David Cameron recently said in a speech that he would deny potential Terrorists a safe space on the Internet to communicate;
The obvious problem here is that everyone is a potential Terrorist so what David Cameron is actually promising that he intends to legislate against anyone having a means of communication that is secure from Government interference.
We’ve seen that GCHQ and the Police have abused (or just plain broken) laws in order to spy on Journalists, Lawyers and other innocents, the Government can not be trusted with these powers.
In response ASafe.Space has been registered and will contain a few short guides on how to have a safe space to browse the Internet, communicate over Instant Messaging, Email or even Pen and Paper.
Evading censorship and surveillance are one and the same, if the censor doesn’t know what you are saying or what you are reading they can’t stop you nor can they hold it against you.
Today is International Coffee Day so what better day to take the Open Rights Group tag line of “Filters Are For Coffee Not The Internet” and investigate the capabilities of the Internet filtering at various coffee locations.
Costa Coffee / Cafe Nero – O2 Wifi
DNS Spoofing:Partial MiTM SSL:No Deep Packet Inspection:Yes Destination IP Transit Interference:Yes
O2 WiFi requires two-factor registration via a phone number and SMS claiming that it is a legal requirement. This is easily traversed with a disposable PAYG phone (e.g. EE have a Nokia 106 for £4.99 – an excellent option for a burner phone). Once you’ve completed the two-factor check (the first being they record your MAC address) you can start browsing.
The first thing to notice is that unlike their mobile offering the WiFi has several layers of filtering, some DNS queries are intercepted to send you to a block page and even if you resolve the A record out-of-band Squid will intercept and block.
If you manually query a 3rd party DNS server for the record in question then it appears to return normally.
This level of blocking however is hit and miss with domains such as the thepiratebay.se suffering the worst interference but others that are blocked by the default mobile filters aren’t blocked on the WiFi.
Thankfully all the usual bypass methods (Tor, RoutingPacketsIsNotACrime.uk, SSH SOCKS5 tunnel and SSL) work flawlessly despite the use of Squid and DNS interference.
Interestingly O2 have chosen to force Google to not allow SSL searching (so they can inspect the content and block stuff) which also means anyone else in the coffee shop can spy on your browsing. DuckDuckGo.com does still offer SSL searching and isn’t blocked.
Breaking down an O2 Intercept
The packet capture for this attempt to hit http://reddit.com/r/nsfw is here, the pertinent part of the HTTP transfer is below;
GET /r/nsfw HTTP/1.1
User-Agent: curl/7.34.0
Host: reddit.com
Accept: */*
HTTP/1.1 200 OK
Date: Mon, 29 Sep 2014 10:28:51 GMT
X-Template: blacklisted
Content-Type: text/html
Content-Length: 195
Cache-Control: no-cache
X-Cache: MISS from Squid
Via: 1.1 Squid (squid/3.2.11)
Connection: keep-alive
< !DOCTYPE html>
Despite getting the correct A records back from the nameservers in packet 5 we can see in packets 12 onwards that the O2 Squid server (ironically the same software PacketFlagon.is uses to bypass censorship!) returns back some HTML with a meta refresh that instantly directs the browser to their block page.
As shown in this packet capture there is no IP/Host matching it is all done on the GET path and the Host header so Hosts files hacks won’t work either.
High Court blocks are solved using DNS and an attempt to resolve thepiratebay.se returns 127.0.0.1.
The people at Friendly WiFi appear to be quite zealous about blocking “pornography” and come out with ridiculous claims such as that by putting in their filtering one gets a “porn free city”
Thanks @stephen_mosley for supporting our campaign to make Chester world's first #pornfreecity @chestertweetsuk pic.twitter.com/WlL4X1cOJv
— getmedigital.com (@getmedigital) September 23, 2014
Thankfully their blocks are almost as easy to bypass as O2′s. Interestingly, unlike O2, Starbucks and BT don’t believe they are required to legally know who is using their WiFi and no registration is required.
