diff --git a/censor-local.bib b/censor-local.bib
new file mode 100644
index 0000000..ca63db0
--- /dev/null
+++ b/censor-local.bib
@@ -0,0 +1,24 @@
+% These are entries that replace entries in censor.bib
+% that I want to edit in some way.
+
+% Use \enquote to avoid double quotes within double quotes.
+@inproceedings{Marczak2015a-local,
+ author = {Bill Marczak and Nicholas Weaver and Jakub Dalek and Roya Ensafi and David Fifield and Sarah McKune and Arn Rey and John Scott-Railton and Ron Deibert and Vern Paxson},
+ title = {An Analysis of {China}'s \enquote{Great Cannon}},
+ booktitle = {Free and Open Communications on the Internet},
+ publisher = {USENIX},
+ year = {2015},
+ url = {https://www.usenix.org/system/files/conference/foci15/foci15-paper-marczak.pdf},
+}
+
+% Set url to my HTML page.
+@article{Fifield2015a-local,
+ author = {David Fifield and Chang Lan and Rod Hynes and Percy Wegmann and Vern Paxson},
+ title = {Blocking-resistant communication through domain fronting},
+ journal = {Privacy Enhancing Technologies},
+ volume = {2015},
+ number = {2},
+ publisher = {De Gruyter Open},
+ year = {2015},
+ url = {https://www.bamsoftware.com/papers/fronting/},
+}
diff --git a/censor.bib b/censor.bib
index 40e95c1..c9e689a 100644
--- a/censor.bib
+++ b/censor.bib
@@ -97,7 +97,7 @@
 publisher = {IEEE},
 year = {2017},
 pages = {1113--1124},
- url = {http://censorbib.nymity.ch/pdf/Heydari2017a.pdf},
+ url = {https://censorbib.nymity.ch/pdf/Heydari2017a.pdf},
 }
 
 @inproceedings{Gebhart2017a,
@@ -106,7 +106,7 @@
 booktitle = {European Symposium on Security \& Privacy},
 publisher = {IEEE},
 year = {2017},
- url = {http://homes.cs.washington.edu/~yoshi/papers/GebhartEtAl-IEEEEuroSP.pdf},
+ url = {https://homes.cs.washington.edu/~yoshi/papers/GebhartEtAl-IEEEEuroSP.pdf},
 }
 
 @techreport{Wolfgarten2006a,
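Review bot: The header comment in censor-local.bib says these entries replace entries in censor.bib, but nothing in the file makes that happen. `Marczak2015a-local` and `Fifield2015a-local` are separate keys, and the original keys still resolve to the unedited entries, so a `\cite{Marczak2015a}` that is not renamed keeps the old title and URL without any warning. I would state this in the header, e.g. `% Cite these by their -local keys; the original keys in censor.bib still resolve to the unedited entries.` The `\enquote` in the Marczak title is normally supplied by csquotes, which is not among the preamble lines visible in this commit, so confirm it is loaded.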
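Review bot: Nothing in the commit shows that the rewritten URLs were fetched after the scheme change, either in this hunk or in the other `url` hunks of censor.bib, which together touch more than a dozen hosts. A host that has no valid certificate, or that serves a different path over TLS, turns a working reference into a dead link for readers of the PDF. Run a link check over the changed lines before merging. For any entry that has to stay on `http://`, put a comment line above the entry (outside its braces) saying so, such as `% no HTTPS on this host as of <date>`.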
@@ -151,7 +151,7 @@
 booktitle = {Workshop on Privacy in the Electronic Society},
 publisher = {ACM},
 year = {2016},
- url = {http://dl.acm.org/authorize?N25517},
+ url = {https://dl.acm.org/authorize?N25517},
 }
 
 @inproceedings{Bocovich2016a,
@@ -235,7 +235,7 @@
 publisher = {De Gruyter Open},
 year = {2016},
 pages = {83--101},
- url = {http://www.degruyter.com/downloadpdf/j/popets.2016.2016.issue-4/popets-2016-0030/popets-2016-0030.xml},
+ url = {https://www.degruyter.com/downloadpdf/j/popets.2016.2016.issue-4/popets-2016-0030/popets-2016-0030.xml},
 }
 
 @article{Khattak2016a,
@@ -247,7 +247,7 @@
 publisher = {De Gruyter Open},
 year = {2016},
 pages = {37--61},
- url = {http://www.degruyter.com/downloadpdf/j/popets.2016.2016.issue-4/popets-2016-0028/popets-2016-0028.xml},
+ url = {https://www.degruyter.com/downloadpdf/j/popets.2016.2016.issue-4/popets-2016-0028/popets-2016-0028.xml},
 }
 
 @article{Douglas2016a,
@@ -259,7 +259,7 @@
 publisher = {De Gruyter Open},
 year = {2016},
 pages = {4--20},
- url = {http://www.degruyter.com/downloadpdf/j/popets.2016.2016.issue-4/popets-2016-0026/popets-2016-0026.xml},
+ url = {https://www.degruyter.com/downloadpdf/j/popets.2016.2016.issue-4/popets-2016-0026/popets-2016-0026.xml},
 }
 
 @inproceedings{Scott2016a,
@@ -316,7 +316,7 @@
 publisher = {De Gruyter Open},
 year = {2016},
 pages = {175--192},
- url = {http://www.degruyter.com/downloadpdf/j/popets.2015.2016.issue-2/popets-2016-0011/popets-2016-0011.xml},
+ url = {https://www.degruyter.com/downloadpdf/j/popets.2015.2016.issue-2/popets-2016-0011/popets-2016-0011.xml},
 }
 
 @article{McPherson2016a,
@@ -328,7 +328,7 @@
 publisher = {De Gruyter Open},
 year = {2016},
 pages = {212--225},
- url = {http://www.degruyter.com/downloadpdf/j/popets.2016.2016.issue-3/popets-2016-0024/popets-2016-0024.xml},
+ url = {https://www.degruyter.com/downloadpdf/j/popets.2016.2016.issue-3/popets-2016-0024/popets-2016-0024.xml},
 }
 
 @inproceedings{Kohls2016a,
@@ -393,7 +393,7 @@
 booktitle = {Workshop on Privacy in the Electronic Society},
 publisher = {ACM},
 year = {2015},
- url = {http://censorbib.nymity.ch/pdf/Vines2015a.pdf},
+ url = {https://censorbib.nymity.ch/pdf/Vines2015a.pdf},
 }
 
 @inproceedings{Tanash2015a,
@@ -402,7 +402,7 @@
 booktitle = {Workshop on Privacy in the Electronic Society},
 publisher = {ACM},
 year = {2015},
- url = {http://censorbib.nymity.ch/pdf/Tanash2015a.pdf},
+ url = {https://censorbib.nymity.ch/pdf/Tanash2015a.pdf},
 }
 
 @inproceedings{Ensafi2015b,
@@ -447,7 +447,7 @@
 booktitle = {Workshop on Privacy in the Electronic Society},
 publisher = {ACM},
 year = {2011},
- url = {http://www.cypherpunks.ca/~iang/pubs/bridgespa-wpes.pdf},
+ url = {https://www.cypherpunks.ca/~iang/pubs/bridgespa-wpes.pdf},
 }
 
 @inproceedings{Ververis2015a,
@@ -521,7 +521,7 @@
 number = {1},
 publisher = {De Gruyter Open},
 year = {2015},
- url = {http://censorbib.nymity.ch/pdf/Ensafi2015a.pdf},
+ url = {https://censorbib.nymity.ch/pdf/Ensafi2015a.pdf},
 }
 
 @article{Fifield2015a,
@@ -550,7 +550,7 @@
 booktitle = {International Conference on Advanced Communication Technology},
 publisher = {IEEE},
 year = {2014},
- url = {http://censorbib.nymity.ch/pdf/Wang2014a.pdf},
+ url = {https://censorbib.nymity.ch/pdf/Wang2014a.pdf},
 }
 
 @article{Gill2015a,
@@ -561,7 +561,7 @@
 year = {2015},
 volume = {9},
 number = {1},
- url = {http://censorbib.nymity.ch/pdf/Gill2015a.pdf},
+ url = {https://censorbib.nymity.ch/pdf/Gill2015a.pdf},
 }
 
 @inproceedings{Aase2012a,
@@ -598,7 +598,7 @@
 publisher = {CTU Publishing House},
 title = {The {Eternity} Service},
 year = {1996},
- url = {http://www.cl.cam.ac.uk/~rja14/Papers/eternity.pdf},
+ url = {https://www.cl.cam.ac.uk/~rja14/Papers/eternity.pdf},
 }
 
 @techreport{Anderson2012a,
@@ -606,7 +606,7 @@
 title = {The Hidden {Internet} of {Iran}: Private Address Allocations on a National Network},
 institution = {},
 year = {2012},
- url = {http://arxiv.org/pdf/1209.6398v1},
+ url = {https://arxiv.org/pdf/1209.6398v1},
 }
 
 @techreport{Anderson2013a,
@@ -614,7 +614,7 @@
 title = {Dimming the {Internet}: Detecting Throttling as a Mechanism of Censorship in {Iran}},
 institution = {University of Pennsylvania},
 year = {2013},
- url = {http://arxiv.org/pdf/1306.4361v1.pdf},
+ url = {https://arxiv.org/pdf/1306.4361v1.pdf},
 }
 
 @inproceedings{Anderson2014a,
@@ -653,7 +653,7 @@
 publisher = {USENIX},
 title = {{Internet} Censorship in {Iran}: A First Look},
 year = {2013},
- url = {http://censorbib.nymity.ch/pdf/Aryan2013a.pdf},
+ url = {https://censorbib.nymity.ch/pdf/Aryan2013a.pdf},
 }
 
 @article{Aycock2008a,
@@ -665,7 +665,7 @@
 title = {``Good'' Worms and Human Rights},
 volume = {38},
 year = {2008},
- url = {http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1412007},
+ url = {https://papers.ssrn.com/sol3/papers.cfm?abstract_id=1412007},
 }
 
 @techreport{Bachrach2011a,
@@ -673,7 +673,7 @@
 title = {{\#h00t}: Censorship Resistant Microblogging},
 institution = {Rice University and University of Texas at Arlington},
 year = {2011},
- url = {http://arxiv.org/pdf/1109.6874v1.pdf},
+ url = {https://arxiv.org/pdf/1109.6874v1.pdf},
 }
 
 @inproceedings{Benson2013a,
@@ -709,7 +709,7 @@
 publisher = {USENIX},
 title = {Chipping Away at Censorship Firewalls with User-Generated Content},
 year = {2010},
- url = {http://www.usenix.org/event/sec10/tech/full_papers/Burnett.pdf},
+ url = {https://www.usenix.org/event/sec10/tech/full_papers/Burnett.pdf},
 }
 
 @inproceedings{Cao2009a,
@@ -719,7 +719,7 @@
 publisher = {IEEE},
 title = {{SkyF2F}: Censorship Resistant via {Skype} Overlay Network},
 year = {2009},
- url = {http://censorbib.nymity.ch/pdf/Cao2009a.pdf},
+ url = {https://censorbib.nymity.ch/pdf/Cao2009a.pdf},
 }
 
 @inproceedings{Chaabane2014a,
@@ -747,7 +747,7 @@
 publisher = {Springer},
 title = {Ignoring the {Great Firewall} of {China}},
 year = {2006},
- url = {http://www.cl.cam.ac.uk/~rnc1/ignoring.pdf},
+ url = {https://www.cl.cam.ac.uk/~rnc1/ignoring.pdf},
 }
 
 @inproceedings{Clayton2006b,
@@ -757,7 +757,7 @@
 publisher = {Springer},
 title = {Failures in a Hybrid Content Blocking System},
 year = {2006},
- url = {http://www.cl.cam.ac.uk/~rnc1/cleanfeed.pdf},
+ url = {https://www.cl.cam.ac.uk/~rnc1/cleanfeed.pdf},
 }
 
 @inproceedings{Connolly2014a,
@@ -803,7 +803,7 @@
 booktitle = {Economics and Information Security},
 title = {The Economics of Censorship Resistance},
 year = {2004},
- url = {http://www.cl.cam.ac.uk/~rja14/Papers/redblue.pdf},
+ url = {https://www.cl.cam.ac.uk/~rja14/Papers/redblue.pdf},
 }
 
 @techreport{Danezis2011a,
@@ -846,7 +846,7 @@
 booktitle = {Computer and Communications Security},
 year = {2013},
 publisher = {ACM},
- url = {http://eprint.iacr.org/2012/494.pdf},
+ url = {https://eprint.iacr.org/2012/494.pdf},
 }
 
 @inproceedings{Ensafi2014a,
@@ -855,7 +855,7 @@
 booktitle = {Passive and Active Measurement Conference},
 publisher = {Springer},
 year = {2014},
- url = {http://arxiv.org/pdf/1312.5739.pdf},
+ url = {https://arxiv.org/pdf/1312.5739.pdf},
 }
 
 @inproceedings{Espinoza2011a,
@@ -929,7 +929,7 @@
 publisher = {USENIX},
 title = {Building Dissent Networks: Towards Effective Countermeasures against Large-Scale Communications Blackouts},
 year = {2013},
- url = {http://censorbib.nymity.ch/pdf/Hasan2013a.pdf},
+ url = {https://censorbib.nymity.ch/pdf/Hasan2013a.pdf},
 }
 
 @inproceedings{Houmansadr2011a,
@@ -1020,7 +1020,7 @@
 publisher = {USENIX},
 title = {Towards Illuminating a Censorship Monitor's Model to Facilitate Evasion},
 year = {2013},
- url = {http://censorbib.nymity.ch/pdf/Khattak2013a.pdf},
+ url = {https://censorbib.nymity.ch/pdf/Khattak2013a.pdf},
 }
 
 @inproceedings{Khattak2014a,
@@ -1067,7 +1067,7 @@
 publisher = {ACM},
 year = {2004},
 pages = {47--58},
- url = {http://censorbib.nymity.ch/pdf/Koepsell2004a.pdf},
+ url = {https://censorbib.nymity.ch/pdf/Koepsell2004a.pdf},
 }
 
 @inproceedings{Li2014a,
@@ -1148,7 +1148,7 @@
 booktitle = {Computer and Communications Security},
 year = {2012},
 publisher = {ACM},
- url = {http://www.cypherpunks.ca/~iang/pubs/skypemorph-ccs.pdf},
+ url = {https://www.cypherpunks.ca/~iang/pubs/skypemorph-ccs.pdf},
 }
 
 @inproceedings{Morrison2014a,
@@ -1156,7 +1156,7 @@
 title = {Toward automatic censorship detection in microblogs},
 booktitle = {Data Mining in Social Networks},
 year = {2014},
- url = {http://arxiv.org/pdf/1402.5310.pdf},
+ url = {https://arxiv.org/pdf/1402.5310.pdf},
 }
 
 @inproceedings{Nabi2013a,
@@ -1165,7 +1165,7 @@
 publisher = {USENIX},
 title = {The Anatomy of Web Censorship in {Pakistan}},
 year = {2013},
- url = {http://censorbib.nymity.ch/pdf/Nabi2013a.pdf},
+ url = {https://censorbib.nymity.ch/pdf/Nabi2013a.pdf},
 }
 
 @inproceedings{Nobori2014a,
@@ -1184,7 +1184,7 @@
 publisher = {IEEE},
 title = {Empirical Study of a National-Scale Distributed Intrusion Detection System: Backbone-Level Filtering of {HTML} Responses in {China}},
 year = {2010},
- url = {http://www.cs.unm.edu/~crandall/icdcs2010.pdf},
+ url = {https://www.cs.unm.edu/~crandall/icdcs2010.pdf},
 }
 
 @inproceedings{Perng2005a,
@@ -1194,7 +1194,7 @@
 publisher = {Springer},
 title = {Censorship Resistance Revisited},
 year = {2005},
- url = {http://censorbib.nymity.ch/pdf/Perng2005a.pdf},
+ url = {https://censorbib.nymity.ch/pdf/Perng2005a.pdf},
 }
 
 @inproceedings{Roberts2011a,
@@ -1213,7 +1213,7 @@
 title = {Secure Communication over Diverse Transports},
 year = {2012},
 pages = {75--80},
- url = {http://censorbib.nymity.ch/pdf/Rogers2012a.pdf},
+ url = {https://censorbib.nymity.ch/pdf/Rogers2012a.pdf},
 }
 
 @inproceedings{Roos2014a,
@@ -1231,7 +1231,7 @@
 title = {Identity-Based Steganography and Its Applications to Censorship Resistance},
 publisher = {Springer},
 year = {2013},
- url = {http://petsymposium.org/2013/papers/ruffing-censorship.pdf},
+ url = {https://petsymposium.org/2013/papers/ruffing-censorship.pdf},
 }
 
 @inproceedings{Schuchard2012a,
@@ -1277,7 +1277,7 @@
 booktitle = {CHI Conference on Human Factors in Computing Systems},
 publisher = {ACM},
 year = {2011},
- url = {http://censorbib.nymity.ch/pdf/Shklovski2011a.pdf},
+ url = {https://censorbib.nymity.ch/pdf/Shklovski2011a.pdf},
 }
 
 @inproceedings{Sovran2008a,
@@ -1339,7 +1339,7 @@
 publisher = {USENIX},
 title = {Five Incidents, One Theme: {Twitter} Spam as a Weapon to Drown Voices of Protest},
 year = {2013},
- url = {http://censorbib.nymity.ch/pdf/Verkamp2013a.pdf},
+ url = {https://censorbib.nymity.ch/pdf/Verkamp2013a.pdf},
 }
 
 @inproceedings{Wachs2013a,
@@ -1403,7 +1403,7 @@
 booktitle = {Network and Distributed System Security},
 publisher = {The Internet Society},
 year = {2009},
- url = {http://www.icsi.berkeley.edu/pubs/networking/ndss09-resets.pdf},
+ url = {https://www.icsi.berkeley.edu/pubs/networking/ndss09-resets.pdf},
 }
 
 @inproceedings{Weinberg2012a,
@@ -1438,7 +1438,7 @@
 booktitle = {Free and Open Communications on the Internet},
 publisher = {USENIX},
 year = {2013},
- url = {http://censorbib.nymity.ch/pdf/Winter2013a.pdf},
+ url = {https://censorbib.nymity.ch/pdf/Winter2013a.pdf},
 }
 
 @inproceedings{Winter2013b,
@@ -1447,7 +1447,7 @@
 booktitle = {Workshop on Privacy in the Electronic Society},
 publisher = {ACM},
 year = {2013},
- url = {http://censorbib.nymity.ch/pdf/Winter2013b.pdf},
+ url = {https://censorbib.nymity.ch/pdf/Winter2013b.pdf},
 }
 
 @inproceedings{Wright2011a,
@@ -1464,7 +1464,7 @@
 title = {Regional Variation in {Chinese Internet} Filtering},
 institution = {University of Oxford},
 year = {2012},
- url = {http://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID2265775_code1448244.pdf?abstractid=2265775&mirid=3},
+ url = {https://papers.ssrn.com/sol3/Delivery.cfm/SSRN_ID2265775_code1448244.pdf?abstractid=2265775&mirid=3},
 }
 
 @inproceedings{Wustrow2011a,
@@ -1473,7 +1473,7 @@
 booktitle = {USENIX Security Symposium},
 publisher = {USENIX},
 year = {2011},
- url = {http://www.usenix.org/event/sec11/tech/full_papers/Wustrow.pdf},
+ url = {https://www.usenix.org/event/sec11/tech/full_papers/Wustrow.pdf},
 }
 
 @inproceedings{Wustrow2014a,
@@ -1492,7 +1492,7 @@
 publisher = {Springer},
 year = {2011},
 pages = {133--142},
- url = {http://web.eecs.umich.edu/~zmao/Papers/china-censorship-pam11.pdf},
+ url = {https://web.eecs.umich.edu/~zmao/Papers/china-censorship-pam11.pdf},
 }
 
 @inproceedings{Zhou2013a,
@@ -1501,7 +1501,7 @@
 booktitle = {Hot Topics in Privacy Enhancing Technologies},
 publisher = {Springer},
 year = {2013},
- url = {http://petsymposium.org/2013/papers/zhou-censorship.pdf},
+ url = {https://petsymposium.org/2013/papers/zhou-censorship.pdf},
 }
 
 @inproceedings{Zhu2013a,
diff --git a/local.bib b/local.bib
index 7f2d419..9258610 100644
--- a/local.bib
+++ b/local.bib
@@ -390,3 +390,21 @@
 school = {Karlstad University},
 year = {2014},
 }
+
+@techreport{LovecruftDeValence2017a,
+ author = {Lovecruft, Isis Agora and de Valence, Henry},
+ title = {{HYPHAE}: Social Secret Sharing},
+ number = {2017-04-21},
+ month = apr,
+ year = {2017},
+ url = {https://patternsinthevoid.net/hyphae/hyphae.pdf},
+}
+
+@techreport{Sovran2008b,
+ author = {Yair Sovran and Jinyang Li and Lakshminarayanan Subramanian},
+ title = {Unblocking the {Internet}: Social Networks Stymie Censors},
+ organization = {New York University},
+ number = {TR2008-918},
+ year = {2008},
+ url = {http://kscope.news.cs.nyu.edu/pub/TR-2008-918.pdf},
+}
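Review bot: In the local.bib hunk, `Sovran2008b` names its issuer in `organization = {New York University}`, which the standard `@techreport` drivers do not read. The technical reports visible in censor.bib all use `institution`, so this line should be `institution = {New York University},`. `LovecruftDeValence2017a` has no `institution` at all, so Biber will likely warn about the missing field. It also puts a date in `number`; under biblatex that date would sit better in `date = {2017-04-21}`. The Sovran URL is added as `http://` in the same commit that moves the censor.bib links to `https://`; switch it if the host serves TLS, which the diff cannot confirm.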
diff --git a/summaries.txt b/summaries.txt index d1e371b..828455f 100644 --- a/summaries.txt +++ b/summaries.txt @@ -1202,3 +1202,28 @@ someone's home computer)? Covers ways of mitigating risk, which include not directly using leaf nodes for measurement, but rather doing a traceroute and stepping two hops back; and scanning from entire /24s at a time to avoid implicating any single user. + + +Mahdian2010a +Fighting Censorship with Algorithms + +Looks at bridge distribution from an algorithmic point of view. The +model is that there are $k$ adversaries, $n-k$ honest users, $m$ +bridges; the goal is that at the end, all honest users should have at +least one unblocked bridge. Considers three scenarios: static one-shot, +dynamic multiple-round, and trust networks where users can invite other +users. In the static one-shot model, the problem reduces to a problem in +secure overlay network design +(http://www.cs.columbia.edu/~lierranli/publications/AAIM06.pdf) and the +algorithm they offer is to give each bridge to each user with +independent probability $1/(k+1)$. In the dynamic multiple-round model, +the simpler version of the algorithm is to divide the users into $n/k$ +groups and give each group a unique bridge. When a bridge is +compromised, divide its user group in half and give each half a new +unique bridge. A more complicated version of the dynamic algorithm (that +gives better bounds on the number of bridges required) reuses +uncompromised bridges when probing to find the adversaries. In the trust +network model (where adversaries can invite other adversaries), they +leave the problem mostly open but show a solution for the case $k=1$. +Not really practical: wants knowledge of $n$ and $k$, assumes bridges +are always online, set of users doesn't change much. diff --git a/thesis.tex b/thesis.tex index 3040ac7..7f9b04b 100644 --- a/thesis.tex +++ b/thesis.tex 
@@ -20,7 +20,7 @@ % biblatex manual: % "When using the hyperref package, it is preferable to load it after biblatex." \usepackage[backend=biber,maxbibnames=99,backref=true]{biblatex} -\bibliography{local,censor} +\bibliography{local,censor-local,censor} \usepackage[hidelinks]{hyperref} \urlstyle{same} @@ -40,7 +40,7 @@ \usepackage{yfonts} -\newcommand{\dragons}{\textfrak{\Large here be dragons}\bigskip} +\newcommand{\dragons}{\bigskip\noindent\textfrak{\Large here be dragons}\bigskip} \begin{document} @@ -81,6 +81,7 @@ % Counterintelligence? Introducing incremental tweaks (like auto-rotating PT ports) that are easily counteracted but take time to figure out? I had been opposed to the cat-and-mouse game line of research, but it makes sense when thinking about modeling the foibles of a real censor. \chapter{Introduction} +\label{chap:intro} This is a thesis about Internet censorship. In it, I will expand on two threads of research @@ -175,7 +176,7 @@ of the incoming and outgoing traffic, and allow the rest to pass---this assumption will be a major focus of the next chapter. It is not hard to see how the border firewall model -relates to censorship as it is seen in practice. +relates to censorship in practice. In a common case, the censor is a national government, and the borders of its controlled network correspond to the borders of a country. 
@@ -203,28 +204,30 @@ or the amount of computation they can afford to spend on each communication. % and the capabilities of commercial networking technology may presage % those of larger censors in the future. -The scope excludes other important cases of censorship, -for example that which occurs entirely within -the censor's sphere of influence\index{sphere of influence (of a censor)}, -or anything not involving the Internet. -So, for example, we do not consider the blocking of keywords -on China's domestic microblogging service Weibo, -and censorship of television and printed newspapers. -We also leave out the important and difficult topic -of self-censorship---people choosing not to -express themselves, in whatever medium, -for fear of repercussion. -We do, however, consider the possibility of -non-network-based attacks by censors, -such as physical violence or imprisonment, -but only as it relates to circumvention -of a border firewall. - -% not newspaper censorship -% not internal censorship (50c party) -% not e.g. Publius, Tangler. 
-% not purely within-sphere -% just border firewall censorship +Here are some examples of forms of censorship that are in scope: +\begin{itemize} +\item blocking IP addresses +\item blocking specific network protocols +\item blocking DNS resolution for certain domains +\item blocking keywords in URLs +\item dissecting network layers (``deep packet inspection'') +\item statistical and probabilistic traffic classification +\item active measures by censors to discover the use of circumvention +\end{itemize} +Other forms of censorship that are \emph{not} in scope include: +\begin{itemize} +\item domain takedowns (that affect all clients globally) +\item server-side blocking (servers refusing to serve certain clients) +\item anything that takes place entirely within the censor's network + and does not cross the border +\item forum moderation and deletion of social media posts +\item deletion-resistant publishing like + the Eternity Service~\cite{Anderson1996a}---except + insofar as access to such services may be blocked +% Dagster~\cite{Stubblefield2001a} +% Publius~\cite{Waldman2000a} +% Tangler~\cite{Waldman2001a} +\end{itemize} Some have objected to the use of the generic term ``Internet censorship''\index{``Internet censorship'' as a term} 
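Review bot: The two new lists drop scope statements that the removed paragraph made and that a reader needs in order to place the threat model. The removed text said that non-network attacks by the censor (physical violence, imprisonment) are considered as far as they bear on circumvention, and that self-censorship and censorship outside the Internet are excluded. If that is still the intended scope, keep a sentence after the second `itemize`, for instance `Non-network attacks such as imprisonment are considered only insofar as they relate to circumvention of a border firewall.` Add self-censorship and non-Internet media as `\item`s in the out-of-scope list.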
@@ -237,70 +240,90 @@ to refer to the border firewall case. % Even within this narrowed scope, there is plenty to do. -\chapter{Circumvention paradigms} +\chapter{Principles of circumvention} +\label{chap:principles} + +In order to understand the challenges of circumvention, +it helps to put yourself in the mindset of a censor. +A censor has two high-level functions: detection and blocking. +Detection is a classification problem: +the censor prefers to permit some communications and deny others, +and so it must have some procedure for deciding which +communications fall in which category. +Blocking follows detection. +Once the censor detects some prohibited communication, +it must take some action to stop the communication, +such as terminating the connection at a network router. +A censor must be able both to detect and to block. +(Detection without blocking would be called not censorship, but surveillance.) +The flip side of this statement is that +a circumventor succeeds either by +eluding detection, or, once detected, +somehow resist the censor's blocking action. +Research on circumvention has mostly dealt with the detection problem---a +minority of research is on resisting blocking despite being detected. + +A censor is, then, essentially +a traffic classifier coupled with +a blocking mechanism. +Though the design space is large, +and many complications are possible, +at its heart it must decide, for each communication, +whether to block or allow, +and then effect blocks as appropriate. +Any classifier is liable to make mistakes. +When the censor fails to block something that it would have preferred to block, +it is an error called a \emph{false negative}; +when the censor accidentally blocks something that it would have preferred to allow, +it is a \emph{false positive}. +Forcing the censor to trade false negative for false positives +is the core of all circumvention that is based on avoiding detection. 
+Understanding the relative importance of +misclassification errors to the censor---knowing +what it prefers to allow and to block---is +important for designing circumvention systems. + \dragons -The purpose of threat modeling is, in my view, -to enable the building of more effective circumvention. -We study censors in order to learn how to defeat them. +Detection ranges from almost trivial to very complicated. + + +detection can be trivial or complicated +can be precomputed +limits on scale may constrin what censors can do + + +``obfuscation'' term is apt. +not reflecting a mindset of security through obscurity; +rather a recognition that it's about making the classification more difficult, +and forcing the censor to trade false positives for false negatives. The censor can block direct access to any destination, so circumvention typically uses, at minimum, some kind of indirect access, such as connecting through a proxy server. -Seen from the censor's point of view, -censorship is a classification problem. -There is some class of traffic that the censor wants to block, -but also there is traffic that the censor prefers not to block---whatever -authority controls the censor must see -\emph{some} benefit to allowing Internet access. -For each packet, stream (or whatever), -the censor must make a decision about whether to block or allow. -Circumvention can be understood as making this classification problem more difficult, -of increasing the cost of misclassifications. -When the censor fails to block something that it would have preferred to block, -it is a misclassification called a \emph{false negative}. -The cost of false negative classifications is an increase -in whatever a censor wishes to suppress through censorship: -for example popular demonstrations, free journalism, -and political organizing. -When the censor blocks something that it would have preferred to allow, -the misclassification is a \emph{false positive}. 
-The cost of false positive misclassifications is a diminishing -in the utility of the Internet: -people and businesses just trying to get on with their work or lives -encounter obstacles, generally decreasing productivity -and other qualities the censor might want to preserve. % paper on costs of shutdowns. -The cost of false positives is so important to circumvention -that researchers have a specialized term for it: collateral damage. -Collateral damage encompasses all the harm suffered by the censor -through inadvertent, ancillary blocking done in the course of censorship. -The term is a bit unfortunate, because it is easily misunderstood. -If circumventors do things right, -the potential ``damage'' is never realized, -because the censor sees the cost as being too great. -Circumventors try to make false positives so expensive -that the censor has no choice but to allow false negatives; -that is, to permit circumvention traffic. - -Early censors (around the time of the late 1990s and early 2000s) -would be considered weak by today's standards. -They were mostly easy to circumvent by simple countermeasures, -such as tweaking a protocol or using an alternative DNS server. -But as censors become more capable, -our models have to evolve to match. -Indeed, my interest in threat modeling -might be described as a sort of meta-modeling, -learning about how threat models change -over time and according to circumstances. +Cite Pfitzmann + Hansen~\cite{Pfitzmann2010a}: undetectability, +unobservability, +unblockability. +Houmansadr?: entanglement. +I prefer to think of it in terms of costs. -It is helpful to categorize the challenges of circumvention -into three parts. +eavesdropper's dilemma~\cite{eavesdroppersdilemma} +(as an example of having an empty sphere of visibility?) +Ignoring the Great Firewall of China~\cite{Clayton2006a}: +detection succeeds but not blocking. +Flakiness of firewalls, etc. 
+``blocking'' include throttling, disruption more generally +detection can include preprocessing + +I find it helpful to break detection into two classes: +detection by content and detection by address. +... The first is blocking by content; that is, by what you say. HTTP request keyword filtering and blocking based on deep packet inspection @@ -320,6 +343,31 @@ Appendix~\ref{sec:list-of-circ} contains a summary of censorship circumvention systems and how they have changed over time in response to changing censorship threats. +This taxonomy of censorship techniques is not the only one possible. +Philipp Winter divides it into three problems~\cite[\S~1.1]{Winter2014c}: +the bootstrapping problem; +the endpoint blocking problem; +and the traffic obfuscation problem. +Khattak, Elahi, et~al.~\cite{Khattak2016a} call these two tasks +``fingerprinting'' and ``direct censorship''; +Tschantz et~al.~\cite{Tschantz2016a} call them +``detection'' and ``action.'' + + +\section{Collateral damage} + +The cost of false positives is so important to circumvention +that researchers have a specialized term for it: collateral damage. +Collateral damage encompasses all the harm suffered by the censor +through inadvertent, ancillary blocking done in the course of censorship. +The term is a bit unfortunate, because it is easily misunderstood. +If circumventors do things right, +the potential ``damage'' is never realized, +because the censor sees the cost as being too great. +Circumventors try to make false positives so expensive +that the censor has no choice but to allow false negatives; +that is, to permit circumvention traffic. + collateral damage not a nice name means the same as ``making the classification problem difficult'' 
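Review bot: The error trade-off is worded in two opposite directions within the added text of the "Principles of circumvention" hunk. The finished paragraph says `Forcing the censor to trade false negative for false positives`, while the notes after `\dragons` say `forcing the censor to trade false positives for false negatives`. Pick one and make it explicit, for example `Forcing the censor to accept false negatives in order to avoid false positives`, since this sentence is the stated core of detection-avoiding circumvention. In the same paragraph `somehow resist the censor's blocking action` should read `by somehow resisting the censor's blocking action` to match `by eluding detection`, and `constrin` in the notes is a typo for `constrain`.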
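Review bot: `call these two tasks` has lost its antecedent in its new position. The sentence before it lists Winter's three problems, and the two functions it means (detection and blocking) are introduced at the top of the chapter, far above this paragraph. Name them in the sentence, e.g. `Khattak, Elahi, et~al.~\cite{Khattak2016a} call detection and blocking ``fingerprinting'' and ``direct censorship'';`. The new `\section{Collateral damage}` here and `\section{Bridge distribution}` in the next hunk get no `\label`, unlike the two chapters labelled elsewhere in this commit.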
@@ -342,8 +390,29 @@ This is an example of a censor having an empty sphere of influence\index{sphere and a nonempty sphere of visibility\index{sphere of visibility (of a censor)}: it can look, but not touch. A real-life example is Toosheh~\cite{toosheh}\ldots (also has receiver anonymity) -eavesdropper's dilemma~\cite{eavesdroppersdilemma} -(as an example of having an empty sphere of visibility?) +Don't need to be vague, saying that there is some communication the censor is unwilling to block. +Make it concrete: this is what collateral damage the censor would have to incur to block this. +If that collateral damage is large, then you win. +Indistinguishability is a means toward increasing collateral damage. +turn your assumptions into testable or quantifiable hypotheses +don't say, "the censor cannot do X"; say, "in order to do X, the censor would have to..." +make the threat models falsifiable: not just assumptions but hypotheses about how the world works (or will work) + + +\section{Bridge distribution} + +Resistance to blocking by address; +obfuscated protocol then prevents blocking by content. + +\begin{itemize} +\item Kaleidoscope~\cite{Sovran2008a,Sovran2008b} +\item Mahdian~\cite{Mahdian2010a} +\item Proximax~\cite{McCoy2011a} +\item rBridge~\cite{Wang2013a} +\item Salmon~\cite{Douglas2016a} +\item Hyphae~\cite{LovecruftDeValence2017a} +\end{itemize} + In the usual threat models, though, the censor is assumed to be quite powerful, capable of dropping, replaying, and forging arbitrary packets, 
@@ -357,14 +426,6 @@ that can inject, but not drop, packets. the very strong threat model may be appropriate for e.g. whitelisting corporate or university censors -Don't need to be vague, saying that there is some communication the censor is unwilling to block. -Make it concrete: this is what collateral damage the censor would have to incur to block this. -If that collateral damage is large, then you win. -Indistinguishability is a means toward increasing collateral damage. -turn your assumptions into testable or quantifiable hypotheses -don't say, "the censor cannot do X"; say, "in order to do X, the censor would have to..." -make the threat models falsifiable: not just assumptions but hypotheses about how the world works (or will work) - address blocking content blocking (could also separate out e.g. timing (and something else? check Khattak2016a)) @@ -386,13 +447,6 @@ Traffic transformation look like nothing and look like something Psiphon anecdote about prepending HTTP to obfssh -This taxonomy of censorship techniques is not the only one possible. -Philipp Winter, in his Ph.D. thesis~\cite[\S~1.1]{Winter2014c}, -divides it into three problems: -the bootstrapping proble; -the endpoint blocking problem; -and the traffic obfuscation problem. - depending on physical aspects of networks Denali @@ -412,6 +466,17 @@ Censors may come to conclusions different than what we expect \section{Early censorship and circumvention} +Early censors (around the time of the late 1990s and early 2000s) +would be considered weak by today's standards. +They were mostly easy to circumvent by simple countermeasures, +such as tweaking a protocol or using an alternative DNS server. +But as censors become more capable, +our models have to evolve to match. +Indeed, my interest in threat modeling +might be described as a sort of meta-modeling, +learning about how threat models change +over time and according to circumstances. + \cite{Clayton2006a} \cite{Clayton2006b} Thailand (1996, first?) 
@@ -899,7 +964,7 @@ and the web servers of popular Chinese web sites. There were frequent failures of the firewall resulting in temporary connectivity, typically lasting in bursts of hours. -In 2015, Marczak et~al.~\cite{Marczak2015a} +In 2015, Marczak et~al.~\cite{Marczak2015a-local} investigated an innovation in the capabilities of the border routers of China, an attack tool dubbed the ``Great Cannon.'' @@ -1184,7 +1249,7 @@ Today, meek is Tor's second-most-used transport, carrying around 10 terabytes of user traffic each month. Domain fronting appeared in the 2015 research paper -``Blocking-resistant communication through domain fronting''~\cite{Fifield2015a}, +``Blocking-resistant communication through domain fronting''~\cite{Fifield2015a-local}, which I coauthored with Chang Lan, Rod Hynes, Percy Wegmann, and Vern Paxson. @@ -1198,7 +1263,7 @@ of four noteworthy circumvention designs: \begin{itemize} \item Flash proxy~\cite{Fifield2012a}, based on temporary proxies running in web browsers. \item OSS~\cite{Fifield2013a}, using third-party web scanning services. -\item Domain fronting~\cite{Fifield2015a}, using popular web services for cover. +\item Domain fronting~\cite{Fifield2015a-local}, using popular web services for cover. \item Snowflake~\cite{snowflake-wiki,FifieldGilEpnerWebRTC} (in progress), based on peer-to-peer proxies in web browsers; flash proxy redux. \end{itemize} These have evolved according to the needs of the time @@ -1423,12 +1488,12 @@ what's used and what's not used WebRTC fingerprinting -\section{How does it end?} +% \section{How does it end?} -Probably the circumstances of the world change -and make irrelevant this field of study. -How can we reach that moment favorably? -(Spend the war winning, not losing.) +% Probably the circumstances of the world change +% and make irrelevant this field of study. +% How can we reach that moment favorably? +% (Spend the war winning, not losing.) \backmatter