Tell HN: The Internet situation inside Iran
Following the protests, the government has cut off or severely limited residential and especially mobile broadband access to the internet and people can only access websites and services hosted inside Iran. This has made connecting to VPNs with servers outside Iran, and Tor close to impossible. That being said, the servers inside Iranian data centers still have access to the outside world.
The government has also blocked Instagram and WhatsApp (the main channels of communication used by people inside Iran), and alternatives such as Telegram, Signal, etc are also blocked, halting communications to a crawl. People have to either call each other via GSM or send SMSs (which by the way is being monitored and messages containing keywords related to the protests don't even get delivered). As you can imagine, it's preventing people from coordinating the protests and strikes, and with the sattelite TVs being also heavily jammed, the only source of information accessible to most people is the government-led local TV channels which are distributing regime propaganda 24/7 and trying to scare people into submission.
We (a group of tech people inside Iran) have started using the servers inside Iranian data centers gain access to the Internet, and are setting up VPN servers and Tor bridges and giving the information to people we know. It's not scalable, and it's risky for us (the servers inside Iran can be traced back to us), but that's the only way we could think of to help. The technical details are published here:
https://github.com/InternetForIran/InternetForIran
We need help on multiple fronts:
- Please review and contribute to our repository on GitHub linked above. We need to improve the security and make deployment easier.
- The methods for setting up Tor bridges described in the repository were working up until 2 days ago, but have mostly stopped working and we haven't figured out why yet, maybe you can help?
- We have reports that V2Ray VMess and ShadowSocks are working inside Iran even at times when most other tools and protocols don't. We haven't been able to reliably deploy and test this (there are many configuration options and it's not clear which methods are working). Please create an issue or send a PR if you know how it works and how to deploy it.
- If you are an Iranian expat: Get a server inside Iran and set this up for your family and friends and get them back online.
- If you are an entrepreneur or work at a tech startup inside Iran: Your company already has servers inside Iran. Talk with your team, set up VPN servers and Tor bridges and share them with other employees and ask them to help get their family and friends online.
Edit: Formatting.
197 comments
[ 4.0 ms ] story [ 222 ms ] threadhttps://briarproject.org/how-it-works/
https://briarproject.org/download-briar/
freemesh for wifi AP based mesh networks. not as convenient as briar, but considering the situation having multiple modes of communication seems like a good hedge.
also, if you can get a hold of lora wan based devices, e.g. esp32 w/ lorawan, you can set up a lorawan based mesh network with wifi entry points.Worst case a mule gets captured or turns to the government in which case those messages are lost. That's all.
Jean-Luc Picard
https://en.m.wikipedia.org/wiki/Metaphor
If you’re going to object to a metaphor, I think you should do it on the grounds that it offers little to no insight into the situation. In my opinion, if you’re going to object to the above quote based on the fact that Iran is, in terms of infrastructure if not politically, well developed then you may as well also disregard it because Iranians are not an alien species and software developers are not captains of space ships.
To use another metaphor: you’re losing the forest for the trees. Please don’t object to this on the grounds that there is no foliage on the bridge of the USS Enterprise.
Then we could have discussed pro/cons of destroying someone way of life by introducing our civilization vs. turning a blind eye to the poor (by our standards) living conditions of the tribe.
Iran (even if you don't like its political system) is not it.
What (I presume) you see in the quote:
- We have a rule not to interfere in *primitive* cultures.
- It is sometimes acceptable to break this rule when I feel it is morally right to do so.
When you read the quote, your emphasis is on the primitive. To you, the prime directive as a metaphor can only stretch to cover that. However, other people can take this advice and apply it in a more abstract way to many different areas of life. For example:
- We have a rule not to interfere in other cultures.
- We have rule not to interfere in other parts of the business.
- I have a rule not to interfere in other people’s affairs.
For example, the latter could form part of Kant’s Axe Murderer dilemma. You may think it is unacceptable to lie, but when faced with an axe murderer at the door looking for someone they intend to murder, you may choose to lie to save the intended victim. You may or may not class this as interference. You may go further and ring the police at which point I think you are interfering by most people's definition. Even though we are now talking about axe murderers and are very far away from primitive alien cultures, there is still a link between the two scenarios regarding rules around interference and when it is morally right to do so.
You could almost see this as a percentage scale, where 100% would be if a future space ship captain was debating whether to interfere in a primitive culture and 0% being do I want to get a bacon roll for breakfast tomorrow (e.g zero relevance). In this case, yes, your point about the amazonian tribe IS more relevant as it ticks more similarity boxes. Maybe it would score something like a 90% on the similarity scale. However, “we have a rule not to interfere in other cultures” is, in my mind, not too many percentage points off, maybe say 85%. To you it may be much less, say 30%. That’s fine, we are allowed to have different viewpoints.
