Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] New report on Internet Censorship and Surveillance in Turkmenistan

John Scott-Railton john.railton at
Sat Jan 5 16:29:33 PST 2013

Hi Rafal,

First off, thanks for sharing a copy of your report with the list!

On the theme of open methods while studying openness…

The cycle of reporting on FinFisher by Morgan and Bill / Rapid7 and others,
as you rightly noted, was a good thing. And it had some confidence-building
features of transparency and replication.  It was clearly good for the
community.  I thought Collin's question about the release of data on the
SORM-II signatures you referenced was a good one, and in this spirit: is
Secdev planning on releasing them publicly or making them available to
other research groups?

This thought led me to a more general question: does Secdev have plans to
make data / methodology / code behind Black Watch and the other components
of Secdev's measures and study of openness available for peer review &

All the best,


On Sat, Jan 5, 2013 at 3:46 PM, Rafal Rohozinski <r.rohozinski at>wrote:

> Hi Colin,
> Just about to rest any doubt about this, I meant "clandestine" as a
> synonym of "in secret". Likewise, by "debriefs" I simply mean having long
> in-depth discussions with individual designed to accrue as many data points
> as possible about past events, or circumstances. None of this is
> particularly privileged to the IC, these are tried-and-true methods used by
> a wide range of investigators (including those involved in fraud
> investigations, police work, product research, marketing, or experimental
> work) as well as investigative journalists, and it usually yields good
> results over time.
> With respect to reporting on signatures, and establishing Open Data  on
> censorship and surveillance through the publication of technical data, yes,
> that's the intention. In some cases, and I think Morgan's  (et al) work on
> FinFisher is a good example, it will be possible to publish the technical
> protocols/signatures for surveillance tools. In other cases, especially for
> in-line surveillance tools, there will be no signature except for the fact
> that it may be detectable by the presence of unusual infrastructure and
> verified through human sources or documentation. The latter  is quite
> important, because of the vast majority of cases there will be some
> documentation somewhere: in law, security regulations, commercial or
> marketing documentation, or otherwise, that indicates that a surveillance
> technology is being used, or considered. So perhaps not technical
> signatures in the malware sense, but signatures in a broader sense.
> For censorship technologies it's a bit more straightforward because
> presence or absence is pretty straightforward to establish. The tough part
> is to see whether you can identify specific techniques/products from their
> technical characteristics. Again, human sources are usually best to
> establish a degree of ground truth, or at least verify/validate what's
> visible in the technical domain.
> We are waiting to hear back from some sources of funding, and if we are
> successful, we will be making a broader announcement about this initiative
> shortly.
> Rafal
> Sent by PsiPhone mobile. Please excuse typos or other oddities.
> On 2013-01-05, at 5:58 PM, Collin Anderson <collin at>
> wrote:
> > In the case of SORM-II, it also has a very distinct signature which is
> visible if you are sitting in line with the system...
> > Our intention with the testing platform is to contribute to the
> creation of censorship and surveillance Open Data...
> That's excellent to hear, does SecDev intend to release data on these
> signatures of SORM systems and other such surveillance products? "Clandestine
> collection" and "debriefs" all seem so surreptitious and privileged to the
> IC, however, technical data would clearly be of democratic benefit to a
> number of researchers on this list.
> Cordially,
> Collin
> On Sat, Jan 5, 2013 at 2:12 PM, Rafal Rohozinski <r.rohozinski at>wrote:
>> Morgan,
>> Thanks for your note. I use the term "interview" euphemistically.
>> Obviously we used a much more sophisticated set of methods including in
>> depth debriefs with former employees, contractors, suppliers as well as
>> other forms of clandestine collection. The point is that we were able to
>> get a very detailed picture of how surveillance is carried out within the
>> Ministry of communications, by whom, and with what means. This includes
>> people that had access to the special rooms that are designated for
>> surveillance in telephone switches throughout the former Soviet Union. All
>> the people we talked to, directly, or indirectly,  that had detailed
>> technical knowledge of how surveillance is conducted in an operational
>> manner were unable to confirm, or even suggest that these two systems were
>> being used operationally. In the case of SORM-II, it also has a very
>> distinct signature which is visible if you are sitting in line with the
>> system.
>> By contrast, we were able to confirm these details in other CIS
>> countries. In some cases it was quite easy because security officials are
>> quite open about their use of surveillance technology for counterterrorism,
>> criminal investigations et cetera. There are also laws on the books that
>> govern how these technologies are used, and by whom, and therefore its
