Showing posts with label censorship. Show all posts
Showing posts with label censorship. Show all posts

Saturday, April 28, 2012

Canalising the marshes: tidying up the people

Well, this is interesting, both on the Bo Xilai story and also on the general theme of the state of the art in contemporary authoritarianism. It looks like a major part of the case is about BXL's electronic surveillance of Chongqing and specifically of top national-level Chinese officials:

One political analyst with senior-level ties, citing information obtained from a colonel he recently dined with, said Mr. Bo had tried to tap the phones of virtually all high-ranking leaders who visited Chongqing in recent years, including Zhou Yongkang, the law-and-order czar who was said to have backed Mr. Bo as his potential successor. “Bo wanted to be extremely clear about what leaders’ attitudes toward him were,” the analyst said.

That's Zhou Yongkang as in the head of the whole Chinese internal security structure, cops, spooks, and all. Bo's police chief (and future sort-of defector) Wang Lijun is described as being "a tapping freak", addicted to the productivity and hence apparent power of electronic intelligence. Not only that, Wang eventually began tapping Bo, who was also tapping the CDIC feds who came down to keep an eye on him.

The practicalities are, as always, interesting.

The architect was Mr. Wang, a nationally decorated crime fighter who had worked under Mr. Bo in the northeast province of Liaoning. Together they installed “a comprehensive package bugging system covering telecommunications to the Internet,” according to the government media official.

One of several noted cybersecurity experts they enlisted was Fang Binxing, president of Beijing University of Posts and Telecommunications, who is often called the father of China’s “Great Firewall,” the nation’s vast Internet censorship system.

It's worth pointing out that the provincial networks belonging to China Mobile, China Telecom etc. are usually organised as companies in their own right, and they often have their own AS numbers, and indeed they often contract for substantial network development projects with Western vendors (Nokia Siemens recently had a big mobile network contract in Sichuan, notably) on their own right.

Anyway, Fang's involvement is very interesting indeed. He is responsible for the state-of-the-art authoritarian solution to the Internet. This is not just, or even primarily, a question of blacklisting websites or turning off the Internet. The Great Firewall's detailed design, as the Cambridge Computer Lab found out a while ago, is specifically intended to be a semi-permeable membrane. Rather like Hadrian's Wall, it is more about the gates through it than the wall itself, and the defences point in both directions.

When a computer within it tries to initiate a TCP connection to one outside that is classified as dodgy, the Firewall sends an RST message back to kill the connection. This permits much higher performance than the DNS-based blacklisting typical of, say, the UAE.

It also means that it's possible to ignore the RST and look through the firewall by using your own firewall utility (specifically, set something like iptables to drop any RSTs for connections in states other than ESTABLISHED before a suitable time has elapsed). However, it would be a fair guess that any traffic doing this is logged and analysed more deeply.

Further, there is a substantial human infrastructure linking the media/PR/propaganda system, the police system, and the Ministry of the Information Industry. This uses tools such as moderation on big Web forums, direct recruitment, harassment, or persuasion of important influencers, the development of alternative opposition voices, and the use of regime loyalist trolls (the famous wumaodang).

The firewall, like Hadrian's Wall or the original Great Wall, also has an economic function. This acts as a protectionist subsidy to Chinese Internet start-ups and a tariff barrier to companies outside it. Hence the appearance of some really big companies that basically provide clones of Twitter et al. Because the clones are inside the firewall, they are amenable to management and moderation. 

And none of this detracts from the genuine intention of the people at 31 Jin-rong Street, the China Telecom HQ, to wire up the whole place. Iran's surprisingly important role providing broadband to Afghanistan and diversionary links to the Gulf reminds us that providing connectivity can be a powerful policy tool and one that you can use at the same time as informational repression.

So, Fang's achievement is basically a package of technical and human security measures that let whoever is in charge of them command the context Web users experience.

Last autumn, several of the Chinese web startups were subjected to the combined honour and menace of a visit from top securocrats. Tencent, the owner of QQ and the biggest of the lot, got Zhou Yongkang in person. In hindsight, this will have been around the time the CDIC landed in Chongqing.

So, where am I going with this? Clearly, there was serious disquiet that somebody was usurping the right to control the wires. Even more disquieting, the surveillance establishment in Fang's person seemed to be cooperating with him. And the systems he set up worked just as well for someone increasingly seen as a dangerous rebel as they did for the central government. (In fact, the people who like to complain about Huawei equipment in the West have it the wrong way round. It's not some sort of secret backdoor they should be worrying about: it's the official stuff.)

I do wonder, depending on what happens to Fang (he's still vanished, but his Weibo feed has started updating again), if we might not see a relaxation of the firewall, which the pundits will consider "reform". In fact it will be no such thing, rather a cranking up of internal chaos to facilitate a crackdown on opposition.

Sunday, October 17, 2010


Does anyone have any idea why I'm banned from reading For the last few days, the three FP blogs I subscribe to haven't been updating, and trying to read this I had to use an anonymous SSL-proxy server. Just for that "test your practical circumvention skills" feeling! I can ping and traceroute to their servers (Amazon EC2 - look at you all cloudy and everything!) but when I send them an HTTP GET they immediately kill the TCP session.

