Search Mailing List Archives


Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] New report on Internet Censorship and Surveillance in Turkmenistan

Rafal Rohozinski r.rohozinski at psiphon.ca
Sun Jan 6 17:55:36 PST 2013


Collin, (John),

All of this requires longer discussion, but I'll be brief here (for now).

Yes, we intend on making Black Watch open-source. And yes, we intend on
making data from Black Watch Open Data on censorship and surveillance.

WTR to your question Collin, Black Watch consists of client/server
environment that includes distributed testing clients that are located
across any number of network and at edge locations (ie ISP's, or specific
locations). The code runs on multiple platforms: android phones, windows
 boxes and a special Linux distribution that can be run off of small form
factor devices.

We developed Black Watch in part as a result of known issues with  rturtle
(the standard ONI testing tool). We needed something that could test for
"just-in-time",  and "just-in-place" filtering of the kind we were seen in
the former Soviet Union during elections/referendums, and other times of
social unrest. We also need a system capable of changing testing lists and
parameters rapidly, and giving the tester simultaneous feedback on results
(from their location, and a control location). Finally, we needed a system
that could test on mobile networks and devices.

I also want to stress that Black Watch is only one of the number sensor
suites we operate. We also have a system for  DNS monitoring/enumeration
(ZeroPoint), and  another that monitors specific (targeted) resources and
BGP/net block withdrawals (TrackR). We also monitor social media, which can
often give us important cues of what to look for, and where. It's through a
combination of these systems that we can begin to paint an accurate picture
of the topography of network  within a particular region. So, for example,
we detected a blip in Syrian Internet traffic today that included
significant route/BGP withdrawals  (that we will be writing up tomorrow).
Taken together, all of these data points allows to make certain assertions
about how the infrastructure changes over time, including points of
control.

Are we 100% certain of our analysis and results? Nope,real life is just too
messy to be quantified in technical terms and besides, that would be way
too much hubris. Often our analysis is inconclusive, takes way too much
time to assemble, is badly written, and can be just plain wrong. However,
doing it day in day out  (and as a team) means that we are getting much
better over time. In that respect, Syria has "forcing function" in the
development of these monitoring capabilities…

As I said, all of this requires a longer discussion.... but for the moment
I can tell you that we push out all the relevant information derived from
these systems through our Syria activity Facebook pages. Most of the
material is available in Arabic only, but we do put out a Cyber watch and
special reports in English, at least once every two weeks, and usually more
often. I think I posted one or two of these to this list, but could
certainly copy them here more regularly if there is interest. The landing
page to access the Syria facing resources is http://souriya.secdev.com (And
yes, there is a privacy policy you can review). All of this is still a far
cry from an Open Data describing censorship and surveillance, but it is a
step forward.

I'll try to respond to the other points in more detail this week. Both you
and John raise excellent questions that require a more details than I can
peck out on my iPhone while looking after two very energetic kids :-) As I
mentioned in my earlier email, we are waiting for word back from a funding
source that if successful will allow us to prioritize the Open Data project.

Best wishes,

Rafal





Sent by PsiPhone mobile. Please excuse typos or other oddities.

On 2013-01-06, at 6:16 PM, Collin Anderson <collin at averysmallbird.com>
wrote:

> This thought led me to a more general question: does Secdev have plans to
make data / methodology / code behind Black Watch and the other components
of Secdev's measures and study of openness available for peer review &
replication?

John's point drove at the heart of a concern of mine regarding Black
Watch's data collection methods -- based out of frustrations trying to
reconcile such research issues in my own work. When Telecomix investigated
aspects of Syria's filtering and surveillance apparatus, it became clear
that these functions had been devolved to the ISP from the start;
journalistic inquiries lent evidence to such understandings. This meant
differences in capacity and execution of more sophisticated blocking and
filtering rules, namely DPI on circumvention tools. These random variables
are especially more complex if the datasource is, for example, connections
made through open SOCKS and HTTP proxies.

It would be interesting -- and vitally important -- to see an argument that
these functions had migrated back up to the PDN, particularly since the
increase of human rights sanctions and public scrutiny should have limited
the willingness of external actors to participate in such a large project.

