signup

Once logged in you’ll be asked to verify your billing details;
logged_in

Now it’s likely that your use of TOR and a prepaid VISA card will trigger anti-fraud protections; the account will be locked and a support ticket will be raised asking you to identify yourself
verify

The people at DigitalOcean are very good and if you adequately explain your motivations (be it running a website you’d rather not have your name attached too, as a proxy for privacy etc) they are likely to accommodate you without requiring copies of ID or a credit card number tied to your identity. DO NOT ABUSE THEIR TRUST.

Within a few minutes the account will be unlocked and you can launch your virtual machine.

If you login to the VISA pre-pay system you’ll be able to see if the pre-authorisation passed and that you’ll be able to continue paying for your server resources.
balance

You can now host your whistle-blowing blog, a critique of public policy or just use it as a proxy safe in the knowledge that there is virtually no trace back to your true identity.

Do not abuse this ability to do hateful or illegal things, the VPS provider may not be able to identify you but they will shut you down and may even choose to shutdown all other accounts that appear to be of a similar profile to yours. Your actions could prevent someone who genuinely needs this anonymity.