Sunday, September 26, 2010

"Cyberwar" and Iran: the other side of the hill

If I hadn't been fiddling with file permissions to get Wordpress running last Sunday, I'd probably have been writing about the Haystack saga. I'm a bit gestört by some of the coverage of it - Evgeny Morozov, typically, has been doing good work in the general war on bullshit, but I'm less convinced of his broader conclusions. See here.

What stands out about Haystack isn't so much the technology - which we can't really make statements about, because they kept everything secret until it all fell down, and the implementation is apparently so awful nobody wants to release the code in case someone tries to use it - but the meta-technology. As this post makes clear, perhaps the biggest problem was that it was half-open, half-closed. The code wasn't released, so it was impossible for anyone to review it, but it was circulated widely enough that the core development team had little or no idea how far it might have spread. In fact, some people who did have the source code thought it would be a good idea to compile it, package it, and share it with people who might need it.

And although there is apparently a client-server element in it, the server was allowed to accept connections from the wider Internet. So they'd accidentally allowed the unfinished and untested project to start operating in production.

The Guardian is mocked; John Graham-Cumming is right (and check out the remarks about Tor in comments) and points out that Haystack's crypto was reliant on a source of random numbers that, well, isn't random. The EFF has good advice.

Now, this week has another superspy Iran story, Stuxnet, the worm that apparently attacks a Siemens SCADA application. Here's JGC again, being sceptical. There's a rundown at Alliance Geostrategique. The author of the theory that it's an attack on the Bushehr nuclear power plant is self publicising here - I, for one, am not convinced that the fact they hadn't got some software licence key in 2009 is great evidence, especially as the Windows .lnk exploit involved wouldn't care either way. It's the one from July in which Windows will execute code packed into the icon file for a desktop shortcut on a USB stick, so how pleased the Business Software Alliance is with the Iranians is here or there.

And it also seems to target Indian and Indonesian systems. Maybe its authors are protesting against Eat, Pray, Love.

To put it another way, I think we're under a cyberattack from a sinister network of chancers and self-publicists who have glommed on to the whole issue as a way of getting their faces in the news and their hands into the till. As our occasional reader Bos puts it:
When you say "weapons-grade cybermunitions developed by nation states", I hear "this patchwork of consulting gigs won't cover my coke bill."

Meanwhile, what's going on in Iran? In many ways, this is much more interesting. Way back in 2006, I blogged about how the Iranian government was putting impressive resources into aid to Afghanistan. One facet of this was that they had laid a fibre-optic cable from Iran to Herat; another was that the cybercafe in Kabul with the most bandwidth and the least censorship was the one in the Iranian cultural centre.

Now, it looks like the Iranian wholesale telco monopoly, DCI (Datacomms Iran), is becoming a significant transit provider to networks in Iraq, specifically Kurdistan, and Afghanistan, including the Afghan Government. As the good people at Renesys point out, this is perfectly sensible for the Kurdish operators - they're getting rid of their expensive and slow VSAT links, and diversifying their sources of transit - but this is dependent on actually diversifying, rather than just replacing.

The Afghan government's network, it turns out, has recently started to show up through DCI as well as through Pakistan and an Uzbek provider. For a while, all the Afghan prefixes were being routed via either Iran or Uzbekistan and Russia, after a fibre cut on the route to Pakistan.

You can certainly see why the Afghans might not want to pass all their traffic through Pakistan. But treating this as a political issue does have a point. Back in the summer of 2009, the Iranian state found an elegant way to use DCI as an instrument of political power - rather than turn everything off, as in Burma, or call out the troll army, as in China (although they do have that capability), they rate-limited everyone down to about 20% of the typical throughput. As all Iranian ISPs have to use DCI for transit, this meant that a lot of hostile Internet activity will just not have happened, although the really determined would get through.

They are, of course, the ones you want to catch. Squelching down the bandwidth also probably meant that the traffic was reduced to a level where their lawful-intercept infrastructure* could capture and process it all. Almost certainly, they can do the same to any of their downstreams, or continue to pass customer traffic while squelching their own.

It is impressively ironic that a few router configuration rules can mean freedom in Herat and tyranny in Tehran.

Saturday, April 10, 2010

actual Iranian music news

I was needling Spencer Ackerman about this but didn't get a rise. It's applicable to Noel Maurer too.

No-One Knows About Persian Cats is a cracking little film; it's a pseudo-documentary about Iran's music underground, by the Kurdish director Bahman Ghobadi and a small who's who of Iranian music. As a result, it could almost have been designed for Spackerman in the way Jeremy Clarkson said Vulcan 607 could have been designed for him.