Could you speak on how Black Watch's methodology takes this into account,
whether you do seen specific evidence of such a change in the topology of
the control of the network, and how you handle potential incongruities in
your reporting?

Cordially,
Collin





On Sat, Jan 5, 2013 at 4:29 PM, John Scott-Railton
<john.railton at gmail.com>wrote:

> Hi Rafal,
>
> First off, thanks for sharing a copy of your report with the list!
>
> On the theme of open methods while studying openness…
>
> The cycle of reporting on FinFisher by Morgan and Bill / Rapid7 and
> others, as you rightly noted, was a good thing. And it had some
> confidence-building features of transparency and replication.  It was
> clearly good for the community.  I thought Collin's question about the
> release of data on the SORM-II signatures you referenced was a good one,
> and in this spirit: is Secdev planning on releasing them publicly or making
> them available to other research groups?
>
> This thought led me to a more general question: does Secdev have plans to
> make data / methodology / code behind Black Watch and the other components
> of Secdev's measures and study of openness available for peer review &
> replication?
>
> All the best,
>
> John
>
> On Sat, Jan 5, 2013 at 3:46 PM, Rafal Rohozinski <r.rohozinski at psiphon.ca>wrote:
>
>> Hi Colin,
>>
>> Just about to rest any doubt about this, I meant "clandestine" as a
>> synonym of "in secret". Likewise, by "debriefs" I simply mean having long
>> in-depth discussions with individual designed to accrue as many data points
>> as possible about past events, or circumstances. None of this is
>> particularly privileged to the IC, these are tried-and-true methods used by
>> a wide range of investigators (including those involved in fraud
>> investigations, police work, product research, marketing, or experimental
>> work) as well as investigative journalists, and it usually yields good
>> results over time.
>>
>> With respect to reporting on signatures, and establishing Open Data  on
>> censorship and surveillance through the publication of technical data, yes,
>> that's the intention. In some cases, and I think Morgan's  (et al) work on
>> FinFisher is a good example, it will be possible to publish the technical
>> protocols/signatures for surveillance tools. In other cases, especially for
>> in-line surveillance tools, there will be no signature except for the fact
>> that it may be detectable by the presence of unusual infrastructure and
>> verified through human sources or documentation. The latter  is quite
>> important, because of the vast majority of cases there will be some
>> documentation somewhere: in law, security regulations, commercial or
>> marketing documentation, or otherwise, that indicates that a surveillance
>> technology is being used, or considered. So perhaps not technical
>> signatures in the malware sense, but signatures in a broader sense.
>>
>> For censorship technologies it's a bit more straightforward because
>> presence or absence is pretty straightforward to establish. The tough part
>> is to see whether you can identify specific techniques/products from their
>> technical characteristics. Again, human sources are usually best to
>> establish a degree of ground truth, or at least verify/validate what's
>> visible in the technical domain.
>>
>> We are waiting to hear back from some sources of funding, and if we are
>> successful, we will be making a broader announcement about this initiative
>> shortly.
>>
>> Rafal
>>
>> Sent by PsiPhone mobile. Please excuse typos or other oddities.
>>
>> On 2013-01-05, at 5:58 PM, Collin Anderson <collin at averysmallbird.com>
>> wrote:
>>
>> > In the case of SORM-II, it also has a very distinct signature which is
>> visible if you are sitting in line with the system...
>> > Our intention with the testing platform is to contribute to the
>> creation of censorship and surveillance Open Data...
>>
>> That's excellent to hear, does SecDev intend to release data on these
>> signatures of SORM systems and other such surveillance products? "Clandestine
>> collection" and "debriefs" all seem so surreptitious and privileged to the
>> IC, however, technical data would clearly be of democratic benefit to a
>> number of researchers on this list.
>>
>> Cordially,
>> Collin
>>
>>
>>
>> On Sat, Jan 5, 2013 at 2:12 PM, Rafal Rohozinski <r.rohozinski at psiphon.ca
>> > wrote:
>>
>>> Morgan,
>>>
>>> Thanks for your note. I use the term "interview" euphemistically.
