Tell HN: The Internet situation inside Iran

1045 points by throwaway124592 ↗ HN
As you probably have heard, there have been widespread protests going on inside Iran for the past week or so following the death of Mahsa Amini at the hands of the morality police.

Following the protests, the government has cut off or severely limited residential and especially mobile broadband access to the internet and people can only access websites and services hosted inside Iran. This has made connecting to VPNs with servers outside Iran, and Tor close to impossible. That being said, the servers inside Iranian data centers still have access to the outside world.

The government has also blocked Instagram and WhatsApp (the main channels of communication used by people inside Iran), and alternatives such as Telegram, Signal, etc are also blocked, halting communications to a crawl. People have to either call each other via GSM or send SMSs (which by the way is being monitored and messages containing keywords related to the protests don't even get delivered). As you can imagine, it's preventing people from coordinating the protests and strikes, and with the sattelite TVs being also heavily jammed, the only source of information accessible to most people is the government-led local TV channels which are distributing regime propaganda 24/7 and trying to scare people into submission.

We (a group of tech people inside Iran) have started using the servers inside Iranian data centers gain access to the Internet, and are setting up VPN servers and Tor bridges and giving the information to people we know. It's not scalable, and it's risky for us (the servers inside Iran can be traced back to us), but that's the only way we could think of to help. The technical details are published here:

https://github.com/InternetForIran/InternetForIran

We need help on multiple fronts:

- Please review and contribute to our repository on GitHub linked above. We need to improve the security and make deployment easier.

- The methods for setting up Tor bridges described in the repository were working up until 2 days ago, but have mostly stopped working and we haven't figured out why yet, maybe you can help?

- We have reports that V2Ray VMess and ShadowSocks are working inside Iran even at times when most other tools and protocols don't. We haven't been able to reliably deploy and test this (there are many configuration options and it's not clear which methods are working). Please create an issue or send a PR if you know how it works and how to deploy it.

- If you are an Iranian expat: Get a server inside Iran and set this up for your family and friends and get them back online.

- If you are an entrepreneur or work at a tech startup inside Iran: Your company already has servers inside Iran. Talk with your team, set up VPN servers and Tor bridges and share them with other employees and ask them to help get their family and friends online.

Edit: Formatting.

197 comments

[ 4.0 ms ] story [ 222 ms ] thread
Yes, it's such a shame people are spamming Signal proxies when Briar is the one most deserving of attention. Especially considering Briar works without internet and Iran has a history of shutting off the internet.
Briar is built for emergencies such as natural disasters. BTW, blocking comms (for any country) it's a disaster for the economy.
(comment deleted)
along the same line...

freemesh for wifi AP based mesh networks. not as convenient as briar, but considering the situation having multiple modes of communication seems like a good hedge.

  https://freemeshwireless.com/

also, if you can get a hold of lora wan based devices, e.g. esp32 w/ lorawan, you can set up a lorawan based mesh network with wifi entry points.

  https://meshtastic.org/
+1 if y'all can explain the UX of these apps to regular folks, it's much harder to censor individual Bluetooth connections run on mobile phones than a server in a data center. If y'all can risk sending mules to a gathering to run messages between folks, it'll keep you going even if the internet gets cut off from DCs.

Worst case a mule gets captured or turns to the government in which case those messages are lost. That's all.

Briar has been translated to Persian 100%. This is a good indicator that is must be in widespread use in Iran
Yeah I think this is the way. Trying to setup VMs and proxies to get outside internet working is a lost cause IMHO. They need apps that work with a mesh networks and keep things local using wifi and bluetooth. This is the way.
Just my opinion but I think that non-interventionism should be promoted here. Especially when it comes to political situations like this. It’s a dangerous game.
I agree, but if you're never going to step foot in Iran and have no contacts there then I don't see why not.
Actually that’s a selfish way to look at it. You’re putting other peoples lives at risk inside the country. Anyone could easily decide to contribute compromised and malware infected VPN or TOR servers that will in actuality log traffic.
"Of course, you know of the Prime Directive, which tells us that we have no right to interfere with the natural evolution of alien worlds. Now I have sworn to uphold it, but nevertheless I have disregarded that directive on more than one occasion because I thought it was the right thing to do. Now, if you are holding on to some temporal equivalent of that directive, then isn't it possible that you have an occasion here to make an exception, to help me to choose, because it's the right thing to do?"

Jean-Luc Picard

The prime directive is not for peer civilization. Iran is not on a stone age (yet).
Allow me to introduce you to:

https://en.m.wikipedia.org/wiki/Metaphor

The objection was to your metaphor.
A metaphor is never going to cleanly map from one situation across to another. If it did, we would have no need for the metaphor as we would just have two identical scenarios. The metaphor’s purpose is to elucidate insight in one matter by presenting another with some similarities.

