56 comments

[ 3.6 ms ] story [ 104 ms ] thread
The question is: how are they doing this?

My money is on internal BGP route announcements that blackhole twitter's IP address as this technique has been used for IP filtering in China and Pakistan and doesn't require any special equipment or overhead.

Unix-like operating systems commonly implement IP address blocking using TCP Wrapper, configured by host access control files: /etc/hosts.deny and /etc/hosts.allow
The hosts.allow and hosts.deny files only affect incoming connections to services that read them (whether by being invoked through tcpd, or by otherwise using libwrap. You could prevent Twitter from connecting to your FTP service or whatever, but not prevent other users on your network from contacting Twitter.
They even blocked DNS servers.. Sadly, Erdogan thinks that if people can't access to Twitter, they can't access to corruption tapes.
The turks are very sophisticated, it might stop the rurals from getting to twitter but not people in teh cities.

  * https://www.torproject.org/download/download
  * https://www.privateinternetaccess.com/
They would have to block every VPN provider on the planet.
A good friend of mine is in Turkey. I just fired up a few droplets on Digital Ocean for his friends and family to use as VPN's.

It only takes about ten minutes per VPS to set everything up.

I was in Istanbul, southern, central and eastern Turkey over six weeks during the protests, wonderful people everyone.
(comment deleted)
Usually you can get around proxy and firewall blocks of IP addresses by using the Decimal equivalent.... for instance, here is the decimal version of the IP address for google http://74.125.224.72/ http://1249763400
While this works with many basic firewalls, this does not work at the IP routing level.

The IP address is in a binary format long before it hits the routing tables on the Internet.

[edit: cleaning up wording]

(comment deleted)
(comment deleted)
That's easy to fix, Twitter sets their TTL to 5 minutes and changes their frontend address every 5 minutes.

Now if they block Google Public DNS, that's a problem, but again, that involves very carefully tweaking route advertisements (since it's anycast). You can also always grab the DNS record out of the root nameservers.

Ultimately, filtering the Internet only works if you filter all of the Internet.

They should be able to watch Twitter's frontend address and ban it accordingly.

Right now the solutions are VPN, Tor and opera mini style proxy services. It's expected that they may go after these too. AFAIK the law requires ISP's to take measures against censorship avoidance methods.

The PM acts against the social media as if it's an existential threat for him.

I am not sure if he rationally calculates these actions or he just can't handle any speech that is not controlled directly by him.(as the leaks indicate, he practically controlled the traditional media for years since)

An easy and amusing fix that won't happen would be for Turkish IPs to be directed to a set of proxies shared by Twitter, Facebook, Microsoft, Google, Wikipedia, and a few other popular sites/services.

Blocking Twitter is disturbing. Blocking much of the web people use daily is a serious escalation that seems unlikely to last in Turkey.

"The PM acts against the social media as if it's an existential threat for him."

Well, it is.

They should be able to watch Twitter's frontend address and ban it accordingly.

It's the government. First they'll have to write a contract. Then they'll have to solicit bids. Then...

Meanwhile, Twitter has highly-experienced software engineers and system administrators on staff.

Turkish government is not a typical government in that regard. It's more like an oligarchy where some chosen people can get things done with a simple call in minutes. An example: There is a "Ministry of Telecommunication and Communication" (TİB) and the president of TİB, solely by his own will, can shutdown web sites within 4 hours.
Not if the people he calls have to do something new. DNS blocks are easy. Weathering an active attack might be harder. The question is how far Twitter wants to escalate.
If people keep pushing it with VPNs and censorship avoidance they'll just push Turkey to switch to a whitelisted Turkey-approved Internet and block everything else by default. It's much easier to maintain a whitelist of approved sites when you're censoring people than try to play whack-a-mole and block things that you don't like.
They are real "pro".

Last time they accidentally blocked google analytics while they blocking youtube. voila, all turkish websites goes down because non-async analytics code.

So here's an idea that's been forming in my head over the last few days - a distributed version of twitter.

