[liberationtech] Appelbaum's Ultrasurf report

Jacob Appelbaum jacob at appelbaum.net
Tue Apr 17 16:08:25 PDT 2012


Hi Tom,

On 04/17/2012 03:00 PM, Tom Zhang wrote:
> This is a great piece of work Jacob!
> 
> A few comments/questions,
> 
> - The section 3.1 title "Network censorship: New boss, same as the old
> boss" is a bit overreaching. I assume Ultrasurf censors adult sites for
> saving bandwidth and cost. This is not the "same as the old boss". The fact
> that they censor www.facts.org.cn is unfortunate. I won't support this but
> I can understand it. For people who don't know Ultrasurf's background, it
> is developed by Falungong dissidents who are victims of persecution from
> the Chinese government. The site www.facts.org.cn is a government-run
> anti-Falungong site.


There are two things happening here. Let's not put them together.

The first is that they censor urls, without disclosing which urls, and
then when they do, they send them to a block page. That block page did
tag users with a Google Analytics cookie and now it appears to have an
Ad (!) - please view the site here: ultrasurf.us/block.htm

Until I contacted them, I do not believe they ever disclosed to their
users that they censored access. Nor do I believe it reasonable to tag
them with a Google Analytics cookie. Nor do I believe it reasonable to
inspect the user's traffic and have a totally non-transparent blocklist.
I feel that any tool that censors the internet is not actually against
censorship but rather, simply views say, pornography as the New Bad
Content. That is frankly, in my view, not very different from other
authorities censoring me where I have no say or control.

The second is that they, as I note in the paper, may not be blocking
www.facts.org.cn but rather, you can tell if Ultrasurf's network is
blocked by the so-called Great Firewall of China. I believe and I said
in the report that the GFW appears to be blocking access *from*
Ultrasurf. This is on the one hand out of Ultrasurf's control and on the
other hand, it speaks to their claims about being unblockable - an
almost impossible bar to meet.

I think truth in advertising is very important in a tool like this -
especially with the level of detail afforded to UltraReach and
UltraSurf. It's not about being perfect, it's about disclosing
imperfections and being as honest as is possible. Which until my report,
I don't think these things were known generally, if at all.


> 
> - I think you may also have overstated the risk associated with the
> technical vulnerabilities of Ultrasurf as in "they may present
> life-threatening danger in hostile situations". In China, one does not get
> arrested for browsing foreign websites or posting unwelcome messages,
> instead, one gets arrested when he makes his name known for his cause. I
> don't know the case in Syria, but the fact that Ultrasurf is installed in
> many cybercafes means that the "actual" risk of using Ultrasurf is small,
> even though the "potential" risk may be much higher, which one matters is a
> judgment call though. To keep in mind, in "hostile situations", the
> authority relies more on physical torture than cyber detective work to get
> evidence.
> 

I believe that the way that Ultrasurf marketed themselves was simply
false. They have attempted to update their website to reflect reality. I
still think it is overstating the protection it offers but I consider
it an improvement that they updated their claims at all.

I additionally believe that the problem with vulnerable software and
anonymity is that I fear that it would lead to physical torture for very
specific cases. If I was the Chinese, Iranian or Syrian government, I'd
find vulnerabilities and only use them in a targeted fashion. That is
generally what we see from the West with vendors like VUPEN - why should
we assume things will be different for Ultrasurf?

This is why with their claims, as stated on their website and reproduced
in the paper, I think someone wanting perfect anonymity and being
untraceable will perhaps find themselves in a very bad situation.

> - What makes Ultrasurf so popular is mainly its ease of use. So the
> question is how to make more secure tools (like Tor) as easy to use as
> Ultrasurf. If we have to strike a balance between usability and security,
> where is it and what current circumvention tools fill in this space, or
> will Tor be the one?

I think there are different levels of security and Tor is by no means
perfect. I probably should have anonymously released the report to keep
the discussion focused on the actual issues at hand but oh well. So it
goes, as they say...

I think that we have some bare minimum processes that need to be
considered for tools of this class - one of them is to acknowledge that
basically all circumvention tools have a major security component. If
you believe your network to be hostile and you download Chrome with such
a tool, what just happened? Is it fine to not have any integrity
assurances? Even if they advertise them? Is it fine for logs to be
collected? Even if they advertise (at the time) that they store nothing?

The subject of review is also important. Without a design, what is a
bug? Without a threat model, what is an attack or an attacker?

These processes should be open and openly discussed amongst all tool
creators.

> 
> The above may seem I'm defending Ultrasurf, I should make clear I don't
> intend to :-). What I love to see is a positive environment for all
> anti-censorship groups so we users can get better tools.
> 

I think that a key idea must be to think beyond circumvention. Thanks
for your comments, I appreciate your feedback.

All the best,
Jacob


