Researchers Debut Proxy-Less Anonymity Service
Trailrunner7 writes "As state-level censorship continues to grow in various countries around the globe in response to political dissent and social change, researchers have begun looking for new ways to help Web users get around these restrictions. Now, a group of university researchers has developed an experimental system called Telex that replaces the typical proxy architecture with a scheme that hides the fact that the users are even trying to communicate at all."
"users is" I'll let you guys figure it out for yourselves.
The key innovation in Telex is that it uses "stations" installed at ISPs to recognize and reroute specially tagged requests from clients trying to reach censored sites.
Oh, right... We can fully expect our friendly ISPs to go along with this nice, convenient fully centralized 'service'... Pleeeze
For justice, we must go to Don Corleone
The bad assumption is that government controlled ISPs in said censored nations won't make their own Telex nodes and just intercept traffic before it reaches the web at large. The really bad assumption is that other ISPs between the end user and the fake destination will have Telex nodes to do the dirty work. This method seems to be screaming MITM me.
I remember Telex ads from when I was a kid. Lo and behold, Telex is actually still around.
Trolling is a art,
"The key innovation in Telex is that it uses 'stations' installed at ISPs to recognize and reroute specially tagged requests from clients trying to reach censored sites."
I can totally see how this will not work - at all.
Shut up. (Yes, I know it's troll food).
while (true != false) process_more_stupid_code();
is install magic boxes in the same ISP that is cutting off information
and add on the fact that telex is a commercial service still in use and there you have it ... effin brilliant scheme guys
Decrypt HTTPS en route? Are you crazy? Get the government to replace your Telex client and keys with theirs and you're fucked. As an extension of that idea, let's play the paranoia game: They could be doing this right now!
Okay, so we rename the proxy a "station" and now we can call it proxy-less?
It would be easier to configure a web service which recognized X keyword searches from the same session to convert the session to a port forwarding ssh session to an appropriate proxy.
( google search on book, monkey, tuesday, and blue gets you ssh forwarded to privoxy.com, etc. )
Your https connection stays to the main site, and it just forwards the data.
"Friendly countries"; like, the USA?
isn't this just data masquerading? you'd still see bytes flowing, so how is it better than vpn or whatever?
world was created 5 seconds before this post as it is.
What's the point of naming it Telex? Are they trying to make it hard for end-users to find information about it or do they want the end-users searches to look anonymous with a known term?
I used to send my FX orders to Sydney, Tokyo and Sing by telex. You mean it's made a comeback? The new stealth: 110 baud!
I, Anonymous Coward, hereby debut my own, better scheme:
Each user utilizing this privacy filter simply asks their ISP, government, mail provider, OS manufacturer, neighbor, IT admin, etc. not to track them!
It's as simple as that!
although i am probably missing something.... but uhm. relying on your ISP to shield you from this stuff seems pointless.
The offending government from loading Telex, harvesting the end points and blocking those?
vpn requires local software / possibly alternate ports to initiate.
Proxies do not require local software, but have central points that can be blocked.
better method would be to have simple looking sites have "backdoors" that could be used to exit normal mode, and establish new session with hidden services.
With governments worldwide moving to radio intercepts of neural signals, such services will soon be a waste of resources. Unless they can come up with a masking service to prevent the reconstruction of human thoughts, this type of research is going nowhere and will only expose people.
converting your message to 5-bit code hole-punched into paper tape?
As state-level censorship continues to grow..
FTA: Widespread ISP deployment might require incentives from governments.
Can you see the little flaw in this whole concept yet?
For justice, we must go to Don Corleone
The difference is that it would not be dependent on the end point site supporting it (in which case the end point site would simply be blocked for supporting it). Instead, it moves the redirect down a level and makes it blend in with a normal HTTPS connection. When it passes over a Telex enabled router, it gets changed out and redirected. The primary problem I see with the system is that all a censor has to do is get the magic box on their own routers and suddenly they can see the traffic and tell where it is coming from. Also, having ISPs provide the service may be tricky. This seems like fairly useless technology unless the explanation was not very good.
AJ Henderson
If you have to have something running which will reroute the packets, isn't that effectively a proxy? This is just a different way of accessing the proxy. Not only that but the proxy needs to be running in the network path for the packet, when the routing isn't even guaranteed to be always the same. Would this even work outside a lab?
