Simple Ways to Avoid Iranian Cyber Security

Press's Fascination with Deep Packet Inspection Flawed

In support of echo's "bullshit" assertion:

Repressive governments will do what they can to crack down on online dissent. By picking up on the WSJ's highly questionable "deep packed inspection" article, the author misses the real story: this is a measure/counter-measure/counte​r-counter-measure game.

First, Nokia flatly denies the claims WSJ's article:

"Nokia Siemens Networks has not provided any deep packet inspection, web censorship or Internet filtering capability to Iran."

Second, even if Nokia is lying, anyone using the Onion Router (TOR) anonymous network is safe from DPI because all traffic between the client computer and TOR entry node is encrypted -- only TOR's exit node is unencrypted and would be able to sniff the packets (as has actually happened). If the "https" SSL protocol is used, then the entire message is encrypted end-to-end and no one but the destination has access to the message.

Third, TOR traffic from Iran is skyrocketing, as discussed at length at Anonymous Iran. A Persian-language TOR recently appeared. And it's very easy to set up a proxy server to act as a bridge to TOR that will bypass government filtering.

Others that have raised red flags about the WSJ's article: Iran, Traffic Analysis, and Deep Packet Inspection, Wikipedia: Deep packet inspection in Iran:

"It’s at this point that we can say that Iran is either using DPI in incredibly complex and sophisticated ways that push the technology to its limits, or the WSJ is blowing smoke. ... I truly wonder just how accurate the story from the WSJ is on the technical capabilities of the DPI devices that are deployed"

All these arguments, based on both the fact that the Iranians don't have the capabilities the WSJ attributes to it, and the fact that if it did, these capabilities are easily undermined by encryption, undermine many of the article's premises.

The real question is how many and how quickly Iranians will adapt to using these more sophisticated tools.

What does it hurt to assume that they do have it, and are keeping it secret, and use the red-herring tactic as well as using Tor?

hope you are not serious, as people may live in these ghost addresses.. no need in getting people beat..

DPI doesn't make a lot of difference. For non-encrypted content, you should assume that they can easily be monitored. For properly encrypted content, nobody should be able to decrypt it, or the banks will all be robbed.

DPI is able to decide for example what protocols are passing through, to find suspicious activity. More useful in blocking than tracking. But Freegate alone once had millions of Iranian users (not clear from the company announcement but could be a lot more.)

For those activists who need to send secret messages, cryptic emails, encrypted emails, a simple http server on the home computer, using https or encrypted files or encrypted pictures will do nicely and hardly noticeable.

How do you generate red herring? I can't think of anything that make sense, enlighten me.

Good point

No worries, sooner or later he will find out he's bullshitting himself before getting to that point.

Well, if the all knowing echo is correct, there is no such thing as Iranian government DPI, so it wouldn't matter, now would it? Are saying that it does exist?

There is only one reason anyone would be so vehemently against any efforts to block DPI, like our Iranian echo friend is, and so insistent that it does not exist. That is someone who is using it and who is very dependent on it. His posts are very suspicious.

LOL you sound like a paranoid snitzoid

hes been around, think again, he doesnt say there isnt DPI, he says "DPI doesn't make a lot of difference."

inb4moarredherring

echo:

mini-statistics


Join Date
06-16-2009
Total Posts
87

What's a snitzoid?

It's a secret. Ssssshhhhhh!!!!

You're both guilty of resorting to ad hominem argument. Please to be focusing on the issues and dropping the trolling.

Ta.

So, you're saying 87 posts of disinformation?

Really, why three pages of vague attacks, and "bullshit" with no details explaining it until after someone else posts up a link to sites? He probably just went to those places and cut and pasted what was there to here. He obviously could not come out and say why he thought it was bullshit until someone else gave him something he could publicly say. He probably couldn't think of a reason, but he still obviously wanted to discourage this line of discussion.

You really are naive if you don't think the same people who are printing out the text of instant messenger conversations and putting them in front of the people they arrest for holding those conversations aren't here, too. And they aren't just going to come out and say who they are. The more subtle the bullshit they spread here, the longer they can do it. Their main purpose for being in here is to spread disinformation and to try and trap those who are within their reach.

Don't be a fool. Always keep your guard up. There is no reason to fear them, because they are ahamidinejad cock-smoking pussies, but don't be fooled by them either.

You need a boy herring, and a girl herring - ask your mum...

