How to fight censors in Thailand (Technical data)
- From: Blade@xxxxxxxxxx (Deckard)
- Date: Sat, 07 Apr 2007 16:51:56 GMT
Something that may interest people living in Thailand who want to know
more about the hidden machinations of the junta and its reactionary
minions.
Mort
_
Knowledge is the best tool to fight censors
by Don SAMBANDARAKSA
It seems interesting to note that when something as blatant as
censoring YouTube occurred, nobody seems to be responsible for it, or
for finding out who did it. The Ministry of ICT (MICT) said it was not
their fault while the TOT and CAT also denied responsibility.
But the problem was that the block was transient, continually in a
state of flux, and lasted for only a matter of hours. As one engineer
at an ISP who tried to help analyse the block said, "you can only
speculate as to what happened after the fact. What we need is
information on the block when it's actually in place."
But after this news hit a couple of weeks ago, many readers came
forward to say that the YouTube block was not unique - that strange
things had been happening to other web sites, for weeks before that.
One newspaper's web department contacted explained how they first saw
something out of the ordinary around two weeks prior to the YouTube
block. Their web site was suddenly responding slowly and some users
had noted that, in the browser window, instead of the message saying
that it was waiting for the domain name in question, it said that it
was waiting for a certain numerical IP address belonging to CSLoxinfo,
which had nothing to do with them. This new site then spewed out what
was effectively a copy of their web site.
Now, to recap for a moment, the YouTube block was done by an HTTP 301
redirect. In other words, the "server" that http://www.youtube.com
pointed to was not really the YouTube server, but was a third party
machine redirecting the user, first to nowhere, later to the
mict.go.th web site.
What was happening to that newspaper's web site, one speculates, is
that the same HTTP 301 redirect was happening, redirecting to a server
which then probably did some logging and redirected it back to the
real server, which is hosted overseas. Worryingly, such an attack
could not happen without the ISP or gateway's cooperation. The fact
that it happened at the same time by many different ISPs suggests it
happened at the Internet gateway level. For Thailand, the gateway is
run by CAT.
Now that we know how, a brief glance at the effects of this technical
gobbledygook may be in order. The damage done can be felt in a number
of ways. For most, including that newspaper's web site, it was just a
slowdown in the already obscenely slow Internet.
For YouTube viewers that Saturday, it meant a block. What few realised
is that the same double redirection mechanism can easily be used to
watch what we do online. At the very least it can log URLs opened and
pair them to IPs, which means a log of who is visiting which web site.
A more sophisticated mechanism may even be to eavesdrop on email,
passwords and the like.
Hark back to the coup and one recalls that General Sonthi said that
anyone eavesdropping on telephone conversations would have their
telecom licences revoked. Of course, only geeks use email and credit
cards for e-commerce. Real army people use mobile telephones, cash and
post armed guards in front of network operations rooms to prevent
someone hacking the network and installing a piece of spyware.
Incidentally, rumours are that the MICT once commissioned a major
university years ago to build a session hijacking system, though
nobody today seems to be willing to confirm its existence.
Could it be that the disruptions of the past month were the result of
three of these hypothetical boxes being installed at the International
Internet Gateway? Could it be that the only reason that YouTube was
blocked was because of the design of the blocking box, which did not
differentiate between control traffic and end-user (re-directed,
monitored) traffic?
Could it be that once they had hijacked sessions with very high
traffic, such as the YouTube site, the box crashed because it could
not handle the load and required someone to physically visit the box
on Saturday morning to manually reset it? So what can we do? Taking to
the streets in mass protests at Big Brother is one option, but we have
been there, done that and it is what led us to this mess to begin
with.
The best defence is knowledge. If we can tell when this session
hijacking technique is taking place, it will at least make Big Brother
think twice.
Firefox and Mozilla users can install a plugin, live HTTP headers from
livehttpheaders.mozdev.org. This will, as its name suggests, show the
actual HTTP dialogue between the browser and server in real time. What
this means is that, if it is redirected via the HTTP 301 redirect
message or communicating with a server it should not be talking to, it
will be made clear to see.
Once the IP address of the man in the middle is identified, programs
such as nmap (http://www.insecure.org) can be used to probe and
fingerprint that node. Users should then talk about it in public fora,
compare notes from the http headers and nmap results and then, with
enough information, perhaps the finger of blame can finally be pointed
at someone with proof, rather than just a couple of bits of
circumstantial evidence and a lot of speculation.
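
The check the article describes (spotting an HTTP 301 to a site you did not ask for, or a peer address that is not the site's own), as an added example that is not part of the original post or article. The sample responses and the 192.0.2.x / 198.51.100.x addresses are constructed, and `check_exchange` and its helpers are hypothetical names.

```python
from urllib.parse import urlsplit

REDIRECTS = (301, 302, 303, 307, 308)

def parse_response(raw):
    """Split a raw HTTP/1.x response head into (status_code, headers)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers

def same_site(a, b):
    """True when the hosts are equal or one is a subdomain of the other."""
    a, b = a.lower().rstrip("."), b.lower().rstrip(".")
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def check_exchange(requested_host, peer_ip, expected_ips, raw):
    """Return findings for one captured request/response pair."""
    findings = []
    # expected_ips: addresses resolved for the site from an unfiltered
    # network (an assumption; large sites rotate addresses, so a miss is
    # a lead to compare with other users, not proof).
    if peer_ip not in expected_ips:
        findings.append("unexpected-peer:" + peer_ip)
    status, headers = parse_response(raw)
    if status in REDIRECTS:
        location = headers.get("location", "")
        target = urlsplit(location).hostname
        if not location:
            findings.append("redirect-to-nowhere")
        elif target and not same_site(target, requested_host):
            findings.append("cross-site-redirect:" + target)
    return findings

# Constructed sample captures (not real traffic).
GENUINE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
CANONICAL = b"HTTP/1.1 301 Moved Permanently\r\nLocation: http://youtube.com/\r\n\r\n"
HIJACKED = b"HTTP/1.1 301 Moved Permanently\r\nLocation: http://www.mict.go.th/\r\n\r\n"
NOWHERE = b"HTTP/1.1 301 Moved Permanently\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    known = {"192.0.2.10"}
    print(check_exchange("www.youtube.com", "192.0.2.10", known, GENUINE))
    print(check_exchange("www.youtube.com", "198.51.100.7", known, HIJACKED))
```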