I've tried anonymizers like TOR in the past, but the setup was convoluted and somewhat annoying. Proxies work, but they can slow things down quite a lot. If I could pay my ISP another $5 a month for anonymity and put the burden of managing it on them, I'm all for it!
And I also would like to sell you this bridge I recently acquired in Brooklyn. It's totally not the right time for me to be owning a bridge.
But seriously, who is going to trust this system? It creates an enormous incentive for intelligence agencies to infiltrate as many major ISPs as they have to in order to capture the traffic and/or compromise the keys--if they haven't already infiltrated the project to parallel develop a compromised version of the product that feeds the keys straight to the CIA so that their own "station" can intercept and decode "secret" messages. It would also create an enormous incentive for, say, an enterprising President to sell/trade data to our allies and/or creditors, in effect selling out freedom fighters.
They have to--power abhors anonymity. If they don't know whom to destroy, it makes the power they have useless.
Who did what now?
They've got their hearts in the right place, and (especially by getting on /.) they're making people think about the problem. This might even spark an idea in someone who creates a real solution.
This is interesting, but in most of the world, net censorship is enabled by the hosting provider. The real threat is the collusion of ISPs and national governments.
The censorship that the ISPs employ can be really subtle: bandwidth caps prevent people from sharing their connections; traffic shaping rewards visitors to certain sites with fast downloads - and punishes visitors to other sites with slow downloads.
Also, this circumvention technology suggests a certain amount of "we, the good-guys" vs. "them, the bad-guys" thinking. In the real world, it's more an issue of "we, the little guys" vs. "them, the big guys" and the ISPs are, by definition, the "big guys".
How often do the "big guys" (ISPs) conspire with the "little guys" (you and me) to defeat other "big guys" (National Governments)?
Answer: They don't and they won't.
-S
So, if a hostile ISP (Say, China) sets up a Telex Station that sits *very* close to the user's Telex client, said hostile ISP (Say, China) could siphon off these Telex requests to their own resources or simply block them. Or am I missing something?
We Teleks connect to Telex with Telix through Telax.
Host Request -> some site
---other telex site responds
request dest dns host range ! = remote site range
**blocked**
... oh wait.
Somehow, I think nesting myself (needle) in a haystack (Tor network) would be safer than routing through set stations. At the end of the day, this sounds like dumbing down the tools we already have so common users can take advantage of them without learning the procedures. I wouldn't normally have a problem with protecting Anonymity, but I think in this case I'm going to say no. ISPs aren't going to bother with this, especially in countries and areas where governments have complete control over such matters. Besides, even if the ISPs did bother to set these up, the government would likely find a way to back-door this kind of service anyways. (re: PROTECT-IP act) Personally, I'll stick to the time tested plan of Chinese VPN + SSH and/or Tor. At the end of the day, you're better off learning these sorts of things and recognizing the amount of protection you ACTUALLY have, rather than assuming you're invincible. It's a good idea, I just doubt the implementation will match the drawing board.
As far as I can tell, you connect via HTTPS with "public-key steganography" indicating that the connection is this wacky-do-da Telex type and the machine you connect to is used as a staging platform (proxy) to connect to other anonymity services? What's new here that you can't do with stunnel?
Worst punctuation I've ever seen.
Sorry, but gray text on gray background is making my eyes bleed.
Idiotic in all possible ways -- the purpose, the name, the method, the announcement, and the results of application.
Contrary to the popular belief, there indeed is no God.
There are other services and protocols one would like to use Anonymously...
You're inside of an HTTPS connection and send spooky data that somehow this Telex box can see. How exactly can the Telex box see inside the HTTPS secured connection if the connection is supposed to be secured to this bogus back-end web site that's benign and not aware of the goofy stuff? Is this SSL connection somehow different than a normal one to these web sites and if so would that possibly make it stand out?
Build it, Drive it, Improve it! Hybridz.org
Crypto nerds are like hippies but without that strong grasp of the realities of this world.
