David Cameron recently said in a speech that he would deny potential Terrorists a safe space on the Internet to communicate;
The obvious problem here is that everyone is a potential Terrorist so what David Cameron is actually promising that he intends to legislate against anyone having a means of communication that is secure from Government interference.
We’ve seen that GCHQ and the Police have abused (or just plain broken) laws in order to spy on Journalists, Lawyers and other innocents, the Government can not be trusted with these powers.
In response ASafe.Space has been registered and will contain a few short guides on how to have a safe space to browse the Internet, communicate over Instant Messaging, Email or even Pen and Paper.
Evading censorship and surveillance are one and the same, if the censor doesn’t know what you are saying or what you are reading they can’t stop you nor can they hold it against you.
In June 2004 BT took the step of putting technical measures in place that allowed them to censor the Internet.
At the time there was muffled dissent at the idea of creating and deploying such technology but those voices were silenced by accusations that opposition to CleanFeed was to support the abuse of children.
We warned that this was the start of a slippery slope.
In 2011 the MPA took BT to court in an attempt to block Newzbin, when the Honourable Justice Arnold understood that BT already had an Internet censorship system in place he ordered it to be used to block Newzbin
In respect of its customers to whose internet service the system known as Cleanfeed is applied whether optionally or otherwise, [BT] shall within 14 days adopt the following technical means to block or attempt to block access by its customers to the website known as Newzbin2 currently accessible at www.newzbin.com, its domains and sub-domains and including payments.newzbin.com and any other IP address or URL whose sole or predominant purpose is to enable or facilitate access to the Newzbin2 websiteHon Justice Arnold
On the back of the Newzbin success various other private entities took to the High Court to chase more ISPs and in February 2012 the Honourable Justice Arnold ruled
… that both users and the operators of TPB infringe the copyrights of the Claimants (and those they represent) in the UK.Hon Justice Arnold
The result of this ruling was that BT, TalkTalk, Sky and others were required to take measures to block or at least impede access by their customers to a peer-to-peer (“P2P”) file-sharing website called The Pirate Bay (“TPB”).
At the time the OpenRightsGroup issued the following statement;
Blocking the Pirate Bay is pointless and dangerous. It will fuel calls for further, wider and even more drastic calls for internet censorship of many kinds, from pornography to extremism.Jim Killock, Executive Director of the Open Rights Group
So here we are in 2014, a decade after we originally predicted the slippery slope of Internet censorship and we have Court ordered censorship at the behest of foreign private entities, secret URL blocklists courtesy of the IWF, varying levels of Internet Filtering in homes, Internet filtering in coffee shops etc and now the City of London Police appear to be using organised Crime Legislation to intimidate and shut down proxies.
How a PAC Proxy Works
The PAC (Proxy auto-config) file format was originally designed by Netscape in 1996 for the Netscape Navigator 2.0 and is a text file that defines which URLs are to be routed over a proxy and optionally which proxy to use on a per URL basis.
A very basic PAC file could look like this;
function FindProxyForURL(url, host)
{
var list = new Array("wtfismyip.com","www.ipchicken.com");
for(var i=0; i < list .length; i++)
{
if (shExpMatch(host, list[i]))
{
return "SOCKS socks.survivetheclaireperryinter.net:9050";
}
}
return "DIRECT";
}
This PAC file defines two URLs (wtfismyip.com and www.ipchicken.com) and tells the browser that these URLs should be routed via the SOCKS proxy socks.survivetheclaireperryinter.net using port 9050. Any other URLs are routed directly (as in not using a proxy).
The Tor Project is one of the most powerful tools we have against Internet censorship and one of the features of a Tor relay is the ability to be used as a SOCKS proxy.
There are lots of Tor relays on the Internet that are configured not only as Bridges, pluggable transports, Exits & relays but also as SOCKS servers. We will create a Tor relay to be coupled with a PAC file to selectively route certain URLs over The Onion Routing network to bypass censorship.
Using the Tor PAC Proxy
To test a Tor powered PAC proxy simply set your Browser Proxy settings to; https://RoutingPacketsIsNotACrime.uk/pac.config?id=piratebay this will allow you to browse to thepiratebay.se via a Tor proxy in Russia.
To create your own list of URLs to route via your Tor proxy start by navigating to https://RoutingPacketsIsNotACrime.uk and identify which URLs you would like to route.
