BwheKLxCQAAdzAP.jpg large

Filters Are For Coffee – Not The Internet

Today is International Coffee Day so what better day to take the Open Rights Group tag line of “Filters Are For Coffee Not The Internet” and investigate the capabilities of the Internet filtering at various coffee locations.

Costa Coffee / Cafe Nero – O2 Wifi

DNS Spoofing: Partial
MiTM SSL: No
Deep Packet Inspection: Yes
Destination IP Transit Interference: Yes

O2 WiFi requires two-factor registration via a phone number and SMS claiming that it is a legal requirement. This is easily traversed with a disposable PAYG phone (e.g. EE have a Nokia 106 for £4.99 – an excellent option for a burner phone). Once you’ve completed the two-factor check (the first being they record your MAC address) you can start browsing.

The first thing to notice is that unlike their mobile offering the WiFi has several layers of filtering, some DNS queries are intercepted to send you to a block page and even if you resolve the A record out-of-band Squid will intercept and block.

If you manually query a 3rd party DNS server for the record in question then it appears to return normally.

This level of blocking however is hit and miss with domains such as the thepiratebay.se suffering the worst interference but others that are blocked by the default mobile filters aren’t blocked on the WiFi.

Thankfully all the usual bypass methods (Tor, RoutingPacketsIsNotACrime.uk, SSH SOCKS5 tunnel and SSL) work flawlessly despite the use of Squid and DNS interference.

Interestingly O2 have chosen to force Google to not allow SSL searching (so they can inspect the content and block stuff) which also means anyone else in the coffee shop can spy on your browsing. DuckDuckGo.com does still offer SSL searching and isn’t blocked.

Breaking down an O2 Intercept

The packet capture for this attempt to hit http://reddit.com/r/nsfw is here, the pertinent part of the HTTP transfer is below;

GET /r/nsfw HTTP/1.1
User-Agent: curl/7.34.0
Host: reddit.com
Accept: */*

HTTP/1.1 200 OK
Date: Mon, 29 Sep 2014 10:28:51 GMT
X-Template: blacklisted
Content-Type: text/html
Content-Length: 195
Cache-Control: no-cache
X-Cache: MISS from Squid
Via: 1.1 Squid (squid/3.2.11)
Connection: keep-alive
< !DOCTYPE html>
<html>
<head>
    <meta http-equiv="refresh" content="0; url=https://www.o2wifi.co.uk/pages/n4?bd=http://reddit.com:80/r/nsfw"/>
    <title></title>
</head>
<body>
</body>
</html>

Despite getting the correct A records back from the nameservers in packet 5 we can see in packets 12 onwards that the O2 Squid server (ironically the same software PacketFlagon.is uses to bypass censorship!) returns back some HTML with a meta refresh that instantly directs the browser to their block page.

As shown in this packet capture there is no IP/Host matching it is all done on the GET path and the Host header so Hosts files hacks won’t work either.

High Court blocks are solved using DNS and an attempt to resolve thepiratebay.se returns 127.0.0.1.

Finally some other blocks such as the block of torproject.org are achieved by just silently dropping the packets.

Starbucks – BT / Friendly WiFi

The people at Friendly WiFi appear to be quite zealous about blocking “pornography” and come out with ridiculous claims such as that by putting in their filtering one gets a “porn free city”

Thankfully their blocks are almost as easy to bypass as O2′s. Interestingly, unlike O2, Starbucks and BT don’t believe they are required to legally know who is using their WiFi and no registration is required.

DNS Spoofing: Yes
MiTM SSL: No
Deep Packet Inspection: Yes
Destination IP Transit Interference: No

Websites that are blocked due to sub-content (e.g. reddit.com/r/nsfw) are blocked over HTTP but accessible over SSL. Interestingly thepiratebay.se is reachable over SSL e.g.

curl -k -v https://194.71.107.27 -H 'Host: thepiratebay.se'

Using PAC files such as RoutingPacketsIsNotACrime.uk was hit and miss and requires some more investigation but other bypass options such as SSL, Tor and using an SSH SOCKS5 tunnel all worked without issue.

BT also force Google to downgrade search to a non-ssl version which means others could monitor your search terms.

Breaking down a BT Intercept

When trying to hit reddit.com/r/nsfw this packet capture shows a HTTP 302 is returned rather than the site we’re after.

GET /r/nsfw HTTP/1.1
User-Agent: curl/7.34.0
Accept: */*
Host: reddit.com

HTTP/1.1 302 Found
Location: http://217.41.225.106/redirect/starbucks/index.html

An attempt to reach thepiratebay.se resulted in a forged DNS reply for 193.113.9.167 that simply displays the words “Error – site blocked”

Interestingly as shown in this packet capture, resolving the A record out-of-band and then passing a HTTP request through works fine!

Bonus – EE Hotspot

During my travels between coffee shops I stumbled across an EE hotspot which had a completely different set of filtering as it uses OpenDNS.

