Hacker News new | past | comments | ask | show | jobs | submit login
Japan's National Police Agency to urge Internet providers to block users of Tor (mainichi.jp)
98 points by pixelcort on Apr 18, 2013 | hide | past | web | favorite | 54 comments



>The move comes on the heels of a series of online threats via remotely hijacked computers using the Tor system, which allows users to mask their online identities and locations by routing connections through several servers.

There's been an investigation/questioning going on regarding one particular incident for many months now, where a guy had used Tor (among other things) to hijack others' computers and send crime threats from these machines. The Japanese police, being pretty inexperienced at this sort of thing, arrested the wrong person back in late 2012 (which btw ruined that poor guy's life, because the Japanese press has this retarded tendency to report suspects' real names, addresses, occupation, even when the status is preliminary), and it's been a series of embarrassments for them ever since.

They even have the prime suspect in custody, yet they can't find concrete evidence to lock him up. (in fact, they're doing some pretty shady stuff by keeping him in custody for an inordinately long time through various loop-holey means). The whole debacle has shown both the technology ineptitude of Japan's police department as well as its heavyhandedness.

Old article, but you'll get the gist of the situation.

http://www.wired.co.uk/news/archive/2013-01/07/japan-cat-col...

Then there is an article in February saying he was "caught", but two months later, he is still stuck in custody as police try in vain to find conclusive evidence that can lock him up.

http://www.wired.co.uk/news/archive/2013-02/12/japanese-cat-...


OK, this needs context.

Japan has an insanely hight conviction rate in pretty much all crimes. What happens is this: police find someone who is plausibly guilty (very low threshold and lots of bias) and keep them in custody for a long time (sometimes months) until they finally confess. Case solved.

So what you have just described is just business as usual for Japan.


Yes and that behavior resulted in the wrongfully convicted guy (back in 2012) "confessing" that he's the one who sent the crime threats, even though he was innocent.

(I forgot about this part in my original post, for thanks for being the impetus for making me remember :P)


It seems very plausible.

Most crimes in Japan have conviction rates of well over 90% for the reasons I wrote so I would be very surprised if this case was any different.


This reminds me of the scene in Shogun (Richard Chamberlain, 1980, etc. Doesn't ring a bell? Do yourself a favor and read the book/watch the film.) where he's in jail and the Spanish Friar tells him: "in Japan, all crimes have only one penalty: Death!"

As an aside, my wife is Japanese (born and raised there) and in her mind, once the police or the authorities say something, it's God's Truth.

It doesn't help that in Japan, the Emperor is believed to be descended from the Gods.

I'm breaking her of that concept, because, let's face it, man is fallible, but it's been an interesting struggle.


And it gets worse.

At first, the Japanese police "interrogated" four of the people whose computers had been hijacked. THREE OF THEM CONFESSED. The only reason they're not behind bars now is because:

1. Even the Japanese police noticed that there was something wrong with the case. It didn't make sense that these four people were co-operating.

2. The fourth guy was savvy enough to figure out what had happened, and explain it to the police.

This kind of crap goes on all the time here. Japan is what is known as a "soft police state".

The flip-side is, the police are so dependent on the confession to secure a conviction that, and so inept at other forms of investigation, that if you have the means to resist the pressure to confess, you walk free. That's part of how the yakuza (criminal gangs) survive in this highly regulated society.


Technically not true. They have 21 days to charge you. It is best to never say a word. This does not mean they will not charge you, they may, but more than likely they won't.


I came here to comment and guess who I saw lol

I think this is such a boneheaded move. Why is the Japanese government so anachronistic and unreformed when it comes to Internet policy?


It's because Japanese society is backwards and unreformed when it comes to its dealings with the Internet. [1]

1. http://neojaponisme.com/2009/05/19/the-fear-of-the-internet/



No, not at all like the USA. Japan is at least 10 years behind when it comes to the internet. It's a completely different situation. You have to experience it to understand it. The Japanese simply haven't grokked the idea of moving large aspects of their lives online, or even why they should bother to try to understand the internet.


You are confusing 'different' with '10 years behind'.

