Category: filtering

Divine Internet Filtering

Now I’m not very religious, but have no real problem with those who are.  Obviously, excluding those who want to kill me, blow me up or have me imprisoned – anything like that.  However I do think that secular governments seem to work better, at least with regards to democracy simply because most places have many people of differing faiths – I’d argue history supports this view.

It also in my opinion works best with other areas, such as internet access. For example Saudi Arabia, has a very fast and efficient telecoms infrastructure,  the speed in some of Riyadh’s 5 star hotels is absolutely incredible, absolutely no buffering over Wifi while watching BBC iPlayer.  But unfortunately with this 21 century technology, comes an almost medieval implementation.

I am referring to the way that Saudi Arabia censors the internet, or specifically the ISU who are based at the King Abdulaziz City for Science and Technology.  For a 21st century techno geek like me, alarm bells started ringing when I read the ISU statement on why they filter the internet –

God Almighty directed humanity in the Nobel Qur’an in the words of His prophet Joseph: “He said: My Lord, prison is more beloved to me than that to which they entice me, and were you not to divert their plot away from me I will be drawn towards them and be of the ignorant.  So his Lord answered him and diverted their plot away from him, truly, He is the All-Hearer, the All-Knower”  Yusuf(12):33-34

You can see the filtering statement here.

http://www.isu.net.sa/saudi-internet/contenet-filtring/filtring.htm

Now I’ve written a fair few, acceptable use policies in my time, but I confess I rarely reference religious scriptures. It will come as no surprise to find that in general the internet filtering operated by the Saudi Government tend to focus on repressing opposition and promoting their religious beliefs.

The sort of sites that are blocked are things like the Saudi Human Rights organisations, Free Speech Coalition and the Voice of Saudi Women. Lots of journalists are filtered, in fact they once blocked all of blogger because of a couple of blogs were being used to raise awareness of issues within the Kingdom of Saudi Arabia.

saudi internet filter

This is the cheerful message you get if you try and access one of the many thousands of blocked websites. Be especially careful in Saudi Internet cafes were hidden cameras were installed in 2009 and the proprietors are forced to supply names and addresses of customers on demand.

They use a system called Smart Filter to block access to all these websites. It’s nothing very complicated though and most people are able to bypass using proxies, VPNs or specialised software – like this.

Why Can’t I Use a Proxy

We’ve all been there – you’re stuck in work or school, and frankly bored out of your brain.   Sure you have internet access but all the most interesting sites are blocked –

  • Facebook Blocked
  • Youtube Blocked
  • MySpace Blocked
  • World of Warcraft (games and forum) Blocked

So why’s it happening and what can you do about it?

Your company or school controls your access to the internet at several points and is blocking your access at several levels.

The first control is probably through their own proxy server.  If you go and look in Tools/Internet Options/Connections/LAN Settings or  something like that in different browsers you’ll probably see a proxy server set.  That address will be a server controlled by your company where they force all internet traffic.  If they’ve done a decent job you won’t be able to change this.

The settings will normally be deployed by something called GPO (group Policy Objects) which are the way most organisations control what their computer looks like.  These apply settings like specific desktops, screensavers, Internet Explorer settings each time you boot up your computer.

Therefore absolutely everything you request goes through the company proxy server.  You might think you’re being clever searching for ninja proxy sites on the internet but I’m afraid you’re not.  All you are doing is creating a log of you searching for ‘ninja proxy sites online’, and letting administrators know you want to bypass their settings. The proxy server will be set to filter out all such requests by a variety of methods.  The most common one will be a huge list of URLs containing all the dodgy one page, Glype proxy installations online.

So you need to bypass this proxy server or do you?

If the organisation has their network set up properly then even by using an alternative browser or modifying the proxy settings in IE will not work anyway.  The reason is that your company firewall, the hardware device which controls all the traffic in and out of your network should only allow web traffic out from one specific address – the proxy server.   So forget about specific IPs, free web proxies or anything specific like a UK VPN or proxy until you figure this part out.  Remember in this scenario if you bypass the company proxy then your request will not get through, it needs to come from that specific IP address or it will get blocked.

Then a couple of things might happen –

  • The alert will be flagged on the firewall (Web requests from an incorrect internal client)
  • The administrator will track down the PC and find out it’s been modified.

But don’t worry in reality probably nobody ever looks at  the logs and most firewalls generate so many alerts that nobody ever looks at those either.

The point is your searching for online web proxies is simply a waste of time.  To bypass most corporate proxies you need to go through that proxy and not around it.  Through it because any other originating IP address will get blocked and may possibly  wake up your IT Department.  But you need to stop the proxy blocking access based on the content (what you are requesting) and the URL (the actual site you want to visit).

