Hacker News new | comments | show | ask | jobs | submit login
Belarus finally bans Tor (torproject.org)
311 points by BuuQu9hu 104 days ago | hide | past | web | 123 comments | favorite



This reminds me of a paper I read recently about the techniques that China employs to block Tor and other anonymity servers.

Great read, especially the annotated version: http://fermatslibrary.com/s/examining-how-the-great-firewall...


I found a PDF version for those interested: http://conferences.sigcomm.org/imc/2015/papers/p445.pdf


I wonder about the first RST with zeros in the sequence and acknowledge fields. Probably just bad software but if it is always the first RST it could be a sort of canary such that people in the "know" could note the malformed reset and pre-program a 'ignore RST this session' bit.


I guess they had to custom build a solution for this and screwed it up. The weird thing is that it seems like this should have been caught in testing. Unless it is a form of silent protest from the hapless programmers forced to write this oppression aid. Might even be some IOCCC level trickery at play here where it works in testing and with official IP addresses, but doesn't work for the majority of the population.


Is it possible for anyone to share the full text of the post for those of use behind a great firewall?

Edit: thanks!


Country: Belarus

Probed ISPs: Beltelecom (AS 6697)

Censorship method: TCP injections

We have recently heard of network anomalies in Belarus. Tor has been finally blocked in December 2016, although it had been explicitly declared that Tor should be blocked since February 2015.

Directly connected users from Belarus

An anonymous cypherpunk has helped to gather some evidence regarding Tor being blocked in Belarus. It’s neither a complete study nor an in-depth research and it’s unclear if any other further evidence will be gathered, so we decided to share current knowledge as-is:

Tor directory authorities are not blocked Public onion routers have their ORPort blocked by TCP RST injection The onion routers’ DirPort is not blocked Plain-old non-obfuscated Tor Bridges from BridgeDB circumvent the interference Beltelecom (or its upstream) has strange configuration of the networking gear injecting reset packets The strangeness in equipment is the following. The first injected RST packet does not have have proper SEQ/ACK numbers. These packet fields are just filled with zeroes. So this packet is dropped by the client’s TCP/IP stack per RFC5961 and does not actually terminate the client’s connection:

$ tshark -Tfields -eframe.time_relative -eip.src -etcp.srcport -eip.dst -etcp.dstport \ -eip.ttl -etcp.flags.str -etcp.seq -etcp.ack -r urandom.pcap | sed | awk | perl 0.000000 192.168.1.2 42555 87.118.94.227 443 64 S* 899897236 0 0.029459 87.118.94.227 443 192.168.1.2 42555 125 R* 0 0 (sic!) 0.096914 87.118.94.227 443 192.168.1.2 42555 52 AS 1984028404 899897237 0.096958 192.168.1.2 42555 87.118.94.227 443 64 A* 899897237 1984028405 0.136874 87.118.94.227 443 192.168.1.2 42555 125 R* 1984028405 0

That’s all for today. Remember, fried potato is better with onion!


urandom.pcap: Belarus (finally) bans Tor Leonid Evdokimov 2016-12-08 00:00:00 +0000 UTC Country: Belarus

Probed ISPs: Beltelecom (AS 6697)

Censorship method: TCP injections

We have recently heard of network anomalies in Belarus. Tor has been finally blocked in December 2016, although it had been explicitly declared that Tor should be blocked since February 2015.

Directly connected users from Belarus

An anonymous cypherpunk has helped to gather some evidence regarding Tor being blocked in Belarus. It’s neither a complete study nor an in-depth research and it’s unclear if any other further evidence will be gathered, so we decided to share current knowledge as-is:

Tor directory authorities are not blocked

Public onion routers have their ORPort blocked by TCP RST injection

The onion routers’ DirPort is not blocked

Plain-old non-obfuscated Tor Bridges from BridgeDB circumvent the interference

Beltelecom (or its upstream) has strange configuration of the networking gear injecting reset packets

