How does a country 'block social media'?

The government of Sri Lanka has “blocked social media” in response to yesterday’s horrific, despicable attacks.

How is that done? I kinda doubt there is one main ‘cable’ coming in the country? Presumably, you can access Facebook et al using other connections, possibly by satellite or even by circumventing the country’s main servers (maybe with a VPN?). Are they really blocking those sites or just preventing the average person from accessing social media conveniently?

Thanks.

In a lot of countries, the main Internet connections are controlled by the government.

When I was stationed in Saudi Arabia, many sites were blocked by the government. VPN was the way to go.

Couldn’t the country simply require all ISPs to block all traffic from a specific country or website?

As manson said, a VPN should get around it. Some of the youtubers I watch have to use a VPN while in certain parts of Asia in order to keep uploading videos. IIRC, ElectroBoom may have just done that in the last few weeks.

Even without direct control of the network infrastructure, states often have a monopoly on violence. Using coercion by penalty or by force, they order local ISPs to implement various blocking methods. At its simplest, they can force the ISPs to block the domain name system that converts “instagram.com” into a machine-reachable IP address, but that’s trivially circumvented. Other methods include blocking at the IP range level, inspecting the actual traffic and blocking it, forbidding VPNs and other encrypted traffic except from a known-good whitelist, etc.

It’s not just Sri Lanka. Everyone does it… the Chinese, the Europeans, the Americans, etc. Usually for porn, sex commerce, gambling, drugs, or online piracy, or truths inconvenient to their politicians. For example, the USA routinely shuts down sites it doesn’t like, such as the Pirate Bay or Silk Road (via outright seizures).

Yes, there are often ways to circumvent blocks, but doing so may be difficult for the average person, expensive monetarily, or dangerous legally. In certain regimes it could also put you on a list marked for prosecution, persecution, torture, or death. Probably for something as trivial as WhatsApp, the idea was just to moderate the spread of hysteria, knowing that most people would not care to invest the trivial effort in using a VPN, rather just waiting a few days for it to come back.

Indeed.

Mostly I was interested in the more technical side (thank you!) but do share your concern about government control (in all its forms).

The government could also block access to VPN. At least to known VPN servers.

The Wikipedia section is a good starting point:

Blocking it is fairly easy. Basically, you put a firewall in between your country’s distribution and your external provider uplink(s). Even a firewall that a school has can do content filtering, and even a novice can set it up to block, say, YouTube (or the Straight Dope or any other site). You can use pre-built filters in fact to block ‘social media’ (or ‘violence’, ‘gambling’, ‘gang’, ‘porn’ or other categories), and you’ll get most of the big ones…and that’s out of the box, with no special programming or cyber security knowledge. That’s clicking on some boxes and maybe putting some URLs into a blacklist, if you really want to get whacky. So…trivially easy. Hell, where you work probably has some sort of content or URL filtering…most places today do. There are also updated sites that list new URLs and their categories for blocking, if you subscribe to them or you have a firewall that does so or they offer this as a service.

Can you circumvent them? Sure…that, too, is fairly easy. Even in China, many Chinese netizens get around the Great Firewall (arguably, one of the best built systems on the planet for authoritarian jackbootery and info blocking) using VPN, though they have tightened this up in recent years, making it more difficult than just a cookie cutter VPN service as it used to be. Still, you can get around it…as long as you don’t get caught. Depending on who you are, either nothing will happen, or…bad things might ensue (even penis).

As I’m sure is obvious, I am not well versed in the technical aspects of blocking but would think that satellite ‘broadcast’ would get through many of the blocking techniques listed in this thread (at least until their broadcast frequency was jammed, if such a thing can be done effectively). Is Iridium working? Other such systems? Does the general public have access to satellite transmission of internet content?

It really depends. What you’re asking now is not so much a technical problem but a political one: it depends on who the regulators ask to do the blocking, and whether they choose to comply.

The Internet is several layers of commercial providers, most of whom have way more interest in following the rules than breaking them for you. They’re profit-making, not liberty-maximizing, enterprises. In the USA, when the intelligence services wanted all your phone metadata, all the major telecoms bent over backwards to betray your trust even without a warrant. Qwest didn’t, apparently, and their CEO was imprisoned for some phony charge. I suspect the situation is even worse in places like China or North Korea.

So the state can choose to block an individual ISP (unlikely, there are hundreds of them) or some upstream network provider, AT&T or Level 3 or the domain registrar or Google or all of the above, really. I am not sure if they have a standard “send this block request out to the following 1,345 entities and individuals” button they can push or they decide on a case by case basis who to contact to enforce the blocking. The same economies of scale that make the internet relatively affordable also mean that it’s relatively centralized, and strategically covering a few of the major providers will probably block access to 90%+ of users.

While it’s possible that a satellite network like Iridium, which uses two-way satellite communications (as opposed to DirecTV Internet, which uses satellite downstream and either DSL or dialup upstream), can bypass this sort of restriction, it really could only happen if they 1) have no interest in following a particular nation’s laws AND 2) are connecting to other network peers who are also ignoring the laws (very unlikely; such companies do not tend to survive long). At some point, even satellite networks connect to regular ol’ ground-based networks, or go through one of just a few transoceanic pipelines. Not to mention Iridium is also hideously slow and horrifically expensive as it is. People are not going to do that just to use WhatsApp. Otherwise they’d be their own network, separately from the Internet, and worthless to most users.

State actors can also demand private keys, tap fiber lines, install monitoring stations, coerce ISPs, ask for logs, backdoor software and hardware, etc.

Most censorship evasion happens through encryption or steganography, or both, meaning your traffic is either mathematically encrypted or hidden as normal-looking traffic or encrypted and then disguised. Most VPNs work on that principle, hoping for the blessing of the regulators (“oh, the Americans use it for business, we can’t block all VPNs or industry will complain…”) while encrypting it so that it’s harder for regulators to see what you’re accessing. Not every VPN does it right, unfortunately, and some metadata (such as DNS lookups) can sometimes leak out. Keep in mind that even the things we normally call “secure,” such as HTTPS websites, are really just controlled by about a dozen companies that don’t always do a very good job of vetting fakes, and are easily coerced by state actors or skillful social engineers.

If you really want to evade a dedicated state actor, I know of no surefire way to do so unless you meet face to face or send a carrier pigeon. There are services like Signal or TOR or Freenet or I2P that allow some degree of pseudonymity, but casual users of them are unlikely to survive dedicated tracking attempts by state professionals with access to ISPs, cell phone towers, Google/Android location histories, etc. Much of the internet and its security protocols were originally designed by US defense and intelligence agencies to begin with.

Again, that’s where the monopoly on violence comes in: most cybersecurity cannot protect against “if I don’t give this creepy intelligence dude what he wants, I’m going to prison and my family will starve.” The tech support dude at random VPN company #5643 is not going to care enough about you to protect you from state thugs.

That said, very few situations really call for that level of security. A VPN would get you around most blocks, but it may also expose you to unwanted attention. (Why is this random user in this village sending gigabytes through a VPN when all his neighbors are just WeChatting or watching cat GIFs?)

If you’re just trying to avoid casual snoops, any generic VPN is fine. If you’re trying to avoid dedicated state actors, no electronic communication is safe. Learn from Snowden’s warnings and mistakes. At most, you can maybe hope for “our message will be very difficult for them to decipher,” but it’s much harder to conceal that you talked at all, which in and of itself can be dangerous (such as a source talking to a journalist, or a person talking to a foreign national at a specific point in time) – that’s the whole danger behind the metadata wiretapping a few years back that caused a minor uproar in the privacy community and a big yawn from the general public.

Sorry, I confounded two separate issues in my last post…

  1. It’s very difficult to maintain privacy against state actors

  2. BUT… if you don’t care about privacy and just want to evade a content block, that’s a lot easier (other people can mirror it for you and send it through some proxy or VPN). In the case of people trying to use WhatsApp or going to Facebook in China, the government probably isn’t going to care if you evade their block (though they might log it for future ammunition against you, you subversive).

OK, so at least one way of doing it on the technical side.

Facebook (or any other company) has a known block of IP addresses, and routers across the internet all exchange information to determine how best to get to that block.

So you take the routers that are under your control and give them “fake” routes for that block of IP addresses that go nowhere. So you try to go to Facebook, but you can’t get there because their IP addresses are going to a null0 black hole.

Are there technical ways around that? Sure. But something like that is often more for the masses, not for technical people with VPNs or out-of-country satellite internet accounts.
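Added example, not part of the thread: a small model of the null0 black hole described in the post above, showing how longest-prefix matching makes a discard route win over the default route. The router, its next-hop names and the prefixes (RFC 5737 documentation ranges) are all constructed for illustration.

```python
import ipaddress

# Constructed table for a hypothetical border router. Every prefix is an
# RFC 5737 documentation range, not any real company's address space.
ROUTES = [
    ("0.0.0.0/0", "uplink1"),        # default route to the external provider
    ("198.51.100.0/24", "uplink2"),  # ordinary route learned from a peer
    ("203.0.113.0/24", "null0"),     # injected discard route for the blocked block
]

def build_table(routes):
    """Parse (prefix, next_hop) pairs into (network, next_hop) tuples."""
    return [(ipaddress.ip_network(prefix), hop) for prefix, hop in routes]

def lookup(table, dst):
    """Longest-prefix match: the most specific route covering dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in table if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)

def forward(table, dst):
    """Describe what the router does with a packet addressed to dst."""
    match = lookup(table, dst)
    if match is None:
        return "unreachable (no route)"
    net, hop = match
    if hop == "null0":
        return f"dropped by discard route {net}"
    return f"forwarded via {hop}"

def discard_routes(table):
    """Audit helper: list every prefix whose next hop is the null interface."""
    return [str(net) for net, hop in table if hop == "null0"]

TABLE = build_table(ROUTES)

if __name__ == "__main__":
    for dst in ("203.0.113.10", "198.51.100.7", "192.0.2.1"):
        print(dst, "->", forward(TABLE, dst))
    print("discard routes:", discard_routes(TABLE))
```

The same audit of discard routes is what an operator would run to confirm why one address block is unreachable while everything else still follows the default route.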

DNS redirection or masking is often used by scammers and other malware types and can either be overlaid on your browser or, if you are a nation state, it can be implemented directly into their DNS records as you say. China actually does this, as they do with their search engines, redirecting people to alternative websites (with the correct narrative) they control (and often flagging the search requests for later review by security types). They tie it into the social credit score as well.

Most internet access is done via undersea cables, including for Sri Lanka. Here is a cool map:

One of my nephews took a job through a shady company, teaching English in China. We were chatting via text (WhatsApp, IIRC) and I asked him if the firewall blocked things. He told me it was trivially easy to work around it.

Heavily armed police showed up one day, screaming orders, and took him to the airport. Once they identified his internet use, they saw that he was on a tourist visa instead of a work visa (supplied by his employer). He was thrown out of China, which is kind of a cool thing to have on your CV.