یک فیلتر شکن آماتور یا هدیه جمهوری اسلامی؟
مقاله ای تخصصی در سایت Anonymous Iran که مهمترین سایت و منبع تخصصی بررسی فیلتر و فیلتر شکنهاست. در این مقاله بشکل دقیق نحوه کار این فیلترشکن توضیخ داده شده است و در آن آمده: "این برنامه این کار را بشکلی خطرناک و کوته بینانه انجام میدهد که میتواند براحتی بر علیه اشخاصی که از آن استفاده میکنند استفاده شود."
لینک مقاله پایین:
Some observations :
1) The username (" greenmachine 1") and password ("freeiran 1") are hard -coded into the binary .
2) It appears to only connect to one server in Germany (188.40.112.139), meaning Iran can block just the IP and /or target users connecting to this IP .
3) Since it 's using SSH , it has a known signature that would be easy for Iran to target .
4) It unconditionally accepts the remote host 's session key . That means it 's trivially vulnerable to a MITM attack . The government wouldn 't even need to distribute bugged copies : it 's self -bugged .
That took 15 minutes to figure out and break . Next?
...................................................................................................
ترجمه نظر بالا:
مشاهدات:
مطلبی از سایت:
The Green Machine
The authors of the Green Machine claim to allow users to access the uncensored Internet securely from inside Iran . The program does this , but in a dangerous and shortsighted way that can be easily blocked or even turned against the very people it is intended to protect .
The Green Machine is actually a thin shell around the open -source SSH client (not that it credits the PuTTY people ). PuTTY is an excellent program , but the Green Machine uses it in a dangerous and inappropriate way that I will explain below .
How It Works
In order to understand how the program works , it is first necessary to understand how the Internet works . Please bear with me : for those not technically -minded , this is the minimum you need to know .
Those more steeped in technology will realize I'm simplifying the situation somewhat for clarity . Also keep in mind that these connections are symmetric : what I describe for outgoing communication applies in reverse to replies .
The Normal Internet
When a web browser (or any other client program ) sends information to a server over a network , the program first goes through the operating system . There , the information the program is divided into chunks called packets . To each packet , the operating system adds information about where the packet is coming from (the ) and where the packet is going (the destination). It also adds a number telling the server receiving the packet to which program it 's supposed to send the information . This number is called the port. What the application originally wanted to send , which makes up most of the packet , is called the payload.
Web traffic always uses port 80, so if you were connecting to , your packet would look something like this :
Code :
Now , if you were trying to block access to facebook .com , the easiest thing to do is to block any packet with facebook.com in the destination field . This approach is precisely what the government of Iran tried first .
The First Stab: Proxy Servers
To get around this blocking , people started using . When a client uses a proxy server , instead of sending a packet directly to the destination , the client instead sends a packet to a third computer , the proxy , which forwards it to the originally -intended computer . So , the packet leaving the client looks like this :
Code :
Now put yourself back in the shoes of an Internet censor . Just looking for in the destination field no longer works because people are just using proxyserver1 instead . Now , you have two options :
As it turns out , the Iranian government has been employing techniques , which is why proxy servers quickly stop working (once the government learns what they 're called ), and why sites are often blocked even when they go through proxies (because the government can look inside the packet and its ultimate destination ).
Escalation
It 's still possible to get around even this level of blocking , but it takes more effort on the part of the client . The basic idea is twofold :
There are several different ways of accomplishing these goals . What the Green Machine does is put the payload inside another kind of payload called SSH , which stands for Secure SHell and is mainly used by computer geeks . Because SSH encrypts (scrambles ) the payload , the government can 't look inside the packet and see who the user is trying to talk to . To try to fool the government further , the Green Machine uses port 80 for this payload , even through one normally sends SSH packets using port 22.
The outgoing packet looks like this :
Code:
When receives this packet , it decodes " dsfa %!@3fjndaS 213415!,,,,!@" into " connect to facebook.com" and follows that instruction . So far , so good : you can connect to facebook .
Fool's Gold
While the Green Machine approach appears to work , it 's actually chock full of problems and vulnerabilities that makes it quite detectable and dangerous to use even while it does work .
Speaking Swahili in Finland
First of all , it 's running traffic over port 80, not the usual port 22. Nobody can tell what 's inside the SSH payload , but the government can tell that the packet is SSH , not the expected web traffic . It 's a giant red flag that says "take a closer look at this connection !"
Why not just use port 22 like most other SSH traffic , then ? You run into the same problem : if the government sees a sudden spike in SSH traffic , it will know to focus on both the source and destination of the traffic and quickly learn to block it . Recall that the government can still block a packet based on its field even if it doesn 't understand the payload .
Who 's Bob ? Why are you so very interested in this Bob ?
The Green Machine is configured to talk to exactly two servers . (There are two programs included in the package , each of which is hard -wired to talk to one server .). Once the government discovers what these servers are , either by observing traffic (which thanks to running over SSH , sticks out like a sore thumb ) or just by getting a copy of the program for itself , these servers can be blocked by just looking for them in the field of each packet . All the encryption in the world won 't stop that from happening .