One thing that comes through are the permanently-operating factors in the human terrain. For example, there's always a fixer - the guy who doesn't actually contribute any music themselves, but does know people who know people who have access to studio time and hall bookings and dodgy government permits. It's the Tony Wilson ethic. Hamed Behdad plays him as someone of permanent charm and near perfect unreliability, never clear whether he's totally committed to success or on the point of making off with the funds - one reading of the grim ending is that he's the grass.

The metal band's guitarist works - like Tony Iommi - in a metalworking factory, and the band rehearse in a shed full of cowshit on the edge of town, although paradoxically their lyrics are all about positive thinking. The rappers are slightly thuggish and given to lyrics like "the class struggle oppresses us!" which may have worked better in the original. The indie band are a bit painfully sensitive and notably more middle-class, the sort of people these guys are thinking of.

So far, so good; anything that reminds us that Iran is not actually Nazi Germany or the far side of the moon is politically welcome. So much of this is immediately recognisable if you've ever sat in a Mini with rust holes and a 1x12 Valvestate box on your lap, with a curry balanced on the top.

Of course, making music in an authoritarian society has its special problems. Everyone except the rappers is desperate to leave and the plot revolves around rounding up passports, visas, and means of payment, as the East Germans used to say. And getting the Ministry of Virtue permit to actually put on a gig. In the meantime, there's a constant round of rehearsals in cellars and in breezeblock sheds on rooftops; incredibly complex informal building seems to be a bit of a feature of Tehran.

And there's a sticky end at the hands of the militia, or not quite at their hands enough to prove it. In that way the police tend to have.

The BBC has the soundtrack as streams here.

Monday, July 06, 2009

someone's got it in for us, they're planting stories in the press

Bob Dylan lyric too appropriate not to use yet again. Who is trying to frighten users?

It begins with a Daily Telegraph story that a clerk, Lisa Greenwood, in the Department for Children, Schools and Families was sacked for posting a comment about Hazel Blears on theyworkforyou. Unfortunately, no comment including the text quoted exists in any system, and the Torygraph doesn't seem to know which Web site they actually mean.

Further inquiries show that the story originates from a local news agency (South West News) and the DCSF press office. The Telegraph claims that the comment was sent by e-mail, but there are no MySociety sites that accept comments by e-mail, so this cannot be true. TheyWorkForYou doesn't send confirmations by e-mail, so it can't be one of those, although WriteToThem and FixMyStreet do.

Clearly, someone is telling porkies, and using the same as grounds to terminate some poor sod's employment. Now, civil servants are formally bound by oath to renounce partisanship; however, the text doesn't make any reference - if it wasn't invented out of thin air by the DCSF press office - to any political party, only to Hazel Blears' personal financial probity.

It is probably worth remembering at this point that several government ministers have been in the habit of quoting what they claim is other people's private correspondence during parliamentary debates, no doubt because they cannot be sued for what they say in the House. Specifically, Lord Warner, Andrew Miller MP, and Caroline Flint MP used what purported to be private e-mail sent by Professor Ross Anderson of Cambridge University and Simon Davies of Privacy International and LSE to score points in debates on ID cards and on the NHS National Programme for IT.

Nobody has ever explained how they came by these documents, or whether the quotes were genuine, and the (sigh) mainstream media has displayed zero interest. E-mail messages have the legal status of letters, and even under RIPA it would be hard to consider the campaign to opt out of the NPfIT Spine a question of national security. The government has form for using dubiously acquired, or possibly fictional, private correspondence for partisan ends.

Update: Well, well. She contacted Blears from her own Web site, by clicking a MAILTO link, which of course launched her local (i.e. service) mail client rather than a Hotmail account.

But the issue here is that a minister (with exceptions - Scotland and Wales and Northern Ireland, of course. Yes, yes) is responsible as an MP to their constituents, and as a minister to Parliament as a whole, i.e. the nation at one remove. Further, it's just fucking indecent and violent, an act of boss brutality. She was on £16,000 at age 38; what else is it?

Far from wanking about trivialities, we ought to demand her reinstatement. If she wants to deal with an organisation that spies on private correspondence for partisan ends, that is.

Sunday, June 28, 2009


Arbor Networks has a great post with data on Iranian Internet censorship. As well as the deliberate transit shortage, they seem to be targeting specific protocols, notably SSH, the secure shell protocol one uses to administer servers and also quite often to provide a VPN tunnel. This isn't surprising, really, but it is depressing; practically any shell account and any machine, including my mobile phone, will let you set up an SSH tunnel, and it is strongly encrypted, so it's one of the most reliable and easiest ways to beat the censor.

Arbor's analysis suggests that the point is to limit traffic to levels that their existing censorship infrastructure can handle; interestingly, e-mail, and bogstandard Web traffic on port 80, seem unaffected, which suggests they already had the big squid proxy etc. in place. There is, of course, nothing to stop you configuring your server to do SSH on port 80, but it might be a little obvious. An alternative would be to use something like OpenVPN, which uses the same HTTPS protocol and port that all the e-commerce and corporate e-mail things do.