If you’re going to object to a metaphor, I think you should do it on the grounds that it offers little to no insight into the situation. In my opinion, if you’re going to object to the above quote based on the fact that Iran is, in terms of infrastructure if not politically, well developed then you may as well also disregard it because Iranians are not an alien species and software developers are not captains of space ships.

To use another metaphor: you’re losing the forest for the trees. Please don’t object to this on the grounds that there is no foliage on the bridge of the USS Enterprise.

Your metaphor would work if we discussed whether or not to contact some isolated tribe in Amazon.

Then we could have discussed pro/cons of destroying someone way of life by introducing our civilization vs. turning a blind eye to the poor (by our standards) living conditions of the tribe.

Iran (even if you don't like its political system) is not it.

The metaphor obviously doesn’t resonate with you. It does resonate for myself and for 13 other people. I wish you well and hope you find something more to your liking.
It is very sad that facts do not matter just populism
No, it is sad that you cannot accept that people respond differently to different things. That two different viewpoints can exist and both be wrong and both be correct to varying degrees simultaneously. That one man's trash is another man's treasure. There is no "fact" in metaphor and story, only interpretation. It is not objective science. Rather ironically given the thread, you're acting as if you're the ayatollah of metaphor and that we should all just get in line and bow to your viewpoint.

What (I presume) you see in the quote:

- We have a rule not to interfere in *primitive* cultures.

- It is sometimes acceptable to break this rule when I feel it is morally right to do so.

When you read the quote, your emphasis is on the primitive. To you, the prime directive as a metaphor can only stretch to cover that. However, other people can take this advice and apply it in a more abstract way to many different areas of life. For example:

- We have a rule not to interfere in other cultures.

- We have rule not to interfere in other parts of the business.

- I have a rule not to interfere in other people’s affairs.

For example, the latter could form part of Kant’s Axe Murderer dilemma. You may think it is unacceptable to lie, but when faced with an axe murderer at the door looking for someone they intend to murder, you may choose to lie to save the intended victim. You may or may not class this as interference. You may go further and ring the police at which point I think you are interfering by most people's definition. Even though we are now talking about axe murderers and are very far away from primitive alien cultures, there is still a link between the two scenarios regarding rules around interference and when it is morally right to do so.

You could almost see this as a percentage scale, where 100% would be if a future space ship captain was debating whether to interfere in a primitive culture and 0% being do I want to get a bacon roll for breakfast tomorrow (e.g zero relevance). In this case, yes, your point about the amazonian tribe IS more relevant as it ticks more similarity boxes. Maybe it would score something like a 90% on the similarity scale. However, “we have a rule not to interfere in other cultures” is, in my mind, not too many percentage points off, maybe say 85%. To you it may be much less, say 30%. That’s fine, we are allowed to have different viewpoints.

The one thing I would say is that I personally feel that if you take a restrictive view of stories (which is what I would consider only allowing yourself to consider the prime directive relevant to primitive cultures) you are cutting off a lot of the richness of story telling. Writers want us to take their stories, be they set in the past, present and future, and relate it to our lives and current events. If you don’t do that, then what even is the point in taking the time to read them? Do you even feel a connection to the story? Do you feel it has enriched your life in any way? Are you really watching Star Trek in case you one day have to make an ethical decision on whether to interfere with an Amazonian tribe or do you feel that there are lessons within it that can be applied to more mundane and ordinary existences?

Thank you for your thoughtful answer. It is more than my comment deserves. I agree with most you said. I had to look up what is "Kant’s Axe Murderer dilemma".

I feel the same way that the best sci-fi is about us/our lives. Though disagree with conclusions --reasonable people can disagree-- if we would remove the god-like difference in power between groups then there were not the prime directive in the first place.

In practical terms, I don't expect any debate/morale dilemmas when we encounter isolated tribes -- they are likely to be exterminated for profit one way or another. The prevailing logic in practice: the might is right. Then the story can be spinned in whatever way to make it digestible by the public if necessary.

Don’t worry about it, it was my own fault for being a sarcastic bastard with

“Allow me to introduce you to:

https://en.m.wikipedia.org/wiki/Metaphor”

that set the wrong tone for this entire comment thread to begin with.

I agree that the Prime Directive of Star Trek is dependent on primitive species. I think that the Prime Directive of Life is to not interfere in other people’s business without good reason. In the case of Iran right now, if I had the skills (which I don’t) I’d be tempted to break the Prime Directive of Life because I think there are people there being killed and tortured for no reason other than it aids the men in power maintain their status and that doesn’t sit right with me. Obviously if you kill one monster you can’t be sure an even worse one won’t take its place but for me, I’d rather take my chances. I’ve got to have hope in humanity, that we can come together, that we can banish evil when we see it even if it takes us many attempts and that we can build better things in its place. I believe people should be free to live their lives however they wish so long as they are not hurting others.

