Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] New report on Internet Censorship and Surveillance in Turkmenistan

Rafal Rohozinski r.rohozinski at
Tue Jan 8 06:45:47 PST 2013


First of all, it's important to recognize that SORM  is a system for  lawful access to telephone and IP traffic. It is normalized under the laws of the Russian Federation and most of the countries of the former Soviet Union. In other words, it is not a " secret"  system, but rather one which is well-known,  well-documented and has been around for over 10 years. 

The relevant Russia legislation is:
 Order of the State Committee of the Russian Federation № 47 of 27.03.99
 Order of the Ministry of Communications of the Russian Federation № 73 of 27.05.10.
The company that produces SORM -  MFI-SOFT -  is quite proud of its product, and others that they produce in the information security market. In fact, here is their marketing video. The part about SORM starts at 3:14 ( okay, it's lame, but at least they are advertising it)

As a consequence, the technical characteristics of SORM  are quite well-documented.  Also, because the system is installed at ISPs, the technical characteristics of its installation are also quite well-known.

By way of a general introduction, here are links to two technical presentations on SORM (2 and 3)  the provide some of this technical information, and also a view  of  the user interface ( which gives you a sense of its capabilities). 

SORM 2 -

SORM 3 -

The files are in Russian, but nothing that Google translate can't help with :-)

I really don't know if anyone in Europe, Canada, or the US  has procured NetBeholder.  But the fact that the company stopped advertising it openly on their website in 2010  leads me to believe that their success in this market space was rather small.  Contrary to popular belief, LEA  tools are not big business, and bring a lot of liability to companies so usually they tend to sell to home markets where they have a guaranteed monopoly and stable revenues.

The only thing I can say about why they were marketing from Canada is related to  some circumstantial evidence I received a few years ago that the Canadian subsidiary  was selling Netbeholder as a "Canadian product"  in a variety of south countries. However, I'd stress this is circumstantial evidence so nothing hard and fast. However,  If you take a look at the SORM  product page, you will see that they have adapted it to work with a wide range of equipment including Nortel, Broadworks and Ericsson,  so it's not inconceivable that there may be existing installations in North America and elsewhere outside the CIS   <> . MFI claims its products are in 84 countries. If you look at the ALOE website,  they do list a number of SIP providers in the US that use MFI  equipment. However, since MFI/ALOE  also resells VoIP soft switches, it's really unclear what they might be using. <>.

> This is a rather difficult thing to do - it seems not worth doing. These
> guys are already working on reducing detectability, aren't they?

Because the system is not secret, and is legally mandated, no, the builders  have not made it particularly stealthy. 


On Jan 7, 2013, at 8:02 PM, Jacob Appelbaum <jacob at> wrote:

> Rafal Rohozinski:
>> John,
>> With respect to SORM-II,  the "signatures"  are based upon the
>> technical characteristics of the system rather than something that's
>> detectable by protocol scanning. 
> What are the technical characteristics of SORM-II?
>> In a nutshell, SORM-II  boxes
>> located on remote network segments (i.e. ISP's or other providers)
>> require a separate command channel for tasking and data backhaul.
> Detectable by what means? Is this the Kim Dot Com extra latency issue?
> Is this just another box found on a related network?
>> In some installations, this is a separate physical channel, and
>> others it is virtualized through the ISPs connection their upstream
>> provider or IXP  (usually at the the central telephone switch).
>> Consequently,  while the device itself does not have a detectable
>> signature,  the control channel  is a defining feature.  The
>> challenge is in detecting the control channel.  We have report
>> pending on SORM  that should be released sometime during the late
>> spring of 2013.
> Can you give us a simple example?
>> We are trying to decide how  and what to publish  so
>> as to share usable knowledge without  revealing tradecraft that would
>> allow the developers of SORM (II and III)  to  reduce detectability.
>  Don't
>> BTW -  SORM II is  commercially available  in the  European, US and
>> Canadian  under  the brand name "NetBeholder"  so those of you with
>> deep pockets should buy a set up and reverse engineer it
>> …  the company even has a
>> street address in Toronto,  for those of you that want to visit. :-)
> Has it been found on Canadian networks? Who uses it?
> All the best,
> Jacob
> --
> Unsubscribe, change to digest, or change password at:

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the liberationtech mailing list