The one thing I would say is that I personally feel that if you take a restrictive view of stories (which is what I would consider only allowing yourself to consider the prime directive relevant to primitive cultures) you are cutting off a lot of the richness of story telling. Writers want us to take their stories, be they set in the past, present and future, and relate it to our lives and current events. If you don’t do that, then what even is the point in taking the time to read them? Do you even feel a connection to the story? Do you feel it has enriched your life in any way? Are you really watching Star Trek in case you one day have to make an ethical decision on whether to interfere with an Amazonian tribe or do you feel that there are lessons within it that can be applied to more mundane and ordinary existences?
I feel the same way that the best sci-fi is about us/our lives. Though disagree with conclusions --reasonable people can disagree-- if we would remove the god-like difference in power between groups then there were not the prime directive in the first place.
In practical terms, I don't expect any debate/morale dilemmas when we encounter isolated tribes -- they are likely to be exterminated for profit one way or another. The prevailing logic in practice: the might is right. Then the story can be spinned in whatever way to make it digestible by the public if necessary.
“Allow me to introduce you to:
https://en.m.wikipedia.org/wiki/Metaphor”
that set the wrong tone for this entire comment thread to begin with.
I agree that the Prime Directive of Star Trek is dependent on primitive species. I think that the Prime Directive of Life is to not interfere in other people’s business without good reason. In the case of Iran right now, if I had the skills (which I don’t) I’d be tempted to break the Prime Directive of Life because I think there are people there being killed and tortured for no reason other than it aids the men in power maintain their status and that doesn’t sit right with me. Obviously if you kill one monster you can’t be sure an even worse one won’t take its place but for me, I’d rather take my chances. I’ve got to have hope in humanity, that we can come together, that we can banish evil when we see it even if it takes us many attempts and that we can build better things in its place. I believe people should be free to live their lives however they wish so long as they are not hurting others.
Sadly, I feel you may be right on the “might is right” thing. In my opinion, Star Trek only works as a series due to the “universal replicator”. As a device, it allows for the creation of anything, thus there is no scarcity of resources and the entire planet is free to adopt an “abundancy mindset” rather than a “scarcity mindset”. With people no longer worried about survival or material possessions, people are free to pursue their passions and curiosities and focus on bettering themselves rather than competing to survive.
The Star Trek universe also only works because the federation have more technologically advanced weaponry than their ideological adversaries allowing them security and peace of mind. Of course, it is possible to achieve an abundance mindset without any replicator as many happy people alive today will demonstrate. But in what is an increasingly materialistic world, it may be the quickest way to achieve it globally. I don’t think this is going to look like a box that just makes things as in Star Trek. Instead it will be AI controlling many different machines and abundant renewable energy to power them. Maybe it will all go wrong with the singularity. Who knows!
Sadly, we know through the ancients that the “gods are eternal” so it is likely that, if we were able to create a similar utopia to that of Star Trek, we will still produce damaged people who seek war, power over others etc just as the advanced worlds of Star Trek have their own villainous characters. We would thus need to also have other systems well developed simultaneously, good health care systems, good education systems, good political systems etc. Maybe then we will have ascended to a place where we deal with our inner world in a manner that is non destructive to our external world and will be able to go to space as explorers rather than conquerors. If we go to space before this self mastery is achieved then it will be likely be the same old tragic self interested story.
I think non-interventionism is a bad choice for individuals with the power to help people under repressive regimes communicate with the outside world.
I will say even more. Other governments are watching and likely debating what could be used on their respective turfs. Something to think about.
I also support the rights of private citizens living in a free society to act on their own behalf, however they see fit.
That's not a dangerous game, that's an excercise of the rights protected by the society they are part of.
In my opinion, any methods to help Iranian people to help them shake this control that aren't covert Western attacks on Iran or Islam are a good thing. Helping the protestors to communicate with each other is one of the most neutral, anodyne things you can do. For me, legitimate government is created through discussions, plans, and agreements among the governed. Any disruption of that is despotism. Maybe, one day, Iranians will be helping us protest.
That it is. When their society has reached a tipping point where women are burning their hijabs in the street in front of massive groups and cameras I think they have decided to not hide in the shadows and are willing to sacrifice themselves for what they believe in. Many of them are likely to have unspeakable things done to them. I suspect they know the sacrifices they are making and willing to take risks. Godspeed to them.