There are two things you can do to allow this – first you need encryption so that nothing can see inside your web request and secondly you need some low key server outside the network to relay your request.  These two requirements if implemented correctly will allow you to tunnel through any corporate network firewall or proxy and also keep your surfing private from the administrators and logs.   I should point out that the new generation of Smart DNS servers like this, may be more effective in a lockdown environment that standard proxies although it’s likely you’ll need admin access on your local pc in order to modify the network settings, as generally these will all be assigned automatically via DHCP.

What is Internet Filtering (and How Can you Beat it)?

This is becoming a more and more important question as we spend an increasing amount of time online. What exactly is internet filtering and should we learn to live with it or try and bypass it at every turn?

It’s probably best to start with some background, and define some of the types of filtering you’ll find online and who enforces them. All sorts of people could potentially be filtering your internet access, largely dependent upon your location and situation. Governments often filter extensively – places like China, Thailand and Iran heavily restrict what you can see or do online. More worryingly many places monitor rather than block which has led to many bloggers for instance being imprisoned for merely expressing an opinion online.

Web Filtering
More democratic nations are also starting to increase the amount of filtering they engage in. Australia seems very keen to introduce an extensive filtering system whilst Iceland are proposing to block internet porn completely from their country.

There are also more understandable filtering which takes place in your workplace, schools or colleges generally to prevent individuals accessing inappropriate sites or spending their working days on Facebook!

Surprisingly though all this filtering is usually obtained through very similar methods. Your local college is liable to be filtering your internet feed using the same methods as the Sudanese Government. If you decide you do want to beat internet filtering – then here’s two of the main methods used;

Filtering TCP/IP Headers

Every TCP/IP packet consists of two main sections, the header and the data. Inside the header you’ll find the destination IP address effectively where the request is being sent to. A simple but popular method of internet filtering is to maintain a list of ‘blocked IP addresses’ any request sent to these addresses is either dropped or blocked. It’s nto a very effective method though and means spending a long time keeping an up to date list of IP addresses and servers. It also often ends up blocking legitimate sites by mistake.

Filtering Based on Content

A more sophisticated method which involves looking at the data in the packet and not simply the address from the header. It usually involves an investment in new hardware to enable content filtering. This method is much more configurable and will allow blocks on inappropriate content such as porn, gambling etc without the reliance on maintaining a static list of sites.

It’s not perfect and there are still ways to beat this method of internet filtering too, it can also heavily impact the speed of the connection as well.

There are many variants of these methods and of course you’ll find lots of different security configurations employed as well in many organisations. For example many companies will only allow outgoing web requests out through a single server address normally a controlled proxy server. This is to stop people using the free basic web proxy servers that you find over the internet.

So Can You Beat Internet Filtering?

The simple answer is that you normally can. Evading the simple TCP/IP header filters is relatively straight forward – just finding a proxy server which does not have it’s IP address listed will normally do the trick.

Obviously it’s more difficult if you’re faced by a sophisticated content filter like BT Clean Feed, Websense or Optinet. These are actually looking in the data for both web addresses and specific keywords or patterns in the content itself. The simplest way to stop these content filters blocking you is to make your browsing unreadable by encrypting it. Encrypting your data means that the filters can’t actually see what is in the data in order to make a decision, when combined with a proxy server you can normally beat most internet filters.

Take a look at this video, which demonstrates how Hide IP Software actually works.

If you need a product that does this and more – then take a look at . , it has the technology to encrypt and cloak your protection plus access to an extensive network of proxies all over the globe – servers in the United States, Britain, France, Canada and many more across the world. You can use it for complete seclusion, to circumvent web filtering,censorship or even just to watch Hulu, BBC Iplayer or any media site you enjoy. The proxy will shield your IP address and the encryption will protect your data from logging and content filters.

Once Upon a Time There Was a Hosts File

When the World Wide Web was little and called the ARPAnet, resolving computers to their IP addresses wasn’t a big deal. In fact because the network consisted of only a few hundred hosts, a single file called HOSTS.TXT was sufficient. This file contained the name to address mapping of every computer on the ARPAnet. Unix computers hacked the HOSTS.TXT and built it’s own version and stored it into /etc/hosts – all was fine and dandy.

The HOSTS.TXT was maintained by a Network Information Centre and distributed by a single host. Any client would pick up a fresh copy every few days to see if any new hosts had been added to the network. Slowly there were problems as the network got bigger – here’s some of the biggies:

  • Traffic – the toll on the SRI-NIC (the computer which held the master copy of HOSTS.TXT) became unbearable. Network traffic and CPU utilization was overloading the host.
  • Name Collisions – No two hosts on a network can be the same. There was no system to enforce this uniqueness of host names – duplicates started to appear in the host list as it got bigger.
  • Consistency – making sure that everyone had the correct version of HOSTS.TXT became extremely difficult. Machines on the far edges of the network would take so long to get an update that it was

It didn’t work, name resolution started to cause havoc on the network as it grew, mailservers fell over as duplicates appeared. Hundreds of versions of the HOSTS.TXT file caused loads of issues and the reliability of the network plummeted.  A new system was needed and it was needed fast, that system was delivered by a chap called Paul Mockapetris.  He released two RFCs  – 882 and 883 which were the first definition of the Domain Name System – or as we mostly refer to it as DNS.    These RFCs have now been superceded many times as security, administration and implementation problems have been identified and rectified.

