New Day, New Internet Threats in Iran
It was widely reported today that Iran vowed to step up its efforts in digital censorship, saying the era of “mercy” is over. But what does this mean for those in Iran and for the people trying to help them abroad?
In the statement released by ILNA — a regular mouthpiece of the regime — national police chief Ismail Ahmadi Moghaddam said: “These people should know where they are sending the SMS and e-mail as these systems are under control. They should not think using proxies will prevent their identification.” He added that those who have used the Internet for organizing the opposition had “committed a worse crime than those who come to the streets”.
Let’s break these claims down…
- Proxies can be tracked. It’s true that proxies are easy to detect. If one is not using an encrypted proxy, the contents can be read and even altered.
- Text messages can be tracked & read. We know that Iran (along with the United States) uses the same monitoring technology sold by Nokia Siemens. What they call ‘lawful intercept’ technology can certainly be used to track & read text messages sent from cellphones. When possible, people should use prepaid cellphones and calling cards to disassociate their location/identity with calls being made.
- E-mails can be tracked & read. This is certainly true for clear-text emails. People need to make sure they’re accessing their e-mail using an encrypted connection (POP + SSL or IMAPS) and for extra security, people should really be using PGP/GPG encryption on emails they send. There are great tutorials for Mac and Windows available.
Bottom line: if you control the network, you can control & inspect the contents. Think of sending an email like sending a package. What FedEx is to your package, the government is to emails in Iran. But what if FedEx decided it wanted to open every box, poke around inside, and change or remove anything it didn’t like? That’s kind of like communications in Iran.
In a recent interview with PRI’s The World, I discussed how the Iranian government will ramp up censorship on certain days considered crucial in suppressing the opposition. This demonstrates further that they are shifting tactics, grasping for an effective policy of strategic oppression.
Maghaddam’s statement, though, is important in two other ways. First, it shows that the regime knows the power of the Internet. They know arresting, beating, and killing thousands of people that show up to protest makes more and more Iranians oppose their regime. Now, they will try to focus on silencing the organizers. Ultimately, this strategy will fail because the strength of the opposition has been its diffuseness: the “organizers” and the “protesters” are one in the same. Moreover, this new strategy demonstrates the continuing and pressing need to disseminate information and technology in Iran to allow people to continue to communicate freely, without fear. As time goes by, will they give up on the public violence again the protesters? Or are they trying to murder the vox populi before it can take tangible form? Either way, this is exactly why tools like Haystack are crucial for the people in Iran.
(This article originally appeared at PBS FRONTLINE’s Tehran Bureau.)
Freegate is Working in Iran!
Didn’t see this one coming.. but.. for some reason it looks like Freegate — popular amongst Chinese users seeking to get around the Great Firewall. What’s even better is that multiple ground reports from Iran tell me it’s even fast!
With Freegate’s tiny size of 400k, people can pass this around on tiny thumb drives or grab it from one of many mirrors I’m sure will be quickly setup.
I was given this Freegate setup as one that works in Iran as of *right now*, yay for good news, now lets get this out!
Best Proxy Practices (BPP!) and an update
I just want to make a quick post about best practices when running a proxy to help those on the ground in Iran get access to social networks, the outside world, and their families. It is ABSOLUTELY IMPERATIVE that this be a secure effort that is thought out and executed in the safest possible manner.
As a general rule, and I know I didn’t point this out in the original guides, all proxies should be setup with the following options in the Squid config file:
* Blocking of IRI government ipblocks [1]
* Allowing of Iran ipblocks [2]
* 10 random chosen inbound ports
* CONNECT support
* No X-Forwarded-For headers
* No client stats
* Logging to /dev/null
* Turn SSL off — it’s blocked from Iran anyway
If you’re running a proxy already, please change these settings. If you’re running a proxy on a default port (81/8080/8181/9090/3218) then change the port and shoot me off an e-mail at update@austinheap.com.
I will post a sample configuration file, as I know there have been a lot of concerns.
Also, I want to say sorry for not being able to respond to all the tweets and e-mails yet, although I’m going as fast as possible given all the other pressing demands! I’ve got thousands of emails to sort out, and the outpour of support and people helping out has been amazing. Together we’re capable of doing amazing things so thank you to everyone who is helping make a difference.
Thank you. Thank you. Thank you.
#allmylove2iran
[1] Based on ripe data found on RIPE
[2] Based on Country IP data found on CountryIPBlocks
How to setup a proxy for Iran citizens (Virtual Machine Disk Format!)
Update: Version v0.3 has been posted, thanks James!
Great news all — the wonderful user “xxxxxx” has contributed a Virtual Machine Disk Format to the proxy campaign!
All you need to do is grab a copy of the VMDK file with your favorite web browser (?) BitTorrent program and you’re good to go… pop the disk image on your favorite cloud/vps host and click start.