The strangeness in equipment is the following. The first injected RST packet does not have have proper SEQ/ACK numbers. These packet fields are just filled with zeroes. So this packet is dropped by the client’s TCP/IP stack per RFC5961 and does not actually terminate the client’s connection:

    $ tshark -Tfields -eframe.time_relative -eip.src -etcp.srcport -eip.dst -etcp.dstport \
        -eip.ttl -etcp.flags.str -etcp.seq -etcp.ack -r urandom.pcap | sed | awk | perl

    0.000000   192.168.1.2 42555 87.118.94.227   443  64 **********S* 899897236  0
    0.029459 87.118.94.227   443   192.168.1.2 42555 125 *********R** 0          0 (sic!)
    0.096914 87.118.94.227   443   192.168.1.2 42555  52 *******A**S* 1984028404 899897237
    0.096958   192.168.1.2 42555 87.118.94.227   443  64 *******A**** 899897237  1984028405
    0.136874 87.118.94.227   443   192.168.1.2 42555 125 *********R** 1984028405 0
That’s all for today. Remember, fried potato is better with onion!


("fried potato" is a reference to cliché Belarusian obsession with potato)


Thanks for explaining.. was not aware of this.


https://web.archive.org/web/20161208223355/https://ooni.torp...

Hope you still have access to archive.org ;)


My corp firewall is blocking it for "Cache/Proxy" :p


That is a neat trick.. I was also blocked but web archive works fine!


OONI About Install Tests Data Get Involved Blog urandom.pcap: Belarus (finally) bans Tor Leonid Evdokimov 2016-12-08 00:00:00 +0000 UTC

Country: Belarus

Probed ISPs: Beltelecom (AS 6697)

Censorship method: TCP injections

We have recently heard of network anomalies in Belarus. Tor has been finally blocked in December 2016, although it had been explicitly declared that Tor should be blocked since February 2015.

Directly connected users from Belarus

An anonymous cypherpunk has helped to gather some evidence regarding Tor being blocked in Belarus. It’s neither a complete study nor an in-depth research and it’s unclear if any other further evidence will be gathered, so we decided to share current knowledge as-is:

    Tor directory authorities are not blocked
    Public onion routers have their ORPort blocked by TCP RST injection
    The onion routers’ DirPort is not blocked
    Plain-old non-obfuscated Tor Bridges from BridgeDB circumvent the interference
    Beltelecom (or its upstream) has strange configuration of the networking gear injecting reset packets
The strangeness in equipment is the following. The first injected RST packet does not have have proper SEQ/ACK numbers. These packet fields are just filled with zeroes. So this packet is dropped by the client’s TCP/IP stack per RFC5961 and does not actually terminate the client’s connection:

$ tshark -Tfields -eframe.time_relative -eip.src -etcp.srcport -eip.dst -etcp.dstport \ -eip.ttl -etcp.flags.str -etcp.seq -etcp.ack -r urandom.pcap | sed | awk | perl 0.000000 192.168.1.2 42555 87.118.94.227 443 64 S* 899897236 0 0.029459 87.118.94.227 443 192.168.1.2 42555 125 R* 0 0 (sic!) 0.096914 87.118.94.227 443 192.168.1.2 42555 52 AS 1984028404 899897237 0.096958 192.168.1.2 42555 87.118.94.227 443 64 A* 899897237 1984028405 0.136874 87.118.94.227 443 192.168.1.2 42555 125 R* 1984028405 0

That’s all for today. Remember, fried potato is better with onion!

The Onion


You know things are looking bad when the post reporting on censorship is censored.


Is it possible to access any of these where you are?

archive.org archive.is archive.today archive.fo webcache.googleusercontent.com


Coming soon to a jurisdiction near you!


Fake News journalists using 'Dark Web' drug and human trafficking network, study finds


Yup, UK next.


Race you

edit: in the interests of clarification, this means I expect to see attacks on Tor within the US before the UK.


The US is too busy using TOR as a honeypot and offensive weapon to shut down access.

TOR actually amplifies the asymmetry betweem the NSA and smaller actors: the NSA by owning the whole network can easily break it, but it prevents smaller players from getting the same access.