LISTER: Do you mean they had a war over whether the doughnut diner hats were red or blue?
HOLLY: Yeah. Most of them were killed fighting about that. It's daft really, innit?
LISTER: You're not kidding. They were supposed to be green.
Knowing that, the simplest and easiest solution that would avoid detection is to SSH tunnel into that datacenter and SSH-ProxyForward out of that datacenter into Amazon AWS via SSH and use that SSH proxy chain as a SOCKS proxy for browsers. Make sure the browser is using the SOCKS proxy (SSH) for its DNS. Many sites will make your friends solve captchas if they show up from Amazon so if you have a friend outside of Iran in the same AWS region that is willing to open SSH on their home router then one could add that private home router as their last hop in the SSH proxy forward. Do not go directly from the datacenter to the home. It is normal and expected for Datacenters to SSH to Amazon.
SSH Client -> Iranian Datacenter / Server -> AWS VM -> Home router in same region as AWS -> Internet.
If many people are using the same server and VM then make sure that MaxStartups and MaxSessions have been increased in sshd_config as well as any PAM limits on the servers for open files on every node in the path. Clients should enable ControlPath / ControlMaster in their ssh_config or ~/.ssh/config. To harden each hop configure PermitOpen to only allow the SSH hops and the final hop should also permit *:443
Examples of all these steps can be found on SuperUser / StackExchange / ServerFault and are all public knowledge. All above-board, no hacking involved.
[Edit] Removing the Squid MITM SSL-Bump proxy idea. That would make follow on questions harder to explain.
[Edit from Fatnino's input] If your Amazon VPC's are too outbound-restricted then pick another VPS provider that is commonly used for hosting 3rd party tools for datacenters, preferably one already used by that datacenter.
[Edit] In theory hypothetically speaking every hop possible could have misconfigured but realistic looking syslog so that SSH connections are not logged on the server and in theory a log-less silent rule in the edge firewall to not log SSH connections. Sometimes syslog disks also fill up by mistake. SSH can also be performed in ephemeral diskless containers such as Docker, Podman and LXC.
So my connections looked like this:my laptop at work in California, tunnel to aws in Virginia, tunnel back to a server at my house in California, connect to actual desired site likely hosted on aws in Virginia yet again.
To make this happen, you should have a minimum number of connections from inside Iran into the datacenter.
For a small group of trusted people with always on connections, you could just create a linear chain of SSH forwards connecting everyone. For widespread connectivity, a TOR bridge through the path you describe would be workable.
The ISP would still be able to see any traffic to the gateway, but if you had enough links outside of government monitored net infrastructure to the gateway (hard lines you take down or obfuscate when the patrol does their rounds, wireless point to point connections), the risk would be on the gateway operator.
(Please do not take my advice without evaluation. This is speculation from a SWE, not advice for life or death situations.)
Edit: I suppose if your ingress traffic is over links not monitored by government anyway, it doesn't matter if you use SSH or a web application forwarding traffic to a SOCKS proxy behind the scenes. Not sure if the idea presented above would be useful in other scenarios.
Edit2: I guess usability is a benefit, even without security benefits. "Plug in this cable and type this URL into your browser" is easier than "open a terminal and establish an SSH connection."
Something that looks similar to mosh being UDP and encrypted but that allows proxied traffic would be Tinc Open Source VPN [1] The nicest thing about Tinc is that it does user-space dynamic mesh routing without requiring packet forwarding being enabled. I would call it a middle ground to onion routing if set up right. It has configurable compression. The reason I did not suggest this is that it is not simple to set up and get OpSec right the first time out of the gate unless the people involved are already very experienced with it. That's why I suggested SSH. SSH is relatively simple, well known and will blend in with all the legit SSH traffic and more people have experience with SSH. SSH egress from a datacenter is normal, expected and likely already permitted to AWS without making logged firewall changes.
[1] - https://www.tinc-vpn.org/
Agreed on the utility of SSH. I work on a product that offers SSH certificate authorities as a service, among other things, and have read some of the RFCs.
I mainly mentioned the web forward proxy as a response to the "SSH traffic to Iranian datacenters from residential connections is suspicious," comment, but SSH is a great basis to build on. I doubt the SSH egress from the datacenters would draw much attention, but again, I wouldn't use my advice in a life-threatening situation, especially as I have never seen these type of monitoring systems in action.
A gateway is a single, big ass signal that says "come murder me".
hn@ycombinator.com
Using Tor sounds good in theory, but it's too far easy to identify all of the Tor connections and identify the residences connected to them.