The problem with twitter as it currently stands is that it relies on a centralised server (well, servers). That's easy to block, or legally compel to remove content. Imagine instead that every user on twitter had their own "stream" replicated on both their own computer and those of all of their followers. If you choose to follow someone, you get access to their stream either directly from the person themselves, or any of their other followers.

This would partition the system according to popularity. The more followed a person is, the more replicas of their tweet stream available. When someone retweets something, it appears in their own stream, so retweets benefit from this replication. Any tweets that are particularly important and popular would be virtually impossible to suppress.

To prove that tweets had originated from a particular user, every user would have a public/private key pair generated when they first begin using the system, and all tweets would carry an associated cryptographic signature. "Registering" for the system would be a matter of generating an identity using a key pair and a username. Clashes and impersonation of usernames is something I haven't yet thought of a solution to, though usernames would be for display purposes only; the real identity would be the public key.

Replica discovery is another challenge, but there's much in the existing P2P literature and practice (esp bittorrent) that could possibly be of help here.

As far as business models are concerned, Twitter's current one wouldn't work, as it relies on the centralised nature of the system. However it would be possible for developers of individual clients to make money by providing various value-adds, and these could co-exist with open source clients.

Thoughts?

Side note: There seems to be a bug in the comments system where the last paragraph is omitted. Is anyone else experiencing this?

Extra last paragraph

The first time you have to say "key" to an end-user, you have lost. Key management (including, critically, movement between devices) is the primary reason email encryption is rare.

(And if the solution to key management involves letting a website deal with it, you've just invited re-centralization of the system, since users are going to gravitate to the service everyone else uses, not set up their own server.)

That doesn't necessarily mean you've lost, take cryptocurrencies for example. Yes you can manage your own keys as an end user for your cryptocurrency holdings, but as you say most end users will prefer to work through a third party that will handle the complexities of key management for them.

The trick is though that there can be an infinite amount of third parties all engaged in competition with each other and the end users just participate in that market like they would any other.

OP's suggestion may well work the same way, certain end users could choose to handle their own key management, and there could be third parties that handle it for those that prefer not to. As long as the space for those third parties is infinite and end users can opt to handle key management themselves, it's still a decentralised solution.

This is not a technical problem. It is a human problem, and humans don't act like you want them to. There would emerge a handful of large, popular, simple, easy-to-use central sites. A rogue regime can block them just as easily as it just blocked Twitter.

When it takes hours, days, or weeks for new moles to pop up, and they necessarily stay up, Whack-A-Mole is easy. And as sites keep getting whacked, people will lose the motivation to move on to yet another new site, learn its quirks, and rebuild their network.

Twitter is a powerful tool of dissent precisely because everyone uses it. It's not limited to the technically sophisticated and/or motivated activists. Activists need access to regular people, and they won't have it on a network that's painful and annoying to use.

A competitive market of third party providers on a peer to peer based social media platform can be both easy to use and impossible to censor. Censorship resistance becomes just another thing on the shopping list for third party providers, those that can do it best get the largest amount of users. The more censorship becomes a problem, the more value there is in services that resist it.
Ordinary people do not do their "shopping" based on censorship resistance, and they never will. You're thinking like an activist, you need to think like an apathetic layman, because that's what the vast majority of human beings are. They simply do not care about the same things you do, and you can't force them to until their lives are directly impacted.

If you want to help ordinary people get around censorship, go help the Tor project. It actually works, because it's compatible with human nature. It provides a simple, largely transparent tool that people can insert into their existing, normal habits, and it provides a basis on which the technically sophisticated can build even better tools in the form of hidden services that users can interact with exactly as they interact with their existing, non-resistant tools.

> The more censorship becomes a problem, the more value there is in services that resist it.

That is, normal people can be negatively affected by state actions and censorship too, at the point that it is a problem, why would those ordinary people not do their shopping based on censorship resistance?