Of course, the FBI seem to routinely compromise TOR sites they don't like.


Usually via traditional investigative means.


And then they exploit Firefox bugs to drop phone-home malware on users. But so far, it's only been Windows malware :) And it relies on bypassing Tor's socks proxy.


If you truly wanted anonymity why wouldn't you buy a $35 raspberry pi and stuff it between your computer and the internet and route all traffic through it through tor? Too many zero days out there in browsers, flash, java, office not to mention configuration slip ups that could nullify your tor protection.


"buy a $35 raspberry pi and stuff it between your computer and the internet and route all traffic through it through tor? Too many zero days out there in browsers, flash, java, office"

How does Raspberry Pi help here? If it routes traffic at IP level, it will be transparent at an application level. Firewall/IDS won't help against zero days either.


It's trivial to use iptables to block all traffic except to the SOCKS proxy port on Tor, or even forcibly redirect it all through Tor directly using the transparent proxying support.


You can do all that on a host PC as well. I still don't see what additional layer of security Raspberry Pi adds here. Or am I missing something?


The idea is that even if the host PC is pwned the Pi will still route the traffic from it via Tor.


If the host PC is pwned then it can still disclose useful information about itself (files, Geo locations, mac addresses) - it will just be routed over TOR.


True. So it must not contain anything that's associated with you, in any way. Buy with cash. No geolocation data. Dedicated LAN. No sneaker net sharing. Compartmentalization.


Totally agreed. I nearly edited my comment yesterday to include this actually.

It is just one potential brick in your security wall.


Indeed. People are wrong with such confidence these days.


Yes, that's a serious problem. But being wrong in parent's direction isn't so bad ;) Over-engineering and prudence is my mantra.


Raspberry's firmware is not Open Source, that's why. Might just as well full of vulnerabilities and/or backdoors.


Because:

1) Pi only supports about 6MB/s on its ethernet port, meaning that you get 3MB/up and 3MB/down

2) TOR itself is just super slow, so why am I paying for a 350Mbps connection?

3) Most VPN services are fast enough for the above bandwidth, and offer sufficient security against state-based snooping.


Weren't most of the services they took down because of the CMU deanonymizaton attack?

They also claim Silk Road was classical hacking, but given what we know of parallel construction and their vagueness in describing their locating of the servers, we can't really know what happened there.


I know very little of networking but I assume to perform a TCP reset injection attack, the ISP would need to rely on the IP address of the public onion routers. Now, why do they play around with the reset flag instead of just simply swallowing the packets directed at a tor router?


Because effectively blocking packets at requires supervising all routes through which they might escape (i.e., managing a lot of dynamic rules on a lot of very critical routers), whereas injecting forged packets only requires one little box.

Kinda like the Berlin Wall. Easier to shoot people attempting to cross than hermetically seal the entire border.


I don't quite follow. You can't inject an RST packet unless you know someone is trying to connect to a Tor node, so you still need to supervise all the routes, right?


Difference is I can do traffic analysis and RST generation over lots of machines (if it gets slow, worst case my RST gets there late). Changing routes/forwarding table action has to happen on machine moving large data, in real time.


You can sniff the traffic out-of-band, possibly implement it on already existing spy/monitoring infrastructure.


And ignoring RST may work. In fact that method worked against earlier implementations of the great firewall of China.


Funnily enough I can read the comments here but my employer's filtering proxy (Blue Coat) blocked the torproject.org ;-)


Why "finally"?

From a quick search it seems a shot at Belarus' desire to ban Tor back in 2015 but only now achieving it.


That's the point. The article itself mentions that Belarus had officially ratified (not implemented) a law blocking Tor in February 2015, but only now is it actually being implemented.


Sorry, I missed that although it's in the very first line.


Lukashenko has to get around to it lol


Opening this website in Chrome on my Android device gives me the "ERR_CERT_AUTHORITY_INVALID" error.

Checking the certificate details, I found out that the certificate is issued to the organization "OpenDNS, Inc." I use OpenDNS's family safety DNS.