Note that the only URL selected by default is wtfismyip.com. To re-iterate, this is a technical demonstration of Censorship evasion and bypassing censorship is NOT illegal.
Add all of your URLs separated by a comma e.g. “google.com, yahoo.com, bing.com” then click “Save PAC File”.
Make note of your unique PAC file URL e.g. https://RoutingPacketsIsNotACrime.uk/pac.config?id=ABCDEF1234567890
Configure your browser to use your unique PAC file
Configure Internet Explorer
Go to Start then Control Panel. (Windows 8 users hover your mouse to the bottom right, click Settings, then click Control Panel)
Find Internet Options (sometimes under Network and Internet), then go to the Connections tab.
At the bottom, click the LAN settings button.
A new dialog will appear. Tick the box that says Use automatic configuration script.
In the address field, paste in your unique PAC file ID e.g. https://RoutingPacketsIsNotACrime.uk/pac.config?id=ABCDEF1234567890
Press OK, then OK on the Internet Options dialog.
Configure Mozilla Firefox
In Mozilla Firefox, go to Options. In Windows, click the Firefox button then choose Options, or go to Tools, then Options. In Mac OS X, go to Firefox, then Preferences. In Linux, go to Tools, Options.
Go to the Advanced tab, then go to the Network tab.
Click Settings next to Configure how Firefox connects to the Internet.
Select Automatic proxy configuration URL.
In the text field, paste in your unique PAC file ID e.g. https://RoutingPacketsIsNotACrime.uk/pac.config?id=ABCDEF1234567890
Press OK, then OK on the Options dialog.
Configure Google Chrome
In Google Chrome, click the menu button to the right of the URL bar, and choose Settings.
At the bottom, click the Show advanced settings
Under Network, click Change proxy settings.
On Windows, at the bottom click the LAN settings button. A new dialog will appear. Tick the box that says Use automatic configuration script.
On Mac OS X, tick Automatic Proxy Configuration.
On Linux, click Network proxy, select Automatic from the Method drop down menu.
In the address field, paste in your unique PAC file ID e.g. https://RoutingPacketsIsNotACrime.uk/pac.config?id=ABCDEF1234567890
Close the dialogs to save the settings. On Mac OS X, press Apply first.
You’ll note that the PAC file specifies the proxy as localhost:9050, trying to visit the URLs in question won’t work until we setup the local Tor relay.
Creating Your Local Tor Proxy
If you want to help the Tor network grow and create your own proxy to use with the RoutingPacketsIsNotACrime PAC files then these instructions should get you started.
If you don’t already have a dedicated server consider visiting DigitalOcean, Amazon EC2 or for some really good deals check LowEndBox.com.
For various reasons I would suggest hosting the server outside of the UK but that is a choice for you to make.
Allow the ORPort and the proxy port (in this case 9001 and 9150)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9001 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 9150 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Save and quit
/etc/init.d/iptables restart
If your server has IPv6 then make similar changes to ip6tables
Editing torrc
vim /etc/tor/torrc
A minimal torrc for use with a PAC file style proxy would look similar to the below (although you should read all the options to understand what you are doing);
xx.xx.xx.xx should be a routeable IP (e.g. not 127.0.0.1) of your server, if you want to keep your relay server partially private you might want to add PublishServerDescriptor 0 to your config too.
There is no security here, if someone port scanned your server then they would see that it is an open proxy and could use it to do nasty things that people will blame you for!
If your Tor relay is on a public IP (e.g. not 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16)then you may want to restrict the IPTables allow rule to only allow your source IP addresses
Start Tor & Confirm it is working
/etc/init.d/tor start
tail -f /var/log/messages
You should see something along the lines of;
socks Tor[31452]: Self-testing indicates your ORPort is reachable from the outside. Excellent. Publishing server descriptor.
socks Tor[31452]: Bootstrapped 85%: Finishing handshake with first hop.
socks Tor[31452]: Bootstrapped 90%: Establishing a Tor circuit.
socks Tor[31452]: Tor has successfully opened a circuit. Looks like client functionality is working.
socks Tor[31452]: Bootstrapped 100%: Done.
socks Tor[31452]: Performing bandwidth self-test...done.
Done!