The Internet as we know it relies not on some huge text file but the Name resolution delivered by the Domain Name System.  DNS is simply a huge distributed database, local control of this data is allowed.   However this data is accessible across the whole network through a client/server set up.  Now this is where the history lesson finishes – I don’t want to start talking about Name Servers, resolvers or caching as you can find that stuff in other places.

Here on theninjaproxy.org we like our information is little more practical – so lets have a look at a little legacy of the HOSTS.TXT file that is used as a first step of resolution by Windows TCP/IP.

There’s the little fellow  – a text file called hosts which contains your computers first port of call in Name resolution before it uses methods like DNS for example.

It can be used to block or filters websites, hackers use it to infect clients with viruses and trojans by redirecting to nasty sites.  Also plenty of places still use it to make web based applications work properly or to redirect clients to specific computers.

It’s quite simple to use – here’s a brief illustration.  We are going to redirect a web site to a different place using the hosts file –

Let’s redirect our web surfer to somewhere pleasing to the eye – playboy.com.  First we find the IP address of the site by pinging it -216.18.172.158.   Next we need to make some simple modifications to our hosts file – you’ll usually need administration access to alter this file.


You can see we have added a line telling the computer that the site www.google.com can be found at the address 216.18.172.158 (oh no it can’t!).

Of course you’ve guessed what will happen when anyone tries to visit Google on this computer!

Sometimes doesn’t work as great on the bigger sites that rotate their IPs over lots of servers and you may have to clear your cache with CCleaner beforehand.  But you get the idea, another slight modification is that you can use the hosts file to block access to sites to.   Instead of redirecting a site to different IP address you can just redirect to your local computer using 127.0.0.1.

For example perhaps you are getting pissed about all the adverts that are served on websites from ad.doubleclick.net, simply add this line to your hosts file.

127.0.0.1     ad.doubleclick.net

This will have the effect of blocking access to that website (and blocking it’s adverts).  It’s a crude but reasonably effective way of blocking access to specific websites on a particular computer.  Many companies or schools use this method on public facing or ‘kiosk’ machines.

Unfortunately hackers also use this method too, viruses modify your hosts file to redirect your machine to malicious websites instead of popular sites like Facebook or similar.  So it’s always worth checking out your hosts file occasionally to see all is in order.

Internet Filtering, Censorship, Surveillance and Stuff Like That

One of the many justifications used across the world by agencies, governments, regimes etc for spying on us and filtering internet feeds is that it actually protects us.    By that they generally mean by employing these tactics they are able to catch more terrorists, paedophiles and various nasty people using the internet for their naughtiness.  In fact in many sectors of society if you argue that the internet shouldn’t be monitored or filtered then you will often find yourself grouped with these unsavory characters. Now just to clarify I’m not talking about carefully targeted surveillance and filtering on suspects (fair enough on that) but the general broad monitoring and filtering on an entire population on the off chance of picking up something interesting !

The problem is that it’s utter rubbish for one very good reason – it simply doesn’t work.    It’s all very well a Government thinking that they can routinely pick up terrorists by swooping on a Facebook page – but in reality what sort of hardened operatives are they going to pick up?   One thing for sure they won’t be very clever – in fact you’ll probably pick up the likes of these two harmless muppets who tried to organise a riot on Facebook.   Their riot attracted no rioters and they were picked up and sentenced to four years (which will probably be reduced to 2 weeks on appeal).

Jordan Blackshaw, left, and Perry Sutcliffe-Keenan

Now to be honest I don’t know about you, but I might be prepared to concede a large part of my liberty and privacy if I thought the world would become a genuinely safer and better place.   However picking up the likes of these two hardly meets that criteria.

The point I’m trying to make is that when internet filtering, censoring and surveillance techniques are utilised the only people who are affected are those with nothing to hide, plus perhaps a few thick criminals/terrorists who are probably of limited danger.   There are many ways to circumvent filters, there are lots of ways to communicate anonymously and all those who need to are doing just that.

Do Al Qaeda communicate through Facebook, My Space or Twitter – I suspect not.  Do they send out their orders by emails in clear text with PDF attachments detailing their targets – of course they don’t.    They’ll be using TOR, encrypted emails, hidden web sites and communication networks on the Dark web.   There will be codes, ciphers and carefully devised communication methods and strategies plus loads of other stuff on here The Ninja Proxy!

Of course they might be like this lot from the rather funny film Four Lions –

 

But I suspect not.