Sadly, I feel you may be right on the “might is right” thing. In my opinion, Star Trek only works as a series due to the “universal replicator”. As a device, it allows for the creation of anything, thus there is no scarcity of resources and the entire planet is free to adopt an “abundancy mindset” rather than a “scarcity mindset”. With people no longer worried about survival or material possessions, people are free to pursue their passions and curiosities and focus on bettering themselves rather than competing to survive.

The Star Trek universe also only works because the federation have more technologically advanced weaponry than their ideological adversaries allowing them security and peace of mind. Of course, it is possible to achieve an abundance mindset without any replicator as many happy people alive today will demonstrate. But in what is an increasingly materialistic world, it may be the quickest way to achieve it globally. I don’t think this is going to look like a box that just makes things as in Star Trek. Instead it will be AI controlling many different machines and abundant renewable energy to power them. Maybe it will all go wrong with the singularity. Who knows!

Sadly, we know through the ancients that the “gods are eternal” so it is likely that, if we were able to create a similar utopia to that of Star Trek, we will still produce damaged people who seek war, power over others etc just as the advanced worlds of Star Trek have their own villainous characters. We would thus need to also have other systems well developed simultaneously, good health care systems, good education systems, good political systems etc. Maybe then we will have ascended to a place where we deal with our inner world in a manner that is non destructive to our external world and will be able to go to space as explorers rather than conquerors. If we go to space before this self mastery is achieved then it will be likely be the same old tragic self interested story.

I think non-interventionism is a good choice for governments that are addicted to foreign adventurism.

I think non-interventionism is a bad choice for individuals with the power to help people under repressive regimes communicate with the outside world.

It is not a game. Governments around the world, big and small have been seen turning internet off at the first sign of trouble. It only makes sense that we provide a way for the population to circumvent those efforts. As flawed as internet is, I still think it is worth defending and protecting from government overreach.

I will say even more. Other governments are watching and likely debating what could be used on their respective turfs. Something to think about.

Star-link + widespread mesh network nodes? Although, what about jammers?
I support non-interventionism as a default mode for public policy.

I also support the rights of private citizens living in a free society to act on their own behalf, however they see fit.

That's not a dangerous game, that's an excercise of the rights protected by the society they are part of.

I don't see how providing internet connections to people in Iran constitutes intervention. What they do with those connections is up to them.
Unless you have a personal political opinion about it. I personally support Iran, I support the Iranian government (as an existing middle eastern democracy), and I support the Iranian people. I am against oppressive theocracies, and I support Iranian citizens doing what is necessary to loosen or free themselves from the hold of how they express their faith being dictated from above.

In my opinion, any methods to help Iranian people to help them shake this control that aren't covert Western attacks on Iran or Islam are a good thing. Helping the protestors to communicate with each other is one of the most neutral, anodyne things you can do. For me, legitimate government is created through discussions, plans, and agreements among the governed. Any disruption of that is despotism. Maybe, one day, Iranians will be helping us protest.

It’s a dangerous game.

That it is. When their society has reached a tipping point where women are burning their hijabs in the street in front of massive groups and cameras I think they have decided to not hide in the shadows and are willing to sacrifice themselves for what they believe in. Many of them are likely to have unspeakable things done to them. I suspect they know the sacrifices they are making and willing to take risks. Godspeed to them.

How insane is it that women are risking death by burning a hijab, and as you say 'willing to sacrifice themselves for what they believe in'.

LISTER: Do you mean they had a war over whether the doughnut diner hats were red or blue?

HOLLY: Yeah. Most of them were killed fighting about that. It's daft really, innit?

LISTER: You're not kidding. They were supposed to be green.

They are risking death for not challenging the status quo.
the servers inside Iranian data centers still have access to the outside world.

Knowing that, the simplest and easiest solution that would avoid detection is to SSH tunnel into that datacenter and SSH-ProxyForward out of that datacenter into Amazon AWS via SSH and use that SSH proxy chain as a SOCKS proxy for browsers. Make sure the browser is using the SOCKS proxy (SSH) for its DNS. Many sites will make your friends solve captchas if they show up from Amazon so if you have a friend outside of Iran in the same AWS region that is willing to open SSH on their home router then one could add that private home router as their last hop in the SSH proxy forward. Do not go directly from the datacenter to the home. It is normal and expected for Datacenters to SSH to Amazon.

