[liberationtech] Appelbaum's Ultrasurf report
Tom Zhang
xzhang at google.com
Tue Apr 17 12:00:37 PDT 2012
This is a great piece of work Jacob!
A few comments/questions,
- The section 3.1 title "Network censorship: New boss, same as the old
boss" is a bit overreaching. I assume Ultrasurf censors adult sites for
saving bandwidth and cost. This is not the "same as the old boss". The fact
that they censor www.facts.org.cn is unfortunate. I won't support this but
I can understand it. For people who don't know Ultrasurf's background, it
is developed by Falungong dissidents who are victims of persecution from
the Chinese government. The site www.facts.org.cn is a government-run
anti-Falungong site.
- I think you may also have overstated the risk associated with the
technical vulnerabilities of Ultrasurf as in "they may present
life-threatening danger in hostile situations". In China, one does not get
arrested for browsing foreign websites or posting unwelcome messages;
instead, one gets arrested when he makes his name known for his cause. I
don't know the case in Syria, but the fact that Ultrasurf is installed in
many cybercafes means that the "actual" risk of using Ultrasurf is small,
even though the "potential" risk may be much higher, which one matters is a
judgment call though. To keep in mind, in "hostile situations", the
authority relies more on physical torture than cyber detective work to get
evidence.
- What makes Ultrasurf so popular is mainly its ease of use. So the
question is how to make more secure tools (like Tor) as easy to use as
Ultrasurf. If we have to strike a balance between usability and security,
where is it and what current circumvention tools fill in this space, or
will Tor be the one?
The above may seem like I'm defending Ultrasurf; I should make clear I don't
intend to :-). What I'd love to see is a positive environment for all
anti-censorship groups so we users can get better tools.
Cheers,
On Tue, Apr 17, 2012 at 9:40 AM, Griffin Boyce <griffinboyce at gmail.com> wrote:
> I'm going to disagree with Jake on this one -- it's definitely *not* a
> giant waste of time. The more frequently and more publicly privacy-related
> technologies are discussed, the more educated the general public will be.
>
> The research is very solid and *highly* condemning. Both the original
> findings and Ultrasurf's vague, defensive response are worth reading.
>
> Unfortunately, if something is easy-to-use, then it's frequently
> perceived as effective -- or worse, "better than" -- competing products.
> Ultrasurf gets so many users because it's easy to install and use. As
> always, we're fighting against the stream of both censorship and marketing
> messages from companies that suck. Caveat lector.
>
> There's a major lesson on the after-effects of usability in this. My
> 13-year-old sister figured out how to use web proxies to get around
> filtering/censorship at school. Pretty much *anything* is better than
> using a web proxy, but they are easy-to-use and she can swap them out as
> they get blocked. The downside, of course, is that it's easy to see that
> she's using it, easy to see what sites she's visiting, and occasionally
> she'll get caught doing it.
>
> While it's a frivolous example, it's a large portion of the usability
> issue surrounding circumvention. And where does she get her information on
> circumvention? Via word-of-mouth from other people who also don't really
> know what they're doing. Something to think on, perhaps.
>
> Best,
> Griffin Boyce
>
>
> On Mon, Apr 16, 2012 at 4:45 PM, Jillian C. York <jilliancyork at gmail.com> wrote:
>
>> I would add to that that Ultrasurf is not just *used* in Syria, it's
>> *popular* in Syria. When I was there, it was installed in most
>> cybercafes.
>>
>> On Tue, Apr 17, 2012 at 11:12 AM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
>
>>
>> I'd like to add that Ultrasurf has replied:
>> http://ultrasurf.us/Ultrasurf-response-to-Tor-definitive-review.pdf
>>
>> If that doesn't confirm a bunch of my findings in the paper, I guess
>> nothing will!
>>
>> (What a giant waste of time, sigh)
>>
>> All the best,
>> Jacob
>
>
>
>> On Mon, Apr 16, 2012 at 1:40 PM, Andrew Lewis <andrew at pdqvpn.com> wrote:
>>
>>> I ran into Jacob at 28c3, and as he described the holes it terrified me
>>> to know that people in Syria (the country I am focused on at the moment)
>>> were using this software. I am just starting to read the actual papers, but
>>> as I understand it the holes were/are pretty serious, and that the
>>> monitoring software in Syria (Bluecoat) was picking up one of the major
>>> holes as part of its routine logging of all internet traffic, with no
>>> special changes required.
>>>
>>> -Andrew
>>>
>>>
>>> On Apr 16, 2012, at 4:33 PM, Rebecca MacKinnon wrote:
>>>
>>> "Ultrasurf is software produced by the UltraReach company for censorship
>>> circumvention, privacy, security and anonymity. Unfortunately for them, I
>>> found their claims to be overstated and I found a number of serious
>>> problems with Ultrasurf."
>>>
>>> https://blog.torproject.org/blog/ultrasurf-definitive-review
>>>
>>> Would love to know people's comments and reactions.
>>>
>>> Best,
>>> Rebecca
>>>
>>>
>
> --
> "I believe that usability is a security concern; systems that do
> not pay close attention to the human interaction factors involved
> risk failing to provide security by failing to attract users."
> ~Len Sassaman
>
> PGP Key etc: https://www.noisebridge.net/wiki/User:Fontaine
>
>
--
Tom