Assuming you have chosen the URLs you wanted in the previous section (Using the Tor PAC Proxy) you can now browse to the URLs that were previously censored as they are now being routed over Tor. Any non-restricted URLs will route over your normal Internet connection.
Once installed and started Tor will be running on localhost:9150 (do not close the Tor Browser as this will also close the relay)
Done!
Assuming you have chosen the URLs you wanted in the previous section (Using the Tor PAC Proxy) you can now browse to the URLs that were previously censored as they are now being routed over Tor. Any non-restricted URLs will route over your normal Internet connection.
Some Final Thoughts (and quotes)
Internet Censorship is abhorrent, we shouldn’t stand by and let the Government, Police or lawyers dictate what we can read. The slippery slope is getting steeper every day so we all need to help stop it.
When bad men combine, the good must associate; else they will fall, one by one, an unpitied sacrifice in a contemptible struggle.Edmund Burke
I always wondered why somebody doesn’t do something about that. Then I realized I was somebody.Lily Tomlin
Withholding information is the essence of tyranny. Control of the flow of information is the tool of the dictatorship.Bruce Coville
Who is more to be pitied, a writer bound and gagged by policemen or one living in perfect freedom who has nothing more to say?Kurt Vonnegut
Once a government is committed to the principle of silencing the voice of opposition, it has only one way to go, and that is down the path of increasingly repressive measures, until it becomes a source of terror to all its citizens and creates a country where everyone lives in fear.Harry S. Truman
Free societies…are societies in motion, and with motion comes tension, dissent, friction. Free people strike sparks, and those sparks are the best evidence of freedom’s existence.Salman Rushdie
All men dream: but not equally. Those who dream by night in the dusty recesses of their minds wake in the day to find that it was vanity: but the dreamers of the day are dangerous men, for they may act their dreams with open eyes, to make it possible.T.E. Lawrence
The City of London Police Police Intellectual Property Crime Unit (PIPCU) arrested the operator of immunicity.org “on suspicion of running an ‘umbrella’ website providing access to other websites which have been subject to legal blocking orders.”
So some private entities sued some other private entities to prevent their customers from accessing certain websites. This, as far as I understand it, was a civil matter. How does the City of London Police gain the ability to arrest someone how was not party to either side of the civil matter.
An arrest is the act of depriving a person of his or her liberty usually in relation to the purported investigation or prevention of crime.Wikipedia
Routing packets is NOT A CRIME. What the fuck do they think they are up to?
@darkmobius suspected that the proxy server was providing access to sites subject to blocking orders for carrying illegal content.
— City Police PIPCU (@CityPolicePIPCU) August 8, 2014
Thankfully http://immunicity.co.uk/ and http://immun.es/ have already launched to help fill the space and more Tor Project relays are spinning up every day but let’s not stop there, if we don’t complain then they will continue to arrest and harass operators of these servers.
I would encourage people to complain to the City of London Police directly by tweeting at @CityPolice, by phone at 020 7601 2222, directly on their website with either this form (Public Complaints) or this form (Expression of Dissatisfaction) or by email; [email protected]
If you have time then also make a complaint to the Independent Police Complaints Commission by calling on 0300 020 0096 or via the website: http://www.ipcc.gov.uk/complaints (it probably wouldn’t hurt to tweet @IPCCNews as well).
As always check our Top Ways to Avoid Filters page for the latest information on the best way to avoid Internet filtering be it performed by the state, ISPs, special interest groups or because your current method was illegally shutdown by a police force overstepping the mark.
Update: September – Immunicity,co.uk has shutdown and immun.es is very unreliable.
When you buy a service from EE it will be filtered at their moderate level by default, the other options are Strict and Off. Strict is designed to be safe for children and Off is for Adults.
Of course even if you were to request that all filtering to be turned off it is still possible that you’ll fall foul of an incorrect IWF filter and be presented with the following page;
Putting the IWF and their secret blocklists aside there are many reasons you may not want to disclose information to EE or handover a credit card (you might not have one for instance) but still need to get past their filters that will block a female centric “adult” site that blogs about Censorship due to the content of the copy but will quite happily let you visit LiveLeak.com and watch people get killed.
The good news is that the EE Content Lock is quite easy to circumnavigate.