Fascinatingly, levels of gaming application traffic are unaffected, and Arbor wonder if it would be possible to use this for clandestine communications. (Perhaps the government wants people playing computer games?) This is, of course, a major plot point from Charlie Stross's Halting State, although the exploit is rather more sophisticated there - rather than just meeting up for a chat in-game, they are mapping their data to the game's commands and reversing the process at the other end.

Depressingly, according to Renesys, many of the open proxy servers that have been set up for the use of Iranian dissidents are being heavily abused by Chinese spammers. This is a hard problem; any tunnelling system intended to defeat the censor must be open to anyone, it's insanely risky to keep any logs of who accesses it, so it seems inevitable that the vermin will get in.

Sunday, September 14, 2008

They have wakened the timeless Things; they have killed their father Time

More China convergence blogging. Declan McCullagh reports on efforts by the US and China to sneak something nasty into the ITU standardisation process, through a committee that doesn't publish its documentation or let anyone else in the room. But the Chinese appear to be the ones leaning forward;
The Chinese author of the document, Huirong Tian, did not respond to repeated interview requests. Neither did Jiayong Chen of China's state-owned ZTE Corporation, the vice chairman of the Q6/17's parent group who suggested in an April 2007 meeting that it address IP traceback.

A second, apparently leaked ITU document offers surveillance and monitoring justifications that seem well-suited to repressive regimes: A political opponent to a government publishes articles putting the government in an unfavorable light. The government, having a law against any opposition, tries to identify the source of the negative articles but the articles having been published via a proxy server, is unable to do so, protecting the anonymity of the author.
Now that's what I call a use case! The standards group in question includes someone from the Chinese ministry of telecoms and an NSA official whose biog appears to be secret, as well as someone from Verisign; who is hilariously quoted as saying that:
"The OSI Internet protocols (IPv5) had the capabilities built-in. The ARPA Internet left them out because the infrastructure was a private DOD infrastructure."
(Trust me, if you know your Internet history, it's hilarious.) The poor darling, still wishing for someone to bring back OSI. And the representatives of the Chinese Communist Party conspiring away with the NSA.

Oh well; it's not as if it's going to work. Viz:
“Since passage of the Patriot Act, many companies based outside of the United States have been reluctant to store client information in the U.S.,” said Marc Rotenberg, executive director of the Electronic Privacy Information Center in Washington. “There is an ongoing concern that U.S. intelligence agencies will gather this information without legal process. There is particular sensitivity about access to financial information as well as communications and Internet traffic that goes through U.S. switches.”

But economics also plays a role. Almost all nations see data networks as essential to economic development. “It’s no different than any other infrastructure that a country needs,” said K C Claffy, a research scientist at the Cooperative Association for Internet Data Analysis in San Diego. “You wouldn’t want someone owning your roads either.”
Read the whole damn thing; it's one of the best reported stories on the Internet infrastructure I've ever seen, they spoke to the right people (Renesys, k c claffy, Odlyzko), and the conclusions are interesting to say the least.
The Renesys rankings of Internet connections, an indirect measure of growth, show that the big winners in the last three years have been the Italian Internet provider Tiscali, China Telecom and the Japanese telecommunications operator KDDI.

Firms that have slipped in the rankings have all been American: Verizon, Savvis, AT&T, Qwest, Cogent and AboveNet. “The U.S. telecommunications firms haven’t invested,” said Earl Zmijewski, vice president and general manager for Internet data services at Renesys. “The rest of the world has caught up. I don’t see the AT&T’s and Sprints making the investments because they see Internet service as a commodity.”
If the "American Internet" is ending, it's because they don't deserve it any more.

Monday, April 14, 2008

You Say Virgin, We Say Die!

So, after the Phorm evilhood, and the weird brokenness detailed here, and the 30-odd hour no-notice outage they dropped on me just after I started working from home, literally driving me to drink (the nearest operational open WLAN I found was in a pub), now Virgin Media comes up with this. It's not just the delight with which they want to deliberately spoil everyone else's day to extract cash from non-customers, it's the contempt, to say nothing of the ideological horror within revealed by someone who thinks bus lanes exist to make buses go slower. Well, I've got all the contempt anyone can handle, so I've just churned to I'll be cancelling on Virgin just as soon as they hook up my new ADSL link.

Friday, April 04, 2008

Phorm, how do I hack thee?

Let me count the ways.

If you think Phorm - the evil advert-spooking system practically all the UK's eyeball ISPs want to force on you - isn't so bad, I've got news for you. First of all, let's have a look at this Grauniad Tech article.
BT's 2006 trials certainly involved some sort of interception, because the data streams had extra Javascript inserted into them - which puzzled a number of people at the time. Two examples can be seen at the forums of and In both, the Javascript and other tags inserted by the 121Media system are clearly visible, with one showing the referring page and possibly "interests" of the member. Both contain links to - the 121Media-owned site through which BT sent browser requests during the 2006 trials and later ones in summer 2007.