DNS Spoofing:Yes MiTM SSL:No Deep Packet Inspection:Yes Destination IP Transit Interference:No
Websites that are blocked due to sub-content (e.g. reddit.com/r/nsfw) are blocked over HTTP but accessible over SSL. Interestingly thepiratebay.se is reachable over SSL e.g.
Using PAC files such as RoutingPacketsIsNotACrime.uk was hit and miss and requires some more investigation but other bypass options such as SSL, Tor and using an SSH SOCKS5 tunnel all worked without issue.
BT also force Google to downgrade search to a non-ssl version which means others could monitor your search terms.
Breaking down a BT Intercept
When trying to hit reddit.com/r/nsfw this packet capture shows a HTTP 302 is returned rather than the site we’re after.
GET /r/nsfw HTTP/1.1
User-Agent: curl/7.34.0
Accept: */*
Host: reddit.com
HTTP/1.1 302 Found
Location: http://217.41.225.106/redirect/starbucks/index.html
An attempt to reach thepiratebay.se resulted in a forged DNS reply for 193.113.9.167 that simply displays the words “Error – site blocked”
Interestingly as shown in this packet capture, resolving the A record out-of-band and then passing a HTTP request through works fine!
Bonus – EE Hotspot
During my travels between coffee shops I stumbled across an EE hotspot which had a completely different set of filtering as it uses OpenDNS.
DNS Spoofing:Yes MiTM SSL:No Deep Packet Inspection:No Destination IP Transit Interference:No
Much like O2 you are required to register using a phone and EE uses www.picopoint.com to do this.
The filtering is very lax with reddit.com/r/nsfw and the Pirate Bay being allowed through however shock sites like rotten.com resolve to 67.215.65.130 which results in an OpenDNS block page.
Since the filtering is entirely DNS based out-of-band resolution, RoutingPacketsIsNotACrime, Tor and SSH SOCKS5 tunnels all work fine.
I’ve drank far too much coffee today and it’s a shame that public establishments feel it necessary to put censorship technology that performs excessive over-blocking (how is torproject.org sexual?) but at least it is still easy to bypass.
The City of London Police Police Intellectual Property Crime Unit (PIPCU) arrested the operator of immunicity.org “on suspicion of running an ‘umbrella’ website providing access to other websites which have been subject to legal blocking orders.”
So some private entities sued some other private entities to prevent their customers from accessing certain websites. This, as far as I understand it, was a civil matter. How does the City of London Police gain the ability to arrest someone how was not party to either side of the civil matter.
An arrest is the act of depriving a person of his or her liberty usually in relation to the purported investigation or prevention of crime.Wikipedia
Routing packets is NOT A CRIME. What the fuck do they think they are up to?
@darkmobius suspected that the proxy server was providing access to sites subject to blocking orders for carrying illegal content.
— City Police PIPCU (@CityPolicePIPCU) August 8, 2014
Thankfully http://immunicity.co.uk/ and http://immun.es/ have already launched to help fill the space and more Tor Project relays are spinning up every day but let’s not stop there, if we don’t complain then they will continue to arrest and harass operators of these servers.
I would encourage people to complain to the City of London Police directly by tweeting at @CityPolice, by phone at 020 7601 2222, directly on their website with either this form (Public Complaints) or this form (Expression of Dissatisfaction) or by email; [email protected]
If you have time then also make a complaint to the Independent Police Complaints Commission by calling on 0300 020 0096 or via the website: http://www.ipcc.gov.uk/complaints (it probably wouldn’t hurt to tweet @IPCCNews as well).
As always check our Top Ways to Avoid Filters page for the latest information on the best way to avoid Internet filtering be it performed by the state, ISPs, special interest groups or because your current method was illegally shutdown by a police force overstepping the mark.
Update: September – Immunicity,co.uk has shutdown and immun.es is very unreliable.
It is still possible to anonymously purchase on-line resources which will be useful for those wishing to frustrate Internet surveillance, evade Internet censorship or blow the whistle on something without risking the exposure of their identity.