Let's just stipulate that fiber-optic and mobile internet infrastructure is light-years ahead of the US, since you say you are only talking about utilization.

So no, Japanese people don't tend to do Facebook. On the other hand, they have 2channel, which was launched when Zuckerberg was still jerking off to Asian porn at prep school, and which 1 out of 10 Japanese people use. It's completely anonymous and pretty much the opposite of Facebook, but it's still the Internet.

Just about everybody you see on the train, old grannies included, is sitting quietly, not talking, accessing some type of Internet-delivered content on their phone -- and we doing so well before "smartphone" was a word and when people were still stocking up on canned goods for Y2K. (I was a "PDA" developer back then.)

My Japanese mother-in-law, as is typical, is fully conversant in using Skype, Flickr, Google+ or whatever... to check our the latest baby pics. Not to post her own stuff, because she certainly wouldn't want to do that.

So if by 'the internet' you mean 'moving large aspects of their lives online' (in public, where others can see what they are up to), then no, people aren't really into that here.

Privacy is a way deeper concept in Japan, both pre-Internet and in the present day. Even if people write blogs, they are often totally anonymous. They avoid putting their names on their apartment mailboxes and shun transparent garbage bags so that their neighbors can't see what's in their trash, too.

That's different, but it's not '10 years behind' any more than Japan is '10 years behind in watching Survivor and Hardcore Pawn reality shows'.

(Disclaimer: I'm not Japanese, but I don't use social networks either, and I like it that way.)

[1]: http://www.japantimes.co.jp/news/2010/04/06/reference/2chann...


You're forgetting about digital media: http://www.theverge.com/2012/11/15/3628376/japan-digital-con...

There's a lot more to moving your life online than social networking. I'm not big on social networking either. But that doesn't mean I still rent my videos at the corner store or go to the local record store to buy albums on CD.


I don't think I am forgetting about those things -- read the closing paragraph of the article you link:

    The real question, however, is whether or not
    Japanese consumers even want these services that
    we from the West can no longer imagine life without.
    Hulu and Sony are making good starts, but they 
    certainly have their work cut out for them in Japan.
    As far as I can tell, most people are pretty happy as
    long as they live within bicycle distance of a Tsutaya
    — that’s basically everyone in Tokyo, by the way — and
    its convenient, cheap access to rented media. Which,
    of course, can be copied and kept forever; a practice
    that Tsutaya has gone out of its way to encourage by 
    actually selling burnable discs and drives alongside its
    J-pop CDs. And for casual consumers, maybe it is a better
    solution. No DRM, no extortionate prices, and a sense of
    ownership. That’s the thing about Japan — for better or 
    worse, you can always count on the place to march to the 
    beat of a different drummer.
Like I said: different.

It reminds me of how Japan kept (and keeps) using fax machines. It seems archaic, but fax machines are dramatically easier to use and far more reliable than any email system every devised.

Part of what is going on here is that all the digital solutions suck too much ass. It took Apple ten years from when they launched iTunes Store to make the legal digital music scene actually better than CDs (when they finally shitcanned all DRM and stopped sucking more than the process of driving to Best Buy). It took an Amazon to make digital books not suck balls.

Nobody has done that with movies and TV yet (other than the bootleg torrent scene, I mean). But I note the article mentions Hulu is doing well in Japan. Well, the suck-ass Hulu that they have in America wouldn't do well here -- they had to make Japanese Hulu significantly better (no ads, faster speeds, subtitles, etc). It's still not good enough that I can say walking down the street to Tsutaya is Doing It Wrong.

I'm not saying the Japanese are the masters of the Internet, either. It turns out that the reason all Japanese websites look like shit is because that's how the Japanese want 'em. I spoke to an engineer for Rakuten at the last HN Tokyo meetup -- turns out Rakuten actually does have some designers and they've A/B tested their current 450-blinking-mini-banners-per-6MB-page against some clean and modern designs. The horrific eyesores won. The people had spoken. And what they said was, well, different.


> It seems archaic, but fax machines are dramatically easier to use and far more reliable than any email system every devised.

Are you kidding me? I have never had issues with reliability of email, but fax machines are always breaking down, running out of toner, and lord knows what else. That's why services like HelloFax exist.