SSH Client -> Iranian Datacenter / Server -> AWS VM -> Home router in same region as AWS -> Internet.

If many people are using the same server and VM then make sure that MaxStartups and MaxSessions have been increased in sshd_config as well as any PAM limits on the servers for open files on every node in the path. Clients should enable ControlPath / ControlMaster in their ssh_config or ~/.ssh/config. To harden each hop configure PermitOpen to only allow the SSH hops and the final hop should also permit *:443

Examples of all these steps can be found on SuperUser / StackExchange / ServerFault and are all public knowledge. All above-board, no hacking involved.

[Edit] Removing the Squid MITM SSL-Bump proxy idea. That would make follow on questions harder to explain.

[Edit from Fatnino's input] If your Amazon VPC's are too outbound-restricted then pick another VPS provider that is commonly used for hosting 3rd party tools for datacenters, preferably one already used by that datacenter.

[Edit] In theory hypothetically speaking every hop possible could have misconfigured but realistic looking syslog so that SSH connections are not logged on the server and in theory a log-less silent rule in the edge firewall to not log SSH connections. Sometimes syslog disks also fill up by mistake. SSH can also be performed in ephemeral diskless containers such as Docker, Podman and LXC.

I worked at a place with very restrictive internet policies. My team had access to one aws instance that could get out to the open internet.

So my connections looked like this:my laptop at work in California, tunnel to aws in Virginia, tunnel back to a server at my house in California, connect to actual desired site likely hosted on aws in Virginia yet again.

The first hop, "SSH Client -> Iranian Datacenter" seems extremely vulnerable to surveillance, and would create an incriminating list of people involved. With this discussion in the open, you can bet Iranian authorities are going to specifically look for anything discussed here, so the only viable solutions should have no measurable deviation from normal behavior that would allow them to detect which datacenter was doing this.

To make this happen, you should have a minimum number of connections from inside Iran into the datacenter.

For a small group of trusted people with always on connections, you could just create a linear chain of SSH forwards connecting everyone. For widespread connectivity, a TOR bridge through the path you describe would be workable.

I considered that, but the small group of trusted people is a bit of a double-edged sword. If one person is taken and they do not have good OpSec they could expose that entire group of trusted friends and that would be a more valuable target to authorities. So in that case I would stick with having an accidentally exposed SSH in that datacenter.
maybe lorawan can be used to launder the traffic? IoT traffic obfuscators running on battery power
You'll fill the airwaves very quickly with Lora devices. They're quite terrible at anything more than very simple text data. Time in air is high, bandwidth is very low, and signal clashes in crowded areas are a big issue.
Could individuals run a public internet gateway that doesn't keep logs with something similar to mosh but running the equivalent of an SSH tunnel? Think a SOCKS proxy on one end, but running as a public web application/forward proxy on the other end.

The ISP would still be able to see any traffic to the gateway, but if you had enough links outside of government monitored net infrastructure to the gateway (hard lines you take down or obfuscate when the patrol does their rounds, wireless point to point connections), the risk would be on the gateway operator.

(Please do not take my advice without evaluation. This is speculation from a SWE, not advice for life or death situations.)

Edit: I suppose if your ingress traffic is over links not monitored by government anyway, it doesn't matter if you use SSH or a web application forwarding traffic to a SOCKS proxy behind the scenes. Not sure if the idea presented above would be useful in other scenarios.

Edit2: I guess usability is a benefit, even without security benefits. "Plug in this cable and type this URL into your browser" is easier than "open a terminal and establish an SSH connection."

something similar to mosh

Something that looks similar to mosh being UDP and encrypted but that allows proxied traffic would be Tinc Open Source VPN [1] The nicest thing about Tinc is that it does user-space dynamic mesh routing without requiring packet forwarding being enabled. I would call it a middle ground to onion routing if set up right. It has configurable compression. The reason I did not suggest this is that it is not simple to set up and get OpSec right the first time out of the gate unless the people involved are already very experienced with it. That's why I suggested SSH. SSH is relatively simple, well known and will blend in with all the legit SSH traffic and more people have experience with SSH. SSH egress from a datacenter is normal, expected and likely already permitted to AWS without making logged firewall changes.

[1] - https://www.tinc-vpn.org/

Bookmarked. Thanks!

Agreed on the utility of SSH. I work on a product that offers SSH certificate authorities as a service, among other things, and have read some of the RFCs.

I mainly mentioned the web forward proxy as a response to the "SSH traffic to Iranian datacenters from residential connections is suspicious," comment, but SSH is a great basis to build on. I doubt the SSH egress from the datacenters would draw much attention, but again, I wouldn't use my advice in a life-threatening situation, especially as I have never seen these type of monitoring systems in action.

