diff --git a/local.bib b/local.bib index 6fc4e45..b96ed38 100644 --- a/local.bib +++ b/local.bib @@ -64,18 +64,6 @@ url = {https://opennet.net/research/profiles/iran}, } -% https://events.ccc.de/congress/2006/Fahrplan/track/Society/1473.en.html -% has a dead link to Devtarget.org and "Sebastian's full master thesis." -% Alternate URL: http://www.security-science.com/pdf/investigating-large-scale-internet-content-filtering.pdf -@mastersthesis{Wolfgarten2006a, - author = {Sebastian Wolfgarten}, - title = {Investigating large-scale {Internet} content filtering}, - school = {Dublin City University}, - month = aug, - year = 2006, - url = {http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.133.5778&rep=rep1&type=pdf}, -} - @misc{meek-wiki, title = {meek}, key = {meek}, diff --git a/thesis.tex b/thesis.tex index 31f1842..9aa2f0c 100644 --- a/thesis.tex +++ b/thesis.tex @@ -10,6 +10,7 @@ \usepackage{graphicx} \usepackage{makeidx} \usepackage{microtype} +\usepackage{todonotes} % http://grad.berkeley.edu/academic-progress/dissertation/: % "Margins: For the manuscript material, including headers, footers, tables, @@ -392,6 +393,10 @@ Gabi Nakibly and Dan Boneh. \chapter{Principles of circumvention} \label{chap:principles} +\begin{itemize} +\item Look like something / look like nothing +\end{itemize} + In order to understand the challenges of circumvention, it helps to put yourself in the mindset of a censor. A censor has two high-level functions: detection and blocking. 
@@ -579,6 +584,23 @@ It is not necessary to fully reach this ideal before circumvention becomes possible. Better obfuscation drives up the censor's error rate and therefore the cost of any blocking. +Ideally, the potential ``damage'' is never realized, +because the censor sees the cost as being too great. + +Collateral damage, being an abstract ``cost,'' can take many forms. +It may come in the form of civil discontent, +as people try to access web sites and get +annoyed with the government when unable to do so. +It may be reduced productivity, +as workers are unable to access resources they +need to to their job. +This is the usual explanation for why the +Great Firewall of China has never blocked GitHub +for long\todo{when and how long?}, +despite GitHub's hosting and distribution +of circumvention software: +GitHub is so deeply integrated into software development, +that programmers are not able to work when it is blocked. Collateral damage, as with other aspects of censorship, cannot be understood in isolation, 
@@ -599,44 +621,134 @@ then yes, the collateral damage is likely to be high. But if not, then the censor could take or leave those hundred sites---it doesn't matter. -\dragons - -If circumventors do things right, -the potential ``damage'' is never realized, -because the censor sees the cost as being too great. -Circumventors try to make false positives so expensive -that the censor has no choice but to allow false negatives; -that is, to permit circumvention traffic. - -false positive and false negative costs---circumventor's tactic is -to bind FPs and FNs tightly together. -underlies all circumvention according to the usual threat models -(maybe not, in cases where censor can observe, but not influence) -even look-like-something, stego transports ultimately depend on collateral damage -(lengthy explanation and examples) - -Don't need to be vague, saying that there is some communication the censor is unwilling to block. -Make it concrete: this is what collateral damage the censor would have to incur to block this. -If that collateral damage is large, then you win. -Indistinguishability is a means toward increasing collateral damage. -turn your assumptions into testable or quantifiable hypotheses -don't say, "the censor cannot do X"; say, "in order to do X, the censor would have to..." -make the threat models falsifiable: not just assumptions but hypotheses about how the world works (or will work) - -real shutdowns not a paradox -paper on costs of shutdowns. - -I believe that collateral damage provides a more productive way -to think about the limitations of censors. -...what's more, it is defined relative to a specific censor's -resources and motivations, -rather than being ``unblockable'' in absolute terms. -Cite Pfitzmann + Hansen~\cite{Pfitzmann2010a}: undetectability, -unobservability, -unblockability. -Houmansadr?: entanglement. -someone?: deniability -I prefer to think of it in terms of costs. 
+Censors may take actions to reduce collateral damage +while still blocking most of what they intend to. +(Another way to think of it is: +reducing false positives without reducing false negatives.) +For example, it has been repeatedly documented---by +Clayton et~al.~\cite{Clayton2006a}, +Winter and Lindskog~\cite{Winter2012a}, +and Fifield and Tsai~\cite{Fifield2016a}, +for example---that the Great Firewall +prefers to block individual ports (or a small range of ports), +rather than blocking an entire IP address, +probably in a bid to reduce collateral damage. +In \autoref{chap:domain-fronting} we will see a system +whose blocking resistance is based on widely used web services---the +argument is that to block the circumvention system, +the censor would have to block the entire web service. +However this argument requires that the circumvention system's +use of the web service be indistinguishable from other uses---otherwise +the censor may selectively block only the connections used for circumvention. +Local circumstances may serve to reduce collateral damage: +for example if a domestic replacement exists +for a foreign service, the censor may block +the foreign service more easily. + +The censor's reluctance to cause collateral damage +is what makes circumvention possible in general. +(There are some exceptions, +discussed in the next section, +where the censor can detect but is not capable of blocking.) +To deploying a circumvention system is to make a bet: +that the censor cannot field a classifier +that adequately distinguishes traffic of the circumvention system +from other traffic which, if blocked, +would result in collateral damage. +Even steganographic circumvention channels that mimic some other protocol +ultimately derive their blocking resistance from a collateral damage argument: +that the censor feels that to block that other protocol +would result in too much damage to be worth it. 
+For example, a circumvention protocol that imitates HTTP +can be blocked by blocking HTTP---the question then +is whether the censor can afford to block HTTP. +And that's in the best case---assuming the circumvention protocol has no ``tell'' +that enables the censor easily to distinguish it from the cover protocol +it is trying to imitate. +Indistinguishability is a necessary but not sufficient condition +for blocking resistance: +that which you are trying to be indistinguishable from must also +have sufficient collateral damage. +It's of no use to have a perfect steganographic of a protocol +that the censor doesn't mind blocking. + +In my opinion, collateral damage provides a more productive way +to think about the behavior of censors +than do alternatives. +Is is able to take into account different censors' +differing resources and motivations, +and so is more useful for generic modeling. +Moreover, it gets to the heart of what makes +traffic resistant to blocking. +There have been many other attempts at +defining resistance to blocking. +Pfitzmann and Hansen~\cite{Pfitzmann2010a}, +in a work that aimed to define various terms in anonymity and +censorship resistance, +gave the three notions of +``undetectability,'' +``unobservability,'' and +``unblockability.''\todo{define these} +Narain et~al.~\cite{Narain2014a} +characterized the essential component as being +``deniability,'' +meaning that a user could plausibly claim to have been doing +something other than circumventing when confronted with a +log of their network activity. +Zhou et~al.~\cite{Zhou2013a} +used the term ``entanglement,'' +which inspired a lot of my own thinking. +What they call entanglement I think of as +indistinguishability, +and keep in mind that that which you are trying to be indistinguishable with +has to be something valued by the censor. +Collateral damage provides a way to make statements +about censorship resistance quantifiable, at least in a loose sense. 
+Rather than saying, ``the censor cannot block $X$,'' +or even, ``the censor is unwilling to block $X$,'' +it is better to say ``in order to block $X$, the censor would have to do $Y$,'' +where $Y$ is some action bearing a cost for the censor. +A statement like this makes it clear that some censors may be able to afford +the cost of doing $Y$ and others may not; +there is no ``unblockable'' in absolute terms. +Now, actually quantifying the value of $Y$ is a task in itself, +by no means a trivial one. +The state of research in this field is still far from being able to assign +actual numbers (e.g. in terms of dollars) to costs as perceived by censors. +If a circumvention system becomes blocked, it may simply mean +that the circumventor overestimated the collateral damage or +underestimated the censor's capacity to absorb it. + +We have observed that the risk of collateral damage is +what prevents the censor from shutting down the network completely---and +yet, censors \emph{do} occasionally do complete shutdowns. +In fact the practice is increasing; +\todo{someone} reported \todo{some number} +of shutdowns in 2016. +This does not necessarily contradict +the theory of collateral damage. +Shutdowns are indeed costly---\todo{someone} +estimated that shutdowns cost \todo{some amount}. +It is just that, in some cases, +the calculus works out that the harm caused by a shutdown +does not outweigh (in the censor's mind) +the benefits of blocking access. +As always, the outcome depends on the specific censor: +censors that don't benefit as much from the Internet +don't have as much to lose by blocking it. +The fact that shutdowns or ``curfews'' are limited in duration +shows that even censors that can afford to do a total shutdown cannot +afford to do it forever. + +Complicating everything is the fact that censors +are not bound to act rationally. 
+Like any other large, +complex entity, +a censor is prone to err, +to act impetuously, +to make decisions that cause more harm than good. +One might even say that the very decision to censor +is exactly such an irrational decision, at the greater societal level. \section{Spheres of influence and visibility}
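Review bot: the local.bib hunk deletes the Wolfgarten2006a entry, but no corresponding removal of a \cite{Wolfgarten2006a} appears anywhere in the thesis.tex hunks of this patch, so a dangling citation key would surface only as an undefined-citation warning at build time; please confirm with a grep for the key before merging, and if the entry is being dropped because of the dead link, note that the deleted comment itself lists a working alternate URL that could have been swapped in instead.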
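Review bot: adding \usepackage{todonotes} directly above the comment that quotes the Berkeley margin requirements is worth a second look, because todonotes places its notes in the margin by default and the notes added elsewhere in this patch will be typeset there; for submission builds, load it as \usepackage[disable]{todonotes} (or switch the notes to \todo[inline]{...}) so the placeholders cannot end up in the rendered PDF or violate the margin rules.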
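Review bot: the itemize block "Look like something / look like nothing" inserted at the top of \chapter{Principles of circumvention} is an outline placeholder rather than prose, yet unlike the other placeholders in this patch it is not wrapped in \todo{}, so the todonotes list will not track it and it could survive into the final text; suggest \todo[inline]{Look like something / look like nothing} or a comment until the section is written.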
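Review bot: in the @@ -579 hunk, "as workers are unable to access resources they need to to their job" should read "need to do their job"; also, the new block ends with "that programmers are not able to work when it is blocked." immediately followed by the unchanged context line "Collateral damage, as with other aspects of censorship," with no blank line between them, so the added sentences appear to run into the existing paragraph, and the inline \todo{when and how long?} on the GitHub claim still needs a citation before the claim is stated as fact.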
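Review bot: several grammar slips in the @@ -599 hunk should be fixed before this lands: "To deploying a circumvention system is to make a bet" (should be "To deploy"), "Is is able to take into account" (should be "It is able"), "a perfect steganographic of a protocol" is missing its noun (for example "steganographic imitation of a protocol"), "enables the censor easily to distinguish it" reads better as "enables the censor to easily distinguish it", and "For example, it has been repeatedly documented---by ... and Fifield and Tsai~\cite{Fifield2016a}, for example---" uses "for example" twice in one sentence. Separately, the shutdown paragraph rests on four \todo placeholders (\todo{someone} reported \todo{some number} of shutdowns in 2016; \todo{someone} estimated that shutdowns cost \todo{some amount}), so the claim that "the practice is increasing" and the cost estimate are currently unsupported; either supply the citations now or mark the whole paragraph as draft so it is not read as established.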