>>> Obviously we used a much more sophisticated set of methods including in
>>> depth debriefs with former employees, contractors, suppliers as well as
>>> other forms of clandestine collection. The point is that we were able to
>>> get a very detailed picture of how surveillance is carried out within the
>>> Ministry of communications, by whom, and with what means. This includes
>>> people that had access to the special rooms that are designated for
>>> surveillance in telephone switches throughout the former Soviet Union. All
>>> the people we talked to, directly, or indirectly,  that had detailed
>>> technical knowledge of how surveillance is conducted in an operational
>>> manner were unable to confirm, or even suggest that these two systems were
>>> being used operationally. In the case of SORM-II, it also has a very
>>> distinct signature which is visible if you are sitting in line with the
>>> system.
>>>
>>> By contrast, we were able to confirm these details in other CIS
>>> countries. In some cases it was quite easy because security officials are
>>> quite open about their use of surveillance technology for counterterrorism,
>>> criminal investigations et cetera. There are also laws on the books that
>>> govern how these technologies are used, and by whom, and therefore its
>>> possible to have a relatively open discussion if you know who to talk to,
>>> and how. I would say , however, that our interviewees have exceptionally
>>> privileged access, and therefore are able to have these discussions with
>>> the right people.
>>>
>>> Is it possible that these techniques are insufficient to detect traces
>>> of close hold activities? Undoubtably, yes. However, when you do enough
>>> asking, through enough different means, you usually come up with at least a
>>> shadow, or a trace. In this case, everything came up as negative.
>>>
>>> I'd be interested in further material that could help us detect
>>> FINFISHER at a technical level. We do operate a testing platform  and
>>> certainly calibrating it to detect or scan for these signatures would be
>>> very helpful given that we are present in a large number of countries. Our
>>> intention with the testing platform is to contribute to the creation
>>> of  censorship and surveillance Open Data, so having it routinely scan for
>>> known signatures of surveillance products would certainly be a great
>>> addition to the overall effort.
>>>
>>> Cheers,
>>>
>>> Rafal
>>>
>>> Sent by PsiPhone mobile. Please excuse typos or other oddities.
>>>
>>> On 2013-01-05, at 3:38 PM, Morgan Marquis-Boire <
>>> morgan.marquisboire at gmail.com> wrote:
>>>
>>> Hi Rafal,
>>>
>>> It is interesting that in your efforts talking to officials you were
>>> unable to elicit admissions of operational use of surveillance software.
>>> I'm not able to comment on the human elements of your interviews but the
>>> technical elements of the work used to enumerate the use of FinFisher in
>>> Turkmenistan are reproducible.
>>>
>>> FinFisher malware samples were reverse engineered which lead to
>>> enumeration of the command and control protocol. Knowledge of this protocol
>>> was then used to scan for FinSpy master servers. The hashes to the
>>> FinFisher samples were published as were the IPs of the servers. We (Bill
>>> Marczak and myself) were not the only ones doing work in this area.  Boston
>>> based security company Rapid7 also used similar techniques and we found
>>> that a technical replication of their work was reasonably straightforward.
>>>
>>> If your team has had any problems replicating these results, I'd be to
>>> happy to direct them toward relevant materials.
>>>
>>> -Morgan
>>>
>>> On Fri, Jan 4, 2013 at 8:41 AM, Rafal Rohozinski <
>>> r.rohozinski at psiphon.ca> wrote:
>>>
>>>> Hi Eva,
>>>>
>>>> Thanks for your note and good question.
>>>>
>>>> The simple answer is that we could find no compelling evidence beyond
>>>>  that reported by Privacy International, Citizen Lab and  the German news
>>>> report that FINFISHER  was being operationally employed in Turkmenistan.
>>>>  That's not for lack of looking. The report was built upon  interviews with
>>>> people that have first-hand experience at the Ministry of Communication and
>>>> Ministry of National Security, and civil society activists involved in
>>>> political and new media activity. While it  appears that a pilot project
>>>> may have been implemented sometime around 2010/11, we could find no