> If you want to help ordinary people get around censorship, go help the Tor project. It actually works, because it's compatible with human nature. It provides a simple, largely transparent tool that people can insert into their existing, normal habits, and it provides a basis on which the technically sophisticated can build even better tools in the form of hidden services that users can interact with exactly as they interact with their existing, non-resistant tools.

This is decent advice, but just serves to make my point all the more; Censorship resistance is becoming a problem in Turkey, people start using Tor. If the aforementioned peer to peer based social media platform actually existed, they would start using whatever service best evaded the censorship they're railing against now via Tor.

Since we have Tor already, why bother with such a platform? Because despite Tor, the platform itself could be hijacked and Tor would not assist in censorship resistance in this scenario. Twitter might be happy to tell Turkey to get lost when they start making demands, but what if you're trying to evade censorship from the US government or entity with similar level of power? This will likely become an issue in future, having platforms that are immune to hijacking is a good way to address it.

I invite you to waste your time. I'll not be wasting any more of mine on this absurd thread.
Fair enough, I don't care enough about social media to build such a platform at any rate, I just don't agree with your assertion that peer to peer systems involving key management are a lost cause.
Freenet[1] does actually have a decentralized social network plugin, sone[2]. It's not exactly user friendly, but at least it seems to prove that if people care about these things enough, they will use a solution even if it is difficult. By making the user experience simpler (less technical), one should be able to lower the bar significantly. It's worth noting that everything in the sone-guide[2] could be done automatically; freenet just isn't designed for simplicty.

[1]https://freenetproject.org

[2]http://freesocial.draketo.de/sone_en.html

If anything in this thread is absurd, it is your outright dismissal of the notion that users will ever change the status quo, using Tor of all things as your example.

If Tor can create an adequate UX for an onion router, why couldn't someone create a decent UX for a distributed secure messaging system?

Playing nknighthb's advocate, the point is, you can convince people to use Tor, because they are directly affected by the ban, without having to convince everyone who uses Twitter to use Tor, while you would have to convince everyone who uses Twitter to use your system instead, even the people who have no obvious reason for doing so.
This is a good point; people might see Tor as a one-time step they have to do to continue doing exactly what they did before, rather than a complete change to their digital routine. Still, I hope people keep building distributed alternatives; eventually someone might just get the right UX at the right time.

I normally wouldn't have been so harsh in my wording, especially when jumping into the middle of a thread, but I guess the words "waste" and "absurd" seemed hostile enough to set me off.

What I had in mind was something that would operate in a peer-to-peer fashion similar to bittorrent, and everyone who uses it would install an app to use it. If people only or mainly used web-based frontends it would be unlikely to work well.

Also in response to the earlier comment: the app could provide a friendly interface for generating keys which doesn't require the user to know the technical details. They would just have an "identity file" that would be stored on the app, with options to copy it to a usb stick etc.

Additional paragraph which seems to be cut off from all comments.

> everyone who uses it would install an app to use it

Exactly. Meaning you must have key management.

> Also in response to the earlier comment: the app could provide a friendly interface for generating keys which doesn't require the user to know the technical details. They would just have an "identity file" that would be stored on the app, with options to copy it to a usb stick etc.

You are repeating history. PGP and many similar products have provided exactly this for end-user encryption of email for more than two decades. Not one has gained mass adoption. You cannot make a system that relies on the user to understand anything at all about key management, no matter how friendly the interface. "I will write a new program that makes email encryption easy!" has long been a joke/cliche. Key management is a problem that must be addressed with something more substantive than just yet another new interface tacked on top of the same old ideas.

I can't even get intelligent developers to manage SSH keys properly. They lose them constantly, or forget their passphrases (if I can even get them to use a passphrase). There is absolutely no hope of making a service anywhere near as popular as Twitter that adds the friction of key management.

> Key management (including, critically, movement between devices) is the primary reason email encryption is rare.

I think you're wrong. Basic key management is nearly trivial, even for complete non-techies. My dad didn't knew a thing about modern crypto but learned to sign his amateur radio callbook records in no time. Just showed him "here's your keypair, keep this one absolutely private, and this is public key, here we ask them to sign the public part, yada yada" (the whole explanation took about 15 minutes) and he got it. Maybe that's because he was personally interested in learning.