DNS Spoofing: Yes
MiTM SSL: No
Deep Packet Inspection: No
Destination IP Transit Interference: No

Much like O2 you are required to register using a phone and EE uses www.picopoint.com to do this.

The filtering is very lax with reddit.com/r/nsfw and the Pirate Bay being allowed through however shock sites like rotten.com resolve to 67.215.65.130 which results in an OpenDNS block page.

Since the filtering is entirely DNS based out-of-band resolution, RoutingPacketsIsNotACrime, Tor and SSH SOCKS5 tunnels all work fine.

I’ve drank far too much coffee today and it’s a shame that public establishments feel it necessary to put censorship technology that performs excessive over-blocking (how is torproject.org sexual?) but at least it is still easy to bypass.

coffeecoffee

image-4479-orig

Claire Perry – Ostrich or Hypocrite?

Claire Perry recently attended an event about tackling domestic violence

Despite numerous reports of Internet filters causing overblocking of domestic abuse help websites including a warning from Woman’s Aid Chief Executive Polly Neate;

Women’s Aid is warning that the new ‘porn filters’ used by most major internet service providers may be putting women experiencing domestic violence and others at risk.
It has been revealed that filters used by all four major providers are blocking access to lifesaving websites providing information on domestic violence and sexual health.
The charity is highlighting that it could be very dangerous for a woman experiencing domestic violence to ‘opt-in’ to domestic violence information sites, as her partner may check her computer and see she’s been accessing the information.Polly Neate Dec 2013

Claire Perry is insisting that such concerns and warnings are “peddling dangerous rubbish”

Is this MP simply sticking their head in the sand so as not to accept the damage they’ve caused or do they want to appear to be doing one thing regardless of what their actions actually cause?

How many children have been unable to reach the NSPCC or Childline website and how many woman have been unable to reach rape or domestic abuse help websites now that the filters are in place?

bg-telesales-signpost

Bypassing EE’s Content Lock system without a credit card or identifying yourself

When you buy a service from EE it will be filtered at their moderate level by default, the other options are Strict and Off.
Strict is designed to be safe for children and Off is for Adults.

Of course even if you were to request that all filtering to be turned off it is still possible that you’ll fall foul of an incorrect IWF filter and be presented with the following page;
ee-illegal

Putting the IWF and their secret blocklists aside there are many reasons you may not want to disclose information to EE or handover a credit card (you might not have one for instance) but still need to get past their filters that will block a female centric “adult” site that blogs about Censorship due to the content of the copy but will quite happily let you visit LiveLeak.com and watch people get killed.

The good news is that the EE Content Lock is quite easy to circumnavigate.

DNS Spoofing: No
MiTM SSL: No
Deep Packet Inspection: Yes
Destination IP Transit Interference: No
-
Unique Reason for Block: No
Categorised Block: No
Ability to report incorrect block: No

The goto advice is always to download Tor as it will not only bypass all filtering but it will also help mask those who need to use Tor to aid in protecting their privacy.

If you aren’t comfortable with installing software such as Tor then you could follow our guide on Creating a SOCKS5 Proxy which also works perfectly.

Finally the EE Content Lock system cannot MiTM SSL so even for blocked URLs such as http://reddit.com/r/nsfw (note that reddit.com isn’t blocked but /r/nsfw is!) can be accessed by using SSL.
Unfortunately reddit relies heavily on Akamai so the SSL certificate will be incorrect and you really shouldn’t get in the habit of accepting incorrect SSL.

Whilst this post proves it is trivial to bypass Government co-erced filtering it is likely that there will soon be a call to make filtering mandatory and criminalising attempts at bypassing them.

The best way to prevent this is to write to your MP and tell them that you don’t believe that any form of filtering has any place on the Internet.

costa_coffee

More Overblocking for reasons of “Sexual Orientation” – This time at Costa Coffee

It didn’t take long for more high profile websites to get overblocked by overzealous filters.

PinkNews.co.uk reported today that it is blocked at Costa Coffee locations due to “Sexual Orientation”.

Yes, we’ve got to protect those kids from the childhood corrupting influence of Gay news.

But don’t worry, in the event that someone then planned on browsing to Stonewall to report what they may feel is an inappropriate block bordering on discrimination they’d find that Stonewall is blocked too.

Things are only going to get worse…

ee_0

EE – Your Internet must be Filtered if *anyone* under 18 has access

So as an Adult it appears you are contractually obliged to be filtered if anyone under the age of 18 is going to “use” the SIM.

And yet EE still don’t tell you exactly what else it is that you’ll be blocked from seeing as their block lists aren’t public.

Internet pornography petition

Claire Perry Proves Once Again That She Has No Idea What She Is Talking About

Two days after internet porn-blocking campaigner MP Claire Perry announced ISP filters were not overblocking content, the government has announced it is.