>>>> evidence (from sources inside the ministry) that it was  actually
>>>>  operationally employed,  nor were we able to track down any
>>>> samples/technical evidence from the activist/ opposition community.
>>>>
>>>> We had a similar situation with SORM. Our sources indicated that SORM
>>>> equipment was installed on Turkmen core networks sometime in 2009.  Quite
>>>> likely, this equipment came by way of a assistance program run by the
>>>> Russian Ministry of Interior aimed at creating a CIS wide  monitoring
>>>> system for cybercrime/cyber terrorism (Operation Proxy).  However, we found
>>>> no evidence that the equipment was actually being used.
>>>>
>>>> There may be reasons for this -  which are borne out through some of
>>>> our interview work in Turkmenistan and elsewhere in Central Asia.
>>>>
>>>> First, the level of technical knowledge in government agencies and the
>>>> telecommunication ministry in Turkmenistan is quite low. In general, the
>>>> Ministry of  Communication has been very dependent on outside consultants
>>>> and companies to install equipment (Including HuaWei and NOKIA). Once it's
>>>>  installed, maintaining equipment is a challenge. As a result, generally
>>>> only be most basic default settings and capabilities are used.  For
>>>> example,  Turkmen telecom uses  equipment from Huawei and CISCO  that is
>>>> capable of  advanced DPI. However, these capabilities are barely used to
>>>> manage bandwidth and traffic. They  have not been used  to develop keyword
>>>> lists for blocking.  Blocking is still done by way of IP address and domain
>>>> name. (The same is true on mobile networks, where a Checkpoint firewall are
>>>> used to filter traffic by domain and IP).
>>>>
>>>> Second, the Turkmen  security regime is pervasive, and as a result has
>>>> many more direct and simple ways of targeting " antisocial elements".
>>>> Online surveillance tends to be over-kill when they can easily accomplish
>>>> things through direct surveillance, informants and other forms of physical
>>>> controls.  We've also noted that in other Central Asia  countries  the
>>>> security forces tend to co-opt criminal hackers in order to target specific
>>>> individuals via electronic means. That means that the technical work is
>>>> done by someone who actually knows what they're doing, and the results are
>>>> more understandable and immediate to the security forces,  i.e., they can
>>>> ask questions and target the hacker to get at stuff they want to see.
>>>> It's also important not to forget that security/ intelligence forces are by
>>>> nature suspicious of anything outside of their control, including and
>>>> especially "foreign built" systems and software.
>>>>
>>>> Third,  security forces in Turkmenistan are much more concerned about
>>>> opposition from radical groups, and criminal elements that they are with
>>>> civil society opposition movements.  That's because  civil society in
>>>> Turkmenistan is extremely  weak, and controllable through  arrest,
>>>> detention, harassment. Criminal and radical groups are a lot more
>>>> resilient, because  they are by design covert organizations and generally
>>>> because of their incentive system, which can be ideological, or financial,
>>>>  don't have the same fear of the regime, and, in the case of some criminal
>>>> structures can be embedded in  state structures. As a result, my own
>>>> observation is that  advanced surveillance means, (including SORM) are
>>>> treated as a "scarce resource" and are focused on high-value targets that
>>>> include criminal elements and radical groups.  A third group I'd add here
>>>> are members of the regime itself, which tend to be more of a threat to the
>>>> higher leadership than civil society groups.
>>>>
>>>> Lastly,  as we point out in the report, the Turkmen authorities have an
>>>> ambivalent relationship to ICTs.  On the one hand, they recognize them as a
>>>> important element of national development, and also revenue generation for
>>>> the state ( and in particular, members of the elite).  On the other hand,
>>>> they've seen how these technologies can be leveraged by opposition groups
>>>> and so  are inclined towards imposing controls.  However, because
>>>>  Turkmenistan remains such a highly controlled society overall, the fear of
>>>>  civil society being mobilized through cyberspace is probably much less
>>>> than it would be elsewhere and as a result, thus far, the necessity for
>>>> surveillance has probably been less than in other Central Asian countries