I'm the Bob you are looking for . Really . Trust me .
The government can do worse than block the traffic to innocuousmachine 42, though . Once the government knows what the machine is called , it can redirect packets intended to that machine to its own machine and read what 's inside , which means that every post , tweet , and email sent through this program could be read by the government without your ever knowing .
The government would quite literally use what 's called a : it would , without your knowledge , send packets intended for innocuousmachine42 to its own machine and read them . It would then talk to innocuousmachine 42 as if it were you , so you would never notice that anyone is wrong .
The government can do this because the Green Machine doesn 't take steps to make sure it 's talking to whom it thinks it 's talking to and will gladly talk to anyone who 's speaking on port 80.
Consequently , using this program is dangerous
مقاله ای تخصصی در سایت Anonymous Iran که مهمترین سایت و منبع تخصصی بررسی فیلتر و فیلتر شکنهاست. در این مقاله بشکل دقیق نحوه کار این فیلترشکن توضیخ داده شده است و در آن آمده: "این برنامه این کار را بشکلی خطرناک و کوته بینانه انجام میدهد که میتواند براحتی بر علیه اشخاصی که از آن استفاده میکنند استفاده شود."
لینک مقاله پایین:
...................................................................................................
نظر یک متخصص:...................................................................................................
مشاهدات:
- شناسه "
greenmachine 1 " و پسورد "freeiran 1 " در بیناری بصورت غیر قابل تغییر نوشته شده اند. - به نظر میاید که فقط به یک سرور در آلمان وصل میشود و نتیجتا ایران کافیست مسیر ارتباط این آی پی و یا آی پی مقصد کاربرانی که ازآن استفاده میکنند را ببندد.
- از آنجا که این سانسورشکن از SSH استفاده میکند، یک سیگناتور مشخص دارد که براحتی از سوی رژیم ایران میتواند هدف قرار گیرد.
- بلاشرط session key هاست ریموت را قبول میکند. به این معنا در قبال حملات mitm براحتی آسیب پذیر است. رژیم حتی نیازی به تغییر و باگ دار کردن (جاسوسی کردن) و پخش آن در شبکه ندارد. این برنامه خودش همینطور هست.
- 15 دقیقه طول کشید تا کشف و شکسته شد.
...................................................................................................
مطلبی از سایت:
The Normal Internet
<span><mj> +-----------------------------------+<br /><br /> | <mj>source</mj> | <mj>your</mj> <mj>computer</mj> |<br /><br /> +-------------+---------------------+<br /><br /> | <mj>destination</mj> | </mj><a href="http://facebook.com">facebook.com</a><mj> |<br /><br /> +-------------+---------------------+<br /><br /> | <mj>port</mj> | 80 |<br /><br /> +-------------+---------------------+<br /><br /> | <mj>payload</mj> |<br /> <br /> | |<br /> <br /> | <mj>Send</mj> <mj>me</mj> <mj>the</mj> <mj>your</mj> <mj>homepage</mj><br /> |<br /> | |<br /> <br /> +-----------------------------------+</mj></span>
The First Stab: Proxy Servers
<span> +-----------------------------------+<br /> <br /> | source | your computer |<br /> <br /> +-------------+---------------------+<br /> <br /> | destination | proxyserver1 |<br /> <br /> +-------------+---------------------+<br /> <br /> | port | 80 |<br /> <br /> +-------------+---------------------+<br /> <br /> | payload |<br /> <br /> | |<br /> <br /> | Tell <a href="http://facebook.com">facebook.com</a> to send the |<br /><br /> | homepage. |<br /><br /> | |<br /><br /> +-----------------------------------+</span>
- Find out what the proxy servers are and block them based on source.
- Look inside the payload and look for facebook.com. This called deep packet inspection
because you're looking "deep" inside the payload of the packet, which
ordinarily you're not supposed to care about if your job is to just
move packets from one place to another.
Escalation
- Prevent the government from finding out what the proxy servers are called
Make sure the doesn 'thave anything that looks like aproxy request
Code:
<mj> +-----------------------------------+<br /><br /> | <mj>source</mj> | <mj>your</mj> <mj>computer</mj><br /> |<br /> +-------------+---------------------+<br /><br /> | <mj>destination</mj> | <mj>innocuousmachine</mj>42 |<br /><br /> +-------------+---------------------+<br /> | <mj>port</mj><br /> | 80 |<br /><br /> +-------------+---------------------+<br /><br /> | <mj>payload</mj> |<br /><br /> | |<br /><br /> | <mj>SSH</mj>-<mj>CONNECTION</mj>-<mj>REQUEST</mj> |<br /><br /> | <mj>dsfa</mj>%!@3<mj>fjndaS</mj>213415!,,,,!@ |<br /><br /> | |<br /><br /> +-----------------------------------+</mj>
Fool's Gold
Speaking Swahili in Finland
پستها
هیچ نظری موجود نیست:
ارسال یک نظر