>> possible to have a relatively open discussion if you know who to talk to,
>> and how. I would say , however, that our interviewees have exceptionally
>> privileged access, and therefore are able to have these discussions with
>> the right people.
>> Is it possible that these techniques are insufficient to detect traces of
>> close hold activities? Undoubtably, yes. However, when you do enough
>> asking, through enough different means, you usually come up with at least a
>> shadow, or a trace. In this case, everything came up as negative.
>> I'd be interested in further material that could help us detect FINFISHER
>> at a technical level. We do operate a testing platform  and certainly
>> calibrating it to detect or scan for these signatures would be very helpful
>> given that we are present in a large number of countries. Our intention
>> with the testing platform is to contribute to the creation of  censorship
>> and surveillance Open Data, so having it routinely scan for known
>> signatures of surveillance products would certainly be a great addition to
>> the overall effort.
>> Cheers,
>> Rafal
>> Sent by PsiPhone mobile. Please excuse typos or other oddities.
>> On 2013-01-05, at 3:38 PM, Morgan Marquis-Boire <
>> morgan.marquisboire at> wrote:
>> Hi Rafal,
>> It is interesting that in your efforts talking to officials you were
>> unable to elicit admissions of operational use of surveillance software.
>> I'm not able to comment on the human elements of your interviews but the
>> technical elements of the work used to enumerate the use of FinFisher in
>> Turkmenistan are reproducible.
>> FinFisher malware samples were reverse engineered which lead to
>> enumeration of the command and control protocol. Knowledge of this protocol
>> was then used to scan for FinSpy master servers. The hashes to the
>> FinFisher samples were published as were the IPs of the servers. We (Bill
>> Marczak and myself) were not the only ones doing work in this area.  Boston
>> based security company Rapid7 also used similar techniques and we found
>> that a technical replication of their work was reasonably straightforward.
>> If your team has had any problems replicating these results, I'd be to
>> happy to direct them toward relevant materials.
>> -Morgan
>> On Fri, Jan 4, 2013 at 8:41 AM, Rafal Rohozinski <r.rohozinski at
>> > wrote:
>>> Hi Eva,
>>> Thanks for your note and good question.
>>> The simple answer is that we could find no compelling evidence beyond
>>>  that reported by Privacy International, Citizen Lab and  the German news
>>> report that FINFISHER  was being operationally employed in Turkmenistan.
>>>  That's not for lack of looking. The report was built upon  interviews with
>>> people that have first-hand experience at the Ministry of Communication and
>>> Ministry of National Security, and civil society activists involved in
>>> political and new media activity. While it  appears that a pilot project
>>> may have been implemented sometime around 2010/11, we could find no
>>> evidence (from sources inside the ministry) that it was  actually
>>>  operationally employed,  nor were we able to track down any
>>> samples/technical evidence from the activist/ opposition community.
>>> We had a similar situation with SORM. Our sources indicated that SORM
>>> equipment was installed on Turkmen core networks sometime in 2009.  Quite
>>> likely, this equipment came by way of a assistance program run by the
>>> Russian Ministry of Interior aimed at creating a CIS wide  monitoring
>>> system for cybercrime/cyber terrorism (Operation Proxy).  However, we found
>>> no evidence that the equipment was actually being used.
>>> There may be reasons for this -  which are borne out through some of our
>>> interview work in Turkmenistan and elsewhere in Central Asia.
>>> First, the level of technical knowledge in government agencies and the
>>> telecommunication ministry in Turkmenistan is quite low. In general, the
>>> Ministry of  Communication has been very dependent on outside consultants
>>> and companies to install equipment (Including HuaWei and NOKIA). Once it's
>>>  installed, maintaining equipment is a challenge. As a result, generally
>>> only be most basic default settings and capabilities are used.  For
>>> example,  Turkmen telecom uses  equipment from Huawei and CISCO  that is
>>> capable of  advanced DPI. However, these capabilities are barely used to
>>> manage bandwidth and traffic. They  have not been used  to develop keyword
>>> lists for blocking.  Blocking is still done by way of IP address and domain
>>> name. (The same is true on mobile networks, where a Checkpoint firewall are
>>> used to filter traffic by domain and IP).
>>> Second, the Turkmen  security regime is pervasive, and as a result has
>>> many more direct and simple ways of targeting " antisocial elements".
>>> Online surveillance tends to be over-kill when they can easily accomplish
>>> things through direct surveillance, informants and other forms of physical
>>> controls.  We've also noted that in other Central Asia  countries  the
>>> security forces tend to co-opt criminal hackers in order to target specific
>>> individuals via electronic means. That means that the technical work is
>>> done by someone who actually knows what they're doing, and the results are
>>> more understandable and immediate to the security forces,  i.e., they can
>>> ask questions and target the hacker to get at stuff they want to see.
