[liberationtech] New report on Internet Censorship and Surveillance in Turkmenistan
John Scott-Railton
john.railton at gmail.com
Sat Jan 5 16:29:33 PST 2013
Hi Rafal,
First off, thanks for sharing a copy of your report with the list!
On the theme of open methods while studying openness…
The cycle of reporting on FinFisher by Morgan and Bill / Rapid7 and others,
as you rightly noted, was a good thing. And it had some confidence-building
features of transparency and replication. It was clearly good for the
community. I thought Collin's question about the release of data on the
SORM-II signatures you referenced was a good one, and in this spirit: is
Secdev planning on releasing them publicly or making them available to
other research groups?
This thought led me to a more general question: does Secdev have plans to
make data / methodology / code behind Black Watch and the other components
of Secdev's measures and study of openness available for peer review &
replication?
All the best,
John
On Sat, Jan 5, 2013 at 3:46 PM, Rafal Rohozinski <r.rohozinski at psiphon.ca> wrote:
> Hi Colin,
>
> Just to put to rest any doubt about this, I meant "clandestine" as a
> synonym of "in secret". Likewise, by "debriefs" I simply mean having long
> in-depth discussions with individuals designed to accrue as many data points
> as possible about past events, or circumstances. None of this is
> particularly privileged to the IC, these are tried-and-true methods used by
> a wide range of investigators (including those involved in fraud
> investigations, police work, product research, marketing, or experimental
> work) as well as investigative journalists, and it usually yields good
> results over time.
>
> With respect to reporting on signatures, and establishing Open Data on
> censorship and surveillance through the publication of technical data, yes,
> that's the intention. In some cases, and I think Morgan's (et al) work on
> FinFisher is a good example, it will be possible to publish the technical
> protocols/signatures for surveillance tools. In other cases, especially for
> in-line surveillance tools, there will be no signature except for the fact
> that it may be detectable by the presence of unusual infrastructure and
> verified through human sources or documentation. The latter is quite
> important, because in the vast majority of cases there will be some
> documentation somewhere: in law, security regulations, commercial or
> marketing documentation, or otherwise, that indicates that a surveillance
> technology is being used, or considered. So perhaps not technical
> signatures in the malware sense, but signatures in a broader sense.
>
> For censorship technologies it's a bit more straightforward because
> presence or absence is pretty straightforward to establish. The tough part
> is to see whether you can identify specific techniques/products from their
> technical characteristics. Again, human sources are usually best to
> establish a degree of ground truth, or at least verify/validate what's
> visible in the technical domain.
>
> We are waiting to hear back from some sources of funding, and if we are
> successful, we will be making a broader announcement about this initiative
> shortly.
>
> Rafal
>
> Sent by PsiPhone mobile. Please excuse typos or other oddities.
>
> On 2013-01-05, at 5:58 PM, Collin Anderson <collin at averysmallbird.com>
> wrote:
>
> > In the case of SORM-II, it also has a very distinct signature which is
> > visible if you are sitting in line with the system...
> > Our intention with the testing platform is to contribute to the
> > creation of censorship and surveillance Open Data...
>
> That's excellent to hear, does SecDev intend to release data on these
> signatures of SORM systems and other such surveillance products? "Clandestine
> collection" and "debriefs" all seem so surreptitious and privileged to the
> IC, however, technical data would clearly be of democratic benefit to a
> number of researchers on this list.
>
> Cordially,
> Collin
>
>
>
> On Sat, Jan 5, 2013 at 2:12 PM, Rafal Rohozinski <r.rohozinski at psiphon.ca> wrote:
>
>> Morgan,
>>
>> Thanks for your note. I use the term "interview" euphemistically.
>> Obviously we used a much more sophisticated set of methods including in
>> depth debriefs with former employees, contractors, suppliers as well as
>> other forms of clandestine collection. The point is that we were able to
>> get a very detailed picture of how surveillance is carried out within the
>> Ministry of communications, by whom, and with what means. This includes
>> people that had access to the special rooms that are designated for
>> surveillance in telephone switches throughout the former Soviet Union. All
>> the people we talked to, directly, or indirectly, that had detailed
>> technical knowledge of how surveillance is conducted in an operational
>> manner were unable to confirm, or even suggest that these two systems were
>> being used operationally. In the case of SORM-II, it also has a very
>> distinct signature which is visible if you are sitting in line with the
>> system.
>>
>> By contrast, we were able to confirm these details in other CIS
>> countries. In some cases it was quite easy because security officials are
>> quite open about their use of surveillance technology for counterterrorism,
>> criminal investigations et cetera. There are also laws on the books that
>> govern how these technologies are used, and by whom, and therefore it's
>> possible to have a relatively open discussion if you know who to talk to,
>> and how. I would say, however, that our interviewees have exceptionally
>> privileged access, and therefore are able to have these discussions with
>> the right people.