Finding a pre-paid card that can be purchased in cash with no questions asked is trivially easy, any card or gift shop is likely to have them interspersed with Starbucks gift cards etc.
For this example we’ll choose a £50 VISA card which once you get to the till will actually cost £53.95. Hand over your cash and walk out of the door.
As you leave swing by a Three, EE, O2 or Vodafone store and buy a pre-pay data SIM. Three have a 1Gb SIM for £7.50, buy it with cash and walk out of the store.
By now the VISA card will have activated and should be good to go.
For extra anonymity you may wish to visit a local pawn broker like Cash Converters or CEX and acquire a phone, tablet or laptop so that the IMEI you use with the newly purchased SIM is not one that has previously been tied to your identity.
Open up your VISA card and you’ll notice it has an expiry date, the CVV code on the signature strip and the usual 16 digit credit card number.
Setup your 3G connection, optionally install TOR to bypass any ISP restrictions that may be present then navigate to your VPS provider of choice. I’d suggest DigitalOcean.com but there are many others.
Signing up for an account is easy, put in an email address and a password (the email address will have to be a real one as it needs to be verified and it’s where your root passwords are sent but try signing up to something like HushMail.com).
Once logged in you’ll be asked to verify your billing details;
Now it’s likely that your use of TOR and a prepaid VISA card will trigger anti-fraud protections; the account will be locked and a support ticket will be raised asking you to identify yourself
The people at DigitalOcean are very good and if you adequately explain your motivations (be it running a website you’d rather not have your name attached too, as a proxy for privacy etc) they are likely to accommodate you without requiring copies of ID or a credit card number tied to your identity. DO NOT ABUSE THEIR TRUST.
Within a few minutes the account will be unlocked and you can launch your virtual machine.
If you login to the VISA pre-pay system you’ll be able to see if the pre-authorisation passed and that you’ll be able to continue paying for your server resources.
You can now host your whistle-blowing blog, a critique of public policy or just use it as a proxy safe in the knowledge that there is virtually no trace back to your true identity.
Do not abuse this ability to do hateful or illegal things, the VPS provider may not be able to identify you but they will shut you down and may even choose to shutdown all other accounts that appear to be of a similar profile to yours. Your actions could prevent someone who genuinely needs this anonymity.
On the same day that the BBC reports that “Children can turn off Net Filters” a LibDem Lord has asked whether the choice of filtering should be taken out of parents (read everyone’s) hands and be made compulsory
I also welcome the recognition by the Prime Minister and the Secretary of State for Culture, Media and Sport of the need for adequate filtering to protect young people from online abuse. However, as was discussed in this House only recently with the Online Safety Bill of the noble Baroness, Lady Howe, should we not be making filtering compulsory? Is it enough simply to leave it up to parents to make the choice about appropriate safety features?Lord Clement-Jones
Within weeks of the filters that everyone predicted would herald a slippery slope to mandatory filtering with ever encroaching levels of censorship going online we’ve already started to slide.
This article is for use on a Linux/Mac computer (desktop / laptop etc). A Windows guide will be available at a later date.
If you don’t currently run Linux on your desktop I would strongly suggest it. Try Fedora or Ubuntu. If you don’t want to run Linux permanently but do want to try this method then a Live Boot CD of Fedora or Ubuntu (or any other Linux OS of your choice) would be an ideal method.
Servers in datacenters are extremely unlikely to experience filtering so by tunnelling your connection through to a server you can browse the Internet without worrying if your connection is being restricted or surveilled.
IMAGE
Signing up with Digital Ocean
Navigate to www.DigitalOcean.com and click the Signup button at the top of the page. Enter an email address and a password. You may want to use an anonymous email provider such as Hushmail.com to protect your privacy and a strong password you’ve not used anywhere else. Important: The email address must be real as your server password will be emailed to you.
Once logged in you’ll have access to the initial control panel;
Click get started which will take you to the billing page, you can either use a credit card (you may want to use an anonymous Visa / Mastercard, search online for keywords such as prepaid, anonymous etc) or PayPal.
