Bruce Schneier
Schneier on Security
A blog covering security and security technology.

February 11, 2011

How Feed-Over-Email Circumvents Chinese Censorship

Neat article, both the technology and the hacker who created it.

Posted on February 11, 2011 at 7:05 AM • 20 Comments

Seems to me this technology could be defeated by a country simply by filtering all email and attempting to detect the encryption. In other words, if an email is encrypted (and perhaps not being addressed to someone who has authorization to use encryption), block it. I don't see why a deep packet filter can't do these things if a country wants them to. It would be a major hassle and require a lot of resources, but couldn't it be done? Thoughts?
Posted by: Richard Steven Hack at February 11, 2011 8:26 AM

Funny, it seems it's the method used by RMS to browse the web:
Posted by: Aissen at February 11, 2011 8:47 AM

Now that this technology has surfaced, it shouldn't take long to defeat it or most certainly, make it more difficult to use. We keep forgetting that all of this stuff evolves over time, and sometimes it even comes back to bite you much later. I wonder what new technologies IPV6 will spawn for this type of activity?
Posted by: kashmarek at February 11, 2011 8:48 AM

Richard Steven Hack: I suppose that's why this system relies on "foreign" email providers, and encrypted connections to them; email doesn't cross borders except for on the final hop to the end user. But on the other hand, if one is willing to block encrypted POP/IMAP entirely...
Posted by: magetoo at February 11, 2011 9:05 AM

@magetoo I don't think blocking just POP/IMAP will do it... Now, a few countries have already figured this one out. India's tried to block it.
Internet access, enterprise push e-mail, and messenger, securely proxied through Canadian servers:
Posted by: Seiran at February 11, 2011 10:20 AM

Wow. alt.binaries.encrypted over majordomo. The more technologies progress...
Posted by: paul at February 11, 2011 11:30 AM

I wonder how the likes of Australia will respond to this :-) Also, would the US Government be so proud of it as a concept if it had been used to feed diplomatic cables to Wikileaks... Although on a more sensible note, I agree with Paul and it is nice to see old concepts re-discovered.
Posted by: GreenSquirrel at February 11, 2011 11:33 AM

Feed over Email does not require SSL by default. If users do not configure it to use an SSL email server, they will receive the feed in the clear. Worse, messages from the FOE server are not authenticated and written to the user's disk. This could make FOE vulnerable to malicious spoofed messages. See the project and source here:
Posted by: Steve Weis at February 11, 2011 3:00 PM

Frankly I think this is a no-go stuff. It could be beneficial when used by a small group to exchange data but I would expect it to be defeated quickly if it is being used by a broader audience. A good spam filter could just flag these messages as spam and on the other hand, this technique can be used to deliver spam to certain people; finally, the fact that it requires special decrypting software would expose more attack surface to those who installed the software.
Posted by: Xin LI at February 11, 2011 7:00 PM

It reminds me of the old FTPmail programs. I think it can be very effective: in fact it's a covert channel in a legitimate channel that the government cannot close. The key is that as long as the news is text, it requires very little bandwidth, so the text can be hidden very effectively. It's a lot different than trying to hide browsing activities.
With a bit of steganography (again, especially for text, that requires so little bandwidth), the encrypted text wouldn't be noticeable by the filters. Also, if a reader could get a "personalized" steganography key, even when the mechanism is discovered, the filters wouldn't be able to detect which messages carry a forbidden payload.
Posted by: claudio at February 12, 2011 4:58 AM

Although someone will probably come up with a technique to block or cripple such feeds, the positive thing is that there is yet another technique to circumvent internet censorship, which for all practical purposes is a good thing. It would seem that at least some folks take it seriously as the Google FOE project URL is not accessible from within Iran. For something similar, check out www.mailmyweb.com.
Posted by: Dirk Praet at February 12, 2011 9:50 AM

Aaaaargh! Windows C# code only. Anybody tried compiling it under Mono?
Posted by: Dirk Praet at February 12, 2011 9:58 AM

The answer is yes, this technology can be easily defeated by a good content filter (which treats these messages simply as spam) or a packet filter. As known, Skype is one of the hardest applications to block, it easily circumvents content and packet filters, but with a little effort, I have instructed my packet filters to apply a simple and extremely efficient strategy: when my packet filter sees a Skype packet, it cuts off from the Internet the machine that sent it for 4 hours. Users, when they started to understand that Skype was the culprit of this malfunction, simply ceased to use it. So, with no effort, I have hit the target ... so can you imagine what a government can do? I think that temporarily the FoE tech had surprised censors, but FoE can be considered too weak and it's only a matter of time until it is defeated.
Maybe the "old and gold" steganography can be considered more useful, because even if censors discovered the algo it can be changed, so censors must commit more resources every time until these commitments will be economically or technically unsustainable ...
Posted by: ElQhawaq at February 13, 2011 3:15 AM

"...The client and mail server have to be encrypted to bypass the..." I do not understand why ANY email is still unencrypted; at least since RSA's patent expired.
Posted by: bob (the original bob) at February 14, 2011 6:56 AM

My understanding is that China's internet censorship system really isn't that robust. There were already numerous technical ways around it. If this makes things easier, great. But it never was unbreakable, and never needed to be to keep the majority of citizens reading what the leadership wants.
Posted by: Fnord at February 14, 2011 7:58 AM

@original bob: One reason why my email is unencrypted is that I want my recipients to be able to read it. While some of my friends are very computer-savvy, not all are, and my family tends not to be. For encryption to work, all the popular email programs would have to support it, and transparently generate and handle key pairs. They would have to work properly with multiple recipients and mailing lists, including group replies. So far, there hasn't been the demand.
Posted by: David Thornley at February 14, 2011 12:46 PM

One reason for not blocking the encrypted e-mails: you need the traffic for your agents using different nicknames and free mail services, not only the government ones, sniffed by the enemies 8-)
Posted by: zoli at February 15, 2011 3:53 PM

Ultimately you can do mimic ciphers, which is pretty much what the best spambots do already. If you personalize those just a bit, it's going to be very hard to distinguish between those and "legitimate" messages.
Posted by: paul at February 16, 2011 1:12 PM

I'm reading so much silly talk here...
This is basically encapsulating RSS in other protocols - mail (over SSL Web/POP/IMAP whatever). Because this is so commonly encrypted and the decryption software - SSL - is built into standard browsers and mail clients, users have a plausible reason to be using encryption. Deep packet inspection won't work because of the encryption. The only option for the eavesdropper is then to block anything that isn't cleartext, which means blocking a lot of services and is not without solutions either. But seriously, what has spam filtering got to do with anything? The mail server is in a friendly country. So much nonsense.
Posted by: Marc at March 7, 2011 8:05 PM

How to get the completed source of FOE? I have got your FOE source files at http://code.google.com/p/foe-project/
Posted by: How to get the completed source of FOE? at April 7, 2011 3:52 AM