You are not dealing with a state that will say "teehee, we have no proof of the data that's going through, oh well!". Anyone found operating one of these gateways will just end up being beaten with a wrench, and traffic logged further on. Considering this, it's overall safer to not go through a central gateway, and to have as many possible connections going through. Hell, even PCs stored in weird places, in government offices, just to make the signal to noise ratio even worse.

A gateway is a single, big ass signal that says "come murder me".

Good point. I wish I could delete or edit my comment but I can't. Thanks for the reply.
Moderators can probably help.

hn@ycombinator.com

This is a good recommendation.

Using Tor sounds good in theory, but it's too far easy to identify all of the Tor connections and identify the residences connected to them.

I would suggest using SSH tunnels on whatever port a given server normally communicates on. If this is 443, connections should just look like normal web browsing on an ISP level. If the server is used to transmit other data over TLS using that port should be fine too.

All of that said, the challenging thing is not to secure the traffic, but to make it look normal. A persistent connection is not normal from a residential IP in most cases. This means you should take your session down once you've sent your messages for the day.

> If this is 443, connections should just look like normal web browsing on an ISP level

Except that it doesn't look like TLS - depending on what the traffic inspection capabilities look like I imagine someone speaking SSH on port 443 is pretty incriminating :/

ssh over 443 is likely to be rather common since most firewalls leave 443 alone
If the datacenter had been using SSH on port 22 to AWS in the past, I would just stick with that. The less changes the less obvious something is out of place. It sounds like they can still egress the datacenters for now.

The connection to the residence would be the last hop in the SSH proxy foward chain meaning that all Iran will see is Datacenter -> AWS. Then it is AWS -> residence. Iran would not have visibility into AWS egress traffic, rather Five-Eyes [1] would see everything in and out of AWS.

Datacenter -> Non-Iranian-AWS Region -> Non-Iranian Residence -> Internet.

The flow from the DC to AWS is all they would see.

[1] - https://en.wikipedia.org/wiki/Five_Eyes

Just a side note: I guess it still can be suspicious as AWS is banned for Iranian. Irainians usually use other VPS providers.
Ah I was unaware. In that case they should use whatever VPS they normally use that is outside of Iran. Hopefully some of them are outside of the country.
Would traffic shaping still enable to guess this is a browser usage rather than a typical ssh?
I believe you are asking about theoretical machine learning used to identify encrypted traffic patterns.

SSH can be used for file transfers via sftp so it is not uncommon to have long transfers of data. In this edge case however one could set up a simple rate limited rsync over ssh and then rate limit ssh slightly higher so that the browsing shares the bandwidth creating a relatively smooth data stream. Data streams are not expected to be perfectly constant across the internet so a little fluctuation would be fine.

If Multiplexing is being used via ControlMaster ControlPath in the client then the people browsing will be riding the extra SSH channels without having to re-authenticate after their first authentication. The first SSH channel would be used for the SFTP transfer.

   rsync -aq --bwlimit=600 /some/dir/big-file ssh-first-hop:/dev/null
Then rate limit SSH just above 600KB/s using `tc`. On a modern kernel this is one line.

   tc qdisc add dev eth0 handle 101: root cake diffserv3 bandwidth 6mbit internet nat egress ack-filter triple-isolate ethernet  memlimit 32M
One could use HTB bucket rules with tc on older kernels.

All of this said, I do not believe this step is required unless a datacenter's SSH traffic patterns were already being traffic profiled and I would theorize that for this to be the case Iran's intelligence agency would have been watching them for other reasons.

Telegram have MTProxy that acts as a proxy and censor resistant.
[Edit] Too late for me to edit my original post. It was pointed out to me that Iranians are not permitted to use AWS. In that case, replace "AWS" with whatever VPS/Server providers that Iranians are permitted to use that is outside of the country.
I'm an Iranian living in the US and I have family in Iran. The internet is completely shut off for two weeks and international phone calling also doesn't work. All I can do is pray at this point.
Hoping for the best for you and your family. I am so sorry you all are going through this.
I would recommend trying to set up tailscale[0] in the servers instead of a VPN, its similar to the reply about SSH ProxyForwarding but it has a lot more tricks under the hood. Of course you need somewhere (aka an AWS server in eg. europe) to connect to.

Also have a look at their blog post about NAT traversal for some potential inspiration: https://tailscale.com/blog/how-nat-traversal-works/

Good luck out there! I'll have a look at your github repo now.

[0]: https://tailscale.com/

Tailscale is a VPN...

And it requires a control server with auth. Simply cutting off access to the control server would disable clients from connecting.

While there is headscale, configuring the tailscale clients is tricky and would not scale to hundreds or thousands of non technical people.