OK. So not only were they snooping, but Phorm actually injects not just data - like a cookie - but code into your URL requests, so their customer websites react differently as a result. It's especially worrying that what they are adding is JavaScript; it's not just data, it's program logic. It does things. And, as any user of modern Web 2.0 services should realise, you can do all kinds of things with it - for example, you can call other web servers from within a web page without reloading. There is no way for you - the person whose BT, Virgin or Carphone Warehouse billing record stands behind the IP address that stands behind the identifier Phorm assigned - to know what such code does until after the fact.

Now, consider this; the good people of F-Secure unpicking the latest trend in security threats, the iFrame injection. It works like this - a lot of websites catch the search requests they receive and cache them, either to speed up the search process or to provide suggestions with the search results. This means that the search string...appears in a web page on their servers. So, if you fire enough popular search terms (which you can get from their website...) in, and append your attack code, there's a chance it'll get cached. And then, a visitor who uses the same search terms will get a page that contains the attack code; JavaScript is executed in the client side - i.e on the visitor's computer - so you're in.

So, let's put them together; if you're a Phorm customer, you can get the interests and web habits (and billing data?) of everyone in the UK delivered to your dodgy website in real time, and then you can reload anything you damn well like in their browser based on that information. Suddenly - let's back off here. It'll be someone unpopular. At first. So or sends you to; and there's fuck all you can do about it, except try to explain the concepts of "deep packet inspection", "iFRAME SEO injection", and the like to a court of law.

Paranoia, right? Not so much.

You think that's scary? Here's some more F-Secure for you. There is at least one exploit out there, which could be delivered through the lines we just discussed, that writes dubious code to the BIOS - the low-level insect brain of a computer, the bit that lights up the screen, spins up the hard drive, and explains how to read the boot sector and start the operating system. The only fix there, I think, would be to format the fucking lot and install something completely different - or throw the damn thing in the sea.

But here's where it gets bad; the thing nicks your online banking passwords. And then what does it do? It puts money into your bank account. Feel free to speculate.

Update: Now that's what I call an April Fool from F-Secure. A cracker. This is of course without prejudice to the rest of the post, but I should have realised there would be no way they'd have included a live link to the exploit if it was real. If you were brave enough to follow it,'d get the joke.

Saturday, March 15, 2008


One of the many wonderful things about the Web is that its hypertext structure not only permits us to navigate it, and to invoke external resources (scripts, graphics, etc), but also to measure relevance and authority. Google's killer insight was of course just this; to use links as votes for the relevance of a given document, and to do this recursively so that the more authoritative the document, the more powerful its outbound links.

But there is a fundamental problem here; the introduction of the REL="NOFOLLOW" tag was meant to stop spammers manipulating this structure by autogenerating great numbers of links, but this is only a partial solution. After all, the fact that somebody considers a document unreliable, irrelevant, spammy, or just...repellent is useful information; but there is no way of capturing it. Ideas like the "Semantic Web" have examined things like the idea of creating links that go backwards as well as forwards; I for one have never been able to understand this, and it sounds far too much like INTERCAL's COME FROM... statement. (You thought GOTO was considered harmful; COME FROM ... is the exact opposite.)

What I propose is that we introduce a negative hyperlink. A kind of informational veto. I've blogged about the Stupid Filter before, which attempts to gather enough stupidity from the Web that it can characterise stupid and use Bayesian filtering to get rid of it, as we do with spam. But I suspect that is a fundamentally limited, and also illiberal, approach; StupidFilter is indexing things like YouTube comments threads, which seems to guarantee that what it actually filters will be inarticulacy, or to put it another way, non-anglophones, the poor, the young, and the members of subcultures of all kinds. The really dangerous stupidity walks at noon and wears a suit, and its nonsense is floated in newspaper headlines and nicely formatted PowerPoint decks. StupidFilter would never filter Dick Cheney.

But a folksonomic approach to nonsense detection would not be bound to any one kind of stupidity or dishonesty, just as PageRank isn't restricted to any one subject. Anyone could antilink any document for any reason, across subjects, languages and cultures. Antilinks would be simple to capture programmatically - just as simple as other HTML tags are. In Python, it would be as simple as replacing the search string in a BeautifulSoup instance - one line of code. Even without changes to today's Web browsers, a simple user script could flash a warning when one was encountered, or provide a read-out of the balance between positive and negative links to a page.

Consider this post at; Chris is quite right to mock the Metropolitan Police's efforts to encourage the public to report "unusual" things. After all, there is no countervailing force; if you collect enough noise, statistically speaking, you will eventually find a pattern. What you need is the refiner's fire. Why is there no Debunk a Terror Alert hotline?

I am quite serious about this. Implementation could be as simple as a REL="BULLSHIT" attribute. Now how do you go making a submission to the W3C?