>>
>> Is it possible that these techniques are insufficient to detect traces of
>> close hold activities? Undoubtedly, yes. However, when you do enough
>> asking, through enough different means, you usually come up with at least a
>> shadow, or a trace. In this case, everything came up as negative.
>>
>> I'd be interested in further material that could help us detect FINFISHER
>> at a technical level. We do operate a testing platform and certainly
>> calibrating it to detect or scan for these signatures would be very helpful
>> given that we are present in a large number of countries. Our intention
>> with the testing platform is to contribute to the creation of censorship
>> and surveillance Open Data, so having it routinely scan for known
>> signatures of surveillance products would certainly be a great addition to
>> the overall effort.
>>
>> Cheers,
>>
>> Rafal
>>
>> Sent by PsiPhone mobile. Please excuse typos or other oddities.
>>
>> On 2013-01-05, at 3:38 PM, Morgan Marquis-Boire <morgan.marquisboire at gmail.com> wrote:
>>
>> Hi Rafal,
>>
>> It is interesting that in your efforts talking to officials you were
>> unable to elicit admissions of operational use of surveillance software.
>> I'm not able to comment on the human elements of your interviews but the
>> technical elements of the work used to enumerate the use of FinFisher in
>> Turkmenistan are reproducible.
>>
>> FinFisher malware samples were reverse engineered which led to
>> enumeration of the command and control protocol. Knowledge of this protocol
>> was then used to scan for FinSpy master servers. The hashes to the
>> FinFisher samples were published as were the IPs of the servers. We (Bill
>> Marczak and myself) were not the only ones doing work in this area. Boston
>> based security company Rapid7 also used similar techniques and we found
>> that a technical replication of their work was reasonably straightforward.
>>
>> If your team has had any problems replicating these results, I'd be
>> happy to direct them toward relevant materials.
>>
>> -Morgan
>>
>> On Fri, Jan 4, 2013 at 8:41 AM, Rafal Rohozinski <r.rohozinski at psiphon.ca> wrote:
>>
>>> Hi Eva,
>>>
>>> Thanks for your note and good question.
>>>
>>> The simple answer is that we could find no compelling evidence beyond
>>> that reported by Privacy International, Citizen Lab and the German news
>>> report that FINFISHER was being operationally employed in Turkmenistan.
>>> That's not for lack of looking. The report was built upon interviews with
>>> people that have first-hand experience at the Ministry of Communication and
>>> Ministry of National Security, and civil society activists involved in
>>> political and new media activity. While it appears that a pilot project
>>> may have been implemented sometime around 2010/11, we could find no
>>> evidence (from sources inside the ministry) that it was actually
>>> operationally employed, nor were we able to track down any
>>> samples/technical evidence from the activist/opposition community.
>>>
>>> We had a similar situation with SORM. Our sources indicated that SORM
>>> equipment was installed on Turkmen core networks sometime in 2009. Quite
>>> likely, this equipment came by way of an assistance program run by the
>>> Russian Ministry of Interior aimed at creating a CIS wide monitoring
>>> system for cybercrime/cyber terrorism (Operation Proxy). However, we found
>>> no evidence that the equipment was actually being used.
>>>
>>> There may be reasons for this - which are borne out through some of our
>>> interview work in Turkmenistan and elsewhere in Central Asia.
>>>
>>> First, the level of technical knowledge in government agencies and the
>>> telecommunication ministry in Turkmenistan is quite low. In general, the
>>> Ministry of Communication has been very dependent on outside consultants
>>> and companies to install equipment (including Huawei and Nokia). Once it's
>>> installed, maintaining equipment is a challenge. As a result, generally
>>> only the most basic default settings and capabilities are used. For
>>> example, Turkmen telecom uses equipment from Huawei and CISCO that is
>>> capable of advanced DPI. However, these capabilities are barely used to
>>> manage bandwidth and traffic. They have not been used to develop keyword
>>> lists for blocking. Blocking is still done by way of IP address and domain
>>> name. (The same is true on mobile networks, where a Checkpoint firewall is
>>> used to filter traffic by domain and IP).
>>>
>>> Second, the Turkmen security regime is pervasive, and as a result has
>>> many more direct and simple ways of targeting "antisocial elements".
>>> Online surveillance tends to be overkill when they can easily accomplish
>>> things through direct surveillance, informants and other forms of physical
>>> controls. We've also noted that in other Central Asia countries the
>>> security forces tend to co-opt criminal hackers in order to target specific
>>> individuals via electronic means. That means that the technical work is
>>> done by someone who actually knows what they're doing, and the results are
>>> more understandable and immediate to the security forces, i.e., they can
>>> ask questions and target the hacker to get at stuff they want to see.