/!/ Also tailscale is a mesh network. It would only take one rouge client to revel all other clients. This is very very dangerous given the use case.

Please if you're having trouble setting up Shadowsocks consider using Outline (getoutline.org) asl19.org and their Telegram bot for generating Outline access keys. This team has put in years of effort to make Shadowsocks usable by regular people
The Learn More button in the cookie banner goes straight to Google's site.

Also, the copyright notice at the bottom of their help center is Google: https://support.getoutline.org/s/article/Data-collection?lan...

A tiny bit more digging and it is actually Google in sheep's clothing: https://jigsaw.google.com/

That's gonna be a no for me, dawg.

Jigsaw is run by Google but if you look at outlines GitHub you'll notice that it's completely independent of anything Google.
For what was supposed to be a spontaneous protest, this all seems incredibly well-coordinated. Certainly wouldn’t be the first time a foreign government used riots to influence government policy. Even further, Khamenei may not last the year and such riots could heavily influence the selection of his successor, offering a strong motive to any country looking to engage in such espionage.
So glad we can both appreciate how well organised mass protests can be when everyone works together.

If you're going to insinuate something else, I'd suggest you get some actual evidence first. Just saying "colour revolution" or whatever is intellectually lazy, as well as being dishonest and dismissive about people who are risking their lives and liberty.

It's also lazy because every spy agency is drawn to unrest in a rival country like a moth to a flame. Regardless of how pure a movement is, it will quickly attract foreign interest and influence as it grows. So this is ultimately just an easy way to dismiss any challenge to the status quo.
I can’t name a single insurrection in the past 300 years that didn’t have significant foreign financing and support from the beginning. America’s 1776 insurrection was heavily financed by the French. The 1918 Russian Revolution could not have been won without help from the Germans. Castro wasn’t going anywhere without Russian support. The Hong Kong protests were backed by the US. Israel destroyed Middle Eastern stability with the Arab Spring.

I just don’t know why this childlike notion that well-coordinated protests are organic persists. It may have been true in medieval times but not today. I can draw you a clear pattern of foreign interference in similar protests with hundreds of data points. Even if this one was completely organic, it would be a staggeringly outlying data point.

Your understanding of how the world works is simplistic and wrong. Happy for you and your datapoints, no need for the drawing.
Everyone should install the snowflake extension as this allows you to create a bridge in to Tor with just a browser extension. An easy way to add to the Tor bridge IP pool without having to spin up a VPS.

An easy way to help someone in a censored country to access Tor.

https://snowflake.torproject.org/

Why are we downvoting someone's opinion? At least leave a rebuttal.
Because an opinion by itself doesn't add much to the discussion, if we don't know why that opinion is held.

As far as I understand it and as stated the post text up top, the protesters are protesting because a woman died in the custody of the Iranian morality police. That seems like a pretty good reason to protest. If there's more to the story and the protests are actually about something different, then it would be interesting to know what it is. As it is, the comment comes across as "I don't think the death of that woman is worth protesting about" which isn't a sentiment that I think is likely to get much sympathy here.

>Because an opinion by itself doesn't add much to the discussion

This is a misunderstanding in how downvotes work here.

(comment deleted)
We don't talk about down votes on hn "because it is boring" to dang. And because there is an incentive to downvote something which is downvoted. Lighter color indicates downvoted content. It shows reputation. As reputation precedes, people will downvote lighter colored text until someone asks why below it. In which case they will reconsider.
There are also a lot of HNers (myself included) who will upvote any comments they see that they think are unfairly downvoted, whether they agree or disagree with the comment. It creates a pretty good balancing effect. The end result is that comments that stay downvoted after having a decent number of eyeballs on them seem to usually deserve it.

A possible exception are hyper-contentious issues (Israel/Palestine for example), where the upvote/downvote count is just a reflection of which tribe has greater numbers on HN.

(comment deleted)
Would you care to develop on that? (either the reasons or why you don't agree with them)
Anything posted without explanation can be downvoted without explanation.
(comment deleted)
Iranians are protesting and chanting "women, life, freedom". So are you saying that you're against those moral ideals?
Over at session we are getting a massive influx of users from Iran right now.

We have not been blocked yet, session is an e2ee decentralised messenger.

https://getsession.org/

Thank you for Session, i've been using it to reliably communicate with a friend in Iran
I have not heard of Session before now.

I don't want to seem insensitive to the Iran situation, but how does Session compare to other popular encrypted messaging services?

https://github.com/oxen-io

Seems to be a fork from Signal by oxenio. It's selling point seems to be the crypto currency relation?

Yup, they are selling usernames for $
More decentralized and censorship resistant than Signal, which that is sitting on Google's servers. Google has the ability to shut Signal down if they wanted to or if asked to by the authorities, since Signal is helping others evade sanctions illegally without a license.