On top of that Ms Perry consistently berates her constituents and steadfastly sticks to the story that filters aren’t overblocking;

 

jquery

Sky Overblocks and takes out JQuery

ThinkBroadband (amongst others) has reported that Sky has yet again overblocked a website.

This time it was code.jquery.com which a lot of other websites rely on to serve the well know Javascript frameworks core files from.

Things like this are bound to happen, were predicted to happen and will continue to happen, causing untold damage to businesses and people.

JQuery was temporary blocked this morning having been misclassified. Our review process kicked in shortly afterwards and the site was unblocked just over an hour later.Sky

nouveau-logo-league-of-legends

League of Legends patches intercepted by DPI / URL Filters

LazyGamer.net has reported that patches being rolled out for League Of Legends has been blocked due to incidental filenames.

If your patcher logs show many lines like this:

RADS::Common::HTTPConnection::GetFile: File not found

And that happens with files with a name similar to this:

VarusExpirationTimer.luaobj

XerathMageChainsExtended.luaobj

The cause is that your provider is blocking any URLs that contain any pornographic content. Apparently that includes cases like this. An other cause are Router protection settings, which may also block the word sex.

If you are experiencing this problem, you can try to get the whole LoL folder zipped from a friend every time you patch, or just call your ISP to lift the blockade.

Edit: This should only happen to people who switch or signup with new ISPs after a certain date (I’m assuming 1st Jan). The filter won’t be on by default to any existing customers, at least it won’t on BT, so most people will be unaffected. If the filter is on, all it takes is a call to your ISP and it’s off. (thanks to /u/mejti )

Edit2: Read this: http://www.huffingtonpost.com/2013/07/29/uk-internet-filter-block-more-than-porn_n_3670771.htmlhttp://www.reddit.com/user/LoLBoompje

What is obviously quite scary about this revelation is that it means that this might not just be a simple URL or DNS based block but could be indicative of the far more intrusive Deep Packet Inspection technology rolled out by China and TalkTalk.

It’s not a long shot to fear that games will start breaking or gamers will get accused of cheating by software such as Steams VAC if ISPs start blocking data (e.g. chat messages or server instructions) that contain naughty words.

Lord-Clement-Jones-_244642k

Lord asks “Shouldn’t Filters (that don’t work) be compulsory?”

On the same day that the BBC reports that “Children can turn off Net Filters” a LibDem Lord has asked whether the choice of filtering should be taken out of parents (read everyone’s) hands and be made compulsory

I also welcome the recognition by the Prime Minister and the Secretary of State for Culture, Media and Sport of the need for adequate filtering to protect young people from online abuse. However, as was discussed in this House only recently with the Online Safety Bill of the noble Baroness, Lady Howe, should we not be making filtering compulsory? Is it enough simply to leave it up to parents to make the choice about appropriate safety features?Lord Clement-Jones

Within weeks of the filters that everyone predicted would herald a slippery slope to mandatory filtering with ever encroaching levels of censorship going online we’ve already started to slide.

Now more than ever you need to start teaching your friends and family how to survive the Claire Perry Internet.

image002

More smackdowns for the UK Police / Government

TechDirt have reported that EasyDNS have been victorious in their pursuit of due process when it comes to seizure of Domains by the City of London Police.

As you may be aware, the City of London Police’s new intellectual property crime unit took it upon themselves to seize domains they believed were involved in copyright infringement and some registrars co-operated without even asking for a warrant or court order.

Thankfully EasyDNS had this to say;

Who decides what is illegal? What makes somebody a criminal?  Given that the subtext of the request contains a threat to refer the matter to ICANN if we don’t play along, this is a non-trivial question. Correct me if I’m wrong, but I always thought it was something that gets decided in a court of law, as opposed to “some guy on the internet” sending emails. While that’s plenty reason enough for some registrars to take down domain names, it doesn’t fly here.

We have an obligation to our customers and we are bound by our Registrar Accreditation Agreements not to make arbitrary changes to our customers settings without a valid FOA (Form of Authorization). To supersede that we need a legal basis. To get a legal basis something has to happen in court.

The request also suggests we look at the whois contact information for the domain (which looks perfectly valid) and go ahead and suspend the domain based on invalid whois data. Again, there’s a process for that, you have to go through the ICANN Whois Inaccuracy Complaint process and most of the time that doesn’t result in a takedown anyway.

What gets me about all of this is that the largest, most egregious perpetrators of online criminal activity right now are our own governments, spying on their own citizens, illegally wiretapping our own private communications and nobody cares, nobody will answer for it, it’s just an out-of-scope conversation that is expected to blend into the overall background malaise of our ever increasing serfdom.

If I can’t make various governments and law enforcement agencies get warrants or court orders before they crack my private communications then I can at least  require a court order before I takedown my own customer.EasyDNS

Sounds interestingly similar to Andrews & Arnold’s reasons as to why they don’t like blocks doesn’t it?