Show HN: Cecibot – Censorship Circumvention Bot (cecibot.com)
62 points by boramalper 3 months ago | 22 comments



Hello HN, author here!

I am a developer from Turkey, currently residing abroad for studying CompSci. Throughout the years I watched the Internet censorship in my country getting worse and worse each and every day under the Islamist regime of Erdoğan, to the extent of Wikipedia getting blocked.

As they improved their methods of censoring (and worsening the life of their citizens), such as from DNS blocking to blocking VPNs today, I was afraid that any direct solution can (and will) one day get blocked (for instance, the Tor website is currently blocked in Turkey but it works if you manage to install it somehow, whereas you'll need a bridge to connect to the Tor network in Iran if memory serves me well).

I came up with the idea (though not sure of its uniqueness) to use channels of everyday communication (such as e-mail, Telegram, (Facebook) Messenger...) to circumvent censorship. Because "even under the most repressive regimes, people do need to communicate with others, both within and outside of the country."

I'd love to hear your feedback!

Bora

P.S. https://github.com/boramalper/cecibot


It would be nice if the returned files or PDFs were (GPG) signed with an official cecibot key, for tamper protection.


Very minor nitpick: Would be nice if the github link was also on the site.

I like the idea a lot though! Very interesting.


Are you afraid for repercussions for writing the software and/or your statement(s) about the regime?


On the one hand, yes I am afraid, but on the other, I am sick & tired of silence (which quickly leads into learned helplessness).

I think it's better to speak up and to face the consequences than to see (first) your country (and then the world) ruined. I am currently studying abroad in the UK and even though they cannot directly harm me (though they can hurt me through my family and beloved ones living back home).

I kept thinking about the idea of settling in a nicer country, but then, I realise that people (in the West) have paid the price of their freedom (if not their wealth), and then the idea of "(e|im)migrating" doesn't feel like a solution any more but postponement of the problem, whose responsibility is on my (our) shoulders and no one else's.

More than what you asked for I assume, sorry. =)


Brave of you, good luck with your efforts.


The terms of service seem a bit odd to me:

   I do not tolerate:

   - Exploitation of _children_ (including child pornography)
   - _Religious_ terrorism

May I suggest changing this into something a bit less specific? The way it is written now you seem to be OK with political terrorism and exploitation of any other group. Just state you won't hesitate to report obvious criminal activity and leave it to the user to decide whether they feel they can trust you.


> Just state you won't hesitate to report obvious criminal activity

Bypassing censorship is a criminal activity in a number of countries. Pick censorship or pick an internet with illegal content. You can't have a world with neither.


If you don't trust the tool, don't use it. The fact that '[b]ypassing censorship is a criminal activity in a number of countries' seems to be what drove the creator of this tool to its creation so I assume that he will not report you for 'bypassing censorship'. This does not mean it is impossible of course, a smart Erdolf-follower could make a similar tool (or even this one) with the purpose of catching those who try to escape censorship. In the end it comes down to trust, no matter which tool you use.


@werber mentioned it in his comment as well, and I agree that the list is oddly specific, because it's solely based on me (with very little regard to whether something is legal or not). I personally do not want to assist in causing harm to any children, nor any religious terrorist groups.

Also, when you say "exploitation of anyone" or "any terrorists", I think it becomes far too broad, especially terrorism: Osama Bin Laden, a fallen idol, was once an "Anti-Soviet warrior (who) puts his army on the road to peace".[0]

Not that I support any terrorist activity, but I wouldn't like to snitch[1] on people based on whims of statesmen.

[0]: http://uk.businessinsider.com/1993-independent-article-about...

[1]: Unless they use rubber hose.


This is really cool, nice work.

In addition to censorship-circumvention, it also provides a way to read the content of potentially-malicious sites without risk of browser vulnerabilities being exploited, and without revealing your IP address, User-Agent, etc.

Now we can all browse the web like we're Richard Stallman :)

EDIT:

> try downloading it, if it is a file smaller than 5 MiB;

I found that even pages smaller than 5MB get rendered to PDF.

Are you using headless Chrome or similar to implement this? It seems Javascript isn't getting executed (which is probably wise, I was just surprised it renders the pages so faithfully if it's not also running some sort of engine that will execute JS).

(Update: UA is "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/67.0.337")

EDIT2:

It doesn't seem to support chunked transfer-encoding:

> Your request [...] has been unsuccessful due to following error:

> file size unknown: "content-length" header is missing


>it also provides a way to read the content of potentially-malicious sites without risk of browser vulnerabilities being exploited

PDFs have the same kind of vulnerabilities, they can even execute JS (JS is probably not contained in the ones generated by the author).

>and without revealing your IP address, User-Agent, etc.

Yep.

>> try downloading it, if it is a file smaller than 5 MiB;

>I found that even pages smaller than 5MB get rendered to PDF.

I believe the text is supposed to mean "if it's not a web page but a file [offered for download], it will download the file if it's less than 5MB".


Some PDF readers can execute JS which can be embedded in PDF files. Just use a reader which doesn't support embedded JS (or switch it off if it does support it) to avoid this whole class of vulnerabilities.


> Are you using headless Chrome or similar to implement this?

Yes, with pyppeteer[0] (Python 3 port of puppeteer).

> I found that even pages smaller than 5MB get rendered to PDF.

Web-pages (URLs that contain no file-extensions, or certain ones such as ".php", ".aspx" etc.) are rendered into PDFs. Generated PDFs must also be less than 5 MiB[1].

> It doesn't seem to support chunked transfer-encoding:

True. I need to determine the size of a file before downloading it completely, and I used "content-length" header for that. I can see how it should also be possible for chunked transfer-encoding, but I'm not willing to implement it myself to be honest, and I doubt if it's supported by requests library.

Thanks for the feedback!

[0]: https://miyakogi.github.io/pyppeteer/

[1]: An arbitrary limit. Might change it in the future.


I'd be extremely surprised if chunked encoding is not supported by the standard python http requests libraries.


I meant, a way to get the file-size when chunked transfer-encoding is used. I cannot imagine any, and I don't think requests has some magic way to calculate it (or more likely STOP after downloading n bytes).

Maybe `stream=True` and `.read(5 * 1024 * 1024)` and check EOF, if not, abort.
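
The read-up-to-the-limit approach suggested in this sub-thread, as an added example that is not part of any comment here or of cecibot's code: it enforces the 5 MiB cap on the bytes actually received, so a missing "content-length" header (chunked transfer-encoding) no longer forces a rejection. It uses the standard library's urllib instead of requests; `read_capped`, `fetch_capped` and `TooLarge` are hypothetical names.

```python
import io
import urllib.request

LIMIT = 5 * 1024 * 1024  # 5 MiB, the limit quoted in the thread


class TooLarge(Exception):
    """Raised when the body exceeds the limit (declared or actual)."""


def read_capped(stream, limit=LIMIT, declared=None, chunk=64 * 1024):
    """Read a body from a file-like stream, aborting once it exceeds `limit`.

    `declared` is the Content-Length value if the server sent one; it is
    used only for early rejection, never trusted as the real size.
    """
    if declared is not None and int(declared) > limit:
        raise TooLarge(f"declared size {declared} exceeds {limit}")
    buf = bytearray()
    while True:
        # Ask for at most one byte past the limit, so overflow is detected
        # without ever buffering more than limit + 1 bytes.
        piece = stream.read(min(chunk, limit + 1 - len(buf)))
        if not piece:  # EOF: the whole body fit under the cap
            return bytes(buf)
        buf += piece
        if len(buf) > limit:
            raise TooLarge(f"body exceeds {limit} bytes, aborted")


def fetch_capped(url, limit=LIMIT, timeout=10):
    """Hypothetical helper: fetch `url`, with or without Content-Length."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        # http.client decodes chunked transfer-encoding transparently, so
        # resp.read(n) yields body bytes even when no length was announced.
        return read_capped(resp, limit, resp.headers.get("Content-Length"))


def demo():
    # Constructed in-memory bodies standing in for responses of unknown size.
    small = read_capped(io.BytesIO(b"a" * 100), limit=1024)
    try:
        read_capped(io.BytesIO(b"b" * 2048), limit=1024)
        big = "accepted"
    except TooLarge:
        big = "rejected"
    return len(small), big
```

Leaving the `with` block after `TooLarge` closes the connection, so the rest of an oversized body is never transferred.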


Seems like this just creates a honeypot where censorship regimes can easily detect people attempting to circumvent their systems. Use this tool and you're liable to be on a list.

Maybe combined with a form of stenography, this could be more useful.


This is a cool bot. I wonder how well this concept can work for two way communication: not just GETting webpages but also allowing messaging when it’s blocked.


Excellent idea! Congrats on launching, and I love the minimalist website.

Quick note, /ar/ and /zh/ don’t currently seem to work.


Thanks. =) It's currently being translated into Arabic, and I'm yet to find a Chinese speaker (who is willing to translate).


Religious terrorism... What about domestic terrorism?


I think the point is that the label of “terrorist” is often forced upon those using justified force against a violent oppressor.

To use an example from American history, the American revolutionaries (AKA “patriots”) were almost certainly seen as terrorists from the perspective of Great Britain and its loyal subjects.