Tuesday, March 04, 2008

More Phorm Horrors

Spyblog is, of course, making sense when they say that the BT/Virgin Media/Carphone Warehouse spying scheme may be illegal because of the sweeping-up of e-mail traffic with the rest. As you know, Bob, e-mail has the legal status of a letter, thanks to the good folks of the EFF years ago. I thought of this, too; here's the text of my complaint to the ICO.
I have just become aware that BT, Virgin Media, and Carphone Warehouse have signed agreements to implement a wideranging scheme to monitor Web traffic passing over their access networks. The intent is, apparently, to insert targeted advertisements into Web content requested by their customers.I consider the details of the scheme to be unacceptable and of dubious legality. It appears that the technical implementation requires the participating network to intercept traffic between requesters and remote sites, to keep logs of individual users' activity, and to amend the content returned in accordance with rules applied to these logs. Legally, electronic mail is considered equivalent to a letter; this implies not just reading the traffic but altering it.

Note that many electronic mail users access their mailboxes via a Web interface, so their electronic mail could be affected by this insofar as it is not encrypted. As requests are being redirected, it is also possible that the security of authenticated sessions might be compromised. No guarantees are offered, or indeed technically possible, that this system would only be used for commercial purposes; as if that made it all right.

Corroborative information is available here [snip a gaggle of links]

Some people are concerned that other ISPs that either use BT's IPStream service - buying wholesale service on BT's access lines - or else use BT Wholesale to backhaul the lines they have taken over under local-loop unbundling to their facilities might be affected.

I'm pretty sure they're not; the distinction between an IPStream customer and a BT Retail customer is essentially which ISP bills you and routes the traffic onwards. BT Retail deals with BT Wholesale and Openreach on the same basis as other ISPs, under the terms of their agreement with Ofcom; so it buys service from BT Wholesale, and its traffic is piped from the BRAS (Broadband Remote Access Server) into its own core network. Meanwhile, the IPStream operators' traffic is wrapped into something called the Layer 2 Tunnelling Protocol (L2TP) and shipped from the BRAS over BT Wholesale wires to their own core networks, where they unwrap it, bill it, and route it.

If you look at the leaked network diagram above (right-click to enlarge), the Phorm/Websense/whatever stuff is all located in the BT Retail core network, upstream of the switches that handle traffic through their RADIUS servers. RADIUS is a server protocol used for accounting for IP traffic and controlling access, so essentially, all that goes through here is traffic BT Retail is billing for. We can therefore conclude that the other ISPs who use BT IPStream or local-loop unbundling are safe. Note that the left hand side is within BT Wholesale, i.e. everyone, the centre section is within BT Retail, so just their customers, and the right hand side is BT Wholesale's IP backbone network, so everyone again; if you like, imagine that the other ISPs' traffic goes around the back of the slide.

Which leads to the ironic conclusion that the best you can do if you're a Virgin customer is to churn to someone who uses BT's network.

Sunday, March 02, 2008

A short break in social democracy

Felix Salmon recalls the impact the appearance of wealth, and Buenos Aires’ status as a quasi-European city, had on Argentina’s finances; part of the reason the banks thought it could pay back the money they lent it was that it looked OK, or rather the steaks were superb, the wine better, the company classy (and white); how could anything go wrong?

It’s worth reading. It’s also interesting, as it’s his response to a debate between carta dell’oro glibertarians Tyler Cowen and Megan McArdle about why those terrible lefties persist in believing that Cuba is richer than northern Mexico. Cowen’s argument is essentially that there is a distinction between perceived wealth and actual wealth; the outsider sees crappy roads but not humming export industries, handsome Spanish buildings but not stinking jails. This is OK as far as it goes, but there is a far more interesting and fundamental point here.

Essentially, what they are talking about is J.K. Galbraith’s paradox of private affluence and public squalor. Naturally, right-libertarianism obliges them to carefully avoid citing him, but this is exactly the point he made in the 1950s; it’s quite possible, indeed common, for prosperity to coexist with ugly and generally ‘orrible visuals, precisely because people will optimise the stuff they control and which affects them individually, like their own homes. Further, there is some sort of indifference curve between private and public goods; people are willing to put up with crappier public spaces if they can compensate with greater private comfort. You can argue endlessly about the slope of the curve, but there is at least some tradeoff.

The international aspect, though, is interesting and I think original; as a foreigner, the visual terms of trade are inverted. You don’t spend time in private space, and you spend much more time than usual in public or semipublic, so private affluence is invisible except in so far as it spills over into the public square (good steakhouses, say, and high culture). Further, a lot of travelling occurs between cultures where different private-public exchange rates apply. It occurs to me that much tourism is motivated by precisely this factor; tourism as a form of commuting from the suburbs of private affluence to the city of public prosperity. In a sense, urban tourists are unconsciously spending a few days in socialism. (Other forms of tourism may provide something similar by creating pseudo-public spaces of great luxury, the poverty of the country being concealed.)

This goes double for questions of egalitarianism - tourists don’t stray into the favela, and a colleague of mine recalls the Ericsson engineer he worked with who was robbed of all his possessions down to and including his underpants on the first day of the project, so private suffering is as invisible as private affluence - and maybe triple for questions of politics.