DNS Spoofing:No MiTM SSL:No Deep Packet Inspection:Yes Destination IP Transit Interference:No
- Unique Reason for Block:No Categorised Block:No Ability to report incorrect block:No
The goto advice is always to download Tor as it will not only bypass all filtering but it will also help mask those who need to use Tor to aid in protecting their privacy.
If you aren’t comfortable with installing software such as Tor then you could follow our guide on Creating a SOCKS5 Proxy which also works perfectly.
Finally the EE Content Lock system cannot MiTM SSL so even for blocked URLs such as http://reddit.com/r/nsfw (note that reddit.com isn’t blocked but /r/nsfw is!) can be accessed by using SSL.
Unfortunately reddit relies heavily on Akamai so the SSL certificate will be incorrect and you really shouldn’t get in the habit of accepting incorrect SSL.
Whilst this post proves it is trivial to bypass Government co-erced filtering it is likely that there will soon be a call to make filtering mandatory and criminalising attempts at bypassing them.
The best way to prevent this is to write to your MP and tell them that you don’t believe that any form of filtering has any place on the Internet.
It is still possible to anonymously purchase on-line resources which will be useful for those wishing to frustrate Internet surveillance, evade Internet censorship or blow the whistle on something without risking the exposure of their identity.
Finding a pre-paid card that can be purchased in cash with no questions asked is trivially easy, any card or gift shop is likely to have them interspersed with Starbucks gift cards etc.
For this example we’ll choose a £50 VISA card which once you get to the till will actually cost £53.95. Hand over your cash and walk out of the door.
As you leave swing by a Three, EE, O2 or Vodafone store and buy a pre-pay data SIM. Three have a 1Gb SIM for £7.50, buy it with cash and walk out of the store.
By now the VISA card will have activated and should be good to go.
For extra anonymity you may wish to visit a local pawn broker like Cash Converters or CEX and acquire a phone, tablet or laptop so that the IMEI you use with the newly purchased SIM is not one that has previously been tied to your identity.
Open up your VISA card and you’ll notice it has an expiry date, the CVV code on the signature strip and the usual 16 digit credit card number.
Setup your 3G connection, optionally install TOR to bypass any ISP restrictions that may be present then navigate to your VPS provider of choice. I’d suggest DigitalOcean.com but there are many others.
Signing up for an account is easy, put in an email address and a password (the email address will have to be a real one as it needs to be verified and it’s where your root passwords are sent but try signing up to something like HushMail.com).
Once logged in you’ll be asked to verify your billing details;
Now it’s likely that your use of TOR and a prepaid VISA card will trigger anti-fraud protections; the account will be locked and a support ticket will be raised asking you to identify yourself
The people at DigitalOcean are very good and if you adequately explain your motivations (be it running a website you’d rather not have your name attached too, as a proxy for privacy etc) they are likely to accommodate you without requiring copies of ID or a credit card number tied to your identity. DO NOT ABUSE THEIR TRUST.
Within a few minutes the account will be unlocked and you can launch your virtual machine.
If you login to the VISA pre-pay system you’ll be able to see if the pre-authorisation passed and that you’ll be able to continue paying for your server resources.
You can now host your whistle-blowing blog, a critique of public policy or just use it as a proxy safe in the knowledge that there is virtually no trace back to your true identity.
Do not abuse this ability to do hateful or illegal things, the VPS provider may not be able to identify you but they will shut you down and may even choose to shutdown all other accounts that appear to be of a similar profile to yours. Your actions could prevent someone who genuinely needs this anonymity.
Several years ago the UK Internet was tied up in an opt-in / opt-out battle about ISP proxies tracking your movements on-line to monetize advertising.
Now we have a new opt-in/opt-out battle but this time it is about ISP proxies tracking your movements on-line to prevent you seeing things you’re not allowed to see.
Could it be that the reasons the big ISPs rolled over so easily and implemented filters is that it provides them with a treasure trove of information about your browsing habits?
Notice how Phorm sit’s within the ISP network, masquerades as target domains and presents different content.
ISP filtering does similar things, they either spoof DNS responses to force you to goto their static block page or they manipulate routing within their network to route traffic destined for a remote host to a host within their network.
Technically there is nothing stopping them from doing other things with your traffic at this point. Are we to believe that having already silently tested Phorm on unsuspecting customers are they not capable of using this new found, Government instigated power to make some more money at the cost of your freedom and privacy?