>>> It's also important not to forget that security/intelligence forces are by
>>> nature suspicious of anything outside of their control, including and
>>> especially "foreign built" systems and software.
>>>
>>> Third, security forces in Turkmenistan are much more concerned about
>>> opposition from radical groups, and criminal elements than they are with
>>> civil society opposition movements. That's because civil society in
>>> Turkmenistan is extremely weak, and controllable through arrest,
>>> detention, and harassment. Criminal and radical groups are a lot more
>>> resilient, because they are by design covert organizations and generally
>>> because of their incentive system, which can be ideological, or financial,
>>> don't have the same fear of the regime, and, in the case of some criminal
>>> structures can be embedded in state structures. As a result, my own
>>> observation is that advanced surveillance means, (including SORM) are
>>> treated as a "scarce resource" and are focused on high-value targets that
>>> include criminal elements and radical groups. A third group I'd add here
>>> are members of the regime itself, which tend to be more of a threat to the
>>> higher leadership than civil society groups.
>>>
>>> Lastly, as we point out in the report, the Turkmen authorities have an
>>> ambivalent relationship to ICTs. On the one hand, they recognize them as an
>>> important element of national development, and also revenue generation for
>>> the state (and in particular, members of the elite). On the other hand,
>>> they've seen how these technologies can be leveraged by opposition groups
>>> and so are inclined towards imposing controls. However, because
>>> Turkmenistan remains such a highly controlled society overall, the fear of
>>> civil society being mobilized through cyberspace is probably much less
>>> than it would be elsewhere and as a result, thus far, the necessity for
>>> surveillance has probably been less than in other Central Asian countries
>>> where the opposition movement has had space to organize.
>>>
>>> I think the last point to mention is that we've tried to keep this
>>> report factual and based on verifiable information. This means we had to
>>> make some editorial choices. I'd be happy to amend the report with a
>>> fuller section on FINFISHER and would welcome any additional factual
>>> information that can be provided by members of this group, or elsewhere.
>>>
>>> Best wishes,
>>>
>>> Rafal
>>>
>>> On Jan 3, 2013, at 7:11 PM, Eva Galperin <eva at eff.org> wrote:
>>>
>>> > Thank you for sharing your report, Rafal. I read it with great
>>> > interest.
>>> >
>>> > I see that you devoted about a third of this report to Internet
>>> > surveillance in Turkmenistan, but you don't mention Gamma or Finfisher
>>> > even once. The discovery that Gamma International's products were being
>>> > used to spy on citizens in over a dozen countries, including
>>> > Turkmenistan, was a pretty major story last year. Was there a reason
>>> > why you decided to leave it out of the report?
>>> >
>>> >
>>> > ************************************************
>>> > Eva Galperin
>>> > International Freedom of Expression Coordinator
>>> > Electronic Frontier Foundation
>>> > eva at eff.org
>>> > (415) 436-9333 ex. 111
>>> > ************************************************
>>> >
>>> > On 1/2/13 9:01 AM, Rafal Rohozinski wrote:
>>> >> The SecDev Group has released a study of Internet censorship and
>>> >> surveillance in Turkmenistan. The report was commissioned and financially
>>> >> supported by the Open Society Foundations. It is posted on the ONI Website,
>>> >> and can also be downloaded from here
>>> >>
>>> >> Neither Here Nor There: Turkmenistan’s Digital Doldrums
>>> >>
>>> >>
>>> >> Abstract
>>> >>
>>> >> Turkmenistan is slowly emerging from decades of darkness. President
>>> >> Gurbanguli Berdymukhamedov has vowed to modernize the country by
>>> >> encouraging the uptake of new technology for economic development and more
>>> >> efficient governance. Hundreds of thousands of Turkmen citizens are now
>>> >> online. However, the country faces serious challenges as it prepares to go
>>> >> digital. Infrastructure is primitive, and public access is enforced by a
>>> >> state monopoly. Slow speeds, exorbitant pricing, and technological
>>> >> illiteracy all constitute major hurdles. A new study from the SecDev Group
>>> >> highlights the ambivalent policies and practices that have left
>>> >> Turkmenistan mired in the digital doldrums, torn between its desire to join
>>> >> the worldwide web and its compulsion to control cyberspace.
>>> >>
>>> >>
>>> >>
>>> >> --
>>> >> Unsubscribe, change to digest, or change password at:
>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
>>
>>
>> --
>> Seek not the favor of the multitude; it is seldom got by honest and
>> lawful means. But seek the testimony of few; and number not voices, but
>> weigh them
>
>
>
> --
> *Collin David Anderson*
> averysmallbird.com | @cda | Washington, D.C.
>
John Scott-Railton
www.johnscottrailton.com
PGP key ID: 0x3e0ccb80778fe8d7
Fingerprint: FDBE BE29 A157 9881 34C7 8FA6 3E0C CB80 778F E8D7