[AktiviX-discuss] AktiviX-discuss Digest, Vol 54, Issue 2

Mon May 18 10:24:35 UTC 2009

aktivix-discuss-request at lists.aktivix.org wrote:
----------------8<-----------------------
> - how can the author protect their privacy? I suggested installing TOR 
> but is that enough? She might be using computers where she cannot 
> install software.

I'd be wary of Tor as a guarantee of privacy in China. It doesn't
encrypt between the exit node and the target server. There's no
guarantee that exit nodes won't be subject to the control of the Chinese
authorities. If they were that'd be bad, see for example
http://www.wired.com/politics/security/news/2007/09/embassy_hacks?currentPage=1

Tor can also fail if an attacker can see both ends of a connection. If
your blogger was in China this would pretty much bound to be the case,
see the FAQ for more:
https://wiki.torproject.org/noreply/TheOnionRouter/TorFAQ?action=recall&rev=554#EntryGuards

And there's the fact that on its own tor doesn't hide all TCP traffic -
DNS lookups for example.

Aside from that there's also the risk that the authorities may become
more interested than usual in an individual who is using Tor. I imagine
that this would be a bad thing.

I reckon that your best bet is to host entirely outside China, using
some kind of steganography to post mp3, jpg or some other innocuous data
containing the data you're actually interested in to an anonymous email
account hosted outside China. If you can get an SSL connection to the
account that's good, but there is always the possibility of man-in-the
middle attacks. Some papers on steganography are at:
http://www.jjtc.com/Steganography/

This still puts your blogger at some risk if the software is discovered
or logs are found. You'll want them to securely delete files and logs
and do an sfill on their drive each time they use their machine. Even
doing that may not be enough to guarantee privacy but it reduces risks a
certain amount. I'd regard Chinese post and phone services as being a
non-starter, others may know better.

Another option that I'd thought of vaguely is to use something like
GNUNet to share steganographic files anonymously; but that kind of
traffic may again be the sort of thing in which the Chinese authorities
are particularly interested and may increase the risk to your blogger.

Other options include ssh-tunnelling to a proxy outside the firewall or
using a VPN; both of these could also look dodgy to the censors.

Cheers,

-- 
Charlie Harvey
IT Manager
New Internationalist

t: +44 (0)1865 811402
f: +44 (0)1865 793152
w: http://www.newint.org/

New Internationalist is an independent not-for-profit communications
cooperative. Our multi-award winning magazine, New Internationalist,
brings to life the people, the ideas and the action in the fight for
global justice.

New Internationalist Publications Ltd. is incorporated in England
under no.1005239. Registered Office:
New Internationalist, 55 Rectory Road, Oxford,  OX4 1BW, UK