>>> It's also important not to forget that security/ intelligence forces are by
>>> nature suspicious of anything outside of their control, including and
>>> especially "foreign built" systems and software.
>>> Third,  security forces in Turkmenistan are much more concerned about
>>> opposition from radical groups, and criminal elements that they are with
>>> civil society opposition movements.  That's because  civil society in
>>> Turkmenistan is extremely  weak, and controllable through  arrest,
>>> detention, harassment. Criminal and radical groups are a lot more
>>> resilient, because  they are by design covert organizations and generally
>>> because of their incentive system, which can be ideological, or financial,
>>>  don't have the same fear of the regime, and, in the case of some criminal
>>> structures can be embedded in  state structures. As a result, my own
>>> observation is that  advanced surveillance means, (including SORM) are
>>> treated as a "scarce resource" and are focused on high-value targets that
>>> include criminal elements and radical groups.  A third group I'd add here
>>> are members of the regime itself, which tend to be more of a threat to the
>>> higher leadership than civil society groups.
>>> Lastly,  as we point out in the report, the Turkmen authorities have an
>>> ambivalent relationship to ICTs.  On the one hand, they recognize them as a
>>> important element of national development, and also revenue generation for
>>> the state ( and in particular, members of the elite).  On the other hand,
>>> they've seen how these technologies can be leveraged by opposition groups
>>> and so  are inclined towards imposing controls.  However, because
>>>  Turkmenistan remains such a highly controlled society overall, the fear of
>>>  civil society being mobilized through cyberspace is probably much less
>>> than it would be elsewhere and as a result, thus far, the necessity for
>>> surveillance has probably been less than in other Central Asian countries
>>> where the opposition movement has had space to organize.
>>> I think the last point to mention is that we've tried to keep this
>>> report factual and based on verifiable information.  This means we had to
>>> make some editorial choices.   I'd be happy to amend the report with a
>>> fuller section on FINFISHER and would welcome any additional factual
>>> information that can be provided by members of this group, or elsewhere.
>>> Best wishes,
>>> Rafal
>>> On Jan 3, 2013, at 7:11 PM, Eva Galperin <eva at> wrote:
>>> > Thank you for sharing your report, Rafal. I read it with great
>>> interest.
>>> >
>>> > I see that you devoted about a third of this report to Internet
>>> > surveillance in Turkmenistan, but you don't mention Gamma or Finfisher
>>> > even once. The discovery that Gamma International's products were being
>>> > used to spy on citizens in over a dozen countries, including
>>> > Turkmenistan, was a pretty major story last year. Was there a reason
>>> why
>>> > you decided to leave it out of the report?
>>> >
>>> >
>>> > ************************************************
>>> > Eva Galperin
>>> > International Freedom of Expression Coordinator
>>> > Electronic Frontier Foundation
>>> > eva at
>>> > (415) 436-9333 ex. 111
>>> > ************************************************
>>> >
>>> > On 1/2/13 9:01 AM, Rafal Rohozinski wrote:
>>> >> The SecDev Group has released a study of Internet censorship and
>>> surveillance in Turkmenistan.  The  report was commissioned and financially
>>> supported by the Open Society Foundations.  It is posted on the ONI Website
>>> , and can also be downloaded from here
>>> >>
>>> >> Neither Here Nor There: Turkmenistan’s Digital Doldrums
>>> >>
>>> >>
>>> >> Abstract
>>> >>
>>> >> Turkmenistan is slowly emerging from decades of darkness. President
>>> Gurbanguli Berdymukhamedov has vowed to modernize the country by
>>> encouraging the uptake of new technology for economic development and more
>>> efficient governance. Hundreds of thousands of Turkmen citizens are now
>>> online. However, the country faces serious challenges as it prepares to go
>>> digital. Infrastructure is primitive, and public access is enforced by a
>>> state monopoly. Slow speeds, exorbitant pricing, and technological
>>> illiteracy all constitute major hurdles. A new study from the SecDev Group
>>> highlights the ambivalent policies and practices that have left
>>> Turkmenistan mired in the digital doldrums, torn between its desire to join
>>> the worldwide web and its compulsion to control cyberspace.
>>> >>
>>> >>
>>> >>
>>> >> --
>>> >> Unsubscribe, change to digest, or change password at:
>>> > --
>>> > Unsubscribe, change to digest, or change password at:
>>> --
>>> Unsubscribe, change to digest, or change password at:
>> --
>> Seek not the favor of the multitude; it is seldom got by honest and
>> lawful means. But seek the testimony of few; and number not voices, but
>> weigh them
>> --
>> Unsubscribe, change to digest, or change password at:
>> --
>> Unsubscribe, change to digest, or change password at:
> --
> *Collin David Anderson*
> | @cda | Washington, D.C.
> --
> Unsubscribe, change to digest, or change password at:
> --
> Unsubscribe, change to digest, or change password at:
 John Scott-Railton

PGP key ID: 0x3e0ccb80778fe8d7

Fingerprint: FDBE BE29 A157 9881 34C7  8FA6 3E0C CB80 778F E8D7
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the liberationtech mailing list