Schneier on Security
A blog covering security and security technology.
« Hacking Scratch Lottery Tickets |
| Julian Sanchez on Balancing Privacy and Security »
February 11, 2011
How Feed-Over-Email Circumvents Chinese Censorship
Neat article, both the technology and the hacker who created it.
Posted on February 11, 2011 at 7:05 AM
• 20 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Seems to me this technology could be defeated by a country simply by filtering all email and attempting to detect the encryption. In other words, if an email is encrypted (and perhaps not being addressed to someone who has authorization to use encryption), block it. I don't see why a deep packet filter can't do these things if a country wants them to. It would be a major hassle and require a lot of resources, but couldn't it be done?
Now that this technology has surfaced, it shouldn't take long to defeat it or most certainly, make it more difficult to use. We keep forgetting that all of this stuff evolves over time, and sometimes it even comes back to bite you much later. I wonder what new technologies IPV6 will spawn for this type of activity?
Richard Steven Hack:
I suppose that's why this system relies on "foreign" email providers, and encrypted connections to them; email doesn't cross borders except for on the final hop to the end user.
But on the other hand, if one is willing to block encrypted POP/IMAP entirely...
Wow. alt.binaries.encrypted over majordomo. The more technologies progress...
I wonder how the likes of Australia will respond to this :-)
Also, would the US Government be so proud of it as a concept if it had been used to feed diplomatic cables to Wikileaks...
Although on a more sensible note, I agree with Paul and it is nice to see old concepts re-discovered.
Feed over Email does not require SSL by default. If users do not configure it to use an SSL email server, they will receive the feed in the clear.
Worse, messages from the FOE server are not authenticated and written to the user's disk. This could make FOE vulnerable to malicious spoofed messages.
See the project and source here:
Frankly I think this is a no-go stuff.
It could be beneficial when used by small group to exchange data but I would expect it be defeated quickly if it is being used by broader audience.
A good spam filter could just flagged these messages as spams and on the other hand, this technique can be used to deliver spams to certain people; finally, the fact that it requires special decrypting software would expose more attack surface to those who installed the software.
It remembers me the old FTPmail programs. I think it can be very effective: in fact it's a covert channel in a legitimate channel that the government cannot close. The key is that as long as news are text, it requires very little bandwidth, so the text can be hidden very effectively. It's a lot different than trying to hide browsing activities. With a bit of steganography (again, especially for text, that requires so little bandwidth), the encrypted text wouldn't be noticeable by the filters. Also, if a reader could get a "personalized" steganography key, even when the mechanism is discovered, the filters wouldn't be able to detect which messages carries a forbidden payload.
Although someone will probably come up with a technique to block or cripple such feeds, the positive thing is that there is yet another technique to circumvent internet censorship, which for all practical purposes is a good thing.
It would seem that at least some folks take it seriously as the Google FOE project URL is not accessible from within Iran. For something similar, check out www.mailmyweb.com .
Aaaaargh ! Windows C# code only. Anybody tried compiling it under Mono ?
The answer is yes, this technology can be easy defeated by a good content filter ( who treat these messages simply as spam ) or a packet filter. As known, Skype is one of the most hard applications to be blocked, it easily circumvents content and packet filters, but with a little effort, I have instructed my packet filters to apply a simple and extremly efficient strategy, when my packet filter see a Skype packet, it cut off from the Internet the machine who send it for 4 hours. Users, when starts to understand that Skype was the culprit of this malfunction, simply ceased to use it. So, with no effort, I have hit the target ... so can you imagine what a government can do ? I think that temporarly the FoE tech had surprised censors, but FoE can be considered too weak and it's only a matter of time until be defeated. Maybe, the "old and gold" steganography can be considered more useful, because also if censors discovered the algo it can be changed, so censors must to commit more resources every time until these commitments will be economically or technically unsustainables ...
"...The client and mail server have to be encrypted to bypass the..."
I do not understand why ANY email is still unencrypted; at least since RSA's patent expired.
My understanding is that China's internet censorship system really isn't that robust. There were already numerous technical ways around it. If this makes things easier, great. But it never was unbreakable, and never needed to be to keep the majority of citizens reading what the leadership wants.
@original bob: One reason why my email is unencrypted is that I want my recipients to be able to read it. While some of my friends are very computer-savvy, not all are, and my family tends not to be.
For encryption to work, all the popular email programs would have to support it, and transparently generate and handle key pairs. They would have to work properly with multiple recipients and mailing lists, including group replies. So far, there hasn't been the demand.
One reason why not blocking the encrypted e-mails: you need the traffic for your agents using different nicknames and free mail services, not only the government ones, sniffed by the enemies 8-)
in case you put them on a white list...
Ultimately you can do mimic ciphers, which is pretty much what the best spambots do already. If you personalize those just a bit, it's going to be very hard to distinguish between those and "legitimate" messages.
I'm reading so much silly talk here...
This is basically encapsulating RSS in other protocols - mail (over SSL Web/POP/IMAP whatever). Because this is so commonly encrypted and the decryption software - SSL - is built into standard browsers and mail clients, users have a plausible reason to be using encryption.
Deep packet inspection won't work because of the encryption. Only option for the eavesdropper is to then to block anything that isn't cleartext, which means blocking a lot of services and is not without solutions either.
But seriously, what has spam filtering got to do with anything? The mail server is in a friendly country.
So much nonsense.
How to get the completed source of FOE? I have get your FOE source files at http://code.google.com/p/foe-project/
. but when i compile the
solution with Visual Studio 2010, it show a fail message "not found
..\foe\AddFeed.cs". Is the AddFeed.cs neccessary? How to get this
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.