I don't think that TOR is owned by OpenDNS. Is it possibly that OpenDNS is MITMing me like previously Avast was reported? But how is that possible? I don't have any OpenDNS software installed that could change certificates.


They are late. Turkey already did it few weeks ago.


I'm from Belarus.

Belarus laws and politics had been for a long time a playground for Russia. Kinda "before implementing it for all users in production, let's try it on a smaller audience to see if it works or not."

So this ban is mostly an exercise for Russia, to get some experience.


I'm from Belarus too. Consider the above a fantasy.


By the way, it it legal to _use_ Tor in Belarus? Is it correct, that Tor should be blocked by ISPs, but user can't be punished for circumvention?

That's my understanding of the document http://www.pravo.by/main.aspx?guid=12551&p0=T21503059&p1=1&p...


That's my understanding too of the situation too. Thanks for the link, BTW.


I am neither from Belarus nor Russia and don't know what to think here. If either of you can provide some references to back up your positions that would be great, thanks.


My position is equal to yours: unless there are facts, it's a fantasy (modestly saying).

Moreover, in this particular case there are facts which don't fit into the idea that Russia first experiments in Belarus. For example Russia has a regulation that personal info of user should be stored inside the country (LinkeIn was banned recently for not obeying this regulation). There is no such regulation in Belarus. If Russia was experimenting first in Belarus they would try it here first.

Also, there is Chinese experience to study, I don't see any need for additional experiments.

So, it's nothing more than a conspiracy superstition.


No one says Belarus is the only place to run experiments on, or need in such field for every single experiment etc. Also, there was an initiative to move all the servers into the country (still in effect officially) for both domestic and foreign companies. Obviously it can not be achieved (just imagine fitting Microsoft-size-worth of servers into tiny country like Belarus (~9M people). For country like Russia you can do something like that to _some_ _degree_


> No one says Belarus is the only place to run experiments on

So you're now saying China's firewall is also a Russian experiment?


thanks for the expansion. I would suggest though, that just because they did not try something first this time, would not constitute a proof that they never do, nor even that they often do?

> So, it's nothing more than a conspiracy superstition.

Well, we do know that state sponsored internet trolls exist and have done for some time. They are not always subtle, but that doesn't mean that they are not very successfully subtle also.

I read an interesting article recently (though I can't find it now, sorry), which made an attempt to guess the number of such trolls on a country by country basis. Any comment either enhancing or detracting from a national reputation is suspect now, I fear.


They are everywhere



It's ukaz #60, an internet regulation in Belarus. It's different from the Russian regulation about storing user's data in the country and it confirms the countries progress in regulating new areas, like internet, independently. Everyone looks at everyone's experience, but it's not like one country is a playground for another.


You should read about the Bahamas, the USA playground for cell phone full take interception and then revise your comment. Just because you think things don't exist doesn't mean you're right.


I'm from Finlan ld but visting the US, till February and I have a feeling US will watch Belarus very closely to see if it is successful thrn will try to quietly implement a ban or interfere with Tor as best as they can. Rule 41 is a mere Apptizer. The Americans have yet to receive their Entrés. What's even more scary is the radical laws being fought for in Canada as of today.


I doubt it, the US government invented and has been a major sponsor to the tor project.

https://pando.com/2014/07/16/tor-spooks/


Historically yes. But I suggest bookmarking this comment and coming back to it in a few years to see how prophetic or absurd it turns out.



Really? A cartoon about the Jeane Dixon fallacy is a response? I think you're going to find the next years very surprising indeed. Even now, using tor is de facto grounds for a wiretap[1]

And I apologize in advance if my evidence is actually on topic and doesn't have funny pictures.

[1]https://techcrunch.com/2016/12/05/section-702-mohamud-appeal...


back in the day, using a bbs was grounds for a wiretap. (The fact bbs were full of phreakers had absolutely nothing to do with it im sure....)

so they sit, they listen, then do what exactly?