Signal also has a private cryptocurrency attached to it, most definitely used by criminals, scammers and even pump and dumped by the founders which one of them are the founders of Signal. (Yes. Moxie is part of it.)

It is completely decentralized and works like Tor (Onion Routing) while others are centralized or federated.

It is based on the signal messenger, the apps look nearly identical.

And you don't have a phone number or an account login, you just have a long UID that you use like your phone number and a random recovery phrase. It is all about not sending much metadata about you, your phone, etc.

How does session compare to Briar + Orbot?

Did session and lokinet already have a code security audit or pentest?

(comment deleted)
If you are an American, it [edit] may be a crime to do so. Be careful.
It seems risky to set this up on something you own when facing the adversary you face. Use good OPSEC. Don't do this on something than can be tied to you. Not on your servers, not from your workstations, not from your house, not from your workplace. That's 101 level operational security. It'd just take one user to be discovered using the VPN, followed by forensics and interrogation to unmask whoever sets this up. Then what happens?
I would say, it depends.

When you focus on setting up servers, you can argue it is mainly about communication.

They cannot go after anyone who wants to be online again - but of course they will go after anyone, who set up infrastructure especially for activists.

I would frame it internally strictly as "going online".

The idea is plausible deniability, used PCs that could be plausible hacked. Bonuspoints when they are part of the regimes machinery.

Tornode running on a censors machine is ideal.

There's also DNS tunneling (dnstt) which is slow but probably harder to block
(comment deleted)
I see a lot of people suggesting services, wanting to be helpful here, when they asked for people to respond on GitHub.

If you have an idea based on your own knowledge of what they asked for,I'd put it there, that will keep them from duplicating effort.

Can people use a steganography app to communicate via innocuous images?

1. Take a picture.

2. Use app to insert message into picture, encrypt with passphrase.

3. SMS picture to friend or upload to Iranian equivalent of imgur (if any is up).

4. Friend loads picture into app and types passphrase to get message.

I'm not sure what a good choice of app would be, but something good must exist?

The point is that phone service and access to the outside internet is blocked. You can't get images out any more than you can get text out, so putting text in images does not help.
If data centers can make outside connections then steganography and internal (to Iran) routing can help get messages from protests to someone that can pass those through datacenter Internet links.

Just being able to organize internally is super useful. The protestors don't need to use Facebook to organize effectively.

I thought the main goal was to help Iranians communicate with each other.
Is there any good open source or publicly usable steganography software with reasonable UX? Page 1 of Google shows this thing called OpenStego. I've heard of steganography but have no idea what tools are reputable in this space.
Does steganography break when Social media sites reprocess images? I.e. do you need to access the underlying raw bytes?
Great point, probably most approaches break if the site is doing that.
I find MMS heavily compresses images to an absolutely unusable extent.
(comment deleted)
I wish you the best of luck.

When similar events unfolded in Syria, people created redundant social networks of fake Facebook accounts. This seemed to work well. When captured and tortured, people would hand over credentials for one account. People would detect that network was "burned" and move to the next one.

This gave the officials very little information, since the accounts did not reference real names, and locations were obfuscated. High risk private messages were deleted, etc.

The key to this working was that Facebook was not sympathetic to or cooperating with the Syrian government, and accessing Facebook was a common (not worth prosecuting) infraction.

I'd be worried that they will fingerprint / honeypot tor infrastructure, then round people up. The existence of the tor client or connection logs basically proves guilt.

Friending facebook accounts with cutsey names is much less incriminating. Edit: Also, any honeypot proxy connection logs just show that you used https to access facebook.

According to my friend in Iran, Facebook has been banned for some time. Same with FB Messenger.

She has been successful using VPN and WhatsApp until today. I don't know if I'll ever hear from her again.

Just make sure to be reasonably active on those accounts.
Funny how the women's rights situation in Iran became bad enough to prompt large scale protests within two weeks of Iran joining SCO. Not two months earlier. Not two months later. Just within weeks.
SCO? The country code for Scotland? The Santa Cruz Operation? What's SCO in this context? My (30 seconds of) searching turned up nothing plausible.
I was thinking in South Colorado. Is a common problem with specialists using acronyms in a conversation for a wider audience.
This is the sixth occurrence of major protests in Iran in in five years.
How many of them were such large scale 'spontaneous' protests that were televised this much like this one...
This one is still on the small side, actually.
Yeah, murdering a woman for not wearing her hijab properly is just a western plot. Iranians can't possibly have any agency. Is that what you're saying?
Surely it's not the first or the last time that this has happened or will happen again. I can smell the glowies from a thousand miles away.
People were being murdered for not wearing their hijab last year. The year before. The year before that. Why didn't large scale 'spontaneous' protests erupt at any point in that time period but instead happened right within 2 weeks of SCO membership...