I would suggest using SSH tunnels on whatever port a given server normally communicates on. If this is 443, connections should just look like normal web browsing on an ISP level. If the server is used to transmit other data over TLS using that port should be fine too.
All of that said, the challenging thing is not to secure the traffic, but to make it look normal. A persistent connection is not normal from a residential IP in most cases. This means you should take your session down once you've sent your messages for the day.
Except that it doesn't look like TLS - depending on what the traffic inspection capabilities look like I imagine someone speaking SSH on port 443 is pretty incriminating :/
The connection to the residence would be the last hop in the SSH proxy foward chain meaning that all Iran will see is Datacenter -> AWS. Then it is AWS -> residence. Iran would not have visibility into AWS egress traffic, rather Five-Eyes [1] would see everything in and out of AWS.
Datacenter -> Non-Iranian-AWS Region -> Non-Iranian Residence -> Internet.
The flow from the DC to AWS is all they would see.
[1] - https://en.wikipedia.org/wiki/Five_Eyes
SSH can be used for file transfers via sftp so it is not uncommon to have long transfers of data. In this edge case however one could set up a simple rate limited rsync over ssh and then rate limit ssh slightly higher so that the browsing shares the bandwidth creating a relatively smooth data stream. Data streams are not expected to be perfectly constant across the internet so a little fluctuation would be fine.
If Multiplexing is being used via ControlMaster ControlPath in the client then the people browsing will be riding the extra SSH channels without having to re-authenticate after their first authentication. The first SSH channel would be used for the SFTP transfer.
Then rate limit SSH just above 600KB/s using `tc`. On a modern kernel this is one line. One could use HTB bucket rules with tc on older kernels.All of this said, I do not believe this step is required unless a datacenter's SSH traffic patterns were already being traffic profiled and I would theorize that for this to be the case Iran's intelligence agency would have been watching them for other reasons.
Also have a look at their blog post about NAT traversal for some potential inspiration: https://tailscale.com/blog/how-nat-traversal-works/
Good luck out there! I'll have a look at your github repo now.
[0]: https://tailscale.com/
And it requires a control server with auth. Simply cutting off access to the control server would disable clients from connecting.
While there is headscale, configuring the tailscale clients is tricky and would not scale to hundreds or thousands of non technical people.
/!/ Also tailscale is a mesh network. It would only take one rouge client to revel all other clients. This is very very dangerous given the use case.
Also, the copyright notice at the bottom of their help center is Google: https://support.getoutline.org/s/article/Data-collection?lan...
A tiny bit more digging and it is actually Google in sheep's clothing: https://jigsaw.google.com/
That's gonna be a no for me, dawg.
If you're going to insinuate something else, I'd suggest you get some actual evidence first. Just saying "colour revolution" or whatever is intellectually lazy, as well as being dishonest and dismissive about people who are risking their lives and liberty.
I just don’t know why this childlike notion that well-coordinated protests are organic persists. It may have been true in medieval times but not today. I can draw you a clear pattern of foreign interference in similar protests with hundreds of data points. Even if this one was completely organic, it would be a staggeringly outlying data point.
An easy way to help someone in a censored country to access Tor.
https://snowflake.torproject.org/
As far as I understand it and as stated the post text up top, the protesters are protesting because a woman died in the custody of the Iranian morality police. That seems like a pretty good reason to protest. If there's more to the story and the protests are actually about something different, then it would be interesting to know what it is. As it is, the comment comes across as "I don't think the death of that woman is worth protesting about" which isn't a sentiment that I think is likely to get much sympathy here.
This is a misunderstanding in how downvotes work here.
A possible exception are hyper-contentious issues (Israel/Palestine for example), where the upvote/downvote count is just a reflection of which tribe has greater numbers on HN.
We have not been blocked yet, session is an e2ee decentralised messenger.
https://getsession.org/
I don't want to seem insensitive to the Iran situation, but how does Session compare to other popular encrypted messaging services?
Seems to be a fork from Signal by oxenio. It's selling point seems to be the crypto currency relation?
Signal also has a private cryptocurrency attached to it, most definitely used by criminals, scammers and even pump and dumped by the founders which one of them are the founders of Signal. (Yes. Moxie is part of it.)
It is based on the signal messenger, the apps look nearly identical.
And you don't have a phone number or an account login, you just have a long UID that you use like your phone number and a random recovery phrase. It is all about not sending much metadata about you, your phone, etc.
Did session and lokinet already have a code security audit or pentest?
