
Turkey Moves To Block Twitter At The IP Level - sgy
http://techcrunch.com/2014/03/22/turkey-moves-to-block-twitter-at-the-ip-level/
======
jrockway
That's easy to fix, Twitter sets their TTL to 5 minutes and changes their
frontend address every 5 minutes.

Now if they block Google Public DNS, that's a problem, but again, that
involves very carefully tweaking route advertisements (since it's anycast).
You can also always grab the DNS record out of the root nameservers.

Ultimately, filtering the Internet only works if you filter _all_ of the
Internet.

~~~
mrtksn
They should be able to watch Twitter's frontend address and ban it
accordingly.

Right now the solutions are VPN, Tor and Opera Mini-style proxy services. It's
expected that they may go after these too. AFAIK the law requires ISPs to
take measures against censorship avoidance methods.

The PM acts against the social media as if it's an existential threat for him.

I am not sure if he rationally calculates these actions or he just can't
handle any speech that is not controlled directly by him (as the leaks
indicate, he practically controlled the traditional media for years since).

~~~
jrockway
_They should be able to watch Twitter's frontend address and ban it
accordingly._

It's the government. First they'll have to write a contract. Then they'll have
to solicit bids. Then...

Meanwhile, Twitter has highly-experienced software engineers and system
administrators on staff.

~~~
egeozcan
Turkish government is not a typical government in that regard. It's more like
an oligarchy where some chosen people can get things done with a simple call
in minutes. An example: There is a "Ministry of Telecommunication and
Communication" (TİB) and the president of TİB, solely by his own will, can
shut down web sites within 4 hours.

~~~
jrockway
Not if the people he calls have to do something new. DNS blocks are easy.
Weathering an active attack might be harder. The question is how far Twitter
wants to escalate.

~~~
capecodcarl
If people keep pushing it with VPNs and censorship avoidance they'll just push
Turkey to switch to a whitelisted Turkey-approved Internet and block
everything else by default. It's much easier to maintain a whitelist of
approved sites when you're censoring people than try to play whack-a-mole and
block things that you don't like.

------
diorray
They even blocked DNS servers... Sadly, Erdogan thinks that if people can't
access Twitter, they can't access the corruption tapes.

~~~
sitkack
The Turks are very sophisticated, it might stop the rurals from getting to
Twitter but not people in the cities.

~~~
sitkack

      * https://www.torproject.org/download/download
      * https://www.privateinternetaccess.com/
    

They would have to block every VPN provider on the planet.

~~~
johnpowell
A good friend of mine is in Turkey. I just fired up a few droplets on Digital
Ocean for his friends and family to use as VPNs.

It only takes about ten minutes per VPS to set everything up.

~~~
sitkack
I was in Istanbul, southern, central and eastern Turkey over six weeks during
the protests, wonderful people everyone.

~~~
m00dy
yes we are :)

------
czbond
Usually you can get around proxy and firewall blocks of IP addresses by using
the decimal equivalent... for instance, here is the decimal version of the IP
address for Google: [http://74.125.224.72/](http://74.125.224.72/)
[http://1249763400](http://1249763400)

~~~
ffk
While this works with many basic firewalls, this does not work at the IP
routing level.

The IP address is in a binary format long before it hits the routing tables on
the Internet.

[edit: cleaning up wording]
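
The two comments above, as an added example that is not part of the original thread: a filter that compares host strings misses the decimal form, while one that first canonicalises IPv4 literals to the 32-bit address does not. The function names and the blocklist are assumptions made for illustration; the address is the one quoted in the post.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// parsePart reads one component as inet_aton does: 0x = hex, leading 0 = octal.
func parsePart(s string) (uint64, bool) {
	base := 10
	if strings.HasPrefix(strings.ToLower(s), "0x") {
		base, s = 16, s[2:]
	} else if len(s) > 1 && s[0] == '0' {
		base, s = 8, s[1:]
	}
	v, err := strconv.ParseUint(s, base, 32)
	return v, err == nil
}

// CanonicalIPv4 turns any inet_aton-style literal (a.b.c.d, a.b.c, a.b or a
// single number) into dotted-quad form; ok is false for hostnames and junk.
func CanonicalIPv4(host string) (string, bool) {
	parts := strings.Split(host, ".")
	var addr uint64
	for i, p := range parts {
		v, ok := parsePart(p)
		limit, shift := uint64(256), uint(8*(3-i))
		if i == len(parts)-1 { // the final part fills all remaining bytes
			limit, shift = uint64(1)<<uint(8*(4-i)), 0
		}
		if len(parts) > 4 || !ok || v >= limit {
			return "", false
		}
		addr |= v << shift
	}
	return fmt.Sprintf("%d.%d.%d.%d", addr>>24, addr>>16&255, addr>>8&255, addr&255), true
}

// Blocked reports whether host, in any literal form, is on a dotted-quad blocklist.
func Blocked(host string, blocklist map[string]bool) bool {
	ip, ok := CanonicalIPv4(host)
	return ok && blocklist[ip]
}

func main() {
	list := map[string]bool{"74.125.224.72": true} // constructed blocklist
	fmt.Println("string match:", list["1249763400"], "canonical match:", Blocked("1249763400", list))
}
```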

------
peterkelly
So here's an idea that's been forming in my head over the last few days - a
distributed version of Twitter.

The problem with Twitter as it currently stands is that it relies on a
centralised server (well, servers). That's easy to block, or legally compel to
remove content. Imagine instead that every user on Twitter had their own
"stream" replicated on both their own computer and those of all of their
followers. If you choose to follow someone, you get access to their stream
either directly from the person themselves, or any of their other followers.

This would partition the system according to popularity. The more followed a
person is, the more replicas of their tweet stream available. When someone
retweets something, it appears in their own stream, so retweets benefit from
this replication. Any tweets that are particularly important and popular would
be virtually impossible to suppress.

To prove that tweets had originated from a particular user, every user would
have a public/private key pair generated when they first begin using the
system, and all tweets would carry an associated cryptographic signature.
"Registering" for the system would be a matter of generating an identity using
a key pair and a username. Clashes and impersonation of usernames are something
I haven't yet thought of a solution to, though usernames would be for display
purposes only; the real identity would be the public key.

Replica discovery is another challenge, but there's much in the existing P2P
literature and practice (esp. BitTorrent) that could possibly be of help here.

As far as business models are concerned, Twitter's current one wouldn't work,
as it relies on the centralised nature of the system. However it would be
possible for developers of individual clients to make money by providing
various value-adds, and these could co-exist with open source clients.

Thoughts?

Side note: There seems to be a bug in the comments system where the last
paragraph is omitted. Is anyone else experiencing this?

Extra last paragraph
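
The signing scheme proposed in the post above, as an added example that is not part of the original post or of any existing system: each stream entry is signed with Ed25519 and a follower verifies a stream fetched from an untrusted replica against the followed public key. The `Post` layout, the `Seq` counter and the payload encoding are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// Post: Author (the public key) is the identity; no username is signed.
type Post struct {
	Author ed25519.PublicKey
	Seq    uint64 // position in the author's stream (assumed field)
	Text   string
	Sig    []byte
}

// NewIdentity generates a key pair, which is all "registering" amounts to.
func NewIdentity() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	return pub, priv
}

// payload is the signed byte string: hex(author)|seq|text, with text last.
func payload(p Post) []byte {
	return []byte(fmt.Sprintf("%x|%d|%s", p.Author, p.Seq, p.Text))
}

// NewPost signs a post with the author's private key.
func NewPost(priv ed25519.PrivateKey, seq uint64, text string) Post {
	p := Post{Author: priv.Public().(ed25519.PublicKey), Seq: seq, Text: text}
	p.Sig = ed25519.Sign(priv, payload(p))
	return p
}

// VerifyStream is run by a follower on a stream fetched from any replica:
// posts must be signed by the followed key and numbered 0,1,2,...
func VerifyStream(followed ed25519.PublicKey, posts []Post) bool {
	for i, p := range posts {
		if len(followed) != ed25519.PublicKeySize || !bytes.Equal(p.Author, followed) ||
			p.Seq != uint64(i) || !ed25519.Verify(followed, payload(p), p.Sig) {
			return false
		}
	}
	return true
}

func main() {
	pub, priv := NewIdentity()
	fmt.Println("intact stream verifies:", VerifyStream(pub, []Post{NewPost(priv, 0, "hi")}))
}
```

A replica that edits a post, injects one signed by another key, or drops one from the middle of the stream fails this check; withholding the newest posts is not detectable from the stream alone.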

~~~
nknighthb
The first time you have to say "key" to an end-user, you have lost. Key
management (including, critically, movement between devices) is the primary
reason email encryption is rare.

(And if the solution to key management involves letting a website deal with
it, you've just invited re-centralization of the system, since users are going
to gravitate to the service everyone else uses, not set up their own server.)

~~~
etherael
That doesn't necessarily mean you've lost, take cryptocurrencies for example.
Yes you can manage your own keys as an end user for your cryptocurrency
holdings, but as you say most end users will prefer to work through a third
party that will handle the complexities of key management for them.

The trick is though that there can be an infinite amount of third parties all
engaged in competition with each other and the end users just participate in
that market like they would any other.

OP's suggestion may well work the same way, certain end users could choose to
handle their own key management, and there could be third parties that handle
it for those that prefer not to. As long as the space for those third parties
is infinite and end users can opt to handle key management themselves, it's
still a decentralised solution.

~~~
nknighthb
This is not a technical problem. It is a human problem, and humans don't act
like you want them to. There would emerge a handful of large, popular, simple,
easy-to-use central sites. A rogue regime can block them just as easily as it
just blocked Twitter.

When it takes hours, days, or weeks for new moles to pop up, and they
necessarily _stay_ up, Whack-A-Mole is easy. And as sites keep getting
whacked, people will lose the motivation to move on to yet another new site,
learn its quirks, and rebuild their network.

Twitter is a powerful tool of dissent precisely because _everyone_ uses it.
It's not limited to the technically sophisticated and/or motivated activists.
Activists need access to regular people, and they won't have it on a network
that's painful and annoying to use.

~~~
etherael
A competitive market of third party providers on a peer to peer based social
media platform can be both easy to use and impossible to censor. Censorship
resistance becomes just another thing on the shopping list for third party
providers, those that can do it best get the largest amount of users. The more
censorship becomes a problem, the more value there is in services that resist
it.

~~~
nknighthb
Ordinary people do not do their "shopping" based on censorship resistance,
_and they never will_. You're thinking like an activist, you need to think
like an apathetic layman, because that's what the vast majority of human
beings are. They simply _do not care_ about the same things you do, and you
can't force them to until their lives are _directly_ impacted.

If you want to help ordinary people get around censorship, go help the Tor
project. It actually works, because it's compatible with human nature. It
provides a simple, largely transparent tool that people can insert into their
existing, normal habits, and it provides a basis on which the technically
sophisticated can build even better tools in the form of hidden services that
users can interact with exactly as they interact with their existing,
non-resistant tools.

~~~
etherael
> The more censorship becomes a problem, the more value there is in services
> that resist it.

That is, normal people can be negatively affected by state actions and
censorship too, at the point that it _is_ a problem, why would those ordinary
people _not_ do their shopping based on censorship resistance?

> If you want to help ordinary people get around censorship, go help the Tor
> project. It actually works, because it's compatible with human nature. It
> provides a simple, largely transparent tool that people can insert into
> their existing, normal habits, and it provides a basis on which the
> technically sophisticated can build even better tools in the form of hidden
> services that users can interact with exactly as they interact with their
> existing, non-resistant tools.

This is decent advice, but just serves to make my point all the more;
Censorship resistance is becoming a problem in Turkey, people start using Tor.
If the aforementioned peer to peer based social media platform actually
existed, they would start using whatever service best evaded the censorship
they're railing against now via Tor.

Since we have Tor already, why bother with such a platform? Because despite
Tor, the platform itself could be hijacked and Tor would not assist in
censorship resistance in this scenario. Twitter might be happy to tell Turkey
to get lost when they start making demands, but what if you're trying to evade
censorship from the US government or entity with similar level of power? This
will likely become an issue in future, having platforms that are immune to
hijacking is a good way to address it.

~~~
nknighthb
I invite you to waste your time. I'll not be wasting any more of mine on this
absurd thread.

~~~
nitrogen
If anything in this thread is absurd, it is your outright dismissal of the
notion that users will ever change the status quo, using _Tor_ of all things
as your example.

If Tor can create an adequate UX for an onion router, why couldn't someone
create a decent UX for a distributed secure messaging system?

~~~
icebraining
Playing nknighthb's advocate, the point is, you can convince people to use
Tor, because they are directly affected by the ban, without having to convince
_everyone_ who uses Twitter to use Tor, while you would have to convince
everyone who uses Twitter to use your system instead, even the people who have
no obvious reason for doing so.

~~~
nitrogen
This is a good point; people might see Tor as a one-time step they have to do
to continue doing exactly what they did before, rather than a complete change
to their digital routine. Still, I hope people keep building distributed
alternatives; eventually someone might just get the right UX at the right
time.

I normally wouldn't have been so harsh in my wording, especially when jumping
into the middle of a thread, but I guess the words "waste" and "absurd" seemed
hostile enough to set me off.

------
EthanHeilman
The question is: how are they doing this?

My money is on internal BGP route announcements that blackhole Twitter's IP
address as this technique has been used for IP filtering in China and Pakistan
and doesn't require any special equipment or overhead.

~~~
sgy
Unix-like operating systems commonly implement IP address blocking using TCP
Wrapper, configured by host access control files: /etc/hosts.deny and
/etc/hosts.allow

~~~
yuubi
The hosts.allow and hosts.deny files only affect incoming connections to
services that read them (whether by being invoked through tcpd, or by
otherwise using libwrap). You could prevent Twitter from connecting to your FTP
service or whatever, but not prevent other users on your network from
contacting Twitter.

------
acd
Ponders if they are also blocking Twitter on IPv6.

Anyhow here is how to circumvent the filter:
[https://www.hidemyass.com/proxy/](https://www.hidemyass.com/proxy/) type in
twitter

Background is Turkey's prime minister and leaked audiotapes.
[http://www.todayszaman.com/news-340552-full-transcript-of-vo...](http://www.todayszaman.com/news-340552-full-transcript-of-voice-recording-purportedly-of-turkish-pm-erdogan-and-his-son.html)

~~~
p1mrx
Twitter doesn't support IPv6 at all, unlike Facebook and Google+, where it's
been running since World IPv6 Launch on 2012-06-06.

------
existencebox
A brief glance at the news doesn't give me much information, but the first
thing that comes to mind when I see service blocking like this is, "when do
the protests start?"

Perhaps I only know of the examples that conform to this pattern, but internet
limitations seem to often lead to MUCH higher levels of societal discontent.
Could someone who understands the politics/social climate there give me a tl;dr
on the situation in that light and what's reasonable to expect?

~~~
gkya
Allow me to tell you about the worst kind of problem: getting used to
government being naughty. When quirky and nasty stuff happens so often, it is
commonplace. When everything is so rotten, one first questions "what are their
benefits from this" about every thing someone does.

Also, what you see and what we experience here is just a game on actuality, to
turn away people's looks from problems that are deeper and nastier. It is all
done in order to feint reality and get it to go under the dark curtain of a
scandal.

Basically, we're told "Look! What's over there," and then are slapped in the
face.

------
adenner
Next up deep packet inspection of all connections?

~~~
theverse
No, TYYP protocol [1]. DPI will be unnecessary.

[1] [https://github.com/rakyll/tyyp](https://github.com/rakyll/tyyp)

------
puppetmaster3
If he had NSA he could just predict noncompliant individuals.

------
mattbarrie
LOL