This "idea" relies on the fact that internet traffic is routed through several places on its way. The idea is that on one of these ways, the traffic will be read and if a magic bit is detected, it will re-route this traffic to somewhere else, making it possible to do a request for google.com with a magic bit set (which I can only presume is some magic bit that won't be bloody obvious for not fitting in the very well defined protocol for http... oh https... you are doing a google.com request through https, no, that is not going to send up any red flags) and instead get the result from slashdot.org.
Of course, how the internet routes things is not set in stone and for big sites there are plenty of alternative routes, just hit google and you are likely to get a different ip each time with a ttl of 60 seconds. Of course smaller sites might have a more static route... for 1 user. In a country with different ISPs and multiple connections to the outside world, traffic might come in to the site from a number of directions.
This "idea" relies on a router to be present on all the routes that intercepts ALL traffic, parses it and sends it on to one destination or the other...
How do you get so many ISPs to do this, violating every rule of the internet in the process? Just imagine if some ISP really did do this, send a request on to another destination than requested...
The problem with it all is simple, this is middle class white kids who live with the certainty of the existence of internet conspiracy theories trying to be clever.
Real oppressive regimes don't work like this. They simply block traffic, or just don't give people computers. If traffic is allowed any suspicious traffic won't get a careful analysis, they simply send some goons around and beat you, rape your sister and kill your parents until you confess, or not confess. Both are good. One way or another you will be a warning to others.
Only non-repressive regimes can be circumvented by crypto-nerds. It is easy to hide your secret message from your mom because she frankly doesn't give a shit and just wishes retro-abortion was legal while she drowns her sorrows in cooking sherry.
Next up, darknet, because your isp will totally not notice if any traffic comes in on an unusual port. But I got plausible deniability (freenet)... yeah... that MIGHT (lawyers say it won't) work in a western civilization. That is because the west is more or less free. In Syria? They are digging mass graves that can be seen from space. They don't CARE. The more people know you died at their hands, the more will remain silent. Dictatorships are rarely overthrown, what gets overthrown is the sap left to clean up after the dictator wisely decided to call it quits by fleeing with his billions or dying.
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Today a civil liberties advocate announced his invention of a police brutality reporting system, consisting of a special data recorder carried by police officers.
"When information is power, privacy is freedom" - Jah-Wren Ryel
What an overly complex bogus system. It will require tons of ISPs to cooperate to get this to work. We might as well install an SSL proxy at the border and tell the Chinese the whole world is reachable over the proxy IP only. Take it or leave it.
Year after year we see all these awesome developments which probably cost a ton but I've never heard of one really taking off. Meanwhile the Chinese are simply using commercial VPN providers or brewing their own on $3/month VPS servers.
Imagine...a significant portion of the people trying to avoid monitoring of their online activities getting routed automatically through your very own Telex "station" to your own poisoned 'proxy' service, allowing full monitoring of traffic that the end user thinks is secure...
Really, there seems to be no way for the end user to verify that the Telex "station" that reroutes their request is legitimate. So instead of using peer-verified, trusted proxies, they cast their dirty laundry out on the interwebs and trust that a reliable station will catch and redirect it to a true Telex station, instead of a corporate or government shill? (I admit, I just skimmed TFA, so am I just missing the magical way they prevent this from happening?)
Seems slightly less secure than using Cracker Jack decoder rings, to me...
"I love animals! Some are cute, others are tasty, what's not to like?" - Betsy Schroeder, Jeopardy contestant
He claims the magic boxes will sit outside the repressive countries.
Mail him: jhalderm@eecs.umich.edu
Telex appears to be a covert channel, and has nothing to do with anonymity. People have been trying this for a long time, using techniques like packet steganography and other theoretical protocols. The problems with covert channels are:
1) Throughput/Bandwidth (Covert channels can typically produce only low dialup speeds)
2) Covert is not covert. If you are up against a DPI system designed for censorship, a simple filter is all that is needed to discover you are trying to insert a covert channel, simply due to packet structure anomaly/encrypted data recognition.
3) Covert recipient. You have to have a server somewhere that is reading the covert channel. This means if the route you are using doesn't have a friendly DPI device without unfriendly DPI devices, you're out of luck.
This technology isn't really worth mentioning.
"Citizen, hand over computer for checking of dissident TELEX client software! Also, you need new door!"