The Iranian govt IS using DPI, and you cannot block them using anything. There is only one guy who thought about "confusing" DPI using red herring, but he effectively admitted that he haven't got a clue. And it doesn't matter that much. If people are still sending unencrypted email for important things, there's nothing you can do much about it.

edit: The WSJ article may not be correct. But it doesn't matter a lot. You can use any brand of DPI or something else to monitor.

Yes, as I already said, I can't think of anything that make sense, including this one.

Aways Use Encryption and Anonymity

Rather than getting wrapped around the axle about whether echo is spreading disinformation or not (I think that he's right in this instance), focus on the constructive conclusion that everyone in Iran who uses the internet should be using strong encryption and anonymization -- TOR, OTR, GPG.

The case with SMS monitoring is warning enough: if you don't encrypt, expect that your messages will be intercepted and read. It's no surprise that a human rights lawyer speaking with Iranian dissidents had her unencrypted IM's intercepted, resulting in the jailing of a client.

Frankly, I'm shocked that Mazaheri was communicating with her client over an unencrypted channel -- that's just bad legal representation if your client is in Iran.

Download GPG and begin using it over an anonymized network like TOR today, whether your talking to your lawyer, friends, or immediate family.

If there's a way to have strong encryption + anonymization on a cell phone, I'm unaware of it, which means that cell phones should be used as recording devices only -- there is no secure IM, SMS, twittering, or anything from a cell phone. Do you all agree?

You can encrypt SMS using AES for some years now.

SMS 007 : Handango

And same for voice encryption in cell phones
http://www.engadgetmobile.com/2006/05/19/sagem-vectrotel-x8-crypto-phone/

With any sort of inspection you assume your adversary will be able to detect that someone is sending something secret, like it is possible for them to know who are using TOR or freegate etc. For mobile phones in some countries there is the possibility of sending a blind person, a total stranger to you, into a store to buy a prepaid cell phone for you, paying cash. That would be anonymous.

The product I would personally recommend - it's source code is publicly available, and has been for years, and the guy who founded the company: Berry Wels is well-known and widely respected in his field - is Cryptophone. www.gsmk.de [The idea of making the source code publicly available may sound counter-intuitive if you're not interested in security. But it means that every man and his dog has had a go at cracking it. If flaws exist, they're much more likely to be found, and thereby quickly rectified. This is at odds with (to my knowledge) every other piece of mobile phone scrambling software/hardware, which is a "security by obscurity"/"black box" proposition. In other words, you simply take the company's word that it does do X, Y and Z; and that Prettyfairyland's Intelligence service hasn't done a deal with them and had a backdoor introduced in the product.]

You can download the (free) Cryptophone for Windows software from their site here: CryptoPhone

Handsets however, - whether cellular or landline - come with a price tag attached.

-------------------------------------------------------------------------
That said (to my mind at least), you should only make encrypted phonecalls in certain specific circumstances. The female lawyer would have been a good example of someone who needed to, and had no reason not to do so: as she had nothing to hide but the content of the call itself.

However, if you're organising a protest or any kind of action where you want not only the content of the call, but also your participation (in a secretive activity) to remain unknown, you're almost certainly better off using code phrases and code words.

By code words and phrases, I'm meaning words/topics that have specific pre-arranged meanings for the person you're talking with, but to any outside party listening in, will just as easily relate to your real life. In fact they should be so commonplace, that picking this conversation out over the all the other near identical ones you regularly have, is an almost impossible task.

The first thing you need to do is look at the nature of the relationship you have with your "co-conspirator," if it's purely conspiratorial in nature, then the first thing you must do is create a plausible reason for the relationship, together with specific cover for the activity you're involved in.

Once the overt/non-disguised nature of the relationship is established, you can then create good, safe, secure codephrases and words.

By way of a simple example, a guy with a printshop is printing anti-government leaflets, and an artist from the University is acting as the cutout between the activists producing the text and designwork for the flyers, and the printer himself.

The first thing the two need to do, is to confirm that everything's safe. The printer often plays with words and the spelling of words in his text messages, so he takes one instance, which is his playful corruption of "Hello there" into "Helloo there," and turns it into a code. He lets the artist know that should he EVER preface a text message "Helloo there," then it means he strongly suspects that there's police/security service interest. If instead it's "Hellooo there," (with 3 o's) then it's not just suspected, it's an absolute certainty. At no other time will these two very distinct spellings be used with the artist (though he continues to regularly use them with his friends and family).
So that they can both be sure that the message has been "received," i.e. the artist hasn't forgotten/failed to notice the warning, the agreed response is that when the artist replies, at the end of the message, he'll type "take it steady my friend."