>>>> where the opposition movement has had space to organize.
>>>>
>>>> I think the last point to mention is that we've tried to keep this
>>>> report factual and based on verifiable information.  This means we had to
>>>> make some editorial choices.   I'd be happy to amend the report with a
>>>> fuller section on FINFISHER and would welcome any additional factual
>>>> information that can be provided by members of this group, or elsewhere.
>>>>
>>>> Best wishes,
>>>>
>>>> Rafal
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Jan 3, 2013, at 7:11 PM, Eva Galperin <eva at eff.org> wrote:
>>>>
>>>> > Thank you for sharing your report, Rafal. I read it with great
>>>> interest.
>>>> >
>>>> > I see that you devoted about a third of this report to Internet
>>>> > surveillance in Turkmenistan, but you don't mention Gamma or Finfisher
>>>> > even once. The discovery that Gamma International's products were
>>>> being
>>>> > used to spy on citizens in over a dozen countries, including
>>>> > Turkmenistan, was a pretty major story last year. Was there a reason
>>>> why
>>>> > you decided to leave it out of the report?
>>>> >
>>>> >
>>>> > ************************************************
>>>> > Eva Galperin
>>>> > International Freedom of Expression Coordinator
>>>> > Electronic Frontier Foundation
>>>> > eva at eff.org
>>>> > (415) 436-9333 ex. 111
>>>> > ************************************************
>>>> >
>>>> > On 1/2/13 9:01 AM, Rafal Rohozinski wrote:
>>>> >> The SecDev Group has released a study of Internet censorship and
>>>> surveillance in Turkmenistan.  The  report was commissioned and financially
>>>> supported by the Open Society Foundations.  It is posted on the ONI Website
>>>> , and can also be downloaded from here
>>>> >>
>>>> >> Neither Here Nor There: Turkmenistan’s Digital Doldrums
>>>> >>
>>>> >>
>>>> >> Abstract
>>>> >>
>>>> >> Turkmenistan is slowly emerging from decades of darkness. President
>>>> Gurbanguli Berdymukhamedov has vowed to modernize the country by
>>>> encouraging the uptake of new technology for economic development and more
>>>> efficient governance. Hundreds of thousands of Turkmen citizens are now
>>>> online. However, the country faces serious challenges as it prepares to go
>>>> digital. Infrastructure is primitive, and public access is enforced by a
>>>> state monopoly. Slow speeds, exorbitant pricing, and technological
>>>> illiteracy all constitute major hurdles. A new study from the SecDev Group
>>>> highlights the ambivalent policies and practices that have left
>>>> Turkmenistan mired in the digital doldrums, torn between its desire to join
>>>> the worldwide web and its compulsion to control cyberspace.
>>>> >>
>>>> >>
>>>> >>
>>>> >> --
>>>> >> Unsubscribe, change to digest, or change password at:
>>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>>> > --
>>>> > Unsubscribe, change to digest, or change password at:
>>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>>>
>>>> --
>>>> Unsubscribe, change to digest, or change password at:
>>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>>>
>>>
>>>
>>>
>>> --
>>> Seek not the favor of the multitude; it is seldom got by honest and
>>> lawful means. But seek the testimony of few; and number not voices, but
>>> weigh them
>>>
>>> --
>>> Unsubscribe, change to digest, or change password at:
>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>>
>>>
>>> --
>>> Unsubscribe, change to digest, or change password at:
>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>>
>>
>>
>>
>> --
>> *Collin David Anderson*
>> averysmallbird.com | @cda | Washington, D.C.
>>
>> --
>> Unsubscribe, change to digest, or change password at:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
>>
>> --
>> Unsubscribe, change to digest, or change password at:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
>  John Scott-Railton
>
> www.johnscottrailton.com
>
>
> PGP key ID: 0x3e0ccb80778fe8d7
>
> Fingerprint: FDBE BE29 A157 9881 34C7  8FA6 3E0C CB80 778F E8D7
>
> --
> Unsubscribe, change to digest, or change password at:
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>



-- 
*Collin David Anderson*
averysmallbird.com | @cda | Washington, D.C.

--
Unsubscribe, change to digest, or change password at:
https://mailman.stanford.edu/mailman/listinfo/liberationtech
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20130106/54b4e3ed/attachment.html>


More information about the liberationtech mailing list