Now, while he would probably get confused and fail when faced with any remotely advanced things, he's able to use very basic crypto well enough. And, yes, he had backed keys up and had moved them between computers. It wasn't that hard.

The primary reason for rarity is complete UI/UX awkwardness. Key management (if present) is hidden beneath dozen of clicks deep into some obscure settings area - this prevents users from learning there's one. Then UI is plain horrible (pretty much raw view of keystore contents, with all that X.50x-based weirdness exposed naked right to ASN.1 OIDs), which prevents use by those who found it. And software vendors, even though they're bragging about their "security for our users" efforts, don't give a damn about that, as key management UIs remained mostly the same for decades.

Your dad is probably exactly the kind of person Zimmerman was thinking about in 1991. Somebody with one PC that they do everything on. He also has a specific motivation for learning about and putting up with public key crypto.

I don't know what UIs you've used, but the ones I've used dating back to the early 90s are nothing like what you're describing. Typical public key crypto UIs are very clear and unambiguous, and I've had no trouble teaching intelligent people how to use them.

The problem is twofold: First, half the population is necessarily below average.

Second, even getting the intelligent people to keep using it is a completely different matter. I've had an engineer-CEO mandate PGP usage for the company. Later, when sending him encrypted documents, he couldn't read them. Why? Because he'd gotten a new laptop. Where were his keys? Who knows.

Ditto one of the best and most security-minded engineers I know. Tried to send an encrypted file to him, "I haven't really used PGP in years, I'm not sure where my keys are".

I've kept a keychain[0] intact for the better part of a decade. I don't personally know a single other person who has, including the person who originally asked me to generate a public key.

[0] In fact, one of my still-used SSH keys is also about that old, as is my known_hosts file. These are, again, singular accomplishments in my professional and social circles.

> Thoughts?

Yes, one: this idea has no chance. Also it's been tried. App.net, diaspora, etc. If there aren't any people there there's no reason to join. If you think your engineering buddies will be the catalyst, look how well that's turned out for Google+, and Google+ is made by Google and they forced it down millions of people's throats and it's still not being used by normal people. You think selling it as "it can't be banned in Turkey" is going to be appealing to many people?

This is how it's going to go down, you're going to make some minimal app, a few people will use it once and never check it again, then you get burned out and go back to fixing some problem in your day job.

> You think selling it as "it can't be banned in Turkey" is going to be appealing to many people?

It might in Turkey :)

I'm aware these things are really, really hard to get off the ground. But if what you said was entirely true, there would be no new social networking services appear, ever. Among the thousands of efforts, every now and then one manages to become successful.

Additional paragraph which seems to be cut off from all comments.

> But if what you said was entirely true, there would be no new social networking services appear, ever.

I never said that. Obviously new social networks are being created through mobile apps, like whatsapp, because they fill a need that has nothing to do with your approach. There are already thousands of whatsapp, snapchat, etc clones so attempting to copy the first mover is going to be about as effective as you might imagine.

I had similar ideas.im working ona different project but canwe pleasechat? @puppetmaster3
A brief glance at the news doesn't give me much information, but the first thing that comes to mind when I see service blocking like this is, "when do the protests start?"

Perhaps I only know of the examples that confirm to this pattern, but internet limitations seems to often lead to MUCH higher levels of societal discontent. Could someone who understand the politics/social climate there give me a tl;dr on the situation in that light and what's reasonable to expect?

Allow me to tell you about the worst kind of problem: getting used to government being naughty. When quirky and nasty stuff happens so often, it is commonplace. When everything is so rotten, one first questions "what is their benefits from this" about every thing someone does.

Also, what you see and what we experience here is just a game on actuality, to turn away people's looks from problems that are deeper and nastier. It is all done in order to feint reality and get it to go under the dark curtain of a scandal.

Basically, we're told "Look! What's over there," and then are slapped in the face.

If he had NSA he couldjust predict noncompliant individuals.