The other element that they need to discuss, are arrangements relating to the printing. The printer's business is primarily screenprinting (a mixture of canvasses and t-shirts make up 3/4 of his work), with leaflets being relatively unusual. So they agree that the activism leaflets will be referred to as "t-shirts", and the artist will (genuinely) supply him with designs for at least a few of the t-shirts he produces. From there it's very easy for a "code word" to be introduced, so that they both know that when any particular conversation is about the activism leaflets, allowing a perfectly natural, yet sufficiently detailed conversation to be the result.

Now you can say, "well their occupations are a bit too convenient," but were the individual's real-lives different, then the overt/covert relationship and corresponding phrases would be similarly different. If the guy at the Uni is a mathematician: he helps out the printer with his bookeeping. Or maybe it's a purely social relationship: and they both have a common interest in chess.

You can always find a reason for two people to know each other, and you can always create codes and phrases that are exceptionally hard to discover, because they're hidden in plain sight. The key test is "If someone suspected I was up to [insert activity], listening to this conversation, would they have any clue at all?"

[Contrast this with the "mafia-don" in the movie warning someone that "the 'other people' have been sniffing around", or that he needs "500 't-shirts' tomorrow...capiche", and you get the difference. One SCREAMS "I am using a code," the other is so everyday that you don't even hear it. Even if you're looking.

All that said, there are times, where an activity (particularly), can't be dressed up as anything other than what it is. When telephone communication enters that scene, it may well be necessary to make the call in a clandestine, rather than covert manner. [The difference being that a clandestine activity is one that's hidden, whereas a covert activity is one that's disguised. The difference is not semantic: it's very real, and very dangerous. If you have a solid cover for your actions, you're well insulated from the dangers inherent in whatever activity you're a part of. If on the other hand, the action is a clandestine one, you have no such insulation. If you're "caught in the act," to put it bluntly, you're fucked. So it's real. It's serious. Keep clandestine activity TO A MINIMUM.]

Where phonecalls are concerned, this is particularly complicated, due to the technology employed by a state such as Iran. There are essentially two ways that Iran is likely to monitor calls within the country. The first is the targeting of specific telephones (this is the one everyone knows about...the bug "on the line" so to speak). The second is the "sucking up" OF ALL CALLS made within the country (this is the one that people think they know about, the "keyword" triggered system (someone says "bomb" and "palace" in the call, and it's routed through to a human operator for analysis). The problem is that this both overstates and understates the capabilities of such systems in ways that are exceedingly important if you're trying to counter them. [I'm pretty tired, and this is going off the original topic as well as getting TL: DR, so will carry on later/tomorrow.]

Dennis & Synthesised et al, if you all care that much ersatz about them, then get off the damn computer, quit your job, buy a ticket and GO THERE! Yes, they suffer and the lady died and so do millions everyday for the same and worse! Where's your indignation over Darfur, you big fak-o liberals?
Otherwise you are just blowing air out of your asses! Twittering and NV won't help enough if at all and won't make that much of a difference in the big picture. You can't pick and choose which ones suffer more (hypocrisy anyone?), there's pain everywhere and your patronizing obsessive surrogate "pain" will NOT help!

You all will see........

wrong thread dude.

You logic is lacking.

Not to get into this because we are talking about Iran but bleeding heart liberals like yourself do not really think much.

I think it would be easier to "save" people from the totalitarianism regime in Iran who have an infrastructure. If you go to Africa, and inject 150,000 troops in to a situation like Darfur what they become are "peacekeepers" for a month and food distribution links and baby sitters.....FOREVER.

You can go into Iraq and Iran and probably even North Korea and do what you will to the people at the top of the political and military structure and the majority of the people who have created the infrastructure over centuries will bounce back from the event relatively soon...like in under five years.

Going anywhere near any country in Africa means being there for centuries to train, teach, prod, immunize, and build the entire infrastructure and society for them...since they have been there since the beginning of time, for BILLIONS of years and have not even have figured out how to pave roads. The entire continent of Africa is pretty sad actually. It is a FAILED continent.

I suppose if people were going to start using steganography in their pics on the net or email, it might pay to (semi automatically) put garbled messages in all of them to keep the deep packet machines working overtime

If Steganography is applied to images, it effectively "crumples and wets papers" - like in your analogy above, but any observer with the right equipment can tell if the equivalent of "wet and crumpled papers" are being transmitted.

If anyone like to put up 2 small images where one has been embedded with a steganography message, I'll see how hard it is to identify the right one and discern something about the message.