Someone has to read through the material, decipher it, translate it, interpret it. and how exactly do you act on it?

https://m.youtube.com/watch?v=3A_VT9YGA10


its easy to see both the upside and downside of this though.

its also only really a problem for americans. since the us government is paying to ensure other countries governments cant interfer with free communication.

its a matter of opinion wether they also managed to gain the ability to interfere with free communication themselves.

but since the "Next best alternative" is ssl/tls.

kinda a moot point.


Wall Street Journal is actually praising Belarus: http://www.wsj.com/articles/belarus-is-emerging-as-the-silic...


When I read your comment it made it seem like the WSJ was praising Belarus for banning Tor, which is not the case. (at least from reading the portion of the article that is not behind a paywall)


Do a google search for the article title and click the WSJ search result and you'll be able to view without the paywall.

But yeah, no mention of TOR in that article.


Wall Street Journal praising Belarus for banning Tor? How would that ever be possible?


Not for banning Tor, but I get the impression that if that had happened in time they'd have thrown it in there as a positie.

And many in Belarus said the country’s reputation as Europe’s last dictatorship is no hindrance to their work. “Success stories and a business’s scalability are more important than politics,” said Nick Vyhouski [...]

Charming.



This is a PR piece by Belarus national tech hub development agency. And they still put caveats about dictatorship and all.


Got me thinking about hidden communication techniques using DNS queries or ICMP as the "transport" layer. That would confuse the hell out of everyone :P


Both techniques are known and have effective counter-measurements. While it might work for a while, as soon as such "exotic" solutions get more widespread, it can be banned and filtered too (just few more rules to firewalls/IDs). China is a great example of this mouse&cat game.


There are VPN solutions that work over ICMP https://www.softether.org/1-features/1._Ultimate_Powerful_VP...



Could they use remote relays still?


You probably could do all kinds of things, but is it worth the risk of getting jailed?


The answer to that depends on the cause.


Depends on how serious the risk is. You run the risk of "getting jailed" for all kinds of minor crimes that people routinely commit. Are people actually going to get arrested for trying to use Tor? I don't think that's very plausible. You could pretty easily claim it was malware trying to make the connection and you don't know anything about it.


Yeah, you could claim that. Then, they search your computer and find no traces of malware but they find a copy of the Tor Browser Bundle. Now what?

Besides, law enforcement never just "takes your word for it". I've got a lot of friends in law enforcement and -- as far as "suspects" go -- they'll pretty much (attempt to) verify every claim you make.


Plausible deniability/difficulty of conviction means that LEOs rarely pursue cases where that would apply. I agree once they open an investigation, they'll verify the claim; I'm saying that crimes that have high acquittal rates and/or low prosecutorial uptake will get less attention from the police because it's frustrating/difficult/wasteful to spend a lot of time on things that don't usually pan out.

I don't know how the system works in Belarus so I understand it may not really matter there. The point is that it's going to be difficult to prove that the accused made an intentional connection to Tor as long as the accused and/or his/her lawyer has some technical literacy and knows what to say.


It's Belarus, police and laws work quite differently there.


Only if banned = illegal?


Normally when a government bans something it is by making it illegal.


Not exactly; there's a lot of instances where something is 'decriminalised', that is, it's technically banned but you won't be prosecuted for it. (e.g. weed in the Netherlands)


Can someone please explain the "fried potatoes are better with onion"? Is this an in-joke? A secret key? Many potatoes, -l


From wikipedia: In the Soviet Union, Belarusians were sometimes called bulbashi, a pejorative conjugation of the Belarusian word for potato.


That's because Belarusians eat a lot of potatoes. The per capita potato consumption there is probably the highest in the world: http://www.fao.org/potato-2008/en/world/


Funny, I was just reading about how non-German residents of Germany use "Kartoffel" (potato) as a perjorative for Germans in Germany. I didn't realize "potato" was such an effective insult it would exist in another country too!


Not to mention that there's a lot of (IMO semi-bad taste, but mostly just unfunny) potato pejoratives + punchlines directed @ the irish.


In the game Dota 2, the bracket with players that play so badly it becomes humorous, is often called the "potato bracket".