After all, you’re unlikely to be the object of oppression as a visitor unless you’re actually coming to seek it out; if you don’t speak the language you’re unlikely to miss much through the censorship of the news. Add to this some special factors that apply to visitors who have come to do something rather than just to visit; if business is good, your old friends the fundamental attribution error and the salience heuristic will assure you that things are OK, if you’re as smart as you are. If it’s bad, well, look how dirty the streets are.

Saturday, June 09, 2007

It's for your own good (again)

You probably don't know that the government wants to implement wholesale filtering of URL requests from the end of next month, do you? Not that the national press, TV, or anything else has reported on it, nor has there been any serious parliamentary debate. Nuh. But the Home Office is pressurising British ISPs to install a system BT has been using since 2003, at the behest of (guess who) David Blunkett, called Cleanfeed.

A brief technical description - the Internet Watch Foundation provides a list of dodgy sites, and these are resolved to IP addresses in the normal way. Those addresses are then injected into the ISP's internal routing table through BGP, giving the address of a squid proxy within the ISP's network. This proxy matches the requests against the IWF's list of URLs. Matches return a "fuck off" splash page, non-matches are routed in the normal way.

The flaws are well-known; for a start, any encrypted protocol, even https, will pass through without touching the sides. It doesn't attempt to examine e-mail (and anyway, anyone who tries to distribute illegal material by e-mail without encrypting deserves to be caught), nor does it affect NNTP traffic - and, after all, alt.binaries.* newsgroups are still the best places to find any form of smut on the 'net. BitTorrent, Skype file transfer, and things more exotic will also go unfiltered. It's literally just port 80. Another problem, as demonstrated by Richard Clayton of the Cambridge Computer Lab, is that the system could be repurposed as a directory of the really bad stuff.

So, nobody who actually wants child abuse images will suffer from this. ISPs will, though, because it costs money. The Government pays for RIPA data retention, but it isn't paying for this little exercise because it's "voluntary", in the special Home Office sense of "voluntary" that means "do this or we'll make your life a misery". The official justification is to protect children from "accidentally stumbling upon" the images. This is ridiculous. I've been on the 'net since 1996 and I've never "stumbled upon" illegal images - for the same reason no-one ever accidentally buys cocaine. It's illegal, you fucking idiots. Nobody walks around waving a sign saying DRUG DEALER. And drug dealers do not give drugs away.

But there's worse. How can anyone be naive enough to imagine that the geniuses behind Operation Ore won't immediately want the log from that squid box - after all, if "the computer" refused to serve you something, you must have asked for it. Are you with the terrorists? I am aware that at least one ISP that has implemented the system has also removed the logging code from the squid, in the hope that any police request would require extensive software development (at the public charge).

Who, anyway, decides what is to be censored? The Internet Watch Foundation seems to rely on complaints from the public, only 33 per cent of which are upheld after the IWF's own enquiries. This is mildly promising - it suggests that some scrutiny is going on. But should the right to censor be in the hands of an organisation partly funded by News International?

If this is meant to be voluntary, I'd like to make clear that any ISP that refuses can have my business.

Update: Did you know that the list is priced at £5,000 a year and that it's confidential?

Sunday, September 17, 2006

Brainfuck City

Remind me not to go back to Dubai if at all possible. It's what happens when you leave the keys where the postmodernists can get at them, a formless mass of rapid urbanisation running along the coast from the border with Sharjah to beyond the docks at Jebel Ali. "Sprawl" doesn't describe it, because sprawl implies that there is a city centre out of which suburbs are expanding. Here, the whole thing is centre, or rather multiple artificial centres, with infill.

Construction rages everywhere. You can buy off-plan, without money up front, borrowing in any currency you can imagine, with a guarantee that you won't have to make payments until you move in. You're not expected to move in, but rather to sell at a profit before the thing is even built. John Kenneth Galbraith remarked in The Great Crash that one of the most impressive features of capitalism is the ingenuity with which it relieves the speculator of all the burdens of ownership except the capital gain. This kind of baroque finance is usually the mark of a wild speculative boom, and as if more proof was needed, the boom is now too big to fit Dubai itself. The biggest developer, Emaar, is currently advertising "the Portuguese lifestyle at Canyon Views" - Canyon Views, you discover only if you read the small print, is actually located near Rawalpindi, Pakistan.

And what buildings. The only common denominator is size, the huger the better. But strangely, as huge as they may be, they rarely if ever evoke the dignity and awe of the monumental. The rampant skyscraper-building somehow doesn't create the gut excitement of the City of London or the skyline of New York, just noise. See our shopping mall, six times the size of Brent Cross, its steel frame concealed under faux-adobe lumps and Andalusian detailing, as a vast dark glass office tower hurtles past..but where you might expect a three-story Corbusier pilotis, are a set of sand-coloured Doric columns, flanking the entrance to a white marble lobby the size of an airfield, decorated in the taste of Saddam Hussein and airconditioned to the approximate temperature of Dick Cheney's heart...while illuminated banners for another shopping mall beseech you to "Visit China! See Andalusia! Travel to Persia!" and a vast likeness of the late Ruler, Sheikh Zayed al-Maktoum, looms from out of a UAE flag on a giant billboard, chops set in a cruelly fatherly grin. He's perched on another neoclassical pillar, too, although Roman civilisation never extended here. Presumably some signification of imperial might attaches to it. As the sun sinks in to the soupy air, the whole semiologist's smorgasbord is spotlit from below with Yves Klein blue..

