Sunday, 4 November 2012

The Amazing Race 21, Episode 6

Sonargaon (Bangladesh) - Istanbul (Turkey)

Getting around censorware and Internet blocking

Istanbul was introduced this week on The Amazing Race 21 as the place "where the Bosporus strait separates Europe from Asia". That's true enough, geographically speaking. It's also true, more significantly, in a cultural sense, and whether Istanbul seems more European or more Asian can depend on how you approach it.

But Istanbul and Turkey are far from unique as a city and country which draw their people and traditions from both major divisions of the Eurasian landmass. Moscow (where The Amazing Race 21 is headed next), as the capital of a country with most of its population in Europe and most of its land area in Asia, is also a clearly "middle-Eurasian" city. I haven't (yet) been in Tel Aviv, but it's a city located in, and with traditions drawn from, West Asia, but whose dominant population group identifies itself as European.

Turkey's economic position spanning the gulf between the world's rich and poor is probably more significant, and more unusual, than its geographic location spanning the Bosporus between Europe and Asia. While there are both rich and poor people in many countries where the First and Third Worlds co-exist, there are a few large or populous genuinely middle-income countries.

To visitors arriving from Bangladesh, like the contestants in The Amazing Race 21 this week, Istanbul looks like a modern, high-tech city. To some degree, that was also true when I arrived in provincial Turkey (much poorer than Istanbul) overland from truly-poor Syria. On the other hand, to those arriving directly from the USA, especially those whose previous travels are limited to First World places in North America and Europe, Istanbul can come across as being on the edge of the Third World.

The deciding factor in which of the teams in the race finished last and was eliminated was whether they took taxis or mass transit from the airport to the center of the city. As Tom Brosnahan's authoritative TurkeyTravelPlanner.com explains in clearly illustrated detail, you can get between the airport and downtown Istanbul by train in a little more than an hour, although you have to transfer between the subway ("Metro") and the streetcar ("tram"). But a taxi or car service can be slightly faster, if there is no traffic. (Neither the Metro nor the trams run all night in Istanbul, so the train isn't an option if you have a late-night arrival or early morning departure.)

Tom Brosnahan has been traveling in and writing about Turkey since he went there as a Peace Corps volunteer in the 1960s. He's one of the finest guidebook writers I know, and has been a mentor to me and to many other travel writers. One of my odder encounters with globalization was finding a copy of Tom's memoir of his start in travel writing, Turkey: Bright Sun, Strong Tea, in the English-language section of a bookstore in Valparaiso, Chile.

I asked Tom if he'd like to write a guest column for my newsletter this week, but when he tried to watch The Amazing Race online from Antalya, Turkey, he found that the CBS Web site was configured only to stream video to IP addresses it thought were in the USA.

I faced the same problem in reverse when I tried to watch The Amazing Race Australia (the best of the English-language franchises of "The Amazing Race" in other countries and regions) and found that the Seven Network would only stream it to Australian IP addresses.

It's not just US television shows that are censored in Turkey, however. Much of the censorship is at the Turkish end of the pipe, where I hesitate to say what is considered unspeakable lest that get me deemed persona non grata if I try to return to Turkey. Typical taboos include asking questions about national heroes or embarrassing incidents in national history, as well as whatever is locally considered "subversive" (which can mean something very different in a monarchy than it does in the USA) or "pornographic".

While the details of what topics and which Web sites are taboo vary from place to place, censorware and Internet blocking are common. Some countries have a national firewall (the "Great Firewall of China" is not the only such barrier that I've encountered), while others require all cybercafes or other public Internet access providers to run government-approved (and often maddeningly overbroad and erratic) filtering and/or monitoring software. One reason I had such problems when my bank froze my account for trying to check my balance from a Syrian IP address is that so many sites were blocked at the Syrian end that I didn't realize that this time it was my bank in the USA that was blocking my attempt to connect.

What's a would-be Web browser to do? It's a complicated question, depending on what sort of censorship you are dealing with, at which end of the connection.

Occasionally you'll get a splash screen saying "You are not permitted to visit this Web site" (although it won't usually be in English or specify why the site you tried to visit is blocked). More often, especially in a place where the connection to any US or other foreign web site is slow, you won't be able to tell for sure whether the connection is being blocked at your end, whether the server is configured not to deliver the content you want to your country (because of geographic limits on content licensing, political embargoes, or business choices), or whether the connection is so slow that the browser is timing out before it gets a response.

The canonical method of getting around government firewalls is Tor. I've met, and greatly respect, some of the key people in the Tor project. They are focused on security, not usability, however, and Tor is anything but user-friendly (although gradually improving).

Tor isn't a magic bullet for communications security. If you don't understand how it works, you shouldn't rely on it to protect yourself or other people you are writing about or communicating with. But Tor is a key resource for human rights activists and journalists.

If you aren't doing anything online that you care if identity thieves or the secret police can eavesdrop on, Tor may be overkill and even self-defeating. Many Internet censors try to block connections to known Tor servers. Tor's multi-hop relaying tends to make it very slow and poorly suited for streaming media of any sort.

A simpler but completely insecure alternative that may enable you to get around firewalls and geographic restrictions on Web content delivery is to use a "public proxy server". Basically, this means sending your request for a Web page to a relay someone has set up. The proxy forwards your request to the server, and relays the server's response back to you.

To the server, your request appears to be coming from wherever the proxy is located. And to the local firewall or censorware, you appear to be connecting to an innocuous site (the proxy) and not the politically heretical Wikipedia article you want to read (a common problem in Turkey), or the site where you maintain your blog but that local authorities have deemed pornographic because other blogs on the site include pictures of unveiled women unescorted in public (not so much of an issue in Turkey, where veils for women and beards for men are forbidden rather than required, but common in some nearby countries).

Various Web sites compile lists of public proxy servers. They tend to change frequently, because known public proxy servers quickly get overloaded and/or blocked.

Search for "public proxy servers" and you'll get lists (unless such searches are themselves blocked from wherever you are, in which case you can ask a friend in another country to look up some lists of public proxy servers and e-mail them to you). Look for recently-verified ones with low latency. Expect to have to try several before you find one that's up, and to have to go through the same process to find another working proxy tomorrow.

To use (or test) a proxy server, enter the IP address (four numbers, each from 0 to 127, separated by periods) and the port number (most commonly 80 or 8080, but any number is possible; some firewalls block most ports except port 80, in which case you are limited to using proxies that use port 80) into the "HTTP proxy" settings fields in your Web browser:

Once you have set up your browser this way to route all your browsing through a proxy server, you can just browse normally, although you can expect pages to load slowly and with delays.

For your protection against inadvertently divulging passwords or other information to the operator of the proxy server, remember to set your browser back to normal ("no proxy") when you are done with whatever you needed to use the proxy server for.

Most easy-to-find public proxies are in the USA, which is fine if you want to access sites that are accessible from the USA, but that you aren't allowed to connect to directly from where you are. For something like "The Amazing Race Australia", which is available for streaming only to users or proxies at Australian IP addresses, it's harder, since there aren't so many public proxy servers in Australia. Some sites list public proxy servers by country.

Some free proxy servers are set up as a public service. Others are "honey pots" run by thieves. Never enter any password you care about through an unknown proxy server.
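
As an added illustration (not code from the original post), the sketch below parses the bytes a browser hands to an HTTP proxy and reports what the proxy operator can read. The hostname, cookie and credentials are constructed, and the HTTPS case, where the browser first asks the proxy for a CONNECT tunnel, goes beyond what the post describes.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed sample: a login form sent over plain HTTP via a proxy.
# Hostname, cookie and credentials are made up for illustration.
PLAIN_HTTP = (
    b"POST http://mail.example.test/login HTTP/1.1\r\n"
    b"Host: mail.example.test\r\n"
    b"Cookie: session=abc123\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 30\r\n"
    b"\r\n"
    b"user=traveler&password=hunter2"
)

# Constructed sample: the same site over HTTPS. The browser asks the proxy
# for a tunnel; what follows the blank line stands in for encrypted TLS data.
HTTPS_TUNNEL = (
    b"CONNECT mail.example.test:443 HTTP/1.1\r\n"
    b"Host: mail.example.test:443\r\n"
    b"\r\n"
    b"\x16\x03\x01\x00\x05hello"  # placeholder bytes, not a real TLS record
)

def proxy_view(raw: bytes) -> dict:
    """Return what a forwarding proxy can read from the client's bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        # Only the destination is visible; the payload stays opaque as long
        # as the browser validates the site's certificate.
        return {"host": host, "port": int(port), "path": None,
                "cookie": None, "form": None, "opaque_bytes": len(body)}
    url = urlsplit(target)
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = dict(parse_qsl(body.decode("latin-1")))
    return {"host": url.hostname, "port": url.port or 80, "path": url.path,
            "cookie": headers.get("cookie"), "form": form, "opaque_bytes": 0}
```

Over plain HTTP the proxy sees the full URL, the session cookie and the submitted password; through a CONNECT tunnel it sees only the destination host and port.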

Another option would be to set up an always-on computer of your own, at your home or on a server somewhere, as your own private proxy server. It's possible to do this pretty cheaply, using a fairly minimal Web hosting account, if you know how. An unadvertised private proxy server on an obscure port number is less likely to get overloaded or blocked than a public proxy server, although it still might get found by an exhaustively (or randomly) port-scanning attacker.

None of these tactics are reliable, and you need to be prepared for the possibility that any Web site or online service that you rely on -- your banking site, your webmail, you name it -- might be unreachable, for no apparent reason and with no recourse, in any given country. Carry any data you might need with you in some format, and don't count on access to "the cloud".

Posted by Edward on Sunday, 4 November 2012, 23:59 (11:59 PM)
Comments

I think that last paragraph says it all: don't plan on staying connected in any way while traveling! There MAY be some locally approved connectivity, and you MIGHT be able to figure out how to make it work for you. But you're risking everything if you enter a password you care about on a connection you make overseas, and the only stuff you should be confident about being able to access should be offline, stored on your device. People forget that computers are just tools: yes, they make our lives easier, but only when and where we can configure them to work our way. Even just a few miles outside that zone might as well be as far away as the moon if you don't know what you're doing and/or if local authorities and/or thieves won't let you browse in peace.

BTW: Don't you think it's time to update your Practical Nomad Guide to the Online Travel Marketplace?

Posted by: Ben Bangs, 14 November 2012, 09:38 ( 9:38 AM)

Hi Edward. Read your latest missive with interest - lots of good info there. Was wondering if you'd seen or tried any of the commercial services that provide VPNs for consumers? I've found both www.purevpn.com and especially www.overplay.net to be very useful when travelling, both for security and for getting an IP address that makes it look like I'm in another country. I've certainly found them much more reliable than public proxy servers, anyway. Stay safe on the road, and thanks for providing a consistently interesting read!

Posted by: Simon, 14 November 2012, 11:20 (11:20 AM)

Thanks for the feedback and suggestions.

Any commercial proxying or VPN server, like a public proxy or your own private proxy server or VPN gateway, is vulnerable to being blocked.

A service like Overplay, which offers both a proxy server network and a VPN service, for different monthly subscription fees, might be more reliable and faster than a public proxy. But it still can't be relied on.

In some countries, and from some public access points (cybercafes, public wi-fi access points, etc.), *all* VPN traffic and all traffic other than HTTP traffic to port 80 is blocked.

I'd like to update "The Practical Nomad Guide to the Online Travel Marketplace" and make it available again, but it's a large project that hasn't yet risen to the top of my priorities.

Would you rather see an updated version of the material in "The Practical Nomad Guide to the Online Travel Marketplace" as a portion of my Web site, with advertisements, or as a new e-book edition? If the latter, what price would you pay for a PDF?

Leave your answers in the comments.

Posted by: Edward Hasbrouck, 14 November 2012, 11:31 (11:31 AM)

The best way to run your own proxy at home is a combination of a dynamic DNS entry (so you can find yourself), a proxy server package to run at home as you noted, an SSL certificate (<$20/year from rapidsslonline.com, which is easier to use than a free self-signed certificate), and - Here's the kicker - port knocking. What port knocking buys you is total obscurity from port scanners and freeloaders, so that only you (and the hacker sitting on the same cybercafe LAN as you) can even try to use the proxy, and even then only for as long as you configure the port knocking gateway to stay open after each correct secret knock.

You're right, of course, that SSL is blocked in some places. Then, the user could enable both SSL and non-SSL, on some combination of likely-to-work ports (e.g. 80 and 8080, 443 and 587), with knocking enabled on all of them, to have the best possibility of a) finding something that will work (at all), and b) having the option of SSL (where possible) and having at least something (when SSL is effectively blocked).

One port knocking client is Judd Vinet's "knock" available for multiple platforms (Windows, Linux, Mac OS X, and more) at

http://www.zeroflux.org/projects/knock

For sending knocks from places with very restrictive (but possibly not very smart) filters - that is, filters like "only port 80", you could set up a knock which is a series of TCP flags, e.g. "open the proxy from the knocking IP address if the knocking IP address sends the sequence TCP port 80 FIN, TCP port 80 ACK, TCP port 80 SYN" (which is a sequence that would never occur naturally). Port scans are unlikely to find or trigger this, and as it is all on port 80 there's a reasonable chance that even a paranoid government's filters would allow the necessary packets through.

Another idea is to put SSL on port 80, although smarter filters would get in the way of that.

Saludos,

Jay

Posted by: Jay Libove, 15 November 2012, 11:01 (11:01 AM)
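
The knock sequence described in the comment above can be modelled as a small per-source state machine. This is an added example, not Jay's code or code from the knock project; the `KnockGate` name, the two timeout values and the packet events are assumptions constructed for illustration, and it simulates the gateway's bookkeeping without touching real sockets.

```python
from dataclasses import dataclass, field

# Sequence from the comment above. Flags are compared exactly, so an ordinary
# connection close (FIN+ACK) does not count as the bare FIN knock.
KNOCK = [(80, "FIN"), (80, "ACK"), (80, "SYN")]
STEP_TIMEOUT = 10.0  # assumed value: max seconds between consecutive knocks
OPEN_WINDOW = 30.0   # assumed value: seconds the proxy stays open afterwards

@dataclass
class KnockGate:
    progress: dict = field(default_factory=dict)    # src IP -> (next step, last seen)
    open_until: dict = field(default_factory=dict)  # src IP -> expiry time

    def packet(self, src, port, flags, now):
        """Feed one observed packet; return True if it completes the knock."""
        step, last = self.progress.get(src, (0, now))
        if now - last > STEP_TIMEOUT:
            step = 0  # knocks arrived too slowly: start over
        if (port, flags) == KNOCK[step]:
            step += 1
        else:  # a wrong packet resets progress, unless it is itself knock #1
            step = 1 if (port, flags) == KNOCK[0] else 0
        if step == len(KNOCK):
            self.progress.pop(src, None)
            self.open_until[src] = now + OPEN_WINDOW
            return True
        if step:
            self.progress[src] = (step, now)
        else:
            self.progress.pop(src, None)  # keep no state for non-knockers
        return False

    def allowed(self, src, now):
        return now < self.open_until.get(src, float("-inf"))

# Constructed events: (source IP, destination port, TCP flags, time in seconds).
EVENTS = [
    ("198.51.100.9", 80, "SYN", 0.0),      # port-scanner probe
    ("203.0.113.7", 80, "FIN", 1.0),       # knock 1
    ("198.51.100.9", 80, "FIN+ACK", 1.5),  # ordinary close, not a knock
    ("203.0.113.7", 80, "ACK", 2.0),       # knock 2
    ("203.0.113.7", 80, "SYN", 3.0),       # knock 3: gate opens until t=33
]

def replay(events):
    gate = KnockGate()
    for src, port, flags, now in events:
        gate.packet(src, port, flags, now)
    return gate
```

Because the gate keys on source address, anyone who shares that address (for example behind the same cybercafe NAT) is admitted during the open window, which is the caveat the comment itself raises.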