When you focus on setting up servers, you can argue it is mainly about communication.
They cannot go after anyone who wants to be online again - but of course they will go after anyone, who set up infrastructure especially for activists.
I would frame it internally strictly as "going online".
Tornode running on a censors machine is ideal.
If you have an idea based on your own knowledge of what they asked for,I'd put it there, that will keep them from duplicating effort.
1. Take a picture.
2. Use app to insert message into picture, encrypt with passphrase.
3. SMS picture to friend or upload to Iranian equivalent of imgur (if any is up).
4. Friend loads picture into app and types passphrase to get message.
I'm not sure what a good choice of app would be, but something good must exist?
Just being able to organize internally is super useful. The protestors don't need to use Facebook to organize effectively.
When similar events unfolded in Syria, people created redundant social networks of fake Facebook accounts. This seemed to work well. When captured and tortured, people would hand over credentials for one account. People would detect that network was "burned" and move to the next one.
This gave the officials very little information, since the accounts did not reference real names, and locations were obfuscated. High risk private messages were deleted, etc.
The key to this working was that Facebook was not sympathetic to or cooperating with the Syrian government, and accessing Facebook was a common (not worth prosecuting) infraction.
I'd be worried that they will fingerprint / honeypot tor infrastructure, then round people up. The existence of the tor client or connection logs basically proves guilt.
Friending facebook accounts with cutsey names is much less incriminating. Edit: Also, any honeypot proxy connection logs just show that you used https to access facebook.
She has been successful using VPN and WhatsApp until today. I don't know if I'll ever hear from her again.
(Though I'm fairly sure the protests are unrelated)
> Iranians can't possibly have any agency. Is that what you're saying?
As someone who grew up in a country that had experienced FOUR US backed coups, multiple 'spontaneous people's movements' of the same nature, yes. That's precisely what Im saying.
The agency that the locals have in such situations is co-opted and subverted by the source that organizes the protests, leaving only a husk of their original intention represented by various symbolism and paraphernalia. The resulting government NEVER does anything in line with the original protests. The policies are always privatizing the nation's resources, setting up US bases, borrowing more from US-controlled financial institutions, reduction of labor protections, deregulation. The same ills that plague the US.
Even if one is not a student of geopolitics or has no knowledge of recent political history, he or she can easily tell who backed such a regime change operation by the resulting policies.
Right now, it seems like those who use the internet and phones are at a disadvantage. Phones are always tracked, and the internet is a giant surveillance tool. If the government controls the network, then it is always at a great advantage, no matter if VPN or Tor is used.
Adding to this, their security forces learned a great deal as well. Here is a brief talk on this covering a little bit of the protest history and what is likely to occur. [1]
[1] - https://www.youtube.com/watch?v=ooROZDeds8o [video 4 mins]
Back then, the governments didn't have that either. Pigs on the streets with barely working (or understandable) radios, outdated huge paper maps, and if they were lucky a barely working chopper for a bit of aerial surveillance. The only tools were water cannons, batons, tear gas that didn't work against drunk people, shields and live ammo.
These days, the abilities of governments in counter-protesting are absurd:
- each pig has not just a radio with high quality audio transmission, but also a digital data channel for streaming video and other intel in both directions
- tons of surveillance cameras with high definition imaging sensors
- cheap-ass drones
- there are multiple vendors offering "data fusion" for command centers. Think of platforms that fuse everything into one cohesive environment: a Google Maps map and satellite view, with individual position markers for each unit, live feeds from thousands of surveillance cameras, live feeds from officer body cameras, live feeds from drones and choppers, AI analyzing all of that to predict movements of the masses, incoming firehose feeds from Twitter and Facebook...
- highly effective tear gases, mobile walls on tanks to lock down streets [first photo of 1], tasers, rubber bullets, LRAD acoustic weapons and other non-deadly tools for crowd control
It's hard to mount successful protest against nations that have half the stuff I just described, and as HK shows all but impossible against a nation that does have this kind of abilities.
[1] https://www.hrw.org/news/2018/12/14/france-police-crowd-cont...
Protesters can just have their accounts frozen, and/or deposits confiscated, as we seen in recent examples.
(Those young kids who use their latest Apple watch to pay for coffee in the morning just because it's "convenient" really do not understand what they are sleepwalking into...)
[1]: https://scuttlebutt.nz/
[edit] checked back in on it since i hadn't used it for a bit. Looks like the clients probably still work but the development seems to have been abandoned for a couple years now. So sad. It had an amazing community. Maybe still does...