Once your payment is processed and cleared (check billing for tracking your pre-paid balance if using PayPal) or refresh the droplets page to see the below;
Click Create Droplet!
Choose a friendly name for the server (aka Droplet), this name is not important feel free to use how-to.survivetheclaireperryinter.net if you want to. Leave the Size option alone (or if a larger size is selected change to to 512Mb/20Gb/1Tb as this is only $5 / £3 a month). For lower latency and a reduced chance of NSA eavesdropping choose an Amsterdam datacenter (not necessary but recommended).
Scroll down for more settings. For the purposes of this tutorial choose CentOS and then the latest CentOS version (currently 6.4) then click Create Droplet.
After a few seconds of watching the following screen your server will be created and you should have received an email with your root password.
Behold your new server, make note of the IP address at the top near the word active. In this case the IP address is 95.85.54.190Check your inbox and you should have an email with the IP address, the user name (root) and your password. It’s very important you don’t write a blog post and publish your username and password because bad things will happen to your server
Now we’re ready to create a proxy.
Testing the Proxy / Tunnel
Assuming you are logged into your Linux computer load up a terminal.Type the following;
Replace the IP address with your own. You’ll be informed that the authenticity of the host can’t be established which is true because you don’t know what the RSA key fingerprint is. You can choose to accept it and continue or be paranoid and bail. If you chose to continue you will be prompted for you password that was sent by email.
Load up another terminal (or a tab) and type the following;
You should see the following output indicating that your ISP is Digital Ocean.
You could immediately configure your browser etc to use these settings but you should try and be a bit more thorough.
Configuring the Proxy / Tunnel for long term use
Exit all of the terminals opened in the previous step which will close all tunnels and SSH sessions and we’ll get started on making this a little more secure.
First things first is to change the root password from the one that was emailed to you. Load up a terminal and ssh in;
Once logged in change the password with the passwd command. Ensure you use a different password to anything else you have.The root user is the most powerful user on a Linux server and can delete anything and everything so you really don’t want to be using it for everyday tasks. For creating the tunnel we want to use a non-privileged user. To do this simply type the following (feel free to replace the name tunnel with your name or anything, it’s just a username and isn’t important);
useradd tunnel
Now change the password for this user by passing the username to the passwd command used earlier, make sure you use a strong password and one that isn’t that same as any of your others;
passwd tunnel
Load up a new tab on your local machine and try logging in as your new user;
For this example I’m going to use Firefox but feel free to try it out with others. In the address bar type about:config, you’ll be presented with the following screen;
Assuming you are going to be careful click the button.
In the Search bar at the top type proxy, then look for the strings network.proxy.socks and network.proxy.socks_port, type in the values from the command above (127.0.0.1 and 8080). If your ISP filters DNS then you may want to toggle network.proxy.socks_remote_dns too (don’t forget to change your name servers!).
Finally change network.proxy.type to 1.
To test, simply load up a new Firefox tab and attempt to access a blocked page.
So there you have it, an easy way to get past any Web filtering and as an added bonus since your traffic is encrypted between your computer and your server in Amsterdam neither your ISP nor the UK Government can monitor it.
Traffic egressing the server can still be tracked and recorded. With the right combination of warrants and traffic capture at the Digital Ocean datacenter coupled with your home ISP logs illegal activity can still be traced back to you! Only use this to method to bypass filters,
Upcoming articles include creating a dedicated Raspberry PI proxy for use with multiple devices (phones, tablets, Windows PCs etc) and setup guides for other server providers. Make sure you follow @STCPI on Twitter for updates!
Initial research indicates that even attempting to use 3rd Party DNS servers on some ISPs elicits a spoofed response which indicates that these ISPs are intercepting and monitoring ALL DNS queries you make. This presents a variety of concerns such as the accuracy of SPF, DNS-SEC or TXT responses but that’s a topic for another time.
Circumnavigation:
If you discover that you are getting faked responses and are unable to reach the correct webserver follow the steps below.