> It took Apple ten years from when they launched iTunes Store to make the legal digital music scene actually better than CDs (when they finally shitcanned all DRM and stopped sucking more than the process of driving to Best Buy).

Uhh, no. Most Americans I know stopped buying CDs from Best Buy some time around 2005 or 2006. And those were the latecomers. The younger people stopped pretty much after Napster became big in the late 90s.

> Nobody has done that with movies and TV yet

Have you never used Netflix?

> It turns out that the reason all Japanese websites look like shit is because that's how the Japanese want 'em. I spoke to an engineer for Rakuten at the last HN Tokyo meetup -- turns out Rakuten actually does have some designers and they've A/B tested their current 450-blinking-mini-banners-per-6MB-page against some clean and modern designs. The horrific eyesores won. The people had spoken. And what they said was, well, different.

A/B testing is not the be all and end all of website design: http://www.codinghorror.com/blog/2010/07/groundhog-day-or-th...

And I wouldn't use Rakuten as an example of shining engineering (or design) talent. I interviewed with them and quickly realized that it was a place where engineers went to get super shitty. Not to mention that Mikitani's famed "B2B2C" model is just plain idiotic. Surprise surprise, give people too much control over their "store pages", and they turn to shit. In America we'd already learned that lesson from MySpace, but it apparently never translated over to Japan.

And if the Japanese like crammed and messy designs so much, why have the iPhone and iPad been such big hits? Shouldn't they have just kept using their Galapagos keitai, with the horribly confusing byzantine UI and tons of features that no one ever used?


Real quick:

1.) Yes you have had reliability issues with email. And so has everybody else who has ever used it. It's inherently unreliable by design, and errors can happen anywhere along the chain and often don't reported back.

2.) I have used Netflix. It's the best legal solution I've seen so far, but the selection still sucks and it doesn't work internationally. Not solved.

3.) Most Americans you know may have stopped buying CDs in 2005, but not most Americans I know, and (more to the point) not most Americans in general[1][2]. I dabbled in buying digital music back then, but it was inferior, crippled, DRM-laden shit. iTunes didn't fix that until 2009[3]. US digital music sales didn't surpass physical sales until 2011.

4.) I wasn't using Rakuten as an example of shining engineering or design. I'm saying the horrible, garish store pages on Rakuten -- apparently as shocking to your sensibilities as they are to mine -- are actually what the Japanese people, in aggregate, seem to prefer. Understanding that goes a long way toward understanding why all my Japanese bank websites look so heinous[4], why my coworkers here prefer Yahoo to Google for web-searching, and so on.

The iPhone? Well fuck it, that must be the exception that proves the rule. ;-)

But before you diss those old Galapagos keitais, people did use the hell out of those. I know 50 year olds who can still reserve a flight way faster on one of those things while driving down the street than I can do with my iPhone using both hands.

My point in all of this was just to say Japan isn't "behind" the US in Internet use (in terms of per capita users, they are very similar, ranked #14 and #13 respectively[5]), they just use it differently.

Some differences I like (e.g., not prematurely accepting cunty DRM-ridden systems that aren't really as good as the old systems they purport to replace).

Some, I don't like (e.g., bank website design).

And some, like not really having digital books here yet (outside of manga, anyway) are a just function of the USA's global economic dominance -- those markets take an Apple or Amazon to spearhead. Japan is not those American companies' first priority. It'll take more time before those products are available here.

OK, I lied, that wasn't real quick.

[1]: http://www.businesswire.com/news/home/20120105005547/en/Niel...

[2]http://www.businesswire.com/news/home/20130104005149/en/Niel...

[3]: http://www.pcworld.com/article/162732/drm_free_itunes_meanin...

[4]: Yep, including this one (lol!): http://www.rakuten-bank.co.jp

[5]: http://www.nationmaster.com/graph/int_use_percap-internet-us...


> Yes you have had reliability issues with email. And so has everybody else who has ever used it. It's inherently unreliable by design, and errors can happen anywhere along the chain and often don't reported back.