There are two accounts created on install (you can change both passwords):
(user:password)
root:#iran
iran:election
Could we make it any easier to help? Please tweet your proxies via *DM* @austinheap or e-mail them to me@austinheap.com.
THANK YOU XXXXXX (I don’t know if I can post your name yet, please e-mail me!)
How to setup a proxy for Iran citizens (for Windows!)
If you’re using Windows, it’s pretty straight forward to setup a proxy and help give access to those in Iran who are being censored. If you’re running Redhat/CentOS, please use the linux instructions.
1) Download Squid for Windows
2) Extract that zip archive, and move the “squid” folder to the root of your drive (probably C:\).
3) After moving the squid folder, open “C:\squid\etc\squid.conf” in your favorite text editor (not Word).
4) Configure the DNS name servers on the line that says “dns_nameservers” to point at your ISPs DNS servers.
5) Now the fun part, locking access down the just the Iranian IP blocks.
Inside the text editor search (Control-W) for the line “http_access deny all” and change it to “http_access allow all”. This will make your proxy open and accessible to the world. If you would like to limit your proxy to Iranian IP blocks, you want to change “http_access deny all” to read “http_access allow TRUSTED” add a line (BEFORE the http_access line to setup an access control list [ACL]). This ACL line that defines TRUSTED should read:
acl TRUSTED src 62.60.128.0/17 62.193.0.0/19 62.220.96.0/19 77.36.128.0/17 77.77.64.0/18 77.104.64.0/18 77.237.64.0/19 77.237.160.0/19 77.245.224.0/20 78.38.0.0/15 78.109.192.0/20 78.110.112.0/20 78.111.0.0/20 78.154.32.0/19 78.157.32.0/19 78.158.160.0/19 79.127.0.0/17 79.132.192.0/19 79.170.144.0/21 79.175.128.0/18 80.66.176.0/20 80.69.240.0/20 80.71.112.0/20 80.75.0.0/20 80.191.0.0/16 80.242.0.0/20 80.253.128.0/20 80.253.144.0/20 81.12.0.0/17 81.28.32.0/20 81.28.48.0/20 81.31.160.0/20 81.31.176.0/20 81.90.144.0/20 81.91.128.0/20 81.91.144.0/20 82.99.192.0/18 82.115.0.0/19 83.147.192.0/18 84.47.192.0/18 84.241.0.0/18 85.9.64.0/18 85.15.0.0/18 85.133.128.0/17 85.185.0.0/16 85.198.0.0/18 86.109.32.0/19 87.107.0.0/16 87.247.160.0/19 87.248.128.0/19 89.144.128.0/18 89.165.0.0/17 89.221.80.0/20 89.235.64.0/18 91.98.0.0/15 91.184.64.0/19 91.186.192.0/19 91.206.122.0/23 91.208.165.0/24 91.209.242.0/24 91.212.16.0/24 91.212.19.0/24 91.212.252.0/24 92.42.48.0/21 92.50.0.0/18 92.61.176.0/20 92.62.176.0/20 92.242.192.0/19 93.110.0.0/16 93.190.24.0/21 94.74.128.0/18 94.101.128.0/20 94.101.176.0/20 94.101.240.0/20 94.139.160.0/19 94.182.0.0/15 94.184.0.0/17 94.232.168.0/21 94.241.128.0/18 95.38.0.0/16 95.80.128.0/18 95.81.64.0/18 95.82.0.0/18 95.82.64.0/18 95.130.56.0/21 95.130.240.0/21 188.34.0.0/16 188.93.64.0/21 188.121.96.0/19 188.121.128.0/19 188.136.128.0/17 188.158.0.0/15 193.189.122.0/23 194.225.0.0/16 195.146.32.0/19 212.16.64.0/19 212.33.192.0/19 212.50.224.0/19 212.80.0.0/19 212.95.128.0/19 212.120.192.0/19 213.176.0.0/19 213.176.32.0/19 213.176.64.0/18 213.195.0.0/18 213.207.192.0/18 213.217.32.0/19 213.233.160.0/19 217.11.16.0/20 217.24.144.0/20 217.25.48.0/20 217.64.144.0/20 217.66.192.0/20 217.66.208.0/20 217.146.208.0/20 217.172.96.0/19 217.174.16.0/20 217.218.0.0/15
6) Setup “visible_hostname” (normally just the public IP address).
7) Turn off logging by adding these two lines:
access_log none
cache_store_log none
7) Setup the Squid cache by issuing the following command: “c:\squid\sbin\squid -D –z” (No quotes).
Setup Squid to run as a service by issuing the following command: “c:\squid\sbin\squid –i”
Please don’t run this on a machine that you’re worried about or is used for production sites; and take basic security precautions, ie: moving ftp off the default port, using a firewall package, etc.
Once your server is up and running please DM @austinheap and let me know! I will no longer posting proxies on the public list. If you set one up, please e-mail me@austinheap.com to contribute to the private one or e-mail me if your an Iranian that needs access!
Connect 2.0
Translator