Get the A Record
Navigate to a website such as http://www.dnsstuff.com/tools
Look for the DNS Lookup tool
In the text box enter the URL you are trying to reach (e.g. www.google.com)
Select A from the record type
Submit the request and make a note of the IP address returned.
Edit the Hosts file
Windows
Start notepad.exe as an Administrator
Open C:\Widnows\System32\drivers\etc\hosts
Add the URL and the IP address in the format shown below; 173.194.34.67 www.google.com
Save the file ensuring that a file suffix isn’t appended
Linux / Mac
Open /etc/hosts as the superuser with your editor of choice (vim!)
Add the URL and the IP address in the format shown below; 173.194.34.67 www.google.com
Save the file ensuring that a file suffix isn’t appended
Testing
Load up a cmd prompt (Ctrl + R, type cmd, press return)
Type nslookup www.google.com
Ensure you receive the IP address you entered in the hosts file
If the ISP is using BGP filtering methods, Deep Packet Inspection (DPI) or a transparent proxy then this still may not work as they’ll detect traffic going to the blocked IP subnet and act accordingly.
Keep an eye on our How to Evade Blocks page and follow @STCPI on Twitter for more methods to discover and evade Internet censorship.
An enterprising Computer Student from Singapore going by the name @nubela on Twitter has released a Chrome plugin that allows people to evade some of the ISP filters.
On his websites goawaycameron.co.uk he has published a mini FAQ and a getting started guide;
Will this work outside of UK?
Yes! This will work anywhere, and with any websites that are blocked by firewall, universities, workplaces, nanny filters, or well, censorship.
What is “Go away Cameron”?
“Go away Cameron”, or GAC, is a chrome extension that automates a private and smart proxy service to route your access around censorship so you can regain your access to your favourite blocked sites in UK.
Is it legal?
GAC is essentially a smart proxy service. And I don’t believe a proxy service is illegal.
Are you harvesting info?
No, no logs are stored.
Can you trace who I am?
No, I can’t even do that. Other from your IP address, which isn’t logged as well. But how can you know for sure? See my answer to the last question.
Is it safe?
It is even safer than you using any unknown Hotspot Shield, or surfing websites through the random web proxy (which you already am and needs no setting up in case you don’t know, thats how they block you from the websites). In fact, it is even FASTER. Because the server uses better international routing than your homeline internet. And most of the blocked websites are international.
Why do you need the permission to “access data on all websites?”
Because blocked sites lie on arbitrary urls! And I don’t have, nor will I ever can have, an exhuastive list of UK banned sites. What I can do is to merely detect whether the website returns you an error message saying UK blocked it. (This is when the extension kicks in). I think I have an at most 10line code that checks for this. I welcome you to check the code for this.
Why do you need the permission to “access tabs and browsing activity?”
Because I apply a private proxy (not public, so even safer) to your browser temporarily for you to be able to view the banned website. But because it is private, it needs to enter the username and password to the proxy. Which I don’t want you to manually enter, so I hijack the process and manually enter it for you. So thats why I need this permission so I can make it seamless for you. I promise I do nothing more than that.
What is your intention for making this?
3 reasons. One, It was a holiday project as I was learning Twitter bootstrap. Two, I enjoy my internet freedom, and urge all of you to never give that up, let alone to any government agencies. Three, I did have some blind hopes for it going viral.
@nubela
Well here’s to hoping it, and the reasons for needing it, go viral!
Install Go Away Cameron for Chrome
Update:
Mainstream news have picked up on the story:
http://www.wired.co.uk/news/archive/2013-12/23/go-away-cameron
http://www.telegraph.co.uk/technology/internet-security/10534618/Go-Away-Cameron-browser-extension-bypasses-UK-porn-filters.html
http://www.techradar.com/news/internet/-go-away-cameron-chrome-extension-nullifies-pm-s-porn-blockade-1210457
http://metro.co.uk/2013/12/20/go-away-cameron-browser-extension-lets-users-bypass-uk-porn-filters-4238809/