> Iranians can't possibly have any agency. Is that what you're saying?

As someone who grew up in a country that had experienced FOUR US backed coups, multiple 'spontaneous people's movements' of the same nature, yes. That's precisely what Im saying.

The agency that the locals have in such situations is co-opted and subverted by the source that organizes the protests, leaving only a husk of their original intention represented by various symbolism and paraphernalia. The resulting government NEVER does anything in line with the original protests. The policies are always privatizing the nation's resources, setting up US bases, borrowing more from US-controlled financial institutions, reduction of labor protections, deregulation. The same ills that plague the US.

Even if one is not a student of geopolitics or has no knowledge of recent political history, he or she can easily tell who backed such a regime change operation by the resulting policies.

Back in the 80's, I remember that people were protesting without internet and mobile phones, with very successful results. They bought down the iron curtain after all. The most sophisticated technology they used was the printing press, for printing and distributing fliers, newspapers and censored books. Underground groups were organized in cells too, without phones, email or apps.

Right now, it seems like those who use the internet and phones are at a disadvantage. Phones are always tracked, and the internet is a giant surveillance tool. If the government controls the network, then it is always at a great advantage, no matter if VPN or Tor is used.

People can protest without the Internet. However, they’re at a greater disadvantage than protesters in the 80s because the government does have the Internet.
Back in the 80s, the number of people who had been and were killed organizing this way had a lot of zeroes at the end of it. Don’t get me wrong, I’m all for a low tech approach to security where it makes sense, but it’s not a panacea. And it’s not like this evolving movement wasn’t organizing the same way at the same time, we’ve learned more from them than the inverse.
we’ve learned more from them than the inverse

Adding to this, their security forces learned a great deal as well. Here is a brief talk on this covering a little bit of the protest history and what is likely to occur. [1]

[1] - https://www.youtube.com/watch?v=ooROZDeds8o [video 4 mins]

> Back in the 80's, I remember that people were protesting without internet and mobile phones, with very successful results.

Back then, the governments didn't have that either. Pigs on the streets with barely working (or understandable) radios, outdated huge paper maps, and if they were lucky a barely working chopper for a bit of aerial surveillance. The only tools were water cannons, batons, tear gas that didn't work against drunk people, shields and live ammo.

These days, the abilities of governments in counter-protesting are absurd:

- each pig has not just a radio with high quality audio transmission, but also a digital data channel for streaming video and other intel in both directions

- tons of surveillance cameras with high definition imaging sensors

- cheap-ass drones

- there are multiple vendors offering "data fusion" for command centers. Think of platforms that fuse everything into one cohesive environment: a Google Maps map and satellite view, with individual position markers for each unit, live feeds from thousands of surveillance cameras, live feeds from officer body cameras, live feeds from drones and choppers, AI analyzing all of that to predict movements of the masses, incoming firehose feeds from Twitter and Facebook...

- highly effective tear gases, mobile walls on tanks to lock down streets [first photo of 1], tasers, rubber bullets, LRAD acoustic weapons and other non-deadly tools for crowd control

It's hard to mount successful protest against nations that have half the stuff I just described, and as HK shows all but impossible against a nation that does have this kind of abilities.

[1] https://www.hrw.org/news/2018/12/14/france-police-crowd-cont...

Yup, the other side of the coin is even darker. To add to the list - the recent trend to phase out cash in favor of electronic payments.

Protesters can just have their accounts frozen, and/or deposits confiscated, as we seen in recent examples.

(Those young kids who use their latest Apple watch to pay for coffee in the morning just because it's "convenient" really do not understand what they are sleepwalking into...)

80's, a world without cameras in each street.
regarding V2Ray VMess and ShadowSocks, I believe you could directly create issues or contact their maintainers for help, they are willing to help since we have been fighting against THE FIREWALL for many years, there are lots of active communities.
yes, v2ray VMess shadowsocks is the best protocal in the world.
you might want to consider scuttlebutt[1]. It's a truly decentralized social network. You can set up your own in-country servers to spread information between clients fairly easily and it doesn't matter if they take them down because it's decentralized any any other server can replace it. Set up a few and then if they take one down the others can spread the word about where to find its replacement.

[1]: https://scuttlebutt.nz/

[edit] checked back in on it since i hadn't used it for a bit. Looks like the clients probably still work but the development seems to have been abandoned for a couple years now. So sad. It had an amazing community. Maybe still does...

Wouldn't p2p applications be problematic because they reveal the IPs of several people who are connected?