[liberationtech] Details needed about monitoring and data retention in Syria

Okhin okhin at okhin.fr
Tue Jan 10 15:47:35 PST 2012 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We just receive some news from the ground, it appears that at least one ISP in Syria had just upgraded the filtering infrastructure in Syria, so I'll basically copy/paste (and removing the identifying parts) this. Quite instructive I think:

[quote]
A guest of mine, upon visiting me, got on my lan , he tried to access
http://www.facebook.com
he wasn't using any proxy or vpn service and he got the following
message (translated):

To the gentlemen ,the subscribers of Tarassul ISP ,
Please cancel the settings for the DNS nameservers in your local network.
And so on for the settings of your ADSL router .
So as to get these settings automatically.
So that the service does not stop due to some modification in the
service of the provider Tarassul.
If the previous settings did not work , please change the DNS settings
of your local network and put your
router IP address in the DNS entry .

So , I read about DNS ,DNS poisoning and other things.
this was about two months ago , so when I was modding my router settings
I decided that using my ISP's DNS server is a bad idea , a very bad
one(now that I understand how dns works) and I read that google has such
a service ,so I just changed it ! .

I did some tests (I've included some screenshots) , and the horrible
thing is that they redirected me to this "notice" page insteadof the
legitimate facebook website although I'm not using their DNS ,which
means (please accept my humble opinion) that they are actively hijacking
my(or any other) connection!

I never use facebook so I've never seen this page before (but I don't
think It's been going on for a long time)
and honestly I thought it would be a good idea to 'not use' any proxy
- - -including tor- when doing normal browsing ,maybe that might mislead
anyone censoring my connection ,it wouldn't hurt if they knew I was
looking up stuff on internet .But after this
incident,
I'm thinking that they can redirect my web requests even if I don't use
their DNS , and the web-page will still appear to be real and legit.
Truly ,they aren't the smartest guys in the world but they might be able
to infect anyone with malware  ,specially those with no up-to-date
browsers.
So I thought it would be a good idea to inform you about this.

Update :  I've doing some investigations since Thursday (first time this
appeared) ,sorry it took so much time ,https was often blocked
(technically I think it was port 443) and the electricity went down for
long hours .
Everybody is getting this message not just me ,in fact it's the new
"access denied" page .
I've read some "official" info , the aim is to get people to change
their dns from the old one 82.137.200.83 to the new ones 82.137.200.19
and 82.137.200.20 or set the routers to automatically obtain the new
ones..
I don't know why would they change their DNS at such a time , I don't
wanna jump to conclusions but this isn't really the time for them to
"mod" their service !!
Maybe the Iranian government is helping ? , well I'm almost sure you
heard about those comodo & diginotar certs ,if someone knows how to do
"real" phishing and gonna help them  ,It's gonna be the Iranians , and
considering the tension in the gulf , they wouldn't save any effort ..
I'm sure of one thing , we must keep our eyes open or ,at some point ,
we're gonna miss something.

Update2 ,Monday : wow , today was like hell ! , https was totally down
and I spent all day trying to log to my email ,didn't succeed .
everything else just let me down ,Tor wasn't working even with bridges
,or with specifying port 80 to connect  with because IP 18.0.0.1 is
blocked , VPN (hotspot shield) was surprisingly down too. even ultrasurf
isn't working ,probably because all of these services use port 443 .
even google's webcache was blocking the bluecoat's ip ,probably a lot of
people were using it to circumvent the block.

update3 ,Tuesday : Finally , https and tor are working ,for now at least
, I don't know when it will go down again but it looks they're up to
something after all. Assad spoke today about "an iron grip" , we can
only wait and see , but yesterday's 'cyber siege' was truly a nightmare.
by the way , they modified the DNS page and added a link to tarassul.sy
(for more info), the site is up today but yesterday it was down, I
believe every one got curious and followed the link. They have DOSed
themselves ,lol :)
[/quote]

So, this is quite knew, we've heard of it on Monday, maybe Sunday. So, they're moving (again) part of the infrastructure. At least the Tarassul one. We try to gather other testimony to look at the big pictures, but it's quite hard (they have a lot of power outtage).