Uh, no I haven't. I cannot remember a single instance in which I sent an email and it failed to arrive in the recipient's inbox. Just stop and think about it - you're actually defending fax machines, which are KNOWN to regularly break down.

> I have used Netflix. It's the best legal solution I've seen so far, but the selection still sucks and it doesn't work internationally. Not solved.

The reason it doesn't work in Japan is because Japan is way behind when it comes to the internet. Because Japanese companies are lumbering behemoths loathe to adopt the internet. Because consumers don't show interest in streaming their movies and TV shows instead of going to Tsutaya.

> Most Americans you know may have stopped buying CDs in 2005, but not most Americans I know, and (more to the point) not most Americans in general[1][2]. I dabbled in buying digital music back then, but it was inferior, crippled, DRM-laden shit. iTunes didn't fix that until 2009[3]. US digital music sales didn't surpass physical sales until 2011.

Of course digital sales didn't surpass physical sales for a long time - with digital sales, people started buying singles instead of whole CDs, so they were spending a lot less money. And a lot of the people were just pirating their music instead of buying it. You would have to compare total digital vs physical music consumption, not music sales, in order to figure out how quickly digital music was adopted. Just because someone purchased a $10 CD doesn't mean they actually listened to all the songs on it. And just because someone who listens to music all the time has never purchased a song digitally doesn't mean they buy CDs (they could have pirated it all).

And what about Japan? How is digital music doing there in comparison to the US? Oh yeah, people are STILL buying/renting and listening to CDs.

> I'm saying the horrible, garish store pages on Rakuten -- apparently as shocking to your sensibilities as they are to mine -- are actually what the Japanese people, in aggregate, seem to prefer. Understanding that goes a long way toward understanding why all my Japanese bank websites look so heinous[4], why my coworkers here prefer Yahoo to Google for web-searching, and so on.

How much concrete evidence is there that the Japanese don't prefer cleaner website designs? You could've said the same thing about American websites in the 90s, but things have changed.

As for preferring Yahoo to Google, that has more to do with historical preferences than the site design. After all, Bing has a clean and simple design, and is largely comparable to Google in terms of results, but Americans continue to use Google. Old habits die hard. The difference in Japan is that they are even more attached to doing things as they've always been done. It takes a dramatic event, like the Meiji Revolution, or losing in WW2, to engender rapid change in Japan.

> Some differences I like (e.g., not prematurely accepting cunty DRM-ridden systems that aren't really as good as the old systems they purport to replace).

I don't think it has anything to do with DRM. The Japanese are happy to deal with Apple's draconian App Store policies as they buy tons and tons of iPhones. What proof is there that it was DRM that stopped them from buying music on iTunes? The real reason is that the record industry in Japan refused to put their music online until recently.

> those markets take an Apple or Amazon to spearhead. Japan is not those American companies' first priority

Why not a Japanese company, like Sony? Sony had an E-reader in Japan a long time ago. But it could never move forward, because a few companies have a stranglehold on the publishing industry and aren't receptive to change.


w1ntermute, I have to disagree with you here. If we are going to generalize, the Japanese are most definitely clued-in to the Internet. They may not use Facebook as much, but they have one of the highest usages of Twitter in the world (a little old, but here: http://www.mediabistro.com/alltwitter/twitter-top-countries_... and here: http://venturebeat.com/2012/01/09/huge-in-japan-twitter/), and they use the Internet for a lot of things like making purchases, finding product/store/restaurant/etc. reviews, auctions, etc. And, despite the relatively lower numbers, tons of Japanese are on Facebook (although, this article describes how teenagers are more into Instagram and other photo-sharing services, moreso than FB, which makes sense consider Japan's history of photo sharing via feature-phones...but I digress: http://japan.cnet.com/news/commentary/35029092/). AND, let us not forget venerable old 2chan, the inspiration for 4chan(!). To say that they are ten years behind I think is pretty much not the case.

Which all just goes to say that it is even more of a shame that the government doesn't have a clue about this shit.

Now, if you are talking about building an environment to create new web businesses, or adopting new software development techniques, then maybe they are behind...but not ten years (and most everyone is behind the U.S. on this as far as I've seen).

-A guy who works at a Japanese internet company in Tokyo


Things are not nearly as rosy as you're painting them: http://www.theverge.com/2012/11/15/3628376/japan-digital-con...

All I can say is that my experience living in Tokyo has been completely different from what you suggest. Like the Neojaponisme article suggests, there is a general "fear and loathing" of the internet among the Japanese.


And yet they make shows like Eden of the East which contains a system with that namesake that's basically Facebook meets Metafilter meets Google


imo Japanese subculture citizens (especially those who really live and breathe it) are much farther away from the "mainstream" culture and society than their counterparts in the West.

It is more 'normal' to be 'not normal' over here.


And yet I have gigabit internet here.


I don't mean their internet infrastructure, I mean their actual utilization of the internet.


skimmed the linked article and was quite impressed with the thorough analysis. :)


Neojaponisme is a great site, it's too bad there hasn't been any new content since the new year started.


> Why is the Japanese government so anachronistic and unreformed about Internet policy?

Take a step back. Why is the Japanese government so anachronistic and unreformed?


So this would work by the host wanting to be nice to the police; a dating site doesn't want child rapists, so they ban Tor exit nodes. That makes sense. What I found amusing, though, is that they want sites that accept leaks from government agencies to do the same thing. If you're a site that collects leaked information, the last thing you're going to do is block Tor. So I found that example amusing.


How do you know if traffic is from a Tor exit node? Is there a giant list of exit nodes kept somewhere that can be referred to?

For that matter, if I'm using TOR does the ISP have anyway to know that? I know they can't get to the contents of what I'm sending, but does the data look like different to "normal" internet use in a way that could be detected and filtered?


I remember that iron geek has a few talks about this, and specifically about different ways to leak information in a darknet, usually protocols that dont respect what the browser is trying to accomplish, and depending how your tor traffic is setup (browser plugin), may lead someone directly to you.

Anyway, here's his fairly simple php script: http://www.irongeek.com/i.php?page=security/detect-tor-exit-...


Yes, there's a list of exit nodes. Which machines are exit nodes is not supposed to be secret and could be easily derived by an interested party. (Send a bunch of requests to your web server over Tor. Observe the list of IPs making requests.)

http://torstatus.blutmagie.de/ip_list_exit.php/Tor_ip_list_E...

And yes, ISPs could detect Tor traffic if they wanted to.


Could Tor traffic be encapsulated in HTTPS to stop ISPs from identifying it, or would they still be able to either identify the traffic as Tor or identify the relay nodes and block access to them?

I'm curious if the Japanese proposal is even possible, or if it's another political policy that isn't supported by technology like Australia's proposed internet censorship system (which was eventually abandoned)


That's a complicated question. This talk from CCC in 2011 addresses some of the points (and is very interesting in it's own right):

http://www.youtube.com/watch?v=GwMr8Xl7JMQ

Tor already uses SSL, so I'm not sure how valuable encapsulating it in HTTPS would be. In fact (and this is from memory, so I may be wrong), some governments were able to block Tor by looking at certificate expiry date - Tor uses short lived certificates, but no real https site is going to use an ssl cert that expires in a couple hours. There were some other ways to fingerprint Tor traffic, but I'd have to watch the video again to remember.

The Tor developers also apparently have a list of potential ways to identify Tor traffic, but haven't fixed all of them because they're waiting for evidence that they're being used to block Tor traffic first.

As for relays - the bridge system addresses that. It's difficult or impossible to compile a complete list of bridge nodes, so that method should be pretty effective. It's also possible to run a "private" bridge and share it out of band with other. That method certainly should make relay identification extremely difficult.


I don't think they're proposing to block the PROTOCOL. (Is it even possible to reliably distinguish Tor traffic from other encrypted traffic?) Rather, I think they're proposing to block all packets being sent to known Tor end-nodes. Of course, miscreants can get around this by bouncing their packets off a relay outside Japan.

This will actually HELP Japanese criminals who go to the trouble of using a relay. When they cause trouble, the first response of the authorities will be, "This is the work of foreign criminals." (A common scapegoat, alas.) "It can't possibly be coming from Japan, because we've blocked Tor." (and we're certainly not going to admit that our firewall leaks)


What authority does the NPA have to force providers based in Japan to do this?