Travel to Persia, indeed. It's only a day's sail on a ferry or half an hour's flying time away. Huge stacks of shipping containers marked IRISL for Islamic Republic of Iran Shipping Lines await forwarding at the docks. Iranian dance music is a current fashion (it sounds like 90s Italian house with an odd Russian touch of nationalist/football chant and some folk influences), but presumably official discourse would rather not call attention to a profitable but despised neighbour. That is, in fact, a motif for the whole place. The monopoly telecoms operator blocks more URLs than China, but goes to particular lengths to discourage VoIP usage for crude financial reasons. But, with effort and clue, most sites are reachable; when YouTube was banned recently, the censors somehow forgot to bar its www2 and www3 mirror servers. Tor and various VPN solutions are widely used, and the locations of uncensored WLANs circulate.

As with all tyrannies, what they want you to do is forget. Forget that the censorship is obvious and widely circumvented, that Iran is to the north and Saudi Arabia the west, that 90 per cent of the population are not citizens of the UAE and are subject to deportation at any moment, for example if their employers wish it. Forget that most of those are desperately poor subcontinental building workers, dependent on the boom's continuation. Forget that booms do not continue. Forget what happens if they don't want to leave.

Forget you're even in Dubai. This is a desert with daytime temperatures of 40 degrees C, where at this time of year the minimum temperature is in the high thirties. Everything must always be airconditioned, especially as it's usually built of glass curtain walling. Water is desalinated, or to put it another way, produced from oil, but every new building has lawns and palm trees. Golf courses are big business. Next door in Sharjah, 10 kilometres away, water is in short supply and delivered by tanker. At nine o'clock at night, you can be stuck in a traffic jam of water trucks going West, away from the border, to supply the builders with water to mix their concrete. No public transport worth speaking of exists.

The best meal, in fact the only local meal, I had was in a club for hardhat British ex-pats, the sort of place you go for the all-day breakfast, satellite football and Guinness. Elsewhere it's all global gunk, a bit of Indian, a bit of Thai, a bit of sushi. Although you can eat whilst observed by a four-storey and historically inaccurate statue of Buddha, and probably witness the crucifixion of a gorilla if you're willing to spend a little cash and make the effort, it's only realistically going to be terrible.

The key to the local economy isn't oil, it's everyone else's oil. Everything you see has been built since the Jebel Ali container terminal and the tanker-repairing yards opened in 1976. More recently they built another container terminal, and then the giant airport.

Viktor Bout's last-known address, by the way, was Villa 5, Cornish Road, Coral Compound, Sharjah. I didn't go.

Tuesday, June 27, 2006

The trench art of networking

Soldiers in Iraq, dissatisfied with the limited and censored Internet service available officially, build their own. It's impressive, even though the main demand is to download filthy pictures and order foodstuffs forbidden by the chain of command - which, I suppose, gives it a sort of charm. As one of Robert Graves' comrades said, marching towards the front, Dear Mum, I am currently wading in blood up to my neck. Send fags and a lifebelt. Love and kisses.

It's probably a better idea than using a mobile phone, whether with a UK or local SIM inserted. Chez Spyblog there are details of supposed threatening calls made to the families of British soldiers in Iraq, with sceptical comment. Unfortunately, I'm much less sceptical - see this post from November 2005 on weird and clueless policy towards GSM networks in Iraq, and this one with regard to unauthorised mobile networks.

It seems nontrivial numbers of Allied soldiers are using local SIM cards provided by various networks not limited to MTS/Vodafone and Iraqna(Orascom Telecom), and these networks are possibly penetrated by the enemy. The reason for using local SIMs with GSM phones is that it is cheap. The reason not to is that all call details, locations, and numbers called are available to anyone with access to the operator's SS7 switch and databases - not just that, but the phone broadcasts its number and IMEI whenever it tries to register on the network, so jamming the real network and listening could gather identifying data.

Using Skype or a comparable peer-to-peer VoIP applicatiion from an Internet-connected computer would be far more secure - that, and making very sure no mobiles go outside the wire, as a similar method could be used to track troop movements.

On a similar Internet-politics trip, watch Charlie Stross bust my chops over IRC and the Soviet 1991 coup. Looks like I was wrong. It does mean an opportunity for an interesting anecdote, though. A Cisco Systems executive I spoke to a couple of months ago talked of selling the old BT System X digital phone exchanges to the Russians immediately post-communism. To his surprise, the first switch he visited was a 1940s all-electromechanical monster, maintained perfectly by a small army of women engineers who polished every contact, at least once a week.

There was no difficulty making the pristine copper wires do DSL, either, when he returned a few years later with Cisco. So it's probably no wonder there were IRC users in Moscow in 1991..

kostenloser Counter