With datalove,
Okhin


On Tue, 10 Jan 2012 22:01:29 +0000
Andrew Lewis <andrew at pdqvpn.com> wrote:

> Jacob, 
> 
> The people I have talked to claim to be from the tech side of intelligence agencies, and indicated a disorganized mess with competing fiefdoms. All my other poking and proding internally point to a ton of different and random equipment across different ISPs. However I have no info or access to the demarc at this point, so I'll take what your saying as the truth, I am merely indicating that my sources are not just average joes as far as I know and is based on my own investigations into the matter. 
> 
> 
> Yes mobiles are terribly weak from a security PoV. And since this is where most of the Internet and communication penetration is at in these countries, it is even scarier.  
> 
> -Andrew
> 
> Somewhat ironically, Sent from my iPhone
> 
> 
> 
> On Jan 10, 2012, at 9:33 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
> 
> > On 01/10/2012 01:11 PM, Jillian C. York wrote:
> >> No, but it's certainly useful when putting the surveillance in
> >> perspective.  Just as many of the Egyptians who later accessed their files
> >> from State Security offices had never been detained or questioned, it's
> >> quite possible that much of Syria's surveillance is for surveillance's sake.
> >> 
> > 
> > I imagine that the Narus systems likely running in Egypt will have in
> > impact in a number of years. Just the same as the snort IDS at the edge
> > of Syria. These are databases that over time become more and more
> > valuable. When smart people learn about them, smart people will do much
> > much scarier things than the original creators of these systems.
> > 
> > 
> > I think it's really important to keep perspective about perspective.
> > 
> > We're still around fifteen days away from a full year of revolution in
> > Egypt. I'm sure we haven't seen everything yet and I'm certain that what
> > we have seen, we probably don't understand very well. If the Egyptians
> > were using Narus or Cisco interception, would we know? I've been told
> > that the Cisco interception is used for arrests, so what do we make of that?
> > 
> >> Which is not to say the recommendations are wrong - they're not.  But the
> >> full picture includes both the reality of the surveillance systems and the
> >> reality of how authorities are using their capabilities.
> >> 
> > 
> > Sure, I think we agree on the first point. Additionally, I'd add that
> > different authorities use their capabilities in myriad of ways.
> > 
> > We do not know the full reality, only the capabilities. By being
> > cautious, we're trying to mitigate many of the possibilities even in the
> > worst of actualities.
> > 
> > The irony is that for internet chatting and web browsing, I think we've
> > got an ironclad solution; where as for phones, we're basically all
> > doomed - from billing to content.
> > 
> > All the best,
> > Jacob
> > _______________________________________________
> > liberationtech mailing list
> > liberationtech at lists.stanford.edu
> > 
> > Should you need to change your subscription options, please go to:
> > 
> > https://mailman.stanford.edu/mailman/listinfo/liberationtech
> > 
> > If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?"
> > 
> > You will need the user name and password you receive from the list moderator in monthly reminders.
> > 
> > Should you need immediate assistance, please contact the list moderator.
> > 
> > Please don't forget to follow us on http://twitter.com/#!/Liberationtech
> _______________________________________________
> liberationtech mailing list
> liberationtech at lists.stanford.edu
> 
> Should you need to change your subscription options, please go to:
> 
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
> 
> If you would like to receive a daily digest, click "yes" (once you click above) next to "would you like to receive list mail batched in a daily digest?"
> 
> You will need the user name and password you receive from the list moderator in monthly reminders.
> 
> Should you need immediate assistance, please contact the list moderator.
> 
> Please don't forget to follow us on http://twitter.com/#!/Liberationtech
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iQIcBAEBAgAGBQJPDM4XAAoJEKpfDYQAUTlHaaIP/1m6mWh0ys8FjVDFrojQAYbm
fLyIm80hw9pGPUiE4BRa7iw5AQ816lNB1xXnX/IjWoaBDGf9USCpT+7Tc/iHsDkj
iM9opexPjMctdURANG+iWe11l9S2t3In5Hl3j0pARaBFzpB0Bo53uvBU3aP4wewA
/Ag3PmfdywVsvYYhZ4UBI6Ana+Sd9I9mjPquEOmJnthC1Lnz5BvL3k9pib5WpCtd
Imnqite3F/4wj9Hgk8BUD5AzR2UYZbZa3Q+7JDFS6euLdGOyKTQ2FO3AKG4Qwdab
vDBAMVFfoDlJONtWpVi4WJWjWX12dZiR0gCjUabqaDUuWsZb6cjdySXh55vNvdpS
bnsMQIhmRMI+kDu/M5z92Amu7o1ub8vGDOGE7bGOKC4wRNhGnUcZquysUsFdsOqB
31aPxx7R2Bw4sjZM5HuYTGOxME2CYFZ13/3J4m2ZzXwcEX7THhCD+8ol/qWRqvPs
MMinsuNG0rkP5nZ5YdvRPzEdpoFZMXiFexJMU6n2coUa9xemwPjz1/PaTbfhB2PR
PKPdKRV9eNoepenmf7aVfZtvDd1ooqTwAUvjbc1DSDRFyZyopfQTnRGedfoHNHJi
3T0cnLRTvUPe4qdwPwOi3jy5UqkU9JmEBxPuKxuhjz+lo/UV6DzbxlvA9N8N+FDn
0JuyDA/4xKWQFOS2FvZP
=LX43
-----END PGP SIGNATURE-----

More information about the liberationtech mailing list