Ostensibly the term is meant to imply that the players there have about as much capability of thought as a potato.


In Dutch we say aardappel (earth apple; means potato) to stupid people, not Germans in particular as far as I knew. It might originate from that, I don't know.

Wat een aardappel! "What a dummy!"


> In Dutch we say aardappel (earth apple; means potato) to stupid people

Same in France with "patate". Funny to notice that the more common French expression for "potato" is "pomme de terre" ("apple of earth"), just like in Dutch!


Patat in Dutch are french fries :D

Though in the south (both south NL and Flemish Belgium) they're called "friet", as in "gefrituurd" ("fries" as in "they're fried"). Still, patat is officially Dutch and according to some website 95% of the Flemish people and 100% of the Dutch people know the word.


I've never said that.


You're 20, he's 45. Or he's even more of a nerd than you.


Nah, that saying isn't nerdy, just wait for the UDP jokes...

(... which nobody gets.)


May be regional, I'm not sure. Might have picked it from in either Limburg, Noord-Brabant or Gelderland. Pretty sure though that it's fairly universal, even if it's not something lots of people say every day.


Interesting, TIL that conjugation is not just for verbs, but that there is a separate and distinct use of this word for combining two ideas (which I guess in a sense is what verb conjugation is).


Generally, it is just verbs. The broader category (modification of any part of speech) is called inflection.


Eastern Europe eats a lot of potatoes.

Onion = Onion Router


I pulled up the image from the website; its metadata showed that it was downloaded from the wikimedia commons. I then ran a hex diff with https://upload.wikimedia.org/wikipedia/commons/thumb/5/52/Fr... . Turns out it was a complete match. So either there is nothing to see, or it is extremely elaborate!


Onion routing probably. TOR stands for the onion router .


YES! get in lads


It's just a good reminder.


I thought we aren't supposed to talk politics on HN anymore..


The week-long experiment was terminated early. See https://news.ycombinator.com/item?id=13133855


Even if it was still in effect, I think this would be fair game.

... and this is why they lifted the restriction early.


What a terrible decision that was. Glad it was reversed. It never would've worked.


It did work. The "decision" was to try changing the rules for a short time to see what we could learn by doing so, and we learned a lot. We ended it early because (a) the learning stabilized and (b) there were costs to continuing.

It's strange to me that so many people heard "just for a week" as "forever" and are continuing to comment as if those mean the same thing. The internet is weird.


Will you be making a "Tell HN" saying the experiment has ended with your thoughts? Are you okay replying to comments by users who do not know the experiment has ended?

I would be comparing a) data after the first announcement b) data after your comment in an unrelated thread saying the experiement is over c) data after the week is over and d) data after you write the promised lessons learnt post.


Yes, we decided to try distributing the info in the threads and see how well that works. So far it seems to be working well, because (a) there aren't that many such comments (as of a few minutes ago there aren't any that haven't been replied to), and (b) nearly all of them are now getting replied to correctly before we even see them. Together with the fact that HN has gone back to approximately normal re political stories and flagging, that makes me believe the information is working its way through.

Making an announcement a la Tell HN doesn't necessarily disseminate information. In this case it would almost certainly turn into a huge rehash of the original argument, with new information getting drowned out in the process. There are so many counterintutive effects to this, and we're still learning--indeed I feel like we're still taking baby steps. Turning up the volume definitely doesn't necessarily turn up the communication.


We are talking about a political ban, on politics detox week. Why is this thread still here?

I see nothing about security or routing technology, just reportage on the actions of a government - politics.


The week-long experiment was terminated early. See https://news.ycombinator.com/item?id=13133855


And yet it's almost as if there's been no announcement of this and people still think it's going on. I wonder what the flagging behaviour is?


Sorry I didn't see this earlier (your comment defeated my search queries). Flagging behavior appears to have returned to normal surprisingly quickly.


If you see people who are questioning the status of the detox week, I encourage you to let them know and point them to the thread I did above.


up next: your country too


Please don't post unsubstantive comments to HN.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | DMCA | Apply to YC | Contact

Search: