18:00 phw│ #startmeeting anti-censorship team meeting
18:00 MeetBot│ Meeting started Thu Jul 9 15:59:03 2020 UTC. The chair is phw. Information about MeetBot at http://wiki.debian.org/MeetBot.
18:00 MeetBot│ Useful Commands: #action #agreed #help #info #idea #link #topic.
18:00 * | MeetBot changed topic of #tor-meeting to: (Meeting topic: anti-censorship team meeting)
18:00 phw│ good morning, everybody
18:00 phw│ here is our meeting pad: https://pad.riseup.net/p/tor-anti-censorship-keep
18:00 hannelores│ hey
18:01 juggy│ hi
18:02 agix│ hi
18:02 cohosh│ hi
18:02 gaba│ hi
18:02 phw│ gaba: did the tuesday gitlab meeting result in a way forward regarding our problem with anonymous issue submissions?
18:03 gaba│ yes
18:03 gaba│ we are creating all users that people are asking
18:03 gaba│ and then ahf is working on a lobby
18:03 gaba│ on submission form
18:04 gaba│ https://gitlab.torproject.org/ahf/lobby
18:04 phw│ a submission form to apply for accounts?
18:04 gaba│ "This Django application contains the lobby website for Tor's Gitlab instance.
18:04 gaba│ The Gitlab Lobby allows users to:
18:04 gaba│ Request accounts on our Gitlab server, if they are interested in working
18:04 gaba│ with Tor's development teams.
18:04 gaba│ Anonymously submit and comment on issues on Tor's Gitlab instance."
18:05 ahf│ phw: first step is for users to sign up, second step is for users to submit anonymously
18:05 ahf│ hope to have a demo ready next week for the first step
18:06 phw│ what do people sign up with? so it's not a shared account?
18:07 dcf1│ so if I understand correctly, at the moment to submit a bug report, you email gitlab-admin@tpo and get an account, then use the account to file the report
18:07 gaba│ right
18:07 gaba│ that is how it is working right now
18:07 dcf1│ when the lobby website is ready, it will be possible to use it to 1) request an account without emailing gitlab-admin, or 2) submit a bug report without an account
18:07 ahf│ phw: people won't have to sign up. people will be able to submit (with moderation) to the issue tracker
18:07 dcf1│ ok
18:07 ahf│ for projects who are willing to do moderations 8)
18:08 ahf│ phw: the discourse discussion yesterday might change the plans though, but i'm not tracking that super much right now
18:09 gaba│ the discourse will help with where discussion is happening before tickets
18:09 gaba│ but i do not think it will change how we submit tickets
18:09 gaba│ discourse will help with blogpost (if we do discourse)
18:09 gaba│ and to redirect people from multiple Tor forums around the Internet
18:09 * ahf nods
18:10 phw│ should we create a cypherpunks-like gitlab account until the lobby website is ready?
18:10 gaba│ why?
18:11 cohosh│ how many weeks until people are able to submit tickets?
18:11 gaba│ there is some debate on the cypherpunk account. Some people do not like that option and it is harder to do in gitlab because of the possible changes people can do on the account
18:11 cohosh│ it might be nice to have something to bridge the gap until then
18:11 phw│ as a temporary solution, so people can interact with gitlab until the lobby is done
18:12 gaba│ you think that people asking for accounts is not something that can work for now?
18:13 dcf1│ I guess we as a team could do this, by requesting a new account with the proper permissions.
18:13 dcf1│ I think that requiring an account, and especially requiring emailing someone to make an account, is a high barrier for many of the people who want to reach us.
18:13 phw│ gaba: we're talking about anonymous submissions, specifically. i don't think that asking for an account is a good solution for this
18:14 phw│ i wouldn't mind managing an account that's only allowed to report issues in the anti-censorship group
18:14 phw│ ...so it wouldn't bother anyone else
18:14 ahf│ the permission systems are not set up correctly yet, which makes it hard to maintain such a user. the user would have access to everything practically and we haven't audited all group access yet
18:15 phw│ i see
18:15 ahf│ and first time someone logs in and changes the pw, you will need someone to reset it :-/
18:15 dcf1│ hmm
18:15 ahf│ i do agree the barrier to entry is higher than anybody wants it
18:15 dcf1│ an easy alternative is we designate a bug-reporting etherpad and remember to check it every week
18:15 gaba│ like that alternative
18:16 phw│ sounds good to me
18:16 ahf│ or take issues by mail? the first suggestion we had when we moved was for people to write to tor-dev@, but a mailing list also has higher barriers than somebody wants
18:16 gaba│ we could even set up a form somewhere where people send tickets...
18:16 dcf1│ We just need something concrete to write at https://snowflake.torproject.org/#bugs
18:16 cohosh│ yeah an etherpad is a good call
18:17 cohosh│ is then when the lobby is ready we can write that information on the pad
18:17 ahf│ from what i can tell, the lobby stuff is the only thing i have on my plate for gitlab stuff next week, and it's not a big project for the account sign-up. i think i could spend half a day more on it and do some very basic ticket submission stuff (but probably not comments) if you are willing to beta-test something like that
18:17 * cohosh is willing to beta test
18:17 cohosh│ ahf: thanks for doing all this
18:17 HashikD│ I am available for testing as well.
18:17 ahf│ trying with the anti-censorship teams' project would be nice before we try opening it up. i've been hoping to find a test team this week or next
18:18 ahf│ cool
18:18 phw│ thanks ahf
18:19 ahf│ np! let me try to poke you all sometime next week when i have something we can try
18:19 phw│ dcf1: do you mind updating https://snowflake.torproject.org/#bugs ?
18:20 dcf1│ Yes I'll do it.
18:20 phw│ thanks
18:21 cohosh│ dcf1: i just remembered that i haven't updated the badge yet for #34129 >.<
18:21 zwiebelbot:#tor-meetingtor#34129: Use STUN to determine NAT behaviour of peers - https://bugs.torproject.org/34129 - [Closed (moved) → tor:tpo/anti-censorship/pluggable-transports/snowflake#34129]
18:21 phw│ oh, there are a bunch of censorship-related pets'20 papers. take a look at the 'interesting links' section
18:22 dcf1│ I found a badge in the wild in Sergey's site: https://sfrolov.io/
18:22 cohosh│ dcf1: woah heh
18:23 cohosh│ looks like it's populating the strings right though
18:23 cohosh│ it's not*
18:24 phw│ any other topics to discuss before we move on to our 'needs review' section?
18:25 valdikss│ I'm the author of GoodbyeDPI, it's listed on the pad. Feel free to ask me anything.
18:25 cohosh│ valdikss: hi!
18:25 phw│ valdikss: welcome!
18:26 dcf1│ hey valdikss, we're scheduled to talk about it right after the normal meeting business
18:26 valdikss│ I'll be here, mention me and I'll check the chat.
18:27 * phw takes a look at today's reviews
18:28 phw│ #30579 for cohosh, and i think that's it?
18:28 zwiebelbot:#tor-meetingtor#30579: Add more STUN servers to the default snowflake configuration in Tor Browser - https://bugs.torproject.org/30579 - [Closed (moved) → tor:tpo/anti-censorship/pluggable-transports/snowflake#30579]
18:28 phw│ oh, is that still relevant?
18:30 dcf1│ sorry I'm behind on the last week of tickets
18:30 cohosh│ yeah it's a small change to add a new default stun server to the proxy-go instances
18:30 cohosh│ so that they'll do nat discovery by default
18:30 cohosh│ i'm almost done rolling out all the nat discovery changes
18:30 phw│ gotcha
18:31 phw│ does anyone else need help with anything?
18:31 phw│ *crickets* means no
18:32 phw│ let's move on to the reading group
18:32 dcf1│ I'll at least leave a ticket on merge request !5
18:32 dcf1│ *a comment
18:32 cohosh│ dcf1: thanks
18:33 phw│ i didn't get around to this week's reading, so i would appreciate it if anyone else can moderate today's session :/
18:34 cohosh│ i took a look but don't have a summary pre-prepared
18:34 dcf1│ I believe cohosh suggested the topic; also I am prepared to talk about it
18:34 dcf1│ And of course valdikss can correct any errors
18:35 cohosh│ okay i can do a brief summary of what i learned
18:36 cohosh│ i have some questions too
18:36 cohosh│
18:37 cohosh│ GoodbyeDPI is a service for bypassing censorship by either ignoring redirects sent by DPI boxes or tricking the DPI into ignoring the session
18:37 cohosh│ a lot of the techniques used are somewhat similar to the ones we've discussed in some of the recent reading groups on symTCP and geneva
18:38 cohosh│ e.g., fragmenting the first TCP data packet
18:38 cohosh│ and some HTTP-level tricks like playing with the capitalization of the Host: header
18:38 dcf1│ E.g. https://github.com/ValdikSS/GoodbyeDPI#how-does-it-work
18:39 cohosh│ but it will also just ignore packets that it thinks are sent by the DPI
18:39 cohosh│ these are packets that have an IP id of 0x0000 or 0x0001 that contain tcp rst
18:40 cohosh│ my understanding is that these techniques are specifically catered to the DPI boxes used by censors in Russia
18:40 dcf1│ Yes, the tuning for local conditions is interesting to me.
18:40 cohosh│ and that it is meant to be installed as a windows service so that the tricks can be used by any browser or other program that is making TCP/HTTP requests
18:41 cohosh│ they have also included with the tool some scripts that users can run to test whether goodbyeDPI will work for them
18:41 valdikss│ That is correct. GoodbyeDPI either prevents OS and software from receiving injected packets by DPI or 'breaks' the packets to make them undetectable by the DPI.
18:41 cohosh│
18:41 HashikD│ I guess, most of the related works and GoodbyeDPI is geared towards bypassing a Russian ISP
18:42 valdikss│ There's a similar software for Linux, https://github.com/bol-van/zapret
18:42 dcf1│ From my notes:
18:42 dcf1│ GoodbyeDPI is for Windows only. For packet manipulation it relies on WinDivert (https://github.com/basil00/Divert)
18:42 valdikss│ GoodbyeDPI works in Indonesia (they recently got Netflix blocked and the software unblocks it), Turkey. I've also tested it in Saudi Arabia.
18:43 cohosh│ valdikss: thanks, i was curious about that
18:43 dcf1│ WinDivert itself has its origin in ReQrypt (https://reqrypt.org/reqrypt.html), about which I wrote a summary: https://groups.google.com/d/msg/traffic-obf/iwDomyMF--Q/N87y8mAPAgAJ
18:43 dcf1│ Here's an example in the source code for Host header manipulation: https://github.com/ValdikSS/GoodbyeDPI/blob/505b8bf516b74f2f1c0aff2b10768d6e9a0adeab/src/goodbyedpi.c#L783
18:44 dcf1│ Here's an example of changing the window size on receiving a SYN/ACK (I suppose this is something like brdgrd): https://github.com/ValdikSS/GoodbyeDPI/blob/505b8bf516b74f2f1c0aff2b10768d6e9a0adeab/src/goodbyedpi.c#L938
18:44 dcf1│ I unpacked the release and found a file blacklist.txt with a list of domains in it; I suppose that by default, GoodbyeDPI only affects those domains?
18:44 HashikD│ Additionally, One of the related works suggests to use DNS-Over-Https to bypass DNS. I guess most censors rely on DOT for blocking.
18:45 valdikss│ dcf1: yes, that's Russian blacklist.
18:45 dcf1│ I ran `goodbyedpi.exe -1` on Windows 8, then I used Internet Explorer to open one of the domains on the blacklist, 00seeds.com
18:45 dcf1│ Then in the packet capture, sure enough, I see `hoSt:00seeds.com\r\n`
18:46 dcf1│ Oh, Windows popped up a dialog asking if I wanted to allow GoodbyeDPI to make changes to my computer; I guess this is activating WinDivert.
18:46 dcf1│ valdikss: does the blacklist come directly from roskomnadzor? Or is it inferred in some other way?
18:47 valdikss│ dcf1: Roskomnadzor has an API for ISPs, one of the ISPs uploads the list to github since the beginning: https://github.com/zapret-info/z-i
18:48 cohosh│ heh
18:48 valdikss│ This is custom csv format, the original file is XML with its own schema (I could provide it to you if you're curious)
18:48 dcf1│ Ah great, zapret-info is the same data source used in https://censorbib.nymity.ch/#Ramesh2020a
18:48 dcf1│ Actually I used that repo once, watching the number of IP addresses listed during the Telegram block.
18:49 dcf1│ I'm wondering if it's possible to use WinDivert for Geneva, so that Geneva is not Linux-only.
18:50 dcf1│ I had a look at the WinDivert source code; it's a non-trivial piece of software.
18:50 dcf1│ I have heard from the people doing Npcap (packet capture driver for Windows by the Nmap project) that similarly that project is a major undertaking.
18:51 valdikss│ I'm pretty sure. Take a look at Tallow (from ReQrypt and WinDivert developer), it has TCP reassembling code to redirect all the system traffic to Tor socks proxy: https://www.reqrypt.org/tallow.html
18:53 valdikss│ I have some other anti-censorship ideas you may want to implement. For example, using of TLS Padding Extension to artificially enlarge TLS handshake, to overflow DPI TLS reassembly buffer: https://ntc.party/t/http-headers-tls-padding-as-a-censorship-circumvention-method/168
18:55 dcf1│ Conceivably even vanilla Tor could apply that technique to talk to plain bridges and guards.
18:55 cohosh│ nice
18:56 dcf1│ One question I had is if there's any relationship between GoodbyeDPI and antizapret.prostovpn.org. Are they related or separate?
18:56 dcf1│ On ntc.party, I have it configured to send me notifications for every topic, except https://ntc.party/c/antizapret-prostovpn-org/5, which is support for antizapret and is the most active topic.
18:57 valdikss│ dcf1: they are completely separate but both created by me. Antizapret is an automated proxy and VPN service which proxies/routes only blocked websites.
18:58 dcf1│ okay, thanks for the clarification
18:58 dcf1│ anyway, GoodbyeDPI seems to work well and it's easy to use
18:59 cohosh│ valdikss: is it often (or ever) that you need to update goodbyedpi
18:59 cohosh│ for changes they make to the dpi boxes?
18:59 dcf1│ I also appreciate your research posts, valdikss
19:00 valdikss│ cohosh: Yes, the DPIs are updated on a regular basis, at least once a year. It's tricky to find newer bypass methods, they are not as stable and easy to implement as all existing ones.
19:01 valdikss│ GoodbyeDPI is still very effective in Russia due to the fact that we have hundreds of small ISPs across the country, not dozens like in most other countries. ISP network setup could be very different, many of the smaller ISPs use very simple or custom DPI systems.
19:02 valdikss│ we have thousands* (around 3000) of small ISPs.
19:02 cohosh│ aha, that's where the test scripts you included come in handy then? because there is so much variation in censorship
19:03 valdikss│ Yes. I made it somewhere in 2015 I believe, it was interesting for me how ISP implement censorship. I've collected statistics data, analyzed it.
19:04 dcf1│ The Tor Project has a small tool also designed for local testing: https://gitlab.torproject.org/tpo/anti-censorship/emma
19:05 dcf1│ For me, GoodbyeDPI is interesting because it proves that systems based on local packet manipulation can be practically deployed.
19:06 cohosh│ yeah wow, that it's been working since 2015 is pretty cool
19:06 dcf1│ Even if there are a lot of annoyances to work around, such as requiring administrator permission, and OS-specific network APIs.
19:09 valdikss│ I have to go. Feel free to contact me here or on ntc.party. I have many unimplemented ideas, for example GoodbyeDPI alternative for modern Android smartphones without root access, based on eBPF. I also have a test build of Firefox with TLS Padding 12k, works well.
19:10 phw│ valdikss: thank you for coming and for answering our questions!
19:10 cohosh│ valdikss: thanks for stopping by!
19:10 dcf1│ cheers, thanks so much for being here
19:13 phw│ shall we wrap it up?
19:13 dcf1│ I guess that is all there is to talk about this week.
19:14 phw│ does anyone have suggestions for the next reading group?
19:14 phw│ (doesn't have to be now. you can also post it to our mailing list)
19:14 dcf1│ The next one I'm planning to read and summarize is the ICLab one, though I'm not sure how much of it will be new to this group.
19:15 dcf1│ There are the PETS papers listed in the pad (I'm not totally sure the VPN one is in our wheelhouse but it sounds interesting)
19:15 dcf1│ In about 1 month there are likely to be some FOCI papers as well.
19:16 phw│ the abstract of the pets vpn paper sounds interesting. i'm sure some of its lessons translate to our technology
19:18 * phw votes for the vpn paper
19:18 phw│ i can provide a summary
19:18 cohosh│ cool sounds good to me
19:18 agix│ +1
19:18 phw│ ok, that's it for today. thanks for attending
19:19 cohosh│ \o/ thanks!
19:19 phw│ #endmeeting
19:19 HashikD│ Thanks everyone! that's very interesting!
19:19 agix│ thanks
19:19 hannelores│ thanks
19:19 juggy│ thanks
19:20 phw│ wait, my #endmeeting does not seem to have ended the meeting...?
19:20 dcf1│ it's leviOsa, not levioSA
19:20 dcf1│ #endmeeting
19:20 dcf1│ i too am powerless
19:20 cohosh│ it looks like there was a netsplit mid-meeting
19:21 phw│ MeetBot seems gone
19:21 cohosh│ maybe the meetbot is on a different server lol
19:21 phw│ guess we'll never know what happened to this meeting
19:21 cohosh│ yeah perhaps one of us should make a manual log in case that happened
19:22 cohosh│ Netsplit reticulum.oftc.net <-> coulomb.oftc.net quits: teor4, +GeKo, MeetBot, sisbell_, isis, +weasel, traumschule, +karsten, pjahra, +nickm
19:22 phw│ i'll attach the log to my meeting summary
19:22 cohosh│ thanks phw