Please, there is no mention of force anywhere. Not in the title nor in the article.

Urge is very different from force, and furthermore they are urging ISPs to voluntarily block Tor communications.


The problem here is that they want this at all, this is a typical first step for introducing censorship.

Real life example from Norway:

1: Police wanted/suggested a filter to stop child porn (think of the children, etc)

2: This filter is then implemented by the ISP`s that wants to use it.

3: Police/Government suggests/mentions that it should be required for all ISP`s.

4: Government starts talking about implementing filter for stopping sites that "can be bad"(read: piracy sites)

(what will happen in the future, at least as i suspect it)

The child porn filter will be forced upon all ISP`s, it will be changed to also block other sites that the government/police thinks that should be blocked.

Now this filter is as of today easy to go around by simply using other DNS servers, but the problem is that censorship is wanted at all. I will not be surprised if the next step is to put the filter on a lower level on the network stack. And even in the long term, forbid the use of TOR/Freenet etc.


Iin their eyes there are already limits on what people can browse and adding a couple more is no different than what is already established.

You're implying that censorship will lead to a slippery slope but we're already sliding down one.


I didn't say that they could or would force anything. You apparently read this as:

  OMG! On *WHAT* authority can they do this?!
  It's a travesty!
while my intent was:

  Do they have authority to take this further than
  strong suggestions?


just like the SFPD is only suggesting bars/clubs/restaurants install 24h surveillance cameras?

http://www.jwz.org/blog/?s=sfpd


Given the well-known closeness of industry and government in many countries and especially Japan, is that an important distinction?


None, but how much is really necessary here? [I would] Expect the ISPs in this case to be relatively complacent, regardless of the quote from the "industry insider".


Is it even feasible to block Tor connections?


Kind of. Tor operates over a standard port, so detecting it is relativly easy. However, people in a non blocked region can create a non-standard entry node that is indistiguishable from normal encrypted connections.


That "standard port" is 443, by the way. The same port as SSL traffic. So actually detecting it requires analysis of the traffic patterns.

Blocking known exit nodes, on the other hand, is pretty easy - just block a subset of IPs.


Kind of, China does this by blocking all relays they get hold of. No relay-DB is ever complete, so they cant get them all, but enough to make it troublesome to use.


It is feasible to prevent Tor users from accessing your service. This is by design. (see https://www.torproject.org/docs/faq-abuse.html.en#Bans)

It is much harder to stop your users from accessing Tor. You can make it less convenient, but there are countermeasures. (see https://www.torproject.org/docs/bridges.html.en)


There are some clever tricks adversaries can do with DPI. One thing was that Tor originally used SSL certificates with very short expiration times and rotated them frequently. That's very distinct compared to "real" https traffic, since no one waits until a certificate is a couple hours from expiration to replace it. My understanding is that now they still rotate certificates, but they set the expiration date much farther out in the future.


I cringed when I read the headline reference to Tor as "hijacking software."


Even more worrying are phrases like "the Tor system was abused in a number of crimes." I realize that this is a Japanese translation but the conflation between "maliciously use" and "abuse" is still odd.


The use of "abuse" is correct here. It was used in an incorrect/improper manner, which is the definition of abuse.


Brought to you by the nation that arrested a developer for creating P2P sharing software called Winny.

http://www.afterdawn.com/news/article.cfm/2006/12/17/japan_c...

Japan is inching ever closer to China's version of the internet. BitTorrent piracy is also a criminal offense in Japan (not a civil one as in many other nations).


I find it interesting that the police would rather have Tor blocked at ISP's, which is not an easy thing to do, than find how to use it effectively to police those that abuse it. https://www.torproject.org/docs/bridges

Head in the sand mentality. Well, I better get my Tor installation updated.


> The panel specifically recommends that communications be blocked when there is access from IP addresses publicly listed as those allocated to the third in a chain of computers that are used by Tor.

This means blocking Tor exit nodes (third in a chain), right? So this means using Tor won't be blocked, but the exit nodes within the relevant ISPs would be?


"First they came ...."




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: