[liberationtech] Appelbaum's Ultrasurf report

Stefan Geens stefan.geens at gmail.com
Tue Apr 17 16:23:35 PDT 2012 

Jacob Appelbaum: "I believe and I said in the report that the GFW appears to be blocking access *from* Ultrasurf." 

One further data point to support your thesis: 

Outside China, when I use Witopia's VPN to surf the net and try to visit weibo.com, qq.com or some other China-hosted site, the GFW indeed blocks access INTO China. This behavior started maybe 4-6 months ago.  

Stefan

--
stefan.geens at gmail.com
@stefangeens @ogleearth @dliberation


On 18 Apr, at 01:08, Jacob Appelbaum wrote:

> Hi Tom,
> 
> On 04/17/2012 03:00 PM, Tom Zhang wrote:
>> This is a great piece of work Jacob!
>> 
>> A few comments/questions,
>> 
>> - The section 3.1 title "Network censorship: New boss, same as the old
>> boss" is a bit overreaching. I assume Ultrasurf censors adult sites for
>> saving bandwidth and cost. This is not the "same as the old boss". The fact
>> that they censor www.facts.org.cn is unfortunate. I won't support this but
>> I can understand it. For people who don't know Ultrasurf's background, it
>> is developed by Falungong dissidents who are victims of persecution from
>> the Chinese government. The site www.facts.org.cn is a government-run
>> anti-Falungong site.
> 
> 
> There are two things happening here. Lets not put them together.
> 
> The first is that they censor urls, without disclosing which urls, and
> then when they do, they send them to a block page. That block page did
> tag users with a Google Analytics cookie and now it appears to have an
> Ad (!) - please view the site here: ultrasurf.us/block.htm
> 
> Until I contacted them, I do not believe they ever disclosed to their
> users that they censored access. Nor do I believe it reasonable to tag
> them with a Google Analytics cookie. Nor do I believe it reasonable to
> inspect the user's traffic and have a totally non-transparent blocklist.
> I feel that any tool that censors the internet is not actually against
> censorship but rather, simply views say, pornography as the New Bad
> Content. That is frankly, in my view, not very different from other
> authorities censoring me where I have no say or control.
> 
> The second is that they, as I note in the paper, may not be blocking
> www.facts.org.cn but rather, you can tell if Ultrasurf's network is
> blocked by the so-called Great Firewall of China. I believe and I said
> in the report that the GFW appears to be blocking access *from*
> Ultrasurf. This is on the one hand out of Ultrasurf's control and on the
> other hand, it speaks to their claims about being unblockable - an
> almost impossible bar to meet.
> 
> I think truth in advertising is very important in a tool like this -
> especially with the level of detail afforded to UltraReach and
> UltraSurf. It's not about being perfect, it's about disclosing
> imperfections and being as honest as is possible. Which until my report,
> I don't think these things were known generally, if at all.
> 
> 
>> 
>> - I think you may also have overstated the risk associated with the
>> technical vulnerabilities of Ultrasurf as in "they may present
>> life-threatening danger in hostile situations". In China, one does not get
>> arrested for browsing foreign websites or posting unwelcome messages,
>> instead, one gets arrested when he makes his name known for his cause. I
>> don't know the case in Syria, but the fact that Ultrasurf is installed in
>> many cybercafes means that the "actual" risk of using Ultrasurf is small,
>> even though the "potential" risk may be much higher, which one matters is a
>> judgment call though. To keep in mind, in "hostile situations", the
>> authority relies more on physical torture than cyber detective work to get
>> evidence.
>> 
> 
> I believe that the way that Ultrasurf marketed themselves was simply
> false. They have attempted to update their website to reflect reality. I
> still think it is over stating the protection it offers but I consider
> it an improvement that they updated their claims at all.
> 
> I additionally believe that the problem with vulnerable software and
> anonymity is that I fear that it would lead to physical torture for very
> specific cases. If I was the Chinese, Iranian or Syrian government, I'd
> find vulnerabilities and only use them in a targeted fashion. That is
> generally what we see from the West with vendors like VUPEN - why should
> we assume things will be different for Ultrasurf?
> 
> This is why with their claims, as stated on their website and reproduced
> in the paper, I think someone wanting perfect anonymity and being
> untracable will perhaps find themselves in a very bad situation.
> 
>> - What makes Ultrasurf so popular is mainly its ease of use. So the
>> question is how to make more secure tools (like Tor) as easy to use as
>> Ultrasurf. If we have to strike a balance between usability and security,
>> where is it and what current circumvention tools fill in this space, or
>> will Tor be the one?
> 
> I think there are different levels of security and Tor is by no means
> perfect. I probably should have anonymously released the report to keep
> the discussion focused on the actual issues at hand but oh well. So it
> goes, as they say...
> 
> I think that we have some bare minimum processes that need to be
> considered for tools of this class - one of them is to acnowledge that
> basically all circumvention tools have a major security component. If
> you believe your network to be hostile and you download Chrome with such
> a tool, what just happened? Is it fine to not have any integrity
> assurances? Even if they advertise them? Is it fine for logs to be
> collected? Even if they advertise (at the time) that they store nothing?
> 
> The subject of review is also important. Without a design, what is a
> bug? Without a threat model, what is an attack or an attacker?
> 
> These processes should be open and openly discussed amongst all tool
> creators.
> 
>> 
>> The above may seem I'm defending Ultrasurf, I should make clear I don't
>> intend to :-). What I love to see is a positive environment for all
>> anti-censorship groups so we users can get better tools.
>> 
> 
> I think that a key idea must be to think beyond circumvention. Thanks
> for your comments, I appreciate your feedback.
> 
> All the best,
> Jacob
> _______________________________________________
> liberationtech mailing list
> liberationtech at lists.stanford.edu
> 
> Should you need to change your subscription options, please go to:
> 
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
> 
> If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?"
> 
> You will need the user name and password you receive from the list moderator in monthly reminders. You may ask for a reminder here: https://mailman.stanford.edu/mailman/listinfo/liberationtech
> 
> Should you need immediate assistance, please contact the list moderator.
> 
> Please don't forget to follow us on http://twitter.com/#!/Liberationtech

More information about the liberationtech mailing list